Merge branch 'unstable' into stable

CHANGELOG.md

@@ -18,6 +18,36 @@ The **patch** part changes incrementally at each release.
 
 ### Security
 
+## [9.7.0] - 2019-01-17
+
+### Added
+* apache: add Munin configuration for Apache server-status URL
+* evomaintenance: database variables must be set or the task fails
+* fail2ban: add "ips" tag added to fail2ban/tasks/ip_whitelist.yml
+* metricbeat: add a variable for the protocol to use with Elasticsearch
+* rbenv: add pkg-config to the list of packages to install
+* redis: Configure munin when working in instance mode
+* redis: add a variable for renamed/disabled commands
+* redis: add a variable to disable the restart handler
+* redis: add a variable to force a restart (even with no change)
+
+### Changed
+* redis: distinction between main and master password
+* evocheck: update evocheck.sh for source install
+* php: added php-zip in the installed package list for debian 9 (and later)
+* squid: added packagist.org in the whitelist
+* java: update Oracle java package to 8u192
+
+### Fixed
+* fail2ban: fix "ignoreip" update
+* metricbeat: fix username/password replacement
+* nagios-nrpe: check_process now return the error code (making the check more usefull than /bin/true)
+* nginx: Munin url config is now a template to insert the server-status prefix
+* nodejs: Update yarn repo GPG key (current key expired)
+* redis: In instance mode, ensure to replace the nrpe check_redis with the instance check script
+* redis: Don't set the owner of /var/{lib,log}/redis to a redis instance account
+
+
 ## [9.6.0] - 2018-12-04
 
 ### Added
@@ -29,6 +59,7 @@ The **patch** part changes incrementally at each release.
 ### Changed
 * minifirewall: compare config before/after (for restart condition)
 * squid: better replacement in minifirewall config
+* evoadmin-mail: complete refactoring, use Debian Package
 
 ## [9.5.0] - 2018-11-14
 

apache/tasks/server_status.yml

@@ -39,3 +39,17 @@
     dest: /var/www/index.html
     regexp: '__SERVERSTATUS_SUFFIX__'
     replace: "{{ apache_serverstatus_suffix }}"
+
+- name: Munin configuration has a section for apache
+  lineinfile:
+    dest: /etc/munin/plugin-conf.d/munin-node
+    line: "[apache_*]"
+    create: no
+
+- name: apache-status URL is configured for Munin
+  lineinfile:
+    dest: /etc/munin/plugin-conf.d/munin-node
+    line: "env.url http://127.0.0.1/server-status-{{ apache_serverstatus_suffix }}?auto"
+    regexp: "env.url http://127.0.0.1/server-status"
+    insertafter: "[apache_*]"
+    create: no

evocheck/files/evocheck.sh

@@ -4,8 +4,8 @@
 # Script to verify compliance of a Debian/OpenBSD server
 # powered by Evolix
 
-# Repository: https://gitlab.evolix.org/evolix/evocheck
+# Repository: https://gitea.evolix.org/evolix/evocheck
-# Commit: 956877442a3f43243fed89c491d9bdddd1ac77cd
+# Commit: e6e0b8c216ed28a2ee2229e5e122ff1d49701ffc
 
 # Disable LANG*
 export LANG=C
@@ -525,19 +525,17 @@ if [ -e /etc/debian_version ]; then
 
     # Check if no package has been upgraded since $limit.
     if [ "$IS_NOTUPGRADED" = 1 ]; then
-        if zgrep -hq upgrade /var/log/dpkg.log*; then
+        last_upgrade=$(date +%s -d $(zgrep -h upgrade /var/log/dpkg.log* |sort -n |tail -1 |cut -f1 -d ' '))
-            last_upgrade=$(date +%s -d $(zgrep -h upgrade /var/log/dpkg.log* |sort -n |tail -1 |cut -f1 -d ' '))
+        if grep -sq '^mailto="listupgrade-todo@' /etc/evolinux/listupgrade.cnf \
-        fi
+        || grep -sq -E '^[[:digit:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[^\*]' /etc/cron.d/listupgrade; then
-        if grep -q '^mailto="listupgrade-todo@' /etc/evolinux/listupgrade.cnf \
-        || grep -q -E '^[[:digit:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[^\*]' /etc/cron.d/listupgrade; then
             # Manual upgrade process
             limit=$(date +%s -d "now - 180 days")
         else
             # Regular process
             limit=$(date +%s -d "now - 90 days")
         fi
-        if [ -d /var/log/installer ]; then
+        if [ -f /var/log/evolinux/00_prepare_system.log ]; then
-            install_date=$(stat -c %Z /var/log/installer)
+            install_date=$(stat -c %Z /var/log/evolinux/00_prepare_system.log)
         else
             install_date=0
         fi
@@ -591,8 +589,8 @@ if [ -e /etc/debian_version ]; then
 
     if [ "$IS_BACKPORTSCONF" = 1 ]; then
         if is_debianversion stretch; then
-            grep -q backports /etc/apt/sources.list && echo 'IS_BACKPORTSCONF FAILED!'
+            grep -qE "^[^#].*backports" /etc/apt/sources.list && echo 'IS_BACKPORTSCONF FAILED!'
-            grep -q backports /etc/apt/sources.list.d/*.list 2>/dev/null && (grep -q backports /etc/apt/preferences.d/* || echo 'IS_BACKPORTSCONF FAILED!')
+            grep -qE "^[^#].*backports" /etc/apt/sources.list.d/*.list 2>/dev/null && (grep -qE "^[^#].*backports" /etc/apt/preferences.d/* || echo 'IS_BACKPORTSCONF FAILED!')
         fi
     fi
 
@@ -988,9 +986,10 @@ fi
 
 if [ "$IS_PRIVKEYWOLRDREADABLE" = 1 ]; then
     for f in /etc/ssl/private/*; do
-        perms=$(stat -c "%a" $f)
+        perms=$(stat -L -c "%a" $f)
         if [ ${perms: -1} != "0" ]; then
             echo 'IS_PRIVKEYWOLRDREADABLE FAILED!'
+            break
         fi
     done
 fi

evolinux-base/tasks/packages.yml

@@ -101,7 +101,7 @@
     line: 'SENDMAILTO="{{ logcheck_alert_email or general_alert_email | mandatory }}"'
   when: evolinux_packages_logcheck_recipient
 
-- name: Deleting rpcbin and nfs-common
+- name: Deleting rpcbind and nfs-common
   apt:
     name: "{{ item }}"
     state: absent

evolinux-base/tasks/ssh.yml

@@ -16,12 +16,12 @@
 - name: "Security directives for Evolinux (Debian 10 or later)"
   blockinfile:
     dest: /etc/ssh/sshd_config
+    marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS"
     block: |
       Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
           PasswordAuthentication yes
       Match Group evolix
           PasswordAuthentication no
-    marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS"
     insertafter: EOF
     validate: '/usr/sbin/sshd -T -f %s'
   notify: reload sshd
@@ -32,10 +32,10 @@
 - name: Security directives for Evolinux (Jessie/Stretch)
   blockinfile:
     dest: /etc/ssh/sshd_config
+    marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
     block: |
       Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
           PasswordAuthentication yes
-    marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
     insertafter: EOF
     validate: '/usr/sbin/sshd -T -f %s'
   notify: reload sshd

evomaintenance/tasks/main.yml

@@ -3,6 +3,14 @@
 - set_fact:
     minifirewall_restart_handler_name: "{{ minifirewall_restart_if_needed | ternary('restart minifirewall', 'restart minifirewall (noop)') }}"
 
+- assert:
+    that:
+      - evomaintenance_pg_passwd is not none
+      - evomaintenance_pg_db is not none
+      - evomaintenance_pg_table is not none
+      - evomaintenance_pg_host is not none
+    msg: evomaintenance database variables must be set
+
 - include: install_package_debian.yml
   when:
     - not evomaintenance_install_vendor

evomaintenance/templates/evomaintenance.j2

@@ -1,11 +1,11 @@
 HOSTNAME={{ evomaintenance_hostname }}
 EVOMAINTMAIL={{ evomaintenance_alert_email or general_alert_email | mandatory }}
 
-export PGPASSWORD={{ evomaintenance_pg_passwd | mandatory }}
+export PGPASSWORD={{ evomaintenance_pg_passwd }}
 
-PGDB={{ evomaintenance_pg_db | mandatory }}
+PGDB={{ evomaintenance_pg_db }}
-PGTABLE={{ evomaintenance_pg_table | mandatory }}
+PGTABLE={{ evomaintenance_pg_table }}
-PGHOST={{ evomaintenance_pg_host | mandatory }}
+PGHOST={{ evomaintenance_pg_host }}
 FROM={{ evomaintenance_from }}
 FULLFROM="{{ evomaintenance_full_from }}"
 URGENCYFROM={{ evomaintenance_urgency_from }}

fail2ban/tasks/ip_whitelist.yml

@@ -1,10 +1,15 @@
 ---
+
+- set_fact:
+    fail2ban_ignore_ips: "{{ ['127.0.0.1/8'] | union(fail2ban_default_ignore_ips) | union(fail2ban_additional_ignore_ips) | unique }}"
+
 - name: Update ignoreips lists
   ini_file:
     dest: /etc/fail2ban/jail.local
-    section: "[DEFAULT]"
+    section: "DEFAULT"
-    option: "ignoreips"
+    option: "ignoreip"
     value: "{{ fail2ban_ignore_ips | join(' ') }}"
   notify: restart fail2ban
   tags:
     - fail2ban
+    - ips

fail2ban/tasks/main.yml

@@ -13,10 +13,12 @@
     - "/etc/fail2ban"
     - "/etc/fail2ban/filter.d"
   tags:
-  - fail2ban
+    - fail2ban
 
 - set_fact:
-    fail2ban_ignore_ips: "{{ fail2ban_default_ignore_ips | union(fail2ban_additional_ignore_ips) | unique }}"
+    fail2ban_ignore_ips: "{{ ['127.0.0.1/8'] | union(fail2ban_default_ignore_ips) | union(fail2ban_additional_ignore_ips) | unique }}"
+  tags:
+    - fail2ban
 
 - name: local jail is installed
   template:
@@ -26,7 +28,7 @@
     force: no
   notify: restart fail2ban
   tags:
-  - fail2ban
+    - fail2ban
 
 - name: Include ignoredips update task 
   include: ip_whitelist.yml

java/tasks/oracle.yml

@@ -23,19 +23,19 @@
 
 - name: Get Oracle jre archive
   get_url:
-    url: 'http://download.oracle.com/otn-pub/java/jdk/8u172-b11/a58eab1ec242421181065cdc37240b08/jre-8u172-linux-x64.tar.gz'
+    url: 'https://download.oracle.com/otn-pub/java/jdk/8u192-b12/750e1c8617c5452694857ad95c3ee230/server-jre-8u192-linux-x64.tar.gz'
     dest: '/srv/java-package/src/'
-    checksum: 'sha256:f08f25aec2bdc86138ccba8fd5b904451e3afa1d24a88c85f28c2d84bfd45bad'
+    checksum: 'sha256:3d811a5ec65dc6fc261f488757bae86ecfe285a79992363b016f60cdb4dbe7e6'
     headers: 'Cookie: oraclelicense=accept-securebackup-cookie'
     mode: "0644"
   tags:
   - java
 
 - name: Make Debian package from Oracle JDK archive
-  shell: "yes | TMPDIR=/srv/java-package/tmp make-jpkg /srv/java-package/src/jre-8u172-linux-x64.tar.gz"
+  shell: "yes | TMPDIR=/srv/java-package/tmp make-jpkg /srv/java-package/src/server-jre-8u192-linux-x64.tar.gz"
   args:
     chdir: /srv/java-package
-    creates: /srv/java-package/oracle-java8-jre_8u172_amd64.deb
+    creates: /srv/java-package/oracle-java8-server-jre_8u192_amd64.deb
   become: False
   tags:
   - java
@@ -45,14 +45,14 @@
 
 - name: Install java package
   apt:
-    deb: /srv/java-package/oracle-java8-jre_8u172_amd64.deb
+    deb: /srv/java-package/oracle-java8-server-jre_8u192_amd64.deb
   tags:
    - java
 
 - name: This openjdk version is the default alternative
   alternatives:
     name: java
-    path: "/usr/lib/jvm/jre-{{ java_version }}-oracle-x64/bin/java"
+    path: "/usr/lib/jvm/oracle-java{{ java_version }}-server-jre-amd64/bin/java"
   when: java_default_alternative
   tags:
     - java

metricbeat/defaults/main.yml

@@ -1,6 +1,7 @@
 ---
 elastic_stack_version: "6.x"
 
+metricbeat_elasticsearch_protocol: ""
 metricbeat_elasticsearch_hosts:
   - "localhost:9200"
 metricbeat_elasticsearch_auth_username: ""

metricbeat/tasks/main.yml

@@ -50,6 +50,15 @@
   when:
     - metricbeat_elasticsearch_hosts
 
+- name: Metricbeat protocol for Elasticsearch
+  lineinfile:
+    dest: /etc/metricbeat/metricbeat.yml
+    regexp: '^  #?protocol: .*'
+    line: "  protocol: \"{{ metricbeat_elasticsearch_protocol }}\""
+    insertafter: "output.elasticsearch:"
+  notify: restart metricbeat
+  when: metricbeat_elasticsearch_protocol == "http" or metricbeat_elasticsearch_protocol == "https"
+
 - name: Metricbeat auth/username for Elasticsearch are configured
   lineinfile:
     dest: /etc/metricbeat/metricbeat.yml
@@ -57,8 +66,8 @@
     line: '{{ item.line }}'
     insertafter: "output.elasticsearch:"
   with_items:
-    - { regexp: '^  #username: .*', line: '  username: "{{ metricbeat_elasticsearch_auth_username }}"' }
+    - { regexp: '^  #?username: .*', line: '  username: "{{ metricbeat_elasticsearch_auth_username }}"' }
-    - { regexp: '^  #password: .*', line: '  password: "{{ metricbeat_elasticsearch_auth_password }}"' }
+    - { regexp: '^  #?password: .*', line: '  password: "{{ metricbeat_elasticsearch_auth_password }}"' }
   notify: restart metricbeat
   when:
     - metricbeat_elasticsearch_auth_username != ""

minifirewall/tasks/config.yml

@@ -26,9 +26,9 @@
 - name: Begin marker for IP addresses
   lineinfile:
     dest: "{{ minifirewall_main_file }}"
-    create: no
     line: "# BEGIN ANSIBLE MANAGED BLOCK FOR IPS"
     insertbefore: '^# Main interface'
+    create: no
 
 - name: End marker for IP addresses
   lineinfile:
@@ -47,7 +47,6 @@
 - name: Configure IP addresses
   blockinfile:
     dest: "{{ minifirewall_main_file }}"
-    create: no
     marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS"
     content: |
       # Main interface
@@ -66,26 +65,26 @@
       # Privilegied IPv4 addresses for semi-public services
       # (no need to add again TRUSTEDIPS)
       PRIVILEGIEDIPS='{{ minifirewall_privilegied_ips | join(' ') }}'
+    create: no
   register: minifirewall_config_ips
 
 - name: Begin marker for ports
   lineinfile:
     dest: "{{ minifirewall_main_file }}"
-    create: no
     line: "# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS"
     insertbefore: '^# Protected services'
+    create: no
 
 - name: End marker for ports
   lineinfile:
     dest: "{{ minifirewall_main_file }}"
-    create: no
     line: "# END ANSIBLE MANAGED BLOCK FOR PORTS"
     insertafter: '^SERVICESUDP3='
+    create: no
 
 - name: Configure ports
   blockinfile:
     dest: "{{ minifirewall_main_file }}"
-    create: no
     marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS"
     content: |
       # Protected services
@@ -104,70 +103,71 @@
       # Private services (IPv4)
       SERVICESTCP3='{{ minifirewall_private_ports_tcp | join(' ') }}'
       SERVICESUDP3='{{ minifirewall_private_ports_udp | join(' ') }}'
+    create: no
   register: minifirewall_config_ports
 
 - name: Configure DNSSERVEURS
   lineinfile:
     dest: "{{ minifirewall_main_file }}"
-    create: no
     line: "DNSSERVEURS='{{ minifirewall_dns_servers | join(' ') }}'"
     regexp: "DNSSERVEURS='.*'"
+    create: no
   when: minifirewall_dns_servers is not none
 
 - name: Configure HTTPSITES
   lineinfile:
     dest: "{{ minifirewall_main_file }}"
-    create: no
     line: "HTTPSITES='{{ minifirewall_http_sites | join(' ') }}'"
     regexp: "HTTPSITES='.*'"
+    create: no
   when: minifirewall_http_sites is not none
 
 - name: Configure HTTPSSITES
   lineinfile:
     dest: "{{ minifirewall_main_file }}"
-    create: no
     line: "HTTPSSITES='{{ minifirewall_https_sites | join(' ') }}'"
     regexp: "HTTPSSITES='.*'"
+    create: no
   when: minifirewall_https_sites is not none
 
 - name: Configure FTPSITES
   lineinfile:
     dest: "{{ minifirewall_main_file }}"
-    create: no
     line: "FTPSITES='{{ minifirewall_ftp_sites | join(' ') }}'"
     regexp: "FTPSITES='.*'"
+    create: no
   when: minifirewall_ftp_sites is not none
 
 - name: Configure SSHOK
   lineinfile:
     dest: "{{ minifirewall_main_file }}"
-    create: no
     line: "SSHOK='{{ minifirewall_ssh_ok | join(' ') }}'"
     regexp: "SSHOK='.*'"
+    create: no
   when: minifirewall_ssh_ok is not none
 
 - name: Configure SMTPOK
   lineinfile:
     dest: "{{ minifirewall_main_file }}"
-    create: no
     line: "SMTPOK='{{ minifirewall_smtp_ok | join(' ') }}'"
     regexp: "SMTPOK='.*'"
+    create: no
   when: minifirewall_smtp_ok is not none
 
 - name: Configure SMTPSECUREOK
   lineinfile:
     dest: "{{ minifirewall_main_file }}"
-    create: no
     line: "SMTPSECUREOK='{{ minifirewall_smtp_secure_ok | join(' ') }}'"
     regexp: "SMTPSECUREOK='.*'"
+    create: no
   when: minifirewall_smtp_secure_ok is not none
 
 - name: Configure NTPOK
   lineinfile:
     dest: "{{ minifirewall_main_file }}"
-    create: no
     line: "NTPOK='{{ minifirewall_ntp_ok | join(' ') }}'"
     regexp: "NTPOK='.*'"
+    create: no
   when: minifirewall_ntp_ok is not none
 
 - name: evomaintenance

munin/tasks/main.yml

@@ -77,6 +77,7 @@
 - name: adjustments for grsec kernel
   blockinfile:
     dest: /etc/munin/plugin-conf.d/munin-node
+    marker: "# {mark} ANSIBLE MANAGED GRSECURITY CUSTOMIZATIONS"
     block: |
 
       [processes]

nagios-nrpe/files/plugins/check_process

@@ -5,3 +5,5 @@ for proc in cron rsyslogd ntpd munin-node; do
     sudo /usr/lib/nagios//plugins/check_procs -C $proc -c 1:
     rc=$(($rc|$?))
 done
+
+exit $rc

nginx/files/munin/evolinux.nginx

@@ -1,2 +0,0 @@
-[nginx_*]
-env.url http://munin/nginx_status

nginx/tasks/munin_graphs.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: Copy Munin config for Nginx
-  copy:
+  template:
     src: munin/evolinux.nginx
     dest: /etc/munin/plugin-conf.d/
     mode: "0644"

nginx/templates/munin/evolinux.nginx

@@ -0,0 +1,2 @@
+[nginx_*]
+env.url http://munin/nginx_status-{{ nginx_serverstatus_suffix }}

nodejs/files/yarnpkg.gpg.key

@@ -147,6 +147,40 @@ r16Zyn6mxYWEHn9HXMh3b+2IYKFFXHffbIBq/mfibDnZtQBrZpn2uyh6F2ZuOsZh
 0LTD7RL53KV3fi90nS00Gs1kbMkPycL1JLqvYQDpllE2oZ1dKDYkwivGyDQhRNfE
 RL6JkjyiSxfZ2c84r2HPgnJTi/WBplloQkM+2NfXrBo6kLHSC6aBndRKk2UmUhrU
 luGcQUyfzYRFH5kVueIYfDaBPus9gb+sjnViFRpqVjefwlXSJEDHWP3Cl2cuo2mJ
-jeDghj400U6pjSUW3bIC/PI=
+jeDghj400U6pjSUW3bIC/PK5Ag0EXCxEEQEQAKVjsdljwPDGO+48879LDa1d7GEu
-=gZNT
+/Jm9HRK6INCQiSiS/0mHkeKa6t4DRgCY2ID9lFiegx2Er+sIgL0chs16XJrFO21u
+kw+bkBdm2HYUKSsUFmr/bms8DkmAM699vRYVUAzO9eXG/g8lVrAzlb3RT7eGHYKd
+15DT5KxXDQB+T+mWE9qD5RJwEyPjSU+4WjYF+Rr9gbSuAt5UySUb9jTR5HRNj9wt
+b4YutfP9jbfqy8esQVG9R/hpWKb2laxvn8Qc2Xj93qNIkBt/SILfx9WDJl0wNUmu
++zUwpiC2wrLFTgNOpq7g9wRPtg5mi8MXExWwSF2DlD54yxOOAvdVACJFBXEcstQ3
+SWg8gxljG8eLMpDjwoIBax3DZwiYZjkjJPeydSulh8vKoFBCQkf2PcImXdOk2HqO
+V1L7FROM6fKydeSLJbx17SNjVdQnq1OsyqSO0catAFNptMHBsN+tiCI29gpGegao
+umV9cnND69aYvyPBgvdtmzPChjSmc6rzW1yXCJDm2qzwm/BcwJNXW5B3EUPxc0qS
+Wste9fUna0G4l/WMuaIzVkuTgXf1/r9HeQbjtxAztxH0d0VgdHAWPDkUYmztcZ4s
+d0PWkVa18qSrOvyhI96gCzdvMRLX17m1kPvP5PlPulvqizjDs8BScqeSzGgSbbQV
+m5Tx4w2uF4/n3FBnABEBAAGJBEQEGAECAA8FAlwsRBECGwIFCQIKEgACKQkQFkaw
+G4blAxDBXSAEGQECAAYFAlwsRBEACgkQI+cWZ4i2Ph6B0g//cPis3v2M6XvAbVoM
+3GIMXnsVj1WAHuwA/ja7UfZJ9+kV/PiMLkAbW0fBj0/y0O3Ry12VVQGXhC+Vo4j6
+C8qwFP4OXa6EsxHXuvWMIztBaX1Kav613aXBtxp6tTrud0FFUh4sDc1RREb3tMr6
+y5cvFJgnrdWcX1gsl6ODcgWBGNc6ZX7H7j48hMR6KmNeZocW7p8W+BgDQJqXYwVN
+L15qOHzVAh0dWsFLE9gwBTmDCY03x9arxSNDGCXyxt6E77LbNVIoSRlEbkvi6j33
+nEbuERICYl6CltXQCyiVKjheJcLMjbgv5+bLCv2zfeJ/WyOmOGKpHRu+lBV1Gvli
+RxUblVlmjWPhYPBZXGyjII16Tqr+ilREcZFW+STccbrVct75JWLbxwlEmix+W1Hw
+SRCR+KHx3Cur4ZPMOBlPsFilOOsNa7ROUB56t7zv21Ef3BeeaCd9c4kzNGN8d1ic
+EqSXoWWPqgST0LZPtZyqWZVnWrHChVHfrioxhSnw8O3wY1A2GSahiCSvvjvOeEoJ
+yU21ZMw6AVyHCh6v42oYadBfGgFwNo5OCMhNxNy/CcUrBSDqyLVTM5QlNsT75Ys7
+kHHnc+Jk+xx4JpiyNCz5LzcPhlwpqnJQcjJdY1hDhK75Ormj/NfCMeZ8g1aVPX4x
+Eq8AMyZYhZ5/lmM+13Rdv8ZW6FK7HQ/+IAKzntxOjw0MzCXkksKdmIOZ2bLeOVI8
+aSLaUmoT5CLuoia9g7iFHlYrSY+01riRrAaPtYx0x8onfyVxL9dlW/Fv5+qc1fF5
+FxdhyIgdqgzm82TnXHu/haUxYmUvNrbsmmNl5UTTOf+YQHMccKFdYfZ2rCBtbN2n
+iXG1tuz2+k83pozu4mJ1rOOLNAsQoY3yR6OODte1FyOgp7blwDhTIoQb8/UiJ7CM
+BI3OPrfoXFAnhYoxeRSAN4UFu9/HIkqfaQgRPCZS1gNerWF6r6yz9AZWUZqjSJss
+jBqXCtK9bGbTYBZk+pw3H9Nd0RJ2WJ9qPqmlmUr1wdqct0ChsJx1xAT86QrssicJ
+/HFFmF45hlnGkHUBWLaVJt8YkLb/DqOIbVbwyCLQtJ80VQLEeupfmu5QNsTpntRY
+NKf8cr00uc8vSYXYFRxa5H5oRT1eoFEEjDDvokNnHXfT+Hya44IjYpzaqvAgeDp6
+sYlOdtWIv/V3s+trxACwTkRN7zw3lLTbT8PK9szK0fYZ5KHG1/AKH+mbZ6qNc/25
+PNbAFRtttLGuEIC3HJ12IAp2JdjioeD2OnWLu4ZeCT2CKKFsleZPrSyCrn3gyZPm
+fYvv5h2JbQNO6uweOrZENWX5SU43OBoplbuKJZsMP6p6NahuGnIeJLlv509JYAf/
+HN4ARyvvOpM=
+=SQ7t
 -----END PGP PUBLIC KEY BLOCK-----

packweb-apache/tasks/main.yml

@@ -3,7 +3,7 @@
 - fail:
     msg: only compatible with Debian >= 8
   when:
-  - ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<')
+    - ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<')
 
 - name: install info.php
   copy:
@@ -23,9 +23,9 @@
     state: "{{ item.state }}"
     mode: "{{ item.mode }}"
   with_items:
-  - { path: log, mode: "0750", state: directory }
+    - { path: log, mode: "0750", state: directory }
-  - { path: awstats, mode: "0750", state: directory }
+    - { path: awstats, mode: "0750", state: directory }
-  - { path: www, mode: "0750", state: directory }
+    - { path: www, mode: "0750", state: directory }
 
 - name: Apache log file (templates) are present
   command: "touch /etc/skel/log/{{ item }}"

php/tasks/main_stretch.yml

@@ -28,6 +28,7 @@
       - php-gettext
       - php-curl
       - php-ssh2
+      - php-zip
       - composer
       - libphp-phpmailer
 

rbenv/tasks/main.yml

@@ -14,6 +14,7 @@
     - libxml2-dev
     - libxslt1-dev
     - zlib1g-dev
+    - pkg-config
   tags:
     - rbenv
     - packages
@@ -78,10 +79,10 @@
 - name: "Rbenv is initialized in profile for {{ username }}"
   blockinfile:
     dest: '~{{ username }}/.profile'
+    marker: "# {mark} ANSIBLE MANAGED RBENV INIT"
     block: |
       export PATH="{{ rbenv_root }}/bin:$PATH"
       eval "$(rbenv init -)"
-    marker: "# {mark} ANSIBLE MANAGED RBENV INIT"
   become_user: "{{ username }}"
   become: yes
   tags:

redis/defaults/main.yml

@@ -8,7 +8,10 @@ redis_unixsocket: '/var/run/redis/redis.sock'
 redis_pidfile: "/var/run/redis/{{ redis_daemon }}.pid"
 redis_timeout: 300
 
+# for client authorization
 redis_password: NULL
+# for slave authorization on master
+redis_password_master: "{{ redis_password }}"
 
 redis_loglevel: "notice"
 redis_logfile: /var/log/redis/redis-server.log
@@ -37,3 +40,8 @@ redis_protected_mode: "yes"
 
 # Add extra include files for local configuration/overrides.
 redis_includes: []
+
+redis_restart_if_needed: True
+redis_restart_force: False
+
+redis_disabled_commands: []

redis/handlers/main.yml

@@ -4,6 +4,11 @@
     name: "{{ redis_daemon }}"
     state: restarted
 
+- name: restart redis (noop)
+  meta: noop
+  failed_when: False
+  changed_when: False
+
 - name: restart munin-node
   service:
     name: munin-node

redis/tasks/instances.yml

@@ -52,6 +52,17 @@
   tags:
     - redis
 
+- name: Ensure redis base folders will be accessible for all instances
+  file:
+    dest: "{{ item }}"
+    state: directory
+    mode: "0755"
+    owner: "redis"
+    group: "redis"
+  with_items:
+    - "/var/lib/redis"
+    - "/var/log/redis"
+
 - name: Instances directories are present
   file:
     dest: "{{ item }}"
@@ -60,9 +71,7 @@
     owner: "redis-{{ redis_instance_name }}"
     group: "redis-{{ redis_instance_name }}"
   with_items:
-    - "/var/lib/redis"
     - "{{ redis_dbdir }}"
-    - "/var/log/redis"
     - "{{ redis_logfile | dirname }}"
   tags:
     - redis

redis/tasks/main.yml

@@ -1,4 +1,8 @@
 ---
+
+- set_fact:
+    redis_restart_handler_name: "{{ redis_restart_if_needed | ternary('restart redis', 'restart redis (noop)') }}"
+
 - name: Redis is installed.
   apt:
     name: "{{ item }}"
@@ -32,7 +36,7 @@
     src: redis.conf.j2
     dest: "{{ redis_conf_path }}"
     mode: "0644"
-  notify: restart redis
+  notify: "{{ redis_restart_handler_name }}"
   when: redis_instance_name is not defined
   tags:
     - redis
@@ -55,7 +59,19 @@
     - munin
 
 - include: munin.yml
-  when: _munin_installed.stat.exists and _munin_installed.stat.isdir
+  when:
+    - _munin_installed.stat.exists
+    - _munin_installed.stat.isdir
+    - redis_instance_name is not defined
+  tags:
+    - redis
+    - munin
+
+- include: munin-instances.yml
+  when:
+    - _munin_installed.stat.exists
+    - _munin_installed.stat.isdir
+    - redis_instance_name is defined
   tags:
     - redis
     - munin
@@ -74,3 +90,8 @@
   tags:
     - redis
     - nrpe
+
+- name: Force restart redis
+  command: /bin/true
+  notify: restart redis
+  when: redis_restart_force

redis/tasks/munin-instances.yml

@@ -0,0 +1,61 @@
+---
+- name: Install munin check dependencies
+  apt:
+    name: libswitch-perl
+    state: present
+  tags:
+    - redis
+
+- include_role:
+    name: remount-usr
+  tags:
+    - redis
+
+- name: Create plugin directory
+  file:
+    name: /usr/local/share/munin/
+    state: directory
+    mode: "0755"
+  tags:
+    - redis
+
+- name: Create plugin directory
+  file:
+    name: /usr/local/share/munin/plugins/
+    state: directory
+    mode: "0755"
+  tags:
+    - redis
+
+- name: Copy redis munin plugin
+  copy:
+    src: munin_redis
+    dest: /usr/local/share/munin/plugins/redis_
+    mode: "0755"
+  notify: restart munin-node
+  tags:
+    - redis
+
+- name: Enable redis munin plugin
+  file:
+    src: /usr/local/share/munin/plugins/redis_
+    dest: "/etc/munin/plugins/{{ redis_instance_name }}_redis_{{item}}"
+    state: link
+  with_items:
+    - connected_clients
+    - key_ratio
+    - keys_per_sec
+    - per_sec
+    - used_keys
+    - used_memory
+  notify: restart munin-node
+  tags:
+    - redis
+
+- name: Configure redis plugin for munin
+  template:
+    src: templates/munin-plugin-instances.conf.j2
+    dest: '/etc/munin/plugin-conf.d/evolinux.redis_{{ redis_instance_name }}'
+    mode: 0740
+  notify: restart munin-node
+  tags: redis

redis/tasks/nrpe_stretch.yml

@@ -12,6 +12,18 @@
     dest: /etc/nagios/nrpe.d/evolix.cfg
     regexp: '^command\[check_redis\]=.+'
     replace: 'command[check_redis]=/usr/lib/nagios/plugins/check_redis -H 127.0.0.1'
+  when: redis_instance_name is undefined
+  notify: restart nagios-nrpe-server
+  tags:
+    - redis
+    - nrpe
+
+- name: Replace check_tcp or check_redis by check_redis_instances for NRPE
+  replace:
+    dest: /etc/nagios/nrpe.d/evolix.cfg
+    regexp: '^command\[check_redis\]=.+'
+    replace: 'command[check_redis]=/usr/local/lib/nagios/plugins/check_redis_instances'
+  when: redis_instance_name is defined
   notify: restart nagios-nrpe-server
   tags:
     - redis

redis/templates/munin-plugin-instances.conf.j2

@@ -0,0 +1,8 @@
+# Ansible managed
+
+[{{ redis_instance_name }}_redis_*]
+env.title_prefix Instance {{ redis_instance_name }}
+env.port {{ redis_port }}
+{% if redis_password %}
+env.password {{ redis_password }}
+{% endif %}

redis/templates/redis.conf.j2

@@ -9,7 +9,9 @@ unixsocket {{ redis_unixsocket }}
 
 {% if redis_password %}
 requirepass {{ redis_password }}
-masterauth {{ redis_password }}
+{% endif %}
+{% if redis_password_master %}
+masterauth {{ redis_password_master }}
 {% endif %}
 
 timeout {{ redis_timeout }}
@@ -49,6 +51,10 @@ appendonly {{ redis_appendonly }}
 appendfsync {{ redis_appendfsync }}
 no-appendfsync-on-rewrite no
 
+{% for disabled_command in redis_disabled_commands %}
+rename-command {{ disabled_command }} ""
+{% endfor %}
+
 {% for include in redis_includes %}
 include {{ include }}
 {% endfor %}

squid/files/evolinux-whitelist-defaults.conf

@@ -105,6 +105,7 @@
 ^www\.phpbb\.com$
 ^www\.typolight\.org$
 ^www\.spip\.net$
+^packagist\.org$
 
 ### Feeds / API / WS Tools / ...
 

webapps/evoadmin-mail/defaults/main.yml

@@ -3,22 +3,7 @@ general_alert_email: "root@localhost"
 evoadminmail_contact_email: Null
 evoadminmail_bounce_email: "{{ evoadminmail_contact_email }}"
 
-evoadminmail_username: evoadmin-mail
-evoadminmail_home_dir: "/home/{{ evoadminmail_username }}"
-evoadminmail_document_root: "{{ evoadminmail_home_dir }}/www"
-evoadminmail_log_dir: "{{ evoadminmail_home_dir }}/log"
-evoadminmail_scripts_dir: /usr/share/scripts/
 evoadminmail_host: "evoadminmail.{{ ansible_fqdn }}"
 
 evoadminmail_enable_vhost: True
 evoadminmail_webserver: apache
-
-evoadminmail_tpl_servername: "{{ ansible_fqdn }}"
-evoadminmail_tpl_address:  "{{ ansible_default_ipv4.address }}"
-evoadminmail_tpl_phpmyadmin_url: Null
-evoadminmail_tpl_cgi_suffix: Null
-evoadminmail_tpl_signature: evoadmin
-evoadminmail_tpl_mail_from: root@localhost
-evoadminmail_tpl_mail_bcc: Null
-evoadminmail_tpl_mail_standard: "{{ general_alert_email }}"
-evoadminmail_tpl_mail_urgent: "{{ general_alert_email }}"

webapps/evoadmin-mail/files/pool.evoadmin-mail.conf

@@ -1,6 +1,6 @@
 [evoadmin-mail]
 
-user = www-evoadmin-mail
+user = evoadmin-mail
 group = evoadmin-mail
 
 listen = /run/php/php7.0-evoadmin-mail-fpm.sock
@@ -12,3 +12,4 @@ listen.group = www-data
 pm = ondemand
 pm.max_children = 25
 
+env[EVOADMINMAIL_CONFIG_FILE] = /etc/evoadmin-mail/config.ini

webapps/evoadmin-mail/handlers/main.yml

@@ -11,5 +11,5 @@
 
 - name: reload php-fpm
   service:
-    name: php7.0-fpm 
+    name: php7.0-fpm
-    state: reload 
+    state: reloaded

webapps/evoadmin-mail/tasks/apache.yml

@@ -1,30 +1,27 @@
 ---
-
-- name: "Set custom values for PHP config (Debian 9 or later)"
-  ini_file:
-    dest: /etc/php/7.0/apache2/conf.d/zzz-evolinux-custom.ini
-    section: PHP
-    option: "disable_functions"
-    value: "shell-exec,system,passthru,putenv,popen,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority"
-  notify: reload apache2
-  when: ansible_distribution_major_version | version_compare('9', '>=')
-
 - name: Install evoadminmail VHost
   template:
     src: apache_evoadminmail.conf.j2
     dest: /etc/apache2/sites-available/evoadminmail.conf
   notify: reload apache2
+  tags:
+    - evoadmin-mail
 
 - name: Enable evoadminmail vhost
-  command: "a2ensite evoadminmail.conf"
+  file:
-  register: cmd_a2ensite
+    src: "/etc/apache2/sites-available/evoadminmail.conf"
-  changed_when: "'Enabling site' in cmd_a2ensite.stdout"
+    dest: "/etc/apache2/sites-enabled/evoadminmail.conf"
+    state: link
   notify: reload apache2
   when: evoadminmail_enable_vhost
+  tags:
+    - evoadmin-mail
 
 - name: Disable evoadminmail vhost
-  command: "a2dissite evoadminmail.conf"
+  file:
-  register: cmd_a2dissite
+    dest: "/etc/apache2/sites-enabled/evoadminmail.conf"
-  changed_when: "'Disabling site' in cmd_a2dissite.stdout"
+    state: absent
   notify: reload apache2
   when: not evoadminmail_enable_vhost
+  tags:
+    - evoadmin-mail

webapps/evoadmin-mail/tasks/config.yml

@@ -1,17 +0,0 @@
----
-
-- name: "Create /etc/evolinux"
-  file:
-    dest: "/etc/evolinux"
-    recurse: yes
-    state: directory
-
-#- name: Configure web-add config file
-#  template:
-#    src: web-add.conf.j2
-#    dest: /etc/evolinux/web-add.conf
-#
-#- name: Configure web-add template file for mail
-#  template:
-#    src: web-mail.tpl.j2
-#    dest: "{{ evoadminmail_scripts_dir }}/web-mail.tpl"

webapps/evoadmin-mail/tasks/main.yml

@@ -1,10 +1,19 @@
 ---
+- name: Install evoadmin-mail package
+  apt:
+    name: evoadmin-mail
+    state: present
+  tags:
+    - evoadmin-mail
 
-- include: packages.yml
+- name: Configure contact mail
-
+  ini_file:
-- include: user.yml
+    dest: /etc/evoadmin-mail/config.ini
-
+    section: global
-- include: config.yml
+    option: mail
+    value: "\"{{ evoadminmail_contact_email or general_alert_email | mandatory }}\""
+  tags:
+    - evoadmin-mail
 
 - include: ssl.yml
 
@@ -21,3 +30,5 @@
     regexp: "EvoAdmin-mail"
     line: '            <li><a href="https://{{ evoadminmail_host }}">Interface admin mail (EvoAdmin-mail)</a></li>'
     insertbefore: "</ul>"
+  tags:
+    - evoadmin-mail

webapps/evoadmin-mail/tasks/nginx.yml

@@ -1,25 +1,19 @@
 ---
-
-- name: "Set custom values for PHP config (Debian 9 or later)"
-  ini_file:
-    dest: /etc/php/7.0/fpm/conf.d/zzz-evolinux-custom.ini
-    section: PHP
-    option: "disable_functions"
-    value: "shell-exec,system,passthru,putenv,popen,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority"
-  notify: reload nginx
-  when: ansible_distribution_major_version | version_compare('9', '>=')
-
 - name: Copy php-fpm evoadmin-mail pool
   copy:
     src: pool.evoadmin-mail.conf
     dest: /etc/php/7.0/fpm/pool.d/evoadmin-mail.conf
   notify: reload php-fpm
+  tags:
+    - evoadmin-mail
 
 - name: Install evoadminmail VHost
   template:
     src: nginx_evoadminmail.conf.j2
     dest: /etc/nginx/sites-available/evoadminmail.conf
   notify: reload nginx
+  tags:
+    - evoadmin-mail
 
 - name: Active evoadminmail VHost     
   file:
@@ -28,8 +22,14 @@
     state: link
   notify: reload nginx
   when: evoadminmail_enable_vhost
+  tags:
+    - evoadmin-mail
 
 - name: Disable evoadminmail vhost
-  command: "unlink /etc/nginx/sites-enabled/evoadminmail.conf"
+  file:
+    dest: "/etc/nginx/sites-enabled/evoadminmail.conf"
+    state: absent
   notify: reload nginx
   when: not evoadminmail_enable_vhost
+  tags:
+    - evoadmin-mail

webapps/evoadmin-mail/tasks/packages.yml

@@ -1,15 +0,0 @@
----
-
-- include_role:
-    name: apt
-    tasks_from: evolix_public.yml
-
-- name: Install PHP packages
-  apt:
-    name: '{{ item }}'
-    state: present
-  with_items:
-  - php-pear
-  - php-log
-  - php-crypt-chap
-  - php-twig

webapps/evoadmin-mail/tasks/ssl.yml

@@ -1,24 +1,30 @@
 ---
-
-
 - name: ssl-cert package is installed
   apt:
     name: ssl-cert
     state: present
+  tags:
+    - evoadmin-mail
 
 - name: Create private key and csr for default site ({{ ansible_fqdn }})
   command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ evoadminmail_host }}.key -out /etc/ssl/{{ evoadminmail_host }}.csr -batch -subj "/CN={{ evoadminmail_host }}"
   args:
     creates: "/etc/ssl/private/{{ evoadminmail_host }}.key"
+  tags:
+    - evoadmin-mail
 
 - name: Adjust rights on private key
   file:
-    path: /etc/ssl/private/{{ evoadminmail_host }}.key
+    dest: /etc/ssl/private/{{ evoadminmail_host }}.key
     owner: root
     group: ssl-cert
     mode: "0640"
+  tags:
+    - evoadmin-mail
 
 - name: Create certificate for default site
   command: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ evoadminmail_host }}.csr -signkey /etc/ssl/private/{{ evoadminmail_host }}.key -out /etc/ssl/certs/{{ evoadminmail_host }}.crt
   args:
     creates: "/etc/ssl/certs/{{ evoadminmail_host }}.crt"
+  tags:
+    - evoadmin-mail

webapps/evoadmin-mail/tasks/user.yml

@@ -1,121 +0,0 @@
----
-
-- name: Create evoadmin account
-  user:
-    name: "{{ evoadminmail_username }}"
-    comment: "Evoadmin Web Account"
-    home: "{{ evoadminmail_home_dir}}"
-    shell: /bin/bash
-    password: "!"
-
-- name: Create log/ directory
-  file:
-    path: "{{ evoadminmail_home_dir}}/log"
-    state: directory
-    owner: "{{ evoadminmail_username }}"
-    group: "{{ evoadminmail_username }}"
-    mode: "0750"
-
-- name: Create www-evoadminmail group
-  group:
-    name: "www-{{ evoadminmail_username }}"
-    state: present
-
-- name: "Create www-evoadmin (Debian 9 or later)"
-  user:
-    name: "www-{{ evoadminmail_username }}"
-    home: "{{ evoadminmail_home_dir}}/www"
-    shell: /bin/bash
-    createhome: no
-  when: ansible_distribution_major_version | version_compare('9', '>=')
-
-- name: Add www-data to app's group
-  user:
-    name: 'www-data'           
-    groups: "{{ evoadminmail_username }}"
-    append: yes                
-  when: evoadminmail_webserver == "nginx"
-
-- name: Install Git
-  apt:
-    name: git
-    state: present
-
-- name: "Clone evoadmin repository (Debian 9 or later)"
-  git:
-    repo: https://forge.evolix.org/evoadmin-mail.git
-    dest: "{{ evoadminmail_document_root}}"
-    version: master
-    update: yes
-  when: ansible_distribution_major_version | version_compare('9', '>=')
-
-- name: "Change perms on evoadminmail document root"
-  file:
-    dest: "{{ evoadminmail_document_root }}"
-    owner: "www-{{ evoadminmail_username }}"
-    group: "{{ evoadminmail_username }}"
-    recurse: yes
-
-- name: "Copy connect.php"
-  template:
-    src: connect.php.j2
-    dest: "{{ evoadminmail_document_root }}/htdocs/config/connect.php"
-    owner: "www-{{ evoadminmail_username }}"
-    group: "{{ evoadminmail_username }}"
-  when: ldap_admin_password is defined
-
-- name: "Copy conf.php"
-  template:
-    src: conf.php.j2
-    dest: "{{ evoadminmail_document_root }}/htdocs/config/conf.php"
-    owner: "www-{{ evoadminmail_username }}"
-    group: "{{ evoadminmail_username }}"
-
-- name: create a password for evoadmin user
-  command: "apg -n 1 -m 16 -M lcN"
-  register: evoadminmail_admin_password
-  changed_when: False
-
-- name: upload ldif for evoadmin user
-  template:
-    src: evoadmin.ldif.j2
-    dest: /root/evolinux_evoadminmail_admin.ldif
-    mode: "0640"
-
-- name: inject config
-  command: slapadd -l /root/evolinux_evoadminmail_admin.ldif
-
-- name: create log file
-  file:
-    dest: /var/log/evoadmin-mail.log
-    state: touch
-    owner: "www-{{ evoadminmail_username }}"
-    group: "adm"
-    mode: "0640"
-
-- include_role:
-    name: remount-usr
-  when: evoadminmail_scripts_dir | search ("/usr")
-
-- name: "Create {{ evoadminmail_scripts_dir }}"
-  file:
-    dest: "{{ evoadminmail_scripts_dir }}"
-    # recurse: yes
-    mode: "0700"
-    state: directory
-
-# we use a shell command to have a "changed" thet really reflects the result.
-- name: Fix permissions
-  shell: "chmod -R --verbose u=rwX,g=rX,o= {{ item }}"
-  register: command_result
-  changed_when: "'changed' in command_result.stdout"
-  # failed_when: False
-  with_items:
-  - "{{ evoadminmail_home_dir}}/www"
-
-#- name: Add evoadmin sudoers file
-#  template:
-#    src: sudoers.j2
-#    dest: /etc/sudoers.d/evoadmin
-#    mode: "0600"
-#    validate: "visudo -cf %s"

webapps/evoadmin-mail/templates/apache_evoadminmail.conf.j2

@@ -10,7 +10,7 @@
     #ServerAlias {{ evoadminmail_host }}
 
     # Repertoire principal
-    DocumentRoot {{ evoadminmail_document_root }}/htdocs/
+    DocumentRoot /usr/share/evoadmin-mail/
 
     # SSL
     SSLEngine on
@@ -19,7 +19,7 @@
     SSLProtocol all -SSLv2 -SSLv3
 
     # Propriete du repertoire
-    <Directory {{ evoadminmail_document_root }}/htdocs/>
+    <Directory /usr/share/evoadmin-mail/>
         #Options Indexes SymLinksIfOwnerMatch
         Options SymLinksIfOwnerMatch
         AllowOverride AuthConfig Limit FileInfo Indexes
@@ -27,15 +27,15 @@
     </Directory>
 
     # user - group (thanks to sesse@debian.org)
-    AssignUserID www-{{ evoadminmail_username }} {{ evoadminmail_username }}
+    AssignUserID evoadmin-mail evoadmin-mail
 
     # LOG
     CustomLog /var/log/apache2/access.log combined
-    CustomLog {{ evoadminmail_log_dir }}/access.log combined
+    ErrorLog  /var/log/apache2/error.log
-    ErrorLog  {{ evoadminmail_log_dir }}/error.log
 
     # AWSTATS
-    SetEnv AWSTATS_FORCE_CONFIG {{ evoadminmail_username }}
+    SetEnv AWSTATS_FORCE_CONFIG evoadmin-mail
+    SetEnv EVOADMINMAIL_CONFIG_FILE /etc/evoadmin-mail/config.ini
 
     # REWRITE
     UseCanonicalName On
@@ -53,6 +53,5 @@
     #php_admin_value max_execution_time 60
     #php_admin_value upload_max_filesize 8M
     #php_admin_flag allow_url_fopen Off
-    php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f www-{{ evoadminmail_username }}"
     php_admin_value open_basedir "none"
 </VirtualHost>

webapps/evoadmin-mail/templates/conf.php.j2

@@ -1,56 +0,0 @@
-<?php
-
-// Email pour les notifications
-$conf['admin']['mail'] = '{{ evoadminmail_contact_email or general_alert_email | mandatory }}';
-// login des superadmins
-// Note: utile uniquement si domaines/driver=ldap, laisser vide sinon...
-$conf['admin']['logins'] = array('evoadmin');
-// What do you want?
-// 0 = nothing...
-// 1 = only mail accounts
-// 2 = only samba accounts
-// 3 = mail and samba accounts
-$conf['admin']['what'] = 1;
-// use hook.php instead of hook-dist.php
-$conf['admin']['use_hook'] = false;
-// enable quota
-$conf['admin']['quota'] = true;
-
-// compatibilite LDAP
-$conf['evoadmin']['version'] = 3;
-$conf['url']['webroot'] = '/';
-
-$conf['domaines']['onlyone'] = false;
-$conf['domaines']['driver'] = 'ldap';
-$conf['domaines']['file']['all'] = array('example.com');
-$conf['domaines']['file']['gid'] = 1000;
-// Pack Mail "virtuel"... attention
-// uniquement possible si $conf['admin']['what']=1 !!
-$conf['domaines']['ldap']['virtual'] = true;
-
-// Mode cluster
-// Uniquement en mode mail seul et des utilisateurs virtuels
-$conf['evoadmin']['cluster'] = false;
-
-// auth SMTP by default ?
-$conf['evoadmin']['useauthsmtp'] = false;
-
-// Si comptes virtuels
-$conf['unix']['uid'] = 5000;
-
-// Si pas virtuel
-$conf['unix']['minuid'] = 1000;
-$conf['unix']['mingid'] = 1000;
-
-$conf['html']['title'] = "Evoadmin Mail";
-
-// gestion des logs
-$conf['log']['priority'] = PEAR_LOG_DEBUG;
-$conf['log']['name'] = '/var/log/evoadmin-mail.log';
-$conf['log']['software'] = 'evoadminmail';
-$conf['log']['enabled'] = true;
-
-// samba
-$conf['samba']['dn'] = 'DOMAINNAME';
-$conf['samba']['sid'] = 'S-1-5-21-XXX-XXX-XXX';
-$conf['samba']['admin_default'] = false;

webapps/evoadmin-mail/templates/connect.php.j2

@@ -1,28 +0,0 @@
-<?php
-
-/**
- * Secrete parameters
- *
- * $Id: connect-dist.php,v 1.3 2007-05-22 21:12:23 reg Exp $
- *
- * @author Gregory Colpart <reg@evolix.fr>
- * @version 1.0
- */
-
-define("LDAP_URI","ldap://127.0.0.1");
-$ldap_servers = array('ldap://127.0.0.1');
-define("LDAP_BASE","{{ ldap_suffix }}");
-define("LDAP_ADMIN_DN","cn=admin,{{ ldap_suffix }}");
-define("LDAP_ADMIN_PASS","{{ ldap_admin_password.stdout }}");
-
-define("SUDOBIN","/usr/bin/sudo");
-define("SUDOSCRIPT","/usr/share/scripts/evoadmin.sh");
-define("SUDOPASS","xxxxxx");
-
-define('SERVEUR','localhost');
-define('SERVEURPORT',3306);
-define('BASE','horde');
-define('NOM', 'horde');
-define('PASSE', 'xxxx');
-
-?>

webapps/evoadmin-mail/templates/evoadmin.ldif.j2

@@ -1,12 +0,0 @@
-dn: uid=evoadmin,{{ ldap_suffix }}
-uid: evoadmin
-cn: Evoadmin ADM
-uidNumber: 4242
-gidNumber: 4242
-homeDirectory: /dev/null
-isAdmin: TRUE
-mailacceptinggeneralid: evoadmin@{{ ansible_fqdn }}
-objectClass: mailAccount
-objectClass: organizationalRole
-objectClass: posixAccount
-userPassword: {{ evoadminmail_admin_password.stdout }}

webapps/evoadmin-mail/templates/nginx_evoadminmail.conf.j2

@@ -18,10 +18,10 @@ server {
     access_log  /var/log/nginx/access.log;
     error_log  /var/log/nginx/error.log;
     
-    root {{ evoadminmail_document_root }}/htdocs/;
+    root /usr/share/evoadmin-mail/;
     
     location / {
-        index  index.html index.htm;    
+        try_files $uri $uri/ /index.php?$args;
     }   
         
     location ~ \.php$ {        

webapps/evoadmin-mail/templates/sudoers.j2

@@ -1,3 +0,0 @@
-User_Alias EVOADMIN = www-evoadmin
-Cmnd_Alias EVOADMIN_WEB = {{ evoadmin_scripts_dir | mandatory }}/web-*.sh, {{ evoadmin_scripts_dir | mandatory }}/ftpadmin.sh
-EVOADMIN ALL=NOPASSWD: EVOADMIN_WEB

webapps/evoadmin-mail/templates/web-add.conf.j2

@@ -1,2 +0,0 @@
-CONTACT_MAIL="{{ evoadmin_contact_email or general_alert_email | mandatory }}"
-WWWBOUNCE_MAIL="{{ evoadmin_bounce_email or general_alert_email | mandatory }}"

webapps/evoadmin-mail/templates/web-mail.tpl.j2

@@ -1,86 +0,0 @@
-From: {{ evoadmin_tpl_mail_from }}
-To: RCPTTO
-Bcc: {{ evoadmin_tpl_mail_bcc }}
-Subject: Parametres hebergement web : LOGIN
-
-Bonjour,
-
-Votre compte d'hebergement web a ete cree.
-
-**********************************
-* CONNEXION SFTP/SSH
-**********************************
-
-NOM DU SERVEUR : {{ evoadmin_tpl_servername }}
-USER : LOGIN
-PASSWORD : PASSE1
-
-*****************************************
-* Details sur l'environnement Apache/PHP
-*****************************************
-
-URL du site :
-http://{{ evoadmin_tpl_servername }}
-
-URL des stats :
-http://{{ evoadmin_tpl_servername }}/cgi-RANDOM/awstats.pl
-(acces par IP ou login a demander !)
-
-Repertoire de connexion : HOME_DIR/LOGIN/
-Repertoire pour site web : HOME_DIR/LOGIN/www/
-
-Apache/PHP tourne en www-LOGIN:LOGIN c'est-a-dire qu'il a acces
-uniquement *en lecture* aux differents fichiers/repertoires
-(a condition d'avoir 'g=rx' sur les repertoires et 'g=r' sur les
-fichiers ce qui est le comportement par defaut).
-
-Lorsqu'on a besoin d'autoriser *l'ecriture* pour certains
-fichiers/repertoires, il suffit d'ajouter le droit 'g+w'.
-
-***********************************
-* MySQL
-***********************************
-
-SERVEUR : 127.0.0.1
-PORT DU SERVEUR : 3306
-USER : LOGIN
-PASSWORD : PASSE2
-NOM BASE : DBNAME
-URL interface d'admin :
-{{ evoadmin_tpl_phpmyadmin_url }}
-
-***********************************
-* Rappels divers
-***********************************
-
-Votre nom de domaine doit etre configure pour pointer
-sur l'adresse IP {{ evoadmin_tpl_address }} (enregistrement DNS A)
-ou etre un alias de {{ evoadmin_tpl_servername }} (enregistrement DNS CNAME).
-
-Si vous avez besoin de faire des tests, vous devez
-ajouter la ligne suivante au fichier "/etc/hosts" sous Linux/Unix
-ou au fichier "system32\drivers\etc\hosts" sous Windows NT/XP :
-{{ evoadmin_tpl_address }} {{ evoadmin_tpl_servername }}
-
-Attention, par defaut, toutes les connexions vers l'exterieur
-sont bloquees. Si vous avez besoin de recuperer des donnees
-a l'exterieur (flux RSS, BDD externe, etc.), contactez nous
-afin de mettre en oeuvre les autorisations necessaires.
-
-Afin de securiser au maximum le serveur, certaines URL
-particulieres sont non autorisees pour eviter diverses
-attaques (XSS, robots, trojans, injections, etc.).
-Exemple d'URL refusee :
-http://{{ evoadmin_tpl_servername }}/cmd32.exe
-En cas de soucis avec votre application, prevenez-nous.
-
-Si vous desirez mettre en place des parametres particuliers
-pour votre site (PHP, etc.) ou pour tout autre demande (scripts en crontab,
-etc.), n'hesitez pas a nous contacter a l'adresse
-{{ evoadmin_tpl_mail_standard }} (ou {{ evoadmin_tpl_mail_urgent }} si votre demande est
-urgente).
-
-
-Cordialement,
---
-{{ evoadmin_tpl_signature }}