Merge branch 'unstable' of gitea.evolix.org:evolix/ansible-roles into unstable
All checks were successful
gitea/ansible-roles/pipeline/head This commit looks good

Bruno Tatu 2022-12-14 17:53:20 +01:00
commit ae94f979a4
8 changed files with 44 additions and 34 deletions

@ -12,56 +12,67 @@ The **patch** part changes is incremented if multiple releases happen the same m
### Added ### Added
* all: Use proper keyrings directory for APT version ### Changed
* all: Add signed-by option for additional APT sources
### Fixed
### Removed
### Security
## [22.12] 2022-12-14
### Added
* all: add signed-by option for additional APT sources
* all: preliminary work to support Debian 12 * all: preliminary work to support Debian 12
* all: use proper keyrings directory for APT version
* evolinux-base: replace regular kernel by cloud kernel on virtual servers * evolinux-base: replace regular kernel by cloud kernel on virtual servers
* lxc-php: set php-fpm umask to 007 * lxc-php: set php-fpm umask to `007`
* nagios-nrpe: check_ceph_* * nagios-nrpe: `check_ceph_*`
* nagios-nrpe: check_haproxy_stats supports DRAIN status * nagios-nrpe: `check_haproxy_stats` supports DRAIN status
* packweb-apache: enable log_forensic module * packweb-apache: enable `log_forensic` module
* varnish: create special tmp directory for syntax validation
* rabbitmq: add link in default page * rabbitmq: add link in default page
* varnish: create special tmp directory for syntax validation
### Changed ### Changed
* certbot: auto-detect HAPEE version in renewal hook * certbot: auto-detect HAPEE version in renewal hook
* evocheck: install script according to Debian version * evocheck: install script according to Debian version
* evolinux-base: utils.yml can be excluded * evolinux-base: `utils.yml` can be excluded
* evolinux-todo: execute tasks only for Debian distribution (because this task is a dependency for others roles used on different distributions) * evolinux-todo: execute tasks only for Debian distribution (because this task is a dependency for others roles used on different distributions)
* evolinux-user: Add sudoers privilege for check php\_fpm81 * evolinux-user: add sudoers privilege for check `php_fpm81`
* evomaintenance: allow missing API endpoint if APi is disabled * evomaintenance: allow missing API endpoint if APi is disabled
* java: use default JRE package when version is not specified * java: use default JRE package when version is not specified
* keepalived: change exit code (_warning_ if running but not on expected state ; _critical_ if not running)
* listupgrade: better detection for PostgreSQL * listupgrade: better detection for PostgreSQL
* listupgrade: sort/uniq of packages/services lists in email template * listupgrade: sort/uniq of packages/services lists in email template
* lxc-solr: detect the real partition options * lxc-solr: detect the real partition options
* lxc-solr: download URL according to Solr Version * lxc-solr: download URL according to Solr Version
* lxc-solr: set homedir and port at install * lxc-solr: set homedir and port at install
* minifirewall: whitelist deb.freexian.com * minifirewall: whitelist deb.freexian.com
* openvpn: shellpki upstream release 22.12.2
* openvpn: specifies that the mail for expirations is for OpenVPN
* packweb-apache: manual dependencies resolution * packweb-apache: manual dependencies resolution
* redis: some values should be quoted * redis: some values should be quoted
* redis: variable to disable transparent hugepage (default: do nothing) * redis: variable to disable transparent hugepage (default: do nothing)
* squid: whitelist deb.freexian.com * squid: whitelist `deb.freexian.com`
* varnish: better package facts usage with check mode and tags * varnish: better package facts usage with check mode and tags
* varnish: systemd override depends on Varnish version instead of Debian version * varnish: systemd override depends on Varnish version instead of Debian version
* keepalived: change exit code (warning if running but not on expected state ; critical if not running)
* openvpn: shellpki upstream release 22.12.2
* openvpn: specifies that the mail for expirations is for OpenVPN
### Fixed ### Fixed
* evolinux-user: Fix sudoers privilege for check php\_fpm80 * evolinux-user: Fix sudoers privilege for check `php_fpm80`
* nagios-nrpe: Fix check opendkim for recent change in listening port * nagios-nrpe: Fix check opendkim for recent change in listening port
* varnish: fix missing state, that blocked the task
* proftpd: Fix format of public key files controlled by ansible
* proftpd: Fix mode of public key directory and files (they have to be accessible by proftpd:nobody)
* openvpn: Fix mode of shellpki script * openvpn: Fix mode of shellpki script
* proftpd: Fix format of public key files controlled by Ansible
* proftpd: Fix mode of public key directory and files (they have to be accessible by `proftpd:nobody`)
* varnish: fix missing state, that blocked the task
### Removed ### Removed
* openvpn: Deleted the task fixing the CRL rights since it has been fixed in upstream * openvpn: Deleted the task fixing the CRL rights since it has been fixed in upstream
### Security
## [22.09] 2022-09-19 ## [22.09] 2022-09-19
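Review bot: two typos survive the move of the Unreleased entries into the new `[22.12]` section: `* evomaintenance: allow missing API endpoint if APi is disabled` should read `API`, and `a dependency for others roles` in the evolinux-todo entry should read `other roles`. Fix them in the same reorder, since both lines are being touched anyway; the rest of the section (alphabetical placement of the keepalived and openvpn entries, backticks around identifiers) matches the convention used in the older sections.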
@ -194,7 +205,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
* minifirewall: tail template follows symlinks * minifirewall: tail template follows symlinks
* mysql: add "set crypt_use_gpgme=no" Mutt option, for mysqltuner * mysql: add "set crypt_use_gpgme=no" Mutt option, for mysqltuner
### Fixed ### Fixed
* Role `postfix`: Add missing `localhost.localdomain localhost` to `mydestination` variable which caused undelivered of some local mails. * Role `postfix`: Add missing `localhost.localdomain localhost` to `mydestination` variable which caused undelivered of some local mails.

@ -64,7 +64,6 @@
when: apache_mpm == "prefork" or apache_mpm == "itk" when: apache_mpm == "prefork" or apache_mpm == "itk"
tags: tags:
- apache - apache
when: not ansible_check_mode
- name: Copy Apache defaults config file - name: Copy Apache defaults config file
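Review bot: removing the second `when:` changes behaviour, not just syntax. Ansible's YAML loader only warns on a duplicate mapping key (`DUPLICATE_YAML_DICT_KEY` defaults to `warn`) and keeps the last value, so until now this task was gated only by `not ansible_check_mode` and the `apache_mpm == "prefork" or apache_mpm == "itk"` condition was silently ignored. The fix is correct, but the task now also runs under `--check`; if it must not (for example because it runs a command), use `check_mode: false` or fold both conditions into a single `when:` list rather than a second key.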
@ -134,7 +133,6 @@
when: apache_evolinux_default_enabled | bool when: apache_evolinux_default_enabled | bool
tags: tags:
- apache - apache
when: not ansible_check_mode
- include: server_status.yml - include: server_status.yml
tags: tags:
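Review bot: same duplicate-`when` situation: with both keys present only the last one, `not ansible_check_mode`, was honoured, so `apache_evolinux_default_enabled | bool` only takes effect from this commit on. This deserves a line under Fixed in the changelog, because hosts with `apache_evolinux_default_enabled: false` will see different behaviour on their next run.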
@ -160,7 +158,6 @@
when: envvar_grep_umask.rc != 0 when: envvar_grep_umask.rc != 0
tags: tags:
- apache - apache
when: not ansible_check_mode
- include_role: - include_role:
name: evolix/remount-usr name: evolix/remount-usr
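Review bot: the dropped `when: not ansible_check_mode` was probably protecting `envvar_grep_umask.rc`: if `envvar_grep_umask` is registered by a `command`/`shell` task, that task is skipped under `--check`, the registered result carries no `rc`, and `envvar_grep_umask.rc != 0` then fails with an undefined attribute. Either mark the grep task `check_mode: false` (it is read-only, so this is safe) or write the condition as `envvar_grep_umask.rc is defined and envvar_grep_umask.rc != 0`.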

@ -11,7 +11,7 @@ FULLFROM="{{ evomaintenance_full_from }}"
URGENCYFROM={{ evomaintenance_urgency_from }} URGENCYFROM={{ evomaintenance_urgency_from }}
URGENCYTEL="{{ evomaintenance_urgency_tel }}" URGENCYTEL="{{ evomaintenance_urgency_tel }}"
REALM="{{ evomaintenance_realm }}" REALM="{{ evomaintenance_realm }}"
API_ENDPOINT={{ evomaintenance_api_endpoint }} API_ENDPOINT={{ evomaintenance_api_endpoint }}
API_KEY={{ evomaintenance_api_key }} API_KEY={{ evomaintenance_api_key }}
HOOK_API={{ evomaintenance_hook_api | bool | ternary('1','0') }} HOOK_API={{ evomaintenance_hook_api | bool | ternary('1','0') }}
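Review bot: `API_ENDPOINT` and `API_KEY` are the only values in this block left unquoted, while `FULLFROM`, `URGENCYTEL` and `REALM` are double-quoted. If this file is sourced by the evomaintenance shell script, an endpoint containing `?`, `&` or a space, or a key containing shell metacharacters, gets word-split or globbed. An empty endpoint (now allowed per the changelog entry) is harmless unquoted, but quoting both for consistency costs nothing: `API_ENDPOINT="{{ evomaintenance_api_endpoint }}"` and `API_KEY="{{ evomaintenance_api_key }}"`.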

@ -38,7 +38,7 @@ bantime = {{ fail2ban_recidive_bantime }}
# Evolix custom jails # Evolix custom jails
[wordpress-hard] [wordpress-hard]
enabled = {{ fail2ban_wordpress_hard }} enabled = {{ fail2ban_wordpress_hard }}
port = http, https port = http, https
filter = wordpress-hard filter = wordpress-hard
logpath = /var/log/auth.log logpath = /var/log/auth.log
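Review bot: both columns of this hunk, and of the identical `[wordpress-soft]` and `[roundcube]` hunks below it, render the same `port = http, https`, so the actual change is not visible here. If it is the space after the comma, check that the banaction in use tolerates it: fail2ban's own `jail.conf` writes `http,https` without a space, and the `port` value is substituted verbatim into the action's `--dports` argument, where a stray space splits the shell word. A commit message or changelog line stating what changed in these three jails would save the next reader the same guess.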
@ -47,7 +47,7 @@ findtime = {{ fail2ban_wordpress_hard_findtime }}
bantime = {{ fail2ban_wordpress_hard_bantime }} bantime = {{ fail2ban_wordpress_hard_bantime }}
[wordpress-soft] [wordpress-soft]
enabled = {{ fail2ban_wordpress_soft }} enabled = {{ fail2ban_wordpress_soft }}
port = http, https port = http, https
filter = wordpress-soft filter = wordpress-soft
logpath = /var/log/auth.log logpath = /var/log/auth.log
@ -56,7 +56,7 @@ findtime = {{ fail2ban_wordpress_soft_findtime }}
bantime = {{ fail2ban_wordpress_soft_bantime }} bantime = {{ fail2ban_wordpress_soft_bantime }}
[roundcube] [roundcube]
enabled = {{ fail2ban_roundcube }} enabled = {{ fail2ban_roundcube }}
port = http, https port = http, https
filter = roundcube filter = roundcube
logpath = /var/lib/roundcube/logs/errors logpath = /var/lib/roundcube/logs/errors

@ -1,27 +1,27 @@
# Ajoute UMask=0007 à l'unité systemd PHP-FPM du conteneur LXC # Ajoute UMask=0007 à l'unité systemd PHP-FPM du conteneur LXC
# dans /etc/systemd/system/phpX.X-fpm.service.d/evolinux.conf # dans /etc/systemd/system/phpX.X-fpm.service.d/evolinux.conf
--- ---
- name: "Définis le chemin du système de fichiers du conteneur LXC." - name: "Définis le chemin du système de fichiers du conteneur LXC."
set_fact: set_fact:
lxc_rootfs_path: "/var/lib/lxc/{{ lxc_php_version }}/rootfs" lxc_rootfs_path: "/var/lib/lxc/{{ lxc_php_version }}/rootfs"
- name: "Crée des répertoires (si absents) pour surcharger la config des services PHP dans les conteneurs LXC." - name: "Crée des répertoires (si absents) pour surcharger la config des services PHP dans les conteneurs LXC."
ansible.builtin.file: ansible.builtin.file:
path: "{{ lxc_rootfs_path }}/etc/systemd/system/{{ lxc_php_services[lxc_php_version] }}.d" path: "{{ lxc_rootfs_path }}/etc/systemd/system/{{ lxc_php_services[lxc_php_version] }}.d"
state: directory state: directory
register: systemd_path register: systemd_path
- name: "[Service] est présent dans la surchage des services PHP-FPM des conteneurs LXC." - name: "[Service] est présent dans la surchage des services PHP-FPM des conteneurs LXC."
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "{{ systemd_path.path }}/evolinux.conf" path: "{{ systemd_path.path }}/evolinux.conf"
regex: "\\[Service\\]" regex: "\\[Service\\]"
line: "[Service]" line: "[Service]"
create: yes create: yes
- name: "UMask=0007 est présent dans la surchage des services PHP-FPM des conteneurs LXC." - name: "UMask=0007 est présent dans la surchage des services PHP-FPM des conteneurs LXC."
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "{{ systemd_path.path }}/evolinux.conf" path: "{{ systemd_path.path }}/evolinux.conf"
regex: "^UMask=" regex: "^UMask="
line: "UMask=0007" line: "UMask=0007"
insertafter: "\\[Service\\]" insertafter: "\\[Service\\]"
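Review bot: writing `UMask=0007` into the drop-in has no effect until systemd inside the container re-reads its units and PHP-FPM restarts, and neither `lineinfile` task notifies a handler, so on an existing container the new umask only lands at the next unrelated restart. Add `notify` on both `lineinfile` tasks to a handler that runs `systemctl daemon-reload` and restarts `{{ lxc_php_services[lxc_php_version] }}` inside the container (through `lxc-attach`, since the unit lives in the container's rootfs). Minor: `register: systemd_path` followed by `systemd_path.path` works only because `ansible.builtin.file` echoes `path` back; a second `set_fact` holding the drop-in path would not depend on the module's return shape.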

@ -9,7 +9,7 @@
- name: "Met-à-jour userlogrotate" - name: "Met-à-jour userlogrotate"
ansible.builtin.copy: ansible.builtin.copy:
src: userlogrotate src: userlogrotate
dest: "{{ item }}" dest: "{{ item }}"
mode: "0755" mode: "0755"
loop: "{{ find_logrotate.files }}" loop: "{{ find_logrotate.files }}"
when: find_logrotate.files | length>0 when: find_logrotate.files | length>0
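Review bot: if `find_logrotate` is the registered result of `ansible.builtin.find` (the name suggests so), each `item` is a dict with `path`, `mode`, `uid` and so on, and `dest: "{{ item }}"` renders that whole dict as the destination filename; it should be `dest: "{{ item.path }}"`, ideally with `loop_control: { label: "{{ item.path }}" }` to keep the task output readable. The `when: find_logrotate.files | length>0` guard is then redundant, since looping over an empty list produces no iterations; if it is kept, put spaces around `>` for readability.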

@ -1,5 +1,5 @@
--- ---
tomcat_instance_java_path: '/usr/lib/jvm/java-7-openjdk-amd64' tomcat_instance_java_path: '/usr/lib/jvm/java-7-openjdk-amd64'
tomcat_instance_root: '/srv/tomcat' tomcat_instance_root: '/srv/tomcat'
tomcat_instance_shutdown: "{{ tomcat_instance_port | int + 1 }}" tomcat_instance_shutdown: "{{ tomcat_instance_port | int + 1 }}"
tomcat_instance_mps: 256 tomcat_instance_mps: 256
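Review bot: `tomcat_instance_java_path` still defaults to `/usr/lib/jvm/java-7-openjdk-amd64`, a JRE that no supported Debian release ships, so any instance that does not override the variable gets a non-existent `JAVA_HOME`. Prefer the distro-maintained symlink `/usr/lib/jvm/default-java` (provided by `default-jre-headless`) or derive the path from the installed `openjdk-N` package, and keep the architecture out of the default so arm64 hosts work too.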

@ -17,4 +17,6 @@
daemon_reload: yes daemon_reload: yes
enabled: yes enabled: yes
state: "{{ vrrp_address.state }}" state: "{{ vrrp_address.state }}"
when: vrrp_systemd_unit is changed when:
- vrrp_systemd_unit is changed
- not ansible_check_mode
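Review bot: the added `not ansible_check_mode` condition is justified but deserves a comment saying why: under `--check` the template registered as `vrrp_systemd_unit` reports changed without being written, yet `ansible.builtin.systemd` supports check mode and still queries the unit, so `daemon_reload`/`enabled` on a unit that does not exist yet fails because the service cannot be found. If keeping the would-be change visible in dry-run output matters more, the alternative is to leave the task runnable in check mode and add `ignore_errors: "{{ ansible_check_mode }}"` instead.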