Merge branch 'buster' into unstable
commit
bea11352be
|
@ -13,6 +13,7 @@ The **patch** part changes incrementally at each release.
|
|||
### Added
|
||||
* evocheck: explicit PATH
|
||||
* evolinux-base: On debian 10 and later, add noexec on /dev/shm
|
||||
* evolinux-base: default value for "evolinux_ssh_group"
|
||||
* generate-ldif: support MariaDB 10.3
|
||||
* listupgrade: install old-kernel-autoremoval script
|
||||
* mysql: activate binary logs by specifying log_bin path
|
||||
|
@ -25,12 +26,14 @@ The **patch** part changes incrementally at each release.
|
|||
|
||||
### Changed
|
||||
* elasticsearch: listen on local interface only by default
|
||||
* evocheck: upstream version 19.09
|
||||
* evocheck : update (version 19.09) from upstream
|
||||
* evocheck: cron jobs execute in verbose
|
||||
* evomaintenance: upstream version 0.5.1
|
||||
* evolinux-base: use "evolinux_internal_group" for SSH authentication
|
||||
* evomaintenance: Turn on API by default (instead of DB)
|
||||
* evomaintenance: upstream version 0.5.1
|
||||
* php: By default, allow 128M for OpCache (instead of 64M)
|
||||
* squid: Remove wait time when we turn off squid
|
||||
* squid: split systemd tasks into own file
|
||||
|
||||
### Fixed
|
||||
* lxc-php: Don't remove the default pool
|
||||
|
|
|
@ -1,3 +1,4 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
deb http://pub.evolix.net/ {{ ansible_distribution_release }}/
|
||||
# deb http://pub.evolix.net/ {{ ansible_distribution_release }}/
|
||||
deb http://pub.evolix.net/ stretch/
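Review bot: The active `deb` line is pinned to the literal suite `stretch/` with no explanation, so a host on any other release is pointed at the stretch suite of pub.evolix.net; by the hunk counts (3 old lines, 4 new) the templated line becomes a comment and the literal one is new. If this is a stop-gap, say so above the line, for example `# TODO: restore {{ ansible_distribution_release }} once the matching suite is published`. The source is plain `http://`, so integrity rests entirely on APT's signature verification of the repository; it is worth confirming that the repository key is installed before this list is written.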
|
||||
|
|
|
@ -79,6 +79,7 @@ evolinux_packages_diagnostic: True
|
|||
evolinux_packages_hardware: True
|
||||
evolinux_packages_common: True
|
||||
evolinux_packages_stretch: True
|
||||
evolinux_packages_buster: True
|
||||
evolinux_packages_serveur_base: True
|
||||
evolinux_packages_purge_openntpd: True
|
||||
evolinux_packages_purge_locate: True
|
||||
|
@ -124,6 +125,7 @@ evolinux_ssh_password_auth_addresses: "{{ evolinux_default_ssh_password_auth_add
|
|||
evolinux_ssh_match_address: True
|
||||
evolinux_ssh_disable_acceptenv: True
|
||||
evolinux_ssh_allow_current_user: False
|
||||
evolinux_ssh_group: "evolinux-ssh"
|
||||
|
||||
### disabled because of a memory leak
|
||||
# # evolinux users
|
||||
|
|
|
@ -95,6 +95,16 @@
|
|||
- evolinux_packages_stretch
|
||||
- ansible_distribution_major_version | version_compare('9', '>=')
|
||||
|
||||
- name: Install/Update packages for Buster and later
|
||||
apt:
|
||||
name: "{{ item }}"
|
||||
with_items:
|
||||
- spectre-meltdown-checker
|
||||
- binutils
|
||||
when:
|
||||
- evolinux_packages_buster
|
||||
- ansible_distribution_major_version | version_compare('10', '>=')
|
||||
|
||||
- name: Customize logcheck recipient
|
||||
lineinfile:
|
||||
dest: /etc/logcheck/logcheck.conf
|
||||
|
|
|
@ -11,7 +11,7 @@
|
|||
# only the first instance of the keyword is applied. »
|
||||
#
|
||||
# We want to allow any user from a list of IP addresses to login with password,
|
||||
# but users of the "evolix" group can't login with password from other IP addresses
|
||||
# but users of the "{{ evolinux_internal_group }}" group can't login with password from other IP addresses
|
||||
|
||||
- name: "Security directives for Evolinux (Debian 10 or later)"
|
||||
blockinfile:
|
||||
|
@ -20,7 +20,7 @@
|
|||
block: |
|
||||
Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
|
||||
PasswordAuthentication yes
|
||||
Match Group evolix
|
||||
Match Group {{ evolinux_internal_group }}
|
||||
PasswordAuthentication no
|
||||
insertafter: EOF
|
||||
validate: '/usr/sbin/sshd -t -f %s'
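Review bot: `Match Group {{ evolinux_internal_group }}` (presumably the new side of the changed line) is rendered into sshd_config without any check on the variable, and the defaults hunk visible in this commit only adds `evolinux_ssh_group`, so the default of `evolinux_internal_group` cannot be confirmed from here. An empty value should be rejected by the existing `validate: '/usr/sbin/sshd -t -f %s'`, but a value containing a comma or a wildcard is a valid pattern list and would silently change which groups are refused password login. Consider an `assert` task before the blockinfile that the variable is defined and is a plain group name. The blockinfile task starts outside the hunk.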
|
||||
|
|
|
@ -10,7 +10,7 @@ is_alert5_enabled() {
|
|||
if test -f /etc/init.d/alert5; then
|
||||
test -f /etc/rc2.d/S*alert5
|
||||
else
|
||||
systemctl is-active alert5 | grep -q "^active$"
|
||||
systemctl is-enabled alert5 -q
|
||||
fi
|
||||
}
|
||||
|
||||
|
|
|
@ -24,14 +24,23 @@
|
|||
- mysql
|
||||
when: ansible_distribution_release == "jessie"
|
||||
|
||||
- name: "Install depends for mytop (Debian 9 or later)"
|
||||
- name: "Install depends for mytop (stretch)"
|
||||
apt:
|
||||
name: "{{ item }}"
|
||||
with_items:
|
||||
- mariadb-client-10.1
|
||||
- libconfig-inifiles-perl
|
||||
- libterm-readkey-perl
|
||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||
when: ansible_distribution_release == "stretch"
|
||||
|
||||
- name: "Install depends for mytop (Debian 10 or later)"
|
||||
apt:
|
||||
name: "{{ item }}"
|
||||
with_items:
|
||||
- mariadb-client-10.3
|
||||
- libconfig-inifiles-perl
|
||||
- libterm-readkey-perl
|
||||
when: ansible_distribution_major_version | version_compare('10', '>=')
|
||||
|
||||
- name: Read debian-sys-maint password
|
||||
shell: 'cat /etc/mysql/debian.cnf | grep -m1 "password = .*" | cut -d" " -f3'
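Review bot: The new task "Install depends for mytop (Debian 10 or later)" is guarded by `version_compare('10', '>=')` but installs the release-specific package `mariadb-client-10.3`, so it would presumably fail on a later Debian release where that versioned package no longer exists. The stretch task in the same hunk is now tied to its release with `ansible_distribution_release == "stretch"`; the Buster task should be consistent, e.g. `when: ansible_distribution_release == "buster"`, or install an unversioned client package instead.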
|
||||
|
|
|
@ -60,4 +60,3 @@
|
|||
with_items:
|
||||
- evolinux-evasive
|
||||
- evolinux-modsec
|
||||
|
||||
|
|
|
@ -44,6 +44,7 @@
|
|||
file:
|
||||
dest: /etc/phpmyadmin/
|
||||
group: www-data
|
||||
state: directory
|
||||
|
||||
- name: Set u-s permission on some binaries (/bin/ping, /usr/bin/mtr, ...)
|
||||
shell: "test -f {{ item }} && chmod --verbose u-s {{ item }}"
|
||||
|
@ -65,4 +66,3 @@
|
|||
with_items:
|
||||
- /var/log/evolix.log
|
||||
- /etc/warnquota.conf
|
||||
|
||||
|
|
|
@ -1,12 +1,23 @@
|
|||
---
|
||||
|
||||
- name: Install phpmyadmin
|
||||
- name: Install apg
|
||||
apt:
|
||||
name: '{{ item }}'
|
||||
state: present
|
||||
with_items:
|
||||
- phpmyadmin
|
||||
- apg
|
||||
name: apg
|
||||
|
||||
- name: Install phpmyadmin (Debian <=9)
|
||||
apt:
|
||||
name: phpmyadmin
|
||||
when: ansible_distribution_major_version | version_compare('9', '<=')
|
||||
|
||||
- include_role:
|
||||
name: remount-usr
|
||||
|
||||
# /!\ Warning: this is a temporary hack as phpmyadmin for Buster is not yet
|
||||
# available
|
||||
- name: Install phpmyadmin using sid package (Debian >=10)
|
||||
apt:
|
||||
deb: http://mirror.evolix.org/debian/pool/main/p/phpmyadmin/phpmyadmin_4.6.6-5_all.deb
|
||||
when: ansible_distribution_major_version | version_compare('10', '>=')
|
||||
|
||||
- name: Check if phpmyadmin default configuration is present
|
||||
stat:
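Review bot: The `apt: deb:` task installs `phpmyadmin_4.6.6-5_all.deb` straight from an `http://` URL, so the package is not covered by APT's repository signatures, is not protected in transit, and its maintainer scripts then run as root. The same pattern is used for `php-log_1.12.9-2_all.deb` in the "Install PHP packages from sid (Debian 10 and later)" task later in this commit. Download the file first with a pinned checksum and install it from the local path; the checksum below is a placeholder to be filled in from a trusted copy of the package.

```yaml
- name: Download phpmyadmin sid package (Debian >=10)
  get_url:
    url: http://mirror.evolix.org/debian/pool/main/p/phpmyadmin/phpmyadmin_4.6.6-5_all.deb
    dest: /var/cache/apt/archives/phpmyadmin_4.6.6-5_all.deb
    # placeholder: replace with the digest of a verified copy
    checksum: "sha256:<SHA256_OF_TRUSTED_PACKAGE>"
  when: ansible_distribution_major_version | version_compare('10', '>=')

- name: Install phpmyadmin using sid package (Debian >=10)
  apt:
    deb: /var/cache/apt/archives/phpmyadmin_4.6.6-5_all.deb
  when: ansible_distribution_major_version | version_compare('10', '>=')
```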
|
||||
|
|
|
@ -9,4 +9,7 @@
|
|||
when: ansible_distribution_release == "jessie"
|
||||
|
||||
- include: main_stretch.yml
|
||||
when: ansible_distribution_release == "stretch"
|
||||
|
||||
- include: main_buster.yml
|
||||
when: ansible_distribution_major_version | version_compare('9', '>=')
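Review bot: `main_buster.yml` ends up guarded by `version_compare('9', '>=')`, which is also true on stretch, so a Debian 9 host would run both `main_stretch.yml` and the Buster task file, which sets every PHP path to `/etc/php/7.3`. The hunk counts (4 old lines, 7 new) indicate that the old `when:` line was kept as context and now applies to the new include. The condition should be `when: ansible_distribution_major_version | version_compare('10', '>=')`.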
|
||||
|
|
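--- a/php/tasks/main_buster.yml
+++ b/php/tasks/main_buster.yml
@@ -0,0 +1,95 @@
+---
+
+- name: "Set variables (Debian 10 or later)"
+set_fact:
+php_cli_defaults_ini_file: /etc/php/7.3/cli/conf.d/z-evolinux-defaults.ini
+php_cli_custom_ini_file: /etc/php/7.3/cli/conf.d/zzz-evolinux-custom.ini
+php_apache_defaults_ini_file: /etc/php/7.3/apache2/conf.d/z-evolinux-defaults.ini
+php_apache_custom_ini_file: /etc/php/7.3/apache2/conf.d/zzz-evolinux-custom.ini
+php_fpm_defaults_ini_file: /etc/php/7.3/fpm/conf.d/z-evolinux-defaults.ini
+php_fpm_custom_ini_file: /etc/php/7.3/fpm/conf.d/zzz-evolinux-custom.ini
+php_fpm_defaults_conf_file: /etc/php/7.3/fpm/pool.d/z-evolinux-defaults.conf
+php_fpm_custom_conf_file: /etc/php/7.3/fpm/pool.d/zzz-evolinux-custom.conf
+php_fpm_service_name: php7.3-fpm
+
+# Packages
+
+- name: "Set package list (Debian 9 or later)"
+set_fact:
+php_stretch_packages:
+- php-cli
+- php-gd
+- php-intl
+- php-imap
+- php-ldap
+- php-mysql
+# php-mcrypt is no longer packaged for PHP 7.2
+- php-pgsql
+- php-gettext
+- php-curl
+- php-ssh2
+- php-zip
+- composer
+- libphp-phpmailer
+
+- include: sury_pre.yml
+when: php_sury_enable
+
+- name: "Install PHP packages (Debian 9 or later)"
+apt:
+name: '{{ item }}'
+state: present
+with_items: "{{ php_stretch_packages }}"
+
+- name: "Install mod_php packages (Debian 9 or later)"
+apt:
+name: '{{ item }}'
+state: present
+with_items:
+- libapache2-mod-php
+- php
+when: php_apache_enable
+
+- name: "Install PHP FPM packages (Debian 9 or later)"
+apt:
+name: '{{ item }}'
+state: present
+with_items:
+- php-fpm
+- php
+when: php_fpm_enable
+
+# Configuration
+
+- name: Enforce permissions on PHP directory
+file:
+dest: "{{ item }}"
+mode: "0755"
+with_items:
+- /etc/php
+- /etc/php/7.3
+
+- include: config_cli.yml
+- name: Enforce permissions on PHP cli directory
+file:
+dest: /etc/php/7.3/cli
+mode: "0755"
+
+- include: config_fpm.yml
+when: php_fpm_enable
+- name: Enforce permissions on PHP fpm directory
+file:
+dest: /etc/php/7.3/fpm
+mode: "0755"
+when: php_fpm_enable
+
+- include: config_apache.yml
+when: php_apache_enable
+- name: Enforce permissions on PHP apache2 directory
+file:
+dest: /etc/php/7.3/apache2
+mode: "0755"
+when: php_apache_enable
+
+- include: sury_post.yml
+when: php_sury_enable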
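Review bot: Several task names and one comment in this new Buster file appear to have been carried over from the stretch file and no longer describe it: "Set package list (Debian 9 or later)", "Install PHP packages (Debian 9 or later)", the mod_php and FPM variants, and `# php-mcrypt is no longer packaged for PHP 7.2`, while every path set here is `/etc/php/7.3`. Rename them to "(Debian 10 or later)" and update the comment to 7.3, so that run logs show which task file actually executed. The fact is also still named `php_stretch_packages`; if `main_stretch.yml` sets a fact of the same name, a host that includes both files gets whichever ran last, so a name such as `php_buster_packages` would be safer.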
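--- a/squid/files/squid.service
+++ b/squid/files/squid.service
@@ -0,0 +1,22 @@
+## Copyright (C) 1996-2019 The Squid Software Foundation and contributors
+##
+## Squid software is distributed under GPLv2+ license and includes
+## contributions from numerous individuals and organizations.
+## Please see the COPYING and CONTRIBUTORS files for details.
+##
+
+[Unit]
+Description=Squid Web Proxy Server
+Documentation=man:squid(8)
+After=network.target network-online.target nss-lookup.target
+
+[Service]
+Type=forking
+PIDFile=/var/run/squid.pid
+ExecStartPre=/usr/sbin/squid --foreground -z
+ExecStart=/usr/sbin/squid -sYC -f /etc/squid/evolinux-defaults.conf
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=mixed
+
+[Install]
+WantedBy=multi-user.target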
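Review bot: `ExecStartPre=/usr/sbin/squid --foreground -z` runs without `-f`, so the cache directories are initialised from squid's default configuration file while `ExecStart` runs with `-f /etc/squid/evolinux-defaults.conf`; if the two files disagree on the cache layout, the pre-start step prepares the wrong directories. Pass the same file to both: `ExecStartPre=/usr/sbin/squid --foreground -z -f /etc/squid/evolinux-defaults.conf`. `PIDFile=/var/run/squid.pid` uses the legacy `/var/run` path, which recent systemd versions warn about; `PIDFile=/run/squid.pid` avoids that, provided squid's `pid_filename` agrees.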
|
@ -134,6 +134,9 @@
|
|||
notify: "reload squid"
|
||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||
|
||||
- include: systemd.yml
|
||||
when: ansible_distribution_major_version | version_compare('10', '>=')
|
||||
|
||||
- include: logrotate_jessie.yml
|
||||
when: ansible_distribution_release == "jessie"
|
||||
|
||||
|
|
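--- a/squid/tasks/systemd.yml
+++ b/squid/tasks/systemd.yml
@@ -0,0 +1,14 @@
+---
+
+- name: "Set custom systemd unit service (Debian 10 or later)"
+copy:
+src: squid.service
+dest: /etc/systemd/system/squid.service
+when: ansible_distribution_major_version | version_compare('10', '>=')
+
+- name: "Reload systemd and restart squid (Debian 10 or later)"
+systemd:
+name: squid
+state: restarted
+daemon_reload: yes
+when: ansible_distribution_major_version | version_compare('10', '>=')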
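Review bot: The second task sets `state: restarted` unconditionally, so squid is restarted and client connections are dropped on every play run, not only when the unit file changes. Add `register: squid_systemd_unit` to the copy task and make the restart conditional on `squid_systemd_unit.changed` in addition to the version test, or move the restart into a handler notified by the copy. The copy also leaves `owner`, `group` and `mode` unset for a file under `/etc/systemd/system`; stating `mode: "0644"` with root ownership makes the intended permissions explicit. `daemon_reload: yes` would read more predictably as `daemon_reload: true`.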
|
@ -4,15 +4,37 @@
|
|||
name: apt
|
||||
tasks_from: evolix_public.yml
|
||||
|
||||
- name: Install PHP packages
|
||||
- name: Install PHP packages (Debian 10 and later)
|
||||
apt:
|
||||
name: '{{ item }}'
|
||||
state: present
|
||||
with_items:
|
||||
- php-pear
|
||||
when: ansible_distribution_major_version | version_compare('10', '>=')
|
||||
|
||||
# /!\ Warning, this is a temporary hack
|
||||
- include_role:
|
||||
name: remount-usr
|
||||
|
||||
# /!\ Warning, this is a temporary hack
|
||||
- name: Install PHP packages from sid (Debian 10 and later)
|
||||
apt:
|
||||
deb: '{{ item }}'
|
||||
state: present
|
||||
with_items:
|
||||
- 'http://mirror.evolix.org/debian/pool/main/p/php-log/php-log_1.12.9-2_all.deb'
|
||||
when: ansible_distribution_major_version | version_compare('10', '>=')
|
||||
|
||||
- name: Install PHP packages (stretch)
|
||||
apt:
|
||||
name: '{{ item }}'
|
||||
state: present
|
||||
with_items:
|
||||
- php-pear
|
||||
- php-log
|
||||
when: ansible_distribution_release == "stretch"
|
||||
|
||||
- name: Install PHP5 packages
|
||||
- name: Install PHP5 packages (jessie)
|
||||
apt:
|
||||
name: '{{ item }}'
|
||||
state: present
|
||||
|
|