Merge branch 'unstable' into stable

CHANGELOG.md

@@ -18,6 +18,18 @@ The **patch** part changes incrementally at each release.
 
 ### Security
 
+## [9.6.0] - 2018-12-04
+
+### Added
+* evolinux-base: deploy custom motd if template are present
+* minifirewall: all variables are configurable (untouched by default)
+* minifirewall: main file is configurable
+* squid: minifirewall main file is configurable
+
+### Changed
+* minifirewall: compare config before/after (for restart condition)
+* squid: better replacement in minifirewall config
+
 ## [9.5.0] - 2018-11-14
 
 ### Added
@@ -42,6 +54,7 @@ The **patch** part changes incrementally at each release.
 * packweb-apache: mod-security config is already included elsewhere
 * redis: for permissions on log and lib directories
 * redis: fix shell for instance users
+* evoacme: fix error handling in sed_cert_path_for_(apache|nginx)
 
 ## [9.4.2] - 2018-10-12
 

evoacme/files/evoacme.sh

@@ -55,10 +55,8 @@ sed_cert_path_for_apache() {
 
         sed -i "s~${search}~${replace}~" "${vhost_full_path}"
         debug "Config in ${vhost_full_path} has been updated"
-        $(command -v apache2ctl) -t 2>&1 | grep -v "Syntax OK"
+        $(command -v apache2ctl) -t 2>/dev/null
-        if [ "${PIPESTATUS[0]}" != "0" ]; then
+        [ "${?}" -eq 0 ] || $(command -v apache2ctl) -t
-            error "Apache config test has exited with a non-zero exit code"
-        fi
     fi
 }
 sed_cert_path_for_nginx() {
@@ -76,7 +74,8 @@ sed_cert_path_for_nginx() {
 
         sed -i "s~${search}~${replace}~" "${vhost_full_path}"
         debug "Config in ${vhost_full_path} has been updated"
-        $(command -v nginx) -t
+        $(command -v nginx) -t 2>/dev/null
+        [ "${?}" -eq 0 ] || $(command -v nginx) -t
     fi
 }
 x509_verify() {

evolinux-base/tasks/main.yml

@@ -96,6 +96,8 @@
   include: log2mail.yml
   when: evolinux_log2mail_include
 
+- include: motd.yml
+
 - name: Munin
   include_role:
     name: munin

evolinux-base/tasks/motd.yml

@@ -0,0 +1,17 @@
+---
+- name: Deploy custom motd
+  template:
+    src: "{{ item }}"
+    dest: /etc/motd
+    force: True
+    owner: root
+    group: root
+    mode: "0644"
+  with_first_found:
+    - files:
+      - "motd/motd.{{ inventory_hostname }}.j2"
+      - "motd/motd.{{ host_group }}.j2"
+      - "motd/motd.default.j2"
+      skip: True
+  tags:
+    - motd

minifirewall/defaults/main.yml

@@ -1,5 +1,6 @@
 ---
 
+minifirewall_main_file: /etc/default/minifirewall
 minifirewall_tail_file: /etc/default/minifirewall.tail
 minifirewall_tail_included: False
 minifirewall_tail_force: True
@@ -25,6 +26,17 @@ minifirewall_semipublic_ports_udp: []
 minifirewall_private_ports_tcp: [5666]
 minifirewall_private_ports_udp: []
 
+# Keep a null value to leave the setting as is
+# otherwise use an Array, eg. "minifirewall_ssh_ok: ['0.0.0.0/0']"
+minifirewall_dns_servers: Null
+minifirewall_http_sites: Null
+minifirewall_https_sites: Null
+minifirewall_ftp_sites: Null
+minifirewall_ssh_ok: Null
+minifirewall_smtp_ok: Null
+minifirewall_smtp_secure_ok: Null
+minifirewall_ntp_ok: Null
+
 minifirewall_autostart: False
 minifirewall_restart_if_needed: True
 minifirewall_restart_force: False

minifirewall/tasks/config.yml

@@ -7,6 +7,11 @@
     var: minifirewall_privilegied_ips
     verbosity: 1
 
+- name: Stat minifirewall config file (before)
+  stat:
+    path: "{{ minifirewall_main_file }}"
+  register: minifirewall_before
+
 - name: Check if minifirewall is running
   shell: /sbin/iptables -L -n | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
   changed_when: False
@@ -20,14 +25,14 @@
 
 - name: Begin marker for IP addresses
   lineinfile:
-    dest: /etc/default/minifirewall
+    dest: "{{ minifirewall_main_file }}"
     create: no
     line: "# BEGIN ANSIBLE MANAGED BLOCK FOR IPS"
     insertbefore: '^# Main interface'
 
 - name: End marker for IP addresses
   lineinfile:
-    dest: /etc/default/minifirewall
+    dest: "{{ minifirewall_main_file }}"
     create: no
     line: "# END ANSIBLE MANAGED BLOCK FOR IPS"
     insertafter: '^PRIVILEGIEDIPS='
@@ -41,7 +46,7 @@
 
 - name: Configure IP addresses
   blockinfile:
-    dest: /etc/default/minifirewall
+    dest: "{{ minifirewall_main_file }}"
     create: no
     marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS"
     content: |
@@ -65,21 +70,21 @@
 
 - name: Begin marker for ports
   lineinfile:
-    dest: /etc/default/minifirewall
+    dest: "{{ minifirewall_main_file }}"
     create: no
     line: "# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS"
     insertbefore: '^# Protected services'
 
 - name: End marker for ports
   lineinfile:
-    dest: /etc/default/minifirewall
+    dest: "{{ minifirewall_main_file }}"
     create: no
     line: "# END ANSIBLE MANAGED BLOCK FOR PORTS"
     insertafter: '^SERVICESUDP3='
 
 - name: Configure ports
   blockinfile:
-    dest: /etc/default/minifirewall
+    dest: "{{ minifirewall_main_file }}"
     create: no
     marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS"
     content: |
@@ -101,20 +106,89 @@
       SERVICESUDP3='{{ minifirewall_private_ports_udp | join(' ') }}'
   register: minifirewall_config_ports
 
+- name: Configure DNSSERVEURS
+  lineinfile:
+    dest: "{{ minifirewall_main_file }}"
+    create: no
+    line: "DNSSERVEURS='{{ minifirewall_dns_servers | join(' ') }}'"
+    regexp: "DNSSERVEURS='.*'"
+  when: minifirewall_dns_servers is not none
+
+- name: Configure HTTPSITES
+  lineinfile:
+    dest: "{{ minifirewall_main_file }}"
+    create: no
+    line: "HTTPSITES='{{ minifirewall_http_sites | join(' ') }}'"
+    regexp: "HTTPSITES='.*'"
+  when: minifirewall_http_sites is not none
+
+- name: Configure HTTPSSITES
+  lineinfile:
+    dest: "{{ minifirewall_main_file }}"
+    create: no
+    line: "HTTPSSITES='{{ minifirewall_https_sites | join(' ') }}'"
+    regexp: "HTTPSSITES='.*'"
+  when: minifirewall_https_sites is not none
+
+- name: Configure FTPSITES
+  lineinfile:
+    dest: "{{ minifirewall_main_file }}"
+    create: no
+    line: "FTPSITES='{{ minifirewall_ftp_sites | join(' ') }}'"
+    regexp: "FTPSITES='.*'"
+  when: minifirewall_ftp_sites is not none
+
+- name: Configure SSHOK
+  lineinfile:
+    dest: "{{ minifirewall_main_file }}"
+    create: no
+    line: "SSHOK='{{ minifirewall_ssh_ok | join(' ') }}'"
+    regexp: "SSHOK='.*'"
+  when: minifirewall_ssh_ok is not none
+
+- name: Configure SMTPOK
+  lineinfile:
+    dest: "{{ minifirewall_main_file }}"
+    create: no
+    line: "SMTPOK='{{ minifirewall_smtp_ok | join(' ') }}'"
+    regexp: "SMTPOK='.*'"
+  when: minifirewall_smtp_ok is not none
+
+- name: Configure SMTPSECUREOK
+  lineinfile:
+    dest: "{{ minifirewall_main_file }}"
+    create: no
+    line: "SMTPSECUREOK='{{ minifirewall_smtp_secure_ok | join(' ') }}'"
+    regexp: "SMTPSECUREOK='.*'"
+  when: minifirewall_smtp_secure_ok is not none
+
+- name: Configure NTPOK
+  lineinfile:
+    dest: "{{ minifirewall_main_file }}"
+    create: no
+    line: "NTPOK='{{ minifirewall_ntp_ok | join(' ') }}'"
+    regexp: "NTPOK='.*'"
+  when: minifirewall_ntp_ok is not none
+
 - name: evomaintenance
   lineinfile:
-    dest: /etc/default/minifirewall
+    dest: "{{ minifirewall_main_file }}"
     line: "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s {{ item }} -m state --state ESTABLISHED,RELATED -j ACCEPT"
     insertafter: "^# EvoMaintenance"
   with_items: "{{ evomaintenance_hosts }}"
 
 - name: remove minifirewall example rule for the evomaintenance
   lineinfile:
-    dest: /etc/default/minifirewall
+    dest: "{{ minifirewall_main_file }}"
     regexp: '^#.*(--sport 5432).*(-s X\.X\.X\.X)'
     state: absent
   when: evomaintenance_hosts != []
 
+- name: Stat minifirewall config file (after)
+  stat:
+    path: "{{ minifirewall_main_file }}"
+  register: minifirewall_after
+
 - name: restart minifirewall
   # service:
   #   name: minifirewall
@@ -126,7 +200,7 @@
   when:
     - minifirewall_restart_if_needed
     - minifirewall_is_running.rc == 0
-    - (minifirewall_config_ips | changed or minifirewall_config_ports | changed)
+    - minifirewall_before.stat.checksum != minifirewall_after.stat.checksum
 
 - name: restart minifirewall (noop)
   meta: noop

minifirewall/tasks/install.yml

@@ -8,8 +8,8 @@
   - iptables
 
 - name: init script is copied
-  copy:
+  template:
-    src: minifirewall
+    src: minifirewall.j2
     dest: /etc/init.d/minifirewall
     force: no
     mode: "0700"
@@ -19,7 +19,7 @@
 - name: configuration is copied
   copy:
     src: minifirewall.conf
-    dest: /etc/default/minifirewall
+    dest: "{{ minifirewall_main_file }}"
     force: no
     mode: "0600"
     owner: root

minifirewall/tasks/tail.yml

@@ -17,7 +17,7 @@
 
 - name: source minifirewall.tail at the end of the main file
   blockinfile:
-    dest: /etc/default/minifirewall
+    dest: "{{ minifirewall_main_file }}"
     marker: "# {mark} ANSIBLE MANAGED EXTERNAL RULES"
     block: ". {{ minifirewall_tail_file }}"
     insertbefore: EOF

minifirewall/templates/minifirewall.j2

@@ -111,7 +111,7 @@ $IPT -A LOG_ACCEPT -j ACCEPT
 
 # Configuration
 oldconfigfile="/etc/firewall.rc"
-configfile="/etc/default/minifirewall"
+configfile="{{ minifirewall_main_file }}"
 
 if test -f $oldconfigfile; then
     echo "$oldconfigfile is deprecated, rename to $configfile" >&2
@@ -382,4 +382,3 @@ trap - INT TERM EXIT
 esac
 
 exit 0
-

squid/defaults/main.yml

@@ -6,3 +6,5 @@ squid_address: "{{ ansible_default_ipv4.address }}"
 squid_whitelist_items: []
 
 squid_localproxy_enable: False
+
+minifirewall_main_file: /etc/default/minifirewall

squid/tasks/minifirewall.yml

@@ -1,28 +1,29 @@
 ---
 - name: Check if Minifirewall is present
   stat:
-    path: /etc/default/minifirewall
+    path: "{{ minifirewall_main_file }}"
   check_mode: no
   register: minifirewall_test
 
 - block:
   - name: HTTPSITES list is commented in minifirewall
     replace:
-      dest: /etc/default/minifirewall
+      dest: "{{ minifirewall_main_file }}"
       regexp: "^(HTTPSITES='[^0-9])"
       replace: '#\1'
     notify: restart minifirewall
 
   - name: all HTTPSITES are authorized in minifirewall
     lineinfile:
-      dest: /etc/default/minifirewall
+      dest: "{{ minifirewall_main_file }}"
       line: "HTTPSITES='0.0.0.0/0'"
+      regexp: "HTTPSITES='.*'"
       insertafter: "^#HTTPSITES="
     notify: restart minifirewall
 
   - name: add iptables rules for the proxy
     lineinfile:
-      dest: /etc/default/minifirewall
+      dest: "{{ minifirewall_main_file }}"
       regexp: "^#? *{{ item }}"
       line: "{{ item }}"
       insertafter: "^# Proxy"
@@ -35,7 +36,7 @@
 
   - name: remove minifirewall example rule for the proxy
     lineinfile:
-      dest: /etc/default/minifirewall
+      dest: "{{ minifirewall_main_file }}"
       regexp: '^#.*(-t nat).*(-d X\.X\.X\.X)'
       state: absent
     notify: restart minifirewall