diff --git a/admin-users/defaults/main.yml b/admin-users/defaults/main.yml
deleted file mode 100644
index ad5f42cb..00000000
--- a/admin-users/defaults/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-admin_users: {}
-admin_users_group: adm
diff --git a/admin-users/tasks/admin_user.yml b/admin-users/tasks/admin_user.yml
deleted file mode 100644
index 329ce50e..00000000
--- a/admin-users/tasks/admin_user.yml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-
-- include: user.yml
-
-- include: profile.yml
-
-- include: ssh.yml
-
-- include: sudo.yml
-
-- meta: flush_handlers
diff --git a/admin-users/tasks/sudo.yml b/admin-users/tasks/sudo.yml
deleted file mode 100644
index e05ac614..00000000
--- a/admin-users/tasks/sudo.yml
+++ /dev/null
@@ -1,48 +0,0 @@
----
-
-- name: "Verify Evolinux sudoers file presence (jessie)"
- template:
- src: sudoers_jessie.j2
- dest: /etc/sudoers.d/evolinux
- force: no
- validate: '/usr/sbin/visudo -cf %s'
- register: copy_sudoers_evolinux
- when: ansible_distribution_release == "jessie"
-
-- name: "Verify Evolinux sudoers file presence (Debian 9 or later)"
- template:
- src: sudoers_stretch.j2
- dest: /etc/sudoers.d/evolinux
- force: no
- validate: '/usr/sbin/visudo -cf %s'
- register: copy_sudoers_evolinux
- when: ansible_distribution_major_version | version_compare('9', '>=')
-
-- name: "Verify Evolinux sudoers file permissions"
- file:
- path: /etc/sudoers.d/evolinux
- mode: "0440"
- state: file
-
-- name: "Add user in sudoers file for '{{ user.name }}' (jessie)"
- replace:
- dest: /etc/sudoers.d/evolinux
- regexp: '^(User_Alias\s+ADMINS\s+=((?!{{ user.name }}).)*)$'
- replace: '\1,{{ user.name }}'
- validate: '/usr/sbin/visudo -cf %s'
- when:
- - ansible_distribution_release == "jessie"
- - not copy_sudoers_evolinux.changed
-
-- name: "Create evolinux-sudo group (Debian 9 or later)"
- group:
- name: evolinux-sudo
- system: yes
- when: ansible_distribution_major_version | version_compare('9', '>=')
-
-- name: "Add user to evolinux-sudo group (Debian 9 or later)"
- user:
- name: '{{ user.name }}'
- groups: 'evolinux-sudo'
- append: yes
- when: ansible_distribution_major_version | version_compare('9', '>=')
diff --git a/apt/tasks/main.yml b/apt/tasks/main.yml
index 7bb8950e..af7980c8 100644
--- a/apt/tasks/main.yml
+++ b/apt/tasks/main.yml
@@ -19,9 +19,6 @@
tags:
- apt
-- debug:
- var: apt_install_evolix_public
-
- name: Install Evolix Public APT repository
include: evolix_public.yml
when: apt_install_evolix_public
diff --git a/drbd/README.md b/drbd/README.md
index 86ae3aa6..f08d30f4 100644
--- a/drbd/README.md
+++ b/drbd/README.md
@@ -5,23 +5,3 @@ Install tools to setup DRBD replication accross servers.
## Tasks
Everything is in the `tasks/main.yml` file.
-
-## Available variables
-
-The variable `admin_users` must be a "dict" of one or more users :
-
-```
-admin_users:
- foo:
- name: foo
- uid: 1001
- fullname: 'Mr Foo'
- password_hash: 'sdfgsdfgsdfgsdfg'
- ssh_key: 'ssh-rsa AZERTYXYZ'
- bar:
- name: bar
- uid: 1002
- fullname: 'Mr Bar'
- password_hash: 'gsdfgsdfgsdfgsdf'
- ssh_key: 'ssh-rsa QWERTYUIOP'
-```
diff --git a/evoacme/files/certbot.cron b/evoacme/files/certbot.cron
index a7c4eef2..eb2ddb3a 100755
--- a/evoacme/files/certbot.cron
+++ b/evoacme/files/certbot.cron
@@ -10,5 +10,5 @@
[ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt'
find "${CRT_DIR}" -maxdepth 1 -mindepth 1 -type d ! -path "*accounts" -exec basename {} \; | while read vhost; do
- evoacme "$vhost"
+ evoacme "$vhost"
done
diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh
index ffbf22ac..56f3f0e5 100755
--- a/evoacme/files/evoacme.sh
+++ b/evoacme/files/evoacme.sh
@@ -7,78 +7,109 @@ # Licence: AGPLv3 # +set -e + usage() { - echo "Usage: $0 NAME" - echo "" - echo "NAME must be correspond to :" - echo "- a CSR in ${CSR_DIR}/NAME.csr" - echo "- a KEY in ${SSL_KEY_DIR}/NAME.key" - echo "" + echo "Usage: $0 [ --cron ] NAME" + echo "" + echo "NAME must be correspond to :" + echo "- a CSR in ${CSR_DIR}/NAME.csr" + echo "- a KEY in ${SSL_KEY_DIR}/NAME.key" + echo "" } mkconf_apache() { - [ -f "/etc/apache2/ssl/${vhost}.conf" ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $CRT_DIR/${vhost}/live/fullchain.pem~" "/etc/apache2/ssl/${vhost}.conf" - apache2ctl -t 2>/dev/null && service apache2 reload + echo "Apache detected... first configuration" + [ -f "/etc/apache2/ssl/${vhost}.conf" ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $CRT_DIR/${vhost}/live/fullchain.pem~" "/etc/apache2/ssl/${vhost}.conf" + apache2ctl -t } mkconf_nginx() { - [ -f "/etc/nginx/ssl/${vhost}.conf" ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $CRT_DIR/${vhost}/live/fullchain.pem;~" "/etc/nginx/ssl/${vhost}.conf" - nginx -t 2>/dev/null && service nginx reload -} - -mkconf_haproxy() { - mkdir -p /etc/ssl/haproxy -m 700 - cat "$CRT_DIR/${vhost}/live/fullchain.pem" "$SSL_KEY_DIR/${vhost}.key" > "/etc/ssl/haproxy/${vhost}.pem" - [ -f "$DH_DIR/${vhost}.pem" ] && cat "$DH_DIR/${vhost}.pem" >> "/etc/ssl/haproxy/${vhost}.pem" - haproxy -c -f /etc/haproxy/haproxy.cfg >/dev/null && service haproxy reload + echo "Nginx detected... first configuration" + [ -f "/etc/nginx/ssl/${vhost}.conf" ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $CRT_DIR/${vhost}/live/fullchain.pem;~" "/etc/nginx/ssl/${vhost}.conf" + nginx -t } main() { - [ -f /etc/default/evoacme ] && . 
/etc/default/evoacme - [ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private' - [ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt' - [ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests' - [ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed' - [ -z "${DH_DIR}" ] && DH_DIR='/etc/ssl/dhparam' - [ -z "${LOG_DIR}" ] && LOG_DIR='/var/log/evoacme' - - [ "$#" -ne 1 ] && usage && exit 1 + [ -f /etc/default/evoacme ] && . /etc/default/evoacme + [ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR=/etc/ssl/private + [ -z "${ACME_DIR}" ] && ACME_DIR=/var/lib/letsencrypt + [ -z "${CSR_DIR}" ] && CSR_DIR=/etc/ssl/requests + [ -z "${CRT_DIR}" ] && CRT_DIR=/etc/letsencrypt + [ -z "${LOG_DIR}" ] && LOG_DIR=/var/log/evoacme + [ -z "${SSL_MINDAY}" ] && SSL_MINDAY=30 + [ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR=/etc/ssl/self-signed + [ -z "${DH_DIR}" ] && DH_DIR=etc/ssl/dhparam - vhost=$(basename "$1" .conf) + # misc verifications + [ "$1" = "-h" ] || [ "$1" = "--help" ] && usage && exit 0 + which openssl >/dev/null || ( echo "error: openssl command not installed" && exit 1 ) + which certbot >/dev/null || ( echo "error: certbot command not installed" && exit 1 ) + [ ! -d $ACME_DIR ] && echo "error: $ACME_DIR is not a directory" && exit 1 + [ ! -d $CSR_DIR ] && echo "error: $CSR_DIR is not a directory" && exit 1 + [ ! -d $LOG_DIR ] && echo "error: $LOG_DIR is not a directory" && exit 1 + [ "$#" -ge 3 ] || [ "$#" -le 0 ] && echo "error: invalid argument(s)" && usage && exit 1 + [ "$#" -eq 2 ] && [ "$1" != "--cron" ] && echo "error: invalid argument(s)" && usage && exit 1 - # Check master status for evoadmin-cluster - if [ -f "/home/${vhost}/state" ]; then - grep -q "STATE=master" "/home/${vhost}/state" || exit 0 - fi + [ "$#" -eq 1 ] && vhost=$(basename "$1" .conf) && CRON=NO + [ "$#" -eq 2 ] && vhost=$(basename "$2" .conf) && CRON=YES + + # verify .csr file + test ! -f "$CSR_DIR/${vhost}.csr" && echo "error: $CSR_DIR/${vhost}.csr absent" && exit 1 + test ! 
-r "$CSR_DIR/${vhost}.csr" && echo "error: $CSR_DIR/${vhost}.csr is not readable" && exit 1 + openssl req -noout -modulus -in "$CSR_DIR/${vhost}.csr" >/dev/null || ( echo "error: $CSR_DIR/${vhost}.csr is invalid" && exit 1 ) + [ "$CRON" = "NO" ] && echo "Using CSR file: $CSR_DIR/${vhost}.csr" + + # Hook for evoadmin-web in cluster mode : check master status + if [ -f "/home/${vhost}/state" ]; then + grep -q "STATE=master" "/home/${vhost}/state" || exit 0 + fi + + if [ -n "$SSL_EMAIL" ]; then + emailopt="-m $SSL_EMAIL" + else + emailopt="--register-unsafely-without-email" + fi + + DATE=$(date "+%Y%m%d") + [ ! -n "$DATE" ] && echo "error: invalid date" && exit 1 + + + # If live link already exists, it's not our first time... + if [ -h "$CRT_DIR/${vhost}/live" ]; then + openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/live/cert.crt" >/dev/null || ( echo "error: $CRT_DIR/${vhost}/live/cert.crt is invalid" && exit 1 ) + + # Verify if our certificate will expire + crt_end_date=$(openssl x509 -noout -enddate -in "$CRT_DIR/${vhost}/live/cert.crt" | cut -d= -f2) + date_renew=$(date -ud "$crt_end_date - $SSL_MINDAY days" +"%s") + date_today=$(date +'%s') + [ "$date_today" -lt "$date_renew" ] && ( [ "$CRON" = "NO" ] && echo "Cert $CRT_DIR/${vhost}/live/cert.crt expires at $crt_end_date => more than $SSL_MINDAY days: thxbye." || true ) && exit 0 + else + which apache2ctl >/dev/null && mkconf_apache + which nginx >/dev/null && mkconf_nginx + fi + + # renew certificate with certbot + [ -d "$CRT_DIR/${vhost}/${DATE}" ] && echo "error: $CRT_DIR/${vhost}/${DATE} directory already exists, remove it manually." 
&& exit 1 + mkdir -pm 755 "$CRT_DIR/${vhost}/${DATE}" + chown -R acme: "$CRT_DIR/${vhost}/${DATE}" + [ "$CRON" = "YES" ] && CERTBOT_OPTS="--quiet" + sudo -u acme certbot certonly $CERTBOT_OPTS --webroot --csr "$CSR_DIR/${vhost}.csr" --webroot-path "$ACME_DIR" -n --agree-tos --cert-path="$CRT_DIR/${vhost}/${DATE}/cert.crt" --fullchain-path="$CRT_DIR/${vhost}/${DATE}/fullchain.pem" --chain-path="$CRT_DIR/${vhost}/${DATE}/chain.pem" "$emailopt" --logs-dir "$LOG_DIR" 2>&1 | grep -v "certbot.crypto_util" + + # verify if all is right + openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/${DATE}/cert.crt" >/dev/null || ( echo "error: new $CRT_DIR/${vhost}/${DATE}/cert.crt is invalid" && exit 1 ) + openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/${DATE}/fullchain.pem" >/dev/null || ( echo "error: new $CRT_DIR/${vhost}/${DATE}/fullchain.pem is invalid" && exit 1 ) + openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/${DATE}/chain.pem" >/dev/null || ( echo "error: new $CRT_DIR/${vhost}/${DATE}/chain.pem is invalid" && exit 1 ) + + # link dance + [ -h "$CRT_DIR/${vhost}/live" ] && rm "$CRT_DIR/${vhost}/live" + ln -s "$CRT_DIR/${vhost}/${DATE}" "$CRT_DIR/${vhost}/live" + openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/live/cert.crt" >/dev/null || ( echo "error: new $CRT_DIR/{vhost}/live/cert.crt is invalid" && exit 1 ) + + # reload apache or nginx (TODO: need improvments) + pidof apache2 >/dev/null && apache2ctl -t 2>/dev/null && ( [ "$CRON" = "NO" ] && echo "Apache detected... reloading" || true ) && systemctl reload apache2 + pidof nginx >/dev/null && nginx -t 2>/dev/null && ( [ "$CRON" = "NO" ] && echo "Nginx detected... 
reloading" || true ) && systemctl reload apache2 - SSL_EMAIL=$(grep emailAddress "${CRT_DIR}/openssl.cnf"|cut -d'=' -f2|xargs) - if [ -n "$SSL_EMAIL" ]; then - emailopt="-m $SSL_EMAIL" - else - emailopt="--register-unsafely-without-email" - fi - DATE=$(date "+%Y%m%d") - - if [ -h "$CRT_DIR/${vhost}/live" ]; then - crt_end_date=$(openssl x509 -noout -enddate -in "$CRT_DIR/${vhost}/live/cert.crt"|sed -e "s/.*=//") - date_crt=$(date -ud "$crt_end_date" +"%s") - date_today=$(date +'%s') - date_diff=$(((date_crt - date_today) / (60*60*24))) - [ "$date_diff" -ge "$SSL_MINDAY" ] && exit 0 - fi - rm -rf "$CRT_DIR/${vhost}/${DATE}" - mkdir -pm 755 "$CRT_DIR/${vhost}/${DATE}" - chown -R acme: "$CRT_DIR/${vhost}" - sudo -u acme certbot certonly --quiet --webroot --csr "$CSR_DIR/${vhost}.csr" --webroot-path "$ACME_DIR" -n --agree-tos --cert-path="$CRT_DIR/${vhost}/${DATE}/cert.crt" --fullchain-path="$CRT_DIR/${vhost}/${DATE}/fullchain.pem" --chain-path="$CRT_DIR/${vhost}/${DATE}/chain.pem" "$emailopt" --logs-dir "$LOG_DIR" 2>&1 | grep -v "certbot.crypto_util" - if [ -f "$CRT_DIR/${vhost}/${DATE}/fullchain.pem" ]; then - rm -f "$CRT_DIR/${vhost}/live" - ln -s "$CRT_DIR/${vhost}/${DATE}" "$CRT_DIR/${vhost}/live" - which apache2ctl >/dev/null && mkconf_apache - which nginx >/dev/null && mkconf_nginx - which haproxy >/dev/null && mkconf_haproxy - else - rmdir "$CRT_DIR/${vhost}/${DATE}" - fi } main "$@" diff --git a/evoacme/files/make-csr.sh b/evoacme/files/make-csr.sh index 844847ab..5338ba2c 100755 --- a/evoacme/files/make-csr.sh +++ b/evoacme/files/make-csr.sh 
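Review bot: The nginx reload branch at the very end of main() finishes with `systemctl reload apache2`, so after a renewal nginx keeps serving the old certificate; that line should end with `systemctl reload nginx`. Two smaller defects in the same hunk: the new default `DH_DIR=etc/ssl/dhparam` is missing its leading `/` (DH_DIR looks unused now that mkconf_haproxy is gone, but the relative path will surprise whoever reuses it), and `sudo -u acme certbot ... 2>&1 | grep -v "certbot.crypto_util"` yields grep's exit status, so a certbot failure escapes the new `set -e` and is only caught indirectly by the later `openssl x509` checks (those `( ... && exit 1 )` subshells terminate the script only because they sit last in an `||` list). Passing `"$emailopt"` as one quoted word also hands certbot a single argument containing both `-m` and the address instead of two; that is pre-existing, but worth splitting while the option handling is being reworked.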
@@ -8,143 +8,143 @@ # get_domains() { - echo "$vhostfile"|grep -q nginx - if [ "$?" -eq 0 ]; then - domains=$(grep -oE "^( )*[^#]+" "$vhostfile" |grep -oE "[^\$]server_name.*;$"|sed 's/server_name//'|tr -d ';'|sed 's/\s\{1,\}//'|sed 's/\s\{1,\}/\n/g'|sort|uniq) - fi - - echo "$vhostfile" |grep -q apache2 - if [ "$?" -eq 0 ]; then - domains=$(grep -oE "^( )*[^#]+" "$vhostfile" |grep -oE "(ServerName|ServerAlias).*"|sed 's/ServerName//'|sed 's/ServerAlias//'|sed 's/\s\{1,\}//'|sort|uniq) - fi - valid_domains="" - nb=0 - - echo "Valid(s) domain(s) in $vhost :" - for domain in $domains; do - real_ip=$(dig +short "$domain"|grep -oE "([0-9]+\.){3}[0-9]+") - for ip in $(echo "$SRV_IP"|xargs -n1); do - if [ "${ip}" = "${real_ip}" ]; then - valid_domains="$valid_domains $domain" - nb=$(( nb + 1 )) - echo "* $domain -> $real_ip" - fi - done - done - - if [ "$nb" -eq 0 ]; then - nb=$(echo "$domains"|wc -l) - echo "* No valid domain found" - echo "All following(s) domain(s) will be used for CSR creation :" - for domain in $domains; do - echo "* $domain" - done - else - domains="$valid_domains" - fi - domains=$(echo "$domains"|xargs -n1) + echo "$vhostfile"|grep -q nginx + if [ "$?" -eq 0 ]; then + domains=$(grep -oE "^( )*[^#]+" "$vhostfile" |grep -oE "[^\$]server_name.*;$"|sed 's/server_name//'|tr -d ';'|sed 's/\s\{1,\}//'|sed 's/\s\{1,\}/\n/g'|sort|uniq) + fi + + echo "$vhostfile" |grep -q apache2 + if [ "$?" 
-eq 0 ]; then + domains=$(grep -oE "^( )*[^#]+" "$vhostfile" |grep -oE "(ServerName|ServerAlias).*"|sed 's/ServerName//'|sed 's/ServerAlias//'|sed 's/\s\{1,\}//'|sort|uniq) + fi + valid_domains="" + nb=0 + + echo "Valid(s) domain(s) in $vhost :" + for domain in $domains; do + real_ip=$(dig +short "$domain"|grep -oE "([0-9]+\.){3}[0-9]+") + for ip in $(echo "$SRV_IP"|xargs -n1); do + if [ "${ip}" = "${real_ip}" ]; then + valid_domains="$valid_domains $domain" + nb=$(( nb + 1 )) + echo "* $domain -> $real_ip" + fi + done + done + + if [ "$nb" -eq 0 ]; then + nb=$(echo "$domains"|wc -l) + echo "* No valid domain found" + echo "All following(s) domain(s) will be used for CSR creation :" + for domain in $domains; do + echo "* $domain" + done + else + domains="$valid_domains" + fi + domains=$(echo "$domains"|xargs -n1) } make_key() { - openssl genrsa -out "$SSL_KEY_DIR/${vhost}.key" "$SSL_KEY_SIZE" 2>/dev/null - chown root: "$SSL_KEY_DIR/${vhost}.key" - chmod 600 "$SSL_KEY_DIR/${vhost}.key" + openssl genrsa -out "$SSL_KEY_DIR/${vhost}.key" "$SSL_KEY_SIZE" 2>/dev/null + chown root: "$SSL_KEY_DIR/${vhost}.key" + chmod 600 "$SSL_KEY_DIR/${vhost}.key" } make_csr() { - domains="$1" - nb=$(echo "$domains"|wc -l) - config_file="/tmp/make-csr-${vhost}.conf" + domains="$1" + nb=$(echo "$domains"|wc -l) + config_file="/tmp/make-csr-${vhost}.conf" - mkdir -p "$CSR_DIR" -m 0755 - - if [ "$nb" -eq 1 ]; then - cat /etc/letsencrypt/openssl.cnf - > "$config_file" < "$config_file" < "$config_file" < "$config_file" < "$CSR_DIR/${vhost}.csr" - fi - - if [ -f "$CSR_DIR/${vhost}.csr" ]; then - chmod 644 "$CSR_DIR/${vhost}.csr" - mkdir -p "$SELF_SIGNED_DIR" -m 0755 - openssl x509 -req -sha256 -days 365 -in "$CSR_DIR/${vhost}.csr" -signkey "$SSL_KEY_DIR/${vhost}.key" -out "$SELF_SIGNED_DIR/${vhost}.pem" - [ -f "$SELF_SIGNED_DIR/${vhost}.pem" ] && chmod 644 "$SELF_SIGNED_DIR/${vhost}.pem" - fi + openssl req -new -sha256 -key "$SSL_KEY_DIR/${vhost}.key" -reqexts SAN -config "$config_file" > 
"$CSR_DIR/${vhost}.csr" + fi + + if [ -f "$CSR_DIR/${vhost}.csr" ]; then + chmod 644 "$CSR_DIR/${vhost}.csr" + mkdir -p "$SELF_SIGNED_DIR" -m 0755 + openssl x509 -req -sha256 -days 365 -in "$CSR_DIR/${vhost}.csr" -signkey "$SSL_KEY_DIR/${vhost}.key" -out "$SELF_SIGNED_DIR/${vhost}.pem" + [ -f "$SELF_SIGNED_DIR/${vhost}.pem" ] && chmod 644 "$SELF_SIGNED_DIR/${vhost}.pem" + fi } mkconf_apache() { - mkdir -p /etc/apache2/ssl - if [ ! -f "/etc/apache2/ssl/${vhost}.conf" ]; then - cat > "/etc/apache2/ssl/${vhost}.conf" < "/etc/apache2/ssl/${vhost}.conf" < "/etc/nginx/ssl/${vhost}.conf" < "/etc/nginx/ssl/${vhost}.conf" <&2 - exit 1 - fi - vhost=$(basename "$1" .conf) - local_ip=$(ip a|grep brd|cut -d'/' -f1|grep -oE "([0-9]+\.){3}[0-9]+") + if [ "$#" -ne 1 ]; then + echo "You need to provide one argument !" >&2 + exit 1 + fi + vhost=$(basename "$1" .conf) + local_ip=$(ip a|grep brd|cut -d'/' -f1|grep -oE "([0-9]+\.){3}[0-9]+") - [ -f /etc/default/evoacme ] && . /etc/default/evoacme - [ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private' - [ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests' - [ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt' - [ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed' - SSL_KEY_SIZE=$(grep default_bits /etc/letsencrypt/openssl.cnf|cut -d'=' -f2|xargs) - [ -n "${SRV_IP}" ] && SRV_IP="${SRV_IP} $local_ip" || SRV_IP="$local_ip" - - vhostfile=$(ls "/etc/nginx/sites-enabled/${vhost}" "/etc/nginx/sites-enabled/${vhost}.conf" "/etc/apache2/sites-enabled/${vhost}" "/etc/apache2/sites-enabled/${vhost}.conf" 2>/dev/null|head -n1) - - if [ ! -h "$vhostfile" ]; then - echo "$vhost is not a valid virtualhost !" >&2 - exit 1 - fi + [ -f /etc/default/evoacme ] && . 
/etc/default/evoacme + [ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private' + [ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests' + [ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt' + [ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed' + SSL_KEY_SIZE=$(grep default_bits /etc/letsencrypt/openssl.cnf|cut -d'=' -f2|xargs) + [ -n "${SRV_IP}" ] && SRV_IP="${SRV_IP} $local_ip" || SRV_IP="$local_ip" + + vhostfile=$(ls "/etc/nginx/sites-enabled/${vhost}" "/etc/nginx/sites-enabled/${vhost}.conf" "/etc/apache2/sites-enabled/${vhost}" "/etc/apache2/sites-enabled/${vhost}.conf" 2>/dev/null|head -n1) + + if [ ! -h "$vhostfile" ]; then + echo "$vhost is not a valid virtualhost !" >&2 + exit 1 + fi - if [ -f "$SSL_KEY_DIR/${vhost}.key" ]; then - echo "$vhost key already exist, overwrite it ? (y)" - read REPLY - [ "$REPLY" = "Y" ] || [ "$REPLY" = "y" ] || exit 0 - rm -f "/etc/apache2/ssl/${vhost}.conf /etc/nginx/ssl/${vhost}.conf" - [ -h "${CRT_DIR}/${vhost}/live" ] && rm "${CRT_DIR}/${vhost}/live" - fi + if [ -f "$SSL_KEY_DIR/${vhost}.key" ]; then + echo "$vhost key already exist, overwrite it ? (y)" + read REPLY + [ "$REPLY" = "Y" ] || [ "$REPLY" = "y" ] || exit 0 + rm -f "/etc/apache2/ssl/${vhost}.conf /etc/nginx/ssl/${vhost}.conf" + [ -h "${CRT_DIR}/${vhost}/live" ] && rm "${CRT_DIR}/${vhost}/live" + fi - get_domains - make_key - make_csr "$domains" - which apache2ctl >/dev/null && mkconf_apache + get_domains + make_key + make_csr "$domains" + which apache2ctl >/dev/null && mkconf_apache which nginx >/dev/null && mkconf_nginx } diff --git a/evoacme/tasks/certbot.yml b/evoacme/tasks/certbot.yml index 20658ec2..88f0eb5b 100644 --- a/evoacme/tasks/certbot.yml +++ b/evoacme/tasks/certbot.yml 
@@ -42,6 +42,18 @@
path: /usr/local/bin/certbot
state: absent
+- name: stat /etc/cron.d/certbot
+ stat:
+ path: /etc/cron.d/certbot
+ register: etc_cron_d_certbot
+
+- name: Rename certbot dpkg cron to .disabled
+ copy:
+ remote_src: True
+ src: /etc/cron.d/certbot
+ dest: /etc/cron.d/certbot.disabled
+ when: etc_cron_d_certbot.stat.exists
+
- name: Remove certbot dpkg cron
file:
path: /etc/cron.d/certbot
diff --git a/evoacme/tasks/conf.yml b/evoacme/tasks/conf.yml
index b39b5384..4d9f6704 100644
--- a/evoacme/tasks/conf.yml
+++ b/evoacme/tasks/conf.yml
@@ -1,6 +1,6 @@
---
- ini_file:
- dest: /etc/letsencrypt/openssl.cnf
+ dest: "{{ evoacme_crt_dir }}/openssl.cnf"
section: 'req'
option: "{{ item.name }}"
value: "{{ item.var }}"
diff --git a/evoacme/tasks/main.yml b/evoacme/tasks/main.yml
index beac178e..6bc21a02 100644
--- a/evoacme/tasks/main.yml
+++ b/evoacme/tasks/main.yml
@@ -13,7 +13,17 @@
- include: scripts.yml
-- include: webserver.yml
+- name: Determine Apache presence
+ stat:
+ path: /etc/apache2/apache2.conf
+ check_mode: no
+ register: sta
+
+- name: Determine Nginx presence
+ stat:
+ path: /etc/nginx/nginx.conf
+ check_mode: no
+ register: stn
- include: apache.yml
when: sta.stat.isreg is defined and sta.stat.isreg
diff --git a/evoacme/tasks/scripts.yml b/evoacme/tasks/scripts.yml
index 01e61fdb..b1ebe473 100644
--- a/evoacme/tasks/scripts.yml
+++ b/evoacme/tasks/scripts.yml
@@ -9,7 +9,7 @@
- name: Copy make-csr.sh script
copy:
- src: files/make-csr.sh
+ src: make-csr.sh
dest: /usr/local/sbin/make-csr
owner: root
group: root
@@ -17,7 +17,7 @@
- name: Copy evoacme script
copy:
- src: files/evoacme.sh
+ src: evoacme.sh
dest: /usr/local/sbin/evoacme
owner: root
group: root
diff --git a/evoacme/tasks/webserver.yml b/evoacme/tasks/webserver.yml
deleted file mode 100644
index 8092aa98..00000000
--- a/evoacme/tasks/webserver.yml
+++ /dev/null
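Review bot: In conf.yml, `dest: "{{ evoacme_crt_dir }}/openssl.cnf"` makes the openssl.cnf location configurable, but the scripts this same role installs still hardcode `/etc/letsencrypt/openssl.cnf` (make-csr.sh in the hunk above reads `default_bits` from it and pipes it into `openssl req`), so any non-default `evoacme_crt_dir` leaves the role editing a file the scripts never read. Assuming `evoacme_crt_dir` is defined in the role defaults outside this diff, either template that path into the scripts as well or add a comment on this task, e.g. `# must stay in sync with the path hardcoded in files/make-csr.sh`, so the two do not drift further.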
@@ -1,12 +0,0 @@
----
-- name: Determine Nginx presence
- stat:
- path: /etc/nginx/nginx.conf
- check_mode: no
- register: stn
-
-- name: Determine Apache presence
- stat:
- path: /etc/apache2/apache2.conf
- check_mode: no
- register: sta
diff --git a/evolinux-base/README.md b/evolinux-base/README.md
index 8ef7a70e..570e2313 100644
--- a/evolinux-base/README.md
+++ b/evolinux-base/README.md
@@ -36,6 +36,6 @@ Main variables are:
* `evolinux_additional_packages`: optional additional packages to install (default: `[]`)
* `evolinux_postfix_purge_exim`: purge Exim packages (default: `True`) ;
* `evolinux_ssh_password_auth_addresses`: list of addresses that can authenticate with a password (default: `[]`)
-* `evolinux_ssh_disable_root`: disable SSH access for root (default: `True`)
+* `evolinux_ssh_disable_root`: disable SSH access for root (default: `False`)
The full list of variables (with default values) can be found in `defaults/main.yml`.
diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml
index e0c91fd1..174fc2d0 100644
--- a/evolinux-base/defaults/main.yml
+++ b/evolinux-base/defaults/main.yml
@@ -10,6 +10,21 @@ logcheck_alert_email: Null
raid_alert_email: Null
postfix_alias_email: Null
+# apt
+
+evolinux_apt_include: True
+
+evolinux_apt_conf: True
+evolinux_apt_hooks: True
+evolinux_apt_replace_default_sources: True
+evolinux_apt_public_sources: True
+evolinux_apt_upgrade: True
+evolinux_apt_remove_aptitude: True
+
+# etc-git
+
+evolinux_etcgit_include: True
+
# hostname
evolinux_hostname_include: True
@@ -31,17 +46,6 @@ evolinux_kernel_disable_tcp_timestamps: True
evolinux_kernel_reduce_swapiness: True
evolinux_kernel_cve20165696: True
-# apt
-
-evolinux_apt_include: True
-
-evolinux_apt_conf: True
-evolinux_apt_hooks: True
-evolinux_apt_replace_default_sources: True
-evolinux_apt_public_sources: True
-evolinux_apt_upgrade: True
-evolinux_apt_remove_aptitude: True
-
# fstab
evolinux_fstab_include: True
@@ -96,6 +100,22 @@ evolinux_system_alert5_init: True
evolinux_system_alert5_enable: True
evolinux_system_eni_auto: True
+# evomaintenance
+
+evolinux_evomaintenance_include: True
+
+# ssh
+
+evolinux_ssh_include: True
+
+evolinux_ssh_password_auth_addresses: []
+evolinux_ssh_match_address: True
+evolinux_ssh_disable_acceptenv: True
+
+# evolinux users
+
+evolinux_users_include: True
+
# root
evolinux_root_include: True
@@ -108,15 +128,7 @@ evolinux_root_gitconfig: True
evolinux_root_bash_history_appendonly: True
evolinux_root_vim_default: True
evolinux_root_vim_conf: True
-
-# ssh
-
-evolinux_ssh_include: True
-
-evolinux_ssh_password_auth_addresses: []
-evolinux_ssh_match_address: True
-evolinux_ssh_disable_root: True
-evolinux_ssh_disable_acceptenv: True
+evolinux_root_disable_ssh: True
# postfix
diff --git a/evolinux-base/files/alert5.service b/evolinux-base/files/alert5.service
new file mode 100644
index 00000000..ea560a51
--- /dev/null
+++ b/evolinux-base/files/alert5.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Evolix alert5 script
+
+[Service]
+Type=oneshot
+ExecStart=/usr/share/scripts/alert5.sh
+
+[Install]
+WantedBy=multi-user.target
diff --git a/evolinux-base/meta/main.yml b/evolinux-base/meta/main.yml
index 2d640995..2b6aed3c 100644
--- a/evolinux-base/meta/main.yml
+++ b/evolinux-base/meta/main.yml
@@ -12,6 +12,7 @@ galaxy_info:
- name: Debian
versions:
- jessie
+ - stretch
dependencies: []
# List your role dependencies here, one per line.
diff --git a/evolinux-base/tasks/fstab.yml b/evolinux-base/tasks/fstab.yml
index 6c8b122a..9baa8a70 100644
--- a/evolinux-base/tasks/fstab.yml
+++ b/evolinux-base/tasks/fstab.yml
@@ -16,7 +16,7 @@
replace: '\1{{ evolinux_fstab_home_options | mandatory }}\3'
notify: remount /home
when:
- - "' /home ' in fstab_content.stdout"
+ - fstab_content.stdout | regex_search('\s/home\s')
- evolinux_fstab_home
- name: /tmp partition is customized
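Review bot: `evolinux_root_disable_ssh: True` replaces the removed `evolinux_ssh_disable_root`, but the README hunk in this same commit still documents the old name and now states its default as `False`, while this file defaults the new name to `True`; the README should name `evolinux_root_disable_ssh` and carry the real default. Existing inventories that set `evolinux_ssh_disable_root: False` to keep root login will be silently ignored and root SSH access disabled on the next run, which is a lockout risk worth stating here, e.g. `# renamed from evolinux_ssh_disable_root; root.yml sets "PermitRootLogin no" when true`.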
@@ -25,7 +25,7 @@
regexp: '([^#]\s+/tmp\s+\S+\s+)([a-z,]+)(\s+)'
replace: '\1{{ evolinux_fstab_tmp_options | mandatory }}\3'
when:
- - "' /tmp ' in fstab_content.stdout"
+ - fstab_content.stdout | regex_search('\s/tmp\s')
- evolinux_fstab_tmp
- name: /usr partition is customized
@@ -34,7 +34,7 @@
regexp: '([^#]\s+/usr\s+\S+\s+)([a-z,]+)(\s+)'
replace: '\1{{ evolinux_fstab_usr_options | mandatory }}\3'
when:
- - "' /usr ' in fstab_content.stdout"
+ - fstab_content.stdout | regex_search('\s/usr\s')
- evolinux_fstab_usr
- name: /var partition is customized
@@ -44,7 +44,7 @@
replace: '\1{{ evolinux_fstab_var_options | mandatory }}\3'
notify: remount /var
when:
- - "' /var ' in fstab_content.stdout"
+ - fstab_content.stdout | regex_search('\s/var\s')
- evolinux_fstab_var
- name: /var/tmp is created
diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml
index 5c1ad594..b400e334 100644
--- a/evolinux-base/tasks/main.yml
+++ b/evolinux-base/tasks/main.yml
@@ -5,6 +5,15 @@
when:
- ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<')
+- name: Apt configuration
+ include: apt.yml
+ when: evolinux_apt_include
+
+- name: /etc versioning with Git
+ include_role:
+ name: etc-git
+ when: evolinux_etcgit_include
+
- name: Hostname
include: hostname.yml
when: evolinux_hostname_include
@@ -13,10 +22,6 @@
include: kernel.yml
when: evolinux_kernel_include
-- name: Apt configuration and packages install
- include: apt.yml
- when: evolinux_apt_include
-
- name: Fstab configuration
include: fstab.yml
when: evolinux_fstab_include
@@ -29,14 +34,24 @@
include: system.yml
when: evolinux_system_include
-- name: Root user configuration
- include: root.yml
- when: evolinux_root_include
+- name: Evomaintenance
+ include_role:
+ name: evomaintenance
+ when: evolinux_evomaintenance_include
- name: SSH configuration
include: ssh.yml
when: evolinux_ssh_include
+- name: Create evolinux users
+ include_role:
+ name: evolinux-users
+ when: evolinux_users_include
+
+- name: Root user configuration
+ include: root.yml
+ when: evolinux_root_include
+
- name: Postfix
include: postfix.yml
when: evolinux_postfix_include
diff --git a/evolinux-base/tasks/postfix.yml b/evolinux-base/tasks/postfix.yml
index 9aad67e4..84bb06a2 100644
--- a/evolinux-base/tasks/postfix.yml
+++ b/evolinux-base/tasks/postfix.yml
@@ -1,6 +1,6 @@
---
-- name: packages are installed
+- name: Postfix packages are installed
apt:
name: "{{ item }}"
state: present
diff --git a/evolinux-base/tasks/root.yml b/evolinux-base/tasks/root.yml
index ffe64fe1..4c66324a 100644
--- a/evolinux-base/tasks/root.yml
+++ b/evolinux-base/tasks/root.yml
@@ -80,4 +80,12 @@
- "set shiftwidth=4"
when: evolinux_root_vim_conf
+- name: disable SSH access for root
+ replace:
+ dest: /etc/ssh/sshd_config
+ regexp: '^PermitRootLogin (yes|without-password)'
+ replace: "PermitRootLogin no"
+ notify: reload sshd
+ when: evolinux_root_disable_ssh
+
- meta: flush_handlers
diff --git a/evolinux-base/tasks/ssh.yml b/evolinux-base/tasks/ssh.yml
index 2b7273b5..8094d8bc 100644
--- a/evolinux-base/tasks/ssh.yml
+++ b/evolinux-base/tasks/ssh.yml
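Review bot: In root.yml, `regexp: '^PermitRootLogin (yes|without-password)'` only rewrites an active directive with those two values, so a sshd_config whose `PermitRootLogin` line is commented out or spelled `prohibit-password` (the form OpenSSH 7.0+ uses; the stretch default config ships it commented) is left untouched and the task reports ok while key-based root login stays allowed. A `lineinfile` with `regexp: '^#?PermitRootLogin '` and `line: 'PermitRootLogin no'` covers all three cases, and `validate: '/usr/sbin/sshd -T -f %s'` — which the tasks removed from ssh.yml in this commit had — should be kept so a malformed config never reaches the `reload sshd` handler. Note also that with this commit's defaults (`evolinux_users: {}`, `evolinux_root_disable_ssh: True`) a run that defines no users disables root SSH without creating any other account; the new ordering in main.yml (users before root) only helps when users are actually supplied, which deserves a comment on this task.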
@@ -17,48 +17,6 @@
notify: reload sshd
when: not evolinux_ssh_password_auth_addresses == []
-# - name: verify Match Address directive
-# command: "grep 'Match Address' /etc/ssh/sshd_config"
-# changed_when: False
-# failed_when: False
-# check_mode: no
-# register: grep_matchaddress_ssh
-#
-# - name: Add Match Address sshd directive
-# lineinfile:
-# dest: /etc/ssh/sshd_config
-# line: "\nMatch Address {{ evolinux_ssh_password_auth_addresses | join(',') }}\n PasswordAuthentication yes"
-# insertafter: '# +ForceCommand cvs server'
-# validate: '/usr/sbin/sshd -T -f %s'
-# notify: reload sshd
-# when: evolinux_ssh_match_address and grep_matchaddress_ssh.rc != 0 and evolinux_ssh_password_auth_addresses != []
-#
-# - name: Modify Match Address sshd directive
-# replace:
-# dest: /etc/ssh/sshd_config
-# regexp: '^(Match Address ((?!{{ item }}).)*)$'
-# replace: '\1,{{ item }}'
-# validate: '/usr/sbin/sshd -T -f %s'
-# with_items: "{{ evolinux_ssh_password_auth_addresses }}"
-# notify: reload sshd
-# when: evolinux_ssh_match_address and grep_matchaddress_ssh.rc == 0
-#
-# - name: Add Match Group sudo without password
-# lineinfile:
-# dest: /etc/ssh/sshd_config
-# line: "\nMatch Group sudo\n PasswordAuthentication no"
-# insertbefore: '^Match Address'
-# validate: '/usr/sbin/sshd -T -f %s'
-# notify: reload sshd
-
-- name: disable SSH access for root
- replace:
- dest: /etc/ssh/sshd_config
- regexp: '^PermitRootLogin (yes|without-password)'
- replace: "PermitRootLogin no"
- notify: reload sshd
- when: evolinux_ssh_disable_root
-
# We disable AcceptEnv because it can be a security issue, but also because we
# do not want clients to push their environment variables like LANG.
- name: disable AcceptEnv in ssh config
diff --git a/evolinux-base/tasks/system.yml b/evolinux-base/tasks/system.yml
index 261ef1a9..2102765b 100644
--- a/evolinux-base/tasks/system.yml
+++ b/evolinux-base/tasks/system.yml
@@ -116,29 +116,56 @@
## alert5
-- name: Install alert5 init script
+- name: Install alert5 init script (jessie/stretch)
template:
- src: system/init_alert5.j2
+ src: system/alert5.sysvinit.j2
dest: /etc/init.d/alert5
force: no
mode: "0755"
- when: evolinux_system_alert5_init
+ when:
+ - evolinux_system_alert5_init
+ - ansible_distribution_release == "jessie" or ansible_distribution_release == "stretch"
-
-#TODO: switch service/systemd modules with Ansible 2.2+
-
-- name: Enable alert5 init script
+- name: Enable alert5 init script (jessie/stretch)
service:
name: alert5
enabled: yes
- when: evolinux_system_alert5_init and evolinux_system_alert5_enable
+ when:
+ - evolinux_system_alert5_init
+ - evolinux_system_alert5_enable
+ - ansible_distribution_release == "jessie" or ansible_distribution_release == "stretch"
-# - name: Enable alert5 init script
-# systemd:
-# name: alert5
-# daemon_reload: yes
-# enabled: yes
-# when: evolinux_system_alert5_init and evolinux_system_alert5_enable
+
+
+- name: Install alert5 init script (buster)
+ template:
+ src: system/alert5.sh.j2
+ dest: /usr/share/scripts/alert5.sh
+ force: no
+ mode: "0755"
+ when:
+ - evolinux_system_alert5_init
+ - ansible_distribution_major_version | version_compare('10', '>=')
+
+- name: Install alert5 service (buster)
+ copy:
+ src: alert5.service
+ dest: /etc/systemd/system/alert5.service
+ force: yes
+ mode: "0755"
+ when:
+ - evolinux_system_alert5_init
+ - ansible_distribution_major_version | version_compare('10', '>=')
+
+- name: Enable alert5 init script (buster)
+ systemd:
+ name: alert5
+ daemon_reload: yes
+ enabled: yes
+ when:
+ - evolinux_system_alert5_init
+ - evolinux_system_alert5_enable
+ - ansible_distribution_major_version | version_compare('10', '>=')
## network interfaces
diff --git a/evolinux-base/templates/system/alert5.sh.j2 b/evolinux-base/templates/system/alert5.sh.j2
new file mode 100644
index 00000000..7949af28
--- /dev/null
+++ b/evolinux-base/templates/system/alert5.sh.j2
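Review bot: The `Install alert5 service (buster)` task copies a systemd unit with `mode: "0755"`; a unit file is configuration read by systemd, not an executable, so `mode: "0644"` is the conventional and least-privilege choice (the `0755` on the `alert5.sh` template just above is the one that needs the execute bit). The template task also writes to `dest: /usr/share/scripts/alert5.sh` while nothing in this hunk creates `/usr/share/scripts`, so unless another task outside this diff does, the first run on a fresh buster host fails; a preceding `file: path: /usr/share/scripts state: directory` would make the dependency explicit. The three buster tasks repeat the same `evolinux_system_alert5_init` / `version_compare('10', '>=')` pair, which a single `block:` with that `when:` would express once.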
@@ -0,0 +1,7 @@ +#!/bin/sh + +## sends a mail when booting +date | mail -s'boot/reboot' {{ reboot_alert_email or general_alert_email | mandatory }} + +## starts the firewall +#/etc/init.d/minifirewall start diff --git a/evolinux-base/templates/system/init_alert5.j2 b/evolinux-base/templates/system/alert5.sysvinit.j2 similarity index 100% rename from evolinux-base/templates/system/init_alert5.j2 rename to evolinux-base/templates/system/alert5.sysvinit.j2 diff --git a/admin-users/.kitchen.yml b/evolinux-users/.kitchen.yml similarity index 92% rename from admin-users/.kitchen.yml rename to evolinux-users/.kitchen.yml index f9ea107a..0c97cc85 100644 --- a/admin-users/.kitchen.yml +++ b/evolinux-users/.kitchen.yml @@ -31,7 +31,7 @@ suites: playbook: ./tests/test.yml verifier: patterns: - - admin-users/tests/spec/admin-users_spec.rb + - evolinux-users/tests/spec/evolinux-users_spec.rb bundler_path: '/usr/local/bin' rspec_path: '/usr/local/bin' diff --git a/admin-users/README.md b/evolinux-users/README.md similarity index 50% rename from admin-users/README.md rename to evolinux-users/README.md index 68b0044d..439bd898 100644 --- a/admin-users/README.md +++ b/evolinux-users/README.md @@ -1,6 +1,6 @@ -# admin-users +# evolinux-users -Creates admin users accounts, based on a configuration data structure. +Creates evolinux users accounts, based on a configuration data structure. ## Tasks @@ -8,20 +8,26 @@ Everything is in the `tasks/main.yml` file. ## Available variables -The variable `admin_users` must be a "dict" of one or more users : +The variable `evolinux_users` must be a "dict" of one or more users : ``` -admin_users: +evolinux_users: foo: name: foo uid: 1001 fullname: 'Mr Foo' + groups: "baz" password_hash: 'sdfgsdfgsdfgsdfg' ssh_key: 'ssh-rsa AZERTYXYZ' bar: name: bar uid: 1002 fullname: 'Mr Bar' + groups: + - "baz" + - "qux" password_hash: 'gsdfgsdfgsdfgsdf' - ssh_key: 'ssh-rsa QWERTYUIOP' + ssh_keys: + - 'ssh-rsa QWERTYUIOP' + - 'ssh-ed25519 QWERTYUIOP' ``` 
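Review bot: In `{{ reboot_alert_email or general_alert_email | mandatory }}` the filter binds tighter than `or`, so `mandatory` guards only `general_alert_email`, and an undefined `reboot_alert_email` is evaluated bare by `or`, which with Ansible's strict undefined handling most likely raises instead of falling through. Spell the fallback out: `{{ (reboot_alert_email | default(general_alert_email)) | mandatory }}`, or `{{ (reboot_alert_email | default('')) or general_alert_email | mandatory }}` if an empty string should also fall back. The address is also interpolated unquoted into the shell command line; wrapping it as `'{{ ... }}'` keeps the shell from word-splitting it should the inventory value ever contain a space or metacharacter.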
diff --git a/evolinux-users/defaults/main.yml b/evolinux-users/defaults/main.yml new file mode 100644 index 00000000..f0947958 --- /dev/null +++ b/evolinux-users/defaults/main.yml @@ -0,0 +1,3 @@ +--- +evolinux_users: {} +evolinux_sudo_group: "evolinux-sudo" diff --git a/admin-users/handlers/main.yml b/evolinux-users/handlers/main.yml similarity index 100% rename from admin-users/handlers/main.yml rename to evolinux-users/handlers/main.yml diff --git a/admin-users/meta/main.yml b/evolinux-users/meta/main.yml similarity index 88% rename from admin-users/meta/main.yml rename to evolinux-users/meta/main.yml index 006768d3..9bae9e73 100644 --- a/admin-users/meta/main.yml +++ b/evolinux-users/meta/main.yml @@ -1,6 +1,6 @@ galaxy_info: author: Evolix - description: Creates admin users accounts. + description: Creates evolinux users accounts. issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues diff --git a/admin-users/tasks/user.yml b/evolinux-users/tasks/account.yml similarity index 72% rename from admin-users/tasks/user.yml rename to evolinux-users/tasks/account.yml index 94f1a0c3..1ed142f9 100644 --- a/admin-users/tasks/user.yml +++ b/evolinux-users/tasks/account.yml 
@@ -35,19 +35,22 @@ update_password: on_create when: loginisbusy.rc != 0 and uidisbusy.rc == 0 -- name: "Create {{ admin_users_group }} group (Debian 9 or later)" +- name: "Create secondary groups" group: - name: "{{ admin_users_group }}" - when: ansible_distribution_major_version | version_compare('9', '>=') + name: "{{ group }}" + with_items: "{{ user.groups }}" + loop_control: + loop_var: group + when: user.groups is defined -- name: "Add user to {{ admin_users_group }} group (Debian 9 or later)" +- name: "Add user '{{ user.name }}' to secondary groups" user: name: '{{ user.name }}' - groups: '{{ admin_users_group }}' + groups: "{{ user.groups }}" append: yes - when: ansible_distribution_major_version | version_compare('9', '>=') + when: user.groups is defined -- name: "Fix perms on homedirectory for '{{ user.name }}'" +- name: "Fix perms on home directory for '{{ user.name }}'" file: name: '/home/{{ user.name }}' mode: "0700" diff --git a/admin-users/tasks/main.yml b/evolinux-users/tasks/main.yml similarity index 52% rename from admin-users/tasks/main.yml rename to evolinux-users/tasks/main.yml index 6a1d1506..f168ae08 100644 --- a/admin-users/tasks/main.yml +++ b/evolinux-users/tasks/main.yml @@ -6,11 +6,11 @@ - ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<') - debug: - msg: "Warning: empty 'admin_users' variable, tasks will be skipped!" - when: admin_users == {} + msg: "Warning: empty 'evolinux_users' variable, tasks will be skipped!" + when: evolinux_users == {} -- include: admin_user.yml +- include: user.yml vars: user: "{{ item.value }}" - with_dict: "{{ admin_users }}" - when: admin_users != {} + with_dict: "{{ evolinux_users }}" + when: evolinux_users != {} diff --git a/admin-users/tasks/profile.yml b/evolinux-users/tasks/profile.yml similarity index 100% rename from admin-users/tasks/profile.yml rename to evolinux-users/tasks/profile.yml 
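Review bot: In `Create secondary groups`, `with_items: "{{ user.groups }}"` is not protected by `when: user.groups is defined` on older Ansible releases, where the loop is expanded before the per-item conditional is tested, so a user entry without `groups` fails on the undefined attribute instead of being skipped; newer releases defer that error until after the conditional, but `with_items: "{{ user.groups | default([]) }}"` is correct on both. The same pattern appears in `Add user's SSH public keys` in evolinux-users/tasks/ssh.yml (`with_items: "{{ user.ssh_keys }}"`). Note also that the README example allows `groups: "baz"` as a plain string; `with_items` on a string yields that one item, which works, but a comma-separated `"baz,qux"` would be handed to the `group` module as a single group name, so a comment stating that a list is expected for several groups would help.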
diff --git a/admin-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml similarity index 86% rename from admin-users/tasks/ssh.yml rename to evolinux-users/tasks/ssh.yml index d74a51f2..85d01a8b 100644 --- a/admin-users/tasks/ssh.yml +++ b/evolinux-users/tasks/ssh.yml @@ -14,6 +14,17 @@ user: "{{ user.name }}" key: "{{ user.ssh_key }}" state: present + when: user.ssh_key is defined + +- name: "Add user's SSH public keys for '{{ user.name }}'" + authorized_key: + user: "{{ user.name }}" + key: "{{ ssk_key }}" + state: present + with_items: "{{ user.ssh_keys }}" + loop_control: + loop_var: ssk_key + when: user.ssh_keys is defined # we must double-escape caracters, because python - name: verify AllowUsers directive diff --git a/evolinux-users/tasks/sudo_jessie.yml b/evolinux-users/tasks/sudo_jessie.yml new file mode 100644 index 00000000..f675954e --- /dev/null +++ b/evolinux-users/tasks/sudo_jessie.yml @@ -0,0 +1,18 @@ +--- + +- name: "Verify Evolinux sudoers file presence (jessie)" + template: + src: sudoers_jessie.j2 + dest: /etc/sudoers.d/evolinux + force: no + mode: "0440" + validate: '/usr/sbin/visudo -cf %s' + register: copy_sudoers_evolinux + +- name: "Add user in sudoers file for '{{ user.name }}' (jessie)" + replace: + dest: /etc/sudoers.d/evolinux + regexp: '^(User_Alias\s+ADMINS\s+=((?!{{ user.name }}).)*)$' + replace: '\1,{{ user.name }}' + validate: '/usr/sbin/visudo -cf %s' + when: not copy_sudoers_evolinux.changed diff --git a/evolinux-users/tasks/sudo_stretch.yml b/evolinux-users/tasks/sudo_stretch.yml new file mode 100644 index 00000000..f77ae484 --- /dev/null +++ b/evolinux-users/tasks/sudo_stretch.yml 
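Review bot: The loop variable in `Add user's SSH public keys` is spelled `ssk_key` in both `loop_var: ssk_key` and `key: "{{ ssk_key }}"`; it works because the two sides agree, but it reads as a typo of `ssh_key`, and a future fix to one side without the other breaks the task. Rename both to a name that cannot be confused with the per-user `ssh_key` attribute, e.g. `loop_var: pubkey` and `key: "{{ pubkey }}"`.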
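Review bot: In `Add user in sudoers file for '{{ user.name }}' (jessie)`, the negative lookahead `((?!{{ user.name }}).)*` tests for the username as a bare substring, so a user `foo` is considered already present when the alias only contains e.g. `foobar`, and the `replace` silently never adds it; `bar` against an existing `foobar` fails the same way. Anchoring on word boundaries fixes both: `regexp: '^(User_Alias\s+ADMINS\s+=((?!\b{{ user.name }}\b).)*)$'`. The name is also inserted into the pattern unescaped; it is inventory-controlled, but a username containing regex metacharacters would change the match, so a comment stating that assumption above the task is worth adding.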
@@ -0,0 +1,20 @@ +--- + +- name: "Verify Evolinux sudoers file presence (Debian 9 or later)" + template: + src: sudoers_stretch.j2 + dest: /etc/sudoers.d/evolinux + force: no + validate: '/usr/sbin/visudo -cf %s' + register: copy_sudoers_evolinux + +- name: "Create evolinux-sudo group (Debian 9 or later)" + group: + name: "{{ evolinux_sudo_group }}" + system: yes + +- name: "Add user to evolinux-sudo group (Debian 9 or later)" + user: + name: '{{ user.name }}' + groups: "{{ evolinux_sudo_group }}" + append: yes diff --git a/evolinux-users/tasks/user.yml b/evolinux-users/tasks/user.yml new file mode 100644 index 00000000..73fea728 --- /dev/null +++ b/evolinux-users/tasks/user.yml @@ -0,0 +1,15 @@ +--- + +- include: account.yml + +- include: profile.yml + +- include: ssh.yml + +- include: sudo_jessie.yml + when: ansible_distribution_release == "jessie" + +- include: sudo_stretch.yml + when: ansible_distribution_major_version | version_compare('9', '>=') + +- meta: flush_handlers diff --git a/admin-users/templates/sudoers_jessie.j2 b/evolinux-users/templates/sudoers_jessie.j2 similarity index 100% rename from admin-users/templates/sudoers_jessie.j2 rename to evolinux-users/templates/sudoers_jessie.j2 diff --git a/admin-users/templates/sudoers_stretch.j2 b/evolinux-users/templates/sudoers_stretch.j2 similarity index 75% rename from admin-users/templates/sudoers_stretch.j2 rename to evolinux-users/templates/sudoers_stretch.j2 index 8de1bbc6..289a65ee 100644 --- a/admin-users/templates/sudoers_stretch.j2 +++ b/evolinux-users/templates/sudoers_stretch.j2 @@ -5,5 +5,5 @@ Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt -%evolinux-sudo ALL=(ALL:ALL) ALL -%evolinux-sudo ALL = NOPASSWD: MAINT +%{{ evolinux_sudo_group }} ALL=(ALL:ALL) ALL +%{{ evolinux_sudo_group }} ALL = NOPASSWD: MAINT 
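Review bot: The `Verify Evolinux sudoers file presence (Debian 9 or later)` template task sets no `mode`, whereas the jessie counterpart sets `mode: "0440"` and the sudo.yml this replaces had a dedicated `Verify Evolinux sudoers file permissions` step; on first deployment the file is created with a umask-derived mode, and sudo refuses or warns about sudoers.d files that are not `0440`. Add `mode: "0440"` under `template:` here as well. The task names `Create evolinux-sudo group` / `Add user to evolinux-sudo group` hard-code the group while the body uses `{{ evolinux_sudo_group }}`; `Create {{ evolinux_sudo_group }} group (Debian 9 or later)` keeps the run log truthful when the variable is overridden.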
diff --git a/admin-users/tests/spec/admin-users_spec.rb b/evolinux-users/tests/spec/evolinux-users_spec.rb similarity index 100% rename from admin-users/tests/spec/admin-users_spec.rb rename to evolinux-users/tests/spec/evolinux-users_spec.rb diff --git a/admin-users/tests/test.yml b/evolinux-users/tests/test.yml similarity index 94% rename from admin-users/tests/test.yml rename to evolinux-users/tests/test.yml index 06c29643..f622eebf 100644 --- a/admin-users/tests/test.yml +++ b/evolinux-users/tests/test.yml @@ -2,7 +2,7 @@ - hosts: test-kitchen vars: - admin_users: + evolinux_users: foo: name: foo uid: 1001 @@ -20,4 +20,4 @@ # state: directory roles: - - role: admin-users + - role: evolinux-users diff --git a/memcached/README.md b/memcached/README.md index 3c571029..38e5f89d 100644 --- a/memcached/README.md +++ b/memcached/README.md @@ -1,4 +1,4 @@ -# PHP-FPM +# Memcached Installation and basic configuration of memcached diff --git a/nagios-nrpe/tasks/main.yml b/nagios-nrpe/tasks/main.yml index dbb73903..b52d0425 100644 --- a/nagios-nrpe/tasks/main.yml +++ b/nagios-nrpe/tasks/main.yml @@ -17,6 +17,7 @@ dest: /etc/nagios/nrpe.d/evolix.cfg group: nagios mode: "0640" + force: no notify: restart nagios-nrpe-server - name: Nagios config is secured diff --git a/packweb-apache/README.md b/packweb-apache/README.md index d3f3f5b6..99e25da1 100644 --- a/packweb-apache/README.md +++ b/packweb-apache/README.md @@ -4,7 +4,7 @@ Install the web pack, with Apache. ## Tasks -Everything is in the `tasks/main.yml` file for now. +See `tasks/main.yml`. ## Available variables diff --git a/postgresql/defaults/main.yml b/postgresql/defaults/main.yml index 543f1707..6ee57747 100644 --- a/postgresql/defaults/main.yml +++ b/postgresql/defaults/main.yml @@ -9,4 +9,4 @@ postgresql_random_page_cost: 1.5 postgresql_effective_cache_size: "{{ (ansible_memtotal_mb * 0.5) | int }}MB" # PostgreSQL version -postgresql_version: '9.4' +postgresql_version: '9.6' 
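Review bot: Adding `force: no` to the evolix.cfg task in nagios-nrpe/tasks/main.yml means the file is written only when absent, so later changes to the template in this role never reach hosts that already have it; the task's module and `src` lines are above the hunk, so I cannot see whether another mechanism refreshes it. If the intent is to let other roles edit the file in place (redis/tasks/nrpe_stretch.yml in this commit runs a `replace` on `/etc/nagios/nrpe.d/evolix.cfg`), say so next to the line: `# force: no — other roles (e.g. redis) edit this file in place; the template only seeds it`. Without that comment the line reads like an accidental source of configuration drift.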
diff --git a/postgresql/tasks/main.yml b/postgresql/tasks/main.yml index b090b09d..3bc1f904 100644 --- a/postgresql/tasks/main.yml +++ b/postgresql/tasks/main.yml @@ -1,9 +1,10 @@ --- -- include: pgdg-repo.yml - when: postgresql_version != '9.4' +- include: packages_jessie.yml + when: ansible_distribution_release == "jessie" -- include: packages.yml +- include: packages_stretch.yml + when: ansible_distribution_major_version | version_compare('9', '>=') - include: config.yml diff --git a/postgresql/tasks/packages_jessie.yml b/postgresql/tasks/packages_jessie.yml new file mode 100644 index 00000000..399a680e --- /dev/null +++ b/postgresql/tasks/packages_jessie.yml @@ -0,0 +1,11 @@ +--- + +- include: pgdg-repo.yml + when: postgresql_version != '9.4' + +- name: Install postgresql package + apt: + name: '{{item}}' + with_items: + - "postgresql-{{postgresql_version}}" + - ptop diff --git a/postgresql/tasks/packages.yml b/postgresql/tasks/packages_stretch.yml similarity index 69% rename from postgresql/tasks/packages.yml rename to postgresql/tasks/packages_stretch.yml index cd4f3efa..d3a3e8fe 100644 --- a/postgresql/tasks/packages.yml +++ b/postgresql/tasks/packages_stretch.yml @@ -4,5 +4,5 @@ apt: name: '{{item}}' with_items: - - "postgresql-{{postgresql_version}}" + - postgresql - ptop diff --git a/postgresql/templates/postgresql.conf b/postgresql/templates/postgresql.conf index eafadeb9..ebb6dde2 100644 --- a/postgresql/templates/postgresql.conf +++ b/postgresql/templates/postgresql.conf @@ -3,7 +3,7 @@ shared_buffers = {{ postgresql_shared_buffers }} work_mem = {{ postgresql_work_mem }} #shared_preload_libraries = 'pg_stat_statements' #synchronous_commit = off -{% if postgresql_version |version_compare('9.5', '<') %} +{% if postgresql_version | version_compare('9.5', '<') %} checkpoint_segments = 30 {% else %} max_wal_size = 15GB diff --git a/proftpd/files/vpasswd b/proftpd/files/vpasswd new file mode 100644 index 00000000..c7f074ae --- /dev/null 
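Review bot: `packages_stretch.yml` now installs the unversioned `postgresql` metapackage, so on Debian 9+ the installed major version is whatever the distribution ships, while `postgresql_version` (defaulting to `'9.6'` after this commit) still drives the `postgresql.conf` template (`version_compare('9.5', '<')` selects `checkpoint_segments` versus `max_wal_size`) and, on jessie, the PGDG repository switch. Setting `postgresql_version` to anything but the distro default on stretch therefore changes the configuration without changing the package; a comment at the top of `packages_stretch.yml` saying that the variable is informational on Debian 9+, or an `assert` that it matches the installed version, would prevent that surprise. The default bump to `'9.6'` also means jessie hosts now include `pgdg-repo.yml` (`when: postgresql_version != '9.4'`) unless they override the variable; if that is intended it belongs in the commit description.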
+++ b/proftpd/files/vpasswd @@ -0,0 +1 @@ +# username:password:uid:gid:gecos:homedir:shell diff --git a/proftpd/tasks/main.yml b/proftpd/tasks/main.yml index 3f6b3abe..76056e15 100644 --- a/proftpd/tasks/main.yml +++ b/proftpd/tasks/main.yml @@ -32,3 +32,12 @@ notify: restart proftpd tags: - proftpd + +- name: Put empty vpasswd file if missing + copy: + src: vpasswd + dest: /etc/proftpd/vpasswd + force: no + mode: "0440" + tags: + - proftpd diff --git a/redis/README.md b/redis/README.md index 29ff132f..5a7168b7 100644 --- a/redis/README.md +++ b/redis/README.md @@ -16,6 +16,7 @@ Main variables are : * `redis_conf_path`: config file location ; * `redis_port`: listening TCP port ; * `redis_bind_interface`: listening IP address ; +* `redis_password`: password for redis. Empty means no password ; * `redis_unixsocket`: Unix socket ; * `redis_loglevel`: log verbosity ; * `redis_logfile`: log file location. diff --git a/redis/defaults/main.yml b/redis/defaults/main.yml index cf4e5fef..6526c887 100644 --- a/redis/defaults/main.yml +++ b/redis/defaults/main.yml @@ -7,6 +7,8 @@ redis_bind_interface: 127.0.0.1 redis_unixsocket: '/var/run/redis/redis.sock' redis_timeout: 300 +redis_password: NULL + redis_loglevel: "notice" redis_logfile: /var/log/redis/redis-server.log diff --git a/redis/handlers/main.yml b/redis/handlers/main.yml index 8a416b0e..49b906a1 100644 --- a/redis/handlers/main.yml +++ b/redis/handlers/main.yml @@ -8,3 +8,8 @@ service: name: munin-node state: restarted + +- name: restart nagios-nrpe-server + service: + name: nagios-nrpe-server + state: restarted diff --git a/redis/tasks/main.yml b/redis/tasks/main.yml index 1b0545fa..33a70797 100644 --- a/redis/tasks/main.yml +++ b/redis/tasks/main.yml @@ -1,8 +1,11 @@ --- - name: Redis is installed. apt: - name: redis-server + name: "{{ item }}" state: present + with_items: + - redis-server + - redis-tools tags: - redis - packages 
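Review bot: `Put empty vpasswd file if missing` sets `mode: "0440"` but no `owner`/`group`, so the credentials file ends up owned by whatever account Ansible runs as on the target, and whether the proftpd daemon can read it depends on how it opens its AuthUserFile rather than on anything this task states. Pin `owner: root` and the group proftpd's configuration expects so the permission model is explicit and idempotent across hosts. `force: no` correctly guarantees an existing, populated password file is never overwritten with the empty seed.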
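Review bot: `redis_password: NULL` relies on YAML 1.1's case-insensitive null and reads like a string constant; the canonical form is `redis_password: null`, which the later checks (`redis_password != None`, `{% if redis_password %}`) handle identically. A comment above it, `# null or '' means no requirepass is set`, would document the two accepted "disabled" values the README mentions.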
@@ -31,3 +34,12 @@ - include: munin.yml when: _munin_installed.stat.exists and _munin_installed.stat.isdir + +- name: is NRPE present ? + stat: + path: /etc/nagios/nrpe.d/evolix.cfg + check_mode: no + register: nrpe_evolix_config + +- include: nrpe_stretch.yml + when: ansible_distribution_release == "stretch" and nrpe_evolix_config.stat.exists == true diff --git a/redis/tasks/munin.yml b/redis/tasks/munin.yml index 07473e2f..74676e07 100644 --- a/redis/tasks/munin.yml +++ b/redis/tasks/munin.yml @@ -60,3 +60,25 @@ - used_memory notify: restart munin-node tags: redis + +- name: Count redis condif blocks in munin-node configuration + command: grep -c "\[redis_" /etc/munin/plugin-conf.d/munin-node + register: munin_redis_blocs_in_config + failed_when: False + changed_when: False + +- name: Add redis password for munin (if no more than 1 config block) + ini_file: + dest: /etc/munin/plugin-conf.d/munin-node + section: 'redis_*' + option: env.password + value: '{{ redis_password }}' + notify: restart munin-node + when: "redis_password != '' and redis_password != None and {{munin_redis_blocs_in_config.stdout | int}} <= 1" + tags: redis + + +- name: Warn if multiple instance in munin-plugins configuration + debug: + msg: "WARNING - It seems you have multiple redis sections in your munin-node configuration - Munin config NOT changed" + when: "redis_password != '' and redis_password != None and {{munin_redis_blocs_in_config.stdout | int}} > 1 " diff --git a/redis/tasks/nrpe_stretch.yml b/redis/tasks/nrpe_stretch.yml new file mode 100644 index 00000000..a2ffba17 --- /dev/null +++ b/redis/tasks/nrpe_stretch.yml 
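Review bot: The `when` expressions in `Add redis password for munin` and `Warn if multiple instance` embed `{{munin_redis_blocs_in_config.stdout | int}}` inside a conditional that is already a Jinja expression; Ansible warns about templating delimiters in `when`, and the plain form `munin_redis_blocs_in_config.stdout | int <= 1` (and `> 1`) is equivalent. The `ini_file` task also writes the Redis password in clear text without setting `mode`; if `/etc/munin/plugin-conf.d/munin-node` is readable by local users the password is exposed to them, so add `mode: "0640"` (or whatever the munin packaging expects) and `no_log: true` so the value is not echoed in the Ansible output either. The first task name has a typo (`condif` → `config`).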
@@ -0,0 +1,15 @@ +--- +- name: Install perl lib-redis (needed by check_redis) + apt: + name: libredis-perl + state: present + tags: + - redis + - nrpe + +- name: Replace check_tcp by check_redis for NRPE + replace: + dest: /etc/nagios/nrpe.d/evolix.cfg + regexp: '^command\[check_redis\]=\/usr\/lib\/nagios\/plugins\/check_tcp -p 6379' + replace: 'command[check_redis]=/usr/lib/nagios/plugins/check_redis -H 127.0.0.1' + notify: restart nagios-nrpe-server diff --git a/redis/templates/redis.conf.j2 b/redis/templates/redis.conf.j2 index f7a7c5f0..78dd0c8c 100644 --- a/redis/templates/redis.conf.j2 +++ b/redis/templates/redis.conf.j2 @@ -7,6 +7,10 @@ bind {{ redis_bind_interface }} unixsocket {{ redis_unixsocket }} {% endif %} +{% if redis_password %} +requirepass {{ redis_password }} +{% endif %} + timeout {{ redis_timeout }} loglevel {{ redis_loglevel }}
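Review bot: `check_redis -H 127.0.0.1` hard-codes the address although the role exposes `redis_bind_interface` (default `127.0.0.1`); `-H {{ redis_bind_interface }}` keeps monitoring working when the bind address is changed. This commit also introduces `redis_password`/`requirepass`, and the replacement passes no credentials to the check, so on a password-protected instance the NRPE check will start failing with an authentication error; either pass the password through the check's authentication option from a root-only config or make this `replace` conditional on `redis_password` being unset. The regexp only matches the exact original `check_tcp -p 6379` line, so the task is a silent no-op on hosts where that line was already customised, which is acceptable only if understood.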
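Review bot: With `requirepass {{ redis_password }}` the rendered redis.conf now carries a secret, so the `template` task that writes it (not part of this diff) should set a restrictive mode, e.g. `mode: "0640"` with the redis group, and `no_log: true`, otherwise the password is readable by local users and printed in Ansible's diff output; I cannot see that task here, so please confirm. The `{% if redis_password %}` guard treats null and an empty string alike, which matches the README wording "Empty means no password".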