diff --git a/CHANGELOG.md b/CHANGELOG.md
index e47f3ba1..4eb149f4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,6 +18,36 @@ The **patch** part changes incrementally at each release.
 ### Security
+## [9.7.0] - 2019-01-17
+
+### Added
+* apache: add Munin configuration for Apache server-status URL
+* evomaintenance: database variables must be set or the task fails
+* fail2ban: add "ips" tag added to fail2ban/tasks/ip_whitelist.yml
+* metricbeat: add a variable for the protocol to use with Elasticsearch
+* rbenv: add pkg-config to the list of packages to install
+* redis: Configure munin when working in instance mode
+* redis: add a variable for renamed/disabled commands
+* redis: add a variable to disable the restart handler
+* redis: add a variable to force a restart (even with no change)
+
+### Changed
+* redis: distinction between main and master password
+* evocheck: update evocheck.sh for source install
+* php: added php-zip in the installed package list for debian 9 (and later)
+* squid: added packagist.org in the whitelist
+* java: update Oracle java package to 8u192
+
+### Fixed
+* fail2ban: fix "ignoreip" update
+* metricbeat: fix username/password replacement
+* nagios-nrpe: check_process now return the error code (making the check more usefull than /bin/true)
+* nginx: Munin url config is now a template to insert the server-status prefix
+* nodejs: Update yarn repo GPG key (current key expired)
+* redis: In instance mode, ensure to replace the nrpe check_redis with the instance check script
+* redis: Don't set the owner of /var/{lib,log}/redis to a redis instance account
+
+
 ## [9.6.0] - 2018-12-04
 ### Added
@@ -29,6 +59,7 @@ The **patch** part changes incrementally at each release.
 ### Changed
 * minifirewall: compare config before/after (for restart condition)
 * squid: better replacement in minifirewall config
+* evoadmin-mail: complete refactoring, use Debian Package
 ## [9.5.0] - 2018-11-14
diff --git a/apache/tasks/server_status.yml b/apache/tasks/server_status.yml index f9e1aed8..80dbe590 100644 --- a/apache/tasks/server_status.yml +++ b/apache/tasks/server_status.yml @@ -39,3 +39,17 @@ dest: /var/www/index.html regexp: '__SERVERSTATUS_SUFFIX__' replace: "{{ apache_serverstatus_suffix }}" + +- name: Munin configuration has a section for apache + lineinfile: + dest: /etc/munin/plugin-conf.d/munin-node + line: "[apache_*]" + create: no + +- name: apache-status URL is configured for Munin + lineinfile: + dest: /etc/munin/plugin-conf.d/munin-node + line: "env.url http://127.0.0.1/server-status-{{ apache_serverstatus_suffix }}?auto" + regexp: "env.url http://127.0.0.1/server-status" + insertafter: "[apache_*]" + create: no diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index a8be7eec..2c20b04d 100644 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -4,8 +4,8 @@ # Script to verify compliance of a Debian/OpenBSD server # powered by Evolix -# Repository: https://gitlab.evolix.org/evolix/evocheck -# Commit: 956877442a3f43243fed89c491d9bdddd1ac77cd +# Repository: https://gitea.evolix.org/evolix/evocheck +# Commit: e6e0b8c216ed28a2ee2229e5e122ff1d49701ffc # Disable LANG* export LANG=C 
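Review bot: `insertafter: "[apache_*]"` in the second added task is a regular expression, and `[apache_*]` is a character class matching any single one of those letters, so the `env.url` line is inserted after the last line containing such a character rather than under the `[apache_*]` section header; escape it as `insertafter: '^\[apache_\*\]'`. The `regexp` has the same looseness (unescaped dots, no anchor) and should be `regexp: '^env\.url http://127\.0\.0\.1/server-status'`. Both tasks hard-fail when `/etc/munin/plugin-conf.d/munin-node` is absent because of `create: no`; if the apache role is meant to run on hosts without munin, a `stat`-based `when` guard avoids an unconditional failure.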
@@ -525,19 +525,17 @@ if [ -e /etc/debian_version ]; then # Check if no package has been upgraded since $limit. if [ "$IS_NOTUPGRADED" = 1 ]; then - if zgrep -hq upgrade /var/log/dpkg.log*; then - last_upgrade=$(date +%s -d $(zgrep -h upgrade /var/log/dpkg.log* |sort -n |tail -1 |cut -f1 -d ' ')) - fi - if grep -q '^mailto="listupgrade-todo@' /etc/evolinux/listupgrade.cnf \ - || grep -q -E '^[[:digit:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[^\*]' /etc/cron.d/listupgrade; then + last_upgrade=$(date +%s -d $(zgrep -h upgrade /var/log/dpkg.log* |sort -n |tail -1 |cut -f1 -d ' ')) + if grep -sq '^mailto="listupgrade-todo@' /etc/evolinux/listupgrade.cnf \ + || grep -sq -E '^[[:digit:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[^\*]' /etc/cron.d/listupgrade; then # Manual upgrade process limit=$(date +%s -d "now - 180 days") else # Regular process limit=$(date +%s -d "now - 90 days") fi - if [ -d /var/log/installer ]; then - install_date=$(stat -c %Z /var/log/installer) + if [ -f /var/log/evolinux/00_prepare_system.log ]; then + install_date=$(stat -c %Z /var/log/evolinux/00_prepare_system.log) else install_date=0 fi @@ -591,8 +589,8 @@ if [ -e /etc/debian_version ]; then if [ "$IS_BACKPORTSCONF" = 1 ]; then if is_debianversion stretch; then - grep -q backports /etc/apt/sources.list && echo 'IS_BACKPORTSCONF FAILED!' - grep -q backports /etc/apt/sources.list.d/*.list 2>/dev/null && (grep -q backports /etc/apt/preferences.d/* || echo 'IS_BACKPORTSCONF FAILED!') + grep -qE "^[^#].*backports" /etc/apt/sources.list && echo 'IS_BACKPORTSCONF FAILED!' + grep -qE "^[^#].*backports" /etc/apt/sources.list.d/*.list 2>/dev/null && (grep -qE "^[^#].*backports" /etc/apt/preferences.d/* || echo 'IS_BACKPORTSCONF FAILED!') fi fi @@ -988,9 +986,10 @@ fi if [ "$IS_PRIVKEYWOLRDREADABLE" = 1 ]; then for f in /etc/ssl/private/*; do - perms=$(stat -c "%a" $f) + perms=$(stat -L -c "%a" $f) if [ ${perms: -1} != "0" ]; then echo 'IS_PRIVKEYWOLRDREADABLE FAILED!' + break fi done fi 
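Review bot: Dropping the `zgrep -hq upgrade` guard means `last_upgrade=$(date +%s -d $(zgrep -h upgrade /var/log/dpkg.log* ...))` now runs even when no upgrade line exists; the unquoted inner substitution then expands to nothing, `date` is called with `-d` and no argument, prints an error and leaves `last_upgrade` empty for the comparison that follows outside this hunk. Keep the guard and give the variable a numeric fallback, e.g. `last_upgrade=0` before `if zgrep -hq upgrade /var/log/dpkg.log*; then`, assuming the later comparison needs an integer. The `grep -sq` change is good since it silences the error when `listupgrade.cnf` does not exist.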
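Review bot: With `stat -L`, a dangling symlink in `/etc/ssl/private/` makes `stat` fail, `perms` stays empty and `[ ${perms: -1} != "0" ]` becomes a shell syntax error instead of a result; quote the expansion, `if [ "${perms: -1}" != "0" ]; then`, and the check then reports FAILED for the broken link as well. The added `break` is a good change, one hit is enough. `$f` is also unquoted; `"$f"` costs nothing.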
diff --git a/evolinux-base/tasks/packages.yml b/evolinux-base/tasks/packages.yml index e50045ed..8d2bab84 100644 --- a/evolinux-base/tasks/packages.yml +++ b/evolinux-base/tasks/packages.yml @@ -101,7 +101,7 @@ line: 'SENDMAILTO="{{ logcheck_alert_email or general_alert_email | mandatory }}"' when: evolinux_packages_logcheck_recipient -- name: Deleting rpcbin and nfs-common +- name: Deleting rpcbind and nfs-common apt: name: "{{ item }}" state: absent diff --git a/evolinux-base/tasks/ssh.yml b/evolinux-base/tasks/ssh.yml index 225add01..fd93c4e0 100644 --- a/evolinux-base/tasks/ssh.yml +++ b/evolinux-base/tasks/ssh.yml @@ -16,12 +16,12 @@ - name: "Security directives for Evolinux (Debian 10 or later)" blockinfile: dest: /etc/ssh/sshd_config + marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS" block: | Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }} PasswordAuthentication yes Match Group evolix PasswordAuthentication no - marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS" insertafter: EOF validate: '/usr/sbin/sshd -T -f %s' notify: reload sshd @@ -32,10 +32,10 @@ - name: Security directives for Evolinux (Jessie/Stretch) blockinfile: dest: /etc/ssh/sshd_config + marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS" block: | Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }} PasswordAuthentication yes - marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS" insertafter: EOF validate: '/usr/sbin/sshd -T -f %s' notify: reload sshd diff --git a/evomaintenance/tasks/main.yml b/evomaintenance/tasks/main.yml index 1b58b3e0..d0b9ba3b 100644 --- a/evomaintenance/tasks/main.yml +++ b/evomaintenance/tasks/main.yml 
@@ -3,6 +3,14 @@ - set_fact: minifirewall_restart_handler_name: "{{ minifirewall_restart_if_needed | ternary('restart minifirewall', 'restart minifirewall (noop)') }}" +- assert: + that: + - evomaintenance_pg_passwd is not none + - evomaintenance_pg_db is not none + - evomaintenance_pg_table is not none + - evomaintenance_pg_host is not none + msg: evomaintenance database variables must be set + - include: install_package_debian.yml when: - not evomaintenance_install_vendor diff --git a/evomaintenance/templates/evomaintenance.j2 b/evomaintenance/templates/evomaintenance.j2 index 79bc0cbf..acb6fd46 100644 --- a/evomaintenance/templates/evomaintenance.j2 +++ b/evomaintenance/templates/evomaintenance.j2 @@ -1,11 +1,11 @@ HOSTNAME={{ evomaintenance_hostname }} EVOMAINTMAIL={{ evomaintenance_alert_email or general_alert_email | mandatory }} -export PGPASSWORD={{ evomaintenance_pg_passwd | mandatory }} +export PGPASSWORD={{ evomaintenance_pg_passwd }} -PGDB={{ evomaintenance_pg_db | mandatory }} -PGTABLE={{ evomaintenance_pg_table | mandatory }} -PGHOST={{ evomaintenance_pg_host | mandatory }} +PGDB={{ evomaintenance_pg_db }} +PGTABLE={{ evomaintenance_pg_table }} +PGHOST={{ evomaintenance_pg_host }} FROM={{ evomaintenance_from }} FULLFROM="{{ evomaintenance_full_from }}" URGENCYFROM={{ evomaintenance_urgency_from }} diff --git a/fail2ban/tasks/ip_whitelist.yml b/fail2ban/tasks/ip_whitelist.yml index 3bdd05f3..f899e618 100644 --- a/fail2ban/tasks/ip_whitelist.yml +++ b/fail2ban/tasks/ip_whitelist.yml @@ -1,10 +1,15 @@ --- + +- set_fact: + fail2ban_ignore_ips: "{{ ['127.0.0.1/8'] | union(fail2ban_default_ignore_ips) | union(fail2ban_additional_ignore_ips) | unique }}" + - name: Update ignoreips lists ini_file: dest: /etc/fail2ban/jail.local - section: "[DEFAULT]" - option: "ignoreips" + section: "DEFAULT" + option: "ignoreip" value: "{{ fail2ban_ignore_ips | join(' ') }}" notify: restart fail2ban tags: - fail2ban + - ips \ No newline at end of file 
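Review bot: `is not none` lets an empty string through, and a variable that is not defined at all makes the `assert` itself fail with an undefined-variable error instead of the friendly `msg`; since the `| mandatory` filters were removed from the template in this same commit, this assert is now the only gate on the four values. A condition of the form `- evomaintenance_pg_passwd | default('', true) != ''` covers undefined, `None` and empty for each of the four variables (`default(x, true)` also replaces falsy values). If the role's defaults set them to `Null`, the current check is enough for that case, but not for a `""` supplied by an inventory.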
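Review bot: `export PGPASSWORD={{ evomaintenance_pg_passwd }}` renders the secret unquoted into what looks like a shell-sourced file (the neighbouring `FULLFROM="..."` is quoted), so a password containing a space, `;`, `$` or a glob character either breaks the file or is interpreted by the shell when it is sourced. Quoting the value, `export PGPASSWORD='{{ evomaintenance_pg_passwd }}'`, protects everything except an embedded single quote, which can be escaped with Jinja's `replace` filter if such passwords must be allowed. The same applies to `PGHOST`, `PGDB` and `PGTABLE`, though those are less likely to carry such characters.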
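Review bot: The new `ips` tag is on the `ini_file` task only, while the `set_fact` that defines `fail2ban_ignore_ips` just above it carries no tags, so `ansible-playbook --tags ips` skips the fact and the `ini_file` task fails on an undefined variable; give the `set_fact` the same `tags:` list (`- fail2ban`, `- ips`). The same union expression is also computed in fail2ban/tasks/main.yml in this commit, so the two copies can drift; computing it once, with both tags, would be cleaner. The file also ends without a trailing newline.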
diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml index f8b20694..6e97fb2d 100644 --- a/fail2ban/tasks/main.yml +++ b/fail2ban/tasks/main.yml @@ -13,10 +13,12 @@ - "/etc/fail2ban" - "/etc/fail2ban/filter.d" tags: - - fail2ban + - fail2ban - set_fact: - fail2ban_ignore_ips: "{{ fail2ban_default_ignore_ips | union(fail2ban_additional_ignore_ips) | unique }}" + fail2ban_ignore_ips: "{{ ['127.0.0.1/8'] | union(fail2ban_default_ignore_ips) | union(fail2ban_additional_ignore_ips) | unique }}" + tags: + - fail2ban - name: local jail is installed template: @@ -26,7 +28,7 @@ force: no notify: restart fail2ban tags: - - fail2ban + - fail2ban - name: Include ignoredips update task include: ip_whitelist.yml diff --git a/java/tasks/oracle.yml b/java/tasks/oracle.yml index da3473da..dd80303b 100644 --- a/java/tasks/oracle.yml +++ b/java/tasks/oracle.yml @@ -23,19 +23,19 @@ - name: Get Oracle jre archive get_url: - url: 'http://download.oracle.com/otn-pub/java/jdk/8u172-b11/a58eab1ec242421181065cdc37240b08/jre-8u172-linux-x64.tar.gz' + url: 'https://download.oracle.com/otn-pub/java/jdk/8u192-b12/750e1c8617c5452694857ad95c3ee230/server-jre-8u192-linux-x64.tar.gz' dest: '/srv/java-package/src/' - checksum: 'sha256:f08f25aec2bdc86138ccba8fd5b904451e3afa1d24a88c85f28c2d84bfd45bad' + checksum: 'sha256:3d811a5ec65dc6fc261f488757bae86ecfe285a79992363b016f60cdb4dbe7e6' headers: 'Cookie: oraclelicense=accept-securebackup-cookie' mode: "0644" tags: - java - name: Make Debian package from Oracle JDK archive - shell: "yes | TMPDIR=/srv/java-package/tmp make-jpkg /srv/java-package/src/jre-8u172-linux-x64.tar.gz" + shell: "yes | TMPDIR=/srv/java-package/tmp make-jpkg /srv/java-package/src/server-jre-8u192-linux-x64.tar.gz" args: chdir: /srv/java-package - creates: /srv/java-package/oracle-java8-jre_8u172_amd64.deb + creates: /srv/java-package/oracle-java8-server-jre_8u192_amd64.deb become: False tags: - java 
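Review bot: The URL, checksum and `creates:` path switch from the plain `jre` tarball to `server-jre`, a different Oracle distribution that installs under a different path (the alternatives change in the next hunk follows from it), but the task names still read "Get Oracle jre archive" and "Make Debian package from Oracle JDK archive" and the CHANGELOG entry only mentions the version. A comment such as `# server-jre (not jre) since 8u192; the alternatives path below depends on it` above the `get_url` task would record the intent. Pinning `sha256` on an `https` download is the right way to fetch this; keep the checksum updated together with the URL as done here.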
@@ -45,14 +45,14 @@ - name: Install java package apt: - deb: /srv/java-package/oracle-java8-jre_8u172_amd64.deb + deb: /srv/java-package/oracle-java8-server-jre_8u192_amd64.deb tags: - java - name: This openjdk version is the default alternative alternatives: name: java - path: "/usr/lib/jvm/jre-{{ java_version }}-oracle-x64/bin/java" + path: "/usr/lib/jvm/oracle-java{{ java_version }}-server-jre-amd64/bin/java" when: java_default_alternative tags: - java diff --git a/metricbeat/defaults/main.yml b/metricbeat/defaults/main.yml index 28b7e084..ee4cee34 100644 --- a/metricbeat/defaults/main.yml +++ b/metricbeat/defaults/main.yml @@ -1,6 +1,7 @@ --- elastic_stack_version: "6.x" +metricbeat_elasticsearch_protocol: "" metricbeat_elasticsearch_hosts: - "localhost:9200" metricbeat_elasticsearch_auth_username: "" diff --git a/metricbeat/tasks/main.yml b/metricbeat/tasks/main.yml index 94c75614..ed51dd1f 100644 --- a/metricbeat/tasks/main.yml +++ b/metricbeat/tasks/main.yml @@ -50,6 +50,15 @@ when: - metricbeat_elasticsearch_hosts +- name: Metricbeat protocol for Elasticsearch + lineinfile: + dest: /etc/metricbeat/metricbeat.yml + regexp: '^ #?protocol: .*' + line: " protocol: \"{{ metricbeat_elasticsearch_protocol }}\"" + insertafter: "output.elasticsearch:" + notify: restart metricbeat + when: metricbeat_elasticsearch_protocol == "http" or metricbeat_elasticsearch_protocol == "https" + - name: Metricbeat auth/username for Elasticsearch are configured lineinfile: dest: /etc/metricbeat/metricbeat.yml 
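Review bot: `deb: /srv/java-package/oracle-java8-server-jre_8u192_amd64.deb` hard-codes the major version and build while the alternatives `path` now derives it from `{{ java_version }}`; if `java_version` is ever set to something other than 8 the package installed and the alternative registered no longer match. Either template the major version into the `deb`/`creates`/URL values as well, or document next to the variable that it must stay `8` while this task file is used. The task name "This openjdk version is the default alternative" also no longer fits an Oracle package; `Oracle java is the default alternative` would be clearer.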
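Review bot: `metricbeat_elasticsearch_protocol: ""` has no comment saying which values are honoured; tasks/main.yml only acts on `http` or `https` and leaves the packaged default otherwise, which is easy to miss from the defaults file. Suggest `# "http" or "https"; empty keeps the value shipped in metricbeat.yml` above the line.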
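Review bot: The `when` on the new protocol task skips silently for any value other than exactly `http`/`https`, so a typo such as `htttps` or `HTTPS` leaves metricbeat on whatever the packaged default is (not visible here) with no signal in the play output; fail instead on an unknown non-empty value. An `assert` placed before the task with `that: metricbeat_elasticsearch_protocol in ['', 'http', 'https']` does that, and the task's `when` can then be `metricbeat_elasticsearch_protocol != ""`. Whitespace is collapsed in this view, so I cannot tell whether `regexp: '^ #?protocol: .*'` matches the indentation actually used in the shipped metricbeat.yml; worth checking once on a fresh install.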
@@ -57,8 +66,8 @@ line: '{{ item.line }}' insertafter: "output.elasticsearch:" with_items: - - { regexp: '^ #username: .*', line: ' username: "{{ metricbeat_elasticsearch_auth_username }}"' } - - { regexp: '^ #password: .*', line: ' password: "{{ metricbeat_elasticsearch_auth_password }}"' } + - { regexp: '^ #?username: .*', line: ' username: "{{ metricbeat_elasticsearch_auth_username }}"' } + - { regexp: '^ #?password: .*', line: ' password: "{{ metricbeat_elasticsearch_auth_password }}"' } notify: restart metricbeat when: - metricbeat_elasticsearch_auth_username != "" diff --git a/minifirewall/tasks/config.yml b/minifirewall/tasks/config.yml index bd71cb48..13cb6145 100644 --- a/minifirewall/tasks/config.yml +++ b/minifirewall/tasks/config.yml @@ -26,9 +26,9 @@ - name: Begin marker for IP addresses lineinfile: dest: "{{ minifirewall_main_file }}" - create: no line: "# BEGIN ANSIBLE MANAGED BLOCK FOR IPS" insertbefore: '^# Main interface' + create: no - name: End marker for IP addresses lineinfile: @@ -47,7 +47,6 @@ - name: Configure IP addresses blockinfile: dest: "{{ minifirewall_main_file }}" - create: no marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS" content: | # Main interface @@ -66,26 +65,26 @@ # Privilegied IPv4 addresses for semi-public services # (no need to add again TRUSTEDIPS) PRIVILEGIEDIPS='{{ minifirewall_privilegied_ips | join(' ') }}' + create: no register: minifirewall_config_ips - name: Begin marker for ports lineinfile: dest: "{{ minifirewall_main_file }}" - create: no line: "# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS" insertbefore: '^# Protected services' + create: no - name: End marker for ports lineinfile: dest: "{{ minifirewall_main_file }}" - create: no line: "# END ANSIBLE MANAGED BLOCK FOR PORTS" insertafter: '^SERVICESUDP3=' + create: no - name: Configure ports blockinfile: dest: "{{ minifirewall_main_file }}" - create: no marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS" content: | # Protected services 
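Review bot: The `password` line is rewritten through `with_items`, and each item — including the rendered `metricbeat_elasticsearch_auth_password` — is echoed in the task result and in any log or callback, so the Elasticsearch credential appears on the console whenever this task reports; add `no_log: true` to the task. The task header is above the hunk, so the key goes alongside `notify`/`when`. Making the regexps accept an already-uncommented line (`#?`) is the right fix for reruns.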
@@ -104,70 +103,71 @@ # Private services (IPv4) SERVICESTCP3='{{ minifirewall_private_ports_tcp | join(' ') }}' SERVICESUDP3='{{ minifirewall_private_ports_udp | join(' ') }}' + create: no register: minifirewall_config_ports - name: Configure DNSSERVEURS lineinfile: dest: "{{ minifirewall_main_file }}" - create: no line: "DNSSERVEURS='{{ minifirewall_dns_servers | join(' ') }}'" regexp: "DNSSERVEURS='.*'" + create: no when: minifirewall_dns_servers is not none - name: Configure HTTPSITES lineinfile: dest: "{{ minifirewall_main_file }}" - create: no line: "HTTPSITES='{{ minifirewall_http_sites | join(' ') }}'" regexp: "HTTPSITES='.*'" + create: no when: minifirewall_http_sites is not none - name: Configure HTTPSSITES lineinfile: dest: "{{ minifirewall_main_file }}" - create: no line: "HTTPSSITES='{{ minifirewall_https_sites | join(' ') }}'" regexp: "HTTPSSITES='.*'" + create: no when: minifirewall_https_sites is not none - name: Configure FTPSITES lineinfile: dest: "{{ minifirewall_main_file }}" - create: no line: "FTPSITES='{{ minifirewall_ftp_sites | join(' ') }}'" regexp: "FTPSITES='.*'" + create: no when: minifirewall_ftp_sites is not none - name: Configure SSHOK lineinfile: dest: "{{ minifirewall_main_file }}" - create: no line: "SSHOK='{{ minifirewall_ssh_ok | join(' ') }}'" regexp: "SSHOK='.*'" + create: no when: minifirewall_ssh_ok is not none - name: Configure SMTPOK lineinfile: dest: "{{ minifirewall_main_file }}" - create: no line: "SMTPOK='{{ minifirewall_smtp_ok | join(' ') }}'" regexp: "SMTPOK='.*'" + create: no when: minifirewall_smtp_ok is not none - name: Configure SMTPSECUREOK lineinfile: dest: "{{ minifirewall_main_file }}" - create: no line: "SMTPSECUREOK='{{ minifirewall_smtp_secure_ok | join(' ') }}'" regexp: "SMTPSECUREOK='.*'" + create: no when: minifirewall_smtp_secure_ok is not none - name: Configure NTPOK lineinfile: dest: "{{ minifirewall_main_file }}" - create: no line: "NTPOK='{{ minifirewall_ntp_ok | join(' ') }}'" regexp: "NTPOK='.*'" 
+ create: no when: minifirewall_ntp_ok is not none - name: evomaintenance diff --git a/munin/tasks/main.yml b/munin/tasks/main.yml index f08f2005..6dcf1a26 100644 --- a/munin/tasks/main.yml +++ b/munin/tasks/main.yml @@ -77,6 +77,7 @@ - name: adjustments for grsec kernel blockinfile: dest: /etc/munin/plugin-conf.d/munin-node + marker: "# {mark} ANSIBLE MANAGED GRSECURITY CUSTOMIZATIONS" block: | [processes] diff --git a/nagios-nrpe/files/plugins/check_process b/nagios-nrpe/files/plugins/check_process index 780ef233..46ef34dd 100755 --- a/nagios-nrpe/files/plugins/check_process +++ b/nagios-nrpe/files/plugins/check_process @@ -5,3 +5,5 @@ for proc in cron rsyslogd ntpd munin-node; do sudo /usr/lib/nagios//plugins/check_procs -C $proc -c 1: rc=$(($rc|$?)) done + +exit $rc diff --git a/nginx/files/munin/evolinux.nginx b/nginx/files/munin/evolinux.nginx deleted file mode 100644 index c505f929..00000000 --- a/nginx/files/munin/evolinux.nginx +++ /dev/null @@ -1,2 +0,0 @@ -[nginx_*] -env.url http://munin/nginx_status diff --git a/nginx/tasks/munin_graphs.yml b/nginx/tasks/munin_graphs.yml index feabbcad..470f8fd6 100644 --- a/nginx/tasks/munin_graphs.yml +++ b/nginx/tasks/munin_graphs.yml @@ -1,7 +1,7 @@ --- - name: Copy Munin config for Nginx - copy: + template: src: munin/evolinux.nginx dest: /etc/munin/plugin-conf.d/ mode: "0644" diff --git a/nginx/templates/munin/evolinux.nginx b/nginx/templates/munin/evolinux.nginx new file mode 100644 index 00000000..f58c0078 --- /dev/null +++ b/nginx/templates/munin/evolinux.nginx @@ -0,0 +1,2 @@ +[nginx_*] +env.url http://munin/nginx_status-{{ nginx_serverstatus_suffix }} diff --git a/nodejs/files/yarnpkg.gpg.key b/nodejs/files/yarnpkg.gpg.key index 800c737d..c5064ec5 100644 --- a/nodejs/files/yarnpkg.gpg.key +++ b/nodejs/files/yarnpkg.gpg.key 
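Review bot: Adding `marker: "# {mark} ANSIBLE MANAGED GRSECURITY CUSTOMIZATIONS"` to a `blockinfile` that previously used the default marker means that, on hosts where the old block was already written, the `# BEGIN ANSIBLE MANAGED BLOCK` section stays and a second `[processes]` block is appended, since blockinfile only recognises its current marker. Either keep the default marker for this task, or add a one-time `blockinfile` with `state: absent` and the old default marker before this task to migrate existing files. The `block` content continues outside the hunk.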
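Review bot: With `exit $rc` now in effect, the pre-existing `rc=$(($rc|$?))` combines Nagios return codes by bitwise OR, so a WARNING (1) from one process and a CRITICAL (2) from another exit as 3 (UNKNOWN) and the CRITICAL is masked; keep the highest code instead: `ret=$?` followed by `[ "$ret" -gt "$rc" ] && rc=$ret` (this assumes `rc` is initialised to 0 above the hunk). Cosmetically, `/usr/lib/nagios//plugins` carries a doubled slash.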
@@ -147,6 +147,40 @@ r16Zyn6mxYWEHn9HXMh3b+2IYKFFXHffbIBq/mfibDnZtQBrZpn2uyh6F2ZuOsZh 0LTD7RL53KV3fi90nS00Gs1kbMkPycL1JLqvYQDpllE2oZ1dKDYkwivGyDQhRNfE RL6JkjyiSxfZ2c84r2HPgnJTi/WBplloQkM+2NfXrBo6kLHSC6aBndRKk2UmUhrU luGcQUyfzYRFH5kVueIYfDaBPus9gb+sjnViFRpqVjefwlXSJEDHWP3Cl2cuo2mJ -jeDghj400U6pjSUW3bIC/PI= -=gZNT +jeDghj400U6pjSUW3bIC/PK5Ag0EXCxEEQEQAKVjsdljwPDGO+48879LDa1d7GEu +/Jm9HRK6INCQiSiS/0mHkeKa6t4DRgCY2ID9lFiegx2Er+sIgL0chs16XJrFO21u +kw+bkBdm2HYUKSsUFmr/bms8DkmAM699vRYVUAzO9eXG/g8lVrAzlb3RT7eGHYKd +15DT5KxXDQB+T+mWE9qD5RJwEyPjSU+4WjYF+Rr9gbSuAt5UySUb9jTR5HRNj9wt +b4YutfP9jbfqy8esQVG9R/hpWKb2laxvn8Qc2Xj93qNIkBt/SILfx9WDJl0wNUmu ++zUwpiC2wrLFTgNOpq7g9wRPtg5mi8MXExWwSF2DlD54yxOOAvdVACJFBXEcstQ3 +SWg8gxljG8eLMpDjwoIBax3DZwiYZjkjJPeydSulh8vKoFBCQkf2PcImXdOk2HqO +V1L7FROM6fKydeSLJbx17SNjVdQnq1OsyqSO0catAFNptMHBsN+tiCI29gpGegao +umV9cnND69aYvyPBgvdtmzPChjSmc6rzW1yXCJDm2qzwm/BcwJNXW5B3EUPxc0qS +Wste9fUna0G4l/WMuaIzVkuTgXf1/r9HeQbjtxAztxH0d0VgdHAWPDkUYmztcZ4s +d0PWkVa18qSrOvyhI96gCzdvMRLX17m1kPvP5PlPulvqizjDs8BScqeSzGgSbbQV +m5Tx4w2uF4/n3FBnABEBAAGJBEQEGAECAA8FAlwsRBECGwIFCQIKEgACKQkQFkaw +G4blAxDBXSAEGQECAAYFAlwsRBEACgkQI+cWZ4i2Ph6B0g//cPis3v2M6XvAbVoM +3GIMXnsVj1WAHuwA/ja7UfZJ9+kV/PiMLkAbW0fBj0/y0O3Ry12VVQGXhC+Vo4j6 +C8qwFP4OXa6EsxHXuvWMIztBaX1Kav613aXBtxp6tTrud0FFUh4sDc1RREb3tMr6 +y5cvFJgnrdWcX1gsl6ODcgWBGNc6ZX7H7j48hMR6KmNeZocW7p8W+BgDQJqXYwVN +L15qOHzVAh0dWsFLE9gwBTmDCY03x9arxSNDGCXyxt6E77LbNVIoSRlEbkvi6j33 +nEbuERICYl6CltXQCyiVKjheJcLMjbgv5+bLCv2zfeJ/WyOmOGKpHRu+lBV1Gvli +RxUblVlmjWPhYPBZXGyjII16Tqr+ilREcZFW+STccbrVct75JWLbxwlEmix+W1Hw +SRCR+KHx3Cur4ZPMOBlPsFilOOsNa7ROUB56t7zv21Ef3BeeaCd9c4kzNGN8d1ic +EqSXoWWPqgST0LZPtZyqWZVnWrHChVHfrioxhSnw8O3wY1A2GSahiCSvvjvOeEoJ +yU21ZMw6AVyHCh6v42oYadBfGgFwNo5OCMhNxNy/CcUrBSDqyLVTM5QlNsT75Ys7 +kHHnc+Jk+xx4JpiyNCz5LzcPhlwpqnJQcjJdY1hDhK75Ormj/NfCMeZ8g1aVPX4x +Eq8AMyZYhZ5/lmM+13Rdv8ZW6FK7HQ/+IAKzntxOjw0MzCXkksKdmIOZ2bLeOVI8 +aSLaUmoT5CLuoia9g7iFHlYrSY+01riRrAaPtYx0x8onfyVxL9dlW/Fv5+qc1fF5 
+FxdhyIgdqgzm82TnXHu/haUxYmUvNrbsmmNl5UTTOf+YQHMccKFdYfZ2rCBtbN2n +iXG1tuz2+k83pozu4mJ1rOOLNAsQoY3yR6OODte1FyOgp7blwDhTIoQb8/UiJ7CM +BI3OPrfoXFAnhYoxeRSAN4UFu9/HIkqfaQgRPCZS1gNerWF6r6yz9AZWUZqjSJss +jBqXCtK9bGbTYBZk+pw3H9Nd0RJ2WJ9qPqmlmUr1wdqct0ChsJx1xAT86QrssicJ +/HFFmF45hlnGkHUBWLaVJt8YkLb/DqOIbVbwyCLQtJ80VQLEeupfmu5QNsTpntRY +NKf8cr00uc8vSYXYFRxa5H5oRT1eoFEEjDDvokNnHXfT+Hya44IjYpzaqvAgeDp6 +sYlOdtWIv/V3s+trxACwTkRN7zw3lLTbT8PK9szK0fYZ5KHG1/AKH+mbZ6qNc/25 +PNbAFRtttLGuEIC3HJ12IAp2JdjioeD2OnWLu4ZeCT2CKKFsleZPrSyCrn3gyZPm +fYvv5h2JbQNO6uweOrZENWX5SU43OBoplbuKJZsMP6p6NahuGnIeJLlv509JYAf/ +HN4ARyvvOpM= +=SQ7t -----END PGP PUBLIC KEY BLOCK----- diff --git a/packweb-apache/tasks/main.yml b/packweb-apache/tasks/main.yml index 230fb41a..f5d0f35e 100644 --- a/packweb-apache/tasks/main.yml +++ b/packweb-apache/tasks/main.yml @@ -3,7 +3,7 @@ - fail: msg: only compatible with Debian >= 8 when: - - ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<') + - ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<') - name: install info.php copy: @@ -23,9 +23,9 @@ state: "{{ item.state }}" mode: "{{ item.mode }}" with_items: - - { path: log, mode: "0750", state: directory } - - { path: awstats, mode: "0750", state: directory } - - { path: www, mode: "0750", state: directory } + - { path: log, mode: "0750", state: directory } + - { path: awstats, mode: "0750", state: directory } + - { path: www, mode: "0750", state: directory } - name: Apache log file (templates) are present command: "touch /etc/skel/log/{{ item }}" diff --git a/php/tasks/main_stretch.yml b/php/tasks/main_stretch.yml index d97ba527..4191519b 100644 --- a/php/tasks/main_stretch.yml +++ b/php/tasks/main_stretch.yml @@ -28,6 +28,7 @@ - php-gettext - php-curl - php-ssh2 + - php-zip - composer - libphp-phpmailer diff --git a/rbenv/tasks/main.yml b/rbenv/tasks/main.yml index 693ff0f6..f2d5844a 100644 --- a/rbenv/tasks/main.yml 
+++ b/rbenv/tasks/main.yml @@ -14,6 +14,7 @@ - libxml2-dev - libxslt1-dev - zlib1g-dev + - pkg-config tags: - rbenv - packages @@ -78,10 +79,10 @@ - name: "Rbenv is initialized in profile for {{ username }}" blockinfile: dest: '~{{ username }}/.profile' + marker: "# {mark} ANSIBLE MANAGED RBENV INIT" block: | export PATH="{{ rbenv_root }}/bin:$PATH" eval "$(rbenv init -)" - marker: "# {mark} ANSIBLE MANAGED RBENV INIT" become_user: "{{ username }}" become: yes tags: diff --git a/redis/defaults/main.yml b/redis/defaults/main.yml index 363fb0de..a64fb832 100644 --- a/redis/defaults/main.yml +++ b/redis/defaults/main.yml @@ -8,7 +8,10 @@ redis_unixsocket: '/var/run/redis/redis.sock' redis_pidfile: "/var/run/redis/{{ redis_daemon }}.pid" redis_timeout: 300 +# for client authorization redis_password: NULL +# for slave authorization on master +redis_password_master: "{{ redis_password }}" redis_loglevel: "notice" redis_logfile: /var/log/redis/redis-server.log @@ -37,3 +40,8 @@ redis_protected_mode: "yes" # Add extra include files for local configuration/overrides. redis_includes: [] + +redis_restart_if_needed: True +redis_restart_force: False + +redis_disabled_commands: [] diff --git a/redis/handlers/main.yml b/redis/handlers/main.yml index ed452e65..c7f66ffb 100644 --- a/redis/handlers/main.yml +++ b/redis/handlers/main.yml @@ -4,6 +4,11 @@ name: "{{ redis_daemon }}" state: restarted +- name: restart redis (noop) + meta: noop + failed_when: False + changed_when: False + - name: restart munin-node service: name: munin-node diff --git a/redis/tasks/instances.yml b/redis/tasks/instances.yml index 02fe4892..f3cd8f4c 100644 --- a/redis/tasks/instances.yml +++ b/redis/tasks/instances.yml 
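Review bot: `redis_restart_if_needed: True` and `redis_restart_force: False` use capitalised YAML 1.1 booleans where the rest of the file writes quoted strings or lowercase values (`redis_protected_mode: "yes"` is deliberately a string); write `true`/`false` so generic YAML tooling and Ansible agree. The comment `# for slave authorization on master` describes `masterauth` backwards: it is the password this instance sends when it replicates from its master, so `# password sent to the master when replicating (masterauth); defaults to redis_password` is accurate. `redis_disabled_commands: []` deserves one line saying each entry is renamed to an empty string in redis.conf, since the CHANGELOG calls the variable "renamed/disabled commands" but only disabling is implemented.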
@@ -52,6 +52,17 @@ tags: - redis +- name: Ensure redis base folders will be accessible for all instances + file: + dest: "{{ item }}" + state: directory + mode: "0755" + owner: "redis" + group: "redis" + with_items: + - "/var/lib/redis" + - "/var/log/redis" + - name: Instances directories are present file: dest: "{{ item }}" @@ -60,9 +71,7 @@ owner: "redis-{{ redis_instance_name }}" group: "redis-{{ redis_instance_name }}" with_items: - - "/var/lib/redis" - "{{ redis_dbdir }}" - - "/var/log/redis" - "{{ redis_logfile | dirname }}" tags: - redis diff --git a/redis/tasks/main.yml b/redis/tasks/main.yml index c2d57d62..c749b4f2 100644 --- a/redis/tasks/main.yml +++ b/redis/tasks/main.yml @@ -1,4 +1,8 @@ --- + +- set_fact: + redis_restart_handler_name: "{{ redis_restart_if_needed | ternary('restart redis', 'restart redis (noop)') }}" + - name: Redis is installed. apt: name: "{{ item }}" @@ -32,7 +36,7 @@ src: redis.conf.j2 dest: "{{ redis_conf_path }}" mode: "0644" - notify: restart redis + notify: "{{ redis_restart_handler_name }}" when: redis_instance_name is not defined tags: - redis @@ -55,7 +59,19 @@ - munin - include: munin.yml - when: _munin_installed.stat.exists and _munin_installed.stat.isdir + when: + - _munin_installed.stat.exists + - _munin_installed.stat.isdir + - redis_instance_name is not defined + tags: + - redis + - munin + +- include: munin-instances.yml + when: + - _munin_installed.stat.exists + - _munin_installed.stat.isdir + - redis_instance_name is defined tags: - redis - munin @@ -74,3 +90,8 @@ tags: - redis - nrpe + +- name: Force restart redis + command: /bin/true + notify: restart redis + when: redis_restart_force diff --git a/redis/tasks/munin-instances.yml b/redis/tasks/munin-instances.yml new file mode 100644 index 00000000..c8d7cefe --- /dev/null +++ b/redis/tasks/munin-instances.yml 
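Review bot: The new "Ensure redis base folders will be accessible for all instances" task has no `tags`, unlike "Instances directories are present" right after it and the other tasks in this file, so a `--tags redis` run skips it and the base directories are then whatever the `file` module creates implicitly as parents; add `tags:` with `- redis` as on its siblings. Mode `0755` on `/var/lib/redis` and `/var/log/redis` lets every local user list the instance directory names; that is acceptable only if the per-instance directories created by the next task keep a restrictive mode, which is set outside this hunk.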
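Review bot: The new `set_fact` for `redis_restart_handler_name` carries no tags, while the template task that now uses it in `notify: "{{ redis_restart_handler_name }}"` is tagged `redis`, so `ansible-playbook --tags redis` skips the fact and the template task fails on an undefined variable; tag the `set_fact` with `tags:` / `- redis` (the fail2ban hunks of this commit have the same tag/fact mismatch). The "Force restart redis" task at the end of the file is likewise untagged and notifies `restart redis` directly, which is clearly the intent, but a comment such as `# bypasses redis_restart_if_needed on purpose` would make that explicit for the next reader.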
@@ -0,0 +1,61 @@ +--- +- name: Install munin check dependencies + apt: + name: libswitch-perl + state: present + tags: + - redis + +- include_role: + name: remount-usr + tags: + - redis + +- name: Create plugin directory + file: + name: /usr/local/share/munin/ + state: directory + mode: "0755" + tags: + - redis + +- name: Create plugin directory + file: + name: /usr/local/share/munin/plugins/ + state: directory + mode: "0755" + tags: + - redis + +- name: Copy redis munin plugin + copy: + src: munin_redis + dest: /usr/local/share/munin/plugins/redis_ + mode: "0755" + notify: restart munin-node + tags: + - redis + +- name: Enable redis munin plugin + file: + src: /usr/local/share/munin/plugins/redis_ + dest: "/etc/munin/plugins/{{ redis_instance_name }}_redis_{{item}}" + state: link + with_items: + - connected_clients + - key_ratio + - keys_per_sec + - per_sec + - used_keys + - used_memory + notify: restart munin-node + tags: + - redis + +- name: Configure redis plugin for munin + template: + src: templates/munin-plugin-instances.conf.j2 + dest: '/etc/munin/plugin-conf.d/evolinux.redis_{{ redis_instance_name }}' + mode: 0740 + notify: restart munin-node + tags: redis diff --git a/redis/tasks/nrpe_stretch.yml b/redis/tasks/nrpe_stretch.yml index c78e5a28..5b547071 100644 --- a/redis/tasks/nrpe_stretch.yml +++ b/redis/tasks/nrpe_stretch.yml @@ -12,6 +12,18 @@ dest: /etc/nagios/nrpe.d/evolix.cfg regexp: '^command\[check_redis\]=.+' replace: 'command[check_redis]=/usr/lib/nagios/plugins/check_redis -H 127.0.0.1' + when: redis_instance_name is undefined + notify: restart nagios-nrpe-server + tags: + - redis + - nrpe + +- name: Replace check_tcp or check_redis by check_redis_instances for NRPE + replace: + dest: /etc/nagios/nrpe.d/evolix.cfg + regexp: '^command\[check_redis\]=.+' + replace: 'command[check_redis]=/usr/local/lib/nagios/plugins/check_redis_instances' + when: redis_instance_name is defined notify: restart nagios-nrpe-server tags: - redis 
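Review bot: Two consecutive tasks are both named "Create plugin directory", which makes play output and `--start-at-task` ambiguous; rename the second to `Create plugin directory for plugins` or collapse both into one task with `with_items`. `mode: 0740` on the last task is an unquoted octal where every other mode in this file is `"0755"`; a YAML 1.1 parser reads `0740` as the integer 480, which Ansible happens to interpret correctly, but `"0740"` is the safe and consistent form, and `tags: redis` there should be the list form used above. The rendered conf carries the instance password (see the template added in this commit) and the task sets no `owner`/`group`, so the file ends up owned by whichever user Ansible writes it as; a comment like `# contains env.password: must stay unreadable to other users` next to the mode records why it is not 0644.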
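Review bot: The instance-mode task points NRPE at `/usr/local/lib/nagios/plugins/check_redis_instances`, but nothing in this commit installs that script and the role's other task files are not visible here; if another task copies it, a comment naming that task (and ordering that guarantees it runs first) would help, otherwise the Nagios check silently turns into a missing-plugin error. The first task's header is above the hunk.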
diff --git a/redis/templates/munin-plugin-instances.conf.j2 b/redis/templates/munin-plugin-instances.conf.j2 new file mode 100644 index 00000000..7e6a00ac --- /dev/null +++ b/redis/templates/munin-plugin-instances.conf.j2 @@ -0,0 +1,8 @@ +# Ansible managed + +[{{ redis_instance_name }}_redis_*] +env.title_prefix Instance {{ redis_instance_name }} +env.port {{ redis_port }} +{% if redis_password %} +env.password {{ redis_password }} +{% endif %} diff --git a/redis/templates/redis.conf.j2 b/redis/templates/redis.conf.j2 index 21873942..4dcdba86 100644 --- a/redis/templates/redis.conf.j2 +++ b/redis/templates/redis.conf.j2 @@ -9,7 +9,9 @@ unixsocket {{ redis_unixsocket }} {% if redis_password %} requirepass {{ redis_password }} -masterauth {{ redis_password }} +{% endif %} +{% if redis_password_master %} +masterauth {{ redis_password_master }} {% endif %} timeout {{ redis_timeout }} @@ -49,6 +51,10 @@ appendonly {{ redis_appendonly }} appendfsync {{ redis_appendfsync }} no-appendfsync-on-rewrite no +{% for disabled_command in redis_disabled_commands %} +rename-command {{ disabled_command }} "" +{% endfor %} + {% for include in redis_includes %} include {{ include }} {% endfor %} diff --git a/squid/files/evolinux-whitelist-defaults.conf b/squid/files/evolinux-whitelist-defaults.conf index 2bbebf5b..ac0d9f6c 100644 --- a/squid/files/evolinux-whitelist-defaults.conf +++ b/squid/files/evolinux-whitelist-defaults.conf @@ -105,6 +105,7 @@ ^www\.phpbb\.com$ ^www\.typolight\.org$ ^www\.spip\.net$ +^packagist\.org$ ### Feeds / API / WS Tools / ... diff --git a/webapps/evoadmin-mail/defaults/main.yml b/webapps/evoadmin-mail/defaults/main.yml index b0652522..48aed0b8 100644 --- a/webapps/evoadmin-mail/defaults/main.yml +++ b/webapps/evoadmin-mail/defaults/main.yml 
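Review bot: `env.password {{ redis_password }}` writes the instance password in clear text into `/etc/munin/plugin-conf.d/`, so the permissions set by the rendering task (`mode: 0740`, no explicit owner/group in munin-instances.yml) are the only protection; the munin-node user must be able to read it and nobody else should. Say so in the header instead of the bare `# Ansible managed`, e.g. `# Ansible managed by the redis role; contains the redis password, keep permissions restrictive`, so that someone finding the file on a host does not loosen it.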
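Review bot: `rename-command {{ disabled_command }} ""` disables the command for this instance only, and Redis' own redis.conf warns that renaming commands that are replicated or written to the AOF can break replicas and AOF replay, so the list should be applied identically on a master and its replicas. A comment above the loop, `{# commands renamed to "" are disabled; keep the list identical on master and replicas (AOF/replication) #}`, would record that constraint. The names are rendered unquoted, so an entry containing whitespace produces a broken directive; an `assert` on the list in the tasks is the natural place to validate it.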
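Review bot: `^packagist\.org$` is anchored to the bare host, so Composer's repository host `repo.packagist.org` is not matched by this entry; if the intent is to let Composer work through the proxy, a second entry `^repo\.packagist\.org$` is needed (verify against the proxy logs which hosts are actually contacted). Keeping patterns anchored rather than using a bare `packagist\.org$` suffix is the right choice for an egress whitelist.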
@@ -3,22 +3,7 @@ general_alert_email: "root@localhost" evoadminmail_contact_email: Null evoadminmail_bounce_email: "{{ evoadminmail_contact_email }}" -evoadminmail_username: evoadmin-mail -evoadminmail_home_dir: "/home/{{ evoadminmail_username }}" -evoadminmail_document_root: "{{ evoadminmail_home_dir }}/www" -evoadminmail_log_dir: "{{ evoadminmail_home_dir }}/log" -evoadminmail_scripts_dir: /usr/share/scripts/ evoadminmail_host: "evoadminmail.{{ ansible_fqdn }}" evoadminmail_enable_vhost: True evoadminmail_webserver: apache - -evoadminmail_tpl_servername: "{{ ansible_fqdn }}" -evoadminmail_tpl_address: "{{ ansible_default_ipv4.address }}" -evoadminmail_tpl_phpmyadmin_url: Null -evoadminmail_tpl_cgi_suffix: Null -evoadminmail_tpl_signature: evoadmin -evoadminmail_tpl_mail_from: root@localhost -evoadminmail_tpl_mail_bcc: Null -evoadminmail_tpl_mail_standard: "{{ general_alert_email }}" -evoadminmail_tpl_mail_urgent: "{{ general_alert_email }}" diff --git a/webapps/evoadmin-mail/files/pool.evoadmin-mail.conf b/webapps/evoadmin-mail/files/pool.evoadmin-mail.conf index 096e199f..9ae03206 100644 --- a/webapps/evoadmin-mail/files/pool.evoadmin-mail.conf +++ b/webapps/evoadmin-mail/files/pool.evoadmin-mail.conf @@ -1,6 +1,6 @@ [evoadmin-mail] -user = www-evoadmin-mail +user = evoadmin-mail group = evoadmin-mail listen = /run/php/php7.0-evoadmin-mail-fpm.sock @@ -12,3 +12,4 @@ listen.group = www-data pm = ondemand pm.max_children = 25 +env[EVOADMINMAIL_CONFIG_FILE] = /etc/evoadmin-mail/config.ini diff --git a/webapps/evoadmin-mail/handlers/main.yml b/webapps/evoadmin-mail/handlers/main.yml index 236d93bf..beb030e2 100644 --- a/webapps/evoadmin-mail/handlers/main.yml +++ b/webapps/evoadmin-mail/handlers/main.yml @@ -11,5 +11,5 @@ - name: reload php-fpm service: - name: php7.0-fpm - state: reload + name: php7.0-fpm + state: reloaded diff --git a/webapps/evoadmin-mail/tasks/apache.yml b/webapps/evoadmin-mail/tasks/apache.yml index b9c33383..e83fc09d 100644 
--- a/webapps/evoadmin-mail/tasks/apache.yml +++ b/webapps/evoadmin-mail/tasks/apache.yml @@ -1,30 +1,27 @@ --- - -- name: "Set custom values for PHP config (Debian 9 or later)" - ini_file: - dest: /etc/php/7.0/apache2/conf.d/zzz-evolinux-custom.ini - section: PHP - option: "disable_functions" - value: "shell-exec,system,passthru,putenv,popen,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority" - notify: reload apache2 - when: ansible_distribution_major_version | version_compare('9', '>=') - - name: Install evoadminmail VHost template: src: apache_evoadminmail.conf.j2 dest: /etc/apache2/sites-available/evoadminmail.conf notify: reload apache2 + tags: + - evoadmin-mail - name: Enable evoadminmail vhost - command: "a2ensite evoadminmail.conf" - register: cmd_a2ensite - changed_when: "'Enabling site' in cmd_a2ensite.stdout" + file: + src: "/etc/apache2/sites-available/evoadminmail.conf" + dest: "/etc/apache2/sites-enabled/evoadminmail.conf" + state: link notify: reload apache2 when: evoadminmail_enable_vhost + tags: + - evoadmin-mail - name: Disable evoadminmail vhost - command: "a2dissite evoadminmail.conf" - register: cmd_a2dissite - changed_when: "'Disabling site' in cmd_a2dissite.stdout" + file: + dest: "/etc/apache2/sites-enabled/evoadminmail.conf" + state: absent notify: reload apache2 when: not evoadminmail_enable_vhost + tags: + - evoadmin-mail diff --git a/webapps/evoadmin-mail/tasks/config.yml b/webapps/evoadmin-mail/tasks/config.yml deleted file mode 100644 index 00e342f3..00000000 --- a/webapps/evoadmin-mail/tasks/config.yml +++ /dev/null 
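Review bot: The removed task was the only place visible in this role where PHP `disable_functions` (shell-exec, system, passthru, pcntl_* …) was set for the apache2 SAPI, and nothing added in this commit replaces it; if the `evoadmin-mail` Debian package now ships that hardening, a comment saying so (`# php disable_functions is shipped by the evoadmin-mail package`) belongs here, otherwise the restriction is silently lost on new installs. Replacing `a2ensite`/`a2dissite` with symlink management is fine, but `file` with `state: link` will not replace a regular file already sitting at `sites-enabled/evoadminmail.conf`; `force: yes` handles that case.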
@@ -1,17 +0,0 @@ ---- - -- name: "Create /etc/evolinux" - file: - dest: "/etc/evolinux" - recurse: yes - state: directory - -#- name: Configure web-add config file -# template: -# src: web-add.conf.j2 -# dest: /etc/evolinux/web-add.conf -# -#- name: Configure web-add template file for mail -# template: -# src: web-mail.tpl.j2 -# dest: "{{ evoadminmail_scripts_dir }}/web-mail.tpl" diff --git a/webapps/evoadmin-mail/tasks/main.yml b/webapps/evoadmin-mail/tasks/main.yml index 7d54c322..e5af6a7f 100644 --- a/webapps/evoadmin-mail/tasks/main.yml +++ b/webapps/evoadmin-mail/tasks/main.yml @@ -1,10 +1,19 @@ --- +- name: Install evoadmin-mail package + apt: + name: evoadmin-mail + state: present + tags: + - evoadmin-mail -- include: packages.yml - -- include: user.yml - -- include: config.yml +- name: Configure contact mail + ini_file: + dest: /etc/evoadmin-mail/config.ini + section: global + option: mail + value: "\"{{ evoadminmail_contact_email or general_alert_email | mandatory }}\"" + tags: + - evoadmin-mail - include: ssl.yml @@ -21,3 +30,5 @@ regexp: "EvoAdmin-mail" line: '
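Review bot: The `ini_file` task writes `/etc/evoadmin-mail/config.ini` without `owner`/`group`/`mode`; the php-fpm pool changed in this commit runs as user `evoadmin-mail` and reads that file via `EVOADMINMAIL_CONFIG_FILE`, so if the package does not pre-create it with suitable ownership the task either creates it with the default umask (typically 0644, readable by every local user) or the pool cannot read it. Setting `owner: root`, `group: evoadmin-mail`, `mode: "0640"` makes the expectation explicit. `- include: ssl.yml` carries no `tags:` / `- evoadmin-mail` while the two new tasks do, so a `--tags evoadmin-mail` run skips it.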