Merge branch 'buster' into unstable

CHANGELOG.md

@@ -13,6 +13,7 @@ The **patch** part changes incrementally at each release.
 ### Added
 * evocheck: explicit PATH
 * evolinux-base: On debian 10 and later, add noexec on /dev/shm
+* evolinux-base: default value for "evolinux_ssh_group"
 * generate-ldif: support MariaDB 10.3
 * listupgrade: install old-kernel-autoremoval script
 * mysql: activate binary logs by specifying log_bin path
@@ -25,12 +26,14 @@ The **patch** part changes incrementally at each release.
 
 ### Changed
 * elasticsearch: listen on local interface only by default
-* evocheck: upstream version 19.09
+* evocheck : update (version 19.09) from upstream
 * evocheck: cron jobs execute in verbose
-* evomaintenance: upstream version 0.5.1
+* evolinux-base: use "evolinux_internal_group" for SSH authentication
 * evomaintenance: Turn on API by default (instead of DB)
+* evomaintenance: upstream version 0.5.1
 * php: By default, allow 128M for OpCache (instead of 64M)
 * squid: Remove wait time when we turn off squid
+* squid: split systemd tasks into own file
 
 ### Fixed
 * lxc-php: Don't remove the default pool

apt/templates/evolix_public.list.j2

@@ -1,3 +1,4 @@
 # {{ ansible_managed }}
 
-deb http://pub.evolix.net/ {{ ansible_distribution_release }}/
+# deb http://pub.evolix.net/ {{ ansible_distribution_release }}/
+deb http://pub.evolix.net/ stretch/

evolinux-base/defaults/main.yml

@@ -79,6 +79,7 @@ evolinux_packages_diagnostic: True
 evolinux_packages_hardware: True
 evolinux_packages_common: True
 evolinux_packages_stretch: True
+evolinux_packages_buster: True
 evolinux_packages_serveur_base: True
 evolinux_packages_purge_openntpd: True
 evolinux_packages_purge_locate: True
@@ -124,6 +125,7 @@ evolinux_ssh_password_auth_addresses: "{{ evolinux_default_ssh_password_auth_add
 evolinux_ssh_match_address: True
 evolinux_ssh_disable_acceptenv: True
 evolinux_ssh_allow_current_user: False
+evolinux_ssh_group: "evolinux-ssh"
 
 ### disabled because of a memory leak
 # # evolinux users

evolinux-base/tasks/packages.yml

@@ -95,6 +95,16 @@
   - evolinux_packages_stretch
   - ansible_distribution_major_version | version_compare('9', '>=')
 
+- name: Install/Update packages for Buster and later
+  apt:
+    name: "{{ item }}"
+  with_items:
+  - spectre-meltdown-checker
+  - binutils
+  when:
+  - evolinux_packages_buster
+  - ansible_distribution_major_version | version_compare('10', '>=')
+
 - name: Customize logcheck recipient
   lineinfile:
     dest: /etc/logcheck/logcheck.conf

evolinux-base/tasks/ssh.yml

@@ -11,7 +11,7 @@
 # only the first instance of the keyword is applied. »
 #
 # We want to allow any user from a list of IP addresses to login with password,
-# but users of the "evolix" group can't login with password from other IP addresses
+# but users of the "{{ evolinux_internal_group }}" group can't login with password from other IP addresses
 
 - name: "Security directives for Evolinux (Debian 10 or later)"
   blockinfile:
@@ -20,7 +20,7 @@
     block: |
       Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
           PasswordAuthentication yes
-      Match Group evolix
+      Match Group {{ evolinux_internal_group }}
           PasswordAuthentication no
     insertafter: EOF
     validate: '/usr/sbin/sshd -t -f %s'

minifirewall/files/check_minifirewall

@@ -10,7 +10,7 @@ is_alert5_enabled() {
   if test -f /etc/init.d/alert5; then
     test -f /etc/rc2.d/S*alert5
   else
-    systemctl is-active alert5 | grep -q "^active$"
+    systemctl is-enabled alert5 -q
   fi
 }
 

mysql/tasks/utils.yml

@@ -24,14 +24,23 @@
     - mysql
   when: ansible_distribution_release == "jessie"
 
-- name: "Install depends for mytop (Debian 9 or later)"
+- name: "Install depends for mytop (stretch)"
   apt:
     name: "{{ item }}"
   with_items:
   - mariadb-client-10.1
   - libconfig-inifiles-perl
   - libterm-readkey-perl
-  when: ansible_distribution_major_version | version_compare('9', '>=')
+  when: ansible_distribution_release == "stretch"
+
+- name: "Install depends for mytop (Debian 10 or later)"
+  apt:
+    name: "{{ item }}"
+  with_items:
+  - mariadb-client-10.3
+  - libconfig-inifiles-perl
+  - libterm-readkey-perl
+  when: ansible_distribution_major_version | version_compare('10', '>=')
 
 - name: Read debian-sys-maint password
   shell: 'cat /etc/mysql/debian.cnf | grep -m1 "password = .*" | cut -d" " -f3'

packweb-apache/tasks/apache.yml

@@ -21,19 +21,19 @@
     name: '{{ item }}'
     state: present
   with_items:
-  - libapache2-mod-security2
-  - modsecurity-crs
-  - apg
+    - libapache2-mod-security2
+    - modsecurity-crs
+    - apg
 
 - name: Additional modules are enabled
   apache2_module:
     name: '{{ item }}'
     state: present
   with_items:
-  - ssl
-  - include
-  - negotiation
-  - alias
+    - ssl
+    - include
+    - negotiation
+    - alias
 
 - name: Copy Apache settings for modules
   copy:
@@ -58,6 +58,5 @@
   register: command_result
   changed_when: "'Enabling' in command_result.stderr"
   with_items:
-  - evolinux-evasive
-  - evolinux-modsec
-
+    - evolinux-evasive
+    - evolinux-modsec

packweb-apache/tasks/fhs_retrictions.yml

@@ -6,23 +6,23 @@
   changed_when: "'changed' in command_result.stdout"
   failed_when: False
   with_items:
-  - /
-  - /etc
-  - /usr
-  - /usr/bin
-  - /var
-  - /var/log
-  - /home
-  - /bin
-  - /sbin
-  - /lib
-  - /usr/lib
-  - /usr/include
-  - /usr/bin
-  - /usr/sbin
-  - /usr/share
-  - /usr/share/doc
-  - /etc/default
+    - /
+    - /etc
+    - /usr
+    - /usr/bin
+    - /var
+    - /var/log
+    - /home
+    - /bin
+    - /sbin
+    - /lib
+    - /usr/lib
+    - /usr/include
+    - /usr/bin
+    - /usr/sbin
+    - /usr/share
+    - /usr/share/doc
+    - /etc/default
 
 - name: Set 750 permission on some folders (/var/log/apt, /var/log/munin, ...)
   shell: "test -d {{ item }} && chmod --verbose 750 {{ item }}"
@@ -30,20 +30,21 @@
   changed_when: "'changed' in command_result.stdout"
   failed_when: False
   with_items:
-  - /var/log/apt
-  - /var/lib/dpkg
-  - /var/log/munin
-  - /var/backups
-  - /etc/init.d
-  - /etc/apache2
-  - /etc/network
-  - /etc/phpmyadmin
-  - /var/log/installer
+    - /var/log/apt
+    - /var/lib/dpkg
+    - /var/log/munin
+    - /var/backups
+    - /etc/init.d
+    - /etc/apache2
+    - /etc/network
+    - /etc/phpmyadmin
+    - /var/log/installer
 
 - name: Change group to www-data for /etc/phpmyadmin/
   file:
     dest: /etc/phpmyadmin/
     group: www-data
+    state: directory
 
 - name: Set u-s permission on some binaries (/bin/ping, /usr/bin/mtr, ...)
   shell: "test -f {{ item }} && chmod --verbose u-s {{ item }}"
@@ -51,11 +52,11 @@
   changed_when: "'changed' in command_result.stdout"
   failed_when: False
   with_items:
-  - /bin/ping
-  - /bin/ping6
-  - /usr/bin/fping
-  - /usr/bin/fping6
-  - /usr/bin/mtr
+    - /bin/ping
+    - /bin/ping6
+    - /usr/bin/fping
+    - /usr/bin/fping6
+    - /usr/bin/mtr
 
 - name: Set 640 permission on some files (/var/log/evolix.log, ...)
   shell: "test -f {{ item }} && chmod --verbose 640 {{ item }}"
@@ -63,6 +64,5 @@
   changed_when: "'changed' in command_result.stdout"
   failed_when: False
   with_items:
-  - /var/log/evolix.log
-  - /etc/warnquota.conf
-
+    - /var/log/evolix.log
+    - /etc/warnquota.conf

packweb-apache/tasks/phpmyadmin.yml

@@ -1,12 +1,23 @@
 ---
 
-- name: Install phpmyadmin
+- name: Install apg
   apt:
-    name: '{{ item }}'
-    state: present
-  with_items:
-  - phpmyadmin
-  - apg
+    name: apg
+
+- name: Install phpmyadmin (Debian <=9)
+  apt:
+    name: phpmyadmin
+  when: ansible_distribution_major_version | version_compare('9', '<=')
+
+- include_role:
+    name: remount-usr
+
+# /!\ Warning: this is a temporary hack as phpmyadmin for Buster is not yet
+# available
+- name: Install phpmyadmin using sid package (Debian >=10)
+  apt:
+    deb: http://mirror.evolix.org/debian/pool/main/p/phpmyadmin/phpmyadmin_4.6.6-5_all.deb
+  when: ansible_distribution_major_version | version_compare('10', '>=')
 
 - name: Check if phpmyadmin default configuration is present
   stat:

php/tasks/main.yml

@@ -9,4 +9,7 @@
   when: ansible_distribution_release == "jessie"
 
 - include: main_stretch.yml
+  when: ansible_distribution_release == "stretch"
+
+- include: main_buster.yml
   when: ansible_distribution_major_version | version_compare('9', '>=')

php/tasks/main_buster.yml

@@ -0,0 +1,95 @@
+---
+
+- name: "Set variables (Debian 10 or later)"
+  set_fact:
+    php_cli_defaults_ini_file: /etc/php/7.3/cli/conf.d/z-evolinux-defaults.ini
+    php_cli_custom_ini_file: /etc/php/7.3/cli/conf.d/zzz-evolinux-custom.ini
+    php_apache_defaults_ini_file: /etc/php/7.3/apache2/conf.d/z-evolinux-defaults.ini
+    php_apache_custom_ini_file: /etc/php/7.3/apache2/conf.d/zzz-evolinux-custom.ini
+    php_fpm_defaults_ini_file: /etc/php/7.3/fpm/conf.d/z-evolinux-defaults.ini
+    php_fpm_custom_ini_file: /etc/php/7.3/fpm/conf.d/zzz-evolinux-custom.ini
+    php_fpm_defaults_conf_file: /etc/php/7.3/fpm/pool.d/z-evolinux-defaults.conf
+    php_fpm_custom_conf_file: /etc/php/7.3/fpm/pool.d/zzz-evolinux-custom.conf
+    php_fpm_service_name: php7.3-fpm
+
+# Packages
+
+- name: "Set package list (Debian 9 or later)"
+  set_fact:
+    php_stretch_packages:
+      - php-cli
+      - php-gd
+      - php-intl
+      - php-imap
+      - php-ldap
+      - php-mysql
+      # php-mcrypt is no longer packaged for PHP 7.2
+      - php-pgsql
+      - php-gettext
+      - php-curl
+      - php-ssh2
+      - php-zip
+      - composer
+      - libphp-phpmailer
+
+- include: sury_pre.yml
+  when: php_sury_enable
+
+- name: "Install PHP packages (Debian 9 or later)"
+  apt:
+    name: '{{ item }}'
+    state: present
+  with_items: "{{ php_stretch_packages }}"
+
+- name: "Install mod_php packages (Debian 9 or later)"
+  apt:
+    name: '{{ item }}'
+    state: present
+  with_items:
+    - libapache2-mod-php
+    - php
+  when: php_apache_enable
+
+- name: "Install PHP FPM packages (Debian 9 or later)"
+  apt:
+    name: '{{ item }}'
+    state: present
+  with_items:
+    - php-fpm
+    - php
+  when: php_fpm_enable
+
+# Configuration
+
+- name: Enforce permissions on PHP directory
+  file:
+    dest: "{{ item }}"
+    mode: "0755"
+  with_items:
+    - /etc/php
+    - /etc/php/7.3
+
+- include: config_cli.yml
+- name: Enforce permissions on PHP cli directory
+  file:
+    dest: /etc/php/7.3/cli
+    mode: "0755"
+
+- include: config_fpm.yml
+  when: php_fpm_enable
+- name: Enforce permissions on PHP fpm directory
+  file:
+    dest: /etc/php/7.3/fpm
+    mode: "0755"
+  when: php_fpm_enable
+
+- include: config_apache.yml
+  when: php_apache_enable
+- name: Enforce permissions on PHP apache2 directory
+  file:
+    dest: /etc/php/7.3/apache2
+    mode: "0755"
+  when: php_apache_enable
+
+- include: sury_post.yml
+  when: php_sury_enable

spamassasin/tasks/main.yml

@@ -4,10 +4,10 @@
     name: "{{ item }}"
     state: present
   with_items:
-  - spamassassin
-  - evomaintenance
+    - spamassassin
+    - evomaintenance
   tags:
-  - spamassassin
+    - spamassassin
 
 - name: configure SpamAssasin
   copy:
@@ -16,7 +16,7 @@
     mode: "0644"
   notify: restart spamassassin
   tags:
-  - spamassassin
+    - spamassassin
 
 - name: enable SpamAssasin
   replace:
@@ -25,7 +25,7 @@
     replace: 'ENABLED=1'
   notify: restart spamassassin
   tags:
-  - spamassassin
+    - spamassassin
 
 - name: add amavis user to debian-spamd group
   user:
@@ -33,7 +33,7 @@
     groups: debian-spamd
     append: yes
   tags:
-  - spamassassin
+    - spamassassin
 
 - name: fix right on /var/lib/spamassassin
   file:
@@ -41,12 +41,12 @@
     state: directory
     mode: "0750"
   tags:
-  - spamassassin
+    - spamassassin
 
 - include_role:
     name: remount-usr
   tags:
-  - spamassassin
+    - spamassassin
 
 - name: copy sa-update.sh script
   copy:
@@ -54,7 +54,7 @@
     dest: /usr/share/scripts/sa-update.sh
     mode: "0750"
   tags:
-  - spamassassin
+    - spamassassin
 
 - name: enable sa-update.sh cron
   lineinfile:
@@ -64,13 +64,13 @@
     state: present
     mode: "0640"
   tags:
-  - spamassassin
+    - spamassassin
 
 - name: update SpamAssasin's rules
   command: "/usr/share/scripts/sa-update.sh"
   changed_when: false
   tags:
-  - spamassassin
+    - spamassassin
 
 - name: ensure SpamAssasin is started and enabled
   systemd:
@@ -78,4 +78,4 @@
     state: started
     enabled: True
   tags:
-  - spamassassin
+    - spamassassin

squid/files/squid.service

@@ -0,0 +1,22 @@
+## Copyright (C) 1996-2019 The Squid Software Foundation and contributors
+##
+## Squid software is distributed under GPLv2+ license and includes
+## contributions from numerous individuals and organizations.
+## Please see the COPYING and CONTRIBUTORS files for details.
+##
+
+[Unit]
+Description=Squid Web Proxy Server
+Documentation=man:squid(8)
+After=network.target network-online.target nss-lookup.target
+
+[Service]
+Type=forking
+PIDFile=/var/run/squid.pid
+ExecStartPre=/usr/sbin/squid --foreground -z
+ExecStart=/usr/sbin/squid -sYC -f /etc/squid/evolinux-defaults.conf
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=mixed
+
+[Install]
+WantedBy=multi-user.target

squid/tasks/main.yml

@@ -134,6 +134,9 @@
   notify: "reload squid"
   when: ansible_distribution_major_version | version_compare('9', '>=')
 
+- include: systemd.yml
+  when: ansible_distribution_major_version | version_compare('10', '>=')
+
 - include: logrotate_jessie.yml
   when: ansible_distribution_release == "jessie"
 

squid/tasks/systemd.yml

@@ -0,0 +1,14 @@
+---
+
+- name: "Set custom systemd unit service (Debian 10 or later)"
+  copy:
+    src: squid.service
+    dest: /etc/systemd/system/squid.service
+  when: ansible_distribution_major_version | version_compare('10', '>=')
+
+- name: "Reload systemd and restart squid (Debian 10 or later)"
+  systemd:
+    name: squid
+    state: restarted
+    daemon_reload: yes
+  when: ansible_distribution_major_version | version_compare('10', '>=')

webapps/evoadmin-web/tasks/packages.yml

@@ -4,15 +4,37 @@
     name: apt
     tasks_from: evolix_public.yml
 
-- name: Install PHP packages
+- name: Install PHP packages (Debian 10 and later)
+  apt:
+    name: '{{ item }}'
+    state: present
+  with_items:
+    - php-pear
+  when: ansible_distribution_major_version | version_compare('10', '>=')
+
+# /!\ Warning, this is a temporary hack
+- include_role:
+    name: remount-usr
+
+# /!\ Warning, this is a temporary hack
+- name: Install PHP packages from sid (Debian 10 and later)
+  apt:
+    deb: '{{ item }}'
+    state: present
+  with_items:
+    - 'http://mirror.evolix.org/debian/pool/main/p/php-log/php-log_1.12.9-2_all.deb'
+  when: ansible_distribution_major_version | version_compare('10', '>=')
+
+- name: Install PHP packages (stretch)
   apt:
     name: '{{ item }}'
     state: present
   with_items:
     - php-pear
     - php-log
+  when: ansible_distribution_release == "stretch"
 
-- name: Install PHP5 packages
+- name: Install PHP5 packages (jessie)
   apt:
     name: '{{ item }}'
     state: present