Merge branch 'unstable' into stable

2018-02-02 21:21:24 +01:00 · 2018-02-02 21:21:24 +01:00 · 9102e35fe8
parent 72695db53b afe2446d54
commit 9102e35fe8
15 changed files with 261 additions and 19 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,26 +1,45 @@
 # Changelog
 All notable changes to this project will be documented in this file.

-The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
-and this project tries to adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
+The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
+
+This project does not follow semantic versioning.
+The **major** part of the version is aligned with the stable version of Debian.
+The **minor** part changes with big changes (probably incompatible).
+The **patch** part changes incrmentally at each release.

 ## [Unreleased]

-## [9.1.5]
+## [9.1.6] - 2018-02-02
+
+### Added
+* mongodb: install python-pymongo for monitoring
+* nagios-nrpe: allowed_hosts can be updated
+
+### Changed
+* Changelog: explain the versioning scheme
+* Changelog: add a release date for 9.1.5
+* evoacme: exclude typical certbot directories
+
+### Fixed
+* fail2ban: fix horrible typo, Python is not Ruby
+* nginx: fix servers status dirname
+
+## [9.1.5] - 2018-01-18

 ### Added
 * There is changelog!
-* Redis: configuration variable for protected mode (v3.2+)
+* redis: configuration variable for protected mode (v3.2+)
 * evolinux-users: users are in "adm" group for Debian 9 or later
 * evolinx-base: purge locate/mlocate packages
 * evolinx-base: create /etc/evolinux if missing
 * many Ansible tags for easier fine grained execution of playbooks
 * apache/nginx: server status suffix management
 * unbound: retrieve list of root DNS servers
-* redmine: ability to install thems and plugins
+* redmine: ability to install themes and plugins

 ### Changed
-* Rbenv: Ruby 2.5 becomes the default version
+* rbenv: Ruby 2.5 becomes the default version
 * evocheck: update upstream version embedded in role (c993244)
 * bind: keep 52 weeks of logs

@ -32,3 +51,131 @@ and this project tries to adheres to [Semantic Versioning](http://semver.org/spe

 ### Security
 * evomaintenance: fix permissions for config file
+
+## [9.1.4] - 2017-12-20
+
+### Added
+* php: install php5-intl (for Jessie) and php-intl (for Debian 9 or later)
+* mysql: add a check_mysql_slave in nrpe configuration
+* ldap: slapd tcp port is configurable
+* elasticsearch: broader patterns for log rotation
+
+### Changed
+* split IP lists in 2 – default and additional – for easier customization.
+
+### Fixed
+* minifirewall: allow outgoing SSH connections over IPv6
+* nodejs: rename source.list file
+
+### Security
+* evoadmin-web: change config.local.php file permissions
+* evolinux-base: change default_www file permissions
+
+## [9.1.3] 2017-12-08
+
+### Added
+* evolinux-base: install traceroute package
+* evolinux-base/ntpd: purge openntpd
+* tomcat: add Tomcat 8 cmpatibility
+* log2mail: add "The total blob data length" pattern for MySQL
+* nagios-nrpe: add bkctld check in evolix.cfg
+* varnish: reload or restart if needed
+* rabbitmq: add a munin plugin and an NRPE check
+* minifirewall: add debug for variables
+* elastic: option for stack main version
+
+### Changed
+* nginx: rename Let's Encrypt snippet
+* nginx: simpler apt preferences for backports
+* generate-ldif: add clamd service instead of clamav_db
+* mysql: parameterize evolinux config files
+* rbenv: use Rbenv 1.1.1 and Ruby 2.4.2 by default
+* elasticsearch: update curator debian repository
+* evoacme: crontab management
+* evoacme: better documentation
+* mongodb: comatible with Stretch
+
+### Removed
+* mongodb: logfile/pidfile are not configurable on Jessie
+* minifirewall: remove zidane.evolix.net from HTTPSITES
+
+### Fixed
+* nginx: fix munin CGI graphs
+* ntpd: fix default configuration (localhost only)
+* logstash: fix permissions on pipeline configuration
+* postfix/spamassassin: add user in cron job
+* php: php.ini custom file are now readable
+* hostname customization needs the dbus package
+
+## [9.1.2] 2017-12-05
+
+### Fixed
+* listupgrade: remount /usr as rw
+
+## [9.1.1] 2017-11-21
+
+### Added
+* amazon-ec2: add egress rules
+
+### Fixed
+* evoacme: fix multiple bugs
+
+## [9.1.0] 2017-11-19
+
+_Warning: huge release, many entries are missing below._
+
+### Added
+* amazon-ec2: new role, for EC2 instances creation
+* Move /usr rw remount into remount-usr role
+* kibana: host and basepath configuration
+* kibana: move optimize and data to /var
+* logstash: daily job for log rotation
+* elasticsearch: daily job for log rotation
+* roundcube: add link in default site index
+* nagios-nrpe: add opendkim check
+
+### Changed
+* Combine evolix and additional trusted IP addresses
+* amazon-ec2: split tasks
+* apt: don't upgrade by default
+* postfix: extract main.cf md5sum into variables
+* evolinux-base: cache hwraid pgp key locally
+* evoacme: improve cron task
+* elasticsearch: use elastic.list APT source list for curator
+* ldap: better variables
+
+### Fixed
+* fail2ban: create config hierarchy beforehand
+* elasticsearch: fix datadir/tmpdir conditions
+* elastic: remove double ".list" suffix
+* nagios-nrpe: fix check_free_mem for OpenBSD 6.2
+* nagios-nrpe: fix check_amavis
+
+### Removed
+
+### Security
+
+
+## [9.0.1] 2017-10-02
+
+### Added
+* haproxy: add a Nagios check
+* php: add "sury" mode for PHP 7.1 on Stretch
+* minifirewall: explicit dependency on iptables
+* apt: remove Gandi source files
+* docker-host: new variable for docker home
+
+### Changed
+* php: install php5/php package after fpm/libapache2-mod-php
+
+### Fixed
+* mysql: add "REPLICATION CLIENT" privilege for nrpe
+* evoadmin-web: revert from variables to keywords in the templates
+* evoacme: many fixes
+* etc-git: detect user if root (without su or sudo)
+* docker-host: clean override of docker systemd unit
+* varnish: fix systemd unit override
+
+## [9.0.0] 2017-09-19
+
+First official release
--- a/evoacme/files/evoacme.cron
+++ b/evoacme/files/evoacme.cron
@ -11,5 +11,16 @@ CRT_DIR="${CRT_DIR:-'/etc/letsencrypt'}"

 export QUIET=1

-find "${CRT_DIR}" -maxdepth 1 -mindepth 1 -type d ! -path "*accounts" ! -path "*hooks" -printf "%f\n" \
-  | xargs --max-args=1 --no-run-if-empty evoacme
+find "${CRT_DIR}" \
+    -maxdepth 1 \
+    -mindepth 1 \
+    -type d \
+    ! -path "*accounts" \
+    ! -path "*archive" \
+    ! -path "*csr" \
+    ! -path "*hooks" \
+    ! -path "*keys" \
+    ! -path "*live" \
+    ! -path "*renewal" \
+    -printf "%f\n" \
+        | xargs --max-args=1 --no-run-if-empty evoacme
--- a/evoacme/files/evoacme.sh
+++ b/evoacme/files/evoacme.sh
@ -176,8 +176,9 @@ main() {

    [ -d "${NEW_DIR}" ] && error "${NEW_DIR} directory already exists, remove it manually."
    mkdir -p "${NEW_DIR}"
-    chmod -R 0700 "${CRT_DIR}"
    chown -R acme: "${CRT_DIR}"
+    chmod -R 0700 "${CRT_DIR}"
+    chmod -R g+rX "${CRT_DIR}"
    debug "New cert will be created in ${NEW_DIR}"

    readonly NEW_CERT="${NEW_DIR}/cert.crt"
--- a/fail2ban/handlers/main.yml
+++ b/fail2ban/handlers/main.yml
@ -3,3 +3,8 @@
  service:
    name: fail2ban
    state: restarted
+
+- name: restart munin-node
+  service:
+    name: munin-node
+    state: restarted
--- a/fail2ban/tasks/main.yml
+++ b/fail2ban/tasks/main.yml
@ -47,3 +47,34 @@
  tags:
    - fail2ban
    - packages
+
+- name: is Munin present ?
+  stat:
+    path: /etc/munin/plugins
+  check_mode: no
+  register: etc_munin_plugins
+  tags:
+    - fail2ban
+    - munin
+
+- name: is fail2ban Munin plugin available ?
+  stat:
+    path: /usr/share/munin/plugins/fail2ban
+  check_mode: no
+  register: fail2ban_munin_plugin
+  tags:
+    - fail2ban
+    - munin
+
+- name: Enable Munin plugins
+  file:
+    src: "/usr/share/munin/plugins/fail2ban"
+    dest: "/etc/munin/plugins/fail2ban"
+    state: link
+  notify: restart munin-node
+  when:
+    - etc_munin_plugins.stat.exists
+    - fail2ban_munin_plugin.stat.exists
+  tags:
+    - fail2ban
+    - munin
--- a/ldap/tasks/main.yml
+++ b/ldap/tasks/main.yml
@ -58,6 +58,21 @@
    mode: "0640"
  when: not root_ldapvirc_path.stat.exists

+- name: set params for NRPE check
+  ini_file:
+    dest: /etc/nagios/monitoring-plugins.ini
+    owner: root
+    group: nagios
+    section: check_ldap
+    option: "{{ item.option }}"
+    value: "{{ item.value }}"
+    mode: 0640
+  with_items:
+  - { option: 'hostname', value: '127.0.0.1' }
+  - { option: 'base', value: "{{ ldap_suffix }}" }
+  - { option: 'bind', value: "cn=nagios,ou=ldapusers,{{ ldap_suffix }}" }
+  - { option: 'pass', value: "{{ ldap_nagios_password.stdout }}" }
+
 - name: upload ldap initial config
  template:
    src: config_ldapvi.j2
--- a/minifirewall/files/minifirewall.conf
+++ b/minifirewall/files/minifirewall.conf
@ -50,7 +50,7 @@ DNSSERVEURS='0.0.0.0/0'
 # HTTP authorizations
 # (you can use DNS names but set cron to reload minifirewall regularly)
 # (if you have HTTP proxy, set 0.0.0.0/0)
-HTTPSITES='security.debian.org pub.evolix.net volatile.debian.org mirror.evolix.org backports.debian.org hwraid.le-vert.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org'
+HTTPSITES='security.debian.org security-cdn.debian.org pub.evolix.net volatile.debian.org mirror.evolix.org backports.debian.org hwraid.le-vert.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org'

 # HTTPS authorizations
 HTTPSSITES='0.0.0.0/0'
--- a/mongodb/tasks/main_jessie.yml
+++ b/mongodb/tasks/main_jessie.yml
@ -17,6 +17,11 @@
    name: mongodb-org
    state: installed

+- name: install dependency for monitoring
+  apt:
+    name: python-pymongo
+    state: installed
+
 - name: Custom configuration
  template:
    src: mongod_jessie.conf.j2
--- a/mongodb/tasks/main_stretch.yml
+++ b/mongodb/tasks/main_stretch.yml
@ -8,6 +8,11 @@
    - mongodb
    - mongo-tools

+- name: install dependency for monitoring
+  apt:
+    name: python-pymongo
+    state: installed
+
 - name: Custom configuration
  template:
    src: mongodb_stretch.conf.j2
--- a/nagios-nrpe/README.md
+++ b/nagios-nrpe/README.md
@ -9,5 +9,6 @@ Everything is in the `tasks/main.yml` file.
 ## Available variables

 * `nagios_nrpe_allowed_hosts` : list of IP/hosts authorized (default: none).
+* `nagios_nrpe_force_update_allowed_hosts` : force update list of allowed hosts (default: `False`)

 The full list of variables (with default values) can be found in `defaults/main.yml`.
--- a/nagios-nrpe/defaults/main.yml
+++ b/nagios-nrpe/defaults/main.yml
@ -2,11 +2,11 @@
 nagios_nrpe_default_allowed_hosts: []
 nagios_nrpe_additional_allowed_hosts: []
 nagios_nrpe_allowed_hosts: "{{ nagios_nrpe_default_allowed_hosts | union(nagios_nrpe_additional_allowed_hosts) | unique }}"
-nagios_nrpe_ldap_dc: "dc=DOMAIN,dc=EXT"
-nagios_nrpe_ldap_passwd: LDAP_PASSWD
 nagios_nrpe_pgsql_passwd: PGSQL_PASSWD
 nagios_nrpe_amavis_from: "foobar@{{ ansible_domain }}"

+nagios_nrpe_force_update_allowed_hosts: False
+
 nagios_nrpe_check_proxy_host: "www.example.com"

 nagios_plugins_directory: "/usr/local/lib/nagios/plugins"
--- a/nagios-nrpe/tasks/main.yml
+++ b/nagios-nrpe/tasks/main.yml
@ -10,6 +10,8 @@
    - nagios-plugins-common
    - nagios-plugins-contrib
    - nagios-plugins-standard
+  tags:
+    - nagios-nrpe

 - name: custom configuration is present
  template:
@ -19,6 +21,19 @@
    mode: "0640"
    force: no
  notify: restart nagios-nrpe-server
+  tags:
+    - nagios-nrpe
+
+- name: update allowed_hosts lists
+  lineinfile:
+    dest: /etc/nagios/nrpe.d/evolix.cfg
+    line: "allowed_hosts={{ nagios_nrpe_allowed_hosts | join(',') }}"
+    regexp: '^allowed_hosts='
+    insertafter: '# Allowed IPs'
+  notify: restart nagios-nrpe-server
+  when: nagios_nrpe_force_update_allowed_hosts
+  tags:
+    - nagios-nrpe

 - name: Nagios config is secured
  file:
@ -27,12 +42,15 @@
    group: nagios
    state: directory
  notify: restart nagios-nrpe-server
+  tags:
+    - nagios-nrpe

 - include_role:
    name: remount-usr
  when: nagios_plugins_directory | search ("/usr")
  tags:
-  - nagios-plugins
+    - nagios-nrpe
+    - nagios-plugins

 - name: Nagios plugins are installed
  copy:
@ -41,6 +59,7 @@
    mode: "0755"
  notify: restart nagios-nrpe-server
  tags:
+  - nagios-nrpe
  - nagios-plugins

 - name: Nagios lib is secured
@ -51,3 +70,5 @@
    recurse: yes
    state: directory
  notify: restart nagios-nrpe-server
+  tags:
+    - nagios-nrpe
--- a/nagios-nrpe/templates/evolix.cfg.j2
+++ b/nagios-nrpe/templates/evolix.cfg.j2
@ -25,8 +25,8 @@ command[check_mailq]=/usr/lib/nagios/plugins/check_mailq -M postfix -w 10 -c 20
 command[check_pgsql]=/usr/lib/nagios/plugins/check_pgsql -H localhost -l nrpe -p '{{ nagios_nrpe_pgsql_passwd }}'
 command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost -f ~nagios/.my.cnf
 command[check_mysql_slave]=/usr/lib/nagios/plugins/check_mysql --check-slave -H localhost -f ~nagios/.my.cnf -w 1800 -c 3600
-command[check_ldap]=/usr/lib/nagios/plugins/check_ldap -3 -H localhost -D cn=nagios,ou=ldapusers,{{ nagios_nrpe_ldap_dc }} -P {{ nagios_nrpe_ldap_passwd }} -b {{ nagios_nrpe_ldap_dc }}
-command[check_ldaps]=/usr/lib/nagios/plugins/check_ldaps -3 -H localhost -b {{ nagios_nrpe_ldap_dc }}
+command[check_ldap]=/usr/lib/nagios/plugins/check_ldap -3 --extra-opts=@/etc/nagios/monitoring-plugins.ini
+command[check_ldaps]=/usr/lib/nagios/plugins/check_ldap -3 -T --extra-opts=@/etc/nagios/monitoring-plugins.ini
 command[check_imap]=/usr/lib/nagios/plugins/check_imap -H localhost
 command[check_imaps]=/usr/lib/nagios/plugins/check_imap -S -H localhost -p 993
 command[check_imapproxy]=/usr/lib/nagios/plugins/check_imap -H localhost -p 1143
@ -34,7 +34,7 @@ command[check_pop]=/usr/lib/nagios/plugins/check_pop -H localhost
 command[check_pops]=/usr/lib/nagios/plugins/check_pop -S -H localhost -p 995
 command[check_ftp]=/usr/lib/nagios/plugins/check_ftp -H localhost
 command[check_http]=/usr/lib/nagios/plugins/check_http -e 200 -I 127.0.0.1 -H localhost
-command[check_https]=/usr/lib/nagios/plugins/check_http -e 200 -I 127.0.0.1 -S -p 443 -H ssl.evolix.net
+command[check_https]=/usr/lib/nagios/plugins/check_http -e 200 -I 127.0.0.1 -S -p 443 --sni -H ssl.evolix.net
 command[check_bind]=/usr/lib/nagios/plugins/check_dig -l evolix.net -H localhost
 command[check_unbound]=/usr/lib/nagios/plugins/check_dig -l evolix.net -H localhost
 command[check_smb]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 445
--- a/nginx/tasks/server_status.yml
+++ b/nginx/tasks/server_status.yml
@ -1,8 +1,8 @@
 ---

- name: server status dirname exists
+- name: "server status dirname exists '{{ nginx_serverstatus_suffix_file | dirname }}'"
  file:
-    dest: "{{ nginx_serverstatus_suffix | dirname }}"
+    dest: "{{ nginx_serverstatus_suffix_file | dirname }}"
    mode: "0700"
    owner: root
    group: root
--- a/webapps/evoadmin-mail/templates/evoadminmail.conf.j2
+++ b/webapps/evoadmin-mail/templates/evoadminmail.conf.j2
@ -22,7 +22,7 @@
    <Directory {{ evoadminmail_document_root }}/htdocs/>
        #Options Indexes SymLinksIfOwnerMatch
        Options SymLinksIfOwnerMatch
-        AllowOverride AuthConfig Limit FileInfo
+        AllowOverride AuthConfig Limit FileInfo Indexes
        Require all granted
    </Directory>