Merge branch 'unstable' into stable
commit 9102e35fe8
159 CHANGELOG.md
@ -1,26 +1,45 @@
|
|||
# Changelog
|
||||
All notable changes to this project will be documented in this file.
|
||||
|
||||
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
|
||||
and this project tries to adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
|
||||
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
|
||||
|
||||
This project does not follow semantic versioning.
|
||||
The **major** part of the version is aligned with the stable version of Debian.
|
||||
The **minor** part changes with big changes (probably incompatible).
|
||||
The **patch** part changes incrmentally at each release.
|
||||
|
||||
## [Unreleased]
|
||||
|
||||
## [9.1.5]
|
||||
## [9.1.6] - 2018-02-02
|
||||
|
||||
### Added
|
||||
* mongodb: install python-pymongo for monitoring
|
||||
* nagios-nrpe: allowed_hosts can be updated
|
||||
|
||||
### Changed
|
||||
* Changelog: explain the versioning scheme
|
||||
* Changelog: add a release date for 9.1.5
|
||||
* evoacme: exclude typical certbot directories
|
||||
|
||||
### Fixed
|
||||
* fail2ban: fix horrible typo, Python is not Ruby
|
||||
* nginx: fix servers status dirname
|
||||
|
||||
## [9.1.5] - 2018-01-18
|
||||
|
||||
### Added
|
||||
* There is changelog!
|
||||
* Redis: configuration variable for protected mode (v3.2+)
|
||||
* redis: configuration variable for protected mode (v3.2+)
|
||||
* evolinux-users: users are in "adm" group for Debian 9 or later
|
||||
* evolinx-base: purge locate/mlocate packages
|
||||
* evolinx-base: create /etc/evolinux if missing
|
||||
* many Ansible tags for easier fine grained execution of playbooks
|
||||
* apache/nginx: server status suffix management
|
||||
* unbound: retrieve list of root DNS servers
|
||||
* redmine: ability to install thems and plugins
|
||||
* redmine: ability to install themes and plugins
|
||||
|
||||
### Changed
|
||||
* Rbenv: Ruby 2.5 becomes the default version
|
||||
* rbenv: Ruby 2.5 becomes the default version
|
||||
* evocheck: update upstream version embedded in role (c993244)
|
||||
* bind: keep 52 weeks of logs
|
||||
|
||||
|
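Review bot: typo in the added versioning paragraph, `The **patch** part changes incrmentally at each release.` should read `incrementally`. The new `## [9.1.6] - 2018-02-02` entry is also incomplete for what this merge changes: it lists `evoacme: exclude typical certbot directories` but not the `chown -R acme:` / `chmod -R g+rX` change applied to the whole certificate tree in evoacme's main(), the fail2ban Munin plugin, the LDAP NRPE credentials moved into monitoring-plugins.ini, `--sni` on check_https, `security-cdn.debian.org` added to minifirewall's default HTTPSITES, or the evoadmin-mail AllowOverride change. The permission and firewall changes belong under Security or Changed so that operators upgrading the role can see that access to the cert tree and the outbound HTTP allow-list moved.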
@ -32,3 +51,131 @@ and this project tries to adheres to [Semantic Versioning](http://semver.org/spe
|
|||
|
||||
### Security
|
||||
* evomaintenance: fix permissions for config file
|
||||
|
||||
## [9.1.4] - 2017-12-20
|
||||
|
||||
### Added
|
||||
* php: install php5-intl (for Jessie) and php-intl (for Debian 9 or later)
|
||||
* mysql: add a check_mysql_slave in nrpe configuration
|
||||
* ldap: slapd tcp port is configurable
|
||||
* elasticsearch: broader patterns for log rotation
|
||||
|
||||
### Changed
|
||||
* split IP lists in 2 – default and additional – for easier customization.
|
||||
|
||||
### Fixed
|
||||
* minifirewall: allow outgoing SSH connections over IPv6
|
||||
* nodejs: rename source.list file
|
||||
|
||||
### Security
|
||||
* evoadmin-web: change config.local.php file permissions
|
||||
* evolinux-base: change default_www file permissions
|
||||
|
||||
## [9.1.3] 2017-12-08
|
||||
|
||||
### Added
|
||||
* evolinux-base: install traceroute package
|
||||
* evolinux-base/ntpd: purge openntpd
|
||||
* tomcat: add Tomcat 8 cmpatibility
|
||||
* log2mail: add "The total blob data length" pattern for MySQL
|
||||
* nagios-nrpe: add bkctld check in evolix.cfg
|
||||
* varnish: reload or restart if needed
|
||||
* rabbitmq: add a munin plugin and an NRPE check
|
||||
* minifirewall: add debug for variables
|
||||
* elastic: option for stack main version
|
||||
|
||||
### Changed
|
||||
* nginx: rename Let's Encrypt snippet
|
||||
* nginx: simpler apt preferences for backports
|
||||
* generate-ldif: add clamd service instead of clamav_db
|
||||
* mysql: parameterize evolinux config files
|
||||
* rbenv: use Rbenv 1.1.1 and Ruby 2.4.2 by default
|
||||
* elasticsearch: update curator debian repository
|
||||
* evoacme: crontab management
|
||||
* evoacme: better documentation
|
||||
* mongodb: comatible with Stretch
|
||||
|
||||
### Removed
|
||||
* mongodb: logfile/pidfile are not configurable on Jessie
|
||||
* minifirewall: remove zidane.evolix.net from HTTPSITES
|
||||
|
||||
### Fixed
|
||||
* nginx: fix munin CGI graphs
|
||||
* ntpd: fix default configuration (localhost only)
|
||||
* logstash: fix permissions on pipeline configuration
|
||||
* postfix/spamassassin: add user in cron job
|
||||
* php: php.ini custom file are now readable
|
||||
* hostname customization needs the dbus package
|
||||
|
||||
## [9.1.2] 2017-12-05
|
||||
|
||||
### Fixed
|
||||
* listupgrade: remount /usr as rw
|
||||
|
||||
## [9.1.1] 2017-11-21
|
||||
|
||||
### Added
|
||||
* amazon-ec2: add egress rules
|
||||
|
||||
### Fixed
|
||||
* evoacme: fix multiple bugs
|
||||
|
||||
## [9.1.0] 2017-11-19
|
||||
|
||||
_Warning: huge release, many entries are missing below._
|
||||
|
||||
### Added
|
||||
* amazon-ec2: new role, for EC2 instances creation
|
||||
* Move /usr rw remount into remount-usr role
|
||||
* kibana: host and basepath configuration
|
||||
* kibana: move optimize and data to /var
|
||||
* logstash: daily job for log rotation
|
||||
* elasticsearch: daily job for log rotation
|
||||
* roundcube: add link in default site index
|
||||
* nagios-nrpe: add opendkim check
|
||||
|
||||
### Changed
|
||||
* Combine evolix and additional trusted IP addresses
|
||||
* amazon-ec2: split tasks
|
||||
* apt: don't upgrade by default
|
||||
* postfix: extract main.cf md5sum into variables
|
||||
* evolinux-base: cache hwraid pgp key locally
|
||||
* evoacme: improve cron task
|
||||
* elasticsearch: use elastic.list APT source list for curator
|
||||
* ldap: better variables
|
||||
|
||||
### Fixed
|
||||
* fail2ban: create config hierarchy beforehand
|
||||
* elasticsearch: fix datadir/tmpdir conditions
|
||||
* elastic: remove double ".list" suffix
|
||||
* nagios-nrpe: fix check_free_mem for OpenBSD 6.2
|
||||
* nagios-nrpe: fix check_amavis
|
||||
|
||||
### Removed
|
||||
|
||||
### Security
|
||||
|
||||
|
||||
## [9.0.1] 2017-10-02
|
||||
|
||||
### Added
|
||||
* haproxy: add a Nagios check
|
||||
* php: add "sury" mode for PHP 7.1 on Stretch
|
||||
* minifirewall: explicit dependency on iptables
|
||||
* apt: remove Gandi source files
|
||||
* docker-host: new variable for docker home
|
||||
|
||||
### Changed
|
||||
* php: install php5/php package after fpm/libapache2-mod-php
|
||||
|
||||
### Fixed
|
||||
* mysql: add "REPLICATION CLIENT" privilege for nrpe
|
||||
* evoadmin-web: revert from variables to keywords in the templates
|
||||
* evoacme: many fixes
|
||||
* etc-git: detect user if root (without su or sudo)
|
||||
* docker-host: clean override of docker systemd unit
|
||||
* varnish: fix systemd unit override
|
||||
|
||||
## [9.0.0] 2017-09-19
|
||||
|
||||
First official release
|
||||
|
|
|
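Review bot: the release headings added here do not follow the format the same file sets at the top: `## [9.1.6] - 2018-02-02` and `## [9.1.5] - 2018-01-18` separate version and date with ` - `, while `## [9.1.3] 2017-12-08` through `## [9.0.0] 2017-09-19` omit it; suggest `## [9.1.3] - 2017-12-08` and so on. The `[9.1.0]` block also adds empty `### Removed` and `### Security` headings with no entries; drop them rather than leave placeholders (the `_Warning: huge release, many entries are missing below._` line already says entries are missing). Typos: `tomcat: add Tomcat 8 cmpatibility` (compatibility) and `mongodb: comatible with Stretch` (compatible). Finally, the bracketed `[9.x.y]` headings follow the Keep a Changelog link convention, but no `[9.1.6]: ...` reference definitions exist in the file, so they render as literal brackets; add the compare links or drop the brackets.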
@ -11,5 +11,16 @@ CRT_DIR="${CRT_DIR:-'/etc/letsencrypt'}"
|
|||
|
||||
export QUIET=1
|
||||
|
||||
find "${CRT_DIR}" -maxdepth 1 -mindepth 1 -type d ! -path "*accounts" ! -path "*hooks" -printf "%f\n" \
|
||||
| xargs --max-args=1 --no-run-if-empty evoacme
|
||||
find "${CRT_DIR}" \
|
||||
-maxdepth 1 \
|
||||
-mindepth 1 \
|
||||
-type d \
|
||||
! -path "*accounts" \
|
||||
! -path "*archive" \
|
||||
! -path "*csr" \
|
||||
! -path "*hooks" \
|
||||
! -path "*keys" \
|
||||
! -path "*live" \
|
||||
! -path "*renewal" \
|
||||
-printf "%f\n" \
|
||||
| xargs --max-args=1 --no-run-if-empty evoacme
|
||||
|
|
|
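Review bot: the new exclusions use trailing-wildcard `-path` patterns (`! -path "*accounts"`, `! -path "*live"`, `! -path "*keys"`, ...) that match any directory whose name merely ends with that string, not only the certbot directories they are meant to skip: a certificate directory for a name under the `.live` TLD, for example, is silently skipped and never renewed. Since `-maxdepth 1` already restricts the search to direct children of `${CRT_DIR}`, match the names exactly instead, e.g. `! -name accounts \` / `! -name live \` (or `! -path "${CRT_DIR}/live"`). Two smaller points on the same pipeline: `-printf "%f\n" | xargs` breaks on any name containing whitespace or a newline, so `-print0 | xargs -0 --max-args=1 --no-run-if-empty evoacme` is the safer form; and in the hunk's context line `CRT_DIR="${CRT_DIR:-'/etc/letsencrypt'}"`, bash keeps the single quotes inside a double-quoted default literally, so an unset CRT_DIR yields the path `'/etc/letsencrypt'` with the quotes; drop the inner quotes.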
@ -176,8 +176,9 @@ main() {
|
|||
|
||||
[ -d "${NEW_DIR}" ] && error "${NEW_DIR} directory already exists, remove it manually."
|
||||
mkdir -p "${NEW_DIR}"
|
||||
chmod -R 0700 "${CRT_DIR}"
|
||||
chown -R acme: "${CRT_DIR}"
|
||||
chmod -R 0700 "${CRT_DIR}"
|
||||
chmod -R g+rX "${CRT_DIR}"
|
||||
debug "New cert will be created in ${NEW_DIR}"
|
||||
|
||||
readonly NEW_CERT="${NEW_DIR}/cert.crt"
|
||||
|
|
|
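Review bot: the permission change is applied to the whole `${CRT_DIR}` tree on every run of main(), and it widens access rather than narrowing it: `chmod -R 0700` followed by `chmod -R g+rX` leaves every file group-readable (0640) and every directory 0750, owned by `acme` and its login group after `chown -R acme:`, private keys included. If the intent is to let a service group read the issued certificates, grant group read only on the public material (cert and chain), keep key files at 0600, and apply it once at setup or to `${NEW_DIR}` only, rather than recursively to the root on each issuance; as written, a `keys/` or `live/` subtree an operator had locked down is reopened silently every time a certificate is created. At minimum add a comment saying which group is expected to read the tree and why, and a CHANGELOG entry.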
@ -3,3 +3,8 @@
|
|||
service:
|
||||
name: fail2ban
|
||||
state: restarted
|
||||
|
||||
- name: restart munin-node
|
||||
service:
|
||||
name: munin-node
|
||||
state: restarted
|
||||
|
|
|
@ -47,3 +47,34 @@
|
|||
tags:
|
||||
- fail2ban
|
||||
- packages
|
||||
|
||||
- name: is Munin present ?
|
||||
stat:
|
||||
path: /etc/munin/plugins
|
||||
check_mode: no
|
||||
register: etc_munin_plugins
|
||||
tags:
|
||||
- fail2ban
|
||||
- munin
|
||||
|
||||
- name: is fail2ban Munin plugin available ?
|
||||
stat:
|
||||
path: /usr/share/munin/plugins/fail2ban
|
||||
check_mode: no
|
||||
register: fail2ban_munin_plugin
|
||||
tags:
|
||||
- fail2ban
|
||||
- munin
|
||||
|
||||
- name: Enable Munin plugins
|
||||
file:
|
||||
src: "/usr/share/munin/plugins/fail2ban"
|
||||
dest: "/etc/munin/plugins/fail2ban"
|
||||
state: link
|
||||
notify: restart munin-node
|
||||
when:
|
||||
- etc_munin_plugins.stat.exists
|
||||
- fail2ban_munin_plugin.stat.exists
|
||||
tags:
|
||||
- fail2ban
|
||||
- munin
|
||||
|
|
|
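Review bot: the link task only creates `/etc/munin/plugins/fail2ban`; it adds no `/etc/munin/plugin-conf.d` stanza, and the fail2ban Munin plugin is typically configured with `[fail2ban]` / `user root` there because it queries fail2ban-client, so on a host without that stanza the plugin is enabled but reports nothing useful. Either ship the stanza in this role or document the requirement. Minor: the task name `Enable Munin plugins` enables a single plugin, `Enable fail2ban Munin plugin` reads better, and the two `stat` task names carry a stray space before `?`.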
@ -58,6 +58,21 @@
|
|||
mode: "0640"
|
||||
when: not root_ldapvirc_path.stat.exists
|
||||
|
||||
- name: set params for NRPE check
|
||||
ini_file:
|
||||
dest: /etc/nagios/monitoring-plugins.ini
|
||||
owner: root
|
||||
group: nagios
|
||||
section: check_ldap
|
||||
option: "{{ item.option }}"
|
||||
value: "{{ item.value }}"
|
||||
mode: 0640
|
||||
with_items:
|
||||
- { option: 'hostname', value: '127.0.0.1' }
|
||||
- { option: 'base', value: "{{ ldap_suffix }}" }
|
||||
- { option: 'bind', value: "cn=nagios,ou=ldapusers,{{ ldap_suffix }}" }
|
||||
- { option: 'pass', value: "{{ ldap_nagios_password.stdout }}" }
|
||||
|
||||
- name: upload ldap initial config
|
||||
template:
|
||||
src: config_ldapvi.j2
|
||||
|
|
|
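Review bot: the `ini_file` loop writes the LDAP bind password (`{{ ldap_nagios_password.stdout }}`) into `/etc/nagios/monitoring-plugins.ini`, but without `no_log: True` each loop item, password included, is echoed in the task output and in any log or CI capture of the run; add `no_log: True` to this task. Two smaller points: `mode: 0640` is an unquoted octal, unlike `mode: "0640"` on the task just above in this file, so quote it for consistency and to avoid octal/decimal surprises as the Ansible docs recommend; and `dest` on `ini_file` is an alias for `path`.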
@ -50,7 +50,7 @@ DNSSERVEURS='0.0.0.0/0'
|
|||
# HTTP authorizations
|
||||
# (you can use DNS names but set cron to reload minifirewall regularly)
|
||||
# (if you have HTTP proxy, set 0.0.0.0/0)
|
||||
HTTPSITES='security.debian.org pub.evolix.net volatile.debian.org mirror.evolix.org backports.debian.org hwraid.le-vert.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org'
|
||||
HTTPSITES='security.debian.org security-cdn.debian.org pub.evolix.net volatile.debian.org mirror.evolix.org backports.debian.org hwraid.le-vert.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org'
|
||||
|
||||
# HTTPS authorizations
|
||||
HTTPSSITES='0.0.0.0/0'
|
||||
|
|
|
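Review bot: `security-cdn.debian.org` is a CDN name and, per the comment three lines up, DNS names in HTTPSITES are resolved when minifirewall loads, so the allow rule pins whatever A/AAAA records were returned at load time and will drift as the CDN rotates addresses unless the cron reload the comment mentions is actually configured; worth checking that the role sets that reload up. This default-list change also has no CHANGELOG entry.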
@ -17,6 +17,11 @@
|
|||
name: mongodb-org
|
||||
state: installed
|
||||
|
||||
- name: install dependency for monitoring
|
||||
apt:
|
||||
name: python-pymongo
|
||||
state: installed
|
||||
|
||||
- name: Custom configuration
|
||||
template:
|
||||
src: mongod_jessie.conf.j2
|
||||
|
|
|
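Review bot: `state: installed` is a legacy alias of `state: present` in the apt module (it matches the context line above, but `present` is the documented value). The task name `install dependency for monitoring` should say which monitoring consumer needs `python-pymongo` (the NRPE/Munin check), since that is what the CHANGELOG entry `mongodb: install python-pymongo for monitoring` refers to and what a maintainer will grep for.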
@ -8,6 +8,11 @@
|
|||
- mongodb
|
||||
- mongo-tools
|
||||
|
||||
- name: install dependency for monitoring
|
||||
apt:
|
||||
name: python-pymongo
|
||||
state: installed
|
||||
|
||||
- name: Custom configuration
|
||||
template:
|
||||
src: mongodb_stretch.conf.j2
|
||||
|
|
|
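Review bot: this task is identical to the one added to the Jessie task file in the same merge; factoring it into a shared tasks file included by both would keep the two copies from drifting. Note also that `python-pymongo` is the Python 2 binding, fine for the checks this role ships, but the task or the README should say so, since a Python 3 plugin would need `python3-pymongo` instead.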
@ -9,5 +9,6 @@ Everything is in the `tasks/main.yml` file.
|
|||
## Available variables
|
||||
|
||||
* `nagios_nrpe_allowed_hosts` : list of IP/hosts authorized (default: none).
|
||||
* `nagios_nrpe_force_update_allowed_hosts` : force update list of allowed hosts (default: `False`)
|
||||
|
||||
The full list of variables (with default values) can be found in `defaults/main.yml`.
|
||||
|
|
|
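Review bot: the README is now out of step with `defaults/main.yml`: `nagios_nrpe_allowed_hosts` is no longer a plain list with default `none` but is computed as `nagios_nrpe_default_allowed_hosts | union(nagios_nrpe_additional_allowed_hosts) | unique`, and neither of those two variables is documented here. Document both (and that `nagios_nrpe_allowed_hosts` is normally not overridden directly), and state for `nagios_nrpe_force_update_allowed_hosts` that it rewrites the `allowed_hosts=` line of `/etc/nagios/nrpe.d/evolix.cfg` on an already-deployed host, since the template task uses `force: no` and would otherwise never touch that file again.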
@ -2,11 +2,11 @@
|
|||
nagios_nrpe_default_allowed_hosts: []
|
||||
nagios_nrpe_additional_allowed_hosts: []
|
||||
nagios_nrpe_allowed_hosts: "{{ nagios_nrpe_default_allowed_hosts | union(nagios_nrpe_additional_allowed_hosts) | unique }}"
|
||||
nagios_nrpe_ldap_dc: "dc=DOMAIN,dc=EXT"
|
||||
nagios_nrpe_ldap_passwd: LDAP_PASSWD
|
||||
nagios_nrpe_pgsql_passwd: PGSQL_PASSWD
|
||||
nagios_nrpe_amavis_from: "foobar@{{ ansible_domain }}"
|
||||
|
||||
nagios_nrpe_force_update_allowed_hosts: False
|
||||
|
||||
nagios_nrpe_check_proxy_host: "www.example.com"
|
||||
|
||||
nagios_plugins_directory: "/usr/local/lib/nagios/plugins"
|
||||
|
|
|
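Review bot: `| unique` after `| union(...)` is redundant, the `union` filter already returns a de-duplicated list. More importantly, with both defaults left at `[]`, `nagios_nrpe_allowed_hosts` evaluates to an empty list; the `update allowed_hosts lists` task in tasks/main.yml that consumes it should refuse to write an empty value rather than emit `allowed_hosts=` with nothing after it.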
@ -10,6 +10,8 @@
|
|||
- nagios-plugins-common
|
||||
- nagios-plugins-contrib
|
||||
- nagios-plugins-standard
|
||||
tags:
|
||||
- nagios-nrpe
|
||||
|
||||
- name: custom configuration is present
|
||||
template:
|
||||
|
@ -19,6 +21,19 @@
|
|||
mode: "0640"
|
||||
force: no
|
||||
notify: restart nagios-nrpe-server
|
||||
tags:
|
||||
- nagios-nrpe
|
||||
|
||||
- name: update allowed_hosts lists
|
||||
lineinfile:
|
||||
dest: /etc/nagios/nrpe.d/evolix.cfg
|
||||
line: "allowed_hosts={{ nagios_nrpe_allowed_hosts | join(',') }}"
|
||||
regexp: '^allowed_hosts='
|
||||
insertafter: '# Allowed IPs'
|
||||
notify: restart nagios-nrpe-server
|
||||
when: nagios_nrpe_force_update_allowed_hosts
|
||||
tags:
|
||||
- nagios-nrpe
|
||||
|
||||
- name: Nagios config is secured
|
||||
file:
|
||||
|
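Review bot: `update allowed_hosts lists` will write `allowed_hosts=` with nothing after it when `nagios_nrpe_allowed_hosts` is empty (both underlying lists default to `[]`), leaving NRPE with an allow-list that is at best a rejected configuration and at worst one that restricts nothing; guard the task with `when: nagios_nrpe_force_update_allowed_hosts and nagios_nrpe_allowed_hosts | length > 0`, or fail early with an `assert` on the list. Minor: `regexp: '^allowed_hosts='` is anchored at the line start, so a commented `#allowed_hosts=` line is left alone and a fresh line is inserted after `# Allowed IPs`; that matches the intent, but the `insertafter` marker only works if that comment is present in the template, which deserves a comment here.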
@ -27,12 +42,15 @@
|
|||
group: nagios
|
||||
state: directory
|
||||
notify: restart nagios-nrpe-server
|
||||
tags:
|
||||
- nagios-nrpe
|
||||
|
||||
- include_role:
|
||||
name: remount-usr
|
||||
when: nagios_plugins_directory | search ("/usr")
|
||||
tags:
|
||||
- nagios-plugins
|
||||
- nagios-nrpe
|
||||
- nagios-plugins
|
||||
|
||||
- name: Nagios plugins are installed
|
||||
copy:
|
||||
|
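Review bot: tags on an `include_role` task apply to the include itself, not to the tasks inside `remount-usr`, so a run limited with `--tags nagios-plugins` (or `nagios-nrpe`) evaluates the include but skips the remount, and the following `Nagios plugins are installed` copy into `/usr/local/lib/nagios/plugins` then fails on a read-only `/usr`; use `import_role` (static, tags are inherited) or add `apply: { tags: [...] }` next to `tags` if the Ansible version in use supports it. Also, `when: nagios_plugins_directory | search("/usr")` is an unanchored substring match that also fires for a path such as `/opt/usr-plugins`; the anchored `match` test is what is meant.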
@ -41,6 +59,7 @@
|
|||
mode: "0755"
|
||||
notify: restart nagios-nrpe-server
|
||||
tags:
|
||||
- nagios-nrpe
|
||||
- nagios-plugins
|
||||
|
||||
- name: Nagios lib is secured
|
||||
|
@ -51,3 +70,5 @@
|
|||
recurse: yes
|
||||
state: directory
|
||||
notify: restart nagios-nrpe-server
|
||||
tags:
|
||||
- nagios-nrpe
|
||||
|
|
|
@ -25,8 +25,8 @@ command[check_mailq]=/usr/lib/nagios/plugins/check_mailq -M postfix -w 10 -c 20
|
|||
command[check_pgsql]=/usr/lib/nagios/plugins/check_pgsql -H localhost -l nrpe -p '{{ nagios_nrpe_pgsql_passwd }}'
|
||||
command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost -f ~nagios/.my.cnf
|
||||
command[check_mysql_slave]=/usr/lib/nagios/plugins/check_mysql --check-slave -H localhost -f ~nagios/.my.cnf -w 1800 -c 3600
|
||||
command[check_ldap]=/usr/lib/nagios/plugins/check_ldap -3 -H localhost -D cn=nagios,ou=ldapusers,{{ nagios_nrpe_ldap_dc }} -P {{ nagios_nrpe_ldap_passwd }} -b {{ nagios_nrpe_ldap_dc }}
|
||||
command[check_ldaps]=/usr/lib/nagios/plugins/check_ldaps -3 -H localhost -b {{ nagios_nrpe_ldap_dc }}
|
||||
command[check_ldap]=/usr/lib/nagios/plugins/check_ldap -3 --extra-opts=@/etc/nagios/monitoring-plugins.ini
|
||||
command[check_ldaps]=/usr/lib/nagios/plugins/check_ldap -3 -T --extra-opts=@/etc/nagios/monitoring-plugins.ini
|
||||
command[check_imap]=/usr/lib/nagios/plugins/check_imap -H localhost
|
||||
command[check_imaps]=/usr/lib/nagios/plugins/check_imap -S -H localhost -p 993
|
||||
command[check_imapproxy]=/usr/lib/nagios/plugins/check_imap -H localhost -p 1143
|
||||
|
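Review bot: moving the bind DN and password out of the command line (old `check_ldap ... -D cn=nagios,... -P {{ nagios_nrpe_ldap_passwd }}`) into `--extra-opts=@/etc/nagios/monitoring-plugins.ini` is the right direction, since the old form exposed the password in the process list and in this config file; two things to tie up. First, `--extra-opts=@file` with no section name reads the section named after the plugin, `[check_ldap]`, which is what the ldap role's `ini_file` task writes, but nothing in this role creates that file, so `check_ldap` and `check_ldaps` now depend on the ldap role having run and the README should say so (and `nagios_nrpe_ldap_dc` / `nagios_nrpe_ldap_passwd` in defaults appear to be unused now). Second, `check_ldaps` now runs `check_ldap -3 -T`, i.e. STARTTLS on the port from the ini; invoking the plugin as `check_ldaps` implies STARTTLS as well, so behaviour is unchanged, but add `-S` and port 636 if the intent is to probe the ldaps listener itself.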
@ -34,7 +34,7 @@ command[check_pop]=/usr/lib/nagios/plugins/check_pop -H localhost
|
|||
command[check_pops]=/usr/lib/nagios/plugins/check_pop -S -H localhost -p 995
|
||||
command[check_ftp]=/usr/lib/nagios/plugins/check_ftp -H localhost
|
||||
command[check_http]=/usr/lib/nagios/plugins/check_http -e 200 -I 127.0.0.1 -H localhost
|
||||
command[check_https]=/usr/lib/nagios/plugins/check_http -e 200 -I 127.0.0.1 -S -p 443 -H ssl.evolix.net
|
||||
command[check_https]=/usr/lib/nagios/plugins/check_http -e 200 -I 127.0.0.1 -S -p 443 --sni -H ssl.evolix.net
|
||||
command[check_bind]=/usr/lib/nagios/plugins/check_dig -l evolix.net -H localhost
|
||||
command[check_unbound]=/usr/lib/nagios/plugins/check_dig -l evolix.net -H localhost
|
||||
command[check_smb]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 445
|
||||
|
|
|
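Review bot: `--sni` is the right fix for a name-based TLS vhost, but `check_https` still hardcodes `-H ssl.evolix.net` against `-I 127.0.0.1` with `-e 200`, so the check only passes on hosts that serve that exact vhost; the defaults already parameterize `nagios_nrpe_check_proxy_host`, so do the same here (for example a `nagios_nrpe_check_https_host` variable) instead of baking one name into the template. Note too that `--sni` needs a check_http built with SNI support; the monitoring-plugins packages on Jessie and Stretch have it, which is worth stating in the README.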
@ -1,8 +1,8 @@
|
|||
---
|
||||
|
||||
- name: server status dirname exists
|
||||
- name: "server status dirname exists '{{ nginx_serverstatus_suffix_file | dirname }}'"
|
||||
file:
|
||||
dest: "{{ nginx_serverstatus_suffix | dirname }}"
|
||||
dest: "{{ nginx_serverstatus_suffix_file | dirname }}"
|
||||
mode: "0700"
|
||||
owner: root
|
||||
group: root
|
||||
|
|
|
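Review bot: the fix corrects the variable name (`nginx_serverstatus_suffix` to `nginx_serverstatus_suffix_file`), which is what the `nginx: fix servers status dirname` CHANGELOG entry refers to; while here, `dest:` on the `file` module is an alias for `path:`, and `path:` makes it clear the task manages a directory rather than a copy destination. Embedding the Jinja expression in the task title is fine (it renders the real directory in play output), just keep it short.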
@ -22,7 +22,7 @@
|
|||
<Directory {{ evoadminmail_document_root }}/htdocs/>
|
||||
#Options Indexes SymLinksIfOwnerMatch
|
||||
Options SymLinksIfOwnerMatch
|
||||
AllowOverride AuthConfig Limit FileInfo
|
||||
AllowOverride AuthConfig Limit FileInfo Indexes
|
||||
Require all granted
|
||||
</Directory>
|
||||
|
||||
|
|
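Review bot: `AllowOverride AuthConfig Limit FileInfo Indexes` permits the Indexes directive group (DirectoryIndex, IndexOptions, IndexIgnore, ...) in an `.htaccess` under `htdocs/`; it does not permit `Options +Indexes`, which needs the `Options` override, so with `Options SymLinksIfOwnerMatch` directory listings stay off and the change is safe in that respect. Say which directive in the application's `.htaccess` needs it (presumably `DirectoryIndex`) in a comment or in the CHANGELOG, and drop the commented-out `#Options Indexes SymLinksIfOwnerMatch` line above it, which is dead configuration that invites someone to re-enable listings.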