Merge branch 'unstable' into stable

This commit is contained in:
Jérémy Lecour 2018-12-04 14:51:33 +01:00 committed by Jérémy Lecour
commit a84bc70b79
11 changed files with 144 additions and 25 deletions


@ -18,6 +18,18 @@ The **patch** part changes incrementally at each release.
### Security
## [9.6.0] - 2018-12-04
### Added
* evolinux-base: deploy custom motd if template are present
* minifirewall: all variables are configurable (untouched by default)
* minifirewall: main file is configurable
* squid: minifirewall main file is configurable
### Changed
* minifirewall: compare config before/after (for restart condition)
* squid: better replacement in minifirewall config
## [9.5.0] - 2018-11-14
### Added
@ -42,6 +54,7 @@ The **patch** part changes incrementally at each release.
* packweb-apache: mod-security config is already included elsewhere
* redis: for permissions on log and lib directories
* redis: fix shell for instance users
* evoacme: fix error handling in sed_cert_path_for_(apache|nginx)
## [9.4.2] - 2018-10-12


@ -55,10 +55,8 @@ sed_cert_path_for_apache() {
sed -i "s~${search}~${replace}~" "${vhost_full_path}"
debug "Config in ${vhost_full_path} has been updated"
$(command -v apache2ctl) -t 2>&1 | grep -v "Syntax OK"
if [ "${PIPESTATUS[0]}" != "0" ]; then
error "Apache config test has exited with a non-zero exit code"
fi
$(command -v apache2ctl) -t 2>/dev/null
[ "${?}" -eq 0 ] || $(command -v apache2ctl) -t
fi
}
sed_cert_path_for_nginx() {
@ -76,7 +74,8 @@ sed_cert_path_for_nginx() {
sed -i "s~${search}~${replace}~" "${vhost_full_path}"
debug "Config in ${vhost_full_path} has been updated"
$(command -v nginx) -t
$(command -v nginx) -t 2>/dev/null
[ "${?}" -eq 0 ] || $(command -v nginx) -t
fi
}
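Review bot: The rewritten config test in sed_cert_path_for_apache (the two lines replacing the PIPESTATUS check) no longer reports a failed `apache2ctl -t`: the first run only discards stderr, and the second run, reached when the first fails, prints the diagnostics but its exit status is left unhandled, whereas the removed lines called `error "Apache config test has exited with a non-zero exit code"`. Unless the script runs under `set -e` (not visible here), a broken vhost is now printed and the function simply continues; `$(command -v apache2ctl) -t 2>/dev/null || { $(command -v apache2ctl) -t; error "Apache config test has exited with a non-zero exit code"; }` keeps both the diagnostics and the handling. The nginx block in sed_cert_path_for_nginx has the same shape (`$(command -v nginx) -t 2>/dev/null` followed by the unchecked re-run), although its previous version did not act on the result either. Both functions start before their hunks.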
x509_verify() {


@ -96,6 +96,8 @@
include: log2mail.yml
when: evolinux_log2mail_include
- include: motd.yml
- name: Munin
include_role:
name: munin
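Review bot: The new `- include: motd.yml` is the only include in this hunk without a `when:` guard, while the neighbouring `include: log2mail.yml` is gated by `evolinux_log2mail_include`. The motd task itself is a no-op when no template is found (its `with_first_found` uses `skip`), so this may be deliberate, but a role default following the same naming pattern (something like `when: evolinux_motd_include`, name constructed, not an existing variable) would let operators opt out without deleting templates. Failing that, a one-line comment above the include stating that motd deployment is unconditional and purely template-driven would document the choice.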


@ -0,0 +1,17 @@
---
- name: Deploy custom motd
template:
src: "{{ item }}"
dest: /etc/motd
force: True
owner: root
group: root
mode: "0644"
with_first_found:
- files:
- "motd/motd.{{ inventory_hostname }}.j2"
- "motd/motd.{{ host_group }}.j2"
- "motd/motd.default.j2"
skip: True
tags:
- motd
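Review bot: `host_group` is used in the second `with_first_found` candidate (`motd/motd.{{ host_group }}.j2`) but nothing in this file shows where it is defined; if it is unset on a host, the first_found lookup appears to skip that candidate silently (verify on the Ansible version in use), so a missing definition degrades to the default template with no warning. A comment above the list, such as `# host_group is expected from inventory/group vars (verify); when undefined the per-group candidate is skipped`, would make the dependency explicit. `force: True` restates the template module's default and can be dropped.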


@ -1,5 +1,6 @@
---
minifirewall_main_file: /etc/default/minifirewall
minifirewall_tail_file: /etc/default/minifirewall.tail
minifirewall_tail_included: False
minifirewall_tail_force: True
@ -25,6 +26,17 @@ minifirewall_semipublic_ports_udp: []
minifirewall_private_ports_tcp: [5666]
minifirewall_private_ports_udp: []
# Keep a null value to leave the setting as is
# otherwise use an Array, eg. "minifirewall_ssh_ok: ['0.0.0.0/0']"
minifirewall_dns_servers: Null
minifirewall_http_sites: Null
minifirewall_https_sites: Null
minifirewall_ftp_sites: Null
minifirewall_ssh_ok: Null
minifirewall_smtp_ok: Null
minifirewall_smtp_secure_ok: Null
minifirewall_ntp_ok: Null
minifirewall_autostart: False
minifirewall_restart_if_needed: True
minifirewall_restart_force: False
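Review bot: The example in the new comment, `minifirewall_ssh_ok: ['0.0.0.0/0']`, illustrates the setting with the value that opens SSH to every source, and since it is the line readers copy first it is worth showing a restricted form instead, e.g. `['<ADMIN_NETWORK_CIDR>']` (placeholder), with a remark that `0.0.0.0/0` removes the restriction. The tasks apply `| join(' ')` to these values, so a plain string set by mistake is joined character by character rather than rejected; a second comment line stating that the value must be a list would save a debugging round. The eight `Null` defaults are read as null by YAML 1.1 loaders, but lowercase `null` is the canonical spelling and reads less like a string.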


@ -7,6 +7,11 @@
var: minifirewall_privilegied_ips
verbosity: 1
- name: Stat minifirewall config file (before)
stat:
path: "{{ minifirewall_main_file }}"
register: minifirewall_before
- name: Check if minifirewall is running
shell: /sbin/iptables -L -n | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
changed_when: False
@ -20,14 +25,14 @@
- name: Begin marker for IP addresses
lineinfile:
dest: /etc/default/minifirewall
dest: "{{ minifirewall_main_file }}"
create: no
line: "# BEGIN ANSIBLE MANAGED BLOCK FOR IPS"
insertbefore: '^# Main interface'
- name: End marker for IP addresses
lineinfile:
dest: /etc/default/minifirewall
dest: "{{ minifirewall_main_file }}"
create: no
line: "# END ANSIBLE MANAGED BLOCK FOR IPS"
insertafter: '^PRIVILEGIEDIPS='
@ -41,7 +46,7 @@
- name: Configure IP addresses
blockinfile:
dest: /etc/default/minifirewall
dest: "{{ minifirewall_main_file }}"
create: no
marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS"
content: |
@ -65,21 +70,21 @@
- name: Begin marker for ports
lineinfile:
dest: /etc/default/minifirewall
dest: "{{ minifirewall_main_file }}"
create: no
line: "# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS"
insertbefore: '^# Protected services'
- name: End marker for ports
lineinfile:
dest: /etc/default/minifirewall
dest: "{{ minifirewall_main_file }}"
create: no
line: "# END ANSIBLE MANAGED BLOCK FOR PORTS"
insertafter: '^SERVICESUDP3='
- name: Configure ports
blockinfile:
dest: /etc/default/minifirewall
dest: "{{ minifirewall_main_file }}"
create: no
marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS"
content: |
@ -101,20 +106,89 @@
SERVICESUDP3='{{ minifirewall_private_ports_udp | join(' ') }}'
register: minifirewall_config_ports
- name: Configure DNSSERVEURS
lineinfile:
dest: "{{ minifirewall_main_file }}"
create: no
line: "DNSSERVEURS='{{ minifirewall_dns_servers | join(' ') }}'"
regexp: "DNSSERVEURS='.*'"
when: minifirewall_dns_servers is not none
- name: Configure HTTPSITES
lineinfile:
dest: "{{ minifirewall_main_file }}"
create: no
line: "HTTPSITES='{{ minifirewall_http_sites | join(' ') }}'"
regexp: "HTTPSITES='.*'"
when: minifirewall_http_sites is not none
- name: Configure HTTPSSITES
lineinfile:
dest: "{{ minifirewall_main_file }}"
create: no
line: "HTTPSSITES='{{ minifirewall_https_sites | join(' ') }}'"
regexp: "HTTPSSITES='.*'"
when: minifirewall_https_sites is not none
- name: Configure FTPSITES
lineinfile:
dest: "{{ minifirewall_main_file }}"
create: no
line: "FTPSITES='{{ minifirewall_ftp_sites | join(' ') }}'"
regexp: "FTPSITES='.*'"
when: minifirewall_ftp_sites is not none
- name: Configure SSHOK
lineinfile:
dest: "{{ minifirewall_main_file }}"
create: no
line: "SSHOK='{{ minifirewall_ssh_ok | join(' ') }}'"
regexp: "SSHOK='.*'"
when: minifirewall_ssh_ok is not none
- name: Configure SMTPOK
lineinfile:
dest: "{{ minifirewall_main_file }}"
create: no
line: "SMTPOK='{{ minifirewall_smtp_ok | join(' ') }}'"
regexp: "SMTPOK='.*'"
when: minifirewall_smtp_ok is not none
- name: Configure SMTPSECUREOK
lineinfile:
dest: "{{ minifirewall_main_file }}"
create: no
line: "SMTPSECUREOK='{{ minifirewall_smtp_secure_ok | join(' ') }}'"
regexp: "SMTPSECUREOK='.*'"
when: minifirewall_smtp_secure_ok is not none
- name: Configure NTPOK
lineinfile:
dest: "{{ minifirewall_main_file }}"
create: no
line: "NTPOK='{{ minifirewall_ntp_ok | join(' ') }}'"
regexp: "NTPOK='.*'"
when: minifirewall_ntp_ok is not none
- name: evomaintenance
lineinfile:
dest: /etc/default/minifirewall
dest: "{{ minifirewall_main_file }}"
line: "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s {{ item }} -m state --state ESTABLISHED,RELATED -j ACCEPT"
insertafter: "^# EvoMaintenance"
with_items: "{{ evomaintenance_hosts }}"
- name: remove minifirewall example rule for the evomaintenance
lineinfile:
dest: /etc/default/minifirewall
dest: "{{ minifirewall_main_file }}"
regexp: '^#.*(--sport 5432).*(-s X\.X\.X\.X)'
state: absent
when: evomaintenance_hosts != []
- name: Stat minifirewall config file (after)
stat:
path: "{{ minifirewall_main_file }}"
register: minifirewall_after
- name: restart minifirewall
# service:
# name: minifirewall
@ -126,7 +200,7 @@
when:
- minifirewall_restart_if_needed
- minifirewall_is_running.rc == 0
- (minifirewall_config_ips | changed or minifirewall_config_ports | changed)
- minifirewall_before.stat.checksum != minifirewall_after.stat.checksum
- name: restart minifirewall (noop)
meta: noop
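Review bot: The `regexp` in the eight new Configure tasks (`DNSSERVEURS='.*'` through `NTPOK='.*'`) is unanchored, so it also matches a commented-out copy such as `#HTTPSITES='...'`; the squid tasks in this same commit (`insertafter: "^#HTTPSITES="`) show that such commented lines exist in the config, and lineinfile replaces the last match, which may be the comment rather than the active assignment. Anchoring each pattern, `regexp: "^HTTPSITES='.*'"`, keeps the replacement on the live line. The joined values end up inside single quotes in a file the init script reads as shell configuration, so a list element containing `'` would terminate the quoting; the lists come from operator-controlled inventory, but an `assert` before these tasks (one address or CIDR per entry, no quote characters) would catch typos before they reach the firewall.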


@ -8,8 +8,8 @@
- iptables
- name: init script is copied
copy:
src: minifirewall
template:
src: minifirewall.j2
dest: /etc/init.d/minifirewall
force: no
mode: "0700"
@ -19,7 +19,7 @@
- name: configuration is copied
copy:
src: minifirewall.conf
dest: /etc/default/minifirewall
dest: "{{ minifirewall_main_file }}"
force: no
mode: "0600"
owner: root
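Review bot: The init script is now rendered from `minifirewall.j2` with `configfile="{{ minifirewall_main_file }}"` baked in, but the task keeps `force: no`, so hosts that already have `/etc/init.d/minifirewall` never receive the templated path. On such a host an override of `minifirewall_main_file` makes the configure tasks edit the new file while the untouched init script still loads `/etc/default/minifirewall`, and the checksum-based restart added in this commit then reloads stale rules without any error. Either document the constraint above the task, `# force: no — the configfile path inside the script is only set on first install; changing minifirewall_main_file later requires removing the script`, or drop `force: no` for the init script so the rendered path is kept in sync.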


@ -17,7 +17,7 @@
- name: source minifirewall.tail at the end of the main file
blockinfile:
dest: /etc/default/minifirewall
dest: "{{ minifirewall_main_file }}"
marker: "# {mark} ANSIBLE MANAGED EXTERNAL RULES"
block: ". {{ minifirewall_tail_file }}"
insertbefore: EOF


@ -111,7 +111,7 @@ $IPT -A LOG_ACCEPT -j ACCEPT
# Configuration
oldconfigfile="/etc/firewall.rc"
configfile="/etc/default/minifirewall"
configfile="{{ minifirewall_main_file }}"
if test -f $oldconfigfile; then
echo "$oldconfigfile is deprecated, rename to $configfile" >&2
@ -382,4 +382,3 @@ trap - INT TERM EXIT
esac
exit 0
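Review bot: Turning the whole init script into a Jinja2 template means every `{{`, `{%` and `{#` in the roughly 380 lines outside this hunk is now interpreted by the renderer; in shell, `${#var}` (string length) contains `{#`, which Jinja2 reads as the start of a comment, so the rendered script would be silently truncated or fail to render. I cannot see the rest of the script from here, so this is worth grepping for before release; where such expressions exist they need `{{ '{#' }}` escaping or a `{% raw %}` block. A header comment in the template, `# Rendered by Ansible from minifirewall.j2 — edit the template, not this file`, would also tell operators where the file comes from.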


@ -6,3 +6,5 @@ squid_address: "{{ ansible_default_ipv4.address }}"
squid_whitelist_items: []
squid_localproxy_enable: False
minifirewall_main_file: /etc/default/minifirewall
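Review bot: `minifirewall_main_file` is now declared twice with the same literal, here and in the minifirewall role's defaults in this commit, and role defaults have the lowest precedence, so the two copies must be kept identical by hand or the squid tasks will edit a different file than the one the firewall loads. A comment next to this line, `# Must match the minifirewall role default; override in group_vars, not here`, records the coupling. If the squid role declares a meta dependency on minifirewall (not visible here), the duplicate is unnecessary and can be removed.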


@ -1,28 +1,29 @@
---
- name: Check if Minifirewall is present
stat:
path: /etc/default/minifirewall
path: "{{ minifirewall_main_file }}"
check_mode: no
register: minifirewall_test
- block:
- name: HTTPSITES list is commented in minifirewall
replace:
dest: /etc/default/minifirewall
dest: "{{ minifirewall_main_file }}"
regexp: "^(HTTPSITES='[^0-9])"
replace: '#\1'
notify: restart minifirewall
- name: all HTTPSITES are authorized in minifirewall
lineinfile:
dest: /etc/default/minifirewall
dest: "{{ minifirewall_main_file }}"
line: "HTTPSITES='0.0.0.0/0'"
regexp: "HTTPSITES='.*'"
insertafter: "^#HTTPSITES="
notify: restart minifirewall
- name: add iptables rules for the proxy
lineinfile:
dest: /etc/default/minifirewall
dest: "{{ minifirewall_main_file }}"
regexp: "^#? *{{ item }}"
line: "{{ item }}"
insertafter: "^# Proxy"
@ -35,7 +36,7 @@
- name: remove minifirewall example rule for the proxy
lineinfile:
dest: /etc/default/minifirewall
dest: "{{ minifirewall_main_file }}"
regexp: '^#.*(-t nat).*(-d X\.X\.X\.X)'
state: absent
notify: restart minifirewall