From cdf086182106958858f2b19304727748656b2d52 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Thu, 21 Sep 2017 00:00:30 +0200 Subject: [PATCH 01/32] More clear without include for determining apache/nginx presence --- evoacme/tasks/main.yml | 12 +++++++++++- evoacme/tasks/webserver.yml | 12 ------------ 2 files changed, 11 insertions(+), 13 deletions(-) delete mode 100644 evoacme/tasks/webserver.yml diff --git a/evoacme/tasks/main.yml b/evoacme/tasks/main.yml index beac178e..6bc21a02 100644 --- a/evoacme/tasks/main.yml +++ b/evoacme/tasks/main.yml @@ -13,7 +13,17 @@ - include: scripts.yml -- include: webserver.yml +- name: Determine Apache presence + stat: + path: /etc/apache2/apache2.conf + check_mode: no + register: sta + +- name: Determine Nginx presence + stat: + path: /etc/nginx/nginx.conf + check_mode: no + register: stn - include: apache.yml when: sta.stat.isreg is defined and sta.stat.isreg diff --git a/evoacme/tasks/webserver.yml b/evoacme/tasks/webserver.yml deleted file mode 100644 index 8092aa98..00000000 --- a/evoacme/tasks/webserver.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -- name: Determine Nginx presence - stat: - path: /etc/nginx/nginx.conf - check_mode: no - register: stn - -- name: Determine Apache presence - stat: - path: /etc/apache2/apache2.conf - check_mode: no - register: sta From a006a604f24db0bb9379d360aa3815c3aa0cb902 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Thu, 21 Sep 2017 00:26:59 +0200 Subject: [PATCH 02/32] Rename /etc/cron.d/certbot to .disabled as written in https://wiki.evolix.org/HowtoLetsEncrypt --- evoacme/tasks/certbot.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/evoacme/tasks/certbot.yml b/evoacme/tasks/certbot.yml index 20658ec2..88f0eb5b 100644 --- a/evoacme/tasks/certbot.yml +++ b/evoacme/tasks/certbot.yml 
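Review bot: `check_mode: no` on both new stat tasks in evoacme/tasks/main.yml uses a YAML 1.1 boolean spelling; Ansible accepts it, but yamllint's truthy rule and a 1.2 parser will not, so write `check_mode: false` (the same spelling is used again on the NRPE stat task added to redis/tasks/main.yml later in this series). The registered names `sta` and `stn` only make sense next to the `when: sta.stat.isreg is defined and sta.stat.isreg` include that follows; a name such as `_apache_conf` / `_nginx_conf` would make those includes readable on their own. Since the checks are only ever consumed as file-existence tests, a one-line comment above the first task stating that a missing config is treated as "web server not installed" would document the intent.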
@@ -42,6 +42,18 @@ path: /usr/local/bin/certbot state: absent +- name: stat /etc/cron.d/certbot + stat: + path: /etc/cron.d/certbot + register: etc_cron_d_certbot + +- name: Rename certbot dpkg cron to .disabled + copy: + remote_src: True + src: /etc/cron.d/certbot + dest: /etc/cron.d/certbot.disabled + when: etc_cron_d_certbot.stat.exists + - name: Remove certbot dpkg cron file: path: /etc/cron.d/certbot From 26d823174f70eaa1b85f9543fb41870ab748f72f Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Thu, 21 Sep 2017 00:32:34 +0200 Subject: [PATCH 03/32] use {{ evoacme_crt_dir }} var everywhere --- evoacme/tasks/conf.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evoacme/tasks/conf.yml b/evoacme/tasks/conf.yml index b39b5384..4d9f6704 100644 --- a/evoacme/tasks/conf.yml +++ b/evoacme/tasks/conf.yml @@ -1,6 +1,6 @@ --- - ini_file: - dest: /etc/letsencrypt/openssl.cnf + dest: "{{ evoacme_crt_dir }}/openssl.cnf" section: 'req' option: "{{ item.name }}" value: "{{ item.var }}" From 81698d03de5392a1ae05646a0ce11480a8637d54 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Thu, 21 Sep 2017 00:36:47 +0200 Subject: [PATCH 04/32] by default copy use files/ directory --- evoacme/tasks/scripts.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/evoacme/tasks/scripts.yml b/evoacme/tasks/scripts.yml index 01e61fdb..b1ebe473 100644 --- a/evoacme/tasks/scripts.yml +++ b/evoacme/tasks/scripts.yml @@ -9,7 +9,7 @@ - name: Copy make-csr.sh script copy: - src: files/make-csr.sh + src: make-csr.sh dest: /usr/local/sbin/make-csr owner: root group: root @@ -17,7 +17,7 @@ - name: Copy evoacme script copy: - src: files/evoacme.sh + src: evoacme.sh dest: /usr/local/sbin/evoacme owner: root group: root From 7ea59826117fda8b59869a349de1d8057d8b2a7c Mon Sep 17 00:00:00 2001 
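Review bot: The rename only disables the job because cron on Debian skips /etc/cron.d entries whose name falls outside the run-parts character set (a dot does that); nothing in the task says so, so a comment such as `# cron ignores /etc/cron.d files containing a dot, so the .disabled copy is inert` above the copy task would stop a future maintainer from "fixing" the name. `remote_src: True` is a YAML 1.1 capitalised boolean; write `remote_src: true`. The copy does not set `mode`/`owner`, so the preserved file gets umask defaults rather than the original's — acceptable for an inert file, but worth `mode: '0644'` explicitly. If the packaged certbot on this release also ships a systemd timer for renewals, disabling the cron file alone does not stop automatic `certbot renew` — confirm against the package and mask the timer here if so.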
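Review bot: Templating the destination to `{{ evoacme_crt_dir }}/openssl.cnf` moves the file, but the scripts this role installs still read the fixed path: make-csr.sh's `cat /etc/letsencrypt/openssl.cnf` in make_csr and `SSL_KEY_SIZE=$(grep default_bits /etc/letsencrypt/openssl.cnf …)` in main (both visible in the retab commit later in this series), whereas evoacme.sh already reads `${CRT_DIR}/openssl.cnf`. If `evoacme_crt_dir` is ever set to something other than /etc/letsencrypt, the CSR subject fields and key size would come from a file this task no longer writes. make-csr.sh should use `${CRT_DIR}/openssl.cnf` as well, or the variable should be documented as fixed. The ini_file task continues outside the hunk.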
From: Gregory Colpart Date: Thu, 21 Sep 2017 00:39:06 +0200 Subject: [PATCH 05/32] empty commit, only :retab --- evoacme/files/certbot.cron | 2 +- evoacme/files/evoacme.sh | 104 +++++++++--------- evoacme/files/make-csr.sh | 212 ++++++++++++++++++------------------- 3 files changed, 159 insertions(+), 159 deletions(-) diff --git a/evoacme/files/certbot.cron b/evoacme/files/certbot.cron index a7c4eef2..eb2ddb3a 100755 --- a/evoacme/files/certbot.cron +++ b/evoacme/files/certbot.cron @@ -10,5 +10,5 @@ [ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt' find "${CRT_DIR}" -maxdepth 1 -mindepth 1 -type d ! -path "*accounts" -exec basename {} \; | while read vhost; do - evoacme "$vhost" + evoacme "$vhost" done diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index ffbf22ac..0504567e 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -8,12 +8,12 @@ # usage() { - echo "Usage: $0 NAME" - echo "" - echo "NAME must be correspond to :" - echo "- a CSR in ${CSR_DIR}/NAME.csr" - echo "- a KEY in ${SSL_KEY_DIR}/NAME.key" - echo "" + echo "Usage: $0 NAME" + echo "" + echo "NAME must be correspond to :" + echo "- a CSR in ${CSR_DIR}/NAME.csr" + echo "- a KEY in ${SSL_KEY_DIR}/NAME.key" + echo "" } mkconf_apache() { 
@@ -27,58 +27,58 @@ mkconf_nginx() { } mkconf_haproxy() { - mkdir -p /etc/ssl/haproxy -m 700 - cat "$CRT_DIR/${vhost}/live/fullchain.pem" "$SSL_KEY_DIR/${vhost}.key" > "/etc/ssl/haproxy/${vhost}.pem" - [ -f "$DH_DIR/${vhost}.pem" ] && cat "$DH_DIR/${vhost}.pem" >> "/etc/ssl/haproxy/${vhost}.pem" - haproxy -c -f /etc/haproxy/haproxy.cfg >/dev/null && service haproxy reload + mkdir -p /etc/ssl/haproxy -m 700 + cat "$CRT_DIR/${vhost}/live/fullchain.pem" "$SSL_KEY_DIR/${vhost}.key" > "/etc/ssl/haproxy/${vhost}.pem" + [ -f "$DH_DIR/${vhost}.pem" ] && cat "$DH_DIR/${vhost}.pem" >> "/etc/ssl/haproxy/${vhost}.pem" + haproxy -c -f /etc/haproxy/haproxy.cfg >/dev/null && service haproxy reload } main() { - [ -f /etc/default/evoacme ] && . /etc/default/evoacme - [ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private' - [ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt' - [ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests' - [ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed' - [ -z "${DH_DIR}" ] && DH_DIR='/etc/ssl/dhparam' - [ -z "${LOG_DIR}" ] && LOG_DIR='/var/log/evoacme' - - [ "$#" -ne 1 ] && usage && exit 1 + [ -f /etc/default/evoacme ] && . 
/etc/default/evoacme + [ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private' + [ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt' + [ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests' + [ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed' + [ -z "${DH_DIR}" ] && DH_DIR='/etc/ssl/dhparam' + [ -z "${LOG_DIR}" ] && LOG_DIR='/var/log/evoacme' + + [ "$#" -ne 1 ] && usage && exit 1 - vhost=$(basename "$1" .conf) + vhost=$(basename "$1" .conf) - # Check master status for evoadmin-cluster - if [ -f "/home/${vhost}/state" ]; then - grep -q "STATE=master" "/home/${vhost}/state" || exit 0 - fi + # Check master status for evoadmin-cluster + if [ -f "/home/${vhost}/state" ]; then + grep -q "STATE=master" "/home/${vhost}/state" || exit 0 + fi - SSL_EMAIL=$(grep emailAddress "${CRT_DIR}/openssl.cnf"|cut -d'=' -f2|xargs) - if [ -n "$SSL_EMAIL" ]; then - emailopt="-m $SSL_EMAIL" - else - emailopt="--register-unsafely-without-email" - fi - DATE=$(date "+%Y%m%d") - - if [ -h "$CRT_DIR/${vhost}/live" ]; then - crt_end_date=$(openssl x509 -noout -enddate -in "$CRT_DIR/${vhost}/live/cert.crt"|sed -e "s/.*=//") - date_crt=$(date -ud "$crt_end_date" +"%s") - date_today=$(date +'%s') - date_diff=$(((date_crt - date_today) / (60*60*24))) - [ "$date_diff" -ge "$SSL_MINDAY" ] && exit 0 - fi - rm -rf "$CRT_DIR/${vhost}/${DATE}" - mkdir -pm 755 "$CRT_DIR/${vhost}/${DATE}" - chown -R acme: "$CRT_DIR/${vhost}" - sudo -u acme certbot certonly --quiet --webroot --csr "$CSR_DIR/${vhost}.csr" --webroot-path "$ACME_DIR" -n --agree-tos --cert-path="$CRT_DIR/${vhost}/${DATE}/cert.crt" --fullchain-path="$CRT_DIR/${vhost}/${DATE}/fullchain.pem" --chain-path="$CRT_DIR/${vhost}/${DATE}/chain.pem" "$emailopt" --logs-dir "$LOG_DIR" 2>&1 | grep -v "certbot.crypto_util" - if [ -f "$CRT_DIR/${vhost}/${DATE}/fullchain.pem" ]; then - rm -f "$CRT_DIR/${vhost}/live" - ln -s "$CRT_DIR/${vhost}/${DATE}" "$CRT_DIR/${vhost}/live" - which apache2ctl >/dev/null && mkconf_apache - which nginx >/dev/null 
&& mkconf_nginx - which haproxy >/dev/null && mkconf_haproxy - else - rmdir "$CRT_DIR/${vhost}/${DATE}" - fi + SSL_EMAIL=$(grep emailAddress "${CRT_DIR}/openssl.cnf"|cut -d'=' -f2|xargs) + if [ -n "$SSL_EMAIL" ]; then + emailopt="-m $SSL_EMAIL" + else + emailopt="--register-unsafely-without-email" + fi + DATE=$(date "+%Y%m%d") + + if [ -h "$CRT_DIR/${vhost}/live" ]; then + crt_end_date=$(openssl x509 -noout -enddate -in "$CRT_DIR/${vhost}/live/cert.crt"|sed -e "s/.*=//") + date_crt=$(date -ud "$crt_end_date" +"%s") + date_today=$(date +'%s') + date_diff=$(((date_crt - date_today) / (60*60*24))) + [ "$date_diff" -ge "$SSL_MINDAY" ] && exit 0 + fi + rm -rf "$CRT_DIR/${vhost}/${DATE}" + mkdir -pm 755 "$CRT_DIR/${vhost}/${DATE}" + chown -R acme: "$CRT_DIR/${vhost}" + sudo -u acme certbot certonly --quiet --webroot --csr "$CSR_DIR/${vhost}.csr" --webroot-path "$ACME_DIR" -n --agree-tos --cert-path="$CRT_DIR/${vhost}/${DATE}/cert.crt" --fullchain-path="$CRT_DIR/${vhost}/${DATE}/fullchain.pem" --chain-path="$CRT_DIR/${vhost}/${DATE}/chain.pem" "$emailopt" --logs-dir "$LOG_DIR" 2>&1 | grep -v "certbot.crypto_util" + if [ -f "$CRT_DIR/${vhost}/${DATE}/fullchain.pem" ]; then + rm -f "$CRT_DIR/${vhost}/live" + ln -s "$CRT_DIR/${vhost}/${DATE}" "$CRT_DIR/${vhost}/live" + which apache2ctl >/dev/null && mkconf_apache + which nginx >/dev/null && mkconf_nginx + which haproxy >/dev/null && mkconf_haproxy + else + rmdir "$CRT_DIR/${vhost}/${DATE}" + fi } main "$@" diff --git a/evoacme/files/make-csr.sh b/evoacme/files/make-csr.sh index 844847ab..5338ba2c 100755 --- a/evoacme/files/make-csr.sh +++ b/evoacme/files/make-csr.sh 
@@ -8,143 +8,143 @@ # get_domains() { - echo "$vhostfile"|grep -q nginx - if [ "$?" -eq 0 ]; then - domains=$(grep -oE "^( )*[^#]+" "$vhostfile" |grep -oE "[^\$]server_name.*;$"|sed 's/server_name//'|tr -d ';'|sed 's/\s\{1,\}//'|sed 's/\s\{1,\}/\n/g'|sort|uniq) - fi - - echo "$vhostfile" |grep -q apache2 - if [ "$?" -eq 0 ]; then - domains=$(grep -oE "^( )*[^#]+" "$vhostfile" |grep -oE "(ServerName|ServerAlias).*"|sed 's/ServerName//'|sed 's/ServerAlias//'|sed 's/\s\{1,\}//'|sort|uniq) - fi - valid_domains="" - nb=0 - - echo "Valid(s) domain(s) in $vhost :" - for domain in $domains; do - real_ip=$(dig +short "$domain"|grep -oE "([0-9]+\.){3}[0-9]+") - for ip in $(echo "$SRV_IP"|xargs -n1); do - if [ "${ip}" = "${real_ip}" ]; then - valid_domains="$valid_domains $domain" - nb=$(( nb + 1 )) - echo "* $domain -> $real_ip" - fi - done - done - - if [ "$nb" -eq 0 ]; then - nb=$(echo "$domains"|wc -l) - echo "* No valid domain found" - echo "All following(s) domain(s) will be used for CSR creation :" - for domain in $domains; do - echo "* $domain" - done - else - domains="$valid_domains" - fi - domains=$(echo "$domains"|xargs -n1) + echo "$vhostfile"|grep -q nginx + if [ "$?" -eq 0 ]; then + domains=$(grep -oE "^( )*[^#]+" "$vhostfile" |grep -oE "[^\$]server_name.*;$"|sed 's/server_name//'|tr -d ';'|sed 's/\s\{1,\}//'|sed 's/\s\{1,\}/\n/g'|sort|uniq) + fi + + echo "$vhostfile" |grep -q apache2 + if [ "$?" 
-eq 0 ]; then + domains=$(grep -oE "^( )*[^#]+" "$vhostfile" |grep -oE "(ServerName|ServerAlias).*"|sed 's/ServerName//'|sed 's/ServerAlias//'|sed 's/\s\{1,\}//'|sort|uniq) + fi + valid_domains="" + nb=0 + + echo "Valid(s) domain(s) in $vhost :" + for domain in $domains; do + real_ip=$(dig +short "$domain"|grep -oE "([0-9]+\.){3}[0-9]+") + for ip in $(echo "$SRV_IP"|xargs -n1); do + if [ "${ip}" = "${real_ip}" ]; then + valid_domains="$valid_domains $domain" + nb=$(( nb + 1 )) + echo "* $domain -> $real_ip" + fi + done + done + + if [ "$nb" -eq 0 ]; then + nb=$(echo "$domains"|wc -l) + echo "* No valid domain found" + echo "All following(s) domain(s) will be used for CSR creation :" + for domain in $domains; do + echo "* $domain" + done + else + domains="$valid_domains" + fi + domains=$(echo "$domains"|xargs -n1) } make_key() { - openssl genrsa -out "$SSL_KEY_DIR/${vhost}.key" "$SSL_KEY_SIZE" 2>/dev/null - chown root: "$SSL_KEY_DIR/${vhost}.key" - chmod 600 "$SSL_KEY_DIR/${vhost}.key" + openssl genrsa -out "$SSL_KEY_DIR/${vhost}.key" "$SSL_KEY_SIZE" 2>/dev/null + chown root: "$SSL_KEY_DIR/${vhost}.key" + chmod 600 "$SSL_KEY_DIR/${vhost}.key" } make_csr() { - domains="$1" - nb=$(echo "$domains"|wc -l) - config_file="/tmp/make-csr-${vhost}.conf" + domains="$1" + nb=$(echo "$domains"|wc -l) + config_file="/tmp/make-csr-${vhost}.conf" - mkdir -p "$CSR_DIR" -m 0755 - - if [ "$nb" -eq 1 ]; then - cat /etc/letsencrypt/openssl.cnf - > "$config_file" < "$config_file" < "$config_file" < "$config_file" < "$CSR_DIR/${vhost}.csr" - fi - - if [ -f "$CSR_DIR/${vhost}.csr" ]; then - chmod 644 "$CSR_DIR/${vhost}.csr" - mkdir -p "$SELF_SIGNED_DIR" -m 0755 - openssl x509 -req -sha256 -days 365 -in "$CSR_DIR/${vhost}.csr" -signkey "$SSL_KEY_DIR/${vhost}.key" -out "$SELF_SIGNED_DIR/${vhost}.pem" - [ -f "$SELF_SIGNED_DIR/${vhost}.pem" ] && chmod 644 "$SELF_SIGNED_DIR/${vhost}.pem" - fi + openssl req -new -sha256 -key "$SSL_KEY_DIR/${vhost}.key" -reqexts SAN -config "$config_file" > 
"$CSR_DIR/${vhost}.csr" + fi + + if [ -f "$CSR_DIR/${vhost}.csr" ]; then + chmod 644 "$CSR_DIR/${vhost}.csr" + mkdir -p "$SELF_SIGNED_DIR" -m 0755 + openssl x509 -req -sha256 -days 365 -in "$CSR_DIR/${vhost}.csr" -signkey "$SSL_KEY_DIR/${vhost}.key" -out "$SELF_SIGNED_DIR/${vhost}.pem" + [ -f "$SELF_SIGNED_DIR/${vhost}.pem" ] && chmod 644 "$SELF_SIGNED_DIR/${vhost}.pem" + fi } mkconf_apache() { - mkdir -p /etc/apache2/ssl - if [ ! -f "/etc/apache2/ssl/${vhost}.conf" ]; then - cat > "/etc/apache2/ssl/${vhost}.conf" < "/etc/apache2/ssl/${vhost}.conf" < "/etc/nginx/ssl/${vhost}.conf" < "/etc/nginx/ssl/${vhost}.conf" <&2 - exit 1 - fi - vhost=$(basename "$1" .conf) - local_ip=$(ip a|grep brd|cut -d'/' -f1|grep -oE "([0-9]+\.){3}[0-9]+") + if [ "$#" -ne 1 ]; then + echo "You need to provide one argument !" >&2 + exit 1 + fi + vhost=$(basename "$1" .conf) + local_ip=$(ip a|grep brd|cut -d'/' -f1|grep -oE "([0-9]+\.){3}[0-9]+") - [ -f /etc/default/evoacme ] && . /etc/default/evoacme - [ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private' - [ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests' - [ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt' - [ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed' - SSL_KEY_SIZE=$(grep default_bits /etc/letsencrypt/openssl.cnf|cut -d'=' -f2|xargs) - [ -n "${SRV_IP}" ] && SRV_IP="${SRV_IP} $local_ip" || SRV_IP="$local_ip" - - vhostfile=$(ls "/etc/nginx/sites-enabled/${vhost}" "/etc/nginx/sites-enabled/${vhost}.conf" "/etc/apache2/sites-enabled/${vhost}" "/etc/apache2/sites-enabled/${vhost}.conf" 2>/dev/null|head -n1) - - if [ ! -h "$vhostfile" ]; then - echo "$vhost is not a valid virtualhost !" >&2 - exit 1 - fi + [ -f /etc/default/evoacme ] && . 
/etc/default/evoacme + [ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private' + [ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests' + [ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt' + [ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed' + SSL_KEY_SIZE=$(grep default_bits /etc/letsencrypt/openssl.cnf|cut -d'=' -f2|xargs) + [ -n "${SRV_IP}" ] && SRV_IP="${SRV_IP} $local_ip" || SRV_IP="$local_ip" + + vhostfile=$(ls "/etc/nginx/sites-enabled/${vhost}" "/etc/nginx/sites-enabled/${vhost}.conf" "/etc/apache2/sites-enabled/${vhost}" "/etc/apache2/sites-enabled/${vhost}.conf" 2>/dev/null|head -n1) + + if [ ! -h "$vhostfile" ]; then + echo "$vhost is not a valid virtualhost !" >&2 + exit 1 + fi - if [ -f "$SSL_KEY_DIR/${vhost}.key" ]; then - echo "$vhost key already exist, overwrite it ? (y)" - read REPLY - [ "$REPLY" = "Y" ] || [ "$REPLY" = "y" ] || exit 0 - rm -f "/etc/apache2/ssl/${vhost}.conf /etc/nginx/ssl/${vhost}.conf" - [ -h "${CRT_DIR}/${vhost}/live" ] && rm "${CRT_DIR}/${vhost}/live" - fi + if [ -f "$SSL_KEY_DIR/${vhost}.key" ]; then + echo "$vhost key already exist, overwrite it ? (y)" + read REPLY + [ "$REPLY" = "Y" ] || [ "$REPLY" = "y" ] || exit 0 + rm -f "/etc/apache2/ssl/${vhost}.conf /etc/nginx/ssl/${vhost}.conf" + [ -h "${CRT_DIR}/${vhost}/live" ] && rm "${CRT_DIR}/${vhost}/live" + fi - get_domains - make_key - make_csr "$domains" - which apache2ctl >/dev/null && mkconf_apache + get_domains + make_key + make_csr "$domains" + which apache2ctl >/dev/null && mkconf_apache which nginx >/dev/null && mkconf_nginx } From 30c47fcd502af2c22287d4d096f1dc30d2890629 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Thu, 21 Sep 2017 03:29:55 +0200 Subject: [PATCH 06/32] A lot of improvments: add comments, add tests/tests/tests, add --cron option, drop HAProxy support, modify Apache/Nginx conf only first time --- evoacme/files/evoacme.sh | 109 +++++++++++++++++++++++++-------------- 1 file changed, 70 insertions(+), 39 deletions(-) 
diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index 0504567e..56f3f0e5 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -7,8 +7,10 @@ # Licence: AGPLv3 # +set -e + usage() { - echo "Usage: $0 NAME" + echo "Usage: $0 [ --cron ] NAME" echo "" echo "NAME must be correspond to :" echo "- a CSR in ${CSR_DIR}/NAME.csr" 
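Review bot: `set -e` is now what every `cmd || ( echo "error: …" && exit 1 )` guard in the following hunk relies on — `exit 1` inside `( … )` only terminates the subshell, and the script stops only because that subshell's status is the last command of the `||` list; `{ echo "error: …"; exit 1; }` expresses the intent without depending on errexit. The more serious interaction is the certbot call in the next hunk, `sudo -u acme certbot certonly $CERTBOT_OPTS … 2>&1 | grep -v "certbot.crypto_util"`: under `set -e` the pipeline takes the status of `grep -v`, which returns 1 when it emits no line, and with `--quiet` in cron mode a successful run plausibly prints nothing, so the script would abort before the "verify if all is right" checks and the live symlink update, and a re-run the same day then hits the "directory already exists" guard. Replace the filter with `| { grep -v "certbot.crypto_util" || true; }` — the openssl checks that follow already validate certbot's output — or drop the grep entirely. usage() continues outside this hunk.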
@@ -17,68 +19,97 @@ usage() { } mkconf_apache() { - [ -f "/etc/apache2/ssl/${vhost}.conf" ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $CRT_DIR/${vhost}/live/fullchain.pem~" "/etc/apache2/ssl/${vhost}.conf" - apache2ctl -t 2>/dev/null && service apache2 reload + echo "Apache detected... first configuration" + [ -f "/etc/apache2/ssl/${vhost}.conf" ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $CRT_DIR/${vhost}/live/fullchain.pem~" "/etc/apache2/ssl/${vhost}.conf" + apache2ctl -t } mkconf_nginx() { - [ -f "/etc/nginx/ssl/${vhost}.conf" ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $CRT_DIR/${vhost}/live/fullchain.pem;~" "/etc/nginx/ssl/${vhost}.conf" - nginx -t 2>/dev/null && service nginx reload -} - -mkconf_haproxy() { - mkdir -p /etc/ssl/haproxy -m 700 - cat "$CRT_DIR/${vhost}/live/fullchain.pem" "$SSL_KEY_DIR/${vhost}.key" > "/etc/ssl/haproxy/${vhost}.pem" - [ -f "$DH_DIR/${vhost}.pem" ] && cat "$DH_DIR/${vhost}.pem" >> "/etc/ssl/haproxy/${vhost}.pem" - haproxy -c -f /etc/haproxy/haproxy.cfg >/dev/null && service haproxy reload + echo "Nginx detected... first configuration" + [ -f "/etc/nginx/ssl/${vhost}.conf" ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $CRT_DIR/${vhost}/live/fullchain.pem;~" "/etc/nginx/ssl/${vhost}.conf" + nginx -t } main() { [ -f /etc/default/evoacme ] && . 
/etc/default/evoacme - [ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private' - [ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt' - [ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests' - [ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed' - [ -z "${DH_DIR}" ] && DH_DIR='/etc/ssl/dhparam' - [ -z "${LOG_DIR}" ] && LOG_DIR='/var/log/evoacme' - - [ "$#" -ne 1 ] && usage && exit 1 + [ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR=/etc/ssl/private + [ -z "${ACME_DIR}" ] && ACME_DIR=/var/lib/letsencrypt + [ -z "${CSR_DIR}" ] && CSR_DIR=/etc/ssl/requests + [ -z "${CRT_DIR}" ] && CRT_DIR=/etc/letsencrypt + [ -z "${LOG_DIR}" ] && LOG_DIR=/var/log/evoacme + [ -z "${SSL_MINDAY}" ] && SSL_MINDAY=30 + [ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR=/etc/ssl/self-signed + [ -z "${DH_DIR}" ] && DH_DIR=etc/ssl/dhparam - vhost=$(basename "$1" .conf) + # misc verifications + [ "$1" = "-h" ] || [ "$1" = "--help" ] && usage && exit 0 + which openssl >/dev/null || ( echo "error: openssl command not installed" && exit 1 ) + which certbot >/dev/null || ( echo "error: certbot command not installed" && exit 1 ) + [ ! -d $ACME_DIR ] && echo "error: $ACME_DIR is not a directory" && exit 1 + [ ! -d $CSR_DIR ] && echo "error: $CSR_DIR is not a directory" && exit 1 + [ ! -d $LOG_DIR ] && echo "error: $LOG_DIR is not a directory" && exit 1 + [ "$#" -ge 3 ] || [ "$#" -le 0 ] && echo "error: invalid argument(s)" && usage && exit 1 + [ "$#" -eq 2 ] && [ "$1" != "--cron" ] && echo "error: invalid argument(s)" && usage && exit 1 - # Check master status for evoadmin-cluster + [ "$#" -eq 1 ] && vhost=$(basename "$1" .conf) && CRON=NO + [ "$#" -eq 2 ] && vhost=$(basename "$2" .conf) && CRON=YES + + # verify .csr file + test ! -f "$CSR_DIR/${vhost}.csr" && echo "error: $CSR_DIR/${vhost}.csr absent" && exit 1 + test ! 
-r "$CSR_DIR/${vhost}.csr" && echo "error: $CSR_DIR/${vhost}.csr is not readable" && exit 1 + openssl req -noout -modulus -in "$CSR_DIR/${vhost}.csr" >/dev/null || ( echo "error: $CSR_DIR/${vhost}.csr is invalid" && exit 1 ) + [ "$CRON" = "NO" ] && echo "Using CSR file: $CSR_DIR/${vhost}.csr" + + # Hook for evoadmin-web in cluster mode : check master status if [ -f "/home/${vhost}/state" ]; then grep -q "STATE=master" "/home/${vhost}/state" || exit 0 fi - SSL_EMAIL=$(grep emailAddress "${CRT_DIR}/openssl.cnf"|cut -d'=' -f2|xargs) if [ -n "$SSL_EMAIL" ]; then emailopt="-m $SSL_EMAIL" else emailopt="--register-unsafely-without-email" fi + DATE=$(date "+%Y%m%d") - + [ ! -n "$DATE" ] && echo "error: invalid date" && exit 1 + + + # If live link already exists, it's not our first time... if [ -h "$CRT_DIR/${vhost}/live" ]; then - crt_end_date=$(openssl x509 -noout -enddate -in "$CRT_DIR/${vhost}/live/cert.crt"|sed -e "s/.*=//") - date_crt=$(date -ud "$crt_end_date" +"%s") + openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/live/cert.crt" >/dev/null || ( echo "error: $CRT_DIR/${vhost}/live/cert.crt is invalid" && exit 1 ) + + # Verify if our certificate will expire + crt_end_date=$(openssl x509 -noout -enddate -in "$CRT_DIR/${vhost}/live/cert.crt" | cut -d= -f2) + date_renew=$(date -ud "$crt_end_date - $SSL_MINDAY days" +"%s") date_today=$(date +'%s') - date_diff=$(((date_crt - date_today) / (60*60*24))) - [ "$date_diff" -ge "$SSL_MINDAY" ] && exit 0 - fi - rm -rf "$CRT_DIR/${vhost}/${DATE}" - mkdir -pm 755 "$CRT_DIR/${vhost}/${DATE}" - chown -R acme: "$CRT_DIR/${vhost}" - sudo -u acme certbot certonly --quiet --webroot --csr "$CSR_DIR/${vhost}.csr" --webroot-path "$ACME_DIR" -n --agree-tos --cert-path="$CRT_DIR/${vhost}/${DATE}/cert.crt" --fullchain-path="$CRT_DIR/${vhost}/${DATE}/fullchain.pem" --chain-path="$CRT_DIR/${vhost}/${DATE}/chain.pem" "$emailopt" --logs-dir "$LOG_DIR" 2>&1 | grep -v "certbot.crypto_util" - if [ -f "$CRT_DIR/${vhost}/${DATE}/fullchain.pem" ]; 
then - rm -f "$CRT_DIR/${vhost}/live" - ln -s "$CRT_DIR/${vhost}/${DATE}" "$CRT_DIR/${vhost}/live" + [ "$date_today" -lt "$date_renew" ] && ( [ "$CRON" = "NO" ] && echo "Cert $CRT_DIR/${vhost}/live/cert.crt expires at $crt_end_date => more than $SSL_MINDAY days: thxbye." || true ) && exit 0 + else which apache2ctl >/dev/null && mkconf_apache which nginx >/dev/null && mkconf_nginx - which haproxy >/dev/null && mkconf_haproxy - else - rmdir "$CRT_DIR/${vhost}/${DATE}" fi + + # renew certificate with certbot + [ -d "$CRT_DIR/${vhost}/${DATE}" ] && echo "error: $CRT_DIR/${vhost}/${DATE} directory already exists, remove it manually." && exit 1 + mkdir -pm 755 "$CRT_DIR/${vhost}/${DATE}" + chown -R acme: "$CRT_DIR/${vhost}/${DATE}" + [ "$CRON" = "YES" ] && CERTBOT_OPTS="--quiet" + sudo -u acme certbot certonly $CERTBOT_OPTS --webroot --csr "$CSR_DIR/${vhost}.csr" --webroot-path "$ACME_DIR" -n --agree-tos --cert-path="$CRT_DIR/${vhost}/${DATE}/cert.crt" --fullchain-path="$CRT_DIR/${vhost}/${DATE}/fullchain.pem" --chain-path="$CRT_DIR/${vhost}/${DATE}/chain.pem" "$emailopt" --logs-dir "$LOG_DIR" 2>&1 | grep -v "certbot.crypto_util" + + # verify if all is right + openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/${DATE}/cert.crt" >/dev/null || ( echo "error: new $CRT_DIR/${vhost}/${DATE}/cert.crt is invalid" && exit 1 ) + openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/${DATE}/fullchain.pem" >/dev/null || ( echo "error: new $CRT_DIR/${vhost}/${DATE}/fullchain.pem is invalid" && exit 1 ) + openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/${DATE}/chain.pem" >/dev/null || ( echo "error: new $CRT_DIR/${vhost}/${DATE}/chain.pem is invalid" && exit 1 ) + + # link dance + [ -h "$CRT_DIR/${vhost}/live" ] && rm "$CRT_DIR/${vhost}/live" + ln -s "$CRT_DIR/${vhost}/${DATE}" "$CRT_DIR/${vhost}/live" + openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/live/cert.crt" >/dev/null || ( echo "error: new $CRT_DIR/{vhost}/live/cert.crt is invalid" && exit 1 ) + + # reload apache or 
nginx (TODO: need improvments) + pidof apache2 >/dev/null && apache2ctl -t 2>/dev/null && ( [ "$CRON" = "NO" ] && echo "Apache detected... reloading" || true ) && systemctl reload apache2 + pidof nginx >/dev/null && nginx -t 2>/dev/null && ( [ "$CRON" = "NO" ] && echo "Nginx detected... reloading" || true ) && systemctl reload apache2 + } main "$@" From 7fa2dcbb2848fdf9eb6f6e8eec38b6f4a553d8b1 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Wed, 27 Sep 2017 17:57:02 +0200 Subject: [PATCH 07/32] Redis: Also install redis-tools --- redis/tasks/main.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/redis/tasks/main.yml b/redis/tasks/main.yml index 1b0545fa..eb31749e 100644 --- a/redis/tasks/main.yml +++ b/redis/tasks/main.yml @@ -1,8 +1,11 @@ --- - name: Redis is installed. apt: - name: redis-server + name: "{{ item }}" state: present + with_items: + - redis-server + - redis-tools tags: - redis - packages From eab2c3946a4e644ca0b1a32347b6a1544ccfe4c2 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Wed, 27 Sep 2017 18:41:21 +0200 Subject: [PATCH 08/32] Redis: On stretch, make sure nrpe will use check_redis instead of check_tcp check_redis was added in nagios-plugins-contrib in strech. --- redis/handlers/main.yml | 5 +++++ redis/tasks/main.yml | 9 +++++++++ redis/tasks/nrpe_stretch.yml | 15 +++++++++++++++ 3 files changed, 29 insertions(+) create mode 100644 redis/tasks/nrpe_stretch.yml diff --git a/redis/handlers/main.yml b/redis/handlers/main.yml index 8a416b0e..49b906a1 100644 --- a/redis/handlers/main.yml +++ b/redis/handlers/main.yml @@ -8,3 +8,8 @@ service: name: munin-node state: restarted + +- name: restart nagios-nrpe-server + service: + name: nagios-nrpe-server + state: restarted diff --git a/redis/tasks/main.yml b/redis/tasks/main.yml index eb31749e..3c76eab5 100644 --- a/redis/tasks/main.yml +++ b/redis/tasks/main.yml 
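Review bot: The nginx reload line at the end of main() reloads the wrong service: `pidof nginx >/dev/null && nginx -t 2>/dev/null && … && systemctl reload apache2` must end with `systemctl reload nginx`, otherwise an nginx host keeps serving the previous certificate until something else restarts it. `DH_DIR=etc/ssl/dhparam` is missing its leading `/` (the variable is no longer read now that mkconf_haproxy is gone, but the default is still wrong). The last openssl guard's message reads `$CRT_DIR/{vhost}/live/cert.crt` — `$` is missing before `{vhost}`. Dropping the `SSL_EMAIL=$(grep emailAddress "${CRT_DIR}/openssl.cnf" …)` line means that unless /etc/default/evoacme sets SSL_EMAIL, every account is registered with `--register-unsafely-without-email` and expiry notices from the CA are never received; keep the openssl.cnf fallback or fail loudly when it is empty. Because that pidof chain is also main()'s last command, the script exits 1 on any host where nginx is not running, which cron will report as a failed job.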
@@ -34,3 +34,12 @@ - include: munin.yml when: _munin_installed.stat.exists and _munin_installed.stat.isdir + +- name: is NRPE present ? + stat: + path: /etc/nagios/nrpe.d/evolix.cfg + check_mode: no + register: nrpe_evolix_config + +- include: nrpe_stretch.yml + when: ansible_distribution_release == "stretch" and nrpe_evolix_config == true diff --git a/redis/tasks/nrpe_stretch.yml b/redis/tasks/nrpe_stretch.yml new file mode 100644 index 00000000..a2ffba17 --- /dev/null +++ b/redis/tasks/nrpe_stretch.yml @@ -0,0 +1,15 @@ +--- +- name: Install perl lib-redis (needed by check_redis) + apt: + name: libredis-perl + state: present + tags: + - redis + - nrpe + +- name: Replace check_tcp by check_redis for NRPE + replace: + dest: /etc/nagios/nrpe.d/evolix.cfg + regexp: '^command\[check_redis\]=\/usr\/lib\/nagios\/plugins\/check_tcp -p 6379' + replace: 'command[check_redis]=/usr/lib/nagios/plugins/check_redis -H 127.0.0.1' + notify: restart nagios-nrpe-server From c12559193a7fce1f2f3ce472bc5ecae2d274c073 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Thu, 28 Sep 2017 15:02:29 +0200 Subject: [PATCH 09/32] Redis: Add the possibility to set an instance password --- redis/README.md | 1 + redis/defaults/main.yml | 2 ++ redis/tasks/munin.yml | 10 ++++++++++ redis/templates/redis.conf.j2 | 4 ++++ 4 files changed, 17 insertions(+) diff --git a/redis/README.md b/redis/README.md index 29ff132f..5a7168b7 100644 --- a/redis/README.md +++ b/redis/README.md @@ -16,6 +16,7 @@ Main variables are : * `redis_conf_path`: config file location ; * `redis_port`: listening TCP port ; * `redis_bind_interface`: listening IP address ; +* `redis_password`: password for redis. Empty means no password ; * `redis_unixsocket`: Unix socket ; * `redis_loglevel`: log verbosity ; * `redis_logfile`: log file location. diff --git a/redis/defaults/main.yml b/redis/defaults/main.yml index cf4e5fef..268bdd08 100644 --- a/redis/defaults/main.yml +++ b/redis/defaults/main.yml 
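Review bot: In redis/tasks/nrpe_stretch.yml the replacement hard-codes `-H 127.0.0.1` and the regexp hard-codes `-p 6379`, while the role exposes `redis_bind_interface` and `redis_port` (see redis/defaults/main.yml and the README in this series); on an instance bound elsewhere or on another port the regexp silently fails to match, or the check probes the wrong address. Template both from the variables, e.g. `regexp: '^command\[check_redis\]=/usr/lib/nagios/plugins/check_tcp -p {{ redis_port }}'` and `replace: 'command[check_redis]=/usr/lib/nagios/plugins/check_redis -H {{ redis_bind_interface }} -p {{ redis_port }}'`, after confirming check_redis's port option against the plugin's help. Once `redis_password` is added later in this series, check_redis will also need the password or the check degrades to an authentication error — worth handling in the same task.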
@@ -7,6 +7,8 @@ redis_bind_interface: 127.0.0.1 redis_unixsocket: '/var/run/redis/redis.sock' redis_timeout: 300 +redis_password: '' + redis_loglevel: "notice" redis_logfile: /var/log/redis/redis-server.log diff --git a/redis/tasks/munin.yml b/redis/tasks/munin.yml index 07473e2f..75d44941 100644 --- a/redis/tasks/munin.yml +++ b/redis/tasks/munin.yml @@ -60,3 +60,13 @@ - used_memory notify: restart munin-node tags: redis + +- name: Add redis password for munin + ini_file: + dest: /etc/munin/plugin-conf.d/munin-node + section: 'redis_*' + option: env.password + value: '{{ redis_password }}' + notify: restart munin-node + when: redis_password != '' + tags: redis diff --git a/redis/templates/redis.conf.j2 b/redis/templates/redis.conf.j2 index f7a7c5f0..78dd0c8c 100644 --- a/redis/templates/redis.conf.j2 +++ b/redis/templates/redis.conf.j2 @@ -7,6 +7,10 @@ bind {{ redis_bind_interface }} unixsocket {{ redis_unixsocket }} {% endif %} +{% if redis_password %} +requirepass {{ redis_password }} +{% endif %} + timeout {{ redis_timeout }} loglevel {{ redis_loglevel }} From 43d2de5da7e0f969aafc5fa6aa83b67323cf7380 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Thu, 28 Sep 2017 18:03:26 +0200 Subject: [PATCH 10/32] Redis: Fix error in the conditional inclusion of nrpe_stretch.yml --- redis/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/redis/tasks/main.yml b/redis/tasks/main.yml index 3c76eab5..33a70797 100644 --- a/redis/tasks/main.yml +++ b/redis/tasks/main.yml @@ -42,4 +42,4 @@ register: nrpe_evolix_config - include: nrpe_stretch.yml - when: ansible_distribution_release == "stretch" and nrpe_evolix_config == true + when: ansible_distribution_release == "stretch" and nrpe_evolix_config.stat.exists == true From 31a8aa0a326664afc87401ccfb49985dcf116dd8 Mon Sep 17 00:00:00 2001 
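Review bot: The new `Add redis password for munin` task writes `redis_password` into `/etc/munin/plugin-conf.d/munin-node` without `no_log: true`, so the secret is printed in verbose (`-v`) task output and in `--diff` output for anyone reading the run logs or CI console. Add `no_log: true` to this task, and the same applies to whichever task renders redis.conf from the template touched in this commit. It is also worth confirming that plugin-conf.d/munin-node is root-only readable on the target, since the task sets no `mode` and `env.password` is stored there in clear text.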
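Review bot: Enabling `requirepass` here is not reflected in the NRPE probe introduced earlier in this series (`check_redis -H 127.0.0.1` in redis/tasks/nrpe_stretch.yml), which passes no credentials, so a host with `redis_password` set will presumably start returning NOAUTH errors from that check. Either pass the password through to that command under the same `when: redis_password` guard (the plugin has a password option, if I recall correctly), or state in the README that setting a password breaks the bundled NRPE check. The munin plugin was updated for the password in this same commit, so the asymmetry looks unintentional rather than deliberate.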
From: Gregory Colpart Date: Fri, 29 Sep 2017 02:22:38 +0200 Subject: [PATCH 11/32] update tasks description. --- packweb-apache/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packweb-apache/README.md b/packweb-apache/README.md index d3f3f5b6..99e25da1 100644 --- a/packweb-apache/README.md +++ b/packweb-apache/README.md @@ -4,7 +4,7 @@ Install the web pack, with Apache. ## Tasks -Everything is in the `tasks/main.yml` file for now. +See `tasks/main.yml`. ## Available variables From 36419c5b3c7c3144466d7c1a4f0d294a1a850e8f Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Mon, 2 Oct 2017 17:13:10 +0200 Subject: [PATCH 12/32] Redis: Set pasword variable as NULL instead of '' --- redis/defaults/main.yml | 2 +- redis/tasks/munin.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/redis/defaults/main.yml b/redis/defaults/main.yml index 268bdd08..6526c887 100644 --- a/redis/defaults/main.yml +++ b/redis/defaults/main.yml @@ -7,7 +7,7 @@ redis_bind_interface: 127.0.0.1 redis_unixsocket: '/var/run/redis/redis.sock' redis_timeout: 300 -redis_password: '' +redis_password: NULL redis_loglevel: "notice" redis_logfile: /var/log/redis/redis-server.log diff --git a/redis/tasks/munin.yml b/redis/tasks/munin.yml index 75d44941..04d6449c 100644 --- a/redis/tasks/munin.yml +++ b/redis/tasks/munin.yml @@ -68,5 +68,5 @@ option: env.password value: '{{ redis_password }}' notify: restart munin-node - when: redis_password != '' + when: redis_password != '' and redis_password != None tags: redis From 27e4512e502870af67aa7665c16b43e71a2ccff8 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Tue, 3 Oct 2017 10:21:13 +0200 Subject: [PATCH 13/32] Redis: Ensure that we do not modify munin-node config if there is multiple redis config blocs --- redis/tasks/munin.yml | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/redis/tasks/munin.yml b/redis/tasks/munin.yml index 04d6449c..74676e07 100644 
--- a/redis/tasks/munin.yml +++ b/redis/tasks/munin.yml @@ -61,12 +61,24 @@ notify: restart munin-node tags: redis -- name: Add redis password for munin +- name: Count redis condif blocks in munin-node configuration + command: grep -c "\[redis_" /etc/munin/plugin-conf.d/munin-node + register: munin_redis_blocs_in_config + failed_when: False + changed_when: False + +- name: Add redis password for munin (if no more than 1 config block) ini_file: dest: /etc/munin/plugin-conf.d/munin-node section: 'redis_*' option: env.password value: '{{ redis_password }}' notify: restart munin-node - when: redis_password != '' and redis_password != None + when: "redis_password != '' and redis_password != None and {{munin_redis_blocs_in_config.stdout | int}} <= 1" tags: redis + + +- name: Warn if multiple instance in munin-plugins configuration + debug: + msg: "WARNING - It seems you have multiple redis sections in your munin-node configuration - Munin config NOT changed" + when: "redis_password != '' and redis_password != None and {{munin_redis_blocs_in_config.stdout | int}} > 1 " From 46c1cbd1a4339b12f79eb0b5aefd112bfab323b8 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Tue, 3 Oct 2017 23:45:17 +0200 Subject: [PATCH 14/32] update title --- memcached/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memcached/README.md b/memcached/README.md index 3c571029..38e5f89d 100644 --- a/memcached/README.md +++ b/memcached/README.md @@ -1,4 +1,4 @@ -# PHP-FPM +# Memcached Installation and basic configuration of memcached From 5ffc94281fe0b2299fb1cfb065e240c8ed59f4ea Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 4 Oct 2017 14:29:19 +0200 Subject: [PATCH 15/32] evolinux-base: parse fstab with better regex The fstab file usually has fields separated by spaces but sometimes they are separated by tabs. --- evolinux-base/tasks/fstab.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
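Review bot: The `command: grep -c ...` task has no `check_mode: no`, so in a `--check` run it is skipped, `munin_redis_blocs_in_config.stdout` is undefined, and both `when` clauses that reference it abort the play instead of reporting what would change; the stat tasks elsewhere in this series already set `check_mode: no` for exactly this reason, so add it here next to `changed_when: False`. Separately, the conditions embed `{{ }}` inside `when`, which Ansible warns about; write them as plain expressions, e.g. `when: redis_password != '' and redis_password != None and munin_redis_blocs_in_config.stdout | int <= 1`. With `failed_when: False`, a missing plugin-conf file yields an empty stdout that `| int` turns into 0, so the ini_file task will create the file — presumably intended, but a one-line comment saying so would help.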
diff --git a/evolinux-base/tasks/fstab.yml b/evolinux-base/tasks/fstab.yml index 6c8b122a..9baa8a70 100644 --- a/evolinux-base/tasks/fstab.yml +++ b/evolinux-base/tasks/fstab.yml @@ -16,7 +16,7 @@ replace: '\1{{ evolinux_fstab_home_options | mandatory }}\3' notify: remount /home when: - - "' /home ' in fstab_content.stdout" + - fstab_content.stdout | regex_search('\s/home\s') - evolinux_fstab_home - name: /tmp partition is customized @@ -25,7 +25,7 @@ regexp: '([^#]\s+/tmp\s+\S+\s+)([a-z,]+)(\s+)' replace: '\1{{ evolinux_fstab_tmp_options | mandatory }}\3' when: - - "' /tmp ' in fstab_content.stdout" + - fstab_content.stdout | regex_search('\s/tmp\s') - evolinux_fstab_tmp - name: /usr partition is customized @@ -34,7 +34,7 @@ regexp: '([^#]\s+/usr\s+\S+\s+)([a-z,]+)(\s+)' replace: '\1{{ evolinux_fstab_usr_options | mandatory }}\3' when: - - "' /usr ' in fstab_content.stdout" + - fstab_content.stdout | regex_search('\s/usr\s') - evolinux_fstab_usr - name: /var partition is customized @@ -44,7 +44,7 @@ replace: '\1{{ evolinux_fstab_var_options | mandatory }}\3' notify: remount /var when: - - "' /var ' in fstab_content.stdout" + - fstab_content.stdout | regex_search('\s/var\s') - evolinux_fstab_var - name: /var/tmp is created From 72c1bb483404c3cd05ffcd1a16f7fc367d091785 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 4 Oct 2017 14:54:46 +0200 Subject: [PATCH 16/32] postgresql: version 9.6 by default For Jessie we use external repositories For Stretch we install from Debian repositories --- postgresql/defaults/main.yml | 2 +- postgresql/tasks/main.yml | 7 ++++--- postgresql/tasks/packages.yml | 8 -------- postgresql/templates/postgresql.conf | 2 +- 4 files changed, 6 insertions(+), 13 deletions(-) delete mode 100644 postgresql/tasks/packages.yml diff --git a/postgresql/defaults/main.yml b/postgresql/defaults/main.yml index 543f1707..6ee57747 100644 --- a/postgresql/defaults/main.yml +++ b/postgresql/defaults/main.yml 
@@ -9,4 +9,4 @@ postgresql_random_page_cost: 1.5 postgresql_effective_cache_size: "{{ (ansible_memtotal_mb * 0.5) | int }}MB" # PostgreSQL version -postgresql_version: '9.4' +postgresql_version: '9.6' diff --git a/postgresql/tasks/main.yml b/postgresql/tasks/main.yml index b090b09d..3bc1f904 100644 --- a/postgresql/tasks/main.yml +++ b/postgresql/tasks/main.yml @@ -1,9 +1,10 @@ --- -- include: pgdg-repo.yml - when: postgresql_version != '9.4' +- include: packages_jessie.yml + when: ansible_distribution_release == "jessie" -- include: packages.yml +- include: packages_stretch.yml + when: ansible_distribution_major_version | version_compare('9', '>=') - include: config.yml diff --git a/postgresql/tasks/packages.yml b/postgresql/tasks/packages.yml deleted file mode 100644 index cd4f3efa..00000000 --- a/postgresql/tasks/packages.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- - -- name: Install postgresql package - apt: - name: '{{item}}' - with_items: - - "postgresql-{{postgresql_version}}" - - ptop diff --git a/postgresql/templates/postgresql.conf b/postgresql/templates/postgresql.conf index eafadeb9..ebb6dde2 100644 --- a/postgresql/templates/postgresql.conf +++ b/postgresql/templates/postgresql.conf @@ -3,7 +3,7 @@ shared_buffers = {{ postgresql_shared_buffers }} work_mem = {{ postgresql_work_mem }} #shared_preload_libraries = 'pg_stat_statements' #synchronous_commit = off -{% if postgresql_version |version_compare('9.5', '<') %} +{% if postgresql_version | version_compare('9.5', '<') %} checkpoint_segments = 30 {% else %} max_wal_size = 15GB From 3f350e795548699be2c4e563aa80590446b35eef Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 4 Oct 2017 17:19:49 +0200 Subject: [PATCH 17/32] nagios: don't overwrite the config file --- nagios-nrpe/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/nagios-nrpe/tasks/main.yml b/nagios-nrpe/tasks/main.yml index dbb73903..b52d0425 100644 --- a/nagios-nrpe/tasks/main.yml +++ b/nagios-nrpe/tasks/main.yml 
@@ -17,6 +17,7 @@ dest: /etc/nagios/nrpe.d/evolix.cfg group: nagios mode: "0640" + force: no notify: restart nagios-nrpe-server - name: Nagios config is secured From d35068cf11693f46580741f1aba2dca8c6021686 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 4 Oct 2017 17:20:33 +0200 Subject: [PATCH 18/32] postgresql: forgotten files, sorry --- postgresql/tasks/packages_jessie.yml | 11 +++++++++++ postgresql/tasks/packages_stretch.yml | 8 ++++++++ 2 files changed, 19 insertions(+) create mode 100644 postgresql/tasks/packages_jessie.yml create mode 100644 postgresql/tasks/packages_stretch.yml diff --git a/postgresql/tasks/packages_jessie.yml b/postgresql/tasks/packages_jessie.yml new file mode 100644 index 00000000..399a680e --- /dev/null +++ b/postgresql/tasks/packages_jessie.yml @@ -0,0 +1,11 @@ +--- + +- include: pgdg-repo.yml + when: postgresql_version != '9.4' + +- name: Install postgresql package + apt: + name: '{{item}}' + with_items: + - "postgresql-{{postgresql_version}}" + - ptop diff --git a/postgresql/tasks/packages_stretch.yml b/postgresql/tasks/packages_stretch.yml new file mode 100644 index 00000000..d3a3e8fe --- /dev/null +++ b/postgresql/tasks/packages_stretch.yml @@ -0,0 +1,8 @@ +--- + +- name: Install postgresql package + apt: + name: '{{item}}' + with_items: + - postgresql + - ptop From f050608596230c573254cd51f50ff87a60dae4f2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Wed, 4 Oct 2017 23:31:29 +0200 Subject: [PATCH 19/32] evolinux-base/meta: compatible with stretch --- evolinux-base/meta/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/evolinux-base/meta/main.yml b/evolinux-base/meta/main.yml index 2d640995..2b6aed3c 100644 --- a/evolinux-base/meta/main.yml +++ b/evolinux-base/meta/main.yml @@ -12,6 +12,7 @@ galaxy_info: - name: Debian versions: - jessie + - stretch dependencies: [] # List your role dependencies here, one per line. From ee80235e14f212a87ccc9f16796726133a8cb3cc Mon Sep 17 00:00:00 2001 
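Review bot: With `force: no` on the evolix.cfg task (its module line is outside this hunk), an existing file is never refreshed, so any later change to the role's shipped NRPE command set — including removing or tightening a check — will not reach hosts that already have the file, and `notify: restart nagios-nrpe-server` will only ever fire on first deployment. As far as I recall, `copy` with `force: no` also returns early without re-applying `mode: "0640"`/`group: nagios` to an existing file, unless the following `Nagios config is secured` task (outside the hunk) does that. If in-place edits by other roles are the reason (the redis role in this series uses `replace` on the same file), say so above the task, e.g. `# force: no — evolix.cfg is edited in place by other roles (redis, …); never overwrite it`.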
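Review bot: packages_stretch.yml installs the unversioned `postgresql` meta-package, so `postgresql_version` (still defaulting to `'9.6'` and still driving the `version_compare('9.5', '<')` branch in the postgresql.conf template in this series) is no longer tied to what actually gets installed on Debian 9 or later; an operator overriding the variable on stretch would get the distribution's binaries with a config written for another version. Either install `postgresql-{{ postgresql_version }}` here as the jessie task does, or add an `assert` that `postgresql_version` matches the distribution's default before continuing. A comment on the task explaining why the meta-package is used on stretch would also help.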
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Wed, 4 Oct 2017 23:32:27 +0200 Subject: [PATCH 20/32] evolinux-base: etc-git is included after apt customization APT sources must be customized before installing any package --- evolinux-base/defaults/main.yml | 26 +++++++++++++++----------- evolinux-base/tasks/main.yml | 13 +++++++++---- 2 files changed, 24 insertions(+), 15 deletions(-) diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index e0c91fd1..37cc826d 100644 --- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml @@ -10,6 +10,21 @@ logcheck_alert_email: Null raid_alert_email: Null postfix_alias_email: Null +# apt + +evolinux_apt_include: True + +evolinux_apt_conf: True +evolinux_apt_hooks: True +evolinux_apt_replace_default_sources: True +evolinux_apt_public_sources: True +evolinux_apt_upgrade: True +evolinux_apt_remove_aptitude: True + +# etc-git + +evolinux_etcgit_include: True + # hostname evolinux_hostname_include: True @@ -31,17 +46,6 @@ evolinux_kernel_disable_tcp_timestamps: True evolinux_kernel_reduce_swapiness: True evolinux_kernel_cve20165696: True -# apt - -evolinux_apt_include: True - -evolinux_apt_conf: True -evolinux_apt_hooks: True -evolinux_apt_replace_default_sources: True -evolinux_apt_public_sources: True -evolinux_apt_upgrade: True -evolinux_apt_remove_aptitude: True - # fstab evolinux_fstab_include: True diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml index 5c1ad594..f44cfa11 100644 --- a/evolinux-base/tasks/main.yml +++ b/evolinux-base/tasks/main.yml @@ -5,6 +5,15 @@ when: - ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<') +- name: Apt configuration + include: apt.yml + when: evolinux_apt_include + +- name: /etc versioning with Git + include_role: + name: etc-git + when: evolinux_etcgit_include + - name: Hostname include: hostname.yml when: evolinux_hostname_include 
@@ -13,10 +22,6 @@ include: kernel.yml when: evolinux_kernel_include -- name: Apt configuration and packages install - include: apt.yml - when: evolinux_apt_include - - name: Fstab configuration include: fstab.yml when: evolinux_fstab_include From 622698fb99ccb18239f369104bd16038a660e649 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Wed, 4 Oct 2017 23:43:33 +0200 Subject: [PATCH 21/32] Don't disable root access by default It will be caught by evocheck if we forget to disable it but will prevent locking ourselves out if we don't create users --- evolinux-base/README.md | 2 +- evolinux-base/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/evolinux-base/README.md b/evolinux-base/README.md index 8ef7a70e..570e2313 100644 --- a/evolinux-base/README.md +++ b/evolinux-base/README.md @@ -36,6 +36,6 @@ Main variables are: * `evolinux_additional_packages`: optional additional packages to install (default: `[]`) * `evolinux_postfix_purge_exim`: purge Exim packages (default: `True`) ; * `evolinux_ssh_password_auth_addresses`: list of addresses that can authenticate with a password (default: `[]`) -* `evolinux_ssh_disable_root`: disable SSH access for root (default: `True`) +* `evolinux_ssh_disable_root`: disable SSH access for root (default: `False`) The full list of variables (with default values) can be found in `defaults/main.yml`. diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index 37cc826d..4328b241 100644 --- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml @@ -119,7 +119,7 @@ evolinux_ssh_include: True evolinux_ssh_password_auth_addresses: [] evolinux_ssh_match_address: True -evolinux_ssh_disable_root: True +evolinux_ssh_disable_root: False evolinux_ssh_disable_acceptenv: True # postfix From be32fd9a23201266cc1ace6c1840e15d70d58e15 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Wed, 4 Oct 2017 23:43:55 +0200 Subject: [PATCH 22/32] Remove useless comments --- evolinux-base/tasks/ssh.yml | 34 ---------------------------------- 1 file changed, 34 deletions(-) diff --git a/evolinux-base/tasks/ssh.yml b/evolinux-base/tasks/ssh.yml index 2b7273b5..6fc80292 100644 --- a/evolinux-base/tasks/ssh.yml +++ b/evolinux-base/tasks/ssh.yml @@ -17,40 +17,6 @@ notify: reload sshd when: not evolinux_ssh_password_auth_addresses == [] -# - name: verify Match Address directive -# command: "grep 'Match Address' /etc/ssh/sshd_config" -# changed_when: False -# failed_when: False -# check_mode: no -# register: grep_matchaddress_ssh -# -# - name: Add Match Address sshd directive -# lineinfile: -# dest: /etc/ssh/sshd_config -# line: "\nMatch Address {{ evolinux_ssh_password_auth_addresses | join(',') }}\n PasswordAuthentication yes" -# insertafter: '# +ForceCommand cvs server' -# validate: '/usr/sbin/sshd -T -f %s' -# notify: reload sshd -# when: evolinux_ssh_match_address and grep_matchaddress_ssh.rc != 0 and evolinux_ssh_password_auth_addresses != [] -# -# - name: Modify Match Address sshd directive -# replace: -# dest: /etc/ssh/sshd_config -# regexp: '^(Match Address ((?!{{ item }}).)*)$' -# replace: '\1,{{ item }}' -# validate: '/usr/sbin/sshd -T -f %s' -# with_items: "{{ evolinux_ssh_password_auth_addresses }}" -# notify: reload sshd -# when: evolinux_ssh_match_address and grep_matchaddress_ssh.rc == 0 -# -# - name: Add Match Group sudo without password -# lineinfile: -# dest: /etc/ssh/sshd_config -# line: "\nMatch Group sudo\n PasswordAuthentication no" -# insertbefore: '^Match Address' -# validate: '/usr/sbin/sshd -T -f %s' -# notify: reload sshd - - name: disable SSH access for root replace: dest: /etc/ssh/sshd_config From 24948cf4faf0d0f6dd53723ffe20e8dbdb5a170c Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour Date: Thu, 5 Oct 2017 18:46:40 +0200 Subject: [PATCH 23/32] proftpd: blank vpasswd if missing --- proftpd/files/vpasswd | 1 + proftpd/tasks/main.yml | 9 +++++++++ 2 files changed, 10 insertions(+) create mode 100644 proftpd/files/vpasswd diff --git a/proftpd/files/vpasswd b/proftpd/files/vpasswd new file mode 100644 index 00000000..c7f074ae --- /dev/null +++ b/proftpd/files/vpasswd @@ -0,0 +1 @@ +# username:password:uid:gid:gecos:homedir:shell diff --git a/proftpd/tasks/main.yml b/proftpd/tasks/main.yml index 3f6b3abe..76056e15 100644 --- a/proftpd/tasks/main.yml +++ b/proftpd/tasks/main.yml @@ -32,3 +32,12 @@ notify: restart proftpd tags: - proftpd + +- name: Put empty vpasswd file if missing + copy: + src: vpasswd + dest: /etc/proftpd/vpasswd + force: no + mode: "0440" + tags: + - proftpd From b180ca432bea4ac2a93754dc47cee7b6bb89202e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 6 Oct 2017 00:21:00 +0200 Subject: [PATCH 24/32] apt: remove a debug task --- apt/tasks/main.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/apt/tasks/main.yml b/apt/tasks/main.yml index 7bb8950e..af7980c8 100644 --- a/apt/tasks/main.yml +++ b/apt/tasks/main.yml @@ -19,9 +19,6 @@ tags: - apt -- debug: - var: apt_install_evolix_public - - name: Install Evolix Public APT repository include: evolix_public.yml when: apt_install_evolix_public From 116f086b861b623473002b1b14ff56d464eb8d4b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 6 Oct 2017 00:21:19 +0200 Subject: [PATCH 25/32] drbd: cleanup readme --- drbd/README.md | 20 -------------------- 1 file changed, 20 deletions(-) diff --git a/drbd/README.md b/drbd/README.md index 86ae3aa6..f08d30f4 100644 --- a/drbd/README.md +++ b/drbd/README.md 
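Review bot: The new `Put empty vpasswd file if missing` task sets `mode: "0440"` but no `owner`/`group`, so the file is created owned by the connecting user with that user's primary group; since vpasswd will hold FTP password hashes, set `owner: root` and `group: root` (or the group proftpd runs as, if it must read the file) explicitly so the 0440 mode means what it looks like. Also, with `force: no` a pre-existing vpasswd presumably keeps whatever permissions it already has, so a separate `file: path: /etc/proftpd/vpasswd mode: "0440" state: file` task is needed if the intent is to guarantee the mode on every host, not just on first creation.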
@@ -5,23 +5,3 @@ Install tools to setup DRBD replication accross servers. ## Tasks Everything is in the `tasks/main.yml` file. - -## Available variables - -The variable `admin_users` must be a "dict" of one or more users : - -``` -admin_users: - foo: - name: foo - uid: 1001 - fullname: 'Mr Foo' - password_hash: 'sdfgsdfgsdfgsdfg' - ssh_key: 'ssh-rsa AZERTYXYZ' - bar: - name: bar - uid: 1002 - fullname: 'Mr Bar' - password_hash: 'gsdfgsdfgsdfgsdf' - ssh_key: 'ssh-rsa QWERTYUIOP' -``` From 7b88393ccf95e38a8d5784617c70eb850919d1f7 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Thu, 5 Oct 2017 23:55:34 +0200 Subject: [PATCH 26/32] Refactoring of admin-users + evolinux-base roles * rename admin-users to evolinux-users * splitting the "sudo" part for users between jessie and stretch * with stretch, the sudo group is customizable and properly configured * import evolinux-users role from evolinux-base at proper time to ensure ssh connections are possible for other users before cutting root's access * evomaintenance is also included in evolinux-base to have it available when users are created --- admin-users/defaults/main.yml | 3 -- admin-users/tasks/admin_user.yml | 11 ----- admin-users/tasks/sudo.yml | 48 ------------------- evolinux-base/defaults/main.yml | 26 ++++++---- evolinux-base/tasks/main.yml | 16 +++++-- evolinux-base/tasks/root.yml | 8 ++++ evolinux-base/tasks/ssh.yml | 8 ---- {admin-users => evolinux-users}/.kitchen.yml | 2 +- {admin-users => evolinux-users}/README.md | 8 ++-- evolinux-users/defaults/main.yml | 3 ++ .../handlers/main.yml | 0 {admin-users => evolinux-users}/meta/main.yml | 2 +- .../tasks/account.yml | 12 ----- .../tasks/main.yml | 10 ++-- .../tasks/profile.yml | 0 {admin-users => evolinux-users}/tasks/ssh.yml | 0 evolinux-users/tasks/sudo_jessie.yml | 21 ++++++++ evolinux-users/tasks/sudo_stretch.yml | 23 +++++++++ evolinux-users/tasks/user.yml | 15 ++++++ .../templates/sudoers_jessie.j2 | 0 .../templates/sudoers_stretch.j2 | 4 +- .../tests/spec/evolinux-users_spec.rb | 0 .../tests/test.yml | 4 +- 23 files changed, 115 insertions(+), 109 deletions(-) delete mode 100644 admin-users/defaults/main.yml delete mode 100644 admin-users/tasks/admin_user.yml delete mode 100644 admin-users/tasks/sudo.yml rename {admin-users => evolinux-users}/.kitchen.yml (92%) rename {admin-users => evolinux-users}/README.md (66%) create mode 100644 evolinux-users/defaults/main.yml rename {admin-users => evolinux-users}/handlers/main.yml (100%) rename {admin-users => 
evolinux-users}/meta/main.yml (88%) rename admin-users/tasks/user.yml => evolinux-users/tasks/account.yml (72%) rename {admin-users => evolinux-users}/tasks/main.yml (52%) rename {admin-users => evolinux-users}/tasks/profile.yml (100%) rename {admin-users => evolinux-users}/tasks/ssh.yml (100%) create mode 100644 evolinux-users/tasks/sudo_jessie.yml create mode 100644 evolinux-users/tasks/sudo_stretch.yml create mode 100644 evolinux-users/tasks/user.yml rename {admin-users => evolinux-users}/templates/sudoers_jessie.j2 (100%) rename {admin-users => evolinux-users}/templates/sudoers_stretch.j2 (75%) rename admin-users/tests/spec/admin-users_spec.rb => evolinux-users/tests/spec/evolinux-users_spec.rb (100%) rename {admin-users => evolinux-users}/tests/test.yml (94%) diff --git a/admin-users/defaults/main.yml b/admin-users/defaults/main.yml deleted file mode 100644 index ad5f42cb..00000000 --- a/admin-users/defaults/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -admin_users: {} -admin_users_group: adm diff --git a/admin-users/tasks/admin_user.yml b/admin-users/tasks/admin_user.yml deleted file mode 100644 index 329ce50e..00000000 --- a/admin-users/tasks/admin_user.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- - -- include: user.yml - -- include: profile.yml - -- include: ssh.yml - -- include: sudo.yml - -- meta: flush_handlers diff --git a/admin-users/tasks/sudo.yml b/admin-users/tasks/sudo.yml deleted file mode 100644 index e05ac614..00000000 --- a/admin-users/tasks/sudo.yml +++ /dev/null 
@@ -1,48 +0,0 @@ ---- - -- name: "Verify Evolinux sudoers file presence (jessie)" - template: - src: sudoers_jessie.j2 - dest: /etc/sudoers.d/evolinux - force: no - validate: '/usr/sbin/visudo -cf %s' - register: copy_sudoers_evolinux - when: ansible_distribution_release == "jessie" - -- name: "Verify Evolinux sudoers file presence (Debian 9 or later)" - template: - src: sudoers_stretch.j2 - dest: /etc/sudoers.d/evolinux - force: no - validate: '/usr/sbin/visudo -cf %s' - register: copy_sudoers_evolinux - when: ansible_distribution_major_version | version_compare('9', '>=') - -- name: "Verify Evolinux sudoers file permissions" - file: - path: /etc/sudoers.d/evolinux - mode: "0440" - state: file - -- name: "Add user in sudoers file for '{{ user.name }}' (jessie)" - replace: - dest: /etc/sudoers.d/evolinux - regexp: '^(User_Alias\s+ADMINS\s+=((?!{{ user.name }}).)*)$' - replace: '\1,{{ user.name }}' - validate: '/usr/sbin/visudo -cf %s' - when: - - ansible_distribution_release == "jessie" - - not copy_sudoers_evolinux.changed - -- name: "Create evolinux-sudo group (Debian 9 or later)" - group: - name: evolinux-sudo - system: yes - when: ansible_distribution_major_version | version_compare('9', '>=') - -- name: "Add user to evolinux-sudo group (Debian 9 or later)" - user: - name: '{{ user.name }}' - groups: 'evolinux-sudo' - append: yes - when: ansible_distribution_major_version | version_compare('9', '>=') diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index 4328b241..174fc2d0 100644 --- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml 
@@ -100,6 +100,22 @@ evolinux_system_alert5_init: True evolinux_system_alert5_enable: True evolinux_system_eni_auto: True +# evomaintenance + +evolinux_evomaintenance_include: True + +# ssh + +evolinux_ssh_include: True + +evolinux_ssh_password_auth_addresses: [] +evolinux_ssh_match_address: True +evolinux_ssh_disable_acceptenv: True + +# evolinux users + +evolinux_users_include: True + # root evolinux_root_include: True @@ -112,15 +128,7 @@ evolinux_root_gitconfig: True evolinux_root_bash_history_appendonly: True evolinux_root_vim_default: True evolinux_root_vim_conf: True - -# ssh - -evolinux_ssh_include: True - -evolinux_ssh_password_auth_addresses: [] -evolinux_ssh_match_address: True -evolinux_ssh_disable_root: False -evolinux_ssh_disable_acceptenv: True +evolinux_root_disable_ssh: True # postfix diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml index f44cfa11..b400e334 100644 --- a/evolinux-base/tasks/main.yml +++ b/evolinux-base/tasks/main.yml @@ -34,14 +34,24 @@ include: system.yml when: evolinux_system_include -- name: Root user configuration - include: root.yml - when: evolinux_root_include +- name: Evomaintenance + include_role: + name: evomaintenance + when: evolinux_evomaintenance_include - name: SSH configuration include: ssh.yml when: evolinux_ssh_include +- name: Create evolinux users + include_role: + name: evolinux-users + when: evolinux_users_include + +- name: Root user configuration + include: root.yml + when: evolinux_root_include + - name: Postfix include: postfix.yml when: evolinux_postfix_include diff --git a/evolinux-base/tasks/root.yml b/evolinux-base/tasks/root.yml index ffe64fe1..4c66324a 100644 --- a/evolinux-base/tasks/root.yml +++ b/evolinux-base/tasks/root.yml 
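Review bot: `root.yml` — which now carries the `disable SSH access for root` task, enabled by the new `evolinux_root_disable_ssh: True` default in the defaults hunk — is still included unconditionally after the users role, so on a host where `evolinux_users` is left at its `{}` default (a case the users role itself only warns about) root SSH is disabled with no other account created, which is the lock-out the previous commit in this series tried to avoid. Guard the root include, or the disable task inside it, on users having been defined, e.g. `when: evolinux_root_include and evolinux_users != {}`, or fail early with `- assert: that: evolinux_users != {}` under `when: evolinux_root_disable_ssh`. A comment on the ordering ("users must exist before root access is cut") would make the dependency explicit for the next person reordering these includes.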
@@ -80,4 +80,12 @@ - "set shiftwidth=4" when: evolinux_root_vim_conf +- name: disable SSH access for root + replace: + dest: /etc/ssh/sshd_config + regexp: '^PermitRootLogin (yes|without-password)' + replace: "PermitRootLogin no" + notify: reload sshd + when: evolinux_root_disable_ssh + - meta: flush_handlers diff --git a/evolinux-base/tasks/ssh.yml b/evolinux-base/tasks/ssh.yml index 6fc80292..8094d8bc 100644 --- a/evolinux-base/tasks/ssh.yml +++ b/evolinux-base/tasks/ssh.yml @@ -17,14 +17,6 @@ notify: reload sshd when: not evolinux_ssh_password_auth_addresses == [] -- name: disable SSH access for root - replace: - dest: /etc/ssh/sshd_config - regexp: '^PermitRootLogin (yes|without-password)' - replace: "PermitRootLogin no" - notify: reload sshd - when: evolinux_ssh_disable_root - # We disable AcceptEnv because it can be a security issue, but also because we # do not want clients to push their environment variables like LANG. - name: disable AcceptEnv in ssh config diff --git a/admin-users/.kitchen.yml b/evolinux-users/.kitchen.yml similarity index 92% rename from admin-users/.kitchen.yml rename to evolinux-users/.kitchen.yml index f9ea107a..0c97cc85 100644 --- a/admin-users/.kitchen.yml +++ b/evolinux-users/.kitchen.yml @@ -31,7 +31,7 @@ suites: playbook: ./tests/test.yml verifier: patterns: - - admin-users/tests/spec/admin-users_spec.rb + - evolinux-users/tests/spec/evolinux-users_spec.rb bundler_path: '/usr/local/bin' rspec_path: '/usr/local/bin' diff --git a/admin-users/README.md b/evolinux-users/README.md similarity index 66% rename from admin-users/README.md rename to evolinux-users/README.md index 68b0044d..83d69172 100644 --- a/admin-users/README.md +++ b/evolinux-users/README.md @@ -1,6 +1,6 @@ -# admin-users +# evolinux-users -Creates admin users accounts, based on a configuration data structure. +Creates evolinux users accounts, based on a configuration data structure. ## Tasks 
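Review bot: The added `disable SSH access for root` task only rewrites an existing uncommented `PermitRootLogin yes|without-password` line, so on a stock Debian 9 sshd_config — where, as far as I recall, the directive ships commented out as `#PermitRootLogin prohibit-password` — `replace` matches nothing, reports no change, and root stays reachable over SSH with keys even though `evolinux_root_disable_ssh` is `True`; `prohibit-password` is not in the regexp either. Use `lineinfile` with `regexp: '^#?PermitRootLogin\s'`, `line: 'PermitRootLogin no'` and `validate: '/usr/sbin/sshd -T -f %s'` so the directive is set regardless of its current form and a broken config never reaches the `reload sshd` handler. The commented-out sshd tasks removed earlier in this series did carry `validate`, so dropping it here reads as a regression rather than a style choice.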
@@ -8,10 +8,10 @@ Everything is in the `tasks/main.yml` file. ## Available variables -The variable `admin_users` must be a "dict" of one or more users : +The variable `evolinux_users` must be a "dict" of one or more users : ``` -admin_users: +evolinux_users: foo: name: foo uid: 1001 diff --git a/evolinux-users/defaults/main.yml b/evolinux-users/defaults/main.yml new file mode 100644 index 00000000..f0947958 --- /dev/null +++ b/evolinux-users/defaults/main.yml @@ -0,0 +1,3 @@ +--- +evolinux_users: {} +evolinux_sudo_group: "evolinux-sudo" diff --git a/admin-users/handlers/main.yml b/evolinux-users/handlers/main.yml similarity index 100% rename from admin-users/handlers/main.yml rename to evolinux-users/handlers/main.yml diff --git a/admin-users/meta/main.yml b/evolinux-users/meta/main.yml similarity index 88% rename from admin-users/meta/main.yml rename to evolinux-users/meta/main.yml index 006768d3..9bae9e73 100644 --- a/admin-users/meta/main.yml +++ b/evolinux-users/meta/main.yml @@ -1,6 +1,6 @@ galaxy_info: author: Evolix - description: Creates admin users accounts. + description: Creates evolinux users accounts. issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues diff --git a/admin-users/tasks/user.yml b/evolinux-users/tasks/account.yml similarity index 72% rename from admin-users/tasks/user.yml rename to evolinux-users/tasks/account.yml index 94f1a0c3..453eca66 100644 --- a/admin-users/tasks/user.yml +++ b/evolinux-users/tasks/account.yml 
@@ -35,18 +35,6 @@ update_password: on_create when: loginisbusy.rc != 0 and uidisbusy.rc == 0 -- name: "Create {{ admin_users_group }} group (Debian 9 or later)" - group: - name: "{{ admin_users_group }}" - when: ansible_distribution_major_version | version_compare('9', '>=') - -- name: "Add user to {{ admin_users_group }} group (Debian 9 or later)" - user: - name: '{{ user.name }}' - groups: '{{ admin_users_group }}' - append: yes - when: ansible_distribution_major_version | version_compare('9', '>=') - - name: "Fix perms on homedirectory for '{{ user.name }}'" file: name: '/home/{{ user.name }}' diff --git a/admin-users/tasks/main.yml b/evolinux-users/tasks/main.yml similarity index 52% rename from admin-users/tasks/main.yml rename to evolinux-users/tasks/main.yml index 6a1d1506..f168ae08 100644 --- a/admin-users/tasks/main.yml +++ b/evolinux-users/tasks/main.yml @@ -6,11 +6,11 @@ - ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<') - debug: - msg: "Warning: empty 'admin_users' variable, tasks will be skipped!" - when: admin_users == {} + msg: "Warning: empty 'evolinux_users' variable, tasks will be skipped!" + when: evolinux_users == {} -- include: admin_user.yml +- include: user.yml vars: user: "{{ item.value }}" - with_dict: "{{ admin_users }}" - when: admin_users != {} + with_dict: "{{ evolinux_users }}" + when: evolinux_users != {} diff --git a/admin-users/tasks/profile.yml b/evolinux-users/tasks/profile.yml similarity index 100% rename from admin-users/tasks/profile.yml rename to evolinux-users/tasks/profile.yml diff --git a/admin-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml similarity index 100% rename from admin-users/tasks/ssh.yml rename to evolinux-users/tasks/ssh.yml diff --git a/evolinux-users/tasks/sudo_jessie.yml b/evolinux-users/tasks/sudo_jessie.yml new file mode 100644 index 00000000..fd854c1f --- /dev/null +++ b/evolinux-users/tasks/sudo_jessie.yml 
@@ -0,0 +1,21 @@ +--- + +- name: "Verify Evolinux sudoers file presence (jessie)" + template: + src: sudoers_jessie.j2 + dest: /etc/sudoers.d/evolinux + force: no + mode: "0440" + validate: '/usr/sbin/visudo -cf %s' + register: copy_sudoers_evolinux + when: ansible_distribution_release == "jessie" + +- name: "Add user in sudoers file for '{{ user.name }}' (jessie)" + replace: + dest: /etc/sudoers.d/evolinux + regexp: '^(User_Alias\s+ADMINS\s+=((?!{{ user.name }}).)*)$' + replace: '\1,{{ user.name }}' + validate: '/usr/sbin/visudo -cf %s' + when: + - ansible_distribution_release == "jessie" + - not copy_sudoers_evolinux.changed diff --git a/evolinux-users/tasks/sudo_stretch.yml b/evolinux-users/tasks/sudo_stretch.yml new file mode 100644 index 00000000..7358fbf1 --- /dev/null +++ b/evolinux-users/tasks/sudo_stretch.yml @@ -0,0 +1,23 @@ +--- + +- name: "Verify Evolinux sudoers file presence (Debian 9 or later)" + template: + src: sudoers_stretch.j2 + dest: /etc/sudoers.d/evolinux + force: no + validate: '/usr/sbin/visudo -cf %s' + register: copy_sudoers_evolinux + when: ansible_distribution_major_version | version_compare('9', '>=') + +- name: "Create evolinux-sudo group (Debian 9 or later)" + group: + name: "{{ evolinux_sudo_group }}" + system: yes + when: ansible_distribution_major_version | version_compare('9', '>=') + +- name: "Add user to evolinux-sudo group (Debian 9 or later)" + user: + name: '{{ user.name }}' + groups: "{{ evolinux_sudo_group }}" + append: yes + when: ansible_distribution_major_version | version_compare('9', '>=') diff --git a/evolinux-users/tasks/user.yml b/evolinux-users/tasks/user.yml new file mode 100644 index 00000000..73fea728 --- /dev/null +++ b/evolinux-users/tasks/user.yml 
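Review bot: In the "Add user in sudoers file" task, `user.name` is interpolated into `regexp` unescaped, so a login containing a regex metacharacter (`.`, `+`, `$`) silently changes the pattern, and the negative lookahead works on substrings, so an existing `foobar` entry in `User_Alias ADMINS` stops `foo` from ever being appended. Escaping the name and bounding it fixes both: `regexp: '^(User_Alias\s+ADMINS\s+=((?!\b{{ user.name | regex_escape }}\b).)*)$'`. The `validate:` call catches a malformed sudoers fragment but not a user that was silently never added, so it is worth a one-line comment saying the lookahead is what provides idempotence here.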
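Review bot: The `template` task writing `/etc/sudoers.d/evolinux` in sudo_stretch.yml sets no `mode:`, unlike its jessie counterpart in the same commit which uses `mode: "0440"`; with Ansible's umask-derived default the file typically lands as 0644, and sudo refuses to read a sudoers.d fragment whose permissions exceed 0440 (it warns `is mode 0644, should be 0440`), so the `evolinux-sudo` grant would quietly not apply. Add `mode: "0440"` after `force: no`; `validate` only checks syntax and will not catch this. Because `force: no` is used, a later change to `evolinux_sudo_group` will also not be re-rendered into a file that already exists, which deserves a comment next to `force: no`.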
@@ -0,0 +1,15 @@ +--- + +- include: account.yml + +- include: profile.yml + +- include: ssh.yml + +- include: sudo_jessie.yml + when: ansible_distribution_release == "jessie" + +- include: sudo_stretch.yml + when: ansible_distribution_major_version | version_compare('9', '>=') + +- meta: flush_handlers diff --git a/admin-users/templates/sudoers_jessie.j2 b/evolinux-users/templates/sudoers_jessie.j2 similarity index 100% rename from admin-users/templates/sudoers_jessie.j2 rename to evolinux-users/templates/sudoers_jessie.j2 diff --git a/admin-users/templates/sudoers_stretch.j2 b/evolinux-users/templates/sudoers_stretch.j2 similarity index 75% rename from admin-users/templates/sudoers_stretch.j2 rename to evolinux-users/templates/sudoers_stretch.j2 index 8de1bbc6..289a65ee 100644 --- a/admin-users/templates/sudoers_stretch.j2 +++ b/evolinux-users/templates/sudoers_stretch.j2 @@ -5,5 +5,5 @@ Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt -%evolinux-sudo ALL=(ALL:ALL) ALL -%evolinux-sudo ALL = NOPASSWD: MAINT +%{{ evolinux_sudo_group }} ALL=(ALL:ALL) ALL +%{{ evolinux_sudo_group }} ALL = NOPASSWD: MAINT diff --git a/admin-users/tests/spec/admin-users_spec.rb b/evolinux-users/tests/spec/evolinux-users_spec.rb similarity index 100% rename from admin-users/tests/spec/admin-users_spec.rb rename to evolinux-users/tests/spec/evolinux-users_spec.rb diff --git a/admin-users/tests/test.yml b/evolinux-users/tests/test.yml similarity index 94% rename from admin-users/tests/test.yml rename to evolinux-users/tests/test.yml index 06c29643..f622eebf 100644 --- a/admin-users/tests/test.yml +++ b/evolinux-users/tests/test.yml @@ -2,7 +2,7 @@ - hosts: test-kitchen vars: - admin_users: + evolinux_users: foo: name: foo uid: 1001 @@ -20,4 +20,4 @@ # state: directory roles: - - role: admin-users + - role: evolinux-users 
From ef93d5679939f37356d61bf1ad29ddd4ae19cff9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 6 Oct 2017 00:21:44 +0200 Subject: [PATCH 27/32] evolinux-base: better task name for postfix --- evolinux-base/tasks/postfix.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evolinux-base/tasks/postfix.yml b/evolinux-base/tasks/postfix.yml index 9aad67e4..84bb06a2 100644 --- a/evolinux-base/tasks/postfix.yml +++ b/evolinux-base/tasks/postfix.yml @@ -1,6 +1,6 @@ --- -- name: packages are installed +- name: Postfix packages are installed apt: name: "{{ item }}" state: present From f759b849a53180f9014bbc63cd81cdc0946d76f4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 6 Oct 2017 00:51:20 +0200 Subject: [PATCH 28/32] evolinux-users: install many ssh keys if needed --- evolinux-users/tasks/ssh.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/evolinux-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml index d74a51f2..85d01a8b 100644 --- a/evolinux-users/tasks/ssh.yml +++ b/evolinux-users/tasks/ssh.yml @@ -14,6 +14,17 @@ user: "{{ user.name }}" key: "{{ user.ssh_key }}" state: present + when: user.ssh_key is defined + +- name: "Add user's SSH public keys for '{{ user.name }}'" + authorized_key: + user: "{{ user.name }}" + key: "{{ ssk_key }}" + state: present + with_items: "{{ user.ssh_keys }}" + loop_control: + loop_var: ssk_key + when: user.ssh_keys is defined # we must double-escape caracters, because python - name: verify AllowUsers directive From 2b253e075c7b5fd7ee70a3dc0ba3b6e081fbddb9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 6 Oct 2017 01:04:48 +0200 Subject: [PATCH 29/32] Users can be added to secondary groups --- evolinux-users/README.md | 8 +++++++- evolinux-users/tasks/account.yml | 17 ++++++++++++++++- 2 files changed, 23 insertions(+), 2 deletions(-) 
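Review bot: `with_items: "{{ user.ssh_keys }}"` in the new "Add user's SSH public keys" task is evaluated before the per-item `when`, so a user entry without `ssh_keys` fails on the undefined attribute instead of being skipped; `when: user.ssh_keys is defined` does not protect the loop expression itself. Use `with_items: "{{ user.ssh_keys | default([]) }}"`, after which the `when` line is redundant. The same pattern appears in the "Create secondary groups" task of the account.yml hunk in the next commit, where `with_items: "{{ user.groups | default([]) }}"` is the equivalent fix. The loop variable `ssk_key` reads like a typo of `ssh_key`; since `loop_var` exists precisely to avoid a clash with that name, a distinct name such as `pubkey` would make the intent obvious.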
diff --git a/evolinux-users/README.md b/evolinux-users/README.md index 83d69172..439bd898 100644 --- a/evolinux-users/README.md +++ b/evolinux-users/README.md @@ -16,12 +16,18 @@ evolinux_users: name: foo uid: 1001 fullname: 'Mr Foo' + groups: "baz" password_hash: 'sdfgsdfgsdfgsdfg' ssh_key: 'ssh-rsa AZERTYXYZ' bar: name: bar uid: 1002 fullname: 'Mr Bar' + groups: + - "baz" + - "qux" password_hash: 'gsdfgsdfgsdfgsdf' - ssh_key: 'ssh-rsa QWERTYUIOP' + ssh_keys: + - 'ssh-rsa QWERTYUIOP' + - 'ssh-ed25519 QWERTYUIOP' ``` diff --git a/evolinux-users/tasks/account.yml b/evolinux-users/tasks/account.yml index 453eca66..1ed142f9 100644 --- a/evolinux-users/tasks/account.yml +++ b/evolinux-users/tasks/account.yml @@ -35,7 +35,22 @@ update_password: on_create when: loginisbusy.rc != 0 and uidisbusy.rc == 0 -- name: "Fix perms on homedirectory for '{{ user.name }}'" +- name: "Create secondary groups" + group: + name: "{{ group }}" + with_items: "{{ user.groups }}" + loop_control: + loop_var: group + when: user.groups is defined + +- name: "Add user '{{ user.name }}' to secondary groups" + user: + name: '{{ user.name }}' + groups: "{{ user.groups }}" + append: yes + when: user.groups is defined + +- name: "Fix perms on home directory for '{{ user.name }}'" file: name: '/home/{{ user.name }}' mode: "0700" From fedbc5b579321d06ee93c5b84aca0580e37b6f0e Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 6 Oct 2017 12:05:07 +0200 Subject: [PATCH 30/32] evolinux-users: no need to repeat condition --- evolinux-users/tasks/sudo_jessie.yml | 5 +---- evolinux-users/tasks/sudo_stretch.yml | 3 --- 2 files changed, 1 insertion(+), 7 deletions(-) diff --git a/evolinux-users/tasks/sudo_jessie.yml b/evolinux-users/tasks/sudo_jessie.yml index fd854c1f..f675954e 100644 --- a/evolinux-users/tasks/sudo_jessie.yml +++ b/evolinux-users/tasks/sudo_jessie.yml 
@@ -8,7 +8,6 @@ mode: "0440" validate: '/usr/sbin/visudo -cf %s' register: copy_sudoers_evolinux - when: ansible_distribution_release == "jessie" - name: "Add user in sudoers file for '{{ user.name }}' (jessie)" replace: @@ -16,6 +15,4 @@ regexp: '^(User_Alias\s+ADMINS\s+=((?!{{ user.name }}).)*)$' replace: '\1,{{ user.name }}' validate: '/usr/sbin/visudo -cf %s' - when: - - ansible_distribution_release == "jessie" - - not copy_sudoers_evolinux.changed + when: not copy_sudoers_evolinux.changed diff --git a/evolinux-users/tasks/sudo_stretch.yml b/evolinux-users/tasks/sudo_stretch.yml index 7358fbf1..f77ae484 100644 --- a/evolinux-users/tasks/sudo_stretch.yml +++ b/evolinux-users/tasks/sudo_stretch.yml @@ -7,17 +7,14 @@ force: no validate: '/usr/sbin/visudo -cf %s' register: copy_sudoers_evolinux - when: ansible_distribution_major_version | version_compare('9', '>=') - name: "Create evolinux-sudo group (Debian 9 or later)" group: name: "{{ evolinux_sudo_group }}" system: yes - when: ansible_distribution_major_version | version_compare('9', '>=') - name: "Add user to evolinux-sudo group (Debian 9 or later)" user: name: '{{ user.name }}' groups: "{{ evolinux_sudo_group }}" append: yes - when: ansible_distribution_major_version | version_compare('9', '>=') From ed17676432557c49a3b4c4059789fd8a50325cfc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Thu, 5 Oct 2017 00:25:13 +0200 Subject: [PATCH 31/32] A real systemd unit for alert5 --- evolinux-base/files/alert5.service | 9 +++ evolinux-base/tasks/system.yml | 55 ++++++++++++++----- evolinux-base/templates/system/alert5.sh.j2 | 7 +++ .../{init_alert5.j2 => alert5.sysvinit.j2} | 0 4 files changed, 57 insertions(+), 14 deletions(-) create mode 100644 evolinux-base/files/alert5.service create mode 100644 evolinux-base/templates/system/alert5.sh.j2 rename evolinux-base/templates/system/{init_alert5.j2 => alert5.sysvinit.j2} (100%) 
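Review bot: `when: not copy_sudoers_evolinux.changed` skips the `replace` on the very run that installs `/etc/sudoers.d/evolinux`, so unless `sudoers_jessie.j2` already lists `{{ user.name }}` in `User_Alias ADMINS` (the template is not in this patch) the user only gains sudo on the second run, and in `--check` mode the template task always reports changed so the replace never runs. The negative lookahead in the `regexp` already makes the replace a no-op when the name is present, so the condition can simply be dropped and the task run unconditionally. If the condition is kept on purpose, a comment stating that the template is expected to contain the user would save the next reader the same question.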
diff --git a/evolinux-base/files/alert5.service b/evolinux-base/files/alert5.service new file mode 100644 index 00000000..ea560a51 --- /dev/null +++ b/evolinux-base/files/alert5.service @@ -0,0 +1,9 @@ +[Unit] +Description=Evolix alert5 script + +[Service] +Type=oneshot +ExecStart=/usr/share/scripts/alert5.sh + +[Install] +WantedBy=multi-user.target diff --git a/evolinux-base/tasks/system.yml b/evolinux-base/tasks/system.yml index 261ef1a9..74051657 100644 --- a/evolinux-base/tasks/system.yml +++ b/evolinux-base/tasks/system.yml 
@@ -116,29 +116,56 @@ ## alert5 -- name: Install alert5 init script +- name: Install alert5 init script (jessie) template: - src: system/init_alert5.j2 + src: system/alert5.sysvinit.j2 dest: /etc/init.d/alert5 force: no mode: "0755" - when: evolinux_system_alert5_init + when: + - evolinux_system_alert5_init + - ansible_distribution_release == "jessie" - -#TODO: switch service/systemd modules with Ansible 2.2+ - -- name: Enable alert5 init script +- name: Enable alert5 init script (jessie) service: name: alert5 enabled: yes - when: evolinux_system_alert5_init and evolinux_system_alert5_enable + when: + - evolinux_system_alert5_init + - evolinux_system_alert5_enable + - ansible_distribution_release == "jessie" -# - name: Enable alert5 init script -# systemd: -# name: alert5 -# daemon_reload: yes -# enabled: yes -# when: evolinux_system_alert5_init and evolinux_system_alert5_enable + + +- name: Install alert5 init script (stretch) + template: + src: system/alert5.sh.j2 + dest: /usr/share/scripts/alert5.sh + force: no + mode: "0755" + when: + - evolinux_system_alert5_init + - ansible_distribution_major_version | version_compare('9', '>=') + +- name: Install alert5 service (stretch) + copy: + src: alert5.service + dest: /etc/systemd/system/alert5.service + force: yes + mode: "0755" + when: + - evolinux_system_alert5_init + - ansible_distribution_major_version | version_compare('9', '>=') + +- name: Enable alert5 init script (stretch) + systemd: + name: alert5 + daemon_reload: yes + enabled: yes + when: + - evolinux_system_alert5_init + - evolinux_system_alert5_enable + - ansible_distribution_major_version | version_compare('9', '>=') ## network interfaces diff --git a/evolinux-base/templates/system/alert5.sh.j2 b/evolinux-base/templates/system/alert5.sh.j2 new file mode 100644 index 00000000..7949af28 --- /dev/null +++ b/evolinux-base/templates/system/alert5.sh.j2 
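Review bot: The `copy` of `alert5.service` into `/etc/systemd/system/` uses `mode: "0755"`, apparently carried over from the script-install task above it; a unit file does not need to be executable and systemd logs a warning for executable unit files (along the lines of `is marked executable. Please remove executable permission bits`). Use `mode: "0644"` on that task. `force: yes` there is right, since unit content should track the role, but the `alert5.sh.j2` task just above keeps `force: no`, so later edits to the script template never reach hosts that already have it; that matches the sysvinit task, and a comment saying so (`# force: no -- local edits to the script are preserved`) would make the asymmetry deliberate rather than accidental.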
@@ -0,0 +1,7 @@ +#!/bin/sh + +## sends a mail when booting +date | mail -s'boot/reboot' {{ reboot_alert_email or general_alert_email | mandatory }} + +## starts the firewall +#/etc/init.d/minifirewall start diff --git a/evolinux-base/templates/system/init_alert5.j2 b/evolinux-base/templates/system/alert5.sysvinit.j2 similarity index 100% rename from evolinux-base/templates/system/init_alert5.j2 rename to evolinux-base/templates/system/alert5.sysvinit.j2 From 7f4eb747de5db5d326be1a0a7cb343a71ac46a2e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 6 Oct 2017 01:09:48 +0200 Subject: [PATCH 32/32] change alert5 only for buster --- evolinux-base/tasks/system.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/evolinux-base/tasks/system.yml b/evolinux-base/tasks/system.yml index 74051657..2102765b 100644 --- a/evolinux-base/tasks/system.yml +++ b/evolinux-base/tasks/system.yml @@ -116,7 +116,7 @@ ## alert5 -- name: Install alert5 init script (jessie) +- name: Install alert5 init script (jessie/stretch) template: src: system/alert5.sysvinit.j2 dest: /etc/init.d/alert5 @@ -124,20 +124,20 @@ mode: "0755" when: - evolinux_system_alert5_init - - ansible_distribution_release == "jessie" + - ansible_distribution_release == "jessie" or ansible_distribution_release == "stretch" -- name: Enable alert5 init script (jessie) +- name: Enable alert5 init script (jessie/stretch) service: name: alert5 enabled: yes when: - evolinux_system_alert5_init - evolinux_system_alert5_enable - - ansible_distribution_release == "jessie" + - ansible_distribution_release == "jessie" or ansible_distribution_release == "stretch" -- name: Install alert5 init script (stretch) +- name: Install alert5 init script (buster) template: src: system/alert5.sh.j2 dest: /usr/share/scripts/alert5.sh 
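Review bot: In `{{ reboot_alert_email or general_alert_email | mandatory }}` the filter binds tighter than `or`, so `mandatory` only guards `general_alert_email`, and an undefined `reboot_alert_email` is evaluated by `or` directly, which under Ansible's strict undefined handling is likely to fail the template rather than fall through. `{{ reboot_alert_email | default(general_alert_email, true) | mandatory }}` expresses the intended fallback and keeps the mandatory check on whichever value is used. Quoting the address in the shell line (`mail -s 'boot/reboot' '{{ ... }}'`) keeps the command well-formed if a configured value ever contains shell-special characters. The commented-out `#/etc/init.d/minifirewall start` suggests the sysvinit script may also have started the firewall; if so, a comment naming where that now happens on systemd hosts would help.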
@@ -145,9 +145,9 @@ mode: "0755" when: - evolinux_system_alert5_init - - ansible_distribution_major_version | version_compare('9', '>=') + - ansible_distribution_major_version | version_compare('10', '>=') -- name: Install alert5 service (stretch) +- name: Install alert5 service (buster) copy: src: alert5.service dest: /etc/systemd/system/alert5.service @@ -155,9 +155,9 @@ mode: "0755" when: - evolinux_system_alert5_init - - ansible_distribution_major_version | version_compare('9', '>=') + - ansible_distribution_major_version | version_compare('10', '>=') -- name: Enable alert5 init script (stretch) +- name: Enable alert5 init script (buster) systemd: name: alert5 daemon_reload: yes @@ -165,7 +165,7 @@ when: - evolinux_system_alert5_init - evolinux_system_alert5_enable - - ansible_distribution_major_version | version_compare('9', '>=') + - ansible_distribution_major_version | version_compare('10', '>=') ## network interfaces
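Review bot: After this change the systemd tasks gate on `ansible_distribution_major_version | version_compare('10', '>=')` while the sysvinit tasks in the `@@ -124` hunk gate on `ansible_distribution_release == "jessie" or ansible_distribution_release == "stretch"`, so the two branches are not complements of each other: a host whose release name is neither of those but whose major version is below 10 gets neither alert5 variant, and a host where the name and the number disagree could get both. Gating the jessie/stretch tasks on the same fact, `- ansible_distribution_major_version | version_compare('10', '<')`, makes the split explicit and keeps it in step with the `'10'` threshold used here and in the `@@ -155` and `@@ -165` hunks.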