parent
a3a56cdc3e
commit
c0ab8f99ce
@ -0,0 +1,158 @@
|
||||
# Conventions
|
||||
|
||||
## Roles
|
||||
|
||||
We can use the `ansible-galaxy init` command to bootstrap a new role :
|
||||
|
||||
$ ansible-galaxy init foo
|
||||
- foo was created successfully
|
||||
$ tree foo
|
||||
foo
|
||||
├── defaults
|
||||
│ └── main.yml
|
||||
├── files
|
||||
├── handlers
|
||||
│ └── main.yml
|
||||
├── meta
|
||||
│ └── main.yml
|
||||
├── README.md
|
||||
├── tasks
|
||||
│ └── main.yml
|
||||
├── templates
|
||||
├── tests
|
||||
│ ├── inventory
|
||||
│ └── test.yml
|
||||
└── vars
|
||||
└── main.yml
|
||||
|
||||
All `main.yml` file will be picked up by Ansible automatically, with respect to their own responsibility.
|
||||
|
||||
The main directory is `tasks`. It will contains tasks, either all in the `main.yml` file, or grouped in files that can be included in the main file.
|
||||
|
||||
`defaults/main.yml` is the place to put the list of all variables for the role with a default value.
|
||||
|
||||
`vars` will hold files with variables definitions. Those differ from the defaults because of a much higher precedence (see below).
|
||||
|
||||
`files` is the directory where we'll put files to copy on hosts. They will be copied "as-is". When a role has multiple logical groups of tasks, it's best to create a sub-directroy for each group that needs files. The name of files in these directories doesn't have to be the same as the destination name. Example :
|
||||
|
||||
copy:
|
||||
src: apt/jessie_backports_preferences
|
||||
dest: /etc/apt/apt.conf.d/backports
|
||||
|
||||
`templates` is the twin brother of `files`, but differs in that it contains files that can be pre-processed by the Jinja2 templating language. It can contain variables that will be extrapolated before copying the file to its destination.
|
||||
|
||||
`handlers` is the place to put special tasks that can be triggered by the `notify` argument of modules. For example an `nginx -s reload` command.
|
||||
|
||||
`meta/main.yml` contains … well … "meta" information. There we can define role dependencies, but also some "galaxy" information like the desired Ansible version, supported OS and distributions, a destription, author/ownership, license…
|
||||
|
||||
`tests` and `.travis.yml` are here to help testing with a test matrix, a test inventory and a test playbook.
|
||||
|
||||
We can delete parts we don't need.
|
||||
|
||||
### How much goes into a role
|
||||
|
||||
We create roles (instead of a plain tasks files) when it makes sense as a whole, and it is more that a series of tasks. It often has variables, files/templates, handlers…
|
||||
|
||||
## Syntax
|
||||
|
||||
### Pure YAML
|
||||
|
||||
It's possible to use a compact (Ansible specific) syntax,
|
||||
|
||||
- name: Add evomaintenance trap for '{{ user.name }}'
|
||||
lineinfile: state=present dest='/home/{{ user.name }}/.profile' insertafter=EOF line='trap "sudo /usr/share/scripts/evomaintenance.sh" 0'
|
||||
when: evomaintenance_script.stat.exists
|
||||
|
||||
but we prefer the pure-YAML syntax
|
||||
|
||||
- name: Add evomaintenance trap for '{{ user.name }}'
|
||||
lineinfile:
|
||||
state: present
|
||||
dest: '/home/{{ user.name }}/.profile'
|
||||
insertafter: EOF
|
||||
line: 'trap "sudo /usr/share/scripts/evomaintenance.sh" 0'
|
||||
when: evomaintenance_script.stat.exists
|
||||
|
||||
Here are some reasons :
|
||||
|
||||
* when lines get long, it's easier to read ;
|
||||
* it's a pure YAML syntax, so there is no Ansible-specific preprocessing
|
||||
* … with means that IDE can show the proper syntax highligthing ;
|
||||
* each argument stands on its own.
|
||||
|
||||
## Variables
|
||||
|
||||
### defaults
|
||||
|
||||
When a role is using variables, they must be defined (for example in the `defaults/main.yml`) with a default value (possibly Ǹull). That way, there will never be an "foo is undefined" situation.
|
||||
|
||||
### progressive specificity
|
||||
|
||||
In many roles, we use a *progressive specificity* pattern for some variables.
|
||||
The most common is for "alert_email" ; we want to have a default email address where all alerts or message will be sent, but it can be customized globally, and also customized per task/role.
|
||||
|
||||
For the *evolinux-base* role we have those defaults :
|
||||
|
||||
general_alert_email: "root@localhost"
|
||||
reboot_alert_email: Null
|
||||
log2mail_alert_email: Null
|
||||
raid_alert_email: Null
|
||||
|
||||
In the *log2mail* template, we set the email address like this :
|
||||
|
||||
mailto = {{ log2mail_alert_email or general_alert_email | mandatory }}
|
||||
|
||||
if nothing is customize, the mail will be sent to root@localhost, if geeral_alert_email is changed, it will be use, but if log2mail_alert_email is set to a non-null value, it will have precedence.
|
||||
|
||||
## precedence
|
||||
|
||||
There are multiple places where we can define variables ans there is a specific precedence order for the resolution. Here is [the (ascending) order](http://docs.ansible.com/ansible/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable) :
|
||||
|
||||
* role defaults
|
||||
* inventory vars
|
||||
* inventory group_vars
|
||||
* inventory host_vars
|
||||
* playbook group_vars
|
||||
* playbook host_vars
|
||||
* host facts
|
||||
* play vars
|
||||
* play vars_prompt
|
||||
* play vars_files
|
||||
* registered vars
|
||||
* set_facts
|
||||
* role and include vars
|
||||
* block vars (only for tasks in block)
|
||||
* task vars (only for the task)
|
||||
* extra vars (always win precedence)
|
||||
|
||||
## Configuration patterns
|
||||
|
||||
### lineinfile vs. blockinfile vs. copy/template
|
||||
|
||||
When possible, we prefer using the [lineinfile](http://docs.ansible.com/ansible/lineinfile_module.html) module to make very specific changes.
|
||||
If a `regexp` argument is specified, every line that matches the pattern will be updated. It's a good way to comment/uncomment variable, of add a piece inside a line.
|
||||
|
||||
When it's not possible (multi-line changes, for example), we can use the [blockinfile](http://docs.ansible.com/ansible/blockinfile_module.html) module. It managed blocs of text with begin/end markers. The marker can be customized, mostly to use the proper comment syntax, but also to prevent collisions within a file.
|
||||
|
||||
If none of the previous ca be used, we can use [copy](http://docs.ansible.com/ansible/copy_module.html) or [template](http://docs.ansible.com/ansible/template_module.html) modules to copy an entire file.
|
||||
|
||||
### defaults and custom files
|
||||
|
||||
We try not to alter configuration files managed by packages. It makes upgrading easier, so when a piece of software has a "foo.d" configuration directory, we add custom files there.
|
||||
|
||||
We usually put a `z-evolinux-defaults` with our core configuration. This file can be changed later via Ansible and must not be edited by hand. Example :
|
||||
|
||||
copy:
|
||||
src: evolinux-defaults.cnf
|
||||
dest: /etc/mysql/conf.d/z-evolinux-defaults.cnf
|
||||
force: yes
|
||||
|
||||
|
||||
We also create a blank `zzz-evolinux-custom` file, with commented examples, to allow custom configuration that will never be reverted by Ansible. Example :
|
||||
|
||||
copy:
|
||||
src: evolinux-custom.cnf
|
||||
dest: /etc/mysql/conf.d/zzz-evolinux-custom.cnf
|
||||
force: no
|
||||
|
||||
The source file or template shouldn't to be prefixed for ordering (eg. `z-` or `zzz-`). It's the task's responsibility to choose how destination files must be ordered.
|
||||
@ -1 +1,6 @@
|
||||
apache_ipaddr_whitelist: []
|
||||
---
|
||||
apache_private_ipaddr_whitelist_present: []
|
||||
apache_private_ipaddr_whitelist_absent: []
|
||||
|
||||
apache_private_htpasswd_present: []
|
||||
apache_private_htpasswd_absent: []
|
||||
|
||||
@ -0,0 +1 @@
|
||||
# user:password for HTTP Basic authentication
|
||||
@ -1,23 +0,0 @@
|
||||
---
|
||||
- name: Jessie-backports list is available
|
||||
apt_repository:
|
||||
repo: "deb http://mirror.evolix.org/debian jessie-backports main contrib non-free"
|
||||
update_cache: yes
|
||||
state: present
|
||||
tags:
|
||||
- system
|
||||
- packages
|
||||
|
||||
- name: Backports have a low priority
|
||||
blockinfile:
|
||||
dest: /etc/apt/preferences.d/backports
|
||||
marker: "// {mark} ANSIBLE MANAGED BLOCK"
|
||||
insertafter: EOF
|
||||
create: yes
|
||||
block: |
|
||||
Package: *
|
||||
Pin: release a=jessie-backports
|
||||
Pin-Priority: 50
|
||||
tags:
|
||||
- system
|
||||
- packages
|
||||
@ -0,0 +1 @@
|
||||
apt_repositories_components: "main"
|
||||
@ -0,0 +1,3 @@
|
||||
Package: *
|
||||
Pin: release a=jessie-backports
|
||||
Pin-Priority: 50
|
||||
@ -0,0 +1,17 @@
|
||||
---
|
||||
|
||||
- name: Backports sources list is installed
|
||||
template:
|
||||
src: backports.list.j2
|
||||
dest: /etc/apt/sources.list.d/backports.list
|
||||
force: yes
|
||||
backup: yes
|
||||
mode: 0640
|
||||
|
||||
- name: Backports configuration
|
||||
copy:
|
||||
src: jessie_backports_preferences
|
||||
dest: /etc/apt/preferences.d/backports
|
||||
force: yes
|
||||
backup: yes
|
||||
mode: 0640
|
||||
@ -0,0 +1 @@
|
||||
deb http://mirror.evolix.org/debian jessie-backports {{ apt_repositories_components | mandatory }}
|
||||
@ -1,13 +0,0 @@
|
||||
# apt-upgrade
|
||||
|
||||
Upgrades Debian packages
|
||||
|
||||
## Tasks
|
||||
|
||||
Everything is in the `tasks/main.yml` file.
|
||||
|
||||
## Available variables
|
||||
|
||||
* `apt_upgrade_mode` : kind of upgrade to do (cf. http://docs.ansible.com/ansible/apt_module.html#options)
|
||||
|
||||
Choice of upgrade mode can be set in a variables file (ex. `vars/main.yml`) or when invoking the role (`- { role: apt-upgrade, apt_upgrade_mode: safe }`).
|
||||
@ -1,8 +0,0 @@
|
||||
---
|
||||
- name: Ensure Debian is up-to-date
|
||||
apt:
|
||||
update_cache: yes
|
||||
upgrade: "{{ apt_upgrade_mode | default('safe') }}"
|
||||
tags:
|
||||
- system
|
||||
- packages
|
||||
@ -0,0 +1,3 @@
|
||||
---
|
||||
dependencies:
|
||||
- nodejs
|
||||
@ -0,0 +1,7 @@
|
||||
# etc-git
|
||||
|
||||
Put /etc under Git version control.
|
||||
|
||||
## Tasks
|
||||
|
||||
Everything is in the `tasks/main.yml` file.
|
||||
@ -0,0 +1 @@
|
||||
aliases.db
|
||||
@ -0,0 +1,36 @@
|
||||
---
|
||||
|
||||
- name: Git is installed
|
||||
apt:
|
||||
name: git
|
||||
state: present
|
||||
|
||||
- name: /etc is versioned with git
|
||||
command: "git init ."
|
||||
args:
|
||||
chdir: /etc
|
||||
creates: /etc/.git/
|
||||
register: git_init
|
||||
|
||||
- name: /etc/.gitignore is present
|
||||
copy:
|
||||
src: gitignore
|
||||
dest: /etc/.gitignore
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0600
|
||||
|
||||
- name: does /etc/ have any commit?
|
||||
command: "git log"
|
||||
args:
|
||||
chdir: /etc
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
register: git_log
|
||||
|
||||
- name: initial commit is present?
|
||||
shell: "git add -A . && git commit -m \"Initial commit via Ansible\""
|
||||
args:
|
||||
chdir: /etc
|
||||
register: git_commit
|
||||
when: git_init.changed or git_log.rc != 0
|
||||
@ -0,0 +1,7 @@
|
||||
# evocheck
|
||||
|
||||
Install a script to verify compliance of a Debian/OpenBSD server
|
||||
|
||||
## Tasks
|
||||
|
||||
Everything is in the `tasks/main.yml` file.
|
||||
@ -0,0 +1,3 @@
|
||||
---
|
||||
dependencies:
|
||||
- { role: evolinux-sources-list }
|
||||
@ -0,0 +1,8 @@
|
||||
---
|
||||
|
||||
- name: evocheck is installed
|
||||
command: "apt-get install -yq --allow-unauthenticated evomaintenance"
|
||||
register: installed_evomaintenance
|
||||
changed_when: not (installed_evomaintenance.stdout | search("0 upgraded") and installed_evomaintenance.stdout | search("0 newly installed"))
|
||||
|
||||
# TODO make sure that the package is in the right version
|
||||
@ -0,0 +1,29 @@
|
||||
# evolinux-admin-users
|
||||
|
||||
Creates admin users accounts, based on a configuration data structure.
|
||||
|
||||
## Tasks
|
||||
|
||||
Everything is in the `tasks/main.yml` file.
|
||||
|
||||
## Available variables
|
||||
|
||||
The variable `evolinux_admin_users` must be a "hash" of one or more users :
|
||||
|
||||
```
|
||||
evolinux_admin_users:
|
||||
- name: foo
|
||||
uid: 1001
|
||||
fullname: 'Mr Foo'
|
||||
password_hash: 'sdfgsdfgsdfgsdfg'
|
||||
ssh_key: 'ssh-rsa AZERTYXYZ'
|
||||
- name: bar
|
||||
uid: 1002
|
||||
fullname: 'Mr Bar'
|
||||
password_hash: 'gsdfgsdfgsdfgsdf'
|
||||
ssh_key: 'ssh-rsa QWERTYUIOP'
|
||||
```
|
||||
|
||||
* `general_scripts_dir`: general directory for scripts installation (default: `/usr/local/bin`).
|
||||
* `listupgrade_scripts_dir`: script directory for listupgrade (default: `general_scripts_dir`).
|
||||
* `evomaintenance_scripts_dir`: script directory for evomaintenance (default: `general_scripts_dir`).
|
||||
@ -0,0 +1,6 @@
|
||||
---
|
||||
evolinux_admin_users: []
|
||||
|
||||
general_scripts_dir: "/usr/local/bin"
|
||||
evomaintenance_scripts_dir: Null
|
||||
listupgrade_scripts_dir: Null
|
||||
@ -0,0 +1,95 @@
|
||||
---
|
||||
|
||||
- name: Test if uid exists for '{{ user.name }}'
|
||||
command: 'getent passwd {{ user.uid }}'
|
||||
register: uidisbusy
|
||||
failed_when: False
|
||||
changed_when: False
|
||||
|
||||
- name: Add Unix account with classical uid for '{{ user.name }}'
|
||||
user:
|
||||
state: present
|
||||
uid: '{{ user.uid }}'
|
||||
name: '{{ user.name }}'
|
||||
comment: '{{ user.fullname }}'
|
||||
shell: /bin/bash
|
||||
password: '{{ user.password_hash }}'
|
||||
update_password: on_create
|
||||
when: uidisbusy|failed
|
||||
|
||||
- name: Add Unix account with random uid for '{{ user.name }}'
|
||||
user:
|
||||
state: present
|
||||
name: '{{ user.name }}'
|
||||
comment: '{{ user.fullname }}'
|
||||
shell: /bin/bash
|
||||
password: '{{ user.password_hash }}'
|
||||
update_password: on_create
|
||||
when: uidisbusy|success
|
||||
|
||||
- name: Fix perms on homedirectory for '{{ user.name }}'
|
||||
file:
|
||||
name: '/home/{{ user.name }}'
|
||||
mode: 0700
|
||||
state: directory
|
||||
|
||||
- name: is evomaintenance installed?
|
||||
stat:
|
||||
path: "{{ evomaintenance_scripts_dir or general_scripts_dir | mandatory }}/evomaintenance.sh"
|
||||
register: evomaintenance_script
|
||||
|
||||
- name: Add evomaintenance trap for '{{ user.name }}'
|
||||
lineinfile:
|
||||
state: present
|
||||
dest: '/home/{{ user.name }}/.profile'
|
||||
insertafter: EOF
|
||||
line: 'trap "sudo {{ evomaintenance_scripts_dir or general_scripts_dir | mandatory }}/evomaintenance.sh" 0'
|
||||
when: evomaintenance_script.stat.exists
|
||||
|
||||
- name: Create .ssh directory for '{{ user.name }}'
|
||||
file:
|
||||
dest: '/home/{{ user.name }}/.ssh/'
|
||||
state: directory
|
||||
mode: 0700
|
||||
owner: '{{ user.name }}'
|
||||
group: '{{ user.name }}'
|
||||
|
||||
- name: Add user's SSH public key for '{{ user.name }}'
|
||||
lineinfile:
|
||||
dest: '/home/{{ user.name }}/.ssh/authorized_keys'
|
||||
create: yes
|
||||
line: '{{ user.ssh_key }}'
|
||||
owner: '{{ user.name }}'
|
||||
group: '{{ user.name }}'
|
||||
|
||||
- name: Modify AllowUsers' sshd directive for '{{ user.name }}'
|
||||
replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^(AllowUsers ((?!{{ user.name }}).)*)$'
|
||||
replace: '\1 {{ user.name }}'
|
||||
notify:
|
||||
- reload sshd
|
||||
|
||||
- name: Modify Match User's sshd directive for '{{ user.name }}'
|
||||
replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^(Match User ((?!{{ user.name }}).)*)$'
|
||||
replace: '\1,{{ user.name }}'
|
||||
notify:
|
||||
- reload sshd
|
||||
|
||||
- name: Evolinux sudoers file is present
|
||||
template:
|
||||
src: sudoers_debian.j2
|
||||
dest: /etc/sudoers.d/evolinux
|
||||
force: false
|
||||
validate: '/usr/sbin/visudo -cf %s'
|
||||
register: copy_sudoers_evolinux
|
||||
|
||||
- name: Add user in sudoers file for '{{ user.name }}'
|
||||
replace:
|
||||
dest: /etc/sudoers.d/evolinux
|
||||
regexp: '^(User_Alias\s+ADMINS\s+=((?!{{ user.name }}).)*)$'
|
||||
replace: '\1,{{ user.name }}'
|
||||
validate: '/usr/sbin/visudo -cf %s'
|
||||
when: not copy_sudoers_evolinux.changed
|
||||
@ -0,0 +1,8 @@
|
||||
---
|
||||
|
||||
- include: adduser_debian.yml user={{ item }}
|
||||
with_items: "{{ evolinux_admin_users }}"
|
||||
when: ansible_distribution == "Debian"
|
||||
|
||||
# - include: openbsd.yml
|
||||
# when: ansible_distribution == "OpenBSD"
|
||||
@ -0,0 +1,10 @@
|
||||
Defaults umask=0077
|
||||
|
||||
Cmnd_Alias MAINT = {{ evomaintenance_scripts_dir or general_scripts_dir | mandatory }}/evomaintenance.sh, {{ listupgrade_scripts_dir or general_scripts_dir | mandatory }}/listupgrade.sh, /usr/bin/apt, /bin/mount
|
||||
User_Alias ADMINS = {{ user.name }}
|
||||
|
||||
nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
|
||||
nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt
|
||||
|
||||
ADMINS ALL = (ALL:ALL) ALL
|
||||
ADMINS ALL = NOPASSWD: MAINT
|
||||
@ -0,0 +1,24 @@
|
||||
# evolinux-base
|
||||
|
||||
Various tasks for Evolinux setup.
|
||||
|
||||
## Tasks
|
||||
|
||||
* `system.yml` :
|
||||
* `apt.yml` :
|
||||
* `install_tools.yml` :
|
||||
* `root.yml` :
|
||||
* `logs.yml` :
|
||||
|
||||
## Available variables
|
||||
|
||||
Main variables are :
|
||||
|
||||
* `evolinux_delete_nfs`: delete NFS tools (default: `True`)
|
||||
* `evolinux_ntp_server`: custom NTP server host or IP (default: `Null`)
|
||||
* `evolinux_additional_packages`: optional additional packages to install (default: `[]`)
|
||||
* `general_alert_email`: email address to send various alert messages (default: `root@localhost`).
|
||||
* `apt_alert_email`: email address to send APT messages to (default: `general_alert_email`).
|
||||
* `log2mail_alert_email`: email address to send Log2mail messages to (default: `general_alert_email`).
|
||||
|
||||
The full list of variables (with default values) can be found in `defaults/main.yml`.
|
||||
@ -0,0 +1,41 @@
|
||||
---
|
||||
general_alert_email: "root@localhost"
|
||||
reboot_alert_email: Null
|
||||
apt_alert_email: Null
|
||||
log2mail_alert_email: Null
|
||||
raid_alert_email: Null
|
||||
|
||||
# hostname
|
||||
|
||||
evolinux_hostname: "{{ ansible_hostname }}"
|
||||
evolinux_domain: "{{ ansible_domain }}"
|
||||
evolinux_fqdn: "{{ ansible_fqdn }}"
|
||||
evolinux_internal_hostname: "{{ evolinux_hostname }}"
|
||||
|
||||
# apt
|
||||
|
||||
evolinux_apt_repositories_components: "main"
|
||||
evolinux_apt_hooks: False
|
||||
# kernel
|
||||
|
||||
evolinux_kernel_reboot_after_panic: True
|
||||
evolinux_kernel_disable_tcp_timestamps: True
|
||||
evolinux_kernel_reduce_swapiness: True
|
||||
evolinux_kernel_cve20165696: True
|
||||
|
||||
# providers
|
||||
|
||||
evolinux_provider_online: False
|
||||
evolinux_provider_orange_fce: False
|
||||
|
||||
# default www
|
||||
|
||||
evolinux_default_www_redirect_url: "http://evolix.fr"
|
||||
evolinux_default_www_ssl_subject: "/CN={{ ansible_fqdn }}"
|
||||
evolinux_default_www_nginx_enabled: False
|
||||
evolinux_default_www_apache_enabled: False
|
||||
|
||||
# misc.
|
||||
|
||||
evolinux_ntp_server: Null
|
||||
evolinux_delete_nfs: True
|
||||
|
After Width: | Height: | Size: 2.6 KiB |
|
After Width: | Height: | Size: 1.1 KiB |
@ -0,0 +1,9 @@
|
||||
/var/log/php.log {
|
||||
weekly
|
||||
missingok
|
||||
rotate 52
|
||||
compress
|
||||
delaycompress
|
||||
notifempty
|
||||
create 640 www-data adm
|
||||
}
|
||||
@ -0,0 +1,16 @@
|
||||
/var/log/apt/term.log {
|
||||
rotate 120
|
||||
monthly
|
||||
compress
|
||||
missingok
|
||||
notifempty
|
||||
}
|
||||
|
||||
/var/log/apt/history.log {
|
||||
rotate 120
|
||||
monthly
|
||||
compress
|
||||
missingok
|
||||
notifempty
|
||||
}
|
||||
|
||||
@ -0,0 +1,14 @@
|
||||
/var/chroot-bind/var/log/bind.log {
|
||||
weekly
|
||||
missingok
|
||||
notifempty
|
||||
rotate 4
|
||||
create 640 bind bind
|
||||
compress
|
||||
delaycompress
|
||||
sharedscripts
|
||||
postrotate
|
||||
rndc reload > /dev/null
|
||||
endscript
|
||||
}
|
||||
|
||||
@ -0,0 +1,9 @@
|
||||
/var/log/dhcp.log {
|
||||
weekly
|
||||
missingok
|
||||
rotate 52
|
||||
compress
|
||||
delaycompress
|
||||
create 640 root adm
|
||||
notifempty
|
||||
}
|
||||
@ -0,0 +1,19 @@
|
||||
/var/log/dpkg.log {
|
||||
monthly
|
||||
rotate 120
|
||||
compress
|
||||
delaycompress
|
||||
missingok
|
||||
notifempty
|
||||
create 644 root root
|
||||
}
|
||||
/var/log/alternatives.log {
|
||||
monthly
|
||||
rotate 120
|
||||
compress
|
||||
delaycompress
|
||||
missingok
|
||||
notifempty
|
||||
create 644 root root
|
||||
}
|
||||
|
||||
@ -0,0 +1,8 @@
|
||||
/var/log/freeradius/*.log {
|
||||
weekly
|
||||
missingok
|
||||
rotate 52
|
||||
compress
|
||||
delaycompress
|
||||
notifempty
|
||||
}
|
||||
@ -0,0 +1,31 @@
|
||||
/var/log/proftpd.log {
|
||||
weekly
|
||||
missingok
|
||||
rotate 13
|
||||
compress
|
||||
delaycompress
|
||||
notifempty
|
||||
create 640 root adm
|
||||
sharedscripts
|
||||
postrotate
|
||||
/etc/init.d/proftpd restart > /dev/null
|
||||
endscript
|
||||
}
|
||||
|
||||
|
||||
/var/log/xferlog.log {
|
||||
weekly
|
||||
rotate 1
|
||||
missingok
|
||||
create 640 root adm
|
||||
sharedscripts
|
||||
postrotate
|
||||
DATE=$(date +"%d-%m-%Y")
|
||||
cd /var/log
|
||||
ftpstats -a -r -l 2 -d i-f xferlog.log.1 2>/dev/null >xferreport.$DATE
|
||||
mv xferlog.log.1 xferlog.log.$DATE
|
||||
gzip xferlog.log.$DATE
|
||||
gzip xferreport.$DATE
|
||||
endscript
|
||||
}
|
||||
|
||||
@ -0,0 +1,9 @@
|
||||
/var/log/openldap.log {
|
||||
weekly
|
||||
missingok
|
||||
rotate 3
|
||||
compress
|
||||
notifempty
|
||||
create 640 root adm
|
||||
}
|
||||
|
||||
@ -0,0 +1,19 @@
|
||||
/var/log/lighttpd/*.log {
|
||||
weekly
|
||||
missingok
|
||||
copytruncate
|
||||
rotate 52
|
||||
compress
|
||||
delaycompress
|
||||
notifempty
|
||||
sharedscripts
|
||||
postrotate
|
||||
if [ -f /var/run/lighttpd.pid ]; then \
|
||||
if [ -x /usr/sbin/invoke-rc.d ]; then \
|
||||
invoke-rc.d lighttpd force-reload > /dev/null; \
|
||||
else \
|
||||
/etc/init.d/lighttpd force-reload > /dev/null; \
|
||||
fi; \
|
||||
fi;
|
||||
endscript
|
||||
}
|
||||
@ -0,0 +1,6 @@
|
||||
/var/log/lvm {
|
||||
daily
|
||||
rotate 3
|
||||
missingok
|
||||
create 0640 root adm
|
||||
}
|
||||
@ -0,0 +1,8 @@
|
||||
/var/log/news.log {
|
||||
monthly
|
||||
missingok
|
||||
notifempty
|
||||
rotate 1
|
||||
create 640 root adm
|
||||
}
|
||||
|
||||
@ -0,0 +1,18 @@
|
||||
/var/log/nginx/*.log {
|
||||
weekly
|
||||
missingok
|
||||
rotate 52
|
||||
compress
|
||||
delaycompress
|
||||
notifempty
|
||||
create 640 root adm
|
||||
sharedscripts
|
||||
prerotate
|
||||
if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
|
||||
run-parts /etc/logrotate.d/httpd-prerotate; \
|
||||
fi; \
|
||||
endscript
|
||||
postrotate
|
||||
[ ! -f /var/run/nginx.pid ] || kill -USR1 `cat /var/run/nginx.pid`
|
||||
endscript
|
||||
}
|
||||
@ -0,0 +1,14 @@
|
||||
/var/log/ntp.log {
|
||||
weekly
|
||||
rotate 1
|
||||
missingok
|
||||
create 640 root adm
|
||||
sharedscripts
|
||||
postrotate
|
||||
DATE=$(date +"%d-%m-%Y")
|
||||
cd /var/log
|
||||
mv ntp.log.1 ntp.log.$DATE
|
||||
gzip ntp.log.$DATE
|
||||
endscript
|
||||
}
|
||||
|
||||
@ -0,0 +1,7 @@
|
||||
/var/log/postgresql.log {
|
||||
weekly
|
||||
missingok
|
||||
rotate 8
|
||||
create 640 root adm
|
||||
}
|
||||
|
||||
@ -0,0 +1,11 @@
|
||||
/var/log/procmail.log {
|
||||
daily
|
||||
rotate 365
|
||||
dateext
|
||||
dateyesterday
|
||||
dateformat .%Y%m%d
|
||||
missingok
|
||||
rotate 365
|
||||
create 640 root adm
|
||||
}
|
||||
|
||||
@ -0,0 +1,14 @@
|
||||
# Attention, bien mettre "log file = /var/log/samba/%m.log" dans la conf Samba
|
||||
/var/log/samba/*.log {
|
||||
weekly
|
||||
missingok
|
||||
rotate 52
|
||||
postrotate
|
||||
invoke-rc.d --quiet samba reload > /dev/null
|
||||
[ ! -f /var/run/samba/nmbd.pid ] || kill -HUP `cat /var/run/samba/nmbd.pid`
|
||||
[ -f /var/run/samba/winbindd.pid ] && kill -HUP `cat /var/run/samba/winbindd.pid` || true
|
||||
endscript
|
||||
compress
|
||||
notifempty
|
||||
}
|
||||
|
||||
@ -0,0 +1,11 @@
|
||||
/var/log/squid3/*.log {
|
||||
monthly
|
||||
compress
|
||||
rotate 12
|
||||
missingok
|
||||
create 640 proxy adm
|
||||
sharedscripts
|
||||
postrotate
|
||||
test ! -e /var/run/squid3.pid || /usr/sbin/squid3 -k rotate
|
||||
endscript
|
||||
}
|
||||
@ -0,0 +1,35 @@
|
||||
# Custom EvoLinux
|
||||
create 640 root adm
|
||||
dateext
|
||||
dateyesterday
|
||||
dateformat .%Y%m%d
|
||||
missingok
|
||||
notifempty
|
||||
delaycompress
|
||||
compress
|
||||
postrotate
|
||||
invoke-rc.d rsyslog rotate > /dev/null
|
||||
endscript
|
||||
|
||||
/var/log/daemon.log
|
||||
/var/log/kern.log
|
||||
/var/log/lpr.log
|
||||
{
|
||||
weekly
|
||||
rotate 5
|
||||
}
|
||||
|
||||
/var/log/auth.log
|
||||
/var/log/user.log
|
||||
/var/log/cron.log
|
||||
/var/log/debug
|
||||
/var/log/messages
|
||||
/var/log/syslog
|
||||
/var/log/mail.info
|
||||
/var/log/mail.warn
|
||||
/var/log/mail.err
|
||||
/var/log/mail.log
|
||||
{
|
||||
daily
|
||||
rotate 365
|
||||
}
|
||||
@ -0,0 +1,122 @@
|
||||
# Syslog for Pack Evolix serveur - Debian Squeeze
|
||||
|
||||
|
||||
#################
|
||||
#### MODULES ####
|
||||
#################
|
||||
|
||||
$ModLoad imuxsock # provides support for local system logging
|
||||
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
|
||||
#$ModLoad immark # provides --MARK-- message capability
|
||||
|
||||
# provides UDP syslog reception
|
||||
#$ModLoad imudp
|
||||
#$UDPServerRun 514
|
||||
|
||||
# provides TCP syslog reception
|
||||
#$ModLoad imtcp
|
||||
#$InputTCPServerRun 514
|
||||
|
||||
|
||||
###########################
|
||||
#### GLOBAL DIRECTIVES ####
|
||||
###########################
|
||||
|
||||
#
|
||||
# Use traditional timestamp format.
|
||||
# To enable high precision timestamps, comment out the following line.
|
||||
#
|
||||
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
|
||||
|
||||
#
|
||||
# Set the default permissions for all log files.
|
||||
#
|
||||
$FileOwner root
|
||||
$FileGroup adm
|
||||
$FileCreateMode 0640
|
||||
$DirCreateMode 0755
|
||||
$Umask 0022
|
||||
|
||||
#
|
||||
# Include all config files in /etc/rsyslog.d/
|
||||
#
|
||||
$IncludeConfig /etc/rsyslog.d/*.conf
|
||||
|
||||
|
||||
###############
|
||||
#### RULES ####
|
||||
###############
|
||||
|
||||
#
|
||||
# First some standard log files. Log by facility.
|
||||
#
|
||||
auth,authpriv.* /var/log/auth.log
|
||||
*.*;auth,authpriv.none;cron,mail,local4,local5.none -/var/log/syslog
|
||||
cron.* /var/log/cron.log
|
||||
daemon.* -/var/log/daemon.log
|
||||
kern.* -/var/log/kern.log
|
||||
lpr.* -/var/log/lpr.log
|
||||
mail.* -/var/log/mail.log
|
||||
user.* -/var/log/user.log
|
||||
uucp.* /var/log/uucp.log
|
||||
news.* /var/log/news.log
|
||||
|
||||
local4.* -/var/log/openldap.log
|
||||
local1.* /var/log/sympa.log
|
||||
local0.* /var/log/postgresql.log
|
||||
local7.* -/var/log/dhcp.log
|
||||
local5.* -/var/log/haproxy.log
|
||||
|
||||
|
||||
#
|
||||
# Logging for the mail system. Split it up so that
|
||||
# it is easy to write scripts to parse these files.
|
||||
#
|
||||
#mail.info -/var/log/mail.info
|
||||
#mail.warn -/var/log/mail.warn
|
||||
#mail.err /var/log/mail.err
|
||||
|
||||
#
|
||||
# Logging for INN news system.
|
||||
#
|
||||
#news.crit /var/log/news/news.crit
|
||||
#news.err /var/log/news/news.err
|
||||
#news.notice -/var/log/news/news.notice
|
||||
|
||||
#
|
||||
# Some "catch-all" log files.
|
||||
#
|
||||
#*.=debug;\
|
||||
# auth,authpriv.none;\
|
||||
# news.none;mail.none -/var/log/debug
|
||||
#*.=info;*.=notice;*.=warn;\
|
||||
# auth,authpriv.none;\
|
||||
# cron,daemon.none;\
|
||||
# mail,news.none -/var/log/messages
|
||||
|
||||
#
|
||||
# Emergencies are sent to everybody logged in.
|
||||
#
|
||||
*.emerg *
|
||||
|
||||
#
|
||||
# I like to have messages displayed on the console, but only on a virtual
|
||||
# console I usually leave idle.
|
||||
#
|
||||
#daemon,mail.*;\
|
||||
# news.=crit;news.=err;news.=notice;\
|
||||
# *.=debug;*.=info;\
|
||||
# *.=notice;*.=warn /dev/tty8
|
||||
|
||||
# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
|
||||
# you must invoke `xconsole' with the `-file' option:
|
||||
#
|
||||
# $ xconsole -file /dev/xconsole [...]
|
||||
#
|
||||
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
|
||||
# busy site..
|
||||
#
|
||||
#daemon.*;mail.*;\
|
||||
# news.err;\
|
||||
# *.=debug;*.=info;\
|
||||
# *.=notice;*.=warn |/dev/xconsole
|
||||
@ -0,0 +1,22 @@
|
||||
[core]
|
||||
filemode = true
|
||||
bare = false
|
||||
[color]
|
||||
branch = auto
|
||||
status = auto
|
||||
diff = auto
|
||||
interactive = auto
|
||||
decorate = auto
|
||||
grep = auto
|
||||
ui = true
|
||||
[apply]
|
||||
whitespace = nowarn
|
||||
[alias]
|
||||
a = add
|
||||
aa = add -A .
|
||||
c = commit -v
|
||||
ca = commit -v -a
|
||||
d = diff --ignore-space-change --patience --no-prefix
|
||||
dw = diff --word-diff
|
||||
lg = log --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit --date=relative
|
||||
s = status -s -b
|
||||
@ -0,0 +1,49 @@
|
||||
---
|
||||
- name: dpkg-reconfigure-debconf
|
||||
command: dpkg-reconfigure --frontend noninteractive debconf
|
||||
|
||||
- name: dpkg-reconfigure-locales
|
||||
command: dpkg-reconfigure --frontend noninteractive locales
|
||||
|
||||
- name: dpkg-reconfigure-apt
|
||||
command: dpkg-reconfigure --frontend noninteractive apt-listchanges
|
||||
|
||||
# - name: debconf-set-selections
|
||||
# command: debconf-set-selections /root/debconf-preseed
|
||||
|
||||
- name: apt update
|
||||
apt:
|
||||
update_cache: yes
|
||||
|
||||
- name: restart rsyslog
|
||||
service:
|
||||
name: rsyslog
|
||||
state: restarted
|
||||
|
||||
|
||||
- name: remount /home
|
||||
command: mount -o remount /home
|
||||
|
||||
- name: remount /var
|
||||
command: mount -o remount /var
|
||||
|
||||
|
||||
- name: restart nginx
|
||||
service:
|
||||
name: nginx
|
||||
state: restarted
|
||||
|
||||
- name: reload nginx
|
||||
service:
|
||||
name: nginx
|
||||
state: reloaded
|
||||
|
||||
- name: restart apache
|
||||
service:
|
||||
name: apache2
|
||||
state: restarted
|
||||
|
||||
- name: reload apache
|
||||
service:
|
||||
name: apache2
|
||||
state: reloaded
|
||||
@ -0,0 +1,55 @@
|
||||
---
|
||||
|
||||
- name: Setting apt config
|
||||
lineinfile:
|
||||
dest: /etc/apt/apt.conf.d/z-evolinux.conf
|
||||
line: "{{ item }}"
|
||||
create: yes
|
||||
state: present
|
||||
mode: 0640
|
||||
with_items:
|
||||
- "APT::Install-Recommends \"0\";"
|
||||
- "APT::Install-Suggests \"0\";"
|
||||
|
||||
- name: DPKg invoke hooks
|
||||
lineinfile:
|
||||
dest: /etc/apt/apt.conf.d/z-evolinux.conf
|
||||
line: "{{ item }}"
|
||||
create: yes
|
||||
state: present
|
||||
mode: 0640
|
||||
with_items:
|
||||
- "DPkg::Pre-Invoke { \"mount -oremount,exec /tmp && mount -oremount,rw /usr || true\"; };"
|
||||
- "DPkg::Post-Invoke { \"mount -oremount /tmp && mount -oremount /usr || exit 0\"; };"
|
||||
when: evolinux_apt_hooks
|
||||
|
||||
- name: Original repositories are disabled
|
||||
replace:
|
||||
dest: /etc/apt/sources.list
|
||||
regexp: '^(deb(-src)? {{ item }}.+)'
|
||||
replace: '# \1'
|
||||
with_items:
|
||||
# - '.+\.debian\.org'
|
||||
- 'cdrom:'
|
||||
|
||||
- name: Basic sources list is installed
|
||||
lineinfile:
|
||||
dest: /etc/apt/sources.list
|
||||
line: "{{ item }}"
|
||||
with_items:
|
||||
- "deb http://security.debian.org/ jessie/updates {{ evolinux_apt_components | mandatory }}"
|
||||
- "deb http://mirror.evolix.org/debian/ jessie {{ evolinux_apt_components | mandatory }}"
|
||||
- "deb http://mirror.evolix.org/debian/ jessie-updates {{ evolinux_apt_components | mandatory }}"
|
||||
|
||||
- name: Evolix public list is installed
|
||||
template:
|
||||
src: apt/evolix_public.list.j2
|
||||
dest: /etc/apt/sources.list.d/evolix_public.list
|
||||
force: yes
|
||||
backup: yes
|
||||
mode: 0640
|
||||
|
||||
- name: Upgrading system
|
||||
apt:
|
||||
upgrade: dist
|
||||
update_cache: yes
|
||||
@ -0,0 +1,14 @@
|
||||
---
|
||||
- name: Install/Update default packages (might take some time)
|
||||
command: "apt-get install -yq --allow-unauthenticated {{ evolinux_default_packages | join(' ') }}"
|
||||
register: install_default_packages
|
||||
changed_when: not (install_default_packages.stdout | search("0 upgraded") and install_default_packages.stdout | search("0 newly installed"))
|
||||
|
||||
- name: Deleting rpcbin and nfs-common
|
||||
apt:
|
||||
name: "{{ item }}"
|
||||
state: absent
|
||||
with_items:
|
||||
- rpcbind
|
||||
- nfs-common
|
||||
when: evolinux_delete_nfs
|
||||
@ -0,0 +1,108 @@
|
||||
---
|
||||
- name: /var/www is present
|
||||
file:
|
||||
path: /var/www
|
||||
state: directory
|
||||
mode: 0755
|
||||
|
||||
- name: images are copied
|
||||
copy:
|
||||
src: default_www/img
|
||||
dest: /var/www/
|
||||
mode: 0755
|
||||
directory_mode: 0755
|
||||
follow: yes
|
||||
|
||||
- name: index is copied
|
||||
template:
|
||||
src: default_www/index.html.j2
|
||||
dest: /var/www/index.html
|
||||
mode: 0755
|
||||
|
||||
# SSL cert
|
||||
|
||||
- name: ssl-cert package is installed
|
||||
apt:
|
||||
name: ssl-cert
|
||||
state: installed
|
||||
|
||||
- name: Create private key and csr for default site ({{ ansible_fqdn }})
|
||||
shell: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "{{ evolinux_default_www_ssl_subject }}"
|
||||
args:
|
||||
creates: "/etc/ssl/private/{{ ansible_fqdn }}.key"
|
||||
|
||||
- name: Adjust rights on private key
|
||||
file:
|
||||
path: /etc/ssl/private/{{ ansible_fqdn }}.key
|
||||
owner: root
|
||||
group: ssl-cert
|
||||
mode: 0640
|
||||
|
||||
- name: Create certificate for default site
|
||||
shell: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ ansible_fqdn }}.csr -signkey /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/certs/{{ ansible_fqdn }}.crt
|
||||
args:
|
||||
creates: "/etc/ssl/certs/{{ ansible_fqdn }}.crt"
|
||||
|
||||
|
||||
# Nginx vhost
|
||||
|
||||
- name: is Nginx installed?
|
||||
stat:
|
||||
path: /etc/nginx/sites-available
|
||||
register: nginx_sites_available
|
||||
|
||||
- block:
|
||||
- name: nginx vhost is installed
|
||||
template:
|
||||
src: default_www/nginx_default_site.j2
|
||||
dest: /etc/nginx/sites-available/000-default
|
||||
mode: 0640
|
||||
# force: yes
|
||||
notify: reload nginx
|
||||
tags:
|
||||
- nginx
|
||||
|
||||
|
||||
- name: nginx vhost is enabled
|
||||
file:
|
||||
src: /etc/nginx/sites-available/000-default
|
||||
dest: /etc/nginx/sites-enabled/000-default
|
||||
state: link
|
||||
notify: reload nginx
|
||||
when: evolinux_default_www_nginx_enabled
|
||||
tags:
|
||||
- nginx
|
||||
|
||||
when: nginx_sites_available.stat.exists
|
||||
|
||||
|
||||
# Apache vhost
|
||||
|
||||
- name: is Apache installed?
|
||||
stat:
|
||||
path: /etc/apache2/sites-available
|
||||
register: apache_sites_available
|
||||
|
||||
- block:
|
||||
- name: Apache vhost is installed
|
||||
template:
|
||||
src: default_www/apache_default_site.j2
|
||||
dest: /etc/apache2/sites-available/000-default
|
||||
mode: 0640
|
||||
# force: yes
|
||||
notify: reload apache
|
||||
tags:
|
||||
- apache
|
||||
|
||||
|
||||
- name: Apache vhost is enabled
|
||||
file:
|
||||
src: /etc/apache2/sites-available/000-default
|
||||
dest: /etc/apache2/sites-enabled/000-default
|
||||
state: link
|
||||
notify: reload apache
|
||||
when: evolinux_default_www_apache_enabled
|
||||
tags:
|
||||
- apache
|
||||
|
||||
when: apache_sites_available.stat.exists
|
||||
@ -0,0 +1,53 @@
|
||||
---
|
||||
# TODO: trouver comment faire une copie initiale de /etc/fstab
|
||||
# TODO: try to use the custom mount_uuid module for a different approach
|
||||
|
||||
- name: Fetch fstab content
|
||||
shell: "grep -v '^#' /etc/fstab"
|
||||
register: fstab_content
|
||||
failed_when: False
|
||||
changed_when: False
|
||||
|
||||
- name: /home partition is customized (noexec,nosuid,nodev)
|
||||
replace:
|
||||
dest: /etc/fstab
|
||||
regexp: '(\s+/home\s+\w+\s+defaults)(\s+)'
|
||||
replace: '\1,noexec,nosuid,nodev\2'
|
||||
backup: yes
|
||||
notify: remount /home
|
||||
when: "' /home ' in fstab_content.stdout"
|
||||
|
||||
- name: /tmp partition is customized (noexec,nosuid,nodev)
|
||||
replace:
|
||||
dest: /etc/fstab
|
||||
regexp: '(\s+/tmp\s+\w+\s+defaults)(\s+)'
|
||||
replace: '\1,noexec,nosuid,nodev\2'
|
||||
backup: yes
|
||||
when: "' /tmp ' in fstab_content.stdout"
|
||||
|
||||
- name: /usr partition is customized (ro)
|
||||
replace:
|
||||
dest: /etc/fstab
|
||||
regexp: '(\s+/usr\s+\w+\s+defaults)(\s+)'
|
||||
replace: '\1,ro\2'
|
||||
backup: yes
|
||||
when: "' /usr ' in fstab_content.stdout"
|
||||
|
||||
- name: /var partition is customized (nosuid)
|
||||
replace:
|
||||
dest: /etc/fstab
|
||||
regexp: '(\s+/var\s+\w+\s+defaults)(\s+)'
|
||||
replace: '\1,nosuid\2'
|
||||
backup: yes
|
||||
notify: remount /var
|
||||
when: "' /var ' in fstab_content.stdout"
|
||||
|
||||
- name: /var/tmp is created
|
||||
mount:
|
||||
src: tmpfs
|
||||
name: /var/tmpfs
|
||||
fstype: tmpfs
|
||||
opts: defaults,noexec,nosuid,nodev,size=1024m
|
||||
state: mounted
|
||||
|
||||
- meta: flush_handlers
|
||||
@ -0,0 +1,71 @@
|
||||
---
|
||||
- name: | ||||