From c9ba37614c61470a1d3378299ef08900edeceadd Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Wed, 5 Dec 2018 16:25:48 +0100 Subject: [PATCH 01/29] nginx: Munin url config is now a template to insert the server-status prefix --- CHANGELOG.md | 1 + nginx/files/munin/evolinux.nginx | 2 -- nginx/tasks/munin_graphs.yml | 2 +- nginx/templates/munin/evolinux.nginx | 2 ++ 4 files changed, 4 insertions(+), 3 deletions(-) delete mode 100644 nginx/files/munin/evolinux.nginx create mode 100644 nginx/templates/munin/evolinux.nginx diff --git a/CHANGELOG.md b/CHANGELOG.md index e47f3ba1..3a62d280 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,7 @@ The **patch** part changes incrementally at each release. ### Changed ### Fixed +* nginx: Munin url config is now a template to insert the server-status prefix ### Security diff --git a/nginx/files/munin/evolinux.nginx b/nginx/files/munin/evolinux.nginx deleted file mode 100644 index c505f929..00000000 --- a/nginx/files/munin/evolinux.nginx +++ /dev/null @@ -1,2 +0,0 @@ -[nginx_*] -env.url http://munin/nginx_status diff --git a/nginx/tasks/munin_graphs.yml b/nginx/tasks/munin_graphs.yml index feabbcad..470f8fd6 100644 --- a/nginx/tasks/munin_graphs.yml +++ b/nginx/tasks/munin_graphs.yml @@ -1,7 +1,7 @@ --- - name: Copy Munin config for Nginx - copy: + template: src: munin/evolinux.nginx dest: /etc/munin/plugin-conf.d/ mode: "0644" diff --git a/nginx/templates/munin/evolinux.nginx b/nginx/templates/munin/evolinux.nginx new file mode 100644 index 00000000..f58c0078 --- /dev/null +++ b/nginx/templates/munin/evolinux.nginx @@ -0,0 +1,2 @@ +[nginx_*] +env.url http://munin/nginx_status-{{ nginx_serverstatus_suffix }} From f2f595af139e7c304e5e8ca3372f8c4c84343f24 Mon Sep 17 00:00:00 2001 
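Review bot: The new template appends `nginx_serverstatus_suffix` to the status URL, while the subject line and the CHANGELOG entry say the server-status *prefix* is inserted; one of the two should be renamed so the variable name and the changelog agree. The template also hard-fails with an undefined-variable error if `nginx_serverstatus_suffix` is not set — presumably it is declared in the role's defaults, which are not part of this patch and are worth confirming, since the `copy` task it replaces had no such dependency.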
From: Ludovic Poujol Date: Wed, 5 Dec 2018 16:37:52 +0100 Subject: [PATCH 02/29] redis: In instance mode, ensure to replace the nrpe check_redis with the instance check script --- CHANGELOG.md | 1 + redis/tasks/nrpe_stretch.yml | 12 ++++++++++++ 2 files changed, 13 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3a62d280..d34ca1ee 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,7 @@ The **patch** part changes incrementally at each release. ### Fixed * nginx: Munin url config is now a template to insert the server-status prefix +* redis: In instance mode, ensure to replace the nrpe check_redis with the instance check script ### Security diff --git a/redis/tasks/nrpe_stretch.yml b/redis/tasks/nrpe_stretch.yml index c78e5a28..5b547071 100644 --- a/redis/tasks/nrpe_stretch.yml +++ b/redis/tasks/nrpe_stretch.yml @@ -12,6 +12,18 @@ dest: /etc/nagios/nrpe.d/evolix.cfg regexp: '^command\[check_redis\]=.+' replace: 'command[check_redis]=/usr/lib/nagios/plugins/check_redis -H 127.0.0.1' + when: redis_instance_name is undefined + notify: restart nagios-nrpe-server + tags: + - redis + - nrpe + +- name: Replace check_tcp or check_redis by check_redis_instances for NRPE + replace: + dest: /etc/nagios/nrpe.d/evolix.cfg + regexp: '^command\[check_redis\]=.+' + replace: 'command[check_redis]=/usr/local/lib/nagios/plugins/check_redis_instances' + when: redis_instance_name is defined notify: restart nagios-nrpe-server tags: - redis From 2a6cb3b381be3189e16f7e583b5ec169935099dc Mon Sep 17 00:00:00 2001 
From: Victor LABORIE Date: Wed, 5 Dec 2018 14:59:19 +0100 Subject: [PATCH 03/29] evoadmin-mail: complete refactoring, use Debian Package --- CHANGELOG.md | 1 + webapps/evoadmin-mail/defaults/main.yml | 15 --- .../files/pool.evoadmin-mail.conf | 3 +- webapps/evoadmin-mail/handlers/main.yml | 4 +- webapps/evoadmin-mail/tasks/apache.yml | 29 ++--- webapps/evoadmin-mail/tasks/config.yml | 17 --- webapps/evoadmin-mail/tasks/main.yml | 21 ++- webapps/evoadmin-mail/tasks/nginx.yml | 22 ++-- webapps/evoadmin-mail/tasks/packages.yml | 15 --- webapps/evoadmin-mail/tasks/ssl.yml | 12 +- webapps/evoadmin-mail/tasks/user.yml | 121 ------------------ .../templates/apache_evoadminmail.conf.j2 | 13 +- webapps/evoadmin-mail/templates/conf.php.j2 | 56 -------- .../evoadmin-mail/templates/connect.php.j2 | 28 ---- .../evoadmin-mail/templates/evoadmin.ldif.j2 | 12 -- .../templates/nginx_evoadminmail.conf.j2 | 4 +- webapps/evoadmin-mail/templates/sudoers.j2 | 3 - .../evoadmin-mail/templates/web-add.conf.j2 | 2 - .../evoadmin-mail/templates/web-mail.tpl.j2 | 86 ------------- 19 files changed, 62 insertions(+), 402 deletions(-) delete mode 100644 webapps/evoadmin-mail/tasks/config.yml delete mode 100644 webapps/evoadmin-mail/tasks/packages.yml delete mode 100644 webapps/evoadmin-mail/tasks/user.yml delete mode 100644 webapps/evoadmin-mail/templates/conf.php.j2 delete mode 100644 webapps/evoadmin-mail/templates/connect.php.j2 delete mode 100644 webapps/evoadmin-mail/templates/evoadmin.ldif.j2 delete mode 100644 webapps/evoadmin-mail/templates/sudoers.j2 delete mode 100644 webapps/evoadmin-mail/templates/web-add.conf.j2 delete mode 100644 webapps/evoadmin-mail/templates/web-mail.tpl.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index d34ca1ee..2e409c6b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -31,6 +31,7 @@ The **patch** part changes incrementally at each release. ### Changed * minifirewall: compare config before/after (for restart condition) * squid: better replacement in minifirewall config +* evoadmin-mail: complete refactoring, use Debian Package ## [9.5.0] - 2018-11-14 diff --git a/webapps/evoadmin-mail/defaults/main.yml b/webapps/evoadmin-mail/defaults/main.yml index b0652522..48aed0b8 100644 --- a/webapps/evoadmin-mail/defaults/main.yml +++ b/webapps/evoadmin-mail/defaults/main.yml @@ -3,22 +3,7 @@ general_alert_email: "root@localhost" evoadminmail_contact_email: Null evoadminmail_bounce_email: "{{ evoadminmail_contact_email }}" -evoadminmail_username: evoadmin-mail -evoadminmail_home_dir: "/home/{{ evoadminmail_username }}" -evoadminmail_document_root: "{{ evoadminmail_home_dir }}/www" -evoadminmail_log_dir: "{{ evoadminmail_home_dir }}/log" -evoadminmail_scripts_dir: /usr/share/scripts/ evoadminmail_host: "evoadminmail.{{ ansible_fqdn }}" evoadminmail_enable_vhost: True evoadminmail_webserver: apache - -evoadminmail_tpl_servername: "{{ ansible_fqdn }}" -evoadminmail_tpl_address: "{{ ansible_default_ipv4.address }}" -evoadminmail_tpl_phpmyadmin_url: Null -evoadminmail_tpl_cgi_suffix: Null -evoadminmail_tpl_signature: evoadmin -evoadminmail_tpl_mail_from: root@localhost -evoadminmail_tpl_mail_bcc: Null -evoadminmail_tpl_mail_standard: "{{ general_alert_email }}" -evoadminmail_tpl_mail_urgent: "{{ general_alert_email }}" diff --git a/webapps/evoadmin-mail/files/pool.evoadmin-mail.conf b/webapps/evoadmin-mail/files/pool.evoadmin-mail.conf index 096e199f..9ae03206 100644 --- a/webapps/evoadmin-mail/files/pool.evoadmin-mail.conf +++ b/webapps/evoadmin-mail/files/pool.evoadmin-mail.conf @@ -1,6 +1,6 @@ [evoadmin-mail] -user = www-evoadmin-mail +user = evoadmin-mail group = evoadmin-mail listen = /run/php/php7.0-evoadmin-mail-fpm.sock 
@@ -12,3 +12,4 @@ listen.group = www-data pm = ondemand pm.max_children = 25 +env[EVOADMINMAIL_CONFIG_FILE] = /etc/evoadmin-mail/config.ini diff --git a/webapps/evoadmin-mail/handlers/main.yml b/webapps/evoadmin-mail/handlers/main.yml index 236d93bf..beb030e2 100644 --- a/webapps/evoadmin-mail/handlers/main.yml +++ b/webapps/evoadmin-mail/handlers/main.yml @@ -11,5 +11,5 @@ - name: reload php-fpm service: - name: php7.0-fpm - state: reload + name: php7.0-fpm + state: reloaded diff --git a/webapps/evoadmin-mail/tasks/apache.yml b/webapps/evoadmin-mail/tasks/apache.yml index b9c33383..e83fc09d 100644 --- a/webapps/evoadmin-mail/tasks/apache.yml +++ b/webapps/evoadmin-mail/tasks/apache.yml 
@@ -1,30 +1,27 @@ --- - -- name: "Set custom values for PHP config (Debian 9 or later)" - ini_file: - dest: /etc/php/7.0/apache2/conf.d/zzz-evolinux-custom.ini - section: PHP - option: "disable_functions" - value: "shell-exec,system,passthru,putenv,popen,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority" - notify: reload apache2 - when: ansible_distribution_major_version | version_compare('9', '>=') - - name: Install evoadminmail VHost template: src: apache_evoadminmail.conf.j2 dest: /etc/apache2/sites-available/evoadminmail.conf notify: reload apache2 + tags: + - evoadmin-mail - name: Enable evoadminmail vhost - command: "a2ensite evoadminmail.conf" - register: cmd_a2ensite - changed_when: "'Enabling site' in cmd_a2ensite.stdout" + file: + src: "/etc/apache2/sites-available/evoadminmail.conf" + dest: "/etc/apache2/sites-enabled/evoadminmail.conf" + state: link notify: reload apache2 when: evoadminmail_enable_vhost + tags: + - evoadmin-mail - name: Disable evoadminmail vhost - command: "a2dissite evoadminmail.conf" - register: cmd_a2dissite - changed_when: "'Disabling site' in cmd_a2dissite.stdout" + file: + dest: "/etc/apache2/sites-enabled/evoadminmail.conf" + state: absent notify: reload apache2 when: not evoadminmail_enable_vhost + tags: + - evoadmin-mail diff --git a/webapps/evoadmin-mail/tasks/config.yml b/webapps/evoadmin-mail/tasks/config.yml deleted file mode 100644 index 00e342f3..00000000 --- a/webapps/evoadmin-mail/tasks/config.yml +++ /dev/null 
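Review bot: The rewritten apache.yml no longer sets `disable_functions` in /etc/php/7.0/apache2/conf.d/zzz-evolinux-custom.ini, and nothing on the new side of this patch series takes over that setting; nginx.yml drops the same task for the fpm SAPI. If the evoadmin-mail Debian package now ships this hardening, the commit message should say so, because otherwise hosts provisioned with the refactored role simply lose the shell-exec/system/passthru/pcntl_* lockdown that the previous version applied. A comment at the top of the file, e.g. `# NOTE: the PHP disable_functions hardening formerly set here was removed — confirm it is applied elsewhere (package?)`, or keeping the ini_file task, would make the decision explicit.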
@@ -1,17 +0,0 @@ ---- - -- name: "Create /etc/evolinux" - file: - dest: "/etc/evolinux" - recurse: yes - state: directory - -#- name: Configure web-add config file -# template: -# src: web-add.conf.j2 -# dest: /etc/evolinux/web-add.conf -# -#- name: Configure web-add template file for mail -# template: -# src: web-mail.tpl.j2 -# dest: "{{ evoadminmail_scripts_dir }}/web-mail.tpl" diff --git a/webapps/evoadmin-mail/tasks/main.yml b/webapps/evoadmin-mail/tasks/main.yml index 7d54c322..e5af6a7f 100644 --- a/webapps/evoadmin-mail/tasks/main.yml +++ b/webapps/evoadmin-mail/tasks/main.yml @@ -1,10 +1,19 @@ --- +- name: Install evoadmin-mail package + apt: + name: evoadmin-mail + state: present + tags: + - evoadmin-mail -- include: packages.yml - -- include: user.yml - -- include: config.yml +- name: Configure contact mail + ini_file: + dest: /etc/evoadmin-mail/config.ini + section: global + option: mail + value: "\"{{ evoadminmail_contact_email or general_alert_email | mandatory }}\"" + tags: + - evoadmin-mail - include: ssl.yml @@ -21,3 +30,5 @@ regexp: "EvoAdmin-mail" line: '
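Review bot: The `Configure contact mail` task creates or edits /etc/evoadmin-mail/config.ini with ini_file but sets no owner, group or mode; when the file does not already exist, ini_file creates it with the default umask, typically world-readable, and both the FPM pool (`env[EVOADMINMAIL_CONFIG_FILE]`) and the Apache vhost (`SetEnv EVOADMINMAIL_CONFIG_FILE`) point the application at this file, which presumably is where its credentials live. Adding `owner: root`, `group: evoadmin-mail` and `mode: "0640"` to the task pins that down regardless of whether the package ships the file. Separately, the deleted packages.yml used to include the `apt` role's `evolix_public.yml` before installing anything, and the new `Install evoadmin-mail package` task has no such include; if the package is only available from the Evolix public repository, the apt task fails on any host where another role has not already configured it. The second hunk of this file is on the following lines and is not covered by this note.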
  • Interface admin mail (EvoAdmin-mail)
  • ' insertbefore: "" + tags: + - evoadmin-mail diff --git a/webapps/evoadmin-mail/tasks/nginx.yml b/webapps/evoadmin-mail/tasks/nginx.yml index b942c024..5ede64e7 100644 --- a/webapps/evoadmin-mail/tasks/nginx.yml +++ b/webapps/evoadmin-mail/tasks/nginx.yml @@ -1,25 +1,19 @@ --- - -- name: "Set custom values for PHP config (Debian 9 or later)" - ini_file: - dest: /etc/php/7.0/fpm/conf.d/zzz-evolinux-custom.ini - section: PHP - option: "disable_functions" - value: "shell-exec,system,passthru,putenv,popen,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority" - notify: reload nginx - when: ansible_distribution_major_version | version_compare('9', '>=') - - name: Copy php-fpm evoadmin-mail pool copy: src: pool.evoadmin-mail.conf dest: /etc/php/7.0/fpm/pool.d/evoadmin-mail.conf notify: reload php-fpm + tags: + - evoadmin-mail - name: Install evoadminmail VHost template: src: nginx_evoadminmail.conf.j2 dest: /etc/nginx/sites-available/evoadminmail.conf notify: reload nginx + tags: + - evoadmin-mail - name: Active evoadminmail VHost file: @@ -28,8 +22,14 @@ state: link notify: reload nginx when: evoadminmail_enable_vhost + tags: + - evoadmin-mail - name: Disable evoadminmail vhost - command: "unlink /etc/nginx/sites-enabled/evoadminmail.conf" + file: + dest: "/etc/nginx/sites-enabled/evoadminmail.conf" + state: absent notify: reload nginx when: not evoadminmail_enable_vhost + tags: + - evoadmin-mail diff --git a/webapps/evoadmin-mail/tasks/packages.yml b/webapps/evoadmin-mail/tasks/packages.yml deleted file mode 100644 index b92aa5a0..00000000 --- a/webapps/evoadmin-mail/tasks/packages.yml +++ /dev/null 
@@ -1,15 +0,0 @@ ---- - -- include_role: - name: apt - tasks_from: evolix_public.yml - -- name: Install PHP packages - apt: - name: '{{ item }}' - state: present - with_items: - - php-pear - - php-log - - php-crypt-chap - - php-twig diff --git a/webapps/evoadmin-mail/tasks/ssl.yml b/webapps/evoadmin-mail/tasks/ssl.yml index 3dd91590..b6f47127 100644 --- a/webapps/evoadmin-mail/tasks/ssl.yml +++ b/webapps/evoadmin-mail/tasks/ssl.yml @@ -1,24 +1,30 @@ --- - - - name: ssl-cert package is installed apt: name: ssl-cert state: present + tags: + - evoadmin-mail - name: Create private key and csr for default site ({{ ansible_fqdn }}) command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ evoadminmail_host }}.key -out /etc/ssl/{{ evoadminmail_host }}.csr -batch -subj "/CN={{ evoadminmail_host }}" args: creates: "/etc/ssl/private/{{ evoadminmail_host }}.key" + tags: + - evoadmin-mail - name: Adjust rights on private key file: - path: /etc/ssl/private/{{ evoadminmail_host }}.key + dest: /etc/ssl/private/{{ evoadminmail_host }}.key owner: root group: ssl-cert mode: "0640" + tags: + - evoadmin-mail - name: Create certificate for default site command: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ evoadminmail_host }}.csr -signkey /etc/ssl/private/{{ evoadminmail_host }}.key -out /etc/ssl/certs/{{ evoadminmail_host }}.crt args: creates: "/etc/ssl/certs/{{ evoadminmail_host }}.crt" + tags: + - evoadmin-mail diff --git a/webapps/evoadmin-mail/tasks/user.yml b/webapps/evoadmin-mail/tasks/user.yml deleted file mode 100644 index a45d09ec..00000000 --- a/webapps/evoadmin-mail/tasks/user.yml +++ /dev/null 
@@ -1,121 +0,0 @@ ---- - -- name: Create evoadmin account - user: - name: "{{ evoadminmail_username }}" - comment: "Evoadmin Web Account" - home: "{{ evoadminmail_home_dir}}" - shell: /bin/bash - password: "!" - -- name: Create log/ directory - file: - path: "{{ evoadminmail_home_dir}}/log" - state: directory - owner: "{{ evoadminmail_username }}" - group: "{{ evoadminmail_username }}" - mode: "0750" - -- name: Create www-evoadminmail group - group: - name: "www-{{ evoadminmail_username }}" - state: present - -- name: "Create www-evoadmin (Debian 9 or later)" - user: - name: "www-{{ evoadminmail_username }}" - home: "{{ evoadminmail_home_dir}}/www" - shell: /bin/bash - createhome: no - when: ansible_distribution_major_version | version_compare('9', '>=') - -- name: Add www-data to app's group - user: - name: 'www-data' - groups: "{{ evoadminmail_username }}" - append: yes - when: evoadminmail_webserver == "nginx" - -- name: Install Git - apt: - name: git - state: present - -- name: "Clone evoadmin repository (Debian 9 or later)" - git: - repo: https://forge.evolix.org/evoadmin-mail.git - dest: "{{ evoadminmail_document_root}}" - version: master - update: yes - when: ansible_distribution_major_version | version_compare('9', '>=') - -- name: "Change perms on evoadminmail document root" - file: - dest: "{{ evoadminmail_document_root }}" - owner: "www-{{ evoadminmail_username }}" - group: "{{ evoadminmail_username }}" - recurse: yes - -- name: "Copy connect.php" - template: - src: connect.php.j2 - dest: "{{ evoadminmail_document_root }}/htdocs/config/connect.php" - owner: "www-{{ evoadminmail_username }}" - group: "{{ evoadminmail_username }}" - when: ldap_admin_password is defined - -- name: "Copy conf.php" - template: - src: conf.php.j2 - dest: "{{ evoadminmail_document_root }}/htdocs/config/conf.php" - owner: "www-{{ evoadminmail_username }}" - group: "{{ evoadminmail_username }}" - -- name: create a password for evoadmin user - command: "apg -n 1 -m 16 -M lcN" - 
register: evoadminmail_admin_password - changed_when: False - -- name: upload ldif for evoadmin user - template: - src: evoadmin.ldif.j2 - dest: /root/evolinux_evoadminmail_admin.ldif - mode: "0640" - -- name: inject config - command: slapadd -l /root/evolinux_evoadminmail_admin.ldif - -- name: create log file - file: - dest: /var/log/evoadmin-mail.log - state: touch - owner: "www-{{ evoadminmail_username }}" - group: "adm" - mode: "0640" - -- include_role: - name: remount-usr - when: evoadminmail_scripts_dir | search ("/usr") - -- name: "Create {{ evoadminmail_scripts_dir }}" - file: - dest: "{{ evoadminmail_scripts_dir }}" - # recurse: yes - mode: "0700" - state: directory - -# we use a shell command to have a "changed" thet really reflects the result. -- name: Fix permissions - shell: "chmod -R --verbose u=rwX,g=rX,o= {{ item }}" - register: command_result - changed_when: "'changed' in command_result.stdout" - # failed_when: False - with_items: - - "{{ evoadminmail_home_dir}}/www" - -#- name: Add evoadmin sudoers file -# template: -# src: sudoers.j2 -# dest: /etc/sudoers.d/evoadmin -# mode: "0600" -# validate: "visudo -cf %s" diff --git a/webapps/evoadmin-mail/templates/apache_evoadminmail.conf.j2 b/webapps/evoadmin-mail/templates/apache_evoadminmail.conf.j2 index 6ac7c103..2b74e9fd 100644 --- a/webapps/evoadmin-mail/templates/apache_evoadminmail.conf.j2 +++ b/webapps/evoadmin-mail/templates/apache_evoadminmail.conf.j2 @@ -10,7 +10,7 @@ #ServerAlias {{ evoadminmail_host }} # Repertoire principal - DocumentRoot {{ evoadminmail_document_root }}/htdocs/ + DocumentRoot /usr/share/evoadmin-mail/ # SSL SSLEngine on @@ -19,7 +19,7 @@ SSLProtocol all -SSLv2 -SSLv3 # Propriete du repertoire - + #Options Indexes SymLinksIfOwnerMatch Options SymLinksIfOwnerMatch AllowOverride AuthConfig Limit FileInfo Indexes 
@@ -27,15 +27,15 @@ # user - group (thanks to sesse@debian.org) - AssignUserID www-{{ evoadminmail_username }} {{ evoadminmail_username }} + AssignUserID evoadmin-mail evoadmin-mail # LOG CustomLog /var/log/apache2/access.log combined - CustomLog {{ evoadminmail_log_dir }}/access.log combined - ErrorLog {{ evoadminmail_log_dir }}/error.log + ErrorLog /var/log/apache2/error.log # AWSTATS - SetEnv AWSTATS_FORCE_CONFIG {{ evoadminmail_username }} + SetEnv AWSTATS_FORCE_CONFIG evoadmin-mail + SetEnv EVOADMINMAIL_CONFIG_FILE /etc/evoadmin-mail/config.ini # REWRITE UseCanonicalName On @@ -53,6 +53,5 @@ #php_admin_value max_execution_time 60 #php_admin_value upload_max_filesize 8M #php_admin_flag allow_url_fopen Off - php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f www-{{ evoadminmail_username }}" php_admin_value open_basedir "none" diff --git a/webapps/evoadmin-mail/templates/conf.php.j2 b/webapps/evoadmin-mail/templates/conf.php.j2 deleted file mode 100644 index bac22bfd..00000000 --- a/webapps/evoadmin-mail/templates/conf.php.j2 +++ /dev/null @@ -1,56 +0,0 @@ - - * @version 1.0 - */ - -define("LDAP_URI","ldap://127.0.0.1"); -$ldap_servers = array('ldap://127.0.0.1'); -define("LDAP_BASE","{{ ldap_suffix }}"); -define("LDAP_ADMIN_DN","cn=admin,{{ ldap_suffix }}"); -define("LDAP_ADMIN_PASS","{{ ldap_admin_password.stdout }}"); - -define("SUDOBIN","/usr/bin/sudo"); -define("SUDOSCRIPT","/usr/share/scripts/evoadmin.sh"); -define("SUDOPASS","xxxxxx"); - -define('SERVEUR','localhost'); -define('SERVEURPORT',3306); -define('BASE','horde'); -define('NOM', 'horde'); -define('PASSE', 'xxxx'); - -?> diff --git a/webapps/evoadmin-mail/templates/evoadmin.ldif.j2 b/webapps/evoadmin-mail/templates/evoadmin.ldif.j2 deleted file mode 100644 index 389fdff9..00000000 --- a/webapps/evoadmin-mail/templates/evoadmin.ldif.j2 +++ /dev/null 
@@ -1,12 +0,0 @@ -dn: uid=evoadmin,{{ ldap_suffix }} -uid: evoadmin -cn: Evoadmin ADM -uidNumber: 4242 -gidNumber: 4242 -homeDirectory: /dev/null -isAdmin: TRUE -mailacceptinggeneralid: evoadmin@{{ ansible_fqdn }} -objectClass: mailAccount -objectClass: organizationalRole -objectClass: posixAccount -userPassword: {{ evoadminmail_admin_password.stdout }} diff --git a/webapps/evoadmin-mail/templates/nginx_evoadminmail.conf.j2 b/webapps/evoadmin-mail/templates/nginx_evoadminmail.conf.j2 index b3502d17..b8ef073e 100644 --- a/webapps/evoadmin-mail/templates/nginx_evoadminmail.conf.j2 +++ b/webapps/evoadmin-mail/templates/nginx_evoadminmail.conf.j2 @@ -18,10 +18,10 @@ server { access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log; - root {{ evoadminmail_document_root }}/htdocs/; + root /usr/share/evoadmin-mail/; location / { - index index.html index.htm; + try_files $uri $uri/ /index.php?$args; } location ~ \.php$ { diff --git a/webapps/evoadmin-mail/templates/sudoers.j2 b/webapps/evoadmin-mail/templates/sudoers.j2 deleted file mode 100644 index 4dfd71c1..00000000 --- a/webapps/evoadmin-mail/templates/sudoers.j2 +++ /dev/null @@ -1,3 +0,0 @@ -User_Alias EVOADMIN = www-evoadmin -Cmnd_Alias EVOADMIN_WEB = {{ evoadmin_scripts_dir | mandatory }}/web-*.sh, {{ evoadmin_scripts_dir | mandatory }}/ftpadmin.sh -EVOADMIN ALL=NOPASSWD: EVOADMIN_WEB diff --git a/webapps/evoadmin-mail/templates/web-add.conf.j2 b/webapps/evoadmin-mail/templates/web-add.conf.j2 deleted file mode 100644 index 86eabd29..00000000 --- a/webapps/evoadmin-mail/templates/web-add.conf.j2 +++ /dev/null @@ -1,2 +0,0 @@ -CONTACT_MAIL="{{ evoadmin_contact_email or general_alert_email | mandatory }}" -WWWBOUNCE_MAIL="{{ evoadmin_bounce_email or general_alert_email | mandatory }}" diff --git a/webapps/evoadmin-mail/templates/web-mail.tpl.j2 b/webapps/evoadmin-mail/templates/web-mail.tpl.j2 deleted file mode 100644 index 262995c3..00000000 
--- a/webapps/evoadmin-mail/templates/web-mail.tpl.j2 +++ /dev/null 
@@ -1,86 +0,0 @@ -From: {{ evoadmin_tpl_mail_from }} -To: RCPTTO -Bcc: {{ evoadmin_tpl_mail_bcc }} -Subject: Parametres hebergement web : LOGIN - -Bonjour, - -Votre compte d'hebergement web a ete cree. - -********************************** -* CONNEXION SFTP/SSH -********************************** - -NOM DU SERVEUR : {{ evoadmin_tpl_servername }} -USER : LOGIN -PASSWORD : PASSE1 - -***************************************** -* Details sur l'environnement Apache/PHP -***************************************** - -URL du site : -http://{{ evoadmin_tpl_servername }} - -URL des stats : -http://{{ evoadmin_tpl_servername }}/cgi-RANDOM/awstats.pl -(acces par IP ou login a demander !) - -Repertoire de connexion : HOME_DIR/LOGIN/ -Repertoire pour site web : HOME_DIR/LOGIN/www/ - -Apache/PHP tourne en www-LOGIN:LOGIN c'est-a-dire qu'il a acces -uniquement *en lecture* aux differents fichiers/repertoires -(a condition d'avoir 'g=rx' sur les repertoires et 'g=r' sur les -fichiers ce qui est le comportement par defaut). - -Lorsqu'on a besoin d'autoriser *l'ecriture* pour certains -fichiers/repertoires, il suffit d'ajouter le droit 'g+w'. - -*********************************** -* MySQL -*********************************** - -SERVEUR : 127.0.0.1 -PORT DU SERVEUR : 3306 -USER : LOGIN -PASSWORD : PASSE2 -NOM BASE : DBNAME -URL interface d'admin : -{{ evoadmin_tpl_phpmyadmin_url }} - -*********************************** -* Rappels divers -*********************************** - -Votre nom de domaine doit etre configure pour pointer -sur l'adresse IP {{ evoadmin_tpl_address }} (enregistrement DNS A) -ou etre un alias de {{ evoadmin_tpl_servername }} (enregistrement DNS CNAME). 
- -Si vous avez besoin de faire des tests, vous devez -ajouter la ligne suivante au fichier "/etc/hosts" sous Linux/Unix -ou au fichier "system32\drivers\etc\hosts" sous Windows NT/XP : -{{ evoadmin_tpl_address }} {{ evoadmin_tpl_servername }} - -Attention, par defaut, toutes les connexions vers l'exterieur -sont bloquees. Si vous avez besoin de recuperer des donnees -a l'exterieur (flux RSS, BDD externe, etc.), contactez nous -afin de mettre en oeuvre les autorisations necessaires. - -Afin de securiser au maximum le serveur, certaines URL -particulieres sont non autorisees pour eviter diverses -attaques (XSS, robots, trojans, injections, etc.). -Exemple d'URL refusee : -http://{{ evoadmin_tpl_servername }}/cmd32.exe -En cas de soucis avec votre application, prevenez-nous. - -Si vous desirez mettre en place des parametres particuliers -pour votre site (PHP, etc.) ou pour tout autre demande (scripts en crontab, -etc.), n'hesitez pas a nous contacter a l'adresse -{{ evoadmin_tpl_mail_standard }} (ou {{ evoadmin_tpl_mail_urgent }} si votre demande est -urgente). - - -Cordialement, --- -{{ evoadmin_tpl_signature }} From d0b3b6d6b8e3e14644ef80b8526e5f5e5d6d71ab Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 11 Dec 2018 10:50:07 +0100 Subject: [PATCH 04/29] evomaintenance: database variables must be set or the task fails --- CHANGELOG.md | 1 + evomaintenance/tasks/main.yml | 8 ++++++++ evomaintenance/templates/evomaintenance.j2 | 8 ++++---- 3 files changed, 13 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2e409c6b..b6ef84cc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,7 @@ The **patch** part changes incrementally at each release. ## [Unreleased] ### Added +* evomaintenance: database variables must be set or the task fails ### Changed diff --git a/evomaintenance/tasks/main.yml b/evomaintenance/tasks/main.yml index 1b58b3e0..d0b9ba3b 100644 --- a/evomaintenance/tasks/main.yml +++ b/evomaintenance/tasks/main.yml 
@@ -3,6 +3,14 @@ - set_fact: minifirewall_restart_handler_name: "{{ minifirewall_restart_if_needed | ternary('restart minifirewall', 'restart minifirewall (noop)') }}" +- assert: + that: + - evomaintenance_pg_passwd is not none + - evomaintenance_pg_db is not none + - evomaintenance_pg_table is not none + - evomaintenance_pg_host is not none + msg: evomaintenance database variables must be set + - include: install_package_debian.yml when: - not evomaintenance_install_vendor diff --git a/evomaintenance/templates/evomaintenance.j2 b/evomaintenance/templates/evomaintenance.j2 index 79bc0cbf..acb6fd46 100644 --- a/evomaintenance/templates/evomaintenance.j2 +++ b/evomaintenance/templates/evomaintenance.j2 @@ -1,11 +1,11 @@ HOSTNAME={{ evomaintenance_hostname }} EVOMAINTMAIL={{ evomaintenance_alert_email or general_alert_email | mandatory }} -export PGPASSWORD={{ evomaintenance_pg_passwd | mandatory }} +export PGPASSWORD={{ evomaintenance_pg_passwd }} -PGDB={{ evomaintenance_pg_db | mandatory }} -PGTABLE={{ evomaintenance_pg_table | mandatory }} -PGHOST={{ evomaintenance_pg_host | mandatory }} +PGDB={{ evomaintenance_pg_db }} +PGTABLE={{ evomaintenance_pg_table }} +PGHOST={{ evomaintenance_pg_host }} FROM={{ evomaintenance_from }} FULLFROM="{{ evomaintenance_full_from }}" URGENCYFROM={{ evomaintenance_urgency_from }} From f46f5ccbde344a475550e74f2a97cbbc1f35bec9 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Wed, 12 Dec 2018 14:58:12 +0100 Subject: [PATCH 05/29] nagios-nrpe: check_process now return the error code (making the check more usefull than /bin/true) --- CHANGELOG.md | 1 + nagios-nrpe/files/plugins/check_process | 2 ++ 2 files changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b6ef84cc..a133f47d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
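Review bot: The new assert checks `is not none` while the template drops `| mandatory`, so an empty string passes the assertion and evomaintenance.j2 renders `export PGPASSWORD=` with no value, and a variable that is not defined at all makes the assert error on an undefined variable instead of printing the `msg`. Tightening each condition to `- evomaintenance_pg_passwd is defined and evomaintenance_pg_passwd` (and likewise for db, table and host) makes both cases produce the intended message. In the template the value is also unquoted on a line that a shell will source, whereas `FULLFROM` in the same file is quoted; `export PGPASSWORD="{{ evomaintenance_pg_passwd }}"` keeps a password containing spaces or metacharacters from breaking the file.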
@@ -18,6 +18,7 @@ The **patch** part changes incrementally at each release. ### Fixed * nginx: Munin url config is now a template to insert the server-status prefix * redis: In instance mode, ensure to replace the nrpe check_redis with the instance check script +* nagios-nrpe: check_process now return the error code (making the check more usefull than /bin/true) ### Security diff --git a/nagios-nrpe/files/plugins/check_process b/nagios-nrpe/files/plugins/check_process index 780ef233..46ef34dd 100755 --- a/nagios-nrpe/files/plugins/check_process +++ b/nagios-nrpe/files/plugins/check_process @@ -5,3 +5,5 @@ for proc in cron rsyslogd ntpd munin-node; do sudo /usr/lib/nagios//plugins/check_procs -C $proc -c 1: rc=$(($rc|$?)) done + +exit $rc From fa49f249e734450b1e89a4c18b669255a8e61092 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Mon, 17 Dec 2018 14:43:42 +0100 Subject: [PATCH 06/29] redis: Don't set the owner of /var/{lib,log}/redis to a redis instance account --- CHANGELOG.md | 1 + redis/tasks/instances.yml | 13 +++++++++++-- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a133f47d..31ff6564 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,7 @@ The **patch** part changes incrementally at each release. ### Fixed * nginx: Munin url config is now a template to insert the server-status prefix * redis: In instance mode, ensure to replace the nrpe check_redis with the instance check script +* redis: Don't set the owner of /var/{lib,log}/redis to a redis instance account * nagios-nrpe: check_process now return the error code (making the check more usefull than /bin/true) ### Security diff --git a/redis/tasks/instances.yml b/redis/tasks/instances.yml index 02fe4892..f3cd8f4c 100644 --- a/redis/tasks/instances.yml +++ b/redis/tasks/instances.yml 
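Review bot: The added `exit $rc` exposes the combined code, but `rc=$(($rc|$?))` in the loop ORs the Nagios codes together, so a WARNING (1) from one process and a CRITICAL (2) from another yield 3, which NRPE reports as UNKNOWN rather than CRITICAL. Keeping the highest code instead, `ret=$?` followed by `[ "$ret" -gt "$rc" ] && rc=$ret`, gives the expected escalation. Whether `rc` is initialised before the loop is outside the hunk (the file's first four lines are not shown); with an unset `rc` the expansion becomes `$((|1))`, a syntax error, so `rc=0` before the loop is worth confirming.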
@@ -52,6 +52,17 @@ tags: - redis +- name: Ensure redis base folders will be accessible for all instances + file: + dest: "{{ item }}" + state: directory + mode: "0755" + owner: "redis" + group: "redis" + with_items: + - "/var/lib/redis" + - "/var/log/redis" + - name: Instances directories are present file: dest: "{{ item }}" @@ -60,9 +71,7 @@ owner: "redis-{{ redis_instance_name }}" group: "redis-{{ redis_instance_name }}" with_items: - - "/var/lib/redis" - "{{ redis_dbdir }}" - - "/var/log/redis" - "{{ redis_logfile | dirname }}" tags: - redis From effdb4c7eb23d8ecb60d80142b73e126bc1146f2 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Mon, 17 Dec 2018 14:47:07 +0100 Subject: [PATCH 07/29] redis: Configure munin when working in instance mode --- CHANGELOG.md | 1 + redis/tasks/main.yml | 14 ++++- redis/tasks/munin-instances.yml | 61 +++++++++++++++++++ .../templates/munin-plugin-instances.conf.j2 | 8 +++ 4 files changed, 83 insertions(+), 1 deletion(-) create mode 100644 redis/tasks/munin-instances.yml create mode 100644 redis/templates/munin-plugin-instances.conf.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index 31ff6564..da9acdf7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,7 @@ The **patch** part changes incrementally at each release. ### Added * evomaintenance: database variables must be set or the task fails +* redis: Configure munin when working in instance mode ### Changed diff --git a/redis/tasks/main.yml b/redis/tasks/main.yml index c2d57d62..65b065df 100644 --- a/redis/tasks/main.yml +++ b/redis/tasks/main.yml @@ -55,7 +55,19 @@ - munin - include: munin.yml - when: _munin_installed.stat.exists and _munin_installed.stat.isdir + when: + - _munin_installed.stat.exists + - _munin_installed.stat.isdir + - redis_instance_name is not defined + tags: + - redis + - munin + +- include: munin-instances.yml + when: + - _munin_installed.stat.exists + - _munin_installed.stat.isdir + - redis_instance_name is defined tags: - redis - munin 
diff --git a/redis/tasks/munin-instances.yml b/redis/tasks/munin-instances.yml new file mode 100644 index 00000000..c8d7cefe --- /dev/null +++ b/redis/tasks/munin-instances.yml @@ -0,0 +1,61 @@ +--- +- name: Install munin check dependencies + apt: + name: libswitch-perl + state: present + tags: + - redis + +- include_role: + name: remount-usr + tags: + - redis + +- name: Create plugin directory + file: + name: /usr/local/share/munin/ + state: directory + mode: "0755" + tags: + - redis + +- name: Create plugin directory + file: + name: /usr/local/share/munin/plugins/ + state: directory + mode: "0755" + tags: + - redis + +- name: Copy redis munin plugin + copy: + src: munin_redis + dest: /usr/local/share/munin/plugins/redis_ + mode: "0755" + notify: restart munin-node + tags: + - redis + +- name: Enable redis munin plugin + file: + src: /usr/local/share/munin/plugins/redis_ + dest: "/etc/munin/plugins/{{ redis_instance_name }}_redis_{{item}}" + state: link + with_items: + - connected_clients + - key_ratio + - keys_per_sec + - per_sec + - used_keys + - used_memory + notify: restart munin-node + tags: + - redis + +- name: Configure redis plugin for munin + template: + src: templates/munin-plugin-instances.conf.j2 + dest: '/etc/munin/plugin-conf.d/evolinux.redis_{{ redis_instance_name }}' + mode: 0740 + notify: restart munin-node + tags: redis diff --git a/redis/templates/munin-plugin-instances.conf.j2 b/redis/templates/munin-plugin-instances.conf.j2 new file mode 100644 index 00000000..7e6a00ac --- /dev/null +++ b/redis/templates/munin-plugin-instances.conf.j2 @@ -0,0 +1,8 @@ +# Ansible managed + +[{{ redis_instance_name }}_redis_*] +env.title_prefix Instance {{ redis_instance_name }} +env.port {{ redis_port }} +{% if redis_password %} +env.password {{ redis_password }} +{% endif %} From 776839fe6168e0db80ee77914949fa4abc6b0a34 Mon Sep 17 00:00:00 2001 
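Review bot: `mode: 0740` on the last task of munin-instances.yml is an unquoted scalar, which YAML reads as an octal integer; it happens to produce 0740 here, but every other task in the file quotes its mode (`"0755"`), and an unquoted value is easy to break later (a plain `740` would become a different permission without any error). Write it as `mode: "0740"`. The restrictive mode is warranted because the rendered file carries `redis_password` in clear, but no `owner`/`group` is given, so ownership is whatever user the play runs as — presumably root — which is worth stating explicitly with `owner: root` and `group: root`. Two tasks share the name `Create plugin directory`; distinct names (e.g. `Create munin plugins directory` for the second) keep play output and `--start-at-task` unambiguous, and `tags: redis` on the last task could be a list like its siblings.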
From: =?UTF-8?q?Beno=C3=AEt=20S=C3=89RIE?= Date: Wed, 19 Dec 2018 15:58:47 +0100 Subject: [PATCH 08/29] Typo: rcpbind and not rcpbin --- evolinux-base/tasks/packages.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evolinux-base/tasks/packages.yml b/evolinux-base/tasks/packages.yml index e50045ed..8d2bab84 100644 --- a/evolinux-base/tasks/packages.yml +++ b/evolinux-base/tasks/packages.yml @@ -101,7 +101,7 @@ line: 'SENDMAILTO="{{ logcheck_alert_email or general_alert_email | mandatory }}"' when: evolinux_packages_logcheck_recipient -- name: Deleting rpcbin and nfs-common +- name: Deleting rpcbind and nfs-common apt: name: "{{ item }}" state: absent From 3b63172532c869aca0cc8df6982c14a0357b8aa6 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 21 Dec 2018 11:08:18 +0100 Subject: [PATCH 09/29] redis: distinction between main and master password --- CHANGELOG.md | 1 + redis/defaults/main.yml | 3 +++ redis/templates/redis.conf.j2 | 4 +++- 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index da9acdf7..638d9649 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,7 @@ The **patch** part changes incrementally at each release. * redis: Configure munin when working in instance mode ### Changed +* redis: distinction between main and master password ### Fixed * nginx: Munin url config is now a template to insert the server-status prefix diff --git a/redis/defaults/main.yml b/redis/defaults/main.yml index 363fb0de..200d2ca2 100644 --- a/redis/defaults/main.yml +++ b/redis/defaults/main.yml @@ -8,7 +8,10 @@ redis_unixsocket: '/var/run/redis/redis.sock' redis_pidfile: "/var/run/redis/{{ redis_daemon }}.pid" redis_timeout: 300 +# for client authorization redis_password: NULL +# for slave authorization on master +redis_password_master: "{{ redis_password }}" redis_loglevel: "notice" redis_logfile: /var/log/redis/redis-server.log 
diff --git a/redis/templates/redis.conf.j2 b/redis/templates/redis.conf.j2 index 21873942..a585d61c 100644 --- a/redis/templates/redis.conf.j2 +++ b/redis/templates/redis.conf.j2 @@ -9,7 +9,9 @@ unixsocket {{ redis_unixsocket }} {% if redis_password %} requirepass {{ redis_password }} -masterauth {{ redis_password }} +{% endif %} +{% if redis_password_master %} +masterauth {{ redis_password_master }} {% endif %} timeout {{ redis_timeout }} From 92a25a9502238f80000b84a65235075857092252 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 21 Dec 2018 11:11:15 +0100 Subject: [PATCH 10/29] redis: add variables to prevent or force restart --- CHANGELOG.md | 2 ++ redis/defaults/main.yml | 3 +++ redis/handlers/main.yml | 5 +++++ redis/tasks/main.yml | 11 ++++++++++- 4 files changed, 20 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 638d9649..11a80bc9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,8 @@ The **patch** part changes incrementally at each release. ### Added * evomaintenance: database variables must be set or the task fails * redis: Configure munin when working in instance mode +* redis: add a variable to disable the restart handler +* redis: add a variable to force a restart (even with no change) ### Changed * redis: distinction between main and master password diff --git a/redis/defaults/main.yml b/redis/defaults/main.yml index 200d2ca2..8413e0d7 100644 --- a/redis/defaults/main.yml +++ b/redis/defaults/main.yml @@ -40,3 +40,6 @@ redis_protected_mode: "yes" # Add extra include files for local configuration/overrides. redis_includes: [] + +redis_restart_if_needed: True +redis_restart_force: False diff --git a/redis/handlers/main.yml b/redis/handlers/main.yml index ed452e65..c7f66ffb 100644 --- a/redis/handlers/main.yml +++ b/redis/handlers/main.yml 
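Review bot: The new `{% if redis_password_master %}` guard depends on `redis_password_master: "{{ redis_password }}"` (the defaults hunk in the previous commit) still being a null when `redis_password` is left at its `NULL` default; since that default goes through string templating, it is not obvious from here that it comes back as a null rather than the string `None` on every Ansible version in use, and in the latter case the guard is true and `masterauth None` would be written. A default that does not template the other variable avoids the question, e.g. `redis_password_master: NULL` in defaults and `{% if redis_password_master or redis_password %}` / `masterauth {{ redis_password_master | default(redis_password, true) }}` in the template. A one-line comment above the block stating that the master password falls back to the client password would make the intent clear to readers of the rendered config.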
@@ -4,6 +4,11 @@ name: "{{ redis_daemon }}" state: restarted +- name: restart redis (noop) + meta: noop + failed_when: False + changed_when: False + - name: restart munin-node service: name: munin-node diff --git a/redis/tasks/main.yml b/redis/tasks/main.yml index 65b065df..58f105d7 100644 --- a/redis/tasks/main.yml +++ b/redis/tasks/main.yml @@ -1,4 +1,8 @@ --- + +- set_fact: + redis_restart_handler_name: "{{ redis_restart_if_needed | ternary('restart redis', 'restart redis (noop)') }}" + - name: Redis is installed. apt: name: "{{ item }}" @@ -32,7 +36,7 @@ src: redis.conf.j2 dest: "{{ redis_conf_path }}" mode: "0644" - notify: restart redis + notify: "{{ redis_restart_handler_name }}" when: redis_instance_name is not defined tags: - redis @@ -86,3 +90,8 @@ tags: - redis - nrpe + +- name: Force restart redis + command: /bin/true + notify: restart redis + when: redis_restart_force From 42d1cb79066e770254bba972611b87ca66e1a71f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 21 Dec 2018 11:13:40 +0100 Subject: [PATCH 11/29] redis: indentation typo --- redis/tasks/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/redis/tasks/main.yml b/redis/tasks/main.yml index 58f105d7..c749b4f2 100644 --- a/redis/tasks/main.yml +++ b/redis/tasks/main.yml @@ -92,6 +92,6 @@ - nrpe - name: Force restart redis - command: /bin/true - notify: restart redis - when: redis_restart_force + command: /bin/true + notify: restart redis + when: redis_restart_force From a94c94018c893dd64e59adc98b2881db605def80 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Tue, 1 Jan 2019 20:02:50 +0100 Subject: [PATCH 12/29] normalize some arguments positions --- evolinux-base/tasks/ssh.yml | 4 ++-- minifirewall/tasks/config.yml | 26 +++++++++++++------------- munin/tasks/main.yml | 1 + rbenv/tasks/main.yml | 2 +- 4 files changed, 17 insertions(+), 16 deletions(-) 
diff --git a/evolinux-base/tasks/ssh.yml b/evolinux-base/tasks/ssh.yml index 225add01..fd93c4e0 100644 --- a/evolinux-base/tasks/ssh.yml +++ b/evolinux-base/tasks/ssh.yml @@ -16,12 +16,12 @@ - name: "Security directives for Evolinux (Debian 10 or later)" blockinfile: dest: /etc/ssh/sshd_config + marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS" block: | Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }} PasswordAuthentication yes Match Group evolix PasswordAuthentication no - marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS" insertafter: EOF validate: '/usr/sbin/sshd -T -f %s' notify: reload sshd @@ -32,10 +32,10 @@ - name: Security directives for Evolinux (Jessie/Stretch) blockinfile: dest: /etc/ssh/sshd_config + marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS" block: | Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }} PasswordAuthentication yes - marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS" insertafter: EOF validate: '/usr/sbin/sshd -T -f %s' notify: reload sshd diff --git a/minifirewall/tasks/config.yml b/minifirewall/tasks/config.yml index bd71cb48..13cb6145 100644 --- a/minifirewall/tasks/config.yml +++ b/minifirewall/tasks/config.yml @@ -26,9 +26,9 @@ - name: Begin marker for IP addresses lineinfile: dest: "{{ minifirewall_main_file }}" - create: no line: "# BEGIN ANSIBLE MANAGED BLOCK FOR IPS" insertbefore: '^# Main interface' + create: no - name: End marker for IP addresses lineinfile: @@ -47,7 +47,6 @@ - name: Configure IP addresses blockinfile: dest: "{{ minifirewall_main_file }}" - create: no marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS" content: | # Main interface 
@@ -66,26 +65,26 @@ # Privilegied IPv4 addresses for semi-public services # (no need to add again TRUSTEDIPS) PRIVILEGIEDIPS='{{ minifirewall_privilegied_ips | join(' ') }}' + create: no register: minifirewall_config_ips - name: Begin marker for ports lineinfile: dest: "{{ minifirewall_main_file }}" - create: no line: "# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS" insertbefore: '^# Protected services' + create: no - name: End marker for ports lineinfile: dest: "{{ minifirewall_main_file }}" - create: no line: "# END ANSIBLE MANAGED BLOCK FOR PORTS" insertafter: '^SERVICESUDP3=' + create: no - name: Configure ports blockinfile: dest: "{{ minifirewall_main_file }}" - create: no marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS" content: | # Protected services 
@@ -104,70 +103,71 @@ # Private services (IPv4) SERVICESTCP3='{{ minifirewall_private_ports_tcp | join(' ') }}' SERVICESUDP3='{{ minifirewall_private_ports_udp | join(' ') }}' + create: no register: minifirewall_config_ports - name: Configure DNSSERVEURS lineinfile: dest: "{{ minifirewall_main_file }}" - create: no line: "DNSSERVEURS='{{ minifirewall_dns_servers | join(' ') }}'" regexp: "DNSSERVEURS='.*'" + create: no when: minifirewall_dns_servers is not none - name: Configure HTTPSITES lineinfile: dest: "{{ minifirewall_main_file }}" - create: no line: "HTTPSITES='{{ minifirewall_http_sites | join(' ') }}'" regexp: "HTTPSITES='.*'" + create: no when: minifirewall_http_sites is not none - name: Configure HTTPSSITES lineinfile: dest: "{{ minifirewall_main_file }}" - create: no line: "HTTPSSITES='{{ minifirewall_https_sites | join(' ') }}'" regexp: "HTTPSSITES='.*'" + create: no when: minifirewall_https_sites is not none - name: Configure FTPSITES lineinfile: dest: "{{ minifirewall_main_file }}" - create: no line: "FTPSITES='{{ minifirewall_ftp_sites | join(' ') }}'" regexp: "FTPSITES='.*'" + create: no when: minifirewall_ftp_sites is not none - name: Configure SSHOK lineinfile: dest: "{{ minifirewall_main_file }}" - create: no line: "SSHOK='{{ minifirewall_ssh_ok | join(' ') }}'" regexp: "SSHOK='.*'" + create: no when: minifirewall_ssh_ok is not none - name: Configure SMTPOK lineinfile: dest: "{{ minifirewall_main_file }}" - create: no line: "SMTPOK='{{ minifirewall_smtp_ok | join(' ') }}'" regexp: "SMTPOK='.*'" + create: no when: minifirewall_smtp_ok is not none - name: Configure SMTPSECUREOK lineinfile: dest: "{{ minifirewall_main_file }}" - create: no line: "SMTPSECUREOK='{{ minifirewall_smtp_secure_ok | join(' ') }}'" regexp: "SMTPSECUREOK='.*'" + create: no when: minifirewall_smtp_secure_ok is not none - name: Configure NTPOK lineinfile: dest: "{{ minifirewall_main_file }}" - create: no line: "NTPOK='{{ minifirewall_ntp_ok | join(' ') }}'" regexp: "NTPOK='.*'" 
+ create: no when: minifirewall_ntp_ok is not none - name: evomaintenance diff --git a/munin/tasks/main.yml b/munin/tasks/main.yml index f08f2005..2219cf17 100644 --- a/munin/tasks/main.yml +++ b/munin/tasks/main.yml @@ -77,6 +77,7 @@ - name: adjustments for grsec kernel blockinfile: dest: /etc/munin/plugin-conf.d/munin-node + marker: "# {mark} GRSECURITY CUSTOMIZATIONS" block: | [processes] diff --git a/rbenv/tasks/main.yml b/rbenv/tasks/main.yml index 693ff0f6..47e1f0cc 100644 --- a/rbenv/tasks/main.yml +++ b/rbenv/tasks/main.yml @@ -78,10 +78,10 @@ - name: "Rbenv is initialized in profile for {{ username }}" blockinfile: dest: '~{{ username }}/.profile' + marker: "# {mark} ANSIBLE MANAGED RBENV INIT" block: | export PATH="{{ rbenv_root }}/bin:$PATH" eval "$(rbenv init -)" - marker: "# {mark} ANSIBLE MANAGED RBENV INIT" become_user: "{{ username }}" become: yes tags: From 1d2a64824192a3a202df0053dc844e2a33ec5ab0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Tue, 1 Jan 2019 20:04:56 +0100 Subject: [PATCH 13/29] whitespaces --- packweb-apache/tasks/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/packweb-apache/tasks/main.yml b/packweb-apache/tasks/main.yml index 230fb41a..f5d0f35e 100644 --- a/packweb-apache/tasks/main.yml +++ b/packweb-apache/tasks/main.yml @@ -3,7 +3,7 @@ - fail: msg: only compatible with Debian >= 8 when: - - ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<') + - ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<') - name: install info.php copy: 
@@ -23,9 +23,9 @@ state: "{{ item.state }}" mode: "{{ item.mode }}" with_items: - - { path: log, mode: "0750", state: directory } - - { path: awstats, mode: "0750", state: directory } - - { path: www, mode: "0750", state: directory } + - { path: log, mode: "0750", state: directory } + - { path: awstats, mode: "0750", state: directory } + - { path: www, mode: "0750", state: directory } - name: Apache log file (templates) are present command: "touch /etc/skel/log/{{ item }}" From 6fadd4edb1317b9cce5e204c47a6eabc9ee56771 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Tue, 1 Jan 2019 20:06:05 +0100 Subject: [PATCH 14/29] munin: better marker for blockinfile --- munin/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/munin/tasks/main.yml b/munin/tasks/main.yml index 2219cf17..6dcf1a26 100644 --- a/munin/tasks/main.yml +++ b/munin/tasks/main.yml @@ -77,7 +77,7 @@ - name: adjustments for grsec kernel blockinfile: dest: /etc/munin/plugin-conf.d/munin-node - marker: "# {mark} GRSECURITY CUSTOMIZATIONS" + marker: "# {mark} ANSIBLE MANAGED GRSECURITY CUSTOMIZATIONS" block: | [processes] From 41c1ed5a70defb9bfab6b1f6d346b151dd97fc71 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Tue, 1 Jan 2019 21:08:51 +0100 Subject: [PATCH 15/29] apache: add Munin configuration for Apache server-status URL --- CHANGELOG.md | 3 ++- apache/tasks/server_status.yml | 14 ++++++++++++++ 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 11a80bc9..a534bed5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,7 @@ The **patch** part changes incrementally at each release. ## [Unreleased] ### Added +* apache: add Munin configuration for Apache server-status URL * evomaintenance: database variables must be set or the task fails * redis: Configure munin when working in instance mode * redis: add a variable to disable the restart handler 
@@ -22,7 +23,7 @@ The **patch** part changes incrementally at each release.
 ### Fixed
 * nginx: Munin url config is now a template to insert the server-status prefix
 * redis: In instance mode, ensure to replace the nrpe check_redis with the instance check script
-* redis: Don't set the owner of /var/{lib,log}/redis to a redis instance account
+* redis: Don't set the owner of /var/{lib,log}/redis to a redis instance account
 * nagios-nrpe: check_process now return the error code (making the check more usefull than /bin/true)
 
 ### Security
diff --git a/apache/tasks/server_status.yml b/apache/tasks/server_status.yml
index f9e1aed8..80dbe590 100644
--- a/apache/tasks/server_status.yml
+++ b/apache/tasks/server_status.yml
@@ -39,3 +39,17 @@
 dest: /var/www/index.html
 regexp: '__SERVERSTATUS_SUFFIX__'
 replace: "{{ apache_serverstatus_suffix }}"
+
+- name: Munin configuration has a section for apache
+ lineinfile:
+ dest: /etc/munin/plugin-conf.d/munin-node
+ line: "[apache_*]"
+ create: no
+
+- name: apache-status URL is configured for Munin
+ lineinfile:
+ dest: /etc/munin/plugin-conf.d/munin-node
+ line: "env.url http://127.0.0.1/server-status-{{ apache_serverstatus_suffix }}?auto"
+ regexp: "env.url http://127.0.0.1/server-status"
+ insertafter: "[apache_*]"
+ create: no
From 11184869935aa5eac892329d3cde61635afe2962 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Thu, 3 Jan 2019 10:16:46 +0100
Subject: [PATCH 16/29] rbenv: add pkg-config to the list of packages to install
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Some Ruby gems (Nokogiri…) need this to detect system libraries.
---
 CHANGELOG.md | 1 +
 rbenv/tasks/main.yml | 1 +
 2 files changed, 2 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a534bed5..0e7fe10f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
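Review bot: `insertafter: "[apache_*]"` in the second added task is interpreted as a regular expression, and as one it is a character class matching any single character from `apche_*`, so the `env.url` line lands after the last line in the file containing any of those letters rather than under the `[apache_*]` header; `regexp: "env.url http://127.0.0.1/server-status"` is likewise unanchored and uses unescaped dots. Escape and anchor both: `insertafter: '^\[apache_\*\]'` and `regexp: '^env\.url http://127\.0\.0\.1/server-status'`. The first task's `line: "[apache_*]"` is compared literally (no `regexp`), so it is fine as written.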
@@ -13,6 +13,7 @@ The **patch** part changes incrementally at each release. ### Added * apache: add Munin configuration for Apache server-status URL * evomaintenance: database variables must be set or the task fails +* rbenv: add pkg-config to the list of packages to install * redis: Configure munin when working in instance mode * redis: add a variable to disable the restart handler * redis: add a variable to force a restart (even with no change) diff --git a/rbenv/tasks/main.yml b/rbenv/tasks/main.yml index 47e1f0cc..f2d5844a 100644 --- a/rbenv/tasks/main.yml +++ b/rbenv/tasks/main.yml @@ -14,6 +14,7 @@ - libxml2-dev - libxslt1-dev - zlib1g-dev + - pkg-config tags: - rbenv - packages From ebd65b2395c63bba9a892333df541c56a137b654 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 8 Jan 2019 10:02:04 +0100 Subject: [PATCH 17/29] metricbeat: fix username/password replacement --- CHANGELOG.md | 3 ++- metricbeat/tasks/main.yml | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0e7fe10f..56758994 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -22,10 +22,11 @@ The **patch** part changes incrementally at each release. * redis: distinction between main and master password ### Fixed +* metricbeat: fix username/password replacement +* nagios-nrpe: check_process now return the error code (making the check more usefull than /bin/true) * nginx: Munin url config is now a template to insert the server-status prefix * redis: In instance mode, ensure to replace the nrpe check_redis with the instance check script * redis: Don't set the owner of /var/{lib,log}/redis to a redis instance account -* nagios-nrpe: check_process now return the error code (making the check more usefull than /bin/true) ### Security diff --git a/metricbeat/tasks/main.yml b/metricbeat/tasks/main.yml index 94c75614..3e7fbea7 100644 --- a/metricbeat/tasks/main.yml +++ b/metricbeat/tasks/main.yml 
@@ -57,8 +57,8 @@
 line: '{{ item.line }}'
 insertafter: "output.elasticsearch:"
 with_items:
- - { regexp: '^ #username: .*', line: ' username: "{{ metricbeat_elasticsearch_auth_username }}"' }
- - { regexp: '^ #password: .*', line: ' password: "{{ metricbeat_elasticsearch_auth_password }}"' }
+ - { regexp: '^ #?username: .*', line: ' username: "{{ metricbeat_elasticsearch_auth_username }}"' }
+ - { regexp: '^ #?password: .*', line: ' password: "{{ metricbeat_elasticsearch_auth_password }}"' }
 notify: restart metricbeat
 when:
 - metricbeat_elasticsearch_auth_username != ""
From 921c92fd5b08e70104d8b21d03a9c56762282c88 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Tue, 8 Jan 2019 10:04:27 +0100
Subject: [PATCH 18/29] redis: add a variable for renamed/disabled commands

---
 CHANGELOG.md | 1 +
 redis/defaults/main.yml | 2 ++
 redis/templates/redis.conf.j2 | 4 ++++
 3 files changed, 7 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 56758994..71f2b034 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,6 +15,7 @@ The **patch** part changes incrementally at each release.
 * evomaintenance: database variables must be set or the task fails
 * rbenv: add pkg-config to the list of packages to install
 * redis: Configure munin when working in instance mode
+* redis: add a variable for renamed/disabled commands
 * redis: add a variable to disable the restart handler
 * redis: add a variable to force a restart (even with no change)
 
diff --git a/redis/defaults/main.yml b/redis/defaults/main.yml
index 8413e0d7..a64fb832 100644
--- a/redis/defaults/main.yml
+++ b/redis/defaults/main.yml
@@ -43,3 +43,5 @@ redis_includes: []
 
 redis_restart_if_needed: True
 redis_restart_force: False
+
+redis_disabled_commands: []
diff --git a/redis/templates/redis.conf.j2 b/redis/templates/redis.conf.j2
index a585d61c..4dcdba86 100644
--- a/redis/templates/redis.conf.j2
+++ b/redis/templates/redis.conf.j2
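Review bot: The loop writes `metricbeat_elasticsearch_auth_password` into the file and, without `no_log`, Ansible prints each `with_items` entry — including the rendered password line — in the play output and in any log that output is shipped to; add `no_log: True` to the task. The task's header and its `regexp: '{{ item.regexp }}'` key are above the hunk. The widened `#?` patterns are the right fix for idempotence, since they match both the commented template line and a line this task already rewrote on an earlier run.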
@@ -51,6 +51,10 @@ appendonly {{ redis_appendonly }} appendfsync {{ redis_appendfsync }} no-appendfsync-on-rewrite no +{% for disabled_command in redis_disabled_commands %} +rename-command {{ disabled_command }} "" +{% endfor %} + {% for include in redis_includes %} include {{ include }} {% endfor %} From 719e9b35b20b3cf5ded6ba5daf716428be6aa0cc Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 8 Jan 2019 10:24:47 +0100 Subject: [PATCH 19/29] evocheck: update evocheck.sh for source install --- CHANGELOG.md | 1 + evocheck/files/evocheck.sh | 23 +++++++++++------------ 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 71f2b034..9b64d002 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -21,6 +21,7 @@ The **patch** part changes incrementally at each release. ### Changed * redis: distinction between main and master password +* evocheck: update evocheck.sh for source install ### Fixed * metricbeat: fix username/password replacement diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index a8be7eec..2c20b04d 100644 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -4,8 +4,8 @@ # Script to verify compliance of a Debian/OpenBSD server # powered by Evolix -# Repository: https://gitlab.evolix.org/evolix/evocheck -# Commit: 956877442a3f43243fed89c491d9bdddd1ac77cd +# Repository: https://gitea.evolix.org/evolix/evocheck +# Commit: e6e0b8c216ed28a2ee2229e5e122ff1d49701ffc # Disable LANG* export LANG=C 
@@ -525,19 +525,17 @@ if [ -e /etc/debian_version ]; then # Check if no package has been upgraded since $limit. if [ "$IS_NOTUPGRADED" = 1 ]; then - if zgrep -hq upgrade /var/log/dpkg.log*; then - last_upgrade=$(date +%s -d $(zgrep -h upgrade /var/log/dpkg.log* |sort -n |tail -1 |cut -f1 -d ' ')) - fi - if grep -q '^mailto="listupgrade-todo@' /etc/evolinux/listupgrade.cnf \ - || grep -q -E '^[[:digit:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[^\*]' /etc/cron.d/listupgrade; then + last_upgrade=$(date +%s -d $(zgrep -h upgrade /var/log/dpkg.log* |sort -n |tail -1 |cut -f1 -d ' ')) + if grep -sq '^mailto="listupgrade-todo@' /etc/evolinux/listupgrade.cnf \ + || grep -sq -E '^[[:digit:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[^\*]' /etc/cron.d/listupgrade; then # Manual upgrade process limit=$(date +%s -d "now - 180 days") else # Regular process limit=$(date +%s -d "now - 90 days") fi - if [ -d /var/log/installer ]; then - install_date=$(stat -c %Z /var/log/installer) + if [ -f /var/log/evolinux/00_prepare_system.log ]; then + install_date=$(stat -c %Z /var/log/evolinux/00_prepare_system.log) else install_date=0 fi @@ -591,8 +589,8 @@ if [ -e /etc/debian_version ]; then if [ "$IS_BACKPORTSCONF" = 1 ]; then if is_debianversion stretch; then - grep -q backports /etc/apt/sources.list && echo 'IS_BACKPORTSCONF FAILED!' - grep -q backports /etc/apt/sources.list.d/*.list 2>/dev/null && (grep -q backports /etc/apt/preferences.d/* || echo 'IS_BACKPORTSCONF FAILED!') + grep -qE "^[^#].*backports" /etc/apt/sources.list && echo 'IS_BACKPORTSCONF FAILED!' + grep -qE "^[^#].*backports" /etc/apt/sources.list.d/*.list 2>/dev/null && (grep -qE "^[^#].*backports" /etc/apt/preferences.d/* || echo 'IS_BACKPORTSCONF FAILED!') fi fi @@ -988,9 +986,10 @@ fi if [ "$IS_PRIVKEYWOLRDREADABLE" = 1 ]; then for f in /etc/ssl/private/*; do - perms=$(stat -c "%a" $f) + perms=$(stat -L -c "%a" $f) if [ ${perms: -1} != "0" ]; then echo 'IS_PRIVKEYWOLRDREADABLE FAILED!' + break fi done fi 
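Review bot: Dropping the `if zgrep -hq upgrade /var/log/dpkg.log*` guard means that on a host whose dpkg logs contain no upgrade entry the inner `$(zgrep ... | cut -f1 -d ' ')` expands to nothing, `date +%s -d` is then called with no argument and fails, and `last_upgrade` ends up empty for the comparison against `$limit` that follows below the hunk. Keep the guard and give the variable a safe default before it, `last_upgrade=0`, so that a host with no recorded upgrade is treated as never upgraded rather than producing a shell error. The surrounding `if [ "$IS_NOTUPGRADED" = 1 ]` block continues past the end of the hunk.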
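Review bot: In the last hunk, `perms=$(stat -L -c "%a" $f)` leaves `$f` unquoted, and when `/etc/ssl/private/` is empty the `for f in /etc/ssl/private/*` loop runs once with the literal glob, so `stat` prints an error and `${perms: -1}` is compared as an empty word. Quote the variable and skip non-existent entries: `[ -e "$f" ] || continue` before `perms=$(stat -L -c "%a" "$f")`. Following symlinks with `-L` and stopping at the first finding with `break` are both improvements; the enclosing `if [ "$IS_PRIVKEYWOLRDREADABLE" = 1 ]` block is visible in full here.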
From 7c2feea561c7b6626d8fe8710aed1bb4dc8ff92d Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 8 Jan 2019 11:05:20 +0100 Subject: [PATCH 20/29] metricbeat: add a variable for the protocol to use with Elasticsearch --- CHANGELOG.md | 1 + metricbeat/defaults/main.yml | 1 + metricbeat/tasks/main.yml | 9 +++++++++ 3 files changed, 11 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9b64d002..44cbf7b8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ The **patch** part changes incrementally at each release. ### Added * apache: add Munin configuration for Apache server-status URL * evomaintenance: database variables must be set or the task fails +* metricbeat: add a variable for the protocol to use with Elasticsearch * rbenv: add pkg-config to the list of packages to install * redis: Configure munin when working in instance mode * redis: add a variable for renamed/disabled commands diff --git a/metricbeat/defaults/main.yml b/metricbeat/defaults/main.yml index 28b7e084..ee4cee34 100644 --- a/metricbeat/defaults/main.yml +++ b/metricbeat/defaults/main.yml @@ -1,6 +1,7 @@ --- elastic_stack_version: "6.x" +metricbeat_elasticsearch_protocol: "" metricbeat_elasticsearch_hosts: - "localhost:9200" metricbeat_elasticsearch_auth_username: "" diff --git a/metricbeat/tasks/main.yml b/metricbeat/tasks/main.yml index 3e7fbea7..ed51dd1f 100644 --- a/metricbeat/tasks/main.yml +++ b/metricbeat/tasks/main.yml @@ -50,6 +50,15 @@ when: - metricbeat_elasticsearch_hosts +- name: Metricbeat protocol for Elasticsearch + lineinfile: + dest: /etc/metricbeat/metricbeat.yml + regexp: '^ #?protocol: .*' + line: " protocol: \"{{ metricbeat_elasticsearch_protocol }}\"" + insertafter: "output.elasticsearch:" + notify: restart metricbeat + when: metricbeat_elasticsearch_protocol == "http" or metricbeat_elasticsearch_protocol == "https" + - name: Metricbeat auth/username for Elasticsearch are configured lineinfile: dest: /etc/metricbeat/metricbeat.yml 
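Review bot: The `when` on the added task compares `metricbeat_elasticsearch_protocol` against the two literals one at a time; `when: metricbeat_elasticsearch_protocol in ["http", "https"]` says the same thing more compactly and is easier to extend. A short comment above the task would help readers understand why the empty default skips it: `# only rewrite the protocol line when an explicit http/https value is given; otherwise Metricbeat's own default applies`. The `^ #?protocol: .*` pattern mirrors the username/password fix from the earlier commit, which keeps the three tasks idempotent in the same way.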
From 67d7458ba6cbaabb38fe33acc5346b3baa2d33cb Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Wed, 9 Jan 2019 10:49:20 +0100 Subject: [PATCH 21/29] nodejs: Update yarn repo GPG key (current key expired) Ref: https://github.com/yarnpkg/yarn/issues/6865 --- CHANGELOG.md | 1 + nodejs/files/yarnpkg.gpg.key | 38 ++++++++++++++++++++++++++++++++++-- 2 files changed, 37 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 44cbf7b8..b1e9a679 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -28,6 +28,7 @@ The **patch** part changes incrementally at each release. * metricbeat: fix username/password replacement * nagios-nrpe: check_process now return the error code (making the check more usefull than /bin/true) * nginx: Munin url config is now a template to insert the server-status prefix +* nodejs: Update yarn repo GPG key (current key expired) * redis: In instance mode, ensure to replace the nrpe check_redis with the instance check script * redis: Don't set the owner of /var/{lib,log}/redis to a redis instance account diff --git a/nodejs/files/yarnpkg.gpg.key b/nodejs/files/yarnpkg.gpg.key index 800c737d..c5064ec5 100644 --- a/nodejs/files/yarnpkg.gpg.key +++ b/nodejs/files/yarnpkg.gpg.key 
@@ -147,6 +147,40 @@ r16Zyn6mxYWEHn9HXMh3b+2IYKFFXHffbIBq/mfibDnZtQBrZpn2uyh6F2ZuOsZh 0LTD7RL53KV3fi90nS00Gs1kbMkPycL1JLqvYQDpllE2oZ1dKDYkwivGyDQhRNfE RL6JkjyiSxfZ2c84r2HPgnJTi/WBplloQkM+2NfXrBo6kLHSC6aBndRKk2UmUhrU luGcQUyfzYRFH5kVueIYfDaBPus9gb+sjnViFRpqVjefwlXSJEDHWP3Cl2cuo2mJ -jeDghj400U6pjSUW3bIC/PI= -=gZNT +jeDghj400U6pjSUW3bIC/PK5Ag0EXCxEEQEQAKVjsdljwPDGO+48879LDa1d7GEu +/Jm9HRK6INCQiSiS/0mHkeKa6t4DRgCY2ID9lFiegx2Er+sIgL0chs16XJrFO21u +kw+bkBdm2HYUKSsUFmr/bms8DkmAM699vRYVUAzO9eXG/g8lVrAzlb3RT7eGHYKd +15DT5KxXDQB+T+mWE9qD5RJwEyPjSU+4WjYF+Rr9gbSuAt5UySUb9jTR5HRNj9wt +b4YutfP9jbfqy8esQVG9R/hpWKb2laxvn8Qc2Xj93qNIkBt/SILfx9WDJl0wNUmu ++zUwpiC2wrLFTgNOpq7g9wRPtg5mi8MXExWwSF2DlD54yxOOAvdVACJFBXEcstQ3 +SWg8gxljG8eLMpDjwoIBax3DZwiYZjkjJPeydSulh8vKoFBCQkf2PcImXdOk2HqO +V1L7FROM6fKydeSLJbx17SNjVdQnq1OsyqSO0catAFNptMHBsN+tiCI29gpGegao +umV9cnND69aYvyPBgvdtmzPChjSmc6rzW1yXCJDm2qzwm/BcwJNXW5B3EUPxc0qS +Wste9fUna0G4l/WMuaIzVkuTgXf1/r9HeQbjtxAztxH0d0VgdHAWPDkUYmztcZ4s +d0PWkVa18qSrOvyhI96gCzdvMRLX17m1kPvP5PlPulvqizjDs8BScqeSzGgSbbQV +m5Tx4w2uF4/n3FBnABEBAAGJBEQEGAECAA8FAlwsRBECGwIFCQIKEgACKQkQFkaw +G4blAxDBXSAEGQECAAYFAlwsRBEACgkQI+cWZ4i2Ph6B0g//cPis3v2M6XvAbVoM +3GIMXnsVj1WAHuwA/ja7UfZJ9+kV/PiMLkAbW0fBj0/y0O3Ry12VVQGXhC+Vo4j6 +C8qwFP4OXa6EsxHXuvWMIztBaX1Kav613aXBtxp6tTrud0FFUh4sDc1RREb3tMr6 +y5cvFJgnrdWcX1gsl6ODcgWBGNc6ZX7H7j48hMR6KmNeZocW7p8W+BgDQJqXYwVN +L15qOHzVAh0dWsFLE9gwBTmDCY03x9arxSNDGCXyxt6E77LbNVIoSRlEbkvi6j33 +nEbuERICYl6CltXQCyiVKjheJcLMjbgv5+bLCv2zfeJ/WyOmOGKpHRu+lBV1Gvli +RxUblVlmjWPhYPBZXGyjII16Tqr+ilREcZFW+STccbrVct75JWLbxwlEmix+W1Hw +SRCR+KHx3Cur4ZPMOBlPsFilOOsNa7ROUB56t7zv21Ef3BeeaCd9c4kzNGN8d1ic +EqSXoWWPqgST0LZPtZyqWZVnWrHChVHfrioxhSnw8O3wY1A2GSahiCSvvjvOeEoJ +yU21ZMw6AVyHCh6v42oYadBfGgFwNo5OCMhNxNy/CcUrBSDqyLVTM5QlNsT75Ys7 +kHHnc+Jk+xx4JpiyNCz5LzcPhlwpqnJQcjJdY1hDhK75Ormj/NfCMeZ8g1aVPX4x +Eq8AMyZYhZ5/lmM+13Rdv8ZW6FK7HQ/+IAKzntxOjw0MzCXkksKdmIOZ2bLeOVI8 +aSLaUmoT5CLuoia9g7iFHlYrSY+01riRrAaPtYx0x8onfyVxL9dlW/Fv5+qc1fF5 
+FxdhyIgdqgzm82TnXHu/haUxYmUvNrbsmmNl5UTTOf+YQHMccKFdYfZ2rCBtbN2n +iXG1tuz2+k83pozu4mJ1rOOLNAsQoY3yR6OODte1FyOgp7blwDhTIoQb8/UiJ7CM +BI3OPrfoXFAnhYoxeRSAN4UFu9/HIkqfaQgRPCZS1gNerWF6r6yz9AZWUZqjSJss +jBqXCtK9bGbTYBZk+pw3H9Nd0RJ2WJ9qPqmlmUr1wdqct0ChsJx1xAT86QrssicJ +/HFFmF45hlnGkHUBWLaVJt8YkLb/DqOIbVbwyCLQtJ80VQLEeupfmu5QNsTpntRY +NKf8cr00uc8vSYXYFRxa5H5oRT1eoFEEjDDvokNnHXfT+Hya44IjYpzaqvAgeDp6 +sYlOdtWIv/V3s+trxACwTkRN7zw3lLTbT8PK9szK0fYZ5KHG1/AKH+mbZ6qNc/25 +PNbAFRtttLGuEIC3HJ12IAp2JdjioeD2OnWLu4ZeCT2CKKFsleZPrSyCrn3gyZPm +fYvv5h2JbQNO6uweOrZENWX5SU43OBoplbuKJZsMP6p6NahuGnIeJLlv509JYAf/ +HN4ARyvvOpM= +=SQ7t -----END PGP PUBLIC KEY BLOCK----- From 42ec5d62c86e29bdbfc007af0792828587ba7dda Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 9 Jan 2019 16:43:35 +0100 Subject: [PATCH 22/29] whitespaces --- fail2ban/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml index f8b20694..9dd89aeb 100644 --- a/fail2ban/tasks/main.yml +++ b/fail2ban/tasks/main.yml @@ -13,7 +13,7 @@ - "/etc/fail2ban" - "/etc/fail2ban/filter.d" tags: - - fail2ban + - fail2ban - set_fact: fail2ban_ignore_ips: "{{ fail2ban_default_ignore_ips | union(fail2ban_additional_ignore_ips) | unique }}" @@ -26,7 +26,7 @@ force: no notify: restart fail2ban tags: - - fail2ban + - fail2ban - name: Include ignoredips update task include: ip_whitelist.yml From df308b0396c59af329df32d5e72c7fdc7a17c351 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 9 Jan 2019 16:44:16 +0100 Subject: [PATCH 23/29] fail2ban: fix "ignoreip" update --- CHANGELOG.md | 1 + fail2ban/tasks/ip_whitelist.yml | 8 ++++++-- fail2ban/tasks/main.yml | 4 +++- 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b1e9a679..c07fdd21 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -25,6 +25,7 @@ The **patch** part changes incrementally at each release. * evocheck: update evocheck.sh for source install ### Fixed +* fail2ban: fix "ignoreip" update * metricbeat: fix username/password replacement * nagios-nrpe: check_process now return the error code (making the check more usefull than /bin/true) * nginx: Munin url config is now a template to insert the server-status prefix diff --git a/fail2ban/tasks/ip_whitelist.yml b/fail2ban/tasks/ip_whitelist.yml index 3bdd05f3..77f7c21c 100644 --- a/fail2ban/tasks/ip_whitelist.yml +++ b/fail2ban/tasks/ip_whitelist.yml @@ -1,9 +1,13 @@ --- + +- set_fact: + fail2ban_ignore_ips: "{{ ['127.0.0.1/8'] | union(fail2ban_default_ignore_ips) | union(fail2ban_additional_ignore_ips) | unique }}" + - name: Update ignoreips lists ini_file: dest: /etc/fail2ban/jail.local - section: "[DEFAULT]" - option: "ignoreips" + section: "DEFAULT" + option: "ignoreip" value: "{{ fail2ban_ignore_ips | join(' ') }}" notify: restart fail2ban tags: diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml index 9dd89aeb..6e97fb2d 100644 --- a/fail2ban/tasks/main.yml +++ b/fail2ban/tasks/main.yml @@ -16,7 +16,9 @@ - fail2ban - set_fact: - fail2ban_ignore_ips: "{{ fail2ban_default_ignore_ips | union(fail2ban_additional_ignore_ips) | unique }}" + fail2ban_ignore_ips: "{{ ['127.0.0.1/8'] | union(fail2ban_default_ignore_ips) | union(fail2ban_additional_ignore_ips) | unique }}" + tags: + - fail2ban - name: local jail is installed template: From f6ca2279bfa669d73e8d26513f416930b6022fde Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Thu, 10 Jan 2019 16:10:03 +0100 Subject: [PATCH 24/29] java: update Oracle java package to 8u192 --- CHANGELOG.md | 1 + java/tasks/oracle.yml | 12 ++++++------ 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c07fdd21..d8fb4150 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
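Review bot: The `set_fact` that computes `fail2ban_ignore_ips` is now duplicated verbatim between this ip_whitelist.yml hunk and the main.yml hunk of the same commit, with `'127.0.0.1/8'` hard-coded in both places, so the two expressions will drift the next time one of them is edited. main.yml already sets the fact and includes this file (the include is visible as context in the earlier "whitespaces" hunk), so one copy is enough — or move the loopback entry into `fail2ban_default_ignore_ips` in the role defaults and keep the expression as `fail2ban_default_ignore_ips | union(fail2ban_additional_ignore_ips) | unique`. The new `set_fact` in this file carries no `tags:` while the `ini_file` task below it is tagged `fail2ban`, so a `--tags fail2ban` run relies on main.yml's copy having executed unless the include propagates its tags (not visible here); a comment such as `# fail2ban_ignore_ips is also set in main.yml; keep both in sync` would at least make the coupling visible. Addresses in `ignoreip` are never banned, so the merged list should stay limited to loopback and explicitly trusted ranges.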
@@ -23,6 +23,7 @@ The **patch** part changes incrementally at each release. ### Changed * redis: distinction between main and master password * evocheck: update evocheck.sh for source install +* java: update Oracle java package to 8u192 ### Fixed * fail2ban: fix "ignoreip" update diff --git a/java/tasks/oracle.yml b/java/tasks/oracle.yml index da3473da..dd80303b 100644 --- a/java/tasks/oracle.yml +++ b/java/tasks/oracle.yml @@ -23,19 +23,19 @@ - name: Get Oracle jre archive get_url: - url: 'http://download.oracle.com/otn-pub/java/jdk/8u172-b11/a58eab1ec242421181065cdc37240b08/jre-8u172-linux-x64.tar.gz' + url: 'https://download.oracle.com/otn-pub/java/jdk/8u192-b12/750e1c8617c5452694857ad95c3ee230/server-jre-8u192-linux-x64.tar.gz' dest: '/srv/java-package/src/' - checksum: 'sha256:f08f25aec2bdc86138ccba8fd5b904451e3afa1d24a88c85f28c2d84bfd45bad' + checksum: 'sha256:3d811a5ec65dc6fc261f488757bae86ecfe285a79992363b016f60cdb4dbe7e6' headers: 'Cookie: oraclelicense=accept-securebackup-cookie' mode: "0644" tags: - java - name: Make Debian package from Oracle JDK archive - shell: "yes | TMPDIR=/srv/java-package/tmp make-jpkg /srv/java-package/src/jre-8u172-linux-x64.tar.gz" + shell: "yes | TMPDIR=/srv/java-package/tmp make-jpkg /srv/java-package/src/server-jre-8u192-linux-x64.tar.gz" args: chdir: /srv/java-package - creates: /srv/java-package/oracle-java8-jre_8u172_amd64.deb + creates: /srv/java-package/oracle-java8-server-jre_8u192_amd64.deb become: False tags: - java @@ -45,14 +45,14 @@ - name: Install java package apt: - deb: /srv/java-package/oracle-java8-jre_8u172_amd64.deb + deb: /srv/java-package/oracle-java8-server-jre_8u192_amd64.deb tags: - java - name: This openjdk version is the default alternative alternatives: name: java - path: "/usr/lib/jvm/jre-{{ java_version }}-oracle-x64/bin/java" + path: "/usr/lib/jvm/oracle-java{{ java_version }}-server-jre-amd64/bin/java" when: java_default_alternative tags: - java 
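Review bot: The artifact fetched by the `get_url` task changes from the plain JRE (`jre-8u172-linux-x64.tar.gz`) to the Server JRE (`server-jre-8u192-linux-x64.tar.gz`), which renames the package built by make-jpkg from `oracle-java8-jre` to `oracle-java8-server-jre` in the `creates:` and `apt: deb:` lines, while the changelog entry only mentions "8u192". On hosts that already ran the previous version this presumably installs a second package next to the old `oracle-java8-jre` rather than replacing it, with `alternatives` repointed to the new path and the old runtime left in place — worth a removal step (`apt: name: oracle-java8-jre state: absent`) or at least a comment above the task, `# 8u192 is shipped as "Server JRE"; the resulting .deb is oracle-java8-server-jre, not oracle-java8-jre`. The move to https together with the sha256 `checksum:` is the right way to pin this download; the checksum must be updated with every future version bump. The release number 8u192 is hard-coded in four places while the `alternatives` path interpolates `{{ java_version }}`, so the two can silently diverge if the variable is ever changed on its own.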
From c4c091b362be0421b776efd253c113fbf0296ad5 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Thu, 10 Jan 2019 17:57:51 +0100 Subject: [PATCH 25/29] squid: added packagist.org in the whitelist --- CHANGELOG.md | 3 ++- squid/files/evolinux-whitelist-defaults.conf | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d8fb4150..a1e89fd9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -23,6 +23,7 @@ The **patch** part changes incrementally at each release. ### Changed * redis: distinction between main and master password * evocheck: update evocheck.sh for source install +* squid: added packagist.org in the whitelist * java: update Oracle java package to 8u192 ### Fixed @@ -30,7 +31,7 @@ The **patch** part changes incrementally at each release. * metricbeat: fix username/password replacement * nagios-nrpe: check_process now return the error code (making the check more usefull than /bin/true) * nginx: Munin url config is now a template to insert the server-status prefix -* nodejs: Update yarn repo GPG key (current key expired) +* nodejs: Update yarn repo GPG key (current key expired) * redis: In instance mode, ensure to replace the nrpe check_redis with the instance check script * redis: Don't set the owner of /var/{lib,log}/redis to a redis instance account diff --git a/squid/files/evolinux-whitelist-defaults.conf b/squid/files/evolinux-whitelist-defaults.conf index 2bbebf5b..ac0d9f6c 100644 --- a/squid/files/evolinux-whitelist-defaults.conf +++ b/squid/files/evolinux-whitelist-defaults.conf @@ -105,6 +105,7 @@ ^www\.phpbb\.com$ ^www\.typolight\.org$ ^www\.spip\.net$ +^packagist\.org$ ### Feeds / API / WS Tools / ... From 40b265414138dc998dd69c9c99718510888fd4d3 Mon Sep 17 00:00:00 2001 
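Review bot: The added pattern `^packagist\.org$` matches only the apex host, consistent with the anchored entries around it, but Composer may retrieve package metadata from a subdomain (repo.packagist.org in more recent Composer releases — confirm against the hosts a `composer update` actually contacts through this proxy); if so the entry should become `^(repo\.)?packagist\.org$` or gain a second line for the subdomain. Since this file is an egress allow-list, a comment naming the consumer above the line, e.g. `# Composer (PHP dependency manager)`, helps future reviewers judge whether the entry is still needed. The section header this entry belongs to is outside the hunk.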
From: Ludovic Poujol Date: Thu, 10 Jan 2019 19:12:53 +0100 Subject: [PATCH 26/29] php: added php-zip in the installed package list for debian 9 (and later) --- CHANGELOG.md | 1 + php/tasks/main_stretch.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a1e89fd9..3066f9ea 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -23,6 +23,7 @@ The **patch** part changes incrementally at each release. ### Changed * redis: distinction between main and master password * evocheck: update evocheck.sh for source install +* php: added php-zip in the installed package list for debian 9 (and later) * squid: added packagist.org in the whitelist * java: update Oracle java package to 8u192 diff --git a/php/tasks/main_stretch.yml b/php/tasks/main_stretch.yml index d97ba527..4191519b 100644 --- a/php/tasks/main_stretch.yml +++ b/php/tasks/main_stretch.yml @@ -28,6 +28,7 @@ - php-gettext - php-curl - php-ssh2 + - php-zip - composer - libphp-phpmailer From 59c479582e1fcf26c7c3a8e59e4a2101c3c226a0 Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Thu, 10 Jan 2019 17:03:14 -0500 Subject: [PATCH 27/29] Adds ips tag to fail2ban/tasks/ip_whitelist.yml You can already skip nginx and apache ip_whitelist tasks with this tags, it makes sense for fail2ban to follow suite. --- CHANGELOG.md | 1 + fail2ban/tasks/ip_whitelist.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3066f9ea..310f51f2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,6 +19,7 @@ The **patch** part changes incrementally at each release. * redis: add a variable for renamed/disabled commands * redis: add a variable to disable the restart handler * redis: add a variable to force a restart (even with no change) +* "ips" tag added to fail2ban/tasks/ip_whitelist.yml ### Changed * redis: distinction between main and master password diff --git a/fail2ban/tasks/ip_whitelist.yml b/fail2ban/tasks/ip_whitelist.yml index 77f7c21c..f899e618 100644 
--- a/fail2ban/tasks/ip_whitelist.yml +++ b/fail2ban/tasks/ip_whitelist.yml @@ -12,3 +12,4 @@ notify: restart fail2ban tags: - fail2ban + - ips \ No newline at end of file From fc0b1d69680039696649e8767838d07e303b1f9d Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 17 Jan 2019 17:42:18 +0100 Subject: [PATCH 28/29] update changelog --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 310f51f2..7cf3001d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,13 +13,13 @@ The **patch** part changes incrementally at each release. ### Added * apache: add Munin configuration for Apache server-status URL * evomaintenance: database variables must be set or the task fails +* fail2ban: add "ips" tag added to fail2ban/tasks/ip_whitelist.yml * metricbeat: add a variable for the protocol to use with Elasticsearch * rbenv: add pkg-config to the list of packages to install * redis: Configure munin when working in instance mode * redis: add a variable for renamed/disabled commands * redis: add a variable to disable the restart handler * redis: add a variable to force a restart (even with no change) -* "ips" tag added to fail2ban/tasks/ip_whitelist.yml ### Changed * redis: distinction between main and master password From 87860d5b7fa38fcc5b6b4cc7fdd5d0443be62022 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 17 Jan 2019 18:11:46 +0100 Subject: [PATCH 29/29] Release 9.7.0 --- CHANGELOG.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7cf3001d..4eb149f4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,16 @@ The **patch** part changes incrementally at each release. ## [Unreleased] +### Added + +### Changed + +### Fixed + +### Security + +## [9.7.0] - 2019-01-17 + ### Added * apache: add Munin configuration for Apache server-status URL * evomaintenance: database variables must be set or the task fails 
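Review bot: The `ips` tag is added only to the `ini_file` task, while the `set_fact` at the top of this file that defines `fail2ban_ignore_ips` (visible in the earlier ip_whitelist.yml hunk of this series) carries no tags and the `set_fact` in main.yml is tagged `fail2ban` only; a run limited to `--tags ips` will therefore reach `value: "{{ fail2ban_ignore_ips | join(' ') }}"` with the variable undefined, unless tags propagate from the include in main.yml — worth verifying. Adding `tags: [fail2ban, ips]` to the `set_fact` in this file closes the gap. The new line is also committed without a trailing newline (`\ No newline at end of file`); the file should end with one.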
@@ -37,7 +47,6 @@ The **patch** part changes incrementally at each release. * redis: In instance mode, ensure to replace the nrpe check_redis with the instance check script * redis: Don't set the owner of /var/{lib,log}/redis to a redis instance account -### Security ## [9.6.0] - 2018-12-04