From 58f458c90de9cae4dc5a8af2fc61067dc41a5431 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 5 Jul 2017 11:33:29 +0200 Subject: [PATCH 001/277] Don't check debian.org for check_proxy debian.org is not reliable enough, let's use an internal ipv4-only domain --- nagios-nrpe/templates/evolix.cfg.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2 index 53c0c8c1..561aba2c 100644 --- a/nagios-nrpe/templates/evolix.cfg.j2 +++ b/nagios-nrpe/templates/evolix.cfg.j2 @@ -41,7 +41,7 @@ command[check_jboss-http]=/usr/lib/nagios/plugins/check_tcp -p 8080 command[check_jboss-ajp13]=/usr/lib/nagios/plugins/check_tcp -p 8009 command[check_tomcat-http]=/usr/lib/nagios/plugins/check_tcp -p 8080 command[check_tomcat-ajp13]=/usr/lib/nagios/plugins/check_tcp -p 8009 -command[check_proxy]=/usr/lib/nagios/plugins/check_http -H www.debian.org +command[check_proxy]=/usr/lib/nagios/plugins/check_http -H ipv4.evolix.org command[check_redis]=/usr/lib/nagios/plugins/check_tcp -p 6379 command[check_clamd]=/usr/lib/nagios/plugins/check_clamd -H /var/run/clamav/clamd.ctl -v command[check_ssl]=/usr/lib/nagios/plugins/check_http -f follow -I 127.0.0.1 -S -p 443 -H ssl.evolix.net -C 15,5 From d3795150a7cd0a809c0b8434a7efb72083b2d06c Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 5 Jul 2017 11:38:47 +0200 Subject: [PATCH 002/277] Let's use a variable, with a default value (non-internal) --- nagios-nrpe/defaults/main.yml | 2 ++ nagios-nrpe/templates/evolix.cfg.j2 | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/nagios-nrpe/defaults/main.yml b/nagios-nrpe/defaults/main.yml index b02a8be5..f1a4731b 100644 --- a/nagios-nrpe/defaults/main.yml +++ b/nagios-nrpe/defaults/main.yml @@ -5,4 +5,6 @@ nagios_nrpe_ldap_passwd: LDAP_PASSWD nagios_nrpe_pgsql_passwd: PGSQL_PASSWD nagios_nrpe_amavis_from: "foobar@{{ ansible_domain }}" +nagios_nrpe_check_proxy_host: "www.debian.org" + nagios_plugins_directory: "/usr/local/lib/nagios/plugins" diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2 index 561aba2c..000ea905 100644 --- a/nagios-nrpe/templates/evolix.cfg.j2 +++ b/nagios-nrpe/templates/evolix.cfg.j2 @@ -41,7 +41,7 @@ command[check_jboss-http]=/usr/lib/nagios/plugins/check_tcp -p 8080 command[check_jboss-ajp13]=/usr/lib/nagios/plugins/check_tcp -p 8009 command[check_tomcat-http]=/usr/lib/nagios/plugins/check_tcp -p 8080 command[check_tomcat-ajp13]=/usr/lib/nagios/plugins/check_tcp -p 8009 -command[check_proxy]=/usr/lib/nagios/plugins/check_http -H ipv4.evolix.org +command[check_proxy]=/usr/lib/nagios/plugins/check_http -H {{ nagios_nrpe_check_proxy_host }} command[check_redis]=/usr/lib/nagios/plugins/check_tcp -p 6379 command[check_clamd]=/usr/lib/nagios/plugins/check_clamd -H /var/run/clamav/clamd.ctl -v command[check_ssl]=/usr/lib/nagios/plugins/check_http -f follow -I 127.0.0.1 -S -p 443 -H ssl.evolix.net -C 15,5 From c97eacbaf302376fbc9f23a08c262729d9fa55ab Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Thu, 6 Jul 2017 12:42:08 +0200 Subject: [PATCH 003/277] tomcat: disable default tomcat7 service --- tomcat/tasks/packages.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tomcat/tasks/packages.yml b/tomcat/tasks/packages.yml index 158e1a06..033d4f0e 100644 --- a/tomcat/tasks/packages.yml +++ b/tomcat/tasks/packages.yml @@ -21,3 +21,9 @@ src: 'tomcat.service' dest: "/etc/systemd/user/tomcat.service" mode: "0755" + +- name: Disable default tomcat7 service + service: + name: tomcat7 + state: stopped + enabled: false From e11b2e5a38c236bd87bc7d9df2fb0347c8da2f08 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 5 Jul 2017 11:46:52 +0200 Subject: [PATCH 004/277] Use evoadmin_host for the TLS certificate --- evoadmin/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evoadmin/defaults/main.yml b/evoadmin/defaults/main.yml index 30ba8010..35cdcb6c 100644 --- a/evoadmin/defaults/main.yml +++ b/evoadmin/defaults/main.yml @@ -9,6 +9,6 @@ evoadmin_log_dir: "{{ evoadmin_home_dir }}/log" evoadmin_scripts_dir: /usr/share/scripts/evoadmin/ evoadmin_host: "evoadmin.{{ ansible_fqdn }}" evoadmin_username: evoadmin -evoadmin_ssl_subject: "/CN={{ ansible_fqdn }}" +evoadmin_ssl_subject: "/CN={{ evoadmin_host }}" evoadmin_enable_vhost: True From 666dc7ba2add3d3888d4870891fe1258f454d183 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 5 Jul 2017 11:47:22 +0200 Subject: [PATCH 005/277] evoadmin: append group instead of replacing --- evoadmin/tasks/web.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/evoadmin/tasks/web.yml b/evoadmin/tasks/web.yml index 7bbc67be..5c4795f0 100644 --- a/evoadmin/tasks/web.yml +++ b/evoadmin/tasks/web.yml @@ -40,3 +40,4 @@ user: name: www-evoadmin groups: shadow + append: yes From e99145231b7bb908e95b7ae260f352ce940dc202 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 5 Jul 2017 11:49:33 +0200 Subject: [PATCH 006/277] remove useless file --- packweb-apache/tasks/web-add.yml | 3 --- 1 file changed, 3 deletions(-) delete mode 100644 packweb-apache/tasks/web-add.yml diff --git a/packweb-apache/tasks/web-add.yml b/packweb-apache/tasks/web-add.yml deleted file mode 100644 index 60bc20a8..00000000 --- a/packweb-apache/tasks/web-add.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- - -# TODO: ... From 57f6b45570b50ee4bda1d0d0526b119a66f8ffde Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 5 Jul 2017 11:49:53 +0200 Subject: [PATCH 007/277] whitespaces --- evoadmin/tasks/ftp.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/evoadmin/tasks/ftp.yml b/evoadmin/tasks/ftp.yml index e4eacabf..83913d01 100644 --- a/evoadmin/tasks/ftp.yml +++ b/evoadmin/tasks/ftp.yml @@ -11,6 +11,7 @@ remote_src: no src: evolinux.conf.diff dest: /etc/proftpd/conf.d/z-evolinux.conf + # Why 440? Because should be edited with ftpasswd. # So, readonly when opened with vim. # Then readable by group. From de37aac243765964d29c13e027c87541a0200567 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 5 Jul 2017 11:50:04 +0200 Subject: [PATCH 008/277] Don't overwrite default apache vhost --- evolinux-base/tasks/default_www.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/evolinux-base/tasks/default_www.yml b/evolinux-base/tasks/default_www.yml index 0fdf03f9..209fe7e2 100644 --- a/evolinux-base/tasks/default_www.yml +++ b/evolinux-base/tasks/default_www.yml @@ -92,7 +92,7 @@ - name: Apache vhost is installed template: src: default_www/apache_default_site.j2 - dest: /etc/apache2/sites-available/000-default.conf + dest: /etc/apache2/sites-available/000-evolinux-default.conf mode: "0640" # force: yes notify: reload apache @@ -101,8 +101,8 @@ - name: Apache vhost is enabled file: - src: /etc/apache2/sites-available/000-default.conf - dest: /etc/apache2/sites-enabled/000-default.conf + src: /etc/apache2/sites-available/000-evolinux-default.conf + dest: /etc/apache2/sites-enabled/000-evolinux-default.conf state: link notify: reload apache when: evolinux_default_www_apache_enabled From 0e0bc1cbbddff69b2e57c9a2ccf877cd33d9dd71 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 5 Jul 2017 18:22:00 +0200 Subject: [PATCH 009/277] Split default vhost into nginx ad apache roles --- apache/defaults/main.yml | 6 ++ apache/tasks/main.yml | 33 ++++++++++ .../templates/evolinux-default.conf.j2 | 5 +- evolinux-base/defaults/main.yml | 8 --- evolinux-base/tasks/default_www.yml | 63 ------------------- .../templates/default_www/index.html.j2 | 6 +- nginx/defaults/main.yml | 6 ++ nginx/tasks/main.yml | 32 ++++++++++ .../templates/evolinux-default.conf.j2 | 2 +- 9 files changed, 84 insertions(+), 77 deletions(-) rename evolinux-base/templates/default_www/apache_default_site.j2 => apache/templates/evolinux-default.conf.j2 (90%) rename evolinux-base/templates/default_www/nginx_default_site.j2 => nginx/templates/evolinux-default.conf.j2 (95%) diff --git a/apache/defaults/main.yml b/apache/defaults/main.yml index 70140cad..10be7acb 100644 --- a/apache/defaults/main.yml +++ b/apache/defaults/main.yml @@ -4,3 +4,9 @@ apache_private_ipaddr_whitelist_absent: [] apache_private_htpasswd_present: [] apache_private_htpasswd_absent: [] + +apache_default_redirect_url: "http://evolix.fr" +apache_evolinux_default_enabled: True + +apache_phpmyadmin_suffix: "{{ lookup('env', 'RANDOM') }}" +apache_serverstatus_suffix: "{{ lookup('env', 'RANDOM') }}" diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index dce83867..8f5b51c4 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -152,6 +152,39 @@ tags: - apache +- name: default vhost is installed + template: + src: evolinux-default.conf.j2 + dest: /etc/apache2/sites-available/000-evolinux-default.conf + mode: "0640" + # force: yes + notify: reload apache + tags: + - apache + +- name: default vhost is enabled + file: + src: /etc/apache2/sites-available/000-evolinux-default.conf + dest: /etc/apache2/sites-enabled/000-default.conf + state: link + force: yes + notify: reload apache + when: apache_evolinux_default_enabled + tags: + - apache + +- name: replace phpmyadmin suffix in default site index + replace: + dest: /var/www/index.html + regexp: '__PHPMYADMIN_SUFFIX__' + replace: "{{ apache_phpmyadmin_suffix }}" + +- name: replace server-status suffix in default site index + replace: + dest: /var/www/index.html + regexp: '__SERVERSTATUS_SUFFIX__' + replace: "{{ apache_serverstatus_suffix }}" + - name: is umask already present? command: "grep -E '^umask ' /etc/apache2/envvars" failed_when: False diff --git a/evolinux-base/templates/default_www/apache_default_site.j2 b/apache/templates/evolinux-default.conf.j2 similarity index 90% rename from evolinux-base/templates/default_www/apache_default_site.j2 rename to apache/templates/evolinux-default.conf.j2 index 8f29785a..3c56568a 100644 --- a/evolinux-base/templates/default_www/apache_default_site.j2 +++ b/apache/templates/evolinux-default.conf.j2 @@ -11,6 +11,7 @@ # Redirect to HTTPS, execpt for server-status, because Munin plugin # can't handle HTTPS! :( RewriteEngine on + RewriteCond %{HTTPS} !=on RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC] RewriteCond %{REQUEST_URI} !^/munin_opcache.php$ [NC] RewriteRule ^/(.*) https://{{ ansible_fqdn }}/$1 [L,R=permanent] @@ -39,13 +40,13 @@ Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch - ErrorDocument 403 {{ evolinux_default_www_redirect_url }} + ErrorDocument 403 {{ apache_default_redirect_url }} CustomLog /var/log/apache2/access.log vhost_combined ErrorLog /var/log/apache2/error.log LogLevel warn Alias /munin /var/cache/munin/www - Alias /phpmyadmin-SED_RANDOM /usr/share/phpmyadmin/ + Alias /phpmyadmin-{{ apache_phpmyadmin_suffix }} /usr/share/phpmyadmin/ IncludeOptional /etc/apache2/conf-available/phpmyadmin* diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index 50635b05..26428674 100644 --- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml @@ -135,14 +135,6 @@ evolinux_default_www_files: True evolinux_default_www_ssl_cert: True evolinux_default_www_ssl_subject: "/CN={{ ansible_fqdn }}" -evolinux_default_www_nginx_vhost: True -evolinux_default_www_nginx_enabled: False - -evolinux_default_www_apache_vhost: True -evolinux_default_www_apache_enabled: False - -evolinux_default_www_redirect_url: "http://evolix.fr" - # hardware evolinux_hardware_include: True diff --git a/evolinux-base/tasks/default_www.yml b/evolinux-base/tasks/default_www.yml index 209fe7e2..b6219772 100644 --- a/evolinux-base/tasks/default_www.yml +++ b/evolinux-base/tasks/default_www.yml @@ -48,67 +48,4 @@ creates: "/etc/ssl/certs/{{ ansible_fqdn }}.crt" when: evolinux_default_www_ssl_cert -# Nginx vhost - -- name: is Nginx installed? - stat: - path: /etc/nginx/sites-available - check_mode: no - register: nginx_sites_available - -- block: - - name: nginx vhost is installed - template: - src: default_www/nginx_default_site.j2 - dest: /etc/nginx/sites-available/000-default - mode: "0640" - # force: yes - notify: reload nginx - tags: - - nginx - - - name: nginx vhost is enabled - file: - src: /etc/nginx/sites-available/000-default - dest: /etc/nginx/sites-enabled/000-default - state: link - notify: reload nginx - when: evolinux_default_www_nginx_enabled - tags: - - nginx - - when: evolinux_default_www_nginx_vhost and nginx_sites_available.stat.exists - - -# Apache vhost - -- name: is Apache installed? - stat: - path: /etc/apache2/sites-available - check_mode: no - register: apache_sites_available - -- block: - - name: Apache vhost is installed - template: - src: default_www/apache_default_site.j2 - dest: /etc/apache2/sites-available/000-evolinux-default.conf - mode: "0640" - # force: yes - notify: reload apache - tags: - - apache - - - name: Apache vhost is enabled - file: - src: /etc/apache2/sites-available/000-evolinux-default.conf - dest: /etc/apache2/sites-enabled/000-evolinux-default.conf - state: link - notify: reload apache - when: evolinux_default_www_apache_enabled - tags: - - apache - - when: evolinux_default_www_apache_vhost and apache_sites_available.stat.exists - - meta: flush_handlers diff --git a/evolinux-base/templates/default_www/index.html.j2 b/evolinux-base/templates/default_www/index.html.j2 index 25a967b4..717b93c6 100644 --- a/evolinux-base/templates/default_www/index.html.j2 +++ b/evolinux-base/templates/default_www/index.html.j2 @@ -57,15 +57,15 @@

{{ ansible_hostname }}

-
    + diff --git a/nginx/defaults/main.yml b/nginx/defaults/main.yml index bff60300..e9423c72 100644 --- a/nginx/defaults/main.yml +++ b/nginx/defaults/main.yml @@ -4,3 +4,9 @@ nginx_private_ipaddr_whitelist_absent: [] nginx_private_htpasswd_present: [] nginx_private_htpasswd_absent: [] + +nginx_default_redirect_url: "http://evolix.fr" +nginx_evolinux_default_enabled: True + +# nginx_phpmyadmin_suffix: "{{ lookup('env', 'RANDOM') }}" +# nginx_serverstatus_suffix: "{{ lookup('env', 'RANDOM') }}" diff --git a/nginx/tasks/main.yml b/nginx/tasks/main.yml index caffaad1..69eca6d4 100644 --- a/nginx/tasks/main.yml +++ b/nginx/tasks/main.yml @@ -109,6 +109,38 @@ tags: - nginx +- name: nginx vhost is installed + template: + src: evolinux-default.conf.j2 + dest: /etc/nginx/sites-available/evolinux-default.conf + mode: "0640" + notify: reload nginx + tags: + - nginx + +- name: default vhost is enabled + file: + src: /etc/nginx/sites-available/evolinux-default.conf + dest: /etc/nginx/sites-enabled/default.conf + state: link + force: yes + notify: reload nginx + when: nginx_evolinux_default_enabled + tags: + - nginx + +# - name: replace phpmyadmin suffix in default site index +# replace: +# dest: /var/www/index.html +# regexp: '__PHPMYADMIN_SUFFIX__' +# replace: "{{ nginx_phpmyadmin_suffix }}" +# +# - name: replace server-status suffix in default site index +# replace: +# dest: /var/www/index.html +# regexp: '__SERVERSTATUS_SUFFIX__' +# replace: "{{ nginx_serverstatus_suffix }}" + - name: Verify that the service is enabled and started service: name: nginx diff --git a/evolinux-base/templates/default_www/nginx_default_site.j2 b/nginx/templates/evolinux-default.conf.j2 similarity index 95% rename from evolinux-base/templates/default_www/nginx_default_site.j2 rename to nginx/templates/evolinux-default.conf.j2 index 803ff4ad..1e1ceab5 100644 --- a/evolinux-base/templates/default_www/nginx_default_site.j2 +++ b/nginx/templates/evolinux-default.conf.j2 @@ -18,7 +18,7 @@ server { access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log; - error_page 403 {{ evolinux_default_www_redirect_url }}; + error_page 403 {{ nginx_default_redirect_url }}; root /var/www; From 34f6354a9e61f71ac2a896c4909495053f2d416c Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 6 Jul 2017 11:33:35 +0200 Subject: [PATCH 010/277] random suffices for phpmyadmin abnd server-status with apg --- apache/defaults/main.yml | 4 ++-- apache/tasks/main.yml | 22 ++++++++++++++++++++++ nginx/defaults/main.yml | 4 ++-- nginx/tasks/main.yml | 22 ++++++++++++++++++++++ 4 files changed, 48 insertions(+), 4 deletions(-) diff --git a/apache/defaults/main.yml b/apache/defaults/main.yml index 10be7acb..325e6056 100644 --- a/apache/defaults/main.yml +++ b/apache/defaults/main.yml @@ -8,5 +8,5 @@ apache_private_htpasswd_absent: [] apache_default_redirect_url: "http://evolix.fr" apache_evolinux_default_enabled: True -apache_phpmyadmin_suffix: "{{ lookup('env', 'RANDOM') }}" -apache_serverstatus_suffix: "{{ lookup('env', 'RANDOM') }}" +apache_phpmyadmin_suffix: "" +apache_serverstatus_suffix: "" diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index 8f5b51c4..78055141 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -173,12 +173,34 @@ tags: - apache +- block: + - name: generate random string for phpmyadmin suffix + command: "apg -a 1 -M N -n 1" + changed_when: False + register: _random_phpmyadmin_suffix + + - name: overwrite apache_phpmyadmin_suffix + set_fact: + apache_phpmyadmin_suffix: "{{ _random_phpmyadmin_suffix.stdout }}" + when: apache_phpmyadmin_suffix == "" + - name: replace phpmyadmin suffix in default site index replace: dest: /var/www/index.html regexp: '__PHPMYADMIN_SUFFIX__' replace: "{{ apache_phpmyadmin_suffix }}" +- block: + - name: generate random string for serverstatus suffix + command: "apg -a 1 -M N -n 1" + changed_when: False + register: _random_serverstatus_suffix + + - name: overwrite apache_serverstatus_suffix + set_fact: + apache_serverstatus_suffix: "{{ _random_serverstatus_suffix.stdout }}" + when: apache_serverstatus_suffix == "" + - name: replace server-status suffix in default site index replace: dest: /var/www/index.html diff --git a/nginx/defaults/main.yml b/nginx/defaults/main.yml index e9423c72..10a4b83e 100644 --- a/nginx/defaults/main.yml +++ b/nginx/defaults/main.yml @@ -8,5 +8,5 @@ nginx_private_htpasswd_absent: [] nginx_default_redirect_url: "http://evolix.fr" nginx_evolinux_default_enabled: True -# nginx_phpmyadmin_suffix: "{{ lookup('env', 'RANDOM') }}" -# nginx_serverstatus_suffix: "{{ lookup('env', 'RANDOM') }}" +# nginx_phpmyadmin_suffix: "" +# nginx_serverstatus_suffix: "" diff --git a/nginx/tasks/main.yml b/nginx/tasks/main.yml index 69eca6d4..0fe672a7 100644 --- a/nginx/tasks/main.yml +++ b/nginx/tasks/main.yml @@ -129,12 +129,34 @@ tags: - nginx +# - block: +# - name: generate random string for phpmyadmin suffix +# command: "apg -a 1 -M N -n 1" +# changed_when: False +# register: random_phpmyadmin_suffix +# +# - name: overwrite nginx_phpmyadmin_suffix +# set_fact: +# nginx_phpmyadmin_suffix: "{{ random_phpmyadmin_suffix.stdout }}" +# when: nginx_phpmyadmin_suffix == "" +# # - name: replace phpmyadmin suffix in default site index # replace: # dest: /var/www/index.html # regexp: '__PHPMYADMIN_SUFFIX__' # replace: "{{ nginx_phpmyadmin_suffix }}" # +# - block: +# - name: generate random string for serverstatus suffix +# command: "apg -a 1 -M N -n 1" +# changed_when: False +# register: random_serverstatus_suffix +# +# - name: overwrite nginx_serverstatus_suffix +# set_fact: +# nginx_serverstatus_suffix: "{{ random_phpmyadmin_suffix.stdout }}" +# when: nginx_serverstatus_suffix == "" +# # - name: replace server-status suffix in default site index # replace: # dest: /var/www/index.html From 242c005f6d35d929a612e1710d2293558e7ae966 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 6 Jul 2017 14:51:40 +0200 Subject: [PATCH 011/277] Fix default web page * split 80/443 * use modern authorization syntax * reorganize the VHost file --- apache/files/private_ipaddr_whitelist.conf | 2 +- apache/tasks/main.yml | 11 ++++-- apache/templates/evolinux-default.conf.j2 | 40 ++++++++++++---------- 3 files changed, 32 insertions(+), 21 deletions(-) diff --git a/apache/files/private_ipaddr_whitelist.conf b/apache/files/private_ipaddr_whitelist.conf index 34e7da20..6c42b58c 100644 --- a/apache/files/private_ipaddr_whitelist.conf +++ b/apache/files/private_ipaddr_whitelist.conf @@ -1,2 +1,2 @@ # Whitelisted IP addresses, add `Include ipaddr_whitelist.conf` to use it -#Allow from 192.0.2.42 +#Require ip 192.0.2.42 diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index 78055141..a90a3144 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -103,7 +103,7 @@ - name: add IP addresses to private IP whitelist lineinfile: dest: /etc/apache2/private_ipaddr_whitelist.conf - line: "Allow from {{ item }}" + line: "Require ip {{ item }}" state: present with_items: "{{ apache_private_ipaddr_whitelist_present }}" notify: reload apache @@ -113,13 +113,20 @@ - name: remove IP addresses from private IP whitelist lineinfile: dest: /etc/apache2/private_ipaddr_whitelist.conf - line: "Allow from {{ item }}" + line: "Require ip {{ item }}" state: absent with_items: "{{ apache_private_ipaddr_whitelist_absent }}" notify: reload apache tags: - apache +- name: include private IP whitelist for server-status + lineinfile: + dest: /etc/apache2/mods-available/status.conf + line: " include /etc/apache2/private_ipaddr_whitelist.conf" + insertafter: 'SetHandler server-status' + state: present + - name: Copy private_htpasswd copy: src: private_htpasswd diff --git a/apache/templates/evolinux-default.conf.j2 b/apache/templates/evolinux-default.conf.j2 index 3c56568a..744c4319 100644 --- a/apache/templates/evolinux-default.conf.j2 +++ b/apache/templates/evolinux-default.conf.j2 @@ -1,36 +1,40 @@ - + ServerName {{ ansible_fqdn }} ServerAdmin webmaster@localhost + + RewriteEngine on + RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC] + # RewriteCond %{REQUEST_URI} !^/munin_opcache.php$ [NC] + RewriteRule ^/(.*) https://{{ ansible_fqdn }}/$1 [L,R=permanent] + + + + ServerName {{ ansible_fqdn }} + ServerAdmin webmaster@localhost + DocumentRoot /var/www/ SSLEngine on SSLCertificateFile /etc/ssl/certs/{{ ansible_fqdn }}.crt SSLCertificateKeyFile /etc/ssl/private/{{ ansible_fqdn }}.key - SSLProtocol all -SSLv2 -SSLv3 + # SSLProtocol all -SSLv2 -SSLv3 - # Redirect to HTTPS, execpt for server-status, because Munin plugin - # can't handle HTTPS! :( - RewriteEngine on - RewriteCond %{HTTPS} !=on - RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC] - RewriteCond %{REQUEST_URI} !^/munin_opcache.php$ [NC] - RewriteRule ^/(.*) https://{{ ansible_fqdn }}/$1 [L,R=permanent] - - - Options FollowSymLinks + + Options +Indexes +FollowSymLinks +MultiViews AllowOverride None - Deny from all + Include /etc/apache2/private_ipaddr_whitelist.conf - - Options Indexes FollowSymLinks MultiViews + Alias /munin /var/cache/munin/www + + Options +Indexes +FollowSymLinks +MultiViews AllowOverride None + + Include /etc/apache2/private_ipaddr_whitelist.conf - Deny from all - Allow from 127.0.0.1 Include /etc/apache2/private_ipaddr_whitelist.conf @@ -41,11 +45,11 @@ ErrorDocument 403 {{ apache_default_redirect_url }} + CustomLog /var/log/apache2/access.log vhost_combined ErrorLog /var/log/apache2/error.log LogLevel warn - Alias /munin /var/cache/munin/www Alias /phpmyadmin-{{ apache_phpmyadmin_suffix }} /usr/share/phpmyadmin/ IncludeOptional /etc/apache2/conf-available/phpmyadmin* From 3d77f086ed222bb2cb7738d0d6b75dfed26b558b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 6 Jul 2017 14:53:52 +0200 Subject: [PATCH 012/277] Disable random URL for server-status (probably temporary) --- apache/tasks/main.yml | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index a90a3144..cf3dc16b 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -197,22 +197,22 @@ regexp: '__PHPMYADMIN_SUFFIX__' replace: "{{ apache_phpmyadmin_suffix }}" -- block: - - name: generate random string for serverstatus suffix - command: "apg -a 1 -M N -n 1" - changed_when: False - register: _random_serverstatus_suffix - - - name: overwrite apache_serverstatus_suffix - set_fact: - apache_serverstatus_suffix: "{{ _random_serverstatus_suffix.stdout }}" - when: apache_serverstatus_suffix == "" - -- name: replace server-status suffix in default site index - replace: - dest: /var/www/index.html - regexp: '__SERVERSTATUS_SUFFIX__' - replace: "{{ apache_serverstatus_suffix }}" +# - block: +# - name: generate random string for serverstatus suffix +# command: "apg -a 1 -M N -n 1" +# changed_when: False +# register: _random_serverstatus_suffix +# +# - name: overwrite apache_serverstatus_suffix +# set_fact: +# apache_serverstatus_suffix: "{{ _random_serverstatus_suffix.stdout }}" +# when: apache_serverstatus_suffix == "" +# +# - name: replace server-status suffix in default site index +# replace: +# dest: /var/www/index.html +# regexp: '__SERVERSTATUS_SUFFIX__' +# replace: "{{ apache_serverstatus_suffix }}" - name: is umask already present? command: "grep -E '^umask ' /etc/apache2/envvars" From 553025d199be2f8269347eba842bdc7f95c393c1 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 6 Jul 2017 14:55:22 +0200 Subject: [PATCH 013/277] enable server-status in default site --- evolinux-base/templates/default_www/index.html.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evolinux-base/templates/default_www/index.html.j2 b/evolinux-base/templates/default_www/index.html.j2 index 717b93c6..49c20a79 100644 --- a/evolinux-base/templates/default_www/index.html.j2 +++ b/evolinux-base/templates/default_www/index.html.j2 @@ -59,13 +59,13 @@ From 0fdc1565a89a5e3171910194709088902eb34492 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 6 Jul 2017 14:56:44 +0200 Subject: [PATCH 014/277] Default site CSS slightly beautified --- .../templates/default_www/index.html.j2 | 87 +++++++++---------- 1 file changed, 43 insertions(+), 44 deletions(-) diff --git a/evolinux-base/templates/default_www/index.html.j2 b/evolinux-base/templates/default_www/index.html.j2 index 49c20a79..dc8e0ce3 100644 --- a/evolinux-base/templates/default_www/index.html.j2 +++ b/evolinux-base/templates/default_www/index.html.j2 @@ -6,50 +6,49 @@ {{ ansible_hostname }} From 4237a4fb21f1ac5e72d74a64bc59499d3a77014e Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 7 Jul 2017 11:34:28 +0200 Subject: [PATCH 015/277] tomcat-instance: move handler in tasks --- tomcat-instance/handlers/main.yml | 3 --- tomcat-instance/tasks/user.yml | 6 +++++- 2 files changed, 5 insertions(+), 4 deletions(-) delete mode 100644 tomcat-instance/handlers/main.yml diff --git a/tomcat-instance/handlers/main.yml b/tomcat-instance/handlers/main.yml deleted file mode 100644 index 3849b184..00000000 --- a/tomcat-instance/handlers/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -- name: new aliases - command: newaliases diff --git a/tomcat-instance/tasks/user.yml b/tomcat-instance/tasks/user.yml index 1a95b459..56fb76ff 100644 --- a/tomcat-instance/tasks/user.yml +++ b/tomcat-instance/tasks/user.yml @@ -33,7 +33,11 @@ line: "{{ tomcat_instance_name }}: {{ tomcat_instance_mail }}" regexp: "{{ tomcat_instance_name }}:" when: etc_aliases.stat.exists and tomcat_instance_mail is defined - notify: new aliases + register: tomcat_instance_mail_alias + +- name: Run newaliases + command: newaliases + when: tomcat_instance_mail_alias | changed - name: Enable sudo right lineinfile: From 61685dfa40165a182ac545fab6f52628eecb3119 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 7 Jul 2017 12:12:05 +0200 Subject: [PATCH 016/277] tomcat-instance: fix default vars --- tomcat-instance/defaults/main.yml | 2 ++ tomcat-instance/tasks/check.yml | 14 -------------- 2 files changed, 2 insertions(+), 14 deletions(-) diff --git a/tomcat-instance/defaults/main.yml b/tomcat-instance/defaults/main.yml index e555e2cd..0f6c7735 100644 --- a/tomcat-instance/defaults/main.yml +++ b/tomcat-instance/defaults/main.yml @@ -1,2 +1,4 @@ --- tomcat_instance_root: '/srv/tomcat' +tomcat_instance_shutdown: "{{ tomcat_instance_port | int + 1 }}" +tomcat_instance_mps: 256 diff --git a/tomcat-instance/tasks/check.yml b/tomcat-instance/tasks/check.yml index 996a0773..3c2319d0 100644 --- a/tomcat-instance/tasks/check.yml +++ b/tomcat-instance/tasks/check.yml @@ -21,17 +21,3 @@ #- name: Check use of http port # command: grep ' Date: Sun, 28 May 2017 10:19:50 +0200 Subject: [PATCH 017/277] easy deny User-Agent --- apache/files/evolinux-custom.conf | 5 +++++ apache/files/evolinux-defaults.conf | 1 + 2 files changed, 6 insertions(+) diff --git a/apache/files/evolinux-custom.conf b/apache/files/evolinux-custom.conf index def69d90..397f351b 100644 --- a/apache/files/evolinux-custom.conf +++ b/apache/files/evolinux-custom.conf @@ -3,3 +3,8 @@ #StartServers 100 #MinSpareServers 40 #MaxSpareServers 60 + +SetEnvIf User-Agent "^BadBot$" GoAway=1 +SetEnvIf User-Agent "Nutch" GoAway=1 +SetEnvIf User-Agent "ApacheBench" GoAway=1 + diff --git a/apache/files/evolinux-defaults.conf b/apache/files/evolinux-defaults.conf index 511396e5..9eba4f6e 100644 --- a/apache/files/evolinux-defaults.conf +++ b/apache/files/evolinux-defaults.conf @@ -12,4 +12,5 @@ MaxRequestsPerChild 0 AllowOverride None Require all granted + Deny from env=GoAway From 0d0937aa4e86f25b6c681e18fcc2613d71fb0e4e Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Sat, 17 Jun 2017 20:10:32 +0200 Subject: [PATCH 018/277] Use "false" instead of "0" to be more explicit --- evolinux-base/tasks/apt.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/evolinux-base/tasks/apt.yml b/evolinux-base/tasks/apt.yml index 43369eca..5fabf08a 100644 --- a/evolinux-base/tasks/apt.yml +++ b/evolinux-base/tasks/apt.yml @@ -14,8 +14,8 @@ state: present mode: "0640" with_items: - - "APT::Install-Recommends \"0\";" - - "APT::Install-Suggests \"0\";" + - "APT::Install-Recommends \"false\";" + - "APT::Install-Suggests \"false\";" when: evolinux_apt_conf - name: DPKg invoke hooks From 8505ef5b5e4a45c2bda7a4cfba595f827d56d254 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Sat, 17 Jun 2017 20:32:37 +0200 Subject: [PATCH 019/277] exit 0 -> true --- evolinux-base/tasks/apt.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evolinux-base/tasks/apt.yml b/evolinux-base/tasks/apt.yml index 5fabf08a..2955b4e9 100644 --- a/evolinux-base/tasks/apt.yml +++ b/evolinux-base/tasks/apt.yml @@ -27,7 +27,7 @@ mode: "0640" with_items: - "DPkg::Pre-Invoke { \"mount -oremount,exec /tmp && mount -oremount,rw /usr || true\"; };" - - "DPkg::Post-Invoke { \"mount -oremount /tmp && mount -oremount /usr || exit 0\"; };" + - "DPkg::Post-Invoke { \"mount -oremount /tmp && mount -oremount /usr || true\"; };" when: evolinux_apt_hooks - name: Remove Aptitude From 0d79db4ed58e237056103271bcd82183e8258fc3 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Mon, 10 Jul 2017 21:52:57 +0200 Subject: [PATCH 020/277] Improve dpkg pre / post - invoke --- evolinux-base/tasks/apt.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/evolinux-base/tasks/apt.yml b/evolinux-base/tasks/apt.yml index 2955b4e9..0e0df00a 100644 --- a/evolinux-base/tasks/apt.yml +++ b/evolinux-base/tasks/apt.yml @@ -26,8 +26,10 @@ state: present mode: "0640" with_items: - - "DPkg::Pre-Invoke { \"mount -oremount,exec /tmp && mount -oremount,rw /usr || true\"; };" - - "DPkg::Post-Invoke { \"mount -oremount /tmp && mount -oremount /usr || true\"; };" + - "DPkg::Pre-Invoke { \"df /tmp | grep -q /tmp && mount -oremount,exec /tmp || true\"; };" + - "DPkg::Pre-Invoke { \"df /usr | grep -q /usr && mount -oremount,rw /usr || true\"; };" + - "DPkg::Post-Invoke { \"df /tmp | grep -q /tmp && mount -oremount /tmp || true\"; };" + - "DPkg::Post-Invoke { \"df /usr | grep -q /usr && mount -oremount /usr || true\"; };" when: evolinux_apt_hooks - name: Remove Aptitude From 05b7588953d453cc71a663c6a3e8f86bea18afee Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Mon, 10 Jul 2017 22:17:58 +0200 Subject: [PATCH 021/277] no more apt-listchanges in Stretch --- evolinux-base/tasks/packages.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evolinux-base/tasks/packages.yml b/evolinux-base/tasks/packages.yml index 13b735c7..8ce7b640 100644 --- a/evolinux-base/tasks/packages.yml +++ b/evolinux-base/tasks/packages.yml @@ -104,6 +104,6 @@ with_items: - { option: "confirm", value: "1" } - { option: "which", value: "both" } - when: evolinux_packages_listchanges + when: evolinux_packages_listchanges and ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('9', '<') - meta: flush_handlers From 45c729c5d7f117a7de4f8bd65ccb2db4bf7c9d36 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Mon, 10 Jul 2017 22:49:11 +0200 Subject: [PATCH 022/277] Use mirror.evolix.org --- apt-repositories/templates/stretch_basics.list.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apt-repositories/templates/stretch_basics.list.j2 b/apt-repositories/templates/stretch_basics.list.j2 index dada4cab..aee02c5c 100644 --- a/apt-repositories/templates/stretch_basics.list.j2 +++ b/apt-repositories/templates/stretch_basics.list.j2 @@ -1,4 +1,4 @@ # {{ ansible_managed }} -deb http://deb.debian.org/debian stretch {{ apt_repositories_basics_components | mandatory }} +deb http://mirror.evolix.org/debian stretch {{ apt_repositories_basics_components | mandatory }} deb http://security.debian.org/debian-security stretch/updates {{ apt_repositories_basics_components | mandatory }} From feee230885caa52bf9bdb618b0a0c10331fbb1c2 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Mon, 10 Jul 2017 22:49:38 +0200 Subject: [PATCH 023/277] use stretch-updates --- apt-repositories/templates/stretch_basics.list.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/apt-repositories/templates/stretch_basics.list.j2 b/apt-repositories/templates/stretch_basics.list.j2 index aee02c5c..eac2c1fb 100644 --- a/apt-repositories/templates/stretch_basics.list.j2 +++ b/apt-repositories/templates/stretch_basics.list.j2 @@ -1,4 +1,5 @@ # {{ ansible_managed }} deb http://mirror.evolix.org/debian stretch {{ apt_repositories_basics_components | mandatory }} +deb http://mirror.evolix.org/debian/ stretch-updates {{ apt_repositories_basics_components | mandatory }} deb http://security.debian.org/debian-security stretch/updates {{ apt_repositories_basics_components | mandatory }} From eab03993d0ccb7736ef40aeb3bf40078f26f9338 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Tue, 11 Jul 2017 00:29:06 +0200 Subject: [PATCH 024/277] improvment, don't touch to /etc/profile and instead use /etc/profile.d/evolinux.sh --- evolinux-base/tasks/system.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/evolinux-base/tasks/system.yml b/evolinux-base/tasks/system.yml index 732f52db..cd7eaaad 100644 --- a/evolinux-base/tasks/system.yml +++ b/evolinux-base/tasks/system.yml @@ -76,8 +76,9 @@ - name: Setting TMOUT to deconnect inactive users lineinfile: - dest: /etc/profile + dest: /etc/profile.d/evolinux.sh line: "export TMOUT=36000" + create: yes state: present when: evolinux_system_dirmode_adduser From 12b5d9a97ab933ae71fee965fe762bdbf5948004 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Tue, 11 Jul 2017 00:42:38 +0200 Subject: [PATCH 025/277] Fix #2207 : set -L 15 for Cron --- evolinux-base/defaults/main.yml | 5 +++++ evolinux-base/tasks/system.yml | 16 ++++++++++++---- 2 files changed, 17 insertions(+), 4 deletions(-) diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index 26428674..71a980e4 100644 --- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml @@ -81,6 +81,11 @@ evolinux_system_timezone: "Europe/Paris" evolinux_system_vim_default: True evolinux_system_profile: True evolinux_system_dirmode_adduser: True +evolinux_system_restrict_securetty: False +evolinux_system_set_timeout: True +evolinux_system_cron_verboselog: True +evolinux_system_cron_umask: True +evolinux_system_cron_random: True evolinux_system_alert5_init: True evolinux_system_alert5_enable: True evolinux_system_eni_auto: True diff --git a/evolinux-base/tasks/system.yml b/evolinux-base/tasks/system.yml index cd7eaaad..78dc09f7 100644 --- a/evolinux-base/tasks/system.yml +++ b/evolinux-base/tasks/system.yml @@ -72,7 +72,7 @@ line: "tty2" create: yes state: present - when: evolinux_system_dirmode_adduser + when: evolinux_system_restrict_securetty - name: Setting TMOUT to deconnect inactive users lineinfile: @@ -80,17 +80,25 @@ line: "export TMOUT=36000" create: yes state: present - when: evolinux_system_dirmode_adduser + when: evolinux_system_set_timeout #- name: Customizing /etc/fstab +- name: Set verbose logging for cron deamon + lineinfile: + dest: /etc/default/cron + line: "EXTRA_OPTS='-L 15'" + create: yes + state: present + when: evolinux_system_cron_verboselog + - name: Modify default umask for cron deamon lineinfile: dest: /etc/default/cron line: "umask 022" create: yes state: present - when: evolinux_system_dirmode_adduser + when: evolinux_system_cron_umask - name: Randomize periodic crontabs replace: @@ -103,7 +111,7 @@ - {regexp: '^25\s*6((\s*\*){3})', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1', backup: "no"} - {regexp: '^47\s*6((\s*\*){2}\s*7)', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1', backup: "no"} - {regexp: '^52\s*6(\s*1(\s*\*){2})', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1', backup: "no"} - when: evolinux_system_dirmode_adduser + when: evolinux_system_cron_random # NTP server address From 1cdbcaa5fb4dbc6ca2467790d44682e8d01198a5 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 11 Jul 2017 18:40:05 +0200 Subject: [PATCH 026/277] Install packages for Stretch and later --- evolinux-base/defaults/main.yml | 1 + evolinux-base/tasks/packages.yml | 10 ++++++++++ 2 files changed, 11 insertions(+) diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index 71a980e4..38097e6f 100644 --- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml @@ -65,6 +65,7 @@ evolinux_packages_system: True evolinux_packages_diagnostic: True evolinux_packages_hardware: True evolinux_packages_common: True +evolinux_packages_stretch: True evolinux_packages_serveur_base: True evolinux_packages_invalid_mta: True evolinux_packages_delete_nfs: True diff --git a/evolinux-base/tasks/packages.yml b/evolinux-base/tasks/packages.yml index 8ce7b640..51bed262 100644 --- a/evolinux-base/tasks/packages.yml +++ b/evolinux-base/tasks/packages.yml @@ -63,6 +63,16 @@ allow_unauthenticated: yes when: evolinux_packages_serveur_base +- name: Install/Update packages for Stretch and later + apt: + name: "{{ item }}" + with_items: + - net-tools + when: + - evolinux_packages_stretch + - ansible_distribution == "Debian" + - ansible_distribution_major_version | version_compare('9', '>=') + - name: Customize logcheck recipient lineinfile: dest: /etc/logcheck/logcheck.conf From 6514f64a1fbae0c61b26d388ff559176568168db Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 12 Jul 2017 09:34:46 +0200 Subject: [PATCH 027/277] Better english --- evolinux-base/tasks/system.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evolinux-base/tasks/system.yml b/evolinux-base/tasks/system.yml index 78dc09f7..899aebb8 100644 --- a/evolinux-base/tasks/system.yml +++ b/evolinux-base/tasks/system.yml @@ -74,7 +74,7 @@ state: present when: evolinux_system_restrict_securetty -- name: Setting TMOUT to deconnect inactive users +- name: Setting TMOUT to disconnect inactive users lineinfile: dest: /etc/profile.d/evolinux.sh line: "export TMOUT=36000" From a318e6065c39de3a87b94ec8e5d1028f942858c7 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 12 Jul 2017 10:15:47 +0200 Subject: [PATCH 028/277] Disable new vim defaults --- evolinux-base/defaults/main.yml | 3 ++- evolinux-base/tasks/system.yml | 9 ++++++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index 38097e6f..6ac368fe 100644 --- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml @@ -79,7 +79,8 @@ evolinux_system_include: True evolinux_system_chmod_tmp: True evolinux_system_locales: True evolinux_system_timezone: "Europe/Paris" -evolinux_system_vim_default: True +evolinux_system_vim_skip_defaults: true +evolinux_system_vim_default_editor: True evolinux_system_profile: True evolinux_system_dirmode_adduser: True evolinux_system_restrict_securetty: False diff --git a/evolinux-base/tasks/system.yml b/evolinux-base/tasks/system.yml index 899aebb8..28f0c82d 100644 --- a/evolinux-base/tasks/system.yml +++ b/evolinux-base/tasks/system.yml @@ -43,11 +43,18 @@ - include: remount_usr_rw.yml +- name: Ensure automagic vim conf is disabled + lineinfile: + dest: /etc/vim/vimrc + regexp: 'let g:skip_defaults_vim =' + line: 'let g:skip_defaults_vim = 1' + when: evolinux_system_vim_skip_defaults + - name: Setting vim as default editor alternatives: name: editor path: /usr/bin/vim.basic - when: evolinux_system_vim_default + when: evolinux_system_vim_default_editor - name: Add "umask 027" to /etc/profile.d/evolinux.sh lineinfile: From ce37282feb528af45bf0b595cab33e0ebe397630 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 12 Jul 2017 10:23:21 +0200 Subject: [PATCH 029/277] Effectively change the timezone --- evolinux-base/handlers/main.yml | 4 ++++ evolinux-base/tasks/system.yml | 19 +++++++------------ 2 files changed, 11 insertions(+), 12 deletions(-) diff --git a/evolinux-base/handlers/main.yml b/evolinux-base/handlers/main.yml index dccd6e9f..3458490c 100644 --- a/evolinux-base/handlers/main.yml +++ b/evolinux-base/handlers/main.yml @@ -52,6 +52,10 @@ name: apache2 state: reloaded +- name: restart cron + service: + name: cron + state: restarted - name: newaliases command: newaliases diff --git a/evolinux-base/tasks/system.yml b/evolinux-base/tasks/system.yml index 28f0c82d..f8eb62e8 100644 --- a/evolinux-base/tasks/system.yml +++ b/evolinux-base/tasks/system.yml @@ -25,19 +25,11 @@ when: evolinux_system_locales and default_locales | changed - name: Setting default timezone - lineinfile: - dest: /etc/timezone - regexp: '^\w+/\w+$' - line: "{{ evolinux_system_timezone | mandatory }}" - insertbefore: BOF - create: yes - register: change_timezone + timezone: + name: "{{ evolinux_system_timezone | mandatory }}" + notify: restart cron when: evolinux_system_timezone != False -- name: Reconfigure tzdata - command: dpkg-reconfigure --frontend noninteractive tzdata - when: evolinux_system_timezone != False and change_timezone | changed - # TODO : find a way to force the console-data configuration # non-interactively (like tzdata ↑) @@ -48,7 +40,10 @@ dest: /etc/vim/vimrc regexp: 'let g:skip_defaults_vim =' line: 'let g:skip_defaults_vim = 1' - when: evolinux_system_vim_skip_defaults + when: + - evolinux_system_vim_skip_defaults + - ansible_distribution == "Debian" + - ansible_distribution_major_version | version_compare('9.0', '>=') - name: Setting vim as default editor alternatives: From e23edbd5f491d67b0546c04bac21fd0ffe77e2fe Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 12 Jul 2017 10:24:09 +0200 Subject: [PATCH 030/277] this have nothing to do in the previous commit --- evolinux-base/tasks/system.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/evolinux-base/tasks/system.yml b/evolinux-base/tasks/system.yml index f8eb62e8..35396688 100644 --- a/evolinux-base/tasks/system.yml +++ b/evolinux-base/tasks/system.yml @@ -40,10 +40,7 @@ dest: /etc/vim/vimrc regexp: 'let g:skip_defaults_vim =' line: 'let g:skip_defaults_vim = 1' - when: - - evolinux_system_vim_skip_defaults - - ansible_distribution == "Debian" - - ansible_distribution_major_version | version_compare('9.0', '>=') + when: evolinux_system_vim_skip_defaults - name: Setting vim as default editor alternatives: From eedeab6be2112203e3ab8cccb629ba69a4963087 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Wed, 12 Jul 2017 10:55:50 +0200 Subject: [PATCH 031/277] tomcat-instance: possibility to surcharge java path --- tomcat-instance/defaults/main.yml | 1 + tomcat-instance/templates/env.j2 | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/tomcat-instance/defaults/main.yml b/tomcat-instance/defaults/main.yml index 0f6c7735..6a2ec877 100644 --- a/tomcat-instance/defaults/main.yml +++ b/tomcat-instance/defaults/main.yml @@ -1,4 +1,5 @@ --- +tomcat_instance_java_path: '/usr/lib/jvm/java-7-openjdk-amd64' tomcat_instance_root: '/srv/tomcat' tomcat_instance_shutdown: "{{ tomcat_instance_port | int + 1 }}" tomcat_instance_mps: 256 diff --git a/tomcat-instance/templates/env.j2 b/tomcat-instance/templates/env.j2 index a2e329c8..ea4920f7 100644 --- a/tomcat-instance/templates/env.j2 +++ b/tomcat-instance/templates/env.j2 @@ -2,5 +2,5 @@ # Xmx Max memory allocated to instance. # Xms Allocated memory at startup. # XX:MaxPermSize Memory allocated to internal objects. -JAVA_HOME="/usr/lib/jvm/java-1.7.0-openjdk-amd64" +JAVA_HOME="{{ tomcat_instance_java_path }}" JAVA_OPTS="-server -Xmx{{ tomcat_instance_ram }}m -Xms{{ tomcat_instance_ram }}m -XX:MaxPermSize={{ tomcat_instance_mps }}m -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:+CMSPermGenSweepingEnabled -XX:+CMSClassUnloadingEnabled -Xverify:none" From 0c5117dd4eabbdc865f9339f20ee0190fbb4f2ad Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 12 Jul 2017 12:10:14 +0200 Subject: [PATCH 032/277] Jenkins: the repository key is stored locally --- jenkins/files/jenkins.key | 144 ++++++++++++++++++++++++++++++++++++++ jenkins/tasks/main.yml | 3 +- 2 files changed, 146 insertions(+), 1 deletion(-) create mode 100644 jenkins/files/jenkins.key diff --git a/jenkins/files/jenkins.key b/jenkins/files/jenkins.key new file mode 100644 index 00000000..bab880e5 --- /dev/null +++ b/jenkins/files/jenkins.key @@ -0,0 +1,144 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1 + +mQGiBEmFQG0RBACXScOxb6BTV6rQE/tcJopAEWsdvmE0jNIRWjDDzB7HovX6Anrq +n7+Vq4spAReSFbBVaYiiOx2cGDymj2dyx2i9NAI/9/cQXJOU+RPdDzHVlO1Edksp +5rKn0cGPWY5sLxRf8s/tO5oyKgwCVgTaB5a8gBHaoGms3nNC4YYf+lqlpwCgjbti +3u1iMIx6Rs+dG0+xw1oi5FUD/2tLJMx7vCUQHhPRupeYFPoD8vWpcbGb5nHfHi4U +8/x4qZspAIwvXtGw0UBHildGpqe9onp22Syadn/7JgMWhHoFw5Ke/rTMlxREL7pa +TiXuagD2G84tjJ66oJP1FigslJzrnG61y85V7THL61OFqDg6IOP4onbsdqHby4VD +zZj9A/9uQxIn5250AGLNpARStAcNPJNJbHOQuv0iF3vnG8uO7/oscB0TYb8/juxr +hs9GdSN0U0BxENR+8KWy5lttpqLMKlKRknQYy34UstQiyFgAQ9Epncu9uIbVDgWt +y7utnqXN033EyYkcWx5EhLAgHkC7wSzeSWABV3JSXN7CeeOif7QiS29oc3VrZSBL +YXdhZ3VjaGkgPGtrQGtvaHN1a2Uub3JnPohjBBMRAgAjAhsDBgsJCAcDAgQVAggD +BBYCAwECHgECF4AFAko/7vYCGQEACgkQm30y8tUFguabhgCgi54IQR4rpJZ/uUHe +ZB879zUWTQwAniQDBO+Zly7Fsvm0Mcvqvl02UzxCiGAEExECACAFAkmFQG0CGwMG +CwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRCbfTLy1QWC5qtXAJ9hPRisOhkexWXJ +nXQMl9cOTvm4LgCdGint1TONoZ2I4JtOiFzOmeP3ju3RzcvNyQEQAAEBAAAAAAAA +AAAAAAAA/9j/4AAQSkZJRgABAQEAYABgAAD/4QBgRXhpZgAASUkqAAgAAAAEADEB +AgAZAAAAPgAAABBRAQABAAAAAUOQABFRBAABAAAAEgsAABJRBAABAAAAEgsAAAAA +AABNYWNyb21lZGlhIEZpcmV3b3JrcyA0LjAAAP/bAEMACAYGBwYFCAcHBwkJCAoM +FA0MCwsMGRITDxQdGh8eHRocHCAkLicgIiwjHBwoNyksMDE0NDQfJzk9ODI8LjM0 +Mv/bAEMBCQkJDAsMGA0NGDIhHCEyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy +MjIyMjIyMjIyMjIyMjIyMjIyMjIyMv/AABEIAK4AlgMBIgACEQEDEQH/xAAfAAAB +BQEBAQEBAQAAAAAAAAAAAQIDBAUGBwgJCgv/xAC1EAACAQMDAgQDBQUEBAAAAX0B +AgMABBEFEiExQQYTUWEHInEUMoGRoQgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygp +KjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5eoOEhYaHiImK +kpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4eLj +5OXm5+jp6vHy8/T19vf4+fr/xAAfAQADAQEBAQEBAQEBAAAAAAAAAQIDBAUGBwgJ +Cgv/xAC1EQACAQIEBAMEBwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIygQgUQpGh +scEJIzNS8BVictEKFiQ04SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZ +WmNkZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1 +tre4ubrCw8TFxsfIycrS09TV1tfY2dri4+Tl5ufo6ery8/T19vf4+fr/2gAMAwEA +AhEDEQA/APcBI/8Afb86XzH/AL7fnUYpwqRknmN/fP50u9v7x/OmCgUASb2/vH86 +Xe394/nTBS0AP3t/eP50u4+p/OmUopgO3H1NO3H1NR5xThQA7cfWlyfU0ylFMQ/J +9aXPvTKdQAuaM0lLQAtJmiigAzRSdqKAKApwpopc1mUOpRSUopgKKWkFLQAueKzr +zXbCwk2Tzxq3cFwK8v8Aih8V30aaTQ9DKtegYnuTyIvZR3b+VfP1/q17fzvLc3Ms +sjHJZ2JJNGr2HZdT6j8U/FbR/DcKsM3VxLkpGh6AetcI37Ql4Zcx6LAYx2aUgmvD +1ju7obgJHA7nmmmG4TqjDHtS+ZXL1sfVPhT4yeH/ABFNHaXYbS71zhVnYGNz6B+n +4HFejK2RmvhJJSDiTj6ivYvht8XptE8rSPEEklxpxwkFyTue39j6p+op3a3Javsf +RuacDVaC4juIUmhkWSKRQyspyGB7ipgasgfmlpoNLmgBaKSigBaKM0UAUBS0lKKz +KFFLSUooAdWR4o1qLw/4bvtSmZVEMRK57t2H51rCvJPj7etD4WsbQMQJ7jkDuFBN +D2GlqfP13dS3k89zM5eaZy7sTySTWvovhw3JWWdcqeQtUNGsWvtQRMfIvJr0u0t1 +hjUKOnpXFi8Q6a5Y7npYLDqfvyILXQolRVWMdOwp1x4cjYH5QPwrftQcDippFavM +UpvW569ktLHnOp+FFaNiijcOlcfcW8tlN5UgI+tezXEeSeM5rmtf0OK/tSVUCVOV +Irsw+KlF8s9jhxWFjNc0dzpfgh49MV1/wimozExyndYOx+6/eP6HqPcEd697Vq+I +baWbTb+G5hJWe3lWVCDj5lOf6V9naTqUeraRZ6jEMR3UKTKM9NwzivXj2PDmrM1A +1PqBTUoNMlDqKSloAKKOpopAUacKbS1mWOFKKbS0xC14p+0Gw+z6Ihb+ORsfgK9r +rxT9oO3X7Ho1zn5vMePHrxn+lJjW55t4QgZbOe7CbmJ2IPU10sltriIDaSW7ORlg +44HsKz/BCbtFyBysjVdvo9bcTNDMyEFfKCEDdzzknpx04NeVUles9vme3Rjairdu +hoaXqOqwt5Wo2cSjoHRuv4VuTXKCAuBzjoa5myW9SKJLmVpH25lLEEBs9sVuTgGw +BGN3f3rOU7SaOqEW43Me7l1a8l225SCL+9tyajfT7lHS4SdmkH+sVujj+lQakuo3 +ELC0uGjkBwqh9qlceuM5z/L3q1p9nfwyqzzs8WxQVkOTuxycjsT2q7+7e6MXH3mr +M898QWgtNbmVeEcbwK+l/hdK7/DXQjI+4iAgH0AY4FfO/jWMx6+oxx5QP619B/Cx +Wj+G2i7twzExww7bzj8K9bDO8UeJitJv1O5U1Mp4qshqdTW7RzpklLmmg0tSULmi +kopAU6WkFFZlDqWm0tMQteX/ABe8MXPiBLCSN1SODcq5H8bY5+mB+teoVi+KbQ3e +gXAU4dPnB9MVFS/I+Xc0pNKa5tjw/wAJ2L6fpbWsw2zRzOsg9wa6RIlk6Diszy5L +a5kYksJTuyfWrUN2xbArxpyUpczPoKS5VyiXKQwHoBk/mamID2AIFZ89w6SlvKSV +ugDNjFK2p3It/L8uIAc//WpRhd3RtKaSs2WLNIpQeAcGrjosYIFZVvcPLIr7Fibo +Qpzmp5rp/N24prTQmT0uYOv6LDrWt2avIIkSJjI3qMjAHuTmveNEsU0rRbGwjPyW +0CRr9AK8k0y0S81yMMAzllQL3xnnAr2cdfavXwLbT8jwcwsmrbssoamU8VXQ1Otd +jOBEoNOBqMGnA1BY6ikHNFAypS0lLWRQtFFApgLTJoknheKQZRwVYe1OopiPO/GP +hq202xgu7RX+VishZs9a4pmaMtsGSRkAV7Xq9gupaXPasPvr8v17V4jKHt7qS3k4 +kjYqa8vF0lCSaWh6uDrOSab1KAuLia9a2CJCQu7zLhgoI9q2f+Ecv2h877XZbTuB +Ikz0x/jVK4RZVAdckDg1QfEY8kW6EeoYgH6jOKwi0z0emkrfK5LcyXNpex2YEVyz +ruEkD5Cj1NX1Lbt0hyVHP1qpbxiFCyqN5HYYAq/pcH2/WbSyLcSyAMfbqaduaSij +KpJRTdz03w3p0dpo1m7RL57JvLFRuG7nr16YrdWolAHAGB2qVa+hjFRioo+YlJyk +5MnSp1NQpUopMESCnA+tMFOBqS0Oz6UUlFIZWopKXNZFi0UlFMQuaM0maM0wOU8Z +/ELRfA8UQ1Ayz3kw3RWkABcrnG4k8KPr17CvIbjWR4lSXXbW2Nv5srHyS+4gA9Cc +DNYfxfl+1fEbVCsm8xFI+T0wo4/CrHg9kt9OFm88TyffwrA43DOPw71y4xfuk13O +zBfxGn2NWDU4ZFXLbXHDKamN7a7cfLn3qCWyt2nKyxAj3FLJo9hFGH8sNu5HJrzo +2PTbkupHPqcafLHlnPCqKu6VqMfhy4h1nUEkdIDvdIwC2MYwM455rMW502wlzLLD +Cq+p5P4dax9e8S2N5aSWtuXcOMFsYH61vSpzlNOKMKs4qLUme6+EvHWk+MRcLp6X +EUtuAzxzqAcHjIwTmuqQ185/CTXo9J8XRW0iqsF+v2bcxxtbOVOfcjH419EqcHBr +3FqeDJWZbQ1KDVeNqmBqWCJRTs1GDTgakseKKQc0UgK1LTaq6lqljo9g99qV3Fa2 +qfellbAz6DuT7DmsjQuU15FiiaWR1SNBlndgFUe5PSvGfEfx02s8HhzTwR0F3eDr +7rGP/Zj+FeU674u1zxE5bVtUuLlc5ETNiNfogwo/KrUWFj37xF8YfC+hiSK1mfVb +tePLtf8AVg+8h4/LNeSa/wDGHxRrcjpb3Q0u3OcRWZ2nHu5+Y/p9K89Z9x5ppOM8 +1SihXHTTyO7NIzO7MWZmOSxPUk+tQrKyNuUkEdwcGnFs8EVGV9Kom5YGoXqtuW7n +B9fMNPOrag67Wvbgr6eYap4OelA5qeSPYrnl3Jg7McsxJ9SakTrzUCg+1SgqgyTm +rJLkbjII6e9dfp/xR8VaciLFqjTxxAKI7pFkBHuTz+tcL5xI9AeAKcpGSSe1Az37 +wx8adPv3S3122FjKeBPES8R+o6r+tepWl7b3tulxazxTwvyskbBlP4ivjASAnA4r +Z0DxVrHh2787TL+WDP3kzlG+qng0XFyo+wlfIp4NeN+FfjbaXs0dp4gt1tGPH2uH +Jjz/ALS9R9RmvWra6huoEnt5o5oXGUkjYMrD2IpE2aLgoqMOMUUWC5ka/rVv4e0K +71W5G6O3QsEBwXboFH1OK+WPE3irVfE2pNeapcM7ZPlxA4jhX+6i9h+p71698dNZ ++z6Np+ko3zXMpmkH+yvA/U/pXgcz7k9x/KogtDR6DXmJ71EXOKYTzSE5qybi7uaU +mmd6UcimITPNKDmmnrQKAJM8Ck3egpuaQUAPBJ6k4ozknjimk9qB0oGO3E04NUYp +aQEu/wBqXOFAPeohyQKV25NMCdJDng103hjxnq/hm7WTTrp1jJy8LHMb/Vf8muU+ +6g9TThIUGB1Pf0osNM+wPCnie18U6HHqNspjbOyaInJjcdR7jnINFeY/APUUJ1jS +pZVQER3K7jjn7rf+y0U1YiWj0OW+NmoG68dvbhsrawIgHoTyf515qzbth9eDXQ+P +NQOo+NNUus5DzED6Dj+lc0DnI9DmohsXLcaTQOaG6n60CqJEpVpM0A80ADDmkpzd +RSUALRRRQACiijvQAtFJRmgY9B3po5b605DhGNN70CHu2CT+ApEwX5+ppG5AP1pM +4GB1PWmBraZez2rvJBM8TMMEocHFFVLViFOKKm1y0xb9zNI0pJLFiT+PNUlPz5NW +Jm+/9RVYjGPenYlisMufrSE05vu5qOgQtA60dqB1oAe3QU2nN0plAC0tJSjrQAlL +miigAptL0pO9AEi8RfU0mM8560H/AFaikzx+NMBxx0H40zOeaU8KffikHSgCxC+y +LPqaKYeAq+gooHc//9mIYAQTEQIAIAUCSj/3IAIbAwYLCQgHAwIEFQIIAwQWAgMB +Ah4BAheAAAoJEJt9MvLVBYLmt2sAnRUJQoS4J/5+LW+Iy3tUYMTsR8aLAJ9gp9qD +YbGfdcFG+HeSbh/PEwrqbLQzS29oc3VrZSBLYXdhZ3VjaGkgPGtvaHN1a2Uua2F3 +YWd1Y2hpQGNsb3VkYmVlcy5jb20+iGIEExECACIFAk0GnroCGwMGCwkIBwMCBhUI +AgkKCwQWAgMBAh4BAheAAAoJEJt9MvLVBYLmfugAnRb1qac6CqRaNUhHbzd1m/5S +niNzAJ9NJUC2Fjk7uEyvQ5bDJ+hAFbkQVLQpS29oc3VrZSBLYXdhZ3VjaGkgPGtv +aHN1a2VAY2xvdWRiZWVzLmNvbT6IYgQTEQIAIgUCVh045AIbAwYLCQgHAwIGFQgC +CQoLBBYCAwECHgECF4AACgkQm30y8tUFguZVLgCdElQ2ydLBp33/9SFyVEz3cFMk +0DkAn2qWsQlPT549lAqeSnkhCOcGJAx0tCxLb2hzdWtlIEthd2FndWNoaSA8a2th +d2FndWNoaUBjbG91ZGJlZXMuY29tPohiBBMRAgAiBQJWHTjzAhsDBgsJCAcDAgYV +CAIJCgsEFgIDAQIeAQIXgAAKCRCbfTLy1QWC5sMTAKCA5kH0uH0x0HoTuxjrU740 +pU/53gCfaFWE6s7nBFMkJ3RyxjtZBGnY2Jm5Ag0ESYVAbRAIAOoBdaCKKzjKL3qi +zdBmYrnzT2iONNOeUgKBvO2tPnlwxVMMFz1Kd7JFCULRxL4zXPgOjqWPzWw0l0mI +E+pNhgDX57FMW+znMLE8icM/eG+pfEdM/XjZc3WF3O3ndHuyafw7TDI75EIFRvjh +702S6y8F3lQ/cl7jj2GelcnhY7dxUwWbiCHGzsRGWkCLk1MSxVV0zx2odtkm2TyB +vN0AcfTJuIBeZbIsUZkO64qIUCSqb9aV53uJ3o35w/HXTt3AFyXA/HN8RgoSonVg +MMegOXJ/HjTXbLXnd7mwbJqH8g8Fiussx8b5aaLCvmcJfS2bA5zK6S4T3iFvMkJf +bAF1tYsAAwYIALOXdy4ziUa3/CvmWIziCi1elkCilj4SdssgG44cVddHsefICBJP +WMf8BRtp+8+PIOESQUPJQ/Xhe0c0gCqw3VSm7Jhsz3Rsw8BZcnGtrMyxIX5O/nIj +EeLLhxzWmOiocDaTCogYeZPFjM485LX1lZAC16+hMTqkIBGmFjR3OmxwJZpcaz9m +o0CGMv3pYthXU6hS372ZOc5yzpW7FrGnbA3ZLkMrVL2B0jFYRzzAxQ+JB7wJiTQ7 +JJ05EhuUyzdsaoMWgzkdwEBk/ViVeK08fachG/QO05AYxA4KSpRaZC5ABSApX5g7 +zqU7hLsSFMRP8Y+xBvo/t5+b8KzzBur/DIiISQQYEQIACQUCSYVAbQIbDAAKCRCb +fTLy1QWC5raYAJ4k0FbiycMLg7OMpTpBPfzr8YD2ywCfe8vNLCfw3XG/kyKFYavm +RXO9oTa5Ag0EWBjgRgEQALze0WQartDG4x1DaOpqKLAol9pfxSX+O88Nafw9dDdV +v80CD7Q66p6X5o1TOOqEAqsI/dUFzDoZzW/EBN5TVKdNhV55WsIbvFJnJ9ccQ1yk +fCYVQAH/eCIdM8dujAOZLjKSapz/wBdFbbOffvz7GLmsjn1wCruZfIOcaIcfaUfY +QWsafzwU9VsRLSDrbwpylQJkvblfeb+ohQ/AYlVJmD1HcKF81AajgxbTUDCBxslY +4kL6FmqqfLJDWXyg0aG7UEbP3ye7/61qrsKR0g84BHYgkLzQkdgsAGAMo3HvQzss +BAqhZy2QSWKZCe6OQuIEzL01oTWJOWJYAoak9pSkjuFDsRbFRHC4YiaCIvwFHA8C +3nCaa/jAXQ/NrBFyc1TsrDdxiXi6cEgER9WichpQaD/NCKGGHbEzzHow1Ni+pABq +1leoVAfAEw8OwRYEftfoAQ5O8VdWe754xK2I5wFWjGKM0IHruEqnRgbWXL9Vy6Cv +NTrQIoJbVuO/kQWH4jZ63TzsBnxHzdnRSuCNGXnuneIju8+wr33y+r914cNziCHm +Tt0UsyTcf7xfzVB++obS0sCyklDIy+1EEzLePkUYl7Ebkst5tKgbVRNyH1niKRwX +xoyowmIRznO79l46u9JMdlt9VO9oo+yR9DqMgNqUnc9Z+rt8EyUam87838FfF+OF +ABEBAAGJAmgEGBECAAkFAlgY4EYCGwICKQkQm30y8tUFgubBXSAEGQECAAYFAlgY +4EYACgkQlHo/RMJzQlXPTg//UpZd7vx0wNm6dPSUc9Agw5tQU5oCR4BUaDOBFDfb +nKPNa8JQPVdH6lrt1Zaqc9Uka+l1eVK8SZiujohr3bCyal+5ParAdVbTt08pvh5d +3YllLIKKad82Qy6WsUlAQmUpba+Fn5naXdd8WDN03J7LVOqYCQUWZu65r5oqmv8B +eh+vcZO5ozEt/Huy+ruCsdb0WavbgI5+Pj6sKJtKBo5WwZzbDpbPUEUd3/T5zFbJ +G/XDk77qfBP4DKC96tphzGp6EaEtrZ9Qto8AisCYGvhDptYqXqZm4J1mJj/SI+4C +/1kVY0EEf4ySLy4/8f91h/jzcEliQNnmNZWgUTmP/nyUS+iLqUa4NmhdO45NYBfJ +PZyviHsFxJhYppiPt32n5FpGrXM8fWaQsA+aKOL2D+AWeC8W/pPmDurLbYA1yRk7 +T7E1llz4wDf53CumQGtT4gKwmUdGbwp0TNZKggv+/6auOMoBVjvWCRM0erxR+fAL +FKruuoXjQ69I2bTiZfoSHtDxqa+YMnNqqFOZdyJsH13Fx/Ma3k0EVI4uOuX5RoJ8 +BN3SAkBSiZu/yRf9XF/ikKvrb3YcaPaUgRPVP3EweJJx98whWxPmgSbv/GvQCQa7 +GyvwvqvWuiw+kgl4RlCGvL354zQwSoD+li+ZgnuhzRlSnj962O2cobvY+UzW1fiO +vTrGzQCgg7/WrciTjK8wtd8e/E26mU1agOMAniYHo/aFmpsSFfNp4n419EI+mCXU +=fBn8 +-----END PGP PUBLIC KEY BLOCK----- diff --git a/jenkins/tasks/main.yml b/jenkins/tasks/main.yml index 03daa2ed..734b8a91 100644 --- a/jenkins/tasks/main.yml +++ b/jenkins/tasks/main.yml @@ -1,7 +1,8 @@ --- - name: Add jenkins GPG key apt_key: - url: https://jenkins-ci.org/debian/jenkins-ci.org.key + # url: https://jenkins-ci.org/debian/jenkins-ci.org.key + data: "{{ lookup('file', 'jenkins.key') }}" - name: Check if Squid is present stat: From bc99227259f9a85c9b457a15d16636ebf99740b5 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 12 Jul 2017 12:17:33 +0200 Subject: [PATCH 033/277] Better squid/squid3 whitelist and reload --- evoacme/handlers/main.yml | 5 +++++ evoacme/tasks/certbot.yml | 19 +++++++++++++------ jenkins/handlers/main.yml | 8 ++++++-- jenkins/tasks/main.yml | 25 +++++++++++++++++-------- mongodb/tasks/main.yml | 25 +++++++++++++++++-------- newrelic-sources/handlers/main.yml | 7 ++++++- newrelic-sources/tasks/main.yml | 20 ++++++++++++++++++-- squid/defaults/main.yml | 2 ++ 8 files changed, 84 insertions(+), 27 deletions(-) diff --git a/evoacme/handlers/main.yml b/evoacme/handlers/main.yml index abaa8099..1ea11783 100644 --- a/evoacme/handlers/main.yml +++ b/evoacme/handlers/main.yml @@ -18,3 +18,8 @@ service: name: squid3 state: reloaded + +- name: reload squid + service: + name: squid + state: reloaded diff --git a/evoacme/tasks/certbot.yml b/evoacme/tasks/certbot.yml index 1677a22f..b076f61f 100644 --- a/evoacme/tasks/certbot.yml +++ b/evoacme/tasks/certbot.yml @@ -53,17 +53,24 @@ dest: /etc/cron.daily/certbot mode: "0755" -- name: Find squid3 config whitelist - shell: find /etc/squid3/whitelist-custom.conf /etc/squid3/whitelist.conf 2> /dev/null +- name: Find squid config whitelist + shell: find /etc/squid/whitelist-custom.conf /etc/squid3/whitelist-custom.conf /etc/squid/whitelist.conf /etc/squid3/whitelist.conf 2> /dev/null failed_when: false changed_when: false check_mode: no - register: squid3_whitelist_files + register: squid_whitelist_files + +- name: set squid_service_name=squid3 for Debian < 9 + set_fact: + squid_service_name: squid3 + when: + - ansible_distribution == "Debian" + - ansible_distribution_major_version | version_compare('9', '<') - name: Let's Encrypt OCSP server is authorized by squid lineinfile: - dest: "{{ squid3_whitelist_files.stdout_lines | first }}" + dest: "{{ squid_whitelist_files.stdout_lines | first }}" line: "http://.*.letsencrypt.org/.*" state: present - notify: reload squid3 - when: squid3_whitelist_files.stdout != "" + notify: "reload {{ squid_service_name | default('squid') }}" + when: squid_whitelist_files.stdout != "" diff --git a/jenkins/handlers/main.yml b/jenkins/handlers/main.yml index 58b03f3f..b7d269cf 100644 --- a/jenkins/handlers/main.yml +++ b/jenkins/handlers/main.yml @@ -1,5 +1,10 @@ --- -- name: Reload Squid +- name: reload squid + service: + name: squid + state: reloaded + +- name: reload squid3 service: name: squid3 state: reloaded @@ -8,4 +13,3 @@ service: name: jenkins state: restarted - diff --git a/jenkins/tasks/main.yml b/jenkins/tasks/main.yml index 734b8a91..70f6771d 100644 --- a/jenkins/tasks/main.yml +++ b/jenkins/tasks/main.yml @@ -4,23 +4,32 @@ # url: https://jenkins-ci.org/debian/jenkins-ci.org.key data: "{{ lookup('file', 'jenkins.key') }}" -- name: Check if Squid is present - stat: - path: /etc/squid3/whitelist-custom.conf - register: _squid3_whitelist +- name: Find squid config whitelist + shell: find /etc/squid/whitelist-custom.conf /etc/squid3/whitelist-custom.conf /etc/squid/whitelist.conf /etc/squid3/whitelist.conf 2> /dev/null + failed_when: false + changed_when: false check_mode: no + register: squid_whitelist_files -- name: Append jenkins repositories to Squid whitelist +- name: set squid_service_name=squid3 for Debian < 9 + set_fact: + squid_service_name: squid3 + when: + - ansible_distribution == "Debian" + - ansible_distribution_major_version | version_compare('9', '<') + +- name: Append packages.dotdeb.org to Squid whitelist lineinfile: - name: /etc/squid3/whitelist-custom.conf + dest: "{{ squid_whitelist_files.stdout_lines | first }}" line: "{{ item }}" + state: present with_items: - "http://pkg.jenkins-ci.org/.*" - "http://mirrors.jenkins.io/.*" - "http://jenkins.mirror.isppower.de/.*" - "http://ftp.icm.edu.pl/.*" - notify: Reload Squid - when: _squid3_whitelist.stat.exists + notify: "reload {{ squid_service_name | default('squid') }}" + when: squid_whitelist_files.stdout != "" - meta: flush_handlers diff --git a/mongodb/tasks/main.yml b/mongodb/tasks/main.yml index f3c0c244..f659df2d 100644 --- a/mongodb/tasks/main.yml +++ b/mongodb/tasks/main.yml @@ -1,21 +1,30 @@ --- # tasks file for mongodb -- name: Check if Squid is present - stat: - path: /etc/squid3/whitelist-custom.conf - register: _squid3_whitelist +- name: Find squid config whitelist + shell: find /etc/squid/whitelist-custom.conf /etc/squid3/whitelist-custom.conf /etc/squid/whitelist.conf /etc/squid3/whitelist.conf 2> /dev/null + failed_when: false + changed_when: false check_mode: no + register: squid_whitelist_files -- name: add keyserver to Squid whitelist +- name: set squid_service_name=squid3 for Debian < 9 + set_fact: + squid_service_name: squid3 + when: + - ansible_distribution == "Debian" + - ansible_distribution_major_version | version_compare('9', '<') + +- name: Append packages.dotdeb.org to Squid whitelist lineinfile: - dest: /etc/squid3/whitelist-custom.conf + dest: "{{ squid_whitelist_files.stdout_lines | first }}" line: "{{ item }}" - notify: reload squid3 + state: present with_items: - "http://keyserver.ubuntu.com/.*" - "hkp://keyserver.ubuntu.com/.*" - "http://repo.mongodb.org/.*" - when: _squid3_whitelist.stat.exists + notify: "reload {{ squid_service_name | default('squid') }}" + when: squid_whitelist_files.stdout != "" - meta: flush_handlers diff --git a/newrelic-sources/handlers/main.yml b/newrelic-sources/handlers/main.yml index 0a402c8b..3e8e7d5a 100644 --- a/newrelic-sources/handlers/main.yml +++ b/newrelic-sources/handlers/main.yml @@ -1,10 +1,15 @@ --- -- name: Reload Squid +- name: reload squid3 service: name: squid3 state: reloaded +- name: reload squid + service: + name: squid + state: reloaded + - name: apt update apt: update_cache: yes diff --git a/newrelic-sources/tasks/main.yml b/newrelic-sources/tasks/main.yml index 5a8ecf6b..86b6a1d4 100644 --- a/newrelic-sources/tasks/main.yml +++ b/newrelic-sources/tasks/main.yml @@ -4,11 +4,27 @@ # url: https://download.newrelic.com/548C16BF.gpg data: "{{ lookup('file', '548C16BF.gpg') }}" +- name: Find squid config whitelist + shell: find /etc/squid/whitelist-custom.conf /etc/squid3/whitelist-custom.conf /etc/squid/whitelist.conf /etc/squid3/whitelist.conf 2> /dev/null + failed_when: false + changed_when: false + check_mode: no + register: squid_whitelist_files + +- name: set squid_service_name=squid3 for Debian < 9 + set_fact: + squid_service_name: squid3 + when: + - ansible_distribution == "Debian" + - ansible_distribution_major_version | version_compare('9', '<') + - name: Append packages.dotdeb.org to Squid whitelist lineinfile: - name: /etc/squid3/whitelist-custom.conf + dest: "{{ squid_whitelist_files.stdout_lines | first }}" line: "http://apt.newrelic.com/.*" - notify: Reload Squid + state: present + notify: "reload {{ squid_service_name | default('squid') }}" + when: squid_whitelist_files.stdout != "" - meta: flush_handlers diff --git a/squid/defaults/main.yml b/squid/defaults/main.yml index 8964de16..2f81cc43 100644 --- a/squid/defaults/main.yml +++ b/squid/defaults/main.yml @@ -4,3 +4,5 @@ log2mail_alert_email: Null squid_address: "{{ ansible_default_ipv4.address }}" squid_whitelist_items: [] + +squid_service_name: squid From a044aea42a778f1940f30cb032916079d4308a7a Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 12 Jul 2017 13:35:05 +0200 Subject: [PATCH 034/277] squid: add log_path --- squid/templates/squid.j2 | 2 +- squid/vars/Debian-jessie.yml | 1 + squid/vars/Debian-stretch.yml | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/squid/templates/squid.j2 b/squid/templates/squid.j2 index f0bafb91..c983f7ff 100644 --- a/squid/templates/squid.j2 +++ b/squid/templates/squid.j2 @@ -17,4 +17,4 @@ tcp_outgoing_address {{ squid_address }} # Logs logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh -access_log /var/log/squid3/access.log combined +access_log {{ squid_log_path }}/access.log combined diff --git a/squid/vars/Debian-jessie.yml b/squid/vars/Debian-jessie.yml index c5326e3b..91b0e615 100644 --- a/squid/vars/Debian-jessie.yml +++ b/squid/vars/Debian-jessie.yml @@ -3,3 +3,4 @@ squid_package: squid3 squid_daemon: squid3 squid_conf_path: /etc/squid3 squid_conf_file: /etc/squid3/squid.conf +squid_log_path: /var/log/squid3 diff --git a/squid/vars/Debian-stretch.yml b/squid/vars/Debian-stretch.yml index 5e455921..4ed3046e 100644 --- a/squid/vars/Debian-stretch.yml +++ b/squid/vars/Debian-stretch.yml @@ -3,3 +3,4 @@ squid_package: squid squid_daemon: squid squid_conf_path: /etc/squid squid_conf_file: /etc/squid/squid.conf +squid_log_path: /var/log/squid From 3c2656b531424a8eb8ee8830f3c7cbb6123e4026 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 12 Jul 2017 13:48:54 +0200 Subject: [PATCH 035/277] fail2ban doesn't seem to like line breaks --- fail2ban/templates/jail.local.j2 | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/fail2ban/templates/jail.local.j2 b/fail2ban/templates/jail.local.j2 index 01b83d46..63d69947 100644 --- a/fail2ban/templates/jail.local.j2 +++ b/fail2ban/templates/jail.local.j2 @@ -3,11 +3,7 @@ [DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host -ignoreip = \ -{% for ip in fail2ban_ignoreip %} -{{ ip }} \ -{% endfor %} -127.0.0.1/8 +ignoreip = {{ (['127.0.0.1/8'] + fail2ban_ignoreip) | join(' ') }} bantime = 600 maxretry = 3 From fcfea428b77ffd23daabaf99d6d855ffdfb46ebe Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Thu, 13 Jul 2017 01:18:25 +0200 Subject: [PATCH 036/277] pet commit: remove not ecessary params --- evolinux-base/tasks/system.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/evolinux-base/tasks/system.yml b/evolinux-base/tasks/system.yml index 35396688..0a3a6495 100644 --- a/evolinux-base/tasks/system.yml +++ b/evolinux-base/tasks/system.yml @@ -28,7 +28,7 @@ timezone: name: "{{ evolinux_system_timezone | mandatory }}" notify: restart cron - when: evolinux_system_timezone != False + when: evolinux_system_timezone # TODO : find a way to force the console-data configuration # non-interactively (like tzdata ↑) @@ -120,7 +120,7 @@ regexp: "^server .*$" replace: "server {{ evolinux_system_ntp_server }}" backup: yes - when: evolinux_system_ntp_server != False + when: evolinux_system_ntp_server ## alert5 From ea4ec27f08ee4bae486a53ff8016cbf365b1e432 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Thu, 13 Jul 2017 02:20:28 +0200 Subject: [PATCH 037/277] Oops, last commit was broken. I think "when: TAG" need always to be boolean, then I patch for that. --- evolinux-base/defaults/main.yml | 7 ++++++- evolinux-base/tasks/system.yml | 6 +++--- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index 6ac368fe..b3c2085b 100644 --- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml @@ -78,7 +78,10 @@ evolinux_system_include: True evolinux_system_chmod_tmp: True evolinux_system_locales: True + +evolinux_system_set_timezone: True evolinux_system_timezone: "Europe/Paris" + evolinux_system_vim_skip_defaults: true evolinux_system_vim_default_editor: True evolinux_system_profile: True @@ -91,7 +94,9 @@ evolinux_system_cron_random: True evolinux_system_alert5_init: True evolinux_system_alert5_enable: True evolinux_system_eni_auto: True -evolinux_system_ntp_server: False + +evolinux_system_set_ntpserver: True +evolinux_system_ntpserver: "ntp.evolix.net" # root diff --git a/evolinux-base/tasks/system.yml b/evolinux-base/tasks/system.yml index 0a3a6495..53ce06c2 100644 --- a/evolinux-base/tasks/system.yml +++ b/evolinux-base/tasks/system.yml @@ -28,7 +28,7 @@ timezone: name: "{{ evolinux_system_timezone | mandatory }}" notify: restart cron - when: evolinux_system_timezone + when: evolinux_system_set_timezone # TODO : find a way to force the console-data configuration # non-interactively (like tzdata ↑) @@ -118,9 +118,9 @@ replace: dest: /etc/ntp.conf regexp: "^server .*$" - replace: "server {{ evolinux_system_ntp_server }}" + replace: "server {{ evolinux_system_ntpserver }}" backup: yes - when: evolinux_system_ntp_server + when: evolinux_system_set_ntpserver ## alert5 From f78e93e0ff6cf33e9516d774bbd29ceeac0966b9 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Thu, 13 Jul 2017 02:41:12 +0200 Subject: [PATCH 038/277] we want always packages ssl-cert et ca-certificates (probably will go to serveur-base package, we will see) --- evolinux-base/tasks/default_www.yml | 4 ---- evolinux-base/tasks/packages.yml | 2 ++ 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/evolinux-base/tasks/default_www.yml b/evolinux-base/tasks/default_www.yml index b6219772..2e67eb97 100644 --- a/evolinux-base/tasks/default_www.yml +++ b/evolinux-base/tasks/default_www.yml @@ -25,10 +25,6 @@ # SSL cert - block: - - name: ssl-cert package is installed - apt: - name: ssl-cert - state: present - name: Create private key and csr for default site ({{ ansible_fqdn }}) command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "{{ evolinux_default_www_ssl_subject }}" diff --git a/evolinux-base/tasks/packages.yml b/evolinux-base/tasks/packages.yml index 51bed262..36381a2a 100644 --- a/evolinux-base/tasks/packages.yml +++ b/evolinux-base/tasks/packages.yml @@ -14,6 +14,8 @@ - apg - conntrack - logrotate + - ssl-cert + - ca-certificates when: evolinux_packages_system - name: Install/Update diagnostic tools From ec9e8d3d8b887a64b2b6cee15bbc8527a77a12c4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Thu, 13 Jul 2017 09:47:29 +0200 Subject: [PATCH 039/277] merge haproxy roles --- haproxy-backports-preferences/.kitchen.yml | 28 ------------------- haproxy-backports-preferences/README.md | 5 ---- .../handlers/main.yml | 4 --- haproxy-backports-preferences/meta/main.yml | 19 ------------- haproxy-backports-preferences/tasks/main.yml | 10 ------- haproxy-backports-preferences/tests/test.yml | 4 --- haproxy/README.md | 2 +- haproxy/defaults/main.yml | 3 ++ .../files/haproxy_apt_preferences | 0 haproxy/tasks/main.yml | 6 ++++ haproxy/tasks/packages_jessie_backports.yml | 20 +++++++++++++ 11 files changed, 30 insertions(+), 71 deletions(-) delete mode 100644 haproxy-backports-preferences/.kitchen.yml delete mode 100644 haproxy-backports-preferences/README.md delete mode 100644 haproxy-backports-preferences/handlers/main.yml delete mode 100644 haproxy-backports-preferences/meta/main.yml delete mode 100644 haproxy-backports-preferences/tasks/main.yml delete mode 100644 haproxy-backports-preferences/tests/test.yml create mode 100644 haproxy/defaults/main.yml rename haproxy-backports-preferences/files/haproxy_preferences => haproxy/files/haproxy_apt_preferences (100%) create mode 100644 haproxy/tasks/packages_jessie_backports.yml diff --git a/haproxy-backports-preferences/.kitchen.yml b/haproxy-backports-preferences/.kitchen.yml deleted file mode 100644 index b21cc3db..00000000 --- a/haproxy-backports-preferences/.kitchen.yml +++ /dev/null @@ -1,28 +0,0 @@ ---- -driver: - name: docker - privileged: true - use_sudo: false - -provisioner: - name: ansible_playbook - hosts: test-kitchen - roles_path: ../ - ansible_verbose: true - require_ansible_source: false - require_chef_for_busser: false - idempotency_test: true - -platforms: - - name: debian - driver_config: - image: evolix/ansible:2.2.1 - -suites: - - name: default - provisioner: - name: ansible_playbook - playbook: ./tests/test.yml - -transport: - max_ssh_sessions: 6 diff --git a/haproxy-backports-preferences/README.md b/haproxy-backports-preferences/README.md deleted file mode 100644 index ad4ffbf9..00000000 --- a/haproxy-backports-preferences/README.md +++ /dev/null @@ -1,5 +0,0 @@ -# haproxy-backports-preferences - -Configure APT to prefer haproxy package from jessie-backports. - -There is no variable, just a files copied to `/etc/apt/preferences.d/`. diff --git a/haproxy-backports-preferences/handlers/main.yml b/haproxy-backports-preferences/handlers/main.yml deleted file mode 100644 index e68f5c28..00000000 --- a/haproxy-backports-preferences/handlers/main.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- name: apt update - apt: - update_cache: yes diff --git a/haproxy-backports-preferences/meta/main.yml b/haproxy-backports-preferences/meta/main.yml deleted file mode 100644 index 9483c01e..00000000 --- a/haproxy-backports-preferences/meta/main.yml +++ /dev/null @@ -1,19 +0,0 @@ -galaxy_info: - author: Evolix - description: Configure APT to prefer haproxy package from jessie-backports - - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues - - license: GPLv2 - - min_ansible_version: 2.2 - - platforms: - - name: Debian - versions: - - jessie - -dependencies: [] - # List your role dependencies here, one per line. - # Be sure to remove the '[]' above if you add dependencies - # to this list. diff --git a/haproxy-backports-preferences/tasks/main.yml b/haproxy-backports-preferences/tasks/main.yml deleted file mode 100644 index 8d096541..00000000 --- a/haproxy-backports-preferences/tasks/main.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -- name: Prefer HAProxy package from jessie-backports - copy: - src: haproxy_preferences - dest: /etc/apt/preferences.d/999-haproxy - force: yes - mode: "0640" - notify: apt update - -- meta: flush_handlers diff --git a/haproxy-backports-preferences/tests/test.yml b/haproxy-backports-preferences/tests/test.yml deleted file mode 100644 index 8d667e49..00000000 --- a/haproxy-backports-preferences/tests/test.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- hosts: test-kitchen - roles: - - role: haproxy-backports-preferences diff --git a/haproxy/README.md b/haproxy/README.md index 864a9601..9f597baa 100644 --- a/haproxy/README.md +++ b/haproxy/README.md @@ -8,7 +8,7 @@ Everything is in the `tasks/main.yml` file. ## Available variables -There is no variable. +* `haproxy_jessie_backports` : on Debian Jessie, we can prefer v1.7 from backports (default: `False`) ## Configuration templates diff --git a/haproxy/defaults/main.yml b/haproxy/defaults/main.yml new file mode 100644 index 00000000..ea4a8e38 --- /dev/null +++ b/haproxy/defaults/main.yml @@ -0,0 +1,3 @@ +--- + +haproxy_jessie_backports: False diff --git a/haproxy-backports-preferences/files/haproxy_preferences b/haproxy/files/haproxy_apt_preferences similarity index 100% rename from haproxy-backports-preferences/files/haproxy_preferences rename to haproxy/files/haproxy_apt_preferences diff --git a/haproxy/tasks/main.yml b/haproxy/tasks/main.yml index a699b366..4f0e7820 100644 --- a/haproxy/tasks/main.yml +++ b/haproxy/tasks/main.yml @@ -5,6 +5,10 @@ state: installed tags: - haproxy + - packages + +- include: jessie_backports.yml + when: ansible_distribution_release == "jessie" and haproxy_jessie_backports - name: Install HAProxy package apt: @@ -12,6 +16,7 @@ state: installed tags: - haproxy + - packages - name: Copy HAProxy configuration template: @@ -26,3 +31,4 @@ notify: reload haproxy tags: - haproxy + - config diff --git a/haproxy/tasks/packages_jessie_backports.yml b/haproxy/tasks/packages_jessie_backports.yml new file mode 100644 index 00000000..024909c3 --- /dev/null +++ b/haproxy/tasks/packages_jessie_backports.yml @@ -0,0 +1,20 @@ +--- + +- name: Prefer HAProxy package from jessie-backports + copy: + src: haproxy_apt_preferences + dest: /etc/apt/preferences.d/999-haproxy + force: yes + mode: "0640" + register: haproxy_apt_preferences + tags: + - haproxy + - packages + +- name: update apt + apt: + update_cache: yes + when: haproxy_apt_preferences | changed + tags: + - haproxy + - packages From da974b6cb07cfad3ec0e12d0e19c56cab8875d23 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Thu, 13 Jul 2017 09:59:37 +0200 Subject: [PATCH 040/277] merge nginx roles --- nginx-backports-preferences/.kitchen.yml | 28 ------------------- nginx-backports-preferences/README.md | 5 ---- nginx-backports-preferences/handlers/main.yml | 4 --- nginx-backports-preferences/meta/main.yml | 19 ------------- nginx-backports-preferences/tasks/main.yml | 10 ------- nginx-backports-preferences/tests/test.yml | 4 --- nginx/README.md | 1 + nginx/defaults/main.yml | 2 ++ .../files/apt}/nginx_preferences | 0 nginx/tasks/main.yml | 14 ++++------ nginx/tasks/packages_jessie.yml | 11 ++++++++ nginx/tasks/packages_jessie_backports.yml | 20 +++++++++++++ nginx/tasks/packages_stretch.yml | 11 ++++++++ 13 files changed, 51 insertions(+), 78 deletions(-) delete mode 100644 nginx-backports-preferences/.kitchen.yml delete mode 100644 nginx-backports-preferences/README.md delete mode 100644 nginx-backports-preferences/handlers/main.yml delete mode 100644 nginx-backports-preferences/meta/main.yml delete mode 100644 nginx-backports-preferences/tasks/main.yml delete mode 100644 nginx-backports-preferences/tests/test.yml rename {nginx-backports-preferences/files => nginx/files/apt}/nginx_preferences (100%) create mode 100644 nginx/tasks/packages_jessie.yml create mode 100644 nginx/tasks/packages_jessie_backports.yml create mode 100644 nginx/tasks/packages_stretch.yml diff --git a/nginx-backports-preferences/.kitchen.yml b/nginx-backports-preferences/.kitchen.yml deleted file mode 100644 index b21cc3db..00000000 --- a/nginx-backports-preferences/.kitchen.yml +++ /dev/null @@ -1,28 +0,0 @@ ---- -driver: - name: docker - privileged: true - use_sudo: false - -provisioner: - name: ansible_playbook - hosts: test-kitchen - roles_path: ../ - ansible_verbose: true - require_ansible_source: false - require_chef_for_busser: false - idempotency_test: true - -platforms: - - name: debian - driver_config: - image: evolix/ansible:2.2.1 - -suites: - - name: default - provisioner: - name: ansible_playbook - playbook: ./tests/test.yml - -transport: - max_ssh_sessions: 6 diff --git a/nginx-backports-preferences/README.md b/nginx-backports-preferences/README.md deleted file mode 100644 index 23f7000c..00000000 --- a/nginx-backports-preferences/README.md +++ /dev/null @@ -1,5 +0,0 @@ -# nginx-backports-preferences - -Configure APT to prefer nginx package from jessie-backports. - -There is no variable, just a files copied to `/etc/apt/preferences.d/`. diff --git a/nginx-backports-preferences/handlers/main.yml b/nginx-backports-preferences/handlers/main.yml deleted file mode 100644 index e68f5c28..00000000 --- a/nginx-backports-preferences/handlers/main.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- name: apt update - apt: - update_cache: yes diff --git a/nginx-backports-preferences/meta/main.yml b/nginx-backports-preferences/meta/main.yml deleted file mode 100644 index 34235bde..00000000 --- a/nginx-backports-preferences/meta/main.yml +++ /dev/null @@ -1,19 +0,0 @@ -galaxy_info: - author: Evolix - description: Configure APT to prefer Nginx package from jessie-backports - - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues - - license: GPLv2 - - min_ansible_version: 2.2 - - platforms: - - name: Debian - versions: - - jessie - -dependencies: [] - # List your role dependencies here, one per line. - # Be sure to remove the '[]' above if you add dependencies - # to this list. diff --git a/nginx-backports-preferences/tasks/main.yml b/nginx-backports-preferences/tasks/main.yml deleted file mode 100644 index 8184b317..00000000 --- a/nginx-backports-preferences/tasks/main.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -- name: Prefer Nginx package from jessie-backports - copy: - src: nginx_preferences - dest: /etc/apt/preferences.d/999-nginx - force: yes - mode: "0640" - notify: apt update - -- meta: flush_handlers diff --git a/nginx-backports-preferences/tests/test.yml b/nginx-backports-preferences/tests/test.yml deleted file mode 100644 index a4b0c2fd..00000000 --- a/nginx-backports-preferences/tests/test.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- hosts: test-kitchen - roles: - - role: nginx-backports-preferences diff --git a/nginx/README.md b/nginx/README.md index c724a0cc..f58fefc7 100644 --- a/nginx/README.md +++ b/nginx/README.md @@ -10,6 +10,7 @@ Everything is in the `tasks/main.yml` file. Main variables are : +* `nginx_jessie_backports` : on Debian Jessie, we can prefer v1.10 from backports (default: `False`) ; * `nginx_private_ipaddr_whitelist_present` : list of IP addresses to have in the private whitelist ; * `nginx_private_ipaddr_whitelist_absent` : list of IP addresses **not** to have in the whitelist ; * `nginx_private_htpasswd_present` : list of users to have in the private htpasswd ; diff --git a/nginx/defaults/main.yml b/nginx/defaults/main.yml index 10a4b83e..e35001d8 100644 --- a/nginx/defaults/main.yml +++ b/nginx/defaults/main.yml @@ -1,4 +1,6 @@ --- +nginx_jessie_backports: False + nginx_private_ipaddr_whitelist_present: [] nginx_private_ipaddr_whitelist_absent: [] diff --git a/nginx-backports-preferences/files/nginx_preferences b/nginx/files/apt/nginx_preferences similarity index 100% rename from nginx-backports-preferences/files/nginx_preferences rename to nginx/files/apt/nginx_preferences diff --git a/nginx/tasks/main.yml b/nginx/tasks/main.yml index 0fe672a7..7f11ed32 100644 --- a/nginx/tasks/main.yml +++ b/nginx/tasks/main.yml @@ -1,12 +1,10 @@ --- -- name: Ensure Nginx is installed - apt: - name: nginx-full - state: present - notify: restart nginx - tags: - - nginx - - packages + +- include: packages_jessie.yml + when: ansible_distribution_release == "jessie" + +- include: packages_stretch.yml + when: ansible_distribution_release == "stretch" # TODO: find a way to override the main configuration # without touching the main file diff --git a/nginx/tasks/packages_jessie.yml b/nginx/tasks/packages_jessie.yml new file mode 100644 index 00000000..67733d09 --- /dev/null +++ b/nginx/tasks/packages_jessie.yml @@ -0,0 +1,11 @@ +- include: jessie_backports.yml + when: ansible_distribution_release == "jessie" and nginx_jessie_backports + +- name: Ensure Nginx is installed + apt: + name: nginx-full + state: present + notify: restart nginx + tags: + - nginx + - packages diff --git a/nginx/tasks/packages_jessie_backports.yml b/nginx/tasks/packages_jessie_backports.yml new file mode 100644 index 00000000..8423c30a --- /dev/null +++ b/nginx/tasks/packages_jessie_backports.yml @@ -0,0 +1,20 @@ +--- + +- name: Prefer Nginx packages from jessie-backports + copy: + src: apt/nginx_preferences + dest: /etc/apt/preferences.d/999-nginx + force: yes + mode: "0640" + register: nginx_apt_preferences + tags: + - nginx + - packages + +- name: update apt + apt: + update_cache: yes + when: nginx_apt_preferences | changed + tags: + - nginx + - packages diff --git a/nginx/tasks/packages_stretch.yml b/nginx/tasks/packages_stretch.yml new file mode 100644 index 00000000..637cb044 --- /dev/null +++ b/nginx/tasks/packages_stretch.yml @@ -0,0 +1,11 @@ +--- +# TODO: install "nginx" + only necessary modules, instead of "nginx-full" + +- name: Ensure Nginx is installed + apt: + name: nginx-full + state: present + notify: restart nginx + tags: + - nginx + - packages From 00a8947da1c80262e24e5fb4f9fbbe503789e0ad Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Thu, 13 Jul 2017 13:50:48 +0200 Subject: [PATCH 041/277] tomcat-instance: default rng set to /dev/urandom --- tomcat-instance/templates/env.j2 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tomcat-instance/templates/env.j2 b/tomcat-instance/templates/env.j2 index ea4920f7..c76687a8 100644 --- a/tomcat-instance/templates/env.j2 +++ b/tomcat-instance/templates/env.j2 @@ -2,5 +2,6 @@ # Xmx Max memory allocated to instance. # Xms Allocated memory at startup. # XX:MaxPermSize Memory allocated to internal objects. +# Djava.security.egd -> https://wiki.apache.org/tomcat/HowTo/FasterStartUp#Entropy_Source JAVA_HOME="{{ tomcat_instance_java_path }}" -JAVA_OPTS="-server -Xmx{{ tomcat_instance_ram }}m -Xms{{ tomcat_instance_ram }}m -XX:MaxPermSize={{ tomcat_instance_mps }}m -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:+CMSPermGenSweepingEnabled -XX:+CMSClassUnloadingEnabled -Xverify:none" +JAVA_OPTS="-server -Xmx{{ tomcat_instance_ram }}m -Xms{{ tomcat_instance_ram }}m -XX:MaxPermSize={{ tomcat_instance_mps }}m -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:+CMSPermGenSweepingEnabled -XX:+CMSClassUnloadingEnabled -Xverify:none -Djava.security.egd=file:/dev/./urandom" From 927dbfa88921bf6f0e05a29c217144c912734aa7 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 12 Jul 2017 18:03:07 +0200 Subject: [PATCH 042/277] MySQL: adapt users on distribution For Jessie, there is a "debian-sys-maint", that we're using to create "mysqladmin" for root, then delete "root". For Stretch, the is a "root" without assword, so we create both "mysqladmin" for root and "debian-sys-maint" for Debian scripts, then delete "root". --- mysql/tasks/main.yml | 6 +- mysql/tasks/{users.yml => users_jessie.yml} | 10 +-- mysql/tasks/users_stretch.yml | 90 +++++++++++++++++++++ mysql/tasks/utils.yml | 26 ++++-- 4 files changed, 115 insertions(+), 17 deletions(-) rename mysql/tasks/{users.yml => users_jessie.yml} (86%) create mode 100644 mysql/tasks/users_stretch.yml diff --git a/mysql/tasks/main.yml b/mysql/tasks/main.yml index 273960a9..ca3f0571 100644 --- a/mysql/tasks/main.yml +++ b/mysql/tasks/main.yml @@ -2,7 +2,11 @@ - include: packages.yml -- include: users.yml +- include: users_stretch.yml + when: ansible_distribution_release == "stretch" + +- include: users_jessie.yml + when: ansible_distribution_release == "jessie" - include: config.yml diff --git a/mysql/tasks/users.yml b/mysql/tasks/users_jessie.yml similarity index 86% rename from mysql/tasks/users.yml rename to mysql/tasks/users_jessie.yml index 82c9b213..4d225317 100644 --- a/mysql/tasks/users.yml +++ b/mysql/tasks/users_jessie.yml @@ -46,14 +46,8 @@ - name: remove root user mysql_user: name: root - #host_all: yes - host: "{{ item }}" - config_file: "/etc/mysql/debian.cnf" + host_all: yes + config_file: "/root/.my.cnf" state: absent - with_items: - - "localhost" - - "127.0.0.1" - - "::1" - - "{{ ansible_hostname }}" tags: - mysql diff --git a/mysql/tasks/users_stretch.yml b/mysql/tasks/users_stretch.yml new file mode 100644 index 00000000..0a3238eb --- /dev/null +++ b/mysql/tasks/users_stretch.yml @@ -0,0 +1,90 @@ +--- + +# dependency for mysql_user and mysql_db + +- name: python-mysqldb is installed (Ansible dependency) + apt: + name: python-mysqldb + state: present + tags: + - mysql + +- name: create a password for mysqladmin + shell: perl -e 'print map{("a".."z","A".."Z",0..9)[int(rand(62))]}(1..16)' + register: mysql_admin_password + changed_when: False + tags: + - mysql + +- name: there is a mysqladmin user + mysql_user: + name: mysqladmin + password: '{{ mysql_admin_password.stdout }}' + priv: "*.*:ALL,GRANT" + update_password: on_create + state: present + config_file: "/etc/mysql/debian.cnf" + register: create_mysqladmin_user + tags: + - mysql + +- name: mysqladmin is the default user + ini_file: + dest: /root/.my.cnf + mode: "0600" + section: client + option: '{{ item.option }}' + value: '{{ item.value }}' + create: yes + with_items: + - { option: 'user', value: 'mysqladmin' } + - { option: password, value: '{{ mysql_admin_password.stdout }}' } + when: create_mysqladmin_user.changed + tags: + - mysql + + +- name: create a password for debian-sys-maint + shell: perl -e 'print map{("a".."z","A".."Z",0..9)[int(rand(62))]}(1..16)' + register: mysql_debian_password + changed_when: False + tags: + - mysql + +- name: there is a debian-sys-maint user + mysql_user: + name: debian-sys-maint + password: '{{ mysql_debian_password.stdout }}' + priv: "*.*:ALL,GRANT" + update_password: on_create + state: present + config_file: "/root/.my.cnf" + register: create_debian_user + tags: + - mysql + +- name: store debian-sys-maint user credentials + ini_file: + dest: /etc/mysql/debian.cnf + mode: "0600" + section: "{{ item[0] }}" + option: '{{ item[1].option }}' + value: '{{ item[1].value }}' + create: yes + with_nested: + - [ "client", "mysql_upgrade" ] + - [ { option: 'user', value: 'debian-sys-maint' }, + { option: password, value: '{{ mysql_debian_password.stdout }}' } + ] + when: create_debian_user.changed + tags: + - mysql + +- name: remove root user + mysql_user: + name: root + host_all: yes + config_file: "/root/.my.cnf" + state: absent + tags: + - mysql diff --git a/mysql/tasks/utils.yml b/mysql/tasks/utils.yml index 58faeee4..262dcd0f 100644 --- a/mysql/tasks/utils.yml +++ b/mysql/tasks/utils.yml @@ -1,7 +1,24 @@ --- +- name: Ensure /usr/share/scripts exists + file: + dest: /usr/share/scripts + mode: "0700" + state: directory + tags: + - mysql + # mytop +# mytop is installed with MariaB +# the package has been removed of Stretch repositories +- name: Is mytop available ? + command: which mytop + failed_when: False + changed_when: False + check_mode: no + register: which_mytop + - name: Install mytop apt: name: mytop @@ -10,6 +27,7 @@ - packages - mytop - mysql + when: which_mytop.rc != 0 - name: Read debian-sys-maint password shell: cat /etc/mysql/debian.cnf | grep -m1 "password = .*" | cut -d" " -f3 @@ -91,14 +109,6 @@ - include: remount_usr_rw.yml when: (mysql_scripts_dir or general_scripts_dir) | search ("/usr") -- name: Ensure /usr/share/scripts exists - file: - dest: /usr/share/scripts - mode: "0700" - state: directory - tags: - - mysql - - name: Install my-add.sh copy: src: my-add.sh From 9dbed2dd599ead378716d45cb02151be5ee442a5 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 13 Jul 2017 14:08:24 +0200 Subject: [PATCH 043/277] packweb: split jessie/stretch --- packweb-apache/tasks/apache.yml | 12 ++++++- packweb-apache/tasks/main.yml | 4 +++ packweb-apache/tasks/php.yml | 42 +++++++++++----------- packweb-apache/tasks/php5.yml | 64 +++++++++++++++++++++++++++++++++ 4 files changed, 100 insertions(+), 22 deletions(-) create mode 100644 packweb-apache/tasks/php5.yml diff --git a/packweb-apache/tasks/apache.yml b/packweb-apache/tasks/apache.yml index 76756d10..18ce16ca 100644 --- a/packweb-apache/tasks/apache.yml +++ b/packweb-apache/tasks/apache.yml @@ -16,14 +16,24 @@ export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin when: envvar_grep_path.rc != 0 +- name: Install ITK module for Jessie + apt: + name: apache2-mpm-itk + when: ansible_distribution_release == "jessie" + +- name: Install ITK module for Stretch + apt: + name: libapache2-mpm-itk + when: ansible_distribution_release == "stretch" + - name: Additional packages are installed apt: name: '{{ item }}' state: present with_items: - - apache2-mpm-itk - libapache2-mod-evasive - libapache2-mod-security2 + - modsecurity-crs - name: Copy Apache settings for modules copy: diff --git a/packweb-apache/tasks/main.yml b/packweb-apache/tasks/main.yml index 8aa0f26c..491ecc46 100644 --- a/packweb-apache/tasks/main.yml +++ b/packweb-apache/tasks/main.yml @@ -38,7 +38,11 @@ - include: apache.yml +- include: php5.yml + when: ansible_distribution_release == "jessie" + - include: php.yml + when: ansible_distribution_release == "stretch" - include: phpmyadmin.yml diff --git a/packweb-apache/tasks/php.yml b/packweb-apache/tasks/php.yml index ee65fd2f..074d4f55 100644 --- a/packweb-apache/tasks/php.yml +++ b/packweb-apache/tasks/php.yml @@ -1,48 +1,48 @@ --- -- name: Install PHP5 packages +- name: Install PHP packages apt: name: '{{ item }}' state: present with_items: - - libapache2-mod-php5 - - php5 - - php5-gd - - php5-imap - - php5-ldap - - php5-mcrypt - - php5-mysql - - php5-pgsql + - libapache2-mod-php7.0 + - php7.0 + - php7.0-gd + - php7.0-imap + - php7.0-ldap + - php7.0-mcrypt + - php7.0-mysql + - php7.0-pgsql + - php7.0-curl - php-gettext - - php5-curl - - libssh2-php + - php-ssh2 tags: - apache - name: Set variables for php config files set_fact: - php5_apache5_defaults_file: /etc/php5/apache2/conf.d/z-evolinux_defaults.ini - php5_apache5_custom_file: /etc/php5/apache2/conf.d/zzz-evolinux_custom.ini + php7_apache_defaults_file: /etc/php/7.0/apache2/conf.d/z-evolinux_defaults.ini + php7_apache_custom_file: /etc/php/7.0/apache2/conf.d/zzz-evolinux_custom.ini - name: Set default values for PHP ini_file: - dest: "{{ php5_apache5_defaults_file }}" + dest: "{{ php7_apache_defaults_file }}" section: PHP option: "{{ item.option }}" value: "{{ item.value }}" mode: "0644" create: yes with_items: - - { option: "short_open_tag", value: "Off" } - - { option: "expose_php", value: "Off" } - - { option: "display_errors", value: "Off" } - - { option: "log_errors", value: "On" } + - { option: "short_open_tag", value: "Off" } + - { option: "expose_php", value: "Off" } + - { option: "display_errors", value: "Off" } + - { option: "log_errors", value: "On" } - { option: "allow_url_fopen", value: "Off" } notify: reload apache - name: Disable PHP exec function without evoadmin ini_file: - dest: "{{ php5_apache5_defaults_file }}" + dest: "{{ php7_apache_defaults_file }}" section: PHP option: disable_functions value: "exec,shell-exec,system,passthru,putenv,popen" @@ -50,7 +50,7 @@ - name: Don't disable PHP exec function with evoadmin ini_file: - dest: "{{ php5_apache5_defaults_file }}" + dest: "{{ php7_apache_defaults_file }}" section: PHP option: disable_functions value: "shell-exec,system,passthru,putenv,popen" @@ -58,7 +58,7 @@ - name: Custom php.ini copy: - dest: "{{ php5_apache5_custom_file }}" + dest: "{{ php7_apache_custom_file }}" content: | # Put customized values here. force: no diff --git a/packweb-apache/tasks/php5.yml b/packweb-apache/tasks/php5.yml new file mode 100644 index 00000000..ee65fd2f --- /dev/null +++ b/packweb-apache/tasks/php5.yml @@ -0,0 +1,64 @@ +--- + +- name: Install PHP5 packages + apt: + name: '{{ item }}' + state: present + with_items: + - libapache2-mod-php5 + - php5 + - php5-gd + - php5-imap + - php5-ldap + - php5-mcrypt + - php5-mysql + - php5-pgsql + - php-gettext + - php5-curl + - libssh2-php + tags: + - apache + +- name: Set variables for php config files + set_fact: + php5_apache5_defaults_file: /etc/php5/apache2/conf.d/z-evolinux_defaults.ini + php5_apache5_custom_file: /etc/php5/apache2/conf.d/zzz-evolinux_custom.ini + +- name: Set default values for PHP + ini_file: + dest: "{{ php5_apache5_defaults_file }}" + section: PHP + option: "{{ item.option }}" + value: "{{ item.value }}" + mode: "0644" + create: yes + with_items: + - { option: "short_open_tag", value: "Off" } + - { option: "expose_php", value: "Off" } + - { option: "display_errors", value: "Off" } + - { option: "log_errors", value: "On" } + - { option: "allow_url_fopen", value: "Off" } + notify: reload apache + +- name: Disable PHP exec function without evoadmin + ini_file: + dest: "{{ php5_apache5_defaults_file }}" + section: PHP + option: disable_functions + value: "exec,shell-exec,system,passthru,putenv,popen" + when: not packweb_enable_evoadmin_vhost + +- name: Don't disable PHP exec function with evoadmin + ini_file: + dest: "{{ php5_apache5_defaults_file }}" + section: PHP + option: disable_functions + value: "shell-exec,system,passthru,putenv,popen" + when: packweb_enable_evoadmin_vhost + +- name: Custom php.ini + copy: + dest: "{{ php5_apache5_custom_file }}" + content: | + # Put customized values here. + force: no From b4ca2dd68675bce626d167c03365656b1eb04b60 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 13 Jul 2017 14:09:24 +0200 Subject: [PATCH 044/277] apache/evoadmin : split jessie/stretch --- apache/tasks/auth.yml | 73 ++++++++++++++++ apache/tasks/main.yml | 170 +++++++++++++----------------------- apache/tasks/phpmyadmin.yml | 24 +++++ evoadmin/tasks/packages.yml | 9 +- evoadmin/tasks/web.yml | 9 ++ 5 files changed, 177 insertions(+), 108 deletions(-) create mode 100644 apache/tasks/auth.yml create mode 100644 apache/tasks/phpmyadmin.yml diff --git a/apache/tasks/auth.yml b/apache/tasks/auth.yml new file mode 100644 index 00000000..32b9966a --- /dev/null +++ b/apache/tasks/auth.yml @@ -0,0 +1,73 @@ +--- + +- name: Init private_ipaddr_whitelist.conf file + copy: + src: private_ipaddr_whitelist.conf + dest: /etc/apache2/private_ipaddr_whitelist.conf + owner: root + group: root + mode: "0640" + force: no + tags: + - apache + +- name: add IP addresses to private IP whitelist + lineinfile: + dest: /etc/apache2/private_ipaddr_whitelist.conf + line: "Require ip {{ item }}" + state: present + with_items: "{{ apache_private_ipaddr_whitelist_present }}" + notify: reload apache + tags: + - apache + +- name: remove IP addresses from private IP whitelist + lineinfile: + dest: /etc/apache2/private_ipaddr_whitelist.conf + line: "Require ip {{ item }}" + state: absent + with_items: "{{ apache_private_ipaddr_whitelist_absent }}" + notify: reload apache + tags: + - apache + +- name: include private IP whitelist for server-status + lineinfile: + dest: /etc/apache2/mods-available/status.conf + line: " include /etc/apache2/private_ipaddr_whitelist.conf" + insertafter: 'SetHandler server-status' + state: present + tags: + - apache + +- name: Copy private_htpasswd + copy: + src: private_htpasswd + dest: /etc/apache2/private_htpasswd + owner: root + group: root + mode: "0640" + force: no + notify: reload apache + tags: + - apache + +- name: add user:pwd to private htpasswd + lineinfile: + dest: /etc/apache2/private_htpasswd + line: "{{ item }}" + state: present + with_items: "{{ apache_private_htpasswd_present }}" + notify: reload apache + tags: + - apache + +- name: remove user:pwd from private htpasswd + lineinfile: + dest: /etc/apache2/private_htpasswd + line: "{{ item }}" + state: absent + with_items: "{{ apache_private_htpasswd_absent }}" + notify: reload apache + tags: + - apache diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index cf3dc16b..230a112e 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -1,24 +1,41 @@ -- name: packages are installed +--- + +- name: Main packages are installed apt: name: '{{ item }}' state: present with_items: - apache2 - - apache2-mpm-prefork - - apachetop - - libwww-perl tags: - apache + - packages + +- name: Install packages for Jessie + apt: + name: '{{ item }}' + state: present + with_items: + - apache2-mpm-prefork + tags: + - apache + - packages + when: ansible_distribution_release == "jessie" - name: manually disable mpm_event command: a2dismod mpm_event register: cmd_disable_event changed_when: "'Module mpm_event already disabled' not in cmd_disable_event.stdout" + notify: restart apache + tags: + - apache - name: manually enable mpm_prefork command: a2enmod mpm_prefork register: cmd_disable_prefork changed_when: "'Module mpm_prefork already enabled' not in cmd_disable_prefork.stdout" + notify: restart apache + tags: + - apache # With Ansible 2.2 the module check the config for conflicts # With 2.3 it can be disabled. @@ -32,6 +49,18 @@ # tags: # - apache +- name: Additional packages are installed + apt: + name: '{{ item }}' + state: present + with_items: + - apg + - apachetop + - libwww-perl + tags: + - apache + - packages + - name: basic modules are enabled apache2_module: name: '{{ item }}' @@ -89,75 +118,7 @@ tags: - apache -- name: Init private_ipaddr_whitelist.conf file - copy: - src: private_ipaddr_whitelist.conf - dest: /etc/apache2/private_ipaddr_whitelist.conf - owner: root - group: root - mode: "0640" - force: no - tags: - - apache - -- name: add IP addresses to private IP whitelist - lineinfile: - dest: /etc/apache2/private_ipaddr_whitelist.conf - line: "Require ip {{ item }}" - state: present - with_items: "{{ apache_private_ipaddr_whitelist_present }}" - notify: reload apache - tags: - - apache - -- name: remove IP addresses from private IP whitelist - lineinfile: - dest: /etc/apache2/private_ipaddr_whitelist.conf - line: "Require ip {{ item }}" - state: absent - with_items: "{{ apache_private_ipaddr_whitelist_absent }}" - notify: reload apache - tags: - - apache - -- name: include private IP whitelist for server-status - lineinfile: - dest: /etc/apache2/mods-available/status.conf - line: " include /etc/apache2/private_ipaddr_whitelist.conf" - insertafter: 'SetHandler server-status' - state: present - -- name: Copy private_htpasswd - copy: - src: private_htpasswd - dest: /etc/apache2/private_htpasswd - owner: root - group: root - mode: "0640" - force: no - notify: reload apache - tags: - - apache - -- name: add user:pwd to private htpasswd - lineinfile: - dest: /etc/apache2/private_htpasswd - line: "{{ item }}" - state: present - with_items: "{{ apache_private_htpasswd_present }}" - notify: reload apache - tags: - - apache - -- name: remove user:pwd from private htpasswd - lineinfile: - dest: /etc/apache2/private_htpasswd - line: "{{ item }}" - state: absent - with_items: "{{ apache_private_htpasswd_absent }}" - notify: reload apache - tags: - - apache +- include: auth.yml - name: default vhost is installed template: @@ -180,40 +141,6 @@ tags: - apache -- block: - - name: generate random string for phpmyadmin suffix - command: "apg -a 1 -M N -n 1" - changed_when: False - register: _random_phpmyadmin_suffix - - - name: overwrite apache_phpmyadmin_suffix - set_fact: - apache_phpmyadmin_suffix: "{{ _random_phpmyadmin_suffix.stdout }}" - when: apache_phpmyadmin_suffix == "" - -- name: replace phpmyadmin suffix in default site index - replace: - dest: /var/www/index.html - regexp: '__PHPMYADMIN_SUFFIX__' - replace: "{{ apache_phpmyadmin_suffix }}" - -# - block: -# - name: generate random string for serverstatus suffix -# command: "apg -a 1 -M N -n 1" -# changed_when: False -# register: _random_serverstatus_suffix -# -# - name: overwrite apache_serverstatus_suffix -# set_fact: -# apache_serverstatus_suffix: "{{ _random_serverstatus_suffix.stdout }}" -# when: apache_serverstatus_suffix == "" -# -# - name: replace server-status suffix in default site index -# replace: -# dest: /var/www/index.html -# regexp: '__SERVERSTATUS_SUFFIX__' -# replace: "{{ apache_serverstatus_suffix }}" - - name: is umask already present? command: "grep -E '^umask ' /etc/apache2/envvars" failed_when: False @@ -234,3 +161,32 @@ when: envvar_grep_umask.rc != 0 tags: - apache + +- name: Stat /default index + stat: + path: /var/www/index.html + register: _default_index + check_mode: no + tags: + - apache + +- include: phpmyadmin.yml + when: _default_index.stat.exists + + +# - block: +# - name: generate random string for serverstatus suffix +# command: "apg -a 1 -M N -n 1" +# changed_when: False +# register: _random_serverstatus_suffix +# +# - name: overwrite apache_serverstatus_suffix +# set_fact: +# apache_serverstatus_suffix: "{{ _random_serverstatus_suffix.stdout }}" +# when: apache_serverstatus_suffix == "" +# +# - name: replace server-status suffix in default site index +# replace: +# dest: /var/www/index.html +# regexp: '__SERVERSTATUS_SUFFIX__' +# replace: "{{ apache_serverstatus_suffix }}" diff --git a/apache/tasks/phpmyadmin.yml b/apache/tasks/phpmyadmin.yml new file mode 100644 index 00000000..889336a9 --- /dev/null +++ b/apache/tasks/phpmyadmin.yml @@ -0,0 +1,24 @@ +--- + +- block: + - name: generate random string for phpmyadmin suffix + command: "apg -a 1 -M N -n 1" + changed_when: False + register: _random_phpmyadmin_suffix + + - name: overwrite apache_phpmyadmin_suffix + set_fact: + apache_phpmyadmin_suffix: "{{ _random_phpmyadmin_suffix.stdout }}" + when: apache_phpmyadmin_suffix == "" + tags: + - apache + - phpmyadmin + +- name: replace phpmyadmin suffix in default site index + replace: + dest: /var/www/index.html + regexp: '__PHPMYADMIN_SUFFIX__' + replace: "{{ apache_phpmyadmin_suffix }}" + tags: + - apache + - phpmyadmin diff --git a/evoadmin/tasks/packages.yml b/evoadmin/tasks/packages.yml index f0dd16d3..7fd32de3 100644 --- a/evoadmin/tasks/packages.yml +++ b/evoadmin/tasks/packages.yml @@ -10,8 +10,15 @@ apt: name: '{{ item }}' state: present - allow_unauthenticated: yes with_items: - php-pear - php-log + +- name: Install PHP5 packages + apt: + name: '{{ item }}' + state: present + allow_unauthenticated: yes + with_items: - php5-pam + when: ansible_distribution_release == "jessie" diff --git a/evoadmin/tasks/web.yml b/evoadmin/tasks/web.yml index 5c4795f0..7cf6c9d2 100644 --- a/evoadmin/tasks/web.yml +++ b/evoadmin/tasks/web.yml @@ -7,7 +7,16 @@ option: "disable_functions" value: "shell-exec,system,passthru,putenv,popen" notify: reload apache + when: ansible_distribution_release == "jessie" +- name: Set default values in /etc/php5/apache2/conf.d/z-evolinux_defaults.ini + ini_file: + dest: /etc/php/7.0/apache2/conf.d/z-evolinux_defaults.ini + section: PHP + option: "disable_functions" + value: "shell-exec,system,passthru,putenv,popen" + notify: reload apache + when: ansible_distribution_release == "stretch" - name: Install evoadmin VHost template: From dbf4a3d0fa30a2c1dccd02482d72e997fde2d61f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 13 Jul 2017 14:16:51 +0200 Subject: [PATCH 045/277] haproxy/nginx: add sources if backports are needed --- haproxy/tasks/packages_jessie_backports.yml | 7 +++++++ nginx/tasks/packages_jessie_backports.yml | 7 +++++++ 2 files changed, 14 insertions(+) diff --git a/haproxy/tasks/packages_jessie_backports.yml b/haproxy/tasks/packages_jessie_backports.yml index 024909c3..2449029d 100644 --- a/haproxy/tasks/packages_jessie_backports.yml +++ b/haproxy/tasks/packages_jessie_backports.yml @@ -1,5 +1,12 @@ --- +- include_role: + name: apt-repositories + tasks_from: backports.yml + tags: + - haproxy + - packages + - name: Prefer HAProxy package from jessie-backports copy: src: haproxy_apt_preferences diff --git a/nginx/tasks/packages_jessie_backports.yml b/nginx/tasks/packages_jessie_backports.yml index 8423c30a..e5d29f8a 100644 --- a/nginx/tasks/packages_jessie_backports.yml +++ b/nginx/tasks/packages_jessie_backports.yml @@ -1,5 +1,12 @@ --- +- include_role: + name: apt-repositories + tasks_from: backports.yml + tags: + - haproxy + - packages + - name: Prefer Nginx packages from jessie-backports copy: src: apt/nginx_preferences From aedc0d345226932fac5343f30be981a5b5d4490a Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 13 Jul 2017 14:43:07 +0200 Subject: [PATCH 046/277] merge elastic sources back into roles --- elastic-sources-list/.kitchen.yml | 28 -------------------- elastic-sources-list/README.md | 9 ------- elastic-sources-list/meta/main.yml | 28 -------------------- elastic-sources-list/tasks/main.yml | 30 ---------------------- elastic-sources-list/tests/test.yml | 4 --- elasticsearch/files/elasticsearch.key | 31 ++++++++++++++++++++++ elasticsearch/tasks/packages.yml | 37 ++++++++++++++++++++++++--- filebeat/files/elasticsearch.key | 31 ++++++++++++++++++++++ filebeat/tasks/main.yml | 32 ++++++++++++++++++++--- kibana/files/elasticsearch.key | 31 ++++++++++++++++++++++ kibana/tasks/main.yml | 29 ++++++++++++++++++--- logstash/files/elasticsearch.key | 31 ++++++++++++++++++++++ logstash/tasks/main.yml | 29 ++++++++++++++++++--- 13 files changed, 236 insertions(+), 114 deletions(-) delete mode 100644 elastic-sources-list/.kitchen.yml delete mode 100644 elastic-sources-list/README.md delete mode 100644 elastic-sources-list/meta/main.yml delete mode 100644 elastic-sources-list/tasks/main.yml delete mode 100644 elastic-sources-list/tests/test.yml create mode 100644 elasticsearch/files/elasticsearch.key create mode 100644 filebeat/files/elasticsearch.key create mode 100644 kibana/files/elasticsearch.key create mode 100644 logstash/files/elasticsearch.key diff --git a/elastic-sources-list/.kitchen.yml b/elastic-sources-list/.kitchen.yml deleted file mode 100644 index b21cc3db..00000000 --- a/elastic-sources-list/.kitchen.yml +++ /dev/null @@ -1,28 +0,0 @@ ---- -driver: - name: docker - privileged: true - use_sudo: false - -provisioner: - name: ansible_playbook - hosts: test-kitchen - roles_path: ../ - ansible_verbose: true - require_ansible_source: false - require_chef_for_busser: false - idempotency_test: true - -platforms: - - name: debian - driver_config: - image: evolix/ansible:2.2.1 - -suites: - - name: default - provisioner: - name: ansible_playbook - playbook: ./tests/test.yml - -transport: - max_ssh_sessions: 6 diff --git a/elastic-sources-list/README.md b/elastic-sources-list/README.md deleted file mode 100644 index 7ed88d17..00000000 --- a/elastic-sources-list/README.md +++ /dev/null @@ -1,9 +0,0 @@ -# elastic-source-list - -Install Elastic sources list for APT. - -## Tasks - -Everything is in the `tasks/main.yml` file. - -## Available variables diff --git a/elastic-sources-list/meta/main.yml b/elastic-sources-list/meta/main.yml deleted file mode 100644 index 3be58c98..00000000 --- a/elastic-sources-list/meta/main.yml +++ /dev/null @@ -1,28 +0,0 @@ -galaxy_info: - author: Evolix - description: Install Elastic sources list for APT. - - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues - - license: GPLv2 - - min_ansible_version: 2.2 - - platforms: - - name: Debian - versions: - - jessie - - galaxy_tags: [] - # List tags for your role here, one per line. A tag is - # a keyword that describes and categorizes the role. - # Users find roles by searching for tags. Be sure to - # remove the '[]' above if you add tags to this list. - # - # NOTE: A tag is limited to a single word comprised of - # alphanumeric characters. Maximum 20 tags per role. - -dependencies: [] - # List your role dependencies here, one per line. - # Be sure to remove the '[]' above if you add dependencies - # to this list. diff --git a/elastic-sources-list/tasks/main.yml b/elastic-sources-list/tasks/main.yml deleted file mode 100644 index 09c52cc5..00000000 --- a/elastic-sources-list/tasks/main.yml +++ /dev/null @@ -1,30 +0,0 @@ ---- - -- name: APT https transport is enabled - apt: - name: apt-transport-https - state: present - tags: - - elastic - - system - - packages - -- name: Elastic GPG key is installed - apt_key: - url: https://artifacts.elastic.co/GPG-KEY-elasticsearch - state: present - tags: - - elastic - - system - - packages - -- name: Elastic sources list is available - apt_repository: - repo: "deb https://artifacts.elastic.co/packages/5.x/apt stable main" - filename: elastic.list - state: present - update_cache: yes - tags: - - elastic - - system - - packages diff --git a/elastic-sources-list/tests/test.yml b/elastic-sources-list/tests/test.yml deleted file mode 100644 index f8b2eeae..00000000 --- a/elastic-sources-list/tests/test.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- hosts: test-kitchen - roles: - - role: elastic-sources-list diff --git a/elasticsearch/files/elasticsearch.key b/elasticsearch/files/elasticsearch.key new file mode 100644 index 00000000..1b50dcca --- /dev/null +++ b/elasticsearch/files/elasticsearch.key @@ -0,0 +1,31 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2.0.14 (GNU/Linux) + +mQENBFI3HsoBCADXDtbNJnxbPqB1vDNtCsqhe49vFYsZN9IOZsZXgp7aHjh6CJBD +A+bGFOwyhbd7at35jQjWAw1O3cfYsKAmFy+Ar3LHCMkV3oZspJACTIgCrwnkic/9 +CUliQe324qvObU2QRtP4Fl0zWcfb/S8UYzWXWIFuJqMvE9MaRY1bwUBvzoqavLGZ +j3SF1SPO+TB5QrHkrQHBsmX+Jda6d4Ylt8/t6CvMwgQNlrlzIO9WT+YN6zS+sqHd +1YK/aY5qhoLNhp9G/HxhcSVCkLq8SStj1ZZ1S9juBPoXV1ZWNbxFNGwOh/NYGldD +2kmBf3YgCqeLzHahsAEpvAm8TBa7Q9W21C8vABEBAAG0RUVsYXN0aWNzZWFyY2gg +KEVsYXN0aWNzZWFyY2ggU2lnbmluZyBLZXkpIDxkZXZfb3BzQGVsYXN0aWNzZWFy +Y2gub3JnPokBOAQTAQIAIgUCUjceygIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgEC +F4AACgkQ0n1mbNiOQrRzjAgAlTUQ1mgo3nK6BGXbj4XAJvuZDG0HILiUt+pPnz75 +nsf0NWhqR4yGFlmpuctgCmTD+HzYtV9fp9qW/bwVuJCNtKXk3sdzYABY+Yl0Cez/ +7C2GuGCOlbn0luCNT9BxJnh4mC9h/cKI3y5jvZ7wavwe41teqG14V+EoFSn3NPKm +TxcDTFrV7SmVPxCBcQze00cJhprKxkuZMPPVqpBS+JfDQtzUQD/LSFfhHj9eD+Xe +8d7sw+XvxB2aN4gnTlRzjL1nTRp0h2/IOGkqYfIG9rWmSLNlxhB2t+c0RsjdGM4/ +eRlPWylFbVMc5pmDpItrkWSnzBfkmXL3vO2X3WvwmSFiQbkBDQRSNx7KAQgA5JUl +zcMW5/cuyZR8alSacKqhSbvoSqqbzHKcUQZmlzNMKGTABFG1yRx9r+wa/fvqP6OT +RzRDvVS/cycws8YX7Ddum7x8uI95b9ye1/Xy5noPEm8cD+hplnpU+PBQZJ5XJ2I+ +1l9Nixx47wPGXeClLqcdn0ayd+v+Rwf3/XUJrvccG2YZUiQ4jWZkoxsA07xx7Bj+ +Lt8/FKG7sHRFvePFU0ZS6JFx9GJqjSBbHRRkam+4emW3uWgVfZxuwcUCn1ayNgRt +KiFv9jQrg2TIWEvzYx9tywTCxc+FFMWAlbCzi+m4WD+QUWWfDQ009U/WM0ks0Kww +EwSk/UDuToxGnKU2dQARAQABiQEfBBgBAgAJBQJSNx7KAhsMAAoJENJ9ZmzYjkK0 +c3MIAIE9hAR20mqJWLcsxLtrRs6uNF1VrpB+4n/55QU7oxA1iVBO6IFu4qgsF12J +TavnJ5MLaETlggXY+zDef9syTPXoQctpzcaNVDmedwo1SiL03uMoblOvWpMR/Y0j +6rm7IgrMWUDXDPvoPGjMl2q1iTeyHkMZEyUJ8SKsaHh4jV9wp9KmC8C+9CwMukL7 +vM5w8cgvJoAwsp3Fn59AxWthN3XJYcnMfStkIuWgR7U2r+a210W6vnUxU4oN0PmM +cursYPyeV0NX/KQeUeNMwGTFB6QHS/anRaGQewijkrYYoTNtfllxIu9XYmiBERQ/ +qPDlGRlOgVTd9xUfHFkzB52c70E= +=92oX +-----END PGP PUBLIC KEY BLOCK----- diff --git a/elasticsearch/tasks/packages.yml b/elasticsearch/tasks/packages.yml index 5a18b1e9..05d5bf46 100644 --- a/elasticsearch/tasks/packages.yml +++ b/elasticsearch/tasks/packages.yml @@ -3,19 +3,48 @@ - name: install java8 include_role: name: java8 + tags: + - elasticsearch + - packages -- name: install Elastic sources list - include_role: - name: elastic-sources-list +- name: APT https transport is enabled + apt: + name: apt-transport-https + state: present + tags: + - elasticsearch + - packages + +- name: Elastic GPG key is installed + apt_key: + # url: https://artifacts.elastic.co/GPG-KEY-elasticsearch + data: "{{ lookup('file', 'elasticsearch.key') }}" + state: present + tags: + - elasticsearch + - packages + +- name: Elastic sources list is available + apt_repository: + repo: "deb https://artifacts.elastic.co/packages/5.x/apt stable main" + filename: elastic.list + state: present + update_cache: yes + tags: + - elasticsearch + - packages - name: Elasticsearch is installed apt: name: elasticsearch state: present tags: - - packages + - elasticsearch + - packages - name: Elasticsearch service is enabled service: name: elasticsearch enabled: yes + tags: + - elasticsearch diff --git a/filebeat/files/elasticsearch.key b/filebeat/files/elasticsearch.key new file mode 100644 index 00000000..1b50dcca --- /dev/null +++ b/filebeat/files/elasticsearch.key @@ -0,0 +1,31 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2.0.14 (GNU/Linux) + +mQENBFI3HsoBCADXDtbNJnxbPqB1vDNtCsqhe49vFYsZN9IOZsZXgp7aHjh6CJBD +A+bGFOwyhbd7at35jQjWAw1O3cfYsKAmFy+Ar3LHCMkV3oZspJACTIgCrwnkic/9 +CUliQe324qvObU2QRtP4Fl0zWcfb/S8UYzWXWIFuJqMvE9MaRY1bwUBvzoqavLGZ +j3SF1SPO+TB5QrHkrQHBsmX+Jda6d4Ylt8/t6CvMwgQNlrlzIO9WT+YN6zS+sqHd +1YK/aY5qhoLNhp9G/HxhcSVCkLq8SStj1ZZ1S9juBPoXV1ZWNbxFNGwOh/NYGldD +2kmBf3YgCqeLzHahsAEpvAm8TBa7Q9W21C8vABEBAAG0RUVsYXN0aWNzZWFyY2gg +KEVsYXN0aWNzZWFyY2ggU2lnbmluZyBLZXkpIDxkZXZfb3BzQGVsYXN0aWNzZWFy +Y2gub3JnPokBOAQTAQIAIgUCUjceygIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgEC +F4AACgkQ0n1mbNiOQrRzjAgAlTUQ1mgo3nK6BGXbj4XAJvuZDG0HILiUt+pPnz75 +nsf0NWhqR4yGFlmpuctgCmTD+HzYtV9fp9qW/bwVuJCNtKXk3sdzYABY+Yl0Cez/ +7C2GuGCOlbn0luCNT9BxJnh4mC9h/cKI3y5jvZ7wavwe41teqG14V+EoFSn3NPKm +TxcDTFrV7SmVPxCBcQze00cJhprKxkuZMPPVqpBS+JfDQtzUQD/LSFfhHj9eD+Xe +8d7sw+XvxB2aN4gnTlRzjL1nTRp0h2/IOGkqYfIG9rWmSLNlxhB2t+c0RsjdGM4/ +eRlPWylFbVMc5pmDpItrkWSnzBfkmXL3vO2X3WvwmSFiQbkBDQRSNx7KAQgA5JUl +zcMW5/cuyZR8alSacKqhSbvoSqqbzHKcUQZmlzNMKGTABFG1yRx9r+wa/fvqP6OT +RzRDvVS/cycws8YX7Ddum7x8uI95b9ye1/Xy5noPEm8cD+hplnpU+PBQZJ5XJ2I+ +1l9Nixx47wPGXeClLqcdn0ayd+v+Rwf3/XUJrvccG2YZUiQ4jWZkoxsA07xx7Bj+ +Lt8/FKG7sHRFvePFU0ZS6JFx9GJqjSBbHRRkam+4emW3uWgVfZxuwcUCn1ayNgRt +KiFv9jQrg2TIWEvzYx9tywTCxc+FFMWAlbCzi+m4WD+QUWWfDQ009U/WM0ks0Kww +EwSk/UDuToxGnKU2dQARAQABiQEfBBgBAgAJBQJSNx7KAhsMAAoJENJ9ZmzYjkK0 +c3MIAIE9hAR20mqJWLcsxLtrRs6uNF1VrpB+4n/55QU7oxA1iVBO6IFu4qgsF12J +TavnJ5MLaETlggXY+zDef9syTPXoQctpzcaNVDmedwo1SiL03uMoblOvWpMR/Y0j +6rm7IgrMWUDXDPvoPGjMl2q1iTeyHkMZEyUJ8SKsaHh4jV9wp9KmC8C+9CwMukL7 +vM5w8cgvJoAwsp3Fn59AxWthN3XJYcnMfStkIuWgR7U2r+a210W6vnUxU4oN0PmM +cursYPyeV0NX/KQeUeNMwGTFB6QHS/anRaGQewijkrYYoTNtfllxIu9XYmiBERQ/ +qPDlGRlOgVTd9xUfHFkzB52c70E= +=92oX +-----END PGP PUBLIC KEY BLOCK----- diff --git a/filebeat/tasks/main.yml b/filebeat/tasks/main.yml index a18a02b5..bc038b93 100644 --- a/filebeat/tasks/main.yml +++ b/filebeat/tasks/main.yml @@ -1,15 +1,39 @@ --- -- name: Install Elastic sources list - include_role: - name: elastic-sources-list +- name: APT https transport is enabled + apt: + name: apt-transport-https + state: present + tags: + - filebeat + - packages + +- name: Elastic GPG key is installed + apt_key: + # url: https://artifacts.elastic.co/GPG-KEY-elasticsearch + data: "{{ lookup('file', 'elasticsearch.key') }}" + state: present + tags: + - filebeat + - packages + +- name: Elastic sources list is available + apt_repository: + repo: "deb https://artifacts.elastic.co/packages/5.x/apt stable main" + filename: elastic.list + state: present + update_cache: yes + tags: + - filebeat + - packages - name: Filebeat is installed apt: name: filebeat state: present tags: - - packages + - filebeat + - packages - name: Filebeat service is enabled service: diff --git a/kibana/files/elasticsearch.key b/kibana/files/elasticsearch.key new file mode 100644 index 00000000..1b50dcca --- /dev/null +++ b/kibana/files/elasticsearch.key @@ -0,0 +1,31 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2.0.14 (GNU/Linux) + +mQENBFI3HsoBCADXDtbNJnxbPqB1vDNtCsqhe49vFYsZN9IOZsZXgp7aHjh6CJBD +A+bGFOwyhbd7at35jQjWAw1O3cfYsKAmFy+Ar3LHCMkV3oZspJACTIgCrwnkic/9 +CUliQe324qvObU2QRtP4Fl0zWcfb/S8UYzWXWIFuJqMvE9MaRY1bwUBvzoqavLGZ +j3SF1SPO+TB5QrHkrQHBsmX+Jda6d4Ylt8/t6CvMwgQNlrlzIO9WT+YN6zS+sqHd +1YK/aY5qhoLNhp9G/HxhcSVCkLq8SStj1ZZ1S9juBPoXV1ZWNbxFNGwOh/NYGldD +2kmBf3YgCqeLzHahsAEpvAm8TBa7Q9W21C8vABEBAAG0RUVsYXN0aWNzZWFyY2gg +KEVsYXN0aWNzZWFyY2ggU2lnbmluZyBLZXkpIDxkZXZfb3BzQGVsYXN0aWNzZWFy +Y2gub3JnPokBOAQTAQIAIgUCUjceygIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgEC +F4AACgkQ0n1mbNiOQrRzjAgAlTUQ1mgo3nK6BGXbj4XAJvuZDG0HILiUt+pPnz75 +nsf0NWhqR4yGFlmpuctgCmTD+HzYtV9fp9qW/bwVuJCNtKXk3sdzYABY+Yl0Cez/ +7C2GuGCOlbn0luCNT9BxJnh4mC9h/cKI3y5jvZ7wavwe41teqG14V+EoFSn3NPKm +TxcDTFrV7SmVPxCBcQze00cJhprKxkuZMPPVqpBS+JfDQtzUQD/LSFfhHj9eD+Xe +8d7sw+XvxB2aN4gnTlRzjL1nTRp0h2/IOGkqYfIG9rWmSLNlxhB2t+c0RsjdGM4/ +eRlPWylFbVMc5pmDpItrkWSnzBfkmXL3vO2X3WvwmSFiQbkBDQRSNx7KAQgA5JUl +zcMW5/cuyZR8alSacKqhSbvoSqqbzHKcUQZmlzNMKGTABFG1yRx9r+wa/fvqP6OT +RzRDvVS/cycws8YX7Ddum7x8uI95b9ye1/Xy5noPEm8cD+hplnpU+PBQZJ5XJ2I+ +1l9Nixx47wPGXeClLqcdn0ayd+v+Rwf3/XUJrvccG2YZUiQ4jWZkoxsA07xx7Bj+ +Lt8/FKG7sHRFvePFU0ZS6JFx9GJqjSBbHRRkam+4emW3uWgVfZxuwcUCn1ayNgRt +KiFv9jQrg2TIWEvzYx9tywTCxc+FFMWAlbCzi+m4WD+QUWWfDQ009U/WM0ks0Kww +EwSk/UDuToxGnKU2dQARAQABiQEfBBgBAgAJBQJSNx7KAhsMAAoJENJ9ZmzYjkK0 +c3MIAIE9hAR20mqJWLcsxLtrRs6uNF1VrpB+4n/55QU7oxA1iVBO6IFu4qgsF12J +TavnJ5MLaETlggXY+zDef9syTPXoQctpzcaNVDmedwo1SiL03uMoblOvWpMR/Y0j +6rm7IgrMWUDXDPvoPGjMl2q1iTeyHkMZEyUJ8SKsaHh4jV9wp9KmC8C+9CwMukL7 +vM5w8cgvJoAwsp3Fn59AxWthN3XJYcnMfStkIuWgR7U2r+a210W6vnUxU4oN0PmM +cursYPyeV0NX/KQeUeNMwGTFB6QHS/anRaGQewijkrYYoTNtfllxIu9XYmiBERQ/ +qPDlGRlOgVTd9xUfHFkzB52c70E= +=92oX +-----END PGP PUBLIC KEY BLOCK----- diff --git a/kibana/tasks/main.yml b/kibana/tasks/main.yml index 50b1285b..f5d20066 100644 --- a/kibana/tasks/main.yml +++ b/kibana/tasks/main.yml @@ -4,9 +4,32 @@ include_role: name: java8 -- name: Install Elastic sources list - include_role: - name: elastic-sources-list +- name: APT https transport is enabled + apt: + name: apt-transport-https + state: present + tags: + - kibana + - packages + +- name: Elastic GPG key is installed + apt_key: + # url: https://artifacts.elastic.co/GPG-KEY-elasticsearch + data: "{{ lookup('file', 'elasticsearch.key') }}" + state: present + tags: + - kibana + - packages + +- name: Elastic sources list is available + apt_repository: + repo: "deb https://artifacts.elastic.co/packages/5.x/apt stable main" + filename: elastic.list + state: present + update_cache: yes + tags: + - kibana + - packages - name: Kibana is installed apt: diff --git a/logstash/files/elasticsearch.key b/logstash/files/elasticsearch.key new file mode 100644 index 00000000..1b50dcca --- /dev/null +++ b/logstash/files/elasticsearch.key @@ -0,0 +1,31 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2.0.14 (GNU/Linux) + +mQENBFI3HsoBCADXDtbNJnxbPqB1vDNtCsqhe49vFYsZN9IOZsZXgp7aHjh6CJBD +A+bGFOwyhbd7at35jQjWAw1O3cfYsKAmFy+Ar3LHCMkV3oZspJACTIgCrwnkic/9 +CUliQe324qvObU2QRtP4Fl0zWcfb/S8UYzWXWIFuJqMvE9MaRY1bwUBvzoqavLGZ +j3SF1SPO+TB5QrHkrQHBsmX+Jda6d4Ylt8/t6CvMwgQNlrlzIO9WT+YN6zS+sqHd +1YK/aY5qhoLNhp9G/HxhcSVCkLq8SStj1ZZ1S9juBPoXV1ZWNbxFNGwOh/NYGldD +2kmBf3YgCqeLzHahsAEpvAm8TBa7Q9W21C8vABEBAAG0RUVsYXN0aWNzZWFyY2gg +KEVsYXN0aWNzZWFyY2ggU2lnbmluZyBLZXkpIDxkZXZfb3BzQGVsYXN0aWNzZWFy +Y2gub3JnPokBOAQTAQIAIgUCUjceygIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgEC +F4AACgkQ0n1mbNiOQrRzjAgAlTUQ1mgo3nK6BGXbj4XAJvuZDG0HILiUt+pPnz75 +nsf0NWhqR4yGFlmpuctgCmTD+HzYtV9fp9qW/bwVuJCNtKXk3sdzYABY+Yl0Cez/ +7C2GuGCOlbn0luCNT9BxJnh4mC9h/cKI3y5jvZ7wavwe41teqG14V+EoFSn3NPKm +TxcDTFrV7SmVPxCBcQze00cJhprKxkuZMPPVqpBS+JfDQtzUQD/LSFfhHj9eD+Xe +8d7sw+XvxB2aN4gnTlRzjL1nTRp0h2/IOGkqYfIG9rWmSLNlxhB2t+c0RsjdGM4/ +eRlPWylFbVMc5pmDpItrkWSnzBfkmXL3vO2X3WvwmSFiQbkBDQRSNx7KAQgA5JUl +zcMW5/cuyZR8alSacKqhSbvoSqqbzHKcUQZmlzNMKGTABFG1yRx9r+wa/fvqP6OT +RzRDvVS/cycws8YX7Ddum7x8uI95b9ye1/Xy5noPEm8cD+hplnpU+PBQZJ5XJ2I+ +1l9Nixx47wPGXeClLqcdn0ayd+v+Rwf3/XUJrvccG2YZUiQ4jWZkoxsA07xx7Bj+ +Lt8/FKG7sHRFvePFU0ZS6JFx9GJqjSBbHRRkam+4emW3uWgVfZxuwcUCn1ayNgRt +KiFv9jQrg2TIWEvzYx9tywTCxc+FFMWAlbCzi+m4WD+QUWWfDQ009U/WM0ks0Kww +EwSk/UDuToxGnKU2dQARAQABiQEfBBgBAgAJBQJSNx7KAhsMAAoJENJ9ZmzYjkK0 +c3MIAIE9hAR20mqJWLcsxLtrRs6uNF1VrpB+4n/55QU7oxA1iVBO6IFu4qgsF12J +TavnJ5MLaETlggXY+zDef9syTPXoQctpzcaNVDmedwo1SiL03uMoblOvWpMR/Y0j +6rm7IgrMWUDXDPvoPGjMl2q1iTeyHkMZEyUJ8SKsaHh4jV9wp9KmC8C+9CwMukL7 +vM5w8cgvJoAwsp3Fn59AxWthN3XJYcnMfStkIuWgR7U2r+a210W6vnUxU4oN0PmM +cursYPyeV0NX/KQeUeNMwGTFB6QHS/anRaGQewijkrYYoTNtfllxIu9XYmiBERQ/ +qPDlGRlOgVTd9xUfHFkzB52c70E= +=92oX +-----END PGP PUBLIC KEY BLOCK----- diff --git a/logstash/tasks/main.yml b/logstash/tasks/main.yml index fcaef9bb..16e9ae79 100644 --- a/logstash/tasks/main.yml +++ b/logstash/tasks/main.yml @@ -6,11 +6,32 @@ tags: - packages -- name: Install Elastic sources list - include_role: - name: elastic-sources-list +- name: APT https transport is enabled + apt: + name: apt-transport-https + state: present tags: - - packages + - logstash + - packages + +- name: Elastic GPG key is installed + apt_key: + # url: https://artifacts.elastic.co/GPG-KEY-elasticsearch + data: "{{ lookup('file', 'elasticsearch.key') }}" + state: present + tags: + - logstash + - packages + +- name: Elastic sources list is available + apt_repository: + repo: "deb https://artifacts.elastic.co/packages/5.x/apt stable main" + filename: elastic.list + state: present + update_cache: yes + tags: + - logstash + - packages - name: Logstash is installed apt: From 913e547f0401ae4e5378ed92b46186e181f8bf28 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 13 Jul 2017 14:58:44 +0200 Subject: [PATCH 047/277] Kibana: merge the proxy back into the main role --- kibana-proxy-nginx/README.md | 15 --------------- kibana-proxy-nginx/meta/main.yml | 19 ------------------- kibana/README.md | 6 ++++-- .../defaults/main.yml | 2 ++ kibana/tasks/main.yml | 3 +++ .../main.yml => kibana/tasks/proxy_nginx.yml | 0 .../templates/nginx_proxy_kibana_nossl.j2 | 0 .../templates/nginx_proxy_kibana_ssl.j2 | 2 +- 8 files changed, 10 insertions(+), 37 deletions(-) delete mode 100644 kibana-proxy-nginx/README.md delete mode 100644 kibana-proxy-nginx/meta/main.yml rename {kibana-proxy-nginx => kibana}/defaults/main.yml (86%) rename kibana-proxy-nginx/tasks/main.yml => kibana/tasks/proxy_nginx.yml (100%) rename {kibana-proxy-nginx => kibana}/templates/nginx_proxy_kibana_nossl.j2 (100%) rename {kibana-proxy-nginx => kibana}/templates/nginx_proxy_kibana_ssl.j2 (97%) diff --git a/kibana-proxy-nginx/README.md b/kibana-proxy-nginx/README.md deleted file mode 100644 index 637497f0..00000000 --- a/kibana-proxy-nginx/README.md +++ /dev/null @@ -1,15 +0,0 @@ -# kibana - -Install kibana proxy configurations (with or without SSL) for Nginx. - -## Tasks - -Everything is in the `tasks/main.yml` file. - -## Available variables - -The only variables are derived from gathered facts. - -By default, Kibana will bind to localhost:5601. - -The configurations are installed but not enabled. diff --git a/kibana-proxy-nginx/meta/main.yml b/kibana-proxy-nginx/meta/main.yml deleted file mode 100644 index ffa851f0..00000000 --- a/kibana-proxy-nginx/meta/main.yml +++ /dev/null @@ -1,19 +0,0 @@ -galaxy_info: - author: Evolix - description: Install kibana proxy configurations (with or without SSL) for Nginx. - - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues - - license: GPLv2 - - min_ansible_version: 2.2 - - platforms: - - name: Debian - versions: - - jessie - -dependencies: [] - # List your role dependencies here, one per line. - # Be sure to remove the '[]' above if you add dependencies - # to this list. diff --git a/kibana/README.md b/kibana/README.md index feda6871..5d95b5a7 100644 --- a/kibana/README.md +++ b/kibana/README.md @@ -8,7 +8,9 @@ Everything is in the `tasks/main.yml` file. ## Available variables -The only variables are derived from gathered facts. +* `kibana_proxy_nginx` : configure an Nginx proxy (not enabled) for Kibana (default: `False`) ; +* `kibana_proxy_domain` : domain to use for the proxy ; +* `kibana_proxy_ssl_cert` : certificate to use for the proxy ; +* `kibana_proxy_ssl_key` : private key to use for the proxy ; By default, Kibana will bind to localhost:5601. -If Nginx is installed, a typical proxy configuration is copied into `/etc/nginx/sites-available`. It can be tweeked and enabled by hand. diff --git a/kibana-proxy-nginx/defaults/main.yml b/kibana/defaults/main.yml similarity index 86% rename from kibana-proxy-nginx/defaults/main.yml rename to kibana/defaults/main.yml index 28477d87..7e7555f1 100644 --- a/kibana-proxy-nginx/defaults/main.yml +++ b/kibana/defaults/main.yml @@ -1,4 +1,6 @@ --- +kibana_proxy_nginx: False + kibana_proxy_domain: "kibana.{{ ansible_fqdn }}" kibana_proxy_ssl_cert: "/etc/ssl/certs/{{ ansible_fqdn }}.crt" kibana_proxy_ssl_key: "/etc/ssl/private/{{ ansible_fqdn }}.key" diff --git a/kibana/tasks/main.yml b/kibana/tasks/main.yml index f5d20066..9cf74638 100644 --- a/kibana/tasks/main.yml +++ b/kibana/tasks/main.yml @@ -78,3 +78,6 @@ args: warn: no when: mount.rc == 0 and not mount.stdout_lines.0 | search("rw") + +- include: proxy_nginx.yml + when: kibana_proxy_nginx diff --git a/kibana-proxy-nginx/tasks/main.yml b/kibana/tasks/proxy_nginx.yml similarity index 100% rename from kibana-proxy-nginx/tasks/main.yml rename to kibana/tasks/proxy_nginx.yml diff --git a/kibana-proxy-nginx/templates/nginx_proxy_kibana_nossl.j2 b/kibana/templates/nginx_proxy_kibana_nossl.j2 similarity index 100% rename from kibana-proxy-nginx/templates/nginx_proxy_kibana_nossl.j2 rename to kibana/templates/nginx_proxy_kibana_nossl.j2 diff --git a/kibana-proxy-nginx/templates/nginx_proxy_kibana_ssl.j2 b/kibana/templates/nginx_proxy_kibana_ssl.j2 similarity index 97% rename from kibana-proxy-nginx/templates/nginx_proxy_kibana_ssl.j2 rename to kibana/templates/nginx_proxy_kibana_ssl.j2 index 8903ca76..ea2e06c9 100644 --- a/kibana-proxy-nginx/templates/nginx_proxy_kibana_ssl.j2 +++ b/kibana/templates/nginx_proxy_kibana_ssl.j2 @@ -11,7 +11,7 @@ server { server { charset utf-8; - listen 443 ssl spdy; + listen 443 ssl; server_name {{ kibana_proxy_domain }}; From b2278a151c041d6dade3c533443a030eb0d08f5a Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 13 Jul 2017 15:06:49 +0200 Subject: [PATCH 048/277] minifirewall: merge the "tail" pattern back into the main role --- minifirewall-tail/README.md | 10 ---------- minifirewall-tail/meta/main.yml | 19 ------------------- minifirewall/README.md | 13 ++++++++++++- minifirewall/defaults/main.yml | 2 ++ minifirewall/tasks/main.yml | 3 +++ .../main.yml => minifirewall/tasks/tail.yml | 0 .../templates/minifirewall.default.tail.j2 | 0 7 files changed, 17 insertions(+), 30 deletions(-) delete mode 100644 minifirewall-tail/README.md delete mode 100644 minifirewall-tail/meta/main.yml rename minifirewall-tail/tasks/main.yml => minifirewall/tasks/tail.yml (100%) rename {minifirewall-tail => minifirewall}/templates/minifirewall.default.tail.j2 (100%) diff --git a/minifirewall-tail/README.md b/minifirewall-tail/README.md deleted file mode 100644 index 6be689dd..00000000 --- a/minifirewall-tail/README.md +++ /dev/null @@ -1,10 +0,0 @@ -# minifirewall-tail - -Compiles a `minifirewall.tail` file based on templates and source it at the end of minifirewall configuration. - -Templates are looked up in that order : -1. `{{ playbook_dir}}/templates/minifirewall-tail/minifirewall.{{ inventory_hostname}}.tail.j2` -2. `{{ playbook_dir}}/templates/minifirewall-tail/minifirewall.{{ host_group}}.tail.j2` (NB : `host_group` is not a core variable, it must be defined in `group_vars` files.) -3. `{{ playbook_dir}}/templates/minifirewall-tail/minifirewall.default.tail.j2` - -If nothing is found, the role falls back to the template embedded in the role : `templates/minifirewall.default.tail.j2` diff --git a/minifirewall-tail/meta/main.yml b/minifirewall-tail/meta/main.yml deleted file mode 100644 index 5cbe5e02..00000000 --- a/minifirewall-tail/meta/main.yml +++ /dev/null @@ -1,19 +0,0 @@ -galaxy_info: - author: Evolix - description: Additionla configuration for Minifirewall - - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues - - license: GPLv2 - - min_ansible_version: 2.2 - - platforms: - - name: Debian - versions: - - jessie - -dependencies: [] - # List your role dependencies here, one per line. - # Be sure to remove the '[]' above if you add dependencies - # to this list. diff --git a/minifirewall/README.md b/minifirewall/README.md index ab0e6abf..67b389f1 100644 --- a/minifirewall/README.md +++ b/minifirewall/README.md @@ -15,7 +15,18 @@ Everything is in the `tasks/main.yml` file. * `minifirewall_int_lan`: (default: IP/32) * `minifirewall_trusted_ips`: with IP/hosts should be trusted for full access (default: none) * `minifirewall_privilegied_ips`: with IP/hosts should be trusted for restricted access (default: none) - +* `minifirewall_tail_included` : source a "tail" file at the end of the main config file. (default: `False`) The full list of variables (with default values) can be found in `defaults/main.yml`. **Some IP/hosts must be configured or the server will be inaccessible via network.** + +## minifirewall-tail + +Compiles a `minifirewall.tail` file based on templates and source it at the end of minifirewall configuration. + +Templates are looked up in that order : +1. `{{ playbook_dir}}/templates/minifirewall-tail/minifirewall.{{ inventory_hostname}}.tail.j2` +2. `{{ playbook_dir}}/templates/minifirewall-tail/minifirewall.{{ host_group}}.tail.j2` (NB : `host_group` is not a core variable, it must be defined in `group_vars` files.) +3. `{{ playbook_dir}}/templates/minifirewall-tail/minifirewall.default.tail.j2` + +If nothing is found, the role falls back to the template embedded in the role : `templates/minifirewall.default.tail.j2` diff --git a/minifirewall/defaults/main.yml b/minifirewall/defaults/main.yml index 760b35cc..c3e2af96 100644 --- a/minifirewall/defaults/main.yml +++ b/minifirewall/defaults/main.yml @@ -1,4 +1,6 @@ --- +minifirewall_tail_included: False + minifirewall_git_url: "https://forge.evolix.org/minifirewall.git" minifirewall_checkout_path: "/tmp/minifirewall" minifirewall_int: "{{ ansible_default_ipv4.interface }}" diff --git a/minifirewall/tasks/main.yml b/minifirewall/tasks/main.yml index 7727308b..851d1917 100644 --- a/minifirewall/tasks/main.yml +++ b/minifirewall/tasks/main.yml @@ -5,3 +5,6 @@ - include: config.yml - include: activate.yml + +- include: tail.yml + when: minifirewall_tail_included diff --git a/minifirewall-tail/tasks/main.yml b/minifirewall/tasks/tail.yml similarity index 100% rename from minifirewall-tail/tasks/main.yml rename to minifirewall/tasks/tail.yml diff --git a/minifirewall-tail/templates/minifirewall.default.tail.j2 b/minifirewall/templates/minifirewall.default.tail.j2 similarity index 100% rename from minifirewall-tail/templates/minifirewall.default.tail.j2 rename to minifirewall/templates/minifirewall.default.tail.j2 From 183c46762177e95c541b130d08b7089b2e73ca51 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 13 Jul 2017 15:23:23 +0200 Subject: [PATCH 049/277] Elasticsearch: merge the head plugin install back into the main role --- elasticsearch-plugin-head/README.md | 22 --------------- elasticsearch-plugin-head/defaults/main.yml | 6 ----- elasticsearch-plugin-head/handlers/main.yml | 6 ----- elasticsearch-plugin-head/meta/main.yml | 27 ------------------- elasticsearch/README.md | 16 +++++++++++ elasticsearch/defaults/main.yml | 7 +++++ elasticsearch/handlers/main.yml | 3 ++- elasticsearch/tasks/main.yml | 3 +++ .../tasks/plugin_head.yml | 0 9 files changed, 28 insertions(+), 62 deletions(-) delete mode 100644 elasticsearch-plugin-head/README.md delete mode 100644 elasticsearch-plugin-head/defaults/main.yml delete mode 100644 elasticsearch-plugin-head/handlers/main.yml delete mode 100644 elasticsearch-plugin-head/meta/main.yml rename elasticsearch-plugin-head/tasks/main.yml => elasticsearch/tasks/plugin_head.yml (100%) diff --git a/elasticsearch-plugin-head/README.md b/elasticsearch-plugin-head/README.md deleted file mode 100644 index 442550b5..00000000 --- a/elasticsearch-plugin-head/README.md +++ /dev/null @@ -1,22 +0,0 @@ -# elasticsearch-plugin-head - -Install Head (Elasticsearch plugin). - -## Tasks - -Everything is in the `tasks/main.yml` file. - -## Variables - -* `elasticsearch_plugin_head_basedir`: base directory (default : `/var/www`) ; -* `elasticsearch_plugin_head_clone_name`: directory name for git clone. - -## Misc - -To use this plugin, you have to run the built-in webserver (using Grunt/NodeJS), or point a webserver to the path. More details here : https://github.com/mobz/elasticsearch-head#running-with-built-in-server - -For example, to run the built-in server, with "www-data" user : - -``` -# sudo -u www-data bash -c 'cd /var/www/elasticsearch-head && grunt server' -``` diff --git a/elasticsearch-plugin-head/defaults/main.yml b/elasticsearch-plugin-head/defaults/main.yml deleted file mode 100644 index d12d9b4a..00000000 --- a/elasticsearch-plugin-head/defaults/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -elasticsearch_plugin_head_owner: "elasticsearch-head" -elasticsearch_plugin_head_group: "{{ elasticsearch_plugin_head_owner }}" -elasticsearch_plugin_head_home: "/home/{{ elasticsearch_plugin_head_owner }}" -elasticsearch_plugin_head_clone_dir: "{{ elasticsearch_plugin_head_home }}/www" -elasticsearch_plugin_head_tmp_dir: "{{ elasticsearch_plugin_head_home }}/tmp" diff --git a/elasticsearch-plugin-head/handlers/main.yml b/elasticsearch-plugin-head/handlers/main.yml deleted file mode 100644 index 84a96121..00000000 --- a/elasticsearch-plugin-head/handlers/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- - -- name: restart elasticsearch - service: - name: elasticsearch - state: restarted diff --git a/elasticsearch-plugin-head/meta/main.yml b/elasticsearch-plugin-head/meta/main.yml deleted file mode 100644 index cd899a1a..00000000 --- a/elasticsearch-plugin-head/meta/main.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- -galaxy_info: - author: Evolix - description: Install the Head plugin for Elasticsearch. - - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues - - license: GPLv2 - - min_ansible_version: 2.2 - - platforms: - - name: Debian - versions: - - jessie - - galaxy_tags: [] - # List tags for your role here, one per line. A tag is - # a keyword that describes and categorizes the role. - # Users find roles by searching for tags. Be sure to - # remove the '[]' above if you add tags to this list. - # - # NOTE: A tag is limited to a single word comprised of - # alphanumeric characters. Maximum 20 tags per role. - -dependencies: - - nodejs diff --git a/elasticsearch/README.md b/elasticsearch/README.md index acdd1552..113fe4a7 100644 --- a/elasticsearch/README.md +++ b/elasticsearch/README.md @@ -24,3 +24,19 @@ Tasks are extracted in several files, included in `tasks/main.yml` : * `elasticsearch_jvm_xmx`: maximum heap size reserved for the JVM (defaults to 2g). By default, Elasticsearch will listen to the public interfaces (`_site_` cf. https://www.elastic.co/guide/en/elasticsearch/reference/5.0/important-settings.html#network.host), so you will have to secure it, with firewall rules for example. + +## Head plugin + +The "head" plugin can be installed : + +* `elasticsearch_plugin_head` : enable the plugin installation (default: `False`) ; +* `elasticsearch_plugin_head_basedir`: base directory (default : `/var/www`) ; +* `elasticsearch_plugin_head_clone_name`: directory name for git clone. + +To use this plugin, you have to run the built-in webserver (using Grunt/NodeJS), or point a webserver to the path. More details here : https://github.com/mobz/elasticsearch-head#running-with-built-in-server + +For example, to run the built-in server, with "www-data" user : + +``` +# sudo -u www-data bash -c 'cd /var/www/elasticsearch-head && grunt server' +``` diff --git a/elasticsearch/defaults/main.yml b/elasticsearch/defaults/main.yml index a3a7180f..8a80c92e 100644 --- a/elasticsearch/defaults/main.yml +++ b/elasticsearch/defaults/main.yml @@ -8,3 +8,10 @@ elasticsearch_custom_tmpdir: Null elasticsearch_default_tmpdir: /var/lib/elasticsearch/tmp elasticsearch_jvm_xms: 2g elasticsearch_jvm_xmx: 2g + +elasticsearch_plugin_head: False +elasticsearch_plugin_head_owner: "elasticsearch-head" +elasticsearch_plugin_head_group: "{{ elasticsearch_plugin_head_owner }}" +elasticsearch_plugin_head_home: "/home/{{ elasticsearch_plugin_head_owner }}" +elasticsearch_plugin_head_clone_dir: "{{ elasticsearch_plugin_head_home }}/www" +elasticsearch_plugin_head_tmp_dir: "{{ elasticsearch_plugin_head_home }}/tmp" diff --git a/elasticsearch/handlers/main.yml b/elasticsearch/handlers/main.yml index f21919c2..e1249341 100644 --- a/elasticsearch/handlers/main.yml +++ b/elasticsearch/handlers/main.yml @@ -6,4 +6,5 @@ state: restarted - name: reload elasticsearch unit - command: systemctl daemon-reload + systemd: + daemon_reload: yes diff --git a/elasticsearch/tasks/main.yml b/elasticsearch/tasks/main.yml index 89515c05..6cb09943 100644 --- a/elasticsearch/tasks/main.yml +++ b/elasticsearch/tasks/main.yml @@ -9,3 +9,6 @@ - include: datadir.yml - include: tmpdir.yml + +- include: plugin_head.yml + when: elasticsearch_plugin_head diff --git a/elasticsearch-plugin-head/tasks/main.yml b/elasticsearch/tasks/plugin_head.yml similarity index 100% rename from elasticsearch-plugin-head/tasks/main.yml rename to elasticsearch/tasks/plugin_head.yml From f31a9db64c9d21af367981373aa7dff22516b589 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 13 Jul 2017 15:31:04 +0200 Subject: [PATCH 050/277] Elasticsearch: merge the curator role back into the main role --- elasticsearch-curator/README.md | 9 ------ elasticsearch-curator/meta/main.yml | 29 ------------------- elasticsearch/README.md | 6 ++++ elasticsearch/defaults/main.yml | 2 ++ .../tasks/curator.yml | 22 ++++---------- elasticsearch/tasks/main.yml | 3 ++ 6 files changed, 16 insertions(+), 55 deletions(-) delete mode 100644 elasticsearch-curator/README.md delete mode 100644 elasticsearch-curator/meta/main.yml rename elasticsearch-curator/tasks/main.yml => elasticsearch/tasks/curator.yml (51%) diff --git a/elasticsearch-curator/README.md b/elasticsearch-curator/README.md deleted file mode 100644 index 39e3da46..00000000 --- a/elasticsearch-curator/README.md +++ /dev/null @@ -1,9 +0,0 @@ -# elasticsearch-curator - -Install Elasticsearch Curtor, for index management. - -## Tasks - -Everything is in the `tasks/main.yml` file. - -## Available variables diff --git a/elasticsearch-curator/meta/main.yml b/elasticsearch-curator/meta/main.yml deleted file mode 100644 index 0b48e8c4..00000000 --- a/elasticsearch-curator/meta/main.yml +++ /dev/null @@ -1,29 +0,0 @@ ---- -galaxy_info: - author: Evolix - description: Install Elasticsearch Curtor, for index management. - - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues - - license: GPLv2 - - min_ansible_version: 2.2 - - platforms: - - name: Debian - versions: - - jessie - - galaxy_tags: [] - # List tags for your role here, one per line. A tag is - # a keyword that describes and categorizes the role. - # Users find roles by searching for tags. Be sure to - # remove the '[]' above if you add tags to this list. - # - # NOTE: A tag is limited to a single word comprised of - # alphanumeric characters. Maximum 20 tags per role. - -dependencies: [] - # List your role dependencies here, one per line. - # Be sure to remove the '[]' above if you add dependencies - # to this list. diff --git a/elasticsearch/README.md b/elasticsearch/README.md index 113fe4a7..a6fa0b14 100644 --- a/elasticsearch/README.md +++ b/elasticsearch/README.md @@ -25,6 +25,12 @@ Tasks are extracted in several files, included in `tasks/main.yml` : By default, Elasticsearch will listen to the public interfaces (`_site_` cf. https://www.elastic.co/guide/en/elasticsearch/reference/5.0/important-settings.html#network.host), so you will have to secure it, with firewall rules for example. +## Curator + +Curator can be installed. : + +* `elasticsearch_curator` : enable the package installation (default: `False`) ; + ## Head plugin The "head" plugin can be installed : diff --git a/elasticsearch/defaults/main.yml b/elasticsearch/defaults/main.yml index 8a80c92e..77e36070 100644 --- a/elasticsearch/defaults/main.yml +++ b/elasticsearch/defaults/main.yml @@ -9,6 +9,8 @@ elasticsearch_default_tmpdir: /var/lib/elasticsearch/tmp elasticsearch_jvm_xms: 2g elasticsearch_jvm_xmx: 2g +elasticsearch_curator: False + elasticsearch_plugin_head: False elasticsearch_plugin_head_owner: "elasticsearch-head" elasticsearch_plugin_head_group: "{{ elasticsearch_plugin_head_owner }}" diff --git a/elasticsearch-curator/tasks/main.yml b/elasticsearch/tasks/curator.yml similarity index 51% rename from elasticsearch-curator/tasks/main.yml rename to elasticsearch/tasks/curator.yml index 4fef07b9..c1a10658 100644 --- a/elasticsearch-curator/tasks/main.yml +++ b/elasticsearch/tasks/curator.yml @@ -1,30 +1,18 @@ --- -- name: APT https transport is enabled - apt: - name: apt-transport-https - state: present - tags: - - system - - packages - -- name: Elastic GPG key is installed - apt_key: - url: https://packages.elastic.co/GPG-KEY-elasticsearch - state: present - tags: - - system - - packages - - name: Curator sources list is available apt_repository: repo: "deb http://packages.elastic.co/curator/4/debian stable main" + update_cache: yes state: present tags: - - system + - curator - packages - name: Curator package is installed apt: name: elasticsearch-curator state: present + tags: + - curator + - packages diff --git a/elasticsearch/tasks/main.yml b/elasticsearch/tasks/main.yml index 6cb09943..00be05ed 100644 --- a/elasticsearch/tasks/main.yml +++ b/elasticsearch/tasks/main.yml @@ -12,3 +12,6 @@ - include: plugin_head.yml when: elasticsearch_plugin_head + +- include: curator.yml + when: elasticsearch_curator From 9caf04e01f95500e2bbba60a6f44871b4d516cf4 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 13 Jul 2017 15:31:59 +0200 Subject: [PATCH 051/277] elastic-stack: this meta role is useless --- elastic-stack/README.md | 10 ---------- elastic-stack/meta/main.yml | 26 -------------------------- elastic-stack/tasks/main.yml | 13 ------------- 3 files changed, 49 deletions(-) delete mode 100644 elastic-stack/README.md delete mode 100644 elastic-stack/meta/main.yml delete mode 100644 elastic-stack/tasks/main.yml diff --git a/elastic-stack/README.md b/elastic-stack/README.md deleted file mode 100644 index 22f09223..00000000 --- a/elastic-stack/README.md +++ /dev/null @@ -1,10 +0,0 @@ -# elastic-stack - -Install the Elastic Stack. - -It is a "meta-role" for : - -- elasticsearch -- elasticsearch-plugin-head -- logstash -- kibana diff --git a/elastic-stack/meta/main.yml b/elastic-stack/meta/main.yml deleted file mode 100644 index 94d60626..00000000 --- a/elastic-stack/meta/main.yml +++ /dev/null @@ -1,26 +0,0 @@ ---- -galaxy_info: - author: Evolix - description: Single server install of the Elastic Stack (Elasticsearch, Logstash, Kibana) - - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues - - license: GPLv2 - - min_ansible_version: 2.2 - - platforms: - - name: Debian - versions: - - jessie - - galaxy_tags: [] - # List tags for your role here, one per line. A tag is - # a keyword that describes and categorizes the role. - # Users find roles by searching for tags. Be sure to - # remove the '[]' above if you add tags to this list. - # - # NOTE: A tag is limited to a single word comprised of - # alphanumeric characters. Maximum 20 tags per role. - -dependencies: [] diff --git a/elastic-stack/tasks/main.yml b/elastic-stack/tasks/main.yml deleted file mode 100644 index ad01cef0..00000000 --- a/elastic-stack/tasks/main.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- - -- include_role: - name: elasticsearch - -- include_role: - name: elasticsearch-plugin-head - -- include_role: - name: logstash - -- include_role: - name: kibana From 13b4fbb6bb3d838538729bb8fea72f03abf3ba9b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 13 Jul 2017 15:57:42 +0200 Subject: [PATCH 052/277] Newrelic: merge roles --- newrelic-php/README.md | 14 ---------- newrelic-php/meta/main.yml | 19 ------------- newrelic-sources/.kitchen.yml | 28 ------------------- newrelic-sources/README.md | 9 ------ newrelic-sources/meta/main.yml | 19 ------------- newrelic-sources/tests/test.yml | 4 --- newrelic-sysmond/.kitchen.yml | 28 ------------------- newrelic-sysmond/README.md | 13 --------- newrelic-sysmond/defaults/main.yml | 2 -- newrelic-sysmond/handlers/main.yml | 6 ---- newrelic-sysmond/tests/test.yml | 4 --- {newrelic-php => newrelic}/.kitchen.yml | 0 newrelic/README.md | 17 +++++++++++ {newrelic-php => newrelic}/defaults/main.yml | 4 +++ .../files/548C16BF.gpg | 0 .../handlers/main.yml | 5 ++++ {newrelic-sysmond => newrelic}/meta/main.yml | 2 +- newrelic/tasks/main.yml | 9 ++++++ .../tasks/main.yml => newrelic/tasks/php.yml | 3 +- .../main.yml => newrelic/tasks/sources.yml | 18 ++++++------ .../main.yml => newrelic/tasks/sysmond.yml | 2 -- {newrelic-php => newrelic}/tests/test.yml | 2 +- 22 files changed, 47 insertions(+), 161 deletions(-) delete mode 100644 newrelic-php/README.md delete mode 100644 newrelic-php/meta/main.yml delete mode 100644 newrelic-sources/.kitchen.yml delete mode 100644 newrelic-sources/README.md delete mode 100644 newrelic-sources/meta/main.yml delete mode 100644 newrelic-sources/tests/test.yml delete mode 100644 newrelic-sysmond/.kitchen.yml delete mode 100644 newrelic-sysmond/README.md delete mode 100644 newrelic-sysmond/defaults/main.yml delete mode 100644 newrelic-sysmond/handlers/main.yml delete mode 100644 newrelic-sysmond/tests/test.yml rename {newrelic-php => newrelic}/.kitchen.yml (100%) create mode 100644 newrelic/README.md rename {newrelic-php => newrelic}/defaults/main.yml (50%) rename {newrelic-sources => newrelic}/files/548C16BF.gpg (100%) rename {newrelic-sources => newrelic}/handlers/main.yml (67%) rename {newrelic-sysmond => newrelic}/meta/main.yml (88%) create mode 100644 newrelic/tasks/main.yml rename newrelic-php/tasks/main.yml => newrelic/tasks/php.yml (96%) rename newrelic-sources/tasks/main.yml => newrelic/tasks/sources.yml (84%) rename newrelic-sysmond/tasks/main.yml => newrelic/tasks/sysmond.yml (88%) rename {newrelic-php => newrelic}/tests/test.yml (58%) diff --git a/newrelic-php/README.md b/newrelic-php/README.md deleted file mode 100644 index 36903349..00000000 --- a/newrelic-php/README.md +++ /dev/null @@ -1,14 +0,0 @@ -# newrelic-php - -Installation of NewRelic PHP agent. - -## Tasks - -Everything is in the `tasks/main.yml` file. - -A license key and an application name can be provided to pre-configure the agent. - -## Variables - -* `newrelic_license`: license key (default: empty). -* `newrelic_appname`: application name (default: empty). diff --git a/newrelic-php/meta/main.yml b/newrelic-php/meta/main.yml deleted file mode 100644 index 90f90d1b..00000000 --- a/newrelic-php/meta/main.yml +++ /dev/null @@ -1,19 +0,0 @@ -galaxy_info: - author: Evolix - description: Installation of NewRelic PHP agent. - - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues - - license: GPLv2 - - min_ansible_version: 2.2 - - platforms: - - name: Debian - versions: - - jessie - -dependencies: [] - # List your role dependencies here, one per line. - # Be sure to remove the '[]' above if you add dependencies - # to this list. diff --git a/newrelic-sources/.kitchen.yml b/newrelic-sources/.kitchen.yml deleted file mode 100644 index b21cc3db..00000000 --- a/newrelic-sources/.kitchen.yml +++ /dev/null @@ -1,28 +0,0 @@ ---- -driver: - name: docker - privileged: true - use_sudo: false - -provisioner: - name: ansible_playbook - hosts: test-kitchen - roles_path: ../ - ansible_verbose: true - require_ansible_source: false - require_chef_for_busser: false - idempotency_test: true - -platforms: - - name: debian - driver_config: - image: evolix/ansible:2.2.1 - -suites: - - name: default - provisioner: - name: ansible_playbook - playbook: ./tests/test.yml - -transport: - max_ssh_sessions: 6 diff --git a/newrelic-sources/README.md b/newrelic-sources/README.md deleted file mode 100644 index 2b9ddb9d..00000000 --- a/newrelic-sources/README.md +++ /dev/null @@ -1,9 +0,0 @@ -# newrelic-sources - -Installation of NewRelic repository for APT sources. - -## Tasks - -Everything is in the `tasks/main.yml` file. - -NB : the repository key is store in the role and not fetched online, for performance reasons. diff --git a/newrelic-sources/meta/main.yml b/newrelic-sources/meta/main.yml deleted file mode 100644 index 19506b43..00000000 --- a/newrelic-sources/meta/main.yml +++ /dev/null @@ -1,19 +0,0 @@ -galaxy_info: - author: Evolix - description: Installation of NewRelic repository for APT sources. - - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues - - license: GPLv2 - - min_ansible_version: 2.2 - - platforms: - - name: Debian - versions: - - jessie - -dependencies: [] - # List your role dependencies here, one per line. - # Be sure to remove the '[]' above if you add dependencies - # to this list. diff --git a/newrelic-sources/tests/test.yml b/newrelic-sources/tests/test.yml deleted file mode 100644 index 3813409e..00000000 --- a/newrelic-sources/tests/test.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- hosts: test-kitchen - roles: - - role: newrelic-sources diff --git a/newrelic-sysmond/.kitchen.yml b/newrelic-sysmond/.kitchen.yml deleted file mode 100644 index b21cc3db..00000000 --- a/newrelic-sysmond/.kitchen.yml +++ /dev/null @@ -1,28 +0,0 @@ ---- -driver: - name: docker - privileged: true - use_sudo: false - -provisioner: - name: ansible_playbook - hosts: test-kitchen - roles_path: ../ - ansible_verbose: true - require_ansible_source: false - require_chef_for_busser: false - idempotency_test: true - -platforms: - - name: debian - driver_config: - image: evolix/ansible:2.2.1 - -suites: - - name: default - provisioner: - name: ansible_playbook - playbook: ./tests/test.yml - -transport: - max_ssh_sessions: 6 diff --git a/newrelic-sysmond/README.md b/newrelic-sysmond/README.md deleted file mode 100644 index c63e4d05..00000000 --- a/newrelic-sysmond/README.md +++ /dev/null @@ -1,13 +0,0 @@ -# newrelic-sysmond - -Installation of NewRelic sysmond. - -## Tasks - -Everything is in the `tasks/main.yml` file. - -if a license key is provided, the daemon is configured. - -## Variables - -* `newrelic_license`: license key (default: empty). diff --git a/newrelic-sysmond/defaults/main.yml b/newrelic-sysmond/defaults/main.yml deleted file mode 100644 index e2d18908..00000000 --- a/newrelic-sysmond/defaults/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -newrelic_license: "" diff --git a/newrelic-sysmond/handlers/main.yml b/newrelic-sysmond/handlers/main.yml deleted file mode 100644 index 5f5a2562..00000000 --- a/newrelic-sysmond/handlers/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- - -- name: restart newrelic-sysmond - systemd: - name: newrelic-sysmond - state: restarted diff --git a/newrelic-sysmond/tests/test.yml b/newrelic-sysmond/tests/test.yml deleted file mode 100644 index 69165293..00000000 --- a/newrelic-sysmond/tests/test.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- hosts: test-kitchen - roles: - - role: newrelic-sysmond diff --git a/newrelic-php/.kitchen.yml b/newrelic/.kitchen.yml similarity index 100% rename from newrelic-php/.kitchen.yml rename to newrelic/.kitchen.yml diff --git a/newrelic/README.md b/newrelic/README.md new file mode 100644 index 00000000..ee22f3bc --- /dev/null +++ b/newrelic/README.md @@ -0,0 +1,17 @@ +# newrelic-sources + +Installation of NewRelic tools. + +## Tasks + +Everything is in the `tasks/main.yml` file. + +NB : the repository key is store in the role and not fetched online, for performance reasons. + +## Variables + +* `newrelic_license`: license key (default: empty). +* `newrelic_appname`: application name (default: empty). + +* `newrelic_php` : install the php module (default: `False`) +* `newrelic_sysmond` : install the sysmond agent (default: `True`) diff --git a/newrelic-php/defaults/main.yml b/newrelic/defaults/main.yml similarity index 50% rename from newrelic-php/defaults/main.yml rename to newrelic/defaults/main.yml index b568b78e..cddbcb0b 100644 --- a/newrelic-php/defaults/main.yml +++ b/newrelic/defaults/main.yml @@ -1,3 +1,7 @@ --- +newrelic_sysmond: True + +newrelic_php: False + newrelic_license: "" newrelic_appname: "" diff --git a/newrelic-sources/files/548C16BF.gpg b/newrelic/files/548C16BF.gpg similarity index 100% rename from newrelic-sources/files/548C16BF.gpg rename to newrelic/files/548C16BF.gpg diff --git a/newrelic-sources/handlers/main.yml b/newrelic/handlers/main.yml similarity index 67% rename from newrelic-sources/handlers/main.yml rename to newrelic/handlers/main.yml index 3e8e7d5a..4ad78be9 100644 --- a/newrelic-sources/handlers/main.yml +++ b/newrelic/handlers/main.yml @@ -13,3 +13,8 @@ - name: apt update apt: update_cache: yes + +- name: restart newrelic-sysmond + systemd: + name: newrelic-sysmond + state: restarted diff --git a/newrelic-sysmond/meta/main.yml b/newrelic/meta/main.yml similarity index 88% rename from newrelic-sysmond/meta/main.yml rename to newrelic/meta/main.yml index cd47e809..b355644e 100644 --- a/newrelic-sysmond/meta/main.yml +++ b/newrelic/meta/main.yml @@ -1,6 +1,6 @@ galaxy_info: author: Evolix - description: Installation of NewRelic sysmond. + description: Installation of NewRelic tools. issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues diff --git a/newrelic/tasks/main.yml b/newrelic/tasks/main.yml new file mode 100644 index 00000000..7537214d --- /dev/null +++ b/newrelic/tasks/main.yml @@ -0,0 +1,9 @@ +--- + +- include: sources.yml + +- include: php.yml + when: newrelic_php + +- include: sysmond.yml + when: newrelic_sysmond diff --git a/newrelic-php/tasks/main.yml b/newrelic/tasks/php.yml similarity index 96% rename from newrelic-php/tasks/main.yml rename to newrelic/tasks/php.yml index c5ce2fe5..712b42f2 100644 --- a/newrelic-php/tasks/main.yml +++ b/newrelic/tasks/php.yml @@ -1,6 +1,4 @@ --- -- include_role: - name: newrelic-sources - name: Pre-seed package configuration with app name debconf: @@ -41,3 +39,4 @@ - name: Install package for PHP apt: name: newrelic-php5 + state: installed diff --git a/newrelic-sources/tasks/main.yml b/newrelic/tasks/sources.yml similarity index 84% rename from newrelic-sources/tasks/main.yml rename to newrelic/tasks/sources.yml index 86b6a1d4..cdcf5dc2 100644 --- a/newrelic-sources/tasks/main.yml +++ b/newrelic/tasks/sources.yml @@ -1,16 +1,10 @@ --- + - name: Add dotdeb GPG key apt_key: # url: https://download.newrelic.com/548C16BF.gpg data: "{{ lookup('file', '548C16BF.gpg') }}" -- name: Find squid config whitelist - shell: find /etc/squid/whitelist-custom.conf /etc/squid3/whitelist-custom.conf /etc/squid/whitelist.conf /etc/squid3/whitelist.conf 2> /dev/null - failed_when: false - changed_when: false - check_mode: no - register: squid_whitelist_files - - name: set squid_service_name=squid3 for Debian < 9 set_fact: squid_service_name: squid3 @@ -18,6 +12,13 @@ - ansible_distribution == "Debian" - ansible_distribution_major_version | version_compare('9', '<') +- name: Find squid config whitelist + shell: find /etc/{{ squid_service_name | default('squid') }}/whitelist-custom.conf /etc/{{ squid_service_name | default('squid') }}/whitelist.conf 2> /dev/null + failed_when: false + changed_when: false + check_mode: no + register: squid_whitelist_files + - name: Append packages.dotdeb.org to Squid whitelist lineinfile: dest: "{{ squid_whitelist_files.stdout_lines | first }}" @@ -33,5 +34,4 @@ repo: "deb http://apt.newrelic.com/debian/ newrelic non-free" state: present filename: newrelic - -- meta: flush_handlers + update_cache: yes diff --git a/newrelic-sysmond/tasks/main.yml b/newrelic/tasks/sysmond.yml similarity index 88% rename from newrelic-sysmond/tasks/main.yml rename to newrelic/tasks/sysmond.yml index a586efbf..5d72a470 100644 --- a/newrelic-sysmond/tasks/main.yml +++ b/newrelic/tasks/sysmond.yml @@ -1,6 +1,4 @@ --- -- include_role: - name: newrelic-sources - name: Install system monitor daemon apt: diff --git a/newrelic-php/tests/test.yml b/newrelic/tests/test.yml similarity index 58% rename from newrelic-php/tests/test.yml rename to newrelic/tests/test.yml index c85b0f1c..3a6d806e 100644 --- a/newrelic-php/tests/test.yml +++ b/newrelic/tests/test.yml @@ -1,4 +1,4 @@ --- - hosts: test-kitchen roles: - - role: newrelic-php + - role: newrelic From b6fac44dabd7a238865f58854c62f3ef3f2560c6 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 13 Jul 2017 16:09:51 +0200 Subject: [PATCH 053/277] Rename ntp to ntpd --- {ntp => ntpd}/defaults/main.yml | 0 {ntp => ntpd}/handlers/main.yml | 0 {ntp => ntpd}/tasks/main.yml | 0 {ntp => ntpd}/templates/ntp.conf.j2 | 0 4 files changed, 0 insertions(+), 0 deletions(-) rename {ntp => ntpd}/defaults/main.yml (100%) rename {ntp => ntpd}/handlers/main.yml (100%) rename {ntp => ntpd}/tasks/main.yml (100%) rename {ntp => ntpd}/templates/ntp.conf.j2 (100%) diff --git a/ntp/defaults/main.yml b/ntpd/defaults/main.yml similarity index 100% rename from ntp/defaults/main.yml rename to ntpd/defaults/main.yml diff --git a/ntp/handlers/main.yml b/ntpd/handlers/main.yml similarity index 100% rename from ntp/handlers/main.yml rename to ntpd/handlers/main.yml diff --git a/ntp/tasks/main.yml b/ntpd/tasks/main.yml similarity index 100% rename from ntp/tasks/main.yml rename to ntpd/tasks/main.yml diff --git a/ntp/templates/ntp.conf.j2 b/ntpd/templates/ntp.conf.j2 similarity index 100% rename from ntp/templates/ntp.conf.j2 rename to ntpd/templates/ntp.conf.j2 From 5175ea679b91ff8384939cb26e1c559fd209e509 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 13 Jul 2017 16:10:11 +0200 Subject: [PATCH 054/277] Rename dhcp to dhcpd --- {dhcp => dhcpd}/.kitchen.yml | 0 {dhcp => dhcpd}/README.md | 0 {dhcp => dhcpd}/defaults/main.yml | 0 {dhcp => dhcpd}/handlers/main.yml | 0 {dhcp => dhcpd}/meta/main.yml | 0 {dhcp => dhcpd}/tasks/main.yml | 0 {dhcp => dhcpd}/tests/test.yml | 0 7 files changed, 0 insertions(+), 0 deletions(-) rename {dhcp => dhcpd}/.kitchen.yml (100%) rename {dhcp => dhcpd}/README.md (100%) rename {dhcp => dhcpd}/defaults/main.yml (100%) rename {dhcp => dhcpd}/handlers/main.yml (100%) rename {dhcp => dhcpd}/meta/main.yml (100%) rename {dhcp => dhcpd}/tasks/main.yml (100%) rename {dhcp => dhcpd}/tests/test.yml (100%) diff --git a/dhcp/.kitchen.yml b/dhcpd/.kitchen.yml similarity index 100% rename from dhcp/.kitchen.yml rename to dhcpd/.kitchen.yml diff --git a/dhcp/README.md b/dhcpd/README.md similarity index 100% rename from dhcp/README.md rename to dhcpd/README.md diff --git a/dhcp/defaults/main.yml b/dhcpd/defaults/main.yml similarity index 100% rename from dhcp/defaults/main.yml rename to dhcpd/defaults/main.yml diff --git a/dhcp/handlers/main.yml b/dhcpd/handlers/main.yml similarity index 100% rename from dhcp/handlers/main.yml rename to dhcpd/handlers/main.yml diff --git a/dhcp/meta/main.yml b/dhcpd/meta/main.yml similarity index 100% rename from dhcp/meta/main.yml rename to dhcpd/meta/main.yml diff --git a/dhcp/tasks/main.yml b/dhcpd/tasks/main.yml similarity index 100% rename from dhcp/tasks/main.yml rename to dhcpd/tasks/main.yml diff --git a/dhcp/tests/test.yml b/dhcpd/tests/test.yml similarity index 100% rename from dhcp/tests/test.yml rename to dhcpd/tests/test.yml From 65c8b4a81ff41a0861d77c9f0c1ec9042376cd74 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 13 Jul 2017 16:11:25 +0200 Subject: [PATCH 055/277] Rename drbd-utils to drbd --- {drbd-utils => drbd}/.kitchen.yml | 0 {drbd-utils => drbd}/README.md | 0 {drbd-utils => drbd}/files/munin/drbd-config | 0 {drbd-utils => drbd}/files/munin/drbd-plugin | 0 {drbd-utils => drbd}/files/nagios/check_drbd | 0 {drbd-utils => drbd}/handlers/main.yml | 0 {drbd-utils => drbd}/meta/main.yml | 0 {drbd-utils => drbd}/tasks/main.yml | 0 {drbd-utils => drbd}/tasks/munin.yml | 0 {drbd-utils => drbd}/tasks/nagios.yml | 0 {drbd-utils => drbd}/tasks/packages.yml | 0 {drbd-utils => drbd}/tests/test.yml | 0 12 files changed, 0 insertions(+), 0 deletions(-) rename {drbd-utils => drbd}/.kitchen.yml (100%) rename {drbd-utils => drbd}/README.md (100%) rename {drbd-utils => drbd}/files/munin/drbd-config (100%) rename {drbd-utils => drbd}/files/munin/drbd-plugin (100%) rename {drbd-utils => drbd}/files/nagios/check_drbd (100%) rename {drbd-utils => drbd}/handlers/main.yml (100%) rename {drbd-utils => drbd}/meta/main.yml (100%) rename {drbd-utils => drbd}/tasks/main.yml (100%) rename {drbd-utils => drbd}/tasks/munin.yml (100%) rename {drbd-utils => drbd}/tasks/nagios.yml (100%) rename {drbd-utils => drbd}/tasks/packages.yml (100%) rename {drbd-utils => drbd}/tests/test.yml (100%) diff --git a/drbd-utils/.kitchen.yml b/drbd/.kitchen.yml similarity index 100% rename from drbd-utils/.kitchen.yml rename to drbd/.kitchen.yml diff --git a/drbd-utils/README.md b/drbd/README.md similarity index 100% rename from drbd-utils/README.md rename to drbd/README.md diff --git a/drbd-utils/files/munin/drbd-config b/drbd/files/munin/drbd-config similarity index 100% rename from drbd-utils/files/munin/drbd-config rename to drbd/files/munin/drbd-config diff --git a/drbd-utils/files/munin/drbd-plugin b/drbd/files/munin/drbd-plugin similarity index 100% rename from drbd-utils/files/munin/drbd-plugin rename to drbd/files/munin/drbd-plugin diff --git a/drbd-utils/files/nagios/check_drbd b/drbd/files/nagios/check_drbd similarity index 100% rename from drbd-utils/files/nagios/check_drbd rename to drbd/files/nagios/check_drbd diff --git a/drbd-utils/handlers/main.yml b/drbd/handlers/main.yml similarity index 100% rename from drbd-utils/handlers/main.yml rename to drbd/handlers/main.yml diff --git a/drbd-utils/meta/main.yml b/drbd/meta/main.yml similarity index 100% rename from drbd-utils/meta/main.yml rename to drbd/meta/main.yml diff --git a/drbd-utils/tasks/main.yml b/drbd/tasks/main.yml similarity index 100% rename from drbd-utils/tasks/main.yml rename to drbd/tasks/main.yml diff --git a/drbd-utils/tasks/munin.yml b/drbd/tasks/munin.yml similarity index 100% rename from drbd-utils/tasks/munin.yml rename to drbd/tasks/munin.yml diff --git a/drbd-utils/tasks/nagios.yml b/drbd/tasks/nagios.yml similarity index 100% rename from drbd-utils/tasks/nagios.yml rename to drbd/tasks/nagios.yml diff --git a/drbd-utils/tasks/packages.yml b/drbd/tasks/packages.yml similarity index 100% rename from drbd-utils/tasks/packages.yml rename to drbd/tasks/packages.yml diff --git a/drbd-utils/tests/test.yml b/drbd/tests/test.yml similarity index 100% rename from drbd-utils/tests/test.yml rename to drbd/tests/test.yml From d02cef44bde49904bded40618af88ac77d063c8b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 13 Jul 2017 16:26:14 +0200 Subject: [PATCH 056/277] nginx: fix file path --- nginx/tasks/packages_jessie.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx/tasks/packages_jessie.yml b/nginx/tasks/packages_jessie.yml index 67733d09..ce806ba2 100644 --- a/nginx/tasks/packages_jessie.yml +++ b/nginx/tasks/packages_jessie.yml @@ -1,4 +1,4 @@ -- include: jessie_backports.yml +- include: packages_jessie_backports.yml when: ansible_distribution_release == "jessie" and nginx_jessie_backports - name: Ensure Nginx is installed From fc2bd395b9f39dc869be7b5cab2202a43c5dca6a Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 13 Jul 2017 16:36:27 +0200 Subject: [PATCH 057/277] Minifirewall: install Git for tests --- minifirewall/tests/test.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/minifirewall/tests/test.yml b/minifirewall/tests/test.yml index 427cd2f3..43dd567f 100644 --- a/minifirewall/tests/test.yml +++ b/minifirewall/tests/test.yml @@ -2,5 +2,8 @@ - hosts: test-kitchen vars: - minifirewall_trusted_ips: ["{{ ansible_default_ipv4.address }}/24"] + pre_tasks: + - apt: + name: git roles: - role: minifirewall From 61116984946184253cea8d6fb78e482bc42adaef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 14 Jul 2017 11:17:49 +0200 Subject: [PATCH 058/277] Samba: move to a feature branch --- samba/.kitchen.yml | 28 ---------------------------- samba/README.md | 11 ----------- samba/defaults/main.yml | 1 - samba/handlers/main.yml | 10 ---------- samba/meta/main.yml | 19 ------------------- samba/tasks/main.yml | 4 ---- samba/tests/test.yml | 4 ---- 7 files changed, 77 deletions(-) delete mode 100644 samba/.kitchen.yml delete mode 100644 samba/README.md delete mode 100644 samba/defaults/main.yml delete mode 100644 samba/handlers/main.yml delete mode 100644 samba/meta/main.yml delete mode 100644 samba/tasks/main.yml delete mode 100644 samba/tests/test.yml diff --git a/samba/.kitchen.yml b/samba/.kitchen.yml deleted file mode 100644 index b21cc3db..00000000 --- a/samba/.kitchen.yml +++ /dev/null @@ -1,28 +0,0 @@ ---- -driver: - name: docker - privileged: true - use_sudo: false - -provisioner: - name: ansible_playbook - hosts: test-kitchen - roles_path: ../ - ansible_verbose: true - require_ansible_source: false - require_chef_for_busser: false - idempotency_test: true - -platforms: - - name: debian - driver_config: - image: evolix/ansible:2.2.1 - -suites: - - name: default - provisioner: - name: ansible_playbook - playbook: ./tests/test.yml - -transport: - max_ssh_sessions: 6 diff --git a/samba/README.md b/samba/README.md deleted file mode 100644 index 7e3f4f12..00000000 --- a/samba/README.md +++ /dev/null @@ -1,11 +0,0 @@ -# Amavis - -Installation and basic configuration of samba. - -## Tasks - -Minimal configuration is in `tasks/main.yml` - -## Available variables - -The full list of variables (with default values) can be found in `defaults/main.yml`. diff --git a/samba/defaults/main.yml b/samba/defaults/main.yml deleted file mode 100644 index ed97d539..00000000 --- a/samba/defaults/main.yml +++ /dev/null @@ -1 +0,0 @@ ---- diff --git a/samba/handlers/main.yml b/samba/handlers/main.yml deleted file mode 100644 index e5ff2eeb..00000000 --- a/samba/handlers/main.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -- name: restart nmbd - service: - name: nmbd - state: restarted - -- name: restart smbd - service: - name: smbd - state: restarted diff --git a/samba/meta/main.yml b/samba/meta/main.yml deleted file mode 100644 index caf4c3c0..00000000 --- a/samba/meta/main.yml +++ /dev/null @@ -1,19 +0,0 @@ -galaxy_info: - author: Evolix - description: Installation and basic configuration of samba. - - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues - - license: GPLv2 - - min_ansible_version: 2.2 - - platforms: - - name: Debian - versions: - - jessie - -dependencies: [] - # List your role dependencies here, one per line. - # Be sure to remove the '[]' above if you add dependencies - # to this list. diff --git a/samba/tasks/main.yml b/samba/tasks/main.yml deleted file mode 100644 index 79dba4b9..00000000 --- a/samba/tasks/main.yml +++ /dev/null @@ -1,4 +0,0 @@ -- name: ensure packages are installed - apt: - name: samba - state: present diff --git a/samba/tests/test.yml b/samba/tests/test.yml deleted file mode 100644 index 79e5cdab..00000000 --- a/samba/tests/test.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- hosts: test-kitchen - roles: - - role: samba From c396536a55e63e48570c26a769cc9ef792353ba3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 14 Jul 2017 11:20:38 +0200 Subject: [PATCH 059/277] Spamassasin: move to a feature branch --- spamassassin/.kitchen.yml | 28 ---------------------------- spamassassin/README.md | 11 ----------- spamassassin/defaults/main.yml | 1 - spamassassin/handlers/main.yml | 5 ----- spamassassin/meta/main.yml | 19 ------------------- spamassassin/tasks/main.yml | 4 ---- spamassassin/tests/test.yml | 4 ---- 7 files changed, 72 deletions(-) delete mode 100644 spamassassin/.kitchen.yml delete mode 100644 spamassassin/README.md delete mode 100644 spamassassin/defaults/main.yml delete mode 100644 spamassassin/handlers/main.yml delete mode 100644 spamassassin/meta/main.yml delete mode 100644 spamassassin/tasks/main.yml delete mode 100644 spamassassin/tests/test.yml diff --git a/spamassassin/.kitchen.yml b/spamassassin/.kitchen.yml deleted file mode 100644 index b21cc3db..00000000 --- a/spamassassin/.kitchen.yml +++ /dev/null @@ -1,28 +0,0 @@ ---- -driver: - name: docker - privileged: true - use_sudo: false - -provisioner: - name: ansible_playbook - hosts: test-kitchen - roles_path: ../ - ansible_verbose: true - require_ansible_source: false - require_chef_for_busser: false - idempotency_test: true - -platforms: - - name: debian - driver_config: - image: evolix/ansible:2.2.1 - -suites: - - name: default - provisioner: - name: ansible_playbook - playbook: ./tests/test.yml - -transport: - max_ssh_sessions: 6 diff --git a/spamassassin/README.md b/spamassassin/README.md deleted file mode 100644 index c337ed92..00000000 --- a/spamassassin/README.md +++ /dev/null @@ -1,11 +0,0 @@ -# Spamassassin - -Installation and basic configuration of spamassassin - -## Tasks - -Minimal configuration is in `tasks/main.yml` - -## Available variables - -The full list of variables (with default values) can be found in `defaults/main.yml`. diff --git a/spamassassin/defaults/main.yml b/spamassassin/defaults/main.yml deleted file mode 100644 index ed97d539..00000000 --- a/spamassassin/defaults/main.yml +++ /dev/null @@ -1 +0,0 @@ ---- diff --git a/spamassassin/handlers/main.yml b/spamassassin/handlers/main.yml deleted file mode 100644 index 7479d736..00000000 --- a/spamassassin/handlers/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: restart spamassassin - service: - name: spamassassin - state: restarted diff --git a/spamassassin/meta/main.yml b/spamassassin/meta/main.yml deleted file mode 100644 index 53c77c38..00000000 --- a/spamassassin/meta/main.yml +++ /dev/null @@ -1,19 +0,0 @@ -galaxy_info: - author: Evolix - description: Installation and basic configuration of spamassassin. - - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues - - license: GPLv2 - - min_ansible_version: 2.2 - - platforms: - - name: Debian - versions: - - jessie - -dependencies: [] - # List your role dependencies here, one per line. - # Be sure to remove the '[]' above if you add dependencies - # to this list. diff --git a/spamassassin/tasks/main.yml b/spamassassin/tasks/main.yml deleted file mode 100644 index 0b6cc161..00000000 --- a/spamassassin/tasks/main.yml +++ /dev/null @@ -1,4 +0,0 @@ -- name: ensure packages are installed - apt: - name: spamassassin - state: present diff --git a/spamassassin/tests/test.yml b/spamassassin/tests/test.yml deleted file mode 100644 index 931049bd..00000000 --- a/spamassassin/tests/test.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- hosts: test-kitchen - roles: - - role: spamassassin From 340ca0e9a0322d84e260a1ecbef6bc8ca1c80a41 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 14 Jul 2017 11:34:28 +0200 Subject: [PATCH 060/277] More amavis to a feature branch --- amavis/.kitchen.yml | 28 ---------------------------- amavis/README.md | 11 ----------- amavis/defaults/main.yml | 1 - amavis/handlers/main.yml | 5 ----- amavis/meta/main.yml | 19 ------------------- amavis/tasks/main.yml | 4 ---- amavis/tests/test.yml | 4 ---- 7 files changed, 72 deletions(-) delete mode 100644 amavis/.kitchen.yml delete mode 100644 amavis/README.md delete mode 100644 amavis/defaults/main.yml delete mode 100644 amavis/handlers/main.yml delete mode 100644 amavis/meta/main.yml delete mode 100644 amavis/tasks/main.yml delete mode 100644 amavis/tests/test.yml diff --git a/amavis/.kitchen.yml b/amavis/.kitchen.yml deleted file mode 100644 index b21cc3db..00000000 --- a/amavis/.kitchen.yml +++ /dev/null @@ -1,28 +0,0 @@ ---- -driver: - name: docker - privileged: true - use_sudo: false - -provisioner: - name: ansible_playbook - hosts: test-kitchen - roles_path: ../ - ansible_verbose: true - require_ansible_source: false - require_chef_for_busser: false - idempotency_test: true - -platforms: - - name: debian - driver_config: - image: evolix/ansible:2.2.1 - -suites: - - name: default - provisioner: - name: ansible_playbook - playbook: ./tests/test.yml - -transport: - max_ssh_sessions: 6 diff --git a/amavis/README.md b/amavis/README.md deleted file mode 100644 index b62ec0ed..00000000 --- a/amavis/README.md +++ /dev/null @@ -1,11 +0,0 @@ -# Amavis - -Installation and basic configuration of amavis. - -## Tasks - -Minimal configuration is in `tasks/main.yml` - -## Available variables - -The full list of variables (with default values) can be found in `defaults/main.yml`. diff --git a/amavis/defaults/main.yml b/amavis/defaults/main.yml deleted file mode 100644 index ed97d539..00000000 --- a/amavis/defaults/main.yml +++ /dev/null @@ -1 +0,0 @@ ---- diff --git a/amavis/handlers/main.yml b/amavis/handlers/main.yml deleted file mode 100644 index 62049999..00000000 --- a/amavis/handlers/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: restart amavis - service: - name: amavis - state: restarted diff --git a/amavis/meta/main.yml b/amavis/meta/main.yml deleted file mode 100644 index affdf9c9..00000000 --- a/amavis/meta/main.yml +++ /dev/null @@ -1,19 +0,0 @@ -galaxy_info: - author: Evolix - description: Installation and basic configuration of amavis. - - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues - - license: GPLv2 - - min_ansible_version: 2.2 - - platforms: - - name: Debian - versions: - - jessie - -dependencies: [] - # List your role dependencies here, one per line. - # Be sure to remove the '[]' above if you add dependencies - # to this list. diff --git a/amavis/tasks/main.yml b/amavis/tasks/main.yml deleted file mode 100644 index d4dc7803..00000000 --- a/amavis/tasks/main.yml +++ /dev/null @@ -1,4 +0,0 @@ -- name: ensure packages are installed - apt: - name: amavis - state: present diff --git a/amavis/tests/test.yml b/amavis/tests/test.yml deleted file mode 100644 index b54bdaea..00000000 --- a/amavis/tests/test.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- hosts: test-kitchen - roles: - - role: amavis From 19e8b55c83ca681f7eaed7e5965005630e5e3c07 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 14 Jul 2017 11:35:37 +0200 Subject: [PATCH 061/277] More clamav to a feature branch --- clamav/.kitchen.yml | 27 --------------------------- clamav/README.md | 11 ----------- clamav/defaults/main.yml | 1 - clamav/handlers/main.yml | 9 --------- clamav/meta/main.yml | 19 ------------------- clamav/tasks/main.yml | 7 ------- clamav/tests/test.yml | 4 ---- 7 files changed, 78 deletions(-) delete mode 100644 clamav/.kitchen.yml delete mode 100644 clamav/README.md delete mode 100644 clamav/defaults/main.yml delete mode 100644 clamav/handlers/main.yml delete mode 100644 clamav/meta/main.yml delete mode 100644 clamav/tasks/main.yml delete mode 100644 clamav/tests/test.yml diff --git a/clamav/.kitchen.yml b/clamav/.kitchen.yml deleted file mode 100644 index c2afb64d..00000000 --- a/clamav/.kitchen.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- -driver: - name: docker - privileged: true - use_sudo: false - -provisioner: - name: ansible_playbook - hosts: test-kitchen - roles_path: ../ - ansible_verbose: true - require_ansible_source: false - require_chef_for_busser: false - idempotency_test: true - -platforms: - - name: debian - driver_config: - image: evolix/ansible:2.2.1 -suites: - - name: default - provisioner: - name: ansible_playbook - playbook: ./tests/test.yml - -transport: - max_ssh_sessions: 6 diff --git a/clamav/README.md b/clamav/README.md deleted file mode 100644 index ba5fe895..00000000 --- a/clamav/README.md +++ /dev/null @@ -1,11 +0,0 @@ -# Clamav - -Installation and basic configuration of clamav - -## Tasks - -Minimal configuration is in `tasks/main.yml` - -## Available variables - -The full list of variables (with default values) can be found in `defaults/main.yml`. diff --git a/clamav/defaults/main.yml b/clamav/defaults/main.yml deleted file mode 100644 index ed97d539..00000000 --- a/clamav/defaults/main.yml +++ /dev/null @@ -1 +0,0 @@ ---- diff --git a/clamav/handlers/main.yml b/clamav/handlers/main.yml deleted file mode 100644 index 4f445b18..00000000 --- a/clamav/handlers/main.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- name: restart clamav-daemon - service: - name: clamav-daemon - state: restarted -- name: restart clamav-freshclam - service: - name: clamav-freshclam - state: restarted diff --git a/clamav/meta/main.yml b/clamav/meta/main.yml deleted file mode 100644 index 732965a4..00000000 --- a/clamav/meta/main.yml +++ /dev/null @@ -1,19 +0,0 @@ -galaxy_info: - author: Evolix - description: Installation and basic configuration of clamav. - - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues - - license: GPLv2 - - min_ansible_version: 2.2 - - platforms: - - name: Debian - versions: - - jessie - -dependencies: [] - # List your role dependencies here, one per line. - # Be sure to remove the '[]' above if you add dependencies - # to this list. diff --git a/clamav/tasks/main.yml b/clamav/tasks/main.yml deleted file mode 100644 index 88b0ba99..00000000 --- a/clamav/tasks/main.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: ensure packages are installed - apt: - name: '{{ item }}' - state: present - with_items: - - clamav-daemon - - clamav-freshclam diff --git a/clamav/tests/test.yml b/clamav/tests/test.yml deleted file mode 100644 index 91b1f55f..00000000 --- a/clamav/tests/test.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- hosts: test-kitchen - roles: - - role: clamav From 68130495c1de0ab56e940d69a268e56088e452a1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 14 Jul 2017 11:36:01 +0200 Subject: [PATCH 062/277] More courier to a feature branch --- courier/.kitchen.yml | 28 ---------------------------- courier/README.md | 11 ----------- courier/defaults/main.yml | 1 - courier/handlers/main.yml | 25 ------------------------- courier/meta/main.yml | 19 ------------------- courier/tasks/main.yml | 17 ----------------- courier/tests/test.yml | 4 ---- 7 files changed, 105 deletions(-) delete mode 100644 courier/.kitchen.yml delete mode 100644 courier/README.md delete mode 100644 courier/defaults/main.yml delete mode 100644 courier/handlers/main.yml delete mode 100644 courier/meta/main.yml delete mode 100644 courier/tasks/main.yml delete mode 100644 courier/tests/test.yml diff --git a/courier/.kitchen.yml b/courier/.kitchen.yml deleted file mode 100644 index b21cc3db..00000000 --- a/courier/.kitchen.yml +++ /dev/null @@ -1,28 +0,0 @@ ---- -driver: - name: docker - privileged: true - use_sudo: false - -provisioner: - name: ansible_playbook - hosts: test-kitchen - roles_path: ../ - ansible_verbose: true - require_ansible_source: false - require_chef_for_busser: false - idempotency_test: true - -platforms: - - name: debian - driver_config: - image: evolix/ansible:2.2.1 - -suites: - - name: default - provisioner: - name: ansible_playbook - playbook: ./tests/test.yml - -transport: - max_ssh_sessions: 6 diff --git a/courier/README.md b/courier/README.md deleted file mode 100644 index b743ab4c..00000000 --- a/courier/README.md +++ /dev/null @@ -1,11 +0,0 @@ -# Courier - -Installation and basic configuration of courier. - -## Tasks - -Minimal configuration is in `tasks/main.yml` - -## Available variables - -The full list of variables (with default values) can be found in `defaults/main.yml`. diff --git a/courier/defaults/main.yml b/courier/defaults/main.yml deleted file mode 100644 index ed97d539..00000000 --- a/courier/defaults/main.yml +++ /dev/null @@ -1 +0,0 @@ ---- diff --git a/courier/handlers/main.yml b/courier/handlers/main.yml deleted file mode 100644 index 6f71b11f..00000000 --- a/courier/handlers/main.yml +++ /dev/null @@ -1,25 +0,0 @@ ---- -- name: restart courier-authdaemon - service: - name: courier-authdaemon - state: restarted -- name: restart courier-imap - service: - name: courier-imap - state: restarted -- name: restart courier-imap-ssl - service: - name: courier-imap-ssl - state: restarted -- name: restart courier-ldap - service: - name: courier-ldap - state: restarted -- name: restart courier-pop - service: - name: courier-pop - state: restarted -- name: restart courier-pop-ssl - service: - name: courier-pop-ssl - state: restarted diff --git a/courier/meta/main.yml b/courier/meta/main.yml deleted file mode 100644 index b7605b2d..00000000 --- a/courier/meta/main.yml +++ /dev/null @@ -1,19 +0,0 @@ -galaxy_info: - author: Evolix - description: Installation and basic configuration of courier. - - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues - - license: GPLv2 - - min_ansible_version: 2.2 - - platforms: - - name: Debian - versions: - - jessie - -dependencies: [] - # List your role dependencies here, one per line. - # Be sure to remove the '[]' above if you add dependencies - # to this list. diff --git a/courier/tasks/main.yml b/courier/tasks/main.yml deleted file mode 100644 index 59212743..00000000 --- a/courier/tasks/main.yml +++ /dev/null @@ -1,17 +0,0 @@ -- name: ensure packages are installed - apt: - name: '{{ item }}' - state: present - with_items: - - courier-authdaemon - - courier-authlib - - courier-authlib-ldap - - courier-authlib-userdb - - courier-base - - courier-imap - - courier-imap-ssl - - courier-ldap - - courier-pop - - courier-pop-ssl - - courier-ssl - diff --git a/courier/tests/test.yml b/courier/tests/test.yml deleted file mode 100644 index 288625cb..00000000 --- a/courier/tests/test.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- hosts: test-kitchen - roles: - - role: courier From a6db2c94287989817642b46f8d598fe127b7ffbc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 14 Jul 2017 11:36:18 +0200 Subject: [PATCH 063/277] More ipsec to a feature branch --- ipsec/files/check_ipsecctl.sh | 23 ---------- ipsec/files/check_ipsecctl_multi.sh | 29 ------------- ipsec/tasks/main.yml | 65 ----------------------------- ipsec/templates/ipsec.conf.j2 | 10 ----- 4 files changed, 127 deletions(-) delete mode 100644 ipsec/files/check_ipsecctl.sh delete mode 100644 ipsec/files/check_ipsecctl_multi.sh delete mode 100644 ipsec/tasks/main.yml delete mode 100644 ipsec/templates/ipsec.conf.j2 diff --git a/ipsec/files/check_ipsecctl.sh b/ipsec/files/check_ipsecctl.sh deleted file mode 100644 index 4cdeaa94..00000000 --- a/ipsec/files/check_ipsecctl.sh +++ /dev/null @@ -1,23 +0,0 @@ -#!/bin/sh -IPSECCTL="/sbin/ipsecctl -s sa" -STATUS=0 - -LINE1=`$IPSECCTL | grep "from $1 to $2" ` -if [ $? -eq 1 ]; then - STATUS=2; - OUTPUT1="No VPN from $1 to $2 " -fi - -LINE2=`$IPSECCTL | grep "from $2 to $1" ` -if [ $? -eq 1 ]; then - STATUS=2; - OUTPUT2="No VPN from $2 to $1" -fi - -if [ $STATUS -eq 0 ]; then - echo "VPN OK - $3 is up" - exit $STATUS -else - echo "VPN DOWN - $3 is down ($OUTPUT1 $OUTPUT2)" - exit $STATUS -fi diff --git a/ipsec/files/check_ipsecctl_multi.sh b/ipsec/files/check_ipsecctl_multi.sh deleted file mode 100644 index 09cf6aa2..00000000 --- a/ipsec/files/check_ipsecctl_multi.sh +++ /dev/null @@ -1,29 +0,0 @@ -#!/bin/sh - -CHECK_IPSECCTL="/usr/local/libexec/nagios/check_ipsecctl.sh" -STATUS=0 -VPN_KO="" - -default_int=$(route -n show|grep default|awk '{ print $8 }') -default_ip=$(ifconfig $default_int|grep inet|awk '{ print $2 }') - -for vpn in $(ls /etc/ipsec/); do - vpn=$(basename $vpn .conf) - local_ip=$(grep -E "local_ip" /etc/ipsec/${vpn}.conf|grep -o "[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*") - ifconfig|grep -q $local_ip - [ $? -ne 0 ] && local_ip=$default_ip - remote_ip=$(grep -E "remote_ip" /etc/ipsec/${vpn}.conf|grep -o "[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*") - $CHECK_IPSECCTL $local_ip $remote_ip "$vpn" > /dev/null - if [ $? -ne 0 ]; then - STATUS=2 - VPN_KO="$VPN_KO $vpn" - fi -done - -if [ $STATUS -eq 0 ]; then - echo "ALL VPN(s) UP(s)" - exit 0 -else - echo "VPN(s) down(s) :$VPN_KO" - exit 2 -fi diff --git a/ipsec/tasks/main.yml b/ipsec/tasks/main.yml deleted file mode 100644 index 85d1b69a..00000000 --- a/ipsec/tasks/main.yml +++ /dev/null @@ -1,65 +0,0 @@ ---- -- name: Create /etc/ipsec dir - file: - path: /etc/ipsec - state: directory - mode: "0700" - owner: root - group: wheel - tags: - - ipsec - -- name: Enable and start isakmpd service - service: - name: isakmpd - arguments: '-K' - state: started - enabled: yes - tags: - - ipsec - -- name: Deploy nrpe scripts - copy: - src: "{{ item }}" - dest: /usr/local/libexec/nagios/ - mode: "0755" - with_items: - - 'check_ipsecctl.sh' - - 'check_ipsecctl_multi.sh' - tags: - - ipsec - -- name: Add sudo right to _nrpe for check ipsecctl - lineinfile: - dest: /etc/sudoers - line: "{{ item }}" - state: present - validate: "visudo -cf %s" - with_items: - - "_nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/check_ipsecctl_multi.sh" - - "_nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/check_ipsecctl.sh" - tags: - - ipsec - -- name: "Copy /etc/ipsec/{{ ipsec_name }}.conf" - template: - src: ipsec.conf.j2 - dest: "/etc/ipsec/{{ ipsec_name }}.conf" - mode: "0600" - owner: root - group: wheel - register: ipsec_conf - tags: - - ipsec - -- name: "Check {{ ipsec_name }} config" - command: "ipsecctl -nf /etc/ipsec/{{ ipsec_name }}.conf" - changed_when: false - tags: - - ipsec - -- name: "Reload ipsec {{ ipsec_name }}" - command: "ipsecctl -f /etc/ipsec/{{ ipsec_name }}.conf" - when: ipsec_conf.changed - tags: - - ipsec diff --git a/ipsec/templates/ipsec.conf.j2 b/ipsec/templates/ipsec.conf.j2 deleted file mode 100644 index 862cf686..00000000 --- a/ipsec/templates/ipsec.conf.j2 +++ /dev/null @@ -1,10 +0,0 @@ -local_ip="{{ ipsec_local_ip }}" -local_network="{{ ipsec_local_network }}" - -remote_ip_{{ ipsec_name }}="{{ ipsec_remote_ip }}" -remote_networks_{{ ipsec_name }}="{{ ipsec_remote_network }}" - -ike esp from $local_network to $remote_networks_{{ ipsec_name }} peer $remote_ip_{{ ipsec_name }} \ -main auth hmac-sha2-512 enc aes group modp4096 \ -quick auth hmac-sha2-512 enc aes group modp4096 \ -psk "{{ ipsec_psk }}" From a179f824f185be88d91cf2bda59e18546410587d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 14 Jul 2017 15:42:36 +0200 Subject: [PATCH 064/277] merge nginx-light into nginx --- nginx-light/.kitchen.yml | 36 ---- nginx-light/README.md | 9 - nginx-light/handlers/main.yml | 5 - nginx-light/tests/spec/nginx_light_spec.rb | 9 - nginx-light/tests/test.yml | 4 - nginx/README.md | 7 + nginx/defaults/main.yml | 2 + nginx/tasks/main.yml | 194 +----------------- .../main.yml => nginx/tasks/main_minimal.yml | 10 +- nginx/tasks/main_regular.yml | 193 +++++++++++++++++ .../evolinux-default.minimal.conf.j2 | 0 11 files changed, 211 insertions(+), 258 deletions(-) delete mode 100644 nginx-light/.kitchen.yml delete mode 100644 nginx-light/README.md delete mode 100644 nginx-light/handlers/main.yml delete mode 100644 nginx-light/tests/spec/nginx_light_spec.rb delete mode 100644 nginx-light/tests/test.yml rename nginx-light/tasks/main.yml => nginx/tasks/main_minimal.yml (65%) create mode 100644 nginx/tasks/main_regular.yml rename nginx-light/templates/default.j2 => nginx/templates/evolinux-default.minimal.conf.j2 (100%) diff --git a/nginx-light/.kitchen.yml b/nginx-light/.kitchen.yml deleted file mode 100644 index f63ccd3a..00000000 --- a/nginx-light/.kitchen.yml +++ /dev/null @@ -1,36 +0,0 @@ ---- -driver: - name: docker - privileged: true - use_sudo: false - -provisioner: - name: ansible_playbook - hosts: test-kitchen - roles_path: ../ - ansible_verbose: true - require_ansible_source: false - require_chef_for_busser: false - idempotency_test: true - -platforms: - - name: debian - driver_config: - image: evolix/ansible:2.2.1 - -verifier: - name: serverspec - -suites: - - name: default - provisioner: - name: ansible_playbook - playbook: ./tests/test.yml - verifier: - patterns: - - nginx/tests/spec/nginx_light_spec.rb - bundler_path: '/usr/local/bin' - rspec_path: '/usr/local/bin' - -transport: - max_ssh_sessions: 6 diff --git a/nginx-light/README.md b/nginx-light/README.md deleted file mode 100644 index 17d20719..00000000 --- a/nginx-light/README.md +++ /dev/null @@ -1,9 +0,0 @@ -# nginx-light - -Install Nginx light with a simply default vhost config. - -Used for hypervisors and backups servers. - -## Tasks - -Everything is in the `tasks/main.yml` file. diff --git a/nginx-light/handlers/main.yml b/nginx-light/handlers/main.yml deleted file mode 100644 index d4e42ca0..00000000 --- a/nginx-light/handlers/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: reload nginx - service: - name: nginx - state: reloaded diff --git a/nginx-light/tests/spec/nginx_light_spec.rb b/nginx-light/tests/spec/nginx_light_spec.rb deleted file mode 100644 index f7818739..00000000 --- a/nginx-light/tests/spec/nginx_light_spec.rb +++ /dev/null @@ -1,9 +0,0 @@ -require 'net/http' -require 'uri' - -require 'serverspec' -set :backend, :exec - -describe port(80) do - it { should be_listening } -end diff --git a/nginx-light/tests/test.yml b/nginx-light/tests/test.yml deleted file mode 100644 index 01e20fec..00000000 --- a/nginx-light/tests/test.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- hosts: test-kitchen - roles: - - role: nginx-light diff --git a/nginx/README.md b/nginx/README.md index f58fefc7..d519608b 100644 --- a/nginx/README.md +++ b/nginx/README.md @@ -6,10 +6,17 @@ Install Nginx. Everything is in the `tasks/main.yml` file. +There are 2 modes : minimal and regular. + +The minimal mode is for servers without real web apps, and only access to munin graphs… + +The regular mode is for full fledged web services with optimized defaults. + ## Available variables Main variables are : +* `nginx_minimal` : very basic install and config (default: `False`) ; * `nginx_jessie_backports` : on Debian Jessie, we can prefer v1.10 from backports (default: `False`) ; * `nginx_private_ipaddr_whitelist_present` : list of IP addresses to have in the private whitelist ; * `nginx_private_ipaddr_whitelist_absent` : list of IP addresses **not** to have in the whitelist ; diff --git a/nginx/defaults/main.yml b/nginx/defaults/main.yml index e35001d8..16398ee4 100644 --- a/nginx/defaults/main.yml +++ b/nginx/defaults/main.yml @@ -1,4 +1,6 @@ --- + +nginx_minimal: False nginx_jessie_backports: False nginx_private_ipaddr_whitelist_present: [] diff --git a/nginx/tasks/main.yml b/nginx/tasks/main.yml index 7f11ed32..e1144a39 100644 --- a/nginx/tasks/main.yml +++ b/nginx/tasks/main.yml @@ -1,193 +1,7 @@ --- -- include: packages_jessie.yml - when: ansible_distribution_release == "jessie" +- include: main_minimal.yml + when: nginx_minimal -- include: packages_stretch.yml - when: ansible_distribution_release == "stretch" - -# TODO: find a way to override the main configuration -# without touching the main file - -- name: customize worker_connections - lineinfile: - dest: /etc/nginx/nginx.conf - regexp: '^(\s*worker_connections)\s+.+;' - line: ' worker_connections 1024;' - insertafter: 'events \{' - tags: - - nginx - -- name: use epoll - lineinfile: - dest: /etc/nginx/nginx.conf - regexp: '^(\s*use)\s+.+;' - line: ' use epoll;' - insertafter: 'events \{' - tags: - - nginx - -- name: Install Nginx http configuration - copy: - src: nginx/evolinux-defaults.conf - dest: /etc/nginx/conf.d/z-evolinux-defaults.conf - mode: "0640" - # force: yes - notify: reload nginx - tags: - - nginx - -# TODO: verify that those permissions are correct : -# not too strict for private_ipaddr_whitelist -# and not too loose for private_htpasswd - -- name: Copy private_ipaddr_whitelist - copy: - src: nginx/snippets/private_ipaddr_whitelist - dest: /etc/nginx/snippets/private_ipaddr_whitelist - owner: www-data - group: www-data - directory_mode: "0640" - mode: "0640" - force: no - notify: reload nginx - tags: - - nginx - -- name: add IP addresses to private IP whitelist - lineinfile: - dest: /etc/nginx/snippets/private_ipaddr_whitelist - line: "allow {{ item }};" - state: present - with_items: "{{ nginx_private_ipaddr_whitelist_present }}" - notify: reload nginx - tags: - - nginx - -- name: remove IP addresses from private IP whitelist - lineinfile: - dest: /etc/nginx/snippets/private_ipaddr_whitelist - line: "allow {{ item }};" - state: absent - with_items: "{{ nginx_private_ipaddr_whitelist_absent }}" - notify: reload nginx - tags: - - nginx - -- name: Copy private_htpasswd - copy: - src: nginx/snippets/private_htpasswd - dest: /etc/nginx/snippets/private_htpasswd - owner: www-data - group: www-data - directory_mode: "0640" - mode: "0640" - force: no - notify: reload nginx - tags: - - nginx - -- name: add user:pwd to private htpasswd - lineinfile: - dest: /etc/nginx/snippets/private_htpasswd - line: "{{ item }}" - state: present - with_items: "{{ nginx_private_htpasswd_present }}" - notify: reload nginx - tags: - - nginx - -- name: remove user:pwd from private htpasswd - lineinfile: - dest: /etc/nginx/snippets/private_htpasswd - line: "{{ item }}" - state: absent - with_items: "{{ nginx_private_htpasswd_absent }}" - notify: reload nginx - tags: - - nginx - -- name: nginx vhost is installed - template: - src: evolinux-default.conf.j2 - dest: /etc/nginx/sites-available/evolinux-default.conf - mode: "0640" - notify: reload nginx - tags: - - nginx - -- name: default vhost is enabled - file: - src: /etc/nginx/sites-available/evolinux-default.conf - dest: /etc/nginx/sites-enabled/default.conf - state: link - force: yes - notify: reload nginx - when: nginx_evolinux_default_enabled - tags: - - nginx - -# - block: -# - name: generate random string for phpmyadmin suffix -# command: "apg -a 1 -M N -n 1" -# changed_when: False -# register: random_phpmyadmin_suffix -# -# - name: overwrite nginx_phpmyadmin_suffix -# set_fact: -# nginx_phpmyadmin_suffix: "{{ random_phpmyadmin_suffix.stdout }}" -# when: nginx_phpmyadmin_suffix == "" -# -# - name: replace phpmyadmin suffix in default site index -# replace: -# dest: /var/www/index.html -# regexp: '__PHPMYADMIN_SUFFIX__' -# replace: "{{ nginx_phpmyadmin_suffix }}" -# -# - block: -# - name: generate random string for serverstatus suffix -# command: "apg -a 1 -M N -n 1" -# changed_when: False -# register: random_serverstatus_suffix -# -# - name: overwrite nginx_serverstatus_suffix -# set_fact: -# nginx_serverstatus_suffix: "{{ random_phpmyadmin_suffix.stdout }}" -# when: nginx_serverstatus_suffix == "" -# -# - name: replace server-status suffix in default site index -# replace: -# dest: /var/www/index.html -# regexp: '__SERVERSTATUS_SUFFIX__' -# replace: "{{ nginx_serverstatus_suffix }}" - -- name: Verify that the service is enabled and started - service: - name: nginx - enabled: yes - state: started - tags: - - nginx - -- name: Check if Munin is installed - stat: - path: /etc/munin/plugin-conf.d/munin-node - check_mode: no - register: stat_munin_node - tags: - - nginx - - munin - -- include: munin_vhost.yml - when: stat_munin_node.stat.exists - tags: - - nginx - - munin - -- include: munin_graphs.yml - when: stat_munin_node.stat.exists - tags: - - nginx - - munin - -- include: logrotate.yml +- include: main_regular.yml + when: not nginx_minimal diff --git a/nginx-light/tasks/main.yml b/nginx/tasks/main_minimal.yml similarity index 65% rename from nginx-light/tasks/main.yml rename to nginx/tasks/main_minimal.yml index cc727f28..1cded8ea 100644 --- a/nginx-light/tasks/main.yml +++ b/nginx/tasks/main_minimal.yml @@ -1,5 +1,5 @@ --- -- name: Ensure Nginx (light) is installed +- name: Ensure Nginx is installed apt: name: "{{ item }}" state: present @@ -13,8 +13,8 @@ - name: Copy default vhost template: - src: default.j2 - dest: /etc/nginx/sites-available/default + src: evolinux-default.minimal.conf.j2 + dest: /etc/nginx/sites-available/evolinux-default.minimal.conf mode: 0644 notify: reload nginx tags: @@ -23,8 +23,8 @@ - name: Enable default vhost file: - src: /etc/nginx/sites-available/default - dest: /etc/nginx/sites-enabled/default + src: /etc/nginx/sites-available/evolinux-default.minimal.conf + dest: /etc/nginx/sites-enabled/default.conf state: link notify: reload nginx tags: diff --git a/nginx/tasks/main_regular.yml b/nginx/tasks/main_regular.yml new file mode 100644 index 00000000..7f11ed32 --- /dev/null +++ b/nginx/tasks/main_regular.yml @@ -0,0 +1,193 @@ +--- + +- include: packages_jessie.yml + when: ansible_distribution_release == "jessie" + +- include: packages_stretch.yml + when: ansible_distribution_release == "stretch" + +# TODO: find a way to override the main configuration +# without touching the main file + +- name: customize worker_connections + lineinfile: + dest: /etc/nginx/nginx.conf + regexp: '^(\s*worker_connections)\s+.+;' + line: ' worker_connections 1024;' + insertafter: 'events \{' + tags: + - nginx + +- name: use epoll + lineinfile: + dest: /etc/nginx/nginx.conf + regexp: '^(\s*use)\s+.+;' + line: ' use epoll;' + insertafter: 'events \{' + tags: + - nginx + +- name: Install Nginx http configuration + copy: + src: nginx/evolinux-defaults.conf + dest: /etc/nginx/conf.d/z-evolinux-defaults.conf + mode: "0640" + # force: yes + notify: reload nginx + tags: + - nginx + +# TODO: verify that those permissions are correct : +# not too strict for private_ipaddr_whitelist +# and not too loose for private_htpasswd + +- name: Copy private_ipaddr_whitelist + copy: + src: nginx/snippets/private_ipaddr_whitelist + dest: /etc/nginx/snippets/private_ipaddr_whitelist + owner: www-data + group: www-data + directory_mode: "0640" + mode: "0640" + force: no + notify: reload nginx + tags: + - nginx + +- name: add IP addresses to private IP whitelist + lineinfile: + dest: /etc/nginx/snippets/private_ipaddr_whitelist + line: "allow {{ item }};" + state: present + with_items: "{{ nginx_private_ipaddr_whitelist_present }}" + notify: reload nginx + tags: + - nginx + +- name: remove IP addresses from private IP whitelist + lineinfile: + dest: /etc/nginx/snippets/private_ipaddr_whitelist + line: "allow {{ item }};" + state: absent + with_items: "{{ nginx_private_ipaddr_whitelist_absent }}" + notify: reload nginx + tags: + - nginx + +- name: Copy private_htpasswd + copy: + src: nginx/snippets/private_htpasswd + dest: /etc/nginx/snippets/private_htpasswd + owner: www-data + group: www-data + directory_mode: "0640" + mode: "0640" + force: no + notify: reload nginx + tags: + - nginx + +- name: add user:pwd to private htpasswd + lineinfile: + dest: /etc/nginx/snippets/private_htpasswd + line: "{{ item }}" + state: present + with_items: "{{ nginx_private_htpasswd_present }}" + notify: reload nginx + tags: + - nginx + +- name: remove user:pwd from private htpasswd + lineinfile: + dest: /etc/nginx/snippets/private_htpasswd + line: "{{ item }}" + state: absent + with_items: "{{ nginx_private_htpasswd_absent }}" + notify: reload nginx + tags: + - nginx + +- name: nginx vhost is installed + template: + src: evolinux-default.conf.j2 + dest: /etc/nginx/sites-available/evolinux-default.conf + mode: "0640" + notify: reload nginx + tags: + - nginx + +- name: default vhost is enabled + file: + src: /etc/nginx/sites-available/evolinux-default.conf + dest: /etc/nginx/sites-enabled/default.conf + state: link + force: yes + notify: reload nginx + when: nginx_evolinux_default_enabled + tags: + - nginx + +# - block: +# - name: generate random string for phpmyadmin suffix +# command: "apg -a 1 -M N -n 1" +# changed_when: False +# register: random_phpmyadmin_suffix +# +# - name: overwrite nginx_phpmyadmin_suffix +# set_fact: +# nginx_phpmyadmin_suffix: "{{ random_phpmyadmin_suffix.stdout }}" +# when: nginx_phpmyadmin_suffix == "" +# +# - name: replace phpmyadmin suffix in default site index +# replace: +# dest: /var/www/index.html +# regexp: '__PHPMYADMIN_SUFFIX__' +# replace: "{{ nginx_phpmyadmin_suffix }}" +# +# - block: +# - name: generate random string for serverstatus suffix +# command: "apg -a 1 -M N -n 1" +# changed_when: False +# register: random_serverstatus_suffix +# +# - name: overwrite nginx_serverstatus_suffix +# set_fact: +# nginx_serverstatus_suffix: "{{ random_phpmyadmin_suffix.stdout }}" +# when: nginx_serverstatus_suffix == "" +# +# - name: replace server-status suffix in default site index +# replace: +# dest: /var/www/index.html +# regexp: '__SERVERSTATUS_SUFFIX__' +# replace: "{{ nginx_serverstatus_suffix }}" + +- name: Verify that the service is enabled and started + service: + name: nginx + enabled: yes + state: started + tags: + - nginx + +- name: Check if Munin is installed + stat: + path: /etc/munin/plugin-conf.d/munin-node + check_mode: no + register: stat_munin_node + tags: + - nginx + - munin + +- include: munin_vhost.yml + when: stat_munin_node.stat.exists + tags: + - nginx + - munin + +- include: munin_graphs.yml + when: stat_munin_node.stat.exists + tags: + - nginx + - munin + +- include: logrotate.yml diff --git a/nginx-light/templates/default.j2 b/nginx/templates/evolinux-default.minimal.conf.j2 similarity index 100% rename from nginx-light/templates/default.j2 rename to nginx/templates/evolinux-default.minimal.conf.j2 From 7d4e3881415329e32e98c19c32266bb7a3109ca3 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 13 Jul 2017 16:44:39 +0200 Subject: [PATCH 065/277] apache: use snakeoil cert by default --- apache/defaults/main.yml | 2 ++ apache/templates/evolinux-default.conf.j2 | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/apache/defaults/main.yml b/apache/defaults/main.yml index 325e6056..9704ee24 100644 --- a/apache/defaults/main.yml +++ b/apache/defaults/main.yml @@ -7,6 +7,8 @@ apache_private_htpasswd_absent: [] apache_default_redirect_url: "http://evolix.fr" apache_evolinux_default_enabled: True +apache_evolinux_default_ssl_cert: /etc/ssl/certs/ssl-cert-snakeoil.pem +apache_evolinux_default_ssl_key: /etc/ssl/private/ssl-cert-snakeoil.key apache_phpmyadmin_suffix: "" apache_serverstatus_suffix: "" diff --git a/apache/templates/evolinux-default.conf.j2 b/apache/templates/evolinux-default.conf.j2 index 744c4319..8a5259f5 100644 --- a/apache/templates/evolinux-default.conf.j2 +++ b/apache/templates/evolinux-default.conf.j2 @@ -15,8 +15,8 @@ DocumentRoot /var/www/ SSLEngine on - SSLCertificateFile /etc/ssl/certs/{{ ansible_fqdn }}.crt - SSLCertificateKeyFile /etc/ssl/private/{{ ansible_fqdn }}.key + SSLCertificateFile {{ apache_evolinux_default_ssl_cert }} + SSLCertificateKeyFile {{ apache_evolinux_default_ssl_key }} # SSLProtocol all -SSLv2 -SSLv3 From a189b7935b8ab51cbf74c7d070edb70ab360bd2c Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Mon, 17 Jul 2017 14:21:32 +0200 Subject: [PATCH 066/277] NTPD : Listen only on lo interface by default --- evolinux-base/defaults/main.yml | 1 + evolinux-base/handlers/main.yml | 5 +++++ evolinux-base/tasks/system.yml | 9 +++++++++ 3 files changed, 15 insertions(+) diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index b3c2085b..f58ab6e5 100644 --- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml @@ -95,6 +95,7 @@ evolinux_system_alert5_init: True evolinux_system_alert5_enable: True evolinux_system_eni_auto: True +evolinux_system_ntprestrict: True evolinux_system_set_ntpserver: True evolinux_system_ntpserver: "ntp.evolix.net" diff --git a/evolinux-base/handlers/main.yml b/evolinux-base/handlers/main.yml index 3458490c..002cd978 100644 --- a/evolinux-base/handlers/main.yml +++ b/evolinux-base/handlers/main.yml @@ -71,3 +71,8 @@ service: name: postfix state: reloaded + +- name: restart ntp + service: + name: ntp + state: restarted diff --git a/evolinux-base/tasks/system.yml b/evolinux-base/tasks/system.yml index 53ce06c2..6c7766d5 100644 --- a/evolinux-base/tasks/system.yml +++ b/evolinux-base/tasks/system.yml @@ -112,7 +112,15 @@ - {regexp: '^52\s*6(\s*1(\s*\*){2})', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1', backup: "no"} when: evolinux_system_cron_random +# NTP listen retriction +- name: Listen only on lo interface + # NTP server address + lineinfile: + dest: /etc/ntp.conf + line: "interface ignore wildcard" + notify: restart ntp + when: evolinux_system_ntprestrict - name: Configure NTP replace: @@ -120,6 +128,7 @@ regexp: "^server .*$" replace: "server {{ evolinux_system_ntpserver }}" backup: yes + notify: restart ntp when: evolinux_system_set_ntpserver ## alert5 From 639a4baf750eded49ef9aa12154ee5b71cbd5c47 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 17 Jul 2017 14:45:36 +0200 Subject: [PATCH 067/277] Bind: use the chroot variable for Munin --- bind/templates/bind9.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bind/templates/bind9.j2 b/bind/templates/bind9.j2 index 1eb1eaea..9c62388d 100644 --- a/bind/templates/bind9.j2 +++ b/bind/templates/bind9.j2 @@ -1,6 +1,6 @@ [bind*] user root -env.logfile {{ bind_query_file }} -env.querystats /var/chroot-bind{{ bind_statistics_file }} +env.logfile {{ bind_query_file }} +env.querystats {{ bind_chroot_root }}{{ bind_statistics_file }} env.MUNIN_PLUGSTATE /var/lib/munin timeout 120 From be68f9ac0a66cda2e6d2ad9bac12dce21a1eab32 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 17 Jul 2017 14:46:01 +0200 Subject: [PATCH 068/277] remove a few useless "backup: yes" --- ansible-managed/tasks/main.yml | 1 - apt-repositories/tasks/backports.yml | 2 -- apt-repositories/tasks/basics.yml | 1 - apt-repositories/tasks/evolix_public.yml | 1 - evolinux-base/tasks/fstab.yml | 4 ---- evolinux-base/tasks/system.yml | 10 ++++------ newsyslog/tasks/openbsd.yml | 1 - 7 files changed, 4 insertions(+), 16 deletions(-) diff --git a/ansible-managed/tasks/main.yml b/ansible-managed/tasks/main.yml index 7fcbc1fc..16e7b0d4 100644 --- a/ansible-managed/tasks/main.yml +++ b/ansible-managed/tasks/main.yml @@ -4,4 +4,3 @@ src: motd.j2 dest: /etc/motd force: yes - backup: yes diff --git a/apt-repositories/tasks/backports.yml b/apt-repositories/tasks/backports.yml index f079a35b..ad606fe8 100644 --- a/apt-repositories/tasks/backports.yml +++ b/apt-repositories/tasks/backports.yml @@ -12,7 +12,6 @@ src: '{{ ansible_distribution_release }}_backports.list.j2' dest: /etc/apt/sources.list.d/backports.list force: yes - backup: yes mode: "0640" notify: apt update tags: @@ -23,7 +22,6 @@ src: '{{ ansible_distribution_release }}_backports_preferences' dest: /etc/apt/preferences.d/0-backports-defaults force: yes - backup: yes mode: "0640" notify: apt update tags: diff --git a/apt-repositories/tasks/basics.yml b/apt-repositories/tasks/basics.yml index a6aa0f5c..78e16810 100644 --- a/apt-repositories/tasks/basics.yml +++ b/apt-repositories/tasks/basics.yml @@ -6,7 +6,6 @@ dest: /etc/apt/sources.list mode: "0644" force: yes - backup: yes notify: apt update tags: - apt-repositories diff --git a/apt-repositories/tasks/evolix_public.yml b/apt-repositories/tasks/evolix_public.yml index 282255ba..bd1e10ce 100644 --- a/apt-repositories/tasks/evolix_public.yml +++ b/apt-repositories/tasks/evolix_public.yml @@ -18,7 +18,6 @@ src: evolix_public.list.j2 dest: /etc/apt/sources.list.d/evolix_public.list force: yes - backup: yes mode: "0640" notify: apt update tags: diff --git a/evolinux-base/tasks/fstab.yml b/evolinux-base/tasks/fstab.yml index 42ebb79d..6c8b122a 100644 --- a/evolinux-base/tasks/fstab.yml +++ b/evolinux-base/tasks/fstab.yml @@ -14,7 +14,6 @@ dest: /etc/fstab regexp: '([^#]\s+/home\s+\S+\s+)([a-z,]+)(\s+)' replace: '\1{{ evolinux_fstab_home_options | mandatory }}\3' - backup: yes notify: remount /home when: - "' /home ' in fstab_content.stdout" @@ -25,7 +24,6 @@ dest: /etc/fstab regexp: '([^#]\s+/tmp\s+\S+\s+)([a-z,]+)(\s+)' replace: '\1{{ evolinux_fstab_tmp_options | mandatory }}\3' - backup: yes when: - "' /tmp ' in fstab_content.stdout" - evolinux_fstab_tmp @@ -35,7 +33,6 @@ dest: /etc/fstab regexp: '([^#]\s+/usr\s+\S+\s+)([a-z,]+)(\s+)' replace: '\1{{ evolinux_fstab_usr_options | mandatory }}\3' - backup: yes when: - "' /usr ' in fstab_content.stdout" - evolinux_fstab_usr @@ -45,7 +42,6 @@ dest: /etc/fstab regexp: '([^#]\s+/var\s+\S+\s+)([a-z,]+)(\s+)' replace: '\1{{ evolinux_fstab_var_options | mandatory }}\3' - backup: yes notify: remount /var when: - "' /var ' in fstab_content.stdout" diff --git a/evolinux-base/tasks/system.yml b/evolinux-base/tasks/system.yml index 6c7766d5..a11049c4 100644 --- a/evolinux-base/tasks/system.yml +++ b/evolinux-base/tasks/system.yml @@ -104,12 +104,11 @@ dest: /etc/crontab regexp: "{{ item.regexp }}" replace: "{{ item.replace }}" - backup: "{{ item.backup }}" with_items: - - {regexp: '^17((\s*\*){4})', replace: '{{ 59|random(start=1) }}\1', backup: "yes"} - - {regexp: '^25\s*6((\s*\*){3})', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1', backup: "no"} - - {regexp: '^47\s*6((\s*\*){2}\s*7)', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1', backup: "no"} - - {regexp: '^52\s*6(\s*1(\s*\*){2})', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1', backup: "no"} + - { regexp: '^17((\s*\*){4})', replace: '{{ 59|random(start=1) }}\1' } + - { regexp: '^25\s*6((\s*\*){3})', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' } + - { regexp: '^47\s*6((\s*\*){2}\s*7)', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' } + - { regexp: '^52\s*6(\s*1(\s*\*){2})', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' } when: evolinux_system_cron_random # NTP listen retriction @@ -127,7 +126,6 @@ dest: /etc/ntp.conf regexp: "^server .*$" replace: "server {{ evolinux_system_ntpserver }}" - backup: yes notify: restart ntp when: evolinux_system_set_ntpserver diff --git a/newsyslog/tasks/openbsd.yml b/newsyslog/tasks/openbsd.yml index 97926869..28be4862 100644 --- a/newsyslog/tasks/openbsd.yml +++ b/newsyslog/tasks/openbsd.yml @@ -7,7 +7,6 @@ owner: root group: wheel mode: "0644" - backup: yes tags: - log - newsyslog From fa3047bdc4fa6093b0ae6aab46869a61779c444e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beno=C3=AEt=20S=C3=89RIE?= Date: Mon, 17 Jul 2017 16:17:32 +0200 Subject: [PATCH 069/277] Fix #2198. Purge openntpd --- evolinux-base/defaults/main.yml | 1 + evolinux-base/tasks/packages.yml | 7 +++++++ 2 files changed, 8 insertions(+) diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index f58ab6e5..ae012b8b 100644 --- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml @@ -67,6 +67,7 @@ evolinux_packages_hardware: True evolinux_packages_common: True evolinux_packages_stretch: True evolinux_packages_serveur_base: True +evolinux_packages_purge_openntpd: True evolinux_packages_invalid_mta: True evolinux_packages_delete_nfs: True evolinux_packages_listchanges: True diff --git a/evolinux-base/tasks/packages.yml b/evolinux-base/tasks/packages.yml index 36381a2a..9ef40229 100644 --- a/evolinux-base/tasks/packages.yml +++ b/evolinux-base/tasks/packages.yml @@ -65,6 +65,13 @@ allow_unauthenticated: yes when: evolinux_packages_serveur_base +- name: Be sure that openntpd package is absent/purged + apt: + name: openntpd + state: absent + purge: yes + when: evolinux_packages_purge_openntpd + - name: Install/Update packages for Stretch and later apt: name: "{{ item }}" From 62534baccfa052b51d5f660659c1c6f57ebbdeda Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 17 Jul 2017 16:44:16 +0200 Subject: [PATCH 070/277] squid: add UserTrust OCSP endpoint to whitelist --- squid/files/whitelist-evolinux.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/squid/files/whitelist-evolinux.conf b/squid/files/whitelist-evolinux.conf index 063df876..407e7645 100644 --- a/squid/files/whitelist-evolinux.conf +++ b/squid/files/whitelist-evolinux.conf @@ -13,6 +13,9 @@ http://pear.php.net/.* # Let's Encrypt http://.*.letsencrypt.org/.* +# Other OCSP endpoint +http://ocsp.usertrust.com/.* + ### CMS / Wordpress / Drupal / ... # Wordpress http://.*akismet.com/.* From c1e53f7fe4d7ae3f3634d7772c6bb3d0c820389e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beno=C3=AEt=20S=C3=89RIE?= Date: Tue, 18 Jul 2017 10:26:54 +0200 Subject: [PATCH 071/277] Set html_errors to Off for Stretch. --- packweb-apache/tasks/php.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/packweb-apache/tasks/php.yml b/packweb-apache/tasks/php.yml index 074d4f55..d97b5fc4 100644 --- a/packweb-apache/tasks/php.yml +++ b/packweb-apache/tasks/php.yml @@ -36,6 +36,7 @@ - { option: "short_open_tag", value: "Off" } - { option: "expose_php", value: "Off" } - { option: "display_errors", value: "Off" } + - { option: "html_errors", value: "Off" } - { option: "log_errors", value: "On" } - { option: "allow_url_fopen", value: "Off" } notify: reload apache From 7d87a53a2f8ca83fe1652a18b8aeab797787fc07 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beno=C3=AEt=20S=C3=89RIE?= Date: Tue, 18 Jul 2017 10:42:26 +0200 Subject: [PATCH 072/277] Fix #1836. We add -e 200 to nagios's check_http. --- nagios-nrpe/files/plugins/check_http_many | 4 ++-- nagios-nrpe/templates/evolix.cfg.j2 | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/nagios-nrpe/files/plugins/check_http_many b/nagios-nrpe/files/plugins/check_http_many index 90d8d9e2..8dd8e99a 100644 --- a/nagios-nrpe/files/plugins/check_http_many +++ b/nagios-nrpe/files/plugins/check_http_many @@ -35,7 +35,7 @@ check_state() { sites="" for site in $sites; do echo -n "Site ${site}: " >> $result - /usr/lib/nagios/plugins/check_http -f critical -I 127.0.0.1 -H ${site%%/*} -u /${site#*/} >> $result + /usr/lib/nagios/plugins/check_http -f critical -e 200 -I 127.0.0.1 -H ${site%%/*} -u /${site#*/} >> $result check_state $? done @@ -43,7 +43,7 @@ done sites="" for site in $sites; do echo -n "Site ${site}: " >> $result - /usr/lib/nagios/plugins/check_http -w4 -c6 -f critical -p 443 -S -I 127.0.0.1 -H ${site%%/*} -u /${site#*/} >> $result + /usr/lib/nagios/plugins/check_http -w4 -c6 -f critical -e 200 -p 443 -S -I 127.0.0.1 -H ${site%%/*} -u /${site#*/} >> $result check_state $? done diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2 index f30ff669..e2c01f45 100644 --- a/nagios-nrpe/templates/evolix.cfg.j2 +++ b/nagios-nrpe/templates/evolix.cfg.j2 @@ -31,8 +31,8 @@ command[check_imaps]=/usr/lib/nagios/plugins/check_imap -S -H localhost -p 993 command[check_pop]=/usr/lib/nagios/plugins/check_pop -H localhost command[check_pops]=/usr/lib/nagios/plugins/check_pop -S -H localhost -p 995 command[check_ftp]=/usr/lib/nagios/plugins/check_ftp -H localhost -command[check_http]=/usr/lib/nagios/plugins/check_http -f follow -I 127.0.0.1 -H localhost -command[check_https]=/usr/lib/nagios/plugins/check_http -f follow -I 127.0.0.1 -S -p 443 -H ssl.evolix.net +command[check_http]=/usr/lib/nagios/plugins/check_http -e 200 -I 127.0.0.1 -H localhost +command[check_https]=/usr/lib/nagios/plugins/check_http -e 200 -I 127.0.0.1 -S -p 443 -H ssl.evolix.net command[check_bind]=/usr/lib/nagios/plugins/check_dig -l evolix.net -H localhost command[check_unbound]=/usr/lib/nagios/plugins/check_dig -l evolix.net -H localhost command[check_smb]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 445 From d2f0996445b0bd76bfb97214e92e1ed1c7185993 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beno=C3=AEt=20S=C3=89RIE?= Date: Tue, 18 Jul 2017 10:45:07 +0200 Subject: [PATCH 073/277] Remove custom values. Someone has copied this script from a production server with custom values. --- nagios-nrpe/files/plugins/check_http_many | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nagios-nrpe/files/plugins/check_http_many b/nagios-nrpe/files/plugins/check_http_many index 90d8d9e2..cd753cbe 100644 --- a/nagios-nrpe/files/plugins/check_http_many +++ b/nagios-nrpe/files/plugins/check_http_many @@ -43,7 +43,7 @@ done sites="" for site in $sites; do echo -n "Site ${site}: " >> $result - /usr/lib/nagios/plugins/check_http -w4 -c6 -f critical -p 443 -S -I 127.0.0.1 -H ${site%%/*} -u /${site#*/} >> $result + /usr/lib/nagios/plugins/check_http -f critical -p 443 -S -I 127.0.0.1 -H ${site%%/*} -u /${site#*/} >> $result check_state $? done From 54d9dbf7aa03e436cfe558f2865d6d5475c8bc40 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beno=C3=AEt=20S=C3=89RIE?= Date: Tue, 18 Jul 2017 15:37:31 +0200 Subject: [PATCH 074/277] Implement #1092. We use custom error pages for Apache Note: The pack web will maybe modify these pages to have Evolix logo or theme, or other things to customize. --- .../error-pages/HTTP_BAD_GATEWAY.html.var | 320 +++++++++++ .../error-pages/HTTP_BAD_REQUEST.html.var | 230 ++++++++ .../files/error-pages/HTTP_FORBIDDEN.html.var | 411 +++++++++++++++ apache/files/error-pages/HTTP_GONE.html.var | 466 ++++++++++++++++ .../HTTP_INTERNAL_SERVER_ERROR.html.var | 499 ++++++++++++++++++ .../error-pages/HTTP_LENGTH_REQUIRED.html.var | 241 +++++++++ .../HTTP_METHOD_NOT_ALLOWED.html.var | 231 ++++++++ .../files/error-pages/HTTP_NOT_FOUND.html.var | 464 ++++++++++++++++ .../error-pages/HTTP_NOT_IMPLEMENTED.html.var | 219 ++++++++ .../HTTP_PRECONDITION_FAILED.html.var | 222 ++++++++ .../HTTP_REQUEST_ENTITY_TOO_LARGE.html.var | 246 +++++++++ .../HTTP_REQUEST_TIME_OUT.html.var | 234 ++++++++ .../HTTP_REQUEST_URI_TOO_LARGE.html.var | 235 +++++++++ .../HTTP_SERVICE_UNAVAILABLE.html.var | 250 +++++++++ .../error-pages/HTTP_UNAUTHORIZED.html.var | 370 +++++++++++++ .../HTTP_UNSUPPORTED_MEDIA_TYPE.html.var | 217 ++++++++ .../HTTP_VARIANT_ALSO_VARIES.html.var | 242 +++++++++ apache/files/error-pages/README | 38 ++ apache/files/error-pages/contact.html.var | 127 +++++ apache/files/error-pages/include/bottom.html | 12 + apache/files/error-pages/include/spacer.html | 2 + apache/files/error-pages/include/top.html | 21 + .../files/evolinux-localized-error-pages.conf | 35 ++ apache/tasks/main.yml | 36 ++ apache/templates/evolinux-default.conf.j2 | 2 - 25 files changed, 5368 insertions(+), 2 deletions(-) create mode 100644 apache/files/error-pages/HTTP_BAD_GATEWAY.html.var create mode 100644 apache/files/error-pages/HTTP_BAD_REQUEST.html.var create mode 100644 apache/files/error-pages/HTTP_FORBIDDEN.html.var create mode 100644 apache/files/error-pages/HTTP_GONE.html.var create mode 100644 apache/files/error-pages/HTTP_INTERNAL_SERVER_ERROR.html.var create mode 100644 apache/files/error-pages/HTTP_LENGTH_REQUIRED.html.var create mode 100644 apache/files/error-pages/HTTP_METHOD_NOT_ALLOWED.html.var create mode 100644 apache/files/error-pages/HTTP_NOT_FOUND.html.var create mode 100644 apache/files/error-pages/HTTP_NOT_IMPLEMENTED.html.var create mode 100644 apache/files/error-pages/HTTP_PRECONDITION_FAILED.html.var create mode 100644 apache/files/error-pages/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var create mode 100644 apache/files/error-pages/HTTP_REQUEST_TIME_OUT.html.var create mode 100644 apache/files/error-pages/HTTP_REQUEST_URI_TOO_LARGE.html.var create mode 100644 apache/files/error-pages/HTTP_SERVICE_UNAVAILABLE.html.var create mode 100644 apache/files/error-pages/HTTP_UNAUTHORIZED.html.var create mode 100644 apache/files/error-pages/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var create mode 100644 apache/files/error-pages/HTTP_VARIANT_ALSO_VARIES.html.var create mode 100644 apache/files/error-pages/README create mode 100644 apache/files/error-pages/contact.html.var create mode 100644 apache/files/error-pages/include/bottom.html create mode 100644 apache/files/error-pages/include/spacer.html create mode 100644 apache/files/error-pages/include/top.html create mode 100644 apache/files/evolinux-localized-error-pages.conf diff --git a/apache/files/error-pages/HTTP_BAD_GATEWAY.html.var b/apache/files/error-pages/HTTP_BAD_GATEWAY.html.var new file mode 100644 index 00000000..a9061b30 --- /dev/null +++ b/apache/files/error-pages/HTTP_BAD_GATEWAY.html.var @@ -0,0 +1,320 @@ +Content-language: cs +Content-type: text/html; charset=UTF-8 +Body:----------cs-- + + + Proxy server obdržel od nadřazeného + serveru chybnou odpověď. + + + + + + + +----------cs-- + +Content-language: de +Content-type: text/html; charset=UTF-8 +Body:----------de-- + + + Der Proxy-Server erhielt eine fehlerhafte Antwort + eines übergeordneten Servers oder Proxies. + + + + + + + +----------de-- + +Content-language: en +Content-type: text/html; charset=UTF-8 +Body:----------en-- + + + The proxy server received an invalid + response from an upstream server. + + + + + + + +----------en-- + +Content-language: es +Content-type: text/html +Body:----------es-- + + + + El servidor 'proxy' ha recibido; información + no válida del servidor de origen. + + + + + + + + + +----------es-- + +Content-language: fr +Content-type: text/html; charset=UTF-8 +Body:----------fr-- + + + Le serveur proxy a reçu une réponse + incorrecte de la part d'un serveur supérieur. + + + + + + + +----------fr-- + +Content-language: ga +Content-type: text/html; charset=UTF-8 +Body:----------ga-- + + + Fuair an seachfhreastalaí freagairt neamhbhailí + ó freastalaí thuasthrutha. + + + + + + + +----------ga-- + +Content-language: it +Content-type: text/html; charset=UTF-8 +Body:----------it-- + + + Il server proxy ha ricevuto una risposta + non valida dal server precedente. + + + + + + + +----------it-- + +Content-language: ja +Content-type: text/html; charset=UTF-8 +Body:----------ja-- + + + プロクシサーバは上流サーバから不正な応答を受信しました。 + + + + + + + +----------ja-- + +Content-language: ko +Content-type: text/html; charset=UTF-8 +Body:----------ko-- + + + 프록시 서버가 더 윗쪽의 서버로부터 잘못된 응답을 받았습니다. + + + + + + + +----------ko-- + +Content-language: nl +Content-type: text/html; charset=UTF-8 +Body:----------nl-- + + + De proxy server heeft een ongeldig + antwoord ontvangen van een gecontacteerde server. + + + + + + + +----------nl-- + +Content-language: nb +Content-type: text/html; charset=UTF-8 +Body:----------nb-- + + + Proxyserveren mottok et ugyldig svar fra + en oppstrøms server. + + + + + + + +----------nb-- + +Content-language: pl +Content-type: text/html; charset=UTF-8 +Body:----------pl-- + + + Serwer otrzymał nieprawidłową odpowiedź + od kolejnego serwera. + + + + + + + +----------pl-- + +Content-language: pt-br +Content-type: text/html; charset=UTF-8 +Body:-------pt-br-- + + + O servidor proxy recebeu uma resposta + inválida do servidor destino. + + + + + + + +-------pt-br-- + +Content-language: pt +Content-type: text/html; charset=ISO-8859-1 +Body:----------pt-- + + + O servidor de proxy recebeu uma resposta + inválida de um outro servidor externo a ele. + + + + + + + +----------pt-- + +Content-language: ro +Content-type: text/html; charset=UTF-8 +Body:----------ro-- + + + Serverul proxy a primit un raspuns invalid + de la serverul precedent. + + + + + + + +----------ro-- + +Content-language: sr +Content-type: text/html; charset=UTF-8 +Body:----------sr-- + + + Посреднички сервер је примио неисправан + одговор од следећег сервера у низу. + + + + + + + +----------sr-- + +Content-language: sv +Content-type: text/html; charset=UTF-8 +Body:----------sv-- + + + Proxyservern mottog ett felaktigt svar från + en tidigare server. + + + + + + + +----------sv-- + +Content-language: tr +Content-type: text/html; charset=UTF-8 +Body:----------tr-- + + + Vekil sunucu üstbirim sunucudan + anlamsız bir yanıt aldı. + + + + + + + +----------tr-- diff --git a/apache/files/error-pages/HTTP_BAD_REQUEST.html.var b/apache/files/error-pages/HTTP_BAD_REQUEST.html.var new file mode 100644 index 00000000..8f892c78 --- /dev/null +++ b/apache/files/error-pages/HTTP_BAD_REQUEST.html.var @@ -0,0 +1,230 @@ +Content-language: cs +Content-type: text/html; charset=UTF-8 +Body:----------cs-- + + + Váš prohlížeč (nebo proxy server) vyslal požadavek, + kterému tento server nerozuměl. + + +----------cs-- + +Content-language: de +Content-type: text/html; charset=UTF-8 +Body:----------de-- + + + Ihr Browser (oder Proxy) hat eine ungültige Anfrage + gesendet, die vom Server nicht beantwortet werden kann. + + +----------de-- + +Content-language: en +Content-type: text/html; charset=UTF-8 +Body:----------en-- + + + Your browser (or proxy) sent a request that + this server could not understand. + + +----------en-- + +Content-language: es +Content-type: text/html +Body:----------es-- + + + + Su navegador (o 'proxy') ha enviado una petición + que el servidor no ha podido entender. + + +----------es-- + +Content-language: fr +Content-type: text/html; charset=UTF-8 +Body:----------fr-- + + + Votre navigateur (ou votre proxy) a envoyé + une demande que ce serveur n'a pas comprise. + + +----------fr-- + +Content-language: ga +Content-type: text/html; charset=UTF-8 +Body:----------ga-- + + + Seol do chuid brabhsálaí (nó + seachfhreastalaí) freagairt nárbh fhéidir leis an + fhreastalaí seo a thuisceant. + + +----------ga-- + +Content-language: it +Content-type: text/html; charset=UTF-8 +Body:----------it-- + + + Il tuo browser (o il proxy) ha inviato a + questo server una richiesta incomprensibile. + + +----------it-- + +Content-language: ja +Content-type: text/html; charset=UTF-8 +Body:----------ja-- + + + お使いのブラウザ (またはプロクシ) + が、サーバの理解できないリクエストを送信しました。 + + +----------ja-- + +Content-language: ko +Content-type: text/html; charset=UTF-8 +Body:----------ko-- + + + 브라우저 또는 프록시가 + 이 서버가 처리할 수 없는 잘못된 요청을 보냈습니다. + + +----------ko-- + +Content-language: nl +Content-type: text/html; charset=UTF-8 +Body:----------nl-- + + + Uw browser (of proxy) stuurde een vraag die + deze server niet kon begrijpen. + + +----------nl-- + +Content-language: nb +Content-type: text/html; charset=UTF-8 +Body:----------nb-- + + + Din nettleser eller proxy sendte en forespørsel + som denne serveren ikke kunne forstå. + + +----------nb-- + +Content-language: pl +Content-type: text/html; charset=UTF-8 +Body:----------pl-- + + + Twoja przeglądarka (lub serwer pośredniczący) wysłał żądanie, + którego ten serwer nie potrafi obsłużyć. + + +----------pl-- + +Content-language: pt-br +Content-type: text/html; charset=UTF-8 +Body:-------pt-br-- + + + Seu "browser" (ou o servidor proxy) enviou uma + requisição inválida ao servidor. + + +-------pt-br-- + +Content-language: pt +Content-type: text/html; charset=ISO-8859-1 +Body:----------pt-- + + + O seu browser ou proxy enviou + um pedido que este servidor não compreendeu. + + +----------pt-- + +Content-language: ro +Content-type: text/html; charset=UTF-8 +Body:----------ro-- + + + Browserul (sau proxy-ul) dumneavoastra a trimis + serverului o cerere ce nu poate fi procesata. + + +----------ro-- + +Content-language: sr +Content-type: text/html; charset=UTF-8 +Body:----------sr-- + + + Ваш читач (или посреднички сервер) послао је захтев који + овај сервер није могао да разуме. + + +----------sr-- + +Content-language: sv +Content-type: text/html; charset=UTF-8 +Body:----------sv-- + + + Din webbläsare eller proxy skickade en förfrågan + som denna server inte kunde förstå. + + +----------sv-- + +Content-language: tr +Content-type: text/html; charset=UTF-8 +Body:----------tr-- + + + Tarayıcınız (veya vekil sunucunuz) bu sunucunun + anlayamadığı bir istekte bulundu. + + +----------tr-- diff --git a/apache/files/error-pages/HTTP_FORBIDDEN.html.var b/apache/files/error-pages/HTTP_FORBIDDEN.html.var new file mode 100644 index 00000000..16995cab --- /dev/null +++ b/apache/files/error-pages/HTTP_FORBIDDEN.html.var @@ -0,0 +1,411 @@ +Content-language: cs +Content-type: text/html; charset=UTF-8 +Body:----------cs-- + + + + + Nemáte právo pro přístup do požadovaného adresáře. Buď neexistuje žádný + dokument s obsahem (tzv. index), nebo je adresář chráněn proti čtení. + + + + Nemáte právo pro přístup k požadovanému objektu. + Buď je chráněn proti čtení, nebo není serverem čitelný. + + + + +----------cs-- + +Content-language: de +Content-type: text/html; charset=UTF-8 +Body:----------de-- + + + + + Der Zugriff auf das angeforderte Verzeichnis ist nicht möglich. + Entweder ist kein Index-Dokument vorhanden oder das Verzeichnis + ist zugriffsgeschützt. + + + + Der Zugriff auf das angeforderte Objekt ist nicht möglich. + Entweder kann es vom Server nicht gelesen werden oder es + ist zugriffsgeschützt. + + + + +----------de-- + +Content-language: en +Content-type: text/html; charset=UTF-8 +Body:----------en-- + + + + + You don't have permission to access the requested directory. + There is either no index document or the directory is read-protected. + + + + You don't have permission to access the requested object. + It is either read-protected or not readable by the server. + + + + +----------en-- + +Content-language: es +Content-type: text/html +Body:----------es-- + + + + + + Usted no tiene permiso para acceder al directorio solicitado. + No existe un documento índice, o el directorio está + protegido contra lectura. + + + + Usted no tiene permiso para acceder al objeto solicitado. + El objeto está protegido contra lectura o + el servidor no puede leerlo. + + + + +----------es-- + +Content-language: fr +Content-type: text/html; charset=UTF-8 +Body:----------fr-- + + + + + Vous n'avez pas le droit d'accéder au répertoire + demandé. Soit il n'y a pas de document index soit le répertoire + est protégé. + + + + Vous n'avez pas le droit d'accéder à l'objet + demandé. Soit celui-ci est protégé, soit il ne peut + être lu par le serveur. + + + + +----------fr-- + +Content-language: ga +Content-type: text/html; charset=UTF-8 +Body:----------ga-- + + + + + Níl cead agat rochtain a dhéanamh ar an comhadlann faoi + iarratais. Is féidir nach bhfuil aon doiciméad + innéacs, nó go bhfuil cosaint ar lémh an comhadlann. + + + + Níl cead agat rochtain a dhéanamh ar an aidhm faoi iarratais. + Is féidir go bhfuil cosaint ar lé air, nó go bhfuil + sé doléite don freastalaí. + + + + +----------ga-- + +Content-language: it +Content-type: text/html; charset=UTF-8 +Body:----------it-- + + + + + Non disponi dei permessi necessari per accedere alla + directory richiesta oppure non esiste il documento indice. + + + + Non disponi dei permessi necessari per accedere all'oggetto + richiesto, oppure l'oggetto non può essere letto dal server. + + + + +----------it-- + +Content-language: ja +Content-type: text/html; charset=UTF-8 +Body:----------ja-- + + + + + 要求されたディレクトリへのアクセス権限がありません。 + インデックスドキュメントが存在しないか、 + ディレクトリの読み込みが許可されていません。 + + + + 要求されたオブジェクトへのアクセス権がありません。 + 読み込みが許可されていないか、 + サーバが読み込みに失敗したかでしょう。 + + + + +----------ja-- + +Content-language: ko +Content-type: text/html; charset=UTF-8 +Body:----------ko-- + + + + + 요청한 디렉토리에 접근할 수 있는 권한이 없습니다. + 디렉토리에 첫 페이지가 없거나 아니면 읽기 보호가 되어 있습니다. + + + + 요청한 객체에 접근할 수 있는 권한이 없습니다. + 읽기 보호가 되어 있거나 웹서버가 읽을 수 없도록 되어 있습니다. + + + + +----------ko-- + +Content-language: nl +Content-type: text/html; charset=UTF-8 +Body:----------nl-- + + + + + U hebt niet de toestemming om toegang te krijgen tot de gevraagde map. + Er is of wel geen index document of de map is beveiligd tegen lezen. + + + + U hebt niet de toestemming om toegang te krijgen tot de gevraagde map. + Die is ofwel beveiligd tegen lezen of onleesbaar door de server. + + + + +----------nl-- + +Content-language: nb +Content-type: text/html; charset=UTF-8 +Body:----------nb-- + + + + + Du har ikke tilstrekkelige rettigheter for å få tilgang til den + ønskede katalogen. Det eksisterer ikke et indeksdokument, eller + katalogen er lesebeskyttet. + + + + Du har ikke tilstrekkelige rettigheter for å få adgang til det + ønskede dokumentet. Objektet er lesebeskyttet, eller ikke lesbart + for serveren. + + + + +----------nb-- + +Content-language: pl +Content-type: text/html; charset=UTF-8 +Body:----------pl-- + + + + + Nie masz prawa dostępu do żądanego katalogu. W katalogu nie + ma indeksu lub katalog jest zabezpieczony przed odczytem. + + + + Nie masz dostępu do żądanego obiektu. Jest on zabezpieczony + przed odczytem lub nie może być odczytany przez serwer. + + + + +----------pl-- + +Content-language: pt-br +Content-type: text/html; charset=UTF-8 +Body:-------pt-br-- + + + + + Você não tem permissão para acessar o + diretório requisitado. + Pode não existir o arquivo de índice ou + o diretório pode estar protegido contra leitura. + + + + Você não tem permissão para acessar o + objeto requisitado. Ele pode estar protegido contra leitura ou + não ser legível pelo servidor. + + + + +-------pt-br-- + +Content-language: pt +Content-type: text/html; charset=ISO-8859-1 +Body:----------pt-- + + + + + Não tem permissão para aceder ao directório + que deseja. Ou não existe o documento de índice + ou o directório está protegido contra leitura. + + + + Não tem permissão para aceder ao objecto + que deseja. Este está protegido contra leitura ou + o servidor não o consegue ler. + + + + +----------pt-- + +Content-language: ro +Content-type: text/html; charset=UTF-8 +Body:----------ro-- + + + + + Nu aveti permisiunea sa accesati directorul cerut. + Nu este nici un document index sau directorul este protejat la citire. + + + + Nu aveti permisiunea sa accesati obiectul cerut. + Este protejat la citire sau nu poate fi citit de server. + + + + +----------ro-- + +Content-language: sr +Content-type: text/html; charset=UTF-8 +Body:----------sr-- + + + + + Немате дозволу да приступите захтеваном директоријуму. + Могуће је да нема индексног документа, или да је директоријум заштићен од читања. + + + + Немате дозволу да приступите захтеваном објекту. + Могуће је да је заштићен од читања, или да га сервер не може прочитати. + + + + +----------sr-- + +Content-language: sv +Content-type: text/html; charset=UTF-8 +Body:----------sv-- + + + + + Du har inte tillräckliga rättigheter för att få + tillgång till den önskade katalogen. Det existerar inget + indexdokument eller så är katalogen lässkyddad. + + + + Du har inte tillräckliga rättigheter för att få + tillgång till det önskade objektet. Objektet är + lässkyddat eller inte läsbart för servern. + + + + +----------sv-- + +Content-language: tr +Content-type: text/html; charset=UTF-8 +Body:----------tr-- + + + + + Talep ettiğiniz dizine erişim izniniz yok. + Ya dizin içerik dosyası yok, ya da dizin okumaya karşı korumalı. + + + + Talep ettiğiniz dizine erişim izniniz yok. + Dizin, ya okumaya karşı korumalı + ya da sunucu tarafından okunamıyor. + + + + +----------tr-- diff --git a/apache/files/error-pages/HTTP_GONE.html.var b/apache/files/error-pages/HTTP_GONE.html.var new file mode 100644 index 00000000..cd58bccf --- /dev/null +++ b/apache/files/error-pages/HTTP_GONE.html.var @@ -0,0 +1,466 @@ +Content-language: cs +Content-type: text/html; charset=UTF-8 +Body:----------cs-- + + + Požadované URL již není na tomto serveru k dispozici, ani není k dispozici + žádná adresa k přesměrování. + + + + Informujte, prosím, autora + ">odkazující + stránky, že odkaz je zastaralý. + + + + Pokud jste následovali odkaz z cizí stránky, kontaktujte, prosím, + jejího autora. + + + + +----------cs-- + +Content-language: de +Content-type: text/html; charset=UTF-8 +Body:----------de-- + + + Der angeforderte URL existiert auf dem Server nicht mehr + und wurde dauerhaft entfernt. + Eine Weiterleitungsadresse ist nicht verfügbar. + + + + Bitte informieren Sie den Autor der + ">verweisenden + Seite, dass der Link nicht mehr aktuell ist. + + + + Falls Sie einem Link von einer anderen Seite gefolgt sind, + informieren Sie bitte den Autor dieser Seite hierüber. + + + + +----------de-- + +Content-language: en +Content-type: text/html; charset=UTF-8 +Body:----------en-- + + + The requested URL is no longer available on this server and there is no + forwarding address. + + + + Please inform the author of the + ">referring + page that the link is outdated. + + + + If you followed a link from a foreign page, please contact the + author of this page. + + + + +----------en-- + +Content-language: es +Content-type: text/html +Body:----------es-- + + + + La URL solicitada ya no está disponible en este servidor y + no existe una dirección a la cual remitirle. + + + + Por favor, comunique al autor de la + ">página + que le ha remitido que la URL está obsoleta. + + + + Si usted ha seguido un enlace de una página externa, + por favor contacte con el autor de esa página. + + + + +----------es-- + +Content-language: fr +Content-type: text/html; charset=UTF-8 +Body:----------fr-- + + + L'URL demandée n'est plus accessible sur ce serveur et il + n'y a pas d'adresse de redirection. + + + + Nous vous prions d'informer l'auteur de + ">la + page en question que la référence n'est plus valable. + + + + Si vous avez suivi une référence issue d'une page autre, + veuillez contacter l'auteur de cette page. + + + + +----------fr-- + +Content-language: ga +Content-type: text/html; charset=UTF-8 +Body:----------ga-- + + + Níl an URL iarraithe ar fáil ar an fhreastalaí seo + a thuilleadh, agus níl aon seoladh nua ann dó. + + + + Cur in úil do úadar an + ">leathanach + thagarthach go bhfuil an nasc as-dáta, le do thoil. + + + + Má leanfá nasc ó leathanach iasachta, téigh i + dteaghmháil le úadar an leathanach sin, le do thoil. + + + + +----------ga-- + +Content-language: it +Content-type: text/html; charset=UTF-8 +Body:----------it-- + + + L'URL richiesto non è più disponibile su questo server + e non esistono indirizzi verso i quali sia possibile inoltrare + la richiesta. + + + + Per favore, informa l'autore della + ">pagina + di provenienza che il link non è più valido. + + + + Se sei arrivato da una pagina esterna, informa l'autore della + pagina di provenienza che il link non è più valido. + + + + +----------it-- + +Content-language: ja +Content-type: text/html; charset=UTF-8 +Body:----------ja-- + + + 要求された URL は既に本サーバでは利用できませんし、 + 移動先もわかりません。 + + + + " + >参照元ページの著者に、 + リンクが古くなっていることをご連絡ください。 + + + + 他のページからのリンクを辿ってきた場合は、 + そのページの著者にご連絡ください。 + + + + +----------ja-- + +Content-language: ko +Content-type: text/html; charset=UTF-8 +Body:----------ko-- + + + 요청한 URL은 더 이상 이 서버에 남아있지 않으며, + 그 객체가 옮겨진 다른 URL 역시 남아있지 않습니다. + + + + ">이전 + 페이지의 만든이에게 주소가 잘못되었다고 알려주시기 바랍니다. + + + + 다른 페이지의 링크를 따라오셨다면, 그 페이지의 만든이에게 연락을 하시기 + 바랍니다. + + + + +----------ko-- + +Content-language: nl +Content-type: text/html; charset=UTF-8 +Body:----------nl-- + + + De gevraagde URL is niet langer beschikbaar op deze server en er is geen + doorverwijsadres. + + + + Gelieve aan de auteur van + ">deze pagina + te melden dat deze link niet langer actueel is. + + + + Indien u deze link hebt gekregen van een andere pagina, gelieve + de auteur van deze pagina te contacteren. + + + + +----------nl-- + +Content-language: nb +Content-type: text/html; charset=UTF-8 +Body:----------nb-- + + + Den ønskede adressen er ikke lenger tilgjengelig hos denne + serveren og det finnes ingen adresse for videresending. + + + + Venligst informer forfatteren bak + ">den + aktuelle siden om at lenken er utdatert. + + + + Om du fulgte en lenke fra en ekstern side, venligst kontakt + forfatteren bak den siden. + + + + +----------nb-- + +Content-language: pl +Content-type: text/html; charset=UTF-8 +Body:----------pl-- + + + Poszukiwany zasób nie jest już dostępny na tym serwerze i nie + podano nowego adresu zasobu. + + + + Prosimy poinformować autora + ">referującej + strony o nieaktualnym linku. + + + + Jeśli podążyłeś za linkiem z innej strony, skontaktuj się z jej + autorem. + + + + +----------pl-- + +Content-language: pt-br +Content-type: text/html; charset=UTF-8 +Body:-------pt-br-- + + + A URL solicitada não está disponível neste servidor + e não existe um endereço alternativo. + + + + Por favor informe o autor da + ">página + referida que a URL está desatualizada. + + + + Se você seguiu um "link" de uma página externa, por favor + entre em contato com o autor desta página e o informe sobre a + mudança do "link". + + + + +-------pt-br-- + +Content-language: pt +Content-type: text/html; charset=ISO-8859-1 +Body:----------pt-- + + + O URL desejado já não está disponível + neste servidor e não existe endereço alternativo. + + + + Por favor informe o autor da + ">página + originária que a hiperligação está + desactualizada. + + + + Se chegou aqui a partir de uma hiperligação externa, + por favor contacte o autor dessa página. + + + + +----------pt-- + +Content-language: ro +Content-type: text/html; charset=UTF-8 +Body:----------ro-- + + + URL-ul cerut nu mai este disponibil pe acest server si nu + exista o adresa de inaintare. + + + + Va rugam informati autorul + ">paginii + referite ca link-ul nu mai este de actualitate. + + + + Va rugam contactati autorul acestei pagini daca ati urmat + un link dintr-o pagina externa. + + + + +----------ro-- + +Content-language: sr +Content-type: text/html; charset=UTF-8 +Body:----------sr-- + + + Захтевани УРЛ није више доступан на овом серверу и нема + адресе на коју бисте могли бити прослеђени. + + + + Молимо обавестите аутора + ">исходишне + странице да је веза застарела. + + + + Ако сте пратили везу са спољне странице, молимо обавестите + аутора те странице. + + + + +----------sr-- + +Content-language: sv +Content-type: text/html; charset=UTF-8 +Body:----------sv-- + + + Den önskade adressen är inte längre tillgänglig hos + denna server och det finns inte någon adress för vidarebefodran. + + + + Vänligen informera författaren bakom + ">den aktuella + sidan att länken är inaktuell. + + + + Om du följde en länk från en extern sida, vänligen + kontakta författaren av den sidan. + + + + +----------sv-- + +Content-language: tr +Content-type: text/html; charset=UTF-8 +Body:----------tr-- + + + Talep ettiğiniz URL artık kullanılabilir değil + ve herhangi bir yönlendirme de mevcut değil. + + + + Lütfen + ">istenen sayfanın + yazarına, bu bağlantının güncel olmadığını bildirin. + + + + Başka bir sunucudaki bir bağlantıyı izleyerek buraya geldiyseniz, + lütfen sözkonusu sayfanın yazarına bağlantının güncel olmadığını bildirin. + + + + +----------tr-- diff --git a/apache/files/error-pages/HTTP_INTERNAL_SERVER_ERROR.html.var b/apache/files/error-pages/HTTP_INTERNAL_SERVER_ERROR.html.var new file mode 100644 index 00000000..7cb84203 --- /dev/null +++ b/apache/files/error-pages/HTTP_INTERNAL_SERVER_ERROR.html.var @@ -0,0 +1,499 @@ +Content-language: cs +Content-type: text/html; charset=UTF-8 +Body:----------cs-- + + + + + Nastala vnitřní chyba a server nebyl schopen + dokončit Váš požadavek. + + + + Chybová zpráva +
    + + + + Nastala vnitřní chyba a server nebyl schopen + dokončit Váš požadavek. Buď je server + přetížen, nebo došlo k chybě v CGI skriptu. + + + + +----------cs-- + +Content-language: de +Content-type: text/html; charset=UTF-8 +Body:----------de-- + + + + + Die Anfrage kann nicht beantwortet werden, da im Server + ein interner Fehler aufgetreten ist. + + + + Fehlermeldung: +
    + + + + Die Anfrage kann nicht beantwortet werden, da im Server + ein interner Fehler aufgetreten ist. + Der Server ist entweder überlastet oder ein Fehler in + einem CGI-Skript ist aufgetreten. + + + + +----------de-- + +Content-language: en +Content-type: text/html; charset=UTF-8 +Body:----------en-- + + + + + The server encountered an internal error and was + unable to complete your request. + + + + Error message: +
    + + + + The server encountered an internal error and was + unable to complete your request. Either the server is + overloaded or there was an error in a CGI script. + + + + +----------en-- + +Content-language: es +Content-type: text/html +Body:----------es-- + + + + Se ha producido un error interno en el servidor y no + se ha podido completar su solicitud. + + + + + Mensaje de error:
    + + + + + Se ha producido un error interno en el servidor y no se + ha podido completar su solicitud. O el servidor está + sobrecargado o ha habido un fallo en la ejecución de + un programa CGI. + + + + +----------es-- + +Content-language: fr +Content-type: text/html; charset=UTF-8 +Body:----------fr-- + + + + + Le serveur a été victime d'une erreur interne et n'a pas + été capable de faire aboutir votre requête. + + + + Message d'erreur: +
    + + + + Le serveur a été victime d'une erreur interne et n'a pas + été capable de faire aboutir votre requête. + Soit le server est surchargé soit il s'agit d'une erreur dans + le script CGI. + + + + +----------fr-- + +Content-language: ga +Content-type: text/html; charset=UTF-8 +Body:----------ga-- + + + + + Thit an freastalaí ar earráid inmheánach + agus theip air do chuid iarratais a comhlíonadh. + + + + Teachtaireacht earráide: +
    + + + + Thit an freastalaí ar earráid inmheánach + agus theip air do chuid iarratais a comhlíonadh. + Is féidir go bhfuil an freastalaí + rólóaidithe, nó go raibh earráid + i script CGI éigin. + + + + +----------ga-- + +Content-language: it +Content-type: text/html; charset=UTF-8 +Body:----------it-- + + + + + Il server ha generato un errore interno e non è + in grado di soddisfare la richiesta. + + + + Messaggio di errore: +
    + + + + Il server ha generato un errore interno e non è + in grado di soddisfare la richiesta. Il server potrebbe + essere sovraccarico oppure si è verificato un + errore in uno script CGI. + + + + +----------it-- + +Content-language: ja +Content-type: text/html; charset=UTF-8 +Body:----------ja-- + + + + + サーバ内部で障害が発生し、 + リクエストに応えることができませんでした。 + + + + Error message: +
    + + + + サーバ内部で障害が発生し、 + リクエストに応えることができませんでした。 + サーバが過負荷であるか、 + CGI スクリプトにエラーがあります。 + + + + +----------ja-- + +Content-language: ko +Content-type: text/html; charset=UTF-8 +Body:----------ko-- + + + + + 서버에 내부 오류가 발생하여 요청을 끝까지 처리하지 못했습니다. + + + + 오류 내용: +
    + + + + 서버에 내부 오류가 생겨 요청을 끝까지 처리하지 못했습니다. + 서버에 과부하가 걸렸거나 아니면 CGI 프로그램에 오류가 있었습니다. + + + + +----------ko-- + +Content-language: nl +Content-type: text/html; charset=UTF-8 +Body:----------nl-- + + + + + + + Foutbericht: +
    + + + + De server kreeg een interne fout en kon + uw vraag niet beantwoorden. De server is overbelast + of er was een fout in een CGI script. + + + + +----------nl-- + +Content-language: nb +Content-type: text/html; charset=UTF-8 +Body:----------nb-- + + + + + Det inntraff en intern feil hos serveren, og det var ikke mulig å + gjennomføre din forespørsel. + + + + Feilmelding: +
    + + + + Det inntraff en intern feil hos serveren, og det var ikke mulig å + gjennomføre din forespørsel. Serveren er enten overbelastet, eller + CGI-skriptet inneholder feil. + + + + +----------nb-- + +Content-language: pl +Content-type: text/html; charset=UTF-8 +Body:----------pl-- + + + + + Serwer napotkał błąd wewnętrzny i nie jest w stanie + zrealizować twojego żądania. + + + + Informacja o błędzie: +
    + + + + Serwer napotkał błąd wewnętrzny i nie jest w stanie + zrealizować twojego żądania. Serwer jest przeciążony lub + napotkał na błąd w skrypcie CGI. + + + + +----------pl-- + +Content-language: pt-br +Content-type: text/html; charset=UTF-8 +Body:-------pt-br-- + + + + + O servidor encontrou um erro interno e não pode + completar sua requisição. + + + + Mensagem de Erro: +
    + + + + O servidor encontrou um erro interno e não + foi possível completar sua requisição. + O servidor está sobrecarregado ou existe um + erro em um script CGI. + + + + +-------pt-br-- + +Content-language: pt +Content-type: text/html; charset=ISO-8859-1 +Body:----------pt-- + + + + + O servidor encontrou um erro interno e não pode completar + o seu pedido. + + + + Mensagem de erro: +
    + + + + O servidor encontrou um erro interno e não pode completar + o seu pedido. Ou o servidor está sobrecarregado, ou ocorreu + um erro num script CGI. + + + + +----------pt-- + +Content-language: ro +Content-type: text/html; charset=UTF-8 +Body:----------ro-- + + + + + Serverul a intalnit o eroare interna si nu a + putut rezolva cererea dumneavoastra. + + + + Mesajul de eroare : +
    + + + + Serverul a intalnit o eroare interna si nu a + putut rezolva cererea dumneavoastra. Serverul este + supraincarcat sau a fost o eroare intr-un script CGI. + + + + +----------ro-- + +Content-language: sr +Content-type: text/html; charset=UTF-8 +Body:----------sr-- + + + + + Сервер је имао унутрашњу грешку и није био + у могућности да испуни ваш захтев. + + + + Порука о грешци: +
    + + + + Сервер је имао унутрашњу грешку и није био + у могућности да испуни ваш захтев. Могуће је да је сервер + преоптерећен, или да се десила грешка у CGI скрипти. + + + + +----------sr-- + +Content-language: sv +Content-type: text/html; charset=UTF-8 +Body:----------sv-- + + + + + Servern råkade ut för ett internt fel och det var inte möjligt + att slutföra din begäran. + + + + Felmeddelande: +
    + + + + Servern råkade ut för ett internt fel och det var inte möjligt + att slutföra din begäran. Servern är antingen överbelastad + eller så innehåller CGI-skriptet fel. + + + + +----------sv-- + +Content-language: tr +Content-type: text/html; charset=UTF-8 +Body:----------tr-- + + + + + Sunucuda içsel bir hata oluştuğundan sunucu isteğinizi yerine getiremiyor. + + + + Hata iletisi: +
    + + + + Sunucuda içsel bir hata oluştuğundan sunucu isteğinizi yerine getiremiyor. + Ya sunucu aşırı yüklü ya da CGI betiğinde bir hata oluştu. + + + + +----------tr-- diff --git a/apache/files/error-pages/HTTP_LENGTH_REQUIRED.html.var b/apache/files/error-pages/HTTP_LENGTH_REQUIRED.html.var new file mode 100644 index 00000000..f542b9d4 --- /dev/null +++ b/apache/files/error-pages/HTTP_LENGTH_REQUIRED.html.var @@ -0,0 +1,241 @@ +Content-language: cs +Content-type: text/html; charset=UTF-8 +Body:----------cs-- + + + Požadavek metodou + vyžaduje korektní hlavičku Content-Length. + + +----------cs-- + +Content-language: de +Content-type: text/html; charset=UTF-8 +Body:----------de-- + + + Die Anfrage kann nicht beantwortet werden. + Bei Verwendung der -Methode + muß ein korrekter Content-Length-Header + angegeben werden. + + +----------de-- + +Content-language: en +Content-type: text/html; charset=UTF-8 +Body:----------en-- + + + A request with the + method requires a valid Content-Length header. + + +----------en-- + +Content-language: es +Content-type: text/html +Body:----------es-- + + + + Una petición con el método requiere que el encabezado + Content-Length sea válido. + + +----------es-- + +Content-language: fr +Content-type: text/html; charset=UTF-8 +Body:----------fr-- + + + Une requête utilisant la méthode nécessite un en-tête + Content-Length (indiquant la longueur) valable. + + +----------fr-- + +Content-language: ga +Content-type: text/html; charset=UTF-8 +Body:----------ga-- + + + Is gá go mbhéadh ceanntáisc + Content-Length + bhailí do iarratais faoin modh + . + + +----------ga-- + + +Content-language: it +Content-type: text/html; charset=UTF-8 +Body:----------it-- + + + Una richiesta con il metodo + + richiede che venga specificato un header Content-Length + valido. + + +----------it-- + +Content-language: ja +Content-type: text/html; charset=UTF-8 +Body:----------ja-- + + + + メソッドのリクエストでは、 + 正しい Content-Length ヘッダが必要になります。 + + +----------ja-- + +Content-language: ko +Content-type: text/html; charset=UTF-8 +Body:----------ko-- + + + 방식을 쓰는 + 요청은 올바른 Content-Length 헤더도 함께 보내야만 합니다. + + +----------ko-- + +Content-language: nl +Content-type: text/html; charset=UTF-8 +Body:----------nl-- + + + Een vraag met het + type methode heeft een correcte Content-Length lijn nodig. + + +----------nl-- + +Content-language: nb +Content-type: text/html; charset=UTF-8 +Body:----------nb-- + + + En forespørsel med + metoden krever en korrekt Content-Length header. + + +----------nb-- + +Content-language: pl +Content-type: text/html; charset=UTF-8 +Body:----------pl-- + + + Żądanie + wymaga poprawnego nagłówka Content-Length. + + +----------pl-- + +Content-language: pt-br +Content-type: text/html; charset=UTF-8 +Body:-------pt-br-- + + + Uma requisição + do método + requer um cabeçalho Content-Length válido. + + +-------pt-br-- + +Content-language: pt +Content-type: text/html; charset=ISO-8859-1 +Body:----------pt-- + + + Um pedido com o método + necessita de um cabeçalho Content-Length válido. + + +----------pt-- + +Content-language: ro +Content-type: text/html; charset=UTF-8 +Body:----------ro-- + + + O cerere cu metoda + necesita un header Content-Length valid. + + +----------ro-- + +Content-language: sr +Content-type: text/html; charset=UTF-8 +Body:----------sr-- + + + Захтев са + методом мора имати исправно Content-Length + (дужина садржаја) заглавље. + + +----------sr-- + +Content-language: sv +Content-type: text/html; charset=UTF-8 +Body:----------sv-- + + + En förfrågan med + metoden kräver ett korrekt Content-Length huvud. + + +----------sv-- + +Content-language: tr +Content-type: text/html; charset=UTF-8 +Body:----------tr-- + + + yöntemini kullanan bir istek + geçerli bir Content-Length (içerik uzunluğu) başlığı gerektirir. + + +----------tr-- diff --git a/apache/files/error-pages/HTTP_METHOD_NOT_ALLOWED.html.var b/apache/files/error-pages/HTTP_METHOD_NOT_ALLOWED.html.var new file mode 100644 index 00000000..1eefb9d7 --- /dev/null +++ b/apache/files/error-pages/HTTP_METHOD_NOT_ALLOWED.html.var @@ -0,0 +1,231 @@ +Content-language: cs +Content-type: text/html; charset=UTF-8 +Body:----------cs-- + + + Metoda + není pro požadované URL povolena. + + +----------cs-- + +Content-language: de +Content-type: text/html; charset=UTF-8 +Body:----------de-- + + + Die -Methode + ist für den angeforderten URL nicht erlaubt. + + +----------de-- + +Content-language: en +Content-type: text/html; charset=UTF-8 +Body:----------en-- + + + The + method is not allowed for the requested URL. + + +----------en-- + +Content-language: es +Content-type: text/html +Body:----------es-- + + + + No se permite el método + para la URL solicitada. + + +----------es-- + +Content-language: fr +Content-type: text/html; charset=UTF-8 +Body:----------fr-- + + + La méthode + n'est pas utilisable pour l'URL demandée. + + +----------fr-- + +Content-language: ga +Content-type: text/html; charset=UTF-8 +Body:----------ga-- + + + Níl cead an modh + + a úasáid leis an URL iarraithe. + + +----------ga-- + +Content-language: it +Content-type: text/html; charset=UTF-8 +Body:----------it-- + + + Il metodo + non è consentito per l'URL richiesto. + + +----------it-- + +Content-language: ja +Content-type: text/html; charset=UTF-8 +Body:----------ja-- + + + + メソッドは、要求された URL に対しては許可されていません。 + + +----------ja-- + +Content-language: ko +Content-type: text/html; charset=UTF-8 +Body:----------ko-- + + + 방식은 + 요청한 URL에 사용할 수 없습니다. + + +----------ko-- + +Content-language: nl +Content-type: text/html; charset=UTF-8 +Body:----------nl-- + + + Het + type methode is niet toegelaten voor de gevraagde URL. + + +----------nl-- + +Content-language: nb +Content-type: text/html; charset=UTF-8 +Body:----------nb-- + + + metoden er ikke + tillatt for den forespurte adressen. + + +----------nb-- + +Content-language: pl +Content-type: text/html; charset=UTF-8 +Body:----------pl-- + + + Metoda + jest niedozwolona dla podanego URL-a. + + +----------pl-- + +Content-language: pt-br +Content-type: text/html; charset=UTF-8 +Body:-------pt-br-- + + + O método + não é permitido para a URL requisitada. + + +-------pt-br-- + +Content-language: pt +Content-type: text/html; charset=ISO-8859-1 +Body:----------pt-- + + + O método não + é permitido para o URL pedido. + + +----------pt-- + +Content-language: ro +Content-type: text/html; charset=UTF-8 +Body:----------ro-- + + + Metoda + nu este permisa pentru URL-ul cerut. + + +----------ro-- + +Content-language: sr +Content-type: text/html; charset=UTF-8 +Body:----------sr-- + + + + метод није дозвољен за захтевани УРЛ. + + +----------sr-- + +Content-language: sv +Content-type: text/html; charset=UTF-8 +Body:----------sv-- + + + + metoden är inte tillåten för den förfrågade + adressen. + + +----------sv-- + +Content-language: tr +Content-type: text/html; charset=UTF-8 +Body:----------tr-- + + + + yöntemi istediğiniz URL için kullanılamaz. + + +----------tr-- diff --git a/apache/files/error-pages/HTTP_NOT_FOUND.html.var b/apache/files/error-pages/HTTP_NOT_FOUND.html.var new file mode 100644 index 00000000..442f4968 --- /dev/null +++ b/apache/files/error-pages/HTTP_NOT_FOUND.html.var @@ -0,0 +1,464 @@ +Content-language: cs +Content-type: text/html; charset=UTF-8 +Body:----------cs-- + + + Požadované URL nebylo na tomto serveru nalezeno. + + + + Zdá se, že odkaz na + ">odkazující + stránce je chybný nebo zastaralý. Informujte, prosím, autora + ">této stránky + o chybě. + + + + Pokud jste zadal(a) URL ručně, zkontrolujte, prosím, + zda jste zadal(a) URL správně, a zkuste to znovu. + + + + +----------cs-- + +Content-language: de +Content-type: text/html; charset=UTF-8 +Body:----------de-- + + + Der angeforderte URL konnte auf dem Server nicht gefunden werden. + + + + Der Link auf der + ">verweisenden + Seite scheint falsch oder nicht mehr aktuell zu sein. + Bitte informieren Sie den Autor + ">dieser Seite + über den Fehler. + + + + Sofern Sie den URL manuell eingegeben haben, + überprüfen Sie bitte die Schreibweise und versuchen Sie es erneut. + + + + +----------de-- + +Content-language: en +Content-type: text/html; charset=UTF-8 +Body:----------en-- + + + The requested URL was not found on this server. + + + + The link on the + ">referring + page seems to be wrong or outdated. Please inform the author of + ">that page + about the error. + + + + If you entered the URL manually please check your + spelling and try again. + + + + +----------en-- + +Content-language: es +Content-type: text/html +Body:----------es-- + + + + No se ha localizado la URL solicitada en este servidor. + + + + La URL de la ">página que le ha remitido + parece ser errónea o estar obsoleta. Por favor, informe del error + al autor de ">esa + página. + + + + Si usted ha introducido la URL manualmente, por favor revise su + ortografía e inténtelo de nuevo. + + + + +----------es-- + +Content-language: fr +Content-type: text/html; charset=UTF-8 +Body:----------fr-- + + + L'URL demandée n'a pas pu être trouvée sur ce serveur. + + + + La référence sur + ">la page + citée + semble être erronée ou perimée. Nous vous prions + d'informer l'auteur de + ">cette page + de cette erreur. + + + + Si vous avez tapé l'URL à la main, veuillez vérifier + l'orthographe et réessayer. + + + + +----------fr-- + +Content-language: ga +Content-type: text/html; charset=UTF-8 +Body:----------ga-- + + + Níor aimsigh an URL iarraithe ar an fhreastalaí seo. + + + + Is cosúil go bhfuil an nasc ar an + ">leathanach + thagarthach mícheart nó as dáta. + Cur in iúl d'úadar + " + >an leathanach sin go bhfuil earráid ann, le do thoil. + + + + Má chuir tú isteach an URL tú féin, deimhnigh + go bhfuil sé litrithe i gceart agat, agus déan iarracht eile + le do thoil. + + + + +----------ga-- + +Content-language: it +Content-type: text/html; charset=UTF-8 +Body:----------it-- + + + L'URL richiesto non esiste su questo server. + + + + Il link della + ">pagina da cui + sei arrivato potrebbe essere errato o non essere più valido. + Per favore, informa dell'errore l'autore della + ">pagina. + + + + Se hai scritto l'URL a mano, per favore controlla che + non ci siano errori. + + + + +----------it-- + +Content-language: ja +Content-type: text/html; charset=UTF-8 +Body:----------ja-- + + + 要求された URL は本サーバでは見つかりませんでした。 + + + + "> + 参照元ページのリンクが間違っているか、古くなってしまっているようです。 + " + >ページの著者にこのエラーをお知らせ下さい。 + + + + もし手入力で URL を入力した場合は、綴りを確認して再度お試し下さい。 + + + + +----------ja-- + +Content-language: ko +Content-type: text/html; charset=UTF-8 +Body:----------ko-- + + + 요청한 URL을 이 서버에서 찾을 수 없습니다. + + + + ">이전 + 페이지에 있는 링크가 잘못되었거나 오래되어 없어진 것 같습니다. + ">그 페이지를 + 만든이에게 이 사실을 알려주시기 바랍니다. + + + + URL을 직접 입력하셨다면 바르게 입력하셨는지 확인하시고 다시 시도하시기 + 바랍니다. + + + + +----------ko-- + +Content-language: nl +Content-type: text/html; charset=UTF-8 +Body:----------nl-- + + + De gevraagde URL was niet gevonden op deze server. + + + + De link op + ">deze pagina + pagina is verkeerd of achterhaald. Gelieve de auteur van + ">die pagina + in te lichten over deze fout. + + + + Indien u de URL manueel hebt ingevuld, gelieve uw + spelling te controleren en probeer opnieuw. + + + + +----------nl-- + +Content-language: nb +Content-type: text/html; charset=UTF-8 +Body:----------nb-- + + + Den etterspurte adressen finnes ikke på denne serveren. + + + + Lenken på den + ">forrige siden +ser ut til å være feil eller utdatert. Venligst informer forfatteren av + ">siden + om feilen. + + + + Om du skrev inn adressen manuelt, vennligst kontroller stavingen og + forsøk igjen. + + + + +----------nb-- + +Content-language: pl +Content-type: text/html; charset=UTF-8 +Body:----------pl-- + + + Nie znaleziono żądanego URL-a na tym serwerze. + + + + Odnośnik na + ">referującej stronie + wydaje się być nieprawidłowy lub nieaktualny. Poinformuj autora + ">tej strony + o problemie. + + + Jeśli wpisałeś URL-a ręcznie, sprawdź, czy się nie pomyliłeś. + + + + +----------pl-- + +Content-language: pt-br +Content-type: text/html; charset=UTF-8 +Body:-------pt-br-- + + + A URL requisitada não foi encontrada neste servidor. + + + + O link na + ">página + referida parece estar com algum erro ou desatualizado. Por favor informe o + autor ">desta + página sobre o erro. + + + + Se você digitou o endereço (URL) manualmente, + por favor verifique novamente a sintaxe do endereço. + + + + +-------pt-br-- + +Content-language: pt +Content-type: text/html; charset=ISO-8859-1 +Body:----------pt-- + + + O método não + é permitido para o URL pedido. + + +----------pt-- + +Content-language: ro +Content-type: text/html; charset=UTF-8 +Body:----------ro-- + + + URL-ul cerut nu a fost gasit pe acest server. + + + + Link-ul de pe + ">pagina + de unde ati venit pare a fi gresit sau invechit. Va rugam informati autorul + ">acestei pagini + despre eroare. + + + + Daca ati introdus URL-ul manual, va rugam verificati + corectitudinea si incercati din nou. + + + + +----------ro-- + +Content-language: sr +Content-type: text/html; charset=UTF-8 +Body:----------sr-- + + + Захтевани УРЛ није пронађен на овом серверу. + + + + Изгледа да је веза на + ">исходишној + страници погрешна или застарела. Молимо обавестите аутора + ">те странице + о грешци. + + + + Уколико сте УРЛ унели ручно, молимо проверите могуће + грешке и пробајте поново. + + + + +----------sr-- + +Content-language: sv +Content-type: text/html; charset=UTF-8 +Body:----------sv-- + + + Den efterfrågade adressen hittades inte på denna server. + + + + Länken på den + ">tidigare sidan + verkar vara felaktig eller inaktuell. Vänligen informera författaren av + ">sidan + om felet. + + + + Om du skrev in adressen manuellt så kontrollera din stavning och + försök igen. + + + + +----------sv-- + +Content-language: tr +Content-type: text/html; charset=UTF-8 +Body:----------tr-- + + + Talep ettiğiniz URL, sunucu üzerinde bulunmuyor. + + + + ">İstek yapılan sayfa + üzerindeki bağlantı güncel değil. Lütfen ">sayfa yazarını hata hakkında bilgilendirin. + + + + URL'yi elle girdiyseniz, yazdıklarınızı gözden geçirip yeniden deneyin. + + + + +----------tr-- diff --git a/apache/files/error-pages/HTTP_NOT_IMPLEMENTED.html.var b/apache/files/error-pages/HTTP_NOT_IMPLEMENTED.html.var new file mode 100644 index 00000000..8dc2f7d9 --- /dev/null +++ b/apache/files/error-pages/HTTP_NOT_IMPLEMENTED.html.var @@ -0,0 +1,219 @@ +Content-language: cs +Content-type: text/html; charset=UTF-8 +Body:----------cs-- + + + Server nepodporuje akci požadovanou prohlížečem. + + +----------cs-- + +Content-language: de +Content-type: text/html; charset=UTF-8 +Body:----------de-- + + + Die vom Browser angeforderte Aktion wird vom Server + nicht unterstützt. + + +----------de-- + +Content-language: en +Content-type: text/html; charset=UTF-8 +Body:----------en-- + + + The server does not support the action requested by the browser. + + +----------en-- + +Content-language: es +Content-type: text/html +Body:----------es-- + + + + El servidor no soporta la acción + solicitada por el navegador. + + +----------es-- + +Content-language: fr +Content-type: text/html; charset=UTF-8 +Body:----------fr-- + + + Le serveur n'est pas en mesure d'effectuer l'action + demandée par le navigateur. + + +----------fr-- + +Content-language: ga +Content-type: text/html; charset=UTF-8 +Body:----------ga-- + + + Níl tacaíocht ag an fhreastalaí don gníomh + atá á iarraidh ag an mbrabhsálaí. + + +----------ga-- + +Content-language: it +Content-type: text/html; charset=UTF-8 +Body:----------it-- + + + Il server non supporta il tipo di azione richiesta dal browser. + + +----------it-- + +Content-language: ja +Content-type: text/html; charset=UTF-8 +Body:----------ja-- + + + ブラウザの要求したアクションは、サポートしていません。 + + +----------ja-- + +Content-language: ko +Content-type: text/html; charset=UTF-8 +Body:----------ko-- + + + 브라우저가 보낸 요청을 이 서버가 지원하지 않습니다. + + +----------ko-- + +Content-language: nl +Content-type: text/html; charset=UTF-8 +Body:----------nl-- + + + De server ondersteunt de actie, gevraagd door de browser, niet. + + +----------nl-- + +Content-language: nb +Content-type: text/html; charset=UTF-8 +Body:----------nb-- + + + Serveren støtter ikke den handlingen som ønskes utført av + nettleseren. + + +----------nb-- + +Content-language: pl +Content-type: text/html; charset=UTF-8 +Body:----------pl-- + + + Ten serwer nie obsługuje żądania przesłanego przez przeglądarkę. + + +----------pl-- + +Content-language: pt-br +Content-type: text/html; charset=UTF-8 +Body:-------pt-br-- + + + O servidor não suporta a ação requisitada pelo + seu "browser". + + +-------pt-br-- + +Content-language: pt +Content-type: text/html; charset=ISO-8859-1 +Body:----------pt-- + + + O servidor não suporta a acção pedida pelo + browser. + + +----------pt-- + +Content-language: ro +Content-type: text/html; charset=UTF-8 +Body:----------ro-- + + + Serverul nu suporta actiunea ceruta de browser. + + +----------ro-- + +Content-language: sr +Content-type: text/html; charset=UTF-8 +Body:----------sr-- + + + Сервер не подржава акцију коју је читач захтевао. + + +----------sr-- + +Content-language: sv +Content-type: text/html; charset=UTF-8 +Body:----------sv-- + + + Servern stödjer inte den handling som önskades + av webbläsaren. + + +----------sv-- + +Content-language: tr +Content-type: text/html; charset=UTF-8 +Body:----------tr-- + + + Sunucu, tarayıcı tarafından istenen eylemi desteklemiyor. + + +----------tr-- diff --git a/apache/files/error-pages/HTTP_PRECONDITION_FAILED.html.var b/apache/files/error-pages/HTTP_PRECONDITION_FAILED.html.var new file mode 100644 index 00000000..da69e2b6 --- /dev/null +++ b/apache/files/error-pages/HTTP_PRECONDITION_FAILED.html.var @@ -0,0 +1,222 @@ +Content-language: cs +Content-type: text/html; charset=UTF-8 +Body:----------cs-- + + + Vstupní podmínka pro požadavek o zadané URL nesplnila pozitivní + vyhodnocení. + + +----------cs-- + +Content-language: de +Content-type: text/html; charset=UTF-8 +Body:----------de-- + + + Die für den Abruf der angeforderten URL notwendige + Vorbedingung wurde nicht erfüllt. + + +----------de-- + +Content-language: en +Content-type: text/html; charset=UTF-8 +Body:----------en-- + + + The precondition on the request for the URL failed positive evaluation. + + +----------en-- + +Content-language: es +Content-type: text/html +Body:----------es-- + + + + No se ha evaluado positivamente la pre-condición + de la petición para la URL. + + +----------es-- + +Content-language: fr +Content-type: text/html; charset=UTF-8 +Body:----------fr-- + + + La précondition pour l'URL demandé a été + évaluée négativement. + + +----------fr-- + +Content-language: ga +Content-type: text/html; charset=UTF-8 +Body:----------ga-- + + + Theip meastóireacht an réamhchoinníoll + don iarratais den URL. + + +----------ga-- + +Content-language: it +Content-type: text/html; charset=UTF-8 +Body:----------it-- + + + I criteri di precondizione per consentire l'invio dell'URL + richiesto non sono stati soddisfatti. + + +----------it-- + +Content-language: ja +Content-type: text/html; charset=UTF-8 +Body:----------ja-- + + + 指定された URL へのリクエストにおける事前条件が満たされませんでした。 + + +----------ja-- + +Content-language: ko +Content-type: text/html; charset=UTF-8 +Body:----------ko-- + + + 미리 주어진 조건이 만족되지 않아서 URL 요청을 처리할 수 없습니다. + + +----------ko-- + +Content-language: nl +Content-type: text/html; charset=UTF-8 +Body:----------nl-- + + + Een startvoorwaarde werd niet voldaan bij verwerking van de vraag naar de URL. + + +----------nl-- + +Content-language: nb +Content-type: text/html; charset=UTF-8 +Body:----------nb-- + + + Den nødvendige forutsetningen for forespørselen passerte ikke + vurderingen med positivt resultat. + + +----------nb-- + +Content-language: pl +Content-type: text/html; charset=UTF-8 +Body:----------pl-- + + + Warunek wstępny dla URL-a nie został spełniony. + + +----------pl-- + +Content-language: pt-br +Content-type: text/html; charset=UTF-8 +Body:-------pt-br-- + + + A condição necessária para a + requisição da URL foi avaliada como falsa. + + +-------pt-br-- + +Content-language: pt +Content-type: text/html; charset=ISO-8859-1 +Body:----------pt-- + + + A condição necessária ao pedido do URL + foi avaliada com resultado negativo. + + +----------pt-- + +Content-language: ro +Content-type: text/html; charset=UTF-8 +Body:----------ro-- + + + Preconditionarea pentru cererea URL-ului nu a fost evaluata pozitiv. + + +----------ro-- + +Content-language: sr +Content-type: text/html; charset=UTF-8 +Body:----------sr-- + + + Предуслов за захтев УРЛ-а није испуњен. + + +----------sr-- + +Content-language: sv +Content-type: text/html; charset=UTF-8 +Body:----------sv-- + + + Den nödvändiga förutsättningen för + adressförfrågan passerade inte utvärderingen + med acceptabelt resultat. + + +----------sv-- + +Content-language: tr +Content-type: text/html; charset=UTF-8 +Body:----------tr-- + + + URL talebinin önkoşulu olumlanamadı. + + +----------tr-- diff --git a/apache/files/error-pages/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var b/apache/files/error-pages/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var new file mode 100644 index 00000000..20bceff6 --- /dev/null +++ b/apache/files/error-pages/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var @@ -0,0 +1,246 @@ +Content-language: cs +Content-type: text/html; charset=UTF-8 +Body:----------cs-- + + + Metoda + nedovoluje přenos dat nebo objem dat + přesahuje kapacitní limit. + + +----------cs-- + +Content-language: de +Content-type: text/html; charset=UTF-8 +Body:----------de-- + + + Die bei der Anfrage übermittelten Daten sind für + die -Methode + nicht erlaubt oder die Datenmenge hat das Maximum überschritten. + + +----------de-- + +Content-language: en +Content-type: text/html; charset=UTF-8 +Body:----------en-- + + + The + method does not allow the data transmitted, or the data volume + exceeds the capacity limit. + + +----------en-- + +Content-language: es +Content-type: text/html +Body:----------es-- + + + + El método + no permite transmitir la información, o el + volumen de la información excede los límites + de capacidad del mismo. + + +----------es-- + +Content-language: fr +Content-type: text/html; charset=UTF-8 +Body:----------fr-- + + + La méthode + n'autorise pas le transfert de ces données ou bien le volume + des données excède la limite de capacité. + + +----------fr-- + +Content-language: ga +Content-type: text/html; charset=UTF-8 +Body:----------ga-- + + + Ní ligeann an modh an + tarchur sonraíocht tríd, nó tá an méid + sonraíocht breis ar an teoireann cumas. + + +----------ga-- + +Content-language: it +Content-type: text/html; charset=UTF-8 +Body:----------it-- + + + Il metodo + non consente di trasferire dati, oppure la quantità di dati + richiesti è eccessiva. + + +----------it-- + +Content-language: ja +Content-type: text/html; charset=UTF-8 +Body:----------ja-- + + + + メソッドがデータの送信を許可していないか、 + データ量が許容量を超えています。 + + +----------ja-- + +Content-language: ko +Content-type: text/html; charset=UTF-8 +Body:----------ko-- + + + 방식의 + 요청으로는 내용을 보낼 수 없거나, 또는 보내온 내용이 그 방식에서 허용하는 + 최대 길이를 넘었습니다. + + +----------ko-- + +Content-language: nl +Content-type: text/html; charset=UTF-8 +Body:----------nl-- + + + Het type methode laat niet toe + data te versturen of het datavolume is groter dan maximaal toegelaten. + + +----------nl-- + +Content-language: nb +Content-type: text/html; charset=UTF-8 +Body:----------nb-- + + + metoden tillater ikke + de sendte data eller så overskrider datamengenden + kapasitetsbegrensningen. + + +----------nb-- + +Content-language: pl +Content-type: text/html; charset=UTF-8 +Body:----------pl-- + + + Metoda + nie zezwala na typ przesyłanych danych lub rozmiar danych przekracza + ustalony limit. + + +----------pl-- + +Content-language: pt-br +Content-type: text/html; charset=UTF-8 +Body:-------pt-br-- + + + O método + não permite a transmissão dos dados, + ou o volume de dados excede a capacidade limite. + + +-------pt-br-- + +Content-language: pt +Content-type: text/html; charset=ISO-8859-1 +Body:----------pt-- + + + O método + não permite todos os dados que foram transmitidos, + ou o volume de dados excede o limite da capacidade. + + +----------pt-- + +Content-language: ro +Content-type: text/html; charset=UTF-8 +Body:----------ro-- + + + Metoda + nu permite transmiterea datelor, sau volumul de date + depaseste limita capacitatii. + + +----------ro-- + +Content-language: sr +Content-type: text/html; charset=UTF-8 +Body:----------sr-- + + + + метод не дозвољава пренос ових података, или количина података + премашује ограничења могућности. + + +----------sr-- + +Content-language: sv +Content-type: text/html; charset=UTF-8 +Body:----------sv-- + + + metoden tillåter + inte den skickade datan eller så överskrider datavolymen + kapacitetsnivån. + + +----------sv-- + +Content-language: tr +Content-type: text/html; charset=UTF-8 +Body:----------tr-- + + + yöntemi ya veri aktarımına + izin vermiyor ya da veri hacmi işlenemeyecek kadar büyük. + + +----------tr-- diff --git a/apache/files/error-pages/HTTP_REQUEST_TIME_OUT.html.var b/apache/files/error-pages/HTTP_REQUEST_TIME_OUT.html.var new file mode 100644 index 00000000..85004a0e --- /dev/null +++ b/apache/files/error-pages/HTTP_REQUEST_TIME_OUT.html.var @@ -0,0 +1,234 @@ +Content-language: cs +Content-type: text/html; charset=UTF-8 +Body:----------cs-- + + + Server uzavřel síťové spojení, protože prohlížeč + nedokončil požadavek ve stanoveném čase. + + +----------cs-- + +Content-language: de +Content-type: text/html; charset=UTF-8 +Body:----------de-- + + + Der Server konnte nicht mehr länger auf die Beendigung + der Browseranfrage warten; die Netzwerkverbindung wurde + vom Server geschlossen. + + +----------de-- + +Content-language: en +Content-type: text/html; charset=UTF-8 +Body:----------en-- + + + The server closed the network connection because the browser + didn't finish the request within the specified time. + + +----------en-- + +Content-language: es +Content-type: text/html +Body:----------es-- + + + + El servidor ha cerrado la conexión de red + debido a que el navegador no ha finalizado la solicitud + dentro del tiempo permitido. + + +----------es-- + +Content-language: fr +Content-type: text/html; charset=UTF-8 +Body:----------fr-- + + + Le serveur a fermé la connection car le navigateur n'a pas + fini la requête dans le temps spécifié. + + +----------fr-- + +Content-language: ga +Content-type: text/html; charset=UTF-8 +Body:----------ga-- + + + Dún an freastalaí an nasc líonra, + mar níor chríochnaidh an brabhsálaí + leis an iarratais, taobh istigh den am sonraithe. + + +----------ga-- + +Content-language: it +Content-type: text/html; charset=UTF-8 +Body:----------it-- + + + Il server ha chiuso la connessione in quanto è stato + superato il limite di tempo entro il quale il browser avrebbe + dovuto eseguire la richiesta. + + +----------it-- + +Content-language: ja +Content-type: text/html; charset=UTF-8 +Body:----------ja-- + + + ブラウザが指定時間以内にリクエストを完了しなかったので、 + サーバは接続を切りました。 + + +----------ja-- + +Content-language: ko +Content-type: text/html; charset=UTF-8 +Body:----------ko-- + + + 브라우저가 너무 오랫동안 요청을 끝내지 않아서 서버가 네트워크 연결을 + 강제로 끊었습니다. + + +----------ko-- + +Content-language: nl +Content-type: text/html; charset=UTF-8 +Body:----------nl-- + + + De server heeft de netwerkverbinding gesloten omdat de browser + de vraag niet heeft beëindigd binnen een gestelde tijd. + + +----------nl-- + +Content-language: nb +Content-type: text/html; charset=UTF-8 +Body:----------nb-- + + + Serveren stengte forbindelsen fordi nettleseren ikke avsluttet + forespørselen innen tidsgrensen. + + +----------nb-- + +Content-language: pl +Content-type: text/html; charset=UTF-8 +Body:----------pl-- + + + Serwer zamknął połączenie sieciowe, ponieważ przeglądarka + nie zakończyła operacji w przewidywanym czasie. + + +----------pl-- + +Content-language: pt-br +Content-type: text/html; charset=UTF-8 +Body:-------pt-br-- + + + O servidor encerrou a conexão porque o "browser" + não finalizou a requisição dentro + do tempo limite. + + +-------pt-br-- + +Content-language: pt +Content-type: text/html; charset=ISO-8859-1 +Body:----------pt-- + + + O servidor interrompeu a ligação de rede porque o + browser não terminou o pedido dentro do tempo limite. + + +----------pt-- + +Content-language: ro +Content-type: text/html; charset=UTF-8 +Body:----------ro-- + + + Serverul a terminat conexiunea cu browserul pentru ca acesta + nu a terminat cererea in limita timpului specificat. + + +----------ro-- + +Content-language: sr +Content-type: text/html; charset=UTF-8 +Body:----------sr-- + + + Сервер је прекинуо везу са мрежом јер читач + није завршио захтев за дозвољено време. + + +----------sr-- + +Content-language: sv +Content-type: text/html; charset=UTF-8 +Body:----------sv-- + + + Servern stängde förbindelsen därför att + webbläsaren inte avslutade förfrågan inom + förbestämd tid. + + +----------sv-- + +Content-language: tr +Content-type: text/html; charset=UTF-8 +Body:----------tr-- + + + Tarayıcı isteği zamanında tamamlayamadığından sunucu ağ bağlantısını kapattı. + + +----------tr-- diff --git a/apache/files/error-pages/HTTP_REQUEST_URI_TOO_LARGE.html.var b/apache/files/error-pages/HTTP_REQUEST_URI_TOO_LARGE.html.var new file mode 100644 index 00000000..4831c472 --- /dev/null +++ b/apache/files/error-pages/HTTP_REQUEST_URI_TOO_LARGE.html.var @@ -0,0 +1,235 @@ +Content-language: cs +Content-type: text/html; charset=UTF-8 +Body:----------cs-- + + + Délka požadovaného URL přesahuje kapacitní limit tohoto + serveru. Požadavek nemůže být zpracován. + + +----------cs-- + +Content-language: de +Content-type: text/html; charset=UTF-8 +Body:----------de-- + + + Der bei der Anfrage übermittelte URI überschreitet + die maximale Länge. + Die Anfrage kann nicht ausgeführt werden. + + +----------de-- + +Content-language: en +Content-type: text/html; charset=UTF-8 +Body:----------en-- + + + The length of the requested URL exceeds the capacity limit for + this server. The request cannot be processed. + + +----------en-- + +Content-language: es +Content-type: text/html +Body:----------es-- + + + + La longitud de la URL solicitada excede el límite de + capacidad para este servidor. No se puede procesar la solicitud. + + +----------es-- + +Content-language: fr +Content-type: text/html; charset=UTF-8 +Body:----------fr-- + + + La longueur de l'URL demandée excède la limite de + capacitè pour ce serveur. Nous ne pouvons donner suite + à votre requête. + + +----------fr-- + +Content-language: ga +Content-type: text/html; charset=UTF-8 +Body:----------ga-- + + + Tá faid an URL iarraithe breis ar an teorainn cumas don + freastalaí seo. Ní féidir an iarratas a + phróiseáil. + + +----------ga-- + +Content-language: it +Content-type: text/html; charset=UTF-8 +Body:----------it-- + + + La lunghezza dell'indirizzo (URL) trasmesso supera il + limite massimo imposto da questo server. + La richiesta non può essere soddisfatta. + + +----------it-- + +Content-language: ja +Content-type: text/html; charset=UTF-8 +Body:----------ja-- + + + リクエストの URL の長さが、扱える長さを超えています。 + リクエストの処理を続けられません。 + + +----------ja-- + +Content-language: ko +Content-type: text/html; charset=UTF-8 +Body:----------ko-- + + + 요청한 URL이 너무 길어서 이 서버가 처리할 수 없습니다. + + +----------ko-- + +Content-language: nl +Content-type: text/html; charset=UTF-8 +Body:----------nl-- + + + De lengte van de aangeboden URL overschreidt het maximum + voor deze server. De vraag kan niet verwerkt worden. + + +----------nl-- + +Content-language: nb +Content-type: text/html; charset=UTF-8 +Body:----------nb-- + + + Lengden på adressen som etterspurtes overskrider + kapasitetsgrensen for denne serveren. Forespørselen kan + ikke prosesseres. + + +----------nb-- + +Content-language: pl +Content-type: text/html; charset=UTF-8 +Body:----------pl-- + + + Długość żądanego URL-a przekracza limit ustanowiony dla tego + serwera. Żądanie nie może zostać zrealizowane. + + +----------pl-- + +Content-language: pt-br +Content-type: text/html; charset=UTF-8 +Body:-------pt-br-- + + + O tamanho do endereço (URL) excede a capacidade limite + desse servidor. A requisição não pode ser + processada. + + +-------pt-br-- + +Content-language: pt +Content-type: text/html; charset=ISO-8859-1 +Body:----------pt-- + + + O tamanho do URL pedido excede o limite da capacidade deste + servidor. O pedido não pode ser processado. + + +----------pt-- + +Content-language: ro +Content-type: text/html; charset=UTF-8 +Body:----------ro-- + + + Lungimea URL-ului cerut depaseste limita capacitatii pentru + acest server. Cererea nu poate fi procesata. + + +----------ro-- + +Content-language: sr +Content-type: text/html; charset=UTF-8 +Body:----------sr-- + + + Дужина захтеваног УРЛ-а премашује ограничења могућности + овог сервера. Захтев не може бити обрађен. + + +----------sr-- + +Content-language: sv +Content-type: text/html; charset=UTF-8 +Body:----------sv-- + + + Längden på adressen som efterfrågas överskrider + kapacitetsgränsen för denna server. Förfrågan kan + inte verkställas. + + +----------sv-- + +Content-language: tr +Content-type: text/html; charset=UTF-8 +Body:----------tr-- + + + Talep edilen URI'nin uzunluğu, sunucunun sınırlarını + aştığından istek yerine getirilemiyor. + + +----------tr-- diff --git a/apache/files/error-pages/HTTP_SERVICE_UNAVAILABLE.html.var b/apache/files/error-pages/HTTP_SERVICE_UNAVAILABLE.html.var new file mode 100644 index 00000000..e5905ebb --- /dev/null +++ b/apache/files/error-pages/HTTP_SERVICE_UNAVAILABLE.html.var @@ -0,0 +1,250 @@ +Content-language: cs +Content-type: text/html; charset=UTF-8 +Body:----------cs-- + + + Server dočasně nemůže zpracovat Váš požadavek + kvůli údržbě nebo kapacitním problémům. + Zkuste to, prosím, později. + + +----------cs-- + +Content-language: de +Content-type: text/html; charset=UTF-8 +Body:----------de-- + + + Der Server ist derzeit nicht in der Lage die Anfrage + zu bearbeiten. Entweder ist der Server derzeit überlastet + oder wegen Wartungsarbeiten nicht verfügbar. + Bitte versuchen Sie es später wieder. + + +----------de-- + +Content-language: en +Content-type: text/html; charset=UTF-8 +Body:----------en-- + + + The server is temporarily unable to service your + request due to maintenance downtime or capacity + problems. Please try again later. + + +----------en-- + +Content-language: es +Content-type: text/html +Body:----------es-- + + + + El servidor no puede procesar su solicitud en este momento + debido a tareas de mantenimiento o a problemas de capacidad. + Por favor, inténtelo de nuevo más tarde. + + +----------es-- + +Content-language: fr +Content-type: text/html; charset=UTF-8 +Body:----------fr-- + + + En raison de travaux de maintenance ou de problèmes + de capacité le serveur n'est pas en mesure de répondre + à votre requête pour l'instant. Veuillez réessayer + plus tard. + + +----------fr-- + +Content-language: ga +Content-type: text/html; charset=UTF-8 +Body:----------ga-- + + + Níl an freastalaí seo in ann do chuid + iarratais a líonadh ag an am seo, toisc + cóthábháil nó fhaidhbeanna cumas. + Déan iarracht eile níos déanaí, le do thoil. + +----------ga-- + +Content-language: it +Content-type: text/html; charset=UTF-8 +Body:----------it-- + + + Il server in questo momento non è in grado di + soddisfare la richiesta per motivi di manutenzione + o di sovraccarico del sistema. + Per favore, riprova più tardi. + + +----------it-- + +Content-language: ja +Content-type: text/html; charset=UTF-8 +Body:----------ja-- + + + メンテナンスで停止中か、サーバの処理能力の問題のため、 + 現在リクエストに応じることができません。 + 後ほど再度お試し下さい。 + + +----------ja-- + +Content-language: ko +Content-type: text/html; charset=UTF-8 +Body:----------ko-- + + + 관리 작업이나 용량 문제로 서버가 잠시동안 요청을 처리할 수 없습니다. + 나중에 다시 시도해주시기 바랍니다. + + +----------ko-- + +Content-language: nl +Content-type: text/html; charset=UTF-8 +Body:----------nl-- + + + De server kan tijdelijk uw vraag niet verwerken + door onderhoud of problemen met de capaciteit van de server. + Gelieve later nog eens opnieuw te proberen. + + +----------nl-- + +Content-language: nb +Content-type: text/html; charset=UTF-8 +Body:----------nb-- + + + Serveren er midlertidig ikke i stand til å utføre din + forespørsel. Vennligst prøv igjen senere. + + +----------nb-- + +Content-language: pl +Content-type: text/html; charset=UTF-8 +Body:----------pl-- + + + Serwer nie może zrealizować twojego żądania + ze względu na konserwację lub zbyt duże obciążenie. + Prosimy spróbować później. + + +----------pl-- + +Content-language: pt-br +Content-type: text/html; charset=UTF-8 +Body:-------pt-br-- + + + O servidor está temporariamente fora de serviço + para manutanção ou devido a problemas de capacidade. + Por favor tente acessar mais tarde. + + +-------pt-br-- + +Content-language: pt +Content-type: text/html; charset=ISO-8859-1 +Body:----------pt-- + + + O servidor está temporáriamente incapaz de servir + o seu pedido devido a uma interrupção para + manutenção ou problemas de capacidade. Por favor + tente de novo mais tarde. + + +----------pt-- + +Content-language: ro +Content-type: text/html; charset=UTF-8 +Body:----------ro-- + + + Serverul nu poate, temporar, sa raspunda cererii + dumneavoastra datorita intretinerii acestuia sau a + unor probleme de capacitate. Va rugam incercati mai tarziu. + + +----------ro-- + +Content-language: sr +Content-type: text/html; charset=UTF-8 +Body:----------sr-- + + + Сервер тренутно није у могућности да услужи ваш + захтев пошто је затворен због одржавања или има недовољан + капацитет. Молимо покушајте поново касније. + + +----------sr-- + +Content-language: sv +Content-type: text/html; charset=UTF-8 +Body:----------sv-- + + + Servern är för tillfället oförmögen att + utföra din förfrågan på grund av underhåll + eller kapacitetsbegränsningar. Vänligen försök + igen senare. + + +----------sv-- + +Content-language: tr +Content-type: text/html; charset=UTF-8 +Body:----------tr-- + + + Sunucu, bakım gerektiren çeşitli sorunlardan ötürü, + bir süreliğine taleplerinize yanıt veremiyor. + Lütfen daha sonra tekrar deneyin. + + +----------tr-- diff --git a/apache/files/error-pages/HTTP_UNAUTHORIZED.html.var b/apache/files/error-pages/HTTP_UNAUTHORIZED.html.var new file mode 100644 index 00000000..2a8994f0 --- /dev/null +++ b/apache/files/error-pages/HTTP_UNAUTHORIZED.html.var @@ -0,0 +1,370 @@ +Content-language: cs +Content-type: text/html; charset=UTF-8 +Body:----------cs-- + + + Server nemohl ověřit, že jste autorizován(a) k přístupu + k URL "". + Buď jste dodal(a) neplatné pověření (např. chybné heslo) nebo Váš + prohlížeč neumí dodat požadované ověření. + + + + V případě, že smíte požadovat tento dokument, zkontrolujte, prosím, + Vaši uživatelskou identifikaci a heslo a zkuste to znovu. + + +----------cs-- + +Content-language: de +Content-type: text/html; charset=UTF-8 +Body:----------de-- + + + Der Server konnte nicht verifizieren, ob Sie autorisiert sind, + auf den URL "" zuzugreifen. + Entweder wurden falsche Referenzen (z.B. ein falsches Passwort) + angegeben oder ihr Browser versteht nicht, wie die geforderten + Referenzen zu übermitteln sind. + + + + Sofern Sie für den Zugriff berechtigt sind, überprüfen + Sie bitte die eingegebene User-ID und das Passwort und versuchen Sie + es erneut. + + +----------de-- + +Content-language: en +Content-type: text/html; charset=UTF-8 +Body:----------en-- + + + This server could not verify that you are authorized to access + the URL "". + You either supplied the wrong credentials (e.g., bad password), or your + browser doesn't understand how to supply the credentials required. + + + + In case you are allowed to request the document, please + check your user-id and password and try again. + + +----------en-- + +Content-language: es +Content-type: text/html +Body:----------es-- + + + + El servidor no puede certificar que usted esté autorizado + para acceder a la URL "". + Ha podido suministrar información incorrecta (ej. + contraseña no válida) o el navegador no sabe + cómo suministrar la información requerida. + + + + En caso de que usted tenga permiso para acceder al documento, + por favor verifique su nombre de usuario y contraseña y + vuélvalo a intentar. + + +----------es-- + +Content-language: fr +Content-type: text/html; charset=UTF-8 +Body:----------fr-- + + + Ce server n'a pas été en mesure de vérifier que + vous êtes autorisé à accéder à cette + URL "". + + Vous avez ou bien fourni des coordonnées erronées + (p.ex. mot de passe inexact) ou bien votre navigateur ne parvient + pas à fournir les données exactes. + + + + Si vous êtes autorisé à requérir le document, + veuillez vérifier votre nom d'utilisateur et votre mot de passe + et réessayer. + + +----------fr-- + +Content-language: ga +Content-type: text/html; charset=UTF-8 +Body:----------ga-- + + + Níorbh fhéidir leis an freastalaí a dheimhniú + go bhfuil an údaráis agat rochtain a dheanamh ar an URL + "". Is féidir go + soláthair tú faisnéis mícheart (m.s., + pasfhocail mícheart), nó nach dtuigeann do chuid + brabhsálaí conas an faisnéis is gá a + soláthair i gceart. + + + + Más é gur ceart go mbhéadh cead agat iarratais a + dheanamh don doiciméid, deimhnigh go bhfuil do chuid ainm + úsáideora agus pasfhocal i gceart, agus dean iarracht eile, + le do thoil. + + +----------ga-- + +Content-language: it +Content-type: text/html; charset=UTF-8 +Body:----------it-- + + + Questo server non può verificare l'autorizzazione + all'accesso a "". + Questo errore potrebbe essere causato da credenziali errate + (nome utente o password errata) oppure da un browser che non + riesce a comunicare il nome utente e la password in modo corretto. + + + + Nel caso in cui ritieni di aver diritto ad accedere al documento, + controlla il nome utente e la password forniti e riprova. + + +----------it-- + +Content-language: ja +Content-type: text/html; charset=UTF-8 +Body:----------ja-- + + + URL "" + へのアクセス権限があることを確認できませんでした。 + 間違った資格情報 (例えば、誤ったパスワード) を入力したか、 + ブラウザが必要な資格情報を送信する方法を理解していないかです。 + + + + ドキュメントを要求できる筈である場合は、 + ユーザ ID とパスワードを再確認して下さい。 + + +----------ja-- + +Content-language: ko +Content-type: text/html; charset=UTF-8 +Body:----------ko-- + + + 이 서버가 "" URL을 + 접근할 수 있는 권한이 있는지 확인하지 못했습니다. + 잘못된 인증 정보(가령, 잘못된 암호)를 보냈거나 아니면 + 사용하시는 브라우저가 필요한 인증 정보를 어떻게 보내는지 모르는 것입니다. + + + + 이 문서를 사용할 수 있도록 허가를 받았는데도 이런다면, + 사용자 ID와 암호를 확인하시고 다시 시도하시기 바랍니다. + + +----------ko-- + +Content-language: nl +Content-type: text/html; charset=UTF-8 +Body:----------nl-- + + + De server kon niet controleren of u gemachtigd bent om toegang te krijgen + tot de URL "". + U hebt zich onvoldoende geauthenticeerd ( vb : verkeerd paswoord ), of + uw browser is niet in staat de nodige authentificatiegegevens door te geven. + + + + Indien u toch gemachtigd bent toegang te krijgen tot het document, + controleer uw gebruikersnaam en paswoord en probeer opnieuw. + + +----------nl-- + +Content-language: nb +Content-type: text/html; charset=UTF-8 +Body:----------nb-- + + + Serveren kunne ikke verifisere at du har tillatelse til å besøke + adressen "". Enten + oppga du feil opplysninger (f.eks. feil passord) eller så støtter + ikke din nettleser dette autentiseringsystemet. + + + + Om du har tillatelse til å besøke siden, vennligst kontroler ditt + brukernavn og passord og forsøk igjen. + + +----------nb-- + + +Content-language: pl +Content-type: text/html; charset=UTF-8 +Body:----------pl-- + + + Serwer nie może zweryfikować, że masz uprawnienia dostępu do + URL-a "". + Nie podałeś prawidłowych danych autoryzacyjnych (np. hasła) + lub twoja przeglądarka nie potrafi ich przesłać. + + + + Jeśli masz prawo dostępu do żądanego dokumentu, sprawdź + podaną nazwę użytkownika i hasło. + + +----------pl-- + +Content-language: pt-br +Content-type: text/html; charset=UTF-8 +Body:-------pt-br-- + + + Este servidor não pode autorizar o seu acesso à URL + "". + Você deve ter fornecido dados incorretos (ex. senha errada), ou o seu + "browser" não fornece as credenciais necessárias. + + + + No caso de você realmente possuir permissão para este documento, + por favor checar seu login e sua senha e tentar novamente. + + +-------pt-br-- + +Content-language: pt +Content-type: text/html; charset=ISO-8859-1 +Body:----------pt-- + + + Este servidor não conseguiu validar a sua autoridade para aceder + ao URL "". + Ou forneceu as credenciais erradas (e.g.: senha incorrecta) + ou o seu browser não sabe como fornecer as credenciais + necessárias. + + + + Caso lhe seja permitido aceder ao documento, por favor verifique o + seu nome de utilizador e senha e tente de novo. + + +----------pt-- + +Content-language: ro +Content-type: text/html; charset=UTF-8 +Body:----------ro-- + + + Acest server nu a putut verifica daca sunteti autorizat sa accesati + URL-ul "". + Ati furnizat parametrii de acreditare gresiti (ex: parola gresita), sau browserul + dumneavoastra nu poate furniza aceste detalii de acreditare. + + + + In cazul in care nu va este permis sa cereti un document, va rugam + sa va verificati numele de utilizator si parola si sa incercati din nou. + + +----------ro-- + +Content-language: sr +Content-type: text/html; charset=UTF-8 +Body:----------sr-- + + + Овај сервер није могао да потврди да сте овлашћени да приступите + УРЛ-у "". + Могуће је или да сте навели погрешне личне податке (нпр. нетачну лозинку), или да + ваш читач не разуме како да пошаље захтеване личне податке. + + + + Уколико вам је дозвољено да преузимате документ, молимо да + проверите своје корисничко име и лозинку и пробате поново. + + +----------sr-- + +Content-language: sv +Content-type: text/html; charset=UTF-8 +Body:----------sv-- + + + Servern kunde inte verifiera att du har tillåtelse att besöka + adressen "". + Antingen angav du felaktiga uppgifter (ex. fel lösenord) eller så + stödjer inte din webbläsare detta autentiseringssätt. + + + + Om du har tillåtelse att besöka sidan, vänligen kontrollera ditt + användarnamn samt lösenord och försök igen. + + +----------sv-- + +Content-language: tr +Content-type: text/html; charset=UTF-8 +Body:----------tr-- + + + Sunucu "" adresine erişim + izninizi doğrulayamadı. Ya sağladığınız kanıtlar yanlış (yanlış parola gibi) + ya da tarayıcınız bu kanıtların nasıl sağlanacağını bilmiyor. + + + + Eğer erişim izniniz olduğuna eminseniz, lütfen kullanıcı adınızı + ve parolanızı gözden geçirip yeniden deneyin. + + +----------tr-- diff --git a/apache/files/error-pages/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var b/apache/files/error-pages/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var new file mode 100644 index 00000000..44094cde --- /dev/null +++ b/apache/files/error-pages/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var @@ -0,0 +1,217 @@ +Content-language: cs +Content-type: text/html; charset=UTF-8 +Body:----------cs-- + + + Server nepodporuje typ prostředku (media) přeneseného v požadavku. + + +----------cs-- + +Content-language: de +Content-type: text/html; charset=UTF-8 +Body:----------de-- + + + Das bei der Anfrage übermittelte Format (Media Type) + wird vom Server nicht unterstützt. + + +----------de-- + +Content-language: en +Content-type: text/html; charset=UTF-8 +Body:----------en-- + + + The server does not support the media type transmitted in the request. + + +----------en-- + +Content-language: es +Content-type: text/html +Body:----------es-- + + + + El servidor no soporta el tipo + de medio transmitido en la solicitud. + + +----------es-- + +Content-language: fr +Content-type: text/html; charset=UTF-8 +Body:----------fr-- + + + Le serveur ne supporte pas le type de média utilisé + dans votre requête. + + +----------fr-- + +Content-language: ga +Content-type: text/html; charset=UTF-8 +Body:----------ga-- + + + Ní tachaíonn an fhreastalaí an cineáil + meán a sheoladh san iarratais. + + +----------ga-- + +Content-language: it +Content-type: text/html; charset=UTF-8 +Body:----------it-- + + + Il server non è in grado di gestire il + tipo del formato dei dati trasmesso nella richiesta. + + +----------it-- + +Content-language: ja +Content-type: text/html; charset=UTF-8 +Body:----------ja-- + + + リクエストで指定されたメディアタイプはサポートされていません。 + + +----------ja-- + +Content-language: ko +Content-type: text/html; charset=UTF-8 +Body:----------ko-- + + + 요청으로 보내온 미디어 형식을 이 서버가 지원하지 않습니다. + + +----------ko-- + +Content-language: nl +Content-type: text/html; charset=UTF-8 +Body:----------nl-- + + + De server ondersteunt het gevraagde formaat ( media type ) niet. + + +----------nl-- + +Content-language: nb +Content-type: text/html; charset=UTF-8 +Body:----------nb-- + + + Serveren støtter ikke den mediatypen som ble forespurt. + + +----------nb-- + +Content-language: pl +Content-type: text/html; charset=UTF-8 +Body:----------pl-- + + + Serwer nie zna typu danych przesłanych w żądaniu. + + +----------pl-- + +Content-language: pt-br +Content-type: text/html; charset=UTF-8 +Body:-------pt-br-- + + + O servidor não suporta o tipo de mídia + transmitida nesta requisição. + + +-------pt-br-- + +Content-language: pt +Content-type: text/html; charset=ISO-8859-1 +Body:----------pt-- + + + O servidor não suporta o media type transmitido no pedido. + + +----------pt-- + +Content-language: ro +Content-type: text/html; charset=UTF-8 +Body:----------ro-- + + + Serverul nu suporta tipul de date trimise in cerere. + + +----------ro-- + +Content-language: sr +Content-type: text/html; charset=UTF-8 +Body:----------sr-- + + + Сервер не подржава врсту медија пренесену у захтеву. + + +----------sr-- + +Content-language: sv +Content-type: text/html; charset=UTF-8 +Body:----------sv-- + + + Servern stödjer inte den mediatyp som skickats i förfrågan. + + +----------sv-- + +Content-language: tr +Content-type: text/html; charset=UTF-8 +Body:----------tr-- + + + Sunucu, istekte belirtilen ortam türünü desteklemiyor. + + +----------tr-- diff --git a/apache/files/error-pages/HTTP_VARIANT_ALSO_VARIES.html.var b/apache/files/error-pages/HTTP_VARIANT_ALSO_VARIES.html.var new file mode 100644 index 00000000..ba9609c6 --- /dev/null +++ b/apache/files/error-pages/HTTP_VARIANT_ALSO_VARIES.html.var @@ -0,0 +1,242 @@ +Content-language: cs +Content-type: text/html; charset=UTF-8 +Body:----------cs-- + + + Varianta požadované entity má sama více variant. Přístup není možný. + + +----------cs-- + +Content-language: de +Content-type: text/html; charset=UTF-8 +Body:----------de-- + + + Ein Zugriff auf das angeforderte Objekt bzw. einer + Variante dieses Objektes ist nicht möglich, da es ebenfalls + ein variables Objekt darstellt. + + +----------de-- + +Content-language: en +Content-type: text/html; charset=UTF-8 +Body:----------en-- + + + A variant for the requested entity + is itself a negotiable resource. + Access not possible. + + +----------en-- + +Content-language: es +Content-type: text/html +Body:----------es-- + + + + Una variante de la entidad solicitada es por si misma + un recurso negociable. + No es posible tener acceso a la entidad. + + +----------es-- + +Content-language: fr +Content-type: text/html; charset=UTF-8 +Body:----------fr-- + + + Une variante pour l'entité demandée + est elle-même une ressource négociable. + L'accès est impossible. + + +----------fr-- + +Content-language: ga +Content-type: text/html; charset=UTF-8 +Body:----------ga-- + + + Is é ceann de na athraithaí + don aonán iarraithe acmhainn + intráchta féin. + Rochtain dodhéanta. + + +----------ga-- + +Content-language: it +Content-type: text/html; charset=UTF-8 +Body:----------it-- + + + Non è possibile accedere all'entità + richiesta perché è essa stessa + una risorsa negoziabile. + + +----------it-- + +Content-language: ja +Content-type: text/html; charset=UTF-8 +Body:----------ja-- + + + リクエストされたものの variant + はそれ自体もまた、ネゴシエーション可能なリソースです。 + アクセスできませんでした。 + + +----------ja-- + +Content-language: ko +Content-type: text/html; charset=UTF-8 +Body:----------ko-- + + + 요청한 객체의 형태 또한 여러 형태를 가지고 있어서 + 접근이 불가능합니다. + + +----------ko-- + +Content-language: nl +Content-type: text/html; charset=UTF-8 +Body:----------nl-- + + + Een variant van het gevraagde object + is op zich ook een te onderhandelen variant. + Toegang is niet mogelijk. + + +----------nl-- + +Content-language: nb +Content-type: text/html; charset=UTF-8 +Body:----------nb-- + + + En variant av den forespurte enheten er i seg selv en forhandelbar + ressurs. Tilgang ikke mulig. + + +----------nb-- + +Content-language: pl +Content-type: text/html; charset=UTF-8 +Body:----------pl-- + + + Wariant żądanego zasobu jest również zasobem negocjowalnym. + Dostęp jest niemożliwy. + + +----------pl-- + +Content-language: pt-br +Content-type: text/html; charset=UTF-8 +Body:-------pt-br-- + + + Uma variante da entidade de requisição + é por si mesma um recurso negociável. + Acesso não é possível. + + +-------pt-br-- + +Content-language: pt +Content-type: text/html; charset=ISO-8859-1 +Body:----------pt-- + + + A variante relativa à entidade pedida é ela mesma + um recurso negociável. Não é possível + ter acesso. + + +----------pt-- + +Content-language: ro +Content-type: text/html; charset=UTF-8 +Body:----------ro-- + + + O varianta pentru entitatea ceruta + este ea insasi o resursa negociabila. + Accesul nu este posibil. + + +----------ro-- + +Content-language: sr +Content-type: text/html; charset=UTF-8 +Body:----------sr-- + + + Варијанта захтеваног ентитета + је и сама ресурс који постоји у више варијанти. + Приступ није могућ. + + +----------sr-- + +Content-language: sv +Content-type: text/html; charset=UTF-8 +Body:----------sv-- + + + En variant av den förfrågade enheten är i + sig själv en giltig resurs. Åtkomst är inte + möjlig. + + +----------sv-- + +Content-language: tr +Content-type: text/html; charset=UTF-8 +Body:----------tr-- + + + İstenen gösterim çeşidinin kendisi zaten kendi içinde uzlaşımlı. + Erişim mümkün değil. + + +----------tr-- diff --git a/apache/files/error-pages/README b/apache/files/error-pages/README new file mode 100644 index 00000000..b660d07e --- /dev/null +++ b/apache/files/error-pages/README @@ -0,0 +1,38 @@ + + Multi Language Custom Error Documents + ------------------------------------- + + The 'error' directory contains HTTP error messages in multiple languages. + If the preferred language of a client is available it is selected + automatically via the MultiViews feature. This feature is enabled + by default via the Options, Language and ErrorDocument directives. + + You may configure the design and markup of the documents by modifying + the HTML files in the directory 'error/include'. + + Supported Languages: + + +-----------------------+------------------------------------------+ + | Language | Contributed by | + +-----------------------+------------------------------------------+ + | Brazilian (pt-br) | Ricardo Leite | + | Czech (cs) | Marcel Kolaja | + | Dutch (nl) | Peter Van Biesen | + | English (en) | Lars Eilebrecht | + | French (fr) | Cecile de Crecy | + | German (de) | Lars Eilebrecht | + | Italian (it) | Luigi Rosa | + | Japanese (ja) | TAKAHASHI Makoto | + | Korean (ko) | Jaeho Shin | + | Norwegian Bokmål (nb) | Tom Fredrik Klaussen | + | Polish (pl) | Tomasz Kepczynski | + | Romanian (ro) | Andrei Besleaga | + | Serbian (sr) | Nikola Smolenski | + | Spanish (es) | Karla Quintero | + | Swedish (sv) | Thomas Sjögren | + | Turkish (tr) | Emre Sokullu & Nilgün Belma Bugüner | + | Irish (ga) | Noirin Shirley | + +-----------------------+------------------------------------------+ + (Please see http://httpd.apache.org/docs-project/ if you would + like to contribute the pages in an additional language.) + diff --git a/apache/files/error-pages/contact.html.var b/apache/files/error-pages/contact.html.var new file mode 100644 index 00000000..62044cf0 --- /dev/null +++ b/apache/files/error-pages/contact.html.var @@ -0,0 +1,127 @@ +Content-language: cs +Content-type: text/html; charset=UTF-8 +Body:----------cs-- +Pokud si myslíte, že toto je chyba serveru, kontaktujte, prosím, +">webmastera. +----------cs-- + +Content-language: de +Content-type: text/html; charset=UTF-8 +Body:----------de-- +Sofern Sie dies für eine Fehlfunktion des Servers halten, +informieren Sie bitte den +">Webmaster +hierüber. +----------de-- + +Content-language: en +Content-type: text/html; charset=UTF-8 +Body:----------en-- +If you think this is a server error, please contact +the ">webmaster. +----------en-- + +Content-language: es +Content-type: text/html +Body:----------es-- +Si usted cree que esto es un error del servidor, por favor comuníqueselo al +">administrador +del portal. +----------es-- + +Content-language: fr +Content-type: text/html; charset=UTF-8 +Body:----------fr-- +Si vous pensez qu'il s'agit d'une erreur du serveur, veuillez contacter le +">webmestre. +----------fr-- + +Content-language: ga +Content-type: text/html; charset=UTF-8 +Body:----------ga-- +Má cheapann tú gur earráid fhreastalaí í seo, +téigh i dteagmháil leis an +"> +stiúrthóir gréasáin, le do thoil. +----------ga-- + +Content-language: it +Content-type: text/html; charset=UTF-8 +Body:----------it-- +Se pensi che questo sia un errore del server, per favore contatta il +">webmaster. +----------it-- + +Content-language: ja +Content-type: text/html; charset=UTF-8 +Body:----------ja-- +サーバーの障害と思われる場合は、" +>ウェブ管理者までご連絡ください。 +----------ja-- + +Content-language: ko +Content-type: text/html; charset=UTF-8 +Body:----------ko-- +만약 이것이 서버 오류라고 생각되면, +">웹 관리자에게 연락하시기 바랍니다. +----------ko-- + +Content-language: nl +Content-type: text/html; charset=UTF-8 +Body:----------nl-- +Indien u van oordeel bent dat deze server in fout is, gelieve +de ">webmaster te contacteren. +----------nl-- + +Content-language: nb +Content-type: text/html; charset=UTF-8 +Body:----------nb-- +Om du tror dette skyldes en serverfeil, venligst kontakt +">webansvarlig. +----------nb-- + +Content-language: pl +Content-type: text/html; charset=UTF-8 +Body:----------pl-- +Jeśli myślisz, że jest to błąd tego serwera, skontaktuj się z +">administratorem. +----------pl-- + +Content-language: pt-br +Content-type: text/html; charset=UTF-8 +Body:-------pt-br-- +Se você acredita ter encontrado um problema no servidor, +por favor entre em contato com o +">webmaster. +-------pt-br-- + +Content-language: ro +Content-type: text/html; charset=UTF-8 +Body:----------ro-- +Va rugam sa il contactati pe +">webmaster +in cazul in care credeti ca aceasta este o eroare a serverului. +----------ro-- + +Content-language: sr +Content-type: text/html; charset=UTF-8 +Body:----------sr-- +Ако мислите да је ово грешка сервера, молимо обавестите +">вебмастера. +----------sr-- + +Content-language: sv +Content-type: text/html; charset=UTF-8 +Body:----------sv-- +Om du tror att detta beror på ett serverfel, vänligen kontakta +">webbansvarig. +----------sv-- + +Content-language: tr +Content-type: text/html; charset=UTF-8 +Body:----------tr-- +Bunun bir sunucu hatası olduğunu düşünüyorsanız, lütfen +">site +yöneticisi ile iletişime geçin. +----------tr-- diff --git a/apache/files/error-pages/include/bottom.html b/apache/files/error-pages/include/bottom.html new file mode 100644 index 00000000..971de02b --- /dev/null +++ b/apache/files/error-pages/include/bottom.html @@ -0,0 +1,12 @@ +

    +

    + +

    + +

    Error

    +
    +
    + +
    + + diff --git a/apache/files/error-pages/include/spacer.html b/apache/files/error-pages/include/spacer.html new file mode 100644 index 00000000..7d5e5953 --- /dev/null +++ b/apache/files/error-pages/include/spacer.html @@ -0,0 +1,2 @@ +

    +

    diff --git a/apache/files/error-pages/include/top.html b/apache/files/error-pages/include/top.html new file mode 100644 index 00000000..ae63020e --- /dev/null +++ b/apache/files/error-pages/include/top.html @@ -0,0 +1,21 @@ + + +" xml:lang=""> + +<!--#echo encoding="none" var="TITLE" --> +" /> + + + + +

    +

    diff --git a/apache/files/evolinux-localized-error-pages.conf b/apache/files/evolinux-localized-error-pages.conf new file mode 100644 index 00000000..0658a03e --- /dev/null +++ b/apache/files/evolinux-localized-error-pages.conf @@ -0,0 +1,35 @@ + + + + + Alias /error/ "/usr/local/share/apache2/error/" + + + Options IncludesNoExec + AddOutputFilter Includes html + AddHandler type-map var + Require all granted + LanguagePriority en fr de es cs it nl sv pt-br ro + ForceLanguagePriority Prefer Fallback + + + ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var + ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var + ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var + ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var + ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var + ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var + ErrorDocument 410 /error/HTTP_GONE.html.var + ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var + ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var + ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var + ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var + ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var + ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var + ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var + ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var + ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var + ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var + + + diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index 230a112e..a6a46eb8 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -71,6 +71,9 @@ - headers - cgi - ssl + - include + - negotiation + - alias tags: - apache @@ -85,6 +88,38 @@ tags: - apache +- name: Copy Apache localized error pages config file + copy: + src: evolinux-localized-error-pages.conf + dest: "/etc/apache2/conf-available/z-evolinux-localized-error-pages.conf" + owner: root + group: root + mode: "0644" + force: yes + tags: + - apache + +- name: Create directory which will contain apache error pages + file: + path: /usr/local/share/apache2/error + mode: u=rwX,g=rX,o=rX + owner: root + group: root + state: directory + tags: + - apache + +- name: Copy apache error pages + copy: + src: error-pages/ + dest: "/usr/local/share/apache2/error/" + directory_mode: u=rwX,g=rX,o=rX + mode: u=rw,g=r,o=r + owner: root + group: root + tags: + - apache + - name: Copy Apache custom config file copy: src: evolinux-custom.conf @@ -113,6 +148,7 @@ changed_when: "'Enabling' in command_result.stderr" with_items: - z-evolinux-defaults.conf + - z-evolinux-localized-error-pages.conf - zzz-evolinux-custom.conf - evolinux-ssl.conf tags: diff --git a/apache/templates/evolinux-default.conf.j2 b/apache/templates/evolinux-default.conf.j2 index 8a5259f5..81bdefc3 100644 --- a/apache/templates/evolinux-default.conf.j2 +++ b/apache/templates/evolinux-default.conf.j2 @@ -44,8 +44,6 @@ Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch - ErrorDocument 403 {{ apache_default_redirect_url }} - CustomLog /var/log/apache2/access.log vhost_combined ErrorLog /var/log/apache2/error.log LogLevel warn From 8981ea42281718ee21ac263c151d8574da6cb7f6 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Tue, 18 Jul 2017 16:48:53 +0200 Subject: [PATCH 075/277] Fix for Debian 9, _apt user need right to apt stuff --- packweb-apache/tasks/main.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/packweb-apache/tasks/main.yml b/packweb-apache/tasks/main.yml index 491ecc46..17e3909c 100644 --- a/packweb-apache/tasks/main.yml +++ b/packweb-apache/tasks/main.yml @@ -82,9 +82,7 @@ - /var/lib/dpkg - /var/log/munin - /var/backups - - /var/cache/apt - /etc/init.d - - /etc/apt - /etc/apache2 - /etc/network - /etc/phpmyadmin From 92f699b84c3e4609a0379ef0e23dce2fba1e727e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beno=C3=AEt=20S=C3=89RIE?= Date: Tue, 18 Jul 2017 17:05:47 +0200 Subject: [PATCH 076/277] A better default vhost for Apache. This is my proposal to a better vhost. I added comments to understand the tricky behavior of Directory directive when using Alias or ScriptAlias. --- apache/templates/evolinux-default.conf.j2 | 51 +++++++++++++++-------- 1 file changed, 34 insertions(+), 17 deletions(-) diff --git a/apache/templates/evolinux-default.conf.j2 b/apache/templates/evolinux-default.conf.j2 index 8a5259f5..2c8f3971 100644 --- a/apache/templates/evolinux-default.conf.j2 +++ b/apache/templates/evolinux-default.conf.j2 @@ -2,10 +2,19 @@ ServerName {{ ansible_fqdn }} ServerAdmin webmaster@localhost + DocumentRoot /var/www/ + RewriteEngine on - RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC] - # RewriteCond %{REQUEST_URI} !^/munin_opcache.php$ [NC] + # Redirect to HTTPS, execpt for munin, because some plugins + # can't handle HTTPS! :( + RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC] [OR] + RewriteCond %{REQUEST_URI} !^/munin_opcache.php$ [NC] RewriteRule ^/(.*) https://{{ ansible_fqdn }}/$1 [L,R=permanent] + + + Require ip 127.0.0.1 + + @@ -17,31 +26,39 @@ SSLEngine on SSLCertificateFile {{ apache_evolinux_default_ssl_cert }} SSLCertificateKeyFile {{ apache_evolinux_default_ssl_key }} - # SSLProtocol all -SSLv2 -SSLv3 + # We override these 2 Directory directives setted in apache2.conf. + # We want no access except from allowed IP address. + + Options -Indexes + Require all denied + Include /etc/apache2/private_ipaddr_whitelist.conf + - Options +Indexes +FollowSymLinks +MultiViews - AllowOverride None - + Options -Indexes + Require all denied Include /etc/apache2/private_ipaddr_whitelist.conf + # Munin. We need to set Directory directive as Alias take precedence. Alias /munin /var/cache/munin/www - - Options +Indexes +FollowSymLinks +MultiViews - AllowOverride None - + + Options -Indexes + Require all denied + Include /etc/apache2/private_ipaddr_whitelist.conf + + + Options -Indexes + Require all denied Include /etc/apache2/private_ipaddr_whitelist.conf - - Include /etc/apache2/private_ipaddr_whitelist.conf - - + # For CGI Scripts. We need to set Directory directive as ScriptAlias take precedence. ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ - - AllowOverride None + Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch + Require all denied + Include /etc/apache2/private_ipaddr_whitelist.conf ErrorDocument 403 {{ apache_default_redirect_url }} @@ -54,7 +71,7 @@ IncludeOptional /etc/apache2/conf-available/phpmyadmin* - deny from all + Require all denied From 0c2170cf5c49de6e36e4be02bc9010c18eb31b1f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 18 Jul 2017 19:38:03 +0200 Subject: [PATCH 077/277] Remove some backups, again --- bind/tasks/main.yml | 1 - bind/tasks/munin.yml | 5 ++--- evolinux-base/tasks/system.yml | 1 - squid/tasks/main.yml | 1 - varnish/tasks/main.yml | 1 - 5 files changed, 2 insertions(+), 7 deletions(-) diff --git a/bind/tasks/main.yml b/bind/tasks/main.yml index 2c8e0278..c23cbf20 100644 --- a/bind/tasks/main.yml +++ b/bind/tasks/main.yml @@ -29,7 +29,6 @@ group: root mode: "0644" force: yes - backup: yes notify: restart bind - name: Create directories diff --git a/bind/tasks/munin.yml b/bind/tasks/munin.yml index 51ee9b64..98f275cf 100644 --- a/bind/tasks/munin.yml +++ b/bind/tasks/munin.yml @@ -1,4 +1,4 @@ ---- +--- - name: is Munin present ? stat: @@ -14,7 +14,7 @@ src: "/usr/share/munin/plugins/{{ item }}" dest: "/etc/munin/plugins/{{ item }}" state: link - with_items: + with_items: - bind9 - bind9_rndc notify: restart munin @@ -31,7 +31,6 @@ group: root mode: "0644" force: yes - backup: yes notify: restart munin when: munin_node_plugins_config.stat.exists tags: diff --git a/evolinux-base/tasks/system.yml b/evolinux-base/tasks/system.yml index a11049c4..67638b55 100644 --- a/evolinux-base/tasks/system.yml +++ b/evolinux-base/tasks/system.yml @@ -169,7 +169,6 @@ dest: /etc/network/interfaces regexp: "allow-hotplug" replace: "auto" - backup: yes when: evolinux_system_eni_auto and grep_hotplug_eni.rc == 0 - meta: flush_handlers diff --git a/squid/tasks/main.yml b/squid/tasks/main.yml index adc8ea8f..eaf690a6 100644 --- a/squid/tasks/main.yml +++ b/squid/tasks/main.yml @@ -19,7 +19,6 @@ src: whitelist-evolinux.conf dest: "{{ squid_conf_path }}/whitelist-evolinux.conf" force: yes - backup: yes notify: "reload {{ squid_daemon }}" - name: custom whitelist is present diff --git a/varnish/tasks/main.yml b/varnish/tasks/main.yml index 9671768f..798f7aec 100644 --- a/varnish/tasks/main.yml +++ b/varnish/tasks/main.yml @@ -39,7 +39,6 @@ src: varnish.conf.j2 dest: /etc/systemd/system/varnish.service.d/varnish.conf force: yes - backup: yes notify: reload systemd tags: - varnish From 4110d228023a564ca307efebb0431e2cc761e67c Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 18 Jul 2017 19:40:56 +0200 Subject: [PATCH 078/277] Remove yet some other backups --- evocheck/tasks/main.yml | 1 - listupgrade/tasks/main.yml | 1 - 2 files changed, 2 deletions(-) diff --git a/evocheck/tasks/main.yml b/evocheck/tasks/main.yml index 664b7c00..ad6d8b4e 100644 --- a/evocheck/tasks/main.yml +++ b/evocheck/tasks/main.yml @@ -18,7 +18,6 @@ mode: "0700" owner: root force: yes - backup: yes tags: - evocheck diff --git a/listupgrade/tasks/main.yml b/listupgrade/tasks/main.yml index 962ccf9b..74944eca 100644 --- a/listupgrade/tasks/main.yml +++ b/listupgrade/tasks/main.yml @@ -15,7 +15,6 @@ owner: root group: root force: yes - backup: yes - name: Create /etc/evolinux file: From 20c575ee1e7b518bdbf1c27199d35e4a0a2b7418 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 18 Jul 2017 19:42:54 +0200 Subject: [PATCH 079/277] named.conf.options is managed by ansible --- bind/templates/named.conf.options.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/bind/templates/named.conf.options.j2 b/bind/templates/named.conf.options.j2 index 7ffa4aeb..79969a9d 100644 --- a/bind/templates/named.conf.options.j2 +++ b/bind/templates/named.conf.options.j2 @@ -1,3 +1,5 @@ +// {{ ansible_managed }} + options { directory "/var/cache/bind"; From 8505bb9d3c799534d25399013ee83a23634d4054 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 18 Jul 2017 19:43:28 +0200 Subject: [PATCH 080/277] =?UTF-8?q?=E2=80=A6=20so=20the=20backup=20is=20no?= =?UTF-8?q?t=20needed=20anymore?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- bind/tasks/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/bind/tasks/main.yml b/bind/tasks/main.yml index c23cbf20..dc74029f 100644 --- a/bind/tasks/main.yml +++ b/bind/tasks/main.yml @@ -11,7 +11,6 @@ group: bind mode: "0644" force: yes - backup: yes notify: restart bind - name: Modify OPTIONS in /etc/default/bind9 From 388a2c058e709513291af68ec9511cd6afaadb62 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 18 Jul 2017 20:00:20 +0200 Subject: [PATCH 081/277] Over-simplified /root/.gitconfig --- evolinux-base/files/root/gitconfig | 18 ------------------ 1 file changed, 18 deletions(-) diff --git a/evolinux-base/files/root/gitconfig b/evolinux-base/files/root/gitconfig index 06e6b2a8..126f6f7f 100644 --- a/evolinux-base/files/root/gitconfig +++ b/evolinux-base/files/root/gitconfig @@ -1,22 +1,4 @@ -[core] - filemode = true - bare = false [color] - branch = auto - status = auto - diff = auto - interactive = auto - decorate = auto - grep = auto ui = true -[apply] - whitespace = nowarn [alias] - a = add - aa = add -A . - c = commit -v - ca = commit -v -a - d = diff --ignore-space-change --patience --no-prefix - dw = diff --word-diff lg = log --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit --date=relative - s = status -s -b From 3e3e1c368e628605770e81dd07959743c1294efa Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 18 Jul 2017 20:03:57 +0200 Subject: [PATCH 082/277] Lighter /root/.vimrc --- evolinux-base/tasks/root.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/evolinux-base/tasks/root.yml b/evolinux-base/tasks/root.yml index 56aaa7cb..ffe64fe1 100644 --- a/evolinux-base/tasks/root.yml +++ b/evolinux-base/tasks/root.yml @@ -73,13 +73,11 @@ state: present with_items: - "syntax on" - - "set hlsearch" - "set background=dark" - "set expandtab" - "set tabstop=4" - - "set softtabstop=0" + - "set softtabstop=4" - "set shiftwidth=4" - - "set smarttab" when: evolinux_root_vim_conf - meta: flush_handlers From 3a8093fb12d4f8b6268344f6eaa70680108114ff Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 18 Jul 2017 20:13:58 +0200 Subject: [PATCH 083/277] Apache: use "Require" http://httpd.apache.org/docs/2.4/howto/auth.html --- apache/files/evolinux-defaults.conf | 2 +- evoacme/templates/apache.conf.j2 | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/apache/files/evolinux-defaults.conf b/apache/files/evolinux-defaults.conf index 9eba4f6e..af2b4089 100644 --- a/apache/files/evolinux-defaults.conf +++ b/apache/files/evolinux-defaults.conf @@ -12,5 +12,5 @@ MaxRequestsPerChild 0 AllowOverride None Require all granted - Deny from env=GoAway + Require not env GoAway diff --git a/evoacme/templates/apache.conf.j2 b/evoacme/templates/apache.conf.j2 index 6cd3d2ea..014c4d3f 100644 --- a/evoacme/templates/apache.conf.j2 +++ b/evoacme/templates/apache.conf.j2 @@ -7,6 +7,5 @@ Alias /.well-known/acme-challenge {{ evoacme_acme_dir }}/.well-known/acme-challenge Options -Indexes - Allow from all Require all granted From 9c797ea27374018a2335a3fe47d275116b31bdd3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Wed, 19 Jul 2017 01:34:13 +0200 Subject: [PATCH 084/277] kvm-host: images path is customizable --- kvm-host/README.md | 2 +- kvm-host/defaults/main.yml | 2 ++ kvm-host/tasks/images.yml | 49 +++++++++++++++++++++++++++---------- kvm-host/tasks/main.yml | 2 ++ kvm-host/tasks/packages.yml | 3 ++- 5 files changed, 43 insertions(+), 15 deletions(-) create mode 100644 kvm-host/defaults/main.yml diff --git a/kvm-host/README.md b/kvm-host/README.md index ae6f24ef..15ed4e13 100644 --- a/kvm-host/README.md +++ b/kvm-host/README.md @@ -8,4 +8,4 @@ Everything is in the `tasks/main.yml` file. ## Available variables -There is no variable. +* `kvm_custom_libvirt_images_path`: a custom directory for libvirt images (default: empty) ; diff --git a/kvm-host/defaults/main.yml b/kvm-host/defaults/main.yml new file mode 100644 index 00000000..4c77a2ff --- /dev/null +++ b/kvm-host/defaults/main.yml @@ -0,0 +1,2 @@ +--- +kvm_custom_libvirt_images_path: '' diff --git a/kvm-host/tasks/images.yml b/kvm-host/tasks/images.yml index 00f85759..527eb048 100644 --- a/kvm-host/tasks/images.yml +++ b/kvm-host/tasks/images.yml @@ -1,15 +1,38 @@ --- -- name: Create images directory - file: - path: '/home/images' - state: directory - owner: root - group: libvirt - mode: 02775 -- name: Symlink for libvirt images directory - file: - src: '/home/images' - dest: '/var/lib/libvirt/images' - state: link - force: yes +- block: + - name: "Is {{ kvm_custom_libvirt_images_path }} present ?" + stat: + path: "{{ kvm_custom_libvirt_images_path }}" + check_mode: no + register: kvm_custom_libvirt_images_path_test + + - name: "read the real datadir" + command: readlink -f /var/lib/libvirt/images + changed_when: False + check_mode: no + register: kvm_libvirt_images_current_real_path_test + when: kvm_custom_libvirt_images_path != '' + +- block: + - name: "Move libvirt images to {{ kvm_custom_libvirt_images_path }}" + command: mv /var/lib/libvirt/images {{ kvm_custom_libvirt_images_path }} + args: + creates: "{{ kvm_custom_libvirt_images_path }}" + + - name: Fix owner/group/permissions + file: + path: "{{ kvm_custom_libvirt_images_path }}" + owner: root + group: libvirt + mode: "02775" + + - name: "Symlink {{ kvm_custom_libvirt_images_path }} to /var/lib/libvirt/images" + file: + src: "{{ kvm_custom_libvirt_images_path }}" + dest: '/var/lib/libvirt/images' + state: link + when: + - kvm_custom_libvirt_images_path != '' + - kvm_custom_libvirt_images_path != kvm_libvirt_images_current_real_path_test.stdout + - not kvm_custom_libvirt_images_path_test.stat.exists diff --git a/kvm-host/tasks/main.yml b/kvm-host/tasks/main.yml index c4d6e622..a3ee3556 100644 --- a/kvm-host/tasks/main.yml +++ b/kvm-host/tasks/main.yml @@ -1,4 +1,6 @@ --- + +## TODO: check why it's disabled #- include: ssh.yml - include: packages.yml diff --git a/kvm-host/tasks/packages.yml b/kvm-host/tasks/packages.yml index b4ddd22f..7188239a 100644 --- a/kvm-host/tasks/packages.yml +++ b/kvm-host/tasks/packages.yml @@ -3,9 +3,10 @@ apt: name: "{{ item }}" with_items: - - libvirt-bin - qemu-kvm - netcat-openbsd - bridge-utils - qemu-utils - virtinst + - libvirt-daemon-system + - libvirt-clients From 62fbbd2016887890e7172c7f76d95c6e256633ad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Wed, 19 Jul 2017 08:56:46 +0200 Subject: [PATCH 085/277] Rename role "apt-repositories" to "apt" --- apt-repositories/README.md | 57 ------------------- apt-repositories/defaults/main.yml | 7 --- .../templates/jessie_backports.list.j2 | 3 - .../templates/jessie_basics.list.j2 | 5 -- .../templates/stretch_backports.list.j2 | 3 - .../templates/stretch_basics.list.j2 | 5 -- apt-repositories/tests/test.yml | 10 ---- {apt-repositories => apt}/.kitchen.yml | 2 +- apt/README.md | 57 +++++++++++++++++++ apt/defaults/main.yml | 7 +++ .../files/jessie_backports_preferences | 0 .../files/stretch_backports_preferences | 0 {apt-repositories => apt}/handlers/main.yml | 0 {apt-repositories => apt}/meta/main.yml | 0 {apt-repositories => apt}/tasks/backports.yml | 8 +-- {apt-repositories => apt}/tasks/basics.yml | 4 +- .../tasks/evolix_public.yml | 6 +- {apt-repositories => apt}/tasks/main.yml | 16 +++--- .../templates/evolix_public.list.j2 | 0 apt/templates/jessie_backports.list.j2 | 3 + apt/templates/jessie_basics.list.j2 | 5 ++ apt/templates/stretch_backports.list.j2 | 3 + apt/templates/stretch_basics.list.j2 | 5 ++ .../tests/spec/main_spec.rb | 0 apt/tests/test.yml | 10 ++++ evoacme/tasks/certbot.yml | 2 +- evoadmin/tasks/packages.yml | 2 +- evolinux-base/tasks/apt.yml | 6 +- evolinux-base/tasks/hardware.yml | 4 +- evomaintenance/tasks/main.yml | 2 +- haproxy/tasks/packages_jessie_backports.yml | 2 +- java8/tasks/main.yml | 2 +- nginx/tasks/packages_jessie_backports.yml | 2 +- vrrpd/tasks/main.yml | 2 +- 34 files changed, 120 insertions(+), 120 deletions(-) delete mode 100644 apt-repositories/README.md delete mode 100644 apt-repositories/defaults/main.yml delete mode 100644 apt-repositories/templates/jessie_backports.list.j2 delete mode 100644 apt-repositories/templates/jessie_basics.list.j2 delete mode 100644 apt-repositories/templates/stretch_backports.list.j2 delete mode 100644 apt-repositories/templates/stretch_basics.list.j2 delete mode 100644 apt-repositories/tests/test.yml rename {apt-repositories => apt}/.kitchen.yml (92%) create mode 100644 apt/README.md create mode 100644 apt/defaults/main.yml rename {apt-repositories => apt}/files/jessie_backports_preferences (100%) rename {apt-repositories => apt}/files/stretch_backports_preferences (100%) rename {apt-repositories => apt}/handlers/main.yml (100%) rename {apt-repositories => apt}/meta/main.yml (100%) rename {apt-repositories => apt}/tasks/backports.yml (88%) rename {apt-repositories => apt}/tasks/basics.yml (86%) rename {apt-repositories => apt}/tasks/evolix_public.yml (90%) rename {apt-repositories => apt}/tasks/main.yml (66%) rename {apt-repositories => apt}/templates/evolix_public.list.j2 (100%) create mode 100644 apt/templates/jessie_backports.list.j2 create mode 100644 apt/templates/jessie_basics.list.j2 create mode 100644 apt/templates/stretch_backports.list.j2 create mode 100644 apt/templates/stretch_basics.list.j2 rename {apt-repositories => apt}/tests/spec/main_spec.rb (100%) create mode 100644 apt/tests/test.yml diff --git a/apt-repositories/README.md b/apt-repositories/README.md deleted file mode 100644 index 7eaff8b5..00000000 --- a/apt-repositories/README.md +++ /dev/null @@ -1,57 +0,0 @@ -# apt-repositories - -A few APT related operations, like easily install backports of change components for repositories. - -## Tasks - -Tasks are extracted in several files, included in `tasks/main.yml` : - -* `backports.yml` : add a sources list for backports ; -* `basics_components.yml` : replace components for the basic sources. - -## Available variables - -* `apt_repositories_install_basics` : change basic sources components (default: `True`) ; -* `apt_repositories_basics_components` : basic sources components (default: `main`) ; -* `apt_repositories_install_backports` : install backports sources (default: `False`) ; -* `apt_repositories_backports_components` : backports sources (default: `main`) ; -* `apt_repositories_install_evolix_public` : install Evolix public repositories (default: `True`). - -## Examples - -To add "non-free" and "contrib" components to basic sources lists : - -``` -{ role: apt-repositories, - apt_repositories_install_basics: True, - apt_repositories_basics_components: "main non-free contrib" -} -``` - -To install backports sources lists : - -``` -{ role: apt-repositories, - apt_repositories_install_backports: True -} -``` - -To install backports sources lists with "non-free" and "contrib" : - -``` -{ role: apt-repositories, - apt_repositories_install_backports: True, - apt_repositories_backports_components: "main non-free contrib" -} -``` - -To install backports sources lists and have "non-free" and "contrib" for each repository : - -``` -{ role: apt-repositories, - apt_repositories_install_basics: True, - apt_repositories_basics_components: "main non-free contrib", - apt_repositories_install_backports: True, - apt_repositories_backports_components: "main non-free contrib" -} -``` diff --git a/apt-repositories/defaults/main.yml b/apt-repositories/defaults/main.yml deleted file mode 100644 index 47c3016f..00000000 --- a/apt-repositories/defaults/main.yml +++ /dev/null @@ -1,7 +0,0 @@ -apt_repositories_install_basics: True -apt_repositories_basics_components: "main" - -apt_repositories_install_backports: False -apt_repositories_backports_components: "main" - -apt_repositories_install_evolix_public: True diff --git a/apt-repositories/templates/jessie_backports.list.j2 b/apt-repositories/templates/jessie_backports.list.j2 deleted file mode 100644 index 863c242c..00000000 --- a/apt-repositories/templates/jessie_backports.list.j2 +++ /dev/null @@ -1,3 +0,0 @@ -# {{ ansible_managed }} - -deb http://mirror.evolix.org/debian jessie-backports {{ apt_repositories_backports_components | mandatory }} diff --git a/apt-repositories/templates/jessie_basics.list.j2 b/apt-repositories/templates/jessie_basics.list.j2 deleted file mode 100644 index 90237365..00000000 --- a/apt-repositories/templates/jessie_basics.list.j2 +++ /dev/null @@ -1,5 +0,0 @@ -# {{ ansible_managed }} - -deb http://mirror.evolix.org/debian/ jessie {{ apt_repositories_basics_components | mandatory }} -deb http://mirror.evolix.org/debian/ jessie-updates {{ apt_repositories_basics_components | mandatory }} -deb http://security.debian.org/ jessie/updates {{ apt_repositories_basics_components | mandatory }} diff --git a/apt-repositories/templates/stretch_backports.list.j2 b/apt-repositories/templates/stretch_backports.list.j2 deleted file mode 100644 index ce887449..00000000 --- a/apt-repositories/templates/stretch_backports.list.j2 +++ /dev/null @@ -1,3 +0,0 @@ -# {{ ansible_managed }} - -deb http://mirror.evolix.org/debian stretch-backports {{ apt_repositories_backports_components | mandatory }} diff --git a/apt-repositories/templates/stretch_basics.list.j2 b/apt-repositories/templates/stretch_basics.list.j2 deleted file mode 100644 index eac2c1fb..00000000 --- a/apt-repositories/templates/stretch_basics.list.j2 +++ /dev/null @@ -1,5 +0,0 @@ -# {{ ansible_managed }} - -deb http://mirror.evolix.org/debian stretch {{ apt_repositories_basics_components | mandatory }} -deb http://mirror.evolix.org/debian/ stretch-updates {{ apt_repositories_basics_components | mandatory }} -deb http://security.debian.org/debian-security stretch/updates {{ apt_repositories_basics_components | mandatory }} diff --git a/apt-repositories/tests/test.yml b/apt-repositories/tests/test.yml deleted file mode 100644 index a6c49fe6..00000000 --- a/apt-repositories/tests/test.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -- hosts: test-kitchen - - vars: - apt_repositories_basics_components: "main contrib non-free" - apt_repositories_install_backports: True - apt_repositories_backports_components: "main contrib non-free" - - roles: - - role: apt-repositories diff --git a/apt-repositories/.kitchen.yml b/apt/.kitchen.yml similarity index 92% rename from apt-repositories/.kitchen.yml rename to apt/.kitchen.yml index 65139ac6..a950bb61 100644 --- a/apt-repositories/.kitchen.yml +++ b/apt/.kitchen.yml @@ -28,7 +28,7 @@ suites: playbook: ./tests/test.yml verifier: patterns: - - apt-repositories/tests/spec/main_spec.rb + - apt/tests/spec/main_spec.rb bundler_path: '/usr/local/bin' rspec_path: '/usr/local/bin' diff --git a/apt/README.md b/apt/README.md new file mode 100644 index 00000000..ec4da5b6 --- /dev/null +++ b/apt/README.md @@ -0,0 +1,57 @@ +# apt + +A few APT related operations, like easily install backports of change components for repositories. + +## Tasks + +Tasks are extracted in several files, included in `tasks/main.yml` : + +* `backports.yml` : add a sources list for backports ; +* `basics_components.yml` : replace components for the basic sources. + +## Available variables + +* `apt_install_basics` : change basic sources components (default: `True`) ; +* `apt_basics_components` : basic sources components (default: `main`) ; +* `apt_install_backports` : install backports sources (default: `False`) ; +* `apt_backports_components` : backports sources (default: `main`) ; +* `apt_install_evolix_public` : install Evolix public repositories (default: `True`). + +## Examples + +To add "non-free" and "contrib" components to basic sources lists : + +``` +{ role: apt, + apt_install_basics: True, + apt_basics_components: "main non-free contrib" +} +``` + +To install backports sources lists : + +``` +{ role: apt, + apt_install_backports: True +} +``` + +To install backports sources lists with "non-free" and "contrib" : + +``` +{ role: apt, + apt_install_backports: True, + apt_backports_components: "main non-free contrib" +} +``` + +To install backports sources lists and have "non-free" and "contrib" for each repository : + +``` +{ role: apt, + apt_install_basics: True, + apt_basics_components: "main non-free contrib", + apt_install_backports: True, + apt_backports_components: "main non-free contrib" +} +``` diff --git a/apt/defaults/main.yml b/apt/defaults/main.yml new file mode 100644 index 00000000..671bc8b2 --- /dev/null +++ b/apt/defaults/main.yml @@ -0,0 +1,7 @@ +apt_install_basics: True +apt_basics_components: "main" + +apt_install_backports: False +apt_backports_components: "main" + +apt_install_evolix_public: True diff --git a/apt-repositories/files/jessie_backports_preferences b/apt/files/jessie_backports_preferences similarity index 100% rename from apt-repositories/files/jessie_backports_preferences rename to apt/files/jessie_backports_preferences diff --git a/apt-repositories/files/stretch_backports_preferences b/apt/files/stretch_backports_preferences similarity index 100% rename from apt-repositories/files/stretch_backports_preferences rename to apt/files/stretch_backports_preferences diff --git a/apt-repositories/handlers/main.yml b/apt/handlers/main.yml similarity index 100% rename from apt-repositories/handlers/main.yml rename to apt/handlers/main.yml diff --git a/apt-repositories/meta/main.yml b/apt/meta/main.yml similarity index 100% rename from apt-repositories/meta/main.yml rename to apt/meta/main.yml diff --git a/apt-repositories/tasks/backports.yml b/apt/tasks/backports.yml similarity index 88% rename from apt-repositories/tasks/backports.yml rename to apt/tasks/backports.yml index ad606fe8..fd459a34 100644 --- a/apt-repositories/tasks/backports.yml +++ b/apt/tasks/backports.yml @@ -5,7 +5,7 @@ regexp: "backports" state: absent tags: - - apt-repositories + - apt - name: Backports sources list is installed template: @@ -15,7 +15,7 @@ mode: "0640" notify: apt update tags: - - apt-repositories + - apt - name: Backports configuration copy: @@ -25,9 +25,9 @@ mode: "0640" notify: apt update tags: - - apt-repositories + - apt - name: Intermediate flush of handlers meta: flush_handlers tags: - - apt-repositories + - apt diff --git a/apt-repositories/tasks/basics.yml b/apt/tasks/basics.yml similarity index 86% rename from apt-repositories/tasks/basics.yml rename to apt/tasks/basics.yml index 78e16810..5fefbbfc 100644 --- a/apt-repositories/tasks/basics.yml +++ b/apt/tasks/basics.yml @@ -8,9 +8,9 @@ force: yes notify: apt update tags: - - apt-repositories + - apt - name: Intermediate flush of handlers meta: flush_handlers tags: - - apt-repositories + - apt diff --git a/apt-repositories/tasks/evolix_public.yml b/apt/tasks/evolix_public.yml similarity index 90% rename from apt-repositories/tasks/evolix_public.yml rename to apt/tasks/evolix_public.yml index bd1e10ce..9b04c971 100644 --- a/apt-repositories/tasks/evolix_public.yml +++ b/apt/tasks/evolix_public.yml @@ -5,7 +5,7 @@ # msg: "Error: Evolix public repository is not compatble with 'Debian Stretch' yet." # when: ansible_distribution_release == "stretch" # tags: -# - apt-repositories +# - apt - name: Add Evolix GPG key @@ -21,9 +21,9 @@ mode: "0640" notify: apt update tags: - - apt-repositories + - apt - name: Intermediate flush of handlers meta: flush_handlers tags: - - apt-repositories + - apt diff --git a/apt-repositories/tasks/main.yml b/apt/tasks/main.yml similarity index 66% rename from apt-repositories/tasks/main.yml rename to apt/tasks/main.yml index a70febd5..b179ba4f 100644 --- a/apt-repositories/tasks/main.yml +++ b/apt/tasks/main.yml @@ -7,25 +7,25 @@ - ansible_distribution_release != "jessie" - ansible_distribution_release != "stretch" tags: - - apt-repositories + - apt - name: Install basics repositories include: basics.yml - when: apt_repositories_install_basics + when: apt_install_basics tags: - - apt-repositories + - apt - name: Install APT Backports repository include: backports.yml - when: apt_repositories_install_backports + when: apt_install_backports tags: - - apt-repositories + - apt - debug: - var: apt_repositories_install_evolix_public + var: apt_install_evolix_public - name: Install Evolix Public APT repository include: evolix_public.yml - when: apt_repositories_install_evolix_public + when: apt_install_evolix_public tags: - - apt-repositories + - apt diff --git a/apt-repositories/templates/evolix_public.list.j2 b/apt/templates/evolix_public.list.j2 similarity index 100% rename from apt-repositories/templates/evolix_public.list.j2 rename to apt/templates/evolix_public.list.j2 diff --git a/apt/templates/jessie_backports.list.j2 b/apt/templates/jessie_backports.list.j2 new file mode 100644 index 00000000..cba40470 --- /dev/null +++ b/apt/templates/jessie_backports.list.j2 @@ -0,0 +1,3 @@ +# {{ ansible_managed }} + +deb http://mirror.evolix.org/debian jessie-backports {{ apt_backports_components | mandatory }} diff --git a/apt/templates/jessie_basics.list.j2 b/apt/templates/jessie_basics.list.j2 new file mode 100644 index 00000000..684b7bb3 --- /dev/null +++ b/apt/templates/jessie_basics.list.j2 @@ -0,0 +1,5 @@ +# {{ ansible_managed }} + +deb http://mirror.evolix.org/debian/ jessie {{ apt_basics_components | mandatory }} +deb http://mirror.evolix.org/debian/ jessie-updates {{ apt_basics_components | mandatory }} +deb http://security.debian.org/ jessie/updates {{ apt_basics_components | mandatory }} diff --git a/apt/templates/stretch_backports.list.j2 b/apt/templates/stretch_backports.list.j2 new file mode 100644 index 00000000..4f69547d --- /dev/null +++ b/apt/templates/stretch_backports.list.j2 @@ -0,0 +1,3 @@ +# {{ ansible_managed }} + +deb http://mirror.evolix.org/debian stretch-backports {{ apt_backports_components | mandatory }} diff --git a/apt/templates/stretch_basics.list.j2 b/apt/templates/stretch_basics.list.j2 new file mode 100644 index 00000000..2f0bf99e --- /dev/null +++ b/apt/templates/stretch_basics.list.j2 @@ -0,0 +1,5 @@ +# {{ ansible_managed }} + +deb http://mirror.evolix.org/debian stretch {{ apt_basics_components | mandatory }} +deb http://mirror.evolix.org/debian/ stretch-updates {{ apt_basics_components | mandatory }} +deb http://security.debian.org/debian-security stretch/updates {{ apt_basics_components | mandatory }} diff --git a/apt-repositories/tests/spec/main_spec.rb b/apt/tests/spec/main_spec.rb similarity index 100% rename from apt-repositories/tests/spec/main_spec.rb rename to apt/tests/spec/main_spec.rb diff --git a/apt/tests/test.yml b/apt/tests/test.yml new file mode 100644 index 00000000..fce03b45 --- /dev/null +++ b/apt/tests/test.yml @@ -0,0 +1,10 @@ +--- +- hosts: test-kitchen + + vars: + apt_basics_components: "main contrib non-free" + apt_install_backports: True + apt_backports_components: "main contrib non-free" + + roles: + - role: apt diff --git a/evoacme/tasks/certbot.yml b/evoacme/tasks/certbot.yml index b076f61f..eae7ba86 100644 --- a/evoacme/tasks/certbot.yml +++ b/evoacme/tasks/certbot.yml @@ -3,7 +3,7 @@ - block: - name: install jessie-backports include_role: - name: apt-repositories + name: apt tasks_from: backports.yml - name: Add exceptions for certbot dependances diff --git a/evoadmin/tasks/packages.yml b/evoadmin/tasks/packages.yml index 7fd32de3..e0b1fe05 100644 --- a/evoadmin/tasks/packages.yml +++ b/evoadmin/tasks/packages.yml @@ -1,7 +1,7 @@ --- - include_role: - name: apt-repositories + name: apt tasks_from: evolix_public.yml - meta: flush_handlers diff --git a/evolinux-base/tasks/apt.yml b/evolinux-base/tasks/apt.yml index 0e0df00a..bb0be3fc 100644 --- a/evolinux-base/tasks/apt.yml +++ b/evolinux-base/tasks/apt.yml @@ -1,10 +1,10 @@ --- - include_role: - name: apt-repositories + name: apt vars: - apt_repositories_install_basics: "{{ evolinux_apt_replace_default_sources }}" - apt_repositories_install_evolix_public: "{{ evolinux_apt_public_sources }}" + apt_install_basics: "{{ evolinux_apt_replace_default_sources }}" + apt_install_evolix_public: "{{ evolinux_apt_public_sources }}" - name: Setting apt config lineinfile: diff --git a/evolinux-base/tasks/hardware.yml b/evolinux-base/tasks/hardware.yml index c74b25fe..69ab0889 100644 --- a/evolinux-base/tasks/hardware.yml +++ b/evolinux-base/tasks/hardware.yml @@ -18,10 +18,10 @@ - name: Add non-free repo for Broadcom NetXtreme II include_role: - name: apt-repositories + name: apt tasks_from: basics.yml vars: - apt_repositories_basics_components: "main contrib non-free" + apt_basics_components: "main contrib non-free" when: broadcom|success ## RAID diff --git a/evomaintenance/tasks/main.yml b/evomaintenance/tasks/main.yml index 9fbc10b4..091c59d5 100644 --- a/evomaintenance/tasks/main.yml +++ b/evomaintenance/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: Install Evolix public repositry include_role: - name: apt-repositories + name: apt tasks_from: evolix_public.yml - name: evomaintenance is installed diff --git a/haproxy/tasks/packages_jessie_backports.yml b/haproxy/tasks/packages_jessie_backports.yml index 2449029d..17218ee6 100644 --- a/haproxy/tasks/packages_jessie_backports.yml +++ b/haproxy/tasks/packages_jessie_backports.yml @@ -1,7 +1,7 @@ --- - include_role: - name: apt-repositories + name: apt tasks_from: backports.yml tags: - haproxy diff --git a/java8/tasks/main.yml b/java8/tasks/main.yml index 1ecebbee..f206b2f3 100644 --- a/java8/tasks/main.yml +++ b/java8/tasks/main.yml @@ -5,7 +5,7 @@ - name: install jessie-backports include_role: - name: apt-repositories + name: apt tasks_from: backports.yml when: ansible_distribution_release == "jessie" diff --git a/nginx/tasks/packages_jessie_backports.yml b/nginx/tasks/packages_jessie_backports.yml index e5d29f8a..703b9e2a 100644 --- a/nginx/tasks/packages_jessie_backports.yml +++ b/nginx/tasks/packages_jessie_backports.yml @@ -1,7 +1,7 @@ --- - include_role: - name: apt-repositories + name: apt tasks_from: backports.yml tags: - haproxy diff --git a/vrrpd/tasks/main.yml b/vrrpd/tasks/main.yml index ee1bad90..b4f9b118 100644 --- a/vrrpd/tasks/main.yml +++ b/vrrpd/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: Install Evolix public repositry include_role: - name: apt-repositories + name: apt tasks_from: evolix_public.yml - name: Install vrrpd packages From 6e329d28205a8297fb443f37c9af8b70ed3e0c65 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Wed, 19 Jul 2017 10:20:54 +0200 Subject: [PATCH 086/277] Deny by default (default conf allow from all) --- apache/templates/evolinux-default.conf.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/apache/templates/evolinux-default.conf.j2 b/apache/templates/evolinux-default.conf.j2 index 8a5259f5..084a7b6e 100644 --- a/apache/templates/evolinux-default.conf.j2 +++ b/apache/templates/evolinux-default.conf.j2 @@ -22,6 +22,7 @@ Options +Indexes +FollowSymLinks +MultiViews AllowOverride None + Require all denied Include /etc/apache2/private_ipaddr_whitelist.conf From 86e1e057a8dfe3801035942b88ba9f2be9514981 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Wed, 19 Jul 2017 10:21:37 +0200 Subject: [PATCH 087/277] We don't want anymore a 301 redirect for 403 errors, it's too confusing --- apache/templates/evolinux-default.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apache/templates/evolinux-default.conf.j2 b/apache/templates/evolinux-default.conf.j2 index 084a7b6e..569fd8fc 100644 --- a/apache/templates/evolinux-default.conf.j2 +++ b/apache/templates/evolinux-default.conf.j2 @@ -45,7 +45,7 @@ Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch - ErrorDocument 403 {{ apache_default_redirect_url }} + #ErrorDocument 403 {{ apache_default_redirect_url }} CustomLog /var/log/apache2/access.log vhost_combined ErrorLog /var/log/apache2/error.log From cb128a897b742e6c375a4574bd530552e7e328b0 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 19 Jul 2017 11:20:13 +0200 Subject: [PATCH 088/277] Apache: new syntax for auth --- apache/templates/evolinux-default.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apache/templates/evolinux-default.conf.j2 b/apache/templates/evolinux-default.conf.j2 index 569fd8fc..bcbd742d 100644 --- a/apache/templates/evolinux-default.conf.j2 +++ b/apache/templates/evolinux-default.conf.j2 @@ -55,7 +55,7 @@ IncludeOptional /etc/apache2/conf-available/phpmyadmin* - deny from all + Require all denied From 0115a16675787e9c3047a1df0131983c55ca7e32 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 19 Jul 2017 11:22:37 +0200 Subject: [PATCH 089/277] whitespaces --- admin-users/tasks/adduser_debian.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/admin-users/tasks/adduser_debian.yml b/admin-users/tasks/adduser_debian.yml index 56c934d5..42816d41 100644 --- a/admin-users/tasks/adduser_debian.yml +++ b/admin-users/tasks/adduser_debian.yml @@ -7,7 +7,6 @@ changed_when: False check_mode: no - - name: "Add Unix account with classical uid for '{{ user.name }}'" user: state: present @@ -17,7 +16,7 @@ shell: /bin/bash password: '{{ user.password_hash }}' update_password: on_create - when: uidisbusy|failed + when: uidisbusy | failed - name: "Add Unix account with random uid for '{{ user.name }}'" user: @@ -27,7 +26,7 @@ shell: /bin/bash password: '{{ user.password_hash }}' update_password: on_create - when: uidisbusy|success + when: uidisbusy | success - name: "Fix perms on homedirectory for '{{ user.name }}'" file: @@ -41,7 +40,6 @@ register: evomaintenance_script check_mode: no - - name: "Add evomaintenance trap for '{{ user.name }}'" lineinfile: state: present @@ -97,7 +95,6 @@ register: grep_matchuser_ssh check_mode: no - - name: "Add Match User sshd directive for '{{ user.name }}'" lineinfile: dest: /etc/ssh/sshd_config From 7c92645c5c576efba337579b3860c3d3f9116e06 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 19 Jul 2017 11:24:53 +0200 Subject: [PATCH 090/277] admin users: fix uidisbusy for proper rc check because of "failed_when: False", the register would never fail so we check the return code of "getent passwd" --- admin-users/tasks/adduser_debian.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/admin-users/tasks/adduser_debian.yml b/admin-users/tasks/adduser_debian.yml index 42816d41..9fca4725 100644 --- a/admin-users/tasks/adduser_debian.yml +++ b/admin-users/tasks/adduser_debian.yml @@ -16,7 +16,7 @@ shell: /bin/bash password: '{{ user.password_hash }}' update_password: on_create - when: uidisbusy | failed + when: uidisbusy.rc == 0 - name: "Add Unix account with random uid for '{{ user.name }}'" user: @@ -26,7 +26,7 @@ shell: /bin/bash password: '{{ user.password_hash }}' update_password: on_create - when: uidisbusy | success + when: uidisbusy.rc != 0 - name: "Fix perms on homedirectory for '{{ user.name }}'" file: From 2077af2992c740d0a90c13634ec18f315f875b90 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 19 Jul 2017 11:39:09 +0200 Subject: [PATCH 091/277] fail2ban: change ips variables --- fail2ban/README.md | 1 + fail2ban/defaults/main.yml | 2 +- fail2ban/templates/jail.local.j2 | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/fail2ban/README.md b/fail2ban/README.md index 55168279..af94e38a 100644 --- a/fail2ban/README.md +++ b/fail2ban/README.md @@ -12,5 +12,6 @@ Main variables are : * `general_alert_email`: email address to send various alert messages (default: `root@localhost`). * `fail2ban_alert_email`: email address for messages sent to root (default: `general_alert_email`). +* `fail2ban_ignore_ips`: list of IPs to ignore (default: empty). The full list of variables (with default values) can be found in `defaults/main.yml`. diff --git a/fail2ban/defaults/main.yml b/fail2ban/defaults/main.yml index f08bdf6a..2fe40951 100644 --- a/fail2ban/defaults/main.yml +++ b/fail2ban/defaults/main.yml @@ -1,4 +1,4 @@ --- general_alert_email: "root@localhost" fail2ban_alert_email: Null -fail2ban_ignoreip: [] +fail2ban_ignore_ips: [] diff --git a/fail2ban/templates/jail.local.j2 b/fail2ban/templates/jail.local.j2 index 63d69947..2f4d6bc3 100644 --- a/fail2ban/templates/jail.local.j2 +++ b/fail2ban/templates/jail.local.j2 @@ -3,7 +3,7 @@ [DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host -ignoreip = {{ (['127.0.0.1/8'] + fail2ban_ignoreip) | join(' ') }} +ignoreip = {{ (['127.0.0.1/8'] + fail2ban_ignore_ips) | join(' ') }} bantime = 600 maxretry = 3 From 3b93ba07687873516578f51cf4c1562b479b783a Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 19 Jul 2017 11:39:38 +0200 Subject: [PATCH 092/277] fail2ban: install local jail before starting --- fail2ban/tasks/main.yml | 31 ++++++++++++++++++++++--------- 1 file changed, 22 insertions(+), 9 deletions(-) diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml index b5583a98..b9df04ca 100644 --- a/fail2ban/tasks/main.yml +++ b/fail2ban/tasks/main.yml @@ -1,4 +1,26 @@ --- +# We have to copy the local jail before installing the package +# or we risk being jailed by fail2ban + +- name: Prepare /etc/fail2ban + file: + path: /etc/fail2ban + state: directory + owner: root + group: root + mode: "0755" + tags: + - fail2ban + +- name: local jail is installed + template: + src: jail.local.j2 + dest: /etc/fail2ban/jail.local + mode: "0644" + notify: restart fail2ban + tags: + - fail2ban + - name: package is installed apt: name: fail2ban @@ -18,12 +40,3 @@ notify: restart fail2ban tags: - fail2ban - -- name: local jail is installed - template: - src: jail.local.j2 - dest: /etc/fail2ban/jail.local - mode: "0644" - notify: restart fail2ban - tags: - - fail2ban From 44c679eb645b37eec9c07b181eeb19a2879eea19 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 19 Jul 2017 11:54:01 +0200 Subject: [PATCH 093/277] admin_users: fix logic error --- admin-users/tasks/adduser_debian.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/admin-users/tasks/adduser_debian.yml b/admin-users/tasks/adduser_debian.yml index 9fca4725..5c16f385 100644 --- a/admin-users/tasks/adduser_debian.yml +++ b/admin-users/tasks/adduser_debian.yml @@ -16,7 +16,7 @@ shell: /bin/bash password: '{{ user.password_hash }}' update_password: on_create - when: uidisbusy.rc == 0 + when: uidisbusy.rc != 0 - name: "Add Unix account with random uid for '{{ user.name }}'" user: @@ -26,7 +26,7 @@ shell: /bin/bash password: '{{ user.password_hash }}' update_password: on_create - when: uidisbusy.rc != 0 + when: uidisbusy.rc == 0 - name: "Fix perms on homedirectory for '{{ user.name }}'" file: From 4099d2a3a413cfc0335cba8710204e6afd9c6eec Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 19 Jul 2017 11:55:04 +0200 Subject: [PATCH 094/277] fail2ban: the local jail should not be overwritten --- fail2ban/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml index b9df04ca..cf366539 100644 --- a/fail2ban/tasks/main.yml +++ b/fail2ban/tasks/main.yml @@ -18,6 +18,7 @@ dest: /etc/fail2ban/jail.local mode: "0644" notify: restart fail2ban + force: no tags: - fail2ban From da4b7ca41a41618bb004ef528c7671b4fbf258be Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 19 Jul 2017 11:55:58 +0200 Subject: [PATCH 095/277] apache: disable GoAway criteria --- apache/files/evolinux-defaults.conf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apache/files/evolinux-defaults.conf b/apache/files/evolinux-defaults.conf index af2b4089..6e7aaeda 100644 --- a/apache/files/evolinux-defaults.conf +++ b/apache/files/evolinux-defaults.conf @@ -12,5 +12,6 @@ MaxRequestsPerChild 0 AllowOverride None Require all granted - Require not env GoAway + # "Require not env XXX" is not supported + # Deny from env=GoAway From 030425d9f817d3da08a0ff6c24f9d8b176d7e60f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 19 Jul 2017 12:06:19 +0200 Subject: [PATCH 096/277] fail2ban: unindent notify attribute --- fail2ban/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml index cf366539..7a47a0ce 100644 --- a/fail2ban/tasks/main.yml +++ b/fail2ban/tasks/main.yml @@ -17,8 +17,8 @@ src: jail.local.j2 dest: /etc/fail2ban/jail.local mode: "0644" - notify: restart fail2ban force: no + notify: restart fail2ban tags: - fail2ban From 987e35f104985c72fbba8c9c90104607213c38dd Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 19 Jul 2017 12:08:06 +0200 Subject: [PATCH 097/277] admin-users: better grep for AllowUsers detection Now it behaves correctly if the directive exists, but commented --- admin-users/tasks/adduser_debian.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/admin-users/tasks/adduser_debian.yml b/admin-users/tasks/adduser_debian.yml index 5c16f385..bcf24a0f 100644 --- a/admin-users/tasks/adduser_debian.yml +++ b/admin-users/tasks/adduser_debian.yml @@ -63,13 +63,12 @@ state: present - name: verify AllowUsers directive - command: "grep AllowUsers /etc/ssh/sshd_config" + command: "egrep '^\s+AllowUsers' /etc/ssh/sshd_config" changed_when: False failed_when: False register: grep_allowusers_ssh check_mode: no - - name: "Add AllowUsers sshd directive for '{{ user.name }}'" lineinfile: dest: /etc/ssh/sshd_config From 43e9f69314ae73012165633dbc530e91b6c3d780 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 19 Jul 2017 12:33:35 +0200 Subject: [PATCH 098/277] admin-users: double-escape, dream hands !! --- admin-users/tasks/adduser_debian.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/admin-users/tasks/adduser_debian.yml b/admin-users/tasks/adduser_debian.yml index bcf24a0f..93a869cf 100644 --- a/admin-users/tasks/adduser_debian.yml +++ b/admin-users/tasks/adduser_debian.yml @@ -62,8 +62,9 @@ key: "{{ user.ssh_key }}" state: present +# we must double-escape caracters, because python - name: verify AllowUsers directive - command: "egrep '^\s+AllowUsers' /etc/ssh/sshd_config" + command: "egrep '^\\s+AllowUsers' /etc/ssh/sshd_config" changed_when: False failed_when: False register: grep_allowusers_ssh From adc3bd7a9337266dd7a239fa3e07e10f23140e66 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 19 Jul 2017 13:49:08 +0200 Subject: [PATCH 099/277] Fix ssh LogLevel * the directive can be present but commented * the version comparison was wrong --- evolinux-base/tasks/ssh.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/evolinux-base/tasks/ssh.yml b/evolinux-base/tasks/ssh.yml index ddfbd38c..d74dcef3 100644 --- a/evolinux-base/tasks/ssh.yml +++ b/evolinux-base/tasks/ssh.yml @@ -44,11 +44,11 @@ - name: Set log level to verbose (for Debian >= 9) replace: dest: /etc/ssh/sshd_config - regexp: '^LogLevel [A-Z]+' + regexp: '^#?LogLevel [A-Z]+' replace: "LogLevel VERBOSE" notify: reload sshd when: - ansible_distribution == "Debian" - - ansible_distribution_major_version | version_compare('9.0', '>=') + - ansible_distribution_major_version | version_compare('9', '>=') - meta: flush_handlers From 6106a0a8f557f5ed726925ddb7e7e6b2f96dbb9b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 19 Jul 2017 13:54:18 +0200 Subject: [PATCH 100/277] admin-users: fix AllowUsers * the command module was doing weird escaping, let's use the shell module * insert after a more appropriate position --- admin-users/tasks/adduser_debian.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/admin-users/tasks/adduser_debian.yml b/admin-users/tasks/adduser_debian.yml index 93a869cf..87899375 100644 --- a/admin-users/tasks/adduser_debian.yml +++ b/admin-users/tasks/adduser_debian.yml @@ -64,7 +64,7 @@ # we must double-escape caracters, because python - name: verify AllowUsers directive - command: "egrep '^\\s+AllowUsers' /etc/ssh/sshd_config" + shell: "egrep '^AllowUsers' /etc/ssh/sshd_config" changed_when: False failed_when: False register: grep_allowusers_ssh @@ -74,7 +74,7 @@ lineinfile: dest: /etc/ssh/sshd_config line: "\nAllowUsers {{ user.name }}" - insertafter: '^UsePAM' + insertafter: '^# ForceCommand cvs server' validate: '/usr/sbin/sshd -T -f %s' notify: reload sshd when: grep_allowusers_ssh.rc != 0 From dac4276cadb1f949f8fe08c6238e7c756f66715a Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 19 Jul 2017 13:57:23 +0200 Subject: [PATCH 101/277] Move ansible-managed to a feature branch --- ansible-managed/.kitchen.yml | 28 ---------------------------- ansible-managed/README.md | 11 ----------- ansible-managed/defaults/main.yml | 2 -- ansible-managed/tasks/main.yml | 6 ------ ansible-managed/templates/motd.j2 | 4 ---- ansible-managed/tests/test.yml | 4 ---- 6 files changed, 55 deletions(-) delete mode 100644 ansible-managed/.kitchen.yml delete mode 100644 ansible-managed/README.md delete mode 100644 ansible-managed/defaults/main.yml delete mode 100644 ansible-managed/tasks/main.yml delete mode 100644 ansible-managed/templates/motd.j2 delete mode 100644 ansible-managed/tests/test.yml diff --git a/ansible-managed/.kitchen.yml b/ansible-managed/.kitchen.yml deleted file mode 100644 index b21cc3db..00000000 --- a/ansible-managed/.kitchen.yml +++ /dev/null @@ -1,28 +0,0 @@ ---- -driver: - name: docker - privileged: true - use_sudo: false - -provisioner: - name: ansible_playbook - hosts: test-kitchen - roles_path: ../ - ansible_verbose: true - require_ansible_source: false - require_chef_for_busser: false - idempotency_test: true - -platforms: - - name: debian - driver_config: - image: evolix/ansible:2.2.1 - -suites: - - name: default - provisioner: - name: ansible_playbook - playbook: ./tests/test.yml - -transport: - max_ssh_sessions: 6 diff --git a/ansible-managed/README.md b/ansible-managed/README.md deleted file mode 100644 index 5b0f0e9c..00000000 --- a/ansible-managed/README.md +++ /dev/null @@ -1,11 +0,0 @@ -# ansible-managed - -Set some indications that the server is managed by Ansible and extra care yshould be given not no mess with it manually. - -## Tasks - -Everything is in the `tasks/main.yml` file. - -## Available variables - -* `project_repository` : project URL for the repository. diff --git a/ansible-managed/defaults/main.yml b/ansible-managed/defaults/main.yml deleted file mode 100644 index 7d7ef4da..00000000 --- a/ansible-managed/defaults/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -project_repository: "/!\\ No repository set, contact Evolix" diff --git a/ansible-managed/tasks/main.yml b/ansible-managed/tasks/main.yml deleted file mode 100644 index 16e7b0d4..00000000 --- a/ansible-managed/tasks/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: Set message of the day - template: - src: motd.j2 - dest: /etc/motd - force: yes diff --git a/ansible-managed/templates/motd.j2 b/ansible-managed/templates/motd.j2 deleted file mode 100644 index 58b468d2..00000000 --- a/ansible-managed/templates/motd.j2 +++ /dev/null @@ -1,4 +0,0 @@ - -SERVER MANAGED BY EVOLIX VIA ANSIBLE ------------------------------------- -{{ project_repository | mandatory }} diff --git a/ansible-managed/tests/test.yml b/ansible-managed/tests/test.yml deleted file mode 100644 index f6e76a31..00000000 --- a/ansible-managed/tests/test.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- hosts: test-kitchen - roles: - - role: ansible-managed From 360dacf9d843ba9ba3bb10284b54d01f16e7589f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 19 Jul 2017 14:17:10 +0200 Subject: [PATCH 102/277] evocheck: don't fail, just print stdout --- evocheck/tasks/exec.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/evocheck/tasks/exec.yml b/evocheck/tasks/exec.yml index bee39ab9..244d0347 100644 --- a/evocheck/tasks/exec.yml +++ b/evocheck/tasks/exec.yml @@ -3,13 +3,13 @@ command: "{{ evocheck_bin_dir }}/evocheck.sh" register: evocheck_run changed_when: False - failed_when: evocheck_run.stdout != "" + failed_when: False check_mode: no tags: - evocheck-exec - debug: - var: evocheck_run - verbosity: 1 + var: evocheck_run.stdout_lines + when: evocheck_run.stdout != "" tags: - evocheck-exec From 6f566533a30a38458d37656cd2fd051fdd6ecda5 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 19 Jul 2017 14:36:30 +0200 Subject: [PATCH 103/277] evocheck: don't install by default (but possible) --- evocheck/README.md | 8 +++++++- evocheck/defaults/main.yml | 1 + evocheck/tasks/install_local.yml | 29 ++++++++++++++++++++++++++++ evocheck/tasks/install_package.yml | 5 +++++ evocheck/tasks/main.yml | 31 ++++-------------------------- 5 files changed, 46 insertions(+), 28 deletions(-) create mode 100644 evocheck/tasks/install_local.yml create mode 100644 evocheck/tasks/install_package.yml diff --git a/evocheck/README.md b/evocheck/README.md index b4438d3f..4a0e80de 100644 --- a/evocheck/README.md +++ b/evocheck/README.md @@ -4,7 +4,8 @@ Install and run evocheck ; a script for checking various settings automatically. ## Tasks -The tasks in `main.yml` install the script. This is temporary as evocheck is a package on Debian which is a bit outdated for the moment. For OpenBSD, it should also be packaged, but the work is not done yet. +The roles does not install evocheck by default as it should be installed through dependencies. +For OpenBSD, it should be packaged, but the work is not done yet. A separate `exec.yml` file can be imported manually in playbooks or roles to execute the script. Example : @@ -13,3 +14,8 @@ A separate `exec.yml` file can be imported manually in playbooks or roles to exe name: evocheck tasks_from: exec.yml ``` +## Variables + +We can force install via : +* `evocheck_force_install: local` : will copy the script provided by the role +* `evocheck_force_install: package` : will install the package via repositories diff --git a/evocheck/defaults/main.yml b/evocheck/defaults/main.yml index 8160768d..565849e3 100644 --- a/evocheck/defaults/main.yml +++ b/evocheck/defaults/main.yml @@ -1,2 +1,3 @@ --- +evocheck_force_install: False evocheck_bin_dir: /usr/share/scripts diff --git a/evocheck/tasks/install_local.yml b/evocheck/tasks/install_local.yml new file mode 100644 index 00000000..d98ce0ae --- /dev/null +++ b/evocheck/tasks/install_local.yml @@ -0,0 +1,29 @@ +--- +- include: remount_usr_rw.yml + when: evocheck_bin_dir | search ("/usr") + +- name: Scripts dir is present + file: + path: "{{ evocheck_bin_dir }}" + state: directory + owner: root + group: root + mode: "0700" + +- name: Copy evocheck.sh + copy: + src: evocheck.sh + dest: "{{ evocheck_bin_dir }}/evocheck.sh" + mode: "0700" + owner: root + force: yes + tags: + - evocheck + +- name: Copy evocheck.cf + copy: + src: evocheck.cf + dest: /etc/evocheck.cf + force: no + tags: + - evocheck diff --git a/evocheck/tasks/install_package.yml b/evocheck/tasks/install_package.yml new file mode 100644 index 00000000..7a2f875e --- /dev/null +++ b/evocheck/tasks/install_package.yml @@ -0,0 +1,5 @@ +--- +- name: install evocheck from package + apt: + name: evocheck + state: installed diff --git a/evocheck/tasks/main.yml b/evocheck/tasks/main.yml index ad6d8b4e..769dbbfe 100644 --- a/evocheck/tasks/main.yml +++ b/evocheck/tasks/main.yml @@ -1,30 +1,7 @@ --- -- include: remount_usr_rw.yml - when: evocheck_bin_dir | search ("/usr") +- include: install_local.yml + when: evocheck_force_install == "local" -- name: Scripts dir is present - file: - path: "{{ evocheck_bin_dir }}" - state: directory - owner: root - group: root - mode: "0700" - -- name: Copy evocheck.sh - copy: - src: evocheck.sh - dest: "{{ evocheck_bin_dir }}/evocheck.sh" - mode: "0700" - owner: root - force: yes - tags: - - evocheck - -- name: Copy evocheck.cf - copy: - src: evocheck.cf - dest: /etc/evocheck.cf - force: no - tags: - - evocheck +- include: install_package.yml + when: evocheck_force_install == "package" From 64a134355bac5cd7a9cd6dbf2bf3d2b47a0be271 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Wed, 19 Jul 2017 16:03:36 +0200 Subject: [PATCH 104/277] evolinux-base: override logmail service --- evolinux-base/files/log2mail.service | 14 ++++++++++++++ evolinux-base/tasks/log2mail.yml | 18 ++++++++++++++++++ evolinux-base/tasks/main.yml | 4 ++++ 3 files changed, 36 insertions(+) create mode 100644 evolinux-base/files/log2mail.service create mode 100644 evolinux-base/tasks/log2mail.yml diff --git a/evolinux-base/files/log2mail.service b/evolinux-base/files/log2mail.service new file mode 100644 index 00000000..e941cdb9 --- /dev/null +++ b/evolinux-base/files/log2mail.service @@ -0,0 +1,14 @@ +[Unit] +Description=Daemon watching logfiles and mailing lines matching patterns +After=network.target + +[Service] +Type=forking +ExecStart=/usr/sbin/log2mail -- -f /etc/log2mail/config +KillMode=control-group +Restart=always +User=log2mail +Group=adm + +[Install] +WantedBy=multi-user.target diff --git a/evolinux-base/tasks/log2mail.yml b/evolinux-base/tasks/log2mail.yml new file mode 100644 index 00000000..126bc48e --- /dev/null +++ b/evolinux-base/tasks/log2mail.yml @@ -0,0 +1,18 @@ +--- +- name: Deploy log2mail systemd unit + copy: + src: log2mail.service + dest: /etc/systemd/system/log2mail.service + mode: "0644" + +- name: Remove log2mail sysvinit service + file: + path: /etc/init.d/log2mail + state: absent + +- name: Enable and start log2mail service + systemd: + name: log2mail + daemon-reload: yes + state: restarted + enabled: yes diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml index 44eb7f70..8514d7f0 100644 --- a/evolinux-base/tasks/main.yml +++ b/evolinux-base/tasks/main.yml @@ -54,3 +54,7 @@ - name: Customize for Orange FCE include: provider_orange_fce.yml when: evolinux_provider_orange_fce_include + +- name: Override Logmail service + include: log2mail.yml + when: evolinux_packages_serveur_base From af1045d788b13dc34d78ec3e6dc3216523fd46a8 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Wed, 19 Jul 2017 17:20:44 +0200 Subject: [PATCH 105/277] nagios-nrpe: add check_clamav_db to defaults check --- nagios-nrpe/templates/evolix.cfg.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2 index e2c01f45..45223167 100644 --- a/nagios-nrpe/templates/evolix.cfg.j2 +++ b/nagios-nrpe/templates/evolix.cfg.j2 @@ -44,6 +44,7 @@ command[check_tomcat-ajp13]=/usr/lib/nagios/plugins/check_tcp -p 8009 command[check_proxy]=/usr/lib/nagios/plugins/check_http -H {{ nagios_nrpe_check_proxy_host }} command[check_redis]=/usr/lib/nagios/plugins/check_tcp -p 6379 command[check_clamd]=/usr/lib/nagios/plugins/check_clamd -H /var/run/clamav/clamd.ctl -v +command[check_clamav_db]=/usr/lib/nagios/plugins/check_file_age -w 86400 -c 172800 -f /var/lib/clamav/evolix.ndb command[check_ssl]=/usr/lib/nagios/plugins/check_http -f follow -I 127.0.0.1 -S -p 443 -H ssl.evolix.net -C 15,5 command[check_elasticsearch]=/usr/lib/nagios/plugins/check_http -I 127.0.0.1 -u /_cat/health?h=st -p 9200 -r 'red' --invert-regex command[check_memcached]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 11211 From 499b2c7deff1b906ec7b8951d10c406f69cafbd6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beno=C3=AEt=20S=C3=89RIE?= Date: Thu, 20 Jul 2017 10:43:13 +0200 Subject: [PATCH 106/277] Added a perl mandatory package If not installed: install_driver(mysql) failed: Can't locate DBD/mysql.pm in @INC (you may need to install the DBD::mysql module) --- mysql/tasks/munin.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/mysql/tasks/munin.yml b/mysql/tasks/munin.yml index 59560867..13e48223 100644 --- a/mysql/tasks/munin.yml +++ b/mysql/tasks/munin.yml @@ -10,10 +10,13 @@ - munin - block: - - name: Install libcache-cache-perl for Munin + - name: Install perl mandatory packages for Munin's MariaDB plugins apt: - name: libcache-cache-perl + name: "{{ item }}" state: present + with_items: + - libdbd-mysql-perl + - libcache-cache-perl - name: Enable core Munin plugins file: From 6e38890808587d4dec268f577a1ae4ceb0990c9f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 20 Jul 2017 18:21:46 +0200 Subject: [PATCH 107/277] java8: fix install on stretch --- java8/tasks/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/java8/tasks/main.yml b/java8/tasks/main.yml index f206b2f3..22107bd5 100644 --- a/java8/tasks/main.yml +++ b/java8/tasks/main.yml @@ -14,7 +14,6 @@ name: openjdk-8-jre default_release: "{{ java8_apt_release }}" state: present - when: ansible_distribution_release == "jessie" tags: - java - packages From b4bfccd7ebef9e1caf0cea925b3bb359e1db9182 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Sat, 22 Jul 2017 07:57:46 +0200 Subject: [PATCH 108/277] no fail when admin_users is empty because we want keep easy the usability --- admin-users/tasks/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/admin-users/tasks/main.yml b/admin-users/tasks/main.yml index 11800373..50c43468 100644 --- a/admin-users/tasks/main.yml +++ b/admin-users/tasks/main.yml @@ -1,14 +1,14 @@ --- -- fail: - msg: "Error: empty variable 'admin_users'!" +- debug: + msg: "Warning: empty variable 'admin_users' admin-users tasks will skipped!" when: admin_users == {} - include: adduser_debian.yml vars: user: "{{ item.value }}" with_dict: "{{ admin_users }}" - when: ansible_distribution == "Debian" + when: ansible_distribution == "Debian" and admin_users != {} # - include: adduser_openbsd.yml user={{ item.value }} # with_dict: "{{ admin_users }}" From bbb0e579a676e7151a796f74285bb4ba1f4526b9 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Sat, 22 Jul 2017 08:19:14 +0200 Subject: [PATCH 109/277] Fix #2154 : we don't need lsb-invalid-mta and package is not anymore in stretch --- evolinux-base/tasks/packages.yml | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/evolinux-base/tasks/packages.yml b/evolinux-base/tasks/packages.yml index 9ef40229..399f3f8f 100644 --- a/evolinux-base/tasks/packages.yml +++ b/evolinux-base/tasks/packages.yml @@ -89,20 +89,6 @@ line: 'SENDMAILTO="{{ logcheck_alert_email or general_alert_email | mandatory }}"' when: evolinux_packages_logcheck_recipient -- name: is an MTA installed? - command: "dpkg -S /usr/sbin/sendmail" - check_mode: no - - register: mta_installed - failed_when: False - changed_when: False - -- name: Install lsb-invalid-mta - apt: - name: lsb-invalid-mta - when: evolinux_packages_invalid_mta and mta_installed.rc != 0 - - - name: Deleting rpcbin and nfs-common apt: name: "{{ item }}" From 3b78613b2ed52fdd350c07926a5ebdfcca0d3b31 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Sat, 22 Jul 2017 18:40:00 +0200 Subject: [PATCH 110/277] Big review of role Bind, sync with https://wiki.evolix.org/HowtoBind --- bind/README.md | 2 + bind/defaults/main.yml | 7 +- bind/files/chroot-bind.sh | 76 +++++ bind/handlers/main.yml | 4 +- bind/tasks/main.yml | 264 ++++++------------ bind/tasks/munin.yml | 11 +- bind/templates/bind9.service.j2 | 2 - bind/templates/logrotate_bind | 10 + bind/templates/logrotate_bind_chroot.j2 | 10 + .../{bind9.j2 => munin-env_bind9.j2} | 2 +- bind/templates/named.conf.options.j2 | 58 ---- .../named.conf.options_authoritative.j2 | 35 +++ .../templates/named.conf.options_recursive.j2 | 16 ++ 13 files changed, 256 insertions(+), 241 deletions(-) create mode 100644 bind/files/chroot-bind.sh create mode 100644 bind/templates/logrotate_bind create mode 100644 bind/templates/logrotate_bind_chroot.j2 rename bind/templates/{bind9.j2 => munin-env_bind9.j2} (60%) delete mode 100644 bind/templates/named.conf.options.j2 create mode 100644 bind/templates/named.conf.options_authoritative.j2 create mode 100644 bind/templates/named.conf.options_recursive.j2 diff --git a/bind/README.md b/bind/README.md index a802498e..53f693a8 100644 --- a/bind/README.md +++ b/bind/README.md @@ -9,3 +9,5 @@ Minimal configuration is in `tasks/main.yml` ## Available variables The full list of variables (with default values) can be found in `defaults/main.yml`. + +waening : sync chroot-bind.sh diff --git a/bind/defaults/main.yml b/bind/defaults/main.yml index 52c6ac66..b7bc2090 100644 --- a/bind/defaults/main.yml +++ b/bind/defaults/main.yml @@ -1,6 +1,9 @@ --- +bind_recursive_server: False +bind_authoritative_server: True +bind_chroot_set: True +bind_chroot_path: /var/chroot-bind bind_systemd_service_path: /etc/systemd/system/bind9.service -bind_chroot_root: /var/chroot-bind bind_statistics_file: /var/run/named.stats bind_log_file: /var/log/bind.log -bind_query_file: /var/log/query.log +bind_query_file: /var/log/bind_queries.log diff --git a/bind/files/chroot-bind.sh b/bind/files/chroot-bind.sh new file mode 100644 index 00000000..08c665e8 --- /dev/null +++ b/bind/files/chroot-bind.sh @@ -0,0 +1,76 @@ +#!/bin/sh + +# Gregory Colpart +# chroot (or re-chroot) script for bind9 + +# tested on Debian Wheezy/Jessie/Stretch +# Exec this script after `(apt-get|aptitude|apt) install bind9` +# and after *each* bind9 upgrade + +# When the script is finished, ensure you have +# 'OPTIONS="-u bind -t /var/chroot-bind"' in /etc/default/bind9 +# and /etc/init.d/bind9 (re)start +# +# for Jessie/systemd only: +# cp -a /lib/systemd/system/bind9.service /etc/systemd/system/ +# and modify section [Service] to have : +# EnvironmentFile=-/etc/default/bind9 +# ExecStart=/usr/sbin/named -f $OPTIONS + +# essential dirs +mkdir -p /var/chroot-bind +mkdir -p /var/chroot-bind/bin /var/chroot-bind/dev /var/chroot-bind/etc \ + /var/chroot-bind/lib /var/chroot-bind/usr/lib \ + /var/chroot-bind/usr/sbin /var/chroot-bind/var/cache/bind \ + /var/chroot-bind/var/log /var/chroot-bind/var/run/named/ \ + /var/chroot-bind/run/named/ + +# for conf +if [ ! -h "/etc/bind" ]; then + mv /etc/bind/ /var/chroot-bind/etc/ + ln -s /var/chroot-bind/etc/bind/ /etc/bind +fi + +# for logs +touch /var/chroot-bind/var/log/bind.log +if [ ! -h "/var/log/bind.log" ]; then + ln -s /var/chroot-bind/var/log/bind.log /var/log/bind.log +fi + +# for pid +if [ -f "/var/run/named/named.pid" ]; then + cat /var/run/named/named.pid > /var/chroot-bind/var/run/named/named.pid + rm -f /var/run/named/named.pid +fi + +if [ ! -e "/var/chroot-bind/dev/random" ]; then + mknod /var/chroot-bind/dev/random c 1 8 + chmod 666 /var/chroot-bind/dev/random +fi + +if [ ! -e "/var/chroot-bind/dev/urandom" ]; then + mknod /var/chroot-bind/dev/urandom c 1 9 + chmod 666 /var/chroot-bind/dev/urandom +fi + +# essential dev (hum, null is required ??) +#mknod /var/chroot-bind/dev/null c 1 3 +#chmod 666 /var/chroot-bind/dev/{null,random} + +# essential libs +for i in `ldd $(which named) | grep -v linux-vdso.so.1 | cut -d">" -f2 | cut -d"(" -f1` \ + /usr/lib/x86_64-linux-gnu/openssl-1.0.*/engines/libgost.so ; do + install -D $i /var/chroot-bind/${i##/} +done + +# essential (hum, bash is required ??) +#cp /bin/bash /var/chroot-bind/bin/ +cp /usr/sbin/named /var/chroot-bind/usr/sbin/ + +# minimal passwd & group file (hum, is required ??) +#grep "bind\|root" /etc/passwd > /var/chroot-bind/etc/passwd +#grep "bind\|root" /etc/group > /var/chroot-bind/etc/group + +# just bind +chown -R bind.bind /var/chroot-bind/ + diff --git a/bind/handlers/main.yml b/bind/handlers/main.yml index 4bc9719f..1eee71f6 100644 --- a/bind/handlers/main.yml +++ b/bind/handlers/main.yml @@ -1,4 +1,7 @@ --- +- name: reload systemd + command: systemctl daemon-reload + - name: restart bind service: name: bind9 @@ -9,4 +12,3 @@ name: munin-node state: restarted - diff --git a/bind/tasks/main.yml b/bind/tasks/main.yml index dc74029f..1d190135 100644 --- a/bind/tasks/main.yml +++ b/bind/tasks/main.yml @@ -1,24 +1,40 @@ -- name: Ensure bind9 installed +- name: package are installed apt: - name: bind9 + name: '{{ item }}' state: present + with_items: + - bind9 + - dnstop -- name: Set bind configuration +- name: Set bind configuration for recursive server template: - src: named.conf.options.j2 + src: named.conf.options_recursive.j2 dest: /etc/bind/named.conf.options owner: bind group: bind mode: "0644" force: yes notify: restart bind + when: bind_recursive_server -- name: Modify OPTIONS in /etc/default/bind9 - replace: - dest: /etc/default/bind9 - regexp: '^OPTIONS=.*' - replace: 'OPTIONS="-u bind -t {{ bind_chroot_root }}"' +- name: enable zones.rfc1918 for recursive server + lineinfile: + dest: /etc/bind/named.conf.local + line: 'include "/etc/bind/zones.rfc1918";' + regexp: "zones.rfc1918" notify: restart bind + when: bind_recursive_server + +- name: Set bind configuration for authoritative server + template: + src: named.conf.options_authoritative.j2 + dest: /etc/bind/named.conf.options + owner: bind + group: bind + mode: "0644" + force: yes + notify: restart bind + when: bind_authoritative_server - name: Create systemd service template: @@ -28,174 +44,78 @@ group: root mode: "0644" force: yes - notify: restart bind + notify: + - reload systemd + - restart bind + when: ansible_distribution_release == "jessie" -- name: Create directories +- name: touch /var/log/bind.log if non chroot file: - path: "{{ bind_chroot_root }}/{{ item }}" - state: directory + path: /var/log/bind.log owner: bind - group: bind - mode: "0700" - recurse: no - with_items: - - bin - - dev - - etc - - lib - - usr/lib - - usr/sbin - - var/cache/bind - - var/log - - var/run/bind/run - register: create_bind_dir - notify: restart bind - -- name: Stat /etc/bind - stat: - path: "/etc/bind" - check_mode: no - register: etc_bind - -- name: Move /etc/bind in chroot - command: "mv /etc/bind/ {{ bind_chroot_root }}/etc/" - when: etc_bind.stat.exists and not etc_bind.stat.islnk - notify: restart bind - -- name: Create symlink - file: - src: "{{ bind_chroot_root }}/etc/bind" - dest: "/etc/bind" - state: link - notify: restart bind - -- name: is there a log file? - stat: - path: "{{ bind_chroot_root }}/var/log/bind.log" - register: bind_log - -- name: create log file - file: - path: "{{ bind_chroot_root }}/var/log/bind.log" - state: touch - when: not bind_log.stat.exists - -- name: verify log file permissions - file: - path: "{{ bind_chroot_root }}/var/log/bind.log" - owner: bind - group: bind + group: adm mode: "0640" - state: file + state: touch + when: bind_chroot_set == False -- name: Create log symlink +- name: touch /var/log/bind_queries.log if non chroot file: - src: "{{ bind_chroot_root }}/var/log/bind.log" - dest: "/var/log/bind.log" - state: link - notify: restart bind - -- name: Create run directory - file: - path: "/var/run/bind/run" - state: directory - owner: root - group: bind - mode: "0770" - recurse: yes - notify: restart bind - -- name: "Stat var/run/bind/run/named in chroot" - stat: - path: "{{ bind_chroot_root }}/var/run/bind/run/named" - check_mode: no - register: named_run - -- name: "Clean var/run/bind/run/named in chroot" - file: - path: "{{ bind_chroot_root }}/var/run/bind/run/named" - state: absent - when: named_run.stat.exists and named_run.stat.isdir - -- name: Clean /var/run/bind/run/named.pid - file: - path: "/var/run/bind/run/named.pid" - state: absent - when: named_run.stat.exists and named_run.stat.isdir - -- name: Stat /var/run/bind/run/named.pid - stat: - path: "/var/run/bind/run/named.pid" - check_mode: no - register: named_pid - -- name: Cat pid content - command: "cat /var/run/bind/run/named.pid > {{ bind_chroot_root }}/var/run/bind/run/named.pid" - when: named_pid.stat.exists and named_pid.stat.isreg and not named_pid.stat.islnk - -- name: Clean /var/run/bind/run/named.pid - file: - path: "/var/run/bind/run/named.pid" - state: absent - when: named_pid.stat.exists and named_pid.stat.isreg and not named_pid.stat.islnk - -- name: Clean /var/run/bind/run/named.pid - file: - path: "/var/run/bind/run/named.pid" - state: absent - when: named_pid.stat.exists and not named_pid.stat.islnk - -- name: Create pid symlink in chroot - file: - src: "{{ bind_chroot_root }}/var/run/bind/run/named.pid" - dest: "/var/run/bind/run/named.pid" - state: link - when: named_pid.stat.exists and not named_pid.stat.islnk - notify: restart bind - -- name: "Stat dev/random in chroot" - stat: - path: "{{ bind_chroot_root }}/dev/random" - check_mode: no - register: named_random - -- name: clean dev/random in chroot - shell: "mv {{ bind_chroot_root }}/dev/random {{ bind_chroot_root }}/dev/random.$(date +%s)" - when: named_random.stat.exists and not named_random.stat.ischr - -- name: mknod dev/random in chroot - command: "mknod -m 666 {{ bind_chroot_root }}/dev/random c 1 3" - args: - creates: "{{ bind_chroot_root }}/dev/random" - notify: restart bind - -- name: get essential libraries - shell: 'ldd $(which named) | grep -v linux-vdso.so.1 | cut -d">" -f2 | cut -d"(" -f1 | grep -oE "\S+"' - register: bind_ldd - check_mode: no - changed_when: False - -- name: copy essential libs - command: "install -D {{ item }} {{ bind_chroot_root }}{{ item }}" - args: - creates: "{{ bind_chroot_root }}{{ item }}" - with_items: - - "{{ bind_ldd.stdout_lines }}" - - /usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so - register: install_libraries - notify: restart bind - -- name: Copy bind - copy: - src: /usr/sbin/named - dest: "{{ bind_chroot_root }}/usr/sbin/" - remote_src: True - notify: restart bind - -- name: Set the good rights - file: - path: "{{ bind_chroot_root }}" + path: /var/log/bind_queries.log owner: bind - group: bind - recurse: yes + group: adm + mode: "0640" + state: touch + when: bind_authoritative_server and bind_chroot_set == False + +- name: send chroot-bind.sh in /root + copy: + src: chroot-bind.sh + dest: /root/chroot-bind.sh + mode: "0700" + owner: root + force: yes + backup: yes + when: bind_chroot_set + +- name: exec chroot-bind.sh + command: "/root/chroot-bind.sh" + register: chrootbind_run + changed_when: False + check_mode: no + when: bind_chroot_set + +- debug: + var: chrootbind_run.stdout_lines + when: bind_chroot_set and chrootbind_run.stdout != "" + +- name: Modify OPTIONS in /etc/default/bind9 for chroot + replace: + dest: /etc/default/bind9 + regexp: '^OPTIONS=.*' + replace: 'OPTIONS="-u bind -t {{ bind_chroot_path }}"' notify: restart bind + when: bind_chroot_set + +- name: logrotate for non chroot bind + template: + src: logrotate_bind + dest: /etc/logrotate.d/bind + owner: root + group: root + mode: "0644" + force: yes + notify: restart bind + when: bind_chroot_set == False + +- name: logrotate for chroot bind + template: + src: logrotate_bind_chroot.j2 + dest: /etc/logrotate.d/bind + owner: root + group: root + mode: "0644" + force: yes + notify: restart bind + when: bind_chroot_set + + diff --git a/bind/tasks/munin.yml b/bind/tasks/munin.yml index 98f275cf..a31e6b06 100644 --- a/bind/tasks/munin.yml +++ b/bind/tasks/munin.yml @@ -8,6 +8,7 @@ tags: - bind - munin + when: bind_authoritative_server - name: Enable munin plugins file: @@ -17,22 +18,22 @@ with_items: - bind9 - bind9_rndc - notify: restart munin - when: munin_node_plugins_config.stat.exists + notify: restart munin-node + when: bind_authoritative_server and munin_node_plugins_config.stat.exists tags: - bind - munin - name: Add munin plugin configuration template: - src: bind9.j2 + src: munin-env_bind9.j2 dest: /etc/munin/plugin-conf.d/bind9 owner: root group: root mode: "0644" force: yes - notify: restart munin - when: munin_node_plugins_config.stat.exists + notify: restart munin-node + when: bind_authoritative_server and munin_node_plugins_config.stat.exists tags: - bind - munin diff --git a/bind/templates/bind9.service.j2 b/bind/templates/bind9.service.j2 index e0906300..f43d448b 100644 --- a/bind/templates/bind9.service.j2 +++ b/bind/templates/bind9.service.j2 @@ -1,5 +1,3 @@ -# {{ ansible_managed }} - [Unit] Description=BIND Domain Name Server Documentation=man:named(8) diff --git a/bind/templates/logrotate_bind b/bind/templates/logrotate_bind new file mode 100644 index 00000000..d1471fcb --- /dev/null +++ b/bind/templates/logrotate_bind @@ -0,0 +1,10 @@ +/var/log/bind.log { + weekly + missingok + rotate 8 + create 640 bind bind + sharedscripts + postrotate + rndc reload > /dev/null + endscript +} diff --git a/bind/templates/logrotate_bind_chroot.j2 b/bind/templates/logrotate_bind_chroot.j2 new file mode 100644 index 00000000..5db5d494 --- /dev/null +++ b/bind/templates/logrotate_bind_chroot.j2 @@ -0,0 +1,10 @@ +{{ bind_chroot_path }}/var/log/bind.log { + weekly + missingok + rotate 52 + create 640 bind bind + sharedscripts + postrotate + rndc reload > /dev/null + endscript +} diff --git a/bind/templates/bind9.j2 b/bind/templates/munin-env_bind9.j2 similarity index 60% rename from bind/templates/bind9.j2 rename to bind/templates/munin-env_bind9.j2 index 9c62388d..f1d4b41e 100644 --- a/bind/templates/bind9.j2 +++ b/bind/templates/munin-env_bind9.j2 @@ -1,6 +1,6 @@ [bind*] user root env.logfile {{ bind_query_file }} -env.querystats {{ bind_chroot_root }}{{ bind_statistics_file }} +env.querystats {{ bind_chroot_path }}{{ bind_statistics_file }} env.MUNIN_PLUGSTATE /var/lib/munin timeout 120 diff --git a/bind/templates/named.conf.options.j2 b/bind/templates/named.conf.options.j2 deleted file mode 100644 index 79969a9d..00000000 --- a/bind/templates/named.conf.options.j2 +++ /dev/null @@ -1,58 +0,0 @@ -// {{ ansible_managed }} - -options { - directory "/var/cache/bind"; - - // If there is a firewall between you and nameservers you want - // to talk to, you may need to fix the firewall to allow multiple - // ports to talk. See http://www.kb.cert.org/vuls/id/800113 - - // If your ISP provided one or more IP addresses for stable - // nameservers, you probably want to use them as forwarders. - // Uncomment the following block, and insert the addresses replacing - // the all-0's placeholder. - - // forwarders { - // 0.0.0.0; - // }; - - version "Bingo"; - - auth-nxdomain no; # conform to RFC1035 - //listen-on-v6 { ::1; }; - //listen-on { 127.0.0.1; }; - - allow-query { localhost;}; - allow-transfer { localhost; }; - allow-recursion { localhost; }; - - statistics-file "/var/run/named.stats"; -}; - -logging { - //category default { default_syslog; default_debug; }; - category default { default_debug; }; - - channel default_syslog { - syslog daemon; - severity info; - }; - - channel default_debug { - file "/var/log/bind.log"; - severity debug; - }; - channel query { - file "/var/log/query.log" versions 2 size 1m; - print-time yes; - severity info; - }; - category queries { query; }; -}; - -//key "external" { -// algorithm hmac-md5; -// secret "UOQfHEoBzBSC6sD4mwfxLw=="; -//}; -// -//server 85.118.59.1 { keys external; }; diff --git a/bind/templates/named.conf.options_authoritative.j2 b/bind/templates/named.conf.options_authoritative.j2 new file mode 100644 index 00000000..04ab2551 --- /dev/null +++ b/bind/templates/named.conf.options_authoritative.j2 @@ -0,0 +1,35 @@ +acl "foo" { + ::ffff:192.0.2.21; 192.0.2.21; + 2001:db8::21; +}; + +options { + directory "/var/cache/bind"; + version "Bingo"; + auth-nxdomain no; + masterfile-format text; + statistics-file "/var/run/named.stats"; + + listen-on-v6 { any; }; + listen-on { any; }; + + allow-query { localhost; }; + allow-recursion { localhost; }; + allow-transfer { localhost; }; +}; + +logging { + category default { default_file; }; + category queries { query_logging; }; + + channel default_file { + file "/var/log/bind.log"; + severity info; + }; + channel query_logging { + file "/var/log/bind_queries.log" versions 2 size 128M; + print-category yes; + print-severity yes; + print-time yes; + }; +}; diff --git a/bind/templates/named.conf.options_recursive.j2 b/bind/templates/named.conf.options_recursive.j2 new file mode 100644 index 00000000..555230d0 --- /dev/null +++ b/bind/templates/named.conf.options_recursive.j2 @@ -0,0 +1,16 @@ +options { + directory "/var/cache/bind"; + version "Bingo"; + auth-nxdomain no; + listen-on-v6 { ::1; }; + listen-on { 127.0.0.1; }; + allow-recursion { ::1; 127.0.0.1; }; +}; + +logging { + category default { default_file; }; + channel default_file { + file "/var/log/bind.log"; + severity info; + }; +}; From a0ccc2e9d59aaa461c89f92233421d76a77b9c6c Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Sat, 22 Jul 2017 22:40:31 +0200 Subject: [PATCH 111/277] Review of role Apache, sync with https://wiki.evolix.org/HowtoApache --- apache/defaults/main.yml | 2 +- .../error-pages/HTTP_BAD_GATEWAY.html.var | 320 ----------- .../error-pages/HTTP_BAD_REQUEST.html.var | 230 -------- .../files/error-pages/HTTP_FORBIDDEN.html.var | 411 --------------- apache/files/error-pages/HTTP_GONE.html.var | 466 ---------------- .../HTTP_INTERNAL_SERVER_ERROR.html.var | 499 ------------------ .../error-pages/HTTP_LENGTH_REQUIRED.html.var | 241 --------- .../HTTP_METHOD_NOT_ALLOWED.html.var | 231 -------- .../files/error-pages/HTTP_NOT_FOUND.html.var | 464 ---------------- .../error-pages/HTTP_NOT_IMPLEMENTED.html.var | 219 -------- .../HTTP_PRECONDITION_FAILED.html.var | 222 -------- .../HTTP_REQUEST_ENTITY_TOO_LARGE.html.var | 246 --------- .../HTTP_REQUEST_TIME_OUT.html.var | 234 -------- .../HTTP_REQUEST_URI_TOO_LARGE.html.var | 235 --------- .../HTTP_SERVICE_UNAVAILABLE.html.var | 250 --------- .../error-pages/HTTP_UNAUTHORIZED.html.var | 370 ------------- .../HTTP_UNSUPPORTED_MEDIA_TYPE.html.var | 217 -------- .../HTTP_VARIANT_ALSO_VARIES.html.var | 242 --------- apache/files/error-pages/README | 38 -- apache/files/error-pages/contact.html.var | 127 ----- apache/files/error-pages/include/bottom.html | 12 - apache/files/error-pages/include/spacer.html | 2 - apache/files/error-pages/include/top.html | 21 - apache/files/evolinux-custom.conf | 12 + apache/files/evolinux-defaults.conf | 11 +- .../files/evolinux-localized-error-pages.conf | 35 -- apache/files/evolinux-ssl.conf | 11 - apache/tasks/main.yml | 125 +---- apache/tasks/phpmyadmin.yml | 8 + apache/templates/evolinux-default.conf.j2 | 99 ++-- 30 files changed, 116 insertions(+), 5484 deletions(-) delete mode 100644 apache/files/error-pages/HTTP_BAD_GATEWAY.html.var delete mode 100644 apache/files/error-pages/HTTP_BAD_REQUEST.html.var delete mode 100644 apache/files/error-pages/HTTP_FORBIDDEN.html.var delete mode 100644 apache/files/error-pages/HTTP_GONE.html.var delete mode 100644 apache/files/error-pages/HTTP_INTERNAL_SERVER_ERROR.html.var delete mode 100644 apache/files/error-pages/HTTP_LENGTH_REQUIRED.html.var delete mode 100644 apache/files/error-pages/HTTP_METHOD_NOT_ALLOWED.html.var delete mode 100644 apache/files/error-pages/HTTP_NOT_FOUND.html.var delete mode 100644 apache/files/error-pages/HTTP_NOT_IMPLEMENTED.html.var delete mode 100644 apache/files/error-pages/HTTP_PRECONDITION_FAILED.html.var delete mode 100644 apache/files/error-pages/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var delete mode 100644 apache/files/error-pages/HTTP_REQUEST_TIME_OUT.html.var delete mode 100644 apache/files/error-pages/HTTP_REQUEST_URI_TOO_LARGE.html.var delete mode 100644 apache/files/error-pages/HTTP_SERVICE_UNAVAILABLE.html.var delete mode 100644 apache/files/error-pages/HTTP_UNAUTHORIZED.html.var delete mode 100644 apache/files/error-pages/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var delete mode 100644 apache/files/error-pages/HTTP_VARIANT_ALSO_VARIES.html.var delete mode 100644 apache/files/error-pages/README delete mode 100644 apache/files/error-pages/contact.html.var delete mode 100644 apache/files/error-pages/include/bottom.html delete mode 100644 apache/files/error-pages/include/spacer.html delete mode 100644 apache/files/error-pages/include/top.html delete mode 100644 apache/files/evolinux-localized-error-pages.conf delete mode 100644 apache/files/evolinux-ssl.conf diff --git a/apache/defaults/main.yml b/apache/defaults/main.yml index 9704ee24..65048f14 100644 --- a/apache/defaults/main.yml +++ b/apache/defaults/main.yml @@ -5,10 +5,10 @@ apache_private_ipaddr_whitelist_absent: [] apache_private_htpasswd_present: [] apache_private_htpasswd_absent: [] -apache_default_redirect_url: "http://evolix.fr" apache_evolinux_default_enabled: True apache_evolinux_default_ssl_cert: /etc/ssl/certs/ssl-cert-snakeoil.pem apache_evolinux_default_ssl_key: /etc/ssl/private/ssl-cert-snakeoil.key +apache_phpmyadmin_set: False apache_phpmyadmin_suffix: "" apache_serverstatus_suffix: "" diff --git a/apache/files/error-pages/HTTP_BAD_GATEWAY.html.var b/apache/files/error-pages/HTTP_BAD_GATEWAY.html.var deleted file mode 100644 index a9061b30..00000000 --- a/apache/files/error-pages/HTTP_BAD_GATEWAY.html.var +++ /dev/null @@ -1,320 +0,0 @@ -Content-language: cs -Content-type: text/html; charset=UTF-8 -Body:----------cs-- - - - Proxy server obdržel od nadřazeného - serveru chybnou odpověď. - - - - - - - -----------cs-- - -Content-language: de -Content-type: text/html; charset=UTF-8 -Body:----------de-- - - - Der Proxy-Server erhielt eine fehlerhafte Antwort - eines übergeordneten Servers oder Proxies. - - - - - - - -----------de-- - -Content-language: en -Content-type: text/html; charset=UTF-8 -Body:----------en-- - - - The proxy server received an invalid - response from an upstream server. - - - - - - - -----------en-- - -Content-language: es -Content-type: text/html -Body:----------es-- - - - - El servidor 'proxy' ha recibido; información - no válida del servidor de origen. - - - - - - - - - -----------es-- - -Content-language: fr -Content-type: text/html; charset=UTF-8 -Body:----------fr-- - - - Le serveur proxy a reçu une réponse - incorrecte de la part d'un serveur supérieur. - - - - - - - -----------fr-- - -Content-language: ga -Content-type: text/html; charset=UTF-8 -Body:----------ga-- - - - Fuair an seachfhreastalaí freagairt neamhbhailí - ó freastalaí thuasthrutha. - - - - - - - -----------ga-- - -Content-language: it -Content-type: text/html; charset=UTF-8 -Body:----------it-- - - - Il server proxy ha ricevuto una risposta - non valida dal server precedente. - - - - - - - -----------it-- - -Content-language: ja -Content-type: text/html; charset=UTF-8 -Body:----------ja-- - - - プロクシサーバは上流サーバから不正な応答を受信しました。 - - - - - - - -----------ja-- - -Content-language: ko -Content-type: text/html; charset=UTF-8 -Body:----------ko-- - - - 프록시 서버가 더 윗쪽의 서버로부터 잘못된 응답을 받았습니다. - - - - - - - -----------ko-- - -Content-language: nl -Content-type: text/html; charset=UTF-8 -Body:----------nl-- - - - De proxy server heeft een ongeldig - antwoord ontvangen van een gecontacteerde server. - - - - - - - -----------nl-- - -Content-language: nb -Content-type: text/html; charset=UTF-8 -Body:----------nb-- - - - Proxyserveren mottok et ugyldig svar fra - en oppstrøms server. - - - - - - - -----------nb-- - -Content-language: pl -Content-type: text/html; charset=UTF-8 -Body:----------pl-- - - - Serwer otrzymał nieprawidłową odpowiedź - od kolejnego serwera. - - - - - - - -----------pl-- - -Content-language: pt-br -Content-type: text/html; charset=UTF-8 -Body:-------pt-br-- - - - O servidor proxy recebeu uma resposta - inválida do servidor destino. - - - - - - - --------pt-br-- - -Content-language: pt -Content-type: text/html; charset=ISO-8859-1 -Body:----------pt-- - - - O servidor de proxy recebeu uma resposta - inválida de um outro servidor externo a ele. - - - - - - - -----------pt-- - -Content-language: ro -Content-type: text/html; charset=UTF-8 -Body:----------ro-- - - - Serverul proxy a primit un raspuns invalid - de la serverul precedent. - - - - - - - -----------ro-- - -Content-language: sr -Content-type: text/html; charset=UTF-8 -Body:----------sr-- - - - Посреднички сервер је примио неисправан - одговор од следећег сервера у низу. - - - - - - - -----------sr-- - -Content-language: sv -Content-type: text/html; charset=UTF-8 -Body:----------sv-- - - - Proxyservern mottog ett felaktigt svar från - en tidigare server. - - - - - - - -----------sv-- - -Content-language: tr -Content-type: text/html; charset=UTF-8 -Body:----------tr-- - - - Vekil sunucu üstbirim sunucudan - anlamsız bir yanıt aldı. - - - - - - - -----------tr-- diff --git a/apache/files/error-pages/HTTP_BAD_REQUEST.html.var b/apache/files/error-pages/HTTP_BAD_REQUEST.html.var deleted file mode 100644 index 8f892c78..00000000 --- a/apache/files/error-pages/HTTP_BAD_REQUEST.html.var +++ /dev/null @@ -1,230 +0,0 @@ -Content-language: cs -Content-type: text/html; charset=UTF-8 -Body:----------cs-- - - - Váš prohlížeč (nebo proxy server) vyslal požadavek, - kterému tento server nerozuměl. - - -----------cs-- - -Content-language: de -Content-type: text/html; charset=UTF-8 -Body:----------de-- - - - Ihr Browser (oder Proxy) hat eine ungültige Anfrage - gesendet, die vom Server nicht beantwortet werden kann. - - -----------de-- - -Content-language: en -Content-type: text/html; charset=UTF-8 -Body:----------en-- - - - Your browser (or proxy) sent a request that - this server could not understand. - - -----------en-- - -Content-language: es -Content-type: text/html -Body:----------es-- - - - - Su navegador (o 'proxy') ha enviado una petición - que el servidor no ha podido entender. - - -----------es-- - -Content-language: fr -Content-type: text/html; charset=UTF-8 -Body:----------fr-- - - - Votre navigateur (ou votre proxy) a envoyé - une demande que ce serveur n'a pas comprise. - - -----------fr-- - -Content-language: ga -Content-type: text/html; charset=UTF-8 -Body:----------ga-- - - - Seol do chuid brabhsálaí (nó - seachfhreastalaí) freagairt nárbh fhéidir leis an - fhreastalaí seo a thuisceant. - - -----------ga-- - -Content-language: it -Content-type: text/html; charset=UTF-8 -Body:----------it-- - - - Il tuo browser (o il proxy) ha inviato a - questo server una richiesta incomprensibile. - - -----------it-- - -Content-language: ja -Content-type: text/html; charset=UTF-8 -Body:----------ja-- - - - お使いのブラウザ (またはプロクシ) - が、サーバの理解できないリクエストを送信しました。 - - -----------ja-- - -Content-language: ko -Content-type: text/html; charset=UTF-8 -Body:----------ko-- - - - 브라우저 또는 프록시가 - 이 서버가 처리할 수 없는 잘못된 요청을 보냈습니다. - - -----------ko-- - -Content-language: nl -Content-type: text/html; charset=UTF-8 -Body:----------nl-- - - - Uw browser (of proxy) stuurde een vraag die - deze server niet kon begrijpen. - - -----------nl-- - -Content-language: nb -Content-type: text/html; charset=UTF-8 -Body:----------nb-- - - - Din nettleser eller proxy sendte en forespørsel - som denne serveren ikke kunne forstå. - - -----------nb-- - -Content-language: pl -Content-type: text/html; charset=UTF-8 -Body:----------pl-- - - - Twoja przeglądarka (lub serwer pośredniczący) wysłał żądanie, - którego ten serwer nie potrafi obsłużyć. - - -----------pl-- - -Content-language: pt-br -Content-type: text/html; charset=UTF-8 -Body:-------pt-br-- - - - Seu "browser" (ou o servidor proxy) enviou uma - requisição inválida ao servidor. - - --------pt-br-- - -Content-language: pt -Content-type: text/html; charset=ISO-8859-1 -Body:----------pt-- - - - O seu browser ou proxy enviou - um pedido que este servidor não compreendeu. - - -----------pt-- - -Content-language: ro -Content-type: text/html; charset=UTF-8 -Body:----------ro-- - - - Browserul (sau proxy-ul) dumneavoastra a trimis - serverului o cerere ce nu poate fi procesata. - - -----------ro-- - -Content-language: sr -Content-type: text/html; charset=UTF-8 -Body:----------sr-- - - - Ваш читач (или посреднички сервер) послао је захтев који - овај сервер није могао да разуме. - - -----------sr-- - -Content-language: sv -Content-type: text/html; charset=UTF-8 -Body:----------sv-- - - - Din webbläsare eller proxy skickade en förfrågan - som denna server inte kunde förstå. - - -----------sv-- - -Content-language: tr -Content-type: text/html; charset=UTF-8 -Body:----------tr-- - - - Tarayıcınız (veya vekil sunucunuz) bu sunucunun - anlayamadığı bir istekte bulundu. - - -----------tr-- diff --git a/apache/files/error-pages/HTTP_FORBIDDEN.html.var b/apache/files/error-pages/HTTP_FORBIDDEN.html.var deleted file mode 100644 index 16995cab..00000000 --- a/apache/files/error-pages/HTTP_FORBIDDEN.html.var +++ /dev/null @@ -1,411 +0,0 @@ -Content-language: cs -Content-type: text/html; charset=UTF-8 -Body:----------cs-- - - - - - Nemáte právo pro přístup do požadovaného adresáře. Buď neexistuje žádný - dokument s obsahem (tzv. index), nebo je adresář chráněn proti čtení. - - - - Nemáte právo pro přístup k požadovanému objektu. - Buď je chráněn proti čtení, nebo není serverem čitelný. - - - - -----------cs-- - -Content-language: de -Content-type: text/html; charset=UTF-8 -Body:----------de-- - - - - - Der Zugriff auf das angeforderte Verzeichnis ist nicht möglich. - Entweder ist kein Index-Dokument vorhanden oder das Verzeichnis - ist zugriffsgeschützt. - - - - Der Zugriff auf das angeforderte Objekt ist nicht möglich. - Entweder kann es vom Server nicht gelesen werden oder es - ist zugriffsgeschützt. - - - - -----------de-- - -Content-language: en -Content-type: text/html; charset=UTF-8 -Body:----------en-- - - - - - You don't have permission to access the requested directory. - There is either no index document or the directory is read-protected. - - - - You don't have permission to access the requested object. - It is either read-protected or not readable by the server. - - - - -----------en-- - -Content-language: es -Content-type: text/html -Body:----------es-- - - - - - - Usted no tiene permiso para acceder al directorio solicitado. - No existe un documento índice, o el directorio está - protegido contra lectura. - - - - Usted no tiene permiso para acceder al objeto solicitado. - El objeto está protegido contra lectura o - el servidor no puede leerlo. - - - - -----------es-- - -Content-language: fr -Content-type: text/html; charset=UTF-8 -Body:----------fr-- - - - - - Vous n'avez pas le droit d'accéder au répertoire - demandé. Soit il n'y a pas de document index soit le répertoire - est protégé. - - - - Vous n'avez pas le droit d'accéder à l'objet - demandé. Soit celui-ci est protégé, soit il ne peut - être lu par le serveur. - - - - -----------fr-- - -Content-language: ga -Content-type: text/html; charset=UTF-8 -Body:----------ga-- - - - - - Níl cead agat rochtain a dhéanamh ar an comhadlann faoi - iarratais. Is féidir nach bhfuil aon doiciméad - innéacs, nó go bhfuil cosaint ar lémh an comhadlann. - - - - Níl cead agat rochtain a dhéanamh ar an aidhm faoi iarratais. - Is féidir go bhfuil cosaint ar lé air, nó go bhfuil - sé doléite don freastalaí. - - - - -----------ga-- - -Content-language: it -Content-type: text/html; charset=UTF-8 -Body:----------it-- - - - - - Non disponi dei permessi necessari per accedere alla - directory richiesta oppure non esiste il documento indice. - - - - Non disponi dei permessi necessari per accedere all'oggetto - richiesto, oppure l'oggetto non può essere letto dal server. - - - - -----------it-- - -Content-language: ja -Content-type: text/html; charset=UTF-8 -Body:----------ja-- - - - - - 要求されたディレクトリへのアクセス権限がありません。 - インデックスドキュメントが存在しないか、 - ディレクトリの読み込みが許可されていません。 - - - - 要求されたオブジェクトへのアクセス権がありません。 - 読み込みが許可されていないか、 - サーバが読み込みに失敗したかでしょう。 - - - - -----------ja-- - -Content-language: ko -Content-type: text/html; charset=UTF-8 -Body:----------ko-- - - - - - 요청한 디렉토리에 접근할 수 있는 권한이 없습니다. - 디렉토리에 첫 페이지가 없거나 아니면 읽기 보호가 되어 있습니다. - - - - 요청한 객체에 접근할 수 있는 권한이 없습니다. - 읽기 보호가 되어 있거나 웹서버가 읽을 수 없도록 되어 있습니다. - - - - -----------ko-- - -Content-language: nl -Content-type: text/html; charset=UTF-8 -Body:----------nl-- - - - - - U hebt niet de toestemming om toegang te krijgen tot de gevraagde map. - Er is of wel geen index document of de map is beveiligd tegen lezen. - - - - U hebt niet de toestemming om toegang te krijgen tot de gevraagde map. - Die is ofwel beveiligd tegen lezen of onleesbaar door de server. - - - - -----------nl-- - -Content-language: nb -Content-type: text/html; charset=UTF-8 -Body:----------nb-- - - - - - Du har ikke tilstrekkelige rettigheter for å få tilgang til den - ønskede katalogen. Det eksisterer ikke et indeksdokument, eller - katalogen er lesebeskyttet. - - - - Du har ikke tilstrekkelige rettigheter for å få adgang til det - ønskede dokumentet. Objektet er lesebeskyttet, eller ikke lesbart - for serveren. - - - - -----------nb-- - -Content-language: pl -Content-type: text/html; charset=UTF-8 -Body:----------pl-- - - - - - Nie masz prawa dostępu do żądanego katalogu. W katalogu nie - ma indeksu lub katalog jest zabezpieczony przed odczytem. - - - - Nie masz dostępu do żądanego obiektu. Jest on zabezpieczony - przed odczytem lub nie może być odczytany przez serwer. - - - - -----------pl-- - -Content-language: pt-br -Content-type: text/html; charset=UTF-8 -Body:-------pt-br-- - - - - - Você não tem permissão para acessar o - diretório requisitado. - Pode não existir o arquivo de índice ou - o diretório pode estar protegido contra leitura. - - - - Você não tem permissão para acessar o - objeto requisitado. Ele pode estar protegido contra leitura ou - não ser legível pelo servidor. - - - - --------pt-br-- - -Content-language: pt -Content-type: text/html; charset=ISO-8859-1 -Body:----------pt-- - - - - - Não tem permissão para aceder ao directório - que deseja. Ou não existe o documento de índice - ou o directório está protegido contra leitura. - - - - Não tem permissão para aceder ao objecto - que deseja. Este está protegido contra leitura ou - o servidor não o consegue ler. - - - - -----------pt-- - -Content-language: ro -Content-type: text/html; charset=UTF-8 -Body:----------ro-- - - - - - Nu aveti permisiunea sa accesati directorul cerut. - Nu este nici un document index sau directorul este protejat la citire. - - - - Nu aveti permisiunea sa accesati obiectul cerut. - Este protejat la citire sau nu poate fi citit de server. - - - - -----------ro-- - -Content-language: sr -Content-type: text/html; charset=UTF-8 -Body:----------sr-- - - - - - Немате дозволу да приступите захтеваном директоријуму. - Могуће је да нема индексног документа, или да је директоријум заштићен од читања. - - - - Немате дозволу да приступите захтеваном објекту. - Могуће је да је заштићен од читања, или да га сервер не може прочитати. - - - - -----------sr-- - -Content-language: sv -Content-type: text/html; charset=UTF-8 -Body:----------sv-- - - - - - Du har inte tillräckliga rättigheter för att få - tillgång till den önskade katalogen. Det existerar inget - indexdokument eller så är katalogen lässkyddad. - - - - Du har inte tillräckliga rättigheter för att få - tillgång till det önskade objektet. Objektet är - lässkyddat eller inte läsbart för servern. - - - - -----------sv-- - -Content-language: tr -Content-type: text/html; charset=UTF-8 -Body:----------tr-- - - - - - Talep ettiğiniz dizine erişim izniniz yok. - Ya dizin içerik dosyası yok, ya da dizin okumaya karşı korumalı. - - - - Talep ettiğiniz dizine erişim izniniz yok. - Dizin, ya okumaya karşı korumalı - ya da sunucu tarafından okunamıyor. - - - - -----------tr-- diff --git a/apache/files/error-pages/HTTP_GONE.html.var b/apache/files/error-pages/HTTP_GONE.html.var deleted file mode 100644 index cd58bccf..00000000 --- a/apache/files/error-pages/HTTP_GONE.html.var +++ /dev/null @@ -1,466 +0,0 @@ -Content-language: cs -Content-type: text/html; charset=UTF-8 -Body:----------cs-- - - - Požadované URL již není na tomto serveru k dispozici, ani není k dispozici - žádná adresa k přesměrování. - - - - Informujte, prosím, autora - ">odkazující - stránky, že odkaz je zastaralý. - - - - Pokud jste následovali odkaz z cizí stránky, kontaktujte, prosím, - jejího autora. - - - - -----------cs-- - -Content-language: de -Content-type: text/html; charset=UTF-8 -Body:----------de-- - - - Der angeforderte URL existiert auf dem Server nicht mehr - und wurde dauerhaft entfernt. - Eine Weiterleitungsadresse ist nicht verfügbar. - - - - Bitte informieren Sie den Autor der - ">verweisenden - Seite, dass der Link nicht mehr aktuell ist. - - - - Falls Sie einem Link von einer anderen Seite gefolgt sind, - informieren Sie bitte den Autor dieser Seite hierüber. - - - - -----------de-- - -Content-language: en -Content-type: text/html; charset=UTF-8 -Body:----------en-- - - - The requested URL is no longer available on this server and there is no - forwarding address. - - - - Please inform the author of the - ">referring - page that the link is outdated. - - - - If you followed a link from a foreign page, please contact the - author of this page. - - - - -----------en-- - -Content-language: es -Content-type: text/html -Body:----------es-- - - - - La URL solicitada ya no está disponible en este servidor y - no existe una dirección a la cual remitirle. - - - - Por favor, comunique al autor de la - ">página - que le ha remitido que la URL está obsoleta. - - - - Si usted ha seguido un enlace de una página externa, - por favor contacte con el autor de esa página. - - - - -----------es-- - -Content-language: fr -Content-type: text/html; charset=UTF-8 -Body:----------fr-- - - - L'URL demandée n'est plus accessible sur ce serveur et il - n'y a pas d'adresse de redirection. - - - - Nous vous prions d'informer l'auteur de - ">la - page en question que la référence n'est plus valable. - - - - Si vous avez suivi une référence issue d'une page autre, - veuillez contacter l'auteur de cette page. - - - - -----------fr-- - -Content-language: ga -Content-type: text/html; charset=UTF-8 -Body:----------ga-- - - - Níl an URL iarraithe ar fáil ar an fhreastalaí seo - a thuilleadh, agus níl aon seoladh nua ann dó. - - - - Cur in úil do úadar an - ">leathanach - thagarthach go bhfuil an nasc as-dáta, le do thoil. - - - - Má leanfá nasc ó leathanach iasachta, téigh i - dteaghmháil le úadar an leathanach sin, le do thoil. - - - - -----------ga-- - -Content-language: it -Content-type: text/html; charset=UTF-8 -Body:----------it-- - - - L'URL richiesto non è più disponibile su questo server - e non esistono indirizzi verso i quali sia possibile inoltrare - la richiesta. - - - - Per favore, informa l'autore della - ">pagina - di provenienza che il link non è più valido. - - - - Se sei arrivato da una pagina esterna, informa l'autore della - pagina di provenienza che il link non è più valido. - - - - -----------it-- - -Content-language: ja -Content-type: text/html; charset=UTF-8 -Body:----------ja-- - - - 要求された URL は既に本サーバでは利用できませんし、 - 移動先もわかりません。 - - - - " - >参照元ページの著者に、 - リンクが古くなっていることをご連絡ください。 - - - - 他のページからのリンクを辿ってきた場合は、 - そのページの著者にご連絡ください。 - - - - -----------ja-- - -Content-language: ko -Content-type: text/html; charset=UTF-8 -Body:----------ko-- - - - 요청한 URL은 더 이상 이 서버에 남아있지 않으며, - 그 객체가 옮겨진 다른 URL 역시 남아있지 않습니다. - - - - ">이전 - 페이지의 만든이에게 주소가 잘못되었다고 알려주시기 바랍니다. - - - - 다른 페이지의 링크를 따라오셨다면, 그 페이지의 만든이에게 연락을 하시기 - 바랍니다. - - - - -----------ko-- - -Content-language: nl -Content-type: text/html; charset=UTF-8 -Body:----------nl-- - - - De gevraagde URL is niet langer beschikbaar op deze server en er is geen - doorverwijsadres. - - - - Gelieve aan de auteur van - ">deze pagina - te melden dat deze link niet langer actueel is. - - - - Indien u deze link hebt gekregen van een andere pagina, gelieve - de auteur van deze pagina te contacteren. - - - - -----------nl-- - -Content-language: nb -Content-type: text/html; charset=UTF-8 -Body:----------nb-- - - - Den ønskede adressen er ikke lenger tilgjengelig hos denne - serveren og det finnes ingen adresse for videresending. - - - - Venligst informer forfatteren bak - ">den - aktuelle siden om at lenken er utdatert. - - - - Om du fulgte en lenke fra en ekstern side, venligst kontakt - forfatteren bak den siden. - - - - -----------nb-- - -Content-language: pl -Content-type: text/html; charset=UTF-8 -Body:----------pl-- - - - Poszukiwany zasób nie jest już dostępny na tym serwerze i nie - podano nowego adresu zasobu. - - - - Prosimy poinformować autora - ">referującej - strony o nieaktualnym linku. - - - - Jeśli podążyłeś za linkiem z innej strony, skontaktuj się z jej - autorem. - - - - -----------pl-- - -Content-language: pt-br -Content-type: text/html; charset=UTF-8 -Body:-------pt-br-- - - - A URL solicitada não está disponível neste servidor - e não existe um endereço alternativo. - - - - Por favor informe o autor da - ">página - referida que a URL está desatualizada. - - - - Se você seguiu um "link" de uma página externa, por favor - entre em contato com o autor desta página e o informe sobre a - mudança do "link". - - - - --------pt-br-- - -Content-language: pt -Content-type: text/html; charset=ISO-8859-1 -Body:----------pt-- - - - O URL desejado já não está disponível - neste servidor e não existe endereço alternativo. - - - - Por favor informe o autor da - ">página - originária que a hiperligação está - desactualizada. - - - - Se chegou aqui a partir de uma hiperligação externa, - por favor contacte o autor dessa página. - - - - -----------pt-- - -Content-language: ro -Content-type: text/html; charset=UTF-8 -Body:----------ro-- - - - URL-ul cerut nu mai este disponibil pe acest server si nu - exista o adresa de inaintare. - - - - Va rugam informati autorul - ">paginii - referite ca link-ul nu mai este de actualitate. - - - - Va rugam contactati autorul acestei pagini daca ati urmat - un link dintr-o pagina externa. - - - - -----------ro-- - -Content-language: sr -Content-type: text/html; charset=UTF-8 -Body:----------sr-- - - - Захтевани УРЛ није више доступан на овом серверу и нема - адресе на коју бисте могли бити прослеђени. - - - - Молимо обавестите аутора - ">исходишне - странице да је веза застарела. - - - - Ако сте пратили везу са спољне странице, молимо обавестите - аутора те странице. - - - - -----------sr-- - -Content-language: sv -Content-type: text/html; charset=UTF-8 -Body:----------sv-- - - - Den önskade adressen är inte längre tillgänglig hos - denna server och det finns inte någon adress för vidarebefodran. - - - - Vänligen informera författaren bakom - ">den aktuella - sidan att länken är inaktuell. - - - - Om du följde en länk från en extern sida, vänligen - kontakta författaren av den sidan. - - - - -----------sv-- - -Content-language: tr -Content-type: text/html; charset=UTF-8 -Body:----------tr-- - - - Talep ettiğiniz URL artık kullanılabilir değil - ve herhangi bir yönlendirme de mevcut değil. - - - - Lütfen - ">istenen sayfanın - yazarına, bu bağlantının güncel olmadığını bildirin. - - - - Başka bir sunucudaki bir bağlantıyı izleyerek buraya geldiyseniz, - lütfen sözkonusu sayfanın yazarına bağlantının güncel olmadığını bildirin. - - - - -----------tr-- diff --git a/apache/files/error-pages/HTTP_INTERNAL_SERVER_ERROR.html.var b/apache/files/error-pages/HTTP_INTERNAL_SERVER_ERROR.html.var deleted file mode 100644 index 7cb84203..00000000 --- a/apache/files/error-pages/HTTP_INTERNAL_SERVER_ERROR.html.var +++ /dev/null @@ -1,499 +0,0 @@ -Content-language: cs -Content-type: text/html; charset=UTF-8 -Body:----------cs-- - - - - - Nastala vnitřní chyba a server nebyl schopen - dokončit Váš požadavek. - - - - Chybová zpráva -
    - - - - Nastala vnitřní chyba a server nebyl schopen - dokončit Váš požadavek. Buď je server - přetížen, nebo došlo k chybě v CGI skriptu. - - - - -----------cs-- - -Content-language: de -Content-type: text/html; charset=UTF-8 -Body:----------de-- - - - - - Die Anfrage kann nicht beantwortet werden, da im Server - ein interner Fehler aufgetreten ist. - - - - Fehlermeldung: -
    - - - - Die Anfrage kann nicht beantwortet werden, da im Server - ein interner Fehler aufgetreten ist. - Der Server ist entweder überlastet oder ein Fehler in - einem CGI-Skript ist aufgetreten. - - - - -----------de-- - -Content-language: en -Content-type: text/html; charset=UTF-8 -Body:----------en-- - - - - - The server encountered an internal error and was - unable to complete your request. - - - - Error message: -
    - - - - The server encountered an internal error and was - unable to complete your request. Either the server is - overloaded or there was an error in a CGI script. - - - - -----------en-- - -Content-language: es -Content-type: text/html -Body:----------es-- - - - - Se ha producido un error interno en el servidor y no - se ha podido completar su solicitud. - - - - - Mensaje de error:
    - - - - - Se ha producido un error interno en el servidor y no se - ha podido completar su solicitud. O el servidor está - sobrecargado o ha habido un fallo en la ejecución de - un programa CGI. - - - - -----------es-- - -Content-language: fr -Content-type: text/html; charset=UTF-8 -Body:----------fr-- - - - - - Le serveur a été victime d'une erreur interne et n'a pas - été capable de faire aboutir votre requête. - - - - Message d'erreur: -
    - - - - Le serveur a été victime d'une erreur interne et n'a pas - été capable de faire aboutir votre requête. - Soit le server est surchargé soit il s'agit d'une erreur dans - le script CGI. - - - - -----------fr-- - -Content-language: ga -Content-type: text/html; charset=UTF-8 -Body:----------ga-- - - - - - Thit an freastalaí ar earráid inmheánach - agus theip air do chuid iarratais a comhlíonadh. - - - - Teachtaireacht earráide: -
    - - - - Thit an freastalaí ar earráid inmheánach - agus theip air do chuid iarratais a comhlíonadh. - Is féidir go bhfuil an freastalaí - rólóaidithe, nó go raibh earráid - i script CGI éigin. - - - - -----------ga-- - -Content-language: it -Content-type: text/html; charset=UTF-8 -Body:----------it-- - - - - - Il server ha generato un errore interno e non è - in grado di soddisfare la richiesta. - - - - Messaggio di errore: -
    - - - - Il server ha generato un errore interno e non è - in grado di soddisfare la richiesta. Il server potrebbe - essere sovraccarico oppure si è verificato un - errore in uno script CGI. - - - - -----------it-- - -Content-language: ja -Content-type: text/html; charset=UTF-8 -Body:----------ja-- - - - - - サーバ内部で障害が発生し、 - リクエストに応えることができませんでした。 - - - - Error message: -
    - - - - サーバ内部で障害が発生し、 - リクエストに応えることができませんでした。 - サーバが過負荷であるか、 - CGI スクリプトにエラーがあります。 - - - - -----------ja-- - -Content-language: ko -Content-type: text/html; charset=UTF-8 -Body:----------ko-- - - - - - 서버에 내부 오류가 발생하여 요청을 끝까지 처리하지 못했습니다. - - - - 오류 내용: -
    - - - - 서버에 내부 오류가 생겨 요청을 끝까지 처리하지 못했습니다. - 서버에 과부하가 걸렸거나 아니면 CGI 프로그램에 오류가 있었습니다. - - - - -----------ko-- - -Content-language: nl -Content-type: text/html; charset=UTF-8 -Body:----------nl-- - - - - - - - Foutbericht: -
    - - - - De server kreeg een interne fout en kon - uw vraag niet beantwoorden. De server is overbelast - of er was een fout in een CGI script. - - - - -----------nl-- - -Content-language: nb -Content-type: text/html; charset=UTF-8 -Body:----------nb-- - - - - - Det inntraff en intern feil hos serveren, og det var ikke mulig å - gjennomføre din forespørsel. - - - - Feilmelding: -
    - - - - Det inntraff en intern feil hos serveren, og det var ikke mulig å - gjennomføre din forespørsel. Serveren er enten overbelastet, eller - CGI-skriptet inneholder feil. - - - - -----------nb-- - -Content-language: pl -Content-type: text/html; charset=UTF-8 -Body:----------pl-- - - - - - Serwer napotkał błąd wewnętrzny i nie jest w stanie - zrealizować twojego żądania. - - - - Informacja o błędzie: -
    - - - - Serwer napotkał błąd wewnętrzny i nie jest w stanie - zrealizować twojego żądania. Serwer jest przeciążony lub - napotkał na błąd w skrypcie CGI. - - - - -----------pl-- - -Content-language: pt-br -Content-type: text/html; charset=UTF-8 -Body:-------pt-br-- - - - - - O servidor encontrou um erro interno e não pode - completar sua requisição. - - - - Mensagem de Erro: -
    - - - - O servidor encontrou um erro interno e não - foi possível completar sua requisição. - O servidor está sobrecarregado ou existe um - erro em um script CGI. - - - - --------pt-br-- - -Content-language: pt -Content-type: text/html; charset=ISO-8859-1 -Body:----------pt-- - - - - - O servidor encontrou um erro interno e não pode completar - o seu pedido. - - - - Mensagem de erro: -
    - - - - O servidor encontrou um erro interno e não pode completar - o seu pedido. Ou o servidor está sobrecarregado, ou ocorreu - um erro num script CGI. - - - - -----------pt-- - -Content-language: ro -Content-type: text/html; charset=UTF-8 -Body:----------ro-- - - - - - Serverul a intalnit o eroare interna si nu a - putut rezolva cererea dumneavoastra. - - - - Mesajul de eroare : -
    - - - - Serverul a intalnit o eroare interna si nu a - putut rezolva cererea dumneavoastra. Serverul este - supraincarcat sau a fost o eroare intr-un script CGI. - - - - -----------ro-- - -Content-language: sr -Content-type: text/html; charset=UTF-8 -Body:----------sr-- - - - - - Сервер је имао унутрашњу грешку и није био - у могућности да испуни ваш захтев. - - - - Порука о грешци: -
    - - - - Сервер је имао унутрашњу грешку и није био - у могућности да испуни ваш захтев. Могуће је да је сервер - преоптерећен, или да се десила грешка у CGI скрипти. - - - - -----------sr-- - -Content-language: sv -Content-type: text/html; charset=UTF-8 -Body:----------sv-- - - - - - Servern råkade ut för ett internt fel och det var inte möjligt - att slutföra din begäran. - - - - Felmeddelande: -
    - - - - Servern råkade ut för ett internt fel och det var inte möjligt - att slutföra din begäran. Servern är antingen överbelastad - eller så innehåller CGI-skriptet fel. - - - - -----------sv-- - -Content-language: tr -Content-type: text/html; charset=UTF-8 -Body:----------tr-- - - - - - Sunucuda içsel bir hata oluştuğundan sunucu isteğinizi yerine getiremiyor. - - - - Hata iletisi: -
    - - - - Sunucuda içsel bir hata oluştuğundan sunucu isteğinizi yerine getiremiyor. - Ya sunucu aşırı yüklü ya da CGI betiğinde bir hata oluştu. - - - - -----------tr-- diff --git a/apache/files/error-pages/HTTP_LENGTH_REQUIRED.html.var b/apache/files/error-pages/HTTP_LENGTH_REQUIRED.html.var deleted file mode 100644 index f542b9d4..00000000 --- a/apache/files/error-pages/HTTP_LENGTH_REQUIRED.html.var +++ /dev/null @@ -1,241 +0,0 @@ -Content-language: cs -Content-type: text/html; charset=UTF-8 -Body:----------cs-- - - - Požadavek metodou - vyžaduje korektní hlavičku Content-Length. - - -----------cs-- - -Content-language: de -Content-type: text/html; charset=UTF-8 -Body:----------de-- - - - Die Anfrage kann nicht beantwortet werden. - Bei Verwendung der -Methode - muß ein korrekter Content-Length-Header - angegeben werden. - - -----------de-- - -Content-language: en -Content-type: text/html; charset=UTF-8 -Body:----------en-- - - - A request with the - method requires a valid Content-Length header. - - -----------en-- - -Content-language: es -Content-type: text/html -Body:----------es-- - - - - Una petición con el método requiere que el encabezado - Content-Length sea válido. - - -----------es-- - -Content-language: fr -Content-type: text/html; charset=UTF-8 -Body:----------fr-- - - - Une requête utilisant la méthode nécessite un en-tête - Content-Length (indiquant la longueur) valable. - - -----------fr-- - -Content-language: ga -Content-type: text/html; charset=UTF-8 -Body:----------ga-- - - - Is gá go mbhéadh ceanntáisc - Content-Length - bhailí do iarratais faoin modh - . - - -----------ga-- - - -Content-language: it -Content-type: text/html; charset=UTF-8 -Body:----------it-- - - - Una richiesta con il metodo - - richiede che venga specificato un header Content-Length - valido. - - -----------it-- - -Content-language: ja -Content-type: text/html; charset=UTF-8 -Body:----------ja-- - - - - メソッドのリクエストでは、 - 正しい Content-Length ヘッダが必要になります。 - - -----------ja-- - -Content-language: ko -Content-type: text/html; charset=UTF-8 -Body:----------ko-- - - - 방식을 쓰는 - 요청은 올바른 Content-Length 헤더도 함께 보내야만 합니다. - - -----------ko-- - -Content-language: nl -Content-type: text/html; charset=UTF-8 -Body:----------nl-- - - - Een vraag met het - type methode heeft een correcte Content-Length lijn nodig. - - -----------nl-- - -Content-language: nb -Content-type: text/html; charset=UTF-8 -Body:----------nb-- - - - En forespørsel med - metoden krever en korrekt Content-Length header. - - -----------nb-- - -Content-language: pl -Content-type: text/html; charset=UTF-8 -Body:----------pl-- - - - Żądanie - wymaga poprawnego nagłówka Content-Length. - - -----------pl-- - -Content-language: pt-br -Content-type: text/html; charset=UTF-8 -Body:-------pt-br-- - - - Uma requisição - do método - requer um cabeçalho Content-Length válido. - - --------pt-br-- - -Content-language: pt -Content-type: text/html; charset=ISO-8859-1 -Body:----------pt-- - - - Um pedido com o método - necessita de um cabeçalho Content-Length válido. - - -----------pt-- - -Content-language: ro -Content-type: text/html; charset=UTF-8 -Body:----------ro-- - - - O cerere cu metoda - necesita un header Content-Length valid. - - -----------ro-- - -Content-language: sr -Content-type: text/html; charset=UTF-8 -Body:----------sr-- - - - Захтев са - методом мора имати исправно Content-Length - (дужина садржаја) заглавље. - - -----------sr-- - -Content-language: sv -Content-type: text/html; charset=UTF-8 -Body:----------sv-- - - - En förfrågan med - metoden kräver ett korrekt Content-Length huvud. - - -----------sv-- - -Content-language: tr -Content-type: text/html; charset=UTF-8 -Body:----------tr-- - - - yöntemini kullanan bir istek - geçerli bir Content-Length (içerik uzunluğu) başlığı gerektirir. - - -----------tr-- diff --git a/apache/files/error-pages/HTTP_METHOD_NOT_ALLOWED.html.var b/apache/files/error-pages/HTTP_METHOD_NOT_ALLOWED.html.var deleted file mode 100644 index 1eefb9d7..00000000 --- a/apache/files/error-pages/HTTP_METHOD_NOT_ALLOWED.html.var +++ /dev/null @@ -1,231 +0,0 @@ -Content-language: cs -Content-type: text/html; charset=UTF-8 -Body:----------cs-- - - - Metoda - není pro požadované URL povolena. - - -----------cs-- - -Content-language: de -Content-type: text/html; charset=UTF-8 -Body:----------de-- - - - Die -Methode - ist für den angeforderten URL nicht erlaubt. - - -----------de-- - -Content-language: en -Content-type: text/html; charset=UTF-8 -Body:----------en-- - - - The - method is not allowed for the requested URL. - - -----------en-- - -Content-language: es -Content-type: text/html -Body:----------es-- - - - - No se permite el método - para la URL solicitada. - - -----------es-- - -Content-language: fr -Content-type: text/html; charset=UTF-8 -Body:----------fr-- - - - La méthode - n'est pas utilisable pour l'URL demandée. - - -----------fr-- - -Content-language: ga -Content-type: text/html; charset=UTF-8 -Body:----------ga-- - - - Níl cead an modh - - a úasáid leis an URL iarraithe. - - -----------ga-- - -Content-language: it -Content-type: text/html; charset=UTF-8 -Body:----------it-- - - - Il metodo - non è consentito per l'URL richiesto. - - -----------it-- - -Content-language: ja -Content-type: text/html; charset=UTF-8 -Body:----------ja-- - - - - メソッドは、要求された URL に対しては許可されていません。 - - -----------ja-- - -Content-language: ko -Content-type: text/html; charset=UTF-8 -Body:----------ko-- - - - 방식은 - 요청한 URL에 사용할 수 없습니다. - - -----------ko-- - -Content-language: nl -Content-type: text/html; charset=UTF-8 -Body:----------nl-- - - - Het - type methode is niet toegelaten voor de gevraagde URL. - - -----------nl-- - -Content-language: nb -Content-type: text/html; charset=UTF-8 -Body:----------nb-- - - - metoden er ikke - tillatt for den forespurte adressen. - - -----------nb-- - -Content-language: pl -Content-type: text/html; charset=UTF-8 -Body:----------pl-- - - - Metoda - jest niedozwolona dla podanego URL-a. - - -----------pl-- - -Content-language: pt-br -Content-type: text/html; charset=UTF-8 -Body:-------pt-br-- - - - O método - não é permitido para a URL requisitada. - - --------pt-br-- - -Content-language: pt -Content-type: text/html; charset=ISO-8859-1 -Body:----------pt-- - - - O método não - é permitido para o URL pedido. - - -----------pt-- - -Content-language: ro -Content-type: text/html; charset=UTF-8 -Body:----------ro-- - - - Metoda - nu este permisa pentru URL-ul cerut. - - -----------ro-- - -Content-language: sr -Content-type: text/html; charset=UTF-8 -Body:----------sr-- - - - - метод није дозвољен за захтевани УРЛ. - - -----------sr-- - -Content-language: sv -Content-type: text/html; charset=UTF-8 -Body:----------sv-- - - - - metoden är inte tillåten för den förfrågade - adressen. - - -----------sv-- - -Content-language: tr -Content-type: text/html; charset=UTF-8 -Body:----------tr-- - - - - yöntemi istediğiniz URL için kullanılamaz. - - -----------tr-- diff --git a/apache/files/error-pages/HTTP_NOT_FOUND.html.var b/apache/files/error-pages/HTTP_NOT_FOUND.html.var deleted file mode 100644 index 442f4968..00000000 --- a/apache/files/error-pages/HTTP_NOT_FOUND.html.var +++ /dev/null @@ -1,464 +0,0 @@ -Content-language: cs -Content-type: text/html; charset=UTF-8 -Body:----------cs-- - - - Požadované URL nebylo na tomto serveru nalezeno. - - - - Zdá se, že odkaz na - ">odkazující - stránce je chybný nebo zastaralý. Informujte, prosím, autora - ">této stránky - o chybě. - - - - Pokud jste zadal(a) URL ručně, zkontrolujte, prosím, - zda jste zadal(a) URL správně, a zkuste to znovu. - - - - -----------cs-- - -Content-language: de -Content-type: text/html; charset=UTF-8 -Body:----------de-- - - - Der angeforderte URL konnte auf dem Server nicht gefunden werden. - - - - Der Link auf der - ">verweisenden - Seite scheint falsch oder nicht mehr aktuell zu sein. - Bitte informieren Sie den Autor - ">dieser Seite - über den Fehler. - - - - Sofern Sie den URL manuell eingegeben haben, - überprüfen Sie bitte die Schreibweise und versuchen Sie es erneut. - - - - -----------de-- - -Content-language: en -Content-type: text/html; charset=UTF-8 -Body:----------en-- - - - The requested URL was not found on this server. - - - - The link on the - ">referring - page seems to be wrong or outdated. Please inform the author of - ">that page - about the error. - - - - If you entered the URL manually please check your - spelling and try again. - - - - -----------en-- - -Content-language: es -Content-type: text/html -Body:----------es-- - - - - No se ha localizado la URL solicitada en este servidor. - - - - La URL de la ">página que le ha remitido - parece ser errónea o estar obsoleta. Por favor, informe del error - al autor de ">esa - página. - - - - Si usted ha introducido la URL manualmente, por favor revise su - ortografía e inténtelo de nuevo. - - - - -----------es-- - -Content-language: fr -Content-type: text/html; charset=UTF-8 -Body:----------fr-- - - - L'URL demandée n'a pas pu être trouvée sur ce serveur. - - - - La référence sur - ">la page - citée - semble être erronée ou perimée. Nous vous prions - d'informer l'auteur de - ">cette page - de cette erreur. - - - - Si vous avez tapé l'URL à la main, veuillez vérifier - l'orthographe et réessayer. - - - - -----------fr-- - -Content-language: ga -Content-type: text/html; charset=UTF-8 -Body:----------ga-- - - - Níor aimsigh an URL iarraithe ar an fhreastalaí seo. - - - - Is cosúil go bhfuil an nasc ar an - ">leathanach - thagarthach mícheart nó as dáta. - Cur in iúl d'úadar - " - >an leathanach sin go bhfuil earráid ann, le do thoil. - - - - Má chuir tú isteach an URL tú féin, deimhnigh - go bhfuil sé litrithe i gceart agat, agus déan iarracht eile - le do thoil. - - - - -----------ga-- - -Content-language: it -Content-type: text/html; charset=UTF-8 -Body:----------it-- - - - L'URL richiesto non esiste su questo server. - - - - Il link della - ">pagina da cui - sei arrivato potrebbe essere errato o non essere più valido. - Per favore, informa dell'errore l'autore della - ">pagina. - - - - Se hai scritto l'URL a mano, per favore controlla che - non ci siano errori. - - - - -----------it-- - -Content-language: ja -Content-type: text/html; charset=UTF-8 -Body:----------ja-- - - - 要求された URL は本サーバでは見つかりませんでした。 - - - - "> - 参照元ページのリンクが間違っているか、古くなってしまっているようです。 - " - >ページの著者にこのエラーをお知らせ下さい。 - - - - もし手入力で URL を入力した場合は、綴りを確認して再度お試し下さい。 - - - - -----------ja-- - -Content-language: ko -Content-type: text/html; charset=UTF-8 -Body:----------ko-- - - - 요청한 URL을 이 서버에서 찾을 수 없습니다. - - - - ">이전 - 페이지에 있는 링크가 잘못되었거나 오래되어 없어진 것 같습니다. - ">그 페이지를 - 만든이에게 이 사실을 알려주시기 바랍니다. - - - - URL을 직접 입력하셨다면 바르게 입력하셨는지 확인하시고 다시 시도하시기 - 바랍니다. - - - - -----------ko-- - -Content-language: nl -Content-type: text/html; charset=UTF-8 -Body:----------nl-- - - - De gevraagde URL was niet gevonden op deze server. - - - - De link op - ">deze pagina - pagina is verkeerd of achterhaald. Gelieve de auteur van - ">die pagina - in te lichten over deze fout. - - - - Indien u de URL manueel hebt ingevuld, gelieve uw - spelling te controleren en probeer opnieuw. - - - - -----------nl-- - -Content-language: nb -Content-type: text/html; charset=UTF-8 -Body:----------nb-- - - - Den etterspurte adressen finnes ikke på denne serveren. - - - - Lenken på den - ">forrige siden -ser ut til å være feil eller utdatert. Venligst informer forfatteren av - ">siden - om feilen. - - - - Om du skrev inn adressen manuelt, vennligst kontroller stavingen og - forsøk igjen. - - - - -----------nb-- - -Content-language: pl -Content-type: text/html; charset=UTF-8 -Body:----------pl-- - - - Nie znaleziono żądanego URL-a na tym serwerze. - - - - Odnośnik na - ">referującej stronie - wydaje się być nieprawidłowy lub nieaktualny. Poinformuj autora - ">tej strony - o problemie. - - - Jeśli wpisałeś URL-a ręcznie, sprawdź, czy się nie pomyliłeś. - - - - -----------pl-- - -Content-language: pt-br -Content-type: text/html; charset=UTF-8 -Body:-------pt-br-- - - - A URL requisitada não foi encontrada neste servidor. - - - - O link na - ">página - referida parece estar com algum erro ou desatualizado. Por favor informe o - autor ">desta - página sobre o erro. - - - - Se você digitou o endereço (URL) manualmente, - por favor verifique novamente a sintaxe do endereço. - - - - --------pt-br-- - -Content-language: pt -Content-type: text/html; charset=ISO-8859-1 -Body:----------pt-- - - - O método não - é permitido para o URL pedido. - - -----------pt-- - -Content-language: ro -Content-type: text/html; charset=UTF-8 -Body:----------ro-- - - - URL-ul cerut nu a fost gasit pe acest server. - - - - Link-ul de pe - ">pagina - de unde ati venit pare a fi gresit sau invechit. Va rugam informati autorul - ">acestei pagini - despre eroare. - - - - Daca ati introdus URL-ul manual, va rugam verificati - corectitudinea si incercati din nou. - - - - -----------ro-- - -Content-language: sr -Content-type: text/html; charset=UTF-8 -Body:----------sr-- - - - Захтевани УРЛ није пронађен на овом серверу. - - - - Изгледа да је веза на - ">исходишној - страници погрешна или застарела. Молимо обавестите аутора - ">те странице - о грешци. - - - - Уколико сте УРЛ унели ручно, молимо проверите могуће - грешке и пробајте поново. - - - - -----------sr-- - -Content-language: sv -Content-type: text/html; charset=UTF-8 -Body:----------sv-- - - - Den efterfrågade adressen hittades inte på denna server. - - - - Länken på den - ">tidigare sidan - verkar vara felaktig eller inaktuell. Vänligen informera författaren av - ">sidan - om felet. - - - - Om du skrev in adressen manuellt så kontrollera din stavning och - försök igen. - - - - -----------sv-- - -Content-language: tr -Content-type: text/html; charset=UTF-8 -Body:----------tr-- - - - Talep ettiğiniz URL, sunucu üzerinde bulunmuyor. - - - - ">İstek yapılan sayfa - üzerindeki bağlantı güncel değil. Lütfen ">sayfa yazarını hata hakkında bilgilendirin. - - - - URL'yi elle girdiyseniz, yazdıklarınızı gözden geçirip yeniden deneyin. - - - - -----------tr-- diff --git a/apache/files/error-pages/HTTP_NOT_IMPLEMENTED.html.var b/apache/files/error-pages/HTTP_NOT_IMPLEMENTED.html.var deleted file mode 100644 index 8dc2f7d9..00000000 --- a/apache/files/error-pages/HTTP_NOT_IMPLEMENTED.html.var +++ /dev/null @@ -1,219 +0,0 @@ -Content-language: cs -Content-type: text/html; charset=UTF-8 -Body:----------cs-- - - - Server nepodporuje akci požadovanou prohlížečem. - - -----------cs-- - -Content-language: de -Content-type: text/html; charset=UTF-8 -Body:----------de-- - - - Die vom Browser angeforderte Aktion wird vom Server - nicht unterstützt. - - -----------de-- - -Content-language: en -Content-type: text/html; charset=UTF-8 -Body:----------en-- - - - The server does not support the action requested by the browser. - - -----------en-- - -Content-language: es -Content-type: text/html -Body:----------es-- - - - - El servidor no soporta la acción - solicitada por el navegador. - - -----------es-- - -Content-language: fr -Content-type: text/html; charset=UTF-8 -Body:----------fr-- - - - Le serveur n'est pas en mesure d'effectuer l'action - demandée par le navigateur. - - -----------fr-- - -Content-language: ga -Content-type: text/html; charset=UTF-8 -Body:----------ga-- - - - Níl tacaíocht ag an fhreastalaí don gníomh - atá á iarraidh ag an mbrabhsálaí. - - -----------ga-- - -Content-language: it -Content-type: text/html; charset=UTF-8 -Body:----------it-- - - - Il server non supporta il tipo di azione richiesta dal browser. - - -----------it-- - -Content-language: ja -Content-type: text/html; charset=UTF-8 -Body:----------ja-- - - - ブラウザの要求したアクションは、サポートしていません。 - - -----------ja-- - -Content-language: ko -Content-type: text/html; charset=UTF-8 -Body:----------ko-- - - - 브라우저가 보낸 요청을 이 서버가 지원하지 않습니다. - - -----------ko-- - -Content-language: nl -Content-type: text/html; charset=UTF-8 -Body:----------nl-- - - - De server ondersteunt de actie, gevraagd door de browser, niet. - - -----------nl-- - -Content-language: nb -Content-type: text/html; charset=UTF-8 -Body:----------nb-- - - - Serveren støtter ikke den handlingen som ønskes utført av - nettleseren. - - -----------nb-- - -Content-language: pl -Content-type: text/html; charset=UTF-8 -Body:----------pl-- - - - Ten serwer nie obsługuje żądania przesłanego przez przeglądarkę. - - -----------pl-- - -Content-language: pt-br -Content-type: text/html; charset=UTF-8 -Body:-------pt-br-- - - - O servidor não suporta a ação requisitada pelo - seu "browser". - - --------pt-br-- - -Content-language: pt -Content-type: text/html; charset=ISO-8859-1 -Body:----------pt-- - - - O servidor não suporta a acção pedida pelo - browser. - - -----------pt-- - -Content-language: ro -Content-type: text/html; charset=UTF-8 -Body:----------ro-- - - - Serverul nu suporta actiunea ceruta de browser. - - -----------ro-- - -Content-language: sr -Content-type: text/html; charset=UTF-8 -Body:----------sr-- - - - Сервер не подржава акцију коју је читач захтевао. - - -----------sr-- - -Content-language: sv -Content-type: text/html; charset=UTF-8 -Body:----------sv-- - - - Servern stödjer inte den handling som önskades - av webbläsaren. - - -----------sv-- - -Content-language: tr -Content-type: text/html; charset=UTF-8 -Body:----------tr-- - - - Sunucu, tarayıcı tarafından istenen eylemi desteklemiyor. - - -----------tr-- diff --git a/apache/files/error-pages/HTTP_PRECONDITION_FAILED.html.var b/apache/files/error-pages/HTTP_PRECONDITION_FAILED.html.var deleted file mode 100644 index da69e2b6..00000000 --- a/apache/files/error-pages/HTTP_PRECONDITION_FAILED.html.var +++ /dev/null @@ -1,222 +0,0 @@ -Content-language: cs -Content-type: text/html; charset=UTF-8 -Body:----------cs-- - - - Vstupní podmínka pro požadavek o zadané URL nesplnila pozitivní - vyhodnocení. - - -----------cs-- - -Content-language: de -Content-type: text/html; charset=UTF-8 -Body:----------de-- - - - Die für den Abruf der angeforderten URL notwendige - Vorbedingung wurde nicht erfüllt. - - -----------de-- - -Content-language: en -Content-type: text/html; charset=UTF-8 -Body:----------en-- - - - The precondition on the request for the URL failed positive evaluation. - - -----------en-- - -Content-language: es -Content-type: text/html -Body:----------es-- - - - - No se ha evaluado positivamente la pre-condición - de la petición para la URL. - - -----------es-- - -Content-language: fr -Content-type: text/html; charset=UTF-8 -Body:----------fr-- - - - La précondition pour l'URL demandé a été - évaluée négativement. - - -----------fr-- - -Content-language: ga -Content-type: text/html; charset=UTF-8 -Body:----------ga-- - - - Theip meastóireacht an réamhchoinníoll - don iarratais den URL. - - -----------ga-- - -Content-language: it -Content-type: text/html; charset=UTF-8 -Body:----------it-- - - - I criteri di precondizione per consentire l'invio dell'URL - richiesto non sono stati soddisfatti. - - -----------it-- - -Content-language: ja -Content-type: text/html; charset=UTF-8 -Body:----------ja-- - - - 指定された URL へのリクエストにおける事前条件が満たされませんでした。 - - -----------ja-- - -Content-language: ko -Content-type: text/html; charset=UTF-8 -Body:----------ko-- - - - 미리 주어진 조건이 만족되지 않아서 URL 요청을 처리할 수 없습니다. - - -----------ko-- - -Content-language: nl -Content-type: text/html; charset=UTF-8 -Body:----------nl-- - - - Een startvoorwaarde werd niet voldaan bij verwerking van de vraag naar de URL. - - -----------nl-- - -Content-language: nb -Content-type: text/html; charset=UTF-8 -Body:----------nb-- - - - Den nødvendige forutsetningen for forespørselen passerte ikke - vurderingen med positivt resultat. - - -----------nb-- - -Content-language: pl -Content-type: text/html; charset=UTF-8 -Body:----------pl-- - - - Warunek wstępny dla URL-a nie został spełniony. - - -----------pl-- - -Content-language: pt-br -Content-type: text/html; charset=UTF-8 -Body:-------pt-br-- - - - A condição necessária para a - requisição da URL foi avaliada como falsa. - - --------pt-br-- - -Content-language: pt -Content-type: text/html; charset=ISO-8859-1 -Body:----------pt-- - - - A condição necessária ao pedido do URL - foi avaliada com resultado negativo. - - -----------pt-- - -Content-language: ro -Content-type: text/html; charset=UTF-8 -Body:----------ro-- - - - Preconditionarea pentru cererea URL-ului nu a fost evaluata pozitiv. - - -----------ro-- - -Content-language: sr -Content-type: text/html; charset=UTF-8 -Body:----------sr-- - - - Предуслов за захтев УРЛ-а није испуњен. - - -----------sr-- - -Content-language: sv -Content-type: text/html; charset=UTF-8 -Body:----------sv-- - - - Den nödvändiga förutsättningen för - adressförfrågan passerade inte utvärderingen - med acceptabelt resultat. - - -----------sv-- - -Content-language: tr -Content-type: text/html; charset=UTF-8 -Body:----------tr-- - - - URL talebinin önkoşulu olumlanamadı. - - -----------tr-- diff --git a/apache/files/error-pages/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var b/apache/files/error-pages/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var deleted file mode 100644 index 20bceff6..00000000 --- a/apache/files/error-pages/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var +++ /dev/null @@ -1,246 +0,0 @@ -Content-language: cs -Content-type: text/html; charset=UTF-8 -Body:----------cs-- - - - Metoda - nedovoluje přenos dat nebo objem dat - přesahuje kapacitní limit. - - -----------cs-- - -Content-language: de -Content-type: text/html; charset=UTF-8 -Body:----------de-- - - - Die bei der Anfrage übermittelten Daten sind für - die -Methode - nicht erlaubt oder die Datenmenge hat das Maximum überschritten. - - -----------de-- - -Content-language: en -Content-type: text/html; charset=UTF-8 -Body:----------en-- - - - The - method does not allow the data transmitted, or the data volume - exceeds the capacity limit. - - -----------en-- - -Content-language: es -Content-type: text/html -Body:----------es-- - - - - El método - no permite transmitir la información, o el - volumen de la información excede los límites - de capacidad del mismo. - - -----------es-- - -Content-language: fr -Content-type: text/html; charset=UTF-8 -Body:----------fr-- - - - La méthode - n'autorise pas le transfert de ces données ou bien le volume - des données excède la limite de capacité. - - -----------fr-- - -Content-language: ga -Content-type: text/html; charset=UTF-8 -Body:----------ga-- - - - Ní ligeann an modh an - tarchur sonraíocht tríd, nó tá an méid - sonraíocht breis ar an teoireann cumas. - - -----------ga-- - -Content-language: it -Content-type: text/html; charset=UTF-8 -Body:----------it-- - - - Il metodo - non consente di trasferire dati, oppure la quantità di dati - richiesti è eccessiva. - - -----------it-- - -Content-language: ja -Content-type: text/html; charset=UTF-8 -Body:----------ja-- - - - - メソッドがデータの送信を許可していないか、 - データ量が許容量を超えています。 - - -----------ja-- - -Content-language: ko -Content-type: text/html; charset=UTF-8 -Body:----------ko-- - - - 방식의 - 요청으로는 내용을 보낼 수 없거나, 또는 보내온 내용이 그 방식에서 허용하는 - 최대 길이를 넘었습니다. - - -----------ko-- - -Content-language: nl -Content-type: text/html; charset=UTF-8 -Body:----------nl-- - - - Het type methode laat niet toe - data te versturen of het datavolume is groter dan maximaal toegelaten. - - -----------nl-- - -Content-language: nb -Content-type: text/html; charset=UTF-8 -Body:----------nb-- - - - metoden tillater ikke - de sendte data eller så overskrider datamengenden - kapasitetsbegrensningen. - - -----------nb-- - -Content-language: pl -Content-type: text/html; charset=UTF-8 -Body:----------pl-- - - - Metoda - nie zezwala na typ przesyłanych danych lub rozmiar danych przekracza - ustalony limit. - - -----------pl-- - -Content-language: pt-br -Content-type: text/html; charset=UTF-8 -Body:-------pt-br-- - - - O método - não permite a transmissão dos dados, - ou o volume de dados excede a capacidade limite. - - --------pt-br-- - -Content-language: pt -Content-type: text/html; charset=ISO-8859-1 -Body:----------pt-- - - - O método - não permite todos os dados que foram transmitidos, - ou o volume de dados excede o limite da capacidade. - - -----------pt-- - -Content-language: ro -Content-type: text/html; charset=UTF-8 -Body:----------ro-- - - - Metoda - nu permite transmiterea datelor, sau volumul de date - depaseste limita capacitatii. - - -----------ro-- - -Content-language: sr -Content-type: text/html; charset=UTF-8 -Body:----------sr-- - - - - метод не дозвољава пренос ових података, или количина података - премашује ограничења могућности. - - -----------sr-- - -Content-language: sv -Content-type: text/html; charset=UTF-8 -Body:----------sv-- - - - metoden tillåter - inte den skickade datan eller så överskrider datavolymen - kapacitetsnivån. - - -----------sv-- - -Content-language: tr -Content-type: text/html; charset=UTF-8 -Body:----------tr-- - - - yöntemi ya veri aktarımına - izin vermiyor ya da veri hacmi işlenemeyecek kadar büyük. - - -----------tr-- diff --git a/apache/files/error-pages/HTTP_REQUEST_TIME_OUT.html.var b/apache/files/error-pages/HTTP_REQUEST_TIME_OUT.html.var deleted file mode 100644 index 85004a0e..00000000 --- a/apache/files/error-pages/HTTP_REQUEST_TIME_OUT.html.var +++ /dev/null @@ -1,234 +0,0 @@ -Content-language: cs -Content-type: text/html; charset=UTF-8 -Body:----------cs-- - - - Server uzavřel síťové spojení, protože prohlížeč - nedokončil požadavek ve stanoveném čase. - - -----------cs-- - -Content-language: de -Content-type: text/html; charset=UTF-8 -Body:----------de-- - - - Der Server konnte nicht mehr länger auf die Beendigung - der Browseranfrage warten; die Netzwerkverbindung wurde - vom Server geschlossen. - - -----------de-- - -Content-language: en -Content-type: text/html; charset=UTF-8 -Body:----------en-- - - - The server closed the network connection because the browser - didn't finish the request within the specified time. - - -----------en-- - -Content-language: es -Content-type: text/html -Body:----------es-- - - - - El servidor ha cerrado la conexión de red - debido a que el navegador no ha finalizado la solicitud - dentro del tiempo permitido. - - -----------es-- - -Content-language: fr -Content-type: text/html; charset=UTF-8 -Body:----------fr-- - - - Le serveur a fermé la connection car le navigateur n'a pas - fini la requête dans le temps spécifié. - - -----------fr-- - -Content-language: ga -Content-type: text/html; charset=UTF-8 -Body:----------ga-- - - - Dún an freastalaí an nasc líonra, - mar níor chríochnaidh an brabhsálaí - leis an iarratais, taobh istigh den am sonraithe. - - -----------ga-- - -Content-language: it -Content-type: text/html; charset=UTF-8 -Body:----------it-- - - - Il server ha chiuso la connessione in quanto è stato - superato il limite di tempo entro il quale il browser avrebbe - dovuto eseguire la richiesta. - - -----------it-- - -Content-language: ja -Content-type: text/html; charset=UTF-8 -Body:----------ja-- - - - ブラウザが指定時間以内にリクエストを完了しなかったので、 - サーバは接続を切りました。 - - -----------ja-- - -Content-language: ko -Content-type: text/html; charset=UTF-8 -Body:----------ko-- - - - 브라우저가 너무 오랫동안 요청을 끝내지 않아서 서버가 네트워크 연결을 - 강제로 끊었습니다. - - -----------ko-- - -Content-language: nl -Content-type: text/html; charset=UTF-8 -Body:----------nl-- - - - De server heeft de netwerkverbinding gesloten omdat de browser - de vraag niet heeft beëindigd binnen een gestelde tijd. - - -----------nl-- - -Content-language: nb -Content-type: text/html; charset=UTF-8 -Body:----------nb-- - - - Serveren stengte forbindelsen fordi nettleseren ikke avsluttet - forespørselen innen tidsgrensen. - - -----------nb-- - -Content-language: pl -Content-type: text/html; charset=UTF-8 -Body:----------pl-- - - - Serwer zamknął połączenie sieciowe, ponieważ przeglądarka - nie zakończyła operacji w przewidywanym czasie. - - -----------pl-- - -Content-language: pt-br -Content-type: text/html; charset=UTF-8 -Body:-------pt-br-- - - - O servidor encerrou a conexão porque o "browser" - não finalizou a requisição dentro - do tempo limite. - - --------pt-br-- - -Content-language: pt -Content-type: text/html; charset=ISO-8859-1 -Body:----------pt-- - - - O servidor interrompeu a ligação de rede porque o - browser não terminou o pedido dentro do tempo limite. - - -----------pt-- - -Content-language: ro -Content-type: text/html; charset=UTF-8 -Body:----------ro-- - - - Serverul a terminat conexiunea cu browserul pentru ca acesta - nu a terminat cererea in limita timpului specificat. - - -----------ro-- - -Content-language: sr -Content-type: text/html; charset=UTF-8 -Body:----------sr-- - - - Сервер је прекинуо везу са мрежом јер читач - није завршио захтев за дозвољено време. - - -----------sr-- - -Content-language: sv -Content-type: text/html; charset=UTF-8 -Body:----------sv-- - - - Servern stängde förbindelsen därför att - webbläsaren inte avslutade förfrågan inom - förbestämd tid. - - -----------sv-- - -Content-language: tr -Content-type: text/html; charset=UTF-8 -Body:----------tr-- - - - Tarayıcı isteği zamanında tamamlayamadığından sunucu ağ bağlantısını kapattı. - - -----------tr-- diff --git a/apache/files/error-pages/HTTP_REQUEST_URI_TOO_LARGE.html.var b/apache/files/error-pages/HTTP_REQUEST_URI_TOO_LARGE.html.var deleted file mode 100644 index 4831c472..00000000 --- a/apache/files/error-pages/HTTP_REQUEST_URI_TOO_LARGE.html.var +++ /dev/null @@ -1,235 +0,0 @@ -Content-language: cs -Content-type: text/html; charset=UTF-8 -Body:----------cs-- - - - Délka požadovaného URL přesahuje kapacitní limit tohoto - serveru. Požadavek nemůže být zpracován. - - -----------cs-- - -Content-language: de -Content-type: text/html; charset=UTF-8 -Body:----------de-- - - - Der bei der Anfrage übermittelte URI überschreitet - die maximale Länge. - Die Anfrage kann nicht ausgeführt werden. - - -----------de-- - -Content-language: en -Content-type: text/html; charset=UTF-8 -Body:----------en-- - - - The length of the requested URL exceeds the capacity limit for - this server. The request cannot be processed. - - -----------en-- - -Content-language: es -Content-type: text/html -Body:----------es-- - - - - La longitud de la URL solicitada excede el límite de - capacidad para este servidor. No se puede procesar la solicitud. - - -----------es-- - -Content-language: fr -Content-type: text/html; charset=UTF-8 -Body:----------fr-- - - - La longueur de l'URL demandée excède la limite de - capacitè pour ce serveur. Nous ne pouvons donner suite - à votre requête. - - -----------fr-- - -Content-language: ga -Content-type: text/html; charset=UTF-8 -Body:----------ga-- - - - Tá faid an URL iarraithe breis ar an teorainn cumas don - freastalaí seo. Ní féidir an iarratas a - phróiseáil. - - -----------ga-- - -Content-language: it -Content-type: text/html; charset=UTF-8 -Body:----------it-- - - - La lunghezza dell'indirizzo (URL) trasmesso supera il - limite massimo imposto da questo server. - La richiesta non può essere soddisfatta. - - -----------it-- - -Content-language: ja -Content-type: text/html; charset=UTF-8 -Body:----------ja-- - - - リクエストの URL の長さが、扱える長さを超えています。 - リクエストの処理を続けられません。 - - -----------ja-- - -Content-language: ko -Content-type: text/html; charset=UTF-8 -Body:----------ko-- - - - 요청한 URL이 너무 길어서 이 서버가 처리할 수 없습니다. - - -----------ko-- - -Content-language: nl -Content-type: text/html; charset=UTF-8 -Body:----------nl-- - - - De lengte van de aangeboden URL overschreidt het maximum - voor deze server. De vraag kan niet verwerkt worden. - - -----------nl-- - -Content-language: nb -Content-type: text/html; charset=UTF-8 -Body:----------nb-- - - - Lengden på adressen som etterspurtes overskrider - kapasitetsgrensen for denne serveren. Forespørselen kan - ikke prosesseres. - - -----------nb-- - -Content-language: pl -Content-type: text/html; charset=UTF-8 -Body:----------pl-- - - - Długość żądanego URL-a przekracza limit ustanowiony dla tego - serwera. Żądanie nie może zostać zrealizowane. - - -----------pl-- - -Content-language: pt-br -Content-type: text/html; charset=UTF-8 -Body:-------pt-br-- - - - O tamanho do endereço (URL) excede a capacidade limite - desse servidor. A requisição não pode ser - processada. - - --------pt-br-- - -Content-language: pt -Content-type: text/html; charset=ISO-8859-1 -Body:----------pt-- - - - O tamanho do URL pedido excede o limite da capacidade deste - servidor. O pedido não pode ser processado. - - -----------pt-- - -Content-language: ro -Content-type: text/html; charset=UTF-8 -Body:----------ro-- - - - Lungimea URL-ului cerut depaseste limita capacitatii pentru - acest server. Cererea nu poate fi procesata. - - -----------ro-- - -Content-language: sr -Content-type: text/html; charset=UTF-8 -Body:----------sr-- - - - Дужина захтеваног УРЛ-а премашује ограничења могућности - овог сервера. Захтев не може бити обрађен. - - -----------sr-- - -Content-language: sv -Content-type: text/html; charset=UTF-8 -Body:----------sv-- - - - Längden på adressen som efterfrågas överskrider - kapacitetsgränsen för denna server. Förfrågan kan - inte verkställas. - - -----------sv-- - -Content-language: tr -Content-type: text/html; charset=UTF-8 -Body:----------tr-- - - - Talep edilen URI'nin uzunluğu, sunucunun sınırlarını - aştığından istek yerine getirilemiyor. - - -----------tr-- diff --git a/apache/files/error-pages/HTTP_SERVICE_UNAVAILABLE.html.var b/apache/files/error-pages/HTTP_SERVICE_UNAVAILABLE.html.var deleted file mode 100644 index e5905ebb..00000000 --- a/apache/files/error-pages/HTTP_SERVICE_UNAVAILABLE.html.var +++ /dev/null @@ -1,250 +0,0 @@ -Content-language: cs -Content-type: text/html; charset=UTF-8 -Body:----------cs-- - - - Server dočasně nemůže zpracovat Váš požadavek - kvůli údržbě nebo kapacitním problémům. - Zkuste to, prosím, později. - - -----------cs-- - -Content-language: de -Content-type: text/html; charset=UTF-8 -Body:----------de-- - - - Der Server ist derzeit nicht in der Lage die Anfrage - zu bearbeiten. Entweder ist der Server derzeit überlastet - oder wegen Wartungsarbeiten nicht verfügbar. - Bitte versuchen Sie es später wieder. - - -----------de-- - -Content-language: en -Content-type: text/html; charset=UTF-8 -Body:----------en-- - - - The server is temporarily unable to service your - request due to maintenance downtime or capacity - problems. Please try again later. - - -----------en-- - -Content-language: es -Content-type: text/html -Body:----------es-- - - - - El servidor no puede procesar su solicitud en este momento - debido a tareas de mantenimiento o a problemas de capacidad. - Por favor, inténtelo de nuevo más tarde. - - -----------es-- - -Content-language: fr -Content-type: text/html; charset=UTF-8 -Body:----------fr-- - - - En raison de travaux de maintenance ou de problèmes - de capacité le serveur n'est pas en mesure de répondre - à votre requête pour l'instant. Veuillez réessayer - plus tard. - - -----------fr-- - -Content-language: ga -Content-type: text/html; charset=UTF-8 -Body:----------ga-- - - - Níl an freastalaí seo in ann do chuid - iarratais a líonadh ag an am seo, toisc - cóthábháil nó fhaidhbeanna cumas. - Déan iarracht eile níos déanaí, le do thoil. - -----------ga-- - -Content-language: it -Content-type: text/html; charset=UTF-8 -Body:----------it-- - - - Il server in questo momento non è in grado di - soddisfare la richiesta per motivi di manutenzione - o di sovraccarico del sistema. - Per favore, riprova più tardi. - - -----------it-- - -Content-language: ja -Content-type: text/html; charset=UTF-8 -Body:----------ja-- - - - メンテナンスで停止中か、サーバの処理能力の問題のため、 - 現在リクエストに応じることができません。 - 後ほど再度お試し下さい。 - - -----------ja-- - -Content-language: ko -Content-type: text/html; charset=UTF-8 -Body:----------ko-- - - - 관리 작업이나 용량 문제로 서버가 잠시동안 요청을 처리할 수 없습니다. - 나중에 다시 시도해주시기 바랍니다. - - -----------ko-- - -Content-language: nl -Content-type: text/html; charset=UTF-8 -Body:----------nl-- - - - De server kan tijdelijk uw vraag niet verwerken - door onderhoud of problemen met de capaciteit van de server. - Gelieve later nog eens opnieuw te proberen. - - -----------nl-- - -Content-language: nb -Content-type: text/html; charset=UTF-8 -Body:----------nb-- - - - Serveren er midlertidig ikke i stand til å utføre din - forespørsel. Vennligst prøv igjen senere. - - -----------nb-- - -Content-language: pl -Content-type: text/html; charset=UTF-8 -Body:----------pl-- - - - Serwer nie może zrealizować twojego żądania - ze względu na konserwację lub zbyt duże obciążenie. - Prosimy spróbować później. - - -----------pl-- - -Content-language: pt-br -Content-type: text/html; charset=UTF-8 -Body:-------pt-br-- - - - O servidor está temporariamente fora de serviço - para manutanção ou devido a problemas de capacidade. - Por favor tente acessar mais tarde. - - --------pt-br-- - -Content-language: pt -Content-type: text/html; charset=ISO-8859-1 -Body:----------pt-- - - - O servidor está temporáriamente incapaz de servir - o seu pedido devido a uma interrupção para - manutenção ou problemas de capacidade. Por favor - tente de novo mais tarde. - - -----------pt-- - -Content-language: ro -Content-type: text/html; charset=UTF-8 -Body:----------ro-- - - - Serverul nu poate, temporar, sa raspunda cererii - dumneavoastra datorita intretinerii acestuia sau a - unor probleme de capacitate. Va rugam incercati mai tarziu. - - -----------ro-- - -Content-language: sr -Content-type: text/html; charset=UTF-8 -Body:----------sr-- - - - Сервер тренутно није у могућности да услужи ваш - захтев пошто је затворен због одржавања или има недовољан - капацитет. Молимо покушајте поново касније. - - -----------sr-- - -Content-language: sv -Content-type: text/html; charset=UTF-8 -Body:----------sv-- - - - Servern är för tillfället oförmögen att - utföra din förfrågan på grund av underhåll - eller kapacitetsbegränsningar. Vänligen försök - igen senare. - - -----------sv-- - -Content-language: tr -Content-type: text/html; charset=UTF-8 -Body:----------tr-- - - - Sunucu, bakım gerektiren çeşitli sorunlardan ötürü, - bir süreliğine taleplerinize yanıt veremiyor. - Lütfen daha sonra tekrar deneyin. - - -----------tr-- diff --git a/apache/files/error-pages/HTTP_UNAUTHORIZED.html.var b/apache/files/error-pages/HTTP_UNAUTHORIZED.html.var deleted file mode 100644 index 2a8994f0..00000000 --- a/apache/files/error-pages/HTTP_UNAUTHORIZED.html.var +++ /dev/null @@ -1,370 +0,0 @@ -Content-language: cs -Content-type: text/html; charset=UTF-8 -Body:----------cs-- - - - Server nemohl ověřit, že jste autorizován(a) k přístupu - k URL "". - Buď jste dodal(a) neplatné pověření (např. chybné heslo) nebo Váš - prohlížeč neumí dodat požadované ověření. - - - - V případě, že smíte požadovat tento dokument, zkontrolujte, prosím, - Vaši uživatelskou identifikaci a heslo a zkuste to znovu. - - -----------cs-- - -Content-language: de -Content-type: text/html; charset=UTF-8 -Body:----------de-- - - - Der Server konnte nicht verifizieren, ob Sie autorisiert sind, - auf den URL "" zuzugreifen. - Entweder wurden falsche Referenzen (z.B. ein falsches Passwort) - angegeben oder ihr Browser versteht nicht, wie die geforderten - Referenzen zu übermitteln sind. - - - - Sofern Sie für den Zugriff berechtigt sind, überprüfen - Sie bitte die eingegebene User-ID und das Passwort und versuchen Sie - es erneut. - - -----------de-- - -Content-language: en -Content-type: text/html; charset=UTF-8 -Body:----------en-- - - - This server could not verify that you are authorized to access - the URL "". - You either supplied the wrong credentials (e.g., bad password), or your - browser doesn't understand how to supply the credentials required. - - - - In case you are allowed to request the document, please - check your user-id and password and try again. - - -----------en-- - -Content-language: es -Content-type: text/html -Body:----------es-- - - - - El servidor no puede certificar que usted esté autorizado - para acceder a la URL "". - Ha podido suministrar información incorrecta (ej. - contraseña no válida) o el navegador no sabe - cómo suministrar la información requerida. - - - - En caso de que usted tenga permiso para acceder al documento, - por favor verifique su nombre de usuario y contraseña y - vuélvalo a intentar. - - -----------es-- - -Content-language: fr -Content-type: text/html; charset=UTF-8 -Body:----------fr-- - - - Ce server n'a pas été en mesure de vérifier que - vous êtes autorisé à accéder à cette - URL "". - - Vous avez ou bien fourni des coordonnées erronées - (p.ex. mot de passe inexact) ou bien votre navigateur ne parvient - pas à fournir les données exactes. - - - - Si vous êtes autorisé à requérir le document, - veuillez vérifier votre nom d'utilisateur et votre mot de passe - et réessayer. - - -----------fr-- - -Content-language: ga -Content-type: text/html; charset=UTF-8 -Body:----------ga-- - - - Níorbh fhéidir leis an freastalaí a dheimhniú - go bhfuil an údaráis agat rochtain a dheanamh ar an URL - "". Is féidir go - soláthair tú faisnéis mícheart (m.s., - pasfhocail mícheart), nó nach dtuigeann do chuid - brabhsálaí conas an faisnéis is gá a - soláthair i gceart. - - - - Más é gur ceart go mbhéadh cead agat iarratais a - dheanamh don doiciméid, deimhnigh go bhfuil do chuid ainm - úsáideora agus pasfhocal i gceart, agus dean iarracht eile, - le do thoil. - - -----------ga-- - -Content-language: it -Content-type: text/html; charset=UTF-8 -Body:----------it-- - - - Questo server non può verificare l'autorizzazione - all'accesso a "". - Questo errore potrebbe essere causato da credenziali errate - (nome utente o password errata) oppure da un browser che non - riesce a comunicare il nome utente e la password in modo corretto. - - - - Nel caso in cui ritieni di aver diritto ad accedere al documento, - controlla il nome utente e la password forniti e riprova. - - -----------it-- - -Content-language: ja -Content-type: text/html; charset=UTF-8 -Body:----------ja-- - - - URL "" - へのアクセス権限があることを確認できませんでした。 - 間違った資格情報 (例えば、誤ったパスワード) を入力したか、 - ブラウザが必要な資格情報を送信する方法を理解していないかです。 - - - - ドキュメントを要求できる筈である場合は、 - ユーザ ID とパスワードを再確認して下さい。 - - -----------ja-- - -Content-language: ko -Content-type: text/html; charset=UTF-8 -Body:----------ko-- - - - 이 서버가 "" URL을 - 접근할 수 있는 권한이 있는지 확인하지 못했습니다. - 잘못된 인증 정보(가령, 잘못된 암호)를 보냈거나 아니면 - 사용하시는 브라우저가 필요한 인증 정보를 어떻게 보내는지 모르는 것입니다. - - - - 이 문서를 사용할 수 있도록 허가를 받았는데도 이런다면, - 사용자 ID와 암호를 확인하시고 다시 시도하시기 바랍니다. - - -----------ko-- - -Content-language: nl -Content-type: text/html; charset=UTF-8 -Body:----------nl-- - - - De server kon niet controleren of u gemachtigd bent om toegang te krijgen - tot de URL "". - U hebt zich onvoldoende geauthenticeerd ( vb : verkeerd paswoord ), of - uw browser is niet in staat de nodige authentificatiegegevens door te geven. - - - - Indien u toch gemachtigd bent toegang te krijgen tot het document, - controleer uw gebruikersnaam en paswoord en probeer opnieuw. - - -----------nl-- - -Content-language: nb -Content-type: text/html; charset=UTF-8 -Body:----------nb-- - - - Serveren kunne ikke verifisere at du har tillatelse til å besøke - adressen "". Enten - oppga du feil opplysninger (f.eks. feil passord) eller så støtter - ikke din nettleser dette autentiseringsystemet. - - - - Om du har tillatelse til å besøke siden, vennligst kontroler ditt - brukernavn og passord og forsøk igjen. - - -----------nb-- - - -Content-language: pl -Content-type: text/html; charset=UTF-8 -Body:----------pl-- - - - Serwer nie może zweryfikować, że masz uprawnienia dostępu do - URL-a "". - Nie podałeś prawidłowych danych autoryzacyjnych (np. hasła) - lub twoja przeglądarka nie potrafi ich przesłać. - - - - Jeśli masz prawo dostępu do żądanego dokumentu, sprawdź - podaną nazwę użytkownika i hasło. - - -----------pl-- - -Content-language: pt-br -Content-type: text/html; charset=UTF-8 -Body:-------pt-br-- - - - Este servidor não pode autorizar o seu acesso à URL - "". - Você deve ter fornecido dados incorretos (ex. senha errada), ou o seu - "browser" não fornece as credenciais necessárias. - - - - No caso de você realmente possuir permissão para este documento, - por favor checar seu login e sua senha e tentar novamente. - - --------pt-br-- - -Content-language: pt -Content-type: text/html; charset=ISO-8859-1 -Body:----------pt-- - - - Este servidor não conseguiu validar a sua autoridade para aceder - ao URL "". - Ou forneceu as credenciais erradas (e.g.: senha incorrecta) - ou o seu browser não sabe como fornecer as credenciais - necessárias. - - - - Caso lhe seja permitido aceder ao documento, por favor verifique o - seu nome de utilizador e senha e tente de novo. - - -----------pt-- - -Content-language: ro -Content-type: text/html; charset=UTF-8 -Body:----------ro-- - - - Acest server nu a putut verifica daca sunteti autorizat sa accesati - URL-ul "". - Ati furnizat parametrii de acreditare gresiti (ex: parola gresita), sau browserul - dumneavoastra nu poate furniza aceste detalii de acreditare. - - - - In cazul in care nu va este permis sa cereti un document, va rugam - sa va verificati numele de utilizator si parola si sa incercati din nou. - - -----------ro-- - -Content-language: sr -Content-type: text/html; charset=UTF-8 -Body:----------sr-- - - - Овај сервер није могао да потврди да сте овлашћени да приступите - УРЛ-у "". - Могуће је или да сте навели погрешне личне податке (нпр. нетачну лозинку), или да - ваш читач не разуме како да пошаље захтеване личне податке. - - - - Уколико вам је дозвољено да преузимате документ, молимо да - проверите своје корисничко име и лозинку и пробате поново. - - -----------sr-- - -Content-language: sv -Content-type: text/html; charset=UTF-8 -Body:----------sv-- - - - Servern kunde inte verifiera att du har tillåtelse att besöka - adressen "". - Antingen angav du felaktiga uppgifter (ex. fel lösenord) eller så - stödjer inte din webbläsare detta autentiseringssätt. - - - - Om du har tillåtelse att besöka sidan, vänligen kontrollera ditt - användarnamn samt lösenord och försök igen. - - -----------sv-- - -Content-language: tr -Content-type: text/html; charset=UTF-8 -Body:----------tr-- - - - Sunucu "" adresine erişim - izninizi doğrulayamadı. Ya sağladığınız kanıtlar yanlış (yanlış parola gibi) - ya da tarayıcınız bu kanıtların nasıl sağlanacağını bilmiyor. - - - - Eğer erişim izniniz olduğuna eminseniz, lütfen kullanıcı adınızı - ve parolanızı gözden geçirip yeniden deneyin. - - -----------tr-- diff --git a/apache/files/error-pages/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var b/apache/files/error-pages/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var deleted file mode 100644 index 44094cde..00000000 --- a/apache/files/error-pages/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var +++ /dev/null @@ -1,217 +0,0 @@ -Content-language: cs -Content-type: text/html; charset=UTF-8 -Body:----------cs-- - - - Server nepodporuje typ prostředku (media) přeneseného v požadavku. - - -----------cs-- - -Content-language: de -Content-type: text/html; charset=UTF-8 -Body:----------de-- - - - Das bei der Anfrage übermittelte Format (Media Type) - wird vom Server nicht unterstützt. - - -----------de-- - -Content-language: en -Content-type: text/html; charset=UTF-8 -Body:----------en-- - - - The server does not support the media type transmitted in the request. - - -----------en-- - -Content-language: es -Content-type: text/html -Body:----------es-- - - - - El servidor no soporta el tipo - de medio transmitido en la solicitud. - - -----------es-- - -Content-language: fr -Content-type: text/html; charset=UTF-8 -Body:----------fr-- - - - Le serveur ne supporte pas le type de média utilisé - dans votre requête. - - -----------fr-- - -Content-language: ga -Content-type: text/html; charset=UTF-8 -Body:----------ga-- - - - Ní tachaíonn an fhreastalaí an cineáil - meán a sheoladh san iarratais. - - -----------ga-- - -Content-language: it -Content-type: text/html; charset=UTF-8 -Body:----------it-- - - - Il server non è in grado di gestire il - tipo del formato dei dati trasmesso nella richiesta. - - -----------it-- - -Content-language: ja -Content-type: text/html; charset=UTF-8 -Body:----------ja-- - - - リクエストで指定されたメディアタイプはサポートされていません。 - - -----------ja-- - -Content-language: ko -Content-type: text/html; charset=UTF-8 -Body:----------ko-- - - - 요청으로 보내온 미디어 형식을 이 서버가 지원하지 않습니다. - - -----------ko-- - -Content-language: nl -Content-type: text/html; charset=UTF-8 -Body:----------nl-- - - - De server ondersteunt het gevraagde formaat ( media type ) niet. - - -----------nl-- - -Content-language: nb -Content-type: text/html; charset=UTF-8 -Body:----------nb-- - - - Serveren støtter ikke den mediatypen som ble forespurt. - - -----------nb-- - -Content-language: pl -Content-type: text/html; charset=UTF-8 -Body:----------pl-- - - - Serwer nie zna typu danych przesłanych w żądaniu. - - -----------pl-- - -Content-language: pt-br -Content-type: text/html; charset=UTF-8 -Body:-------pt-br-- - - - O servidor não suporta o tipo de mídia - transmitida nesta requisição. - - --------pt-br-- - -Content-language: pt -Content-type: text/html; charset=ISO-8859-1 -Body:----------pt-- - - - O servidor não suporta o media type transmitido no pedido. - - -----------pt-- - -Content-language: ro -Content-type: text/html; charset=UTF-8 -Body:----------ro-- - - - Serverul nu suporta tipul de date trimise in cerere. - - -----------ro-- - -Content-language: sr -Content-type: text/html; charset=UTF-8 -Body:----------sr-- - - - Сервер не подржава врсту медија пренесену у захтеву. - - -----------sr-- - -Content-language: sv -Content-type: text/html; charset=UTF-8 -Body:----------sv-- - - - Servern stödjer inte den mediatyp som skickats i förfrågan. - - -----------sv-- - -Content-language: tr -Content-type: text/html; charset=UTF-8 -Body:----------tr-- - - - Sunucu, istekte belirtilen ortam türünü desteklemiyor. - - -----------tr-- diff --git a/apache/files/error-pages/HTTP_VARIANT_ALSO_VARIES.html.var b/apache/files/error-pages/HTTP_VARIANT_ALSO_VARIES.html.var deleted file mode 100644 index ba9609c6..00000000 --- a/apache/files/error-pages/HTTP_VARIANT_ALSO_VARIES.html.var +++ /dev/null @@ -1,242 +0,0 @@ -Content-language: cs -Content-type: text/html; charset=UTF-8 -Body:----------cs-- - - - Varianta požadované entity má sama více variant. Přístup není možný. - - -----------cs-- - -Content-language: de -Content-type: text/html; charset=UTF-8 -Body:----------de-- - - - Ein Zugriff auf das angeforderte Objekt bzw. einer - Variante dieses Objektes ist nicht möglich, da es ebenfalls - ein variables Objekt darstellt. - - -----------de-- - -Content-language: en -Content-type: text/html; charset=UTF-8 -Body:----------en-- - - - A variant for the requested entity - is itself a negotiable resource. - Access not possible. - - -----------en-- - -Content-language: es -Content-type: text/html -Body:----------es-- - - - - Una variante de la entidad solicitada es por si misma - un recurso negociable. - No es posible tener acceso a la entidad. - - -----------es-- - -Content-language: fr -Content-type: text/html; charset=UTF-8 -Body:----------fr-- - - - Une variante pour l'entité demandée - est elle-même une ressource négociable. - L'accès est impossible. - - -----------fr-- - -Content-language: ga -Content-type: text/html; charset=UTF-8 -Body:----------ga-- - - - Is é ceann de na athraithaí - don aonán iarraithe acmhainn - intráchta féin. - Rochtain dodhéanta. - - -----------ga-- - -Content-language: it -Content-type: text/html; charset=UTF-8 -Body:----------it-- - - - Non è possibile accedere all'entità - richiesta perché è essa stessa - una risorsa negoziabile. - - -----------it-- - -Content-language: ja -Content-type: text/html; charset=UTF-8 -Body:----------ja-- - - - リクエストされたものの variant - はそれ自体もまた、ネゴシエーション可能なリソースです。 - アクセスできませんでした。 - - -----------ja-- - -Content-language: ko -Content-type: text/html; charset=UTF-8 -Body:----------ko-- - - - 요청한 객체의 형태 또한 여러 형태를 가지고 있어서 - 접근이 불가능합니다. - - -----------ko-- - -Content-language: nl -Content-type: text/html; charset=UTF-8 -Body:----------nl-- - - - Een variant van het gevraagde object - is op zich ook een te onderhandelen variant. - Toegang is niet mogelijk. - - -----------nl-- - -Content-language: nb -Content-type: text/html; charset=UTF-8 -Body:----------nb-- - - - En variant av den forespurte enheten er i seg selv en forhandelbar - ressurs. Tilgang ikke mulig. - - -----------nb-- - -Content-language: pl -Content-type: text/html; charset=UTF-8 -Body:----------pl-- - - - Wariant żądanego zasobu jest również zasobem negocjowalnym. - Dostęp jest niemożliwy. - - -----------pl-- - -Content-language: pt-br -Content-type: text/html; charset=UTF-8 -Body:-------pt-br-- - - - Uma variante da entidade de requisição - é por si mesma um recurso negociável. - Acesso não é possível. - - --------pt-br-- - -Content-language: pt -Content-type: text/html; charset=ISO-8859-1 -Body:----------pt-- - - - A variante relativa à entidade pedida é ela mesma - um recurso negociável. Não é possível - ter acesso. - - -----------pt-- - -Content-language: ro -Content-type: text/html; charset=UTF-8 -Body:----------ro-- - - - O varianta pentru entitatea ceruta - este ea insasi o resursa negociabila. - Accesul nu este posibil. - - -----------ro-- - -Content-language: sr -Content-type: text/html; charset=UTF-8 -Body:----------sr-- - - - Варијанта захтеваног ентитета - је и сама ресурс који постоји у више варијанти. - Приступ није могућ. - - -----------sr-- - -Content-language: sv -Content-type: text/html; charset=UTF-8 -Body:----------sv-- - - - En variant av den förfrågade enheten är i - sig själv en giltig resurs. Åtkomst är inte - möjlig. - - -----------sv-- - -Content-language: tr -Content-type: text/html; charset=UTF-8 -Body:----------tr-- - - - İstenen gösterim çeşidinin kendisi zaten kendi içinde uzlaşımlı. - Erişim mümkün değil. - - -----------tr-- diff --git a/apache/files/error-pages/README b/apache/files/error-pages/README deleted file mode 100644 index b660d07e..00000000 --- a/apache/files/error-pages/README +++ /dev/null @@ -1,38 +0,0 @@ - - Multi Language Custom Error Documents - ------------------------------------- - - The 'error' directory contains HTTP error messages in multiple languages. - If the preferred language of a client is available it is selected - automatically via the MultiViews feature. This feature is enabled - by default via the Options, Language and ErrorDocument directives. - - You may configure the design and markup of the documents by modifying - the HTML files in the directory 'error/include'. - - Supported Languages: - - +-----------------------+------------------------------------------+ - | Language | Contributed by | - +-----------------------+------------------------------------------+ - | Brazilian (pt-br) | Ricardo Leite | - | Czech (cs) | Marcel Kolaja | - | Dutch (nl) | Peter Van Biesen | - | English (en) | Lars Eilebrecht | - | French (fr) | Cecile de Crecy | - | German (de) | Lars Eilebrecht | - | Italian (it) | Luigi Rosa | - | Japanese (ja) | TAKAHASHI Makoto | - | Korean (ko) | Jaeho Shin | - | Norwegian Bokmål (nb) | Tom Fredrik Klaussen | - | Polish (pl) | Tomasz Kepczynski | - | Romanian (ro) | Andrei Besleaga | - | Serbian (sr) | Nikola Smolenski | - | Spanish (es) | Karla Quintero | - | Swedish (sv) | Thomas Sjögren | - | Turkish (tr) | Emre Sokullu & Nilgün Belma Bugüner | - | Irish (ga) | Noirin Shirley | - +-----------------------+------------------------------------------+ - (Please see http://httpd.apache.org/docs-project/ if you would - like to contribute the pages in an additional language.) - diff --git a/apache/files/error-pages/contact.html.var b/apache/files/error-pages/contact.html.var deleted file mode 100644 index 62044cf0..00000000 --- a/apache/files/error-pages/contact.html.var +++ /dev/null @@ -1,127 +0,0 @@ -Content-language: cs -Content-type: text/html; charset=UTF-8 -Body:----------cs-- -Pokud si myslíte, že toto je chyba serveru, kontaktujte, prosím, -">webmastera. -----------cs-- - -Content-language: de -Content-type: text/html; charset=UTF-8 -Body:----------de-- -Sofern Sie dies für eine Fehlfunktion des Servers halten, -informieren Sie bitte den -">Webmaster -hierüber. -----------de-- - -Content-language: en -Content-type: text/html; charset=UTF-8 -Body:----------en-- -If you think this is a server error, please contact -the ">webmaster. -----------en-- - -Content-language: es -Content-type: text/html -Body:----------es-- -Si usted cree que esto es un error del servidor, por favor comuníqueselo al -">administrador -del portal. -----------es-- - -Content-language: fr -Content-type: text/html; charset=UTF-8 -Body:----------fr-- -Si vous pensez qu'il s'agit d'une erreur du serveur, veuillez contacter le -">webmestre. -----------fr-- - -Content-language: ga -Content-type: text/html; charset=UTF-8 -Body:----------ga-- -Má cheapann tú gur earráid fhreastalaí í seo, -téigh i dteagmháil leis an -"> -stiúrthóir gréasáin, le do thoil. -----------ga-- - -Content-language: it -Content-type: text/html; charset=UTF-8 -Body:----------it-- -Se pensi che questo sia un errore del server, per favore contatta il -">webmaster. -----------it-- - -Content-language: ja -Content-type: text/html; charset=UTF-8 -Body:----------ja-- -サーバーの障害と思われる場合は、" ->ウェブ管理者までご連絡ください。 -----------ja-- - -Content-language: ko -Content-type: text/html; charset=UTF-8 -Body:----------ko-- -만약 이것이 서버 오류라고 생각되면, -">웹 관리자에게 연락하시기 바랍니다. -----------ko-- - -Content-language: nl -Content-type: text/html; charset=UTF-8 -Body:----------nl-- -Indien u van oordeel bent dat deze server in fout is, gelieve -de ">webmaster te contacteren. -----------nl-- - -Content-language: nb -Content-type: text/html; charset=UTF-8 -Body:----------nb-- -Om du tror dette skyldes en serverfeil, venligst kontakt -">webansvarlig. -----------nb-- - -Content-language: pl -Content-type: text/html; charset=UTF-8 -Body:----------pl-- -Jeśli myślisz, że jest to błąd tego serwera, skontaktuj się z -">administratorem. -----------pl-- - -Content-language: pt-br -Content-type: text/html; charset=UTF-8 -Body:-------pt-br-- -Se você acredita ter encontrado um problema no servidor, -por favor entre em contato com o -">webmaster. --------pt-br-- - -Content-language: ro -Content-type: text/html; charset=UTF-8 -Body:----------ro-- -Va rugam sa il contactati pe -">webmaster -in cazul in care credeti ca aceasta este o eroare a serverului. -----------ro-- - -Content-language: sr -Content-type: text/html; charset=UTF-8 -Body:----------sr-- -Ако мислите да је ово грешка сервера, молимо обавестите -">вебмастера. -----------sr-- - -Content-language: sv -Content-type: text/html; charset=UTF-8 -Body:----------sv-- -Om du tror att detta beror på ett serverfel, vänligen kontakta -">webbansvarig. -----------sv-- - -Content-language: tr -Content-type: text/html; charset=UTF-8 -Body:----------tr-- -Bunun bir sunucu hatası olduğunu düşünüyorsanız, lütfen -">site -yöneticisi ile iletişime geçin. -----------tr-- diff --git a/apache/files/error-pages/include/bottom.html b/apache/files/error-pages/include/bottom.html deleted file mode 100644 index 971de02b..00000000 --- a/apache/files/error-pages/include/bottom.html +++ /dev/null @@ -1,12 +0,0 @@ -

    -

    - -

    - -

    Error

    -
    -
    - -
    - - diff --git a/apache/files/error-pages/include/spacer.html b/apache/files/error-pages/include/spacer.html deleted file mode 100644 index 7d5e5953..00000000 --- a/apache/files/error-pages/include/spacer.html +++ /dev/null @@ -1,2 +0,0 @@ -

    -

    diff --git a/apache/files/error-pages/include/top.html b/apache/files/error-pages/include/top.html deleted file mode 100644 index ae63020e..00000000 --- a/apache/files/error-pages/include/top.html +++ /dev/null @@ -1,21 +0,0 @@ - - -" xml:lang=""> - -<!--#echo encoding="none" var="TITLE" --> -" /> - - - - -

    -

    diff --git a/apache/files/evolinux-custom.conf b/apache/files/evolinux-custom.conf index 397f351b..cc5d73be 100644 --- a/apache/files/evolinux-custom.conf +++ b/apache/files/evolinux-custom.conf @@ -8,3 +8,15 @@ SetEnvIf User-Agent "^BadBot$" GoAway=1 SetEnvIf User-Agent "Nutch" GoAway=1 SetEnvIf User-Agent "ApacheBench" GoAway=1 +# Uncomment for SSL strong security +# +#SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH +#SSLProtocol All -SSLv2 -SSLv3 +#SSLHonorCipherOrder On +#SSLCompression off +#SSLSessionCache shmcb:/var/log/apache2/ssl_gcache_data(512000) +#SSLSessionCacheTimeout 600 +## Stapling not activated by default. Need config. +##SSLUseStapling on +##SSLStaplingCache shmcb:${APACHE_RUN_DIR}/stapling-cache(150000) +# diff --git a/apache/files/evolinux-defaults.conf b/apache/files/evolinux-defaults.conf index 6e7aaeda..ca02d032 100644 --- a/apache/files/evolinux-defaults.conf +++ b/apache/files/evolinux-defaults.conf @@ -12,6 +12,13 @@ MaxRequestsPerChild 0 AllowOverride None Require all granted - # "Require not env XXX" is not supported - # Deny from env=GoAway + # "Require not env XXX" is not supported :( + Deny from env=GoAway + +SSLProtocol all -SSLv2 -SSLv3 +SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4 + + + Require all denied + diff --git a/apache/files/evolinux-localized-error-pages.conf b/apache/files/evolinux-localized-error-pages.conf deleted file mode 100644 index 0658a03e..00000000 --- a/apache/files/evolinux-localized-error-pages.conf +++ /dev/null @@ -1,35 +0,0 @@ - - - - - Alias /error/ "/usr/local/share/apache2/error/" - - - Options IncludesNoExec - AddOutputFilter Includes html - AddHandler type-map var - Require all granted - LanguagePriority en fr de es cs it nl sv pt-br ro - ForceLanguagePriority Prefer Fallback - - - ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var - ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var - ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var - ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var - ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var - ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var - ErrorDocument 410 /error/HTTP_GONE.html.var - ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var - ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var - ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var - ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var - ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var - ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var - ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var - ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var - ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var - ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var - - - diff --git a/apache/files/evolinux-ssl.conf b/apache/files/evolinux-ssl.conf deleted file mode 100644 index cde0f7ec..00000000 --- a/apache/files/evolinux-ssl.conf +++ /dev/null @@ -1,11 +0,0 @@ -# Strong security. -SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH -SSLProtocol All -SSLv2 -SSLv3 -SSLHonorCipherOrder On -SSLCompression off -SSLSessionCache shmcb:/var/log/apache2/ssl_gcache_data(512000) -SSLSessionCacheTimeout 600 - -# Stapling not activated by default. Need config. -#SSLUseStapling on -#SSLStaplingCache shmcb:${APACHE_RUN_DIR}/stapling-cache(150000) diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index a6a46eb8..d8dd10ba 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -1,65 +1,33 @@ --- -- name: Main packages are installed +- name: packages are installed (stretch) apt: name: '{{ item }}' state: present with_items: - apache2 - tags: - - apache - - packages - -- name: Install packages for Jessie - apt: - name: '{{ item }}' - state: present - with_items: - - apache2-mpm-prefork - tags: - - apache - - packages - when: ansible_distribution_release == "jessie" - -- name: manually disable mpm_event - command: a2dismod mpm_event - register: cmd_disable_event - changed_when: "'Module mpm_event already disabled' not in cmd_disable_event.stdout" - notify: restart apache - tags: - - apache - -- name: manually enable mpm_prefork - command: a2enmod mpm_prefork - register: cmd_disable_prefork - changed_when: "'Module mpm_prefork already enabled' not in cmd_disable_prefork.stdout" - notify: restart apache - tags: - - apache - -# With Ansible 2.2 the module check the config for conflicts -# With 2.3 it can be disabled. -# https://docs.ansible.com/ansible/apache2_module_module.html -# - name: mpm_event modules is disabled -# apache2_module: -# name: '{{ item }}' -# state: absent -# with_items: -# - mpm_event -# tags: -# - apache - -- name: Additional packages are installed - apt: - name: '{{ item }}' - state: present - with_items: - - apg + - libapache2-mpm-itk + - libapache2-mod-evasive - apachetop - libwww-perl tags: - apache - packages + when: ansible_distribution_release == "stretch" + +- name: packages are installed (jessie) + apt: + name: '{{ item }}' + state: present + with_items: + - apache2-mpm-itk + - libapache2-mod-evasive + - apachetop + - libwww-perl + tags: + - apache + - packages + when: ansible_distribution_release == "jessie" - name: basic modules are enabled apache2_module: @@ -70,10 +38,6 @@ - expires - headers - cgi - - ssl - - include - - negotiation - - alias tags: - apache @@ -83,61 +47,18 @@ dest: "/etc/apache2/conf-available/z-evolinux-defaults.conf" owner: root group: root - mode: "0644" + mode: "0640" force: yes tags: - apache -- name: Copy Apache localized error pages config file - copy: - src: evolinux-localized-error-pages.conf - dest: "/etc/apache2/conf-available/z-evolinux-localized-error-pages.conf" - owner: root - group: root - mode: "0644" - force: yes - tags: - - apache - -- name: Create directory which will contain apache error pages - file: - path: /usr/local/share/apache2/error - mode: u=rwX,g=rX,o=rX - owner: root - group: root - state: directory - tags: - - apache - -- name: Copy apache error pages - copy: - src: error-pages/ - dest: "/usr/local/share/apache2/error/" - directory_mode: u=rwX,g=rX,o=rX - mode: u=rw,g=r,o=r - owner: root - group: root - tags: - - apache - - name: Copy Apache custom config file copy: src: evolinux-custom.conf dest: "/etc/apache2/conf-available/zzz-evolinux-custom.conf" owner: root group: root - mode: "0644" - force: no - tags: - - apache - -- name: Copy Apache SSL (strong security) config file - copy: - src: evolinux-ssl.conf - dest: "/etc/apache2/conf-available/evolinux-ssl.conf" - owner: root - group: root - mode: "0644" + mode: "0640" force: no tags: - apache @@ -148,9 +69,7 @@ changed_when: "'Enabling' in command_result.stderr" with_items: - z-evolinux-defaults.conf - - z-evolinux-localized-error-pages.conf - zzz-evolinux-custom.conf - - evolinux-ssl.conf tags: - apache @@ -205,10 +124,10 @@ check_mode: no tags: - apache + when: apache_phpmyadmin_set - include: phpmyadmin.yml - when: _default_index.stat.exists - + when: apache_phpmyadmin_set and _default_index.stat.exists # - block: # - name: generate random string for serverstatus suffix diff --git a/apache/tasks/phpmyadmin.yml b/apache/tasks/phpmyadmin.yml index 889336a9..a8b24e05 100644 --- a/apache/tasks/phpmyadmin.yml +++ b/apache/tasks/phpmyadmin.yml @@ -1,6 +1,14 @@ --- - block: + - name: packages are installed + apt: + name: '{{ item }}' + state: present + with_items: + - phpmyadmin + - apg + - name: generate random string for phpmyadmin suffix command: "apg -a 1 -M N -n 1" changed_when: False diff --git a/apache/templates/evolinux-default.conf.j2 b/apache/templates/evolinux-default.conf.j2 index 38a367d4..bc272364 100644 --- a/apache/templates/evolinux-default.conf.j2 +++ b/apache/templates/evolinux-default.conf.j2 @@ -1,37 +1,10 @@ ServerName {{ ansible_fqdn }} - ServerAdmin webmaster@localhost + #ServerAlias {{ ansible_fqdn }} DocumentRoot /var/www/ - RewriteEngine on - # Redirect to HTTPS, execpt for munin, because some plugins - # can't handle HTTPS! :( - RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC] [OR] - RewriteCond %{REQUEST_URI} !^/munin_opcache.php$ [NC] - RewriteRule ^/(.*) https://{{ ansible_fqdn }}/$1 [L,R=permanent] - - - Require ip 127.0.0.1 - - - - - - ServerName {{ ansible_fqdn }} - ServerAdmin webmaster@localhost - - DocumentRoot /var/www/ - - SSLEngine on - SSLCertificateFile {{ apache_evolinux_default_ssl_cert }} - SSLCertificateKeyFile {{ apache_evolinux_default_ssl_key }} - - # We override these 2 Directory directives setted in apache2.conf. - # We want no access except from allowed IP address. - Options -Indexes - Require all denied Include /etc/apache2/private_ipaddr_whitelist.conf @@ -43,7 +16,6 @@ # Munin. We need to set Directory directive as Alias take precedence. Alias /munin /var/cache/munin/www - Options -Indexes Require all denied Include /etc/apache2/private_ipaddr_whitelist.conf @@ -65,11 +37,68 @@ ErrorLog /var/log/apache2/error.log LogLevel warn - Alias /phpmyadmin-{{ apache_phpmyadmin_suffix }} /usr/share/phpmyadmin/ - IncludeOptional /etc/apache2/conf-available/phpmyadmin* - - - Require all denied - + + RewriteEngine on + # Redirect to HTTPS, execpt for munin, because some plugins + # can't handle HTTPS! :( + RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC] [OR] + RewriteCond %{REQUEST_URI} !^/munin_opcache.php$ [NC] + RewriteRule ^/(.*) https://{{ ansible_fqdn }}/$1 [L,R=permanent] + + + Require ip 127.0.0.1 + + + + + ServerName {{ ansible_fqdn }} + #ServerAlias {{ ansible_fqdn }} + + DocumentRoot /var/www/ + + + Include /etc/apache2/private_ipaddr_whitelist.conf + + + Options -Indexes + Require all denied + Include /etc/apache2/private_ipaddr_whitelist.conf + + + SSLEngine on + SSLCertificateFile {{ apache_evolinux_default_ssl_cert }} + SSLCertificateKeyFile {{ apache_evolinux_default_ssl_key }} + + # We override these 2 Directory directives setted in apache2.conf. + # We want no access except from allowed IP address. + + Include /etc/apache2/private_ipaddr_whitelist.conf + + + # Munin. We need to set Directory directive as Alias take precedence. + Alias /munin /var/cache/munin/www + + Require all denied + Include /etc/apache2/private_ipaddr_whitelist.conf + + + Options -Indexes + Require all denied + Include /etc/apache2/private_ipaddr_whitelist.conf + + + # For CGI Scripts. We need to set Directory directive as ScriptAlias take precedence. + ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ + + Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch + Require all denied + Include /etc/apache2/private_ipaddr_whitelist.conf + + + CustomLog /var/log/apache2/access.log vhost_combined + ErrorLog /var/log/apache2/error.log + LogLevel warn + + From 5c4125263e6c6f9540f61a52fecebb57b20023d7 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Sun, 23 Jul 2017 00:38:05 +0200 Subject: [PATCH 112/277] Quick review of pack-web-apache role --- .../templates/log2mail-apache.j2 | 0 packweb-apache/files/evolinux-itk.conf | 10 ---- packweb-apache/tasks/apache.yml | 58 +++++++------------ .../evolinux-evasive.conf.j2} | 1 + 4 files changed, 23 insertions(+), 46 deletions(-) rename {packweb-apache => apache}/templates/log2mail-apache.j2 (100%) delete mode 100644 packweb-apache/files/evolinux-itk.conf rename packweb-apache/{files/evolinux-evasive.conf => templates/evolinux-evasive.conf.j2} (79%) diff --git a/packweb-apache/templates/log2mail-apache.j2 b/apache/templates/log2mail-apache.j2 similarity index 100% rename from packweb-apache/templates/log2mail-apache.j2 rename to apache/templates/log2mail-apache.j2 diff --git a/packweb-apache/files/evolinux-itk.conf b/packweb-apache/files/evolinux-itk.conf deleted file mode 100644 index 4e25d84b..00000000 --- a/packweb-apache/files/evolinux-itk.conf +++ /dev/null @@ -1,10 +0,0 @@ - -StartServers 50 -MinSpareServers 20 -MaxSpareServers 30 -ServerLimit 250 -MaxClients 250 -MaxRequestsPerChild 0 -LimitUIDRange 0 6000 -LimitGIDRange 0 6000 - diff --git a/packweb-apache/tasks/apache.yml b/packweb-apache/tasks/apache.yml index 18ce16ca..31570944 100644 --- a/packweb-apache/tasks/apache.yml +++ b/packweb-apache/tasks/apache.yml @@ -16,62 +16,48 @@ export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin when: envvar_grep_path.rc != 0 -- name: Install ITK module for Jessie - apt: - name: apache2-mpm-itk - when: ansible_distribution_release == "jessie" - -- name: Install ITK module for Stretch - apt: - name: libapache2-mpm-itk - when: ansible_distribution_release == "stretch" - - name: Additional packages are installed apt: name: '{{ item }}' state: present with_items: - - libapache2-mod-evasive - libapache2-mod-security2 - modsecurity-crs + - apg + +- name: Additional modules are enabled + apache2_module: + name: '{{ item }}' + state: present + with_items: + - ssl + - include + - negotiation + - alias - name: Copy Apache settings for modules copy: - src: "{{ item }}" - dest: "/etc/apache2/conf-available/{{ item }}" + src: "evolinux-modsec.conf" + dest: "/etc/apache2/conf-available/evolinux-modsec.conf" + owner: root + group: root + mode: "0644" + force: no + +- name: Copy Apache settings for modules + template: + src: "evolinux-evasive.conf.j2" + dest: "/etc/apache2/conf-available/evolinux-evasive.conf" owner: root group: root mode: "0644" force: no - with_items: - - evolinux-itk.conf - - evolinux-evasive.conf - - evolinux-modsec.conf - name: Ensure Apache modules configs are enabled command: "a2enconf {{ item }}" register: command_result changed_when: "'Enabling' in command_result.stderr" with_items: - - evolinux-itk - evolinux-evasive - evolinux-modsec -- name: Check if log2mail is installed - command: "apt list --installed log2mail" - register: command_result - changed_when: False - -- debug: - var: command_result - verbosity: 1 - -- name: Add log2mail config for Apache segfaults - template: - src: log2mail-apache.j2 - dest: "/etc/log2mail/config/apache" - owner: root - group: root - mode: "0644" - force: no - when: "'log2mail' in command_result.stdout" diff --git a/packweb-apache/files/evolinux-evasive.conf b/packweb-apache/templates/evolinux-evasive.conf.j2 similarity index 79% rename from packweb-apache/files/evolinux-evasive.conf rename to packweb-apache/templates/evolinux-evasive.conf.j2 index 15be182f..fd73ad81 100644 --- a/packweb-apache/files/evolinux-evasive.conf +++ b/packweb-apache/templates/evolinux-evasive.conf.j2 @@ -5,4 +5,5 @@ DOSSiteCount 30 DOSPageInterval 3 DOSSiteInterval 1 DOSBlockingPeriod 60 +DOSEmailNotify {{ general_alert_email }} From f49e720efdc46d5edd402b09a3897a6d25ac4fe9 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Sun, 23 Jul 2017 00:54:52 +0200 Subject: [PATCH 113/277] Add log2mail stuff for Apache --- apache/tasks/main.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index d8dd10ba..7c4c8d40 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -129,6 +129,20 @@ - include: phpmyadmin.yml when: apache_phpmyadmin_set and _default_index.stat.exists +- name: Check if log2mail is installed + apt: + name: log2mail + state: present + +- name: Add log2mail config for Apache segfaults + template: + src: log2mail-apache.j2 + dest: "/etc/log2mail/config/apache" + owner: root + group: root + mode: "0644" + force: no + # - block: # - name: generate random string for serverstatus suffix # command: "apg -a 1 -M N -n 1" From e212f3043fe304bc170d89239657d78ad17a298a Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Sun, 23 Jul 2017 00:55:23 +0200 Subject: [PATCH 114/277] Set right URL for our custom role --- evolinux-base/templates/default_www/index.html.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evolinux-base/templates/default_www/index.html.j2 b/evolinux-base/templates/default_www/index.html.j2 index dc8e0ce3..f37691ca 100644 --- a/evolinux-base/templates/default_www/index.html.j2 +++ b/evolinux-base/templates/default_www/index.html.j2 @@ -69,7 +69,7 @@

- Powered by Evolix + Powered by Evolix

From 2118bfae8cecb56a6847e9f02628cea12776a306 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20P=C3=A9riard-Tremblay?= Date: Mon, 24 Jul 2017 16:38:08 -0400 Subject: [PATCH 115/277] Update docker-host role --- docker-host/tasks/main.yml | 57 ++++++++++++++++++------- docker-host/templates/daemon.json.j2 | 16 +++++++ docker-host/templates/docker.service.j2 | 27 ------------ 3 files changed, 57 insertions(+), 43 deletions(-) create mode 100644 docker-host/templates/daemon.json.j2 delete mode 100644 docker-host/templates/docker.service.j2 diff --git a/docker-host/tasks/main.yml b/docker-host/tasks/main.yml index 1bcd7810..9d477066 100644 --- a/docker-host/tasks/main.yml +++ b/docker-host/tasks/main.yml @@ -1,44 +1,64 @@ # This role installs the docker daemon --- -- name: Install apt-transport-https +- name: Remove older docker packages apt: - name: apt-transport-https + name: '{{ item }}' + state: absent + with_items: + - docker + - docker-engine + - docker.io + +- name: Install source requirements + apt: + name: '{{ item }}' state: present update_cache: yes + with_items: + - apt-transport-https + - ca-certificates + - gnupg2 -- name: Enable Docker repositories +- name: Add Docker repository apt_repository: - repo: 'deb https://apt.dockerproject.org/repo debian-{{ ansible_distribution_release }} main' + repo: 'deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable' state: present update_cache: no -- name: Enable backports repository for docker-py +- name: Enable backports repository for python-docker (Jessie only) apt_repository: repo: 'deb http://ftp.debian.org/debian {{ ansible_distribution_release }}-backports main' state: present + when: ansible_distribution_release == 'jessie' -- name: Install Docker repo keys +- name: Add Docker's official GPG key apt_key: - keyserver: pgp.mit.edu - id: 58118E89F3A912897C070ADBF76221572C52609D + url: "https://download.docker.com/linux/debian/gpg" + state: present -- name: Install docker and docker-py +- name: Install docker and python-docker apt: name: "{{ item }}" state: latest update_cache: yes with_items: - - docker-engine + - docker-ce - python-docker -- name: Configure docker service +- name: Copy Docker daemon configuration file template: - src: docker.service.j2 - dest: /lib/systemd/system/docker.service + src: daemon.json.j2 + dest: /etc/docker/daemon.json notify: - reload systemd - restart docker +- name: Remove options from docker systemd service + lineinfile: + path: /lib/systemd/system/docker.service + regexp: '^ExecStart=' + line: 'ExecStart=/usr/bin/dockerd' + - name: Creating Docker tmp directory file: path: "{{ docker_tmpdir }}" @@ -52,7 +72,7 @@ state: directory mode: "0644" owner: root - when: "{{ docker_tls_enabled }}" + when: docker_tls_enabled - name: Copy shellpki utility to Docker TLS directory template: @@ -62,8 +82,13 @@ with_items: - shellpki.sh - openssl.cnf - when: "{{ docker_tls_enabled }}" + when: docker_tls_enabled + +- name: Check if certs are already created + stat: + path: "{{ docker_tls_path }}/certs" + register: tls_certs_stat - name: Creating a CA, server key command: "{{ docker_tls_path }}/shellpki.sh init" - when: "{{ docker_tls_enabled }}" + when: docker_tls_enabled and not tls_certs_stat.stat.isdir is defined diff --git a/docker-host/templates/daemon.json.j2 b/docker-host/templates/daemon.json.j2 new file mode 100644 index 00000000..ab6cac19 --- /dev/null +++ b/docker-host/templates/daemon.json.j2 @@ -0,0 +1,16 @@ +{ + "debug": false + {% if docker_tls_enabled %} + , + "tls": true, + "tlscert": "{{ docker_tls_path }}/{{ docker_tls_cert }}", + "tlscacert": "{{ docker_tls_path }}/{{ docker_tls_ca }}", + "tlskey": "{{ docker_tls_path }}/{{ docker_tls_key }}" + {% endif %} + , + {% if docker_remote_access_enabled %} + "hosts": ["tcp://{{ docker_daemon_listening_ip }}:{{ docker_daemon_port }}", "fd://"] + {% else %} + "hosts": ["fd://"] + {% endif %} +} diff --git a/docker-host/templates/docker.service.j2 b/docker-host/templates/docker.service.j2 deleted file mode 100644 index 02229fd8..00000000 --- a/docker-host/templates/docker.service.j2 +++ /dev/null @@ -1,27 +0,0 @@ -# {{ ansible_managed }} - -[Unit] -Description=Docker Application Container Engine -Documentation=https://docs.docker.com -After=network.target docker.socket -Requires=docker.socket - -[Service] -ExecStart=/usr/bin/docker daemon -H fd:// \ - {% if docker_tls_enabled %} - --tlsverify \ - --tlscacert={{ docker_tls_path }}/{{ docker_tls_ca }} \ - --tlscert={{ docker_tls_path }}/{{ docker_tls_cert }} \ - --tlskey={{ docker_tls_path }}/{{ docker_tls_key }} \ - {% endif %} - {% if docker_remote_access_enabled %} - -H tcp://{{ docker_daemon_listening_ip }}:{{ docker_daemon_port }} - {% endif %} -MountFlags=slave -LimitNOFILE=1048576 -LimitNPROC=1048576 -LimitCORE=infinity -Environment="TMPDIR={{ docker_tmpdir }}" - -[Install] -WantedBy=multi-user.target From d033d9773add301999ec2166a2b444942dda2eda Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 27 Jul 2017 16:49:14 -0400 Subject: [PATCH 116/277] etc-git: if sudo is used, the real user is the author --- etc-git/tasks/commit.yml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/etc-git/tasks/commit.yml b/etc-git/tasks/commit.yml index d7d1fbbf..31746443 100644 --- a/etc-git/tasks/commit.yml +++ b/etc-git/tasks/commit.yml @@ -16,8 +16,19 @@ tags: - commit-etc +- name: fetch current Git user.email + git_config: + name: user.email + repo: /etc + scope: local + register: git_config_user_email + +- name: set commit author + set_fact: + etc_git_commit_options: "{% if ansible_env.SUDO_USER %} --author \"{{ ansible_env.SUDO_USER }} <{{ git_config_user_email.config_value }}>\"{% endif %}" + - name: /etc modifications are committed - shell: "git add -A . && git commit -m \"{{ commit_message | mandatory }}\"" + shell: "git add -A . && git commit -m \"{{ commit_message | mandatory }}\"{{ etc_git_commit_options }}" args: chdir: /etc register: etc_commit_end_run From f20b95f0753e5246d1c2b43a3852bdb6312fbd9d Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 27 Jul 2017 16:50:23 -0400 Subject: [PATCH 117/277] etc-git: use the git_config module instead of ini --- etc-git/tasks/main.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/etc-git/tasks/main.yml b/etc-git/tasks/main.yml index faf4e8c6..cd1a9673 100644 --- a/etc-git/tasks/main.yml +++ b/etc-git/tasks/main.yml @@ -21,11 +21,11 @@ register: git_init - name: Git user.email is configured - ini_file: - dest: /etc/.git/config - section: user - option: email - value: "" + git_config: + name: user.email + repo: /etc + scope: local + value: "root@{{ ansible_fqdn | default('localhost') }}" - name: /etc/.git is secure file: From 6871de457a563369ec6aab4ee36b0dfdfbb4480f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 27 Jul 2017 16:51:35 -0400 Subject: [PATCH 118/277] etc_git: fix README to use tasks_from instead of task_from --- etc-git/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/etc-git/README.md b/etc-git/README.md index d0930e59..5c033843 100644 --- a/etc-git/README.md +++ b/etc-git/README.md @@ -15,7 +15,7 @@ There is also an independant task that can be executed to commit changes made in pre_tasks: - include_role: name: etc-git - task_from: commit.yml + tasks_from: commit.yml vars: commit_message: "Ansible pre-run my splendid playbook" @@ -25,7 +25,7 @@ There is also an independant task that can be executed to commit changes made in post_tasks: - include_role: name: etc-git - task_from: commit.yml + tasks_from: commit.yml vars: commit_message: "Ansible pre-run my splendid playbook" ``` From b6e8c1760ec7862c6c5a6e31ff2936361ced00d9 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 27 Jul 2017 18:14:56 -0400 Subject: [PATCH 119/277] nginx: fix typo for tags --- nginx/tasks/packages_jessie_backports.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx/tasks/packages_jessie_backports.yml b/nginx/tasks/packages_jessie_backports.yml index 703b9e2a..b9c1eaf9 100644 --- a/nginx/tasks/packages_jessie_backports.yml +++ b/nginx/tasks/packages_jessie_backports.yml @@ -4,7 +4,7 @@ name: apt tasks_from: backports.yml tags: - - haproxy + - nginx - packages - name: Prefer Nginx packages from jessie-backports From 2fc65d1b8b7a08059fa49408b99b78d988b79709 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 27 Jul 2017 18:15:18 -0400 Subject: [PATCH 120/277] docker-host: use apt preferences and apt role * the "apt" role can deal with backports lists install * we'd rather use a preferences file for specific packages than simply installing jessie-backports --- docker-host/files/docker_preferences | 3 +++ docker-host/tasks/jessie_backports.yml | 23 +++++++++++++++++++++++ docker-host/tasks/main.yml | 6 ++---- 3 files changed, 28 insertions(+), 4 deletions(-) create mode 100644 docker-host/files/docker_preferences create mode 100644 docker-host/tasks/jessie_backports.yml diff --git a/docker-host/files/docker_preferences b/docker-host/files/docker_preferences new file mode 100644 index 00000000..1a68427d --- /dev/null +++ b/docker-host/files/docker_preferences @@ -0,0 +1,3 @@ +Package: python-docker +Pin: release a=jessie-backports +Pin-Priority: 999 diff --git a/docker-host/tasks/jessie_backports.yml b/docker-host/tasks/jessie_backports.yml new file mode 100644 index 00000000..0284a859 --- /dev/null +++ b/docker-host/tasks/jessie_backports.yml @@ -0,0 +1,23 @@ +--- +- include_role: + name: apt + tasks_from: backports.yml + tags: + - packages + +- name: Prefer python-docker package from jessie-backports + copy: + src: apt/docker_preferences + dest: /etc/apt/preferences.d/999-docker + force: yes + mode: "0640" + register: docker_apt_preferences + tags: + - packages + +- name: update apt + apt: + update_cache: yes + when: docker_apt_preferences | changed + tags: + - packages diff --git a/docker-host/tasks/main.yml b/docker-host/tasks/main.yml index 9d477066..39c8f578 100644 --- a/docker-host/tasks/main.yml +++ b/docker-host/tasks/main.yml @@ -24,11 +24,9 @@ repo: 'deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable' state: present update_cache: no + filename: docker.list -- name: Enable backports repository for python-docker (Jessie only) - apt_repository: - repo: 'deb http://ftp.debian.org/debian {{ ansible_distribution_release }}-backports main' - state: present +- include: jessie_backports.yml when: ansible_distribution_release == 'jessie' - name: Add Docker's official GPG key From 2dfd384fb84d4ddc4197059cdaf651455dd586ad Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 27 Jul 2017 18:58:16 -0400 Subject: [PATCH 121/277] admin-users: users are in sudo group for Stretch --- admin-users/tasks/debian/main.yml | 15 ++++ admin-users/tasks/debian/profile.yml | 15 ++++ .../{adduser_debian.yml => debian/ssh.yml} | 71 ------------------- admin-users/tasks/debian/sudo_jessie.yml | 23 ++++++ admin-users/tasks/debian/sudo_stretch.yml | 7 ++ admin-users/tasks/debian/user.yml | 35 +++++++++ admin-users/tasks/main.yml | 8 +-- 7 files changed, 99 insertions(+), 75 deletions(-) create mode 100644 admin-users/tasks/debian/main.yml create mode 100644 admin-users/tasks/debian/profile.yml rename admin-users/tasks/{adduser_debian.yml => debian/ssh.yml} (50%) create mode 100644 admin-users/tasks/debian/sudo_jessie.yml create mode 100644 admin-users/tasks/debian/sudo_stretch.yml create mode 100644 admin-users/tasks/debian/user.yml diff --git a/admin-users/tasks/debian/main.yml b/admin-users/tasks/debian/main.yml new file mode 100644 index 00000000..db737b42 --- /dev/null +++ b/admin-users/tasks/debian/main.yml @@ -0,0 +1,15 @@ +--- + +- include: user.yml + +- include: profile.yml + +- include: ssh.yml + +- include: sudo_jessie.yml + when: ansible_distribution_release == 'jessie' + +- include: sudo_stretch.yml + when: ansible_distribution_release == 'stretch' + +- meta: flush_handlers diff --git a/admin-users/tasks/debian/profile.yml b/admin-users/tasks/debian/profile.yml new file mode 100644 index 00000000..0101d4be --- /dev/null +++ b/admin-users/tasks/debian/profile.yml @@ -0,0 +1,15 @@ +--- + +- name: is evomaintenance installed? + stat: + path: "/usr/share/scripts/evomaintenance.sh" + register: evomaintenance_script + check_mode: no + +- name: "Add evomaintenance trap for '{{ user.name }}'" + lineinfile: + state: present + dest: '/home/{{ user.name }}/.profile' + insertafter: EOF + line: 'trap "sudo /usr/share/scripts/evomaintenance.sh" 0' + when: evomaintenance_script.stat.exists diff --git a/admin-users/tasks/adduser_debian.yml b/admin-users/tasks/debian/ssh.yml similarity index 50% rename from admin-users/tasks/adduser_debian.yml rename to admin-users/tasks/debian/ssh.yml index 87899375..0ee7d2d8 100644 --- a/admin-users/tasks/adduser_debian.yml +++ b/admin-users/tasks/debian/ssh.yml @@ -1,52 +1,5 @@ --- -- name: "Test if uid exists for '{{ user.name }}'" - command: 'getent passwd {{ user.uid }}' - register: uidisbusy - failed_when: False - changed_when: False - check_mode: no - -- name: "Add Unix account with classical uid for '{{ user.name }}'" - user: - state: present - uid: '{{ user.uid }}' - name: '{{ user.name }}' - comment: '{{ user.fullname }}' - shell: /bin/bash - password: '{{ user.password_hash }}' - update_password: on_create - when: uidisbusy.rc != 0 - -- name: "Add Unix account with random uid for '{{ user.name }}'" - user: - state: present - name: '{{ user.name }}' - comment: '{{ user.fullname }}' - shell: /bin/bash - password: '{{ user.password_hash }}' - update_password: on_create - when: uidisbusy.rc == 0 - -- name: "Fix perms on homedirectory for '{{ user.name }}'" - file: - name: '/home/{{ user.name }}' - mode: "0700" - state: directory - -- name: is evomaintenance installed? - stat: - path: "/usr/share/scripts/evomaintenance.sh" - register: evomaintenance_script - check_mode: no - -- name: "Add evomaintenance trap for '{{ user.name }}'" - lineinfile: - state: present - dest: '/home/{{ user.name }}/.profile' - insertafter: EOF - line: 'trap "sudo /usr/share/scripts/evomaintenance.sh" 0' - when: evomaintenance_script.stat.exists - name: "Create .ssh directory for '{{ user.name }}'" file: @@ -111,27 +64,3 @@ validate: '/usr/sbin/sshd -T -f %s' notify: reload sshd when: grep_matchuser_ssh.rc == 0 - -- name: Verify Evolinux sudoers file presence - template: - src: sudoers_debian.j2 - dest: /etc/sudoers.d/evolinux - force: false - validate: '/usr/sbin/visudo -cf %s' - register: copy_sudoers_evolinux - -- name: Verify Evolinux sudoers file permissions - file: - path: /etc/sudoers.d/evolinux - mode: "0440" - state: file - -- name: "Add user in sudoers file for '{{ user.name }}'" - replace: - dest: /etc/sudoers.d/evolinux - regexp: '^(User_Alias\s+ADMINS\s+=((?!{{ user.name }}).)*)$' - replace: '\1,{{ user.name }}' - validate: '/usr/sbin/visudo -cf %s' - when: not copy_sudoers_evolinux.changed - -- meta: flush_handlers diff --git a/admin-users/tasks/debian/sudo_jessie.yml b/admin-users/tasks/debian/sudo_jessie.yml new file mode 100644 index 00000000..1d7d3a69 --- /dev/null +++ b/admin-users/tasks/debian/sudo_jessie.yml @@ -0,0 +1,23 @@ +--- + +- name: Verify Evolinux sudoers file presence + template: + src: sudoers_debian.j2 + dest: /etc/sudoers.d/evolinux + force: false + validate: '/usr/sbin/visudo -cf %s' + register: copy_sudoers_evolinux + +- name: Verify Evolinux sudoers file permissions + file: + path: /etc/sudoers.d/evolinux + mode: "0440" + state: file + +- name: "Add user in sudoers file for '{{ user.name }}'" + replace: + dest: /etc/sudoers.d/evolinux + regexp: '^(User_Alias\s+ADMINS\s+=((?!{{ user.name }}).)*)$' + replace: '\1,{{ user.name }}' + validate: '/usr/sbin/visudo -cf %s' + when: not copy_sudoers_evolinux.changed diff --git a/admin-users/tasks/debian/sudo_stretch.yml b/admin-users/tasks/debian/sudo_stretch.yml new file mode 100644 index 00000000..899ac6ae --- /dev/null +++ b/admin-users/tasks/debian/sudo_stretch.yml @@ -0,0 +1,7 @@ +--- + +- name: "'{{ user.name }}' is in the sudo group" + user: + name: "{{ user.name }}" + groups: sudo + append: yes diff --git a/admin-users/tasks/debian/user.yml b/admin-users/tasks/debian/user.yml new file mode 100644 index 00000000..c47fbdfc --- /dev/null +++ b/admin-users/tasks/debian/user.yml @@ -0,0 +1,35 @@ +--- + +- name: "Test if uid exists for '{{ user.name }}'" + command: 'getent passwd {{ user.uid }}' + register: uidisbusy + failed_when: False + changed_when: False + check_mode: no + +- name: "Add Unix account with classical uid for '{{ user.name }}'" + user: + state: present + uid: '{{ user.uid }}' + name: '{{ user.name }}' + comment: '{{ user.fullname }}' + shell: /bin/bash + password: '{{ user.password_hash }}' + update_password: on_create + when: uidisbusy.rc != 0 + +- name: "Add Unix account with random uid for '{{ user.name }}'" + user: + state: present + name: '{{ user.name }}' + comment: '{{ user.fullname }}' + shell: /bin/bash + password: '{{ user.password_hash }}' + update_password: on_create + when: uidisbusy.rc == 0 + +- name: "Fix perms on homedirectory for '{{ user.name }}'" + file: + name: '/home/{{ user.name }}' + mode: "0700" + state: directory diff --git a/admin-users/tasks/main.yml b/admin-users/tasks/main.yml index 50c43468..54e2fc53 100644 --- a/admin-users/tasks/main.yml +++ b/admin-users/tasks/main.yml @@ -1,15 +1,15 @@ --- - debug: - msg: "Warning: empty variable 'admin_users' admin-users tasks will skipped!" + msg: "Warning: empty 'admin_users' variable, tasks will be skipped!" when: admin_users == {} -- include: adduser_debian.yml +- include: debian/main.yml vars: user: "{{ item.value }}" with_dict: "{{ admin_users }}" when: ansible_distribution == "Debian" and admin_users != {} -# - include: adduser_openbsd.yml user={{ item.value }} +# - include: openbsd/main.yml user={{ item.value }} # with_dict: "{{ admin_users }}" -# when: ansible_distribution == "OpenBSD" +# when: ansible_distribution == "OpenBSD" and admin_users != {} From 66eee11cf758d2f3172c8668c612e95e0965654f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 27 Jul 2017 21:33:34 -0400 Subject: [PATCH 122/277] etc-git: show OS in task name --- etc-git/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/etc-git/tasks/main.yml b/etc-git/tasks/main.yml index cd1a9673..a958bacc 100644 --- a/etc-git/tasks/main.yml +++ b/etc-git/tasks/main.yml @@ -1,12 +1,12 @@ --- -- name: Git is installed +- name: Git is installed (Debian) apt: name: git state: present when: ansible_os_family == "Debian" -- name: Git is installed +- name: Git is installed (OpenBSD) openbsd_pkg: name: git state: present From 5e949d74fd5b31f411ee881cb81865006110b195 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 27 Jul 2017 21:34:06 -0400 Subject: [PATCH 123/277] evomaintenance: check if minifirewall is installed --- evomaintenance/tasks/main.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/evomaintenance/tasks/main.yml b/evomaintenance/tasks/main.yml index 091c59d5..5837287c 100644 --- a/evomaintenance/tasks/main.yml +++ b/evomaintenance/tasks/main.yml @@ -23,15 +23,22 @@ - include: trap.yml home={{ item }} with_items: "{{ home_of_shell_users.stdout_lines }}" +- name: Is minifirewall installed? + stat: + path: /etc/default/minifirewall + register: minifirewall_default_file + - name: minifirewall section for evomaintenance lineinfile: dest: /etc/default/minifirewall line: "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s {{ item }} -m state --state ESTABLISHED,RELATED -j ACCEPT" insertafter: "^# EvoMaintenance" with_items: "{{ evomaintenance_hosts }}" + when: minifirewall_default_file.stat.exists - name: remove minifirewall example rule for the proxy lineinfile: dest: /etc/default/minifirewall regexp: '^#.*(--sport 5432).*(-s X\.X\.X\.X)' state: absent + when: minifirewall_default_file.stat.exists From 2179be09d167c024126b6e1449c7f6fa7c9ab88b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 27 Jul 2017 22:05:44 -0400 Subject: [PATCH 124/277] admin-users: passwordless sudo for come commands --- admin-users/tasks/debian/main.yml | 6 +----- admin-users/tasks/debian/{sudo_jessie.yml => sudo.yml} | 9 ++++++--- admin-users/tasks/debian/sudo_stretch.yml | 7 ------- .../templates/{sudoers_debian.j2 => sudoers_jessie.j2} | 0 admin-users/templates/sudoers_stretch.j2 | 8 ++++++++ 5 files changed, 15 insertions(+), 15 deletions(-) rename admin-users/tasks/debian/{sudo_jessie.yml => sudo.yml} (71%) delete mode 100644 admin-users/tasks/debian/sudo_stretch.yml rename admin-users/templates/{sudoers_debian.j2 => sudoers_jessie.j2} (100%) create mode 100644 admin-users/templates/sudoers_stretch.j2 diff --git a/admin-users/tasks/debian/main.yml b/admin-users/tasks/debian/main.yml index db737b42..329ce50e 100644 --- a/admin-users/tasks/debian/main.yml +++ b/admin-users/tasks/debian/main.yml @@ -6,10 +6,6 @@ - include: ssh.yml -- include: sudo_jessie.yml - when: ansible_distribution_release == 'jessie' - -- include: sudo_stretch.yml - when: ansible_distribution_release == 'stretch' +- include: sudo.yml - meta: flush_handlers diff --git a/admin-users/tasks/debian/sudo_jessie.yml b/admin-users/tasks/debian/sudo.yml similarity index 71% rename from admin-users/tasks/debian/sudo_jessie.yml rename to admin-users/tasks/debian/sudo.yml index 1d7d3a69..793e67d5 100644 --- a/admin-users/tasks/debian/sudo_jessie.yml +++ b/admin-users/tasks/debian/sudo.yml @@ -2,9 +2,9 @@ - name: Verify Evolinux sudoers file presence template: - src: sudoers_debian.j2 + src: sudoers_{{ ansible_distribution_release }}.j2 dest: /etc/sudoers.d/evolinux - force: false + force: no validate: '/usr/sbin/visudo -cf %s' register: copy_sudoers_evolinux @@ -20,4 +20,7 @@ regexp: '^(User_Alias\s+ADMINS\s+=((?!{{ user.name }}).)*)$' replace: '\1,{{ user.name }}' validate: '/usr/sbin/visudo -cf %s' - when: not copy_sudoers_evolinux.changed + when: + - ansible_distribution == "Debian" + - ansible_distribution_major_version | version_compare('9', '<') + - not copy_sudoers_evolinux.changed diff --git a/admin-users/tasks/debian/sudo_stretch.yml b/admin-users/tasks/debian/sudo_stretch.yml deleted file mode 100644 index 899ac6ae..00000000 --- a/admin-users/tasks/debian/sudo_stretch.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- name: "'{{ user.name }}' is in the sudo group" - user: - name: "{{ user.name }}" - groups: sudo - append: yes diff --git a/admin-users/templates/sudoers_debian.j2 b/admin-users/templates/sudoers_jessie.j2 similarity index 100% rename from admin-users/templates/sudoers_debian.j2 rename to admin-users/templates/sudoers_jessie.j2 diff --git a/admin-users/templates/sudoers_stretch.j2 b/admin-users/templates/sudoers_stretch.j2 new file mode 100644 index 00000000..5332395c --- /dev/null +++ b/admin-users/templates/sudoers_stretch.j2 @@ -0,0 +1,8 @@ +Defaults umask=0077 + +Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts/listupgrade.sh, /usr/bin/apt, /bin/mount + +nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs +nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt + +%sudo ALL = NOPASSWD: MAINT From c97110f865118ef026cee1abdbf5da569ded6b37 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 27 Jul 2017 22:17:25 -0400 Subject: [PATCH 125/277] minifirewall: embed files instead of git clone --- minifirewall/files/minifirewall | 385 +++++++++++++++++++++++++++ minifirewall/files/minifirewall.conf | 99 +++++++ minifirewall/tasks/install.yml | 44 +-- 3 files changed, 497 insertions(+), 31 deletions(-) create mode 100755 minifirewall/files/minifirewall create mode 100644 minifirewall/files/minifirewall.conf diff --git a/minifirewall/files/minifirewall b/minifirewall/files/minifirewall new file mode 100755 index 00000000..94260a96 --- /dev/null +++ b/minifirewall/files/minifirewall @@ -0,0 +1,385 @@ +#!/bin/sh + +# minifirewall is shellscripts for easy firewalling on a standalone server +# we used netfilter/iptables http://netfilter.org/ designed for recent Linux kernel +# See https://forge.evolix.org/projects/minifirewall + +# Copyright (c) 2007-2015 Evolix +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License. + +# Description +# script for standalone server + +# Start or stop minifirewall +# + +### BEGIN INIT INFO +# Provides: minfirewall +# Required-Start: +# Required-Stop: +# Should-Start: $network $syslog $named +# Should-Stop: $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: start and stop the firewall +# Description: Firewall designed for standalone server +### END INIT INFO + +DESC="minifirewall" +NAME="minifirewall" + + +# Variables configuration +######################### + +# iptables paths +IPT=/sbin/iptables +IPT6=/sbin/ip6tables + +# TCP/IP variables +LOOPBACK='127.0.0.0/8' +CLASSA='10.0.0.0/8' +CLASSB='172.16.0.0/12' +CLASSC='192.168.0.0/16' +CLASSD='224.0.0.0/4' +CLASSE='240.0.0.0/5' +ALL='0.0.0.0' +BROAD='255.255.255.255' +PORTSROOT='0:1023' +PORTSUSER='1024:65535' + + +case "$1" in + start) + + echo "Start IPTables rules..." + +# Stop and warn if error! +set -e +trap 'echo "ERROR in minifirewall configuration (fix it now!) or script manipulation (fix yourself)." ' INT TERM EXIT + + +# sysctl network security settings +################################## + +# Don't answer to broadcast pings +echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts + +# Ignore bogus ICMP responses +echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses + +# Disable Source Routing +for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do +echo 0 > $i +done + +# Enable TCP SYN cookies to avoid TCP-SYN-FLOOD attacks +# cf http://cr.yp.to/syncookies.html +echo 1 > /proc/sys/net/ipv4/tcp_syncookies + +# Disable ICMP redirects +for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do +echo 0 > $i +done + +for i in /proc/sys/net/ipv4/conf/*/send_redirects; do +echo 0 > $i +done + +# Enable Reverse Path filtering : verify if responses use same network interface +for i in /proc/sys/net/ipv4/conf/*/rp_filter; do +echo 1 > $i +done + +# log des paquets avec adresse incoherente +for i in /proc/sys/net/ipv4/conf/*/log_martians; do +echo 1 > $i +done + +# IPTables configuration +######################## + +$IPT -N LOG_DROP +$IPT -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : ' +$IPT -A LOG_DROP -j DROP +$IPT -N LOG_ACCEPT +$IPT -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : ' +$IPT -A LOG_ACCEPT -j ACCEPT + +# Configuration +oldconfigfile="/etc/firewall.rc" +configfile="/etc/default/minifirewall" + +if test -f $oldconfigfile; then + echo "$oldconfigfile is deprecated, rename to $configfile" >&2 + exit 1 +fi + +if ! test -f $configfile; then + echo "$configfile does not exist" >&2 + exit 1 +fi + +tmpfile=`mktemp` +. $configfile 2>$tmpfile >&2 +if [ -s $tmpfile ]; then + echo "$configfile returns standard or error output (see below). Stopping." >&2 + cat $tmpfile + exit 1 +fi +rm $tmpfile + +# Trusted ip addresses +$IPT -N ONLYTRUSTED +$IPT -A ONLYTRUSTED -j LOG_DROP +for x in $TRUSTEDIPS + do + $IPT -I ONLYTRUSTED -s $x -j ACCEPT + done + +# Privilegied ip addresses +# (trusted ip addresses *are* privilegied) +$IPT -N ONLYPRIVILEGIED +$IPT -A ONLYPRIVILEGIED -j ONLYTRUSTED +for x in $PRIVILEGIEDIPS + do + $IPT -I ONLYPRIVILEGIED -s $x -j ACCEPT + done + +# Chain for restrictions (blacklist IPs/ranges) +$IPT -N NEEDRESTRICT + +# We allow all on loopback interface +$IPT -A INPUT -i lo -j ACCEPT +[ "$IPV6" != "off" ] && $IPT6 -A INPUT -i lo -j ACCEPT +# if OUTPUTDROP +$IPT -A OUTPUT -o lo -j ACCEPT +[ "$IPV6" != "off" ] && $IPT6 -A OUTPUT -o lo -j ACCEPT + +# We avoid "martians" packets, typical when W32/Blaster virus +# attacked windowsupdate.com and DNS was changed to 127.0.0.1 +# $IPT -t NAT -I PREROUTING -s $LOOPBACK -i ! lo -j DROP +$IPT -A INPUT -s $LOOPBACK ! -i lo -j DROP + + +# Local services restrictions +############################# + +# Allow services for $INTLAN (local server or local network) +$IPT -A INPUT -s $INTLAN -j ACCEPT + +# Enable protection chain for sensible services +for x in $SERVICESTCP1p + do + $IPT -A INPUT -p tcp --dport $x -j NEEDRESTRICT + done + +for x in $SERVICESUDP1p + do + $IPT -A INPUT -p udp --dport $x -j NEEDRESTRICT + done + +# Public service +for x in $SERVICESTCP1 + do + $IPT -A INPUT -p tcp --dport $x -j ACCEPT + [ "$IPV6" != "off" ] && $IPT6 -A INPUT -p tcp --dport $x -j ACCEPT + done + +for x in $SERVICESUDP1 + do + $IPT -A INPUT -p udp --dport $x -j ACCEPT + [ "$IPV6" != "off" ] && $IPT6 -A INPUT -p udp --dport $x -j ACCEPT + done + +# Privilegied services +for x in $SERVICESTCP2 + do + $IPT -A INPUT -p tcp --dport $x -j ONLYPRIVILEGIED + done + +for x in $SERVICESUDP2 + do + $IPT -A INPUT -p udp --dport $x -j ONLYPRIVILEGIED + done + +# Private services +for x in $SERVICESTCP3 + do + $IPT -A INPUT -p tcp --dport $x -j ONLYTRUSTED + done + +for x in $SERVICESUDP3 + do + $IPT -A INPUT -p udp --dport $x -j ONLYTRUSTED + done + + +# External services +################### + +# DNS authorizations +for x in $DNSSERVEURS + do + $IPT -A INPUT -p tcp ! --syn --sport 53 --dport $PORTSUSER -s $x -j ACCEPT + $IPT -A INPUT -p udp --sport 53 --dport $PORTSUSER -s $x -m state --state ESTABLISHED,RELATED -j ACCEPT + $IPT -A OUTPUT -o $INT -p udp -d $x --dport 53 --match state --state NEW -j ACCEPT + done + +# HTTP (TCP/80) authorizations +for x in $HTTPSITES + do + $IPT -A INPUT -p tcp ! --syn --sport 80 --dport $PORTSUSER -s $x -j ACCEPT + done + +# HTTPS (TCP/443) authorizations +for x in $HTTPSSITES + do + $IPT -A INPUT -p tcp ! --syn --sport 443 --dport $PORTSUSER -s $x -j ACCEPT + done + +# FTP (so complex protocol...) authorizations +for x in $FTPSITES + do + # requests on Control connection + $IPT -A INPUT -p tcp ! --syn --sport 21 --dport $PORTSUSER -s $x -j ACCEPT + # FTP port-mode on Data Connection + $IPT -A INPUT -p tcp --sport 20 --dport $PORTSUSER -s $x -j ACCEPT + # FTP passive-mode on Data Connection + # WARNING, this allow all connections on TCP ports > 1024 + $IPT -A INPUT -p tcp ! --syn --sport $PORTSUSER --dport $PORTSUSER -s $x -j ACCEPT + done + +# SSH authorizations +for x in $SSHOK + do + $IPT -A INPUT -p tcp ! --syn --sport 22 -s $x -j ACCEPT + done + +# SMTP authorizations +for x in $SMTPOK + do + $IPT -A INPUT -p tcp ! --syn --sport 25 --dport $PORTSUSER -j ACCEPT + done + +# secure SMTP (TCP/465 et TCP/587) authorizations +for x in $SMTPSECUREOK + do + $IPT -A INPUT -p tcp ! --syn --sport 465 --dport $PORTSUSER -j ACCEPT + $IPT -A INPUT -p tcp ! --syn --sport 587 --dport $PORTSUSER -j ACCEPT + done + +# NTP authorizations +for x in $NTPOK + do + $IPT -A INPUT -p udp --sport 123 -s $x -j ACCEPT + $IPT -A OUTPUT -o $INT -p udp -d $x --dport 123 --match state --state NEW -j ACCEPT + done + +# Always allow ICMP +$IPT -A INPUT -p icmp -j ACCEPT +[ "$IPV6" != "off" ] && $IPT6 -A INPUT -p icmpv6 -j ACCEPT + + +# IPTables policy +################# + +# by default DROP INPUT packets +$IPT -P INPUT DROP +[ "$IPV6" != "off" ] && $IPT6 -P INPUT DROP + +# by default, no FORWARING (deprecated for Virtual Machines) +#echo 0 > /proc/sys/net/ipv4/ip_forward +#$IPT -P FORWARD DROP +#$IPT6 -P FORWARD DROP + +# by default allow OUTPUT packets... but drop UDP packets (see OUTPUTDROP to drop OUTPUT packets) +$IPT -P OUTPUT ACCEPT +[ "$IPV6" != "off" ] && $IPT6 -P OUTPUT ACCEPT +$IPT -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT +$IPT -A OUTPUT -p udp --match state --state ESTABLISHED,RELATED -j ACCEPT +$IPT -A OUTPUT -p udp -j DROP +[ "$IPV6" != "off" ] && $IPT6 -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT +[ "$IPV6" != "off" ] && $IPT6 -A OUTPUT -p udp --match state --state ESTABLISHED,RELATED -j ACCEPT +[ "$IPV6" != "off" ] && $IPT6 -A OUTPUT -p udp -j DROP + +trap - INT TERM EXIT + + echo "...starting IPTables rules is now finish : OK" + ;; + + stop) + + echo "Flush all rules and accept everything..." + + # Delete all rules + $IPT -F INPUT + $IPT -F OUTPUT + $IPT -F LOG_DROP + $IPT -F LOG_ACCEPT + $IPT -F ONLYTRUSTED + $IPT -F ONLYPRIVILEGIED + $IPT -F NEEDRESTRICT + $IPT -t nat -F + $IPT -t mangle -F + [ "$IPV6" != "off" ] && $IPT6 -F INPUT + [ "$IPV6" != "off" ] && $IPT6 -F OUTPUT + + # Accept all + $IPT -P INPUT ACCEPT + $IPT -P OUTPUT ACCEPT + [ "$IPV6" != "off" ] && $IPT6 -P INPUT ACCEPT + [ "$IPV6" != "off" ] && $IPT6 -P OUTPUT ACCEPT + #$IPT -P FORWARD ACCEPT + #$IPT -t nat -P PREROUTING ACCEPT + #$IPT -t nat -P POSTROUTING ACCEPT + + # Delete non-standard chains + $IPT -X LOG_DROP + $IPT -X LOG_ACCEPT + $IPT -X ONLYPRIVILEGIED + $IPT -X ONLYTRUSTED + $IPT -X NEEDRESTRICT + + echo "...flushing IPTables rules is now finish : OK" + ;; + + status) + + $IPT -L -n -v --line-numbers + $IPT -t nat -L -n -v --line-numbers + $IPT -t mangle -L -n -v --line-numbers + $IPT6 -L -n -v --line-numbers + $IPT6 -t mangle -L -n -v --line-numbers + ;; + + reset) + + echo "Reset all IPTables counters..." + + $IPT -Z + $IPT -t nat -Z + $IPT -t mangle -Z + [ "$IPV6" != "off" ] && $IPT6 -Z + [ "$IPV6" != "off" ] && $IPT6 -t mangle -Z + + echo "...reseting IPTables counters is now finish : OK" + ;; + + restart) + + $0 stop + $0 start + ;; + + *) + + echo "Usage: $0 {start|stop|restart|status|reset|squid}" + exit 1 +esac + +exit 0 + diff --git a/minifirewall/files/minifirewall.conf b/minifirewall/files/minifirewall.conf new file mode 100644 index 00000000..12ea853f --- /dev/null +++ b/minifirewall/files/minifirewall.conf @@ -0,0 +1,99 @@ +# Configuration for minifirewall : https://forge.evolix.org/projects/minifirewall +# For fun, we keep last change from first CVS repository: +# version 0.1 - 12 juillet 2007 $Id: firewall.rc,v 1.2 2007/07/12 19:08:59 reg Exp $ + +# Main interface +INT='eth0' + +# IPv6 +IPV6=on + +# Trusted IPv4 local network +# ...will be often IP/32 if you don't trust anything +INTLAN='192.168.0.2/32' + +# Trusted IPv4 addresses for private and semi-public services +TRUSTEDIPS='62.212.121.90 88.179.18.233 31.170.8.4 31.170.9.129' + +# Privilegied IPv4 addresses for semi-public services +# (no need to add again TRUSTEDIPS) +PRIVILEGIEDIPS='' + + +# Local services IPv4/IPv6 restrictions +####################################### + +# Protected services +# (add also in Public services if needed) +SERVICESTCP1p='22' +SERVICESUDP1p='' + +# Public services (IPv4/IPv6) +SERVICESTCP1='25 53 443 993 995 2222' +SERVICESUDP1='53' + +# Semi-public services (IPv4) +SERVICESTCP2='20 21 22 80 110 143' +SERVICESUDP2='' + +# Private services (IPv4) +SERVICESTCP3='5666' +SERVICESUDP3='' + +# Standard output IPv4 access restrictions +########################################## + +# DNS authorizations +# (if you have local DNS server, set 0.0.0.0/0) +DNSSERVEURS='0.0.0.0/0' + +# HTTP authorizations +# (you can use DNS names but set cron to reload minifirewall regularly) +# (if you have HTTP proxy, set 0.0.0.0/0) +HTTPSITES='security.debian.org pub.evolix.net volatile.debian.org mirror.evolix.org backports.debian.org hwraid.le-vert.net zidane.evolix.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org' + +# HTTPS authorizations +HTTPSSITES='0.0.0.0/0' + +# FTP authorizations +FTPSITES='' + +# SSH authorizations +SSHOK='0.0.0.0/0' + +# SMTP authorizations +SMTPOK='0.0.0.0/0' + +# SMTP secure authorizations (ports TCP/465 and TCP/587) +SMTPSECUREOK='' + +# NTP authorizations +NTPOK='0.0.0.0/0' + + +# IPv6 Specific rules +##################### + +# Example: allow SSH from Trusted IPv6 addresses +/sbin/ip6tables -A INPUT -i $INT -p tcp --dport 22 -s 2a01:9500:37:129::/64 -j ACCEPT + +# Example: allow input HTTP/HTTPS/SMTP/DNS traffic +/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT +/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT +/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT +/sbin/ip6tables -A INPUT -i $INT -p udp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT +/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT + +# Example: allow output DNS, NTP and traceroute traffic +/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT +/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 123 --match state --state NEW -j ACCEPT +#/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT + +# Example: allow DHCPv6 +/sbin/ip6tables -A INPUT -i $INT -p udp --dport 546 -d fe80::/64 -j ACCEPT +/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 547 -j ACCEPT + +# IPv4 Specific rules +##################### + +# /sbin/iptables ... diff --git a/minifirewall/tasks/install.yml b/minifirewall/tasks/install.yml index 8e211fb9..47d72b44 100644 --- a/minifirewall/tasks/install.yml +++ b/minifirewall/tasks/install.yml @@ -1,37 +1,19 @@ --- -- name: clone git repository - git: - repo: "{{ minifirewall_git_url}}" - dest: "{{ minifirewall_checkout_path }}" - clone: yes - -# WARN: these tasks copy the file if there are not already there -# They don't update files. - -- name: is init script present? - stat: - path: /etc/init.d/minifirewall - check_mode: no - register: init_minifirewall - - name: init script is copied - command: "cp {{ minifirewall_checkout_path }}/minifirewall /etc/init.d/minifirewall" - when: not init_minifirewall.stat.exists - - -- name: is configuration present? - stat: - path: /etc/default/minifirewall - check_mode: no - register: default_minifirewall + copy: + src: minifirewall + dest: /etc/init.d/minifirewall + force: no + mode: "0700" + owner: root + group: root - name: configuration is copied - command: "cp {{ minifirewall_checkout_path }}/minifirewall.conf /etc/default/minifirewall" - when: not default_minifirewall.stat.exists - -- name: fix configuration rights - file: - path: /etc/default/minifirewall + copy: + src: minifirewall.conf + dest: /etc/default/minifirewall + force: no mode: "0600" - state: file + owner: root + group: root From aaded131763cb43da737f9b0c47d23ceadb0477c Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 28 Jul 2017 15:24:26 -0400 Subject: [PATCH 126/277] apache: add missing reload notifications --- apache/tasks/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index 7c4c8d40..a5ecf9fc 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -38,6 +38,7 @@ - expires - headers - cgi + notify: reload apache tags: - apache @@ -49,6 +50,7 @@ group: root mode: "0640" force: yes + notify: reload apache tags: - apache @@ -60,6 +62,7 @@ group: root mode: "0640" force: no + notify: reload apache tags: - apache @@ -70,6 +73,7 @@ with_items: - z-evolinux-defaults.conf - zzz-evolinux-custom.conf + notify: reload apache tags: - apache From 84fdd356fa888bb8b4e35003a8e12038759d9640 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 28 Jul 2017 15:27:34 -0400 Subject: [PATCH 127/277] apache: formatting --- apache/templates/evolinux-default.conf.j2 | 97 ++++++++++++----------- 1 file changed, 49 insertions(+), 48 deletions(-) diff --git a/apache/templates/evolinux-default.conf.j2 b/apache/templates/evolinux-default.conf.j2 index bc272364..cd107d2d 100644 --- a/apache/templates/evolinux-default.conf.j2 +++ b/apache/templates/evolinux-default.conf.j2 @@ -38,12 +38,12 @@ LogLevel warn - RewriteEngine on - # Redirect to HTTPS, execpt for munin, because some plugins - # can't handle HTTPS! :( - RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC] [OR] - RewriteCond %{REQUEST_URI} !^/munin_opcache.php$ [NC] - RewriteRule ^/(.*) https://{{ ansible_fqdn }}/$1 [L,R=permanent] + RewriteEngine on + # Redirect to HTTPS, execpt for munin, because some plugins + # can't handle HTTPS! :( + RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC] [OR] + RewriteCond %{REQUEST_URI} !^/munin_opcache.php$ [NC] + RewriteRule ^/(.*) https://{{ ansible_fqdn }}/$1 [L,R=permanent] @@ -52,53 +52,54 @@ - - ServerName {{ ansible_fqdn }} - #ServerAlias {{ ansible_fqdn }} + + ServerName {{ ansible_fqdn }} + #ServerAlias {{ ansible_fqdn }} - DocumentRoot /var/www/ + DocumentRoot /var/www/ - - Include /etc/apache2/private_ipaddr_whitelist.conf - - - Options -Indexes - Require all denied - Include /etc/apache2/private_ipaddr_whitelist.conf - + + Include /etc/apache2/private_ipaddr_whitelist.conf + + + Options -Indexes + Require all denied + Include /etc/apache2/private_ipaddr_whitelist.conf + - SSLEngine on - SSLCertificateFile {{ apache_evolinux_default_ssl_cert }} - SSLCertificateKeyFile {{ apache_evolinux_default_ssl_key }} + SSLEngine on + SSLCertificateFile {{ apache_evolinux_default_ssl_cert }} + SSLCertificateKeyFile {{ apache_evolinux_default_ssl_key }} - # We override these 2 Directory directives setted in apache2.conf. - # We want no access except from allowed IP address. - - Include /etc/apache2/private_ipaddr_whitelist.conf - + # We override these 2 Directory directives setted in apache2.conf. + # We want no access except from allowed IP address. + + Include /etc/apache2/private_ipaddr_whitelist.conf + - # Munin. We need to set Directory directive as Alias take precedence. - Alias /munin /var/cache/munin/www - - Require all denied - Include /etc/apache2/private_ipaddr_whitelist.conf - - - Options -Indexes - Require all denied - Include /etc/apache2/private_ipaddr_whitelist.conf - + # Munin. We need to set Directory directive as Alias take precedence. + Alias /munin /var/cache/munin/www + + Require all denied + Include /etc/apache2/private_ipaddr_whitelist.conf + + + Options -Indexes + Require all denied + Include /etc/apache2/private_ipaddr_whitelist.conf + - # For CGI Scripts. We need to set Directory directive as ScriptAlias take precedence. - ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ - - Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch - Require all denied - Include /etc/apache2/private_ipaddr_whitelist.conf - + # For CGI Scripts. We need to set Directory directive as ScriptAlias take precedence. + ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ + + Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch + Require all denied + Include /etc/apache2/private_ipaddr_whitelist.conf + - CustomLog /var/log/apache2/access.log vhost_combined - ErrorLog /var/log/apache2/error.log - LogLevel warn - + CustomLog /var/log/apache2/access.log vhost_combined + ErrorLog /var/log/apache2/error.log + LogLevel warn + + From e90d8ceec3a13e741f59a35b261dde6fa7c194b8 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 28 Jul 2017 15:28:03 -0400 Subject: [PATCH 128/277] apache: "Require local" instead of "Require ip 127.0.0.1" --- apache/templates/evolinux-default.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apache/templates/evolinux-default.conf.j2 b/apache/templates/evolinux-default.conf.j2 index cd107d2d..48fec271 100644 --- a/apache/templates/evolinux-default.conf.j2 +++ b/apache/templates/evolinux-default.conf.j2 @@ -47,7 +47,7 @@ - Require ip 127.0.0.1 + Require local From 03aae520e883fa76dc9312208293290b3a23f5d7 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 28 Jul 2017 15:28:19 -0400 Subject: [PATCH 129/277] apache: server-status only for default vhost --- apache/files/evolinux-defaults.conf | 7 +++++++ apache/tasks/main.yml | 6 ++++++ apache/templates/evolinux-default.conf.j2 | 17 +++++++++++++++++ 3 files changed, 30 insertions(+) diff --git a/apache/files/evolinux-defaults.conf b/apache/files/evolinux-defaults.conf index ca02d032..e4f1f512 100644 --- a/apache/files/evolinux-defaults.conf +++ b/apache/files/evolinux-defaults.conf @@ -22,3 +22,10 @@ SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4 Require all denied + + + ExtendedStatus On + + ProxyStatus On + + diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index a5ecf9fc..2c919a41 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -66,6 +66,12 @@ tags: - apache +- name: disable status.conf + file: + dest: /etc/apache2/mods-enabled/status.conf + state: absent + notify: reload apache + - name: Ensure Apache config files are enabled command: "a2enconf {{ item }}" register: command_result diff --git a/apache/templates/evolinux-default.conf.j2 b/apache/templates/evolinux-default.conf.j2 index 48fec271..a1f681e4 100644 --- a/apache/templates/evolinux-default.conf.j2 +++ b/apache/templates/evolinux-default.conf.j2 @@ -49,6 +49,15 @@ Require local + + + + SetHandler server-status + include /etc/apache2/private_ipaddr_whitelist.conf + Require local + + + @@ -101,5 +110,13 @@ ErrorLog /var/log/apache2/error.log LogLevel warn + + + SetHandler server-status + include /etc/apache2/private_ipaddr_whitelist.conf + Require local + + + From b71db80afeec3158833819c1e35be9705bc63546 Mon Sep 17 00:00:00 2001 From: Romain Dessort Date: Thu, 3 Aug 2017 15:18:30 -0400 Subject: [PATCH 130/277] Move variable file to defaults/ --- munin/{vars => defaults}/main.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename munin/{vars => defaults}/main.yml (100%) diff --git a/munin/vars/main.yml b/munin/defaults/main.yml similarity index 100% rename from munin/vars/main.yml rename to munin/defaults/main.yml From b8894cc50948d08100a5b9255aa2bffd2fe8faf7 Mon Sep 17 00:00:00 2001 From: Romain Dessort Date: Thu, 3 Aug 2017 16:15:27 -0400 Subject: [PATCH 131/277] Remount /usr rw before writing on it --- evoadmin/tasks/remount_usr_rw.yml | 15 +++++++++++++++ evoadmin/tasks/user.yml | 3 +++ 2 files changed, 18 insertions(+) create mode 100644 evoadmin/tasks/remount_usr_rw.yml diff --git a/evoadmin/tasks/remount_usr_rw.yml b/evoadmin/tasks/remount_usr_rw.yml new file mode 100644 index 00000000..8c51aee2 --- /dev/null +++ b/evoadmin/tasks/remount_usr_rw.yml @@ -0,0 +1,15 @@ +--- +- name: Get mount options for partitions + shell: "mount | grep 'on /usr type'" + args: + warn: no + register: mount + changed_when: False + failed_when: False + when: not ansible_check_mode + +- name: Remount /usr if it is a partition and it is not mounted in rw + command: "mount -o remount,rw /usr" + when: mount.rc == 0 and not mount.stdout_lines.0 | search("rw") + args: + warn: no diff --git a/evoadmin/tasks/user.yml b/evoadmin/tasks/user.yml index e3442cd1..8023777d 100644 --- a/evoadmin/tasks/user.yml +++ b/evoadmin/tasks/user.yml @@ -25,6 +25,9 @@ # Warning: Need sudo! become_user: "{{ evoadmin_username }}" +- include: remount_usr_rw.yml + when: evoadmin_scripts_dir | search ("/usr") + - name: "Create {{ evoadmin_scripts_dir }}" file: dest: "{{ evoadmin_scripts_dir }}" From ce0644e976463fd7bda8ff5d263244c3234fa4ca Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Fri, 4 Aug 2017 09:52:51 -0400 Subject: [PATCH 132/277] copy general_alert_email/log2mail_alert_email to Apache role --- apache/README.md | 1 + apache/defaults/main.yml | 3 +++ packweb-apache/README.md | 2 +- packweb-apache/defaults/main.yml | 1 - 4 files changed, 5 insertions(+), 2 deletions(-) diff --git a/apache/README.md b/apache/README.md index bd45539b..66804981 100644 --- a/apache/README.md +++ b/apache/README.md @@ -14,5 +14,6 @@ Main variables are : * `apache_private_ipaddr_whitelist_absent` : list of IP addresses **not** to have in the whitelist; * `apache_private_htpasswd_present` : list of users to have in the private htpasswd ; * `apache_private_htpasswd_absent` : list of users to **not** have in the private htpasswd. +* `log2mail_alert_email`: email address to send Log2mail messages to (default: `general_alert_email`). The full list of variables (with default values) can be found in `defaults/main.yml`. diff --git a/apache/defaults/main.yml b/apache/defaults/main.yml index 65048f14..810a0676 100644 --- a/apache/defaults/main.yml +++ b/apache/defaults/main.yml @@ -12,3 +12,6 @@ apache_evolinux_default_ssl_key: /etc/ssl/private/ssl-cert-snakeoil.key apache_phpmyadmin_set: False apache_phpmyadmin_suffix: "" apache_serverstatus_suffix: "" + +general_alert_email: "root@localhost" +log2mail_alert_email: Null diff --git a/packweb-apache/README.md b/packweb-apache/README.md index a8bae5f0..d3f3f5b6 100644 --- a/packweb-apache/README.md +++ b/packweb-apache/README.md @@ -10,6 +10,6 @@ Everything is in the `tasks/main.yml` file for now. Main variables are : -* `log2mail_alert_email`: email address to send Log2mail messages to (default: `general_alert_email`). +* `packweb_enable_evoadmin_vhost` : enable VirtualHost for evoadmin (web interface to create web accounts) The full list of variables (with default values) can be found in `defaults/main.yml`. diff --git a/packweb-apache/defaults/main.yml b/packweb-apache/defaults/main.yml index 0301183f..9457fd8a 100644 --- a/packweb-apache/defaults/main.yml +++ b/packweb-apache/defaults/main.yml @@ -1,5 +1,4 @@ --- # defaults file for packweb-apache general_alert_email: "root@localhost" -log2mail_alert_email: Null packweb_enable_evoadmin_vhost: True From 6bf818b52d48faef7c394112e1ae27911434c25c Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 3 Aug 2017 15:16:23 -0400 Subject: [PATCH 133/277] fix: path is 2.3+ only --- docker-host/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-host/tasks/main.yml b/docker-host/tasks/main.yml index 39c8f578..6fc0b28c 100644 --- a/docker-host/tasks/main.yml +++ b/docker-host/tasks/main.yml @@ -53,7 +53,7 @@ - name: Remove options from docker systemd service lineinfile: - path: /lib/systemd/system/docker.service + dest: /lib/systemd/system/docker.service regexp: '^ExecStart=' line: 'ExecStart=/usr/bin/dockerd' From 3bd758759e7f8a61b7add68f157d30d273773be9 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 4 Aug 2017 10:46:00 -0400 Subject: [PATCH 134/277] admin-users: add users to sudo group for Stretch --- admin-users/tasks/debian/user.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/admin-users/tasks/debian/user.yml b/admin-users/tasks/debian/user.yml index c47fbdfc..10e4980c 100644 --- a/admin-users/tasks/debian/user.yml +++ b/admin-users/tasks/debian/user.yml @@ -28,6 +28,13 @@ update_password: on_create when: uidisbusy.rc == 0 +- name: "Add user to sudo group (Stretch)" + user: + name: '{{ user.name }}' + groups: sudo + append: yes + when: ansible_distribution_release == "stretch" + - name: "Fix perms on homedirectory for '{{ user.name }}'" file: name: '/home/{{ user.name }}' From 15e7c72a23a528b651d865f6d8e8c6d9c5c1a9d9 Mon Sep 17 00:00:00 2001 From: Romain Dessort Date: Fri, 4 Aug 2017 10:48:37 -0400 Subject: [PATCH 135/277] Fix systemd handler to restart elasticsearch with systemd --- elasticsearch/handlers/main.yml | 7 ++----- elasticsearch/tasks/bootstrap_checks.yml | 2 +- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/elasticsearch/handlers/main.yml b/elasticsearch/handlers/main.yml index e1249341..c8a57b70 100644 --- a/elasticsearch/handlers/main.yml +++ b/elasticsearch/handlers/main.yml @@ -1,10 +1,7 @@ --- - name: restart elasticsearch - service: - name: elasticsearch - state: restarted - -- name: reload elasticsearch unit systemd: daemon_reload: yes + name: elasticsearch + state: restarted diff --git a/elasticsearch/tasks/bootstrap_checks.yml b/elasticsearch/tasks/bootstrap_checks.yml index b7d6547d..a79204b2 100644 --- a/elasticsearch/tasks/bootstrap_checks.yml +++ b/elasticsearch/tasks/bootstrap_checks.yml @@ -38,6 +38,6 @@ option: "LimitMEMLOCK" value: "infinity" notify: - - reload elasticsearch unit + - restart elasticsearch tags: - config From 3b03b8a74b82ce0a43807743925f8622b006a776 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Thu, 3 Aug 2017 22:13:50 +0200 Subject: [PATCH 136/277] php-fpm: support for Debian > 8 --- php-fpm/tasks/main.yml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/php-fpm/tasks/main.yml b/php-fpm/tasks/main.yml index 3131af3b..f05ae125 100644 --- a/php-fpm/tasks/main.yml +++ b/php-fpm/tasks/main.yml @@ -1,4 +1,15 @@ -- name: ensure packages are installed +- name: Ensure php5-fpm package is installed apt: name: php5-fpm state: present + when: ansible_distribution_major_version | version_compare('8', '<=') + tags: + - php-fpm + +- name: Ensure php-fpm packages is installed + apt: + name: php-fpm + state: present + when: ansible_distribution_major_version | version_compare('9', '>=') + tags: + - php-fpm From ab0e7b010b2238145831945b0a0c1cd94fcd1b20 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 4 Aug 2017 18:53:08 +0200 Subject: [PATCH 137/277] nginx: fix link to default vhost --- nginx/tasks/main_regular.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx/tasks/main_regular.yml b/nginx/tasks/main_regular.yml index 7f11ed32..bc58503b 100644 --- a/nginx/tasks/main_regular.yml +++ b/nginx/tasks/main_regular.yml @@ -119,7 +119,7 @@ - name: default vhost is enabled file: src: /etc/nginx/sites-available/evolinux-default.conf - dest: /etc/nginx/sites-enabled/default.conf + dest: /etc/nginx/sites-enabled/default state: link force: yes notify: reload nginx From f75601a7ceefe3013040cc0b8fa0bd2bdf724d75 Mon Sep 17 00:00:00 2001 From: Romain Dessort Date: Fri, 4 Aug 2017 18:17:56 -0400 Subject: [PATCH 138/277] Fix permission on nrpe.d/evolix.cfg --- nagios-nrpe/tasks/debian.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nagios-nrpe/tasks/debian.yml b/nagios-nrpe/tasks/debian.yml index d50bc533..dbb73903 100644 --- a/nagios-nrpe/tasks/debian.yml +++ b/nagios-nrpe/tasks/debian.yml @@ -15,6 +15,8 @@ template: src: evolix.cfg.j2 dest: /etc/nagios/nrpe.d/evolix.cfg + group: nagios + mode: "0640" notify: restart nagios-nrpe-server - name: Nagios config is secured From db2b418be478f3289432e2f8d44effbd057224f1 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 4 Aug 2017 18:08:41 -0400 Subject: [PATCH 139/277] evolinux-base: fix typo in README --- evolinux-base/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evolinux-base/README.md b/evolinux-base/README.md index 7e51066c..abd70e7d 100644 --- a/evolinux-base/README.md +++ b/evolinux-base/README.md @@ -21,7 +21,7 @@ Various tasks for Evolinux setup. ## Available variables -Each tasks group is included in the `main.yml` file with a condition based on a variable like `evolinux_hostname_include` (mostly `True` by default). The variables can be set to `False` to disable a . Finer grained tasks disabling is done in each group of tasks. +Each tasks group is included in the `main.yml` file with a condition based on a variable like `evolinux_hostname_include` (mostly `True` by default). The variables can be set to `False` to disable a task group. Finer grained tasks disabling is done in each group of tasks. Main variables are: From 4b8456c5b7773ac7648435c844368a92ea65da99 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 5 Aug 2017 12:13:24 -0400 Subject: [PATCH 140/277] Fix ssh security policy --- admin-users/defaults/main.yml | 1 + admin-users/tasks/debian/ssh.yml | 2 +- admin-users/tasks/debian/user.yml | 6 ++- evolinux-base/tasks/ssh.yml | 62 +++++++++++++++++++++---------- 4 files changed, 49 insertions(+), 22 deletions(-) diff --git a/admin-users/defaults/main.yml b/admin-users/defaults/main.yml index e0c1ff04..ad5f42cb 100644 --- a/admin-users/defaults/main.yml +++ b/admin-users/defaults/main.yml @@ -1,2 +1,3 @@ --- admin_users: {} +admin_users_group: adm diff --git a/admin-users/tasks/debian/ssh.yml b/admin-users/tasks/debian/ssh.yml index 0ee7d2d8..d74a51f2 100644 --- a/admin-users/tasks/debian/ssh.yml +++ b/admin-users/tasks/debian/ssh.yml @@ -27,7 +27,7 @@ lineinfile: dest: /etc/ssh/sshd_config line: "\nAllowUsers {{ user.name }}" - insertafter: '^# ForceCommand cvs server' + insertafter: 'Subsystem' validate: '/usr/sbin/sshd -T -f %s' notify: reload sshd when: grep_allowusers_ssh.rc != 0 diff --git a/admin-users/tasks/debian/user.yml b/admin-users/tasks/debian/user.yml index 10e4980c..7de5b778 100644 --- a/admin-users/tasks/debian/user.yml +++ b/admin-users/tasks/debian/user.yml @@ -28,10 +28,14 @@ update_password: on_create when: uidisbusy.rc == 0 +- name: "Create {{ admin_users_group }}" + group: + name: "{{ admin_users_group }}" + - name: "Add user to sudo group (Stretch)" user: name: '{{ user.name }}' - groups: sudo + groups: 'sudo,{{ admin_users_group }}' append: yes when: ansible_distribution_release == "stretch" diff --git a/evolinux-base/tasks/ssh.yml b/evolinux-base/tasks/ssh.yml index d74dcef3..6f79c982 100644 --- a/evolinux-base/tasks/ssh.yml +++ b/evolinux-base/tasks/ssh.yml @@ -1,29 +1,51 @@ --- -- name: verify Match Address directive - command: "grep 'Match Address' /etc/ssh/sshd_config" - changed_when: False - failed_when: False - check_mode: no - register: grep_matchaddress_ssh - -- name: Add Match Address sshd directive - lineinfile: +- name: Security directives for Evolinux + blockinfile: dest: /etc/ssh/sshd_config - line: "\nMatch Address {{ evolinux_ssh_password_auth_addresses | join(',') }}\n PasswordAuthentication yes" + block: | + Match Group sudo + PasswordAuthentication no + Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }} + PasswordAuthentication yes + marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS" + insertafter: EOF validate: '/usr/sbin/sshd -T -f %s' notify: reload sshd - when: evolinux_ssh_match_address and grep_matchaddress_ssh.rc != 0 and evolinux_ssh_password_auth_addresses != [] -- name: Modify Match Address sshd directive - replace: - dest: /etc/ssh/sshd_config - regexp: '^(Match Address ((?!{{ item }}).)*)$' - replace: '\1,{{ item }}' - validate: '/usr/sbin/sshd -T -f %s' - with_items: "{{ evolinux_ssh_password_auth_addresses }}" - notify: reload sshd - when: evolinux_ssh_match_address and grep_matchaddress_ssh.rc == 0 +# - name: verify Match Address directive +# command: "grep 'Match Address' /etc/ssh/sshd_config" +# changed_when: False +# failed_when: False +# check_mode: no +# register: grep_matchaddress_ssh +# +# - name: Add Match Address sshd directive +# lineinfile: +# dest: /etc/ssh/sshd_config +# line: "\nMatch Address {{ evolinux_ssh_password_auth_addresses | join(',') }}\n PasswordAuthentication yes" +# insertafter: '# +ForceCommand cvs server' +# validate: '/usr/sbin/sshd -T -f %s' +# notify: reload sshd +# when: evolinux_ssh_match_address and grep_matchaddress_ssh.rc != 0 and evolinux_ssh_password_auth_addresses != [] +# +# - name: Modify Match Address sshd directive +# replace: +# dest: /etc/ssh/sshd_config +# regexp: '^(Match Address ((?!{{ item }}).)*)$' +# replace: '\1,{{ item }}' +# validate: '/usr/sbin/sshd -T -f %s' +# with_items: "{{ evolinux_ssh_password_auth_addresses }}" +# notify: reload sshd +# when: evolinux_ssh_match_address and grep_matchaddress_ssh.rc == 0 +# +# - name: Add Match Group sudo without password +# lineinfile: +# dest: /etc/ssh/sshd_config +# line: "\nMatch Group sudo\n PasswordAuthentication no" +# insertbefore: '^Match Address' +# validate: '/usr/sbin/sshd -T -f %s' +# notify: reload sshd - name: disable SSH access for root replace: From 1bcd24a4c19c626975e7a6555630216b8e69b3df Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 9 Aug 2017 00:24:12 -0400 Subject: [PATCH 141/277] admin-users: remove openbsd mentions --- admin-users/tasks/{debian/main.yml => admin_user.yml} | 0 admin-users/tasks/main.yml | 8 ++------ admin-users/tasks/{debian => }/profile.yml | 0 admin-users/tasks/{debian => }/ssh.yml | 0 admin-users/tasks/{debian => }/sudo.yml | 0 admin-users/tasks/{debian => }/user.yml | 0 6 files changed, 2 insertions(+), 6 deletions(-) rename admin-users/tasks/{debian/main.yml => admin_user.yml} (100%) rename admin-users/tasks/{debian => }/profile.yml (100%) rename admin-users/tasks/{debian => }/ssh.yml (100%) rename admin-users/tasks/{debian => }/sudo.yml (100%) rename admin-users/tasks/{debian => }/user.yml (100%) diff --git a/admin-users/tasks/debian/main.yml b/admin-users/tasks/admin_user.yml similarity index 100% rename from admin-users/tasks/debian/main.yml rename to admin-users/tasks/admin_user.yml diff --git a/admin-users/tasks/main.yml b/admin-users/tasks/main.yml index 54e2fc53..c7eeaf39 100644 --- a/admin-users/tasks/main.yml +++ b/admin-users/tasks/main.yml @@ -4,12 +4,8 @@ msg: "Warning: empty 'admin_users' variable, tasks will be skipped!" when: admin_users == {} -- include: debian/main.yml +- include: admin_user.yml vars: user: "{{ item.value }}" with_dict: "{{ admin_users }}" - when: ansible_distribution == "Debian" and admin_users != {} - -# - include: openbsd/main.yml user={{ item.value }} -# with_dict: "{{ admin_users }}" -# when: ansible_distribution == "OpenBSD" and admin_users != {} + when: admin_users != {} diff --git a/admin-users/tasks/debian/profile.yml b/admin-users/tasks/profile.yml similarity index 100% rename from admin-users/tasks/debian/profile.yml rename to admin-users/tasks/profile.yml diff --git a/admin-users/tasks/debian/ssh.yml b/admin-users/tasks/ssh.yml similarity index 100% rename from admin-users/tasks/debian/ssh.yml rename to admin-users/tasks/ssh.yml diff --git a/admin-users/tasks/debian/sudo.yml b/admin-users/tasks/sudo.yml similarity index 100% rename from admin-users/tasks/debian/sudo.yml rename to admin-users/tasks/sudo.yml diff --git a/admin-users/tasks/debian/user.yml b/admin-users/tasks/user.yml similarity index 100% rename from admin-users/tasks/debian/user.yml rename to admin-users/tasks/user.yml From e02e116002babc12c41e2ee83bf10b08f96720ae Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 9 Aug 2017 01:18:20 -0400 Subject: [PATCH 142/277] docker-host: fix a bad path --- docker-host/tasks/jessie_backports.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-host/tasks/jessie_backports.yml b/docker-host/tasks/jessie_backports.yml index 0284a859..727ee7c8 100644 --- a/docker-host/tasks/jessie_backports.yml +++ b/docker-host/tasks/jessie_backports.yml @@ -7,7 +7,7 @@ - name: Prefer python-docker package from jessie-backports copy: - src: apt/docker_preferences + src: docker_preferences dest: /etc/apt/preferences.d/999-docker force: yes mode: "0640" From 1b32be19c07a01d57dd44543070ae55118c54f24 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 12 Aug 2017 11:39:33 -0400 Subject: [PATCH 143/277] mysql script directory is a variable --- mysql/tasks/utils.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/mysql/tasks/utils.yml b/mysql/tasks/utils.yml index 262dcd0f..eafb9068 100644 --- a/mysql/tasks/utils.yml +++ b/mysql/tasks/utils.yml @@ -1,8 +1,8 @@ --- -- name: Ensure /usr/share/scripts exists +- name: Ensure scripts directory exists file: - dest: /usr/share/scripts + dest: "{{ mysql_scripts_dir or general_scripts_dir | mandatory }}" mode: "0700" state: directory tags: From 213ad5a606ce942f1fa98f46243ce33b9463fa34 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 12 Aug 2017 12:10:21 -0400 Subject: [PATCH 144/277] mysql: log2mail config is owned by log2mail group --- mysql/tasks/log2mail.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/mysql/tasks/log2mail.yml b/mysql/tasks/log2mail.yml index fb256d26..568b6649 100644 --- a/mysql/tasks/log2mail.yml +++ b/mysql/tasks/log2mail.yml @@ -13,6 +13,8 @@ template: src: log2mail.j2 dest: /etc/log2mail/config/mysql.conf + owner: log2mail + group: adm mode: "0640" when: log2mail_config_dir.stat.exists tags: From a8570456614a82b4cb430393cbc87f041fba22e1 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 12 Aug 2017 12:11:13 -0400 Subject: [PATCH 145/277] mysql: use apg for passwords --- mysql/tasks/nrpe.yml | 2 +- mysql/tasks/users_jessie.yml | 2 +- mysql/tasks/users_stretch.yml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/mysql/tasks/nrpe.yml b/mysql/tasks/nrpe.yml index 7cebcf50..be18a966 100644 --- a/mysql/tasks/nrpe.yml +++ b/mysql/tasks/nrpe.yml @@ -20,7 +20,7 @@ - block: - name: Create a password for NRPE - shell: perl -e 'print map{("a".."z","A".."Z",0..9)[int(rand(62))]}(1..16)' + command: "apg -n 1 -m 16 -M lcN" register: mysql_nrpe_password changed_when: False diff --git a/mysql/tasks/users_jessie.yml b/mysql/tasks/users_jessie.yml index 4d225317..a8c22cf8 100644 --- a/mysql/tasks/users_jessie.yml +++ b/mysql/tasks/users_jessie.yml @@ -10,7 +10,7 @@ - mysql - name: create a password for mysqladmin - shell: perl -e 'print map{("a".."z","A".."Z",0..9)[int(rand(62))]}(1..16)' + command: "apg -n 1 -m 16 -M lcN" register: mysql_admin_password changed_when: False tags: diff --git a/mysql/tasks/users_stretch.yml b/mysql/tasks/users_stretch.yml index 0a3238eb..c57bd3ae 100644 --- a/mysql/tasks/users_stretch.yml +++ b/mysql/tasks/users_stretch.yml @@ -10,7 +10,7 @@ - mysql - name: create a password for mysqladmin - shell: perl -e 'print map{("a".."z","A".."Z",0..9)[int(rand(62))]}(1..16)' + command: "apg -n 1 -m 16 -M lcN" register: mysql_admin_password changed_when: False tags: @@ -45,7 +45,7 @@ - name: create a password for debian-sys-maint - shell: perl -e 'print map{("a".."z","A".."Z",0..9)[int(rand(62))]}(1..16)' + command: "apg -n 1 -m 16 -M lcN" register: mysql_debian_password changed_when: False tags: From 7d8c1988490ba1fa90f0a4ab257c5bec547edbda Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 12 Aug 2017 12:13:35 -0400 Subject: [PATCH 146/277] mysql: split packages tasks by release --- mysql/tasks/main.yml | 6 ++- .../{packages.yml => packages_jessie.yml} | 0 mysql/tasks/packages_stretch.yml | 37 +++++++++++++++++++ 3 files changed, 42 insertions(+), 1 deletion(-) rename mysql/tasks/{packages.yml => packages_jessie.yml} (100%) create mode 100644 mysql/tasks/packages_stretch.yml diff --git a/mysql/tasks/main.yml b/mysql/tasks/main.yml index ca3f0571..be64360c 100644 --- a/mysql/tasks/main.yml +++ b/mysql/tasks/main.yml @@ -1,6 +1,10 @@ --- -- include: packages.yml +- include: packages_stretch.yml + when: ansible_distribution_release == "stretch" + +- include: packages_jessie.yml + when: ansible_distribution_release == "jessie" - include: users_stretch.yml when: ansible_distribution_release == "stretch" diff --git a/mysql/tasks/packages.yml b/mysql/tasks/packages_jessie.yml similarity index 100% rename from mysql/tasks/packages.yml rename to mysql/tasks/packages_jessie.yml diff --git a/mysql/tasks/packages_stretch.yml b/mysql/tasks/packages_stretch.yml new file mode 100644 index 00000000..d5645bea --- /dev/null +++ b/mysql/tasks/packages_stretch.yml @@ -0,0 +1,37 @@ +--- + +- name: Choose packages + set_fact: + mysql_packages: "{{ item }}" + with_items: + - mariadb-server + - mariadb-client + tags: + - mysql + - packages + +- name: Install MySQL packages + apt: + name: '{{ item }}' + update_cache: yes + state: present + with_items: "{{ mysql_packages }}" + tags: + - mysql + - packages + +- name: MySQL is started + service: + name: mysql + state: started + tags: + - mysql + - services + +- name: apg package is installed + apt: + name: apg + state: present + tags: + - mysql + - packages From 574cf3ab44a26227a776676b7954b07ecb532bb1 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 12 Aug 2017 12:23:44 -0400 Subject: [PATCH 147/277] mysql: install mysqltuner from packages --- mysql/tasks/utils.yml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/mysql/tasks/utils.yml b/mysql/tasks/utils.yml index eafb9068..20b62581 100644 --- a/mysql/tasks/utils.yml +++ b/mysql/tasks/utils.yml @@ -52,13 +52,17 @@ when: (mysql_scripts_dir or general_scripts_dir) | search ("/usr") - name: Install mysqltuner - copy: - src: mysqltuner.pl - dest: "{{ mysql_scripts_dir or general_scripts_dir | mandatory }}/mysqltuner.pl" - mode: "0700" + # copy: + # src: mysqltuner.pl + # dest: "{{ mysql_scripts_dir or general_scripts_dir | mandatory }}/mysqltuner.pl" + # mode: "0700" + apt: + name: mysqltuner + state: present tags: - mysql - mysqltuner + - mysqltuner - name: Install aha apt: From d15bcc168e25a49c708a320880fa87b45d9857f5 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 12 Aug 2017 12:24:14 -0400 Subject: [PATCH 148/277] mysql: fix mysql optimize tasks --- mysql/tasks/utils.yml | 28 ++++++++++++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) diff --git a/mysql/tasks/utils.yml b/mysql/tasks/utils.yml index 20b62581..7fae0c97 100644 --- a/mysql/tasks/utils.yml +++ b/mysql/tasks/utils.yml @@ -83,7 +83,7 @@ tags: - mysql -- name: "Cron dir is present" +- name: "Cron dir for optimize is present" file: path: "/etc/cron.{{ mysql_cron_optimize_frequency | mandatory }}" state: directory @@ -102,12 +102,36 @@ - name: "Disable cron to optimize MySQL" file: - dest: /etc/cron.weekly/mysql-optimize.sh + dest: /etc/cron.{{ mysql_cron_optimize_frequency | mandatory }}/mysql-optimize.sh state: absent when: not mysql_cron_optimize tags: - mysql +- name: "Cron dir for mysqltuner is present" + file: + path: "/etc/cron.{{ mysql_cron_mysqltuner_frequency | mandatory }}" + state: directory + mode: "0755" + owner: root + group: root + +- name: "Enable mysqltuner in cron" + copy: + src: mysqltuner.cron.sh + dest: /etc/cron.{{ mysql_cron_mysqltuner_frequency | mandatory }}/mysqltuner.sh + when: mysql_cron_mysqltuner + tags: + - mysql + +- name: "Disable mysqltuner in cron" + file: + dest: /etc/cron.{{ mysql_cron_mysqltuner_frequency | mandatory }}/mysqltuner.sh + state: absent + when: not mysql_cron_mysqltuner + tags: + - mysql + # my-add.sh - include: remount_usr_rw.yml From efa7e288dd48581759e1b000ab23b28026c4db70 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 12 Aug 2017 12:25:07 -0400 Subject: [PATCH 149/277] mysql: install cron task for mysqltuer --- mysql/defaults/main.yml | 3 ++ mysql/files/mysqltuner.cron.sh | 50 ++++++++++++++++++++++++++++++++++ 2 files changed, 53 insertions(+) create mode 100644 mysql/files/mysqltuner.cron.sh diff --git a/mysql/defaults/main.yml b/mysql/defaults/main.yml index 3c2bbeb6..b84e59ec 100644 --- a/mysql/defaults/main.yml +++ b/mysql/defaults/main.yml @@ -18,4 +18,7 @@ mysql_innodb_buffer_pool_size: '{{ (ansible_memtotal_mb * 0.3) | int }}M' mysql_cron_optimize: True mysql_cron_optimize_frequency: weekly +mysql_cron_mysqltuner: True +mysql_cron_mysqltuner_frequency: monthly + mysql_force_new_nrpe_password: False diff --git a/mysql/files/mysqltuner.cron.sh b/mysql/files/mysqltuner.cron.sh new file mode 100644 index 00000000..5424aa90 --- /dev/null +++ b/mysql/files/mysqltuner.cron.sh @@ -0,0 +1,50 @@ +#!/bin/bash +set -e +export TERM=screen + +mem=$(free -m | grep Mem: | tr -s ' ' | cut -d ' ' -f2) +swap=$(free -m | grep Swap: | tr -s ' ' | cut -d ' ' -f2) +template=$(mktemp --tmpdir=/tmp evomysqltuner.XXX) +body=$(mktemp --tmpdir=/tmp evomysqltuner.XXX) +clientmail=$(grep EVOMAINTMAIL /etc/evomaintenance.cf | cut -d'=' -f2) +hostname=$(grep HOSTNAME /etc/evomaintenance.cf | cut -d'=' -f2) +hostname=${hostname%%.evolix.net} +# If hostname is composed with -, remove the first part. +if [[ $hostname =~ "-" ]]; then + hostname=$(echo $hostname | cut -d'-' -f2-) +fi + +# Remove temporary files on exit. +trap "rm $template $body" EXIT + +# Add port here if you have more than one instance! +instances="3306" +for instance in $instances; do + mysqltuner --port $instance --host 127.0.0.1 --forcemem $mem --forceswap $swap \ + | aha > /var/www/mysqlreport_${instance}.html + cat << EOT > $template +Content-Type: text/plain; charset="utf-8" +Reply-To: Équipe Evolix +From: Équipe Evolix +To: $clientmail +Subject: Rapport MySQL instance $instance pour votre serveur $hostname +EOT + cat << EOT > $body +Bonjour, + +Veuillez trouver ci-joint un rapport MySQL. +Celui-ci permet d'identifier aisément si des optimisations MySQL sont possibles. + +N'hésitez pas à nous indiquer par mail ou ticket quelles variables vous souhaiter +optimiser. + +Veuillez noter qu'il faudra redémarrer MySQL pour appliquer de nouveaux paramètres. + +Bien à vous, +-- +Rapport automatique Evolix +EOT + mutt -x -e 'set send_charset="utf-8"' -H $template \ + -a /var/www/mysqlreport_${instance}.html < $body +done +chmod 644 /var/www/mysqlreport*html From 69ed3ecf05cff425a4b3e8c261bc6202a7cd152a Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 12 Aug 2017 12:35:37 -0400 Subject: [PATCH 150/277] apache: fix log2mail config permissions --- apache/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index 2c919a41..f503d9b3 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -148,8 +148,8 @@ template: src: log2mail-apache.j2 dest: "/etc/log2mail/config/apache" - owner: root - group: root + owner: log2mail + group: adm mode: "0644" force: no From a4b917152d40400009bd4a56a811dbbad13c5ac8 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 12 Aug 2017 12:51:15 -0400 Subject: [PATCH 151/277] apache: cleanup munin tasks --- apache/defaults/main.yml | 2 ++ apache/handlers/main.yml | 5 +++++ apache/tasks/main.yml | 3 +++ apache/tasks/munin.yml | 23 +++++++++++++++++++++++ 4 files changed, 33 insertions(+) create mode 100644 apache/tasks/munin.yml diff --git a/apache/defaults/main.yml b/apache/defaults/main.yml index 810a0676..d7d5fb25 100644 --- a/apache/defaults/main.yml +++ b/apache/defaults/main.yml @@ -13,5 +13,7 @@ apache_phpmyadmin_set: False apache_phpmyadmin_suffix: "" apache_serverstatus_suffix: "" +apache_munin_include: True + general_alert_email: "root@localhost" log2mail_alert_email: Null diff --git a/apache/handlers/main.yml b/apache/handlers/main.yml index af4d94d2..09fa8b02 100644 --- a/apache/handlers/main.yml +++ b/apache/handlers/main.yml @@ -8,3 +8,8 @@ service: name: apache2 state: reloaded + +- name: reload munin-node + service: + name: munin-node + state: reloaded diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index f503d9b3..3ba54c7e 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -169,3 +169,6 @@ # dest: /var/www/index.html # regexp: '__SERVERSTATUS_SUFFIX__' # replace: "{{ apache_serverstatus_suffix }}" + +- include: munin.yml + when: apache_munin_include diff --git a/apache/tasks/munin.yml b/apache/tasks/munin.yml new file mode 100644 index 00000000..85f0b386 --- /dev/null +++ b/apache/tasks/munin.yml @@ -0,0 +1,23 @@ +--- + +- name: munin-node and core plugins are installed + apt: + name: "{{ item }}" + state: installed + with_items: + - munin-node + - munin-plugins-core + +- name: enable munin plugins + file: + src: "/usr/share/munin/plugins/{{ item }}" + dest: "/etc/munin/plugins/{{ item }}" + state: link + with_items: + - apache_accesses + - apache_processes + - apache_volume + notify: restart munin-node + tags: + - apache + - munin From 17bdfc8fef199e59e34e3bed232f5aa829d39d49 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 12 Aug 2017 12:51:28 -0400 Subject: [PATCH 152/277] apache: cleanup log2mail tasks --- apache/defaults/main.yml | 1 + apache/tasks/log2mail.yml | 15 +++++++++++++++ apache/tasks/main.yml | 16 +++------------- 3 files changed, 19 insertions(+), 13 deletions(-) create mode 100644 apache/tasks/log2mail.yml diff --git a/apache/defaults/main.yml b/apache/defaults/main.yml index d7d5fb25..6b28d670 100644 --- a/apache/defaults/main.yml +++ b/apache/defaults/main.yml @@ -13,6 +13,7 @@ apache_phpmyadmin_set: False apache_phpmyadmin_suffix: "" apache_serverstatus_suffix: "" +apache_log2mail_include: True apache_munin_include: True general_alert_email: "root@localhost" diff --git a/apache/tasks/log2mail.yml b/apache/tasks/log2mail.yml new file mode 100644 index 00000000..894ff039 --- /dev/null +++ b/apache/tasks/log2mail.yml @@ -0,0 +1,15 @@ +--- + +- name: log2mail is installed + apt: + name: log2mail + state: present + +- name: Add log2mail config for Apache segfaults + template: + src: log2mail-apache.j2 + dest: "/etc/log2mail/config/apache" + owner: log2mail + group: adm + mode: "0644" + force: no diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index 3ba54c7e..a3ff8cfd 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -139,19 +139,6 @@ - include: phpmyadmin.yml when: apache_phpmyadmin_set and _default_index.stat.exists -- name: Check if log2mail is installed - apt: - name: log2mail - state: present - -- name: Add log2mail config for Apache segfaults - template: - src: log2mail-apache.j2 - dest: "/etc/log2mail/config/apache" - owner: log2mail - group: adm - mode: "0644" - force: no # - block: # - name: generate random string for serverstatus suffix @@ -170,5 +157,8 @@ # regexp: '__SERVERSTATUS_SUFFIX__' # replace: "{{ apache_serverstatus_suffix }}" +- include: log2mail.yml + when: apache_log2mail_include + - include: munin.yml when: apache_munin_include From 1896e531cbf35ef68a4830b02c9866313919c1fe Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 12 Aug 2017 15:45:54 -0400 Subject: [PATCH 153/277] evoadmin: use variables in template --- evoadmin/defaults/main.yml | 10 ++++++++++ evoadmin/templates/web-mail.tpl.j2 | 28 ++++++++++++++-------------- 2 files changed, 24 insertions(+), 14 deletions(-) diff --git a/evoadmin/defaults/main.yml b/evoadmin/defaults/main.yml index 35cdcb6c..cdf309a3 100644 --- a/evoadmin/defaults/main.yml +++ b/evoadmin/defaults/main.yml @@ -12,3 +12,13 @@ evoadmin_username: evoadmin evoadmin_ssl_subject: "/CN={{ evoadmin_host }}" evoadmin_enable_vhost: True + +evoadmin_tpl_servername: "{{ ansible_fqdn }}" +evoadmin_tpl_address: "{{ ansible_default_ipv4.address }}" +evoadmin_tpl_phpmyadmin_url: Null +evoadmin_tpl_cgi_suffix: Null +evoadmin_tpl_signature: evoadmin +evoadmin_tpl_mail_from: root@localhost +evoadmin_tpl_mail_bcc: Null +evoadmin_tpl_mail_standard: "{{ general_alert_email }}" +evoadmin_tpl_mail_urgent: "{{ general_alert_email }}" diff --git a/evoadmin/templates/web-mail.tpl.j2 b/evoadmin/templates/web-mail.tpl.j2 index 82d4f67d..262995c3 100644 --- a/evoadmin/templates/web-mail.tpl.j2 +++ b/evoadmin/templates/web-mail.tpl.j2 @@ -1,6 +1,6 @@ -From: %MAIL_FROM% +From: {{ evoadmin_tpl_mail_from }} To: RCPTTO -Bcc: %MAIL_BCC% +Bcc: {{ evoadmin_tpl_mail_bcc }} Subject: Parametres hebergement web : LOGIN Bonjour, @@ -11,7 +11,7 @@ Votre compte d'hebergement web a ete cree. * CONNEXION SFTP/SSH ********************************** -NOM DU SERVEUR : %SERVER_NAME% +NOM DU SERVEUR : {{ evoadmin_tpl_servername }} USER : LOGIN PASSWORD : PASSE1 @@ -20,10 +20,10 @@ PASSWORD : PASSE1 ***************************************** URL du site : -http://SERVERNAME +http://{{ evoadmin_tpl_servername }} URL des stats : -http://SERVERNAME/cgi-RANDOM/awstats.pl +http://{{ evoadmin_tpl_servername }}/cgi-RANDOM/awstats.pl (acces par IP ou login a demander !) Repertoire de connexion : HOME_DIR/LOGIN/ @@ -47,20 +47,20 @@ USER : LOGIN PASSWORD : PASSE2 NOM BASE : DBNAME URL interface d'admin : -%PMA_URL% +{{ evoadmin_tpl_phpmyadmin_url }} *********************************** * Rappels divers *********************************** Votre nom de domaine doit etre configure pour pointer -sur l'adresse IP %SERVER_ADDR% (enregistrement DNS A) -ou etre un alias de %SERVER_NAME% (enregistrement DNS CNAME). +sur l'adresse IP {{ evoadmin_tpl_address }} (enregistrement DNS A) +ou etre un alias de {{ evoadmin_tpl_servername }} (enregistrement DNS CNAME). Si vous avez besoin de faire des tests, vous devez ajouter la ligne suivante au fichier "/etc/hosts" sous Linux/Unix ou au fichier "system32\drivers\etc\hosts" sous Windows NT/XP : -%SERVER_ADDR% SERVERNAME +{{ evoadmin_tpl_address }} {{ evoadmin_tpl_servername }} Attention, par defaut, toutes les connexions vers l'exterieur sont bloquees. Si vous avez besoin de recuperer des donnees @@ -71,16 +71,16 @@ Afin de securiser au maximum le serveur, certaines URL particulieres sont non autorisees pour eviter diverses attaques (XSS, robots, trojans, injections, etc.). Exemple d'URL refusee : -http://SERVERNAME/cmd32.exe +http://{{ evoadmin_tpl_servername }}/cmd32.exe En cas de soucis avec votre application, prevenez-nous. Si vous desirez mettre en place des parametres particuliers -pour votre site (PHP, etc.) ou pour tout autre demande (scripts en crontab, +pour votre site (PHP, etc.) ou pour tout autre demande (scripts en crontab, etc.), n'hesitez pas a nous contacter a l'adresse -%MAIL_STANDARD% (ou %MAIL_URGENT% si votre demande est +{{ evoadmin_tpl_mail_standard }} (ou {{ evoadmin_tpl_mail_urgent }} si votre demande est urgente). Cordialement, --- -%FOOTER% \ No newline at end of file +-- +{{ evoadmin_tpl_signature }} From 3b68fe074f4a6cc5c480cd2df055b6fd8bf93645 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Mon, 14 Aug 2017 12:51:15 +0200 Subject: [PATCH 154/277] Install, contributions and workflow documentation --- README.md | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) diff --git a/README.md b/README.md index f8a280c8..c5ca1fef 100644 --- a/README.md +++ b/README.md @@ -5,6 +5,56 @@ A repository for Ansible roles used by Evolix. It contains only roles, everything else is available at https://forge.evolix.org/projects/ansible-public +## Branches + The **stable** branch contains roles that we consider ready for production. The **unstable** branch contains not sufficiently tested roles (or evolutions on existing roles) that we don't consider ready for production yet. + +Many feature branches may exist in the repository. They represent "work in progress". They may be used, for testing purposes. + +## Install and usage + +First, check-out the repository : + +``` +$ cd ~/GIT/ +$ git clone https://forge.evolix.org/projects/ansible-roles +``` + +Then, add its path to your ansible load path : + +``` +$ vim ~/.ansible.cfg +[defaults] +roles_path = $HOME/GIT/ansible-roles +``` + +Then, include roles in your playbooks : + +``` +- hosts: all + gather_facts: yes + become: yes + roles: + - etc-git + - evolinux-base +``` + +## Contributing + +Contributions are welcome, especially bug fixes and "ansible good practices". They will be merged in if they are consistent with our conventions and use cases. They might be rejected if they introduce complexity, cover features we don't need or don't fit "style". + +Before starting anything of importance, we suggest contacting us to discuss what you'd like to add or change. + +Our conventions are available in the "ansible-public":https://forge.evolix.org/projects/ansible-public repository, in the CONVENTIONS.md file. + +## Workflow + +The ideal and most typical workflow is to create a branch, based on the "unstable" branch. The branch should have a descriptive name (a ticket/issue number is great). The branch can be treated as a pull-request or merge-request. It should be propery tested and reviewed before merging into "unstable". + +Changes that don't introduce significant changes — or that must go faster that the typical workflow — can be commited directly into "unstable". + +Hotfixes, can be prepared on a new branch, based on "stable" or "unstable" (to be decided by the author). When ready, it can be merged back to "stable" for immediate deployment and to "unstable" for proper backporting. + +Other workflow are not forbidden, but should be discussed in advance. From 29e1c3053f69f83b18d97205c01d461953e70c3f Mon Sep 17 00:00:00 2001 From: Romain Dessort Date: Mon, 14 Aug 2017 11:03:21 -0400 Subject: [PATCH 155/277] TMOUT is now set in /etc/profile.d/evolinux.sh --- evocheck/files/evocheck.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index b972d8be..1f5262e9 100644 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -220,7 +220,7 @@ if [ -e /etc/debian_version ]; then fi if [ "$IS_TMOUTPROFILE" = 1 ]; then - grep -q TMOUT= /etc/profile || echo 'IS_TMOUTPROFILE FAILED!' + grep -q TMOUT= /etc/profile /etc/profile.d/evolinux.sh || echo 'IS_TMOUTPROFILE FAILED!' fi if [ "$IS_ALERT5BOOT" = 1 ]; then From 48b4238a88fc563c6944e87fe53f892c24ad3207 Mon Sep 17 00:00:00 2001 From: Romain Dessort Date: Mon, 14 Aug 2017 11:06:12 -0400 Subject: [PATCH 156/277] Make git commit task not to fail if user.email is undefined --- etc-git/tasks/commit.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/etc-git/tasks/commit.yml b/etc-git/tasks/commit.yml index 31746443..3d0562c9 100644 --- a/etc-git/tasks/commit.yml +++ b/etc-git/tasks/commit.yml @@ -22,10 +22,11 @@ repo: /etc scope: local register: git_config_user_email + ignore_errors: yes - name: set commit author set_fact: - etc_git_commit_options: "{% if ansible_env.SUDO_USER %} --author \"{{ ansible_env.SUDO_USER }} <{{ git_config_user_email.config_value }}>\"{% endif %}" + etc_git_commit_options: "{% if ansible_env.SUDO_USER %} --author \"{{ ansible_env.SUDO_USER }} <{{ git_config_user_email.config_value |default()}}>\"{% endif %}" - name: /etc modifications are committed shell: "git add -A . && git commit -m \"{{ commit_message | mandatory }}\"{{ etc_git_commit_options }}" From 94223e54a0369f0f372b4ad792d4c030f21f4843 Mon Sep 17 00:00:00 2001 From: Romain Dessort Date: Mon, 14 Aug 2017 11:17:59 -0400 Subject: [PATCH 157/277] apt-listchanges is not installed anymore --- evocheck/files/evocheck.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index 1f5262e9..4c08b930 100644 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -204,7 +204,7 @@ if [ -e /etc/debian_version ]; then fi if [ "$IS_LISTCHANGESCONF" = 1 ]; then - egrep "(which=both|confirm=1)" /etc/apt/listchanges.conf | wc -l | grep -q ^2$ || echo 'IS_LISTCHANGESCONF FAILED!' + is_debianversion stretch || ( test -e /etc/apt/listchanges.conf && egrep "(which=both|confirm=1)" /etc/apt/listchanges.conf | wc -l | grep -q ^2$ || echo 'IS_LISTCHANGESCONF FAILED!' ) fi if [ "$IS_CUSTOMCRONTAB" = 1 ]; then From 35198325c4e9ebefcbbeaf5b0278c23536da2a89 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Thu, 17 Aug 2017 14:47:37 +0200 Subject: [PATCH 158/277] Verify if login exists --- admin-users/tasks/user.yml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/admin-users/tasks/user.yml b/admin-users/tasks/user.yml index 7de5b778..b36f6eb6 100644 --- a/admin-users/tasks/user.yml +++ b/admin-users/tasks/user.yml @@ -1,5 +1,12 @@ --- +- name: "Test if '{{ user.name }}' exists" + command: 'getent passwd {{ user.name }}' + register: loginisbusy + failed_when: False + changed_when: False + check_mode: no + - name: "Test if uid exists for '{{ user.name }}'" command: 'getent passwd {{ user.uid }}' register: uidisbusy @@ -16,7 +23,7 @@ shell: /bin/bash password: '{{ user.password_hash }}' update_password: on_create - when: uidisbusy.rc != 0 + when: loginisbusy.rc != 0 and uidisbusy.rc != 0 - name: "Add Unix account with random uid for '{{ user.name }}'" user: @@ -26,7 +33,7 @@ shell: /bin/bash password: '{{ user.password_hash }}' update_password: on_create - when: uidisbusy.rc == 0 + when: loginisbusy.rc != 0 and uidisbusy.rc == 0 - name: "Create {{ admin_users_group }}" group: From 463ae9750858d7f851090be01654025254c022a9 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Thu, 17 Aug 2017 14:50:34 +0200 Subject: [PATCH 159/277] proftpd role : add TimesGMT option to off to conform to https://wiki.evolix.org/HowtoProFTPD (thanks to jdubois) --- proftpd/templates/evolinux.conf.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/proftpd/templates/evolinux.conf.j2 b/proftpd/templates/evolinux.conf.j2 index 2b62e1c0..d6e8b565 100644 --- a/proftpd/templates/evolinux.conf.j2 +++ b/proftpd/templates/evolinux.conf.j2 @@ -14,6 +14,7 @@ MaxClientsPerHost 20 PassivePorts 60000 61000 UseReverseDNS off IdentLookups off +TimesGMT off # Local permissions DefaultRoot ~ From e5e44d5bc1b91acb3ba460b79956d37e8111206f Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Fri, 18 Aug 2017 02:31:41 +0200 Subject: [PATCH 160/277] standard Evolix name is /etc/apache2/ipaddr_whitelist.conf cf https://wiki.evolix.org/HowtoApache --- apache/tasks/auth.yml | 10 ++++----- apache/templates/evolinux-default.conf.j2 | 26 +++++++++++------------ 2 files changed, 18 insertions(+), 18 deletions(-) diff --git a/apache/tasks/auth.yml b/apache/tasks/auth.yml index 32b9966a..0f550a3c 100644 --- a/apache/tasks/auth.yml +++ b/apache/tasks/auth.yml @@ -1,9 +1,9 @@ --- -- name: Init private_ipaddr_whitelist.conf file +- name: Init ipaddr_whitelist.conf file copy: src: private_ipaddr_whitelist.conf - dest: /etc/apache2/private_ipaddr_whitelist.conf + dest: /etc/apache2/ipaddr_whitelist.conf owner: root group: root mode: "0640" @@ -13,7 +13,7 @@ - name: add IP addresses to private IP whitelist lineinfile: - dest: /etc/apache2/private_ipaddr_whitelist.conf + dest: /etc/apache2/ipaddr_whitelist.conf line: "Require ip {{ item }}" state: present with_items: "{{ apache_private_ipaddr_whitelist_present }}" @@ -23,7 +23,7 @@ - name: remove IP addresses from private IP whitelist lineinfile: - dest: /etc/apache2/private_ipaddr_whitelist.conf + dest: /etc/apache2/ipaddr_whitelist.conf line: "Require ip {{ item }}" state: absent with_items: "{{ apache_private_ipaddr_whitelist_absent }}" @@ -34,7 +34,7 @@ - name: include private IP whitelist for server-status lineinfile: dest: /etc/apache2/mods-available/status.conf - line: " include /etc/apache2/private_ipaddr_whitelist.conf" + line: " include /etc/apache2/ipaddr_whitelist.conf" insertafter: 'SetHandler server-status' state: present tags: diff --git a/apache/templates/evolinux-default.conf.j2 b/apache/templates/evolinux-default.conf.j2 index a1f681e4..a53d3c9f 100644 --- a/apache/templates/evolinux-default.conf.j2 +++ b/apache/templates/evolinux-default.conf.j2 @@ -5,24 +5,24 @@ DocumentRoot /var/www/ - Include /etc/apache2/private_ipaddr_whitelist.conf + Include /etc/apache2/ipaddr_whitelist.conf Options -Indexes Require all denied - Include /etc/apache2/private_ipaddr_whitelist.conf + Include /etc/apache2/ipaddr_whitelist.conf # Munin. We need to set Directory directive as Alias take precedence. Alias /munin /var/cache/munin/www Require all denied - Include /etc/apache2/private_ipaddr_whitelist.conf + Include /etc/apache2/ipaddr_whitelist.conf Options -Indexes Require all denied - Include /etc/apache2/private_ipaddr_whitelist.conf + Include /etc/apache2/ipaddr_whitelist.conf # For CGI Scripts. We need to set Directory directive as ScriptAlias take precedence. @@ -30,7 +30,7 @@ Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch Require all denied - Include /etc/apache2/private_ipaddr_whitelist.conf + Include /etc/apache2/ipaddr_whitelist.conf CustomLog /var/log/apache2/access.log vhost_combined @@ -53,7 +53,7 @@ SetHandler server-status - include /etc/apache2/private_ipaddr_whitelist.conf + include /etc/apache2/ipaddr_whitelist.conf Require local @@ -68,12 +68,12 @@ DocumentRoot /var/www/ - Include /etc/apache2/private_ipaddr_whitelist.conf + Include /etc/apache2/ipaddr_whitelist.conf Options -Indexes Require all denied - Include /etc/apache2/private_ipaddr_whitelist.conf + Include /etc/apache2/ipaddr_whitelist.conf SSLEngine on @@ -83,19 +83,19 @@ # We override these 2 Directory directives setted in apache2.conf. # We want no access except from allowed IP address. - Include /etc/apache2/private_ipaddr_whitelist.conf + Include /etc/apache2/ipaddr_whitelist.conf # Munin. We need to set Directory directive as Alias take precedence. Alias /munin /var/cache/munin/www Require all denied - Include /etc/apache2/private_ipaddr_whitelist.conf + Include /etc/apache2/ipaddr_whitelist.conf Options -Indexes Require all denied - Include /etc/apache2/private_ipaddr_whitelist.conf + Include /etc/apache2/ipaddr_whitelist.conf # For CGI Scripts. We need to set Directory directive as ScriptAlias take precedence. @@ -103,7 +103,7 @@ Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch Require all denied - Include /etc/apache2/private_ipaddr_whitelist.conf + Include /etc/apache2/ipaddr_whitelist.conf CustomLog /var/log/apache2/access.log vhost_combined @@ -113,7 +113,7 @@ SetHandler server-status - include /etc/apache2/private_ipaddr_whitelist.conf + include /etc/apache2/ipaddr_whitelist.conf Require local From bcd333aaa9cdd063b8c82cbccd556c881a679ab1 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Fri, 18 Aug 2017 02:58:26 +0200 Subject: [PATCH 161/277] ansible-roles is now only-Linux compatible, and add precision for compatibility (Debian 9 and accidentally Debian 8) --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index c5ca1fef..966c4a70 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,7 @@ # Ansible-roles -A repository for Ansible roles used by Evolix. +A repository for Ansible roles used by Evolix on Debian GNU/Linux 9 (stretch) servers. +Few roles are also be compatible with Debian GNU/Linux 8 (jessie) servers. It contains only roles, everything else is available at https://forge.evolix.org/projects/ansible-public From 2bb7367edfdf863a8b90734f6e848c10a7d153e2 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Fri, 18 Aug 2017 03:31:46 +0200 Subject: [PATCH 162/277] standardization for Debian versions : we use "jessie" or "9 or later" to prepare buster smoothly as possible --- admin-users/tasks/sudo.yml | 2 +- admin-users/tasks/user.yml | 4 ++-- apache/tasks/main.yml | 4 ++-- evoacme/tasks/certbot.yml | 2 +- evoadmin/tasks/web.yml | 2 +- evolinux-base/tasks/packages.yml | 5 ++++- jenkins/tasks/main.yml | 4 ++-- mongodb/tasks/main.yml | 4 ++-- mysql/tasks/main.yml | 4 ++-- newrelic/tasks/sources.yml | 4 ++-- nginx/tasks/main_regular.yml | 2 +- packweb-apache/tasks/main.yml | 2 +- php-fpm/tasks/main.yml | 8 ++++++-- 13 files changed, 27 insertions(+), 20 deletions(-) diff --git a/admin-users/tasks/sudo.yml b/admin-users/tasks/sudo.yml index 793e67d5..f8daf81f 100644 --- a/admin-users/tasks/sudo.yml +++ b/admin-users/tasks/sudo.yml @@ -22,5 +22,5 @@ validate: '/usr/sbin/visudo -cf %s' when: - ansible_distribution == "Debian" - - ansible_distribution_major_version | version_compare('9', '<') + - ansible_distribution_release == "jessie" - not copy_sudoers_evolinux.changed diff --git a/admin-users/tasks/user.yml b/admin-users/tasks/user.yml index b36f6eb6..ba72b388 100644 --- a/admin-users/tasks/user.yml +++ b/admin-users/tasks/user.yml @@ -39,12 +39,12 @@ group: name: "{{ admin_users_group }}" -- name: "Add user to sudo group (Stretch)" +- name: "Add user to sudo group (Debian 9 or later)" user: name: '{{ user.name }}' groups: 'sudo,{{ admin_users_group }}' append: yes - when: ansible_distribution_release == "stretch" + when: ansible_distribution_major_version | version_compare('9', '>=') - name: "Fix perms on homedirectory for '{{ user.name }}'" file: diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index a3ff8cfd..c9d60dc5 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -1,6 +1,6 @@ --- -- name: packages are installed (stretch) +- name: packages are installed (Debian 9 or later) apt: name: '{{ item }}' state: present @@ -13,7 +13,7 @@ tags: - apache - packages - when: ansible_distribution_release == "stretch" + when: ansible_distribution_major_version | version_compare('9', '>=') - name: packages are installed (jessie) apt: diff --git a/evoacme/tasks/certbot.yml b/evoacme/tasks/certbot.yml index eae7ba86..526fbb07 100644 --- a/evoacme/tasks/certbot.yml +++ b/evoacme/tasks/certbot.yml @@ -65,7 +65,7 @@ squid_service_name: squid3 when: - ansible_distribution == "Debian" - - ansible_distribution_major_version | version_compare('9', '<') + - ansible_distribution_release == "jessie" - name: Let's Encrypt OCSP server is authorized by squid lineinfile: diff --git a/evoadmin/tasks/web.yml b/evoadmin/tasks/web.yml index 7cf6c9d2..87237248 100644 --- a/evoadmin/tasks/web.yml +++ b/evoadmin/tasks/web.yml @@ -16,7 +16,7 @@ option: "disable_functions" value: "shell-exec,system,passthru,putenv,popen" notify: reload apache - when: ansible_distribution_release == "stretch" + when: ansible_distribution_major_version | version_compare('9', '>=') - name: Install evoadmin VHost template: diff --git a/evolinux-base/tasks/packages.yml b/evolinux-base/tasks/packages.yml index 399f3f8f..b8c6576a 100644 --- a/evolinux-base/tasks/packages.yml +++ b/evolinux-base/tasks/packages.yml @@ -109,6 +109,9 @@ with_items: - { option: "confirm", value: "1" } - { option: "which", value: "both" } - when: evolinux_packages_listchanges and ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('9', '<') + when: + - evolinux_packages_listchanges + - ansible_distribution == "Debian" + - ansible_distribution_release == "jessie" - meta: flush_handlers diff --git a/jenkins/tasks/main.yml b/jenkins/tasks/main.yml index 70f6771d..83d3ec92 100644 --- a/jenkins/tasks/main.yml +++ b/jenkins/tasks/main.yml @@ -11,12 +11,12 @@ check_mode: no register: squid_whitelist_files -- name: set squid_service_name=squid3 for Debian < 9 +- name: set squid_service_name=squid3 for Debian 8 set_fact: squid_service_name: squid3 when: - ansible_distribution == "Debian" - - ansible_distribution_major_version | version_compare('9', '<') + - ansible_distribution_release == "jessie" - name: Append packages.dotdeb.org to Squid whitelist lineinfile: diff --git a/mongodb/tasks/main.yml b/mongodb/tasks/main.yml index f659df2d..f222c799 100644 --- a/mongodb/tasks/main.yml +++ b/mongodb/tasks/main.yml @@ -7,12 +7,12 @@ check_mode: no register: squid_whitelist_files -- name: set squid_service_name=squid3 for Debian < 9 +- name: set squid_service_name=squid3 for Debian 8 set_fact: squid_service_name: squid3 when: - ansible_distribution == "Debian" - - ansible_distribution_major_version | version_compare('9', '<') + - ansible_distribution_release == "jessie" - name: Append packages.dotdeb.org to Squid whitelist lineinfile: diff --git a/mysql/tasks/main.yml b/mysql/tasks/main.yml index be64360c..d6892fef 100644 --- a/mysql/tasks/main.yml +++ b/mysql/tasks/main.yml @@ -1,13 +1,13 @@ --- - include: packages_stretch.yml - when: ansible_distribution_release == "stretch" + when: ansible_distribution_major_version | version_compare('9', '>=') - include: packages_jessie.yml when: ansible_distribution_release == "jessie" - include: users_stretch.yml - when: ansible_distribution_release == "stretch" + when: ansible_distribution_major_version | version_compare('9', '>=') - include: users_jessie.yml when: ansible_distribution_release == "jessie" diff --git a/newrelic/tasks/sources.yml b/newrelic/tasks/sources.yml index cdcf5dc2..551fc8b5 100644 --- a/newrelic/tasks/sources.yml +++ b/newrelic/tasks/sources.yml @@ -5,12 +5,12 @@ # url: https://download.newrelic.com/548C16BF.gpg data: "{{ lookup('file', '548C16BF.gpg') }}" -- name: set squid_service_name=squid3 for Debian < 9 +- name: set squid_service_name=squid3 for Debian 8 set_fact: squid_service_name: squid3 when: - ansible_distribution == "Debian" - - ansible_distribution_major_version | version_compare('9', '<') + - ansible_distribution_release == "jessie" - name: Find squid config whitelist shell: find /etc/{{ squid_service_name | default('squid') }}/whitelist-custom.conf /etc/{{ squid_service_name | default('squid') }}/whitelist.conf 2> /dev/null diff --git a/nginx/tasks/main_regular.yml b/nginx/tasks/main_regular.yml index bc58503b..74580972 100644 --- a/nginx/tasks/main_regular.yml +++ b/nginx/tasks/main_regular.yml @@ -4,7 +4,7 @@ when: ansible_distribution_release == "jessie" - include: packages_stretch.yml - when: ansible_distribution_release == "stretch" + when: ansible_distribution_major_version | version_compare('9', '>=') # TODO: find a way to override the main configuration # without touching the main file diff --git a/packweb-apache/tasks/main.yml b/packweb-apache/tasks/main.yml index 17e3909c..1aefaa7b 100644 --- a/packweb-apache/tasks/main.yml +++ b/packweb-apache/tasks/main.yml @@ -42,7 +42,7 @@ when: ansible_distribution_release == "jessie" - include: php.yml - when: ansible_distribution_release == "stretch" + when: ansible_distribution_major_version | version_compare('9', '>=') - include: phpmyadmin.yml diff --git a/php-fpm/tasks/main.yml b/php-fpm/tasks/main.yml index f05ae125..de12d1a7 100644 --- a/php-fpm/tasks/main.yml +++ b/php-fpm/tasks/main.yml @@ -2,7 +2,9 @@ apt: name: php5-fpm state: present - when: ansible_distribution_major_version | version_compare('8', '<=') + when: + - ansible_distribution == "Debian" + - ansible_distribution_release == "jessie" tags: - php-fpm @@ -10,6 +12,8 @@ apt: name: php-fpm state: present - when: ansible_distribution_major_version | version_compare('9', '>=') + when: + - ansible_distribution == "Debian" + - ansible_distribution_major_version | version_compare('9', '>=') tags: - php-fpm From d82b12b6146cade2945b672a8a7374c29810c837 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Fri, 18 Aug 2017 04:13:56 +0200 Subject: [PATCH 163/277] fail when evolinux_ssh_password_auth_addresses is empty instead of Ansible crash (like for minifirewall) --- evolinux-base/tasks/ssh.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/evolinux-base/tasks/ssh.yml b/evolinux-base/tasks/ssh.yml index 6f79c982..9326b13c 100644 --- a/evolinux-base/tasks/ssh.yml +++ b/evolinux-base/tasks/ssh.yml @@ -1,5 +1,9 @@ --- +- fail: + msg: You must provide at least 1 ssh trusted IP + when: evolinux_ssh_password_auth_addresses == [] + - name: Security directives for Evolinux blockinfile: dest: /etc/ssh/sshd_config From 2fd165a465868d6392591223a5f0361efc74eb07 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Fri, 18 Aug 2017 04:18:52 +0200 Subject: [PATCH 164/277] fix error in handler call --- apache/tasks/munin.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apache/tasks/munin.yml b/apache/tasks/munin.yml index 85f0b386..42914d3e 100644 --- a/apache/tasks/munin.yml +++ b/apache/tasks/munin.yml @@ -17,7 +17,7 @@ - apache_accesses - apache_processes - apache_volume - notify: restart munin-node + notify: reload munin-node tags: - apache - munin From 8dbe8bf4ac237c7a5bfdb06adbe6e59ac4dd1f48 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Fri, 18 Aug 2017 05:05:17 +0200 Subject: [PATCH 165/277] Quick fix because MySQL install doesn't work anymore on Stretch --- mysql/tasks/packages_stretch.yml | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/mysql/tasks/packages_stretch.yml b/mysql/tasks/packages_stretch.yml index d5645bea..d625f691 100644 --- a/mysql/tasks/packages_stretch.yml +++ b/mysql/tasks/packages_stretch.yml @@ -1,21 +1,13 @@ --- -- name: Choose packages - set_fact: - mysql_packages: "{{ item }}" - with_items: - - mariadb-server - - mariadb-client - tags: - - mysql - - packages - - name: Install MySQL packages apt: name: '{{ item }}' update_cache: yes state: present - with_items: "{{ mysql_packages }}" + with_items: + - mariadb-server + - mariadb-client tags: - mysql - packages From a95d7893c50e86435f568dbd4705c5d81c3a38ee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beno=C3=AEt=20S=C3=89RIE?= Date: Fri, 18 Aug 2017 14:37:18 +0200 Subject: [PATCH 166/277] Add a comment about AcceptEnv --- evolinux-base/tasks/ssh.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/evolinux-base/tasks/ssh.yml b/evolinux-base/tasks/ssh.yml index 9326b13c..b9cfd9e6 100644 --- a/evolinux-base/tasks/ssh.yml +++ b/evolinux-base/tasks/ssh.yml @@ -59,6 +59,8 @@ notify: reload sshd when: evolinux_ssh_disable_root +# We disable AcceptEnv because it can be a security issue, but also because we +# do not want clients to push their environment variables like LANG. - name: disable AcceptEnv in ssh config replace: dest: /etc/ssh/sshd_config From f0ced31efa202571fbecde85b0e52de9c3bee2d9 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Fri, 18 Aug 2017 15:18:06 +0200 Subject: [PATCH 167/277] review default vars --- apt/defaults/main.yml | 1 + munin/defaults/main.yml | 1 - munin/templates/munin.conf.j2 | 2 +- mysql/defaults/main.yml | 2 +- nagios-nrpe/defaults/main.yml | 2 +- 5 files changed, 4 insertions(+), 4 deletions(-) diff --git a/apt/defaults/main.yml b/apt/defaults/main.yml index 671bc8b2..9e01a74e 100644 --- a/apt/defaults/main.yml +++ b/apt/defaults/main.yml @@ -1,3 +1,4 @@ +--- apt_install_basics: True apt_basics_components: "main" diff --git a/munin/defaults/main.yml b/munin/defaults/main.yml index 005a7989..ed97d539 100644 --- a/munin/defaults/main.yml +++ b/munin/defaults/main.yml @@ -1,2 +1 @@ --- -munin_dir: /home/www/munin diff --git a/munin/templates/munin.conf.j2 b/munin/templates/munin.conf.j2 index 6c837aa3..27e9c97e 100644 --- a/munin/templates/munin.conf.j2 +++ b/munin/templates/munin.conf.j2 @@ -6,7 +6,7 @@ # defaulted to the values you see here. # #dbdir /var/db/munin -htmldir {{ munin_dir }} +#htmldir /var/cache/munin/www #logdir /var/log/munin #rundir /var/run/munin diff --git a/mysql/defaults/main.yml b/mysql/defaults/main.yml index b84e59ec..d56e5999 100644 --- a/mysql/defaults/main.yml +++ b/mysql/defaults/main.yml @@ -2,7 +2,7 @@ general_alert_email: "root@localhost" log2mail_alert_email: Null -general_scripts_dir: "/usr/local/bin" +general_scripts_dir: "/usr/share/scripts" mysql_scripts_dir: Null mysql_variant: oracle diff --git a/nagios-nrpe/defaults/main.yml b/nagios-nrpe/defaults/main.yml index f1a4731b..c9ee2603 100644 --- a/nagios-nrpe/defaults/main.yml +++ b/nagios-nrpe/defaults/main.yml @@ -5,6 +5,6 @@ nagios_nrpe_ldap_passwd: LDAP_PASSWD nagios_nrpe_pgsql_passwd: PGSQL_PASSWD nagios_nrpe_amavis_from: "foobar@{{ ansible_domain }}" -nagios_nrpe_check_proxy_host: "www.debian.org" +nagios_nrpe_check_proxy_host: "www.example.com" nagios_plugins_directory: "/usr/local/lib/nagios/plugins" From ab08969cfb1097595c7519a6aab600023d180ff9 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Tue, 22 Aug 2017 00:29:29 +0200 Subject: [PATCH 168/277] We decided a new policy for sudo in stretch because our previous stretch policy is buggy --- admin-users/tasks/user.yml | 11 +++++++++-- admin-users/templates/sudoers_stretch.j2 | 3 ++- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/admin-users/tasks/user.yml b/admin-users/tasks/user.yml index ba72b388..604af57c 100644 --- a/admin-users/tasks/user.yml +++ b/admin-users/tasks/user.yml @@ -35,14 +35,21 @@ update_password: on_create when: loginisbusy.rc != 0 and uidisbusy.rc == 0 -- name: "Create {{ admin_users_group }}" +- name: "Create evolinux-sudo group" + group: + name: evolinux-sudo + system: yes + when: ansible_distribution_major_version | version_compare('9', '>=') + +- name: "Create {{ admin_users_group }} group" group: name: "{{ admin_users_group }}" + when: ansible_distribution_major_version | version_compare('9', '>=') - name: "Add user to sudo group (Debian 9 or later)" user: name: '{{ user.name }}' - groups: 'sudo,{{ admin_users_group }}' + groups: 'evolinux-sudo,{{ admin_users_group }}' append: yes when: ansible_distribution_major_version | version_compare('9', '>=') diff --git a/admin-users/templates/sudoers_stretch.j2 b/admin-users/templates/sudoers_stretch.j2 index 5332395c..8de1bbc6 100644 --- a/admin-users/templates/sudoers_stretch.j2 +++ b/admin-users/templates/sudoers_stretch.j2 @@ -5,4 +5,5 @@ Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt -%sudo ALL = NOPASSWD: MAINT +%evolinux-sudo ALL=(ALL:ALL) ALL +%evolinux-sudo ALL = NOPASSWD: MAINT From 606f3a14f5f8b5e50a705603ecbae15920d2909d Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Tue, 22 Aug 2017 01:36:56 +0200 Subject: [PATCH 169/277] Move sudo stuff to sudo.yml --- admin-users/tasks/sudo.yml | 13 +++++++++++++ admin-users/tasks/user.yml | 13 ------------- 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/admin-users/tasks/sudo.yml b/admin-users/tasks/sudo.yml index f8daf81f..347a7f34 100644 --- a/admin-users/tasks/sudo.yml +++ b/admin-users/tasks/sudo.yml @@ -24,3 +24,16 @@ - ansible_distribution == "Debian" - ansible_distribution_release == "jessie" - not copy_sudoers_evolinux.changed + +- name: "Create evolinux-sudo group" + group: + name: evolinux-sudo + system: yes + when: ansible_distribution_major_version | version_compare('9', '>=') + +- name: "Add user to sudo group (Debian 9 or later)" + user: + name: '{{ user.name }}' + groups: 'evolinux-sudo,{{ admin_users_group }}' + append: yes + when: ansible_distribution_major_version | version_compare('9', '>=') diff --git a/admin-users/tasks/user.yml b/admin-users/tasks/user.yml index 604af57c..b0126ca8 100644 --- a/admin-users/tasks/user.yml +++ b/admin-users/tasks/user.yml @@ -35,24 +35,11 @@ update_password: on_create when: loginisbusy.rc != 0 and uidisbusy.rc == 0 -- name: "Create evolinux-sudo group" - group: - name: evolinux-sudo - system: yes - when: ansible_distribution_major_version | version_compare('9', '>=') - - name: "Create {{ admin_users_group }} group" group: name: "{{ admin_users_group }}" when: ansible_distribution_major_version | version_compare('9', '>=') -- name: "Add user to sudo group (Debian 9 or later)" - user: - name: '{{ user.name }}' - groups: 'evolinux-sudo,{{ admin_users_group }}' - append: yes - when: ansible_distribution_major_version | version_compare('9', '>=') - - name: "Fix perms on homedirectory for '{{ user.name }}'" file: name: '/home/{{ user.name }}' From 5226082db098267873f04ae5e48be43a7e4bac3a Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Tue, 22 Aug 2017 00:42:14 +0200 Subject: [PATCH 170/277] evolinux-base and admin-users are only compatible Debian >=8, declare once in main.yml and that's all (will be probably generalized to others modules if needed) --- admin-users/meta/main.yml | 1 + admin-users/tasks/main.yml | 6 ++++++ admin-users/tasks/sudo.yml | 1 - evolinux-base/tasks/main.yml | 7 +++++++ evolinux-base/tasks/packages.yml | 2 -- evolinux-base/tasks/ssh.yml | 4 +--- 6 files changed, 15 insertions(+), 6 deletions(-) diff --git a/admin-users/meta/main.yml b/admin-users/meta/main.yml index 7779f782..006768d3 100644 --- a/admin-users/meta/main.yml +++ b/admin-users/meta/main.yml @@ -12,6 +12,7 @@ galaxy_info: - name: Debian versions: - jessie + - stretch dependencies: [] # List your role dependencies here, one per line. diff --git a/admin-users/tasks/main.yml b/admin-users/tasks/main.yml index c7eeaf39..420c1427 100644 --- a/admin-users/tasks/main.yml +++ b/admin-users/tasks/main.yml @@ -1,5 +1,11 @@ --- +- fail: + msg: only compatible with Debian >= 8 + when: + - ansible_distribution == "Debian" + - ansible_distribution_major_version | version_compare('8', '<') + - debug: msg: "Warning: empty 'admin_users' variable, tasks will be skipped!" when: admin_users == {} diff --git a/admin-users/tasks/sudo.yml b/admin-users/tasks/sudo.yml index 347a7f34..2587e6d5 100644 --- a/admin-users/tasks/sudo.yml +++ b/admin-users/tasks/sudo.yml @@ -21,7 +21,6 @@ replace: '\1,{{ user.name }}' validate: '/usr/sbin/visudo -cf %s' when: - - ansible_distribution == "Debian" - ansible_distribution_release == "jessie" - not copy_sudoers_evolinux.changed diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml index 8514d7f0..1cc27278 100644 --- a/evolinux-base/tasks/main.yml +++ b/evolinux-base/tasks/main.yml @@ -1,4 +1,11 @@ --- + +- fail: + msg: only compatible with Debian >= 8 + when: + - ansible_distribution == "Debian" + - ansible_distribution_major_version | version_compare('8', '<') + - name: Hostname include: hostname.yml when: evolinux_hostname_include diff --git a/evolinux-base/tasks/packages.yml b/evolinux-base/tasks/packages.yml index b8c6576a..8089e397 100644 --- a/evolinux-base/tasks/packages.yml +++ b/evolinux-base/tasks/packages.yml @@ -79,7 +79,6 @@ - net-tools when: - evolinux_packages_stretch - - ansible_distribution == "Debian" - ansible_distribution_major_version | version_compare('9', '>=') - name: Customize logcheck recipient @@ -111,7 +110,6 @@ - { option: "which", value: "both" } when: - evolinux_packages_listchanges - - ansible_distribution == "Debian" - ansible_distribution_release == "jessie" - meta: flush_handlers diff --git a/evolinux-base/tasks/ssh.yml b/evolinux-base/tasks/ssh.yml index b9cfd9e6..f337f3ed 100644 --- a/evolinux-base/tasks/ssh.yml +++ b/evolinux-base/tasks/ssh.yml @@ -75,8 +75,6 @@ regexp: '^#?LogLevel [A-Z]+' replace: "LogLevel VERBOSE" notify: reload sshd - when: - - ansible_distribution == "Debian" - - ansible_distribution_major_version | version_compare('9', '>=') + when: ansible_distribution_major_version | version_compare('9', '>=') - meta: flush_handlers From bbdbd53cca747cccd5ec0c54492c021223dc753d Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Tue, 22 Aug 2017 00:48:17 +0200 Subject: [PATCH 171/277] Avoid using vars not well defined in src file name AND be compatible with Debian 10 --- admin-users/tasks/sudo.yml | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/admin-users/tasks/sudo.yml b/admin-users/tasks/sudo.yml index 2587e6d5..49b9c71e 100644 --- a/admin-users/tasks/sudo.yml +++ b/admin-users/tasks/sudo.yml @@ -1,20 +1,30 @@ --- -- name: Verify Evolinux sudoers file presence +- name: "Verify Evolinux sudoers file presence (jessie)" template: - src: sudoers_{{ ansible_distribution_release }}.j2 + src: sudoers_jessie.j2 dest: /etc/sudoers.d/evolinux force: no validate: '/usr/sbin/visudo -cf %s' register: copy_sudoers_evolinux + when: ansible_distribution_release == "jessie" -- name: Verify Evolinux sudoers file permissions +- name: "Verify Evolinux sudoers file presence (Debian 9 or later)" + template: + src: sudoers_stretch.j2 + dest: /etc/sudoers.d/evolinux + force: no + validate: '/usr/sbin/visudo -cf %s' + register: copy_sudoers_evolinux + when: ansible_distribution_major_version | version_compare('9', '>=') + +- name: "Verify Evolinux sudoers file permissions" file: path: /etc/sudoers.d/evolinux mode: "0440" state: file -- name: "Add user in sudoers file for '{{ user.name }}'" +- name: "Add user in sudoers file for '{{ user.name }}' (jessie)" replace: dest: /etc/sudoers.d/evolinux regexp: '^(User_Alias\s+ADMINS\s+=((?!{{ user.name }}).)*)$' @@ -24,7 +34,7 @@ - ansible_distribution_release == "jessie" - not copy_sudoers_evolinux.changed -- name: "Create evolinux-sudo group" +- name: "Create evolinux-sudo group (Debian 9 or later)" group: name: evolinux-sudo system: yes From 2d17c60f39c8b0df0c1b1149bdb460e3e504b1e1 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Tue, 22 Aug 2017 02:58:38 +0200 Subject: [PATCH 172/277] continuation of new policy for sudo in Debian 9 --- admin-users/tasks/sudo.yml | 4 ++-- admin-users/tasks/user.yml | 9 ++++++++- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/admin-users/tasks/sudo.yml b/admin-users/tasks/sudo.yml index 49b9c71e..e05ac614 100644 --- a/admin-users/tasks/sudo.yml +++ b/admin-users/tasks/sudo.yml @@ -40,9 +40,9 @@ system: yes when: ansible_distribution_major_version | version_compare('9', '>=') -- name: "Add user to sudo group (Debian 9 or later)" +- name: "Add user to evolinux-sudo group (Debian 9 or later)" user: name: '{{ user.name }}' - groups: 'evolinux-sudo,{{ admin_users_group }}' + groups: 'evolinux-sudo' append: yes when: ansible_distribution_major_version | version_compare('9', '>=') diff --git a/admin-users/tasks/user.yml b/admin-users/tasks/user.yml index b0126ca8..94f1a0c3 100644 --- a/admin-users/tasks/user.yml +++ b/admin-users/tasks/user.yml @@ -35,11 +35,18 @@ update_password: on_create when: loginisbusy.rc != 0 and uidisbusy.rc == 0 -- name: "Create {{ admin_users_group }} group" +- name: "Create {{ admin_users_group }} group (Debian 9 or later)" group: name: "{{ admin_users_group }}" when: ansible_distribution_major_version | version_compare('9', '>=') +- name: "Add user to {{ admin_users_group }} group (Debian 9 or later)" + user: + name: '{{ user.name }}' + groups: '{{ admin_users_group }}' + append: yes + when: ansible_distribution_major_version | version_compare('9', '>=') + - name: "Fix perms on homedirectory for '{{ user.name }}'" file: name: '/home/{{ user.name }}' From 9c406cc9bd75ca2af456152347f338b93d4cd6e9 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Tue, 22 Aug 2017 06:30:04 +0200 Subject: [PATCH 173/277] Fix "Unable to reload service munin-node: Failed to reload munin-node.service: Job type reload is not applicable for unit munin-node.service.\n" --- apache/handlers/main.yml | 4 ++-- apache/tasks/munin.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apache/handlers/main.yml b/apache/handlers/main.yml index 09fa8b02..96daa368 100644 --- a/apache/handlers/main.yml +++ b/apache/handlers/main.yml @@ -9,7 +9,7 @@ name: apache2 state: reloaded -- name: reload munin-node +- name: restart munin-node service: name: munin-node - state: reloaded + state: restarted diff --git a/apache/tasks/munin.yml b/apache/tasks/munin.yml index 42914d3e..85f0b386 100644 --- a/apache/tasks/munin.yml +++ b/apache/tasks/munin.yml @@ -17,7 +17,7 @@ - apache_accesses - apache_processes - apache_volume - notify: reload munin-node + notify: restart munin-node tags: - apache - munin From 30d9e826b8e666aef2e743b4d0db65194949bbc8 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Fri, 18 Aug 2017 12:21:20 +0200 Subject: [PATCH 174/277] rename php-fpm -> php --- {php-fpm => php}/.kitchen.yml | 0 {php-fpm => php}/README.md | 0 {php-fpm => php}/defaults/main.yml | 0 {php-fpm => php}/handlers/main.yml | 0 {php-fpm => php}/meta/main.yml | 0 {php-fpm => php}/tasks/main.yml | 0 {php-fpm => php}/tests/test.yml | 0 7 files changed, 0 insertions(+), 0 deletions(-) rename {php-fpm => php}/.kitchen.yml (100%) rename {php-fpm => php}/README.md (100%) rename {php-fpm => php}/defaults/main.yml (100%) rename {php-fpm => php}/handlers/main.yml (100%) rename {php-fpm => php}/meta/main.yml (100%) rename {php-fpm => php}/tasks/main.yml (100%) rename {php-fpm => php}/tests/test.yml (100%) diff --git a/php-fpm/.kitchen.yml b/php/.kitchen.yml similarity index 100% rename from php-fpm/.kitchen.yml rename to php/.kitchen.yml diff --git a/php-fpm/README.md b/php/README.md similarity index 100% rename from php-fpm/README.md rename to php/README.md diff --git a/php-fpm/defaults/main.yml b/php/defaults/main.yml similarity index 100% rename from php-fpm/defaults/main.yml rename to php/defaults/main.yml diff --git a/php-fpm/handlers/main.yml b/php/handlers/main.yml similarity index 100% rename from php-fpm/handlers/main.yml rename to php/handlers/main.yml diff --git a/php-fpm/meta/main.yml b/php/meta/main.yml similarity index 100% rename from php-fpm/meta/main.yml rename to php/meta/main.yml diff --git a/php-fpm/tasks/main.yml b/php/tasks/main.yml similarity index 100% rename from php-fpm/tasks/main.yml rename to php/tasks/main.yml diff --git a/php-fpm/tests/test.yml b/php/tests/test.yml similarity index 100% rename from php-fpm/tests/test.yml rename to php/tests/test.yml From 2e1deb3e93c6638c420377ff8075891b07bfcfe9 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Tue, 22 Aug 2017 05:57:19 +0200 Subject: [PATCH 175/277] write php role with https://wiki.evolix.org/HowtoPHP --- php/README.md | 4 +- php/defaults/main.yml | 3 ++ php/tasks/apache.yml | 59 +++++++++++++++++++++++++ php/tasks/fpm.yml | 90 +++++++++++++++++++++++++++++++++++++++ php/tasks/main.yml | 33 +++++++------- php/tasks/php_jessie.yml | 53 +++++++++++++++++++++++ php/tasks/php_stretch.yml | 54 +++++++++++++++++++++++ 7 files changed, 278 insertions(+), 18 deletions(-) create mode 100644 php/tasks/apache.yml create mode 100644 php/tasks/fpm.yml create mode 100644 php/tasks/php_jessie.yml create mode 100644 php/tasks/php_stretch.yml diff --git a/php/README.md b/php/README.md index bac322fe..e0a194ac 100644 --- a/php/README.md +++ b/php/README.md @@ -1,6 +1,6 @@ -# PHP-FPM +# PHP -Installation and basic configuration of php-fpm +Installation and basic configuration of PHP ## Tasks diff --git a/php/defaults/main.yml b/php/defaults/main.yml index ed97d539..010b8d62 100644 --- a/php/defaults/main.yml +++ b/php/defaults/main.yml @@ -1 +1,4 @@ --- + +php_fpm_enable: False +php_apache_enable: False diff --git a/php/tasks/apache.yml b/php/tasks/apache.yml new file mode 100644 index 00000000..2059648b --- /dev/null +++ b/php/tasks/apache.yml @@ -0,0 +1,59 @@ +--- + +- name: "Install mod_php packages (jessie)" + apt: + name: '{{ item }}' + state: present + with_items: + - libapache2-mod-php5 + when: ansible_distribution_release == "jessie" + +- name: "Install mod_php packages (Debian 9 or later)" + apt: + name: '{{ item }}' + state: present + with_items: + - libapache2-mod-php + when: ansible_distribution_major_version | version_compare('9', '>=') + +- name: "Set php.ini config for apache2 (jessie)" + set_fact: + php_apache_defaults_file: /etc/php5/apache2/conf.d/z-evolinux-defaults.ini + php_apache_custom_file: /etc/php5/apache2/conf.d/zzz-evolinux-custom.ini + when: ansible_distribution_release == "jessie" + +- name: "Set php.ini config for apache2 (Debian 9 or later)" + set_fact: + php_apache_defaults_file: /etc/php/7.0/apache2/conf.d/z-evolinux-defaults.ini + php_apache_custom_file: /etc/php/7.0/apache2/conf.d/zzz-evolinux-custom.ini + when: ansible_distribution_major_version | version_compare('9', '>=') + +- name: Set default values for PHP + ini_file: + dest: "{{ php_apache_defaults_file }}" + section: PHP + option: "{{ item.option }}" + value: "{{ item.value }}" + mode: "0644" + create: yes + with_items: + - { option: "short_open_tag", value: "Off" } + - { option: "expose_php", value: "Off" } + - { option: "display_errors", value: "Off" } + - { option: "log_errors", value: "On" } + - { option: "html_errors", value: "Off" } + - { option: "allow_url_fopen", value: "Off" } + +- name: Disable PHP functions + ini_file: + dest: "{{ php_apache_defaults_file }}" + section: PHP + option: disable_functions + value: "exec,shell-exec,system,passthru,putenv,popen" + +- name: Custom php.ini + copy: + dest: "{{ php_apache_custom_file }}" + content: | + # Put customized values here. + force: no diff --git a/php/tasks/fpm.yml b/php/tasks/fpm.yml new file mode 100644 index 00000000..276a7181 --- /dev/null +++ b/php/tasks/fpm.yml @@ -0,0 +1,90 @@ +--- + +- name: "Install PHP FPM packages (jessie)" + apt: + name: '{{ item }}' + state: present + with_items: + - php5-fpm + when: ansible_distribution_release == "jessie" + +- name: "Install PHP FPM packages (Debian 9 or later)" + apt: + name: '{{ item }}' + state: present + with_items: + - php-fpm + when: ansible_distribution_major_version | version_compare('9', '>=') + +- name: "Set config files for FPM (jessie)" + set_fact: + phpini_fpm_defaults_file: /etc/php5/fpm/conf.d/z-evolinux-defaults.ini + phpini_fpm_custom_file: /etc/php5/fpm/conf.d/zzz-evolinux-custom.ini + php_fpm_defaults_file: /etc/php5/fpm/pool.d/z-evolinux-defaults.conf + php_fpm_custom_file: /etc/php5/fpm/pool.d/zzz-evolinux-custom.conf + when: ansible_distribution_release == "jessie" + +- name: "Set config files for FPM (Debian 9 or later)" + set_fact: + phpini_fpm_defaults_file: /etc/php/7.0/fpm/conf.d/z-evolinux-defaults.ini + phpini_fpm_custom_file: /etc/php/7.0/fpm/conf.d/zzz-evolinux-custom.ini + php_fpm_defaults_file: /etc/php/7.0/fpm/pool.d/z-evolinux-defaults.conf + php_fpm_custom_file: /etc/php/7.0/fpm/pool.d/zzz-evolinux-custom.conf + when: ansible_distribution_major_version | version_compare('9', '>=') + +- name: Set default php.ini values for FPM + ini_file: + dest: "{{ phpini_fpm_defaults_file }}" + section: PHP + option: "{{ item.option }}" + value: "{{ item.value }}" + mode: "0644" + create: yes + with_items: + - { option: "short_open_tag", value: "Off" } + - { option: "expose_php", value: "Off" } + - { option: "display_errors", value: "Off" } + - { option: "log_errors", value: "On" } + - { option: "html_errors", value: "Off" } + - { option: "allow_url_fopen", value: "Off" } + +- name: Disable PHP functions for FPM + ini_file: + dest: "{{ phpini_fpm_defaults_file }}" + section: PHP + option: disable_functions + value: "exec,shell-exec,system,passthru,putenv,popen" + +- name: Custom php.ini for FPM + copy: + dest: "{{ phpini_fpm_custom_file }}" + content: | + # Put customized values here. + force: no + +- name: Set default PHP FPM values + ini_file: + dest: "{{ php_fpm_defaults_file }}" + section: www + option: "{{ item.option }}" + value: "{{ item.value }}" + mode: "0644" + create: yes + with_items: + - { option: "pm", value: "ondemand" } + - { option: "pm.max_children", value: "100" } + - { option: "pm.process_idle_timeout", value: "10s" } + - { option: "slowlog", value: "log/$pool.log.slow" } + - { option: "request_slowlog_timeout", value: "5s" } + - { option: "pm.status_path", value: "/fpm_status" } + - { option: "request_terminate_timeout", value: "60s" } + - { option: "chroot", value: "/var/www/html" } + when: ansible_distribution_major_version | version_compare('9', '>=') + +- name: Custom PHP FPM values + copy: + dest: "{{ php_fpm_custom_file }}" + content: | + # Put customized values here. + force: no + diff --git a/php/tasks/main.yml b/php/tasks/main.yml index de12d1a7..7f438569 100644 --- a/php/tasks/main.yml +++ b/php/tasks/main.yml @@ -1,19 +1,20 @@ -- name: Ensure php5-fpm package is installed - apt: - name: php5-fpm - state: present - when: - - ansible_distribution == "Debian" - - ansible_distribution_release == "jessie" - tags: - - php-fpm +--- -- name: Ensure php-fpm packages is installed - apt: - name: php-fpm - state: present +- fail: + msg: only compatible with Debian >= 8 when: - ansible_distribution == "Debian" - - ansible_distribution_major_version | version_compare('9', '>=') - tags: - - php-fpm + - ansible_distribution_major_version | version_compare('8', '<') + +- include: php_jessie.yml + when: ansible_distribution_release == "jessie" + +- include: php_stretch.yml + when: ansible_distribution_major_version | version_compare('9', '>=') + +- include: fpm.yml + when: php_fpm_enable + +- include: apache.yml + when: php_apache_enable + diff --git a/php/tasks/php_jessie.yml b/php/tasks/php_jessie.yml new file mode 100644 index 00000000..53b4e4ca --- /dev/null +++ b/php/tasks/php_jessie.yml @@ -0,0 +1,53 @@ +--- + +- name: "Install PHP packages (jessie)" + apt: + name: '{{ item }}' + state: present + with_items: + - php5 + - php5-cli + - php5-gd + - php5-imap + - php5-ldap + - php5-mcrypt + - php5-mysql + - php5-pgsql + - php-gettext + - php5-curl + - libssh2-php + +- name: "Set php.ini config for CLI (jessie)" + set_fact: + phpini_cli_defaults_file: /etc/php5/cli/conf.d/z-evolinux-defaults.ini + phpini_cli_custom_file: /etc/php5/cli/conf.d/zzz-evolinux-custom.ini + +- name: Set default php.ini values for CLI + ini_file: + dest: "{{ phpini_cli_defaults_file }}" + section: PHP + option: "{{ item.option }}" + value: "{{ item.value }}" + mode: "0644" + create: yes + with_items: + - { option: "short_open_tag", value: "Off" } + - { option: "expose_php", value: "Off" } + - { option: "display_errors", value: "Off" } + - { option: "log_errors", value: "On" } + - { option: "html_errors", value: "Off" } + - { option: "allow_url_fopen", value: "Off" } + +- name: Disable PHP functions for CLI + ini_file: + dest: "{{ phpini_cli_defaults_file }}" + section: PHP + option: disable_functions + value: "exec,shell-exec,system,passthru,putenv,popen" + +- name: Custom php.ini for CLI + copy: + dest: "{{ phpini_cli_custom_file }}" + content: | + # Put customized values here. + force: no diff --git a/php/tasks/php_stretch.yml b/php/tasks/php_stretch.yml new file mode 100644 index 00000000..64b54a45 --- /dev/null +++ b/php/tasks/php_stretch.yml @@ -0,0 +1,54 @@ +--- + +- name: "Install PHP packages (Debian 9 or later)" + apt: + name: '{{ item }}' + state: present + with_items: + - php + - php-cli + - php-gd + - php-imap + - php-ldap + - php-mcrypt + - php-mysql + - php-pgsql + - php-gettext + - php-curl + - php-ssh2 + - composer + +- name: "Set php.ini config for CLI (Debian 9 or later)" + set_fact: + phpini_cli_defaults_file: /etc/php/7.0/cli/conf.d/z-evolinux-defaults.ini + phpini_cli_custom_file: /etc/php/7.0/cli/conf.d/zzz-evolinux-custom.ini + +- name: Set default php.ini values for CLI + ini_file: + dest: "{{ phpini_cli_defaults_file }}" + section: PHP + option: "{{ item.option }}" + value: "{{ item.value }}" + mode: "0644" + create: yes + with_items: + - { option: "short_open_tag", value: "Off" } + - { option: "expose_php", value: "Off" } + - { option: "display_errors", value: "Off" } + - { option: "log_errors", value: "On" } + - { option: "html_errors", value: "Off" } + - { option: "allow_url_fopen", value: "Off" } + +- name: Disable PHP functions for CLI + ini_file: + dest: "{{ phpini_cli_defaults_file }}" + section: PHP + option: disable_functions + value: "exec,shell-exec,system,passthru,putenv,popen" + +- name: Custom php.ini for CLI + copy: + dest: "{{ phpini_cli_custom_file }}" + content: | + # Put customized values here. + force: no From 43e0f7589f29944bc1be2a217e018e1daa80fd92 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Tue, 22 Aug 2017 06:09:58 +0200 Subject: [PATCH 176/277] use now PHP role --- packweb-apache/tasks/main.yml | 15 ++++---- packweb-apache/tasks/php.yml | 65 ----------------------------------- packweb-apache/tasks/php5.yml | 64 ---------------------------------- 3 files changed, 8 insertions(+), 136 deletions(-) delete mode 100644 packweb-apache/tasks/php.yml delete mode 100644 packweb-apache/tasks/php5.yml diff --git a/packweb-apache/tasks/main.yml b/packweb-apache/tasks/main.yml index 1aefaa7b..4abe074a 100644 --- a/packweb-apache/tasks/main.yml +++ b/packweb-apache/tasks/main.yml @@ -2,7 +2,13 @@ - name: Include apache role include_role: - name: "apache" + name: apache + +- name: Include PHP role + include_role: + name: php + vars: + php_apache_enable: True - name: Add elements to user account template file: @@ -38,12 +44,6 @@ - include: apache.yml -- include: php5.yml - when: ansible_distribution_release == "jessie" - -- include: php.yml - when: ansible_distribution_major_version | version_compare('9', '>=') - - include: phpmyadmin.yml - include: awstats.yml @@ -123,3 +123,4 @@ name: evoadmin vars: evoadmin_enable_vhost: "{{ packweb_enable_evoadmin_vhost }}" + diff --git a/packweb-apache/tasks/php.yml b/packweb-apache/tasks/php.yml deleted file mode 100644 index d97b5fc4..00000000 --- a/packweb-apache/tasks/php.yml +++ /dev/null @@ -1,65 +0,0 @@ ---- - -- name: Install PHP packages - apt: - name: '{{ item }}' - state: present - with_items: - - libapache2-mod-php7.0 - - php7.0 - - php7.0-gd - - php7.0-imap - - php7.0-ldap - - php7.0-mcrypt - - php7.0-mysql - - php7.0-pgsql - - php7.0-curl - - php-gettext - - php-ssh2 - tags: - - apache - -- name: Set variables for php config files - set_fact: - php7_apache_defaults_file: /etc/php/7.0/apache2/conf.d/z-evolinux_defaults.ini - php7_apache_custom_file: /etc/php/7.0/apache2/conf.d/zzz-evolinux_custom.ini - -- name: Set default values for PHP - ini_file: - dest: "{{ php7_apache_defaults_file }}" - section: PHP - option: "{{ item.option }}" - value: "{{ item.value }}" - mode: "0644" - create: yes - with_items: - - { option: "short_open_tag", value: "Off" } - - { option: "expose_php", value: "Off" } - - { option: "display_errors", value: "Off" } - - { option: "html_errors", value: "Off" } - - { option: "log_errors", value: "On" } - - { option: "allow_url_fopen", value: "Off" } - notify: reload apache - -- name: Disable PHP exec function without evoadmin - ini_file: - dest: "{{ php7_apache_defaults_file }}" - section: PHP - option: disable_functions - value: "exec,shell-exec,system,passthru,putenv,popen" - when: not packweb_enable_evoadmin_vhost - -- name: Don't disable PHP exec function with evoadmin - ini_file: - dest: "{{ php7_apache_defaults_file }}" - section: PHP - option: disable_functions - value: "shell-exec,system,passthru,putenv,popen" - when: packweb_enable_evoadmin_vhost - -- name: Custom php.ini - copy: - dest: "{{ php7_apache_custom_file }}" - content: | - # Put customized values here. - force: no diff --git a/packweb-apache/tasks/php5.yml b/packweb-apache/tasks/php5.yml deleted file mode 100644 index ee65fd2f..00000000 --- a/packweb-apache/tasks/php5.yml +++ /dev/null @@ -1,64 +0,0 @@ ---- - -- name: Install PHP5 packages - apt: - name: '{{ item }}' - state: present - with_items: - - libapache2-mod-php5 - - php5 - - php5-gd - - php5-imap - - php5-ldap - - php5-mcrypt - - php5-mysql - - php5-pgsql - - php-gettext - - php5-curl - - libssh2-php - tags: - - apache - -- name: Set variables for php config files - set_fact: - php5_apache5_defaults_file: /etc/php5/apache2/conf.d/z-evolinux_defaults.ini - php5_apache5_custom_file: /etc/php5/apache2/conf.d/zzz-evolinux_custom.ini - -- name: Set default values for PHP - ini_file: - dest: "{{ php5_apache5_defaults_file }}" - section: PHP - option: "{{ item.option }}" - value: "{{ item.value }}" - mode: "0644" - create: yes - with_items: - - { option: "short_open_tag", value: "Off" } - - { option: "expose_php", value: "Off" } - - { option: "display_errors", value: "Off" } - - { option: "log_errors", value: "On" } - - { option: "allow_url_fopen", value: "Off" } - notify: reload apache - -- name: Disable PHP exec function without evoadmin - ini_file: - dest: "{{ php5_apache5_defaults_file }}" - section: PHP - option: disable_functions - value: "exec,shell-exec,system,passthru,putenv,popen" - when: not packweb_enable_evoadmin_vhost - -- name: Don't disable PHP exec function with evoadmin - ini_file: - dest: "{{ php5_apache5_defaults_file }}" - section: PHP - option: disable_functions - value: "shell-exec,system,passthru,putenv,popen" - when: packweb_enable_evoadmin_vhost - -- name: Custom php.ini - copy: - dest: "{{ php5_apache5_custom_file }}" - content: | - # Put customized values here. - force: no From 84d39d71214f8143cf3189a6ccb0d5078ce67a15 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Tue, 22 Aug 2017 06:20:18 +0200 Subject: [PATCH 177/277] mv evoadmin to webapps/evoadmin-web --- packweb-apache/tasks/main.yml | 2 +- {evoadmin => webapps/evoadmin-web}/defaults/main.yml | 0 {evoadmin => webapps/evoadmin-web}/files/evolinux.conf.diff | 0 {evoadmin => webapps/evoadmin-web}/handlers/main.yml | 0 {evoadmin => webapps/evoadmin-web}/tasks/config.yml | 0 {evoadmin => webapps/evoadmin-web}/tasks/ftp.yml | 0 {evoadmin => webapps/evoadmin-web}/tasks/main.yml | 0 {evoadmin => webapps/evoadmin-web}/tasks/packages.yml | 0 {evoadmin => webapps/evoadmin-web}/tasks/remount_usr_rw.yml | 0 {evoadmin => webapps/evoadmin-web}/tasks/ssl.yml | 0 {evoadmin => webapps/evoadmin-web}/tasks/user.yml | 0 {evoadmin => webapps/evoadmin-web}/tasks/web.yml | 0 .../evoadmin-web}/templates/config.local.php.j2 | 0 {evoadmin => webapps/evoadmin-web}/templates/evoadmin.conf.j2 | 0 {evoadmin => webapps/evoadmin-web}/templates/sudoers.j2 | 0 {evoadmin => webapps/evoadmin-web}/templates/web-add.conf.j2 | 0 {evoadmin => webapps/evoadmin-web}/templates/web-mail.tpl.j2 | 0 17 files changed, 1 insertion(+), 1 deletion(-) rename {evoadmin => webapps/evoadmin-web}/defaults/main.yml (100%) rename {evoadmin => webapps/evoadmin-web}/files/evolinux.conf.diff (100%) rename {evoadmin => webapps/evoadmin-web}/handlers/main.yml (100%) rename {evoadmin => webapps/evoadmin-web}/tasks/config.yml (100%) rename {evoadmin => webapps/evoadmin-web}/tasks/ftp.yml (100%) rename {evoadmin => webapps/evoadmin-web}/tasks/main.yml (100%) rename {evoadmin => webapps/evoadmin-web}/tasks/packages.yml (100%) rename {evoadmin => webapps/evoadmin-web}/tasks/remount_usr_rw.yml (100%) rename {evoadmin => webapps/evoadmin-web}/tasks/ssl.yml (100%) rename {evoadmin => webapps/evoadmin-web}/tasks/user.yml (100%) rename {evoadmin => webapps/evoadmin-web}/tasks/web.yml (100%) rename {evoadmin => webapps/evoadmin-web}/templates/config.local.php.j2 (100%) rename {evoadmin => webapps/evoadmin-web}/templates/evoadmin.conf.j2 (100%) rename {evoadmin => webapps/evoadmin-web}/templates/sudoers.j2 (100%) rename {evoadmin => webapps/evoadmin-web}/templates/web-add.conf.j2 (100%) rename {evoadmin => webapps/evoadmin-web}/templates/web-mail.tpl.j2 (100%) diff --git a/packweb-apache/tasks/main.yml b/packweb-apache/tasks/main.yml index 4abe074a..5bcd59d9 100644 --- a/packweb-apache/tasks/main.yml +++ b/packweb-apache/tasks/main.yml @@ -120,7 +120,7 @@ - name: Install Evoadmin include_role: - name: evoadmin + name: webapps/evoadmin-web vars: evoadmin_enable_vhost: "{{ packweb_enable_evoadmin_vhost }}" diff --git a/evoadmin/defaults/main.yml b/webapps/evoadmin-web/defaults/main.yml similarity index 100% rename from evoadmin/defaults/main.yml rename to webapps/evoadmin-web/defaults/main.yml diff --git a/evoadmin/files/evolinux.conf.diff b/webapps/evoadmin-web/files/evolinux.conf.diff similarity index 100% rename from evoadmin/files/evolinux.conf.diff rename to webapps/evoadmin-web/files/evolinux.conf.diff diff --git a/evoadmin/handlers/main.yml b/webapps/evoadmin-web/handlers/main.yml similarity index 100% rename from evoadmin/handlers/main.yml rename to webapps/evoadmin-web/handlers/main.yml diff --git a/evoadmin/tasks/config.yml b/webapps/evoadmin-web/tasks/config.yml similarity index 100% rename from evoadmin/tasks/config.yml rename to webapps/evoadmin-web/tasks/config.yml diff --git a/evoadmin/tasks/ftp.yml b/webapps/evoadmin-web/tasks/ftp.yml similarity index 100% rename from evoadmin/tasks/ftp.yml rename to webapps/evoadmin-web/tasks/ftp.yml diff --git a/evoadmin/tasks/main.yml b/webapps/evoadmin-web/tasks/main.yml similarity index 100% rename from evoadmin/tasks/main.yml rename to webapps/evoadmin-web/tasks/main.yml diff --git a/evoadmin/tasks/packages.yml b/webapps/evoadmin-web/tasks/packages.yml similarity index 100% rename from evoadmin/tasks/packages.yml rename to webapps/evoadmin-web/tasks/packages.yml diff --git a/evoadmin/tasks/remount_usr_rw.yml b/webapps/evoadmin-web/tasks/remount_usr_rw.yml similarity index 100% rename from evoadmin/tasks/remount_usr_rw.yml rename to webapps/evoadmin-web/tasks/remount_usr_rw.yml diff --git a/evoadmin/tasks/ssl.yml b/webapps/evoadmin-web/tasks/ssl.yml similarity index 100% rename from evoadmin/tasks/ssl.yml rename to webapps/evoadmin-web/tasks/ssl.yml diff --git a/evoadmin/tasks/user.yml b/webapps/evoadmin-web/tasks/user.yml similarity index 100% rename from evoadmin/tasks/user.yml rename to webapps/evoadmin-web/tasks/user.yml diff --git a/evoadmin/tasks/web.yml b/webapps/evoadmin-web/tasks/web.yml similarity index 100% rename from evoadmin/tasks/web.yml rename to webapps/evoadmin-web/tasks/web.yml diff --git a/evoadmin/templates/config.local.php.j2 b/webapps/evoadmin-web/templates/config.local.php.j2 similarity index 100% rename from evoadmin/templates/config.local.php.j2 rename to webapps/evoadmin-web/templates/config.local.php.j2 diff --git a/evoadmin/templates/evoadmin.conf.j2 b/webapps/evoadmin-web/templates/evoadmin.conf.j2 similarity index 100% rename from evoadmin/templates/evoadmin.conf.j2 rename to webapps/evoadmin-web/templates/evoadmin.conf.j2 diff --git a/evoadmin/templates/sudoers.j2 b/webapps/evoadmin-web/templates/sudoers.j2 similarity index 100% rename from evoadmin/templates/sudoers.j2 rename to webapps/evoadmin-web/templates/sudoers.j2 diff --git a/evoadmin/templates/web-add.conf.j2 b/webapps/evoadmin-web/templates/web-add.conf.j2 similarity index 100% rename from evoadmin/templates/web-add.conf.j2 rename to webapps/evoadmin-web/templates/web-add.conf.j2 diff --git a/evoadmin/templates/web-mail.tpl.j2 b/webapps/evoadmin-web/templates/web-mail.tpl.j2 similarity index 100% rename from evoadmin/templates/web-mail.tpl.j2 rename to webapps/evoadmin-web/templates/web-mail.tpl.j2 From 1af13e40c1b11d7876a119b0ded3e8e51168e764 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 4 Aug 2017 18:58:24 +0200 Subject: [PATCH 178/277] nginx: disable spdy in default vhost --- nginx/templates/evolinux-default.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx/templates/evolinux-default.conf.j2 b/nginx/templates/evolinux-default.conf.j2 index 1e1ceab5..165f39f8 100644 --- a/nginx/templates/evolinux-default.conf.j2 +++ b/nginx/templates/evolinux-default.conf.j2 @@ -7,7 +7,7 @@ server { } server { - listen 443 ssl spdy; + listen 443 ssl; # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 ssl_certificate /etc/ssl/certs/{{ ansible_fqdn }}.crt; From 39bc3d27fb038e43c5197f97f1806acf609c3f43 Mon Sep 17 00:00:00 2001 From: Romain Dessort Date: Tue, 22 Aug 2017 11:32:32 -0400 Subject: [PATCH 179/277] Add role for LXC --- lxc/defaults/main.yml | 18 ++++++++++++ lxc/tasks/create-container.yml | 52 ++++++++++++++++++++++++++++++++++ lxc/tasks/main.yml | 21 ++++++++++++++ lxc/templates/default.conf | 22 ++++++++++++++ 4 files changed, 113 insertions(+) create mode 100644 lxc/defaults/main.yml create mode 100644 lxc/tasks/create-container.yml create mode 100644 lxc/tasks/main.yml create mode 100644 lxc/templates/default.conf diff --git a/lxc/defaults/main.yml b/lxc/defaults/main.yml new file mode 100644 index 00000000..86636da2 --- /dev/null +++ b/lxc/defaults/main.yml @@ -0,0 +1,18 @@ +--- +# Should LXC containers run in unprivilegied (non root) mode? +lxc_unprivilegied_containers: true + +# Network type to use. See lxc.container.conf(5). +lxc_network_type: "none" + +# Partition to bind mount into containers. +lxc_mount_part: "/home" + +# List of LXC containers to create. +# Eg.: +# lxc_containers: +# - name: php56 +# release: jessie +# - name: php70 +# release: stretch +lxc_containers: [] diff --git a/lxc/tasks/create-container.yml b/lxc/tasks/create-container.yml new file mode 100644 index 00000000..fc4b5a72 --- /dev/null +++ b/lxc/tasks/create-container.yml @@ -0,0 +1,52 @@ +--- +- name: Check if container exists + command: "lxc-ls {{name}}" + register: container_exists + +- name: Create container + command: "lxc-create -n {{name}} -t download -- --dist debian --release {{release}} --arch amd64" + when: container_exists.stdout_lines == [] + +- name: Disable network configuration inside container + replace: + name: "/var/lib/lxc/{{name}}/rootfs/etc/default/networking" + regexp: "^#CONFIGURE_INTERFACES=yes" + replace: CONFIGURE_INTERFACES=no + when: lxc_network_type == "none" + +- name: Disable interface shut down on halt inside container + lineinfile: + name: "/var/lib/lxc/{{name}}/rootfs/etc/default/halt" + line: "NETDOWN=no" + when: lxc_network_type == "none" + +- name: Make the container poweroff on SIGPWR (sent by lxc-stop) on jessie + file: + src: /lib/systemd/system/poweroff.target + dest: "/var/lib/lxc/{{name}}/rootfs/etc/systemd/system/sigpwr.target" + state: link + when: release == 'jessie' + +- name: Set the DNS resolvers + command: "cp /etc/resolv.conf /var/lib/lxc/{{name}}/rootfs/etc/" + +- name: Add hostname in /etc/hosts + lineinfile: + name: "/var/lib/lxc/{{name}}/rootfs/etc/hosts" + line: "127.0.0.1 {{name}}" + +# Still needed? +- name: Fix permission on /dev + lineinfile: + name: "/var/lib/lxc/{{name}}/rootfs/etc/rc.local" + line: "chmod 755 /dev" + insertbefore: "^exit 0$" + +- name: Check if container is running + command: "lxc-ls --running {{name}}" + register: container_running + +- name: "Start {{name}} container" + command: "lxc-start -dn {{name}}" + when: container_running.stdout_lines == [] + diff --git a/lxc/tasks/main.yml b/lxc/tasks/main.yml new file mode 100644 index 00000000..e92e7d39 --- /dev/null +++ b/lxc/tasks/main.yml @@ -0,0 +1,21 @@ +--- +- name: Install lxc tools + apt: + name: lxc + +- name: Copy LXC default containers configuration + template: + src: default.conf + dest: /etc/lxc/ + +- name: Check if root has subuids + command: grep '^root:100000:10000$' /etc/subuid + register: root_subuids + +- name: Add subuid and subgid ranges to root + command: usermod -v 100000-199999 -w 100000-109999 root + when: not root_subuids.rc + +- name: Create containers + include: "create-container.yml name={{item.name}} release={{item.release}}" + with_items: lxc_containers diff --git a/lxc/templates/default.conf b/lxc/templates/default.conf new file mode 100644 index 00000000..5aaf824e --- /dev/null +++ b/lxc/templates/default.conf @@ -0,0 +1,22 @@ +{% if lxc_unprivilegied_containers %} +# Run containers in unprivilegied mode. +# Map both user and group IDs in range 0-9999 in the container to the IDs +# 100000-109999 on the host. +lxc.id_map = u 0 100000 10000 +lxc.id_map = g 0 100000 10000 + +{% endif %} +# Set the default network virtualization method. +lxc.network.type = {{lxc_network_type}} + +{% if lxc_mount_part %} +# Mount {{lxc_mount_part}} into containers. +# lxc.mount.entry = {{lxc_mount_part}} {{lxc_mount_part |replace('/', '')}} none bind 0 0 + +{% endif %} +# Only one tty is enough. +# This require that you disabled others tty ([2-6]) in systemd. +lxc.tty = 1 + +# Run 64bits containers +lxc.arch = x86_64 From 5ba32d4c5f99a56caf7591e16bf6d5b83302b266 Mon Sep 17 00:00:00 2001 From: Romain Dessort Date: Tue, 22 Aug 2017 12:58:13 -0400 Subject: [PATCH 180/277] Add README to lxc role --- lxc/README.md | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 lxc/README.md diff --git a/lxc/README.md b/lxc/README.md new file mode 100644 index 00000000..4da64f3c --- /dev/null +++ b/lxc/README.md @@ -0,0 +1,24 @@ +# lxc + +Install and configure lxc and create containers. + +## Tasks + +Everything is in the `tasks/main.yml` file. + +## Available variables + +Here is the list of available variables: + +* `lxc_unprivilegied_containers`: should LXC containers run in unprivilegied (non root) mode? Default: `true` +* `lxc_network_type`: network type to use. See lxc.container.conf(5). Default: `"none"` +* `lxc_mount_part`: partition to bind mount into containers. Default: `"/home"` +* `lxc_containers`: list of LXC containers to create. Default: `[]` (empty). + Eg.: + ``` + lxc_containers: + - name: php56 + release: jessie + - name: php70 + release: stretch + ``` From 6526e88b9c440a84666bfb0658c027a93cf09645 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Tue, 22 Aug 2017 18:18:23 +0200 Subject: [PATCH 181/277] install phpmailer by default (now in HowtoPHP) + fix name of package for ssh module in jessie --- php/tasks/php_jessie.yml | 3 ++- php/tasks/php_stretch.yml | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/php/tasks/php_jessie.yml b/php/tasks/php_jessie.yml index 53b4e4ca..46c7c973 100644 --- a/php/tasks/php_jessie.yml +++ b/php/tasks/php_jessie.yml @@ -15,7 +15,8 @@ - php5-pgsql - php-gettext - php5-curl - - libssh2-php + - php5-ssh2 + - libphp-phpmailer - name: "Set php.ini config for CLI (jessie)" set_fact: diff --git a/php/tasks/php_stretch.yml b/php/tasks/php_stretch.yml index 64b54a45..00ed327a 100644 --- a/php/tasks/php_stretch.yml +++ b/php/tasks/php_stretch.yml @@ -17,6 +17,7 @@ - php-curl - php-ssh2 - composer + - libphp-phpmailer - name: "Set php.ini config for CLI (Debian 9 or later)" set_fact: From 32bcec3cc85f79a8edf237b2841006be4a64de92 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Wed, 23 Aug 2017 01:03:07 +0200 Subject: [PATCH 182/277] review squid role whith https://wiki.evolix.org/HowtoSquid --- squid/README.md | 6 +- squid/defaults/main.yml | 2 +- squid/files/default_squid | 2 + squid/files/evolinux-defaults.conf | 35 ++++++ squid/files/evolinux-httpaccess.conf | 2 + squid/files/evolinux-whitelist-defaults.conf | 119 ++++++++++++++++++ squid/files/whitelist-custom.conf | 2 - squid/files/whitelist-evolinux.conf | 1 - squid/tasks/logrotate.yml | 2 +- squid/tasks/main.yml | 123 ++++++++++++++++--- squid/templates/evolinux-acl.conf.j2 | 1 + squid/templates/evolinux-custom.conf.j2 | 4 + squid/templates/log2mail.j2 | 2 +- squid/templates/logrotate.j2 | 4 +- squid/templates/{squid.j2 => squid.conf.j2} | 5 +- squid/vars/Debian-jessie.yml | 6 - squid/vars/Debian-stretch.yml | 6 - 17 files changed, 279 insertions(+), 43 deletions(-) create mode 100644 squid/files/default_squid create mode 100644 squid/files/evolinux-defaults.conf create mode 100644 squid/files/evolinux-httpaccess.conf create mode 100644 squid/files/evolinux-whitelist-defaults.conf delete mode 100644 squid/files/whitelist-custom.conf create mode 100644 squid/templates/evolinux-acl.conf.j2 create mode 100644 squid/templates/evolinux-custom.conf.j2 rename squid/templates/{squid.j2 => squid.conf.j2} (70%) delete mode 100644 squid/vars/Debian-jessie.yml delete mode 100644 squid/vars/Debian-stretch.yml diff --git a/squid/README.md b/squid/README.md index d25e85c0..a2d5c29f 100644 --- a/squid/README.md +++ b/squid/README.md @@ -1,6 +1,6 @@ # squid -Installation and configuration of Squid as an outgoing proxy. +Installation and configuration of Squid ## Tasks @@ -12,7 +12,9 @@ A blank file is created at `/etc/squid3/whitelist-custom.conf` to add addresses * `squid_address` : IP address for internal/outgoing traffic (default: Ansible detected IPv4 address) ; * `squid_whitelist_items` : list of URL to add to the whitelist (default: `[]`) ; -* `general_alert_email`: email address to send various alert messages (default: `root@localhost`). +* `squid_localproxy_enable` : enable configuration for squid as local proxy (default: False) ; +* `general_alert_email`: email address to send various alert messages (default: `root@localhost`) ; * `log2mail_alert_email`: email address to send Log2mail messages to (default: `general_alert_email`). + The full list of variables (with default values) can be found in `defaults/main.yml`. diff --git a/squid/defaults/main.yml b/squid/defaults/main.yml index 2f81cc43..1a6db438 100644 --- a/squid/defaults/main.yml +++ b/squid/defaults/main.yml @@ -5,4 +5,4 @@ log2mail_alert_email: Null squid_address: "{{ ansible_default_ipv4.address }}" squid_whitelist_items: [] -squid_service_name: squid +squid_localproxy_enable: False diff --git a/squid/files/default_squid b/squid/files/default_squid new file mode 100644 index 00000000..ae39d9ed --- /dev/null +++ b/squid/files/default_squid @@ -0,0 +1,2 @@ +CONFIG=/etc/squid/evolinux-defaults.conf +SQUID_ARGS="-YC -f $CONFIG" diff --git a/squid/files/evolinux-defaults.conf b/squid/files/evolinux-defaults.conf new file mode 100644 index 00000000..3153221a --- /dev/null +++ b/squid/files/evolinux-defaults.conf @@ -0,0 +1,35 @@ +http_port 127.0.0.1:3128 +coredump_dir /var/spool/squid +max_filedescriptors 4096 + +acl SSL_ports port 443 +acl Safe_ports port 80 # http +acl Safe_ports port 21 # ftp +acl Safe_ports port 443 # https +acl Safe_ports port 70 # gopher +acl Safe_ports port 210 # wais +acl Safe_ports port 1025-65535 # unregistered ports +acl Safe_ports port 280 # http-mgmt +acl Safe_ports port 488 # gss-http +acl Safe_ports port 591 # filemaker +acl Safe_ports port 777 # multiling http +acl CONNECT method CONNECT +acl Whitelist_domains dstdom_regex -i "/etc/squid/evolinux-whitelist-defaults.conf" +acl Whitelist_domains dstdom_regex -i "/etc/squid/evolinux-whitelist-custom.conf" +include /etc/squid/evolinux-acl.conf + +http_access deny !Safe_ports +http_access deny CONNECT !SSL_ports +http_access allow localhost manager +http_access deny manager +include /etc/squid/evolinux-httpaccess.conf +http_access allow localhost +http_access deny all + +refresh_pattern ^ftp: 1440 20% 10080 +refresh_pattern ^gopher: 1440 0% 1440 +refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 +refresh_pattern . 0 20% 4320 + +logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +access_log /var/log/squid/access.log combined diff --git a/squid/files/evolinux-httpaccess.conf b/squid/files/evolinux-httpaccess.conf new file mode 100644 index 00000000..7a4e00a2 --- /dev/null +++ b/squid/files/evolinux-httpaccess.conf @@ -0,0 +1,2 @@ +http_access deny !Whitelist_domains +http_access allow LOCAL diff --git a/squid/files/evolinux-whitelist-defaults.conf b/squid/files/evolinux-whitelist-defaults.conf new file mode 100644 index 00000000..310763e5 --- /dev/null +++ b/squid/files/evolinux-whitelist-defaults.conf @@ -0,0 +1,119 @@ +### Evolix & System +^.*\.evolix\.(net|org|com|fr)$ +^.*\.debian\.org$ +^www\.backports\.org$ +^backports\.debian\.org$ +^www\.kernel\.org$ +^hwraid\.le-vert\.net$ +^.*clamav\.net$ +^spamassassin\.apache\.org$ +^.*sa-update.*$ +^pear\.php\.net$ + +# Let's Encrypt +^.*\.letsencrypt.org$ + +# Other OCSP endpoint +^ocsp\.usertrust\.com$ + +### CMS / Wordpress / Drupal / ... +# Wordpress +^.*akismet\.com$ +^.*wordpress\.(org|com)$ +^.*gravatar\.com$ +^www\.wordpress-fr\.net$ +^pixel\.wp\.com$ +# Wordpress pingback +^rpc\.pingomatic\.com$ +^blo\.gs$ +^ping\.blo\.gs$ +^ping\.baidu\.com$ +^blogsearch\.google\.ru$ +^ping\.pubsub\.com$ +^rpc\.twingly\.com$ +^api\.feedster\.com$ +^api\.moreover\.com$ +^api\.moreover\.com$ +^www\.blogdigger\.com$ +^www\.blogshares\.com$ +^www\.blogsnow\.com$ +^www\.blogstreet\.com$ +^bulkfeeds\.net$ +^www\.newsisfree\.com$ +^ping\.feedburner\.com$ +^ping\.syndic8\.com$ +^ping\.weblogalot\.com$ +^rpc\.blogrolling\.com$ +^rpc\.technorati\.com$ +^rpc\.weblogs\.com$ +^www\.feedsubmitter\.com$ +^www\.pingerati\.net$ +^www\.pingmyblog\.com$ +^geourl\.org$ +^ipings\.com$ +^www\.weblogalot\.com$ +# Wordpress plugins +^.*wpml\.org$ +^www\.wpcube\.co\.uk$ +^.*wp-rocket\.me$ +^www\.yithemes\.com$ +^.*yoast\.com$ +^yarpp\.org$ +^repository\.kreaturamedia\.com$ +^api\.wp-events-plugin\.com$ +^updates\.themepunch\.com$ +^themeisle\.com$ +^download\.advancedcustomfields\.com$ +^wpcdn\.io$ +^vimeo\.com$ +^api\.genesistheme\.com$ +^www\.bolderelements\.net$ +# Magento Plugins +^extensions\.activo\.com$ +^amasty\.com$ +# Joomla +^.*.joomla\.org$ +^getk2\.org$ +^miwisoft\.com$ +^mijosoft\.com$ +^www\.joomlaworks\.net$ +^cdn\.joomlaworks\.org$ +^download\.regularlabs\.com$ +# Prestashop +^.*.prestashop\.com$ +^www\.presta-module\.com$ +^www\.presteamshop\.com$ +# Others +^.*.drupal\.org$ +^.*\.dotclear\.(net|org)$ +^www\.phpbb\.com$ +^www\.typolight\.org$ +^www\.spip\.net$ + +### Feeds / API / WS Tools / ... +# Google +^.*\.googleapis\.com$ +^.*\.google-analytics\.com$ +^blogsearch\.google\.(com|fr)$ +^csi\.gstatic\.com$ +^maps\.google\..*$ +^translate\.google\.com$ +^www\.google\.com$ +# Facebook +^.*\.facebook\.com$ +^.*\.fbcdn\.net$ +# Maxmind +^geolite\.maxmind\.com$ +# Others +#^.*amazon.com$ +^.*twitter\.com$ +^.*feedburner\.com$ +^.*openx\.(org|com|net)$ +^geoip-api\.meteor\.com$ +^www\.bing\.com$ +^www\.telize\.com$ +^.*ident\.me$ +^.*icanhazip\.com$ +^www\.express-mailing\.com$ +^bot\.whatismyipaddress\.com$ +^ipecho\.net$ diff --git a/squid/files/whitelist-custom.conf b/squid/files/whitelist-custom.conf deleted file mode 100644 index 5d930f2c..00000000 --- a/squid/files/whitelist-custom.conf +++ /dev/null @@ -1,2 +0,0 @@ -### Custom whitelist -# http://example.com/.* diff --git a/squid/files/whitelist-evolinux.conf b/squid/files/whitelist-evolinux.conf index 407e7645..f9691802 100644 --- a/squid/files/whitelist-evolinux.conf +++ b/squid/files/whitelist-evolinux.conf @@ -119,4 +119,3 @@ http://bot.whatismyipaddress.com/.* http://ipecho.net/.* ### Various / Manual entry -http://.*.s3.amazonaws.com/.* diff --git a/squid/tasks/logrotate.yml b/squid/tasks/logrotate.yml index 3ac53a6e..8464d309 100644 --- a/squid/tasks/logrotate.yml +++ b/squid/tasks/logrotate.yml @@ -2,5 +2,5 @@ - name: logrotate configuration template: src: logrotate.j2 - dest: /etc/logrotate.d/{{ squid_daemon }} + dest: /etc/logrotate.d/{{ squid_daemoname }} force: no diff --git a/squid/tasks/main.yml b/squid/tasks/main.yml index eaf690a6..5d81a670 100644 --- a/squid/tasks/main.yml +++ b/squid/tasks/main.yml @@ -1,41 +1,128 @@ --- -- name: Include OS-specific variables - include_vars: "{{ ansible_os_family }}-{{ ansible_distribution_release }}.yml" +- fail: + msg: only compatible with Debian >= 8 + when: + - ansible_distribution == "Debian" + - ansible_distribution_major_version | version_compare('8', '<') -- name: package is installed +- name: "Set squid name (jessie)" + set_fact: + squid_daemoname: squid3 + when: ansible_distribution_release == "jessie" + +- name: "Set squid name (Debian 9 or later)" + set_fact: + squid_daemoname: squid + when: ansible_distribution_major_version | version_compare('9', '>=') + +- name: "Install Squid packages" apt: - name: "{{ squid_package }}" + name: '{{ item }}' state: present + with_items: + - "{{ squid_daemoname }}" + - squidclient -- name: squid.conf is present +- name: "Set alternative config file (Debian 9 or later)" + copy: + src: default_squid + dest: /etc/default/squid + when: ansible_distribution_major_version | version_compare('9', '>=') + +- name: "squid.conf is present (jessie)" template: - src: squid.j2 - dest: "{{ squid_conf_file }}" - notify: "restart {{ squid_daemon }}" + src: squid.conf.j2 + dest: /etc/squid3/squid.conf + notify: "restart squid3" + when: ansible_distribution_release == "jessie" -- name: evolix whitelist is present +- name: "evolix whitelist is present (jessie)" copy: src: whitelist-evolinux.conf - dest: "{{ squid_conf_path }}/whitelist-evolinux.conf" - force: yes - notify: "reload {{ squid_daemon }}" + dest: /etc/squid3/whitelist.conf + notify: "reload squid3" + when: ansible_distribution_release == "jessie" -- name: custom whitelist is present +- name: "evolinux custom squid file (Debian 9 or later)" copy: - src: whitelist-custom.conf - dest: "{{ squid_conf_path }}/whitelist-custom.conf" + src: evolinux-defaults.conf + dest: /etc/squid/evolinux-defaults.conf + notify: "restart squid" + when: ansible_distribution_major_version | version_compare('9', '>=') + +- name: "evolinux defaults whitelist (Debian 9 or later)" + copy: + src: evolinux-whitelist-defaults.conf + dest: /etc/squid/evolinux-whitelist-defaults.conf + notify: "reload squid" + when: ansible_distribution_major_version | version_compare('9', '>=') + +- name: "evolinux custom whitelist (Debian 9 or later)" + copy: + dest: /etc/squid/evolinux-whitelist-custom.conf + content: | + # Put customized values here. force: no - notify: "reload {{ squid_daemon }}" + when: ansible_distribution_major_version | version_compare('9', '>=') + +- name: "evolinux acl for local proxy (Debian 9 or later)" + template: + src: evolinux-acl.conf.j2 + dest: /etc/squid/evolinux-acl.conf + force: no + notify: "reload squid" + when: squid_localproxy_enable and ansible_distribution_major_version | version_compare('9', '>=') + +- name: "evolinux custom acl (Debian 9 or later)" + copy: + dest: /etc/squid/evolinux-acl.conf + content: | + # Put customized values here. + force: no + when: squid_localproxy_enable == False and ansible_distribution_major_version | version_compare('9', '>=') + +- name: "evolinux http_access for local proxy (Debian 9 or later)" + copy: + src: evolinux-httpaccess.conf + dest: /etc/squid/evolinux-httpaccess.conf + force: no + notify: "reload squid" + when: squid_localproxy_enable and ansible_distribution_major_version | version_compare('9', '>=') + +- name: "evolinux custom http_access (Debian 9 or later)" + copy: + dest: /etc/squid/evolinux-httpaccess.conf + content: | + # Put customized values here. + force: no + when: squid_localproxy_enable == False and ansible_distribution_major_version | version_compare('9', '>=') + +- name: "evolinux overrides for local proxy (Debian 9 or later)" + template: + src: evolinux-custom.conf.j2 + dest: /etc/squid/evolinux-custom.conf + force: no + notify: "reload squid" + when: squid_localproxy_enable and ansible_distribution_major_version | version_compare('9', '>=') + +- name: "evolinux custom overrides (Debian 9 or later)" + copy: + dest: /etc/squid/evolinux-custom.conf + content: | + # Put customized values here. + force: no + when: squid_localproxy_enable == False and ansible_distribution_major_version | version_compare('9', '>=') - name: add some URL in whitelist lineinfile: insertafter: EOF - dest: "{{ squid_conf_path }}/whitelist-custom.conf" + dest: /etc/squid/evolinux-whitelist-custom.conf line: "{{ item }}" state: present with_items: '{{ squid_whitelist_items }}' - notify: "reload {{ squid_daemon }}" + notify: "reload squid" + when: ansible_distribution_major_version | version_compare('9', '>=') - include: logrotate.yml diff --git a/squid/templates/evolinux-acl.conf.j2 b/squid/templates/evolinux-acl.conf.j2 new file mode 100644 index 00000000..dbd83927 --- /dev/null +++ b/squid/templates/evolinux-acl.conf.j2 @@ -0,0 +1 @@ +acl LOCAL src {{ squid_address }}/32 diff --git a/squid/templates/evolinux-custom.conf.j2 b/squid/templates/evolinux-custom.conf.j2 new file mode 100644 index 00000000..cc465dc7 --- /dev/null +++ b/squid/templates/evolinux-custom.conf.j2 @@ -0,0 +1,4 @@ +http_port 8888 transparent +cache deny all +ignore_expect_100 on +tcp_outgoing_address {{ squid_address }} diff --git a/squid/templates/log2mail.j2 b/squid/templates/log2mail.j2 index 223c8e27..7a025676 100644 --- a/squid/templates/log2mail.j2 +++ b/squid/templates/log2mail.j2 @@ -1,4 +1,4 @@ -file = /var/log/squid3/access.log +file = /var/log/{{ squid_daemoname }}/access.log pattern = "TCP_DENIED" mailto = {{ log2mail_alert_email or general_alert_email | mandatory }} template = /etc/log2mail/mail diff --git a/squid/templates/logrotate.j2 b/squid/templates/logrotate.j2 index 409776b2..118e837b 100644 --- a/squid/templates/logrotate.j2 +++ b/squid/templates/logrotate.j2 @@ -1,4 +1,4 @@ -/var/log/{{ squid_daemon }}/*.log { +/var/log/{{ squid_daemoname }}/*.log { monthly compress rotate 12 @@ -6,6 +6,6 @@ create 640 proxy adm sharedscripts postrotate - test ! -e /var/run/{{ squid_daemon }}.pid || /usr/sbin/{{ squid_daemon }} -k rotate + test ! -e /var/run/{{ squid_daemoname }}.pid || /usr/sbin/{{ squid_daemoname }} -k rotate endscript } diff --git a/squid/templates/squid.j2 b/squid/templates/squid.conf.j2 similarity index 70% rename from squid/templates/squid.j2 rename to squid/templates/squid.conf.j2 index c983f7ff..108a3bc1 100644 --- a/squid/templates/squid.j2 +++ b/squid/templates/squid.conf.j2 @@ -8,8 +8,7 @@ acl localhost src 127.0.0.0/32 acl INTERNE src {{ squid_address }}/32 127.0.0.0/8 acl Safe_ports port 80 # http acl SSL_ports port 443 563 -acl WHITELIST url_regex "{{ squid_conf_path }}/whitelist-evolinux.conf" -acl WHITELIST url_regex "{{ squid_conf_path }}/whitelist-custom.conf" +acl WHITELIST url_regex "/etc/squid3/whitelist.conf" http_access deny !WHITELIST http_access allow INTERNE http_access deny all @@ -17,4 +16,4 @@ tcp_outgoing_address {{ squid_address }} # Logs logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh -access_log {{ squid_log_path }}/access.log combined +access_log /var/log/squid3/access.log combined diff --git a/squid/vars/Debian-jessie.yml b/squid/vars/Debian-jessie.yml deleted file mode 100644 index 91b0e615..00000000 --- a/squid/vars/Debian-jessie.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -squid_package: squid3 -squid_daemon: squid3 -squid_conf_path: /etc/squid3 -squid_conf_file: /etc/squid3/squid.conf -squid_log_path: /var/log/squid3 diff --git a/squid/vars/Debian-stretch.yml b/squid/vars/Debian-stretch.yml deleted file mode 100644 index 4ed3046e..00000000 --- a/squid/vars/Debian-stretch.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -squid_package: squid -squid_daemon: squid -squid_conf_path: /etc/squid -squid_conf_file: /etc/squid/squid.conf -squid_log_path: /var/log/squid From 41329af173c7d2c598d89710eddccac716f9089f Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Wed, 23 Aug 2017 01:26:57 +0200 Subject: [PATCH 183/277] Remove dynamic add of whitelist Squid proxy --- evoacme/tasks/certbot.yml | 21 -------------- jenkins/tasks/main.yml | 29 -------------------- mongodb/tasks/main.yml | 27 ------------------ newrelic/tasks/sources.yml | 24 ---------------- squid/files/evolinux-whitelist-defaults.conf | 7 +++++ squid/files/whitelist-evolinux.conf | 9 ++++-- 6 files changed, 14 insertions(+), 103 deletions(-) diff --git a/evoacme/tasks/certbot.yml b/evoacme/tasks/certbot.yml index 526fbb07..20658ec2 100644 --- a/evoacme/tasks/certbot.yml +++ b/evoacme/tasks/certbot.yml @@ -53,24 +53,3 @@ dest: /etc/cron.daily/certbot mode: "0755" -- name: Find squid config whitelist - shell: find /etc/squid/whitelist-custom.conf /etc/squid3/whitelist-custom.conf /etc/squid/whitelist.conf /etc/squid3/whitelist.conf 2> /dev/null - failed_when: false - changed_when: false - check_mode: no - register: squid_whitelist_files - -- name: set squid_service_name=squid3 for Debian < 9 - set_fact: - squid_service_name: squid3 - when: - - ansible_distribution == "Debian" - - ansible_distribution_release == "jessie" - -- name: Let's Encrypt OCSP server is authorized by squid - lineinfile: - dest: "{{ squid_whitelist_files.stdout_lines | first }}" - line: "http://.*.letsencrypt.org/.*" - state: present - notify: "reload {{ squid_service_name | default('squid') }}" - when: squid_whitelist_files.stdout != "" diff --git a/jenkins/tasks/main.yml b/jenkins/tasks/main.yml index 83d3ec92..a1070229 100644 --- a/jenkins/tasks/main.yml +++ b/jenkins/tasks/main.yml @@ -4,35 +4,6 @@ # url: https://jenkins-ci.org/debian/jenkins-ci.org.key data: "{{ lookup('file', 'jenkins.key') }}" -- name: Find squid config whitelist - shell: find /etc/squid/whitelist-custom.conf /etc/squid3/whitelist-custom.conf /etc/squid/whitelist.conf /etc/squid3/whitelist.conf 2> /dev/null - failed_when: false - changed_when: false - check_mode: no - register: squid_whitelist_files - -- name: set squid_service_name=squid3 for Debian 8 - set_fact: - squid_service_name: squid3 - when: - - ansible_distribution == "Debian" - - ansible_distribution_release == "jessie" - -- name: Append packages.dotdeb.org to Squid whitelist - lineinfile: - dest: "{{ squid_whitelist_files.stdout_lines | first }}" - line: "{{ item }}" - state: present - with_items: - - "http://pkg.jenkins-ci.org/.*" - - "http://mirrors.jenkins.io/.*" - - "http://jenkins.mirror.isppower.de/.*" - - "http://ftp.icm.edu.pl/.*" - notify: "reload {{ squid_service_name | default('squid') }}" - when: squid_whitelist_files.stdout != "" - -- meta: flush_handlers - - name: Add jenkins APT repository apt_repository: repo: deb http://pkg.jenkins-ci.org/debian-stable binary/ diff --git a/mongodb/tasks/main.yml b/mongodb/tasks/main.yml index f222c799..42d7c385 100644 --- a/mongodb/tasks/main.yml +++ b/mongodb/tasks/main.yml @@ -1,32 +1,5 @@ --- # tasks file for mongodb -- name: Find squid config whitelist - shell: find /etc/squid/whitelist-custom.conf /etc/squid3/whitelist-custom.conf /etc/squid/whitelist.conf /etc/squid3/whitelist.conf 2> /dev/null - failed_when: false - changed_when: false - check_mode: no - register: squid_whitelist_files - -- name: set squid_service_name=squid3 for Debian 8 - set_fact: - squid_service_name: squid3 - when: - - ansible_distribution == "Debian" - - ansible_distribution_release == "jessie" - -- name: Append packages.dotdeb.org to Squid whitelist - lineinfile: - dest: "{{ squid_whitelist_files.stdout_lines | first }}" - line: "{{ item }}" - state: present - with_items: - - "http://keyserver.ubuntu.com/.*" - - "hkp://keyserver.ubuntu.com/.*" - - "http://repo.mongodb.org/.*" - notify: "reload {{ squid_service_name | default('squid') }}" - when: squid_whitelist_files.stdout != "" - -- meta: flush_handlers # Attention à bien indiquer le protocole et le port, sinon le firewall ne laisse pas passer - name: MongoDB public GPG Key diff --git a/newrelic/tasks/sources.yml b/newrelic/tasks/sources.yml index 551fc8b5..b5b35fd0 100644 --- a/newrelic/tasks/sources.yml +++ b/newrelic/tasks/sources.yml @@ -5,30 +5,6 @@ # url: https://download.newrelic.com/548C16BF.gpg data: "{{ lookup('file', '548C16BF.gpg') }}" -- name: set squid_service_name=squid3 for Debian 8 - set_fact: - squid_service_name: squid3 - when: - - ansible_distribution == "Debian" - - ansible_distribution_release == "jessie" - -- name: Find squid config whitelist - shell: find /etc/{{ squid_service_name | default('squid') }}/whitelist-custom.conf /etc/{{ squid_service_name | default('squid') }}/whitelist.conf 2> /dev/null - failed_when: false - changed_when: false - check_mode: no - register: squid_whitelist_files - -- name: Append packages.dotdeb.org to Squid whitelist - lineinfile: - dest: "{{ squid_whitelist_files.stdout_lines | first }}" - line: "http://apt.newrelic.com/.*" - state: present - notify: "reload {{ squid_service_name | default('squid') }}" - when: squid_whitelist_files.stdout != "" - -- meta: flush_handlers - - name: Install NewRelic repository apt_repository: repo: "deb http://apt.newrelic.com/debian/ newrelic non-free" diff --git a/squid/files/evolinux-whitelist-defaults.conf b/squid/files/evolinux-whitelist-defaults.conf index 310763e5..ada4fcdc 100644 --- a/squid/files/evolinux-whitelist-defaults.conf +++ b/squid/files/evolinux-whitelist-defaults.conf @@ -117,3 +117,10 @@ ^www\.express-mailing\.com$ ^bot\.whatismyipaddress\.com$ ^ipecho\.net$ +^keyserver\.ubuntu\.com$ +^repo\.mongodb\.org$ +^pkg\.jenkins-ci\.org$ +^mirrors\.jenkins\.io$ +^jenkins\.mirror\.isppower\.de$ +^ftp\.icm\.edu\.pl$ +^apt\.newrelic\.com$ diff --git a/squid/files/whitelist-evolinux.conf b/squid/files/whitelist-evolinux.conf index f9691802..10bcd779 100644 --- a/squid/files/whitelist-evolinux.conf +++ b/squid/files/whitelist-evolinux.conf @@ -117,5 +117,10 @@ http://.*icanhazip.com/.* http://www.express-mailing.com/.* http://bot.whatismyipaddress.com/.* http://ipecho.net/.* - -### Various / Manual entry +http://keyserver.ubuntu.com/.* +http://repo.mongodb.org/.* +http://pkg.jenkins-ci.org/.* +http://mirrors.jenkins.io/.* +http://jenkins.mirror.isppower.de/.* +http://ftp.icm.edu.pl/.* +http://apt.newrelic.com/.* From a5db321717055d87f2e65f8db684d84119252184 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Wed, 23 Aug 2017 01:44:07 +0200 Subject: [PATCH 184/277] quick review of mongodb role, few improvments and disable it for stretch because not ready --- mongodb/handlers/main.yml | 11 +---------- mongodb/tasks/main.yml | 11 ++++++++++- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/mongodb/handlers/main.yml b/mongodb/handlers/main.yml index c651d98e..46a307cc 100644 --- a/mongodb/handlers/main.yml +++ b/mongodb/handlers/main.yml @@ -2,15 +2,6 @@ # handlers file for mongodb - name: restart mongodb service: - name: mongodb + name: mongod state: restarted -- name: reload squid - service: - name: squid - state: reloaded - -- name: reload squid3 - service: - name: squid3 - state: reloaded diff --git a/mongodb/tasks/main.yml b/mongodb/tasks/main.yml index 42d7c385..47551fde 100644 --- a/mongodb/tasks/main.yml +++ b/mongodb/tasks/main.yml @@ -1,5 +1,9 @@ --- -# tasks file for mongodb + +- fail: + msg: only compatible with Debian 8 + when: + - ansible_distribution =! "Debian" or ansible_distribution_release != "jessie" # Attention à bien indiquer le protocole et le port, sinon le firewall ne laisse pas passer - name: MongoDB public GPG Key @@ -33,3 +37,8 @@ dest: /etc/logrotate.d/mongodb force: yes backup: no + +- name: enable mongod service + service: + name: mongod + enabled: yes From 207a2f60118354ea5d09465144aa729e45e1a76d Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Wed, 23 Aug 2017 01:49:27 +0200 Subject: [PATCH 185/277] Improve distribution verification --- admin-users/tasks/main.yml | 3 +-- apt/tasks/main.yml | 8 +++----- evoacme/tasks/main.yml | 8 +++----- evolinux-base/tasks/main.yml | 3 +-- php/tasks/main.yml | 3 +-- squid/tasks/main.yml | 3 +-- 6 files changed, 10 insertions(+), 18 deletions(-) diff --git a/admin-users/tasks/main.yml b/admin-users/tasks/main.yml index 420c1427..6a1d1506 100644 --- a/admin-users/tasks/main.yml +++ b/admin-users/tasks/main.yml @@ -3,8 +3,7 @@ - fail: msg: only compatible with Debian >= 8 when: - - ansible_distribution == "Debian" - - ansible_distribution_major_version | version_compare('8', '<') + - ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<') - debug: msg: "Warning: empty 'admin_users' variable, tasks will be skipped!" diff --git a/apt/tasks/main.yml b/apt/tasks/main.yml index b179ba4f..7bb8950e 100644 --- a/apt/tasks/main.yml +++ b/apt/tasks/main.yml @@ -1,11 +1,9 @@ --- -- name: Fail if distribution is not supported - fail: - msg: "Error: '{{ ansible_os_family }} {{ ansible_distribution_release }}' is not a supported distribution." +- fail: + msg: only compatible with Debian >= 8 when: - - ansible_distribution_release != "jessie" - - ansible_distribution_release != "stretch" + - ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<') tags: - apt diff --git a/evoacme/tasks/main.yml b/evoacme/tasks/main.yml index 07a1d5d2..beac178e 100644 --- a/evoacme/tasks/main.yml +++ b/evoacme/tasks/main.yml @@ -1,11 +1,9 @@ --- -- name: Fail if distribution is not supported - fail: - msg: "Error: '{{ ansible_os_family }} {{ ansible_distribution_release }}' is not a supported distribution." +- fail: + msg: only compatible with Debian >= 8 when: - - ansible_distribution_release != "jessie" - - ansible_distribution_release != "stretch" + - ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<') - include: certbot.yml diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml index 1cc27278..5c1ad594 100644 --- a/evolinux-base/tasks/main.yml +++ b/evolinux-base/tasks/main.yml @@ -3,8 +3,7 @@ - fail: msg: only compatible with Debian >= 8 when: - - ansible_distribution == "Debian" - - ansible_distribution_major_version | version_compare('8', '<') + - ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<') - name: Hostname include: hostname.yml diff --git a/php/tasks/main.yml b/php/tasks/main.yml index 7f438569..7ea4269c 100644 --- a/php/tasks/main.yml +++ b/php/tasks/main.yml @@ -3,8 +3,7 @@ - fail: msg: only compatible with Debian >= 8 when: - - ansible_distribution == "Debian" - - ansible_distribution_major_version | version_compare('8', '<') + - ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<') - include: php_jessie.yml when: ansible_distribution_release == "jessie" diff --git a/squid/tasks/main.yml b/squid/tasks/main.yml index 5d81a670..542730bb 100644 --- a/squid/tasks/main.yml +++ b/squid/tasks/main.yml @@ -3,8 +3,7 @@ - fail: msg: only compatible with Debian >= 8 when: - - ansible_distribution == "Debian" - - ansible_distribution_major_version | version_compare('8', '<') + - ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<') - name: "Set squid name (jessie)" set_fact: From 41d6fa4df27b45aeed62056e48b51dc02bc8598d Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Wed, 23 Aug 2017 02:00:42 +0200 Subject: [PATCH 186/277] test jenkins role on Debian 8 and 9 --- jenkins/tasks/main.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/jenkins/tasks/main.yml b/jenkins/tasks/main.yml index a1070229..88db3b90 100644 --- a/jenkins/tasks/main.yml +++ b/jenkins/tasks/main.yml @@ -1,4 +1,9 @@ --- + +- name: Include java8 role + include_role: + name: java8 + - name: Add jenkins GPG key apt_key: # url: https://jenkins-ci.org/debian/jenkins-ci.org.key @@ -7,7 +12,7 @@ - name: Add jenkins APT repository apt_repository: repo: deb http://pkg.jenkins-ci.org/debian-stable binary/ - filename: jenkins.list + filename: jenkins update_cache: yes - name: Install Jenkins From 8e0aa59e47177fdc879caef94717ad58990a5513 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Wed, 23 Aug 2017 02:50:17 +0200 Subject: [PATCH 187/277] download gpg in repo, we want to be independant from network as possible --- apt/files/reg.gpg | 935 ++++++++++++++++++++++++++++ apt/tasks/evolix_public.yml | 4 +- docker-host/files/docker-debian.gpg | 62 ++ docker-host/tasks/main.yml | 4 +- mongodb/files/server-3.4.asc | 30 + mongodb/tasks/main.yml | 4 +- nodejs/files/nodesource.gpg.key | 52 ++ nodejs/tasks/main.yml | 4 +- postgresql/files/ACCC4CF8.asc | 77 +++ postgresql/tasks/pgdg-repo.yml | 3 +- 10 files changed, 1166 insertions(+), 9 deletions(-) create mode 100644 apt/files/reg.gpg create mode 100644 docker-host/files/docker-debian.gpg create mode 100644 mongodb/files/server-3.4.asc create mode 100644 nodejs/files/nodesource.gpg.key create mode 100644 postgresql/files/ACCC4CF8.asc diff --git a/apt/files/reg.gpg b/apt/files/reg.gpg new file mode 100644 index 00000000..b41face7 --- /dev/null +++ b/apt/files/reg.gpg @@ -0,0 +1,935 @@ + + + + +Public Key Server -- Get "0x44975278b8612b5d " + +

Public Key Server -- Get "0x44975278b8612b5d "

+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: SKS 1.1.6
+Comment: Hostname: keyserver.ubuntu.com
+
+mQINBEoHZ5kBEAC680PjynWTcP3ZtVfWWL6zQAcD8JoC+c5MbnpFScqtBc2MdlVZu6zED+B5
+sw2SSLf1EZlfbTPc3GcWTwdiXj2GQKzjMra1MZKUnVOD/uMVkj0ZTszUQziW01O9sWPhxbMu
+Qr7OD04jQ7TjtBBEJD+yf0HJsDVC7TCbpcNNtmhXByXqw7bgo0rzxeOB3hL88I7AcC7ve5iR
+xwXoXJYs1hgJMPmZXJmhKb0a3pVk075yMsXnxlOqM7XBk++zodDR03Ym21GLFOu+3DLTX9aC
+aU/AjXb/udtEBAHv+iVxZChzka/KkYMY+KX8A7niE/UN2PIfhWDTmLLcTyBAOuis6cUqDm2a
+w0IbXh359dfBbgV4/QLoafcM841W47Menp9tb0Qz1uHYwV6jjDEmbpGgEJRGIqd143j/zGBP
+xffmtPq1zn/QFVBQNltLiMyclAR1Yb4fksDkt8JGmvI+FwaHdx3dn1VU0hbdYR/5CHtsxN4V
+P/juUOrjbagp5zBBXLlVIVceGoD0mNkNWPyZh8C3SHg2Y+Q7t+cz4xysQN5BUHL4DX6nEIJA
+u0cZdBtr8dtkJToYlhSFaLFwZh/XmOgOndSNmeJz4ll29Xc3V2/hCQlllHXux5E79rRNRKK/
+rSydUzYir755udPWw18+6mPUzT6NDaVDDAwSOLOn99OUJt6bBQARAQABtB9HcmVnb3J5IENv
+bHBhcnQgPHJlZ0Bldm9saXguY2E+iQI3BBMBCAAhBQJWEagEAhsDBQsJCAcDBRUKCQgLBRYC
+AwEAAh4BAheAAAoJEESXUni4YStdYDAQAKuwOHT+wDS6vL6Xqp/59eKLaB02lTQuTDFq55K4
+dK9TNYOTmPoxvgeJigT3pHHfKQFS/wwigkOfv8VebBZAcjY03N+Joau1Vi+Er2VNR5Pt0jAf
+ApwZqe+8NMAfefculZvO0g91g2lcqJoMUIaUemAqOD/CoAMMXGQSNlX4BLsI7dbvkLLjbPSa
+wEODAMvuSLilI38dj7wBC30IAOQkOdkB34I/eL/sGruOxYSK7UFJfNU1aD2oQhTkYEQ5cgNK
+vE325fOx7m/sZ5aAlNvtZ3jS4ym45feT9xrbG2qHTbJiVAhdtfHMXGOU6/0UHJ3+YHHdzZhu
+0NCWinu18nDVeDWLmkqkZd77QtTpC/zw5s3+t8lpyqUAF+bN80ZHbB47bFphIupmWGDP2ihM
+NBWBwwFZb7ry27mLyyXKVOFWrYZPrdlNheEjUP7x0GzEO0kuxYO4fyTic5lu594hxwt/LWV1
+s48SV95dXqpQIRroV8ePZoJxlD4hXh1x23AgkWgG+SS3perIGypmouOdl9CQ3yAYSCfcTKw2
+dOWOxGubseyBWw3EDlWKZLkrqbBGxfBz8XJ92iCJ27rRhtpd6XEbqhRfPR9TGTliIfaruTLp
+MPrKZh74Hs7LAhHo0nkwcOoE/iYHhQpNXHMnj0hqMcwzzf6MlSrgJ/VPgQ721d5nTwrjtCBH
+cmVnb3J5IENvbHBhcnQgPHJlZ0BkZWJpYW4ub3JnPohGBBARAgAGBQJMa+/FAAoJENXKmwTy
+xCO8ggsAnAzhqo1IQ+3qwCWD9ifx4niyPiAFAKCo1ou0sB38EuQXnWCyp1ajblx37ohGBBAR
+AgAGBQJQn+UPAAoJEHDzXiRtUx5z2B0An3U1rm/gCkoWtAcsC/IYQ2hMVaMDAJ9ddV8IywsM
+vnKJ35rfg1PLT4KNFohGBBARCAAGBQJKB3HmAAoJEDIXXA3BAnoOiOgAn2tHyIuAGEY2ctJC
+yM+C7hmyMNMKAJ9asA/uRkG4wiJwEP8DCnNB7Obfq4hGBBARCAAGBQJMXHEgAAoJEOFVF/Ir
+CSDAnq0An2xcCMh6H6vIT9rmbxHgGbc8VfTEAKCopbM+QMAGQvOROMfqWJhiCB0fHIhGBBAR
+CAAGBQJMXT8rAAoJENTl7azAFD0tTz4AmwaE8zBHaUWbUnsYwWXqxavmf8BCAKC1hL9GKk60
+yXTEW1W1QUm8jIYILIhGBBARCAAGBQJMXzSgAAoJEPmF40AK/HR2eqoAni/Hvg2M4e4vrju5
+wPT+dONsA9/vAKC1X1c4YL1XiJ0fXpT02U13r9e8AIhGBBARCAAGBQJMZ0yhAAoJEJ94+Dzo
+xDRhLFYAnihJShfS/zRoG7iTNhgwqyLxGqczAJ0WIP7yfVZbP1N5oe6LwhQsZ1BdVohGBBAR
+CgAGBQJMXlHCAAoJENoZYjcCOz9Pjd8AoMdNUjbpkScdndClI4EqT7tn6PI/AJ9Luiw8fIEs
+iD5yM8NOkdykX1LPyYkBHAQTAQgABgUCSttnewAKCRAtDVq4fCU9UlJJCACTQKre8pA3ud/V
+esa7/TmJI1S1cVWj8FlS/gatvLJndd90i50p9uGm1yA4g8iwMnGdcIWCuRfBlhjUnUJnTX4B
+QdnUU6HCv9RQ/OlJ99k7vNhswtgoEGQWq1mH1opSviZ3xhMwFTiXISQ12i4TiGSiUfbXItzq
+yxOf/gtjAMGrfnNB4MUYPrHL/lSMs24evYFR5DgOKDwVE3vVY2Wf2ytWKZJQNvKcm7sxIxKq
+W3OlW4wzG2IMxMSTl6SHYOqIhRGS9xAj9hpIfD5XzZjl/iHmMZMcuRA1LPxQjqdZ5CeF391P
+p6vEobkSyX0LyDvqcvy//VHn0l8cRuyEmgrTpdmTiQGcBBABCAAGBQJMdo7oAAoJECI64FW9
+lOFUIpkMAJ/obi1HblArRgKmxiCIMD2/nTcj/ML3tL9HfZ8bpWZ6YJIUsFRcmHCVWaOaCBMJ
+omiICZbcot3v7/1p0D/AE57i0IFPZpXXu4utC8B70JjWaMJT22kVi3hvhrChxlZYNZlkXr8G
+mKhGJpzEfVlg3hp26jbj3jEEGmjJlii7uuSrV1VJjyZaDfTNbgXMbUL/3sISsKODINCLlgCG
+iVqa6Xc8bIo54zQ1Rx30Ijn/6ElFvBMSdZPu4wQ9hKrJGhrqY9FZ/U0xfaawEzxbmdZKDxVO
+Xdd/qD3lNAi8Jg6m6qQO9/A4c/Ln80ll8St6MrfLwJ58QRWawTQcl8wSTxouC/ag85VwW1lX
+FfnulWVjqRAY41gVY2SaBb78A8pwuwy+ixBWGqAyGRVjahNj/uznD3kwQh1DUwjyDe9lV0TV
+5IpQy4YfXjkukwt8kVvQUL/p9w3/gmPZ2lXBuEgMT/NKZWKszgp/JZ45qDUD8hgPlK9bICRm
+iQ1KjcAV3mh6dYLwJ4kBnAQTAQIABgUCUipIgwAKCRDvc+baWDa4Gqa8C/9aWvMONUnoDGjS
+H6gIsnJn0pGQ4zx/SU+Bt8MG0SPbtv8Zu1twofiX7xSV8p7/RmESaQyjbzOD9mMvXwl5mF2N
+q8IbDhvJmEcCCgVolhM1g1YtF8uM/Az74tNLmI8gsIiX/Er8045jMANp+UozOLvrzx9NpVBj
+InDRhXt5ZF4YeMdB44cZL2OH8juSbpZAPFAi3Lm39gSMj3eUiUavT6r0Ok7AC3qMiaTvvtb1
+VU5vl/CcevaFE0DfZQ3+1iXsshnUu6ql2NvFPSn0tR1S8Ekk8NfItbAGComC4BF71MXxY9Af
+RW21ROLzRR5Szm93E5DirjTC+vfxQYwEmemn9v8KWxMlmFTu08GbBhi54bBb0iuaRc9lf5E2
+dixJqLU4JVUPxjOk6tFvQHtZQRj7e5fu/lusZ++WKXnZsH0AiRekbN/j1Qh65aDi17w0ebXX
+lsKc1kqryHNTq4PBrhrKbNBa+tlFDcmn3yUReIxfcZ1Bm3N6PxNiQSxx9Wf6LL/1rPuJAhwE
+EAECAAYFAkxccZ8ACgkQ8aab5CnA/+7HvQ//dhkVGegUq2TyePOTWBxK7EyLVEZEBr2HXa+y
+Xqg2i8Fdou5smHNEd0q8dz9oMBEWcZtRYmGKzinGcmxzArdmVyXV4fEkUab9zfL8g6dGxo+N
+wqoHt9DteuJEURwakSJ7oDW+DlfzxMJ924sg5cuUtqcnZwy73a58Y5fkPaZVf+/HrkadZT3f
+7fM8pb7JgJSRhgmdi3MfbUQcDgbZ604MifdEVIbXX56ex/9OuthbQ3lp6jHsvHcXPG5qt9th
+RXkztoyKcArSimHcOFrLqWAQsF8u8PIYNaTKyJO8uRDYjMGcJQv6B8HqV2eiLCZtIEdcoWev
+Y/oeflGDh0PbGpswAiQzoSxjvVdPgPUTqNnsl/eWvup4govByKV4y8dxgyM5a68a2N2t4ki2
+TwVu8LpCRzuiin0EvgkM4jKSFU/KPiZemdLq31D6o0dQorx+Im31XWv/H8XoI2jGbNeMVWHq
+5WumzPhTfgFVajQEc94Te29vea9OV+mlgIDuTzqLD2Je5G6BDqu5EmTlO5sPDJAwM1c2ckJb
+fHjtUih3Vw2B339NqF+aneOX9MH4blAlX2V5vuz0xtmEcd7Dy6wKjzmX1Tcec4VjDDgtCoH7
+vWzCeQmlWLzf1tF9keUvRn7eUktyAqozvNdE4fs6+3igdFKoI1RHNkFO45AuFe1goN+uDFOJ
+AhwEEAECAAYFAkxgK4sACgkQHnWacmqf3XRTUBAAtb4DXxkzn14Qo9JME9KfZ3QA1ZfoNffR
+PgxHkLX3q/KzGvbQYQc86kh6b/19aV1ahcUBrpABOkV/0k6tASrs9N6V6KBcIQbJwRETyWU6
+G/rG47h+4fWIMew5XwCzUzvqAD5GDp2XfivDQuVt1Ta2WcEAmKVYNlHYowpnEqxvLNSSbXuX
+Afe+OK4XxaFr7i4zr8zS6S7NRigAdENCt2Mr4slo0ldnRn6uQ57ixfs23g8LO4/89zW+GxKG
+PPUQbo9epE4hCewTAyWwrpVz9NxrodvDL6D1W7kY6caiOd5tArNKpwF/GCH/vsGPU3NsFISI
++P8GJUwtmM/47xgcteHthx2yC0HUArTV0w4+PnAaelpxzAyqd3KxLLUNJ3vjv3xpwV3eGWSG
+zd3UZ4AYTJmSlbgzuJzQIwwyxHsA7ypUUsbdrsoQaTkACUOsHO1l/oT4P+z3/tWPuXqUmO+D
+Ly/pBiCRrV7c4cHMzud/dKBXuAK/gS7VD4Is+K8/srdEJTrPB88zleiLOdffymHtCAmZPn93
+bvPXUcJk1PiNQYRwQIuIjHJbbZL8rxqVo4NCmi2HwjqMaow4GLEPSEdqEu83LpSU0Ts0BJvF
+/6UTUEs04zDjSXpAGrPhWoom2jxUllAJq5Aek+f662dZpxVLxzMHWrLly7Fb1WPLbCrWhqIl
+k+SJAhwEEAECAAYFAkxgNzgACgkQ14hMRxjhj0QJqg/+LKFGM1orBnYv+DZeVGbcPrBJVkeK
+nAVgX+HpIo9uY7F6rRMZU8BHmxqM66k/tPwwrVzrgrLScK6spQTUjxKbjGkktT+LPVdFdB9F
+2QdEYCwX1AB+0InLVtrXF/yFFTqlxxgLCRamRziO6w/1QDFMsDdNbIgxErjMb7d0MqRFNlvR
+fO/ElovAPWlf+4zA0xiCRVbV3tbNl1/ILh41C8gc1VoTYdmUP7W3F6xCpy4MirSkY8LLDcax
+wF9blsfc+gj8mW5yegBZnEoZchasl1thZ7Jt05tMkcEFTVYMfeReo/5Ww/dEpSfhjhryq5MH
+0sSBT/1YGwbdgBRVzmocrWtQJ9i22MY3RboKNeAFs/wx9L38z570rOdemtfuXzKmI8jlcfQI
+BIrE0p1zHE0OzgdfAI/uiJMZ3dRZJXsr8iVWuER97QqYZZkgDMaSHxvuKcNKQol9AbnDWbpl
+q0J7CBo5si41rXpUIb/18FydC3k2KzjkCAaZs7VUCguWU/YKVw68kfrksJB0gIGqh66wYda9
+dpJVmjVNTR5bWbo8//ZHQXFfGccWoRImEZ7dD4xKTl1B1ihmgad0H7Bynd0IiORVs5zbdbIE
+FCwnMjjB5nr4teU0wq20H8CaR36Rw38KgRrcJdSrJVDrmg+A4PPsW3aA1K3oCvREoR2+p322
+8j2c0pyJAhwEEAECAAYFAkxljxgACgkQE8C1Zno4sLCijQ//VodIvktCD/rmvxmbby+tjTFp
+yNPRgiIdLyXU0Wfoi0TqzLsATfOluWVpJqSqIQ36g0wYc9T8BemqcBepDhj5e9NpYe4oq5kF
+IxIJHzH5jHSM32vPVxJU4PzYcZzAMEVWCEBx0CHgW2cYc/Sq+YNq8Y/c69R8WNjse0qOZP7g
+zTInr4JqL181TVvGHt9Ak4KNakxEVLXGIXVSV9QDDGCpYMkfpEy7pwvtV68DFVj2nHHetzCp
+3gYi90nsVvk3t8iowNUTlKkxnj4dZ2lFMJfZBBeNev31JLkhyqExUoBzZMDmW+c58nye8Ode
+hXnvZ9nc0pe2Z6XWLuraYDqNDKGMWsOTG8gCPVrZL5BtHr4Qh5uuAwT44PzkdPCdw9NaHw1n
+0s47Uuailgg+ZuZgFXxNcRD5A93Ovl6/skln7KyTr+kJ6BsDcdWzcXpgQ62/3ayxgaOEZlKE
+VLJsngKhcjlINiIXc6t0AVZhAlgLrLAvi1G19ISqNPNBRGUWeCYjC++RCaC7i/vAFWIQOTLA
+NfCtzwhF+kopF2tmmt0ubapaH2CycmWLr0EIvPUIJ7GAW6tkjjv8tfkn2VtT59+gE1WmwR4q
+55XkJ8zbX9tJx62w84zkQA6nMnbBQ9nfWY1eThRk5IOXKElyk8cNIZlqIPPH8RVP/Ng9Pjj4
++vSOAjkT8LyJAhwEEAECAAYFAkxmx/gACgkQHAH0Q8nJPFo1uw/+Nu1AJqt6ifpA/EaWoDnU
+9hSYcpVq3mGivwEE08U5/2trXl5fcAe8qvdPB8JIYRROTLSUIsTkERftzxMzsCIb+iMj7bKx
+5Ip18GSmTOcJU32hin/l/DZlDxB9/bo8LqCurbpEDeZ84zV//F6AqMc0mUyxhdVA/y8gEp6x
+YNnVHU+AmIxzHkE4n+Rrc6JdGUODOL4iZcewBl2IKcYzRzcELIFMzjnSNbA/uxKE9g1kTa0F
+QUTTpy/y5f36ykfWWdrz9OZFR81/UlZ//gv+sr1UHs6uMs0QayF2QJW4iF0KX4IQWCcbSRyn
+iHuOzpmJuTFu0KNmU2cfRFLgyer80glsqicj0MwI9shdtpp2+ulfi2itC/gGM00cynt2WP3d
+arrohFDOwCuAVWjp5dtENk8LNCK2aYEXlHiW10kaGi9k67AVfrV55p8WVTWcpT9oQ76wafnp
+jUb6XPou4DM0Z5ItJqvDQv8823b5BCnMeyG61x9qCTMhGMEzDLFFkXalViQtIjsS0tzF+S1I
+B+dVVvCC0tMnPWoyyqYNqtC0rIS0I+89uQuDD/4jAf6hL7sKLUzdLs8NByjQoV9nIaXEHzp7
+jBlgAZgx2SX+eK8wF/Lo4d0a0jddX8PRZEjkx0HOhaYcW59tui/ZXr2UDwlTTuyfsSpo35K0
++VdJ+mtz8gHZ2lCJAhwEEAECAAYFAkx25QoACgkQryKDqnbirHtS6w//Xt2HPPu9r9Lp4Z7C
+U1EtWEDzBHZoiYrX8GBjfx7XJqX0kJWAXTHoN9HtGDwCil2bTb3WwopNrFUShR2yEs2Tbo8I
+j1n4veQxx5japTb9b3gwh/8lRRPCfF++jn9q6927D+0jJde7hx3G/o0OoJP2H04kEM5wrzup
+1nOkH/L5+bFerw4eYir+hl0oVfrnK40RKSnzy+6sD+FCFwLipOofDX+qVp1VguzwkfAwLTSD
+PVxsjfvxKdRCj49RbI0Q1svMu8iS0Hu+i6e+pPVgvy2Bh9iPQiPNaGG9IeHy5mnq9T8yxKd3
+KY0mj6ipuHm3c1HPJln5bFlt1K6mrysbZtxafo+O6XeIUoRNqKi9eyA9udgIdHPuMAypsYFq
+M1Pn7TLdSnRCyuhG0UFlr/nx3VVH7PLOerxMCZf7ApfcWA/s/iBG2DLpeB698UKOSfogcbWO
+JW7Dteg4ZCL9zLxRiTZHLsMHnW/aZAAwoh/zV2Kpd6qbrZSyqgn3Pys8kwiFnnf9aWdqXmls
+oNswHZeh3JvMOgs2QyY9X/+Bz3k1vf4a2aU2gINvL55aRmtgd3VDvWVk41WcRAvOfBPCC9TL
+0UKbIBT+/rxuse6UiS/lVRNngvOpuUBmd0Zo/PiXxsxq+aKX6FQzZs0HsqAR/Ov7bmbh7Z+c
+WwE0ZEogPivsD97qv2aJAhwEEAECAAYFAlVxpVAACgkQ2oKDDjzMOjq1exAAo41+8W0VSibl
+OmQWDesxI8T+Qlw1v3Luf1CexMx9UsEktH5yP+guCeVpADMupSeKis8q0ayOgqXim6gyRjHS
+1HklDGwUnhUyfDu5VNqy7BOrbUKq32TOqudwtq5PEyohof89/hR0UwfC18hBkumW7NfCmEY+
+kUkvlAVzVwbSAm1bjkFu3DLD3RKN4d4UG3kFc4tqY0BweC85UvJaFFnY362RLCBV4gTjXVgl
+UIHXpDSt863NBTtbNJUTIf1tt5sFqknZh2N5UzgtkTz6t4N47+k0VZfxuk/f9MmuDEHAEBBp
+lj4X+ofPXbxbr2iaAZjT/LjU76tYq7thkbU2NRB6RtDv+Tqfib5z5ecwNEKIgQ6BelCh7pRI
+wnMYhx3wj2aeY28vJ9vE76NizPWiZpYzD3MHyWfN+kIuSDRZPBhSNLnfA5uUuBQNjS1Ad+QR
+Xo6CtWZ1cE/7Xv6DCKmk0ThbGrvwkHKJGrpJeaaf8lP0fo0L9cIipqx3NSSKHGe+B7zhQZO0
+QBlTfXRlErjuZ/j+V8MTZqsmlhdVi+hElTioj24MQJiXfB956RuOM+g4P9v2QT5RRD0C4XaS
++KSC3eejZGYEeJAmB0uRztsRntyryw2LF6WxcSyEg0pY+/SLFxMfRIPlcAxMM0SB7HSAFZ5V
+nQJHc7bBkNpw179YqexsIKaJAhwEEAEIAAYFAkxccTMACgkQ8RQITAhhERF8zQ//R2Bls2xP
+vxotETrAPF5MOjDqlK6aeOnSyI7shiWWXL+7ds52SWsmD7IL+7XW0t+fwvfEVOb+qNWIiVaS
+Yg4nvZQnTkCqTnDxTzdxipEaiK0MC0bXmAikBQjZ0iiveOMYOeRx2PWuUOHrymcvJ+atlkq6
+pk/mycZGpVitnO9crTb17SLsm71k5aV2u7EBCEUcbakmrx1mDvBoi/tSns5y9YEPTc6JcKtz
+VqbyiSAY5dZSaLc8IW9Aqn533kPyIwYXnbxd8cPFDxDLhIeBmZnVTLURE3517RXZu1ngZEFh
+pSoT3w0Xg0cgh7eJ4Vmo8MnW3p33+dSHbWRlgrNZcB0PBWZrByS/iS1b9REgFTyU4UeI7lH5
+zLgPdxPKBvCNObRhKg/dAmqSDq5EHYgWxn50p3TCfhrDrkoD+3seeee+mNARjLP4EDyBF4/k
+57SqT7ytj9TWQoQuGAodQqNXwMKNcldz4FRZ3rMFrUpJj3uD9x2tlT/3bCVKQ1QcPSzKcEcq
+zq9AZzjH7cVEbgpKI5zBJlejWB6aGvHLIhYZb4EYuO03OgEDDj9AUvIBFBxKdRvCzeTZOCTM
+/8oAgSSVmFewEI4E0yNxvZu7wjSV5LI0AiyhwnCWlfYM9Hgxbai3cv2osIK2p5GXbaRykhwc
+jc4lPrIsEE3At2UzlzO4TTI202GJAhwEEAEIAAYFAkxdPzMACgkQhy9wLE1uJahHJA//a9iV
+wDsx+OxFu8+vPEXmJCKt1o17+PyhskIvNSXlVPvpYIpqNKUJQXpqBkiNASrCOQSHrQtw6p28
+9i011TMqmMZsUkjqk/Y3Yzx+SPT6KUfny7qQzGW2DpHL1qILDFMywzvt9djzWT6hmH5LCLSB
+3aWMHIwPDvtvylzHPIN2XIABSBxnHgeEi+2ZZoLZE7HlQbwsAU7Xguj0K1DHe+urOBYvU0rq
+ceqiJhnY8b71bwQRhFqVhoFkW/IPp7dujQxeJVvHZQLLNkB4RMqG+kR2Ku04U1Fxbh7oc0vr
+e8EAYdMfutU3ZRWZ4D8Ltr+q/hxy6dm/bHrpFu6NIxox6KrR8zewcoGDQKI9BlQn8mrIof0W
+YWNUusb//Vbz58iOh3POcjs7VkD7aPo9R/TaruBIWv77kbjszlQaKKHWV4aIVS9EXW0cPpeF
+OQUaq91aAxB8Tw0Clx1TfVc/QZJB7/l6k8deXgo/+4JCU/BBmsplR6mG5mhY1Iq5PnuutU+W
++sHQRYSiq0EKdwmAaq3AIz7D+rWafv83Ea1cZaMph23ChqVX/e+YVI7rxxYCY1bubd7TtYWb
+VG2W8ufTwemZBxWFq8HXc9d+Qm3LHV20Qxp5fAoYr6O67XYgQicIFW7f0lJ54igqH67wFjOf
+zOTHfWK0izIeLVtp8xmj7hbFrXXd46+JAhwEEAEIAAYFAkxdRNoACgkQU5RHndNSTFGQ7Q//
+YTQ8KFH7n9MYRpb83fTRfkyreyQyTdbcBsQw7R8Tksx/qbidiZZfI2cILweIqsumN2bF+ibQ
+VYx/PpKEStaW1VQI5Crx/kSRmBaOlipbbfO+A3sbp98hpKMmaIxvV7IhN9qKhjcQR0YGXcam
+5oVVwjIb2n89nqiS0qnGIUSTLzK5IR8Chob6tpnD3jQAnxE96wyhADedhCVMf799HSoQiiAH
+TUarSv/HMIws34LRgZ2voFXADq+CE1Q2rBEapwrcDSkEQEZ79LImeuS/S1Be2ritRO+TFLzc
+982LuHBxUa4MlcwWtWaQQ6PW/c5J7QJz0RiqaaL0DZxCw/Cr2e3MIfTCdK0zPg4A9BrNsQkR
+/zYmePPTejvbsYpsWbpOknwZNqoYRc4cEaukAtdhZhFUDfL7jfh5HppCIM6EN3ovmTsRhauv
+LeAI3J7JqrPp2yLDbL43U+1ejsD22+l2rmJQcQpRsdD8KlJX8bD3J0fCRhhIFNABjMmy3e4T
+bij7ZM3ovNZLCgjHmNa5ASMyS3l/T2Rqu9rh/pZbPWS2hPTlmYTStpb2T+Ax/anpXSW3ZiAW
+fHGOSjNrl9+LFqCdjyzvk/u2kbgd9VtjjFfpPS8xS1dGk7iIHHQQ1GZXc8s2WB9XkGGpD/j3
+8bvLJG9EXtqVWwJLo6t/PMOgnHK9dneq4I+JAhwEEAEIAAYFAkxfI2cACgkQeo9J6LY0gL4z
+KQ//YgbbsU+C4e9A4L+b9lOTh4ICrmYg0jD86oBtjTsomMO+UP3T+mVH/meHWTzr+6ib1vsu
+Nz85E5OWHeHL1Mzj60gbZSn/PMcfL++kKVCMhJs/HN6z4t/hY+GkafkeZgglnqItkZGK85ME
+SmpoecuYsExEj9fQaNjHuCOrp3c+B0PJ3PSQ3qTknsOnUwkOgAhgeni1RusUqckryre1pPrb
+Oy9RrTroHGsbvzfbYEYS8IVoaMP1AJj6o1kb6vomTmWlh7r5UM5iZRcFrKK3qjQaTYr9f8vf
+vpJZ0GlWT6T4szOmekTnYuZJGOumkLScn66qSihvxXXlurPP0XzVObz7YrZ+GEDNJxXwPJpw
+fpYZHsuSXv9Pu8S1wjbvL1xq8WEjwd9q4kgch6r5SD4+syLydwLHiBXTc5dfVO5Xs6KzWtXE
+MNsFBrDO3pgHtWvS2V6peL/yG7RJJztzZUc/IYZWuEJIU76rzU4YK/SC2Vse9lVA3I4s0knw
+5TCFvZHTV9KIjqT95xOgdlZKmQc0uXSPNrVfoi28JOfcAGnSnRX52KFt6yBrhCBCWuVTZTgk
+hKSIktI9PPC/C3xyLwxJjz1jPwEomhtnNx9B04W17G5c8nW1yCjxPxY4Q9LCYpMYXGB2Nena
+YydDbgfA6ua1exRQ+ZkWpnHqsmCLL7B0C/7oTOeJAhwEEAEIAAYFAkxfNK8ACgkQ0V0xOIIA
+QXMoXhAAs79q+JHo7ulKZvKDkh+OVOXrSh5eKGUmuqK4RJuxrHmthUFkNTsyNBEZc2+QWw4B
+8q8ka0x2/1eIDqwsKwHOfcQdyMepGiKnGWm58vL5CeoV/pZW/Yzrs6Q13o6/mm02bcxiVlqs
+ZGFiRaueY2QJ66viPY0TJPlK3CavKKgZQ4xQtfQ/MDg8sdEnu3G/1PWyyHfMVsq7fG6MXCdY
+TisgHAEyQJXgpCnk1YIuwxZQPKbMhcjiGbkKBMeQi9uZDiDUtY6s6S5MZGsG5v0KTuoBt2Kw
+XHbTgkFT9wKaQnK4rfMjGtZFuwiZw8MPsFgz2QAR+1s4mIkCbLPPl+jwL+F4UkEUJvpKWcPI
+AHnDe2q82vOc5ToWfm/C1cSf7cuLi2hGuSKw8JHuJ4hBF5NaMhmsrBOxjS9BC1OrutNvjoa/
+bBihJxX6pyz6Fhd3wnjtF8f+H2pxu9/9M6bv6lkHZDQxfnt2+muwsRncx/wU5JJcxzxUzcLl
+wctSMFHmNU2egx6Kw+vPgPdkthrOZjkLQZZj9DZxHK2j2ENAm4jVF2Z6cUHHm5tVTsR7XF5t
+CeFRNPUlhoEz4zdJiN2qflMY0pm9MjBpF44O8usWrEpUiPN53bIOpbPM08zYZ+BBGPOgxZbh
+6Y68YUAq9XfVn9okE73HeyLLS/bpBj1QSe6QapV7sg+JAhwEEAEIAAYFAkxh7k8ACgkQcDc8
+8SkNuc7NWg/+It0T/mHuye7+PG1kQbutyVw69/C7yyZkoICrcQQ+Oh81Ba+DENSKrPVkmt2o
+U3HR1bL+QbFDjUa+hnLHXh4N9hlREDbsaYdYz3xLbXeGOPDt0QrLn3mdZ2cZrZwLjcqsu+bz
+5sRZMbKKTXqKkMQaDcJa2CU60aEoH9d+QJkIhOHiqkNvVyrKbiMoGnJoKDppwG1e3+Ri/oXA
+6Sx3cWwmdVrNlwNAKraTFlw5Xh0RUQ5NJstxX56PN7tMm+PEnY94bPTJHiyzG1obm2Ona7sg
++P3DIvqMFIkldhNz/DdeCjSN4qrB2u71tC7xwAneqqLpPuYhpMpFtD/JX2lOhoOvo43n+atM
+jqIU7xhZ2W0L7n64Ym31+wqqz6NEx+aVp+OgYVJPH6MA6jel3/KFhHoWpdnLJIL3XLq3Op4U
+tCio5JfouHfuHVdslmKlH/6rO8SFY4VZGF+RZURMze0I6b3HN3WQb9Qv78hg0ZrI4E7JIbhc
+oQQDIXgASS575vjK63/WRuMDxEpLEUflESKBsG02GJWe6knx5lACdIyD/8kZ6MIV9mE31Nqd
+zVKv+i7BBomu+ci/4B4LXn5LcPphmGPAvL1aabC7D/9lxLPA5Ur6LHDU08LA7S3j5Z7Iob4m
+KbS7pKaBdYPLm+kfAlw88bDnPioZwkWSggD5/6iwEN2XseeJAhwEEAEIAAYFAkxh9TkACgkQ
+dzH8zGPk4neH6A/+PTNKtYOQmFxM+1QJEqK8+4ZOyeIB74wHGI0VyFWRb6Bt6K7OIYAfp8Vr
+F4kH3DYPqRYWZLyG8Krkff3HUwdgBdrsRRQKN5Q1YwpwpofCcdDY9l3fmlUNx4MQN4Cx9uBT
+XY1OGTOMHHCog2eIOIkc3sT4xZ/zIcgFKM245lXl+fLvbJId8jZjYFwefNerUX1bucNoaloC
+drmbUN2OItXISlczLhSZlXcOyxU2Q1DICK4EksZy0y6XRnYA4/7JK209AS5jIZb6UvV4kMGU
+y0/CBTW9fJx1jZthN4bLxHMSVFHvG8oqRPmr7bO6KyvnxeGY/0bd30nA0hoVyDtKuIAuBYXL
+nrnjHogjF5sl4LCXLNDmIqbYoXMCAuYrlGaGsLzqGqjPX22yb+5B3zYCB17nCP4/l84auAJL
+6/EOrkOjTRPWIqsRO+dK8QENfp2zYfWmr0G7xBQPdeDvyFHbY6LO+PwzVfzESGranmiliTDq
+fGUGT/F6F3eBhKb392zDllJgfeKLt8V00vqaY8jqXS4AB6ze7XkcEXKsshN2atVsstUmjLKZ
+iSO73irt1X/Cg6SrKkjDgUhwTmOxywkHBYjsot2NSYcrdkYEfK3nPpesB19dgJYzPn0Mborc
+vJ3ixf5c2mjT1GHIdrp6XEjqLs2zu8dKLDiTJPSV/Q1H1nEasMKJAhwEEAEIAAYFAkxi3k8A
+CgkQd8b7Q+PTCCRE8A/+OY2000flzIxhqxc23BzEOXWxwZ+tH2r0UQTq8kwZiSsva+NIjN5G
+bx3MMcT4IyGF3VaxKZRJDPGcK3ByJS8HnCv58OE2iF9sUT2BZJEIfgniHgDA6iLyyQDmM9N6
+9UVoYYqIWff6Ve+4gPYebafy3UAgUJLHdrknfhE2fseE3jEtdsn9AizP7hc46xPkeuaAD474
+4jtM8h0zVk36l3gdRwFZEWMsxATskct3hLjKv4R/EFdEgIo8x7hK0uxvc6JyyguOznrwAgP4
+0LgXv+Ci2BWrf0awhOyuDJ+BiViKtEuzcqgwPR4GgOKkvzti8jkPNAvjCEIHTpWJwkIZ+SNW
+aaIZVfbZdSTMf3tfVkUJ8tLImtfHwJ9b+BPxpiP1DENZtxmbOsKPKeH1SIGO2BUt/Y+i0KYM
+rJmhQiL4k62PIRRhMKuYjQ5sasa9oyAACxg6nJMJoeJalJtcE0ZynCwdCFIkhYLXVPAgHCUo
+/c5Wq20YMW0sqerdf/oLwTHe8Gyru8JfcRS1mLBuTPWQUGIt2h37WMysv4hCHT29N98w6zJL
+jIGHH6Sd8PBw+WBxg6rpeGH8VVuLfHerB6XEMxoQM7FVAefDUCrHzWUrNHgSl5qG14HQ+46y
+xxegb5XNGM+ku721W/t7YsA15ASgZi8ehaQ7iSl56TGu8vQCTaDqPmqJAhwEEAEIAAYFAkxn
+Ti8ACgkQs0ZPiWqhWUgz+BAArOWNP1VqUSh1LpZ2mgjMLCW8cPChtEKI4/RHUElI9r6BVMGR
+/35Ww1HMcayD+H7WZDXXiBqG/yPJJtmMfBW0xWH3dbo1pEn8IUZd6mWSlbhzxRkVr6AFhDKo
+4T6QVQQ6nwJg9aBveBAXGnsr9/PieQNsp9IyACxZCvjoEh+2TV6xE4r0WaPKGLai5qPuvzSN
+2efP1Fl6gtmoxgI0yiLDyMlQZPi+/jXC7qcae74qYFUqih1hAq3EaCfiUNCVCulAEYnzhu+Y
+qJorF+Xl3vV/i/NT09k7GwvxLy1waPAi93yekg/QwkJMSrvehxXJlPdkUXUKCsgE9o+1CztW
+iIK37utWFTnkApQaKUyHJA8T++ReyRXDCEq3Mu82ZMQDzsWRhJuWmX7/5MAw/1H6yG0HLxC8
+sGH64oduKWZIlWwjkox0pUrA/ZkEDaznUxUK0ay0exYtcPJ9uUcmXsFvxCe0SOGwarNKbEjs
+FkZ/lelB2LZprKk/10BqRg3AzPEix8IK9hRRM5jXK1ZDEYRGYw/c9VoQPf7eMpF52zAZ45h8
+UjL/q6oAg3egW+ddbsEEXzsAgpcfNKhN/edoUKhQd5d2h0S8IpmPMrwvqrRaRSlOrqMhbqro
+GQhFOV4+fO6zwkV0P6Y9QSIKibjZDS+QUZPXCLfpKRSYVQlkFwGVeVUcZzqJAhwEEAEIAAYF
+Akxsv4oACgkQ5E+AFtNjD4l5ohAAtgotU7QYfbvY/6b2DKShrm0guTeROOi1imRMfMD5Nvy4
+CazA7qm07G9Jxo/yFYHMaXXeG02vx0pSb6Gbx9Z/jtwrOALmtIUAajTFmcC1Koshn1KAlqtV
+FriWzwAz/jYIK8BL8Db3LCgGP0SSyIaD86x3VXm4JE04AJeAtFUikQwBU6iNA8Mue0rmdIgz
+vQ2Fg7qk11Nafx4xT7XU/K4BAy8U+6Ai4F8VPxdh94zc+Z5qVd5lRZ9fYsdzztYoc8xtOzjJ
+YzDACo6j6covoSD56gQi9htJzraPtKaWu+gz4P0ijZ/naX/hsXlOnZ7IQzaByetVgXoU2Hg5
+D6UN7YCrQ75TB+Q7Mh702dvihXCr2smUkBOBnEqKoxrLqLtrDYPLw7ELuM+bRzZb2nfBYzh7
+/o5hEG3NO1rXIQ21cYvfPSggkI1fq8kOsWbd9uIXR4iHycohZ9DsSW4iQ7+IwVu1Giypf/R2
+Fpz+cL6aGI5DKFRBuz5ucjyhJrl9wes8v1hsTDNAPSbOyd3I4PHa3N4gxWbFvV6TZfSwHKm2
+fot2bglB+n9otZaPBVnHdsntQsRnS6K7Ptft/EZ1zJvWJcOnAjZEtj62mbrP2bQ48r+wkWy0
+LbOoQZ20auH/YaqOO8ZdA3QGpvK2GCfYB6JzD3bQomsQWMlaAkx1wfFQUBQ5xtOJAhwEEAEI
+AAYFAkxvKsUACgkQfFas/pR4l9iqyQ//el6hebIh5S7ekU/6R/msFAmuluGh03OAMYa+JwUm
+YqXR6iGf0Ftw7XgYJt2NiY5ZtaOULtZe3zOslFio4KRAwjKgEOzSzEDc0wFtZnj0/LlSTk9c
+zrrymcJQCAgKKV4WTffgiPpzDM1ajaHxY0WQfYJng/5pVxWb6QXjtB5mupf4T1Yv2blWAKpK
+Fw67Fz/iN4DlWil21vx3FgpAHY+7JVB/129BnbdHtbzP2CiQxZ9PoQt40bhrinI4cHyPHcHk
+EPKBD6GnyuyIoPGYRsILp76rH9vWQJWtY71DQwlB9+w/JTVP3TRinXJ0BSBvFGNcP4hqY5b+
+8tKmSBPJM0umER6Q16HosZtI+8rY+4yvaHjtEIqau/AdBnCW/EBeG1YyjDOQAQzVdOR84PLf
+Nyz+eqeZI17fZtokRjTg41J2b1+F0GbUOTQueqzlTK3spWYrPgDe54luHoYmgVqlsj71Zv7F
+cWEf7L9RdcA7sqCQXpDggcOTRDVg+eR6eCLGJetBfq4fsX0ae10TRh/pGut8Vu6NTcFGw5c8
+vt74h+WFIXPknpBeKl1HcKUXTLJxQP5CDrZF/HzUaLYI1SaKv1jVm36gV2YZvuZQyim4vBgg
+V1/9K1EMgUW7GRnQoOpQP6zxFWnpPXPY3TDvdleaqeET3xET75mGgD0WIUreBaKjp+CJAhwE
+EAEIAAYFAkxv+OAACgkQnQteWx7sjw4tUw/9FgAffwwit35JdS4S0LQqmkmGXlMvfZEkfezj
+GH6ITG/YWri9QE0ktGJqyCbP9tnL3WCno8bs90tmrQyagjbp7EsADz8L36vbYrOU72mNHaeL
+qbJcCoztUSWAe9aPJ4ESwTXbXCkl8xE0fm1zTF0MLq3T40Qqw67oMTBygYqhb8zeY43bKOzZ
+f0fBLqFE8+LTZDEk00Ucc72M+W+J87rdiHUuJDFdAZbuAvBGT9p1YNkcqaRWSmgRddJ9nBTD
+a/Qe9IBnAXBblouKiVvSTGpcyAyGKJ9cPtaviCLRXk17rGli43AymorBdGPpliZmMtrInMm4
+FAhSoU3nwB6b8oI5gMh46Dze05PYkVVZylO4Vo2AILUkeo6tagy3t+BEFAmonnpluJKZkfcY
+/FvvoaT8oej2U13tXStA0FXMOJd9fGLruJ+yZnAFPrVHZWA3ziyO/u9iprB7ZjqrT1OM1Nob
+ZP7NwGxdqED3AYJAb3H97s4dMGAJO3WzGgHOfuZEMsH0/vIc3nWAkj9jsFcDxJ8uTVM6uy2R
+oIfBM3/XspyZvm2MBTuEJvwhXW7JTnxsUEpZ7aJQVJLT9Z8PPj7rPLJCkDQsdwBw+e0heTl+
+BspMqppnKw0mXmrRfnqGGxgLtlIRn8bNEp4K3AVuNP2iWp9rMSVPg0qLGSFgEH1DtoN2DsiJ
+AhwEEAEIAAYFAlWS7hEACgkQ66DGxxwAJW8VIhAAtBkHOqKPOA4A5MKAzWSIYAfX6FiUfFaI
+Edwqm5ZmxHItPQk+Ze8VN8jUEzzArrvGOZnctSZy7dMgT4WY+CNy3FUtg4WbmuvflcvCHlSr
+ontSVeFjxL8qhkBgUzaxqohesB899mszzDyaM0GMD7FKt4UisOV4K9VqhXKHBhcKi0foQKgx
++VMD35N4+SqgSUF4+td913DNxdxvF5BKICwp9edYv6NpP/u9DMqG3lceVCy+rR3VEGTsFGNa
+HpJI0Sny797FR3w4k18wKQGaGwUtdMz6GcmhnDxgiV2V1StLloK6wbAVA4YY3BfE4l7XmJZS
+bStlL54h9tffDi0Dj1oJkSKXMdnI8FdpQEvGTGP9ARUz7MCxwiRzcJfOpfxATt3793o6fMLU
+2dOzrCCl+09bgG5+wls8nda2RB2RE1EHksoaNyz4OGpq9seYGe0qhNLN+lvIJsv1BaZNdD0s
+CaF+xbUGCoYQgvOh3DCiZbg+Ao138YEQw9eKE+Xifi8M36IeBTdq7S1OcRCwaDMmVchLFT5X
+AHmFeO3L3zCO1C95WmNsFg04+4avHqgOp5MolLSrOEvKTnFW1Ebv2BJizs45d28VAI/JhgPx
+T0w69M9Jpybd+Cbg93fHTXclLAPyQWXzhlfDPmKhukhSsG5JXIt0gyBUsq6lUygyWZcewBwa
+uy2JAhwEEAEKAAYFAkxdthEACgkQXTKNCCqqsUB3ZA//S25k6cAkZpIddDahnJxDIon8VWhe
+JzGmOMfb+hMbQ0y7xeCKRdNBa5yw3LKttLugofqcrGV3V6lmE9jWz5hK2we+ZAdCo/wXUWuL
+FJQW8WKY7hmDBwxROJ4jgC0LTgeRZhYEvhKpCH/rtSQuymstcTJd+5jkEE2FU1AOsoAOsaPx
+1DAb+uqSv2VefP/TG4sZ2vg0fdEuJd1+SiuTTLLEAnsG2yQT9brcXDvXPOckawFAM1KOwk7S
+fkYekg0iSA4Ii9RlXOhpxNcW/zZf3WuS/wrCCVYoY6OgH/+rp8LkBG7hdeAfRsMjozqtBYUE
+JwPSvLfRnG76neTa0DSi1bigpOMvHDIeATuS/hR7UdmTkSMwZ8AvQBOaSRHobjQwjfDY7WYM
+kvErANQkevWiWA4WshsS/MpEKxiUe6SGlLVeJZfX1dy6Jmh1WzswqoQ9eXQXX8zBltPAfKFs
+KRmf+OpHT94qYZsMhqAXOd51joUtCBmqeuzvdp9KM+R8cmuoPVqmZ8ZMdMbD2dQUap5yVxw5
+yO3CfGMXGPGfvA/8fOav/3MwWXUL5Zqv/ZhdjpP/ZNEB4txLJk1rIg4kjKrZxz2PggbMcCGQ
+0uf3SBZa6qXPVT0KbMjzvRKao473eNX2OPqk+K2hIYuZTVhAcKKuvN8qQu+o003Kzw1SWlLj
+1zrwaX+JAhwEEAEKAAYFAkxeUcQACgkQORS1MvTfvpmBNg//eJFnqXakbedse6wPpmk56CxU
+47abeG6ZCu/0FTwhwnagYfGXUKGTCepVjI/wLpevVeoXDbYmrUOT9zxqIL2Xssp/wz3Qb+HX
+deft/drFmb4XMrdUGwi+N1nhvPCXjWOtyUrzuYXnpCz8e0vjSfn6RpJ6qdgTs3Psyca9kPPo
+1Zgx29sumQMx7b0hcmRbSxNOmm/vGCpJKb43sHsYN2ESMCNzazQtpbt/HZ/xA/HqJCfEiKJm
+GUQ5rboqvhpruhbUFnuLIpGRvLJqE3kRm2iq1XfnfjXqUVbX2aHxNXcNKa601Yla3HGisEAB
+ILGvCRa12hrmh43EPpwLCnTOIB3Sejndl+8waKd0smV7Ox0oT1nSo5MHl/VtVLJzPnCX+EfB
+bzOepXJ5HRRsX5sHOTPHjJTOUuQvzfKen5nAu6iKsQnawpwQvIN1C7/OtEhqDAjWFr+eqG49
+bqN9a+EKu53bnXqM46N0/kRWXJAsHKfllki9e0bRKV5rIH0grsCN8P8qq5003cp/owAyySX+
+Pu9jFs9Hw4nGmEkuZPYXkjg3wTYClaPjrmbKfWXgVl2BjW+N7xU1yJZaAJSpd8vqGtLK4qz4
+wk0CrGr59EHPeAE9fAxNg+oonDQ7YcuDnHkVY7LNpIGXQkChrv1YgBzzAN6CFBI8GgG3C5Gv
+bYCj+NsHFyaJAhwEEAEKAAYFAkxlr5QACgkQMiR/u0CtH6b0ZA//atTqqwPfQWupcXoA/doN
+nXnBZDHUePFkCBan7YHitR0kPBVPP10dRfyd9ShKs25+DgAFTr2JKKk4ofc8ib+2SB4rTPIf
+gvc1h3GgtI7CXzuwKdcHojmOYXQQsLaxcQDNqEJqS6oGh1oHd8DQJTn/OiARVUvxi6LkioOp
+eE0KAkUOfZfnROz5E7ox2ImvMNvhy6VcD6q2q4E4nuWXaSVw13/MqZ8lGHRhytdrVLvVndSK
+U9EP79Tm+nIRwgqeJ0CttcSESoKLngTAvHSwVpiMcO9rLfWqYZB6FmhEjCyPl7hV1e9jXf80
+PLDihKscVEroxww4nflbIFOPsKP12vXuQs7cQr3BFE9yCowLz0X961WM2V4Cc6o6txY1MzU7
+FY7mFrwIy9b/WNLBXJUB+dpnKzmY38ECLJQ+gTxahgumxaNe0wQclIrkrnGLszOrIgLyVAL6
+/qD2qUywoNb3WWOHg6fOabKfTF3zBdzSYPNRXbhWNxt05EXARXRwYR/mkwpAdT3TUgbGlOcU
+hNAqmtzEvT/Q/Cu0nPvwXnJ1Foix6S+zrFAM8gs6zeUc8Q3k0EQvi8m54jILnt5QqYFSGM40
+FLgryKBF9hjwcPN1Hu1Qij8Z3H9MllV6Df36YSgKN1XpG3Jy9ktJcHvQPgHYVmXNsmQlmQxE
+ei/ZYehdgLeU0Q+JAhwEEAEKAAYFAkxsD/QACgkQeFPaTUmIGtMxgw//TrRErKK8vl8VnvHO
+8TK8KAMFi/GaRM0RKze4nJp72CGSrY5/bg2jAlS0hEKmSirlbLD8+U5/wWa5SrQT36AcyXYm
+I3weWgzNSvbCS3N1WnefhlUhkaC1PRMX3AI7EqwyTUX7o8Q8A/HVTgbgHnIKxO1y1EhcfY1I
+WEvA1wTR29928n63dmy03rKB2cJvQupGd/xRPXBx55h79NlLOJOadlYsUrk3B+RWBZHsn7xp
+wWXn+38fwuIFs7DJye3Eh1ceDootTd6wlI7Km8Nh0+bCCVbeInxp3THavrz1ohGhQ8O6AmPx
+wX7TN2EakX5mrwePFgHasLpgciOVRpDsaoQPF7taQg+d7knrrgbD9Xf6JkDl9/sxnlZ//t72
+eQR3X+CGQFmfhl5rw+h28FkPxrFO+n6nk6opm1z1n8FFjQnTzFxp2taqVs3s58ondUiPWb2p
+E8HOHQX9b4iYY5x6hrZehkSwoJOlwGssiJZSa9eCWs+yvJoJOG8yHunh48o91gY7kaqxGT9o
+K+2MzW/uwh7ztZ/ElJj4Vg4XTOqHgSDmUKZjA6e8Z1xuXoVT7D7axP0NvgIj1jjeCD1ncQsf
+Ay6tynZm/+Mz/PLwfe9uYGt5ZncwY9aKZRr8a9sUnaaIjeq7ywugKfQyxr1v4sjcQqELKfsM
+NLrvOMjw2eLg+3UC9p6JAiIEEAEKAAwFAkxi3T4FgwlmAYAACgkQzNLtlNIXOemGQhAAo5Zp
+Oa83tEIyfPOcj7HkQPTutAs8H+kgxzPMLYFhXSYKLPMsoH1TGMFC1JH6PjrzRdk6g7jmoUEK
+2F6EL5QpFFKFNVWahRWY49F67jryslVdeZKvFMEY0qjqsJ9nEBIZW8wJ/7BNvYmZxBlWq7PU
+0SKbbGNVexMagwctygY+mdnknS6vI3aom/yFByVcVXIdF52GJiAWA9nIx/poKS0ecCd4UuZr
+eQd+d+x/z4Bww5E62k2mB9d+VDik1kjzL7bXfPV3+bWoyBmfl9zEYgNnQ3ICurKztkRmu1/k
+1+68wHfU/0MR/1nJ9DkEfBi9Z7T3shtCiU+993wSHPeKgurkQwn+wzkthCNRNs3kOwee5Whs
+/zD/dyZgH+lrJDHmW6C8zaa/K6Om9+AacXLId1xjQpmmkO83Tkf9qQvtC/UlocllGxHo3hAJ
+dfxONF/jwY6Zs8NvRWPuswTEQOLCLeww5AhVfapOLBhcG7xZEye6VLArPNq4OsD2b8NyCd39
+GxtBdxR6/8OQbGoEmrYf7aGS+ga6oygj/+ut1M6w4YkQCbLd+OjL2ZUG85tALP/1KdCp1pTg
+YW/TmF0BeT7ICa/MmZeYyO0DUKqvsbH7Dyk0aiYgu+Gm3ob6JNC7MGadUkWIyjLUHkPNmnXV
+rGT4KAkRtX+cQl/R+rR+ewB6RErUtCmJAjcEEwEIACECGwMCHgECF4AFAkoHaOQFCwkIBwMF
+FQoJCAsFFgIDAQAACgkQRJdSeLhhK13PHBAAiyiTX8GMp3CgLyIiieHJnBIQS5fxBICbsSrO
+j8OHWnNAVwkiRbtXZQ2g4D4NvyGBuPN2hskjuGOj7aCsqpE4Ln23RfBTAI3fF3JgMGwkqWh3
+9a7Sjnw8DwxqaHB3zfs2AvPnolSUNyzc45VslNsE2j359UmvwZAGpqN0A1GfobFMWjmt3QoD
+q58C8EyFOWx/Mzcl0qUrvGRbQjQ8najAYugpBjdRZ0MzGfro/pmoETJnTgrZimHNXvDtSTmZ
+HTVYYbxj/99Iw5DeYschcK0yvbPFXGo12ndRrEs270LpOMmBpdBaW8bCj2uzATQLZbuaM/je
+py3bzEFcCHUMkF+ekIf9zp6IUkSc2B3kkbQmVJKxOeiKWzCXvuu6pU1nRqrG/565CRkwWWol
+p4TvlktQgHSZ6CoIxzDnYRE0eiGpsLxA10nE9VrUCjME5a+AYLQxj7ztDdDfb5r9Lq+1/bUN
+gtiiQ0fbaNVXXe14+daezFw0sCGB14MWSPQz62rkG6piKB4ZMilRijiicWg/k/Rvlbi+QzH3
+PGhqaVOV0JpCTfh3rolf54x3JN3bdlW8wcev0DLPJOAuhv8nXoBBdilH999RH0lGv1NzbAIy
+7goaG+XOe/fmxiZwhUQhmTdfFnXEtR8UL9/7+dv9nfVY+kIZIdSN+Sa5+pGs7bik8dfi1xy0
+IkdyZWdvcnkgQ29scGFydCA8cmVnQGdjb2xwYXJ0LmNvbT6IRgQQEQIABgUCTGvvxQAKCRDV
+ypsE8sQjvNDlAKC18LdtboThQEnkx1lTvZZSZfApWgCfdj0UAdJxB9OLNqm3L8ukPYl8DW6I
+RgQQEQIABgUCUJ/lDwAKCRBw814kbVMecylQAKCzW0oYdLbYjN2+VkMFlr9WWoeWugCfTyfX
+Czqy8U9NJX0KMsEsVBmwB7yIRgQQEQgABgUCSgdx3wAKCRAyF1wNwQJ6DvPzAKCBblkNp8NA
+k+lQwKAeqyjGAr+kawCfXlAQCvjXpRb6fYYu9X0S4r3gdfiIRgQQEQgABgUCTFxxIAAKCRDh
+VRfyKwkgwGBWAKCXP+R5VvROrrh366WPoeX552dN6QCbB8aK562QKVhd4OGwbqhHAJzpE7KI
+RgQQEQgABgUCTF0/KwAKCRDU5e2swBQ9LSl6AKCpl0Sd/zaVE+rXCmCg9lF4Z/DyJACfVE+x
+FXdayyRPKh6cy6g1x+KeMQCIRgQQEQgABgUCTF80oAAKCRD5heNACvx0dlAxAJ9JA62AWyTp
+1xpVLyxGchSp7G1I3ACeIJGHywtqpfbJfG6YiFjt2C5uVVeIRgQQEQgABgUCTGdMoQAKCRCf
+ePg86MQ0YfqTAJ9hOim0VRfs5+pf6rsMNStUWZXksACeODXRe1BY90f2o28VOFpxoDQMhZmI
+RgQQEQoABgUCTF5RwgAKCRDaGWI3Ajs/T8IZAKDCaii1ecrI+HP8NT7zero94/RE5QCdH9zl
+k7ui4NR8EuEegYPvqFw7cI+JARwEEwEIAAYFAkrbZ3sACgkQLQ1auHwlPVLxQgf/Y5PQaqBd
+FXEs9QkD2Ei7WaD1AZkGwpICpVmV1kA724sJ0uXgLavd1E9NtjhMVKWYwdjEl2556oZL2i/H
+XfRz+VgRcysjLM/ICcGDxy6OygziguJRpwBWk0xMowNgWFGIDvTt+Hlc7f5UnBrSE4hGmWHQ
+9Vxc4qFiADKL5IuiLssYgJY31xkwSyWcEnUe8WolOb4BOX7SLuuTIO6u/Ud+Zh+N3o2amWBn
+3l/OBfi2lM/TTrjFEiJ0KOfyutiGV6a6/SkfGKBzhgdzWj4M8vIMthxFAapU++3WXF7qNQAX
+f50EN2TKXKHgmidfpWFqmbPhIkEaoheUYYOCaiaXY/IKgIkBnAQQAQgABgUCTHaO6AAKCRAi
+OuBVvZThVI98DACKydotmw0GE4sNu7CHhGMZJqvSu2MSMK7IyjoShr/JU9PO9yXEB6TQpfLw
+E5b9bso87SouahOJV+bYvBaLx7JTT0awNSMRxlGnf4il8F0FOcl3RgXpgv14YxXxs8KJHLV4
+GhHRwVxzJu8hdNltsTJ7JjJQS3kUYjBpIfJlyp4yNvZvUeRQJWTs1l31CkPwU6fXP6pxCP7s
+loh/zL1zVGY2q0GrTkFlrCJIxceiPNll44Rl4PrIMTmBQHVipToRinsrFbyD5QTAjiorVol2
+il078fK2IeavCxtRUR6jTiHx4/IWqt+kPycq11EK4bFMKQIAJeF0aBoAX4fWOoSPIFWI/Nz4
+m+EecHCk5frctfxNV6VAB5Lf4XwjEho9HFZwqmSQ9snMi3zrEZnhnrCJ1/Gs/ALt9vu0Z6d2
+ZoLFgxW2hdOyaXrE54rMKillYoTLZ5d8+uTQVoN8XFz5SliSNb1tu1//i8U9Y1tpSUUTD87G
+SuNV6q49gYSeDqZ54EZEiHeJAZwEEwECAAYFAlIqSIMACgkQ73Pm2lg2uBpHzAv/dOSlPdQx
+6o4MrM1lB6imRf4KPTmjkIwnO4N5iFrsZch+BNJ64PdGukhuAi1EXY7LBJlXRO9BPxdJI6IF
+R91ELvM5VzNzZDdwZVPDV8wJwkpBTQTgNJXCjETePf6adpQ1ORMm6Kg40WIH67BLBN993Bfz
+dQbskas89BxmEdqaz1eGDaBTHO2N39jOG4vTNouatsTsUlDxCxNW/razg0uLgMPpL8dJpZ0B
+4cCi7z/+r+OYrV2DQlJo6Cc/vieROA2ElFa3p9unYRcuY4Mcn6Hl4gA3QnuQDsn00GPDTqBG
+OEvhjcrHghhB0WzxAu+lc6te4vOTS0OCVTWMNU/ROaG7x8vQSFqaNWxEigkVlRDofxsyGQw7
+CxNS1mwsYAc2kbA84N4OxMZ4sHkLnheoVjUYaXz3JmLMnlA0AerkZVQRfzm/+rlEwLW79G1G
+tsVaRP0WmG9/nNZXAr2wfD8menJAIV1lB/pCSkNlHmEM4uGFAb1lA/EENQS8sz8NvvdvLNYs
+iQIcBBABAgAGBQJMXHGfAAoJEPGmm+QpwP/ujggP/1V5FTQ8rwB8uw4u7Zg5EEta/aM4E8Pb
+idUJ8KDr6p5Zad+hGWCPKT3nloPbN3iaYXblmxDuAYhHl1neH96tWYU6vygmiR2Xo53y06tY
+EKQbdIF3+pfOCSFh9NnFlAqw72cMWsL0VqSoZL+SgY4IojwupFWPNIJbB0JaOSW21kFf6/U1
+juAbtat4J8+l4j8mNgWCUeHBENN78lYD506VIuuJRlsWiUBhH0unzY33A1BoJwyXo0TmL3wd
+0g2JIGT5sJmpeMkMlKminVjZCcY7AzoTS60QrCj2FCGBtfbUOH9OQvBojWOPz7ALmKj/aOl7
+3UtGnvlscJPeilteNQFWEib1e85ufAG0Ry1AEDtR0GsdARJhqiG6jRn3v0lBxfG2dVWbHrFq
+a5FkUm73c9r+xjDC5NquWhd4GHyG3IgVPMvkw8sciL33o9A/XhNdjQiZmpok77nswvbuNOEX
+diQVnHcylh7bNaoXR6+3R8FVA/TThpW2EjxIg9TwAPfJFKWV0SWfyJSOZLFOiEYDEqBI190j
+3WSJNV+p0+lN8CDu8jFHxehsTGOAALCSQq0mZTKJJh0GH7d2YD5BV9isUvsfne52GLx/xmoJ
++cKJfszaWq2FoMhIPD/tnVYA/LPodylTRC6/8C0WIMR0eAaF+ByCoU7aEMWJDEJfX2MoyQHa
+fBV8iQIcBBABAgAGBQJMYCuLAAoJEB51mnJqn910WK8QAOJQVb/ihBQC0IsBpJwKyOH5B/XI
+jwE6BeErvO0rnmcYTr57AXwKNYxOvtIV8uS8gFzfaZJM4YHsF5BNToT3l2UIrWGK+O5nUL7S
+UM32plf7QPI/NSfyCtBxKWfXgbFQ8X/oNdwq7HMzCtRqZDoYv5btUajFsTP8gykqXqH9Ry4G
+hCFmnP0UNUWwTq4D2/bImt+iOOw4C7MXyROQ8aZd69aUsAln340L7rXz/yGTGvabdLXKuVDE
+QJtiZ1m/bewAw3A7zw3mKtMAA8Em8EJuTfmFvVQEpBBdacjwIn+ZpSzuY11arLIWNp78Yegp
+mFsuCANZDr/V33Xxo2Bb+4cbuOzSlXw+mOx1WYo1Fkj5Ga2IGkTbijqByIPwnCB03T/3nG/u
+hde1SS9YGGNL17Z2qDOlNtufKsbfPJf9xtiEN1vJ2cbOEDD+WbC2nvJQju4t4WaX06Kyok6b
+HPqupuGSOaa9VMYk6TzPAOG9hzcD8SBjO6S59z/qtGNqKZOcTWpeXWI/4qdvWtAPmafB4fVt
+2XS+vOwn1c4gNQFK+nCatlYywfuKxoQqGC+i/ld8wuniugtOjX4XbK2HzvuKMuCo0z6x/7Nx
+pOJAOf1jgWuQWruIt5VEULh56mhglEV1vL93aCUxOE7kKAcas7Ojbve/EQruWlFbzxJW6VgE
+1ncxHX5yiQIcBBABAgAGBQJMYDc4AAoJENeITEcY4Y9ExdYQANMHDBB1HSdVXEmkfVjMgW5O
+BF0AphUt1r9ptI6NvzcuJ5lFTIXHDa263UBRpHb65EgaHYqKC5LKLSXmUoKXcTU9fBLWFRYG
+N11qVpdoO1WSD7R7U7ZDbix76ujLCfOtPlqrh0TzHEzE3U22X3hxL+rHjDbvrLQuEhKbVYaB
+WaY1THCJjB4SA4YcWOXUNNA1i+baXlDw2XKqZrEriv+zARTxlF1GzpXBoh9ymH9TsyPg1dg9
+BbzzGy6r99LMMHmt/kB8BrOX6BfnzeLwSmg4VZ/aUWSAKK2cxbvmQFA5HkuFJ2sUc2VXmuPR
+DRY+vurz9PHMF5WZI8ait4/2m+W4zvsYZdgOPPkGr63+DVKssczpZWSq4zX5Ykmd9e+bsCUn
+E9jAI0iH4P4SKyFt1IkRWMAaUxQjN2v5/CIyydaavQGKM7AB0CjZL2835LwqiboOmptxzuWJ
+5HJM5JSqr1HMHP8vokNKcbrU0taV9IuTuBjPl198TR1vxPhHYcACIt6TP4wr1ApAsax3yoDd
+T/KrmCaczIeX6BmFFqXjDM/azhpQKIyFGgbDzrRAQ/CatG8Vy1baA5uJIsmiLxc7imwtUf5r
+uJOlXSi72uQd9eBx55mlt+zNHbrxULPYBIL4zOe3g1SXb0leZsvPjVAWcj21AgH2QJx1IoV0
+POwfFLEVCjTxiQIcBBABAgAGBQJMZY8YAAoJEBPAtWZ6OLCw8NEQALA9UfSTm/Zqc2pJn+nN
+q4sfhPUhYlTUxE1D49FzF4GmUHDYzMlU8VVZub5LahrITDINOIidmf49wXc3BcjcEKCUjND2
+aL/0JMtyMMORH+3g/Vz8HvktL3EnOiTw+Z9p1GNbEROI195VIWwNRjU/EYv78ErcrQ99MzJu
+O5yz+Qibp6JUSIzMGVTAiGIPzdJvnbd9JQXfg+fhanWKIIzj0dqNmH7tqYuld0K1nD/5cf5j
+o8Gc2L8GQgIStjUF5OwkElnO45iSYz4rgw2PfHVQBX8GsLBGRhKcxUK9psNBHIP0eWUk7sTG
+4/cbLgkQow+u0ryitmu+IJ/Q79NUiRNrw6a0rf2FUY3Nh/AbVqLVdQChKrxGtDQuJtpwh+uV
+RYTmc1rPmyPbsWj6xmgfvkLgX14E+5EPx8H1wyRsRpBPEW+Wb397I5eEt+gCEjfjrCprD/xX
+eNSRMdOT9NVG1HJ3wmeTEddkpbDNhtY09ydMzS1O3auJReh0L7ZRn8gPmnXk4EPamDNzY8N2
+OVByXKEPhb3bHD9RCHEaSe02BDcR1nbpbVAX3onquvK4ejZMuZIXXktbBcnqHz+zbRGRyoQO
+Jsgh6bv3qun3fer12w22PJ8Q8ifhAmcS+Lhadvq4hskVprr5tRmvxHRKPgZF0ZqGOmqvikyV
+YhFvZabdkKACAYCZiQIcBBABAgAGBQJMZsf4AAoJEBwB9EPJyTxaJbQP/1OgrWHtcJ39T7gf
+wh+3lbFvmcQ4ggc45PfnM7jM+OZbkPZOMnTmXgDXIz+0SKbPUVH86XPbeZAXHXavtIFvqbPC
+yC284oQeG0gzwS5yxygry5jj0fZmw2W0MfSQWEuUkj4HBkqEhgXGmbsYhCbbN6+O8XvBvIvY
+EIYO5a7wSzi/21NPuG3hcGMFV2yzr6p2FtvXfO5biWGcf0yvkj0YeBzaCwdty4F+1qGAIHcH
+oPhXCEggJKZtOYVZmsHz6/6RYghmRaSoGoG7Jj9+6udgZCycn6EKPVTE+p3tMiHxJzviEFRD
+Ov6iNBC55cFhSbMplkW7fH/M6rkW/e6+1zhxP1K11gwNTtoMJelrePLRpf/w12lNJl9jhe6h
+fw07mluEogjhXLVOQWSFjz3Y1Tfb0ez53ev/ooucvk9XT/svl2UM/K6RqyWYl1A8KCp5OgW5
+nXzRZ6fc4Ht9OY0sxMNLTLZ3enwrVa857n2VrnOgRTe8bFqNSMcR39QMAD6h9qmJR7cNbFKn
+IyQQiOtKCDFbZ7wyMroepw8wNLXPlvtMvS2zSBmMC/gJsdZVHK0u3O1Rpp1Jhq/qsve7D/fE
+NhHih8FBKPH1YXUOILdR0zDkyBUdXHBUpZlcRovaznkigKX6LL7f2SbXZo/jO0L1FHDhYQs7
+kl7OmWIXh8XW4m0ocB3IiQIcBBABAgAGBQJMduUKAAoJEK8ig6p24qx7z1gP/3wRRaEX7n5p
+oZUnpEcNy3ZRQPAfVAAX07aBSnTuHzuphX0smAfJu5fqEuYP1XzBUV/WSxuQ6nGtFoVSLEpg
+W3EX+KgLUGEv7Y4NI9LUNd47CNcZ3Fo26hQ1ur66c0asuLjseHbHl1aYwRgOarMy3X8JO1b8
+x3z9edPan11kBIeLpjlBnnScZVB9EB2ezptxaXvyvyq/+SAfRMnGKKO6qx5vG9uK2g7GOPJk
+dzS5LGeguixNjh7pN1ewiSHO/AqPyywVGYiYB9dnVWT0RwCZMXs3YmytZHfc58EpmKDoI19W
+MFA4Hsdgwp9ucXJMfZZ1Xw0i02fJQKs911aw0dF/hVjHSOQfVAiNvBFn8u5l4hgFG3JkZ6Yl
+rktrC6HThK3mo+KUNlynB70xSLXwxIHYkQUTxGr0HqZgRQJL03pPqk2Y+Lx4ndu4g0YwnInv
+1arb5Yfg/y4IJ6GDY6W6gvPP4wUrxue1w6BwqRwO0rD0vRMJtJqzoIRNCE8aqtQP96OmH5iy
+xAQo39Mvz5cntzaNMV9LOm7RgSaBvt/hLwxfhG2KX6Fca8hAXo0Q9dg5FbHSyLxF0mSZTRpO
+NPFzMz5zc2yUpjW3Holt9+5n9pzi8EUVwfNnFzijagzbL9bwuyc37M9wnPp5x2wLx3MF2o/3
+fNzpyo5Lh+IH7efZcG4XnUsYiQIcBBABAgAGBQJVcaVQAAoJENqCgw48zDo65e0P/2RDhlCL
+zEUuut3KmGhBmPbiTX7CnpwFhatNFIb+C1EJ2giPmmrwn0O25ED8dJFC0GhZrwNatuRzSefI
+yc75hGrTr/BFqRLAOD4xfMqOE5U4+z0frVTyuxB9Gdr31EmZ9miykKnfzcz1YY4MpQtzQOWj
+SiYFgjofwcpI+b5MjnqG3T8q1PzONnvvx7BrXt0lRNqL5MyByaV51CPbENyhWeJMu5tX3hAR
+rsuWoBP3kw6Df/ij5I71EfO4vD8C8F6AKWt8mBjyOfIpDmHkxNU0HYrmOnxzqXGqHTu+II83
+vgJOurjZ7TnqEe9jB4XMNF7w6+SPL6u3bNfzH0KPpEjzBV7jQKFUhllkRbcf2PeLnmzex3+U
+pEJjS5HLOkJt3B8wyANnZB358921snsv4LVJmgx1aVpeYWNo8vRgzKRMZT5Qk3ckXmuzHN3O
+FGKwLJnHmnha6rXG0ShlYjNY2wJjfmwaed4wU9k7T73tFbzoWJ1NXP37iQuEnOINVbNCQdfK
+cvL/82Q3LcpiapN1E/QYdfYjNju9NVpnSFICDEEYOfvodDlxbEQegZdd8zVHayYQJuc62sUd
+zPvMYLvQTq+x5tk1vJD+VSJ1sAbVZ3gzAANyMyYQ4670RK9H8z4ygxa09lAunkcJ3cUHRFat
+JyRM/u5NYxmCxxL5l0/UqOJg775tiQIcBBABCAAGBQJMXHEzAAoJEPEUCEwIYRERgesP/1xd
+2SPeYmC5X4OpUDsbqQoe79ojCbmd+2CoFHm+GM0WbtJHFi3BEJcVW//QNQJRSE5dKXCHtIDb
+jDhzlTKYT4q0f0p25mWMJFOXqb8sNiorXXdDz7k7GwrRZFsi/XlyiIrCwVHwLpyDGkY5IPBz
+p5JMXuxViM/TYn9BIX58rP7eVwAcazSBIs+QpAvUi4pfxNdPhrHh3Pczllxg6DamsEPBZsjM
+fz7pJxiddkJgAlDpIa8C3ZX4HdMnoPZhMh3JHxry4CIceMC8BOuX4c3GyXuFkKTMJSlRViKG
+57WyN7eQe17UZni23QLifLYD7V1r4cY7cWj1s/qsGtLsvtuVL2brOvHeHVEE7s6dWpQea6lo
+jLtlWjNXvb7WQ6XNFqpal5x7MG95QbBKWGHfifhVt7WrDSW6kbouXYYEgRhSZBkPPjSZXTEv
+54YkBVwCsb9fykKLOTy+wyJ5Ttj1kxtrMWsaofhDYOo9OtywwKL4AnfBMhE3NcrZ5Yf5MHHx
+NK/A95j9p8/HY1dKSHNDRub7PMM73Xp0fc/6cCyl9sTM9SFymKvvcMFChRcy1ZF9kVkXP3w4
+ZzoJz2YSTK4zIRY/Qqc+Z+BhX/rRuhwiILuCH9hXhhvBx9rKBxxKcTw1Gl5hZ8nP2CGXNkAV
+qSXL/0H8hschAtxw203KMvqbpSq7bYkniQIcBBABCAAGBQJMXT8zAAoJEIcvcCxNbiWo+oQP
+/2mKGGHKVA63SdyOkyAaz+mV2y9jIw+0hf2D6eoQ/OJ2l6vQqc4atQ9NsMBH5SKo+kPLhfof
+NcO6axy4ngb27YK1czUS0oyF+Vv618k+1WePw4Kh4afVZGrGsHBiv8DcKbeAoEn3gVORu5UY
+ElINIsW9ZIuIypyFXhV/zf30zR8MOd1uuJjif4ac7V+n+O0GpBgzCkKZoCdO7NJ3QH7RmpJ/
+TYAug0UMY9YvU1P2ffTvZuHxdY8adJGnieFnsLrO7yYHlva6Y2T47m0QwM6BXe673hj45H7s
+rZpbvNIEyRiXpucEm7YBCboiA8vBTjXOo8D27Aa5MoZUHF+znB9gRKWKUnkCyCT409yo8qJI
+5uSm5LWOa3Dsje3jlzfQh0BVLbq2f/g/kgm06Sb8jWzLYHUvA/+K774sOQu2gSG0FkV8BQJc
+M9RMdImzIMpNpV9JYOWZCzVbTe2ZzzZuNXQJFG7reuZ8SoB8JyrLEqNbfzJ4G+pNbXZbrSA3
+ybMgkaIvt5xDujQSwH/we/V3W296WHmVbU1U1W6lfW43KbOXriCrLl/j6qiy9ln/gkVc/Amx
+Mh2RC5bKOCTRJ2TgPms2+a4tSpOrqapcpa0OnZJJTG/sifz9/3eDGPTKoVkN1fYZqTp+0s8m
+NohYO6YMJsuqkYNr7UAHOTE1p8nhrq4RQlaIiQIcBBABCAAGBQJMXUTaAAoJEFOUR53TUkxR
+rf4P/jp1G3yjSGwglzqEbvu4rzO6LrC8ZqnxOSWjKd8xN/CIje6naB5P3gRFLphJaDUgnlpx
+nQYODkDZlMPsSmUY6+GrM+XDPIEnw2Yp2Vb6OVTSeDzgpjgNsdKptNGR2ENFpC5ReAKEKAUy
+7bLcraD04IV35hnuHNevjq86VO+Dev/SQ2NJf0NrOuC3iW2YA5SEXcJYGp1vXAZjRUprOnxK
+n/e04kTTA4b3cKzoEo/bQqk7C+7fLG1vHziDDPszsZ09G7eAhnhZmFVTk/jvBxJ9ra56Bo8l
+ArknJ7A/LHvGe2SEd9MVcoKIHGpM3IPhJldZiXNeyz/HuUA+xKAY2Ox+p0vDlKUAF/koME7u
+2wwx4ncMnRdbVOGNGDJTJhJGWk3VIUsicbQQ8M+wKnkJmLNI0ZGWdoNADdIR/xSIhL8bUaVu
+PC8amQwK3VD7iNRcbNnIw0+Xbzev892lbBvav1Y/V6G9lBeS4KrLu1s5h+cmCq84RlW3xCzY
+B3yZhWUeojvuplyNKPApJwkjWXGC1LK6VldZzYksXMb+9JxtoE6A/9F++NKqEmDilKl15YFV
+Dy/beTjoSK1+6T6RrTKOPt6kFu2460PTa9KOqjpQ60hxOn/YpyAeEK/MtRuBjAT+wBCIX+NY
+UIxHNX3mcl35l6Gb1nYtL4CxBG4h557CGM4s65IJiQIcBBABCAAGBQJMXyNnAAoJEHqPSei2
+NIC+Za4P+gLihkZlHwFEM0pNSR9GoL6OsaEnsUebefwcLSrX10Ee+5mpODki11Sf1flIWJ7J
+I+2Gj7U2NtFFXBvzNCUDN30Xb+QJBSU+pgJERtXThl8hKYuot79wg7FclsIo9P/NEQ60/tji
+2iSQ/w12NIApczn6FmX/xVaKafJyf/QRnI0mxQvd5w7JEoeIKvaUVjt5Zz9fUhTiM/9kDCv7
+E4a+PuVP7nyQdSCoduhFYQwLf+727mxtdLjK5OHXl1jYx5tcFdTyumZpB7bG/R6U2wb55kxd
+iAltk4U+59p7NG7JSu5Lnexq+p5/281vVH33PrIINuZUhmpPovFNeDz6lFqEICQvaiS2STte
+/BY6yBwIDx/1nUhiBF3yUU1TOQrtQUfRjox4QRj1g8YpGspsUXagBltN04l4tev6Hw8tCn7A
+/f/RkdQ/7U6N24ZP3BdBx1R9nKvksE+C+v5QwlqpufU8Zaj1YpmPBn/yfSzSCvd9cE8pa4zO
+KujACMEsPh0c/BDoiWsmxKLTzOoeKGwl15x6x1Y1yTKOLD0wXXvEM0TVF3x3RJgvpdnvonN6
+c7URWq31zKcISwLOKCK1c0UK7hyD8zFISiPChiUUdGicZ1Jo0me+xp7R9b2QQnwVj4kO94gY
+maw/3ouaDqOrU80N5pVC5vC8XSp/iGAY8wR0fc0qsPY6iQIcBBABCAAGBQJMXzSvAAoJENFd
+MTiCAEFz+XAQAJo4XauT6qsxxS3i4ADlzeesoE5g+QPzg5mpVP8NA+kEXqLuvW7ZZjDzMClh
+bpnhT9L6lgMdKOzODa8PzMMe8lMlQtGQsfby9Jy7c15wFwO3YLr0OesnS0gGMV0cxpu7XVmZ
+ROPqOn1eVk25eaZHO3dHrc4ve2OMP3ZG+df3+kwQpiMgrl5x+9UHOWfqEtyT590yzofK3FCj
+qHZwMUt2pYeCksErljI2hmrKDqp1zVcjE7OoQwc6M14i2HvhYwAtvEJTuqyIjFZL/XzGS4La
+2q43fiLlAJalwlvIBEtRH7E5qWJEiS8gs47+Qcwigw16RhVp0FxhD7kT1vHrCoqwMFh5ULQB
+fEYVQVbfVaXU9vL61LOvPfnE7QVCMnREwzCyYlD+FonI/LK1pqbzXgEJjh48rXEVuzic1G3Z
+zipxiAbJNattO5aWuQjlEQv1ykWGIwh5Fa+LEQ6Idcxi32CsD7FFCYI4dg9GpZwM0NjJYrYN
+sN+Nl8/o96LBGzCsminV+M+jXyGN7S08DoEyuuoAwmiY/48lAQJQChMH+M0M/UthALdcTooe
+epFC3AiHiIaKUouRyqo60vNbAixbv1olxZpu12KlgCAg/ra9VcYjvt48msQTtmDQLz8/aY2L
+eoFLm4L4NMqIQ5Dxywqen1MTKkk6GIx+7pAJH5Z3izmQJEYpiQIcBBABCAAGBQJMYe5MAAoJ
+EHA3PPEpDbnOyQgQAJcCcEi6GZBjFHjNE3N2iLVUMItWSEdx93NabuJi7FpuhorwaJphZiYY
+3ehgSa4t0/gNzkRkscCmbzjAr/auQsS+iSpINgCKUJ+dwOO7t03owH7ARXb4gmWY58poL+J5
+ZgkqDok7ZtW09G+OenTaAccIpmb1IaGHDASwZ74EuH5M2P3iP42h7Q7Slhxer1GVloLD4SPs
+8W/3Rslwh+/ccYfweNC3gLvU1q50bj6kvO6OWemcI1NAWtxEDTGjsS+BsXBPlYQRF3tqtoQF
+Ht3xUKlGjHBO0DYymOMAlQzXfW7uqUYenrOXmOV048rqZxRtSdQwlXUHyaGIuyCRWqzzqYip
+ArtquhHSSKedxe5wltdqeB9G/D/zwHR1fz4VFkECxRp0rWnnOnWJEp6+uxYPiIV/36qB7X9d
+NFxlt0Vu3vZZiXgo9RMLjdQdYuBBJrshlwKkOlYPDzpYjHWmXJjKUIhDTqD5Kr2CTw3TrRyu
+mHevt0nbqlnzoHd935ZssJdbYGDC+F9aUfcyzwJN+CH34zKz5gtteGP48DewptBF61Dyl0Pa
+rHthrkwMqdZBA6cHE4lGpvrGh3GXASqf/rtAHwLM4brOhtH/LYYjvO81wThRmtjyjmSsokSl
+0p496fHxPDuGr7kbBDMtdfVdty8zJ8IaWI11wTYExu/6VgY9dlhuiQIcBBABCAAGBQJMYfU5
+AAoJEHcx/Mxj5OJ3X+MQAIdfUJP5Pmxv6T+yNRYSZ44Kx6cJJVvPtWkV+h5gx2sY/uTAS4/y
+oiBrtnxilEr1D3MbWyElI6jZPlDXxl/Jx42kEEur5BkVOFmAmAJYRork7qCds2RAWGnhqlNH
+vuMIz1/PfJlcB2hS5qo+JZLxTFk4ltOTUT6W8ENacKzcpzWGeQvqG/dY8H8FL2hnvNLiGITY
+XZY6hWGvW5Ti5xzIBXj7QN1C3WZAmxTOt9C/t6PHHktfC+MNGN9zQEBAn9MLkE80oSwEX38q
+/ukX1RpXCUTZmxIbXOaLc6deaTcxjJbBOX+YE1dSXrg3KxhXg1IUsMVBhQx96p+yhTUwznfE
+F3pZQiWZhVP9/qGa56tR6pejRM8nfgZaLNcT7nVibIk/7Js+fXRYp5nWUKf3f0BoymQss9MU
+cQLFs2Dm/l6iX1gFUgqoiOVIAX8DRc7MfJ+UTlHBOMGDKVok9nVsZegQYe6P/C88vfFlI1Qy
+fV4KAdAb4YwD2HatpcjDcX5TRX49mD+pmK0bx4+L3toRG6W3OPvTcsaubE9peNfjwS5L6CF/
+M0Fq6IhIUobcDRjmUNtiXk77WmI0ZM1RiaaknHHCHXGQgS+QPd82Htox2ndOwP0ScgbqlL4D
+LT3ZJqRJVWgnWK/n2BrctT63KFAZa68Epm4v0GZtTjpJpL1DYnUd/J6OiQIcBBABCAAGBQJM
+Yt5PAAoJEHfG+0Pj0wgkbVQP/1NGXS+oar0Y3GuQZ+HwYq4t7Sh8CbCIZlei01oDcC95Fl65
+HtTZJcd8RTPCkTilZV4orC+gHppLVGi2GQdSJ6C4whlnliwDtgU6uJ9uuP6EKTsGh1jAoTlq
+eSDx1n8/F4JG6A1xVOekZ8NzTIfpfdFlAYANe+z674ZrRPi6tL5euQ9/iJpi//bZJMVvmttM
+2QJ+XxNn/CrGKGZbA1PjBYYol3s7DjZLhR3IhgK/rvmVCo+0waZzPqI0CD/axU2OXT8B4lIG
+WvDcccX/8p1tzIjlXNNsDV804c+VtUVX3jZMISmVMWLfkShhnUEhfwi5CUNtctL1SPlqwvbK
+q3bxZjol/OFu2KbW1IjhZ2dJ2e1hQ1V8jUjSYQ4xdDDwzS/Z6EWWn7cLycAR8xF4CQd92hCx
+o5AIgkQGG1R6iraztY5H/fdhXjzySby6q9Zvfa+rw0GkXpJzffKwrjZu27+QCqvNGX/3b1f2
+s0eZ3EkFam9cMD3df8PCPU7Wt/IN8Sxv7JQqkb6StQF3NjI/lnFLcb7qf4dhZItGZBbkWfwj
+M2PMEIbCl66bi8XqviJUUskn2XWfhaodv13VyXGeGzVEw4+N4auDM1w3WZ5SnSXWrFazIXCw
+IBWYFSyHlKawy+Rd3I9ueYyA7PqgwdczNxTwILXhB0+pBd0Z9FMxjL85C1N7iQIcBBABCAAG
+BQJMZ04vAAoJELNGT4lqoVlI9tEP/0yGcqKoQuNUIsuMasD3zVuh5j77i4wo/FCqQvMQIlzd
+PWl+gC9W0xDA7vILOcqZEErIi4PPGwqpQYGUgh9KynP4HQau+43qe2BrvdauFCIJPsmuwfER
+OwrgdSkKyvdXA08WG77v0a1V+u6nsnmbXg5/xZZdwCAKt+kILPVemxeIy+f1AAHj2zLnDGfy
+0JE1jN4w+JZrhdWtsYXWMnfRFQQqPbnVqi5BkFDeRalBn0R4mLTCCOZn/fGodA7EdmRL1dLN
+X9FbnfD8AWMDEPMDZ/h8HdK7dD16XxW7i5o6ZbVvftyf/yaF+bhtOyTHabkdSlMJXHzl5mnW
+mH8NVlTTQt05SJ86NhOjr98dhSvcQOxFT/fVajDcXAQbdKnylAWHEjnejGgt9QwpM99l/Mp4
+8j2rLgqfexF54y53km5ssTub3QJ19FG0FPLvRB5fnXfzOvn8iDhcC5V7dA7q08afUjaLDTVG
+6byCHe8TR9weCaCrV7vvGHzmEEPRNzu02C86SXGZw05eRMWFKJL0AG1avj6k24hsnatuoUke
+6IA5zcx81GbkqPDiOiiYJOEZFY1Eokm6MhIQ30HwUO0TQ93TdNgD0pJdAiElPyhs6csf6/Jr
+ijOSajEDcEOuKzqYnrmY2AmDgfyOrjoW44ADKOcRTnnhAF26ljBzwqa4xguz9HEUiQIcBBAB
+CAAGBQJMbL+KAAoJEORPgBbTYw+Jb74QAIQ2ADLJSvn+c5MBWYwc2NcFrRHIc0JXwmn+wzG+
+QLeFDGO9SV//LM9L0XIIbsFFn71Rv+/KqyFLn9SyeGdJakuL/AMC4qF1m6bCzwSMdoZeYBwK
+2r3bgPU4xW94O8zKOfRF9kwxP+QK2adfR1y7j3X70rICZYAua2ugkZcIDkN549PBze+2LYnR
+3CIhyOV6nYTArKhYuaDiNnS822l8VThOgk/Dmdof0+ExQfl7Nc2oAk7wljhmLX7nMonNZcDI
+ct+fDsVS856UYg3aJR8EuDCAayZHZvo24/bKPwroxl26+tEEfsqks7epWZZRGY0lH+IY2qoP
+oFhHPodpAw+faiafD5/06Vo3SzH2i/btYQEwwCCA21cRLwpv9432Ia4ekvjPQ2E3fjBWGyNs
+UA49MYhtllX/8jk6LE+AIU43PFit6ZB2BzVBunsy/LH4ZLxdi5sLTA1f0dO9jNkqf3xGbRIp
+PVXtQ6t/9PUXAy1evqWBQgRNHVScKL6pjuoLurSIenQCbcNQo1iNLB9DuenAHNUBP6Ny3cby
+hqMpazBoCIb4HqtdeUBmzdDZ3okIdjXQaxsHZhDsLNQM1ggj9mu0vJWSkXfdXpew2Z/J3Cco
+lOuTcTqfGi5kdoDHPLvFDEYyrGKiHTV6P7TxoIxml4A0rY6gHFYlF1b5SXmUiCt+cKMgiQIc
+BBABCAAGBQJMbyrFAAoJEHxWrP6UeJfYj6EP/0SlRe8esTX01wSot7D9mZfjK/yvpA3g2YQi
+3U86Nb2vvLvJAamLzV+Ka5GL34lPASAIgwfilQyVhmAsyTOQ1sIU+rPav4olOoUTBaORlzL6
+1AmhtI5N0HpjgnIDLmtKF5F/kRxm7JmcgnHgiKoSZCzZH2tomVVIGA9/aSDznr4N/uJZ0yWT
+6MxKbmS3udM8WAgKxNN8IB2Z/xVDJ2dXMt0a4IgHNAn7wgfaizOiOKaJ77c4c/LNRiyhomA3
+VgHDBTP+WgDwEcJupo6RiXWyvd1yDTEsHCApieODSIlniWUePiuwjBPNNKwH0/yRo1fkK6cY
+kqbCD8Dk10p7HUr1+BEGW2fns45mpwJH9PvbJ7e7VldPs7AKmEKC0HHKZ9BNa3AJiujwnaUj
+EYt6hq+/DRUQp6iqTPDAKE1bNTA4JD55zd1gGthsGHKfTSAydT/kdvxWH8fK6F0vOssQy7iD
+o+8VVoVpbl3qJ1MtvbJTxum4ElFhPYaG4Oh/JPK1vhWVXva9T1PX6sGskdC9DPgDLStCweq3
+RqzAhjPvcqgpx39mZGU/SQzwVUFN7aqASNl0ZFUMmnZ/4aNNYXY9yEAvx8GetdZm8s+0gw4O
+zecerDlVf6xykodTT9sK3qiiRF53P5A8HlgyXoewut6MyKGEwhItfUshFSp7MMMJcycl+I8Y
+iQIcBBABCAAGBQJMb/jgAAoJEJ0LXlse7I8OrucP/jRV886elnIly0yuYX3ALXDPgGKFwbRZ
+GWC1qjf3ESdrqjC+On7jMLnT3/A4l03F23bpHEAOnTl5Ounb1PrhDnvo7msJUH1ZdtqsoT16
+sAPbq14Rsg4+n7f72KYKwcQaNVkgizg/W6a8VJDOxQQgkrZh3Lp90O8krIp6MDgd+XKEQRjV
+HxyhzpHHyqAaY+/nhRY3VXATZ/5K4+pdyRt0aWlpvftYTvX/iZnGBrsfjgYkBZnix/+PfFtF
+A2p0AXfiFfFuU3BlE/kG35gGDgbYf9SouHuYeR6TLgEMOekxeqPacbTTpM051Mq4tewfFQHM
+raLLSMCucl+duu7kyDRXfwZ+zoQ7I74UT9gRkI/jSYecRKAoSYnoewDo2bNMEsnYjFwyf+Zt
+MEV3glEDcE7FXgm20YYjFb7uMQIVbiuXnFho9RQFyu6z67cfIcJzEn1pttMdV0vmMfi872Cr
+BKGHxYu4gP1a+yQWx6N4Xgm1eJVdAdzhmkX7mH5C2GKLPIWzwT+onyi3qCCUWp4NL+2QescH
+IVkc8daU0AH4IGp0A83dpRDb91vYWFImVW2brurAsBwNtKRhpd6yG+ufE8+9PBzQ+hZD4+C0
+jyR/T5HAsuMQNSfcDDEi70E6wRLEd/KYp0YePkoAKES5CB3n46XS+WESddBXfeK0OZpAbXye
+45lyiQIcBBABCAAGBQJVku4RAAoJEOugxsccACVvHtQP/1218tsrXF0nLofFs9edddWw4NLo
+ZYc3HvELTHfyq4/41ERGOQoevO5/3tMzSyAG5C2lmKOz8SDHjAwkLmbqiYI2EbwYxLg1lTzw
+1jZGpjzBfKm+dll3SWroKiyesv/iPrExc6fJ1mxLWtP6G7R4m6ibmz46uywwreT6WvhKRKzs
+IPQdf84W13y2ItpFe9n2U3/Sy50brOnqAiLj/zIP5PIaaHzrqUIevdINFgyIWee2s7tTDcNm
+zV8TV6+cMs4jT8nqguNy0lBGjMsSm4BviQRZJON7h/v3/yf67TctHMWJxeD62STnXS6wjEIk
+TTYSNSEZGvMw6Ti3lVB4nlx7WW8wLX9X5/1QdPc9jZyVpsh8QzqUtp+jDo6dfXPBYfUlwm1v
+Q84BVfcknpMkVMDLX9EMS8M2HLWBGCOEa2/n88ocUnjX2ZL5C2MGlK1TTyxSWCA8D9beVpKa
+PdYP8JfUiZpC5nLKKBvyEGJhUa2dOY6jdbPRZX+V2TWMIwGWq03kSv4VBHdErK+HUXXcFvue
+OdQBEOcN4H78RPd20CNTEIE4bsxgT+riXcjUDDrfIH4EQsA4oh1Z5fXpE47y3ZMMJuWfRzrg
+es5QTKNFKDfLsDwPvgyJV3iLbJeKp3G/Te+scm3UDYi9dCB0eu1MiKM6SIxrJIGzl068Xndh
+QNLOTpCjiQIcBBABCgAGBQJMXbYRAAoJEF0yjQgqqrFAvAsQALNsAqgOJrnudiKERxnGU8dD
+YlxWPADlESd/DfsoEFkyd87GXVzfOE3ZaGKW66PB/D8eEfiT3wWVNpmAfIoHePXkPsA7NSyD
+CORROlpxXE9zFaiRYMzY3EdCsvSjSn2F3K7pymCC5yuYFXTW1J6x+CS8YCEautV5h6oIsGsD
+4zqXyHLWM6Htm1J1Rk0vW9tJqtfO39CFD/McuOUC6QMNLeBlWri8VDFmdGixOmLNAtBoZkPv
+i7AE3BFa4utWcLLjm5gMDsPW2xag21LAwX+xiZ/G0xkDfwKM6w01KcIp03wVzWBwtaUApsmu
+6fsH6gFPFuqrAKadAJY/L/U0A5QI8Lw8joq152skYYwzwC0INYTw+gst4IJDWPtjd5sK80Q9
+NJpnqLJv91KAn5+Ya/i+K3jjFQLwII8x1rX+B+hxsbofh95VdfPJW7W2ZMFAc5kpiN6Vmw6O
+X5i0x407cMV2TslvGI5L0aQ1T9mnMipqMnQNX9sMjCUSRNVa1DTYPr4ANkPy4ssXxenRN6Y6
+J1Y2KORYgm93FfUpQaUUHOPzBT8PlfuTn1rNZpIABEl7RB2qpsJIWytQjZ8U/9epUiiChMXk
+1zmB8izRWAoX9NtLM7KttiFht1nRYgB+8Q9/Ta5mros/htAW4slcFzNwEqFFEYNpgdtfh+S5
+50o9SeOpmQQqiQIcBBABCgAGBQJMXlHEAAoJEDkUtTL0376Zk/AP/2NHH69E18cRAOuET57I
+oRZmJqa+a+cIdmXFIhWlxUtQfEBdXwSDDcCNVZCWWabiHieSEahXSbCQIpjsjfTLHVVmBBCY
+a1XFHixF3tnR8auN/KONFQ5tl5IViAw0tYBX1zbx3FqZf/XMqzOr/twpKrbI2VaslvjPpu1E
+sZ7KiXnqjWU1Dp9ydwK7sdb34V6w/N/uonaulFq6IZ4GzQzIaF7/SkOwm9am9TKON/OmE9HL
+hz4kGimtnvztfaGQANF/YxBdjXEvtUp76y8QwXrxOD8f7EFQmascGPIJqgR9KLYp1Tsw6EFJ
+eKpDGJjzevkBN8eeIDLOWfcG+qlhNHHtnbfXnv9Ojr8b1idvSsdqvwFBAjw2svZAK5f0wkrx
+KU3U5/hTIz89EQuT0o/oJWBj67ONQYHyh4CYMZi3oTiqFWQH10utKi4kGnM8jaDA2No4q4xk
+n6L99QIU+RClkamJVBQdmzoSYpjiFoAlXDIhwQGt+QmhbizZLp6NqxXJOOHJ8ictRpRlzHOq
+ERlLNkmaaf4YTyBeEIH+GYad/xiqDQqm5NQHFBira2dZskxKC3SND1e5sTd0nYIur09wbJG+
+z72oKoiPMCf4Lzawpi83Yz3Swks8hZ32fbObhuiAmfXqEfDlhbf6Hz9NqTxE57faXm8pWrRy
+o1QgHe7WNpM8vth/iQIcBBABCgAGBQJMZa+UAAoJEDIkf7tArR+mQ54P/j192Qx1SS9xW+Ao
+2V6IdWidRtV25Pkt4LckZAIJHfVEvjpM8z1uuY34YacjFeZWtfI3mpM9JUQ2Zx854oSX9z0S
+iQ0u5XnPNBavYZ+DKgGygOyDQdNdjvdzR13IT3RIu+OAnAFkBfwS2r8i2rrWpeZxltPR1Uc8
+J0ZtJ+DLgdbtWZxCGIl5eupdbf03oNQ0GHP/h4W9Ls2kvJOzILQx24+9tCZBIi6ZuHjlawhV
+uZwTvhuc9HNhl5knHeyOZCFfBcNTWFnxuHIzYq0AU/12+WYuZ+SLll7+yA1yHpP7tQrz6oSY
+rQGLzsBq0/kONM4WYmhMQVtgxuxjZV7DK8+1f1YlbKCGrk/R4lZ2JklJ2+qI2WMiiW4BdZ3o
+CkEi8z5Z2vISsbTe9LujYnEbiTyCiEZlrz5bkavOgMP8T/0NlA0GSUt1Jo4hkLG9eWUfYgq/
+7N9vMQd0ihpUVKciJyqaSixVZVX2OdUW0nCh2ftwOzfvjhBG3GydQDb6Q8tdiOeLL4kB/zpO
+VfZu3UydE7CAtqzvNj9DRR6hfyuELHULoxkP7DHCJIx2k4ZZwgUmLHYIyni8ITsRUnapzqwO
+Gy4wmQM9ZGvI1vFXINsV8FUKg55scO7baXwizGX6UQ4jwvCBkt7i/1lYhY5udn8vmQ0cRf9Z
+HjKhTYfZ05hp1dAc9Z7piQIcBBABCgAGBQJMbA/0AAoJEHhT2k1JiBrTtIEP+wRhrJcz3w7K
+y8F8xF7+ihU9k/lvDjqZLlYKuX6kJsTupTygmC7bNVw4uBfGzlujY5kroa375kGK0Q6Uh4PT
+ffiySDUmKj4ap29rlLT3JzFuu5CIH2jskPEAYhqgaf1NZUKAcIncDtVGZWi5J/Gi8faVyRnn
+tE86gVvHzlgsDoz4WLE/Wer/LUkotK66I9sn6t877lm948GIrJ0pknNHB1bCcR6YhNRS6fI5
+n9W3bkHBBs+ilCd1GlWKl+a/NmBnr3yMKEYrM8hdh8RVJlHW1puyLruumoxolSToGvhAIPV5
+E8D8dc92Pa5N0tELtw4a1Ao9zl4X980QQ9XPqp19LdgrN4ipqxgaxlVywzSq1fObqtSd5IYo
+NuLz3PvoFeoDyP0degy+4PxXX+hERcpe224No/Oo6cPvyxblgftFpMlRVuxLJx79m2B0db/A
+lIEN4RAa6mO77ZcJnAeInD6ZWnHw+bVPTbGnsz/9L8EJA/SjILpBcG9UO9pqUYu+aL80AgDF
+FoWlq/Oy5YOjTIBBMcE9iN4V7RV0S7ygA7xXQ8JEon3lrgVNRQ3tyrqclXKw90ehPS8ntYJe
+8rr7M7hw9SGC/UwLlZctG0BO/Le1aoRI7U6NTnfKgdhfn2UAPX7tgSAX/xgZDcuF3T8KeTwH
+/GYjjUzgeoKuZMtfMjXtEOfxiQIiBBABCgAMBQJMYt0+BYMJZgGAAAoJEMzS7ZTSFznpEuUP
+/ih8u8cHaYsnA0vQnfXUB3NDtKpwPA39yTh12Em2QWP9ezw9CizD9VRBmR3kksbxvFI7lNHF
+bBR26jzHvz5wh0OFAoL0QpnwqO6YVDYAnDbwU+9Gyk9zFz5WAiTaj1AFMA2Y6tfq9M6eYOG8
+7eNVVdRI6NOwmjO5cO1NNFO6fo4zxa93VLX8CS+4Xgt+qYnJc6bZDbwUPdmfSr0UgRVVbZAO
+CGE4f2tSeLQwEOkO44XB1rgRilyGu9dRShgxLQoauAXzsQvqMzaNwjal2bz+yunhj14Q81xk
+xJZ96I0w7IzMPmu5tjyPa/1Bhn+f8cHkqQQKcu4Bf2OEtANNU6M98reiS/K4cHEj0ChdFiHX
+l2z4WxSsihbC3megEX96l9A2uVgJK0VsSPQQkGKzVsJkEAsld8tC4XK4OzukpXB184h68huy
+TL1jdJkYcZoBQ/3Lo6Z7TJ5ZvnUhdpuvQdRfmBYK1AuRuNuhmPDYV2/qqmFOYBrpUY2/qv0k
+xOYUduergCG6cI8zFK+KWn3S3sfxVt/032qe7oa9/VsloGBRwiaLl7MAwzHJfUgZCMIcfJgx
+6sQRhrvZbwWg64UyG+xFuocSqTRkcCU2fezMZHhLA6B6CZgk0sY/VBQLBBOy4bmtb54AslmW
+f39NNnD/VzkSqURypo3aDKn/f/v9+JNBfcCJiQI3BBMBCAAhAhsDAh4BAheABQJKB2jkBQsJ
+CAcDBRUKCQgLBRYCAwEAAAoJEESXUni4YStd9mcP/AtRNozdY/n06hAVJCnI2W0U0/BknKBd
+z8SXGItd3Mb++tWs8tMvZw40hB3C6oQJu9CdZ4tzZtf1jSUxoAJjGTGOiz0pooeINAuN0xRa
+eLzUPyQNJpd1/CsZPFgtn4FeUa/T9WwHxZn/XzDBPd+N3uKzM63ZRpKU2lkSvSrh7fvqP13A
+h8Zq/quMgOsCbQR6Dp1swJIm0s9gPfN4mEVXeknXnd2vRGrblJYL3u8V7cfjUjnCUlFmB7U5
+TiROYZYeP3OIuDsAqv8+xweBswWxCxX0LYsuRHRxmLKWEYHAV6e0czRSJYKQdV90+URoOZin
+Qdeo24cWK6caJEavAHFnDcKP5aMCrCtp9hM9EB1J5/w0zOEXLotwhD3cWVDv1k2s0w9wkNZp
+PJKRdXL9f0en47MpqJqR9/8U9X9j8t8tTUbo9PcUcf3YB4hvmEBauBHrCBNslMx58uPYOFjV
+YqbwHUzhTKHhUGVHbCkQrUOjD0z3sjKlzXFqO8Ba3sDAP+hs9+g3YUQX+A403rYJoI/b4Bvy
+eZ4ryKanz4/zhskMDdSBZ/UvduPm+gHEyq8Xtj/jxRDX0EqLvkphDdUgZqnmanx3FkkH9EOx
+fUxnqpdwJvAj6k3diWEuei7pSbTBlqi80fLRUm43135UP6AryHtUnraBSsaGskH4pznmwUfW
+Kh5WtChHcmVnb3J5IENvbHBhcnQgKEV2b2xpeCkgPHJlZ0Bldm9saXguZnI+iEYEEBECAAYF
+Akxr78UACgkQ1cqbBPLEI7xL7ACghnGFWacQR2ySOwHGcuP3y2NepV8AoLz9sWYoqYd0SL5T
+192WWkJWAboKiEYEEBECAAYFAlCf5Q8ACgkQcPNeJG1THnOB7QCghdTeFj/8kaopb1WjUCof
+BrrhzNQAnjYiGUchyKzDS++2vV4VPwxvMZZIiEYEEBEIAAYFAkoHceYACgkQMhdcDcECeg7B
+0gCfXpPTRYvu8+YGBrnl3ryzbBrYCiIAnRMek3cGNpJrDT76nPCVkp9J7zqjiEYEEBEIAAYF
+AkxccSAACgkQ4VUX8isJIMAYjQCfRZD7k69DKbhcMYOYWt5paHpg6SMAoIPdjQhnId+yPSTL
+h05O6LtJU7XOiEYEEBEIAAYFAkxdPysACgkQ1OXtrMAUPS2JYACeP1vgz920Qbq9CMig1p7V
+9Bve+7sAn0FIeNCiAGp7owWq6mZX4BOD0o/IiEYEEBEIAAYFAkxfNKAACgkQ+YXjQAr8dHYl
+2QCfa1lGYuTcxswPc6nqR8P9G1KoS5gAoNsq+dtZCJmYMIflfGNOxlzLUsNziEYEEBEIAAYF
+AkxnTKEACgkQn3j4POjENGFPMQCeNYzQIXlYtcurpdjQru//evWc084AnA4MQEEKUkVvRLOl
+PvkCi847vss1iEYEEBEKAAYFAkxeUcIACgkQ2hliNwI7P0846ACgm2JlzfNk5w49MB4cGDwy
+Aodz+MQAnjanm/JlttRZCU+zLaxHxEj4JovdiQEcBBMBCAAGBQJK22d7AAoJEC0NWrh8JT1S
+LqwIAKQmrdBXWS2UmANTYLBfDuytJJm+mHj1YSJ8ro92xzst6WBmqxMwQ2EscOv7S0rI/LGr
+8PfXBnpp7Mf3zhwEXeUts0ZUt/Vy6s8UAVPTGPSQlj/Ya8u0mFfXkdGsLMgMdds9Cz8fLbZr
+SycslmVmLtK4S+rhjQhJ0vXt2sL5VJ3HRznCpmSP5+ZQOlH/PenHLmV0kC9KcOsrxgvV6Rls
+HIZ7oiATogYm/kuwXwQ+0qQAMsTY3AGwE0yuMXvDuDUnGdUBzaZJJZ/wodDFYlDxTJb9NOh5
+P7PDBQghiR0LrnU+Y4b4Oh6ne61EyGRhP5ULvZ8RZsvDCO27gjNxRH1nJkmJAZwEEAEIAAYF
+Akx2jugACgkQIjrgVb2U4VSOeAwAsBhm8cj/o2YZPP0gFdUCUyr6ecydoD1d0ER8wwvOci64
+bA6Xeu+i8LtcAHKowj0h1uVye9SXK7FpfyPlD3j6hbikG5CKXSwwEfEOUHmBIdY+UarL2Att
+791yM3hADK/LjKObU/hEFs+b50xsug4pbYGbnDgitj4AG7mrqLLReCAV708jbizQyxizDl2w
+/aXbgRvjjVczuxFeFYGlkIFv+da3NoeYCV1oH7Wcg2vrBb+TrxgIbAMW4V36v+fIPaTsderL
+QQTv86Rq5Uv+FvZaoA1y7rXMpDbD8OJ1DdRv5BeDAGOAWUFYj+XDDdpfKt91zOlzfr74hikP
+1NWx0NEyG09wxvkV/6P1zjbv8NVedwhDBs6QQsco/oYx25Pqsin+x0mnc1NiDpR+9Oe7c4ha
+6JzzN3ufllxydLpK4D1RC/ITKhNhIrG26qSEtk9K6zM4QQbD/Ngh/hztcHMObLYv4MIz/Uus
+K+CoJDI9kPAISK7zKTHfGTbM4O+gST0gqcFSiQGcBBMBAgAGBQJSKkiDAAoJEO9z5tpYNrga
+fAoL/0E2pxy8oF9vH2d87G/tYfJB1sndWixltZtLYJMZ6HVAwYBsq6ju02893SllpZ6xp99x
+xAss+xeJF8PlpH5nauQOn07IyUNTytxa6kJ/xHcIuVEVFEBU5SUaXStqfugM/EE/V8pbW5di
+oIILQx52NKli/JhrBWlW4/1k8moyuCkZqYsdwwp2QgLrJhcTNB1nWx4DBgonAL7GOGy7s2DP
+6zoQT2rDmlMY+Y0GrYkt6dwwed0y8mP/6c1ayLP/5E7ZlJK7Lj/3WFxYXeOOP3rU2xm+Brym
+u1ND4gGC9P+p3rlEBJ/loSruk9bbviULqiO5s7dB4Xzr2joED4u0suutYtSPnuY1fNV0DGxG
+qgYvhwxcuOHVD3zBMuAfYoGSRQNsMrpzBnfytP2pF2CcS9L7maaTBxyKF7UbpqdvDDh74i+A
+/J2O0TmMuraSX6r/szqCS8B5UdetjxWHpaEViIy4TiFBMIzkhhJIn4nngn8lHniRT6ex+TWp
+dM/vkeO5f9ea24kCHAQQAQIABgUCTFxxnwAKCRDxppvkKcD/7nyjD/wIQDebpZRkWpthmHaP
+NtpU8vn2WWtxigo4D/crBIrhWCvJGqm9P9n33AXpGGc3T6VEJGyq4lxdwBP/K5FC8a3hgCXr
+dXAA+V5knfURy8kya5FBGK34YtrGXBcNv77I9GdGdum+tooYNnNJERueRkBLA4aIImB/W3NL
+eL1f8vWVi4vys8Utpj8+5pg5GLstbpmzewtc2LQFstMDeCjBsrDiuZZrsp3fO6zKnizg0SOS
+jTkSdXwvCma9j4mlmU2Ry9QJf3EBqyDwhe5Rcrl8TopaP75wOKD3r5npo+e95Wjvxy06PjjK
+1ntAYLMuEODWiKAhQ31YYYg8v0yMvBRFLfFmtgmSoFcIiGJw7azkxJefqIhQr6SWUF2G3keQ
+iD3qNjrriIqxdJQqj1XZjbwwHMKlvtvokf0xCWltpqzgW9YBcKwqr80Sp5Z2M5wjeB9TWhSu
+uoG44r8dtz7GEVllGwGd+hRYbyhdaEjdgFjZtJ/T2n5ESYQ5h3V3vjJbbxVZ3fOE4ksVNEkR
+5cv/h1x631SuU/287bb/ObGieYIbaIxpaQPedcPuX1+hHbLCrtZ9FAx1COzhIJbXG/2mS+2b
+hTUyax9RQ4n01fgsU/C6FPeGqfyrrfijS2XKQAGsigRGm7rIjENjXM2fGqNsWGEPt9v3YoAl
+vVv216XE3sCRMz4Ua4kCHAQQAQIABgUCTGAriwAKCRAedZpyap/ddM2HEADRXZZx9vRiIKFC
+taquk6DZB15B+CTJSe+rhtiiRiSH8GZcifbF2ARqZF00OctbKkbBNycNV8FuxRiaZZSZN1fu
+ZckgOKwMK83Llj0tHd+BTrjmOiZqrZ20l9j4CMfvoTQZLOqxbf0XKpfkx+WEf8HaJ59+2GDy
+CvqYrzYW4oQLdc1wwQ1mI/6XcP5YyTPaOai7WzrRhL0ClYj6/kKrcyzUm3G91SuC/AXPGs5n
+8QVINq1hidCyEjuRO29Pi9YjOIRA0YSmWwmF1Jq0CAWDlSeWZf6oZZq232UM4OnDosjp58pj
+ldIf8YS8TcNLjFZUSq3ilfIJgTLZIfMj0H+YZyBRvHL8071X6xmqcQXmZb2xGOJHu/Zn1qrq
+BjN7HIOrohVvVqccR5rbmQp2m763vqGCPL8nxZszGvH7v5PFCTdrfa8tlqiugadUvYW+SCn7
+RI1QMijJJjrlWolD6ZJLSiA21a9B/y8XmUluedCQ+RiJLzYBVSZhHI4j6EdavCKbTZfeUZEW
+PiYbpjltZ5oOjoTzI/C7GKn/btPdY298tHPIRPJP2P4Ybi0Xzx1tsZIApFEn/uHxzxndigef
+Q0EtTz/ikmVN3CAPo2i9dj1urBixB2QuoESumF2hjUHs9rZDtug6CuskojI0GAb2wPNf/U6x
+ugU3APwb6c8O+66de8wHNYkCHAQQAQIABgUCTGA3OAAKCRDXiExHGOGPRLxnEADsBFKXFFK9
+8wUfiWk8b5ov+XJRvYhrOQZz7fX0iIxUaZCLaSIViyOD8RYFXr9KKuhGc7pcEvU71ccRdmN3
+SoHz+RQDrCJlRgBosEAY5hfIuqtuCEF/njo1cNSR7kjkYc5PKXpbHL2G+15X8aOBdsd/Wa0W
+E6vLxMerhS5ILRbRs30W/VzcNnlb/3dhHSvJPVF9FGBeZuOahY1edZKU7xu8k+udND6lV1Xy
+j25Ty0mb1WfQ6ORuqLhXPbfIycqLD2sNmpFBNVlRkRejEhJU9IiOrqkgECPjqKUMo9cnCCt1
+rVO0EZYvJGD75wl1PySqbQus1MMLep6FJsqvnUpEh/HzS6+Q3/2AL3a9JLITDm2h0TkCeX6q
+o7b27aoe+J4cjiApF5E643OduBA6Ox2iauEr1t5d1J8ewFWx929EQYHnLgHtBx0CzZGUAZqU
+NJEqLwfgxZaN86Kdw1xP6qKCuCdkhrsLt7gsACvSpkIEEhVxoAHqJleWF4MqozwfpsEO9BSg
+L071pyc0Czw0XJlNNq2sn/GomNRvXLbYeSpqzsLdOAYxsG2l7aNRHVb81ml/OEvIuxHZE4Ae
+cjxfsvnONarc5jWIA7iFgk3sLaTVejP4Y8cbn4rXn+98QwseRPBMHRPx84W0Rx+YUXQSAvVG
+2GboFMP1PvnEEv0Qqq6JsdMmZYkCHAQQAQIABgUCTGWPGAAKCRATwLVmejiwsLktD/9ALTT3
+VOyGLPKCdTYn+kXo/R4x1+VpRdoLLkUnxKBzfTVqtHg6X9GAqMn4b8PIgIh+9ULPiK9OLV5k
+bdko3T/cbP+Cl2iqSbVZoKuYpf/xd49oIdiJm/omruVotTDbz5vOHwxzmrSRcxXNzKrnmptr
+f48dZjoDdrirUJNDlPE7yvM0IvBSwPv5R+t7gcti0/ZZFWDSEQ1fphx5q5fD47+t2Oqeyq9s
+oIC1uO9xnzB7tTmQ4m1Up0mwRsf/r0JdTkcT2Q1PNOttWUY4aDncF+d8wCraPW7715C7iP/U
+saAW2h+MwAVC3yMT6iu1dcufRJsgFg0iEd7G4Uxp4IcCfwSLWD1mh4NEXZ8Tis4hTnfpbICs
+Go7qPAFDdPhWRw7ZGs/aLV0+E6hu0t5hE2CWaOCS7hfx8Z9W1heEuMBqDXZeSEfkiA6/sNHW
+ocgNXiDXVMdyHm53xlswdbSDxDT6CPcdvzHsyNP9/pYd6+CFgTBAw60XqLrjYPr3tyTHBWgt
+vFS0tmSq2h6zMht+yMu0WCoZgw4iTYKtwoE+8RE0aaqwxUcNw1w5h8TTFY0b0NyfD16pHX94
+TruaZnlnpNWZtHgYEqtobMH6SKyOsy0G+BJ/XM3jLKczi1U5osqH0yBRCWxVk0uUAOT7Y8fi
+wkUSNQl8wnUbDoRSOtwCn1AQ0LRgOokCHAQQAQIABgUCTGbH+AAKCRAcAfRDyck8Wux1D/4y
+7uso609rTdbQTInHqA2XUshIOCgsk9aW9Vphgs4hY0VEhhfRyajEa6RrjdYs68BuWUWO8qs8
+PKe3LhgTDv2ZmSBMdXEowYVY0CvvHhyHHZwdMl+6vRZX1uI3SHf3TKqT0eci7gNNvYnCbdMO
+nXiBCM8nYUbbPOzSBKFEq3CE7EhNOvSMZwTu6pnOdH0qiVUvqNTx/hEo9qg+brPrPcLho7Yp
+cGu/Kuqp30r2b/HVv4U5X5mOy/OebqzCAb8WEdWoY9V9sDo0bf4or5DZaY/JB6tozg7bQ4Zv
+CTwyu4x9D1SqnySE9/wsu9xSlhni8e43o9ujv3jxABpbbOPqt00wA43wSoCbdfv4mWLsbGk4
+byKR3eWEh1XcUwRfaPk08fh0ssskKBk8C4sUMIk5oTiT+VU7IZ50gh8+XgMxrwdMcWAQH/Qs
+VtsYhDGA0UTw7C1Qp8mCmeqLVw9RA11d/S47UgYlXBQiv+3LXuYfmz/sALy/ktIpz/tp5CtY
+PeP3CPuFMTlKpVScL7+DbeW4pwwR3pkm1QAVaG/lb3Dqc4QpYcucetSyfdof1E7ZQtCRTR+L
+BXBHkfqQT4xnqYOU8ULraaLaUGOd3y17rlYUXlHijhNtytzSbn+GPDnbteQYqZPx16IS1H/6
+buaSwB5ZRHBbfsF9O8JP9+ldLkbjaodxpIkCHAQQAQIABgUCTHblCgAKCRCvIoOqduKse+8L
+EACKRmLci/pI12k8kF81SrF1TEZG4Mlqtij0vFQNTvaLJW9PSX5xE9ln/WcsLwUPf0ciV7bF
+M92bdaPiiEDOzpC3MFEV8Kx/cBGPdGNx42SHbOrxzbriIt+OCFxylsqlElW+Wbo8chPtXWzi
+/G39v1a/xHVxzBg4uUPFRL6zOOZ12M+l+TCijja4EKgctCb63t+x82GCW8UspmTTaEn8UT5F
+STK+qp4+cQeIYBRBcHAGKyfzKJ6Chbv3MlNq+zhmg3b8NYLTKWOgpP4th1v44EeO/R8Oibnt
+KJ9hqQF7a58hb2JLuoEmXXBJVk552hKD5UjKm1DrfZAapUTbWvVv9L5IdozaDph+GZzpXQ4C
+Mxlwil3JVEe9sWPoT35iApFSgoWbDNYGW8M/CRiyLzYtCqcAzExJbU9KnKOV9kbebiZ8J7CZ
+gxot5en0OaXrc/ALPHjYKrNmZEQ+B7dlUcN7KzFMEJHPC5Jb9xsV3Jje6T17lA+W4skejqPC
+ZB1mi9D6SHTN0MYajeRLasFq7F1Vytd0H09MLkQ3i2lymE50Su7cOsMk1+KjA63C0JmMquMp
+4rvuBt6Sh3qVaXDTPEUV5ZT5by7z6KCb4iYg7AB3IsCTsP9njUCZh19YE8IKxd4y1XXD+ymW
+FwxcQs8Fak4HdGfmXLf7G55wI1E4GHFEwWMJ1YkCHAQQAQIABgUCVXGlUAAKCRDagoMOPMw6
+OpY6D/9xPI7IEHZCcGdZV1C5JH93KmiqARv45K0p36nAxmGH16mpFYtTOuK9oJ3ZSAZtbGp2
+oppbQX5AZHhRUvHcjwv33ME0RduosJqeMA8GT/xZKfXNGvQpn/ZG/pDyDLbL0LyEngRR1R+E
+JCPNAna+op7ULQSQ/gf/HSwPI6ImnirMwXFAGOBSW0s29z0ilC/BYRlr4xt5uGwWugYnyhJK
+/SSwrGBaDxB7hakk2LTeVOe18etFCno07VPoI8pUtNLBiLmySM2aK2Muy4NR+jZjU9x6oDoB
+tTq40fkFln64nK82hqFoJP6kDPkzdQx5NaRiH4PAr1DOydHyXofs0MghS0UKlCZR6rkyAR2k
+9r+b9+KUDEQYrHXXDqhpeCunQv9LGzTi9GmaCatNHJTwTmVk1+oydWiruYLQCQHETCzQrK2Y
+FEonJnwJO8XremTXw+V3jyKZLee311I+ggQmtI5StRF7fFh7OGzdJXBVw5hI1VlISketFvAz
+rllAI8Txt59l45NFNkZDZlJlJeadffen6GOXsWr5q5JfS9XlfLbGlzlrcZCG0uxGfKoYaUJM
+0SNa5rvWO04pEK6AjBufkinWJBIJ1l9bz1uSkDY8g2tQWvdZrqGgih2DAXDhv+lu96U62fn6
+k+UtKx1D2Y6JI+KEdeGffuVp+4SnydvYIAH4GgSaN4kCHAQQAQgABgUCTFxxMwAKCRDxFAhM
+CGEREQw7EADTPt7E7JjfPg5B5r8xEQwvWnQ09/dE9xie4ohfzCOfGVpvTquyG3xKrbw9SKhh
+akS8HPLGgBvvodqvZOqPGP6eZKfAAZmlER5fAEtw42deAGhL074S4XOeuPmRPnYlzPZW8cy8
+HhcmjbuwXbhC7SJs1KtQ+sHZ6ihtTqXoqjsC1ArMOuA0Lsw9d4IOT5sXILtqnk92ynkX420i
+yAiRU5RXlASnBNg5fAmMGZbW2/EGrHtfE+zzpqX0N38qKmBnE7kRgPM8OGYxYGpUl8x+M1zz
+KY8BLhJx+gwCzI4L22uKwqv8dz3kzdWD1RBUUKJycCDzwrR+RI+xO9cQzaU/HOykH3HoRfIG
+TmaewYDxl2vsVeHVDbGdZOmhVRzLqQIS259eRjQe6ZjdMiRJe15j+udFF/iVMgSgq93vWWNF
+WB9Q7dKRZyPHjBuFuL9YP1VmxiNELX/BkQlDXcnlXHvK+KSFuEgV8RgQenmFtHy64YBC0MoS
+ka4NtWkPl9EimPn3iAHNLBCfqqs83TaG9Fl8+V9se/B//AcsNoM0/3vBU/L/5F0PppPVO6fk
+ELDY2V11zy7L5KcLJWm8f4YwOKCdyDYPYVTpl7xGM+30n5h3xto8Mz6f5NWVZbfxfErLU5iK
+aeDdSebdqns+FUXmZYUlWJGCXEnY1aAzy/9MpRSz+mtXAokCHAQQAQgABgUCTF0/MwAKCRCH
+L3AsTW4lqMf4D/9oxFxZbLh/kRIjys0wNgeiq0oBLh+KgN83Rf+vc74A2q2T9/XiopuEtk0T
+ywbz3Xw9KlidyGr9Rrbl6O6aWpy0csxUOWvprE7jaTwjqZxqISNCcsPFbsWQieJ1bVv6upjE
+j/wrTRh4IEC/P+K1OU0lWblbeDDEv2K8aj2uiO8g5Ckp9X8Y47Lh9VMPvSOPN6aFyX0s1DDV
+fweQtoYGQOmteY/pFDP+K+FV8iBw/wjEVEWflqWUCIOAWBT4w2sJ49KDdi3RGmFk6PSp/JsU
+SLGrwUU3YnRiVh2vsK0X5nukWk41jm/1XdvPzEEpMK/RYiSAzGXKvs+UUWFi8g7AHQNfJOl0
+hmB8LYFV7mQOLdbNIVTRB/ImbexKtuLDxU35CIxrJFvg7Ry3ulIZgDgFZEM0D/xu+2tBd28X
+GjppOjqp2W6Zwnn4uwqBXMrggtNRVSeGASTDs8WPdwR3PxYKxx237f8J/aC3o2k08q8KbjmR
+QVRLlOo1huZxmXpn+SUUKUJ0dqrrQHIEyzGtS/VSRRI+Kj4wiThPOS6zmc/vFaLjl5T69sOA
+LS5TJqoGZz7j+GDK2MINkWWNM61SNyzomtdQc2PIICR7TP9zJbOvad1QDfT7kyM1JuhpvV/6
+7XIP/oxk6OfgMT7yHTF6rh+G8UUNt/ZBCYAipcFByCKDwNB5sIkCHAQQAQgABgUCTF1E2gAK
+CRBTlEed01JMUcebD/9aEHlc3TtXSGHF/gxVl0zsi3mFM/wibd2n/2Zv2gRrL0Su7BunKEMc
+l+7SECKbDzWC3LYucKhjgVuPHSgGakk3ANiXiDw4qFqiYil1Prf/MK8F6RWye00IIG7yZamG
++1kLA5ft7sjO/emappGvW7bicXqgoEsazImSi9ekfYhLFKHn64IR4UjynHibKjoXA+EatPnN
+pT+IHnBRRHRq2uaU8ycQoxiwUT8WMPyjlIg7NT+IIYqQm7DRjSTsUoTwhdaMlH7YCbi/dX0y
+SlfG0LF/5fdg+MV0h/hPqy6gq2oRouILZlfEGtvv0vBmqagmPP+m4KJ/6/Ikf5ysMtC/NlN7
+exkyj4M8Nl1U07ijha5CQCvn6DyQmy7xT/rmbJ0i1zjZauFmPf1ZaqennMkz2ndC0glSAYIh
+d76mDDWGjvszrYpbO7KdJJeiO0LkoSW7fKxgabNm6x5MaPVhcynmjlC8BFbn8xuZQst13Pit
+VmFtIDX+SJVFQCK0Ypuw0NhkXx4sRqkBukASSwCRrDxPPWqlg9/Ji9uKjInS7M/y3RDZqwJK
+UZqLw2pdlzdAStExWfA3YAX6lI7IrpHMuoPUt+aKNyO6XBLMOGmAGo6LUP8vOvwfkFI72nWL
+IgHSbB7MzHLFcMxyb4CvGjpZQzu3VDt7sDIweT4ZqWMuMIxreik+M4kCHAQQAQgABgUCTF8j
+ZwAKCRB6j0notjSAvpDND/4nzSbiS1pMCum5H8dhR6odBPIRanEa8fLaltUQCfwG+CXBfuH0
+nguvR07j3oMWLZJ0YqZIfGWy+FRMAqFjkY9Wm35ddEO4fm5O7j662mJn32S7ouAWvMXeZa7i
+uhz7pe5o5hxoN9dzr/jD0qNIUwWzCl8C1KC6Gm2Szhnzr4jMM6fxol3i1TIjzqcRACqIFM9k
+rJdpHe18XEE0Ao/cNC4bPdPFEqFdDi+zoYXNrHqyCl0FqnWOkq9IVa6Sizy/8+ncgLt7mxpR
+CeA6v/N4w55AGlxfS284QzDWUDzAoMzMibhnqoY/3p9xup1tMtOZe+2R6/AOfSa7nB3BSGDi
+g3INNT37Xh3OiwYtiGoAPGnBvMdVQYeLd0ySC1cTls+HsXuhfediraNnzRRgioi+r7Ew29Dj
+H4O0gWhunw0gqn5NO/0sqQyN5cW70iIjhJlXA2pJYXSLvONRzQ9GmvhYIq+UA89UmriycCBd
+u12zi0NfEY85B8qqzFP1c0EJrHclHNm4SuSh/cXFlejRbIiSejp9uCHXQqELSRWzxRWOSy9T
+4iARC/twBSE+rJYfCrTMLKZznBzz+FgY/NU91w+teGbKanrKLKjRJtlXanm5kMSVXpmeTnc4
+x46OO8QjHGto4hyaILX+H0+jYcTFZXV1wXPqgevaGLL5fZ2EwfdURZOMI4kCHAQQAQgABgUC
+TF80rwAKCRDRXTE4ggBBc1JWD/9xj+Vpx8DaFRrmDwND90I7bFDux0MrxxGZ1NJc0WhF03+t
+1rqP5aoqgXTx6UxMHTTQXRk6dNKpqRdWCiacxd9LUpUIFj8QrSE6zwWweW+5e1lCa4cIC69y
+AHRN7LwdWV/s8dTbBWxPuCspDXrb3wPNmNaouw76T2Ny5Qwt13PnkaHmoNGIDju8yOpVhcAM
+mRIeAHgJn5X3WkMPi9dGfKr94Vv+K1dAKzl1VQ2DHUcS8dVUTqugYcaq1NXeZ8ipacQtTy6o
+4+aiY1iBJDvKdH1MxJGsS2EvcXT14r5YzOz+KTwIExlrKK98+3XI/u1L3VkUHqY9rILN03Q+
+cKxX/3dV3j9YDu3mUNL9at+cZ4FjZG/rJ0B/7frBxf9fy+7RnqKHsrr5H7jFK+mZlqyAWqLn
+Lxi1kW9tliiEZ5RgqLsYQk/nvvA/hr01rAI/todTvFHV7RIByNQVrp8zBbpmSUhyGaycc3q0
+aNStTXoy6dFS5WLAirq5o0W2zKRbWF6RAZLCwYAz8BAvKfbdDNAjTeXQ1X6kEYxEmsOJL3UQ
+UYLUHm8Ko8pPeaFLjMfRNZYVdQhpyLQbKxEDWwmzuAxODTHPa+bWmD2QRP6g/be8ff43L+zW
+Ti+1bglSk5xCncsGp5ydPfxYhAQiizIySbmVGV0u+hVPSB+vGJTelgw8p0PMeokCHAQQAQgA
+BgUCTGHuTwAKCRBwNzzxKQ25zl+FD/0TkiEx7eq83NaPbkxw4fQGgIfV+ZQHHZPHZxQmWQe5
+Nw+o6jBv4spK4iTQOgfcyZQ9vcNoxDyvFXTPxD1SA9VhJKY/pvZYgFk4chfIAwqsuLhL2B4x
+fL7XRU044MIy12YG24mQ6wq4Yp4CLX0J7XTkqF4o5gZ53W2lZ8IBhGee13vY658Ie7OmSwXd
+HZwLABOIck59PBOnDQmbIWHw2nO8esxPuCG7A1vJ9oX71PRYGe53310L/vqRWliGwgINI+Lc
+ghnn/GIxdBNAQzvn1vrBtLvZB50Ck5WxRZdRyAh29i8IQKVt43X3CeXatFqPke30n1hudgXN
+f5zu7aJAHA3TvIghig9L9uZtHUMIZzxSovTF75ACmxfqiCXxS2pxqzJacDpahog4rJ/AZbsG
+3787vyhM2zjCiSZIrA2GE53M4M3TQpV8gKAZy54Gdjy2S8FcOiFARFGXVu/l6j3vf2dDrTdI
+Hlr+Ta/f2eKfKhyCLT5ShZwem9O10mpDfP/Lznb4kPKygCjT24t/UdY21mvVKwAiXDtkeeSI
+LhXVj+I4ddyx4xf5mrH7khCxwDiYKr/sPmzFUg6gHHPsxIMoV/8+DA/VU+x/r2thuSH2rdKp
+IuPcN1fLI3R/Buy2Pv3KGHzzOHQyHv2UbfGK5ijKY/lF5Y3RWYynInUcjQLbx9g+V4kCHAQQ
+AQgABgUCTGH1OQAKCRB3MfzMY+Tid/cSD/0XD2h3/YcPxSfN1Wc+CRkbtw/14V3lgDOa83Q1
+Gr6GySQZMeZ9NeBIeC03fvlfmQl4EwFebqGR7jsuRRVZ03P9I9fKoPXJhlx/hpbavP8mkAAd
+Ye/ziA5xjzIi6j7GIpID9ULMvAW9nwPtL6p0ritjvkfx7EOJ1D30ID5Gn0BzyhgPUKiqLsR9
+zdP11Z4u85ja1cgkVXMl6IEMflMJ/qUonGX51sEGvAC9OfbshoASv9g1cohRJe0MAVG0arWj
+KkxekFXTaChVOSuzfavExtlW2eCHy2IH4LVRT2VlOiPA+dyRZuhjBMaRr9raeYnNtB+7SLWu
+XeRgMcAiwWdvKSJRIS1H1sVAlP02APy67wBeHEcMrURx0NzAZaw/7XeyPAt7+S00LJNp6qNQ
+fnecBTF5LZkfKGIentqjKKN0Ns20lyMuo5TGb2mZSdhlYRixsY/z95STNhsGe3SNzgdSpbG1
+2eB8j+uaoLj9Gjd4UF0uAhfS/xqDXF3MONZX+IjKbGnVx1MMwg/ECPjtfRu0nzm2o3jpYQgU
+XlnM/kAjGDcHgWsWyWdKVeMB+bXOwGPl6wDmcAkaj2GoUJP2B2bDnd6QHmtBQSD0jiRmqoXb
+ARisPDuTJ7VywYSND/zTkYfBpXh9YLikxYS+Vl+NtLuvILXsyOt9FV5pxNOoWKVbj3X03okC
+HAQQAQgABgUCTGdOLwAKCRCzRk+JaqFZSNlnEADIAMz9GZZwdKchx9VqWzsHKetF7ASrZuv0
+5DSzfPH9lxJQZskWDRnLLtTzpSkrMDqueu7bgKE5XIoRcPgIfKoBI/iJBZPQaoxN9aRyxrNa
+HM/F3AF2H0hc3fqUyi5+s58C5/El8Bc8oq1ePKGrOWFAFoNTYIvQJ3CNbXfw3tm56TGVKKws
+SMiH+9xk2fIBj1m8mSpAwZKo6CMjlVU3Mz3h7DNiEa0yCiESl3USCIBO1dmIRs08DNn+MZyE
+oeXSXM+eJtw+GpWGwDflnwOlKDlDj42y4K6pH6BubyfXe9ylb5DI19TV1X3wtvsqyhE+nPuT
+4V6j8Bli1YKm/KhwjkXw7KggkStS+6TMlT6EF9f7JiLbDjAqhCZ0eBvgCm/p0/TNL0lBwrf5
+90vD8QpXfnxAprdGR8O9ZEyviUqpw4JRnlRiH7TMBHVDiNCJ0eX53oyFd/TuDSTcvfyp3i2J
+GO38NQfoO0u880bpRbCiBsLcZfEAByaXp2hV/9oPEvBP+95GwbnMAR8PlmL8EDzygDElweDc
+F11FvcD6pgKQdXPubxeM6vJgcrFEozzW0mLZxXLUlv0n64YUMy/7JVoETPIEFJqAKwsMvaJy
+OHJH7ycbs2dTeWNT3KDigSM49VE8ERd7XzyncZUbRk3ZkhGgRAE0Fe1prHPDx86PClBV76hm
+hIkCHAQQAQgABgUCTGy/igAKCRDkT4AW02MPibaTD/442P0Qwf27NHs5RV+n/M2CKeG4sZmB
+epDU0XjnqjTZJYYcMtKvVJ3EPvB8qh3Y69d+pCy92pE9x+4TXj+59pSYxSaZFacW+3s1884K
+BQYe4256NjbVnxQEIStYtS4wRL1xjYBoNnPu1hq+vj+zArQ1pCWjCcM9Wzpl2tUPu7Lat7Os
+qB7HnDvgDB/HUbNgpni6EmfrWN3YlbGthnBXfGvAf3nyPwuM++GKs7a7R/6+it/dnPdke3Tb
+/aJKAC8YXlUSo4mEqpuBzz4Sk+5wBv+xS0h2GF4z+mnwsMY7ChqlyX1eLqfx+WWdO7V5CuPM
+sHMp0WxsCw4x8NPhzBzEPFlYSvYlS2z5M/RMie0g5JuXvs/ajDHZItZYJoVbeRAIVZ5q3ru4
+jR2tuSLQNo8qoqll+u7qA01zeEh3heov+FZXqoe8I1z7XOS6i7ZP745+zdbyRhi2beqEQ6XB
+7ub3jSSOUPM+x+LKxXC7bbhKLlAat5256wZnTTKRVNEUuoCFPtUR8FwzwRXl9AOl1Ekmqdfq
+M1F9TKYq3dPATHCxw/vV1QrCaIbqdJBAtf7ZLHH9B0sAZ8kudVPQeB+Ghr4KYaSPyX8Vstx6
+tl+qTyuVlkWd26OZo1mFUc9kPej7cjiXtf/XOp2mI73piU4bfTAOBHAopiNiKe25M/75bGso
+bAWSh4kCHAQQAQgABgUCTG8qxQAKCRB8Vqz+lHiX2Nc0EACkkjvmLuJz2Wp9Lq0fvdjBhGCp
+95dZFpvcBFJfX0rzifUEmbWRp9fiU9P2SJaCy392PL0gEhEi4P7Aos1rRfyXjGhxcy+TYSUA
+HaP/jQF59XED6t2ElW8+NnZNQ3NE1NnZ2ivcig09GdxvfV/Ivi3dAjYXslsd0um4pVCEEBlc
+lWw9lWRfm1V9/Zmz+/83CNuc6yVGmch9lckcq/1zxqcBE38WyP/cR6nvvuiC4NY9W6e3LobD
+eLkagJqFtsThM06Hy2mI3pDsC33nu0Za1tOV1ihJCUTxArZBDqUYWBN7C7hfx6/+IO+as+2Z
+hi8bav8mjY9j7chXREqnmJq5uTXGyI0LDuTABn+Sfr8861zPeev56GhS3/gBIsvhEik+Hym1
+1qnvlFhICo6Gq8qtXiJ9KQE+XI/bWZgFuflJdDLWT7V+DUw5+Rdqo3Qay0vHvsto+EMQLCiL
+8qLdw3eE5/lVOn9vHPccypGq5saMyS2hdS7yF8x+laj9xfIwMyp3CKTJ892K/NOh+dEhAo4J
+ZNw5tHCviE2KVRxDWNjjBOcrpONkp8o/OPe5bxCXVnV5F9oZqHCfWtXc+MTlI4dkk2dPRB3P
+JNUnKbSgX4x63th/m6oAB1JJ5DE1iT+fdDre4zBpSI3ILCxegWL4ve+hLHUWS/ubfkJtlO5z
+4w4wiLmfPokCHAQQAQgABgUCTG/44AAKCRCdC15bHuyPDso6EADTyj6fKEvSzHFo4caqYOVX
+d5kZir9ss0hzplt/csBDosMdW+wO+wxzt7jXXtfPlA0OGoFqCVEtxUGQG4qYHSbCKPd9PEHS
+ruWlcqNFAqRBi6k0phM8GeKbE0+B1u0qiyEvuG8IuP+1DlXla3yG4yEUWqprBMjl46OnTd7u
+ZKS24zOqnS4Hx9fId3s7bW1JwrVmodbx2rdHDyZKXqCpwXFJsVWe3cbh/h2lXYalDKzwbdcm
+rgDZUJp75YxlxerMiTG9Xc/4e+XOs30DKGy2cHAMitswtjXm7ZKZ8yL5pmbmDeP99XASwByB
+7Mm6KuvQSA+8ByLmkvu9XBrRq5WUG9Cx3m0Shxy7e74w5/u4LJkqrmr1wdw+gZIvWG3UuTWR
+kqJw6rEoiv8WTjJSWE5rTFVaN6YH2OuOFsTWNaUH1bc01HpEKivhk3ZiOOg2Bhxbt7i7oYJc
+Y+UHCbC3PwwktM3wEnANz9UMoIFxn/2OHdIWl09t50iaDErTmtgbfkENDdsXEcLA7qs+8vpr
+8qY+M7ycCuRat7Vu2dqopwpkhRpKtddoMNYZ5/51vFcSuz9BdCk+y+q06Ri494UPVFJsHTvn
+gjtEcxsJopZn4pddzk8g2z69BBWRv31c8xiV5X5QTf9zmRUFD06pux6dn1CUI4zoul5kW0ah
+LwQysmqgG40apYkCHAQQAQgABgUCVZLuEQAKCRDroMbHHAAlb97dEAC8oQamwtIj/SWT2PJS
+Kl3bdPdQaYI8+9ZL9xXLYyhOl8aduFVMlJ7rqkWSdwg/AGnp8nh/pQiaGsnRweqFoSte3poC
+QkNmRR3pgsZ1qqWMxqVrE37R51MSGRBEZq50diQ0sG63tzX7GSnsHXyxDjVfR4J0/ohZzyXn
+UubBB8X/C72E8CaxrFAzyrLY0zqJBMzub+b2zg5Ac0V+GK45Iz4duftmvnWf6d9aOvXsPqe9
+/BPbix8l8lCWUjfAPh0sSskI48mIi+jK6rm7+JmsF+9zIoVxlnnlFcmDxMGtapUl73BzpCKI
+tbplOogAKpA9/2pcSvf2JO26cjQm2gN7BHGfApB4qYFHb90fmSt7XUQEwxyCbsQyhS7Tb6bN
+wI8mTqajGoRZydB8WZVjRgsnnCHa9ecY3Hs1IrTMKM3gl7Kmm1tzbtAK+NMSH0mxPG3dmTbv
+NIkjOcgGTYo4r9Qt4Q6rV0zfm43dZs7AP6nECRYyMggEoHHBDh1PaPUjoUsJ4Q/b0R8yvNNC
+8defastUYtUkepBJ90FzlIJeMLf/1t/1cYX0or5wfp7DPAGxTx3+5EtyKC2Vk3JltR5QkLaj
+blZ2PIq8TTtdDprXJuOtucF33p3SwXRjA59DrxEofOf1B2cAcxvb42QgZ0ToJmfeTz9TfGDS
+adTRh+oqbbjogv0A8okCHAQQAQoABgUCTF22EQAKCRBdMo0IKqqxQBAND/sHFnas21+PsxN5
+Uo2Gr6ieI6NqP2347xT3ZAugQFDhobNJkdXexShpW/PAAxN8/JdndFtuF3nNCy6gSt9c+eLx
+uZ1srzyE9nZeXne59TDI4+ubXhuu/oXIfj0n2j7m53st6+RI5JJ3SuI9kJTOhIYA+7AHBpZp
+XUu+m8sS+Jhyy3h7tqJw4IrwwOfW9/WEwhp3Yb2zDoEBe2Na5whcjFRtCJkJub4YwL3L/D5G
+w31dFnTFQV9C8BNmyPfoHiTWRQovejmORLdNOzaHKy9a0c4fF6C92j4s9wR3KM/eaVJxM5bD
+NvP78usX8LQY5A6C/3+e7kRo1gzDoDhgYii3gDm5hItXXU0V6sTcFWWVSPGwrm+628G3VWmm
+1b57mxWn6+7Yzw01R/CyqEzovFG+M1BZrJn2JqJ8Y4pM7T0oRpi0/Ee9Dqiw4+v5I8wKCTag
+713ZLx2IdMQxIsMnmBq/819ZqjKkYpAbgteov/foku+Y8RvymE+afjxcE+aYQpYOyMPNRMRp
+Dq6CKkVErPNpI758Eav7UqUi5KyfMQ6tMh09F+mKBZvAVE7AGIbrQWhHlTCOYdSRA7uFtgSX
+TUQlMSsj/2xkorXaPoFqShOr1hiWIG78zduIGT5FxSG06j8h7j2h6W7nCj0rYaOzDNOBM9yt
+3il8eu9SeAgl2cEosRL/4IkCHAQQAQoABgUCTF5RxAAKCRA5FLUy9N++mdKJD/9Lclk6nEQu
+xlcgA/0ugEKmWn5JsNnq8ZUl78nZP6fKY0syx9v4bMA+ICQrokfwY4o6dMxcj2Us6JUp/FBV
+Z5lo2T2iPE+ucxobFslNdpZtzOQGOsOJ0N7qirafFXJ7ACtydbnCUaPfzkPYwwplHFqT+yQH
+k4RxBysHWw9a9YoBMl9KFjIwZ7Q8v0x4ywySwfRAKEzFp+ESP+hDwhlOqTBKFL1/P54lmbhG
+JHDCNbwxGLIjiAeCjomyoxpg5YdSZVyWttmsy1rxMV+ndERK5vELfZYqdlhL0quVPzd1L+g0
+m2iA4QdeGfqrCxex7olq1su60PFrMee2wFzH8YEYY70nCi6/JRTb/Vk0wNqgyNjKY434EzHn
+liuyhFvsTkQy+ciegx1lQixRxJfVnyz1BkHNDd37qL9lbzPwVqLhhh7jkjW8koPbExQGjVcH
+St2HCGDcAxyOJK9sG5a2GxPn1K/SzHXWwhVCSQN7sJSkpNmRNgjpJdOTnEtsfRC7keUEG853
+cKtWtqJw38/ye6RbXXHM9y4oiLkSWLneGH3sQFtbmdtjubLQNXE7rfuUHarwCnVHV5FaeAn9
+FNBoo9MCAZL1cuxe7CR/awAuH/JAkuZOanj2jFwvqeyfNgsB/LIlHIBTLPwVXDOZ3E7+KUMJ
+lQ45DOfhGPOSzv3QTL4gP6lcvIkCHAQQAQoABgUCTGWvlAAKCRAyJH+7QK0fpgPsD/9gJRwY
+37FXgq6tqiUO+q8H1m+VQ4y64cKNA/SMOGxV04h7o5tC3B9D/ZghAyfQ71Li88PIk8n7PAV0
+Wnbv+V/9kawa7C7Bfq4OJOGzMU0Y0JPd6LnupBtq+jtE9H1TLneCiBu05bjeLSQde438Or9w
+SV0sLwqKncwqRJY8iIjz9O44X+6+6p4CqdMYmsZV9nGM+cES6uytQ/sB/mh5PutZahslWurz
+ouec1uqTY4uuGNwOz+MJvYUNPyajcgtpH8JNQ0phlUvV+nAOJuiNXBHw8MbxNzTdLfsdtdpy
+zRH6NAMN3QHrtEGAQ8XgFnCtu6BEPpgOQIB1pMw9OiRMhkcu9uCNCY5p9NMhL1tEx92DkSyW
+lmFIF/h1Ohd4yaxnn9jwTVxxhdAxqK0rIORy+sHUSuc5LrtItNe+AnTvQeY7MRgZwJuCCohQ
+L3OLXULZajB98g6cZQJmNmtdUeqMY/QymIOH8IoY3SCOws4h4QZSSVxNczo2Ag5R5QKSpBA6
+jjsFo/VHUX0wB/KbJTb1Hl2vtID20kR7MfzACFTI9AEbwvG6CX7oWsnciom7bHEiyHWR4Olp
+tlpQk2RQ4T3RG8r9kDgJuX6KmDH6uI9CdYTuBxQgIfpEm+tfSki3LVfnOKgkRDqAJciBv+ua
+qeW7KSjNDpBC4u8pn9tyX8RhpYUP7IkCHAQQAQoABgUCTGwP9AAKCRB4U9pNSYga09OUD/9X
+xTiFFzcuev5k8MtYx7+T30Z549gFnOx6GdFgCK7GzW7ZjnofKt8e0NIQmzzCf0g1vxdulqeZ
+7Oh8iFrxpPZyOKJoO2BDKS9VnYEANQf+quUJPTdyhGqdMSDQGbSEqjLF3oNp/+jdIIMjuo3Q
+nShdK/BJPcluN7AoOFLQ3QH4Q5fEbtwc+bEJL9TfFqAhUhcY3TYnqWtsMRW3tkrgCvcp0Bo7
+LMSJB6jH4Dx5q60Am4V1Zz7C9wxtZeZP+P0h0YYWCbOmQWhzT2aCRYDrp1o3SsuatHm/bPkv
+rliBzslW8i5Hh3gv5Atn/P5bhMaXtJiGepkat/MGw1hP8BYaSb/mmy9XbdMlfDijcsAF2+w6
+w1b782oCGXgz2ISqPLsFYWccS4GOAwSytep22iwsWpIx2JNNndg4GVfgBxx3QIhci7EVN5Pv
+/586PwxTetIZmQ+FNNHcAzqBzi3oe6J8o7HlMEHjG6Dps/D2clTNHtD0vSk5ECfhSC3W8OAD
+VSuB8NxZVfI2UfnyCsdjyDLUu06fMR4gNW+zlSHI1FJBSVuU8CCQOtMPJ5fHPq3hEc0DFyLx
+8fPE02n8It0wm5RrdUkgOjiVK2n251SyAwSM6zATCFOIt6zdZWx6T/HrJw5wzI+wgsZHibVt
+i0vOA0GsAXzobE5yyhhWTnhqJgW2vKNHjYkCIgQQAQoADAUCTGLdPgWDCWYBgAAKCRDM0u2U
+0hc56aYKD/4gPLkcER4nlKdsMN5x4MuUjBbv/+Hab1+hSDxEiA0Ya2Lt3J64y03fz7J1RzIB
+djH2QGhdvuZtEohiad44DUdLNGJ98q7PPll2KPeuuth+bDa3P4h8ynVbCJRSmIkSVCRG90eE
+AibHWOgTNOmn48Rwq5zMEgwNvmgsX7ZRm7Mwggt24LIK93iBMqH7WqS1CujF+WqQygpk671e
+GUIWSUc/iBmaHZ/yoElL5cSBSPHm+ePyQsPSN7ooaWfodXXTADpQN4d5Tl1WzwZT8G5cRVLP
+4CZ4sqbzJ9EKWFMlohcf3ibT4r8H5ij8btgq0TvNcoMvCbO2P94KChQWxQSwJRftJ9/GPPo1
+7zK7pXGK1QMZNMYhvbYSdcbxG/AsmC4qJb4NVdrrxBiEye41+M+nQiT7g2GbbJ9gBCv8k7lH
+iw3B+KfNoAkQ2v2CaVMrguQuzxCs8Zpl7iKuFG+d3SGqnn8rRrRPE5AOlSk6bOr22jLyGsns
+URt6Mvh5QyVrk0G/6YW/5IMIVNuS/i12m6ireKvpPBkUIkNlS938vNqZ4LnsZ/+gBlZqmY8H
+sZEt6Wfq7efDBw8z1FLRW58xOqCY0vh4tteFJkcY1LgzK5GUddIHfYcO/Y6p/3/Vq1/ao4VJ
+Jq+HSIsqrdW1nF3EDSbwyy96uAdxuhfZLxSgRugCKyyOk4kCNwQTAQgAIQIbAwIeAQIXgAUC
+Sgdo4AULCQgHAwUVCgkICwUWAgMBAAAKCRBEl1J4uGErXaQAD/9wcX8JM24NI9mCjnHOGOuV
+eo/1Z9sefzYvhlbbTWvJsEdt5eaL0FRl+kErHtwNyEqvOTAmt860GrpekjkFYQObCsmDOiEy
+i+vJBScub9YK6TJSOQJ7f7zyIwzHgvilktujiS+/YDqd1IEyxD3QxQ9PTdjcQX/Z7enfBeei
+sBFfgRwbH32p5EtdwovrmBYtgyXUqp+lSg9kG3vvdj0bt/Fkq7Es1eEW8Sp9QqaBpo2fuzNS
+rojYfZu68coreRIV/nhuA7/ehjiVXlvzi3su+0ybJwGZXLXaM7kxXoYm5i8NDxp4p+7laXe2
+J6HUuIQM5ea4NuPu9BKIpKGxqNXQE+n4tmX3lp6QwXuZShwOXjSFsKxXvipKI4sAkxPfrPFa
+xzz/EDqUf9lzCBZ5nl6+OLv+GyTz6Meq1NGIX1N7u6XBPtdCujVbKzXd5PbEk0Y00skLFcQ4
+9FwAwDFw1XIPljQ6WttsQlV6k0yoVJZc6HHovnV1zGDviSyUdegDX9uKBmgGG8ApliPLvZ6r
+haU4yHykFHBMPfwBNBwrmthTShdPS7xh4bz5xYlay9wm2CzIVB6muK8PIyTrRfouuFivJuYA
+zoEcPBbubalC3OCocLl2xv+Qb5G7cz2hTDx9JZXUD18IeG2A2mcLeGp1zTc1qz/7h9qa0TLe
+fWpC75exhIgXVrkCDQRKB2tdARAAqsQbw2Qd1WfbJr9U1KRdwTKm2OsDODftgNv0zmfaiYCN
+iOKEsrsJdtonmaisMi+Z+5/wrf3Q0bV54qmwOMTlCVvqnpxwbVik8VVGWgUcLJYYK5Lkn0dz
+rtZs6AaT/sbFewir8q6m3ADbq9hTXxt9uUfe5Z/D4sdbhgbWtQa/DeJwWZr6VeyCHcY8BhR0
+FXYmYDZ0c1rmbZZBt+vIF4UNTNU4x6me9va6QPW0nWTEjae9ExGSPwm1B4hQd63Nop6E2Vqu
+ahdJqKVRYYmD/IqVXOxAhFRA/w9vqF95aV2BB/ZrF0FTA8iCEbFy3oNrZfq8KlJRCtcUH2qf
+igMndOt8P65omM1DQhlvterVgm2PCb1GmwLEbMi+HtLntziFozYGLTlAMcUJt7Pyu/iinzx6
+Sc4U108dmNTJLxqSZtvJFaRyHml9x7oP2gWjpuyVgo1KuEXKq2Z96S+sxE/YtPyB/cBpazZ+
++o/i7PLhxKa1RTIA8NgkDelWeNalvYzjNkB+tXeH0UnxtBTC+PW8dyUP8OmmM/2V1Dzcj9Tm
+Ky/G04TFQyL1NjvFjzXyIUO5WpdEbSs04h5J3KM6YZJlicqB2aKAUslOi9wUIpKRK+UZBTSj
+886jynsu+HA1Ob6tcTSlwtj95RV7nBTiTM6MpPuxTmZ2DR/vLE6c7yE+XgrOx9EAEQEAAYkC
+HwQYAQgACQUCSgdrXQIbDAAKCRBEl1J4uGErXVFeD/9Q2vtN0FeOiveLwN4KAFbMLZP97bT/
+sRJkQQUZoawfbINwzGDuFrZSsWipoBLam6BnMH6OfHkUOrCToZROHYagW/nv/WTjBTX8lJt8
+SFhHh4ONPBaxF90z/YrpWlNcs/z/rqu+sm1KgCA9mkheENGOj3t97udZNfA1N4NZu67Lo6HZ
+yUUCK+eJtX6BS2HgMGokHuGha/LokTor1lkl52Y3CVfds9YDrJmlSQVhxI/S6/IajLwKFyHd
+pMiK/o8q3mYuZ7JKCBOooNnRpa4myUrBetf1p6xZqbhEAALMFJc7/8NXxesqvG7RQJ7VWyYO
+5BhgzPutqTUOVZskc3r4cvaB7CT1CsKPdW+af/I8q/C7dhTWWthirPN4DCdcTIlK9ECpba+m
+S7MQG/3ta7+/3lT3yyMKlhLkAaUlUNa/VbzUHOlVA1txJk6jcuEzWIzebEtoT/aYJZwNE+jL
+CFOC75HTGlxp7/8ngHCXn1rcBS9TQJ7CGX31HhbmNak0LtzhAS4B+fWQLrFfShTREcYD+31z
+yLns4jIKY8dehPner0Y8RX31/0eQOknRwRSl6uceu/6liJT23KHYzT3FPGHuK2QH6AHnORGS
+g6FmBsbXSzosQOKWE3sO0dzjPIE6DRKwZIJmqQKvHqeAvPsC0U7JBWlKl0eMoIuDjp9qFDKz
+BWcdiQ==
+=iUyJ
+-----END PGP PUBLIC KEY BLOCK-----
+
+ diff --git a/apt/tasks/evolix_public.yml b/apt/tasks/evolix_public.yml index 9b04c971..5bfb3287 100644 --- a/apt/tasks/evolix_public.yml +++ b/apt/tasks/evolix_public.yml @@ -10,8 +10,8 @@ - name: Add Evolix GPG key apt_key: - keyserver: "hkp://keyserver.ubuntu.com:80" - id: 44975278B8612B5D + #url: http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x44975278B8612B5D + data: "{{ lookup('file', 'reg.gpg') }}" - name: Evolix public list is installed template: diff --git a/docker-host/files/docker-debian.gpg b/docker-host/files/docker-debian.gpg new file mode 100644 index 00000000..ee7872e5 --- /dev/null +++ b/docker-host/files/docker-debian.gpg @@ -0,0 +1,62 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFit2ioBEADhWpZ8/wvZ6hUTiXOwQHXMAlaFHcPH9hAtr4F1y2+OYdbtMuth +lqqwp028AqyY+PRfVMtSYMbjuQuu5byyKR01BbqYhuS3jtqQmljZ/bJvXqnmiVXh +38UuLa+z077PxyxQhu5BbqntTPQMfiyqEiU+BKbq2WmANUKQf+1AmZY/IruOXbnq +L4C1+gJ8vfmXQt99npCaxEjaNRVYfOS8QcixNzHUYnb6emjlANyEVlZzeqo7XKl7 +UrwV5inawTSzWNvtjEjj4nJL8NsLwscpLPQUhTQ+7BbQXAwAmeHCUTQIvvWXqw0N +cmhh4HgeQscQHYgOJjjDVfoY5MucvglbIgCqfzAHW9jxmRL4qbMZj+b1XoePEtht +ku4bIQN1X5P07fNWzlgaRL5Z4POXDDZTlIQ/El58j9kp4bnWRCJW0lya+f8ocodo +vZZ+Doi+fy4D5ZGrL4XEcIQP/Lv5uFyf+kQtl/94VFYVJOleAv8W92KdgDkhTcTD +G7c0tIkVEKNUq48b3aQ64NOZQW7fVjfoKwEZdOqPE72Pa45jrZzvUFxSpdiNk2tZ +XYukHjlxxEgBdC/J3cMMNRE1F4NCA3ApfV1Y7/hTeOnmDuDYwr9/obA8t016Yljj +q5rdkywPf4JF8mXUW5eCN1vAFHxeg9ZWemhBtQmGxXnw9M+z6hWwc6ahmwARAQAB +tCtEb2NrZXIgUmVsZWFzZSAoQ0UgZGViKSA8ZG9ja2VyQGRvY2tlci5jb20+iQI3 +BBMBCgAhBQJYrefAAhsvBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEI2BgDwO +v82IsskP/iQZo68flDQmNvn8X5XTd6RRaUH33kXYXquT6NkHJciS7E2gTJmqvMqd +tI4mNYHCSEYxI5qrcYV5YqX9P6+Ko+vozo4nseUQLPH/ATQ4qL0Zok+1jkag3Lgk +jonyUf9bwtWxFp05HC3GMHPhhcUSexCxQLQvnFWXD2sWLKivHp2fT8QbRGeZ+d3m +6fqcd5Fu7pxsqm0EUDK5NL+nPIgYhN+auTrhgzhK1CShfGccM/wfRlei9Utz6p9P +XRKIlWnXtT4qNGZNTN0tR+NLG/6Bqd8OYBaFAUcue/w1VW6JQ2VGYZHnZu9S8LMc +FYBa5Ig9PxwGQOgq6RDKDbV+PqTQT5EFMeR1mrjckk4DQJjbxeMZbiNMG5kGECA8 +g383P3elhn03WGbEEa4MNc3Z4+7c236QI3xWJfNPdUbXRaAwhy/6rTSFbzwKB0Jm +ebwzQfwjQY6f55MiI/RqDCyuPj3r3jyVRkK86pQKBAJwFHyqj9KaKXMZjfVnowLh +9svIGfNbGHpucATqREvUHuQbNnqkCx8VVhtYkhDb9fEP2xBu5VvHbR+3nfVhMut5 +G34Ct5RS7Jt6LIfFdtcn8CaSas/l1HbiGeRgc70X/9aYx/V/CEJv0lIe8gP6uDoW +FPIZ7d6vH+Vro6xuWEGiuMaiznap2KhZmpkgfupyFmplh0s6knymuQINBFit2ioB +EADneL9S9m4vhU3blaRjVUUyJ7b/qTjcSylvCH5XUE6R2k+ckEZjfAMZPLpO+/tF +M2JIJMD4SifKuS3xck9KtZGCufGmcwiLQRzeHF7vJUKrLD5RTkNi23ydvWZgPjtx +Q+DTT1Zcn7BrQFY6FgnRoUVIxwtdw1bMY/89rsFgS5wwuMESd3Q2RYgb7EOFOpnu +w6da7WakWf4IhnF5nsNYGDVaIHzpiqCl+uTbf1epCjrOlIzkZ3Z3Yk5CM/TiFzPk +z2lLz89cpD8U+NtCsfagWWfjd2U3jDapgH+7nQnCEWpROtzaKHG6lA3pXdix5zG8 +eRc6/0IbUSWvfjKxLLPfNeCS2pCL3IeEI5nothEEYdQH6szpLog79xB9dVnJyKJb +VfxXnseoYqVrRz2VVbUI5Blwm6B40E3eGVfUQWiux54DspyVMMk41Mx7QJ3iynIa +1N4ZAqVMAEruyXTRTxc9XW0tYhDMA/1GYvz0EmFpm8LzTHA6sFVtPm/ZlNCX6P1X +zJwrv7DSQKD6GGlBQUX+OeEJ8tTkkf8QTJSPUdh8P8YxDFS5EOGAvhhpMBYD42kQ +pqXjEC+XcycTvGI7impgv9PDY1RCC1zkBjKPa120rNhv/hkVk/YhuGoajoHyy4h7 +ZQopdcMtpN2dgmhEegny9JCSwxfQmQ0zK0g7m6SHiKMwjwARAQABiQQ+BBgBCAAJ +BQJYrdoqAhsCAikJEI2BgDwOv82IwV0gBBkBCAAGBQJYrdoqAAoJEH6gqcPyc/zY +1WAP/2wJ+R0gE6qsce3rjaIz58PJmc8goKrir5hnElWhPgbq7cYIsW5qiFyLhkdp +YcMmhD9mRiPpQn6Ya2w3e3B8zfIVKipbMBnke/ytZ9M7qHmDCcjoiSmwEXN3wKYI +mD9VHONsl/CG1rU9Isw1jtB5g1YxuBA7M/m36XN6x2u+NtNMDB9P56yc4gfsZVES +KA9v+yY2/l45L8d/WUkUi0YXomn6hyBGI7JrBLq0CX37GEYP6O9rrKipfz73XfO7 +JIGzOKZlljb/D9RX/g7nRbCn+3EtH7xnk+TK/50euEKw8SMUg147sJTcpQmv6UzZ +cM4JgL0HbHVCojV4C/plELwMddALOFeYQzTif6sMRPf+3DSj8frbInjChC3yOLy0 +6br92KFom17EIj2CAcoeq7UPhi2oouYBwPxh5ytdehJkoo+sN7RIWua6P2WSmon5 +U888cSylXC0+ADFdgLX9K2zrDVYUG1vo8CX0vzxFBaHwN6Px26fhIT1/hYUHQR1z +VfNDcyQmXqkOnZvvoMfz/Q0s9BhFJ/zU6AgQbIZE/hm1spsfgvtsD1frZfygXJ9f +irP+MSAI80xHSf91qSRZOj4Pl3ZJNbq4yYxv0b1pkMqeGdjdCYhLU+LZ4wbQmpCk +SVe2prlLureigXtmZfkqevRz7FrIZiu9ky8wnCAPwC7/zmS18rgP/17bOtL4/iIz +QhxAAoAMWVrGyJivSkjhSGx1uCojsWfsTAm11P7jsruIL61ZzMUVE2aM3Pmj5G+W +9AcZ58Em+1WsVnAXdUR//bMmhyr8wL/G1YO1V3JEJTRdxsSxdYa4deGBBY/Adpsw +24jxhOJR+lsJpqIUeb999+R8euDhRHG9eFO7DRu6weatUJ6suupoDTRWtr/4yGqe +dKxV3qQhNLSnaAzqW/1nA3iUB4k7kCaKZxhdhDbClf9P37qaRW467BLCVO/coL3y +Vm50dwdrNtKpMBh3ZpbB1uJvgi9mXtyBOMJ3v8RZeDzFiG8HdCtg9RvIt/AIFoHR +H3S+U79NT6i0KPzLImDfs8T7RlpyuMc4Ufs8ggyg9v3Ae6cN3eQyxcK3w0cbBwsh +/nQNfsA6uu+9H7NhbehBMhYnpNZyrHzCmzyXkauwRAqoCbGCNykTRwsur9gS41TQ +M8ssD1jFheOJf3hODnkKU+HKjvMROl1DK7zdmLdNzA1cvtZH/nCC9KPj1z8QC47S +xx+dTZSx4ONAhwbS/LN3PoKtn8LPjY9NP9uDWI+TWYquS2U+KHDrBDlsgozDbs/O +jCxcpDzNmXpWQHEtHU7649OXHP7UeNST1mCUCH5qdank0V1iejF6/CfTFU4MfcrG +YT90qFF93M3v01BbxP+EIY2/9tiIPbrd +=0YYh +-----END PGP PUBLIC KEY BLOCK----- diff --git a/docker-host/tasks/main.yml b/docker-host/tasks/main.yml index 6fc0b28c..f468404c 100644 --- a/docker-host/tasks/main.yml +++ b/docker-host/tasks/main.yml @@ -31,8 +31,8 @@ - name: Add Docker's official GPG key apt_key: - url: "https://download.docker.com/linux/debian/gpg" - state: present + #url: https://download.docker.com/linux/debian/gpg + data: "{{ lookup('file', 'docker-debian.gpg') }}" - name: Install docker and python-docker apt: diff --git a/mongodb/files/server-3.4.asc b/mongodb/files/server-3.4.asc new file mode 100644 index 00000000..1d681f82 --- /dev/null +++ b/mongodb/files/server-3.4.asc @@ -0,0 +1,30 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.11 (GNU/Linux) + +mQINBFaUNhsBEACkTlpL9xCrlirl77tahFzzd9ccTc5wP+M3oob18GIaMYKicjbR +h6J6ytCiXCkl65zYKvQdLkt8qlkBVc5DxGeJvD41IY3NzGPz+BZ9pFFBndAE+JEP +ng0ULLxzUDmWXIoukdHqf92BSizTFd2A8v+YGuwOkNBdPi/BHkwiViAaAKDZm/4k +9LZeOF0v7gZF89QD75NrSCKo5SGFRb8Cxi4KR4cS/jPuQVjd+B9fWkc74BUWE91t +3R87Uypd+1qnmoN6cOssLZ4s8n/cyOCkVphGmk1tDDhbEsI4knOqtPXaBHiC4lVI +ghpTHEDUuDfbQ7scySae8/YItTC/vVGngiJmZSfZU5AvVspe6rfkHQHqZs3gYMqj +XPl7acviEAZ7OiMp9diq6Kgp+xLRvRGL+jtUjLkP5O4gJlnxCm7YWrYfYA/vHULD +MyIGSBzuESGxL+Ygz+Dc0Aim9NPM5KhpV5FoAXNt50cn6n1adIwbUciRY0zBXKAI +Vj6D+j3e0ozsO+GGEpmQFAIo1h7CEn8VV61WaLz2F60LKR8d/DEMZ7SY8uznbzkm +TJCeCp/pTnPeGwkyJmJ78LAaKw2tSCeEAfRlnzPeQeanOnEX/wnAjHHAHewvGgQe +GW1QkEdy8zNmfODDf9wqknBShaFRHAOAQFEgBAkYHuT4SgHqW8TVDtF3CQARAQAB +tDdNb25nb0RCIDMuNCBSZWxlYXNlIFNpZ25pbmcgS2V5IDxwYWNrYWdpbmdAbW9u +Z29kYi5jb20+iQI+BBMBAgAoBQJWlDYbAhsDBQkDwmcABgsJCAcDAgYVCAIJCgsE +FgIDAQIeAQIXgAAKCRC8cR+boVcDxmtEEACSjnZcwcozGYS/8peH2P8yPxD2mXVQ +AJ8Pss+YBo8hpRaiA7BEY+FFthbSYEX8XRR/Bg9HjDk9CNXc221I0WcTRv3Sb718 +QutRd4ppdGtusgTHjUdYNDzctExU90vtJRvwI2oiz2YA8dM7mtTzUFpR4IQGopB4 +PmjEls6hkebTjjSaO9UmcLyip+S+rTZ9c8UQvBH7rNoe4QacmGi/l/uUo/q4J7nE +jtjpsemUK7LWY7YtB21F/hH3OrQkgQAoVv2q2xSaiLJeWsr33jgd4o4/d3QN1t/P +GkNIOEBdO/hM8uOj+hGD+tDphHzd9jGjALqV6lC2k9zNXyAFnTUwp0NL74hODv6z +daihKu4fTRU7S0eYSGc2sQDPiiQF5YkxAHqADnPmR2ZpBVVtbUNB31BDOYjTzRwq +tkLKRCgI29Kgut0Uhvq+/Hx+0485ndgzcqeaLhslUagZy1bXN3sDW4QYN2tPvP+P +2JDtGydsYGZCWA0FBRFdsSbruBSK/BkEpGhq97bE9vclfVchb989A47lgErusw5C +xtLxUGPmVc2dYmHJLUkgHszdcTLHwy8/arYMehG7RVzAEG55AueLsc9B0vSI0E6r +lvalHgoCttCynEzM4Ol1rcG9XtlCyKk4AeimYLE/cxlckDoIVVwrFXrRrhB41Asw +rP4l4xtk+nWHpg== +=F42J +-----END PGP PUBLIC KEY BLOCK----- diff --git a/mongodb/tasks/main.yml b/mongodb/tasks/main.yml index 47551fde..d6c634ad 100644 --- a/mongodb/tasks/main.yml +++ b/mongodb/tasks/main.yml @@ -8,8 +8,8 @@ # Attention à bien indiquer le protocole et le port, sinon le firewall ne laisse pas passer - name: MongoDB public GPG Key apt_key: - keyserver: "hkp://keyserver.ubuntu.com:80" - id: "0C49F3730359A14518585931BC711F9BA15703C6" + # url: https://www.mongodb.org/static/pgp/server-3.4.asc + data: "{{ lookup('file', 'server-3.4.asc') }}" - name: enable APT sources list apt_repository: diff --git a/nodejs/files/nodesource.gpg.key b/nodejs/files/nodesource.gpg.key new file mode 100644 index 00000000..1dc1d101 --- /dev/null +++ b/nodejs/files/nodesource.gpg.key @@ -0,0 +1,52 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1 +Comment: GPGTools - https://gpgtools.org + +mQINBFObJLYBEADkFW8HMjsoYRJQ4nCYC/6Eh0yLWHWfCh+/9ZSIj4w/pOe2V6V+ +W6DHY3kK3a+2bxrax9EqKe7uxkSKf95gfns+I9+R+RJfRpb1qvljURr54y35IZgs +fMG22Np+TmM2RLgdFCZa18h0+RbH9i0b+ZrB9XPZmLb/h9ou7SowGqQ3wwOtT3Vy +qmif0A2GCcjFTqWW6TXaY8eZJ9BCEqW3k/0Cjw7K/mSy/utxYiUIvZNKgaG/P8U7 +89QyvxeRxAf93YFAVzMXhoKxu12IuH4VnSwAfb8gQyxKRyiGOUwk0YoBPpqRnMmD +Dl7SdmY3oQHEJzBelTMjTM8AjbB9mWoPBX5G8t4u47/FZ6PgdfmRg9hsKXhkLJc7 +C1btblOHNgDx19fzASWX+xOjZiKpP6MkEEzq1bilUFul6RDtxkTWsTa5TGixgCB/ +G2fK8I9JL/yQhDc6OGY9mjPOxMb5PgUlT8ox3v8wt25erWj9z30QoEBwfSg4tzLc +Jq6N/iepQemNfo6Is+TG+JzI6vhXjlsBm/Xmz0ZiFPPObAH/vGCY5I6886vXQ7ft +qWHYHT8jz/R4tigMGC+tvZ/kcmYBsLCCI5uSEP6JJRQQhHrCvOX0UaytItfsQfLm +EYRd2F72o1yGh3yvWWfDIBXRmaBuIGXGpajC0JyBGSOWb9UxMNZY/2LJEwARAQAB +tB9Ob2RlU291cmNlIDxncGdAbm9kZXNvdXJjZS5jb20+iQI4BBMBAgAiBQJTmyS2 +AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAWVaCraFdigHTmD/9OKhUy +jJ+h8gMRg6ri5EQxOExccSRU0i7UHktecSs0DVC4lZG9AOzBe+Q36cym5Z1di6JQ +kHl69q3zBdV3KTW+H1pdmnZlebYGz8paG9iQ/wS9gpnSeEyx0Enyi167Bzm0O4A1 +GK0prkLnz/yROHHEfHjsTgMvFwAnf9uaxwWgE1d1RitIWgJpAnp1DZ5O0uVlsPPm +XAhuBJ32mU8S5BezPTuJJICwBlLYECGb1Y65Cil4OALU7T7sbUqfLCuaRKxuPtcU +VnJ6/qiyPygvKZWhV6Od0Yxlyed1kftMJyYoL8kPHfeHJ+vIyt0s7cropfiwXoka +1iJB5nKyt/eqMnPQ9aRpqkm9ABS/r7AauMA/9RALudQRHBdWIzfIg0Mlqb52yyTI +IgQJHNGNX1T3z1XgZhI+Vi8SLFFSh8x9FeUZC6YJu0VXXj5iz+eZmk/nYjUt4Mtc +pVsVYIB7oIDIbImODm8ggsgrIzqxOzQVP1zsCGek5U6QFc9GYrQ+Wv3/fG8hfkDn +xXLww0OGaEQxfodm8cLFZ5b8JaG3+Yxfe7JkNclwvRimvlAjqIiW5OK0vvfHco+Y +gANhQrlMnTx//IdZssaxvYytSHpPZTYw+qPEjbBJOLpoLrz8ZafN1uekpAqQjffI +AOqW9SdIzq/kSHgl0bzWbPJPw86XzzftewjKNbkCDQRTmyS2ARAAxSSdQi+WpPQZ +fOflkx9sYJa0cWzLl2w++FQnZ1Pn5F09D/kPMNh4qOsyvXWlekaV/SseDZtVziHJ +Km6V8TBG3flmFlC3DWQfNNFwn5+pWSB8WHG4bTA5RyYEEYfpbekMtdoWW/Ro8Kmh +41nuxZDSuBJhDeFIp0ccnN2Lp1o6XfIeDYPegyEPSSZqrudfqLrSZhStDlJgXjea +JjW6UP6txPtYaaila9/Hn6vF87AQ5bR2dEWB/xRJzgNwRiax7KSU0xca6xAuf+TD +xCjZ5pp2JwdCjquXLTmUnbIZ9LGV54UZ/MeiG8yVu6pxbiGnXo4Ekbk6xgi1ewLi +vGmz4QRfVklV0dba3Zj0fRozfZ22qUHxCfDM7ad0eBXMFmHiN8hg3IUHTO+UdlX/ +aH3gADFAvSVDv0v8t6dGc6XE9Dr7mGEFnQMHO4zhM1HaS2Nh0TiL2tFLttLbfG5o +QlxCfXX9/nasj3K9qnlEg9G3+4T7lpdPmZRRe1O8cHCI5imVg6cLIiBLPO16e0fK +yHIgYswLdrJFfaHNYM/SWJxHpX795zn+iCwyvZSlLfH9mlegOeVmj9cyhN/VOmS3 +QRhlYXoA2z7WZTNoC6iAIlyIpMTcZr+ntaGVtFOLS6fwdBqDXjmSQu66mDKwU5Ek +fNlbyrpzZMyFCDWEYo4AIR/18aGZBYUAEQEAAYkCHwQYAQIACQUCU5sktgIbDAAK +CRAWVaCraFdigIPQEACcYh8rR19wMZZ/hgYv5so6Y1HcJNARuzmffQKozS/rxqec +0xM3wceL1AIMuGhlXFeGd0wRv/RVzeZjnTGwhN1DnCDy1I66hUTgehONsfVanuP1 +PZKoL38EAxsMzdYgkYH6T9a4wJH/IPt+uuFTFFy3o8TKMvKaJk98+Jsp2X/QuNxh +qpcIGaVbtQ1bn7m+k5Qe/fz+bFuUeXPivafLLlGc6KbdgMvSW9EVMO7yBy/2JE15 +ZJgl7lXKLQ31VQPAHT3an5IV2C/ie12eEqZWlnCiHV/wT+zhOkSpWdrheWfBT+ac +hR4jDH80AS3F8jo3byQATJb3RoCYUCVc3u1ouhNZa5yLgYZ/iZkpk5gKjxHPudFb +DdWjbGflN9k17VCf4Z9yAb9QMqHzHwIGXrb7ryFcuROMCLLVUp07PrTrRxnO9A/4 +xxECi0l/BzNxeU1gK88hEaNjIfviPR/h6Gq6KOcNKZ8rVFdwFpjbvwHMQBWhrqfu +G3KaePvbnObKHXpfIKoAM7X2qfO+IFnLGTPyhFTcrl6vZBTMZTfZiC1XDQLuGUnd +sckuXINIU3DFWzZGr0QrqkuE/jyr7FXeUJj9B7cLo+s/TXo+RaVfi3kOc9BoxIvy +/qiNGs/TKy2/Ujqp/affmIMoMXSozKmga81JSwkADO1JMgUy6dApXz9kP4EE3g== +=CLGF +-----END PGP PUBLIC KEY BLOCK----- diff --git a/nodejs/tasks/main.yml b/nodejs/tasks/main.yml index 31e6bd0a..bd276dc7 100644 --- a/nodejs/tasks/main.yml +++ b/nodejs/tasks/main.yml @@ -11,8 +11,8 @@ - name: Node GPG key is installed apt_key: - url: https://deb.nodesource.com/gpgkey/nodesource.gpg.key - state: present + #url: https://deb.nodesource.com/gpgkey/nodesource.gpg.key + data: "{{ lookup('file', 'nodesource.gpg.key') }}" tags: - system - packages diff --git a/postgresql/files/ACCC4CF8.asc b/postgresql/files/ACCC4CF8.asc new file mode 100644 index 00000000..8480576e --- /dev/null +++ b/postgresql/files/ACCC4CF8.asc @@ -0,0 +1,77 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBE6XR8IBEACVdDKT2HEH1IyHzXkb4nIWAY7echjRxo7MTcj4vbXAyBKOfjja +UrBEJWHN6fjKJXOYWXHLIYg0hOGeW9qcSiaa1/rYIbOzjfGfhE4x0Y+NJHS1db0V +G6GUj3qXaeyqIJGS2z7m0Thy4Lgr/LpZlZ78Nf1fliSzBlMo1sV7PpP/7zUO+aA4 +bKa8Rio3weMXQOZgclzgeSdqtwKnyKTQdXY5MkH1QXyFIk1nTfWwyqpJjHlgtwMi +c2cxjqG5nnV9rIYlTTjYG6RBglq0SmzF/raBnF4Lwjxq4qRqvRllBXdFu5+2pMfC +IZ10HPRdqDCTN60DUix+BTzBUT30NzaLhZbOMT5RvQtvTVgWpeIn20i2NrPWNCUh +hj490dKDLpK/v+A5/i8zPvN4c6MkDHi1FZfaoz3863dylUBR3Ip26oM0hHXf4/2U +A/oA4pCl2W0hc4aNtozjKHkVjRx5Q8/hVYu+39csFWxo6YSB/KgIEw+0W8DiTII3 +RQj/OlD68ZDmGLyQPiJvaEtY9fDrcSpI0Esm0i4sjkNbuuh0Cvwwwqo5EF1zfkVj +Tqz2REYQGMJGc5LUbIpk5sMHo1HWV038TWxlDRwtOdzw08zQA6BeWe9FOokRPeR2 +AqhyaJJwOZJodKZ76S+LDwFkTLzEKnYPCzkoRwLrEdNt1M7wQBThnC5z6wARAQAB +tBxQb3N0Z3JlU1FMIERlYmlhbiBSZXBvc2l0b3J5iQJOBBMBCAA4AhsDBQsJCAcD +BRUKCQgLBRYCAwEAAh4BAheAFiEEuXsK/KoaR/BE8kSgf8x9RqzMTPgFAlhtCD8A +CgkQf8x9RqzMTPgECxAAk8uL+dwveTv6eH21tIHcltt8U3Ofajdo+D/ayO53LiYO +xi27kdHD0zvFMUWXLGxQtWyeqqDRvDagfWglHucIcaLxoxNwL8+e+9hVFIEskQAY +kVToBCKMXTQDLarz8/J030Pmcv3ihbwB+jhnykMuyyNmht4kq0CNgnlcMCdVz0d3 +z/09puryIHJrD+A8y3TD4RM74snQuwc9u5bsckvRtRJKbP3GX5JaFZAqUyZNRJRJ +Tn2OQRBhCpxhlZ2afkAPFIq2aVnEt/Ie6tmeRCzsW3lOxEH2K7MQSfSu/kRz7ELf +Cz3NJHj7rMzC+76Rhsas60t9CjmvMuGONEpctijDWONLCuch3Pdj6XpC+MVxpgBy +2VUdkunb48YhXNW0jgFGM/BFRj+dMQOUbY8PjJjsmVV0joDruWATQG/M4C7O8iU0 +B7o6yVv4m8LDEN9CiR6r7H17m4xZseT3f+0QpMe7iQjz6XxTUFRQxXqzmNnloA1T +7VjwPqIIzkj/u0V8nICG/ktLzp1OsCFatWXh7LbU+hwYl6gsFH/mFDqVxJ3+DKQi +vyf1NatzEwl62foVjGUSpvh3ymtmtUQ4JUkNDsXiRBWczaiGSuzD9Qi0ONdkAX3b +ewqmN4TfE+XIpCPxxHXwGq9Rv1IFjOdCX0iG436GHyTLC1tTUIKF5xV4Y0+cXIOI +RgQQEQgABgUCTpdI7gAKCRDFr3dKWFELWqaPAKD1TtT5c3sZz92Fj97KYmqbNQZP ++ACfSC6+hfvlj4GxmUjp1aepoVTo3weJAhwEEAEIAAYFAk6XSQsACgkQTFprqxLS +p64F8Q//cCcutwrH50UoRFejg0EIZav6LUKejC6kpLeubbEtuaIH3r2zMblPGc4i ++eMQKo/PqyQrceRXeNNlqO6/exHozYi2meudxa6IudhwJIOn1MQykJbNMSC2sGUp +1W5M1N5EYgt4hy+qhlfnD66LR4G+9t5FscTJSy84SdiOuqgCOpQmPkVRm1HX5X1+ +dmnzMOCk5LHHQuiacV0qeGO7JcBCVEIDr+uhU1H2u5GPFNHm5u15n25tOxVivb94 +xg6NDjouECBH7cCVuW79YcExH/0X3/9G45rjdHlKPH1OIUJiiX47OTxdG3dAbB4Q +fnViRJhjehFscFvYWSqXo3pgWqUsEvv9qJac2ZEMSz9x2mj0ekWxuM6/hGWxJdB+ ++985rIelPmc7VRAXOjIxWknrXnPCZAMlPlDLu6+vZ5BhFX0Be3y38f7GNCxFkJzl +hWZ4Cj3WojMj+0DaC1eKTj3rJ7OJlt9S9xnO7OOPEUTGyzgNIDAyCiu8F4huLPaT +ape6RupxOMHZeoCVlqx3ouWctelB2oNXcxxiQ/8y+21aHfD4n/CiIFwDvIQjl7dg +mT3u5Lr6yxuosR3QJx1P6rP5ZrDTP9khT30t+HZCbvs5Pq+v/9m6XDmi+NlU7Zuh +Ehy97tL3uBDgoL4b/5BpFL5U9nruPlQzGq1P9jj40dxAaDAX/WKJAj0EEwEIACcC +GwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AFAlB5KywFCQPDFt8ACgkQf8x9RqzM +TPhuCQ//QAjRSAOCQ02qmUAikT+mTB6baOAakkYq6uHbEO7qPZkv4E/M+HPIJ4wd +nBNeSQjfvdNcZBA/x0hr5EMcBneKKPDj4hJ0panOIRQmNSTThQw9OU351gm3YQct +AMPRUu1fTJAL/AuZUQf9ESmhyVtWNlH/56HBfYjE4iVeaRkkNLJyX3vkWdJSMwC/ +LO3Lw/0M3R8itDsm74F8w4xOdSQ52nSRFRh7PunFtREl+QzQ3EA/WB4AIj3VohIG +kWDfPFCzV3cyZQiEnjAe9gG5pHsXHUWQsDFZ12t784JgkGyO5wT26pzTiuApWM3k +/9V+o3HJSgH5hn7wuTi3TelEFwP1fNzI5iUUtZdtxbFOfWMnZAypEhaLmXNkg4zD +kH44r0ss9fR0DAgUav1a25UnbOn4PgIEQy2fgHKHwRpCy20d6oCSlmgyWsR40EPP +YvtGq49A2aK6ibXmdvvFT+Ts8Z+q2SkFpoYFX20mR2nsF0fbt1lfH65P64dukxeR +GteWIeNakDD40bAAOH8+OaoTGVBJ2ACJfLVNM53PEoftavAwUYMrR910qvwYfd/4 +6rh46g1Frr9SFMKYE9uvIJIgDsQB3QBp71houU4H55M5GD8XURYs+bfiQpJG1p7e +B8e5jZx1SagNWc4XwL2FzQ9svrkbg1Y+359buUiP7T6QXX2zY++JAj0EEwEIACcC +GwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AFAlEqbZUFCQg2wEEACgkQf8x9RqzM +TPhFMQ//WxAfKMdpSIA9oIC/yPD/dJpY/+DyouOljpE6MucMy/ArBECjFTBwi/j9 +NYM4ynAk34IkhuNexc1i9/05f5RM6+riLCLgAOsADDbHD4miZzoSxiVr6GQ3YXMb +OGld9kV9Sy6mGNjcUov7iFcf5Hy5w3AjPfKuR9zXswyfzIU1YXObiiZT38l55pp/ +BSgvGVQsvbNjsff5CbEKXS7q3xW+WzN0QWF6YsfNVhFjRGj8hKtHvwKcA02wwjLe +LXVTm6915ZUKhZXUFc0vM4Pj4EgNswH8Ojw9AJaKWJIZmLyW+aP+wpu6YwVCicxB +Y59CzBO2pPJDfKFQzUtrErk9irXeuCCLesDyirxJhv8o0JAvmnMAKOLhNFUrSQ2m ++3EnF7zhfz70gHW+EG8X8mL/EN3/dUM09j6TVrjtw43RLxBzwMDeariFF9yC+5bL +tnGgxjsB9Ik6GV5v34/NEEGf1qBiAzFmDVFRZlrNDkq6gmpvGnA5hUWNr+y0i01L +jGyaLSWHYjgw2UEQOqcUtTFK9MNzbZze4mVaHMEz9/aMfX25R6qbiNqCChveIm8m +Yr5Ds2zdZx+G5bAKdzX7nx2IUAxFQJEE94VLSp3npAaTWv3sHr7dR8tSyUJ9poDw +gw4W9BIcnAM7zvFYbLF5FNggg/26njHCCN70sHt8zGxKQINMc6SJAj0EEwEIACcC +GwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AFAlLpFRkFCQ6EJy0ACgkQf8x9RqzM +TPjOZA//Zp0e25pcvle7cLc0YuFr9pBv2JIkLzPm83nkcwKmxaWayUIG4Sv6pH6h +m8+S/CHQij/yFCX+o3ngMw2J9HBUvafZ4bnbI0RGJ70GsAwraQ0VlkIfg7GUw3Tz +voGYO42rZTru9S0K/6nFP6D1HUu+U+AsJONLeb6oypQgInfXQExPZyliUnHdipei +4WR1YFW6sjSkZT/5C3J1wkAvPl5lvOVthI9Zs6bZlJLZwusKxU0UM4Btgu1Sf3nn +JcHmzisixwS9PMHE+AgPWIGSec/N27a0KmTTvImV6K6nEjXJey0K2+EYJuIBsYUN +orOGBwDFIhfRk9qGlpgt0KRyguV+AP5qvgry95IrYtrOuE7307SidEbSnvO5ezNe +mE7gT9Z1tM7IMPfmoKph4BfpNoH7aXiQh1Wo+ChdP92hZUtQrY2Nm13cmkxYjQ4Z +gMWfYMC+DA/GooSgZM5i6hYqyyfAuUD9kwRN6BqTbuAUAp+hCWYeN4D88sLYpFh3 +paDYNKJ+Gf7Yyi6gThcV956RUFDH3ys5Dk0vDL9NiWwdebWfRFbzoRM3dyGP889a +OyLzS3mh6nHzZrNGhW73kslSQek8tjKrB+56hXOnb4HaElTZGDvD5wmrrhN94kby +Gtz3cydIohvNO9d90+29h0eGEDYti7j7maHkBKUAwlcPvMg5m3Y= +=DA1T +-----END PGP PUBLIC KEY BLOCK----- diff --git a/postgresql/tasks/pgdg-repo.yml b/postgresql/tasks/pgdg-repo.yml index 539debbc..ee42591e 100644 --- a/postgresql/tasks/pgdg-repo.yml +++ b/postgresql/tasks/pgdg-repo.yml @@ -15,7 +15,8 @@ - name: Add GPG key for PGDG repository apt_key: - url: http://apt.postgresql.org/pub/repos/apt/ACCC4CF8.asc + #url: http://apt.postgresql.org/pub/repos/apt/ACCC4CF8.asc + data: "{{ lookup('file', 'ACCC4CF8.asc') }}" - name: Add APT preference file template: From f480ae461cf9ae1da3dd68977e5d2468a82e08f6 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Wed, 23 Aug 2017 03:13:04 +0200 Subject: [PATCH 188/277] add main.cf hash for stretch --- postfix/tasks/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/postfix/tasks/main.yml b/postfix/tasks/main.yml index 3d7e59f3..49ccb2ac 100644 --- a/postfix/tasks/main.yml +++ b/postfix/tasks/main.yml @@ -20,7 +20,8 @@ group: root mode: "0644" force: yes - when: default_main_cf.stdout == "5450c05d65878e99dad696c7c722e511 -" + when: default_main_cf.stdout == "5450c05d65878e99dad696c7c722e511 -" or + default_main_cf.stdout == "30022953f1f61f002bfb72e163ecb27e -" notify: restart postfix - meta: flush_handlers From 453b78a59bbd727cbb409e4967171bebbd9e84d8 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Wed, 23 Aug 2017 03:17:07 +0200 Subject: [PATCH 189/277] do not remove old log files --- packweb-apache/tasks/main.yml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/packweb-apache/tasks/main.yml b/packweb-apache/tasks/main.yml index 5bcd59d9..bd3fe6c4 100644 --- a/packweb-apache/tasks/main.yml +++ b/packweb-apache/tasks/main.yml @@ -109,15 +109,6 @@ - /var/log/evolix.log - /etc/warnquota.conf -- name: Remove some log files (/var/log/mail.err, ...) - file: - path: "{{ item }}" - state: absent - with_items: - - /var/log/debug - - /var/log/mail.err - - /var/log/mail.warn - - name: Install Evoadmin include_role: name: webapps/evoadmin-web From e10e971dbec05169385f118e65a8ee3b31be9f8f Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Wed, 23 Aug 2017 03:23:16 +0200 Subject: [PATCH 190/277] move FHS restrictions to a new file --- packweb-apache/defaults/main.yml | 1 + packweb-apache/tasks/fhs_retrictions.yml | 63 ++++++++++++++++++++++++ packweb-apache/tasks/main.yml | 62 +---------------------- 3 files changed, 66 insertions(+), 60 deletions(-) create mode 100644 packweb-apache/tasks/fhs_retrictions.yml diff --git a/packweb-apache/defaults/main.yml b/packweb-apache/defaults/main.yml index 9457fd8a..25c8d6fd 100644 --- a/packweb-apache/defaults/main.yml +++ b/packweb-apache/defaults/main.yml @@ -2,3 +2,4 @@ # defaults file for packweb-apache general_alert_email: "root@localhost" packweb_enable_evoadmin_vhost: True +packweb_fhs_retrictions: True diff --git a/packweb-apache/tasks/fhs_retrictions.yml b/packweb-apache/tasks/fhs_retrictions.yml new file mode 100644 index 00000000..123148aa --- /dev/null +++ b/packweb-apache/tasks/fhs_retrictions.yml @@ -0,0 +1,63 @@ +--- + +- name: Remove read permission on some folders (/, /etc, ...) + shell: "test -d {{ item }} && chmod --verbose o-r {{ item }}" + register: command_result + changed_when: "'changed' in command_result.stdout" + failed_when: False + with_items: + - / + - /etc + - /usr + - /usr/bin + - /var + - /var/log + - /home + - /bin + - /sbin + - /lib + - /usr/lib + - /usr/include + - /usr/bin + - /usr/sbin + - /usr/share + - /usr/share/doc + - /etc/default + +- name: Set 750 permission on some folders (/var/log/apt, /var/log/munin, ...) + shell: "test -d {{ item }} && chmod --verbose 750 {{ item }}" + register: command_result + changed_when: "'changed' in command_result.stdout" + failed_when: False + with_items: + - /var/log/apt + - /var/lib/dpkg + - /var/log/munin + - /var/backups + - /etc/init.d + - /etc/apache2 + - /etc/network + - /etc/phpmyadmin + - /var/log/installer + +- name: Set u-s permission on some binaries (/bin/ping, /usr/bin/mtr, ...) + shell: "test -f {{ item }} && chmod --verbose u-s {{ item }}" + register: command_result + changed_when: "'changed' in command_result.stdout" + failed_when: False + with_items: + - /bin/ping + - /bin/ping6 + - /usr/bin/fping + - /usr/bin/fping6 + - /usr/bin/mtr + +- name: Set 640 permission on some files (/var/log/evolix.log, ...) + shell: "test -f {{ item }} && chmod --verbose 640 {{ item }}" + register: command_result + changed_when: "'changed' in command_result.stdout" + failed_when: False + with_items: + - /var/log/evolix.log + - /etc/warnquota.conf + diff --git a/packweb-apache/tasks/main.yml b/packweb-apache/tasks/main.yml index bd3fe6c4..961f419e 100644 --- a/packweb-apache/tasks/main.yml +++ b/packweb-apache/tasks/main.yml @@ -48,66 +48,8 @@ - include: awstats.yml -- name: Remove read permission on some folders (/, /etc, ...) - shell: "test -d {{ item }} && chmod --verbose o-r {{ item }}" - register: command_result - changed_when: "'changed' in command_result.stdout" - failed_when: False - with_items: - - / - - /etc - - /usr - - /usr/bin - - /var - - /var/log - - /home - - /bin - - /sbin - - /lib - - /usr/lib - - /usr/include - - /usr/bin - - /usr/sbin - - /usr/share - - /usr/share/doc - - /etc/default - -- name: Set 750 permission on some folders (/var/log/apt, /var/log/munin, ...) - shell: "test -d {{ item }} && chmod --verbose 750 {{ item }}" - register: command_result - changed_when: "'changed' in command_result.stdout" - failed_when: False - with_items: - - /var/log/apt - - /var/lib/dpkg - - /var/log/munin - - /var/backups - - /etc/init.d - - /etc/apache2 - - /etc/network - - /etc/phpmyadmin - - /var/log/installer - -- name: Set u-s permission on some binaries (/bin/ping, /usr/bin/mtr, ...) - shell: "test -f {{ item }} && chmod --verbose u-s {{ item }}" - register: command_result - changed_when: "'changed' in command_result.stdout" - failed_when: False - with_items: - - /bin/ping - - /bin/ping6 - - /usr/bin/fping - - /usr/bin/fping6 - - /usr/bin/mtr - -- name: Set 640 permission on some files (/var/log/evolix.log, ...) - shell: "test -f {{ item }} && chmod --verbose 640 {{ item }}" - register: command_result - changed_when: "'changed' in command_result.stdout" - failed_when: False - with_items: - - /var/log/evolix.log - - /etc/warnquota.conf +- include: fhs_retrictions.yml + when: packweb_fhs_retrictions - name: Install Evoadmin include_role: From 5bbec8f82935cea127bf9eb666ed1781d25595b2 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Wed, 23 Aug 2017 03:30:38 +0200 Subject: [PATCH 191/277] first step to improve userlogrotate in Debian 9 --- packweb-apache/files/userlogrotate | 11 +++---- packweb-apache/files/userlogrotate_jessie | 38 +++++++++++++++++++++++ packweb-apache/tasks/main.yml | 15 ++++++++- 3 files changed, 57 insertions(+), 7 deletions(-) create mode 100644 packweb-apache/files/userlogrotate_jessie diff --git a/packweb-apache/files/userlogrotate b/packweb-apache/files/userlogrotate index 339101a9..9d45af6a 100644 --- a/packweb-apache/files/userlogrotate +++ b/packweb-apache/files/userlogrotate @@ -23,11 +23,6 @@ for log in access.log access-*.log error.log; do done done -for i in `ls -1 -d $HOMEPREFIX/*/log/php.log 2>/dev/null | grep -v \.bak\.`; do - USER=`user_for $i` - rotate $i www-$USER:$USER -done - for log in production.log delayed_job.log development.log test.log; do for i in `ls -1 -d $HOMEPREFIX/*/www/{,current/}log/$log 2>/dev/null | grep -v \.bak\.`; do USER=`user_for $i` @@ -35,4 +30,8 @@ for log in production.log delayed_job.log development.log test.log; do done done -apache2ctl restart > /dev/null +if /etc/init.d/apache2 status > /dev/null ; then \ + /etc/init.d/apache2 reload > /dev/null; \ +fi; + +test -x /usr/sbin/nginx && invoke-rc.d nginx rotate >/dev/null 2>&1 diff --git a/packweb-apache/files/userlogrotate_jessie b/packweb-apache/files/userlogrotate_jessie new file mode 100644 index 00000000..339101a9 --- /dev/null +++ b/packweb-apache/files/userlogrotate_jessie @@ -0,0 +1,38 @@ +#!/bin/bash + +DATE=`/bin/date +"%d-%m-%Y"` +HOMEPREFIX="/home" + +rotate () { + mv $1 $1.$DATE + gzip $1.$DATE + touch $1 + chown $2 $1 + chmod g+r $1 +} + +user_for() { + homedir=`echo $1 | sed "s#\($HOMEPREFIX/\([^/]\+\)\).*#\1#"` + stat -L -c '%G' $homedir +} + +for log in access.log access-*.log error.log; do + for i in `ls -1 -d $HOMEPREFIX/*/log/$log 2>/dev/null | grep -v \.bak\.`; do + USER=`user_for $i` + rotate $i root:$USER + done +done + +for i in `ls -1 -d $HOMEPREFIX/*/log/php.log 2>/dev/null | grep -v \.bak\.`; do + USER=`user_for $i` + rotate $i www-$USER:$USER +done + +for log in production.log delayed_job.log development.log test.log; do + for i in `ls -1 -d $HOMEPREFIX/*/www/{,current/}log/$log 2>/dev/null | grep -v \.bak\.`; do + USER=`user_for $i` + rotate $i $USER:$USER + done +done + +apache2ctl restart > /dev/null diff --git a/packweb-apache/tasks/main.yml b/packweb-apache/tasks/main.yml index 961f419e..764a60f6 100644 --- a/packweb-apache/tasks/main.yml +++ b/packweb-apache/tasks/main.yml @@ -1,5 +1,10 @@ --- +- fail: + msg: only compatible with Debian >= 8 + when: + - ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<') + - name: Include apache role include_role: name: apache @@ -30,11 +35,19 @@ - access.log - error.log -- name: Install userlogrotate +- name: "Install userlogrotate (jessie)" + copy: + src: userlogrotate_jessie + dest: /etc/cron.weekly/userlogrotate + mode: "0755" + when: ansible_distribution_release == "jessie" + +- name: "Install userlogrotate (Debian 9 or later)" copy: src: userlogrotate dest: /etc/cron.weekly/userlogrotate mode: "0755" + when: ansible_distribution_major_version | version_compare('9', '>=') - name: Force DIR_MODE to 0750 in /etc/adduser.conf lineinfile: From 9aec7c88915960894c4737da77e6bffe619997c9 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Wed, 23 Aug 2017 04:28:21 +0200 Subject: [PATCH 192/277] First step to use new evoadmin / FPM --- packweb-apache/defaults/main.yml | 3 +++ packweb-apache/tasks/main.yml | 8 ++++++++ webapps/evoadmin-web/tasks/user.yml | 12 ++++++++++++ 3 files changed, 23 insertions(+) diff --git a/packweb-apache/defaults/main.yml b/packweb-apache/defaults/main.yml index 25c8d6fd..6a2da764 100644 --- a/packweb-apache/defaults/main.yml +++ b/packweb-apache/defaults/main.yml @@ -1,5 +1,8 @@ --- # defaults file for packweb-apache general_alert_email: "root@localhost" + packweb_enable_evoadmin_vhost: True packweb_fhs_retrictions: True +packweb_apache_modphp: True +packweb_apache_fpm: False diff --git a/packweb-apache/tasks/main.yml b/packweb-apache/tasks/main.yml index 764a60f6..cf974547 100644 --- a/packweb-apache/tasks/main.yml +++ b/packweb-apache/tasks/main.yml @@ -14,6 +14,14 @@ name: php vars: php_apache_enable: True + when: packweb_apache_modphp + +- name: Include PHP role + include_role: + name: php + vars: + php_fpm_enable: True + when: packweb_apache_fpm - name: Add elements to user account template file: diff --git a/webapps/evoadmin-web/tasks/user.yml b/webapps/evoadmin-web/tasks/user.yml index 8023777d..00d151ae 100644 --- a/webapps/evoadmin-web/tasks/user.yml +++ b/webapps/evoadmin-web/tasks/user.yml @@ -21,9 +21,21 @@ git: repo: https://forge.evolix.org/evoadmin-web.git dest: "{{ evoadmin_document_root}}" + version: jessie update: no # Warning: Need sudo! become_user: "{{ evoadmin_username }}" + when: ansible_distribution_release == "jessie" + +- name: Clone evoadmin repository + git: + repo: https://forge.evolix.org/evoadmin-web.git + dest: "{{ evoadmin_document_root}}" + version: master + update: yes + # Warning: Need sudo! + become_user: "{{ evoadmin_username }}" + when: ansible_distribution_major_version | version_compare('9', '>=') - include: remount_usr_rw.yml when: evoadmin_scripts_dir | search ("/usr") From 8ed1aaf160dcf6c878c0a718253e1550564d8e7a Mon Sep 17 00:00:00 2001 From: Romain Dessort Date: Thu, 24 Aug 2017 12:07:16 -0400 Subject: [PATCH 193/277] Fix multiple bugs in lxc role after testing --- lxc/README.md | 2 +- lxc/defaults/main.yml | 2 +- lxc/tasks/create-container.yml | 7 ++++--- lxc/tasks/main.yml | 7 +++++-- lxc/templates/default.conf | 3 +++ 5 files changed, 14 insertions(+), 7 deletions(-) diff --git a/lxc/README.md b/lxc/README.md index 4da64f3c..c267d6b9 100644 --- a/lxc/README.md +++ b/lxc/README.md @@ -10,7 +10,7 @@ Everything is in the `tasks/main.yml` file. Here is the list of available variables: -* `lxc_unprivilegied_containers`: should LXC containers run in unprivilegied (non root) mode? Default: `true` +* `lxc_unprivilegied_containers`: should LXC containers run in unprivilegied (non root) mode? Currently `lxc_unprivilegied_containers: true` does not work. Default: `false` * `lxc_network_type`: network type to use. See lxc.container.conf(5). Default: `"none"` * `lxc_mount_part`: partition to bind mount into containers. Default: `"/home"` * `lxc_containers`: list of LXC containers to create. Default: `[]` (empty). diff --git a/lxc/defaults/main.yml b/lxc/defaults/main.yml index 86636da2..e7e1c1ff 100644 --- a/lxc/defaults/main.yml +++ b/lxc/defaults/main.yml @@ -1,6 +1,6 @@ --- # Should LXC containers run in unprivilegied (non root) mode? -lxc_unprivilegied_containers: true +lxc_unprivilegied_containers: false # Network type to use. See lxc.container.conf(5). lxc_network_type: "none" diff --git a/lxc/tasks/create-container.yml b/lxc/tasks/create-container.yml index fc4b5a72..8b35d66b 100644 --- a/lxc/tasks/create-container.yml +++ b/lxc/tasks/create-container.yml @@ -1,6 +1,7 @@ --- - name: Check if container exists command: "lxc-ls {{name}}" + changed_when: false register: container_exists - name: Create container @@ -18,7 +19,7 @@ lineinfile: name: "/var/lib/lxc/{{name}}/rootfs/etc/default/halt" line: "NETDOWN=no" - when: lxc_network_type == "none" + when: lxc_network_type == "none" and release != "stretch" - name: Make the container poweroff on SIGPWR (sent by lxc-stop) on jessie file: @@ -35,18 +36,18 @@ name: "/var/lib/lxc/{{name}}/rootfs/etc/hosts" line: "127.0.0.1 {{name}}" -# Still needed? - name: Fix permission on /dev lineinfile: name: "/var/lib/lxc/{{name}}/rootfs/etc/rc.local" line: "chmod 755 /dev" insertbefore: "^exit 0$" + when: release != 'stretch' - name: Check if container is running command: "lxc-ls --running {{name}}" + changed_when: false register: container_running - name: "Start {{name}} container" command: "lxc-start -dn {{name}}" when: container_running.stdout_lines == [] - diff --git a/lxc/tasks/main.yml b/lxc/tasks/main.yml index e92e7d39..48ecf51b 100644 --- a/lxc/tasks/main.yml +++ b/lxc/tasks/main.yml @@ -10,12 +10,15 @@ - name: Check if root has subuids command: grep '^root:100000:10000$' /etc/subuid + failed_when: false + changed_when: false register: root_subuids + when: lxc_unprivilegied_containers - name: Add subuid and subgid ranges to root command: usermod -v 100000-199999 -w 100000-109999 root - when: not root_subuids.rc + when: lxc_unprivilegied_containers and root_subuids.rc - name: Create containers include: "create-container.yml name={{item.name}} release={{item.release}}" - with_items: lxc_containers + with_items: "{{lxc_containers}}" diff --git a/lxc/templates/default.conf b/lxc/templates/default.conf index 5aaf824e..bf3501d3 100644 --- a/lxc/templates/default.conf +++ b/lxc/templates/default.conf @@ -20,3 +20,6 @@ lxc.tty = 1 # Run 64bits containers lxc.arch = x86_64 + +# Start containers on boot by default +lxc.start.auto = 1 From 58bc7940ace7d1339a52a8b7c5ac404c539da3ac Mon Sep 17 00:00:00 2001 From: Romain Dessort Date: Thu, 24 Aug 2017 12:56:12 -0400 Subject: [PATCH 194/277] Add LimitUIDRange. Fix sudo calls from evoadmin --- apache/files/evolinux-defaults.conf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/apache/files/evolinux-defaults.conf b/apache/files/evolinux-defaults.conf index e4f1f512..348717ea 100644 --- a/apache/files/evolinux-defaults.conf +++ b/apache/files/evolinux-defaults.conf @@ -29,3 +29,8 @@ SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4 ProxyStatus On + + +LimitUIDRange 0 6000 +LimitGIDRange 0 6000 + From 1b8095604367d488af60bd779b8c8e280a82344f Mon Sep 17 00:00:00 2001 From: Daniel Jakots Date: Mon, 28 Aug 2017 14:05:27 -0400 Subject: [PATCH 195/277] remove OpenBSD tentacles, requested by gcolpart --- unbound/tasks/main.yml | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/unbound/tasks/main.yml b/unbound/tasks/main.yml index 33d4a4ff..209c6d0f 100644 --- a/unbound/tasks/main.yml +++ b/unbound/tasks/main.yml @@ -19,18 +19,6 @@ tags: - unbound -- name: Copy Unbound config - template: - src: unbound.conf.j2 - dest: /var/unbound/etc/unbound.conf - owner: root - group: wheel - mode: "0644" - when: ansible_distribution == "OpenBSD" - notify: reload unbound - tags: - - unbound - - name: Starting and enabling Unbound service: name: unbound From b02e49073a7659eaa124495dc4b1c8f0eb7b6a33 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Mon, 28 Aug 2017 19:44:11 +0200 Subject: [PATCH 196/277] don't crash when use in root (no SUDO_USER) --- etc-git/tasks/commit.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc-git/tasks/commit.yml b/etc-git/tasks/commit.yml index 3d0562c9..e83d85c6 100644 --- a/etc-git/tasks/commit.yml +++ b/etc-git/tasks/commit.yml @@ -26,7 +26,7 @@ - name: set commit author set_fact: - etc_git_commit_options: "{% if ansible_env.SUDO_USER %} --author \"{{ ansible_env.SUDO_USER }} <{{ git_config_user_email.config_value |default()}}>\"{% endif %}" + etc_git_commit_options: "{ --author \"{{ ansible_env.SUDO_USER |default(\"root\")}} <{{ git_config_user_email.config_value |default(\"root@localhost\")}}>\"" - name: /etc modifications are committed shell: "git add -A . && git commit -m \"{{ commit_message | mandatory }}\"{{ etc_git_commit_options }}" From df6170404f6237b9d2502b79e98a275d76674baa Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Tue, 29 Aug 2017 00:00:59 +0200 Subject: [PATCH 197/277] typo in include file --- haproxy/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/haproxy/tasks/main.yml b/haproxy/tasks/main.yml index 4f0e7820..43e3c4b5 100644 --- a/haproxy/tasks/main.yml +++ b/haproxy/tasks/main.yml @@ -7,7 +7,7 @@ - haproxy - packages -- include: jessie_backports.yml +- include: packages_jessie_backports.yml when: ansible_distribution_release == "jessie" and haproxy_jessie_backports - name: Install HAProxy package From aca83c50a9911c30aa3dcdf3b5ef23151009252c Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Tue, 29 Aug 2017 00:05:36 +0200 Subject: [PATCH 198/277] need libssl1.0.0 backport for haproxy in jessie-backports --- haproxy/files/haproxy_apt_preferences | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/haproxy/files/haproxy_apt_preferences b/haproxy/files/haproxy_apt_preferences index 18de5cea..bae1e794 100644 --- a/haproxy/files/haproxy_apt_preferences +++ b/haproxy/files/haproxy_apt_preferences @@ -1,3 +1,3 @@ -Package: haproxy +Package: haproxy libssl1.0.0 Pin: release a=jessie-backports Pin-Priority: 999 From 8cfa0a6ef25be1532423f3d9eb3f9b320549380e Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Tue, 29 Aug 2017 02:32:20 +0200 Subject: [PATCH 199/277] Fix: openssl req -subj arg need to be "/CN=" --- evolinux-base/tasks/default_www.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evolinux-base/tasks/default_www.yml b/evolinux-base/tasks/default_www.yml index 2e67eb97..6e2b710e 100644 --- a/evolinux-base/tasks/default_www.yml +++ b/evolinux-base/tasks/default_www.yml @@ -27,7 +27,7 @@ - block: - name: Create private key and csr for default site ({{ ansible_fqdn }}) - command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "{{ evolinux_default_www_ssl_subject }}" + command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "/CN={{ evolinux_default_www_ssl_subject }}" args: creates: "/etc/ssl/private/{{ ansible_fqdn }}.key" From 4a81d12d03a13f609ba13dfb7f406751796bfdd4 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Tue, 29 Aug 2017 03:09:57 +0200 Subject: [PATCH 200/277] Delete OpenBSD stuff (mv to another repo), ansible-roles is now Linux-specific (even Debian-specific) --- etc-git/tasks/main.yml | 7 --- evocheck/README.md | 1 - munin/tasks/debian.yml | 87 -------------------------- munin/tasks/main.yml | 89 ++++++++++++++++++++++++-- munin/tasks/openbsd.yml | 100 ------------------------------ nagios-nrpe/tasks/debian.yml | 51 --------------- nagios-nrpe/tasks/main.yml | 55 +++++++++++++--- nagios-nrpe/tasks/openbsd.yml | 42 ------------- newsyslog/README.md | 5 -- newsyslog/files/newsyslog.conf | 15 ----- newsyslog/meta/main.yml | 15 ----- newsyslog/tasks/main.yml | 7 --- newsyslog/tasks/openbsd.yml | 12 ---- unbound/templates/unbound.conf.j2 | 4 -- 14 files changed, 133 insertions(+), 357 deletions(-) delete mode 100644 munin/tasks/debian.yml delete mode 100644 munin/tasks/openbsd.yml delete mode 100644 nagios-nrpe/tasks/debian.yml delete mode 100644 nagios-nrpe/tasks/openbsd.yml delete mode 100644 newsyslog/README.md delete mode 100644 newsyslog/files/newsyslog.conf delete mode 100644 newsyslog/meta/main.yml delete mode 100644 newsyslog/tasks/main.yml delete mode 100644 newsyslog/tasks/openbsd.yml diff --git a/etc-git/tasks/main.yml b/etc-git/tasks/main.yml index a958bacc..58bf52f2 100644 --- a/etc-git/tasks/main.yml +++ b/etc-git/tasks/main.yml @@ -4,13 +4,6 @@ apt: name: git state: present - when: ansible_os_family == "Debian" - -- name: Git is installed (OpenBSD) - openbsd_pkg: - name: git - state: present - when: ansible_os_family == "OpenBSD" - name: /etc is versioned with git command: "git init ." diff --git a/evocheck/README.md b/evocheck/README.md index 4a0e80de..b669fe54 100644 --- a/evocheck/README.md +++ b/evocheck/README.md @@ -5,7 +5,6 @@ Install and run evocheck ; a script for checking various settings automatically. ## Tasks The roles does not install evocheck by default as it should be installed through dependencies. -For OpenBSD, it should be packaged, but the work is not done yet. A separate `exec.yml` file can be imported manually in playbooks or roles to execute the script. Example : diff --git a/munin/tasks/debian.yml b/munin/tasks/debian.yml deleted file mode 100644 index cec24e62..00000000 --- a/munin/tasks/debian.yml +++ /dev/null @@ -1,87 +0,0 @@ ---- - -- name: Ensure that Munin is installed - apt: - name: '{{ item }}' - state: present - with_items: - - munin - - munin-node - - munin-plugins-core - - munin-plugins-extra - tags: - - munin - - packages - -- block: - - name: Replace localdomain in Munin config - replace: - dest: /etc/munin/munin.conf - regexp: 'localhost.localdomain' - replace: '{{ ansible_fqdn }}' - notify: restart munin-node - - - name: Rename the localdomain data dir - command: mv /var/lib/munin/localdomain /var/lib/munin/{{ ansible_domain }} - args: - creates: /var/lib/munin/{{ ansible_domain }} - removes: /var/lib/munin/localdomain - notify: restart munin-node - - when: not ansible_hostname == "localdomain" - tags: - - munin - -- name: Ensure some Munin plugins are disabled - file: - path: '/etc/munin/plugins/{{ item }}' - state: absent - with_items: - - http_loadtime - - exim_mailqueue - - exim_mailstats - - nfsd - - nfsd4 - - nfs_client - - nfs4_client - notify: restart munin-node - tags: - - munin - -- name: Ensure some Munin plugins are enabled - file: - src: "/usr/share/munin/plugins/{{ item }}" - dest: "/etc/munin/plugins/{{ item }}" - state: link - with_items: - - meminfo - - netstat_multi - - tcp - notify: restart munin-node - tags: - - munin - -- name: Enable sensors plugin unless VM detected - file: - src: /usr/share/munin/plugins/sensors_ - dest: /etc/munin/plugins/sensors_temp - state: link - when: ansible_virtualization_role != "guest" - notify: restart munin-node - tags: - - munin - -- name: adjustments for grsec kernel - blockinfile: - dest: /etc/munin/plugin-conf.d/munin-node - block: | - - [processes] - user root - - [vmstat] - user root - - [swap] - user root - when: ansible_kernel | search("-grs-") diff --git a/munin/tasks/main.yml b/munin/tasks/main.yml index bb765176..cec24e62 100644 --- a/munin/tasks/main.yml +++ b/munin/tasks/main.yml @@ -1,6 +1,87 @@ --- -- include: debian.yml - when: ansible_os_family == "Debian" -- include: openbsd.yml - when: ansible_os_family == "OpenBSD" +- name: Ensure that Munin is installed + apt: + name: '{{ item }}' + state: present + with_items: + - munin + - munin-node + - munin-plugins-core + - munin-plugins-extra + tags: + - munin + - packages + +- block: + - name: Replace localdomain in Munin config + replace: + dest: /etc/munin/munin.conf + regexp: 'localhost.localdomain' + replace: '{{ ansible_fqdn }}' + notify: restart munin-node + + - name: Rename the localdomain data dir + command: mv /var/lib/munin/localdomain /var/lib/munin/{{ ansible_domain }} + args: + creates: /var/lib/munin/{{ ansible_domain }} + removes: /var/lib/munin/localdomain + notify: restart munin-node + + when: not ansible_hostname == "localdomain" + tags: + - munin + +- name: Ensure some Munin plugins are disabled + file: + path: '/etc/munin/plugins/{{ item }}' + state: absent + with_items: + - http_loadtime + - exim_mailqueue + - exim_mailstats + - nfsd + - nfsd4 + - nfs_client + - nfs4_client + notify: restart munin-node + tags: + - munin + +- name: Ensure some Munin plugins are enabled + file: + src: "/usr/share/munin/plugins/{{ item }}" + dest: "/etc/munin/plugins/{{ item }}" + state: link + with_items: + - meminfo + - netstat_multi + - tcp + notify: restart munin-node + tags: + - munin + +- name: Enable sensors plugin unless VM detected + file: + src: /usr/share/munin/plugins/sensors_ + dest: /etc/munin/plugins/sensors_temp + state: link + when: ansible_virtualization_role != "guest" + notify: restart munin-node + tags: + - munin + +- name: adjustments for grsec kernel + blockinfile: + dest: /etc/munin/plugin-conf.d/munin-node + block: | + + [processes] + user root + + [vmstat] + user root + + [swap] + user root + when: ansible_kernel | search("-grs-") diff --git a/munin/tasks/openbsd.yml b/munin/tasks/openbsd.yml deleted file mode 100644 index fc9a1027..00000000 --- a/munin/tasks/openbsd.yml +++ /dev/null @@ -1,100 +0,0 @@ ---- - -- name: Ensure that Munin is installed - openbsd_pkg: - name: '{{ item }}' - state: present - with_items: - - munin-server - - munin-node - tags: - - munin - - packages - -- name: Set munin.conf file - template: - src: munin.conf.j2 - dest: /etc/munin/munin.conf - mode: "0644" - tags: - - munin - -- name: Create munin www directory - file: - path: '{{ munin_dir }}' - state: directory - owner: _munin - group: www - mode: "0755" - tags: - - munin - -- name: Set munin-node config - template: - src: munin-node.conf.j2 - dest: /etc/munin/munin-node.conf - mode: "0644" - notify: restart munin_node - tags: - - munin - -- name: Install munin cron - copy: - src: "crontab" - dest: "/var/cron/tabs/_munin" - owner: "_munin" - group: "crontab" - tags: - - munin - -- name: Enable munin plugins - file: - src: "/usr/local/libexec/munin/plugins/{{ item }}" - dest: "/etc/munin/plugins/{{ item }}" - state: link - with_items: - - cpu - - df - - df_inode - - load - - memory - - munin_stats - - netstat - - open_files - - pf_changes - - pf_searches - - pf_states - - processes - - systat - - uptime - - users - - vmstat - notify: restart munin_node - tags: - - munin - -- name: Enable network graphs - file: - src: "/usr/local/libexec/munin/plugins/if_" - dest: "/etc/munin/plugins/if_{{ item }}" - state: link - notify: restart munin_node - with_items: "{{ ansible_interfaces }}" - -- name: Enable sensors plugin unless VM detected - file: - src: /usr/local/libexec/munin/plugins/sensors_ - dest: /etc/munin/plugins/sensors_temp - state: link - when: ansible_vio0 is undefined - notify: restart munin_node - tags: - - munin - -- name: Activating munin_node - service: - name: munin_node - enabled: yes - state: started - tags: - - munin diff --git a/nagios-nrpe/tasks/debian.yml b/nagios-nrpe/tasks/debian.yml deleted file mode 100644 index dbb73903..00000000 --- a/nagios-nrpe/tasks/debian.yml +++ /dev/null @@ -1,51 +0,0 @@ ---- -- name: packages are installed - apt: - name: "{{ item }}" - state: present - with_items: - - nagios-nrpe-server - - nagios-plugins - - nagios-plugins-basic - - nagios-plugins-common - - nagios-plugins-contrib - - nagios-plugins-standard - -- name: custom configuration is present - template: - src: evolix.cfg.j2 - dest: /etc/nagios/nrpe.d/evolix.cfg - group: nagios - mode: "0640" - notify: restart nagios-nrpe-server - -- name: Nagios config is secured - file: - dest: /etc/nagios/ - mode: "0750" - group: nagios - state: directory - notify: restart nagios-nrpe-server - -- include: remount_usr_rw.yml - when: nagios_plugins_directory | search ("/usr") - tags: - - nagios-plugins - -- name: Nagios plugins are installed - copy: - src: plugins/ - dest: "{{ nagios_plugins_directory }}/" - mode: "0755" - notify: restart nagios-nrpe-server - tags: - - nagios-plugins - -- name: Nagios lib is secured - file: - dest: /usr/local/lib/nagios/ - mode: "0755" - group: nagios - recurse: yes - state: directory - notify: restart nagios-nrpe-server diff --git a/nagios-nrpe/tasks/main.yml b/nagios-nrpe/tasks/main.yml index e723d322..dbb73903 100644 --- a/nagios-nrpe/tasks/main.yml +++ b/nagios-nrpe/tasks/main.yml @@ -1,10 +1,51 @@ --- -- include: debian.yml - when: ansible_os_family == "Debian" - tags: - - nagios +- name: packages are installed + apt: + name: "{{ item }}" + state: present + with_items: + - nagios-nrpe-server + - nagios-plugins + - nagios-plugins-basic + - nagios-plugins-common + - nagios-plugins-contrib + - nagios-plugins-standard -- include: openbsd.yml - when: ansible_os_family == "OpenBSD" +- name: custom configuration is present + template: + src: evolix.cfg.j2 + dest: /etc/nagios/nrpe.d/evolix.cfg + group: nagios + mode: "0640" + notify: restart nagios-nrpe-server + +- name: Nagios config is secured + file: + dest: /etc/nagios/ + mode: "0750" + group: nagios + state: directory + notify: restart nagios-nrpe-server + +- include: remount_usr_rw.yml + when: nagios_plugins_directory | search ("/usr") tags: - - nagios + - nagios-plugins + +- name: Nagios plugins are installed + copy: + src: plugins/ + dest: "{{ nagios_plugins_directory }}/" + mode: "0755" + notify: restart nagios-nrpe-server + tags: + - nagios-plugins + +- name: Nagios lib is secured + file: + dest: /usr/local/lib/nagios/ + mode: "0755" + group: nagios + recurse: yes + state: directory + notify: restart nagios-nrpe-server diff --git a/nagios-nrpe/tasks/openbsd.yml b/nagios-nrpe/tasks/openbsd.yml deleted file mode 100644 index 5229778e..00000000 --- a/nagios-nrpe/tasks/openbsd.yml +++ /dev/null @@ -1,42 +0,0 @@ ---- -- name: packages are installed - openbsd_pkg: - name: "{{ item }}" - state: present - with_items: - - nrpe-- - - monitoring-plugins - -- name: Create nrpe.d dir - file: - path: /etc/nrpe.d - state: directory - owner: root - group: wheel - mode: "0755" - -- name: Include nrpe.d dir in nrpe.cfg - lineinfile: - dest: /etc/nrpe.cfg - line: 'include_dir=/etc/nrpe.d' - -- name: custom configuration is present - template: - src: evolix_bsd.cfg.j2 - dest: /etc/nrpe.d/evolix.cfg - notify: restart nrpe - -- name: Nagios plugins are installed - copy: - src: plugins_bsd/ - dest: /usr/local/libexec/nagios/plugins/ - owner: root - group: wheel - mode: "0755" - notify: restart nrpe - -- name: Starting and enabling nrpe - service: - name: nrpe - enabled: yes - state: started diff --git a/newsyslog/README.md b/newsyslog/README.md deleted file mode 100644 index 2b974979..00000000 --- a/newsyslog/README.md +++ /dev/null @@ -1,5 +0,0 @@ -Role Name -========= - -Configure newsyslog by Evolix standard - diff --git a/newsyslog/files/newsyslog.conf b/newsyslog/files/newsyslog.conf deleted file mode 100644 index 5b51ebc8..00000000 --- a/newsyslog/files/newsyslog.conf +++ /dev/null @@ -1,15 +0,0 @@ -# Syslog for Pack Evolix -# MANAGED BY ANSIBLE, MODIFICATIONS WILL BE LOST -# logfile_name owner:group mode count size when flags -/var/cron/log root:wheel 600 52 * 168 Z -/var/log/authlog root:wheel 640 52 * 168 Z -/var/log/daemon 640 52 * 168 Z -/var/log/lpd-errs 640 7 * 24 Z -/var/log/maillog 640 52 * 168 Z -/var/log/messages 644 52 * 168 Z -/var/log/secure 600 52 * 168 Z -/var/log/wtmp 644 7 * $W6D4 ZB -/var/log/xferlog 640 7 250 * Z -/var/log/pflog 600 3 250 * ZB "pkill -HUP -u root -U root -t - -x pflogd" -/var/www/logs/access.log 644 4 * $W0 Z "pkill -USR1 -u root -U root -x httpd" -/var/www/logs/error.log 644 7 250 * Z "pkill -USR1 -u root -U root -x httpd" diff --git a/newsyslog/meta/main.yml b/newsyslog/meta/main.yml deleted file mode 100644 index a6ad9ab5..00000000 --- a/newsyslog/meta/main.yml +++ /dev/null @@ -1,15 +0,0 @@ -galaxy_info: - author: Evolix - description: Basic configuration of newsyslog - - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues - - license: GPLv2 - - min_ansible_version: 2.2 - - platforms: - - name: OpenBSD - versions: - - 6.1 - diff --git a/newsyslog/tasks/main.yml b/newsyslog/tasks/main.yml deleted file mode 100644 index a7ecf987..00000000 --- a/newsyslog/tasks/main.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -#- include: debian.yml -# when: ansible_os_family == "Debian" - -- include: openbsd.yml - when: ansible_os_family == "OpenBSD" diff --git a/newsyslog/tasks/openbsd.yml b/newsyslog/tasks/openbsd.yml deleted file mode 100644 index 28be4862..00000000 --- a/newsyslog/tasks/openbsd.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -# no need to enable any daemon, it's run (by default) with cron(8) -- name: Configuring newsyslog - copy: - src: newsyslog.conf - dest: /etc/newsyslog.conf - owner: root - group: wheel - mode: "0644" - tags: - - log - - newsyslog diff --git a/unbound/templates/unbound.conf.j2 b/unbound/templates/unbound.conf.j2 index 2447ea41..73c03141 100644 --- a/unbound/templates/unbound.conf.j2 +++ b/unbound/templates/unbound.conf.j2 @@ -15,11 +15,7 @@ server: # root-hints: "/var/unbound/etc/named.cache" # Uncomment to enable DNSSEC validation. -{% if ansible_os_family == "OpenBSD" %} - auto-trust-anchor-file: "/var/unbound/db/root.key" -{% else %} #auto-trust-anchor-file: "/etc/unbound/root.key" -{% endif %} # Serve zones authoritatively from Unbound to resolver clients. # Not for external service. From 03f4eaf2695a45604e481c23ea9c1a5e4019aaf4 Mon Sep 17 00:00:00 2001 From: Daniel Jakots Date: Tue, 29 Aug 2017 11:22:21 -0400 Subject: [PATCH 201/277] fix example --- etc-git/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc-git/README.md b/etc-git/README.md index 5c033843..9028cc1c 100644 --- a/etc-git/README.md +++ b/etc-git/README.md @@ -27,5 +27,5 @@ There is also an independant task that can be executed to commit changes made in name: etc-git tasks_from: commit.yml vars: - commit_message: "Ansible pre-run my splendid playbook" + commit_message: "Ansible post-run my splendid playbook" ``` From 859822709d5e1fe3117d17b7a3ff64becb7e41aa Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Tue, 29 Aug 2017 23:21:58 +0200 Subject: [PATCH 202/277] Revert "Fix: openssl req -subj arg need to be "/CN="" because bad var during test This reverts commit 8cfa0a6ef25be1532423f3d9eb3f9b320549380e. --- evolinux-base/tasks/default_www.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evolinux-base/tasks/default_www.yml b/evolinux-base/tasks/default_www.yml index 6e2b710e..2e67eb97 100644 --- a/evolinux-base/tasks/default_www.yml +++ b/evolinux-base/tasks/default_www.yml @@ -27,7 +27,7 @@ - block: - name: Create private key and csr for default site ({{ ansible_fqdn }}) - command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "/CN={{ evolinux_default_www_ssl_subject }}" + command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "{{ evolinux_default_www_ssl_subject }}" args: creates: "/etc/ssl/private/{{ ansible_fqdn }}.key" From 251d3236628799d62d3519ec300365d5ce8efdf6 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Wed, 30 Aug 2017 03:37:38 +0200 Subject: [PATCH 203/277] Fix: forgot an include in main squid config file --- squid/files/evolinux-defaults.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/squid/files/evolinux-defaults.conf b/squid/files/evolinux-defaults.conf index 3153221a..ef11ea69 100644 --- a/squid/files/evolinux-defaults.conf +++ b/squid/files/evolinux-defaults.conf @@ -33,3 +33,4 @@ refresh_pattern . 0 20% 4320 logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh access_log /var/log/squid/access.log combined +include /etc/squid/evolinux-custom.conf From ca4b0d5b1db77ef389ceee39fc5a2a7881691e39 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Wed, 30 Aug 2017 03:46:34 +0200 Subject: [PATCH 204/277] log2mail need to be started and not restarted each time --- evolinux-base/tasks/log2mail.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evolinux-base/tasks/log2mail.yml b/evolinux-base/tasks/log2mail.yml index 126bc48e..e6f624c1 100644 --- a/evolinux-base/tasks/log2mail.yml +++ b/evolinux-base/tasks/log2mail.yml @@ -14,5 +14,5 @@ systemd: name: log2mail daemon-reload: yes - state: restarted + state: started enabled: yes From 1524146f1031dc042afdf3de72322abfa85f8446 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Wed, 30 Aug 2017 04:06:46 +0200 Subject: [PATCH 205/277] force own:group for config.local.php --- webapps/evoadmin-web/tasks/web.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/webapps/evoadmin-web/tasks/web.yml b/webapps/evoadmin-web/tasks/web.yml index 87237248..170e2416 100644 --- a/webapps/evoadmin-web/tasks/web.yml +++ b/webapps/evoadmin-web/tasks/web.yml @@ -43,6 +43,8 @@ src: config.local.php.j2 dest: "{{ evoadmin_document_root}}/conf/config.local.php" mode: "0644" + owner: evoadmin + group: evoadmin force: no - name: add www-evoadmin to shadow group From 4e4cbdb3c9bbd20376da968c0b6f21e600c1973e Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Wed, 30 Aug 2017 14:25:46 +0200 Subject: [PATCH 206/277] ntpd: listen only on localhost by default --- ntpd/defaults/main.yml | 1 + ntpd/templates/ntp.conf.j2 | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/ntpd/defaults/main.yml b/ntpd/defaults/main.yml index c48a2dd4..5c5e9781 100644 --- a/ntpd/defaults/main.yml +++ b/ntpd/defaults/main.yml @@ -1,4 +1,5 @@ --- +ntpd_only_local: true ntpd_servers: - 'pool.ntp.org' ntpd_acls: diff --git a/ntpd/templates/ntp.conf.j2 b/ntpd/templates/ntp.conf.j2 index e004ec6a..272bb43c 100644 --- a/ntpd/templates/ntp.conf.j2 +++ b/ntpd/templates/ntp.conf.j2 @@ -2,6 +2,11 @@ driftfile /var/lib/ntp/ntp.drift +{% if ntpd_only_local is defined and ntpd_only_local %} +# Only listen on 127.0.0.1 and ::1 +interface ignore wildcard + +{% endif %} # Enable this if you want statistics to be logged. #statsdir /var/log/ntpstats/ From d72cd0184d22daad00a27333c2936696ab08fdca Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Thu, 31 Aug 2017 03:21:57 +0200 Subject: [PATCH 207/277] minor fix. true -> True --- ntpd/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ntpd/defaults/main.yml b/ntpd/defaults/main.yml index 5c5e9781..880986f8 100644 --- a/ntpd/defaults/main.yml +++ b/ntpd/defaults/main.yml @@ -1,5 +1,5 @@ --- -ntpd_only_local: true +ntpd_only_local: True ntpd_servers: - 'pool.ntp.org' ntpd_acls: From b801c883acde7022a58b6ba0a18e49bcf265ee30 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Thu, 31 Aug 2017 03:23:07 +0200 Subject: [PATCH 208/277] minor fix: true -> True --- evolinux-base/defaults/main.yml | 2 +- monit/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index ae012b8b..f4ef9b2e 100644 --- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml @@ -83,7 +83,7 @@ evolinux_system_locales: True evolinux_system_set_timezone: True evolinux_system_timezone: "Europe/Paris" -evolinux_system_vim_skip_defaults: true +evolinux_system_vim_skip_defaults: True evolinux_system_vim_default_editor: True evolinux_system_profile: True evolinux_system_dirmode_adduser: True diff --git a/monit/defaults/main.yml b/monit/defaults/main.yml index 39d28f24..2657f67d 100644 --- a/monit/defaults/main.yml +++ b/monit/defaults/main.yml @@ -1,7 +1,7 @@ --- monit_daemon_time: 60 monit_alert_dest: -monit_httpd_enable: true +monit_httpd_enable: True monit_httpd_port: 2812 monit_httpd_allow_items: - localhost From 5d3870f20f4afb81030bf4391e1fb439146bd065 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Thu, 31 Aug 2017 03:23:59 +0200 Subject: [PATCH 209/277] using ntp.evolix.net by default --- ntpd/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ntpd/defaults/main.yml b/ntpd/defaults/main.yml index 880986f8..380bd0e7 100644 --- a/ntpd/defaults/main.yml +++ b/ntpd/defaults/main.yml @@ -1,7 +1,7 @@ --- ntpd_only_local: True ntpd_servers: -- 'pool.ntp.org' +- 'ntp.evolix.net' ntpd_acls: - '127.0.0.1' - '::1' From 4eb891b8b7f60fb7aa9db955fe0bee34bb9bd11c Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Thu, 31 Aug 2017 03:31:00 +0200 Subject: [PATCH 210/277] use role ntpd in evolinux-base --- evolinux-base/README.md | 1 - evolinux-base/defaults/main.yml | 4 ---- evolinux-base/handlers/main.yml | 4 ---- evolinux-base/tasks/packages.yml | 1 - evolinux-base/tasks/system.yml | 19 ++----------------- 5 files changed, 2 insertions(+), 27 deletions(-) diff --git a/evolinux-base/README.md b/evolinux-base/README.md index abd70e7d..8ef7a70e 100644 --- a/evolinux-base/README.md +++ b/evolinux-base/README.md @@ -33,7 +33,6 @@ Main variables are: * `evolinux_apt_hooks`: install APT hooks (default: `True`) * `evolinux_apt_remove_aptitude`: uninstall aptitude (default: `True`) * `evolinux_delete_nfs`: delete NFS tools (default: `True`) -* `evolinux_ntp_server`: custom NTP server host or IP (default: `Null`) * `evolinux_additional_packages`: optional additional packages to install (default: `[]`) * `evolinux_postfix_purge_exim`: purge Exim packages (default: `True`) ; * `evolinux_ssh_password_auth_addresses`: list of addresses that can authenticate with a password (default: `[]`) diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index f4ef9b2e..822bbf9e 100644 --- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml @@ -96,10 +96,6 @@ evolinux_system_alert5_init: True evolinux_system_alert5_enable: True evolinux_system_eni_auto: True -evolinux_system_ntprestrict: True -evolinux_system_set_ntpserver: True -evolinux_system_ntpserver: "ntp.evolix.net" - # root evolinux_root_include: True diff --git a/evolinux-base/handlers/main.yml b/evolinux-base/handlers/main.yml index 002cd978..80b7378e 100644 --- a/evolinux-base/handlers/main.yml +++ b/evolinux-base/handlers/main.yml @@ -72,7 +72,3 @@ name: postfix state: reloaded -- name: restart ntp - service: - name: ntp - state: restarted diff --git a/evolinux-base/tasks/packages.yml b/evolinux-base/tasks/packages.yml index 8089e397..bb1f81c9 100644 --- a/evolinux-base/tasks/packages.yml +++ b/evolinux-base/tasks/packages.yml @@ -6,7 +6,6 @@ with_items: - locales - sudo - - ntp - ntpdate - lsb-release - dnsutils diff --git a/evolinux-base/tasks/system.yml b/evolinux-base/tasks/system.yml index 67638b55..261ef1a9 100644 --- a/evolinux-base/tasks/system.yml +++ b/evolinux-base/tasks/system.yml @@ -111,23 +111,8 @@ - { regexp: '^52\s*6(\s*1(\s*\*){2})', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' } when: evolinux_system_cron_random -# NTP listen retriction -- name: Listen only on lo interface - -# NTP server address - lineinfile: - dest: /etc/ntp.conf - line: "interface ignore wildcard" - notify: restart ntp - when: evolinux_system_ntprestrict - -- name: Configure NTP - replace: - dest: /etc/ntp.conf - regexp: "^server .*$" - replace: "server {{ evolinux_system_ntpserver }}" - notify: restart ntp - when: evolinux_system_set_ntpserver +- include_role: + name: ntpd ## alert5 From 409ac0d503d395007c7bb0f33b62bdd963b7228e Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Thu, 31 Aug 2017 04:05:33 +0200 Subject: [PATCH 211/277] ajust minfirewall default config (mostly let port 22 in public port to avoid failure during Ansible connection) --- minifirewall/defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/minifirewall/defaults/main.yml b/minifirewall/defaults/main.yml index c3e2af96..94bd3cb4 100644 --- a/minifirewall/defaults/main.yml +++ b/minifirewall/defaults/main.yml @@ -11,9 +11,9 @@ minifirewall_privilegied_ips: [] minifirewall_protected_ports_tcp: [22] minifirewall_protected_ports_udp: [] -minifirewall_public_ports_tcp: [25, 53, 443, 993, 995, 2222] -minifirewall_public_ports_udp: [53] -minifirewall_semipublic_ports_tcp: [20, 21, 22, 80, 110, 143] +minifirewall_public_ports_tcp: [22, 80, 443] +minifirewall_public_ports_udp: [] +minifirewall_semipublic_ports_tcp: [20, 21, 25] minifirewall_semipublic_ports_udp: [] minifirewall_private_ports_tcp: [5666] minifirewall_private_ports_udp: [] From 64c1dc3d4540ceea36bcca57d56fe19ff57b91f9 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Thu, 31 Aug 2017 04:40:49 +0200 Subject: [PATCH 212/277] Fix mytop install with https://wiki.evolix.org/HowtoMySQL#mytop --- mysql/tasks/utils.yml | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/mysql/tasks/utils.yml b/mysql/tasks/utils.yml index 7fae0c97..87291374 100644 --- a/mysql/tasks/utils.yml +++ b/mysql/tasks/utils.yml @@ -10,16 +10,7 @@ # mytop -# mytop is installed with MariaB -# the package has been removed of Stretch repositories -- name: Is mytop available ? - command: which mytop - failed_when: False - changed_when: False - check_mode: no - register: which_mytop - -- name: Install mytop +- name: "Install mytop (jessie)" apt: name: mytop state: present @@ -27,7 +18,16 @@ - packages - mytop - mysql - when: which_mytop.rc != 0 + when: ansible_distribution_release == "jessie" + +- name: "Install depends for mytop (Debian 9 or later)" + apt: + name: "{{ item }}" + with_items: + - mariadb-client-10.1 + - libconfig-inifiles-perl + - libterm-readkey-perl + when: ansible_distribution_major_version | version_compare('9', '>=') - name: Read debian-sys-maint password shell: cat /etc/mysql/debian.cnf | grep -m1 "password = .*" | cut -d" " -f3 From f47947f48998e9c4e25882025abb91cf140ecf3d Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Thu, 31 Aug 2017 09:47:07 +0200 Subject: [PATCH 213/277] Add a redmine role --- redmine/defaults/main.yml | 8 + redmine/files/Gemfile.local | 1 + redmine/files/profile | 23 ++ redmine/files/puma.service | 17 ++ redmine/handlers/main.yml | 24 ++ redmine/tasks/main.yml | 260 ++++++++++++++++++ .../templates/additional_environment.rb.j2 | 1 + redmine/templates/configuration.yml.j2 | 11 + redmine/templates/database.yml.j2 | 7 + redmine/templates/puma.rb.j2 | 4 + 10 files changed, 356 insertions(+) create mode 100644 redmine/defaults/main.yml create mode 100644 redmine/files/Gemfile.local create mode 100644 redmine/files/profile create mode 100644 redmine/files/puma.service create mode 100644 redmine/handlers/main.yml create mode 100644 redmine/tasks/main.yml create mode 100644 redmine/templates/additional_environment.rb.j2 create mode 100644 redmine/templates/configuration.yml.j2 create mode 100644 redmine/templates/database.yml.j2 create mode 100644 redmine/templates/puma.rb.j2 diff --git a/redmine/defaults/main.yml b/redmine/defaults/main.yml new file mode 100644 index 00000000..c87d09d3 --- /dev/null +++ b/redmine/defaults/main.yml @@ -0,0 +1,8 @@ +--- +puma_env: 'production' +puma_worker: 2 +puma_min_thread: 0 +puma_max_thread: 4 +redmine_db_name: "{{ redmine_user }}" +redmine_db_host: "localhost" +redmine_db_username: "{{ redmine_user }}" diff --git a/redmine/files/Gemfile.local b/redmine/files/Gemfile.local new file mode 100644 index 00000000..78486d1b --- /dev/null +++ b/redmine/files/Gemfile.local @@ -0,0 +1 @@ +gem "puma" diff --git a/redmine/files/profile b/redmine/files/profile new file mode 100644 index 00000000..57d0668e --- /dev/null +++ b/redmine/files/profile @@ -0,0 +1,23 @@ +# ~/.profile: executed by the command interpreter for login shells. + +umask 027 + +# if running bash +if [ -n "$BASH_VERSION" ]; then + # include .bashrc if it exists + if [ -f "$HOME/.bashrc" ]; then + . "$HOME/.bashrc" + fi +fi + +# set PATH so it includes gems bin +if [ -d "$HOME/bin" ] ; then + export PATH="$HOME/.gems/ruby/2.1.0/bin:$PATH" +fi + +# For systemctl --user +export XDG_RUNTIME_DIR=/run/user/$UID + +# Ruby vars +export RAILS_ENV=production +export BUNDLE_GEMFILE="$HOME/www/Gemfile" diff --git a/redmine/files/puma.service b/redmine/files/puma.service new file mode 100644 index 00000000..65aab8fb --- /dev/null +++ b/redmine/files/puma.service @@ -0,0 +1,17 @@ +[Unit] +Description=Puma HTTP server for Ruby Apps : %u +After=network.target + +[Service] +WorkingDirectory=%h/www +UMask=0027 +PIDFile=%h/ruby.pid +ExecStartPre=/bin/mkdir -m 0750 -p %h/run +ExecStart=/usr/bin/bundle exec puma --bind unix://%h/run/puma.sock?umask=0007 --pidfile %h/run/puma.pid --dir %h/www --config /etc/puma/%u.rb +ExecReload=/bin/kill -USR2 $MAINPID +KillMode=process +#Restart=on-failure + +[Install] +WantedBy=multi-user.target +Alias=puma.service diff --git a/redmine/handlers/main.yml b/redmine/handlers/main.yml new file mode 100644 index 00000000..73b42e23 --- /dev/null +++ b/redmine/handlers/main.yml @@ -0,0 +1,24 @@ +--- +- name: bundle update + bundler: + state: present + gemfile: "/home/{{ redmine_user }}/www/Gemfile" + gem_path: "/home/{{ redmine_user }}/.gems" + user_install: yes + become_user: "{{ redmine_user }}" + +- name: rake migrate + shell: bundle exec rake -qf ~/www/Rakefile db:migrate + become_user: "{{ redmine_user }}" + become_method: sudo + become_flags: '-iu {{ redmine_user }}' + +- name: puma reload + systemd: + name: puma + daemon_reload: yes + state: reloaded + user: yes + become_user: "{{ redmine_user }}" + become_method: sudo + become_flags: '-iu {{ redmine_user }}' diff --git a/redmine/tasks/main.yml b/redmine/tasks/main.yml new file mode 100644 index 00000000..e6b4dd42 --- /dev/null +++ b/redmine/tasks/main.yml @@ -0,0 +1,260 @@ +--- +- name: Install dependancy + apt: + name: "{{ item }}" + state: present + with_items: + - libpam-systemd + - ruby + - ruby-dev + - bundler + - imagemagick + - git-core + - git-svn + - gcc + - build-essential + - libxml2-dev + - libxslt1-dev + - libssl-dev + - libmagickwand-dev + - libmagickcore-dev + - libmysqlclient-dev + - python-mysqldb + tags: + - redmine + +#- name: +# lineinfile: +# with_items: +# - 'https://github.com/.*' +# - 'http://rubygems.org/.*' +# - 'http://.*.rubygems.org/.*' +# tags: +# - redmine + +- name: Deploy systemd unit + copy: + src: puma.service + dest: /etc/systemd/user/puma.service + mode: "0644" + tags: + - redmine + +- name: Create puma config dir + file: + path: /etc/puma + state: directory + mode: "0755" + owner: root + tags: + - redmine + +- name: Create redmine group + group: + name: "{{ redmine_user }}" + state: present + tags: + - redmine + +- name: Add www-data to redmine group + user: + name: www-data + groups: "{{ redmine_user }}" + append: yes + tags: + - redmine + +- name: Create redmine user + user: + name: "{{ redmine_user }}" + state: present + group: "{{ redmine_user }}" + createhome: yes + home: "/home/{{ redmine_user }}" + shell: /bin/bash + tags: + - redmine + +- name: Create required directory + file: + path: "{{ item }}" + state: directory + owner: "{{ redmine_user }}" + group: "{{ redmine_user }}" + mode: "0750" + with_items: + - "/home/{{ redmine_user }}" + - "/home/{{ redmine_user }}/files" + - "/home/{{ redmine_user }}/log" + tags: + - redmine + +- name: Touch Nginx logs file + file: + path: "/home/{{ redmine_user }}/log/{{ item }}" + state: touch + owner: "root" + group: "{{ redmine_user }}" + mode: "0640" + with_items: + - nginx_access.log + - nginx_error.log + tags: + - redmine + +- name: Enable systemd user mode + command: "loginctl enable-linger {{ redmine_user }}" + changed_when: false + +- name: Set user .profile + copy: + src: profile + dest: "/home/{{ redmine_user }}/.profile" + owner: "{{ redmine_user }}" + group: "{{ redmine_user }}" + mode: "0640" + tags: + - redmine + +- name: Update or clone Redmine git + git: + repo: 'https://github.com/redmine/redmine.git' + dest: "/home/{{ redmine_user }}/www" + version: '3.4-stable' + umask: "027" + update: yes + become_user: "{{ redmine_user }}" + notify: + - bundle update + - rake migrate + tags: + - redmine + +- name: Deploy custom Gemfile + copy: + src: Gemfile.local + dest: "/home/{{ redmine_user }}/www" + owner: "{{ redmine_user }}" + group: "{{ redmine_user }}" + mode: "0640" + notify: bundle update + +- name: Get actual Mysql password + shell: "grep password /home/{{ redmine_user }}/.my.cnf | awk '{ print $3 }'" + register: redmine_get_mysql_password + check_mode: no + changed_when: False + failed_when: false + tags: + - redmine + +- name: Generate Mysql password + shell: perl -e 'print map{("a".."z","A".."Z",0..9)[int(rand(62))]}(1..16)' + register: redmine_generate_mysql_password + check_mode: no + changed_when: False + when: redmine_get_mysql_password.stdout == "" + tags: + - redmine + +- name: Set Mysql password + set_fact: + redmine_db_pass: "{{ redmine_generate_mysql_password.stdout | default(redmine_get_mysql_password.stdout) }}" + tags: + - redmine + +- name: Create Mysql database + mysql_db: + name: "{{ redmine_db_name }}" + config_file: "/root/.my.cnf" + state: present + tags: + - redmine + +- name: Create Mysql user + mysql_user: + name: "{{ redmine_db_username }}" + password: '{{ redmine_db_pass }}' + priv: "{{ redmine_user }}.*:ALL" + config_file: "/root/.my.cnf" + update_password: always + state: present + tags: + - redmine + +- name: Store credentials in my.cnf + ini_file: + dest: "/home/{{ redmine_user }}/.my.cnf" + owner: "{{ redmine_user }}" + group: "{{ redmine_user }}" + mode: "0600" + section: client + option: '{{ item.option }}' + value: '{{ item.value }}' + with_items: + - { option: 'user', value: "{{ redmine_db_username }}" } + - { option: 'database', value: "{{ redmine_db_name }}" } + - { option: 'password', value: '{{ redmine_db_pass }}' } + tags: + - redmine + +- name: Copy configurations file + template: + src: "{{ item }}.j2" + dest: "/home/{{ redmine_user }}/www/config/{{ item }}" + owner: "{{ redmine_user }}" + group: "{{ redmine_user }}" + mode: "0640" + with_items: + - 'configuration.yml' + - 'database.yml' + - 'additional_environment.rb' + tags: + - redmine + +- meta: flush_handlers + +- name: Populate Mysql database + shell: bundle exec rake -qf ~/www/Rakefile redmine:load_default_data REDMINE_LANG=fr && touch ~/.populated + args: + creates: "/home/{{ redmine_user }}/.populated" + become_user: "{{ redmine_user }}" + become_method: sudo + become_flags: '-iu {{ redmine_user }}' + +- name: Generate secret token + shell: bundle exec rake -qf ~/www/Rakefile generate_secret_token + args: + creates: "/home/{{ redmine_user }}/www/config/initializers/secret_token.rb" + become_user: "{{ redmine_user }}" + become_method: sudo + become_flags: '-iu {{ redmine_user }}' + tags: + - redmine + +- name: Copy puma config + template: + src: puma.rb.j2 + dest: "/etc/puma/{{ redmine_user }}.rb" + owner: "{{ redmine_user }}" + group: "{{ redmine_user }}" + mode: "0640" + notify: + - puma reload + tags: + - redmine + +- name: Start puma service + systemd: + name: puma + daemon_reload: yes + enabled: yes + state: started + user: yes + become_user: "{{ redmine_user }}" + become_method: sudo + become_flags: '-iu {{ redmine_user }}' + tags: + - redmine + +- meta: flush_handlers diff --git a/redmine/templates/additional_environment.rb.j2 b/redmine/templates/additional_environment.rb.j2 new file mode 100644 index 00000000..b1211a2e --- /dev/null +++ b/redmine/templates/additional_environment.rb.j2 @@ -0,0 +1 @@ +config.paths['log'] = "/home/{{ redmine_user }}/log/redmine.log" diff --git a/redmine/templates/configuration.yml.j2 b/redmine/templates/configuration.yml.j2 new file mode 100644 index 00000000..3640cd65 --- /dev/null +++ b/redmine/templates/configuration.yml.j2 @@ -0,0 +1,11 @@ +production: + email_delivery: + delivery_method: :smtp + smtp_settings: + address: localhost + port: 25 + domain: "{{ ansible_domain }}" + ssl: false + enable_starttls_auto: false + attachments_storage_path: /home/{{ redmine_user }}/files + autologin_cookie_secure: true diff --git a/redmine/templates/database.yml.j2 b/redmine/templates/database.yml.j2 new file mode 100644 index 00000000..c694644c --- /dev/null +++ b/redmine/templates/database.yml.j2 @@ -0,0 +1,7 @@ +production: + adapter: mysql2 + database: {{ redmine_db_name }} + host: {{ redmine_db_host }} + username: {{ redmine_db_username }} + password: "{{ redmine_db_pass }}" + encoding: utf8 diff --git a/redmine/templates/puma.rb.j2 b/redmine/templates/puma.rb.j2 new file mode 100644 index 00000000..dd5ea5af --- /dev/null +++ b/redmine/templates/puma.rb.j2 @@ -0,0 +1,4 @@ +environment '{{ puma_env }}' +workers {{ puma_worker }} +threads {{ puma_min_thread }}, {{ puma_max_thread }} +tag 'Redmine {{ redmine_user }}' From 716b0a2ed8e7456ef2fcf929e3545cb65dd78aad Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Thu, 31 Aug 2017 10:55:08 +0200 Subject: [PATCH 214/277] redmine: use tasks instead of handlers --- redmine/handlers/main.yml | 24 ------------------------ redmine/tasks/main.yml | 36 ++++++++++++++++++++++++++++-------- 2 files changed, 28 insertions(+), 32 deletions(-) delete mode 100644 redmine/handlers/main.yml diff --git a/redmine/handlers/main.yml b/redmine/handlers/main.yml deleted file mode 100644 index 73b42e23..00000000 --- a/redmine/handlers/main.yml +++ /dev/null @@ -1,24 +0,0 @@ ---- -- name: bundle update - bundler: - state: present - gemfile: "/home/{{ redmine_user }}/www/Gemfile" - gem_path: "/home/{{ redmine_user }}/.gems" - user_install: yes - become_user: "{{ redmine_user }}" - -- name: rake migrate - shell: bundle exec rake -qf ~/www/Rakefile db:migrate - become_user: "{{ redmine_user }}" - become_method: sudo - become_flags: '-iu {{ redmine_user }}' - -- name: puma reload - systemd: - name: puma - daemon_reload: yes - state: reloaded - user: yes - become_user: "{{ redmine_user }}" - become_method: sudo - become_flags: '-iu {{ redmine_user }}' diff --git a/redmine/tasks/main.yml b/redmine/tasks/main.yml index e6b4dd42..717b158d 100644 --- a/redmine/tasks/main.yml +++ b/redmine/tasks/main.yml @@ -124,9 +124,7 @@ umask: "027" update: yes become_user: "{{ redmine_user }}" - notify: - - bundle update - - rake migrate + register: redmine_git_task tags: - redmine @@ -137,7 +135,7 @@ owner: "{{ redmine_user }}" group: "{{ redmine_user }}" mode: "0640" - notify: bundle update + register: redmine_local_gemfile_task - name: Get actual Mysql password shell: "grep password /home/{{ redmine_user }}/.my.cnf | awk '{ print $3 }'" @@ -212,7 +210,21 @@ tags: - redmine -- meta: flush_handlers +- name: Update local gems with bundle + bundler: + state: present + gemfile: "/home/{{ redmine_user }}/www/Gemfile" + gem_path: "/home/{{ redmine_user }}/.gems" + user_install: yes + become_user: "{{ redmine_user }}" + when: redmine_git_task.changed or redmine_local_gemfile_task.changed + +- name: Migrate database with rake + shell: bundle exec rake -qf ~/www/Rakefile db:migrate + become_user: "{{ redmine_user }}" + become_method: sudo + become_flags: '-iu {{ redmine_user }}' + when: redmine_git_task.changed - name: Populate Mysql database shell: bundle exec rake -qf ~/www/Rakefile redmine:load_default_data REDMINE_LANG=fr && touch ~/.populated @@ -239,8 +251,7 @@ owner: "{{ redmine_user }}" group: "{{ redmine_user }}" mode: "0640" - notify: - - puma reload + register: redmine_puma_config_task tags: - redmine @@ -257,4 +268,13 @@ tags: - redmine -- meta: flush_handlers +- name: Reload puma service + systemd: + name: puma + daemon_reload: yes + state: reloaded + user: yes + become_user: "{{ redmine_user }}" + become_method: sudo + become_flags: '-iu {{ redmine_user }}' + when: redmine_puma_config_task.changed From e38f4bc0c3c9bfac3fabf940ac14d95cef3e9a5d Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Thu, 31 Aug 2017 11:07:59 +0200 Subject: [PATCH 215/277] redmine: don't change when touch nginx log files --- redmine/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/redmine/tasks/main.yml b/redmine/tasks/main.yml index 717b158d..f7ab97c4 100644 --- a/redmine/tasks/main.yml +++ b/redmine/tasks/main.yml @@ -96,6 +96,7 @@ owner: "root" group: "{{ redmine_user }}" mode: "0640" + changed_when: false with_items: - nginx_access.log - nginx_error.log From 4a0d473e84e75adbbac47c84c3321f358ecda488 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Fri, 1 Sep 2017 02:44:36 +0200 Subject: [PATCH 216/277] clean gpg key --- apt/files/reg.gpg | 17 +---------------- 1 file changed, 1 insertion(+), 16 deletions(-) diff --git a/apt/files/reg.gpg b/apt/files/reg.gpg index b41face7..3fadeb07 100644 --- a/apt/files/reg.gpg +++ b/apt/files/reg.gpg @@ -1,16 +1,3 @@ - - - - -Public Key Server -- Get "0x44975278b8612b5d " - -

Public Key Server -- Get "0x44975278b8612b5d "

-
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 Version: SKS 1.1.6
 Comment: Hostname: keyserver.ubuntu.com
@@ -930,6 +917,4 @@ yLns4jIKY8dehPner0Y8RX31/0eQOknRwRSl6uceu/6liJT23KHYzT3FPGHuK2QH6AHnORGS
 g6FmBsbXSzosQOKWE3sO0dzjPIE6DRKwZIJmqQKvHqeAvPsC0U7JBWlKl0eMoIuDjp9qFDKz
 BWcdiQ==
 =iUyJ
------END PGP PUBLIC KEY BLOCK-----
-
- +-----END PGP PUBLIC KEY BLOCK----- From d1b290f8649a143e0868aa5454ff47f5673a52d4 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Fri, 1 Sep 2017 03:51:28 +0200 Subject: [PATCH 217/277] Typos + add info --- mysql/README.md | 4 ++-- mysql/tasks/utils.yml | 1 - 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/mysql/README.md b/mysql/README.md index e8a8399f..b1e4bf57 100644 --- a/mysql/README.md +++ b/mysql/README.md @@ -18,7 +18,7 @@ Tasks are extracted in several files, included in `tasks/main.yml` : ## Available variables -* `mysql_variant` : install Oracle's MySQL or MariaDB (default: `oracle`) ; +* `mysql_variant` : install Oracle's MySQL or MariaDB (default: `oracle`) [Debian 8 only]; * `mysql_replace_root_with_mysqladmin`: switch from `root` to `mysqladmin` user or not ; * `mysql_thread_cache_size`: number of threads for the cache ; * `mysql_innodb_buffer_pool_size`: amount of RAM dedicated to InnoDB ; @@ -30,4 +30,4 @@ Tasks are extracted in several files, included in `tasks/main.yml` : * `mysql_scripts_dir`: email address to send Log2mail messages to (default: `general_scripts_dir`). * `mysql_force_new_nrpe_password` : change the password for NRPE even if it exists already (default: `False`). -NB : changing the _datadir_ location can be done multiple times, as long as it is not restored to the default initial location, (because a symlink is created and can't be switched back, yet). +NB : changing the _datadir_ location can be done multiple times, as long as it is not restored to the default initial location, (because a symlink is created and can't be switched back, yet). diff --git a/mysql/tasks/utils.yml b/mysql/tasks/utils.yml index 87291374..d0fe71a8 100644 --- a/mysql/tasks/utils.yml +++ b/mysql/tasks/utils.yml @@ -62,7 +62,6 @@ tags: - mysql - mysqltuner - - mysqltuner - name: Install aha apt: From d4a47346ef1876f92e7b4f7e0409907b46b6b014 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Fri, 1 Sep 2017 03:58:19 +0200 Subject: [PATCH 218/277] In Stretch, we have now /etc/mysql/mariadb.conf.d/ dir then we need use it for our conf files --- mysql/tasks/{config.yml => config_jessie.yml} | 0 mysql/tasks/config_stretch.yml | 22 +++++++++++++++++++ mysql/tasks/main.yml | 6 ++++- 3 files changed, 27 insertions(+), 1 deletion(-) rename mysql/tasks/{config.yml => config_jessie.yml} (100%) create mode 100644 mysql/tasks/config_stretch.yml diff --git a/mysql/tasks/config.yml b/mysql/tasks/config_jessie.yml similarity index 100% rename from mysql/tasks/config.yml rename to mysql/tasks/config_jessie.yml diff --git a/mysql/tasks/config_stretch.yml b/mysql/tasks/config_stretch.yml new file mode 100644 index 00000000..a937c03d --- /dev/null +++ b/mysql/tasks/config_stretch.yml @@ -0,0 +1,22 @@ +--- +- name: Copy MySQL defaults config file + copy: + src: evolinux-defaults.cnf + dest: /etc/mysql/mariadb.conf.d/z-evolinux-defaults.cnf + owner: root + group: root + mode: "0644" + force: yes + tags: + - mysql + +- name: Copy MySQL custom config file + template: + src: evolinux-custom.cnf.j2 + dest: /etc/mysql/mariadb.conf.d/zzz-evolinux-custom.cnf + owner: root + group: root + mode: "0640" + force: no + tags: + - mysql diff --git a/mysql/tasks/main.yml b/mysql/tasks/main.yml index d6892fef..dd9c2e99 100644 --- a/mysql/tasks/main.yml +++ b/mysql/tasks/main.yml @@ -12,7 +12,11 @@ - include: users_jessie.yml when: ansible_distribution_release == "jessie" -- include: config.yml +- include: config_stretch.yml + when: ansible_distribution_major_version | version_compare('9', '>=') + +- include: config_jessie.yml + when: ansible_distribution_release == "jessie" - include: datadir.yml From 2f2192e5cf60ec3e3aedda5fc61fc27465bb3255 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 21 Jul 2017 10:08:55 +0200 Subject: [PATCH 219/277] apache is compatible with Stretch --- apache/meta/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/apache/meta/main.yml b/apache/meta/main.yml index 0949e1dd..497d52e9 100644 --- a/apache/meta/main.yml +++ b/apache/meta/main.yml @@ -12,6 +12,7 @@ galaxy_info: - name: Debian versions: - jessie + - stretch dependencies: [] # List your role dependencies here, one per line. From fc23090fca027583909d629a31058aef0a3e6691 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 4 Sep 2017 17:17:51 +0200 Subject: [PATCH 220/277] MongoDB: fix syntax mistake --- mongodb/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mongodb/tasks/main.yml b/mongodb/tasks/main.yml index d6c634ad..0caee268 100644 --- a/mongodb/tasks/main.yml +++ b/mongodb/tasks/main.yml @@ -3,7 +3,7 @@ - fail: msg: only compatible with Debian 8 when: - - ansible_distribution =! "Debian" or ansible_distribution_release != "jessie" + - ansible_distribution != "Debian" or ansible_distribution_release != "jessie" # Attention à bien indiquer le protocole et le port, sinon le firewall ne laisse pas passer - name: MongoDB public GPG Key From 5d549af643bd499509b2900d4722a02b6ff16bb7 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 5 Sep 2017 15:24:51 +0200 Subject: [PATCH 221/277] evomainteance should not install the trap itself Not all users with a shell are sudoers. --- evomaintenance/tasks/main.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/evomaintenance/tasks/main.yml b/evomaintenance/tasks/main.yml index 5837287c..4be99c58 100644 --- a/evomaintenance/tasks/main.yml +++ b/evomaintenance/tasks/main.yml @@ -14,14 +14,14 @@ src: evomaintenance.j2 dest: /etc/evomaintenance.cf -- name: list users with a shell - shell: "cat /etc/passwd | grep -vE \"^root:\" | grep -E \":/[^:]+sh$\" | cut -d: -f6" - changed_when: False - check_mode: no - register: home_of_shell_users - -- include: trap.yml home={{ item }} - with_items: "{{ home_of_shell_users.stdout_lines }}" +# - name: list users with a shell +# shell: "cat /etc/passwd | grep -vE \"^root:\" | grep -E \":/[^:]+sh$\" | cut -d: -f6" +# changed_when: False +# check_mode: no +# register: home_of_shell_users +# +# - include: trap.yml home={{ item }} +# with_items: "{{ home_of_shell_users.stdout_lines }}" - name: Is minifirewall installed? stat: From 6241bdc8ce65d245f1e79b402533dc7306db576e Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Wed, 6 Sep 2017 14:57:14 +0200 Subject: [PATCH 222/277] Easy activation of Access-Control-Allow-Origin for eot|ttf|otf|woff files --- apache/files/evolinux-custom.conf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apache/files/evolinux-custom.conf b/apache/files/evolinux-custom.conf index cc5d73be..64d8f97a 100644 --- a/apache/files/evolinux-custom.conf +++ b/apache/files/evolinux-custom.conf @@ -20,3 +20,7 @@ SetEnvIf User-Agent "ApacheBench" GoAway=1 ##SSLUseStapling on ##SSLStaplingCache shmcb:${APACHE_RUN_DIR}/stapling-cache(150000) # + +# +# Header set Access-Control-Allow-Origin "*" +# From 521fe2e9f36d9479b5f46fe759aa472a31bac9f4 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Wed, 6 Sep 2017 15:34:11 +0200 Subject: [PATCH 223/277] Fix custom config file name for PHP ini values --- webapps/evoadmin-web/tasks/web.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/webapps/evoadmin-web/tasks/web.yml b/webapps/evoadmin-web/tasks/web.yml index 170e2416..75584a35 100644 --- a/webapps/evoadmin-web/tasks/web.yml +++ b/webapps/evoadmin-web/tasks/web.yml @@ -1,17 +1,17 @@ --- -- name: Set default values in /etc/php5/apache2/conf.d/z-evolinux_defaults.ini +- name: "Set custom values for PHP config (jessie)" ini_file: - dest: /etc/php5/apache2/conf.d/z-evolinux_defaults.ini + dest: /etc/php5/apache2/conf.d/zzz-evolinux-custom.ini section: PHP option: "disable_functions" value: "shell-exec,system,passthru,putenv,popen" notify: reload apache when: ansible_distribution_release == "jessie" -- name: Set default values in /etc/php5/apache2/conf.d/z-evolinux_defaults.ini +- name: "Set custom values for PHP config (Debian 9 or later)" ini_file: - dest: /etc/php/7.0/apache2/conf.d/z-evolinux_defaults.ini + dest: /etc/php/7.0/apache2/conf.d/zzz-evolinux-custom.ini section: PHP option: "disable_functions" value: "shell-exec,system,passthru,putenv,popen" From af5427e077b072363c762ba9a60cc83b1a3bb345 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Wed, 6 Sep 2017 19:28:37 +0200 Subject: [PATCH 224/277] Add flavor for installing Symfony --- php/defaults/main.yml | 1 + php/tasks/apache.yml | 11 +++++++++++ php/tasks/fpm.yml | 11 +++++++++++ php/tasks/php_jessie.yml | 12 ++++++++++++ php/tasks/php_stretch.yml | 11 +++++++++++ 5 files changed, 46 insertions(+) diff --git a/php/defaults/main.yml b/php/defaults/main.yml index 010b8d62..ca243024 100644 --- a/php/defaults/main.yml +++ b/php/defaults/main.yml @@ -2,3 +2,4 @@ php_fpm_enable: False php_apache_enable: False +php_symfony_requirements: False diff --git a/php/tasks/apache.yml b/php/tasks/apache.yml index 2059648b..32e79b4c 100644 --- a/php/tasks/apache.yml +++ b/php/tasks/apache.yml @@ -57,3 +57,14 @@ content: | # Put customized values here. force: no + +- name: "Set custom values for PHP to enable Symfony" + ini_file: + dest: "{{ php_apache_custom_file }}" + section: PHP + option: "{{ item.option }}" + value: "{{ item.value }}" + mode: "0644" + with_items: + - { option: "date.timezone", value: "Europe/Paris" } + when: php_symfony_requirements diff --git a/php/tasks/fpm.yml b/php/tasks/fpm.yml index 276a7181..b3971763 100644 --- a/php/tasks/fpm.yml +++ b/php/tasks/fpm.yml @@ -88,3 +88,14 @@ # Put customized values here. force: no +- name: "Set custom values for PHP to enable Symfony" + ini_file: + dest: "{{ phpini_cli_custom_file }}" + section: PHP + option: "{{ item.option }}" + value: "{{ item.value }}" + mode: "0644" + with_items: + - { option: "date.timezone", value: "Europe/Paris" } + when: php_symfony_requirements + diff --git a/php/tasks/php_jessie.yml b/php/tasks/php_jessie.yml index 46c7c973..661901a5 100644 --- a/php/tasks/php_jessie.yml +++ b/php/tasks/php_jessie.yml @@ -52,3 +52,15 @@ content: | # Put customized values here. force: no + +- name: "Set custom values for PHP to enable Symfony (jessie)" + ini_file: + dest: "{{ phpini_cli_custom_file }}" + section: PHP + option: "{{ item.option }}" + value: "{{ item.value }}" + mode: "0644" + with_items: + - { option: "date.timezone", value: "Europe/Paris" } + when: php_symfony_requirements + diff --git a/php/tasks/php_stretch.yml b/php/tasks/php_stretch.yml index 00ed327a..d8d81c11 100644 --- a/php/tasks/php_stretch.yml +++ b/php/tasks/php_stretch.yml @@ -53,3 +53,14 @@ content: | # Put customized values here. force: no + +- name: "Set custom values for PHP to enable Symfony (Debian 9 or later)" + ini_file: + dest: "{{ phpini_cli_custom_file }}" + section: PHP + option: "{{ item.option }}" + value: "{{ item.value }}" + mode: "0644" + with_items: + - { option: "date.timezone", value: "Europe/Paris" } + when: php_symfony_requirements From 4f3b04e97dd0be89644074fcf275538185f198d7 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Wed, 6 Sep 2017 19:30:21 +0200 Subject: [PATCH 225/277] Centralize restrictions to fhs_retrictions.yml --- packweb-apache/tasks/fhs_retrictions.yml | 5 +++++ packweb-apache/tasks/phpmyadmin.yml | 4 ---- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/packweb-apache/tasks/fhs_retrictions.yml b/packweb-apache/tasks/fhs_retrictions.yml index 123148aa..2308db2a 100644 --- a/packweb-apache/tasks/fhs_retrictions.yml +++ b/packweb-apache/tasks/fhs_retrictions.yml @@ -40,6 +40,11 @@ - /etc/phpmyadmin - /var/log/installer +- name: Change group to www-data for /etc/phpmyadmin/ + file: + dest: /etc/phpmyadmin/ + group: www-data + - name: Set u-s permission on some binaries (/bin/ping, /usr/bin/mtr, ...) shell: "test -f {{ item }} && chmod --verbose u-s {{ item }}" register: command_result diff --git a/packweb-apache/tasks/phpmyadmin.yml b/packweb-apache/tasks/phpmyadmin.yml index cc34067e..c955270e 100644 --- a/packweb-apache/tasks/phpmyadmin.yml +++ b/packweb-apache/tasks/phpmyadmin.yml @@ -20,7 +20,3 @@ changed_when: "'Disabling' in command_result.stderr" when: pma_default_config.stat.exists -- name: Change group to www-data for /etc/phpmyadmin/ - file: - dest: /etc/phpmyadmin/ - group: www-data From 94625a73c276967a486c7fa0967ea48f418eef41 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Wed, 6 Sep 2017 19:34:04 +0200 Subject: [PATCH 226/277] Prepare phpMyAdmin config if needed --- apache/templates/evolinux-default.conf.j2 | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/apache/templates/evolinux-default.conf.j2 b/apache/templates/evolinux-default.conf.j2 index a53d3c9f..ec860f7e 100644 --- a/apache/templates/evolinux-default.conf.j2 +++ b/apache/templates/evolinux-default.conf.j2 @@ -106,6 +106,15 @@ Include /etc/apache2/ipaddr_whitelist.conf + # phpMyAdmin + #Alias /phpmyadmin /var/www + #Alias /pma-42 /usr/share/phpmyadmin/ + #Include /etc/phpmyadmin/apache.conf + # + # Require all denied + # Include /etc/apache2/ipaddr_whitelist.conf + # + CustomLog /var/log/apache2/access.log vhost_combined ErrorLog /var/log/apache2/error.log LogLevel warn From be4e811c477891e861870c34c52b0d85ecd45eff Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Thu, 7 Sep 2017 01:16:45 +0200 Subject: [PATCH 227/277] phpMyAdmin configuration --- apache/defaults/main.yml | 2 - apache/tasks/main.yml | 5 --- apache/tasks/phpmyadmin.yml | 32 --------------- apache/templates/evolinux-default.conf.j2 | 10 +---- .../templates/default_www/index.html.j2 | 14 +++---- packweb-apache/defaults/main.yml | 2 + packweb-apache/tasks/phpmyadmin.yml | 39 ++++++++++++++++++- 7 files changed, 48 insertions(+), 56 deletions(-) delete mode 100644 apache/tasks/phpmyadmin.yml diff --git a/apache/defaults/main.yml b/apache/defaults/main.yml index 6b28d670..276f5a38 100644 --- a/apache/defaults/main.yml +++ b/apache/defaults/main.yml @@ -9,8 +9,6 @@ apache_evolinux_default_enabled: True apache_evolinux_default_ssl_cert: /etc/ssl/certs/ssl-cert-snakeoil.pem apache_evolinux_default_ssl_key: /etc/ssl/private/ssl-cert-snakeoil.key -apache_phpmyadmin_set: False -apache_phpmyadmin_suffix: "" apache_serverstatus_suffix: "" apache_log2mail_include: True diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index c9d60dc5..9cd52ae6 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -134,11 +134,6 @@ check_mode: no tags: - apache - when: apache_phpmyadmin_set - -- include: phpmyadmin.yml - when: apache_phpmyadmin_set and _default_index.stat.exists - # - block: # - name: generate random string for serverstatus suffix diff --git a/apache/tasks/phpmyadmin.yml b/apache/tasks/phpmyadmin.yml deleted file mode 100644 index a8b24e05..00000000 --- a/apache/tasks/phpmyadmin.yml +++ /dev/null @@ -1,32 +0,0 @@ ---- - -- block: - - name: packages are installed - apt: - name: '{{ item }}' - state: present - with_items: - - phpmyadmin - - apg - - - name: generate random string for phpmyadmin suffix - command: "apg -a 1 -M N -n 1" - changed_when: False - register: _random_phpmyadmin_suffix - - - name: overwrite apache_phpmyadmin_suffix - set_fact: - apache_phpmyadmin_suffix: "{{ _random_phpmyadmin_suffix.stdout }}" - when: apache_phpmyadmin_suffix == "" - tags: - - apache - - phpmyadmin - -- name: replace phpmyadmin suffix in default site index - replace: - dest: /var/www/index.html - regexp: '__PHPMYADMIN_SUFFIX__' - replace: "{{ apache_phpmyadmin_suffix }}" - tags: - - apache - - phpmyadmin diff --git a/apache/templates/evolinux-default.conf.j2 b/apache/templates/evolinux-default.conf.j2 index ec860f7e..5136eb33 100644 --- a/apache/templates/evolinux-default.conf.j2 +++ b/apache/templates/evolinux-default.conf.j2 @@ -106,14 +106,8 @@ Include /etc/apache2/ipaddr_whitelist.conf - # phpMyAdmin - #Alias /phpmyadmin /var/www - #Alias /pma-42 /usr/share/phpmyadmin/ - #Include /etc/phpmyadmin/apache.conf - # - # Require all denied - # Include /etc/apache2/ipaddr_whitelist.conf - # +# BEGIN phpMyAdmin section +# END phpMyAdmin section CustomLog /var/log/apache2/access.log vhost_combined ErrorLog /var/log/apache2/error.log diff --git a/evolinux-base/templates/default_www/index.html.j2 b/evolinux-base/templates/default_www/index.html.j2 index f37691ca..981732ee 100644 --- a/evolinux-base/templates/default_www/index.html.j2 +++ b/evolinux-base/templates/default_www/index.html.j2 @@ -58,14 +58,12 @@

diff --git a/packweb-apache/defaults/main.yml b/packweb-apache/defaults/main.yml index 6a2da764..8282d081 100644 --- a/packweb-apache/defaults/main.yml +++ b/packweb-apache/defaults/main.yml @@ -6,3 +6,5 @@ packweb_enable_evoadmin_vhost: True packweb_fhs_retrictions: True packweb_apache_modphp: True packweb_apache_fpm: False + +packweb_phpmyadmin_suffix: "" diff --git a/packweb-apache/tasks/phpmyadmin.yml b/packweb-apache/tasks/phpmyadmin.yml index c955270e..ec70bdeb 100644 --- a/packweb-apache/tasks/phpmyadmin.yml +++ b/packweb-apache/tasks/phpmyadmin.yml @@ -2,8 +2,11 @@ - name: Install phpmyadmin apt: - name: phpmyadmin + name: '{{ item }}' state: present + with_items: + - phpmyadmin + - apg - name: Check if phpmyadmin default configuration is present stat: @@ -20,3 +23,37 @@ changed_when: "'Disabling' in command_result.stderr" when: pma_default_config.stat.exists +- name: generate random string for phpmyadmin suffix + command: "apg -a 1 -M N -n 1" + changed_when: False + register: _random_phpmyadmin_suffix + +- name: overwrite packweb_phpmyadmin_suffix + set_fact: + packweb_phpmyadmin_suffix: "{{ _random_phpmyadmin_suffix.stdout }}" + when: packweb_phpmyadmin_suffix == "" + +- name: enable phpMyAdmin config + blockinfile: + dest: /etc/apache2/sites-available/000-evolinux-default.conf + marker: "# {mark} phpMyAdmin section" + block: | + Alias /phpmyadmin /var/www + Alias /phpmyadmin-{{ packweb_phpmyadmin_suffix }} /usr/share/phpmyadmin/ + Include /etc/phpmyadmin/apache.conf + + Require all denied + Include /etc/apache2/ipaddr_whitelist.conf + + +- name: enable phpmyadmin link in default site index + lineinfile: + dest: /var/www/index.html + line: '

  • Accès PhpMyAdmin
    • ' + regexp: "__PHPMYADMIN_SUFFIX__" + +- name: replace phpmyadmin suffix in default site index + replace: + dest: /var/www/index.html + regexp: '__PHPMYADMIN_SUFFIX__' + replace: "{{ packweb_phpmyadmin_suffix }}" From 26b76aed17ff60a9ced2178f2f2a13f1932d1b4e Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Thu, 7 Sep 2017 01:20:12 +0200 Subject: [PATCH 228/277] review default vhost --- apache/templates/evolinux-default.conf.j2 | 8 ++------ evolinux-base/templates/default_www/index.html.j2 | 6 +++++- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/apache/templates/evolinux-default.conf.j2 b/apache/templates/evolinux-default.conf.j2 index 5136eb33..b50409a8 100644 --- a/apache/templates/evolinux-default.conf.j2 +++ b/apache/templates/evolinux-default.conf.j2 @@ -67,6 +67,8 @@ DocumentRoot /var/www/ + # We override these 2 Directory directives setted in apache2.conf. + # We want no access except from allowed IP address. Include /etc/apache2/ipaddr_whitelist.conf @@ -80,12 +82,6 @@ SSLCertificateFile {{ apache_evolinux_default_ssl_cert }} SSLCertificateKeyFile {{ apache_evolinux_default_ssl_key }} - # We override these 2 Directory directives setted in apache2.conf. - # We want no access except from allowed IP address. - - Include /etc/apache2/ipaddr_whitelist.conf - - # Munin. We need to set Directory directive as Alias take precedence. Alias /munin /var/cache/munin/www diff --git a/evolinux-base/templates/default_www/index.html.j2 b/evolinux-base/templates/default_www/index.html.j2 index 981732ee..ccdb44a4 100644 --- a/evolinux-base/templates/default_www/index.html.j2 +++ b/evolinux-base/templates/default_www/index.html.j2 @@ -58,12 +58,16 @@

    From 87ef758891ae9389ac7945400a05239411256df8 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Thu, 7 Sep 2017 02:25:16 +0200 Subject: [PATCH 229/277] we need force=no for files who will be lineinfile/blockinfile --- apache/tasks/main.yml | 2 +- evolinux-base/tasks/default_www.yml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index 9cd52ae6..50fb548a 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -90,7 +90,7 @@ src: evolinux-default.conf.j2 dest: /etc/apache2/sites-available/000-evolinux-default.conf mode: "0640" - # force: yes + force: no notify: reload apache tags: - apache diff --git a/evolinux-base/tasks/default_www.yml b/evolinux-base/tasks/default_www.yml index 2e67eb97..f3d3a83c 100644 --- a/evolinux-base/tasks/default_www.yml +++ b/evolinux-base/tasks/default_www.yml @@ -20,6 +20,7 @@ src: default_www/index.html.j2 dest: /var/www/index.html mode: "0755" + force: no when: evolinux_default_www_files # SSL cert From 9f01e1869df1333ff7dbd157cbd2cfb17f6c7997 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Thu, 7 Sep 2017 23:16:41 +0200 Subject: [PATCH 230/277] Add info.php --- packweb-apache/files/info.php | 3 +++ packweb-apache/tasks/main.yml | 12 ++++++++++++ 2 files changed, 15 insertions(+) create mode 100644 packweb-apache/files/info.php diff --git a/packweb-apache/files/info.php b/packweb-apache/files/info.php new file mode 100644 index 00000000..cf608608 --- /dev/null +++ b/packweb-apache/files/info.php @@ -0,0 +1,3 @@ + diff --git a/packweb-apache/tasks/main.yml b/packweb-apache/tasks/main.yml index cf974547..2e835b24 100644 --- a/packweb-apache/tasks/main.yml +++ b/packweb-apache/tasks/main.yml @@ -23,6 +23,18 @@ php_fpm_enable: True when: packweb_apache_fpm +- name: install info.php + copy: + src: info.php + dest: /var/www/info.php + mode: "0644" + +- name: enable info.php link in default site index + lineinfile: + dest: /var/www/index.html + line: '

  • Infos PHP
    • ' + regexp: "Infos PHP" + - name: Add elements to user account template file: path: "/etc/skel/{{ item.path }}" From a074f6488afc7bdac7c7bbfcf6a8691413c5b658 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Fri, 8 Sep 2017 00:15:53 +0200 Subject: [PATCH 231/277] we use now evolinux-sudo group to set sudo rights --- evolinux-base/tasks/ssh.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evolinux-base/tasks/ssh.yml b/evolinux-base/tasks/ssh.yml index f337f3ed..c455cafb 100644 --- a/evolinux-base/tasks/ssh.yml +++ b/evolinux-base/tasks/ssh.yml @@ -8,7 +8,7 @@ blockinfile: dest: /etc/ssh/sshd_config block: | - Match Group sudo + Match Group evolinux-sudo PasswordAuthentication no Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }} PasswordAuthentication yes From 04239e3350e2ff7ab8aefd1cdc8488b4fed114b0 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Fri, 8 Sep 2017 01:10:08 +0200 Subject: [PATCH 232/277] use replace instead of lineinfile --- packweb-apache/tasks/phpmyadmin.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/packweb-apache/tasks/phpmyadmin.yml b/packweb-apache/tasks/phpmyadmin.yml index ec70bdeb..1e14be7e 100644 --- a/packweb-apache/tasks/phpmyadmin.yml +++ b/packweb-apache/tasks/phpmyadmin.yml @@ -47,10 +47,10 @@     - name: enable phpmyadmin link in default site index - lineinfile: + replace: dest: /var/www/index.html - line: '
  • Accès PhpMyAdmin
    • ' - regexp: "__PHPMYADMIN_SUFFIX__" + regexp: '' + replace: '
  • Accès PhpMyAdmin
    • ' - name: replace phpmyadmin suffix in default site index replace: From d4e800a2638400ec74b25b659ec36a65dab05b6d Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Fri, 8 Sep 2017 01:24:14 +0200 Subject: [PATCH 233/277] enable evoadmin-web link in default site index --- evolinux-base/templates/default_www/index.html.j2 | 8 ++++---- webapps/evoadmin-web/tasks/main.yml | 8 ++++++++ 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/evolinux-base/templates/default_www/index.html.j2 b/evolinux-base/templates/default_www/index.html.j2 index ccdb44a4..f7d5c428 100644 --- a/evolinux-base/templates/default_www/index.html.j2 +++ b/evolinux-base/templates/default_www/index.html.j2 @@ -64,10 +64,10 @@ - - - - + + + +

    diff --git a/webapps/evoadmin-web/tasks/main.yml b/webapps/evoadmin-web/tasks/main.yml index 655aa81d..185549aa 100644 --- a/webapps/evoadmin-web/tasks/main.yml +++ b/webapps/evoadmin-web/tasks/main.yml @@ -11,3 +11,11 @@ - include: web.yml - include: ftp.yml + +- name: enable evoadmin-web link in default site index + blockinfile: + dest: /var/www/index.html + marker: "" + block: | +

  • Interface admin web (EvoAdmin-web)
    • + From 06184a44bf6f446a49f489d590883cd72aed6380 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Fri, 8 Sep 2017 01:24:58 +0200 Subject: [PATCH 234/277] remove *ssl_subject vars to avoid errors --- evolinux-base/defaults/main.yml | 1 - evolinux-base/tasks/default_www.yml | 2 +- webapps/evoadmin-web/defaults/main.yml | 1 - webapps/evoadmin-web/tasks/ssl.yml | 2 +- 4 files changed, 2 insertions(+), 4 deletions(-) diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index 822bbf9e..e0c91fd1 100644 --- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml @@ -143,7 +143,6 @@ evolinux_default_www_include: True evolinux_default_www_files: True evolinux_default_www_ssl_cert: True -evolinux_default_www_ssl_subject: "/CN={{ ansible_fqdn }}" # hardware diff --git a/evolinux-base/tasks/default_www.yml b/evolinux-base/tasks/default_www.yml index f3d3a83c..d27ad70f 100644 --- a/evolinux-base/tasks/default_www.yml +++ b/evolinux-base/tasks/default_www.yml @@ -28,7 +28,7 @@ - block: - name: Create private key and csr for default site ({{ ansible_fqdn }}) - command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "{{ evolinux_default_www_ssl_subject }}" + command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "/CN={{ ansible_fqdn }}" args: creates: "/etc/ssl/private/{{ ansible_fqdn }}.key" diff --git a/webapps/evoadmin-web/defaults/main.yml b/webapps/evoadmin-web/defaults/main.yml index cdf309a3..58200cf1 100644 --- a/webapps/evoadmin-web/defaults/main.yml +++ b/webapps/evoadmin-web/defaults/main.yml @@ -9,7 +9,6 @@ evoadmin_log_dir: "{{ evoadmin_home_dir }}/log" evoadmin_scripts_dir: /usr/share/scripts/evoadmin/ evoadmin_host: "evoadmin.{{ ansible_fqdn }}" evoadmin_username: evoadmin -evoadmin_ssl_subject: "/CN={{ evoadmin_host }}" evoadmin_enable_vhost: True diff --git a/webapps/evoadmin-web/tasks/ssl.yml b/webapps/evoadmin-web/tasks/ssl.yml index 1eb354fc..6bdf1421 100644 --- a/webapps/evoadmin-web/tasks/ssl.yml +++ b/webapps/evoadmin-web/tasks/ssl.yml @@ -7,7 +7,7 @@ state: present - name: Create private key and csr for default site ({{ ansible_fqdn }}) - command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ evoadmin_host }}.key -out /etc/ssl/{{ evoadmin_host }}.csr -batch -subj "{{ evoadmin_ssl_subject }}" + command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ evoadmin_host }}.key -out /etc/ssl/{{ evoadmin_host }}.csr -batch -subj "/CN={{ evoadmin_host }}" args: creates: "/etc/ssl/private/{{ evoadmin_host }}.key" From 27f0369c5baf5987fe64dccc4cc1e1fd5275315c Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Fri, 8 Sep 2017 02:01:26 +0200 Subject: [PATCH 235/277] esthetic changes: add version condition in name: --- php/tasks/php_jessie.yml | 4 ++-- php/tasks/php_stretch.yml | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/php/tasks/php_jessie.yml b/php/tasks/php_jessie.yml index 661901a5..5f31671d 100644 --- a/php/tasks/php_jessie.yml +++ b/php/tasks/php_jessie.yml @@ -23,7 +23,7 @@ phpini_cli_defaults_file: /etc/php5/cli/conf.d/z-evolinux-defaults.ini phpini_cli_custom_file: /etc/php5/cli/conf.d/zzz-evolinux-custom.ini -- name: Set default php.ini values for CLI +- name: "Set default php.ini values for CLI (jessie)" ini_file: dest: "{{ phpini_cli_defaults_file }}" section: PHP @@ -39,7 +39,7 @@ - { option: "html_errors", value: "Off" } - { option: "allow_url_fopen", value: "Off" } -- name: Disable PHP functions for CLI +- name: "Disable PHP functions for CLI (jessie)" ini_file: dest: "{{ phpini_cli_defaults_file }}" section: PHP diff --git a/php/tasks/php_stretch.yml b/php/tasks/php_stretch.yml index d8d81c11..3cb5cf60 100644 --- a/php/tasks/php_stretch.yml +++ b/php/tasks/php_stretch.yml @@ -24,7 +24,7 @@ phpini_cli_defaults_file: /etc/php/7.0/cli/conf.d/z-evolinux-defaults.ini phpini_cli_custom_file: /etc/php/7.0/cli/conf.d/zzz-evolinux-custom.ini -- name: Set default php.ini values for CLI +- name: "Set default php.ini values for CLI (Debian 9 or later)" ini_file: dest: "{{ phpini_cli_defaults_file }}" section: PHP @@ -40,14 +40,14 @@ - { option: "html_errors", value: "Off" } - { option: "allow_url_fopen", value: "Off" } -- name: Disable PHP functions for CLI +- name: "Disable PHP functions for CLI (Debian 9 or later)" ini_file: dest: "{{ phpini_cli_defaults_file }}" section: PHP option: disable_functions value: "exec,shell-exec,system,passthru,putenv,popen" -- name: Custom php.ini for CLI +- name: "Custom php.ini for CLI (Debian 9 or later)" copy: dest: "{{ phpini_cli_custom_file }}" content: | From db4331b98f93107fc0350a848a38b78e1c767bae Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Fri, 8 Sep 2017 04:03:04 +0200 Subject: [PATCH 236/277] we don't need anymore shadow group in Debian 9 or later --- webapps/evoadmin-web/tasks/user.yml | 7 ++++--- webapps/evoadmin-web/tasks/web.yml | 6 ------ 2 files changed, 4 insertions(+), 9 deletions(-) diff --git a/webapps/evoadmin-web/tasks/user.yml b/webapps/evoadmin-web/tasks/user.yml index 00d151ae..377f7f60 100644 --- a/webapps/evoadmin-web/tasks/user.yml +++ b/webapps/evoadmin-web/tasks/user.yml @@ -17,7 +17,7 @@ name: git state: present -- name: Clone evoadmin repository +- name: "Clone evoadmin repository (jessie)" git: repo: https://forge.evolix.org/evoadmin-web.git dest: "{{ evoadmin_document_root}}" @@ -27,7 +27,7 @@ become_user: "{{ evoadmin_username }}" when: ansible_distribution_release == "jessie" -- name: Clone evoadmin repository +- name: "Clone evoadmin repository (Debian 9 or later)" git: repo: https://forge.evolix.org/evoadmin-web.git dest: "{{ evoadmin_document_root}}" @@ -61,11 +61,12 @@ with_items: - "{{ evoadmin_home_dir}}/www" -- name: Add www-evoadmin to group shadow +- name: "Add www-evoadmin to group shadow (jessie)" user: name: www-evoadmin groups: shadow append: yes + when: ansible_distribution_release == "jessie" - name: Add evoadmin sudoers file template: diff --git a/webapps/evoadmin-web/tasks/web.yml b/webapps/evoadmin-web/tasks/web.yml index 75584a35..0944c2cd 100644 --- a/webapps/evoadmin-web/tasks/web.yml +++ b/webapps/evoadmin-web/tasks/web.yml @@ -46,9 +46,3 @@ owner: evoadmin group: evoadmin force: no - -- name: add www-evoadmin to shadow group - user: - name: www-evoadmin - groups: shadow - append: yes From 1cc4ea65dfe90fde294f0ee746db03c7997ea03f Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 8 Sep 2017 15:04:58 +0200 Subject: [PATCH 237/277] nginx: fix default link in minimal install --- nginx/tasks/main_minimal.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx/tasks/main_minimal.yml b/nginx/tasks/main_minimal.yml index 1cded8ea..281aed7f 100644 --- a/nginx/tasks/main_minimal.yml +++ b/nginx/tasks/main_minimal.yml @@ -24,7 +24,7 @@ - name: Enable default vhost file: src: /etc/nginx/sites-available/evolinux-default.minimal.conf - dest: /etc/nginx/sites-enabled/default.conf + dest: /etc/nginx/sites-enabled/default state: link notify: reload nginx tags: From e210de5f53f865944812428f4c54ded226868e76 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Thu, 24 Aug 2017 18:25:42 +0200 Subject: [PATCH 238/277] evoacme: complete refactoring of evoacme.sh --- evoacme/files/evoacme.sh | 117 +++++++++++++++++++++------------------ 1 file changed, 63 insertions(+), 54 deletions(-) diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index d0940944..63e889da 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -1,62 +1,71 @@ -#!/bin/bash +#!/bin/sh +# +# evoacme is a shell script to manage Let's Encrypt certificate with +# certbot tool but with a dedicated user (no-root) and from a csr +# +# Author: Victor Laborie +# Licence: AGPLv3 +# -[ -f /etc/default/evoacme ] && . /etc/default/evoacme -[ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private' -[ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt' -[ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests' -[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed' -[ -z "${DH_DIR}" ] && DH_DIR='/etc/ssl/dhparam' +mkconf_apache() { + [ -f "/etc/apache2/ssl/${vhost}.conf" ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $CRT_DIR/${vhost}/live/fullchain.pem~" "/etc/apache2/ssl/${vhost}.conf" + apache2ctl -t 2>/dev/null && service apache2 reload +} -vhost=$(basename $1 .conf) -DATE=$(date "+%Y%m%d") +mkconf_nginx() { + [ -f "/etc/nginx/ssl/${vhost}.conf" ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $CRT_DIR/${vhost}/live/fullchain.pem;~" "/etc/nginx/ssl/${vhost}.conf" + nginx -t 2>/dev/null && service nginx reload +} -SSL_EMAIL=$(grep emailAddress ${CRT_DIR}/openssl.cnf|cut -d'=' -f2|xargs) -if [ -n "$SSL_EMAIL" ]; then - emailopt="--email $SSL_EMAIL" -else - emailopt="--register-unsafely-without-email" -fi +mkconf_haproxy() { + mkdir -p /etc/ssl/haproxy -m 700 + cat "$CRT_DIR/${vhost}/live/fullchain.pem" "$SSL_KEY_DIR/${vhost}.key" > "/etc/ssl/haproxy/${vhost}.pem" + [ -f "$DH_DIR/${vhost}" ] && cat "$DH_DIR/${vhost}" >> "/etc/ssl/haproxy/${vhost}.pem" + haproxy -c -f /etc/haproxy/haproxy.cfg >/dev/null && service haproxy reload +} -# Check master status for evoadmin-cluster -if [ -f /home/${vhost}/state ]; then - grep -q "STATE=master" /home/${vhost}/state - [ $? -ne 0 ] && exit 0 -fi +main() { + vhost=$(basename "$1" .conf) -if [ -h $CRT_DIR/${vhost}/live ]; then - crt_end_date=`openssl x509 -noout -enddate -in $CRT_DIR/${vhost}/live/cert.crt|sed -e "s/.*=//"` - date_crt=`date -ud "$crt_end_date" +"%s"` - date_today=`date +'%s'` - date_diff=$(( ( $date_crt - $date_today ) / (60*60*24) )) - [ $date_diff -ge $SSL_MINDAY ] && exit 0 -fi - -mkdir -pm 755 $CRT_DIR/${vhost} $CRT_DIR/${vhost}/${DATE} -chown -R acme: $CRT_DIR/${vhost} -sudo -u acme certbot certonly --quiet --webroot --csr $CSR_DIR/${vhost}.csr --webroot-path $ACME_DIR -n --agree-tos --cert-path=$CRT_DIR/${vhost}/${DATE}/cert.crt --fullchain-path=$CRT_DIR/${vhost}/${DATE}/fullchain.pem --chain-path=$CRT_DIR/${vhost}/${DATE}/chain.pem $emailopt --logs-dir $LOG_DIR 2> >(grep -v certbot.crypto_util) - -if [ $? -eq 0 ]; then - ln -sf $CRT_DIR/${vhost}/${DATE} $CRT_DIR/${vhost}/live - which apache2ctl>/dev/null - if [ $? -eq 0 ]; then - [ -f /etc/apache2/ssl/${vhost}.conf ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $CRT_DIR/${vhost}/live/fullchain.pem~" /etc/apache2/ssl/${vhost}.conf - apache2ctl -t 2>/dev/null - [ $? -eq 0 ] && service apache2 reload - fi - which nginx>/dev/null - if [ $? -eq 0 ]; then - [ -f /etc/nginx/ssl/${vhost}.conf ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $CRT_DIR/${vhost}/live/fullchain.pem;~" /etc/nginx/ssl/${vhost}.conf - nginx -t 2>/dev/null - [ $? -eq 0 ] && service nginx reload + # Check master status for evoadmin-cluster + if [ -f "/home/${vhost}/state" ]; then + grep -q "STATE=master" "/home/${vhost}/state" || exit 0 fi + + [ -f /etc/default/evoacme ] && . /etc/default/evoacme + [ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private' + [ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt' + [ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests' + [ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed' + [ -z "${DH_DIR}" ] && DH_DIR='/etc/ssl/dhparam' + [ -z "${LOG_DIR}" ] && LOG_DIR='/var/log/evoacme' - which haproxy>/dev/null - if [ $? -eq 0 ]; then - mkdir -p /etc/ssl/haproxy -m 700 - cat $CRT_DIR/${vhost}/live/fullchain.pem $SSL_KEY_DIR/${vhost}.key > /etc/ssl/haproxy/${vhost}.pem - [ -f $DH_DIR/${vhost} ] && cat $DH_DIR/${vhost} >> /etc/ssl/haproxy/${vhost}.pem - haproxy -c -f /etc/haproxy/haproxy.cfg 1>/dev/null - [ $? -eq 0 ] && service haproxy reload + SSL_EMAIL=$(grep emailAddress "${CRT_DIR}/openssl.cnf"|cut -d'=' -f2|xargs) + if [ -n "$SSL_EMAIL" ]; then + emailopt="-m $SSL_EMAIL" + else + emailopt="--register-unsafely-without-email" fi - exit 0 -fi + DATE=$(date "+%Y%m%d") + + if [ -h "$CRT_DIR/${vhost}/live" ]; then + crt_end_date=$(openssl x509 -noout -enddate -in "$CRT_DIR/${vhost}/live/cert.crt"|sed -e "s/.*=//") + date_crt=$(date -ud "$crt_end_date" +"%s") + date_today=$(date +'%s') + date_diff=$(((date_crt - date_today) / (60*60*24))) + [ "$date_diff" -ge "$SSL_MINDAY" ] && exit 0 + fi + mkdir -pm 755 "$CRT_DIR/${vhost}/${DATE}" + chown -R acme: "$CRT_DIR/${vhost}" + sudo -u acme certbot certonly --quiet --webroot --csr "$CSR_DIR/${vhost}.csr" --webroot-path "$ACME_DIR" -n --agree-tos --cert-path="$CRT_DIR/${vhost}/${DATE}/cert.crt" --fullchain-path="$CRT_DIR/${vhost}/${DATE}/fullchain.pem" --chain-path="$CRT_DIR/${vhost}/${DATE}/chain.pem" "$emailopt" --logs-dir "$LOG_DIR" 2>&1 | grep -v "certbot.crypto_util" + if [ -f "$CRT_DIR/${vhost}/${DATE}/fullchain.pem" ]; then + ln -sf "$CRT_DIR/${vhost}/${DATE}" "$CRT_DIR/${vhost}/live" + which apache2ctl >/dev/null && mkconf_apache + which nginx >/dev/null && mkconf_nginx + which haproxy >/dev/null && mkconf_haproxy + else + rmdir "$CRT_DIR/${vhost}/${DATE}" + fi +} + +main "$@" From 9deb5948342072089944db89004f004a95a2567c Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Thu, 24 Aug 2017 19:27:07 +0200 Subject: [PATCH 239/277] evoacme: move scripts in /usr/local/sbin --- evoacme/tasks/scripts.yml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/evoacme/tasks/scripts.yml b/evoacme/tasks/scripts.yml index 930f1f25..01e61fdb 100644 --- a/evoacme/tasks/scripts.yml +++ b/evoacme/tasks/scripts.yml @@ -10,7 +10,7 @@ - name: Copy make-csr.sh script copy: src: files/make-csr.sh - dest: /usr/local/bin/make-csr + dest: /usr/local/sbin/make-csr owner: root group: root mode: "0755" @@ -18,7 +18,15 @@ - name: Copy evoacme script copy: src: files/evoacme.sh - dest: /usr/local/bin/evoacme + dest: /usr/local/sbin/evoacme owner: root group: root mode: "0755" + +- name: Delete scripts in old location + file: + path: "/usr/local/bin/{{ item }}" + state: absent + with_items: + - 'make-csr' + - 'evoacme' From 8d7cbab3a9a85df079ae90fb15d4dd2517f01669 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 25 Aug 2017 14:32:58 +0200 Subject: [PATCH 240/277] evoacme: refactoring of certbot.cron --- evoacme/files/certbot.cron | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-) diff --git a/evoacme/files/certbot.cron b/evoacme/files/certbot.cron index 84a22241..a7c4eef2 100755 --- a/evoacme/files/certbot.cron +++ b/evoacme/files/certbot.cron @@ -1,17 +1,14 @@ #!/bin/sh +# +# Run evoacme script on every configured cert +# +# Author: Victor Laborie +# Licence: AGPLv3 +# [ -f /etc/default/evoacme ] && . /etc/default/evoacme [ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt' -[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed' -find ${CRT_DIR} -maxdepth 1 -mindepth 1 -type d ! -path "*accounts" -exec basename {} \; | while read vhost; do - evoacme $vhost -done - -# Compatibility with older version of evoacme -find ${CRT_DIR} -maxdepth 1 -mindepth 1 -type f -name "*.crt" -exec basename {} .crt \; | while read vhost; do - [ -f /etc/apache2/ssl/${vhost}.conf ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $SELF_SIGNED_DIR/${vhost}.pem~" /etc/apache2/ssl/${vhost}.conf - [ -f /etc/nginx/ssl/${vhost}.conf ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $SELF_SIGNED_DIR/${vhost}.pem;~" /etc/nginx/ssl/${vhost}.conf - rm ${CRT_DIR}/${vhost}.crt ${CRT_DIR}/${vhost}-chain.pem ${CRT_DIR}/${vhost}-fullchain.pem - evoacme $vhost +find "${CRT_DIR}" -maxdepth 1 -mindepth 1 -type d ! -path "*accounts" -exec basename {} \; | while read vhost; do + evoacme "$vhost" done From 05afeea8946607d818e18e88cb2cccfd288bb871 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 25 Aug 2017 14:40:00 +0200 Subject: [PATCH 241/277] evoacme: remove obsolete sudoers file --- evoacme/files/sudoers | 1 - 1 file changed, 1 deletion(-) delete mode 100644 evoacme/files/sudoers diff --git a/evoacme/files/sudoers b/evoacme/files/sudoers deleted file mode 100644 index 4a43bce3..00000000 --- a/evoacme/files/sudoers +++ /dev/null @@ -1 +0,0 @@ -acme ALL=(ALL:ALL) NOPASSWD: /opt/certbot/certbot-auto From e16eafc1a08bd58593356d59adaa8be6f1682317 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 25 Aug 2017 18:13:32 +0200 Subject: [PATCH 242/277] evoacme: complete refactoring of make-csr.sh --- evoacme/files/make-csr.sh | 225 ++++++++++++++++++++++---------------- 1 file changed, 130 insertions(+), 95 deletions(-) diff --git a/evoacme/files/make-csr.sh b/evoacme/files/make-csr.sh index 5b2c9298..76cde50b 100755 --- a/evoacme/files/make-csr.sh +++ b/evoacme/files/make-csr.sh @@ -1,114 +1,149 @@ -#!/bin/bash +#!/bin/sh +# +# make-csr is a shell script designed to automatically generate a +# certificate signing request (CSR) from an Apache or a Nginx vhost +# +# Author: Victor Laborie +# Licence: AGPLv3 +# -[ -f /etc/default/evoacme ] && source /etc/default/evoacme -[ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private' -[ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests' -[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed' - -shopt -s extglob - -vhost=$(basename $1 .conf) -vhostfiles=$(ls -1 /etc/{nginx,apache2}/sites-enabled/${vhost}?(.conf) 2>/dev/null) - -if [ $(echo "${vhostfiles}"|wc -l) -lt 1 ]; then - echo "$vhost doesn't exist !" - exit 1 -fi - -for vhostfile in "${vhostfiles}"; do - break; -done - -if [ -f $SSL_KEY_DIR/${vhost}.key ]; then - read -p "$vhost key already exist, overwrite it ? (y)" -n 1 -r - echo "" - if [[ ! $REPLY =~ ^[Yy]$ ]]; then - exit 1 +get_domains() { + echo "$vhostfile"|grep -q nginx + if [ "$?" -eq 0 ]; then + domains=$(grep -oE "^( )*[^#]+" "$vhostfile" |grep -oE "[^\$]server_name.*;$"|sed 's/server_name//'|tr -d ';'|sed 's/\s\{1,\}//'|sed 's/\s\{1,\}/\n/g'|sort|uniq) fi - rm -f /etc/apache2/ssl/${vhost}.conf - rm -f /etc/nginx/ssl/${vhost}.conf -fi - -SSL_KEY_SIZE=$(grep default_bits /etc/letsencrypt/openssl.cnf|cut -d'=' -f2|xargs) -openssl genrsa -out $SSL_KEY_DIR/${vhost}.key $SSL_KEY_SIZE -chown root: $SSL_KEY_DIR/${vhost}.key -chmod 600 $SSL_KEY_DIR/${vhost}.key - -nb=0 - -echo $vhostfile |grep -q nginx -if [ $? -eq 0 ]; then - domains=`grep -oE "^( )*[^#]+" $vhostfile |grep -oE "[^\$]server_name.*;$"|sed 's/server_name//'|tr -d ';'|sed 's/\s\{1,\}//'|sed 's/\s\{1,\}/\n/g'|sort|uniq` -fi - -echo $vhostfile |grep -q apache2 -if [ $? -eq 0 ]; then - domains=`grep -oE "^( )*[^#]+" $vhostfile |grep -oE "(ServerName|ServerAlias).*"|sed 's/ServerName//'|sed 's/ServerAlias//'|sed 's/\s\{1,\}//'|sort|uniq` -fi - -valid_domains='' -srv_ip=$(ip a|grep brd|cut -d'/' -f1|grep -oE "([0-9]+\.){3}[0-9]+") - -echo "Valid Domain(s) for $vhost :" -for domain in $domains -do - real_ip=$(dig +short $domain|grep -oE "([0-9]+\.){3}[0-9]+") - for ip in $(echo $srv_ip|xargs -n1); do - if [ "${ip}" == "${real_ip}" ]; then - valid_domains="$valid_domains $domain" - nb=$(( nb + 1 )) - echo "- $domain" - fi - done -done - -if [ $nb -eq 0 ]; then - nb=`echo $domains|wc -l` - echo "No valid domains : $domains" >&2 -else - domains=$valid_domains -fi - -mkdir -p $CSR_DIR -m 0755 - -if [ $nb -eq 1 ]; then - openssl req -new -sha256 -key $SSL_KEY_DIR/${vhost}.key -config <(cat /etc/letsencrypt/openssl.cnf <(printf "CN=$domains")) -out $CSR_DIR/${vhost}.csr -elif [ $nb -gt 1 ]; then - san='' + + echo "$vhostfile" |grep -q apache2 + if [ "$?" -eq 0 ]; then + domains=$(grep -oE "^( )*[^#]+" "$vhostfile" |grep -oE "(ServerName|ServerAlias).*"|sed 's/ServerName//'|sed 's/ServerAlias//'|sed 's/\s\{1,\}//'|sort|uniq) + fi + valid_domains="" + nb=0 + + echo "Valid Domain(s) for $vhost :" for domain in $domains do - san="$san,DNS:$domain" + real_ip=$(dig +short "$domain"|grep -oE "([0-9]+\.){3}[0-9]+") + for ip in $(echo "$SRV_IP"|xargs -n1); do + if [ "${ip}" = "${real_ip}" ]; then + valid_domains="$valid_domains $domain" + nb=$(( nb + 1 )) + echo "* $domain" + fi + done done - san=`echo $san|sed 's/,//'` - openssl req -new -sha256 -key $SSL_KEY_DIR/${vhost}.key -reqexts SAN -config <(cat /etc/letsencrypt/openssl.cnf <(printf "[SAN]\nsubjectAltName=$san")) > $CSR_DIR/${vhost}.csr -fi - -if [ -f $CSR_DIR/${vhost}.csr ]; then - chmod 644 $CSR_DIR/${vhost}.csr - mkdir -p $SELF_SIGNED_DIR -m 0755 - openssl x509 -req -sha256 -days 365 -in $CSR_DIR/${vhost}.csr -signkey $SSL_KEY_DIR/${vhost}.key -out $SELF_SIGNED_DIR/${vhost}.pem - if [ -f $SELF_SIGNED_DIR/${vhost}.pem ]; then - chmod 644 $SELF_SIGNED_DIR/${vhost}.pem + + if [ "$nb" -eq 0 ]; then + nb=$(echo "$domains"|wc -l) + echo "No valid domains : $domains" >&2 + domains="$domains" + else + domains="$valid_domains" fi -fi + domains=$(echo "$domains"|xargs -n1) +} -if [ -d /etc/apache2 ]; then +make_key() { + openssl genrsa -out "$SSL_KEY_DIR/${vhost}.key" "$SSL_KEY_SIZE" 2>/dev/null + chown root: "$SSL_KEY_DIR/${vhost}.key" + chmod 600 "$SSL_KEY_DIR/${vhost}.key" +} + +make_csr() { + domains="$1" + nb=$(echo "$domains"|wc -l) + config_file="/tmp/make-csr-${vhost}.conf" + + mkdir -p "$CSR_DIR" -m 0755 + + if [ "$nb" -eq 1 ]; then + cat /etc/letsencrypt/openssl.cnf - > "$config_file" < "$config_file" < "$CSR_DIR/${vhost}.csr" + fi + + if [ -f "$CSR_DIR/${vhost}.csr" ]; then + chmod 644 "$CSR_DIR/${vhost}.csr" + mkdir -p "$SELF_SIGNED_DIR" -m 0755 + openssl x509 -req -sha256 -days 365 -in "$CSR_DIR/${vhost}.csr" -signkey "$SSL_KEY_DIR/${vhost}.key" -out "$SELF_SIGNED_DIR/${vhost}.pem" + [ -f "$SELF_SIGNED_DIR/${vhost}.pem" ] && chmod 644 "$SELF_SIGNED_DIR/${vhost}.pem" + fi +} + +mkconf_apache() { mkdir -p /etc/apache2/ssl - if [ ! -f /etc/apache2/ssl/${vhost}.conf ]; then - cat > /etc/apache2/ssl/${vhost}.conf < "/etc/apache2/ssl/${vhost}.conf" < /etc/nginx/ssl/${vhost}.conf < /etc/nginx/ssl/${vhost}.conf" <&2 + exit 1 + fi + vhost=$(basename "$1" .conf) + local_ip=$(ip a|grep brd|cut -d'/' -f1|grep -oE "([0-9]+\.){3}[0-9]+") + + [ -f /etc/default/evoacme ] && . /etc/default/evoacme + [ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private' + [ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests' + [ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt' + [ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed' + SSL_KEY_SIZE=$(grep default_bits /etc/letsencrypt/openssl.cnf|cut -d'=' -f2|xargs) + [ -n "${SRV_IP}" ] && SRV_IP="${SRV_IP} local_ip" || SRV_IP="$local_ip" + + vhostfile=$(ls "/etc/nginx/sites-enabled/${vhost}" "/etc/nginx/sites-enabled/${vhost}.conf" "/etc/apache2/sites-enabled/${vhost}" "/etc/apache2/sites-enabled/${vhost}.conf" 2>/dev/null|head -n1) + + if [ ! -h "$vhostfile" ]; then + echo "$vhost is not a valid virtualhost !" >&2 + exit 1 + fi + + if [ -f "$SSL_KEY_DIR/${vhost}.key" ]; then + echo "$vhost key already exist, overwrite it ? (y)" + read REPLY + [ "$REPLY" = "Y" ] || [ "$REPLY" = "y" ] || exit 0 + rm -f "/etc/apache2/ssl/${vhost}.conf /etc/nginx/ssl/${vhost}.conf" + [ -h "${CRT_DIR}/${vhost}/live" ] && rm "${CRT_DIR}/${vhost}/live" + fi + + get_domains + make_key + make_csr "$domains" + which apache2ctl >/dev/null && mkconf_apache + which nginx >/dev/null && mkconf_nginx +} + +main "$@" From 740b60d838cc06c02553b42ea96d80a6cf7a1643 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 1 Sep 2017 10:55:07 +0200 Subject: [PATCH 243/277] evoacme: make-csr stdout is more verbose --- evoacme/files/make-csr.sh | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/evoacme/files/make-csr.sh b/evoacme/files/make-csr.sh index 76cde50b..aa98e073 100755 --- a/evoacme/files/make-csr.sh +++ b/evoacme/files/make-csr.sh @@ -20,7 +20,7 @@ get_domains() { valid_domains="" nb=0 - echo "Valid Domain(s) for $vhost :" + echo "Domain(s) in $vhost :" for domain in $domains do real_ip=$(dig +short "$domain"|grep -oE "([0-9]+\.){3}[0-9]+") @@ -28,16 +28,19 @@ get_domains() { if [ "${ip}" = "${real_ip}" ]; then valid_domains="$valid_domains $domain" nb=$(( nb + 1 )) - echo "* $domain" + echo "* $domain : OK ($real_ip)" + else + echo "* $domain : INVALID ($real_ip)" fi done done if [ "$nb" -eq 0 ]; then nb=$(echo "$domains"|wc -l) - echo "No valid domains : $domains" >&2 + echo "No valid domain found, all domains will be used for CSR creation." domains="$domains" else + echo "CSR will be created only with valid domains." domains="$valid_domains" fi domains=$(echo "$domains"|xargs -n1) From 0726d29796460b51b4cf092ba23c2baf126f3823 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 1 Sep 2017 11:14:33 +0200 Subject: [PATCH 244/277] evoacme: purge same day cert before recreating it --- evoacme/files/evoacme.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index 63e889da..1715f8db 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -55,6 +55,7 @@ main() { date_diff=$(((date_crt - date_today) / (60*60*24))) [ "$date_diff" -ge "$SSL_MINDAY" ] && exit 0 fi + rm -rf "$CRT_DIR/${vhost}/${DATE}" mkdir -pm 755 "$CRT_DIR/${vhost}/${DATE}" chown -R acme: "$CRT_DIR/${vhost}" sudo -u acme certbot certonly --quiet --webroot --csr "$CSR_DIR/${vhost}.csr" --webroot-path "$ACME_DIR" -n --agree-tos --cert-path="$CRT_DIR/${vhost}/${DATE}/cert.crt" --fullchain-path="$CRT_DIR/${vhost}/${DATE}/fullchain.pem" --chain-path="$CRT_DIR/${vhost}/${DATE}/chain.pem" "$emailopt" --logs-dir "$LOG_DIR" 2>&1 | grep -v "certbot.crypto_util" From ff392d8e269498f1b8cb7acf9fd63fce9fa1b67c Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 5 Sep 2017 13:40:01 +0200 Subject: [PATCH 245/277] evoacme: fix symlink generation --- evoacme/files/evoacme.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index 1715f8db..a972c04f 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -60,7 +60,8 @@ main() { chown -R acme: "$CRT_DIR/${vhost}" sudo -u acme certbot certonly --quiet --webroot --csr "$CSR_DIR/${vhost}.csr" --webroot-path "$ACME_DIR" -n --agree-tos --cert-path="$CRT_DIR/${vhost}/${DATE}/cert.crt" --fullchain-path="$CRT_DIR/${vhost}/${DATE}/fullchain.pem" --chain-path="$CRT_DIR/${vhost}/${DATE}/chain.pem" "$emailopt" --logs-dir "$LOG_DIR" 2>&1 | grep -v "certbot.crypto_util" if [ -f "$CRT_DIR/${vhost}/${DATE}/fullchain.pem" ]; then - ln -sf "$CRT_DIR/${vhost}/${DATE}" "$CRT_DIR/${vhost}/live" + rm -f live + ln -s "${DATE}" live which apache2ctl >/dev/null && mkconf_apache which nginx >/dev/null && mkconf_nginx which haproxy >/dev/null && mkconf_haproxy From 1fbcb615596a385745c5db3c8c40b33db534ad8f Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Mon, 11 Sep 2017 11:48:17 +0200 Subject: [PATCH 246/277] evoacme: fix typo --- evoacme/files/make-csr.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evoacme/files/make-csr.sh b/evoacme/files/make-csr.sh index aa98e073..7a510009 100755 --- a/evoacme/files/make-csr.sh +++ b/evoacme/files/make-csr.sh @@ -102,7 +102,7 @@ EOF mkconf_nginx() { mkdir -p /etc/nginx/ssl if [ ! -f "/etc/nginx/ssl/${vhost}.conf" ]; then - "cat > /etc/nginx/ssl/${vhost}.conf" < "/etc/nginx/ssl/${vhost}.conf" < Date: Mon, 11 Sep 2017 11:54:22 +0200 Subject: [PATCH 247/277] evoacme: fix live link path --- evoacme/files/evoacme.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index a972c04f..7f8793b9 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -60,8 +60,8 @@ main() { chown -R acme: "$CRT_DIR/${vhost}" sudo -u acme certbot certonly --quiet --webroot --csr "$CSR_DIR/${vhost}.csr" --webroot-path "$ACME_DIR" -n --agree-tos --cert-path="$CRT_DIR/${vhost}/${DATE}/cert.crt" --fullchain-path="$CRT_DIR/${vhost}/${DATE}/fullchain.pem" --chain-path="$CRT_DIR/${vhost}/${DATE}/chain.pem" "$emailopt" --logs-dir "$LOG_DIR" 2>&1 | grep -v "certbot.crypto_util" if [ -f "$CRT_DIR/${vhost}/${DATE}/fullchain.pem" ]; then - rm -f live - ln -s "${DATE}" live + rm -f "$CRT_DIR/${vhost}/live" + ln -s "$CRT_DIR/${vhost}/${DATE}" "$CRT_DIR/${vhost}/live" which apache2ctl >/dev/null && mkconf_apache which nginx >/dev/null && mkconf_nginx which haproxy >/dev/null && mkconf_haproxy From ab177c2dade6af639190b9cdcf226f9444659e0a Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Mon, 11 Sep 2017 12:12:43 +0200 Subject: [PATCH 248/277] evoacme: add pem extension to dhparam file --- evoacme/files/evoacme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index 7f8793b9..7410bbca 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -20,7 +20,7 @@ mkconf_nginx() { mkconf_haproxy() { mkdir -p /etc/ssl/haproxy -m 700 cat "$CRT_DIR/${vhost}/live/fullchain.pem" "$SSL_KEY_DIR/${vhost}.key" > "/etc/ssl/haproxy/${vhost}.pem" - [ -f "$DH_DIR/${vhost}" ] && cat "$DH_DIR/${vhost}" >> "/etc/ssl/haproxy/${vhost}.pem" + [ -f "$DH_DIR/${vhost}.pem" ] && cat "$DH_DIR/${vhost}.pem" >> "/etc/ssl/haproxy/${vhost}.pem" haproxy -c -f /etc/haproxy/haproxy.cfg >/dev/null && service haproxy reload } From 069e675c6ba70e4a388da68fec1a7a8e2d34c589 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Mon, 11 Sep 2017 14:18:20 +0200 Subject: [PATCH 249/277] evoacme: add basic check to evoacme.sh --- evoacme/files/evoacme.sh | 25 ++++++++++++++++++------- 1 file changed, 18 insertions(+), 7 deletions(-) diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index 7410bbca..ffbf22ac 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -7,6 +7,15 @@ # Licence: AGPLv3 # +usage() { + echo "Usage: $0 NAME" + echo "" + echo "NAME must be correspond to :" + echo "- a CSR in ${CSR_DIR}/NAME.csr" + echo "- a KEY in ${SSL_KEY_DIR}/NAME.key" + echo "" +} + mkconf_apache() { [ -f "/etc/apache2/ssl/${vhost}.conf" ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $CRT_DIR/${vhost}/live/fullchain.pem~" "/etc/apache2/ssl/${vhost}.conf" apache2ctl -t 2>/dev/null && service apache2 reload @@ -25,13 +34,6 @@ mkconf_haproxy() { } main() { - vhost=$(basename "$1" .conf) - - # Check master status for evoadmin-cluster - if [ -f "/home/${vhost}/state" ]; then - grep -q "STATE=master" "/home/${vhost}/state" || exit 0 - fi - [ -f /etc/default/evoacme ] && . /etc/default/evoacme [ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private' [ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt' @@ -40,6 +42,15 @@ main() { [ -z "${DH_DIR}" ] && DH_DIR='/etc/ssl/dhparam' [ -z "${LOG_DIR}" ] && LOG_DIR='/var/log/evoacme' + [ "$#" -ne 1 ] && usage && exit 1 + + vhost=$(basename "$1" .conf) + + # Check master status for evoadmin-cluster + if [ -f "/home/${vhost}/state" ]; then + grep -q "STATE=master" "/home/${vhost}/state" || exit 0 + fi + SSL_EMAIL=$(grep emailAddress "${CRT_DIR}/openssl.cnf"|cut -d'=' -f2|xargs) if [ -n "$SSL_EMAIL" ]; then emailopt="-m $SSL_EMAIL" From 0438ece246f586c28fdd5c7514deb11a9d5b5a4c Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 12 Sep 2017 10:41:47 +0200 Subject: [PATCH 250/277] php: comments starting with '#' are deprecated --- php/tasks/apache.yml | 2 +- php/tasks/fpm.yml | 4 ++-- php/tasks/php_jessie.yml | 2 +- php/tasks/php_stretch.yml | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/php/tasks/apache.yml b/php/tasks/apache.yml index 32e79b4c..99c50e2b 100644 --- a/php/tasks/apache.yml +++ b/php/tasks/apache.yml @@ -55,7 +55,7 @@ copy: dest: "{{ php_apache_custom_file }}" content: | - # Put customized values here. + ; Put customized values here. force: no - name: "Set custom values for PHP to enable Symfony" diff --git a/php/tasks/fpm.yml b/php/tasks/fpm.yml index b3971763..8647003d 100644 --- a/php/tasks/fpm.yml +++ b/php/tasks/fpm.yml @@ -59,7 +59,7 @@ copy: dest: "{{ phpini_fpm_custom_file }}" content: | - # Put customized values here. + ; Put customized values here. force: no - name: Set default PHP FPM values @@ -85,7 +85,7 @@ copy: dest: "{{ php_fpm_custom_file }}" content: | - # Put customized values here. + ; Put customized values here. force: no - name: "Set custom values for PHP to enable Symfony" diff --git a/php/tasks/php_jessie.yml b/php/tasks/php_jessie.yml index 5f31671d..62e68aa8 100644 --- a/php/tasks/php_jessie.yml +++ b/php/tasks/php_jessie.yml @@ -50,7 +50,7 @@ copy: dest: "{{ phpini_cli_custom_file }}" content: | - # Put customized values here. + ; Put customized values here. force: no - name: "Set custom values for PHP to enable Symfony (jessie)" diff --git a/php/tasks/php_stretch.yml b/php/tasks/php_stretch.yml index 3cb5cf60..1ebae567 100644 --- a/php/tasks/php_stretch.yml +++ b/php/tasks/php_stretch.yml @@ -51,7 +51,7 @@ copy: dest: "{{ phpini_cli_custom_file }}" content: | - # Put customized values here. + ; Put customized values here. force: no - name: "Set custom values for PHP to enable Symfony (Debian 9 or later)" From 81aabdbe5e2a2a0c20584544ef7e654342d04aa8 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 12 Sep 2017 15:15:31 +0200 Subject: [PATCH 251/277] nginx: apt preferences for libnginx packages --- nginx/files/apt/nginx_preferences | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx/files/apt/nginx_preferences b/nginx/files/apt/nginx_preferences index 5ff68c38..e8f693bd 100644 --- a/nginx/files/apt/nginx_preferences +++ b/nginx/files/apt/nginx_preferences @@ -1,3 +1,3 @@ -Package: nginx nginx-common nginx-doc nginx-extras nginx-extras-dbg nginx-full nginx-full-dbg nginx-light nginx-light-dbg libssl1.0.0 +Package: nginx nginx-common nginx-doc nginx-extras nginx-extras-dbg nginx-full nginx-full-dbg nginx-light nginx-light-dbg libnginx-mod-* libssl1.0.0 Pin: release a=jessie-backports Pin-Priority: 999 From f5fdd71681547fa0959f5890a359e809ad747b01 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 12 Sep 2017 15:49:29 +0200 Subject: [PATCH 252/277] evoacme: fix invalid domain printing in make-csr --- evoacme/files/make-csr.sh | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/evoacme/files/make-csr.sh b/evoacme/files/make-csr.sh index 7a510009..4d05b306 100755 --- a/evoacme/files/make-csr.sh +++ b/evoacme/files/make-csr.sh @@ -20,27 +20,26 @@ get_domains() { valid_domains="" nb=0 - echo "Domain(s) in $vhost :" - for domain in $domains - do + echo "Valid(s) domain(s) in $vhost :" + for domain in $domains; do real_ip=$(dig +short "$domain"|grep -oE "([0-9]+\.){3}[0-9]+") for ip in $(echo "$SRV_IP"|xargs -n1); do if [ "${ip}" = "${real_ip}" ]; then valid_domains="$valid_domains $domain" nb=$(( nb + 1 )) - echo "* $domain : OK ($real_ip)" - else - echo "* $domain : INVALID ($real_ip)" + echo "* $domain -> $real_ip" fi done done if [ "$nb" -eq 0 ]; then nb=$(echo "$domains"|wc -l) - echo "No valid domain found, all domains will be used for CSR creation." - domains="$domains" + echo "* No valid domain found" + echo "All following(s) domain(s) will be used for CSR creation :" + for domain in $domains; do + echo "* $domain" + done else - echo "CSR will be created only with valid domains." domains="$valid_domains" fi domains=$(echo "$domains"|xargs -n1) From a1188c7823bcef553edc9dfe708a07e157980259 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Tue, 12 Sep 2017 20:14:56 +0200 Subject: [PATCH 253/277] add default_charset example in php custom files --- php/tasks/apache.yml | 1 + php/tasks/fpm.yml | 1 + php/tasks/php_stretch.yml | 1 + 3 files changed, 3 insertions(+) diff --git a/php/tasks/apache.yml b/php/tasks/apache.yml index 99c50e2b..179eb1fc 100644 --- a/php/tasks/apache.yml +++ b/php/tasks/apache.yml @@ -56,6 +56,7 @@ dest: "{{ php_apache_custom_file }}" content: | ; Put customized values here. + ; default_charset = "ISO-8859-1" force: no - name: "Set custom values for PHP to enable Symfony" diff --git a/php/tasks/fpm.yml b/php/tasks/fpm.yml index 8647003d..6c31ff5f 100644 --- a/php/tasks/fpm.yml +++ b/php/tasks/fpm.yml @@ -86,6 +86,7 @@ dest: "{{ php_fpm_custom_file }}" content: | ; Put customized values here. + ; default_charset = "ISO-8859-1" force: no - name: "Set custom values for PHP to enable Symfony" diff --git a/php/tasks/php_stretch.yml b/php/tasks/php_stretch.yml index 1ebae567..d566ab23 100644 --- a/php/tasks/php_stretch.yml +++ b/php/tasks/php_stretch.yml @@ -52,6 +52,7 @@ dest: "{{ phpini_cli_custom_file }}" content: | ; Put customized values here. + ; default_charset = "ISO-8859-1" force: no - name: "Set custom values for PHP to enable Symfony (Debian 9 or later)" From 8a139b07b28c57d0828c45ee9209255433f30d02 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Wed, 13 Sep 2017 11:38:38 +0200 Subject: [PATCH 254/277] evoacme: fix SRV_IP overriding in make-csr --- evoacme/files/make-csr.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evoacme/files/make-csr.sh b/evoacme/files/make-csr.sh index 4d05b306..844847ab 100755 --- a/evoacme/files/make-csr.sh +++ b/evoacme/files/make-csr.sh @@ -124,7 +124,7 @@ main() { [ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt' [ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed' SSL_KEY_SIZE=$(grep default_bits /etc/letsencrypt/openssl.cnf|cut -d'=' -f2|xargs) - [ -n "${SRV_IP}" ] && SRV_IP="${SRV_IP} local_ip" || SRV_IP="$local_ip" + [ -n "${SRV_IP}" ] && SRV_IP="${SRV_IP} $local_ip" || SRV_IP="$local_ip" vhostfile=$(ls "/etc/nginx/sites-enabled/${vhost}" "/etc/nginx/sites-enabled/${vhost}.conf" "/etc/apache2/sites-enabled/${vhost}" "/etc/apache2/sites-enabled/${vhost}.conf" 2>/dev/null|head -n1) From ca2048f9e35bfec9f8012d3c803cc8df333c3840 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 14 Sep 2017 08:55:15 +0200 Subject: [PATCH 255/277] squid: fix variable name --- squid/tasks/logrotate.yml | 2 +- squid/tasks/main.yml | 6 +++--- squid/templates/log2mail.j2 | 2 +- squid/templates/logrotate.j2 | 4 ++-- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/squid/tasks/logrotate.yml b/squid/tasks/logrotate.yml index 8464d309..975c3a96 100644 --- a/squid/tasks/logrotate.yml +++ b/squid/tasks/logrotate.yml @@ -2,5 +2,5 @@ - name: logrotate configuration template: src: logrotate.j2 - dest: /etc/logrotate.d/{{ squid_daemoname }} + dest: /etc/logrotate.d/{{ squid_daemon_name }} force: no diff --git a/squid/tasks/main.yml b/squid/tasks/main.yml index 542730bb..9a6e0469 100644 --- a/squid/tasks/main.yml +++ b/squid/tasks/main.yml @@ -7,12 +7,12 @@ - name: "Set squid name (jessie)" set_fact: - squid_daemoname: squid3 + squid_daemon_name: squid3 when: ansible_distribution_release == "jessie" - name: "Set squid name (Debian 9 or later)" set_fact: - squid_daemoname: squid + squid_daemon_name: squid when: ansible_distribution_major_version | version_compare('9', '>=') - name: "Install Squid packages" @@ -20,7 +20,7 @@ name: '{{ item }}' state: present with_items: - - "{{ squid_daemoname }}" + - "{{ squid_daemon_name }}" - squidclient - name: "Set alternative config file (Debian 9 or later)" diff --git a/squid/templates/log2mail.j2 b/squid/templates/log2mail.j2 index 7a025676..f01256c5 100644 --- a/squid/templates/log2mail.j2 +++ b/squid/templates/log2mail.j2 @@ -1,4 +1,4 @@ -file = /var/log/{{ squid_daemoname }}/access.log +file = /var/log/{{ squid_daemon_name }}/access.log pattern = "TCP_DENIED" mailto = {{ log2mail_alert_email or general_alert_email | mandatory }} template = /etc/log2mail/mail diff --git a/squid/templates/logrotate.j2 b/squid/templates/logrotate.j2 index 118e837b..12597d7b 100644 --- a/squid/templates/logrotate.j2 +++ b/squid/templates/logrotate.j2 @@ -1,4 +1,4 @@ -/var/log/{{ squid_daemoname }}/*.log { +/var/log/{{ squid_daemon_name }}/*.log { monthly compress rotate 12 @@ -6,6 +6,6 @@ create 640 proxy adm sharedscripts postrotate - test ! -e /var/run/{{ squid_daemoname }}.pid || /usr/sbin/{{ squid_daemoname }} -k rotate + test ! -e /var/run/{{ squid_daemon_name }}.pid || /usr/sbin/{{ squid_daemon_name }} -k rotate endscript } From c44896d4335e807f828bf66b4e67f195242beddd Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 14 Sep 2017 09:19:00 +0200 Subject: [PATCH 256/277] squid: consistent version switch --- squid/tasks/main.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/squid/tasks/main.yml b/squid/tasks/main.yml index 9a6e0469..0557b6b5 100644 --- a/squid/tasks/main.yml +++ b/squid/tasks/main.yml @@ -5,10 +5,10 @@ when: - ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<') -- name: "Set squid name (jessie)" +- name: "Set squid name (Debian 8)" set_fact: squid_daemon_name: squid3 - when: ansible_distribution_release == "jessie" + when: ansible_distribution_major_version == "8" - name: "Set squid name (Debian 9 or later)" set_fact: @@ -29,19 +29,19 @@ dest: /etc/default/squid when: ansible_distribution_major_version | version_compare('9', '>=') -- name: "squid.conf is present (jessie)" +- name: "squid.conf is present (Debian 8)" template: src: squid.conf.j2 dest: /etc/squid3/squid.conf notify: "restart squid3" - when: ansible_distribution_release == "jessie" + when: ansible_distribution_major_version == "8" -- name: "evolix whitelist is present (jessie)" +- name: "evolix whitelist is present (Debian 8)" copy: src: whitelist-evolinux.conf dest: /etc/squid3/whitelist.conf notify: "reload squid3" - when: ansible_distribution_release == "jessie" + when: ansible_distribution_major_version == "8" - name: "evolinux custom squid file (Debian 9 or later)" copy: From b4cf781dd1760cf741cb9dc72a604d631a8c9a8b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 14 Sep 2017 09:19:15 +0200 Subject: [PATCH 257/277] squid: append whitelist for Debian 8 too --- squid/tasks/main.yml | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/squid/tasks/main.yml b/squid/tasks/main.yml index 0557b6b5..1f82804e 100644 --- a/squid/tasks/main.yml +++ b/squid/tasks/main.yml @@ -113,7 +113,17 @@ force: no when: squid_localproxy_enable == False and ansible_distribution_major_version | version_compare('9', '>=') -- name: add some URL in whitelist +- name: add some URL in whitelist (Debian 8) + lineinfile: + insertafter: EOF + dest: /etc/squid3/whitelist.conf + line: "{{ item }}" + state: present + with_items: '{{ squid_whitelist_items }}' + notify: "reload squid3" + when: ansible_distribution_major_version == '8' + +- name: add some URL in whitelist (Debian 9 or later) lineinfile: insertafter: EOF dest: /etc/squid/evolinux-whitelist-custom.conf From 82fda57cdbcff49a6ad6c7b8f5deb707efd9859f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 14 Sep 2017 09:29:22 +0200 Subject: [PATCH 258/277] squid: don't overwrite whitelist for Debian 8 --- squid/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/squid/tasks/main.yml b/squid/tasks/main.yml index 1f82804e..e71f6fb6 100644 --- a/squid/tasks/main.yml +++ b/squid/tasks/main.yml @@ -40,6 +40,7 @@ copy: src: whitelist-evolinux.conf dest: /etc/squid3/whitelist.conf + force: no notify: "reload squid3" when: ansible_distribution_major_version == "8" From 3a9b95cedc257618b019f2c3c9a4dece7889d86c Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 14 Sep 2017 14:26:00 +0200 Subject: [PATCH 259/277] evolinux-base: fallback with warning for ssh without addresses --- evolinux-base/tasks/ssh.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/evolinux-base/tasks/ssh.yml b/evolinux-base/tasks/ssh.yml index c455cafb..2b7273b5 100644 --- a/evolinux-base/tasks/ssh.yml +++ b/evolinux-base/tasks/ssh.yml @@ -1,7 +1,6 @@ --- - -- fail: - msg: You must provide at least 1 ssh trusted IP +- debug: + msg: "Warning: empty 'evolinux_ssh_password_auth_addresses' variable, tasks will be skipped!" when: evolinux_ssh_password_auth_addresses == [] - name: Security directives for Evolinux @@ -16,6 +15,7 @@ insertafter: EOF validate: '/usr/sbin/sshd -T -f %s' notify: reload sshd + when: not evolinux_ssh_password_auth_addresses == [] # - name: verify Match Address directive # command: "grep 'Match Address' /etc/ssh/sshd_config" From 685282bf93edabaf6a1162b1afcc9848f91c366b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 14 Sep 2017 14:26:44 +0200 Subject: [PATCH 260/277] minifirewall: fallback when no trusted ip is provided --- minifirewall/defaults/main.yml | 2 +- minifirewall/tasks/config.yml | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/minifirewall/defaults/main.yml b/minifirewall/defaults/main.yml index 94bd3cb4..69e1e8fe 100644 --- a/minifirewall/defaults/main.yml +++ b/minifirewall/defaults/main.yml @@ -6,7 +6,7 @@ minifirewall_checkout_path: "/tmp/minifirewall" minifirewall_int: "{{ ansible_default_ipv4.interface }}" minifirewall_ipv6: "on" minifirewall_intlan: "{{ ansible_default_ipv4.address }}/32" -minifirewall_trusted_ips: [] +minifirewall_trusted_ips: ["0.0.0.0/0"] minifirewall_privilegied_ips: [] minifirewall_protected_ports_tcp: [22] diff --git a/minifirewall/tasks/config.yml b/minifirewall/tasks/config.yml index 0d91945f..80acf5d0 100644 --- a/minifirewall/tasks/config.yml +++ b/minifirewall/tasks/config.yml @@ -28,6 +28,9 @@ - fail: msg: You must provide at least 1 trusted IP when: minifirewall_trusted_ips == [] +- debug: + msg: "Warning: minifirewall_trusted_ips='0.0.0.0/0', the firewall is useless!" + when: minifirewall_trusted_ips == ["0.0.0.0/0"] - name: Configure IP addresses blockinfile: From dbbd0e1783d9cc126676f15064c1e953fa7da84a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beno=C3=AEt=2ES?= Date: Thu, 14 Sep 2017 15:19:26 +0200 Subject: [PATCH 261/277] Patch MySQL 5.5.53, set secure-file-priv to empty value. Why? Because we want to do SELECT INTO OUTFILE. --- mysql/files/evolinux-defaults.cnf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/mysql/files/evolinux-defaults.cnf b/mysql/files/evolinux-defaults.cnf index 9e3f87d4..579d68fc 100644 --- a/mysql/files/evolinux-defaults.cnf +++ b/mysql/files/evolinux-defaults.cnf @@ -57,3 +57,5 @@ innodb_thread_concurrency = 16 # charset utf8 par defaut character-set-server=utf8 collation-server=utf8_general_ci +# Patch MySQL 5.5.53 +secure-file-priv = "" From 76dda6200197a676eec848022b519f10737497da Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Thu, 14 Sep 2017 19:09:22 +0200 Subject: [PATCH 262/277] remove interface ignore wildcard because it breaks ntp sync with external servers --- ntpd/defaults/main.yml | 1 - ntpd/templates/ntp.conf.j2 | 6 ------ 2 files changed, 7 deletions(-) diff --git a/ntpd/defaults/main.yml b/ntpd/defaults/main.yml index 380bd0e7..61a0846f 100644 --- a/ntpd/defaults/main.yml +++ b/ntpd/defaults/main.yml @@ -1,5 +1,4 @@ --- -ntpd_only_local: True ntpd_servers: - 'ntp.evolix.net' ntpd_acls: diff --git a/ntpd/templates/ntp.conf.j2 b/ntpd/templates/ntp.conf.j2 index 272bb43c..e57dad33 100644 --- a/ntpd/templates/ntp.conf.j2 +++ b/ntpd/templates/ntp.conf.j2 @@ -2,11 +2,6 @@ driftfile /var/lib/ntp/ntp.drift -{% if ntpd_only_local is defined and ntpd_only_local %} -# Only listen on 127.0.0.1 and ::1 -interface ignore wildcard - -{% endif %} # Enable this if you want statistics to be logged. #statsdir /var/log/ntpstats/ @@ -23,7 +18,6 @@ filegen clockstats file clockstats type day enable # pool: #server pool.ntp.org - {% for server in ntpd_servers %} server {{ server }} {% endfor %} From 3882a366e4f4edd301d30e8a29b7c43979d01765 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Thu, 14 Sep 2017 19:13:59 +0200 Subject: [PATCH 263/277] Revert "squid: consistent version switch" because we use == jessie everywhere This reverts commit c44896d4335e807f828bf66b4e67f195242beddd. --- squid/tasks/main.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/squid/tasks/main.yml b/squid/tasks/main.yml index e71f6fb6..7c080b44 100644 --- a/squid/tasks/main.yml +++ b/squid/tasks/main.yml @@ -5,10 +5,10 @@ when: - ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<') -- name: "Set squid name (Debian 8)" +- name: "Set squid name (jessie)" set_fact: squid_daemon_name: squid3 - when: ansible_distribution_major_version == "8" + when: ansible_distribution_release == "jessie" - name: "Set squid name (Debian 9 or later)" set_fact: @@ -29,20 +29,20 @@ dest: /etc/default/squid when: ansible_distribution_major_version | version_compare('9', '>=') -- name: "squid.conf is present (Debian 8)" +- name: "squid.conf is present (jessie)" template: src: squid.conf.j2 dest: /etc/squid3/squid.conf notify: "restart squid3" - when: ansible_distribution_major_version == "8" + when: ansible_distribution_release == "jessie" -- name: "evolix whitelist is present (Debian 8)" +- name: "evolix whitelist is present (jessie)" copy: src: whitelist-evolinux.conf dest: /etc/squid3/whitelist.conf force: no notify: "reload squid3" - when: ansible_distribution_major_version == "8" + when: ansible_distribution_release == "jessie" - name: "evolinux custom squid file (Debian 9 or later)" copy: From 139a27383d43ab6111ab03ffb8c43d0d6a4431c6 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Thu, 14 Sep 2017 19:30:59 +0200 Subject: [PATCH 264/277] Use /etc/systemd/system/*.service.d/evolinux.conf and fix systemd unit --- varnish/tasks/main.yml | 4 ++-- varnish/templates/varnish.conf.j2 | 2 -- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/varnish/tasks/main.yml b/varnish/tasks/main.yml index 798f7aec..ffd80889 100644 --- a/varnish/tasks/main.yml +++ b/varnish/tasks/main.yml @@ -34,10 +34,10 @@ tags: - varnish -- name: Modify Varnish configuration files +- name: Override Varnish systemd unit template: src: varnish.conf.j2 - dest: /etc/systemd/system/varnish.service.d/varnish.conf + dest: /etc/systemd/system/varnish.service.d/evolinux.conf force: yes notify: reload systemd tags: diff --git a/varnish/templates/varnish.conf.j2 b/varnish/templates/varnish.conf.j2 index a60462e2..275e8909 100644 --- a/varnish/templates/varnish.conf.j2 +++ b/varnish/templates/varnish.conf.j2 @@ -1,7 +1,5 @@ # {{ ansible_managed }} [Service] -ExecStart= ExecStart=/usr/sbin/varnishd -a {{ varnish_addresses | join(',') }} -T {{ varnish_management_address }} -f {{ varnish_config_file }} -S {{ varnish_secret_file }} -s {{ varnish_storage }} -p thread_pools={{ varnish_thread_pools }} -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} -p thread_pool_min={{ varnish_thread_pool_min }} -p thread_pool_max={{ varnish_thread_pool_max }} -ExecReload= ExecReload=/etc/varnish/reload-vcl.sh From ba7c7e09271f04635e0eaa1309fec115e2e5e13d Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Thu, 14 Sep 2017 19:32:24 +0200 Subject: [PATCH 265/277] add systemd override for MariaDB --- mysql/tasks/config_stretch.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/mysql/tasks/config_stretch.yml b/mysql/tasks/config_stretch.yml index a937c03d..bc26f13d 100644 --- a/mysql/tasks/config_stretch.yml +++ b/mysql/tasks/config_stretch.yml @@ -20,3 +20,15 @@ force: no tags: - mysql + +- name: Create a system config directory for systemd overrides + file: + path: /etc/systemd/system/mariadb.service.d + state: directory + +- name: Override MariaDB systemd unit + template: + src: mariadb.systemd.j2 + dest: /etc/systemd/system/mariadb.service.d/evolinux.conf + force: yes + notify: reload systemd From 8e4d7e484a76bf9f05fe7e268908e538af7496bf Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Thu, 14 Sep 2017 19:34:04 +0200 Subject: [PATCH 266/277] wording --- mysql/tasks/config_jessie.yml | 4 ++-- mysql/tasks/config_stretch.yml | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/mysql/tasks/config_jessie.yml b/mysql/tasks/config_jessie.yml index fbd85f01..7676615f 100644 --- a/mysql/tasks/config_jessie.yml +++ b/mysql/tasks/config_jessie.yml @@ -1,5 +1,5 @@ --- -- name: Copy MySQL defaults config file +- name: "Copy MySQL defaults config file (jessie)" copy: src: evolinux-defaults.cnf dest: /etc/mysql/conf.d/z-evolinux-defaults.cnf @@ -10,7 +10,7 @@ tags: - mysql -- name: Copy MySQL custom config file +- name: "Copy MySQL custom config file (jessie)" template: src: evolinux-custom.cnf.j2 dest: /etc/mysql/conf.d/zzz-evolinux-custom.cnf diff --git a/mysql/tasks/config_stretch.yml b/mysql/tasks/config_stretch.yml index bc26f13d..4a01a933 100644 --- a/mysql/tasks/config_stretch.yml +++ b/mysql/tasks/config_stretch.yml @@ -1,5 +1,5 @@ --- -- name: Copy MySQL defaults config file +- name: "Copy MySQL defaults config file (Debian 9 or later)" copy: src: evolinux-defaults.cnf dest: /etc/mysql/mariadb.conf.d/z-evolinux-defaults.cnf @@ -10,7 +10,7 @@ tags: - mysql -- name: Copy MySQL custom config file +- name: "Copy MySQL custom config file (Debian 9 or later)" template: src: evolinux-custom.cnf.j2 dest: /etc/mysql/mariadb.conf.d/zzz-evolinux-custom.cnf @@ -21,12 +21,12 @@ tags: - mysql -- name: Create a system config directory for systemd overrides +- name: "Create a system config directory for systemd overrides (Debian 9 or later)" file: path: /etc/systemd/system/mariadb.service.d state: directory -- name: Override MariaDB systemd unit +- name: "Override MariaDB systemd unit (Debian 9 or later)" template: src: mariadb.systemd.j2 dest: /etc/systemd/system/mariadb.service.d/evolinux.conf From 0e89d5ea566e7fcde76bf0d636b3ebb90dcfa023 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Thu, 14 Sep 2017 22:04:33 +0200 Subject: [PATCH 267/277] Add files for MariaDB --- mysql/tasks/handlers/main.yml | 3 +++ mysql/templates/mariadb.systemd.j2 | 4 ++++ 2 files changed, 7 insertions(+) create mode 100644 mysql/tasks/handlers/main.yml create mode 100644 mysql/templates/mariadb.systemd.j2 diff --git a/mysql/tasks/handlers/main.yml b/mysql/tasks/handlers/main.yml new file mode 100644 index 00000000..10f5cdae --- /dev/null +++ b/mysql/tasks/handlers/main.yml @@ -0,0 +1,3 @@ +-- +- name: reload systemd + command: systemctl daemon-reload diff --git a/mysql/templates/mariadb.systemd.j2 b/mysql/templates/mariadb.systemd.j2 new file mode 100644 index 00000000..44f1f6e8 --- /dev/null +++ b/mysql/templates/mariadb.systemd.j2 @@ -0,0 +1,4 @@ +# {{ ansible_managed }} + +[Service] +ProtectHome=false From b41c4f15679f4b2dda7ac5869be30844a0aa8ca0 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 15 Sep 2017 11:30:08 +0200 Subject: [PATCH 268/277] mysql: custom config file must be world readable --- mysql/tasks/config_jessie.yml | 2 +- mysql/tasks/config_stretch.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/mysql/tasks/config_jessie.yml b/mysql/tasks/config_jessie.yml index 7676615f..dcb83a61 100644 --- a/mysql/tasks/config_jessie.yml +++ b/mysql/tasks/config_jessie.yml @@ -16,7 +16,7 @@ dest: /etc/mysql/conf.d/zzz-evolinux-custom.cnf owner: root group: root - mode: "0640" + mode: "0644" force: no tags: - mysql diff --git a/mysql/tasks/config_stretch.yml b/mysql/tasks/config_stretch.yml index 4a01a933..22b2d312 100644 --- a/mysql/tasks/config_stretch.yml +++ b/mysql/tasks/config_stretch.yml @@ -16,7 +16,7 @@ dest: /etc/mysql/mariadb.conf.d/zzz-evolinux-custom.cnf owner: root group: root - mode: "0640" + mode: "0644" force: no tags: - mysql From accce99e058e9b6b553025d856a7c9a707bb238f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 15 Sep 2017 11:30:33 +0200 Subject: [PATCH 269/277] mysql: fix slow_log config --- mysql/files/evolinux-defaults.cnf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/mysql/files/evolinux-defaults.cnf b/mysql/files/evolinux-defaults.cnf index 579d68fc..395ccac4 100644 --- a/mysql/files/evolinux-defaults.cnf +++ b/mysql/files/evolinux-defaults.cnf @@ -8,7 +8,8 @@ back_log = 100 # Maximum d'erreurs avant de blacklister un hote max_connect_errors = 10 # Loguer les requetes trop longues -slow_query_log = /var/log/mysql/mysql-slow.log +slow_query_log = 1 +slow_query_log_file = /var/log/mysql/mysql-slow.log long_query_time = 10 ###### Tailles From 3207d837cbf475f69854e08181206075320277b3 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 15 Sep 2017 16:03:49 +0200 Subject: [PATCH 270/277] etc-git: better commit author composition --- etc-git/tasks/commit.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/etc-git/tasks/commit.yml b/etc-git/tasks/commit.yml index e83d85c6..c11b453c 100644 --- a/etc-git/tasks/commit.yml +++ b/etc-git/tasks/commit.yml @@ -24,12 +24,13 @@ register: git_config_user_email ignore_errors: yes -- name: set commit author +- name: "set commit author" set_fact: - etc_git_commit_options: "{ --author \"{{ ansible_env.SUDO_USER |default(\"root\")}} <{{ git_config_user_email.config_value |default(\"root@localhost\")}}>\"" + commit_author: '{% if ansible_env.SUDO_USER == "" %}root{% else %}{{ ansible_env.SUDO_USER }}{% endif %}' + commit_email: '{% if git_config_user_email.config_value == "" %}root@localhost{% else %}{{ git_config_user_email.config_value }}{% endif %}' -- name: /etc modifications are committed - shell: "git add -A . && git commit -m \"{{ commit_message | mandatory }}\"{{ etc_git_commit_options }}" +- name: "/etc modifications are committed" + shell: "git add -A . && git commit -m \"{{ commit_message | mandatory }}\" --author \"{{ commit_author | mandatory }} <{{ commit_email | mandatory }}>\"" args: chdir: /etc register: etc_commit_end_run From d96e2ea5bf48d147336d8efccf3e2beccc3a8cd7 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Mon, 18 Sep 2017 15:02:20 +0200 Subject: [PATCH 271/277] evoacme: renew certs 30 days before expiration by default --- evoacme/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evoacme/defaults/main.yml b/evoacme/defaults/main.yml index 0cdffca9..4194b5aa 100644 --- a/evoacme/defaults/main.yml +++ b/evoacme/defaults/main.yml @@ -6,7 +6,7 @@ evoacme_acme_dir: /var/lib/letsencrypt evoacme_csr_dir: /etc/ssl/requests evoacme_crt_dir: /etc/letsencrypt evoacme_log_dir: /var/log/evoacme -evoacme_ssl_minday: 15 +evoacme_ssl_minday: 30 evoacme_ssl_ct: 'FR' evoacme_ssl_state: 'France' evoacme_ssl_loc: 'Marseille' From a5e76c5248fe4884ea6b9fbc0f200df7f0e260be Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Mon, 18 Sep 2017 21:46:27 +0200 Subject: [PATCH 272/277] Fix error in handlers filename. --- mysql/handlers/main.yml | 4 ++++ mysql/tasks/handlers/main.yml | 3 --- 2 files changed, 4 insertions(+), 3 deletions(-) delete mode 100644 mysql/tasks/handlers/main.yml diff --git a/mysql/handlers/main.yml b/mysql/handlers/main.yml index 35d5b5bf..80375330 100644 --- a/mysql/handlers/main.yml +++ b/mysql/handlers/main.yml @@ -13,3 +13,7 @@ service: name: mysql state: restarted + +- name: reload systemd + command: systemctl daemon-reload + diff --git a/mysql/tasks/handlers/main.yml b/mysql/tasks/handlers/main.yml deleted file mode 100644 index 10f5cdae..00000000 --- a/mysql/tasks/handlers/main.yml +++ /dev/null @@ -1,3 +0,0 @@ --- -- name: reload systemd - command: systemctl daemon-reload From 7f9399964bdb7a4be7632ea9a1cccf2655ee8b5e Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Mon, 18 Sep 2017 22:36:14 +0200 Subject: [PATCH 273/277] we need www-evoadmin user in Debian 9 --- webapps/evoadmin-web/tasks/user.yml | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/webapps/evoadmin-web/tasks/user.yml b/webapps/evoadmin-web/tasks/user.yml index 377f7f60..c5e5a35b 100644 --- a/webapps/evoadmin-web/tasks/user.yml +++ b/webapps/evoadmin-web/tasks/user.yml @@ -12,6 +12,18 @@ name: www-evoadmin state: present +- name: "Create www-evoadmin and add to group shadow (jessie)" + user: + name: www-evoadmin + groups: shadow + append: yes + when: ansible_distribution_release == "jessie" + +- name: "Create www-evoadmin (Debian 9 or later)" + user: + name: www-evoadmin + when: ansible_distribution_major_version | version_compare('9', '>=') + - name: Install Git apt: name: git @@ -61,13 +73,6 @@ with_items: - "{{ evoadmin_home_dir}}/www" -- name: "Add www-evoadmin to group shadow (jessie)" - user: - name: www-evoadmin - groups: shadow - append: yes - when: ansible_distribution_release == "jessie" - - name: Add evoadmin sudoers file template: src: sudoers.j2 From a9278c0d70e144ccf398b636c36d2c849c45c744 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 19 Sep 2017 09:36:59 +0200 Subject: [PATCH 274/277] haproxy: add a Nagios check --- haproxy/files/check_haproxy_stats.pl | 282 +++++++++++++++++++++++++++ haproxy/tasks/main.yml | 2 + haproxy/tasks/nagios.yml | 20 ++ 3 files changed, 304 insertions(+) create mode 100644 haproxy/files/check_haproxy_stats.pl create mode 100644 haproxy/tasks/nagios.yml diff --git a/haproxy/files/check_haproxy_stats.pl b/haproxy/files/check_haproxy_stats.pl new file mode 100644 index 00000000..14d4fa45 --- /dev/null +++ b/haproxy/files/check_haproxy_stats.pl @@ -0,0 +1,282 @@ +#!/usr/bin/env perl +# vim: se et ts=4: + +# +# Copyright (C) 2012, Giacomo Montagner +# 2015, Yann Fertat, Romain Dessort, Jeff Palmer, +# Christophe Drevet-Droguet +# +# This program is free software; you can redistribute it and/or modify it +# under the same terms as Perl 5.10.1. +# For more details, see http://dev.perl.org/licenses/artistic.html +# +# This program is distributed in the hope that it will be +# useful, but without any warranty; without even the implied +# warranty of merchantability or fitness for a particular purpose. +# + +our $VERSION = "1.1.1"; + +open(STDERR, ">&STDOUT"); + +# CHANGELOG: +# 1.0.0 - first release +# 1.0.1 - fixed empty message if all proxies are OK +# 1.0.2 - add perfdata +# 1.0.3 - redirect stderr to stdout +# 1.0.4 - fix undef vars +# 1.0.5 - fix thresholds +# 1.1.0 - support for HTTP interface +# 1.1.1 - drop perl 5.10 requirement + +use strict; +use warnings; +use File::Basename qw/basename/; +use IO::Socket::UNIX; +use Getopt::Long; +my $lwp = eval { + require LWP::Simple; + LWP::Simple->import; + 1; +}; + +sub usage { + my $me = basename $0; + print <. + $me is distributed under GPL and the Artistic License 2.0 +SEE ALSO + Check out online haproxy documentation at +EOU +} + +my %check_statuses = ( + UNK => "unknown", + INI => "initializing", + SOCKERR => "socket error", + L4OK => "layer 4 check OK", + L4CON => "connection error", + L4TMOUT => "layer 1-4 timeout", + L6OK => "layer 6 check OK", + L6TOUT => "layer 6 (SSL) timeout", + L6RSP => "layer 6 protocol error", + L7OK => "layer 7 check OK", + L7OKC => "layer 7 conditionally OK", + L7TOUT => "layer 7 (HTTP/SMTP) timeout", + L7RSP => "layer 7 protocol error", + L7STS => "layer 7 status error", +); + +my @status_names = (qw/OK WARNING CRITICAL UNKNOWN/); + +# Defaults +my $swarn = 80.0; +my $scrit = 90.0; +my $sock = "/var/run/haproxy.sock"; +my $url; +my $user = ''; +my $pass = ''; +my $dump; +my $ignore_maint; +my $proxy; +my $no_proxy; +my $help; + +# Read command line +Getopt::Long::Configure ("bundling"); +GetOptions ( + "c|critical=i" => \$scrit, + "d|dump" => \$dump, + "h|help" => \$help, + "m|ignore-maint" => \$ignore_maint, + "p|proxy=s" => \$proxy, + "P|no-proxy=s" => \$no_proxy, + "s|sock|socket=s" => \$sock, + "U|url=s" => \$url, + "u|user|username=s" => \$user, + "x|pass|password=s" => \$pass, + "w|warning=i" => \$swarn, +); + +# Want help? +if ($help) { + usage; + exit 3; +} + +my $haproxy; +if ($url and $lwp) { + my $geturl = $url; + if ($user ne '') { + $url =~ /^([^:]*:\/\/)(.*)/; + $geturl = $1.$user.':'.$pass.'@'.$2; + } + $geturl .= ';csv'; + $haproxy = get($geturl); +} elsif ($url) { + my $haproxyio; + my $getcmd = "curl --insecure -s --fail " + . "--user '$user:$pass' '".$url.";csv'"; + open $haproxyio, "-|", $getcmd; + while (<$haproxyio>) { + $haproxy .= $_; + } + close($haproxyio); +} else { + # Connect to haproxy socket and get stats + my $haproxyio = new IO::Socket::UNIX ( + Peer => $sock, + Type => SOCK_STREAM, + ); + die "Unable to connect to haproxy socket: $sock\n$@" unless $haproxyio; + print $haproxyio "show stat\n" or die "Print to socket failed: $!"; + $haproxy = ''; + while (<$haproxyio>) { + $haproxy .= $_; + } + close($haproxyio); +} + +# Dump stats and exit if requested +if ($dump) { + print($haproxy); + exit 0; +} + +# Get labels from first output line and map them to their position in the line +my @hastats = ( split /\n/, $haproxy ); +my $labels = $hastats[0]; +die "Unable to retrieve haproxy stats" unless $labels; +chomp($labels); +$labels =~ s/^# // or die "Data format not supported."; +my @labels = split /,/, $labels; +{ + no strict "refs"; + my $idx = 0; + map { $$_ = $idx++ } @labels; +} + +# Variables I will use from here on: +our $pxname; +our $svname; +our $status; +our $slim; +our $scur; + +my @proxies = split ',', $proxy if $proxy; +my @no_proxies = split ',', $no_proxy if $no_proxy; +my $exitcode = 0; +my $msg; +my $checked = 0; +my $perfdata = ""; + +# Remove excluded proxies from the list if both -p and -P options are +# specified. +my %hash; +@hash{@no_proxies} = undef; +@proxies = grep{ not exists $hash{$_} } @proxies; + +foreach (@hastats) { + chomp; + next if /^#/; + next if /^[[:space:]]*$/; + my @data = split /,/, $_; + if (@proxies) { next unless grep {$data[$pxname] eq $_} @proxies; }; + if (@no_proxies) { next if grep {$data[$pxname] eq $_} @no_proxies; }; + + # Is session limit enforced? + if ($data[$slim]) { + $perfdata .= sprintf "%s-%s=%u;%u;%u;0;%u;", $data[$pxname], $data[$svname], $data[$scur], $swarn * $data[$slim] / 100, $scrit * $data[$slim] / 100, $data[$slim]; + + # Check current session # against limit + my $sratio = $data[$scur]/$data[$slim]; + if ($sratio >= $scrit / 100 || $sratio >= $swarn / 100) { + $exitcode = $sratio >= $scrit / 100 ? 2 : + $exitcode < 2 ? 1 : $exitcode; + $msg .= sprintf "%s:%s sessions: %.2f%%; ", $data[$pxname], $data[$svname], $sratio * 100; + } + } + + # Check of BACKENDS + if ($data[$svname] eq 'BACKEND') { + if ($data[$status] ne 'UP') { + $msg .= sprintf "BACKEND: %s is %s; ", $data[$pxname], $data[$status]; + $exitcode = 2; + } + # Check of FRONTENDS + } elsif ($data[$svname] eq 'FRONTEND') { + if ($data[$status] ne 'OPEN') { + $msg .= sprintf "FRONTEND: %s is %s; ", $data[$pxname], $data[$status]; + $exitcode = 2; + } + # Check of servers + } else { + if ($data[$status] ne 'UP') { + next if ($ignore_maint && $data[$status] eq 'MAINT'); + next if $data[$status] eq 'no check'; # Ignore server if no check is configured to be run + next if $data[$svname] eq 'sock-1'; + $exitcode = 2; + our $check_status; + $msg .= sprintf "server: %s:%s is %s", $data[$pxname], $data[$svname], $data[$status]; + $msg .= sprintf " (check status: %s)", $check_statuses{$data[$check_status]} if $check_statuses{$data[$check_status]}; + $msg .= "; "; + } + } + ++$checked; +} + +unless ($msg) { + $msg = @proxies ? sprintf("checked proxies: %s", join ', ', sort @proxies) : "checked $checked proxies."; +} +print "Check haproxy $status_names[$exitcode] - $msg|$perfdata\n"; +exit $exitcode; diff --git a/haproxy/tasks/main.yml b/haproxy/tasks/main.yml index 43e3c4b5..054aec1a 100644 --- a/haproxy/tasks/main.yml +++ b/haproxy/tasks/main.yml @@ -32,3 +32,5 @@ tags: - haproxy - config + +- include: nagios.yml diff --git a/haproxy/tasks/nagios.yml b/haproxy/tasks/nagios.yml new file mode 100644 index 00000000..eff711ac --- /dev/null +++ b/haproxy/tasks/nagios.yml @@ -0,0 +1,20 @@ +--- + +- name: "Install check_haproxy_stats script" + copy: + src: check_haproxy_stats.pl + dest: /usr/local/lib/nagios/plugins/check_haproxy_stats.pl + mode: "0755" + tags: + - haproxy + - nrpe + +- name: "Add check_haproxy to sudoers" + lineinfile: + dest: /etc/sudoers.d/evolinux + line: 'nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_haproxy_stats.pl' + insertafter: '^nagios' + tags: + - haproxy + - nrpe + - sudo From c430fa3485472894eca3497a1a4de211e0ed0149 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 19 Sep 2017 10:29:38 +0200 Subject: [PATCH 275/277] php: install php5/php package after fpm/libapache2-mod-php Because apt dependency always install libapache2-mod-php if neither is present --- php/tasks/apache.yml | 2 ++ php/tasks/fpm.yml | 2 ++ php/tasks/php_jessie.yml | 1 - php/tasks/php_stretch.yml | 1 - 4 files changed, 4 insertions(+), 2 deletions(-) diff --git a/php/tasks/apache.yml b/php/tasks/apache.yml index 179eb1fc..df352848 100644 --- a/php/tasks/apache.yml +++ b/php/tasks/apache.yml @@ -6,6 +6,7 @@ state: present with_items: - libapache2-mod-php5 + - php5 when: ansible_distribution_release == "jessie" - name: "Install mod_php packages (Debian 9 or later)" @@ -14,6 +15,7 @@ state: present with_items: - libapache2-mod-php + - php when: ansible_distribution_major_version | version_compare('9', '>=') - name: "Set php.ini config for apache2 (jessie)" diff --git a/php/tasks/fpm.yml b/php/tasks/fpm.yml index 6c31ff5f..06dc4202 100644 --- a/php/tasks/fpm.yml +++ b/php/tasks/fpm.yml @@ -6,6 +6,7 @@ state: present with_items: - php5-fpm + - php5 when: ansible_distribution_release == "jessie" - name: "Install PHP FPM packages (Debian 9 or later)" @@ -14,6 +15,7 @@ state: present with_items: - php-fpm + - php when: ansible_distribution_major_version | version_compare('9', '>=') - name: "Set config files for FPM (jessie)" diff --git a/php/tasks/php_jessie.yml b/php/tasks/php_jessie.yml index 62e68aa8..12f3a4f8 100644 --- a/php/tasks/php_jessie.yml +++ b/php/tasks/php_jessie.yml @@ -5,7 +5,6 @@ name: '{{ item }}' state: present with_items: - - php5 - php5-cli - php5-gd - php5-imap diff --git a/php/tasks/php_stretch.yml b/php/tasks/php_stretch.yml index d566ab23..4ed4c8b5 100644 --- a/php/tasks/php_stretch.yml +++ b/php/tasks/php_stretch.yml @@ -5,7 +5,6 @@ name: '{{ item }}' state: present with_items: - - php - php-cli - php-gd - php-imap From 248f550a7fed05f2d3558af38783453e68e14f0f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 20 Sep 2017 10:30:24 +0200 Subject: [PATCH 276/277] Squid: restart minifirewall if needed --- squid/handlers/main.yml | 3 +++ squid/tasks/minifirewall.yml | 4 ++++ 2 files changed, 7 insertions(+) diff --git a/squid/handlers/main.yml b/squid/handlers/main.yml index 8173d655..4f5329b9 100644 --- a/squid/handlers/main.yml +++ b/squid/handlers/main.yml @@ -28,3 +28,6 @@ service: name: log2mail state: restarted + +- name: restart minifirewall + command: /etc/init.d/minifirewall restart diff --git a/squid/tasks/minifirewall.yml b/squid/tasks/minifirewall.yml index 7f8217b0..5eea7675 100644 --- a/squid/tasks/minifirewall.yml +++ b/squid/tasks/minifirewall.yml @@ -11,12 +11,14 @@ dest: /etc/default/minifirewall regexp: "^(HTTPSITES='[^0-9])" replace: '#\1' + notify: restart minifirewall - name: all HTTPSITES are authorized in minifirewall lineinfile: dest: /etc/default/minifirewall line: "HTTPSITES='0.0.0.0/0'" insertafter: "^#HTTPSITES=" + notify: restart minifirewall - name: add iptables rules for the proxy lineinfile: @@ -29,10 +31,12 @@ - "/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -d {{ squid_address }} -j ACCEPT" - "/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.0/8 -j ACCEPT" - "/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 8888" + notify: restart minifirewall - name: remove minifirewall example rule for the proxy lineinfile: dest: /etc/default/minifirewall regexp: '^#.*(-t nat).*(-d X\.X\.X\.X)' state: absent + notify: restart minifirewall when: minifirewall_test.stat.exists From 95c34c5d88208617b9f4dbe1b4186728b30d0e95 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 20 Sep 2017 11:33:27 +0200 Subject: [PATCH 277/277] MySQL: "REPLICATION CLIENT" privilege for nrpe --- mysql/tasks/nrpe.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/mysql/tasks/nrpe.yml b/mysql/tasks/nrpe.yml index be18a966..88765193 100644 --- a/mysql/tasks/nrpe.yml +++ b/mysql/tasks/nrpe.yml @@ -28,6 +28,7 @@ mysql_user: name: nrpe password: '{{ mysql_nrpe_password.stdout }}' + priv: "*.*:REPLICATION CLIENT" config_file: /root/.my.cnf update_password: always state: present