Merge remote-tracking branch 'origin/unstable' into unstable
commit
9a93e8d449
|
@ -1,3 +0,0 @@
|
|||
---
|
||||
admin_users: {}
|
||||
admin_users_group: adm
|
|
@ -1,11 +0,0 @@
|
|||
---
|
||||
|
||||
- include: user.yml
|
||||
|
||||
- include: profile.yml
|
||||
|
||||
- include: ssh.yml
|
||||
|
||||
- include: sudo.yml
|
||||
|
||||
- meta: flush_handlers
|
|
@ -1,48 +0,0 @@
|
|||
---
|
||||
|
||||
- name: "Verify Evolinux sudoers file presence (jessie)"
|
||||
template:
|
||||
src: sudoers_jessie.j2
|
||||
dest: /etc/sudoers.d/evolinux
|
||||
force: no
|
||||
validate: '/usr/sbin/visudo -cf %s'
|
||||
register: copy_sudoers_evolinux
|
||||
when: ansible_distribution_release == "jessie"
|
||||
|
||||
- name: "Verify Evolinux sudoers file presence (Debian 9 or later)"
|
||||
template:
|
||||
src: sudoers_stretch.j2
|
||||
dest: /etc/sudoers.d/evolinux
|
||||
force: no
|
||||
validate: '/usr/sbin/visudo -cf %s'
|
||||
register: copy_sudoers_evolinux
|
||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||
|
||||
- name: "Verify Evolinux sudoers file permissions"
|
||||
file:
|
||||
path: /etc/sudoers.d/evolinux
|
||||
mode: "0440"
|
||||
state: file
|
||||
|
||||
- name: "Add user in sudoers file for '{{ user.name }}' (jessie)"
|
||||
replace:
|
||||
dest: /etc/sudoers.d/evolinux
|
||||
regexp: '^(User_Alias\s+ADMINS\s+=((?!{{ user.name }}).)*)$'
|
||||
replace: '\1,{{ user.name }}'
|
||||
validate: '/usr/sbin/visudo -cf %s'
|
||||
when:
|
||||
- ansible_distribution_release == "jessie"
|
||||
- not copy_sudoers_evolinux.changed
|
||||
|
||||
- name: "Create evolinux-sudo group (Debian 9 or later)"
|
||||
group:
|
||||
name: evolinux-sudo
|
||||
system: yes
|
||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||
|
||||
- name: "Add user to evolinux-sudo group (Debian 9 or later)"
|
||||
user:
|
||||
name: '{{ user.name }}'
|
||||
groups: 'evolinux-sudo'
|
||||
append: yes
|
||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
|
@ -19,9 +19,6 @@
|
|||
tags:
|
||||
- apt
|
||||
|
||||
- debug:
|
||||
var: apt_install_evolix_public
|
||||
|
||||
- name: Install Evolix Public APT repository
|
||||
include: evolix_public.yml
|
||||
when: apt_install_evolix_public
|
||||
|
|
|
@ -5,23 +5,3 @@ Install tools to setup DRBD replication accross servers.
|
|||
## Tasks
|
||||
|
||||
Everything is in the `tasks/main.yml` file.
|
||||
|
||||
## Available variables
|
||||
|
||||
The variable `admin_users` must be a "dict" of one or more users :
|
||||
|
||||
```
|
||||
admin_users:
|
||||
foo:
|
||||
name: foo
|
||||
uid: 1001
|
||||
fullname: 'Mr Foo'
|
||||
password_hash: 'sdfgsdfgsdfgsdfg'
|
||||
ssh_key: 'ssh-rsa AZERTYXYZ'
|
||||
bar:
|
||||
name: bar
|
||||
uid: 1002
|
||||
fullname: 'Mr Bar'
|
||||
password_hash: 'gsdfgsdfgsdfgsdf'
|
||||
ssh_key: 'ssh-rsa QWERTYUIOP'
|
||||
```
|
||||
|
|
|
@ -10,5 +10,5 @@
|
|||
[ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt'
|
||||
|
||||
find "${CRT_DIR}" -maxdepth 1 -mindepth 1 -type d ! -path "*accounts" -exec basename {} \; | while read vhost; do
|
||||
evoacme "$vhost"
|
||||
evoacme "$vhost"
|
||||
done
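Review bot: The wrapper still invokes `evoacme "$vhost"` with no `--cron` flag, while the evoacme.sh in this same commit sets `CRON=NO` when given a single argument and then prints the "Using CSR file" and "thxbye" lines on every run, so each cron invocation will emit output (and cron mail) for every vhost even when nothing is renewed; if the quiet path is intended, the call should read `evoacme --cron "$vhost"`. Old and new print identically here, so the actual change to this line may be whitespace-only and this is inferred from the new evoacme.sh rather than from this hunk. While touching the loop, `while read vhost` should be `while read -r vhost` so a backslash in a directory name is not mangled.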
|
||||
|
|
|
@ -7,78 +7,109 @@
|
|||
# Licence: AGPLv3
|
||||
#
|
||||
|
||||
set -e
|
||||
|
||||
usage() {
|
||||
echo "Usage: $0 NAME"
|
||||
echo ""
|
||||
echo "NAME must be correspond to :"
|
||||
echo "- a CSR in ${CSR_DIR}/NAME.csr"
|
||||
echo "- a KEY in ${SSL_KEY_DIR}/NAME.key"
|
||||
echo ""
|
||||
echo "Usage: $0 [ --cron ] NAME"
|
||||
echo ""
|
||||
echo "NAME must be correspond to :"
|
||||
echo "- a CSR in ${CSR_DIR}/NAME.csr"
|
||||
echo "- a KEY in ${SSL_KEY_DIR}/NAME.key"
|
||||
echo ""
|
||||
}
|
||||
|
||||
mkconf_apache() {
|
||||
[ -f "/etc/apache2/ssl/${vhost}.conf" ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $CRT_DIR/${vhost}/live/fullchain.pem~" "/etc/apache2/ssl/${vhost}.conf"
|
||||
apache2ctl -t 2>/dev/null && service apache2 reload
|
||||
echo "Apache detected... first configuration"
|
||||
[ -f "/etc/apache2/ssl/${vhost}.conf" ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $CRT_DIR/${vhost}/live/fullchain.pem~" "/etc/apache2/ssl/${vhost}.conf"
|
||||
apache2ctl -t
|
||||
}
|
||||
|
||||
mkconf_nginx() {
|
||||
[ -f "/etc/nginx/ssl/${vhost}.conf" ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $CRT_DIR/${vhost}/live/fullchain.pem;~" "/etc/nginx/ssl/${vhost}.conf"
|
||||
nginx -t 2>/dev/null && service nginx reload
|
||||
}
|
||||
|
||||
mkconf_haproxy() {
|
||||
mkdir -p /etc/ssl/haproxy -m 700
|
||||
cat "$CRT_DIR/${vhost}/live/fullchain.pem" "$SSL_KEY_DIR/${vhost}.key" > "/etc/ssl/haproxy/${vhost}.pem"
|
||||
[ -f "$DH_DIR/${vhost}.pem" ] && cat "$DH_DIR/${vhost}.pem" >> "/etc/ssl/haproxy/${vhost}.pem"
|
||||
haproxy -c -f /etc/haproxy/haproxy.cfg >/dev/null && service haproxy reload
|
||||
echo "Nginx detected... first configuration"
|
||||
[ -f "/etc/nginx/ssl/${vhost}.conf" ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $CRT_DIR/${vhost}/live/fullchain.pem;~" "/etc/nginx/ssl/${vhost}.conf"
|
||||
nginx -t
|
||||
}
|
||||
|
||||
main() {
|
||||
[ -f /etc/default/evoacme ] && . /etc/default/evoacme
|
||||
[ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private'
|
||||
[ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt'
|
||||
[ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests'
|
||||
[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed'
|
||||
[ -z "${DH_DIR}" ] && DH_DIR='/etc/ssl/dhparam'
|
||||
[ -z "${LOG_DIR}" ] && LOG_DIR='/var/log/evoacme'
|
||||
[ -f /etc/default/evoacme ] && . /etc/default/evoacme
|
||||
[ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR=/etc/ssl/private
|
||||
[ -z "${ACME_DIR}" ] && ACME_DIR=/var/lib/letsencrypt
|
||||
[ -z "${CSR_DIR}" ] && CSR_DIR=/etc/ssl/requests
|
||||
[ -z "${CRT_DIR}" ] && CRT_DIR=/etc/letsencrypt
|
||||
[ -z "${LOG_DIR}" ] && LOG_DIR=/var/log/evoacme
|
||||
[ -z "${SSL_MINDAY}" ] && SSL_MINDAY=30
|
||||
[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR=/etc/ssl/self-signed
|
||||
[ -z "${DH_DIR}" ] && DH_DIR=etc/ssl/dhparam
|
||||
|
||||
[ "$#" -ne 1 ] && usage && exit 1
|
||||
# misc verifications
|
||||
[ "$1" = "-h" ] || [ "$1" = "--help" ] && usage && exit 0
|
||||
which openssl >/dev/null || ( echo "error: openssl command not installed" && exit 1 )
|
||||
which certbot >/dev/null || ( echo "error: certbot command not installed" && exit 1 )
|
||||
[ ! -d $ACME_DIR ] && echo "error: $ACME_DIR is not a directory" && exit 1
|
||||
[ ! -d $CSR_DIR ] && echo "error: $CSR_DIR is not a directory" && exit 1
|
||||
[ ! -d $LOG_DIR ] && echo "error: $LOG_DIR is not a directory" && exit 1
|
||||
[ "$#" -ge 3 ] || [ "$#" -le 0 ] && echo "error: invalid argument(s)" && usage && exit 1
|
||||
[ "$#" -eq 2 ] && [ "$1" != "--cron" ] && echo "error: invalid argument(s)" && usage && exit 1
|
||||
|
||||
vhost=$(basename "$1" .conf)
|
||||
[ "$#" -eq 1 ] && vhost=$(basename "$1" .conf) && CRON=NO
|
||||
[ "$#" -eq 2 ] && vhost=$(basename "$2" .conf) && CRON=YES
|
||||
|
||||
# Check master status for evoadmin-cluster
|
||||
if [ -f "/home/${vhost}/state" ]; then
|
||||
grep -q "STATE=master" "/home/${vhost}/state" || exit 0
|
||||
fi
|
||||
# verify .csr file
|
||||
test ! -f "$CSR_DIR/${vhost}.csr" && echo "error: $CSR_DIR/${vhost}.csr absent" && exit 1
|
||||
test ! -r "$CSR_DIR/${vhost}.csr" && echo "error: $CSR_DIR/${vhost}.csr is not readable" && exit 1
|
||||
openssl req -noout -modulus -in "$CSR_DIR/${vhost}.csr" >/dev/null || ( echo "error: $CSR_DIR/${vhost}.csr is invalid" && exit 1 )
|
||||
[ "$CRON" = "NO" ] && echo "Using CSR file: $CSR_DIR/${vhost}.csr"
|
||||
|
||||
SSL_EMAIL=$(grep emailAddress "${CRT_DIR}/openssl.cnf"|cut -d'=' -f2|xargs)
|
||||
if [ -n "$SSL_EMAIL" ]; then
|
||||
emailopt="-m $SSL_EMAIL"
|
||||
else
|
||||
emailopt="--register-unsafely-without-email"
|
||||
fi
|
||||
DATE=$(date "+%Y%m%d")
|
||||
# Hook for evoadmin-web in cluster mode : check master status
|
||||
if [ -f "/home/${vhost}/state" ]; then
|
||||
grep -q "STATE=master" "/home/${vhost}/state" || exit 0
|
||||
fi
|
||||
|
||||
if [ -n "$SSL_EMAIL" ]; then
|
||||
emailopt="-m $SSL_EMAIL"
|
||||
else
|
||||
emailopt="--register-unsafely-without-email"
|
||||
fi
|
||||
|
||||
DATE=$(date "+%Y%m%d")
|
||||
[ ! -n "$DATE" ] && echo "error: invalid date" && exit 1
|
||||
|
||||
|
||||
# If live link already exists, it's not our first time...
|
||||
if [ -h "$CRT_DIR/${vhost}/live" ]; then
|
||||
openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/live/cert.crt" >/dev/null || ( echo "error: $CRT_DIR/${vhost}/live/cert.crt is invalid" && exit 1 )
|
||||
|
||||
# Verify if our certificate will expire
|
||||
crt_end_date=$(openssl x509 -noout -enddate -in "$CRT_DIR/${vhost}/live/cert.crt" | cut -d= -f2)
|
||||
date_renew=$(date -ud "$crt_end_date - $SSL_MINDAY days" +"%s")
|
||||
date_today=$(date +'%s')
|
||||
[ "$date_today" -lt "$date_renew" ] && ( [ "$CRON" = "NO" ] && echo "Cert $CRT_DIR/${vhost}/live/cert.crt expires at $crt_end_date => more than $SSL_MINDAY days: thxbye." || true ) && exit 0
|
||||
else
|
||||
which apache2ctl >/dev/null && mkconf_apache
|
||||
which nginx >/dev/null && mkconf_nginx
|
||||
fi
|
||||
|
||||
# renew certificate with certbot
|
||||
[ -d "$CRT_DIR/${vhost}/${DATE}" ] && echo "error: $CRT_DIR/${vhost}/${DATE} directory already exists, remove it manually." && exit 1
|
||||
mkdir -pm 755 "$CRT_DIR/${vhost}/${DATE}"
|
||||
chown -R acme: "$CRT_DIR/${vhost}/${DATE}"
|
||||
[ "$CRON" = "YES" ] && CERTBOT_OPTS="--quiet"
|
||||
sudo -u acme certbot certonly $CERTBOT_OPTS --webroot --csr "$CSR_DIR/${vhost}.csr" --webroot-path "$ACME_DIR" -n --agree-tos --cert-path="$CRT_DIR/${vhost}/${DATE}/cert.crt" --fullchain-path="$CRT_DIR/${vhost}/${DATE}/fullchain.pem" --chain-path="$CRT_DIR/${vhost}/${DATE}/chain.pem" "$emailopt" --logs-dir "$LOG_DIR" 2>&1 | grep -v "certbot.crypto_util"
|
||||
|
||||
# verify if all is right
|
||||
openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/${DATE}/cert.crt" >/dev/null || ( echo "error: new $CRT_DIR/${vhost}/${DATE}/cert.crt is invalid" && exit 1 )
|
||||
openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/${DATE}/fullchain.pem" >/dev/null || ( echo "error: new $CRT_DIR/${vhost}/${DATE}/fullchain.pem is invalid" && exit 1 )
|
||||
openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/${DATE}/chain.pem" >/dev/null || ( echo "error: new $CRT_DIR/${vhost}/${DATE}/chain.pem is invalid" && exit 1 )
|
||||
|
||||
# link dance
|
||||
[ -h "$CRT_DIR/${vhost}/live" ] && rm "$CRT_DIR/${vhost}/live"
|
||||
ln -s "$CRT_DIR/${vhost}/${DATE}" "$CRT_DIR/${vhost}/live"
|
||||
openssl x509 -noout -modulus -in "$CRT_DIR/${vhost}/live/cert.crt" >/dev/null || ( echo "error: new $CRT_DIR/{vhost}/live/cert.crt is invalid" && exit 1 )
|
||||
|
||||
# reload apache or nginx (TODO: need improvments)
|
||||
pidof apache2 >/dev/null && apache2ctl -t 2>/dev/null && ( [ "$CRON" = "NO" ] && echo "Apache detected... reloading" || true ) && systemctl reload apache2
|
||||
pidof nginx >/dev/null && nginx -t 2>/dev/null && ( [ "$CRON" = "NO" ] && echo "Nginx detected... reloading" || true ) && systemctl reload apache2
|
||||
|
||||
if [ -h "$CRT_DIR/${vhost}/live" ]; then
|
||||
crt_end_date=$(openssl x509 -noout -enddate -in "$CRT_DIR/${vhost}/live/cert.crt"|sed -e "s/.*=//")
|
||||
date_crt=$(date -ud "$crt_end_date" +"%s")
|
||||
date_today=$(date +'%s')
|
||||
date_diff=$(((date_crt - date_today) / (60*60*24)))
|
||||
[ "$date_diff" -ge "$SSL_MINDAY" ] && exit 0
|
||||
fi
|
||||
rm -rf "$CRT_DIR/${vhost}/${DATE}"
|
||||
mkdir -pm 755 "$CRT_DIR/${vhost}/${DATE}"
|
||||
chown -R acme: "$CRT_DIR/${vhost}"
|
||||
sudo -u acme certbot certonly --quiet --webroot --csr "$CSR_DIR/${vhost}.csr" --webroot-path "$ACME_DIR" -n --agree-tos --cert-path="$CRT_DIR/${vhost}/${DATE}/cert.crt" --fullchain-path="$CRT_DIR/${vhost}/${DATE}/fullchain.pem" --chain-path="$CRT_DIR/${vhost}/${DATE}/chain.pem" "$emailopt" --logs-dir "$LOG_DIR" 2>&1 | grep -v "certbot.crypto_util"
|
||||
if [ -f "$CRT_DIR/${vhost}/${DATE}/fullchain.pem" ]; then
|
||||
rm -f "$CRT_DIR/${vhost}/live"
|
||||
ln -s "$CRT_DIR/${vhost}/${DATE}" "$CRT_DIR/${vhost}/live"
|
||||
which apache2ctl >/dev/null && mkconf_apache
|
||||
which nginx >/dev/null && mkconf_nginx
|
||||
which haproxy >/dev/null && mkconf_haproxy
|
||||
else
|
||||
rmdir "$CRT_DIR/${vhost}/${DATE}"
|
||||
fi
|
||||
}
|
||||
|
||||
main "$@"
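Review bot: The nginx branch at the end of main reloads the wrong service: `pidof nginx >/dev/null && nginx -t 2>/dev/null && ( … ) && systemctl reload apache2` must end in `systemctl reload nginx`, otherwise an nginx-only host keeps serving the previous certificate after a successful renewal until something else restarts it. Two smaller defects on the new side: `[ -z "${DH_DIR}" ] && DH_DIR=etc/ssl/dhparam` lost the leading slash that the old `'/etc/ssl/dhparam'` had, and the error message after the link dance reads `$CRT_DIR/{vhost}/live/cert.crt` with the `$` missing before `{vhost}`. `"$emailopt"` is handed to certbot as one quoted word, so when SSL_EMAIL is set certbot receives the single argument `-m <address>` instead of an option and its value; either leave that expansion unquoted or pass the email as two separate words (this is carried over from the old side). The directory checks `[ ! -d $ACME_DIR ]`, `$CSR_DIR` and `$LOG_DIR` are the only unquoted expansions in the script and should be quoted like the rest.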
|
||||
|
|
|
@ -8,143 +8,143 @@
|
|||
#
|
||||
|
||||
get_domains() {
|
||||
echo "$vhostfile"|grep -q nginx
|
||||
if [ "$?" -eq 0 ]; then
|
||||
domains=$(grep -oE "^( )*[^#]+" "$vhostfile" |grep -oE "[^\$]server_name.*;$"|sed 's/server_name//'|tr -d ';'|sed 's/\s\{1,\}//'|sed 's/\s\{1,\}/\n/g'|sort|uniq)
|
||||
fi
|
||||
echo "$vhostfile"|grep -q nginx
|
||||
if [ "$?" -eq 0 ]; then
|
||||
domains=$(grep -oE "^( )*[^#]+" "$vhostfile" |grep -oE "[^\$]server_name.*;$"|sed 's/server_name//'|tr -d ';'|sed 's/\s\{1,\}//'|sed 's/\s\{1,\}/\n/g'|sort|uniq)
|
||||
fi
|
||||
|
||||
echo "$vhostfile" |grep -q apache2
|
||||
if [ "$?" -eq 0 ]; then
|
||||
domains=$(grep -oE "^( )*[^#]+" "$vhostfile" |grep -oE "(ServerName|ServerAlias).*"|sed 's/ServerName//'|sed 's/ServerAlias//'|sed 's/\s\{1,\}//'|sort|uniq)
|
||||
fi
|
||||
valid_domains=""
|
||||
nb=0
|
||||
echo "$vhostfile" |grep -q apache2
|
||||
if [ "$?" -eq 0 ]; then
|
||||
domains=$(grep -oE "^( )*[^#]+" "$vhostfile" |grep -oE "(ServerName|ServerAlias).*"|sed 's/ServerName//'|sed 's/ServerAlias//'|sed 's/\s\{1,\}//'|sort|uniq)
|
||||
fi
|
||||
valid_domains=""
|
||||
nb=0
|
||||
|
||||
echo "Valid(s) domain(s) in $vhost :"
|
||||
for domain in $domains; do
|
||||
real_ip=$(dig +short "$domain"|grep -oE "([0-9]+\.){3}[0-9]+")
|
||||
for ip in $(echo "$SRV_IP"|xargs -n1); do
|
||||
if [ "${ip}" = "${real_ip}" ]; then
|
||||
valid_domains="$valid_domains $domain"
|
||||
nb=$(( nb + 1 ))
|
||||
echo "* $domain -> $real_ip"
|
||||
fi
|
||||
done
|
||||
done
|
||||
echo "Valid(s) domain(s) in $vhost :"
|
||||
for domain in $domains; do
|
||||
real_ip=$(dig +short "$domain"|grep -oE "([0-9]+\.){3}[0-9]+")
|
||||
for ip in $(echo "$SRV_IP"|xargs -n1); do
|
||||
if [ "${ip}" = "${real_ip}" ]; then
|
||||
valid_domains="$valid_domains $domain"
|
||||
nb=$(( nb + 1 ))
|
||||
echo "* $domain -> $real_ip"
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
if [ "$nb" -eq 0 ]; then
|
||||
nb=$(echo "$domains"|wc -l)
|
||||
echo "* No valid domain found"
|
||||
echo "All following(s) domain(s) will be used for CSR creation :"
|
||||
for domain in $domains; do
|
||||
echo "* $domain"
|
||||
done
|
||||
else
|
||||
domains="$valid_domains"
|
||||
fi
|
||||
domains=$(echo "$domains"|xargs -n1)
|
||||
if [ "$nb" -eq 0 ]; then
|
||||
nb=$(echo "$domains"|wc -l)
|
||||
echo "* No valid domain found"
|
||||
echo "All following(s) domain(s) will be used for CSR creation :"
|
||||
for domain in $domains; do
|
||||
echo "* $domain"
|
||||
done
|
||||
else
|
||||
domains="$valid_domains"
|
||||
fi
|
||||
domains=$(echo "$domains"|xargs -n1)
|
||||
}
|
||||
|
||||
make_key() {
|
||||
openssl genrsa -out "$SSL_KEY_DIR/${vhost}.key" "$SSL_KEY_SIZE" 2>/dev/null
|
||||
chown root: "$SSL_KEY_DIR/${vhost}.key"
|
||||
chmod 600 "$SSL_KEY_DIR/${vhost}.key"
|
||||
openssl genrsa -out "$SSL_KEY_DIR/${vhost}.key" "$SSL_KEY_SIZE" 2>/dev/null
|
||||
chown root: "$SSL_KEY_DIR/${vhost}.key"
|
||||
chmod 600 "$SSL_KEY_DIR/${vhost}.key"
|
||||
}
|
||||
|
||||
make_csr() {
|
||||
domains="$1"
|
||||
nb=$(echo "$domains"|wc -l)
|
||||
config_file="/tmp/make-csr-${vhost}.conf"
|
||||
domains="$1"
|
||||
nb=$(echo "$domains"|wc -l)
|
||||
config_file="/tmp/make-csr-${vhost}.conf"
|
||||
|
||||
mkdir -p "$CSR_DIR" -m 0755
|
||||
mkdir -p "$CSR_DIR" -m 0755
|
||||
|
||||
if [ "$nb" -eq 1 ]; then
|
||||
cat /etc/letsencrypt/openssl.cnf - > "$config_file" <<EOF
|
||||
if [ "$nb" -eq 1 ]; then
|
||||
cat /etc/letsencrypt/openssl.cnf - > "$config_file" <<EOF
|
||||
CN=$domains
|
||||
EOF
|
||||
openssl req -new -sha256 -key "$SSL_KEY_DIR/${vhost}.key" -config "$config_file" -out "$CSR_DIR/${vhost}.csr"
|
||||
elif [ "$nb" -gt 1 ]; then
|
||||
san=''
|
||||
for domain in $domains
|
||||
do
|
||||
san="$san,DNS:$domain"
|
||||
done
|
||||
san=$(echo "$san"|sed 's/,//')
|
||||
cat /etc/letsencrypt/openssl.cnf - > "$config_file" <<EOF
|
||||
openssl req -new -sha256 -key "$SSL_KEY_DIR/${vhost}.key" -config "$config_file" -out "$CSR_DIR/${vhost}.csr"
|
||||
elif [ "$nb" -gt 1 ]; then
|
||||
san=''
|
||||
for domain in $domains
|
||||
do
|
||||
san="$san,DNS:$domain"
|
||||
done
|
||||
san=$(echo "$san"|sed 's/,//')
|
||||
cat /etc/letsencrypt/openssl.cnf - > "$config_file" <<EOF
|
||||
[SAN]
|
||||
subjectAltName=$san
|
||||
EOF
|
||||
openssl req -new -sha256 -key "$SSL_KEY_DIR/${vhost}.key" -reqexts SAN -config "$config_file" > "$CSR_DIR/${vhost}.csr"
|
||||
fi
|
||||
openssl req -new -sha256 -key "$SSL_KEY_DIR/${vhost}.key" -reqexts SAN -config "$config_file" > "$CSR_DIR/${vhost}.csr"
|
||||
fi
|
||||
|
||||
if [ -f "$CSR_DIR/${vhost}.csr" ]; then
|
||||
chmod 644 "$CSR_DIR/${vhost}.csr"
|
||||
mkdir -p "$SELF_SIGNED_DIR" -m 0755
|
||||
openssl x509 -req -sha256 -days 365 -in "$CSR_DIR/${vhost}.csr" -signkey "$SSL_KEY_DIR/${vhost}.key" -out "$SELF_SIGNED_DIR/${vhost}.pem"
|
||||
[ -f "$SELF_SIGNED_DIR/${vhost}.pem" ] && chmod 644 "$SELF_SIGNED_DIR/${vhost}.pem"
|
||||
fi
|
||||
if [ -f "$CSR_DIR/${vhost}.csr" ]; then
|
||||
chmod 644 "$CSR_DIR/${vhost}.csr"
|
||||
mkdir -p "$SELF_SIGNED_DIR" -m 0755
|
||||
openssl x509 -req -sha256 -days 365 -in "$CSR_DIR/${vhost}.csr" -signkey "$SSL_KEY_DIR/${vhost}.key" -out "$SELF_SIGNED_DIR/${vhost}.pem"
|
||||
[ -f "$SELF_SIGNED_DIR/${vhost}.pem" ] && chmod 644 "$SELF_SIGNED_DIR/${vhost}.pem"
|
||||
fi
|
||||
}
|
||||
|
||||
mkconf_apache() {
|
||||
mkdir -p /etc/apache2/ssl
|
||||
if [ ! -f "/etc/apache2/ssl/${vhost}.conf" ]; then
|
||||
cat > "/etc/apache2/ssl/${vhost}.conf" <<EOF
|
||||
mkdir -p /etc/apache2/ssl
|
||||
if [ ! -f "/etc/apache2/ssl/${vhost}.conf" ]; then
|
||||
cat > "/etc/apache2/ssl/${vhost}.conf" <<EOF
|
||||
SSLEngine On
|
||||
SSLCertificateFile $SELF_SIGNED_DIR/${vhost}.pem
|
||||
SSLCertificateKeyFile $SSL_KEY_DIR/${vhost}.key
|
||||
EOF
|
||||
else
|
||||
sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $SELF_SIGNED_DIR/${vhost}.pem~" "/etc/apache2/ssl/${vhost}.conf"
|
||||
fi
|
||||
else
|
||||
sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $SELF_SIGNED_DIR/${vhost}.pem~" "/etc/apache2/ssl/${vhost}.conf"
|
||||
fi
|
||||
}
|
||||
|
||||
mkconf_nginx() {
|
||||
mkdir -p /etc/nginx/ssl
|
||||
if [ ! -f "/etc/nginx/ssl/${vhost}.conf" ]; then
|
||||
cat > "/etc/nginx/ssl/${vhost}.conf" <<EOF
|
||||
mkdir -p /etc/nginx/ssl
|
||||
if [ ! -f "/etc/nginx/ssl/${vhost}.conf" ]; then
|
||||
cat > "/etc/nginx/ssl/${vhost}.conf" <<EOF
|
||||
ssl_certificate $SELF_SIGNED_DIR/${vhost}.pem;
|
||||
ssl_certificate_key $SSL_KEY_DIR/${vhost}.key;
|
||||
EOF
|
||||
else
|
||||
sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $SELF_SIGNED_DIR/${vhost}.pem;~" "/etc/nginx/ssl/${vhost}.conf"
|
||||
fi
|
||||
else
|
||||
sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $SELF_SIGNED_DIR/${vhost}.pem;~" "/etc/nginx/ssl/${vhost}.conf"
|
||||
fi
|
||||
}
|
||||
|
||||
main() {
|
||||
if [ "$#" -ne 1 ]; then
|
||||
echo "You need to provide one argument !" >&2
|
||||
exit 1
|
||||
fi
|
||||
vhost=$(basename "$1" .conf)
|
||||
local_ip=$(ip a|grep brd|cut -d'/' -f1|grep -oE "([0-9]+\.){3}[0-9]+")
|
||||
if [ "$#" -ne 1 ]; then
|
||||
echo "You need to provide one argument !" >&2
|
||||
exit 1
|
||||
fi
|
||||
vhost=$(basename "$1" .conf)
|
||||
local_ip=$(ip a|grep brd|cut -d'/' -f1|grep -oE "([0-9]+\.){3}[0-9]+")
|
||||
|
||||
[ -f /etc/default/evoacme ] && . /etc/default/evoacme
|
||||
[ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private'
|
||||
[ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests'
|
||||
[ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt'
|
||||
[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed'
|
||||
SSL_KEY_SIZE=$(grep default_bits /etc/letsencrypt/openssl.cnf|cut -d'=' -f2|xargs)
|
||||
[ -n "${SRV_IP}" ] && SRV_IP="${SRV_IP} $local_ip" || SRV_IP="$local_ip"
|
||||
[ -f /etc/default/evoacme ] && . /etc/default/evoacme
|
||||
[ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private'
|
||||
[ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests'
|
||||
[ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt'
|
||||
[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed'
|
||||
SSL_KEY_SIZE=$(grep default_bits /etc/letsencrypt/openssl.cnf|cut -d'=' -f2|xargs)
|
||||
[ -n "${SRV_IP}" ] && SRV_IP="${SRV_IP} $local_ip" || SRV_IP="$local_ip"
|
||||
|
||||
vhostfile=$(ls "/etc/nginx/sites-enabled/${vhost}" "/etc/nginx/sites-enabled/${vhost}.conf" "/etc/apache2/sites-enabled/${vhost}" "/etc/apache2/sites-enabled/${vhost}.conf" 2>/dev/null|head -n1)
|
||||
vhostfile=$(ls "/etc/nginx/sites-enabled/${vhost}" "/etc/nginx/sites-enabled/${vhost}.conf" "/etc/apache2/sites-enabled/${vhost}" "/etc/apache2/sites-enabled/${vhost}.conf" 2>/dev/null|head -n1)
|
||||
|
||||
if [ ! -h "$vhostfile" ]; then
|
||||
echo "$vhost is not a valid virtualhost !" >&2
|
||||
exit 1
|
||||
fi
|
||||
if [ ! -h "$vhostfile" ]; then
|
||||
echo "$vhost is not a valid virtualhost !" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ -f "$SSL_KEY_DIR/${vhost}.key" ]; then
|
||||
echo "$vhost key already exist, overwrite it ? (y)"
|
||||
read REPLY
|
||||
[ "$REPLY" = "Y" ] || [ "$REPLY" = "y" ] || exit 0
|
||||
rm -f "/etc/apache2/ssl/${vhost}.conf /etc/nginx/ssl/${vhost}.conf"
|
||||
[ -h "${CRT_DIR}/${vhost}/live" ] && rm "${CRT_DIR}/${vhost}/live"
|
||||
fi
|
||||
if [ -f "$SSL_KEY_DIR/${vhost}.key" ]; then
|
||||
echo "$vhost key already exist, overwrite it ? (y)"
|
||||
read REPLY
|
||||
[ "$REPLY" = "Y" ] || [ "$REPLY" = "y" ] || exit 0
|
||||
rm -f "/etc/apache2/ssl/${vhost}.conf /etc/nginx/ssl/${vhost}.conf"
|
||||
[ -h "${CRT_DIR}/${vhost}/live" ] && rm "${CRT_DIR}/${vhost}/live"
|
||||
fi
|
||||
|
||||
get_domains
|
||||
make_key
|
||||
make_csr "$domains"
|
||||
which apache2ctl >/dev/null && mkconf_apache
|
||||
get_domains
|
||||
make_key
|
||||
make_csr "$domains"
|
||||
which apache2ctl >/dev/null && mkconf_apache
|
||||
which nginx >/dev/null && mkconf_nginx
|
||||
}
|
||||
|
||||
|
|
|
@ -42,6 +42,18 @@
|
|||
path: /usr/local/bin/certbot
|
||||
state: absent
|
||||
|
||||
- name: stat /etc/cron.d/certbot
|
||||
stat:
|
||||
path: /etc/cron.d/certbot
|
||||
register: etc_cron_d_certbot
|
||||
|
||||
- name: Rename certbot dpkg cron to .disabled
|
||||
copy:
|
||||
remote_src: True
|
||||
src: /etc/cron.d/certbot
|
||||
dest: /etc/cron.d/certbot.disabled
|
||||
when: etc_cron_d_certbot.stat.exists
|
||||
|
||||
- name: Remove certbot dpkg cron
|
||||
file:
|
||||
path: /etc/cron.d/certbot
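Review bot: The "Rename certbot dpkg cron to .disabled" task relies on a cron rule that is not stated anywhere: cron ignores entries in /etc/cron.d whose name contains a dot (run-parts naming rule), which is what makes the `.disabled` copy inert; a comment above the task, `# cron skips /etc/cron.d files whose name contains a dot, so the copy is kept for reference but never runs`, would stop a future maintainer from "fixing" the suffix. As a point of style, `remote_src: True` should be the YAML boolean `true`, matching `check_mode: no`-style keys elsewhere being written as real booleans. The `file:` task that removes the original continues outside the hunk, so its `state:` could not be checked here.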
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
- ini_file:
|
||||
dest: /etc/letsencrypt/openssl.cnf
|
||||
dest: "{{ evoacme_crt_dir }}/openssl.cnf"
|
||||
section: 'req'
|
||||
option: "{{ item.name }}"
|
||||
value: "{{ item.var }}"
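Review bot: Parameterizing the path as `"{{ evoacme_crt_dir }}/openssl.cnf"` leaves the scripts shipped by this role out of step: make-csr.sh in the same commit still reads `/etc/letsencrypt/openssl.cnf` literally (in `make_csr` and in `main` for `SSL_KEY_SIZE`), so a non-default `evoacme_crt_dir` writes the `[req]` section to one file while make-csr reads another. Either have the script use `"${CRT_DIR}/openssl.cnf"` as evoacme.sh already does for `SSL_EMAIL`, or add a comment on this task stating that `evoacme_crt_dir` must match the path hard-coded in make-csr.sh. The loop that supplies `item` lies outside the hunk.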
|
||||
|
|
|
@ -13,7 +13,17 @@
|
|||
|
||||
- include: scripts.yml
|
||||
|
||||
- include: webserver.yml
|
||||
- name: Determine Apache presence
|
||||
stat:
|
||||
path: /etc/apache2/apache2.conf
|
||||
check_mode: no
|
||||
register: sta
|
||||
|
||||
- name: Determine Nginx presence
|
||||
stat:
|
||||
path: /etc/nginx/nginx.conf
|
||||
check_mode: no
|
||||
register: stn
|
||||
|
||||
- include: apache.yml
|
||||
when: sta.stat.isreg is defined and sta.stat.isreg
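Review bot: The two inlined detection tasks register results as `sta` and `stn`, which tell the reader nothing at the `when:` sites; `register: apache_conf_stat` and `register: nginx_conf_stat` (with the matching `when:` updated) would make the apache/nginx includes self-explanatory. `check_mode: no` should be written as the canonical boolean `check_mode: false` on both tasks. The `include: apache.yml` task's sibling for nginx continues outside the hunk.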
|
||||
|
|
|
@ -9,7 +9,7 @@
|
|||
|
||||
- name: Copy make-csr.sh script
|
||||
copy:
|
||||
src: files/make-csr.sh
|
||||
src: make-csr.sh
|
||||
dest: /usr/local/sbin/make-csr
|
||||
owner: root
|
||||
group: root
|
||||
|
@ -17,7 +17,7 @@
|
|||
|
||||
- name: Copy evoacme script
|
||||
copy:
|
||||
src: files/evoacme.sh
|
||||
src: evoacme.sh
|
||||
dest: /usr/local/sbin/evoacme
|
||||
owner: root
|
||||
group: root
|
||||
|
|
|
@ -1,12 +0,0 @@
|
|||
---
|
||||
- name: Determine Nginx presence
|
||||
stat:
|
||||
path: /etc/nginx/nginx.conf
|
||||
check_mode: no
|
||||
register: stn
|
||||
|
||||
- name: Determine Apache presence
|
||||
stat:
|
||||
path: /etc/apache2/apache2.conf
|
||||
check_mode: no
|
||||
register: sta
|
|
@ -36,6 +36,6 @@ Main variables are:
|
|||
* `evolinux_additional_packages`: optional additional packages to install (default: `[]`)
|
||||
* `evolinux_postfix_purge_exim`: purge Exim packages (default: `True`) ;
|
||||
* `evolinux_ssh_password_auth_addresses`: list of addresses that can authenticate with a password (default: `[]`)
|
||||
* `evolinux_ssh_disable_root`: disable SSH access for root (default: `True`)
|
||||
* `evolinux_ssh_disable_root`: disable SSH access for root (default: `False`)
|
||||
|
||||
The full list of variables (with default values) can be found in `defaults/main.yml`.
|
||||
|
|
|
@ -10,6 +10,21 @@ logcheck_alert_email: Null
|
|||
raid_alert_email: Null
|
||||
postfix_alias_email: Null
|
||||
|
||||
# apt
|
||||
|
||||
evolinux_apt_include: True
|
||||
|
||||
evolinux_apt_conf: True
|
||||
evolinux_apt_hooks: True
|
||||
evolinux_apt_replace_default_sources: True
|
||||
evolinux_apt_public_sources: True
|
||||
evolinux_apt_upgrade: True
|
||||
evolinux_apt_remove_aptitude: True
|
||||
|
||||
# etc-git
|
||||
|
||||
evolinux_etcgit_include: True
|
||||
|
||||
# hostname
|
||||
|
||||
evolinux_hostname_include: True
|
||||
|
@ -31,17 +46,6 @@ evolinux_kernel_disable_tcp_timestamps: True
|
|||
evolinux_kernel_reduce_swapiness: True
|
||||
evolinux_kernel_cve20165696: True
|
||||
|
||||
# apt
|
||||
|
||||
evolinux_apt_include: True
|
||||
|
||||
evolinux_apt_conf: True
|
||||
evolinux_apt_hooks: True
|
||||
evolinux_apt_replace_default_sources: True
|
||||
evolinux_apt_public_sources: True
|
||||
evolinux_apt_upgrade: True
|
||||
evolinux_apt_remove_aptitude: True
|
||||
|
||||
# fstab
|
||||
|
||||
evolinux_fstab_include: True
|
||||
|
@ -96,6 +100,22 @@ evolinux_system_alert5_init: True
|
|||
evolinux_system_alert5_enable: True
|
||||
evolinux_system_eni_auto: True
|
||||
|
||||
# evomaintenance
|
||||
|
||||
evolinux_evomaintenance_include: True
|
||||
|
||||
# ssh
|
||||
|
||||
evolinux_ssh_include: True
|
||||
|
||||
evolinux_ssh_password_auth_addresses: []
|
||||
evolinux_ssh_match_address: True
|
||||
evolinux_ssh_disable_acceptenv: True
|
||||
|
||||
# evolinux users
|
||||
|
||||
evolinux_users_include: True
|
||||
|
||||
# root
|
||||
|
||||
evolinux_root_include: True
|
||||
|
@ -108,15 +128,7 @@ evolinux_root_gitconfig: True
|
|||
evolinux_root_bash_history_appendonly: True
|
||||
evolinux_root_vim_default: True
|
||||
evolinux_root_vim_conf: True
|
||||
|
||||
# ssh
|
||||
|
||||
evolinux_ssh_include: True
|
||||
|
||||
evolinux_ssh_password_auth_addresses: []
|
||||
evolinux_ssh_match_address: True
|
||||
evolinux_ssh_disable_root: True
|
||||
evolinux_ssh_disable_acceptenv: True
|
||||
evolinux_root_disable_ssh: True
|
||||
|
||||
# postfix
|
||||
|
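Review bot: The rename from `evolinux_ssh_disable_root` to `evolinux_root_disable_ssh` (with the task moving from ssh.yml to root.yml) is not reflected in the README hunk of this commit, which still documents `evolinux_ssh_disable_root` and now states its default as `False`, whereas the default here is `evolinux_root_disable_ssh: True`; an operator reading the README would conclude root SSH stays enabled by default, the opposite of what this file does, and setting the old name would silently have no effect since the task's `when:` only reads the new one. The README line should read ``* `evolinux_root_disable_ssh`: disable SSH access for root (default: `True`)``. A one-line comment above this default naming the former variable, `# formerly evolinux_ssh_disable_root (ssh section)`, would help anyone upgrading an inventory.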
||||
|
|
9
evolinux-base/files/alert5.service
Normal file
9
evolinux-base/files/alert5.service
Normal file
|
@ -0,0 +1,9 @@
|
|||
[Unit]
|
||||
Description=Evolix alert5 script
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/usr/share/scripts/alert5.sh
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
|
@ -12,6 +12,7 @@ galaxy_info:
|
|||
- name: Debian
|
||||
versions:
|
||||
- jessie
|
||||
- stretch
|
||||
|
||||
dependencies: []
|
||||
# List your role dependencies here, one per line.
|
||||
|
|
|
@ -16,7 +16,7 @@
|
|||
replace: '\1{{ evolinux_fstab_home_options | mandatory }}\3'
|
||||
notify: remount /home
|
||||
when:
|
||||
- "' /home ' in fstab_content.stdout"
|
||||
- fstab_content.stdout | regex_search('\s/home\s')
|
||||
- evolinux_fstab_home
|
||||
|
||||
- name: /tmp partition is customized
|
||||
|
@ -25,7 +25,7 @@
|
|||
regexp: '([^#]\s+/tmp\s+\S+\s+)([a-z,]+)(\s+)'
|
||||
replace: '\1{{ evolinux_fstab_tmp_options | mandatory }}\3'
|
||||
when:
|
||||
- "' /tmp ' in fstab_content.stdout"
|
||||
- fstab_content.stdout | regex_search('\s/tmp\s')
|
||||
- evolinux_fstab_tmp
|
||||
|
||||
- name: /usr partition is customized
|
||||
|
@ -34,7 +34,7 @@
|
|||
regexp: '([^#]\s+/usr\s+\S+\s+)([a-z,]+)(\s+)'
|
||||
replace: '\1{{ evolinux_fstab_usr_options | mandatory }}\3'
|
||||
when:
|
||||
- "' /usr ' in fstab_content.stdout"
|
||||
- fstab_content.stdout | regex_search('\s/usr\s')
|
||||
- evolinux_fstab_usr
|
||||
|
||||
- name: /var partition is customized
|
||||
|
@ -44,7 +44,7 @@
|
|||
replace: '\1{{ evolinux_fstab_var_options | mandatory }}\3'
|
||||
notify: remount /var
|
||||
when:
|
||||
- "' /var ' in fstab_content.stdout"
|
||||
- fstab_content.stdout | regex_search('\s/var\s')
|
||||
- evolinux_fstab_var
|
||||
|
||||
- name: /var/tmp is created
|
||||
|
|
|
@ -5,6 +5,15 @@
|
|||
when:
|
||||
- ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<')
|
||||
|
||||
- name: Apt configuration
|
||||
include: apt.yml
|
||||
when: evolinux_apt_include
|
||||
|
||||
- name: /etc versioning with Git
|
||||
include_role:
|
||||
name: etc-git
|
||||
when: evolinux_etcgit_include
|
||||
|
||||
- name: Hostname
|
||||
include: hostname.yml
|
||||
when: evolinux_hostname_include
|
||||
|
@ -13,10 +22,6 @@
|
|||
include: kernel.yml
|
||||
when: evolinux_kernel_include
|
||||
|
||||
- name: Apt configuration and packages install
|
||||
include: apt.yml
|
||||
when: evolinux_apt_include
|
||||
|
||||
- name: Fstab configuration
|
||||
include: fstab.yml
|
||||
when: evolinux_fstab_include
|
||||
|
@ -29,14 +34,24 @@
|
|||
include: system.yml
|
||||
when: evolinux_system_include
|
||||
|
||||
- name: Root user configuration
|
||||
include: root.yml
|
||||
when: evolinux_root_include
|
||||
- name: Evomaintenance
|
||||
include_role:
|
||||
name: evomaintenance
|
||||
when: evolinux_evomaintenance_include
|
||||
|
||||
- name: SSH configuration
|
||||
include: ssh.yml
|
||||
when: evolinux_ssh_include
|
||||
|
||||
- name: Create evolinux users
|
||||
include_role:
|
||||
name: evolinux-users
|
||||
when: evolinux_users_include
|
||||
|
||||
- name: Root user configuration
|
||||
include: root.yml
|
||||
when: evolinux_root_include
|
||||
|
||||
- name: Postfix
|
||||
include: postfix.yml
|
||||
when: evolinux_postfix_include
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
|
||||
- name: packages are installed
|
||||
- name: Postfix packages are installed
|
||||
apt:
|
||||
name: "{{ item }}"
|
||||
state: present
|
||||
|
|
|
@ -80,4 +80,12 @@
|
|||
- "set shiftwidth=4"
|
||||
when: evolinux_root_vim_conf
|
||||
|
||||
- name: disable SSH access for root
|
||||
replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^PermitRootLogin (yes|without-password)'
|
||||
replace: "PermitRootLogin no"
|
||||
notify: reload sshd
|
||||
when: evolinux_root_disable_ssh
|
||||
|
||||
- meta: flush_handlers
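Review bot: The `replace` regexp `'^PermitRootLogin (yes|without-password)'` only rewrites an explicit, uncommented `yes` or `without-password`; it does not match the `prohibit-password` spelling used by newer OpenSSH, nor a commented-out `#PermitRootLogin …` line as typically shipped, so on a host whose sshd_config still carries the packaged default the task reports ok and root login with a key remains permitted although `evolinux_root_disable_ssh` is set. Use `lineinfile` with `regexp: '^#?PermitRootLogin'` and `line: 'PermitRootLogin no'` so the directive is set whatever its current form, and add `validate: '/usr/sbin/sshd -T -f %s'` (already used by the commented-out tasks this commit removes from ssh.yml) so a malformed file is never installed before the `reload sshd` handler fires.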
|
||||
|
|
|
@ -17,48 +17,6 @@
|
|||
notify: reload sshd
|
||||
when: not evolinux_ssh_password_auth_addresses == []
|
||||
|
||||
# - name: verify Match Address directive
|
||||
# command: "grep 'Match Address' /etc/ssh/sshd_config"
|
||||
# changed_when: False
|
||||
# failed_when: False
|
||||
# check_mode: no
|
||||
# register: grep_matchaddress_ssh
|
||||
#
|
||||
# - name: Add Match Address sshd directive
|
||||
# lineinfile:
|
||||
# dest: /etc/ssh/sshd_config
|
||||
# line: "\nMatch Address {{ evolinux_ssh_password_auth_addresses | join(',') }}\n PasswordAuthentication yes"
|
||||
# insertafter: '# +ForceCommand cvs server'
|
||||
# validate: '/usr/sbin/sshd -T -f %s'
|
||||
# notify: reload sshd
|
||||
# when: evolinux_ssh_match_address and grep_matchaddress_ssh.rc != 0 and evolinux_ssh_password_auth_addresses != []
|
||||
#
|
||||
# - name: Modify Match Address sshd directive
|
||||
# replace:
|
||||
# dest: /etc/ssh/sshd_config
|
||||
# regexp: '^(Match Address ((?!{{ item }}).)*)$'
|
||||
# replace: '\1,{{ item }}'
|
||||
# validate: '/usr/sbin/sshd -T -f %s'
|
||||
# with_items: "{{ evolinux_ssh_password_auth_addresses }}"
|
||||
# notify: reload sshd
|
||||
# when: evolinux_ssh_match_address and grep_matchaddress_ssh.rc == 0
|
||||
#
|
||||
# - name: Add Match Group sudo without password
|
||||
# lineinfile:
|
||||
# dest: /etc/ssh/sshd_config
|
||||
# line: "\nMatch Group sudo\n PasswordAuthentication no"
|
||||
# insertbefore: '^Match Address'
|
||||
# validate: '/usr/sbin/sshd -T -f %s'
|
||||
# notify: reload sshd
|
||||
|
||||
- name: disable SSH access for root
|
||||
replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^PermitRootLogin (yes|without-password)'
|
||||
replace: "PermitRootLogin no"
|
||||
notify: reload sshd
|
||||
when: evolinux_ssh_disable_root
|
||||
|
||||
# We disable AcceptEnv because it can be a security issue, but also because we
|
||||
# do not want clients to push their environment variables like LANG.
|
||||
- name: disable AcceptEnv in ssh config
|
||||
|
|
|
@ -116,29 +116,56 @@
|
|||
|
||||
## alert5
|
||||
|
||||
- name: Install alert5 init script
|
||||
- name: Install alert5 init script (jessie/stretch)
|
||||
template:
|
||||
src: system/init_alert5.j2
|
||||
src: system/alert5.sysvinit.j2
|
||||
dest: /etc/init.d/alert5
|
||||
force: no
|
||||
mode: "0755"
|
||||
when: evolinux_system_alert5_init
|
||||
when:
|
||||
- evolinux_system_alert5_init
|
||||
- ansible_distribution_release == "jessie" or ansible_distribution_release == "stretch"
|
||||
|
||||
|
||||
#TODO: switch service/systemd modules with Ansible 2.2+
|
||||
|
||||
- name: Enable alert5 init script
|
||||
- name: Enable alert5 init script (jessie/stretch)
|
||||
service:
|
||||
name: alert5
|
||||
enabled: yes
|
||||
when: evolinux_system_alert5_init and evolinux_system_alert5_enable
|
||||
when:
|
||||
- evolinux_system_alert5_init
|
||||
- evolinux_system_alert5_enable
|
||||
- ansible_distribution_release == "jessie" or ansible_distribution_release == "stretch"
|
||||
|
||||
# - name: Enable alert5 init script
|
||||
# systemd:
|
||||
# name: alert5
|
||||
# daemon_reload: yes
|
||||
# enabled: yes
|
||||
# when: evolinux_system_alert5_init and evolinux_system_alert5_enable
|
||||
|
||||
|
||||
- name: Install alert5 init script (buster)
|
||||
template:
|
||||
src: system/alert5.sh.j2
|
||||
dest: /usr/share/scripts/alert5.sh
|
||||
force: no
|
||||
mode: "0755"
|
||||
when:
|
||||
- evolinux_system_alert5_init
|
||||
- ansible_distribution_major_version | version_compare('10', '>=')
|
||||
|
||||
- name: Install alert5 service (buster)
|
||||
copy:
|
||||
src: alert5.service
|
||||
dest: /etc/systemd/system/alert5.service
|
||||
force: yes
|
||||
mode: "0755"
|
||||
when:
|
||||
- evolinux_system_alert5_init
|
||||
- ansible_distribution_major_version | version_compare('10', '>=')
|
||||
|
||||
- name: Enable alert5 init script (buster)
|
||||
systemd:
|
||||
name: alert5
|
||||
daemon_reload: yes
|
||||
enabled: yes
|
||||
when:
|
||||
- evolinux_system_alert5_init
|
||||
- evolinux_system_alert5_enable
|
||||
- ansible_distribution_major_version | version_compare('10', '>=')
|
||||
|
||||
## network interfaces
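Review bot: The added `Install alert5 service (buster)` task writes a systemd unit with `mode: "0755"`; unit files are parsed, not executed, and systemd logs a warning for executable units, so `mode: "0644"` is the right value (the `0755` on the `alert5.sh` task above it is correct). The same task uses `force: yes` while the script tasks use `force: no`, so local edits to `/etc/systemd/system/alert5.service` are overwritten on every run but edits to the scripts are kept; if that asymmetry is intended a one-line comment above the task should say so. The commented-out `Enable alert5 init script` systemd block left between the jessie/stretch and buster tasks now duplicates `Enable alert5 init script (buster)` and can go.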
|
||||
|
||||
|
|
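--- /dev/null
+++ b/evolinux-base/templates/system/alert5.sh.j2
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+## sends a mail when booting
+date | mail -s'boot/reboot' {{ reboot_alert_email or general_alert_email | mandatory }}
+
+## starts the firewall
+#/etc/init.d/minifirewall start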
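Review bot: In `{{ reboot_alert_email or general_alert_email | mandatory }}` the filter binds tighter than `or`, so `mandatory` only guards `general_alert_email`; an undefined `reboot_alert_email` is presumably still rejected by Ansible's strict undefined, but a pair of defined-but-empty values renders `mail -s'boot/reboot'` with no recipient and the boot notice is silently lost. Parenthesising makes the intent explicit, `date | mail -s'boot/reboot' "{{ (reboot_alert_email or general_alert_email) | mandatory }}"`, and quoting the expansion keeps the address a single shell word; an empty value still needs a check at the task level, since `mandatory` only tests definedness. With the firewall line commented out the script only sends the mail; a comment saying so would save the next reader a comparison with the sysvinit template.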
@ -31,7 +31,7 @@ suites:
|
|||
playbook: ./tests/test.yml
|
||||
verifier:
|
||||
patterns:
|
||||
- admin-users/tests/spec/admin-users_spec.rb
|
||||
- evolinux-users/tests/spec/evolinux-users_spec.rb
|
||||
bundler_path: '/usr/local/bin'
|
||||
rspec_path: '/usr/local/bin'
|
||||
|
|
@ -1,6 +1,6 @@
|
|||
# admin-users
|
||||
# evolinux-users
|
||||
|
||||
Creates admin users accounts, based on a configuration data structure.
|
||||
Creates evolinux users accounts, based on a configuration data structure.
|
||||
|
||||
## Tasks
|
||||
|
||||
|
@ -8,20 +8,26 @@ Everything is in the `tasks/main.yml` file.
|
|||
|
||||
## Available variables
|
||||
|
||||
The variable `admin_users` must be a "dict" of one or more users :
|
||||
The variable `evolinux_users` must be a "dict" of one or more users :
|
||||
|
||||
```
|
||||
admin_users:
|
||||
evolinux_users:
|
||||
foo:
|
||||
name: foo
|
||||
uid: 1001
|
||||
fullname: 'Mr Foo'
|
||||
groups: "baz"
|
||||
password_hash: 'sdfgsdfgsdfgsdfg'
|
||||
ssh_key: 'ssh-rsa AZERTYXYZ'
|
||||
bar:
|
||||
name: bar
|
||||
uid: 1002
|
||||
fullname: 'Mr Bar'
|
||||
groups:
|
||||
- "baz"
|
||||
- "qux"
|
||||
password_hash: 'gsdfgsdfgsdfgsdf'
|
||||
ssh_key: 'ssh-rsa QWERTYUIOP'
|
||||
ssh_keys:
|
||||
- 'ssh-rsa QWERTYUIOP'
|
||||
- 'ssh-ed25519 QWERTYUIOP'
|
||||
```
|
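--- /dev/null
+++ b/evolinux-users/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+evolinux_users: {}
+evolinux_sudo_group: "evolinux-sudo"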
@ -1,6 +1,6 @@
|
|||
galaxy_info:
|
||||
author: Evolix
|
||||
description: Creates admin users accounts.
|
||||
description: Creates evolinux users accounts.
|
||||
|
||||
issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
|
||||
|
|
@ -35,19 +35,22 @@
|
|||
update_password: on_create
|
||||
when: loginisbusy.rc != 0 and uidisbusy.rc == 0
|
||||
|
||||
- name: "Create {{ admin_users_group }} group (Debian 9 or later)"
|
||||
- name: "Create secondary groups"
|
||||
group:
|
||||
name: "{{ admin_users_group }}"
|
||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||
name: "{{ group }}"
|
||||
with_items: "{{ user.groups }}"
|
||||
loop_control:
|
||||
loop_var: group
|
||||
when: user.groups is defined
|
||||
|
||||
- name: "Add user to {{ admin_users_group }} group (Debian 9 or later)"
|
||||
- name: "Add user '{{ user.name }}' to secondary groups"
|
||||
user:
|
||||
name: '{{ user.name }}'
|
||||
groups: '{{ admin_users_group }}'
|
||||
groups: "{{ user.groups }}"
|
||||
append: yes
|
||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||
when: user.groups is defined
|
||||
|
||||
- name: "Fix perms on homedirectory for '{{ user.name }}'"
|
||||
- name: "Fix perms on home directory for '{{ user.name }}'"
|
||||
file:
|
||||
name: '/home/{{ user.name }}'
|
||||
mode: "0700"
|
|
@ -6,11 +6,11 @@
|
|||
- ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<')
|
||||
|
||||
- debug:
|
||||
msg: "Warning: empty 'admin_users' variable, tasks will be skipped!"
|
||||
when: admin_users == {}
|
||||
msg: "Warning: empty 'evolinux_users' variable, tasks will be skipped!"
|
||||
when: evolinux_users == {}
|
||||
|
||||
- include: admin_user.yml
|
||||
- include: user.yml
|
||||
vars:
|
||||
user: "{{ item.value }}"
|
||||
with_dict: "{{ admin_users }}"
|
||||
when: admin_users != {}
|
||||
with_dict: "{{ evolinux_users }}"
|
||||
when: evolinux_users != {}
|
|
@ -14,6 +14,17 @@
|
|||
user: "{{ user.name }}"
|
||||
key: "{{ user.ssh_key }}"
|
||||
state: present
|
||||
when: user.ssh_key is defined
|
||||
|
||||
- name: "Add user's SSH public keys for '{{ user.name }}'"
|
||||
authorized_key:
|
||||
user: "{{ user.name }}"
|
||||
key: "{{ ssk_key }}"
|
||||
state: present
|
||||
with_items: "{{ user.ssh_keys }}"
|
||||
loop_control:
|
||||
loop_var: ssk_key
|
||||
when: user.ssh_keys is defined
|
||||
|
||||
# we must double-escape caracters, because python
|
||||
- name: verify AllowUsers directive
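Review bot: The new `Add user's SSH public keys` loop spells its variable `ssk_key` in both `loop_var` and `key: "{{ ssk_key }}"`; it works only because the typo is consistent, and the next edit is likely to "fix" one side. Rename both to `key: "{{ ssh_key }}"` and `loop_var: ssh_key`. Since the single-key task is kept (`when: user.ssh_key is defined`), a user that sets both `ssh_key` and `ssh_keys` gets both installed, which looks intended; a short comment on the new task stating that the two fields are additive would make that explicit.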
|
18
evolinux-users/tasks/sudo_jessie.yml
Normal file
18
evolinux-users/tasks/sudo_jessie.yml
Normal file
|
@ -0,0 +1,18 @@
|
|||
---
|
||||
|
||||
- name: "Verify Evolinux sudoers file presence (jessie)"
|
||||
template:
|
||||
src: sudoers_jessie.j2
|
||||
dest: /etc/sudoers.d/evolinux
|
||||
force: no
|
||||
mode: "0440"
|
||||
validate: '/usr/sbin/visudo -cf %s'
|
||||
register: copy_sudoers_evolinux
|
||||
|
||||
- name: "Add user in sudoers file for '{{ user.name }}' (jessie)"
|
||||
replace:
|
||||
dest: /etc/sudoers.d/evolinux
|
||||
regexp: '^(User_Alias\s+ADMINS\s+=((?!{{ user.name }}).)*)$'
|
||||
replace: '\1,{{ user.name }}'
|
||||
validate: '/usr/sbin/visudo -cf %s'
|
||||
when: not copy_sudoers_evolinux.changed
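Review bot: The negative lookahead in `regexp: '^(User_Alias\s+ADMINS\s+=((?!{{ user.name }}).)*)$'` tests for the name as a substring, so a user whose name is contained in an existing alias member (`bob` when `bobby` is already listed) is never added, and a name containing regex metacharacters is interpolated unescaped. Anchoring on word boundaries and escaping the name, `regexp: '^(User_Alias\s+ADMINS\s+=((?!\b{{ user.name | regex_escape }}\b).)*)$'`, fixes both; the visudo `validate` already guards the result. The task also relies on the freshly rendered `sudoers_jessie.j2` already listing the user whenever `copy_sudoers_evolinux.changed` is true — presumably the template does, but a comment above the `when:` stating that assumption would help.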
|
20
evolinux-users/tasks/sudo_stretch.yml
Normal file
20
evolinux-users/tasks/sudo_stretch.yml
Normal file
|
@ -0,0 +1,20 @@
|
|||
---
|
||||
|
||||
- name: "Verify Evolinux sudoers file presence (Debian 9 or later)"
|
||||
template:
|
||||
src: sudoers_stretch.j2
|
||||
dest: /etc/sudoers.d/evolinux
|
||||
force: no
|
||||
validate: '/usr/sbin/visudo -cf %s'
|
||||
register: copy_sudoers_evolinux
|
||||
|
||||
- name: "Create evolinux-sudo group (Debian 9 or later)"
|
||||
group:
|
||||
name: "{{ evolinux_sudo_group }}"
|
||||
system: yes
|
||||
|
||||
- name: "Add user to evolinux-sudo group (Debian 9 or later)"
|
||||
user:
|
||||
name: '{{ user.name }}'
|
||||
groups: "{{ evolinux_sudo_group }}"
|
||||
append: yes
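Review bot: The stretch `Verify Evolinux sudoers file presence` task renders `/etc/sudoers.d/evolinux` without a `mode`, while the jessie variant sets `mode: "0440"` and the previous single sudo.yml had a separate permissions task covering both; sudo expects sudoers drop-ins to be 0440 and complains about anything looser. Add `mode: "0440"` under `template:`, next to `force: no`. The task names `Create evolinux-sudo group` and `Add user to evolinux-sudo group` hard-code the group while the bodies use `{{ evolinux_sudo_group }}`; `name: "Create {{ evolinux_sudo_group }} group (Debian 9 or later)"` keeps them in step.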
|
15
evolinux-users/tasks/user.yml
Normal file
15
evolinux-users/tasks/user.yml
Normal file
|
@ -0,0 +1,15 @@
|
|||
---
|
||||
|
||||
- include: account.yml
|
||||
|
||||
- include: profile.yml
|
||||
|
||||
- include: ssh.yml
|
||||
|
||||
- include: sudo_jessie.yml
|
||||
when: ansible_distribution_release == "jessie"
|
||||
|
||||
- include: sudo_stretch.yml
|
||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||
|
||||
- meta: flush_handlers
|
|
@ -5,5 +5,5 @@ Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts
|
|||
nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
|
||||
nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt
|
||||
|
||||
%evolinux-sudo ALL=(ALL:ALL) ALL
|
||||
%evolinux-sudo ALL = NOPASSWD: MAINT
|
||||
%{{ evolinux_sudo_group }} ALL=(ALL:ALL) ALL
|
||||
%{{ evolinux_sudo_group }} ALL = NOPASSWD: MAINT
|
|
@ -2,7 +2,7 @@
|
|||
- hosts: test-kitchen
|
||||
|
||||
vars:
|
||||
admin_users:
|
||||
evolinux_users:
|
||||
foo:
|
||||
name: foo
|
||||
uid: 1001
|
||||
|
@ -20,4 +20,4 @@
|
|||
# state: directory
|
||||
|
||||
roles:
|
||||
- role: admin-users
|
||||
- role: evolinux-users
|
|
@ -1,4 +1,4 @@
|
|||
# PHP-FPM
|
||||
# Memcached
|
||||
|
||||
Installation and basic configuration of memcached
|
||||
|
||||
|
|
|
@ -17,6 +17,7 @@
|
|||
dest: /etc/nagios/nrpe.d/evolix.cfg
|
||||
group: nagios
|
||||
mode: "0640"
|
||||
force: no
|
||||
notify: restart nagios-nrpe-server
|
||||
|
||||
- name: Nagios config is secured
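Review bot: The added `force: no` on the evolix.cfg template means an existing NRPE config is never updated again by this role, so later changes to the template (new or tightened checks) silently stop reaching hosts that already have the file. If that first-install-only behaviour is intended, say so above the task, e.g. `# force: no — an existing evolix.cfg is kept as-is; template changes must be applied by hand`, since the `notify: restart nagios-nrpe-server` next to it suggests otherwise to a reader.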
|
||||
|
|
|
@ -4,7 +4,7 @@ Install the web pack, with Apache.
|
|||
|
||||
## Tasks
|
||||
|
||||
Everything is in the `tasks/main.yml` file for now.
|
||||
See `tasks/main.yml`.
|
||||
|
||||
## Available variables
|
||||
|
||||
|
|
|
@ -9,4 +9,4 @@ postgresql_random_page_cost: 1.5
|
|||
postgresql_effective_cache_size: "{{ (ansible_memtotal_mb * 0.5) | int }}MB"
|
||||
|
||||
# PostgreSQL version
|
||||
postgresql_version: '9.4'
|
||||
postgresql_version: '9.6'
|
||||
|
|
|
@ -1,9 +1,10 @@
|
|||
---
|
||||
|
||||
- include: pgdg-repo.yml
|
||||
when: postgresql_version != '9.4'
|
||||
- include: packages_jessie.yml
|
||||
when: ansible_distribution_release == "jessie"
|
||||
|
||||
- include: packages.yml
|
||||
- include: packages_stretch.yml
|
||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||
|
||||
- include: config.yml
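Review bot: The `pgdg-repo.yml` include now lives only in `packages_jessie.yml`, so on Debian 9+ a `postgresql_version` other than the distribution's own no longer pulls in the PGDG repository, and the versioned `postgresql-{{postgresql_version}}` package that `packages_stretch.yml` still requests (that hunk also adds the `postgresql` meta-package) would presumably not be installable — unless stretch is meant to stay on distribution packages only now that the default moves to `9.6`. If so, a comment at the `packages_stretch.yml` include saying that `postgresql_version` must match the distribution version there would save the next reader the trip; otherwise the same conditional `- include: pgdg-repo.yml` belongs in `packages_stretch.yml` as well.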
|
||||
|
||||
|
|
11
postgresql/tasks/packages_jessie.yml
Normal file
11
postgresql/tasks/packages_jessie.yml
Normal file
|
@ -0,0 +1,11 @@
|
|||
---
|
||||
|
||||
- include: pgdg-repo.yml
|
||||
when: postgresql_version != '9.4'
|
||||
|
||||
- name: Install postgresql package
|
||||
apt:
|
||||
name: '{{item}}'
|
||||
with_items:
|
||||
- "postgresql-{{postgresql_version}}"
|
||||
- ptop
|
|
@ -4,5 +4,5 @@
|
|||
apt:
|
||||
name: '{{item}}'
|
||||
with_items:
|
||||
- "postgresql-{{postgresql_version}}"
|
||||
- postgresql
|
||||
- ptop
|
|
@ -3,7 +3,7 @@ shared_buffers = {{ postgresql_shared_buffers }}
|
|||
work_mem = {{ postgresql_work_mem }}
|
||||
#shared_preload_libraries = 'pg_stat_statements'
|
||||
#synchronous_commit = off
|
||||
{% if postgresql_version |version_compare('9.5', '<') %}
|
||||
{% if postgresql_version | version_compare('9.5', '<') %}
|
||||
checkpoint_segments = 30
|
||||
{% else %}
|
||||
max_wal_size = 15GB
|
||||
|
|
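--- /dev/null
+++ b/proftpd/files/vpasswd
@@ -0,0 +1 @@
+# username:password:uid:gid:gecos:homedir:shell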
@ -32,3 +32,12 @@
|
|||
notify: restart proftpd
|
||||
tags:
|
||||
- proftpd
|
||||
|
||||
- name: Put empty vpasswd file if missing
|
||||
copy:
|
||||
src: vpasswd
|
||||
dest: /etc/proftpd/vpasswd
|
||||
force: no
|
||||
mode: "0440"
|
||||
tags:
|
||||
- proftpd
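Review bot: The new `Put empty vpasswd file if missing` task pins `mode: "0440"` on a file that will hold password hashes but leaves ownership implicit (root when the play runs as root, but nothing says so); pin it with `owner: root` and `group: root` next to `mode`. `force: no` correctly keeps an existing credential file untouched; a one-line comment saying the file is only seeded, never managed afterwards, would make that explicit.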
|
||||
|
|
|
@ -16,6 +16,7 @@ Main variables are :
|
|||
* `redis_conf_path`: config file location ;
|
||||
* `redis_port`: listening TCP port ;
|
||||
* `redis_bind_interface`: listening IP address ;
|
||||
* `redis_password`: password for redis. Empty means no password ;
|
||||
* `redis_unixsocket`: Unix socket ;
|
||||
* `redis_loglevel`: log verbosity ;
|
||||
* `redis_logfile`: log file location.
|
||||
|
|
|
@ -7,6 +7,8 @@ redis_bind_interface: 127.0.0.1
|
|||
redis_unixsocket: '/var/run/redis/redis.sock'
|
||||
redis_timeout: 300
|
||||
|
||||
redis_password: NULL
|
||||
|
||||
redis_loglevel: "notice"
|
||||
redis_logfile: /var/log/redis/redis-server.log
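Review bot: `redis_password: NULL` relies on the YAML 1.1 uppercase spelling of null; it does parse as null, which is what the `redis_password != None` checks in munin.yml expect, but the uppercase form reads like a placeholder string to a reader. Write it as `redis_password: null` so the intent is unambiguous, and consider a comment noting that the template's `{% if redis_password %}` treats both `null` and `''` as "no password".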
|
||||
|
||||
|
|
|
@ -8,3 +8,8 @@
|
|||
service:
|
||||
name: munin-node
|
||||
state: restarted
|
||||
|
||||
- name: restart nagios-nrpe-server
|
||||
service:
|
||||
name: nagios-nrpe-server
|
||||
state: restarted
|
||||
|
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
- name: Redis is installed.
|
||||
apt:
|
||||
name: redis-server
|
||||
name: "{{ item }}"
|
||||
state: present
|
||||
with_items:
|
||||
- redis-server
|
||||
- redis-tools
|
||||
tags:
|
||||
- redis
|
||||
- packages
|
||||
|
@ -31,3 +34,12 @@
|
|||
|
||||
- include: munin.yml
|
||||
when: _munin_installed.stat.exists and _munin_installed.stat.isdir
|
||||
|
||||
- name: is NRPE present ?
|
||||
stat:
|
||||
path: /etc/nagios/nrpe.d/evolix.cfg
|
||||
check_mode: no
|
||||
register: nrpe_evolix_config
|
||||
|
||||
- include: nrpe_stretch.yml
|
||||
when: ansible_distribution_release == "stretch" and nrpe_evolix_config.stat.exists == true
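Review bot: The new include condition compares a boolean to `true`, `nrpe_evolix_config.stat.exists == true`; `when: ansible_distribution_release == "stretch" and nrpe_evolix_config.stat.exists` reads the same and is the usual form. `check_mode: no` on the preceding `stat` task is unnecessary, since `stat` is read-only and already runs in check mode.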
|
||||
|
|
|
@ -60,3 +60,25 @@
|
|||
- used_memory
|
||||
notify: restart munin-node
|
||||
tags: redis
|
||||
|
||||
- name: Count redis condif blocks in munin-node configuration
|
||||
command: grep -c "\[redis_" /etc/munin/plugin-conf.d/munin-node
|
||||
register: munin_redis_blocs_in_config
|
||||
failed_when: False
|
||||
changed_when: False
|
||||
|
||||
- name: Add redis password for munin (if no more than 1 config block)
|
||||
ini_file:
|
||||
dest: /etc/munin/plugin-conf.d/munin-node
|
||||
section: 'redis_*'
|
||||
option: env.password
|
||||
value: '{{ redis_password }}'
|
||||
notify: restart munin-node
|
||||
when: "redis_password != '' and redis_password != None and {{munin_redis_blocs_in_config.stdout | int}} <= 1"
|
||||
tags: redis
|
||||
|
||||
|
||||
- name: Warn if multiple instance in munin-plugins configuration
|
||||
debug:
|
||||
msg: "WARNING - It seems you have multiple redis sections in your munin-node configuration - Munin config NOT changed"
|
||||
when: "redis_password != '' and redis_password != None and {{munin_redis_blocs_in_config.stdout | int}} > 1 "
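Review bot: Both `when:` clauses on the added munin tasks embed `{{ ... }}` inside the condition (`{{munin_redis_blocs_in_config.stdout | int}} <= 1`); `when` is already evaluated as Jinja and Ansible warns about nested delimiters, so write `when: redis_password != '' and redis_password != None and munin_redis_blocs_in_config.stdout | int <= 1` (and the `> 1` form for the warning task). The `ini_file` task writes the Redis password into `/etc/munin/plugin-conf.d/munin-node` without pinning the file's `mode`, and the module arguments, password included, appear in verbose output; add `no_log: true` to that task and set a restrictive `mode` appropriate to how munin-node reads its plugin config. `condif` in the first task name is a typo for `config`.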
|
||||
|
|
15
redis/tasks/nrpe_stretch.yml
Normal file
15
redis/tasks/nrpe_stretch.yml
Normal file
|
@ -0,0 +1,15 @@
|
|||
---
|
||||
- name: Install perl lib-redis (needed by check_redis)
|
||||
apt:
|
||||
name: libredis-perl
|
||||
state: present
|
||||
tags:
|
||||
- redis
|
||||
- nrpe
|
||||
|
||||
- name: Replace check_tcp by check_redis for NRPE
|
||||
replace:
|
||||
dest: /etc/nagios/nrpe.d/evolix.cfg
|
||||
regexp: '^command\[check_redis\]=\/usr\/lib\/nagios\/plugins\/check_tcp -p 6379'
|
||||
replace: 'command[check_redis]=/usr/lib/nagios/plugins/check_redis -H 127.0.0.1'
|
||||
notify: restart nagios-nrpe-server
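Review bot: The replacement command hard-codes `-H 127.0.0.1`, while the address Redis actually listens on is the role's `redis_bind_interface` (its default is visible in the defaults hunk of this commit); rendering `-H {{ redis_bind_interface }}` keeps the check pointed at the configured address when that is changed. With `requirepass` now rendered from `redis_password`, an unauthenticated check will presumably fail on password-protected instances — worth confirming how check_redis is expected to authenticate before relying on it. The `\/` escapes in `regexp` are unnecessary in a Python regex; `regexp: '^command\[check_redis\]=/usr/lib/nagios/plugins/check_tcp -p 6379'` is easier to read.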
|
|
@ -7,6 +7,10 @@ bind {{ redis_bind_interface }}
|
|||
unixsocket {{ redis_unixsocket }}
|
||||
{% endif %}
|
||||
|
||||
{% if redis_password %}
|
||||
requirepass {{ redis_password }}
|
||||
{% endif %}
|
||||
|
||||
timeout {{ redis_timeout }}
|
||||
|
||||
loglevel {{ redis_loglevel }}
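Review bot: `requirepass {{ redis_password }}` renders the secret verbatim; a password containing whitespace has to be double-quoted for Redis's config parser to read it as one argument, so `requirepass "{{ redis_password }}"` is the safer form (with the caveat that embedded double quotes or backslashes then need escaping). The task that renders this template is outside the hunk; confirm it restricts the rendered file's mode, since the password is now readable by anyone who can read redis.conf.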
|
||||
|
|