Merge branch 'unstable' into stable
b883d63cc5
31
CHANGELOG.md
31
CHANGELOG.md
|
@ -18,6 +18,36 @@ The **patch** part changes incrementally at each release.
|
|||
|
||||
### Security
|
||||
|
||||
## [9.7.0] - 2019-01-17
|
||||
|
||||
### Added
|
||||
* apache: add Munin configuration for Apache server-status URL
|
||||
* evomaintenance: database variables must be set or the task fails
|
||||
* fail2ban: add "ips" tag added to fail2ban/tasks/ip_whitelist.yml
|
||||
* metricbeat: add a variable for the protocol to use with Elasticsearch
|
||||
* rbenv: add pkg-config to the list of packages to install
|
||||
* redis: Configure munin when working in instance mode
|
||||
* redis: add a variable for renamed/disabled commands
|
||||
* redis: add a variable to disable the restart handler
|
||||
* redis: add a variable to force a restart (even with no change)
|
||||
|
||||
### Changed
|
||||
* redis: distinction between main and master password
|
||||
* evocheck: update evocheck.sh for source install
|
||||
* php: added php-zip in the installed package list for debian 9 (and later)
|
||||
* squid: added packagist.org in the whitelist
|
||||
* java: update Oracle java package to 8u192
|
||||
|
||||
### Fixed
|
||||
* fail2ban: fix "ignoreip" update
|
||||
* metricbeat: fix username/password replacement
|
||||
* nagios-nrpe: check_process now return the error code (making the check more usefull than /bin/true)
|
||||
* nginx: Munin url config is now a template to insert the server-status prefix
|
||||
* nodejs: Update yarn repo GPG key (current key expired)
|
||||
* redis: In instance mode, ensure to replace the nrpe check_redis with the instance check script
|
||||
* redis: Don't set the owner of /var/{lib,log}/redis to a redis instance account
|
||||
|
||||
|
||||
## [9.6.0] - 2018-12-04
|
||||
|
||||
### Added
|
||||
|
@ -29,6 +59,7 @@ The **patch** part changes incrementally at each release.
|
|||
### Changed
|
||||
* minifirewall: compare config before/after (for restart condition)
|
||||
* squid: better replacement in minifirewall config
|
||||
* evoadmin-mail: complete refactoring, use Debian Package
|
||||
|
||||
## [9.5.0] - 2018-11-14
|
||||
|
||||
|
|
|
@ -39,3 +39,17 @@
|
|||
dest: /var/www/index.html
|
||||
regexp: '__SERVERSTATUS_SUFFIX__'
|
||||
replace: "{{ apache_serverstatus_suffix }}"
|
||||
|
||||
- name: Munin configuration has a section for apache
|
||||
lineinfile:
|
||||
dest: /etc/munin/plugin-conf.d/munin-node
|
||||
line: "[apache_*]"
|
||||
create: no
|
||||
|
||||
- name: apache-status URL is configured for Munin
|
||||
lineinfile:
|
||||
dest: /etc/munin/plugin-conf.d/munin-node
|
||||
line: "env.url http://127.0.0.1/server-status-{{ apache_serverstatus_suffix }}?auto"
|
||||
regexp: "env.url http://127.0.0.1/server-status"
|
||||
insertafter: "[apache_*]"
|
||||
create: no
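Review bot: `insertafter: "[apache_*]"` on the apache-status task is a regular expression, so the brackets form a character class that matches any line containing one of `a p c h e _ *`, and lineinfile inserts after the last such match rather than under the `[apache_*]` header; on a munin-node file with several plugin sections the `env.url` line can land in another plugin's section. The `regexp: "env.url http://127.0.0.1/server-status"` has the same looseness, unanchored and with unescaped dots. Escape and anchor both: `regexp: '^env\.url http://127\.0\.0\.1/server-status'` and `insertafter: '^\[apache_\*\]'`.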
|
||||
|
|
|
@ -4,8 +4,8 @@
|
|||
# Script to verify compliance of a Debian/OpenBSD server
|
||||
# powered by Evolix
|
||||
|
||||
# Repository: https://gitlab.evolix.org/evolix/evocheck
|
||||
# Commit: 956877442a3f43243fed89c491d9bdddd1ac77cd
|
||||
# Repository: https://gitea.evolix.org/evolix/evocheck
|
||||
# Commit: e6e0b8c216ed28a2ee2229e5e122ff1d49701ffc
|
||||
|
||||
# Disable LANG*
|
||||
export LANG=C
|
||||
|
@ -525,19 +525,17 @@ if [ -e /etc/debian_version ]; then
|
|||
|
||||
# Check if no package has been upgraded since $limit.
|
||||
if [ "$IS_NOTUPGRADED" = 1 ]; then
|
||||
if zgrep -hq upgrade /var/log/dpkg.log*; then
|
||||
last_upgrade=$(date +%s -d $(zgrep -h upgrade /var/log/dpkg.log* |sort -n |tail -1 |cut -f1 -d ' '))
|
||||
fi
|
||||
if grep -q '^mailto="listupgrade-todo@' /etc/evolinux/listupgrade.cnf \
|
||||
|| grep -q -E '^[[:digit:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[^\*]' /etc/cron.d/listupgrade; then
|
||||
last_upgrade=$(date +%s -d $(zgrep -h upgrade /var/log/dpkg.log* |sort -n |tail -1 |cut -f1 -d ' '))
|
||||
if grep -sq '^mailto="listupgrade-todo@' /etc/evolinux/listupgrade.cnf \
|
||||
|| grep -sq -E '^[[:digit:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[^\*]' /etc/cron.d/listupgrade; then
|
||||
# Manual upgrade process
|
||||
limit=$(date +%s -d "now - 180 days")
|
||||
else
|
||||
# Regular process
|
||||
limit=$(date +%s -d "now - 90 days")
|
||||
fi
|
||||
if [ -d /var/log/installer ]; then
|
||||
install_date=$(stat -c %Z /var/log/installer)
|
||||
if [ -f /var/log/evolinux/00_prepare_system.log ]; then
|
||||
install_date=$(stat -c %Z /var/log/evolinux/00_prepare_system.log)
|
||||
else
|
||||
install_date=0
|
||||
fi
|
||||
|
@ -591,8 +589,8 @@ if [ -e /etc/debian_version ]; then
|
|||
|
||||
if [ "$IS_BACKPORTSCONF" = 1 ]; then
|
||||
if is_debianversion stretch; then
|
||||
grep -q backports /etc/apt/sources.list && echo 'IS_BACKPORTSCONF FAILED!'
|
||||
grep -q backports /etc/apt/sources.list.d/*.list 2>/dev/null && (grep -q backports /etc/apt/preferences.d/* || echo 'IS_BACKPORTSCONF FAILED!')
|
||||
grep -qE "^[^#].*backports" /etc/apt/sources.list && echo 'IS_BACKPORTSCONF FAILED!'
|
||||
grep -qE "^[^#].*backports" /etc/apt/sources.list.d/*.list 2>/dev/null && (grep -qE "^[^#].*backports" /etc/apt/preferences.d/* || echo 'IS_BACKPORTSCONF FAILED!')
|
||||
fi
|
||||
fi
|
||||
|
||||
|
@ -988,9 +986,10 @@ fi
|
|||
|
||||
if [ "$IS_PRIVKEYWOLRDREADABLE" = 1 ]; then
|
||||
for f in /etc/ssl/private/*; do
|
||||
perms=$(stat -c "%a" $f)
|
||||
perms=$(stat -L -c "%a" $f)
|
||||
if [ ${perms: -1} != "0" ]; then
|
||||
echo 'IS_PRIVKEYWOLRDREADABLE FAILED!'
|
||||
break
|
||||
fi
|
||||
done
|
||||
fi
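Review bot: The IS_PRIVKEYWOLRDREADABLE loop still mishandles an empty `/etc/ssl/private` or a dangling symlink: the glob stays literal (or `stat -L` fails), `perms` comes back empty, and the unquoted `[ ${perms: -1} != "0" ]` turns into a test syntax error instead of a verdict, so the check neither fails nor passes cleanly; `$f` is unquoted as well. Guard and quote: `[ -e "$f" ] || continue`, `perms=$(stat -L -c "%a" "$f")`, `if [ "${perms: -1}" != "0" ]; then`. Note that only the other-bits digit is inspected, so a key readable by a broad group passes; whether that is acceptable depends on the site's policy for that directory.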
|
||||
|
|
|
@ -101,7 +101,7 @@
|
|||
line: 'SENDMAILTO="{{ logcheck_alert_email or general_alert_email | mandatory }}"'
|
||||
when: evolinux_packages_logcheck_recipient
|
||||
|
||||
- name: Deleting rpcbin and nfs-common
|
||||
- name: Deleting rpcbind and nfs-common
|
||||
apt:
|
||||
name: "{{ item }}"
|
||||
state: absent
|
||||
|
|
|
@ -16,12 +16,12 @@
|
|||
- name: "Security directives for Evolinux (Debian 10 or later)"
|
||||
blockinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS"
|
||||
block: |
|
||||
Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
|
||||
PasswordAuthentication yes
|
||||
Match Group evolix
|
||||
PasswordAuthentication no
|
||||
marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS"
|
||||
insertafter: EOF
|
||||
validate: '/usr/sbin/sshd -T -f %s'
|
||||
notify: reload sshd
|
||||
|
@ -32,10 +32,10 @@
|
|||
- name: Security directives for Evolinux (Jessie/Stretch)
|
||||
blockinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
|
||||
block: |
|
||||
Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
|
||||
PasswordAuthentication yes
|
||||
marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
|
||||
insertafter: EOF
|
||||
validate: '/usr/sbin/sshd -T -f %s'
|
||||
notify: reload sshd
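Review bot: In the Debian 10 block, sshd keeps the first value obtained for each keyword, so a member of group evolix connecting from one of `evolinux_ssh_password_auth_addresses` is granted `PasswordAuthentication yes` by the preceding `Match Address` block and the `Match Group evolix` / `PasswordAuthentication no` pair never applies to that session. If the intent is that evolix accounts always authenticate with keys regardless of source address, the Group block must come first inside the `block:` scalar, with the Address block after it. A comment above the block would keep that from being reshuffled later: `# order matters: sshd applies the first matching value per keyword`. The `validate: '/usr/sbin/sshd -T -f %s'` should also reject an empty address list, which is a useful backstop to keep.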
|
||||
|
|
|
@ -3,6 +3,14 @@
|
|||
- set_fact:
|
||||
minifirewall_restart_handler_name: "{{ minifirewall_restart_if_needed | ternary('restart minifirewall', 'restart minifirewall (noop)') }}"
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- evomaintenance_pg_passwd is not none
|
||||
- evomaintenance_pg_db is not none
|
||||
- evomaintenance_pg_table is not none
|
||||
- evomaintenance_pg_host is not none
|
||||
msg: evomaintenance database variables must be set
|
||||
|
||||
- include: install_package_debian.yml
|
||||
when:
|
||||
- not evomaintenance_install_vendor
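Review bot: The new `assert` only tests `is not none`, which an empty string passes, and a variable that is not defined at all appears to pass too, because the Jinja `none` test receives an Undefined object rather than `None`. Since the `| mandatory` filters were dropped from the template in the same change, that leaves no hard stop for a missing database password. Use `- evomaintenance_pg_passwd is defined and evomaintenance_pg_passwd is not none and evomaintenance_pg_passwd | length > 0`, and the same shape for the db, table and host variables. Assert messages do not echo the values, so no `no_log` is needed here.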
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
HOSTNAME={{ evomaintenance_hostname }}
|
||||
EVOMAINTMAIL={{ evomaintenance_alert_email or general_alert_email | mandatory }}
|
||||
|
||||
export PGPASSWORD={{ evomaintenance_pg_passwd | mandatory }}
|
||||
export PGPASSWORD={{ evomaintenance_pg_passwd }}
|
||||
|
||||
PGDB={{ evomaintenance_pg_db | mandatory }}
|
||||
PGTABLE={{ evomaintenance_pg_table | mandatory }}
|
||||
PGHOST={{ evomaintenance_pg_host | mandatory }}
|
||||
PGDB={{ evomaintenance_pg_db }}
|
||||
PGTABLE={{ evomaintenance_pg_table }}
|
||||
PGHOST={{ evomaintenance_pg_host }}
|
||||
FROM={{ evomaintenance_from }}
|
||||
FULLFROM="{{ evomaintenance_full_from }}"
|
||||
URGENCYFROM={{ evomaintenance_urgency_from }}
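Review bot: `export PGPASSWORD={{ evomaintenance_pg_passwd }}` writes the password unquoted into a file that is sourced by the shell, so a value containing a space, `;`, `$` or a glob character is split, expanded or executed rather than exported verbatim; `PGDB`, `PGTABLE` and `PGHOST` are written the same way. Single-quote the value and escape embedded quotes: `export PGPASSWORD='{{ evomaintenance_pg_passwd | replace("'", "'\\''") }}'`. The task that installs this template is outside the hunk; it should give the file a root-only mode, since the database credential now sits here with no other protection visible.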
|
||||
|
|
|
@ -1,10 +1,15 @@
|
|||
---
|
||||
|
||||
- set_fact:
|
||||
fail2ban_ignore_ips: "{{ ['127.0.0.1/8'] | union(fail2ban_default_ignore_ips) | union(fail2ban_additional_ignore_ips) | unique }}"
|
||||
|
||||
- name: Update ignoreips lists
|
||||
ini_file:
|
||||
dest: /etc/fail2ban/jail.local
|
||||
section: "[DEFAULT]"
|
||||
option: "ignoreips"
|
||||
section: "DEFAULT"
|
||||
option: "ignoreip"
|
||||
value: "{{ fail2ban_ignore_ips | join(' ') }}"
|
||||
notify: restart fail2ban
|
||||
tags:
|
||||
- fail2ban
|
||||
- ips
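Review bot: The `set_fact` at the top of ip_whitelist.yml carries no tags while the ini_file task below it is tagged `fail2ban` and `ips`, so a run limited with `--tags ips` (the purpose of the new tag) skips the fact and the `value:` expression fails on an undefined `fail2ban_ignore_ips`, unless the enclosing include passes its tags down, which I cannot see from here. Give the fact the same tags: `tags: [fail2ban, ips]`. The `| unique` after two `union` calls is redundant, since union already de-duplicates.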
|
|
@ -13,10 +13,12 @@
|
|||
- "/etc/fail2ban"
|
||||
- "/etc/fail2ban/filter.d"
|
||||
tags:
|
||||
- fail2ban
|
||||
- fail2ban
|
||||
|
||||
- set_fact:
|
||||
fail2ban_ignore_ips: "{{ fail2ban_default_ignore_ips | union(fail2ban_additional_ignore_ips) | unique }}"
|
||||
fail2ban_ignore_ips: "{{ ['127.0.0.1/8'] | union(fail2ban_default_ignore_ips) | union(fail2ban_additional_ignore_ips) | unique }}"
|
||||
tags:
|
||||
- fail2ban
|
||||
|
||||
- name: local jail is installed
|
||||
template:
|
||||
|
@ -26,7 +28,7 @@
|
|||
force: no
|
||||
notify: restart fail2ban
|
||||
tags:
|
||||
- fail2ban
|
||||
- fail2ban
|
||||
|
||||
- name: Include ignoredips update task
|
||||
include: ip_whitelist.yml
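Review bot: `fail2ban_ignore_ips` is now computed twice with the same expression, once in this file and again at the top of ip_whitelist.yml, so the copy here is dead weight and the two can drift apart the next time one is edited. Keep a single definition next to the task that consumes it, in ip_whitelist.yml, and delete this `set_fact`. If `include: ip_whitelist.yml` is meant to be runnable on its own with `--tags ips`, it needs `tags: [fail2ban, ips]` too; the include sits at the end of the hunk and any tags on it are outside my view.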
|
||||
|
|
|
@ -23,19 +23,19 @@
|
|||
|
||||
- name: Get Oracle jre archive
|
||||
get_url:
|
||||
url: 'http://download.oracle.com/otn-pub/java/jdk/8u172-b11/a58eab1ec242421181065cdc37240b08/jre-8u172-linux-x64.tar.gz'
|
||||
url: 'https://download.oracle.com/otn-pub/java/jdk/8u192-b12/750e1c8617c5452694857ad95c3ee230/server-jre-8u192-linux-x64.tar.gz'
|
||||
dest: '/srv/java-package/src/'
|
||||
checksum: 'sha256:f08f25aec2bdc86138ccba8fd5b904451e3afa1d24a88c85f28c2d84bfd45bad'
|
||||
checksum: 'sha256:3d811a5ec65dc6fc261f488757bae86ecfe285a79992363b016f60cdb4dbe7e6'
|
||||
headers: 'Cookie: oraclelicense=accept-securebackup-cookie'
|
||||
mode: "0644"
|
||||
tags:
|
||||
- java
|
||||
|
||||
- name: Make Debian package from Oracle JDK archive
|
||||
shell: "yes | TMPDIR=/srv/java-package/tmp make-jpkg /srv/java-package/src/jre-8u172-linux-x64.tar.gz"
|
||||
shell: "yes | TMPDIR=/srv/java-package/tmp make-jpkg /srv/java-package/src/server-jre-8u192-linux-x64.tar.gz"
|
||||
args:
|
||||
chdir: /srv/java-package
|
||||
creates: /srv/java-package/oracle-java8-jre_8u172_amd64.deb
|
||||
creates: /srv/java-package/oracle-java8-server-jre_8u192_amd64.deb
|
||||
become: False
|
||||
tags:
|
||||
- java
|
||||
|
@ -45,14 +45,14 @@
|
|||
|
||||
- name: Install java package
|
||||
apt:
|
||||
deb: /srv/java-package/oracle-java8-jre_8u172_amd64.deb
|
||||
deb: /srv/java-package/oracle-java8-server-jre_8u192_amd64.deb
|
||||
tags:
|
||||
- java
|
||||
|
||||
- name: This openjdk version is the default alternative
|
||||
alternatives:
|
||||
name: java
|
||||
path: "/usr/lib/jvm/jre-{{ java_version }}-oracle-x64/bin/java"
|
||||
path: "/usr/lib/jvm/oracle-java{{ java_version }}-server-jre-amd64/bin/java"
|
||||
when: java_default_alternative
|
||||
tags:
|
||||
- java
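Review bot: The release is hard-coded as `8u192` in the URL, the make-jpkg argument and the `creates:`/`deb:` paths, while the alternatives task derives its path from `{{ java_version }}`; the next bump has to touch all of them in step, and a mismatch is only noticed when `creates:` silently short-circuits the build. Lift the update number into a role variable (the URL keeps its per-release path component) and template the four paths from it. The `checksum: 'sha256:…'` pin is the only integrity control on this download visible here, so it must be changed together with the URL every time.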
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
---
|
||||
elastic_stack_version: "6.x"
|
||||
|
||||
metricbeat_elasticsearch_protocol: ""
|
||||
metricbeat_elasticsearch_hosts:
|
||||
- "localhost:9200"
|
||||
metricbeat_elasticsearch_auth_username: ""
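Review bot: `metricbeat_elasticsearch_protocol: ""` has no comment explaining what the consuming task accepts, and from that task only `http` and `https` have an effect, with any other value silently ignored. Add `# "http" or "https"; empty leaves the protocol line in metricbeat.yml untouched` above it so operators know that, for example, `HTTPS` or `tls` will do nothing.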
|
||||
|
|
|
@ -50,6 +50,15 @@
|
|||
when:
|
||||
- metricbeat_elasticsearch_hosts
|
||||
|
||||
- name: Metricbeat protocol for Elasticsearch
|
||||
lineinfile:
|
||||
dest: /etc/metricbeat/metricbeat.yml
|
||||
regexp: '^ #?protocol: .*'
|
||||
line: " protocol: \"{{ metricbeat_elasticsearch_protocol }}\""
|
||||
insertafter: "output.elasticsearch:"
|
||||
notify: restart metricbeat
|
||||
when: metricbeat_elasticsearch_protocol == "http" or metricbeat_elasticsearch_protocol == "https"
|
||||
|
||||
- name: Metricbeat auth/username for Elasticsearch are configured
|
||||
lineinfile:
|
||||
dest: /etc/metricbeat/metricbeat.yml
|
||||
|
@ -57,8 +66,8 @@
|
|||
line: '{{ item.line }}'
|
||||
insertafter: "output.elasticsearch:"
|
||||
with_items:
|
||||
- { regexp: '^ #username: .*', line: ' username: "{{ metricbeat_elasticsearch_auth_username }}"' }
|
||||
- { regexp: '^ #password: .*', line: ' password: "{{ metricbeat_elasticsearch_auth_password }}"' }
|
||||
- { regexp: '^ #?username: .*', line: ' username: "{{ metricbeat_elasticsearch_auth_username }}"' }
|
||||
- { regexp: '^ #?password: .*', line: ' password: "{{ metricbeat_elasticsearch_auth_password }}"' }
|
||||
notify: restart metricbeat
|
||||
when:
|
||||
- metricbeat_elasticsearch_auth_username != ""
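Review bot: The username/password task loops over items whose `line` contains `{{ metricbeat_elasticsearch_auth_password }}`, and Ansible prints each loop item in the task result, so the Elasticsearch password ends up in playbook output and any log that captures it; add `no_log: True` to that task, which also keeps `--diff` from printing the line. The new protocol task is silently skipped for any value other than `http`/`https`, so a typo such as `HTTPS` leaves the previous protocol in place without warning; an `assert` with `that: metricbeat_elasticsearch_protocol in ['', 'http', 'https']` ahead of it would catch that.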
|
||||
|
|
|
@ -26,9 +26,9 @@
|
|||
- name: Begin marker for IP addresses
|
||||
lineinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
create: no
|
||||
line: "# BEGIN ANSIBLE MANAGED BLOCK FOR IPS"
|
||||
insertbefore: '^# Main interface'
|
||||
create: no
|
||||
|
||||
- name: End marker for IP addresses
|
||||
lineinfile:
|
||||
|
@ -47,7 +47,6 @@
|
|||
- name: Configure IP addresses
|
||||
blockinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
create: no
|
||||
marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS"
|
||||
content: |
|
||||
# Main interface
|
||||
|
@ -66,26 +65,26 @@
|
|||
# Privilegied IPv4 addresses for semi-public services
|
||||
# (no need to add again TRUSTEDIPS)
|
||||
PRIVILEGIEDIPS='{{ minifirewall_privilegied_ips | join(' ') }}'
|
||||
create: no
|
||||
register: minifirewall_config_ips
|
||||
|
||||
- name: Begin marker for ports
|
||||
lineinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
create: no
|
||||
line: "# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS"
|
||||
insertbefore: '^# Protected services'
|
||||
create: no
|
||||
|
||||
- name: End marker for ports
|
||||
lineinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
create: no
|
||||
line: "# END ANSIBLE MANAGED BLOCK FOR PORTS"
|
||||
insertafter: '^SERVICESUDP3='
|
||||
create: no
|
||||
|
||||
- name: Configure ports
|
||||
blockinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
create: no
|
||||
marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS"
|
||||
content: |
|
||||
# Protected services
|
||||
|
@ -104,70 +103,71 @@
|
|||
# Private services (IPv4)
|
||||
SERVICESTCP3='{{ minifirewall_private_ports_tcp | join(' ') }}'
|
||||
SERVICESUDP3='{{ minifirewall_private_ports_udp | join(' ') }}'
|
||||
create: no
|
||||
register: minifirewall_config_ports
|
||||
|
||||
- name: Configure DNSSERVEURS
|
||||
lineinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
create: no
|
||||
line: "DNSSERVEURS='{{ minifirewall_dns_servers | join(' ') }}'"
|
||||
regexp: "DNSSERVEURS='.*'"
|
||||
create: no
|
||||
when: minifirewall_dns_servers is not none
|
||||
|
||||
- name: Configure HTTPSITES
|
||||
lineinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
create: no
|
||||
line: "HTTPSITES='{{ minifirewall_http_sites | join(' ') }}'"
|
||||
regexp: "HTTPSITES='.*'"
|
||||
create: no
|
||||
when: minifirewall_http_sites is not none
|
||||
|
||||
- name: Configure HTTPSSITES
|
||||
lineinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
create: no
|
||||
line: "HTTPSSITES='{{ minifirewall_https_sites | join(' ') }}'"
|
||||
regexp: "HTTPSSITES='.*'"
|
||||
create: no
|
||||
when: minifirewall_https_sites is not none
|
||||
|
||||
- name: Configure FTPSITES
|
||||
lineinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
create: no
|
||||
line: "FTPSITES='{{ minifirewall_ftp_sites | join(' ') }}'"
|
||||
regexp: "FTPSITES='.*'"
|
||||
create: no
|
||||
when: minifirewall_ftp_sites is not none
|
||||
|
||||
- name: Configure SSHOK
|
||||
lineinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
create: no
|
||||
line: "SSHOK='{{ minifirewall_ssh_ok | join(' ') }}'"
|
||||
regexp: "SSHOK='.*'"
|
||||
create: no
|
||||
when: minifirewall_ssh_ok is not none
|
||||
|
||||
- name: Configure SMTPOK
|
||||
lineinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
create: no
|
||||
line: "SMTPOK='{{ minifirewall_smtp_ok | join(' ') }}'"
|
||||
regexp: "SMTPOK='.*'"
|
||||
create: no
|
||||
when: minifirewall_smtp_ok is not none
|
||||
|
||||
- name: Configure SMTPSECUREOK
|
||||
lineinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
create: no
|
||||
line: "SMTPSECUREOK='{{ minifirewall_smtp_secure_ok | join(' ') }}'"
|
||||
regexp: "SMTPSECUREOK='.*'"
|
||||
create: no
|
||||
when: minifirewall_smtp_secure_ok is not none
|
||||
|
||||
- name: Configure NTPOK
|
||||
lineinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
create: no
|
||||
line: "NTPOK='{{ minifirewall_ntp_ok | join(' ') }}'"
|
||||
regexp: "NTPOK='.*'"
|
||||
create: no
|
||||
when: minifirewall_ntp_ok is not none
|
||||
|
||||
- name: evomaintenance
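Review bot: All eight `Configure …` tasks use an unanchored `regexp` such as `"DNSSERVEURS='.*'"`, and lineinfile rewrites the last matching line, so a commented example like `#DNSSERVEURS='…'` placed after the active assignment in `minifirewall_main_file` would be edited instead of the real one, leaving the firewall's allow-lists unchanged while the play reports success. Anchor each pattern to the line start: `regexp: "^DNSSERVEURS='.*'"`, and likewise `^HTTPSITES=`, `^HTTPSSITES=`, `^FTPSITES=`, `^SSHOK=`, `^SMTPOK=`, `^SMTPSECUREOK=`, `^NTPOK=`. The `register:` results added on the two blockinfile tasks are consumed outside this hunk, so I cannot confirm the restart condition built on them.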
|
||||
|
|
|
@ -77,6 +77,7 @@
|
|||
- name: adjustments for grsec kernel
|
||||
blockinfile:
|
||||
dest: /etc/munin/plugin-conf.d/munin-node
|
||||
marker: "# {mark} ANSIBLE MANAGED GRSECURITY CUSTOMIZATIONS"
|
||||
block: |
|
||||
|
||||
[processes]
|
||||
|
|
|
@ -5,3 +5,5 @@ for proc in cron rsyslogd ntpd munin-node; do
|
|||
sudo /usr/lib/nagios//plugins/check_procs -C $proc -c 1:
|
||||
rc=$(($rc|$?))
|
||||
done
|
||||
|
||||
exit $rc
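Review bot: `rc=$(($rc|$?))` combines Nagios return codes with a bitwise OR, so a WARNING (1) from one process and a CRITICAL (2) from another yields 3, which NRPE reports as UNKNOWN, demoting a real CRITICAL. Nagios semantics want the highest code to win: `ret=$?` then `[ "$ret" -gt "$rc" ] && rc=$ret`, capturing `$?` first because the test itself overwrites it. The `for` loop and the initialisation of `rc` begin before this hunk; `rc` must start at 0 for either form to work.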
|
||||
|
|
|
@ -1,2 +0,0 @@
|
|||
[nginx_*]
|
||||
env.url http://munin/nginx_status
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
|
||||
- name: Copy Munin config for Nginx
|
||||
copy:
|
||||
template:
|
||||
src: munin/evolinux.nginx
|
||||
dest: /etc/munin/plugin-conf.d/
|
||||
mode: "0644"
|
||||
|
|
|
@ -0,0 +1,2 @@
|
|||
[nginx_*]
|
||||
env.url http://munin/nginx_status-{{ nginx_serverstatus_suffix }}
|
|
@ -147,6 +147,40 @@ r16Zyn6mxYWEHn9HXMh3b+2IYKFFXHffbIBq/mfibDnZtQBrZpn2uyh6F2ZuOsZh
|
|||
0LTD7RL53KV3fi90nS00Gs1kbMkPycL1JLqvYQDpllE2oZ1dKDYkwivGyDQhRNfE
|
||||
RL6JkjyiSxfZ2c84r2HPgnJTi/WBplloQkM+2NfXrBo6kLHSC6aBndRKk2UmUhrU
|
||||
luGcQUyfzYRFH5kVueIYfDaBPus9gb+sjnViFRpqVjefwlXSJEDHWP3Cl2cuo2mJ
|
||||
jeDghj400U6pjSUW3bIC/PI=
|
||||
=gZNT
|
||||
jeDghj400U6pjSUW3bIC/PK5Ag0EXCxEEQEQAKVjsdljwPDGO+48879LDa1d7GEu
|
||||
/Jm9HRK6INCQiSiS/0mHkeKa6t4DRgCY2ID9lFiegx2Er+sIgL0chs16XJrFO21u
|
||||
kw+bkBdm2HYUKSsUFmr/bms8DkmAM699vRYVUAzO9eXG/g8lVrAzlb3RT7eGHYKd
|
||||
15DT5KxXDQB+T+mWE9qD5RJwEyPjSU+4WjYF+Rr9gbSuAt5UySUb9jTR5HRNj9wt
|
||||
b4YutfP9jbfqy8esQVG9R/hpWKb2laxvn8Qc2Xj93qNIkBt/SILfx9WDJl0wNUmu
|
||||
+zUwpiC2wrLFTgNOpq7g9wRPtg5mi8MXExWwSF2DlD54yxOOAvdVACJFBXEcstQ3
|
||||
SWg8gxljG8eLMpDjwoIBax3DZwiYZjkjJPeydSulh8vKoFBCQkf2PcImXdOk2HqO
|
||||
V1L7FROM6fKydeSLJbx17SNjVdQnq1OsyqSO0catAFNptMHBsN+tiCI29gpGegao
|
||||
umV9cnND69aYvyPBgvdtmzPChjSmc6rzW1yXCJDm2qzwm/BcwJNXW5B3EUPxc0qS
|
||||
Wste9fUna0G4l/WMuaIzVkuTgXf1/r9HeQbjtxAztxH0d0VgdHAWPDkUYmztcZ4s
|
||||
d0PWkVa18qSrOvyhI96gCzdvMRLX17m1kPvP5PlPulvqizjDs8BScqeSzGgSbbQV
|
||||
m5Tx4w2uF4/n3FBnABEBAAGJBEQEGAECAA8FAlwsRBECGwIFCQIKEgACKQkQFkaw
|
||||
G4blAxDBXSAEGQECAAYFAlwsRBEACgkQI+cWZ4i2Ph6B0g//cPis3v2M6XvAbVoM
|
||||
3GIMXnsVj1WAHuwA/ja7UfZJ9+kV/PiMLkAbW0fBj0/y0O3Ry12VVQGXhC+Vo4j6
|
||||
C8qwFP4OXa6EsxHXuvWMIztBaX1Kav613aXBtxp6tTrud0FFUh4sDc1RREb3tMr6
|
||||
y5cvFJgnrdWcX1gsl6ODcgWBGNc6ZX7H7j48hMR6KmNeZocW7p8W+BgDQJqXYwVN
|
||||
L15qOHzVAh0dWsFLE9gwBTmDCY03x9arxSNDGCXyxt6E77LbNVIoSRlEbkvi6j33
|
||||
nEbuERICYl6CltXQCyiVKjheJcLMjbgv5+bLCv2zfeJ/WyOmOGKpHRu+lBV1Gvli
|
||||
RxUblVlmjWPhYPBZXGyjII16Tqr+ilREcZFW+STccbrVct75JWLbxwlEmix+W1Hw
|
||||
SRCR+KHx3Cur4ZPMOBlPsFilOOsNa7ROUB56t7zv21Ef3BeeaCd9c4kzNGN8d1ic
|
||||
EqSXoWWPqgST0LZPtZyqWZVnWrHChVHfrioxhSnw8O3wY1A2GSahiCSvvjvOeEoJ
|
||||
yU21ZMw6AVyHCh6v42oYadBfGgFwNo5OCMhNxNy/CcUrBSDqyLVTM5QlNsT75Ys7
|
||||
kHHnc+Jk+xx4JpiyNCz5LzcPhlwpqnJQcjJdY1hDhK75Ormj/NfCMeZ8g1aVPX4x
|
||||
Eq8AMyZYhZ5/lmM+13Rdv8ZW6FK7HQ/+IAKzntxOjw0MzCXkksKdmIOZ2bLeOVI8
|
||||
aSLaUmoT5CLuoia9g7iFHlYrSY+01riRrAaPtYx0x8onfyVxL9dlW/Fv5+qc1fF5
|
||||
FxdhyIgdqgzm82TnXHu/haUxYmUvNrbsmmNl5UTTOf+YQHMccKFdYfZ2rCBtbN2n
|
||||
iXG1tuz2+k83pozu4mJ1rOOLNAsQoY3yR6OODte1FyOgp7blwDhTIoQb8/UiJ7CM
|
||||
BI3OPrfoXFAnhYoxeRSAN4UFu9/HIkqfaQgRPCZS1gNerWF6r6yz9AZWUZqjSJss
|
||||
jBqXCtK9bGbTYBZk+pw3H9Nd0RJ2WJ9qPqmlmUr1wdqct0ChsJx1xAT86QrssicJ
|
||||
/HFFmF45hlnGkHUBWLaVJt8YkLb/DqOIbVbwyCLQtJ80VQLEeupfmu5QNsTpntRY
|
||||
NKf8cr00uc8vSYXYFRxa5H5oRT1eoFEEjDDvokNnHXfT+Hya44IjYpzaqvAgeDp6
|
||||
sYlOdtWIv/V3s+trxACwTkRN7zw3lLTbT8PK9szK0fYZ5KHG1/AKH+mbZ6qNc/25
|
||||
PNbAFRtttLGuEIC3HJ12IAp2JdjioeD2OnWLu4ZeCT2CKKFsleZPrSyCrn3gyZPm
|
||||
fYvv5h2JbQNO6uweOrZENWX5SU43OBoplbuKJZsMP6p6NahuGnIeJLlv509JYAf/
|
||||
HN4ARyvvOpM=
|
||||
=SQ7t
|
||||
-----END PGP PUBLIC KEY BLOCK-----
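Review bot: A change to a repository signing key should record, in the commit message or the CHANGELOG entry, the fingerprint of the key now shipped and where it was verified against the Yarn project's published key, so reviewers can check it instead of trusting the armored blob; that is missing here. The new block shares its prefix with the old one and diverges after `jeDghj400U6pjSUW3bIC/P`, which looks like the same primary key with an added subkey and self-signature rather than a brand-new key, but that is an inference from the armor — confirm with `gpg --show-keys` on both versions. A comment cannot live inside an armored block, so the provenance note belongs in the role's README or the CHANGELOG.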
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
- fail:
|
||||
msg: only compatible with Debian >= 8
|
||||
when:
|
||||
- ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<')
|
||||
- ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<')
|
||||
|
||||
- name: install info.php
|
||||
copy:
|
||||
|
@ -23,9 +23,9 @@
|
|||
state: "{{ item.state }}"
|
||||
mode: "{{ item.mode }}"
|
||||
with_items:
|
||||
- { path: log, mode: "0750", state: directory }
|
||||
- { path: awstats, mode: "0750", state: directory }
|
||||
- { path: www, mode: "0750", state: directory }
|
||||
- { path: log, mode: "0750", state: directory }
|
||||
- { path: awstats, mode: "0750", state: directory }
|
||||
- { path: www, mode: "0750", state: directory }
|
||||
|
||||
- name: Apache log file (templates) are present
|
||||
command: "touch /etc/skel/log/{{ item }}"
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
- php-gettext
|
||||
- php-curl
|
||||
- php-ssh2
|
||||
- php-zip
|
||||
- composer
|
||||
- libphp-phpmailer
|
||||
|
||||
|
|
|
@ -14,6 +14,7 @@
|
|||
- libxml2-dev
|
||||
- libxslt1-dev
|
||||
- zlib1g-dev
|
||||
- pkg-config
|
||||
tags:
|
||||
- rbenv
|
||||
- packages
|
||||
|
@ -78,10 +79,10 @@
|
|||
- name: "Rbenv is initialized in profile for {{ username }}"
|
||||
blockinfile:
|
||||
dest: '~{{ username }}/.profile'
|
||||
marker: "# {mark} ANSIBLE MANAGED RBENV INIT"
|
||||
block: |
|
||||
export PATH="{{ rbenv_root }}/bin:$PATH"
|
||||
eval "$(rbenv init -)"
|
||||
marker: "# {mark} ANSIBLE MANAGED RBENV INIT"
|
||||
become_user: "{{ username }}"
|
||||
become: yes
|
||||
tags:
|
||||
|
|
|
@ -8,7 +8,10 @@ redis_unixsocket: '/var/run/redis/redis.sock'
|
|||
redis_pidfile: "/var/run/redis/{{ redis_daemon }}.pid"
|
||||
redis_timeout: 300
|
||||
|
||||
# for client authorization
|
||||
redis_password: NULL
|
||||
# for slave authorization on master
|
||||
redis_password_master: "{{ redis_password }}"
|
||||
|
||||
redis_loglevel: "notice"
|
||||
redis_logfile: /var/log/redis/redis-server.log
|
||||
|
@ -37,3 +40,8 @@ redis_protected_mode: "yes"
|
|||
|
||||
# Add extra include files for local configuration/overrides.
|
||||
redis_includes: []
|
||||
|
||||
redis_restart_if_needed: True
|
||||
redis_restart_force: False
|
||||
|
||||
redis_disabled_commands: []
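Review bot: `redis_disabled_commands: []` and `redis_password_master` are added without comments, and the consuming template turns each entry of the list into `rename-command NAME ""`, which disables the command outright rather than renaming it. A note saves the next reader a trip to the template: `# each entry is emitted as 'rename-command NAME ""', i.e. the command is disabled, not renamed` (typical candidates are FLUSHALL, CONFIG and DEBUG). For `redis_password_master`, say that it is the password a replica sends to its master as `masterauth` and that it defaults to the instance's own `redis_password`.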
|
||||
|
|
|
@ -4,6 +4,11 @@
|
|||
name: "{{ redis_daemon }}"
|
||||
state: restarted
|
||||
|
||||
- name: restart redis (noop)
|
||||
meta: noop
|
||||
failed_when: False
|
||||
changed_when: False
|
||||
|
||||
- name: restart munin-node
|
||||
service:
|
||||
name: munin-node
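Review bot: `failed_when: False` and `changed_when: False` on the `restart redis (noop)` handler have no effect on a `meta:` task as far as I know, and `meta: noop` is documented as an internal value not recommended for general use, so the handler works only by accident of the current Ansible version. A `debug` task is explicit and survives upgrades: `debug: msg: "redis restart requested but redis_restart_if_needed is false"` with `changed_when: False`. The `restart munin-node` handler at the end of the hunk continues outside it.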
|
||||
|
|
|
@ -52,6 +52,17 @@
|
|||
tags:
|
||||
- redis
|
||||
|
||||
- name: Ensure redis base folders will be accessible for all instances
|
||||
file:
|
||||
dest: "{{ item }}"
|
||||
state: directory
|
||||
mode: "0755"
|
||||
owner: "redis"
|
||||
group: "redis"
|
||||
with_items:
|
||||
- "/var/lib/redis"
|
||||
- "/var/log/redis"
|
||||
|
||||
- name: Instances directories are present
|
||||
file:
|
||||
dest: "{{ item }}"
|
||||
|
@ -60,9 +71,7 @@
|
|||
owner: "redis-{{ redis_instance_name }}"
|
||||
group: "redis-{{ redis_instance_name }}"
|
||||
with_items:
|
||||
- "/var/lib/redis"
|
||||
- "{{ redis_dbdir }}"
|
||||
- "/var/log/redis"
|
||||
- "{{ redis_logfile | dirname }}"
|
||||
tags:
|
||||
- redis
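Review bot: The new task makes `/var/lib/redis` and `/var/log/redis` world-readable (`0755`), but a `redis-<instance>` account only needs search permission on the parent to reach its own `{{ redis_dbdir }}` and log directory, not the ability to list every other instance's dump and log names (or a non-instance `dump.rdb`, if one also lives directly in `/var/lib/redis`). `mode: "0751"` (or `"0711"` if the redis group needs nothing either) satisfies the instance users with less exposure; the files keep their own modes, which is why listing rather than reading is the concern. The task comment should state the reason for the loosening: `# instance users (redis-<name>) must be able to traverse these`.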
|
||||
|
|
|
@ -1,4 +1,8 @@
|
|||
---
|
||||
|
||||
- set_fact:
|
||||
redis_restart_handler_name: "{{ redis_restart_if_needed | ternary('restart redis', 'restart redis (noop)') }}"
|
||||
|
||||
- name: Redis is installed.
|
||||
apt:
|
||||
name: "{{ item }}"
|
||||
|
@ -32,7 +36,7 @@
|
|||
src: redis.conf.j2
|
||||
dest: "{{ redis_conf_path }}"
|
||||
mode: "0644"
|
||||
notify: restart redis
|
||||
notify: "{{ redis_restart_handler_name }}"
|
||||
when: redis_instance_name is not defined
|
||||
tags:
|
||||
- redis
|
||||
|
@ -55,7 +59,19 @@
|
|||
- munin
|
||||
|
||||
- include: munin.yml
|
||||
when: _munin_installed.stat.exists and _munin_installed.stat.isdir
|
||||
when:
|
||||
- _munin_installed.stat.exists
|
||||
- _munin_installed.stat.isdir
|
||||
- redis_instance_name is not defined
|
||||
tags:
|
||||
- redis
|
||||
- munin
|
||||
|
||||
- include: munin-instances.yml
|
||||
when:
|
||||
- _munin_installed.stat.exists
|
||||
- _munin_installed.stat.isdir
|
||||
- redis_instance_name is defined
|
||||
tags:
|
||||
- redis
|
||||
- munin
|
||||
|
@ -74,3 +90,8 @@
|
|||
tags:
|
||||
- redis
|
||||
- nrpe
|
||||
|
||||
- name: Force restart redis
|
||||
command: /bin/true
|
||||
notify: restart redis
|
||||
when: redis_restart_force
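Review bot: The template task above installs `{{ redis_conf_path }}` with `mode: "0644"`, and that file now carries `requirepass` and `masterauth` in clear (see redis.conf.j2 in this same change), so every local account can read the Redis password; the Debian package ships redis.conf as 0640 redis:redis for that reason, if I recall correctly. Set `mode: "0640"`, `owner: redis`, `group: redis` on the task, and the same with the `redis-<instance>` owner on the instance variant if one exists outside the hunk. The new `Force restart redis` task deliberately bypasses `redis_restart_handler_name`, which is fine, but a comment saying so (`# intentionally ignores redis_restart_if_needed`) would stop someone from "fixing" it.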
|
||||
|
|
|
@ -0,0 +1,61 @@
|
|||
---
|
||||
- name: Install munin check dependencies
|
||||
apt:
|
||||
name: libswitch-perl
|
||||
state: present
|
||||
tags:
|
||||
- redis
|
||||
|
||||
- include_role:
|
||||
name: remount-usr
|
||||
tags:
|
||||
- redis
|
||||
|
||||
- name: Create plugin directory
|
||||
file:
|
||||
name: /usr/local/share/munin/
|
||||
state: directory
|
||||
mode: "0755"
|
||||
tags:
|
||||
- redis
|
||||
|
||||
- name: Create plugin directory
|
||||
file:
|
||||
name: /usr/local/share/munin/plugins/
|
||||
state: directory
|
||||
mode: "0755"
|
||||
tags:
|
||||
- redis
|
||||
|
||||
- name: Copy redis munin plugin
|
||||
copy:
|
||||
src: munin_redis
|
||||
dest: /usr/local/share/munin/plugins/redis_
|
||||
mode: "0755"
|
||||
notify: restart munin-node
|
||||
tags:
|
||||
- redis
|
||||
|
||||
- name: Enable redis munin plugin
|
||||
file:
|
||||
src: /usr/local/share/munin/plugins/redis_
|
||||
dest: "/etc/munin/plugins/{{ redis_instance_name }}_redis_{{item}}"
|
||||
state: link
|
||||
with_items:
|
||||
- connected_clients
|
||||
- key_ratio
|
||||
- keys_per_sec
|
||||
- per_sec
|
||||
- used_keys
|
||||
- used_memory
|
||||
notify: restart munin-node
|
||||
tags:
|
||||
- redis
|
||||
|
||||
- name: Configure redis plugin for munin
|
||||
template:
|
||||
src: templates/munin-plugin-instances.conf.j2
|
||||
dest: '/etc/munin/plugin-conf.d/evolinux.redis_{{ redis_instance_name }}'
|
||||
mode: 0740
|
||||
notify: restart munin-node
|
||||
tags: redis
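Review bot: `mode: 0740` on the plugin configuration is an unquoted YAML 1.1 octal literal that parses to the integer 480, which Ansible happens to interpret as 0o740 but warns about, and an unquoted `640` written the same way would silently become decimal 640 (0o1200). Quote it and pin the owner, since this file carries `env.password` for the instance: `mode: "0640"`, `owner: root`, `group: root` (munin-node reads plugin-conf.d as root, so nothing wider is needed as far as I can tell). The two `Create plugin directory` tasks share a name, which makes run output ambiguous; `file` with `state: directory` creates missing parents, so the first task can go.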
|
|
@ -12,6 +12,18 @@
|
|||
dest: /etc/nagios/nrpe.d/evolix.cfg
|
||||
regexp: '^command\[check_redis\]=.+'
|
||||
replace: 'command[check_redis]=/usr/lib/nagios/plugins/check_redis -H 127.0.0.1'
|
||||
when: redis_instance_name is undefined
|
||||
notify: restart nagios-nrpe-server
|
||||
tags:
|
||||
- redis
|
||||
- nrpe
|
||||
|
||||
- name: Replace check_tcp or check_redis by check_redis_instances for NRPE
|
||||
replace:
|
||||
dest: /etc/nagios/nrpe.d/evolix.cfg
|
||||
regexp: '^command\[check_redis\]=.+'
|
||||
replace: 'command[check_redis]=/usr/local/lib/nagios/plugins/check_redis_instances'
|
||||
when: redis_instance_name is defined
|
||||
notify: restart nagios-nrpe-server
|
||||
tags:
|
||||
- redis
|
||||
|
|
|
@ -0,0 +1,8 @@
|
|||
# Ansible managed
|
||||
|
||||
[{{ redis_instance_name }}_redis_*]
|
||||
env.title_prefix Instance {{ redis_instance_name }}
|
||||
env.port {{ redis_port }}
|
||||
{% if redis_password %}
|
||||
env.password {{ redis_password }}
|
||||
{% endif %}
|
|
@ -9,7 +9,9 @@ unixsocket {{ redis_unixsocket }}
|
|||
|
||||
{% if redis_password %}
|
||||
requirepass {{ redis_password }}
|
||||
masterauth {{ redis_password }}
|
||||
{% endif %}
|
||||
{% if redis_password_master %}
|
||||
masterauth {{ redis_password_master }}
|
||||
{% endif %}
|
||||
|
||||
timeout {{ redis_timeout }}
|
||||
|
@ -49,6 +51,10 @@ appendonly {{ redis_appendonly }}
|
|||
appendfsync {{ redis_appendfsync }}
|
||||
no-appendfsync-on-rewrite no
|
||||
|
||||
{% for disabled_command in redis_disabled_commands %}
|
||||
rename-command {{ disabled_command }} ""
|
||||
{% endfor %}
|
||||
|
||||
{% for include in redis_includes %}
|
||||
include {{ include }}
|
||||
{% endfor %}
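Review bot: `requirepass {{ redis_password }}` and `masterauth {{ redis_password_master }}` are emitted unquoted, and redis.conf splits a directive's arguments on whitespace, so a password containing a space gives Redis two arguments and the server refuses to start. Quote the values: `requirepass "{{ redis_password }}"` and `masterauth "{{ redis_password_master }}"`, keeping in mind that Redis processes backslash escapes inside double quotes, so a password containing `\` or `"` would need escaping on top. A comment above the loop, `# from redis_disabled_commands; renaming to "" disables the command`, would document the intent of the new block.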
|
||||
|
|
|
@ -105,6 +105,7 @@
|
|||
^www\.phpbb\.com$
|
||||
^www\.typolight\.org$
|
||||
^www\.spip\.net$
|
||||
^packagist\.org$
|
||||
|
||||
### Feeds / API / WS Tools / ...
|
||||
|
||||
|
|
|
@ -3,22 +3,7 @@ general_alert_email: "root@localhost"
|
|||
evoadminmail_contact_email: Null
|
||||
evoadminmail_bounce_email: "{{ evoadminmail_contact_email }}"
|
||||
|
||||
evoadminmail_username: evoadmin-mail
|
||||
evoadminmail_home_dir: "/home/{{ evoadminmail_username }}"
|
||||
evoadminmail_document_root: "{{ evoadminmail_home_dir }}/www"
|
||||
evoadminmail_log_dir: "{{ evoadminmail_home_dir }}/log"
|
||||
evoadminmail_scripts_dir: /usr/share/scripts/
|
||||
evoadminmail_host: "evoadminmail.{{ ansible_fqdn }}"
|
||||
|
||||
evoadminmail_enable_vhost: True
|
||||
evoadminmail_webserver: apache
|
||||
|
||||
evoadminmail_tpl_servername: "{{ ansible_fqdn }}"
|
||||
evoadminmail_tpl_address: "{{ ansible_default_ipv4.address }}"
|
||||
evoadminmail_tpl_phpmyadmin_url: Null
|
||||
evoadminmail_tpl_cgi_suffix: Null
|
||||
evoadminmail_tpl_signature: evoadmin
|
||||
evoadminmail_tpl_mail_from: root@localhost
|
||||
evoadminmail_tpl_mail_bcc: Null
|
||||
evoadminmail_tpl_mail_standard: "{{ general_alert_email }}"
|
||||
evoadminmail_tpl_mail_urgent: "{{ general_alert_email }}"
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
[evoadmin-mail]
|
||||
|
||||
user = www-evoadmin-mail
|
||||
user = evoadmin-mail
|
||||
group = evoadmin-mail
|
||||
|
||||
listen = /run/php/php7.0-evoadmin-mail-fpm.sock
|
||||
|
@ -12,3 +12,4 @@ listen.group = www-data
|
|||
pm = ondemand
|
||||
pm.max_children = 25
|
||||
|
||||
env[EVOADMINMAIL_CONFIG_FILE] = /etc/evoadmin-mail/config.ini
|
||||
|
|
|
@ -11,5 +11,5 @@
|
|||
|
||||
- name: reload php-fpm
|
||||
service:
|
||||
name: php7.0-fpm
|
||||
state: reload
|
||||
name: php7.0-fpm
|
||||
state: reloaded
|
||||
|
|
|
@ -1,30 +1,27 @@
|
|||
---
|
||||
|
||||
- name: "Set custom values for PHP config (Debian 9 or later)"
|
||||
ini_file:
|
||||
dest: /etc/php/7.0/apache2/conf.d/zzz-evolinux-custom.ini
|
||||
section: PHP
|
||||
option: "disable_functions"
|
||||
value: "shell-exec,system,passthru,putenv,popen,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority"
|
||||
notify: reload apache2
|
||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||
|
||||
- name: Install evoadminmail VHost
|
||||
template:
|
||||
src: apache_evoadminmail.conf.j2
|
||||
dest: /etc/apache2/sites-available/evoadminmail.conf
|
||||
notify: reload apache2
|
||||
tags:
|
||||
- evoadmin-mail
|
||||
|
||||
- name: Enable evoadminmail vhost
|
||||
command: "a2ensite evoadminmail.conf"
|
||||
register: cmd_a2ensite
|
||||
changed_when: "'Enabling site' in cmd_a2ensite.stdout"
|
||||
file:
|
||||
src: "/etc/apache2/sites-available/evoadminmail.conf"
|
||||
dest: "/etc/apache2/sites-enabled/evoadminmail.conf"
|
||||
state: link
|
||||
notify: reload apache2
|
||||
when: evoadminmail_enable_vhost
|
||||
tags:
|
||||
- evoadmin-mail
|
||||
|
||||
- name: Disable evoadminmail vhost
|
||||
command: "a2dissite evoadminmail.conf"
|
||||
register: cmd_a2dissite
|
||||
changed_when: "'Disabling site' in cmd_a2dissite.stdout"
|
||||
file:
|
||||
dest: "/etc/apache2/sites-enabled/evoadminmail.conf"
|
||||
state: absent
|
||||
notify: reload apache2
|
||||
when: not evoadminmail_enable_vhost
|
||||
tags:
|
||||
- evoadmin-mail
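Review bot: The `disable_functions` value lists `shell-exec`, which is not a PHP function name (`shell_exec` is), so `shell_exec` stays callable from the evoadmin-mail vhost while the list looks complete; `exec` and `proc_open` are absent as well. Fix the spelling and, if the application does not need them, add the two: `value: "shell_exec,exec,proc_open,system,passthru,putenv,popen,pcntl_alarm,…"`, with the same correction in the php-fpm variant of this role, which shows the identical value. The task is also pinned to `/etc/php/7.0/apache2/conf.d/…` but guarded by `version_compare('9', '>=')`, so on Debian 10, where PHP is 7.3, ini_file targets a directory that does not exist; derive the path from the installed PHP version or restrict the `when` to Debian 9. I cannot tell from the rendered hunk whether this task survives on the new side of the package refactoring; if it was removed, the point applies to the php-fpm file instead.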
|
||||
|
|
|
@ -1,17 +0,0 @@
|
|||
---
|
||||
|
||||
- name: "Create /etc/evolinux"
|
||||
file:
|
||||
dest: "/etc/evolinux"
|
||||
recurse: yes
|
||||
state: directory
|
||||
|
||||
#- name: Configure web-add config file
|
||||
# template:
|
||||
# src: web-add.conf.j2
|
||||
# dest: /etc/evolinux/web-add.conf
|
||||
#
|
||||
#- name: Configure web-add template file for mail
|
||||
# template:
|
||||
# src: web-mail.tpl.j2
|
||||
# dest: "{{ evoadminmail_scripts_dir }}/web-mail.tpl"
|
|
@ -1,10 +1,19 @@
|
|||
---
|
||||
- name: Install evoadmin-mail package
|
||||
apt:
|
||||
name: evoadmin-mail
|
||||
state: present
|
||||
tags:
|
||||
- evoadmin-mail
|
||||
|
||||
- include: packages.yml
|
||||
|
||||
- include: user.yml
|
||||
|
||||
- include: config.yml
|
||||
- name: Configure contact mail
|
||||
ini_file:
|
||||
dest: /etc/evoadmin-mail/config.ini
|
||||
section: global
|
||||
option: mail
|
||||
value: "\"{{ evoadminmail_contact_email or general_alert_email | mandatory }}\""
|
||||
tags:
|
||||
- evoadmin-mail
|
||||
|
||||
- include: ssl.yml
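Review bot: The new "Install evoadmin-mail package" task installs `evoadmin-mail` with `apt`, but this commit also deletes packages.yml, which was the only place that ran `include_role: apt` with `tasks_from: evolix_public.yml`. If the package is only published in that repository, the apt task fails on a host where another role has not already configured it; either keep that `include_role` ahead of the apt task or document the prerequisite for the role. In the "Configure contact mail" task, `mandatory` binds only to `general_alert_email`, so the expression still errors on an undefined `evoadminmail_contact_email`; a comment such as `# evoadminmail_contact_email must be defined (may be empty) in defaults; mandatory guards general_alert_email only` would make that contract explicit.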
|
||||
|
||||
|
@ -21,3 +30,5 @@
|
|||
regexp: "EvoAdmin-mail"
|
||||
line: ' <li><a href="https://{{ evoadminmail_host }}">Interface admin mail (EvoAdmin-mail)</a></li>'
|
||||
insertbefore: "</ul>"
|
||||
tags:
|
||||
- evoadmin-mail
|
||||
|
|
|
@ -1,25 +1,19 @@
|
|||
---
|
||||
|
||||
- name: "Set custom values for PHP config (Debian 9 or later)"
|
||||
ini_file:
|
||||
dest: /etc/php/7.0/fpm/conf.d/zzz-evolinux-custom.ini
|
||||
section: PHP
|
||||
option: "disable_functions"
|
||||
value: "shell-exec,system,passthru,putenv,popen,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority"
|
||||
notify: reload nginx
|
||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||
|
||||
- name: Copy php-fpm evoadmin-mail pool
|
||||
copy:
|
||||
src: pool.evoadmin-mail.conf
|
||||
dest: /etc/php/7.0/fpm/pool.d/evoadmin-mail.conf
|
||||
notify: reload php-fpm
|
||||
tags:
|
||||
- evoadmin-mail
|
||||
|
||||
- name: Install evoadminmail VHost
|
||||
template:
|
||||
src: nginx_evoadminmail.conf.j2
|
||||
dest: /etc/nginx/sites-available/evoadminmail.conf
|
||||
notify: reload nginx
|
||||
tags:
|
||||
- evoadmin-mail
|
||||
|
||||
- name: Active evoadminmail VHost
|
||||
file:
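Review bot: The `ini_file` task writing `/etc/php/7.0/fpm/conf.d/zzz-evolinux-custom.ini` notifies `reload nginx`, but that file is read by PHP-FPM, not nginx, so a changed `disable_functions` list only takes effect after an unrelated php-fpm restart; the handlers hunk at the top of this page defines `reload php-fpm`, so this task should use `notify: reload php-fpm`. The "Copy php-fpm evoadmin-mail pool" task right below already notifies `reload php-fpm`, which makes the inconsistency easy to confirm. The "Active evoadminmail VHost" task at the end continues outside the hunk.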
|
||||
|
@ -28,8 +22,14 @@
|
|||
state: link
|
||||
notify: reload nginx
|
||||
when: evoadminmail_enable_vhost
|
||||
tags:
|
||||
- evoadmin-mail
|
||||
|
||||
- name: Disable evoadminmail vhost
|
||||
command: "unlink /etc/nginx/sites-enabled/evoadminmail.conf"
|
||||
file:
|
||||
dest: "/etc/nginx/sites-enabled/evoadminmail.conf"
|
||||
state: absent
|
||||
notify: reload nginx
|
||||
when: not evoadminmail_enable_vhost
|
||||
tags:
|
||||
- evoadmin-mail
|
||||
|
|
|
@ -1,15 +0,0 @@
|
|||
---
|
||||
|
||||
- include_role:
|
||||
name: apt
|
||||
tasks_from: evolix_public.yml
|
||||
|
||||
- name: Install PHP packages
|
||||
apt:
|
||||
name: '{{ item }}'
|
||||
state: present
|
||||
with_items:
|
||||
- php-pear
|
||||
- php-log
|
||||
- php-crypt-chap
|
||||
- php-twig
|
|
@ -1,24 +1,30 @@
|
|||
---
|
||||
|
||||
|
||||
- name: ssl-cert package is installed
|
||||
apt:
|
||||
name: ssl-cert
|
||||
state: present
|
||||
tags:
|
||||
- evoadmin-mail
|
||||
|
||||
- name: Create private key and csr for default site ({{ ansible_fqdn }})
|
||||
command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ evoadminmail_host }}.key -out /etc/ssl/{{ evoadminmail_host }}.csr -batch -subj "/CN={{ evoadminmail_host }}"
|
||||
args:
|
||||
creates: "/etc/ssl/private/{{ evoadminmail_host }}.key"
|
||||
tags:
|
||||
- evoadmin-mail
|
||||
|
||||
- name: Adjust rights on private key
|
||||
file:
|
||||
path: /etc/ssl/private/{{ evoadminmail_host }}.key
|
||||
dest: /etc/ssl/private/{{ evoadminmail_host }}.key
|
||||
owner: root
|
||||
group: ssl-cert
|
||||
mode: "0640"
|
||||
tags:
|
||||
- evoadmin-mail
|
||||
|
||||
- name: Create certificate for default site
|
||||
command: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ evoadminmail_host }}.csr -signkey /etc/ssl/private/{{ evoadminmail_host }}.key -out /etc/ssl/certs/{{ evoadminmail_host }}.crt
|
||||
args:
|
||||
creates: "/etc/ssl/certs/{{ evoadminmail_host }}.crt"
|
||||
tags:
|
||||
- evoadmin-mail
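Review bot: The "Adjust rights on private key" task passes both `path:` and `dest:` to the `file` module; they are aliases of one parameter, so the second is redundant and Ansible reports the duplicated alias — keep only `path: /etc/ssl/private/{{ evoadminmail_host }}.key`. The key is written by the `openssl req` task before this task tightens it to `0640`; if the installed OpenSSL does not itself create the key file with restrictive permissions, the file is briefly readable under the default umask, which running the generation through the `shell` module as `umask 077 && openssl req ...` would avoid. The task name still says "default site ({{ ansible_fqdn }})" while every path uses `evoadminmail_host`; aligning the name avoids confusion when the two differ.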
|
||||
|
|
|
@ -1,121 +0,0 @@
|
|||
---
|
||||
|
||||
- name: Create evoadmin account
|
||||
user:
|
||||
name: "{{ evoadminmail_username }}"
|
||||
comment: "Evoadmin Web Account"
|
||||
home: "{{ evoadminmail_home_dir}}"
|
||||
shell: /bin/bash
|
||||
password: "!"
|
||||
|
||||
- name: Create log/ directory
|
||||
file:
|
||||
path: "{{ evoadminmail_home_dir}}/log"
|
||||
state: directory
|
||||
owner: "{{ evoadminmail_username }}"
|
||||
group: "{{ evoadminmail_username }}"
|
||||
mode: "0750"
|
||||
|
||||
- name: Create www-evoadminmail group
|
||||
group:
|
||||
name: "www-{{ evoadminmail_username }}"
|
||||
state: present
|
||||
|
||||
- name: "Create www-evoadmin (Debian 9 or later)"
|
||||
user:
|
||||
name: "www-{{ evoadminmail_username }}"
|
||||
home: "{{ evoadminmail_home_dir}}/www"
|
||||
shell: /bin/bash
|
||||
createhome: no
|
||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||
|
||||
- name: Add www-data to app's group
|
||||
user:
|
||||
name: 'www-data'
|
||||
groups: "{{ evoadminmail_username }}"
|
||||
append: yes
|
||||
when: evoadminmail_webserver == "nginx"
|
||||
|
||||
- name: Install Git
|
||||
apt:
|
||||
name: git
|
||||
state: present
|
||||
|
||||
- name: "Clone evoadmin repository (Debian 9 or later)"
|
||||
git:
|
||||
repo: https://forge.evolix.org/evoadmin-mail.git
|
||||
dest: "{{ evoadminmail_document_root}}"
|
||||
version: master
|
||||
update: yes
|
||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||
|
||||
- name: "Change perms on evoadminmail document root"
|
||||
file:
|
||||
dest: "{{ evoadminmail_document_root }}"
|
||||
owner: "www-{{ evoadminmail_username }}"
|
||||
group: "{{ evoadminmail_username }}"
|
||||
recurse: yes
|
||||
|
||||
- name: "Copy connect.php"
|
||||
template:
|
||||
src: connect.php.j2
|
||||
dest: "{{ evoadminmail_document_root }}/htdocs/config/connect.php"
|
||||
owner: "www-{{ evoadminmail_username }}"
|
||||
group: "{{ evoadminmail_username }}"
|
||||
when: ldap_admin_password is defined
|
||||
|
||||
- name: "Copy conf.php"
|
||||
template:
|
||||
src: conf.php.j2
|
||||
dest: "{{ evoadminmail_document_root }}/htdocs/config/conf.php"
|
||||
owner: "www-{{ evoadminmail_username }}"
|
||||
group: "{{ evoadminmail_username }}"
|
||||
|
||||
- name: create a password for evoadmin user
|
||||
command: "apg -n 1 -m 16 -M lcN"
|
||||
register: evoadminmail_admin_password
|
||||
changed_when: False
|
||||
|
||||
- name: upload ldif for evoadmin user
|
||||
template:
|
||||
src: evoadmin.ldif.j2
|
||||
dest: /root/evolinux_evoadminmail_admin.ldif
|
||||
mode: "0640"
|
||||
|
||||
- name: inject config
|
||||
command: slapadd -l /root/evolinux_evoadminmail_admin.ldif
|
||||
|
||||
- name: create log file
|
||||
file:
|
||||
dest: /var/log/evoadmin-mail.log
|
||||
state: touch
|
||||
owner: "www-{{ evoadminmail_username }}"
|
||||
group: "adm"
|
||||
mode: "0640"
|
||||
|
||||
- include_role:
|
||||
name: remount-usr
|
||||
when: evoadminmail_scripts_dir | search ("/usr")
|
||||
|
||||
- name: "Create {{ evoadminmail_scripts_dir }}"
|
||||
file:
|
||||
dest: "{{ evoadminmail_scripts_dir }}"
|
||||
# recurse: yes
|
||||
mode: "0700"
|
||||
state: directory
|
||||
|
||||
# we use a shell command to have a "changed" thet really reflects the result.
|
||||
- name: Fix permissions
|
||||
shell: "chmod -R --verbose u=rwX,g=rX,o= {{ item }}"
|
||||
register: command_result
|
||||
changed_when: "'changed' in command_result.stdout"
|
||||
# failed_when: False
|
||||
with_items:
|
||||
- "{{ evoadminmail_home_dir}}/www"
|
||||
|
||||
#- name: Add evoadmin sudoers file
|
||||
# template:
|
||||
# src: sudoers.j2
|
||||
# dest: /etc/sudoers.d/evoadmin
|
||||
# mode: "0600"
|
||||
# validate: "visudo -cf %s"
|
|
@ -10,7 +10,7 @@
|
|||
#ServerAlias {{ evoadminmail_host }}
|
||||
|
||||
# Repertoire principal
|
||||
DocumentRoot {{ evoadminmail_document_root }}/htdocs/
|
||||
DocumentRoot /usr/share/evoadmin-mail/
|
||||
|
||||
# SSL
|
||||
SSLEngine on
|
||||
|
@ -19,7 +19,7 @@
|
|||
SSLProtocol all -SSLv2 -SSLv3
|
||||
|
||||
# Propriete du repertoire
|
||||
<Directory {{ evoadminmail_document_root }}/htdocs/>
|
||||
<Directory /usr/share/evoadmin-mail/>
|
||||
#Options Indexes SymLinksIfOwnerMatch
|
||||
Options SymLinksIfOwnerMatch
|
||||
AllowOverride AuthConfig Limit FileInfo Indexes
|
||||
|
@ -27,15 +27,15 @@
|
|||
</Directory>
|
||||
|
||||
# user - group (thanks to sesse@debian.org)
|
||||
AssignUserID www-{{ evoadminmail_username }} {{ evoadminmail_username }}
|
||||
AssignUserID evoadmin-mail evoadmin-mail
|
||||
|
||||
# LOG
|
||||
CustomLog /var/log/apache2/access.log combined
|
||||
CustomLog {{ evoadminmail_log_dir }}/access.log combined
|
||||
ErrorLog {{ evoadminmail_log_dir }}/error.log
|
||||
ErrorLog /var/log/apache2/error.log
|
||||
|
||||
# AWSTATS
|
||||
SetEnv AWSTATS_FORCE_CONFIG {{ evoadminmail_username }}
|
||||
SetEnv AWSTATS_FORCE_CONFIG evoadmin-mail
|
||||
SetEnv EVOADMINMAIL_CONFIG_FILE /etc/evoadmin-mail/config.ini
|
||||
|
||||
# REWRITE
|
||||
UseCanonicalName On
|
||||
|
@ -53,6 +53,5 @@
|
|||
#php_admin_value max_execution_time 60
|
||||
#php_admin_value upload_max_filesize 8M
|
||||
#php_admin_flag allow_url_fopen Off
|
||||
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f www-{{ evoadminmail_username }}"
|
||||
php_admin_value open_basedir "none"
|
||||
</VirtualHost>
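Review bot: With `sendmail_path` removed, `php_admin_value open_basedir "none"` is the only PHP override left in the vhost, and it is presumably meant to lift the open_basedir restriction, leaving the application free to read anything the `evoadmin-mail` user can reach. Now that the document root is the packaged `/usr/share/evoadmin-mail/`, it is worth confirming whether that is still required rather than scoping open_basedir to the paths the vhost references (the document root, `/etc/evoadmin-mail/` and the log location). If it is deliberate, a comment such as `# open_basedir intentionally lifted: <reason>` would stop a later reviewer from tightening it blindly. The VirtualHost block starts outside the hunk.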
|
||||
|
|
|
@ -1,56 +0,0 @@
|
|||
<?php
|
||||
|
||||
// Email pour les notifications
|
||||
$conf['admin']['mail'] = '{{ evoadminmail_contact_email or general_alert_email | mandatory }}';
|
||||
// login des superadmins
|
||||
// Note: utile uniquement si domaines/driver=ldap, laisser vide sinon...
|
||||
$conf['admin']['logins'] = array('evoadmin');
|
||||
// What do you want?
|
||||
// 0 = nothing...
|
||||
// 1 = only mail accounts
|
||||
// 2 = only samba accounts
|
||||
// 3 = mail and samba accounts
|
||||
$conf['admin']['what'] = 1;
|
||||
// use hook.php instead of hook-dist.php
|
||||
$conf['admin']['use_hook'] = false;
|
||||
// enable quota
|
||||
$conf['admin']['quota'] = true;
|
||||
|
||||
// compatibilite LDAP
|
||||
$conf['evoadmin']['version'] = 3;
|
||||
$conf['url']['webroot'] = '/';
|
||||
|
||||
$conf['domaines']['onlyone'] = false;
|
||||
$conf['domaines']['driver'] = 'ldap';
|
||||
$conf['domaines']['file']['all'] = array('example.com');
|
||||
$conf['domaines']['file']['gid'] = 1000;
|
||||
// Pack Mail "virtuel"... attention
|
||||
// uniquement possible si $conf['admin']['what']=1 !!
|
||||
$conf['domaines']['ldap']['virtual'] = true;
|
||||
|
||||
// Mode cluster
|
||||
// Uniquement en mode mail seul et des utilisateurs virtuels
|
||||
$conf['evoadmin']['cluster'] = false;
|
||||
|
||||
// auth SMTP by default ?
|
||||
$conf['evoadmin']['useauthsmtp'] = false;
|
||||
|
||||
// Si comptes virtuels
|
||||
$conf['unix']['uid'] = 5000;
|
||||
|
||||
// Si pas virtuel
|
||||
$conf['unix']['minuid'] = 1000;
|
||||
$conf['unix']['mingid'] = 1000;
|
||||
|
||||
$conf['html']['title'] = "Evoadmin Mail";
|
||||
|
||||
// gestion des logs
|
||||
$conf['log']['priority'] = PEAR_LOG_DEBUG;
|
||||
$conf['log']['name'] = '/var/log/evoadmin-mail.log';
|
||||
$conf['log']['software'] = 'evoadminmail';
|
||||
$conf['log']['enabled'] = true;
|
||||
|
||||
// samba
|
||||
$conf['samba']['dn'] = 'DOMAINNAME';
|
||||
$conf['samba']['sid'] = 'S-1-5-21-XXX-XXX-XXX';
|
||||
$conf['samba']['admin_default'] = false;
|
|
@ -1,28 +0,0 @@
|
|||
<?php
|
||||
|
||||
/**
|
||||
* Secrete parameters
|
||||
*
|
||||
* $Id: connect-dist.php,v 1.3 2007-05-22 21:12:23 reg Exp $
|
||||
*
|
||||
* @author Gregory Colpart <reg@evolix.fr>
|
||||
* @version 1.0
|
||||
*/
|
||||
|
||||
define("LDAP_URI","ldap://127.0.0.1");
|
||||
$ldap_servers = array('ldap://127.0.0.1');
|
||||
define("LDAP_BASE","{{ ldap_suffix }}");
|
||||
define("LDAP_ADMIN_DN","cn=admin,{{ ldap_suffix }}");
|
||||
define("LDAP_ADMIN_PASS","{{ ldap_admin_password.stdout }}");
|
||||
|
||||
define("SUDOBIN","/usr/bin/sudo");
|
||||
define("SUDOSCRIPT","/usr/share/scripts/evoadmin.sh");
|
||||
define("SUDOPASS","xxxxxx");
|
||||
|
||||
define('SERVEUR','localhost');
|
||||
define('SERVEURPORT',3306);
|
||||
define('BASE','horde');
|
||||
define('NOM', 'horde');
|
||||
define('PASSE', 'xxxx');
|
||||
|
||||
?>
|
|
@ -1,12 +0,0 @@
|
|||
dn: uid=evoadmin,{{ ldap_suffix }}
|
||||
uid: evoadmin
|
||||
cn: Evoadmin ADM
|
||||
uidNumber: 4242
|
||||
gidNumber: 4242
|
||||
homeDirectory: /dev/null
|
||||
isAdmin: TRUE
|
||||
mailacceptinggeneralid: evoadmin@{{ ansible_fqdn }}
|
||||
objectClass: mailAccount
|
||||
objectClass: organizationalRole
|
||||
objectClass: posixAccount
|
||||
userPassword: {{ evoadminmail_admin_password.stdout }}
|
|
@ -18,10 +18,10 @@ server {
|
|||
access_log /var/log/nginx/access.log;
|
||||
error_log /var/log/nginx/error.log;
|
||||
|
||||
root {{ evoadminmail_document_root }}/htdocs/;
|
||||
root /usr/share/evoadmin-mail/;
|
||||
|
||||
location / {
|
||||
index index.html index.htm;
|
||||
try_files $uri $uri/ /index.php?$args;
|
||||
}
|
||||
|
||||
location ~ \.php$ {
|
||||
|
|
|
@ -1,3 +0,0 @@
|
|||
User_Alias EVOADMIN = www-evoadmin
|
||||
Cmnd_Alias EVOADMIN_WEB = {{ evoadmin_scripts_dir | mandatory }}/web-*.sh, {{ evoadmin_scripts_dir | mandatory }}/ftpadmin.sh
|
||||
EVOADMIN ALL=NOPASSWD: EVOADMIN_WEB
|
|
@ -1,2 +0,0 @@
|
|||
CONTACT_MAIL="{{ evoadmin_contact_email or general_alert_email | mandatory }}"
|
||||
WWWBOUNCE_MAIL="{{ evoadmin_bounce_email or general_alert_email | mandatory }}"
|
|
@ -1,86 +0,0 @@
|
|||
From: {{ evoadmin_tpl_mail_from }}
|
||||
To: RCPTTO
|
||||
Bcc: {{ evoadmin_tpl_mail_bcc }}
|
||||
Subject: Parametres hebergement web : LOGIN
|
||||
|
||||
Bonjour,
|
||||
|
||||
Votre compte d'hebergement web a ete cree.
|
||||
|
||||
**********************************
|
||||
* CONNEXION SFTP/SSH
|
||||
**********************************
|
||||
|
||||
NOM DU SERVEUR : {{ evoadmin_tpl_servername }}
|
||||
USER : LOGIN
|
||||
PASSWORD : PASSE1
|
||||
|
||||
*****************************************
|
||||
* Details sur l'environnement Apache/PHP
|
||||
*****************************************
|
||||
|
||||
URL du site :
|
||||
http://{{ evoadmin_tpl_servername }}
|
||||
|
||||
URL des stats :
|
||||
http://{{ evoadmin_tpl_servername }}/cgi-RANDOM/awstats.pl
|
||||
(acces par IP ou login a demander !)
|
||||
|
||||
Repertoire de connexion : HOME_DIR/LOGIN/
|
||||
Repertoire pour site web : HOME_DIR/LOGIN/www/
|
||||
|
||||
Apache/PHP tourne en www-LOGIN:LOGIN c'est-a-dire qu'il a acces
|
||||
uniquement *en lecture* aux differents fichiers/repertoires
|
||||
(a condition d'avoir 'g=rx' sur les repertoires et 'g=r' sur les
|
||||
fichiers ce qui est le comportement par defaut).
|
||||
|
||||
Lorsqu'on a besoin d'autoriser *l'ecriture* pour certains
|
||||
fichiers/repertoires, il suffit d'ajouter le droit 'g+w'.
|
||||
|
||||
***********************************
|
||||
* MySQL
|
||||
***********************************
|
||||
|
||||
SERVEUR : 127.0.0.1
|
||||
PORT DU SERVEUR : 3306
|
||||
USER : LOGIN
|
||||
PASSWORD : PASSE2
|
||||
NOM BASE : DBNAME
|
||||
URL interface d'admin :
|
||||
{{ evoadmin_tpl_phpmyadmin_url }}
|
||||
|
||||
***********************************
|
||||
* Rappels divers
|
||||
***********************************
|
||||
|
||||
Votre nom de domaine doit etre configure pour pointer
|
||||
sur l'adresse IP {{ evoadmin_tpl_address }} (enregistrement DNS A)
|
||||
ou etre un alias de {{ evoadmin_tpl_servername }} (enregistrement DNS CNAME).
|
||||
|
||||
Si vous avez besoin de faire des tests, vous devez
|
||||
ajouter la ligne suivante au fichier "/etc/hosts" sous Linux/Unix
|
||||
ou au fichier "system32\drivers\etc\hosts" sous Windows NT/XP :
|
||||
{{ evoadmin_tpl_address }} {{ evoadmin_tpl_servername }}
|
||||
|
||||
Attention, par defaut, toutes les connexions vers l'exterieur
|
||||
sont bloquees. Si vous avez besoin de recuperer des donnees
|
||||
a l'exterieur (flux RSS, BDD externe, etc.), contactez nous
|
||||
afin de mettre en oeuvre les autorisations necessaires.
|
||||
|
||||
Afin de securiser au maximum le serveur, certaines URL
|
||||
particulieres sont non autorisees pour eviter diverses
|
||||
attaques (XSS, robots, trojans, injections, etc.).
|
||||
Exemple d'URL refusee :
|
||||
http://{{ evoadmin_tpl_servername }}/cmd32.exe
|
||||
En cas de soucis avec votre application, prevenez-nous.
|
||||
|
||||
Si vous desirez mettre en place des parametres particuliers
|
||||
pour votre site (PHP, etc.) ou pour tout autre demande (scripts en crontab,
|
||||
etc.), n'hesitez pas a nous contacter a l'adresse
|
||||
{{ evoadmin_tpl_mail_standard }} (ou {{ evoadmin_tpl_mail_urgent }} si votre demande est
|
||||
urgente).
|
||||
|
||||
|
||||
Cordialement,
|
||||
--
|
||||
{{ evoadmin_tpl_signature }}
|