Merge branch 'unstable' into stable

CHANGELOG.md

@@ -18,6 +18,19 @@ The **patch** part changes incrementally at each release.
 
 ### Security
 
+## [9.1.9] - 2018-04-24
+
+### Added
+
+### Changed
+* apache: customize logrotate (52 weeks)
+* evolinux: groups for SSH configuration are used with Debian 10 and later
+* evolinux-base: fail2ban is not enabled by default
+* evolinux-users: refactoring of the SSH configuration
+* mysql-oracle: copy evolinux config files in mysql.cond.d
+* mysql/mysql-oracle: mysqltuner cron scripts is 0755
+* generate-ldif: add a minifirewall service when /etc/default/minifirewall exists
+
 ## [9.1.8] - 2018-04-16
 
 ### Changed
@@ -51,6 +64,7 @@ The **patch** part changes incrementally at each release.
 * elasticsearch: RESTART_ON_UPGRADE is configurable (default: `true`)
 * elasticsearch: use ES_TMPDIR variable for custom tmpdir, (from `/etc/default/elasticsearch` instead of changing `/etc/elesticsearch/jvm.options`).
 * evolinux-base: Exec the firewall tasks sooner (to avoid dependency issues)
+* evolinux-users: split AllowGroups/AllowUsers modes for SSH directives
 * mongodb: allow unauthenticated packages for Jessie
 * mongodb: configuration is forced by default but it's configurable (default: `false`)
 * mongodb: rename logrotate script

apache/tasks/main.yml

@@ -163,6 +163,22 @@
   tags:
     - apache
 
+- name: "logrotate: rotate weekly"
+  replace:
+    dest: /etc/logrotate.d/apache2
+    regexp: "(daily|weekly|monthly)"
+    replace: "weekly"
+  tags:
+    - apache
+
+- name: "logrotate: keep 52 files"
+  replace:
+    dest: /etc/logrotate.d/apache2
+    regexp: "rotate .+"
+    replace: "rotate 52"
+  tags:
+    - apache
+
 - include: log2mail.yml
   when: apache_log2mail_include
   tags:

evolinux-base/defaults/main.yml

@@ -192,7 +192,7 @@ evolinux_nagios_nrpe_include: True
 
 # fail2ban
 
-evolinux_fail2ban_include: True
+evolinux_fail2ban_include: False
 
 # Listupgrade
 

evolinux-base/tasks/main.yml

@@ -1,10 +1,11 @@
 ---
 
-- name: "Compatibility check"
-  fail:
+- name: "System compatibility checks"
+  assert:
+    that:
+      - ansible_distribution == "Debian"
+      - ansible_distribution_major_version | version_compare('8', '>=')
     msg: only compatible with Debian >= 8
-  when:
-  - ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<')
 
 - name: Apt configuration
   include_role:

evolinux-base/tasks/ssh.yml

@@ -13,7 +13,7 @@
 # We want to allow any user from a list of IP addresses to login with password,
 # but users of the "evolix" group can't login with password from other IP addresses
 
-- name: Security directives for Evolinux (Debian 9 or later)"
+- name: Security directives for Evolinux (Debian 10 or later)"
   blockinfile:
     dest: /etc/ssh/sshd_config
     block: |
@@ -27,9 +27,9 @@
   notify: reload sshd
   when:
     - evolinux_ssh_password_auth_addresses != []
-    - ansible_distribution_major_version | version_compare('9', '>=')
+    - ansible_distribution_major_version | version_compare('10', '>=')
 
-- name: Security directives for Evolinux (Jessie)
+- name: Security directives for Evolinux (Jessie/Stretch)
   blockinfile:
     dest: /etc/ssh/sshd_config
     block: |
@@ -41,7 +41,7 @@
   notify: reload sshd
   when:
     - evolinux_ssh_password_auth_addresses != []
-    - ansible_distribution_release == "jessie"
+    - ansible_distribution_major_version | version_compare('10', '<')
 
 # We disable AcceptEnv because it can be a security issue, but also because we
 # do not want clients to push their environment variables like LANG.
@@ -63,16 +63,16 @@
 
 - name: "Get current user"
   command: logname
+  changed_when: False
   register: logname
   check_mode: no
-  changed_when: False
   when: evolinux_ssh_allow_current_user
 
 # we must double-escape caracters, because python
 - name: verify AllowUsers directive
   command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
-  changed_when: False
   failed_when: False
+  changed_when: False
   register: grep_allowusers_ssh
   check_mode: no
   when: evolinux_ssh_allow_current_user

evolinux-users/defaults/main.yml

@@ -1,4 +1,7 @@
 ---
 evolinux_users: {}
+
 evolinux_sudo_group: "evolinux-sudo"
+evolinux_ssh_group: "evolinux-ssh"
+
 evolinux_root_disable_ssh: True

evolinux-users/tasks/account.yml

@@ -1,57 +0,0 @@
----
-
-- name: "Test if '{{ user.name }}' exists"
-  command: 'getent passwd {{ user.name }}'
-  register: loginisbusy
-  failed_when: False
-  changed_when: False
-  check_mode: no
-
-- name: "Test if uid exists for '{{ user.name }}'"
-  command: 'getent passwd {{ user.uid }}'
-  register: uidisbusy
-  failed_when: False
-  changed_when: False
-  check_mode: no
-
-- name: "Add Unix account with classical uid for '{{ user.name }}'"
-  user:
-   state: present
-   uid: '{{ user.uid }}'
-   name: '{{ user.name }}'
-   comment: '{{ user.fullname }}'
-   shell: /bin/bash
-   password: '{{ user.password_hash }}'
-   update_password: on_create
-  when: loginisbusy.rc != 0 and uidisbusy.rc != 0
-
-- name: "Add Unix account with random uid for '{{ user.name }}'"
-  user:
-   state: present
-   name: '{{ user.name }}'
-   comment: '{{ user.fullname }}'
-   shell: /bin/bash
-   password: '{{ user.password_hash }}'
-   update_password: on_create
-  when: loginisbusy.rc != 0 and uidisbusy.rc == 0
-
-- name: "Create secondary groups"
-  group:
-    name: "{{ group }}"
-  with_items: "{{ user.groups }}"
-  loop_control:
-    loop_var: group
-  when: user.groups is defined
-
-- name: "Add user '{{ user.name }}' to secondary groups"
-  user:
-    name: '{{ user.name }}'
-    groups: "{{ user.groups }}"
-    append: yes
-  when: user.groups is defined
-
-- name: "Fix perms on home directory for '{{ user.name }}'"
-  file:
-   name: '/home/{{ user.name }}'
-   mode: "0700"
-   state: directory

evolinux-users/tasks/main.yml

@@ -1,9 +1,11 @@
 ---
 
-- fail:
+- name: "System compatibility checks"
+  assert:
+    that:
+      - ansible_distribution == "Debian"
+      - ansible_distribution_major_version | version_compare('8', '>=')
     msg: only compatible with Debian >= 8
-  when:
-  - ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<')
 
 - debug:
     msg: "Warning: empty 'evolinux_users' variable, tasks will be skipped!"
@@ -16,5 +18,13 @@
   with_dict: "{{ evolinux_users }}"
   when: evolinux_users != {}
 
-- include: root_disable_ssh.yml
-  when: evolinux_root_disable_ssh
+- name: Configure sudo
+  include: sudo.yml
+  vars:
+    user: "{{ item.value }}"
+  with_dict: "{{ evolinux_users }}"
+  when: evolinux_users != {}
+
+- name: Configure SSH
+  include: ssh.yml
+  when: evolinux_users != {}

evolinux-users/tasks/profile.yml

@@ -1,18 +0,0 @@
----
-
-- name: search profile for presence of evomaintenance
-  command: 'grep -q "trap.*sudo.*evomaintenance.sh"'
-  changed_when: False
-  failed_when: False
-  check_mode: no
-  register: grep_profile_evomaintenance
-
-# Don't add the trap if it is present or commented
-- name: "Add evomaintenance trap for '{{ user.name }}'"
-  lineinfile:
-    state: present
-    dest: '/home/{{ user.name }}/.profile'
-    insertafter: EOF
-    line: 'trap "sudo /usr/share/scripts/evomaintenance.sh" 0'
-    create: yes
-  when: grep_profile_evomaintenance.rc != 0

evolinux-users/tasks/root_disable_ssh.yml

@@ -1,17 +0,0 @@
----
-
-- name: disable root login
-  replace:
-    dest: /etc/ssh/sshd_config
-    regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'
-    replace: "PermitRootLogin no"
-  notify: reload sshd
-
-### Disabled : it seems useless and too dangerous for now
-# - name: remove root from AllowUsers directive
-#   replace:
-#     dest: /etc/ssh/sshd_config
-#     regexp: '^(AllowUsers ((?!root(?:@\S+)?).)*)(\sroot(?:@\S+)?|root(?:@\S+)?\s)(.*)$'
-#     replace: '\1\4'
-#     validate: '/usr/sbin/sshd -T -f %s'
-#   notify: reload sshd

evolinux-users/tasks/ssh.yml

@@ -1,97 +1,64 @@
 ---
 
-
-- name: "Create .ssh directory for '{{ user.name }}'"
-  file:
-    dest: '/home/{{ user.name }}/.ssh/'
-    state: directory
-    mode: "0700"
-    owner: '{{ user.name }}'
-    group: '{{ user.name }}'
-
-- name: "Add user's SSH public key for '{{ user.name }}'"
-  authorized_key:
-    user: "{{ user.name }}"
-    key: "{{ user.ssh_key }}"
-    state: present
-  when: user.ssh_key is defined
-
-- name: "Add user's SSH public keys for '{{ user.name }}'"
-  authorized_key:
-    user: "{{ user.name }}"
-    key: "{{ ssk_key }}"
-    state: present
-  with_items: "{{ user.ssh_keys }}"
-  loop_control:
-    loop_var: ssk_key
-  when: user.ssh_keys is defined
-
 - name: verify AllowGroups directive
   command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
   changed_when: False
   failed_when: False
-  register: grep_allowgroups_ssh
   check_mode: no
+  register: grep_allowgroups_ssh
 
-  # If AllowGroups is present, we don't change
 - debug:
-    msg: "AllowGroups detected : You have to configure SSH manually"
-  when: grep_allowgroups_ssh.rc == 0
+    var: grep_allowgroups_ssh
+    verbosity: 1
 
-- block:
-  # If AllowGroups is not present, we proceed as usual
-  - name: verify AllowUsers directive
-    command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
-    changed_when: False
-    failed_when: False
-    register: grep_allowusers_ssh
-    check_mode: no
+- name: verify AllowUsers directive
+  command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
+  changed_when: False
+  failed_when: False
+  check_mode: no
+  register: grep_allowusers_ssh
 
-  - name: "Add AllowUsers sshd directive for '{{ user.name }}'"
-    lineinfile:
-      dest: /etc/ssh/sshd_config
-      line: "\nAllowUsers {{ user.name }}"
-      insertafter: 'Subsystem'
-      validate: '/usr/sbin/sshd -T -f %s'
-    notify: reload sshd
-    when: grep_allowusers_ssh.rc != 0
+- debug:
+    var: grep_allowusers_ssh
+    verbosity: 1
 
-  - name: "Modify AllowUsers sshd directive for '{{ user.name }}'"
-    replace:
-      dest: /etc/ssh/sshd_config
-      regexp: '^(AllowUsers ((?!\b{{ user.name }}\b).)*)$'
-      replace: '\1 {{ user.name }}'
-      validate: '/usr/sbin/sshd -T -f %s'
-    notify: reload sshd
-    when: grep_allowusers_ssh.rc == 0
+- assert:
+    that: "not (grep_allowusers_ssh.rc == 0 and grep_allowgroups_ssh.rc == 0)"
+    msg: "We can't deal with AllowUsers and AllowGroups at the same time"
 
-  - name: "verify Match User directive"
-    command: "grep 'Match User' /etc/ssh/sshd_config"
-    changed_when: False
-    failed_when: False
-    register: grep_matchuser_ssh
-    check_mode: no
+- set_fact:
+    # If "AllowGroups is present" or "AllowUsers is absent and Debian 10+",
+    ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0 and (ansible_distribution_major_version | version_compare('10', '>='))) }}"
+    # If "AllowGroups is absent" and "AllowUsers is absent or Debian <10"
+    ssh_allowusers:  "{{ (grep_allowusers_ssh.rc == 0) or (grep_allowgroups_ssh.rc != 0 and (ansible_distribution_major_version | version_compare('10', '<'))) }}"
 
-  - name: "Add Match User sshd directive for '{{ user.name }}' (Jessie)"
-    lineinfile:
-      dest: /etc/ssh/sshd_config
-      line: "\nMatch User {{ user.name }}\n    PasswordAuthentication no"
-      insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
-      validate: '/usr/sbin/sshd -T -f %s'
-    notify: reload sshd
-    when:
-      - ansible_distribution_release == "jessie"
-      - grep_matchuser_ssh.rc != 0
+- debug:
+    var: ssh_allowgroups
+    verbosity: 1
 
-  - name: "Modify Match User's sshd directive for '{{ user.name }}' (Jessie)"
-    replace:
-      dest: /etc/ssh/sshd_config
-      regexp: '^(Match User ((?!{{ user.name }}).)*)$'
-      replace: '\1,{{ user.name }}'
-      validate: '/usr/sbin/sshd -T -f %s'
-    notify: reload sshd
-    when:
-      - ansible_distribution_release == "jessie"
-      - grep_matchuser_ssh.rc == 0
+- debug:
+    var: ssh_allowusers
+    verbosity: 1
 
-  when: grep_allowgroups_ssh.rc != 0
+- include: ssh_allowgroups.yml
+  when:
+    - ssh_allowgroups
+    - not ssh_allowusers
+
+- include: ssh_allowusers.yml
+  vars:
+    user: "{{ item.value }}"
+  with_dict: "{{ evolinux_users }}"
+  when:
+    - ssh_allowusers
+    - not ssh_allowgroups
+
+- name: disable root login
+  replace:
+    dest: /etc/ssh/sshd_config
+    regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'
+    replace: "PermitRootLogin no"
+  notify: reload sshd
+  when: evolinux_root_disable_ssh
+
+- meta: flush_handlers

evolinux-users/tasks/ssh_allowgroups.yml

@@ -0,0 +1,28 @@
+---
+
+# this check must be repeated for each user
+# even if it's been done before
+- name: verify AllowGroups directive
+  command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
+  changed_when: False
+  failed_when: False
+  check_mode: no
+  register: grep_allowgroups_ssh
+
+- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    line: "\nAllowGroups {{ evolinux_ssh_group }}"
+    insertafter: 'Subsystem'
+    validate: '/usr/sbin/sshd -T -f %s'
+  notify: reload sshd
+  when: grep_allowgroups_ssh.rc != 0
+
+- name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive"
+  replace:
+    dest: /etc/ssh/sshd_config
+    regexp: '^(AllowGroups ((?!\b{{ evolinux_ssh_group }}\b).)*)$'
+    replace: '\1 {{ evolinux_ssh_group }}'
+    validate: '/usr/sbin/sshd -T -f %s'
+  notify: reload sshd
+  when: grep_allowgroups_ssh.rc == 0

evolinux-users/tasks/ssh_allowusers.yml

@@ -0,0 +1,53 @@
+---
+
+# this check must be repeated for each user
+# even if it's been done before
+- name: verify AllowUsers directive
+  command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
+  changed_when: False
+  failed_when: False
+  check_mode: no
+  register: grep_allowusers_ssh
+
+- name: "Add AllowUsers sshd directive with '{{ user.name }}'"
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    line: "\nAllowUsers {{ user.name }}"
+    insertafter: 'Subsystem'
+    validate: '/usr/sbin/sshd -T -f %s'
+  notify: reload sshd
+  when: grep_allowusers_ssh.rc != 0
+
+- name: "Append '{{ user.name }}' to AllowUsers sshd directive"
+  replace:
+    dest: /etc/ssh/sshd_config
+    regexp: '^(AllowUsers ((?!\b{{ user.name }}\b).)*)$'
+    replace: '\1 {{ user.name }}'
+    validate: '/usr/sbin/sshd -T -f %s'
+  notify: reload sshd
+  when: grep_allowusers_ssh.rc == 0
+
+- name: "verify Match User directive"
+  command: "grep -E '^Match User' /etc/ssh/sshd_config"
+  changed_when: False
+  failed_when: False
+  check_mode: no
+  register: grep_matchuser_ssh
+
+- name: "Add Match User sshd directive with '{{ user.name }}'"
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    line: "\nMatch User {{ user.name }}\n    PasswordAuthentication no"
+    insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
+    validate: '/usr/sbin/sshd -T -f %s'
+  notify: reload sshd
+  when: grep_matchuser_ssh.rc != 0
+
+- name: "Append '{{ user.name }}' to Match User's sshd directive"
+  replace:
+    dest: /etc/ssh/sshd_config
+    regexp: '^(Match User ((?!{{ user.name }}).)*)$'
+    replace: '\1,{{ user.name }}'
+    validate: '/usr/sbin/sshd -T -f %s'
+  notify: reload sshd
+  when: grep_matchuser_ssh.rc == 0

evolinux-users/tasks/sudo.yml

@@ -0,0 +1,9 @@
+---
+
+- include: sudo_jessie.yml
+  when: ansible_distribution_release == "jessie"
+
+- include: sudo_stretch.yml
+  when: ansible_distribution_major_version | version_compare('9', '>=')
+
+- meta: flush_handlers

evolinux-users/tasks/sudo_stretch.yml

@@ -5,6 +5,7 @@
     src: sudoers_stretch.j2
     dest: /etc/sudoers.d/evolinux
     force: no
+    mode: "0440"
     validate: '/usr/sbin/visudo -cf %s'
   register: copy_sudoers_evolinux
 

evolinux-users/tasks/user.yml

@@ -1,15 +1,125 @@
 ---
 
-- include: account.yml
+# Unix account
 
-- include: profile.yml
+- name: "Test if '{{ user.name }}' exists"
+  command: 'getent passwd {{ user.name }}'
+  register: loginisbusy
+  failed_when: False
+  changed_when: False
+  check_mode: no
 
-- include: ssh.yml
+- name: "Test if uid exists for '{{ user.name }}'"
+  command: 'getent passwd {{ user.uid }}'
+  register: uidisbusy
+  failed_when: False
+  changed_when: False
+  check_mode: no
 
-- include: sudo_jessie.yml
-  when: ansible_distribution_release == "jessie"
+- name: "Unix account for '{{ user.name }}' is present (with uid '{{ user.uid }}')"
+  user:
+   state: present
+   uid: '{{ user.uid }}'
+   name: '{{ user.name }}'
+   comment: '{{ user.fullname }}'
+   shell: /bin/bash
+   password: '{{ user.password_hash }}'
+   update_password: on_create
+  when:
+    - loginisbusy.rc != 0
+    - uidisbusy.rc   != 0
 
-- include: sudo_stretch.yml
-  when: ansible_distribution_major_version | version_compare('9', '>=')
+- name: "Unix account for '{{ user.name }}' is present (with random uid)"
+  user:
+   state: present
+   name: '{{ user.name }}'
+   comment: '{{ user.fullname }}'
+   shell: /bin/bash
+   password: '{{ user.password_hash }}'
+   update_password: on_create
+  when:
+    - loginisbusy.rc != 0
+    - uidisbusy.rc   == 0
+
+# Unix groups
+
+- name: "Unix group '{{ evolinux_ssh_group }}' is present (Debian 10 or later)"
+  group:
+    name: "{{ evolinux_ssh_group }}"
+    state: present
+  when: ansible_distribution_major_version | version_compare('10', '>=')
+
+- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_ssh_group }}' (Debian 10 or later)"
+  user:
+    name: '{{ user.name }}'
+    groups: "{{ evolinux_ssh_group }}"
+    append: yes
+  when: ansible_distribution_major_version | version_compare('10', '>=')
+
+- name: "Secondary Unix groups are present"
+  group:
+    name: "{{ group }}"
+  with_items: "{{ user.groups }}"
+  loop_control:
+    loop_var: group
+  when: user.groups is defined
+
+- name: "Unix user '{{ user.name }}' belongs to secondary groups"
+  user:
+    name: '{{ user.name }}'
+    groups: "{{ user.groups }}"
+    append: yes
+  when: user.groups is defined
+
+- name: "Home directory for '{{ user.name }}' is not accessible by group and other users"
+  file:
+   name: '/home/{{ user.name }}'
+   mode: "0700"
+   state: directory
+
+# Evomaintenance
+
+- name: Search profile for presence of evomaintenance
+  command: 'grep -q "trap.*sudo.*evomaintenance.sh" /home/{{ user.name }}/.profile'
+  changed_when: False
+  failed_when: False
+  check_mode: no
+  register: grep_profile_evomaintenance
+
+# Don't add the trap if it is present or commented
+- name: "User '{{ user.name }}' has its shell trap for evomaintenance"
+  lineinfile:
+    state: present
+    dest: '/home/{{ user.name }}/.profile'
+    insertafter: EOF
+    line: 'trap "sudo /usr/share/scripts/evomaintenance.sh" 0'
+  when: grep_profile_evomaintenance.rc != 0
+
+# SSH keys
+
+- name: "SSH directory for '{{ user.name }}' is present"
+  file:
+    dest: '/home/{{ user.name }}/.ssh/'
+    state: directory
+    mode: "0700"
+    owner: '{{ user.name }}'
+    group: '{{ user.name }}'
+
+- name: "SSH public key for '{{ user.name }}' is present"
+  authorized_key:
+    user: "{{ user.name }}"
+    key: "{{ user.ssh_key }}"
+    state: present
+  when: user.ssh_key is defined
+
+- name: "SSH public keys for '{{ user.name }}' are present"
+  authorized_key:
+    user: "{{ user.name }}"
+    key: "{{ ssk_key }}"
+    state: present
+  with_items: "{{ user.ssh_keys }}"
+  loop_control:
+    loop_var: ssk_key
+  when: user.ssh_keys is defined
 
 - meta: flush_handlers

generate-ldif/templates/generateldif.sh.j2

@@ -200,6 +200,19 @@ ServiceType: monitoring
 EOT
 fi
 
+# minifirewall
+if [ -f "/etc/default/minifirewall" ]; then
+    cat <<EOT >> "${ldif_file}"
+
+dn: ServiceName=minifirewall,${computer_dn}
+NagiosEnabled: TRUE
+objectClass: EvoService
+ServiceName: minifirewall
+ServiceType: firewall
+ServiceVersion: minifirewall
+EOT
+fi
+
 # Postfix
 postfix_version=$(get_pkg_version postfix)
 if [ -n "${postfix_version}" ]; then

mysql-oracle/handlers/main.yml

@@ -16,6 +16,7 @@
 
 - name: reload systemd
   systemd:
+    name: mysql
     daemon_reload: yes
 
 - name: Restart minifirewall

mysql-oracle/tasks/config.yml

@@ -3,7 +3,7 @@
 - name: "Copy MySQL defaults config file"
   copy:
     src: evolinux-defaults.cnf
-    dest: "/etc/mysql/conf.d/z-evolinux-defaults.cnf"
+    dest: "/etc/mysql/mysql.conf.d/z-evolinux-defaults.cnf"
     owner: root
     group: root
     mode: "0644"
@@ -14,7 +14,7 @@
 - name: "Copy MySQL custom config file"
   template:
     src: evolinux-custom.cnf.j2
-    dest: "/etc/mysql/conf.d/zzz-evolinux-custom.cnf"
+    dest: "/etc/mysql/mysql.conf.d/zzz-evolinux-custom.cnf"
     owner: root
     group: root
     mode: "0644"

mysql-oracle/tasks/packages.yml

@@ -63,13 +63,8 @@
     force: yes
   register: mysql_systemd_unit
 
-# - name: systemd daemon is reloaded
-#   systemd:
-#     daemon_reload: yes
-#   when: mysql_systemd_unit | changed
-
 - name: MySQL is started
-  service:
+  systemd:
     name: mysql
     daemon_reload: yes
     state: started

mysql-oracle/tasks/utils.yml

@@ -168,7 +168,7 @@
   copy:
     src: mysqltuner.cron.sh
     dest: /etc/cron.{{ mysql_cron_mysqltuner_frequency | mandatory }}/mysqltuner.sh
-    mode: "0700"
+    mode: "0755"
   when: mysql_cron_mysqltuner | bool
   tags:
     - mysql

mysql/handlers/main.yml

@@ -16,4 +16,5 @@
 
 - name: reload systemd
   systemd:
+    name: mysql
     daemon_reload: yes

mysql/tasks/config_stretch.yml

@@ -39,5 +39,6 @@
 
 - name: reload systemd
   systemd:
+    name: mysql
     daemon_reload: yes
   when: mariadb_systemd_override.changed

mysql/tasks/users_jessie.yml

@@ -1,5 +1,10 @@
 ---
 
+- name: "Abort if MariaDB on Debian 8"
+  fail:
+    msg: "We can't create other users with 'debian-sys-maint' on Debian 8 with MariaDB.\nWe must give it the GRANT privilege before continuing."
+  when: mysql_variant == "mariadb"
+
 # dependency for mysql_user and mysql_db
 
 - name: python-mysqldb is installed (Ansible dependency)
@@ -38,8 +43,8 @@
     value: '{{ item.value }}'
     create: yes
   with_items:
-    - { option: 'user', value: 'mysqladmin' }
-    - { option: password, value: '{{ mysql_admin_password.stdout }}' }
+    - { option: 'user',     value: 'mysqladmin' }
+    - { option: 'password', value: '{{ mysql_admin_password.stdout }}' }
   when: create_mysqladmin_user.changed
   tags:
   - mysql

mysql/tasks/users_stretch.yml

@@ -38,8 +38,8 @@
     value: '{{ item.value }}'
     create: yes
   with_items:
-    - { option: 'user', value: 'mysqladmin' }
-    - { option: password, value: '{{ mysql_admin_password.stdout }}' }
+    - { option: 'user',     value: 'mysqladmin' }
+    - { option: 'password', value: '{{ mysql_admin_password.stdout }}' }
   when: create_mysqladmin_user.changed
   tags:
   - mysql

mysql/tasks/utils.yml

@@ -126,7 +126,7 @@
   copy:
     src: mysqltuner.cron.sh
     dest: /etc/cron.{{ mysql_cron_mysqltuner_frequency | mandatory }}/mysqltuner.sh
-    mode: "0700"
+    mode: "0755"
   when: mysql_cron_mysqltuner
   tags:
     - mysql

packweb-apache/meta/main.yml

@@ -21,3 +21,4 @@ dependencies:
   - { role: squid, squid_localproxy_enable: True }
   - { role: mysql,        when: packweb_mysql_variant == "debian" }
   - { role: mysql-oracle, when: packweb_mysql_variant == "oracle" }
+  - { role: webapps/evoadmin-web, evoadmin_enable_vhost: "{{ packweb_enable_evoadmin_vhost }}" }

packweb-apache/tasks/main.yml

@@ -27,15 +27,21 @@
   - { path: awstats, mode: "0750", state: directory }
   - { path: www, mode: "0750", state: directory }
 
-- name: Copy apache empty log files if missing
-  copy:
-    src: "log/{{ item }}"
+- name: Apache log file (templates) are present
+  command: "touch /etc/skel/log/{{ item }}"
+  args:
+    creates: "/etc/skel/log/{{ item }}"
+  with_items:
+    - access.log
+    - error.log
+
+- name: Apache log file (templates) have the proper permissions
+  file:
     dest: "/etc/skel/log/{{ item }}"
     mode: "0644"
-    force: no
   with_items:
-  - access.log
-  - error.log
+    - access.log
+    - error.log
 
 - name: "Install userlogrotate (jessie)"
   copy:
@@ -65,10 +71,3 @@
 
 - include: fhs_retrictions.yml
   when: packweb_fhs_retrictions
-
-- name: Install Evoadmin
-  include_role:
-    name: webapps/evoadmin-web
-  vars:
-    evoadmin_enable_vhost: "{{ packweb_enable_evoadmin_vhost }}"
-

webapps/evoadmin-web/tasks/main.yml

@@ -1,6 +1,7 @@
 ---
 
-- fail:
+- name: "Ensure that evoadmin_contact_email is defined"
+  fail:
     msg: Please configure var evoadmin_contact_email
   when: evoadmin_contact_email is none
 

webapps/evoadmin-web/tasks/user.yml

@@ -32,7 +32,7 @@
 - name: "Clone evoadmin repository (jessie)"
   git:
     repo: https://forge.evolix.org/evoadmin-web.git
-    dest: "{{ evoadmin_document_root}}"
+    dest: "{{ evoadmin_document_root }}"
     version: jessie
     update: no
   when: ansible_distribution_release == "jessie"
@@ -40,18 +40,25 @@
 - name: "Clone evoadmin repository (Debian 9 or later)"
   git:
     repo: https://forge.evolix.org/evoadmin-web.git
-    dest: "{{ evoadmin_document_root}}"
+    dest: "{{ evoadmin_document_root }}"
     version: master
     update: yes
   when: ansible_distribution_major_version | version_compare('9', '>=')
 
 - name: Change ownership on git repository
   file:
-    dest: "{{ evoadmin_document_root}}"
+    dest: "{{ evoadmin_document_root }}"
     owner: "{{ evoadmin_username }}"
     group: "{{ evoadmin_username }}"
     recurse: yes
 
+- name: Create evoadmin log directory
+  file:
+    name: "{{ evoadmin_log_dir }}"
+    owner: "{{ evoadmin_username }}"
+    group: "{{ evoadmin_username }}"
+    state: directory
+
 - include_role:
     name: remount-usr
   when: evoadmin_scripts_dir | search ("/usr")
@@ -64,7 +71,7 @@
     state: directory
 
 - name: Install scripts like web-add.sh
-  shell: "cp {{ evoadmin_document_root}}/scripts/* {{ evoadmin_scripts_dir }}/"
+  shell: "cp {{ evoadmin_document_root }}/scripts/* {{ evoadmin_scripts_dir }}/"
   args:
     creates: "{{ evoadmin_scripts_dir }}/web-add.sh"
 

webapps/evoadmin-web/templates/config.local.php.j2

@@ -6,3 +6,7 @@ $localconf['debug'] = FALSE;
 $localconf['superadmin'] = array();
 $localconf['script_path'] = '{{ evoadmin_scripts_dir }}';
 $localconf['cluster'] = FALSE;
+// auth (sha256 hashs) / echo -n YourPass | sha256sum
+$oriconf['logins'] = array();
+//$oriconf['logins']['foo'] = 'd5d3c723fb82cb0078f399888af78204234535ec2ef3da56710fdd51f90d2477';
+//$oriconf['logins']['bar'] = '7938c84d6e43d1659612a7ea7c1101ed02e52751bb64597a8c20ebaba8ba4303';