Merge branch 'buster' into unstable
bea11352be
|
@ -13,6 +13,7 @@ The **patch** part changes incrementally at each release.
|
|||
### Added
|
||||
* evocheck: explicit PATH
|
||||
* evolinux-base: On debian 10 and later, add noexec on /dev/shm
|
||||
* evolinux-base: default value for "evolinux_ssh_group"
|
||||
* generate-ldif: support MariaDB 10.3
|
||||
* listupgrade: install old-kernel-autoremoval script
|
||||
* mysql: activate binary logs by specifying log_bin path
|
||||
|
@ -25,12 +26,14 @@ The **patch** part changes incrementally at each release.
|
|||
|
||||
### Changed
|
||||
* elasticsearch: listen on local interface only by default
|
||||
* evocheck: upstream version 19.09
|
||||
* evocheck : update (version 19.09) from upstream
|
||||
* evocheck: cron jobs execute in verbose
|
||||
* evomaintenance: upstream version 0.5.1
|
||||
* evolinux-base: use "evolinux_internal_group" for SSH authentication
|
||||
* evomaintenance: Turn on API by default (instead of DB)
|
||||
* evomaintenance: upstream version 0.5.1
|
||||
* php: By default, allow 128M for OpCache (instead of 64M)
|
||||
* squid: Remove wait time when we turn off squid
|
||||
* squid: split systemd tasks into own file
|
||||
|
||||
### Fixed
|
||||
* lxc-php: Don't remove the default pool
|
||||
|
|
|
@ -1,3 +1,4 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
deb http://pub.evolix.net/ {{ ansible_distribution_release }}/
|
||||
# deb http://pub.evolix.net/ {{ ansible_distribution_release }}/
|
||||
deb http://pub.evolix.net/ stretch/
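Review bot: The new `deb http://pub.evolix.net/ stretch/` line pins the Evolix repository to the Stretch suite on every host, while the line that followed `ansible_distribution_release` is commented out, so a Debian 10 host would install packages built for Stretch. If this is intentional because no buster suite is published yet, record it in the template, e.g. `# temporary: no buster suite on pub.evolix.net yet, every release uses stretch/`, so the next reader knows when to revert. Wrapping the literal line in `{% if ansible_distribution_release == 'buster' %}` and keeping the templated line as the default would limit the pin to the release that needs it.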
|
||||
|
|
|
@ -79,6 +79,7 @@ evolinux_packages_diagnostic: True
|
|||
evolinux_packages_hardware: True
|
||||
evolinux_packages_common: True
|
||||
evolinux_packages_stretch: True
|
||||
evolinux_packages_buster: True
|
||||
evolinux_packages_serveur_base: True
|
||||
evolinux_packages_purge_openntpd: True
|
||||
evolinux_packages_purge_locate: True
|
||||
|
@ -124,6 +125,7 @@ evolinux_ssh_password_auth_addresses: "{{ evolinux_default_ssh_password_auth_add
|
|||
evolinux_ssh_match_address: True
|
||||
evolinux_ssh_disable_acceptenv: True
|
||||
evolinux_ssh_allow_current_user: False
|
||||
evolinux_ssh_group: "evolinux-ssh"
|
||||
|
||||
### disabled because of a memory leak
|
||||
# # evolinux users
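Review bot: The added default is `evolinux_ssh_group: "evolinux-ssh"`, but the sshd task in this same commit renders `Match Group {{ evolinux_internal_group }}` (sshd hunk `@ -20,7 +20,7 @@`), a different variable whose default is not visible here. If `evolinux_internal_group` has no default, the play fails on an undefined variable; if both variables are meant to exist, a comment next to this line should say how they differ, e.g. `# group allowed to log in over SSH; evolinux_internal_group governs the password-auth restriction`. Worth confirming which of the two the sshd Match block is meant to use.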
|
||||
|
|
|
@ -95,6 +95,16 @@
|
|||
- evolinux_packages_stretch
|
||||
- ansible_distribution_major_version | version_compare('9', '>=')
|
||||
|
||||
- name: Install/Update packages for Buster and later
|
||||
apt:
|
||||
name: "{{ item }}"
|
||||
with_items:
|
||||
- spectre-meltdown-checker
|
||||
- binutils
|
||||
when:
|
||||
- evolinux_packages_buster
|
||||
- ansible_distribution_major_version | version_compare('10', '>=')
|
||||
|
||||
- name: Customize logcheck recipient
|
||||
lineinfile:
|
||||
dest: /etc/logcheck/logcheck.conf
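Review bot: The task is named "Install/Update packages for Buster and later" but the `apt:` call gives no `state`, and the module default is `present`, so an already-installed `spectre-meltdown-checker` or `binutils` is never updated. Either drop "Update" from the name or add `state: present` explicitly and `state: latest` where updating is really wanted; the Stretch task visible in the context above appears to have the same shape, so whichever is chosen should apply to both. The `with_items` form is kept for consistency with the rest of the file, which is fine.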
|
||||
|
|
|
@ -11,7 +11,7 @@
|
|||
# only the first instance of the keyword is applied. »
|
||||
#
|
||||
# We want to allow any user from a list of IP addresses to login with password,
|
||||
# but users of the "evolix" group can't login with password from other IP addresses
|
||||
# but users of the "{{ evolinux_internal_group }}" group can't login with password from other IP addresses
|
||||
|
||||
- name: "Security directives for Evolinux (Debian 10 or later)"
|
||||
blockinfile:
|
||||
|
@ -20,7 +20,7 @@
|
|||
block: |
|
||||
Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
|
||||
PasswordAuthentication yes
|
||||
Match Group evolix
|
||||
Match Group {{ evolinux_internal_group }}
|
||||
PasswordAuthentication no
|
||||
insertafter: EOF
|
||||
validate: '/usr/sbin/sshd -t -f %s'
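Review bot: `Match Group {{ evolinux_internal_group }}` is only checked by the `sshd -t` validate, which tests syntax and, to my knowledge, does not verify that the group exists on the host; if the variable names a group that was never created, the Match block matches nobody and password authentication silently stays allowed for those users from any address. Add a task before this one that guarantees the group (`group: name: "{{ evolinux_internal_group }}" state: present`) or an explicit check with the `getent` module, and document the assumption above the block with `# evolinux_internal_group must exist locally, otherwise this Match never applies`. The enclosing blockinfile task starts in the previous hunk.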
|
||||
|
|
|
@ -10,7 +10,7 @@ is_alert5_enabled() {
|
|||
if test -f /etc/init.d/alert5; then
|
||||
test -f /etc/rc2.d/S*alert5
|
||||
else
|
||||
systemctl is-active alert5 | grep -q "^active$"
|
||||
systemctl is-enabled alert5 -q
|
||||
fi
|
||||
}
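Review bot: The new `systemctl is-enabled alert5 -q` places the option after the positional unit name; systemctl accepts that, but `systemctl -q is-enabled alert5` is the conventional form and reads unambiguously. Note also that `is-enabled` reports only the unit's install state, which does fit the function name, whereas the removed `is-active` check tested whether the service was running; any caller that relied on the old meaning should be reviewed. `is_alert5_enabled()` starts before the hunk.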
|
||||
|
||||
|
|
|
@ -24,14 +24,23 @@
|
|||
- mysql
|
||||
when: ansible_distribution_release == "jessie"
|
||||
|
||||
- name: "Install depends for mytop (Debian 9 or later)"
|
||||
- name: "Install depends for mytop (stretch)"
|
||||
apt:
|
||||
name: "{{ item }}"
|
||||
with_items:
|
||||
- mariadb-client-10.1
|
||||
- libconfig-inifiles-perl
|
||||
- libterm-readkey-perl
|
||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||
when: ansible_distribution_release == "stretch"
|
||||
|
||||
- name: "Install depends for mytop (Debian 10 or later)"
|
||||
apt:
|
||||
name: "{{ item }}"
|
||||
with_items:
|
||||
- mariadb-client-10.3
|
||||
- libconfig-inifiles-perl
|
||||
- libterm-readkey-perl
|
||||
when: ansible_distribution_major_version | version_compare('10', '>=')
|
||||
|
||||
- name: Read debian-sys-maint password
|
||||
shell: 'cat /etc/mysql/debian.cnf | grep -m1 "password = .*" | cut -d" " -f3'
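Review bot: `mariadb-client-10.3` hardcodes the MariaDB minor version for the Debian 10 task, mirroring `mariadb-client-10.1` for Stretch, so each new release will need yet another copy of this task. Unless mytop needs that exact version, the unversioned `mariadb-client` metapackage in one task guarded by `version_compare('9', '>=')` would cover both; if the pin is deliberate, a comment such as `# mariadb-client-10.3 is the buster version; bump for later releases` saves the next reader the question. The two `when:` styles (`version_compare` for buster, `ansible_distribution_release` for stretch) are mixed within the same pair of tasks.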
|
||||
|
|
|
@ -21,19 +21,19 @@
|
|||
name: '{{ item }}'
|
||||
state: present
|
||||
with_items:
|
||||
- libapache2-mod-security2
|
||||
- modsecurity-crs
|
||||
- apg
|
||||
- libapache2-mod-security2
|
||||
- modsecurity-crs
|
||||
- apg
|
||||
|
||||
- name: Additional modules are enabled
|
||||
apache2_module:
|
||||
name: '{{ item }}'
|
||||
state: present
|
||||
with_items:
|
||||
- ssl
|
||||
- include
|
||||
- negotiation
|
||||
- alias
|
||||
- ssl
|
||||
- include
|
||||
- negotiation
|
||||
- alias
|
||||
|
||||
- name: Copy Apache settings for modules
|
||||
copy:
|
||||
|
@ -58,6 +58,5 @@
|
|||
register: command_result
|
||||
changed_when: "'Enabling' in command_result.stderr"
|
||||
with_items:
|
||||
- evolinux-evasive
|
||||
- evolinux-modsec
|
||||
|
||||
- evolinux-evasive
|
||||
- evolinux-modsec
|
||||
|
|
|
@ -6,23 +6,23 @@
|
|||
changed_when: "'changed' in command_result.stdout"
|
||||
failed_when: False
|
||||
with_items:
|
||||
- /
|
||||
- /etc
|
||||
- /usr
|
||||
- /usr/bin
|
||||
- /var
|
||||
- /var/log
|
||||
- /home
|
||||
- /bin
|
||||
- /sbin
|
||||
- /lib
|
||||
- /usr/lib
|
||||
- /usr/include
|
||||
- /usr/bin
|
||||
- /usr/sbin
|
||||
- /usr/share
|
||||
- /usr/share/doc
|
||||
- /etc/default
|
||||
- /
|
||||
- /etc
|
||||
- /usr
|
||||
- /usr/bin
|
||||
- /var
|
||||
- /var/log
|
||||
- /home
|
||||
- /bin
|
||||
- /sbin
|
||||
- /lib
|
||||
- /usr/lib
|
||||
- /usr/include
|
||||
- /usr/bin
|
||||
- /usr/sbin
|
||||
- /usr/share
|
||||
- /usr/share/doc
|
||||
- /etc/default
|
||||
|
||||
- name: Set 750 permission on some folders (/var/log/apt, /var/log/munin, ...)
|
||||
shell: "test -d {{ item }} && chmod --verbose 750 {{ item }}"
|
||||
|
@ -30,20 +30,21 @@
|
|||
changed_when: "'changed' in command_result.stdout"
|
||||
failed_when: False
|
||||
with_items:
|
||||
- /var/log/apt
|
||||
- /var/lib/dpkg
|
||||
- /var/log/munin
|
||||
- /var/backups
|
||||
- /etc/init.d
|
||||
- /etc/apache2
|
||||
- /etc/network
|
||||
- /etc/phpmyadmin
|
||||
- /var/log/installer
|
||||
- /var/log/apt
|
||||
- /var/lib/dpkg
|
||||
- /var/log/munin
|
||||
- /var/backups
|
||||
- /etc/init.d
|
||||
- /etc/apache2
|
||||
- /etc/network
|
||||
- /etc/phpmyadmin
|
||||
- /var/log/installer
|
||||
|
||||
- name: Change group to www-data for /etc/phpmyadmin/
|
||||
file:
|
||||
dest: /etc/phpmyadmin/
|
||||
group: www-data
|
||||
state: directory
|
||||
|
||||
- name: Set u-s permission on some binaries (/bin/ping, /usr/bin/mtr, ...)
|
||||
shell: "test -f {{ item }} && chmod --verbose u-s {{ item }}"
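Review bot: The hunk counts (20 old, 21 new) suggest `state: directory` on the `/etc/phpmyadmin/` file task is the only added non-whitespace line; with it the task creates `/etc/phpmyadmin/` (group www-data) on hosts where phpmyadmin is not installed, whereas without it a missing path made the task fail. If the intent is only to fix the group when the directory exists, guard the task with a `stat` result or drop `state: directory`; otherwise a comment like `# creates the directory even when phpmyadmin is absent; intentional` documents the choice. The other hunks of this file are indentation-only.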
|
||||
|
@ -51,11 +52,11 @@
|
|||
changed_when: "'changed' in command_result.stdout"
|
||||
failed_when: False
|
||||
with_items:
|
||||
- /bin/ping
|
||||
- /bin/ping6
|
||||
- /usr/bin/fping
|
||||
- /usr/bin/fping6
|
||||
- /usr/bin/mtr
|
||||
- /bin/ping
|
||||
- /bin/ping6
|
||||
- /usr/bin/fping
|
||||
- /usr/bin/fping6
|
||||
- /usr/bin/mtr
|
||||
|
||||
- name: Set 640 permission on some files (/var/log/evolix.log, ...)
|
||||
shell: "test -f {{ item }} && chmod --verbose 640 {{ item }}"
|
||||
|
@ -63,6 +64,5 @@
|
|||
changed_when: "'changed' in command_result.stdout"
|
||||
failed_when: False
|
||||
with_items:
|
||||
- /var/log/evolix.log
|
||||
- /etc/warnquota.conf
|
||||
|
||||
- /var/log/evolix.log
|
||||
- /etc/warnquota.conf
|
||||
|
|
|
@ -1,12 +1,23 @@
|
|||
---
|
||||
|
||||
- name: Install phpmyadmin
|
||||
- name: Install apg
|
||||
apt:
|
||||
name: '{{ item }}'
|
||||
state: present
|
||||
with_items:
|
||||
- phpmyadmin
|
||||
- apg
|
||||
name: apg
|
||||
|
||||
- name: Install phpmyadmin (Debian <=9)
|
||||
apt:
|
||||
name: phpmyadmin
|
||||
when: ansible_distribution_major_version | version_compare('9', '<=')
|
||||
|
||||
- include_role:
|
||||
name: remount-usr
|
||||
|
||||
# /!\ Warning: this is a temporary hack as phpmyadmin for Buster is not yet
|
||||
# available
|
||||
- name: Install phpmyadmin using sid package (Debian >=10)
|
||||
apt:
|
||||
deb: http://mirror.evolix.org/debian/pool/main/p/phpmyadmin/phpmyadmin_4.6.6-5_all.deb
|
||||
when: ansible_distribution_major_version | version_compare('10', '>=')
|
||||
|
||||
- name: Check if phpmyadmin default configuration is present
|
||||
stat:
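Review bot: `apt: deb: http://mirror.evolix.org/.../phpmyadmin_4.6.6-5_all.deb` installs a package fetched over plain HTTP with no integrity check, and a local .deb install bypasses apt's repository signature verification, so anything between the host and the mirror can substitute the file. Fetch it first with `get_url` and a pinned `checksum:`, then install the local file, and use HTTPS if the mirror serves it; the same applies to the php-log .deb in the php tasks hunk `@ -4,15 +4,37 @@`. The "temporary hack" comment should also record what retires it (phpmyadmin entering the buster suite).
```yaml
# … unchanged: include_role remount-usr above …
- name: Download phpmyadmin sid package (Debian >=10)
  get_url:
    url: http://mirror.evolix.org/debian/pool/main/p/phpmyadmin/phpmyadmin_4.6.6-5_all.deb
    dest: /root/phpmyadmin_4.6.6-5_all.deb   # local path is an example
    checksum: "sha256:<EXPECTED_SHA256>"       # placeholder: pin the known-good digest
  when: ansible_distribution_major_version | version_compare('10', '>=')

- name: Install phpmyadmin using sid package (Debian >=10)
  apt:
    deb: /root/phpmyadmin_4.6.6-5_all.deb
  when: ansible_distribution_major_version | version_compare('10', '>=')
```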
|
||||
|
|
|
@ -9,4 +9,7 @@
|
|||
when: ansible_distribution_release == "jessie"
|
||||
|
||||
- include: main_stretch.yml
|
||||
when: ansible_distribution_release == "stretch"
|
||||
|
||||
- include: main_buster.yml
|
||||
when: ansible_distribution_major_version | version_compare('9', '>=')
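Review bot: `main_buster.yml` is included when `ansible_distribution_major_version | version_compare('9', '>=')`, which is also true on Stretch, so a Debian 9 host runs both `main_stretch.yml` and `main_buster.yml` (the latter sets `php_fpm_service_name: php7.3-fpm` and 7.3 paths that do not exist there). The condition should read `when: ansible_distribution_major_version | version_compare('10', '>=')`, consistent with every other Debian 10 guard in this commit.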
|
||||
|
|
95
php/tasks/main_buster.yml
Normal file
95
php/tasks/main_buster.yml
Normal file
|
@ -0,0 +1,95 @@
|
|||
---
|
||||
|
||||
- name: "Set variables (Debian 10 or later)"
|
||||
set_fact:
|
||||
php_cli_defaults_ini_file: /etc/php/7.3/cli/conf.d/z-evolinux-defaults.ini
|
||||
php_cli_custom_ini_file: /etc/php/7.3/cli/conf.d/zzz-evolinux-custom.ini
|
||||
php_apache_defaults_ini_file: /etc/php/7.3/apache2/conf.d/z-evolinux-defaults.ini
|
||||
php_apache_custom_ini_file: /etc/php/7.3/apache2/conf.d/zzz-evolinux-custom.ini
|
||||
php_fpm_defaults_ini_file: /etc/php/7.3/fpm/conf.d/z-evolinux-defaults.ini
|
||||
php_fpm_custom_ini_file: /etc/php/7.3/fpm/conf.d/zzz-evolinux-custom.ini
|
||||
php_fpm_defaults_conf_file: /etc/php/7.3/fpm/pool.d/z-evolinux-defaults.conf
|
||||
php_fpm_custom_conf_file: /etc/php/7.3/fpm/pool.d/zzz-evolinux-custom.conf
|
||||
php_fpm_service_name: php7.3-fpm
|
||||
|
||||
# Packages
|
||||
|
||||
- name: "Set package list (Debian 9 or later)"
|
||||
set_fact:
|
||||
php_stretch_packages:
|
||||
- php-cli
|
||||
- php-gd
|
||||
- php-intl
|
||||
- php-imap
|
||||
- php-ldap
|
||||
- php-mysql
|
||||
# php-mcrypt is no longer packaged for PHP 7.2
|
||||
- php-pgsql
|
||||
- php-gettext
|
||||
- php-curl
|
||||
- php-ssh2
|
||||
- php-zip
|
||||
- composer
|
||||
- libphp-phpmailer
|
||||
|
||||
- include: sury_pre.yml
|
||||
when: php_sury_enable
|
||||
|
||||
- name: "Install PHP packages (Debian 9 or later)"
|
||||
apt:
|
||||
name: '{{ item }}'
|
||||
state: present
|
||||
with_items: "{{ php_stretch_packages }}"
|
||||
|
||||
- name: "Install mod_php packages (Debian 9 or later)"
|
||||
apt:
|
||||
name: '{{ item }}'
|
||||
state: present
|
||||
with_items:
|
||||
- libapache2-mod-php
|
||||
- php
|
||||
when: php_apache_enable
|
||||
|
||||
- name: "Install PHP FPM packages (Debian 9 or later)"
|
||||
apt:
|
||||
name: '{{ item }}'
|
||||
state: present
|
||||
with_items:
|
||||
- php-fpm
|
||||
- php
|
||||
when: php_fpm_enable
|
||||
|
||||
# Configuration
|
||||
|
||||
- name: Enforce permissions on PHP directory
|
||||
file:
|
||||
dest: "{{ item }}"
|
||||
mode: "0755"
|
||||
with_items:
|
||||
- /etc/php
|
||||
- /etc/php/7.3
|
||||
|
||||
- include: config_cli.yml
|
||||
- name: Enforce permissions on PHP cli directory
|
||||
file:
|
||||
dest: /etc/php/7.3/cli
|
||||
mode: "0755"
|
||||
|
||||
- include: config_fpm.yml
|
||||
when: php_fpm_enable
|
||||
- name: Enforce permissions on PHP fpm directory
|
||||
file:
|
||||
dest: /etc/php/7.3/fpm
|
||||
mode: "0755"
|
||||
when: php_fpm_enable
|
||||
|
||||
- include: config_apache.yml
|
||||
when: php_apache_enable
|
||||
- name: Enforce permissions on PHP apache2 directory
|
||||
file:
|
||||
dest: /etc/php/7.3/apache2
|
||||
mode: "0755"
|
||||
when: php_apache_enable
|
||||
|
||||
- include: sury_post.yml
|
||||
when: php_sury_enable
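Review bot: Several task names and the fact name in this new Debian 10 file still say "(Debian 9 or later)" and `php_stretch_packages` ("Set package list", "Install PHP packages", "Install mod_php packages", "Install PHP FPM packages"), and the comment `# php-mcrypt is no longer packaged for PHP 7.2` refers to a PHP version this file does not install. They look copied from main_stretch.yml; rename them to "(Debian 10 or later)" and `php_buster_packages` so log output and grep results distinguish the two branches, and update the comment to `# php-mcrypt has not been packaged since PHP 7.2`. The `7.3` path component is repeated in the first set_fact and in the permission tasks; a single `php_version: "7.3"` fact would keep the next bump to one line.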
|
|
@ -4,10 +4,10 @@
|
|||
name: "{{ item }}"
|
||||
state: present
|
||||
with_items:
|
||||
- spamassassin
|
||||
- evomaintenance
|
||||
- spamassassin
|
||||
- evomaintenance
|
||||
tags:
|
||||
- spamassassin
|
||||
- spamassassin
|
||||
|
||||
- name: configure SpamAssasin
|
||||
copy:
|
||||
|
@ -16,7 +16,7 @@
|
|||
mode: "0644"
|
||||
notify: restart spamassassin
|
||||
tags:
|
||||
- spamassassin
|
||||
- spamassassin
|
||||
|
||||
- name: enable SpamAssasin
|
||||
replace:
|
||||
|
@ -25,7 +25,7 @@
|
|||
replace: 'ENABLED=1'
|
||||
notify: restart spamassassin
|
||||
tags:
|
||||
- spamassassin
|
||||
- spamassassin
|
||||
|
||||
- name: add amavis user to debian-spamd group
|
||||
user:
|
||||
|
@ -33,7 +33,7 @@
|
|||
groups: debian-spamd
|
||||
append: yes
|
||||
tags:
|
||||
- spamassassin
|
||||
- spamassassin
|
||||
|
||||
- name: fix right on /var/lib/spamassassin
|
||||
file:
|
||||
|
@ -41,12 +41,12 @@
|
|||
state: directory
|
||||
mode: "0750"
|
||||
tags:
|
||||
- spamassassin
|
||||
- spamassassin
|
||||
|
||||
- include_role:
|
||||
name: remount-usr
|
||||
tags:
|
||||
- spamassassin
|
||||
- spamassassin
|
||||
|
||||
- name: copy sa-update.sh script
|
||||
copy:
|
||||
|
@ -54,7 +54,7 @@
|
|||
dest: /usr/share/scripts/sa-update.sh
|
||||
mode: "0750"
|
||||
tags:
|
||||
- spamassassin
|
||||
- spamassassin
|
||||
|
||||
- name: enable sa-update.sh cron
|
||||
lineinfile:
|
||||
|
@ -64,13 +64,13 @@
|
|||
state: present
|
||||
mode: "0640"
|
||||
tags:
|
||||
- spamassassin
|
||||
- spamassassin
|
||||
|
||||
- name: update SpamAssasin's rules
|
||||
command: "/usr/share/scripts/sa-update.sh"
|
||||
changed_when: false
|
||||
tags:
|
||||
- spamassassin
|
||||
- spamassassin
|
||||
|
||||
- name: ensure SpamAssasin is started and enabled
|
||||
systemd:
|
||||
|
@ -78,4 +78,4 @@
|
|||
state: started
|
||||
enabled: True
|
||||
tags:
|
||||
- spamassassin
|
||||
- spamassassin
|
||||
|
|
22
squid/files/squid.service
Normal file
22
squid/files/squid.service
Normal file
|
@ -0,0 +1,22 @@
|
|||
## Copyright (C) 1996-2019 The Squid Software Foundation and contributors
|
||||
##
|
||||
## Squid software is distributed under GPLv2+ license and includes
|
||||
## contributions from numerous individuals and organizations.
|
||||
## Please see the COPYING and CONTRIBUTORS files for details.
|
||||
##
|
||||
|
||||
[Unit]
|
||||
Description=Squid Web Proxy Server
|
||||
Documentation=man:squid(8)
|
||||
After=network.target network-online.target nss-lookup.target
|
||||
|
||||
[Service]
|
||||
Type=forking
|
||||
PIDFile=/var/run/squid.pid
|
||||
ExecStartPre=/usr/sbin/squid --foreground -z
|
||||
ExecStart=/usr/sbin/squid -sYC -f /etc/squid/evolinux-defaults.conf
|
||||
ExecReload=/bin/kill -HUP $MAINPID
|
||||
KillMode=mixed
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
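Review bot: `ExecStartPre=/usr/sbin/squid --foreground -z` runs without `-f`, so the cache-directory initialization reads squid's default configuration while `ExecStart` runs with `-f /etc/squid/evolinux-defaults.conf`; if the two files declare different `cache_dir` settings, `-z` prepares the wrong directories and the start step then fails. Use `ExecStartPre=/usr/sbin/squid --foreground -z -f /etc/squid/evolinux-defaults.conf`. Separately, `PIDFile=/var/run/squid.pid` points under the legacy `/var/run` path, which recent systemd warns about at unit load; `PIDFile=/run/squid.pid` avoids the warning (confirm it matches the configured pid_filename).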
|
|
@ -134,6 +134,9 @@
|
|||
notify: "reload squid"
|
||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||
|
||||
- include: systemd.yml
|
||||
when: ansible_distribution_major_version | version_compare('10', '>=')
|
||||
|
||||
- include: logrotate_jessie.yml
|
||||
when: ansible_distribution_release == "jessie"
|
||||
|
||||
|
|
14
squid/tasks/systemd.yml
Normal file
14
squid/tasks/systemd.yml
Normal file
|
@ -0,0 +1,14 @@
|
|||
---
|
||||
|
||||
- name: "Set custom systemd unit service (Debian 10 or later)"
|
||||
copy:
|
||||
src: squid.service
|
||||
dest: /etc/systemd/system/squid.service
|
||||
when: ansible_distribution_major_version | version_compare('10', '>=')
|
||||
|
||||
- name: "Reload systemd and restart squid (Debian 10 or later)"
|
||||
systemd:
|
||||
name: squid
|
||||
state: restarted
|
||||
daemon_reload: yes
|
||||
when: ansible_distribution_major_version | version_compare('10', '>=')
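Review bot: The second task restarts squid with `state: restarted` on every play run, because nothing ties it to whether `squid.service` actually changed; an unconditional restart of a proxy drops client connections each time the role is applied. Register the copy (`register: squid_unit`) and restart only `when: squid_unit is changed`, or `notify` a handler that does the daemon_reload and restart, as the main tasks already do with `notify: "reload squid"`. The two `when:` guards here duplicate the one on the `include: systemd.yml` line in the squid main tasks hunk; keep one of the two so the condition lives in a single place.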
|
|
@ -4,15 +4,37 @@
|
|||
name: apt
|
||||
tasks_from: evolix_public.yml
|
||||
|
||||
- name: Install PHP packages
|
||||
- name: Install PHP packages (Debian 10 and later)
|
||||
apt:
|
||||
name: '{{ item }}'
|
||||
state: present
|
||||
with_items:
|
||||
- php-pear
|
||||
when: ansible_distribution_major_version | version_compare('10', '>=')
|
||||
|
||||
# /!\ Warning, this is a temporary hack
|
||||
- include_role:
|
||||
name: remount-usr
|
||||
|
||||
# /!\ Warning, this is a temporary hack
|
||||
- name: Install PHP packages from sid (Debian 10 and later)
|
||||
apt:
|
||||
deb: '{{ item }}'
|
||||
state: present
|
||||
with_items:
|
||||
- 'http://mirror.evolix.org/debian/pool/main/p/php-log/php-log_1.12.9-2_all.deb'
|
||||
when: ansible_distribution_major_version | version_compare('10', '>=')
|
||||
|
||||
- name: Install PHP packages (stretch)
|
||||
apt:
|
||||
name: '{{ item }}'
|
||||
state: present
|
||||
with_items:
|
||||
- php-pear
|
||||
- php-log
|
||||
when: ansible_distribution_release == "stretch"
|
||||
|
||||
- name: Install PHP5 packages
|
||||
- name: Install PHP5 packages (jessie)
|
||||
apt:
|
||||
name: '{{ item }}'
|
||||
state: present
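Review bot: `include_role: remount-usr` under the "temporary hack" comment carries no `when`, so, if it is new in this hunk as the line counts suggest, /usr is remounted on Stretch and Jessie hosts too although the task it prepares for is guarded by `version_compare('10', '>=')`; give the include the same condition. The php-log .deb fetched from `mirror.evolix.org` over HTTP without a checksum shares the concern raised on the phpmyadmin sid package. The jessie task continues past the hunk.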
|
||||
|
|