Merge branch 'unstable' into stable
This commit is contained in:
commit
a84bc70b79
13
CHANGELOG.md
13
CHANGELOG.md
|
@ -18,6 +18,18 @@ The **patch** part changes incrementally at each release.
|
|||
|
||||
### Security
|
||||
|
||||
## [9.6.0] - 2018-12-04
|
||||
|
||||
### Added
|
||||
* evolinux-base: deploy custom motd if template are present
|
||||
* minifirewall: all variables are configurable (untouched by default)
|
||||
* minifirewall: main file is configurable
|
||||
* squid: minifirewall main file is configurable
|
||||
|
||||
### Changed
|
||||
* minifirewall: compare config before/after (for restart condition)
|
||||
* squid: better replacement in minifirewall config
|
||||
|
||||
## [9.5.0] - 2018-11-14
|
||||
|
||||
### Added
|
||||
|
@ -42,6 +54,7 @@ The **patch** part changes incrementally at each release.
|
|||
* packweb-apache: mod-security config is already included elsewhere
|
||||
* redis: for permissions on log and lib directories
|
||||
* redis: fix shell for instance users
|
||||
* evoacme: fix error handling in sed_cert_path_for_(apache|nginx)
|
||||
|
||||
## [9.4.2] - 2018-10-12
|
||||
|
||||
|
|
|
@ -55,10 +55,8 @@ sed_cert_path_for_apache() {
|
|||
|
||||
sed -i "s~${search}~${replace}~" "${vhost_full_path}"
|
||||
debug "Config in ${vhost_full_path} has been updated"
|
||||
$(command -v apache2ctl) -t 2>&1 | grep -v "Syntax OK"
|
||||
if [ "${PIPESTATUS[0]}" != "0" ]; then
|
||||
error "Apache config test has exited with a non-zero exit code"
|
||||
fi
|
||||
$(command -v apache2ctl) -t 2>/dev/null
|
||||
[ "${?}" -eq 0 ] || $(command -v apache2ctl) -t
|
||||
fi
|
||||
}
|
||||
sed_cert_path_for_nginx() {
|
||||
|
@ -76,7 +74,8 @@ sed_cert_path_for_nginx() {
|
|||
|
||||
sed -i "s~${search}~${replace}~" "${vhost_full_path}"
|
||||
debug "Config in ${vhost_full_path} has been updated"
|
||||
$(command -v nginx) -t
|
||||
$(command -v nginx) -t 2>/dev/null
|
||||
[ "${?}" -eq 0 ] || $(command -v nginx) -t
|
||||
fi
|
||||
}
|
||||
x509_verify() {
|
||||
|
|
|
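Review bot: In the new apache check, `[ "${?}" -eq 0 ] || $(command -v apache2ctl) -t` re-runs the test to show the errors but no longer reports the failure through `error` as the removed PIPESTATUS block did, so a failed config test is only visible in the output and in the function's last exit status; the same applies to the nginx hunk below. At that point `sed -i` has already rewritten the vhost, so a failure that the caller does not act on leaves a broken config in place. Consider `$(command -v apache2ctl) -t 2>/dev/null || { $(command -v apache2ctl) -t; error "Apache config test has exited with a non-zero exit code"; }`, which also avoids testing `$?` on a separate line. Both functions begin before their hunks, so the surrounding `if` and any caller-side handling are not visible here.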
@ -96,6 +96,8 @@
|
|||
include: log2mail.yml
|
||||
when: evolinux_log2mail_include
|
||||
|
||||
- include: motd.yml
|
||||
|
||||
- name: Munin
|
||||
include_role:
|
||||
name: munin
|
||||
|
|
|
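Review bot: The new `- include: motd.yml` is the only include in this hunk without a `when:` toggle, while the neighbouring log2mail include is gated by `evolinux_log2mail_include`. If the role's convention is one boolean per optional component, add a guard by analogy with the existing one (constructed name: `when: evolinux_motd_include`, defaulted in the role's defaults); otherwise a one-line comment stating that the include is unconditional because motd.yml does nothing when no template matches would document the choice.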
@ -0,0 +1,17 @@
|
|||
---
|
||||
- name: Deploy custom motd
|
||||
template:
|
||||
src: "{{ item }}"
|
||||
dest: /etc/motd
|
||||
force: True
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
with_first_found:
|
||||
- files:
|
||||
- "motd/motd.{{ inventory_hostname }}.j2"
|
||||
- "motd/motd.{{ host_group }}.j2"
|
||||
- "motd/motd.default.j2"
|
||||
skip: True
|
||||
tags:
|
||||
- motd
|
|
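Review bot: `motd/motd.{{ host_group }}.j2` in the `with_first_found` list references `host_group`, which nothing in this commit defines; on a host without that variable the lookup would presumably fail with an undefined-variable error rather than fall through to `motd.default.j2`, since `skip: True` covers missing files, not failed templating — verify, and if so use `"motd/motd.{{ host_group | default('') }}.j2"` or give the variable a default. `force: True` also overwrites /etc/motd on every run where a template matches, which looks intended but deserves a comment because it discards local edits to that file.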
@ -1,5 +1,6 @@
|
|||
---
|
||||
|
||||
minifirewall_main_file: /etc/default/minifirewall
|
||||
minifirewall_tail_file: /etc/default/minifirewall.tail
|
||||
minifirewall_tail_included: False
|
||||
minifirewall_tail_force: True
|
||||
|
@ -25,6 +26,17 @@ minifirewall_semipublic_ports_udp: []
|
|||
minifirewall_private_ports_tcp: [5666]
|
||||
minifirewall_private_ports_udp: []
|
||||
|
||||
# Keep a null value to leave the setting as is
|
||||
# otherwise use an Array, eg. "minifirewall_ssh_ok: ['0.0.0.0/0']"
|
||||
minifirewall_dns_servers: Null
|
||||
minifirewall_http_sites: Null
|
||||
minifirewall_https_sites: Null
|
||||
minifirewall_ftp_sites: Null
|
||||
minifirewall_ssh_ok: Null
|
||||
minifirewall_smtp_ok: Null
|
||||
minifirewall_smtp_secure_ok: Null
|
||||
minifirewall_ntp_ok: Null
|
||||
|
||||
minifirewall_autostart: False
|
||||
minifirewall_restart_if_needed: True
|
||||
minifirewall_restart_force: False
|
||||
|
|
|
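Review bot: `minifirewall_main_file` and `minifirewall_tail_file` are added without a comment, while the block below explains the null-vs-array convention in detail. Since the main file path is also rendered into the init script template and repeated in the squid role's defaults in this same commit, a one-line comment such as `# Config file read by the init script; the squid role carries a copy of this value` would make the coupling visible to whoever overrides it.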
@ -7,6 +7,11 @@
|
|||
var: minifirewall_privilegied_ips
|
||||
verbosity: 1
|
||||
|
||||
- name: Stat minifirewall config file (before)
|
||||
stat:
|
||||
path: "{{ minifirewall_main_file }}"
|
||||
register: minifirewall_before
|
||||
|
||||
- name: Check if minifirewall is running
|
||||
shell: /sbin/iptables -L -n | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
|
||||
changed_when: False
|
||||
|
@ -20,14 +25,14 @@
|
|||
|
||||
- name: Begin marker for IP addresses
|
||||
lineinfile:
|
||||
dest: /etc/default/minifirewall
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
create: no
|
||||
line: "# BEGIN ANSIBLE MANAGED BLOCK FOR IPS"
|
||||
insertbefore: '^# Main interface'
|
||||
|
||||
- name: End marker for IP addresses
|
||||
lineinfile:
|
||||
dest: /etc/default/minifirewall
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
create: no
|
||||
line: "# END ANSIBLE MANAGED BLOCK FOR IPS"
|
||||
insertafter: '^PRIVILEGIEDIPS='
|
||||
|
@ -41,7 +46,7 @@
|
|||
|
||||
- name: Configure IP addresses
|
||||
blockinfile:
|
||||
dest: /etc/default/minifirewall
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
create: no
|
||||
marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS"
|
||||
content: |
|
||||
|
@ -65,21 +70,21 @@
|
|||
|
||||
- name: Begin marker for ports
|
||||
lineinfile:
|
||||
dest: /etc/default/minifirewall
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
create: no
|
||||
line: "# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS"
|
||||
insertbefore: '^# Protected services'
|
||||
|
||||
- name: End marker for ports
|
||||
lineinfile:
|
||||
dest: /etc/default/minifirewall
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
create: no
|
||||
line: "# END ANSIBLE MANAGED BLOCK FOR PORTS"
|
||||
insertafter: '^SERVICESUDP3='
|
||||
|
||||
- name: Configure ports
|
||||
blockinfile:
|
||||
dest: /etc/default/minifirewall
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
create: no
|
||||
marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS"
|
||||
content: |
|
||||
|
@ -101,20 +106,89 @@
|
|||
SERVICESUDP3='{{ minifirewall_private_ports_udp | join(' ') }}'
|
||||
register: minifirewall_config_ports
|
||||
|
||||
- name: Configure DNSSERVEURS
|
||||
lineinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
create: no
|
||||
line: "DNSSERVEURS='{{ minifirewall_dns_servers | join(' ') }}'"
|
||||
regexp: "DNSSERVEURS='.*'"
|
||||
when: minifirewall_dns_servers is not none
|
||||
|
||||
- name: Configure HTTPSITES
|
||||
lineinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
create: no
|
||||
line: "HTTPSITES='{{ minifirewall_http_sites | join(' ') }}'"
|
||||
regexp: "HTTPSITES='.*'"
|
||||
when: minifirewall_http_sites is not none
|
||||
|
||||
- name: Configure HTTPSSITES
|
||||
lineinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
create: no
|
||||
line: "HTTPSSITES='{{ minifirewall_https_sites | join(' ') }}'"
|
||||
regexp: "HTTPSSITES='.*'"
|
||||
when: minifirewall_https_sites is not none
|
||||
|
||||
- name: Configure FTPSITES
|
||||
lineinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
create: no
|
||||
line: "FTPSITES='{{ minifirewall_ftp_sites | join(' ') }}'"
|
||||
regexp: "FTPSITES='.*'"
|
||||
when: minifirewall_ftp_sites is not none
|
||||
|
||||
- name: Configure SSHOK
|
||||
lineinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
create: no
|
||||
line: "SSHOK='{{ minifirewall_ssh_ok | join(' ') }}'"
|
||||
regexp: "SSHOK='.*'"
|
||||
when: minifirewall_ssh_ok is not none
|
||||
|
||||
- name: Configure SMTPOK
|
||||
lineinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
create: no
|
||||
line: "SMTPOK='{{ minifirewall_smtp_ok | join(' ') }}'"
|
||||
regexp: "SMTPOK='.*'"
|
||||
when: minifirewall_smtp_ok is not none
|
||||
|
||||
- name: Configure SMTPSECUREOK
|
||||
lineinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
create: no
|
||||
line: "SMTPSECUREOK='{{ minifirewall_smtp_secure_ok | join(' ') }}'"
|
||||
regexp: "SMTPSECUREOK='.*'"
|
||||
when: minifirewall_smtp_secure_ok is not none
|
||||
|
||||
- name: Configure NTPOK
|
||||
lineinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
create: no
|
||||
line: "NTPOK='{{ minifirewall_ntp_ok | join(' ') }}'"
|
||||
regexp: "NTPOK='.*'"
|
||||
when: minifirewall_ntp_ok is not none
|
||||
|
||||
- name: evomaintenance
|
||||
lineinfile:
|
||||
dest: /etc/default/minifirewall
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
line: "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s {{ item }} -m state --state ESTABLISHED,RELATED -j ACCEPT"
|
||||
insertafter: "^# EvoMaintenance"
|
||||
with_items: "{{ evomaintenance_hosts }}"
|
||||
|
||||
- name: remove minifirewall example rule for the evomaintenance
|
||||
lineinfile:
|
||||
dest: /etc/default/minifirewall
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
regexp: '^#.*(--sport 5432).*(-s X\.X\.X\.X)'
|
||||
state: absent
|
||||
when: evomaintenance_hosts != []
|
||||
|
||||
- name: Stat minifirewall config file (after)
|
||||
stat:
|
||||
path: "{{ minifirewall_main_file }}"
|
||||
register: minifirewall_after
|
||||
|
||||
- name: restart minifirewall
|
||||
# service:
|
||||
# name: minifirewall
|
||||
|
@ -126,7 +200,7 @@
|
|||
when:
|
||||
- minifirewall_restart_if_needed
|
||||
- minifirewall_is_running.rc == 0
|
||||
- (minifirewall_config_ips | changed or minifirewall_config_ports | changed)
|
||||
- minifirewall_before.stat.checksum != minifirewall_after.stat.checksum
|
||||
|
||||
- name: restart minifirewall (noop)
|
||||
meta: noop
|
||||
|
|
|
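Review bot: The restart condition `minifirewall_before.stat.checksum != minifirewall_after.stat.checksum` assumes the main file exists at the first stat; when it does not, the stat result carries no `checksum` key and the `when:` evaluation would error instead of skipping, so unless the install tasks guarantee the file, guard with `minifirewall_before.stat.exists`. The eight `Configure …` tasks differ only in the variable they write and could be a single `lineinfile` task looping over name/value pairs, keeping the `regexp`/`line` pattern in one place. Those `regexp` values (e.g. `"HTTPSITES='.*'"`) are unanchored, so a commented `#HTTPSITES='…'` line also matches and is replaced by the active line; acceptable if intended, but `^#?HTTPSITES=` would state it. The `restart minifirewall` task continues outside the hunk.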
@ -8,8 +8,8 @@
|
|||
- iptables
|
||||
|
||||
- name: init script is copied
|
||||
copy:
|
||||
src: minifirewall
|
||||
template:
|
||||
src: minifirewall.j2
|
||||
dest: /etc/init.d/minifirewall
|
||||
force: no
|
||||
mode: "0700"
|
||||
|
@ -19,7 +19,7 @@
|
|||
- name: configuration is copied
|
||||
copy:
|
||||
src: minifirewall.conf
|
||||
dest: /etc/default/minifirewall
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
force: no
|
||||
mode: "0600"
|
||||
owner: root
|
||||
|
|
|
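Review bot: Switching the init script to `template: src: minifirewall.j2` while keeping `force: no` means hosts that already have /etc/init.d/minifirewall keep the old copied script, whose config path is the hard-coded `/etc/default/minifirewall`; if `minifirewall_main_file` is then overridden on such a host, the config tasks edit one file while the script loads another. Either drop `force: no` for the init script, which is generated rather than user-edited, or add a comment explaining why an existing script must not be replaced. The `force: no` on the configuration copy below is fine since that file is meant to be hand-maintained.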
@ -17,7 +17,7 @@
|
|||
|
||||
- name: source minifirewall.tail at the end of the main file
|
||||
blockinfile:
|
||||
dest: /etc/default/minifirewall
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
marker: "# {mark} ANSIBLE MANAGED EXTERNAL RULES"
|
||||
block: ". {{ minifirewall_tail_file }}"
|
||||
insertbefore: EOF
|
||||
|
|
|
@ -111,7 +111,7 @@ $IPT -A LOG_ACCEPT -j ACCEPT
|
|||
|
||||
# Configuration
|
||||
oldconfigfile="/etc/firewall.rc"
|
||||
configfile="/etc/default/minifirewall"
|
||||
configfile="{{ minifirewall_main_file }}"
|
||||
|
||||
if test -f $oldconfigfile; then
|
||||
echo "$oldconfigfile is deprecated, rename to $configfile" >&2
|
||||
|
@ -382,4 +382,3 @@ trap - INT TERM EXIT
|
|||
esac
|
||||
|
||||
exit 0
|
||||
|
|
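Review bot: `configfile="{{ minifirewall_main_file }}"` interpolates the role variable inside double quotes, so a path containing `$`, backquotes or `"` would be re-interpreted by the shell each time the script runs; single quotes, `configfile='{{ minifirewall_main_file }}'`, make the rendered value literal. The context line `if test -f $oldconfigfile; then` is unquoted as well, though that is pre-existing and out of scope for this change.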
@ -6,3 +6,5 @@ squid_address: "{{ ansible_default_ipv4.address }}"
|
|||
squid_whitelist_items: []
|
||||
|
||||
squid_localproxy_enable: False
|
||||
|
||||
minifirewall_main_file: /etc/default/minifirewall
|
||||
|
|
|
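Review bot: `minifirewall_main_file: /etc/default/minifirewall` duplicates the default added to the minifirewall role in this same commit; if the two ever diverge, the squid tasks edit a different file than the firewall script reads. A comment such as `# Must match minifirewall_main_file in the minifirewall role` (or one shared group variable) would make the coupling explicit.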
@ -1,28 +1,29 @@
|
|||
---
|
||||
- name: Check if Minifirewall is present
|
||||
stat:
|
||||
path: /etc/default/minifirewall
|
||||
path: "{{ minifirewall_main_file }}"
|
||||
check_mode: no
|
||||
register: minifirewall_test
|
||||
|
||||
- block:
|
||||
- name: HTTPSITES list is commented in minifirewall
|
||||
replace:
|
||||
dest: /etc/default/minifirewall
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
regexp: "^(HTTPSITES='[^0-9])"
|
||||
replace: '#\1'
|
||||
notify: restart minifirewall
|
||||
|
||||
- name: all HTTPSITES are authorized in minifirewall
|
||||
lineinfile:
|
||||
dest: /etc/default/minifirewall
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
line: "HTTPSITES='0.0.0.0/0'"
|
||||
regexp: "HTTPSITES='.*'"
|
||||
insertafter: "^#HTTPSITES="
|
||||
notify: restart minifirewall
|
||||
|
||||
- name: add iptables rules for the proxy
|
||||
lineinfile:
|
||||
dest: /etc/default/minifirewall
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
regexp: "^#? *{{ item }}"
|
||||
line: "{{ item }}"
|
||||
insertafter: "^# Proxy"
|
||||
|
@ -35,7 +36,7 @@
|
|||
|
||||
- name: remove minifirewall example rule for the proxy
|
||||
lineinfile:
|
||||
dest: /etc/default/minifirewall
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
regexp: '^#.*(-t nat).*(-d X\.X\.X\.X)'
|
||||
state: absent
|
||||
notify: restart minifirewall
|
||||
|
|
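Review bot: `all HTTPSITES are authorized in minifirewall` and the minifirewall role's new `Configure HTTPSITES` task now manage the same line with the same `regexp: "HTTPSITES='.*'"`; on a host where `minifirewall_http_sites` is set to a list, the two roles would overwrite each other's value on successive runs, and which one wins depends on play order. Documenting that the squid role requires `minifirewall_http_sites` to stay null, or having the squid role contribute to that list instead of writing the line itself, would avoid the conflict. The surrounding `block:` and its `when:` start and end outside this hunk.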