From effbfc3189333859c9c92b3db3cbe043bff6a063 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beno=C3=AEt=20S=C3=89RIE?= Date: Thu, 6 Jul 2017 11:58:48 +0200 Subject: [PATCH 001/266] Be sure to have the bash-completion package It is very handy to have this package to have completion of commands like systemctl. --- evolinux-base/tasks/packages.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/evolinux-base/tasks/packages.yml b/evolinux-base/tasks/packages.yml index 13b735c7..a4a95dbb 100644 --- a/evolinux-base/tasks/packages.yml +++ b/evolinux-base/tasks/packages.yml @@ -14,6 +14,7 @@ - apg - conntrack - logrotate + - bash-completion when: evolinux_packages_system - name: Install/Update diagnostic tools From 3e1a600fd559287b362dfda6a6cb0a327a14de31 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 19 Jul 2017 18:25:22 +0200 Subject: [PATCH 002/266] apache: enable Munin plugins and CGI mode --- apache/handlers/main.yml | 5 +++++ apache/tasks/main.yml | 10 ++++++++++ apache/tasks/munin.yml | 24 +++++++++++++++++++++++ apache/templates/evolinux-default.conf.j2 | 19 ++++++++++++++++++ 4 files changed, 58 insertions(+) create mode 100644 apache/tasks/munin.yml diff --git a/apache/handlers/main.yml b/apache/handlers/main.yml index af4d94d2..96daa368 100644 --- a/apache/handlers/main.yml +++ b/apache/handlers/main.yml @@ -8,3 +8,8 @@ service: name: apache2 state: reloaded + +- name: restart munin-node + service: + name: munin-node + state: restarted diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index a6a46eb8..2325ba4c 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -209,6 +209,16 @@ - include: phpmyadmin.yml when: _default_index.stat.exists +- name: Check if Munin plugins exists + stat: + path: /etc/munin/plugins/ + register: _munin_plugins + check_mode: no + tags: + - apache + +- include: munin.yml + when: _munin_plugins.stat.exists # - block: # - name: generate random string for serverstatus suffix 
diff --git a/apache/tasks/munin.yml b/apache/tasks/munin.yml new file mode 100644 index 00000000..ce560868 --- /dev/null +++ b/apache/tasks/munin.yml @@ -0,0 +1,24 @@ +--- + +- name: install packages for Apache and Munin + apt: + name: libapache2-mod-fcgid + state: installed + notify: reload apache + tags: + - apache + - munin + +- name: install munin plugins + file: + src: "/etc/munin/plugins/{{ item }}" + dest: "/usr/share/munin/plugins/{{ item }}" + state: link + with_items: + - apache_accesses + - apache_processes + - apache_volume + notify: restart munin-node + tags: + - apache + - munin diff --git a/apache/templates/evolinux-default.conf.j2 b/apache/templates/evolinux-default.conf.j2 index 38a367d4..36ae65ad 100644 --- a/apache/templates/evolinux-default.conf.j2 +++ b/apache/templates/evolinux-default.conf.j2 @@ -53,6 +53,25 @@ Include /etc/apache2/private_ipaddr_whitelist.conf + # Munin cgi + # Ensure we can run (fast)cgi scripts + ScriptAlias /munin-cgi/munin-cgi-graph /usr/lib/munin/cgi/munin-cgi-graph + + Options +ExecCGI + + SetHandler fcgid-script + + + SetHandler fastcgi-script + + + + SetHandler cgi-script + + + Allow from all + + # For CGI Scripts. We need to set Directory directive as ScriptAlias take precedence. ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ From c2f67086453ef0e6d42969180624b8b4f6aaa126 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beno=C3=AEt=20S=C3=89RIE?= Date: Thu, 20 Jul 2017 09:33:22 +0200 Subject: [PATCH 003/266] Better minimalist config in the vhost Also install mandatory package libcgi-fast-perl. --- apache/tasks/munin.yml | 9 ++++++++- apache/templates/evolinux-default.conf.j2 | 23 +++-------------------- 2 files changed, 11 insertions(+), 21 deletions(-) diff --git a/apache/tasks/munin.yml b/apache/tasks/munin.yml index ce560868..2850b101 100644 --- a/apache/tasks/munin.yml +++ b/apache/tasks/munin.yml 
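Review bot: In the `install munin plugins` task the `src` and `dest` of the symlink are inverted: with `state: link`, `src` is the target the link points to and `dest` is the link being created, so as written the task tries to turn the packaged plugin files under `/usr/share/munin/plugins/` into links pointing at not-yet-existing paths in `/etc/munin/plugins/`, which the file module refuses (or, with `force`, would clobber the real plugins). The intent is evidently the reverse: `src: "/usr/share/munin/plugins/{{ item }}"` and `dest: "/etc/munin/plugins/{{ item }}"`. The same inverted `src` line is still visible as context in the next commit touching this file, so it is not fixed later in this series as far as the page shows.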
@@ -2,13 +2,20 @@ - name: install packages for Apache and Munin apt: - name: libapache2-mod-fcgid + name: "{{ item }}" state: installed + with_items: + - libapache2-mod-fcgid + - libcgi-fast-perl notify: reload apache tags: - apache - munin +- name: change group for /var/log/munin/ + file: + group: www-data + - name: install munin plugins file: src: "/etc/munin/plugins/{{ item }}" diff --git a/apache/templates/evolinux-default.conf.j2 b/apache/templates/evolinux-default.conf.j2 index 36ae65ad..105edeb1 100644 --- a/apache/templates/evolinux-default.conf.j2 +++ b/apache/templates/evolinux-default.conf.j2 @@ -47,29 +47,12 @@ Require all denied Include /etc/apache2/private_ipaddr_whitelist.conf - - Options -Indexes - Require all denied - Include /etc/apache2/private_ipaddr_whitelist.conf - - - # Munin cgi - # Ensure we can run (fast)cgi scripts + # munin-cgi-graph, used for zooming on graphs. ScriptAlias /munin-cgi/munin-cgi-graph /usr/lib/munin/cgi/munin-cgi-graph Options +ExecCGI - - SetHandler fcgid-script - - - SetHandler fastcgi-script - - - - SetHandler cgi-script - - - Allow from all + Require all denied + Include /etc/apache2/private_ipaddr_whitelist.conf # For CGI Scripts. We need to set Directory directive as ScriptAlias take precedence. From 1f87d3832054eef924aadb33095657aa0048810e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beno=C3=AEt=20S=C3=89RIE?= Date: Thu, 20 Jul 2017 09:38:05 +0200 Subject: [PATCH 004/266] Be sure to enable libapache2-mod-fcgid --- apache/tasks/munin.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/apache/tasks/munin.yml b/apache/tasks/munin.yml index 2850b101..1daf4a30 100644 --- a/apache/tasks/munin.yml +++ b/apache/tasks/munin.yml 
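Review bot: The new `change group for /var/log/munin/` task gives the file module only `group: www-data` and no `path`, so it fails with a missing-argument error instead of changing anything; it needs `path: /var/log/munin/` and, to be explicit about what is being managed, `state: directory`. Once it runs, the group change applies to the directory alone — existing log files keep their group unless `recurse: yes` is set — so if the purpose is to let munin-cgi-graph write there as www-data (which the surrounding CGI setup suggests, though the hunk does not say), that is worth stating in a comment above the task, since it widens the web server's access to the munin logs and a later reader should be able to judge whether that is still wanted.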
@@ -12,6 +12,15 @@ - apache - munin +- name: be sure to enable libapache2-mod-fcgid + command: a2enmod fcgid + register: cmd_disable_fcgid + changed_when: "'Module fcgid already enabled' not in cmd_disable_fcgid.stdout" + notify: restart apache + tags: + - apache + - munin + - name: change group for /var/log/munin/ file: group: www-data From 5ed119eb382b0a71bfec4b69fcfa54b550b6540a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beno=C3=AEt=20S=C3=89RIE?= Date: Thu, 20 Jul 2017 09:38:39 +0200 Subject: [PATCH 005/266] Missing path and tags for a task --- apache/tasks/munin.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apache/tasks/munin.yml b/apache/tasks/munin.yml index 1daf4a30..fa377cb9 100644 --- a/apache/tasks/munin.yml +++ b/apache/tasks/munin.yml @@ -23,7 +23,11 @@ - name: change group for /var/log/munin/ file: + path: /var/log/munin/ group: www-data + tags: + - apache + - munin - name: install munin plugins file: From f5c8d56b6a5beeb14ccf06c57eb23b39a1a1ca7c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beno=C3=AEt=20S=C3=89RIE?= Date: Thu, 20 Jul 2017 09:40:45 +0200 Subject: [PATCH 006/266] Wrong register name fixed --- apache/tasks/munin.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apache/tasks/munin.yml b/apache/tasks/munin.yml index fa377cb9..150a6e87 100644 --- a/apache/tasks/munin.yml +++ b/apache/tasks/munin.yml @@ -14,8 +14,8 @@ - name: be sure to enable libapache2-mod-fcgid command: a2enmod fcgid - register: cmd_disable_fcgid - changed_when: "'Module fcgid already enabled' not in cmd_disable_fcgid.stdout" + register: cmd_enable_fcgid + changed_when: "'Module fcgid already enabled' not in cmd_enable_fcgid.stdout" notify: restart apache tags: - apache From fa55761714ca934c31fde8fbc66047aa29edc4a9 Mon Sep 17 00:00:00 2001 
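Review bot: The `a2enmod fcgid` step uses a raw `command` with a `changed_when` that parses a2enmod's stdout, which is not check-mode safe and depends on the exact wording of the tool's message; Ansible's `apache2_module` module does this idempotently with `apache2_module:` / `name: fcgid` / `state: present` in place of the `command`, `register` and `changed_when` lines. Separately, `notify: restart apache` assumes a handler of that name exists — the handlers hunk in the earlier commit only shows a `reloaded` service handler and the new `restart munin-node`, and the other tasks in this file use `notify: reload apache` — so the handler name should be confirmed.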
From: =?UTF-8?q?Beno=C3=AEt=20S=C3=89RIE?= Date: Wed, 20 Sep 2017 11:29:54 +0200 Subject: [PATCH 007/266] Add support for PHP 7.1 using sury repository. See the documentation: https://wiki.evolix.org/HowtoPHP#php-7.1-avec-deb.sury.org --- php/defaults/main.yml | 1 + php/handlers/main.yml | 4 ++++ php/tasks/main.yml | 3 +++ php/tasks/php_stretch_sury.yml | 24 ++++++++++++++++++++++++ 4 files changed, 32 insertions(+) create mode 100644 php/tasks/php_stretch_sury.yml diff --git a/php/defaults/main.yml b/php/defaults/main.yml index ca243024..d12014b2 100644 --- a/php/defaults/main.yml +++ b/php/defaults/main.yml @@ -1,5 +1,6 @@ --- +php_sury_enable: False php_fpm_enable: False php_apache_enable: False php_symfony_requirements: False diff --git a/php/handlers/main.yml b/php/handlers/main.yml index 31c87470..641154c8 100644 --- a/php/handlers/main.yml +++ b/php/handlers/main.yml @@ -3,3 +3,7 @@ service: name: php-fpm state: restarted + +- name: apt update + apt: + update_cache: yes diff --git a/php/tasks/main.yml b/php/tasks/main.yml index 7ea4269c..9b1d3375 100644 --- a/php/tasks/main.yml +++ b/php/tasks/main.yml @@ -8,6 +8,9 @@ - include: php_jessie.yml when: ansible_distribution_release == "jessie" +- include: php_stretch_sury.yml + when: ansible_distribution_major_version | version_compare('9', '>=') and php_sury_enable + - include: php_stretch.yml when: ansible_distribution_major_version | version_compare('9', '>=') diff --git a/php/tasks/php_stretch_sury.yml b/php/tasks/php_stretch_sury.yml new file mode 100644 index 00000000..56a3ac3c --- /dev/null +++ b/php/tasks/php_stretch_sury.yml 
@@ -0,0 +1,24 @@ +--- + +- name: Setup deb.sury.org repository - Add GPG key + get_url: + url: https://packages.sury.org/php/apt.gpg + dest: /etc/apt/trusted.gpg.d/php71-sury.gpg + mode: "0644" + +- name: Setup deb.sury.org repository - Install apt-transport-https + apt: + state: present + name: apt-transport-https + +- name: Setup deb.sury.org repository - Add source list + copy: + dest: /etc/apt/sources.list.d/php71-sury.list + force: no + mode: "0600" + content: | + deb https://packages.sury.org/php/ stretch main + notify: apt update + +- name: Intermediate flush of handlers + meta: flush_handlers From 21f85e4e84afec94e1eef7c34397c2b320d974e1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beno=C3=AEt=20S=C3=89RIE?= Date: Wed, 20 Sep 2017 14:17:02 +0200 Subject: [PATCH 008/266] Use apt_repository and rename source list to sury.list --- php/tasks/php_stretch_sury.yml | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/php/tasks/php_stretch_sury.yml b/php/tasks/php_stretch_sury.yml index 56a3ac3c..9ac58421 100644 --- a/php/tasks/php_stretch_sury.yml +++ b/php/tasks/php_stretch_sury.yml @@ -3,7 +3,7 @@ - name: Setup deb.sury.org repository - Add GPG key get_url: url: https://packages.sury.org/php/apt.gpg - dest: /etc/apt/trusted.gpg.d/php71-sury.gpg + dest: /etc/apt/trusted.gpg.d/sury.gpg mode: "0644" - name: Setup deb.sury.org repository - Install apt-transport-https @@ -12,13 +12,7 @@ name: apt-transport-https - name: Setup deb.sury.org repository - Add source list - copy: - dest: /etc/apt/sources.list.d/php71-sury.list - force: no - mode: "0600" - content: | - deb https://packages.sury.org/php/ stretch main - notify: apt update - -- name: Intermediate flush of handlers - meta: flush_handlers + apt_repository: + repo: "deb https://packages.sury.org/php/ stretch main" + filename: sury + state: present From cbe40162d9482964e4e4a5a0f08bb875f75e901b Mon Sep 17 00:00:00 2001 
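Review bot: The deb.sury.org signing key is fetched with `get_url` and dropped into `/etc/apt/trusted.gpg.d/`, where apt trusts it for every configured repository rather than only this one, and the download itself is not integrity-checked. Two hardening steps fit here: add `checksum: "sha256:<KEY_SHA256_PLACEHOLDER>"` to the `get_url` task so a changed or tampered key is noticed rather than silently trusted, and store the key outside `trusted.gpg.d` (for example under `/usr/share/keyrings/`) and reference it with `[signed-by=...]` in the sources line so it can only authenticate this repository. The `force: no` on the sources-list `copy` also means any later change to `content` never reaches hosts that already have the file.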
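Review bot: The `apt_repository` line hard-codes the `stretch` suite, while the include condition added in the previous commit (`ansible_distribution_major_version | version_compare('9', '>=')`) also matches later Debian releases, so a newer host would be handed a stretch PHP repository. Use the release fact instead: `repo: "deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main"`. Dropping the `apt update` handler and the `flush_handlers` step is consistent with `apt_repository` refreshing the cache itself.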
From: =?UTF-8?q?Beno=C3=AEt=20S=C3=89RIE?= Date: Wed, 20 Sep 2017 14:19:30 +0200 Subject: [PATCH 009/266] Remove useless apt update handler --- php/handlers/main.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/php/handlers/main.yml b/php/handlers/main.yml index 641154c8..31c87470 100644 --- a/php/handlers/main.yml +++ b/php/handlers/main.yml @@ -3,7 +3,3 @@ service: name: php-fpm state: restarted - -- name: apt update - apt: - update_cache: yes From e2ed9e4be8e61c26ea23a56a79b0776ea42d0269 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beno=C3=AEt=20S=C3=89RIE?= Date: Wed, 20 Sep 2017 14:33:22 +0200 Subject: [PATCH 010/266] Add preferences file to pin php7.1 packages --- php/files/sury.preferences | 7 +++++++ php/tasks/php_stretch_sury.yml | 5 +++++ 2 files changed, 12 insertions(+) create mode 100644 php/files/sury.preferences diff --git a/php/files/sury.preferences b/php/files/sury.preferences new file mode 100644 index 00000000..95b28e3d --- /dev/null +++ b/php/files/sury.preferences @@ -0,0 +1,7 @@ +Package: php7.1* libapache2-mod-php7.1 +Pin: origin packages.sury.org +Pin-Priority: 999 + +Package: * +Pin: origin packages.sury.org +Pin-Priority: 50 diff --git a/php/tasks/php_stretch_sury.yml b/php/tasks/php_stretch_sury.yml index 9ac58421..be549804 100644 --- a/php/tasks/php_stretch_sury.yml +++ b/php/tasks/php_stretch_sury.yml @@ -11,6 +11,11 @@ state: present name: apt-transport-https +- name: Setup deb.sury.org repository - Add preferences file + copy: + src: sury.preferences + dest: /etc/apt/preferences.d/z-sury + - name: Setup deb.sury.org repository - Add source list apt_repository: repo: "deb https://packages.sury.org/php/ stretch main" From 741993719661ab05008de074e89cf39b0e2920a0 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Beno=C3=AEt=20S=C3=89RIE?= Date: Wed, 20 Sep 2017 15:06:15 +0200 Subject: [PATCH 011/266] Force pining to php* Why? Because we have some meta-packages like php which redirect to php7.0 or php7.1. With this, all php packages will be 7.1 (default from sury). --- php/files/sury.preferences | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/php/files/sury.preferences b/php/files/sury.preferences index 95b28e3d..9c644b5d 100644 --- a/php/files/sury.preferences +++ b/php/files/sury.preferences @@ -1,4 +1,4 @@ -Package: php7.1* libapache2-mod-php7.1 +Package: php* libapache2-mod-php* Pin: origin packages.sury.org Pin-Priority: 999 From 404519549596dd492a98cb4004d5935e2ae9a9dd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beno=C3=AEt=20S=C3=89RIE?= Date: Wed, 20 Sep 2017 15:36:48 +0200 Subject: [PATCH 012/266] Sed keyword missing Fix #2 Sed keyword SERVERNAME was replaced with ansible variables which is incorrect. --- webapps/evoadmin-web/templates/web-mail.tpl.j2 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/webapps/evoadmin-web/templates/web-mail.tpl.j2 b/webapps/evoadmin-web/templates/web-mail.tpl.j2 index 262995c3..57c92779 100644 --- a/webapps/evoadmin-web/templates/web-mail.tpl.j2 +++ b/webapps/evoadmin-web/templates/web-mail.tpl.j2 @@ -20,10 +20,10 @@ PASSWORD : PASSE1 ***************************************** URL du site : -http://{{ evoadmin_tpl_servername }} +http://SERVERNAME URL des stats : -http://{{ evoadmin_tpl_servername }}/cgi-RANDOM/awstats.pl +http://SERVERNAME/cgi-RANDOM/awstats.pl (acces par IP ou login a demander !) Repertoire de connexion : HOME_DIR/LOGIN/ 
@@ -60,7 +60,7 @@ ou etre un alias de {{ evoadmin_tpl_servername }} (enregistrement DNS CNAME). Si vous avez besoin de faire des tests, vous devez ajouter la ligne suivante au fichier "/etc/hosts" sous Linux/Unix ou au fichier "system32\drivers\etc\hosts" sous Windows NT/XP : -{{ evoadmin_tpl_address }} {{ evoadmin_tpl_servername }} +{{ evoadmin_tpl_address }} SERVERNAME Attention, par defaut, toutes les connexions vers l'exterieur sont bloquees. Si vous avez besoin de recuperer des donnees @@ -71,7 +71,7 @@ Afin de securiser au maximum le serveur, certaines URL particulieres sont non autorisees pour eviter diverses attaques (XSS, robots, trojans, injections, etc.). Exemple d'URL refusee : -http://{{ evoadmin_tpl_servername }}/cmd32.exe +http://SERVERNAME/cmd32.exe En cas de soucis avec votre application, prevenez-nous. Si vous desirez mettre en place des parametres particuliers From cdf086182106958858f2b19304727748656b2d52 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Thu, 21 Sep 2017 00:00:30 +0200 Subject: [PATCH 013/266] More clear without include for determining apache/nginx presence --- evoacme/tasks/main.yml | 12 +++++++++++- evoacme/tasks/webserver.yml | 12 ------------ 2 files changed, 11 insertions(+), 13 deletions(-) delete mode 100644 evoacme/tasks/webserver.yml diff --git a/evoacme/tasks/main.yml b/evoacme/tasks/main.yml index beac178e..6bc21a02 100644 --- a/evoacme/tasks/main.yml +++ b/evoacme/tasks/main.yml @@ -13,7 +13,17 @@ - include: scripts.yml -- include: webserver.yml +- name: Determine Apache presence + stat: + path: /etc/apache2/apache2.conf + check_mode: no + register: sta + +- name: Determine Nginx presence + stat: + path: /etc/nginx/nginx.conf + check_mode: no + register: stn - include: apache.yml when: sta.stat.isreg is defined and sta.stat.isreg diff --git a/evoacme/tasks/webserver.yml b/evoacme/tasks/webserver.yml deleted file mode 100644 index 8092aa98..00000000 --- a/evoacme/tasks/webserver.yml +++ /dev/null 
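Review bot: The hunk header context `ou etre un alias de {{ evoadmin_tpl_servername }} (enregistrement DNS CNAME).` shows a line just above this hunk that still carries the Ansible variable, so the reversion to the `SERVERNAME` sed keyword appears incomplete: that line would render a fixed hostname while the lines changed here are substituted at runtime. If the same keyword is meant everywhere, it should presumably read `ou etre un alias de SERVERNAME (enregistrement DNS CNAME).` — worth checking since the line itself is outside the hunk. `{{ evoadmin_tpl_address }}` on the changed line is kept deliberately and is not affected.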
@@ -1,12 +0,0 @@ ---- -- name: Determine Nginx presence - stat: - path: /etc/nginx/nginx.conf - check_mode: no - register: stn - -- name: Determine Apache presence - stat: - path: /etc/apache2/apache2.conf - check_mode: no - register: sta From a006a604f24db0bb9379d360aa3815c3aa0cb902 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Thu, 21 Sep 2017 00:26:59 +0200 Subject: [PATCH 014/266] Rename /etc/cron.d/certbot to .disabled as written in https://wiki.evolix.org/HowtoLetsEncrypt --- evoacme/tasks/certbot.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/evoacme/tasks/certbot.yml b/evoacme/tasks/certbot.yml index 20658ec2..88f0eb5b 100644 --- a/evoacme/tasks/certbot.yml +++ b/evoacme/tasks/certbot.yml @@ -42,6 +42,18 @@ path: /usr/local/bin/certbot state: absent +- name: stat /etc/cron.d/certbot + stat: + path: /etc/cron.d/certbot + register: etc_cron_d_certbot + +- name: Rename certbot dpkg cron to .disabled + copy: + remote_src: True + src: /etc/cron.d/certbot + dest: /etc/cron.d/certbot.disabled + when: etc_cron_d_certbot.stat.exists + - name: Remove certbot dpkg cron file: path: /etc/cron.d/certbot From 26d823174f70eaa1b85f9543fb41870ab748f72f Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Thu, 21 Sep 2017 00:32:34 +0200 Subject: [PATCH 015/266] use {{ evoacme_crt_dir }} var everywhere --- evoacme/tasks/conf.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evoacme/tasks/conf.yml b/evoacme/tasks/conf.yml index b39b5384..4d9f6704 100644 --- a/evoacme/tasks/conf.yml +++ b/evoacme/tasks/conf.yml @@ -1,6 +1,6 @@ --- - ini_file: - dest: /etc/letsencrypt/openssl.cnf + dest: "{{ evoacme_crt_dir }}/openssl.cnf" section: 'req' option: "{{ item.name }}" value: "{{ item.var }}" From 81698d03de5392a1ae05646a0ce11480a8637d54 Mon Sep 17 00:00:00 2001 
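Review bot: The openssl.cnf path is now derived from `evoacme_crt_dir`, but the shell scripts shipped by this role still hard-code `/etc/letsencrypt/openssl.cnf` — make-csr.sh reads `default_bits` from it and `cat`s it when building the CSR config, as visible in the retab commit later in this series — and evoacme.sh only reads `${CRT_DIR}/openssl.cnf` after defaulting `CRT_DIR` to `/etc/letsencrypt`. If `evoacme_crt_dir` is set to anything else, the file written by this task is not the one the scripts read, and the CSR subject fields silently fall back to whatever the packaged config contains. Either template `CRT_DIR` into `/etc/default/evoacme` from the same variable and make make-csr.sh use `${CRT_DIR}` too, or document next to the variable that it must remain `/etc/letsencrypt`.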
From: Gregory Colpart Date: Thu, 21 Sep 2017 00:36:47 +0200 Subject: [PATCH 016/266] by default copy use files/ directory --- evoacme/tasks/scripts.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/evoacme/tasks/scripts.yml b/evoacme/tasks/scripts.yml index 01e61fdb..b1ebe473 100644 --- a/evoacme/tasks/scripts.yml +++ b/evoacme/tasks/scripts.yml @@ -9,7 +9,7 @@ - name: Copy make-csr.sh script copy: - src: files/make-csr.sh + src: make-csr.sh dest: /usr/local/sbin/make-csr owner: root group: root @@ -17,7 +17,7 @@ - name: Copy evoacme script copy: - src: files/evoacme.sh + src: evoacme.sh dest: /usr/local/sbin/evoacme owner: root group: root From 7ea59826117fda8b59869a349de1d8057d8b2a7c Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Thu, 21 Sep 2017 00:39:06 +0200 Subject: [PATCH 017/266] empty commit, only :retab --- evoacme/files/certbot.cron | 2 +- evoacme/files/evoacme.sh | 104 +++++++++--------- evoacme/files/make-csr.sh | 212 ++++++++++++++++++------------------- 3 files changed, 159 insertions(+), 159 deletions(-) diff --git a/evoacme/files/certbot.cron b/evoacme/files/certbot.cron index a7c4eef2..eb2ddb3a 100755 --- a/evoacme/files/certbot.cron +++ b/evoacme/files/certbot.cron @@ -10,5 +10,5 @@ [ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt' find "${CRT_DIR}" -maxdepth 1 -mindepth 1 -type d ! -path "*accounts" -exec basename {} \; | while read vhost; do - evoacme "$vhost" + evoacme "$vhost" done diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index ffbf22ac..0504567e 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -8,12 +8,12 @@ # usage() { - echo "Usage: $0 NAME" - echo "" - echo "NAME must be correspond to :" - echo "- a CSR in ${CSR_DIR}/NAME.csr" - echo "- a KEY in ${SSL_KEY_DIR}/NAME.key" - echo "" + echo "Usage: $0 NAME" + echo "" + echo "NAME must be correspond to :" + echo "- a CSR in ${CSR_DIR}/NAME.csr" + echo "- a KEY in ${SSL_KEY_DIR}/NAME.key" + echo "" } mkconf_apache() { 
@@ -27,58 +27,58 @@ mkconf_nginx() { } mkconf_haproxy() { - mkdir -p /etc/ssl/haproxy -m 700 - cat "$CRT_DIR/${vhost}/live/fullchain.pem" "$SSL_KEY_DIR/${vhost}.key" > "/etc/ssl/haproxy/${vhost}.pem" - [ -f "$DH_DIR/${vhost}.pem" ] && cat "$DH_DIR/${vhost}.pem" >> "/etc/ssl/haproxy/${vhost}.pem" - haproxy -c -f /etc/haproxy/haproxy.cfg >/dev/null && service haproxy reload + mkdir -p /etc/ssl/haproxy -m 700 + cat "$CRT_DIR/${vhost}/live/fullchain.pem" "$SSL_KEY_DIR/${vhost}.key" > "/etc/ssl/haproxy/${vhost}.pem" + [ -f "$DH_DIR/${vhost}.pem" ] && cat "$DH_DIR/${vhost}.pem" >> "/etc/ssl/haproxy/${vhost}.pem" + haproxy -c -f /etc/haproxy/haproxy.cfg >/dev/null && service haproxy reload } main() { - [ -f /etc/default/evoacme ] && . /etc/default/evoacme - [ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private' - [ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt' - [ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests' - [ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed' - [ -z "${DH_DIR}" ] && DH_DIR='/etc/ssl/dhparam' - [ -z "${LOG_DIR}" ] && LOG_DIR='/var/log/evoacme' - - [ "$#" -ne 1 ] && usage && exit 1 + [ -f /etc/default/evoacme ] && . 
/etc/default/evoacme + [ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private' + [ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt' + [ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests' + [ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed' + [ -z "${DH_DIR}" ] && DH_DIR='/etc/ssl/dhparam' + [ -z "${LOG_DIR}" ] && LOG_DIR='/var/log/evoacme' + + [ "$#" -ne 1 ] && usage && exit 1 - vhost=$(basename "$1" .conf) + vhost=$(basename "$1" .conf) - # Check master status for evoadmin-cluster - if [ -f "/home/${vhost}/state" ]; then - grep -q "STATE=master" "/home/${vhost}/state" || exit 0 - fi + # Check master status for evoadmin-cluster + if [ -f "/home/${vhost}/state" ]; then + grep -q "STATE=master" "/home/${vhost}/state" || exit 0 + fi - SSL_EMAIL=$(grep emailAddress "${CRT_DIR}/openssl.cnf"|cut -d'=' -f2|xargs) - if [ -n "$SSL_EMAIL" ]; then - emailopt="-m $SSL_EMAIL" - else - emailopt="--register-unsafely-without-email" - fi - DATE=$(date "+%Y%m%d") - - if [ -h "$CRT_DIR/${vhost}/live" ]; then - crt_end_date=$(openssl x509 -noout -enddate -in "$CRT_DIR/${vhost}/live/cert.crt"|sed -e "s/.*=//") - date_crt=$(date -ud "$crt_end_date" +"%s") - date_today=$(date +'%s') - date_diff=$(((date_crt - date_today) / (60*60*24))) - [ "$date_diff" -ge "$SSL_MINDAY" ] && exit 0 - fi - rm -rf "$CRT_DIR/${vhost}/${DATE}" - mkdir -pm 755 "$CRT_DIR/${vhost}/${DATE}" - chown -R acme: "$CRT_DIR/${vhost}" - sudo -u acme certbot certonly --quiet --webroot --csr "$CSR_DIR/${vhost}.csr" --webroot-path "$ACME_DIR" -n --agree-tos --cert-path="$CRT_DIR/${vhost}/${DATE}/cert.crt" --fullchain-path="$CRT_DIR/${vhost}/${DATE}/fullchain.pem" --chain-path="$CRT_DIR/${vhost}/${DATE}/chain.pem" "$emailopt" --logs-dir "$LOG_DIR" 2>&1 | grep -v "certbot.crypto_util" - if [ -f "$CRT_DIR/${vhost}/${DATE}/fullchain.pem" ]; then - rm -f "$CRT_DIR/${vhost}/live" - ln -s "$CRT_DIR/${vhost}/${DATE}" "$CRT_DIR/${vhost}/live" - which apache2ctl >/dev/null && mkconf_apache - which nginx >/dev/null 
&& mkconf_nginx - which haproxy >/dev/null && mkconf_haproxy - else - rmdir "$CRT_DIR/${vhost}/${DATE}" - fi + SSL_EMAIL=$(grep emailAddress "${CRT_DIR}/openssl.cnf"|cut -d'=' -f2|xargs) + if [ -n "$SSL_EMAIL" ]; then + emailopt="-m $SSL_EMAIL" + else + emailopt="--register-unsafely-without-email" + fi + DATE=$(date "+%Y%m%d") + + if [ -h "$CRT_DIR/${vhost}/live" ]; then + crt_end_date=$(openssl x509 -noout -enddate -in "$CRT_DIR/${vhost}/live/cert.crt"|sed -e "s/.*=//") + date_crt=$(date -ud "$crt_end_date" +"%s") + date_today=$(date +'%s') + date_diff=$(((date_crt - date_today) / (60*60*24))) + [ "$date_diff" -ge "$SSL_MINDAY" ] && exit 0 + fi + rm -rf "$CRT_DIR/${vhost}/${DATE}" + mkdir -pm 755 "$CRT_DIR/${vhost}/${DATE}" + chown -R acme: "$CRT_DIR/${vhost}" + sudo -u acme certbot certonly --quiet --webroot --csr "$CSR_DIR/${vhost}.csr" --webroot-path "$ACME_DIR" -n --agree-tos --cert-path="$CRT_DIR/${vhost}/${DATE}/cert.crt" --fullchain-path="$CRT_DIR/${vhost}/${DATE}/fullchain.pem" --chain-path="$CRT_DIR/${vhost}/${DATE}/chain.pem" "$emailopt" --logs-dir "$LOG_DIR" 2>&1 | grep -v "certbot.crypto_util" + if [ -f "$CRT_DIR/${vhost}/${DATE}/fullchain.pem" ]; then + rm -f "$CRT_DIR/${vhost}/live" + ln -s "$CRT_DIR/${vhost}/${DATE}" "$CRT_DIR/${vhost}/live" + which apache2ctl >/dev/null && mkconf_apache + which nginx >/dev/null && mkconf_nginx + which haproxy >/dev/null && mkconf_haproxy + else + rmdir "$CRT_DIR/${vhost}/${DATE}" + fi } main "$@" diff --git a/evoacme/files/make-csr.sh b/evoacme/files/make-csr.sh index 844847ab..5338ba2c 100755 --- a/evoacme/files/make-csr.sh +++ b/evoacme/files/make-csr.sh 
@@ -8,143 +8,143 @@ # get_domains() { - echo "$vhostfile"|grep -q nginx - if [ "$?" -eq 0 ]; then - domains=$(grep -oE "^( )*[^#]+" "$vhostfile" |grep -oE "[^\$]server_name.*;$"|sed 's/server_name//'|tr -d ';'|sed 's/\s\{1,\}//'|sed 's/\s\{1,\}/\n/g'|sort|uniq) - fi - - echo "$vhostfile" |grep -q apache2 - if [ "$?" -eq 0 ]; then - domains=$(grep -oE "^( )*[^#]+" "$vhostfile" |grep -oE "(ServerName|ServerAlias).*"|sed 's/ServerName//'|sed 's/ServerAlias//'|sed 's/\s\{1,\}//'|sort|uniq) - fi - valid_domains="" - nb=0 - - echo "Valid(s) domain(s) in $vhost :" - for domain in $domains; do - real_ip=$(dig +short "$domain"|grep -oE "([0-9]+\.){3}[0-9]+") - for ip in $(echo "$SRV_IP"|xargs -n1); do - if [ "${ip}" = "${real_ip}" ]; then - valid_domains="$valid_domains $domain" - nb=$(( nb + 1 )) - echo "* $domain -> $real_ip" - fi - done - done - - if [ "$nb" -eq 0 ]; then - nb=$(echo "$domains"|wc -l) - echo "* No valid domain found" - echo "All following(s) domain(s) will be used for CSR creation :" - for domain in $domains; do - echo "* $domain" - done - else - domains="$valid_domains" - fi - domains=$(echo "$domains"|xargs -n1) + echo "$vhostfile"|grep -q nginx + if [ "$?" -eq 0 ]; then + domains=$(grep -oE "^( )*[^#]+" "$vhostfile" |grep -oE "[^\$]server_name.*;$"|sed 's/server_name//'|tr -d ';'|sed 's/\s\{1,\}//'|sed 's/\s\{1,\}/\n/g'|sort|uniq) + fi + + echo "$vhostfile" |grep -q apache2 + if [ "$?" 
-eq 0 ]; then + domains=$(grep -oE "^( )*[^#]+" "$vhostfile" |grep -oE "(ServerName|ServerAlias).*"|sed 's/ServerName//'|sed 's/ServerAlias//'|sed 's/\s\{1,\}//'|sort|uniq) + fi + valid_domains="" + nb=0 + + echo "Valid(s) domain(s) in $vhost :" + for domain in $domains; do + real_ip=$(dig +short "$domain"|grep -oE "([0-9]+\.){3}[0-9]+") + for ip in $(echo "$SRV_IP"|xargs -n1); do + if [ "${ip}" = "${real_ip}" ]; then + valid_domains="$valid_domains $domain" + nb=$(( nb + 1 )) + echo "* $domain -> $real_ip" + fi + done + done + + if [ "$nb" -eq 0 ]; then + nb=$(echo "$domains"|wc -l) + echo "* No valid domain found" + echo "All following(s) domain(s) will be used for CSR creation :" + for domain in $domains; do + echo "* $domain" + done + else + domains="$valid_domains" + fi + domains=$(echo "$domains"|xargs -n1) } make_key() { - openssl genrsa -out "$SSL_KEY_DIR/${vhost}.key" "$SSL_KEY_SIZE" 2>/dev/null - chown root: "$SSL_KEY_DIR/${vhost}.key" - chmod 600 "$SSL_KEY_DIR/${vhost}.key" + openssl genrsa -out "$SSL_KEY_DIR/${vhost}.key" "$SSL_KEY_SIZE" 2>/dev/null + chown root: "$SSL_KEY_DIR/${vhost}.key" + chmod 600 "$SSL_KEY_DIR/${vhost}.key" } make_csr() { - domains="$1" - nb=$(echo "$domains"|wc -l) - config_file="/tmp/make-csr-${vhost}.conf" + domains="$1" + nb=$(echo "$domains"|wc -l) + config_file="/tmp/make-csr-${vhost}.conf" - mkdir -p "$CSR_DIR" -m 0755 - - if [ "$nb" -eq 1 ]; then - cat /etc/letsencrypt/openssl.cnf - > "$config_file" < "$config_file" < "$config_file" < "$config_file" < "$CSR_DIR/${vhost}.csr" - fi - - if [ -f "$CSR_DIR/${vhost}.csr" ]; then - chmod 644 "$CSR_DIR/${vhost}.csr" - mkdir -p "$SELF_SIGNED_DIR" -m 0755 - openssl x509 -req -sha256 -days 365 -in "$CSR_DIR/${vhost}.csr" -signkey "$SSL_KEY_DIR/${vhost}.key" -out "$SELF_SIGNED_DIR/${vhost}.pem" - [ -f "$SELF_SIGNED_DIR/${vhost}.pem" ] && chmod 644 "$SELF_SIGNED_DIR/${vhost}.pem" - fi + openssl req -new -sha256 -key "$SSL_KEY_DIR/${vhost}.key" -reqexts SAN -config "$config_file" > 
"$CSR_DIR/${vhost}.csr" + fi + + if [ -f "$CSR_DIR/${vhost}.csr" ]; then + chmod 644 "$CSR_DIR/${vhost}.csr" + mkdir -p "$SELF_SIGNED_DIR" -m 0755 + openssl x509 -req -sha256 -days 365 -in "$CSR_DIR/${vhost}.csr" -signkey "$SSL_KEY_DIR/${vhost}.key" -out "$SELF_SIGNED_DIR/${vhost}.pem" + [ -f "$SELF_SIGNED_DIR/${vhost}.pem" ] && chmod 644 "$SELF_SIGNED_DIR/${vhost}.pem" + fi } mkconf_apache() { - mkdir -p /etc/apache2/ssl - if [ ! -f "/etc/apache2/ssl/${vhost}.conf" ]; then - cat > "/etc/apache2/ssl/${vhost}.conf" < "/etc/apache2/ssl/${vhost}.conf" < "/etc/nginx/ssl/${vhost}.conf" < "/etc/nginx/ssl/${vhost}.conf" <&2 - exit 1 - fi - vhost=$(basename "$1" .conf) - local_ip=$(ip a|grep brd|cut -d'/' -f1|grep -oE "([0-9]+\.){3}[0-9]+") + if [ "$#" -ne 1 ]; then + echo "You need to provide one argument !" >&2 + exit 1 + fi + vhost=$(basename "$1" .conf) + local_ip=$(ip a|grep brd|cut -d'/' -f1|grep -oE "([0-9]+\.){3}[0-9]+") - [ -f /etc/default/evoacme ] && . /etc/default/evoacme - [ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private' - [ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests' - [ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt' - [ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed' - SSL_KEY_SIZE=$(grep default_bits /etc/letsencrypt/openssl.cnf|cut -d'=' -f2|xargs) - [ -n "${SRV_IP}" ] && SRV_IP="${SRV_IP} $local_ip" || SRV_IP="$local_ip" - - vhostfile=$(ls "/etc/nginx/sites-enabled/${vhost}" "/etc/nginx/sites-enabled/${vhost}.conf" "/etc/apache2/sites-enabled/${vhost}" "/etc/apache2/sites-enabled/${vhost}.conf" 2>/dev/null|head -n1) - - if [ ! -h "$vhostfile" ]; then - echo "$vhost is not a valid virtualhost !" >&2 - exit 1 - fi + [ -f /etc/default/evoacme ] && . 
/etc/default/evoacme + [ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private' + [ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests' + [ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt' + [ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed' + SSL_KEY_SIZE=$(grep default_bits /etc/letsencrypt/openssl.cnf|cut -d'=' -f2|xargs) + [ -n "${SRV_IP}" ] && SRV_IP="${SRV_IP} $local_ip" || SRV_IP="$local_ip" + + vhostfile=$(ls "/etc/nginx/sites-enabled/${vhost}" "/etc/nginx/sites-enabled/${vhost}.conf" "/etc/apache2/sites-enabled/${vhost}" "/etc/apache2/sites-enabled/${vhost}.conf" 2>/dev/null|head -n1) + + if [ ! -h "$vhostfile" ]; then + echo "$vhost is not a valid virtualhost !" >&2 + exit 1 + fi - if [ -f "$SSL_KEY_DIR/${vhost}.key" ]; then - echo "$vhost key already exist, overwrite it ? (y)" - read REPLY - [ "$REPLY" = "Y" ] || [ "$REPLY" = "y" ] || exit 0 - rm -f "/etc/apache2/ssl/${vhost}.conf /etc/nginx/ssl/${vhost}.conf" - [ -h "${CRT_DIR}/${vhost}/live" ] && rm "${CRT_DIR}/${vhost}/live" - fi + if [ -f "$SSL_KEY_DIR/${vhost}.key" ]; then + echo "$vhost key already exist, overwrite it ? (y)" + read REPLY + [ "$REPLY" = "Y" ] || [ "$REPLY" = "y" ] || exit 0 + rm -f "/etc/apache2/ssl/${vhost}.conf /etc/nginx/ssl/${vhost}.conf" + [ -h "${CRT_DIR}/${vhost}/live" ] && rm "${CRT_DIR}/${vhost}/live" + fi - get_domains - make_key - make_csr "$domains" - which apache2ctl >/dev/null && mkconf_apache + get_domains + make_key + make_csr "$domains" + which apache2ctl >/dev/null && mkconf_apache which nginx >/dev/null && mkconf_nginx } From 30c47fcd502af2c22287d4d096f1dc30d2890629 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Thu, 21 Sep 2017 03:29:55 +0200 Subject: [PATCH 018/266] A lot of improvments: add comments, add tests/tests/tests, add --cron option, drop HAProxy support, modify Apache/Nginx conf only first time --- evoacme/files/evoacme.sh | 109 +++++++++++++++++++++++++-------------- 1 file changed, 70 insertions(+), 39 deletions(-) 
diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index 0504567e..56f3f0e5 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -7,8 +7,10 @@ # Licence: AGPLv3 # +set -e + usage() { - echo "Usage: $0 NAME" + echo "Usage: $0 [ --cron ] NAME" echo "" echo "NAME must be correspond to :" echo "- a CSR in ${CSR_DIR}/NAME.csr" 
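Review bot: `set -e` is added at the top of a script whose body relies on `[ test ] && action` lists and, in the previous commit's version of main, on a `certbot … 2>&1 | grep -v "certbot.crypto_util"` pipeline; if that pipeline is kept, `grep -v` exits 1 whenever it filters out every line, and under `set -e` the script would then stop right after issuance, before the `live` symlink is updated and the web server configuration is touched. Append `|| true` to that pipeline, or check certbot's status explicitly rather than grep's, and add a comment above `set -e` reminding maintainers that any `[ … ] && …` list ending a function now makes a false test fail the caller. The `usage()` function this hunk opens continues outside the hunk.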
@@ -17,68 +19,97 @@ usage() { } mkconf_apache() { - [ -f "/etc/apache2/ssl/${vhost}.conf" ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $CRT_DIR/${vhost}/live/fullchain.pem~" "/etc/apache2/ssl/${vhost}.conf" - apache2ctl -t 2>/dev/null && service apache2 reload + echo "Apache detected... first configuration" + [ -f "/etc/apache2/ssl/${vhost}.conf" ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $CRT_DIR/${vhost}/live/fullchain.pem~" "/etc/apache2/ssl/${vhost}.conf" + apache2ctl -t } mkconf_nginx() { - [ -f "/etc/nginx/ssl/${vhost}.conf" ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $CRT_DIR/${vhost}/live/fullchain.pem;~" "/etc/nginx/ssl/${vhost}.conf" - nginx -t 2>/dev/null && service nginx reload -} - -mkconf_haproxy() { - mkdir -p /etc/ssl/haproxy -m 700 - cat "$CRT_DIR/${vhost}/live/fullchain.pem" "$SSL_KEY_DIR/${vhost}.key" > "/etc/ssl/haproxy/${vhost}.pem" - [ -f "$DH_DIR/${vhost}.pem" ] && cat "$DH_DIR/${vhost}.pem" >> "/etc/ssl/haproxy/${vhost}.pem" - haproxy -c -f /etc/haproxy/haproxy.cfg >/dev/null && service haproxy reload + echo "Nginx detected... first configuration" + [ -f "/etc/nginx/ssl/${vhost}.conf" ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $CRT_DIR/${vhost}/live/fullchain.pem;~" "/etc/nginx/ssl/${vhost}.conf" + nginx -t } main() { [ -f /etc/default/evoacme ] && . 
/etc/default/evoacme - [ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private' - [ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt' - [ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests' - [ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed' - [ -z "${DH_DIR}" ] && DH_DIR='/etc/ssl/dhparam' - [ -z "${LOG_DIR}" ] && LOG_DIR='/var/log/evoacme' - - [ "$#" -ne 1 ] && usage && exit 1 + [ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR=/etc/ssl/private + [ -z "${ACME_DIR}" ] && ACME_DIR=/var/lib/letsencrypt + [ -z "${CSR_DIR}" ] && CSR_DIR=/etc/ssl/requests + [ -z "${CRT_DIR}" ] && CRT_DIR=/etc/letsencrypt + [ -z "${LOG_DIR}" ] && LOG_DIR=/var/log/evoacme + [ -z "${SSL_MINDAY}" ] && SSL_MINDAY=30 + [ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR=/etc/ssl/self-signed + [ -z "${DH_DIR}" ] && DH_DIR=etc/ssl/dhparam - vhost=$(basename "$1" .conf) + # misc verifications + [ "$1" = "-h" ] || [ "$1" = "--help" ] && usage && exit 0 + which openssl >/dev/null || ( echo "error: openssl command not installed" && exit 1 ) + which certbot >/dev/null || ( echo "error: certbot command not installed" && exit 1 ) + [ ! -d $ACME_DIR ] && echo "error: $ACME_DIR is not a directory" && exit 1 + [ ! -d $CSR_DIR ] && echo "error: $CSR_DIR is not a directory" && exit 1 + [ ! -d $LOG_DIR ] && echo "error: $LOG_DIR is not a directory" && exit 1 + [ "$#" -ge 3 ] || [ "$#" -le 0 ] && echo "error: invalid argument(s)" && usage && exit 1 + [ "$#" -eq 2 ] && [ "$1" != "--cron" ] && echo "error: invalid argument(s)" && usage && exit 1 - # Check master status for evoadmin-cluster + [ "$#" -eq 1 ] && vhost=$(basename "$1" .conf) && CRON=NO + [ "$#" -eq 2 ] && vhost=$(basename "$2" .conf) && CRON=YES + + # verify .csr file + test ! -f "$CSR_DIR/${vhost}.csr" && echo "error: $CSR_DIR/${vhost}.csr absent" && exit 1 + test ! 
-r "$CSR_DIR/${vhost}.csr" && echo "error: $CSR_DIR/${vhost}.csr is not readable" && exit 1 + openssl req -noout -modulus -in "$CSR_DIR/${vhost}.csr" >/dev/null || ( echo "error: $CSR_DIR/${vhost}.csr is invalid" && exit 1 ) + [ "$CRON" = "NO" ] && echo "Using CSR file: $CSR_DIR/${vhost}.csr" + + # Hook for evoadmin-web in cluster mode : check master status if [ -f "/home/${vhost}/state" ]; then grep -q "STATE=master" "/home/${vhost}/state" || exit 0 fi - SSL_EMAIL=$(grep emailAddress "${CRT_DIR}/openssl.cnf"|cut -d'=' -f2|xargs) if [ -n "$SSL_EMAIL" ]; then emailopt="-m $SSL_EMAIL" else emailopt="--register-unsafely-without-email" fi + DATE=$(date "+%Y%m%d") - + [ ! -n "$DATE" ] && echo "error: invalid date" && exit 1 + + + # If live link already exists, it's not our first time... if [ -h "$CRT_DIR/${vhost}/live" ]; then - crt_end_date=$(openssl x509 -noout -enddate -in "$CRT_DIR/${vhost}/live/cert.crt"|sed -e "s/.*=//") - date_crt=$(date -ud "$crt_end_date" +"%s") + openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/live/cert.crt" >/dev/null || ( echo "error: $CRT_DIR/${vhost}/live/cert.crt is invalid" && exit 1 ) + + # Verify if our certificate will expire + crt_end_date=$(openssl x509 -noout -enddate -in "$CRT_DIR/${vhost}/live/cert.crt" | cut -d= -f2) + date_renew=$(date -ud "$crt_end_date - $SSL_MINDAY days" +"%s") date_today=$(date +'%s') - date_diff=$(((date_crt - date_today) / (60*60*24))) - [ "$date_diff" -ge "$SSL_MINDAY" ] && exit 0 - fi - rm -rf "$CRT_DIR/${vhost}/${DATE}" - mkdir -pm 755 "$CRT_DIR/${vhost}/${DATE}" - chown -R acme: "$CRT_DIR/${vhost}" - sudo -u acme certbot certonly --quiet --webroot --csr "$CSR_DIR/${vhost}.csr" --webroot-path "$ACME_DIR" -n --agree-tos --cert-path="$CRT_DIR/${vhost}/${DATE}/cert.crt" --fullchain-path="$CRT_DIR/${vhost}/${DATE}/fullchain.pem" --chain-path="$CRT_DIR/${vhost}/${DATE}/chain.pem" "$emailopt" --logs-dir "$LOG_DIR" 2>&1 | grep -v "certbot.crypto_util" - if [ -f "$CRT_DIR/${vhost}/${DATE}/fullchain.pem" ]; 
then - rm -f "$CRT_DIR/${vhost}/live" - ln -s "$CRT_DIR/${vhost}/${DATE}" "$CRT_DIR/${vhost}/live" + [ "$date_today" -lt "$date_renew" ] && ( [ "$CRON" = "NO" ] && echo "Cert $CRT_DIR/${vhost}/live/cert.crt expires at $crt_end_date => more than $SSL_MINDAY days: thxbye." || true ) && exit 0 + else which apache2ctl >/dev/null && mkconf_apache which nginx >/dev/null && mkconf_nginx - which haproxy >/dev/null && mkconf_haproxy - else - rmdir "$CRT_DIR/${vhost}/${DATE}" fi + + # renew certificate with certbot + [ -d "$CRT_DIR/${vhost}/${DATE}" ] && echo "error: $CRT_DIR/${vhost}/${DATE} directory already exists, remove it manually." && exit 1 + mkdir -pm 755 "$CRT_DIR/${vhost}/${DATE}" + chown -R acme: "$CRT_DIR/${vhost}/${DATE}" + [ "$CRON" = "YES" ] && CERTBOT_OPTS="--quiet" + sudo -u acme certbot certonly $CERTBOT_OPTS --webroot --csr "$CSR_DIR/${vhost}.csr" --webroot-path "$ACME_DIR" -n --agree-tos --cert-path="$CRT_DIR/${vhost}/${DATE}/cert.crt" --fullchain-path="$CRT_DIR/${vhost}/${DATE}/fullchain.pem" --chain-path="$CRT_DIR/${vhost}/${DATE}/chain.pem" "$emailopt" --logs-dir "$LOG_DIR" 2>&1 | grep -v "certbot.crypto_util" + + # verify if all is right + openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/${DATE}/cert.crt" >/dev/null || ( echo "error: new $CRT_DIR/${vhost}/${DATE}/cert.crt is invalid" && exit 1 ) + openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/${DATE}/fullchain.pem" >/dev/null || ( echo "error: new $CRT_DIR/${vhost}/${DATE}/fullchain.pem is invalid" && exit 1 ) + openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/${DATE}/chain.pem" >/dev/null || ( echo "error: new $CRT_DIR/${vhost}/${DATE}/chain.pem is invalid" && exit 1 ) + + # link dance + [ -h "$CRT_DIR/${vhost}/live" ] && rm "$CRT_DIR/${vhost}/live" + ln -s "$CRT_DIR/${vhost}/${DATE}" "$CRT_DIR/${vhost}/live" + openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/live/cert.crt" >/dev/null || ( echo "error: new $CRT_DIR/{vhost}/live/cert.crt is invalid" && exit 1 ) + + # reload apache or 
nginx (TODO: need improvments) + pidof apache2 >/dev/null && apache2ctl -t 2>/dev/null && ( [ "$CRON" = "NO" ] && echo "Apache detected... reloading" || true ) && systemctl reload apache2 + pidof nginx >/dev/null && nginx -t 2>/dev/null && ( [ "$CRON" = "NO" ] && echo "Nginx detected... reloading" || true ) && systemctl reload apache2 + } main "$@" From 4d6cbb52cd534c9da931a928b133f6732fe6a735 Mon Sep 17 00:00:00 2001 From: Romain Dessort Date: Tue, 26 Sep 2017 17:32:47 -0400 Subject: [PATCH 019/266] Add Amazon EC2 role This role is intended to setup and start EC2 instances, before Evolinux roles. --- amazon-ec2/README | 58 +++++++++++++++++++++++++++ amazon-ec2/amazon-ec2-evolinux.yml | 59 ++++++++++++++++++++++++++++ amazon-ec2/defaults/main.yml | 48 ++++++++++++++++++++++ amazon-ec2/tasks/create-instance.yml | 55 ++++++++++++++++++++++++++ 4 files changed, 220 insertions(+) create mode 100644 amazon-ec2/README create mode 100644 amazon-ec2/amazon-ec2-evolinux.yml create mode 100644 amazon-ec2/defaults/main.yml create mode 100644 amazon-ec2/tasks/create-instance.yml diff --git a/amazon-ec2/README b/amazon-ec2/README new file mode 100644 index 00000000..d3be7dc3 --- /dev/null +++ b/amazon-ec2/README 
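Review bot: The nginx reload at the end of `main()` calls `systemctl reload apache2` after `pidof nginx >/dev/null && nginx -t 2>/dev/null && …`, so nginx never picks up the renewed certificate; it should be `systemctl reload nginx`. With `set -e` now active, the certbot pipeline `… 2>&1 | grep -v "certbot.crypto_util"` is also a trap: the pipeline's status is grep's, and `grep -v` exits 1 when it selects no line, so a certbot run that prints nothing (presumably what `--quiet` does on success in `--cron` mode) aborts the script before the `# verify if all is right` checks and the link dance, leaving `live` on the old certificate — append `|| true` to that pipeline and let the following `openssl x509` checks decide. Two smaller slips: `DH_DIR=etc/ssl/dhparam` is missing its leading `/`, and the message after the link dance reads `$CRT_DIR/{vhost}/live/cert.crt` (missing `$`). Finally, `main()` ends with an `&&` list, so on a host without nginx the script's exit status is `pidof`'s failure even after a successful renewal, and `"$emailopt"` is passed quoted, so certbot receives `-m address` as one argument; end the function with `return 0` and pass the email option as separate words (unquoted, or as two variables).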
@@ -0,0 +1,58 @@ +# amazon-ec2 + +Manage Amazon EC2 instances. + +This role is intended to be called before any other role to setup and start EC2 +instances. + +## Dependancies + +You should first ensure that you have python-boto package installed on your +machine and an Amazon security access key pair created for your account. + +## Tasks + +By default, this role does nothing (no `main.yml` file). + +* `create-instance.yml`: create new EC2 instances + +## Variables + + - `aws_access_key` and `aws_secret_key`: your AWS credentials + - `aws_region`: where to create instances. Default: ca-central-1 + - `ec2_public_ip`: assign public elastic IP address. Default: False + - `ec2_instance_count`: how many instance to launch. Default: 1 + - `ec2_security_group: EC2 security group to use. See + ec2_evolinux_security_group in `defaults/main.yml` to define your own. + Default: ec2_evolinux_security_group + - `ec2_base_ami`: EC2 image to use. Default is to use Debian official ones, + depending on the region + - `ec2_instance_type`: EC2 instance type to use + - `ssh_pubkey_file`: SSH public key file to push to AWS. Do not try to put + your ED25519 key here, AWS does not support it. Default: ~/.ssh/id_rsa.pub + - `ec2_keyname: a name to give to your public key on AWS. Default is to use + $USER environment variable. + +## Examples + +In your main evolinux playbook put this play before Evolinux one: + +``` +--- +- name: Prepare Amazon EC2 instance + hosts: localhost + gather_facts: False + + vars: + aws_access_key: + aws_secret_key: + # Any other variable you want to set. + + tasks: + - include_role: + name: amazon-ec2 + tasks_from: create-instance.yml +``` + +See amazon-ec2-evolinux.yml for an almost ready-to-use playbook to set up +Amazon EC2 instances running Evolinux. diff --git a/amazon-ec2/amazon-ec2-evolinux.yml b/amazon-ec2/amazon-ec2-evolinux.yml new file mode 100644 index 00000000..282b8353 --- /dev/null +++ b/amazon-ec2/amazon-ec2-evolinux.yml 
@@ -0,0 +1,59 @@ +--- +- name: Prepare Amazon EC2 instance + hosts: localhost + gather_facts: False + + vars: + aws_access_key: + aws_secret_key: + aws_region: ca-central-1 + + tasks: + - include_role: + name: amazon-ec2 + tasks_from: create-instance.yml + +- name: Install Evolinux + hosts: launched-instances + become: yes + + vars_files: + - 'vars/secrets.yml' + + vars: + admin_users: "{{ admin_users }}" + minifirewall_trusted_ips: "{{ trusted_ips }}" + fail2ban_ignore_ips: "{{ trusted_ips }}" + evolinux_hostname: + evolinux_domain: + evolinux_fqdn: + evolinux_internal_hostname: + minifirewall_public_ports_tcp: [80, 443] + minifirewall_public_ports_udp: [] + minifirewall_semipublic_ports_tcp: [22] + nagios_nrpe_allowed_hosts: "{{ trusted_ips }}" + + roles: + - etc-git + - evolinux-base + - admin-users + - munin + - minifirewall + - fail2ban + - nagios-nrpe + - listupgrade + - evomaintenance + - evocheck + - packweb-apache + - mysql + + post_tasks: + - include_role: + name: etc-git + tasks_from: commit.yml + vars: + commit_message: "Ansible post-run Evolinux playbook" + + - include_role: + name: evocheck + tasks_from: exec.yml diff --git a/amazon-ec2/defaults/main.yml b/amazon-ec2/defaults/main.yml new file mode 100644 index 00000000..d53371dc --- /dev/null +++ b/amazon-ec2/defaults/main.yml 
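Review bot: `admin_users: "{{ admin_users }}"` in the Install Evolinux play defines the variable in terms of itself, which Ansible reports as a recursive loop when the value is templated; drop the line (the value is presumably meant to come from `vars/secrets.yml`) or rename the source variable. The blank `aws_access_key:`/`aws_secret_key:` keys in the first play parse as null and invite committing real credentials into this playbook; keep them out of the file and load them from the vaulted `vars/secrets.yml` the second play already uses, or from the environment (`lookup('env', 'AWS_ACCESS_KEY_ID')`). `gather_facts: False` and `become: yes` would conventionally be written `false`/`true`.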
@@ -0,0 +1,48 @@ +--- +aws_region: ca-central-1 +ec2_public_ip: False +ec2_instance_count: 1 +ec2_security_group: "{{ec2_evolinux_security_group}}" +ec2_base_ami: "{{ec2_debian_base_ami[aws_region]}}" +ec2_instance_type: t2.micro +# Note: Do not try to put your ED25519 key here, AWS does not support it... +ssh_pubkey_file: ~/.ssh/id_rsa.pub +ec2_keyname: "{{lookup('env', 'USER')}}" + +# From https://wiki.debian.org/Cloud/AmazonEC2Image/Stretch +ec2_debian_base_ami: + ap-northeast-1: ami-032dd665 + ap-northeast-2: ami-e174ac8f + ap-south-1: ami-6e7a3e01 + ap-southeast-1: ami-41365b22 + ap-southeast-2: ami-51f61333 + ca-central-1: ami-18239d7c + eu-central-1: ami-11bb0e7e + eu-west-1: ami-d037cda9 + eu-west-2: ami-ece3f388 + sa-east-1: ami-a24635ce + us-east-1: ami-ac5e55d7 + us-east-2: ami-9fbb98fa + us-west-1: ami-560c3836 + us-west-2: ami-fa18f282 + +ec2_evolinux_security_group: + name: evolinux-default + description: Evolinux default security group + rules: + - proto: icmp + cidr_ip: 0.0.0.0/0 + from_port: -1 + to_port: -1 + - proto: tcp + from_port: 22 + to_port: 22 + cidr_ip: 0.0.0.0/0 + - proto: tcp + from_port: 5666 + to_port: 5666 + cidr_ip: 0.0.0.0/0 + rules_egress: + - proto: all + cidr_ip: 0.0.0.0/0 + diff --git a/amazon-ec2/tasks/create-instance.yml b/amazon-ec2/tasks/create-instance.yml new file mode 100644 index 00000000..25b5c620 --- /dev/null +++ b/amazon-ec2/tasks/create-instance.yml 
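Review bot: `ec2_evolinux_security_group` admits SSH (22) and NRPE (5666) from `0.0.0.0/0`, while the playbook in this same commit limits those ports host-side to `trusted_ips`; the instance is therefore world-reachable on both ports between launch and the moment minifirewall is applied, and NRPE stays open at the EC2 layer whenever the host firewall is off. Make the source address a variable with the same meaning as the playbook's trusted list, e.g. `cidr_ip: "{{ ec2_admin_cidr | default('0.0.0.0/0') }}"` on the two tcp rules, so callers can narrow it without redefining the whole group. The AMI table is a snapshot of the wiki page cited above it at the time of this commit and deserves a comment telling maintainers to refresh it, since stale ids fail the launch task with little explanation.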
@@ -0,0 +1,55 @@ +--- +- name: Create default security group + ec2_group: + name: "{{ec2_security_group.name}}" + state: present + aws_access_key: "{{aws_access_key}}" + aws_secret_key: "{{aws_secret_key}}" + region: "{{aws_region}}" + description: "{{ec2_security_group.description}}" + rules: "{{ec2_security_group.rules}}" + +- name: Create key pair + ec2_key: + name: "{{ec2_keyname}}" + state: present + aws_access_key: "{{aws_access_key}}" + aws_secret_key: "{{aws_secret_key}}" + region: "{{aws_region}}" + key_material: "{{item}}" + with_file: "{{ssh_pubkey_file}}" + +- name: Launch new instance(s) + ec2: + state: present + aws_access_key: "{{aws_access_key}}" + aws_secret_key: "{{aws_secret_key}}" + region: "{{aws_region}}" + image: "{{ec2_base_ami}}" + instance_type: "{{ec2_instance_type}}" + count: "{{ec2_instance_count}}" + assign_public_ip: "{{ec2_public_ip}}" + group: "{{ec2_security_group.name}}" + key_name: "{{ec2_keyname}}" + wait: yes + register: ec2 + +- name: Add newly created instance(s) to inventory + add_host: + hostname: "{{item.public_dns_name}}" + groupname: launched-instances + ansible_user: admin + ansible_ssh_common_args: "-o StrictHostKeyChecking=no" + with_items: "{{ec2.instances}}" + +- debug: + msg: "Your newly created instance is reachable at: {{item.public_dns_name}}" + with_items: "{{ec2.instances}}" + +- name: Wait for SSH to come up on all instances (give up after 2m) + wait_for: + state: started + host: "{{item.public_dns_name}}" + port: 22 + timeout: 120 + with_items: "{{ec2.instances}}" From 7fa2dcbb2848fdf9eb6f6e8eec38b6f4a553d8b1 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Wed, 27 Sep 2017 17:57:02 +0200 Subject: [PATCH 020/266] Redis: Also install redis-tools --- redis/tasks/main.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/redis/tasks/main.yml b/redis/tasks/main.yml index 1b0545fa..eb31749e 100644 --- a/redis/tasks/main.yml +++ b/redis/tasks/main.yml 
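Review bot: `ansible_ssh_common_args: "-o StrictHostKeyChecking=no"` on the `add_host` task silences host-key verification for every host in `launched-instances`, and the second play in this commit then runs the full Evolinux roles with `become: yes` over that connection, so a wrong key on first contact would go unnoticed for the whole provisioning run. A stronger option is to read the host-key fingerprints from the instance's console output and seed known_hosts before the second play; if that is not practical, at least explain the trade-off on the task, e.g. `# fresh instance: host key unknown at first contact, verification skipped for this run`. The task also passes `ansible_user: admin` as a fact of the image; a comment noting it is the Debian cloud-image default would help whoever swaps `ec2_base_ami`.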
@@ -1,8 +1,11 @@ --- - name: Redis is installed. apt: - name: redis-server + name: "{{ item }}" state: present + with_items: + - redis-server + - redis-tools tags: - redis - packages From eab2c3946a4e644ca0b1a32347b6a1544ccfe4c2 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Wed, 27 Sep 2017 18:41:21 +0200 Subject: [PATCH 021/266] Redis: On stretch, make sure nrpe will use check_redis instead of check_tcp check_redis was added in nagios-plugins-contrib in strech. --- redis/handlers/main.yml | 5 +++++ redis/tasks/main.yml | 9 +++++++++ redis/tasks/nrpe_stretch.yml | 15 +++++++++++++++ 3 files changed, 29 insertions(+) create mode 100644 redis/tasks/nrpe_stretch.yml diff --git a/redis/handlers/main.yml b/redis/handlers/main.yml index 8a416b0e..49b906a1 100644 --- a/redis/handlers/main.yml +++ b/redis/handlers/main.yml @@ -8,3 +8,8 @@ service: name: munin-node state: restarted + +- name: restart nagios-nrpe-server + service: + name: nagios-nrpe-server + state: restarted diff --git a/redis/tasks/main.yml b/redis/tasks/main.yml index eb31749e..3c76eab5 100644 --- a/redis/tasks/main.yml +++ b/redis/tasks/main.yml @@ -34,3 +34,12 @@ - include: munin.yml when: _munin_installed.stat.exists and _munin_installed.stat.isdir + +- name: is NRPE present ? + stat: + path: /etc/nagios/nrpe.d/evolix.cfg + check_mode: no + register: nrpe_evolix_config + +- include: nrpe_stretch.yml + when: ansible_distribution_release == "stretch" and nrpe_evolix_config == true diff --git a/redis/tasks/nrpe_stretch.yml b/redis/tasks/nrpe_stretch.yml new file mode 100644 index 00000000..a2ffba17 --- /dev/null +++ b/redis/tasks/nrpe_stretch.yml 
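Review bot: Looping `apt` with `with_items` reads as one package per call; `apt`'s `name` accepts a list, so `name: [redis-server, redis-tools]` (or the block-style equivalent) states the intent directly and lets the module resolve both in one transaction. This is a style point only; the loop form installs the same packages.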
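Review bot: `when: ansible_distribution_release == "stretch" and nrpe_evolix_config == true` compares the whole registered result with `true`, so the include never runs; the intended test is `nrpe_evolix_config.stat.exists`, which is what 43d2de5 later on this page applies. The `stat` task carries no `tags:` while the tasks in `nrpe_stretch.yml` are tagged `redis`/`nrpe`, so a `--tags nrpe` run presumably skips the stat and then fails on the undefined variable in the condition; give the stat task the same tags.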
@@ -0,0 +1,15 @@ +--- +- name: Install perl lib-redis (needed by check_redis) + apt: + name: libredis-perl + state: present + tags: + - redis + - nrpe + +- name: Replace check_tcp by check_redis for NRPE + replace: + dest: /etc/nagios/nrpe.d/evolix.cfg + regexp: '^command\[check_redis\]=\/usr\/lib\/nagios\/plugins\/check_tcp -p 6379' + replace: 'command[check_redis]=/usr/lib/nagios/plugins/check_redis -H 127.0.0.1' + notify: restart nagios-nrpe-server From c12559193a7fce1f2f3ce472bc5ecae2d274c073 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Thu, 28 Sep 2017 15:02:29 +0200 Subject: [PATCH 022/266] Redis: Add the possibility to set an instance password --- redis/README.md | 1 + redis/defaults/main.yml | 2 ++ redis/tasks/munin.yml | 10 ++++++++++ redis/templates/redis.conf.j2 | 4 ++++ 4 files changed, 17 insertions(+) diff --git a/redis/README.md b/redis/README.md index 29ff132f..5a7168b7 100644 --- a/redis/README.md +++ b/redis/README.md @@ -16,6 +16,7 @@ Main variables are : * `redis_conf_path`: config file location ; * `redis_port`: listening TCP port ; * `redis_bind_interface`: listening IP address ; +* `redis_password`: password for redis. Empty means no password ; * `redis_unixsocket`: Unix socket ; * `redis_loglevel`: log verbosity ; * `redis_logfile`: log file location. diff --git a/redis/defaults/main.yml b/redis/defaults/main.yml index cf4e5fef..268bdd08 100644 --- a/redis/defaults/main.yml +++ b/redis/defaults/main.yml @@ -7,6 +7,8 @@ redis_bind_interface: 127.0.0.1 redis_unixsocket: '/var/run/redis/redis.sock' redis_timeout: 300 +redis_password: '' + redis_loglevel: "notice" redis_logfile: /var/log/redis/redis-server.log diff --git a/redis/tasks/munin.yml b/redis/tasks/munin.yml index 07473e2f..75d44941 100644 --- a/redis/tasks/munin.yml +++ b/redis/tasks/munin.yml 
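Review bot: The replacement command hard-codes `-H 127.0.0.1` and the plugin's default port, while the role exposes `redis_bind_interface` and `redis_port` (see the README hunk of the next commit on this line); an instance bound elsewhere or on another port gets a check that never connects. Render the host from the variable, `replace: 'command[check_redis]=/usr/lib/nagios/plugins/check_redis -H {{ redis_bind_interface }}'`, and pass the port through the plugin's port option when `redis_port` is not the default. Once `redis_password` (next commit) is set, this unauthenticated check will presumably need the credential as well; worth a comment so the two do not drift.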
@@ -60,3 +60,13 @@ - used_memory notify: restart munin-node tags: redis + +- name: Add redis password for munin + ini_file: + dest: /etc/munin/plugin-conf.d/munin-node + section: 'redis_*' + option: env.password + value: '{{ redis_password }}' + notify: restart munin-node + when: redis_password != '' + tags: redis diff --git a/redis/templates/redis.conf.j2 b/redis/templates/redis.conf.j2 index f7a7c5f0..78dd0c8c 100644 --- a/redis/templates/redis.conf.j2 +++ b/redis/templates/redis.conf.j2 @@ -7,6 +7,10 @@ bind {{ redis_bind_interface }} unixsocket {{ redis_unixsocket }} {% endif %} +{% if redis_password %} +requirepass {{ redis_password }} +{% endif %} + timeout {{ redis_timeout }} loglevel {{ redis_loglevel }} From 43d2de5da7e0f969aafc5fa6aa83b67323cf7380 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Thu, 28 Sep 2017 18:03:26 +0200 Subject: [PATCH 023/266] Redis: Fix error in the conditional inclusion of nrpe_stretch.yml --- redis/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/redis/tasks/main.yml b/redis/tasks/main.yml index 3c76eab5..33a70797 100644 --- a/redis/tasks/main.yml +++ b/redis/tasks/main.yml @@ -42,4 +42,4 @@ register: nrpe_evolix_config - include: nrpe_stretch.yml - when: ansible_distribution_release == "stretch" and nrpe_evolix_config == true + when: ansible_distribution_release == "stretch" and nrpe_evolix_config.stat.exists == true From 31a8aa0a326664afc87401ccfb49985dcf116dd8 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Fri, 29 Sep 2017 02:22:38 +0200 Subject: [PATCH 024/266] update tasks description. --- packweb-apache/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packweb-apache/README.md b/packweb-apache/README.md index d3f3f5b6..99e25da1 100644 --- a/packweb-apache/README.md +++ b/packweb-apache/README.md @@ -4,7 +4,7 @@ Install the web pack, with Apache. ## Tasks -Everything is in the `tasks/main.yml` file for now. +See `tasks/main.yml`. ## Available variables 
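Review bot: The `ini_file` task writes `redis_password` into `/etc/munin/plugin-conf.d/munin-node` without `no_log: true`, so the secret appears in the play output (and in any log collector or CI console that captures it); add `no_log: true` to the task. The `requirepass` line in `redis.conf.j2` carries the same secret, and the task rendering that template is outside this diff, so I cannot tell whether the file mode is restricted — confirm the rendered `redis.conf` is not world-readable.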
From 36419c5b3c7c3144466d7c1a4f0d294a1a850e8f Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Mon, 2 Oct 2017 17:13:10 +0200 Subject: [PATCH 025/266] Redis: Set pasword variable as NULL instead of '' --- redis/defaults/main.yml | 2 +- redis/tasks/munin.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/redis/defaults/main.yml b/redis/defaults/main.yml index 268bdd08..6526c887 100644 --- a/redis/defaults/main.yml +++ b/redis/defaults/main.yml @@ -7,7 +7,7 @@ redis_bind_interface: 127.0.0.1 redis_unixsocket: '/var/run/redis/redis.sock' redis_timeout: 300 -redis_password: '' +redis_password: NULL redis_loglevel: "notice" redis_logfile: /var/log/redis/redis-server.log diff --git a/redis/tasks/munin.yml b/redis/tasks/munin.yml index 75d44941..04d6449c 100644 --- a/redis/tasks/munin.yml +++ b/redis/tasks/munin.yml @@ -68,5 +68,5 @@ option: env.password value: '{{ redis_password }}' notify: restart munin-node - when: redis_password != '' + when: redis_password != '' and redis_password != None tags: redis From 27e4512e502870af67aa7665c16b43e71a2ccff8 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Tue, 3 Oct 2017 10:21:13 +0200 Subject: [PATCH 026/266] Redis: Ensure that we do not modify munin-node config if there is multiple redis config blocs --- redis/tasks/munin.yml | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/redis/tasks/munin.yml b/redis/tasks/munin.yml index 04d6449c..74676e07 100644 --- a/redis/tasks/munin.yml +++ b/redis/tasks/munin.yml 
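Review bot: `redis_password: NULL` works because YAML treats `NULL` as null, but the conventional spelling is `null`, and the condition `redis_password != '' and redis_password != None` can be replaced by the same truthiness test the template already uses (`{% if redis_password %}` in `redis.conf.j2`, previous commit): `when: redis_password`. That keeps the two places that decide whether a password is in effect from drifting apart.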
@@ -61,12 +61,24 @@ notify: restart munin-node tags: redis -- name: Add redis password for munin +- name: Count redis condif blocks in munin-node configuration + command: grep -c "\[redis_" /etc/munin/plugin-conf.d/munin-node + register: munin_redis_blocs_in_config + failed_when: False + changed_when: False + +- name: Add redis password for munin (if no more than 1 config block) ini_file: dest: /etc/munin/plugin-conf.d/munin-node section: 'redis_*' option: env.password value: '{{ redis_password }}' notify: restart munin-node - when: redis_password != '' and redis_password != None + when: "redis_password != '' and redis_password != None and {{munin_redis_blocs_in_config.stdout | int}} <= 1" tags: redis + + +- name: Warn if multiple instance in munin-plugins configuration + debug: + msg: "WARNING - It seems you have multiple redis sections in your munin-node configuration - Munin config NOT changed" + when: "redis_password != '' and redis_password != None and {{munin_redis_blocs_in_config.stdout | int}} > 1 " From 46c1cbd1a4339b12f79eb0b5aefd112bfab323b8 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Tue, 3 Oct 2017 23:45:17 +0200 Subject: [PATCH 027/266] update title --- memcached/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memcached/README.md b/memcached/README.md index 3c571029..38e5f89d 100644 --- a/memcached/README.md +++ b/memcached/README.md @@ -1,4 +1,4 @@ -# PHP-FPM +# Memcached Installation and basic configuration of memcached From 5ffc94281fe0b2299fb1cfb065e240c8ed59f4ea Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 4 Oct 2017 14:29:19 +0200 Subject: [PATCH 028/266] evolinux-base: parse fstab with better regex The fstab file usually has fields separated by spaces but sometimes they are separated by tabs. --- evolinux-base/tasks/fstab.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/evolinux-base/tasks/fstab.yml b/evolinux-base/tasks/fstab.yml index 6c8b122a..9baa8a70 100644 
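Review bot: Both `when:` clauses embed `{{ … }}` inside the condition; `when` is already a Jinja expression, and Ansible warns about (and later versions reject) moustaches there. Write `when: redis_password != '' and redis_password != None and (munin_redis_blocs_in_config.stdout | int) <= 1` and the `> 1` counterpart. `failed_when: False` on the grep keeps a missing config file from aborting, but then `stdout` is empty, `'' | int` is 0, and the password task proceeds to create the file — presumably acceptable, but say so in a comment. Typo in the task name: `condif` → `config`.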
--- a/evolinux-base/tasks/fstab.yml +++ b/evolinux-base/tasks/fstab.yml @@ -16,7 +16,7 @@ replace: '\1{{ evolinux_fstab_home_options | mandatory }}\3' notify: remount /home when: - - "' /home ' in fstab_content.stdout" + - fstab_content.stdout | regex_search('\s/home\s') - evolinux_fstab_home - name: /tmp partition is customized @@ -25,7 +25,7 @@ regexp: '([^#]\s+/tmp\s+\S+\s+)([a-z,]+)(\s+)' replace: '\1{{ evolinux_fstab_tmp_options | mandatory }}\3' when: - - "' /tmp ' in fstab_content.stdout" + - fstab_content.stdout | regex_search('\s/tmp\s') - evolinux_fstab_tmp - name: /usr partition is customized @@ -34,7 +34,7 @@ regexp: '([^#]\s+/usr\s+\S+\s+)([a-z,]+)(\s+)' replace: '\1{{ evolinux_fstab_usr_options | mandatory }}\3' when: - - "' /usr ' in fstab_content.stdout" + - fstab_content.stdout | regex_search('\s/usr\s') - evolinux_fstab_usr - name: /var partition is customized @@ -44,7 +44,7 @@ replace: '\1{{ evolinux_fstab_var_options | mandatory }}\3' notify: remount /var when: - - "' /var ' in fstab_content.stdout" + - fstab_content.stdout | regex_search('\s/var\s') - evolinux_fstab_var - name: /var/tmp is created From 72c1bb483404c3cd05ffcd1a16f7fc367d091785 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 4 Oct 2017 14:54:46 +0200 Subject: [PATCH 029/266] postgresql: version 9.6 by default For Jessie we use external repositories For Stretch we install from Debian repositories --- postgresql/defaults/main.yml | 2 +- postgresql/tasks/main.yml | 7 ++++--- postgresql/tasks/packages.yml | 8 -------- postgresql/templates/postgresql.conf | 2 +- 4 files changed, 6 insertions(+), 13 deletions(-) delete mode 100644 postgresql/tasks/packages.yml diff --git a/postgresql/defaults/main.yml b/postgresql/defaults/main.yml index 543f1707..6ee57747 100644 --- a/postgresql/defaults/main.yml +++ b/postgresql/defaults/main.yml 
@@ -9,4 +9,4 @@ postgresql_random_page_cost: 1.5 postgresql_effective_cache_size: "{{ (ansible_memtotal_mb * 0.5) | int }}MB" # PostgreSQL version -postgresql_version: '9.4' +postgresql_version: '9.6' diff --git a/postgresql/tasks/main.yml b/postgresql/tasks/main.yml index b090b09d..3bc1f904 100644 --- a/postgresql/tasks/main.yml +++ b/postgresql/tasks/main.yml @@ -1,9 +1,10 @@ --- -- include: pgdg-repo.yml - when: postgresql_version != '9.4' +- include: packages_jessie.yml + when: ansible_distribution_release == "jessie" -- include: packages.yml +- include: packages_stretch.yml + when: ansible_distribution_major_version | version_compare('9', '>=') - include: config.yml diff --git a/postgresql/tasks/packages.yml b/postgresql/tasks/packages.yml deleted file mode 100644 index cd4f3efa..00000000 --- a/postgresql/tasks/packages.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- - -- name: Install postgresql package - apt: - name: '{{item}}' - with_items: - - "postgresql-{{postgresql_version}}" - - ptop diff --git a/postgresql/templates/postgresql.conf b/postgresql/templates/postgresql.conf index eafadeb9..ebb6dde2 100644 --- a/postgresql/templates/postgresql.conf +++ b/postgresql/templates/postgresql.conf @@ -3,7 +3,7 @@ shared_buffers = {{ postgresql_shared_buffers }} work_mem = {{ postgresql_work_mem }} #shared_preload_libraries = 'pg_stat_statements' #synchronous_commit = off -{% if postgresql_version |version_compare('9.5', '<') %} +{% if postgresql_version | version_compare('9.5', '<') %} checkpoint_segments = 30 {% else %} max_wal_size = 15GB From 3f350e795548699be2c4e563aa80590446b35eef Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 4 Oct 2017 17:19:49 +0200 Subject: [PATCH 030/266] nagios: don't overwrite the config file --- nagios-nrpe/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/nagios-nrpe/tasks/main.yml b/nagios-nrpe/tasks/main.yml index dbb73903..b52d0425 100644 --- a/nagios-nrpe/tasks/main.yml +++ b/nagios-nrpe/tasks/main.yml 
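Review bot: The two includes are not as symmetric as the version default assumes: `packages_stretch.yml` runs for any Debian with major version `>= 9` and (per d35068c on this page) installs the unversioned `postgresql` package, while `postgresql_version` stays fixed at `'9.6'` and drives `postgresql.conf` (the `version_compare('9.5', '<')` branch) and presumably the paths used in `config.yml`. On any release after stretch the installed major will diverge from the configured one without an error. Either narrow the condition to `ansible_distribution_release == "stretch"`, mirroring the jessie include, or derive `postgresql_version` from the installed package rather than from a default.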
@@ -17,6 +17,7 @@ dest: /etc/nagios/nrpe.d/evolix.cfg group: nagios mode: "0640" + force: no notify: restart nagios-nrpe-server - name: Nagios config is secured From d35068cf11693f46580741f1aba2dca8c6021686 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 4 Oct 2017 17:20:33 +0200 Subject: [PATCH 031/266] postgresql: forgotten files, sorry --- postgresql/tasks/packages_jessie.yml | 11 +++++++++++ postgresql/tasks/packages_stretch.yml | 8 ++++++++ 2 files changed, 19 insertions(+) create mode 100644 postgresql/tasks/packages_jessie.yml create mode 100644 postgresql/tasks/packages_stretch.yml diff --git a/postgresql/tasks/packages_jessie.yml b/postgresql/tasks/packages_jessie.yml new file mode 100644 index 00000000..399a680e --- /dev/null +++ b/postgresql/tasks/packages_jessie.yml @@ -0,0 +1,11 @@ +--- + +- include: pgdg-repo.yml + when: postgresql_version != '9.4' + +- name: Install postgresql package + apt: + name: '{{item}}' + with_items: + - "postgresql-{{postgresql_version}}" + - ptop diff --git a/postgresql/tasks/packages_stretch.yml b/postgresql/tasks/packages_stretch.yml new file mode 100644 index 00000000..d3a3e8fe --- /dev/null +++ b/postgresql/tasks/packages_stretch.yml @@ -0,0 +1,8 @@ +--- + +- name: Install postgresql package + apt: + name: '{{item}}' + with_items: + - postgresql + - ptop From f050608596230c573254cd51f50ff87a60dae4f2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Wed, 4 Oct 2017 23:31:29 +0200 Subject: [PATCH 032/266] evolinux-base/meta: compatible with stretch --- evolinux-base/meta/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/evolinux-base/meta/main.yml b/evolinux-base/meta/main.yml index 2d640995..2b6aed3c 100644 --- a/evolinux-base/meta/main.yml +++ b/evolinux-base/meta/main.yml @@ -12,6 +12,7 @@ galaxy_info: - name: Debian versions: - jessie + - stretch dependencies: [] # List your role dependencies here, one per line. 
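Review bot: `force: no` means `/etc/nagios/nrpe.d/evolix.cfg` is deployed only when absent, so later changes to the role's copy are never pushed and the file silently drifts from the role; that is the stated intent, but it deserves a comment on the task (whose module line is above the hunk), e.g. `# force: no — other roles edit this file in place (see redis nrpe_stretch.yml), never overwrite an existing copy`. Prefer `force: false` over `no` (YAML 1.1 truthy spelling). Note that a task elsewhere in the role should still validate the file, since a locally edited copy is now never refreshed by this one.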
From ee80235e14f212a87ccc9f16796726133a8cb3cc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Wed, 4 Oct 2017 23:32:27 +0200 Subject: [PATCH 033/266] evolinux-base: etc-git is included after apt customization APT sources must be customized before installing any package --- evolinux-base/defaults/main.yml | 26 +++++++++++++++----------- evolinux-base/tasks/main.yml | 13 +++++++++---- 2 files changed, 24 insertions(+), 15 deletions(-) diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index e0c91fd1..37cc826d 100644 --- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml @@ -10,6 +10,21 @@ logcheck_alert_email: Null raid_alert_email: Null postfix_alias_email: Null +# apt + +evolinux_apt_include: True + +evolinux_apt_conf: True +evolinux_apt_hooks: True +evolinux_apt_replace_default_sources: True +evolinux_apt_public_sources: True +evolinux_apt_upgrade: True +evolinux_apt_remove_aptitude: True + +# etc-git + +evolinux_etcgit_include: True + # hostname evolinux_hostname_include: True @@ -31,17 +46,6 @@ evolinux_kernel_disable_tcp_timestamps: True evolinux_kernel_reduce_swapiness: True evolinux_kernel_cve20165696: True -# apt - -evolinux_apt_include: True - -evolinux_apt_conf: True -evolinux_apt_hooks: True -evolinux_apt_replace_default_sources: True -evolinux_apt_public_sources: True -evolinux_apt_upgrade: True -evolinux_apt_remove_aptitude: True - # fstab evolinux_fstab_include: True diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml index 5c1ad594..f44cfa11 100644 --- a/evolinux-base/tasks/main.yml +++ b/evolinux-base/tasks/main.yml 
@@ -5,6 +5,15 @@ when: - ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<') +- name: Apt configuration + include: apt.yml + when: evolinux_apt_include + +- name: /etc versioning with Git + include_role: + name: etc-git + when: evolinux_etcgit_include + - name: Hostname include: hostname.yml when: evolinux_hostname_include @@ -13,10 +22,6 @@ include: kernel.yml when: evolinux_kernel_include -- name: Apt configuration and packages install - include: apt.yml - when: evolinux_apt_include - - name: Fstab configuration include: fstab.yml when: evolinux_fstab_include From 622698fb99ccb18239f369104bd16038a660e649 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Wed, 4 Oct 2017 23:43:33 +0200 Subject: [PATCH 034/266] Don't disable root access by default It will be caught by evocheck if we forget to disable it but will prevent locking ourselves out if we don't create users --- evolinux-base/README.md | 2 +- evolinux-base/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/evolinux-base/README.md b/evolinux-base/README.md index 8ef7a70e..570e2313 100644 --- a/evolinux-base/README.md +++ b/evolinux-base/README.md @@ -36,6 +36,6 @@ Main variables are: * `evolinux_additional_packages`: optional additional packages to install (default: `[]`) * `evolinux_postfix_purge_exim`: purge Exim packages (default: `True`) ; * `evolinux_ssh_password_auth_addresses`: list of addresses that can authenticate with a password (default: `[]`) -* `evolinux_ssh_disable_root`: disable SSH access for root (default: `True`) +* `evolinux_ssh_disable_root`: disable SSH access for root (default: `False`) The full list of variables (with default values) can be found in `defaults/main.yml`. diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index 37cc826d..4328b241 100644 --- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml 
@@ -119,7 +119,7 @@ evolinux_ssh_include: True evolinux_ssh_password_auth_addresses: [] evolinux_ssh_match_address: True -evolinux_ssh_disable_root: True +evolinux_ssh_disable_root: False evolinux_ssh_disable_acceptenv: True # postfix From be32fd9a23201266cc1ace6c1840e15d70d58e15 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Wed, 4 Oct 2017 23:43:55 +0200 Subject: [PATCH 035/266] Remove useless comments --- evolinux-base/tasks/ssh.yml | 34 ---------------------------------- 1 file changed, 34 deletions(-) diff --git a/evolinux-base/tasks/ssh.yml b/evolinux-base/tasks/ssh.yml index 2b7273b5..6fc80292 100644 --- a/evolinux-base/tasks/ssh.yml +++ b/evolinux-base/tasks/ssh.yml 
@@ -17,40 +17,6 @@ notify: reload sshd when: not evolinux_ssh_password_auth_addresses == [] -# - name: verify Match Address directive -# command: "grep 'Match Address' /etc/ssh/sshd_config" -# changed_when: False -# failed_when: False -# check_mode: no -# register: grep_matchaddress_ssh -# -# - name: Add Match Address sshd directive -# lineinfile: -# dest: /etc/ssh/sshd_config -# line: "\nMatch Address {{ evolinux_ssh_password_auth_addresses | join(',') }}\n PasswordAuthentication yes" -# insertafter: '# +ForceCommand cvs server' -# validate: '/usr/sbin/sshd -T -f %s' -# notify: reload sshd -# when: evolinux_ssh_match_address and grep_matchaddress_ssh.rc != 0 and evolinux_ssh_password_auth_addresses != [] -# -# - name: Modify Match Address sshd directive -# replace: -# dest: /etc/ssh/sshd_config -# regexp: '^(Match Address ((?!{{ item }}).)*)$' -# replace: '\1,{{ item }}' -# validate: '/usr/sbin/sshd -T -f %s' -# with_items: "{{ evolinux_ssh_password_auth_addresses }}" -# notify: reload sshd -# when: evolinux_ssh_match_address and grep_matchaddress_ssh.rc == 0 -# -# - name: Add Match Group sudo without password -# lineinfile: -# dest: /etc/ssh/sshd_config -# line: "\nMatch Group sudo\n PasswordAuthentication no" -# insertbefore: '^Match Address' -# validate: '/usr/sbin/sshd -T -f %s' -# notify: reload sshd - - name: disable SSH access for root replace: dest: /etc/ssh/sshd_config From 24948cf4faf0d0f6dd53723ffe20e8dbdb5a170c Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 5 Oct 2017 18:46:40 +0200 Subject: [PATCH 036/266] proftpd: blank vpasswd if missing --- proftpd/files/vpasswd | 1 + proftpd/tasks/main.yml | 9 +++++++++ 2 files changed, 10 insertions(+) create mode 100644 proftpd/files/vpasswd diff --git a/proftpd/files/vpasswd b/proftpd/files/vpasswd new file mode 100644 index 00000000..c7f074ae --- /dev/null +++ b/proftpd/files/vpasswd @@ -0,0 +1 @@ +# username:password:uid:gid:gecos:homedir:shell 
diff --git a/proftpd/tasks/main.yml b/proftpd/tasks/main.yml index 3f6b3abe..76056e15 100644 --- a/proftpd/tasks/main.yml +++ b/proftpd/tasks/main.yml @@ -32,3 +32,12 @@ notify: restart proftpd tags: - proftpd + +- name: Put empty vpasswd file if missing + copy: + src: vpasswd + dest: /etc/proftpd/vpasswd + force: no + mode: "0440" + tags: + - proftpd From b180ca432bea4ac2a93754dc47cee7b6bb89202e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 6 Oct 2017 00:21:00 +0200 Subject: [PATCH 037/266] apt: remove a debug task --- apt/tasks/main.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/apt/tasks/main.yml b/apt/tasks/main.yml index 7bb8950e..af7980c8 100644 --- a/apt/tasks/main.yml +++ b/apt/tasks/main.yml @@ -19,9 +19,6 @@ tags: - apt -- debug: - var: apt_install_evolix_public - - name: Install Evolix Public APT repository include: evolix_public.yml when: apt_install_evolix_public From 116f086b861b623473002b1b14ff56d464eb8d4b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 6 Oct 2017 00:21:19 +0200 Subject: [PATCH 038/266] drbd: cleanup readme --- drbd/README.md | 20 -------------------- 1 file changed, 20 deletions(-) diff --git a/drbd/README.md b/drbd/README.md index 86ae3aa6..f08d30f4 100644 --- a/drbd/README.md +++ b/drbd/README.md @@ -5,23 +5,3 @@ Install tools to setup DRBD replication accross servers. ## Tasks Everything is in the `tasks/main.yml` file. - -## Available variables - -The variable `admin_users` must be a "dict" of one or more users : - -``` -admin_users: - foo: - name: foo - uid: 1001 - fullname: 'Mr Foo' - password_hash: 'sdfgsdfgsdfgsdfg' - ssh_key: 'ssh-rsa AZERTYXYZ' - bar: - name: bar - uid: 1002 - fullname: 'Mr Bar' - password_hash: 'gsdfgsdfgsdfgsdf' - ssh_key: 'ssh-rsa QWERTYUIOP' -``` From 7b88393ccf95e38a8d5784617c70eb850919d1f7 Mon Sep 17 00:00:00 2001 
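Review bot: The `mode: "0440"` in "Put empty vpasswd file if missing" is only applied when the file is actually copied; with `force: no`, Ansible's `copy` returns early when `/etc/proftpd/vpasswd` already exists, so an existing file holding password hashes keeps whatever (possibly world-readable) permissions it has. No `owner`/`group` is set either, so the freshly copied file is root:root 0440, which presumably only works if proftpd reads it as root at startup — worth confirming. A follow-up task that enforces the attributes regardless of copy status would close the gap: `- file: { path: /etc/proftpd/vpasswd, mode: "0440", state: file }` (block style in the role's convention), with an explicit `owner`/`group` once the reading user is confirmed.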
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Thu, 5 Oct 2017 23:55:34 +0200 Subject: [PATCH 039/266] Refactoring of admin-users + evolinux-base roles * rename admin-users to evolinux-users * splitting the "sudo" part for users between jessie and stretch * with stretch, the sudo group is customizable and properly configured * import evolinux-users role from evolinux-base at proper time to ensure ssh connections are possible for other users before cutting root's access * evomaintenance is also included in evolinux-base to have it available when users are created --- admin-users/defaults/main.yml | 3 -- admin-users/tasks/admin_user.yml | 11 ----- admin-users/tasks/sudo.yml | 48 ------------------- evolinux-base/defaults/main.yml | 26 ++++++---- evolinux-base/tasks/main.yml | 16 +++++-- evolinux-base/tasks/root.yml | 8 ++++ evolinux-base/tasks/ssh.yml | 8 ---- {admin-users => evolinux-users}/.kitchen.yml | 2 +- {admin-users => evolinux-users}/README.md | 8 ++-- evolinux-users/defaults/main.yml | 3 ++ .../handlers/main.yml | 0 {admin-users => evolinux-users}/meta/main.yml | 2 +- .../tasks/account.yml | 12 ----- .../tasks/main.yml | 10 ++-- .../tasks/profile.yml | 0 {admin-users => evolinux-users}/tasks/ssh.yml | 0 evolinux-users/tasks/sudo_jessie.yml | 21 ++++++++ evolinux-users/tasks/sudo_stretch.yml | 23 +++++++++ evolinux-users/tasks/user.yml | 15 ++++++ .../templates/sudoers_jessie.j2 | 0 .../templates/sudoers_stretch.j2 | 4 +- .../tests/spec/evolinux-users_spec.rb | 0 .../tests/test.yml | 4 +- 23 files changed, 115 insertions(+), 109 deletions(-) delete mode 100644 admin-users/defaults/main.yml delete mode 100644 admin-users/tasks/admin_user.yml delete mode 100644 admin-users/tasks/sudo.yml rename {admin-users => evolinux-users}/.kitchen.yml (92%) rename {admin-users => evolinux-users}/README.md (66%) create mode 100644 evolinux-users/defaults/main.yml rename {admin-users => evolinux-users}/handlers/main.yml (100%) rename {admin-users => 
evolinux-users}/meta/main.yml (88%) rename admin-users/tasks/user.yml => evolinux-users/tasks/account.yml (72%) rename {admin-users => evolinux-users}/tasks/main.yml (52%) rename {admin-users => evolinux-users}/tasks/profile.yml (100%) rename {admin-users => evolinux-users}/tasks/ssh.yml (100%) create mode 100644 evolinux-users/tasks/sudo_jessie.yml create mode 100644 evolinux-users/tasks/sudo_stretch.yml create mode 100644 evolinux-users/tasks/user.yml rename {admin-users => evolinux-users}/templates/sudoers_jessie.j2 (100%) rename {admin-users => evolinux-users}/templates/sudoers_stretch.j2 (75%) rename admin-users/tests/spec/admin-users_spec.rb => evolinux-users/tests/spec/evolinux-users_spec.rb (100%) rename {admin-users => evolinux-users}/tests/test.yml (94%) diff --git a/admin-users/defaults/main.yml b/admin-users/defaults/main.yml deleted file mode 100644 index ad5f42cb..00000000 --- a/admin-users/defaults/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -admin_users: {} -admin_users_group: adm diff --git a/admin-users/tasks/admin_user.yml b/admin-users/tasks/admin_user.yml deleted file mode 100644 index 329ce50e..00000000 --- a/admin-users/tasks/admin_user.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- - -- include: user.yml - -- include: profile.yml - -- include: ssh.yml - -- include: sudo.yml - -- meta: flush_handlers diff --git a/admin-users/tasks/sudo.yml b/admin-users/tasks/sudo.yml deleted file mode 100644 index e05ac614..00000000 --- a/admin-users/tasks/sudo.yml +++ /dev/null 
@@ -1,48 +0,0 @@ ---- - -- name: "Verify Evolinux sudoers file presence (jessie)" - template: - src: sudoers_jessie.j2 - dest: /etc/sudoers.d/evolinux - force: no - validate: '/usr/sbin/visudo -cf %s' - register: copy_sudoers_evolinux - when: ansible_distribution_release == "jessie" - -- name: "Verify Evolinux sudoers file presence (Debian 9 or later)" - template: - src: sudoers_stretch.j2 - dest: /etc/sudoers.d/evolinux - force: no - validate: '/usr/sbin/visudo -cf %s' - register: copy_sudoers_evolinux - when: ansible_distribution_major_version | version_compare('9', '>=') - -- name: "Verify Evolinux sudoers file permissions" - file: - path: /etc/sudoers.d/evolinux - mode: "0440" - state: file - -- name: "Add user in sudoers file for '{{ user.name }}' (jessie)" - replace: - dest: /etc/sudoers.d/evolinux - regexp: '^(User_Alias\s+ADMINS\s+=((?!{{ user.name }}).)*)$' - replace: '\1,{{ user.name }}' - validate: '/usr/sbin/visudo -cf %s' - when: - - ansible_distribution_release == "jessie" - - not copy_sudoers_evolinux.changed - -- name: "Create evolinux-sudo group (Debian 9 or later)" - group: - name: evolinux-sudo - system: yes - when: ansible_distribution_major_version | version_compare('9', '>=') - -- name: "Add user to evolinux-sudo group (Debian 9 or later)" - user: - name: '{{ user.name }}' - groups: 'evolinux-sudo' - append: yes - when: ansible_distribution_major_version | version_compare('9', '>=') diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index 4328b241..174fc2d0 100644 --- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml 
@@ -100,6 +100,22 @@ evolinux_system_alert5_init: True evolinux_system_alert5_enable: True evolinux_system_eni_auto: True +# evomaintenance + +evolinux_evomaintenance_include: True + +# ssh + +evolinux_ssh_include: True + +evolinux_ssh_password_auth_addresses: [] +evolinux_ssh_match_address: True +evolinux_ssh_disable_acceptenv: True + +# evolinux users + +evolinux_users_include: True + # root evolinux_root_include: True @@ -112,15 +128,7 @@ evolinux_root_gitconfig: True evolinux_root_bash_history_appendonly: True evolinux_root_vim_default: True evolinux_root_vim_conf: True - -# ssh - -evolinux_ssh_include: True - -evolinux_ssh_password_auth_addresses: [] -evolinux_ssh_match_address: True -evolinux_ssh_disable_root: False -evolinux_ssh_disable_acceptenv: True +evolinux_root_disable_ssh: True # postfix diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml index f44cfa11..b400e334 100644 --- a/evolinux-base/tasks/main.yml +++ b/evolinux-base/tasks/main.yml @@ -34,14 +34,24 @@ include: system.yml when: evolinux_system_include -- name: Root user configuration - include: root.yml - when: evolinux_root_include +- name: Evomaintenance + include_role: + name: evomaintenance + when: evolinux_evomaintenance_include - name: SSH configuration include: ssh.yml when: evolinux_ssh_include +- name: Create evolinux users + include_role: + name: evolinux-users + when: evolinux_users_include + +- name: Root user configuration + include: root.yml + when: evolinux_root_include + - name: Postfix include: postfix.yml when: evolinux_postfix_include diff --git a/evolinux-base/tasks/root.yml b/evolinux-base/tasks/root.yml index ffe64fe1..4c66324a 100644 --- a/evolinux-base/tasks/root.yml +++ b/evolinux-base/tasks/root.yml 
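Review bot: The new `evolinux_root_disable_ssh: True` default re-introduces the lockout risk that patch 034 removed, because nothing in the new main.yml ordering checks that a usable account exists before root.yml runs: `evolinux_users` defaults to `{}` and an empty dict only produces a debug warning (see the evolinux-users main.yml hunk), so a run with no users defined ends with `PermitRootLogin no` and no other login path. Ordering evolinux-users before root.yml helps only when users are actually declared. Consider gating the root task on the users variable, e.g. `when: evolinux_root_disable_ssh and (evolinux_users | default({})) != {}`, or making the evolinux-users role fail (not warn) when `evolinux_users` is empty and root disabling is requested, and saying so in the README where `evolinux_ssh_disable_root` was previously documented.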
@@ -80,4 +80,12 @@ - "set shiftwidth=4" when: evolinux_root_vim_conf +- name: disable SSH access for root + replace: + dest: /etc/ssh/sshd_config + regexp: '^PermitRootLogin (yes|without-password)' + replace: "PermitRootLogin no" + notify: reload sshd + when: evolinux_root_disable_ssh + - meta: flush_handlers diff --git a/evolinux-base/tasks/ssh.yml b/evolinux-base/tasks/ssh.yml index 6fc80292..8094d8bc 100644 --- a/evolinux-base/tasks/ssh.yml +++ b/evolinux-base/tasks/ssh.yml @@ -17,14 +17,6 @@ notify: reload sshd when: not evolinux_ssh_password_auth_addresses == [] -- name: disable SSH access for root - replace: - dest: /etc/ssh/sshd_config - regexp: '^PermitRootLogin (yes|without-password)' - replace: "PermitRootLogin no" - notify: reload sshd - when: evolinux_ssh_disable_root - # We disable AcceptEnv because it can be a security issue, but also because we # do not want clients to push their environment variables like LANG. - name: disable AcceptEnv in ssh config diff --git a/admin-users/.kitchen.yml b/evolinux-users/.kitchen.yml similarity index 92% rename from admin-users/.kitchen.yml rename to evolinux-users/.kitchen.yml index f9ea107a..0c97cc85 100644 --- a/admin-users/.kitchen.yml +++ b/evolinux-users/.kitchen.yml @@ -31,7 +31,7 @@ suites: playbook: ./tests/test.yml verifier: patterns: - - admin-users/tests/spec/admin-users_spec.rb + - evolinux-users/tests/spec/evolinux-users_spec.rb bundler_path: '/usr/local/bin' rspec_path: '/usr/local/bin' diff --git a/admin-users/README.md b/evolinux-users/README.md similarity index 66% rename from admin-users/README.md rename to evolinux-users/README.md index 68b0044d..83d69172 100644 --- a/admin-users/README.md +++ b/evolinux-users/README.md @@ -1,6 +1,6 @@ -# admin-users +# evolinux-users -Creates admin users accounts, based on a configuration data structure. +Creates evolinux users accounts, based on a configuration data structure. ## Tasks 
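Review bot: The regexp `^PermitRootLogin (yes|without-password)` in "disable SSH access for root" silently does nothing on a stock sshd_config where the directive is commented out (`#PermitRootLogin ...`) or uses the newer `prohibit-password` spelling (OpenSSH ≥ 7.0, which I believe is what stretch ships), leaving root key-based login allowed while the task reports no change. A `lineinfile` with `regexp: '^#?PermitRootLogin'`, `line: 'PermitRootLogin no'` and `validate: '/usr/sbin/sshd -T -f %s'` (the validate the role's removed comments already used) covers all three cases and catches a broken config before `reload sshd` fires. The moved task also drops the `validate` the previous ssh.yml variants carried, so a bad edit is only noticed when the reload fails.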
@@ -8,10 +8,10 @@ Everything is in the `tasks/main.yml` file. ## Available variables -The variable `admin_users` must be a "dict" of one or more users : +The variable `evolinux_users` must be a "dict" of one or more users : ``` -admin_users: +evolinux_users: foo: name: foo uid: 1001 diff --git a/evolinux-users/defaults/main.yml b/evolinux-users/defaults/main.yml new file mode 100644 index 00000000..f0947958 --- /dev/null +++ b/evolinux-users/defaults/main.yml @@ -0,0 +1,3 @@ +--- +evolinux_users: {} +evolinux_sudo_group: "evolinux-sudo" diff --git a/admin-users/handlers/main.yml b/evolinux-users/handlers/main.yml similarity index 100% rename from admin-users/handlers/main.yml rename to evolinux-users/handlers/main.yml diff --git a/admin-users/meta/main.yml b/evolinux-users/meta/main.yml similarity index 88% rename from admin-users/meta/main.yml rename to evolinux-users/meta/main.yml index 006768d3..9bae9e73 100644 --- a/admin-users/meta/main.yml +++ b/evolinux-users/meta/main.yml @@ -1,6 +1,6 @@ galaxy_info: author: Evolix - description: Creates admin users accounts. + description: Creates evolinux users accounts. issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues diff --git a/admin-users/tasks/user.yml b/evolinux-users/tasks/account.yml similarity index 72% rename from admin-users/tasks/user.yml rename to evolinux-users/tasks/account.yml index 94f1a0c3..453eca66 100644 --- a/admin-users/tasks/user.yml +++ b/evolinux-users/tasks/account.yml 
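Review bot: The new `evolinux_sudo_group: "evolinux-sudo"` default is not mentioned in the README, which only renames `admin_users` to `evolinux_users`, yet the group name is templated straight into `/etc/sudoers.d/evolinux` where its members get `ALL=(ALL:ALL) ALL` plus passwordless `MAINT`. Add a README line such as `* evolinux_sudo_group: group whose members get full sudo and NOPASSWD for the MAINT alias (Debian 9+, default: evolinux-sudo)` so operators overriding it (e.g. to an existing group) understand the grant. The `visudo -cf` validate catches syntax errors but not an over-broad group name, so documentation is the only guard here.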
@@ -35,18 +35,6 @@ update_password: on_create when: loginisbusy.rc != 0 and uidisbusy.rc == 0 -- name: "Create {{ admin_users_group }} group (Debian 9 or later)" - group: - name: "{{ admin_users_group }}" - when: ansible_distribution_major_version | version_compare('9', '>=') - -- name: "Add user to {{ admin_users_group }} group (Debian 9 or later)" - user: - name: '{{ user.name }}' - groups: '{{ admin_users_group }}' - append: yes - when: ansible_distribution_major_version | version_compare('9', '>=') - - name: "Fix perms on homedirectory for '{{ user.name }}'" file: name: '/home/{{ user.name }}' diff --git a/admin-users/tasks/main.yml b/evolinux-users/tasks/main.yml similarity index 52% rename from admin-users/tasks/main.yml rename to evolinux-users/tasks/main.yml index 6a1d1506..f168ae08 100644 --- a/admin-users/tasks/main.yml +++ b/evolinux-users/tasks/main.yml @@ -6,11 +6,11 @@ - ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<') - debug: - msg: "Warning: empty 'admin_users' variable, tasks will be skipped!" - when: admin_users == {} + msg: "Warning: empty 'evolinux_users' variable, tasks will be skipped!" + when: evolinux_users == {} -- include: admin_user.yml +- include: user.yml vars: user: "{{ item.value }}" - with_dict: "{{ admin_users }}" - when: admin_users != {} + with_dict: "{{ evolinux_users }}" + when: evolinux_users != {} diff --git a/admin-users/tasks/profile.yml b/evolinux-users/tasks/profile.yml similarity index 100% rename from admin-users/tasks/profile.yml rename to evolinux-users/tasks/profile.yml diff --git a/admin-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml similarity index 100% rename from admin-users/tasks/ssh.yml rename to evolinux-users/tasks/ssh.yml diff --git a/evolinux-users/tasks/sudo_jessie.yml b/evolinux-users/tasks/sudo_jessie.yml new file mode 100644 index 00000000..fd854c1f --- /dev/null +++ b/evolinux-users/tasks/sudo_jessie.yml 
@@ -0,0 +1,21 @@ +--- + +- name: "Verify Evolinux sudoers file presence (jessie)" + template: + src: sudoers_jessie.j2 + dest: /etc/sudoers.d/evolinux + force: no + mode: "0440" + validate: '/usr/sbin/visudo -cf %s' + register: copy_sudoers_evolinux + when: ansible_distribution_release == "jessie" + +- name: "Add user in sudoers file for '{{ user.name }}' (jessie)" + replace: + dest: /etc/sudoers.d/evolinux + regexp: '^(User_Alias\s+ADMINS\s+=((?!{{ user.name }}).)*)$' + replace: '\1,{{ user.name }}' + validate: '/usr/sbin/visudo -cf %s' + when: + - ansible_distribution_release == "jessie" + - not copy_sudoers_evolinux.changed diff --git a/evolinux-users/tasks/sudo_stretch.yml b/evolinux-users/tasks/sudo_stretch.yml new file mode 100644 index 00000000..7358fbf1 --- /dev/null +++ b/evolinux-users/tasks/sudo_stretch.yml @@ -0,0 +1,23 @@ +--- + +- name: "Verify Evolinux sudoers file presence (Debian 9 or later)" + template: + src: sudoers_stretch.j2 + dest: /etc/sudoers.d/evolinux + force: no + validate: '/usr/sbin/visudo -cf %s' + register: copy_sudoers_evolinux + when: ansible_distribution_major_version | version_compare('9', '>=') + +- name: "Create evolinux-sudo group (Debian 9 or later)" + group: + name: "{{ evolinux_sudo_group }}" + system: yes + when: ansible_distribution_major_version | version_compare('9', '>=') + +- name: "Add user to evolinux-sudo group (Debian 9 or later)" + user: + name: '{{ user.name }}' + groups: "{{ evolinux_sudo_group }}" + append: yes + when: ansible_distribution_major_version | version_compare('9', '>=') diff --git a/evolinux-users/tasks/user.yml b/evolinux-users/tasks/user.yml new file mode 100644 index 00000000..73fea728 --- /dev/null +++ b/evolinux-users/tasks/user.yml 
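Review bot: The stretch template task in sudo_stretch.yml has no `mode:`, unlike its jessie twin which sets `mode: "0440"`, and the separate "Verify Evolinux sudoers file permissions" task that previously fixed the mode for both releases was deleted in this patch. With `force: no` the file is written once with the default umask-derived mode (typically 0644); sudo warns about sudoers.d files that are not 0440 and, depending on the version, ignores them, so the new sudo group may not work on Debian 9+ while the task reports success. Add `mode: "0440"` under the `template:` block to match sudo_jessie.yml.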
@@ -0,0 +1,15 @@ +--- + +- include: account.yml + +- include: profile.yml + +- include: ssh.yml + +- include: sudo_jessie.yml + when: ansible_distribution_release == "jessie" + +- include: sudo_stretch.yml + when: ansible_distribution_major_version | version_compare('9', '>=') + +- meta: flush_handlers diff --git a/admin-users/templates/sudoers_jessie.j2 b/evolinux-users/templates/sudoers_jessie.j2 similarity index 100% rename from admin-users/templates/sudoers_jessie.j2 rename to evolinux-users/templates/sudoers_jessie.j2 diff --git a/admin-users/templates/sudoers_stretch.j2 b/evolinux-users/templates/sudoers_stretch.j2 similarity index 75% rename from admin-users/templates/sudoers_stretch.j2 rename to evolinux-users/templates/sudoers_stretch.j2 index 8de1bbc6..289a65ee 100644 --- a/admin-users/templates/sudoers_stretch.j2 +++ b/evolinux-users/templates/sudoers_stretch.j2 @@ -5,5 +5,5 @@ Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt -%evolinux-sudo ALL=(ALL:ALL) ALL -%evolinux-sudo ALL = NOPASSWD: MAINT +%{{ evolinux_sudo_group }} ALL=(ALL:ALL) ALL +%{{ evolinux_sudo_group }} ALL = NOPASSWD: MAINT diff --git a/admin-users/tests/spec/admin-users_spec.rb b/evolinux-users/tests/spec/evolinux-users_spec.rb similarity index 100% rename from admin-users/tests/spec/admin-users_spec.rb rename to evolinux-users/tests/spec/evolinux-users_spec.rb diff --git a/admin-users/tests/test.yml b/evolinux-users/tests/test.yml similarity index 94% rename from admin-users/tests/test.yml rename to evolinux-users/tests/test.yml index 06c29643..f622eebf 100644 --- a/admin-users/tests/test.yml +++ b/evolinux-users/tests/test.yml @@ -2,7 +2,7 @@ - hosts: test-kitchen vars: - admin_users: + evolinux_users: foo: name: foo uid: 1001 @@ -20,4 +20,4 @@ # state: directory roles: - - role: admin-users + - role: evolinux-users 
From ef93d5679939f37356d61bf1ad29ddd4ae19cff9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 6 Oct 2017 00:21:44 +0200 Subject: [PATCH 040/266] evolinux-base: better task name for postfix --- evolinux-base/tasks/postfix.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evolinux-base/tasks/postfix.yml b/evolinux-base/tasks/postfix.yml index 9aad67e4..84bb06a2 100644 --- a/evolinux-base/tasks/postfix.yml +++ b/evolinux-base/tasks/postfix.yml @@ -1,6 +1,6 @@ --- -- name: packages are installed +- name: Postfix packages are installed apt: name: "{{ item }}" state: present From f759b849a53180f9014bbc63cd81cdc0946d76f4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 6 Oct 2017 00:51:20 +0200 Subject: [PATCH 041/266] evolinux-users: install many ssh keys if needed --- evolinux-users/tasks/ssh.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/evolinux-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml index d74a51f2..85d01a8b 100644 --- a/evolinux-users/tasks/ssh.yml +++ b/evolinux-users/tasks/ssh.yml @@ -14,6 +14,17 @@ user: "{{ user.name }}" key: "{{ user.ssh_key }}" state: present + when: user.ssh_key is defined + +- name: "Add user's SSH public keys for '{{ user.name }}'" + authorized_key: + user: "{{ user.name }}" + key: "{{ ssk_key }}" + state: present + with_items: "{{ user.ssh_keys }}" + loop_control: + loop_var: ssk_key + when: user.ssh_keys is defined # we must double-escape caracters, because python - name: verify AllowUsers directive From 2b253e075c7b5fd7ee70a3dc0ba3b6e081fbddb9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 6 Oct 2017 01:04:48 +0200 Subject: [PATCH 042/266] Users can be added to secondary groups --- evolinux-users/README.md | 8 +++++++- evolinux-users/tasks/account.yml | 17 ++++++++++++++++- 2 files changed, 23 insertions(+), 2 deletions(-) 
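Review bot: In the new "Add user's SSH public keys" task the loop variable is spelled `ssk_key` (both in `loop_var:` and in `key: "{{ ssk_key }}"`); it works because both sides carry the typo, but `loop_var: ssh_pubkey` / `key: "{{ ssh_pubkey }}"` reads as intended and avoids confusion with the `user.ssh_key` attribute handled just above. Both tasks use `state: present`, so a key dropped from `ssh_keys` in the inventory is never revoked from `authorized_keys`; if the inventory is meant to be the source of truth for these accounts, that deserves a comment or an `exclusive: yes` (which would also remove keys added by hand — a deliberate choice to document either way).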
diff --git a/evolinux-users/README.md b/evolinux-users/README.md index 83d69172..439bd898 100644 --- a/evolinux-users/README.md +++ b/evolinux-users/README.md @@ -16,12 +16,18 @@ evolinux_users: name: foo uid: 1001 fullname: 'Mr Foo' + groups: "baz" password_hash: 'sdfgsdfgsdfgsdfg' ssh_key: 'ssh-rsa AZERTYXYZ' bar: name: bar uid: 1002 fullname: 'Mr Bar' + groups: + - "baz" + - "qux" password_hash: 'gsdfgsdfgsdfgsdf' - ssh_key: 'ssh-rsa QWERTYUIOP' + ssh_keys: + - 'ssh-rsa QWERTYUIOP' + - 'ssh-ed25519 QWERTYUIOP' ``` diff --git a/evolinux-users/tasks/account.yml b/evolinux-users/tasks/account.yml index 453eca66..1ed142f9 100644 --- a/evolinux-users/tasks/account.yml +++ b/evolinux-users/tasks/account.yml @@ -35,7 +35,22 @@ update_password: on_create when: loginisbusy.rc != 0 and uidisbusy.rc == 0 -- name: "Fix perms on homedirectory for '{{ user.name }}'" +- name: "Create secondary groups" + group: + name: "{{ group }}" + with_items: "{{ user.groups }}" + loop_control: + loop_var: group + when: user.groups is defined + +- name: "Add user '{{ user.name }}' to secondary groups" + user: + name: '{{ user.name }}' + groups: "{{ user.groups }}" + append: yes + when: user.groups is defined + +- name: "Fix perms on home directory for '{{ user.name }}'" file: name: '/home/{{ user.name }}' mode: "0700" From fedbc5b579321d06ee93c5b84aca0580e37b6f0e Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 6 Oct 2017 12:05:07 +0200 Subject: [PATCH 043/266] evolinux-users: no need to repeat condition --- evolinux-users/tasks/sudo_jessie.yml | 5 +---- evolinux-users/tasks/sudo_stretch.yml | 3 --- 2 files changed, 1 insertion(+), 7 deletions(-) diff --git a/evolinux-users/tasks/sudo_jessie.yml b/evolinux-users/tasks/sudo_jessie.yml index fd854c1f..f675954e 100644 --- a/evolinux-users/tasks/sudo_jessie.yml +++ b/evolinux-users/tasks/sudo_jessie.yml 
@@ -8,7 +8,6 @@ mode: "0440" validate: '/usr/sbin/visudo -cf %s' register: copy_sudoers_evolinux - when: ansible_distribution_release == "jessie" - name: "Add user in sudoers file for '{{ user.name }}' (jessie)" replace: @@ -16,6 +15,4 @@ regexp: '^(User_Alias\s+ADMINS\s+=((?!{{ user.name }}).)*)$' replace: '\1,{{ user.name }}' validate: '/usr/sbin/visudo -cf %s' - when: - - ansible_distribution_release == "jessie" - - not copy_sudoers_evolinux.changed + when: not copy_sudoers_evolinux.changed diff --git a/evolinux-users/tasks/sudo_stretch.yml b/evolinux-users/tasks/sudo_stretch.yml index 7358fbf1..f77ae484 100644 --- a/evolinux-users/tasks/sudo_stretch.yml +++ b/evolinux-users/tasks/sudo_stretch.yml @@ -7,17 +7,14 @@ force: no validate: '/usr/sbin/visudo -cf %s' register: copy_sudoers_evolinux - when: ansible_distribution_major_version | version_compare('9', '>=') - name: "Create evolinux-sudo group (Debian 9 or later)" group: name: "{{ evolinux_sudo_group }}" system: yes - when: ansible_distribution_major_version | version_compare('9', '>=') - name: "Add user to evolinux-sudo group (Debian 9 or later)" user: name: '{{ user.name }}' groups: "{{ evolinux_sudo_group }}" append: yes - when: ansible_distribution_major_version | version_compare('9', '>=') From ed17676432557c49a3b4c4059789fd8a50325cfc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Thu, 5 Oct 2017 00:25:13 +0200 Subject: [PATCH 044/266] A real systemd unit for alert5 --- evolinux-base/files/alert5.service | 9 +++ evolinux-base/tasks/system.yml | 55 ++++++++++++++----- evolinux-base/templates/system/alert5.sh.j2 | 7 +++ .../{init_alert5.j2 => alert5.sysvinit.j2} | 0 4 files changed, 57 insertions(+), 14 deletions(-) create mode 100644 evolinux-base/files/alert5.service create mode 100644 evolinux-base/templates/system/alert5.sh.j2 rename evolinux-base/templates/system/{init_alert5.j2 => alert5.sysvinit.j2} (100%) 
diff --git a/evolinux-base/files/alert5.service b/evolinux-base/files/alert5.service new file mode 100644 index 00000000..ea560a51 --- /dev/null +++ b/evolinux-base/files/alert5.service @@ -0,0 +1,9 @@ +[Unit] +Description=Evolix alert5 script + +[Service] +Type=oneshot +ExecStart=/usr/share/scripts/alert5.sh + +[Install] +WantedBy=multi-user.target diff --git a/evolinux-base/tasks/system.yml b/evolinux-base/tasks/system.yml index 261ef1a9..74051657 100644 --- a/evolinux-base/tasks/system.yml +++ b/evolinux-base/tasks/system.yml 
@@ -116,29 +116,56 @@ ## alert5 -- name: Install alert5 init script +- name: Install alert5 init script (jessie) template: - src: system/init_alert5.j2 + src: system/alert5.sysvinit.j2 dest: /etc/init.d/alert5 force: no mode: "0755" - when: evolinux_system_alert5_init + when: + - evolinux_system_alert5_init + - ansible_distribution_release == "jessie" - -#TODO: switch service/systemd modules with Ansible 2.2+ - -- name: Enable alert5 init script +- name: Enable alert5 init script (jessie) service: name: alert5 enabled: yes - when: evolinux_system_alert5_init and evolinux_system_alert5_enable + when: + - evolinux_system_alert5_init + - evolinux_system_alert5_enable + - ansible_distribution_release == "jessie" -# - name: Enable alert5 init script -# systemd: -# name: alert5 -# daemon_reload: yes -# enabled: yes -# when: evolinux_system_alert5_init and evolinux_system_alert5_enable + + +- name: Install alert5 init script (stretch) + template: + src: system/alert5.sh.j2 + dest: /usr/share/scripts/alert5.sh + force: no + mode: "0755" + when: + - evolinux_system_alert5_init + - ansible_distribution_major_version | version_compare('9', '>=') + +- name: Install alert5 service (stretch) + copy: + src: alert5.service + dest: /etc/systemd/system/alert5.service + force: yes + mode: "0755" + when: + - evolinux_system_alert5_init + - ansible_distribution_major_version | version_compare('9', '>=') + +- name: Enable alert5 init script (stretch) + systemd: + name: alert5 + daemon_reload: yes + enabled: yes + when: + - evolinux_system_alert5_init + - evolinux_system_alert5_enable + - ansible_distribution_major_version | version_compare('9', '>=') ## network interfaces diff --git a/evolinux-base/templates/system/alert5.sh.j2 b/evolinux-base/templates/system/alert5.sh.j2 new file mode 100644 index 00000000..7949af28 --- /dev/null +++ b/evolinux-base/templates/system/alert5.sh.j2 
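Review bot: "Install alert5 service (stretch)" copies the unit to `/etc/systemd/system/alert5.service` with `mode: "0755"`; a unit file is configuration, not a program, and systemd logs a warning for unit files marked executable. Use `mode: "0644"` there (the script it points to, `/usr/share/scripts/alert5.sh`, correctly keeps 0755). The three stretch tasks also repeat the same `when:` list; a `block:` with one `when:` would keep the release condition in a single place, which matters since the very next patch changes it.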
@@ -0,0 +1,7 @@ +#!/bin/sh + +## sends a mail when booting +date | mail -s'boot/reboot' {{ reboot_alert_email or general_alert_email | mandatory }} + +## starts the firewall +#/etc/init.d/minifirewall start diff --git a/evolinux-base/templates/system/init_alert5.j2 b/evolinux-base/templates/system/alert5.sysvinit.j2 similarity index 100% rename from evolinux-base/templates/system/init_alert5.j2 rename to evolinux-base/templates/system/alert5.sysvinit.j2 From 7f4eb747de5db5d326be1a0a7cb343a71ac46a2e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 6 Oct 2017 01:09:48 +0200 Subject: [PATCH 045/266] change alert5 only for buster --- evolinux-base/tasks/system.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/evolinux-base/tasks/system.yml b/evolinux-base/tasks/system.yml index 74051657..2102765b 100644 --- a/evolinux-base/tasks/system.yml +++ b/evolinux-base/tasks/system.yml @@ -116,7 +116,7 @@ ## alert5 -- name: Install alert5 init script (jessie) +- name: Install alert5 init script (jessie/stretch) template: src: system/alert5.sysvinit.j2 dest: /etc/init.d/alert5 @@ -124,20 +124,20 @@ mode: "0755" when: - evolinux_system_alert5_init - - ansible_distribution_release == "jessie" + - ansible_distribution_release == "jessie" or ansible_distribution_release == "stretch" -- name: Enable alert5 init script (jessie) +- name: Enable alert5 init script (jessie/stretch) service: name: alert5 enabled: yes when: - evolinux_system_alert5_init - evolinux_system_alert5_enable - - ansible_distribution_release == "jessie" + - ansible_distribution_release == "jessie" or ansible_distribution_release == "stretch" -- name: Install alert5 init script (stretch) +- name: Install alert5 init script (buster) template: src: system/alert5.sh.j2 dest: /usr/share/scripts/alert5.sh 
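Review bot: In `{{ reboot_alert_email or general_alert_email | mandatory }}` the Jinja filter binds tighter than `or`, so `mandatory` only guards `general_alert_email`; `mandatory` also fires on undefined variables, not on `Null` values like those used in this role's defaults, so both being `Null` presumably renders `mail ... None` and the boot alert goes nowhere. Parenthesise the intent, `{{ (reboot_alert_email or general_alert_email) | mandatory }}`, and consider a template-time check that the result is non-empty. The firewall line is left commented out; a one-line comment explaining that minifirewall is started elsewhere on buster would help the next reader.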
@@ -145,9 +145,9 @@ mode: "0755" when: - evolinux_system_alert5_init - - ansible_distribution_major_version | version_compare('9', '>=') + - ansible_distribution_major_version | version_compare('10', '>=') -- name: Install alert5 service (stretch) +- name: Install alert5 service (buster) copy: src: alert5.service dest: /etc/systemd/system/alert5.service @@ -155,9 +155,9 @@ mode: "0755" when: - evolinux_system_alert5_init - - ansible_distribution_major_version | version_compare('9', '>=') + - ansible_distribution_major_version | version_compare('10', '>=') -- name: Enable alert5 init script (stretch) +- name: Enable alert5 init script (buster) systemd: name: alert5 daemon_reload: yes @@ -165,7 +165,7 @@ when: - evolinux_system_alert5_init - evolinux_system_alert5_enable - - ansible_distribution_major_version | version_compare('9', '>=') + - ansible_distribution_major_version | version_compare('10', '>=') ## network interfaces From 3d7a54482090ee4285d8afc6ebdab34cdb80de34 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 7 Oct 2017 10:59:22 +0200 Subject: [PATCH 046/266] minifirewall: restore default ports Copied from https://forge.evolix.org/projects/minifirewall/repository/revisions/master/entry/minifirewall.conf --- minifirewall/defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/minifirewall/defaults/main.yml b/minifirewall/defaults/main.yml index 69e1e8fe..2b55884f 100644 --- a/minifirewall/defaults/main.yml +++ b/minifirewall/defaults/main.yml 
@@ -11,9 +11,9 @@ minifirewall_privilegied_ips: [] minifirewall_protected_ports_tcp: [22] minifirewall_protected_ports_udp: [] -minifirewall_public_ports_tcp: [22, 80, 443] -minifirewall_public_ports_udp: [] -minifirewall_semipublic_ports_tcp: [20, 21, 25] +minifirewall_public_ports_tcp: [25, 53, 443, 993, 995, 2222] +minifirewall_public_ports_udp: [53] +minifirewall_semipublic_ports_tcp: [20, 21, 22, 80, 110, 143] minifirewall_semipublic_ports_udp: [] minifirewall_private_ports_tcp: [5666] minifirewall_private_ports_udp: [] From 1776b4bc24a34f2211eb810360d5035e12c0c6dc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 7 Oct 2017 11:15:45 +0200 Subject: [PATCH 047/266] Apache: improve munin integration * ansible syntax * remove duplicate tasks * improve tasks names --- apache/tasks/munin.yml | 55 ++++++++++++++++-------------------------- 1 file changed, 21 insertions(+), 34 deletions(-) diff --git a/apache/tasks/munin.yml b/apache/tasks/munin.yml index 859a9ad6..9195ae0f 100644 --- a/apache/tasks/munin.yml +++ b/apache/tasks/munin.yml 
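Review bot: The new defaults open TCP 25, 53, 443, 993, 995 and 2222 plus UDP 53 to the world on every host that applies this role without overriding `minifirewall_public_ports_tcp`/`_udp`, and move 22/80 to semi-public; that may match the upstream example minifirewall.conf, but a role default is applied unconditionally whereas the upstream file is a template an operator edits by hand. If the intent is to mirror upstream, say so in a comment above the lists, e.g. `# Mirrors upstream minifirewall.conf; override per host group, most servers do not run DNS/IMAP/POP`, so that nobody treats them as a hardened baseline. Note also that 22 now appears in both `minifirewall_protected_ports_tcp` and `minifirewall_semipublic_ports_tcp`; which list wins is decided by the init script, which is outside this hunk.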
@@ -1,68 +1,55 @@ --- -- name: munin-node and core plugins are installed +- name: "Install munin-node and core plugins packages" apt: name: "{{ item }}" state: installed with_items: - munin-node - munin-plugins-core + tags: + - apache + - munin -- name: enable munin plugins +- name: "Enable Munin plugins" file: src: "/usr/share/munin/plugins/{{ item }}" dest: "/etc/munin/plugins/{{ item }}" state: link with_items: - - apache_accesses - - apache_processes - - apache_volume + - apache_accesses + - apache_processes + - apache_volume notify: restart munin-node tags: - - apache - - munin + - apache + - munin ---- - -- name: install packages for Apache and Munin +- name: "Install fcgi packages for Munin graphs" apt: name: "{{ item }}" state: installed with_items: - - libapache2-mod-fcgid - - libcgi-fast-perl + - libapache2-mod-fcgid + - libcgi-fast-perl notify: reload apache tags: - - apache - - munin + - apache + - munin -- name: be sure to enable libapache2-mod-fcgid +- name: "Enable libapache2-mod-fcgid" command: a2enmod fcgid register: cmd_enable_fcgid changed_when: "'Module fcgid already enabled' not in cmd_enable_fcgid.stdout" notify: restart apache tags: - - apache - - munin + - apache + - munin -- name: change group for /var/log/munin/ +- name: "Apache has access to /var/log/munin/" file: path: /var/log/munin/ group: www-data tags: - - apache - - munin - -- name: install munin plugins - file: - src: "/etc/munin/plugins/{{ item }}" - dest: "/usr/share/munin/plugins/{{ item }}" - state: link - with_items: - - apache_accesses - - apache_processes - - apache_volume - notify: restart munin-node - tags: - - apache - - munin + - apache + - munin From dc3b7354459fb22c635b4b205ff8374c214d31a8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 7 Oct 2017 11:54:31 +0200 Subject: [PATCH 048/266] apache: cleanup munin tasks --- apache/tasks/main.yml | 11 ----------- 1 file changed, 11 deletions(-) 
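Review bot: The "Apache has access to /var/log/munin/" task only changes the directory's group and sets no `mode`, so what www-data actually gains depends on whatever group bits the directory already has: with a plain 0755 the group change is a no-op for writing, while a pre-existing 0775/2775 hands the whole web stack write access to Munin's log directory. Make the intent explicit with a `mode:` next to `group: www-data`, and consider scoping it to the single munin-cgi-graph log file rather than the whole directory. I am inferring that munin-cgi-graph (running under Apache via fcgid) needs to write there from the role's purpose, not from lines in this hunk. Separately, `state: installed` in the two `apt` tasks is a deprecated alias; `state: present` is the current spelling.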
diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index dd675f4a..e107cac2 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -138,17 +138,6 @@ - include: phpmyadmin.yml when: _default_index.stat.exists -- name: Check if Munin plugins exists - stat: - path: /etc/munin/plugins/ - register: _munin_plugins - check_mode: no - tags: - - apache - -- include: munin.yml - when: _munin_plugins.stat.exists - # - block: # - name: generate random string for serverstatus suffix # command: "apg -a 1 -M N -n 1" From ddeb39b88670cfc833d97e20d72f76c68e16c49b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 7 Oct 2017 11:57:49 +0200 Subject: [PATCH 049/266] apache: phpmyadmin is not managed here anymore --- apache/tasks/main.yml | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index e107cac2..5fc6f2ba 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -127,17 +127,6 @@ tags: - apache -- name: Stat /default index - stat: - path: /var/www/index.html - register: _default_index - check_mode: no - tags: - - apache - -- include: phpmyadmin.yml - when: _default_index.stat.exists - # - block: # - name: generate random string for serverstatus suffix # command: "apg -a 1 -M N -n 1" From 2395777194b18182792f75038d0b7f9090681d17 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 7 Oct 2017 12:01:23 +0200 Subject: [PATCH 050/266] apache: no need for server status suffix anymore The location is restricted, so we don't need to obfuscate --- apache/tasks/main.yml | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index 5fc6f2ba..ee6d3b47 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml 
@@ -127,23 +127,6 @@ tags: - apache -# - block: -# - name: generate random string for serverstatus suffix -# command: "apg -a 1 -M N -n 1" -# changed_when: False -# register: _random_serverstatus_suffix -# -# - name: overwrite apache_serverstatus_suffix -# set_fact: -# apache_serverstatus_suffix: "{{ _random_serverstatus_suffix.stdout }}" -# when: apache_serverstatus_suffix == "" -# -# - name: replace server-status suffix in default site index -# replace: -# dest: /var/www/index.html -# regexp: '__SERVERSTATUS_SUFFIX__' -# replace: "{{ apache_serverstatus_suffix }}" - - include: log2mail.yml when: apache_log2mail_include From be84ab434eff154d48ce1df8f7f05074664a2a46 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 7 Oct 2017 11:55:02 +0200 Subject: [PATCH 051/266] apache: install save_apache_status.sh --- apache/files/save_apache_status.sh | 18 ++++++++++++++++++ apache/tasks/main.yml | 9 +++++++++ apache/tasks/remount_usr_rw.yml | 15 +++++++++++++++ 3 files changed, 42 insertions(+) create mode 100644 apache/files/save_apache_status.sh create mode 100644 apache/tasks/remount_usr_rw.yml diff --git a/apache/files/save_apache_status.sh b/apache/files/save_apache_status.sh new file mode 100644 index 00000000..d65b2e08 --- /dev/null +++ b/apache/files/save_apache_status.sh @@ -0,0 +1,18 @@ +#!/bin/bash + +set -e + +DIR="/var/log/apache-status" +URL="http://127.0.0.1/server-status" +TS=`date +%Y%m%d%H%M%S` +FILE="${DIR}/${TS}.html" + +mkdir -p "${DIR}" + +wget -q -O "${FILE}" "${URL}" + +chmod 640 "${FILE}" + +find "${DIR}" -type f -mtime +1 -delete + +exit 0 diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index ee6d3b47..ed99fe5a 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml 
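Review bot: In save_apache_status.sh the `chmod 640 "${FILE}"` runs after wget has already written the file, so each server-status snapshot (client IPs, request URIs, possibly query strings) is first created with the caller's umask, and `mkdir -p "${DIR}"` creates the directory with default permissions and no owner/group. Setting the policy up front is simpler and closes the window: `umask 027` right after `set -e`, and `mkdir -p -m 750 "${DIR}"`, after which the later chmod is redundant. Also, with `set -e` a failed fetch of `http://127.0.0.1/server-status` aborts before the `find "${DIR}" -type f -mtime +1 -delete` cleanup, so an unreachable server-status also stops retention; `wget -q -O "${FILE}" "${URL}" || true` (or running the cleanup first) keeps it working. Which cron entry or user invokes this script is not visible in the hunk.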
@@ -127,6 +127,15 @@ tags: - apache +- include: remount_usr_rw.yml + +- name: "Install save_apache_status.sh" + copy: + src: save_apache_status.sh + dest: /usr/share/scripts/save_apache_status.sh + mode: "0755" + force: no + - include: log2mail.yml when: apache_log2mail_include diff --git a/apache/tasks/remount_usr_rw.yml b/apache/tasks/remount_usr_rw.yml new file mode 100644 index 00000000..8c51aee2 --- /dev/null +++ b/apache/tasks/remount_usr_rw.yml @@ -0,0 +1,15 @@ +--- +- name: Get mount options for partitions + shell: "mount | grep 'on /usr type'" + args: + warn: no + register: mount + changed_when: False + failed_when: False + when: not ansible_check_mode + +- name: Remount /usr if it is a partition and it is not mounted in rw + command: "mount -o remount,rw /usr" + when: mount.rc == 0 and not mount.stdout_lines.0 | search("rw") + args: + warn: no From 0e9fab48f54aee3f4f0de102a5f3f575e9986337 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 7 Oct 2017 12:56:05 +0200 Subject: [PATCH 052/266] apache: fix ipaddr_whitelist path --- apache/templates/evolinux-default.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apache/templates/evolinux-default.conf.j2 b/apache/templates/evolinux-default.conf.j2 index 8c7a28af..238665b2 100644 --- a/apache/templates/evolinux-default.conf.j2 +++ b/apache/templates/evolinux-default.conf.j2 @@ -24,7 +24,7 @@ Options +ExecCGI Require all denied - Include /etc/apache2/private_ipaddr_whitelist.conf + Include /etc/apache2/ipaddr_whitelist.conf # For CGI Scripts. We need to set Directory directive as ScriptAlias take precedence. From 382d545d0d9a0eb86aefaf63b5f201188bb4e32e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 7 Oct 2017 12:57:05 +0200 Subject: [PATCH 053/266] evolinux-base: fix netextreme device detection --- evolinux-base/tasks/hardware.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
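Review bot: remount_usr_rw.yml remounts /usr read-write but nothing in this commit remounts it read-only afterwards, so on hosts where /usr is a separate ro partition (the very case the task exists for) a play that only installs save_apache_status.sh leaves /usr writable until the next reboot or the next dpkg run; the apt hooks elsewhere in this repo pair `mount -oremount,rw /usr` with a `Post-Invoke` `mount -oremount /usr`, and main.yml should do the same after the copy task, guarded by the same `mount.rc == 0`. Two smaller points in the same file: the second task's `when: mount.rc == 0 and ...` will error in check mode because the first task is skipped (`when: not ansible_check_mode`) and never registers `rc`, so add `not ansible_check_mode` to that condition too; and `search("rw")` on the whole `mount` output line matches any "rw" substring (device or path names included), so anchoring on the option list, e.g. `search("\((rw|[^)]*,rw)[,)]")`, is more precise. Where in main.yml the remount-ro should go is outside the context lines of the first hunk.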
diff --git a/evolinux-base/tasks/hardware.yml b/evolinux-base/tasks/hardware.yml index 69ab0889..16d26cd7 100644 --- a/evolinux-base/tasks/hardware.yml +++ b/evolinux-base/tasks/hardware.yml @@ -9,7 +9,7 @@ - name: Check if Broadcom NetXtreme II device is present shell: "lspci | grep -q 'NetXtreme II'" check_mode: no - register: broadcom + register: broadcom_netextreme_search failed_when: False changed_when: False @@ -22,7 +22,7 @@ tasks_from: basics.yml vars: apt_basics_components: "main contrib non-free" - when: broadcom|success + when: broadcom_netextreme_search.rc == 0 ## RAID From 03bc456dfa6e2ebcc6624660b0f315900e011fad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 7 Oct 2017 12:59:35 +0200 Subject: [PATCH 054/266] evolinux-base: allow ssh for current user When you're not sure to have a proper ssh connection after install, you can keep the current user authorized. Example: when using vagrant This is disabled by default --- evolinux-base/README.md | 1 + evolinux-base/defaults/main.yml | 1 + evolinux-base/tasks/ssh.yml | 13 +++++++++++++ 3 files changed, 15 insertions(+) diff --git a/evolinux-base/README.md b/evolinux-base/README.md index 570e2313..dbcf7762 100644 --- a/evolinux-base/README.md +++ b/evolinux-base/README.md @@ -37,5 +37,6 @@ Main variables are: * `evolinux_postfix_purge_exim`: purge Exim packages (default: `True`) ; * `evolinux_ssh_password_auth_addresses`: list of addresses that can authenticate with a password (default: `[]`) * `evolinux_ssh_disable_root`: disable SSH access for root (default: `False`) +* `evolinux_ssh_allow_current_user`: don't lock yourself out (default: `False`) The full list of variables (with default values) can be found in `defaults/main.yml`. diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index 174fc2d0..c5b09328 100644 --- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml 
@@ -111,6 +111,7 @@ evolinux_ssh_include: True evolinux_ssh_password_auth_addresses: [] evolinux_ssh_match_address: True evolinux_ssh_disable_acceptenv: True +evolinux_ssh_allow_current_user: False # evolinux users diff --git a/evolinux-base/tasks/ssh.yml b/evolinux-base/tasks/ssh.yml index 8094d8bc..20b93fed 100644 --- a/evolinux-base/tasks/ssh.yml +++ b/evolinux-base/tasks/ssh.yml @@ -35,4 +35,17 @@ notify: reload sshd when: ansible_distribution_major_version | version_compare('9', '>=') +- name: "Get current user" + command: logname + register: logname + check_mode: no + when: evolinux_ssh_allow_current_user + +- name: "Allow current user" + lineinfile: + dest: /etc/ssh/sshd_config + line: "AllowUsers {{ logname.stdout }}" + insertafter: 'Subsystem' + when: evolinux_ssh_allow_current_user + - meta: flush_handlers From e7e9f9e125e20cc8e728b49fe27aabbf80d0e550 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 7 Oct 2017 13:48:04 +0200 Subject: [PATCH 055/266] Apache/Nginx: use ipaddr_whitelist --- apache/README.md | 4 ++-- apache/defaults/main.yml | 4 ++-- ...r_whitelist.conf => ipaddr_whitelist.conf} | 0 apache/tasks/auth.yml | 12 +++++++--- kibana/templates/nginx_proxy_kibana_nossl.j2 | 2 +- kibana/templates/nginx_proxy_kibana_ssl.j2 | 2 +- nginx/README.md | 4 ++-- nginx/defaults/main.yml | 4 ++-- nginx/tasks/main_regular.yml | 23 ++++++++++++------- nginx/templates/evolinux-default.conf.j2 | 2 +- 10 files changed, 35 insertions(+), 22 deletions(-) rename apache/files/{private_ipaddr_whitelist.conf => ipaddr_whitelist.conf} (100%) diff --git a/apache/README.md b/apache/README.md index 66804981..40e17499 100644 --- a/apache/README.md +++ b/apache/README.md 
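Review bot: `command: logname` is a fragile source for the account to keep in `AllowUsers`: it reports the login name of the controlling terminal, and under the non-interactive SSH exec sessions Ansible uses (especially with `become`) there is frequently no utmp entry, in which case logname exits non-zero and the task fails — or, worse for the stated "don't lock yourself out" purpose, it may name a different account than the one you will reconnect with. `ansible_env.SUDO_USER | default(ansible_user_id)` (or the play's `ansible_user`) describes the connecting account directly and needs no shell-out. The lineinfile task also writes the directive with no `validate:` and no `notify: reload sshd`, so a bad value surfaces only at the next unrelated reload and the change is not applied by the `flush_handlers` right below; `validate: '/usr/sbin/sshd -T -f %s'` plus a notify is the usual guard. The earlier part of ssh.yml, including any `Match` blocks that an appended `AllowUsers` must not land inside, is outside this hunk.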
@@ -10,8 +10,8 @@ Everything is in the `tasks/main.yml` file for now. Main variables are : -* `apache_private_ipaddr_whitelist_present` : list of IP addresses to have in the private whitelist ; -* `apache_private_ipaddr_whitelist_absent` : list of IP addresses **not** to have in the whitelist; +* `apache_ipaddr_whitelist_present` : list of IP addresses to have in the private whitelist ; +* `apache_ipaddr_whitelist_absent` : list of IP addresses **not** to have in the whitelist; * `apache_private_htpasswd_present` : list of users to have in the private htpasswd ; * `apache_private_htpasswd_absent` : list of users to **not** have in the private htpasswd. * `log2mail_alert_email`: email address to send Log2mail messages to (default: `general_alert_email`). diff --git a/apache/defaults/main.yml b/apache/defaults/main.yml index 276f5a38..390adb43 100644 --- a/apache/defaults/main.yml +++ b/apache/defaults/main.yml @@ -1,6 +1,6 @@ --- -apache_private_ipaddr_whitelist_present: [] -apache_private_ipaddr_whitelist_absent: [] +apache_ipaddr_whitelist_present: [] +apache_ipaddr_whitelist_absent: [] apache_private_htpasswd_present: [] apache_private_htpasswd_absent: [] diff --git a/apache/files/private_ipaddr_whitelist.conf b/apache/files/ipaddr_whitelist.conf similarity index 100% rename from apache/files/private_ipaddr_whitelist.conf rename to apache/files/ipaddr_whitelist.conf diff --git a/apache/tasks/auth.yml b/apache/tasks/auth.yml index 0f550a3c..4be44bea 100644 --- a/apache/tasks/auth.yml +++ b/apache/tasks/auth.yml @@ -1,8 +1,14 @@ --- +- name: "Rename private_ipaddr_whitelist if present" + command: "mv /etc/apache2/private_ipaddr_whitelist.conf /etc/apache2/ipaddr_whitelist.conf" + args: + removes: /etc/apache2/private_ipaddr_whitelist.conf + creates: /etc/apache2/ipaddr_whitelist.conf + - name: Init ipaddr_whitelist.conf file copy: - src: private_ipaddr_whitelist.conf + src: ipaddr_whitelist.conf dest: /etc/apache2/ipaddr_whitelist.conf owner: root group: root 
@@ -16,7 +22,7 @@ dest: /etc/apache2/ipaddr_whitelist.conf line: "Require ip {{ item }}" state: present - with_items: "{{ apache_private_ipaddr_whitelist_present }}" + with_items: "{{ apache_ipaddr_whitelist_present }}" notify: reload apache tags: - apache @@ -26,7 +32,7 @@ dest: /etc/apache2/ipaddr_whitelist.conf line: "Require ip {{ item }}" state: absent - with_items: "{{ apache_private_ipaddr_whitelist_absent }}" + with_items: "{{ apache_ipaddr_whitelist_absent }}" notify: reload apache tags: - apache diff --git a/kibana/templates/nginx_proxy_kibana_nossl.j2 b/kibana/templates/nginx_proxy_kibana_nossl.j2 index 1540b841..3c674317 100644 --- a/kibana/templates/nginx_proxy_kibana_nossl.j2 +++ b/kibana/templates/nginx_proxy_kibana_nossl.j2 @@ -9,7 +9,7 @@ server { server_name {{ kibana_proxy_domain }}; # Auth. - include /etc/nginx/snippets/private_ipaddr_whitelist; + include /etc/nginx/snippets/ipaddr_whitelist; deny all; auth_basic "Reserved {{ kibana_proxy_domain }}"; auth_basic_user_file /etc/nginx/snippets/private_htpasswd; diff --git a/kibana/templates/nginx_proxy_kibana_ssl.j2 b/kibana/templates/nginx_proxy_kibana_ssl.j2 index ea2e06c9..c72db251 100644 --- a/kibana/templates/nginx_proxy_kibana_ssl.j2 +++ b/kibana/templates/nginx_proxy_kibana_ssl.j2 @@ -19,7 +19,7 @@ server { ssl_certificate_key {{ kibana_proxy_ssl_key }}; # Auth. - include /etc/nginx/snippets/private_ipaddr_whitelist; + include /etc/nginx/snippets/ipaddr_whitelist; deny all; auth_basic "Reserved {{ kibana_proxy_domain }}"; auth_basic_user_file /etc/nginx/snippets/private_htpasswd; diff --git a/nginx/README.md b/nginx/README.md index d519608b..73ede527 100644 --- a/nginx/README.md +++ b/nginx/README.md 
@@ -18,8 +18,8 @@ Main variables are : * `nginx_minimal` : very basic install and config (default: `False`) ; * `nginx_jessie_backports` : on Debian Jessie, we can prefer v1.10 from backports (default: `False`) ; -* `nginx_private_ipaddr_whitelist_present` : list of IP addresses to have in the private whitelist ; -* `nginx_private_ipaddr_whitelist_absent` : list of IP addresses **not** to have in the whitelist ; +* `nginx_ipaddr_whitelist_present` : list of IP addresses to have in the private whitelist ; +* `nginx_ipaddr_whitelist_absent` : list of IP addresses **not** to have in the whitelist ; * `nginx_private_htpasswd_present` : list of users to have in the private htpasswd ; * `nginx_private_htpasswd_absent` : list of users to **not** have in the private htpasswd. diff --git a/nginx/defaults/main.yml b/nginx/defaults/main.yml index 16398ee4..dd6e58d7 100644 --- a/nginx/defaults/main.yml +++ b/nginx/defaults/main.yml @@ -3,8 +3,8 @@ nginx_minimal: False nginx_jessie_backports: False -nginx_private_ipaddr_whitelist_present: [] -nginx_private_ipaddr_whitelist_absent: [] +nginx_ipaddr_whitelist_present: [] +nginx_ipaddr_whitelist_absent: [] nginx_private_htpasswd_present: [] nginx_private_htpasswd_absent: [] diff --git a/nginx/tasks/main_regular.yml b/nginx/tasks/main_regular.yml index 74580972..6249e92b 100644 --- a/nginx/tasks/main_regular.yml +++ b/nginx/tasks/main_regular.yml 
@@ -38,13 +38,20 @@ - nginx # TODO: verify that those permissions are correct : -# not too strict for private_ipaddr_whitelist +# not too strict for ipaddr_whitelist # and not too loose for private_htpasswd -- name: Copy private_ipaddr_whitelist + +- name: "Rename private_ipaddr_whitelist if present" + command: "mv /etc/nginx/snippets/private_ipaddr_whitelist /etc/nginx/snippets/ipaddr_whitelist + args: + removes: /etc/nginx/snippets/private_ipaddr_whitelist + creates: /etc/nginx/snippets/ipaddr_whitelist + +- name: Copy ipaddr_whitelist copy: - src: nginx/snippets/private_ipaddr_whitelist - dest: /etc/nginx/snippets/private_ipaddr_whitelist + src: nginx/snippets/ipaddr_whitelist + dest: /etc/nginx/snippets/ipaddr_whitelist owner: www-data group: www-data directory_mode: "0640" @@ -56,20 +63,20 @@ - name: add IP addresses to private IP whitelist lineinfile: - dest: /etc/nginx/snippets/private_ipaddr_whitelist + dest: /etc/nginx/snippets/ipaddr_whitelist line: "allow {{ item }};" state: present - with_items: "{{ nginx_private_ipaddr_whitelist_present }}" + with_items: "{{ nginx_ipaddr_whitelist_present }}" notify: reload nginx tags: - nginx - name: remove IP addresses from private IP whitelist lineinfile: - dest: /etc/nginx/snippets/private_ipaddr_whitelist + dest: /etc/nginx/snippets/ipaddr_whitelist line: "allow {{ item }};" state: absent - with_items: "{{ nginx_private_ipaddr_whitelist_absent }}" + with_items: "{{ nginx_ipaddr_whitelist_absent }}" notify: reload nginx tags: - nginx diff --git a/nginx/templates/evolinux-default.conf.j2 b/nginx/templates/evolinux-default.conf.j2 index 165f39f8..2ec13fd8 100644 --- a/nginx/templates/evolinux-default.conf.j2 +++ b/nginx/templates/evolinux-default.conf.j2 @@ -23,7 +23,7 @@ server { root /var/www; # Auth. - include /etc/nginx/snippets/private_ipaddr_whitelist; + include /etc/nginx/snippets/ipaddr_whitelist; deny all; auth_basic "Reserved {{ ansible_fqdn }}"; auth_basic_user_file /etc/nginx/snippets/private_htpasswd; 
From adade8ae3c2052d14396dddee29341ddbf672548 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 7 Oct 2017 17:54:25 +0200 Subject: [PATCH 056/266] formatting --- evolinux-base/tasks/apt.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/evolinux-base/tasks/apt.yml b/evolinux-base/tasks/apt.yml index bb0be3fc..8966e4d9 100644 --- a/evolinux-base/tasks/apt.yml +++ b/evolinux-base/tasks/apt.yml @@ -18,7 +18,7 @@ - "APT::Install-Suggests \"false\";" when: evolinux_apt_conf -- name: DPKg invoke hooks +- name: DPKG invoke hooks lineinfile: dest: /etc/apt/apt.conf.d/z-evolinux.conf line: "{{ item }}" @@ -26,8 +26,8 @@ state: present mode: "0640" with_items: - - "DPkg::Pre-Invoke { \"df /tmp | grep -q /tmp && mount -oremount,exec /tmp || true\"; };" - - "DPkg::Pre-Invoke { \"df /usr | grep -q /usr && mount -oremount,rw /usr || true\"; };" + - "DPkg::Pre-Invoke { \"df /tmp | grep -q /tmp && mount -oremount,exec /tmp || true\"; };" + - "DPkg::Pre-Invoke { \"df /usr | grep -q /usr && mount -oremount,rw /usr || true\"; };" - "DPkg::Post-Invoke { \"df /tmp | grep -q /tmp && mount -oremount /tmp || true\"; };" - "DPkg::Post-Invoke { \"df /usr | grep -q /usr && mount -oremount /usr || true\"; };" when: evolinux_apt_hooks From dba77f3bbca84a88d2b55d0139cbfbcd7431ed29 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 7 Oct 2017 18:12:28 +0200 Subject: [PATCH 057/266] packweb-apache: dependency on squid and mysql --- packweb-apache/meta/main.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 packweb-apache/meta/main.yml diff --git a/packweb-apache/meta/main.yml b/packweb-apache/meta/main.yml new file mode 100644 index 00000000..914dbebb --- /dev/null +++ b/packweb-apache/meta/main.yml 
@@ -0,0 +1,19 @@ +galaxy_info: + author: Evolix + description: Installation of Evolix "Pack Web" meta-role + + issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues + + license: GPLv2 + + min_ansible_version: 2.2 + + platforms: + - name: Debian + versions: + - jessie + - stretch + +dependencies: + - { role: squid, squid_localproxy_enable: True } + - mysql From c4e61a18d4d29379bf421493f360593cc36f31d9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 7 Oct 2017 18:13:52 +0200 Subject: [PATCH 058/266] evolinux-base includes a few external roles * minifirewall * munin * nagios-nrpe * fail2ban * listupgrade --- evolinux-base/defaults/main.yml | 22 ++++++++++++++++++++++ evolinux-base/tasks/main.yml | 27 ++++++++++++++++++++++++++- 2 files changed, 48 insertions(+), 1 deletion(-) diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index c5b09328..9d9d90b3 100644 --- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml @@ -165,3 +165,25 @@ evolinux_hardware_include: True evolinux_provider_online_include: False evolinux_provider_orange_fce_include: False + +# log2mail + +evolinux_log2mail_include: True + +# Minifirewall + +evolinux_minifirewall_include: True + +# Munin + +evolinux_munin_include: True + +# Nagios/NRPE + +evolinux_nagios_nrpe_include: True + +# fail2ban +evolinux_fail2ban_include: True + +# Listupgrade +evolinux_listupgrade_include: True diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml index b400e334..09321bab 100644 --- a/evolinux-base/tasks/main.yml +++ b/evolinux-base/tasks/main.yml 
@@ -78,4 +78,29 @@ - name: Override Logmail service include: log2mail.yml - when: evolinux_packages_serveur_base + when: evolinux_log2mail_include + +- name: Minifirewall + include_role: + name: minifirewall + when: evolinux_minifirewall_include + +- name: Munin + include_role: + name: munin + when: evolinux_munin_include + +- name: Nagios/NRPE + include_role: + name: nagios-nrpe + when: evolinux_nagios_nrpe_include + +- name: fail2ban + include_role: + name: fail2ban + when: evolinux_fail2ban_include + +- name: Listupgrade + include_role: + name: listupgrade + when: evolinux_listupgrade_include From 3e12be6a0c6f660023a5e2e217b755333a0351a0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 7 Oct 2017 21:42:33 +0200 Subject: [PATCH 059/266] poftpd is compatible with stretch --- proftpd/meta/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/proftpd/meta/main.yml b/proftpd/meta/main.yml index 7b590850..d08211b1 100644 --- a/proftpd/meta/main.yml +++ b/proftpd/meta/main.yml @@ -12,6 +12,7 @@ galaxy_info: - name: Debian versions: - jessie + - stretch dependencies: [] # List your role dependencies here, one per line. From 8e86429ea4c579fcc9eddc49b6961e2f7f4200a9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 7 Oct 2017 21:43:05 +0200 Subject: [PATCH 060/266] proftpd: enforce permissions on password file --- proftpd/tasks/main.yml | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/proftpd/tasks/main.yml b/proftpd/tasks/main.yml index 76056e15..4e6a6884 100644 --- a/proftpd/tasks/main.yml +++ b/proftpd/tasks/main.yml 
@@ -38,6 +38,19 @@ src: vpasswd dest: /etc/proftpd/vpasswd force: no - mode: "0440" + notify: restart proftpd + tags: + - proftpd + +# Why 440? Because should be edited with ftpasswd. +# So, readonly when opened with vim. +# Then readable by group. +- name: Enforce permissions on password file + file: + path: /etc/proftpd/vpasswd + mode: "0440" + owner: root + group: root + notify: restart proftpd tags: - proftpd From 3a34a7804580d8af047634f13ad5ce8e5cbed7d0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 7 Oct 2017 21:43:36 +0200 Subject: [PATCH 061/266] evoadmin-web: remove a trailing / --- webapps/evoadmin-web/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webapps/evoadmin-web/defaults/main.yml b/webapps/evoadmin-web/defaults/main.yml index 58200cf1..c57c3b54 100644 --- a/webapps/evoadmin-web/defaults/main.yml +++ b/webapps/evoadmin-web/defaults/main.yml @@ -6,7 +6,7 @@ evoadmin_bounce_email: "{{ evoadmin_contact_email }}" evoadmin_home_dir: "/home/{{ evoadmin_username }}" evoadmin_document_root: "{{ evoadmin_home_dir }}/www" evoadmin_log_dir: "{{ evoadmin_home_dir }}/log" -evoadmin_scripts_dir: /usr/share/scripts/evoadmin/ +evoadmin_scripts_dir: /usr/share/scripts/evoadmin evoadmin_host: "evoadmin.{{ ansible_fqdn }}" evoadmin_username: evoadmin From 89fe1561b8fa9ac7662450be94e90f6694f5c859 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 7 Oct 2017 21:45:46 +0200 Subject: [PATCH 062/266] evoadmin-web depends on proftpd --- .../files/{ => ftp}/evolinux.conf.diff | 0 webapps/evoadmin-web/meta/main.yml | 18 +++++++++++ webapps/evoadmin-web/tasks/ftp.yml | 31 ++++++------------- 3 files changed, 27 insertions(+), 22 deletions(-) rename webapps/evoadmin-web/files/{ => ftp}/evolinux.conf.diff (100%) create mode 100644 webapps/evoadmin-web/meta/main.yml 
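Review bot: Dropping `mode: "0440"` from the copy task for /etc/proftpd/vpasswd means that on a first run the password-hash file is created with the default umask (typically 0644, world-readable) and only tightened by the following "Enforce permissions" task; if the play stops between the two tasks the hashes stay exposed. Keep `mode: "0440"`, `owner: root` and `group: root` on the copy as well as in the new task — the second task still earns its place for pre-existing files, since `force: no` makes the copy a no-op there. The copy task's header lines are before this hunk.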
diff --git a/webapps/evoadmin-web/files/evolinux.conf.diff b/webapps/evoadmin-web/files/ftp/evolinux.conf.diff similarity index 100% rename from webapps/evoadmin-web/files/evolinux.conf.diff rename to webapps/evoadmin-web/files/ftp/evolinux.conf.diff diff --git a/webapps/evoadmin-web/meta/main.yml b/webapps/evoadmin-web/meta/main.yml new file mode 100644 index 00000000..82440b08 --- /dev/null +++ b/webapps/evoadmin-web/meta/main.yml @@ -0,0 +1,18 @@ +galaxy_info: + author: Evolix + description: Installation of evoadmin-web + + issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues + + license: GPLv2 + + min_ansible_version: 2.2 + + platforms: + - name: Debian + versions: + - jessie + - stretch + +dependencies: + - proftpd diff --git a/webapps/evoadmin-web/tasks/ftp.yml b/webapps/evoadmin-web/tasks/ftp.yml index 83913d01..a78150a1 100644 --- a/webapps/evoadmin-web/tasks/ftp.yml +++ b/webapps/evoadmin-web/tasks/ftp.yml @@ -1,25 +1,12 @@ --- -- name: Verify if proftpd has evolinux config file - stat: - path: /etc/proftpd/conf.d/z-evolinux.conf - register: proftpd_config +- name: patch must be installed + apt: + name: patch + state: installed -- block: - - name: Patch ProFTPd config file - patch: - remote_src: no - src: evolinux.conf.diff - dest: /etc/proftpd/conf.d/z-evolinux.conf - - # Why 440? Because should be edited with ftpasswd. - # So, readonly when opened with vim. - # Then readable by group. - - name: Create /etc/proftpd/vpasswd file in 0440 mode - file: - state: touch - path: /etc/proftpd/vpasswd - mode: "0440" - owner: root - group: root - when: proftpd_config.stat.exists +- name: Patch ProFTPd config file + patch: + remote_src: no + src: ftp/evolinux.conf.diff + dest: /etc/proftpd/conf.d/z-evolinux.conf From c4bdd88e27f6dc3f4b1c97713c17fed8af44b749 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 7 Oct 2017 21:48:00 +0200 Subject: [PATCH 063/266] evoadmin-web: stay privileged Becoming an unprivilegied user is problemetic for Ansible. We continue being root, but change the permissions on created files. --- webapps/evoadmin-web/tasks/user.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/webapps/evoadmin-web/tasks/user.yml b/webapps/evoadmin-web/tasks/user.yml index c5e5a35b..67c38e16 100644 --- a/webapps/evoadmin-web/tasks/user.yml +++ b/webapps/evoadmin-web/tasks/user.yml @@ -35,8 +35,6 @@ dest: "{{ evoadmin_document_root}}" version: jessie update: no - # Warning: Need sudo! - become_user: "{{ evoadmin_username }}" when: ansible_distribution_release == "jessie" - name: "Clone evoadmin repository (Debian 9 or later)" @@ -45,10 +43,14 @@ dest: "{{ evoadmin_document_root}}" version: master update: yes - # Warning: Need sudo! - become_user: "{{ evoadmin_username }}" when: ansible_distribution_major_version | version_compare('9', '>=') +- name: Change ownership on git repository + file: + dest: "{{ evoadmin_document_root}}" + owner: "{{ evoadmin_username }}" + recurse: yes + - include: remount_usr_rw.yml when: evoadmin_scripts_dir | search ("/usr") From 094ad8c28db15b651281c944edeb270781071f0b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 7 Oct 2017 22:15:51 +0200 Subject: [PATCH 064/266] evolinux-base: improve AllowUsers for current user --- evolinux-base/tasks/ssh.yml | 30 +++++++++++++++++++++++++----- 1 file changed, 25 insertions(+), 5 deletions(-) diff --git a/evolinux-base/tasks/ssh.yml b/evolinux-base/tasks/ssh.yml index 20b93fed..9cec1bd2 100644 --- a/evolinux-base/tasks/ssh.yml +++ b/evolinux-base/tasks/ssh.yml 
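Review bot: Removing `become_user` means the git clone and, for Debian 9+, the `update: yes` pull in the second hunk now run as root on a checkout that the next task hands over to `{{ evoadmin_username }}` recursively, `.git/` included. A local user who owns `.git/` can plant hooks (`post-checkout`, `post-merge`) or repository config (`core.hooksPath`, `core.fsmonitor`) that git executes during the next pull, so from the second run onward the evoadmin account gets code execution as root each time the playbook runs; recent git versions refuse such ownership-mismatched trees via `safe.directory`, which would instead make the task fail. Prefer keeping the git operations unprivileged (the usual workarounds for the become problem mentioned in the commit message are pipelining or `allow_world_readable_tmpfiles`), or chown only the working tree and leave `.git/` root-owned. Where `evoadmin_document_root` is created and what repository URL is cloned lie outside these hunks.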
@@ -41,11 +41,31 @@ check_mode: no when: evolinux_ssh_allow_current_user -- name: "Allow current user" - lineinfile: - dest: /etc/ssh/sshd_config - line: "AllowUsers {{ logname.stdout }}" - insertafter: 'Subsystem' +# we must double-escape caracters, because python +- name: verify AllowUsers directive + shell: "egrep '^AllowUsers' /etc/ssh/sshd_config" + changed_when: False + failed_when: False + register: grep_allowusers_ssh + check_mode: no when: evolinux_ssh_allow_current_user +- name: "Add AllowUsers sshd directive for current user" + lineinfile: + dest: /etc/ssh/sshd_config + line: "\nAllowUsers {{ logname.stdout }}" + insertafter: 'Subsystem' + validate: '/usr/sbin/sshd -T -f %s' + notify: reload sshd + when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc != 0 + +- name: "Modify AllowUsers sshd directive for current user" + replace: + dest: /etc/ssh/sshd_config + regexp: '^(AllowUsers ((?!{{ logname.stdout }}).)*)$' + replace: '\1 {{ logname.stdout }}' + validate: '/usr/sbin/sshd -T -f %s' + notify: reload sshd + when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc == 0 + - meta: flush_handlers From 518353268a386985a572d970325ab76ecd902d31 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 7 Oct 2017 22:56:37 +0200 Subject: [PATCH 065/266] evolinux-base: logname command doesn't change --- evolinux-base/tasks/ssh.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/evolinux-base/tasks/ssh.yml b/evolinux-base/tasks/ssh.yml index 9cec1bd2..60807207 100644 --- a/evolinux-base/tasks/ssh.yml +++ b/evolinux-base/tasks/ssh.yml @@ -39,6 +39,7 @@ command: logname register: logname check_mode: no + changed_when: False when: evolinux_ssh_allow_current_user # we must double-escape caracters, because python From ccaecf690cc70b0756a95deab636b6f86c1f5728 Mon Sep 17 00:00:00 2001 
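Review bot: In "Add AllowUsers sshd directive for current user" the `line:` value starts with a literal `\n`, which defeats lineinfile's own presence check — the stored `\nAllowUsers bob` never equals the `AllowUsers bob` that ends up in the file — so idempotency rests entirely on the separate grep task, and the blank line is an odd thing to carry inside a directive value; `line: "AllowUsers {{ logname.stdout }}"` with `insertafter: '^Subsystem'` gives the same result cleanly. In the "Modify" task the username is interpolated unescaped into the regex `^(AllowUsers ((?!{{ logname.stdout }}).)*)$`, and the negative lookahead is a substring test, so a user `bob` is never appended when `bobby` is already listed; `{{ logname.stdout | regex_escape }}` inside the lookahead, followed by `\b`, makes it exact. The `validate: '/usr/sbin/sshd -T -f %s'` on both tasks is the right guard, and since it parses the temp copy as a whole config it also catches an `AllowUsers` that lands inside a `Match` block. The "Get current user" task that registers `logname` sits just before this hunk.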
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 7 Oct 2017 22:57:30 +0200 Subject: [PATCH 066/266] proftpd: don't overwrite z-evolinux.conf --- proftpd/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/proftpd/tasks/main.yml b/proftpd/tasks/main.yml index 4e6a6884..a0c5fbb2 100644 --- a/proftpd/tasks/main.yml +++ b/proftpd/tasks/main.yml @@ -20,6 +20,7 @@ src: evolinux.conf.j2 dest: /etc/proftpd/conf.d/z-evolinux.conf mode: "0644" + force: no notify: restart proftpd tags: - proftpd From 2480088f8b9dacf6064302d1edd757875e105a18 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 7 Oct 2017 22:59:06 +0200 Subject: [PATCH 067/266] Change DIR_MODE only if adduser.conf is pristine --- evolinux-base/tasks/system.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evolinux-base/tasks/system.yml b/evolinux-base/tasks/system.yml index 2102765b..6ffee396 100644 --- a/evolinux-base/tasks/system.yml +++ b/evolinux-base/tasks/system.yml @@ -59,7 +59,7 @@ - name: Set /etc/adduser.conf DIR_MODE to 0700 replace: dest: /etc/adduser.conf - regexp: "^DIR_MODE=.*$" + regexp: "^DIR_MODE=0755$" replace: "DIR_MODE=0700" when: evolinux_system_dirmode_adduser From 2a8e571f044b191981020ab6904f5dfc65647c48 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 7 Oct 2017 23:04:47 +0200 Subject: [PATCH 068/266] evoadmin-web: clarify ansible code --- webapps/evoadmin-web/tasks/user.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/webapps/evoadmin-web/tasks/user.yml b/webapps/evoadmin-web/tasks/user.yml index 67c38e16..2b6e31bc 100644 --- a/webapps/evoadmin-web/tasks/user.yml +++ b/webapps/evoadmin-web/tasks/user.yml @@ -24,7 +24,7 @@ name: www-evoadmin when: ansible_distribution_major_version | version_compare('9', '>=') -- name: Install Git +- name: Git is needed to clone the evoadmin repository apt: name: git state: present 
@@ -68,12 +68,12 @@ # we use a shell command to have a "changed" thet really reflects the result. - name: Fix permissions - shell: "chmod -R --verbose u=rwX,g=rX,o= {{ item }}" + command: "chmod -R --verbose u=rwX,g=rX,o= {{ evoadmin_document_root }}" register: command_result changed_when: "'changed' in command_result.stdout" # failed_when: False - with_items: - - "{{ evoadmin_home_dir}}/www" + args: + warn: no - name: Add evoadmin sudoers file template: From 64080ead239023dde835d8ad1227ad138fd041c3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 7 Oct 2017 23:05:20 +0200 Subject: [PATCH 069/266] evoadmin-web: document root should belong to group too --- webapps/evoadmin-web/tasks/user.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/webapps/evoadmin-web/tasks/user.yml b/webapps/evoadmin-web/tasks/user.yml index 2b6e31bc..4370070f 100644 --- a/webapps/evoadmin-web/tasks/user.yml +++ b/webapps/evoadmin-web/tasks/user.yml @@ -49,6 +49,7 @@ file: dest: "{{ evoadmin_document_root}}" owner: "{{ evoadmin_username }}" + group: "{{ evoadmin_username }}" recurse: yes - include: remount_usr_rw.yml From 98c56197216d55c4c95c047b9d2e96aae7ed1f58 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 7 Oct 2017 23:37:25 +0200 Subject: [PATCH 070/266] minifirewall: install dependencies in install.yml --- minifirewall/tasks/install.yml | 7 +++++++ minifirewall/tasks/main.yml | 7 ------- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/minifirewall/tasks/install.yml b/minifirewall/tasks/install.yml index 47d72b44..5efdd585 100644 --- a/minifirewall/tasks/install.yml +++ b/minifirewall/tasks/install.yml @@ -1,5 +1,12 @@ --- +- name: dependencies are satisfied + apt: + name: '{{ item }}' + state: present + with_items: + - iptables + - name: init script is copied copy: src: minifirewall diff --git a/minifirewall/tasks/main.yml b/minifirewall/tasks/main.yml index 0208313a..851d1917 100644 
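Review bot: In the "Fix permissions" task `{{ evoadmin_document_root }}` is spliced into the `command` string unquoted, and `command` tokenizes its argument with shell-style word splitting, so a path containing whitespace becomes several operands; `chmod -R --verbose u=rwX,g=rX,o= {{ evoadmin_document_root | quote }}` keeps it a single argument without resorting to `shell`. The `changed_when: "'changed' in command_result.stdout"` test also trips on any file whose name contains the word "changed", because `--verbose` echoes every path ("mode of 'changed' retained as ..."); matching the phrase chmod prints only on an actual change, `changed_when: "' changed from ' in command_result.stdout"`, is robust. The leftover `# failed_when: False` should be deleted rather than kept as a temptation: silently ignoring a chmod failure here would leave the document root with whatever permissions it had.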
--- a/minifirewall/tasks/main.yml +++ b/minifirewall/tasks/main.yml @@ -1,12 +1,5 @@ --- -- name: packages are installed - apt: - name: '{{ item }}' - state: present - with_items: - - iptables - - include: install.yml - include: config.yml From 97b0225232e975b917b364b9f733d02d6d7e09ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 7 Oct 2017 23:39:50 +0200 Subject: [PATCH 071/266] Minifirewall can deal with evomaintenance Each role has to know how to deal with the other. Otherwise, depending on order of execution, the firewall might not allow connections for evomaintenance --- minifirewall/defaults/main.yml | 2 ++ minifirewall/tasks/config.yml | 14 ++++++++++++++ 2 files changed, 16 insertions(+) diff --git a/minifirewall/defaults/main.yml b/minifirewall/defaults/main.yml index 2b55884f..02828d66 100644 --- a/minifirewall/defaults/main.yml +++ b/minifirewall/defaults/main.yml @@ -19,3 +19,5 @@ minifirewall_private_ports_tcp: [5666] minifirewall_private_ports_udp: [] minifirewall_autostart: "no" + +evomaintenance_hosts: [] diff --git a/minifirewall/tasks/config.yml b/minifirewall/tasks/config.yml index 80acf5d0..ea6b1a9e 100644 --- a/minifirewall/tasks/config.yml +++ b/minifirewall/tasks/config.yml @@ -94,6 +94,20 @@ SERVICESUDP3='{{ minifirewall_private_ports_udp | join(' ') }}' register: minifirewall_config_ports +- name: evomaintenance + lineinfile: + dest: /etc/default/minifirewall + line: "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s {{ item }} -m state --state ESTABLISHED,RELATED -j ACCEPT" + insertafter: "^# EvoMaintenance" + with_items: "{{ evomaintenance_hosts }}" + +- name: remove minifirewall example rule for the evomaintenance + lineinfile: + dest: /etc/default/minifirewall + regexp: '^#.*(--sport 5432).*(-s X\.X\.X\.X)' + state: absent + when: evomaintenance_hosts != [] + - name: restart minifirewall # service: # name: minifirewall 
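Review bot: The "evomaintenance" task appends one ACCEPT rule per host with `lineinfile` and nothing ever removes one, so an address dropped from `evomaintenance_hosts` later stays in `/etc/default/minifirewall` as a stale firewall exception; a regexp per item would not help because removal needs knowledge of the whole list. A `blockinfile` holding all current rules between markers converges on every run and, because an empty block removes the markers, also cleans up when the list is emptied. Since `/etc/default/minifirewall` is sourced as root by the init script, the value is worth validating before it is written — an `assert` that each item is an IP address (the `ipaddr` filter, if the `netaddr` dependency is acceptable) turns a typo into a play failure instead of a broken firewall. I do not see the new task register anything for the "restart minifirewall" task that follows, so confirm the rules are actually loaded on the run that adds them.
```yaml
- name: evomaintenance
  blockinfile:
    dest: /etc/default/minifirewall
    marker: "# {mark} ANSIBLE MANAGED evomaintenance rules"
    insertafter: "^# EvoMaintenance"
    block: |
      {% for host in evomaintenance_hosts %}
      /sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s {{ host }} -m state --state ESTABLISHED,RELATED -j ACCEPT
      {% endfor %}
  register: minifirewall_config_evomaintenance

# … unchanged: remove minifirewall example rule for the evomaintenance …
```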
From 6984c121c2b9288ee1ff54b1f9a0e0f28e5226f3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sun, 8 Oct 2017 12:48:56 +0200 Subject: [PATCH 072/266] evolinux-base/ssh: syntax clarity "X != []" seems better than "not X == []" when the variable name is quite long and even more when we already use "X == []" in a previous condition --- evolinux-base/tasks/ssh.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evolinux-base/tasks/ssh.yml b/evolinux-base/tasks/ssh.yml index 60807207..165ea2cd 100644 --- a/evolinux-base/tasks/ssh.yml +++ b/evolinux-base/tasks/ssh.yml @@ -15,7 +15,7 @@ insertafter: EOF validate: '/usr/sbin/sshd -T -f %s' notify: reload sshd - when: not evolinux_ssh_password_auth_addresses == [] + when: evolinux_ssh_password_auth_addresses != [] # We disable AcceptEnv because it can be a security issue, but also because we # do not want clients to push their environment variables like LANG. From a07d1d873ad6b6c815cb054d2195d7d339169238 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sun, 8 Oct 2017 12:49:55 +0200 Subject: [PATCH 073/266] evolinux-base: bad group for password restrictions --- evolinux-base/tasks/ssh.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evolinux-base/tasks/ssh.yml b/evolinux-base/tasks/ssh.yml index 165ea2cd..49ff85b8 100644 --- a/evolinux-base/tasks/ssh.yml +++ b/evolinux-base/tasks/ssh.yml @@ -7,7 +7,7 @@ blockinfile: dest: /etc/ssh/sshd_config block: | - Match Group evolinux-sudo + Match Group evolix PasswordAuthentication no Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }} PasswordAuthentication yes From 8c1024c23cb24238b490586cc02ac42f5a89e83e Mon Sep 17 00:00:00 2001 
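Review bot: The `Match Group evolix` line in the password-restriction block hard-codes the group as a literal while the addresses on the following `Match` line come from `evolinux_ssh_password_auth_addresses`; if the admin group is ever renamed (a separate `evolinux_sudo_group` variable exists elsewhere in this repo), its members quietly fall back to the global `PasswordAuthentication` value and regain password logins from the listed addresses. `Match Group {{ evolinux_ssh_password_auth_group }}` with a default of `evolix` in the role defaults keeps both Match conditions configurable the same way. This commit already swapped the group once, so a comment above the block naming the intent, e.g. `# members of this group must always authenticate with a key, whatever the source address`, would prevent the next flip. Note that sshd applies only the first `Match` block that sets a given keyword, so the group block must stay ahead of the address block as it is here.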
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sun, 8 Oct 2017 14:23:21 +0200 Subject: [PATCH 074/266] No need to add individual users, a group is enough --- evolinux-users/tasks/ssh.yml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/evolinux-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml index 85d01a8b..796ff341 100644 --- a/evolinux-users/tasks/ssh.yml +++ b/evolinux-users/tasks/ssh.yml @@ -59,13 +59,14 @@ register: grep_matchuser_ssh check_mode: no -- name: "Add Match User sshd directive for '{{ user.name }}'" - lineinfile: - dest: /etc/ssh/sshd_config - line: "\nMatch User {{ user.name }}\n PasswordAuthentication no" - validate: '/usr/sbin/sshd -T -f %s' - notify: reload sshd - when: grep_matchuser_ssh.rc != 0 +# - name: "Add Match User sshd directive for '{{ user.name }}'" +# lineinfile: +# dest: /etc/ssh/sshd_config +# line: "\nMatch User {{ user.name }}\n PasswordAuthentication no" +# insertbefore: "# BEGIN EVOLINUX PASSWORD RESTRICTIONS" +# validate: '/usr/sbin/sshd -T -f %s' +# notify: reload sshd +# when: grep_matchuser_ssh.rc != 0 - name: "Modify Match User's sshd directive for '{{ user.name }}'" replace: From c4ca8c3764bcd9d284d75ea830bd8c6fd1ce4461 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sun, 8 Oct 2017 22:31:22 +0200 Subject: [PATCH 075/266] cleanup with dependencies on java8 --- elasticsearch/meta/main.yml | 4 +++- elasticsearch/tasks/packages.yml | 7 ------- filebeat/meta/main.yml | 1 + filebeat/tasks/main.yml | 2 +- jenkins/meta/main.yml | 27 +++++++++++++++++++++++++++ jenkins/tasks/main.yml | 4 ---- kibana/meta/main.yml | 1 + kibana/tasks/main.yml | 6 +----- logstash/meta/main.yml | 6 ++---- logstash/tasks/main.yml | 8 +------- 10 files changed, 37 insertions(+), 29 deletions(-) create mode 100644 jenkins/meta/main.yml diff --git a/elasticsearch/meta/main.yml b/elasticsearch/meta/main.yml index a2f662c3..54156392 100644 --- a/elasticsearch/meta/main.yml 
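Review bot: The "Add Match User" task is commented out rather than removed, but the `grep` that registers `grep_matchuser_ssh` and the "Modify Match User's sshd directive" task after it stay live; the register is now dead, and the modify task keeps editing any per-user `Match User` block on previously-provisioned hosts, so per-user blocks and the group rule this commit relies on coexist. Delete the block (git keeps the history) and either drop the modify task too or mark it as migration-only, e.g. `# Legacy: hosts provisioned before the Match Group rule may still carry per-user Match blocks`. I cannot see from this hunk whether `user.yml` guarantees every user ends up in the matched group, which is now the only thing disabling password authentication for them; an assert or a README sentence would make that dependency explicit.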
+++ b/elasticsearch/meta/main.yml @@ -13,6 +13,7 @@ galaxy_info: - name: Debian versions: - jessie + - stretch galaxy_tags: [] # List tags for your role here, one per line. A tag is @@ -23,4 +24,5 @@ galaxy_info: # NOTE: A tag is limited to a single word comprised of # alphanumeric characters. Maximum 20 tags per role. -dependencies: [] +dependencies: + - java8 diff --git a/elasticsearch/tasks/packages.yml b/elasticsearch/tasks/packages.yml index 05d5bf46..3530d139 100644 --- a/elasticsearch/tasks/packages.yml +++ b/elasticsearch/tasks/packages.yml @@ -1,12 +1,5 @@ --- -- name: install java8 - include_role: - name: java8 - tags: - - elasticsearch - - packages - - name: APT https transport is enabled apt: name: apt-transport-https diff --git a/filebeat/meta/main.yml b/filebeat/meta/main.yml index 4e6139af..37aa6319 100644 --- a/filebeat/meta/main.yml +++ b/filebeat/meta/main.yml @@ -12,6 +12,7 @@ galaxy_info: - name: Debian versions: - jessie + - stretch dependencies: [] # List your role dependencies here, one per line. diff --git a/filebeat/tasks/main.yml b/filebeat/tasks/main.yml index bc038b93..5029d6d4 100644 --- a/filebeat/tasks/main.yml +++ b/filebeat/tasks/main.yml @@ -36,7 +36,7 @@ - packages - name: Filebeat service is enabled - service: + systemd: name: filebeat enabled: yes diff --git a/jenkins/meta/main.yml b/jenkins/meta/main.yml new file mode 100644 index 00000000..eda76a17 --- /dev/null +++ b/jenkins/meta/main.yml 
@@ -0,0 +1,27 @@ +--- +galaxy_info: + author: Evolix + description: Install Jenkins + + issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues + + license: GPLv2 + + min_ansible_version: 2.2 + + platforms: + - name: Debian + versions: + - jessie + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is + # a keyword that describes and categorizes the role. + # Users find roles by searching for tags. Be sure to + # remove the '[]' above if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of + # alphanumeric characters. Maximum 20 tags per role. + +dependencies: + - java8 diff --git a/jenkins/tasks/main.yml b/jenkins/tasks/main.yml index 88db3b90..19496958 100644 --- a/jenkins/tasks/main.yml +++ b/jenkins/tasks/main.yml @@ -1,9 +1,5 @@ --- -- name: Include java8 role - include_role: - name: java8 - - name: Add jenkins GPG key apt_key: # url: https://jenkins-ci.org/debian/jenkins-ci.org.key diff --git a/kibana/meta/main.yml b/kibana/meta/main.yml index d0e7a891..dce2560a 100644 --- a/kibana/meta/main.yml +++ b/kibana/meta/main.yml @@ -12,6 +12,7 @@ galaxy_info: - name: Debian versions: - jessie + - stretch dependencies: [] # List your role dependencies here, one per line. diff --git a/kibana/tasks/main.yml b/kibana/tasks/main.yml index 9cf74638..9e0d6ce6 100644 --- a/kibana/tasks/main.yml +++ b/kibana/tasks/main.yml @@ -1,9 +1,5 @@ --- -- name: Install java8 - include_role: - name: java8 - - name: APT https transport is enabled apt: name: apt-transport-https @@ -39,7 +35,7 @@ - packages - name: Kibana service is enabled and started - service: + systemd: name: kibana enabled: yes state: started diff --git a/logstash/meta/main.yml b/logstash/meta/main.yml index 629e9f67..c74021e7 100644 --- a/logstash/meta/main.yml +++ b/logstash/meta/main.yml 
@@ -13,7 +13,5 @@ galaxy_info: versions: - jessie -dependencies: [] - # List your role dependencies here, one per line. - # Be sure to remove the '[]' above if you add dependencies - # to this list. +dependencies: + - java8 diff --git a/logstash/tasks/main.yml b/logstash/tasks/main.yml index 16e9ae79..086bd4b3 100644 --- a/logstash/tasks/main.yml +++ b/logstash/tasks/main.yml @@ -1,11 +1,5 @@ --- -- name: Install java8 - include_role: - name: java8 - tags: - - packages - - name: APT https transport is enabled apt: name: apt-transport-https @@ -41,7 +35,7 @@ - packages - name: Logstash service is enabled - service: + systemd: name: logstash enabled: yes From 3d22cbf927f50116d6f07c41b631379aaf44bd97 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sun, 8 Oct 2017 22:33:49 +0200 Subject: [PATCH 076/266] java8: we only need the headless variant --- java8/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/java8/tasks/main.yml b/java8/tasks/main.yml index 22107bd5..8e24def3 100644 --- a/java8/tasks/main.yml +++ b/java8/tasks/main.yml @@ -11,7 +11,7 @@ - name: Java 8 is installed apt: - name: openjdk-8-jre + name: openjdk-8-jre-headless default_release: "{{ java8_apt_release }}" state: present tags: From 13e1c0486b928d05af2fd0b534381e87faa94df4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sun, 8 Oct 2017 22:47:03 +0200 Subject: [PATCH 077/266] "egrep" is deprecated, use "grep -E" --- evolinux-base/tasks/ssh.yml | 2 +- evolinux-users/tasks/ssh.yml | 2 +- postfix/tasks/main.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/evolinux-base/tasks/ssh.yml b/evolinux-base/tasks/ssh.yml index 49ff85b8..17246565 100644 --- a/evolinux-base/tasks/ssh.yml +++ b/evolinux-base/tasks/ssh.yml 
@@ -44,7 +44,7 @@ # we must double-escape caracters, because python - name: verify AllowUsers directive - shell: "egrep '^AllowUsers' /etc/ssh/sshd_config" + shell: "grep -E '^AllowUsers' /etc/ssh/sshd_config" changed_when: False failed_when: False register: grep_allowusers_ssh diff --git a/evolinux-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml index 796ff341..4bf9e5dc 100644 --- a/evolinux-users/tasks/ssh.yml +++ b/evolinux-users/tasks/ssh.yml @@ -28,7 +28,7 @@ # we must double-escape caracters, because python - name: verify AllowUsers directive - shell: "egrep '^AllowUsers' /etc/ssh/sshd_config" + shell: "grep -E '^AllowUsers' /etc/ssh/sshd_config" changed_when: False failed_when: False register: grep_allowusers_ssh diff --git a/postfix/tasks/main.yml b/postfix/tasks/main.yml index 49ccb2ac..77a4fb95 100644 --- a/postfix/tasks/main.yml +++ b/postfix/tasks/main.yml @@ -7,7 +7,7 @@ - mailgraph - name: check if main.cf is default - shell: egrep -v "^(myhostname|mydestination|mailbox_command)" /etc/postfix/main.cf | md5sum - + shell: grep -v -E "^(myhostname|mydestination|mailbox_command)" /etc/postfix/main.cf | md5sum - changed_when: False check_mode: no register: default_main_cf From 1e68bcb2fcab0a3a35b6ae544abab814947ead16 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Mon, 9 Oct 2017 11:56:34 +0200 Subject: [PATCH 078/266] Nginx: fix missing double quote --- nginx/tasks/main_regular.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx/tasks/main_regular.yml b/nginx/tasks/main_regular.yml index 6249e92b..847675aa 100644 --- a/nginx/tasks/main_regular.yml +++ b/nginx/tasks/main_regular.yml 
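Review bot: In the "verify AllowUsers directive" task, `failed_when: False` combined with the downstream `rc != 0` check means a grep error (exit 2, e.g. an unreadable `/etc/ssh/sshd_config`) is treated exactly like "directive absent", so the play continues into the "Add AllowUsers" path instead of stopping on a broken host. `failed_when: grep_allowusers_ssh.rc > 1` keeps exit 1 (no match) as the expected non-failure and surfaces anything else; the identical task in evolinux-users/tasks/ssh.yml in the next hunk has the same gap. Nothing here needs a shell, so `command:` is the more restrictive module for the same result. The surrounding task list continues outside this hunk.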
@@ -43,7 +43,7 @@ - name: "Rename private_ipaddr_whitelist if present" - command: "mv /etc/nginx/snippets/private_ipaddr_whitelist /etc/nginx/snippets/ipaddr_whitelist + command: "mv /etc/nginx/snippets/private_ipaddr_whitelist /etc/nginx/snippets/ipaddr_whitelist" args: removes: /etc/nginx/snippets/private_ipaddr_whitelist creates: /etc/nginx/snippets/ipaddr_whitelist From 9fe76d40da39a1ab87b3de4d55cbbfa81c3347dc Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 9 Oct 2017 15:57:38 +0200 Subject: [PATCH 079/266] Let's keep the currently deployed line --- evolinux-base/tasks/apt.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/evolinux-base/tasks/apt.yml b/evolinux-base/tasks/apt.yml index 8966e4d9..03781a8b 100644 --- a/evolinux-base/tasks/apt.yml +++ b/evolinux-base/tasks/apt.yml @@ -26,8 +26,8 @@ state: present mode: "0640" with_items: - - "DPkg::Pre-Invoke { \"df /tmp | grep -q /tmp && mount -oremount,exec /tmp || true\"; };" - - "DPkg::Pre-Invoke { \"df /usr | grep -q /usr && mount -oremount,rw /usr || true\"; };" + - "DPkg::Pre-Invoke { \"df /tmp | grep -q /tmp && mount -oremount,exec /tmp || true\"; };" + - "DPkg::Pre-Invoke { \"df /usr | grep -q /usr && mount -oremount,rw /usr || true\"; };" - "DPkg::Post-Invoke { \"df /tmp | grep -q /tmp && mount -oremount /tmp || true\"; };" - "DPkg::Post-Invoke { \"df /usr | grep -q /usr && mount -oremount /usr || true\"; };" when: evolinux_apt_hooks From 97980221924118b3f5265b1058e1bf79e5dc70de Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 9 Oct 2017 16:13:26 +0200 Subject: [PATCH 080/266] Nginx: fix ipaddr_whitelist path --- .../nginx/snippets/{private_ipaddr_whitelist => ipaddr_whitelist} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename nginx/files/nginx/snippets/{private_ipaddr_whitelist => ipaddr_whitelist} (100%) 
diff --git a/nginx/files/nginx/snippets/private_ipaddr_whitelist b/nginx/files/nginx/snippets/ipaddr_whitelist similarity index 100% rename from nginx/files/nginx/snippets/private_ipaddr_whitelist rename to nginx/files/nginx/snippets/ipaddr_whitelist From ae745d89ff8f2ab98bc6120ab1862163157dfe55 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 9 Oct 2017 16:35:38 +0200 Subject: [PATCH 081/266] Nginx: don't overwrite the default vhost --- nginx/tasks/main_regular.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/nginx/tasks/main_regular.yml b/nginx/tasks/main_regular.yml index 847675aa..a4611b6f 100644 --- a/nginx/tasks/main_regular.yml +++ b/nginx/tasks/main_regular.yml @@ -119,6 +119,7 @@ src: evolinux-default.conf.j2 dest: /etc/nginx/sites-available/evolinux-default.conf mode: "0640" + force: no notify: reload nginx tags: - nginx From 9af98e7ebe70fe7b15eefdd5c9731d0c47bb671a Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 9 Oct 2017 16:36:03 +0200 Subject: [PATCH 082/266] ES/head: use https to clone the repository --- elasticsearch/tasks/plugin_head.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/elasticsearch/tasks/plugin_head.yml b/elasticsearch/tasks/plugin_head.yml index c309f185..2c4fd264 100644 --- a/elasticsearch/tasks/plugin_head.yml +++ b/elasticsearch/tasks/plugin_head.yml @@ -11,7 +11,7 @@ - block: - name: Head repository is checked-out git: - repo: "git://github.com/mobz/elasticsearch-head.git" + repo: "https://github.com/mobz/elasticsearch-head.git" dest: "{{ elasticsearch_plugin_head_clone_dir }}" clone: yes tags: From 2a95325dc6db13016e563ae38b03c6ee82f474aa Mon Sep 17 00:00:00 2001 
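Review bot: Moving to https removes the unauthenticated `git://` transport, but the `git:` task still has no `version:`, so every run checks out whatever the third-party repository's default branch currently points at (the module updates on each run unless told otherwise) and an upstream compromise or breakage lands on the host unreviewed. Pinning to a tag or commit, `version: "{{ elasticsearch_plugin_head_version }}"` with the chosen ref in the role defaults, makes the deploy reproducible and turns an upstream change into a deliberate variable bump. The enclosing `block:` continues past this hunk.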
From: Jeremy Lecour Date: Mon, 9 Oct 2017 17:45:51 +0200 Subject: [PATCH 083/266] systemd unit for elasticsearch-head --- elasticsearch/tasks/plugin_head.yml | 20 ++++++++++++++++++- .../templates/elasticsearch-head.service.j2 | 14 +++++++++++++ 2 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 elasticsearch/templates/elasticsearch-head.service.j2 diff --git a/elasticsearch/tasks/plugin_head.yml b/elasticsearch/tasks/plugin_head.yml index 2c4fd264..4be19572 100644 --- a/elasticsearch/tasks/plugin_head.yml +++ b/elasticsearch/tasks/plugin_head.yml @@ -6,7 +6,7 @@ home: "{{ elasticsearch_plugin_head_home }}" createhome: yes system: yes - shell: /bin/false + shell: /bin/bash - block: - name: Head repository is checked-out @@ -53,3 +53,21 @@ - restart elasticsearch tags: - elasticsearch + +- name: Install systemd unit + template: + src: elasticsearch-head.service.j2 + dest: /etc/systemd/system/elasticsearch-head.service + tags: + - elasticsearch + - systemd + +- name: Enable systemd unit + systemd: + name: elasticsearch-head + daemon_reload: yes + enabled: yes + state: started + tags: + - elasticsearch + - systemd diff --git a/elasticsearch/templates/elasticsearch-head.service.j2 b/elasticsearch/templates/elasticsearch-head.service.j2 new file mode 100644 index 00000000..4e409ed0 --- /dev/null +++ b/elasticsearch/templates/elasticsearch-head.service.j2 @@ -0,0 +1,14 @@ +[Service] +Type=simple +ExecStart=/usr/bin/npm run start +User={{ elasticsearch_plugin_head_owner }} +Group={{ elasticsearch_plugin_head_group }} +StandardOutput=syslog +StandardError=syslog +SyslogIdentifier=elasticsearch-head +Restart=always +WorkingDirectory={{ elasticsearch_plugin_head_clone_dir }} +Environment=NODE_ENV=production + +[Install] +WantedBy=multi-user.target From 517c0e672bd3d2b2a737a54be7ff1e50a9673097 Mon Sep 17 00:00:00 2001 
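Review bot: Changing the head user's login shell from `/bin/false` to `/bin/bash` gives a service account an interactive shell it should not need: systemd executes `ExecStart` directly and `npm run` launches its scripts through `sh`, and neither consults the account's login shell as far as I can tell. If something actually failed with `/bin/false`, the error belongs in a comment on this line; otherwise `shell: /usr/sbin/nologin` (or the previous `/bin/false`) keeps the account non-interactive. The `user:` task starts before this hunk.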
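Review bot: The new `elasticsearch-head.service` runs `npm run start` as the head user with no `[Unit]` section and no sandboxing, so the unit has no description, no ordering against the network, and a compromise of the web UI process gets the full filesystem view of that account. A minimal `[Unit]` with `Description=` and `After=network.target`, plus `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` in `[Service]`, is cheap for a process of this kind — `ProtectSystem=full` presumes the clone directory is outside `/usr` and `/etc`, which I cannot confirm from here. `ExecStart=/usr/bin/npm run start` also executes whatever the checked-out repository's `package.json` defines as its start script, which is one more reason to pin the clone to a known ref.
```ini
[Unit]
Description=elasticsearch-head web UI
After=network.target

[Service]
; … unchanged: Type, ExecStart, User, Group, logging, Restart, WorkingDirectory, Environment …
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full
```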
From: Jeremy Lecour Date: Tue, 10 Oct 2017 09:57:29 +0200 Subject: [PATCH 084/266] Nginx: completely rename ipaddr_whitelist --- nginx/tasks/main_regular.yml | 27 +++++++++++++++++++++++---- 1 file changed, 23 insertions(+), 4 deletions(-) diff --git a/nginx/tasks/main_regular.yml b/nginx/tasks/main_regular.yml index a4611b6f..bd25952f 100644 --- a/nginx/tasks/main_regular.yml +++ b/nginx/tasks/main_regular.yml @@ -37,10 +37,7 @@ tags: - nginx -# TODO: verify that those permissions are correct : -# not too strict for ipaddr_whitelist -# and not too loose for private_htpasswd - +### Compatibility : change private_ipaddr_whitelist to ipaddr_whitelist ######## - name: "Rename private_ipaddr_whitelist if present" command: "mv /etc/nginx/snippets/private_ipaddr_whitelist /etc/nginx/snippets/ipaddr_whitelist" @@ -48,6 +45,28 @@ removes: /etc/nginx/snippets/private_ipaddr_whitelist creates: /etc/nginx/snippets/ipaddr_whitelist +- name: "search vhosts with private_ipaddr_whitelist" + command: "grep -lr private_ipaddr_whitelist /etc/nginx/sites-available/" + register: vhosts_with_private + changed_when: False + failed_when: False + check_mode: no + +- name: "change inclusion of ipaddr_whitelist in default vhost" + replace: + dest: /etc/nginx/sites-available/evolinux-default.conf + regexp: 'include /etc/nginx/snippets/private_ipaddr_whitelist;' + replace: 'include /etc/nginx/snippets/ipaddr_whitelist;' + notify: reload nginx + with_items: "{{ vhosts_with_private.stdout_lines }}" + when: vhosts_with_private.rc == 0 + +################################################################################ + +# TODO: verify that those permissions are correct : +# not too strict for ipaddr_whitelist +# and not too loose for private_htpasswd + - name: Copy ipaddr_whitelist copy: src: nginx/snippets/ipaddr_whitelist From fae9cd9208eceb617a11625d7fca0d2a6ced9111 Mon Sep 17 00:00:00 2001 
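Review bot: The "change inclusion of ipaddr_whitelist in default vhost" task loops over `vhosts_with_private.stdout_lines` but hard-codes `dest: /etc/nginx/sites-available/evolinux-default.conf`, so `item` is never used and every other vhost that `grep -lr` reported keeps `include /etc/nginx/snippets/private_ipaddr_whitelist;` — a path the rename just above removed — which makes the next `nginx -t`/reload fail and leaves those hosts unable to take any further configuration change. `dest: "{{ item }}"` rewrites each file that was actually found, and the task name should then drop "in default vhost". The `grep` also walks `sites-available/` recursively, so stray backups or editor swap files would be rewritten too; whether that matters depends on what lives in that directory on your hosts.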
From: Jeremy Lecour Date: Tue, 10 Oct 2017 16:34:53 +0200 Subject: [PATCH 085/266] extract APT configuration into apt role --- apt/README.md | 1 + apt/defaults/main.yml | 6 ++++++ apt/tasks/config.yml | 44 +++++++++++++++++++++++++++++++++++++++++++ apt/tasks/main.yml | 6 ++++++ 4 files changed, 57 insertions(+) create mode 100644 apt/tasks/config.yml diff --git a/apt/README.md b/apt/README.md index ec4da5b6..f3a8b13f 100644 --- a/apt/README.md +++ b/apt/README.md @@ -11,6 +11,7 @@ Tasks are extracted in several files, included in `tasks/main.yml` : ## Available variables +* `apt_config` : customize apt configuration (default: `True`) ; * `apt_install_basics` : change basic sources components (default: `True`) ; * `apt_basics_components` : basic sources components (default: `main`) ; * `apt_install_backports` : install backports sources (default: `False`) ; diff --git a/apt/defaults/main.yml b/apt/defaults/main.yml index 4e1cee3d..c648c3c5 100644 --- a/apt/defaults/main.yml +++ b/apt/defaults/main.yml @@ -1,4 +1,10 @@ --- +apt_config: True +apt_evolinux_config: True +apt_hooks: True +apt_remove_aptitude: True +apt_upgrade: True + apt_install_basics: True apt_basics_components: "main" diff --git a/apt/tasks/config.yml b/apt/tasks/config.yml new file mode 100644 index 00000000..264e8dd7 --- /dev/null +++ b/apt/tasks/config.yml 
@@ -0,0 +1,44 @@ +--- + +- name: Evolinux config for APT + lineinfile: + dest: /etc/apt/apt.conf.d/z-evolinux.conf + line: "{{ item.line }}" + regexp: "{{ item.regexp }}" + create: yes + state: present + mode: "0640" + with_items: + - { line: "APT::Install-Recommends \"false\";", regexp: 'APT::Install-Recommends' } + - { line: "APT::Install-Suggests \"false\";", regexp: 'APT::Install-Suggests' } + when: apt_evolinux_config + +- name: DPkg invoke hooks + lineinfile: + dest: /etc/apt/apt.conf.d/z-evolinux.conf + line: "{{ item }}" + create: yes + state: present + mode: "0640" + with_items: + - "DPkg::Pre-Invoke { \"df /tmp | grep -q /tmp && mount -oremount,exec /tmp || true\"; };" + - "DPkg::Pre-Invoke { \"df /usr | grep -q /usr && mount -oremount,rw /usr || true\"; };" + - "DPkg::Post-Invoke { \"df /tmp | grep -q /tmp && mount -oremount /tmp || true\"; };" + - "DPkg::Post-Invoke { \"df /usr | grep -q /usr && mount -oremount /usr || true\"; };" + when: apt_hooks + +- name: Remove Aptitude + apt: + name: aptitude + state: absent + when: apt_remove_aptitude + +- name: Updating APT cache + apt: + update_cache: yes + changed_when: False + +- name: Upgrading system + apt: + upgrade: dist + when: apt_upgrade diff --git a/apt/tasks/main.yml b/apt/tasks/main.yml index af7980c8..72960d02 100644 --- a/apt/tasks/main.yml +++ b/apt/tasks/main.yml @@ -7,6 +7,12 @@ tags: - apt +- name: Custom configuration + include: config.yml + when: apt_config + tags: + - apt + - name: Install basics repositories include: basics.yml when: apt_install_basics From e09a6ace319fd0479b434d09d09d042bfcfee108 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 10 Oct 2017 16:35:23 +0200 Subject: [PATCH 086/266] evolinux-base: use apt role for all APT configuration --- evolinux-base/tasks/apt.yml | 51 ------------------------------------ evolinux-base/tasks/main.yml | 6 ++++- 2 files changed, 5 insertions(+), 52 deletions(-) delete mode 100644 evolinux-base/tasks/apt.yml 
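Review bot: The "DPkg invoke hooks" task gives `lineinfile` no `regexp`, unlike the "Evolinux config for APT" task right above it, so it can only append: any later edit to a hook's text (even the whitespace-only change the earlier evolinux-base commit in this series made to these same lines) leaves the old line in place and adds a second one, and `/tmp` then gets remounted exec twice per dpkg run with no way for this role to retire the stale hook. Keying each item on a stable fragment of its command, as below, lets the task converge. Separately, `apt_upgrade` defaults to True, so every run of this role performs a `dist-upgrade`; that is a large side effect to have on by default and deserves a comment on the task, e.g. `# NOTE: runs a full dist-upgrade on every play unless apt_upgrade is set to False`.
```yaml
- name: DPkg invoke hooks
  lineinfile:
    dest: /etc/apt/apt.conf.d/z-evolinux.conf
    line: "{{ item.line }}"
    regexp: "{{ item.regexp }}"
    create: yes
    state: present
    mode: "0640"
  with_items:
    - { line: "DPkg::Pre-Invoke { \"df /tmp | grep -q /tmp && mount -oremount,exec /tmp || true\"; };", regexp: '^DPkg::Pre-Invoke .*remount,exec /tmp' }
    - { line: "DPkg::Pre-Invoke { \"df /usr | grep -q /usr && mount -oremount,rw /usr || true\"; };", regexp: '^DPkg::Pre-Invoke .*remount,rw /usr' }
    - { line: "DPkg::Post-Invoke { \"df /tmp | grep -q /tmp && mount -oremount /tmp || true\"; };", regexp: '^DPkg::Post-Invoke .*remount /tmp' }
    - { line: "DPkg::Post-Invoke { \"df /usr | grep -q /usr && mount -oremount /usr || true\"; };", regexp: '^DPkg::Post-Invoke .*remount /usr' }
  when: apt_hooks

# … unchanged: Remove Aptitude, Updating APT cache, Upgrading system …
```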
diff --git a/evolinux-base/tasks/apt.yml b/evolinux-base/tasks/apt.yml deleted file mode 100644 index 03781a8b..00000000 --- a/evolinux-base/tasks/apt.yml +++ /dev/null @@ -1,51 +0,0 @@ ---- - -- include_role: - name: apt - vars: - apt_install_basics: "{{ evolinux_apt_replace_default_sources }}" - apt_install_evolix_public: "{{ evolinux_apt_public_sources }}" - -- name: Setting apt config - lineinfile: - dest: /etc/apt/apt.conf.d/z-evolinux.conf - line: "{{ item }}" - create: yes - state: present - mode: "0640" - with_items: - - "APT::Install-Recommends \"false\";" - - "APT::Install-Suggests \"false\";" - when: evolinux_apt_conf - -- name: DPKG invoke hooks - lineinfile: - dest: /etc/apt/apt.conf.d/z-evolinux.conf - line: "{{ item }}" - create: yes - state: present - mode: "0640" - with_items: - - "DPkg::Pre-Invoke { \"df /tmp | grep -q /tmp && mount -oremount,exec /tmp || true\"; };" - - "DPkg::Pre-Invoke { \"df /usr | grep -q /usr && mount -oremount,rw /usr || true\"; };" - - "DPkg::Post-Invoke { \"df /tmp | grep -q /tmp && mount -oremount /tmp || true\"; };" - - "DPkg::Post-Invoke { \"df /usr | grep -q /usr && mount -oremount /usr || true\"; };" - when: evolinux_apt_hooks - -- name: Remove Aptitude - apt: - name: aptitude - state: absent - when: evolinux_apt_remove_aptitude - -- name: Updating APT cache - apt: - update_cache: yes - changed_when: False - -- name: Upgrading system - apt: - upgrade: dist - when: evolinux_apt_upgrade - -- meta: flush_handlers diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml index 09321bab..bb2d56a5 100644 --- a/evolinux-base/tasks/main.yml +++ b/evolinux-base/tasks/main.yml 
@@ -6,7 +6,11 @@ - ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<') - name: Apt configuration - include: apt.yml + include_role: + name: apt + vars: + apt_install_basics: "{{ evolinux_apt_replace_default_sources }}" + apt_install_evolix_public: "{{ evolinux_apt_public_sources }}" when: evolinux_apt_include - name: /etc versioning with Git From bf2cd96793a4cf0bfd6cc7d7505878954713af02 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 10 Oct 2017 20:52:49 +0200 Subject: [PATCH 087/266] evolinux-users must not be included as is There is a major problem with memory consumption, probably a leak, when the role is included. If it is played in the playbook, the whole run takes ~200 MB. If it is played as an included role, the run takes 2.4GB. --- evolinux-base/tasks/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml index bb2d56a5..2849b062 100644 --- a/evolinux-base/tasks/main.yml +++ b/evolinux-base/tasks/main.yml @@ -47,10 +47,10 @@ include: ssh.yml when: evolinux_ssh_include -- name: Create evolinux users - include_role: - name: evolinux-users - when: evolinux_users_include +# - name: Create evolinux users +# include_role: +# name: evolinux-users +# when: evolinux_users_include - name: Root user configuration include: root.yml From 79e57b77875bb11789ee17193f438d4415ec1ee3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Tue, 10 Oct 2017 21:58:03 +0200 Subject: [PATCH 088/266] evolinux-base: don't disable root ssh by default --- evolinux-base/defaults/main.yml | 9 +++++---- evolinux-base/tasks/main.yml | 1 + 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index 9d9d90b3..f23bd344 100644 --- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml 
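Review bot: The new `include_role` forwards only `apt_install_basics` and `apt_install_evolix_public`, while the `apt.yml` deleted by this same commit also honoured `evolinux_apt_conf`, `evolinux_apt_hooks`, `evolinux_apt_remove_aptitude` and `evolinux_apt_upgrade`; the apt role's defaults for the matching toggles are all True, so an inventory that opted out — most importantly `evolinux_apt_upgrade: False` — now silently gets a `dist-upgrade` and the dpkg remount hooks on its next run. Forward the four values as below, or remove the now-dead `evolinux_apt_*` defaults and document the rename so the opt-outs are not lost (the defaults file is not in this hunk, so confirm which of those variables still exist). The removed file also ended with `meta: flush_handlers`, which the include path no longer has; whether any apt handler had to run before "/etc versioning with Git" I cannot tell from here.
```yaml
- name: Apt configuration
  include_role:
    name: apt
  vars:
    apt_install_basics: "{{ evolinux_apt_replace_default_sources }}"
    apt_install_evolix_public: "{{ evolinux_apt_public_sources }}"
    apt_evolinux_config: "{{ evolinux_apt_conf }}"
    apt_hooks: "{{ evolinux_apt_hooks }}"
    apt_remove_aptitude: "{{ evolinux_apt_remove_aptitude }}"
    apt_upgrade: "{{ evolinux_apt_upgrade }}"
  when: evolinux_apt_include
```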
@@ -113,9 +113,10 @@ evolinux_ssh_match_address: True evolinux_ssh_disable_acceptenv: True evolinux_ssh_allow_current_user: False -# evolinux users - -evolinux_users_include: True +### disabled because of a memory leak +# # evolinux users +# +# evolinux_users_include: True # root @@ -129,7 +130,7 @@ evolinux_root_gitconfig: True evolinux_root_bash_history_appendonly: True evolinux_root_vim_default: True evolinux_root_vim_conf: True -evolinux_root_disable_ssh: True +evolinux_root_disable_ssh: False # postfix diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml index 2849b062..28cefe04 100644 --- a/evolinux-base/tasks/main.yml +++ b/evolinux-base/tasks/main.yml @@ -47,6 +47,7 @@ include: ssh.yml when: evolinux_ssh_include +### disabled because of a memory leak # - name: Create evolinux users # include_role: # name: evolinux-users From 707aabb404355979bd173070ec1048d1d7caed55 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Tue, 10 Oct 2017 21:59:43 +0200 Subject: [PATCH 089/266] evolinux-base : remove root from AllowUsers directive when disabling root login, also remove it from AllowUsers if present --- evolinux-base/tasks/root.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/evolinux-base/tasks/root.yml b/evolinux-base/tasks/root.yml index 4c66324a..71cb9f3d 100644 --- a/evolinux-base/tasks/root.yml +++ b/evolinux-base/tasks/root.yml @@ -88,4 +88,13 @@ notify: reload sshd when: evolinux_root_disable_ssh +- name: remove root from AllowUsers directive + replace: + dest: /etc/ssh/sshd_config + regexp: '^(AllowUsers ((?!root(?:@\S+)?).)*)(\sroot(?:@\S+)?|root(?:@\S+)?\s)(.*)$' + replace: '\1\4' + validate: '/usr/sbin/sshd -T -f %s' + notify: reload sshd + when: evolinux_root_disable_ssh + - meta: flush_handlers From 8435ac192d0a2df354b1aba2d0835af8236740f0 Mon Sep 17 00:00:00 2001 
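Review bot: Flipping `evolinux_root_disable_ssh` to `False` in the second hunk, combined with commenting out `evolinux_users_include` in the first, means a plain evolinux-base run no longer touches `PermitRootLogin` at all, and nothing in this file says which role is now expected to do it. A comment next to the variable, e.g. `# root SSH login is left as-is here; the evolinux-users role is expected to disable it`, would stop a reader from assuming the old hardening still happens. A later patch on this page gives evolinux-users its own default under the very same variable name, which makes this note all the more useful.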
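Review bot: The negative lookahead in the `remove root from AllowUsers directive` regexp has no word boundary, so an entry whose name merely starts with `root` is treated as root: group 2 stops in front of it, the `\sroot` alternative then consumes the preceding space plus `root`, and `\1\4` glues the remainder onto the previous name (`AllowUsers alice rootfs-admin` becomes `AllowUsers alicefs-admin`, which `sshd -T` accepts as valid syntax, locking both users out). Anchoring both occurrences, `regexp: '^(AllowUsers ((?!\broot\b(?:@\S+)?).)*)(\sroot\b(?:@\S+)?|root\b(?:@\S+)?\s)(.*)$'`, restricts the match to the literal root entry. Note also that a directive holding only `AllowUsers root` matches neither alternative (no surrounding whitespace) and is left untouched, which is the safer outcome since an empty AllowUsers would not pass validation, but it deserves a comment on the task. Patch 097 further down this page comments the task out entirely.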
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Tue, 10 Oct 2017 22:01:12 +0200 Subject: [PATCH 090/266] evolinux-users: better detection of AllowUsers --- evolinux-users/tasks/main.yml | 3 ++- evolinux-users/tasks/ssh.yml | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/evolinux-users/tasks/main.yml b/evolinux-users/tasks/main.yml index f168ae08..b28dd377 100644 --- a/evolinux-users/tasks/main.yml +++ b/evolinux-users/tasks/main.yml @@ -9,7 +9,8 @@ msg: "Warning: empty 'evolinux_users' variable, tasks will be skipped!" when: evolinux_users == {} -- include: user.yml +- name: Create user accounts + include: user.yml vars: user: "{{ item.value }}" with_dict: "{{ evolinux_users }}" diff --git a/evolinux-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml index 4bf9e5dc..519c53ee 100644 --- a/evolinux-users/tasks/ssh.yml +++ b/evolinux-users/tasks/ssh.yml @@ -46,7 +46,7 @@ - name: "Modify AllowUsers sshd directive for '{{ user.name }}'" replace: dest: /etc/ssh/sshd_config - regexp: '^(AllowUsers ((?!{{ user.name }}).)*)$' + regexp: '^(AllowUsers ((?!\b{{ user.name }}\b).)*)$' replace: '\1 {{ user.name }}' validate: '/usr/sbin/sshd -T -f %s' notify: reload sshd From ae4b9675c2ef397fac0bd2112eb38bab5e7806cb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Tue, 10 Oct 2017 22:01:44 +0200 Subject: [PATCH 091/266] evolix-users: disable root ssh login by default --- evolinux-users/defaults/main.yml | 1 + evolinux-users/tasks/main.yml | 3 +++ evolinux-users/tasks/root_disable_ssh.yml | 16 ++++++++++++++++ 3 files changed, 20 insertions(+) create mode 100644 evolinux-users/tasks/root_disable_ssh.yml diff --git a/evolinux-users/defaults/main.yml b/evolinux-users/defaults/main.yml index f0947958..d7d6f958 100644 --- a/evolinux-users/defaults/main.yml +++ b/evolinux-users/defaults/main.yml @@ -1,3 +1,4 @@ --- evolinux_users: {} evolinux_sudo_group: "evolinux-sudo" +evolinux_root_disable_ssh: True 
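Review bot: `{{ user.name }}` is interpolated into the `regexp` unescaped, so a name containing a regex metacharacter (a dot is the realistic case) alters the pattern instead of being matched literally; `regexp: '^(AllowUsers ((?!\b{{ user.name | regex_escape }}\b).)*)$'` keeps the new `\b` anchoring and makes the name literal (the `regex_escape` filter exists in newer Ansible releases; confirm it is available on the controller version in use). The `replace:` value has the same exposure to backslash sequences, though that is unlikely for a Unix account name.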
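Review bot: `evolinux_root_disable_ssh: True` reuses the exact variable name that evolinux-base's defaults set to `False` in patch 088 above. Role defaults sit at the bottom of the precedence order and, depending on how the two roles are combined in a play, one role's default can shadow the other's, so the effective value on a host can become an artefact of role ordering rather than of this file. A role-prefixed name such as `evolinux_users_root_disable_ssh` (constructed example) removes the ambiguity, and the role README should state which role owns the setting.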
diff --git a/evolinux-users/tasks/main.yml b/evolinux-users/tasks/main.yml index b28dd377..ec1400bd 100644 --- a/evolinux-users/tasks/main.yml +++ b/evolinux-users/tasks/main.yml @@ -15,3 +15,6 @@ user: "{{ item.value }}" with_dict: "{{ evolinux_users }}" when: evolinux_users != {} + +- include: root_disable_ssh.yml + when: evolinux_root_disable_ssh diff --git a/evolinux-users/tasks/root_disable_ssh.yml b/evolinux-users/tasks/root_disable_ssh.yml new file mode 100644 index 00000000..f7cd727b --- /dev/null +++ b/evolinux-users/tasks/root_disable_ssh.yml @@ -0,0 +1,16 @@ +--- + +- name: disable root login + replace: + dest: /etc/ssh/sshd_config + regexp: '^PermitRootLogin (yes|without-password)' + replace: "PermitRootLogin no" + notify: reload sshd + +- name: remove root from AllowUsers directive + replace: + dest: /etc/ssh/sshd_config + regexp: '^(AllowUsers ((?!root(?:@\S+)?).)*)(\sroot(?:@\S+)?|root(?:@\S+)?\s)(.*)$' + replace: '\1\4' + validate: '/usr/sbin/sshd -T -f %s' + notify: reload sshd From 20e8a852fae590e5ad0080e794e88c6065636f66 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Tue, 10 Oct 2017 23:50:14 +0200 Subject: [PATCH 092/266] Handle "PermitRootLogin prohibit-password" --- evolinux-base/tasks/root.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evolinux-base/tasks/root.yml b/evolinux-base/tasks/root.yml index 71cb9f3d..7e79b657 100644 --- a/evolinux-base/tasks/root.yml +++ b/evolinux-base/tasks/root.yml @@ -83,7 +83,7 @@ - name: disable SSH access for root replace: dest: /etc/ssh/sshd_config - regexp: '^PermitRootLogin (yes|without-password)' + regexp: '^PermitRootLogin (yes|without-password|prohibit-password)' replace: "PermitRootLogin no" notify: reload sshd when: evolinux_root_disable_ssh From cca3b2921f104885f1e42052289ff733e03bf290 Mon Sep 17 00:00:00 2001 
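Review bot: The `disable root login` task in root_disable_ssh.yml only rewrites an uncommented `PermitRootLogin yes|without-password` line, so on a host whose sshd_config carries the stock commented `#PermitRootLogin prohibit-password` (OpenSSH 7+ uses prohibit-password as its compiled-in default) nothing matches and key-based root login stays enabled even though `evolinux_root_disable_ssh` is True. Patch 092 just below adds `prohibit-password` to the evolinux-base copy of this regexp but not to this file. A `lineinfile` with `regexp: '^#?PermitRootLogin'` and `line: "PermitRootLogin no"` covers the absent, commented and non-default cases alike; it should also carry `validate: '/usr/sbin/sshd -T -f %s'` like the AllowUsers task right after it, since the task notifies `reload sshd` and a reload of a broken sshd_config would cost remote access.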
From: Jeremy Lecour Date: Wed, 11 Oct 2017 12:10:44 +0200 Subject: [PATCH 093/266] Public role for "generate-ldif" --- generate-ldif/README.md | 22 + generate-ldif/defaults/main.yml | 7 + generate-ldif/tasks/exec.yml | 15 + generate-ldif/tasks/main.yml | 11 + generate-ldif/tasks/remount_usr_rw.yml | 15 + generate-ldif/templates/generateldif.sh.j2 | 542 +++++++++++++++++++++ 6 files changed, 612 insertions(+) create mode 100644 generate-ldif/README.md create mode 100644 generate-ldif/defaults/main.yml create mode 100644 generate-ldif/tasks/exec.yml create mode 100644 generate-ldif/tasks/main.yml create mode 100644 generate-ldif/tasks/remount_usr_rw.yml create mode 100755 generate-ldif/templates/generateldif.sh.j2 diff --git a/generate-ldif/README.md b/generate-ldif/README.md new file mode 100644 index 00000000..a71be619 --- /dev/null +++ b/generate-ldif/README.md @@ -0,0 +1,22 @@ +# generate-ldif + +Install generateldif ; a script for building an ldif file, ready to import into LDAP. + +## Tasks + +The roles install the script, but doesn't run it. + +A separate `exec.yml` task file can be played manually in playbooks or roles to execute the script. Example : + +``` +- include_role: + name: generate-ldif + tasks_from: exec.yml +``` +## Variables + +* `general_scripts_dir` : parent directory for the script +* `client_number` : client number (default: `XXX`) +* `monitoring_mode` : `everytime` or `worktime` (default: `everytime`) +* `monitoring_type` : `icmp` or `nrpe` (default: `icmp`) +* `monitoring_timeout` : timeout for nrpe checks, in seconds (default: `10`) diff --git a/generate-ldif/defaults/main.yml b/generate-ldif/defaults/main.yml new file mode 100644 index 00000000..48bd19fc --- /dev/null +++ b/generate-ldif/defaults/main.yml @@ -0,0 +1,7 @@ +--- +general_scripts_dir: "/usr/share/scripts" + +client_number: XXX +monitoring_mode: "everytime" +monitoring_type: "icmp" +monitoring_timeout: "10" 
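Review bot: `client_number: XXX` gives the variable a value, so the `{{ client_number | mandatory }}` guard in generateldif.sh.j2 never fires and a forgotten client number is silently written into the LDIF as `clientNumber: XXX`. Either drop the default so `mandatory` does its job, or keep the placeholder and add an `assert` before the template task with `that: client_number != "XXX"`. As a minor point, `XXX` is the only unquoted scalar in the file; quote it for consistency with the other values.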
diff --git a/generate-ldif/tasks/exec.yml b/generate-ldif/tasks/exec.yml new file mode 100644 index 00000000..6450c6bc --- /dev/null +++ b/generate-ldif/tasks/exec.yml @@ -0,0 +1,15 @@ +--- +- name: run generateldif + command: '{{ general_scripts_dir }}/generateldif.sh' + register: generateldif_run + changed_when: False + failed_when: False + check_mode: no + tags: + - generateldif-exec + +- debug: + var: generateldif_run.stdout_lines + verbosity: 1 + tags: + - generateldif-exec diff --git a/generate-ldif/tasks/main.yml b/generate-ldif/tasks/main.yml new file mode 100644 index 00000000..03b9505e --- /dev/null +++ b/generate-ldif/tasks/main.yml @@ -0,0 +1,11 @@ +--- +- include: remount_usr_rw.yml + when: general_scripts_dir | search("/usr") + +- name: "copy generateldif.sh" + template: + src: templates/generateldif.sh.j2 + dest: '{{ general_scripts_dir }}/generateldif.sh' + owner: root + group: root + mode: "0750" diff --git a/generate-ldif/tasks/remount_usr_rw.yml b/generate-ldif/tasks/remount_usr_rw.yml new file mode 100644 index 00000000..8c51aee2 --- /dev/null +++ b/generate-ldif/tasks/remount_usr_rw.yml @@ -0,0 +1,15 @@ +--- +- name: Get mount options for partitions + shell: "mount | grep 'on /usr type'" + args: + warn: no + register: mount + changed_when: False + failed_when: False + when: not ansible_check_mode + +- name: Remount /usr if it is a partition and it is not mounted in rw + command: "mount -o remount,rw /usr" + when: mount.rc == 0 and not mount.stdout_lines.0 | search("rw") + args: + warn: no diff --git a/generate-ldif/templates/generateldif.sh.j2 b/generate-ldif/templates/generateldif.sh.j2 new file mode 100755 index 00000000..0f3abcf2 --- /dev/null +++ b/generate-ldif/templates/generateldif.sh.j2 
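Review bot: `failed_when: False` on the `run generateldif` task hides every failure of the script (it exits 1 when not run as root, and any of the commands inside it can fail), and `changed_when: False` hides that it writes a new file under /root on each run; the following `debug` is only shown at verbosity 1, so a broken run passes unnoticed. Prefer `failed_when: generateldif_run.rc != 0` (or simply drop `failed_when`) and `changed_when: generateldif_run.rc == 0` so the play reports what actually happened.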
@@ -0,0 +1,542 @@ +#!/bin/sh + +if [ $(id -u) != 0 ]; then + echo "You must be root" 2>&1 + exit 1 +fi + +is_pkg_installed() { + dpkg -l "$1" 2>/dev/null | grep -q '^ii' +} + +get_pkg_version() { + dpkg-query -W -f='${Version}\n' "$1" | \ + sed 's/[~+-].\+//' | sed 's/.\+://' | sed 's/p.*//' | cut -d'.' -f1,2 +} + +clientNumber="{{ client_number | mandatory }}" +monitoringMode="{{ monitoring_mode | mandatory }}" +monitoringType="{{ monitoring_type | mandatory }}" +monitoringTimeout="{{ monitoring_timeout | mandatory }}" +isActive="TRUE" +NagiosEnabled="TRUE" + +EvoComputerName=$(hostname -s) +dnsPTRrecord=$(hostname -f) +HardwareMark=$(dmidecode -s system-manufacturer | grep -v '^#') +computerIP=$(hostname -i | cut -d' ' -f1) +computerOS=$(lsb_release -s -d | sed 's#\..##') +computerKernel=$(uname -r) +HardwareSerial=$(dmidecode -s system-serial-number | grep -v '^#') + +type="baremetal" +lscpu | grep -q KVM && type="kvm" +lscpu | grep -q Oracle && type="virtualbox" + +if [ "$type" = "kvm" ]; then + HardwareMark="KVM" + HardwareModel="Virtual Machine" + + cpuMark=$(lscpu | grep Vendor | tr -s '\t' ' ' | cut -d' ' -f3) + cpuModel="Virtual $(lscpu | grep "Model name" | tr -s '\t' ' ' | cut -d' ' -f3-), $(nproc) vCPU" + cpuFreq="$(lscpu | grep "CPU MHz" | tr -s '\t' ' ' | cut -d' ' -f3-)MHz" +elif [ "$type" = "virtualbox" ]; then + HardwareMark="VirtualBox" + HardwareModel="Virtual Machine" + + cpuMark=$(lscpu | grep Vendor | tr -s '\t' ' ' | cut -d' ' -f3) + cpuModel="Virtual $(lscpu | grep "Model name" | tr -s '\t' ' ' | cut -d' ' -f3-), $(nproc) vCPU" + cpuFreq="$(lscpu | grep "CPU MHz" | tr -s '\t' ' ' | cut -d' ' -f3-)MHz" +else + HardwareModel=$(dmidecode -s system-product-name | grep -v '^#') + + cpuMark=$(dmidecode -s processor-manufacturer | grep -v '^#' | head -1) + cpuModel=$(dmidecode -s processor-version | grep -v '^#' | head -1) + cpuFreq=$(dmidecode -s processor-frequency | grep -v '^#' | head -1) +fi + +# lspci is not available on OpenVZ container. 
+if ( test -d /proc/vz && ! test -d /proc/bc ); then + screen0Mark="No screen on OpenVZ container" + screen0Model="No screen on OpenVZ container" + sdaSize="Total SIMFS $(df -h -t simfs --total | tail -1 | tr -s '\t' ' ' | cut -d' ' -f2)" +else + screen0Mark=$(lspci -q -vm | grep VGA -A3 | grep Vendor | tr -d '\t' | cut -d':' -f2 | head -1) + screen0Model=$(lspci -q -vm | grep VGA -A3 | grep Device | tr -d '\t' | cut -d':' -f2 | head -1) + sdaSize=$(lsblk -d -r -n -o TYPE,SIZE | grep disk | sed 's/^disk //'| xargs | sed 's/ / + /g') + raidModel=$(lspci -q -vm | grep RAID -A3 | grep Device | tr -d '\t' | cut -d':' -f2 | head -1) +fi + +if (test -b /dev/vda); then + sdaModel="Virtual VirtIO Disk" +elif [ -d /proc/vz ] && [ ! -d /proc/bc ]; then + sdaModel="OpenVZ SIMFS disk" +else + hdparm -I /dev/sda 2>&1 | grep -q bad + if [ $? -eq 0 ]; then + if (test -n "${raidModel}"); then + sdaModel=${raidModel} + else + sdaModel="Model unknown, RAID HW?" + fi + else + sdaModel=$(hdparm -I /dev/sda | grep Model | tr -s '\t' ' ' | cut -d' ' -f4-) + fi +fi + +ldif_file="/root/${EvoComputerName}.$(date +"%Y%m%d%H%M%S").ldif" + +computer_dn="EvoComputerName=${EvoComputerName},ou=computer,dc=evolix,dc=net" + +# Generic services. 
+cat < "${ldif_file}" +## Generated on $(date --iso-8601=seconds) +## Can be injected in LDAP with this command: +# ldapvi --profile evolix --add --in ${EvoComputerName}.ldif + +dn: ${computer_dn} +dnsArecord: ${EvoComputerName} +EvoComputerName: ${EvoComputerName} +HardwareMark: ${HardwareMark} +HardwareModel: ${HardwareModel} +dnsZone: evolix.net +objectClass: EvoComputer +objectClass: top +computerIP: ${computerIP} +dnsPTRrecord: ${dnsPTRrecord} +computerOS: ${computerOS} +computerKernel: Linux ${computerKernel} +isActive: ${isActive} +NagiosEnabled: ${NagiosEnabled} +NagiosComments: ${monitoringType},${monitoringMode},${monitoringTimeout} +HardwareSerial: ${HardwareSerial} +clientNumber: ${clientNumber} +EOT + +# CPU +if [ -n "${cpuMark}" ]; then + cat <> "${ldif_file}" + +dn: HardwareName=cpu0,${computer_dn} +HardwareMark: ${cpuMark} +objectClass: EvoHardware +HardwareName: cpu0 +HardwareSize: ${cpuFreq} +HardwareType: CPU +HardwareModel: ${cpuModel} +EOT +fi + +# Memory +mem=$(free -h | grep Mem: | tr -s ' ' | cut -d ' ' -f2) +if [ -n "${mem}" ]; then + cat <> "${ldif_file}" + +dn: HardwareName=ram0,${computer_dn} +HardwareName: ram0 +objectClass: EvoHardware +HardwareSize: ${mem} +HardwareType: mem +NagiosEnabled: TRUE +EOT +fi + +# Screen +swap=$(free -h | grep Swap: | tr -s ' ' | cut -d ' ' -f2) +if [ -n "${screen0Mark}" ]; then + cat <> "${ldif_file}" + +dn: HardwareName=screen0,${computer_dn} +HardwareMark: ${screen0Mark} +HardwareName: screen0 +objectClass: EvoHardware +HardwareModel: ${screen0Model} +HardwareType: video +EOT +fi + +# /dev/sda +if [ -n "${sdaModel}" ]; then + cat <> "${ldif_file}" + +dn: HardwareName=sda,${computer_dn} +objectClass: EvoHardware +HardwareName: sda +HardwareSize: ${sdaSize} +HardwareType: disk +HardwareModel: ${sdaModel} +HardwarePartitioncount: 1 +NagiosEnabled: TRUE +EOT +fi + +# Swap +swap=$(free -h | grep Swap: | tr -s ' ' | cut -d ' ' -f2) +if [ -n "${swap}" ]; then + cat <> "${ldif_file}" + +dn: 
HardwareName=swap,${computer_dn} +objectClass: EvoHardware +HardwareName: swap +HardwareSize: ${swap} +HardwareType: mem +NagiosEnabled: TRUE +EOT +fi + +# NRPE +nrpe_version=$(get_pkg_version nagios-nrpe-server) +if [ -n "${nrpe_version}" ]; then + cat <> "${ldif_file}" + +dn: ServiceName=nrpe,${computer_dn} +NagiosEnabled: TRUE +ipServiceProtocol: TCP +ServiceVersion: NRPE ${nrpe_version} +objectClass: EvoService +ServiceName: nrpe +ipServicePort: 5666 +ServiceType: monitoring +EOT +fi + +# Postfix +postfix_version=$(get_pkg_version postfix) +if [ -n "${postfix_version}" ]; then + cat <> "${ldif_file}" + +dn: ServiceName=postfix,${computer_dn} +ipServiceProtocol: tcp +NagiosEnabled: TRUE +objectClass: EvoService +ServiceName: postfix +ipServicePort: 25 +ServiceType: smtp +ServiceVersion: Postfix ${postfix_version} +EOT +fi + +# OpenSSH +openssh_version=$(get_pkg_version openssh-server) +if [ -n "${openssh_version}" ]; then + opensshFingerprintRSA=$(ssh-keyscan -t rsa localhost 2>/dev/null\ + | sed -e 's/localhost //' -e 's/ssh-rsa /ssh-rsa,/') + opensshFingerprintED25519=$(ssh-keyscan -t ed25519 localhost 2>/dev/null\ + | sed -e 's/localhost //' -e 's/ssh-ed25519 /ssh-ed25519,/') + opensshFingerprintECDSA=$(ssh-keyscan -t ecdsa-sha2-nistp256 localhost 2>/dev/null\ + | sed -e 's/localhost //' -e 's/ecdsa-sha2-nistp256 /ecdsa-sha2-nistp256,/') + opensshFingerprint="${opensshFingerprintRSA}${opensshFingerprintRSA:+;}${opensshFingerprintED25519}${opensshFingerprintED25519:+;}${opensshFingerprintECDSA}" + + cat <> "${ldif_file}" + +dn: ServiceName=openssh,${computer_dn} +ipServiceProtocol: tcp +NagiosEnabled: TRUE +objectClass: EvoService +ipServicePort: 22 +ServiceName: openssh +ServiceType: ssh +ServiceVersion: OpenSSH ${openssh_version} +ServiceFingerprint: ${opensshFingerprint} +EOT +fi + +# NTP +ntp_version=$(get_pkg_version ntp) +if [ -n "${ntp_version}" ]; then + cat <> "${ldif_file}" + +dn: ServiceName=ntp,${computer_dn} +NagiosEnabled: TRUE +objectClass: 
EvoService +ServiceName: ntp +ServiceType: ntp +ServiceVersion: NTP ${ntp_version} +EOT +fi + +for net in $(ls /sys/class/net); do + path=$(readlink -e /sys/class/net/${net}) + echo $path | grep -q virtual + if [ $? -ne 0 ]; then + hw=$(cat ${path}/address) + vendor_id=$(cat ${path}/device/vendor) + dev_id=$(cat ${path}/device/device) + [ "${dev_id}" = "0x0001" ] && dev_id="0x1000" + dev=$(lspci -d "${vendor_id}:${dev_id}" -vm) + vendor=$(echo "${dev}" | grep -E "^Vendor" | cut -d':' -f2 | xargs) + model=$(echo "${dev}" | grep -E "^Vendor" -A1 | grep -E "^Device" | cut -d':' -f2 | xargs) + size=$(cat ${path}/tx_queue_len) + ips=$(ip -o addr show "${net}" | grep "global" | awk '{print $4 }' | xargs | cut -d'/' -f1) + cat <> "${ldif_file}" + +dn: HardwareName=$net,EvoComputerName=$(hostname),ou=computer,dc=evolix,dc=net +objectClass: EvoHardware +HardwareAddress: ${hw} +EOT + [ -n "$ips" ] && echo "HardwareIP: ${ips}" >> "${ldif_file}" + cat <> "${ldif_file}" +HardwareMark: ${vendor} +HardwareModel: ${model} +HardwareName: ${net} +HardwareSize: ${size} +HardwareType: netcard +EOT + fi +done + +# Apache +if is_pkg_installed apache2-data; then + apache_version=$(get_pkg_version apache2-data) +fi +if [ -n "${apache_version}" ]; then + cat <> "${ldif_file}" + +dn: ServiceName=apache,${computer_dn} +NagiosEnabled: TRUE +ipServiceProtocol: tcp +objectClass: EvoService +ServiceName: apache +ipServicePort: 80 +ServiceType: http +ServiceVersion: Apache ${apache_version} + +dn: ServiceName=apache-ssl,${computer_dn} +NagiosEnabled: TRUE +ipServiceProtocol: tcp +objectClass: EvoService +ServiceName: apache-ssl +ipServicePort: 443 +ServiceType: http +ServiceVersion: Apache ${apache_version} +EOT +fi + +# Nginx +if is_pkg_installed nginx-common; then + nginx_version=$(get_pkg_version nginx-common) +fi +if [ -n "${nginx_version}" ]; then + cat <> "${ldif_file}" + +dn: ServiceName=nginx,${computer_dn} +NagiosEnabled: TRUE +ipServiceProtocol: tcp +objectClass: EvoService 
+ServiceName: nginx +ipServicePort: 80 +ServiceType: http +ServiceVersion: Nginx ${nginx_version} + +dn: ServiceName=nginx-ssl,${computer_dn} +NagiosEnabled: TRUE +ipServiceProtocol: tcp +objectClass: EvoService +ipServicePort: 443 +ServiceName: nginx-ssl +ServiceType: https +ServiceVersion: Nginx ${nginx_version} +EOT +fi + +# MySQL +if is_pkg_installed mysql-server-5.5; then + mysql_version=$(get_pkg_version mysql-server-5.5) +elif is_pkg_installed mysql-server-5.7; then + mysql_version=$(get_pkg_version mysql-server-5.7) +fi +if [ -n "${mysql_version}" ]; then + cat <> "${ldif_file}" + +dn: ServiceName=mysql,${computer_dn} +NagiosEnabled: TRUE +ipServiceProtocol: tcp +objectClass: EvoService +ServiceName: mysql +ipServicePort: 3306 +ServiceType: sql +ServiceVersion: MySQL ${mysql_version} +EOT +fi + +# MariaDB +if is_pkg_installed mariadb-server-10.1; then + mariadb_version=$(get_pkg_version mariadb-server-10.1) +elif is_pkg_installed mariadb-server-10.0; then + mariadb_version=$(get_pkg_version mariadb-server-10.0) +fi +if [ -n "${mariadb_version}" ]; then + cat <> "${ldif_file}" + +dn: ServiceName=mysql,${computer_dn} +NagiosEnabled: TRUE +ipServiceProtocol: tcp +objectClass: EvoService +ServiceName: mysql +ipServicePort: 3306 +ServiceType: sql +ServiceVersion: MariaDB ${mariadb_version} +EOT +fi + +# Squid +if is_pkg_installed squid; then + # squid on Debian 9+ + squid_version=$(get_pkg_version squid) +elif is_pkg_installed squid3-common; then + # squid on Debian 8 + squid_version=$(get_pkg_version squid3-common) +fi +if [ -n "${squid_version}" ]; then + cat <> "${ldif_file}" + +dn: ServiceName=squid,${computer_dn} +NagiosEnabled: TRUE +ipServiceProtocol: tcp +objectClass: EvoService +ServiceName: squid +ipServicePort: 3128 +ServiceType: proxy +ServiceVersion: Squid ${squid_version} +EOT +fi + +# ProFTPD +if is_pkg_installed proftpd-basic; then + proftpd_version=$(get_pkg_version proftpd-basic) +fi +if [ -n "${proftpd_version}" ]; then + cat <> "${ldif_file}" 
+ +dn: ServiceName=proftpd,${computer_dn} +NagiosEnabled: TRUE +ipServiceProtocol: tcp +objectClass: EvoService +ServiceName: proftpd +ipServicePort: 3128 +ServiceType: ftp +ServiceVersion: ProFTPD ${proftpd_version} +EOT +fi + +# OpenLDAP +if is_pkg_installed slapd; then + ldap_version=$(get_pkg_version slapd) +fi +if [ -n "${ldap_version}" ]; then + cat <> "${ldif_file}" + +dn: ServiceName=openldap,${computer_dn} +NagiosEnabled: TRUE +ipServiceProtocol: tcp +objectClass: EvoService +ServiceName: openldap +ipServicePort: 389 +ServiceType: ldap +ServiceVersion: OpenLDAP ${ldap_version} +EOT +fi + +# Dovecot +if is_pkg_installed dovecot-common; then + dovecot_version=$(get_pkg_version dovecot-common) +fi +if [ -n "${dovecot_version}" ]; then + cat <> "${ldif_file}" + +dn: ServiceName=dovecot-pop,${computer_dn} +NagiosEnabled: TRUE +ipServiceProtocol: tcp +objectClass: EvoService +ServiceName: dovecot-pop +ipServicePort: 110 +ServiceType: pop +ServiceVersion: Dovecot ${dovecot_version} + +dn: ServiceName=dovecot-pop-ssl,${computer_dn} +NagiosEnabled: TRUE +ipServiceProtocol: tcp +objectClass: EvoService +ServiceName: dovecot-pop-ssl +ipServicePort: 995 +ServiceType: pop +ServiceVersion: Dovecot ${dovecot_version} + +dn: ServiceName=dovecot-imap,${computer_dn} +NagiosEnabled: TRUE +ipServiceProtocol: tcp +objectClass: EvoService +ServiceName: dovecot-imap +ipServicePort: 143 +ServiceType: imap +ServiceVersion: Dovecot ${dovecot_version} + +dn: ServiceName=dovecot-imap-ssl,${computer_dn} +NagiosEnabled: TRUE +ipServiceProtocol: tcp +objectClass: EvoService +ServiceName: dovecot-imap-ssl +ipServicePort: 993 +ServiceType: imap +ServiceVersion: Dovecot ${dovecot_version} +EOT +fi + +# Amavis +if is_pkg_installed amavisd-new; then + amavis_version=$(get_pkg_version amavisd-new) +fi +if [ -n "${amavis_version}" ]; then + cat <> "${ldif_file}" + +dn: ServiceName=amavisd-new,${computer_dn} +NagiosEnabled: TRUE +ipServiceProtocol: tcp +objectClass: EvoService +ServiceName: 
amavisd-new +ipServicePort: 10024 +ServiceType: smtp +ServiceVersion: amavisd-new ${amavis_version} +EOT +fi + +# ClamAV +if is_pkg_installed clamav-daemon; then + clamav_version=$(get_pkg_version clamav-daemon) +fi +if [ -n "${clamav_version}" ]; then + cat <> "${ldif_file}" + +dn: ServiceName=clamav_db,${computer_dn} +NagiosEnabled: TRUE +objectClass: EvoService +ServiceName: clamav_db +ServiceType: antivirus +ServiceVersion: ClamAV ${clamav_version} +EOT +fi + +# Elasticsearch +if is_pkg_installed elasticsearch; then + elasticsearch_version=$(get_pkg_version elasticsearch) +fi +if [ -n "${elasticsearch_version}" ]; then + cat <> "${ldif_file}" + +dn: ServiceName=elasticsearch,${computer_dn} +NagiosEnabled: TRUE +ipServiceProtocol: tcp +objectClass: EvoService +ServiceName: elasticsearch +ipServicePort: 9200 +ServiceType: http +ServiceVersion: Elasticsearch ${elasticsearch_version} +EOT +fi + +# test if we have a stdout +if [ -t 1 ]; then + echo "Output is in ${ldif_file}" +fi + +exit 0 From 4bc76355021c791f96fcee436d561e696142ebaf Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 11 Oct 2017 12:10:59 +0200 Subject: [PATCH 094/266] Include generate-ldif in evolinux-base --- evolinux-base/defaults/main.yml | 6 ++++++ evolinux-base/tasks/main.yml | 5 +++++ 2 files changed, 11 insertions(+) diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index f23bd344..6f2961a7 100644 --- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml @@ -184,7 +184,13 @@ evolinux_munin_include: True evolinux_nagios_nrpe_include: True # fail2ban + evolinux_fail2ban_include: True # Listupgrade + evolinux_listupgrade_include: True + +# Generate ldif + +evolinux_generateldif_include: True diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml index 28cefe04..4784b084 100644 --- a/evolinux-base/tasks/main.yml +++ b/evolinux-base/tasks/main.yml 
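Review bot: Three concrete defects in the generated script: the root check's message is written with `2>&1`, which redirects stderr to stdout instead of sending the message to stderr — it should read `echo "You must be root" >&2`; the ProFTPD entry copies Squid's port and declares `ipServicePort: 3128` where FTP is `ipServicePort: 21`; and the netcard entries are built with `dn: HardwareName=$net,EvoComputerName=$(hostname),ou=computer,dc=evolix,dc=net` while every other entry uses `${computer_dn}` (derived from `hostname -s`), so on a host where `hostname` returns the FQDN the network cards land under a different computer DN — `dn: HardwareName=${net},${computer_dn}` keeps them consistent. Less critical: `swap=$(free -h ...)` is computed once under the `# Screen` comment and again under `# Swap`, and the unguarded `get_pkg_version` calls for nrpe, postfix, openssh and ntp let dpkg-query print to stderr when the package is absent. The heredoc delimiters appear stripped on this page (`cat < "${ldif_file}"`), presumably a rendering artefact rather than the committed text.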
@@ -109,3 +109,8 @@ include_role: name: listupgrade when: evolinux_listupgrade_include + +- name: Generate ldif script + include_role: + name: generate-ldif + when: evolinux_generateldif_include From 745c45f88dd595967f520febf1b68e64bfef79df Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Wed, 11 Oct 2017 17:58:18 +0200 Subject: [PATCH 095/266] Fix remount_usr_rw/yml --- apache/tasks/remount_usr_rw.yml | 6 +++++- evocheck/tasks/remount_usr_rw.yml | 6 +++++- evolinux-base/tasks/remount_usr_rw.yml | 6 +++++- generate-ldif/tasks/remount_usr_rw.yml | 6 +++++- kibana/tasks/remount_usr_rw.yml | 6 +++++- mysql/tasks/remount_usr_rw.yml | 6 +++++- nagios-nrpe/tasks/remount_usr_rw.yml | 6 +++++- varnish/tasks/remount_usr_rw.yml | 6 +++++- webapps/evoadmin-web/tasks/remount_usr_rw.yml | 6 +++++- 9 files changed, 45 insertions(+), 9 deletions(-) diff --git a/apache/tasks/remount_usr_rw.yml b/apache/tasks/remount_usr_rw.yml index 8c51aee2..60162607 100644 --- a/apache/tasks/remount_usr_rw.yml +++ b/apache/tasks/remount_usr_rw.yml @@ -10,6 +10,10 @@ - name: Remount /usr if it is a partition and it is not mounted in rw command: "mount -o remount,rw /usr" - when: mount.rc == 0 and not mount.stdout_lines.0 | search("rw") + when: + - not ansible_check_mode + - mount.rc == 0 + - not mount.stdout_lines.0 | search("rw") + check_mode: yes args: warn: no diff --git a/evocheck/tasks/remount_usr_rw.yml b/evocheck/tasks/remount_usr_rw.yml index 8c51aee2..60162607 100644 --- a/evocheck/tasks/remount_usr_rw.yml +++ b/evocheck/tasks/remount_usr_rw.yml @@ -10,6 +10,10 @@ - name: Remount /usr if it is a partition and it is not mounted in rw command: "mount -o remount,rw /usr" - when: mount.rc == 0 and not mount.stdout_lines.0 | search("rw") + when: + - not ansible_check_mode + - mount.rc == 0 + - not mount.stdout_lines.0 | search("rw") + check_mode: yes args: warn: no diff --git a/evolinux-base/tasks/remount_usr_rw.yml b/evolinux-base/tasks/remount_usr_rw.yml index 8c51aee2..60162607 100644 
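Review bot: `check_mode: yes` on the `Remount /usr` command task forces that task into check mode even during a normal play, and as I read the Ansible semantics the `command` module does not support check mode, so the remount would never be executed — the opposite of what the new `not ansible_check_mode` condition suggests was intended. If the goal is to skip the task under `--check` and run it otherwise, the `when` list alone is sufficient and the `check_mode` line should be dropped (if it is instead meant to run unconditionally, `check_mode: no` is the keyword, and the `not ansible_check_mode` condition should go). The identical hunk is repeated in the evocheck, evolinux-base, generate-ldif, kibana, mysql, nagios-nrpe, varnish and webapps/evoadmin-web copies of remount_usr_rw.yml; nine copies would be easier to keep in sync as one shared task file.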
--- a/evolinux-base/tasks/remount_usr_rw.yml +++ b/evolinux-base/tasks/remount_usr_rw.yml @@ -10,6 +10,10 @@ - name: Remount /usr if it is a partition and it is not mounted in rw command: "mount -o remount,rw /usr" - when: mount.rc == 0 and not mount.stdout_lines.0 | search("rw") + when: + - not ansible_check_mode + - mount.rc == 0 + - not mount.stdout_lines.0 | search("rw") + check_mode: yes args: warn: no diff --git a/generate-ldif/tasks/remount_usr_rw.yml b/generate-ldif/tasks/remount_usr_rw.yml index 8c51aee2..60162607 100644 --- a/generate-ldif/tasks/remount_usr_rw.yml +++ b/generate-ldif/tasks/remount_usr_rw.yml @@ -10,6 +10,10 @@ - name: Remount /usr if it is a partition and it is not mounted in rw command: "mount -o remount,rw /usr" - when: mount.rc == 0 and not mount.stdout_lines.0 | search("rw") + when: + - not ansible_check_mode + - mount.rc == 0 + - not mount.stdout_lines.0 | search("rw") + check_mode: yes args: warn: no diff --git a/kibana/tasks/remount_usr_rw.yml b/kibana/tasks/remount_usr_rw.yml index 8c51aee2..60162607 100644 --- a/kibana/tasks/remount_usr_rw.yml +++ b/kibana/tasks/remount_usr_rw.yml @@ -10,6 +10,10 @@ - name: Remount /usr if it is a partition and it is not mounted in rw command: "mount -o remount,rw /usr" - when: mount.rc == 0 and not mount.stdout_lines.0 | search("rw") + when: + - not ansible_check_mode + - mount.rc == 0 + - not mount.stdout_lines.0 | search("rw") + check_mode: yes args: warn: no diff --git a/mysql/tasks/remount_usr_rw.yml b/mysql/tasks/remount_usr_rw.yml index 8c51aee2..60162607 100644 --- a/mysql/tasks/remount_usr_rw.yml +++ b/mysql/tasks/remount_usr_rw.yml @@ -10,6 +10,10 @@ - name: Remount /usr if it is a partition and it is not mounted in rw command: "mount -o remount,rw /usr" - when: mount.rc == 0 and not mount.stdout_lines.0 | search("rw") + when: + - not ansible_check_mode + - mount.rc == 0 + - not mount.stdout_lines.0 | search("rw") + check_mode: yes args: warn: no 
diff --git a/nagios-nrpe/tasks/remount_usr_rw.yml b/nagios-nrpe/tasks/remount_usr_rw.yml index 8c51aee2..60162607 100644 --- a/nagios-nrpe/tasks/remount_usr_rw.yml +++ b/nagios-nrpe/tasks/remount_usr_rw.yml @@ -10,6 +10,10 @@ - name: Remount /usr if it is a partition and it is not mounted in rw command: "mount -o remount,rw /usr" - when: mount.rc == 0 and not mount.stdout_lines.0 | search("rw") + when: + - not ansible_check_mode + - mount.rc == 0 + - not mount.stdout_lines.0 | search("rw") + check_mode: yes args: warn: no diff --git a/varnish/tasks/remount_usr_rw.yml b/varnish/tasks/remount_usr_rw.yml index 8c51aee2..60162607 100644 --- a/varnish/tasks/remount_usr_rw.yml +++ b/varnish/tasks/remount_usr_rw.yml @@ -10,6 +10,10 @@ - name: Remount /usr if it is a partition and it is not mounted in rw command: "mount -o remount,rw /usr" - when: mount.rc == 0 and not mount.stdout_lines.0 | search("rw") + when: + - not ansible_check_mode + - mount.rc == 0 + - not mount.stdout_lines.0 | search("rw") + check_mode: yes args: warn: no diff --git a/webapps/evoadmin-web/tasks/remount_usr_rw.yml b/webapps/evoadmin-web/tasks/remount_usr_rw.yml index 8c51aee2..60162607 100644 --- a/webapps/evoadmin-web/tasks/remount_usr_rw.yml +++ b/webapps/evoadmin-web/tasks/remount_usr_rw.yml @@ -10,6 +10,10 @@ - name: Remount /usr if it is a partition and it is not mounted in rw command: "mount -o remount,rw /usr" - when: mount.rc == 0 and not mount.stdout_lines.0 | search("rw") + when: + - not ansible_check_mode + - mount.rc == 0 + - not mount.stdout_lines.0 | search("rw") + check_mode: yes args: warn: no From 8518902ec925fe418491d379fb8f1bcc35bcdcd8 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 11 Oct 2017 17:58:03 +0200 Subject: [PATCH 096/266] Elasticsearch-head: no need to have a shell --- elasticsearch/tasks/plugin_head.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/elasticsearch/tasks/plugin_head.yml b/elasticsearch/tasks/plugin_head.yml index 4be19572..29b2f1f7 100644 --- a/elasticsearch/tasks/plugin_head.yml +++ b/elasticsearch/tasks/plugin_head.yml @@ -6,7 +6,7 @@ home: "{{ elasticsearch_plugin_head_home }}" createhome: yes system: yes - shell: /bin/bash + shell: /bin/false - block: - name: Head repository is checked-out From c77bc14e95d7bc283ff71ce49b54cccbea47562d Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 11 Oct 2017 17:58:42 +0200 Subject: [PATCH 097/266] Evolinux: don't remove root from AllowUsers list --- evolinux-base/tasks/root.yml | 18 ++++++++++-------- evolinux-users/tasks/root_disable_ssh.yml | 15 ++++++++------- 2 files changed, 18 insertions(+), 15 deletions(-) diff --git a/evolinux-base/tasks/root.yml b/evolinux-base/tasks/root.yml index 7e79b657..8fb2d113 100644 --- a/evolinux-base/tasks/root.yml +++ b/evolinux-base/tasks/root.yml @@ -85,16 +85,18 @@ dest: /etc/ssh/sshd_config regexp: '^PermitRootLogin (yes|without-password|prohibit-password)' replace: "PermitRootLogin no" - notify: reload sshd - when: evolinux_root_disable_ssh - -- name: remove root from AllowUsers directive - replace: - dest: /etc/ssh/sshd_config - regexp: '^(AllowUsers ((?!root(?:@\S+)?).)*)(\sroot(?:@\S+)?|root(?:@\S+)?\s)(.*)$' - replace: '\1\4' validate: '/usr/sbin/sshd -T -f %s' notify: reload sshd when: evolinux_root_disable_ssh +### Disabled : it seems useless and too dangerous for now +# - name: remove root from AllowUsers directive +# replace: +# dest: /etc/ssh/sshd_config +# regexp: '^(AllowUsers ((?!root(?:@\S+)?).)*)(\sroot(?:@\S+)?|root(?:@\S+)?\s)(.*)$' +# replace: '\1\4' +# validate: '/usr/sbin/sshd -T -f %s' +# notify: reload sshd +# when: evolinux_root_disable_ssh + - meta: flush_handlers diff --git a/evolinux-users/tasks/root_disable_ssh.yml b/evolinux-users/tasks/root_disable_ssh.yml index f7cd727b..b9fc5708 100644 --- a/evolinux-users/tasks/root_disable_ssh.yml 
+++ b/evolinux-users/tasks/root_disable_ssh.yml @@ -7,10 +7,11 @@ replace: "PermitRootLogin no" notify: reload sshd -- name: remove root from AllowUsers directive - replace: - dest: /etc/ssh/sshd_config - regexp: '^(AllowUsers ((?!root(?:@\S+)?).)*)(\sroot(?:@\S+)?|root(?:@\S+)?\s)(.*)$' - replace: '\1\4' - validate: '/usr/sbin/sshd -T -f %s' - notify: reload sshd +### Disabled : it seems useless and too dangerous for now +# - name: remove root from AllowUsers directive +# replace: +# dest: /etc/ssh/sshd_config +# regexp: '^(AllowUsers ((?!root(?:@\S+)?).)*)(\sroot(?:@\S+)?|root(?:@\S+)?\s)(.*)$' +# replace: '\1\4' +# validate: '/usr/sbin/sshd -T -f %s' +# notify: reload sshd From 9527aff68a97ce6cba62e4ed834c10f45f6d0ac8 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 11 Oct 2017 18:13:15 +0200 Subject: [PATCH 098/266] apache/nginx: remove compatibility mode --- apache/tasks/auth.yml | 6 ------ nginx/tasks/main_regular.yml | 26 -------------------------- 2 files changed, 32 deletions(-) diff --git a/apache/tasks/auth.yml b/apache/tasks/auth.yml index 4be44bea..dff100ce 100644 --- a/apache/tasks/auth.yml +++ b/apache/tasks/auth.yml @@ -1,11 +1,5 @@ --- -- name: "Rename private_ipaddr_whitelist if present" - command: "mv /etc/apache2/private_ipaddr_whitelist.conf /etc/apache2/ipaddr_whitelist.conf" - args: - removes: /etc/apache2/private_ipaddr_whitelist.conf - creates: /etc/apache2/ipaddr_whitelist.conf - - name: Init ipaddr_whitelist.conf file copy: src: ipaddr_whitelist.conf diff --git a/nginx/tasks/main_regular.yml b/nginx/tasks/main_regular.yml index bd25952f..f6563b76 100644 --- a/nginx/tasks/main_regular.yml +++ b/nginx/tasks/main_regular.yml 
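Review bot: The surviving `disable root login` task in this file still has no `validate: '/usr/sbin/sshd -T -f %s'`, whereas the parallel hunk in evolinux-base/tasks/root.yml adds one in this same commit; since the task notifies `reload sshd`, a malformed file would be reloaded unvalidated. Its regexp `'^PermitRootLogin (yes|without-password)'` also still lacks the `prohibit-password` alternative that patch 092 added to the evolinux-base copy, so the two roles now diverge in what they consider "root login enabled"; aligning both lines with the base version keeps the behaviour identical whichever role runs.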
@@ -37,32 +37,6 @@ tags: - nginx -### Compatibility : change private_ipaddr_whitelist to ipaddr_whitelist ######## - -- name: "Rename private_ipaddr_whitelist if present" - command: "mv /etc/nginx/snippets/private_ipaddr_whitelist /etc/nginx/snippets/ipaddr_whitelist" - args: - removes: /etc/nginx/snippets/private_ipaddr_whitelist - creates: /etc/nginx/snippets/ipaddr_whitelist - -- name: "search vhosts with private_ipaddr_whitelist" - command: "grep -lr private_ipaddr_whitelist /etc/nginx/sites-available/" - register: vhosts_with_private - changed_when: False - failed_when: False - check_mode: no - -- name: "change inclusion of ipaddr_whitelist in default vhost" - replace: - dest: /etc/nginx/sites-available/evolinux-default.conf - regexp: 'include /etc/nginx/snippets/private_ipaddr_whitelist;' - replace: 'include /etc/nginx/snippets/ipaddr_whitelist;' - notify: reload nginx - with_items: "{{ vhosts_with_private.stdout_lines }}" - when: vhosts_with_private.rc == 0 - -################################################################################ - # TODO: verify that those permissions are correct : # not too strict for ipaddr_whitelist # and not too loose for private_htpasswd From 2dbdfb6600b97f133bfd8e8fe0e8a68d89c50e1c Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 3 Oct 2017 09:50:53 +0200 Subject: [PATCH 099/266] evoacme: add error and debug function --- evoacme/files/evoacme.sh | 56 +++++++++++++++++++++++----------------- 1 file changed, 33 insertions(+), 23 deletions(-) diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index 56f3f0e5..a3ea6585 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh 
@@ -18,14 +18,24 @@ usage() { echo "" } +debug() { + [ "$CRON" = "NO" ] && echo "$1" +} + +error() { + echo "error: $1" >&2 + [ "$1" = "invalid argument(s)" ] && usage + exit 1 +} + mkconf_apache() { - echo "Apache detected... first configuration" + debug "Apache detected... first configuration" [ -f "/etc/apache2/ssl/${vhost}.conf" ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $CRT_DIR/${vhost}/live/fullchain.pem~" "/etc/apache2/ssl/${vhost}.conf" apache2ctl -t } mkconf_nginx() { - echo "Nginx detected... first configuration" + debug "Nginx detected... first configuration" [ -f "/etc/nginx/ssl/${vhost}.conf" ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $CRT_DIR/${vhost}/live/fullchain.pem;~" "/etc/nginx/ssl/${vhost}.conf" nginx -t } 
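Review bot: `debug()` returns the status of `[ "$CRON" = "NO" ] && echo "$1"`, which is 1 whenever CRON is not NO, and the third hunk of this commit chains on it: `... && debug "Cert ... thxbye." && exit 0` and `... && debug "Apache detected... reloading" && systemctl reload apache2`. In cron mode the early `exit 0` is therefore skipped, so a still-valid certificate is re-requested on every run, and the web-server reload after renewal never happens; the previous `( ... || true )` form avoided this. Make the helper always succeed, e.g. `debug() { if [ "$CRON" = "NO" ]; then echo "$1"; fi; }`. Since the script runs with `set -e`, a standalone `debug` call would otherwise also abort the whole script in cron mode.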
@@ -43,22 +53,22 @@ main() { # misc verifications [ "$1" = "-h" ] || [ "$1" = "--help" ] && usage && exit 0 - which openssl >/dev/null || ( echo "error: openssl command not installed" && exit 1 ) - which certbot >/dev/null || ( echo "error: certbot command not installed" && exit 1 ) - [ ! -d $ACME_DIR ] && echo "error: $ACME_DIR is not a directory" && exit 1 - [ ! -d $CSR_DIR ] && echo "error: $CSR_DIR is not a directory" && exit 1 - [ ! -d $LOG_DIR ] && echo "error: $LOG_DIR is not a directory" && exit 1 - [ "$#" -ge 3 ] || [ "$#" -le 0 ] && echo "error: invalid argument(s)" && usage && exit 1 - [ "$#" -eq 2 ] && [ "$1" != "--cron" ] && echo "error: invalid argument(s)" && usage && exit 1 + which openssl >/dev/null || error "openssl command not installed" + which certbot >/dev/null || error "certbot command not installed" + [ ! -d $ACME_DIR ] && error "$ACME_DIR is not a directory" + [ ! -d $CSR_DIR ] && error "$CSR_DIR is not a directory" + [ ! -d $LOG_DIR ] && error "$LOG_DIR is not a directory" + [ "$#" -ge 3 ] || [ "$#" -le 0 ] && error "invalid argument(s)" + [ "$#" -eq 2 ] && [ "$1" != "--cron" ] && error "invalid argument(s)" [ "$#" -eq 1 ] && vhost=$(basename "$1" .conf) && CRON=NO [ "$#" -eq 2 ] && vhost=$(basename "$2" .conf) && CRON=YES # verify .csr file - test ! -f "$CSR_DIR/${vhost}.csr" && echo "error: $CSR_DIR/${vhost}.csr absent" && exit 1 - test ! -r "$CSR_DIR/${vhost}.csr" && echo "error: $CSR_DIR/${vhost}.csr is not readable" && exit 1 - openssl req -noout -modulus -in "$CSR_DIR/${vhost}.csr" >/dev/null || ( echo "error: $CSR_DIR/${vhost}.csr is invalid" && exit 1 ) - [ "$CRON" = "NO" ] && echo "Using CSR file: $CSR_DIR/${vhost}.csr" + [ ! -f "$CSR_DIR/${vhost}.csr" ] && error "$CSR_DIR/${vhost}.csr absent" + [ ! 
-r "$CSR_DIR/${vhost}.csr" ] && error "$C´SR_DIR/${vhost}.csr is not readable" + openssl req -noout -modulus -in "$CSR_DIR/${vhost}.csr" >/dev/null || error "$CSR_DIR/${vhost}.csr is invalid" + debug "Using CSR file: $CSR_DIR/${vhost}.csr" # Hook for evoadmin-web in cluster mode : check master status if [ -f "/home/${vhost}/state" ]; then 
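Review bot: The new readability check has a typo in its message: `error "$C´SR_DIR/${vhost}.csr is not readable"` expands `$C` (normally empty) followed by a literal `´SR_DIR`, so the operator sees a garbled path, and once `set -u` is enabled it becomes a hard failure. It should read `error "$CSR_DIR/${vhost}.csr is not readable"`. The directory tests in the same hunk (`[ ! -d $ACME_DIR ]` and friends) also leave the variable unquoted; `"$ACME_DIR"` keeps the test well-formed if a value is empty.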
@@ -72,43 +82,43 @@ main() { fi DATE=$(date "+%Y%m%d") - [ ! -n "$DATE" ] && echo "error: invalid date" && exit 1 + [ ! -n "$DATE" ] && error "invalid date" # If live link already exists, it's not our first time... if [ -h "$CRT_DIR/${vhost}/live" ]; then - openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/live/cert.crt" >/dev/null || ( echo "error: $CRT_DIR/${vhost}/live/cert.crt is invalid" && exit 1 ) + openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/live/cert.crt" >/dev/null || error "$CRT_DIR/${vhost}/live/cert.crt is invalid" # Verify if our certificate will expire crt_end_date=$(openssl x509 -noout -enddate -in "$CRT_DIR/${vhost}/live/cert.crt" | cut -d= -f2) date_renew=$(date -ud "$crt_end_date - $SSL_MINDAY days" +"%s") date_today=$(date +'%s') - [ "$date_today" -lt "$date_renew" ] && ( [ "$CRON" = "NO" ] && echo "Cert $CRT_DIR/${vhost}/live/cert.crt expires at $crt_end_date => more than $SSL_MINDAY days: thxbye." || true ) && exit 0 + [ "$date_today" -lt "$date_renew" ] && debug "Cert $CRT_DIR/${vhost}/live/cert.crt expires at $crt_end_date => more than $SSL_MINDAY days: thxbye." && exit 0 else which apache2ctl >/dev/null && mkconf_apache which nginx >/dev/null && mkconf_nginx fi # renew certificate with certbot - [ -d "$CRT_DIR/${vhost}/${DATE}" ] && echo "error: $CRT_DIR/${vhost}/${DATE} directory already exists, remove it manually." && exit 1 + [ -d "$CRT_DIR/${vhost}/${DATE}" ] && error "$CRT_DIR/${vhost}/${DATE} directory already exists, remove it manually." 
mkdir -pm 755 "$CRT_DIR/${vhost}/${DATE}" chown -R acme: "$CRT_DIR/${vhost}/${DATE}" [ "$CRON" = "YES" ] && CERTBOT_OPTS="--quiet" sudo -u acme certbot certonly $CERTBOT_OPTS --webroot --csr "$CSR_DIR/${vhost}.csr" --webroot-path "$ACME_DIR" -n --agree-tos --cert-path="$CRT_DIR/${vhost}/${DATE}/cert.crt" --fullchain-path="$CRT_DIR/${vhost}/${DATE}/fullchain.pem" --chain-path="$CRT_DIR/${vhost}/${DATE}/chain.pem" "$emailopt" --logs-dir "$LOG_DIR" 2>&1 | grep -v "certbot.crypto_util" # verify if all is right - openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/${DATE}/cert.crt" >/dev/null || ( echo "error: new $CRT_DIR/${vhost}/${DATE}/cert.crt is invalid" && exit 1 ) - openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/${DATE}/fullchain.pem" >/dev/null || ( echo "error: new $CRT_DIR/${vhost}/${DATE}/fullchain.pem is invalid" && exit 1 ) - openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/${DATE}/chain.pem" >/dev/null || ( echo "error: new $CRT_DIR/${vhost}/${DATE}/chain.pem is invalid" && exit 1 ) + openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/${DATE}/cert.crt" >/dev/null || error "new $CRT_DIR/${vhost}/${DATE}/cert.crt is invalid" + openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/${DATE}/fullchain.pem" >/dev/null || error "new $CRT_DIR/${vhost}/${DATE}/fullchain.pem is invalid" + openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/${DATE}/chain.pem" >/dev/null || error "new $CRT_DIR/${vhost}/${DATE}/chain.pem is invalid" # link dance [ -h "$CRT_DIR/${vhost}/live" ] && rm "$CRT_DIR/${vhost}/live" ln -s "$CRT_DIR/${vhost}/${DATE}" "$CRT_DIR/${vhost}/live" - openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/live/cert.crt" >/dev/null || ( echo "error: new $CRT_DIR/{vhost}/live/cert.crt is invalid" && exit 1 ) + openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/live/cert.crt" >/dev/null || error "new $CRT_DIR/{vhost}/live/cert.crt is invalid" # reload apache or nginx (TODO: need improvments) - pidof apache2 >/dev/null && apache2ctl -t 2>/dev/null && ( 
[ "$CRON" = "NO" ] && echo "Apache detected... reloading" || true ) && systemctl reload apache2 - pidof nginx >/dev/null && nginx -t 2>/dev/null && ( [ "$CRON" = "NO" ] && echo "Nginx detected... reloading" || true ) && systemctl reload apache2 + pidof apache2 >/dev/null && apache2ctl -t 2>/dev/null && debug "Apache detected... reloading" && systemctl reload apache2 + pidof nginx >/dev/null && nginx -t 2>/dev/null && debug "Nginx detected... reloading" && systemctl reload apache2 } From 1c244f556bc22edc362bfbbb4c9482dec259a38f Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 3 Oct 2017 10:44:20 +0200 Subject: [PATCH 100/266] evoacme: better apache/nginx reload --- evoacme/files/evoacme.sh | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index a3ea6585..4d8fa6fd 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -116,10 +116,26 @@ main() { ln -s "$CRT_DIR/${vhost}/${DATE}" "$CRT_DIR/${vhost}/live" openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/live/cert.crt" >/dev/null || error "new $CRT_DIR/{vhost}/live/cert.crt is invalid" - # reload apache or nginx (TODO: need improvments) - pidof apache2 >/dev/null && apache2ctl -t 2>/dev/null && debug "Apache detected... reloading" && systemctl reload apache2 - pidof nginx >/dev/null && nginx -t 2>/dev/null && debug "Nginx detected... reloading" && systemctl reload apache2 - + # reload apache or nginx + set +e + pidof apache2 >/dev/null + if [ "$?" -eq 0 ]; then + apache2ctl -t 2>/dev/null + if [ "$?" -eq 0 ]; then + debug "Apache detected... reloading" && service apache2 reload + else + error "Apache config is broken, you must fix it !" + fi + fi + pidof nginx >/dev/null + if [ "$?" -eq 0 ]; then + nginx -t 2>/dev/null + if [ "$?" -eq 0 ]; then + debug "Nginx detected... reloading" && service nginx reload + else + error "Nginx config is broken, you must fix it !" + fi + fi } main "$@" 
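Review bot: `debug "Apache detected... reloading" && service apache2 reload` only reloads when `debug` returns 0, and `debug` (defined above this hunk) returns the status of its `[ "$CRON" = "NO" ]` test, so in cron mode the new certificate is linked live but Apache is never reloaded; the nginx branch below has the same shape. Put `service apache2 reload` on its own line after the debug call, or make debug always return 0. Discarding the checker output with `apache2ctl -t 2>/dev/null` and `nginx -t 2>/dev/null` also hides the very diagnostic that `"... config is broken, you must fix it !"` asks the operator to act on; consider letting stderr through when not in cron mode.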
From 1091dfeeed8e758e840ce73af746833a0dcb7528 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Wed, 11 Oct 2017 22:17:52 +0200 Subject: [PATCH 101/266] evolinux-users: Handle "PermitRootLogin prohibit-password" --- evolinux-users/tasks/root_disable_ssh.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evolinux-users/tasks/root_disable_ssh.yml b/evolinux-users/tasks/root_disable_ssh.yml index b9fc5708..7906307f 100644 --- a/evolinux-users/tasks/root_disable_ssh.yml +++ b/evolinux-users/tasks/root_disable_ssh.yml @@ -3,7 +3,7 @@ - name: disable root login replace: dest: /etc/ssh/sshd_config - regexp: '^PermitRootLogin (yes|without-password)' + regexp: '^PermitRootLogin (yes|without-password|prohibit-password)' replace: "PermitRootLogin no" notify: reload sshd From 0d0c21f9085a2ff56bee02e1077153104a80f97a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Thu, 12 Oct 2017 00:29:21 +0200 Subject: [PATCH 102/266] Evoacme: refactoring * add a lot of variables, to reduce possible typos * add a lot of debug statements * add many comments and line breaks for readability * extract functions for complex openssl commands * explode the big certbot command into multiple lines * allow certbot to make test certs (for API query limits) * allow certbot to run in "dry run" mode * regroup some lines together when they do related things --- evoacme/files/evoacme.sh | 219 ++++++++++++++++++++++++++++----------- 1 file changed, 160 insertions(+), 59 deletions(-) diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index 4d8fa6fd..1b2c060d 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh 
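Review bot: The widened alternation still does not cover `forced-commands-only`, a value sshd accepts for `PermitRootLogin`, and the anchor `^PermitRootLogin` skips a commented default such as `#PermitRootLogin prohibit-password`, so in both situations the `replace` leaves root login at whatever sshd currently applies. A `lineinfile` task with `regexp: '^#?PermitRootLogin\b'` and `line: 'PermitRootLogin no'` covers every existing value and inserts the directive when it is missing; keep `notify: reload sshd` and add `validate: '/usr/sbin/sshd -T -f %s'` so a broken rewrite is never reloaded.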
@@ -28,16 +28,36 @@ error() { exit 1 } -mkconf_apache() { - debug "Apache detected... first configuration" - [ -f "/etc/apache2/ssl/${vhost}.conf" ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $CRT_DIR/${vhost}/live/fullchain.pem~" "/etc/apache2/ssl/${vhost}.conf" - apache2ctl -t +change_cert_path_for_apache() { + vhost=$1 + vhost_full_path="/etc/apache2/ssl/${vhost}.conf" + cert_path=$2 + + debug "Apache detected... first configuration in ${vhost_full_path}" + [ -f "${vhost_full_path}" ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile ${cert_path}~" "${vhost_full_path}" + ${APACHE2CTL_BIN} -t } -mkconf_nginx() { - debug "Nginx detected... first configuration" - [ -f "/etc/nginx/ssl/${vhost}.conf" ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $CRT_DIR/${vhost}/live/fullchain.pem;~" "/etc/nginx/ssl/${vhost}.conf" - nginx -t +change_cert_path_for_nginx() { + vhost=$1 + vhost_full_path="/etc/nginx/ssl/${vhost}.conf" + cert_path=$2 + + debug "Nginx detected... first configuration in ${vhost_full_path}" + [ -f "${vhost_full_path}" ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate ${cert_path};~" "${vhost_full_path}" + ${NGINX_BIN} -t +} + +x509_verify() { + file=$1 + + ${OPENSSL_BIN} x509 -noout -modulus -in "${file}" >/dev/null +} + +x509_enddate() { + file=$1 + + ${OPENSSL_BIN} x509 -noout -enddate -in "${file}" } main() { 
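Review bot: `debug "Apache detected... first configuration in ${vhost_full_path}"` and its nginx twin are now standalone statements, and the script runs under `set -e` while `debug` (defined just above this hunk) returns 1 whenever CRON is not NO; in cron mode the first such call aborts the script. The same pattern recurs throughout the second hunk of this commit (`debug "Using CSR file: ..."`, `debug "New cert will be created in ..."`). Fix it at the source by making the helper always succeed, `debug() { if [ "$CRON" = "NO" ]; then echo "$1"; fi; }`, rather than appending `|| true` at every call site.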
@@ -51,87 +71,168 @@ main() { [ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR=/etc/ssl/self-signed [ -z "${DH_DIR}" ] && DH_DIR=etc/ssl/dhparam - # misc verifications [ "$1" = "-h" ] || [ "$1" = "--help" ] && usage && exit 0 - which openssl >/dev/null || error "openssl command not installed" - which certbot >/dev/null || error "certbot command not installed" - [ ! -d $ACME_DIR ] && error "$ACME_DIR is not a directory" - [ ! -d $CSR_DIR ] && error "$CSR_DIR is not a directory" - [ ! -d $LOG_DIR ] && error "$LOG_DIR is not a directory" + # check arguments [ "$#" -ge 3 ] || [ "$#" -le 0 ] && error "invalid argument(s)" [ "$#" -eq 2 ] && [ "$1" != "--cron" ] && error "invalid argument(s)" - [ "$#" -eq 1 ] && vhost=$(basename "$1" .conf) && CRON=NO - [ "$#" -eq 2 ] && vhost=$(basename "$2" .conf) && CRON=YES + [ "$#" -eq 1 ] && VHOST=$(basename "$1" .conf) && CRON=NO + [ "$#" -eq 2 ] && VHOST=$(basename "$2" .conf) && CRON=YES + + # check for important programs + OPENSSL_BIN=$(command -v openssl) + if [ "$?" -eq 0 ]; then + error "openssl command not installed" + fi + CERTBOT_BIN=$(command -v certbot) + if [ "$?" -eq 0 ]; then + error "certbot command not installed" + fi + + APACHE2CTL_BIN=$(command -v apache2ctl) + NGINX_BIN=$(command -v nginx) + + # double check for directories + [ ! -d "${ACME_DIR}" ] && error "${ACME_DIR} is not a directory" + [ ! -d "${CSR_DIR}" ] && error "${CSR_DIR} is not a directory" + [ ! -d "${LOG_DIR} "] && error "${LOG_DIR} is not a directory" + + #### CSR VALIDATION # verify .csr file - [ ! -f "$CSR_DIR/${vhost}.csr" ] && error "$CSR_DIR/${vhost}.csr absent" - [ ! -r "$CSR_DIR/${vhost}.csr" ] && error "$C´SR_DIR/${vhost}.csr is not readable" - openssl req -noout -modulus -in "$CSR_DIR/${vhost}.csr" >/dev/null || error "$CSR_DIR/${vhost}.csr is invalid" - debug "Using CSR file: $CSR_DIR/${vhost}.csr" + CSR_FILE="${CSR_DIR}/${VHOST}.csr" + debug "Using CSR file: ${CSR_FILE}" + [ ! -f "${CSR_FILE}" ] && error "${CSR_FILE} absent" + [ ! 
-r "${CSR_FILE}" ] && error "${CSR_FILE} is not readable" + + x509_verify "${CSR_FILE}" || error "${CSR_FILE} is invalid" # Hook for evoadmin-web in cluster mode : check master status - if [ -f "/home/${vhost}/state" ]; then - grep -q "STATE=master" "/home/${vhost}/state" || exit 0 + evoadmin_state_file="/home/${VHOST}/state" + if [ -f "${evoadmin_state_file}" ]; then + grep -q "STATE=master" "${evoadmin_state_file}" + if [ "$?" != 0 ]; then + debug "We are not the master of this evoadmin cluster. Quit!" + exit 0 + fi fi - if [ -n "$SSL_EMAIL" ]; then - emailopt="-m $SSL_EMAIL" - else - emailopt="--register-unsafely-without-email" - fi + #### INIT OR RENEW? - DATE=$(date "+%Y%m%d") - [ ! -n "$DATE" ] && error "invalid date" + LIVE_DIR="${CRT_DIR}/${VHOST}/live" + LIVE_CERT="${LIVE_DIR}/cert.crt" + LIVE_FULLCHAIN="${LIVE_DIR}/fullchain.pem" + LIVE_CHAIN="${LIVE_DIR}/chain.pem" - - # If live link already exists, it's not our first time... - if [ -h "$CRT_DIR/${vhost}/live" ]; then - openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/live/cert.crt" >/dev/null || error "$CRT_DIR/${vhost}/live/cert.crt is invalid" + # If live symlink already exists, it's not our first time... + if [ -h "${LIVE_DIR}" ]; then + # we have a live symlink + # let's see if there is a cert to renew + x509_verify "${LIVE_CERT}" || error "${LIVE_CERT} is invalid" # Verify if our certificate will expire - crt_end_date=$(openssl x509 -noout -enddate -in "$CRT_DIR/${vhost}/live/cert.crt" | cut -d= -f2) - date_renew=$(date -ud "$crt_end_date - $SSL_MINDAY days" +"%s") + crt_end_date=$(x509_enddate "${LIVE_CERT}" | cut -d= -f2) + date_renew=$(date -ud "${crt_end_date} - ${SSL_MINDAY} days" +"%s") date_today=$(date +'%s') - [ "$date_today" -lt "$date_renew" ] && debug "Cert $CRT_DIR/${vhost}/live/cert.crt expires at $crt_end_date => more than $SSL_MINDAY days: thxbye." 
&& exit 0 + if [ "${date_today}" -lt "${date_renew}" ]; then + debug "Cert ${LIVE_CERT} expires at ${crt_end_date} => more than ${SSL_MINDAY} days: kthxbye." + exit 0 + fi else - which apache2ctl >/dev/null && mkconf_apache - which nginx >/dev/null && mkconf_nginx + # We don't have a live symlink yet + # Let's start from scratch and configure our web server(s) + if [ -n "${APACHE2CTL_BIN}" ]; then + change_cert_path_for_apache "${VHOST}" "${LIVE_FULLCHAIN}" + fi + if [ -n "${NGINX_BIN}" ]; then + change_cert_path_for_nginx "${VHOST}" "${LIVE_FULLCHAIN}" + fi fi - # renew certificate with certbot - [ -d "$CRT_DIR/${vhost}/${DATE}" ] && error "$CRT_DIR/${vhost}/${DATE} directory already exists, remove it manually." - mkdir -pm 755 "$CRT_DIR/${vhost}/${DATE}" - chown -R acme: "$CRT_DIR/${vhost}/${DATE}" - [ "$CRON" = "YES" ] && CERTBOT_OPTS="--quiet" - sudo -u acme certbot certonly $CERTBOT_OPTS --webroot --csr "$CSR_DIR/${vhost}.csr" --webroot-path "$ACME_DIR" -n --agree-tos --cert-path="$CRT_DIR/${vhost}/${DATE}/cert.crt" --fullchain-path="$CRT_DIR/${vhost}/${DATE}/fullchain.pem" --chain-path="$CRT_DIR/${vhost}/${DATE}/chain.pem" "$emailopt" --logs-dir "$LOG_DIR" 2>&1 | grep -v "certbot.crypto_util" + #### CERTIFICATE CREATION WITH CERTBOT + + ITERATION=$(date "+%Y%m%d") + [ -z "${ITERATION}" ] && error "invalid iteration (${ITERATION})" + + NEW_DIR="${CRT_DIR}/${VHOST}/${ITERATION}" + + [ -d "${NEW_DIR}" ] && error "${NEW_DIR} directory already exists, remove it manually." 
+ mkdir -pm 755 "${NEW_DIR}" + chown -R acme: "${NEW_DIR}" + debug "New cert will be created in ${NEW_DIR}" + + NEW_CERT="${NEW_DIR}/cert.crt" + NEW_FULLCHAIN="${NEW_DIR}/fullchain.pem" + NEW_CHAIN="${NEW_DIR}/chain.pem" + + CERTBOT_MODE="" + [ "$TEST" = "YES" ] && CERTBOT_MODE="${CERTBOT_MODE} --test-cert" + [ "$CRON" = "YES" ] && CERTBOT_MODE="${CERTBOT_MODE} --quiet" + [ "$DRY_RUN" = "YES" ] && CERTBOT_MODE="${CERTBOT_MODE} --dry-run" + + CERTBOT_REGISTRATION="--agree-tos" + if [ -n "${SSL_EMAIL}" ]; then + debug "Registering at certbot with ${SSL_EMAIL} as email" + CERTBOT_REGISTRATION="${CERTBOT_REGISTRATION} -m ${SSL_EMAIL}" + else + debug "Registering at certbot without email" + CERTBOT_REGISTRATION="${CERTBOT_REGISTRATION} --register-unsafely-without-email" + fi + + # create a certificate with certbot + sudo -u acme ${CERTBOT_BIN} \ + certonly \ + ${CERTBOT_MODE} \ + ${CERTBOT_REGISTRATION} \ + --non-interactive \ + --webroot \ + --csr "${CSR_FILE}" \ + --webroot-path "${ACME_DIR}" \ + --cert-path "${NEW_CERT}" \ + --fullchain-path "${NEW_FULLCHAIN}" \ + --chain-path "${NEW_CHAIN}" \ + --logs-dir "$LOG_DIR" \ + 2>&1 \ + | grep -v "certbot.crypto_util" # verify if all is right - openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/${DATE}/cert.crt" >/dev/null || error "new $CRT_DIR/${vhost}/${DATE}/cert.crt is invalid" - openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/${DATE}/fullchain.pem" >/dev/null || error "new $CRT_DIR/${vhost}/${DATE}/fullchain.pem is invalid" - openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/${DATE}/chain.pem" >/dev/null || error "new $CRT_DIR/${vhost}/${DATE}/chain.pem is invalid" + x509_verify "${NEW_CERT}" || error "${NEW_CERT} is invalid" + x509_verify "${NEW_FULLCHAIN}" || error "${NEW_FULLCHAIN} is invalid" + x509_verify "${NEW_CHAIN}" || error "${NEW_CHAIN} is invalid" + + #### CERTIFICATE ACTIVATION # link dance - [ -h "$CRT_DIR/${vhost}/live" ] && rm "$CRT_DIR/${vhost}/live" - ln -s "$CRT_DIR/${vhost}/${DATE}" 
"$CRT_DIR/${vhost}/live" - openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/live/cert.crt" >/dev/null || error "new $CRT_DIR/{vhost}/live/cert.crt is invalid" + if [ -h "${LIVE_DIR}" ]; then + rm "${LIVE_DIR}" + debug "Remove ${LIVE_DIR} link" + fi + ln -s "${NEW_DIR}" "${LIVE_DIR}" + debug "Link ${NEW_DIR} to ${LIVE_DIR}" + # verify final path + x509_verify "${LIVE_CERT}" || error "${LIVE_CERT} is invalid" - # reload apache or nginx + # disable error catching + # below this point anything can break set +e - pidof apache2 >/dev/null - if [ "$?" -eq 0 ]; then - apache2ctl -t 2>/dev/null + + # reload apache if present + if [ -n "$(pidof apache2)" ]; then + ${APACHE2CTL_BIN} -t 2>/dev/null if [ "$?" -eq 0 ]; then - debug "Apache detected... reloading" && service apache2 reload + debug "Apache detected... reloading" + service apache2 reload else error "Apache config is broken, you must fix it !" fi fi - pidof nginx >/dev/null - if [ "$?" -eq 0 ]; then - nginx -t 2>/dev/null + + # reload nginx if present + if [ -n "$(pidof nginx)" ]; then + ${NGINX_BIN} -t 2>/dev/null if [ "$?" -eq 0 ]; then - debug "Nginx detected... reloading" && service nginx reload + debug "Nginx detected... reloading" + service nginx reload else error "Nginx config is broken, you must fix it !" fi From 5e9795435bd09af7acd7755a38eeb5685da547b3 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Thu, 12 Oct 2017 15:38:07 +0200 Subject: [PATCH 103/266] nginx: fix ip filtering in default vhost --- nginx/templates/evolinux-default.conf.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/nginx/templates/evolinux-default.conf.j2 b/nginx/templates/evolinux-default.conf.j2 index 2ec13fd8..cc2d7f46 100644 --- a/nginx/templates/evolinux-default.conf.j2 +++ b/nginx/templates/evolinux-default.conf.j2 @@ -24,7 +24,6 @@ server { # Auth. include /etc/nginx/snippets/ipaddr_whitelist; - deny all; auth_basic "Reserved {{ ansible_fqdn }}"; auth_basic_user_file /etc/nginx/snippets/private_htpasswd; satisfy any; 
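Review bot: The new program checks are inverted: `OPENSSL_BIN=$(command -v openssl)` followed by `if [ "$?" -eq 0 ]; then error "openssl command not installed"` exits precisely when openssl is found, and the certbot check does the same, so the script cannot get past this point on a correctly provisioned host. Write `OPENSSL_BIN=$(command -v openssl) || error "openssl command not installed"` and likewise for certbot. Further down, `x509_verify "${CSR_FILE}"` runs `openssl x509` on a certificate request, which the replaced `openssl req -noout -modulus` handled; a CSR is not an X.509 certificate, so this check rejects every valid CSR. The directory test `[ ! -d "${LOG_DIR} "]` has the closing bracket inside the quoted word, so `[` reports a missing `]` and the check never fires.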
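Review bot: Removing `deny all;` makes the IP filter depend entirely on what `/etc/nginx/snippets/ipaddr_whitelist` contains; with `satisfy any;` below, if that snippet does not end with its own `deny all;`, nginx's access module allows every client that matches no rule and `auth_basic` is never required, exposing the default vhost. Please confirm the snippet carries the final `deny all;` (presumably the duplicate the commit title refers to) and record the dependency next to the include: `# ipaddr_whitelist must end with "deny all;" — satisfy any relies on it`.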
From 3c61484448b23125570feaa1edd5f47d27147c62 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 12 Oct 2017 18:19:09 +0200 Subject: [PATCH 104/266] evoacme: don't allow uninitialized variables --- evoacme/files/evoacme.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index 1b2c060d..49947b33 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -8,6 +8,7 @@ # set -e +set -u usage() { echo "Usage: $0 [ --cron ] NAME" From 118a9759af73f936294440614d7f06d3040c3c3d Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 12 Oct 2017 18:19:53 +0200 Subject: [PATCH 105/266] evoacme: change function name to be more specific --- evoacme/files/evoacme.sh | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index 49947b33..35593bb9 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -29,7 +29,7 @@ error() { exit 1 } -change_cert_path_for_apache() { +sed_cert_path_for_apache() { vhost=$1 vhost_full_path="/etc/apache2/ssl/${vhost}.conf" cert_path=$2 @@ -39,7 +39,7 @@ change_cert_path_for_apache() { ${APACHE2CTL_BIN} -t } -change_cert_path_for_nginx() { +sed_cert_path_for_nginx() { vhost=$1 vhost_full_path="/etc/nginx/ssl/${vhost}.conf" cert_path=$2 @@ -142,12 +142,8 @@ main() { else # We don't have a live symlink yet # Let's start from scratch and configure our web server(s) - if [ -n "${APACHE2CTL_BIN}" ]; then - change_cert_path_for_apache "${VHOST}" "${LIVE_FULLCHAIN}" - fi - if [ -n "${NGINX_BIN}" ]; then - change_cert_path_for_nginx "${VHOST}" "${LIVE_FULLCHAIN}" - fi + command -v apache2ctl && sed_cert_path_for_apache "${VHOST}" "${LIVE_FULLCHAIN}" + command -v nginx && sed_cert_path_for_nginx "${VHOST}" "${LIVE_FULLCHAIN}" fi #### CERTIFICATE CREATION WITH CERTBOT From 30434a70d863474c8b0f771e01297720029a86c6 Mon Sep 17 00:00:00 2001 
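Review bot: With `set -u`, the first argument test in `main()` — `[ "$1" = "-h" ] || [ "$1" = "--help" ]` — runs before the argument-count check, so calling the script with no arguments now aborts with the shell's "parameter not set" error instead of printing usage. Use `"${1:-}"` in that test, or move the `[ "$#" ... ] && error "invalid argument(s)"` check ahead of it. Variables that are only set from `/etc/default/evoacme` or the environment (`SSL_EMAIL`, `TEST`, `DRY_RUN`, `CRON`) need explicit defaults for the same reason; `main()` lies outside this hunk.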
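Review bot: `command -v apache2ctl && sed_cert_path_for_apache ...` prints the resolved path to stdout, which is exactly the noise cron mode is meant to avoid, and it re-probes PATH although `APACHE2CTL_BIN` and `NGINX_BIN` were already computed earlier in `main()`. Either redirect it, `command -v apache2ctl >/dev/null && sed_cert_path_for_apache "${VHOST}" "${LIVE_FULLCHAIN}"`, or keep the previous `[ -n "${APACHE2CTL_BIN}" ]` form. The helpers themselves still run `${APACHE2CTL_BIN} -t`, so the two probes should agree on one source of truth.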
From: Jeremy Lecour Date: Thu, 12 Oct 2017 18:20:49 +0200 Subject: [PATCH 106/266] evoacme: csr verification is a different function call --- evoacme/files/evoacme.sh | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index 35593bb9..a72408ab 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -50,15 +50,13 @@ sed_cert_path_for_nginx() { } x509_verify() { - file=$1 - - ${OPENSSL_BIN} x509 -noout -modulus -in "${file}" >/dev/null + ${OPENSSL_BIN} x509 -noout -modulus -in "$1" >/dev/null +} +csr_verify() { + ${OPENSSL_BIN} req -noout -modulus -in "$1" >/dev/null } - x509_enddate() { - file=$1 - - ${OPENSSL_BIN} x509 -noout -enddate -in "${file}" + ${OPENSSL_BIN} x509 -noout -enddate -in "$1" } main() { @@ -106,7 +104,7 @@ main() { [ ! -f "${CSR_FILE}" ] && error "${CSR_FILE} absent" [ ! -r "${CSR_FILE}" ] && error "${CSR_FILE} is not readable" - x509_verify "${CSR_FILE}" || error "${CSR_FILE} is invalid" + csr_verify "${CSR_FILE}" || error "${CSR_FILE} is invalid" # Hook for evoadmin-web in cluster mode : check master status evoadmin_state_file="/home/${VHOST}/state" From 65ccc2c0b5677a9b778be225a4a4b64bb2d0725a Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 12 Oct 2017 18:22:06 +0200 Subject: [PATCH 107/266] evoacme: use env variables for execution modes --- evoacme/files/evoacme.sh | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index a72408ab..f9b99c97 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh 
@@ -11,16 +11,20 @@ set -e set -u usage() { - echo "Usage: $0 [ --cron ] NAME" + echo "Usage: $0 NAME" echo "" echo "NAME must be correspond to :" echo "- a CSR in ${CSR_DIR}/NAME.csr" echo "- a KEY in ${SSL_KEY_DIR}/NAME.key" echo "" + echo "If env variable TEST=1, certbot is run in staging mode" + echo "If env variable DRY_RUN=1, certbot is run in dry-run mode" + echo "If env variable CRON=1, no message is output" + echo "" } debug() { - [ "$CRON" = "NO" ] && echo "$1" + [ "${CRON}" = "0" ] && echo "$1" } error() { @@ -70,6 +74,10 @@ main() { [ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR=/etc/ssl/self-signed [ -z "${DH_DIR}" ] && DH_DIR=etc/ssl/dhparam + CRON=${CRON:-"0"} + TEST=${TEST:-"0"} + DRY_RUN=${DRY_RUN:-"0"} + [ "$1" = "-h" ] || [ "$1" = "--help" ] && usage && exit 0 # check arguments [ "$#" -ge 3 ] || [ "$#" -le 0 ] && error "invalid argument(s)" @@ -161,9 +169,9 @@ main() { NEW_CHAIN="${NEW_DIR}/chain.pem" CERTBOT_MODE="" - [ "$TEST" = "YES" ] && CERTBOT_MODE="${CERTBOT_MODE} --test-cert" - [ "$CRON" = "YES" ] && CERTBOT_MODE="${CERTBOT_MODE} --quiet" - [ "$DRY_RUN" = "YES" ] && CERTBOT_MODE="${CERTBOT_MODE} --dry-run" + [ "${TEST}" = "1" ] && CERTBOT_MODE="${CERTBOT_MODE} --test-cert" + [ "${CRON}" = "1" ] && CERTBOT_MODE="${CERTBOT_MODE} --quiet" + [ "${DRY_RUN}" = "1" ] && CERTBOT_MODE="${CERTBOT_MODE} --dry-run" CERTBOT_REGISTRATION="--agree-tos" if [ -n "${SSL_EMAIL}" ]; then From 9fccd7e682de0e09d9fbd5bad974060823dd0c94 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 12 Oct 2017 18:22:43 +0200 Subject: [PATCH 108/266] evoacme: improve variables --- evoacme/files/evoacme.sh | 86 +++++++++++++++++----------------------- 1 file changed, 37 insertions(+), 49 deletions(-) diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index f9b99c97..41109a76 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh 
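Review bot: The new `CRON=${CRON:-"0"}` default and the `[ "${CRON}" = "0" ]` test in `debug()` appear to be undercut by the lines just after the `# check arguments` block (outside this hunk, visible in the earlier refactoring), which still set `CRON=NO` or `CRON=YES` from the argument count; with a single argument CRON becomes `NO`, so `debug` is silent, `--quiet` is never added, and `--cron` is still accepted although usage no longer documents it. Remove those assignments and the `[ "$#" -eq 2 ] ... "--cron"` branch so the environment variable is the only source. While touching usage, `echo "NAME must be correspond to :"` should read `echo "NAME must correspond to:"`.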
@@ -40,7 +40,7 @@ sed_cert_path_for_apache() { debug "Apache detected... first configuration in ${vhost_full_path}" [ -f "${vhost_full_path}" ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile ${cert_path}~" "${vhost_full_path}" - ${APACHE2CTL_BIN} -t + $(command -v apache2ctl) -t } sed_cert_path_for_nginx() { @@ -50,7 +50,7 @@ sed_cert_path_for_nginx() { debug "Nginx detected... first configuration in ${vhost_full_path}" [ -f "${vhost_full_path}" ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate ${cert_path};~" "${vhost_full_path}" - ${NGINX_BIN} -t + $(command -v nginx) -t } x509_verify() { @@ -64,15 +64,18 @@ x509_enddate() { } main() { + # Read configuration file, if it exists [ -f /etc/default/evoacme ] && . /etc/default/evoacme - [ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR=/etc/ssl/private - [ -z "${ACME_DIR}" ] && ACME_DIR=/var/lib/letsencrypt - [ -z "${CSR_DIR}" ] && CSR_DIR=/etc/ssl/requests - [ -z "${CRT_DIR}" ] && CRT_DIR=/etc/letsencrypt - [ -z "${LOG_DIR}" ] && LOG_DIR=/var/log/evoacme - [ -z "${SSL_MINDAY}" ] && SSL_MINDAY=30 - [ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR=/etc/ssl/self-signed - [ -z "${DH_DIR}" ] && DH_DIR=etc/ssl/dhparam + + # Default value for main variables + SSL_KEY_DIR=${SSL_KEY_DIR:-"/etc/ssl/private"} + ACME_DIR=${ACME_DIR:-"/var/lib/letsencrypt"} + CSR_DIR=${CSR_DIR:-"/etc/ssl/requests"} + CRT_DIR=${CRT_DIR:-"/etc/letsencrypt"} + LOG_DIR=${LOG_DIR:-"/var/log/evoacme"} + SSL_MINDAY=${SSL_MINDAY:-"30"} + SELF_SIGNED_DIR=${SELF_SIGNED_DIR:-"/etc/ssl/self-signed"} + SSL_EMAIL=${SSL_EMAIL:-""} CRON=${CRON:-"0"} TEST=${TEST:-"0"} 
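Review bot: The `DH_DIR` default (`etc/ssl/dhparam`, itself a relative path) is dropped without a replacement while the other defaults are kept; if `DH_DIR` is read anywhere else in the script, `set -u` now makes that fatal whenever `/etc/default/evoacme` does not define it. Confirm it is unused, or restore it in the new style with an absolute path: `DH_DIR=${DH_DIR:-"/etc/ssl/dhparam"}`. A short comment on the block, `# every variable below must have a default: the script runs with set -u`, would document the invariant.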
@@ -80,24 +83,13 @@ main() { [ "$1" = "-h" ] || [ "$1" = "--help" ] && usage && exit 0 # check arguments - [ "$#" -ge 3 ] || [ "$#" -le 0 ] && error "invalid argument(s)" - [ "$#" -eq 2 ] && [ "$1" != "--cron" ] && error "invalid argument(s)" + [ "$#" -eq 1 ] || error "invalid argument(s)" - [ "$#" -eq 1 ] && VHOST=$(basename "$1" .conf) && CRON=NO - [ "$#" -eq 2 ] && VHOST=$(basename "$2" .conf) && CRON=YES + VHOST=$(basename "$1" .conf) # check for important programs - OPENSSL_BIN=$(command -v openssl) - if [ "$?" -eq 0 ]; then - error "openssl command not installed" - fi - CERTBOT_BIN=$(command -v certbot) - if [ "$?" -eq 0 ]; then - error "certbot command not installed" - fi - - APACHE2CTL_BIN=$(command -v apache2ctl) - NGINX_BIN=$(command -v nginx) + OPENSSL_BIN=$(command -v openssl) || error "openssl command not installed" + CERTBOT_BIN=$(command -v certbot) || error "certbot command not installed" # double check for directories [ ! -d "${ACME_DIR}" ] && error "${ACME_DIR} is not a directory" @@ -116,13 +108,10 @@ main() { # Hook for evoadmin-web in cluster mode : check master status evoadmin_state_file="/home/${VHOST}/state" - if [ -f "${evoadmin_state_file}" ]; then - grep -q "STATE=master" "${evoadmin_state_file}" - if [ "$?" != 0 ]; then - debug "We are not the master of this evoadmin cluster. Quit!" - exit 0 - fi - fi + [ -f "${evoadmin_state_file}" ] \ + && grep -q "STATE=slave" "${evoadmin_state_file}" \ + && debug "We are slave of this evoadmin cluster. Quit!" \ + && exit 0 #### INIT OR RENEW? 
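Review bot: `APACHE2CTL_BIN=$(command -v apache2ctl)` and `NGINX_BIN=$(command -v nginx)` are removed here, but `${APACHE2CTL_BIN}` and `${NGINX_BIN}` are still expanded in the reload block later in this commit (`if [ $(${APACHE2CTL_BIN} -t 2>/dev/null) ]`); with `set -u` the script aborts there with an unbound-variable error, after the new certificate has been linked live but before any reload. Either keep the two assignments (they are harmless when the binary is absent) or switch the reload block to the `$(command -v ...)` form the sed helpers now use.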
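Review bot: The cluster guard is inverted in meaning: it used to quit unless `STATE=master`, and now quits only when `STATE=slave`, so a host whose state file holds any other value, or is malformed, proceeds to request a certificate; confirm this relaxation is intended. It is also chained as `... && debug "We are slave ..." && exit 0`, and `debug()` returns non-zero whenever CRON is not `0`, so in cron mode — the normal way this script runs — a slave never reaches `exit 0`. Put the exit in an `if` body, `if [ -f "${evoadmin_state_file}" ] && grep -q "STATE=slave" "${evoadmin_state_file}"; then debug "..."; exit 0; fi`, rather than behind the debug call.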
@@ -183,20 +172,21 @@ main() { fi # create a certificate with certbot - sudo -u acme ${CERTBOT_BIN} \ + sudo -u acme \ + ${CERTBOT_BIN} \ certonly \ - ${CERTBOT_MODE} \ - ${CERTBOT_REGISTRATION} \ - --non-interactive \ - --webroot \ - --csr "${CSR_FILE}" \ - --webroot-path "${ACME_DIR}" \ - --cert-path "${NEW_CERT}" \ - --fullchain-path "${NEW_FULLCHAIN}" \ - --chain-path "${NEW_CHAIN}" \ - --logs-dir "$LOG_DIR" \ - 2>&1 \ - | grep -v "certbot.crypto_util" + ${CERTBOT_MODE} \ + ${CERTBOT_REGISTRATION} \ + --non-interactive \ + --webroot \ + --csr "${CSR_FILE}" \ + --webroot-path "${ACME_DIR}" \ + --cert-path "${NEW_CERT}" \ + --fullchain-path "${NEW_FULLCHAIN}" \ + --chain-path "${NEW_CHAIN}" \ + --logs-dir "$LOG_DIR" \ + 2>&1 \ + | grep -v "certbot.crypto_util" # verify if all is right x509_verify "${NEW_CERT}" || error "${NEW_CERT} is invalid" @@ -221,8 +211,7 @@ main() { # reload apache if present if [ -n "$(pidof apache2)" ]; then - ${APACHE2CTL_BIN} -t 2>/dev/null - if [ "$?" -eq 0 ]; then + if [ $(${APACHE2CTL_BIN} -t 2>/dev/null) ]; then debug "Apache detected... reloading" service apache2 reload else @@ -232,8 +221,7 @@ main() { # reload nginx if present if [ -n "$(pidof nginx)" ]; then - ${NGINX_BIN} -t 2>/dev/null - if [ "$?" -eq 0 ]; then + if [ $(${NGINX_BIN} -t 2>/dev/null) ]; then debug "Nginx detected... reloading" service nginx reload else From fb0c22dfd16fec1babee6fdf9075aa631e5b7077 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 13 Oct 2017 00:47:02 +0200 Subject: [PATCH 109/266] evoacme: refactoring for make-csr inspired from recent refactoring or evoacme itself --- evoacme/files/make-csr.sh | 215 ++++++++++++++++++++++++-------------- 1 file changed, 136 insertions(+), 79 deletions(-) diff --git a/evoacme/files/make-csr.sh b/evoacme/files/make-csr.sh index 5338ba2c..f4a53533 100755 --- a/evoacme/files/make-csr.sh +++ b/evoacme/files/make-csr.sh 
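Review bot: `if [ $(${APACHE2CTL_BIN} -t 2>/dev/null) ]; then` tests whether the command printed anything to stdout, not whether it exited 0; `apache2ctl -t` normally reports its verdict on stderr, which is discarded here, so the test is effectively always false and every run ends in `error "Apache config is broken, you must fix it !"` without a reload — the nginx hunk below has the same construct. The two-line form this replaces checked `$?`; the idiomatic one-liner is `if ${APACHE2CTL_BIN} -t >/dev/null 2>&1; then`. These expansions also depend on variables this commit stops assigning earlier in `main()`.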
@@ -1,151 +1,208 @@ #!/bin/sh # -# make-csr is a shell script designed to automatically generate a +# make-csr is a shell script designed to automatically generate a # certificate signing request (CSR) from an Apache or a Nginx vhost # # Author: Victor Laborie # Licence: AGPLv3 # +real_ip_for_domain() { + dig +short "$1" | grep -oE "([0-9]+\.){3}[0-9]+" +} + get_domains() { - echo "$vhostfile"|grep -q nginx + echo "$vhostfile" | grep -q nginx if [ "$?" -eq 0 ]; then - domains=$(grep -oE "^( )*[^#]+" "$vhostfile" |grep -oE "[^\$]server_name.*;$"|sed 's/server_name//'|tr -d ';'|sed 's/\s\{1,\}//'|sed 's/\s\{1,\}/\n/g'|sort|uniq) + domains=$( + grep -oE "^( )*[^#]+" "$vhostfile" \ + | grep -oE "[^\$]server_name.*;$" \ + | sed 's/server_name//' \ + | tr -d ';' \ + | sed 's/\s\{1,\}//' \ + | sed 's/\s\{1,\}/\n/g' \ + | sort \ + | uniq + ) fi - - echo "$vhostfile" |grep -q apache2 + + echo "$vhostfile" | grep -q apache2 if [ "$?" -eq 0 ]; then - domains=$(grep -oE "^( )*[^#]+" "$vhostfile" |grep -oE "(ServerName|ServerAlias).*"|sed 's/ServerName//'|sed 's/ServerAlias//'|sed 's/\s\{1,\}//'|sort|uniq) + domains=$( + grep -oE "^( )*[^#]+" "$vhostfile" \ + | grep -oE "(ServerName|ServerAlias).*" \ + | sed 's/ServerName//' \ + | sed 's/ServerAlias//' \ + | sed 's/\s\{1,\}//' \ + | sort \ + | uniq + ) fi valid_domains="" nb=0 - - echo "Valid(s) domain(s) in $vhost :" + + echo "Valid(s) domain(s) in ${VHOST} :" for domain in $domains; do - real_ip=$(dig +short "$domain"|grep -oE "([0-9]+\.){3}[0-9]+") - for ip in $(echo "$SRV_IP"|xargs -n1); do + real_ip=$(real_ip_for_domain "${domain}") + for ip in $(echo "${SRV_IP}" | xargs -n1); do if [ "${ip}" = "${real_ip}" ]; then - valid_domains="$valid_domains $domain" - nb=$(( nb + 1 )) - echo "* $domain -> $real_ip" + valid_domains="${valid_domains} ${domain}" + nb=$(( nb + 1 )) + echo "* ${domain} -> ${real_ip}" fi done done - - if [ "$nb" -eq 0 ]; then - nb=$(echo "$domains"|wc -l) + + if [ "${nb}" -eq 0 ]; then + nb=$(echo 
"${domains}" | wc -l) echo "* No valid domain found" echo "All following(s) domain(s) will be used for CSR creation :" for domain in $domains; do - echo "* $domain" + echo "* ${domain}" done else - domains="$valid_domains" + domains="${valid_domains}" fi - domains=$(echo "$domains"|xargs -n1) + + domains=$(echo "$domains" | xargs -n1) } make_key() { - openssl genrsa -out "$SSL_KEY_DIR/${vhost}.key" "$SSL_KEY_SIZE" 2>/dev/null - chown root: "$SSL_KEY_DIR/${vhost}.key" - chmod 600 "$SSL_KEY_DIR/${vhost}.key" + openssl genrsa -out "${SSL_KEY_FILE}" "${SSL_KEY_SIZE}" 2>/dev/null + chown root: "${SSL_KEY_FILE}" + chmod 600 "${SSL_KEY_FILE}" } make_csr() { domains="$1" - nb=$(echo "$domains"|wc -l) - config_file="/tmp/make-csr-${vhost}.conf" + nb=$(echo "${domains}" | wc -l) + config_file="/tmp/make-csr-${VHOST}.conf" - mkdir -p "$CSR_DIR" -m 0755 - - if [ "$nb" -eq 1 ]; then - cat /etc/letsencrypt/openssl.cnf - > "$config_file" < "${config_file}" < "$config_file" < "${config_file}" < "$CSR_DIR/${vhost}.csr" + openssl req -new -sha256 -key "${SSL_KEY_FILE}" -reqexts SAN -config "${config_file}" > "${CSR_FILE}" fi - - if [ -f "$CSR_DIR/${vhost}.csr" ]; then - chmod 644 "$CSR_DIR/${vhost}.csr" - mkdir -p "$SELF_SIGNED_DIR" -m 0755 - openssl x509 -req -sha256 -days 365 -in "$CSR_DIR/${vhost}.csr" -signkey "$SSL_KEY_DIR/${vhost}.key" -out "$SELF_SIGNED_DIR/${vhost}.pem" - [ -f "$SELF_SIGNED_DIR/${vhost}.pem" ] && chmod 644 "$SELF_SIGNED_DIR/${vhost}.pem" + + if [ -f "${CSR_FILE}" ]; then + chmod 644 "${CSR_FILE}" + mkdir -p -m 0755 "${SELF_SIGNED_DIR}" + openssl x509 -req -sha256 -days 365 -in "${CSR_FILE}" -signkey "${SSL_KEY_FILE}" -out "${SELF_SIGNED_FILE}" + [ -f "${SELF_SIGNED_FILE}" ] && chmod 644 "${SELF_SIGNED_FILE}" fi } -mkconf_apache() { - mkdir -p /etc/apache2/ssl - if [ ! 
-f "/etc/apache2/ssl/${vhost}.conf" ]; then - cat > "/etc/apache2/ssl/${vhost}.conf" < "${apache_ssl_vhost_path}" < "/etc/nginx/ssl/${vhost}.conf" < "${nginx_ssl_vhost_path}" </dev/null \ + | head -n 1 +} + +default_key_size() { + grep default_bits ${SSL_CONFIG_FILE} \ + | cut -d'=' -f2 \ + | xargs +} + main() { if [ "$#" -ne 1 ]; then echo "You need to provide one argument !" >&2 exit 1 fi - vhost=$(basename "$1" .conf) - local_ip=$(ip a|grep brd|cut -d'/' -f1|grep -oE "([0-9]+\.){3}[0-9]+") + # Read configuration file, if it exists [ -f /etc/default/evoacme ] && . /etc/default/evoacme - [ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private' - [ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests' - [ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt' - [ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed' - SSL_KEY_SIZE=$(grep default_bits /etc/letsencrypt/openssl.cnf|cut -d'=' -f2|xargs) - [ -n "${SRV_IP}" ] && SRV_IP="${SRV_IP} $local_ip" || SRV_IP="$local_ip" - - vhostfile=$(ls "/etc/nginx/sites-enabled/${vhost}" "/etc/nginx/sites-enabled/${vhost}.conf" "/etc/apache2/sites-enabled/${vhost}" "/etc/apache2/sites-enabled/${vhost}.conf" 2>/dev/null|head -n1) - - if [ ! -h "$vhostfile" ]; then - echo "$vhost is not a valid virtualhost !" 
>&2 + + # Default value for main variables + CSR_DIR=${CSR_DIR:-'/etc/ssl/requests'} + CRT_DIR=${CRT_DIR:-'/etc/letsencrypt'} + SSL_CONFIG_FILE=${SSL_CONFIG_FILE:-"${CRT_DIR}/openssl.cnf"} + SELF_SIGNED_DIR=${SELF_SIGNED_DIR:-'/etc/ssl/self-signed'} + SSL_KEY_DIR=${SSL_KEY_DIR:-'/etc/ssl/private'} + SSL_KEY_SIZE=${SSL_KEY_SIZE:-$(default_key_size)} + SRV_IP=${SRV_IP:-""} + + VHOST=$(basename "$1" .conf) + SELF_SIGNED_FILE="${SELF_SIGNED_DIR}/${VHOST}.pem" + SSL_KEY_FILE="${SSL_KEY_DIR}/${VHOST}.key" + LIVE_DIR="${CRT_DIR}/${VHOST}/live" + CSR_FILE="${CSR_DIR}/${VHOST}.csr" + + local_ip=$(ip a | grep brd | cut -d'/' -f1 | grep -oE "([0-9]+\.){3}[0-9]+") + if [ -n "${SRV_IP}" ]; then + SRV_IP="${SRV_IP} ${local_ip}" + else + SRV_IP="${local_ip}" + fi + + vhostfile=$(first_vhost_file_found "${VHOST}") + + if [ ! -h "${vhostfile}" ]; then + echo "${VHOST} is not a valid virtualhost !" >&2 exit 1 fi - if [ -f "$SSL_KEY_DIR/${vhost}.key" ]; then - echo "$vhost key already exist, overwrite it ? (y)" + if [ -f "${SSL_KEY_FILE}" ]; then + echo "${VHOST} key already exist, overwrite it? [yN]" read REPLY - [ "$REPLY" = "Y" ] || [ "$REPLY" = "y" ] || exit 0 - rm -f "/etc/apache2/ssl/${vhost}.conf /etc/nginx/ssl/${vhost}.conf" - [ -h "${CRT_DIR}/${vhost}/live" ] && rm "${CRT_DIR}/${vhost}/live" + + [ "${REPLY}" = "Y" ] || [ "${REPLY}" = "y" ] || exit 0 + rm -f "/etc/apache2/ssl/${VHOST}.conf /etc/nginx/ssl/${VHOST}.conf" + [ -h "${LIVE_DIR}" ] && rm "${LIVE_DIR}" fi get_domains make_key - make_csr "$domains" - which apache2ctl >/dev/null && mkconf_apache - which nginx >/dev/null && mkconf_nginx + make_csr "${domains}" + + command -v apache2ctl >/dev/null && sed_selfsigned_cert_path_for_apache "/etc/apache2/ssl/${VHOST}.conf" + command -v nginx >/dev/null && sed_selfsigned_cert_path_for_nginx "/etc/nginx/ssl/${VHOST}.conf" } main "$@" From bced7561c96b74248a97cc2c45fc062eb155d446 Mon Sep 17 00:00:00 2001 
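Review bot: In `main`'s overwrite branch near the end of this hunk, `rm -f "/etc/apache2/ssl/${VHOST}.conf /etc/nginx/ssl/${VHOST}.conf"` passes one argument containing a space, so neither vhost file is removed and the later `sed_selfsigned_cert_path_for_*` calls work on the stale configs; quote the paths separately: `rm -f "/etc/apache2/ssl/${VHOST}.conf" "/etc/nginx/ssl/${VHOST}.conf"`. In `make_csr`, `config_file="/tmp/make-csr-${VHOST}.conf"` is a predictable name in a world-writable directory that this root-run script then writes with `>`; use `config_file=$(mktemp /tmp/make-csr-XXXXXX)` (and remove it when done) so the path cannot be pre-created by another local user. In `make_key`, the key is written by `openssl genrsa -out` before the `chmod 600`; unless the installed openssl already creates private-key files 0600, run it under `umask 077` to avoid a briefly world-readable key.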
From: Jeremy Lecour Date: Fri, 13 Oct 2017 11:16:21 +0200 Subject: [PATCH 110/266] make-csr: extract a few functions --- evoacme/files/make-csr.sh | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/evoacme/files/make-csr.sh b/evoacme/files/make-csr.sh index f4a53533..1e39bef9 100755 --- a/evoacme/files/make-csr.sh +++ b/evoacme/files/make-csr.sh @@ -10,6 +10,9 @@ real_ip_for_domain() { dig +short "$1" | grep -oE "([0-9]+\.){3}[0-9]+" } +local_ip() { + ip a | grep brd | cut -d'/' -f1 | grep -oE "([0-9]+\.){3}[0-9]+" +} get_domains() { echo "$vhostfile" | grep -q nginx @@ -174,11 +177,11 @@ main() { LIVE_DIR="${CRT_DIR}/${VHOST}/live" CSR_FILE="${CSR_DIR}/${VHOST}.csr" - local_ip=$(ip a | grep brd | cut -d'/' -f1 | grep -oE "([0-9]+\.){3}[0-9]+") + LOCAL_IP=$(local_ip) if [ -n "${SRV_IP}" ]; then - SRV_IP="${SRV_IP} ${local_ip}" + SRV_IP="${SRV_IP} ${LOCAL_IP}" else - SRV_IP="${local_ip}" + SRV_IP="${LOCAL_IP}" fi vhostfile=$(first_vhost_file_found "${VHOST}") From 5e71da94d3bb630bc99797c83c6fdc0373c318bc Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 13 Oct 2017 11:16:46 +0200 Subject: [PATCH 111/266] evoacme: fix typo --- evoacme/files/evoacme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index 41109a76..b555d374 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -94,7 +94,7 @@ main() { # double check for directories [ ! -d "${ACME_DIR}" ] && error "${ACME_DIR} is not a directory" [ ! -d "${CSR_DIR}" ] && error "${CSR_DIR} is not a directory" - [ ! -d "${LOG_DIR} "] && error "${LOG_DIR} is not a directory" + [ ! -d "${LOG_DIR}" ] && error "${LOG_DIR} is not a directory" #### CSR VALIDATION From 88600039d396dc2c5141a79083d9372b43fa0319 Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour Date: Fri, 13 Oct 2017 11:17:32 +0200 Subject: [PATCH 112/266] evoacme: daily iterations are not enough --- evoacme/files/evoacme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index b555d374..dffe334e 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -143,7 +143,7 @@ main() { #### CERTIFICATE CREATION WITH CERTBOT - ITERATION=$(date "+%Y%m%d") + ITERATION=$(date "+%Y%m%d%H%M%S") [ -z "${ITERATION}" ] && error "invalid iteration (${ITERATION})" NEW_DIR="${CRT_DIR}/${VHOST}/${ITERATION}" From 6d6d0760cd904813b9ecddc8ddf7654f093c47b6 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 13 Oct 2017 11:18:15 +0200 Subject: [PATCH 113/266] evoacme: sed cert path after cert creation --- evoacme/files/evoacme.sh | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index dffe334e..1019e1c4 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -134,11 +134,6 @@ main() { debug "Cert ${LIVE_CERT} expires at ${crt_end_date} => more than ${SSL_MINDAY} days: kthxbye." exit 0 fi - else - # We don't have a live symlink yet - # Let's start from scratch and configure our web server(s) - command -v apache2ctl && sed_cert_path_for_apache "${VHOST}" "${LIVE_FULLCHAIN}" - command -v nginx && sed_cert_path_for_nginx "${VHOST}" "${LIVE_FULLCHAIN}" fi #### CERTIFICATE CREATION WITH CERTBOT @@ -195,6 +190,13 @@ main() { #### CERTIFICATE ACTIVATION + if [ -h "${LIVE_DIR}" ]; then + # We don't have a live symlink yet + # Let's start from scratch and configure our web server(s) + command -v apache2ctl && sed_cert_path_for_apache "${VHOST}" "${LIVE_FULLCHAIN}" + command -v nginx && sed_cert_path_for_nginx "${VHOST}" "${LIVE_FULLCHAIN}" + fi + # link dance if [ -h "${LIVE_DIR}" ]; then rm "${LIVE_DIR}" From e11958d101c8766f29a2f923a1d4faa9e272f918 Mon Sep 17 00:00:00 2001 
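Review bot: In patch 113's `@@ -195,6 +190,13 @@` hunk the new block tests `[ -h "${LIVE_DIR}" ]` while its comment says "We don't have a live symlink yet", so the web-server configuration is applied only when the live symlink already exists and is skipped on the first issuance, which is the case the comment describes. The test needs negating: `if [ ! -h "${LIVE_DIR}" ]; then`. Also, `command -v apache2ctl && ...` writes the binary's path to stdout on every run; redirect it, `command -v apache2ctl > /dev/null && ...`, and the same for nginx.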
From: Jeremy Lecour Date: Fri, 13 Oct 2017 11:18:37 +0200 Subject: [PATCH 114/266] evoacme: fix web servers config check --- evoacme/files/evoacme.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index 1019e1c4..74e2abc1 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -213,7 +213,7 @@ main() { # reload apache if present if [ -n "$(pidof apache2)" ]; then - if [ $(${APACHE2CTL_BIN} -t 2>/dev/null) ]; then + if $($(command -v apache2ctl) -t 2>/dev/null); then debug "Apache detected... reloading" service apache2 reload else @@ -223,7 +223,7 @@ main() { # reload nginx if present if [ -n "$(pidof nginx)" ]; then - if [ $(${NGINX_BIN} -t 2>/dev/null) ]; then + if $($(command -v nginx) -t 2>/dev/null); then debug "Nginx detected... reloading" service nginx reload else From 0022071462db8d14a5a7407b06c0903c505981fb Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 13 Oct 2017 12:08:47 +0200 Subject: [PATCH 115/266] evoacme: add tests to fail with proper messages --- evoacme/files/evoacme.sh | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index 74e2abc1..60bbddcd 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -54,13 +54,19 @@ sed_cert_path_for_nginx() { } x509_verify() { - ${OPENSSL_BIN} x509 -noout -modulus -in "$1" >/dev/null + file="$1" + [ -f "$file" ] || error "File ${file} not found" + ${OPENSSL_BIN} x509 -noout -modulus -in "$file" >/dev/null } csr_verify() { - ${OPENSSL_BIN} req -noout -modulus -in "$1" >/dev/null + file="$1" + [ -f "$file" ] || error "File ${file} not found" + ${OPENSSL_BIN} req -noout -modulus -in "$file" >/dev/null } x509_enddate() { - ${OPENSSL_BIN} x509 -noout -enddate -in "$1" + file="$1" + [ -f "$file" ] || error "File ${file} not found" + ${OPENSSL_BIN} x509 -noout -enddate -in "$file" } main() { 
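Review bot: In patch 114's two hunks, `if $($(command -v apache2ctl) -t 2>/dev/null); then` runs the config check inside a command substitution and then executes whatever it printed to stdout as a command; it only works because POSIX sh gives an empty command the status of its last command substitution, and any stdout output (a warning, or a build that prints "Syntax OK" to stdout) would be executed as a command name instead. Run the check directly and branch on its status: `if "$(command -v apache2ctl)" -t >/dev/null 2>&1; then`, and likewise `if "$(command -v nginx)" -t >/dev/null 2>&1; then`. In patch 115's `x509_verify`/`csr_verify`/`x509_enddate` hunk, `file="$1"` is a global assignment in POSIX sh (no `local`); harmless today, but a short `# sh has no local; file is global` comment would stop a caller from relying on it.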
@@ -144,8 +150,9 @@ main() { NEW_DIR="${CRT_DIR}/${VHOST}/${ITERATION}" [ -d "${NEW_DIR}" ] && error "${NEW_DIR} directory already exists, remove it manually." - mkdir -pm 755 "${NEW_DIR}" - chown -R acme: "${NEW_DIR}" + mkdir -p "${NEW_DIR}" + chmod -R 0700 "${CRT_DIR}" + chown -R acme: "${CRT_DIR}" debug "New cert will be created in ${NEW_DIR}" NEW_CERT="${NEW_DIR}/cert.crt" @@ -166,6 +173,10 @@ main() { CERTBOT_REGISTRATION="${CERTBOT_REGISTRATION} --register-unsafely-without-email" fi + # Permissions checks for acme user + sudo -u acme test -r "${CSR_FILE}" || error "File ${CSR_FILE} is not readable by user 'acme'" + sudo -u acme test -w "${NEW_DIR}" || error "File ${NEW_DIR} is not writable by user 'acme'" + # create a certificate with certbot sudo -u acme \ ${CERTBOT_BIN} \ From 3c283d2bb416794e17fe5e71e1a93e7116dc7b0f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 13 Oct 2017 12:09:12 +0200 Subject: [PATCH 116/266] evoacme: execute evoacme in cron mode --- evoacme/files/certbot.cron | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/evoacme/files/certbot.cron b/evoacme/files/certbot.cron index eb2ddb3a..60007b4c 100755 --- a/evoacme/files/certbot.cron +++ b/evoacme/files/certbot.cron @@ -7,7 +7,9 @@ # [ -f /etc/default/evoacme ] && . /etc/default/evoacme -[ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt' +CRT_DIR="${CRT_DIR:-'/etc/letsencrypt'}" + +export CRON=1 find "${CRT_DIR}" -maxdepth 1 -mindepth 1 -type d ! -path "*accounts" -exec basename {} \; | while read vhost; do evoacme "$vhost" From 9bccbd9496f19fadb45c79e1a87efc6c999df9a1 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 13 Oct 2017 12:28:44 +0200 Subject: [PATCH 117/266] evoacme: check for readability, not just presence --- evoacme/files/evoacme.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index 60bbddcd..c20714c4 100755 --- a/evoacme/files/evoacme.sh 
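Review bot: In patch 115's `@@ -144,8 +150,9 @@` hunk, replacing `mkdir -pm 755 "${NEW_DIR}"` + `chown -R acme: "${NEW_DIR}"` with `chmod -R 0700 "${CRT_DIR}"` and `chown -R acme: "${CRT_DIR}"` gives the unprivileged `acme` user ownership of the whole certificate tree on every run — every earlier iteration, the `live` symlink target and the `accounts` directory the cron job skips — so anything running as `acme` can replace certificates the web servers later load; the previous scope (only `NEW_DIR`) kept that boundary. Keep ownership to the new iteration, `mkdir -p -m 0700 "${NEW_DIR}"` and `chown -R acme: "${NEW_DIR}"`, or add a comment stating why the entire tree must be writable by `acme` if certbot's account or log handling requires it.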
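Review bot: In patch 116's certbot.cron hunk, `CRT_DIR="${CRT_DIR:-'/etc/letsencrypt'}"` keeps the single quotes as part of the value, because quotes inside a double-quoted `${...:-word}` default are literal; when /etc/default/evoacme does not set CRT_DIR, `find` is run on the non-existent path `'/etc/letsencrypt'` (quotes included), prints "No such file or directory" and iterates over nothing, so the cron job renews no certificate. Write the default unquoted inside the braces: `CRT_DIR="${CRT_DIR:-/etc/letsencrypt}"`. The `export CRON=1` line also deserves a one-line comment such as `# CRON=1 silences evoacme's debug output`, since nothing in this file explains it.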
+++ b/evoacme/files/evoacme.sh @@ -55,23 +55,23 @@ sed_cert_path_for_nginx() { x509_verify() { file="$1" - [ -f "$file" ] || error "File ${file} not found" + [ -r "$file" ] || error "File ${file} not found" ${OPENSSL_BIN} x509 -noout -modulus -in "$file" >/dev/null } csr_verify() { file="$1" - [ -f "$file" ] || error "File ${file} not found" + [ -r "$file" ] || error "File ${file} not found" ${OPENSSL_BIN} req -noout -modulus -in "$file" >/dev/null } x509_enddate() { file="$1" - [ -f "$file" ] || error "File ${file} not found" + [ -r "$file" ] || error "File ${file} not found" ${OPENSSL_BIN} x509 -noout -enddate -in "$file" } main() { # Read configuration file, if it exists - [ -f /etc/default/evoacme ] && . /etc/default/evoacme + [ -r /etc/default/evoacme ] && . /etc/default/evoacme # Default value for main variables SSL_KEY_DIR=${SSL_KEY_DIR:-"/etc/ssl/private"} @@ -114,7 +114,7 @@ main() { # Hook for evoadmin-web in cluster mode : check master status evoadmin_state_file="/home/${VHOST}/state" - [ -f "${evoadmin_state_file}" ] \ + [ -r "${evoadmin_state_file}" ] \ && grep -q "STATE=slave" "${evoadmin_state_file}" \ && debug "We are slave of this evoadmin cluster. Quit!" \ && exit 0 From 31a19114e5e701900902b6544ddebddd12de123b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 13 Oct 2017 12:30:24 +0200 Subject: [PATCH 118/266] evoacme: readability of tests change from : "what I don't want" && error to : "what I want" || error --- evoacme/files/evoacme.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index c20714c4..342ab9b1 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh 
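Review bot: The message in the three `[ -r "$file" ] || error "File ${file} not found"` lines of this hunk no longer matches the test: `-r` also fails for a file that exists but is unreadable, which is exactly the case this commit sets out to catch, yet the operator is told the file is missing. Adjust the wording in all three helpers, e.g. `[ -r "$file" ] || error "File ${file} not found or not readable"`; the same applies to the evoadmin state-file check in the second hunk, where a readable-only test silently treats an unreadable state file as "not a cluster member".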
@@ -98,17 +98,17 @@ main() { CERTBOT_BIN=$(command -v certbot) || error "certbot command not installed" # double check for directories - [ ! -d "${ACME_DIR}" ] && error "${ACME_DIR} is not a directory" - [ ! -d "${CSR_DIR}" ] && error "${CSR_DIR} is not a directory" - [ ! -d "${LOG_DIR}" ] && error "${LOG_DIR} is not a directory" + [ -d "${ACME_DIR}" ] || error "${ACME_DIR} is not a directory" + [ -d "${CSR_DIR}" ] || error "${CSR_DIR} is not a directory" + [ -d "${LOG_DIR}" ] || error "${LOG_DIR} is not a directory" #### CSR VALIDATION # verify .csr file CSR_FILE="${CSR_DIR}/${VHOST}.csr" debug "Using CSR file: ${CSR_FILE}" - [ ! -f "${CSR_FILE}" ] && error "${CSR_FILE} absent" - [ ! -r "${CSR_FILE}" ] && error "${CSR_FILE} is not readable" + [ -f "${CSR_FILE}" ] || error "${CSR_FILE} absent" + [ -r "${CSR_FILE}" ] || error "${CSR_FILE} is not readable" csr_verify "${CSR_FILE}" || error "${CSR_FILE} is invalid" @@ -145,7 +145,7 @@ main() { #### CERTIFICATE CREATION WITH CERTBOT ITERATION=$(date "+%Y%m%d%H%M%S") - [ -z "${ITERATION}" ] && error "invalid iteration (${ITERATION})" + [ -n "${ITERATION}" ] || error "invalid iteration (${ITERATION})" NEW_DIR="${CRT_DIR}/${VHOST}/${ITERATION}" From 06a3965fde6a4361488e1f0dcc511f35dd015387 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 13 Oct 2017 12:30:34 +0200 Subject: [PATCH 119/266] whitespaces --- evoacme/files/evoacme.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index 342ab9b1..dc9fc001 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh 
@@ -195,9 +195,9 @@ main() { | grep -v "certbot.crypto_util" # verify if all is right - x509_verify "${NEW_CERT}" || error "${NEW_CERT} is invalid" + x509_verify "${NEW_CERT}" || error "${NEW_CERT} is invalid" x509_verify "${NEW_FULLCHAIN}" || error "${NEW_FULLCHAIN} is invalid" - x509_verify "${NEW_CHAIN}" || error "${NEW_CHAIN} is invalid" + x509_verify "${NEW_CHAIN}" || error "${NEW_CHAIN} is invalid" #### CERTIFICATE ACTIVATION From 1c5e5e965bb732df0cbe045e12adb1861c9a91f5 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 13 Oct 2017 12:32:16 +0200 Subject: [PATCH 120/266] evoacme: fix typo --- evoacme/files/evoacme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index dc9fc001..323d7647 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -175,7 +175,7 @@ main() { # Permissions checks for acme user sudo -u acme test -r "${CSR_FILE}" || error "File ${CSR_FILE} is not readable by user 'acme'" - sudo -u acme test -w "${NEW_DIR}" || error "File ${NEW_DIR} is not writable by user 'acme'" + sudo -u acme test -w "${NEW_DIR}" || error "Directory ${NEW_DIR} is not writable by user 'acme'" # create a certificate with certbot sudo -u acme \ From baa5eae78498d61cfda58d713966f673940401ce Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 13 Oct 2017 12:46:40 +0200 Subject: [PATCH 121/266] evoacme: add many tests --- evoacme/files/evoacme.sh | 8 ++++++++ evoacme/files/make-csr.sh | 14 ++++++++++---- 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index 323d7647..0a36262a 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh 
@@ -83,6 +83,14 @@ main() { SELF_SIGNED_DIR=${SELF_SIGNED_DIR:-"/etc/ssl/self-signed"} SSL_EMAIL=${SSL_EMAIL:-""} + [ -w "${SSL_KEY_DIR}" ] || error "Directory ${SSL_KEY_DIR} is not writable" + [ -w "${ACME_DIR}" ] || error "Directory ${ACME_DIR} is not writable" + [ -w "${CSR_DIR}" ] || error "Directory ${CSR_DIR} is not writable" + [ -w "${CRT_DIR}" ] || error "Directory ${CRT_DIR} is not writable" + [ -w "${LOG_DIR}" ] || error "Directory ${LOG_DIR} is not writable" + [ -w "${SELF_SIGNED_DIR}" ] || error "Directory ${SELF_SIGNED_DIR} is not writable" + [ -r "${SSL_CONFIG_FILE}" ] || error "File ${SSL_CONFIG_FILE} is not readable" + CRON=${CRON:-"0"} TEST=${TEST:-"0"} DRY_RUN=${DRY_RUN:-"0"} diff --git a/evoacme/files/make-csr.sh b/evoacme/files/make-csr.sh index 1e39bef9..33aa77b0 100755 --- a/evoacme/files/make-csr.sh +++ b/evoacme/files/make-csr.sh @@ -81,7 +81,7 @@ make_csr() { nb=$(echo "${domains}" | wc -l) config_file="/tmp/make-csr-${VHOST}.conf" - mkdir -p -m 0755 "${CSR_DIR}" + mkdir -p -m 0755 "${CSR_DIR}" || error "Unable to mkdir ${CSR_DIR}" if [ "${nb}" -eq 1 ]; then cat ${SSL_CONFIG_FILE} - > "${config_file}" < Date: Fri, 13 Oct 2017 14:05:05 +0200 Subject: [PATCH 122/266] evoacme: invert test logic --- evoacme/files/evoacme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index 0a36262a..2b4767b8 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -209,7 +209,7 @@ main() { #### CERTIFICATE ACTIVATION - if [ -h "${LIVE_DIR}" ]; then + if [ ! -h "${LIVE_DIR}" ]; then # We don't have a live symlink yet # Let's start from scratch and configure our web server(s) command -v apache2ctl && sed_cert_path_for_apache "${VHOST}" "${LIVE_FULLCHAIN}" From 2066a79f2eb60700f207f9fba300e9d3033b9874 Mon Sep 17 00:00:00 2001 
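Review bot: The seven `[ -w ... ] || error` checks added to `main` in the evoacme.sh hunk run as the invoking user, which for this script is root (it later runs `chown -R acme:` and `sudo -u acme`), and `test -w` succeeds for root on any existing directory, so they effectively only verify existence; the `sudo -u acme test -r/-w` checks further down are the ones that catch real permission problems. A comment to that effect, `# As root these only verify the paths exist; the acme-user checks below cover permissions`, would keep the next reader from assuming more. In the make-csr.sh hunk, `|| error "Unable to mkdir ${CSR_DIR}"` calls `error`, which the make-csr.sh refactor earlier on this page does not define; confirm another hunk of this patch adds it, otherwise the failure path ends in "error: not found" rather than the intended message.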
From: Jeremy Lecour Date: Fri, 13 Oct 2017 17:13:14 +0200 Subject: [PATCH 123/266] evoacme: exit after certbot in dry-run mode --- evoacme/files/evoacme.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index 2b4767b8..0593743b 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -202,6 +202,11 @@ main() { 2>&1 \ | grep -v "certbot.crypto_util" + if [ "${DRY_RUN}" = "1" ]; then + echo "In dry-run mode, we stop here. Bye" + exit 0 + fi + # verify if all is right x509_verify "${NEW_CERT}" || error "${NEW_CERT} is invalid" x509_verify "${NEW_FULLCHAIN}" || error "${NEW_FULLCHAIN} is invalid" From 1941f9a3f94d12a9867c23806f2c470cf737b56a Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 13 Oct 2017 17:14:03 +0200 Subject: [PATCH 124/266] evoacme: improve webserver config logic --- evoacme/files/evoacme.sh | 50 +++++++++++++++++++++++----------------- 1 file changed, 29 insertions(+), 21 deletions(-) diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index 0593743b..5f109bae 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -24,7 +24,7 @@ usage() { } debug() { - [ "${CRON}" = "0" ] && echo "$1" + [ "${CRON}" != "1" ] && echo "$1" } error() { 
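Review bot: In patch 124's `debug()` hunk, `[ "${CRON}" != "1" ] && echo "$1"` still makes the function return the status of the failed test when CRON=1, so `debug` reports failure in exactly the mode the cron job uses (`export CRON=1`, patch 116 on this page); any caller that chains `&& debug "..." && exit 0` — the evoadmin slave check earlier on this page does — then skips the exit under cron. Make the function's status independent of the mode: `if [ "${CRON}" != "1" ]; then echo "$1"; fi`, which returns 0 when the message is suppressed.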
@@ -38,9 +38,18 @@ sed_cert_path_for_apache() { vhost_full_path="/etc/apache2/ssl/${vhost}.conf" cert_path=$2 - debug "Apache detected... first configuration in ${vhost_full_path}" - [ -f "${vhost_full_path}" ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile ${cert_path}~" "${vhost_full_path}" - $(command -v apache2ctl) -t + [ ! -r "${vhost_full_path}" ] || return 0 + + search="^SSLCertificateFile.*$" + replace="SSLCertificateFile ${cert_path}" + + if ! $(grep -qE "${search}" "${vhost_full_path}"); then + [ -w "${vhost_full_path}" ] || error "File ${vhost_full_path} is not writable" + + sed -i "s~^${search}~${replace}~" "${vhost_full_path}" + debug "Config in ${vhost_full_path} has been updated" + $(command -v apache2ctl) -t + fi } sed_cert_path_for_nginx() { @@ -48,9 +57,18 @@ sed_cert_path_for_nginx() { vhost_full_path="/etc/nginx/ssl/${vhost}.conf" cert_path=$2 - debug "Nginx detected... first configuration in ${vhost_full_path}" - [ -f "${vhost_full_path}" ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate ${cert_path};~" "${vhost_full_path}" - $(command -v nginx) -t + [ ! -r "${vhost_full_path}" ] || return 0 + + search="^ssl_certificate[^_].*$" + replace="ssl_certificate ${cert_path};" + + if ! $(grep -qE "${search}" "${vhost_full_path}"); then + [ -w "${vhost_full_path}" ] || error "File ${vhost_full_path} is not writable" + + sed -i "s~${search}~${replace}~" "${vhost_full_path}" + debug "Config in ${vhost_full_path} has been updated" + $(command -v nginx) -t + fi } x509_verify() { @@ -89,7 +107,6 @@ main() { [ -w "${CRT_DIR}" ] || error "Directory ${CRT_DIR} is not writable" [ -w "${LOG_DIR}" ] || error "Directory ${LOG_DIR} is not writable" [ -w "${SELF_SIGNED_DIR}" ] || error "Directory ${SELF_SIGNED_DIR} is not writable" - [ -r "${SSL_CONFIG_FILE}" ] || error "File ${SSL_CONFIG_FILE} is not readable" CRON=${CRON:-"0"} TEST=${TEST:-"0"} 
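Review bot: In the rewritten `sed_cert_path_for_apache` the guard `[ ! -r "${vhost_full_path}" ] || return 0` is inverted — it returns when the file is readable and continues when it is not — and `sed -i "s~^${search}~${replace}~"` prepends a second `^` to a pattern that already begins with `^`, which GNU sed treats as a literal character, so the substitution can never match; `sed_cert_path_for_nginx` has the same inverted guard. The `if ! $(grep -qE "${search}" ...)` test in both functions is also the wrong way round for its purpose: when an `SSLCertificateFile`/`ssl_certificate` line exists the update is skipped, and when none exists the sed has nothing to replace, so neither config is ever updated; presumably the intent is to skip only when the file already carries the target line, i.e. `if ! grep -qF "${replace}" "${vhost_full_path}"; then` (a plain command, not `$(...)`). With the guard written as `[ -r "${vhost_full_path}" ] || return 0` and the apache sed as `sed -i "s~${search}~${replace}~" "${vhost_full_path}"` like the nginx one, the functions do what the commit message describes.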
@@ -214,13 +231,6 @@ main() { #### CERTIFICATE ACTIVATION - if [ ! -h "${LIVE_DIR}" ]; then - # We don't have a live symlink yet - # Let's start from scratch and configure our web server(s) - command -v apache2ctl && sed_cert_path_for_apache "${VHOST}" "${LIVE_FULLCHAIN}" - command -v nginx && sed_cert_path_for_nginx "${VHOST}" "${LIVE_FULLCHAIN}" - fi - # link dance if [ -h "${LIVE_DIR}" ]; then rm "${LIVE_DIR}" @@ -231,11 +241,8 @@ main() { # verify final path x509_verify "${LIVE_CERT}" || error "${LIVE_CERT} is invalid" - # disable error catching - # below this point anything can break - set +e - - # reload apache if present + # update and reload Apache + command -v apache2ctl > /dev/null && sed_cert_path_for_apache "${VHOST}" "${LIVE_FULLCHAIN}" if [ -n "$(pidof apache2)" ]; then if $($(command -v apache2ctl) -t 2>/dev/null); then debug "Apache detected... reloading" @@ -245,7 +252,8 @@ main() { fi fi - # reload nginx if present + # update and reload Nginx + command -v nginx > /dev/null && sed_cert_path_for_nginx "${VHOST}" "${LIVE_FULLCHAIN}" if [ -n "$(pidof nginx)" ]; then if $($(command -v nginx) -t 2>/dev/null); then debug "Nginx detected... reloading" From 3b4bf6d13afb0fb0874396111cee62fa4d0f6948 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Mon, 16 Oct 2017 17:46:55 +0200 Subject: [PATCH 125/266] php: fix right on custom conf files --- php/tasks/apache.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/php/tasks/apache.yml b/php/tasks/apache.yml index df352848..cefeb95c 100644 --- a/php/tasks/apache.yml +++ b/php/tasks/apache.yml @@ -52,6 +52,7 @@ section: PHP option: disable_functions value: "exec,shell-exec,system,passthru,putenv,popen" + mode: "0644" - name: Custom php.ini copy: @@ -59,6 +60,7 @@ content: | ; Put customized values here. ; default_charset = "ISO-8859-1" + mode: "0644" force: no - name: "Set custom values for PHP to enable Symfony" From 104a5c962e532342ac1abc73562db5682e58ab92 Mon Sep 17 00:00:00 2001 
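Review bot: In the `@@ -231,11 +241,8 @@` hunk, removing `set +e` means any errexit enabled at the top of the script (the deleted comment "below this point anything can break" suggests it is; the script header is outside this hunk) now applies to the reload section: `command -v apache2ctl > /dev/null && sed_cert_path_for_apache ...` is an AND list whose last command can fail (its `apache2ctl -t` returns non-zero on a broken config), and a failure there aborts the script before the Nginx block runs, leaving the new `live` link in place with Nginx never reloaded. Either keep `set +e` for this section or make the calls explicitly non-fatal, e.g. `sed_cert_path_for_apache "${VHOST}" "${LIVE_FULLCHAIN}" || debug "Apache config update failed"`, and the same for nginx.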
From: Victor LABORIE Date: Tue, 17 Oct 2017 10:24:19 +0200 Subject: [PATCH 126/266] wordpress: refactoring into role --- webapps/README.md | 13 ----- webapps/defaults/main.yml | 6 --- webapps/handlers/main.yml | 2 - webapps/tasks/main.yml | 4 -- webapps/tasks/wordpress.yml | 48 ----------------- webapps/vars/main.yml | 2 - webapps/wordpress/defaults/main.yml | 4 ++ webapps/{ => wordpress}/meta/main.yml | 2 +- webapps/wordpress/tasks/main.yml | 78 +++++++++++++++++++++++++++ 9 files changed, 83 insertions(+), 76 deletions(-) delete mode 100644 webapps/README.md delete mode 100644 webapps/defaults/main.yml delete mode 100644 webapps/handlers/main.yml delete mode 100644 webapps/tasks/main.yml delete mode 100644 webapps/tasks/wordpress.yml delete mode 100644 webapps/vars/main.yml create mode 100644 webapps/wordpress/defaults/main.yml rename webapps/{ => wordpress}/meta/main.yml (90%) create mode 100644 webapps/wordpress/tasks/main.yml diff --git a/webapps/README.md b/webapps/README.md deleted file mode 100644 index 2c74fa01..00000000 --- a/webapps/README.md +++ /dev/null @@ -1,13 +0,0 @@ -# webapps - -Install popular webapps - -## Tasks - -Tasks are extracted in several files, included in `tasks/main.yml` : - -* `wordpress.yml` : wordpress installation - -## Available variables - -* `webapp_wordpress_install` : enable wordpress installation diff --git a/webapps/defaults/main.yml b/webapps/defaults/main.yml deleted file mode 100644 index 1c25888f..00000000 --- a/webapps/defaults/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -webapps_wordpress_install: False -webapps_wordpress_version: 4.7-branch -webapps_wordpress_upstream: https://github.com/WordPress/WordPress -webapps_wordpress_upstream_default_title: "new blog Evolix SaaS" - diff --git a/webapps/handlers/main.yml b/webapps/handlers/main.yml deleted file mode 100644 index b1d39d12..00000000 --- a/webapps/handlers/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -# handlers file for webapps 
diff --git a/webapps/tasks/main.yml b/webapps/tasks/main.yml deleted file mode 100644 index a86da0fd..00000000 --- a/webapps/tasks/main.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- - -- include: wordpress.yml - when: webapps_wordpress_install diff --git a/webapps/tasks/wordpress.yml b/webapps/tasks/wordpress.yml deleted file mode 100644 index e85433c1..00000000 --- a/webapps/tasks/wordpress.yml +++ /dev/null @@ -1,48 +0,0 @@ - #- name: Init global variables - # include: './tasks/var_common.yml' - - - name: init dir_wpcli - set_fact: dir_wpcli="{{ dir }}/wp-cli" - - - debug: var=dir_wpcli - when: debug_mode - tags: debug_mode - - - name: Git clone Wordpress repository - include: './tasks/git.yml' - vars: - service_git: WordPress - url_git: "{{ webapps_wordpress_upstream }}" - dest_git: "{{ dir_www }}" - version_git: "{{ webapps_wordpress_version }}" - - - name: Creation directory wp-cli - file: > - path: "{{ dir_wpcli }}" - state: directory - - - name: Download wp-cli.phar - include: './tasks/download.yml' - vars: - url: 'https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar' - dest: "{{ dir_wpcli }}" - - - name: Configuration for db - shell: > - php wp-cli.phar core config --dbname="{{ db_name }}" --dbuser="{{ db_user }}" --dbpass="{{ db_pwd }}" --dbhost="{{ db_host }}" --path="{{ dir_www }}" - chdir: "{{ dir_wpcli }}" - - - name: Wordpress site installation - shell: > - php wp-cli.phar core install --url="{{ host }}" --title="{{ site_title }}" --admin_user="admin" --admin_password="{{ admin_pwd }}" --admin_email="{{ user }}@{{ ansible_fqdn }}" --skip-email --path="{{ dir_www }}" - chdir: "{{ dir_wpcli }}" - - - name: Init variables to sending the email about the installation - include: './tasks/var_email_install.yml' - vars: - admin_user: 'admin' - type: 'Installation' - - - name: Send email - include: './tasks/email.yml' - diff --git a/webapps/vars/main.yml b/webapps/vars/main.yml deleted file mode 100644 index 5ec52e44..00000000 
--- a/webapps/vars/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -# vars file for webapps diff --git a/webapps/wordpress/defaults/main.yml b/webapps/wordpress/defaults/main.yml new file mode 100644 index 00000000..b7d6f998 --- /dev/null +++ b/webapps/wordpress/defaults/main.yml @@ -0,0 +1,4 @@ +--- +wordpress_host: "{{ ansible_fqdn }}" +wordpress_title: "Wordpress Saas Evolix" +wordpress_email: "root@localhost" diff --git a/webapps/meta/main.yml b/webapps/wordpress/meta/main.yml similarity index 90% rename from webapps/meta/main.yml rename to webapps/wordpress/meta/main.yml index a8204bf9..73c6e08f 100644 --- a/webapps/meta/main.yml +++ b/webapps/wordpress/meta/main.yml @@ -1,6 +1,6 @@ galaxy_info: author: Evolix - description: your description + description: Install Wordpress site issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues diff --git a/webapps/wordpress/tasks/main.yml b/webapps/wordpress/tasks/main.yml new file mode 100644 index 00000000..0de874e8 --- /dev/null +++ b/webapps/wordpress/tasks/main.yml 
@@ -0,0 +1,78 @@ +--- +- name: Create bin dir + file: + state: directory + dest: "{{ ansible_env.HOME }}/bin" + mode: "0750" + +- name: Download wp-cli + get_url: + url: "https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar" + dest: "{{ ansible_env.HOME }}/bin/wp-cli.phar" + mode: "0750" + +- name: Download Wordpress + shell: 'php {{ ansible_env.HOME }}/bin/wp-cli.phar core download --locale=fr_FR --version=latest --path={{ ansible_env.HOME }}/www' + args: + creates: "{{ ansible_env.HOME }}/www/index.php" + +- name: Retrieve .my.cnf + fetch: + src: "{{ ansible_env.HOME }}/.my.cnf" + dest: "/tmp/wordpress-{{ ansible_user }}.cnf" + flat: yes + +- name: Generate random password + command: apg -n1 -m 12 -M SCN + register: shell_password + changed_when: false + +- name: Read mysql config from .my.cnf + set_fact: + db_host: "{{ lookup('ini', 'host section=client file=/tmp/wordpress-{{ ansible_user }}.cnf default=127.0.0.1') }}" + db_user: "{{ lookup('ini', 'user section=client file=/tmp/wordpress-{{ ansible_user }}.cnf default={{ ansible_user }}') }}" + db_pwd: "{{ lookup('ini', 'password section=client file=/tmp/wordpress-{{ ansible_user }}.cnf') }}" + db_name: "{{ lookup('ini', 'database section=mysql file=/tmp/wordpress-{{ ansible_user }}.cnf default={{ ansible_user }}') }}" + admin_pwd: "{{ shell_password.stdout }}" + +- name: Remove local .my.cnf + file: + path: "/tmp/wordpress-{{ ansible_user }}.cnf" + state: absent + delegate_to: localhost + +- name: Configure Wordpress (wp-config.php) + shell: 'php {{ ansible_env.HOME }}/bin/wp-cli.phar core config --path={{ ansible_env.HOME }}/www/ --dbhost={{ db_host }} --dbuser={{ db_user }} --dbpass={{ db_pwd }} --dbname={{ db_name }}' + args: + creates: "{{ ansible_env.HOME }}/www/wp-config.php" + +- name: Check if Wordpress is up to date + shell: 'php {{ ansible_env.HOME }}/bin/wp-cli.phar core check-update --path={{ ansible_env.HOME }}/www | grep -q Success' + register: check_version + check_mode: no + 
failed_when: false + changed_when: check_version.rc + +- name: Update Wordpress + shell: 'php {{ ansible_env.HOME }}/bin/wp-cli.phar core update --path={{ ansible_env.HOME }}/www' + args: + removes: "{{ ansible_env.HOME }}/www/index.php" + when: check_version.rc + +- name: Configure site + shell: 'php {{ ansible_env.HOME }}/bin/wp-cli.phar core install --url={{ wordpress_host | quote }} --title={{ wordpress_title | quote }} --admin_user=admin --admin_password={{ admin_pwd | quote }} --admin_email={{ wordpress_email }} --path={{ ansible_env.HOME }}/www' + +- name: Send a summary mail + mail: + host: 'localhost' + port: 25 + to: "{{ wordpress_email }}" + from: "{{ ansible_user }}@{{ ansible_fqdn }}" + subject: "Accès Wordpress {{ wordpress_host }}" + body: | + Installation du Wordpress {{ ansible_user }} sur {{ ansible_fqdn }} + + Server : {{ ansible_fqdn }} + Url : http://{{ wordpress_host }} + Utilisateur : admin + Mot de passe : {{ admin_pwd }} From b4e4b14fc63111e655d4aee42969698c206bb45e Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 17 Oct 2017 10:26:55 +0200 Subject: [PATCH 127/266] Invert SSH Match User directives --- evolinux-base/tasks/ssh.yml | 34 ++++++++++++++++++++++++++++++---- 1 file changed, 30 insertions(+), 4 deletions(-) diff --git a/evolinux-base/tasks/ssh.yml b/evolinux-base/tasks/ssh.yml index 17246565..e4f51a81 100644 --- a/evolinux-base/tasks/ssh.yml +++ b/evolinux-base/tasks/ssh.yml 
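Review bot: The database password leaves the managed host in clear at two points of this hunk: `fetch` copies `.my.cnf` to the predictable controller path `/tmp/wordpress-{{ ansible_user }}.cnf` (shared /tmp, default umask, readable by other controller users until the `state: absent` task runs and left behind if the play aborts in between), and `set_fact` then stores `db_pwd`/`admin_pwd` as facts, after which the `core config` and `core install` shell tasks echo them in task output and on the process command line. Read the file on the remote side instead (`slurp` + `b64decode`, or feed `core config` from the remote `.my.cnf` directly) and add `no_log: true` to the set_fact, `core config`, `core install` and mail tasks. The `core config` line also interpolates `db_pwd`, `db_user`, `db_host` and `db_name` without `| quote`, unlike the `core install` line, so a password containing a shell metacharacter breaks or rewrites the command (`--dbpass={{ db_pwd | quote }}`). Separately, `get_url` fetches `wp-cli.phar` with no `checksum:`, so pinning a digest there would make the one supply-chain step of this role verifiable.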
@@ -3,19 +3,45 @@ msg: "Warning: empty 'evolinux_ssh_password_auth_addresses' variable, tasks will be skipped!" when: evolinux_ssh_password_auth_addresses == [] -- name: Security directives for Evolinux +# From 'man sshd_config' : +# « If all of the criteria on the Match line are satisfied, the keywords +# on the following lines override those set in the global section of the config +# file, until either another Match line or the end of the file. +# If a keyword appears in multiple Match blocks that are satisfied, +# only the first instance of the keyword is applied. » +# +# We want to allow any user from a list of IP addresses to login with password, +# but users of the "evolix" group can't login with password from other IP addresses + +- name: Security directives for Evolinux (Debian 9 or later)" blockinfile: dest: /etc/ssh/sshd_config block: | - Match Group evolix - PasswordAuthentication no Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }} PasswordAuthentication yes + Match Group evolix + PasswordAuthentication no marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS" insertafter: EOF validate: '/usr/sbin/sshd -T -f %s' notify: reload sshd - when: evolinux_ssh_password_auth_addresses != [] + when: + - evolinux_ssh_password_auth_addresses != [] + - ansible_distribution_major_version | version_compare('9', '>=') + +- name: Security directives for Evolinux (Jessie) + blockinfile: + dest: /etc/ssh/sshd_config + block: | + Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }} + PasswordAuthentication yes + marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS" + insertafter: EOF + validate: '/usr/sbin/sshd -T -f %s' + notify: reload sshd + when: + - evolinux_ssh_password_auth_addresses != [] + - ansible_distribution_release == "jessie" # We disable AcceptEnv because it can be a security issue, but also because we # do not want clients to push their environment variables like LANG. 
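Review bot: The Jessie task in this hunk only installs the allow side (`Match Address … PasswordAuthentication yes`) and no `Match Group evolix` deny, so on Jessie this role by itself widens password login for the listed addresses and the restriction depends on per-user `Match User` lines maintained elsewhere (the evolinux-users role, judging by the next patch in this series); record that in the comment block, e.g. `# On Jessie the per-user "PasswordAuthentication no" lines are added by evolinux-users; this block only carries the address whitelist`. The task name `Security directives for Evolinux (Debian 9 or later)"` carries a stray trailing `"`. The `when` test `ansible_distribution_major_version | version_compare('9', '>=')` raises if that fact is ever non-numeric (as it can be on testing/sid hosts), and the Jessie task then does not apply either, leaving such a host with no restriction block at all; hedged, but a guard on `ansible_distribution_major_version | regex_search('^[0-9]+$')` or a fallback on `ansible_distribution_release` would close that gap.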
From 71cd04029ca6e162a893fe6f02ecef3cf203a23b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 17 Oct 2017 10:28:02 +0200 Subject: [PATCH 128/266] Insert "Match User" if missing (Jessie only) --- evolinux-users/tasks/ssh.yml | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/evolinux-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml index 519c53ee..8982dd6c 100644 --- a/evolinux-users/tasks/ssh.yml +++ b/evolinux-users/tasks/ssh.yml @@ -52,27 +52,31 @@ notify: reload sshd when: grep_allowusers_ssh.rc == 0 -- name: verify Match User directive +- name: "verify Match User directive" command: "grep 'Match User' /etc/ssh/sshd_config" changed_when: False failed_when: False register: grep_matchuser_ssh check_mode: no -# - name: "Add Match User sshd directive for '{{ user.name }}'" -# lineinfile: -# dest: /etc/ssh/sshd_config -# line: "\nMatch User {{ user.name }}\n PasswordAuthentication no" -# insertbefore: "# BEGIN EVOLINUX PASSWORD RESTRICTIONS" -# validate: '/usr/sbin/sshd -T -f %s' -# notify: reload sshd -# when: grep_matchuser_ssh.rc != 0 +- name: "Add Match User sshd directive for '{{ user.name }}' (Jessie)" + lineinfile: + dest: /etc/ssh/sshd_config + line: "\nMatch User {{ user.name }}\n PasswordAuthentication no" + insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS" + validate: '/usr/sbin/sshd -T -f %s' + notify: reload sshd + when: + - ansible_distribution_release == "jessie" + - grep_matchuser_ssh.rc != 0 -- name: "Modify Match User's sshd directive for '{{ user.name }}'" +- name: "Modify Match User's sshd directive for '{{ user.name }}' (Jessie)" replace: dest: /etc/ssh/sshd_config regexp: '^(Match User ((?!{{ user.name }}).)*)$' replace: '\1,{{ user.name }}' validate: '/usr/sbin/sshd -T -f %s' notify: reload sshd - when: grep_matchuser_ssh.rc == 0 + when: + - ansible_distribution_release == "jessie" + - grep_matchuser_ssh.rc == 0 
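Review bot: The `replace` task's regexp `^(Match User ((?!{{ user.name }}).)*)$` edits every `Match User` line in sshd_config, not only the one created by the `lineinfile` task above it, so a pre-existing block such as `Match User git` carrying its own ForceCommand or AllowTcpForwarding settings gets `,{{ user.name }}` appended and those restrictions are silently applied to the new user. The negative lookahead is also a substring test with `user.name` interpolated unescaped, so user `bob` is treated as already present on a `Match User bobby` line and a name containing regex metacharacters changes the match. Restrict the edit to the line following the `# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS` marker (the `after:` parameter of `replace` on Ansible 2.4+, or a dedicated `blockinfile` marker for the per-user list) and use `regexp: '^(Match User (?:(?!\b{{ user.name | regex_escape }}\b).)*)$'`.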
From 35f1ec91d86536b18337e9af8a0ce59c44132ace Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 17 Oct 2017 11:00:44 +0200 Subject: [PATCH 129/266] wordpress: configure site before update it --- webapps/wordpress/tasks/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/webapps/wordpress/tasks/main.yml b/webapps/wordpress/tasks/main.yml index 0de874e8..a0117605 100644 --- a/webapps/wordpress/tasks/main.yml +++ b/webapps/wordpress/tasks/main.yml @@ -46,6 +46,9 @@ args: creates: "{{ ansible_env.HOME }}/www/wp-config.php" +- name: Configure site + shell: 'php {{ ansible_env.HOME }}/bin/wp-cli.phar core install --url={{ wordpress_host | quote }} --title={{ wordpress_title | quote }} --admin_user=admin --admin_password={{ admin_pwd | quote }} --admin_email={{ wordpress_email }} --path={{ ansible_env.HOME }}/www' + - name: Check if Wordpress is up to date shell: 'php {{ ansible_env.HOME }}/bin/wp-cli.phar core check-update --path={{ ansible_env.HOME }}/www | grep -q Success' register: check_version @@ -59,9 +62,6 @@ removes: "{{ ansible_env.HOME }}/www/index.php" when: check_version.rc -- name: Configure site - shell: 'php {{ ansible_env.HOME }}/bin/wp-cli.phar core install --url={{ wordpress_host | quote }} --title={{ wordpress_title | quote }} --admin_user=admin --admin_password={{ admin_pwd | quote }} --admin_email={{ wordpress_email }} --path={{ ansible_env.HOME }}/www' - - name: Send a summary mail mail: host: 'localhost' From 8f9151c66e06f14ee10c5442151d75d891293f9e Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 17 Oct 2017 11:01:30 +0200 Subject: [PATCH 130/266] wordpress: don't use special caracter in admin password --- webapps/wordpress/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webapps/wordpress/tasks/main.yml b/webapps/wordpress/tasks/main.yml index a0117605..3132e06f 100644 --- a/webapps/wordpress/tasks/main.yml +++ b/webapps/wordpress/tasks/main.yml 
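Review bot: `Configure site` in this hunk still runs `wp core install` on every play with no guard, while `admin_pwd` is regenerated by `apg` on each run; on an already-installed site wp-cli reports it as already installed and, as far as I recall, applies nothing, so the summary mail that follows announces an admin password that was never set. Gate the install and the mail on an explicit check so both fire only on first installation; the `creates:` pattern used by the download and config tasks cannot express this because no file is produced.

```yaml
- name: Check if Wordpress is installed
  command: 'php {{ ansible_env.HOME }}/bin/wp-cli.phar core is-installed --path={{ ansible_env.HOME }}/www'
  register: wp_installed
  failed_when: false
  changed_when: false
  check_mode: no

- name: Configure site
  shell: 'php {{ ansible_env.HOME }}/bin/wp-cli.phar core install --url={{ wordpress_host | quote }} --title={{ wordpress_title | quote }} --admin_user=admin --admin_password={{ admin_pwd | quote }} --admin_email={{ wordpress_email }} --path={{ ansible_env.HOME }}/www'
  when: wp_installed.rc != 0

# … unchanged: update check and update tasks …

- name: Send a summary mail
  # … unchanged: mail parameters …
  when: wp_installed.rc != 0
```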
@@ -23,7 +23,7 @@ flat: yes - name: Generate random password - command: apg -n1 -m 12 -M SCN + command: apg -n1 -m 12 -M LCN register: shell_password changed_when: false From c5844fa193ce829077ac5bf6a7f8f3ac32e340e4 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 17 Oct 2017 11:18:02 +0200 Subject: [PATCH 131/266] wordpress: fix summary mail --- webapps/wordpress/tasks/main.yml | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/webapps/wordpress/tasks/main.yml b/webapps/wordpress/tasks/main.yml index 3132e06f..d898141f 100644 --- a/webapps/wordpress/tasks/main.yml +++ b/webapps/wordpress/tasks/main.yml @@ -47,7 +47,7 @@ creates: "{{ ansible_env.HOME }}/www/wp-config.php" - name: Configure site - shell: 'php {{ ansible_env.HOME }}/bin/wp-cli.phar core install --url={{ wordpress_host | quote }} --title={{ wordpress_title | quote }} --admin_user=admin --admin_password={{ admin_pwd | quote }} --admin_email={{ wordpress_email }} --path={{ ansible_env.HOME }}/www' + shell: 'php {{ ansible_env.HOME }}/bin/wp-cli.phar core install --url={{ wordpress_host | quote }} --title={{ wordpress_title | quote }} --admin_user=admin --admin_password={{ admin_pwd | quote }} --admin_email={{ wordpress_email }} --path={{ ansible_env.HOME }}/www --skip-email' - name: Check if Wordpress is up to date shell: 'php {{ ansible_env.HOME }}/bin/wp-cli.phar core check-update --path={{ ansible_env.HOME }}/www | grep -q Success' 
@@ -68,11 +68,20 @@ port: 25 to: "{{ wordpress_email }}" from: "{{ ansible_user }}@{{ ansible_fqdn }}" - subject: "Accès Wordpress {{ wordpress_host }}" + subject: "Nouveau site Wordpress {{ ansible_user }}" + charset: "utf-8" body: | - Installation du Wordpress {{ ansible_user }} sur {{ ansible_fqdn }} - - Server : {{ ansible_fqdn }} - Url : http://{{ wordpress_host }} - Utilisateur : admin + Votre nouveau site WordPress a bien été installé à l’adresse : + + http://{{ wordpress_host }} + + Vous pouvez vous y connecter en tant qu’administrateur avec les informations suivantes : + + Identifiant : admin Mot de passe : {{ admin_pwd }} + Connectez-vous ici : http://{{ wordpress_host }}/wp-login.php + + Nous espérons que vous aimerez votre nouveau site ! Merci à vous ! + -- + Équipe Evolix + Evolix - Hébergement et Infogérance Open Source http://www.evolix.fr/ From beff333a1a53fed8c60110c0eab221dd3331c719 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 17 Oct 2017 14:46:26 +0200 Subject: [PATCH 132/266] Evoacme: big refactoring * debug messages are sent to stdout * domains discovery from vhosts is extracted to "vhost-domains" * fixes suggested by shellcheck * variables are "local" or "readonly" wherever possible --- evoacme/files/evoacme.sh | 161 ++++++++-------- evoacme/files/make-csr.sh | 331 +++++++++++++++++---------------- evoacme/files/vhost-domains.sh | 151 +++++++++++++++ 3 files changed, 411 insertions(+), 232 deletions(-) create mode 100755 evoacme/files/vhost-domains.sh diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index 5f109bae..4d9f9f47 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh 
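Review bot: The rewritten body still delivers the admin password in clear over SMTP to `{{ wordpress_email }}`, whose default in this series' defaults file is `root@localhost`, and nothing tells the recipient it is a bootstrap value to be replaced. Add a line after `Mot de passe : {{ admin_pwd }}` such as `Merci de changer ce mot de passe dès votre première connexion.`. The rendered body is also a module argument, so it appears in verbose Ansible output unless the task carries `no_log: true`.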
@@ -11,37 +11,40 @@ set -e set -u usage() { - echo "Usage: $0 NAME" - echo "" - echo "NAME must be correspond to :" - echo "- a CSR in ${CSR_DIR}/NAME.csr" - echo "- a KEY in ${SSL_KEY_DIR}/NAME.key" - echo "" - echo "If env variable TEST=1, certbot is run in staging mode" - echo "If env variable DRY_RUN=1, certbot is run in dry-run mode" - echo "If env variable CRON=1, no message is output" - echo "" + cat <&2 echo "${PROGNAME}: $1" } - error() { - echo "error: $1" >&2 - [ "$1" = "invalid argument(s)" ] && usage + >&2 echo "${PROGNAME}: $1" + [ "$1" = "invalid argument(s)" ] && >&2 usage exit 1 } sed_cert_path_for_apache() { - vhost=$1 - vhost_full_path="/etc/apache2/ssl/${vhost}.conf" - cert_path=$2 + local vhost=$1 + local vhost_full_path="/etc/apache2/ssl/${vhost}.conf" + local cert_path=$2 [ ! -r "${vhost_full_path}" ] || return 0 - search="^SSLCertificateFile.*$" - replace="SSLCertificateFile ${cert_path}" + local search="^SSLCertificateFile.*$" + local replace="SSLCertificateFile ${cert_path}" if ! $(grep -qE "${search}" "${vhost_full_path}"); then [ -w "${vhost_full_path}" ] || error "File ${vhost_full_path} is not writable" @@ -51,16 +54,15 @@ sed_cert_path_for_apache() { $(command -v apache2ctl) -t fi } - sed_cert_path_for_nginx() { - vhost=$1 - vhost_full_path="/etc/nginx/ssl/${vhost}.conf" - cert_path=$2 + local vhost=$1 + local vhost_full_path="/etc/nginx/ssl/${vhost}.conf" + local cert_path=$2 [ ! -r "${vhost_full_path}" ] || return 0 - search="^ssl_certificate[^_].*$" - replace="ssl_certificate ${cert_path};" + local search="^ssl_certificate[^_].*$" + local replace="ssl_certificate ${cert_path};" if ! $(grep -qE "${search}" "${vhost_full_path}"); then [ -w "${vhost_full_path}" ] || error "File ${vhost_full_path} is not writable" 
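Review bot: In `sed_cert_path_for_apache` the guard `[ ! -r "${vhost_full_path}" ] || return 0` reads as inverted: it returns early exactly when the SSL vhost file is readable and continues to the grep/sed when it is not, so unless I misread the intent the certificate path is never updated in an existing vhost; `[ -r "${vhost_full_path}" ] || return 0` matches the error message that follows. The unchanged `if ! $(grep -qE "${search}" "${vhost_full_path}"); then` still executes grep's (empty) output as a command rather than testing grep's status (shellcheck SC2091), which survived this commit's shellcheck pass; `if ! grep -qE "${search}" "${vhost_full_path}"; then` is what is meant. Both lines recur in `sed_cert_path_for_nginx` in the next hunk, and both functions continue past the hunk boundary.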
@@ -70,36 +72,27 @@ sed_cert_path_for_nginx() { $(command -v nginx) -t fi } - x509_verify() { - file="$1" + local file="$1" [ -r "$file" ] || error "File ${file} not found" - ${OPENSSL_BIN} x509 -noout -modulus -in "$file" >/dev/null -} -csr_verify() { - file="$1" - [ -r "$file" ] || error "File ${file} not found" - ${OPENSSL_BIN} req -noout -modulus -in "$file" >/dev/null + "${OPENSSL_BIN}" x509 -noout -modulus -in "$file" >/dev/null } x509_enddate() { - file="$1" + local file="$1" [ -r "$file" ] || error "File ${file} not found" - ${OPENSSL_BIN} x509 -noout -enddate -in "$file" + "${OPENSSL_BIN}" x509 -noout -enddate -in "$file" +} +csr_verify() { + local file="$1" + [ -r "$file" ] || error "File ${file} not found" + "${OPENSSL_BIN}" req -noout -modulus -in "$file" >/dev/null } main() { - # Read configuration file, if it exists - [ -r /etc/default/evoacme ] && . /etc/default/evoacme - - # Default value for main variables - SSL_KEY_DIR=${SSL_KEY_DIR:-"/etc/ssl/private"} - ACME_DIR=${ACME_DIR:-"/var/lib/letsencrypt"} - CSR_DIR=${CSR_DIR:-"/etc/ssl/requests"} - CRT_DIR=${CRT_DIR:-"/etc/letsencrypt"} - LOG_DIR=${LOG_DIR:-"/var/log/evoacme"} - SSL_MINDAY=${SSL_MINDAY:-"30"} - SELF_SIGNED_DIR=${SELF_SIGNED_DIR:-"/etc/ssl/self-signed"} - SSL_EMAIL=${SSL_EMAIL:-""} + [ "$1" = "-h" ] || [ "$1" = "--help" ] && usage && exit 0 + # check arguments + echo "1: '$1'" + [ "$#" -eq 1 ] || error "invalid argument(s)" [ -w "${SSL_KEY_DIR}" ] || error "Directory ${SSL_KEY_DIR} is not writable" [ -w "${ACME_DIR}" ] || error "Directory ${ACME_DIR} is not writable" 
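Review bot: The new argument handling at the top of `main()` leaves a debugging print in place, `echo "1: '$1'"`, which writes the argument to stdout on every run, including cron runs where `QUIET=1` is meant to silence output; drop it. It also dereferences `$1` in the `-h`/`--help` test before the `[ "$#" -eq 1 ]` check, and under `set -u` an invocation without arguments now dies with an unbound-variable error instead of the `invalid argument(s)` usage message; test `$#` first or use `${1:-}` in the help test. `main()` continues past this hunk.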
@@ -108,19 +101,11 @@ main() { [ -w "${LOG_DIR}" ] || error "Directory ${LOG_DIR} is not writable" [ -w "${SELF_SIGNED_DIR}" ] || error "Directory ${SELF_SIGNED_DIR} is not writable" - CRON=${CRON:-"0"} - TEST=${TEST:-"0"} - DRY_RUN=${DRY_RUN:-"0"} - - [ "$1" = "-h" ] || [ "$1" = "--help" ] && usage && exit 0 - # check arguments - [ "$#" -eq 1 ] || error "invalid argument(s)" - - VHOST=$(basename "$1" .conf) + readonly VHOST=$(basename "$1" .conf) # check for important programs - OPENSSL_BIN=$(command -v openssl) || error "openssl command not installed" - CERTBOT_BIN=$(command -v certbot) || error "certbot command not installed" + readonly OPENSSL_BIN=$(command -v openssl) || error "openssl command not installed" + readonly CERTBOT_BIN=$(command -v certbot) || error "certbot command not installed" # double check for directories [ -d "${ACME_DIR}" ] || error "${ACME_DIR} is not a directory" @@ -130,7 +115,7 @@ main() { #### CSR VALIDATION # verify .csr file - CSR_FILE="${CSR_DIR}/${VHOST}.csr" + readonly CSR_FILE="${CSR_DIR}/${VHOST}.csr" debug "Using CSR file: ${CSR_FILE}" [ -f "${CSR_FILE}" ] || error "${CSR_FILE} absent" [ -r "${CSR_FILE}" ] || error "${CSR_FILE} is not readable" @@ -138,7 +123,7 @@ main() { csr_verify "${CSR_FILE}" || error "${CSR_FILE} is invalid" # Hook for evoadmin-web in cluster mode : check master status - evoadmin_state_file="/home/${VHOST}/state" + local evoadmin_state_file="/home/${VHOST}/state" [ -r "${evoadmin_state_file}" ] \ && grep -q "STATE=slave" "${evoadmin_state_file}" \ && debug "We are slave of this evoadmin cluster. Quit!" \ 
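Review bot: `readonly OPENSSL_BIN=$(command -v openssl) || error "openssl command not installed"` (and the `CERTBOT_BIN` line below it) no longer detects a missing binary: the line's exit status is that of `readonly`, which succeeds, not that of the command substitution, so `error` never fires and the script continues with an empty path until `"${OPENSSL_BIN}" x509 …` fails later with a less useful message (shellcheck SC2155); the pre-commit plain assignment preserved the status. Split the two steps: `OPENSSL_BIN=$(command -v openssl) || error "openssl command not installed"` followed by `readonly OPENSSL_BIN`, and the same for `CERTBOT_BIN`. `readonly VHOST=$(basename "$1" .conf)` has the same shape but nothing depends on its status.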
@@ -146,10 +131,10 @@ main() { #### INIT OR RENEW? - LIVE_DIR="${CRT_DIR}/${VHOST}/live" - LIVE_CERT="${LIVE_DIR}/cert.crt" - LIVE_FULLCHAIN="${LIVE_DIR}/fullchain.pem" - LIVE_CHAIN="${LIVE_DIR}/chain.pem" + readonly LIVE_DIR="${CRT_DIR}/${VHOST}/live" + readonly LIVE_CERT="${LIVE_DIR}/cert.crt" + readonly LIVE_FULLCHAIN="${LIVE_DIR}/fullchain.pem" + readonly LIVE_CHAIN="${LIVE_DIR}/chain.pem" # If live symlink already exists, it's not our first time... if [ -h "${LIVE_DIR}" ]; then @@ -169,10 +154,10 @@ main() { #### CERTIFICATE CREATION WITH CERTBOT - ITERATION=$(date "+%Y%m%d%H%M%S") - [ -n "${ITERATION}" ] || error "invalid iteration (${ITERATION})" + local iteration=$(date "+%Y%m%d%H%M%S") + [ -n "${iteration}" ] || error "invalid iteration (${iteration})" - NEW_DIR="${CRT_DIR}/${VHOST}/${ITERATION}" + readonly NEW_DIR="${CRT_DIR}/${VHOST}/${iteration}" [ -d "${NEW_DIR}" ] && error "${NEW_DIR} directory already exists, remove it manually." mkdir -p "${NEW_DIR}" @@ -180,16 +165,16 @@ main() { chown -R acme: "${CRT_DIR}" debug "New cert will be created in ${NEW_DIR}" - NEW_CERT="${NEW_DIR}/cert.crt" - NEW_FULLCHAIN="${NEW_DIR}/fullchain.pem" - NEW_CHAIN="${NEW_DIR}/chain.pem" + readonly NEW_CERT="${NEW_DIR}/cert.crt" + readonly NEW_FULLCHAIN="${NEW_DIR}/fullchain.pem" + readonly NEW_CHAIN="${NEW_DIR}/chain.pem" - CERTBOT_MODE="" + local CERTBOT_MODE="" [ "${TEST}" = "1" ] && CERTBOT_MODE="${CERTBOT_MODE} --test-cert" - [ "${CRON}" = "1" ] && CERTBOT_MODE="${CERTBOT_MODE} --quiet" + [ "${QUIET}" = "1" ] && CERTBOT_MODE="${CERTBOT_MODE} --quiet" [ "${DRY_RUN}" = "1" ] && CERTBOT_MODE="${CERTBOT_MODE} --dry-run" - CERTBOT_REGISTRATION="--agree-tos" + local CERTBOT_REGISTRATION="--agree-tos" if [ -n "${SSL_EMAIL}" ]; then debug "Registering at certbot with ${SSL_EMAIL} as email" CERTBOT_REGISTRATION="${CERTBOT_REGISTRATION} -m ${SSL_EMAIL}" 
@@ -204,7 +189,7 @@ main() { # create a certificate with certbot sudo -u acme \ - ${CERTBOT_BIN} \ + "${CERTBOT_BIN}" \ certonly \ ${CERTBOT_MODE} \ ${CERTBOT_REGISTRATION} \ @@ -220,7 +205,7 @@ main() { | grep -v "certbot.crypto_util" if [ "${DRY_RUN}" = "1" ]; then - echo "In dry-run mode, we stop here. Bye" + debug "In dry-run mode, we stop here. Bye" exit 0 fi @@ -229,6 +214,8 @@ main() { x509_verify "${NEW_FULLCHAIN}" || error "${NEW_FULLCHAIN} is invalid" x509_verify "${NEW_CHAIN}" || error "${NEW_CHAIN} is invalid" + log "New certificate available at ${NEW_CERT}" + #### CERTIFICATE ACTIVATION # link dance @@ -264,4 +251,26 @@ main() { fi } -main "$@" +readonly PROGNAME=$(basename "$0") +readonly PROGDIR=$(readlink -m $(dirname "$0")) +readonly ARGS=$@ + +readonly VERBOSE=${VERBOSE:-"0"} +readonly QUIET=${QUIET:-"0"} +readonly TEST=${TEST:-"0"} +readonly DRY_RUN=${DRY_RUN:-"0"} + +# Read configuration file, if it exists +[ -r /etc/default/evoacme ] && . /etc/default/evoacme + +# Default value for main variables +readonly SSL_KEY_DIR=${SSL_KEY_DIR:-"/etc/ssl/private"} +readonly ACME_DIR=${ACME_DIR:-"/var/lib/letsencrypt"} +readonly CSR_DIR=${CSR_DIR:-"/etc/ssl/requests"} +readonly CRT_DIR=${CRT_DIR:-"/etc/letsencrypt"} +readonly LOG_DIR=${LOG_DIR:-"/var/log/evoacme"} +readonly SSL_MINDAY=${SSL_MINDAY:-"30"} +readonly SELF_SIGNED_DIR=${SELF_SIGNED_DIR:-"/etc/ssl/self-signed"} +readonly SSL_EMAIL=${SSL_EMAIL:-""} + +main ${ARGS} diff --git a/evoacme/files/make-csr.sh b/evoacme/files/make-csr.sh index 33aa77b0..6bd27125 100755 --- a/evoacme/files/make-csr.sh +++ b/evoacme/files/make-csr.sh 
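Review bot: The new bottom-of-file wrapper replaces `main "$@"` with `readonly ARGS=$@` and `main ${ARGS}`, which flattens the arguments into one string and re-splits it on IFS with pathname expansion, so an argument containing whitespace or a glob character is mangled; keep `main "$@"` and drop `ARGS`. The `readonly VERBOSE/QUIET/TEST/DRY_RUN` lines also now run before `. /etc/default/evoacme` is sourced, so if that file (not visible here) ever assigns one of those names the shell aborts on a read-only assignment; either source the file first or document that these four are environment-only. `readonly PROGDIR=$(readlink -m $(dirname "$0"))` leaves the inner substitution unquoted (SC2046).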
@@ -7,110 +7,38 @@ # Licence: AGPLv3 # -real_ip_for_domain() { - dig +short "$1" | grep -oE "([0-9]+\.){3}[0-9]+" +set -u + +usage() { + cat <&2 echo "${PROGNAME}: $1" + fi +} +error() { + >&2 echo "${PROGNAME}: $1" + exit 1 } -get_domains() { - echo "$vhostfile" | grep -q nginx - if [ "$?" -eq 0 ]; then - domains=$( - grep -oE "^( )*[^#]+" "$vhostfile" \ - | grep -oE "[^\$]server_name.*;$" \ - | sed 's/server_name//' \ - | tr -d ';' \ - | sed 's/\s\{1,\}//' \ - | sed 's/\s\{1,\}/\n/g' \ - | sort \ - | uniq - ) - fi - - echo "$vhostfile" | grep -q apache2 - if [ "$?" -eq 0 ]; then - domains=$( - grep -oE "^( )*[^#]+" "$vhostfile" \ - | grep -oE "(ServerName|ServerAlias).*" \ - | sed 's/ServerName//' \ - | sed 's/ServerAlias//' \ - | sed 's/\s\{1,\}//' \ - | sort \ - | uniq - ) - fi - valid_domains="" - nb=0 - - echo "Valid(s) domain(s) in ${VHOST} :" - for domain in $domains; do - real_ip=$(real_ip_for_domain "${domain}") - for ip in $(echo "${SRV_IP}" | xargs -n1); do - if [ "${ip}" = "${real_ip}" ]; then - valid_domains="${valid_domains} ${domain}" - nb=$(( nb + 1 )) - echo "* ${domain} -> ${real_ip}" - fi - done - done - - if [ "${nb}" -eq 0 ]; then - nb=$(echo "${domains}" | wc -l) - echo "* No valid domain found" - echo "All following(s) domain(s) will be used for CSR creation :" - for domain in $domains; do - echo "* ${domain}" - done - else - domains="${valid_domains}" - fi - - domains=$(echo "$domains" | xargs -n1) -} - -make_key() { - openssl genrsa -out "${SSL_KEY_FILE}" "${SSL_KEY_SIZE}" 2>/dev/null - chown root: "${SSL_KEY_FILE}" - chmod 600 "${SSL_KEY_FILE}" -} - -make_csr() { - domains="$1" - nb=$(echo "${domains}" | wc -l) - config_file="/tmp/make-csr-${VHOST}.conf" - - mkdir -p -m 0755 "${CSR_DIR}" || error "Unable to mkdir ${CSR_DIR}" - - if [ "${nb}" -eq 1 ]; then - cat ${SSL_CONFIG_FILE} - > "${config_file}" < "${config_file}" < "${CSR_FILE}" - fi - - if [ -f "${CSR_FILE}" ]; then - chmod 644 "${CSR_FILE}" - mkdir -p -m 0755 "${SELF_SIGNED_DIR}" 
- openssl x509 -req -sha256 -days 365 -in "${CSR_FILE}" -signkey "${SSL_KEY_FILE}" -out "${SELF_SIGNED_FILE}" - [ -f "${SELF_SIGNED_FILE}" ] && chmod 644 "${SELF_SIGNED_FILE}" - fi +default_key_size() { + grep default_bits "${SSL_CONFIG_FILE}" | cut -d'=' -f2 | xargs } sed_selfsigned_cert_path_for_apache() { - apache_ssl_vhost_path="$1" + local apache_ssl_vhost_path="$1" mkdir -p $(dirname "${apache_ssl_vhost_path}") if [ ! -f "${apache_ssl_vhost_path}" ]; then @@ -119,13 +47,18 @@ SSLEngine On SSLCertificateFile ${SELF_SIGNED_FILE} SSLCertificateKeyFile ${SSL_KEY_FILE} EOF + debug "SSL config added in ${apache_ssl_vhost_path}" else - sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile ${SELF_SIGNED_FILE}~" "${apache_ssl_vhost_path}" + local search="^SSLCertificateFile.*$" + local replace="SSLCertificateFile ${SELF_SIGNED_FILE}" + + sed -i "s~${search}~${replace}~" "${apache_ssl_vhost_path}" + debug "SSL config updated in ${apache_ssl_vhost_path}" fi } sed_selfsigned_cert_path_for_nginx() { - nginx_ssl_vhost_path="$1" + local nginx_ssl_vhost_path="$1" mkdir -p $(dirname "${nginx_ssl_vhost_path}") if [ ! -f "${nginx_ssl_vhost_path}" ]; then 
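Review bot: make-csr.sh now enables only `set -u`, whereas its sibling evoacme.sh in this same commit runs under `set -e` as well; here a failing `openssl genrsa`/`openssl req` inside the `openssl_*` helpers of the later hunk (which do not check their exit status) does not stop the script, so `make_key` goes on to `chown`/`chmod` a key that was never written and the self-signed certificate step is attempted on it. Add `set -e` next to `set -u`, or make each helper `|| error …`. `default_key_size` is also evaluated at top level (via `SSL_KEY_SIZE=${SSL_KEY_SIZE:-$(default_key_size)}`) before `main` checks that `SSL_CONFIG_FILE` is readable, so on a missing config the size silently becomes empty.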
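Review bot: `sed -i "s~${search}~${replace}~" "${apache_ssl_vhost_path}"` builds both pattern and replacement from unescaped values: a `~`, `&` or `\` in `SELF_SIGNED_FILE` (derived from `SELF_SIGNED_DIR`, which comes from /etc/default/evoacme) corrupts the edit or injects sed syntax, and the same applies to the nginx twin in the next hunk; escape the replacement (`replace=$(printf '%s' "SSLCertificateFile ${SELF_SIGNED_FILE}" | sed 's/[~&\\]/\\&/g')`) or pick a delimiter guaranteed absent. `mkdir -p $(dirname "${apache_ssl_vhost_path}")` keeps the outer substitution unquoted (SC2046). `sed_selfsigned_cert_path_for_apache` ends inside this hunk; its nginx counterpart starts here and continues past it.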
@@ -133,85 +66,171 @@ sed_selfsigned_cert_path_for_nginx() { ssl_certificate ${SELF_SIGNED_FILE}; ssl_certificate_key ${SSL_KEY_FILE}; EOF + debug "SSL config added in ${nginx_ssl_vhost_path}" else - sed -i "s~^ssl_certificate[^_].*$~ssl_certificate ${SELF_SIGNED_FILE};~" "${nginx_ssl_vhost_path}" + local search="^ssl_certificate[^_].*$" + local replace="ssl_certificate ${SELF_SIGNED_FILE};" + + sed -i "s~${search}~${replace}~" "${nginx_ssl_vhost_path}" + debug "SSL config updated in ${nginx_ssl_vhost_path}" fi } -first_vhost_file_found() { - vhost=$1 +openssl_selfsigned() { + local csr="$1" + local key="$2" + local crt="$3" + local crt_dir=$(dirname ${crt}) - ls "/etc/nginx/sites-enabled/${vhost}" \ - "/etc/nginx/sites-enabled/${vhost}.conf" \ - "/etc/apache2/sites-enabled/${vhost}.conf" 2>/dev/null \ - | head -n 1 + [ -r "${csr}" ] || error "File ${csr} is not readable" + [ -r "${key}" ] || error "File ${key} is not readable" + [ -w "${crt_dir}" ] || error "Directory ${crt_dir} is not writable" + + "${OPENSSL_BIN}" x509 -req -sha256 -days 365 -in "${csr}" -signkey "${key}" -out "${crt}" 2> /dev/null +} +openssl_key(){ + local key="$1" + local key_dir=$(dirname "${key}") + local size="$2" + + [ -w "${key_dir}" ] || error "Directory ${key_dir} is not writable" + + "${OPENSSL_BIN}" genrsa -out "${key}" "${size}" 2> /dev/null +} +openssl_csr_san() { + local csr="$1" + local csr_dir=$(dirname "${csr}") + local key="$2" + local cfg="$3" + + [ -w "${csr_dir}" ] || error "Directory ${csr_dir} is not writable" + + "${OPENSSL_BIN}" req -new -sha256 -key "${key}" -reqexts SAN -config "${cfg}" -out "${csr}" +} +openssl_csr_single() { + local csr="$1" + local csr_dir=$(dirname "${csr}") + local key="$2" + local cfg="$3" + + [ -w "${csr_dir}" ] || error "Directory ${csr_dir} is not writable" + + "${OPENSSL_BIN}" req -new -sha256 -key "${key}" -config "${cfg}" -out "${csr}" } -default_key_size() { - grep default_bits ${SSL_CONFIG_FILE} \ - | cut -d'=' -f2 \ - | xargs 
+make_key() { + local key="$1" + local size="$2" + + openssl_key "${key}" "${size}" + debug "Private key stored at ${key}" + + chown root: "${key}" + chmod 600 "${key}" +} + +make_csr() { + local domains=$@ + local nb=$# + local config_file="/tmp/make-csr-${VHOST}.conf" + local san= + + mkdir -p -m 0755 "${CSR_DIR}" || error "Unable to mkdir ${CSR_DIR}" + + if [ "${nb}" -eq 1 ]; then + cat "${SSL_CONFIG_FILE}" - > "${config_file}" < "${config_file}" <&2 - exit 1 + if [ -t 0 ]; then + # We have STDIN, so we should have at least 2 arguments + if [ "$#" -lt 2 ]; then + >&2 echo "invalid arguments" + >&2 usage + exit 1 + fi + # read VHOST from first argument + readonly VHOST="$1" + # remove the first argument + shift + # read domains from remaining arguments + readonly DOMAINS=$@ + else + # We don't have STDIN, so we should have only 1 argument + if [ "$#" != 1 ]; then + >&2 echo "invalid arguments" + >&2 usage + exit 1 + fi + # read VHOST from first argument + readonly VHOST="$1" + # read domains from input + DOMAINS= + while read -r line ; do + DOMAINS="${DOMAINS} ${line}" + done + # trim the string to remove leading/trailing spaces + DOMAINS=$(echo "${DOMAINS}" | xargs) fi - # Read configuration file, if it exists - [ -r /etc/default/evoacme ] && . 
/etc/default/evoacme - - # Default value for main variables - CSR_DIR=${CSR_DIR:-'/etc/ssl/requests'} - CRT_DIR=${CRT_DIR:-'/etc/letsencrypt'} - SSL_CONFIG_FILE=${SSL_CONFIG_FILE:-"${CRT_DIR}/openssl.cnf"} - SELF_SIGNED_DIR=${SELF_SIGNED_DIR:-'/etc/ssl/self-signed'} - SSL_KEY_DIR=${SSL_KEY_DIR:-'/etc/ssl/private'} - SSL_KEY_SIZE=${SSL_KEY_SIZE:-$(default_key_size)} - SRV_IP=${SRV_IP:-""} - [ -w "${CSR_DIR}" ] || error "Directory ${CSR_DIR} is not writable" - [ -w "${CRT_DIR}" ] || error "Directory ${CRT_DIR} is not writable" [ -w "${SELF_SIGNED_DIR}" ] || error "Directory ${SELF_SIGNED_DIR} is not writable" [ -w "${SSL_KEY_DIR}" ] || error "Directory ${SSL_KEY_DIR} is not writable" [ -r "${SSL_CONFIG_FILE}" ] || error "File ${SSL_CONFIG_FILE} is not readable" - VHOST=$(basename "$1" .conf) + # check for important programs + readonly OPENSSL_BIN=$(command -v openssl) || error "openssl command not installed" + SELF_SIGNED_FILE="${SELF_SIGNED_DIR}/${VHOST}.pem" SSL_KEY_FILE="${SSL_KEY_DIR}/${VHOST}.key" - LIVE_DIR="${CRT_DIR}/${VHOST}/live" CSR_FILE="${CSR_DIR}/${VHOST}.csr" - LOCAL_IP=$(local_ip) - if [ -n "${SRV_IP}" ]; then - SRV_IP="${SRV_IP} ${LOCAL_IP}" - else - SRV_IP="${LOCAL_IP}" - fi - - vhostfile=$(first_vhost_file_found "${VHOST}") - - if [ ! -h "${vhostfile}" ]; then - echo "${VHOST} is not a valid virtualhost !" >&2 - exit 1 - fi - - if [ -f "${SSL_KEY_FILE}" ]; then - echo "${VHOST} key already exist, overwrite it? 
[yN]" - read REPLY - - [ "${REPLY}" = "Y" ] || [ "${REPLY}" = "y" ] || exit 0 - rm -f "/etc/apache2/ssl/${VHOST}.conf /etc/nginx/ssl/${VHOST}.conf" - [ -h "${LIVE_DIR}" ] && rm "${LIVE_DIR}" - fi - - get_domains - make_key - make_csr "${domains}" + make_key "${SSL_KEY_FILE}" "${SSL_KEY_SIZE}" + make_csr ${DOMAINS} command -v apache2ctl >/dev/null && sed_selfsigned_cert_path_for_apache "/etc/apache2/ssl/${VHOST}.conf" command -v nginx >/dev/null && sed_selfsigned_cert_path_for_nginx "/etc/nginx/ssl/${VHOST}.conf" } -main "$@" +readonly PROGNAME=$(basename "$0") +readonly PROGDIR=$(readlink -m $(dirname "$0")) +readonly ARGS=$@ + +readonly VERBOSE=${VERBOSE:-"0"} + +# Read configuration file, if it exists +[ -r /etc/default/evoacme ] && . /etc/default/evoacme + +# Default value for main variables +CSR_DIR=${CSR_DIR:-'/etc/ssl/requests'} +SSL_CONFIG_FILE=${SSL_CONFIG_FILE:-"${CRT_DIR}/openssl.cnf"} +SELF_SIGNED_DIR=${SELF_SIGNED_DIR:-'/etc/ssl/self-signed'} +SSL_KEY_DIR=${SSL_KEY_DIR:-'/etc/ssl/private'} +SSL_KEY_SIZE=${SSL_KEY_SIZE:-$(default_key_size)} + +main ${ARGS} diff --git a/evoacme/files/vhost-domains.sh b/evoacme/files/vhost-domains.sh new file mode 100755 index 00000000..d8cdd2f4 --- /dev/null +++ b/evoacme/files/vhost-domains.sh 
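Review bot: The new defaults block at the end of this hunk drops the `CRT_DIR=${CRT_DIR:-'/etc/letsencrypt'}` line the removed block had, but `SSL_CONFIG_FILE=${SSL_CONFIG_FILE:-"${CRT_DIR}/openssl.cnf"}` still expands it, so under the `set -u` this commit adds the script aborts with an unbound-variable error on any host whose /etc/default/evoacme does not define `CRT_DIR`; restore `CRT_DIR=${CRT_DIR:-'/etc/letsencrypt'}` before that line. In `make_csr`, `config_file="/tmp/make-csr-${VHOST}.conf"` is a predictable path in a shared directory that is then truncated with `>` and fed to `openssl req -config`, the classic /tmp pre-creation/symlink race in which another local user can supply the CSR configuration; use `config_file=$(mktemp /tmp/make-csr.XXXXXX)` and remove it on exit. `openssl_key` writes the private key with the caller's umask and `make_key` only tightens it afterwards with `chmod 600`, leaving a world-readable window on a 022 umask; run the generation as `(umask 077; "${OPENSSL_BIN}" genrsa -out "${key}" "${size}")`. The interactive "key already exists, overwrite?" prompt was removed without replacement, so re-running make-csr for a vhost now silently regenerates the key under an existing live certificate.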
@@ -0,0 +1,151 @@ +#!/bin/sh +# +# make-csr is a shell script designed to automatically generate a +# certificate signing request (CSR) from an Apache or a Nginx vhost +# +# Author: Victor Laborie +# Licence: AGPLv3 +# + +set -u + +usage() { + cat <&2 echo "${PROGNAME}: $1" +} +error() { + >&2 echo "${PROGNAME}: $1" + exit 1 +} + +real_ip_for_domain() { + dig +short "$1" | grep -oE "([0-9]+\.){3}[0-9]+" +} +local_ip() { + ip a | grep brd | cut -d'/' -f1 | grep -oE "([0-9]+\.){3}[0-9]+" +} + +nginx_domains() { + local vhost_file="$1" + + grep -oE "^( )*[^#]+" "${vhost_file}" \ + | grep -oE "[^\$]server_name.*;$" \ + | sed 's/server_name//' \ + | tr -d ';' \ + | sed 's/\s\{1,\}//' \ + | sed 's/\s\{1,\}/\n/g' \ + | sort \ + | uniq +} + +apache_domains() { + local vhost_file="$1" + + grep -oE "^( )*[^#]+" "${vhost_file}" \ + | grep -oE "(ServerName|ServerAlias).*" \ + | sed 's/ServerName//' \ + | sed 's/ServerAlias//' \ + | sed 's/\s\{1,\}//' \ + | sort \ + | uniq +} + +get_domains() { + local vhost_file="$1" + local ips="$2" + local domains="" + local valid_domains="" + local nb=0 + + if $(echo "${vhost_file}" | grep -q nginx); then + debug "Nginx vhost file used" + domains=$(nginx_domains "${vhost_file}") + fi + if $(echo "${vhost_file}" | grep -q apache2); then + debug "Apache vhost file used" + domains=$(apache_domains "${vhost_file}") + fi + + debug "Valid(s) domain(s) in ${vhost_file} :" + for domain in ${domains}; do + real_ip=$(real_ip_for_domain "${domain}") + for ip in $(echo "${ips}" | xargs -n1); do + if [ "${ip}" = "${real_ip}" ]; then + valid_domains="${valid_domains} ${domain}" + nb=$(( nb + 1 )) + debug "* ${domain} -> ${real_ip}" + fi + done + done + + if [ "${nb}" -eq 0 ]; then + nb=$(echo "${domains}" | wc -l) + debug "* No valid domain found" + debug "All following(s) domain(s) will be used for CSR creation :" + for domain in ${domains}; do + debug "* ${domain}" + done + else + domains="${valid_domains}" + fi + + echo "${domains}" | xargs -n 1 +} + 
+first_vhost_file_found() { + local vhost_name="$1" + + ls "/etc/nginx/sites-enabled/${vhost_name}" \ + "/etc/nginx/sites-enabled/${vhost_name}.conf" \ + "/etc/apache2/sites-enabled/${vhost_name}.conf" \ + 2>/dev/null \ + | head -n 1 +} + +main() { + if [ "$#" != 1 ]; then + >&2 usage + exit 1 + fi + if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then + usage + exit 0 + fi + + local vhost_name=$(basename "$1" .conf) + local vhost_file=$(first_vhost_file_found "${vhost_name}") + + if [ ! -h "${vhost_file}" ]; then + >&2 echo "No virtualhost has been found for '${vhost_name}'." + exit 1 + fi + + local ips=$(local_ip) + if [ -n "${SRV_IP}" ]; then + ips="${ips} ${SRV_IP}" + fi + + get_domains "${vhost_file}" "${ips}" +} + +readonly PROGNAME=$(basename "$0") +readonly PROGDIR=$(readlink -m $(dirname "$0")) +readonly ARGS=$@ + +readonly VERBOSE=${VERBOSE:-"0"} +readonly SRV_IP=${SRV_IP:-""} + +main $ARGS From b7cede765436ec856bd34005ab14dad2eef76b50 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 17 Oct 2017 18:07:51 +0200 Subject: [PATCH 133/266] Don't add the trap if it is present or commented --- evolinux-users/tasks/profile.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/evolinux-users/tasks/profile.yml b/evolinux-users/tasks/profile.yml index 0101d4be..99af2512 100644 --- a/evolinux-users/tasks/profile.yml +++ b/evolinux-users/tasks/profile.yml 
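Review bot: In `get_domains`, `real_ip=$(real_ip_for_domain "${domain}")` is compared with `[ "${ip}" = "${real_ip}" ]` as one string, so any name resolving to several A records (or through a CNAME with several targets) never matches, and once nothing matches the function falls back to emitting every ServerName/ServerAlias in the vhost, including names that point elsewhere and will fail ACME validation; iterate the resolved addresses (`for real_ip in $(real_ip_for_domain "${domain}"); do`) and consider making the no-match case an error instead of a silent use-everything. `local_ip` only collects IPv4 addresses from interfaces that have a broadcast address, so AAAA-only names are classed as invalid as well. The header comment was copied from make-csr (`# make-csr is a shell script designed to automatically generate a certificate signing request`); it should read something like `# vhost-domains prints the domain names declared in an Apache or Nginx vhost, keeping those that resolve to this host`. `main $ARGS` has the same unquoted-argument issue as the other scripts; `main "$@"`.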
@@ -1,15 +1,16 @@ --- -- name: is evomaintenance installed? - stat: - path: "/usr/share/scripts/evomaintenance.sh" - register: evomaintenance_script - check_mode: no +- name: search profile for presence of evomaintenance + command: 'grep -q "trap.*sudo.*evomaintenance.sh"' + changed_when: False + failed_when: False + register: grep_profile_evomaintenance +# Don't add the trap if it is present or commented - name: "Add evomaintenance trap for '{{ user.name }}'" lineinfile: state: present dest: '/home/{{ user.name }}/.profile' insertafter: EOF line: 'trap "sudo /usr/share/scripts/evomaintenance.sh" 0' - when: evomaintenance_script.stat.exists + when: grep_profile_evomaintenance.rc != 0 From 21f698b62c1304f543fc8b9e0d2f5545376680e3 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 17 Oct 2017 18:08:18 +0200 Subject: [PATCH 134/266] chmod 700 /etc/evolinux --- listupgrade/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/listupgrade/tasks/main.yml b/listupgrade/tasks/main.yml index 74944eca..de9fdb2c 100644 --- a/listupgrade/tasks/main.yml +++ b/listupgrade/tasks/main.yml @@ -22,7 +22,7 @@ state: directory owner: root group: root - mode: "0600" + mode: "0700" - name: Copy listupgrade config template: From 232648a9b047e666f2bcd0b5df1bd5bc39d06724 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Wed, 18 Oct 2017 00:42:15 +0200 Subject: [PATCH 135/266] readlink -> realpath better portability on BSD systems --- evoacme/files/evoacme.sh | 2 +- evoacme/files/make-csr.sh | 2 +- evoacme/files/vhost-domains.sh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index 4d9f9f47..50fc4cb7 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh 
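Review bot: The new `command: 'grep -q "trap.*sudo.*evomaintenance.sh"'` has no file operand, so grep reads the task's stdin (empty) and exits 1 every time; `grep_profile_evomaintenance.rc != 0` is then always true and the commented-out case the comment promises to skip is never skipped. Pass the profile explicitly: `command: 'grep -q "trap.*sudo.*evomaintenance.sh" /home/{{ user.name }}/.profile'`. The removed stat of /usr/share/scripts/evomaintenance.sh was also the only guard that the trap target exists; without it, hosts where evomaintenance is not installed get a logout trap that runs sudo on a missing script. Style: Ansible convention is lowercase `changed_when: false` / `failed_when: false`.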
@@ -252,7 +252,7 @@ main() { } readonly PROGNAME=$(basename "$0") -readonly PROGDIR=$(readlink -m $(dirname "$0")) +readonly PROGDIR=$(realpath -m $(dirname "$0")) readonly ARGS=$@ readonly VERBOSE=${VERBOSE:-"0"} diff --git a/evoacme/files/make-csr.sh b/evoacme/files/make-csr.sh index 6bd27125..9fa380a4 100755 --- a/evoacme/files/make-csr.sh +++ b/evoacme/files/make-csr.sh @@ -218,7 +218,7 @@ main() { } readonly PROGNAME=$(basename "$0") -readonly PROGDIR=$(readlink -m $(dirname "$0")) +readonly PROGDIR=$(realpath -m $(dirname "$0")) readonly ARGS=$@ readonly VERBOSE=${VERBOSE:-"0"} diff --git a/evoacme/files/vhost-domains.sh b/evoacme/files/vhost-domains.sh index d8cdd2f4..dee4ecd1 100755 --- a/evoacme/files/vhost-domains.sh +++ b/evoacme/files/vhost-domains.sh @@ -142,7 +142,7 @@ main() { } readonly PROGNAME=$(basename "$0") -readonly PROGDIR=$(readlink -m $(dirname "$0")) +readonly PROGDIR=$(realpath -m $(dirname "$0")) readonly ARGS=$@ readonly VERBOSE=${VERBOSE:-"0"} From cd8ea40336a20e32484abc680201edc469818291 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Wed, 18 Oct 2017 00:43:33 +0200 Subject: [PATCH 136/266] readability and whitespaces --- evoacme/files/evoacme.sh | 8 +- evoacme/files/vhost-domains.sh | 160 +++++++++++++++++---------------- 2 files changed, 87 insertions(+), 81 deletions(-) diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index 50fc4cb7..cdf41fe1 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -25,10 +25,14 @@ EOT } log() { - [ "${QUIET}" != "1" ] && echo "${PROGNAME}: $1" + if [ "${QUIET}" != "1" ]; then + echo "${PROGNAME}: $1" + fi } debug() { - [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ] && >&2 echo "${PROGNAME}: $1" + if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then + >&2 echo "${PROGNAME}: $1" + fi } error() { >&2 echo "${PROGNAME}: $1" diff --git a/evoacme/files/vhost-domains.sh b/evoacme/files/vhost-domains.sh index dee4ecd1..33569a80 100755 
--- a/evoacme/files/vhost-domains.sh +++ b/evoacme/files/vhost-domains.sh @@ -24,7 +24,9 @@ EOT } debug() { - [ "${VERBOSE}" = 1 ] && >&2 echo "${PROGNAME}: $1" + if [ "${VERBOSE}" = 1 ]; then + >&2 echo "${PROGNAME}: $1" + fi } error() { >&2 echo "${PROGNAME}: $1" 
@@ -32,113 +34,113 @@ error() { } real_ip_for_domain() { - dig +short "$1" | grep -oE "([0-9]+\.){3}[0-9]+" + dig +short "$1" | grep -oE "([0-9]+\.){3}[0-9]+" } local_ip() { - ip a | grep brd | cut -d'/' -f1 | grep -oE "([0-9]+\.){3}[0-9]+" + ip a | grep brd | cut -d'/' -f1 | grep -oE "([0-9]+\.){3}[0-9]+" } nginx_domains() { - local vhost_file="$1" + local vhost_file="$1" - grep -oE "^( )*[^#]+" "${vhost_file}" \ - | grep -oE "[^\$]server_name.*;$" \ - | sed 's/server_name//' \ - | tr -d ';' \ - | sed 's/\s\{1,\}//' \ - | sed 's/\s\{1,\}/\n/g' \ - | sort \ - | uniq + grep -oE "^( )*[^#]+" "${vhost_file}" \ + | grep -oE "[^\$]server_name.*;$" \ + | sed 's/server_name//' \ + | tr -d ';' \ + | sed 's/\s\{1,\}//' \ + | sed 's/\s\{1,\}/\n/g' \ + | sort \ + | uniq } apache_domains() { - local vhost_file="$1" + local vhost_file="$1" - grep -oE "^( )*[^#]+" "${vhost_file}" \ - | grep -oE "(ServerName|ServerAlias).*" \ - | sed 's/ServerName//' \ - | sed 's/ServerAlias//' \ - | sed 's/\s\{1,\}//' \ - | sort \ - | uniq + grep -oE "^( )*[^#]+" "${vhost_file}" \ + | grep -oE "(ServerName|ServerAlias).*" \ + | sed 's/ServerName//' \ + | sed 's/ServerAlias//' \ + | sed 's/\s\{1,\}//' \ + | sort \ + | uniq } get_domains() { - local vhost_file="$1" - local ips="$2" - local domains="" - local valid_domains="" - local nb=0 + local vhost_file="$1" + local ips="$2" + local domains="" + local valid_domains="" + local nb=0 - if $(echo "${vhost_file}" | grep -q nginx); then - debug "Nginx vhost file used" - domains=$(nginx_domains "${vhost_file}") - fi - if $(echo "${vhost_file}" | grep -q apache2); then - debug "Apache vhost file used" - domains=$(apache_domains "${vhost_file}") - fi + if $(echo "${vhost_file}" | grep -q nginx); then + debug "Nginx vhost file used" + domains=$(nginx_domains "${vhost_file}") + fi + if $(echo "${vhost_file}" | grep -q apache2); then + debug "Apache vhost file used" + domains=$(apache_domains "${vhost_file}") + fi - debug "Valid(s) domain(s) in 
${vhost_file} :" - for domain in ${domains}; do - real_ip=$(real_ip_for_domain "${domain}") - for ip in $(echo "${ips}" | xargs -n1); do - if [ "${ip}" = "${real_ip}" ]; then - valid_domains="${valid_domains} ${domain}" - nb=$(( nb + 1 )) - debug "* ${domain} -> ${real_ip}" - fi - done - done - - if [ "${nb}" -eq 0 ]; then - nb=$(echo "${domains}" | wc -l) - debug "* No valid domain found" - debug "All following(s) domain(s) will be used for CSR creation :" + debug "Valid(s) domain(s) in ${vhost_file} :" for domain in ${domains}; do - debug "* ${domain}" + real_ip=$(real_ip_for_domain "${domain}") + for ip in $(echo "${ips}" | xargs -n1); do + if [ "${ip}" = "${real_ip}" ]; then + valid_domains="${valid_domains} ${domain}" + nb=$(( nb + 1 )) + debug "* ${domain} -> ${real_ip}" + fi + done done - else - domains="${valid_domains}" - fi - echo "${domains}" | xargs -n 1 + if [ "${nb}" -eq 0 ]; then + nb=$(echo "${domains}" | wc -l) + debug "* No valid domain found" + debug "All following(s) domain(s) will be used for CSR creation :" + for domain in ${domains}; do + debug "* ${domain}" + done + else + domains="${valid_domains}" + fi + + echo "${domains}" | xargs -n 1 } first_vhost_file_found() { - local vhost_name="$1" + local vhost_name="$1" - ls "/etc/nginx/sites-enabled/${vhost_name}" \ - "/etc/nginx/sites-enabled/${vhost_name}.conf" \ - "/etc/apache2/sites-enabled/${vhost_name}.conf" \ - 2>/dev/null \ - | head -n 1 + ls "/etc/nginx/sites-enabled/${vhost_name}" \ + "/etc/nginx/sites-enabled/${vhost_name}.conf" \ + "/etc/apache2/sites-enabled/${vhost_name}.conf" \ + 2>/dev/null \ + | head -n 1 } main() { - if [ "$#" != 1 ]; then - >&2 usage - exit 1 - fi - if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then - usage - exit 0 - fi + if [ "$#" != 1 ]; then + >&2 usage + exit 1 + fi + if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then + usage + exit 0 + fi - local vhost_name=$(basename "$1" .conf) - local vhost_file=$(first_vhost_file_found "${vhost_name}") + local 
vhost_name=$(basename "$1" .conf) + local vhost_file=$(first_vhost_file_found "${vhost_name}") - if [ ! -h "${vhost_file}" ]; then - >&2 echo "No virtualhost has been found for '${vhost_name}'." - exit 1 - fi + if [ ! -h "${vhost_file}" ]; then + >&2 echo "No virtualhost has been found for '${vhost_name}'." + exit 1 + fi - local ips=$(local_ip) - if [ -n "${SRV_IP}" ]; then - ips="${ips} ${SRV_IP}" - fi + local ips=$(local_ip) + if [ -n "${SRV_IP}" ]; then + ips="${ips} ${SRV_IP}" + fi - get_domains "${vhost_file}" "${ips}" + get_domains "${vhost_file}" "${ips}" } readonly PROGNAME=$(basename "$0") From d8960e2afa1ad0fde3b7556acb13572c6ed09af5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Wed, 18 Oct 2017 00:44:04 +0200 Subject: [PATCH 137/266] simplify CSR generation --- evoacme/files/make-csr.sh | 43 ++++++++++++++++++++------------------- 1 file changed, 22 insertions(+), 21 deletions(-) diff --git a/evoacme/files/make-csr.sh b/evoacme/files/make-csr.sh index 9fa380a4..226c4311 100755 --- a/evoacme/files/make-csr.sh +++ b/evoacme/files/make-csr.sh @@ -87,6 +87,8 @@ openssl_selfsigned() { [ -w "${crt_dir}" ] || error "Directory ${crt_dir} is not writable" "${OPENSSL_BIN}" x509 -req -sha256 -days 365 -in "${csr}" -signkey "${key}" -out "${crt}" 2> /dev/null + + [ -r "${crt}" ] || error "Something went wrong, ${crt} has not been generated" } openssl_key(){ local key="$1" @@ -96,8 +98,10 @@ openssl_key(){ [ -w "${key_dir}" ] || error "Directory ${key_dir} is not writable" "${OPENSSL_BIN}" genrsa -out "${key}" "${size}" 2> /dev/null + + [ -r "${key}" ] || error "Something went wrong, ${key} has not been generated" } -openssl_csr_san() { +openssl_csr() { local csr="$1" local csr_dir=$(dirname "${csr}") local key="$2" 
@@ -105,17 +109,15 @@ openssl_csr_san() { [ -w "${csr_dir}" ] || error "Directory ${csr_dir} is not writable" - "${OPENSSL_BIN}" req -new -sha256 -key "${key}" -reqexts SAN -config "${cfg}" -out "${csr}" -} -openssl_csr_single() { - local csr="$1" - local csr_dir=$(dirname "${csr}") - local key="$2" - local cfg="$3" + if $(grep -q "DNS:" "${cfg}"); then + # CSR with SAN + "${OPENSSL_BIN}" req -new -sha256 -key "${key}" -reqexts SAN -config "${cfg}" -out "${csr}" + else + # Single domain CSR + "${OPENSSL_BIN}" req -new -sha256 -key "${key}" -config "${cfg}" -out "${csr}" + fi - [ -w "${csr_dir}" ] || error "Directory ${csr_dir} is not writable" - - "${OPENSSL_BIN}" req -new -sha256 -key "${key}" -config "${cfg}" -out "${csr}" + [ -r "${csr}" ] || error "Something went wrong, ${csr} has not been generated" } make_key() { @@ -141,18 +143,17 @@ make_csr() { cat "${SSL_CONFIG_FILE}" - > "${config_file}" < "${config_file}" < "${config_file}" < Date: Wed, 18 Oct 2017 14:23:03 +0200 Subject: [PATCH 138/266] wordpress: install wp-fail2ban plugin by default --- webapps/wordpress/defaults/main.yml | 3 +++ webapps/wordpress/tasks/main.yml | 26 +++++++++++++++++++++----- 2 files changed, 24 insertions(+), 5 deletions(-) diff --git a/webapps/wordpress/defaults/main.yml b/webapps/wordpress/defaults/main.yml index b7d6f998..f2508aff 100644 --- a/webapps/wordpress/defaults/main.yml +++ b/webapps/wordpress/defaults/main.yml @@ -1,4 +1,7 @@ --- +wordpress_wpcli: "php {{ ansible_env.HOME }}/bin/wp-cli.phar --path={{ ansible_env.HOME }}/www" +wordpress_version: 'latest' +wordpress_plugins: ['wp-fail2ban'] wordpress_host: "{{ ansible_fqdn }}" wordpress_title: "Wordpress Saas Evolix" wordpress_email: "root@localhost" diff --git a/webapps/wordpress/tasks/main.yml b/webapps/wordpress/tasks/main.yml index d898141f..d8a4598b 100644 --- a/webapps/wordpress/tasks/main.yml +++ b/webapps/wordpress/tasks/main.yml 
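Review bot: The added `[ -r "${key}" ]` check in openssl_key confirms the private key was written but says nothing about its permissions; `openssl genrsa -out` honours the caller's umask, so under the usual 022 the key lands world-readable in SSL_KEY_DIR. Tighten it right after generation: `chmod 0600 "${key}" || error "Unable to restrict permissions on ${key}"` (or run the whole script under `umask 077`, which nothing in this hunk shows). The readability check also passes on a stale key left by an earlier run, so it does not actually prove that this invocation's genrsa succeeded; `|| error` on the openssl call itself would. openssl_key's opening line is above the hunk.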
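Review bot: `if $(grep -q "DNS:" "${cfg}"); then` in openssl_csr only works because the substitution expands to nothing and `if` then falls back to grep's exit status; it would execute grep's output as a command if `-q` were ever dropped. Write it as a plain test: `if grep -q "DNS:" "${cfg}"; then`. The trailing `[ -r "${csr}" ]` has the same weakness as in openssl_key: a CSR left over from a previous run satisfies it even when the `openssl req` above just failed, so append `|| error "Unable to generate ${csr}"` to each req call rather than inferring success from the file's existence.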
@@ -12,7 +12,7 @@ mode: "0750" - name: Download Wordpress - shell: 'php {{ ansible_env.HOME }}/bin/wp-cli.phar core download --locale=fr_FR --version=latest --path={{ ansible_env.HOME }}/www' + shell: '{{ wordpress_wpcli }} core download --locale=fr_FR --version={{ wordpress_version }}' args: creates: "{{ ansible_env.HOME }}/www/index.php" 
@@ -42,26 +42,42 @@ delegate_to: localhost - name: Configure Wordpress (wp-config.php) - shell: 'php {{ ansible_env.HOME }}/bin/wp-cli.phar core config --path={{ ansible_env.HOME }}/www/ --dbhost={{ db_host }} --dbuser={{ db_user }} --dbpass={{ db_pwd }} --dbname={{ db_name }}' + shell: '{{ wordpress_wpcli }} core config --dbhost={{ db_host }} --dbuser={{ db_user }} --dbpass={{ db_pwd }} --dbname={{ db_name }}' args: creates: "{{ ansible_env.HOME }}/www/wp-config.php" - name: Configure site - shell: 'php {{ ansible_env.HOME }}/bin/wp-cli.phar core install --url={{ wordpress_host | quote }} --title={{ wordpress_title | quote }} --admin_user=admin --admin_password={{ admin_pwd | quote }} --admin_email={{ wordpress_email }} --path={{ ansible_env.HOME }}/www --skip-email' + shell: '{{ wordpress_wpcli }} core install --url={{ wordpress_host | quote }} --title={{ wordpress_title | quote }} --admin_user=admin --admin_password="{{ admin_pwd | quote }}" --admin_email={{ wordpress_email }} --skip-email' + changed_when: false - name: Check if Wordpress is up to date - shell: 'php {{ ansible_env.HOME }}/bin/wp-cli.phar core check-update --path={{ ansible_env.HOME }}/www | grep -q Success' + shell: '{{ wordpress_wpcli }} core check-update | grep -q Success' register: check_version check_mode: no failed_when: false changed_when: check_version.rc - name: Update Wordpress - shell: 'php {{ ansible_env.HOME }}/bin/wp-cli.phar core update --path={{ ansible_env.HOME }}/www' + shell: '{{ wordpress_wpcli }} core update --version={{ wordpress_version }}' args: removes: "{{ ansible_env.HOME }}/www/index.php" when: check_version.rc +- name: Install default plugin + shell: '{{ wordpress_wpcli }} plugin is-installed {{ item }} || {{ wordpress_wpcli }} plugin install {{ item }}' + changed_when: false + with_items: "{{ wordpress_plugins }}" + +- name: Update default plugins + shell: '{{ wordpress_wpcli }} plugin is-installed {{ item }} && {{ wordpress_wpcli }} plugin update {{ item }}' + 
changed_when: false + with_items: "{{ wordpress_plugins }}" + +- name: Activate default plugins + shell: '{{ wordpress_wpcli }} plugin is-installed {{ item }} && {{ wordpress_wpcli }} plugin activate {{ item }}' + changed_when: false + with_items: "{{ wordpress_plugins }}" + - name: Send a summary mail mail: host: 'localhost' From 97e4abb37c98b4e6c42ac18e19388b5e1be71daa Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Wed, 18 Oct 2017 15:44:20 +0200 Subject: [PATCH 139/266] fail2ban: add wordpress filters --- fail2ban/defaults/main.yml | 1 + fail2ban/files/wordpress-hard.conf | 31 ++++++++++++++++++++++++++++ fail2ban/files/wordpress-soft.conf | 33 ++++++++++++++++++++++++++++++ fail2ban/tasks/main.yml | 2 ++ fail2ban/templates/jail.local.j2 | 18 ++++++++++++++++ 5 files changed, 85 insertions(+) create mode 100644 fail2ban/files/wordpress-hard.conf create mode 100644 fail2ban/files/wordpress-soft.conf diff --git a/fail2ban/defaults/main.yml b/fail2ban/defaults/main.yml index 2fe40951..5c4df4f0 100644 --- a/fail2ban/defaults/main.yml +++ b/fail2ban/defaults/main.yml @@ -2,3 +2,4 @@ general_alert_email: "root@localhost" fail2ban_alert_email: Null fail2ban_ignore_ips: [] +fail2ban_wordpress: False diff --git a/fail2ban/files/wordpress-hard.conf b/fail2ban/files/wordpress-hard.conf new file mode 100644 index 00000000..0eba3cf0 --- /dev/null +++ b/fail2ban/files/wordpress-hard.conf 
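Review bot: In the "Configure site" task the admin password is now passed as `--admin_password="{{ admin_pwd | quote }}"`; `quote` already shell-quotes the value (wrapping it in single quotes when it contains special characters), so nesting that inside double quotes makes the single quotes part of the password WordPress stores. Revert to `--admin_password={{ admin_pwd | quote }}`. The line above has the opposite problem: `--dbpass={{ db_pwd }}` is interpolated unquoted into a `shell` command, so a password containing `;`, `&`, spaces or quotes breaks or injects into the command line — use `--dbpass={{ db_pwd | quote }}`. Both secrets also remain visible in the process list for the duration of the wp-cli run, which is inherent to passing them as arguments and worth a comment next to these tasks.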
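Review bot: `fail2ban_wordpress: False` uses the capitalised Python spelling for a boolean default. Ansible convention and yamllint's truthy rule want lowercase: `fail2ban_wordpress: false`.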
@@ -0,0 +1,31 @@ +# Fail2Ban configuration file soft +# +# Author: Charles Lecklider +# + +[INCLUDES] + +# Read common prefixes. If any customizations available -- read them from +# common.local +before = common.conf + + +[Definition] + +_daemon = (?:wordpress|wp) + +# Option: failregex +# Notes.: regex to match the password failures messages in the logfile. The +# host must be matched by a group named "host". The tag "" can +# be used for standard IP/hostname matching and is only an alias for +# (?:::f{4,6}:)?(?P[\w\-.^_]+) +# Values: TEXT +# +failregex = ^%(__prefix_line)sAuthentication failure for .* from $ + ^%(__prefix_line)sXML-RPC authentication failure from $ + +# Option: ignoreregex +# Notes.: regex to ignore. If this regex matches, the line is ignored. +# Values: TEXT +# +ignoreregex = diff --git a/fail2ban/files/wordpress-soft.conf b/fail2ban/files/wordpress-soft.conf new file mode 100644 index 00000000..345aab68 --- /dev/null +++ b/fail2ban/files/wordpress-soft.conf @@ -0,0 +1,33 @@ +# Fail2Ban configuration file hard +# +# Author: Charles Lecklider +# + +[INCLUDES] + +# Read common prefixes. If any customizations available -- read them from +# common.local +before = common.conf + + +[Definition] + +_daemon = (?:wordpress|wp) + +# Option: failregex +# Notes.: regex to match the password failures messages in the logfile. The +# host must be matched by a group named "host". The tag "" can +# be used for standard IP/hostname matching and is only an alias for +# (?:::f{4,6}:)?(?P[\w\-.^_]+) +# Values: TEXT +# +failregex = ^%(__prefix_line)sAuthentication attempt for unknown user .* from ( via XML-RPC)?$ + ^%(__prefix_line)sBlocked authentication attempt for .* from ( via XML-RPC)?$ + ^%(__prefix_line)sBlocked user enumeration attempt from $ + ^%(__prefix_line)sPingback error .* generated from $ + +# Option: ignoreregex +# Notes.: regex to ignore. If this regex matches, the line is ignored. +# Values: TEXT +# +ignoreregex = 
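Review bot: The header of wordpress-hard.conf reads "Fail2Ban configuration file soft" and its two patterns (`Authentication failure for`, `XML-RPC authentication failure`) are the ordinary wrong-password messages, while wordpress-soft.conf is headed "hard" and carries the unknown-user, blocked-attempt, enumeration and pingback patterns — the two files appear to be swapped. That matters because jail.local.j2 in this same patch gives `wordpress-hard` `maxretry = 1`, so a legitimate user who mistypes a password once is banned immediately while enumeration probes get five attempts. Swap the contents (or the filter names in the jail) and make the header comment agree with the file name. As rendered here the `<HOST>` tag after `from` is absent in every failregex; if that is not an extraction artifact of this page, the regex captures no host and the jail cannot ban anything.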
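Review bot: The header comment says "hard" in a file named wordpress-soft.conf, and the patterns here (unknown user, blocked attempt, user enumeration, pingback error) are the known-bad cases a one-strike `wordpress-hard` jail is meant for. Either rename the file or point the jail at it, and in either case fix the header line to match the filename so the next reader does not have to diff both files to find out which is which. The `<HOST>` tag after `from` is also missing as rendered; verify it survived in the committed file.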
diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml index 7a47a0ce..fbed85eb 100644 --- a/fail2ban/tasks/main.yml +++ b/fail2ban/tasks/main.yml @@ -38,6 +38,8 @@ with_items: - dovecot-evolix.conf - sasl-evolix.conf + - wordpress-soft.conf + - wordpress-hard.conf notify: restart fail2ban tags: - fail2ban diff --git a/fail2ban/templates/jail.local.j2 b/fail2ban/templates/jail.local.j2 index 2f4d6bc3..b336e535 100644 --- a/fail2ban/templates/jail.local.j2 +++ b/fail2ban/templates/jail.local.j2 @@ -26,3 +26,21 @@ action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(proto %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] action = %(action_mwl)s + +{% if fail2ban_wordpress %} +[wordpress-hard] +enabled = true +port = http,https +filter = wordpress-hard +logpath = /var/log/auth.log +maxretry = 1 +findtime = 300 + +[wordpress-soft] +enabled = true +port = http,https +filter = wordpress-soft +logpath = /var/log/auth.log +maxretry = 5 +findtime = 300 +{% endif %} From 95e16287c877dc45058c123079ff6d57e0321f2a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Wed, 18 Oct 2017 22:48:22 +0200 Subject: [PATCH 140/266] Extract hook scripts for Apache and Nginx --- evoacme/files/apahe_update_and_reload.sh | 47 ++++++++++++++++++++++++ evoacme/files/nginx_update_and_reload.sh | 47 ++++++++++++++++++++++++ 2 files changed, 94 insertions(+) create mode 100644 evoacme/files/apahe_update_and_reload.sh create mode 100644 evoacme/files/nginx_update_and_reload.sh diff --git a/evoacme/files/apahe_update_and_reload.sh b/evoacme/files/apahe_update_and_reload.sh new file mode 100644 index 00000000..66b73df1 --- /dev/null +++ b/evoacme/files/apahe_update_and_reload.sh 
@@ -0,0 +1,47 @@ +#!/bin/sh + +error() { + >&2 echo "${PROGNAME}: $1" + exit 1 +} +debug() { + if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then + >&2 echo "${PROGNAME}: $1" + fi +} + +readonly PROGNAME=$(basename "$0") + +readonly VERBOSE=${VERBOSE:-"0"} + +if [ -z "${EVOACME_VHOST_PATH}"]; then + error "Missing EVOACME_VHOST_PATH environment variable" +fi +if [ -z "${EVOACME_CERT_PATH}"]; then + error "Missing EVOACME_CERT_PATH environment variable" +fi + +readonly APACHE2CTL_BIN=$(command -v apache2ctl) || error "apache2ctl command not installed" + +[ -r "${EVOACME_VHOST_PATH}"] || error "File ${EVOACME_VHOST_PATH} is not readable" + +local search="^SSLCertificateFile.*$" +local replace="SSLCertificateFile ${EVOACME_VHOST_PATH}" + +if ! $(grep -qE "${search}" "${EVOACME_VHOST_PATH}"); then + [ -w "${EVOACME_VHOST_PATH}" ] || error "File ${EVOACME_VHOST_PATH} is not writable" + + sed -i "s~${search}~${replace}~" "${EVOACME_VHOST_PATH}" + debug "Config in ${EVOACME_VHOST_PATH} has been updated" +fi + +if [ -n "$(pidof apache2)" ]; then + if $(${APACHE2CTL_BIN} -t 2> /dev/null); then + debug "Apache detected... reloading" + service apache2 reload + else + error "Apache config is broken, you must fix it !" + fi +fi + +exit 0 diff --git a/evoacme/files/nginx_update_and_reload.sh b/evoacme/files/nginx_update_and_reload.sh new file mode 100644 index 00000000..988c7389 --- /dev/null +++ b/evoacme/files/nginx_update_and_reload.sh 
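Review bot: This script cannot run as written: `[ -z "${EVOACME_VHOST_PATH}"]` and `[ -r "${EVOACME_VHOST_PATH}"]` are missing the space before `]`, and `local search=` / `local replace=` are used at top level, which dash rejects outside a function. The replacement is also wrong on two counts: it substitutes `SSLCertificateFile ${EVOACME_VHOST_PATH}` (the vhost path, not `${EVOACME_CERT_PATH}` as the nginx twin does), and `if ! $(grep -qE "${search}" …)` runs sed only when no SSLCertificateFile line exists, so an existing directive is never rewritten. Use `readonly replace="SSLCertificateFile ${EVOACME_CERT_PATH}"` and `if grep -qE "${search}" "${EVOACME_VHOST_PATH}"; then`.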
@@ -0,0 +1,47 @@ +#!/bin/sh + +error() { + >&2 echo "${PROGNAME}: $1" + exit 1 +} +debug() { + if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then + >&2 echo "${PROGNAME}: $1" + fi +} + +readonly PROGNAME=$(basename "$0") + +readonly VERBOSE=${VERBOSE:-"0"} + +if [ -z "${EVOACME_VHOST_PATH}"]; then + error "Missing EVOACME_VHOST_PATH environment variable" +fi +if [ -z "${EVOACME_CERT_PATH}"]; then + error "Missing EVOACME_CERT_PATH environment variable" +fi + +readonly NGINX_BIN=$(command -v nginx) || error "nginx command not installed" + +[ -r "${EVOACME_VHOST_PATH}"] || error "File ${EVOACME_VHOST_PATH} is not readable" + +readonly search="^ssl_certificate[^_].*$" +readonly replace="ssl_certificate ${EVOACME_CERT_PATH};" + +if ! $(grep -qE "${search}" "${EVOACME_VHOST_PATH}"); then + [ -w "${EVOACME_VHOST_PATH}" ] || error "File ${EVOACME_VHOST_PATH} is not writable" + + sed -i "s~${search}~${replace}~" "${EVOACME_VHOST_PATH}" + debug "Config in ${EVOACME_VHOST_PATH} has been updated" +fi + +if [ -n "$(pidof nginx)" ]; then + if $(${NGINX_BIN} -t 2> /dev/null); then + debug "Nginx detected... reloading" + service nginx reload + else + error "Nginx config is broken, you must fix it !" + fi +fi + +exit 0 From 34365a145ce57ba5993c0e3058561bbefb514aad Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Thu, 19 Oct 2017 01:39:08 +0200 Subject: [PATCH 141/266] Typo: rename script --- .../{apahe_update_and_reload.sh => apache_update_and_reload.sh} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename evoacme/files/{apahe_update_and_reload.sh => apache_update_and_reload.sh} (100%) diff --git a/evoacme/files/apahe_update_and_reload.sh b/evoacme/files/apache_update_and_reload.sh similarity index 100% rename from evoacme/files/apahe_update_and_reload.sh rename to evoacme/files/apache_update_and_reload.sh From 4d3ed7ed975a28c439ab4e31aa3be82c7ba4086b Mon Sep 17 00:00:00 2001 
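Review bot: The environment checks `[ -z "${EVOACME_VHOST_PATH}"]` / `[ -z "${EVOACME_CERT_PATH}"]` and the later `[ -r "${EVOACME_VHOST_PATH}"]` lack the space before `]` and will abort with "missing ]", and `if ! $(grep -qE "${search}" …)` inverts the condition so the sed runs only when there is no ssl_certificate line to rewrite. Drop the negation and the command substitution: `if grep -qE "${search}" "${EVOACME_VHOST_PATH}"; then`. `sed -i` is also applied before any `nginx -t`, so a bad substitution is only detected after the file has already been changed in place; testing first, or keeping a backup suffix, would make the failure recoverable.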
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Thu, 19 Oct 2017 07:59:43 +0200 Subject: [PATCH 142/266] evoacme: remove a debug statement --- evoacme/files/evoacme.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index cdf41fe1..a623ee7d 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -95,7 +95,6 @@ csr_verify() { main() { [ "$1" = "-h" ] || [ "$1" = "--help" ] && usage && exit 0 # check arguments - echo "1: '$1'" [ "$#" -eq 1 ] || error "invalid argument(s)" [ -w "${SSL_KEY_DIR}" ] || error "Directory ${SSL_KEY_DIR} is not writable" From e47371f3470fedc05812f34570afc2b37056fb96 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 19 Oct 2017 11:05:54 +0200 Subject: [PATCH 143/266] Use bash, for proper readonly/local support "readonly" is a safety bonus, but "local" is really important not to overwrite variables from functions. --- evoacme/files/evoacme.sh | 2 +- evoacme/files/make-csr.sh | 18 ++++++++++-------- evoacme/files/vhost-domains.sh | 2 +- 3 files changed, 12 insertions(+), 10 deletions(-) diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index a623ee7d..c1298211 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # # evoacme is a shell script to manage Let's Encrypt certificate with # certbot tool but with a dedicated user (no-root) and from a csr diff --git a/evoacme/files/make-csr.sh b/evoacme/files/make-csr.sh index 226c4311..62079721 100755 --- a/evoacme/files/make-csr.sh +++ b/evoacme/files/make-csr.sh @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # # make-csr is a shell script designed to automatically generate a # certificate signing request (CSR) from an Apache or a Nginx vhost @@ -135,7 +135,7 @@ make_csr() { local domains=$@ local nb=$# local config_file="/tmp/make-csr-${VHOST}.conf" - local san= + local san="" mkdir -p -m 0755 "${CSR_DIR}" || error "Unable to mkdir ${CSR_DIR}" 
@@ -176,11 +176,11 @@ main() { exit 1 fi # read VHOST from first argument - readonly VHOST="$1" + VHOST="$1" # remove the first argument shift # read domains from remaining arguments - readonly DOMAINS=$@ + DOMAINS=$@ else # We don't have STDIN, so we should have only 1 argument if [ "$#" != 1 ]; then @@ -189,7 +189,7 @@ main() { exit 1 fi # read VHOST from first argument - readonly VHOST="$1" + VHOST="$1" # read domains from input DOMAINS= while read -r line ; do @@ -198,6 +198,8 @@ main() { # trim the string to remove leading/trailing spaces DOMAINS=$(echo "${DOMAINS}" | xargs) fi + readonly VHOST + readonly DOMAINS [ -w "${CSR_DIR}" ] || error "Directory ${CSR_DIR} is not writable" [ -w "${SELF_SIGNED_DIR}" ] || error "Directory ${SELF_SIGNED_DIR} is not writable" @@ -207,9 +209,9 @@ main() { # check for important programs readonly OPENSSL_BIN=$(command -v openssl) || error "openssl command not installed" - SELF_SIGNED_FILE="${SELF_SIGNED_DIR}/${VHOST}.pem" - SSL_KEY_FILE="${SSL_KEY_DIR}/${VHOST}.key" - CSR_FILE="${CSR_DIR}/${VHOST}.csr" + readonly SELF_SIGNED_FILE="${SELF_SIGNED_DIR}/${VHOST}.pem" + readonly SSL_KEY_FILE="${SSL_KEY_DIR}/${VHOST}.key" + readonly CSR_FILE="${CSR_DIR}/${VHOST}.csr" make_key "${SSL_KEY_FILE}" "${SSL_KEY_SIZE}" make_csr ${DOMAINS} diff --git a/evoacme/files/vhost-domains.sh b/evoacme/files/vhost-domains.sh index 33569a80..fd25ce86 100755 --- a/evoacme/files/vhost-domains.sh +++ b/evoacme/files/vhost-domains.sh @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # # make-csr is a shell script designed to automatically generate a # certificate signing request (CSR) from an Apache or a Nginx vhost From 266ac7fc073a406faec0d2456a3ad9194c9f58e6 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 19 Oct 2017 11:07:45 +0200 Subject: [PATCH 144/266] evoacme: create important directories --- evoacme/files/evoacme.sh | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) 
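Review bot: The three new `readonly SELF_SIGNED_FILE=…` / `SSL_KEY_FILE` / `CSR_FILE` lines are fine, but the context line directly above them, `readonly OPENSSL_BIN=$(command -v openssl) || error "openssl command not installed"`, has exactly the readonly semantics this commit is about: the exit status is the builtin's, not the command substitution's, so `|| error` never fires and a missing openssl surfaces later as an obscure failure. Split it: `OPENSSL_BIN=$(command -v openssl) || error "openssl command not installed"` followed by `readonly OPENSSL_BIN`. `DOMAINS=$@` is deliberately unquoted for later word splitting; a short comment saying so would stop someone "fixing" it. main() starts and ends outside this hunk.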
diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index c1298211..7f5eff51 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -98,9 +98,19 @@ main() { [ "$#" -eq 1 ] || error "invalid argument(s)" [ -w "${SSL_KEY_DIR}" ] || error "Directory ${SSL_KEY_DIR} is not writable" + + mkdir -p "${ACME_DIR}" + chown root: "${ACME_DIR}" [ -w "${ACME_DIR}" ] || error "Directory ${ACME_DIR} is not writable" - [ -w "${CSR_DIR}" ] || error "Directory ${CSR_DIR} is not writable" + + [ -d "${CSR_DIR}" ] || error "Directory ${CSR_DIR} is not found" + + mkdir -p "${CRT_DIR}" + chown root: "${CRT_DIR}" [ -w "${CRT_DIR}" ] || error "Directory ${CRT_DIR} is not writable" + + mkdir -p "${LOG_DIR}" + chown root: "${LOG_DIR}" [ -w "${LOG_DIR}" ] || error "Directory ${LOG_DIR} is not writable" [ -w "${SELF_SIGNED_DIR}" ] || error "Directory ${SELF_SIGNED_DIR} is not writable" From 37cd22a4667321f07af046c14932bf06a8d1acba Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 19 Oct 2017 11:08:01 +0200 Subject: [PATCH 145/266] evoacme: remove useless variables --- evoacme/files/evoacme.sh | 3 --- 1 file changed, 3 deletions(-) diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index 7f5eff51..b1fcb27b 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -97,7 +97,6 @@ main() { # check arguments [ "$#" -eq 1 ] || error "invalid argument(s)" - [ -w "${SSL_KEY_DIR}" ] || error "Directory ${SSL_KEY_DIR} is not writable" mkdir -p "${ACME_DIR}" chown root: "${ACME_DIR}" @@ -112,7 +111,6 @@ main() { mkdir -p "${LOG_DIR}" chown root: "${LOG_DIR}" [ -w "${LOG_DIR}" ] || error "Directory ${LOG_DIR} is not writable" - [ -w "${SELF_SIGNED_DIR}" ] || error "Directory ${SELF_SIGNED_DIR} is not writable" readonly VHOST=$(basename "$1" .conf) 
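Review bot: The new `mkdir -p` calls for ACME_DIR, CRT_DIR and LOG_DIR set an owner but no mode, so the umask evoacme happens to run under decides whether /etc/letsencrypt and /var/log/evoacme end up world-readable; make-csr in this series already uses `mkdir -p -m 0755 … || error`, and the same explicit form belongs here. The `[ -w … ]` tests that follow are no longer a real guard: after `chown root:` they pass trivially for root, and if chown fails in a non-root run its error is printed and ignored. Suggest `mkdir -p -m 0750 "${CRT_DIR}" || error "Unable to mkdir ${CRT_DIR}"` for each directory. main() continues outside the hunk.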
@@ -283,7 +281,6 @@ readonly CSR_DIR=${CSR_DIR:-"/etc/ssl/requests"} readonly CRT_DIR=${CRT_DIR:-"/etc/letsencrypt"} readonly LOG_DIR=${LOG_DIR:-"/var/log/evoacme"} readonly SSL_MINDAY=${SSL_MINDAY:-"30"} -readonly SELF_SIGNED_DIR=${SELF_SIGNED_DIR:-"/etc/ssl/self-signed"} readonly SSL_EMAIL=${SSL_EMAIL:-""} main ${ARGS} From d2f86f79503e14eacf6f6973d874d7866e78f88f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 19 Oct 2017 11:08:16 +0200 Subject: [PATCH 146/266] evoacme: check for arguments first --- evoacme/files/evoacme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index b1fcb27b..022f8599 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -93,10 +93,10 @@ csr_verify() { } main() { - [ "$1" = "-h" ] || [ "$1" = "--help" ] && usage && exit 0 # check arguments [ "$#" -eq 1 ] || error "invalid argument(s)" + [ "$1" = "-h" ] || [ "$1" = "--help" ] && usage && exit 0 mkdir -p "${ACME_DIR}" chown root: "${ACME_DIR}" From 1fa4ccc33805ce7853be28a5b43ddacfa5a4fb39 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 19 Oct 2017 11:08:35 +0200 Subject: [PATCH 147/266] make-csr: create important directories --- evoacme/files/make-csr.sh | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/evoacme/files/make-csr.sh b/evoacme/files/make-csr.sh index 62079721..10c0f8e9 100755 --- a/evoacme/files/make-csr.sh +++ b/evoacme/files/make-csr.sh 
@@ -201,9 +201,18 @@ main() { readonly VHOST readonly DOMAINS + mkdir -p "${CSR_DIR}" + chown root: "${CSR_DIR}" [ -w "${CSR_DIR}" ] || error "Directory ${CSR_DIR} is not writable" + + mkdir -p "${SELF_SIGNED_DIR}" + chown root: "${SELF_SIGNED_DIR}" [ -w "${SELF_SIGNED_DIR}" ] || error "Directory ${SELF_SIGNED_DIR} is not writable" + + mkdir -p "${SSL_KEY_DIR}" + chown root: "${SSL_KEY_DIR}" [ -w "${SSL_KEY_DIR}" ] || error "Directory ${SSL_KEY_DIR} is not writable" + [ -r "${SSL_CONFIG_FILE}" ] || error "File ${SSL_CONFIG_FILE} is not readable" # check for important programs From 4d6853f844c98f21130b9a18c52e1d952c4ae2a3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Thu, 19 Oct 2017 22:21:18 +0200 Subject: [PATCH 148/266] evoacme: use hooks after certificate creation --- evoacme/files/apache_update_and_reload.sh | 47 ----------------------- evoacme/files/evoacme.sh | 44 +++++++++++---------- evoacme/files/hooks/reload_apache | 28 ++++++++++++++ evoacme/files/hooks/reload_nginx | 28 ++++++++++++++ evoacme/files/nginx_update_and_reload.sh | 47 ----------------------- 5 files changed, 80 insertions(+), 114 deletions(-) delete mode 100644 evoacme/files/apache_update_and_reload.sh create mode 100755 evoacme/files/hooks/reload_apache create mode 100755 evoacme/files/hooks/reload_nginx delete mode 100644 evoacme/files/nginx_update_and_reload.sh diff --git a/evoacme/files/apache_update_and_reload.sh b/evoacme/files/apache_update_and_reload.sh deleted file mode 100644 index 66b73df1..00000000 --- a/evoacme/files/apache_update_and_reload.sh +++ /dev/null 
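Review bot: `mkdir -p "${SSL_KEY_DIR}"` followed by `chown root:` creates the private-key directory with the caller's umask and no explicit mode, so on a host where it does not yet exist it is typically 0755, and the keys openssl_key writes there inherit a readable mode as well. Create it closed: `mkdir -p -m 0700 "${SSL_KEY_DIR}" || error "Unable to mkdir ${SSL_KEY_DIR}"` (0710 with the group that must read keys if the web server runs unprivileged — not visible here). The same `-m` treatment fits CSR_DIR and SELF_SIGNED_DIR for consistency with the `mkdir -p -m 0755` make_csr already uses. main() continues outside this hunk.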
@@ -1,47 +0,0 @@ -#!/bin/sh - -error() { - >&2 echo "${PROGNAME}: $1" - exit 1 -} -debug() { - if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then - >&2 echo "${PROGNAME}: $1" - fi -} - -readonly PROGNAME=$(basename "$0") - -readonly VERBOSE=${VERBOSE:-"0"} - -if [ -z "${EVOACME_VHOST_PATH}"]; then - error "Missing EVOACME_VHOST_PATH environment variable" -fi -if [ -z "${EVOACME_CERT_PATH}"]; then - error "Missing EVOACME_CERT_PATH environment variable" -fi - -readonly APACHE2CTL_BIN=$(command -v apache2ctl) || error "apache2ctl command not installed" - -[ -r "${EVOACME_VHOST_PATH}"] || error "File ${EVOACME_VHOST_PATH} is not readable" - -local search="^SSLCertificateFile.*$" -local replace="SSLCertificateFile ${EVOACME_VHOST_PATH}" - -if ! $(grep -qE "${search}" "${EVOACME_VHOST_PATH}"); then - [ -w "${EVOACME_VHOST_PATH}" ] || error "File ${EVOACME_VHOST_PATH} is not writable" - - sed -i "s~${search}~${replace}~" "${EVOACME_VHOST_PATH}" - debug "Config in ${EVOACME_VHOST_PATH} has been updated" -fi - -if [ -n "$(pidof apache2)" ]; then - if $(${APACHE2CTL_BIN} -t 2> /dev/null); then - debug "Apache detected... reloading" - service apache2 reload - else - error "Apache config is broken, you must fix it !" - fi -fi - -exit 0 diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index 022f8599..9e971028 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -92,6 +92,20 @@ csr_verify() { "${OPENSSL_BIN}" req -noout -modulus -in "$file" >/dev/null } +exec_hooks() { + local hooks_dir="$1" + + export EVOACME_VHOST_NAME="${VHOST}" + export EVOACME_LIVE_FULLCHAIN="${LIVE_FULLCHAIN}" + + for hook in $(find ${HOOKS_DIR} -type f | grep -v ".disabled$"); do + if [ -x "${hook}" ]; then + debug "Executing ${hook}" + ${hook} + fi + done +} + main() { # check arguments [ "$#" -eq 1 ] || error "invalid argument(s)" 
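Review bot: exec_hooks accepts `hooks_dir` but then iterates `find ${HOOKS_DIR} …`, so the argument is ignored and the unquoted global is word-split; every executable it finds is then run with evoacme's privileges (root, given the `chown root:` calls in main) without checking who owns or can write the file. Iterate the parameter and restrict to depth-one files owned by the running user: `for hook in $(find "${hooks_dir}" -maxdepth 1 -type f ! -name '*.disabled'); do` and `if [ -x "${hook}" ] && [ -O "${hook}" ]; then`. A hook's non-zero exit is also discarded, so a failed reload is silent; log it at least. csr_verify above and main below are outside this hunk.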
@@ -112,6 +126,10 @@ main() { chown root: "${LOG_DIR}" [ -w "${LOG_DIR}" ] || error "Directory ${LOG_DIR} is not writable" + mkdir -p "${HOOKS_DIR}" + chown root: "${HOOKS_DIR}" + [ -d "${HOOKS_DIR}" ] || error "Directory ${HOOKS_DIR} is not found" + readonly VHOST=$(basename "$1" .conf) # check for important programs @@ -239,27 +257,12 @@ main() { # verify final path x509_verify "${LIVE_CERT}" || error "${LIVE_CERT} is invalid" - # update and reload Apache - command -v apache2ctl > /dev/null && sed_cert_path_for_apache "${VHOST}" "${LIVE_FULLCHAIN}" - if [ -n "$(pidof apache2)" ]; then - if $($(command -v apache2ctl) -t 2>/dev/null); then - debug "Apache detected... reloading" - service apache2 reload - else - error "Apache config is broken, you must fix it !" - fi - fi + # update Apache + sed_cert_path_for_apache "${VHOST}" "${LIVE_FULLCHAIN}" + # update Nginx + sed_cert_path_for_nginx "${VHOST}" "${LIVE_FULLCHAIN}" - # update and reload Nginx - command -v nginx > /dev/null && sed_cert_path_for_nginx "${VHOST}" "${LIVE_FULLCHAIN}" - if [ -n "$(pidof nginx)" ]; then - if $($(command -v nginx) -t 2>/dev/null); then - debug "Nginx detected... reloading" - service nginx reload - else - error "Nginx config is broken, you must fix it !" - fi - fi + exec_hooks "${HOOKS_DIR}" } readonly PROGNAME=$(basename "$0") @@ -280,6 +283,7 @@ readonly ACME_DIR=${ACME_DIR:-"/var/lib/letsencrypt"} readonly CSR_DIR=${CSR_DIR:-"/etc/ssl/requests"} readonly CRT_DIR=${CRT_DIR:-"/etc/letsencrypt"} readonly LOG_DIR=${LOG_DIR:-"/var/log/evoacme"} +readonly HOOKS_DIR=${HOOKS_DIR:-"${CRT_DIR}/hooks"} readonly SSL_MINDAY=${SSL_MINDAY:-"30"} readonly SSL_EMAIL=${SSL_EMAIL:-""} diff --git a/evoacme/files/hooks/reload_apache b/evoacme/files/hooks/reload_apache new file mode 100755 index 00000000..2cceb972 --- /dev/null +++ b/evoacme/files/hooks/reload_apache 
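Review bot: The new `mkdir -p "${HOOKS_DIR}"` leaves the directory's mode to the umask and `chown root:` only fixes ownership, yet every executable placed in this directory is later run by the script, so it must not be writable by other users; add `chmod 0700 "${HOOKS_DIR}"` (at minimum `chmod go-w`) next to the `chown`. The `[ -d ]` test immediately after `mkdir -p` only catches a failed mkdir and differs from the `[ -w ]` check used for the other directories a few lines up; `mkdir -p "${HOOKS_DIR}" || error "Cannot create ${HOOKS_DIR}"` followed by the same `[ -w ]` test would be consistent. main() continues outside the hunk.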
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+readonly PROGNAME=$(basename "$0")
+readonly ARGS=$@
+
+readonly VERBOSE=${VERBOSE:-"0"}
+readonly QUIET=${QUIET:-"0"}
+
+error() {
+ >&2 echo "${PROGNAME}: $1"
+ exit 1
+}
+debug() {
+ if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
+ >&2 echo "${PROGNAME}: $1"
+ fi
+}
+
+if [ -n "$(pidof apache2)" ]; then
+ if $($(command -v apache2ctl) -t 2> /dev/null); then
+ debug "Apache detected... reloading"
+ service apache2 reload
+ else
+ error " Apache config is broken, you must fix it !"
+ fi
+else
+ debug "Apache is not running. Skip."
+fi
diff --git a/evoacme/files/hooks/reload_nginx b/evoacme/files/hooks/reload_nginx
new file mode 100755
index 00000000..35db3787
--- /dev/null
+++ b/evoacme/files/hooks/reload_nginx
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+readonly PROGNAME=$(basename "$0")
+readonly ARGS=$@
+
+readonly VERBOSE=${VERBOSE:-"0"}
+readonly QUIET=${QUIET:-"0"}
+
+error() {
+ >&2 echo "${PROGNAME}: $1"
+ exit 1
+}
+debug() {
+ if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
+ >&2 echo "${PROGNAME}: $1"
+ fi
+}
+
+if [ -n "$(pidof nginx)" ]; then
+ if $($(command -v nginx) -t 2> /dev/null); then
+ debug "Nginx detected... reloading"
+ service nginx reload
+ else
+ error "Nginx config is broken, you must fix it !"
+ fi
+else
+ debug "Nginx is not running. Skip."
+fi
diff --git a/evoacme/files/nginx_update_and_reload.sh b/evoacme/files/nginx_update_and_reload.sh
deleted file mode 100644
index 988c7389..00000000
--- a/evoacme/files/nginx_update_and_reload.sh
+++ /dev/null
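Review bot: The test `if $($(command -v apache2ctl) -t 2> /dev/null); then` runs `apache2ctl -t` inside a command substitution and then executes whatever it printed on stdout as a command, relying on the shell rule that an empty command takes the status of the last substitution; if `apache2ctl` is not on PATH the inner substitution is empty and the shell tries to run `-t`, and any future stdout from the tool would be executed. Test the command directly: `if apache2ctl -t > /dev/null 2>&1; then` (the `pidof` guard above already implies Apache is installed). `readonly ARGS=$@` is unquoted and unused, and the error string carries a stray leading space (`" Apache config is broken..."`). The reload_nginx hook added in the same commit uses the identical `$($(...))` construct and should get the same fix.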
@@ -1,47 +0,0 @@ -#!/bin/sh - -error() { - >&2 echo "${PROGNAME}: $1" - exit 1 -} -debug() { - if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then - >&2 echo "${PROGNAME}: $1" - fi -} - -readonly PROGNAME=$(basename "$0") - -readonly VERBOSE=${VERBOSE:-"0"} - -if [ -z "${EVOACME_VHOST_PATH}"]; then - error "Missing EVOACME_VHOST_PATH environment variable" -fi -if [ -z "${EVOACME_CERT_PATH}"]; then - error "Missing EVOACME_CERT_PATH environment variable" -fi - -readonly NGINX_BIN=$(command -v nginx) || error "nginx command not installed" - -[ -r "${EVOACME_VHOST_PATH}"] || error "File ${EVOACME_VHOST_PATH} is not readable" - -readonly search="^ssl_certificate[^_].*$" -readonly replace="ssl_certificate ${EVOACME_CERT_PATH};" - -if ! $(grep -qE "${search}" "${EVOACME_VHOST_PATH}"); then - [ -w "${EVOACME_VHOST_PATH}" ] || error "File ${EVOACME_VHOST_PATH} is not writable" - - sed -i "s~${search}~${replace}~" "${EVOACME_VHOST_PATH}" - debug "Config in ${EVOACME_VHOST_PATH} has been updated" -fi - -if [ -n "$(pidof nginx)" ]; then - if $(${NGINX_BIN} -t 2> /dev/null); then - debug "Nginx detected... reloading" - service nginx reload - else - error "Nginx config is broken, you must fix it !" - fi -fi - -exit 0 From 3d3e45faef61b9baa5b2a475a0475ecf5fdb9c97 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Thu, 19 Oct 2017 23:18:11 +0200 Subject: [PATCH 149/266] evoacme: use local variable --- evoacme/files/evoacme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index 9e971028..d4c3406d 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -98,7 +98,7 @@ exec_hooks() { export EVOACME_VHOST_NAME="${VHOST}" export EVOACME_LIVE_FULLCHAIN="${LIVE_FULLCHAIN}" - for hook in $(find ${HOOKS_DIR} -type f | grep -v ".disabled$"); do + for hook in $(find ${hooks_dir} -type f | grep -v ".disabled$"); do if [ -x "${hook}" ]; then debug "Executing ${hook}" ${hook} 
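Review bot: In the corrected line, `grep -v ".disabled$"` still treats the unquoted `.` as a regex wildcard, so a path ending in e.g. `xdisabled` is excluded as well, and the filter is applied to the full path returned by `find`, not just the file name; `grep -v '\.disabled$'` is the precise form. `${hooks_dir}` should also be quoted in the `find` call now that it is the parameter actually used, otherwise a directory path with whitespace splits into several arguments. exec_hooks's body continues outside the hunk.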
From 1b50dfb0b36fc96299c4b61a85230ae33048e572 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Thu, 19 Oct 2017 23:23:51 +0200 Subject: [PATCH 150/266] evoacme: inline hooks calls + export variables --- evoacme/files/evoacme.sh | 31 ++++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index d4c3406d..b7e5f68c 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -92,20 +92,6 @@ csr_verify() { "${OPENSSL_BIN}" req -noout -modulus -in "$file" >/dev/null } -exec_hooks() { - local hooks_dir="$1" - - export EVOACME_VHOST_NAME="${VHOST}" - export EVOACME_LIVE_FULLCHAIN="${LIVE_FULLCHAIN}" - - for hook in $(find ${hooks_dir} -type f | grep -v ".disabled$"); do - if [ -x "${hook}" ]; then - debug "Executing ${hook}" - ${hook} - fi - done -} - main() { # check arguments [ "$#" -eq 1 ] || error "invalid argument(s)" @@ -262,7 +248,22 @@ main() { # update Nginx sed_cert_path_for_nginx "${VHOST}" "${LIVE_FULLCHAIN}" - exec_hooks "${HOOKS_DIR}" + #### EXECUTE HOOKS + # + # executable scripts placed in ${HOOKS_DIR} + # are executed, unless their name ends with ".disabled" + + export EVOACME_VHOST_NAME="${VHOST}" + export EVOACME_CERT="${LIVE_CERT}" + export EVOACME_CHAIN="${LIVE_CHAIN}" + export EVOACME_FULLCHAIN="${LIVE_FULLCHAIN}" + + for hook in $(find ${HOOKS_DIR} -type f | grep -v ".disabled$"); do + if [ -x "${hook}" ]; then + debug "Executing ${hook}" + ${hook} + fi + done } readonly PROGNAME=$(basename "$0") From 0ed1ca13563558340316a9f4281d3002fbec8e67 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 20 Oct 2017 10:14:46 +0200 Subject: [PATCH 151/266] evoacme: install hooks --- evoacme/defaults/main.yml | 1 + evoacme/tasks/acme.yml | 32 ++++++++++++++++++++++++++++++++ 2 files changed, 33 insertions(+) diff --git a/evoacme/defaults/main.yml b/evoacme/defaults/main.yml index 4194b5aa..3d0842bc 100644 
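Review bot: The inlined loop discards each hook's exit status — `${hook}` is run and the loop simply moves on — so a hook that exits non-zero (the reload hooks do so when the web server's config test fails) leaves evoacme exiting 0 with the old certificate possibly still served. Propagate it: `${hook} || error "Hook ${hook} failed"` restores the previous behaviour, where a broken Apache/Nginx config aborted the run; if the remaining hooks should still execute, record the failure and call `error` after the loop. The exported `EVOACME_VHOST_NAME`/`EVOACME_CERT`/`EVOACME_CHAIN`/`EVOACME_FULLCHAIN` variables are the hooks' only interface but are not described anywhere a hook author would look; listing them in the `#### EXECUTE HOOKS` comment would fix that. `find ${HOOKS_DIR}` and `${hook}` remain unquoted.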
--- a/evoacme/defaults/main.yml +++ b/evoacme/defaults/main.yml @@ -5,6 +5,7 @@ evoacme_dhparam_size: 2048 evoacme_acme_dir: /var/lib/letsencrypt evoacme_csr_dir: /etc/ssl/requests evoacme_crt_dir: /etc/letsencrypt +evoacme_hooks_dir: "{{ evoacme_crt_dir }}/hooks" evoacme_log_dir: /var/log/evoacme evoacme_ssl_minday: 30 evoacme_ssl_ct: 'FR' diff --git a/evoacme/tasks/acme.yml b/evoacme/tasks/acme.yml index e28b3b12..4d8bde73 100644 --- a/evoacme/tasks/acme.yml +++ b/evoacme/tasks/acme.yml @@ -22,6 +22,38 @@ group: acme state: directory +- name: "Fix hooks directory permissions" + file: + path: "{{ evoacme_hooks_dir }}" + mode: "0700" + owner: acme + group: acme + state: directory + +- name: "Search for reload_apache hook" + command: "find {{ evoacme_hooks_dir }} -type f \( -name 'reload_apache' -o -name 'reload_apache.*' \)" + check_mode: no + register: find_apache_hook + +- name: "Copy reload_apache hook if missing" + copy: + src: "hooks/reload_apache" + dest: "{{ evoacme_hooks_dir }}/hooks/reload_apache" + mode: "0750" + when: find_apache_hook.stdout == "" + +- name: "Search for reload_nginx hook" + command: "find {{ evoacme_hooks_dir }} -type f \( -name 'reload_nginx' -o -name 'reload_nginx.*' \)" + check_mode: no + register: find_nginx_hook + +- name: "Copy reload_nginx hook if missing" + copy: + src: "hooks/reload_nginx" + dest: "{{ evoacme_hooks_dir }}/hooks/reload_nginx" + mode: "0750" + when: find_nginx_hook.stdout == "" + - name: Fix log dir's right file: path: "{{ evoacme_log_dir }}" From 8567160596a1f5246c581980206d01dd9747b2a5 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 20 Oct 2017 10:15:12 +0200 Subject: [PATCH 152/266] evoacme: don't execute hooks with dots in file name --- evoacme/files/evoacme.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index b7e5f68c..e095dad2 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh 
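Review bot: The two `copy` tasks set `mode: "0750"` but no `owner`/`group`, so the hook scripts are written as files owned by the Ansible login user (normally root) inside a directory that this same hunk makes `owner: acme`, `mode: "0700"`; which account is meant to execute the hooks is not visible here, but these two settings cannot both be right. If the hooks run with root privileges — the evoacme script chowns these directories, which suggests it runs as root — an `acme`-owned hooks directory lets that account plant code root will execute, so `owner: root`, `group: root` on both the directory and the files is the safer choice. The two `find` tasks are `command` calls without `changed_when: False`, so every run reports two changes and defeats the idempotency test.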
@@ -258,8 +258,10 @@ main() { export EVOACME_CHAIN="${LIVE_CHAIN}" export EVOACME_FULLCHAIN="${LIVE_FULLCHAIN}" - for hook in $(find ${HOOKS_DIR} -type f | grep -v ".disabled$"); do - if [ -x "${hook}" ]; then + # search for files in hooks directory + for hook in $(find ${HOOKS_DIR} -type f); do + # keep only executables files, not containing a "." + if [ -x "${hook}" ] && $(basename "${hook}" | grep -vq .); then debug "Executing ${hook}" ${hook} fi From 172b21b613013bf653152f82b4eb84f81e35a0d5 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 20 Oct 2017 10:25:34 +0200 Subject: [PATCH 153/266] mysql: add more Munin plugins --- mysql/tasks/munin.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/mysql/tasks/munin.yml b/mysql/tasks/munin.yml index 0903def1..52b6eed4 100644 --- a/mysql/tasks/munin.yml +++ b/mysql/tasks/munin.yml @@ -36,18 +36,25 @@ dest: '/etc/munin/plugins/mysql_{{ item }}' state: link with_items: + - commands - connections - files_tables - innodb_bpool - innodb_bpool_act + - innodb_insert_buf - innodb_io + - innodb_io_pend - innodb_log - innodb_rows - innodb_semaphores - myisam_indexes + - network_traffic - qcache - qcache_mem + - select_types + - slow - sorts + - table_locks - tmp_tables notify: restart munin-node From 3d3d4affe1915a289c3fa9470e80e5556c0820eb Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 20 Oct 2017 10:54:35 +0200 Subject: [PATCH 154/266] redmine: use default target instead of multi-user for puma service --- redmine/files/puma.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/redmine/files/puma.service b/redmine/files/puma.service index 65aab8fb..6e993607 100644 --- a/redmine/files/puma.service +++ b/redmine/files/puma.service @@ -13,5 +13,5 @@ KillMode=process #Restart=on-failure [Install] -WantedBy=multi-user.target +WantedBy=default.target Alias=puma.service From e7987d9b99758e1f2dc09fa2fbcee6f2e9f1da60 Mon Sep 17 00:00:00 2001 
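Review bot: The new filter `$(basename "${hook}" | grep -vq .)` has two defects: the unescaped `.` matches any character, so `grep -v .` selects only empty lines and the condition is false for every hook, and wrapping a `-q` pipeline in `$(...)` executes its (empty) stdout as a command instead of testing the pipeline. Write it as a plain pipeline with a fixed-string match, `if [ -x "${hook}" ] && basename "${hook}" | grep -vqF '.'; then`, or without a subprocess, `case "$(basename "${hook}")" in *.*) continue ;; esac` placed before the `if`. A hook skipped by the naming rule produces no output at all; a `debug "Skipping ${hook}"` branch would make the rule discoverable. `find ${HOOKS_DIR}` is still unquoted.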
From: Ludovic Poujol Date: Fri, 20 Oct 2017 11:15:19 +0200 Subject: [PATCH 155/266] postgresql: Add missing package, libdbd-pg-perl needed by munin-plugins --- postgresql/tasks/packages_jessie.yml | 1 + postgresql/tasks/packages_stretch.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/postgresql/tasks/packages_jessie.yml b/postgresql/tasks/packages_jessie.yml index 399a680e..abf0ad08 100644 --- a/postgresql/tasks/packages_jessie.yml +++ b/postgresql/tasks/packages_jessie.yml @@ -9,3 +9,4 @@ with_items: - "postgresql-{{postgresql_version}}" - ptop + - libdbd-pg-perl diff --git a/postgresql/tasks/packages_stretch.yml b/postgresql/tasks/packages_stretch.yml index d3a3e8fe..334a1dff 100644 --- a/postgresql/tasks/packages_stretch.yml +++ b/postgresql/tasks/packages_stretch.yml @@ -6,3 +6,4 @@ with_items: - postgresql - ptop + - libdbd-pg-perl From 0e5396faa7e2c7ae1e31dd4283059f314d92ca90 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 24 Oct 2017 17:37:15 +0200 Subject: [PATCH 156/266] change from CRON to QUIET --- evoacme/files/certbot.cron | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/evoacme/files/certbot.cron b/evoacme/files/certbot.cron index 60007b4c..48289e09 100755 --- a/evoacme/files/certbot.cron +++ b/evoacme/files/certbot.cron @@ -9,8 +9,6 @@ [ -f /etc/default/evoacme ] && . /etc/default/evoacme CRT_DIR="${CRT_DIR:-'/etc/letsencrypt'}" -export CRON=1 - -find "${CRT_DIR}" -maxdepth 1 -mindepth 1 -type d ! -path "*accounts" -exec basename {} \; | while read vhost; do - evoacme "$vhost" +find "${CRT_DIR}" -maxdepth 1 -mindepth 1 -type d ! -path "*accounts" ! -path "*hooks" -exec basename {} \; | while read vhost; do + QUIET=1 evoacme "$vhost" done From 131eac4499e0bcfe57fc2f6f06c9df9621451967 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 24 Oct 2017 17:37:46 +0200 Subject: [PATCH 157/266] Fix: return if file is not readable --- evoacme/files/evoacme.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
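Review bot: The new exclusion `! -path "*hooks"` is a glob over the whole path, so any certificate directory whose name happens to end in `hooks` is silently never renewed, and the existing `"*accounts"` has the same problem. Match the entry exactly instead: `! -name hooks ! -name accounts` (unambiguous with the `-maxdepth 1` already present), or `! -path "${CRT_DIR}/hooks"`. The loop's `read vhost` should be `read -r` so a backslash in a name is not mangled. The context line `CRT_DIR="${CRT_DIR:-'/etc/letsencrypt'}"` keeps the inner single quotes as literal characters under bash (dash strips them), which is worth checking against the script's interpreter, not visible here.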
diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index e095dad2..c840cba2 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -45,7 +45,7 @@ sed_cert_path_for_apache() { local vhost_full_path="/etc/apache2/ssl/${vhost}.conf" local cert_path=$2 - [ ! -r "${vhost_full_path}" ] || return 0 + [ ! -r "${vhost_full_path}" ] && return 0 local search="^SSLCertificateFile.*$" local replace="SSLCertificateFile ${cert_path}" @@ -63,7 +63,7 @@ sed_cert_path_for_nginx() { local vhost_full_path="/etc/nginx/ssl/${vhost}.conf" local cert_path=$2 - [ ! -r "${vhost_full_path}" ] || return 0 + [ ! -r "${vhost_full_path}" ] && return 0 local search="^ssl_certificate[^_].*$" local replace="ssl_certificate ${cert_path};" From 56e5cfc06d2fafedbd74ca707c38318ad7a90cad Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 24 Oct 2017 17:38:05 +0200 Subject: [PATCH 158/266] evoacme: directories must be owned by "acme" --- evoacme/files/evoacme.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index c840cba2..8223392a 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -99,21 +99,21 @@ main() { [ "$1" = "-h" ] || [ "$1" = "--help" ] && usage && exit 0 mkdir -p "${ACME_DIR}" - chown root: "${ACME_DIR}" + chown acme: "${ACME_DIR}" [ -w "${ACME_DIR}" ] || error "Directory ${ACME_DIR} is not writable" [ -d "${CSR_DIR}" ] || error "Directory ${CSR_DIR} is not found" mkdir -p "${CRT_DIR}" - chown root: "${CRT_DIR}" + chown acme: "${CRT_DIR}" [ -w "${CRT_DIR}" ] || error "Directory ${CRT_DIR} is not writable" mkdir -p "${LOG_DIR}" - chown root: "${LOG_DIR}" + chown acme: "${LOG_DIR}" [ -w "${LOG_DIR}" ] || error "Directory ${LOG_DIR} is not writable" mkdir -p "${HOOKS_DIR}" - chown root: "${HOOKS_DIR}" + chown acme: "${HOOKS_DIR}" [ -d "${HOOKS_DIR}" ] || error "Directory ${HOOKS_DIR} is not found" readonly VHOST=$(basename "$1" .conf) 
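Review bot: Switching `${HOOKS_DIR}` to `chown acme:` hands the directory of executables this script later runs to the `acme` account, while the script itself must be running as root to perform these `chown` calls at all; anything running as `acme` (presumably the ACME client, which is network-facing) can then drop a file there and have it executed as root on the next renewal. Keep the hooks directory root-owned and not writable by others — `chown root: "${HOOKS_DIR}"` and `chmod 0700 "${HOOKS_DIR}"` — and restrict the `acme` ownership change to `${ACME_DIR}`, `${CRT_DIR}` and `${LOG_DIR}`. Because `${HOOKS_DIR}` defaults to `${CRT_DIR}/hooks`, a root-owned `hooks` inside an acme-owned `${CRT_DIR}` can still be renamed or replaced by `acme`; either move the hooks outside `${CRT_DIR}` or verify each hook's owner and mode before executing it (that loop is outside this hunk). main() continues outside the hunk.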
From 330d500de64f98964f627788b86743f25fee8c62 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 24 Oct 2017 17:38:59 +0200 Subject: [PATCH 159/266] evoacme: fix hooks execution Disable regex for grep with "-F" --- evoacme/files/evoacme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index 8223392a..e35c97b9 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -261,7 +261,7 @@ main() { # search for files in hooks directory for hook in $(find ${HOOKS_DIR} -type f); do # keep only executables files, not containing a "." - if [ -x "${hook}" ] && $(basename "${hook}" | grep -vq .); then + if [ -x "${hook}" ] && (basename "${hook}" | grep -vqF "."); then debug "Executing ${hook}" ${hook} fi From 608b0a5bbc3f7fb87e8be0cd69fee1956483b0be Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 24 Oct 2017 17:39:32 +0200 Subject: [PATCH 160/266] evoacme: fix hooks tasks --- evoacme/tasks/acme.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/evoacme/tasks/acme.yml b/evoacme/tasks/acme.yml index 4d8bde73..86f6cfcf 100644 --- a/evoacme/tasks/acme.yml +++ b/evoacme/tasks/acme.yml 
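Review bot: With the `-F` fix the filter now works, but `find ${HOOKS_DIR} -type f` still recurses into subdirectories and is unquoted, so a file placed at any depth below the hooks directory is executed and a `${HOOKS_DIR}` containing whitespace splits; add `-maxdepth 1` and quote the path: `for hook in $(find "${HOOKS_DIR}" -maxdepth 1 -type f); do`. Since the `for` still word-splits `find`'s output, a hook name with spaces would be run as two commands; with a single level the loop can be a plain glob, `for hook in "${HOOKS_DIR}"/*; do`, and the `-x` test then also skips directories. main() continues outside the hunk.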
@@ -31,26 +31,26 @@ state: directory - name: "Search for reload_apache hook" - command: "find {{ evoacme_hooks_dir }} -type f \( -name 'reload_apache' -o -name 'reload_apache.*' \)" + command: "find {{ evoacme_hooks_dir }} -type f \\( -name 'reload_apache' -o -name 'reload_apache.*' \\)" check_mode: no register: find_apache_hook - name: "Copy reload_apache hook if missing" copy: src: "hooks/reload_apache" - dest: "{{ evoacme_hooks_dir }}/hooks/reload_apache" + dest: "{{ evoacme_hooks_dir }}/reload_apache" mode: "0750" when: find_apache_hook.stdout == "" - name: "Search for reload_nginx hook" - command: "find {{ evoacme_hooks_dir }} -type f \( -name 'reload_nginx' -o -name 'reload_nginx.*' \)" + command: "find {{ evoacme_hooks_dir }} -type f \\( -name 'reload_nginx' -o -name 'reload_nginx.*' \\)" check_mode: no register: find_nginx_hook - name: "Copy reload_nginx hook if missing" copy: src: "hooks/reload_nginx" - dest: "{{ evoacme_hooks_dir }}/hooks/reload_nginx" + dest: "{{ evoacme_hooks_dir }}/reload_nginx" mode: "0750" when: find_nginx_hook.stdout == "" From 2aa26e2d684f0f6deca1e01d7ed42eedfc6bbb3b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 24 Oct 2017 17:39:49 +0200 Subject: [PATCH 161/266] copy vhosts-domains script --- evoacme/tasks/scripts.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/evoacme/tasks/scripts.yml b/evoacme/tasks/scripts.yml index b1ebe473..77e7b75a 100644 --- a/evoacme/tasks/scripts.yml +++ b/evoacme/tasks/scripts.yml @@ -15,6 +15,14 @@ group: root mode: "0755" +- name: Copy vhost-domains.sh script + copy: + src: vhost-domains.sh + dest: /usr/local/sbin/vhost-domains + owner: root + group: root + mode: "0755" + - name: Copy evoacme script copy: src: evoacme.sh From 95408a240959b2ea4d838aaf9de31bbfe1f775a4 Mon Sep 17 00:00:00 2001 
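Review bot: With the escape and `dest` path corrected, the `copy` tasks still give the hooks no `owner`/`group`, so they land as `0750` files owned by the Ansible login user inside a directory the preceding task (outside this hunk) assigns to `acme`; if evoacme runs as `acme` those files are neither readable nor executable for it, and if it runs as root the directory should not belong to `acme` in the first place. State the executor explicitly, e.g. `owner: root` and `group: root` on the copies, and align the directory task with it. The `find` searches are `command` tasks without `changed_when: False`, so each run reports two spurious changes. The `when: find_apache_hook.stdout == ""` guard means a `reload_apache.disabled` left by an operator keeps the hook from ever being reinstalled — presumably intended, but worth a one-line comment on the task.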
From: Gregory Colpart Date: Tue, 3 Oct 2017 22:58:49 +0200 Subject: [PATCH 162/266] Improve ldap role --- ldap/defaults/main.yml | 3 +- ldap/tasks/main.yml | 64 ++++++++++++++++++++++++++++ ldap/templates/config_ldapvi.j2 | 8 ++++ ldap/templates/first-entries.ldif.j2 | 30 +++++++++++++ ldap/templates/ldapvirc.j2 | 6 +++ 5 files changed, 110 insertions(+), 1 deletion(-) create mode 100644 ldap/templates/config_ldapvi.j2 create mode 100644 ldap/templates/first-entries.ldif.j2 create mode 100644 ldap/templates/ldapvirc.j2 diff --git a/ldap/defaults/main.yml b/ldap/defaults/main.yml index 1e90583f..2f208f98 100644 --- a/ldap/defaults/main.yml +++ b/ldap/defaults/main.yml @@ -1,4 +1,5 @@ --- ldap_domain: "{{ ansible_fqdn }}" ldap_organization: "{{ ansible_domain }}" -#ldap_password=$(apg -n1 -m 12 -c cl_seed) +ldap_suffix: "dc=example,dc=com" +ldap_suffix_dc: "example" diff --git a/ldap/tasks/main.yml b/ldap/tasks/main.yml index c28c01fe..be3a8bd1 100644 --- a/ldap/tasks/main.yml +++ b/ldap/tasks/main.yml 
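Review bot: `ldap_suffix` and `ldap_suffix_dc` default to the `example.com` placeholders while the neighbouring `ldap_domain`/`ldap_organization` are derived from the host, so a playbook that forgets to override them bootstraps a real directory rooted at `dc=example,dc=com` with a matching admin DN, and the tasks key on `/root/.ldapvirc` so it will not be redone. Derive them from the domain instead, e.g. `ldap_suffix: "dc={{ ldap_domain.split('.') | join(',dc=') }}"` and `ldap_suffix_dc: "{{ ldap_domain.split('.')[0] }}"`, or leave them undefined and `fail` early in the tasks when they are missing. The removed `#ldap_password=$(apg ...)` line was the only hint that passwords are generated; a comment here naming the generated accounts (`cn=admin`, `cn=nagios`) would replace it.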
@@ -6,8 +6,72 @@ - slapd - ldap-utils - ldapvi + - shelldap + +- name: "Is /root/.ldapvirc present ?" + stat: + path: /root/.ldapvirc + check_mode: no + register: root_ldapvirc_path - name: apg package is installed apt: name: apg state: present + when: not root_ldapvirc_path.stat.exists + +- name: create a password for cn=admin + command: "apg -n 1 -m 16 -M lcN" + register: ldap_admin_password + changed_when: False + when: not root_ldapvirc_path.stat.exists + +- name: create a password for cn=nagios + command: "apg -n 1 -m 16 -M lcN" + register: ldap_nagios_password + changed_when: False + when: not root_ldapvirc_path.stat.exists + +- name: hash password for cn=admin + command: "slappasswd -s {{ ldap_admin_password.stdout }}" + register: ldap_admin_password_ssha + changed_when: False + when: not root_ldapvirc_path.stat.exists + +- name: hash password for cn=nagios + command: "slappasswd -s {{ ldap_nagios_password.stdout }}" + register: ldap_nagios_password_ssha + changed_when: False + when: not root_ldapvirc_path.stat.exists + +- name: create ldapvirc config + template: + src: ldapvirc.j2 + dest: /root/.ldapvirc + mode: "0640" + when: not root_ldapvirc_path.stat.exists + +- name: upload ldap initial config + template: + src: config_ldapvi.j2 + dest: /root/evolinux_ldap_config.ldapvi + mode: "0640" + when: not root_ldapvirc_path.stat.exists + +- name: upload ldap initial entries + template: + src: first-entries.ldif.j2 + dest: /root/evolinux_ldap_first-entries.ldif + mode: "0640" + when: not root_ldapvirc_path.stat.exists + +- name: inject config + command: ldapvi -Y EXTERNAL -h ldapi:// --ldapmodify /root/evolinux_ldap_config.ldapvi + environment: + TERM: xterm + when: not root_ldapvirc_path.stat.exists + +- name: inject first entries + command: slapadd -l /root/evolinux_ldap_first-entries.ldif + when: not root_ldapvirc_path.stat.exists + diff --git a/ldap/templates/config_ldapvi.j2 b/ldap/templates/config_ldapvi.j2 new file mode 100644 index 00000000..9be8044c 
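Review bot: Both `slappasswd -s {{ ldap_admin_password.stdout }}` tasks put the clear-text password on a command line, where every local user can read it from the process table for the duration of the call, and none of the password-handling tasks carry `no_log: true`, so the generated secrets are also printed in Ansible's output and any `-v` log. Add `no_log: true` to the four `apg`/`slappasswd` tasks and the three `template` tasks that render the secrets, and hand the password to slappasswd through `-T` from a root-only temporary file (mind the trailing newline) rather than as an argument. `/root/.ldapvirc` holds the clear-text admin password yet is written with `mode: "0640"`; `0600` is the appropriate mode, and the same applies to the two rendered LDIF files that carry the hashes. `slapadd` is documented for use while `slapd` is stopped, but the `ldapvi -Y EXTERNAL` step just before needs it running; use `ldapadd -Y EXTERNAL -H ldapi:// -f ...` for the initial entries, or stop slapd around the `slapadd`.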
--- /dev/null +++ b/ldap/templates/config_ldapvi.j2 @@ -0,0 +1,8 @@ +modify: olcDatabase={1}mdb,cn=config +olcSuffix: {{ ldap_suffix }} +olcRootDN: cn=admin,{{ ldap_suffix }} +olcRootPW: {{ ldap_admin_password_ssha.stdout }} +olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break +olcAccess: {1}to attrs=userPassword by self write by anonymous auth by dn="cn=admin,{{ ldap_suffix }}" write by dn="cn=perl,ou=ldapusers,{{ ldap_suffix }}" write by * none +olcAccess: {2}to attrs=shadowLastChange by self write by dn="cn=admin,{{ ldap_suffix }}" write by dn="cn=perl,ou=ldapusers,{{ ldap_suffix }}" write by * read +olcAccess: {3}to * by self write by dn="cn=admin,{{ ldap_suffix }}" write by dn="cn=perl,ou=ldapusers,{{ ldap_suffix }}" write by * read diff --git a/ldap/templates/first-entries.ldif.j2 b/ldap/templates/first-entries.ldif.j2 new file mode 100644 index 00000000..56828636 --- /dev/null +++ b/ldap/templates/first-entries.ldif.j2 @@ -0,0 +1,30 @@ +dn: {{ ldap_suffix }} +objectClass: top +objectClass: dcObject +objectClass: organization +o: {{ ldap_suffix_dc }} +dc: {{ ldap_suffix_dc }} + +dn: cn=admin,{{ ldap_suffix }} +objectClass: simpleSecurityObject +objectClass: organizationalRole +cn: admin +description: LDAP administrator +userPassword: {{ ldap_admin_password_ssha.stdout }} + +dn: ou=ldapusers,{{ ldap_suffix }} +objectClass: top +objectClass: organizationalUnit +ou: ldapusers + +dn: cn=perl,ou=ldapusers,{{ ldap_suffix }} +objectClass: simpleSecurityObject +objectClass: organizationalRole +cn: perl +userPassword: {{ ldap_admin_password_ssha.stdout }} + +dn: cn=nagios,ou=ldapusers,{{ ldap_suffix }} +objectClass: simpleSecurityObject +objectClass: organizationalRole +cn: nagios +userPassword: {{ ldap_nagios_password_ssha.stdout }} diff --git a/ldap/templates/ldapvirc.j2 b/ldap/templates/ldapvirc.j2 new file mode 100644 index 00000000..e61a7524 --- /dev/null +++ b/ldap/templates/ldapvirc.j2 
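Review bot: The catch-all rule `olcAccess: {3}to * ... by * read` grants anonymous read on every attribute not covered by rules `{1}`/`{2}`, which will include whatever account and mail-routing data is later stored in this tree; unless anonymous lookups are a deliberate requirement of the consumers (not visible here), `by users read` or `by * none`, with an explicit anonymous grant only on the attributes that need it, is the safer default. `olcRootPW` is set to the same hash that the sibling first-entries template stores on `cn=admin`, so the one credential exists in two places to rotate; a comment stating which of the two is authoritative would prevent them drifting apart.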
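Review bot: `cn=perl,ou=ldapusers` is created with `userPassword: {{ ldap_admin_password_ssha.stdout }}`, i.e. the same hash as `cn=admin`, while the ACLs in the sibling config template give `cn=perl` write access to `userPassword` and every other attribute; sharing one secret between the administrative account and a service account means the service credential can never be rotated or revoked on its own, and any component holding it holds the admin password. Generate a third password (another `apg` task registering e.g. `ldap_perl_password`, hashed like the others) and render its hash here. `cn=nagios` gets its own password but nothing in this hunk records where it is handed to the monitoring side; a comment in the template saying where it ends up would help the operator.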
@@ -0,0 +1,6 @@
+profile default
+host: ldap://127.0.0.1
+base: {{ ldap_suffix }}
+user: cn=admin,{{ ldap_suffix }}
+bind: simple
+password: {{ ldap_admin_password.stdout }}
From 1d7d45eb44263ba2808d523c03c66c76ac9aa0ab Mon Sep 17 00:00:00 2001
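Review bot: This profile stores the clear-text `cn=admin` password (`password: {{ ldap_admin_password.stdout }}`), and since the `apg` output is only registered and never persisted anywhere else, this file becomes the sole copy of the admin credential; the task that writes it (outside this hunk) uses `mode: "0640"`, which lets members of group `root` read it — `0600` is the right mode, and the file should be kept out of any unencrypted backup. A header comment, e.g. `# cn=admin credentials for ldapvi; generated once by Ansible, the whole LDAP bootstrap re-runs if this file is removed`, would tell an operator why deleting it is not harmless, since the tasks key on its existence. `host: ldap://127.0.0.1` sends the password over loopback without TLS, which is acceptable on the host itself but worth stating in that comment.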
From: Gregory Colpart Date: Tue, 10 Oct 2017 00:03:22 +0200 Subject: [PATCH 163/266] Add dovecot role, evoadmin-mail role and packmail role --- dovecot/.kitchen.yml | 36 +++++ dovecot/README.md | 11 ++ dovecot/defaults/main.yml | 2 + dovecot/files/munin_plugin | 126 ++++++++++++++++++ dovecot/handlers/main.yml | 5 + dovecot/tasks/main.yml | 11 ++ dovecot/tasks/munin.yml | 20 +++ packmail/README.md | 15 +++ packmail/defaults/main.yml | 5 + packmail/files/cn4evolix.ldif | 63 +++++++++ packmail/handlers/main.yml | 10 ++ packmail/tasks/apache.yml | 21 +++ packmail/tasks/main.yml | 46 +++++++ webapps/evoadmin-mail/defaults/main.yml | 23 ++++ webapps/evoadmin-mail/handlers/main.yml | 6 + webapps/evoadmin-mail/tasks/config.yml | 17 +++ webapps/evoadmin-mail/tasks/main.yml | 19 +++ webapps/evoadmin-mail/tasks/packages.yml | 16 +++ .../evoadmin-mail/tasks/remount_usr_rw.yml | 15 +++ webapps/evoadmin-mail/tasks/ssl.yml | 24 ++++ webapps/evoadmin-mail/tasks/user.yml | 67 ++++++++++ webapps/evoadmin-mail/tasks/web.yml | 39 ++++++ .../templates/config.local.php.j2 | 8 ++ .../templates/evoadminmail.conf.j2 | 58 ++++++++ webapps/evoadmin-mail/templates/sudoers.j2 | 3 + .../evoadmin-mail/templates/web-add.conf.j2 | 2 + .../evoadmin-mail/templates/web-mail.tpl.j2 | 86 ++++++++++++ webapps/evoadmin-web/tasks/web.yml | 4 +- 28 files changed, 756 insertions(+), 2 deletions(-) create mode 100644 dovecot/.kitchen.yml create mode 100644 dovecot/README.md create mode 100644 dovecot/defaults/main.yml create mode 100755 dovecot/files/munin_plugin create mode 100644 dovecot/handlers/main.yml create mode 100644 dovecot/tasks/main.yml create mode 100644 dovecot/tasks/munin.yml create mode 100644 packmail/README.md create mode 100644 packmail/defaults/main.yml create mode 100644 packmail/files/cn4evolix.ldif create mode 100644 packmail/handlers/main.yml create mode 100644 packmail/tasks/apache.yml create mode 100644 packmail/tasks/main.yml create mode 100644 
webapps/evoadmin-mail/defaults/main.yml create mode 100644 webapps/evoadmin-mail/handlers/main.yml create mode 100644 webapps/evoadmin-mail/tasks/config.yml create mode 100644 webapps/evoadmin-mail/tasks/main.yml create mode 100644 webapps/evoadmin-mail/tasks/packages.yml create mode 100644 webapps/evoadmin-mail/tasks/remount_usr_rw.yml create mode 100644 webapps/evoadmin-mail/tasks/ssl.yml create mode 100644 webapps/evoadmin-mail/tasks/user.yml create mode 100644 webapps/evoadmin-mail/tasks/web.yml create mode 100644 webapps/evoadmin-mail/templates/config.local.php.j2 create mode 100644 webapps/evoadmin-mail/templates/evoadminmail.conf.j2 create mode 100644 webapps/evoadmin-mail/templates/sudoers.j2 create mode 100644 webapps/evoadmin-mail/templates/web-add.conf.j2 create mode 100644 webapps/evoadmin-mail/templates/web-mail.tpl.j2 diff --git a/dovecot/.kitchen.yml b/dovecot/.kitchen.yml new file mode 100644 index 00000000..687c2033 --- /dev/null +++ b/dovecot/.kitchen.yml @@ -0,0 +1,36 @@ +--- +driver: + name: docker + privileged: true + use_sudo: false + +provisioner: + name: ansible_playbook + hosts: test-kitchen + roles_path: ../ + ansible_verbose: true + require_ansible_source: false + require_chef_for_busser: false + idempotency_test: true + +platforms: + - name: debian + driver_config: + image: evolix/ansible:2.2.1 + +verifier: + name: serverspec + +suites: + - name: default + provisioner: + name: ansible_playbook + playbook: ./tests/test.yml + verifier: + patterns: + - nginx/tests/spec/memcached_spec.rb + bundler_path: '/usr/local/bin' + rspec_path: '/usr/local/bin' + +transport: + max_ssh_sessions: 6 diff --git a/dovecot/README.md b/dovecot/README.md new file mode 100644 index 00000000..736b95dc --- /dev/null +++ b/dovecot/README.md 
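Review bot: The verifier pattern `nginx/tests/spec/memcached_spec.rb` under the `default` suite points at another role's spec file, so this suite would run (or fail to locate) nginx's memcached tests rather than anything about dovecot — it looks copied from a template. Point it at a spec for this role, e.g. `dovecot/tests/spec/dovecot_spec.rb`, and add that file together with the `tests/test.yml` playbook the provisioner references, neither of which is part of this commit. `privileged: true` gives the test container full host capabilities; if it is only needed for service management under systemd, a comment saying so keeps it from being copied into roles that do not need it.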
@@ -0,0 +1,11 @@ +# Dovecot + +Installation and basic configuration of dovecot + +## Tasks + +Minimal configuration is in `tasks/main.yml` + +## Available variables + +The full list of variables (with default values) can be found in `defaults/main.yml`. diff --git a/dovecot/defaults/main.yml b/dovecot/defaults/main.yml new file mode 100644 index 00000000..884bc1ca --- /dev/null +++ b/dovecot/defaults/main.yml @@ -0,0 +1,2 @@ +--- +dovecot_foo: bar diff --git a/dovecot/files/munin_plugin b/dovecot/files/munin_plugin new file mode 100755 index 00000000..e5a6d1d1 --- /dev/null +++ b/dovecot/files/munin_plugin 
@@ -0,0 +1,126 @@ +#! /bin/bash +# +# Munin Plugin +# to count logins to your dovecot mailserver +# +# Created by Dominik Schulz +# http://developer.gauner.org/munin/ +# Contributions by: +# - Stephane Enten +# - Steve Schnepp +# +# Parameters understood: +# +# config (required) +# autoconf (optional - used by munin-config) +# +# Config variables: +# +# logfile - Where to find the syslog file +# +# Add the following line to a file in /etc/munin/plugin-conf.d: +# env.logfile /var/log/your/logfile.log +# +# Magic markers (optional - used by munin-config and installation scripts): +# +#%# family=auto +#%# capabilities=autoconf + +###################### +# Configuration +###################### +EXPR_BIN=/usr/bin/expr +LOGFILE=${logfile:-/var/log/mail.log} +###################### + +if [ "$1" = "autoconf" ]; then + echo yes + exit 0 +fi + +if [ "$1" = "config" ]; then + echo 'graph_title Dovecot Logins' + echo 'graph_category Mail' + echo 'graph_args --base 1000 -l 0' + echo 'graph_vlabel Login Counters' + + for t in Total TLS SSL IMAP POP3 + do + field=$(echo $t | tr '[:upper:]' '[:lower:]') + echo "login_$field.label $t Logins" + echo "login_$field.type DERIVE" + echo "login_$field.min 0" + done + + echo 'connected.label Connected Users' + + exit 0 +fi + +###################### +# Total Logins +###################### +echo -en "login_total.value " +VALUE=$(egrep -c '[dovecot]?.*Login' $LOGFILE) +if [ ! -z "$VALUE" ]; then + echo "$VALUE" +else + echo "0" +fi +echo -n +###################### +# Connected Users +###################### +DISCONNECTS=$(egrep -c '[dovecot]?.*Disconnected' $LOGFILE) +CONNECTS=$(egrep -c '[dovecot]?.*Login' $LOGFILE) +VALUE=$($EXPR_BIN $CONNECTS - $DISCONNECTS) +if [ -z "$VALUE" ] || [ "$VALUE" -lt 0 ]; then + VALUE=0 +fi +echo -en "connected.value " +echo $VALUE +echo -n +###################### +# TLS Logins +###################### +echo -en "login_tls.value " +VALUE=$(egrep -c '[dovecot]?.*Login.*TLS' $LOGFILE) +if [ ! 
-z "$VALUE" ]; then + echo "$VALUE" +else + echo "0" +fi +echo -n +###################### +# SSL Logins +###################### +echo -en "login_ssl.value " +VALUE=$(egrep -c '[dovecot]?.*Login.*SSL' $LOGFILE) +if [ ! -z "$VALUE" ]; then + echo "$VALUE" +else + echo "0" +fi +echo -n +###################### +# IMAP Logins +###################### +echo -en "login_imap.value " +VALUE=$(egrep -c '[dovecot]?.*imap.*Login' $LOGFILE) +if [ ! -z "$VALUE" ]; then + echo "$VALUE" +else + echo "0" +fi +echo -n +###################### +# POP3 Logins +###################### +echo -en "login_pop3.value " +VALUE=$(egrep -c '[dovecot]?.*pop3.*Login' $LOGFILE) +if [ ! -z "$VALUE" ]; then + echo "$VALUE" +else + echo "0" +fi +echo -n diff --git a/dovecot/handlers/main.yml b/dovecot/handlers/main.yml new file mode 100644 index 00000000..0ea64b61 --- /dev/null +++ b/dovecot/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: restart dovecot + service: + name: dovecot + state: restarted diff --git a/dovecot/tasks/main.yml b/dovecot/tasks/main.yml new file mode 100644 index 00000000..8909aea6 --- /dev/null +++ b/dovecot/tasks/main.yml @@ -0,0 +1,11 @@ +- name: ensure packages are installed + apt: + name: '{{ item }}' + state: present + with_items: + - dovecot-ldap + - dovecot-imapd + - dovecot-pop3d + - dovecot-sieve + +- include: munin.yml diff --git a/dovecot/tasks/munin.yml b/dovecot/tasks/munin.yml new file mode 100644 index 00000000..7f5003f0 --- /dev/null +++ b/dovecot/tasks/munin.yml @@ -0,0 +1,20 @@ +--- + +- name: is Munin present ? + stat: + path: /etc/munin/plugin-conf.d/munin-node + check_mode: no + register: munin_node_plugins_config + +- block: + - name: Install munin plugin + copy: + src: munin_plugin + dest: /etc/munin/plugins/dovecot + mode: "0755" + +# TODO : add in /etc/munin/plugin-conf.d/munin-node +# [dovecot] +# group adm + + when: munin_node_plugins_config.stat.exists diff --git a/packmail/README.md b/packmail/README.md new file mode 100644 index 00000000..f4cbbee3 
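Review bot: Every counter uses a pattern of the form `'[dovecot]?.*Login'`, where `[dovecot]?` is a bracket expression (one optional character from the set d,o,v,e,c,t), not the literal text `dovecot`, so the plugin counts any line in `$LOGFILE` containing `Login`, `Disconnected` and so on, whichever service logged it. Match the daemon name literally, e.g. `egrep -c 'dovecot.*Login' "$LOGFILE"`, and quote `$LOGFILE` in all seven calls so a configured path with spaces does not split. `connected.value` is total logins minus disconnects over the whole file, which jumps to a meaningless value at every log rotation; if the gauge is kept, the header comment should say it is approximate. The unconditional `echo yes` for `autoconf` also claims success when `$LOGFILE` is unreadable; `[ -r "$LOGFILE" ] && echo yes || echo "no (cannot read $LOGFILE)"` is the usual form.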
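Review bot: The plugin is installed but the `TODO` about `/etc/munin/plugin-conf.d/munin-node` is left undone, and without `group adm` munin-node runs the plugin as its default unprivileged user, which typically cannot open `/var/log/mail.log` (root:adm, 0640 on Debian); `egrep -c` then prints nothing on stdout, the `[ ! -z "$VALUE" ]` fallbacks in the plugin emit `0`, and the graph flat-lines without any error. Write the stanza in the same `block` and notify `restart munin-node` so the change takes effect; the handler named `restart dovecot` added in this commit is not the right one for that.
```yaml
  - name: Let the dovecot plugin read the mail log
    blockinfile:
      dest: /etc/munin/plugin-conf.d/munin-node
      marker: "# {mark} ANSIBLE MANAGED dovecot plugin"
      block: |
        [dovecot]
        group adm
    notify: restart munin-node
  # … unchanged: "Install munin plugin" copy task …
```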
--- /dev/null +++ b/packmail/README.md @@ -0,0 +1,15 @@ +# packmail + +Install the mail pack, with Postfix/Dovecot/LDAP/evoadmin-mail. + +## Tasks + +See `tasks/main.yml`. + +## Available variables + +Main variables are : + +* `packmail_enable_evoadmin_vhost` : enable VirtualHost for evoadmin (web interface to create mail accounts) + +The full list of variables (with default values) can be found in `defaults/main.yml`. diff --git a/packmail/defaults/main.yml b/packmail/defaults/main.yml new file mode 100644 index 00000000..fc1d2a9f --- /dev/null +++ b/packmail/defaults/main.yml @@ -0,0 +1,5 @@ +--- +# defaults file for packmail +general_alert_email: "root@localhost" + +packmail_enable_evoadmin_vhost: True diff --git a/packmail/files/cn4evolix.ldif b/packmail/files/cn4evolix.ldif new file mode 100644 index 00000000..d92d0414 --- /dev/null +++ b/packmail/files/cn4evolix.ldif 
@@ -0,0 +1,63 @@
+dn: cn={4}evolix,cn=config
+objectClass: olcSchemaConfig
+cn: {4}evolix
+olcAttributeTypes: {0}( 1.3.6.1.4.1.24331.22.1.1 NAME 'maildrop' DESC 'mail fo
+ rward' SUP mail )
+olcAttributeTypes: {1}( 1.3.6.1.4.1.24331.22.1.2 NAME 'mailacceptinggeneralid'
+ DESC 'mail alias' SUP mail )
+olcAttributeTypes: {2}( 1.3.6.1.4.1.24331.22.1.3 NAME 'isActive' DESC 'boolean
+ to verify an global account is active or not' EQUALITY booleanMatch SYNTAX 1
+ .3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+olcAttributeTypes: {3}( 1.3.6.1.4.1.24331.22.1.4 NAME 'accountActive' DESC 'bo
+ olean to verify if an mail account is active' EQUALITY booleanMatch SYNTAX 1.
+ 3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+olcAttributeTypes: {4}( 1.3.6.1.4.1.24331.22.1.5 NAME 'authsmtpActive' DESC 'b
+ oolean to verify if SMTP-AUTH is enabled for entry' EQUALITY booleanMatch SYN
+ TAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+olcAttributeTypes: {5}( 1.3.6.1.4.1.24331.22.1.6 NAME 'courierActive' DESC 'bo
+ olean to verify if Courier POP/IMAP is enabled for entry' EQUALITY booleanMat
+ ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+olcAttributeTypes: {6}( 1.3.6.1.4.1.24331.22.1.7 NAME 'webmailActive' DESC 'bo
+ olean to verify if webmail is enabled for entry' EQUALITY booleanMatch SYNTAX
+ 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+olcAttributeTypes: {7}( 1.3.6.1.4.1.24331.22.1.8 NAME 'isAdmin' DESC 'boolean
+ to verify if entry is admin for entry' EQUALITY booleanMatch SYNTAX 1.3.6.1.4
+ .1.1466.115.121.1.7 SINGLE-VALUE )
+olcAttributeTypes: {8}( 1.3.6.1.4.1.24331.22.1.9 NAME 'postfixTransport' DESC
+ 'transport for Postfix' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.11
+ 5.121.1.26{20} SINGLE-VALUE )
+olcAttributeTypes: {9}( 1.3.6.1.4.1.24331.22.1.10 NAME 'domain' DESC 'Postfix
+ domain' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTA
+ X 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {10}( 1.3.6.1.4.1.24331.22.1.11 NAME 
'quota' DESC 'Courier
+ maildir quota' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.
+ 26 SINGLE-VALUE )
+olcAttributeTypes: {11}( 1.3.6.1.4.1.24331.22.1.16 NAME 'vacationActive' DESC
+ 'A flag, for marking the user as being away' EQUALITY booleanMatch SYNTAX 1.3
+ .6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+olcAttributeTypes: {12}( 1.3.6.1.4.1.24331.22.1.17 NAME 'vacationInfo' DESC 'A
+ bsentee note to leave behind, while on vacation' EQUALITY octetStringMatch SY
+ NTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
+olcAttributeTypes: {13}( 1.3.6.1.4.1.24331.22.1.18 NAME 'vacationStart' DESC '
+ Beginning of vacation' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.
+ 121.1.40 SINGLE-VALUE )
+olcAttributeTypes: {14}( 1.3.6.1.4.1.24331.22.1.19 NAME 'vacationEnd' DESC 'En
+ d of vacation' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
+ SINGLE-VALUE )
+olcAttributeTypes: {15}( 1.3.6.1.4.1.24331.22.1.20 NAME 'vacationForward' DESC
+ 'Where to forward mails to, while on vacation' EQUALITY caseIgnoreIA5Match S
+ UBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256}
+ )
+olcAttributeTypes: {16}( 1.3.6.1.4.1.24331.22.1.21 NAME 'smbActive' DESC 'bool
+ ean to verify if an Samba account is active' EQUALITY booleanMatch SYNTAX 1.3
+ .6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+olcObjectClasses: {0}( 1.3.6.1.4.1.24331.22.2.1 NAME 'mailAccount' DESC 'LDAP/
+ Unix mail account or virtual account' SUP top AUXILIARY MUST ( uid $ mailacce
+ ptinggeneralid ) MAY ( accountActive $ authsmtpActive $ quota $ isActive $ co
+ urierActive $ webmailActive $ isAdmin $ vacationActive $ vacationInfo $ vacat
+ ionStart $ vacationEnd $ vacationForward $ maildrop ) )
+olcObjectClasses: {1}( 1.3.6.1.4.1.24331.22.2.2 NAME 'mailAlias' DESC 'Mail al
+ iasing/forwarding entry' SUP top STRUCTURAL MUST ( mailacceptinggeneralid $ m
+ aildrop ) MAY ( cn $ isActive ) )
+olcObjectClasses: {2}( 1.3.6.1.4.1.24331.22.2.4 NAME 'postfixDomain' DESC 'Pos
+ 
tfix domain' SUP posixGroup STRUCTURAL MAY ( postfixTransport $ isActive ) )
diff --git a/packmail/handlers/main.yml b/packmail/handlers/main.yml
new file mode 100644
index 00000000..92228e1c
--- /dev/null
+++ b/packmail/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: restart postfix
+ service:
+ name: postfix
+ state: restarted
+
+- name: restart dovecot
+ service:
+ name: dovecot
+ state: restarted
diff --git a/packmail/tasks/apache.yml b/packmail/tasks/apache.yml
new file mode 100644
index 00000000..aebae199
--- /dev/null
+++ b/packmail/tasks/apache.yml
@@ -0,0 +1,21 @@
+---
+
+- name: Additional packages are installed
+ apt:
+ name: '{{ item }}'
+ state: present
+ with_items:
+ - libapache2-mod-security2
+ - modsecurity-crs
+ - apg
+
+- name: Additional modules are enabled
+ apache2_module:
+ name: '{{ item }}'
+ state: present
+ with_items:
+ - ssl
+ - include
+ - negotiation
+ - alias
+
diff --git a/packmail/tasks/main.yml b/packmail/tasks/main.yml
new file mode 100644
index 00000000..24543d19
--- /dev/null
+++ b/packmail/tasks/main.yml
@@ -0,0 +1,46 @@
+---
+
+- fail:
+ msg: only compatible with Debian >= 9
+ when:
+ - ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('9', '<')
+
+- name: Include ldap role
+ include_role:
+ name: ldap
+
+- name: upload evolix schema
+ copy:
+ src: cn4evolix.ldif
+ dest: /root/cn4evolix.ldif
+ mode: "0640"
+
+- name: inject evolix schema
+ command: ldapadd -Y EXTERNAL -H ldapi:/// -f /root/cn4evolix.ldif
+
+- name: Include postfix role
+ include_role:
+ name: postfix
+
+- name: Include dovecot role
+ include_role:
+ name: dovecot
+
+- name: Include apache role
+ include_role:
+ name: apache
+
+- name: Include PHP role
+ include_role:
+ name: php
+ vars:
+ php_apache_enable: True
+
+- include: apache.yml
+
+- name: Install Evoadmin
+ include_role:
+ name: webapps/evoadmin-mail
+ vars:
+ evoadminmail_enable_vhost: '{{ packmail_enable_evoadmin_vhost }}'
+
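Review bot: `inject evolix schema` runs `ldapadd -Y EXTERNAL -H ldapi:/// -f /root/cn4evolix.ldif` unconditionally, so the second run of the role fails once the `cn={4}evolix` entry already exists in the config database; the `inject custom schema` task added to ldap/tasks/main.yml later in this chunk has the same shape. Guard it with a registered `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config` lookup (`changed_when: False`, `check_mode: no`) and a `when:` on its output, or at least `register` the `ldapadd` result and use `failed_when` to accept the already-exists outcome, so the play stays idempotent. A one-line comment above the task saying that the LDIF is loaded once and never updated in place would also save the next reader from expecting schema changes to propagate on re-run.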
diff --git a/webapps/evoadmin-mail/defaults/main.yml b/webapps/evoadmin-mail/defaults/main.yml
new file mode 100644
index 00000000..000be699
--- /dev/null
+++ b/webapps/evoadmin-mail/defaults/main.yml
@@ -0,0 +1,23 @@
+---
+general_alert_email: "root@localhost"
+evoadminmail_contact_email: Null
+evoadminmail_bounce_email: "{{ evoadminmail_contact_email }}"
+
+evoadminmail_username: evoadmin-mail
+evoadminmail_home_dir: "/home/{{ evoadminmail_username }}"
+evoadminmail_document_root: "{{ evoadminmail_home_dir }}/www"
+evoadminmail_log_dir: "{{ evoadminmail_home_dir }}/log"
+evoadminmail_scripts_dir: /usr/share/scripts/
+evoadminmail_host: "evoadminmail.{{ ansible_fqdn }}"
+
+evoadminmail_enable_vhost: True
+
+evoadminmail_tpl_servername: "{{ ansible_fqdn }}"
+evoadminmail_tpl_address: "{{ ansible_default_ipv4.address }}"
+evoadminmail_tpl_phpmyadmin_url: Null
+evoadminmail_tpl_cgi_suffix: Null
+evoadminmail_tpl_signature: evoadmin
+evoadminmail_tpl_mail_from: root@localhost
+evoadminmail_tpl_mail_bcc: Null
+evoadminmail_tpl_mail_standard: "{{ general_alert_email }}"
+evoadminmail_tpl_mail_urgent: "{{ general_alert_email }}"
diff --git a/webapps/evoadmin-mail/handlers/main.yml b/webapps/evoadmin-mail/handlers/main.yml
new file mode 100644
index 00000000..c4cdb576
--- /dev/null
+++ b/webapps/evoadmin-mail/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+
+- name: reload apache2
+ service:
+ name: apache2
+ state: reloaded
diff --git a/webapps/evoadmin-mail/tasks/config.yml b/webapps/evoadmin-mail/tasks/config.yml
new file mode 100644
index 00000000..00e342f3
--- /dev/null
+++ b/webapps/evoadmin-mail/tasks/config.yml
@@ -0,0 +1,17 @@
+---
+
+- name: "Create /etc/evolinux"
+ file:
+ dest: "/etc/evolinux"
+ recurse: yes
+ state: directory
+
+#- name: Configure web-add config file
+# template:
+# src: web-add.conf.j2
+# dest: /etc/evolinux/web-add.conf
+#
+#- name: Configure web-add template file for mail
+# template:
+# src: web-mail.tpl.j2
+# dest: "{{ evoadminmail_scripts_dir }}/web-mail.tpl"
diff --git a/webapps/evoadmin-mail/tasks/main.yml b/webapps/evoadmin-mail/tasks/main.yml
new file mode 100644
index 00000000..f5e84d0b
--- /dev/null
+++ b/webapps/evoadmin-mail/tasks/main.yml
@@ -0,0 +1,19 @@
+---
+
+- include: packages.yml
+
+- include: user.yml
+
+- include: config.yml
+
+- include: ssl.yml
+
+- include: web.yml
+
+- name: enable evoadmin-mail link in default site index
+ blockinfile:
+ dest: /var/www/index.html
+ marker: ""
+ block: |
+
  • Interface admin mail (EvoAdmin-mail)
  • +
diff --git a/webapps/evoadmin-mail/tasks/packages.yml b/webapps/evoadmin-mail/tasks/packages.yml
new file mode 100644
index 00000000..ea9b176e
--- /dev/null
+++ b/webapps/evoadmin-mail/tasks/packages.yml
@@ -0,0 +1,16 @@
+---
+
+- include_role:
+ name: apt
+ tasks_from: evolix_public.yml
+
+- meta: flush_handlers
+
+- name: Install PHP packages
+ apt:
+ name: '{{ item }}'
+ state: present
+ with_items:
+ - php-pear
+ - php-log
+ - php-crypt-chap
diff --git a/webapps/evoadmin-mail/tasks/remount_usr_rw.yml b/webapps/evoadmin-mail/tasks/remount_usr_rw.yml
new file mode 100644
index 00000000..8c51aee2
--- /dev/null
+++ b/webapps/evoadmin-mail/tasks/remount_usr_rw.yml
@@ -0,0 +1,15 @@
+---
+- name: Get mount options for partitions
+ shell: "mount | grep 'on /usr type'"
+ args:
+ warn: no
+ register: mount
+ changed_when: False
+ failed_when: False
+ when: not ansible_check_mode
+
+- name: Remount /usr if it is a partition and it is not mounted in rw
+ command: "mount -o remount,rw /usr"
+ when: mount.rc == 0 and not mount.stdout_lines.0 | search("rw")
+ args:
+ warn: no
diff --git a/webapps/evoadmin-mail/tasks/ssl.yml b/webapps/evoadmin-mail/tasks/ssl.yml
new file mode 100644
index 00000000..3dd91590
--- /dev/null
+++ b/webapps/evoadmin-mail/tasks/ssl.yml
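Review bot: In remount_usr_rw.yml the `Get mount options for partitions` task is skipped under `when: not ansible_check_mode`, so in check mode `mount.rc` is undefined and the `when:` of `Remount /usr ...` raises a template error instead of skipping; prefix that condition with `not ansible_check_mode and` or test `mount.rc is defined and mount.rc == 0 and ...`. Nothing remounts `/usr` read-only again once the scripts directory has been created, so a host that deliberately keeps `/usr` read-only is left read-write by this role; a follow-up task doing `mount -o remount,ro /usr` when the first check found it `ro` would restore that hardening. `register: mount` also shadows the module name, which reads oddly in the second task's condition — `register: usr_mount` or similar is clearer.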
@@ -0,0 +1,24 @@
+---
+
+
+- name: ssl-cert package is installed
+ apt:
+ name: ssl-cert
+ state: present
+
+- name: Create private key and csr for default site ({{ ansible_fqdn }})
+ command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ evoadminmail_host }}.key -out /etc/ssl/{{ evoadminmail_host }}.csr -batch -subj "/CN={{ evoadminmail_host }}"
+ args:
+ creates: "/etc/ssl/private/{{ evoadminmail_host }}.key"
+
+- name: Adjust rights on private key
+ file:
+ path: /etc/ssl/private/{{ evoadminmail_host }}.key
+ owner: root
+ group: ssl-cert
+ mode: "0640"
+
+- name: Create certificate for default site
+ command: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ evoadminmail_host }}.csr -signkey /etc/ssl/private/{{ evoadminmail_host }}.key -out /etc/ssl/certs/{{ evoadminmail_host }}.crt
+ args:
+ creates: "/etc/ssl/certs/{{ evoadminmail_host }}.crt"
diff --git a/webapps/evoadmin-mail/tasks/user.yml b/webapps/evoadmin-mail/tasks/user.yml
new file mode 100644
index 00000000..67b2fdcd
--- /dev/null
+++ b/webapps/evoadmin-mail/tasks/user.yml
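Review bot: The task named `Create private key and csr for default site ({{ ansible_fqdn }})` actually generates a key for `{{ evoadminmail_host }}`, so the play output names the wrong host; rename it to `Create private key and csr for {{ evoadminmail_host }}` (and the CSR could live under a subdirectory rather than directly in `/etc/ssl/`). The `Adjust rights on private key` task only tightens the key to `0640` root:ssl-cert after `openssl req` has written it under the process umask, so if that umask leaves the file group- or world-readable there is a short window between the two tasks; running the command with a `umask 077 &&` prefix via `shell`, or confirming that the target's openssl creates the key `0600` itself, closes it. Because of `creates:` the `-days 3650` self-signed certificate is made once and never rotated; a comment marking it as a bootstrap certificate to be replaced by a real one would help operators.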
@@ -0,0 +1,67 @@
+---
+
+- name: Create evoadmin account
+ user:
+ name: "{{ evoadminmail_username }}"
+ comment: "Evoadmin Web Account"
+ home: "{{ evoadminmail_home_dir}}"
+ password: "!"
+
+- name: Create log/ directory
+ file:
+ path: "{{ evoadminmail_home_dir}}/log"
+ state: directory
+ owner: "{{ evoadminmail_username }}"
+ group: "{{ evoadminmail_username }}"
+ mode: "0750"
+
+- name: Create www-evoadminmail group
+ group:
+ name: "www-{{ evoadminmail_username }}"
+ state: present
+
+- name: "Create www-evoadmin (Debian 9 or later)"
+ user:
+ name: "www-{{ evoadminmail_username }}"
+ when: ansible_distribution_major_version | version_compare('9', '>=')
+
+- name: Install Git
+ apt:
+ name: git
+ state: present
+
+- name: "Clone evoadmin repository (Debian 9 or later)"
+ git:
+ repo: https://forge.evolix.org/evoadmin-mail.git
+ dest: "{{ evoadminmail_document_root}}"
+ version: master
+ update: yes
+ # Warning: Need sudo!
+ become_user: "{{ evoadminmail_username }}"
+ when: ansible_distribution_major_version | version_compare('9', '>=')
+
+- include: remount_usr_rw.yml
+ when: evoadminmail_scripts_dir | search ("/usr")
+
+- name: "Create {{ evoadminmail_scripts_dir }}"
+ file:
+ dest: "{{ evoadminmail_scripts_dir }}"
+ # recurse: yes
+ mode: "0700"
+ state: directory
+
+# we use a shell command to have a "changed" thet really reflects the result.
+- name: Fix permissions
+ shell: "chmod -R --verbose u=rwX,g=rX,o= {{ item }}"
+ register: command_result
+ changed_when: "'changed' in command_result.stdout"
+ # failed_when: False
+ with_items:
+ - "{{ evoadminmail_home_dir}}/www"
+
+#- name: Add evoadmin sudoers file
+# template:
+# src: sudoers.j2
+# dest: /etc/sudoers.d/evoadmin
+# mode: "0600"
+# validate: "visudo -cf %s"
diff --git a/webapps/evoadmin-mail/tasks/web.yml b/webapps/evoadmin-mail/tasks/web.yml
new file mode 100644
index 00000000..95eabe1d
--- /dev/null
+++ b/webapps/evoadmin-mail/tasks/web.yml
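Review bot: `Clone evoadmin repository` checks out `version: master` with `update: yes`, so every playbook run pulls whatever is currently on the upstream branch of `https://forge.evolix.org/evoadmin-mail.git` into the web root — an unreviewed upstream commit is deployed automatically on the next run. Pin the checkout through a role variable, e.g. `evoadminmail_repo_version: master` in defaults/main.yml and `version: "{{ evoadminmail_repo_version }}"` here, so production inventories can set a tag or commit hash while development keeps tracking the branch. The comment above `Fix permissions` reads `thet really reflects` and should say `that`.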
@@ -0,0 +1,39 @@
+---
+
+- name: "Set custom values for PHP config (Debian 9 or later)"
+ ini_file:
+ dest: /etc/php/7.0/apache2/conf.d/zzz-evolinux-custom.ini
+ section: PHP
+ option: "disable_functions"
+ value: "shell-exec,system,passthru,putenv,popen,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority"
+ notify: reload apache2
+ when: ansible_distribution_major_version | version_compare('9', '>=')
+
+- name: Install evoadminmail VHost
+ template:
+ src: evoadminmail.conf.j2
+ dest: /etc/apache2/sites-available/evoadminmail.conf
+ notify: reload apache2
+
+- name: Enable evoadminmail vhost
+ command: "a2ensite evoadminmail.conf"
+ register: cmd_a2ensite
+ changed_when: "'Enabling site' in cmd_a2ensite.stdout"
+ notify: reload apache2
+ when: evoadminmail_enable_vhost
+
+- name: Disable evoadminmail vhost
+ command: "a2dissite evoadminmail.conf"
+ register: cmd_a2dissite
+ changed_when: "'Disabling site' in cmd_a2dissite.stdout"
+ notify: reload apache2
+ when: not evoadminmail_enable_vhost
+
+#- name: Copy config file for evoadmin
+# template:
+# src: config.local.php.j2
+# dest: "{{ evoadminmail_document_root}}/conf/config.local.php"
+# mode: "0644"
+# owner: evoadmin
+# group: evoadmin
+# force: no
diff --git a/webapps/evoadmin-mail/templates/config.local.php.j2 b/webapps/evoadmin-mail/templates/config.local.php.j2
new file mode 100644
index 00000000..3e159bcd
--- /dev/null
+++ b/webapps/evoadmin-mail/templates/config.local.php.j2
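Review bot: The `disable_functions` value in `Set custom values for PHP config` begins with `shell-exec`, which is not a PHP function name — `shell_exec()` therefore stays callable and the entry provides no hardening; the same spelling appears as context in the evoadmin-web hunks further down this chunk, so the typo predates this commit, but this new file copies it. Change it to `shell_exec`, and consider adding `exec` and `proc_open` since `system`, `passthru` and `popen` are already in the list. The `ini_file` `dest:` hard-codes `/etc/php/7.0/...`; a role variable holding the PHP version would keep the task valid beyond Debian 9.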
@@ -0,0 +1,8 @@ + + ServerName {{ evoadminmail_host }} + Redirect permanent / https://{{ evoadminmail_host }}/ + + + + + # FQDN principal + ServerName {{ evoadminmail_host }} + #ServerAlias {{ evoadminmail_host }} + + # Repertoire principal + DocumentRoot {{ evoadminmail_document_root }}/evoadmin/htdocs/ + + # SSL + SSLEngine on + SSLCertificateFile /etc/ssl/certs/{{ evoadminmail_host }}.crt + SSLCertificateKeyFile /etc/ssl/private/{{ evoadminmail_host }}.key + SSLProtocol all -SSLv2 -SSLv3 + + # Propriete du repertoire + + #Options Indexes SymLinksIfOwnerMatch + Options SymLinksIfOwnerMatch + AllowOverride AuthConfig Limit FileInfo + Require all granted + + + # user - group (thanks to sesse@debian.org) + AssignUserID www-{{ evoadminmail_username }} {{ evoadminmail_username }} + + # LOG + CustomLog /var/log/apache2/access.log combined + CustomLog {{ evoadminmail_log_dir }}/access.log combined + ErrorLog {{ evoadminmail_log_dir }}/error.log + + # AWSTATS + SetEnv AWSTATS_FORCE_CONFIG {{ evoadminmail_username }} + + # REWRITE + UseCanonicalName On + RewriteEngine On + RewriteCond %{HTTP_HOST} !^{{ evoadminmail_host }}$ + RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R] + + # PHP + #php_admin_flag engine off + #AddType text/html .html + #php_admin_flag display_errors On + #php_flag short_open_tag On + #php_flag register_globals On + #php_admin_value memory_limit 256M + #php_admin_value max_execution_time 60 + #php_admin_value upload_max_filesize 8M + #php_admin_flag allow_url_fopen Off + php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f www-{{ evoadminmail_username }}" + php_admin_value open_basedir "none" + diff --git a/webapps/evoadmin-mail/templates/sudoers.j2 b/webapps/evoadmin-mail/templates/sudoers.j2 new file mode 100644 index 00000000..4dfd71c1 --- /dev/null +++ b/webapps/evoadmin-mail/templates/sudoers.j2 
@@ -0,0 +1,3 @@
+User_Alias EVOADMIN = www-evoadmin
+Cmnd_Alias EVOADMIN_WEB = {{ evoadmin_scripts_dir | mandatory }}/web-*.sh, {{ evoadmin_scripts_dir | mandatory }}/ftpadmin.sh
+EVOADMIN ALL=NOPASSWD: EVOADMIN_WEB
diff --git a/webapps/evoadmin-mail/templates/web-add.conf.j2 b/webapps/evoadmin-mail/templates/web-add.conf.j2
new file mode 100644
index 00000000..86eabd29
--- /dev/null
+++ b/webapps/evoadmin-mail/templates/web-add.conf.j2
@@ -0,0 +1,2 @@
+CONTACT_MAIL="{{ evoadmin_contact_email or general_alert_email | mandatory }}"
+WWWBOUNCE_MAIL="{{ evoadmin_bounce_email or general_alert_email | mandatory }}"
diff --git a/webapps/evoadmin-mail/templates/web-mail.tpl.j2 b/webapps/evoadmin-mail/templates/web-mail.tpl.j2
new file mode 100644
index 00000000..262995c3
--- /dev/null
+++ b/webapps/evoadmin-mail/templates/web-mail.tpl.j2
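Review bot: sudoers.j2 grants `User_Alias EVOADMIN = www-evoadmin`, but user.yml in this commit creates `www-{{ evoadminmail_username }}` (`www-evoadmin-mail` with the defaults), and the template reads `evoadmin_scripts_dir | mandatory` while this role defines `evoadminmail_scripts_dir` — so as soon as the commented-out `Add evoadmin sudoers file` task is enabled the render fails on the undefined variable, or, if someone defines it, the rule targets an account this role does not create. The same `evoadmin_*` prefix is used in web-add.conf.j2 on this line (`evoadmin_contact_email`, `evoadmin_bounce_email`) and in web-mail.tpl.j2 in the next hunk (`evoadmin_tpl_*`), so all three templates are out of step with defaults/main.yml. Independently, `EVOADMIN_WEB = .../web-*.sh` with `NOPASSWD` lets the web user run any future file matching the glob, with any arguments; listing the scripts explicitly keeps that privilege bounded.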
@@ -0,0 +1,86 @@
+From: {{ evoadmin_tpl_mail_from }}
+To: RCPTTO
+Bcc: {{ evoadmin_tpl_mail_bcc }}
+Subject: Parametres hebergement web : LOGIN
+
+Bonjour,
+
+Votre compte d'hebergement web a ete cree.
+
+**********************************
+* CONNEXION SFTP/SSH
+**********************************
+
+NOM DU SERVEUR : {{ evoadmin_tpl_servername }}
+USER : LOGIN
+PASSWORD : PASSE1
+
+*****************************************
+* Details sur l'environnement Apache/PHP
+*****************************************
+
+URL du site :
+http://{{ evoadmin_tpl_servername }}
+
+URL des stats :
+http://{{ evoadmin_tpl_servername }}/cgi-RANDOM/awstats.pl
+(acces par IP ou login a demander !)
+
+Repertoire de connexion : HOME_DIR/LOGIN/
+Repertoire pour site web : HOME_DIR/LOGIN/www/
+
+Apache/PHP tourne en www-LOGIN:LOGIN c'est-a-dire qu'il a acces
+uniquement *en lecture* aux differents fichiers/repertoires
+(a condition d'avoir 'g=rx' sur les repertoires et 'g=r' sur les
+fichiers ce qui est le comportement par defaut).
+
+Lorsqu'on a besoin d'autoriser *l'ecriture* pour certains
+fichiers/repertoires, il suffit d'ajouter le droit 'g+w'.
+
+***********************************
+* MySQL
+***********************************
+
+SERVEUR : 127.0.0.1
+PORT DU SERVEUR : 3306
+USER : LOGIN
+PASSWORD : PASSE2
+NOM BASE : DBNAME
+URL interface d'admin :
+{{ evoadmin_tpl_phpmyadmin_url }}
+
+***********************************
+* Rappels divers
+***********************************
+
+Votre nom de domaine doit etre configure pour pointer
+sur l'adresse IP {{ evoadmin_tpl_address }} (enregistrement DNS A)
+ou etre un alias de {{ evoadmin_tpl_servername }} (enregistrement DNS CNAME).
+
+Si vous avez besoin de faire des tests, vous devez
+ajouter la ligne suivante au fichier "/etc/hosts" sous Linux/Unix
+ou au fichier "system32\drivers\etc\hosts" sous Windows NT/XP :
+{{ evoadmin_tpl_address }} {{ evoadmin_tpl_servername }}
+
+Attention, par defaut, toutes les connexions vers l'exterieur
+sont bloquees. Si vous avez besoin de recuperer des donnees
+a l'exterieur (flux RSS, BDD externe, etc.), contactez nous
+afin de mettre en oeuvre les autorisations necessaires.
+
+Afin de securiser au maximum le serveur, certaines URL
+particulieres sont non autorisees pour eviter diverses
+attaques (XSS, robots, trojans, injections, etc.).
+Exemple d'URL refusee :
+http://{{ evoadmin_tpl_servername }}/cmd32.exe
+En cas de soucis avec votre application, prevenez-nous.
+
+Si vous desirez mettre en place des parametres particuliers
+pour votre site (PHP, etc.) ou pour tout autre demande (scripts en crontab,
+etc.), n'hesitez pas a nous contacter a l'adresse
+{{ evoadmin_tpl_mail_standard }} (ou {{ evoadmin_tpl_mail_urgent }} si votre demande est
+urgente).
+
+
+Cordialement,
+--
+{{ evoadmin_tpl_signature }}
diff --git a/webapps/evoadmin-web/tasks/web.yml b/webapps/evoadmin-web/tasks/web.yml
index 0944c2cd..59c41582 100644
--- a/webapps/evoadmin-web/tasks/web.yml
+++ b/webapps/evoadmin-web/tasks/web.yml
@@ -6,7 +6,7 @@
 section: PHP
 option: "disable_functions"
 value: "shell-exec,system,passthru,putenv,popen"
- notify: reload apache
+ notify: reload apache2
 when: ansible_distribution_release == "jessie"
 - name: "Set custom values for PHP config (Debian 9 or later)"
@@ -15,7 +15,7 @@
 section: PHP
 option: "disable_functions"
 value: "shell-exec,system,passthru,putenv,popen"
- notify: reload apache
+ notify: reload apache2
 when: ansible_distribution_major_version | version_compare('9', '>=')
 - name: Install evoadmin VHost
From 0640a9f8fd9cb36459789d0bc7025765a3bfba7c Mon Sep 17 00:00:00 2001
From: Victor LABORIE
Date: Tue, 10 Oct 2017 16:12:08 +0200
Subject: [PATCH 164/266] ldap: custom schema can be passed with ldap_schema
---
 ldap/tasks/main.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/ldap/tasks/main.yml b/ldap/tasks/main.yml
index be3a8bd1..b1554725 100644
--- a/ldap/tasks/main.yml
+++ b/ldap/tasks/main.yml
@@ -75,3 +75,13 @@
 command: slapadd -l /root/evolinux_ldap_first-entries.ldif
 when: not root_ldapvirc_path.stat.exists
+- name: upload custom schema
+ copy:
+ src: "{{ ldap_schema }}"
+ dest: "/root/{{ ldap_schema }}"
+ mode: "0640"
+ when: ldap_schema is defined
+
+- name: inject custom schema
+ command: "ldapadd -Y EXTERNAL -H ldapi:/// -f /root/{{ ldap_schema }}"
+ when: ldap_schema is defined
From a6499b67128dc594eb38aff7f1b2547da7a444c0 Mon Sep 17 00:00:00 2001
From: Victor LABORIE
Date: Tue, 10 Oct 2017 16:13:12 +0200
Subject: [PATCH 165/266] packmail: use role dependencies instead of include_role
---
 packmail/meta/main.yml | 7 ++++++
 packmail/tasks/apache.yml | 21 -----------------
 packmail/tasks/main.yml | 49 ++++++++++++++------------------------
 3 files changed, 24 insertions(+), 53 deletions(-)
 create mode 100644 packmail/meta/main.yml
 delete mode 100644 packmail/tasks/apache.yml
diff --git a/packmail/meta/main.yml b/packmail/meta/main.yml
new file mode 100644
index 00000000..65101536
--- /dev/null
+++ b/packmail/meta/main.yml
@@ -0,0 +1,7 @@
+---
+dependencies:
+ - { role: ldap, ldap_schema: 'cn4evolix.ldif' }
+ - { role: postfix }
+ - { role: dovecot }
+ - { role: apache }
+ - { role: php, php_apache_enable: True }
diff --git a/packmail/tasks/apache.yml b/packmail/tasks/apache.yml
deleted file mode 100644
index aebae199..00000000
--- a/packmail/tasks/apache.yml
+++ /dev/null
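Review bot: In `upload custom schema` / `inject custom schema` the caller-supplied `ldap_schema` is spliced verbatim into `dest: "/root/{{ ldap_schema }}"` and into the `ldapadd` command string; a value with a directory component (which `copy`'s `src:` accepts) yields a `dest:` under a directory that does not exist in `/root`, and a value containing spaces splits the command. Using `{{ ldap_schema | basename }}` in both places, and `{{ ldap_schema | basename | quote }}` inside `command:`, keeps the tasks well-formed for any filename the dependent role passes. A short comment noting that `ldap_schema` is expected to be a file name found in the calling role's `files/` directory would document the contract the packmail dependency relies on.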
@@ -1,21 +0,0 @@
----
-
-- name: Additional packages are installed
- apt:
- name: '{{ item }}'
- state: present
- with_items:
- - libapache2-mod-security2
- - modsecurity-crs
- - apg
-
-- name: Additional modules are enabled
- apache2_module:
- name: '{{ item }}'
- state: present
- with_items:
- - ssl
- - include
- - negotiation
- - alias
-
diff --git a/packmail/tasks/main.yml b/packmail/tasks/main.yml
index 24543d19..214d8d77 100644
--- a/packmail/tasks/main.yml
+++ b/packmail/tasks/main.yml
@@ -1,42 +1,27 @@
 ---
-
 - fail:
 msg: only compatible with Debian >= 9
 when:
 - ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('9', '<')
-- name: Include ldap role
- include_role:
- name: ldap
+- name: Additional packages are installed
+ apt:
+ name: '{{ item }}'
+ state: present
+ with_items:
+ - libapache2-mod-security2
+ - modsecurity-crs
+ - apg
-- name: upload evolix schema
- copy:
- src: cn4evolix.ldif
- dest: /root/cn4evolix.ldif
- mode: "0640"
-
-- name: inject evolix schema
- command: ldapadd -Y EXTERNAL -H ldapi:/// -f /root/cn4evolix.ldif
-
-- name: Include postfix role
- include_role:
- name: postfix
-
-- name: Include dovecot role
- include_role:
- name: dovecot
-
-- name: Include apache role
- include_role:
- name: apache
-
-- name: Include PHP role
- include_role:
- name: php
- vars:
- php_apache_enable: True
-
-- include: apache.yml
+- name: Additional modules are enabled
+ apache2_module:
+ name: '{{ item }}'
+ state: present
+ with_items:
+ - ssl
+ - include
+ - negotiation
+ - alias
 - name: Install Evoadmin
 include_role:
From 251299cee637082bbcab1e3f51a2636553fdc626 Mon Sep 17 00:00:00 2001
From: Victor LABORIE
Date: Tue, 10 Oct 2017 16:14:18 +0200
Subject: [PATCH 166/266] evoadmin-mail: fix git clone of evoadmin-mail repo
---
 webapps/evoadmin-mail/tasks/user.yml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
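Review bot: `Additional packages are installed` in packmail/tasks/main.yml pulls in `libapache2-mod-security2` and `modsecurity-crs`, but `Additional modules are enabled` lists only `ssl`, `include`, `negotiation` and `alias` — nothing in this hunk enables `security2` or loads the CRS rules, so unless the Debian package activates the module on install (worth confirming on the target) the WAF these packages imply is not actually in front of evoadmin-mail. Either add `security2` to the `apache2_module` loop together with the configuration that includes the CRS, or drop the two packages and state in a comment that ModSecurity is deployed elsewhere. The `- fail:` guard still has no `name:`, so it shows up anonymously in play output; `- name: Check Debian version` above it would help.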
diff --git a/webapps/evoadmin-mail/tasks/user.yml b/webapps/evoadmin-mail/tasks/user.yml
index 67b2fdcd..efbebf72 100644
--- a/webapps/evoadmin-mail/tasks/user.yml
+++ b/webapps/evoadmin-mail/tasks/user.yml
@@ -36,10 +36,15 @@
 dest: "{{ evoadminmail_document_root}}"
 version: master
 update: yes
- # Warning: Need sudo!
- become_user: "{{ evoadminmail_username }}"
 when: ansible_distribution_major_version | version_compare('9', '>=')
+- name: "Change perms on evoadminmail document root"
+ file:
+ dest: "{{ evoadminmail_document_root}}"
+ owner: "www-{{ evoadminmail_username }}"
+ group: "{{ evoadminmail_username }}"
+ recurse: yes
+
 - include: remount_usr_rw.yml
 when: evoadminmail_scripts_dir | search ("/usr")
From a0006a1318e33e7ed7bd3c83d54df2a465081b56 Mon Sep 17 00:00:00 2001
From: Victor LABORIE
Date: Tue, 10 Oct 2017 17:25:50 +0200
Subject: [PATCH 167/266] dovecot: default conf for packmail
---
 dovecot/handlers/main.yml | 5 ++
 dovecot/tasks/main.yml | 49 +++++++++++++++++
 dovecot/templates/z-evolinux-defaults.conf.j2 | 53 +++++++++++++++++++
 3 files changed, 107 insertions(+)
 create mode 100644 dovecot/templates/z-evolinux-defaults.conf.j2
diff --git a/dovecot/handlers/main.yml b/dovecot/handlers/main.yml
index 0ea64b61..8d1b78d8 100644
--- a/dovecot/handlers/main.yml
+++ b/dovecot/handlers/main.yml
@@ -3,3 +3,8 @@
 service:
 name: dovecot
 state: restarted
+
+- name: reload dovecot
+ service:
+ name: dovecot
+ state: reloaded
diff --git a/dovecot/tasks/main.yml b/dovecot/tasks/main.yml
index 8909aea6..5e9968e0 100644
--- a/dovecot/tasks/main.yml
+++ b/dovecot/tasks/main.yml
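Review bot: `Change perms on evoadminmail document root` makes `www-{{ evoadminmail_username }}` — the account the vhost template runs Apache as via `AssignUserID` — the recursive owner of the cloned tree, so the PHP process can rewrite its own source, and the `u=rwX,g=rX,o=` chmod in the `Fix permissions` task (same file, outside this hunk) then grants it write access everywhere. Keeping the checkout owned by `{{ evoadminmail_username }}` with `group: "www-{{ evoadminmail_username }}"` gives the web user exactly the read-only `g=rX` view that chmod already expresses, with a writable subdirectory only where the application needs one. Dropping `become_user` does fix the clone failure the commit title describes, but this ownership choice undoes the separation user.yml set up.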
@@ -7,5 +7,54 @@
 - dovecot-imapd
 - dovecot-pop3d
 - dovecot-sieve
+ - dovecot-managesieved
+ tags:
+ - dovecot
+
+- name: update ldap auth
+ lineinfile:
+ dest: /etc/dovecot/dovecot-ldap.conf.ext
+ line: "{{ item.key }} = {{ item.value }}"
+ regexp: "^#*{{ item.key }}"
+ state: present
+ with_items:
+ - { key: 'hosts', value: '127.0.0.1' }
+ - { key: 'auth_bind', value: 'yes' }
+ - { key: 'ldap_version', value: 3 }
+ - { key: 'base', value: "{{ ldap_suffix }}" }
+ - { key: 'user_attrs', value: 'homeDirectory=home' }
+ - { key: 'user_filter', value: '(&(isActive=TRUE)(uid=%u))' }
+ - { key: 'pass_attrs', value: 'uid=user,userPassword=password' }
+ when: ldap_suffix is defined
+ notify: reload dovecot
+ tags:
+ - dovecot
+
+- name: create vmail group
+ group:
+ name: vmail
+ gid: 5000
+ tags:
+ - dovecot
+
+- name: create vmail user
+ user:
+ name: vmail
+ group: vmail
+ uid: 5000
+ shell: /bin/false
+ tags:
+ - dovecot
+
+- name: deploy evolix config
+ template:
+ src: z-evolinux-defaults.conf.j2
+ dest: /etc/dovecot/conf.d/z-evolinux-defaults.conf
+ mode: "0644"
+ notify: reload dovecot
+ tags:
+ - dovecot
 - include: munin.yml
+ tags:
+ - dovecot
diff --git a/dovecot/templates/z-evolinux-defaults.conf.j2 b/dovecot/templates/z-evolinux-defaults.conf.j2
new file mode 100644
index 00000000..8fe84694
--- /dev/null
+++ b/dovecot/templates/z-evolinux-defaults.conf.j2
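Review bot: The `update ldap auth` task uses `regexp: "^#*{{ item.key }}"`, which is only a prefix match: for `auth_bind` it also matches the `auth_bind_userdn` line of dovecot-ldap.conf.ext, and `lineinfile` replaces the last matching line, so the wrong line can be rewritten while the intended one stays commented out. Anchor each key to its assignment, e.g. `regexp: "^#*{{ item.key }}\\s*="`, so every item only ever touches its own setting. `hosts = 127.0.0.1` talks to slapd without TLS, which is reasonable on the loopback this role assumes; a one-line comment saying so would save the next reader the question.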
@@ -0,0 +1,53 @@
+# {{ ansible_managed }}
+
+disable_plaintext_auth = no
+auth_mechanisms = plain login
+!include auth-ldap.conf.ext
+service auth {
+ unix_listener auth-userdb {
+ mode = 0600
+ user = vmail
+ group = vmail
+ }
+ unix_listener /var/spool/postfix/private/auth-client {
+ mode = 0666
+ user = postfix
+ group = postfix
+ }
+}
+
+mail_location = maildir:/home/vmail/%d/%n
+mail_uid = 5000
+mail_gid = 5000
+
+protocol lda {
+ mail_plugins = sieve
+}
+
+service managesieve-login {
+ inet_listener sieve {
+ port = 4190
+ }
+
+ inet_listener sieve_deprecated {
+ port = 2000
+ }
+ service_count = 1
+ process_min_avail = 0
+ vsz_limit = 64M
+}
+
+service managesieve {
+
+}
+
+protocol sieve {
+ managesieve_max_line_length = 65536
+ mail_max_userip_connections = 10
+ mail_plugins =
+ managesieve_logout_format = bytes=%i/%o
+ managesieve_implementation_string = Dovecot Pigeonhole
+ managesieve_sieve_capability =
+ managesieve_notify_capability =
+ managesieve_max_compile_errors = 5
+}
From 3f77c0cb2449c9944402d9fa73b7b64b382084ad Mon Sep 17 00:00:00 2001
From: Gregory Colpart
Date: Wed, 11 Oct 2017 02:28:49 +0200
Subject: [PATCH 168/266] Fix: argh, forgot cn=schema in DN :(
---
 packmail/files/cn4evolix.ldif | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packmail/files/cn4evolix.ldif b/packmail/files/cn4evolix.ldif
index d92d0414..a17532ad 100644
--- a/packmail/files/cn4evolix.ldif
+++ b/packmail/files/cn4evolix.ldif
@@ -1,4 +1,4 @@
-dn: cn={4}evolix,cn=config
+dn: cn={4}evolix,cn=schema,cn=config
 objectClass: olcSchemaConfig
 cn: {4}evolix
 olcAttributeTypes: {0}( 1.3.6.1.4.1.24331.22.1.1 NAME 'maildrop' DESC 'mail fo
From a4c4de21a8c259cc985df6a12eccbbf7485631c2 Mon Sep 17 00:00:00 2001
From: Victor LABORIE
Date: Wed, 11 Oct 2017 11:04:47 +0200
Subject: [PATCH 169/266] evoadmin-mail: fix evoadmin-mail link insertion
---
 webapps/evoadmin-mail/tasks/main.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
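Review bot: `disable_plaintext_auth = no` together with `auth_mechanisms = plain login` at the top of z-evolinux-defaults.conf.j2 lets IMAP, POP3 and ManageSieve (including the `sieve_deprecated` listener on port 2000) accept passwords over unencrypted sessions; Dovecot's default is `yes`, which still allows PLAIN/LOGIN once the session is TLS-protected. Unless another conf.d file in this role enforces `ssl = required` (not visible in this chunk), the template should keep the default, and if plaintext really is needed a comment should say why. The Postfix SASL socket `unix_listener /var/spool/postfix/private/auth-client` is created `mode = 0666` although `user`/`group` are already `postfix`; `mode = 0660` is sufficient for that pairing.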
diff --git a/webapps/evoadmin-mail/tasks/main.yml b/webapps/evoadmin-mail/tasks/main.yml
index f5e84d0b..0647bbcb 100644
--- a/webapps/evoadmin-mail/tasks/main.yml
+++ b/webapps/evoadmin-mail/tasks/main.yml
@@ -11,9 +11,9 @@
 - include: web.yml
 - name: enable evoadmin-mail link in default site index
- blockinfile:
+ lineinfile:
 dest: /var/www/index.html
- marker: ""
- block: |
-
  • Interface admin mail (EvoAdmin-mail)
  • - + state: present + regexp: "EvoAdmin-mail" + line: '
  • Interface admin mail (EvoAdmin-mail)
  • '
+ insertbefore: ""
From e0c9de352bf6604da2e7ca6db0c4169b4d366eba Mon Sep 17 00:00:00 2001
From: Victor LABORIE
Date: Wed, 11 Oct 2017 11:10:43 +0200
Subject: [PATCH 170/266] postfix: add config for packmail
---
 packmail/meta/main.yml | 2 +-
 postfix/defaults/main.yml | 2 +
 postfix/tasks/main.yml | 68 +++-
 postfix/tasks/slow_transport.yml | 23 +-
 postfix/templates/evolinux_main.cf.j2 | 16 +
 postfix/templates/packmail_main.cf.j2 | 415 ++++++++++++++++++++++
 postfix/templates/virtual_aliases.cf.j2 | 5 +
 postfix/templates/virtual_domains.cf.j2 | 5 +
 postfix/templates/virtual_mailboxes.cf.j2 | 5 +
 9 files changed, 507 insertions(+), 34 deletions(-)
 create mode 100644 postfix/templates/packmail_main.cf.j2
 create mode 100644 postfix/templates/virtual_aliases.cf.j2
 create mode 100644 postfix/templates/virtual_domains.cf.j2
 create mode 100644 postfix/templates/virtual_mailboxes.cf.j2
diff --git a/packmail/meta/main.yml b/packmail/meta/main.yml
index 65101536..f9138046 100644
--- a/packmail/meta/main.yml
+++ b/packmail/meta/main.yml
@@ -1,7 +1,7 @@
 ---
 dependencies:
 - { role: ldap, ldap_schema: 'cn4evolix.ldif' }
- - { role: postfix }
+ - { role: postfix, postfix_packmail: True, postfix_force_main_cf: True, postfix_slow_transport_include: True }
 - { role: dovecot }
 - { role: apache }
 - { role: php, php_apache_enable: True }
diff --git a/postfix/defaults/main.yml b/postfix/defaults/main.yml
index f0673d65..7aac9a2d 100644
--- a/postfix/defaults/main.yml
+++ b/postfix/defaults/main.yml
@@ -1,3 +1,5 @@
 ---
 postfix_hostname: "{{ ansible_fqdn }}"
 postfix_slow_transport_include: False
+postfix_force_main_cf: False
+postfix_packmail: False
diff --git a/postfix/tasks/main.yml b/postfix/tasks/main.yml
index 77a4fb95..8e24ad54 100644
--- a/postfix/tasks/main.yml
+++ b/postfix/tasks/main.yml
@@ -5,26 +5,72 @@
 with_items:
 - postfix
 - mailgraph
+ tags:
+ - postfix
+
+- name: ensure ldap packages are installed
+ apt:
+ name: "postfix-ldap"
+ state: present
+ when: postfix_packmail == True
+ tags:
+ - postfix
 - name: check if main.cf is default
 shell: grep -v -E "^(myhostname|mydestination|mailbox_command)" /etc/postfix/main.cf | md5sum -
 changed_when: False
 check_mode: no
 register: default_main_cf
+ tags:
+ - postfix
-- name: create minimal main.cf
- template:
- src: evolinux_main.cf.j2
- dest: /etc/postfix/main.cf
- owner: root
- group: root
- mode: "0644"
- force: yes
- when: default_main_cf.stdout == "5450c05d65878e99dad696c7c722e511 -" or
+- block:
+
+ - name: create minimal main.cf
+ template:
+ src: evolinux_main.cf.j2
+ dest: /etc/postfix/main.cf
+ owner: root
+ group: root
+ mode: "0644"
+ force: yes
+ when: postfix_packmail != True
+ notify: restart postfix
+ tags:
+ - postfix
+
+ - name: create packmail main.cf
+ template:
+ src: packmail_main.cf.j2
+ dest: /etc/postfix/main.cf
+ owner: root
+ group: root
+ mode: "0644"
+ force: yes
+ when: postfix_packmail == True
+ notify: restart postfix
+ tags:
+ - postfix
+
+ when: postfix_force_main_cf == True or
+ default_main_cf.stdout == "5450c05d65878e99dad696c7c722e511 -" or
 default_main_cf.stdout == "30022953f1f61f002bfb72e163ecb27e -"
- notify: restart postfix
-- meta: flush_handlers
+- name: deploy ldap postfix config
+ template:
+ src: "{{ item }}.j2"
+ dest: "/etc/postfix/{{ item }}"
+ mode: "0644"
+ with_items:
+ - virtual_aliases.cf
+ - virtual_domains.cf
+ - virtual_mailboxes.cf
+ when: postfix_packmail == True
+ notify: restart postfix
+ tags:
+ - postfix
 - include: slow_transport.yml
 when: postfix_slow_transport_include
+ tags:
+ - postfix
diff --git a/postfix/tasks/slow_transport.yml b/postfix/tasks/slow_transport.yml
index 3bf8ae6d..d5566bdb 100644
--- a/postfix/tasks/slow_transport.yml
+++ b/postfix/tasks/slow_transport.yml
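Review bot: `deploy ldap postfix config` installs `virtual_aliases.cf`, `virtual_domains.cf` and `virtual_mailboxes.cf` with `mode: "0644"`; Postfix LDAP table files of this kind usually carry a `bind_dn`/`bind_pw` pair, and the templates are outside this view, so if they do they should be `mode: "0640"` with `owner: root` and `group: postfix` (and referenced through `proxy:` maps) rather than world-readable. The `when: postfix_packmail == True` / `!= True` comparisons match only a real boolean and silently misbehave for the string `"True"` that `-e` or an inventory can supply; `when: postfix_packmail | bool` and `when: not (postfix_packmail | bool)` is the robust form, and the same applies to `postfix_force_main_cf == True` on the block.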
@@ -1,10 +1,10 @@ --- - - name: slow transport is defined in master.cf lineinfile: dest: /etc/postfix/master.cf regexp: "^slow " line: "slow unix - - n - - smtp" + notify: restart postfix - name: list of providers for slow transport lineinfile: @@ -21,24 +21,3 @@ - "hotmail.fr slow:" - "hotmail.com slow:" notify: postmap transport - -- name: main.cf is configured for slow transports - blockinfile: - dest: /etc/postfix/main.cf - marker: "# {mark} Slow transports configuration (installed by Ansible)" - block: | - minimal_backoff_time = 2h - maximal_backoff_time = 6h - maximal_queue_lifetime = 4d - queue_run_delay = 100s - bounce_queue_lifetime = 1d - initial_destination_concurrency = 5 - default_destination_concurrency_limit = 20 - slow_destination_rate_delay = 0 - slow_destination_concurrency_limit = 1 - slow_destination_concurrency_failed_cohort_limit = 100 - slow_destination_recipient_limit = 25 - transport_maps = hash:$config_directory/transport - notify: restart postfix - -- meta: flush_handlers diff --git a/postfix/templates/evolinux_main.cf.j2 b/postfix/templates/evolinux_main.cf.j2 index 429e6602..e42a413f 100644 --- a/postfix/templates/evolinux_main.cf.j2 +++ b/postfix/templates/evolinux_main.cf.j2 @@ -13,3 +13,19 @@ recipient_delimiter = + inet_interfaces = all inet_protocols = ipv4 disable_vrfy_command = yes + +{% if postfix_slow_transport_include == True %} +# Slow transports configuration +minimal_backoff_time = 2h +maximal_backoff_time = 6h +maximal_queue_lifetime = 4d +queue_run_delay = 100s +bounce_queue_lifetime = 1d +initial_destination_concurrency = 5 +default_destination_concurrency_limit = 20 +slow_destination_rate_delay = 0 +slow_destination_concurrency_limit = 1 +slow_destination_concurrency_failed_cohort_limit = 100 +slow_destination_recipient_limit = 25 +transport_maps = hash:$config_directory/transport +{% endif %} 
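Review bot: Removing the `blockinfile` from slow_transport.yml moves `transport_maps` and the backoff settings into the main.cf templates, but those templates are only rendered when main.cf still matches one of the known md5 sums or `postfix_force_main_cf` is set; on a host with a customised main.cf, `postfix_slow_transport_include` now adds the `slow` service to master.cf and fills `transport`, yet `transport_maps` never reaches main.cf and the slow transport is never used. Either keep a `lineinfile` for `transport_maps = hash:$config_directory/transport` in slow_transport.yml or document in the role that slow transport requires the templated main.cf. With the `- meta: flush_handlers` gone, `postmap transport` and `restart postfix` now run in the order they are defined in handlers/main.yml (not visible here), so check that the postmap handler is defined before the restart.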
diff --git a/postfix/templates/packmail_main.cf.j2 b/postfix/templates/packmail_main.cf.j2 new file mode 100644 index 00000000..a5700cb9 --- /dev/null +++ b/postfix/templates/packmail_main.cf.j2 
@@ -0,0 +1,415 @@ +## fichier principal de configuration de Postfix +## commentaires de Gregory Colpart reg AT evolix DOT fr +## version 1.0 : 1ere version publique (05.04.2010) + +######################## +# Section : Emplacements +######################## + +# Repertoire ou se trouvent les commandes de postfix [OBLIGATOIRE] +#par defaut, = $program_directory +command_directory = /usr/sbin + +# Repertoire ou se trouvent les demons de postfix [OBLIGATOIRE] +#par defaut, = $program_directory +daemon_directory = /usr/lib/postfix + +# Variable pour indiquer les emplacements des commandes et demons de postfix +#program_directory = /usr/lib/postfix + +# Repertoire contenant les fichiers de boites aux lettres +#par defaut, = /var/mail +#mail_spool_directory = + +# Repertoire de la file d'attente de postfix +#par defaut, = /var/spool/postfix +#queue_directory = + +# Boites aux lettres +#par defaut, = +home_mailbox = Maildir/ + +# Transmettre les mails a un MDA +#par defaut, = +#mailbox_command = /usr/bin/procmail + +# Separateur entre noms d'utilisateur et extensions d'adresse +# mettre + pour integration avec amavis +#par defaut, = +recipient_delimiter = + + +# Controle si le repertoire existe (souvent pour les systemes de fichiers montes) +#par defaut, = no +#require_home_directory = + +# Commande pour transmettre le courrier a un MDA +#par defaut, = +#mailbox_command = /usr/bin/procmail + +# Banniere SMTP affichee +#par default, = $myhostname ESMTP $mail_name +smtpd_banner = $myhostname ESMTP mail server + +# Groupe des commandes set-gid ayant des acces en ecriture +#par defaut, = postdrop +# setgid_group = postdrop + +# Produire des "biff notifications" aux utilisateurs pour +# prevenir de l'arrivee de nouveaux mails +# par default, = yes +#biff = no + + +#################### +# Section : domaines +#################### + +# Indique le nom d'hote pleinement qualifie ou se trouve postfix [OBLIGATOIRE] +#par defaut, = [retour de la commande Unix hostname] +myhostname = 
{{ ansible_fqdn }} + +# Variable indiquant le domaine dans lequel se trouve la machine +#par defaut, = [partie domain de la variable $myhostname] +#mydomain = + +# Liste des noms de domaine (ou IP) consideres comme local +#par defaut, = $myhostname, localhost.$mydomain, localhost +mydestination = $myhostname + +# Indique le domaine apparaissant dans le courrier envoye +#par defaut, = $myhostname +myorigin = {{ ansible_fqdn }} + +# Liste de domaine fonctionnant UNIQUEMENT avec des alias virtuels +#par defaut, = $virtual_alias_maps +#virtual_alias_domains = [ domaines avec alias virtuels ] + +# Liste de domaine fonctionnant avec des comptes virtuels +#par defaut, = $virtual_mailbox_maps +virtual_mailbox_domains = ldap:$config_directory/virtual_domains.cf + +# Repertoire de base de l'espace de stockage +#par defaut, = +virtual_mailbox_base = / + +# Ajoute $mydomain aux adresse ne compoirtant que la partie hote sans le domaine +#par defaut, = yes +#append_dot_mydomain = no + +# Ajoute $myorigin aux adresses ne comportant pas de composante de domaine +#par defaut, = yes +#append_at_myorigin = no + +# Liste de domaines cachant des sous-domaines internes +#par defaut, = +#masquerade_domains = + +# A l'exception de certains comptes : +#par defaut, = +#masquerade_exceptions = root, admin + +# Champs d'application de la reecriture des sous-domaines caches +#par defaut, = envelope_sender, header_sender, header_recipient +#masquerade_classes = + +# Sites eligibles pour un vidage rapide (postqueue -s [domain.tld]) +#par defaut, = $relay_domains +#fast_flush_domains = + +# Interfaces sur lesquelles ecoutent postfix +#par defaut, = all +#inet_interfaces = all + +# Adresse IP externe du firewall/proxy si derriere NAT ou proxy +# evite principalement les boucles si MX secondaire et MX primaire indisponible +#par defaut, = +#proxy_interfaces = [adresse IP] + +# Domaines acceptes pour faire relai (MX 2aire) +#relay_domains = [domaine a relayer] + + +########################### +# 
Section : base de donnees +########################### + +# Liste des bases de donnees utilisees par l'agent de distribution locale +# Pour regenerer une base de donnees : postalias /etc/aliases (par ex) +#par defaut, = hash:/etc/aliases, nis:mail.aliases +alias_maps = hash:/etc/aliases + +# Liste des bases de donnees locales +# Pour regenerer avec newaliases +#par defaut, = hash:/etc/aliases +alias_database = hash:/etc/aliases + +# Chemin vers la commande newaliases +#par defaut, = /usr/bin/newaliases +#newaliases_path = + +# Base de donnes d'alias virtuels +# ne pas oublier : postmap /etc/postfix/virtual +#par defaut, = $virtual_maps +virtual_alias_maps = hash:$config_directory/virtual, ldap:$config_directory/virtual_aliases.cf + +# Base de donners des boites virtuelles +# ne pas oublier : postmap /etc/postfix/vmailbox +#par defaut, = +virtual_mailbox_maps = ldap:$config_directory/virtual_mailboxes.cf + +virtual_uid_maps = static:5000 +virtual_gid_maps = static:5000 +virtual_transport = dovecot +dovecot_destination_recipient_limit = 1 + +# Reecriture des adresses +#par defaut, = +#canonical_maps = hash:/etc/postfix/canonical + +# Reecriture des adresses a l'arrivee (ecrase $canonical_maps) +#par defaut, = +#recipient_canonical_maps = hash:/etc/postfix/canonical + +# Reecriture des adresses au depart +#par defaut, = +#sender_canonical_maps = hash:/etc/postfix/canonical + +# Adresses changees +#relocated_maps = hash:/etc/postfix/relocated + +# Boite pour receptionner tous les utilisateurs inconnus +#luser_relay = spam + +# Liste de base de donnees contenant les adresses locales permettant de rejeter les messages aux utilisateurs inconnus +# (sera nulle pour recuperer les courriels vers les utilisateurs inconnus) +#par defaut, = proxy:unix:passwd.byname $alias_maps +#local_recipient_maps = + +# MAILING-LIST nommee xx +# dans le fichier /etc/aliases : +# xx: user1@domain1 user2@domain2 etc. 
+# owner-xx: admin@domain +# Utiliser ou non l'alias xx-owner comme adresse d'enveloppe d'expedition +#par defaut, = yes +#owner_request_special = + +# Utiliser l'adresse relle de l'admin au lieu de xx-owner +#par defaut, = no +#expand_owner_alias = + + +########################################### +# Section : parametres de la file d'attente +########################################### + +# Lorsqu'un message n'a pas ete delivre, Postfix adjoint une marque indiquant le moment ou la prochaine tentaive pourra avoir lieu + +# Delai au-dela duquel les messages non delivres seront renvoyes a l'expediteur +#par defaut, = 5d +#maximal_queue_lifetime = + +# Delai au-dela duquel les *bounces* non delivres ne seront plus envoyes +#par defaut, = 5d +bounce_queue_lifetime = 1d + +# Intervalle de temps ou postfix examinera la file +# Il examine notamment la file deferred pour voir si de NOUVEAUX messages sont arrives +# Il faut aussi que la marque indique qu'ils soient prets +#par defaut, = 1000s +#queue_run_delay = + +# A chaque echec, le delai de la prochaine distribution double, avec les restrictions suivantes : +# Delai minimal +#par defaut, = 1000s +#minimal_backoff_time = +# Delai maximal +#par defaut, = 4000s +#maximal_backoff_time = + +# Si maxproc est vide (master.cf), nombre maximal est : +#par defaut, = 100 +#default_process_limit = + +# Nombre maximal de destinataires stockes en memoire par qmgr pour un transport particulier +#par defaut, = 10000 +#default_recipient_limit = + +# Nombre limitant de messages envoyes simultanement INITIALEMENT pour une destination particuliere +# (forcement majoree par maxproc du master.cf ou $default_process_limit) +#par defaut, = 5 +#initial_destination_concurrency = + +# Une fois ces messages distribues, si il reste des messages dans la file d'attente pour cette destination +# particuliere, postfix augmente le nombre de tentative tant qu'il ne detecte pas de probleme avec +# la destination, avec la limite suivante : +#par defaut, = 
20 +#default_destination_concurrency_limit = + +# Cette limite peut etre differente selon le type de transport utilise : +#par defaut, = $default_destination_concurrency_limit +#lmtp_destination_concurrency_limit = +#par defaut, = 2 +#local_destination_concurrency_limit = +#par defaut, = $default_destination_concurrency_limit +#relay_destination_concurrency_limit = +#par defaut, = $default_destination_concurrency_limit +#smtp_destination_concurrency_limit = +#par defaut, = $default_destination_concurrency_limit +#virtual_destination_concurrency_limit = + +# On peut aussi limiter le nombre maximum de destinataire pour un meme message +# Si le nombre de destinataire depasse la limite, postfix divise en groupe d'adresses plus petites et envoie des copies distinctes du message +#par defaut, = 10000 +#default_destination_recipient_limit = +#par defaut, = $default_destination_recipient_limit +#lmtp_destination_recipient_limit = +#par defaut, = 1 +#local_destination_recipient_limit = +#par defaut, = 20000 +#qmgr_message_recipient_limit = +#par defaut, = $default_destination_recipient_limit +#relay_destination_recipient_limit = +#par defaut, = $default_destination_recipient_limit +#smtp_destination_recipient_limit = +#par defaut, = 1000 +#smtpd_recipient_limit = +#par defaut, = $default_destination_recipient_limit +#virtual_destination_recipient_limit = + +# Nombre maximum de destinataires pour un transport lorsque priorite superieure de transport +#par defaut, = 1000 +#default_extra_recipient_limit = + +slow_destination_rate_delay = 0 +slow_destination_concurrency_limit = 1 +slow_destination_recipient_limit = 25 +slow_destination_concurrency_failed_cohort_limit = 100 + +# Types d'incidents a rapporter +# resource : message non delivre pour probleme de ressource +# software : message non delivre pour probleme de logiciels +# policy : envoie le transcription smtp d'un message rejete par restrictions +# protocol : envoie toute transcription smtp erronee +# delay : envoie les 
entetes de messages differes +# bounce : envoie les entetes de tous les message renvoyes +# 2bounce : envoie les entetes de tous les messages renvoyes non delivres +#par defaut, = resource, software +notify_classes = resource, software, bounce, 2bounce, delay, policy, protocol + +# A qui les reporter ? +#Pour delay +#par defaut, = postmaster +delay_notice_recipient = delay +#Pour policy, protocol, resource, software +#par defaut, = postmaster +error_notice_recipient = error +#Pour bounce +#par defaut, = postmaster +bounce_notice_recipient = bounce +#Pour 2bounce +#par defaut, = postmaster +2bounce_notice_recipient = bounce + + +######################## +# Section : restrictions +######################## + +# Restrictions au depart de la conversation +#par defaut, = +smtpd_client_restrictions = + permit_mynetworks, + permit_sasl_authenticated, + cidr:$config_directory/spamd.cidr, + +# Restrictions au niveau de la commande HELO/EHLO +#par defaut, = +smtpd_helo_restrictions = + reject_invalid_hostname + +# Restrictions au niveau de la commande MAIL FROM +#par defaut, = +smtpd_sender_restrictions = + permit_mynetworks, + check_sender_access hash:$config_directory/sa-blacklist.access + +# Restrictions au niveau de la commande MAIL FROM +#par defaut, = permit_mynetworks, reject_unauth_destination +smtpd_recipient_restrictions = + permit_mynetworks, + permit_sasl_authenticated, + reject_unauth_destination, + check_client_access hash:$config_directory/client.access_local, + check_client_access hash:$config_directory/client.access, + check_sender_access hash:$config_directory/sender.access_local, + check_sender_access hash:$config_directory/sender.access, + check_recipient_access hash:$config_directory/recipient.access_local, + check_recipient_access hash:$config_directory/recipient.access, + reject_unlisted_recipient, + reject_unknown_sender_domain, + reject_non_fqdn_sender, + reject_unauth_pipelining, + +header_checks = + regexp:$config_directory/header_kill_local, + 
regexp:$config_directory/header_kill + +transport_maps = hash:$config_directory/transport + +# Attendre la commande 'RCPT TO' avant d'evaluer les restrictions ? +# (peut poser pb avec certains clients et permet d'avoir renseignements suppl) +#par defaut, = yes +#smtpd_delay_reject = + +# Definition des plages IP appartenant a mynetworks +#par defaut, toutes les plages d'adresses IPv4 (et IPv6) des interfaces +mynetworks = 127.0.0.0/8,[::1]/128,10.0.0.0/16 + +# Exiger la commande HELO/EHLO +#par defaut, = no +smtpd_helo_required = yes + +# Exiger syntaxe conforme dans les commandes MAIL FROM ou RCPT TO +#par defaut, = no +strict_rfc821_envelopes = yes + +# Rejeter le courrier provenant d'une adresse inexistante ? +#par defaut, = no +#smtpd_reject_unlisted_sender = + +# Rejeter le courrier a destination d'une adresse inexistante ? +#par defaut, = yes +#smtpd_reject_unlisted_recipient = + + +####################### +# Section : Chiffrement +####################### + +smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem +smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key +smtpd_use_tls=yes +smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache +smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache + +# SASL +smtpd_sasl_auth_enable = yes +broken_sasl_auth_clients = yes +smtpd_sasl_type = dovecot +smtpd_sasl_path = private/auth-client + +{% if postfix_slow_transport_include == True %} +# Slow transports configuration +minimal_backoff_time = 2h +maximal_backoff_time = 6h +maximal_queue_lifetime = 4d +queue_run_delay = 100s +bounce_queue_lifetime = 1d +initial_destination_concurrency = 5 +default_destination_concurrency_limit = 20 +slow_destination_rate_delay = 0 +slow_destination_concurrency_limit = 1 +slow_destination_concurrency_failed_cohort_limit = 100 +slow_destination_recipient_limit = 25 +transport_maps = hash:$config_directory/transport +{% endif %} 
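Review bot: `smtpd_sasl_auth_enable = yes` in the SASL section applies to the port-25 `smtp inet` service too, and nothing in the template sets `smtpd_tls_auth_only = yes`, so PLAIN/LOGIN credentials can be offered and sent in cleartext on port 25; only the submission/smtps services (in the master.cf added by a later commit) force TLS. Add `smtpd_tls_auth_only = yes` next to the certificate lines and replace the legacy `smtpd_use_tls=yes` with `smtpd_tls_security_level = may`; the snakeoil certificate paths should also be role variables rather than hard-coded. `mynetworks = 127.0.0.0/8,[::1]/128,10.0.0.0/16` together with `permit_mynetworks` at the head of `smtpd_recipient_restrictions` relays unauthenticated mail for every host in 10.0.0.0/16, which belongs in a `postfix_mynetworks` variable defaulting to loopback only. When `postfix_slow_transport_include` is on, `transport_maps`, `bounce_queue_lifetime` and the four `slow_destination_*` parameters are set a second time in the trailing block, which Postfix accepts with an "overriding earlier entry" warning — drop the first copies. The restriction lists also reference lookup tables (`spamd.cidr`, `sa-blacklist.access`, `client.access`, `header_kill`, …) that this commit does not deploy; until they exist those lookups fail and mail is deferred.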
diff --git a/postfix/templates/virtual_aliases.cf.j2 b/postfix/templates/virtual_aliases.cf.j2 new file mode 100644 index 00000000..1a6e5f9c --- /dev/null +++ b/postfix/templates/virtual_aliases.cf.j2 @@ -0,0 +1,5 @@ +search_base = {{ ldap_suffix }} +query_filter = (&(mailacceptinggeneralid=%u@%d)(isActive=TRUE)) +result_attribute = maildrop +version = 3 +aliases_scope = sub diff --git a/postfix/templates/virtual_domains.cf.j2 b/postfix/templates/virtual_domains.cf.j2 new file mode 100644 index 00000000..97e9ebb3 --- /dev/null +++ b/postfix/templates/virtual_domains.cf.j2 @@ -0,0 +1,5 @@ +search_base = {{ ldap_suffix }} +query_filter = (&(cn=%s)(objectClass=postfixDomain)(isActive=TRUE)) +result_attribute = cn +scope = sub +version = 3 diff --git a/postfix/templates/virtual_mailboxes.cf.j2 b/postfix/templates/virtual_mailboxes.cf.j2 new file mode 100644 index 00000000..0796bdf6 --- /dev/null +++ b/postfix/templates/virtual_mailboxes.cf.j2 @@ -0,0 +1,5 @@ +search_base = {{ ldap_suffix }} +query_filter = (&(mailacceptinggeneralid=%s)(objectClass=mailAccount)(isActive=TRUE)(accountActive=TRUE)) +result_attribute = homeDirectory +scope = sub +version = 3 From 556311a60799d954a9134511070246697d776398 Mon Sep 17 00:00:00 2001 
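Review bot: `aliases_scope = sub` in virtual_aliases.cf.j2 is not a Postfix ldap_table parameter — the key is `scope`, as the other two files use — so it is silently ignored and the lookup runs with the default scope (which happens to be `sub`); change it to `scope = sub` for consistency. None of the three tables set `bind`/`bind_dn`/`bind_pw`, so they rely on an anonymous bind to the local slapd; a comment such as `# anonymous bind to localhost; if bind credentials are added, tighten the file mode to 0640 root:postfix` would help, since the task deploying them uses 0644.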
From: Victor LABORIE Date: Wed, 11 Oct 2017 15:17:58 +0200 Subject: [PATCH 171/266] evoadmin-mail: fix default config and evoadmin user --- webapps/evoadmin-mail/tasks/user.yml | 39 ++++++++++++- webapps/evoadmin-mail/tasks/web.yml | 9 --- webapps/evoadmin-mail/templates/conf.php.j2 | 56 +++++++++++++++++++ .../templates/config.local.php.j2 | 8 --- .../evoadmin-mail/templates/connect.php.j2 | 28 ++++++++++ .../evoadmin-mail/templates/evoadmin.ldif.j2 | 12 ++++ 6 files changed, 134 insertions(+), 18 deletions(-) create mode 100644 webapps/evoadmin-mail/templates/conf.php.j2 delete mode 100644 webapps/evoadmin-mail/templates/config.local.php.j2 create mode 100644 webapps/evoadmin-mail/templates/connect.php.j2 create mode 100644 webapps/evoadmin-mail/templates/evoadmin.ldif.j2 diff --git a/webapps/evoadmin-mail/tasks/user.yml b/webapps/evoadmin-mail/tasks/user.yml index efbebf72..cf260c4f 100644 --- a/webapps/evoadmin-mail/tasks/user.yml +++ b/webapps/evoadmin-mail/tasks/user.yml 
@@ -40,11 +40,48 @@ - name: "Change perms on evoadminmail document root" file: - dest: "{{ evoadminmail_document_root}}" + dest: "{{ evoadminmail_document_root }}" owner: "www-{{ evoadminmail_username }}" group: "{{ evoadminmail_username }}" recurse: yes +- name: "Copy connect.php" + template: + src: connect.php.j2 + dest: "{{ evoadminmail_document_root }}/evoadmin/htdocs/connect.php" + owner: "www-{{ evoadminmail_username }}" + group: "{{ evoadminmail_username }}" + when: ldap_admin_password is defined + +- name: "Copy conf.php" + template: + src: conf.php.j2 + dest: "{{ evoadminmail_document_root }}/evoadmin/htdocs/config/conf.php" + owner: "www-{{ evoadminmail_username }}" + group: "{{ evoadminmail_username }}" + +- name: create a password for evoadmin user + command: "apg -n 1 -m 16 -M lcN" + register: evoadminmail_admin_password + changed_when: False + +- name: upload ldif for evoadmin user + template: + src: evoadmin.ldif.j2 + dest: /root/evolinux_evoadminmail_admin.ldif + mode: "0640" + +- name: inject config + command: slapadd -l /root/evolinux_evoadminmail_admin.ldif + +- name: create log file + file: + dest: /var/log/evoadmin-mail.log + state: touch + owner: "www-{{ evoadminmail_username }}" + group: "adm" + mode: "0640" + - include: remount_usr_rw.yml when: evoadminmail_scripts_dir | search ("/usr") diff --git a/webapps/evoadmin-mail/tasks/web.yml b/webapps/evoadmin-mail/tasks/web.yml index 95eabe1d..e7d915a3 100644 --- a/webapps/evoadmin-mail/tasks/web.yml +++ b/webapps/evoadmin-mail/tasks/web.yml @@ -28,12 +28,3 @@ changed_when: "'Disabling site' in cmd_a2dissite.stdout" notify: reload apache2 when: not evoadminmail_enable_vhost - -#- name: Copy config file for evoadmin -# template: -# src: config.local.php.j2 -# dest: "{{ evoadminmail_document_root}}/conf/config.local.php" -# mode: "0644" -# owner: evoadmin -# group: evoadmin -# force: no 
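Review bot: `Copy conf.php` renders conf.php.j2, which references `{{ ldap_admin_password.stdout }}`, but unlike `Copy connect.php` it has no `when: ldap_admin_password is defined` guard, so the play fails with an undefined variable whenever that fact was not registered; both tasks also set owner/group but no `mode`, leaving a file (typically 0644) holding the LDAP admin password readable by every local user — add `mode: "0640"` to both. The evoadmin user is injected with `slapadd -l` on every run: `slapadd` writes to the backend directly and is meant for a stopped slapd, and with no `creates:` or existence check the task is not idempotent and re-runs with a freshly generated password each play (`changed_when: False` on the `apg` task only hides that). Prefer `ldapadd` against the running server (or an `ldap_entry` task) guarded by an `ldapsearch` for `uid=evoadmin`, and put `no_log: true` on the `apg` task so the cleartext password does not land in the play output. The ldif left in `/root/evolinux_evoadminmail_admin.ldif` is the only record of that credential and is never removed; either delete it after import or document that it is kept on purpose.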
diff --git a/webapps/evoadmin-mail/templates/conf.php.j2 b/webapps/evoadmin-mail/templates/conf.php.j2 new file mode 100644 index 00000000..b534d0d0 --- /dev/null +++ b/webapps/evoadmin-mail/templates/conf.php.j2 @@ -0,0 +1,56 @@ + + * @version 1.0 + */ + +define("LDAP_URI","ldap://127.0.0.1"); +$ldap_servers = array('ldap://127.0.0.1'); +define("LDAP_BASE","{{ ldap_suffix }}"); +define("LDAP_ADMIN_DN","cn=admin,{{ ldap_suffix }}"); +define("LDAP_ADMIN_PASS","{{ ldap_admin_password.stdout }}"); + +define("SUDOBIN","/usr/bin/sudo"); +define("SUDOSCRIPT","/usr/share/scripts/evoadmin.sh"); +define("SUDOPASS","xxxxxx"); + +define('SERVEUR','localhost'); +define('SERVEURPORT',3306); +define('BASE','horde'); +define('NOM', 'horde'); +define('PASSE', 'xxxx'); + +?> diff --git a/webapps/evoadmin-mail/templates/evoadmin.ldif.j2 b/webapps/evoadmin-mail/templates/evoadmin.ldif.j2 new file mode 100644 index 00000000..389fdff9 --- /dev/null +++ b/webapps/evoadmin-mail/templates/evoadmin.ldif.j2 @@ -0,0 +1,12 @@ +dn: uid=evoadmin,{{ ldap_suffix }} +uid: evoadmin +cn: Evoadmin ADM +uidNumber: 4242 +gidNumber: 4242 +homeDirectory: /dev/null +isAdmin: TRUE +mailacceptinggeneralid: evoadmin@{{ ansible_fqdn }} +objectClass: mailAccount +objectClass: organizationalRole +objectClass: posixAccount +userPassword: {{ evoadminmail_admin_password.stdout }} From fbd1761cc23500cbca549e5f2599b9e0e4d35b0a Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Wed, 11 Oct 2017 16:36:49 +0200 Subject: [PATCH 172/266] postfix: fix daemon_directory var --- postfix/templates/packmail_main.cf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/postfix/templates/packmail_main.cf.j2 b/postfix/templates/packmail_main.cf.j2 index a5700cb9..a81a991b 100644 --- a/postfix/templates/packmail_main.cf.j2 +++ b/postfix/templates/packmail_main.cf.j2 
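Review bot: `define("LDAP_ADMIN_PASS","{{ ldap_admin_password.stdout }}")` interpolates the generated password straight into a PHP double-quoted string, so a value containing `"`, `\` or `$` breaks the file or is silently mangled; escape it, e.g. `{{ ldap_admin_password.stdout | replace('\\', '\\\\') | replace('"', '\\"') }}`, or restrict the generator to a safe alphabet as the `apg -M lcN` call for the evoadmin user already does. The `SUDOPASS "xxxxxx"` and MySQL `PASSE 'xxxx'` placeholders are deployed verbatim with nothing flagging them; either template them from role variables or mark them with a comment such as `// placeholder, set by hand`. This hunk is also truncated in this rendering (the opening tag and header comment are missing), so the file header could not be reviewed.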
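Review bot: `userPassword: {{ evoadminmail_admin_password.stdout }}` stores the evoadmin password in cleartext in the directory, since slapd keeps whatever `userPassword` value it is handed; hash it on the target first with a preceding task, `command: slappasswd -s "{{ evoadminmail_admin_password.stdout }}"` under `no_log: true`, and template its `{SSHA}` output here. The entry combines `organizationalRole` with `posixAccount`/`mailAccount` and sets `homeDirectory: /dev/null`, presumably on purpose for an admin account with no mailbox; a one-line comment in the template stating that intent would save the next reader a guess.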
@@ -12,7 +12,7 @@ command_directory = /usr/sbin # Repertoire ou se trouvent les demons de postfix [OBLIGATOIRE] #par defaut, = $program_directory -daemon_directory = /usr/lib/postfix +daemon_directory = /usr/lib/postfix/sbin # Variable pour indiquer les emplacements des commandes et demons de postfix #program_directory = /usr/lib/postfix From 6d2dee033875980006add45c0594fed268a696c3 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Wed, 11 Oct 2017 18:05:04 +0200 Subject: [PATCH 173/266] evoadmin-mail: use / instead of /evoadmin by default --- webapps/evoadmin-mail/templates/conf.php.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webapps/evoadmin-mail/templates/conf.php.j2 b/webapps/evoadmin-mail/templates/conf.php.j2 index b534d0d0..8927a476 100644 --- a/webapps/evoadmin-mail/templates/conf.php.j2 +++ b/webapps/evoadmin-mail/templates/conf.php.j2 @@ -18,7 +18,7 @@ $conf['admin']['quota'] = true; // compatibilite LDAP $conf['evoadmin']['version'] = 3; -$conf['url']['webroot'] = '/evoadmin'; +$conf['url']['webroot'] = '/'; $conf['domaines']['onlyone'] = false; $conf['domaines']['driver'] = 'ldap'; From b6761213f921970a5d38050dbc080e728f6dc119 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Wed, 11 Oct 2017 18:07:19 +0200 Subject: [PATCH 174/266] evoadmin-mail: fix mail var --- webapps/evoadmin-mail/templates/conf.php.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webapps/evoadmin-mail/templates/conf.php.j2 b/webapps/evoadmin-mail/templates/conf.php.j2 index 8927a476..54fda585 100644 --- a/webapps/evoadmin-mail/templates/conf.php.j2 +++ b/webapps/evoadmin-mail/templates/conf.php.j2 @@ -1,7 +1,7 @@ Date: Thu, 12 Oct 2017 10:00:16 +0200 Subject: [PATCH 175/266] evoadmin-mail: Fix default title --- webapps/evoadmin-mail/templates/conf.php.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
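Review bot: `daemon_directory = /usr/lib/postfix/sbin` hard-codes the Debian 9 layout; on Debian 8 the daemons live in `/usr/lib/postfix` (the value just removed), and other roles in this tree still branch on "Debian 9 or later", so a packmail host on Debian 8 would now fail to start Postfix. Debian's postfix package already carries the correct compiled-in defaults, so the simplest fix is to drop both `command_directory` and `daemon_directory` from the template, or to branch on `ansible_distribution_major_version` if they must stay explicit.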
diff --git a/webapps/evoadmin-mail/templates/conf.php.j2 b/webapps/evoadmin-mail/templates/conf.php.j2 index 54fda585..bac22bfd 100644 --- a/webapps/evoadmin-mail/templates/conf.php.j2 +++ b/webapps/evoadmin-mail/templates/conf.php.j2 @@ -42,7 +42,7 @@ $conf['unix']['uid'] = 5000; $conf['unix']['minuid'] = 1000; $conf['unix']['mingid'] = 1000; -$conf['html']['title'] = "Interface d'administration XXX"; +$conf['html']['title'] = "Evoadmin Mail"; // gestion des logs $conf['log']['priority'] = PEAR_LOG_DEBUG; From 9aaf4fe0588a3247fdaf695f2b3eaa3df083445f Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 13 Oct 2017 12:30:02 +0200 Subject: [PATCH 176/266] evoadmin-mail: fix document root path --- webapps/evoadmin-mail/tasks/user.yml | 4 ++-- webapps/evoadmin-mail/templates/evoadminmail.conf.j2 | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/webapps/evoadmin-mail/tasks/user.yml b/webapps/evoadmin-mail/tasks/user.yml index cf260c4f..7c0d593a 100644 --- a/webapps/evoadmin-mail/tasks/user.yml +++ b/webapps/evoadmin-mail/tasks/user.yml @@ -48,7 +48,7 @@ - name: "Copy connect.php" template: src: connect.php.j2 - dest: "{{ evoadminmail_document_root }}/evoadmin/htdocs/connect.php" + dest: "{{ evoadminmail_document_root }}/htdocs/config/connect.php" owner: "www-{{ evoadminmail_username }}" group: "{{ evoadminmail_username }}" when: ldap_admin_password is defined @@ -56,7 +56,7 @@ - name: "Copy conf.php" template: src: conf.php.j2 - dest: "{{ evoadminmail_document_root }}/evoadmin/htdocs/config/conf.php" + dest: "{{ evoadminmail_document_root }}/htdocs/config/conf.php" owner: "www-{{ evoadminmail_username }}" group: "{{ evoadminmail_username }}" diff --git a/webapps/evoadmin-mail/templates/evoadminmail.conf.j2 b/webapps/evoadmin-mail/templates/evoadminmail.conf.j2 index d65a64ef..026fe00d 100644 --- a/webapps/evoadmin-mail/templates/evoadminmail.conf.j2 +++ b/webapps/evoadmin-mail/templates/evoadminmail.conf.j2 
@@ -10,7 +10,7 @@ #ServerAlias {{ evoadminmail_host }} # Repertoire principal - DocumentRoot {{ evoadminmail_document_root }}/evoadmin/htdocs/ + DocumentRoot {{ evoadminmail_document_root }}/htdocs/ # SSL SSLEngine on From 2f7192536341c6d0859052c36f8a93373783be01 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 13 Oct 2017 12:44:37 +0200 Subject: [PATCH 177/266] dovecot: disable pam auth --- dovecot/tasks/main.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/dovecot/tasks/main.yml b/dovecot/tasks/main.yml index 5e9968e0..1a835160 100644 --- a/dovecot/tasks/main.yml +++ b/dovecot/tasks/main.yml @@ -11,6 +11,14 @@ tags: - dovecot +- name: disable pam auth + replace: + dest: /etc/dovecot/conf.d/10-auth.conf + regexp: "[^#]!include auth-system.conf.ext" + replace: "#!include auth-system.conf.ext" + tags: + - dovecot + - name: update ldap auth lineinfile: dest: /etc/dovecot/dovecot-ldap.conf.ext From 3ac2a9b73073a2083ddd1340fe8c384f759ecaf4 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 13 Oct 2017 12:45:53 +0200 Subject: [PATCH 178/266] dovecot: update default config --- dovecot/templates/z-evolinux-defaults.conf.j2 | 35 +++++-------------- 1 file changed, 8 insertions(+), 27 deletions(-) diff --git a/dovecot/templates/z-evolinux-defaults.conf.j2 b/dovecot/templates/z-evolinux-defaults.conf.j2 index 8fe84694..10fefcf2 100644 --- a/dovecot/templates/z-evolinux-defaults.conf.j2 +++ b/dovecot/templates/z-evolinux-defaults.conf.j2 @@ -1,7 +1,10 @@ # {{ ansible_managed }} +# Autorise les mécanismes PLAIN/LOGIN même sans SSL/TLS disable_plaintext_auth = no auth_mechanisms = plain login + +# Authentification LDAP + intégration avec Postfix pour l'auth SMTP !include auth-ldap.conf.ext service auth { unix_listener auth-userdb { 
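Review bot: The `disable pam auth` regexp `[^#]!include auth-system.conf.ext` consumes the character before `!include` — on the stock Debian 10-auth.conf that is the newline ending the preceding blank line, so the replacement deletes that line break; it works by accident and would splice the directive onto the previous line if that line ever held content. Anchor on the line start instead: `regexp: "^!include auth-system.conf.ext"` with `replace: "#!include auth-system.conf.ext"`. The task also has no `notify`, so the change is not applied until something else restarts Dovecot; add a notify for the role's restart handler.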
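Review bot: The new comment `# Autorise les mécanismes PLAIN/LOGIN même sans SSL/TLS` documents that `disable_plaintext_auth = no` is deliberate, which means IMAP/POP3 credentials may be sent unencrypted on ports 143/110 unless `ssl = required` is set elsewhere (not visible here); unless a known client needs this, keep the Dovecot default `disable_plaintext_auth = yes`, and if it must stay, the comment should say which client and why. The same auth socket is what Postfix's `smtpd_sasl_path = private/auth-client` uses, so this choice also governs cleartext SMTP AUTH on port 25.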
@@ -16,38 +19,16 @@ service auth { } } +# Stockage des emails dans /home/mail avec UID/GID 5000/5000 mail_location = maildir:/home/vmail/%d/%n mail_uid = 5000 mail_gid = 5000 +# Activation Sieve protocol lda { mail_plugins = sieve } -service managesieve-login { - inet_listener sieve { - port = 4190 - } - - inet_listener sieve_deprecated { - port = 2000 - } - service_count = 1 - process_min_avail = 0 - vsz_limit = 64M -} - -service managesieve { - -} - -protocol sieve { - managesieve_max_line_length = 65536 - mail_max_userip_connections = 10 - mail_plugins = - managesieve_logout_format = bytes=%i/%o - managesieve_implementation_string = Dovecot Pigeonhole - managesieve_sieve_capability = - managesieve_notify_capability = - managesieve_max_compile_errors = 5 -} +# Optimisations +login_max_processes_count = 256 +mail_max_userip_connections = 42 From d5ffb3c472f1cafec2785c59925f297dd5b2156b Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 17 Oct 2017 11:59:07 +0200 Subject: [PATCH 179/266] evoadmin-mail: fix shell and home for evoadmin-mail users --- webapps/evoadmin-mail/tasks/user.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/webapps/evoadmin-mail/tasks/user.yml b/webapps/evoadmin-mail/tasks/user.yml index 7c0d593a..7e4cb90c 100644 --- a/webapps/evoadmin-mail/tasks/user.yml +++ b/webapps/evoadmin-mail/tasks/user.yml @@ -5,6 +5,7 @@ name: "{{ evoadminmail_username }}" comment: "Evoadmin Web Account" home: "{{ evoadminmail_home_dir}}" + shell: /bin/bash password: "!" - name: Create log/ directory @@ -23,6 +24,9 @@ - name: "Create www-evoadmin (Debian 9 or later)" user: name: "www-{{ evoadminmail_username }}" + home: "{{ evoadminmail_home_dir}}/www" + shell: /bin/bash + createhome: no when: ansible_distribution_major_version | version_compare('9', '>=') - name: Install Git From dee2e2296c1faab57b3d9b1b80d2fe38b746bf11 Mon Sep 17 00:00:00 2001 
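Review bot: `login_max_processes_count` is a Dovecot 1.x setting; Dovecot 2.x (Debian 8/9) is, as far as I know, only able to convert it with an "obsolete setting" warning, and the current form is `service imap-login { process_limit = 256 }` (and the same for `pop3-login`). The new comment `# Stockage des emails dans /home/mail avec UID/GID 5000/5000` contradicts `mail_location = maildir:/home/vmail/%d/%n` on the next line; change it to `/home/vmail`. Deleting the whole `managesieve-login`/`protocol sieve` stanza also drops the ManageSieve listener on port 4190 while `mail_plugins = sieve` is kept for LDA; if that is intended, a comment noting that users can no longer manage sieve scripts over the network would help.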
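Review bot: Giving `www-{{ evoadminmail_username }}` a `/bin/bash` login shell widens the blast radius of a compromised web process, since that account runs the PHP code whose config embeds `LDAP_ADMIN_PASS`; unless the sudo wrapper needs an interactive shell, use `shell: /usr/sbin/nologin`, and lock the password with `password: "!"` as the main account does if the original task does not already. The home is set with `createhome: no` to `{{ evoadminmail_home_dir}}/www`; the missing space before `}}` is harmless to Jinja but inconsistent with the rest of the file.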
From: Victor LABORIE Date: Tue, 17 Oct 2017 13:27:05 +0200 Subject: [PATCH 180/266] postfix: deploy packmail master.cf and filter files --- postfix/files/filter | 1 + postfix/files/packmail_master.cf | 132 +++++++++++++++++++++++++++++++ postfix/tasks/main.yml | 50 ++++++++++++ 3 files changed, 183 insertions(+) create mode 100644 postfix/files/filter create mode 100644 postfix/files/packmail_master.cf diff --git a/postfix/files/filter b/postfix/files/filter new file mode 100644 index 00000000..586574a1 --- /dev/null +++ b/postfix/files/filter @@ -0,0 +1 @@ +# Default empty file diff --git a/postfix/files/packmail_master.cf b/postfix/files/packmail_master.cf new file mode 100644 index 00000000..2043f488 --- /dev/null +++ b/postfix/files/packmail_master.cf 
@@ -0,0 +1,132 @@ +# +# Postfix master process configuration file. For details on the format +# of the file, see the master(5) manual page (command: "man 5 master" or +# on-line: http://www.postfix.org/master.5.html). +# +# Do not forget to execute "postfix reload" after editing this file. +# +# ========================================================================== +# service type private unpriv chroot wakeup maxproc command + args +# (yes) (yes) (no) (never) (100) +# ========================================================================== +smtp inet n - y - - smtpd +#smtp inet n - y - 1 postscreen +#smtpd pass - - y - - smtpd +#dnsblog unix - - y - 0 dnsblog +#tlsproxy unix - - y - 0 tlsproxy +submission inet n - y - - smtpd + -o syslog_name=postfix/submission + -o smtpd_tls_security_level=encrypt + -o smtpd_sasl_auth_enable=yes + -o smtpd_client_restrictions=permit_sasl_authenticated,reject + -o milter_macro_daemon_name=ORIGINATING +smtps inet n - y - - smtpd + -o syslog_name=postfix/smtps + -o smtpd_tls_wrappermode=yes + -o smtpd_sasl_auth_enable=yes + -o smtpd_client_restrictions=permit_sasl_authenticated,reject + -o milter_macro_daemon_name=ORIGINATING +#628 inet n - y - - qmqpd +pickup unix n - y 60 1 pickup +cleanup unix n - y - 0 cleanup +qmgr unix n - n 300 1 qmgr +#qmgr unix n - n 300 1 oqmgr +tlsmgr unix - - y 1000? 1 tlsmgr +rewrite unix - - y - - trivial-rewrite +bounce unix - - y - 0 bounce +defer unix - - y - 0 bounce +trace unix - - y - 0 bounce +verify unix - - y - 1 verify +flush unix n - y 1000? 
0 flush +proxymap unix - - n - - proxymap +proxywrite unix - - n - 1 proxymap +smtp unix - - y - - smtp +# When relaying mail as backup MX, disable fallback_relay to avoid MX loops +relay unix - - y - - smtp + -o smtp_fallback_relay= +# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 +showq unix n - y - - showq +error unix - - y - - error +retry unix - - y - - error +discard unix - - y - - discard +local unix - n n - - local +virtual unix - n n - - virtual +lmtp unix - - y - - lmtp +anvil unix - - y - 1 anvil +scache unix - - y - 1 scache +# +# ==================================================================== +# Interfaces to non-Postfix software. Be sure to examine the manual +# pages of the non-Postfix software to find out what options it wants. +# +# Many of the following services use the Postfix pipe(8) delivery +# agent. See the pipe(8) man page for information about ${recipient} +# and other message envelope options. +# ==================================================================== +# +# maildrop. See the Postfix MAILDROP_README file for details. +# Also specify in main.cf: maildrop_destination_recipient_limit=1 +# +maildrop unix - n n - - pipe + flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} +# +# ==================================================================== +# +# Recent Cyrus versions can use the existing "lmtp" master.cf entry. 
+# +# Specify in cyrus.conf: +# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 +# +# Specify in main.cf one or more of the following: +# mailbox_transport = lmtp:inet:localhost +# virtual_transport = lmtp:inet:localhost +# +# ==================================================================== +# +# Cyrus 2.1.5 (Amos Gouaux) +# Also specify in main.cf: cyrus_destination_recipient_limit=1 +# +#cyrus unix - n n - - pipe +# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} +# +# ==================================================================== +# Old example of delivery via Cyrus. +# +#old-cyrus unix - n n - - pipe +# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} +# +# ==================================================================== +# +# See the Postfix UUCP_README file for configuration details. +# +uucp unix - n n - - pipe + flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) +# +# Other external delivery methods. +# +ifmail unix - n n - - pipe + flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) +bsmtp unix - n n - - pipe + flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient +scalemail-backend unix - n n - 2 pipe + flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} +mailman unix - n n - - pipe + flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py + ${nexthop} ${user} + +slow unix - - n - - smtp + +dovecot unix - n n - - pipe + flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient} + +scan unix - - y - 10 smtp +localhost:10026 inet n - y - 10 smtpd + -o content_filter= + -o local_recipient_maps= + -o relay_recipient_maps= + -o myhostname=filter.mynetwork.local + -o smtpd_helo_restrictions= + -o smtpd_client_restrictions= + -o smtpd_sender_restrictions= + -o smtpd_recipient_restrictions=permit_mynetworks,reject + -o mynetworks=127.0.0.0/8 
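Review bot: The reinjection listener `localhost:10026 inet n - y - 10 smtpd` at the end of the file clears `content_filter` but sets no `receive_override_options`, so if main.cf defines header/body checks or recipient validation, mail returning from the `scan` transport is subjected to them a second time. Postfix's FILTER_README pairs such a listener with `-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks`, which is also what the `127.0.0.1:10025` amavis listener added later in this series does, so adding it here keeps the two post-filter entry points consistent. A comment above the `scan` / `localhost:10026` pair naming the filter they are meant for would help too, since `-o myhostname=filter.mynetwork.local` is currently the only hint of their purpose.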
diff --git a/postfix/tasks/main.yml b/postfix/tasks/main.yml index 8e24ad54..99111a23 100644 --- a/postfix/tasks/main.yml +++ b/postfix/tasks/main.yml @@ -56,6 +56,56 @@ default_main_cf.stdout == "5450c05d65878e99dad696c7c722e511 -" or default_main_cf.stdout == "30022953f1f61f002bfb72e163ecb27e -" +- name: deploy packmail master.cf + copy: + src: packmail_master.cf + dest: /etc/postfix/master.cf + mode: "0644" + when: postfix_packmail == True + notify: restart postfix + tags: + - postfix + +- name: copy default filter files + copy: + src: filter + dest: "/etc/postfix/{{ item }}" + force: no + with_items: + - virtual + - client.access + - client.access_local + - header_kill + - header_kill_local + - recipient.access + - recipient.access_local + - sa-blacklist.access + - sender.access + - sender.access_local + - spamd.cidr + when: postfix_packmail == True + register: postfix_copy_filter + tags: + - postfix + +- name: postmap filter files + command: "postmap /etc/postfix/{{ item }}" + with_items: + - virtual + - client.access + - client.access_local + - header_kill + - header_kill_local + - recipient.access + - recipient.access_local + - sa-blacklist.access + - sender.access + - sender.access_local + - spamd.cidr + when: postfix_packmail == True and postfix_copy_filter.changed + tags: + - postfix + - name: deploy ldap postfix config template: src: "{{ item }}.j2" From 10ff2747e2dc78154840ed90a22930f59e20dc11 Mon Sep 17 00:00:00 2001 
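Review bot: The `postmap filter files` task runs `postmap /etc/postfix/{{ item }}` over every entry including `spamd.cidr`; a `cidr:` table is read as plain text and is never postmapped, so this only produces an unused `spamd.cidr.db` (the `spam.sh` added later in this series postmaps everything except `spamd.cidr`, which is the right split). Declare the list once, e.g. as `postfix_filter_files`, reuse it in the copy task and loop the postmap task over `{{ postfix_filter_files | difference(['spamd.cidr']) }}` so the two cannot drift apart. `when: postfix_packmail == True` reads better as `when: postfix_packmail`, and the `copy` of the filter files sets no `mode`, so their permissions depend on the remote umask rather than being stated like the `mode: "0644"` on master.cf just above.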
From: Victor LABORIE Date: Tue, 24 Oct 2017 15:09:14 +0200 Subject: [PATCH 181/266] Add amavis, clamav and spamassasin roles --- amavis/defaults/main.yml | 2 + amavis/files/spam.sh | 87 +++++++++++++ amavis/handlers/main.yml | 5 + amavis/tasks/main.yml | 43 +++++++ amavis/templates/amavis.conf.j2 | 57 +++++++++ clamav/handlers/main.yml | 5 + clamav/meta/main.yml | 3 + clamav/tasks/main.yml | 111 +++++++++++++++++ packmail/meta/main.yml | 3 + postfix/tasks/main.yml | 4 +- postfix/templates/packmail_main.cf.j2 | 4 + .../packmail_master.cf.j2} | 37 ++++++ spamassasin/files/sa-update.sh | 68 ++++++++++ spamassasin/files/spamassassin.cf | 117 ++++++++++++++++++ spamassasin/handlers/main.yml | 5 + spamassasin/meta/main.yml | 3 + spamassasin/tasks/main.yml | 51 ++++++++ 17 files changed, 603 insertions(+), 2 deletions(-) create mode 100644 amavis/defaults/main.yml create mode 100644 amavis/files/spam.sh create mode 100644 amavis/handlers/main.yml create mode 100644 amavis/tasks/main.yml create mode 100644 amavis/templates/amavis.conf.j2 create mode 100644 clamav/handlers/main.yml create mode 100644 clamav/meta/main.yml create mode 100644 clamav/tasks/main.yml rename postfix/{files/packmail_master.cf => templates/packmail_master.cf.j2} (83%) create mode 100644 spamassasin/files/sa-update.sh create mode 100644 spamassasin/files/spamassassin.cf create mode 100644 spamassasin/handlers/main.yml create mode 100644 spamassasin/meta/main.yml create mode 100644 spamassasin/tasks/main.yml diff --git a/amavis/defaults/main.yml b/amavis/defaults/main.yml new file mode 100644 index 00000000..5c727eff --- /dev/null +++ b/amavis/defaults/main.yml @@ -0,0 +1,2 @@ +--- +amavis_is_active: True diff --git a/amavis/files/spam.sh b/amavis/files/spam.sh new file mode 100644 index 00000000..10d5e62a --- /dev/null +++ b/amavis/files/spam.sh 
@@ -0,0 +1,87 @@ +#!/bin/bash + +#set -x + +umask 022 + +tmp_file=$(mktemp) + +tmp=$(mktemp -d) + +if [ -f $tmp_file ] ; + then rm $tmp_file ; +fi + +sleep $[ $RANDOM / 1024 ] + +# Postfix +cd $tmp + +wget -q -t 3 http://antispam00.evolix.org/spam/client.access -O $tmp_file +cp $tmp_file /etc/postfix/client.access +rm $tmp_file + +wget -q -t 3 http://antispam00.evolix.org/spam/sender.access -O $tmp_file +cp $tmp_file /etc/postfix/sender.access +rm $tmp_file + +wget -q -t 3 http://antispam00.evolix.org/spam/recipient.access -O $tmp_file +cp $tmp_file /etc/postfix/recipient.access +rm $tmp_file + +wget -q -t 3 http://antispam00.evolix.org/spam/header_kill -O $tmp_file +cp $tmp_file /etc/postfix/header_kill +rm $tmp_file + +wget -q -t 3 http://antispam00.evolix.org/spam/sa-blacklist.access -O sa-blacklist.access +wget -q -t 3 http://antispam00.evolix.org/spam/sa-blacklist.access.md5 -O $tmp_file +if md5sum -c $tmp_file > /dev/null && [ -s sa-blacklist.access ] ; then + cp sa-blacklist.access /etc/postfix/sa-blacklist.access +fi +rm sa-blacklist.access +rm $tmp_file + +/usr/sbin/postmap hash:/etc/postfix/client.access +/usr/sbin/postmap hash:/etc/postfix/sender.access +/usr/sbin/postmap hash:/etc/postfix/recipient.access +/usr/sbin/postmap -r hash:/etc/postfix/sa-blacklist.access + +wget -q -t 3 http://antispam00.evolix.org/spam/spamd.cidr -O spamd.cidr +wget -q -t 3 http://antispam00.evolix.org/spam/spamd.cidr.md5 -O $tmp_file +if md5sum -c $tmp_file > /dev/null && [ -s spamd.cidr ] ; then + cp spamd.cidr /etc/postfix/spamd.cidr +fi +rm spamd.cidr +rm $tmp_file + + +# SpamAssassin +cd $tmp +wget -q -t 3 http://antispam00.evolix.org/spam/evolix_rules.cf -O evolix_rules.cf +wget -q -t 3 http://antispam00.evolix.org/spam/evolix_rules.cf.md5 -O $tmp_file +if md5sum -c $tmp_file > /dev/null && [ -s evolix_rules.cf ] ; then + dpkg -l spamassassin 2>&1 | grep -v "no packages found matching" | grep -q ^ii && cp evolix_rules.cf /etc/spamassassin + dpkg -l spamassassin 2>&1 | 
grep -v "no packages found matching" | grep -q ^ii && /etc/init.d/spamassassin reload > /dev/null + if [ -d /etc/spamassassin/sa-update-hooks.d ]; then + run-parts --lsbsysinit /etc/spamassassin/sa-update-hooks.d + fi +fi + +# ClamAV +cd $tmp +wget -q -t 3 http://antispam00.evolix.org/spam/evolix.ndb -O evolix.ndb +wget -q -t 3 http://antispam00.evolix.org/spam/evolix.ndb.md5 -O $tmp_file +dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && chown clamav: evolix.ndb +if md5sum -c $tmp_file > /dev/null && [ -s evolix.ndb ] ; then + dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && cp -a evolix.ndb /var/lib/clamav/ +fi +wget -q -t 3 http://antispam00.evolix.org/spam/evolix.hsb -O evolix.hsb +wget -q -t 3 http://antispam00.evolix.org/spam/evolix.hsb.md5 -O $tmp_file +dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && chown clamav: evolix.hsb +if md5sum -c $tmp_file > /dev/null && [ -s evolix.hsb ] ; then + dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && cp -a evolix.hsb /var/lib/clamav/ +fi +dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && /etc/init.d/clamav-daemon reload-database > /dev/null +rm $tmp_file + +rm -rf $tmp diff --git a/amavis/handlers/main.yml b/amavis/handlers/main.yml new file mode 100644 index 00000000..62049999 --- /dev/null +++ b/amavis/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: restart amavis + service: + name: amavis + state: restarted diff --git a/amavis/tasks/main.yml b/amavis/tasks/main.yml new file mode 100644 index 00000000..880c3a66 --- /dev/null +++ b/amavis/tasks/main.yml 
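Review bot: The first four downloads (`client.access`, `sender.access`, `recipient.access`, `header_kill`) are copied into /etc/postfix unconditionally: `wget ... -O $tmp_file` leaves an empty file when all three attempts fail, the following `cp` then replaces the live access map with that empty file and `postmap` rebuilds an empty table, so a transient outage of antispam00.evolix.org silently disables those restrictions until the next successful run. The later downloads already guard with `[ -s file ]` and an md5 sidecar; the same guard plus wget's exit status belongs on the first four, which a small helper (below) makes uniform. The md5 sidecar travels over the same plain-HTTP channel as the payload, so it only detects truncation, not substitution; a comment saying so is the minimum, and HTTPS or a detached signature if the server can offer it would close the gap. Separately, `if [ -f $tmp_file ]; then rm $tmp_file; fi` right after `mktemp` discards the unique file mktemp just created, and `sleep $[ $RANDOM / 1024 ]` uses the obsolete `$[ ]` arithmetic form; `sleep $(( RANDOM / 1024 ))` is the bash-idiomatic equivalent.
```shell
# Fetch $1 into the scratch file and install it as $2 only when wget
# succeeded and the body is non-empty; never overwrite a live map with junk.
fetch_and_install() {
    if wget -q -t 3 "$1" -O "$tmp_file" && [ -s "$tmp_file" ]; then
        cp "$tmp_file" "$2"
    fi
    rm -f "$tmp_file"
}

fetch_and_install http://antispam00.evolix.org/spam/client.access    /etc/postfix/client.access
fetch_and_install http://antispam00.evolix.org/spam/sender.access    /etc/postfix/sender.access
fetch_and_install http://antispam00.evolix.org/spam/recipient.access /etc/postfix/recipient.access
fetch_and_install http://antispam00.evolix.org/spam/header_kill      /etc/postfix/header_kill
# … unchanged: md5-checked downloads, postmap calls, SpamAssassin and ClamAV sections …
```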
@@ -0,0 +1,43 @@ +--- +- name: install Amavis + apt: + name: "{{ item }}" + state: present + with_items: + - postgrey + - amavisd-new + tags: + - amavis + +- name: configure Amavis + template: + src: amavis.conf.j2 + dest: /etc/amavis/conf.d/49-evolinux-defaults.conf + mode: "0644" + notify: restart amavis + tags: + - amavis + +- name: copy spam.sh script + copy: + src: spam.sh + dest: /usr/share/scripts/spam.sh + mode: "0700" + tags: + - amavis + +- name: enable spam.sh cron + lineinfile: + dest: /etc/cron.d/spam + line: "42 * * * * /usr/share/scripts/spam.sh" + create: yes + state: present + mode: "0640" + tags: + - amavis + +- name: update antispam list + command: /usr/share/scripts/spam.sh + changed_when: false + tags: + - amavis diff --git a/amavis/templates/amavis.conf.j2 b/amavis/templates/amavis.conf.j2 new file mode 100644 index 00000000..cbe597a2 --- /dev/null +++ b/amavis/templates/amavis.conf.j2 
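Review bot: The `enable spam.sh cron` task writes `42 * * * * /usr/share/scripts/spam.sh` into `/etc/cron.d/spam`, but files under /etc/cron.d use the system crontab format with a mandatory user field after the five time fields; cron reads `/usr/share/scripts/spam.sh` as the user name and an empty command, so the job is rejected and never runs. The line should be `line: "42 * * * * root /usr/share/scripts/spam.sh"` (the script rewrites /etc/postfix maps and reloads daemons, so root is the intended identity). The same omission is in `spamassasin/tasks/main.yml` (`42 6 5 1,4,7,10 * /usr/share/scripts/sa-update.sh`) and in the copy of this task moved to `postfix/tasks/main.yml` later in this series; all three need the user field. Since `copy spam.sh` uses `mode: "0700"`, a comment noting that it is root-only because it replaces live Postfix tables would document the choice.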
@@ -0,0 +1,57 @@ +use strict; + +## Liste des domaines considérés comme locaux +#@local_domains_acl = qw(.); +@local_domains_acl = (".example.net","example.com"); + +# On customise la ligne ajoutée dans les entêtes +$X_HEADER_LINE = "by Amavis at $mydomain"; + +# On precise les FROM pour etre (bugs dans certaines version d'Amavis) +$mailfrom_notify_admin = "postmaster\@$mydomain"; +$mailfrom_notify_recip = "postmaster\@$mydomain"; +$mailfrom_notify_spamadmin = "postmaster\@$mydomain"; + +# Notifications de fichiers bannis / virus +$virus_admin = "postmaster\@$mydomain"; +# Ne pas recevoir des notifications pour les mails UNCHECKED +delete $admin_maps_by_ccat{&CC_UNCHECKED}; + +# Que faire avec les messages détectés +$final_virus_destiny = D_DISCARD; +$final_banned_destiny = D_BOUNCE; +$final_spam_destiny = D_BOUNCE; +$final_bad_header_destiny = D_PASS; + +# Pour recevoir des bounces (mails originals) des fichiers bloqués / virus +#$banned_quarantine_to = "banned\@$mydomain"; +#$virus_quarantine_to = "virus\@$mydomain"; + +# Note tueuse +$sa_tag2_level_deflt = 6.31; +# Pour un comportement "normal" de SA +$sa_tag_level_deflt = -1999; +$sa_kill_level_deflt = 1999; +$sa_dsn_cutoff_level = -99; +$sa_spam_subject_tag = '[SPAM]'; + +# log +$log_level = 2; + +# En fonction besoin/ressources, on a juste le nbre de process +$max_servers = 2; + +$enable_ldap = 1; +$default_ldap = { + hostname => '127.0.0.1', tls => 0, + base => '{{ ldap_suffix }}', scope => 'sub', + query_filter => '(&(mailacceptinggeneralid=%m)(isActive=TRUE))' +}; + +# Activer l'antivirus et antivirus +@bypass_virus_checks_maps = ( + \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re); +@bypass_spam_checks_maps = ( + \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re); + +1; # ensure a defined return diff --git a/clamav/handlers/main.yml b/clamav/handlers/main.yml new file mode 100644 index 00000000..e053f01a --- /dev/null +++ b/clamav/handlers/main.yml 
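Review bot: `@local_domains_acl = (".example.net","example.com");` is hard-coded in a Jinja template that already templates `{{ ldap_suffix }}`; deployed as-is, Amavis classifies only the placeholder domains as local, which changes recipient handling for every real domain. Drive it from a variable declared in defaults, e.g. `@local_domains_acl = ({% for d in amavis_local_domains %}"{{ d }}",{% endfor %});`, or at least add a comment stating the value must be overridden per deployment. Separately, `$final_spam_destiny = D_BOUNCE;` and `$final_banned_destiny = D_BOUNCE;` send DSNs to sender addresses that are usually forged (backscatter); Amavis's own documentation recommends `D_DISCARD` for spam, and with `$sa_kill_level_deflt = 1999;` the bounce branch is practically unreachable anyway, so a one-line comment stating the intended disposition would stop the next maintainer from "fixing" either value in isolation.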
@@ -0,0 +1,5 @@ +--- +- name: restart clamav + service: + name: clamav-daemon + state: restarted diff --git a/clamav/meta/main.yml b/clamav/meta/main.yml new file mode 100644 index 00000000..510b6855 --- /dev/null +++ b/clamav/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - { role: amavis } diff --git a/clamav/tasks/main.yml b/clamav/tasks/main.yml new file mode 100644 index 00000000..c6cd16a4 --- /dev/null +++ b/clamav/tasks/main.yml 
@@ -0,0 +1,111 @@ +--- +- name: install ClamAV + apt: + name: "{{ item }}" + state: present + with_items: + - clamav-daemon + - clamav + - clamdscan + - clamav-freshclam + - arc + - arj + - zoo + - pax + - bzip2 + - cabextract + - rpm + - lzop + - razor + tags: + - clamav + +- name: add clamav user to amavis group + user: + name: clamav + groups: amavis + append: True + tags: + - clamav + +- name: allow supplementary groups + replace: + dest: /etc/clamav/clamd.conf + regexp: 'AllowSupplementaryGroups false' + replace: 'AllowSupplementaryGroups true' + notify: restart clamav + tags: + - clamav + +- name: configure clamav-daemon + debconf: + name: clamav-daemon + question: "{{ item.key }}" + value: "{{ item.value }}" + vtype: "{{ item.type }}" + with_items: + - { key: 'clamav-daemon/debconf', type: 'boolean', value: 'true' } + - { key: 'clamav-daemon/MaxHTMLNormalize', type: 'string', value: '10M' } + - { key: 'clamav-daemon/StatsPEDisabled', type: 'boolean', value: 'true' } + - { key: 'clamav-daemon/FollowDirectorySymlinks', type: 'boolean', value: 'false' } + - { key: 'clamav-daemon/StreamMaxLength', type: 'string', value: '25' } + - { key: 'clamav-daemon/ReadTimeout', type: 'string', value: '180' } + - { key: 'clamav-daemon/StatsEnabled', type: 'boolean', value: 'false' } + - { key: 'clamav-daemon/MaxConnectionQueueLength', type: 'string', value: '15' } + - { key: 'clamav-daemon/LogRotate', type: 'boolean', value: 'true' } + - { key: 'clamav-daemon/AllowAllMatchScan', type: 'boolean', value: 'true' } + - { key: 'clamav-daemon/ScanOnAccess', type: 'boolean', value: 'false' } + - { key: 'clamav-daemon/LogFile', type: 'string', value: '/var/log/clamav/clamav.log' } + - { key: 'clamav-daemon/ScanMail', type: 'boolean', value: 'true' } + - { key: 'clamav-daemon/BytecodeTimeout', type: 'string', value: '60000' } + - { key: 'clamav-daemon/LogTime', type: 'boolean', value: 'true' } + - { key: 'clamav-daemon/OnAccessMaxFileSize', type: 'string', value: '5M' } + - { key: 
'clamav-daemon/TcpOrLocal', type: 'select', value: 'UNIX' } + - { key: 'clamav-daemon/MaxEmbeddedPE', type: 'string', value: '10M' } + - { key: 'clamav-daemon/FixStaleSocket', type: 'boolean', value: 'true' } + - { key: 'clamav-daemon/User', type: 'string', value: 'clamav' } + - { key: 'clamav-daemon/BytecodeSecurity', type: 'select', value: 'TrustSigned' } + - { key: 'clamav-daemon/ScanSWF', type: 'boolean', value: 'true' } + - { key: 'clamav-daemon/MaxDirectoryRecursion', type: 'string', value: '0' } + - { key: 'clamav-daemon/MaxThreads', type: 'string', value: '12' } + - { key: 'clamav-daemon/LocalSocketGroup', type: 'string', value: 'clamav' } + - { key: 'clamav-daemon/MaxScriptNormalize', type: 'string', value: '5M' } + - { key: 'clamav-daemon/ForceToDisk', type: 'boolean', value: 'false' } + - { key: 'clamav-daemon/StatsHostID', type: 'string', value: 'auto' } + - { key: 'clamav-daemon/FollowFileSymlinks', type: 'boolean', value: 'false' } + - { key: 'clamav-daemon/TCPSocket', type: 'string', value: '3310' } + - { key: 'clamav-daemon/TCPAddr', type: 'string', value: 'any' } + - { key: 'clamav-daemon/DisableCertCheck', type: 'boolean', value: 'false' } + - { key: 'clamav-daemon/SelfCheck', type: 'string', value: '3600' } + - { key: 'clamav-daemon/LocalSocket', type: 'string', value: '/var/run/clamav/clamd.ctl' } + - { key: 'clamav-daemon/LocalSocketMode', type: 'string', value: '666' } + - { key: 'clamav-daemon/StatsTimeout', type: 'string', value: '10' } + - { key: 'clamav-daemon/MaxZipTypeRcg', type: 'string', value: '1M' } + - { key: 'clamav-daemon/MaxHTMLNoTags', type: 'string', value: '2M' } + - { key: 'clamav-daemon/LogSyslog', type: 'boolean', value: 'false' } + - { key: 'clamav-daemon/AddGroups', type: 'string', value: '' } + - { key: 'clamav-daemon/Bytecode', type: 'boolean', value: 'true' } + - { key: 'clamav-daemon/ScanArchive', type: 'boolean', value: 'true' } + tags: + - clamav + +- name: configure clamav-freshclam + debconf: + name: 
clamav-freshclam + question: "{{ item.key }}" + value: "{{ item.value }}" + vtype: "{{ item.type }}" + with_items: + - { key: 'clamav-freshclam/autoupdate_freshclam', type: 'select', value: 'daemon' } + - { key: 'clamav-freshclam/proxy_user', type: 'string', value: '' } + - { key: 'clamav-freshclam/NotifyClamd', type: 'boolean', value: 'true' } + - { key: 'clamav-freshclam/local_mirror', type: 'select', value: 'db.fr.clamav.net' } + - { key: 'clamav-freshclam/http_proxy', type: 'string', value: '' } + - { key: 'clamav-freshclam/LogRotate', type: 'boolean', value: 'true' } + - { key: 'clamav-freshclam/Bytecode', type: 'boolean', value: 'true' } + - { key: 'clamav-freshclam/update_interval', type: 'string', value: '24' } + - { key: 'clamav-freshclam/SafeBrowsing', type: 'boolean', value: 'false' } + - { key: 'clamav-freshclam/PrivateMirror', type: 'string', value: '' } + - { key: 'clamav-freshclam/internet_interface', type: 'string', value: '' } + tags: + - clamav diff --git a/packmail/meta/main.yml b/packmail/meta/main.yml index f9138046..9b144692 100644 --- a/packmail/meta/main.yml +++ b/packmail/meta/main.yml @@ -2,6 +2,9 @@ dependencies: - { role: ldap, ldap_schema: 'cn4evolix.ldif' } - { role: postfix, postfix_packmail: True, postfix_force_main_cf: True, postfix_slow_transport_include: True } + - { role: amavis } + - { role: spamassasin } + - { role: clamav } - { role: dovecot } - { role: apache } - { role: php, php_apache_enable: True } diff --git a/postfix/tasks/main.yml b/postfix/tasks/main.yml index 99111a23..bc4f2240 100644 --- a/postfix/tasks/main.yml +++ b/postfix/tasks/main.yml @@ -57,8 +57,8 @@ default_main_cf.stdout == "30022953f1f61f002bfb72e163ecb27e -" - name: deploy packmail master.cf - copy: - src: packmail_master.cf + template: + src: packmail_master.cf.j2 dest: /etc/postfix/master.cf mode: "0644" when: postfix_packmail == True 
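Review bot: `clamav-daemon/LocalSocketMode` is set to `'666'`, which makes `/var/run/clamav/clamd.ctl` writable by every local account, while the only intended client is amavis (the `add clamav user to amavis group` task exists for exactly that pairing). The clamd socket accepts administrative commands as well as scan requests, so a world-writable socket lets any local user interfere with the scanner; `'660'` with the existing `clamav-daemon/LocalSocketGroup` of `'clamav'` plus a mirror task adding the amavis user to the `clamav` group confines it to the daemon and its one client. `TCPAddr` `'any'` with `TCPSocket` `'3310'` is dormant only while `TcpOrLocal` stays `'UNIX'`; a comment saying so would stop someone flipping one key without the other, and a local TCP listener should bind `127.0.0.1` rather than `any`. `append: True` is YAML 1.1 boolean spelling; `true` is the canonical form.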
diff --git a/postfix/templates/packmail_main.cf.j2 b/postfix/templates/packmail_main.cf.j2 index a81a991b..86a03768 100644 --- a/postfix/templates/packmail_main.cf.j2 +++ b/postfix/templates/packmail_main.cf.j2 @@ -413,3 +413,7 @@ slow_destination_concurrency_failed_cohort_limit = 100 slow_destination_recipient_limit = 25 transport_maps = hash:$config_directory/transport {% endif %} + +{% if amavis_is_active is defined and amavis_is_active == True %} +content_filter = smtp-amavis:[127.0.0.1]:10024 +{% endif %} diff --git a/postfix/files/packmail_master.cf b/postfix/templates/packmail_master.cf.j2 similarity index 83% rename from postfix/files/packmail_master.cf rename to postfix/templates/packmail_master.cf.j2 index 2043f488..69964605 100644 --- a/postfix/files/packmail_master.cf +++ b/postfix/templates/packmail_master.cf.j2 
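Review bot: `{% if amavis_is_active is defined and amavis_is_active == True %}` compares against the Python constant, so a string value from host_vars (`"yes"`, `"true"`) silently disables the block; `{% if amavis_is_active | default(false) | bool %}` expresses the intent and tolerates both spellings. The same expression is used in `packmail_master.cf.j2` in this commit; whichever form is chosen, keep the two templates in step since `content_filter = smtp-amavis:[127.0.0.1]:10024` is only valid when the `smtp-amavis` and `127.0.0.1:10025` entries exist in master.cf. A one-line comment above the directive pointing at those master.cf entries would make that coupling visible.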
@@ -130,3 +130,40 @@ localhost:10026 inet n - y - 10 smtpd -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 + +{% if amavis_is_active is defined and amavis_is_active == True %} +smtp-amavis unix - - y - 2 lmtp + -o lmtp_data_done_timeout=1200 + -o lmtp_send_xforward_command=yes + +127.0.0.1:10025 inet n - y - - smtpd + -o content_filter= + -o local_recipient_maps= + -o relay_recipient_maps= + -o smtpd_restriction_classes= + -o smtpd_delay_reject=no + -o smtpd_client_restrictions=permit_mynetworks,reject + -o smtpd_helo_restrictions= + -o smtpd_sender_restrictions= + -o smtpd_recipient_restrictions=permit_mynetworks,reject + -o smtpd_data_restrictions=reject_unauth_pipelining + -o smtpd_end_of_data_restrictions= + -o mynetworks=127.0.0.0/8 + -o strict_rfc821_envelopes=yes + -o smtpd_error_sleep_time=0 + -o smtpd_soft_error_limit=1001 + -o smtpd_hard_error_limit=1000 + -o smtpd_client_connection_count_limit=0 + -o smtpd_client_connection_rate_limit=0 + -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks + +pre-cleanup unix n - n - 0 cleanup + -o virtual_alias_maps= + -o canonical_maps= + -o sender_canonical_maps= + -o recipient_canonical_maps= + -o masquerade_domains= + -o always_bcc= + -o sender_bcc_maps= + -o recipient_bcc_maps= +{% endif %} diff --git a/spamassasin/files/sa-update.sh b/spamassasin/files/sa-update.sh new file mode 100644 index 00000000..b138c285 --- /dev/null +++ b/spamassasin/files/sa-update.sh 
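Review bot: The `2` in `smtp-amavis unix - - y - 2 lmtp` is the maxproc column and is meant to equal `$max_servers = 2;` in amavis.conf.j2; if the two drift apart Postfix may open more concurrent connections than amavisd has workers and the surplus wait or time out. Both are literals today; make them one variable, e.g. `smtp-amavis unix - - y - {{ amavis_max_servers }} lmtp` here and `$max_servers = {{ amavis_max_servers }};` there, or at minimum add `# maxproc must match $max_servers in amavis.conf` above the entry. The `127.0.0.1:10025` block appears to follow the amavisd-new README.postfix recipe; naming that source in a comment tells a future maintainer where to look before changing any of its `-o` overrides.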
@@ -0,0 +1,68 @@ +#!/bin/sh + +# Evolix sa-update, based on: +# Duncan Findlay +# duncf@debian.org + +mail=$(grep EVOMAINTMAIL /etc/evomaintenance.cf | cut -d'=' -f2) +test -x /usr/bin/sa-update || exit 0 +test -x /etc/init.d/spamassassin || exit 0 + +# If there's a problem with the ruleset or configs, print the output +# of spamassassin --lint (which will typically get emailed to root) +# and abort. +die_with_lint() { + su debian-spamd -c "spamassassin --lint -D 2>&1" + exit 1 +} + +do_compile() { +# Compile, if rules have previously been compiled, and it's possible + if [ -x /usr/bin/re2c -a -x /usr/bin/sa-compile \ + -a -d /var/lib/spamassassin/compiled ]; then + su debian-spamd -c "sa-compile --quiet" + # Fixup perms -- group and other should be able to + # read and execute, but never write. Works around + # sa-compile's failure to obey umask. + chmod -R go-w,go+rX /var/lib/spamassassin/compiled + fi +} + +# Tell a running spamd to reload its configs and rules. +reload() { + # Reload + if which invoke-rc.d >/dev/null 2>&1; then + invoke-rc.d spamassassin reload > /dev/null + else + /etc/init.d/spamassassin reload > /dev/null + fi + if [ -d /etc/spamassassin/sa-update-hooks.d ]; then + run-parts --lsbsysinit /etc/spamassassin/sa-update-hooks.d + fi +} + +# Update +umask 022 +su debian-spamd -c "sa-update --gpghomedir /var/lib/spamassassin/sa-update-keys" + +case $? in + 0) + # got updates! + su debian-spamd -c "spamassassin --lint" || die_with_lint + do_compile + reload + echo -e "Les règles SpamAsassin ont été mises à jour. Merci de reporter toute anomalie." | \ + mail -s "SpamAsassin's rules updated." $mail + ;; + 1) + # no updates + exit 0 + ;; + 2) + # lint failed! + die_with_lint + ;; + *) + echo "sa-update failed for unknown reasons" 1>&2 + ;; +esac diff --git a/spamassasin/files/spamassassin.cf b/spamassasin/files/spamassassin.cf new file mode 100644 index 00000000..821f51d4 --- /dev/null +++ b/spamassasin/files/spamassassin.cf 
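Review bot: The script is `#!/bin/sh` but the success branch uses `echo -e "Les règles ..."`; on Debian /bin/sh is dash, whose builtin echo has no `-e` option, so the notification body begins with a literal `-e`. Use `printf '%s\n' "Les règles SpamAsassin ont été mises à jour. Merci de reporter toute anomalie." | mail -s "SpamAsassin's rules updated." "$mail"` — quoting `$mail` also matters because it is cut out of /etc/evomaintenance.cf and may be empty or carry trailing text. The `*)` branch prints "sa-update failed for unknown reasons" but then leaves the `case` with status 0, so cron never sees the failure; add `exit 1` there. `[ -x /usr/bin/re2c -a -x /usr/bin/sa-compile -a -d /var/lib/spamassassin/compiled ]` uses the obsolescent `-a`; `&&`-joined single tests are the portable form.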
@@ -0,0 +1,117 @@ +#required_score 5 -> assure par Amavis +report_safe 0 +#rewrite_header Subject [SPAM] -> assure par Amavis +add_header all Report _REPORT_ + +# filtre bayesien +# mkdir -p /var/spool/spam/ && chown amavis /var/spool/spam/ +use_bayes 1 +bayes_auto_learn 1 +bayes_path /var/spool/spam/bayes +bayes_file_mode 0777 + +# AWL : AutoWhitelist +# mkdir -p /var/spool/spam/ && chown amavis /var/spool/spam/ +loadplugin Mail::SpamAssassin::Plugin::AWL +use_auto_whitelist 1 +auto_whitelist_path /var/spool/spam/auto_whitelist +auto_whitelist_file_mode 0666 + +# LANG TESTS +loadplugin Mail::SpamAssassin::Plugin::TextCat +ok_languages en fr es it +ok_locales en fr es it + +score BODY_8BITS 1.500 +score CHARSET_FARAWAY 3.200 +score CHARSET_FARAWAY_HEADER 3.200 +score HTML_CHARSET_FARAWAY 0.500 +score MIME_CHARSET_FARAWAY 2.450 +score UNWANTED_LANGUAGE_BODY 2.800 + +# DCC +# use_dcc 1 => un plugin maintenant... +score DCC_CHECK 2.9 + +# RAZOR : http://razor.sourceforge.net +use_razor2 1 +score RAZOR2_CHECK 2.9 +score RAZOR2_CF_RANGE_51_100 1.3 + +# pyzor : http://pyzor.sourceforge.net/ +use_pyzor 0 + +# RBL (Realtime Blackhole List) +skip_rbl_checks 0 +score RCVD_IN_BL_SPAMCOP_NET 3 + +# misc +score HELO_DYNAMIC_IPADDR 0.3 +score BIZ_TLD 0.1 +score PRIORITY_NO_NAME 0.2 + +# disable HTML tests + +score HTML_MESSAGE 0 +score HTML_00_10 0 +score HTML_10_20 0 +score HTML_20_30 0 +score HTML_30_40 0 +score HTML_40_50 0 +score HTML_50_60 0 +score HTML_60_70 0 +score HTML_70_80 0 +score HTML_80_90 0 +score HTML_90_100 0 +#score HTML_COMMENT_8BITS 0 +score UPPERCASE_25_50 0 +score UPPERCASE_50_75 0 +score UPPERCASE_75_100 0 +score MIME_HTML_ONLY 0.1 +# From http://maxime.ritter.eu.org/Spam/user_prefs +# Trop de faux negatifs avec BAYES_(0|1|2|3|4)* +score BAYES_00 0 0 -0.01 -0.01 +score BAYES_01 0 0 -0.01 -0.01 +score BAYES_10 0 0 -0.01 -0.01 +score BAYES_20 0 0 -0.01 -0.01 +score BAYES_30 0 0 -0.01 -0.01 +score BAYES_40 0 0 -0.01 -0.01 +score BAYES_44 0 0 -0.01 -0.01 
+score BAYES_50 0 0 0.1 0.1 +score BAYES_56 0 0 0.5 0.5 +score BAYES_60 0 0 1.0 1.0 +score BAYES_70 0 0 2.5 2.5 +score BAYES_80 0 0 3.5 3.5 +score BAYES_90 0 0 4.5 4.5 +score BAYES_99 0 0 8.0 8.0 + +score RCVD_IN_SORBS_DUL 0.3 +score SUBJ_ILLEGAL_CHARS 0 +score RCVD_IN_NJABL_DUL 0.3 + +score ADDRESS_IN_SUBJECT 0.1 + +score HELO_LH_HOME 1.0 + +#internal_networks 192.168.XXX/24 +trusted_networks 62.212.111.216 88.179.18.233 85.118.59.50 31.170.8.0/21 +#score ALL_TRUSTED 0.3 +score HELO_DYNAMIC_IPADDR 0.3 + +score FORGED_MUA_OUTLOOK 0.5 + +# Eudora sucks +score EXTRA_MPART_TYPE 0.1 +score MIME_BOUND_EQ_REL 0.1 +score MIME_QP_LONG_LINE 0.1 + +# SMTP senders *have* dynamic IP addresses +# A.B.C.D.dnsbl.sorbs.net -> 127.0.0.10 +score RCVD_IN_DYNABLOCK 0 +score HELO_DYNAMIC_IPADDR 0.3 +score RCVD_IN_SORBS 0.1 +score RCVD_IN_PBL 0.1 +score RCVD_IN_SORBS_DUL 0 + +# old bug... +score FH_DATE_PAST_20XX 0.0 diff --git a/spamassasin/handlers/main.yml b/spamassasin/handlers/main.yml new file mode 100644 index 00000000..7479d736 --- /dev/null +++ b/spamassasin/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: restart spamassassin + service: + name: spamassassin + state: restarted diff --git a/spamassasin/meta/main.yml b/spamassasin/meta/main.yml new file mode 100644 index 00000000..510b6855 --- /dev/null +++ b/spamassasin/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - { role: amavis } diff --git a/spamassasin/tasks/main.yml b/spamassasin/tasks/main.yml new file mode 100644 index 00000000..ba6d7c3c --- /dev/null +++ b/spamassasin/tasks/main.yml 
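Review bot: `bayes_file_mode 0777` and `auto_whitelist_file_mode 0666` make the Bayes database and the auto-whitelist under /var/spool/spam writable by every local user, while the comment above them says the directory is `chown amavis`, i.e. a single owner; `0700` / `0600` (SpamAssassin's defaults) already cover the only process that needs them. World-writable learning databases let any local account feed the classifier, which quietly degrades filtering for every mailbox. `trusted_networks 62.212.111.216 88.179.18.233 85.118.59.50 31.170.8.0/21` is a trust boundary (mail relayed through these hosts skips several checks), so a comment naming what each address is would let a later operator remove one safely; hard-coding them in a `files/` copy rather than a template also means every deployment trusts the same hosts. `score HELO_DYNAMIC_IPADDR 0.3` appears three times and `score RCVD_IN_SORBS_DUL` is set to 0.3 and later to 0; only the last assignment survives, so dropping the duplicates makes the effective values obvious.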
@@ -0,0 +1,51 @@ +--- +- name: install SpamAssasin + apt: + name: "{{ item }}" + state: present + with_items: + - spamassassin + tags: + - spamassassin + +- name: configure SpamAssasin + copy: + src: spamassassin.cf + dest: /etc/spamassassin/local_evolix.cf + mode: "0644" + notify: restart spamassassin + tags: + - spamassassin + +- name: enable SpamAssasin + replace: + dest: /etc/default/spamassassin + regexp: 'ENABLED=0' + replace: 'ENABLED=1' + notify: restart spamassassin + tags: + - spamassassin + +- name: copy sa-update.sh script + copy: + src: sa-update.sh + dest: /usr/share/scripts/sa-update.sh + mode: "0750" + tags: + - spamassassin + +- name: enable sa-update.sh cron + lineinfile: + dest: /etc/cron.d/sa-update + line: "42 6 5 1,4,7,10 * /usr/share/scripts/sa-update.sh" + create: yes + state: present + mode: "0640" + tags: + - spamassassin + +- name: update SpamAssasin's rules + command: /usr/share/scripts/sa-update.sh + changed_when: false + tags: + - spamassassin From 82cf150c05c55d8161da229bf41aa769f8a57e02 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 24 Oct 2017 15:23:52 +0200 Subject: [PATCH 182/266] postfix: move spam.sh script from amavis role --- amavis/tasks/main.yml | 24 ------------------------ packmail/meta/main.yml | 2 +- {amavis => postfix}/files/spam.sh | 0 postfix/tasks/main.yml | 27 +++++++++++++++++++++++++++ 4 files changed, 28 insertions(+), 25 deletions(-) rename {amavis => postfix}/files/spam.sh (100%) diff --git a/amavis/tasks/main.yml b/amavis/tasks/main.yml index 880c3a66..810ba505 100644 --- a/amavis/tasks/main.yml +++ b/amavis/tasks/main.yml 
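Review bot: The task names say `SpamAssasin` while the tag, the package and the config path use `spamassassin`, and the role directory itself is spelled `spamassasin`; three spellings now coexist, so `--tags` and grep miss whichever one a reader guesses. Use `SpamAssassin` in the task names, and settle the role name before more roles depend on it (`clamav/meta/main.yml` and `packmail/meta/main.yml` in this commit already reference `spamassasin`). The `enable SpamAssasin` task's `replace` with `regexp: 'ENABLED=0'` is a silent no-op when the file is already at `ENABLED=1`, which is the intended idempotent behaviour; a short comment saying so would keep someone from "fixing" it later.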
@@ -17,27 +17,3 @@ notify: restart amavis tags: - amavis - -- name: copy spam.sh script - copy: - src: spam.sh - dest: /usr/share/scripts/spam.sh - mode: "0700" - tags: - - amavis - -- name: enable spam.sh cron - lineinfile: - dest: /etc/cron.d/spam - line: "42 * * * * /usr/share/scripts/spam.sh" - create: yes - state: present - mode: "0640" - tags: - - amavis - -- name: update antispam list - command: /usr/share/scripts/spam.sh - changed_when: false - tags: - - amavis diff --git a/packmail/meta/main.yml b/packmail/meta/main.yml index 9b144692..b86b35e9 100644 --- a/packmail/meta/main.yml +++ b/packmail/meta/main.yml @@ -1,10 +1,10 @@ --- dependencies: - { role: ldap, ldap_schema: 'cn4evolix.ldif' } - - { role: postfix, postfix_packmail: True, postfix_force_main_cf: True, postfix_slow_transport_include: True } - { role: amavis } - { role: spamassasin } - { role: clamav } + - { role: postfix, postfix_packmail: True, postfix_force_main_cf: True, postfix_slow_transport_include: True } - { role: dovecot } - { role: apache } - { role: php, php_apache_enable: True } diff --git a/amavis/files/spam.sh b/postfix/files/spam.sh similarity index 100% rename from amavis/files/spam.sh rename to postfix/files/spam.sh diff --git a/postfix/tasks/main.yml b/postfix/tasks/main.yml index bc4f2240..628e0eab 100644 --- a/postfix/tasks/main.yml +++ b/postfix/tasks/main.yml 
@@ -120,6 +120,33 @@
 tags:
 - postfix
+- name: copy spam.sh script
+ copy:
+ src: spam.sh
+ dest: /usr/share/scripts/spam.sh
+ mode: "0700"
+ when: postfix_packmail == True
+ tags:
+ - postfix
+
+- name: enable spam.sh cron
+ lineinfile:
+ dest: /etc/cron.d/spam
+ line: "42 * * * * /usr/share/scripts/spam.sh"
+ create: yes
+ state: present
+ mode: "0640"
+ when: postfix_packmail == True
+ tags:
+ - postfix
+
+- name: update antispam list
+ command: /usr/share/scripts/spam.sh
+ changed_when: false
+ when: postfix_packmail == True
+ tags:
+ - postfix
+
 - include: slow_transport.yml
 when: postfix_slow_transport_include
 tags:
From 64928db22b70d5737b6d8911a7adc0aea5fa6a80 Mon Sep 17 00:00:00 2001
From: Victor LABORIE
Date: Tue, 24 Oct 2017 15:25:55 +0200
Subject: [PATCH 183/266] postfix: add slow transport for packmail by default
---
 packmail/meta/main.yml | 2 +- postfix/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/packmail/meta/main.yml b/packmail/meta/main.yml
index b86b35e9..06186051 100644
--- a/packmail/meta/main.yml
+++ b/packmail/meta/main.yml
@@ -4,7 +4,7 @@ dependencies:
 - { role: amavis }
 - { role: spamassasin }
 - { role: clamav }
- - { role: postfix, postfix_packmail: True, postfix_force_main_cf: True, postfix_slow_transport_include: True }
+ - { role: postfix, postfix_packmail: True, postfix_force_main_cf: True }
 - { role: dovecot }
 - { role: apache }
 - { role: php, php_apache_enable: True }
diff --git a/postfix/defaults/main.yml b/postfix/defaults/main.yml
index 7aac9a2d..55ab72cd 100644
--- a/postfix/defaults/main.yml
+++ b/postfix/defaults/main.yml
@@ -1,5 +1,5 @@
 ---
 postfix_hostname: "{{ ansible_fqdn }}"
-postfix_slow_transport_include: False
 postfix_force_main_cf: False
 postfix_packmail: False
+postfix_slow_transport_include: "{{ postfix_packmail }}"
From 71f64d2c2476da78009c54d953448175cff021b7 Mon Sep 17 00:00:00 2001
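Review bot: The cron line for `/etc/cron.d/spam` has no user column: `42 * * * * /usr/share/scripts/spam.sh` is parsed by cron as five time fields plus a user named `/usr/share/scripts/spam.sh`, so the hourly list update never runs after the one-shot `command:` task. Use `line: "42 * * * * root /usr/share/scripts/spam.sh"`; the script is installed `0700`, so root is the only user that could run it anyway. The three `when: postfix_packmail == True` conditions would read better as `when: postfix_packmail`, matching `when: postfix_slow_transport_include` on the include a few lines below.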
From: Victor LABORIE Date: Tue, 24 Oct 2017 17:00:10 +0200 Subject: [PATCH 184/266] clamav: configure debconf before install packages --- clamav/tasks/main.yml | 76 +++++++++++++++++++++---------------------- 1 file changed, 38 insertions(+), 38 deletions(-) diff --git a/clamav/tasks/main.yml b/clamav/tasks/main.yml index c6cd16a4..6e3058dd 100644 --- a/clamav/tasks/main.yml +++ b/clamav/tasks/main.yml @@ -1,42 +1,4 @@ --- -- name: install ClamAV - apt: - name: "{{ item }}" - state: present - with_items: - - clamav-daemon - - clamav - - clamdscan - - clamav-freshclam - - arc - - arj - - zoo - - pax - - bzip2 - - cabextract - - rpm - - lzop - - razor - tags: - - clamav - -- name: add clamav user to amavis group - user: - name: clamav - groups: amavis - append: True - tags: - - clamav - -- name: allow supplementary groups - replace: - dest: /etc/clamav/clamd.conf - regexp: 'AllowSupplementaryGroups false' - replace: 'AllowSupplementaryGroups true' - notify: restart clamav - tags: - - clamav - - name: configure clamav-daemon debconf: name: clamav-daemon @@ -109,3 +71,41 @@ - { key: 'clamav-freshclam/internet_interface', type: 'string', value: '' } tags: - clamav + +- name: install ClamAV + apt: + name: "{{ item }}" + state: present + with_items: + - clamav-daemon + - clamav + - clamdscan + - clamav-freshclam + - arc + - arj + - zoo + - pax + - bzip2 + - cabextract + - rpm + - lzop + - razor + tags: + - clamav + +- name: add clamav user to amavis group + user: + name: clamav + groups: amavis + append: True + tags: + - clamav + +- name: allow supplementary groups + replace: + dest: /etc/clamav/clamd.conf + regexp: 'AllowSupplementaryGroups false' + replace: 'AllowSupplementaryGroups true' + notify: restart clamav + tags: + - clamav From 77b8a807535eb112066bf0ff0dcba7950afafaed Mon Sep 17 00:00:00 2001 
From: Victor LABORIE Date: Tue, 24 Oct 2017 17:00:44 +0200 Subject: [PATCH 185/266] Add roundcube role --- packmail/tasks/main.yml | 3 ++ webapps/roundcube/defaults/main.yml | 2 + webapps/roundcube/tasks/main.yml | 43 +++++++++++++++++++++ webapps/roundcube/templates/apache2.conf.j2 | 41 ++++++++++++++++++++ 4 files changed, 89 insertions(+) create mode 100644 webapps/roundcube/defaults/main.yml create mode 100644 webapps/roundcube/tasks/main.yml create mode 100644 webapps/roundcube/templates/apache2.conf.j2 diff --git a/packmail/tasks/main.yml b/packmail/tasks/main.yml index 214d8d77..36d23365 100644 --- a/packmail/tasks/main.yml +++ b/packmail/tasks/main.yml @@ -29,3 +29,6 @@ vars: evoadminmail_enable_vhost: '{{ packmail_enable_evoadmin_vhost }}' +- name: Install Roundcube + include_role: + name: webapps/roundcube diff --git a/webapps/roundcube/defaults/main.yml b/webapps/roundcube/defaults/main.yml new file mode 100644 index 00000000..220720e3 --- /dev/null +++ b/webapps/roundcube/defaults/main.yml @@ -0,0 +1,2 @@ +--- +roundcube_host: "roundcube.{{ ansible_fqdn }}" diff --git a/webapps/roundcube/tasks/main.yml b/webapps/roundcube/tasks/main.yml new file mode 100644 index 00000000..4832043e --- /dev/null +++ b/webapps/roundcube/tasks/main.yml 
@@ -0,0 +1,43 @@ +--- +- name: configure roundcube-core + debconf: + name: roundcube-core + question: "{{ item.key }}" + value: "{{ item.value }}" + vtype: "{{ item.type }}" + with_items: + - { key: 'roundcube/dbconfig-reinstall', type: 'boolean', value: 'true' } + - { key: 'roundcube/language', type: 'select', value: 'fr_FR' } + - { key: 'roundcube/hosts', type: 'string', value: '127.0.0.1' } + - { key: 'roundcube/database-type', type: 'select', value: 'sqlite3' } + - { key: 'roundcube/db/basepath', type: 'string', value: '/var/lib/roundcube/' } + tags: + - roundcube + +- name: install Roundcube + apt: + name: "{{ item }}" + state: present + with_items: + - roundcube + - roundcube-sqlite3 + tags: + - roundcube + +- name: deploy roundcube vhost + template: + src: apache2.conf.j2 + dest: /etc/apache2/sites-available/rouncube.conf + mode: "0640" + notify: reload apache2 + tags: + - roundcube + +- name: enable roundcube vhost + file: + src: /etc/apache2/sites-available/rouncube.conf + dest: /etc/apache2/sites-enabled/rouncube.conf + state: link + notify: reload apache2 + tags: + - roundcube diff --git a/webapps/roundcube/templates/apache2.conf.j2 b/webapps/roundcube/templates/apache2.conf.j2 new file mode 100644 index 00000000..23868992 --- /dev/null +++ b/webapps/roundcube/templates/apache2.conf.j2 
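Review bot: Both Apache tasks `notify: reload apache2`, but this role ships no handlers (the patch adds only defaults, tasks and templates), so that exact handler name must be provided by another role in the play or Ansible aborts when the task reports a change; verify it against the apache role's handler names. The vhost file is written and linked as `rouncube.conf`, a misspelling that is consistent between the two tasks but will trip anyone running `a2ensite roundcube` or looking for `roundcube.conf`; rename the `dest`, `src` and `dest` paths to `roundcube.conf`. `roundcube/dbconfig-reinstall` is preseeded to `'true'` unconditionally; if the role is re-run on a host with existing mail settings, confirm dbconfig does not recreate the SQLite database under `/var/lib/roundcube/`.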
@@ -0,0 +1,41 @@ + + ServerName {{ roundcube_host }} + Redirect permanent / https://{{ roundcube_host }} + + + + + # FQDN principal + ServerName {{ roundcube_host }} + + # Repertoire principal + DocumentRoot /var/lib/roundcube/ + + Include /etc/roundcube/apache.conf + + # LOG + CustomLog /var/log/apache2/access.log vhost_combined + CustomLog /var/lib/roundcube/logs/access.log combined + ErrorLog /var/lib/roundcube/logs/error.log + + # REWRITE + UseCanonicalName On + RewriteEngine On + RewriteCond %{HTTP_HOST} !^{{ roundcube_host }}$ + RewriteRule ^/(.*) http://%{SERVER_NAME}/$1 [L,R] + + # PHP + #php_admin_flag engine off + #AddType text/html .html + #php_admin_flag display_errors On + #php_flag short_open_tag On + #php_flag register_globals On + #php_admin_value memory_limit 256M + #php_admin_value max_execution_time 60 + #php_admin_value upload_max_filesize 8M + #php_admin_flag allow_url_fopen Off + php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f www-roundcube" + php_admin_value error_log "/home/roundcube/log/php.log" + #php_admin_value open_basedir "/usr/share/php:/home/roundcube:/tmp" + + From 8e6d7ed56890af768830094d35557191457b6185 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 24 Oct 2017 17:42:58 +0200 Subject: [PATCH 186/266] roundcube: install default plugins --- webapps/roundcube/tasks/main.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/webapps/roundcube/tasks/main.yml b/webapps/roundcube/tasks/main.yml index 4832043e..cf5a10b7 100644 --- a/webapps/roundcube/tasks/main.yml +++ b/webapps/roundcube/tasks/main.yml 
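Review bot: The `RewriteRule ^/(.*) http://%{SERVER_NAME}/$1 [L,R]` in the second vhost redirects a Host-header mismatch to plain `http://`, undoing the `Redirect permanent / https://...` of the first vhost and bouncing the client through an unencrypted hop; it should target `https://%{SERVER_NAME}/$1`. No `SSLEngine` or `SSLCertificate*` directives appear anywhere in the template, so unless they come from an included snippet the second vhost cannot actually serve TLS — a comment stating where the certificate configuration lives would settle that. `php_admin_value error_log "/home/roundcube/log/php.log"` points outside the `/var/lib/roundcube/logs/` directory every other log directive uses; if that path does not exist, PHP errors are silently dropped. The `<VirtualHost>`/`<Directory>` container tags appear to have been stripped in rendering, so the scope of each directive could not be checked here.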
@@ -21,6 +21,25 @@ with_items: - roundcube - roundcube-sqlite3 + - roundcube-plugins + - php-net-sieve + tags: + - roundcube + +- name: configure managesieve plugin + copy: + src: /usr/share/roundcube/plugins/managesieve/config.inc.php.dist + dest: /etc/roundcube/plugins/managesieve/config.inc.php + mode: "0644" + remote_src: True + tags: + - roundcube + +- name: enable default plugins + replace: + dest: /etc/roundcube/config.inc.php + regexp: "^\\$config\\['plugins'\\] array($" + replace: "$config['plugins'] = array('zipdownload','managesieve'" tags: - roundcube From 628a043ba7801e4284229b30ad51b3a775f057eb Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 24 Oct 2017 17:55:57 +0200 Subject: [PATCH 187/266] dovecot: login_max_processes_count is obsolete --- dovecot/templates/z-evolinux-defaults.conf.j2 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/dovecot/templates/z-evolinux-defaults.conf.j2 b/dovecot/templates/z-evolinux-defaults.conf.j2 index 10fefcf2..b6d8d5e5 100644 --- a/dovecot/templates/z-evolinux-defaults.conf.j2 +++ b/dovecot/templates/z-evolinux-defaults.conf.j2 @@ -30,5 +30,7 @@ protocol lda { } # Optimisations -login_max_processes_count = 256 +service login { + process_limit = 256 +} mail_max_userip_connections = 42 From e10166249dced04443fb05227f63eb460c34c76c Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 24 Oct 2017 18:53:22 +0200 Subject: [PATCH 188/266] roundcube: use imapproxy --- imapproxy/tasks/main.yml | 15 +++++++++++++++ webapps/roundcube/meta/main.yml | 3 +++ webapps/roundcube/tasks/main.yml | 1 + 3 files changed, 19 insertions(+) create mode 100644 imapproxy/tasks/main.yml create mode 100644 webapps/roundcube/meta/main.yml diff --git a/imapproxy/tasks/main.yml b/imapproxy/tasks/main.yml new file mode 100644 index 00000000..0dc62a60 --- /dev/null +++ b/imapproxy/tasks/main.yml 
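Review bot: The `replace` task turns `$config['plugins'] = array(` into `array('zipdownload','managesieve'` with no trailing comma, which only parses if the very next line closes the array; if the packaged `config.inc.php` lists a plugin on the following line the result is a PHP syntax error and the webmail is down. Writing `replace: "$config['plugins'] = array('zipdownload','managesieve',"` is valid PHP in both cases, since trailing commas are allowed in array literals. A comment such as `# assumes Debian's config.inc.php opens the plugins array on its own line` would record the assumption the regexp depends on.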
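Review bot: `service login { process_limit = 256 }` names a service that Dovecot 2's shipped `10-master.conf` does not define — the login processes are `imap-login` and `pop3-login` — so `doveconf -n` should be run to confirm this block is accepted rather than rejected or silently ignored. If it is not, the limit belongs in `service imap-login { process_limit = 256 }` (and `service pop3-login` if POP3 is served). A comment noting that this replaces the pre-2.0 `login_max_processes_count` would preserve the intent for the next reader.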
@@ -0,0 +1,15 @@
+---
+- name: install imapproxy
+ apt:
+ name: imapproxy
+ state: present
+ tags:
+ - imapproxy
+
+- name: enable imapproxy
+ service:
+ name: imapproxy
+ state: started
+ enabled: True
+ tags:
+ - imapproxy
diff --git a/webapps/roundcube/meta/main.yml b/webapps/roundcube/meta/main.yml
new file mode 100644
index 00000000..ddd0e27c
--- /dev/null
+++ b/webapps/roundcube/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - { role: imapproxy }
diff --git a/webapps/roundcube/tasks/main.yml b/webapps/roundcube/tasks/main.yml
index cf5a10b7..4b793967 100644
--- a/webapps/roundcube/tasks/main.yml
+++ b/webapps/roundcube/tasks/main.yml
@@ -8,6 +8,7 @@
 with_items:
 - { key: 'roundcube/dbconfig-reinstall', type: 'boolean', value: 'true' }
 - { key: 'roundcube/language', type: 'select', value: 'fr_FR' }
+ - { key: 'roundcube/remote/port', type: 'string', value: '1143' }
 - { key: 'roundcube/hosts', type: 'string', value: '127.0.0.1' }
 - { key: 'roundcube/database-type', type: 'select', value: 'sqlite3' }
 - { key: 'roundcube/db/basepath', type: 'string', value: '/var/lib/roundcube/' }
From ee58a845886ee9e9205d2ec9e366a8c65ad0c60f Mon Sep 17 00:00:00 2001
From: Victor LABORIE
Date: Wed, 25 Oct 2017 10:17:13 +0200
Subject: [PATCH 189/266] roundcube: fix regex for enabling plugins
---
 webapps/roundcube/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/webapps/roundcube/tasks/main.yml b/webapps/roundcube/tasks/main.yml
index 4b793967..aa92d1f5 100644
--- a/webapps/roundcube/tasks/main.yml
+++ b/webapps/roundcube/tasks/main.yml
@@ -39,7 +39,7 @@
 - name: enable default plugins
 replace:
 dest: /etc/roundcube/config.inc.php
- regexp: "^\\$config\\['plugins'\\] array($"
+ regexp: "^\\$config\\['plugins'\\] = array\\($"
 replace: "$config['plugins'] = array('zipdownload','managesieve'"
 tags:
 - roundcube
From 33fccf3b5142602c0aa938160ef2199c311fede2 Mon Sep 17 00:00:00 2001
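Review bot: The role installs and starts imapproxy with the stock `/etc/imapproxy.conf` and never sets `listen_address`; imapproxy relays unauthenticated plaintext IMAP on port 1143 to its configured `server_hostname`, so if the packaged default is to bind every interface the proxy is reachable from the network instead of only from Roundcube on the same host. Add a task that pins it to loopback, e.g. `lineinfile: dest: /etc/imapproxy.conf regexp: '^#?listen_address' line: 'listen_address 127.0.0.1'` with `notify: restart imapproxy`, or manage the file from a template. Also confirm `server_hostname`/`server_port` in that file point at the local Dovecot, since the new role dependency replaces the direct IMAP connection Roundcube used before.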
From: Victor LABORIE Date: Wed, 25 Oct 2017 10:46:30 +0200 Subject: [PATCH 190/266] roundcube: use lineinfile for configure IMAP server and port --- webapps/roundcube/tasks/main.yml | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/webapps/roundcube/tasks/main.yml b/webapps/roundcube/tasks/main.yml index aa92d1f5..3baf6a74 100644 --- a/webapps/roundcube/tasks/main.yml +++ b/webapps/roundcube/tasks/main.yml @@ -6,10 +6,6 @@ value: "{{ item.value }}" vtype: "{{ item.type }}" with_items: - - { key: 'roundcube/dbconfig-reinstall', type: 'boolean', value: 'true' } - - { key: 'roundcube/language', type: 'select', value: 'fr_FR' } - - { key: 'roundcube/remote/port', type: 'string', value: '1143' } - - { key: 'roundcube/hosts', type: 'string', value: '127.0.0.1' } - { key: 'roundcube/database-type', type: 'select', value: 'sqlite3' } - { key: 'roundcube/db/basepath', type: 'string', value: '/var/lib/roundcube/' } tags: @@ -27,6 +23,23 @@ tags: - roundcube +- name: configure roundcube imap host + lineinfile: + dest: /etc/roundcube/config.inc.php + regexp: "\\$config\\['default_host'\\]" + line: "$config['default_host'] = array('127.0.0.1');" + tags: + - roundcube + +- name: configure roudcube imap port + lineinfile: + dest: /etc/roundcube/config.inc.php + regexp: "\\$config\\['default_port'\\]" + insertafter: "\\$config\\['default_host'\\]" + line: "$config['default_port'] = 1143;" + tags: + - roundcube + - name: configure managesieve plugin copy: src: /usr/share/roundcube/plugins/managesieve/config.inc.php.dist From 1ea40127362f4217202288653c273498b105ec05 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Wed, 25 Oct 2017 11:05:52 +0200 Subject: [PATCH 191/266] spamassasin: custom sa-update nead evomaintenance package --- spamassasin/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/spamassasin/tasks/main.yml b/spamassasin/tasks/main.yml index ba6d7c3c..2e5cd4cc 100644 --- a/spamassasin/tasks/main.yml 
+++ b/spamassasin/tasks/main.yml @@ -5,6 +5,7 @@ state: present with_items: - spamassassin + - evomaintenance tags: - spamassassin From 302fc2ffcc31e70d02932d35b28bfe817d35a3d9 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Wed, 25 Oct 2017 11:07:38 +0200 Subject: [PATCH 192/266] roundcube: zipdownload plugin nead php-zip --- webapps/roundcube/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/webapps/roundcube/tasks/main.yml b/webapps/roundcube/tasks/main.yml index 3baf6a74..474fffb0 100644 --- a/webapps/roundcube/tasks/main.yml +++ b/webapps/roundcube/tasks/main.yml @@ -20,6 +20,7 @@ - roundcube-sqlite3 - roundcube-plugins - php-net-sieve + - php-zip tags: - roundcube From d0cceb7e808d7fbc2d4236926f36aa15e0d0da75 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Wed, 25 Oct 2017 11:32:44 +0200 Subject: [PATCH 193/266] roundcube: return 503 if imapproxy doesn't run --- webapps/roundcube/templates/apache2.conf.j2 | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/webapps/roundcube/templates/apache2.conf.j2 b/webapps/roundcube/templates/apache2.conf.j2 index 23868992..47865c01 100644 --- a/webapps/roundcube/templates/apache2.conf.j2 +++ b/webapps/roundcube/templates/apache2.conf.j2 @@ -11,6 +11,11 @@ # Repertoire principal DocumentRoot /var/lib/roundcube/ + # Return 503 if imapproxy doesn't run + + Redirect 503 / + + Include /etc/roundcube/apache.conf # LOG From f1349816ced90a9cdbec0739d025fe436cc0b8ca Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Wed, 25 Oct 2017 11:41:53 +0200 Subject: [PATCH 194/266] nagios-nrpe: add check for imapproxy --- nagios-nrpe/templates/evolix.cfg.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2 index 45223167..d85f9844 100644 --- a/nagios-nrpe/templates/evolix.cfg.j2 +++ b/nagios-nrpe/templates/evolix.cfg.j2 
@@ -28,6 +28,7 @@ command[check_ldap]=/usr/lib/nagios/plugins/check_ldap -3 -H localhost -D cn=nag command[check_ldaps]=/usr/lib/nagios/plugins/check_ldaps -3 -H localhost -b {{ nagios_nrpe_ldap_dc }} command[check_imap]=/usr/lib/nagios/plugins/check_imap -H localhost command[check_imaps]=/usr/lib/nagios/plugins/check_imap -S -H localhost -p 993 +command[check_imapproxy]=/usr/lib/nagios/plugins/check_imap -H localhost -p 1143 command[check_pop]=/usr/lib/nagios/plugins/check_pop -H localhost command[check_pops]=/usr/lib/nagios/plugins/check_pop -S -H localhost -p 995 command[check_ftp]=/usr/lib/nagios/plugins/check_ftp -H localhost From 8f7004c977b92d00c8fc2821563e11c412cc31f0 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Wed, 25 Oct 2017 12:11:46 +0200 Subject: [PATCH 195/266] fail2ban: install filter before package --- fail2ban/tasks/main.yml | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml index fbed85eb..886b454b 100644 --- a/fail2ban/tasks/main.yml +++ b/fail2ban/tasks/main.yml @@ -22,14 +22,6 @@ tags: - fail2ban -- name: package is installed - apt: - name: fail2ban - state: present - tags: - - fail2ban - - packages - - name: custom filters are installed copy: src: "{{ item }}" @@ -43,3 +35,12 @@ notify: restart fail2ban tags: - fail2ban + +- name: package is installed + apt: + name: fail2ban + state: present + tags: + - fail2ban + - packages + From 206e2e8a0ae6201cec0c1ed0218c463b933dcd38 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Wed, 25 Oct 2017 12:12:18 +0200 Subject: [PATCH 196/266] fail2ban: add roundcube filter --- fail2ban/defaults/main.yml | 1 + fail2ban/files/roundcube.conf | 2 ++ fail2ban/tasks/main.yml | 1 + fail2ban/templates/jail.local.j2 | 9 +++++++++ 4 files changed, 13 insertions(+) create mode 100644 fail2ban/files/roundcube.conf diff --git a/fail2ban/defaults/main.yml b/fail2ban/defaults/main.yml index 5c4df4f0..d0716d95 100644 
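Review bot: Moving `custom filters are installed` ahead of `package is installed` means the `copy` now runs before the fail2ban package has created its configuration tree; unless a task above the hunk creates the filter directory, the copy fails on a fresh host. Either keep the new order and add `file: path: /etc/fail2ban/filter.d state: directory mode: "0755"` before it, or record the reason for the reorder in a comment such as `# filters must exist before the first start: jail.local references them`, since the intent is not otherwise visible. The copy task's `dest` and the start of the task list lie outside this hunk, so this is inferred from the task names. The hunk also leaves a trailing blank line at end of file.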
--- a/fail2ban/defaults/main.yml
+++ b/fail2ban/defaults/main.yml
@@ -3,3 +3,4 @@ general_alert_email: "root@localhost"
 fail2ban_alert_email: Null
 fail2ban_ignore_ips: []
 fail2ban_wordpress: False
+fail2ban_roundcube: False
diff --git a/fail2ban/files/roundcube.conf b/fail2ban/files/roundcube.conf
new file mode 100644
index 00000000..d4ad016a
--- /dev/null
+++ b/fail2ban/files/roundcube.conf
@@ -0,0 +1,2 @@
+[Definition]
+failregex = Login failed for .*. from
diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml
index 886b454b..6a9a6ff7 100644
--- a/fail2ban/tasks/main.yml
+++ b/fail2ban/tasks/main.yml
@@ -32,6 +32,7 @@
 - sasl-evolix.conf
 - wordpress-soft.conf
 - wordpress-hard.conf
+ - roundcube.conf
 notify: restart fail2ban
 tags:
 - fail2ban
diff --git a/fail2ban/templates/jail.local.j2 b/fail2ban/templates/jail.local.j2
index b336e535..73b5f21f 100644
--- a/fail2ban/templates/jail.local.j2
+++ b/fail2ban/templates/jail.local.j2
@@ -44,3 +44,12 @@ logpath = /var/log/auth.log
 maxretry = 5
 findtime = 300
 {% endif %}
+
+{% if fail2ban_roundcube %}
+[roundcube]
+enabled = true
+port = http,https
+filter = roundcube
+logpath = /var/lib/roundcube/logs/errors
+maxretry = 5
+{% endif %}
From 3532cb3f2d940ccf18cd82551f5a44c2181ca404 Mon Sep 17 00:00:00 2001
From: Ludovic Poujol
Date: Thu, 26 Oct 2017 15:06:14 +0200
Subject: [PATCH 197/266] evolinux-base: harware tasks. Add http://hwraid.le-vert.net/debian repo on stretch for megacli packages
---
 evolinux-base/tasks/hardware.yml | 11 +++++++++++ 1 file changed, 11 insertions(+)
diff --git a/evolinux-base/tasks/hardware.yml b/evolinux-base/tasks/hardware.yml
index 16d26cd7..49a3a4f6 100644
--- a/evolinux-base/tasks/hardware.yml
+++ b/evolinux-base/tasks/hardware.yml
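Review bot: `failregex = Login failed for .*. from` ends without a host capture as rendered here; fail2ban rejects a filter whose `failregex` has no `<HOST>` group, so either the placeholder was lost in rendering (no angle-bracketed text survives anywhere in this file) or the rule must read `failregex = Login failed for .*. from <HOST>`. Adding `ignoreregex =` below it is conventional and silences the warning fail2ban emits for filters that omit it. A header comment quoting one matching line from Roundcube's error log would let the next maintainer check the pattern against the installed version.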
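Review bot: `logpath = /var/lib/roundcube/logs/errors` depends on the Roundcube version: later releases name the file `errors.log`, and fail2ban reports an error and refuses to start a jail whose `logpath` matches no file. Using `logpath = /var/lib/roundcube/logs/errors*` covers both names, or verify the file name shipped by the Debian release this targets. The jail is gated on `fail2ban_roundcube`, which this commit defaults to `False` and nothing in the packmail role sets, so the filter stays inert unless a playbook enables it — worth a note in the role's README or defaults.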
@@ -53,6 +53,17 @@
 when: "'Hewlett-Packard Company Smart Array' in raidmodel.stdout"
 - block:
+ - name: Add HW tool GPG key
+ apt_key:
+ url: https://hwraid.le-vert.net/debian/hwraid.le-vert.net.gpg.key
+ when: ansible_distribution_release == "stretch"
+
+ - name: Add HW tool repository
+ apt_repository:
+ repo: 'deb http://hwraid.le-vert.net/debian stretch main'
+ state: present
+ when: ansible_distribution_release == "stretch"
+
 - name: Install packages for DELL/LSI hardware
 apt:
 name: "{{ item }}"
From 6a110768b40449d90e142b8428b247917a9eeb80 Mon Sep 17 00:00:00 2001
From: Victor LABORIE
Date: Thu, 26 Oct 2017 15:50:27 +0200
Subject: [PATCH 198/266] kvm-host: add script add-vm.sh
---
 kvm-host/files/add-vm.sh | 205 +++++++++++++++++++++++++++++++++++++++ kvm-host/tasks/main.yml | 6 ++ 2 files changed, 211 insertions(+) create mode 100644 kvm-host/files/add-vm.sh
diff --git a/kvm-host/files/add-vm.sh b/kvm-host/files/add-vm.sh
new file mode 100644
index 00000000..3d93de37
--- /dev/null
+++ b/kvm-host/files/add-vm.sh
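Review bot: The `apt_key` task fetches the key by `url` but gives no `id`, so Ansible cannot check that what it downloaded is the expected key and re-fetches it on every run; add `id: <fingerprint>` with the fingerprint published for the hwraid.le-vert.net signing key (it is not recoverable from this diff). The repository is added over plain `http://` while the key comes over `https://`; apt's signature check makes that acceptable, but a comment such as `# third-party repo for megacli; trust anchored on the key pinned above` documents why an external source is enabled on every stretch host with this controller. The `when` on the enclosing `block` that selects DELL/LSI hosts lies outside this hunk.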
@@ -0,0 +1,205 @@ +#!/bin/bash +# Add-VM script to add a VM on evoKVM. +# _ ____ ____ __ ____ __ +# / \ | _ \| _ \ \ \ / / \/ | +# / _ \ | | | | | | |____\ \ / /| |\/| | +# / ___ \| |_| | |_| |_____\ V / | | | | +# /_/ \_\____/|____/ \_/ |_| |_| +# +# Need packages: dialog +# Bash strict mode +set -euo pipefail + +dryRun() { + + if ($doDryRun); then + echo -e "\e[34mDoing:" $* "\e[39m" + else + echo -e "\e[34mDoing:" $* "\e[39m" + $* + fi +} + +critical() { + echo -ne "\e[31m${1}\e[39m\n" && exit 1 +} + +warn() { + + echo -ne "\e[33m${1}\e[39m\n" +} + +masterKVMIP="" +slaveKVMIP="" +[ -f "/etc/evolinux/add-vm.cnf" ] && . /etc/evolinux/add-vm.cnf +[ -z "$masterKVMIP" ] && critical "You must define masterKVMIP in /etc/evolinux/add-vm.cnf!!" +[ -z "$slaveKVMIP" ] && critical "You must define slaveKVMIP in /etc/evolinux/add-vm.cnf!!" + +export DIALOGOUT=$(mktemp --tmpdir=/tmp addvm.XXX) +# TODO: How to replace _ with a space?? +export DIALOG="$(which dialog) --backtitle Add-VM_Press_F1_for_help" +export DIALOGRC=.dialogrc +export HELPFILE=$(mktemp --tmpdir=/tmp addvm.XXX) +tmpResFile=$(mktemp --tmpdir=/tmp addvm.XXX) +xmlVM=$(mktemp --tmpdir=/tmp addvm.XXX) +masterKVM="$(hostname -s)" +slaveKVM="$(ssh $slaveKVMIP hostname -s)" +doDryRun=false + +# Exit & Cleanup function. +clean() { + + echo -e "\nBye! Cleaning..." + [ -f $DIALOGOUT ] && rm $DIALOGOUT + [ -f $HELPFILE ] && rm $HELPFILE +# [ -f $tmpResFile ] && rm $tmpResFile +# [ -f $xmlVM ] && rm $xmlVM + exit +} +trap clean EXIT SIGINT + +$DIALOG --hfile $HELPFILE --title "KVM Config" --form "Set the right config. "\ +"If you do not want a type of disk, type none." 
0 0 0 \ + "vCPU" 1 1 "2" 1 10 20 0 \ + "memory" 2 1 "4G" 2 10 20 0 \ + "volroot" 3 1 "ssd-20G" 3 10 20 0 \ + "volhome" 4 1 "hdd-40G" 4 10 20 0 \ + "vmName" 5 1 "" 5 10 20 0 \ + 2>$DIALOGOUT +vCPU=$(sed 1'q;d' $DIALOGOUT) +memory=$(sed 2'q;d' $DIALOGOUT) +volroot=$(sed 3'q;d' $DIALOGOUT) +volhome=$(sed 4'q;d' $DIALOGOUT) +vmName=$(sed 5'q;d' $DIALOGOUT) + +[ -z "$vmName" ] && critical "You need a VM Name!!" + +$DIALOG --title "Continue?" --clear "$@" \ + --yesno "Will create a VM named $vmName on $masterKVM with $vCPU vCPU, "\ +"$memory memory, $volroot for / (and /usr, ...) and $volhome for /home." 10 80 +if [[ $? -ne 0 ]]; then + exit 1 +fi + +if ! [[ "$volroot" =~ (ssd|hdd)-([0-9]+G) ]]; then + critical "No volume for root device (/dev/vda)?!!" +else + volrootDisk="${BASH_REMATCH[1]}" + volrootSize="${BASH_REMATCH[2]}" + dryRun lvcreate -L$volrootSize -n${vmName}_root $volrootDisk + dryRun ssh $slaveKVMIP lvcreate -L$volrootSize -n${vmName}_root $volrootDisk +fi + +if ! [[ "$volhome" =~ (ssd|hdd)-([0-9]+G) ]]; then + warn "No volume for home device (/dev/vdb)... Okay, not doing it!" + volhomeDisk="none" +else + volhomeDisk="${BASH_REMATCH[1]}" + volhomeSize="${BASH_REMATCH[2]}" + dryRun lvcreate -L$volhomeSize -n${vmName}_home $volhomeDisk + dryRun ssh $slaveKVMIP lvcreate -L$volhomeSize -n${vmName}_home $volhomeDisk +fi + +if [[ -f "/etc/drbd.d/${vmName}.res" ]]; then + warn "The DRBD resource file ${vmName}.res is already present! Continue? [y/N]" + read + if ! [[ "$REPLY" =~ (Y|y) ]]; then + exit 1 + fi +fi + +# Generates drbd resource file. 
+ +if [ $(ls /etc/drbd.d/|wc -l) -gt 1 ]; then + lastdrbdPort=$(grep -hEo ':[0-9]{4}' /etc/drbd.d/*.res | sort | uniq | tail -1 | sed 's/://') + drbdPort=$((lastdrbdPort+1)) + lastMinor=$(grep -hEo 'minor [0-9]{1,}' /etc/drbd.d/*.res | sed 's/minor //' | sort -n | tail -1) + minorvol0=$((lastMinor+1)) + minorvol1=$((lastMinor+2)) +else + drbdPort=7900 + minorvol0=0 + minorvol1=1 +fi + +cat << EOT > $tmpResFile +resource "${vmName}" { + net { + cram-hmac-alg "sha1"; + shared-secret "$(apg -m21 -n1)"; + # Si pas de lien dedié 10G, passer en protocol A + # Et desactiver allow-two-primaries; + protocol C; + allow-two-primaries; + # Tuning perf. + max-buffers 8000; + max-epoch-size 8000; + sndbuf-size 0; + } + # A utiliser si RAID HW avec cache + batterie + disk { + disk-barrier no; + disk-flushes no; + } + volume 0 { + device minor ${minorvol0}; + disk /dev/${volrootDisk}/${vmName}_root; + meta-disk internal; + } +EOT +if [[ "$volhomeDisk" != "none" ]]; then + cat << EOT >> $tmpResFile + volume 1 { + device minor ${minorvol1}; + disk /dev/${volhomeDisk}/${vmName}_home; + meta-disk internal; + } +EOT +fi +cat << EOT >> $tmpResFile + on $masterKVM { + address ${masterKVMIP}:${drbdPort}; + } + on $slaveKVM { + address ${slaveKVMIP}:${drbdPort}; + } +} +EOT + +# Create/Activate the new drbd resources. +dryRun install -m 600 $tmpResFile /etc/drbd.d/${vmName}.res +dryRun scp /etc/drbd.d/${vmName}.res ${slaveKVMIP}:/etc/drbd.d/ +dryRun drbdadm create-md "$vmName" +dryRun ssh $slaveKVMIP drbdadm create-md "$vmName" +($doDryRun) && drbdadm -d adjust "$vmName" +($doDryRun) || drbdadm adjust "$vmName" +($doDryRun) && ssh $slaveKVMIP drbdadm -d adjust "$vmName" +($doDryRun) || ssh $slaveKVMIP drbdadm adjust "$vmName" +dryRun drbdadm -- --overwrite-data-of-peer primary "$vmName" +sleep 5 && drbd-overview | tail -4 + +drbdDiskPath="/dev/drbd/by-res/${vmName}/0" +if ! [[ -b "$drbdDiskPath" ]]; then + warn "$drbdDiskPath not found! Continue? [y/N]" + read + if ! 
[[ "$REPLY" =~ (Y|y) ]]; then + exit 1 + fi +fi + +virtHome="" +[ "$volhomeDisk" != "none" ] && virtHome="--disk path=/dev/drbd/by-disk/${volhomeDisk}/${vmName}_home,bus=virtio,io=threads,cache=none,format=raw" + +dryRun virt-install --connect=qemu:///system \ + --name=${vmName} \ + --cpu mode=host-passthrough --vcpus=${vCPU} \ + --ram=${memory%%G} \ + --disk path=/dev/drbd/by-disk/${volrootDisk}/${vmName}_root,bus=virtio,io=threads,cache=none,format=raw \ + $virtHome \ + --network=bridge:br0,model=virtio \ + --noautoconsole --graphics vnc,listen=127.0.0.1,keymap=fr \ + --rng /dev/random \ + --os-variant=none \ + --pxe + +echo -e "\e[32mDone! Now you can install your VM with virt-manager.\e[39m" diff --git a/kvm-host/tasks/main.yml b/kvm-host/tasks/main.yml index a3ee3556..e54b4b35 100644 --- a/kvm-host/tasks/main.yml +++ b/kvm-host/tasks/main.yml @@ -21,6 +21,12 @@ changed_when: False when: usr_partition.rc == 0 +- name: Copy add-vm script + copy: + src: add-vm.sh + dest: /usr/share/scripts/add-vm.sh + mode: "0750" + - include: munin.yml - include: images.yml From 7cf08cec1a4f2ae4efc1d1725716968e7df7c089 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Thu, 26 Oct 2017 15:57:12 +0200 Subject: [PATCH 199/266] kvm-host: fix shared-secret generation --- kvm-host/files/add-vm.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kvm-host/files/add-vm.sh b/kvm-host/files/add-vm.sh index 3d93de37..4f0a97b2 100644 --- a/kvm-host/files/add-vm.sh +++ b/kvm-host/files/add-vm.sh @@ -126,7 +126,7 @@ cat << EOT > $tmpResFile resource "${vmName}" { net { cram-hmac-alg "sha1"; - shared-secret "$(apg -m21 -n1)"; + shared-secret "$(apg -n 1 -m 16 -M lcN)"; # Si pas de lien dedié 10G, passer en protocol A # Et desactiver allow-two-primaries; protocol C; From 4a626df981c6496b12a7c1fdea432bce31a75eab Mon Sep 17 00:00:00 2001 
From: Victor LABORIE Date: Thu, 26 Oct 2017 16:29:57 +0200 Subject: [PATCH 200/266] kvm-host: fix memory allocation in add-vm.sh --- kvm-host/files/add-vm.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kvm-host/files/add-vm.sh b/kvm-host/files/add-vm.sh index 4f0a97b2..6eb94cdc 100644 --- a/kvm-host/files/add-vm.sh +++ b/kvm-host/files/add-vm.sh @@ -68,6 +68,7 @@ $DIALOG --hfile $HELPFILE --title "KVM Config" --form "Set the right config. "\ 2>$DIALOGOUT vCPU=$(sed 1'q;d' $DIALOGOUT) memory=$(sed 2'q;d' $DIALOGOUT) +memory=$(($memory * 1024)) volroot=$(sed 3'q;d' $DIALOGOUT) volhome=$(sed 4'q;d' $DIALOGOUT) vmName=$(sed 5'q;d' $DIALOGOUT) @@ -193,7 +194,7 @@ virtHome="" dryRun virt-install --connect=qemu:///system \ --name=${vmName} \ --cpu mode=host-passthrough --vcpus=${vCPU} \ - --ram=${memory%%G} \ + --memory=${memory} \ --disk path=/dev/drbd/by-disk/${volrootDisk}/${vmName}_root,bus=virtio,io=threads,cache=none,format=raw \ $virtHome \ --network=bridge:br0,model=virtio \ From 1075abed23ce57ca9ae42590f7ac5c481620477a Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Thu, 26 Oct 2017 16:44:31 +0200 Subject: [PATCH 201/266] kvm-host: fix memory allocation in add-vm.sh (again) --- kvm-host/files/add-vm.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kvm-host/files/add-vm.sh b/kvm-host/files/add-vm.sh index 6eb94cdc..0ea43921 100644 --- a/kvm-host/files/add-vm.sh +++ b/kvm-host/files/add-vm.sh @@ -67,7 +67,7 @@ $DIALOG --hfile $HELPFILE --title "KVM Config" --form "Set the right config. "\ "vmName" 5 1 "" 5 10 20 0 \ 2>$DIALOGOUT vCPU=$(sed 1'q;d' $DIALOGOUT) -memory=$(sed 2'q;d' $DIALOGOUT) +memory=$(sed 2'q;d' $DIALOGOUT|tr -d 'G') memory=$(($memory * 1024)) volroot=$(sed 3'q;d' $DIALOGOUT) volhome=$(sed 4'q;d' $DIALOGOUT) From bdc3ec7fd8771a38007c078b966b33c602a78e11 Mon Sep 17 00:00:00 2001 
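Review bot: `memory=$(($memory * 1024))` evaluates the dialog input with bash arithmetic, which recursively expands its operands: after `tr -d 'G'` strips the unit, anything else the operator types (a typo such as `4GB`, or `a[$(cmd)]`) is either a fatal arithmetic error under `set -e` or a command execution. Validate before converting: `[[ "$memory" =~ ^[0-9]+$ ]] || critical "memory must be an integer number of GiB, e.g. 4G"`. Because the conversion now happens before the confirmation dialog, the yes/no prompt shows `4096 memory` with no unit; printing `${memory}M` there would make the confirmation unambiguous. The rest of the form handling is outside this hunk.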
From: Victor LABORIE Date: Thu, 26 Oct 2017 16:45:35 +0200 Subject: [PATCH 202/266] kvm-host: make an evomaintenance with add-vm.sh --- kvm-host/files/add-vm.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kvm-host/files/add-vm.sh b/kvm-host/files/add-vm.sh index 0ea43921..ccad9772 100644 --- a/kvm-host/files/add-vm.sh +++ b/kvm-host/files/add-vm.sh @@ -203,4 +203,6 @@ dryRun virt-install --connect=qemu:///system \ --os-variant=none \ --pxe +[ -x /usr/share/scripts/evomaintenance.sh ] && echo "Install VM ${vmName} (add-vm.sh)" | /usr/share/scripts/evomaintenance.sh + echo -e "\e[32mDone! Now you can install your VM with virt-manager.\e[39m" From bcda3b013eb331710c4a5fa0716bf7e22a9a9604 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Thu, 26 Oct 2017 17:19:04 +0200 Subject: [PATCH 203/266] kvm-host: move add-vm.sh script into another GIT repository --- kvm-host/files/add-vm.sh | 208 --------------------------------------- kvm-host/tasks/main.yml | 4 +- 2 files changed, 2 insertions(+), 210 deletions(-) delete mode 100644 kvm-host/files/add-vm.sh diff --git a/kvm-host/files/add-vm.sh b/kvm-host/files/add-vm.sh deleted file mode 100644 index ccad9772..00000000 --- a/kvm-host/files/add-vm.sh +++ /dev/null 
@@ -1,208 +0,0 @@ -#!/bin/bash -# Add-VM script to add a VM on evoKVM. -# _ ____ ____ __ ____ __ -# / \ | _ \| _ \ \ \ / / \/ | -# / _ \ | | | | | | |____\ \ / /| |\/| | -# / ___ \| |_| | |_| |_____\ V / | | | | -# /_/ \_\____/|____/ \_/ |_| |_| -# -# Need packages: dialog -# Bash strict mode -set -euo pipefail - -dryRun() { - - if ($doDryRun); then - echo -e "\e[34mDoing:" $* "\e[39m" - else - echo -e "\e[34mDoing:" $* "\e[39m" - $* - fi -} - -critical() { - echo -ne "\e[31m${1}\e[39m\n" && exit 1 -} - -warn() { - - echo -ne "\e[33m${1}\e[39m\n" -} - -masterKVMIP="" -slaveKVMIP="" -[ -f "/etc/evolinux/add-vm.cnf" ] && . /etc/evolinux/add-vm.cnf -[ -z "$masterKVMIP" ] && critical "You must define masterKVMIP in /etc/evolinux/add-vm.cnf!!" -[ -z "$slaveKVMIP" ] && critical "You must define slaveKVMIP in /etc/evolinux/add-vm.cnf!!" - -export DIALOGOUT=$(mktemp --tmpdir=/tmp addvm.XXX) -# TODO: How to replace _ with a space?? -export DIALOG="$(which dialog) --backtitle Add-VM_Press_F1_for_help" -export DIALOGRC=.dialogrc -export HELPFILE=$(mktemp --tmpdir=/tmp addvm.XXX) -tmpResFile=$(mktemp --tmpdir=/tmp addvm.XXX) -xmlVM=$(mktemp --tmpdir=/tmp addvm.XXX) -masterKVM="$(hostname -s)" -slaveKVM="$(ssh $slaveKVMIP hostname -s)" -doDryRun=false - -# Exit & Cleanup function. -clean() { - - echo -e "\nBye! Cleaning..." - [ -f $DIALOGOUT ] && rm $DIALOGOUT - [ -f $HELPFILE ] && rm $HELPFILE -# [ -f $tmpResFile ] && rm $tmpResFile -# [ -f $xmlVM ] && rm $xmlVM - exit -} -trap clean EXIT SIGINT - -$DIALOG --hfile $HELPFILE --title "KVM Config" --form "Set the right config. "\ -"If you do not want a type of disk, type none." 
0 0 0 \ - "vCPU" 1 1 "2" 1 10 20 0 \ - "memory" 2 1 "4G" 2 10 20 0 \ - "volroot" 3 1 "ssd-20G" 3 10 20 0 \ - "volhome" 4 1 "hdd-40G" 4 10 20 0 \ - "vmName" 5 1 "" 5 10 20 0 \ - 2>$DIALOGOUT -vCPU=$(sed 1'q;d' $DIALOGOUT) -memory=$(sed 2'q;d' $DIALOGOUT|tr -d 'G') -memory=$(($memory * 1024)) -volroot=$(sed 3'q;d' $DIALOGOUT) -volhome=$(sed 4'q;d' $DIALOGOUT) -vmName=$(sed 5'q;d' $DIALOGOUT) - -[ -z "$vmName" ] && critical "You need a VM Name!!" - -$DIALOG --title "Continue?" --clear "$@" \ - --yesno "Will create a VM named $vmName on $masterKVM with $vCPU vCPU, "\ -"$memory memory, $volroot for / (and /usr, ...) and $volhome for /home." 10 80 -if [[ $? -ne 0 ]]; then - exit 1 -fi - -if ! [[ "$volroot" =~ (ssd|hdd)-([0-9]+G) ]]; then - critical "No volume for root device (/dev/vda)?!!" -else - volrootDisk="${BASH_REMATCH[1]}" - volrootSize="${BASH_REMATCH[2]}" - dryRun lvcreate -L$volrootSize -n${vmName}_root $volrootDisk - dryRun ssh $slaveKVMIP lvcreate -L$volrootSize -n${vmName}_root $volrootDisk -fi - -if ! [[ "$volhome" =~ (ssd|hdd)-([0-9]+G) ]]; then - warn "No volume for home device (/dev/vdb)... Okay, not doing it!" - volhomeDisk="none" -else - volhomeDisk="${BASH_REMATCH[1]}" - volhomeSize="${BASH_REMATCH[2]}" - dryRun lvcreate -L$volhomeSize -n${vmName}_home $volhomeDisk - dryRun ssh $slaveKVMIP lvcreate -L$volhomeSize -n${vmName}_home $volhomeDisk -fi - -if [[ -f "/etc/drbd.d/${vmName}.res" ]]; then - warn "The DRBD resource file ${vmName}.res is already present! Continue? [y/N]" - read - if ! [[ "$REPLY" =~ (Y|y) ]]; then - exit 1 - fi -fi - -# Generates drbd resource file. 
- -if [ $(ls /etc/drbd.d/|wc -l) -gt 1 ]; then - lastdrbdPort=$(grep -hEo ':[0-9]{4}' /etc/drbd.d/*.res | sort | uniq | tail -1 | sed 's/://') - drbdPort=$((lastdrbdPort+1)) - lastMinor=$(grep -hEo 'minor [0-9]{1,}' /etc/drbd.d/*.res | sed 's/minor //' | sort -n | tail -1) - minorvol0=$((lastMinor+1)) - minorvol1=$((lastMinor+2)) -else - drbdPort=7900 - minorvol0=0 - minorvol1=1 -fi - -cat << EOT > $tmpResFile -resource "${vmName}" { - net { - cram-hmac-alg "sha1"; - shared-secret "$(apg -n 1 -m 16 -M lcN)"; - # Si pas de lien dedié 10G, passer en protocol A - # Et desactiver allow-two-primaries; - protocol C; - allow-two-primaries; - # Tuning perf. - max-buffers 8000; - max-epoch-size 8000; - sndbuf-size 0; - } - # A utiliser si RAID HW avec cache + batterie - disk { - disk-barrier no; - disk-flushes no; - } - volume 0 { - device minor ${minorvol0}; - disk /dev/${volrootDisk}/${vmName}_root; - meta-disk internal; - } -EOT -if [[ "$volhomeDisk" != "none" ]]; then - cat << EOT >> $tmpResFile - volume 1 { - device minor ${minorvol1}; - disk /dev/${volhomeDisk}/${vmName}_home; - meta-disk internal; - } -EOT -fi -cat << EOT >> $tmpResFile - on $masterKVM { - address ${masterKVMIP}:${drbdPort}; - } - on $slaveKVM { - address ${slaveKVMIP}:${drbdPort}; - } -} -EOT - -# Create/Activate the new drbd resources. -dryRun install -m 600 $tmpResFile /etc/drbd.d/${vmName}.res -dryRun scp /etc/drbd.d/${vmName}.res ${slaveKVMIP}:/etc/drbd.d/ -dryRun drbdadm create-md "$vmName" -dryRun ssh $slaveKVMIP drbdadm create-md "$vmName" -($doDryRun) && drbdadm -d adjust "$vmName" -($doDryRun) || drbdadm adjust "$vmName" -($doDryRun) && ssh $slaveKVMIP drbdadm -d adjust "$vmName" -($doDryRun) || ssh $slaveKVMIP drbdadm adjust "$vmName" -dryRun drbdadm -- --overwrite-data-of-peer primary "$vmName" -sleep 5 && drbd-overview | tail -4 - -drbdDiskPath="/dev/drbd/by-res/${vmName}/0" -if ! [[ -b "$drbdDiskPath" ]]; then - warn "$drbdDiskPath not found! Continue? [y/N]" - read - if ! 
[[ "$REPLY" =~ (Y|y) ]]; then - exit 1 - fi -fi - -virtHome="" -[ "$volhomeDisk" != "none" ] && virtHome="--disk path=/dev/drbd/by-disk/${volhomeDisk}/${vmName}_home,bus=virtio,io=threads,cache=none,format=raw" - -dryRun virt-install --connect=qemu:///system \ - --name=${vmName} \ - --cpu mode=host-passthrough --vcpus=${vCPU} \ - --memory=${memory} \ - --disk path=/dev/drbd/by-disk/${volrootDisk}/${vmName}_root,bus=virtio,io=threads,cache=none,format=raw \ - $virtHome \ - --network=bridge:br0,model=virtio \ - --noautoconsole --graphics vnc,listen=127.0.0.1,keymap=fr \ - --rng /dev/random \ - --os-variant=none \ - --pxe - -[ -x /usr/share/scripts/evomaintenance.sh ] && echo "Install VM ${vmName} (add-vm.sh)" | /usr/share/scripts/evomaintenance.sh - -echo -e "\e[32mDone! Now you can install your VM with virt-manager.\e[39m" diff --git a/kvm-host/tasks/main.yml b/kvm-host/tasks/main.yml index e54b4b35..cb0040f4 100644 --- a/kvm-host/tasks/main.yml +++ b/kvm-host/tasks/main.yml @@ -22,8 +22,8 @@ when: usr_partition.rc == 0 - name: Copy add-vm script - copy: - src: add-vm.sh + get_url: + url: https://forge.evolix.org/projects/kvm-tools/repository/revisions/master/raw/add-vm.sh dest: /usr/share/scripts/add-vm.sh mode: "0750" From a3744bbe59acd93bca32e1bbf3fba7bd5b94b693 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 27 Oct 2017 11:41:31 +0200 Subject: [PATCH 204/266] Add opendkim role --- opendkim/defaults/main.yml | 2 + opendkim/files/opendkim.conf | 18 +++++++ opendkim/handlers/main.yml | 10 ++++ opendkim/tasks/main.yml | 67 +++++++++++++++++++++++++++ packmail/meta/main.yml | 1 + postfix/templates/packmail_main.cf.j2 | 5 ++ 6 files changed, 103 insertions(+) create mode 100644 opendkim/defaults/main.yml create mode 100644 opendkim/files/opendkim.conf create mode 100644 opendkim/handlers/main.yml create mode 100644 opendkim/tasks/main.yml diff --git a/opendkim/defaults/main.yml b/opendkim/defaults/main.yml new file mode 100644 index 00000000..582c19d6 
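Review bot: The new `get_url` task fetches add-vm.sh from a `master/raw` URL with no `checksum:`, so whatever that URL serves at run time lands in /usr/share/scripts with mode 0750 and is later executed as root on the hypervisor. The previous `copy:` kept the script under review in this repository; that property is lost unless the download is pinned, e.g. point `url:` at a fixed revision instead of `master` and add `checksum: "sha256:<digest of the pinned revision>"` so a changed upstream file fails the task rather than being deployed. The task is the only visible consumer of the script, so nothing else in the role would catch a silent change.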
--- /dev/null +++ b/opendkim/defaults/main.yml @@ -0,0 +1,2 @@ +--- +opendkim_is_active: True diff --git a/opendkim/files/opendkim.conf b/opendkim/files/opendkim.conf new file mode 100644 index 00000000..e881694b --- /dev/null +++ b/opendkim/files/opendkim.conf @@ -0,0 +1,18 @@ +UserID opendkim +Socket inet:54321:127.0.0.1 +PidFile /var/run/opendkim/opendkim.pid +OversignHeaders From +TrustAnchorFile /usr/share/dns/root.key +Selector default +Canonicalization relaxed/relaxed +ExternalIgnoreList refile:/etc/opendkim/TrustedHosts +InternalHosts refile:/etc/opendkim/TrustedHosts +KeyTable refile:/etc/opendkim/KeyTable +LogResults Yes +LogWhy Yes +Mode sv +SigningTable refile:/etc/opendkim/SigningTable +Syslog Yes +SyslogSuccess Yes +TemporaryDirectory /var/tmp +UMask 007 diff --git a/opendkim/handlers/main.yml b/opendkim/handlers/main.yml new file mode 100644 index 00000000..ccf166a8 --- /dev/null +++ b/opendkim/handlers/main.yml @@ -0,0 +1,10 @@ +--- +- name: reload opendkim + systemd: + name: opendkim + state: reloaded + +- name: restart opendkim + systemd: + name: opendkim + state: restarted diff --git a/opendkim/tasks/main.yml b/opendkim/tasks/main.yml new file mode 100644 index 00000000..c5d6fb8e --- /dev/null +++ b/opendkim/tasks/main.yml 
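Review bot: In opendkim.conf the same file, /etc/opendkim/TrustedHosts, is used for both `InternalHosts` and `ExternalIgnoreList`, and with `Mode sv` every entry in it is a sender whose mail OpenDKIM signs instead of verifying. The tasks hunk seeds it with 127.0.0.1 only, but any later append to TrustedHosts silently widens the set of hosts exempt from verification, which is easy to miss because the file is named like an allow-list. A comment above the two directives would make that explicit: `# TrustedHosts feeds both InternalHosts (sign, never verify) and ExternalIgnoreList; keep it to hosts that legitimately relay through this server`.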
@@ -0,0 +1,67 @@ +--- +- name: install OpenDKIM + apt: + name: "{{ item }}" + state: present + with_items: + - opendkim + - opendkim-tools + tags: + - opendkim + +- name: create keys directory + file: + name: "{{ item }}" + state: directory + owner: opendkim + group: opendkim + mode: "0750" + with_items: + - '/etc/opendkim' + - '/etc/opendkim/keys' + tags: + - opendkim + +- name: add 127.0.0.1 to TrustedHosts + lineinfile: + dest: '/etc/opendkim/TrustedHosts' + line: '127.0.0.1' + create: True + owner: opendkim + group: opendkim + mode: "0640" + notify: reload opendkim + tags: + - opendkim + +- name: create config files + file: + name: "/etc/opendkim/{{ item }}" + state: touch + owner: opendkim + group: opendkim + mode: "0640" + with_items: + - 'KeyTable' + - 'SigningTable' + changed_when: False + tags: + - opendkim + +- name: copy OpenDKIM config + copy: + src: opendkim.conf + dest: /etc/opendkim.conf + mode: "0644" + force: yes + notify: restart opendkim + tags: + - opendkim + +- name: ensure opendkim is started and enabled + systemd: + name: opendkim + state: started + enabled: True + tags: + - opendkim diff --git a/packmail/meta/main.yml b/packmail/meta/main.yml index 06186051..2f99ef2c 100644 --- a/packmail/meta/main.yml +++ b/packmail/meta/main.yml @@ -4,6 +4,7 @@ dependencies: - { role: amavis } - { role: spamassasin } - { role: clamav } + - { role: opendkim } - { role: postfix, postfix_packmail: True, postfix_force_main_cf: True } - { role: dovecot } - { role: apache } diff --git a/postfix/templates/packmail_main.cf.j2 b/postfix/templates/packmail_main.cf.j2 index 86a03768..2f0fb75f 100644 --- a/postfix/templates/packmail_main.cf.j2 +++ b/postfix/templates/packmail_main.cf.j2 
@@ -417,3 +417,8 @@ transport_maps = hash:$config_directory/transport {% if amavis_is_active is defined and amavis_is_active == True %} content_filter = smtp-amavis:[127.0.0.1]:10024 {% endif %} + +{% if opendkim_is_active is defined and opendkim_is_active == True %} +smtpd_milters = inet:127.0.0.1:54321 +non_smtpd_milters = inet:127.0.0.1:54321 +{% endif %} From 0cdae8b246f32365ee49deab9c1a10dea161a12e Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 27 Oct 2017 11:52:03 +0200 Subject: [PATCH 205/266] postfix: split main task into minimal and packmail --- postfix/tasks/main.yml | 144 +------------------------------ postfix/tasks/minimal.yml | 24 ++++++ postfix/tasks/packmail.yml | 111 ++++++++++++++++++++++++ postfix/tasks/slow_transport.yml | 4 + 4 files changed, 143 insertions(+), 140 deletions(-) create mode 100644 postfix/tasks/minimal.yml create mode 100644 postfix/tasks/packmail.yml diff --git a/postfix/tasks/main.yml b/postfix/tasks/main.yml index 628e0eab..714787d6 100644 --- a/postfix/tasks/main.yml +++ b/postfix/tasks/main.yml @@ -1,21 +1,4 @@ -- name: ensure packages are installed - apt: - name: '{{ item }}' - state: present - with_items: - - postfix - - mailgraph - tags: - - postfix - -- name: ensure ldap packages are installed - apt: - name: "postfix-ldap" - state: present - when: postfix_packmail == True - tags: - - postfix - +--- - name: check if main.cf is default shell: grep -v -E "^(myhostname|mydestination|mailbox_command)" /etc/postfix/main.cf | md5sum - changed_when: False 
@@ -24,130 +7,11 @@ tags: - postfix -- block: +- include: minimal.yml + when: postfix_packmail == False - - name: create minimal main.cf - template: - src: evolinux_main.cf.j2 - dest: /etc/postfix/main.cf - owner: root - group: root - mode: "0644" - force: yes - when: postfix_packmail != True - notify: restart postfix - tags: - - postfix - - - name: create packmail main.cf - template: - src: packmail_main.cf.j2 - dest: /etc/postfix/main.cf - owner: root - group: root - mode: "0644" - force: yes - when: postfix_packmail == True - notify: restart postfix - tags: - - postfix - - when: postfix_force_main_cf == True or - default_main_cf.stdout == "5450c05d65878e99dad696c7c722e511 -" or - default_main_cf.stdout == "30022953f1f61f002bfb72e163ecb27e -" - -- name: deploy packmail master.cf - template: - src: packmail_master.cf.j2 - dest: /etc/postfix/master.cf - mode: "0644" +- include: packmail.yml when: postfix_packmail == True - notify: restart postfix - tags: - - postfix - -- name: copy default filter files - copy: - src: filter - dest: "/etc/postfix/{{ item }}" - force: no - with_items: - - virtual - - client.access - - client.access_local - - header_kill - - header_kill_local - - recipient.access - - recipient.access_local - - sa-blacklist.access - - sender.access - - sender.access_local - - spamd.cidr - when: postfix_packmail == True - register: postfix_copy_filter - tags: - - postfix - -- name: postmap filter files - command: "postmap /etc/postfix/{{ item }}" - with_items: - - virtual - - client.access - - client.access_local - - header_kill - - header_kill_local - - recipient.access - - recipient.access_local - - sa-blacklist.access - - sender.access - - sender.access_local - - spamd.cidr - when: postfix_packmail == True and postfix_copy_filter.changed - tags: - - postfix - -- name: deploy ldap postfix config - template: - src: "{{ item }}.j2" - dest: "/etc/postfix/{{ item }}" - mode: "0644" - with_items: - - virtual_aliases.cf - - virtual_domains.cf - - 
virtual_mailboxes.cf - when: postfix_packmail == True - notify: restart postfix - tags: - - postfix - -- name: copy spam.sh script - copy: - src: spam.sh - dest: /usr/share/scripts/spam.sh - mode: "0700" - when: postfix_packmail == True - tags: - - postfix - -- name: enable spam.sh cron - lineinfile: - dest: /etc/cron.d/spam - line: "42 * * * * /usr/share/scripts/spam.sh" - create: yes - state: present - mode: "0640" - when: postfix_packmail == True - tags: - - postfix - -- name: update antispam list - command: /usr/share/scripts/spam.sh - changed_when: false - when: postfix_packmail == True - tags: - - postfix - include: slow_transport.yml when: postfix_slow_transport_include - tags: - - postfix diff --git a/postfix/tasks/minimal.yml b/postfix/tasks/minimal.yml new file mode 100644 index 00000000..99b99003 --- /dev/null +++ b/postfix/tasks/minimal.yml @@ -0,0 +1,24 @@ +--- +- name: ensure packages are installed + apt: + name: '{{ item }}' + state: present + with_items: + - postfix + tags: + - postfix + +- name: create minimal main.cf + template: + src: evolinux_main.cf.j2 + dest: /etc/postfix/main.cf + owner: root + group: root + mode: "0644" + force: yes + notify: restart postfix + when: postfix_force_main_cf == True or + default_main_cf.stdout == "5450c05d65878e99dad696c7c722e511 -" or + default_main_cf.stdout == "30022953f1f61f002bfb72e163ecb27e -" + tags: + - postfix diff --git a/postfix/tasks/packmail.yml b/postfix/tasks/packmail.yml new file mode 100644 index 00000000..e485d6b1 --- /dev/null +++ b/postfix/tasks/packmail.yml 
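Review bot: minimal.yml's `when:` on "create minimal main.cf" reads `default_main_cf`, which is not registered in this file; it comes from the "check if main.cf is default" task in main.yml, and the same applies to "create packmail main.cf" in packmail.yml. Anyone including either file on its own gets an undefined-variable failure, so a one-line comment above the task would save a round trip: `# default_main_cf is registered by "check if main.cf is default" in main.yml`. The two md5sum literals on the following lines are inherited from the old main.yml, but a short note on which upstream main.cf each digest corresponds to would help when a new Debian release changes the default file.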
@@ -0,0 +1,111 @@ +--- +- name: ensure packages are installed + apt: + name: '{{ item }}' + state: present + with_items: + - postfix + - postfix-ldap + - mailgraph + tags: + - postfix + +- name: create packmail main.cf + template: + src: packmail_main.cf.j2 + dest: /etc/postfix/main.cf + owner: root + group: root + mode: "0644" + force: yes + notify: restart postfix + when: postfix_force_main_cf == True or + default_main_cf.stdout == "5450c05d65878e99dad696c7c722e511 -" or + default_main_cf.stdout == "30022953f1f61f002bfb72e163ecb27e -" + tags: + - postfix + +- name: deploy packmail master.cf + template: + src: packmail_master.cf.j2 + dest: /etc/postfix/master.cf + mode: "0644" + notify: restart postfix + tags: + - postfix + +- name: copy default filter files + copy: + src: filter + dest: "/etc/postfix/{{ item }}" + force: no + with_items: + - virtual + - client.access + - client.access_local + - header_kill + - header_kill_local + - recipient.access + - recipient.access_local + - sa-blacklist.access + - sender.access + - sender.access_local + - spamd.cidr + register: postfix_copy_filter + tags: + - postfix + +- name: postmap filter files + command: "postmap /etc/postfix/{{ item }}" + with_items: + - virtual + - client.access + - client.access_local + - header_kill + - header_kill_local + - recipient.access + - recipient.access_local + - sa-blacklist.access + - sender.access + - sender.access_local + - spamd.cidr + when: postfix_copy_filter.changed + tags: + - postfix + +- name: deploy ldap postfix config + template: + src: "{{ item }}.j2" + dest: "/etc/postfix/{{ item }}" + mode: "0644" + with_items: + - virtual_aliases.cf + - virtual_domains.cf + - virtual_mailboxes.cf + notify: restart postfix + tags: + - postfix + +- name: copy spam.sh script + copy: + src: spam.sh + dest: /usr/share/scripts/spam.sh + mode: "0700" + tags: + - postfix + +- name: enable spam.sh cron + lineinfile: + dest: /etc/cron.d/spam + line: "42 * * * * /usr/share/scripts/spam.sh" + create: 
yes + state: present + mode: "0640" + tags: + - postfix + +- name: update antispam list + command: /usr/share/scripts/spam.sh + changed_when: false + tags: + - postfix diff --git a/postfix/tasks/slow_transport.yml b/postfix/tasks/slow_transport.yml index d5566bdb..2f4cab1e 100644 --- a/postfix/tasks/slow_transport.yml +++ b/postfix/tasks/slow_transport.yml @@ -5,6 +5,8 @@ regexp: "^slow " line: "slow unix - - n - - smtp" notify: restart postfix + tags: + - postfix - name: list of providers for slow transport lineinfile: @@ -21,3 +23,5 @@ - "hotmail.fr slow:" - "hotmail.com slow:" notify: postmap transport + tags: + - postfix From 7413ebdd2b73ebab1f4f0435d83ade8660108731 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 27 Oct 2017 12:02:27 +0200 Subject: [PATCH 206/266] postfix: add spf verification to packmail config --- postfix/tasks/packmail.yml | 1 + postfix/templates/packmail_main.cf.j2 | 3 +++ postfix/templates/packmail_master.cf.j2 | 3 +++ 3 files changed, 7 insertions(+) diff --git a/postfix/tasks/packmail.yml b/postfix/tasks/packmail.yml index e485d6b1..d7c37611 100644 --- a/postfix/tasks/packmail.yml +++ b/postfix/tasks/packmail.yml @@ -6,6 +6,7 @@ with_items: - postfix - postfix-ldap + - postfix-policyd-spf-python - mailgraph tags: - postfix diff --git a/postfix/templates/packmail_main.cf.j2 b/postfix/templates/packmail_main.cf.j2 index 2f0fb75f..5e80dbf5 100644 --- a/postfix/templates/packmail_main.cf.j2 +++ b/postfix/templates/packmail_main.cf.j2 @@ -339,6 +339,7 @@ smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, + check_policy_service unix:private/policyd-spf, check_client_access hash:$config_directory/client.access_local, check_client_access hash:$config_directory/client.access, check_sender_access hash:$config_directory/sender.access_local, 
@@ -350,6 +351,8 @@ smtpd_recipient_restrictions = reject_non_fqdn_sender, reject_unauth_pipelining, +policyd-spf_time_limit = 3600 + header_checks = regexp:$config_directory/header_kill_local, regexp:$config_directory/header_kill diff --git a/postfix/templates/packmail_master.cf.j2 b/postfix/templates/packmail_master.cf.j2 index 69964605..6f693c8a 100644 --- a/postfix/templates/packmail_master.cf.j2 +++ b/postfix/templates/packmail_master.cf.j2 @@ -116,6 +116,9 @@ mailman unix - n n - - pipe slow unix - - n - - smtp +policyd-spf unix - n n - 0 spawn + user=policyd-spf argv=/usr/bin/policyd-spf + dovecot unix - n n - - pipe flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient} From 3c1416cf280c1a55dc4998a004fc5e475e23c1a0 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 27 Oct 2017 14:16:08 +0200 Subject: [PATCH 207/266] opendkim: fix UserID and Socket --- opendkim/files/opendkim.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/opendkim/files/opendkim.conf b/opendkim/files/opendkim.conf index e881694b..c8c4d385 100644 --- a/opendkim/files/opendkim.conf +++ b/opendkim/files/opendkim.conf @@ -1,5 +1,5 @@ -UserID opendkim -Socket inet:54321:127.0.0.1 +UserID opendkim:opendkim +Socket inet:54321@127.0.0.1 PidFile /var/run/opendkim/opendkim.pid OversignHeaders From TrustAnchorFile /usr/share/dns/root.key From 210b0095b6139aaddb2775c3d9eb48dae064dd95 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 27 Oct 2017 14:23:35 +0200 Subject: [PATCH 208/266] postfix: always include amavis and opendkim config when packmail --- amavis/defaults/main.yml | 2 -- opendkim/defaults/main.yml | 2 -- postfix/templates/packmail_main.cf.j2 | 14 +++++--------- postfix/templates/packmail_master.cf.j2 | 2 -- 4 files changed, 5 insertions(+), 15 deletions(-) delete mode 100644 amavis/defaults/main.yml delete mode 100644 opendkim/defaults/main.yml 
diff --git a/amavis/defaults/main.yml b/amavis/defaults/main.yml deleted file mode 100644 index 5c727eff..00000000 --- a/amavis/defaults/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -amavis_is_active: True diff --git a/opendkim/defaults/main.yml b/opendkim/defaults/main.yml deleted file mode 100644 index 582c19d6..00000000 --- a/opendkim/defaults/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -opendkim_is_active: True diff --git a/postfix/templates/packmail_main.cf.j2 b/postfix/templates/packmail_main.cf.j2 index 5e80dbf5..9f14ec50 100644 --- a/postfix/templates/packmail_main.cf.j2 +++ b/postfix/templates/packmail_main.cf.j2 @@ -401,6 +401,11 @@ broken_sasl_auth_clients = yes smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth-client +# Amavis and OpenDKIM +content_filter = smtp-amavis:[127.0.0.1]:10024 +smtpd_milters = inet:[127.0.0.1]:54321 +non_smtpd_milters = inet:[127.0.0.1]:54321 + {% if postfix_slow_transport_include == True %} # Slow transports configuration minimal_backoff_time = 2h @@ -416,12 +421,3 @@ slow_destination_concurrency_failed_cohort_limit = 100 slow_destination_recipient_limit = 25 transport_maps = hash:$config_directory/transport {% endif %} - -{% if amavis_is_active is defined and amavis_is_active == True %} -content_filter = smtp-amavis:[127.0.0.1]:10024 -{% endif %} - -{% if opendkim_is_active is defined and opendkim_is_active == True %} -smtpd_milters = inet:127.0.0.1:54321 -non_smtpd_milters = inet:127.0.0.1:54321 -{% endif %} diff --git a/postfix/templates/packmail_master.cf.j2 b/postfix/templates/packmail_master.cf.j2 index 6f693c8a..c3d0e40e 100644 --- a/postfix/templates/packmail_master.cf.j2 +++ b/postfix/templates/packmail_master.cf.j2 
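Review bot: With the `{% if %}` guards removed, `smtpd_milters`/`non_smtpd_milters` always point at 127.0.0.1:54321, and `milter_default_action` is left unset, so Postfix keeps its default of `tempfail`: if OpenDKIM is stopped or fails to start, every SMTP session and every local submission is deferred. That is the safer choice for signing guarantees, but it is now a hard coupling with no toggle, since the defaults files that carried `amavis_is_active`/`opendkim_is_active` are deleted in this same commit. Either document it next to the block, e.g. `# milter_default_action is intentionally left at tempfail: mail must not leave unsigned`, or set `milter_default_action = accept` if availability is preferred over unsigned outbound mail. The same unconditional coupling now applies to `content_filter = smtp-amavis:[127.0.0.1]:10024`.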
@@ -134,7 +134,6 @@ localhost:10026 inet n - y - 10 smtpd -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 -{% if amavis_is_active is defined and amavis_is_active == True %} smtp-amavis unix - - y - 2 lmtp -o lmtp_data_done_timeout=1200 -o lmtp_send_xforward_command=yes @@ -169,4 +168,3 @@ pre-cleanup unix n - n - 0 cleanup -o always_bcc= -o sender_bcc_maps= -o recipient_bcc_maps= -{% endif %} From 6b620f4877b236ab3cb05ad5ee1867a32c935c93 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 27 Oct 2017 14:34:43 +0200 Subject: [PATCH 209/266] postfix/packmail: fix dependencies --- packmail/meta/main.yml | 5 ----- postfix/meta/main.yml | 9 +++++---- 2 files changed, 5 insertions(+), 9 deletions(-) diff --git a/packmail/meta/main.yml b/packmail/meta/main.yml index 2f99ef2c..c98ef251 100644 --- a/packmail/meta/main.yml +++ b/packmail/meta/main.yml @@ -1,11 +1,6 @@ --- dependencies: - { role: ldap, ldap_schema: 'cn4evolix.ldif' } - - { role: amavis } - - { role: spamassasin } - - { role: clamav } - - { role: opendkim } - { role: postfix, postfix_packmail: True, postfix_force_main_cf: True } - - { role: dovecot } - { role: apache } - { role: php, php_apache_enable: True } diff --git a/postfix/meta/main.yml b/postfix/meta/main.yml index a4cc6bd0..d9c76f96 100644 --- a/postfix/meta/main.yml +++ b/postfix/meta/main.yml @@ -13,7 +13,8 @@ galaxy_info: versions: - jessie -dependencies: [] - # List your role dependencies here, one per line. - # Be sure to remove the '[]' above if you add dependencies - # to this list. +dependencies: + - { role: spamassasin, when: postfix_packmail == True } + - { role: clamav, when: postfix_packmail == True } + - { role: opendkim, when: postfix_packmail == True } + - { role: dovecot, when: postfix_packmail == True } From b31110fb850bef822ad870d4ae947a51de4a1f1f Mon Sep 17 00:00:00 2001 
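Review bot: The postfix/meta hunk re-homes spamassasin, clamav, opendkim and dovecot as conditional dependencies, but `- { role: amavis }`, which the packmail/meta hunk removes in the same commit, is not added back. After the previous commit packmail_main.cf.j2 unconditionally sets `content_filter = smtp-amavis:[127.0.0.1]:10024`, so on a fresh packmail host Postfix would hand every message to a content filter that nothing in these dependencies installs, unless the spamassasin or clamav role pulls amavis in (not visible here). If that is the case, a comment saying so would help; otherwise add `- { role: amavis, when: postfix_packmail == True }` alongside the others.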
From: Victor LABORIE Date: Fri, 27 Oct 2017 14:47:01 +0200 Subject: [PATCH 210/266] postfix: merge packmail role into postfix role --- packmail/README.md | 15 ---------- packmail/defaults/main.yml | 5 ---- packmail/handlers/main.yml | 10 ------- packmail/meta/main.yml | 6 ---- packmail/tasks/main.yml | 34 ---------------------- {packmail => postfix}/files/cn4evolix.ldif | 0 postfix/meta/main.yml | 1 + 7 files changed, 1 insertion(+), 70 deletions(-) delete mode 100644 packmail/README.md delete mode 100644 packmail/defaults/main.yml delete mode 100644 packmail/handlers/main.yml delete mode 100644 packmail/meta/main.yml delete mode 100644 packmail/tasks/main.yml rename {packmail => postfix}/files/cn4evolix.ldif (100%) diff --git a/packmail/README.md b/packmail/README.md deleted file mode 100644 index f4cbbee3..00000000 --- a/packmail/README.md +++ /dev/null @@ -1,15 +0,0 @@ -# packmail - -Install the mail pack, with Postfix/Dovecot/LDAP/evoadmin-mail. - -## Tasks - -See `tasks/main.yml`. - -## Available variables - -Main variables are : - -* `packmail_enable_evoadmin_vhost` : enable VirtualHost for evoadmin (web interface to create mail accounts) - -The full list of variables (with default values) can be found in `defaults/main.yml`. diff --git a/packmail/defaults/main.yml b/packmail/defaults/main.yml deleted file mode 100644 index fc1d2a9f..00000000 --- a/packmail/defaults/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -# defaults file for packmail -general_alert_email: "root@localhost" - -packmail_enable_evoadmin_vhost: True diff --git a/packmail/handlers/main.yml b/packmail/handlers/main.yml deleted file mode 100644 index 92228e1c..00000000 --- a/packmail/handlers/main.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -- name: restart postfix - service: - name: postfix - state: restarted - -- name: restart dovecot - service: - name: dovecot - state: restarted diff --git a/packmail/meta/main.yml b/packmail/meta/main.yml deleted file mode 100644 index c98ef251..00000000 
--- a/packmail/meta/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -dependencies: - - { role: ldap, ldap_schema: 'cn4evolix.ldif' } - - { role: postfix, postfix_packmail: True, postfix_force_main_cf: True } - - { role: apache } - - { role: php, php_apache_enable: True } diff --git a/packmail/tasks/main.yml b/packmail/tasks/main.yml deleted file mode 100644 index 36d23365..00000000 --- a/packmail/tasks/main.yml +++ /dev/null @@ -1,34 +0,0 @@ ---- -- fail: - msg: only compatible with Debian >= 9 - when: - - ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('9', '<') - -- name: Additional packages are installed - apt: - name: '{{ item }}' - state: present - with_items: - - libapache2-mod-security2 - - modsecurity-crs - - apg - -- name: Additional modules are enabled - apache2_module: - name: '{{ item }}' - state: present - with_items: - - ssl - - include - - negotiation - - alias - -- name: Install Evoadmin - include_role: - name: webapps/evoadmin-mail - vars: - evoadminmail_enable_vhost: '{{ packmail_enable_evoadmin_vhost }}' - -- name: Install Roundcube - include_role: - name: webapps/roundcube diff --git a/packmail/files/cn4evolix.ldif b/postfix/files/cn4evolix.ldif similarity index 100% rename from packmail/files/cn4evolix.ldif rename to postfix/files/cn4evolix.ldif diff --git a/postfix/meta/main.yml b/postfix/meta/main.yml index d9c76f96..3c7b219a 100644 --- a/postfix/meta/main.yml +++ b/postfix/meta/main.yml @@ -14,6 +14,7 @@ galaxy_info: - jessie dependencies: + - { role: ldap, ldap_schema: 'cn4evolix.ldif', when: postfix_packmail == True } - { role: spamassasin, when: postfix_packmail == True } - { role: clamav, when: postfix_packmail == True } - { role: opendkim, when: postfix_packmail == True } From 2d1504ddf68eb6bcebf0a62e6fde8fc65fe5873f Mon Sep 17 00:00:00 2001 
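Review bot: The ldap dependency is the only part of the packmail role that this commit re-creates under postfix; the deleted packmail/tasks/main.yml also installed libapache2-mod-security2 and modsecurity-crs, enabled the ssl/include/negotiation/alias Apache modules, included the evoadmin-mail and roundcube webapps, and guarded all of it with a Debian >= 9 check, and none of that appears on the new side here. The next commit re-adds the four Apache modules, but unless the remaining pieces moved in a commit not shown in this series, the merged profile loses its ModSecurity layer, the `packmail_enable_evoadmin_vhost` knob and the version guard. A line in the commit message naming where those tasks went, or a TODO comment in postfix/meta/main.yml, would make the intent reviewable.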
From: Victor LABORIE Date: Fri, 27 Oct 2017 15:01:06 +0200 Subject: [PATCH 211/266] apache: add somes modules by defaults --- apache/tasks/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index ed99fe5a..35ffcf44 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -38,6 +38,10 @@ - expires - headers - cgi + - ssl + - include + - negotiation + - alias notify: reload apache tags: - apache From 79e6c5526574aac7fe280e2c442e8e11e23349be Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 27 Oct 2017 15:29:41 +0200 Subject: [PATCH 212/266] postfix: update README --- postfix/README.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/postfix/README.md b/postfix/README.md index 67f56298..04bf879a 100644 --- a/postfix/README.md +++ b/postfix/README.md @@ -4,9 +4,10 @@ Installation and basic configuration of Postfix. ## Tasks -Minimal configuration is in `tasks/main.yml` and optional customization in : +Minimal configuration is in `tasks/minimal.yml` and optional customization in : * `slow_transport.yml` : slow transport to specific destination. +* `packmail.yml` : config for virtual mail accounts with OpenLDAP ## Available variables @@ -14,5 +15,7 @@ Main variables are : * `postfix_hostname` : hostname for Postfix ; * `postfix_slow_transport` : enable customization for delivrability. +* `postfix_force_main_cf` : force copy of main.cf +* `postfix_packmail` : install an Evolix Packmail instead of lite postfix config The full list of variables (with default values) can be found in `defaults/main.yml`. From 91d2cce7d4cee70d3db400e8a5b680e8dcd9a739 Mon Sep 17 00:00:00 2001 
From: Victor LABORIE Date: Fri, 27 Oct 2017 16:04:59 +0200 Subject: [PATCH 213/266] opendkim: deploy script for add DKIM domain --- opendkim/files/opendkim-add.sh | 46 ++++++++++++++++++++++++++++++++++ opendkim/tasks/main.yml | 28 +++++++++++++++++++++ 2 files changed, 74 insertions(+) create mode 100644 opendkim/files/opendkim-add.sh diff --git a/opendkim/files/opendkim-add.sh b/opendkim/files/opendkim-add.sh new file mode 100644 index 00000000..a7da1ce0 --- /dev/null +++ b/opendkim/files/opendkim-add.sh @@ -0,0 +1,46 @@ +#!/bin/sh + +if [ "$#" -ne 1 ]; then + echo "Usage : $0 example.com" >&2 + exit 1 +fi + +domain="$(echo "$1"|xargs)" + +mkdir -pm 0750 "/etc/opendkim/keys/${domain}" +chown opendkim:opendkim "/etc/opendkim/keys/${domain}" + +if [ ! -f "/etc/opendkim/keys/${domain}/default.private" ]; then + cd "/etc/opendkim/keys/${domain}" + echo "Generate DKIM keys ..." + sudo -u opendkim opendkim-genkey -r -d "${domain}" + chmod 640 /etc/opendkim/keys/${domain}/* +fi + +grep -q "${domain}" /etc/opendkim/TrustedHosts +if [ "$?" -ne 0 ]; then + echo "Add ${domain} to TrustedHosts ..." + echo "${domain}" >> /etc/opendkim/TrustedHosts +fi + +grep -q "${domain}" /etc/opendkim/KeyTable +if [ "$?" -ne 0 ]; then + echo "Add ${domain} to KeyTable ..." + echo "default._domainkey.${domain} ${domain}:default:/etc/opendkim/keys/${domain}/default.private" >> /etc/opendkim/KeyTable +fi + +grep -q "${domain}" /etc/opendkim/SigningTable +if [ "$?" -ne 0 ]; then + echo "Add ${domain} to SigningTable ..." + echo "*@${domain} default._domainkey.${domain}" >> /etc/opendkim/SigningTable +fi + +systemctl reload opendkim +if [ "$?" -eq 0 ]; then + echo "OpenDKIM successfully reloaded" + echo "Public key is in : /etc/opendkim/keys/${domain}/default.txt" + exit 0 +else + echo "An error has occurred while opendkim reload, please FIX configuration !" >&2 + exit 1 +fi diff --git a/opendkim/tasks/main.yml b/opendkim/tasks/main.yml index c5d6fb8e..d491cd39 100644 
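Review bot: The three `grep -q "${domain}" ...` checks in opendkim-add.sh are unanchored regex matches, so adding `example.com` after `mail.example.com` is already present silently skips the append (and `.` matches any character), leaving the new domain without a KeyTable/SigningTable entry while the script still reports success. The script also splices `$1` straight into paths under /etc/opendkim/keys with nothing but `xargs` trimming it, and `cd` into the key directory is unchecked under `#!/bin/sh` without `set -e`, so a failed `cd` would run `opendkim-genkey` in the caller's working directory. Validate the argument as a plain DNS name, guard the `cd`, and match whole lines or fixed prefixes as below.
```shell
domain="$(echo "$1"|xargs)"
# Only accept a plain DNS name: the value is spliced into filesystem paths below.
case "${domain}" in
    ""|.*|*..*|*[!A-Za-z0-9.-]*)
        echo "Invalid domain name: '${domain}'" >&2
        exit 1
        ;;
esac

# … unchanged: mkdir/chown of the key directory …

if [ ! -f "/etc/opendkim/keys/${domain}/default.private" ]; then
    cd "/etc/opendkim/keys/${domain}" || exit 1
    # … unchanged: opendkim-genkey and chmod …
fi

# Whole-line, literal match so "example.com" is not masked by "mail.example.com".
if ! grep -qxF -- "${domain}" /etc/opendkim/TrustedHosts; then
    echo "Add ${domain} to TrustedHosts ..."
    echo "${domain}" >> /etc/opendkim/TrustedHosts
fi

if ! grep -qF -- "default._domainkey.${domain} " /etc/opendkim/KeyTable; then
    echo "Add ${domain} to KeyTable ..."
    echo "default._domainkey.${domain} ${domain}:default:/etc/opendkim/keys/${domain}/default.private" >> /etc/opendkim/KeyTable
fi

if ! grep -qF -- "*@${domain} " /etc/opendkim/SigningTable; then
    echo "Add ${domain} to SigningTable ..."
    echo "*@${domain} default._domainkey.${domain}" >> /etc/opendkim/SigningTable
fi

# … unchanged: systemctl reload and result reporting …
```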
--- a/opendkim/tasks/main.yml +++ b/opendkim/tasks/main.yml @@ -65,3 +65,31 @@ enabled: True tags: - opendkim + +- name: check if /usr is a partition + shell: "mount | grep 'on /usr type'" + args: + warn: no + changed_when: False + failed_when: False + register: usr_partition + check_mode: no + tags: + - opendkim + +- name: mount /usr in rw + command: mount -o remount,rw /usr + args: + warn: no + changed_when: False + when: usr_partition.rc == 0 + tags: + - opendkim + +- name: deploy opendkim-add.sh script + copy: + src: opendkim-add.sh + dest: /usr/share/scripts/opendkim-add.sh + mode: "0750" + tags: + - opendkim From 940be65acbe535c57c4fcef8da7a654761f291b2 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 27 Oct 2017 17:59:15 +0200 Subject: [PATCH 214/266] roundcube: merge imapproxy role into roundcube --- imapproxy/tasks/main.yml | 15 --------------- webapps/roundcube/defaults/main.yml | 2 ++ webapps/roundcube/handlers/main.yml | 5 +++++ webapps/roundcube/meta/main.yml | 3 --- webapps/roundcube/tasks/main.yml | 27 +++++++++++++++++++++++++++ 5 files changed, 34 insertions(+), 18 deletions(-) delete mode 100644 imapproxy/tasks/main.yml create mode 100644 webapps/roundcube/handlers/main.yml delete mode 100644 webapps/roundcube/meta/main.yml diff --git a/imapproxy/tasks/main.yml b/imapproxy/tasks/main.yml deleted file mode 100644 index 0dc62a60..00000000 --- a/imapproxy/tasks/main.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- -- name: install imapproxy - apt: - name: imapproxy - state: present - tags: - - imapproxy - -- name: enable imapproxy - service: - name: imapproxy - state: started - enabled: True - tags: - - imapproxy diff --git a/webapps/roundcube/defaults/main.yml b/webapps/roundcube/defaults/main.yml index 220720e3..5e0c1a81 100644 --- a/webapps/roundcube/defaults/main.yml +++ b/webapps/roundcube/defaults/main.yml @@ -1,2 +1,4 @@ --- roundcube_host: "roundcube.{{ ansible_fqdn }}" +roundcube_imap_host: "localhost" +roundcube_imap_port: 143 
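Review bot: The `mount /usr in rw` task is one-way: nothing in this file remounts `/usr` read-only after `opendkim-add.sh` has been copied, so a host that deliberately keeps `/usr` read-only stays writable until its next reboot or manual remount. A handler notified by the copy task (`command: mount -o remount,ro /usr`, guarded by the same `usr_partition.rc == 0`) would restore the original state where the filesystem allows it. Note also that `mount | grep 'on /usr type'` only detects a separate `/usr` mount, not whether it is read-only, so the remount also runs on read-write partitions; harmless, but the `ansible_mounts` facts already carry the mount options and would avoid the `shell` pipeline and the `warn: no`.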
diff --git a/webapps/roundcube/handlers/main.yml b/webapps/roundcube/handlers/main.yml new file mode 100644 index 00000000..bdba6e6b --- /dev/null +++ b/webapps/roundcube/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: restart imapproxy + systemd: + name: imapproxy + state: restarted diff --git a/webapps/roundcube/meta/main.yml b/webapps/roundcube/meta/main.yml deleted file mode 100644 index ddd0e27c..00000000 --- a/webapps/roundcube/meta/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -dependencies: - - { role: imapproxy } diff --git a/webapps/roundcube/tasks/main.yml b/webapps/roundcube/tasks/main.yml index 474fffb0..37ef1afe 100644 --- a/webapps/roundcube/tasks/main.yml +++ b/webapps/roundcube/tasks/main.yml @@ -16,6 +16,7 @@ name: "{{ item }}" state: present with_items: + - imapproxy - roundcube - roundcube-sqlite3 - roundcube-plugins @@ -24,6 +25,32 @@ tags: - roundcube +- name: configure imapproxy imap host + lineinfile: + dest: /etc/imapproxy.conf + regexp: "^server_hostname" + line: "server_hostname {{ roundcube_imap_host }}" + notify: restart imapproxy + tags: + - roundcube + +- name: configure imapproxy imap port + lineinfile: + dest: /etc/imapproxy.conf + regexp: "^server_port" + line: "server_port {{ roundcube_imap_port }}" + notify: reload imapproxy + tags: + - roundcube + +- name: enable and start imapproxy + service: + name: imapproxy + state: started + enabled: True + tags: + - roundcube + - name: configure roundcube imap host lineinfile: dest: /etc/roundcube/config.inc.php From 78d57cf66f692a355b3e18d62bde2ad34cbbe721 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Mon, 30 Oct 2017 11:46:35 +0100 Subject: [PATCH 215/266] redmine: set loglevel to warn --- redmine/templates/additional_environment.rb.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/redmine/templates/additional_environment.rb.j2 b/redmine/templates/additional_environment.rb.j2 index b1211a2e..b6065a57 100644 --- a/redmine/templates/additional_environment.rb.j2 
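Review bot: The `configure imapproxy imap port` task notifies `reload imapproxy`, but the handlers file created in this same commit defines only `restart imapproxy`; Ansible aborts the play when a notified handler does not exist, so the first run that changes `/etc/imapproxy.conf`'s `server_port` fails. Change it to `notify: restart imapproxy` (or add a matching `reload imapproxy` handler). The `roundcube_imap_host`/`roundcube_imap_port` defaults point the proxy at `localhost:143`; if a deployment later sets a remote host, the template only configures host and port, so check that the imapproxy-to-server leg is protected as well.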
+++ b/redmine/templates/additional_environment.rb.j2 @@ -1 +1,2 @@ config.paths['log'] = "/home/{{ redmine_user }}/log/redmine.log" +config.log_level = :warn From 69aa3ab8b8f5354eb26c7ac1cecd3d0b7932a5ce Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 31 Oct 2017 10:36:18 +0100 Subject: [PATCH 216/266] ldap: don't inject custom schema if ldap is already configured --- ldap/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ldap/tasks/main.yml b/ldap/tasks/main.yml index b1554725..84bed58d 100644 --- a/ldap/tasks/main.yml +++ b/ldap/tasks/main.yml @@ -80,8 +80,8 @@ src: "{{ ldap_schema }}" dest: "/root/{{ ldap_schema }}" mode: "0640" - when: ldap_schema is defined + when: not root_ldapvirc_path.stat.exists and ldap_schema is defined - name: inject custom schema command: "ldapadd -Y EXTERNAL -H ldapi:/// -f /root/{{ ldap_schema }}" - when: ldap_schema is defined + when: not root_ldapvirc_path.stat.exists and ldap_schema is defined From be3d3c97ef8cd0e4c604c886c0ced1110e53ddb6 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 31 Oct 2017 12:25:26 +0100 Subject: [PATCH 217/266] postfix: don't use milter with amavis --- postfix/templates/packmail_master.cf.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/postfix/templates/packmail_master.cf.j2 b/postfix/templates/packmail_master.cf.j2 index c3d0e40e..7326cb35 100644 --- a/postfix/templates/packmail_master.cf.j2 +++ b/postfix/templates/packmail_master.cf.j2 @@ -140,6 +140,7 @@ smtp-amavis unix - - y - 2 lmtp 127.0.0.1:10025 inet n - y - - smtpd -o content_filter= + -o smtpd_milters= -o local_recipient_maps= -o relay_recipient_maps= -o smtpd_restriction_classes= From 1f70b148963f82a29406ab00a4a1c65a58d33ef7 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 31 Oct 2017 15:13:52 +0100 Subject: [PATCH 218/266] spamassasin: mount usr in rw before copy sa-update.sh --- spamassasin/tasks/main.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) 
diff --git a/spamassasin/tasks/main.yml b/spamassasin/tasks/main.yml index 2e5cd4cc..4f010650 100644 --- a/spamassasin/tasks/main.yml +++ b/spamassasin/tasks/main.yml @@ -27,6 +27,22 @@ tags: - spamassassin +- name: update ansible_mounts facts + setup: + filter: ansible_mounts + tags: + - spamassassin + +- name: mount /usr in rw + command: mount -o remount,rw /usr + args: + warn: no + changed_when: false + when: item.mount == '/usr' and item.options | match(".*ro.*") + with_items: "{{ ansible_mounts }}" + tags: + - spamassassin + - name: copy sa-update.sh script copy: src: sa-update.sh From bee42c57d2e48c660b94b3a05df9833edc531ef0 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 31 Oct 2017 15:17:18 +0100 Subject: [PATCH 219/266] postfix: mount usr in rw before copy spam.sh --- postfix/tasks/packmail.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/postfix/tasks/packmail.yml b/postfix/tasks/packmail.yml index d7c37611..69d41581 100644 --- a/postfix/tasks/packmail.yml +++ b/postfix/tasks/packmail.yml @@ -87,6 +87,22 @@ tags: - postfix +- name: update ansible_mounts facts + setup: + filter: ansible_mounts + tags: + - postfix + +- name: mount /usr in rw + command: mount -o remount,rw /usr + args: + warn: no + changed_when: false + when: item.mount == '/usr' and item.options | match(".*ro.*") + with_items: "{{ ansible_mounts }}" + tags: + - postfix + - name: copy spam.sh script copy: src: spam.sh From ce89d5c5a59df5cc1832716286fe44be2002ffe4 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 31 Oct 2017 15:28:42 +0100 Subject: [PATCH 220/266] apache: fix usr rw remount --- apache/tasks/remount_usr_rw.yml | 23 ++++++++--------------- 1 file changed, 8 insertions(+), 15 deletions(-) diff --git a/apache/tasks/remount_usr_rw.yml b/apache/tasks/remount_usr_rw.yml index 60162607..1f6d064d 100644 --- a/apache/tasks/remount_usr_rw.yml +++ b/apache/tasks/remount_usr_rw.yml 
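Review bot: The condition `item.options | match(".*ro.*")` on the `mount /usr in rw` task is a substring test on the comma-separated options string, so a read-write `/usr` mounted with `errors=remount-ro` (a common ext4 default, and `errors` itself contains `ro`) also matches and triggers a needless `remount,rw` on every run. Test the option as a whole token instead: `when: item.mount == '/usr' and 'ro' in item.options.split(',')`. The same expression is used in the postfix `packmail.yml` hunk of patch 219 and the apache `remount_usr_rw.yml` hunk of patch 220, and presumably in the `remount-usr` role that patch 233 introduces.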
@@ -1,19 +1,12 @@ --- -- name: Get mount options for partitions - shell: "mount | grep 'on /usr type'" - args: - warn: no - register: mount - changed_when: False - failed_when: False - when: not ansible_check_mode +- name: update ansible_mounts facts + setup: + filter: ansible_mounts -- name: Remount /usr if it is a partition and it is not mounted in rw - command: "mount -o remount,rw /usr" - when: - - not ansible_check_mode - - mount.rc == 0 - - not mount.stdout_lines.0 | search("rw") - check_mode: yes +- name: mount /usr in rw + command: mount -o remount,rw /usr args: warn: no + changed_when: false + when: item.mount == '/usr' and item.options | match(".*ro.*") + with_items: "{{ ansible_mounts }}" From 17ddda8ed3c86d72d162e4d9ccea27caaff06f25 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 31 Oct 2017 15:50:25 +0100 Subject: [PATCH 221/266] apt: use conditionnal instead of handler for update --- apt/handlers/main.yml | 4 ---- apt/tasks/backports.yml | 10 ++++++---- apt/tasks/basics.yml | 8 +++++--- apt/tasks/evolix_public.yml | 8 +++++--- 4 files changed, 16 insertions(+), 14 deletions(-) delete mode 100644 apt/handlers/main.yml diff --git a/apt/handlers/main.yml b/apt/handlers/main.yml deleted file mode 100644 index e68f5c28..00000000 --- a/apt/handlers/main.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- name: apt update - apt: - update_cache: yes diff --git a/apt/tasks/backports.yml b/apt/tasks/backports.yml index fd459a34..67b193d4 100644 --- a/apt/tasks/backports.yml +++ b/apt/tasks/backports.yml @@ -13,7 +13,7 @@ dest: /etc/apt/sources.list.d/backports.list force: yes mode: "0640" - notify: apt update + register: apt_backports_list tags: - apt 
@@ -23,11 +23,13 @@ dest: /etc/apt/preferences.d/0-backports-defaults force: yes mode: "0640" - notify: apt update + register: apt_backports_config tags: - apt -- name: Intermediate flush of handlers - meta: flush_handlers +- name: Apt update + apt: + update_cache: yes + when: apt_backports_list | changed or apt_backports_config | changed tags: - apt diff --git a/apt/tasks/basics.yml b/apt/tasks/basics.yml index d68e6063..f615c030 100644 --- a/apt/tasks/basics.yml +++ b/apt/tasks/basics.yml @@ -6,7 +6,7 @@ dest: /etc/apt/sources.list mode: "0644" force: yes - notify: apt update + register: apt_basic_list tags: - apt @@ -20,7 +20,9 @@ - /etc/apt/sources.list.d/debian-update.list when: apt_clean_gandi_sourceslist -- name: Intermediate flush of handlers - meta: flush_handlers +- name: Apt update + apt: + update_cache: yes + when: apt_basic_list | changed tags: - apt diff --git a/apt/tasks/evolix_public.yml b/apt/tasks/evolix_public.yml index 5bfb3287..b1db38ab 100644 --- a/apt/tasks/evolix_public.yml +++ b/apt/tasks/evolix_public.yml @@ -19,11 +19,13 @@ dest: /etc/apt/sources.list.d/evolix_public.list force: yes mode: "0640" - notify: apt update + register: apt_evolix_public tags: - apt -- name: Intermediate flush of handlers - meta: flush_handlers +- name: Apt update + apt: + update_cache: yes + when: apt_evolix_public | changed tags: - apt From ba5b9beb8c0b26f586fa62aab8e60b68444d5c74 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 31 Oct 2017 15:52:53 +0100 Subject: [PATCH 222/266] evoadmin-mail: remove unnecessary flush_handlers --- webapps/evoadmin-mail/handlers/main.yml | 1 - webapps/evoadmin-mail/tasks/packages.yml | 2 -- 2 files changed, 3 deletions(-) diff --git a/webapps/evoadmin-mail/handlers/main.yml b/webapps/evoadmin-mail/handlers/main.yml index c4cdb576..6866dc8b 100644 --- a/webapps/evoadmin-mail/handlers/main.yml +++ b/webapps/evoadmin-mail/handlers/main.yml @@ -1,5 +1,4 @@ --- - - name: reload apache2 service: name: apache2 
diff --git a/webapps/evoadmin-mail/tasks/packages.yml b/webapps/evoadmin-mail/tasks/packages.yml index ea9b176e..b1b8a1dd 100644 --- a/webapps/evoadmin-mail/tasks/packages.yml +++ b/webapps/evoadmin-mail/tasks/packages.yml @@ -4,8 +4,6 @@ name: apt tasks_from: evolix_public.yml -- meta: flush_handlers - - name: Install PHP packages apt: name: '{{ item }}' From d70e541fb746c86c81f26eb386bab642fe031db3 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 31 Oct 2017 15:55:43 +0100 Subject: [PATCH 223/266] evoadmin-web: remove unnecessary flush_handlers --- webapps/evoadmin-web/tasks/packages.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/webapps/evoadmin-web/tasks/packages.yml b/webapps/evoadmin-web/tasks/packages.yml index e0b1fe05..79d1e312 100644 --- a/webapps/evoadmin-web/tasks/packages.yml +++ b/webapps/evoadmin-web/tasks/packages.yml @@ -4,8 +4,6 @@ name: apt tasks_from: evolix_public.yml -- meta: flush_handlers - - name: Install PHP packages apt: name: '{{ item }}' From 7decf3599493647f3b40c7691e457d18af508f61 Mon Sep 17 00:00:00 2001 From: Bruno TATU Date: Fri, 3 Nov 2017 13:54:23 +0100 Subject: [PATCH 224/266] proftpd: add default_address + port --- proftpd/README.md | 2 ++ proftpd/defaults/main.yml | 2 ++ proftpd/templates/evolinux.conf.j2 | 4 ++++ 3 files changed, 8 insertions(+) diff --git a/proftpd/README.md b/proftpd/README.md index 4b2faa95..1fcb4910 100644 --- a/proftpd/README.md +++ b/proftpd/README.md @@ -12,5 +12,7 @@ Main variables are : * `proftpd_hostname`: hostname (default: `ansible_hostname`) * `proftpd_fqdn`: fully qualified domain name (default: `ansible_fqdn`) +* `proftpd_default_address` : address for the server to listen on (default: `[]`) +* `proftpd_port` : port for the control socket (default: `21`) The full list of variables (with default values) can be found in `defaults/main.yml`. diff --git a/proftpd/defaults/main.yml b/proftpd/defaults/main.yml index 5355ea43..3dc9511c 100644 --- a/proftpd/defaults/main.yml 
+++ b/proftpd/defaults/main.yml @@ -1,3 +1,5 @@ --- proftpd_hostname: "{{ ansible_hostname }}" proftpd_fqdn: "{{ ansible_fqdn }}" +proftpd_default_address: [] +proftpd_port: "21" diff --git a/proftpd/templates/evolinux.conf.j2 b/proftpd/templates/evolinux.conf.j2 index d6e8b565..8a810a99 100644 --- a/proftpd/templates/evolinux.conf.j2 +++ b/proftpd/templates/evolinux.conf.j2 @@ -15,6 +15,10 @@ PassivePorts 60000 61000 UseReverseDNS off IdentLookups off TimesGMT off +Port {{ proftpd_port }} +{% if proftpd_default_address != [] %} +DefaultAddress {{ proftpd_default_address | join(' ') }} +{% endif %} # Local permissions DefaultRoot ~ From b0df53a6eee9bd6900d2b0b09ac0ad12c8281d16 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Mon, 6 Nov 2017 11:04:13 +0100 Subject: [PATCH 225/266] evoacme: add postix hook --- evoacme/files/hooks/reload_postfix | 32 ++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100755 evoacme/files/hooks/reload_postfix diff --git a/evoacme/files/hooks/reload_postfix b/evoacme/files/hooks/reload_postfix new file mode 100755 index 00000000..50ee20ce --- /dev/null +++ b/evoacme/files/hooks/reload_postfix @@ -0,0 +1,32 @@ +#!/bin/sh + +readonly PROGNAME=$(basename "$0") +readonly ARGS=$@ + +readonly VERBOSE=${VERBOSE:-"0"} +readonly QUIET=${QUIET:-"0"} + +error() { + >&2 echo "${PROGNAME}: $1" + exit 1 +} +debug() { + if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then + >&2 echo "${PROGNAME}: $1" + fi +} + +if [ -n "$(pidof master)" ]; then + if $($(command -v postconf) > /dev/null); then + if $($(command -v postconf)|grep -E "^smtpd_tls_cert_file"|grep -q "letsencrypt"); then + debug "Postfix detected... reloading" + service postfix reload + else + debug "Postfix doesn't use Let's Encrypt certificate. Skip." + fi + else + error "Postfix config is broken, you must fix it !" + fi +else + debug "Postfix is not running. Skip." +fi From 0ef627e4bd9c4587343c54b2269031a2f55918b3 Mon Sep 17 00:00:00 2001 
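Review bot: The tests `if $($(command -v postconf) > /dev/null); then` and the nested `if $($(command -v postconf)|grep -E …|grep -q "letsencrypt"); then` run the pipeline inside a command substitution and rely on the shell rule that a command made only of an empty expansion takes the exit status of the last substitution, which is obscure and, if `postconf` is not in `PATH`, degrades to a bare redirection that succeeds. Call the commands directly: `if postconf >/dev/null 2>&1; then` and `if postconf | grep -E "^smtpd_tls_cert_file" | grep -q "letsencrypt"; then`. `readonly ARGS=$@` is unused and unquoted; drop it or write `readonly ARGS="$*"`. The `reload_dovecot` hook added in patch 226 uses the same construction.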
From: Victor LABORIE
Date: Mon, 6 Nov 2017 11:04:26 +0100
Subject: [PATCH 226/266] evoacme: add dovecot hook
---
evoacme/files/hooks/reload_dovecot | 32 ++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
create mode 100755 evoacme/files/hooks/reload_dovecot
diff --git a/evoacme/files/hooks/reload_dovecot b/evoacme/files/hooks/reload_dovecot
new file mode 100755
index 00000000..31da4fb4
--- /dev/null
+++ b/evoacme/files/hooks/reload_dovecot
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+readonly PROGNAME=$(basename "$0")
+readonly ARGS=$@
+
+readonly VERBOSE=${VERBOSE:-"0"}
+readonly QUIET=${QUIET:-"0"}
+
+error() {
+ >&2 echo "${PROGNAME}: $1"
+ exit 1
+}
+debug() {
+ if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
+ >&2 echo "${PROGNAME}: $1"
+ fi
+}
+
+if [ -n "$(pidof dovecot)" ]; then
+ if $($(command -v doveconf) > /dev/null); then
+ if $($(command -v doveconf)|grep -E "^ssl_cert[^_]"|grep -q "letsencrypt"); then
+ debug "Dovecot detected... reloading"
+ service dovecot reload
+ else
+ debug "Dovecot doesn't use Let's Encrypt certificate. Skip."
+ fi
+ else
+ error "Dovecot config is broken, you must fix it !"
+ fi
+else
+ debug "Dovecot is not running. Skip."
+fi
From 6f0fb575951e7a3f531a263389b674ad572df1b2 Mon Sep 17 00:00:00 2001
From: Victor LABORIE
Date: Mon, 6 Nov 2017 11:29:15 +0100
Subject: [PATCH 227/266] packweb-apache: fix awstats cron
---
packweb-apache/tasks/awstats.yml | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/packweb-apache/tasks/awstats.yml b/packweb-apache/tasks/awstats.yml
index 1919b17d..6d8d9eba 100644
--- a/packweb-apache/tasks/awstats.yml
+++ b/packweb-apache/tasks/awstats.yml
@@ -46,3 +46,12 @@ create: yes regexp: '-config=awstats' line: "10 */6 * * * root umask 033; [ -x /usr/lib/cgi-bin/awstats.pl -a -f /etc/awstats/awstats.conf -a -r /var/log/apache2/access.log ] && /usr/lib/cgi-bin/awstats.pl -config=awstats -update >/dev/null" + +- name: Remove default awstat cron's tasks + lineinfile: + dest: /etc/cron.d/awstats + regexp: "{{ item }}" + state: absent + with_items: + - 'update\.sh' + - 'buildstatic\.sh' From 6d2506a0ce2e5fae665d95fa85b259adc77f1993 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Mon, 6 Nov 2017 11:51:01 +0100 Subject: [PATCH 228/266] packweb-apache: comment cron task instead of remove it and don't remove buildstatic.sh --- packweb-apache/tasks/awstats.yml | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/packweb-apache/tasks/awstats.yml b/packweb-apache/tasks/awstats.yml index 6d8d9eba..5ea0fa57 100644 --- a/packweb-apache/tasks/awstats.yml +++ b/packweb-apache/tasks/awstats.yml @@ -47,11 +47,10 @@ regexp: '-config=awstats' line: "10 */6 * * * root umask 033; [ -x /usr/lib/cgi-bin/awstats.pl -a -f /etc/awstats/awstats.conf -a -r /var/log/apache2/access.log ] && /usr/lib/cgi-bin/awstats.pl -config=awstats -update >/dev/null" -- name: Remove default awstat cron's tasks +- name: Comment default awstat cron's tasks lineinfile: dest: /etc/cron.d/awstats - regexp: "{{ item }}" - state: absent - with_items: - - 'update\.sh' - - 'buildstatic\.sh' + regexp: "(?i)^([^#]*update\\.sh.*)" + line: '#\1' + backrefs: yes + state: present From c0c7183605c0b55e79c1ea63939734b9c81f0793 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Mon, 6 Nov 2017 17:26:24 +0100 Subject: [PATCH 229/266] ldap: fix domain and cn --- ldap/defaults/main.yml | 7 +++---- ldap/templates/first-entries.ldif.j2 | 4 ++-- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/ldap/defaults/main.yml b/ldap/defaults/main.yml index 2f208f98..88631a11 100644 --- a/ldap/defaults/main.yml +++ b/ldap/defaults/main.yml 
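Review bot: With `backrefs: yes`, `lineinfile` rewrites only the last line matching `regexp` and does nothing when no line matches, so if `/etc/cron.d/awstats` ever carries more than one uncommented `update.sh` entry only one of them is commented out; presumably the packaged file has a single one, which makes this work, but that assumption deserves a comment such as `# lineinfile with backrefs rewrites only the last matching line; cron.d/awstats ships one update.sh entry`. The `[^#]*` prefix keeps already-commented lines from matching, which is what makes the task idempotent.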
@@ -1,5 +1,4 @@ --- -ldap_domain: "{{ ansible_fqdn }}" -ldap_organization: "{{ ansible_domain }}" -ldap_suffix: "dc=example,dc=com" -ldap_suffix_dc: "example" +ldap_hostname: "{{ ansible_hostname }}" +ldap_domain: "{{ ansible_domain }}" +ldap_suffix: "dc={{ ldap_hostname }},dc={{ ldap_domain.split('.')[-2] }},dc={{ ldap_domain.split('.')[-1] }}" diff --git a/ldap/templates/first-entries.ldif.j2 b/ldap/templates/first-entries.ldif.j2 index 56828636..0e82ddbc 100644 --- a/ldap/templates/first-entries.ldif.j2 +++ b/ldap/templates/first-entries.ldif.j2 @@ -2,8 +2,8 @@ dn: {{ ldap_suffix }} objectClass: top objectClass: dcObject objectClass: organization -o: {{ ldap_suffix_dc }} -dc: {{ ldap_suffix_dc }} +o: {{ ldap_domain }} +dc: {{ ldap_hostname }} dn: cn=admin,{{ ldap_suffix }} objectClass: simpleSecurityObject From 33f85b565c5d655f14ce2bc8b602a7f4aac7861a Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Mon, 6 Nov 2017 18:32:56 +0100 Subject: [PATCH 230/266] nagios-nrpe: add date to check_amavis test mail --- nagios-nrpe/files/plugins/check_amavis | 3 +++ 1 file changed, 3 insertions(+) diff --git a/nagios-nrpe/files/plugins/check_amavis b/nagios-nrpe/files/plugins/check_amavis index 43e69bcb..7b82cd93 100755 --- a/nagios-nrpe/files/plugins/check_amavis +++ b/nagios-nrpe/files/plugins/check_amavis @@ -3,12 +3,14 @@ use Getopt::Long; use MIME::Entity; use Net::SMTP; +use POSIX qw(strftime); my $server = ''; my $port = 10024; my $from = ''; my $to = ''; my $debug = 0; +my $date = strftime "%a, %d %b %g %X %z", localtime; $result = GetOptions ( "server|s=s" => \$server, @@ -32,6 +34,7 @@ my $top = MIME::Entity->build( Type =>"multipart/mixed", From => $from, To => $to, + Date => $date, Subject => "EICAR test", Data => "This is a test", ); From 42c4a20b1f9b96c33bc09203a6d6db8eaa3fbfe7 Mon Sep 17 00:00:00 2001 
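Review bot: `ldap_suffix` in `ldap/defaults/main.yml` hard-codes `ldap_domain.split('.')[-2]` and `[-1]`, so it only handles domains with exactly two labels: `example.co.uk` becomes `dc=co,dc=uk` (dropping `example`), and a host without a DNS domain, where `ansible_domain` is empty, errors out or renders an undefined value at template time. Build the suffix from all labels instead, `ldap_suffix: "dc={{ ldap_hostname }},dc={{ ldap_domain.split('.') | join(',dc=') }}"`, and fail early with an `assert` when `ldap_domain` is empty. `first-entries.ldif.j2` now sets `dc:` to `ldap_hostname`, which matches the first RDN of the new suffix, so the two files stay consistent.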
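Review bot: The `Date` header built in `check_amavis` uses `strftime "%a, %d %b %g %X %z"`, but `%g` is the two-digit ISO week-based year and `%X` is the locale-dependent time representation, so the header is not a valid RFC 5322 date (four-digit year, `HH:MM:SS`) and may be flagged by the very filter the check is testing. Use `my $date = strftime "%a, %d %b %Y %H:%M:%S %z", localtime;` instead. The second hunk only passes `$date` to `MIME::Entity->build`, which is fine once the format is corrected.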
From: Victor LABORIE Date: Mon, 6 Nov 2017 18:41:38 +0100 Subject: [PATCH 231/266] nagios-nrpe: fix expected return message of test mail --- nagios-nrpe/files/plugins/check_amavis | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nagios-nrpe/files/plugins/check_amavis b/nagios-nrpe/files/plugins/check_amavis index 7b82cd93..d364dba3 100755 --- a/nagios-nrpe/files/plugins/check_amavis +++ b/nagios-nrpe/files/plugins/check_amavis @@ -65,7 +65,7 @@ $smtp->close(); print "$result\n"; -if ($result =~/2.7.0 Ok, discarded/) { +if ($result =~/2.5.0 Ok, id=[^,]+, BOUNCE/) { print "OK - All fine\n"; exit 0; } else { From 37c1325c1aeaf5f411b0f3fa1b737de0e6ed30c9 Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Tue, 7 Nov 2017 11:13:21 +0100 Subject: [PATCH 232/266] nagios-nrpe: add opendkim check --- nagios-nrpe/templates/evolix.cfg.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2 index d85f9844..38e29b27 100644 --- a/nagios-nrpe/templates/evolix.cfg.j2 +++ b/nagios-nrpe/templates/evolix.cfg.j2 @@ -49,6 +49,7 @@ command[check_clamav_db]=/usr/lib/nagios/plugins/check_file_age -w 86400 -c 1728 command[check_ssl]=/usr/lib/nagios/plugins/check_http -f follow -I 127.0.0.1 -S -p 443 -H ssl.evolix.net -C 15,5 command[check_elasticsearch]=/usr/lib/nagios/plugins/check_http -I 127.0.0.1 -u /_cat/health?h=st -p 9200 -r 'red' --invert-regex command[check_memcached]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 11211 +command[check_opendkim]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 54321 # Local checks (not packaged) command[check_mem]={{ nagios_plugins_directory }}/check_mem -f -C -w 20 -c 10 From 1c48df025c3147f47949e3fa215804537578e553 Mon Sep 17 00:00:00 2001 
From: Victor LABORIE Date: Tue, 7 Nov 2017 12:18:02 +0100 Subject: [PATCH 233/266] Move /usr rw remount into remount-usr role --- apache/tasks/main.yml | 5 +++- apache/tasks/remount_usr_rw.yml | 12 ---------- drbd/tasks/nagios.yml | 19 ++------------- evoacme/tasks/certbot.yml | 18 ++------------ evocheck/tasks/install_local.yml | 3 ++- evocheck/tasks/remount_usr_rw.yml | 19 --------------- evolinux-base/tasks/remount_usr_rw.yml | 19 --------------- evolinux-base/tasks/system.yml | 3 ++- filebeat/tasks/main.yml | 24 ++----------------- generate-ldif/tasks/main.yml | 3 ++- generate-ldif/tasks/remount_usr_rw.yml | 19 --------------- kibana/tasks/main.yml | 12 ++-------- kibana/tasks/remount_usr_rw.yml | 19 --------------- kvm-host/tasks/main.yml | 17 ++----------- mysql/tasks/remount_usr_rw.yml | 19 --------------- mysql/tasks/utils.yml | 9 ++++--- nagios-nrpe/tasks/main.yml | 3 ++- nagios-nrpe/tasks/remount_usr_rw.yml | 19 --------------- opendkim/tasks/main.yml | 21 ++-------------- postfix/tasks/packmail.yml | 15 ++---------- redis/tasks/munin.yml | 21 ++++------------ remount-usr/handlers/main.yml | 6 +++++ remount-usr/tasks/main.yml | 16 +++++++++++++ spamassasin/tasks/main.yml | 15 ++---------- tomcat/tasks/nagios.yml | 17 ++----------- varnish/tasks/munin.yml | 4 +++- varnish/tasks/remount_usr_rw.yml | 19 --------------- .../evoadmin-mail/tasks/remount_usr_rw.yml | 15 ------------ webapps/evoadmin-mail/tasks/user.yml | 3 ++- webapps/evoadmin-web/tasks/remount_usr_rw.yml | 19 --------------- webapps/evoadmin-web/tasks/user.yml | 3 ++- 31 files changed, 69 insertions(+), 347 deletions(-) delete mode 100644 apache/tasks/remount_usr_rw.yml delete mode 100644 evocheck/tasks/remount_usr_rw.yml delete mode 100644 evolinux-base/tasks/remount_usr_rw.yml delete mode 100644 generate-ldif/tasks/remount_usr_rw.yml delete mode 100644 kibana/tasks/remount_usr_rw.yml delete mode 100644 mysql/tasks/remount_usr_rw.yml delete mode 100644 nagios-nrpe/tasks/remount_usr_rw.yml 
create mode 100644 remount-usr/handlers/main.yml create mode 100644 remount-usr/tasks/main.yml delete mode 100644 varnish/tasks/remount_usr_rw.yml delete mode 100644 webapps/evoadmin-mail/tasks/remount_usr_rw.yml delete mode 100644 webapps/evoadmin-web/tasks/remount_usr_rw.yml diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index 35ffcf44..3820fad2 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -131,7 +131,10 @@ tags: - apache -- include: remount_usr_rw.yml +- include_role: + name: remount-usr + tags: + - apache - name: "Install save_apache_status.sh" copy: diff --git a/apache/tasks/remount_usr_rw.yml b/apache/tasks/remount_usr_rw.yml deleted file mode 100644 index 1f6d064d..00000000 --- a/apache/tasks/remount_usr_rw.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -- name: update ansible_mounts facts - setup: - filter: ansible_mounts - -- name: mount /usr in rw - command: mount -o remount,rw /usr - args: - warn: no - changed_when: false - when: item.mount == '/usr' and item.options | match(".*ro.*") - with_items: "{{ ansible_mounts }}" diff --git a/drbd/tasks/nagios.yml b/drbd/tasks/nagios.yml index 5ce44d7c..91b06c57 100644 --- a/drbd/tasks/nagios.yml +++ b/drbd/tasks/nagios.yml @@ -8,23 +8,8 @@ tags: - drbd -- name: Check if /usr is a partition - shell: "mount | grep 'on /usr type'" - args: - warn: no - changed_when: False - failed_when: False - register: usr_partition - check_mode: no - tags: - - drbd - -- name: Mount /usr in rw - command: mount -o remount,rw /usr - args: - warn: no - changed_when: False - when: usr_partition.rc == 0 and nagios_plugins_dir.stat.exists +- include_role: + name: remount-usr tags: - drbd diff --git a/evoacme/tasks/certbot.yml b/evoacme/tasks/certbot.yml index 88f0eb5b..f01cc668 100644 --- a/evoacme/tasks/certbot.yml +++ b/evoacme/tasks/certbot.yml 
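Review bot: `include_role` is a dynamic include, and in the Ansible releases that provide it the `tags:` on the include task are not inherited by the included role's tasks, so a play run with `--tags apache` skips the `remount-usr` tasks and the following `Install save_apache_status.sh` copy hits a read-only `/usr`; the `include:` it replaces applied its tags to the included tasks. Unless the playbooks are never run with tag filters, use `import_role` (static; inherits `tags` and `when`) or tag the tasks inside `remount-usr` with the consuming roles' tags. The drbd `nagios.yml` hunk in this patch (`tags: - drbd`) and the nagios-nrpe `main.yml` hunk (`tags: - nagios-plugins`) have the same issue.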
@@ -20,22 +20,8 @@ name: certbot state: latest -- name: Check if /usr is a partition - shell: "mount | grep 'on /usr type'" - args: - warn: no - changed_when: False - failed_when: False - check_mode: no - - register: usr_partition - -- name: Mount /usr in rw - command: mount -o remount,rw /usr - args: - warn: no - changed_when: False - when: usr_partition.rc == 0 +- include_role: + name: remount-usr - name: Remove certbot symlink for apt install file: diff --git a/evocheck/tasks/install_local.yml b/evocheck/tasks/install_local.yml index d98ce0ae..7c0580c1 100644 --- a/evocheck/tasks/install_local.yml +++ b/evocheck/tasks/install_local.yml @@ -1,5 +1,6 @@ --- -- include: remount_usr_rw.yml +- include_role: + name: remount-usr when: evocheck_bin_dir | search ("/usr") - name: Scripts dir is present diff --git a/evocheck/tasks/remount_usr_rw.yml b/evocheck/tasks/remount_usr_rw.yml deleted file mode 100644 index 60162607..00000000 --- a/evocheck/tasks/remount_usr_rw.yml +++ /dev/null @@ -1,19 +0,0 @@ ---- -- name: Get mount options for partitions - shell: "mount | grep 'on /usr type'" - args: - warn: no - register: mount - changed_when: False - failed_when: False - when: not ansible_check_mode - -- name: Remount /usr if it is a partition and it is not mounted in rw - command: "mount -o remount,rw /usr" - when: - - not ansible_check_mode - - mount.rc == 0 - - not mount.stdout_lines.0 | search("rw") - check_mode: yes - args: - warn: no diff --git a/evolinux-base/tasks/remount_usr_rw.yml b/evolinux-base/tasks/remount_usr_rw.yml deleted file mode 100644 index 60162607..00000000 --- a/evolinux-base/tasks/remount_usr_rw.yml +++ /dev/null 
@@ -1,19 +0,0 @@ ---- -- name: Get mount options for partitions - shell: "mount | grep 'on /usr type'" - args: - warn: no - register: mount - changed_when: False - failed_when: False - when: not ansible_check_mode - -- name: Remount /usr if it is a partition and it is not mounted in rw - command: "mount -o remount,rw /usr" - when: - - not ansible_check_mode - - mount.rc == 0 - - not mount.stdout_lines.0 | search("rw") - check_mode: yes - args: - warn: no diff --git a/evolinux-base/tasks/system.yml b/evolinux-base/tasks/system.yml index 6ffee396..4ef08fa3 100644 --- a/evolinux-base/tasks/system.yml +++ b/evolinux-base/tasks/system.yml @@ -33,7 +33,8 @@ # TODO : find a way to force the console-data configuration # non-interactively (like tzdata ↑) -- include: remount_usr_rw.yml +- include_role: + name: remount-usr - name: Ensure automagic vim conf is disabled lineinfile: diff --git a/filebeat/tasks/main.yml b/filebeat/tasks/main.yml index 5029d6d4..7938ce78 100644 --- a/filebeat/tasks/main.yml +++ b/filebeat/tasks/main.yml @@ -59,31 +59,11 @@ when: filebeat_logstash_plugin and logstash_plugin.stat.exists - block: - - name: Check if /usr is a partition - shell: "mount | grep 'on /usr type'" - args: - warn: no - changed_when: False - failed_when: False - check_mode: no - register: usr_partition - - - name: Mount /usr in rw - command: mount -o remount,rw /usr - args: - warn: no - changed_when: False - when: usr_partition.rc == 0 + - include_role: + name: remount-usr - name: Logstash plugin is installed command: /usr/share/logstash/bin/logstash-plugin install logstash-input-beats - - - name: /usr is remounted - command: mount -oremount /usr - args: - warn: no - changed_when: False - when: usr_partition.rc == 0 when: - filebeat_logstash_plugin - logstash_plugin.stat.exists diff --git a/generate-ldif/tasks/main.yml b/generate-ldif/tasks/main.yml index 03b9505e..35da06be 100644 --- a/generate-ldif/tasks/main.yml +++ b/generate-ldif/tasks/main.yml 
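Review bot: This filebeat hunk removes the `/usr is remounted` task that used to put `/usr` back after the logstash plugin install, and the `include_role: remount-usr` that replaces the check does not visibly restore the previous mount state, so after this change `/usr` stays read-write on hosts that mount it read-only, unless the new role's handler in `remount-usr/handlers/main.yml` (listed in the diffstat, not shown here) does so. The kibana `main.yml` hunk likewise drops its `Remount /usr as read-only` task. If the role does remount read-only through a handler, say so at the include with `# remount-usr remounts /usr read-only through its handler at the end of the play`; otherwise the restore step should be kept.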
@@ -1,5 +1,6 @@ --- -- include: remount_usr_rw.yml +- include_role: + name: remount-usr when: general_scripts_dir | search("/usr") - name: "copy generateldif.sh" diff --git a/generate-ldif/tasks/remount_usr_rw.yml b/generate-ldif/tasks/remount_usr_rw.yml deleted file mode 100644 index 60162607..00000000 --- a/generate-ldif/tasks/remount_usr_rw.yml +++ /dev/null @@ -1,19 +0,0 @@ ---- -- name: Get mount options for partitions - shell: "mount | grep 'on /usr type'" - args: - warn: no - register: mount - changed_when: False - failed_when: False - when: not ansible_check_mode - -- name: Remount /usr if it is a partition and it is not mounted in rw - command: "mount -o remount,rw /usr" - when: - - not ansible_check_mode - - mount.rc == 0 - - not mount.stdout_lines.0 | search("rw") - check_mode: yes - args: - warn: no diff --git a/kibana/tasks/main.yml b/kibana/tasks/main.yml index 9e0d6ce6..475aa9ce 100644 --- a/kibana/tasks/main.yml +++ b/kibana/tasks/main.yml @@ -58,10 +58,8 @@ when: not ansible_check_mode - block: - - name: Remount /usr as writable - command: "mount -o remount,rw /usr" - args: - warn: no + - include_role: + name: remount-usr - name: Move kibana optimize directory shell: "mv /usr/share/kibana/optimize /var/lib/kibana/optimize && ln -s /var/lib/kibana/optimize /usr/share/kibana/optimize" @@ -69,11 +67,5 @@ creates: /var/lib/kibana/optimize notify: restart kibana - - name: Remount /usr as read-only - command: "mount -o remount /usr" - args: - warn: no - when: mount.rc == 0 and not mount.stdout_lines.0 | search("rw") - - include: proxy_nginx.yml when: kibana_proxy_nginx diff --git a/kibana/tasks/remount_usr_rw.yml b/kibana/tasks/remount_usr_rw.yml deleted file mode 100644 index 60162607..00000000 --- a/kibana/tasks/remount_usr_rw.yml +++ /dev/null 
@@ -1,19 +0,0 @@ ---- -- name: Get mount options for partitions - shell: "mount | grep 'on /usr type'" - args: - warn: no - register: mount - changed_when: False - failed_when: False - when: not ansible_check_mode - -- name: Remount /usr if it is a partition and it is not mounted in rw - command: "mount -o remount,rw /usr" - when: - - not ansible_check_mode - - mount.rc == 0 - - not mount.stdout_lines.0 | search("rw") - check_mode: yes - args: - warn: no diff --git a/kvm-host/tasks/main.yml b/kvm-host/tasks/main.yml index cb0040f4..9fc73e93 100644 --- a/kvm-host/tasks/main.yml +++ b/kvm-host/tasks/main.yml @@ -5,21 +5,8 @@ - include: packages.yml -- name: Check if /usr is a partition - shell: "mount | grep 'on /usr type'" - args: - warn: no - changed_when: False - failed_when: False - check_mode: no - register: usr_partition - -- name: Mount /usr in rw - command: mount -o remount,rw /usr - args: - warn: no - changed_when: False - when: usr_partition.rc == 0 +- include_role: + name: remount-usr - name: Copy add-vm script get_url: diff --git a/mysql/tasks/remount_usr_rw.yml b/mysql/tasks/remount_usr_rw.yml deleted file mode 100644 index 60162607..00000000 --- a/mysql/tasks/remount_usr_rw.yml +++ /dev/null @@ -1,19 +0,0 @@ ---- -- name: Get mount options for partitions - shell: "mount | grep 'on /usr type'" - args: - warn: no - register: mount - changed_when: False - failed_when: False - when: not ansible_check_mode - -- name: Remount /usr if it is a partition and it is not mounted in rw - command: "mount -o remount,rw /usr" - when: - - not ansible_check_mode - - mount.rc == 0 - - not mount.stdout_lines.0 | search("rw") - check_mode: yes - args: - warn: no diff --git a/mysql/tasks/utils.yml b/mysql/tasks/utils.yml index d0fe71a8..0f0ad068 100644 --- a/mysql/tasks/utils.yml +++ b/mysql/tasks/utils.yml 
@@ -48,7 +48,8 @@ # mysqltuner -- include: remount_usr_rw.yml +- include_role: + name: remount-usr when: (mysql_scripts_dir or general_scripts_dir) | search ("/usr") - name: Install mysqltuner @@ -71,7 +72,8 @@ # automatic optimizations -- include: remount_usr_rw.yml +- include_role: + name: remount-usr when: (mysql_scripts_dir or general_scripts_dir) | search ("/usr") - name: Optimize script for MySQL @@ -133,7 +135,8 @@ # my-add.sh -- include: remount_usr_rw.yml +- include_role: + name: remount-usr when: (mysql_scripts_dir or general_scripts_dir) | search ("/usr") - name: Install my-add.sh diff --git a/nagios-nrpe/tasks/main.yml b/nagios-nrpe/tasks/main.yml index b52d0425..d0298c6c 100644 --- a/nagios-nrpe/tasks/main.yml +++ b/nagios-nrpe/tasks/main.yml @@ -28,7 +28,8 @@ state: directory notify: restart nagios-nrpe-server -- include: remount_usr_rw.yml +- include_role: + name: remount-usr when: nagios_plugins_directory | search ("/usr") tags: - nagios-plugins diff --git a/nagios-nrpe/tasks/remount_usr_rw.yml b/nagios-nrpe/tasks/remount_usr_rw.yml deleted file mode 100644 index 60162607..00000000 --- a/nagios-nrpe/tasks/remount_usr_rw.yml +++ /dev/null @@ -1,19 +0,0 @@ ---- -- name: Get mount options for partitions - shell: "mount | grep 'on /usr type'" - args: - warn: no - register: mount - changed_when: False - failed_when: False - when: not ansible_check_mode - -- name: Remount /usr if it is a partition and it is not mounted in rw - command: "mount -o remount,rw /usr" - when: - - not ansible_check_mode - - mount.rc == 0 - - not mount.stdout_lines.0 | search("rw") - check_mode: yes - args: - warn: no diff --git a/opendkim/tasks/main.yml b/opendkim/tasks/main.yml index d491cd39..8c81b686 100644 --- a/opendkim/tasks/main.yml +++ b/opendkim/tasks/main.yml 
@@ -66,25 +66,8 @@ tags: - opendkim -- name: check if /usr is a partition - shell: "mount | grep 'on /usr type'" - args: - warn: no - changed_when: False - failed_when: False - register: usr_partition - check_mode: no - tags: - - opendkim - -- name: mount /usr in rw - command: mount -o remount,rw /usr - args: - warn: no - changed_when: False - when: usr_partition.rc == 0 - tags: - - opendkim +- include_role: + name: remount-usr - name: deploy opendkim-add.sh script copy: diff --git a/postfix/tasks/packmail.yml b/postfix/tasks/packmail.yml index 69d41581..3ffd096f 100644 --- a/postfix/tasks/packmail.yml +++ b/postfix/tasks/packmail.yml @@ -87,19 +87,8 @@ tags: - postfix -- name: update ansible_mounts facts - setup: - filter: ansible_mounts - tags: - - postfix - -- name: mount /usr in rw - command: mount -o remount,rw /usr - args: - warn: no - changed_when: false - when: item.mount == '/usr' and item.options | match(".*ro.*") - with_items: "{{ ansible_mounts }}" +- include_role: + name: remount-usr tags: - postfix diff --git a/redis/tasks/munin.yml b/redis/tasks/munin.yml index 74676e07..6837edb3 100644 --- a/redis/tasks/munin.yml +++ b/redis/tasks/munin.yml @@ -6,23 +6,10 @@ tags: - redis -- name: Check if /usr is a partition - shell: "mount | grep 'on /usr type'" - args: - warn: no - changed_when: False - failed_when: False - check_mode: no - register: usr_partition - tags: redis - -- name: Mount /usr in rw - command: mount -o remount,rw /usr - args: - warn: no - changed_when: False - when: usr_partition.rc == 0 - tags: redis +- include_role: + name: remount-usr + tags: + - redis - name: Create plugin directory file: diff --git a/remount-usr/handlers/main.yml b/remount-usr/handlers/main.yml new file mode 100644 index 00000000..c75bacb7 --- /dev/null +++ b/remount-usr/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: remount usr + command: mount -o remount /usr + failed_when: false + args: + warn: no 
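Review bot: The opendkim hunk replaces two tasks tagged `opendkim` with an untagged `include_role`, so a run limited with `--tags opendkim` skips the remount and the next task, `deploy opendkim-add.sh script` (presumably tagged like its neighbours and writing under /usr), then hits a read-only filesystem. The redis, postfix and spamassassin hunks in this same commit keep `tags:` on their include, so add `tags: - opendkim` here for consistency. Depending on the Ansible version, tags on a dynamic `include_role` may only cover the include statement and not the role's tasks; if tag-limited runs matter, `import_role`, which propagates tags statically, is the safer form for all of these.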
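Review bot: `failed_when: false` on the new `remount usr` handler swallows a failed remount back to read-only, leaving /usr writable after the play with nothing in the output to show it. That is exactly the outcome an operator needs to see, so drop `failed_when: false` and let the handler fail, or at minimum `register` the result and surface it with a `fail`/`debug` task. Plain `mount -o remount /usr` also reapplies whatever fstab declares, so /usr only returns to read-only when fstab says `ro`; if that assumption matters, `command: mount -o remount,ro /usr` states the intent explicitly.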
diff --git a/remount-usr/tasks/main.yml b/remount-usr/tasks/main.yml new file mode 100644 index 00000000..40fddc30 --- /dev/null +++ b/remount-usr/tasks/main.yml @@ -0,0 +1,16 @@ +--- +- name: check if /usr is a read-only partition + command: grep -E " /usr.*ro" /proc/mounts + args: + warn: no + changed_when: False + failed_when: False + check_mode: no + register: usr_partition + +- name: mount /usr in rw + command: mount -o remount,rw /usr + args: + warn: no + when: usr_partition.rc == 0 + notify: remount usr diff --git a/spamassasin/tasks/main.yml b/spamassasin/tasks/main.yml index 4f010650..939f235d 100644 --- a/spamassasin/tasks/main.yml +++ b/spamassasin/tasks/main.yml @@ -27,19 +27,8 @@ tags: - spamassassin -- name: update ansible_mounts facts - setup: - filter: ansible_mounts - tags: - - spamassassin - -- name: mount /usr in rw - command: mount -o remount,rw /usr - args: - warn: no - changed_when: false - when: item.mount == '/usr' and item.options | match(".*ro.*") - with_items: "{{ ansible_mounts }}" +- include_role: + name: remount-usr tags: - spamassassin diff --git a/tomcat/tasks/nagios.yml b/tomcat/tasks/nagios.yml index 01de5348..69c99810 100644 --- a/tomcat/tasks/nagios.yml +++ b/tomcat/tasks/nagios.yml @@ -4,21 +4,8 @@ name: monitoring-plugins state: present -- name: Check if /usr is a partition - shell: "mount | grep 'on /usr type'" - args: - warn: no - changed_when: False - failed_when: False - check_mode: no - register: usr_partition - -- name: Mount /usr in rw - command: mount -o remount,rw /usr - args: - warn: no - changed_when: False - when: usr_partition.rc == 0 +- include_role: + name: remount-usr - name: Create Nagios plugins dir file: diff --git a/varnish/tasks/munin.yml b/varnish/tasks/munin.yml index 1c2ad790..552c8a34 100644 --- a/varnish/tasks/munin.yml +++ b/varnish/tasks/munin.yml 
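Review bot: The detection pattern `" /usr.*ro"` in `check if /usr is a read-only partition` matches much more than a read-only /usr: a read-write /usr entry carrying `errors=remount-ro` (the word `errors` alone contains `ro`) matches, and so does a separate `/usr/local` or `/usr/share` mount, because nothing requires a space after `/usr`. In the first case the role remounts and notifies the handler on every run; in the second, `mount -o remount,rw /usr` runs against a mount point that is not its own filesystem and fails the play. Anchoring the match to the mount-point and option fields fixes both: `command: grep -E "^[^ ]+ /usr [^ ]+ ([^ ]*,)?ro(,[^ ]*)? " /proc/mounts`, which only matches when `ro` is a complete option of the `/usr` entry. A one-line comment above the task explaining the /proc/mounts field layout would keep the next editor from loosening it again.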
@@ -4,7 +4,9 @@ name: libxml-parser-perl tags: varnish -- include: remount_usr_rw.yml +- include_role: + name: remount-usr + tags: varnish - name: Create plugin directory file: diff --git a/varnish/tasks/remount_usr_rw.yml b/varnish/tasks/remount_usr_rw.yml deleted file mode 100644 index 60162607..00000000 --- a/varnish/tasks/remount_usr_rw.yml +++ /dev/null @@ -1,19 +0,0 @@ ---- -- name: Get mount options for partitions - shell: "mount | grep 'on /usr type'" - args: - warn: no - register: mount - changed_when: False - failed_when: False - when: not ansible_check_mode - -- name: Remount /usr if it is a partition and it is not mounted in rw - command: "mount -o remount,rw /usr" - when: - - not ansible_check_mode - - mount.rc == 0 - - not mount.stdout_lines.0 | search("rw") - check_mode: yes - args: - warn: no diff --git a/webapps/evoadmin-mail/tasks/remount_usr_rw.yml b/webapps/evoadmin-mail/tasks/remount_usr_rw.yml deleted file mode 100644 index 8c51aee2..00000000 --- a/webapps/evoadmin-mail/tasks/remount_usr_rw.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- -- name: Get mount options for partitions - shell: "mount | grep 'on /usr type'" - args: - warn: no - register: mount - changed_when: False - failed_when: False - when: not ansible_check_mode - -- name: Remount /usr if it is a partition and it is not mounted in rw - command: "mount -o remount,rw /usr" - when: mount.rc == 0 and not mount.stdout_lines.0 | search("rw") - args: - warn: no diff --git a/webapps/evoadmin-mail/tasks/user.yml b/webapps/evoadmin-mail/tasks/user.yml index 7e4cb90c..5b267e72 100644 --- a/webapps/evoadmin-mail/tasks/user.yml +++ b/webapps/evoadmin-mail/tasks/user.yml @@ -86,7 +86,8 @@ group: "adm" mode: "0640" -- include: remount_usr_rw.yml +- include_role: + name: remount-usr when: evoadminmail_scripts_dir | search ("/usr") - name: "Create {{ evoadminmail_scripts_dir }}" 
diff --git a/webapps/evoadmin-web/tasks/remount_usr_rw.yml b/webapps/evoadmin-web/tasks/remount_usr_rw.yml deleted file mode 100644 index 60162607..00000000 --- a/webapps/evoadmin-web/tasks/remount_usr_rw.yml +++ /dev/null @@ -1,19 +0,0 @@ ---- -- name: Get mount options for partitions - shell: "mount | grep 'on /usr type'" - args: - warn: no - register: mount - changed_when: False - failed_when: False - when: not ansible_check_mode - -- name: Remount /usr if it is a partition and it is not mounted in rw - command: "mount -o remount,rw /usr" - when: - - not ansible_check_mode - - mount.rc == 0 - - not mount.stdout_lines.0 | search("rw") - check_mode: yes - args: - warn: no diff --git a/webapps/evoadmin-web/tasks/user.yml b/webapps/evoadmin-web/tasks/user.yml index 4370070f..4070a52a 100644 --- a/webapps/evoadmin-web/tasks/user.yml +++ b/webapps/evoadmin-web/tasks/user.yml @@ -52,7 +52,8 @@ group: "{{ evoadmin_username }}" recurse: yes -- include: remount_usr_rw.yml +- include_role: + name: remount-usr when: evoadmin_scripts_dir | search ("/usr") - name: "Create {{ evoadmin_scripts_dir }}" From 4d007c8eb0a6ee3027531034834495788863a606 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 7 Nov 2017 18:14:03 +0100 Subject: [PATCH 234/266] roundcube: add link in default site index --- webapps/roundcube/tasks/main.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/webapps/roundcube/tasks/main.yml b/webapps/roundcube/tasks/main.yml index 37ef1afe..9eac3dd9 100644 --- a/webapps/roundcube/tasks/main.yml +++ b/webapps/roundcube/tasks/main.yml @@ -102,3 +102,13 @@ notify: reload apache2 tags: - roundcube + +- name: enable roundcube link in default site index + lineinfile: + dest: /var/www/index.html + state: present + regexp: "Webmail" + line: '
  • Webmail
  • ' + insertbefore: "" + tags: + - roundcube From 019ce03e3aa6e66b037a73bfd990b2d111ac3fa0 Mon Sep 17 00:00:00 2001 From: Daniel Jakots Date: Wed, 8 Nov 2017 11:45:00 -0500 Subject: [PATCH 235/266] Fix for OpenBSD 6.2 https://github.com/openbsd/src/commit/758d4ba9a7f1fc4efa964ccc998d5c82acfa02fb#diff-d3ca8881345ccaf84b784637f5244eac changes the way vmstat prints free memory --- nagios-nrpe/files/plugins_bsd/check_free_mem.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nagios-nrpe/files/plugins_bsd/check_free_mem.sh b/nagios-nrpe/files/plugins_bsd/check_free_mem.sh index f2261ea9..f0b79c8a 100755 --- a/nagios-nrpe/files/plugins_bsd/check_free_mem.sh +++ b/nagios-nrpe/files/plugins_bsd/check_free_mem.sh @@ -64,7 +64,7 @@ __EOT # Total memory size (in MB) tot_mem=$(( `/sbin/sysctl -n hw.physmem` / BYTES_IN_MB)) # Free memory size (in MB) -free_mem=$(( `/usr/bin/vmstat | /usr/bin/tail -1 | /usr/bin/awk '{ print $5 }'` / KB_IN_MB )) +free_mem=$(/usr/bin/vmstat | /usr/bin/tail -1 | /usr/bin/awk '{ print $4 }' | tr -d 'M') # Free memory size (in percentage) free_mem_perc=$(( free_mem * 100 / tot_mem )) From 54d72ad9e0e931dd7580aee6b0887ce97b87460b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 13 Nov 2017 15:40:18 +0100 Subject: [PATCH 236/266] typo + whitespaces --- amazon-ec2/README | 4 ++-- amazon-ec2/defaults/main.yml | 7 +++---- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/amazon-ec2/README b/amazon-ec2/README index d3be7dc3..c47de370 100644 --- a/amazon-ec2/README +++ b/amazon-ec2/README @@ -5,9 +5,9 @@ Manage Amazon EC2 instances. This role is intended to be called before any other role to setup and start EC2 instances. -## Dependancies +## Dependencies -You should first ensure that you have python-boto package installed on your +You should first ensure that you have `python-boto` package installed on your machine and an Amazon security access key pair created for your account. ## Tasks 
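Review bot: `regexp: "Webmail"` in `enable roundcube link in default site index` is unanchored, so any existing line of /var/www/index.html that merely contains the word Webmail is overwritten by the new list item rather than only the entry this task owns. Anchor the pattern to the element being managed (presumably an `<li>`, since the markup of `line:` and `insertbefore:` appears to have been stripped in this rendering and cannot be checked here), e.g. a regexp that matches the whole list item and its href. A short comment naming the element `insertbefore:` targets would also help, as an empty `insertbefore` value silently falls back to end-of-file.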
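Review bot: The new `free_mem=` line assumes the free-memory column of `vmstat` always carries an `M` suffix; `tr -d 'M'` leaves any other scaled value (a `K` or `G` suffix) as a non-numeric string, and the `free_mem * 100 / tot_mem` arithmetic on the next context line then aborts the plugin with a shell error instead of a proper Nagios state. If the scaled output can use other suffixes, convert by suffix, or at least validate before the arithmetic: `case "$free_mem" in ''|*[!0-9]*) echo "UNKNOWN - unparsable vmstat output"; exit 3;; esac`. As the commit message says the column change is specific to OpenBSD 6.2, a comment on the line stating that (and that `$5`/KB was the pre-6.2 layout) would save the next person a bisect.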
diff --git a/amazon-ec2/defaults/main.yml b/amazon-ec2/defaults/main.yml index d53371dc..fde898bd 100644 --- a/amazon-ec2/defaults/main.yml +++ b/amazon-ec2/defaults/main.yml @@ -2,12 +2,12 @@ aws_region: ca-central-1 ec2_public_ip: False ec2_instance_count: 1 -ec2_security_group: "{{ec2_evolinux_security_group}}" -ec2_base_ami: "{{ec2_debian_base_ami[aws_region]}}" +ec2_security_group: "{{ ec2_evolinux_security_group }}" +ec2_base_ami: "{{ ec2_debian_base_ami[aws_region] }}" ec2_instance_type: t2.micro # Note: Do not try to put your ED25519 key here, AWS does not support it... ssh_pubkey_file: ~/.ssh/id_rsa.pub -ec2_keyname: "{{lookup('env', 'USER')}}" +ec2_keyname: "{{ lookup('env', 'USER') }}" # From https://wiki.debian.org/Cloud/AmazonEC2Image/Stretch ec2_debian_base_ami: @@ -45,4 +45,3 @@ ec2_evolinux_security_group: rules_egress: - proto: all cidr_ip: 0.0.0.0/0 - From 549cb2f9175e994f3fe7c08cd502507894a1e40b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 13 Nov 2017 17:48:50 +0100 Subject: [PATCH 237/266] Supervisor: handlers name + tags --- supervisord/handlers/main.yml | 2 +- supervisord/tasks/main.yml | 10 +++++++--- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/supervisord/handlers/main.yml b/supervisord/handlers/main.yml index 3bf89428..be10ba0a 100644 --- a/supervisord/handlers/main.yml +++ b/supervisord/handlers/main.yml @@ -1,5 +1,5 @@ --- -- name: Restart supervisord +- name: restart supervisor service: name: supervisor state: restarted diff --git a/supervisord/tasks/main.yml b/supervisord/tasks/main.yml index 500c5d68..17d7737a 100644 --- a/supervisord/tasks/main.yml +++ b/supervisord/tasks/main.yml 
@@ -1,13 +1,17 @@ --- -- name: Install supervisord +- name: Install Supervisor apt: name: supervisor + tags: + - supervisord -- name: Add http configuration for supvervisord +- name: Add http configuration for Supervisor copy: src: http.conf dest: /etc/supervisor/conf.d/ mode: "0644" force: no - notify: Restart supervisord + notify: restart supervisor when: supervisord_enable_http + tags: + - supervisord From 1d68340b3bb55cc2b93ef96175a9feda46110413 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 14 Nov 2017 09:39:24 +0100 Subject: [PATCH 238/266] mysql: better support for check mode --- mysql/tasks/users_jessie.yml | 1 + mysql/tasks/utils.yml | 3 ++- redis/tasks/munin.yml | 1 + 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/mysql/tasks/users_jessie.yml b/mysql/tasks/users_jessie.yml index a8c22cf8..e1a02130 100644 --- a/mysql/tasks/users_jessie.yml +++ b/mysql/tasks/users_jessie.yml @@ -13,6 +13,7 @@ command: "apg -n 1 -m 16 -M lcN" register: mysql_admin_password changed_when: False + check_mode: no tags: - mysql diff --git a/mysql/tasks/utils.yml b/mysql/tasks/utils.yml index 0f0ad068..a6fc307c 100644 --- a/mysql/tasks/utils.yml +++ b/mysql/tasks/utils.yml @@ -30,9 +30,10 @@ when: ansible_distribution_major_version | version_compare('9', '>=') - name: Read debian-sys-maint password - shell: cat /etc/mysql/debian.cnf | grep -m1 "password = .*" | cut -d" " -f3 + shell: 'cat /etc/mysql/debian.cnf | grep -m1 "password = .*" | cut -d" " -f3' register: mysql_debian_password changed_when: False + check_mode: no tags: - mysql diff --git a/redis/tasks/munin.yml b/redis/tasks/munin.yml index 6837edb3..0d8a27f6 100644 --- a/redis/tasks/munin.yml +++ b/redis/tasks/munin.yml @@ -53,6 +53,7 @@ register: munin_redis_blocs_in_config failed_when: False changed_when: False + check_mode: no - name: Add redis password for munin (if no more than 1 config block) ini_file: From 430f36c0e77c77377dbaff8669ab857692a6cd03 Mon Sep 17 00:00:00 2001 
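Review bot: The `apg` task in users_jessie.yml and the `Read debian-sys-maint password` task in utils.yml both `register` a clear-text MySQL password and neither sets `no_log: true`, so the generated admin password and the debian-sys-maint password are printed in verbose runs and land in any configured log or callback output; the added `check_mode: no` makes that happen in check runs as well. Add `no_log: true` to both tasks (it suppresses the registered result, not just the command line). Reading /etc/mysql/debian.cnf with `slurp` and extracting the value in Jinja would also remove the `cat | grep | cut` shell pipeline, but that is secondary to the logging point.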
From: Jeremy Lecour Date: Tue, 14 Nov 2017 10:26:48 +0100 Subject: [PATCH 239/266] Elastic: fix source list filename --- elasticsearch/tasks/packages.yml | 2 +- filebeat/tasks/main.yml | 2 +- kibana/tasks/main.yml | 2 +- logstash/tasks/main.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/elasticsearch/tasks/packages.yml b/elasticsearch/tasks/packages.yml index 3530d139..ff395cb5 100644 --- a/elasticsearch/tasks/packages.yml +++ b/elasticsearch/tasks/packages.yml @@ -20,7 +20,7 @@ - name: Elastic sources list is available apt_repository: repo: "deb https://artifacts.elastic.co/packages/5.x/apt stable main" - filename: elastic.list + filename: elastic state: present update_cache: yes tags: diff --git a/filebeat/tasks/main.yml b/filebeat/tasks/main.yml index 7938ce78..75f4bc2b 100644 --- a/filebeat/tasks/main.yml +++ b/filebeat/tasks/main.yml @@ -20,7 +20,7 @@ - name: Elastic sources list is available apt_repository: repo: "deb https://artifacts.elastic.co/packages/5.x/apt stable main" - filename: elastic.list + filename: elastic state: present update_cache: yes tags: diff --git a/kibana/tasks/main.yml b/kibana/tasks/main.yml index 475aa9ce..cf29e270 100644 --- a/kibana/tasks/main.yml +++ b/kibana/tasks/main.yml @@ -20,7 +20,7 @@ - name: Elastic sources list is available apt_repository: repo: "deb https://artifacts.elastic.co/packages/5.x/apt stable main" - filename: elastic.list + filename: elastic state: present update_cache: yes tags: diff --git a/logstash/tasks/main.yml b/logstash/tasks/main.yml index 086bd4b3..67d9e375 100644 --- a/logstash/tasks/main.yml +++ b/logstash/tasks/main.yml @@ -20,7 +20,7 @@ - name: Elastic sources list is available apt_repository: repo: "deb https://artifacts.elastic.co/packages/5.x/apt stable main" - filename: elastic.list + filename: elastic state: present update_cache: yes tags: From 5800159830d812b0bb7a85052ac05abe3ad61941 Mon Sep 17 00:00:00 2001 
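Review bot: Changing `filename: elastic.list` to `filename: elastic` fixes the name for new hosts, since `apt_repository` appends `.list` itself, but already-provisioned hosts keep the `elastic.list.list` file the old value created in /etc/apt/sources.list.d next to the new `elastic.list`, so the same repository is listed twice and apt warns on every update. Add a cleanup before this task, a `file:` task with `path: /etc/apt/sources.list.d/elastic.list.list` and `state: absent`, here and in the identical filebeat, kibana and logstash hunks. With the same repository task repeated in four roles, a shared task file or a single variable for the repo line would keep them from drifting apart again.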
From: Jeremy Lecour Date: Tue, 14 Nov 2017 11:05:54 +0100 Subject: [PATCH 240/266] elasticsearch: fix datadir/tmpdir conditions --- elasticsearch/tasks/datadir.yml | 14 +++++++++----- elasticsearch/tasks/tmpdir.yml | 2 +- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/elasticsearch/tasks/datadir.yml b/elasticsearch/tasks/datadir.yml index a0b87ad5..38d2218a 100644 --- a/elasticsearch/tasks/datadir.yml +++ b/elasticsearch/tasks/datadir.yml @@ -7,16 +7,16 @@ register: elasticsearch_custom_datadir_test check_mode: no - - name: "read the real datadir" command: readlink -f /var/lib/elasticsearch changed_when: false register: elasticsearch_current_real_datadir_test check_mode: no - tags: - elasticsearch - when: elasticsearch_custom_datadir + when: + - elasticsearch_custom_datadir != '' + - elasticsearch_custom_datadir != None - block: - name: elasticsearch is stopped @@ -40,5 +40,9 @@ name: elasticsearch state: started tags: - - elasticsearch - when: elasticsearch_custom_datadir and elasticsearch_custom_datadir != elasticsearch_current_real_datadir_test.stdout and not elasticsearch_custom_datadir_test.stat.exists + - elasticsearch + when: + - elasticsearch_custom_datadir != '' + - elasticsearch_custom_datadir != None + - elasticsearch_custom_datadir != elasticsearch_current_real_datadir_test.stdout + - not elasticsearch_custom_datadir_test.stat.exists diff --git a/elasticsearch/tasks/tmpdir.yml b/elasticsearch/tasks/tmpdir.yml index 380fb190..b6bd445a 100644 --- a/elasticsearch/tasks/tmpdir.yml +++ b/elasticsearch/tasks/tmpdir.yml @@ -28,4 +28,4 @@ - restart elasticsearch tags: - elasticsearch - when: elasticsearch_custom_tmpdir or fstab_tmp_noexec | success + when: (elasticsearch_custom_tmpdir != '' and elasticsearch_custom_tmpdir != None) or fstab_tmp_noexec | success From bcbfcf9080ba088ac66946246aeb355480294de8 Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour Date: Tue, 14 Nov 2017 11:06:24 +0100 Subject: [PATCH 241/266] Elasticsearch: use elastic.list APT source list for curator --- elasticsearch/tasks/curator.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/elasticsearch/tasks/curator.yml b/elasticsearch/tasks/curator.yml index c1a10658..e2546c7a 100644 --- a/elasticsearch/tasks/curator.yml +++ b/elasticsearch/tasks/curator.yml @@ -3,6 +3,7 @@ - name: Curator sources list is available apt_repository: repo: "deb http://packages.elastic.co/curator/4/debian stable main" + filename: elastic update_cache: yes state: present tags: From 4746354c54696bb9297eb1666eaaa86378eeb689 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 14 Nov 2017 11:07:06 +0100 Subject: [PATCH 242/266] Elasticsearch: daily job for log rotation --- elasticsearch/defaults/main.yml | 1 + elasticsearch/tasks/logs.yml | 9 +++++++++ elasticsearch/tasks/main.yml | 2 ++ elasticsearch/templates/rotate_elasticsearch_logs.j2 | 9 +++++++++ 4 files changed, 21 insertions(+) create mode 100644 elasticsearch/tasks/logs.yml create mode 100644 elasticsearch/templates/rotate_elasticsearch_logs.j2 diff --git a/elasticsearch/defaults/main.yml b/elasticsearch/defaults/main.yml index 77e36070..5fce4ef6 100644 --- a/elasticsearch/defaults/main.yml +++ b/elasticsearch/defaults/main.yml @@ -8,6 +8,7 @@ elasticsearch_custom_tmpdir: Null elasticsearch_default_tmpdir: /var/lib/elasticsearch/tmp elasticsearch_jvm_xms: 2g elasticsearch_jvm_xmx: 2g +elasticsearch_log_rotate_days: 365 elasticsearch_curator: False diff --git a/elasticsearch/tasks/logs.yml b/elasticsearch/tasks/logs.yml new file mode 100644 index 00000000..ee3d7680 --- /dev/null +++ b/elasticsearch/tasks/logs.yml @@ -0,0 +1,9 @@ +--- + +- name: "log rotation script" + template: + src: rotate_elasticsearch_logs.j2 + dest: /etc/cron.daily/rotate_elasticsearch_logs + owner: root + group: root + mode: "0750" 
diff --git a/elasticsearch/tasks/main.yml b/elasticsearch/tasks/main.yml index 00be05ed..bc43bebd 100644 --- a/elasticsearch/tasks/main.yml +++ b/elasticsearch/tasks/main.yml @@ -10,6 +10,8 @@ - include: tmpdir.yml +- include: logs.yml + - include: plugin_head.yml when: elasticsearch_plugin_head diff --git a/elasticsearch/templates/rotate_elasticsearch_logs.j2 b/elasticsearch/templates/rotate_elasticsearch_logs.j2 new file mode 100644 index 00000000..14d2d31d --- /dev/null +++ b/elasticsearch/templates/rotate_elasticsearch_logs.j2 @@ -0,0 +1,9 @@ +#!/bin/sh +# {{ ansible_managed }} + +LOG_DIR=/var/log/elasticsearch +USER=elasticsearch +MAX_AGE={{ elasticsearch_log_rotate_days | mandatory }} + +find ${LOG_DIR} -type f -user ${USER} -name "*.log.????-??-??" -exec gzip --best {} \; +find ${LOG_DIR} -type f -user ${USER} -name "*.log.????-??-??.gz" -mtime +${MAX_AGE} -delete From 888336e6fea5c76ab2d62ce4d832680a0b171f7a Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 14 Nov 2017 11:07:13 +0100 Subject: [PATCH 243/266] logstash: daily job for log rotation --- logstash/defaults/main.yml | 1 + logstash/tasks/logs.yml | 9 +++++++++ logstash/tasks/main.yml | 2 ++ logstash/templates/rotate_logstash_logs.j2 | 9 +++++++++ 4 files changed, 21 insertions(+) create mode 100644 logstash/tasks/logs.yml create mode 100644 logstash/templates/rotate_logstash_logs.j2 diff --git a/logstash/defaults/main.yml b/logstash/defaults/main.yml index 2d3c7b40..e563f517 100644 --- a/logstash/defaults/main.yml +++ b/logstash/defaults/main.yml @@ -1,3 +1,4 @@ --- logstash_jvm_xms: 256m logstash_jvm_xmx: 1g +logstash_log_rotate_days: 365 diff --git a/logstash/tasks/logs.yml b/logstash/tasks/logs.yml new file mode 100644 index 00000000..9d5b5023 --- /dev/null +++ b/logstash/tasks/logs.yml @@ -0,0 +1,9 @@ +--- + +- name: "log rotation script" + template: + src: rotate_logstash_logs.j2 + dest: /etc/cron.daily/rotate_logstash_logs + owner: root + group: root + mode: "0750" 
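Review bot: In rotate_elasticsearch_logs.j2 the variable `USER=elasticsearch` shadows the shell's conventional `USER` environment variable for the rest of the script, which is harmless here but misleading; `ES_USER` (or `LOG_USER`) says what it holds. The `${LOG_DIR}` and `${USER}` expansions are unquoted in both `find` calls; they are constants today, but `"${LOG_DIR}"` costs nothing and keeps the script safe if the template values ever contain spaces. Because this runs as root over a directory the service user can write to, the `-type f -user ${USER}` restriction and the use of `-delete` rather than an `rm` are doing real work and deserve a comment so they are not simplified away later. The rotate_logstash_logs.j2 template in the next commit has the same unquoted expansions.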
diff --git a/logstash/tasks/main.yml b/logstash/tasks/main.yml index 67d9e375..71be5614 100644 --- a/logstash/tasks/main.yml +++ b/logstash/tasks/main.yml @@ -70,3 +70,5 @@ - debug: var: logstash_template verbosity: 1 + +- include: logs.yml diff --git a/logstash/templates/rotate_logstash_logs.j2 b/logstash/templates/rotate_logstash_logs.j2 new file mode 100644 index 00000000..40155506 --- /dev/null +++ b/logstash/templates/rotate_logstash_logs.j2 @@ -0,0 +1,9 @@ +#!/bin/sh +# {{ ansible_managed }} + +LOG_DIR=/var/log/logstash +MAX_AGE={{ logstash_log_rotate_days | mandatory }} + +find ${LOG_DIR} -type f -user logstash -name "logstash.log.*.gz" -mtime +${MAX_AGE} -delete +find ${LOG_DIR} -type f -user root -name "logstash.err.*.gz" -mtime +${MAX_AGE} -delete +find ${LOG_DIR} -type f -user root -name "logstash.stdout.*.gz" -mtime +${MAX_AGE} -delete From 72d08388a5346eeeffdd497eb7fb47723a0be123 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 14 Nov 2017 14:20:40 +0100 Subject: [PATCH 244/266] kibana: host and basepath configuration --- kibana/README.md | 2 ++ kibana/defaults/main.yml | 4 ++++ kibana/tasks/main.yml | 16 ++++++++++++++++ 3 files changed, 22 insertions(+) diff --git a/kibana/README.md b/kibana/README.md index 5d95b5a7..7239adf7 100644 --- a/kibana/README.md +++ b/kibana/README.md @@ -8,6 +8,8 @@ Everything is in the `tasks/main.yml` file. ## Available variables +* `kibana_server_host` : Specifies the address to which the Kibana server will bind (default: `127.0.0.1`) ; +* `kibana_server_basepath` : where to mount the application (default: empty) ; * `kibana_proxy_nginx` : configure an Nginx proxy (not enabled) for Kibana (default: `False`) ; * `kibana_proxy_domain` : domain to use for the proxy ; * `kibana_proxy_ssl_cert` : certificate to use for the proxy ; diff --git a/kibana/defaults/main.yml b/kibana/defaults/main.yml index 7e7555f1..6fd7e16f 100644 --- a/kibana/defaults/main.yml +++ b/kibana/defaults/main.yml 
@@ -1,4 +1,8 @@ --- + +kibana_server_host: "127.0.0.1" +kibana_server_basepath: "" + kibana_proxy_nginx: False kibana_proxy_domain: "kibana.{{ ansible_fqdn }}" diff --git a/kibana/tasks/main.yml b/kibana/tasks/main.yml index cf29e270..b67c68e5 100644 --- a/kibana/tasks/main.yml +++ b/kibana/tasks/main.yml @@ -34,6 +34,22 @@ tags: - packages +- name: kibana server host configuration + lineinfile: + src: /etc/kibana/kibana.yml + line: "server.host: \"{{ kibana_server_host }}\"" + regexp: '^server.host:' + insertafter: '^#server.host:' + notify: restart kibana + +- name: kibana server basepath configuration + lineinfile: + src: /etc/kibana/kibana.yml + line: "server.basePath: \"{{ kibana_server_basepath }}\"" + regexp: '^server.basePath:' + insertafter: '^#server.basePath:' + notify: restart kibana + - name: Kibana service is enabled and started systemd: name: kibana From 7bc668963bab558a8d76a4c3273256d139ccd85b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 14 Nov 2017 14:21:00 +0100 Subject: [PATCH 245/266] kibana: move optimize and data to /var --- kibana/tasks/main.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/kibana/tasks/main.yml b/kibana/tasks/main.yml index b67c68e5..2396b1a3 100644 --- a/kibana/tasks/main.yml +++ b/kibana/tasks/main.yml @@ -78,10 +78,13 @@ name: remount-usr - name: Move kibana optimize directory - shell: "mv /usr/share/kibana/optimize /var/lib/kibana/optimize && ln -s /var/lib/kibana/optimize /usr/share/kibana/optimize" + shell: "mv /usr/share/kibana/{{ item }} /var/lib/kibana/{{ item }} && ln -s /var/lib/kibana/{{ item }} /usr/share/kibana/{{ item }}" args: - creates: /var/lib/kibana/optimize + creates: "/var/lib/kibana/{{ item }}" notify: restart kibana + with_items: + - optimize + - data - include: proxy_nginx.yml when: kibana_proxy_nginx From 4f7cb9cb23b58a40b205f329df39302e528a2e21 Mon Sep 17 00:00:00 2001 
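Review bot: Both new `lineinfile` tasks name the file with `src:`, which is not a `lineinfile` parameter (the module takes `path`, alias `dest`), so they fail at runtime with an unsupported-parameter error and neither the bind address nor the basePath is ever written; use `dest: /etc/kibana/kibana.yml` (or `path:` on Ansible 2.3 and later). The `regexp`/`insertafter` patterns leave the dot unescaped, so `^server.host:` also matches a hypothetical `server_host:`; `'^server\.host:'` and `'^#server\.host:'` are exact. The default `kibana_server_host: "127.0.0.1"` in the defaults hunk is the right choice for a service behind the nginx proxy, and the README entry for it could say that widening it exposes Kibana, which has no authentication of its own in this version, directly.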
From: Ludovic Poujol Date: Tue, 14 Nov 2017 16:06:47 +0100 Subject: [PATCH 246/266] listupgrade: add missing include remount-usr role --- listupgrade/tasks/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/listupgrade/tasks/main.yml b/listupgrade/tasks/main.yml index de9fdb2c..316e2f70 100644 --- a/listupgrade/tasks/main.yml +++ b/listupgrade/tasks/main.yml @@ -1,4 +1,8 @@ --- +- include_role: + name: remount-usr + when: evocheck_bin_dir | search ("/usr") + - name: Scripts dir is present file: path: "/usr/share/scripts" From cf190a76ff516c2f20d156f1aa4b35917874c402 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Tue, 14 Nov 2017 16:17:13 +0100 Subject: [PATCH 247/266] Revert "listupgrade: add missing include remount-usr role" This reverts commit 4f7cb9cb23b58a40b205f329df39302e528a2e21. I broke things --- listupgrade/tasks/main.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/listupgrade/tasks/main.yml b/listupgrade/tasks/main.yml index 316e2f70..de9fdb2c 100644 --- a/listupgrade/tasks/main.yml +++ b/listupgrade/tasks/main.yml @@ -1,8 +1,4 @@ --- -- include_role: - name: remount-usr - when: evocheck_bin_dir | search ("/usr") - - name: Scripts dir is present file: path: "/usr/share/scripts" From b801bdb576e2cee1925eab89400e2b1921372368 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 14 Nov 2017 17:01:51 +0100 Subject: [PATCH 248/266] evoacme: use -printf instead of -exec basename --- evoacme/files/certbot.cron | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evoacme/files/certbot.cron b/evoacme/files/certbot.cron index 48289e09..2d8d4c1d 100755 --- a/evoacme/files/certbot.cron +++ b/evoacme/files/certbot.cron 
@@ -9,6 +9,6 @@ [ -f /etc/default/evoacme ] && . /etc/default/evoacme CRT_DIR="${CRT_DIR:-'/etc/letsencrypt'}" -find "${CRT_DIR}" -maxdepth 1 -mindepth 1 -type d ! -path "*accounts" ! -path "*hooks" -exec basename {} \; | while read vhost; do +find "${CRT_DIR}" -maxdepth 1 -mindepth 1 -type d ! -path "*accounts" ! -path "*hooks" -printf "%f\n" | while read vhost; do QUIET=1 evoacme "$vhost" done From ce3b5b7cbd1182447c078fbcee312d22997ab001 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 14 Nov 2017 17:19:15 +0100 Subject: [PATCH 249/266] evoacme: use xargs instead of while --- evoacme/files/certbot.cron | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/evoacme/files/certbot.cron b/evoacme/files/certbot.cron index 2d8d4c1d..a16bcf69 100755 --- a/evoacme/files/certbot.cron +++ b/evoacme/files/certbot.cron @@ -9,6 +9,6 @@ [ -f /etc/default/evoacme ] && . /etc/default/evoacme CRT_DIR="${CRT_DIR:-'/etc/letsencrypt'}" -find "${CRT_DIR}" -maxdepth 1 -mindepth 1 -type d ! -path "*accounts" ! -path "*hooks" -printf "%f\n" | while read vhost; do - QUIET=1 evoacme "$vhost" -done +export QUIET=1 + +find "${CRT_DIR}" -maxdepth 1 -mindepth 1 -type d ! -path "*accounts" ! -path "*hooks" -printf "%f\n" | xargs -n1 evoacme From 419c7f4cdf5b74e8597bc394125abac48fb1a7eb Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 14 Nov 2017 22:10:57 +0100 Subject: [PATCH 250/266] Add meta/main.yml file for ansible galaxy cloning --- meta/main.yml | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 meta/main.yml diff --git a/meta/main.yml b/meta/main.yml new file mode 100644 index 00000000..b32a44cf --- /dev/null +++ b/meta/main.yml @@ -0,0 +1,2 @@ +--- +galaxy_info: From e2e7aba7394e57db5d61533f5960ddd930ba7dbb Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 15 Nov 2017 10:57:43 +0100 Subject: [PATCH 251/266] redis: looser regexp for check_redis replace --- redis/tasks/nrpe_stretch.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
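Review bot: `find ... | xargs -n1 evoacme` runs `evoacme` once with no argument when `find` prints nothing (GNU xargs executes the command even on empty input), so a host with no certificate directories calls `evoacme` with an empty vhost from cron; add `-r`, i.e. `xargs -rn1 evoacme`. Names containing whitespace would also be split, which is unlikely for vhost directories, but `-printf "%f\0" | xargs -0 -rn1 evoacme` closes that for free. In the unchanged context line, `CRT_DIR="${CRT_DIR:-'/etc/letsencrypt'}"` keeps the single quotes as part of the value under bash (dash strips them), giving a default path of `'/etc/letsencrypt'` with literal quotes; `CRT_DIR="${CRT_DIR:-/etc/letsencrypt}"` is the portable form, and the script's shebang, above the hunk, decides whether this bites today.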
diff --git a/redis/tasks/nrpe_stretch.yml b/redis/tasks/nrpe_stretch.yml index a2ffba17..c34679e0 100644 --- a/redis/tasks/nrpe_stretch.yml +++ b/redis/tasks/nrpe_stretch.yml @@ -10,6 +10,6 @@ - name: Replace check_tcp by check_redis for NRPE replace: dest: /etc/nagios/nrpe.d/evolix.cfg - regexp: '^command\[check_redis\]=\/usr\/lib\/nagios\/plugins\/check_tcp -p 6379' + regexp: '^command\[check_redis\]=.+' replace: 'command[check_redis]=/usr/lib/nagios/plugins/check_redis -H 127.0.0.1' notify: restart nagios-nrpe-server From 6608f13421dab1ed71595618d46c32261d7a35ad Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 15 Nov 2017 10:57:51 +0100 Subject: [PATCH 252/266] redis: add missing tags --- redis/tasks/nrpe_stretch.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/redis/tasks/nrpe_stretch.yml b/redis/tasks/nrpe_stretch.yml index c34679e0..c78e5a28 100644 --- a/redis/tasks/nrpe_stretch.yml +++ b/redis/tasks/nrpe_stretch.yml @@ -13,3 +13,6 @@ regexp: '^command\[check_redis\]=.+' replace: 'command[check_redis]=/usr/lib/nagios/plugins/check_redis -H 127.0.0.1' notify: restart nagios-nrpe-server + tags: + - redis + - nrpe From 5c6c92ab69d3fce8a744ab73ffb368c9287a23a1 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 15 Nov 2017 11:17:58 +0100 Subject: [PATCH 253/266] evoacme: install hooks in a loop --- evoacme/tasks/acme.yml | 24 ------------------------ evoacme/tasks/evoacme_hook.yml | 14 ++++++++++++++ evoacme/tasks/main.yml | 9 +++++++++ 3 files changed, 23 insertions(+), 24 deletions(-) create mode 100644 evoacme/tasks/evoacme_hook.yml diff --git a/evoacme/tasks/acme.yml b/evoacme/tasks/acme.yml index 86f6cfcf..16417ca6 100644 --- a/evoacme/tasks/acme.yml +++ b/evoacme/tasks/acme.yml 
@@ -30,30 +30,6 @@ group: acme state: directory -- name: "Search for reload_apache hook" - command: "find {{ evoacme_hooks_dir }} -type f \\( -name 'reload_apache' -o -name 'reload_apache.*' \\)" - check_mode: no - register: find_apache_hook - -- name: "Copy reload_apache hook if missing" - copy: - src: "hooks/reload_apache" - dest: "{{ evoacme_hooks_dir }}/reload_apache" - mode: "0750" - when: find_apache_hook.stdout == "" - -- name: "Search for reload_nginx hook" - command: "find {{ evoacme_hooks_dir }} -type f \\( -name 'reload_nginx' -o -name 'reload_nginx.*' \\)" - check_mode: no - register: find_nginx_hook - -- name: "Copy reload_nginx hook if missing" - copy: - src: "hooks/reload_nginx" - dest: "{{ evoacme_hooks_dir }}/reload_nginx" - mode: "0750" - when: find_nginx_hook.stdout == "" - - name: Fix log dir's right file: path: "{{ evoacme_log_dir }}" diff --git a/evoacme/tasks/evoacme_hook.yml b/evoacme/tasks/evoacme_hook.yml new file mode 100644 index 00000000..200bcbc4 --- /dev/null +++ b/evoacme/tasks/evoacme_hook.yml @@ -0,0 +1,14 @@ +--- + +- name: "Search for {{ hook_name }} hook" + command: "find {{ evoacme_hooks_dir }} -type f \\( -name '{{ hook_name }}' -o -name '{{ hook_name }}.*' \\)" + check_mode: no + changed_when: False + register: _find_hook + +- name: "Copy {{ hook_name }} hook if missing" + copy: + src: "hooks/{{ hook_name }}" + dest: "{{ evoacme_hooks_dir }}/{{ hook_name }}" + mode: "0750" + when: _find_hook.stdout == "" diff --git a/evoacme/tasks/main.yml b/evoacme/tasks/main.yml index 6bc21a02..08bb980a 100644 --- a/evoacme/tasks/main.yml +++ b/evoacme/tasks/main.yml @@ -9,6 +9,15 @@ - include: acme.yml +- include: evoacme_hook.yml + vars: + hook_name: "{{ item }}" + with_items: + - reload_apache + - reload_nginx + - reload_dovecot + - reload_postfix + - include: conf.yml - include: scripts.yml From 46d70b3cd5b759f221764a46e8782ec7875eaefe Mon Sep 17 00:00:00 2001 
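Review bot: The `Copy {{ hook_name }} hook if missing` task in the new evoacme_hook.yml sets `mode: "0750"` but no `owner`/`group`, so the hook file belongs to whatever account Ansible runs as, while the hook is presumably executed with enough privilege to reload apache/nginx/dovecot/postfix; pin the writer explicitly with `owner: root` and `group: root` (or the `acme` group that the hunk above assigns to the hooks directory, if the hooks are meant to run as that user — I cannot tell from here). The `-name '{{ hook_name }}.*'` alternative in the `find` means a file such as `reload_apache.disabled` counts as present and suppresses the copy, which is probably deliberate but deserves a comment: `# a hook with any suffix (e.g. .disabled) counts as present and is left alone`. In the main.yml hunk, `include` combined with `with_items` and a per-item `vars:` is the pre-2.4 loop form; if the targeted Ansible supports it, `include_tasks` with `loop` is the maintained equivalent.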
From: Jeremy Lecour Date: Wed, 15 Nov 2017 11:26:42 +0100 Subject: [PATCH 254/266] evolnux-base: cache pgp key locally --- .../files/hwraid.le-vert.net.gpg.key | 31 +++++++++++++++++++ evolinux-base/tasks/hardware.yml | 3 +- 2 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 evolinux-base/files/hwraid.le-vert.net.gpg.key diff --git a/evolinux-base/files/hwraid.le-vert.net.gpg.key b/evolinux-base/files/hwraid.le-vert.net.gpg.key new file mode 100644 index 00000000..6d2f49d3 --- /dev/null +++ b/evolinux-base/files/hwraid.le-vert.net.gpg.key 
@@ -0,0 +1,31 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.12 (GNU/Linux)
+
+mQENBFHwGLoBCADGXHFostxbz4UzGFYtmox4pvyN1gMhq2KCuQ6f+FESa4HTd9L6
+XVhXWPCad3cdxBIls+41+AdZTWxWMu7DUdy8nMU1Ikfw6JeHcSx97G5BdxBVMjK4
+iMGfPdLfDgWf4BQ2h0dnTEWobt31WaqgNiNjNrKktqbymmF94pwYkwL53ydIA4zl
+8ZQRZooFigkS9WdoKjh30Pv/SWakILSLcSQFHK0dvSkeGd1NxT9dMNPAXXqLom4+
+7kCc0s04sS+0DwW16b0Hpb46mtsR9kzOnrE/Smj24uOGzNZen0oCc2Y7bfZlyaN+
+RlTkWEze7lemc4Byup/QWkhT0Er8F8uxexy5ABEBAAG0PEhXUmFpZCAoaHR0cDov
+L2h3cmFpZC5sZS12ZXJ0Lm5ldCkgPHJvb3RAaHdyYWlkLmxlLXZlcnQubmV0PokB
+OAQTAQIAIgUCUfAYugIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQYAUh
+DiOz07Rc4Af+N3dEZZHzLNVTjQ0+fCyeg8/flWOkR8DhP10cyoJhSHFTZRdXVshn
+kP4VmmUycVeURh76DmrIRe/9Oyca6aGXccRMqvq+HMgBPVwD5qNhcJPIuzqEvmlO
+6UIeW2ydil/v1pWu740fGntyFRQcsfqjReVPXw9K588F7MDMyL+31vLm6aorLSzR
+hvLhOmGisTs0wg2Oz9f4muauRy6cpQPw/Zi/P/F4WkQYscbHrSbhszj6OIg/vftR
+UbZ7QB26/+40B0ag4JzLpmj3scFxf/WdUl5LXazqhsbkurk7huV41BNKXi1+BS3c
+x6pFzWEHpiuG1j7U/nScGzEQpsMlUW9D+rkBDQRR8Bi6AQgAuhH1H0VLwcROI/5n
+9yTxSbTIZbyhUan3raAbit3pgo0zLagfUtp3vULVnm5ISqQcYFGLZoE1MUkmjGOL
+38W0lsIiZTaKOKXxBbLlPhhrvlXnNWAG/S1wnq7K+DV179KCTkUzaLRDbHvv999j
+9odBRtAkiTnCfHTMCN4AhydEejNxtlzJo4E5FecH4reimLI5euUdTltgCjixrbsa
+KbQftYpSMdXnLy2+00QZoXu0U/h4WZcMhOSEEiyGP9BY6m5G76n03HIeQ6eALDFu
+ryAgO+SB9rBrm/VN0kR/TZq0iA3uzLHC7zCw2aImipkr+rIuJOku0wH9MyowBbia
+bQtnCQARAQABiQEfBBgBAgAJBQJR8Bi6AhsMAAoJEGAFIQ4js9O0d5YH/3fNQgsC
+LvD0g2wdoksv5bG9CUOi9Bs0JHqI0LhXmPvMsbDojZ+zZle7KWNfK2227mWhmoG1
+WLujJSmTtxhEO1fXIdYjlDfk2uLJKuFi2wQX9n8dFDUmKY3CUJgeVZof1uQ/5C3D
+O06CcuOtf2d/+iijuW112aV1q1hoQqw71ojTET0iIV6lD/0i1eEBSSe1Ohb9yTGR
+VxTVrB78zU9hih4/Oq8wJT/Fv25aO1MDSc26CXAg0JA6IWvKal3BSPNhtz4L4FIg
+lXleArf9oJqxDO3TsV5zcLyxsIuRuxyP0+AKdSQUqv0dFi4Jf79OmvOmgwydhHjY
++f7quLbwiiDmPbU=
+=Yv6D
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/evolinux-base/tasks/hardware.yml b/evolinux-base/tasks/hardware.yml
index 49a3a4f6..8607a586 100644
--- a/evolinux-base/tasks/hardware.yml
+++ b/evolinux-base/tasks/hardware.yml
@@ -55,7 +55,8 @@ - block: - name: Add HW tool GPG key apt_key: - url: https://hwraid.le-vert.net/debian/hwraid.le-vert.net.gpg.key + # url: https://hwraid.le-vert.net/debian/hwraid.le-vert.net.gpg.key + data: "{{ lookup('file', 'hwraid.le-vert.net.gpg.key') }}" when: ansible_distribution_release == "stretch" - name: Add HW tool repository From da3838e3e923b82c2a5328e88c1d2d42a6ef350a Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 15 Nov 2017 11:46:53 +0100 Subject: [PATCH 255/266] fail2ban: create config hierarchy beforehand --- fail2ban/tasks/main.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml index 6a9a6ff7..579e143d 100644 --- a/fail2ban/tasks/main.yml +++ b/fail2ban/tasks/main.yml @@ -2,13 +2,16 @@ # We have to copy the local jail before installing the package # or we risk being jailed by fail2ban -- name: Prepare /etc/fail2ban +- name: Prepare fail2ban hierarchy file: - path: /etc/fail2ban + path: "{{ item }}" state: directory owner: root group: root mode: "0755" + with_items: + - "/etc/fail2ban" + - "/etc/fail2ban/filter.d" tags: - fail2ban @@ -44,4 +47,3 @@ tags: - fail2ban - packages - From 8a479eee3f6ecbad079474b42a752abb06a35db2 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 15 Nov 2017 12:00:25 +0100 Subject: [PATCH 256/266] postfix: quote shell command --- postfix/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/postfix/tasks/main.yml b/postfix/tasks/main.yml index 714787d6..6272be33 100644 --- a/postfix/tasks/main.yml +++ b/postfix/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: check if main.cf is default - shell: grep -v -E "^(myhostname|mydestination|mailbox_command)" /etc/postfix/main.cf | md5sum - + shell: 'grep -v -E "^(myhostname|mydestination|mailbox_command)" /etc/postfix/main.cf | md5sum -' changed_when: False check_mode: no register: default_main_cf 
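Review bot: The `Add HW tool GPG key` task now imports whatever `files/hwraid.le-vert.net.gpg.key` contains without checking which key that is, so a swapped or tampered file in the repository is trusted silently; add `id:` with the key's full fingerprint (as printed by `gpg --with-fingerprint` on the cached file) so `apt_key` verifies the data before importing it, and record that fingerprint in a comment beside the file. The commented-out `# url:` line can go now that git history keeps the source; if it stays, make it say what it is, e.g. `# cached copy of https://hwraid.le-vert.net/debian/hwraid.le-vert.net.gpg.key (fetched 2017-11)`. Keep in mind that `apt_key` adds the key to the global trusted keyring, so it signs any repository, not just the hwraid one; the `Add HW tool repository` task that follows lies outside the hunk.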
From d355532a2498bf7add16af5b79b6c3d933c81743 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 15 Nov 2017 12:10:10 +0100 Subject: [PATCH 257/266] Postfix: extract main.cf md5sum into variables --- postfix/tasks/main.yml | 2 +- postfix/tasks/minimal.yml | 4 ++-- postfix/tasks/packmail.yml | 4 ++-- postfix/vars/main.yml | 5 +++++ 4 files changed, 10 insertions(+), 5 deletions(-) create mode 100644 postfix/vars/main.yml diff --git a/postfix/tasks/main.yml b/postfix/tasks/main.yml index 6272be33..a1b5a424 100644 --- a/postfix/tasks/main.yml +++ b/postfix/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: check if main.cf is default - shell: 'grep -v -E "^(myhostname|mydestination|mailbox_command)" /etc/postfix/main.cf | md5sum -' + shell: 'grep -v -E "^(myhostname|mydestination|mailbox_command)" /etc/postfix/main.cf | md5sum -' changed_when: False check_mode: no register: default_main_cf diff --git a/postfix/tasks/minimal.yml b/postfix/tasks/minimal.yml index 99b99003..d1e4b4c5 100644 --- a/postfix/tasks/minimal.yml +++ b/postfix/tasks/minimal.yml @@ -18,7 +18,7 @@ force: yes notify: restart postfix when: postfix_force_main_cf == True or - default_main_cf.stdout == "5450c05d65878e99dad696c7c722e511 -" or - default_main_cf.stdout == "30022953f1f61f002bfb72e163ecb27e -" + postfix_maincf_md5_jessie in default_main_cf.stdout or + postfix_maincf_md5_stretch in default_main_cf.stdout tags: - postfix diff --git a/postfix/tasks/packmail.yml b/postfix/tasks/packmail.yml index 3ffd096f..de9ee7ad 100644 --- a/postfix/tasks/packmail.yml +++ b/postfix/tasks/packmail.yml @@ -21,8 +21,8 @@ force: yes notify: restart postfix when: postfix_force_main_cf == True or - default_main_cf.stdout == "5450c05d65878e99dad696c7c722e511 -" or - default_main_cf.stdout == "30022953f1f61f002bfb72e163ecb27e -" + postfix_maincf_md5_jessie in default_main_cf.stdout or + postfix_maincf_md5_stretch in default_main_cf.stdout tags: - postfix 
diff --git a/postfix/vars/main.yml b/postfix/vars/main.yml new file mode 100644 index 00000000..e8a773c9 --- /dev/null +++ b/postfix/vars/main.yml @@ -0,0 +1,5 @@ +--- +## MD5 hash of default main.cf filter, obtained with this command : +# grep -v -E "^(myhostname|mydestination|mailbox_command)" /etc/postfix/main.cf | md5sum - +postfix_maincf_md5_jessie: "5450c05d65878e99dad696c7c722e511" +postfix_maincf_md5_stretch: "30022953f1f61f002bfb72e163ecb27e" From 6007c98b43224f0bea477730a5c82520071f9940 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 15 Nov 2017 12:21:30 +0100 Subject: [PATCH 258/266] remount-usr: quote commands --- remount-usr/handlers/main.yml | 2 +- remount-usr/tasks/main.yml | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/remount-usr/handlers/main.yml b/remount-usr/handlers/main.yml index c75bacb7..5f197e78 100644 --- a/remount-usr/handlers/main.yml +++ b/remount-usr/handlers/main.yml @@ -1,6 +1,6 @@ --- - name: remount usr - command: mount -o remount /usr + command: "mount -o remount /usr" failed_when: false args: warn: no diff --git a/remount-usr/tasks/main.yml b/remount-usr/tasks/main.yml index 40fddc30..cdc7e10e 100644 --- a/remount-usr/tasks/main.yml +++ b/remount-usr/tasks/main.yml @@ -1,6 +1,6 @@ --- -- name: check if /usr is a read-only partition - command: grep -E " /usr.*ro" /proc/mounts +- name: "check if /usr is a read-only partition" + command: 'grep -E " /usr.*ro" /proc/mounts' args: warn: no changed_when: False @@ -8,8 +8,8 @@ check_mode: no register: usr_partition -- name: mount /usr in rw - command: mount -o remount,rw /usr +- name: "mount /usr in rw" + command: 'mount -o remount,rw /usr' args: warn: no when: usr_partition.rc == 0 From 97d3465ea56e50e36cf0ebd021b8d834fa61a06b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 15 Nov 2017 12:22:50 +0100 Subject: [PATCH 259/266] spamassassin: quote command --- spamassasin/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
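Review bot: The pattern `" /usr.*ro"` in remount-usr's `check if /usr is a read-only partition` matches any /proc/mounts line containing ` /usr` followed somewhere later by `ro`, so an rw filesystem mounted under `/usr/local` with `errors=remount-ro` in its options, or one whose device or fstype contains `ro`, yields rc 0 and triggers a remount of `/usr`. Anchor on the mount-point and options fields instead: `command: 'grep -E "^[^ ]+ /usr [^ ]+ ro(,| )" /proc/mounts'`. The `remount usr` handler's `failed_when: false` hides a failed remount back to read-only, which is exactly the state the role claims to restore; consider dropping it or registering the result and reporting it.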
diff --git a/spamassasin/tasks/main.yml b/spamassasin/tasks/main.yml index 939f235d..cfcfa09b 100644 --- a/spamassasin/tasks/main.yml +++ b/spamassasin/tasks/main.yml @@ -51,7 +51,7 @@ - spamassassin - name: update SpamAssasin's rules - command: /usr/share/scripts/sa-update.sh + command: "/usr/share/scripts/sa-update.sh" changed_when: false tags: - spamassassin From a80ced9efd6ad3c6d21f9fb863889fbbf6943efb Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 15 Nov 2017 18:25:38 +0100 Subject: [PATCH 260/266] apt: don't upgrade by default --- apt/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apt/defaults/main.yml b/apt/defaults/main.yml index c648c3c5..0960fd16 100644 --- a/apt/defaults/main.yml +++ b/apt/defaults/main.yml @@ -3,7 +3,7 @@ apt_config: True apt_evolinux_config: True apt_hooks: True apt_remove_aptitude: True -apt_upgrade: True +apt_upgrade: False apt_install_basics: True apt_basics_components: "main" From 2fe548ce4e47731a4ec1da4f39157108dcd34d50 Mon Sep 17 00:00:00 2001 From: Romain Dessort Date: Wed, 15 Nov 2017 17:25:43 -0500 Subject: [PATCH 261/266] Open standart ports in default security group --- amazon-ec2/defaults/main.yml | 88 ++++++++++++++++++++++++++++++++++++ 1 file changed, 88 insertions(+) diff --git a/amazon-ec2/defaults/main.yml b/amazon-ec2/defaults/main.yml index fde898bd..c22b9df4 100644 --- a/amazon-ec2/defaults/main.yml +++ b/amazon-ec2/defaults/main.yml 
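Review bot: Flipping `apt_upgrade` to `False` in apt/defaults/main.yml means a host provisioned with this role no longer gets pending (security) updates applied during the play, and nothing in the hunk tells callers they must now opt in. A comment above the key stating the reason for the new default and how to opt in, e.g. `# Set to True to run a full package upgrade during the play (off by default; see README)`, plus a line in the role README, would make the change discoverable. The value is written `False`; yamllint's truthy rule expects `false`, although the rest of this file uses the capitalised form consistently.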
@@ -42,6 +42,94 @@ ec2_evolinux_security_group: from_port: 5666 to_port: 5666 cidr_ip: 0.0.0.0/0 + - proto: tcp + from_port: 53 + to_port: 53 + cidr_ip: 0.0.0.0/0 + - proto: udp + from_port: 53 + to_port: 53 + cidr_ip: 0.0.0.0/0 + - proto: tcp + from_port: 389 + to_port: 389 + cidr_ip: 0.0.0.0/0 + - proto: tcp + from_port: 636 + to_port: 636 + cidr_ip: 0.0.0.0/0 + - proto: tcp + from_port: 143 + to_port: 143 + cidr_ip: 0.0.0.0/0 + - proto: tcp + from_port: 993 + to_port: 993 + cidr_ip: 0.0.0.0/0 + - proto: tcp + from_port: 110 + to_port: 110 + cidr_ip: 0.0.0.0/0 + - proto: tcp + from_port: 995 + to_port: 995 + cidr_ip: 0.0.0.0/0 + - proto: tcp + from_port: 25 + to_port: 25 + cidr_ip: 0.0.0.0/0 + - proto: tcp + from_port: 80 + to_port: 80 + cidr_ip: 0.0.0.0/0 + - proto: tcp + from_port: 443 + to_port: 443 + cidr_ip: 0.0.0.0/0 + - proto: tcp + from_port: 21 + to_port: 21 + cidr_ip: 0.0.0.0/0 + - proto: tcp + from_port: 20 + to_port: 20 + cidr_ip: 0.0.0.0/0 + - proto: tcp + from_port: 5001 + to_port: 5001 + cidr_ip: 0.0.0.0/0 + - proto: tcp + from_port: 465 + to_port: 465 + cidr_ip: 0.0.0.0/0 + - proto: tcp + from_port: 587 + to_port: 587 + cidr_ip: 0.0.0.0/0 + - proto: tcp + from_port: 8181 + to_port: 8181 + cidr_ip: 0.0.0.0/0 + - proto: tcp + from_port: 8282 + to_port: 8282 + cidr_ip: 0.0.0.0/0 + - proto: tcp + from_port: 9091 + to_port: 9091 + cidr_ip: 0.0.0.0/0 + - proto: tcp + from_port: 2222 + to_port: 2222 + cidr_ip: 0.0.0.0/0 + - proto: tcp + from_port: 2223 + to_port: 2223 + cidr_ip: 0.0.0.0/0 + - proto: udp + from_port: 123 + to_port: 123 + cidr_ip: 0.0.0.0/0 rules_egress: - proto: all cidr_ip: 0.0.0.0/0 From 16a1111345d8ad18d6fd3b7fdaeb8ad36181372d Mon Sep 17 00:00:00 2001 From: Romain Dessort Date: Wed, 15 Nov 2017 17:32:18 -0500 Subject: [PATCH 262/266] Add a post-install task file --- amazon-ec2/README | 1 + amazon-ec2/tasks/post-install.yml | 5 +++++ 2 files changed, 6 insertions(+) create mode 100644 amazon-ec2/tasks/post-install.yml 
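Review bot: Every rule added to `ec2_evolinux_security_group` uses `cidr_ip: 0.0.0.0/0`, so the default group now exposes plaintext LDAP (389), FTP (20/21), all mail and IMAP/POP ports, NTP and several unexplained application ports (5001, 8181, 8282, 9091, 2222, 2223) to the whole Internet on every instance created with this role, whether or not the instance runs those services. Security-group rules are additive and cheap to extend from a playbook, so the safer default is the other way round: keep 80/443 (and the SMTP ports if these are mail hosts) world-reachable and restrict 389/636, 20/21, 5001, 8181/8282/9091 and 2222/2223 to a trusted-source list, e.g. `cidr_ip: "{{ item }}"` looped over an `ec2_trusted_cidrs` variable, or a second opt-in rule list that a playbook merges in. A comment naming the service behind each non-standard port (2222/2223, 8181/8282, 9091, 5001) would let the next reader decide whether it belongs in the default set at all. There are no `cidr_ipv6` entries, so IPv6 clients are blocked where IPv4 clients are allowed — check that this asymmetry is intended for dual-stack instances.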
diff --git a/amazon-ec2/README b/amazon-ec2/README index c47de370..80442d05 100644 --- a/amazon-ec2/README +++ b/amazon-ec2/README @@ -15,6 +15,7 @@ machine and an Amazon security access key pair created for your account. By default, this role does nothing (no `main.yml` file). * `create-instance.yml`: create new EC2 instances +* `post-install.yml`: remove admin user created on Debian instances ## Variables diff --git a/amazon-ec2/tasks/post-install.yml b/amazon-ec2/tasks/post-install.yml new file mode 100644 index 00000000..369f4941 --- /dev/null +++ b/amazon-ec2/tasks/post-install.yml @@ -0,0 +1,5 @@ +--- +- name: Remove admin user + user: + name: admin + state: absent From 8ef9554746ba8a91075bbe55f9091e5a0d185b82 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Wed, 15 Nov 2017 23:29:25 +0100 Subject: [PATCH 263/266] Combine evolix and additional trusted IP addresses --- apache/defaults/main.yml | 5 ++++- evolinux-base/defaults/main.yml | 5 ++++- evomaintenance/defaults/main.yml | 5 ++++- fail2ban/defaults/main.yml | 7 ++++++- minifirewall/defaults/main.yml | 7 ++++++- nagios-nrpe/defaults/main.yml | 5 ++++- nginx/defaults/main.yml | 5 ++++- 7 files changed, 32 insertions(+), 7 deletions(-) diff --git a/apache/defaults/main.yml b/apache/defaults/main.yml index 390adb43..b21e1d59 100644 --- a/apache/defaults/main.yml +++ b/apache/defaults/main.yml @@ -1,5 +1,8 @@ --- -apache_ipaddr_whitelist_present: [] +evolix_trusted_ips: [] +additional_trusted_ips: [] +# Let's merge evolix_trusted_ips with additional_trusted_ips +apache_ipaddr_whitelist_present: "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique }}" apache_ipaddr_whitelist_absent: [] apache_private_htpasswd_present: [] diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index 6f2961a7..54e5d85c 100644 --- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml 
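Review bot: `user: name: admin state: absent` in the new post-install.yml removes the account but keeps `/home/admin` — including the `~/.ssh/authorized_keys` that cloud-init installed — because `remove` defaults to no; add `remove: yes` (and `force: yes` if processes may still run as admin) so the home directory and mail spool go with the account. If the Debian AMI also grants `admin` passwordless sudo through a drop-in under `/etc/sudoers.d`, that file should be removed in the same task file; I cannot see the image configuration from here, so please confirm. The task must not run while Ansible is still connected as `admin`, and the README line only says the user is removed; a sentence such as `run only once another administrative account exists and the play connects as it` would prevent lock-outs.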
@@ -108,7 +108,10 @@ evolinux_evomaintenance_include: True evolinux_ssh_include: True -evolinux_ssh_password_auth_addresses: [] +evolix_trusted_ips: [] +additional_trusted_ips: [] +# Let's merge evolix_trusted_ips with additional_trusted_ips +evolinux_ssh_password_auth_addresses: "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique }}" evolinux_ssh_match_address: True evolinux_ssh_disable_acceptenv: True evolinux_ssh_allow_current_user: False diff --git a/evomaintenance/defaults/main.yml b/evomaintenance/defaults/main.yml index fc584481..2d0bf1b6 100644 --- a/evomaintenance/defaults/main.yml +++ b/evomaintenance/defaults/main.yml @@ -17,4 +17,7 @@ evomaintenance_urgency_tel: "06.00.00.00.00" evomaintenance_realm: "{{ ansible_domain }}" -evomaintenance_hosts: [] +evolix_trusted_ips: [] +additional_trusted_ips: [] +# Let's merge evolix_trusted_ips with additional_trusted_ips +evomaintenance_hosts: "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique }}" diff --git a/fail2ban/defaults/main.yml b/fail2ban/defaults/main.yml index d0716d95..73cd46cb 100644 --- a/fail2ban/defaults/main.yml +++ b/fail2ban/defaults/main.yml @@ -1,6 +1,11 @@ --- general_alert_email: "root@localhost" fail2ban_alert_email: Null -fail2ban_ignore_ips: [] + +evolix_trusted_ips: [] +additional_trusted_ips: [] +# Let's merge evolix_trusted_ips with additional_trusted_ips +fail2ban_ignore_ips: "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique }}" + fail2ban_wordpress: False fail2ban_roundcube: False diff --git a/minifirewall/defaults/main.yml b/minifirewall/defaults/main.yml index 02828d66..4c8498cf 100644 --- a/minifirewall/defaults/main.yml +++ b/minifirewall/defaults/main.yml 
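Review bot: `evolinux_ssh_password_auth_addresses` is now derived from the same `evolix_trusted_ips`/`additional_trusted_ips` pair that feeds fail2ban's ignore list and the evomaintenance host list in this hunk group (and the Apache/Nginx whitelists and NRPE allowed hosts in the rest of the commit), so adding one address to `additional_trusted_ips` simultaneously enables SSH password authentication from it, exempts it from fail2ban and whitelists it everywhere else. That coupling should be stated where the variable is declared, e.g. `# NOTE: addresses listed here also get SSH password auth, fail2ban exemption and the HTTP/NRPE whitelists`, or the SSH list kept as its own variable that merely defaults to the merge so a deployment can narrow it without touching the others. `union` already removes duplicates, so the trailing `| unique` is redundant (harmless).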
@@ -6,7 +6,12 @@ minifirewall_checkout_path: "/tmp/minifirewall" minifirewall_int: "{{ ansible_default_ipv4.interface }}" minifirewall_ipv6: "on" minifirewall_intlan: "{{ ansible_default_ipv4.address }}/32" -minifirewall_trusted_ips: ["0.0.0.0/0"] + +evolix_trusted_ips: [] +additional_trusted_ips: [] +# Let's merge evolix_trusted_ips with additional_trusted_ips +# and default to ['0.0.0.0/0'] if the result is still empty +minifirewall_trusted_ips: "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique | default(['0.0.0.0/0'], true) }}" minifirewall_privilegied_ips: [] minifirewall_protected_ports_tcp: [22] diff --git a/nagios-nrpe/defaults/main.yml b/nagios-nrpe/defaults/main.yml index c9ee2603..96c3ddd3 100644 --- a/nagios-nrpe/defaults/main.yml +++ b/nagios-nrpe/defaults/main.yml @@ -1,5 +1,8 @@ --- -nagios_nrpe_allowed_hosts: [] +evolix_trusted_ips: [] +additional_trusted_ips: [] +# Let's merge evolix_trusted_ips with additional_trusted_ips +nagios_nrpe_allowed_hosts: "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique }}" nagios_nrpe_ldap_dc: "dc=DOMAIN,dc=EXT" nagios_nrpe_ldap_passwd: LDAP_PASSWD nagios_nrpe_pgsql_passwd: PGSQL_PASSWD diff --git a/nginx/defaults/main.yml b/nginx/defaults/main.yml index dd6e58d7..38dcbb89 100644 --- a/nginx/defaults/main.yml +++ b/nginx/defaults/main.yml @@ -3,7 +3,10 @@ nginx_minimal: False nginx_jessie_backports: False -nginx_ipaddr_whitelist_present: [] +evolix_trusted_ips: [] +additional_trusted_ips: [] +# Let's merge evolix_trusted_ips with additional_trusted_ips +nginx_ipaddr_whitelist_present: "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique }}" nginx_ipaddr_whitelist_absent: [] nginx_private_htpasswd_present: [] From 49d3118976e60d12bc699016d8a9bc4dc4d6322d Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Thu, 16 Nov 2017 16:00:27 +0100 Subject: [PATCH 264/266] evoacme: Fix nginx on deb9 for LE challenge --- evoacme/templates/nginx.conf.j2 | 4 ++++ 1 file changed, 4 insertions(+) 
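Review bot: `default(['0.0.0.0/0'], true)` on `minifirewall_trusted_ips` makes an empty trusted list fail open: when neither `evolix_trusted_ips` nor `additional_trusted_ips` is set, the merged list is `[]`, the filter substitutes the whole IPv4 Internet, and — if trusted IPs are, as the name suggests, the sources allowed through to `minifirewall_protected_ports_tcp: [22]` just below — SSH ends up reachable from everywhere precisely on hosts where nobody configured the trust list. This preserves the previous default, but a missing inventory variable is far more likely a mistake than a wish to open the firewall; prefer failing closed (`[]`), or add an `assert` task in the role that stops the play when the merged list is empty unless an explicit opt-in such as `minifirewall_allow_any_trusted: True` is set. At minimum the comment should spell out the consequence: `# WARNING: an empty merged list means 0.0.0.0/0 is trusted and the protected ports are open to everyone`.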
diff --git a/evoacme/templates/nginx.conf.j2 b/evoacme/templates/nginx.conf.j2 index dbb8a769..378d37cb 100644 --- a/evoacme/templates/nginx.conf.j2 +++ b/evoacme/templates/nginx.conf.j2 @@ -1,5 +1,9 @@ location ~ /.well-known/acme-challenge { +{% if ansible_distribution_major_version > 8 %} + alias {{ evoacme_acme_dir }}/; +{% else %} alias {{ evoacme_acme_dir }}/.well-known/acme-challenge; +{% endif %} try_files $uri =404; allow all; } From 8cd754fd5576f711efe07af79f0b680fa45121a4 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 17 Nov 2017 11:30:30 +0100 Subject: [PATCH 265/266] kibana: use the right argument :/ --- kibana/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kibana/tasks/main.yml b/kibana/tasks/main.yml index 2396b1a3..6803568a 100644 --- a/kibana/tasks/main.yml +++ b/kibana/tasks/main.yml @@ -36,7 +36,7 @@ - name: kibana server host configuration lineinfile: - src: /etc/kibana/kibana.yml + dest: /etc/kibana/kibana.yml line: "server.host: \"{{ kibana_server_host }}\"" regexp: '^server.host:' insertafter: '^#server.host:' @@ -44,7 +44,7 @@ - name: kibana server basepath configuration lineinfile: - src: /etc/kibana/kibana.yml + dest: /etc/kibana/kibana.yml line: "server.basePath: \"{{ kibana_server_basepath }}\"" regexp: '^server.basePath:' insertafter: '^#server.basePath:' From 28b3243e5d9a3c27f0ae8a6e7f95fc4dba4e738b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 19 Nov 2017 22:58:09 +0100 Subject: [PATCH 266/266] split amazon-ec2 tasks --- amazon-ec2/README | 1 + amazon-ec2/amazon-ec2-evolinux.yml | 3 +++ amazon-ec2/tasks/create-instance.yml | 19 ------------------- amazon-ec2/tasks/setup.yml | 20 ++++++++++++++++++++ 4 files changed, 24 insertions(+), 19 deletions(-) create mode 100644 amazon-ec2/tasks/setup.yml diff --git a/amazon-ec2/README b/amazon-ec2/README index 80442d05..15f8b129 100644 --- a/amazon-ec2/README +++ b/amazon-ec2/README 
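Review bot: `ansible_distribution_major_version` is a string fact, so `{% if ansible_distribution_major_version > 8 %}` in nginx.conf.j2 compares a str with an int: under Python 3 Jinja raises `TypeError` and the template fails to render, and under Python 2 (the usual controller interpreter at the time) the comparison is always true because str sorts after int, so a Debian 8 host would also take the new branch. Cast first: `{% if ansible_distribution_major_version | int > 8 %}`. Separately, nginx documents that `alias` inside a `location ~` regex block should refer to captures rather than a fixed path; please confirm on a stretch host that `/.well-known/acme-challenge/<token>` resolves to `{{ evoacme_acme_dir }}/<token>` and not to the directory itself (the whole `location` block is inside this hunk, so the relevant lines are all visible).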
@@ -14,6 +14,7 @@ machine and an Amazon security access key pair created for your account. By default, this role does nothing (no `main.yml` file). +* `setup.yml`: create a security group and ssh keys * `create-instance.yml`: create new EC2 instances * `post-install.yml`: remove admin user created on Debian instances diff --git a/amazon-ec2/amazon-ec2-evolinux.yml b/amazon-ec2/amazon-ec2-evolinux.yml index 282b8353..5c7a5e4e 100644 --- a/amazon-ec2/amazon-ec2-evolinux.yml +++ b/amazon-ec2/amazon-ec2-evolinux.yml @@ -9,6 +9,9 @@ aws_region: ca-central-1 tasks: + - include_role: + name: amazon-ec2 + tasks_from: setup.yml - include_role: name: amazon-ec2 tasks_from: create-instance.yml diff --git a/amazon-ec2/tasks/create-instance.yml b/amazon-ec2/tasks/create-instance.yml index 25b5c620..470cac72 100644 --- a/amazon-ec2/tasks/create-instance.yml +++ b/amazon-ec2/tasks/create-instance.yml @@ -1,23 +1,4 @@ --- -- name: Create default security group - ec2_group: - name: "{{ec2_security_group.name}}" - state: present - aws_access_key: "{{aws_access_key}}" - aws_secret_key: "{{aws_secret_key}}" - region: "{{aws_region}}" - description: "{{ec2_security_group.description}}" - rules: "{{ec2_security_group.rules}}" - -- name: Create key pair - ec2_key: - name: "{{ec2_keyname}}" - state: present - aws_access_key: "{{aws_access_key}}" - aws_secret_key: "{{aws_secret_key}}" - region: "{{aws_region}}" - key_material: "{{item}}" - with_file: "{{ssh_pubkey_file}}" - name: Launch new instance(s) ec2: diff --git a/amazon-ec2/tasks/setup.yml b/amazon-ec2/tasks/setup.yml new file mode 100644 index 00000000..27a1d8b0 --- /dev/null +++ b/amazon-ec2/tasks/setup.yml 
@@ -0,0 +1,20 @@
+---
+- name: Create default security group
+ ec2_group:
+ name: "{{ec2_security_group.name}}"
+ state: present
+ aws_access_key: "{{aws_access_key}}"
+ aws_secret_key: "{{aws_secret_key}}"
+ region: "{{aws_region}}"
+ description: "{{ec2_security_group.description}}"
+ rules: "{{ec2_security_group.rules}}"
+
+- name: Create key pair
+ ec2_key:
+ name: "{{ec2_keyname}}"
+ state: present
+ aws_access_key: "{{aws_access_key}}"
+ aws_secret_key: "{{aws_secret_key}}"
+ region: "{{aws_region}}"
+ key_material: "{{item}}"
+ with_file: "{{ssh_pubkey_file}}"
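Review bot: Both tasks in the new setup.yml take `aws_access_key`/`aws_secret_key` from play variables, so the secret key lives in whatever vars file or `-e` argument supplies it and is echoed in the module's error output when a task fails; prefer omitting these two arguments so the AWS modules fall back to `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` in the environment or a named profile, or at least add `no_log: true` to both tasks. `ec2_group` is passed `rules` only, while the role defaults earlier in this series (`amazon-ec2/defaults/main.yml`) define a `rules_egress` list that is never handed to the module, so the module applies its own allow-all egress; pass `rules_egress: "{{ ec2_security_group.rules_egress }}"` if that list is meant to take effect — the defaults key is `ec2_evolinux_security_group` while this task reads `ec2_security_group`, so I cannot tell from here whether they are the same object. Style: the other roles in this series write `{{ var }}` with spaces inside the braces; `{{ec2_security_group.name}}` and friends should follow, moved code or not.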