diff --git a/CHANGELOG.md b/CHANGELOG.md index a03d0c98..06abf68b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,19 +12,33 @@ The **patch** part changes incrementally at each release. ### Added +* Preliminary support for Debian 11 « Bullseye » +* apache: new variable for mpm mode (+ updated default config accordingly) * certbot: add script for manual deploy hooks execution * listupgrade: crontab is configurable +* mongodb: create munin plugins directory if missing +* redis: instance service for Debian 11 ### Changed +* Use python3 modules for Debian 11 and later +* elasticsearch: 7.x by default +* evolinux-base: force Debian version to buster for Evolix repository (temporary) +* kibana: 7.x by default * listupgrade: upstream release 21.06.3 +* mysql: mariadb-client-10.5 on Debian 11 +* mysql: use python3 with Debian 11 and later * squid: improve default whitelist (more specific patterns) +* squid: must be started in foreground mode for systemd +* squid: remove obsolete variable on Squid 4 ### Fixed * certbot: sync_remote excludes itself ### Removed +* php: remove php-gettext for 7.4 + ### Security ## [10.6.0] 2021-06-28 diff --git a/apache/tasks/server_status.yml b/apache/tasks/server_status.yml index 2ca77951..efd2b00e 100644 --- a/apache/tasks/server_status.yml +++ b/apache/tasks/server_status.yml @@ -33,6 +33,7 @@ - debug: var: apache_serverstatus_suffix + verbosity: 1 - name: replace server-status suffix in default site index replace: diff --git a/apt/files/bullseye_backports_preferences b/apt/files/bullseye_backports_preferences new file mode 100644 index 00000000..3a667c93 --- /dev/null +++ b/apt/files/bullseye_backports_preferences @@ -0,0 +1,3 @@ +Package: * +Pin: release a=bullseye-backports +Pin-Priority: 50 diff --git a/apt/tasks/basics.yml b/apt/tasks/basics.yml index fee1430a..33c79129 100644 --- a/apt/tasks/basics.yml +++ b/apt/tasks/basics.yml 
@@ -19,6 +19,7 @@ - /etc/apt/sources.list.d/debian-jessie.list - /etc/apt/sources.list.d/debian-stretch.list - /etc/apt/sources.list.d/debian-buster.list + - /etc/apt/sources.list.d/debian-bullseye.list - /etc/apt/sources.list.d/debian-update.list when: apt_clean_gandi_sourceslist | bool tags: diff --git a/apt/templates/bullseye_backports.list.j2 b/apt/templates/bullseye_backports.list.j2 new file mode 100644 index 00000000..ab989dec --- /dev/null +++ b/apt/templates/bullseye_backports.list.j2 @@ -0,0 +1,3 @@ +# {{ ansible_managed }} + +deb http://mirror.evolix.org/debian bullseye-backports {{ apt_backports_components | mandatory }} diff --git a/apt/templates/bullseye_basics.list.j2 b/apt/templates/bullseye_basics.list.j2 new file mode 100644 index 00000000..5e0a0a53 --- /dev/null +++ b/apt/templates/bullseye_basics.list.j2 @@ -0,0 +1,5 @@ +# {{ ansible_managed }} + +deb http://mirror.evolix.org/debian bullseye {{ apt_basics_components | mandatory }} +deb http://mirror.evolix.org/debian/ bullseye-updates {{ apt_basics_components | mandatory }} +deb http://security.debian.org/ bullseye-security {{ apt_basics_components | mandatory }} diff --git a/apt/templates/evolix_public.list.j2 b/apt/templates/evolix_public.list.j2 index 06de99c0..25156cd0 100644 --- a/apt/templates/evolix_public.list.j2 +++ b/apt/templates/evolix_public.list.j2 @@ -1,3 +1,8 @@ # {{ ansible_managed }} +{% if ansible_distribution_release == 'bullseye' %} +# Force previous Debian version (temporary) +deb http://pub.evolix.net/ buster/ +{% else %} deb http://pub.evolix.net/ {{ ansible_distribution_release }}/ +{% endif %} diff --git a/bullseye-detect/tasks/main.yml b/bullseye-detect/tasks/main.yml new file mode 100644 index 00000000..6f97db0a --- /dev/null +++ b/bullseye-detect/tasks/main.yml 
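Review bot: In `bullseye_basics.list.j2` the third entry, `deb http://security.debian.org/ bullseye-security ...`, points at the archive root, while the line Debian documents for bullseye is `deb http://security.debian.org/debian-security bullseye-security main`. Please confirm that the root path really serves the `bullseye-security` suite, because a source that fails to fetch leaves hosts without security updates. The first two entries also differ in their trailing slash (`/debian` vs `/debian/`), which is harmless but makes later greps and clean-ups harder. All three sources are plain HTTP; APT's signature check still protects package integrity, so that part is an observation rather than a blocker.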
@@ -0,0 +1,8 @@ +--- + +# Force facts until Debian 11 is released because Ansible is dumb +- set_fact: + ansible_distribution_major_version: 11 + ansible_distribution: "Debian" + ansible_distribution_release: "bullseye" + when: "ansible_lsb.codename == 'bullseye' or ansible_lsb.release == 'testing/unstable'" \ No newline at end of file diff --git a/docker-host/tasks/main.yml b/docker-host/tasks/main.yml index d3a41a28..796c800d 100644 --- a/docker-host/tasks/main.yml +++ b/docker-host/tasks/main.yml @@ -40,9 +40,20 @@ apt: name: - docker-ce - - python-docker update_cache: yes +- name: python-docker is installed + apt: + name: python-docker + state: present + when: ansible_distribution_major_version is version('10', '<=') + +- name: python3-docker is installed + apt: + name: python3-docker + state: present + when: ansible_distribution_major_version is version('10', '>') + - name: Copy Docker daemon configuration file template: src: daemon.json.j2 diff --git a/elasticsearch/defaults/main.yml b/elasticsearch/defaults/main.yml index eb254807..2b891953 100644 --- a/elasticsearch/defaults/main.yml +++ b/elasticsearch/defaults/main.yml @@ -1,5 +1,5 @@ --- -elastic_stack_version: "6.x" +elastic_stack_version: "7.x" elasticsearch_cluster_name: Null elasticsearch_cluster_members: Null diff --git a/elasticsearch/files/elastic.gpg b/elasticsearch/files/elastic.gpg new file mode 100644 index 00000000..2508ddc9 Binary files /dev/null and b/elasticsearch/files/elastic.gpg differ diff --git a/elasticsearch/tasks/packages.yml b/elasticsearch/tasks/packages.yml index da154593..b1291d4a 100644 --- a/elasticsearch/tasks/packages.yml +++ b/elasticsearch/tasks/packages.yml @@ -52,4 +52,4 @@ name: elasticsearch enabled: yes tags: - - elasticsearch + - elasticsearch diff --git a/evolinux-base/meta/main.yml b/evolinux-base/meta/main.yml index 84c001c1..83ed8538 100644 --- a/evolinux-base/meta/main.yml +++ b/evolinux-base/meta/main.yml 
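Review bot: The `when` on this `set_fact` in `bullseye-detect/tasks/main.yml` also matches `ansible_lsb.release == 'testing/unstable'`, so any host on testing or sid is relabelled as bullseye, and that stays true after bullseye is released and testing moves on. The condition reads `ansible_lsb`, which is normally populated only when `lsb_release` exists on the target, so on other hosts it probably fails on an undefined attribute; `ansible_lsb.codename | default('') == 'bullseye'` would be safer. `ansible_distribution_major_version: 11` is written as a YAML integer while the gathered fact is a string, so `"11"` keeps equality comparisons in other roles working. The comment should also say when this role is meant to be removed.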
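Review bot: In `docker-host/tasks/main.yml` the choice between `python-docker` and `python3-docker` is keyed on `ansible_distribution_major_version`, but what the Ansible modules need is the binding for the interpreter Ansible runs under on the target. A buster host managed with a Python 3 interpreter would get the Python 2 package and the module import would still fail; a condition on the interpreter, e.g. `when: ansible_python.version.major == 3`, tracks the real requirement. The same version-based split is repeated for `python-lxc`, `python-mysqldb` and `python-psycopg2` in the lxc, mysql, mysql-oracle, postgresql, redmine and nextcloud hunks.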
@@ -14,6 +14,7 @@ galaxy_info: - jessie - stretch - buster + - bullseye galaxy_tags: [] # List tags for your role here, one per line. A tag is diff --git a/evolinux-base/tasks/kernel.yml b/evolinux-base/tasks/kernel.yml index 76965f47..b49968f1 100644 --- a/evolinux-base/tasks/kernel.yml +++ b/evolinux-base/tasks/kernel.yml @@ -26,7 +26,7 @@ - name: Disable net.ipv4.tcp_timestamps sysctl: name: net.ipv4.tcp_timestamps - value: 0 + value: '0' sysctl_file: "{{ evolinux_kernel_sysctl_path }}" state: present reload: yes diff --git a/evolinux-base/tasks/system.yml b/evolinux-base/tasks/system.yml index 53fa243c..554bb02a 100644 --- a/evolinux-base/tasks/system.yml +++ b/evolinux-base/tasks/system.yml @@ -153,7 +153,7 @@ -- name: Install alert5 init script (buster) +- name: Install alert5 init script (buster and later) template: src: system/alert5.sh.j2 dest: /usr/share/scripts/alert5.sh @@ -163,7 +163,7 @@ - evolinux_system_alert5_init | bool - ansible_distribution_major_version is version('10', '>=') -- name: Install alert5 service (buster) +- name: Install alert5 service (buster and later) copy: src: alert5.service dest: /etc/systemd/system/alert5.service @@ -173,7 +173,7 @@ - evolinux_system_alert5_init | bool - ansible_distribution_major_version is version('10', '>=') -- name: Enable alert5 init script (buster) +- name: Enable alert5 init script (buster and later) systemd: name: alert5 daemon_reload: yes diff --git a/haproxy/defaults/main.yml b/haproxy/defaults/main.yml index b94d2872..0745f1a9 100644 --- a/haproxy/defaults/main.yml +++ b/haproxy/defaults/main.yml @@ -34,3 +34,4 @@ haproxy_deny_ips: [] haproxy_backports_packages_stretch: haproxy libssl1.0.0 haproxy_backports_packages_buster: haproxy +haproxy_backports_packages_bullseye: haproxy diff --git a/haproxy/tasks/packages_backports.yml b/haproxy/tasks/packages_backports.yml index 9a682120..eab4fbca 100644 --- a/haproxy/tasks/packages_backports.yml +++ b/haproxy/tasks/packages_backports.yml 
@@ -15,6 +15,10 @@ haproxy_backports_packages: "{{ haproxy_backports_packages_buster }}" when: ansible_distribution_release == 'buster' +- set_fact: + haproxy_backports_packages: "{{ haproxy_backports_packages_bullseye }}" + when: ansible_distribution_release == 'bullseye' + - name: Prefer HAProxy package from backports template: src: haproxy_apt_preferences.j2 diff --git a/kibana/defaults/main.yml b/kibana/defaults/main.yml index e167c21f..7107398c 100644 --- a/kibana/defaults/main.yml +++ b/kibana/defaults/main.yml @@ -1,5 +1,5 @@ --- -elastic_stack_version: "5.x" +elastic_stack_version: "7.x" kibana_server_host: "127.0.0.1" kibana_server_basepath: "" diff --git a/kibana/files/elastic.gpg b/kibana/files/elastic.gpg new file mode 100644 index 00000000..2508ddc9 Binary files /dev/null and b/kibana/files/elastic.gpg differ diff --git a/kibana/files/elasticsearch.key b/kibana/files/elasticsearch.key deleted file mode 100644 index 1b50dcca..00000000 --- a/kibana/files/elasticsearch.key +++ /dev/null 
@@ -1,31 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v2.0.14 (GNU/Linux) - -mQENBFI3HsoBCADXDtbNJnxbPqB1vDNtCsqhe49vFYsZN9IOZsZXgp7aHjh6CJBD -A+bGFOwyhbd7at35jQjWAw1O3cfYsKAmFy+Ar3LHCMkV3oZspJACTIgCrwnkic/9 -CUliQe324qvObU2QRtP4Fl0zWcfb/S8UYzWXWIFuJqMvE9MaRY1bwUBvzoqavLGZ -j3SF1SPO+TB5QrHkrQHBsmX+Jda6d4Ylt8/t6CvMwgQNlrlzIO9WT+YN6zS+sqHd -1YK/aY5qhoLNhp9G/HxhcSVCkLq8SStj1ZZ1S9juBPoXV1ZWNbxFNGwOh/NYGldD -2kmBf3YgCqeLzHahsAEpvAm8TBa7Q9W21C8vABEBAAG0RUVsYXN0aWNzZWFyY2gg -KEVsYXN0aWNzZWFyY2ggU2lnbmluZyBLZXkpIDxkZXZfb3BzQGVsYXN0aWNzZWFy -Y2gub3JnPokBOAQTAQIAIgUCUjceygIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgEC -F4AACgkQ0n1mbNiOQrRzjAgAlTUQ1mgo3nK6BGXbj4XAJvuZDG0HILiUt+pPnz75 -nsf0NWhqR4yGFlmpuctgCmTD+HzYtV9fp9qW/bwVuJCNtKXk3sdzYABY+Yl0Cez/ -7C2GuGCOlbn0luCNT9BxJnh4mC9h/cKI3y5jvZ7wavwe41teqG14V+EoFSn3NPKm -TxcDTFrV7SmVPxCBcQze00cJhprKxkuZMPPVqpBS+JfDQtzUQD/LSFfhHj9eD+Xe -8d7sw+XvxB2aN4gnTlRzjL1nTRp0h2/IOGkqYfIG9rWmSLNlxhB2t+c0RsjdGM4/ -eRlPWylFbVMc5pmDpItrkWSnzBfkmXL3vO2X3WvwmSFiQbkBDQRSNx7KAQgA5JUl -zcMW5/cuyZR8alSacKqhSbvoSqqbzHKcUQZmlzNMKGTABFG1yRx9r+wa/fvqP6OT -RzRDvVS/cycws8YX7Ddum7x8uI95b9ye1/Xy5noPEm8cD+hplnpU+PBQZJ5XJ2I+ -1l9Nixx47wPGXeClLqcdn0ayd+v+Rwf3/XUJrvccG2YZUiQ4jWZkoxsA07xx7Bj+ -Lt8/FKG7sHRFvePFU0ZS6JFx9GJqjSBbHRRkam+4emW3uWgVfZxuwcUCn1ayNgRt -KiFv9jQrg2TIWEvzYx9tywTCxc+FFMWAlbCzi+m4WD+QUWWfDQ009U/WM0ks0Kww -EwSk/UDuToxGnKU2dQARAQABiQEfBBgBAgAJBQJSNx7KAhsMAAoJENJ9ZmzYjkK0 -c3MIAIE9hAR20mqJWLcsxLtrRs6uNF1VrpB+4n/55QU7oxA1iVBO6IFu4qgsF12J -TavnJ5MLaETlggXY+zDef9syTPXoQctpzcaNVDmedwo1SiL03uMoblOvWpMR/Y0j -6rm7IgrMWUDXDPvoPGjMl2q1iTeyHkMZEyUJ8SKsaHh4jV9wp9KmC8C+9CwMukL7 -vM5w8cgvJoAwsp3Fn59AxWthN3XJYcnMfStkIuWgR7U2r+a210W6vnUxU4oN0PmM -cursYPyeV0NX/KQeUeNMwGTFB6QHS/anRaGQewijkrYYoTNtfllxIu9XYmiBERQ/ -qPDlGRlOgVTd9xUfHFkzB52c70E= -=92oX ------END PGP PUBLIC KEY BLOCK----- diff --git a/kibana/tasks/main.yml b/kibana/tasks/main.yml index 1ed342e0..8ebbe752 100644 --- a/kibana/tasks/main.yml +++ b/kibana/tasks/main.yml 
@@ -129,3 +129,5 @@ - include: proxy_nginx.yml when: kibana_proxy_nginx | bool + tags: + - kibana diff --git a/lxc-php/defaults/main.yml b/lxc-php/defaults/main.yml index 1cceab35..ce8a935d 100644 --- a/lxc-php/defaults/main.yml +++ b/lxc-php/defaults/main.yml @@ -18,4 +18,4 @@ lxc_php_container_releases: php56: "jessie" php70: "stretch" php73: "buster" - php74: "buster" + php74: "bullseye" diff --git a/lxc-php/tasks/php74.yml b/lxc-php/tasks/php74.yml index 2c4538e8..9438dcc7 100644 --- a/lxc-php/tasks/php74.yml +++ b/lxc-php/tasks/php74.yml @@ -13,8 +13,8 @@ create: yes mode: "0644" loop: - - "deb https://packages.sury.org/php/ buster main" - - "deb http://pub.evolix.net/ buster-php74/" + - "deb https://packages.sury.org/php/ bullseye main" + - "deb http://pub.evolix.net/ bullseye-php74/" - name: copy pub.evolix.net GPG key copy: @@ -40,7 +40,7 @@ - name: "{{ lxc_php_version }} - Install PHP packages" lxc_container: name: "{{ lxc_php_version }}" - container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-gettext php-curl php-zip php-mbstring php-zip composer libphp-phpmailer" + container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-zip composer libphp-phpmailer" - name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" template: diff --git a/lxc/tasks/main.yml b/lxc/tasks/main.yml index a3a31cf5..74ba69ae 100644 --- a/lxc/tasks/main.yml +++ b/lxc/tasks/main.yml 
@@ -5,7 +5,18 @@ - lxc - debootstrap - xz-utils - - python-lxc + +- name: python-lxc is installed + apt: + name: python-lxc + state: present + when: ansible_distribution_major_version is version('10', '<=') + +- name: python3-lxc is installed + apt: + name: python3-lxc + state: present + when: ansible_distribution_major_version is version('10', '>') - name: Install additional packages on Buster apt: diff --git a/metricbeat/tasks/main.yml b/metricbeat/tasks/main.yml index 640a8902..ded5d008 100644 --- a/metricbeat/tasks/main.yml +++ b/metricbeat/tasks/main.yml @@ -121,13 +121,13 @@ src: "{{ item }}" dest: /etc/metricbeat/metricbeat.yml force: "{{ metricbeat_force_config }}" - loop: "{{ query('first_found', templates) }}" - vars: - templates: - - "templates/metricbeat/metricbeat.{{ inventory_hostname }}.yml.j2" - - "templates/metricbeat/metricbeat.{{ host_group | default('all') }}.yml.j2" - - "templates/metricbeat/metricbeat.default.yml.j2" - - "templates/metricbeat.default.yml.j2" - notify: restart metricbeat + loop: "{{ query('first_found', templates) }}" + vars: + templates: + - "templates/metricbeat/metricbeat.{{ inventory_hostname }}.yml.j2" + - "templates/metricbeat/metricbeat.{{ host_group | default('all') }}.yml.j2" + - "templates/metricbeat/metricbeat.default.yml.j2" + - "templates/metricbeat.default.yml.j2" + notify: restart metricbeat when: metricbeat_update_config | bool when: metricbeat_use_config_template | bool diff --git a/mongodb/files/server-4.4.asc b/mongodb/files/server-4.4.asc new file mode 100644 index 00000000..9f4d9161 --- /dev/null +++ b/mongodb/files/server-4.4.asc 
@@ -0,0 +1,30 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1 + +mQINBFzteqwBEADSirbLWsjgkQmdWr06jXPN8049MCqXQIZ2ovy9uJPyLkHgOCta +8dmX+8Fkk5yNOLScjB1HUGJxAWJG+AhldW1xQGeo6loDfTW1mlfetq/zpW7CKbUp +qve9eYYulneAy/81M/UoUZSzHqj6XY39wzJCH20H+Qx3WwcqXgSU7fSFXyJ4EBYs +kWybbrAra5v29LUTBd7OvvS+Swovdh4T31YijUOUUL/gJkBI9UneVyV7/8DdUoVJ +a8ym2pZ6ALy+GZrWBHcCKD/rQjEkXJnDglu+FSUI50SzaC9YX31TTzEMJijiPi6I +MIZJMXLH7GpCIDcvyrLWIRYVJAQRoYJB4rmp42HTyed4eg4RnSiFrxVV5xQaDnSl +/8zSOdVMBVewp8ipv34VeRXgNTgRkhA2JmL+KlALMkPo7MbRkJF01DiOOsIdz3Iu +43oYg3QYmqxZI6kZNtXpUMnJeuRmMQJJN8yc9ZdOA9Ll2TTcIql8XEsjGcM7IWM9 +CP6zGwCcbrv72Ka+h/bGaLpwLbpkr5I8PjjSECn9fBcgnVX6HfKH7u3y11+Va1nh +a8ZEE1TuOqRxnVDQ+K4iwaZFgFYsBMKo2ghoU2ZbZxu14vs6Eksn6UFsm8DpPwfy +jtLtdje8jrbYAqAy5zIMLoW+I6Rb5sU3Olh9nI7NW4T5qQeemBcuRAwB4QARAQAB +tDdNb25nb0RCIDQuNCBSZWxlYXNlIFNpZ25pbmcgS2V5IDxwYWNrYWdpbmdAbW9u +Z29kYi5jb20+iQI+BBMBAgAoBQJc7XqsAhsDBQkJZgGABgsJCAcDAgYVCAIJCgsE +FgIDAQIeAQIXgAAKCRBlZAjjkM+x9SKmD/9BzdjFAgBPPkUnD5pJQgsBQKUEkDsu +cht6Q0Y4M635K7okpqJvXtZV5Mo+ajWZjUeHn4wPdVgzF2ItwVLRjjak3tIZfe3+ +ME5Y27Aej3LeqQC3Q5g6SnpeZwVEhWzU35CnyhQecP4AhDG3FO0gKUn3GkEgmsd6 +rnXAQLEw3VUYO8boxqBF3zjmFLIIaODYNmO1bLddJgvZlefUC62lWBBUs6Z7PBnl +q7qBQFhz9qV9zXZwCT2/vgGLg5JcwVdcJXwAsQSr1WCVd7Y79+JcA7BZiSg9FAQd +4t2dCkkctoUKgXsAH5fPwErGNj5L6iUnhFODPvdDJ7l35UcIZ2h74lqfEh+jh8eo +UgxkcI2y2FY/lPapcPPKe0FHzCxG2U/NRdM+sqrIfp9+s88Bj+Eub7OhW4dF3AlL +bh/BGHL9R8xAJRDLv8v7nsKkZWUnJaskeDFCKX3rjcTyTRWTG7EuMCmCn0Ou1hKc +R3ECvIq0pVfVh+qk0hu+A5Dvj6k3QDcTfse+KfSAJkYvRKiuRuq5KgYcX3YSzL6K +aZitMyu18XsQxKavpIGzaDhWyrVAig3XXF//zxowYVwuOikr5czgqizu87cqjpyn +S0vVG4Q3+LswH4xVTn3UWadY/9FkM167ecouu4g3op29VDi7hCKsMeFvFP6OOIls +G4vQ/QbzucK77Q== +=eD3N +-----END PGP PUBLIC KEY BLOCK----- \ No newline at end of file diff --git a/mongodb/files/server-4.4.gpg b/mongodb/files/server-4.4.gpg new file mode 100644 index 00000000..f1b1730e Binary files /dev/null and b/mongodb/files/server-4.4.gpg differ 
diff --git a/mongodb/tasks/main.yml b/mongodb/tasks/main.yml index a054a5fd..1d238b00 100644 --- a/mongodb/tasks/main.yml +++ b/mongodb/tasks/main.yml @@ -12,4 +12,7 @@ when: ansible_distribution_release == "stretch" - include: main_buster.yml - when: ansible_distribution_major_version is version('10', '>=') + when: ansible_distribution_release == "buster" + +- include: main_bullseye.yml + when: ansible_distribution_major_version is version('11', '>=') diff --git a/mongodb/tasks/main_bullseye.yml b/mongodb/tasks/main_bullseye.yml new file mode 100644 index 00000000..63b2193b --- /dev/null +++ b/mongodb/tasks/main_bullseye.yml 
@@ -0,0 +1,95 @@ +--- + +# https://wiki.debian.org/DebianRepository/UseThirdParty +- name: MongoDB embedded GPG key is absent + apt_key: + id: "B8612B5D" + keyring: /etc/apt/trusted.gpg + state: absent + +- name: Add MongoDB GPG key + copy: + src: server-4.4.asc + dest: /etc/apt/trusted.gpg.d/mongodb-server-4.4.asc + force: yes + mode: "0644" + owner: root + group: root + +- name: enable APT sources list + apt_repository: + repo: deb http://repo.mongodb.org/apt/debian buster/mongodb-org/4.4 main + state: present + filename: mongodb-org-4.4 + update_cache: yes + +- name: Install packages + apt: + name: mongodb-org + update_cache: yes + state: present + register: _mongodb_install_package + +- name: MongoDB service in enabled and started + systemd: + name: mongod + enabled: yes + state: started + when: _mongodb_install_package.changed + +- name: install dependency for monitoring + apt: + name: python3-pymongo + state: present + +- name: Custom configuration + template: + src: mongodb_bullseye.conf.j2 + dest: "/etc/mongod.conf" + force: "{{ mongodb_force_config | bool | ternary('yes', 'no') }}" + notify: restart mongod + +- name: Configure logrotate + template: + src: logrotate_bullseye.j2 + dest: /etc/logrotate.d/mongodb + force: yes + backup: no + +- name: Munin plugins local directory exists + file: + dest: /usr/local/share/munin/plugins/ + state: directory + mode: "0755" + +- name: Munin plugins are present + copy: + src: "munin/{{ item }}" + dest: '/usr/local/share/munin/plugins/{{ item }}' + force: yes + with_items: + - mongo_btree + - mongo_collections + - mongo_conn + - mongo_docs + - mongo_lock + - mongo_mem + - mongo_ops + - mongo_page_faults + notify: restart munin-node + +- name: Enable core Munin plugins + file: + src: '/usr/local/share/munin/plugins/{{ item }}' + dest: /etc/munin/plugins/{{ item }} + state: link + with_items: + - mongo_btree + - mongo_collections + - mongo_conn + - mongo_docs + - mongo_lock + - mongo_mem + - mongo_ops + - 
mongo_page_faults + notify: restart munin-node diff --git a/mongodb/templates/logrotate_bullseye.j2 b/mongodb/templates/logrotate_bullseye.j2 new file mode 100644 index 00000000..8239e880 --- /dev/null +++ b/mongodb/templates/logrotate_bullseye.j2 @@ -0,0 +1,15 @@ +# {{ ansible_managed }} + +/var/log/mongodb/mongod.log { + daily + missingok + rotate 365 + dateext + compress + delaycompress + notifempty + sharedscripts + postrotate + pidof mongod | xargs kill -USR1 + endscript +} diff --git a/mongodb/templates/mongodb_bullseye.conf.j2 b/mongodb/templates/mongodb_bullseye.conf.j2 new file mode 100644 index 00000000..b61479bd --- /dev/null +++ b/mongodb/templates/mongodb_bullseye.conf.j2 @@ -0,0 +1,39 @@ +# mongodb.conf - {{ ansible_managed }} + +# for documentation of all options, see: +# http://docs.mongodb.org/manual/reference/configuration-options/ + +# Where and how to store data. +storage: + dbPath: /var/lib/mongodb + journal: + enabled: true +# engine: +# mmapv1: +# wiredTiger: + +# where to write logging data. +systemLog: + destination: file + logRotate: reopen + logAppend: true + path: /var/log/mongodb/mongodb.log + +# network interfaces +net: + port: {{ mongodb_port }} + bindIp: {{ mongodb_bind }} + +#security: + +#operationProfiling: + +#replication: + +#sharding: + +## Enterprise-Only Options: + +#auditLog: + +#snmp: diff --git a/mysql-oracle/tasks/users.yml b/mysql-oracle/tasks/users.yml index da1ca05f..e5a7e3da 100644 --- a/mysql-oracle/tasks/users.yml +++ b/mysql-oracle/tasks/users.yml @@ -5,6 +5,16 @@ apt: name: python-mysqldb state: present + when: ansible_distribution_major_version is version('10', '<=') + tags: + - mysql + +# dependency for mysql_user and mysql_db +- name: python3-mysqldb is installed (Ansible dependency) + apt: + name: python3-mysqldb + state: present + when: ansible_distribution_major_version is version('10', '>') tags: - mysql diff --git a/mysql-oracle/tasks/utils.yml b/mysql-oracle/tasks/utils.yml index e7573afe..e0520cee 100644 
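Review bot: In `mongodb/tasks/main_bullseye.yml`, copying the key to `/etc/apt/trusted.gpg.d/mongodb-server-4.4.asc` makes APT trust it for every configured repository, not only MongoDB's, which is the setup the wiki page linked in the first comment advises against. Scoping the key to the one source limits what that vendor key is able to sign for: place it at e.g. `/usr/share/keyrings/mongodb-server-4.4.asc` and use `repo: deb [signed-by=/usr/share/keyrings/mongodb-server-4.4.asc] http://repo.mongodb.org/apt/debian buster/mongodb-org/4.4 main`. The commit also adds `server-4.4.gpg`, which no visible task references. The repo line uses the `buster` suite on a bullseye host, and a short comment explaining why would help the next reader.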
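Review bot: The stanza in `logrotate_bullseye.j2` rotates `/var/log/mongodb/mongod.log`, but `mongodb_bullseye.conf.j2`, added in the same commit, sets `path: /var/log/mongodb/mongodb.log`, so with both files deployed the active log would never be rotated. One of the two paths should change, e.g. `/var/log/mongodb/mongodb.log {` here. In `postrotate`, `pidof mongod | xargs kill -USR1` still runs `kill` with no PID when mongod is stopped; `xargs -r` avoids that.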
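Review bot: In `mongodb_bullseye.conf.j2` the `security:` section is left commented out, so this configuration starts mongod without access control, while `bindIp` is taken directly from `mongodb_bind`. The default of `mongodb_bind` is not visible in this diff; if it can be set to a non-loopback address, the instance would accept unauthenticated connections from the network. Consider templating `security:` with `authorization: enabled` behind a role variable, or at least adding a comment next to `bindIp` such as `# non-local binds require authentication to be configured`.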
--- a/mysql-oracle/tasks/utils.yml +++ b/mysql-oracle/tasks/utils.yml @@ -17,7 +17,7 @@ # mytop -- name: "mytop is installed (jessie)" +- name: "mytop is installed (Debian 9)" apt: name: mytop state: present @@ -32,7 +32,7 @@ # name: mysql-utilities # when: ansible_distribution_major_version is version('9', '>=') -- name: "mytop dependencies are installed (stretch)" +- name: "mytop dependencies are installed (Buster)" apt: name: - libconfig-inifiles-perl @@ -46,13 +46,21 @@ - mysql when: ansible_distribution_release == "stretch" -- name: "Install dependencies for mytop (Debian 10 or later)" +- name: "Install dependencies for mytop (Debian 10)" apt: name: - mariadb-client-10.3 - libconfig-inifiles-perl - libterm-readkey-perl - when: ansible_distribution_major_version is version('10', '>=') + when: ansible_distribution_release == "buster" + +- name: "Install dependencies for mytop (Debian 11 or later)" + apt: + name: + - mariadb-client-10.5 + - libconfig-inifiles-perl + - libterm-readkey-perl + when: ansible_distribution_major_version is version('11', '>=') - include_role: name: evolix/remount-usr diff --git a/mysql/tasks/users_jessie.yml b/mysql/tasks/users_jessie.yml index 99dd2d04..3a56a63d 100644 --- a/mysql/tasks/users_jessie.yml +++ b/mysql/tasks/users_jessie.yml @@ -6,13 +6,22 @@ when: mysql_variant == "mariadb" # dependency for mysql_user and mysql_db - - name: python-mysqldb is installed (Ansible dependency) apt: name: python-mysqldb state: present + when: ansible_distribution_major_version is version('10', '<=') tags: - - mysql + - mysql + +# dependency for mysql_user and mysql_db +- name: python3-mysqldb is installed (Ansible dependency) + apt: + name: python3-mysqldb + state: present + when: ansible_distribution_major_version is version('10', '>') + tags: + - mysql - name: create a password for mysqladmin command: "apg -n 1 -m 16 -M lcN" diff --git a/mysql/tasks/users_stretch.yml b/mysql/tasks/users_stretch.yml index 574399af..2b9bec6b 100644 
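Review bot: The renamed task labels in `mysql-oracle/tasks/utils.yml` no longer match their conditions: `mytop dependencies are installed (Buster)` is still guarded by `when: ansible_distribution_release == "stretch"`, and `mytop is installed (Debian 9)` replaces a label that said jessie, which is Debian 8. In `mysql/tasks/utils.yml` the same rename leaves `Install mytop (Debian 9)` above `when: ansible_distribution_release == "jessie"`. Suggested labels are `"mytop is installed (Debian 8)"` and `"mytop dependencies are installed (Debian 9)"`. These tasks begin or end outside the hunks shown.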
--- a/mysql/tasks/users_stretch.yml +++ b/mysql/tasks/users_stretch.yml @@ -1,13 +1,22 @@ --- # dependency for mysql_user and mysql_db - - name: python-mysqldb is installed (Ansible dependency) apt: name: python-mysqldb state: present + when: ansible_distribution_major_version is version('10', '<=') tags: - - mysql + - mysql + +# dependency for mysql_user and mysql_db +- name: python3-mysqldb is installed (Ansible dependency) + apt: + name: python3-mysqldb + state: present + when: ansible_distribution_major_version is version('10', '>') + tags: + - mysql - name: create a password for mysqladmin command: "apg -n 1 -m 16 -M lcN" diff --git a/mysql/tasks/utils.yml b/mysql/tasks/utils.yml index b4abf059..f1a9cb24 100644 --- a/mysql/tasks/utils.yml +++ b/mysql/tasks/utils.yml @@ -17,7 +17,7 @@ # mytop -- name: "Install mytop (jessie)" +- name: "Install mytop (Debian 9)" apt: name: mytop state: present @@ -27,7 +27,7 @@ - mysql when: ansible_distribution_release == "jessie" -- name: "Install dependencies for mytop (stretch)" +- name: "Install dependencies for mytop (Debian 9)" apt: name: - mariadb-client-10.1 @@ -35,13 +35,21 @@ - libterm-readkey-perl when: ansible_distribution_release == "stretch" -- name: "Install dependencies for mytop (Debian 10 or later)" +- name: "Install dependencies for mytop (Debian 10)" apt: name: - mariadb-client-10.3 - libconfig-inifiles-perl - libterm-readkey-perl - when: ansible_distribution_major_version is version('10', '>=') + when: ansible_distribution_release == "buster" + +- name: "Install dependencies for mytop (Debian 11 or later)" + apt: + name: + - mariadb-client-10.5 + - libconfig-inifiles-perl + - libterm-readkey-perl + when: ansible_distribution_major_version is version('11', '>=') - name: Read debian-sys-maint password shell: 'cat /etc/mysql/debian.cnf | grep -m1 "password = .*" | cut -d" " -f3' 
diff --git a/packweb-apache/templates/phpmyadmin_apt_preferences.j2 b/packweb-apache/templates/phpmyadmin_apt_preferences.j2 index 02578c0d..3a2d2833 100644 --- a/packweb-apache/templates/phpmyadmin_apt_preferences.j2 +++ b/packweb-apache/templates/phpmyadmin_apt_preferences.j2 @@ -1,3 +1,3 @@ Package: phpmyadmin php-twig Pin: release a=buster-backports -Pin-Priority: 999 \ No newline at end of file +Pin-Priority: 999 diff --git a/php/handlers/main.yml b/php/handlers/main.yml index 1aade6c1..973c0069 100644 --- a/php/handlers/main.yml +++ b/php/handlers/main.yml @@ -14,3 +14,8 @@ service: name: php7.3-fpm state: restarted + +- name: restart php7.4-fpm + service: + name: php7.4-fpm + state: restarted diff --git a/php/tasks/main.yml b/php/tasks/main.yml index e9687e67..5cf46bec 100644 --- a/php/tasks/main.yml +++ b/php/tasks/main.yml @@ -12,3 +12,6 @@ - include: main_buster.yml when: ansible_distribution_release == "buster" + +- include: main_bullseye.yml + when: ansible_distribution_release == "bullseye" diff --git a/php/tasks/main_bullseye.yml b/php/tasks/main_bullseye.yml new file mode 100644 index 00000000..bdeffe56 --- /dev/null +++ b/php/tasks/main_bullseye.yml 
@@ -0,0 +1,96 @@ +--- + +- name: "Set variables (Debian 10 or later)" + set_fact: + php_cli_defaults_ini_file: /etc/php/7.4/cli/conf.d/z-evolinux-defaults.ini + php_cli_custom_ini_file: /etc/php/7.4/cli/conf.d/zzz-evolinux-custom.ini + php_apache_defaults_ini_file: /etc/php/7.4/apache2/conf.d/z-evolinux-defaults.ini + php_apache_custom_ini_file: /etc/php/7.4/apache2/conf.d/zzz-evolinux-custom.ini + php_fpm_defaults_ini_file: /etc/php/7.4/fpm/conf.d/z-evolinux-defaults.ini + php_fpm_custom_ini_file: /etc/php/7.4/fpm/conf.d/zzz-evolinux-custom.ini + php_fpm_debian_default_pool_file: /etc/php/7.4/fpm/pool.d/www.conf + php_fpm_default_pool_file: /etc/php/7.4/fpm/pool.d/www-evolinux-defaults.conf + php_fpm_default_pool_custom_file: /etc/php/7.4/fpm/pool.d/www-evolinux-zcustom.conf + php_fpm_default_pool_socket: /var/run/php/php7.4-fpm.sock + php_fpm_service_name: php7.4-fpm + +# Packages + +- name: "Set package list (Debian 9 or later)" + set_fact: + php_stretch_packages: + - php-cli + - php-gd + - php-intl + - php-imap + - php-ldap + - php-mysql + # php-mcrypt is no longer packaged for PHP 7.2 + - php-pgsql + - php-sqlite3 + - php-curl + - php-ssh2 + - php-zip + - composer + - libphp-phpmailer + +- include: sury_pre.yml + when: php_sury_enable + +- name: "Install PHP packages (Debian 9 or later)" + apt: + name: '{{ php_stretch_packages }}' + state: present + +- name: "Install mod_php packages (Debian 9 or later)" + apt: + name: + - libapache2-mod-php + - php + state: present + when: php_apache_enable + +- name: "Install PHP FPM packages (Debian 9 or later)" + apt: + name: + - php-fpm + - php + state: present + when: php_fpm_enable + +# Configuration + +- name: Enforce permissions on PHP directory + file: + dest: "{{ item }}" + mode: "0755" + with_items: + - /etc/php + - /etc/php/7.4 + +- include: config_cli.yml +- name: Enforce permissions on PHP cli directory + file: + dest: /etc/php/7.4/cli + mode: "0755" + +- include: config_fpm.yml + when: php_fpm_enable + +- name: 
Enforce permissions on PHP fpm directory + file: + dest: /etc/php/7.4/fpm + mode: "0755" + when: php_fpm_enable + +- include: config_apache.yml + when: php_apache_enable + +- name: Enforce permissions on PHP apache2 directory + file: + dest: /etc/php/7.4/apache2 + mode: "0755" + when: php_apache_enable + +- include: sury_post.yml + when: php_sury_enable diff --git a/postgresql/tasks/main.yml b/postgresql/tasks/main.yml index fbe22989..1783a763 100644 --- a/postgresql/tasks/main.yml +++ b/postgresql/tasks/main.yml @@ -5,10 +5,10 @@ when: ansible_distribution_release == "jessie" - include: packages_stretch.yml - when: ansible_distribution_major_version is version('9', '=') + when: ansible_distribution_release == "stretch" - include: packages_buster.yml - when: ansible_distribution_major_version is version('10', '=') + when: ansible_distribution_release == "buster" - include: packages_bullseye.yml when: ansible_distribution_major_version is version('11', '>=') diff --git a/postgresql/tasks/nrpe.yml b/postgresql/tasks/nrpe.yml index 740c7b08..9c22e293 100644 --- a/postgresql/tasks/nrpe.yml +++ b/postgresql/tasks/nrpe.yml @@ -9,10 +9,17 @@ register: postgresql_nrpe_password changed_when: False -- name: Install python dependencies for postgresql_user +- name: python-psycopg2 is installed (Ansible dependency) apt: name: python-psycopg2 state: present + when: ansible_distribution_major_version is version('10', '<=') + +- name: python3-psycopg2 is installed (Ansible dependency) + apt: + name: python3-psycopg2 + state: present + when: ansible_distribution_major_version is version('10', '>') - name: Is nrpe present ? stat: diff --git a/rabbitmq/tasks/nrpe.yml b/rabbitmq/tasks/nrpe.yml index c4c700df..75b37043 100644 --- a/rabbitmq/tasks/nrpe.yml +++ b/rabbitmq/tasks/nrpe.yml 
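Review bot: The labels in the new `php/tasks/main_bullseye.yml` are carried over from older releases: `Set variables (Debian 10 or later)`, `(Debian 9 or later)` on the package tasks, the variable name `php_stretch_packages`, and the comment about PHP 7.2 all sit in a file that configures PHP 7.4 for bullseye. Renaming to `"Set variables (Debian 11)"` and `php_bullseye_packages` would keep the task output readable. The conditions `when: php_sury_enable`, `when: php_fpm_enable` and `when: php_apache_enable` are bare variables, unlike the `| bool` form used elsewhere in this commit; depending on the Ansible version, a string value such as `"false"` passed on the command line may evaluate as true.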
@@ -1,9 +1,16 @@ --- -- name: check_rabbitmq dependencies +- name: python-requests is installed (check_rabbitmq dependency) apt: name: python-requests state: present + when: ansible_distribution_major_version is version('10', '<=') + +- name: python3-requests is installed (check_rabbitmq dependency) + apt: + name: python3-requests + state: present + when: ansible_distribution_major_version is version('10', '>') - include_role: name: evolix/remount-usr diff --git a/redis/templates/redis-server@bullseye.service.j2 b/redis/templates/redis-server@bullseye.service.j2 new file mode 100644 index 00000000..623eb919 --- /dev/null +++ b/redis/templates/redis-server@bullseye.service.j2 
@@ -0,0 +1,45 @@ +[Unit] +Description=Advanced key-value store +After=network.target +Documentation=http://redis.io/documentation, man:redis-server(1) + +[Service] +Type=notify +ExecStart=/usr/bin/redis-server {{ redis_conf_dir_prefix }}-%i/redis.conf --supervised systemd --daemonize no +PIDFile=/run/redis-%i/redis-server.pid +TimeoutStopSec=0 +Restart=always +User=redis-%i +Group=redis-%i +RuntimeDirectory=redis-%i +RuntimeDirectoryMode=2755 + +UMask=007 +PrivateTmp=yes +LimitNOFILE=65535 +PrivateDevices=yes +ProtectHome={{ redis_data_dir_prefix is match('/home') | ternary('no', 'yes') }} +ReadOnlyDirectories=/ +ReadWritePaths=-{{ redis_data_dir_prefix }}-%i +ReadWritePaths=-{{ redis_log_dir_prefix }}-%i +ReadWritePaths=-{{ redis_pid_dir_prefix }}-%i +ReadWritePaths=-{{ redis_socket_dir_prefix }}-%i + +NoNewPrivileges=true +CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE +MemoryDenyWriteExecute=true +ProtectKernelModules=true +ProtectKernelTunables=true +ProtectControlGroups=true +RestrictRealtime=true +RestrictNamespaces=true +RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX + +# redis-server can write to its own config file when in cluster mode so we +# permit writing there by default. If you are not using this feature, it is +# recommended that you replace the following lines with "ProtectSystem=full". +ProtectSystem=true +ReadWriteDirectories=-{{ redis_conf_dir_prefix }}-%i + +[Install] +WantedBy=multi-user.target \ No newline at end of file diff --git a/redmine/tasks/packages.yml b/redmine/tasks/packages.yml index b2be8faa..0c65df44 100644 --- a/redmine/tasks/packages.yml +++ b/redmine/tasks/packages.yml @@ -1,5 +1,5 @@ --- -- name: Install dependancy +- name: Install dependency apt: name: - libpam-systemd 
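Review bot: In `redis-server@bullseye.service.j2`, `CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE` keeps three capabilities in the bounding set although the unit already starts the process as `User=redis-%i` with `NoNewPrivileges=true`, so they are probably never needed. If nothing in the instance setup depends on them, an empty `CapabilityBoundingSet=` is the tighter setting. `PIDFile=` is also likely redundant with `Type=notify` and `--daemonize no`; either drop it or add a comment saying why it is kept.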
@@ -14,7 +14,24 @@ - libmagickwand-dev - libmagickcore-dev - libmariadbclient-dev - - python-mysqldb state: present tags: - redmine + +# dependency for mysql_user and mysql_db +- name: python-mysqldb is installed (Ansible dependency) + apt: + name: python-mysqldb + state: present + when: ansible_distribution_major_version is version('10', '<=') + tags: + - redmine + +# dependency for mysql_user and mysql_db +- name: python3-mysqldb is installed (Ansible dependency) + apt: + name: python3-mysqldb + state: present + when: ansible_distribution_major_version is version('10', '>') + tags: + - redmine \ No newline at end of file diff --git a/squid/files/systemd-override.conf b/squid/files/systemd-override.conf deleted file mode 100644 index eab76a17..00000000 --- a/squid/files/systemd-override.conf +++ /dev/null @@ -1,4 +0,0 @@ -# systemd override for Squid -[Service] -ExecStart= -ExecStart=/usr/sbin/squid -sYC -f /etc/squid/evolinux-defaults.conf diff --git a/squid/tasks/main.yml b/squid/tasks/main.yml index 9e00dcb0..4a3cab4d 100644 --- a/squid/tasks/main.yml +++ b/squid/tasks/main.yml @@ -22,6 +22,13 @@ - squidclient state: present +- name: Fetch packages + package_facts: + manager: auto + +- debug: + var: ansible_facts.packages[squid_daemon_name] + - name: "Set alternative config file (Debian 9 or later)" copy: src: default_squid diff --git a/squid/tasks/systemd.yml b/squid/tasks/systemd.yml index 82b8760c..ac9eb7e9 100644 --- a/squid/tasks/systemd.yml +++ b/squid/tasks/systemd.yml @@ -16,8 +16,8 @@ mode: "0755" - name: "Squid systemd unit service is present" - copy: - src: systemd-override.conf + template: + src: systemd-override.conf.j2 dest: /etc/systemd/system/squid.service.d/override.conf force: yes register: _squid_systemd_override diff --git a/squid/templates/evolinux-custom.conf.j2 b/squid/templates/evolinux-custom.conf.j2 index cc465dc7..27c97cc2 100644 --- a/squid/templates/evolinux-custom.conf.j2 +++ b/squid/templates/evolinux-custom.conf.j2 
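Review bot: The `debug` task added in `squid/tasks/main.yml` prints `ansible_facts.packages[squid_daemon_name]` on every run, whereas the apache hunk in this same commit adds `verbosity: 1` to a comparable task. It looks like leftover troubleshooting output and should get `verbosity: 1` or be removed. The `package_facts` task before it deserves a comment such as `# needed by evolinux-custom.conf.j2 to detect the Squid version`, since nothing here says why the facts are gathered.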
@@ -1,4 +1,4 @@ http_port 8888 transparent cache deny all -ignore_expect_100 on +{% if ansible_facts.packages[squid_daemon_name][0]['version'] is version (4, '<') %}ignore_expect_100 on{% endif %} tcp_outgoing_address {{ squid_address }} diff --git a/squid/templates/systemd-override.conf.j2 b/squid/templates/systemd-override.conf.j2 new file mode 100644 index 00000000..ee3ff666 --- /dev/null +++ b/squid/templates/systemd-override.conf.j2 @@ -0,0 +1,8 @@ +# systemd override for Squid +[Service] +ExecStart= +{% if ansible_distribution_major_version is version('11', '>=') %} +ExecStart=/usr/sbin/squid --foreground -sYC -f /etc/squid/evolinux-defaults.conf +{% else %} +ExecStart=/usr/sbin/squid -sYC -f /etc/squid/evolinux-defaults.conf +{% endif %} diff --git a/tomcat/tasks/packages.yml b/tomcat/tasks/packages.yml index 900dffd0..9b7995cc 100644 --- a/tomcat/tasks/packages.yml +++ b/tomcat/tasks/packages.yml @@ -21,6 +21,13 @@ - ansible_distribution_release == "buster" - tomcat_version is not defined +- name: Set Tomcat version to 10 on Debian 11 if missing + set_fact: + tomcat_version: 10 + when: + - ansible_distribution_release == "bullseye" + - tomcat_version is not defined + - name: Install packages apt: name: diff --git a/varnish/tasks/main.yml b/varnish/tasks/main.yml index 95a720c8..75268841 100644 --- a/varnish/tasks/main.yml +++ b/varnish/tasks/main.yml @@ -52,6 +52,7 @@ - config - update-config +# TODO: verify if it's still necessary for Debian 11 - name: Override Varnish systemd unit (Buster and later) template: src: varnish.conf.buster.j2 diff --git a/webapps/nextcloud/tasks/main.yml b/webapps/nextcloud/tasks/main.yml index 2c525114..c63291f1 100644 --- a/webapps/nextcloud/tasks/main.yml +++ b/webapps/nextcloud/tasks/main.yml 
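Review bot: The new condition in `evolinux-custom.conf.j2` indexes `ansible_facts.packages[squid_daemon_name][0]['version']` without a guard, so rendering fails with an undefined-variable error whenever `package_facts` has not run in the same play or the package name is missing from the result. Starting the test with `ansible_facts.packages[squid_daemon_name] is defined and`, or computing a role variable once in the tasks, would make that dependency explicit. The version is compared with the integer `4` and a space before the parenthesis (`is version (4, '<')`), where the rest of the commit writes the form `is version('10', '<=')`.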
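Review bot: The new task in `tomcat/tasks/packages.yml` defaults `tomcat_version` to 10 on bullseye, but as far as I know the bullseye archive ships Tomcat 9 and no `tomcat10` package, in which case the following `Install packages` task fails on a fresh Debian 11 host. Please confirm against the archive; if that is right, the default should be `tomcat_version: 9`. The install task continues outside the hunk, so how the version is turned into package names is not visible here.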
@@ -16,7 +16,24 @@ - php-apcu - php-redis - php-bcmath - - python-mysqldb + tags: + - nextcloud + +# dependency for mysql_user and mysql_db +- name: python-mysqldb is installed (Ansible dependency) + apt: + name: python-mysqldb + state: present + when: ansible_distribution_major_version is version('10', '<=') + tags: + - nextcloud + +# dependency for mysql_user and mysql_db +- name: python3-mysqldb is installed (Ansible dependency) + apt: + name: python3-mysqldb + state: present + when: ansible_distribution_major_version is version('10', '>') tags: - nextcloud