178 changed files with 7213 additions and 327 deletions
@ -1 +1,6 @@
|
||||
apache_ipaddr_whitelist: [] |
||||
--- |
||||
apache_private_ipaddr_whitelist_present: [] |
||||
apache_private_ipaddr_whitelist_absent: [] |
||||
|
||||
apache_private_htpasswd_present: [] |
||||
apache_private_htpasswd_absent: [] |
||||
|
@ -0,0 +1 @@
|
||||
# user:password for HTTP Basic authentication |
@ -1,23 +0,0 @@
|
||||
--- |
||||
- name: Jessie-backports list is available |
||||
apt_repository: |
||||
repo: "deb http://mirror.evolix.org/debian jessie-backports main contrib non-free" |
||||
update_cache: yes |
||||
state: present |
||||
tags: |
||||
- system |
||||
- packages |
||||
|
||||
- name: Backports have a low priority |
||||
blockinfile: |
||||
dest: /etc/apt/preferences.d/backports |
||||
marker: "// {mark} ANSIBLE MANAGED BLOCK" |
||||
insertafter: EOF |
||||
create: yes |
||||
block: | |
||||
Package: * |
||||
Pin: release a=jessie-backports |
||||
Pin-Priority: 50 |
||||
tags: |
||||
- system |
||||
- packages |
@ -0,0 +1 @@
|
||||
apt_repositories_components: "main" |
@ -0,0 +1,3 @@
|
||||
Package: * |
||||
Pin: release a=jessie-backports |
||||
Pin-Priority: 50 |
@ -0,0 +1,17 @@
|
||||
--- |
||||
|
||||
- name: Backports sources list is installed |
||||
template: |
||||
src: backports.list.j2 |
||||
dest: /etc/apt/sources.list.d/backports.list |
||||
force: yes |
||||
backup: yes |
||||
mode: 0640 |
||||
|
||||
- name: Backports configuration |
||||
copy: |
||||
src: jessie_backports_preferences |
||||
dest: /etc/apt/preferences.d/backports |
||||
force: yes |
||||
backup: yes |
||||
mode: 0640 |
@ -0,0 +1 @@
|
||||
deb http://mirror.evolix.org/debian jessie-backports {{ apt_repositories_components | mandatory }} |
@ -1,13 +0,0 @@
|
||||
# apt-upgrade |
||||
|
||||
Upgrades Debian packages |
||||
|
||||
## Tasks |
||||
|
||||
Everything is in the `tasks/main.yml` file. |
||||
|
||||
## Available variables |
||||
|
||||
* `apt_upgrade_mode` : kind of upgrade to do (cf. http://docs.ansible.com/ansible/apt_module.html#options) |
||||
|
||||
Choice of upgrade mode can be set in a variables file (ex. `vars/main.yml`) or when invoking the role (`- { role: apt-upgrade, apt_upgrade_mode: safe }`). |
@ -1,8 +0,0 @@
|
||||
--- |
||||
- name: Ensure Debian is up-to-date |
||||
apt: |
||||
update_cache: yes |
||||
upgrade: "{{ apt_upgrade_mode | default('safe') }}" |
||||
tags: |
||||
- system |
||||
- packages |
@ -0,0 +1,3 @@
|
||||
--- |
||||
dependencies: |
||||
- nodejs |
@ -0,0 +1,7 @@
|
||||
# etc-git |
||||
|
||||
Put /etc under Git version control. |
||||
|
||||
## Tasks |
||||
|
||||
Everything is in the `tasks/main.yml` file. |
@ -0,0 +1,36 @@
|
||||
--- |
||||
|
||||
- name: Git is installed |
||||
apt: |
||||
name: git |
||||
state: present |
||||
|
||||
- name: /etc is versioned with git |
||||
command: "git init ." |
||||
args: |
||||
chdir: /etc |
||||
creates: /etc/.git/ |
||||
register: git_init |
||||
|
||||
- name: /etc/.gitignore is present |
||||
copy: |
||||
src: gitignore |
||||
dest: /etc/.gitignore |
||||
owner: root |
||||
group: root |
||||
mode: 0600 |
||||
|
||||
- name: does /etc/ have any commit? |
||||
command: "git log" |
||||
args: |
||||
chdir: /etc |
||||
changed_when: False |
||||
failed_when: False |
||||
register: git_log |
||||
|
||||
- name: initial commit is present? |
||||
shell: "git add -A . && git commit -m \"Initial commit via Ansible\"" |
||||
args: |
||||
chdir: /etc |
||||
register: git_commit |
||||
when: git_init.changed or git_log.rc != 0 |
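Review bot: Nothing in this task list restricts `/etc/.git` after `git init .`, so the repository directory gets whatever the default umask gives it. The initial `git add -A .` then copies every file the unseen `gitignore` source does not exclude into that object store, which may include root-only files such as password hashes or private keys (the ignore list is not visible here, so this is inferred). Add a task that makes `/etc/.git` root-owned with mode `0700` before the initial commit runs, placed right after the init task.

```yaml
# … unchanged: "Git is installed" and "/etc is versioned with git" tasks …

- name: /etc/.git is readable by root only
  file:
    path: /etc/.git
    owner: root
    group: root
    mode: "0700"
    state: directory

# … unchanged: .gitignore copy, git log probe, initial commit …
```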
@ -0,0 +1,7 @@
|
||||
# evocheck |
||||
|
||||
Install a script to verify compliance of a Debian/OpenBSD server |
||||
|
||||
## Tasks |
||||
|
||||
Everything is in the `tasks/main.yml` file. |
@ -0,0 +1,3 @@
|
||||
--- |
||||
dependencies: |
||||
- { role: evolinux-sources-list } |
@ -0,0 +1,8 @@
|
||||
--- |
||||
|
||||
- name: evocheck is installed |
||||
command: "apt-get install -yq --allow-unauthenticated evomaintenance" |
||||
register: installed_evomaintenance |
||||
changed_when: not (installed_evomaintenance.stdout | search("0 upgraded") and installed_evomaintenance.stdout | search("0 newly installed")) |
||||
|
||||
# TODO make sure that the package is in the right version |
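Review bot: `--allow-unauthenticated` on the `apt-get install` line tells apt to install the package even when its origin cannot be verified against a trusted key, so a tampered mirror or an altered download over the plain-HTTP sources used in this commit would be accepted silently. The same flag appears in the "Install/Update default packages" task further down in this commit. Prefer provisioning the repository signing key first and installing through the `apt` module with `state: present`, which also removes the need to parse stdout for `changed_when`. Separately, the task is named "evocheck is installed" but installs `evomaintenance` and registers `installed_evomaintenance`, which looks like a copy-paste slip; confirm the intended package.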
@ -0,0 +1,29 @@
|
||||
# evolinux-admin-users |
||||
|
||||
Creates admin users accounts, based on a configuration data structure. |
||||
|
||||
## Tasks |
||||
|
||||
Everything is in the `tasks/main.yml` file. |
||||
|
||||
## Available variables |
||||
|
||||
The variable `evolinux_admin_users` must be a "hash" of one or more users : |
||||
|
||||
``` |
||||
evolinux_admin_users: |
||||
- name: foo |
||||
uid: 1001 |
||||
fullname: 'Mr Foo' |
||||
password_hash: 'sdfgsdfgsdfgsdfg' |
||||
ssh_key: 'ssh-rsa AZERTYXYZ' |
||||
- name: bar |
||||
uid: 1002 |
||||
fullname: 'Mr Bar' |
||||
password_hash: 'gsdfgsdfgsdfgsdf' |
||||
ssh_key: 'ssh-rsa QWERTYUIOP' |
||||
``` |
||||
|
||||
* `general_scripts_dir`: general directory for scripts installation (default: `/usr/local/bin`). |
||||
* `listupgrade_scripts_dir`: script directory for listupgrade (default: `general_scripts_dir`). |
||||
* `evomaintenance_scripts_dir`: script directory for evomaintenance (default: `general_scripts_dir`). |
@ -0,0 +1,6 @@
|
||||
--- |
||||
evolinux_admin_users: [] |
||||
|
||||
general_scripts_dir: "/usr/local/bin" |
||||
evomaintenance_scripts_dir: Null |
||||
listupgrade_scripts_dir: Null |
@ -0,0 +1,95 @@
|
||||
--- |
||||
|
||||
- name: Test if uid exists for '{{ user.name }}' |
||||
command: 'getent passwd {{ user.uid }}' |
||||
register: uidisbusy |
||||
failed_when: False |
||||
changed_when: False |
||||
|
||||
- name: Add Unix account with classical uid for '{{ user.name }}' |
||||
user: |
||||
state: present |
||||
uid: '{{ user.uid }}' |
||||
name: '{{ user.name }}' |
||||
comment: '{{ user.fullname }}' |
||||
shell: /bin/bash |
||||
password: '{{ user.password_hash }}' |
||||
update_password: on_create |
||||
when: uidisbusy|failed |
||||
|
||||
- name: Add Unix account with random uid for '{{ user.name }}' |
||||
user: |
||||
state: present |
||||
name: '{{ user.name }}' |
||||
comment: '{{ user.fullname }}' |
||||
shell: /bin/bash |
||||
password: '{{ user.password_hash }}' |
||||
update_password: on_create |
||||
when: uidisbusy|success |
||||
|
||||
- name: Fix perms on homedirectory for '{{ user.name }}' |
||||
file: |
||||
name: '/home/{{ user.name }}' |
||||
mode: 0700 |
||||
state: directory |
||||
|
||||
- name: is evomaintenance installed? |
||||
stat: |
||||
path: "{{ evomaintenance_scripts_dir or general_scripts_dir | mandatory }}/evomaintenance.sh" |
||||
register: evomaintenance_script |
||||
|
||||
- name: Add evomaintenance trap for '{{ user.name }}' |
||||
lineinfile: |
||||
state: present |
||||
dest: '/home/{{ user.name }}/.profile' |
||||
insertafter: EOF |
||||
line: 'trap "sudo {{ evomaintenance_scripts_dir or general_scripts_dir | mandatory }}/evomaintenance.sh" 0' |
||||
when: evomaintenance_script.stat.exists |
||||
|
||||
- name: Create .ssh directory for '{{ user.name }}' |
||||
file: |
||||
dest: '/home/{{ user.name }}/.ssh/' |
||||
state: directory |
||||
mode: 0700 |
||||
owner: '{{ user.name }}' |
||||
group: '{{ user.name }}' |
||||
|
||||
- name: Add user's SSH public key for '{{ user.name }}' |
||||
lineinfile: |
||||
dest: '/home/{{ user.name }}/.ssh/authorized_keys' |
||||
create: yes |
||||
line: '{{ user.ssh_key }}' |
||||
owner: '{{ user.name }}' |
||||
group: '{{ user.name }}' |
||||
|
||||
- name: Modify AllowUsers' sshd directive for '{{ user.name }}' |
||||
replace: |
||||
dest: /etc/ssh/sshd_config |
||||
regexp: '^(AllowUsers ((?!{{ user.name }}).)*)$' |
||||
replace: '\1 {{ user.name }}' |
||||
notify: |
||||
- reload sshd |
||||
|
||||
- name: Modify Match User's sshd directive for '{{ user.name }}' |
||||
replace: |
||||
dest: /etc/ssh/sshd_config |
||||
regexp: '^(Match User ((?!{{ user.name }}).)*)$' |
||||
replace: '\1,{{ user.name }}' |
||||
notify: |
||||
- reload sshd |
||||
|
||||
- name: Evolinux sudoers file is present |
||||
template: |
||||
src: sudoers_debian.j2 |
||||
dest: /etc/sudoers.d/evolinux |
||||
force: false |
||||
validate: '/usr/sbin/visudo -cf %s' |
||||
register: copy_sudoers_evolinux |
||||
|
||||
- name: Add user in sudoers file for '{{ user.name }}' |
||||
replace: |
||||
dest: /etc/sudoers.d/evolinux |
||||
regexp: '^(User_Alias\s+ADMINS\s+=((?!{{ user.name }}).)*)$' |
||||
replace: '\1,{{ user.name }}' |
||||
validate: '/usr/sbin/visudo -cf %s' |
||||
when: not copy_sudoers_evolinux.changed |
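Review bot: The three `replace` tasks avoid duplicates with `((?!{{ user.name }}).)*`, which skips any line that contains the name as a substring. A user `bar` is therefore never appended to `AllowUsers`, `Match User` or `User_Alias ADMINS` once `foobar` is listed, and the account ends up created but silently without SSH or sudo access. The name is also interpolated into the pattern unescaped, so a `.` or `+` in it changes the regex. Match a whole entry and escape the value, for example `regexp: '^(AllowUsers(?!.*\s{{ user.name | regex_escape }}(\s|$)).*)$'`, with the equivalent comma-delimited form for the other two patterns.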
@ -0,0 +1,8 @@
|
||||
--- |
||||
|
||||
- include: adduser_debian.yml user={{ item }} |
||||
with_items: "{{ evolinux_admin_users }}" |
||||
when: ansible_distribution == "Debian" |
||||
|
||||
# - include: openbsd.yml |
||||
# when: ansible_distribution == "OpenBSD" |
@ -0,0 +1,10 @@
|
||||
Defaults umask=0077 |
||||
|
||||
Cmnd_Alias MAINT = {{ evomaintenance_scripts_dir or general_scripts_dir | mandatory }}/evomaintenance.sh, {{ listupgrade_scripts_dir or general_scripts_dir | mandatory }}/listupgrade.sh, /usr/bin/apt, /bin/mount |
||||
User_Alias ADMINS = {{ user.name }} |
||||
|
||||
nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs |
||||
nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt |
||||
|
||||
ADMINS ALL = (ALL:ALL) ALL |
||||
ADMINS ALL = NOPASSWD: MAINT |
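Review bot: `ADMINS ALL = NOPASSWD: MAINT` gives every admin passwordless root execution of `/usr/bin/apt` and `/bin/mount` with arbitrary arguments, because `Cmnd_Alias MAINT` lists both without an argument restriction. Either program is enough to obtain general root access, so the password prompt required by `ADMINS ALL = (ALL:ALL) ALL` no longer protects an unattended session or a stolen SSH key. Limit `MAINT` to the two maintenance scripts, or pin the exact argument forms that are needed. A comment in the template should also say that `User_Alias ADMINS = {{ user.name }}` only renders the first user and that later users are appended by the `replace` task, since the template is installed with `force: false`.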
@ -0,0 +1,24 @@
|
||||
# evolinux-base |
||||
|
||||
Various tasks for Evolinux setup. |
||||
|
||||
## Tasks |
||||
|
||||
* `system.yml` : |
||||
* `apt.yml` : |
||||
* `install_tools.yml` : |
||||
* `root.yml` : |
||||
* `logs.yml` : |
||||
|
||||
## Available variables |
||||
|
||||
Main variables are : |
||||
|
||||
* `evolinux_delete_nfs`: delete NFS tools (default: `True`) |
||||
* `evolinux_ntp_server`: custom NTP server host or IP (default: `Null`) |
||||
* `evolinux_additional_packages`: optional additional packages to install (default: `[]`) |
||||
* `general_alert_email`: email address to send various alert messages (default: `root@localhost`). |
||||
* `apt_alert_email`: email address to send APT messages to (default: `general_alert_email`). |
||||
* `log2mail_alert_email`: email address to send Log2mail messages to (default: `general_alert_email`). |
||||
|
||||
The full list of variables (with default values) can be found in `defaults/main.yml`. |
@ -0,0 +1,41 @@
|
||||
--- |
||||
general_alert_email: "root@localhost" |
||||
reboot_alert_email: Null |
||||
apt_alert_email: Null |
||||
log2mail_alert_email: Null |
||||
raid_alert_email: Null |
||||
|
||||
# hostname |
||||
|
||||
evolinux_hostname: "{{ ansible_hostname }}" |
||||
evolinux_domain: "{{ ansible_domain }}" |
||||
evolinux_fqdn: "{{ ansible_fqdn }}" |
||||
evolinux_internal_hostname: "{{ evolinux_hostname }}" |
||||
|
||||
# apt |
||||
|
||||
evolinux_apt_repositories_components: "main" |
||||
evolinux_apt_hooks: False |
||||
# kernel |
||||
|
||||
evolinux_kernel_reboot_after_panic: True |
||||
evolinux_kernel_disable_tcp_timestamps: True |
||||
evolinux_kernel_reduce_swapiness: True |
||||
evolinux_kernel_cve20165696: True |
||||
|
||||
# providers |
||||
|
||||
evolinux_provider_online: False |
||||
evolinux_provider_orange_fce: False |
||||
|
||||
# default www |
||||
|
||||
evolinux_default_www_redirect_url: "http://evolix.fr" |
||||
evolinux_default_www_ssl_subject: "/CN={{ ansible_fqdn }}" |
||||
evolinux_default_www_nginx_enabled: False |
||||
evolinux_default_www_apache_enabled: False |
||||
|
||||
# misc. |
||||
|
||||
evolinux_ntp_server: Null |
||||
evolinux_delete_nfs: True |
@ -0,0 +1,9 @@
|
||||
/var/log/php.log { |
||||
weekly |
||||
missingok |
||||
rotate 52 |
||||
compress |
||||
delaycompress |
||||
notifempty |
||||
create 640 www-data adm |
||||
} |
@ -0,0 +1,16 @@
|
||||
/var/log/apt/term.log { |
||||
rotate 120 |
||||
monthly |
||||
compress |
||||
missingok |
||||
notifempty |
||||
} |
||||
|
||||
/var/log/apt/history.log { |
||||
rotate 120 |
||||
monthly |
||||
compress |
||||
missingok |
||||
notifempty |
||||
} |
||||
|
@ -0,0 +1,14 @@
|
||||
/var/chroot-bind/var/log/bind.log { |
||||
weekly |
||||
missingok |
||||
notifempty |
||||
rotate 4 |
||||
create 640 bind bind |
||||
compress |
||||
delaycompress |
||||
sharedscripts |
||||
postrotate |
||||
rndc reload > /dev/null |
||||
endscript |
||||
} |
||||
|
@ -0,0 +1,9 @@
|
||||
/var/log/dhcp.log { |
||||
weekly |
||||
missingok |
||||
rotate 52 |
||||
compress |
||||
delaycompress |
||||
create 640 root adm |
||||
notifempty |
||||
} |
@ -0,0 +1,19 @@
|
||||
/var/log/dpkg.log { |
||||
monthly |
||||
rotate 120 |
||||
compress |
||||
delaycompress |
||||
missingok |
||||
notifempty |
||||
create 644 root root |
||||
} |
||||
/var/log/alternatives.log { |
||||
monthly |
||||
rotate 120 |
||||
compress |
||||
delaycompress |
||||
missingok |
||||
notifempty |
||||
create 644 root root |
||||
} |
||||
|
@ -0,0 +1,8 @@
|
||||
/var/log/freeradius/*.log { |
||||
weekly |
||||
missingok |
||||
rotate 52 |
||||
compress |
||||
delaycompress |
||||
notifempty |
||||
} |
@ -0,0 +1,31 @@
|
||||
/var/log/proftpd.log { |
||||
weekly |
||||
missingok |
||||
rotate 13 |
||||
compress |
||||
delaycompress |
||||
notifempty |
||||
create 640 root adm |
||||
sharedscripts |
||||
postrotate |
||||
/etc/init.d/proftpd restart > /dev/null |
||||
endscript |
||||
} |
||||
|
||||
|
||||
/var/log/xferlog.log { |
||||
weekly |
||||
rotate 1 |
||||
missingok |
||||
create 640 root adm |
||||
sharedscripts |
||||
postrotate |
||||
DATE=$(date +"%d-%m-%Y") |
||||
cd /var/log |
||||
ftpstats -a -r -l 2 -d i-f xferlog.log.1 2>/dev/null >xferreport.$DATE |
||||
mv xferlog.log.1 xferlog.log.$DATE |
||||
gzip xferlog.log.$DATE |
||||
gzip xferreport.$DATE |
||||
endscript |
||||
} |
||||
|
@ -0,0 +1,9 @@
|
||||
/var/log/openldap.log { |
||||
weekly |
||||
missingok |
||||
rotate 3 |
||||
compress |
||||
notifempty |
||||
create 640 root adm |
||||
} |
||||
|
@ -0,0 +1,19 @@
|
||||
/var/log/lighttpd/*.log { |
||||
weekly |
||||
missingok |
||||
copytruncate |
||||
rotate 52 |
||||
compress |
||||
delaycompress |
||||
notifempty |
||||
sharedscripts |
||||
postrotate |
||||
if [ -f /var/run/lighttpd.pid ]; then \ |
||||
if [ -x /usr/sbin/invoke-rc.d ]; then \ |
||||
invoke-rc.d lighttpd force-reload > /dev/null; \ |
||||
else \ |
||||
/etc/init.d/lighttpd force-reload > /dev/null; \ |
||||
fi; \ |
||||
fi; |
||||
endscript |
||||
} |
@ -0,0 +1,6 @@
|
||||
/var/log/lvm { |
||||
daily |
||||
rotate 3 |
||||
missingok |
||||
create 0640 root adm |
||||
} |
@ -0,0 +1,8 @@
|
||||
/var/log/news.log { |
||||
monthly |
||||
missingok |
||||
notifempty |
||||
rotate 1 |
||||
create 640 root adm |
||||
} |
||||
|
@ -0,0 +1,18 @@
|
||||
/var/log/nginx/*.log { |
||||
weekly |
||||
missingok |
||||
rotate 52 |
||||
compress |
||||
delaycompress |
||||
notifempty |
||||
create 640 root adm |
||||
sharedscripts |
||||
prerotate |
||||
if [ -d /etc/logrotate.d/httpd-prerotate ]; then \ |
||||
run-parts /etc/logrotate.d/httpd-prerotate; \ |
||||
fi; \ |
||||
endscript |
||||
postrotate |
||||
[ ! -f /var/run/nginx.pid ] || kill -USR1 `cat /var/run/nginx.pid` |
||||
endscript |
||||
} |
@ -0,0 +1,14 @@
|
||||
/var/log/ntp.log { |
||||
weekly |
||||
rotate 1 |
||||
missingok |
||||
create 640 root adm |
||||
sharedscripts |
||||
postrotate |
||||
DATE=$(date +"%d-%m-%Y") |
||||
cd /var/log |
||||
mv ntp.log.1 ntp.log.$DATE |
||||
gzip ntp.log.$DATE |
||||
endscript |
||||
} |
||||
|
@ -0,0 +1,7 @@
|
||||
/var/log/postgresql.log { |
||||
weekly |
||||
missingok |
||||
rotate 8 |
||||
create 640 root adm |
||||
} |
||||
|
@ -0,0 +1,11 @@
|
||||
/var/log/procmail.log { |
||||
daily |
||||
rotate 365 |
||||
dateext |
||||
dateyesterday |
||||
dateformat .%Y%m%d |
||||
missingok |
||||
rotate 365 |
||||
create 640 root adm |
||||
} |
||||
|
@ -0,0 +1,14 @@
|
||||
# Attention, bien mettre "log file = /var/log/samba/%m.log" dans la conf Samba |
||||
/var/log/samba/*.log { |
||||
weekly |
||||
missingok |
||||
rotate 52 |
||||
postrotate |
||||
invoke-rc.d --quiet samba reload > /dev/null |
||||
[ ! -f /var/run/samba/nmbd.pid ] || kill -HUP `cat /var/run/samba/nmbd.pid` |
||||
[ -f /var/run/samba/winbindd.pid ] && kill -HUP `cat /var/run/samba/winbindd.pid` || true |
||||
endscript |
||||
compress |
||||
notifempty |
||||
} |
||||
|
@ -0,0 +1,11 @@
|
||||
/var/log/squid3/*.log { |
||||
monthly |
||||
compress |
||||
rotate 12 |
||||
missingok |
||||
create 640 proxy adm |
||||
sharedscripts |
||||
postrotate |
||||
test ! -e /var/run/squid3.pid || /usr/sbin/squid3 -k rotate |
||||
endscript |
||||
} |
@ -0,0 +1,35 @@
|
||||
# Custom EvoLinux |
||||
create 640 root adm |
||||
dateext |
||||
dateyesterday |
||||
dateformat .%Y%m%d |
||||
missingok |
||||
notifempty |
||||
delaycompress |
||||
compress |
||||
postrotate |
||||
invoke-rc.d rsyslog rotate > /dev/null |
||||
endscript |
||||
|
||||
/var/log/daemon.log |
||||
/var/log/kern.log |
||||
/var/log/lpr.log |
||||
{ |
||||
weekly |
||||
rotate 5 |
||||
} |
||||
|
||||
/var/log/auth.log |
||||
/var/log/user.log |
||||
/var/log/cron.log |
||||
/var/log/debug |
||||
/var/log/messages |
||||
/var/log/syslog |
||||
/var/log/mail.info |
||||
/var/log/mail.warn |
||||
/var/log/mail.err |
||||
/var/log/mail.log |
||||
{ |
||||
daily |
||||
rotate 365 |
||||
} |
@ -0,0 +1,122 @@
|
||||
# Syslog for Pack Evolix serveur - Debian Squeeze |
||||
|
||||
|
||||
################# |
||||
#### MODULES #### |
||||
################# |
||||
|
||||
$ModLoad imuxsock # provides support for local system logging |
||||
$ModLoad imklog # provides kernel logging support (previously done by rklogd) |
||||
#$ModLoad immark # provides --MARK-- message capability |
||||
|
||||
# provides UDP syslog reception |
||||
#$ModLoad imudp |
||||
#$UDPServerRun 514 |
||||
|
||||
# provides TCP syslog reception |
||||
#$ModLoad imtcp |
||||
#$InputTCPServerRun 514 |
||||
|
||||
|
||||
########################### |
||||
#### GLOBAL DIRECTIVES #### |
||||
########################### |
||||
|
||||
# |
||||
# Use traditional timestamp format. |
||||
# To enable high precision timestamps, comment out the following line. |
||||
# |
||||
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat |
||||
|
||||
# |
||||
# Set the default permissions for all log files. |
||||
# |
||||
$FileOwner root |
||||
$FileGroup adm |
||||
$FileCreateMode 0640 |
||||
$DirCreateMode 0755 |
||||
$Umask 0022 |
||||
|
||||
# |
||||
# Include all config files in /etc/rsyslog.d/ |
||||
# |
||||
$IncludeConfig /etc/rsyslog.d/*.conf |
||||
|
||||
|
||||
############### |
||||
#### RULES #### |
||||
############### |
||||
|
||||
# |
||||
# First some standard log files. Log by facility. |
||||
# |
||||
auth,authpriv.* /var/log/auth.log |
||||
*.*;auth,authpriv.none;cron,mail,local4,local5.none -/var/log/syslog |
||||
cron.* /var/log/cron.log |
||||
daemon.* -/var/log/daemon.log |
||||
kern.* -/var/log/kern.log |
||||
lpr.* -/var/log/lpr.log |
||||
mail.* -/var/log/mail.log |
||||
user.* -/var/log/user.log |
||||
uucp.* /var/log/uucp.log |
||||
news.* /var/log/news.log |
||||
|
||||
local4.* -/var/log/openldap.log |
||||
local1.* /var/log/sympa.log |
||||
local0.* /var/log/postgresql.log |
||||
local7.* -/var/log/dhcp.log |
||||
local5.* -/var/log/haproxy.log |
||||
|
||||
|
||||
# |
||||
# Logging for the mail system. Split it up so that |
||||
# it is easy to write scripts to parse these files. |
||||
# |
||||
#mail.info -/var/log/mail.info |
||||
#mail.warn -/var/log/mail.warn |
||||
#mail.err /var/log/mail.err |
||||
|
||||
# |
||||
# Logging for INN news system. |
||||
# |
||||
#news.crit /var/log/news/news.crit |
||||
#news.err /var/log/news/news.err |
||||
#news.notice -/var/log/news/news.notice |
||||
|
||||
# |
||||
# Some "catch-all" log files. |
||||
# |
||||
#*.=debug;\ |
||||
# auth,authpriv.none;\ |
||||
# news.none;mail.none -/var/log/debug |
||||
#*.=info;*.=notice;*.=warn;\ |
||||
# auth,authpriv.none;\ |
||||
# cron,daemon.none;\ |
||||
# mail,news.none -/var/log/messages |
||||
|
||||
# |
||||
# Emergencies are sent to everybody logged in. |
||||
# |
||||
*.emerg * |
||||
|
||||
# |
||||
# I like to have messages displayed on the console, but only on a virtual |
||||
# console I usually leave idle. |
||||
# |
||||
#daemon,mail.*;\ |
||||
# news.=crit;news.=err;news.=notice;\ |
||||
# *.=debug;*.=info;\ |
||||
# *.=notice;*.=warn /dev/tty8 |
||||
|
||||
# The named pipe /dev/xconsole is for the `xconsole' utility. To use it, |
||||
# you must invoke `xconsole' with the `-file' option: |
||||
# |
||||
# $ xconsole -file /dev/xconsole [...] |
||||
# |
||||
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably |
||||
# busy site.. |
||||
# |
||||
#daemon.*;mail.*;\ |
||||
# news.err;\ |
||||
# *.=debug;*.=info;\ |
||||
# *.=notice;*.=warn |/dev/xconsole |
@ -0,0 +1,22 @@
|
||||
[core] |
||||
filemode = true |
||||
bare = false |
||||
[color] |
||||
branch = auto |
||||
status = auto |
||||
diff = auto |
||||
interactive = auto |
||||
decorate = auto |
||||
grep = auto |
||||
ui = true |
||||
[apply] |
||||
whitespace = nowarn |
||||
[alias] |
||||
a = add |
||||
aa = add -A . |
||||
c = commit -v |
||||
ca = commit -v -a |
||||
d = diff --ignore-space-change --patience --no-prefix |
||||
dw = diff --word-diff |
||||
lg = log --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit --date=relative |
||||
s = status -s -b |
@ -0,0 +1,49 @@
|
||||
--- |
||||
- name: dpkg-reconfigure-debconf |
||||
command: dpkg-reconfigure --frontend noninteractive debconf |
||||
|
||||
- name: dpkg-reconfigure-locales |
||||
command: dpkg-reconfigure --frontend noninteractive locales |
||||
|
||||
- name: dpkg-reconfigure-apt |
||||
command: dpkg-reconfigure --frontend noninteractive apt-listchanges |
||||
|
||||
# - name: debconf-set-selections |
||||
# command: debconf-set-selections /root/debconf-preseed |
||||
|
||||
- name: apt update |
||||
apt: |
||||
update_cache: yes |
||||
|
||||
- name: restart rsyslog |
||||
service: |
||||
name: rsyslog |
||||
state: restarted |
||||
|
||||
|
||||
- name: remount /home |
||||
command: mount -o remount /home |
||||
|
||||
- name: remount /var |
||||
command: mount -o remount /var |
||||
|
||||
|
||||
- name: restart nginx |
||||
service: |
||||
name: nginx |
||||
state: restarted |
||||
|
||||
- name: reload nginx |
||||
service: |
||||
name: nginx |
||||
state: reloaded |
||||
|
||||
- name: restart apache |
||||
service: |
||||
name: apache2 |
||||
state: restarted |
||||
|
||||
- name: reload apache |
||||
service: |
||||
name: apache2 |
||||
state: reloaded |
@ -0,0 +1,55 @@
|
||||
--- |
||||
|
||||
- name: Setting apt config |
||||
lineinfile: |
||||
dest: /etc/apt/apt.conf.d/z-evolinux.conf |
||||
line: "{{ item }}" |
||||
create: yes |
||||
state: present |
||||
mode: 0640 |
||||
with_items: |
||||
- "APT::Install-Recommends \"0\";" |
||||
- "APT::Install-Suggests \"0\";" |
||||
|
||||
- name: DPKg invoke hooks |
||||
lineinfile: |
||||
dest: /etc/apt/apt.conf.d/z-evolinux.conf |
||||
line: "{{ item }}" |
||||
create: yes |
||||
state: present |
||||
mode: 0640 |
||||
with_items: |
||||
- "DPkg::Pre-Invoke { \"mount -oremount,exec /tmp && mount -oremount,rw /usr || true\"; };" |
||||
- "DPkg::Post-Invoke { \"mount -oremount /tmp && mount -oremount /usr || exit 0\"; };" |
||||
when: evolinux_apt_hooks |
||||
|
||||
- name: Original repositories are disabled |
||||
replace: |
||||
dest: /etc/apt/sources.list |
||||
regexp: '^(deb(-src)? {{ item }}.+)' |
||||
replace: '# \1' |
||||
with_items: |
||||
# - '.+\.debian\.org' |
||||
- 'cdrom:' |
||||
|
||||
- name: Basic sources list is installed |
||||
lineinfile: |
||||
dest: /etc/apt/sources.list |
||||
line: "{{ item }}" |
||||
with_items: |
||||
- "deb http://security.debian.org/ jessie/updates {{ evolinux_apt_components | mandatory }}" |
||||
- "deb http://mirror.evolix.org/debian/ jessie {{ evolinux_apt_components | mandatory }}" |
||||
- "deb http://mirror.evolix.org/debian/ jessie-updates {{ evolinux_apt_components | mandatory }}" |
||||
|
||||
- name: Evolix public list is installed |
||||
template: |
||||
src: apt/evolix_public.list.j2 |
||||
dest: /etc/apt/sources.list.d/evolix_public.list |
||||
force: yes |
||||
backup: yes |
||||
mode: 0640 |
||||
|
||||
- name: Upgrading system |
||||
apt: |
||||
upgrade: dist |
||||
update_cache: yes |
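Review bot: The three `with_items` entries under "Basic sources list is installed" read `evolinux_apt_components | mandatory`, but the defaults file added in this commit defines `evolinux_apt_repositories_components`. Unless the shorter name is set somewhere outside this page, `mandatory` aborts the play at this task. Use the defined name in all three lines, e.g. `- "deb http://security.debian.org/ jessie/updates {{ evolinux_apt_repositories_components | mandatory }}"`. The `mode: 0640` values in this hunk would also be safer quoted as `mode: "0640"`, so the result does not depend on how the YAML integer is parsed.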
@ -0,0 +1,14 @@
|
||||
--- |
||||
- name: Install/Update default packages (might take some time) |
||||
command: "apt-get install -yq --allow-unauthenticated {{ evolinux_default_packages | join(' ') }}" |
||||
register: install_default_packages |
||||
changed_when: not (install_default_packages.stdout | search("0 upgraded") and install_default_packages.stdout | search("0 newly installed")) |
||||
|
||||
- name: Deleting rpcbin and nfs-common |
||||
apt: |
||||
name: "{{ item }}" |
||||
state: absent |
||||
with_items: |
||||
- rpcbind |
||||
- nfs-common |
||||
when: evolinux_delete_nfs |
@ -0,0 +1,108 @@
|
||||
--- |
||||
- name: /var/www is present |
||||
file: |
||||
path: /var/www |
||||
state: directory |
||||
mode: 0755 |
||||
|
||||
- name: images are copied |
||||
copy: |
||||
src: default_www/img |
||||
dest: /var/www/ |
||||
mode: 0755 |
||||
directory_mode: 0755 |
||||
follow: yes |
||||
|
||||
- name: index is copied |
||||
template: |
||||
src: default_www/index.html.j2 |
||||
dest: /var/www/index.html |
||||
mode: 0755 |
||||
|
||||
# SSL cert |
||||
|
||||
- name: ssl-cert package is installed |
||||
apt: |
||||
name: ssl-cert |
||||
state: installed |
||||
|
||||
- name: Create private key and csr for default site ({{ ansible_fqdn }}) |
||||
shell: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "{{ evolinux_default_www_ssl_subject }}" |
||||
args: |
||||
creates: "/etc/ssl/private/{{ ansible_fqdn }}.key" |
||||
|
||||
- name: Adjust rights on private key |
||||
file: |
||||
path: /etc/ssl/private/{{ ansible_fqdn }}.key |
||||
owner: root |
||||
group: ssl-cert |
||||
mode: 0640 |
||||
|
||||
- name: Create certificate for default site |
||||
shell: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ ansible_fqdn }}.csr -signkey /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/certs/{{ ansible_fqdn }}.crt |
||||
args: |
||||
creates: "/etc/ssl/certs/{{ ansible_fqdn }}.crt" |
||||
|
||||
|
||||
# Nginx vhost |
||||
|
||||
- name: is Nginx installed? |
||||
stat: |
||||
path: /etc/nginx/sites-available |
||||
register: nginx_sites_available |
||||
|
||||
- block: |
||||
- name: nginx vhost is installed |
||||
template: |
||||
src: default_www/nginx_default_site.j2 |
||||