From 6469733d2f50b93cad3a57403a275680a27145d6 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Thu, 22 Nov 2018 15:05:38 +0100 Subject: [PATCH 1/9] evoacme: fix error handling in sed_cert_path_for_(apache|nginx) --- CHANGELOG.md | 1 + evoacme/files/evoacme.sh | 9 ++++----- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bb77041b..3cac1da8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -42,6 +42,7 @@ The **patch** part changes incrementally at each release. * packweb-apache: mod-security config is already included elsewhere * redis: for permissions on log and lib directories * redis: fix shell for instance users +* evoacme: fix error handling in sed_cert_path_for_(apache|nginx) ## [9.4.2] - 2018-10-12 diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index b1837992..770cd8d4 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -55,10 +55,8 @@ sed_cert_path_for_apache() { sed -i "s~${search}~${replace}~" "${vhost_full_path}" debug "Config in ${vhost_full_path} has been updated" - $(command -v apache2ctl) -t 2>&1 | grep -v "Syntax OK" - if [ "${PIPESTATUS[0]}" != "0" ]; then - error "Apache config test has exited with a non-zero exit code" - fi + $(command -v apache2ctl) -t 2>/dev/null + [ "${?}" -eq 0 ] || $(command -v apache2ctl) -t fi } sed_cert_path_for_nginx() { @@ -76,7 +74,8 @@ sed_cert_path_for_nginx() { sed -i "s~${search}~${replace}~" "${vhost_full_path}" debug "Config in ${vhost_full_path} has been updated" - $(command -v nginx) -t + $(command -v nginx) -t 2>/dev/null + [ "${?}" -eq 0 ] || $(command -v nginx) -t fi } x509_verify() { From 74f25e81831c80ce980921c4cbbe0d1fdf640e71 Mon Sep 17 00:00:00 2001 
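Review bot: In the apache hunk the replacement `[ "${?}" -eq 0 ] || $(command -v apache2ctl) -t` drops the `error "Apache config test has exited with a non-zero exit code"` call, so a failing config test is only echoed by the re-run and the function carries on as if the vhost were valid; the nginx hunk on this line has the same shape. Unless the caller inspects the function's exit status (not visible here) the failure is lost, and if the script runs under `set -e` an `||` list also keeps it from aborting. Keeping the verbose re-run and the error path together, e.g. `$(command -v apache2ctl) -t 2>/dev/null || { $(command -v apache2ctl) -t; error "Apache config test has exited with a non-zero exit code"; }`, preserves the original reporting while still showing the diagnostic output. Both sed_cert_path_for_* functions start before their hunk, so what `error` does (log only, or exit) cannot be confirmed from here.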
From: Victor LABORIE Date: Fri, 30 Nov 2018 15:14:39 +0100 Subject: [PATCH 2/9] evolinux-base: deploy custom motd if template are present --- CHANGELOG.md | 1 + evolinux-base/tasks/main.yml | 2 ++ evolinux-base/tasks/motd.yml | 17 +++++++++++++++++ 3 files changed, 20 insertions(+) create mode 100644 evolinux-base/tasks/motd.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 3cac1da8..38340cf5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,7 @@ The **patch** part changes incrementally at each release. ## [Unreleased] ### Added +* evolinux-base: deploy custom motd if template are present ### Changed diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml index fafe0a4e..ff0213a8 100644 --- a/evolinux-base/tasks/main.yml +++ b/evolinux-base/tasks/main.yml @@ -96,6 +96,8 @@ include: log2mail.yml when: evolinux_log2mail_include +- include: motd.yml + - name: Munin include_role: name: munin diff --git a/evolinux-base/tasks/motd.yml b/evolinux-base/tasks/motd.yml new file mode 100644 index 00000000..d1171eb4 --- /dev/null +++ b/evolinux-base/tasks/motd.yml @@ -0,0 +1,17 @@ +--- +- name: Deploy custom motd + template: + src: "{{ item }}" + dest: /etc/motd + force: True + owner: root + group: root + mode: "0644" + with_first_found: + - files: + - "motd/motd.{{ inventory_hostname }}.j2" + - "motd/motd.{{ host_group }}.j2" + - "motd/motd.default.j2" + skip: True + tags: + - motd From c3e4a784428bee8c6787dd21865dccabf53b9594 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 4 Dec 2018 14:24:14 +0100 Subject: [PATCH 3/9] minifirewall: main file is configurable --- minifirewall/defaults/main.yml | 1 + minifirewall/tasks/config.yml | 16 ++++++++-------- minifirewall/tasks/install.yml | 6 +++--- minifirewall/tasks/tail.yml | 2 +- .../minifirewall => templates/minifirewall.j2} | 3 +-- 5 files changed, 14 insertions(+), 14 deletions(-) rename minifirewall/{files/minifirewall => templates/minifirewall.j2} (99%) 
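Review bot: The `with_first_found` list in motd.yml references `host_group`, which is not a built-in Ansible variable; if it is undefined for a host the filename lookup raises an undefined-variable error and the task fails instead of falling back to `motd.default.j2` or being skipped. If it is a project inventory variable, a short comment naming its origin would help, e.g. `# host_group: inventory variable selecting the per-group motd template`; otherwise `"motd/motd.{{ host_group | default('none') }}.j2"` keeps the fallback chain working. With `force: True` the file is rewritten on every run whenever any template matches, which is presumably the intent for a managed motd.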
diff --git a/minifirewall/defaults/main.yml b/minifirewall/defaults/main.yml index a331b033..0c473272 100644 --- a/minifirewall/defaults/main.yml +++ b/minifirewall/defaults/main.yml @@ -1,5 +1,6 @@ --- +minifirewall_main_file: /etc/default/minifirewall minifirewall_tail_file: /etc/default/minifirewall.tail minifirewall_tail_included: False minifirewall_tail_force: True diff --git a/minifirewall/tasks/config.yml b/minifirewall/tasks/config.yml index c2c81f81..09225cee 100644 --- a/minifirewall/tasks/config.yml +++ b/minifirewall/tasks/config.yml @@ -20,14 +20,14 @@ - name: Begin marker for IP addresses lineinfile: - dest: /etc/default/minifirewall + dest: "{{ minifirewall_main_file }}" create: no line: "# BEGIN ANSIBLE MANAGED BLOCK FOR IPS" insertbefore: '^# Main interface' - name: End marker for IP addresses lineinfile: - dest: /etc/default/minifirewall + dest: "{{ minifirewall_main_file }}" create: no line: "# END ANSIBLE MANAGED BLOCK FOR IPS" insertafter: '^PRIVILEGIEDIPS=' @@ -41,7 +41,7 @@ - name: Configure IP addresses blockinfile: - dest: /etc/default/minifirewall + dest: "{{ minifirewall_main_file }}" create: no marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS" content: | @@ -65,21 +65,21 @@ - name: Begin marker for ports lineinfile: - dest: /etc/default/minifirewall + dest: "{{ minifirewall_main_file }}" create: no line: "# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS" insertbefore: '^# Protected services' - name: End marker for ports lineinfile: - dest: /etc/default/minifirewall + dest: "{{ minifirewall_main_file }}" create: no line: "# END ANSIBLE MANAGED BLOCK FOR PORTS" insertafter: '^SERVICESUDP3=' - name: Configure ports blockinfile: - dest: /etc/default/minifirewall + dest: "{{ minifirewall_main_file }}" create: no marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS" content: | 
@@ -103,14 +103,14 @@ - name: evomaintenance lineinfile: - dest: /etc/default/minifirewall + dest: "{{ minifirewall_main_file }}" line: "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s {{ item }} -m state --state ESTABLISHED,RELATED -j ACCEPT" insertafter: "^# EvoMaintenance" with_items: "{{ evomaintenance_hosts }}" - name: remove minifirewall example rule for the evomaintenance lineinfile: - dest: /etc/default/minifirewall + dest: "{{ minifirewall_main_file }}" regexp: '^#.*(--sport 5432).*(-s X\.X\.X\.X)' state: absent when: evomaintenance_hosts != [] diff --git a/minifirewall/tasks/install.yml b/minifirewall/tasks/install.yml index 5efdd585..77f60c11 100644 --- a/minifirewall/tasks/install.yml +++ b/minifirewall/tasks/install.yml @@ -8,8 +8,8 @@ - iptables - name: init script is copied - copy: - src: minifirewall + template: + src: minifirewall.j2 dest: /etc/init.d/minifirewall force: no mode: "0700" @@ -19,7 +19,7 @@ - name: configuration is copied copy: src: minifirewall.conf - dest: /etc/default/minifirewall + dest: "{{ minifirewall_main_file }}" force: no mode: "0600" owner: root diff --git a/minifirewall/tasks/tail.yml b/minifirewall/tasks/tail.yml index 4d404136..ab382fe6 100644 --- a/minifirewall/tasks/tail.yml +++ b/minifirewall/tasks/tail.yml @@ -17,7 +17,7 @@ - name: source minifirewall.tail at the end of the main file blockinfile: - dest: /etc/default/minifirewall + dest: "{{ minifirewall_main_file }}" marker: "# {mark} ANSIBLE MANAGED EXTERNAL RULES" block: ". {{ minifirewall_tail_file }}" insertbefore: EOF diff --git a/minifirewall/files/minifirewall b/minifirewall/templates/minifirewall.j2 similarity index 99% rename from minifirewall/files/minifirewall rename to minifirewall/templates/minifirewall.j2 index 94260a96..33b13744 100755 --- a/minifirewall/files/minifirewall +++ b/minifirewall/templates/minifirewall.j2 
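Review bot: `init script is copied` now renders `minifirewall.j2` but keeps `force: no`, so on a host where `/etc/init.d/minifirewall` already exists the old script with its hard-coded `configfile="/etc/default/minifirewall"` stays in place while every config task in this series writes to `{{ minifirewall_main_file }}`; the two only agree while the variable keeps its default. Either render the init script with `force: yes` (it is a role-owned file, unlike the config it reads) or document the limitation next to the variable, e.g. `# changing minifirewall_main_file only takes effect on hosts where the init script is (re)deployed`. The `force: no` on `configuration is copied` is fine, since that file is edited in place afterwards.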
@@ -111,7 +111,7 @@ $IPT -A LOG_ACCEPT -j ACCEPT # Configuration oldconfigfile="/etc/firewall.rc" -configfile="/etc/default/minifirewall" +configfile="{{ minifirewall_main_file }}" if test -f $oldconfigfile; then echo "$oldconfigfile is deprecated, rename to $configfile" >&2 @@ -382,4 +382,3 @@ trap - INT TERM EXIT esac exit 0 - From c96e8130ff1cd044c17d1b143def793822b27730 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 4 Dec 2018 14:24:38 +0100 Subject: [PATCH 4/9] squid: minifirewall main file is configurable --- squid/defaults/main.yml | 2 ++ squid/tasks/minifirewall.yml | 10 +++++----- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/squid/defaults/main.yml b/squid/defaults/main.yml index 1a6db438..2188d606 100644 --- a/squid/defaults/main.yml +++ b/squid/defaults/main.yml @@ -6,3 +6,5 @@ squid_address: "{{ ansible_default_ipv4.address }}" squid_whitelist_items: [] squid_localproxy_enable: False + +minifirewall_main_file: /etc/default/minifirewall diff --git a/squid/tasks/minifirewall.yml b/squid/tasks/minifirewall.yml index 5eea7675..8d018142 100644 --- a/squid/tasks/minifirewall.yml +++ b/squid/tasks/minifirewall.yml @@ -1,28 +1,28 @@ --- - name: Check if Minifirewall is present stat: - path: /etc/default/minifirewall + path: "{{ minifirewall_main_file }}" check_mode: no register: minifirewall_test - block: - name: HTTPSITES list is commented in minifirewall replace: - dest: /etc/default/minifirewall + dest: "{{ minifirewall_main_file }}" regexp: "^(HTTPSITES='[^0-9])" replace: '#\1' notify: restart minifirewall - name: all HTTPSITES are authorized in minifirewall lineinfile: - dest: /etc/default/minifirewall + dest: "{{ minifirewall_main_file }}" line: "HTTPSITES='0.0.0.0/0'" insertafter: "^#HTTPSITES=" notify: restart minifirewall - name: add iptables rules for the proxy lineinfile: - dest: /etc/default/minifirewall + dest: "{{ minifirewall_main_file }}" regexp: "^#? *{{ item }}" line: "{{ item }}" insertafter: "^# Proxy" 
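Review bot: Moving the whole init script through the template engine to substitute one line means every `{{`, `{%` and `{#` in the remaining lines of the renamed file is now parsed by Jinja; the hunk only shows `configfile="{{ minifirewall_main_file }}"`, so whether the script uses sequences such as `${#var}` (which opens a Jinja comment) elsewhere cannot be confirmed from here and is worth a grep before release. If any such sequence exists, wrapping those regions in `{% raw %}` / `{% endraw %}` avoids a rendering error or a silently truncated script. The `oldconfigfile` deprecation message in the same hunk now reports the configurable path, which is consistent with the change.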
@@ -35,7 +35,7 @@ - name: remove minifirewall example rule for the proxy lineinfile: - dest: /etc/default/minifirewall + dest: "{{ minifirewall_main_file }}" regexp: '^#.*(-t nat).*(-d X\.X\.X\.X)' state: absent notify: restart minifirewall From 33e29657a7b9da14aa3c0e84a7d24c779c730d2a Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 4 Dec 2018 14:25:39 +0100 Subject: [PATCH 5/9] update changelog --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 38340cf5..b600215f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,8 @@ The **patch** part changes incrementally at each release. ### Added * evolinux-base: deploy custom motd if template are present +* minifirewall: main file is configurable +* squid: minifirewall main file is configurable ### Changed From 59dd03c91e5c973afda2d5210d2337bd40c7b31d Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 4 Dec 2018 14:26:13 +0100 Subject: [PATCH 6/9] squid: better replacement in minifirewall config --- CHANGELOG.md | 1 + squid/tasks/minifirewall.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b600215f..00369813 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,7 @@ The **patch** part changes incrementally at each release. * squid: minifirewall main file is configurable ### Changed +* squid: better replacement in minifirewall config ### Fixed diff --git a/squid/tasks/minifirewall.yml b/squid/tasks/minifirewall.yml index 8d018142..44c7ada6 100644 --- a/squid/tasks/minifirewall.yml +++ b/squid/tasks/minifirewall.yml @@ -17,6 +17,7 @@ lineinfile: dest: "{{ minifirewall_main_file }}" line: "HTTPSITES='0.0.0.0/0'" + regexp: "HTTPSITES='.*'" insertafter: "^#HTTPSITES=" notify: restart minifirewall From 50e16e0dee1e4d61895826f40efcab884728ec21 Mon Sep 17 00:00:00 2001 
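Review bot: The added `regexp: "HTTPSITES='.*'"` is unanchored, so it also matches the line the preceding task has just turned into `#HTTPSITES='...'`; lineinfile then rewrites that commented line as `HTTPSITES='0.0.0.0/0'` instead of inserting after it, the original value is discarded and the `HTTPSITES list is commented` task no longer has a lasting effect. If keeping the original value commented for reference is intended, anchor the pattern, `regexp: "^HTTPSITES='.*'"`, which still makes the task idempotent on later runs; if plain replacement is intended, the comment-out task can go and the task name should say so. lineinfile rewrites the last matching line, so a commented `#HTTPSITES=` example later in the file could also be the one changed — cannot be confirmed without minifirewall.conf.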
From: Jeremy Lecour Date: Tue, 4 Dec 2018 14:27:17 +0100 Subject: [PATCH 7/9] minifirewall: compare config before/after (for restart condition) --- CHANGELOG.md | 1 + minifirewall/tasks/config.yml | 12 +++++++++++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 00369813..a1b3595d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,7 @@ The **patch** part changes incrementally at each release. * squid: minifirewall main file is configurable ### Changed +* minifirewall: compare config before/after (for restart condition) * squid: better replacement in minifirewall config ### Fixed diff --git a/minifirewall/tasks/config.yml b/minifirewall/tasks/config.yml index 09225cee..96d2120f 100644 --- a/minifirewall/tasks/config.yml +++ b/minifirewall/tasks/config.yml @@ -7,6 +7,11 @@ var: minifirewall_privilegied_ips verbosity: 1 +- name: Stat minifirewall config file (before) + stat: + path: "{{ minifirewall_main_file }}" + register: minifirewall_before + - name: Check if minifirewall is running shell: /sbin/iptables -L -n | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$" changed_when: False @@ -115,6 +120,11 @@ state: absent when: evomaintenance_hosts != [] +- name: Stat minifirewall config file (after) + stat: + path: "{{ minifirewall_main_file }}" + register: minifirewall_after + - name: restart minifirewall # service: # name: minifirewall @@ -126,7 +136,7 @@ when: - minifirewall_restart_if_needed - minifirewall_is_running.rc == 0 - - (minifirewall_config_ips | changed or minifirewall_config_ports | changed) + - minifirewall_before.stat.checksum != minifirewall_after.stat.checksum - name: restart minifirewall (noop) meta: noop From 2bcc1133c0a3512d387b2838fd29af7be6df40dc Mon Sep 17 00:00:00 2001 
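Review bot: The new restart condition `minifirewall_before.stat.checksum != minifirewall_after.stat.checksum` assumes both stat results carry a checksum, which only holds when the file exists at both points; if config.yml can run before `configuration is copied` has created the main file, the `before` result has no `checksum` attribute and the restart task fails on an undefined attribute instead of evaluating to true. Guarding with `minifirewall_before.stat.checksum | default('') != minifirewall_after.stat.checksum | default('')` keeps the comparison total. Whether task ordering already guarantees existence cannot be confirmed from this hunk.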
From: Jeremy Lecour Date: Tue, 4 Dec 2018 14:30:15 +0100 Subject: [PATCH 8/9] minifirewall: all variables are configurable By default, a Null value keeps the variable current value as-is. Set an Array (can be empty) to replace the value. --- CHANGELOG.md | 1 + minifirewall/defaults/main.yml | 11 ++++++ minifirewall/tasks/config.yml | 64 ++++++++++++++++++++++++++++++++++ 3 files changed, 76 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a1b3595d..ae6cface 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,7 @@ The **patch** part changes incrementally at each release. ### Added * evolinux-base: deploy custom motd if template are present +* minifirewall: all variables are configurable (untouched by default) * minifirewall: main file is configurable * squid: minifirewall main file is configurable diff --git a/minifirewall/defaults/main.yml b/minifirewall/defaults/main.yml index 0c473272..3f173962 100644 --- a/minifirewall/defaults/main.yml +++ b/minifirewall/defaults/main.yml @@ -26,6 +26,17 @@ minifirewall_semipublic_ports_udp: [] minifirewall_private_ports_tcp: [5666] minifirewall_private_ports_udp: [] +# Keep a null value to leave the setting as is +# otherwise use an Array, eg. "minifirewall_ssh_ok: ['0.0.0.0/0']" +minifirewall_dns_servers: Null +minifirewall_http_sites: Null +minifirewall_https_sites: Null +minifirewall_ftp_sites: Null +minifirewall_ssh_ok: Null +minifirewall_smtp_ok: Null +minifirewall_smtp_secure_ok: Null +minifirewall_ntp_ok: Null + minifirewall_autostart: False minifirewall_restart_if_needed: True minifirewall_restart_force: False diff --git a/minifirewall/tasks/config.yml b/minifirewall/tasks/config.yml index 96d2120f..bd71cb48 100644 --- a/minifirewall/tasks/config.yml +++ b/minifirewall/tasks/config.yml 
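Review bot: The comment above the new `minifirewall_*` defaults says to use an Array, but the matching tasks build the value with `| join(' ')`, and a scalar string such as `minifirewall_ssh_ok: '10.0.0.0/8'` is iterated character by character by that filter, producing `SSHOK='1 0 . 0 ...'`; worth stating explicitly, e.g. `# Values must be lists (one host or CIDR per element); a plain string is split into characters by join`. `Null` is a valid YAML null and the `is not none` tests in config.yml match it, so the leave-as-is default path is sound.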
@@ -106,6 +106,70 @@ SERVICESUDP3='{{ minifirewall_private_ports_udp | join(' ') }}' register: minifirewall_config_ports +- name: Configure DNSSERVEURS + lineinfile: + dest: "{{ minifirewall_main_file }}" + create: no + line: "DNSSERVEURS='{{ minifirewall_dns_servers | join(' ') }}'" + regexp: "DNSSERVEURS='.*'" + when: minifirewall_dns_servers is not none + +- name: Configure HTTPSITES + lineinfile: + dest: "{{ minifirewall_main_file }}" + create: no + line: "HTTPSITES='{{ minifirewall_http_sites | join(' ') }}'" + regexp: "HTTPSITES='.*'" + when: minifirewall_http_sites is not none + +- name: Configure HTTPSSITES + lineinfile: + dest: "{{ minifirewall_main_file }}" + create: no + line: "HTTPSSITES='{{ minifirewall_https_sites | join(' ') }}'" + regexp: "HTTPSSITES='.*'" + when: minifirewall_https_sites is not none + +- name: Configure FTPSITES + lineinfile: + dest: "{{ minifirewall_main_file }}" + create: no + line: "FTPSITES='{{ minifirewall_ftp_sites | join(' ') }}'" + regexp: "FTPSITES='.*'" + when: minifirewall_ftp_sites is not none + +- name: Configure SSHOK + lineinfile: + dest: "{{ minifirewall_main_file }}" + create: no + line: "SSHOK='{{ minifirewall_ssh_ok | join(' ') }}'" + regexp: "SSHOK='.*'" + when: minifirewall_ssh_ok is not none + +- name: Configure SMTPOK + lineinfile: + dest: "{{ minifirewall_main_file }}" + create: no + line: "SMTPOK='{{ minifirewall_smtp_ok | join(' ') }}'" + regexp: "SMTPOK='.*'" + when: minifirewall_smtp_ok is not none + +- name: Configure SMTPSECUREOK + lineinfile: + dest: "{{ minifirewall_main_file }}" + create: no + line: "SMTPSECUREOK='{{ minifirewall_smtp_secure_ok | join(' ') }}'" + regexp: "SMTPSECUREOK='.*'" + when: minifirewall_smtp_secure_ok is not none + +- name: Configure NTPOK + lineinfile: + dest: "{{ minifirewall_main_file }}" + create: no + line: "NTPOK='{{ minifirewall_ntp_ok | join(' ') }}'" + regexp: "NTPOK='.*'" + when: minifirewall_ntp_ok is not none + - name: evomaintenance lineinfile: dest: "{{ 
minifirewall_main_file }}" From 69d9b949e2f3f0fa17aa805992180a88359fd3d5 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 4 Dec 2018 14:51:17 +0100 Subject: [PATCH 9/9] Release 9.6.0 --- CHANGELOG.md | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ae6cface..e47f3ba1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,16 @@ The **patch** part changes incrementally at each release. ## [Unreleased] +### Added + +### Changed + +### Fixed + +### Security + +## [9.6.0] - 2018-12-04 + ### Added * evolinux-base: deploy custom motd if template are present * minifirewall: all variables are configurable (untouched by default) @@ -20,10 +30,6 @@ The **patch** part changes incrementally at each release. * minifirewall: compare config before/after (for restart condition) * squid: better replacement in minifirewall config -### Fixed - -### Security - ## [9.5.0] - 2018-11-14 ### Added
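Review bot: Each new `Configure *` task uses an unanchored `regexp` such as `SSHOK='.*'`, which also matches a commented line like `#SSHOK='...'`; since lineinfile rewrites the last matching line, a commented example placed after the live assignment would become an active assignment while the original stays, and which value the sourced config honours then depends on their order. Anchoring every pattern, e.g. `regexp: "^SSHOK='.*'"`, limits the rewrite to the live line; this applies to all eight tasks in the hunk (DNSSERVEURS through NTPOK). Whether minifirewall.conf actually carries such commented examples cannot be confirmed from this hunk, and the `evomaintenance` task that follows is only partly visible here.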