Merge branch 'unstable' (commit 3acd997eca) into stable

apt/defaults/main.yml

@@ -6,3 +6,5 @@ apt_install_backports: False
 apt_backports_components: "main"
 
 apt_install_evolix_public: True
+
+apt_clean_gandi_sourceslist: False

apt/tasks/basics.yml

@@ -10,6 +10,16 @@
   tags:
   - apt
 
+- name: Clean GANDI sources.list.d/debian-security.list
+  file:
+    path: '{{ item }}'
+    state: absent
+  with_items:
+  - /etc/apt/sources.list.d/debian-security.list
+  - /etc/apt/sources.list.d/debian-stretch.list
+  - /etc/apt/sources.list.d/debian-update.list
+  when: apt_clean_gandi_sourceslist
+
 - name: Intermediate flush of handlers
   meta: flush_handlers
   tags:

docker-host/defaults/main.yml

@@ -1,12 +1,15 @@
 ---
-docker_tmpdir: /home/docker/tmp
+# If docher_home sets to /home/, the partition should be mounted with exec
+# option.
+docker_home: /srv/docker
+docker_tmpdir: "{{docker_home}}/tmp"
 
 docker_remote_access_enabled: True
 docker_daemon_port: 2376
 docker_daemon_listening_ip: 0.0.0.0
 
 docker_tls_enabled: True
-docker_tls_path: /home/docker/tls
+docker_tls_path: "{{docker_home}}/tls"
 docker_tls_ca: ca/ca.pem
 docker_tls_ca_key: ca/ca-key.pem
 docker_tls_cert: server/cert.pem

docker-host/tasks/main.yml

@@ -37,7 +37,6 @@
 - name: Install docker and python-docker
   apt:
     name: "{{ item }}"
-    state: latest
     update_cache: yes
   with_items:
     - docker-ce
@@ -47,15 +46,20 @@
   template:
     src: daemon.json.j2
     dest: /etc/docker/daemon.json
-  notify:
-    - reload systemd
-    - restart docker
+  notify: restart docker
 
-- name: Remove options from docker systemd service
-  lineinfile:
-    dest: /lib/systemd/system/docker.service
-    regexp: '^ExecStart='
-    line: 'ExecStart=/usr/bin/dockerd'
+- name: Create override directory for docker unit
+  file:
+    name: /etc/systemd/system/docker.service.d/
+    state: directory
+    mode: "0755"
+
+- name: Remove options in ExecStart from docker unit
+  copy:
+    src: docker.conf
+    dest: /etc/systemd/system/docker.service.d/
+    mode: "0644"
+  notify: reload systemd
 
 - name: Creating Docker tmp directory
   file:

etc-git/tasks/commit.yml

@@ -20,13 +20,12 @@
   git_config:
     name: user.email
     repo: /etc
-    scope: local
   register: git_config_user_email
   ignore_errors: yes
 
 - name: "set commit author"
   set_fact:
-    commit_author: '{% if ansible_env.SUDO_USER == "" %}root{% else %}{{ ansible_env.SUDO_USER }}{% endif %}'
+    commit_author: '{% if ansible_env.SUDO_USER is not defined %}root{% else %}{{ ansible_env.SUDO_USER }}{% endif %}'
     commit_email:  '{% if git_config_user_email.config_value == "" %}root@localhost{% else %}{{ git_config_user_email.config_value }}{% endif %}'
 
 - name: "/etc modifications are committed"

haproxy/files/check_haproxy_stats.pl

@@ -0,0 +1,282 @@
+#!/usr/bin/env perl
+# vim: se et ts=4:
+
+#
+# Copyright (C) 2012, Giacomo Montagner <giacomo@entirelyunlike.net>
+#               2015, Yann Fertat, Romain Dessort, Jeff Palmer,
+#                     Christophe Drevet-Droguet <dr4ke@dr4ke.net>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the same terms as Perl 5.10.1.
+# For more details, see http://dev.perl.org/licenses/artistic.html
+#
+# This program is distributed in the hope that it will be
+# useful, but without any warranty; without even the implied
+# warranty of merchantability or fitness for a particular purpose.
+#
+
+our $VERSION = "1.1.1";
+
+open(STDERR, ">&STDOUT");
+
+# CHANGELOG:
+#   1.0.0   - first release
+#   1.0.1   - fixed empty message if all proxies are OK
+#   1.0.2   - add perfdata
+#   1.0.3   - redirect stderr to stdout
+#   1.0.4   - fix undef vars
+#   1.0.5   - fix thresholds
+#   1.1.0   - support for HTTP interface
+#   1.1.1   - drop perl 5.10 requirement
+
+use strict;
+use warnings;
+use File::Basename qw/basename/;
+use IO::Socket::UNIX;
+use Getopt::Long;
+my $lwp = eval {
+    require LWP::Simple;
+    LWP::Simple->import;
+    1;
+};
+
+sub usage {
+    my $me = basename $0;
+    print <<EOU;
+NAME
+    $me - check haproxy stats for errors, using UNIX socket interface
+SYNOPSIS
+    $me [OPTIONS]
+DESCRIPTION
+    Get haproxy statistics via UNIX socket and parse information searching for errors.
+    OPTIONS
+    -c, --critical
+        Set critical threshold for sessions number (chacks current number of sessions
+        against session limit, if enforced) to the specified percentage.
+        If no session limit (slim) was specified for the given proxy, this option has
+        no effect.
+    -d, --dump
+        Just dump haproxy stats and exit;
+    -h, --help
+        Print this message.
+    -m, --ignore-maint
+        Assume servers in MAINT state to be ok.
+    -p, --proxy
+        Check only named proxies, not every one. Use comma to separate proxies
+        in list.
+    -P, --no-proxy
+        Do not check named proxies. Use comma to separate proxies in list.
+    -s, --sock, --socket
+        Use named UNIX socket instead of default (/var/run/haproxy.sock)
+    -U, --url
+        Use HTTP URL instead of socket. The LWP::Simple perl module is used if
+        available. Otherwise, it falls back to using the external command `curl`.
+    -u, --user, --username
+        Username for the HTTP URL
+    -x, --pass, --password
+        Password for the HTTP URL
+    -w, --warning
+        Set warning threshold for sessions number to the specified percentage (see -c)
+CHECKS AND OUTPUT
+    $me checks every proxy (or the named ones, if -p was given)
+    for status. It returns an error if any of the checked FRONTENDs is not OPEN,
+    any of the checked BACKENDs is not UP, or any of the checkes servers is not UP;
+    $me reports any problem it found.
+EXAMPLES
+    $me -s /var/spool/haproxy/sock
+        Use /var/spool/haproxy/sock to communicate with haproxy.
+    $me -p proxy1,proxy2 -w 60 -c 80
+        Check only proxies named "proxy1" and "proxy2", and set sessions number
+        thresholds to 60% and 80%.
+AUTHOR
+    Written by Giacomo Montagner
+REPORTING BUGS
+    Please report any bug to bugs\@entirelyunlike.net
+COPYRIGHT
+    Copyright (C) 2012 Giacomo Montagner <giacomo\@entirelyunlike.net>.
+    $me is distributed under GPL and the Artistic License 2.0
+SEE ALSO
+    Check out online haproxy documentation at <http://haproxy.1wt.eu/>
+EOU
+}
+
+my %check_statuses = (
+    UNK     => "unknown",
+    INI     => "initializing",
+    SOCKERR => "socket error",
+    L4OK    => "layer 4 check OK",
+    L4CON   => "connection error",
+    L4TMOUT => "layer 1-4 timeout",
+    L6OK    => "layer 6 check OK",
+    L6TOUT  => "layer 6 (SSL) timeout",
+    L6RSP   => "layer 6 protocol error",
+    L7OK    => "layer 7 check OK",
+    L7OKC   => "layer 7 conditionally OK",
+    L7TOUT  => "layer 7 (HTTP/SMTP) timeout",
+    L7RSP   => "layer 7 protocol error",
+    L7STS   => "layer 7 status error",
+);
+
+my @status_names = (qw/OK WARNING CRITICAL UNKNOWN/);
+
+# Defaults
+my $swarn = 80.0;
+my $scrit = 90.0;
+my $sock  = "/var/run/haproxy.sock";
+my $url;
+my $user = '';
+my $pass = '';
+my $dump;
+my $ignore_maint;
+my $proxy;
+my $no_proxy;
+my $help;
+
+# Read command line
+Getopt::Long::Configure ("bundling");
+GetOptions (
+    "c|critical=i"      => \$scrit,
+    "d|dump"            => \$dump,
+    "h|help"            => \$help,
+    "m|ignore-maint"    => \$ignore_maint,
+    "p|proxy=s"         => \$proxy,
+    "P|no-proxy=s"      => \$no_proxy,
+    "s|sock|socket=s"   => \$sock,
+    "U|url=s"           => \$url,
+    "u|user|username=s" => \$user,
+    "x|pass|password=s" => \$pass,
+    "w|warning=i"       => \$swarn,
+);
+
+# Want help?
+if ($help) {
+    usage;
+    exit 3;
+}
+
+my $haproxy;
+if ($url and $lwp) {
+    my $geturl = $url;
+    if ($user ne '') {
+        $url =~ /^([^:]*:\/\/)(.*)/;
+        $geturl = $1.$user.':'.$pass.'@'.$2;
+    }
+    $geturl .= ';csv';
+    $haproxy = get($geturl);
+} elsif ($url) {
+    my $haproxyio;
+    my $getcmd = "curl --insecure -s --fail "
+               . "--user '$user:$pass' '".$url.";csv'";
+    open $haproxyio, "-|", $getcmd;
+    while (<$haproxyio>) {
+        $haproxy .= $_;
+    }
+    close($haproxyio);
+} else {
+    # Connect to haproxy socket and get stats
+    my $haproxyio = new IO::Socket::UNIX (
+        Peer => $sock,
+        Type => SOCK_STREAM,
+    );
+    die "Unable to connect to haproxy socket: $sock\n$@" unless $haproxyio;
+    print $haproxyio "show stat\n" or die "Print to socket failed: $!";
+    $haproxy = '';
+    while (<$haproxyio>) {
+        $haproxy .= $_;
+    }
+    close($haproxyio);
+}
+
+# Dump stats and exit if requested
+if ($dump) {
+    print($haproxy);
+    exit 0;
+}
+
+# Get labels from first output line and map them to their position in the line
+my @hastats = ( split /\n/, $haproxy );
+my $labels = $hastats[0];
+die "Unable to retrieve haproxy stats" unless $labels;
+chomp($labels);
+$labels =~ s/^# // or die "Data format not supported.";
+my @labels = split /,/, $labels;
+{
+    no strict "refs";
+    my $idx = 0;
+    map { $$_ = $idx++ } @labels;
+}
+
+# Variables I will use from here on:
+our $pxname;
+our $svname;
+our $status;
+our $slim;
+our $scur;
+
+my @proxies = split ',', $proxy if $proxy;
+my @no_proxies = split ',', $no_proxy if $no_proxy;
+my $exitcode = 0;
+my $msg;
+my $checked = 0;
+my $perfdata = "";
+
+# Remove excluded proxies from the list if both -p and -P options are
+# specified.
+my %hash;
+@hash{@no_proxies} = undef;
+@proxies = grep{ not exists $hash{$_} } @proxies;
+
+foreach (@hastats) {
+    chomp;
+    next if /^#/;
+    next if /^[[:space:]]*$/;
+    my @data = split /,/, $_;
+    if (@proxies) { next unless grep {$data[$pxname] eq $_} @proxies; };
+    if (@no_proxies) { next if grep {$data[$pxname] eq $_} @no_proxies; };
+
+    # Is session limit enforced?
+    if ($data[$slim]) {
+        $perfdata .= sprintf "%s-%s=%u;%u;%u;0;%u;", $data[$pxname], $data[$svname], $data[$scur], $swarn * $data[$slim] / 100, $scrit * $data[$slim] / 100, $data[$slim];
+
+        # Check current session # against limit
+        my $sratio = $data[$scur]/$data[$slim];
+        if ($sratio >= $scrit / 100 || $sratio >= $swarn / 100) {
+            $exitcode = $sratio >= $scrit / 100 ? 2 :
+                $exitcode < 2 ? 1 : $exitcode;
+            $msg .= sprintf "%s:%s sessions: %.2f%%; ", $data[$pxname], $data[$svname], $sratio * 100;
+        }
+    }
+
+    # Check of BACKENDS
+    if ($data[$svname] eq 'BACKEND') {
+        if ($data[$status] ne 'UP') {
+            $msg .= sprintf "BACKEND: %s is %s; ", $data[$pxname], $data[$status];
+            $exitcode = 2;
+        }
+    # Check of FRONTENDS
+    } elsif ($data[$svname] eq 'FRONTEND') {
+        if ($data[$status] ne 'OPEN') {
+            $msg .= sprintf "FRONTEND: %s is %s; ", $data[$pxname], $data[$status];
+            $exitcode = 2;
+        }
+    # Check of servers
+    } else {
+        if ($data[$status] ne 'UP') {
+            next if ($ignore_maint && $data[$status] eq 'MAINT');
+            next if $data[$status] eq 'no check';   # Ignore server if no check is configured to be run
+            next if $data[$svname] eq 'sock-1';
+            $exitcode = 2;
+            our $check_status;
+            $msg .= sprintf "server: %s:%s is %s", $data[$pxname], $data[$svname], $data[$status];
+            $msg .= sprintf " (check status: %s)", $check_statuses{$data[$check_status]} if $check_statuses{$data[$check_status]};
+            $msg .= "; ";
+        }
+    }
+    ++$checked;
+}
+
+unless ($msg) {
+    $msg = @proxies ? sprintf("checked proxies: %s", join ', ', sort @proxies) : "checked $checked proxies.";
+}
+print "Check haproxy $status_names[$exitcode] - $msg|$perfdata\n";
+exit $exitcode;

haproxy/tasks/main.yml

@@ -32,3 +32,5 @@
   tags:
   - haproxy
   - config
+
+- include: nagios.yml

haproxy/tasks/nagios.yml

@@ -0,0 +1,20 @@
+---
+
+- name: "Install check_haproxy_stats script"
+  copy:
+    src: check_haproxy_stats.pl
+    dest: /usr/local/lib/nagios/plugins/check_haproxy_stats.pl
+    mode: "0755"
+  tags:
+  - haproxy
+  - nrpe
+
+- name: "Add check_haproxy to sudoers"
+  lineinfile:
+    dest: /etc/sudoers.d/evolinux
+    line: 'nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_haproxy_stats.pl'
+    insertafter: '^nagios'
+  tags:
+  - haproxy
+  - nrpe
+  - sudo

minifirewall/tasks/main.yml

@@ -1,5 +1,12 @@
 ---
 
+- name: packages are installed
+  apt:
+    name: '{{ item }}'
+    state: present
+  with_items:
+  - iptables
+
 - include: install.yml
 
 - include: config.yml

mysql/tasks/nrpe.yml

@@ -28,6 +28,7 @@
     mysql_user:
       name: nrpe
       password: '{{ mysql_nrpe_password.stdout }}'
+      priv: "*.*:REPLICATION CLIENT"
       config_file: /root/.my.cnf
       update_password: always
       state: present

packweb-apache/files/userlogrotate

@@ -30,8 +30,11 @@ for log in production.log delayed_job.log development.log test.log; do
   done
 done
 
-if /etc/init.d/apache2 status > /dev/null ; then \
+test -x /usr/sbin/apache2ctl && if /etc/init.d/apache2 status > /dev/null ; then \
     /etc/init.d/apache2 reload > /dev/null; \
 fi;
 
 test -x /usr/sbin/nginx && invoke-rc.d nginx rotate >/dev/null 2>&1
+
+# we want exit 0
+true

php/tasks/apache.yml

@@ -6,6 +6,7 @@
     state: present
   with_items:
   - libapache2-mod-php5
+  - php5
   when: ansible_distribution_release == "jessie"
 
 - name: "Install mod_php packages (Debian 9 or later)"
@@ -14,6 +15,7 @@
     state: present
   with_items:
   - libapache2-mod-php
+  - php
   when: ansible_distribution_major_version | version_compare('9', '>=')
 
 - name: "Set php.ini config for apache2 (jessie)"

php/tasks/fpm.yml

@@ -6,6 +6,7 @@
     state: present
   with_items:
   - php5-fpm
+  - php5
   when: ansible_distribution_release == "jessie"
 
 - name: "Install PHP FPM packages (Debian 9 or later)"
@@ -14,6 +15,7 @@
     state: present
   with_items:
   - php-fpm
+  - php
   when: ansible_distribution_major_version | version_compare('9', '>=')
 
 - name: "Set config files for FPM (jessie)"

php/tasks/php_jessie.yml

@@ -5,7 +5,6 @@
     name: '{{ item }}'
     state: present
   with_items:
-  - php5
   - php5-cli
   - php5-gd
   - php5-imap

php/tasks/php_stretch.yml

@@ -5,7 +5,6 @@
     name: '{{ item }}'
     state: present
   with_items:
-  - php
   - php-cli
   - php-gd
   - php-imap

squid/handlers/main.yml

@@ -28,3 +28,6 @@
   service:
     name: log2mail
     state: restarted
+
+- name: restart minifirewall
+  command: /etc/init.d/minifirewall restart

squid/tasks/minifirewall.yml

@@ -11,12 +11,14 @@
       dest: /etc/default/minifirewall
       regexp: "^(HTTPSITES='[^0-9])"
       replace: '#\1'
+    notify: restart minifirewall
 
   - name: all HTTPSITES are authorized in minifirewall
     lineinfile:
       dest: /etc/default/minifirewall
       line: "HTTPSITES='0.0.0.0/0'"
       insertafter: "^#HTTPSITES="
+    notify: restart minifirewall
 
   - name: add iptables rules for the proxy
     lineinfile:
@@ -29,10 +31,12 @@
       - "/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -d {{ squid_address }} -j ACCEPT"
       - "/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.0/8 -j ACCEPT"
       - "/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 8888"
+    notify: restart minifirewall
 
   - name: remove minifirewall example rule for the proxy
     lineinfile:
       dest: /etc/default/minifirewall
       regexp: '^#.*(-t nat).*(-d X\.X\.X\.X)'
       state: absent
+    notify: restart minifirewall
   when: minifirewall_test.stat.exists

varnish/templates/varnish.conf.j2

@@ -1,5 +1,7 @@
 # {{ ansible_managed }}
 
 [Service]
+ExecStart=
 ExecStart=/usr/sbin/varnishd -a {{ varnish_addresses | join(',') }} -T {{ varnish_management_address }} -f {{ varnish_config_file }} -S {{ varnish_secret_file }} -s {{ varnish_storage }} -p thread_pools={{ varnish_thread_pools }} -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} -p thread_pool_min={{ varnish_thread_pool_min }} -p thread_pool_max={{ varnish_thread_pool_max }}
+ExecReload=
 ExecReload=/etc/varnish/reload-vcl.sh