Merge branch 'unstable' into stable

stable 22.09
Jérémy Lecour 1 week ago committed by Jérémy Lecour
commit c3670ce897
  1. 16
      .Jenkinsfile
  2. 36
      .drone.yml
  3. 39
      CHANGELOG.md
  4. 355
      evocheck/files/evocheck.sh
  5. 7
      evocheck/tasks/main.yml
  6. 6
      evolinux-base/files/update-evobackup-canary
  7. 18
      evolinux-base/tasks/utils.yml
  8. 2
      evolinux-users/README.md
  9. 3
      evolinux-users/defaults/main.yml
  10. 4
      evolinux-users/tasks/main.yml
  11. 1
      evolinux-users/tasks/ssh.yml
  12. 4
      evolinux-users/tasks/sudo.yml
  13. 6
      fail2ban/files/dovecot-evolix.conf
  14. 8
      generate-ldif/templates/generateldif.sh.j2
  15. 2
      haproxy/templates/munin.conf.j2
  16. 2
      lxc-php/tasks/php74.yml
  17. 2
      lxc-php/tasks/php80.yml
  18. 2
      lxc-php/tasks/php81.yml
  19. 82
      memcached/files/check_memcached_instances.sh
  20. 17
      memcached/tasks/instance-default.yml
  21. 41
      memcached/tasks/instance-multi.yml
  22. 68
      memcached/tasks/main.yml
  23. 2
      memcached/tasks/munin.yml
  24. 29
      memcached/tasks/nrpe.yml
  25. 16
      minifirewall/handlers/main.yml
  26. 16
      minifirewall/tasks/config.legacy.yml
  27. 8
      minifirewall/tasks/config.yml
  28. 41
      minifirewall/tasks/main.yml
  29. 36
      minifirewall/tasks/tail.legacy.yml
  30. 36
      minifirewall/tasks/tail.yml
  31. 25
      munin/tasks/main.yml
  32. 31
      mysql/tasks/munin.yml
  33. 655
      nagios-nrpe/files/plugins/check_mongodb
  34. 69
      nagios-nrpe/files/plugins/check_ssl_local
  35. 3
      nagios-nrpe/templates/evolix.cfg.j2
  36. 54
      openvpn/tasks/debian.yml
  37. 46
      openvpn/tasks/openbsd.yml
  38. 4
      openvpn/templates/server.conf.j2
  39. 1
      php/tasks/main_bullseye.yml
  40. 2
      proftpd/README.md
  41. 4
      proftpd/defaults/main.yml
  42. 15
      proftpd/tasks/accounts.yml
  43. 20
      proftpd/tasks/main.yml
  44. 8
      proftpd/templates/evolinux.conf.j2
  45. 6
      proftpd/templates/ftps.conf.j2
  46. 14
      proftpd/templates/sftp.conf.j2
  47. 226
      rabbitmq/files/check_rabbitmq.python3
  48. 11
      rabbitmq/tasks/nrpe.yml
  49. 9
      redis/tasks/default-server.yml
  50. 12
      redis/tasks/instance-server.yml
  51. 2
      varnish/templates/varnish.conf.jessie.j2
  52. 13
      vrrpd/defaults/main.yml
  53. 20
      vrrpd/tasks/ip.yml
  54. 40
      vrrpd/tasks/main.yml
  55. 15
      vrrpd/templates/vrrp.service.j2
  56. 5
      webapps/nextcloud/defaults/main.yml
  57. 5
      webapps/nextcloud/handlers/main.yml
  58. 3
      webapps/nextcloud/meta/main.yml
  59. 33
      webapps/nextcloud/tasks/apache-system.yml
  60. 23
      webapps/nextcloud/tasks/apache-vhost.yml
  61. 12
      webapps/nextcloud/tasks/main.yml
  62. 0
      webapps/nextcloud/tasks/mysql-user.yml
  63. 16
      webapps/nextcloud/tasks/user.yml
  64. 34
      webapps/nextcloud/tasks/vhost.yml
  65. 41
      webapps/nextcloud/templates/apache-vhost.conf.j2
  66. 134
      webapps/nextcloud/templates/nginx.conf.j2
  67. 17
      webapps/nextcloud/templates/php-fpm.conf.j2

16
.Jenkinsfile vendored

@ -21,11 +21,11 @@ pipeline {
def major = versions[0]
def minor = versions[0] + '.' + versions[1]
def patch = version.trim()
/* No crendentials yet
im.push(major)
im.push(minor)
im.push(patch)
*/
docker.withRegistry('', 'hub.docker') {
im.push(major)
im.push(minor)
im.push(patch)
}
}
}
}
@ -40,9 +40,9 @@ pipeline {
im.inside {
sh 'echo Test needed'
}
/* No crendentials yet
im.push('latest')
*/
docker.withRegistry('', 'hub.docker') {
im.push('latest')
}
}
}
}
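Review bot: Both pushes now go to Docker Hub with nothing gating them: the `sh 'echo Test needed'` placeholder directly above the `latest` push means a build of that branch publishes `latest` without any test having run. The first argument of `docker.withRegistry('', 'hub.docker')` is the registry URL; leaving it empty relies on the plugin default, so spell it out as `docker.withRegistry('https://index.docker.io/v1/', 'hub.docker')` so the target registry is explicit in the file. The enclosing stages start and end outside both hunks, so a real test stage may exist elsewhere in the pipeline; if it does not, the push should at least be made conditional on one.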

@ -1,36 +0,0 @@
kind: pipeline
name: default
steps:
- name: build tagged docker image
image: plugins/docker
settings:
username:
from_secret: docker_username
password:
from_secret: docker_password
dockerfile: Dockerfile
repo: evolix/ansible-roles
auto_tag: true
environment:
ROLES_VERSION: $DRONE_COMMIT_SHA
when:
event:
- tag
- name: build latest docker image
image: plugins/docker
settings:
username:
from_secret: docker_username
password:
from_secret: docker_password
dockerfile: Dockerfile
repo: evolix/ansible-roles
tags: latest
environment:
ROLES_VERSION: $DRONE_COMMIT_SHA
when:
branch:
- unstable

@ -20,6 +20,45 @@ The **patch** part changes is incremented if multiple releases happen the same m
### Security
## [22.09] 2022-09-19
### Added
* evolinux_users: create only users who have a certain value for the `create` key (default: `always`).
* php: install php-xml with recent PHP versions
* vrrp: add an `ip.yml` task file to help create VRRP addresses
* webapps/nextcloud: Add compatibility with apache2, and apache2 mod_php.
* memcached: NRPE check for multi-instance setup
* munin: Add ipmi_ plugins on dedicated hardware
* proftpd: Add options to override configs (and add a warning if file was overriden)
* proftpd: Allow user auth with ssh keys
### Changed
* evocheck: upstream release 22.09
* evolinux-base: update-evobackup-canary upstream release 22.06
* generate-ldif: Support any MariaDB version
* minifirewall: use handlers to restart minifirewall
* openvpn: automate the initialization of the CA and the creation of the server certificate ; use openssl_dhparam module instead of a command
* generate-ldif: support any version of MariaDB (instead of only 10.0, 10.1 and 10.3)
* openvpn: Run OpenVPN with the \_openvpn user and group instead of nobody which is originally for NFS
* nagios-nrpe: Upgrade check_mongo
### Fixed
* fail2ban: fix dovecot-evolix regex syntax
* haproxy: make it so that munin doesn't break if there is a non default `haproxy_stats_path`
* mysql: Add missing Munin conf for Debian 11
* redis: config directory must be owned by the user that runs the service (to be able to write tmp config files in it)
* varnish: make `-j <jail_config>` the first argument on jessie/stretch as it has to be the first argument there.
* webapps/nextcloud: Add missing dependencies for imagick
### Removed
* evocheck: remove failure if deprecated variable is used
* webapps/nextcloud: Drop support for Nginx
## [22.07.1] 2022-07-28
### Changed

@ -1,10 +1,10 @@
#!/bin/bash
# EvoCheck
# Script to verify compliance of a Debian/OpenBSD server
# Script to verify compliance of a Linux (Debian) server
# powered by Evolix
VERSION="22.07"
VERSION="22.09"
readonly VERSION
# base functions
@ -30,7 +30,7 @@ END
}
show_help() {
cat <<END
evocheck is a script that verifies Evolix conventions on Debian/OpenBSD servers.
evocheck is a script that verifies Evolix conventions on Linux (Debian) servers.
Usage: evocheck
or evocheck --cron
@ -50,7 +50,6 @@ detect_os() {
# OS detection
DEBIAN_RELEASE=""
LSB_RELEASE_BIN=$(command -v lsb_release)
OPENBSD_RELEASE=""
if [ -e /etc/debian_version ]; then
DEBIAN_VERSION=$(cut -d "." -f 1 < /etc/debian_version)
@ -68,9 +67,6 @@ detect_os() {
12) DEBIAN_RELEASE="bookworm";;
esac
fi
elif [ "$(uname -s)" = "OpenBSD" ]; then
# use a better release name
OPENBSD_RELEASE=$(uname -r)
fi
}
@ -107,9 +103,6 @@ debian_release() {
debian_version() {
printf "%s" "${DEBIAN_VERSION}"
}
is_openbsd() {
test -n "${OPENBSD_RELEASE}"
}
is_pack_web(){
test -e /usr/share/scripts/web-add.sh || test -e /usr/share/scripts/evoadmin/web-add.sh
@ -582,8 +575,8 @@ check_autoif() {
interfaces=$(/sbin/ifconfig -s | tail -n +2 | grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap|vrrp)" | cut -d " " -f 1 |tr "\n" " ")
fi
for interface in $interfaces; do
if ! grep -q "^auto $interface" /etc/network/interfaces; then
failed "IS_AUTOIF" "Network interface \`${interface}' is not set to auto"
if grep -Rq "^iface $interface" /etc/network/interfaces* && ! grep -Rq "^auto $interface" /etc/network/interfaces*; then
failed "IS_AUTOIF" "Network interface \`${interface}' is statically defined but not set to auto"
test "${VERBOSE}" = 1 || break
fi
done
@ -1226,18 +1219,18 @@ check_usrsharescripts() {
check_sshpermitrootno() {
sshd_args="-C addr=,user=,host=,laddr=,lport=0"
if is_debian_jessie || is_debian_stretch; then
# Noop, we'll use the default $sshd_args
# Noop, we'll use the default $sshd_args
:
elif is_debian_buster; then
sshd_args="${sshd_args},rdomain="
sshd_args="${sshd_args},rdomain="
else
# NOTE: From Debian Bullseye 11 onward, with OpenSSH 8.1, the argument
# NOTE: From Debian Bullseye 11 onward, with OpenSSH 8.1, the argument
# -T doesn't require the additional -C.
sshd_args=
sshd_args=
fi
# shellcheck disable=SC2086
if ! (sshd -T ${sshd_args} | grep -q 'permitrootlogin no'); then
failed "IS_SSHPERMITROOTNO" "PermitRoot should be set to no"
if ! (sshd -T ${sshd_args} 2> /dev/null | grep -qi 'permitrootlogin no'); then
failed "IS_SSHPERMITROOTNO" "PermitRoot should be set to no"
fi
}
check_evomaintenanceusers() {
@ -1408,8 +1401,6 @@ download_versions() {
if is_debian; then
versions_url="https://upgrades.evolix.org/versions-${DEBIAN_RELEASE}"
elif is_openbsd; then
versions_url="https://upgrades.evolix.org/versions-${OPENBSD_RELEASE}"
else
failed "IS_CHECK_VERSIONS" "error determining os release"
fi
@ -1536,9 +1527,7 @@ main() {
main_output_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.main.XXXXX")
files_to_cleanup="${files_to_cleanup} ${main_output_file}"
#-----------------------------------------------------------
# Tests communs à tous les systèmes
#-----------------------------------------------------------
MINIFW_FILE=$(minifirewall_file)
test "${IS_TMP_1777:=1}" = 1 && check_tmp_1777
test "${IS_ROOT_0700:=1}" = 1 && check_root_0700
@ -1549,221 +1538,111 @@ main() {
test "${IS_EVOMAINTENANCECONF:=1}" = 1 && check_evomaintenanceconf
test "${IS_PRIVKEYWOLRDREADABLE:=1}" = 1 && check_privatekeyworldreadable
#-----------------------------------------------------------
# Vérifie si c'est une debian et fait les tests appropriés.
#-----------------------------------------------------------
if is_debian; then
MINIFW_FILE=$(minifirewall_file)
test "${IS_LSBRELEASE:=1}" = 1 && check_lsbrelease
test "${IS_DPKGWARNING:=1}" = 1 && check_dpkgwarning
test "${IS_UMASKSUDOERS:=1}" = 1 && check_umasksudoers
test "${IS_NRPEPOSTFIX:=1}" = 1 && check_nrpepostfix
test "${IS_MODSECURITY:=1}" = 1 && check_modsecurity
test "${IS_CUSTOMSUDOERS:=1}" = 1 && check_customsudoers
test "${IS_VARTMPFS:=1}" = 1 && check_vartmpfs
test "${IS_SERVEURBASE:=1}" = 1 && check_serveurbase
test "${IS_LOGROTATECONF:=1}" = 1 && check_logrotateconf
test "${IS_SYSLOGCONF:=1}" = 1 && check_syslogconf
test "${IS_DEBIANSECURITY:=1}" = 1 && check_debiansecurity
test "${IS_APTITUDEONLY:=1}" = 1 && check_aptitudeonly
test "${IS_APTITUDE:=1}" = 1 && check_aptitude
test "${IS_APTGETBAK:=1}" = 1 && check_aptgetbak
test "${IS_APTICRON:=0}" = 1 && check_apticron
test "${IS_USRRO:=1}" = 1 && check_usrro
test "${IS_TMPNOEXEC:=1}" = 1 && check_tmpnoexec
test "${IS_MOUNT_FSTAB:=1}" = 1 && check_mountfstab
test "${IS_LISTCHANGESCONF:=1}" = 1 && check_listchangesconf
test "${IS_CUSTOMCRONTAB:=1}" = 1 && check_customcrontab
test "${IS_SSHALLOWUSERS:=1}" = 1 && check_sshallowusers
test "${IS_DISKPERF:=0}" = 1 && check_diskperf
test "${IS_TMOUTPROFILE:=1}" = 1 && check_tmoutprofile
test "${IS_ALERT5BOOT:=1}" = 1 && check_alert5boot
test "${IS_ALERT5MINIFW:=1}" = 1 && check_alert5minifw
test "${IS_ALERT5MINIFW:=1}" = 1 && test "${IS_MINIFW:=1}" = 1 && check_minifw
test "${IS_NRPEPERMS:=1}" = 1 && check_nrpeperms
test "${IS_MINIFWPERMS:=1}" = 1 && check_minifwperms
# Enable when minifirewall is released
test "${IS_MINIFWINCLUDES:=0}" = 1 && check_minifw_includes
test "${IS_NRPEDISKS:=0}" = 1 && check_nrpedisks
test "${IS_NRPEPID:=1}" = 1 && check_nrpepid
test "${IS_GRSECPROCS:=1}" = 1 && check_grsecprocs
test "${IS_APACHEMUNIN:=1}" = 1 && check_apachemunin
test "${IS_MYSQLUTILS:=1}" = 1 && check_mysqlutils
test "${IS_RAIDSOFT:=1}" = 1 && check_raidsoft
test "${IS_AWSTATSLOGFORMAT:=1}" = 1 && check_awstatslogformat
test "${IS_MUNINLOGROTATE:=1}" = 1 && check_muninlogrotate
test "${IS_SQUID:=1}" = 1 && check_squid
test "${IS_EVOMAINTENANCE_FW:=1}" = 1 && check_evomaintenance_fw
test "${IS_MODDEFLATE:=1}" = 1 && check_moddeflate
test "${IS_LOG2MAILRUNNING:=1}" = 1 && check_log2mailrunning
test "${IS_LOG2MAILAPACHE:=1}" = 1 && check_log2mailapache
test "${IS_LOG2MAILMYSQL:=1}" = 1 && check_log2mailmysql
test "${IS_LOG2MAILSQUID:=1}" = 1 && check_log2mailsquid
test "${IS_BINDCHROOT:=1}" = 1 && check_bindchroot
test "${IS_REPVOLATILE:=1}" = 1 && check_repvolatile
test "${IS_NETWORK_INTERFACES:=1}" = 1 && check_network_interfaces
test "${IS_AUTOIF:=1}" = 1 && check_autoif
test "${IS_INTERFACESGW:=1}" = 1 && check_interfacesgw
test "${IS_NETWORKING_SERVICE:=1}" = 1 && check_networking_service
test "${IS_EVOBACKUP:=1}" = 1 && check_evobackup
test "${IS_EVOBACKUP_EXCLUDE_MOUNT:=1}" = 1 && check_evobackup_exclude_mount
test "${IS_USERLOGROTATE:=1}" = 1 && check_userlogrotate
test "${IS_APACHECTL:=1}" = 1 && check_apachectl
test "${IS_APACHESYMLINK:=1}" = 1 && check_apachesymlink
test "${IS_APACHEIPINALLOW:=1}" = 1 && check_apacheipinallow
test "${IS_MUNINAPACHECONF:=1}" = 1 && check_muninapacheconf
test "${IS_SAMBAPINPRIORITY:=1}" = 1 && check_sambainpriority
test "${IS_KERNELUPTODATE:=1}" = 1 && check_kerneluptodate
test "${IS_UPTIME:=1}" = 1 && check_uptime
test "${IS_MUNINRUNNING:=1}" = 1 && check_muninrunning
test "${IS_BACKUPUPTODATE:=1}" = 1 && check_backupuptodate
test "${IS_ETCGIT:=1}" = 1 && check_etcgit
test "${IS_GITPERMS:=1}" = 1 && check_gitperms
test "${IS_NOTUPGRADED:=1}" = 1 && check_notupgraded
test "${IS_TUNE2FS_M5:=1}" = 1 && check_tune2fs_m5
test "${IS_EVOLINUXSUDOGROUP:=1}" = 1 && check_evolinuxsudogroup
test "${IS_USERINADMGROUP:=1}" = 1 && check_userinadmgroup
test "${IS_APACHE2EVOLINUXCONF:=1}" = 1 && check_apache2evolinuxconf
test "${IS_BACKPORTSCONF:=1}" = 1 && check_backportsconf
test "${IS_BIND9MUNIN:=1}" = 1 && check_bind9munin
test "${IS_BIND9LOGROTATE:=1}" = 1 && check_bind9logrotate
test "${IS_BROADCOMFIRMWARE:=1}" = 1 && check_broadcomfirmware
test "${IS_HARDWARERAIDTOOL:=1}" = 1 && check_hardwareraidtool
test "${IS_LOG2MAILSYSTEMDUNIT:=1}" = 1 && check_log2mailsystemdunit
test "${IS_LISTUPGRADE:=1}" = 1 && check_listupgrade
test "${IS_MARIADBEVOLINUXCONF:=0}" = 1 && check_mariadbevolinuxconf
test "${IS_SQL_BACKUP:=1}" = 1 && check_sql_backup
test "${IS_POSTGRES_BACKUP:=1}" = 1 && check_postgres_backup
test "${IS_MONGO_BACKUP:=1}" = 1 && check_mongo_backup
test "${IS_LDAP_BACKUP:=1}" = 1 && check_ldap_backup
test "${IS_REDIS_BACKUP:=1}" = 1 && check_redis_backup
test "${IS_ELASTIC_BACKUP:=1}" = 1 && check_elastic_backup
test "${IS_MARIADBSYSTEMDUNIT:=1}" = 1 && check_mariadbsystemdunit
test "${IS_MYSQLMUNIN:=1}" = 1 && check_mysqlmunin
test "${IS_MYSQLNRPE:=1}" = 1 && check_mysqlnrpe
test "${IS_PHPEVOLINUXCONF:=0}" = 1 && check_phpevolinuxconf
test "${IS_SQUIDLOGROTATE:=1}" = 1 && check_squidlogrotate
test "${IS_SQUIDEVOLINUXCONF:=1}" = 1 && check_squidevolinuxconf
test "${IS_DUPLICATE_FS_LABEL:=1}" = 1 && check_duplicate_fs_label
test "${IS_EVOLIX_USER:=1}" = 1 && check_evolix_user
test "${IS_EVOACME_CRON:=1}" = 1 && check_evoacme_cron
test "${IS_EVOACME_LIVELINKS:=1}" = 1 && check_evoacme_livelinks
test "${IS_APACHE_CONFENABLED:=1}" = 1 && check_apache_confenabled
test "${IS_MELTDOWN_SPECTRE:=1}" = 1 && check_meltdown_spectre
test "${IS_OLD_HOME_DIR:=0}" = 1 && check_old_home_dir
test "${IS_EVOBACKUP_INCS:=1}" = 1 && check_evobackup_incs
test "${IS_OSPROBER:=1}" = 1 && check_osprober
test "${IS_JESSIE_BACKPORTS:=1}" = 1 && check_jessie_backports
test "${IS_APT_VALID_UNTIL:=1}" = 1 && check_apt_valid_until
test "${IS_CHROOTED_BINARY_UPTODATE:=1}" = 1 && check_chrooted_binary_uptodate
test "${IS_NGINX_LETSENCRYPT_UPTODATE:=1}" = 1 && check_nginx_letsencrypt_uptodate
test "${IS_LXC_CONTAINER_RESOLV_CONF:=1}" = 1 && check_lxc_container_resolv_conf
test "${IS_CHECK_VERSIONS:=1}" = 1 && check_versions
fi
#-----------------------------------------------------------
# Tests spécifiques à OpenBSD
#-----------------------------------------------------------
if is_openbsd; then
if [ "${IS_SOFTDEP:=1}" = 1 ]; then
grep -q "softdep" /etc/fstab || failed "IS_SOFTDEP"
fi
if [ "${IS_WHEEL:=1}" = 1 ]; then
grep -qE "^%wheel.*$" /etc/sudoers || failed "IS_WHEEL"
fi
if [ "${IS_SUDOADMIN:=1}" = 1 ]; then
grep -qE "^User_Alias ADMIN=.*$" /etc/sudoers || failed "IS_SUDOADMIN"
fi
if [ "${IS_PKGMIRROR:=1}" = 1 ]; then
grep -qE "^export PKG_PATH=http://ftp\.fr\.openbsd\.org/pub/OpenBSD/[0-9.]+/packages/[a-z0-9]+/$" /root/.profile \
|| failed "IS_PKGMIRROR"
fi
if [ "${IS_HISTORY:=1}" = 1 ]; then
f=/root/.profile
{ grep -q "^HISTFILE=\$HOME/.histfile" $f \
&& grep -q "^export HISTFILE" $f \
&& grep -q "^HISTSIZE=1000" $f \
&& grep -q "^export HISTSIZE" $f;
} || failed "IS_HISTORY"
fi
if [ "${IS_VIM:=1}" = 1 ]; then
command -v vim > /dev/null 2>&1 || failed "IS_VIM"
fi
if [ "${IS_TTYC0SECURE:=1}" = 1 ]; then
grep -Eqv "^ttyC0.*secure$" /etc/ttys || failed "IS_TTYC0SECURE"
fi
if [ "${IS_CUSTOMSYSLOG:=1}" = 1 ]; then
grep -q "Evolix" /etc/newsyslog.conf || failed "IS_CUSTOMSYSLOG"
fi
if [ "${IS_NOINETD:=1}" = 1 ]; then
grep -q "inetd=NO" /etc/rc.conf.local 2>/dev/null || failed "IS_NOINETD"
fi
if [ "${IS_SUDOMAINT:=1}" = 1 ]; then
f=/etc/sudoers
{ grep -q "Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh" $f \
&& grep -q "ADMIN ALL=NOPASSWD: MAINT" $f;
} || failed "IS_SUDOMAINT"
fi
if [ "${IS_POSTGRESQL:=1}" = 1 ]; then
pkg info | grep -q postgresql-client || failed "IS_POSTGRESQL" "postgresql-client is not installed"
fi
if [ "${IS_NRPE:=1}" = 1 ]; then
{ pkg info | grep -qE "nagios-plugins-[0-9.]" \
&& pkg info | grep -q nagios-plugins-ntp \
&& pkg info | grep -q nrpe;
} || failed "IS_NRPE" "NRPE is not installed"
fi
# if [ "${IS_NRPEDISKS:=1}" = 1 ]; then
# NRPEDISKS=$(grep command.check_disk /etc/nrpe.cfg 2>/dev/null | grep "^command.check_disk[0-9]" | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1)
# DFDISKS=$(df -Pl | grep -E -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)" | wc -l)
# [ "$NRPEDISKS" = "$DFDISKS" ] || failed "IS_NRPEDISKS"
# fi
# Verification du check_mailq dans nrpe.cfg (celui-ci doit avoir l'option "-M postfix" si le MTA est Postfix)
#
# if [ "${IS_NRPEPOSTFIX:=1}" = 1 ]; then
# pkg info | grep -q postfix && ( grep -q "^command.*check_mailq -M postfix" /etc/nrpe.cfg 2>/dev/null || failed "IS_NRPEPOSTFIX" )
# fi
if [ "${IS_NRPEDAEMON:=1}" = 1 ]; then
grep -q "echo -n ' nrpe'; /usr/local/sbin/nrpe -d" /etc/rc.local \
|| failed "IS_NREPEDAEMON"
fi
if [ "${IS_ALERTBOOT:=1}" = 1 ]; then
grep -qE "^date \| mail -sboot/reboot .*evolix.fr$" /etc/rc.local \
|| failed "IS_ALERTBOOT"
fi
if [ "${IS_RSYNC:=1}" = 1 ]; then
pkg info | grep -q rsync || failed "IS_RSYNC"
fi
if [ "${IS_CRONPATH:=1}" = 1 ]; then
grep -q "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" /var/cron/tabs/root \
|| failed "IS_CRONPATH"
fi
#TODO
# - Check en profondeur de postfix
# - NRPEDISK et NRPEPOSTFIX
fi
test "${IS_LSBRELEASE:=1}" = 1 && check_lsbrelease
test "${IS_DPKGWARNING:=1}" = 1 && check_dpkgwarning
test "${IS_UMASKSUDOERS:=1}" = 1 && check_umasksudoers
test "${IS_NRPEPOSTFIX:=1}" = 1 && check_nrpepostfix
test "${IS_MODSECURITY:=1}" = 1 && check_modsecurity
test "${IS_CUSTOMSUDOERS:=1}" = 1 && check_customsudoers
test "${IS_VARTMPFS:=1}" = 1 && check_vartmpfs
test "${IS_SERVEURBASE:=1}" = 1 && check_serveurbase
test "${IS_LOGROTATECONF:=1}" = 1 && check_logrotateconf
test "${IS_SYSLOGCONF:=1}" = 1 && check_syslogconf
test "${IS_DEBIANSECURITY:=1}" = 1 && check_debiansecurity
test "${IS_APTITUDEONLY:=1}" = 1 && check_aptitudeonly
test "${IS_APTITUDE:=1}" = 1 && check_aptitude
test "${IS_APTGETBAK:=1}" = 1 && check_aptgetbak
test "${IS_APTICRON:=0}" = 1 && check_apticron
test "${IS_USRRO:=1}" = 1 && check_usrro
test "${IS_TMPNOEXEC:=1}" = 1 && check_tmpnoexec
test "${IS_MOUNT_FSTAB:=1}" = 1 && check_mountfstab
test "${IS_LISTCHANGESCONF:=1}" = 1 && check_listchangesconf
test "${IS_CUSTOMCRONTAB:=1}" = 1 && check_customcrontab
test "${IS_SSHALLOWUSERS:=1}" = 1 && check_sshallowusers
test "${IS_DISKPERF:=0}" = 1 && check_diskperf
test "${IS_TMOUTPROFILE:=1}" = 1 && check_tmoutprofile
test "${IS_ALERT5BOOT:=1}" = 1 && check_alert5boot
test "${IS_ALERT5MINIFW:=1}" = 1 && check_alert5minifw
test "${IS_ALERT5MINIFW:=1}" = 1 && test "${IS_MINIFW:=1}" = 1 && check_minifw
test "${IS_NRPEPERMS:=1}" = 1 && check_nrpeperms
test "${IS_MINIFWPERMS:=1}" = 1 && check_minifwperms
# Enable when minifirewall is released
test "${IS_MINIFWINCLUDES:=0}" = 1 && check_minifw_includes
test "${IS_NRPEDISKS:=0}" = 1 && check_nrpedisks
test "${IS_NRPEPID:=1}" = 1 && check_nrpepid
test "${IS_GRSECPROCS:=1}" = 1 && check_grsecprocs
test "${IS_APACHEMUNIN:=1}" = 1 && check_apachemunin
test "${IS_MYSQLUTILS:=1}" = 1 && check_mysqlutils
test "${IS_RAIDSOFT:=1}" = 1 && check_raidsoft
test "${IS_AWSTATSLOGFORMAT:=1}" = 1 && check_awstatslogformat
test "${IS_MUNINLOGROTATE:=1}" = 1 && check_muninlogrotate
test "${IS_SQUID:=1}" = 1 && check_squid
test "${IS_EVOMAINTENANCE_FW:=1}" = 1 && check_evomaintenance_fw
test "${IS_MODDEFLATE:=1}" = 1 && check_moddeflate
test "${IS_LOG2MAILRUNNING:=1}" = 1 && check_log2mailrunning
test "${IS_LOG2MAILAPACHE:=1}" = 1 && check_log2mailapache
test "${IS_LOG2MAILMYSQL:=1}" = 1 && check_log2mailmysql
test "${IS_LOG2MAILSQUID:=1}" = 1 && check_log2mailsquid
test "${IS_BINDCHROOT:=1}" = 1 && check_bindchroot
test "${IS_REPVOLATILE:=1}" = 1 && check_repvolatile
test "${IS_NETWORK_INTERFACES:=1}" = 1 && check_network_interfaces
test "${IS_AUTOIF:=1}" = 1 && check_autoif
test "${IS_INTERFACESGW:=1}" = 1 && check_interfacesgw
test "${IS_NETWORKING_SERVICE:=1}" = 1 && check_networking_service
test "${IS_EVOBACKUP:=1}" = 1 && check_evobackup
test "${IS_EVOBACKUP_EXCLUDE_MOUNT:=1}" = 1 && check_evobackup_exclude_mount
test "${IS_USERLOGROTATE:=1}" = 1 && check_userlogrotate
test "${IS_APACHECTL:=1}" = 1 && check_apachectl
test "${IS_APACHESYMLINK:=1}" = 1 && check_apachesymlink
test "${IS_APACHEIPINALLOW:=1}" = 1 && check_apacheipinallow
test "${IS_MUNINAPACHECONF:=1}" = 1 && check_muninapacheconf
test "${IS_SAMBAPINPRIORITY:=1}" = 1 && check_sambainpriority
test "${IS_KERNELUPTODATE:=1}" = 1 && check_kerneluptodate
test "${IS_UPTIME:=1}" = 1 && check_uptime
test "${IS_MUNINRUNNING:=1}" = 1 && check_muninrunning
test "${IS_BACKUPUPTODATE:=1}" = 1 && check_backupuptodate
test "${IS_ETCGIT:=1}" = 1 && check_etcgit
test "${IS_GITPERMS:=1}" = 1 && check_gitperms
test "${IS_NOTUPGRADED:=1}" = 1 && check_notupgraded
test "${IS_TUNE2FS_M5:=1}" = 1 && check_tune2fs_m5
test "${IS_EVOLINUXSUDOGROUP:=1}" = 1 && check_evolinuxsudogroup
test "${IS_USERINADMGROUP:=1}" = 1 && check_userinadmgroup
test "${IS_APACHE2EVOLINUXCONF:=1}" = 1 && check_apache2evolinuxconf
test "${IS_BACKPORTSCONF:=1}" = 1 && check_backportsconf
test "${IS_BIND9MUNIN:=1}" = 1 && check_bind9munin
test "${IS_BIND9LOGROTATE:=1}" = 1 && check_bind9logrotate
test "${IS_BROADCOMFIRMWARE:=1}" = 1 && check_broadcomfirmware
test "${IS_HARDWARERAIDTOOL:=1}" = 1 && check_hardwareraidtool
test "${IS_LOG2MAILSYSTEMDUNIT:=1}" = 1 && check_log2mailsystemdunit
test "${IS_LISTUPGRADE:=1}" = 1 && check_listupgrade
test "${IS_MARIADBEVOLINUXCONF:=0}" = 1 && check_mariadbevolinuxconf
test "${IS_SQL_BACKUP:=1}" = 1 && check_sql_backup
test "${IS_POSTGRES_BACKUP:=1}" = 1 && check_postgres_backup
test "${IS_MONGO_BACKUP:=1}" = 1 && check_mongo_backup
test "${IS_LDAP_BACKUP:=1}" = 1 && check_ldap_backup
test "${IS_REDIS_BACKUP:=1}" = 1 && check_redis_backup
test "${IS_ELASTIC_BACKUP:=1}" = 1 && check_elastic_backup
test "${IS_MARIADBSYSTEMDUNIT:=1}" = 1 && check_mariadbsystemdunit
test "${IS_MYSQLMUNIN:=1}" = 1 && check_mysqlmunin
test "${IS_MYSQLNRPE:=1}" = 1 && check_mysqlnrpe
test "${IS_PHPEVOLINUXCONF:=0}" = 1 && check_phpevolinuxconf
test "${IS_SQUIDLOGROTATE:=1}" = 1 && check_squidlogrotate
test "${IS_SQUIDEVOLINUXCONF:=1}" = 1 && check_squidevolinuxconf
test "${IS_DUPLICATE_FS_LABEL:=1}" = 1 && check_duplicate_fs_label
test "${IS_EVOLIX_USER:=1}" = 1 && check_evolix_user
test "${IS_EVOACME_CRON:=1}" = 1 && check_evoacme_cron
test "${IS_EVOACME_LIVELINKS:=1}" = 1 && check_evoacme_livelinks
test "${IS_APACHE_CONFENABLED:=1}" = 1 && check_apache_confenabled
test "${IS_MELTDOWN_SPECTRE:=1}" = 1 && check_meltdown_spectre
test "${IS_OLD_HOME_DIR:=0}" = 1 && check_old_home_dir
test "${IS_EVOBACKUP_INCS:=1}" = 1 && check_evobackup_incs
test "${IS_OSPROBER:=1}" = 1 && check_osprober
test "${IS_JESSIE_BACKPORTS:=1}" = 1 && check_jessie_backports
test "${IS_APT_VALID_UNTIL:=1}" = 1 && check_apt_valid_until
test "${IS_CHROOTED_BINARY_UPTODATE:=1}" = 1 && check_chrooted_binary_uptodate
test "${IS_NGINX_LETSENCRYPT_UPTODATE:=1}" = 1 && check_nginx_letsencrypt_uptodate
test "${IS_LXC_CONTAINER_RESOLV_CONF:=1}" = 1 && check_lxc_container_resolv_conf
test "${IS_CHECK_VERSIONS:=1}" = 1 && check_versions
if [ -f "${main_output_file}" ]; then
lines_found=$(wc -l < "${main_output_file}")
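Review bot: In `check_autoif` the interface name is interpolated unanchored into the regex, so `^iface $interface` and `^auto $interface` also match VLAN and alias sub-interfaces (`iface eth0.100`, `auto eth0:1`), which can both hide a missing `auto eth0` and report one that is not missing; anchor the name with `"^iface ${interface}[[:space:]]"` and `"^auto ${interface}[[:space:]]"`. The new `grep -R` over the `/etc/network/interfaces*` glob also reads editor and dpkg leftovers (`interfaces.bak`, `interfaces.dpkg-old`, `interfaces~`); prefer the explicit pair `/etc/network/interfaces /etc/network/interfaces.d` with `2> /dev/null` for the case where the directory is absent. `check_autoif` starts outside its hunk.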

@ -1,12 +1,5 @@
---
- name: Package install is not supported anymore
fail:
msg: Package install is not supported anymore
when:
- evocheck_force_install is defined
- evocheck_force_install == "package"
- include: install.yml
- include: cron.yml

@ -3,7 +3,7 @@
PROGNAME="update-evobackup-canary"
REPOSITORY="https://gitea.evolix.org/evolix/evobackup"
VERSION="22.05"
VERSION="22.06"
readonly VERSION
# base functions
@ -44,8 +44,8 @@ main() {
if [ -z "${canary_file:-}" ]; then
canary_file="/zzz_evobackup_canary"
fi
# This option is supported since (at least) Debian 8
date=$(date --iso-8601=seconds)
# This option is supported both on OpenBSD which does not use GNU date and on Debian
date=$(date "+%FT%T%z")
printf "%s %s\n" "${date}" "${who}" >> "${canary_file}"
}
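Review bot: `date "+%FT%T%z"` writes the UTC offset as `+0200`, whereas the previous `date --iso-8601=seconds` wrote `+02:00`, so canary files on hosts that ran the old version contain both forms; whatever parses the timestamp (not visible here) has to accept both. Worth stating at the call site, e.g. `# %z gives +0200 (no colon), unlike the former --iso-8601=seconds output; readers must accept both forms`. `main` starts outside the hunk.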

@ -17,7 +17,7 @@
- name: update-evobackup-canary script is present
copy:
src: "update-evobackup-canary.sh"
src: update-evobackup-canary
dest: /usr/local/bin/update-evobackup-canary
force: True
owner: root
@ -30,11 +30,11 @@
path: /usr/local/sbin/update-evobackup-canary
state: absent
- name: dir-check script is present
copy:
src: "dir-check.sh"
dest: /usr/local/bin/dir-check
force: True
owner: root
group: root
mode: "0755"
# - name: dir-check script is present
# copy:
# src: "dir-check.sh"
# dest: /usr/local/bin/dir-check
# force: True
# owner: root
# group: root
# mode: "0755"
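Review bot: Commenting out the dir-check task leaves an already-deployed `/usr/local/bin/dir-check` in place on hosts, whereas the task just above removes the stale `/usr/local/sbin/update-evobackup-canary`; if the script is being withdrawn, replace the dead YAML with an absent-state task (below), and if it is only temporarily disabled, say why in a one-line comment instead of keeping the full block. `force: True` on the copy task is the YAML 1.1 spelling; `force: true` is the canonical form yamllint accepts.
```yaml
- name: dir-check script is absent
  file:
    path: /usr/local/bin/dir-check
    state: absent
```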

@ -19,6 +19,7 @@ evolinux_users:
groups: "baz"
password_hash: 'sdfgsdfgsdfgsdfg'
ssh_key: 'ssh-rsa AZERTYXYZ'
create: always
bar:
name: bar
uid: 1002
@ -30,6 +31,7 @@ evolinux_users:
ssh_keys:
- 'ssh-rsa QWERTYUIOP'
- 'ssh-ed25519 QWERTYUIOP'
create: on_demand
```
* `evolinux_sudo_group`: which group to use for sudo (default: `evolinux-sudo`)

@ -6,3 +6,6 @@ evolinux_ssh_group: "evolinux-ssh"
evolinux_internal_group: ""
evolinux_root_disable_ssh: True
# Defines which groups of users are created
evolinux_users_create: always
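Review bot: The comment `# Defines which groups of users are created` is misleading: the variable has nothing to do with groups, it is compared against each user's `create` key and only users whose key equals it are created. Suggest `# Only users whose \`create\` key equals this value are created (compared in tasks/main.yml, ssh.yml and sudo.yml)`. The value is a plain string, so quoting it (`"always"`) also protects future values from YAML retyping.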

@ -16,7 +16,9 @@
vars:
user: "{{ item.value }}"
loop: "{{ evolinux_users | dict2items }}"
when: evolinux_users | length > 0
when:
- user.create == evolinux_users_create
- evolinux_users | length > 0
- name: Configure sudo
include: sudo.yml
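Review bot: `user.create == evolinux_users_create` raises an undefined-attribute error for any existing inventory entry that has no `create` key, even though the changelog and README in this commit describe `always` as the default; apply the default in the condition, `- user.create | default('always') == evolinux_users_create`. The same comparison is added in ssh.yml and sudo.yml and needs the same default there. The task this `when` belongs to starts outside the hunk.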

@ -50,6 +50,7 @@
user: "{{ item.value }}"
loop: "{{ evolinux_users | dict2items }}"
when:
- user.create == evolinux_users_create
- ssh_allowusers
- not ssh_allowgroups
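Review bot: `user.create == evolinux_users_create` fails the conditional with an undefined-attribute error for a user entry that has no `create` key, instead of treating it as `always` as the README states; use `- user.create | default('always') == evolinux_users_create`. The task starts outside the hunk.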

@ -6,6 +6,7 @@
loop: "{{ evolinux_users | dict2items }}"
when:
- evolinux_users | length > 0
- user.create == evolinux_users_create
- ansible_distribution_release == "jessie"
@ -16,6 +17,9 @@
vars:
user: "{{ item.value }}"
loop: "{{ evolinux_users | dict2items }}"
when:
- evolinux_users | length > 0
- user.create == evolinux_users_create
when:
- ansible_distribution_major_version is defined
- ansible_distribution_major_version is version('9', '>=')
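Review bot: The second task in this hunk now carries two `when:` keys in one mapping, the new one after `loop:` and the pre-existing one with the `ansible_distribution_major_version` conditions; a YAML mapping cannot hold duplicate keys and Ansible's loader warns and keeps only the last, so the `evolinux_users_create` filter is silently dropped on every Debian >= 9 host. Merge them into a single list (below), applying the `always` default the README promises while at it. The task starts outside the hunk.
```yaml
  when:
    - evolinux_users | length > 0
    - user.create | default('always') == evolinux_users_create
    - ansible_distribution_major_version is defined
    - ansible_distribution_major_version is version('9', '>=')
```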

@ -1,3 +1,3 @@
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=<HOST>,.*
ignoreregex =

@ -408,12 +408,8 @@ EOT
fi
# MariaDB
if is_pkg_installed mariadb-server-10.3; then
mariadb_version=$(get_pkg_version mariadb-server-10.3)
elif is_pkg_installed mariadb-server-10.1; then
mariadb_version=$(get_pkg_version mariadb-server-10.1)
elif is_pkg_installed mariadb-server-10.0; then
mariadb_version=$(get_pkg_version mariadb-server-10.0)
if is_pkg_installed mariadb-server; then
mariadb_version=$(get_pkg_version mariadb-server)
fi
if [ -n "${mariadb_version}" ]; then
cat <<EOT >> "${ldif_file}"
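Review bot: Matching only the `mariadb-server` metapackage drops detection on hosts where just a versioned package (`mariadb-server-10.3` and the like, e.g. installed from the mariadb.org repositories or without the metapackage) is present; the old branches caught those, and now `mariadb_version` stays empty so the MariaDB entry is silently left out of the LDIF. If such hosts exist, keep a fallback on the versioned names, for instance `mariadb_version=$(dpkg-query -W -f='${Version}\n' 'mariadb-server-1*' 2> /dev/null | head -n 1)` when the metapackage is absent. The enclosing function starts and ends outside the hunk.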

@ -1,4 +1,4 @@
[haproxy_*]
{% if haproxy_stats_internal_enable %}
env.url http://{{ haproxy_stats_internal_host }}:{{ haproxy_stats_internal_port }}/;csv;norefresh
env.url http://{{ haproxy_stats_internal_host }}:{{ haproxy_stats_internal_port }}{{ haproxy_stats_path }};csv;norefresh
{% endif %}

@ -3,7 +3,7 @@
- name: "{{ lxc_php_version }} - Install PHP packages"
lxc_container:
name: "{{ lxc_php_version }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-zip composer libphp-phpmailer"
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer"
- name: "{{ lxc_php_version }} - fix bullseye repository"
replace:

@ -46,7 +46,7 @@
- name: "{{ lxc_php_version }} - Install PHP packages"
lxc_container:
name: "{{ lxc_php_version }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-zip composer libphp-phpmailer"
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer"
- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration"
template:

@ -46,7 +46,7 @@
- name: "{{ lxc_php_version }} - Install PHP packages"
lxc_container:
name: "{{ lxc_php_version }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-zip composer libphp-phpmailer"
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer"
- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration"
template:

@ -0,0 +1,82 @@
#!/bin/bash
# {{ ansible_managed }}
set -u
return=0
nb_crit=0
nb_warn=0
nb_ok=0
nb_unchk=0
output=""
vendored_check=/usr/local/lib/nagios/plugins/check_memcached.pl
if [ -x $vendored_check ]; then
check_bin=$vendored_check
else
echo "UNCHK - can't find check_memcached"
exit 3
fi
check_server() {
name=$1
conf_file=$2
host=$(config_var "-l" "${conf_file}")
port=$(config_var "-p" "${conf_file}")
cmd="${check_bin} -H ${host} -p ${port}"
result=$($cmd)
ret="${?}"
if [ "${ret}" -ge 2 ]; then
nb_crit=$((nb_crit + 1))
printf -v output "%s%s\n" "${output}" "${result}"
[ "${return}" -le 2 ] && return=2
elif [ "${ret}" -ge 1 ]; then
nb_warn=$((nb_warn + 1))
printf -v output "%s%s\n" "${output}" "${result}"
[ "${return}" -le 1 ] && return=1
else
nb_ok=$((nb_ok + 1))
printf -v output "%s%s\n" "${output}" "${result}"
[ "${return}" -le 0 ] && return=0
fi
}
config_var() {
variable=$1
file=$2
test -f "${file}" && grep -E "^${variable}\s+.+$" "${file}" | awk '{ print $2 }' | sed -e "s/^[\"']//" -e "s/[\"']$//"
}
# default instance
if systemctl is-enabled -q memcached; then
check_server "default" "/etc/memcached.conf"
fi
# additional instances
conf_files=$(ls -1 /etc/memcached_*.conf 2> /dev/null)
for conf_file in ${conf_files}; do
name=$(basename "${conf_file}" | sed '{s|memcached_||;s|\.conf||}')
if systemctl is-enabled -q "memcached@${name}.service"; then
check_server "${name}" "${conf_file}"
else
nb_unchk=$((nb_unchk + 1))
output="${output}UNCHK - ${name} (unit is disabled or missing)\n"
fi
done
[ "${return}" -ge 0 ] && header="OK"
[ "${return}" -ge 1 ] && header="WARNING"
[ "${return}" -ge 2 ] && header="CRITICAL"
printf "%s - %s UNCHK / %s CRIT / %s WARN / %s OK\n\n" "${header}" "${nb_unchk}" "${nb_crit}" "${nb_warn}" "${nb_ok}"
printf "%s" "${output}" | grep -E "CRITICAL"
printf "%s" "${output}" | grep -E "WARNING"
printf "%s" "${output}" | grep -E "OK"
printf "%s" "${output}" | grep -E "UNCHK"
exit "${return}"
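Review bot: The UNCHK branch `output="${output}UNCHK - ${name} (unit is disabled or missing)\n"` appends a literal backslash-n, not a newline (the other branches use `printf -v`), so several UNCHK entries come out fused on one line in the final `grep -E "UNCHK"`; use `printf -v output "%sUNCHK - %s (unit is disabled or missing)\n" "${output}" "${name}"`. In `check_server`, an instance file without an explicit `-l` or `-p` line leaves `host`/`port` empty and runs `check_memcached.pl -H  -p`, turning a missing option into a plugin error; default them with `host=${host:-127.0.0.1}` and `port=${port:-11211}` (11211 is memcached's default port, 127.0.0.1 matches the stock Debian configuration). Parsing `ls` output into `conf_files` is also fragile; `for conf_file in /etc/memcached_*.conf; do [ -e "${conf_file}" ] || continue` does the same without the subshell.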

@ -0,0 +1,17 @@
- name: Memcached is configured.
template:
src: memcached.conf.j2
dest: /etc/memcached.conf
mode: "0644"
notify: restart memcached
tags:
- memcached
- name: Memcached is running and enabled on boot.
service:
name: memcached
enabled: yes
state: started
tags:
- memcached
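Review bot: This new file has no `---` document start while its sibling instance-multi.yml in the same commit does, and `enabled: yes` relies on YAML 1.1 truthy parsing; `enabled: true` is the unambiguous form. The template task sets `mode: "0644"` but no `owner`/`group`, which are worth making explicit for a file that fixes the listen address and port of a network daemon.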

@ -0,0 +1,41 @@
---
- name: Add systemd unit template
copy:
src: memcached@.service
dest: /etc/systemd/system/memcached@.service
tags:
- memcached
- name: Disable default memcached systemd unit
systemd:
name: memcached
enabled: false
state: stopped
tags:
- memcached
- name: Make sure memcached.conf is absent
file:
path: /etc/memcached.conf
state: absent
tags:
- memcached
- name: "Create a configuration file for instance ({{ memcached_instance_name }})"
template:
src: memcached.conf.j2
dest: /etc/memcached_{{ memcached_instance_name }}.conf
mode: "0644"
tags:
- memcached
- name: "Enable and start the memcached instance ({{ memcached_instance_name }})"
systemd:
name: memcached@{{ memcached_instance_name }}
enabled: yes
state: started
daemon_reload: yes
masked: no
tags:
- memcached
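Review bot: The per-instance configuration task writing `/etc/memcached_{{ memcached_instance_name }}.conf` has no `notify`, unlike the default-instance task which notifies `restart memcached`, so a changed listen address or port is written to disk but the running `memcached@{{ memcached_instance_name }}` keeps its old settings until something else restarts it; add a `notify:` with a handler that restarts that unit (none is visible in this commit, so one would need to be added), or a conditional restart task registered on the template result. The `copy` of `memcached@.service` into `/etc/systemd/system` sets no `owner`/`group`/`mode`; make them explicit (`owner: root`, `group: root`, `mode: "0644"`) as the nrpe task in this commit does for its plugin. `enabled: yes` should be `enabled: true`.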

@ -1,73 +1,15 @@
- name: ensure packages are installed
- name: Ensure memcached is installed
apt:
name: memcached
state: present
tags:
- memcached
- name: Memcached is configured.
template:
src: memcached.conf.j2
dest: /etc/memcached.conf
mode: "0644"
notify: restart memcached
tags:
- memcached
when: memcached_instance_name | length == 0
- name: Memcached is running and enabled on boot.
service:
name: memcached
enabled: yes
state: started
tags:
- memcached
when: memcached_instance_name | length == 0
- include: instance-default.yml
when: memcached_instance_name is undefined
- name: Add systemd template
copy:
src: memcached@.service
dest: /etc/systemd/system/memcached@.service
tags:
- memcached
when: memcached_instance_name | length > 0
- name: Delete default memcached systemd configuration file
systemd:
name: memcached
enabled: false
state: stopped
tags:
- memcached
when: memcached_instance_name | length > 0
- name: Make sure memcached.conf is absent
file:
path: /etc/memcached.conf
state: absent
tags:
- memcached
when: memcached_instance_name | length > 0
- name: Create a configuration file
template:
src: memcached.conf.j2
dest: /etc/memcached_{{ memcached_instance_name }}.conf
mode: "0644"
tags:
- memcached
when: memcached_instance_name | length > 0
- name: Enable and start the memcached instance
systemd:
name: memcached@{{ memcached_instance_name }}
enabled: yes
state: started
daemon_reload: yes
masked: no
tags:
- memcached
when: memcached_instance_name | length > 0
- include: instance-multi.yml
when: memcached_instance_name is defined
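Review bot: Switching the gate from `memcached_instance_name | length > 0` to `memcached_instance_name is defined` makes the multi-instance branch fire whenever the variable exists, including when it is set to an empty string, which the old test excluded; if the role's defaults declare the variable (the previous `length` tests suggest it was always defined), instance-multi.yml would then stop and disable the default unit, delete `/etc/memcached.conf` and create `/etc/memcached_.conf` plus a `memcached@.service` unit with an empty instance name, leaving no usable memcached. I cannot see defaults/main.yml from here, so this is inferred; the safe form is `when: memcached_instance_name is defined and memcached_instance_name | length > 0` on the multi include and `when: memcached_instance_name is not defined or memcached_instance_name | length == 0` on the default include. `include` is also deprecated in favour of `include_tasks` / `import_tasks`.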
- include: munin.yml

@ -2,7 +2,7 @@
- name: Choose packages (Oracle)
set_fact:
multi: "multi_"
when: memcached_instance_name | length > 0
when: memcached_instance_name is defined
- name: is Munin present ?
stat:

@ -1,6 +1,4 @@
---
- include_role:
name: evolix/remount-usr
- name: Is nrpe present ?
stat:
@ -10,7 +8,12 @@
- block:
- name: Install dependencies
apt:
name: libcache-memcached-perl
name:
- libcache-memcached-perl
- libmemcached11
- include_role:
name: evolix/remount-usr
- name: Copy Nagios check for memcached
copy:
@ -18,13 +21,29 @@
dest: /usr/local/lib/nagios/plugins/
mode: "0755"
# TODO: install a "multi-instances" check if the memcached_instance_name variable is not null
- name: install check_memcached_instances
copy:
src: check_memcached_instances.sh
dest: /usr/local/lib/nagios/plugins/check_memcached_instances
force: yes
mode: "0755"
owner: root
group: root
- name: Add NRPE check
- name: Add NRPE check (single instance)
lineinfile:
name: /etc/nagios/nrpe.d/evolix.cfg
regexp: '^command\[check_memcached\]='
line: 'command[check_memcached]=/usr/local/lib/nagios/plugins/check_memcached.pl -H 127.0.0.1 -p {{ memcached_port }}'
notify: restart nagios-nrpe-server
when: memcached_instance_name is undefined
- name: Add NRPE check (multi instance)
lineinfile:
name: /etc/nagios/nrpe.d/evolix.cfg
regexp: '^command\[check_memcached\]='
line: 'command[check_memcached]=/usr/local/lib/nagios/plugins/check_memcached_instances'
notify: restart nagios-nrpe-server
when: memcached_instance_name is defined
when: nrpe_evolix_config.stat.exists
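Review bot: The `# TODO: install a "multi-instances" check ...` comment left just above the new `install check_memcached_instances` task is now stale, since that task and `Add NRPE check (multi instance)` are exactly what it asked for; drop the comment. The new task pins `owner: root`, `group: root`, `mode: "0755"` while the `Copy Nagios check for memcached` task right above it sets only `mode`; give both the same ownership so the plugins executed by NRPE are consistently root-owned. The single-instance NRPE command hardcodes `-H 127.0.0.1` while the multi-instance wrapper reads the listen address from the config file, so a default instance templated with another `-l` value would be checked on the wrong address; use the same variable the template uses for `-l` if the role has one (not visible here), or note the assumption in a comment.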

@ -4,3 +4,19 @@
service:
name: nagios-nrpe-server
state: restarted
- name: restart minifirewall (modern)
command: /etc/init.d/minifirewall restart
register: minifirewall_init_restart
failed_when: "'minifirewall failed' in minifirewall_init_restart.stdout"
- name: restart minifirewall (legacy)
command: /etc/init.d/minifirewall restart
register: minifirewall_init_restart
failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout"
- name: restart minifirewall (noop)
meta: noop
register: minifirewall_init_restart
failed_when: False
changed_when: False
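Review bot: Declaring `failed_when: "'minifirewall failed' in minifirewall_init_restart.stdout"` on the modern handler replaces Ansible's default non-zero-exit failure check, so a restart that exits non-zero without printing that phrase (or prints it on stderr) is reported as success and the play continues with whatever rules are loaded; the legacy handler's success-string test has the same blind spot for output on stderr. Use `failed_when: minifirewall_init_restart.rc != 0 or 'minifirewall failed' in minifirewall_init_restart.stdout` and `failed_when: minifirewall_init_restart.rc != 0 or 'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout`. The `register`, `failed_when` and `changed_when` keys on the `meta: noop` handler are ignored by `meta` and can be dropped. Handlers also run only at the end of the play unless flushed, so if the play aborts before that point the on-disk config and the loaded ruleset diverge; consider `force_handlers: true` on the plays using this role.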

@ -197,21 +197,15 @@
path: "{{ minifirewall_main_file }}"
register: minifirewall_after
- name: restart minifirewall
command: /etc/init.d/minifirewall restart
register: minifirewall_init_restart
failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout"
- name: Schedule minifirewall restart (legacy)
command: /bin/true
notify: "restart minifirewall (legacy)"
when:
- minifirewall_install_mode == 'legacy'
- minifirewall_restart_if_needed | bool
- minifirewall_is_running.rc == 0
- minifirewall_before.stat.checksum != minifirewall_after.stat.checksum
- minifirewall_before.stat.checksum != minifirewall_after.stat.checksum or minifirewall_upgrade_script is changed or minifirewall_upgrade_config is changed
- name: restart minifirewall (noop)
meta: noop
register: minifirewall_init_restart
failed_when: False
changed_when: False
when: not (minifirewall_restart_if_needed | bool)
- debug:
var: minifirewall_init_restart
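Review bot: The `debug: var: minifirewall_init_restart` kept at the end of this hunk now refers to a variable that is no longer registered in this file: the restart moved into a handler that runs at end of play, so at this point the variable is either undefined (Ansible prints "VARIABLE IS NOT DEFINED!") or a stale value from an earlier task; remove the debug or move it into the handler. The scheduling task uses `command: /bin/true` purely to trigger `notify`; a `debug` task with `changed_when: true`, or a `- meta: flush_handlers` right after it when later tasks depend on the reloaded ruleset, would make the intent clearer. The enclosing file continues outside the hunk.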

@ -282,11 +282,11 @@
path: "/etc/default/minifirewall"
register: minifirewall_after
- name: restart minifirewall
command: /etc/init.d/minifirewall restart
register: minifirewall_init_restart
failed_when: "'minifirewall failed' in minifirewall_init_restart.stdout"
- name: Schedule minifirewall restart (modern)
command: /bin/true
notify: "restart minifirewall (modern)"
when:
- minifirewall_install_mode != 'legacy'
- minifirewall_restart_if_needed | bool
- minifirewall_is_running.rc == 0
- minifirewall_before.stat.checksum != minifirewall_after.stat.checksum or minifirewall_upgrade_script is changed or minifirewall_upgrade_config is changed
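Review bot: The `minifirewall_is_running.rc == 0` condition means that when the firewall is not currently loaded, a changed `/etc/default/minifirewall` or an upgraded script is written but never activated, so a host found without rules stays that way silently; if leaving a stopped firewall stopped is intentional, say so above the task, e.g. `# Only reload a firewall that is already running; a stopped minifirewall is never started here.`, otherwise a separate start branch is needed. The `command: /bin/true` trigger always reports `changed` when the `when` list holds, which is acceptable here because the list already requires a real change. The rest of the file is outside the hunk.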

@ -1,9 +1,5 @@
---
- name: Compose minifirewall_restart_handler_name variable
set_fact:
minifirewall_restart_handler_name: "{{ minifirewall_restart_if_needed | bool | ternary('restart minifirewall', 'restart minifirewall (noop)') }}"
# Legacy or modern mode? ##############################################
- name: Check minifirewall
@ -39,6 +35,25 @@
var: minifirewall_install_mode
verbosity: 1
- name: 'Set minifirewall_restart_handler_name to "noop"'
set_fact:
minifirewall_restart_handler_name: "restart minifirewall (noop)"
when: not (minifirewall_restart_if_needed | bool)
- name: 'Set minifirewall_restart_handler_name to "legacy"'
set_fact:
minifirewall_restart_handler_name: "restart minifirewall (legacy)"
when:
- minifirewall_restart_if_needed | bool
- minifirewall_install_mode == 'legacy'
- name: 'Set minifirewall_restart_handler_name to "modern"'
set_fact:
minifirewall_restart_handler_name: "restart minifirewall (modern)"
when:
- minifirewall_restart_if_needed | bool
- minifirewall_install_mode != 'legacy'
#######################################################################
- name: Fail if minifirewall_main_file is defined (legacy mode)
@ -106,18 +121,16 @@
var: minifirewall_restart_force | bool
verbosity: 1
- name: Force restart minifirewall (modern mode)
command: /etc/init.d/minifirewall restart
register: minifirewall_init_restart
failed_when: "'minifirewall failed' in minifirewall_init_restart.stdout"
- name: Force restart minifirewall (legacy)
command: /bin/true
notify: "restart minifirewall (legacy)"
when:
- minifirewall_install_mode != 'legacy'
- minifirewall_install_mode == 'legacy'
- minifirewall_restart_force | bool
- name: Force restart minifirewall (legacy mode)
command: /etc/init.d/minifirewall restart
register: minifirewall_init_restart
failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout"
- name: Force restart minifirewall (modern)
command: /bin/true
notify: "restart minifirewall (modern)"
when:
- minifirewall_install_mode == 'legacy'
- minifirewall_install_mode != 'legacy'
- minifirewall_restart_force | bool
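Review bot: A forced restart now only schedules a handler, so with `minifirewall_restart_force` the rules are reloaded at the end of the play instead of at this point as before; if tasks later in the play rely on the new ruleset, or the play fails first, the restart never happens. Add an unconditional `- meta: flush_handlers` after the two scheduling tasks to keep the "force" semantics immediate; it only runs handlers that were actually notified, so it is a no-op when neither task fired. The remaining tasks of main.yml are outside the hunk.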

@ -1,4 +1,22 @@
---
- name: Stat minifirewall config file (before)
stat:
path: "/etc/default/minifirewall"
register: minifirewall_before
- name: Check if minifirewall is running
shell:
cmd: /sbin/iptables -L -n | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
changed_when: False
failed_when: False
check_mode: no
register: minifirewall_is_running
- debug:
var: minifirewall_is_running
verbosity: 1
- name: Add some rules at the end of minifirewall file
template:
src: "{{ item }}"
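Review bot: The "running" test at `cmd: /sbin/iptables -L -n | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)..."` is a fingerprint of two rules minifirewall happens to install in the IPv4 filter table, not of minifirewall itself: any other tool that adds an any-to-any `DROP udp` or `ACCEPT icmp` rule makes it report "running", and an IPv6-only ruleset is never looked at. Since this decides whether the new tail rules are ever loaded, it deserves a comment stating the heuristic, e.g. `# Heuristic: minifirewall's catch-all "DROP udp" / "ACCEPT icmp" rules are present in the IPv4 filter table`, and if the init script offers a status action that would be a better signal (I cannot tell from here). `minifirewall_before` registered above is not read by the restart condition visible in this commit's tail hunks. The template task that begins at the bottom of the hunk continues outside it.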
@ -30,20 +48,14 @@
var: minifirewall_tail_source
verbosity: 1
- name: restart minifirewall
command: /etc/init.d/minifirewall restart
register: minifirewall_init_restart
failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout"
- name: Schedule minifirewall restart (legacy)
command: /bin/true
notify: "restart minifirewall (legacy)"
when:
- minifirewall_tail_template is changed
- minifirewall_install_mode == 'legacy'
- minifirewall_restart_if_needed | bool
- name: restart minifirewall (noop)
meta: noop
register: minifirewall_init_restart
failed_when: False
changed_when: False
when: not (minifirewall_restart_if_needed | bool)
- minifirewall_is_running.rc == 0
- minifirewall_tail_template is changed
- debug:
var: minifirewall_init_restart
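Review bot: The trailing `debug: var: minifirewall_init_restart` reads a variable this file no longer registers, because the restart is now a handler that runs at end of play, so it prints "VARIABLE IS NOT DEFINED!" or stale data from an earlier task; drop it or move it into the handler. The merged `when` list again carries `minifirewall_is_running.rc == 0`, so a firewall that is not currently loaded never receives the new tail rules; a one-line comment such as `# Only a running firewall is reloaded; a stopped minifirewall is left alone.` would save the next reader a trip to config.yml to confirm that is deliberate.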

@ -1,4 +1,22 @@
---
- name: Stat minifirewall config file (before)
stat:
path: "/etc/default/minifirewall"
register: minifirewall_before
- name: Check if minifirewall is running
shell:
cmd: /sbin/iptables -L -n | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
changed_when: False
failed_when: False
check_mode: no
register: minifirewall_is_running
- debug:
var: minifirewall_is_running
verbosity: 1
- name: Add some rules at the end of minifirewall file
template:
src: "{{ item }}"
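Review bot: The `Stat minifirewall config file (before)` and `Check if minifirewall is running` tasks here are byte-for-byte the same as the ones added to tail.legacy.yml in this commit, and the same `iptables -L -n | grep -E ...` fingerprint is what config.yml's `minifirewall_is_running` appears to rely on, so the heuristic now lives in several places and will drift; move the two tasks into a shared task file (e.g. `is_running.yml`) and `include_tasks` it from both tail files. The `/sbin/iptables` path is hardcoded; `iptables` via `PATH` or a role variable would survive the `/usr/sbin` merge on newer releases. The template task at the bottom of the hunk continues outside it.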
@ -18,20 +36,14 @@
var: minifirewall_tail_template