From c17bb035355cabc302ef2be4b7290b9bc722e4e3 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 25 Mar 2022 18:16:36 +0100 Subject: [PATCH 1/8] minifirewall: tail template follows symlinks --- CHANGELOG.md | 2 ++ minifirewall/tasks/tail.yml | 1 + 2 files changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 216de3dd..3f8f3596 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* minifirewall: tail template follows symlinks + ### Fixed ### Removed diff --git a/minifirewall/tasks/tail.yml b/minifirewall/tasks/tail.yml index c8c4440e..0af9925d 100644 --- a/minifirewall/tasks/tail.yml +++ b/minifirewall/tasks/tail.yml @@ -4,6 +4,7 @@ src: "{{ item }}" dest: "{{ minifirewall_tail_file }}" force: "{{ minifirewall_tail_force | bool }}" + follow: yes loop: "{{ query('first_found', templates) }}" vars: templates: From 381acc830dbc8a139a3fd0a66681a354599305bb Mon Sep 17 00:00:00 2001 From: Brice Waegeneire Date: Thu, 21 Apr 2022 11:28:32 +0200 Subject: [PATCH 2/8] Add nagios check for Redis Sentinel synchro --- .../files/plugins/check_redis_sentinel_sync | 46 +++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100755 nagios-nrpe/files/plugins/check_redis_sentinel_sync diff --git a/nagios-nrpe/files/plugins/check_redis_sentinel_sync b/nagios-nrpe/files/plugins/check_redis_sentinel_sync new file mode 100755 index 00000000..e8f217aa --- /dev/null +++ b/nagios-nrpe/files/plugins/check_redis_sentinel_sync 
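Review bot: The added `follow: yes` in minifirewall/tasks/tail.yml uses a YAML 1.1 truthy spelling while the `force:` value right above it is already coerced with `| bool`; write `follow: true` so the task stays consistent and yamllint/ansible-lint do not flag it. The option also deserves a one-line comment, because it changes where the rendered file lands: when `minifirewall_tail_file` is a symlink, Ansible's template module writes through the link to its target instead of replacing the link with a regular file, so the task now modifies whatever the link points at (presumably the intent, given the commit title), e.g. `# follow: write through a symlinked tail file to its target instead of replacing the link`. The task's `- name:` header and the rest of the `vars:` block are outside the hunk.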
@@ -0,0 +1,46 @@
+#!/bin/sh
+#
+# Verify the synchroniation of Redis Sentinel slaves.
+
+output=$(mktemp --tmpdir $(basename "$0").XXXXXXXXXX)
+critical_count=0
+ok_count=0
+
+trap "rm -f $output" EXIT
+
+input=$(redis-cli -p 6380 sentinel slaves redis | sed 'N;s/\n/=/')
+
+#while read -r line; do
+for line in $input; do
+    case "$line" in
+    name=*) name=${line#name=} ;;
+    master-link-status=*) status=${line#master-link-status=} ;;
+    esac
+    if [ -n "$name" ] && [ -n "$status" ]; then
+        if [ "$status" = ok ]; then
+            echo "OK - $name" >> "$output"
+            ok_count=$(( ok_count + 1))
+        else
+            echo "CRITICAL - $name" >> "$output"
+            critical_count=$(( critical_count + 1))
+        fi
+        unset name status
+    fi
+done
+
+total_count=$(( ok_count + critical_count ))
+
+plural=''
+test "$total_count" -gt 1 && plural='s'
+
+if [ $ok_count -eq $total_count ]; then
+    printf "OK - %d/%d Redis Sentinel slave%s are in sync\n\n" \
+        "$ok_count" "$total_count" "$plural"
+    cat "$output"
+    exit 0
+else
+    printf "CRITICAL - %d/%d Redis Sentinal slave%s aren't in sync\n\n" \
+        "$critical_count" "$total_count" "$plural"
+    cat "$output"
+    exit 2
+fi
From 96493675b6eabc1f3b60cf53abeb6056cf2d5733 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 3 Jun 2022 10:17:20 +0200 Subject: [PATCH 3/8] fix changelog
---
 CHANGELOG.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e50f96b8..227adc5e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,8 +14,6 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed -* minifirewall: tail template follows symlinks - ### Fixed ### Removed
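Review bot: When `redis-cli` fails or prints nothing (sentinel not listening on 6380, binary missing, wrong master name), `$input` is empty, the `for` loop never runs, and the final `[ $ok_count -eq $total_count ]` compares 0 to 0 — the check prints `OK - 0/0 Redis Sentinel slave are in sync` and exits 0, reporting healthy exactly when it cannot observe anything. Guard the empty case before that comparison, e.g. `if [ "$total_count" -eq 0 ]; then echo "UNKNOWN - no Redis Sentinel slave reported (redis-cli on port 6380 failed or returned nothing)"; exit 3; fi`, and note that the `| sed` pipeline discards redis-cli's exit status, so a failed query cannot be told apart from "no slaves". The `for line in $input` loop splits on whitespace, so if any sentinel field value contains a space it becomes several words; the commented-out `while read -r line` form would handle that. Minor: `$(basename "$0")` inside the `mktemp` argument is unquoted, and the output strings misspell "synchroniation" and "Sentinal".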
@@ -36,6 +34,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * docker: Allow "live-restore" to be toggled with docker_conf_live_restore * evocheck: upstream release 22.06 +* minifirewall: tail template follows symlinks * mysql: add "set crypt_use_gpgme=no" Mutt option, for mysqltuner ## [22.05.1] 2022-05-12 From dd990fe6d57f9fe582473abc207d9fce8b6c4476 Mon Sep 17 00:00:00 2001 From: "William Hirigoyen (Evolix)" Date: Mon, 13 Jun 2022 17:37:47 +0200 Subject: [PATCH 4/8] Update changelog --- CHANGELOG.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6d85ed31..88e45d00 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -67,9 +67,14 @@ The **patch** part changes is incremented if multiple releases happen the same m * docker: Allow "live-restore" to be toggled with docker_conf_live_restore * evocheck: upstream release 22.06 +* evolinux-base: Replacement of variable `evolinux_packages_hardware` by `ansible_virtualization_role == "host"` automatize host type detection and avoids installing smartd & other on VM. * minifirewall: tail template follows symlinks * mysql: add "set crypt_use_gpgme=no" Mutt option, for mysqltuner +### Fixed + +* Role `postfix`: Add missing `localhost.localdomain localhost` to `mydestination` variable which caused undelivered of some local mails. + ## [22.05.1] 2022-05-12 ### Added From ac85efe8aa9dc02bb1baaaba6b9499fc335d0049 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Wed, 14 Dec 2022 11:01:03 +0100 Subject: [PATCH 5/8] vrrpd: Small fix to work in check mode --- vrrpd/tasks/ip.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/vrrpd/tasks/ip.yml b/vrrpd/tasks/ip.yml index 59594395..273c882e 100644 --- a/vrrpd/tasks/ip.yml +++ b/vrrpd/tasks/ip.yml 
@@ -17,4 +17,6 @@ daemon_reload: yes enabled: yes state: "{{ vrrp_address.state }}" - when: vrrp_systemd_unit is changed \ No newline at end of file + when: + - vrrp_systemd_unit is changed + - not ansible_check_mode \ No newline at end of file From 21ab9b1e68bb0dfff2848b88bd7ff65879843c24 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 14 Dec 2022 11:30:35 +0100 Subject: [PATCH 6/8] Revert ce5e4b12c68b378628f94b7aacabdec76da0b59a --- apache/tasks/main.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index 39c8db24..1a028205 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -64,7 +64,6 @@ when: apache_mpm == "prefork" or apache_mpm == "itk" tags: - apache - when: not ansible_check_mode - name: Copy Apache defaults config file @@ -134,7 +133,6 @@ when: apache_evolinux_default_enabled | bool tags: - apache - when: not ansible_check_mode - include: server_status.yml tags: @@ -160,7 +158,6 @@ when: envvar_grep_umask.rc != 0 tags: - apache - when: not ansible_check_mode - include_role: name: evolix/remount-usr From 240ccee12b37b6e7f85ad32cd128d8929319caf1 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 14 Dec 2022 11:37:38 +0100 Subject: [PATCH 7/8] Release 22.12 --- CHANGELOG.md | 47 +++++++++++++++++++++++++++++------------------ 1 file changed, 29 insertions(+), 18 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e8a249ad..1de94487 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
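Review bot: The new side of vrrpd/tasks/ip.yml still carries `\ No newline at end of file` after `- not ansible_check_mode`, so the commit keeps the missing trailing newline; add one while rewriting the `when:` block. The `not ansible_check_mode` condition also deserves a comment, since a `--check` run will now silently skip this systemd task instead of reporting the pending restart — presumably because the unit file registered in `vrrp_systemd_unit` is not written in check mode and the `systemd` module would fail on it, e.g. `# skipped in check mode: the unit file is not written yet, so systemd cannot see it`. The task's `- name:` header is outside the hunk.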
@@ -12,56 +12,67 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added -* all: Use proper keyrings directory for APT version -* all: Add signed-by option for additional APT sources +### Changed + +### Fixed + +### Removed + +### Security + +## [22.12] 2022-12-14 + +### Added + +* all: add signed-by option for additional APT sources * all: preliminary work to support Debian 12 +* all: use proper keyrings directory for APT version * evolinux-base: replace regular kernel by cloud kernel on virtual servers -* lxc-php: set php-fpm umask to 007 -* nagios-nrpe: check_ceph_* -* nagios-nrpe: check_haproxy_stats supports DRAIN status -* packweb-apache: enable log_forensic module -* varnish: create special tmp directory for syntax validation +* lxc-php: set php-fpm umask to `007` +* nagios-nrpe: `check_ceph_*` +* nagios-nrpe: `check_haproxy_stats` supports DRAIN status +* packweb-apache: enable `log_forensic` module * rabbitmq: add link in default page +* varnish: create special tmp directory for syntax validation ### Changed * certbot: auto-detect HAPEE version in renewal hook * evocheck: install script according to Debian version -* evolinux-base: utils.yml can be excluded +* evolinux-base: `utils.yml` can be excluded * evolinux-todo: execute tasks only for Debian distribution (because this task is a dependency for others roles used on different distributions) -* evolinux-user: Add sudoers privilege for check php\_fpm81 +* evolinux-user: add sudoers privilege for check `php_fpm81` * evomaintenance: allow missing API endpoint if APi is disabled * java: use default JRE package when version is not specified +* keepalived: change exit code (_warning_ if running but not on expected state ; _critical_ if not running) * listupgrade: better detection for PostgreSQL * listupgrade: sort/uniq of packages/services lists in email template * lxc-solr: detect the real partition options * lxc-solr: download URL according to Solr Version * lxc-solr: 
set homedir and port at install * minifirewall: whitelist deb.freexian.com +* openvpn: shellpki upstream release 22.12.2 +* openvpn: specifies that the mail for expirations is for OpenVPN * packweb-apache: manual dependencies resolution * redis: some values should be quoted * redis: variable to disable transparent hugepage (default: do nothing) -* squid: whitelist deb.freexian.com +* squid: whitelist `deb.freexian.com` * varnish: better package facts usage with check mode and tags * varnish: systemd override depends on Varnish version instead of Debian version -* keepalived: change exit code (warning if running but not on expected state ; critical if not running) -* openvpn: shellpki upstream release 22.12.2 -* openvpn: specifies that the mail for expirations is for OpenVPN ### Fixed -* evolinux-user: Fix sudoers privilege for check php\_fpm80 +* evolinux-user: Fix sudoers privilege for check `php_fpm80` * nagios-nrpe: Fix check opendkim for recent change in listening port -* varnish: fix missing state, that blocked the task -* proftpd: Fix format of public key files controlled by ansible -* proftpd: Fix mode of public key directory and files (they have to be accessible by proftpd:nobody) * openvpn: Fix mode of shellpki script +* proftpd: Fix format of public key files controlled by Ansible +* proftpd: Fix mode of public key directory and files (they have to be accessible by `proftpd:nobody`) +* varnish: fix missing state, that blocked the task ### Removed * openvpn: Deleted the task fixing the CRL rights since it has been fixed in upstream -### Security ## [22.09] 2022-09-19 From 0622e9ff1ee8f719e910600198c9b9557deff5db Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour Date: Wed, 14 Dec 2022 11:47:53 +0100 Subject: [PATCH 8/8] fix non-breaking spaces --- CHANGELOG.md | 2 +- evomaintenance/templates/evomaintenance.j2 | 2 +- fail2ban/templates/jail.local.j2 | 6 +++--- lxc-php/tasks/umask.yml | 10 +++++----- packweb-apache/tasks/update_userlogrotate.yml | 2 +- tomcat-instance/defaults/main.yml | 2 +- 6 files changed, 12 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1de94487..8f5e0e0c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -205,7 +205,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * minifirewall: tail template follows symlinks * mysql: add "set crypt_use_gpgme=no" Mutt option, for mysqltuner -### Fixed +### Fixed * Role `postfix`: Add missing `localhost.localdomain localhost` to `mydestination` variable which caused undelivered of some local mails. diff --git a/evomaintenance/templates/evomaintenance.j2 b/evomaintenance/templates/evomaintenance.j2 index 006d1c09..4a068fe6 100644 --- a/evomaintenance/templates/evomaintenance.j2 +++ b/evomaintenance/templates/evomaintenance.j2 @@ -11,7 +11,7 @@ FULLFROM="{{ evomaintenance_full_from }}" URGENCYFROM={{ evomaintenance_urgency_from }} URGENCYTEL="{{ evomaintenance_urgency_tel }}" REALM="{{ evomaintenance_realm }}" -API_ENDPOINT={{ evomaintenance_api_endpoint }} +API_ENDPOINT={{ evomaintenance_api_endpoint }} API_KEY={{ evomaintenance_api_key }} HOOK_API={{ evomaintenance_hook_api | bool | ternary('1','0') }} diff --git a/fail2ban/templates/jail.local.j2 b/fail2ban/templates/jail.local.j2 index 19c4f35b..3738ee33 100644 --- a/fail2ban/templates/jail.local.j2 +++ b/fail2ban/templates/jail.local.j2 @@ -38,7 +38,7 @@ bantime = {{ fail2ban_recidive_bantime }} # Evolix custom jails [wordpress-hard] -enabled = {{ fail2ban_wordpress_hard }} +enabled = {{ fail2ban_wordpress_hard }} port = http, https filter = wordpress-hard logpath = /var/log/auth.log 
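Review bot: In evomaintenance/templates/evomaintenance.j2 the rewritten line `API_ENDPOINT={{ evomaintenance_api_endpoint }}` is left unquoted, unlike `FULLFROM`, `URGENCYTEL` and `REALM` a few lines above; if the rendered file is sourced as shell (inferred from the `KEY="value"` syntax, not visible in the hunk), an endpoint URL containing `&`, `?`, `;` or whitespace breaks or is truncated at that character, and an empty variable leaves a bare `API_ENDPOINT=`. Quote it like its neighbours, `API_ENDPOINT="{{ evomaintenance_api_endpoint }}"`; the context line `API_KEY={{ evomaintenance_api_key }}` directly below has the same exposure and would benefit from the same treatment in a follow-up.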
@@ -47,7 +47,7 @@ findtime = {{ fail2ban_wordpress_hard_findtime }} bantime = {{ fail2ban_wordpress_hard_bantime }} [wordpress-soft] -enabled = {{ fail2ban_wordpress_soft }} +enabled = {{ fail2ban_wordpress_soft }} port = http, https filter = wordpress-soft logpath = /var/log/auth.log @@ -56,7 +56,7 @@ findtime = {{ fail2ban_wordpress_soft_findtime }} bantime = {{ fail2ban_wordpress_soft_bantime }} [roundcube] -enabled = {{ fail2ban_roundcube }} +enabled = {{ fail2ban_roundcube }} port = http, https filter = roundcube logpath = /var/lib/roundcube/logs/errors diff --git a/lxc-php/tasks/umask.yml b/lxc-php/tasks/umask.yml index 170851ab..8dc9039a 100644 --- a/lxc-php/tasks/umask.yml +++ b/lxc-php/tasks/umask.yml 
@@ -1,27 +1,27 @@ # Ajoute UMask=0007 à l'unité systemd PHP-FPM du conteneur LXC -# dans /etc/systemd/system/phpX.X-fpm.service.d/evolinux.conf +# dans /etc/systemd/system/phpX.X-fpm.service.d/evolinux.conf --- - name: "Définis le chemin du système de fichiers du conteneur LXC." set_fact: - lxc_rootfs_path: "/var/lib/lxc/{{ lxc_php_version }}/rootfs" + lxc_rootfs_path: "/var/lib/lxc/{{ lxc_php_version }}/rootfs" - name: "Crée des répertoires (si absents) pour surcharger la config des services PHP dans les conteneurs LXC." ansible.builtin.file: - path: "{{ lxc_rootfs_path }}/etc/systemd/system/{{ lxc_php_services[lxc_php_version] }}.d" + path: "{{ lxc_rootfs_path }}/etc/systemd/system/{{ lxc_php_services[lxc_php_version] }}.d" state: directory register: systemd_path - name: "[Service] est présent dans la surchage des services PHP-FPM des conteneurs LXC." ansible.builtin.lineinfile: - path: "{{ systemd_path.path }}/evolinux.conf" + path: "{{ systemd_path.path }}/evolinux.conf" regex: "\\[Service\\]" line: "[Service]" create: yes - name: "UMask=0007 est présent dans la surchage des services PHP-FPM des conteneurs LXC." ansible.builtin.lineinfile: - path: "{{ systemd_path.path }}/evolinux.conf" + path: "{{ systemd_path.path }}/evolinux.conf" regex: "^UMask=" line: "UMask=0007" insertafter: "\\[Service\\]" diff --git a/packweb-apache/tasks/update_userlogrotate.yml b/packweb-apache/tasks/update_userlogrotate.yml index a94080b0..1e8a6d85 100644 --- a/packweb-apache/tasks/update_userlogrotate.yml +++ b/packweb-apache/tasks/update_userlogrotate.yml @@ -9,7 +9,7 @@ - name: "Met-à-jour userlogrotate" ansible.builtin.copy: src: userlogrotate - dest: "{{ item }}" + dest: "{{ item }}" mode: "0755" loop: "{{ find_logrotate.files }}" when: find_logrotate.files | length>0 diff --git a/tomcat-instance/defaults/main.yml b/tomcat-instance/defaults/main.yml index 6a2ec877..92e68738 100644 --- a/tomcat-instance/defaults/main.yml +++ b/tomcat-instance/defaults/main.yml 
@@ -1,5 +1,5 @@
 ---
 tomcat_instance_java_path: '/usr/lib/jvm/java-7-openjdk-amd64'
 tomcat_instance_root: '/srv/tomcat'
-tomcat_instance_shutdown: "{{ tomcat_instance_port | int + 1 }}"
+tomcat_instance_shutdown: "{{ tomcat_instance_port | int + 1 }}"
 tomcat_instance_mps: 256