evolix/ansible-roles
22
2
Fork 2
Code Issues 61 Pull requests 18 Releases 32 Wiki Activity

Merge remote-tracking branch 'origin/unstable' into unstable

Browse source
This commit is contained in:
Benoît S. 2017-10-06 15:45:09 +02:00
parent 50cba28f7b 7f4eb747de
commit 9a93e8d449
58 changed files with 541 additions and 388 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
admin-users/defaults/main.yml
View file

@ -1,3 +0,0 @@
---
admin_users: {}
admin_users_group: adm

11
admin-users/tasks/admin_user.yml
View file

@ -1,11 +0,0 @@
---
- include: user.yml
- include: profile.yml
- include: ssh.yml
- include: sudo.yml
- meta: flush_handlers

48
admin-users/tasks/sudo.yml
View file

@ -1,48 +0,0 @@
---
- name: "Verify Evolinux sudoers file presence (jessie)"
template:
src: sudoers_jessie.j2
dest: /etc/sudoers.d/evolinux
force: no
validate: '/usr/sbin/visudo -cf %s'
register: copy_sudoers_evolinux
when: ansible_distribution_release == "jessie"
- name: "Verify Evolinux sudoers file presence (Debian 9 or later)"
template:
src: sudoers_stretch.j2
dest: /etc/sudoers.d/evolinux
force: no
validate: '/usr/sbin/visudo -cf %s'
register: copy_sudoers_evolinux
when: ansible_distribution_major_version | version_compare('9', '>=')
- name: "Verify Evolinux sudoers file permissions"
file:
path: /etc/sudoers.d/evolinux
mode: "0440"
state: file
- name: "Add user in sudoers file for '{{ user.name }}' (jessie)"
replace:
dest: /etc/sudoers.d/evolinux
regexp: '^(User_Alias\s+ADMINS\s+=((?!{{ user.name }}).)*)$'
replace: '\1,{{ user.name }}'
validate: '/usr/sbin/visudo -cf %s'
when:
- ansible_distribution_release == "jessie"
- not copy_sudoers_evolinux.changed
- name: "Create evolinux-sudo group (Debian 9 or later)"
group:
name: evolinux-sudo
system: yes
when: ansible_distribution_major_version | version_compare('9', '>=')
- name: "Add user to evolinux-sudo group (Debian 9 or later)"
user:
name: '{{ user.name }}'
groups: 'evolinux-sudo'
append: yes
when: ansible_distribution_major_version | version_compare('9', '>=')

3
apt/tasks/main.yml
View file

@ -19,9 +19,6 @@
tags:
- apt
- debug:
var: apt_install_evolix_public
- name: Install Evolix Public APT repository
include: evolix_public.yml
when: apt_install_evolix_public

20
drbd/README.md
View file

@ -5,23 +5,3 @@ Install tools to setup DRBD replication accross servers.
## Tasks
Everything is in the `tasks/main.yml` file.
## Available variables
The variable `admin_users` must be a "dict" of one or more users :
```
admin_users:
foo:
name: foo
uid: 1001
fullname: 'Mr Foo'
password_hash: 'sdfgsdfgsdfgsdfg'
ssh_key: 'ssh-rsa AZERTYXYZ'
bar:
name: bar
uid: 1002
fullname: 'Mr Bar'
password_hash: 'gsdfgsdfgsdfgsdf'
ssh_key: 'ssh-rsa QWERTYUIOP'
```

2
evoacme/files/certbot.cron
View file

@ -10,5 +10,5 @@
[ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt'
find "${CRT_DIR}" -maxdepth 1 -mindepth 1 -type d ! -path "*accounts" -exec basename {} \; | while read vhost; do
evoacme "$vhost"
evoacme "$vhost"
done

149
evoacme/files/evoacme.sh
View file

@ -7,78 +7,109 @@
# Licence: AGPLv3
#
set -e
usage() {
echo "Usage: $0 NAME"
echo ""
echo "NAME must be correspond to :"
echo "- a CSR in ${CSR_DIR}/NAME.csr"
echo "- a KEY in ${SSL_KEY_DIR}/NAME.key"
echo ""
echo "Usage: $0 [ --cron ] NAME"
echo ""
echo "NAME must be correspond to :"
echo "- a CSR in ${CSR_DIR}/NAME.csr"
echo "- a KEY in ${SSL_KEY_DIR}/NAME.key"
echo ""
}
mkconf_apache() {
[ -f "/etc/apache2/ssl/${vhost}.conf" ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $CRT_DIR/${vhost}/live/fullchain.pem~" "/etc/apache2/ssl/${vhost}.conf"
apache2ctl -t 2>/dev/null && service apache2 reload
echo "Apache detected... first configuration"
[ -f "/etc/apache2/ssl/${vhost}.conf" ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $CRT_DIR/${vhost}/live/fullchain.pem~" "/etc/apache2/ssl/${vhost}.conf"
apache2ctl -t
}
mkconf_nginx() {
[ -f "/etc/nginx/ssl/${vhost}.conf" ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $CRT_DIR/${vhost}/live/fullchain.pem;~" "/etc/nginx/ssl/${vhost}.conf"
nginx -t 2>/dev/null && service nginx reload
}
mkconf_haproxy() {
mkdir -p /etc/ssl/haproxy -m 700
cat "$CRT_DIR/${vhost}/live/fullchain.pem" "$SSL_KEY_DIR/${vhost}.key" > "/etc/ssl/haproxy/${vhost}.pem"
[ -f "$DH_DIR/${vhost}.pem" ] && cat "$DH_DIR/${vhost}.pem" >> "/etc/ssl/haproxy/${vhost}.pem"
haproxy -c -f /etc/haproxy/haproxy.cfg >/dev/null && service haproxy reload
echo "Nginx detected... first configuration"
[ -f "/etc/nginx/ssl/${vhost}.conf" ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $CRT_DIR/${vhost}/live/fullchain.pem;~" "/etc/nginx/ssl/${vhost}.conf"
nginx -t
}
main() {
[ -f /etc/default/evoacme ] && . /etc/default/evoacme
[ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private'
[ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt'
[ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests'
[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed'
[ -z "${DH_DIR}" ] && DH_DIR='/etc/ssl/dhparam'
[ -z "${LOG_DIR}" ] && LOG_DIR='/var/log/evoacme'
[ "$#" -ne 1 ] && usage && exit 1
[ -f /etc/default/evoacme ] && . /etc/default/evoacme
[ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR=/etc/ssl/private
[ -z "${ACME_DIR}" ] && ACME_DIR=/var/lib/letsencrypt
[ -z "${CSR_DIR}" ] && CSR_DIR=/etc/ssl/requests
[ -z "${CRT_DIR}" ] && CRT_DIR=/etc/letsencrypt
[ -z "${LOG_DIR}" ] && LOG_DIR=/var/log/evoacme
[ -z "${SSL_MINDAY}" ] && SSL_MINDAY=30
[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR=/etc/ssl/self-signed
[ -z "${DH_DIR}" ] && DH_DIR=etc/ssl/dhparam
vhost=$(basename "$1" .conf)
# misc verifications
[ "$1" = "-h" ] || [ "$1" = "--help" ] && usage && exit 0
which openssl >/dev/null || ( echo "error: openssl command not installed" && exit 1 )
which certbot >/dev/null || ( echo "error: certbot command not installed" && exit 1 )
[ ! -d $ACME_DIR ] && echo "error: $ACME_DIR is not a directory" && exit 1
[ ! -d $CSR_DIR ] && echo "error: $CSR_DIR is not a directory" && exit 1
[ ! -d $LOG_DIR ] && echo "error: $LOG_DIR is not a directory" && exit 1
[ "$#" -ge 3 ] || [ "$#" -le 0 ] && echo "error: invalid argument(s)" && usage && exit 1
[ "$#" -eq 2 ] && [ "$1" != "--cron" ] && echo "error: invalid argument(s)" && usage && exit 1
# Check master status for evoadmin-cluster
if [ -f "/home/${vhost}/state" ]; then
grep -q "STATE=master" "/home/${vhost}/state" || exit 0
fi
[ "$#" -eq 1 ] && vhost=$(basename "$1" .conf) && CRON=NO
[ "$#" -eq 2 ] && vhost=$(basename "$2" .conf) && CRON=YES
# verify .csr file
test ! -f "$CSR_DIR/${vhost}.csr" && echo "error: $CSR_DIR/${vhost}.csr absent" && exit 1
test ! -r "$CSR_DIR/${vhost}.csr" && echo "error: $CSR_DIR/${vhost}.csr is not readable" && exit 1
openssl req -noout -modulus -in "$CSR_DIR/${vhost}.csr" >/dev/null || ( echo "error: $CSR_DIR/${vhost}.csr is invalid" && exit 1 )
[ "$CRON" = "NO" ] && echo "Using CSR file: $CSR_DIR/${vhost}.csr"
# Hook for evoadmin-web in cluster mode : check master status
if [ -f "/home/${vhost}/state" ]; then
grep -q "STATE=master" "/home/${vhost}/state" || exit 0
fi
if [ -n "$SSL_EMAIL" ]; then
emailopt="-m $SSL_EMAIL"
else
emailopt="--register-unsafely-without-email"
fi
DATE=$(date "+%Y%m%d")
[ ! -n "$DATE" ] && echo "error: invalid date" && exit 1
# If live link already exists, it's not our first time...
if [ -h "$CRT_DIR/${vhost}/live" ]; then
openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/live/cert.crt" >/dev/null || ( echo "error: $CRT_DIR/${vhost}/live/cert.crt is invalid" && exit 1 )
# Verify if our certificate will expire
crt_end_date=$(openssl x509 -noout -enddate -in "$CRT_DIR/${vhost}/live/cert.crt" | cut -d= -f2)
date_renew=$(date -ud "$crt_end_date - $SSL_MINDAY days" +"%s")
date_today=$(date +'%s')
[ "$date_today" -lt "$date_renew" ] && ( [ "$CRON" = "NO" ] && echo "Cert $CRT_DIR/${vhost}/live/cert.crt expires at $crt_end_date => more than $SSL_MINDAY days: thxbye." || true ) && exit 0
else
which apache2ctl >/dev/null && mkconf_apache
which nginx >/dev/null && mkconf_nginx
fi
# renew certificate with certbot
[ -d "$CRT_DIR/${vhost}/${DATE}" ] && echo "error: $CRT_DIR/${vhost}/${DATE} directory already exists, remove it manually." && exit 1
mkdir -pm 755 "$CRT_DIR/${vhost}/${DATE}"
chown -R acme: "$CRT_DIR/${vhost}/${DATE}"
[ "$CRON" = "YES" ] && CERTBOT_OPTS="--quiet"
sudo -u acme certbot certonly $CERTBOT_OPTS --webroot --csr "$CSR_DIR/${vhost}.csr" --webroot-path "$ACME_DIR" -n --agree-tos --cert-path="$CRT_DIR/${vhost}/${DATE}/cert.crt" --fullchain-path="$CRT_DIR/${vhost}/${DATE}/fullchain.pem" --chain-path="$CRT_DIR/${vhost}/${DATE}/chain.pem" "$emailopt" --logs-dir "$LOG_DIR" 2>&1 | grep -v "certbot.crypto_util"
# verify if all is right
openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/${DATE}/cert.crt" >/dev/null || ( echo "error: new $CRT_DIR/${vhost}/${DATE}/cert.crt is invalid" && exit 1 )
openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/${DATE}/fullchain.pem" >/dev/null || ( echo "error: new $CRT_DIR/${vhost}/${DATE}/fullchain.pem is invalid" && exit 1 )
openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/${DATE}/chain.pem" >/dev/null || ( echo "error: new $CRT_DIR/${vhost}/${DATE}/chain.pem is invalid" && exit 1 )
# link dance
[ -h "$CRT_DIR/${vhost}/live" ] && rm "$CRT_DIR/${vhost}/live"
ln -s "$CRT_DIR/${vhost}/${DATE}" "$CRT_DIR/${vhost}/live"
openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/live/cert.crt" >/dev/null || ( echo "error: new $CRT_DIR/{vhost}/live/cert.crt is invalid" && exit 1 )
# reload apache or nginx (TODO: need improvments)
pidof apache2 >/dev/null && apache2ctl -t 2>/dev/null && ( [ "$CRON" = "NO" ] && echo "Apache detected... reloading" || true ) && systemctl reload apache2
pidof nginx >/dev/null && nginx -t 2>/dev/null && ( [ "$CRON" = "NO" ] && echo "Nginx detected... reloading" || true ) && systemctl reload apache2
SSL_EMAIL=$(grep emailAddress "${CRT_DIR}/openssl.cnf"|cut -d'=' -f2|xargs)
if [ -n "$SSL_EMAIL" ]; then
emailopt="-m $SSL_EMAIL"
else
emailopt="--register-unsafely-without-email"
fi
DATE=$(date "+%Y%m%d")
if [ -h "$CRT_DIR/${vhost}/live" ]; then
crt_end_date=$(openssl x509 -noout -enddate -in "$CRT_DIR/${vhost}/live/cert.crt"|sed -e "s/.*=//")
date_crt=$(date -ud "$crt_end_date" +"%s")
date_today=$(date +'%s')
date_diff=$(((date_crt - date_today) / (60*60*24)))
[ "$date_diff" -ge "$SSL_MINDAY" ] && exit 0
fi
rm -rf "$CRT_DIR/${vhost}/${DATE}"
mkdir -pm 755 "$CRT_DIR/${vhost}/${DATE}"
chown -R acme: "$CRT_DIR/${vhost}"
sudo -u acme certbot certonly --quiet --webroot --csr "$CSR_DIR/${vhost}.csr" --webroot-path "$ACME_DIR" -n --agree-tos --cert-path="$CRT_DIR/${vhost}/${DATE}/cert.crt" --fullchain-path="$CRT_DIR/${vhost}/${DATE}/fullchain.pem" --chain-path="$CRT_DIR/${vhost}/${DATE}/chain.pem" "$emailopt" --logs-dir "$LOG_DIR" 2>&1 | grep -v "certbot.crypto_util"
if [ -f "$CRT_DIR/${vhost}/${DATE}/fullchain.pem" ]; then
rm -f "$CRT_DIR/${vhost}/live"
ln -s "$CRT_DIR/${vhost}/${DATE}" "$CRT_DIR/${vhost}/live"
which apache2ctl >/dev/null && mkconf_apache
which nginx >/dev/null && mkconf_nginx
which haproxy >/dev/null && mkconf_haproxy
else
rmdir "$CRT_DIR/${vhost}/${DATE}"
fi
}
main "$@"

212
evoacme/files/make-csr.sh
View file

@ -8,143 +8,143 @@
#
get_domains() {
echo "$vhostfile"|grep -q nginx
if [ "$?" -eq 0 ]; then
domains=$(grep -oE "^( )*[^#]+" "$vhostfile" |grep -oE "[^\$]server_name.*;$"|sed 's/server_name//'|tr -d ';'|sed 's/\s\{1,\}//'|sed 's/\s\{1,\}/\n/g'|sort|uniq)
fi
echo "$vhostfile" |grep -q apache2
if [ "$?" -eq 0 ]; then
domains=$(grep -oE "^( )*[^#]+" "$vhostfile" |grep -oE "(ServerName|ServerAlias).*"|sed 's/ServerName//'|sed 's/ServerAlias//'|sed 's/\s\{1,\}//'|sort|uniq)
fi
valid_domains=""
nb=0
echo "Valid(s) domain(s) in $vhost :"
for domain in $domains; do
real_ip=$(dig +short "$domain"|grep -oE "([0-9]+\.){3}[0-9]+")
for ip in $(echo "$SRV_IP"|xargs -n1); do
if [ "${ip}" = "${real_ip}" ]; then
valid_domains="$valid_domains $domain"
nb=$(( nb + 1 ))
echo "* $domain -> $real_ip"
fi
done
done
if [ "$nb" -eq 0 ]; then
nb=$(echo "$domains"|wc -l)
echo "* No valid domain found"
echo "All following(s) domain(s) will be used for CSR creation :"
for domain in $domains; do
echo "* $domain"
done
else
domains="$valid_domains"
fi
domains=$(echo "$domains"|xargs -n1)
echo "$vhostfile"|grep -q nginx
if [ "$?" -eq 0 ]; then
domains=$(grep -oE "^( )*[^#]+" "$vhostfile" |grep -oE "[^\$]server_name.*;$"|sed 's/server_name//'|tr -d ';'|sed 's/\s\{1,\}//'|sed 's/\s\{1,\}/\n/g'|sort|uniq)
fi
echo "$vhostfile" |grep -q apache2
if [ "$?" -eq 0 ]; then
domains=$(grep -oE "^( )*[^#]+" "$vhostfile" |grep -oE "(ServerName|ServerAlias).*"|sed 's/ServerName//'|sed 's/ServerAlias//'|sed 's/\s\{1,\}//'|sort|uniq)
fi
valid_domains=""
nb=0
echo "Valid(s) domain(s) in $vhost :"
for domain in $domains; do
real_ip=$(dig +short "$domain"|grep -oE "([0-9]+\.){3}[0-9]+")
for ip in $(echo "$SRV_IP"|xargs -n1); do
if [ "${ip}" = "${real_ip}" ]; then
valid_domains="$valid_domains $domain"
nb=$(( nb + 1 ))
echo "* $domain -> $real_ip"
fi
done
done
if [ "$nb" -eq 0 ]; then
nb=$(echo "$domains"|wc -l)
echo "* No valid domain found"
echo "All following(s) domain(s) will be used for CSR creation :"
for domain in $domains; do
echo "* $domain"
done
else
domains="$valid_domains"
fi
domains=$(echo "$domains"|xargs -n1)
}
make_key() {
openssl genrsa -out "$SSL_KEY_DIR/${vhost}.key" "$SSL_KEY_SIZE" 2>/dev/null
chown root: "$SSL_KEY_DIR/${vhost}.key"
chmod 600 "$SSL_KEY_DIR/${vhost}.key"
openssl genrsa -out "$SSL_KEY_DIR/${vhost}.key" "$SSL_KEY_SIZE" 2>/dev/null
chown root: "$SSL_KEY_DIR/${vhost}.key"
chmod 600 "$SSL_KEY_DIR/${vhost}.key"
}
make_csr() {
domains="$1"
nb=$(echo "$domains"|wc -l)
config_file="/tmp/make-csr-${vhost}.conf"
domains="$1"
nb=$(echo "$domains"|wc -l)
config_file="/tmp/make-csr-${vhost}.conf"
mkdir -p "$CSR_DIR" -m 0755
if [ "$nb" -eq 1 ]; then
cat /etc/letsencrypt/openssl.cnf - > "$config_file" <<EOF
mkdir -p "$CSR_DIR" -m 0755
if [ "$nb" -eq 1 ]; then
cat /etc/letsencrypt/openssl.cnf - > "$config_file" <<EOF
CN=$domains
EOF
openssl req -new -sha256 -key "$SSL_KEY_DIR/${vhost}.key" -config "$config_file" -out "$CSR_DIR/${vhost}.csr"
elif [ "$nb" -gt 1 ]; then
san=''
for domain in $domains
do
san="$san,DNS:$domain"
done
san=$(echo "$san"|sed 's/,//')
cat /etc/letsencrypt/openssl.cnf - > "$config_file" <<EOF
openssl req -new -sha256 -key "$SSL_KEY_DIR/${vhost}.key" -config "$config_file" -out "$CSR_DIR/${vhost}.csr"
elif [ "$nb" -gt 1 ]; then
san=''
for domain in $domains
do
san="$san,DNS:$domain"
done
san=$(echo "$san"|sed 's/,//')
cat /etc/letsencrypt/openssl.cnf - > "$config_file" <<EOF
[SAN]
subjectAltName=$san
EOF
openssl req -new -sha256 -key "$SSL_KEY_DIR/${vhost}.key" -reqexts SAN -config "$config_file" > "$CSR_DIR/${vhost}.csr"
fi
if [ -f "$CSR_DIR/${vhost}.csr" ]; then
chmod 644 "$CSR_DIR/${vhost}.csr"
mkdir -p "$SELF_SIGNED_DIR" -m 0755
openssl x509 -req -sha256 -days 365 -in "$CSR_DIR/${vhost}.csr" -signkey "$SSL_KEY_DIR/${vhost}.key" -out "$SELF_SIGNED_DIR/${vhost}.pem"
[ -f "$SELF_SIGNED_DIR/${vhost}.pem" ] && chmod 644 "$SELF_SIGNED_DIR/${vhost}.pem"
fi
openssl req -new -sha256 -key "$SSL_KEY_DIR/${vhost}.key" -reqexts SAN -config "$config_file" > "$CSR_DIR/${vhost}.csr"
fi
if [ -f "$CSR_DIR/${vhost}.csr" ]; then
chmod 644 "$CSR_DIR/${vhost}.csr"
mkdir -p "$SELF_SIGNED_DIR" -m 0755
openssl x509 -req -sha256 -days 365 -in "$CSR_DIR/${vhost}.csr" -signkey "$SSL_KEY_DIR/${vhost}.key" -out "$SELF_SIGNED_DIR/${vhost}.pem"
[ -f "$SELF_SIGNED_DIR/${vhost}.pem" ] && chmod 644 "$SELF_SIGNED_DIR/${vhost}.pem"
fi
}
mkconf_apache() {
mkdir -p /etc/apache2/ssl
if [ ! -f "/etc/apache2/ssl/${vhost}.conf" ]; then
cat > "/etc/apache2/ssl/${vhost}.conf" <<EOF
mkdir -p /etc/apache2/ssl
if [ ! -f "/etc/apache2/ssl/${vhost}.conf" ]; then
cat > "/etc/apache2/ssl/${vhost}.conf" <<EOF
SSLEngine On
SSLCertificateFile $SELF_SIGNED_DIR/${vhost}.pem
SSLCertificateKeyFile $SSL_KEY_DIR/${vhost}.key
EOF
else
sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $SELF_SIGNED_DIR/${vhost}.pem~" "/etc/apache2/ssl/${vhost}.conf"
fi
else
sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $SELF_SIGNED_DIR/${vhost}.pem~" "/etc/apache2/ssl/${vhost}.conf"
fi
}
mkconf_nginx() {
mkdir -p /etc/nginx/ssl
if [ ! -f "/etc/nginx/ssl/${vhost}.conf" ]; then
cat > "/etc/nginx/ssl/${vhost}.conf" <<EOF
mkdir -p /etc/nginx/ssl
if [ ! -f "/etc/nginx/ssl/${vhost}.conf" ]; then
cat > "/etc/nginx/ssl/${vhost}.conf" <<EOF
ssl_certificate $SELF_SIGNED_DIR/${vhost}.pem;
ssl_certificate_key $SSL_KEY_DIR/${vhost}.key;
EOF
else
sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $SELF_SIGNED_DIR/${vhost}.pem;~" "/etc/nginx/ssl/${vhost}.conf"
fi
else
sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $SELF_SIGNED_DIR/${vhost}.pem;~" "/etc/nginx/ssl/${vhost}.conf"
fi
}
main() {
if [ "$#" -ne 1 ]; then
echo "You need to provide one argument !" >&2
exit 1
fi
vhost=$(basename "$1" .conf)
local_ip=$(ip a|grep brd|cut -d'/' -f1|grep -oE "([0-9]+\.){3}[0-9]+")
if [ "$#" -ne 1 ]; then
echo "You need to provide one argument !" >&2
exit 1
fi
vhost=$(basename "$1" .conf)
local_ip=$(ip a|grep brd|cut -d'/' -f1|grep -oE "([0-9]+\.){3}[0-9]+")
[ -f /etc/default/evoacme ] && . /etc/default/evoacme
[ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private'
[ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests'
[ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt'
[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed'
SSL_KEY_SIZE=$(grep default_bits /etc/letsencrypt/openssl.cnf|cut -d'=' -f2|xargs)
[ -n "${SRV_IP}" ] && SRV_IP="${SRV_IP} $local_ip" || SRV_IP="$local_ip"
vhostfile=$(ls "/etc/nginx/sites-enabled/${vhost}" "/etc/nginx/sites-enabled/${vhost}.conf" "/etc/apache2/sites-enabled/${vhost}" "/etc/apache2/sites-enabled/${vhost}.conf" 2>/dev/null|head -n1)
if [ ! -h "$vhostfile" ]; then
echo "$vhost is not a valid virtualhost !" >&2
exit 1
fi
[ -f /etc/default/evoacme ] && . /etc/default/evoacme
[ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private'
[ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests'
[ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt'
[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed'
SSL_KEY_SIZE=$(grep default_bits /etc/letsencrypt/openssl.cnf|cut -d'=' -f2|xargs)
[ -n "${SRV_IP}" ] && SRV_IP="${SRV_IP} $local_ip" || SRV_IP="$local_ip"
vhostfile=$(ls "/etc/nginx/sites-enabled/${vhost}" "/etc/nginx/sites-enabled/${vhost}.conf" "/etc/apache2/sites-enabled/${vhost}" "/etc/apache2/sites-enabled/${vhost}.conf" 2>/dev/null|head -n1)
if [ ! -h "$vhostfile" ]; then
echo "$vhost is not a valid virtualhost !" >&2
exit 1
fi
if [ -f "$SSL_KEY_DIR/${vhost}.key" ]; then
echo "$vhost key already exist, overwrite it ? (y)"
read REPLY
[ "$REPLY" = "Y" ] || [ "$REPLY" = "y" ] || exit 0
rm -f "/etc/apache2/ssl/${vhost}.conf /etc/nginx/ssl/${vhost}.conf"
[ -h "${CRT_DIR}/${vhost}/live" ] && rm "${CRT_DIR}/${vhost}/live"
fi
if [ -f "$SSL_KEY_DIR/${vhost}.key" ]; then
echo "$vhost key already exist, overwrite it ? (y)"
read REPLY
[ "$REPLY" = "Y" ] || [ "$REPLY" = "y" ] || exit 0
rm -f "/etc/apache2/ssl/${vhost}.conf /etc/nginx/ssl/${vhost}.conf"
[ -h "${CRT_DIR}/${vhost}/live" ] && rm "${CRT_DIR}/${vhost}/live"
fi
get_domains
make_key
make_csr "$domains"
which apache2ctl >/dev/null && mkconf_apache
get_domains
make_key
make_csr "$domains"
which apache2ctl >/dev/null && mkconf_apache
which nginx >/dev/null && mkconf_nginx
}

12
evoacme/tasks/certbot.yml
View file

@ -42,6 +42,18 @@
path: /usr/local/bin/certbot
state: absent
- name: stat /etc/cron.d/certbot
stat:
path: /etc/cron.d/certbot
register: etc_cron_d_certbot
- name: Rename certbot dpkg cron to .disabled
copy:
remote_src: True
src: /etc/cron.d/certbot
dest: /etc/cron.d/certbot.disabled
when: etc_cron_d_certbot.stat.exists
- name: Remove certbot dpkg cron
file:
path: /etc/cron.d/certbot

2
evoacme/tasks/conf.yml
View file

@ -1,6 +1,6 @@
---
- ini_file:
dest: /etc/letsencrypt/openssl.cnf
dest: "{{ evoacme_crt_dir }}/openssl.cnf"
section: 'req'
option: "{{ item.name }}"
value: "{{ item.var }}"

12
evoacme/tasks/main.yml
View file

@ -13,7 +13,17 @@
- include: scripts.yml
- include: webserver.yml
- name: Determine Apache presence
stat:
path: /etc/apache2/apache2.conf
check_mode: no
register: sta
- name: Determine Nginx presence
stat:
path: /etc/nginx/nginx.conf
check_mode: no
register: stn
- include: apache.yml
when: sta.stat.isreg is defined and sta.stat.isreg

4
evoacme/tasks/scripts.yml
View file

@ -9,7 +9,7 @@
- name: Copy make-csr.sh script
copy:
src: files/make-csr.sh
src: make-csr.sh
dest: /usr/local/sbin/make-csr
owner: root
group: root
@ -17,7 +17,7 @@
- name: Copy evoacme script
copy:
src: files/evoacme.sh
src: evoacme.sh
dest: /usr/local/sbin/evoacme
owner: root
group: root

12
evoacme/tasks/webserver.yml
View file

@ -1,12 +0,0 @@
---
- name: Determine Nginx presence
stat:
path: /etc/nginx/nginx.conf
check_mode: no
register: stn
- name: Determine Apache presence
stat:
path: /etc/apache2/apache2.conf
check_mode: no
register: sta

2
evolinux-base/README.md
View file

@ -36,6 +36,6 @@ Main variables are:
* `evolinux_additional_packages`: optional additional packages to install (default: `[]`)
* `evolinux_postfix_purge_exim`: purge Exim packages (default: `True`) ;
* `evolinux_ssh_password_auth_addresses`: list of addresses that can authenticate with a password (default: `[]`)
* `evolinux_ssh_disable_root`: disable SSH access for root (default: `True`)
* `evolinux_ssh_disable_root`: disable SSH access for root (default: `False`)
The full list of variables (with default values) can be found in `defaults/main.yml`.

52
evolinux-base/defaults/main.yml
View file

@ -10,6 +10,21 @@ logcheck_alert_email: Null
raid_alert_email: Null
postfix_alias_email: Null
# apt
evolinux_apt_include: True
evolinux_apt_conf: True
evolinux_apt_hooks: True
evolinux_apt_replace_default_sources: True
evolinux_apt_public_sources: True
evolinux_apt_upgrade: True
evolinux_apt_remove_aptitude: True
# etc-git
evolinux_etcgit_include: True
# hostname
evolinux_hostname_include: True
@ -31,17 +46,6 @@ evolinux_kernel_disable_tcp_timestamps: True
evolinux_kernel_reduce_swapiness: True
evolinux_kernel_cve20165696: True
# apt
evolinux_apt_include: True
evolinux_apt_conf: True
evolinux_apt_hooks: True
evolinux_apt_replace_default_sources: True
evolinux_apt_public_sources: True
evolinux_apt_upgrade: True
evolinux_apt_remove_aptitude: True
# fstab
evolinux_fstab_include: True
@ -96,6 +100,22 @@ evolinux_system_alert5_init: True
evolinux_system_alert5_enable: True
evolinux_system_eni_auto: True
# evomaintenance
evolinux_evomaintenance_include: True
# ssh
evolinux_ssh_include: True
evolinux_ssh_password_auth_addresses: []
evolinux_ssh_match_address: True
evolinux_ssh_disable_acceptenv: True
# evolinux users
evolinux_users_include: True
# root
evolinux_root_include: True
@ -108,15 +128,7 @@ evolinux_root_gitconfig: True
evolinux_root_bash_history_appendonly: True
evolinux_root_vim_default: True
evolinux_root_vim_conf: True
# ssh
evolinux_ssh_include: True
evolinux_ssh_password_auth_addresses: []
evolinux_ssh_match_address: True
evolinux_ssh_disable_root: True
evolinux_ssh_disable_acceptenv: True
evolinux_root_disable_ssh: True
# postfix

9
evolinux-base/files/alert5.service Normal file
View file

@ -0,0 +1,9 @@
[Unit]
Description=Evolix alert5 script
[Service]
Type=oneshot
ExecStart=/usr/share/scripts/alert5.sh
[Install]
WantedBy=multi-user.target

1
evolinux-base/meta/main.yml
View file

@ -12,6 +12,7 @@ galaxy_info:
- name: Debian
versions:
- jessie
- stretch
dependencies: []
# List your role dependencies here, one per line.

8
evolinux-base/tasks/fstab.yml
View file

@ -16,7 +16,7 @@
replace: '\1{{ evolinux_fstab_home_options | mandatory }}\3'
notify: remount /home
when:
- "' /home ' in fstab_content.stdout"
- fstab_content.stdout | regex_search('\s/home\s')
- evolinux_fstab_home
- name: /tmp partition is customized
@ -25,7 +25,7 @@
regexp: '([^#]\s+/tmp\s+\S+\s+)([a-z,]+)(\s+)'
replace: '\1{{ evolinux_fstab_tmp_options | mandatory }}\3'
when:
- "' /tmp ' in fstab_content.stdout"
- fstab_content.stdout | regex_search('\s/tmp\s')
- evolinux_fstab_tmp
- name: /usr partition is customized
@ -34,7 +34,7 @@
regexp: '([^#]\s+/usr\s+\S+\s+)([a-z,]+)(\s+)'
replace: '\1{{ evolinux_fstab_usr_options | mandatory }}\3'
when:
- "' /usr ' in fstab_content.stdout"
- fstab_content.stdout | regex_search('\s/usr\s')
- evolinux_fstab_usr
- name: /var partition is customized
@ -44,7 +44,7 @@
replace: '\1{{ evolinux_fstab_var_options | mandatory }}\3'
notify: remount /var
when:
- "' /var ' in fstab_content.stdout"
- fstab_content.stdout | regex_search('\s/var\s')
- evolinux_fstab_var
- name: /var/tmp is created

29
evolinux-base/tasks/main.yml
View file

@ -5,6 +5,15 @@
when:
- ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<')
- name: Apt configuration
include: apt.yml
when: evolinux_apt_include
- name: /etc versioning with Git
include_role:
name: etc-git
when: evolinux_etcgit_include
- name: Hostname
include: hostname.yml
when: evolinux_hostname_include
@ -13,10 +22,6 @@
include: kernel.yml
when: evolinux_kernel_include
- name: Apt configuration and packages install
include: apt.yml
when: evolinux_apt_include
- name: Fstab configuration
include: fstab.yml
when: evolinux_fstab_include
@ -29,14 +34,24 @@
include: system.yml
when: evolinux_system_include
- name: Root user configuration
include: root.yml
when: evolinux_root_include
- name: Evomaintenance
include_role:
name: evomaintenance
when: evolinux_evomaintenance_include
- name: SSH configuration
include: ssh.yml
when: evolinux_ssh_include
- name: Create evolinux users
include_role:
name: evolinux-users
when: evolinux_users_include
- name: Root user configuration
include: root.yml
when: evolinux_root_include
- name: Postfix
include: postfix.yml
when: evolinux_postfix_include

2
evolinux-base/tasks/postfix.yml
View file

@ -1,6 +1,6 @@
---
- name: packages are installed
- name: Postfix packages are installed
apt:
name: "{{ item }}"
state: present

8
evolinux-base/tasks/root.yml
View file

@ -80,4 +80,12 @@
- "set shiftwidth=4"
when: evolinux_root_vim_conf
- name: disable SSH access for root
replace:
dest: /etc/ssh/sshd_config
regexp: '^PermitRootLogin (yes|without-password)'
replace: "PermitRootLogin no"
notify: reload sshd
when: evolinux_root_disable_ssh
- meta: flush_handlers

42
evolinux-base/tasks/ssh.yml
View file

@ -17,48 +17,6 @@
notify: reload sshd
when: not evolinux_ssh_password_auth_addresses == []
# - name: verify Match Address directive
# command: "grep 'Match Address' /etc/ssh/sshd_config"
# changed_when: False
# failed_when: False
# check_mode: no
# register: grep_matchaddress_ssh
#
# - name: Add Match Address sshd directive
# lineinfile:
# dest: /etc/ssh/sshd_config
# line: "\nMatch Address {{ evolinux_ssh_password_auth_addresses | join(',') }}\n PasswordAuthentication yes"
# insertafter: '# +ForceCommand cvs server'
# validate: '/usr/sbin/sshd -T -f %s'
# notify: reload sshd
# when: evolinux_ssh_match_address and grep_matchaddress_ssh.rc != 0 and evolinux_ssh_password_auth_addresses != []
#
# - name: Modify Match Address sshd directive
# replace:
# dest: /etc/ssh/sshd_config
# regexp: '^(Match Address ((?!{{ item }}).)*)$'
# replace: '\1,{{ item }}'
# validate: '/usr/sbin/sshd -T -f %s'
# with_items: "{{ evolinux_ssh_password_auth_addresses }}"
# notify: reload sshd
# when: evolinux_ssh_match_address and grep_matchaddress_ssh.rc == 0
#
# - name: Add Match Group sudo without password
# lineinfile:
# dest: /etc/ssh/sshd_config
# line: "\nMatch Group sudo\n PasswordAuthentication no"
# insertbefore: '^Match Address'
# validate: '/usr/sbin/sshd -T -f %s'
# notify: reload sshd
- name: disable SSH access for root
replace:
dest: /etc/ssh/sshd_config
regexp: '^PermitRootLogin (yes|without-password)'
replace: "PermitRootLogin no"
notify: reload sshd
when: evolinux_ssh_disable_root
# We disable AcceptEnv because it can be a security issue, but also because we
# do not want clients to push their environment variables like LANG.
- name: disable AcceptEnv in ssh config

55
evolinux-base/tasks/system.yml
View file

@ -116,29 +116,56 @@
## alert5
- name: Install alert5 init script
- name: Install alert5 init script (jessie/stretch)
template:
src: system/init_alert5.j2
src: system/alert5.sysvinit.j2
dest: /etc/init.d/alert5
force: no
mode: "0755"
when: evolinux_system_alert5_init
when:
- evolinux_system_alert5_init
- ansible_distribution_release == "jessie" or ansible_distribution_release == "stretch"
#TODO: switch service/systemd modules with Ansible 2.2+
- name: Enable alert5 init script
- name: Enable alert5 init script (jessie/stretch)
service:
name: alert5
enabled: yes
when: evolinux_system_alert5_init and evolinux_system_alert5_enable
when:
- evolinux_system_alert5_init
- evolinux_system_alert5_enable
- ansible_distribution_release == "jessie" or ansible_distribution_release == "stretch"
# - name: Enable alert5 init script
# systemd:
# name: alert5
# daemon_reload: yes
# enabled: yes
# when: evolinux_system_alert5_init and evolinux_system_alert5_enable
- name: Install alert5 init script (buster)
template:
src: system/alert5.sh.j2
dest: /usr/share/scripts/alert5.sh
force: no
mode: "0755"
when:
- evolinux_system_alert5_init
- ansible_distribution_major_version | version_compare('10', '>=')
- name: Install alert5 service (buster)
copy:
src: alert5.service
dest: /etc/systemd/system/alert5.service
force: yes
mode: "0755"
when:
- evolinux_system_alert5_init
- ansible_distribution_major_version | version_compare('10', '>=')
- name: Enable alert5 init script (buster)
systemd:
name: alert5
daemon_reload: yes
enabled: yes
when:
- evolinux_system_alert5_init
- evolinux_system_alert5_enable
- ansible_distribution_major_version | version_compare('10', '>=')
## network interfaces

7
evolinux-base/templates/system/alert5.sh.j2 Normal file
View file

@ -0,0 +1,7 @@
#!/bin/sh
## sends a mail when booting
date | mail -s'boot/reboot' {{ reboot_alert_email or general_alert_email | mandatory }}
## starts the firewall
#/etc/init.d/minifirewall start

0
evolinux-base/templates/system/init_alert5.j2 → evolinux-base/templates/system/alert5.sysvinit.j2
View file

2
admin-users/.kitchen.yml → evolinux-users/.kitchen.yml
View file

@ -31,7 +31,7 @@ suites:
playbook: ./tests/test.yml
verifier:
patterns:
- admin-users/tests/spec/admin-users_spec.rb
- evolinux-users/tests/spec/evolinux-users_spec.rb
bundler_path: '/usr/local/bin'
rspec_path: '/usr/local/bin'

16
admin-users/README.md → evolinux-users/README.md
View file

@ -1,6 +1,6 @@
# admin-users
# evolinux-users
Creates admin users accounts, based on a configuration data structure.
Creates evolinux users accounts, based on a configuration data structure.
## Tasks
@ -8,20 +8,26 @@ Everything is in the `tasks/main.yml` file.
## Available variables
The variable `admin_users` must be a "dict" of one or more users :
The variable `evolinux_users` must be a "dict" of one or more users :
```
admin_users:
evolinux_users:
foo:
name: foo
uid: 1001
fullname: 'Mr Foo'
groups: "baz"
password_hash: 'sdfgsdfgsdfgsdfg'
ssh_key: 'ssh-rsa AZERTYXYZ'
bar:
name: bar
uid: 1002
fullname: 'Mr Bar'
groups:
- "baz"
- "qux"
password_hash: 'gsdfgsdfgsdfgsdf'
ssh_key: 'ssh-rsa QWERTYUIOP'
ssh_keys:
- 'ssh-rsa QWERTYUIOP'
- 'ssh-ed25519 QWERTYUIOP'
```

3
evolinux-users/defaults/main.yml Normal file
View file

@ -0,0 +1,3 @@
---
evolinux_users: {}
evolinux_sudo_group: "evolinux-sudo"

0
admin-users/handlers/main.yml → evolinux-users/handlers/main.yml
View file

2
admin-users/meta/main.yml → evolinux-users/meta/main.yml
View file

@ -1,6 +1,6 @@
galaxy_info:
author: Evolix
description: Creates admin users accounts.
description: Creates evolinux users accounts.
issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues

17
admin-users/tasks/user.yml → evolinux-users/tasks/account.yml
View file

@ -35,19 +35,22 @@
update_password: on_create
when: loginisbusy.rc != 0 and uidisbusy.rc == 0
- name: "Create {{ admin_users_group }} group (Debian 9 or later)"
- name: "Create secondary groups"
group:
name: "{{ admin_users_group }}"
when: ansible_distribution_major_version | version_compare('9', '>=')
name: "{{ group }}"
with_items: "{{ user.groups }}"
loop_control:
loop_var: group
when: user.groups is defined
- name: "Add user to {{ admin_users_group }} group (Debian 9 or later)"
- name: "Add user '{{ user.name }}' to secondary groups"
user:
name: '{{ user.name }}'
groups: '{{ admin_users_group }}'
groups: "{{ user.groups }}"
append: yes
when: ansible_distribution_major_version | version_compare('9', '>=')
when: user.groups is defined
- name: "Fix perms on homedirectory for '{{ user.name }}'"
- name: "Fix perms on home directory for '{{ user.name }}'"
file:
name: '/home/{{ user.name }}'
mode: "0700"

10
admin-users/tasks/main.yml → evolinux-users/tasks/main.yml
View file

@ -6,11 +6,11 @@
- ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<')
- debug:
msg: "Warning: empty 'admin_users' variable, tasks will be skipped!"
when: admin_users == {}
msg: "Warning: empty 'evolinux_users' variable, tasks will be skipped!"
when: evolinux_users == {}
- include: admin_user.yml
- include: user.yml
vars:
user: "{{ item.value }}"
with_dict: "{{ admin_users }}"
when: admin_users != {}
with_dict: "{{ evolinux_users }}"
when: evolinux_users != {}

0
admin-users/tasks/profile.yml → evolinux-users/tasks/profile.yml
View file

11
admin-users/tasks/ssh.yml → evolinux-users/tasks/ssh.yml
View file

@ -14,6 +14,17 @@
user: "{{ user.name }}"
key: "{{ user.ssh_key }}"
state: present
when: user.ssh_key is defined
- name: "Add user's SSH public keys for '{{ user.name }}'"
authorized_key:
user: "{{ user.name }}"
key: "{{ ssk_key }}"
state: present
with_items: "{{ user.ssh_keys }}"
loop_control:
loop_var: ssk_key
when: user.ssh_keys is defined
# we must double-escape caracters, because python
- name: verify AllowUsers directive

18
evolinux-users/tasks/sudo_jessie.yml Normal file
View file

@ -0,0 +1,18 @@
---
- name: "Verify Evolinux sudoers file presence (jessie)"
template:
src: sudoers_jessie.j2
dest: /etc/sudoers.d/evolinux
force: no
mode: "0440"
validate: '/usr/sbin/visudo -cf %s'
register: copy_sudoers_evolinux
- name: "Add user in sudoers file for '{{ user.name }}' (jessie)"
replace:
dest: /etc/sudoers.d/evolinux
regexp: '^(User_Alias\s+ADMINS\s+=((?!{{ user.name }}).)*)$'
replace: '\1,{{ user.name }}'
validate: '/usr/sbin/visudo -cf %s'
when: not copy_sudoers_evolinux.changed

20
evolinux-users/tasks/sudo_stretch.yml Normal file
View file

@ -0,0 +1,20 @@
---
- name: "Verify Evolinux sudoers file presence (Debian 9 or later)"
template:
src: sudoers_stretch.j2
dest: /etc/sudoers.d/evolinux
force: no
validate: '/usr/sbin/visudo -cf %s'
register: copy_sudoers_evolinux
- name: "Create evolinux-sudo group (Debian 9 or later)"
group:
name: "{{ evolinux_sudo_group }}"
system: yes
- name: "Add user to evolinux-sudo group (Debian 9 or later)"
user:
name: '{{ user.name }}'
groups: "{{ evolinux_sudo_group }}"
append: yes

15
evolinux-users/tasks/user.yml Normal file
View file

@ -0,0 +1,15 @@
---
- include: account.yml
- include: profile.yml
- include: ssh.yml
- include: sudo_jessie.yml
when: ansible_distribution_release == "jessie"
- include: sudo_stretch.yml
when: ansible_distribution_major_version | version_compare('9', '>=')
- meta: flush_handlers

0
admin-users/templates/sudoers_jessie.j2 → evolinux-users/templates/sudoers_jessie.j2
View file

4
admin-users/templates/sudoers_stretch.j2 → evolinux-users/templates/sudoers_stretch.j2
View file

@ -5,5 +5,5 @@ Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts
nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt
%evolinux-sudo ALL=(ALL:ALL) ALL
%evolinux-sudo ALL = NOPASSWD: MAINT
%{{ evolinux_sudo_group }} ALL=(ALL:ALL) ALL
%{{ evolinux_sudo_group }} ALL = NOPASSWD: MAINT

0
admin-users/tests/spec/admin-users_spec.rb → evolinux-users/tests/spec/evolinux-users_spec.rb
View file

4
admin-users/tests/test.yml → evolinux-users/tests/test.yml
View file

@ -2,7 +2,7 @@
- hosts: test-kitchen
vars:
admin_users:
evolinux_users:
foo:
name: foo
uid: 1001
@ -20,4 +20,4 @@
# state: directory
roles:
- role: admin-users
- role: evolinux-users

2
memcached/README.md
View file

@ -1,4 +1,4 @@
# PHP-FPM
# Memcached
Installation and basic configuration of memcached

1
nagios-nrpe/tasks/main.yml
View file

@ -17,6 +17,7 @@
dest: /etc/nagios/nrpe.d/evolix.cfg
group: nagios
mode: "0640"
force: no
notify: restart nagios-nrpe-server
- name: Nagios config is secured

2
packweb-apache/README.md
View file

@ -4,7 +4,7 @@ Install the web pack, with Apache.
## Tasks
Everything is in the `tasks/main.yml` file for now.
See `tasks/main.yml`.
## Available variables

2
postgresql/defaults/main.yml
View file

@ -9,4 +9,4 @@ postgresql_random_page_cost: 1.5
postgresql_effective_cache_size: "{{ (ansible_memtotal_mb * 0.5) | int }}MB"
# PostgreSQL version
postgresql_version: '9.4'
postgresql_version: '9.6'

7
postgresql/tasks/main.yml
View file

@ -1,9 +1,10 @@
---
- include: pgdg-repo.yml
when: postgresql_version != '9.4'
- include: packages_jessie.yml
when: ansible_distribution_release == "jessie"
- include: packages.yml
- include: packages_stretch.yml
when: ansible_distribution_major_version | version_compare('9', '>=')
- include: config.yml

11
postgresql/tasks/packages_jessie.yml Normal file
View file

@ -0,0 +1,11 @@
---
- include: pgdg-repo.yml
when: postgresql_version != '9.4'
- name: Install postgresql package
apt:
name: '{{item}}'
with_items:
- "postgresql-{{postgresql_version}}"
- ptop

2
postgresql/tasks/packages.yml → postgresql/tasks/packages_stretch.yml
View file

@ -4,5 +4,5 @@
apt:
name: '{{item}}'
with_items:
- "postgresql-{{postgresql_version}}"
- postgresql
- ptop

2
postgresql/templates/postgresql.conf
View file

@ -3,7 +3,7 @@ shared_buffers = {{ postgresql_shared_buffers }}
work_mem = {{ postgresql_work_mem }}
#shared_preload_libraries = 'pg_stat_statements'
#synchronous_commit = off
{% if postgresql_version |version_compare('9.5', '<') %}
{% if postgresql_version | version_compare('9.5', '<') %}
checkpoint_segments = 30
{% else %}
max_wal_size = 15GB

1
proftpd/files/vpasswd Normal file
View file

@ -0,0 +1 @@
# username:password:uid:gid:gecos:homedir:shell

9
proftpd/tasks/main.yml
View file

@ -32,3 +32,12 @@
notify: restart proftpd
tags:
- proftpd
- name: Put empty vpasswd file if missing
copy:
src: vpasswd
dest: /etc/proftpd/vpasswd
force: no
mode: "0440"
tags:
- proftpd

1
redis/README.md
View file

@ -16,6 +16,7 @@ Main variables are :
* `redis_conf_path`: config file location ;
* `redis_port`: listening TCP port ;
* `redis_bind_interface`: listening IP address ;
* `redis_password`: password for redis. Empty means no password ;
* `redis_unixsocket`: Unix socket ;
* `redis_loglevel`: log verbosity ;
* `redis_logfile`: log file location.

2
redis/defaults/main.yml
View file

@ -7,6 +7,8 @@ redis_bind_interface: 127.0.0.1
redis_unixsocket: '/var/run/redis/redis.sock'
redis_timeout: 300
redis_password: NULL
redis_loglevel: "notice"
redis_logfile: /var/log/redis/redis-server.log

5
redis/handlers/main.yml
View file

@ -8,3 +8,8 @@
service:
name: munin-node
state: restarted
- name: restart nagios-nrpe-server
service:
name: nagios-nrpe-server
state: restarted

14
redis/tasks/main.yml
View file

@ -1,8 +1,11 @@
---
- name: Redis is installed.
apt:
name: redis-server
name: "{{ item }}"
state: present
with_items:
- redis-server
- redis-tools
tags:
- redis
- packages
@ -31,3 +34,12 @@
- include: munin.yml
when: _munin_installed.stat.exists and _munin_installed.stat.isdir
- name: is NRPE present ?
stat:
path: /etc/nagios/nrpe.d/evolix.cfg
check_mode: no
register: nrpe_evolix_config
- include: nrpe_stretch.yml
when: ansible_distribution_release == "stretch" and nrpe_evolix_config.stat.exists == true

22
redis/tasks/munin.yml
View file

@ -60,3 +60,25 @@
- used_memory
notify: restart munin-node
tags: redis
- name: Count redis condif blocks in munin-node configuration
command: grep -c "\[redis_" /etc/munin/plugin-conf.d/munin-node
register: munin_redis_blocs_in_config
failed_when: False
changed_when: False
- name: Add redis password for munin (if no more than 1 config block)
ini_file:
dest: /etc/munin/plugin-conf.d/munin-node
section: 'redis_*'
option: env.password
value: '{{ redis_password }}'
notify: restart munin-node
when: "redis_password != '' and redis_password != None and {{munin_redis_blocs_in_config.stdout | int}} <= 1"
tags: redis
- name: Warn if multiple instance in munin-plugins configuration
debug:
msg: "WARNING - It seems you have multiple redis sections in your munin-node configuration - Munin config NOT changed"
when: "redis_password != '' and redis_password != None and {{munin_redis_blocs_in_config.stdout | int}} > 1 "

15
redis/tasks/nrpe_stretch.yml Normal file
View file

@ -0,0 +1,15 @@
---
- name: Install perl lib-redis (needed by check_redis)
apt:
name: libredis-perl
state: present
tags:
- redis
- nrpe
- name: Replace check_tcp by check_redis for NRPE
replace:
dest: /etc/nagios/nrpe.d/evolix.cfg
regexp: '^command\[check_redis\]=\/usr\/lib\/nagios\/plugins\/check_tcp -p 6379'
replace: 'command[check_redis]=/usr/lib/nagios/plugins/check_redis -H 127.0.0.1'
notify: restart nagios-nrpe-server

4
redis/templates/redis.conf.j2
View file

@ -7,6 +7,10 @@ bind {{ redis_bind_interface }}
unixsocket {{ redis_unixsocket }}
{% endif %}
{% if redis_password %}
requirepass {{ redis_password }}
{% endif %}
timeout {{ redis_timeout }}
loglevel {{ redis_loglevel }}