Merge branch 'unstable' into stable
commit
a84bc70b79
13
CHANGELOG.md
13
CHANGELOG.md
|
@ -18,6 +18,18 @@ The **patch** part changes incrementally at each release.
|
||||||
|
|
||||||
### Security
|
### Security
|
||||||
|
|
||||||
|
## [9.6.0] - 2018-12-04
|
||||||
|
|
||||||
|
### Added
|
||||||
|
* evolinux-base: deploy custom motd if template are present
|
||||||
|
* minifirewall: all variables are configurable (untouched by default)
|
||||||
|
* minifirewall: main file is configurable
|
||||||
|
* squid: minifirewall main file is configurable
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
* minifirewall: compare config before/after (for restart condition)
|
||||||
|
* squid: better replacement in minifirewall config
|
||||||
|
|
||||||
## [9.5.0] - 2018-11-14
|
## [9.5.0] - 2018-11-14
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
@ -42,6 +54,7 @@ The **patch** part changes incrementally at each release.
|
||||||
* packweb-apache: mod-security config is already included elsewhere
|
* packweb-apache: mod-security config is already included elsewhere
|
||||||
* redis: for permissions on log and lib directories
|
* redis: for permissions on log and lib directories
|
||||||
* redis: fix shell for instance users
|
* redis: fix shell for instance users
|
||||||
|
* evoacme: fix error handling in sed_cert_path_for_(apache|nginx)
|
||||||
|
|
||||||
## [9.4.2] - 2018-10-12
|
## [9.4.2] - 2018-10-12
|
||||||
|
|
||||||
|
|
|
@ -55,10 +55,8 @@ sed_cert_path_for_apache() {
|
||||||
|
|
||||||
sed -i "s~${search}~${replace}~" "${vhost_full_path}"
|
sed -i "s~${search}~${replace}~" "${vhost_full_path}"
|
||||||
debug "Config in ${vhost_full_path} has been updated"
|
debug "Config in ${vhost_full_path} has been updated"
|
||||||
$(command -v apache2ctl) -t 2>&1 | grep -v "Syntax OK"
|
$(command -v apache2ctl) -t 2>/dev/null
|
||||||
if [ "${PIPESTATUS[0]}" != "0" ]; then
|
[ "${?}" -eq 0 ] || $(command -v apache2ctl) -t
|
||||||
error "Apache config test has exited with a non-zero exit code"
|
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
sed_cert_path_for_nginx() {
|
sed_cert_path_for_nginx() {
|
||||||
|
@ -76,7 +74,8 @@ sed_cert_path_for_nginx() {
|
||||||
|
|
||||||
sed -i "s~${search}~${replace}~" "${vhost_full_path}"
|
sed -i "s~${search}~${replace}~" "${vhost_full_path}"
|
||||||
debug "Config in ${vhost_full_path} has been updated"
|
debug "Config in ${vhost_full_path} has been updated"
|
||||||
$(command -v nginx) -t
|
$(command -v nginx) -t 2>/dev/null
|
||||||
|
[ "${?}" -eq 0 ] || $(command -v nginx) -t
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
x509_verify() {
|
x509_verify() {
|
||||||
|
|
|
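Review bot: A failing `apache2ctl -t` no longer stops the function: the `error "Apache config test has exited with a non-zero exit code"` call is removed, and the replacement `[ "${?}" -eq 0 ] || $(command -v apache2ctl) -t` only re-runs the test to show its output, so the vhost file already rewritten by the preceding `sed -i` is left in place with a broken config unless the script runs under `set -e` (not visible here). Keep the diagnostic re-run and restore the abort: `[ "${?}" -eq 0 ] || { $(command -v apache2ctl) -t; error "Apache config test has exited with a non-zero exit code"; }`, assuming `error` aborts as its former use suggests. The nginx variant gets the same shape and never had an error path at all, so it should receive the same treatment. sed_cert_path_for_apache begins before this hunk.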
@ -96,6 +96,8 @@
|
||||||
include: log2mail.yml
|
include: log2mail.yml
|
||||||
when: evolinux_log2mail_include
|
when: evolinux_log2mail_include
|
||||||
|
|
||||||
|
- include: motd.yml
|
||||||
|
|
||||||
- name: Munin
|
- name: Munin
|
||||||
include_role:
|
include_role:
|
||||||
name: munin
|
name: munin
|
||||||
|
|
17
evolinux-base/tasks/motd.yml
Normal file
17
evolinux-base/tasks/motd.yml
Normal file
|
@ -0,0 +1,17 @@
|
||||||
|
---
|
||||||
|
- name: Deploy custom motd
|
||||||
|
template:
|
||||||
|
src: "{{ item }}"
|
||||||
|
dest: /etc/motd
|
||||||
|
force: True
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0644"
|
||||||
|
with_first_found:
|
||||||
|
- files:
|
||||||
|
- "motd/motd.{{ inventory_hostname }}.j2"
|
||||||
|
- "motd/motd.{{ host_group }}.j2"
|
||||||
|
- "motd/motd.default.j2"
|
||||||
|
skip: True
|
||||||
|
tags:
|
||||||
|
- motd
|
|
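Review bot: The lookup precedence is the one thing a reader needs from this new file and it carries no comment; add a header under `---` such as `# Deploy /etc/motd from the first template found: per host, then per host_group, then motd.default.j2; the task is skipped when none exists.` `host_group` is not defined anywhere in this commit, so it presumably comes from inventory, and saying so in the same comment (`# host_group is expected to be set in inventory`) would spare the next maintainer a search. It is also worth stating next to `force: True` that an existing /etc/motd is overwritten on every run, since that is the choice most likely to surprise someone who edits the file by hand.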
@ -1,5 +1,6 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
|
minifirewall_main_file: /etc/default/minifirewall
|
||||||
minifirewall_tail_file: /etc/default/minifirewall.tail
|
minifirewall_tail_file: /etc/default/minifirewall.tail
|
||||||
minifirewall_tail_included: False
|
minifirewall_tail_included: False
|
||||||
minifirewall_tail_force: True
|
minifirewall_tail_force: True
|
||||||
|
@ -25,6 +26,17 @@ minifirewall_semipublic_ports_udp: []
|
||||||
minifirewall_private_ports_tcp: [5666]
|
minifirewall_private_ports_tcp: [5666]
|
||||||
minifirewall_private_ports_udp: []
|
minifirewall_private_ports_udp: []
|
||||||
|
|
||||||
|
# Keep a null value to leave the setting as is
|
||||||
|
# otherwise use an Array, eg. "minifirewall_ssh_ok: ['0.0.0.0/0']"
|
||||||
|
minifirewall_dns_servers: Null
|
||||||
|
minifirewall_http_sites: Null
|
||||||
|
minifirewall_https_sites: Null
|
||||||
|
minifirewall_ftp_sites: Null
|
||||||
|
minifirewall_ssh_ok: Null
|
||||||
|
minifirewall_smtp_ok: Null
|
||||||
|
minifirewall_smtp_secure_ok: Null
|
||||||
|
minifirewall_ntp_ok: Null
|
||||||
|
|
||||||
minifirewall_autostart: False
|
minifirewall_autostart: False
|
||||||
minifirewall_restart_if_needed: True
|
minifirewall_restart_if_needed: True
|
||||||
minifirewall_restart_force: False
|
minifirewall_restart_force: False
|
||||||
|
|
|
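Review bot: The usage example on the new comment line, `minifirewall_ssh_ok: ['0.0.0.0/0']`, shows the one value that presumably opens SSH to every source address, and it sits in the defaults file operators copy from. Use a harmless documentation network instead: `# otherwise use an Array, eg. "minifirewall_ssh_ok: ['192.0.2.0/24']"`. A one-line note on what each list controls (destinations for the `*_sites` variables, allowed sources for the `*_ok` ones, if that is indeed minifirewall's semantics, which this diff does not show) would also help, as the names alone do not make the direction obvious.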
@ -7,6 +7,11 @@
|
||||||
var: minifirewall_privilegied_ips
|
var: minifirewall_privilegied_ips
|
||||||
verbosity: 1
|
verbosity: 1
|
||||||
|
|
||||||
|
- name: Stat minifirewall config file (before)
|
||||||
|
stat:
|
||||||
|
path: "{{ minifirewall_main_file }}"
|
||||||
|
register: minifirewall_before
|
||||||
|
|
||||||
- name: Check if minifirewall is running
|
- name: Check if minifirewall is running
|
||||||
shell: /sbin/iptables -L -n | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
|
shell: /sbin/iptables -L -n | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
|
||||||
changed_when: False
|
changed_when: False
|
||||||
|
@ -20,14 +25,14 @@
|
||||||
|
|
||||||
- name: Begin marker for IP addresses
|
- name: Begin marker for IP addresses
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: /etc/default/minifirewall
|
dest: "{{ minifirewall_main_file }}"
|
||||||
create: no
|
create: no
|
||||||
line: "# BEGIN ANSIBLE MANAGED BLOCK FOR IPS"
|
line: "# BEGIN ANSIBLE MANAGED BLOCK FOR IPS"
|
||||||
insertbefore: '^# Main interface'
|
insertbefore: '^# Main interface'
|
||||||
|
|
||||||
- name: End marker for IP addresses
|
- name: End marker for IP addresses
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: /etc/default/minifirewall
|
dest: "{{ minifirewall_main_file }}"
|
||||||
create: no
|
create: no
|
||||||
line: "# END ANSIBLE MANAGED BLOCK FOR IPS"
|
line: "# END ANSIBLE MANAGED BLOCK FOR IPS"
|
||||||
insertafter: '^PRIVILEGIEDIPS='
|
insertafter: '^PRIVILEGIEDIPS='
|
||||||
|
@ -41,7 +46,7 @@
|
||||||
|
|
||||||
- name: Configure IP addresses
|
- name: Configure IP addresses
|
||||||
blockinfile:
|
blockinfile:
|
||||||
dest: /etc/default/minifirewall
|
dest: "{{ minifirewall_main_file }}"
|
||||||
create: no
|
create: no
|
||||||
marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS"
|
marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS"
|
||||||
content: |
|
content: |
|
||||||
|
@ -65,21 +70,21 @@
|
||||||
|
|
||||||
- name: Begin marker for ports
|
- name: Begin marker for ports
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: /etc/default/minifirewall
|
dest: "{{ minifirewall_main_file }}"
|
||||||
create: no
|
create: no
|
||||||
line: "# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS"
|
line: "# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS"
|
||||||
insertbefore: '^# Protected services'
|
insertbefore: '^# Protected services'
|
||||||
|
|
||||||
- name: End marker for ports
|
- name: End marker for ports
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: /etc/default/minifirewall
|
dest: "{{ minifirewall_main_file }}"
|
||||||
create: no
|
create: no
|
||||||
line: "# END ANSIBLE MANAGED BLOCK FOR PORTS"
|
line: "# END ANSIBLE MANAGED BLOCK FOR PORTS"
|
||||||
insertafter: '^SERVICESUDP3='
|
insertafter: '^SERVICESUDP3='
|
||||||
|
|
||||||
- name: Configure ports
|
- name: Configure ports
|
||||||
blockinfile:
|
blockinfile:
|
||||||
dest: /etc/default/minifirewall
|
dest: "{{ minifirewall_main_file }}"
|
||||||
create: no
|
create: no
|
||||||
marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS"
|
marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS"
|
||||||
content: |
|
content: |
|
||||||
|
@ -101,20 +106,89 @@
|
||||||
SERVICESUDP3='{{ minifirewall_private_ports_udp | join(' ') }}'
|
SERVICESUDP3='{{ minifirewall_private_ports_udp | join(' ') }}'
|
||||||
register: minifirewall_config_ports
|
register: minifirewall_config_ports
|
||||||
|
|
||||||
|
- name: Configure DNSSERVEURS
|
||||||
|
lineinfile:
|
||||||
|
dest: "{{ minifirewall_main_file }}"
|
||||||
|
create: no
|
||||||
|
line: "DNSSERVEURS='{{ minifirewall_dns_servers | join(' ') }}'"
|
||||||
|
regexp: "DNSSERVEURS='.*'"
|
||||||
|
when: minifirewall_dns_servers is not none
|
||||||
|
|
||||||
|
- name: Configure HTTPSITES
|
||||||
|
lineinfile:
|
||||||
|
dest: "{{ minifirewall_main_file }}"
|
||||||
|
create: no
|
||||||
|
line: "HTTPSITES='{{ minifirewall_http_sites | join(' ') }}'"
|
||||||
|
regexp: "HTTPSITES='.*'"
|
||||||
|
when: minifirewall_http_sites is not none
|
||||||
|
|
||||||
|
- name: Configure HTTPSSITES
|
||||||
|
lineinfile:
|
||||||
|
dest: "{{ minifirewall_main_file }}"
|
||||||
|
create: no
|
||||||
|
line: "HTTPSSITES='{{ minifirewall_https_sites | join(' ') }}'"
|
||||||
|
regexp: "HTTPSSITES='.*'"
|
||||||
|
when: minifirewall_https_sites is not none
|
||||||
|
|
||||||
|
- name: Configure FTPSITES
|
||||||
|
lineinfile:
|
||||||
|
dest: "{{ minifirewall_main_file }}"
|
||||||
|
create: no
|
||||||
|
line: "FTPSITES='{{ minifirewall_ftp_sites | join(' ') }}'"
|
||||||
|
regexp: "FTPSITES='.*'"
|
||||||
|
when: minifirewall_ftp_sites is not none
|
||||||
|
|
||||||
|
- name: Configure SSHOK
|
||||||
|
lineinfile:
|
||||||
|
dest: "{{ minifirewall_main_file }}"
|
||||||
|
create: no
|
||||||
|
line: "SSHOK='{{ minifirewall_ssh_ok | join(' ') }}'"
|
||||||
|
regexp: "SSHOK='.*'"
|
||||||
|
when: minifirewall_ssh_ok is not none
|
||||||
|
|
||||||
|
- name: Configure SMTPOK
|
||||||
|
lineinfile:
|
||||||
|
dest: "{{ minifirewall_main_file }}"
|
||||||
|
create: no
|
||||||
|
line: "SMTPOK='{{ minifirewall_smtp_ok | join(' ') }}'"
|
||||||
|
regexp: "SMTPOK='.*'"
|
||||||
|
when: minifirewall_smtp_ok is not none
|
||||||
|
|
||||||
|
- name: Configure SMTPSECUREOK
|
||||||
|
lineinfile:
|
||||||
|
dest: "{{ minifirewall_main_file }}"
|
||||||
|
create: no
|
||||||
|
line: "SMTPSECUREOK='{{ minifirewall_smtp_secure_ok | join(' ') }}'"
|
||||||
|
regexp: "SMTPSECUREOK='.*'"
|
||||||
|
when: minifirewall_smtp_secure_ok is not none
|
||||||
|
|
||||||
|
- name: Configure NTPOK
|
||||||
|
lineinfile:
|
||||||
|
dest: "{{ minifirewall_main_file }}"
|
||||||
|
create: no
|
||||||
|
line: "NTPOK='{{ minifirewall_ntp_ok | join(' ') }}'"
|
||||||
|
regexp: "NTPOK='.*'"
|
||||||
|
when: minifirewall_ntp_ok is not none
|
||||||
|
|
||||||
- name: evomaintenance
|
- name: evomaintenance
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: /etc/default/minifirewall
|
dest: "{{ minifirewall_main_file }}"
|
||||||
line: "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s {{ item }} -m state --state ESTABLISHED,RELATED -j ACCEPT"
|
line: "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s {{ item }} -m state --state ESTABLISHED,RELATED -j ACCEPT"
|
||||||
insertafter: "^# EvoMaintenance"
|
insertafter: "^# EvoMaintenance"
|
||||||
with_items: "{{ evomaintenance_hosts }}"
|
with_items: "{{ evomaintenance_hosts }}"
|
||||||
|
|
||||||
- name: remove minifirewall example rule for the evomaintenance
|
- name: remove minifirewall example rule for the evomaintenance
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: /etc/default/minifirewall
|
dest: "{{ minifirewall_main_file }}"
|
||||||
regexp: '^#.*(--sport 5432).*(-s X\.X\.X\.X)'
|
regexp: '^#.*(--sport 5432).*(-s X\.X\.X\.X)'
|
||||||
state: absent
|
state: absent
|
||||||
when: evomaintenance_hosts != []
|
when: evomaintenance_hosts != []
|
||||||
|
|
||||||
|
- name: Stat minifirewall config file (after)
|
||||||
|
stat:
|
||||||
|
path: "{{ minifirewall_main_file }}"
|
||||||
|
register: minifirewall_after
|
||||||
|
|
||||||
- name: restart minifirewall
|
- name: restart minifirewall
|
||||||
# service:
|
# service:
|
||||||
# name: minifirewall
|
# name: minifirewall
|
||||||
|
@ -126,7 +200,7 @@
|
||||||
when:
|
when:
|
||||||
- minifirewall_restart_if_needed
|
- minifirewall_restart_if_needed
|
||||||
- minifirewall_is_running.rc == 0
|
- minifirewall_is_running.rc == 0
|
||||||
- (minifirewall_config_ips | changed or minifirewall_config_ports | changed)
|
- minifirewall_before.stat.checksum != minifirewall_after.stat.checksum
|
||||||
|
|
||||||
- name: restart minifirewall (noop)
|
- name: restart minifirewall (noop)
|
||||||
meta: noop
|
meta: noop
|
||||||
|
|
|
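Review bot: The eight new `lineinfile` tasks use an unanchored pattern (`regexp: "DNSSERVEURS='.*'"` and likewise for HTTPSITES, HTTPSSITES, FTPSITES, SSHOK, SMTPOK, SMTPSECUREOK, NTPOK), so a commented-out example such as `#SSHOK='…'` matches too, and because lineinfile rewrites the last matching line, a comment placed below the real assignment would be replaced while the active value stays untouched. Anchor each pattern at line start, `regexp: "^DNSSERVEURS='.*'"`, so only the live assignment is managed; the squid role's own tasks rely on `#HTTPSITES=` lines being present in this file, so the case is not theoretical. The rendered lists are also spliced unescaped into a file that appears to be shell-sourced (tail.yml appends a `. minifirewall.tail` line to it), so a stray `'` in one of these variables would break the quoting; a comment in defaults saying the entries must be plain host/CIDR tokens would be cheap insurance.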
@ -8,8 +8,8 @@
|
||||||
- iptables
|
- iptables
|
||||||
|
|
||||||
- name: init script is copied
|
- name: init script is copied
|
||||||
copy:
|
template:
|
||||||
src: minifirewall
|
src: minifirewall.j2
|
||||||
dest: /etc/init.d/minifirewall
|
dest: /etc/init.d/minifirewall
|
||||||
force: no
|
force: no
|
||||||
mode: "0700"
|
mode: "0700"
|
||||||
|
@ -19,7 +19,7 @@
|
||||||
- name: configuration is copied
|
- name: configuration is copied
|
||||||
copy:
|
copy:
|
||||||
src: minifirewall.conf
|
src: minifirewall.conf
|
||||||
dest: /etc/default/minifirewall
|
dest: "{{ minifirewall_main_file }}"
|
||||||
force: no
|
force: no
|
||||||
mode: "0600"
|
mode: "0600"
|
||||||
owner: root
|
owner: root
|
||||||
|
|
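Review bot: The init script is now rendered from `minifirewall.j2` with `configfile="{{ minifirewall_main_file }}"` baked in, but the task keeps `force: no`, so hosts that already have /etc/init.d/minifirewall never receive the rendered path and keep reading /etc/default/minifirewall while the config tasks edit `{{ minifirewall_main_file }}`. Either document the limitation in place, e.g. `# force: no — an existing init script keeps its hard-coded config path; set minifirewall_main_file before the first install`, or drop `force: no` for the script and handle local modifications another way. The `mode: "0700"` on the script is unchanged and appropriate for a root-only init script.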
|
@ -17,7 +17,7 @@
|
||||||
|
|
||||||
- name: source minifirewall.tail at the end of the main file
|
- name: source minifirewall.tail at the end of the main file
|
||||||
blockinfile:
|
blockinfile:
|
||||||
dest: /etc/default/minifirewall
|
dest: "{{ minifirewall_main_file }}"
|
||||||
marker: "# {mark} ANSIBLE MANAGED EXTERNAL RULES"
|
marker: "# {mark} ANSIBLE MANAGED EXTERNAL RULES"
|
||||||
block: ". {{ minifirewall_tail_file }}"
|
block: ". {{ minifirewall_tail_file }}"
|
||||||
insertbefore: EOF
|
insertbefore: EOF
|
||||||
|
|
|
@ -111,7 +111,7 @@ $IPT -A LOG_ACCEPT -j ACCEPT
|
||||||
|
|
||||||
# Configuration
|
# Configuration
|
||||||
oldconfigfile="/etc/firewall.rc"
|
oldconfigfile="/etc/firewall.rc"
|
||||||
configfile="/etc/default/minifirewall"
|
configfile="{{ minifirewall_main_file }}"
|
||||||
|
|
||||||
if test -f $oldconfigfile; then
|
if test -f $oldconfigfile; then
|
||||||
echo "$oldconfigfile is deprecated, rename to $configfile" >&2
|
echo "$oldconfigfile is deprecated, rename to $configfile" >&2
|
||||||
|
@ -382,4 +382,3 @@ trap - INT TERM EXIT
|
||||||
esac
|
esac
|
||||||
|
|
||||||
exit 0
|
exit 0
|
||||||
|
|
|
@ -6,3 +6,5 @@ squid_address: "{{ ansible_default_ipv4.address }}"
|
||||||
squid_whitelist_items: []
|
squid_whitelist_items: []
|
||||||
|
|
||||||
squid_localproxy_enable: False
|
squid_localproxy_enable: False
|
||||||
|
|
||||||
|
minifirewall_main_file: /etc/default/minifirewall
|
||||||
|
|
|
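Review bot: `minifirewall_main_file` is now declared in two roles' defaults with the same literal value (this file and minifirewall/defaults/main.yml) and nothing ties them together, so an override placed in one role's `vars:` leaves the other role editing the wrong file. Add a comment above it: `# Must match the minifirewall role's value; override it in inventory/group_vars so both roles see the same path.` Whether the squid role could instead rely on the minifirewall role's variable depends on play ordering, which is not visible here.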
@ -1,28 +1,29 @@
|
||||||
---
|
---
|
||||||
- name: Check if Minifirewall is present
|
- name: Check if Minifirewall is present
|
||||||
stat:
|
stat:
|
||||||
path: /etc/default/minifirewall
|
path: "{{ minifirewall_main_file }}"
|
||||||
check_mode: no
|
check_mode: no
|
||||||
register: minifirewall_test
|
register: minifirewall_test
|
||||||
|
|
||||||
- block:
|
- block:
|
||||||
- name: HTTPSITES list is commented in minifirewall
|
- name: HTTPSITES list is commented in minifirewall
|
||||||
replace:
|
replace:
|
||||||
dest: /etc/default/minifirewall
|
dest: "{{ minifirewall_main_file }}"
|
||||||
regexp: "^(HTTPSITES='[^0-9])"
|
regexp: "^(HTTPSITES='[^0-9])"
|
||||||
replace: '#\1'
|
replace: '#\1'
|
||||||
notify: restart minifirewall
|
notify: restart minifirewall
|
||||||
|
|
||||||
- name: all HTTPSITES are authorized in minifirewall
|
- name: all HTTPSITES are authorized in minifirewall
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: /etc/default/minifirewall
|
dest: "{{ minifirewall_main_file }}"
|
||||||
line: "HTTPSITES='0.0.0.0/0'"
|
line: "HTTPSITES='0.0.0.0/0'"
|
||||||
|
regexp: "HTTPSITES='.*'"
|
||||||
insertafter: "^#HTTPSITES="
|
insertafter: "^#HTTPSITES="
|
||||||
notify: restart minifirewall
|
notify: restart minifirewall
|
||||||
|
|
||||||
- name: add iptables rules for the proxy
|
- name: add iptables rules for the proxy
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: /etc/default/minifirewall
|
dest: "{{ minifirewall_main_file }}"
|
||||||
regexp: "^#? *{{ item }}"
|
regexp: "^#? *{{ item }}"
|
||||||
line: "{{ item }}"
|
line: "{{ item }}"
|
||||||
insertafter: "^# Proxy"
|
insertafter: "^# Proxy"
|
||||||
|
@ -35,7 +36,7 @@
|
||||||
|
|
||||||
- name: remove minifirewall example rule for the proxy
|
- name: remove minifirewall example rule for the proxy
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: /etc/default/minifirewall
|
dest: "{{ minifirewall_main_file }}"
|
||||||
regexp: '^#.*(-t nat).*(-d X\.X\.X\.X)'
|
regexp: '^#.*(-t nat).*(-d X\.X\.X\.X)'
|
||||||
state: absent
|
state: absent
|
||||||
notify: restart minifirewall
|
notify: restart minifirewall
|
||||||
|
|
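Review bot: The new `regexp: "HTTPSITES='.*'"` is not anchored, so it also matches the `#HTTPSITES='…'` line the preceding `replace` task just produced, and lineinfile rewrites the last matching line; the commented copy of the original value is therefore overwritten by `HTTPSITES='0.0.0.0/0'` and `insertafter: "^#HTTPSITES="` never applies. If the intent is to keep the original value as a comment, anchor the pattern: `regexp: "^HTTPSITES='.*'"`, which still replaces an active numeric `HTTPSITES=` line (the case the old code would have duplicated). If the intent is simply to force a single active assignment, the comment-out task above becomes redundant and can be dropped. The enclosing `block:` continues past this hunk.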