diff --git a/CHANGELOG.md b/CHANGELOG.md index d15c48a5..c74ef4e5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,19 @@ The **patch** part changes incrementally at each release. ### Security +## [9.1.9] - 2018-04-24 + +### Added + +### Changed +* apache: customize logrotate (52 weeks) +* evolinux: groups for SSH configuration are used with Debian 10 and later +* evolinux-base: fail2ban is not enabled by default +* evolinux-users: refactoring of the SSH configuration +* mysql-oracle: copy evolinux config files in mysql.cond.d +* mysql/mysql-oracle: mysqltuner cron scripts is 0755 +* generate-ldif: add a minifirewall service when /etc/default/minifirewall exists + ## [9.1.8] - 2018-04-16 ### Changed @@ -51,6 +64,7 @@ The **patch** part changes incrementally at each release. * elasticsearch: RESTART_ON_UPGRADE is configurable (default: `true`) * elasticsearch: use ES_TMPDIR variable for custom tmpdir, (from `/etc/default/elasticsearch` instead of changing `/etc/elesticsearch/jvm.options`). * evolinux-base: Exec the firewall tasks sooner (to avoid dependency issues) +* evolinux-users: split AllowGroups/AllowUsers modes for SSH directives * mongodb: allow unauthenticated packages for Jessie * mongodb: configuration is forced by default but it's configurable (default: `false`) * mongodb: rename logrotate script diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index 338556f4..6801ba22 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -163,6 +163,22 @@ tags: - apache +- name: "logrotate: rotate weekly" + replace: + dest: /etc/logrotate.d/apache2 + regexp: "(daily|weekly|monthly)" + replace: "weekly" + tags: + - apache + +- name: "logrotate: keep 52 files" + replace: + dest: /etc/logrotate.d/apache2 + regexp: "rotate .+" + replace: "rotate 52" + tags: + - apache + - include: log2mail.yml when: apache_log2mail_include tags: diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index 6f462f15..bb9725b2 100644 
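Review bot: Both new logrotate tasks hard-code the policy, so every host the apache role touches keeps 52 weekly rotations of access logs (client IPs included) with no per-host way to shorten that; exposing the two values as role defaults (`apache_logrotate_frequency: weekly`, `apache_logrotate_rotate: 52`) and referencing them in the `replace` calls keeps the same default while making retention a deliberate choice. The first regexp is also unanchored, so `(daily|weekly|monthly)` is rewritten wherever those words appear in /etc/logrotate.d/apache2, including comments or a `prerotate` script; `regexp: '^(\s*)(daily|weekly|monthly)\s*$'` with `replace: '\1weekly'` limits it to the directive line. The same applies to `rotate .+`, which `regexp: '^(\s*)rotate\s+\d+\s*$'` / `replace: '\1rotate 52'` would pin down.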
--- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml @@ -192,7 +192,7 @@ evolinux_nagios_nrpe_include: True # fail2ban -evolinux_fail2ban_include: True +evolinux_fail2ban_include: False # Listupgrade diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml index ccf1372b..fafe0a4e 100644 --- a/evolinux-base/tasks/main.yml +++ b/evolinux-base/tasks/main.yml @@ -1,10 +1,11 @@ --- -- name: "Compatibility check" - fail: +- name: "System compatibility checks" + assert: + that: + - ansible_distribution == "Debian" + - ansible_distribution_major_version | version_compare('8', '>=') msg: only compatible with Debian >= 8 - when: - - ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<') - name: Apt configuration include_role: diff --git a/evolinux-base/tasks/ssh.yml b/evolinux-base/tasks/ssh.yml index 773de28f..323ef8ae 100644 --- a/evolinux-base/tasks/ssh.yml +++ b/evolinux-base/tasks/ssh.yml @@ -13,7 +13,7 @@ # We want to allow any user from a list of IP addresses to login with password, # but users of the "evolix" group can't login with password from other IP addresses -- name: Security directives for Evolinux (Debian 9 or later)" +- name: Security directives for Evolinux (Debian 10 or later)" blockinfile: dest: /etc/ssh/sshd_config block: | @@ -27,9 +27,9 @@ notify: reload sshd when: - evolinux_ssh_password_auth_addresses != [] - - ansible_distribution_major_version | version_compare('9', '>=') + - ansible_distribution_major_version | version_compare('10', '>=') -- name: Security directives for Evolinux (Jessie) +- name: Security directives for Evolinux (Jessie/Stretch) blockinfile: dest: /etc/ssh/sshd_config block: | 
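Review bot: Flipping `evolinux_fail2ban_include` to `False` removes the brute-force protection the role used to install by default, and the changelog lists this under Changed rather than Security, so a consumer upgrading to 9.1.9 gets no signal that SSH password guessing is no longer rate-limited. A comment next to the default stating the rationale and the compensating control would help, e.g. `# fail2ban is opt-in since 9.1.9; enable it on hosts where PasswordAuthentication stays open to untrusted addresses`. I cannot see from this diff what replaces it, so the assumption that the SSH AllowGroups/Match restrictions cover the gap is one to confirm rather than one the diff supports.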
@@ -41,7 +41,7 @@ notify: reload sshd when: - evolinux_ssh_password_auth_addresses != [] - - ansible_distribution_release == "jessie" + - ansible_distribution_major_version | version_compare('10', '<') # We disable AcceptEnv because it can be a security issue, but also because we # do not want clients to push their environment variables like LANG. @@ -63,16 +63,16 @@ - name: "Get current user" command: logname + changed_when: False register: logname check_mode: no - changed_when: False when: evolinux_ssh_allow_current_user # we must double-escape caracters, because python - name: verify AllowUsers directive command: "grep -E '^AllowUsers' /etc/ssh/sshd_config" - changed_when: False failed_when: False + changed_when: False register: grep_allowusers_ssh check_mode: no when: evolinux_ssh_allow_current_user diff --git a/evolinux-users/defaults/main.yml b/evolinux-users/defaults/main.yml index d7d6f958..fe97185c 100644 --- a/evolinux-users/defaults/main.yml +++ b/evolinux-users/defaults/main.yml @@ -1,4 +1,7 @@ --- evolinux_users: {} + evolinux_sudo_group: "evolinux-sudo" +evolinux_ssh_group: "evolinux-ssh" + evolinux_root_disable_ssh: True diff --git a/evolinux-users/tasks/account.yml b/evolinux-users/tasks/account.yml deleted file mode 100644 index 1ed142f9..00000000 --- a/evolinux-users/tasks/account.yml +++ /dev/null 
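Review bot: Stretch hosts move from the "Debian 9 or later" task to the "Jessie/Stretch" one, and both tasks write a `blockinfile` into /etc/ssh/sshd_config; if they share the default marker, an already-provisioned Stretch host has its block rewritten to the Jessie form on the next run, and if the markers differ the two blocks will coexist. Either way the resulting sshd_config on existing Stretch hosts deserves a one-time check, since overlapping `Match`/`PasswordAuthentication` stanzas decide who may log in with a password. A comment such as `# Stretch hosts provisioned with the former Debian 9+ block are rewritten here; both tasks must use the same marker` would record the intent. The block contents themselves lie outside this hunk.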
@@ -1,57 +0,0 @@ ---- - -- name: "Test if '{{ user.name }}' exists" - command: 'getent passwd {{ user.name }}' - register: loginisbusy - failed_when: False - changed_when: False - check_mode: no - -- name: "Test if uid exists for '{{ user.name }}'" - command: 'getent passwd {{ user.uid }}' - register: uidisbusy - failed_when: False - changed_when: False - check_mode: no - -- name: "Add Unix account with classical uid for '{{ user.name }}'" - user: - state: present - uid: '{{ user.uid }}' - name: '{{ user.name }}' - comment: '{{ user.fullname }}' - shell: /bin/bash - password: '{{ user.password_hash }}' - update_password: on_create - when: loginisbusy.rc != 0 and uidisbusy.rc != 0 - -- name: "Add Unix account with random uid for '{{ user.name }}'" - user: - state: present - name: '{{ user.name }}' - comment: '{{ user.fullname }}' - shell: /bin/bash - password: '{{ user.password_hash }}' - update_password: on_create - when: loginisbusy.rc != 0 and uidisbusy.rc == 0 - -- name: "Create secondary groups" - group: - name: "{{ group }}" - with_items: "{{ user.groups }}" - loop_control: - loop_var: group - when: user.groups is defined - -- name: "Add user '{{ user.name }}' to secondary groups" - user: - name: '{{ user.name }}' - groups: "{{ user.groups }}" - append: yes - when: user.groups is defined - -- name: "Fix perms on home directory for '{{ user.name }}'" - file: - name: '/home/{{ user.name }}' - mode: "0700" - state: directory diff --git a/evolinux-users/tasks/main.yml b/evolinux-users/tasks/main.yml index ec1400bd..e5872a91 100644 --- a/evolinux-users/tasks/main.yml +++ b/evolinux-users/tasks/main.yml 
@@ -1,9 +1,11 @@ --- -- fail: +- name: "System compatibility checks" + assert: + that: + - ansible_distribution == "Debian" + - ansible_distribution_major_version | version_compare('8', '>=') msg: only compatible with Debian >= 8 - when: - - ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<') - debug: msg: "Warning: empty 'evolinux_users' variable, tasks will be skipped!" @@ -16,5 +18,13 @@ with_dict: "{{ evolinux_users }}" when: evolinux_users != {} -- include: root_disable_ssh.yml - when: evolinux_root_disable_ssh +- name: Configure sudo + include: sudo.yml + vars: + user: "{{ item.value }}" + with_dict: "{{ evolinux_users }}" + when: evolinux_users != {} + +- name: Configure SSH + include: ssh.yml + when: evolinux_users != {} diff --git a/evolinux-users/tasks/profile.yml b/evolinux-users/tasks/profile.yml deleted file mode 100644 index 6a046e52..00000000 --- a/evolinux-users/tasks/profile.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- - -- name: search profile for presence of evomaintenance - command: 'grep -q "trap.*sudo.*evomaintenance.sh"' - changed_when: False - failed_when: False - check_mode: no - register: grep_profile_evomaintenance - -# Don't add the trap if it is present or commented -- name: "Add evomaintenance trap for '{{ user.name }}'" - lineinfile: - state: present - dest: '/home/{{ user.name }}/.profile' - insertafter: EOF - line: 'trap "sudo /usr/share/scripts/evomaintenance.sh" 0' - create: yes - when: grep_profile_evomaintenance.rc != 0 diff --git a/evolinux-users/tasks/root_disable_ssh.yml b/evolinux-users/tasks/root_disable_ssh.yml deleted file mode 100644 index 7906307f..00000000 --- a/evolinux-users/tasks/root_disable_ssh.yml +++ /dev/null 
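Review bot: The root-login hardening that used to run as `include: root_disable_ssh.yml when: evolinux_root_disable_ssh` is now only reachable through `include: ssh.yml`, which is guarded by `evolinux_users != {}`, so a host run with an empty user dict keeps its `PermitRootLogin` untouched even with `evolinux_root_disable_ssh: True`. That may be deliberate lockout protection (no users yet, so do not close the root door), but it is a silent behaviour change from the deleted file and the changelog does not mention it. A comment on the include like `# ssh.yml also disables root login; intentionally skipped when no users exist to avoid lockout` would make it explicit, or the root task can be moved back to an unconditional include if the previous behaviour is wanted.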
@@ -1,17 +0,0 @@ ---- - -- name: disable root login - replace: - dest: /etc/ssh/sshd_config - regexp: '^PermitRootLogin (yes|without-password|prohibit-password)' - replace: "PermitRootLogin no" - notify: reload sshd - -### Disabled : it seems useless and too dangerous for now -# - name: remove root from AllowUsers directive -# replace: -# dest: /etc/ssh/sshd_config -# regexp: '^(AllowUsers ((?!root(?:@\S+)?).)*)(\sroot(?:@\S+)?|root(?:@\S+)?\s)(.*)$' -# replace: '\1\4' -# validate: '/usr/sbin/sshd -T -f %s' -# notify: reload sshd diff --git a/evolinux-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml index 75b47ce2..70570c63 100644 --- a/evolinux-users/tasks/ssh.yml +++ b/evolinux-users/tasks/ssh.yml 
@@ -1,97 +1,64 @@ --- - -- name: "Create .ssh directory for '{{ user.name }}'" - file: - dest: '/home/{{ user.name }}/.ssh/' - state: directory - mode: "0700" - owner: '{{ user.name }}' - group: '{{ user.name }}' - -- name: "Add user's SSH public key for '{{ user.name }}'" - authorized_key: - user: "{{ user.name }}" - key: "{{ user.ssh_key }}" - state: present - when: user.ssh_key is defined - -- name: "Add user's SSH public keys for '{{ user.name }}'" - authorized_key: - user: "{{ user.name }}" - key: "{{ ssk_key }}" - state: present - with_items: "{{ user.ssh_keys }}" - loop_control: - loop_var: ssk_key - when: user.ssh_keys is defined - - name: verify AllowGroups directive command: "grep -E '^AllowGroups' /etc/ssh/sshd_config" changed_when: False failed_when: False - register: grep_allowgroups_ssh check_mode: no + register: grep_allowgroups_ssh - # If AllowGroups is present, we don't change - debug: - msg: "AllowGroups detected : You have to configure SSH manually" - when: grep_allowgroups_ssh.rc == 0 + var: grep_allowgroups_ssh + verbosity: 1 -- block: - # If AllowGroups is not present, we proceed as usual - - name: verify AllowUsers directive - command: "grep -E '^AllowUsers' /etc/ssh/sshd_config" - changed_when: False - failed_when: False - register: grep_allowusers_ssh - check_mode: no +- name: verify AllowUsers directive + command: "grep -E '^AllowUsers' /etc/ssh/sshd_config" + changed_when: False + failed_when: False + check_mode: no + register: grep_allowusers_ssh - - name: "Add AllowUsers sshd directive for '{{ user.name }}'" - lineinfile: - dest: /etc/ssh/sshd_config - line: "\nAllowUsers {{ user.name }}" - insertafter: 'Subsystem' - validate: '/usr/sbin/sshd -T -f %s' - notify: reload sshd - when: grep_allowusers_ssh.rc != 0 +- debug: + var: grep_allowusers_ssh + verbosity: 1 - - name: "Modify AllowUsers sshd directive for '{{ user.name }}'" - replace: - dest: /etc/ssh/sshd_config - regexp: '^(AllowUsers ((?!\b{{ user.name }}\b).)*)$' - replace: '\1 {{ 
user.name }}' - validate: '/usr/sbin/sshd -T -f %s' - notify: reload sshd - when: grep_allowusers_ssh.rc == 0 +- assert: + that: "not (grep_allowusers_ssh.rc == 0 and grep_allowgroups_ssh.rc == 0)" + msg: "We can't deal with AllowUsers and AllowGroups at the same time" - - name: "verify Match User directive" - command: "grep 'Match User' /etc/ssh/sshd_config" - changed_when: False - failed_when: False - register: grep_matchuser_ssh - check_mode: no +- set_fact: + # If "AllowGroups is present" or "AllowUsers is absent and Debian 10+", + ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0 and (ansible_distribution_major_version | version_compare('10', '>='))) }}" + # If "AllowGroups is absent" and "AllowUsers is absent or Debian <10" + ssh_allowusers: "{{ (grep_allowusers_ssh.rc == 0) or (grep_allowgroups_ssh.rc != 0 and (ansible_distribution_major_version | version_compare('10', '<'))) }}" - - name: "Add Match User sshd directive for '{{ user.name }}' (Jessie)" - lineinfile: - dest: /etc/ssh/sshd_config - line: "\nMatch User {{ user.name }}\n PasswordAuthentication no" - insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS" - validate: '/usr/sbin/sshd -T -f %s' - notify: reload sshd - when: - - ansible_distribution_release == "jessie" - - grep_matchuser_ssh.rc != 0 +- debug: + var: ssh_allowgroups + verbosity: 1 - - name: "Modify Match User's sshd directive for '{{ user.name }}' (Jessie)" - replace: - dest: /etc/ssh/sshd_config - regexp: '^(Match User ((?!{{ user.name }}).)*)$' - replace: '\1,{{ user.name }}' - validate: '/usr/sbin/sshd -T -f %s' - notify: reload sshd - when: - - ansible_distribution_release == "jessie" - - grep_matchuser_ssh.rc == 0 +- debug: + var: ssh_allowusers + verbosity: 1 - when: grep_allowgroups_ssh.rc != 0 +- include: ssh_allowgroups.yml + when: + - ssh_allowgroups + - not ssh_allowusers + +- include: ssh_allowusers.yml + vars: + user: "{{ item.value }}" + with_dict: "{{ evolinux_users }}" + when: + 
- ssh_allowusers + - not ssh_allowgroups + +- name: disable root login + replace: + dest: /etc/ssh/sshd_config + regexp: '^PermitRootLogin (yes|without-password|prohibit-password)' + replace: "PermitRootLogin no" + notify: reload sshd + when: evolinux_root_disable_ssh + +- meta: flush_handlers diff --git a/evolinux-users/tasks/ssh_allowgroups.yml b/evolinux-users/tasks/ssh_allowgroups.yml new file mode 100644 index 00000000..68635548 --- /dev/null +++ b/evolinux-users/tasks/ssh_allowgroups.yml @@ -0,0 +1,28 @@ +--- + +# this check must be repeated for each user +# even if it's been done before +- name: verify AllowGroups directive + command: "grep -E '^AllowGroups' /etc/ssh/sshd_config" + changed_when: False + failed_when: False + check_mode: no + register: grep_allowgroups_ssh + +- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'" + lineinfile: + dest: /etc/ssh/sshd_config + line: "\nAllowGroups {{ evolinux_ssh_group }}" + insertafter: 'Subsystem' + validate: '/usr/sbin/sshd -T -f %s' + notify: reload sshd + when: grep_allowgroups_ssh.rc != 0 + +- name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive" + replace: + dest: /etc/ssh/sshd_config + regexp: '^(AllowGroups ((?!\b{{ evolinux_ssh_group }}\b).)*)$' + replace: '\1 {{ evolinux_ssh_group }}' + validate: '/usr/sbin/sshd -T -f %s' + notify: reload sshd + when: grep_allowgroups_ssh.rc == 0 diff --git a/evolinux-users/tasks/ssh_allowusers.yml b/evolinux-users/tasks/ssh_allowusers.yml new file mode 100644 index 00000000..fff04f8c --- /dev/null +++ b/evolinux-users/tasks/ssh_allowusers.yml 
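Review bot: The `disable root login` task at the end of ssh.yml only rewrites an existing uncommented `PermitRootLogin yes|without-password|prohibit-password` line; on a sshd_config that still carries Debian's commented `#PermitRootLogin prohibit-password` (which is also the compiled-in default), nothing matches, the task reports ok, and root keeps key-based SSH access despite `evolinux_root_disable_ssh`. Using `lineinfile` with `regexp: '^#?PermitRootLogin'`, `line: 'PermitRootLogin no'`, `insertbefore: '^Match '` (so it stays in the global section) and the same `validate: '/usr/sbin/sshd -T -f %s'` the other tasks use makes the setting hold whether or not the directive is present. The current `replace` is also the only sshd_config edit in this role without `validate`.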
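Review bot: `insertafter: 'Subsystem'` drops the new `AllowGroups` line after the last `Subsystem` match, and because `AllowGroups` is also a valid keyword inside a `Match` block, a sshd_config where a `Match` stanza precedes that point would pass `sshd -T` while the restriction silently applies only to the matched clients. `insertbefore: '^Match '` with `firstmatch: yes` (lineinfile falls back to EOF when nothing matches) keeps the directive in the global section. The header comment `this check must be repeated for each user` was copied from the per-user file, but this include runs once, so it should read `# re-check in case an earlier task added the directive`. Whether the evolinux Match Address block sits before or after Subsystem is not visible here.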
@@ -0,0 +1,53 @@ +--- + +# this check must be repeated for each user +# even if it's been done before +- name: verify AllowUsers directive + command: "grep -E '^AllowUsers' /etc/ssh/sshd_config" + changed_when: False + failed_when: False + check_mode: no + register: grep_allowusers_ssh + +- name: "Add AllowUsers sshd directive with '{{ user.name }}'" + lineinfile: + dest: /etc/ssh/sshd_config + line: "\nAllowUsers {{ user.name }}" + insertafter: 'Subsystem' + validate: '/usr/sbin/sshd -T -f %s' + notify: reload sshd + when: grep_allowusers_ssh.rc != 0 + +- name: "Append '{{ user.name }}' to AllowUsers sshd directive" + replace: + dest: /etc/ssh/sshd_config + regexp: '^(AllowUsers ((?!\b{{ user.name }}\b).)*)$' + replace: '\1 {{ user.name }}' + validate: '/usr/sbin/sshd -T -f %s' + notify: reload sshd + when: grep_allowusers_ssh.rc == 0 + +- name: "verify Match User directive" + command: "grep -E '^Match User' /etc/ssh/sshd_config" + changed_when: False + failed_when: False + check_mode: no + register: grep_matchuser_ssh + +- name: "Add Match User sshd directive with '{{ user.name }}'" + lineinfile: + dest: /etc/ssh/sshd_config + line: "\nMatch User {{ user.name }}\n PasswordAuthentication no" + insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS" + validate: '/usr/sbin/sshd -T -f %s' + notify: reload sshd + when: grep_matchuser_ssh.rc != 0 + +- name: "Append '{{ user.name }}' to Match User's sshd directive" + replace: + dest: /etc/ssh/sshd_config + regexp: '^(Match User ((?!{{ user.name }}).)*)$' + replace: '\1,{{ user.name }}' + validate: '/usr/sbin/sshd -T -f %s' + notify: reload sshd + when: grep_matchuser_ssh.rc == 0 diff --git a/evolinux-users/tasks/sudo.yml b/evolinux-users/tasks/sudo.yml new file mode 100644 index 00000000..ed696b43 --- /dev/null +++ b/evolinux-users/tasks/sudo.yml 
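Review bot: The "Append ... to Match User" regexp `^(Match User ((?!{{ user.name }}).)*)$` has no `\b` around the name, unlike the AllowUsers regexp above it, so a user `bob` is treated as already listed when `bobby` is present and never receives `PasswordAuthentication no`. Writing it as `regexp: '^(Match User ((?!\b{{ user.name | regex_escape }}\b).)*)$'` fixes that and also stops a username containing `.` or other metacharacters from being read as a pattern; the same `regex_escape` belongs in the AllowUsers regexp. Note also that when `# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS` is absent (no password-auth addresses configured), `insertafter` falls back to EOF, which is only correct as long as no other `Match` stanza is expected to end the file.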
@@ -0,0 +1,9 @@ +--- + +- include: sudo_jessie.yml + when: ansible_distribution_release == "jessie" + +- include: sudo_stretch.yml + when: ansible_distribution_major_version | version_compare('9', '>=') + +- meta: flush_handlers diff --git a/evolinux-users/tasks/sudo_stretch.yml b/evolinux-users/tasks/sudo_stretch.yml index 3aa89e63..dc744c56 100644 --- a/evolinux-users/tasks/sudo_stretch.yml +++ b/evolinux-users/tasks/sudo_stretch.yml @@ -5,6 +5,7 @@ src: sudoers_stretch.j2 dest: /etc/sudoers.d/evolinux force: no + mode: "0440" validate: '/usr/sbin/visudo -cf %s' register: copy_sudoers_evolinux diff --git a/evolinux-users/tasks/user.yml b/evolinux-users/tasks/user.yml index 73fea728..21cb97b3 100644 --- a/evolinux-users/tasks/user.yml +++ b/evolinux-users/tasks/user.yml 
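Review bot: Adding `mode: "0440"` is right for a sudoers drop-in, but the task keeps `force: no`, and whether `template` still applies `mode` to a destination it declines to overwrite varies with the copy module version; on hosts where /etc/sudoers.d/evolinux already exists the file may stay at whatever mode it was created with. A separate unconditional `file: path: /etc/sudoers.d/evolinux, mode: "0440", owner: root, group: root` task enforces the permissions in both cases; `owner` and `group` are not pinned by the template task at all today.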
@@ -1,15 +1,125 @@ --- -- include: account.yml +# Unix account -- include: profile.yml +- name: "Test if '{{ user.name }}' exists" + command: 'getent passwd {{ user.name }}' + register: loginisbusy + failed_when: False + changed_when: False + check_mode: no -- include: ssh.yml +- name: "Test if uid exists for '{{ user.name }}'" + command: 'getent passwd {{ user.uid }}' + register: uidisbusy + failed_when: False + changed_when: False + check_mode: no -- include: sudo_jessie.yml - when: ansible_distribution_release == "jessie" +- name: "Unix account for '{{ user.name }}' is present (with uid '{{ user.uid }}')" + user: + state: present + uid: '{{ user.uid }}' + name: '{{ user.name }}' + comment: '{{ user.fullname }}' + shell: /bin/bash + password: '{{ user.password_hash }}' + update_password: on_create + when: + - loginisbusy.rc != 0 + - uidisbusy.rc != 0 -- include: sudo_stretch.yml - when: ansible_distribution_major_version | version_compare('9', '>=') +- name: "Unix account for '{{ user.name }}' is present (with random uid)" + user: + state: present + name: '{{ user.name }}' + comment: '{{ user.fullname }}' + shell: /bin/bash + password: '{{ user.password_hash }}' + update_password: on_create + when: + - loginisbusy.rc != 0 + - uidisbusy.rc == 0 + +# Unix groups + +- name: "Unix group '{{ evolinux_ssh_group }}' is present (Debian 10 or later)" + group: + name: "{{ evolinux_ssh_group }}" + state: present + when: ansible_distribution_major_version | version_compare('10', '>=') + +- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_ssh_group }}' (Debian 10 or later)" + user: + name: '{{ user.name }}' + groups: "{{ evolinux_ssh_group }}" + append: yes + when: ansible_distribution_major_version | version_compare('10', '>=') + +- name: "Secondary Unix groups are present" + group: + name: "{{ group }}" + with_items: "{{ user.groups }}" + loop_control: + loop_var: group + when: user.groups is defined + +- name: "Unix user '{{ user.name }}' belongs to 
secondary groups" + user: + name: '{{ user.name }}' + groups: "{{ user.groups }}" + append: yes + when: user.groups is defined + +- name: "Home directory for '{{ user.name }}' is not accessible by group and other users" + file: + name: '/home/{{ user.name }}' + mode: "0700" + state: directory + +# Evomaintenance + +- name: Search profile for presence of evomaintenance + command: 'grep -q "trap.*sudo.*evomaintenance.sh" /home/{{ user.name }}/.profile' + changed_when: False + failed_when: False + check_mode: no + register: grep_profile_evomaintenance + +# Don't add the trap if it is present or commented +- name: "User '{{ user.name }}' has its shell trap for evomaintenance" + lineinfile: + state: present + dest: '/home/{{ user.name }}/.profile' + insertafter: EOF + line: 'trap "sudo /usr/share/scripts/evomaintenance.sh" 0' + when: grep_profile_evomaintenance.rc != 0 + +# SSH keys + +- name: "SSH directory for '{{ user.name }}' is present" + file: + dest: '/home/{{ user.name }}/.ssh/' + state: directory + mode: "0700" + owner: '{{ user.name }}' + group: '{{ user.name }}' + +- name: "SSH public key for '{{ user.name }}' is present" + authorized_key: + user: "{{ user.name }}" + key: "{{ user.ssh_key }}" + state: present + when: user.ssh_key is defined + +- name: "SSH public keys for '{{ user.name }}' are present" + authorized_key: + user: "{{ user.name }}" + key: "{{ ssk_key }}" + state: present + with_items: "{{ user.ssh_keys }}" + loop_control: + loop_var: ssk_key + when: user.ssh_keys is defined - meta: flush_handlers diff --git a/generate-ldif/templates/generateldif.sh.j2 b/generate-ldif/templates/generateldif.sh.j2 index 0b45bc1c..f0cdd233 100755 --- a/generate-ldif/templates/generateldif.sh.j2 +++ b/generate-ldif/templates/generateldif.sh.j2 
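Review bot: The `evolinux-ssh` group creation and membership tasks are gated on Debian 10+, but ssh.yml selects AllowGroups mode whenever an `AllowGroups` directive already exists regardless of release (its set_fact tests `grep_allowgroups_ssh.rc == 0` first), and ssh_allowgroups.yml then appends `evolinux-ssh` to that directive; on a Jessie/Stretch host with a pre-existing AllowGroups, the accounts created here belong to a group that is never created and cannot log in. Dropping the `when: ansible_distribution_major_version | version_compare('10', '>=')` from both group tasks is harmless on older releases (membership in an otherwise unused group) and closes the gap. Separately, the `.profile` trap task lost the `create: yes` the deleted profile.yml had, so `lineinfile` fails for a pre-existing account whose home lacks a .profile.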
@@ -200,6 +200,19 @@ ServiceType: monitoring EOT fi +# minifirewall +if [ -f "/etc/default/minifirewall" ]; then + cat <> "${ldif_file}" + +dn: ServiceName=minifirewall,${computer_dn} +NagiosEnabled: TRUE +objectClass: EvoService +ServiceName: minifirewall +ServiceType: firewall +ServiceVersion: minifirewall +EOT +fi + # Postfix postfix_version=$(get_pkg_version postfix) if [ -n "${postfix_version}" ]; then diff --git a/mysql-oracle/handlers/main.yml b/mysql-oracle/handlers/main.yml index d6de2128..5a82afae 100644 --- a/mysql-oracle/handlers/main.yml +++ b/mysql-oracle/handlers/main.yml @@ -16,6 +16,7 @@ - name: reload systemd systemd: + name: mysql daemon_reload: yes - name: Restart minifirewall diff --git a/mysql-oracle/tasks/config.yml b/mysql-oracle/tasks/config.yml index 09131f92..82ae50cb 100644 --- a/mysql-oracle/tasks/config.yml +++ b/mysql-oracle/tasks/config.yml @@ -3,7 +3,7 @@ - name: "Copy MySQL defaults config file" copy: src: evolinux-defaults.cnf - dest: "/etc/mysql/conf.d/z-evolinux-defaults.cnf" + dest: "/etc/mysql/mysql.conf.d/z-evolinux-defaults.cnf" owner: root group: root mode: "0644" @@ -14,7 +14,7 @@ - name: "Copy MySQL custom config file" template: src: evolinux-custom.cnf.j2 - dest: "/etc/mysql/conf.d/zzz-evolinux-custom.cnf" + dest: "/etc/mysql/mysql.conf.d/zzz-evolinux-custom.cnf" owner: root group: root mode: "0644" diff --git a/mysql-oracle/tasks/packages.yml b/mysql-oracle/tasks/packages.yml index 76128f59..8be552bf 100644 --- a/mysql-oracle/tasks/packages.yml +++ b/mysql-oracle/tasks/packages.yml @@ -63,13 +63,8 @@ force: yes register: mysql_systemd_unit -# - name: systemd daemon is reloaded -# systemd: -# daemon_reload: yes -# when: mysql_systemd_unit | changed - - name: MySQL is started - service: + systemd: name: mysql daemon_reload: yes state: started diff --git a/mysql-oracle/tasks/utils.yml b/mysql-oracle/tasks/utils.yml index c5979ede..79587f16 100644 --- a/mysql-oracle/tasks/utils.yml +++ b/mysql-oracle/tasks/utils.yml 
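Review bot: Moving the two drop-ins to /etc/mysql/mysql.conf.d/ leaves any previously deployed /etc/mysql/conf.d/z-evolinux-defaults.cnf and zzz-evolinux-custom.cnf in place, and if the installed my.cnf includes both directories (as the Debian-style layout does), upgraded hosts would load two copies whose settings diverge on the next template change. Two `file: state: absent` tasks for the old paths, notifying the same restart handler, would make the move complete; whether both directories are included on these hosts should be confirmed against the installed my.cnf, which this diff does not show.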
@@ -168,7 +168,7 @@ copy: src: mysqltuner.cron.sh dest: /etc/cron.{{ mysql_cron_mysqltuner_frequency | mandatory }}/mysqltuner.sh - mode: "0700" + mode: "0755" when: mysql_cron_mysqltuner | bool tags: - mysql diff --git a/mysql/handlers/main.yml b/mysql/handlers/main.yml index 62b97212..32c630af 100644 --- a/mysql/handlers/main.yml +++ b/mysql/handlers/main.yml @@ -16,4 +16,5 @@ - name: reload systemd systemd: + name: mysql daemon_reload: yes diff --git a/mysql/tasks/config_stretch.yml b/mysql/tasks/config_stretch.yml index a89f590d..e7ce1772 100644 --- a/mysql/tasks/config_stretch.yml +++ b/mysql/tasks/config_stretch.yml @@ -39,5 +39,6 @@ - name: reload systemd systemd: + name: mysql daemon_reload: yes when: mariadb_systemd_override.changed diff --git a/mysql/tasks/users_jessie.yml b/mysql/tasks/users_jessie.yml index e1a02130..f11e41af 100644 --- a/mysql/tasks/users_jessie.yml +++ b/mysql/tasks/users_jessie.yml @@ -1,5 +1,10 @@ --- +- name: "Abort if MariaDB on Debian 8" + fail: + msg: "We can't create other users with 'debian-sys-maint' on Debian 8 with MariaDB.\nWe must give it the GRANT privilege before continuing." + when: mysql_variant == "mariadb" + # dependency for mysql_user and mysql_db - name: python-mysqldb is installed (Ansible dependency) @@ -38,8 +43,8 @@ value: '{{ item.value }}' create: yes with_items: - - { option: 'user', value: 'mysqladmin' } - - { option: password, value: '{{ mysql_admin_password.stdout }}' } + - { option: 'user', value: 'mysqladmin' } + - { option: 'password', value: '{{ mysql_admin_password.stdout }}' } when: create_mysqladmin_user.changed tags: - mysql diff --git a/mysql/tasks/users_stretch.yml b/mysql/tasks/users_stretch.yml index 7b5499b9..6b180612 100644 --- a/mysql/tasks/users_stretch.yml +++ b/mysql/tasks/users_stretch.yml 
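Review bot: Relaxing /etc/cron.*/mysqltuner.sh from `0700` to `0755` makes the script readable by every local account, which is harmless only if mysqltuner.cron.sh embeds no credentials and relies on /root/.my.cnf or the debian-sys-maint file; the script body is not in this diff, so that is an assumption to verify. If run-parts execution was the motivation, `0700` already satisfies it for root, so the reason for the change should be recorded, e.g. `mode: "0755"  # no secrets in the script; credentials come from /root/.my.cnf`, or `0750` used as a middle ground.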
@@ -38,8 +38,8 @@ value: '{{ item.value }}' create: yes with_items: - - { option: 'user', value: 'mysqladmin' } - - { option: password, value: '{{ mysql_admin_password.stdout }}' } + - { option: 'user', value: 'mysqladmin' } + - { option: 'password', value: '{{ mysql_admin_password.stdout }}' } when: create_mysqladmin_user.changed tags: - mysql diff --git a/mysql/tasks/utils.yml b/mysql/tasks/utils.yml index 114f614b..390acc0e 100644 --- a/mysql/tasks/utils.yml +++ b/mysql/tasks/utils.yml @@ -126,7 +126,7 @@ copy: src: mysqltuner.cron.sh dest: /etc/cron.{{ mysql_cron_mysqltuner_frequency | mandatory }}/mysqltuner.sh - mode: "0700" + mode: "0755" when: mysql_cron_mysqltuner tags: - mysql diff --git a/packweb-apache/files/log/access.log b/packweb-apache/files/log/access.log deleted file mode 100644 index e69de29b..00000000 diff --git a/packweb-apache/files/log/error.log b/packweb-apache/files/log/error.log deleted file mode 100644 index e69de29b..00000000 diff --git a/packweb-apache/meta/main.yml b/packweb-apache/meta/main.yml index 1b34e540..c86b3a03 100644 --- a/packweb-apache/meta/main.yml +++ b/packweb-apache/meta/main.yml @@ -21,3 +21,4 @@ dependencies: - { role: squid, squid_localproxy_enable: True } - { role: mysql, when: packweb_mysql_variant == "debian" } - { role: mysql-oracle, when: packweb_mysql_variant == "oracle" } + - { role: webapps/evoadmin-web, evoadmin_enable_vhost: "{{ packweb_enable_evoadmin_vhost }}" } diff --git a/packweb-apache/tasks/main.yml b/packweb-apache/tasks/main.yml index 12e4a0df..b24c9ae6 100644 --- a/packweb-apache/tasks/main.yml +++ b/packweb-apache/tasks/main.yml 
@@ -27,15 +27,21 @@ - { path: awstats, mode: "0750", state: directory } - { path: www, mode: "0750", state: directory } -- name: Copy apache empty log files if missing - copy: - src: "log/{{ item }}" +- name: Apache log file (templates) are present + command: "touch /etc/skel/log/{{ item }}" + args: + creates: "/etc/skel/log/{{ item }}" + with_items: + - access.log + - error.log + +- name: Apache log file (templates) have the proper permissions + file: dest: "/etc/skel/log/{{ item }}" mode: "0644" - force: no with_items: - - access.log - - error.log + - access.log + - error.log - name: "Install userlogrotate (jessie)" copy: @@ -65,10 +71,3 @@ - include: fhs_retrictions.yml when: packweb_fhs_retrictions - -- name: Install Evoadmin - include_role: - name: webapps/evoadmin-web - vars: - evoadmin_enable_vhost: "{{ packweb_enable_evoadmin_vhost }}" - diff --git a/webapps/evoadmin-web/tasks/main.yml b/webapps/evoadmin-web/tasks/main.yml index 46c04f13..c03ef979 100644 --- a/webapps/evoadmin-web/tasks/main.yml +++ b/webapps/evoadmin-web/tasks/main.yml @@ -1,6 +1,7 @@ --- -- fail: +- name: "Ensure that evoadmin_contact_email is defined" + fail: msg: Please configure var evoadmin_contact_email when: evoadmin_contact_email is none diff --git a/webapps/evoadmin-web/tasks/user.yml b/webapps/evoadmin-web/tasks/user.yml index 4070a52a..39926c0c 100644 --- a/webapps/evoadmin-web/tasks/user.yml +++ b/webapps/evoadmin-web/tasks/user.yml @@ -32,7 +32,7 @@ - name: "Clone evoadmin repository (jessie)" git: repo: https://forge.evolix.org/evoadmin-web.git - dest: "{{ evoadmin_document_root}}" + dest: "{{ evoadmin_document_root }}" version: jessie update: no when: ansible_distribution_release == "jessie" 
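Review bot: Moving evoadmin-web from a trailing `include_role` to a meta dependency changes when it runs: role dependencies execute before packweb-apache's own tasks, so evoadmin is now set up before the /etc/skel, userlogrotate and fhs_retrictions tasks rather than after them. If evoadmin's vhost or scripts rely on anything those tasks create, the new order will only surface on fresh hosts; a comment on the dependency such as `# runs before packweb tasks; must not depend on /etc/skel or the FHS restrictions` would document the assumption once checked.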
@@ -40,18 +40,25 @@ - name: "Clone evoadmin repository (Debian 9 or later)" git: repo: https://forge.evolix.org/evoadmin-web.git - dest: "{{ evoadmin_document_root}}" + dest: "{{ evoadmin_document_root }}" version: master update: yes when: ansible_distribution_major_version | version_compare('9', '>=') - name: Change ownership on git repository file: - dest: "{{ evoadmin_document_root}}" + dest: "{{ evoadmin_document_root }}" owner: "{{ evoadmin_username }}" group: "{{ evoadmin_username }}" recurse: yes +- name: Create evoadmin log directory + file: + name: "{{ evoadmin_log_dir }}" + owner: "{{ evoadmin_username }}" + group: "{{ evoadmin_username }}" + state: directory + - include_role: name: remount-usr when: evoadmin_scripts_dir | search ("/usr") @@ -64,7 +71,7 @@ state: directory - name: Install scripts like web-add.sh - shell: "cp {{ evoadmin_document_root}}/scripts/* {{ evoadmin_scripts_dir }}/" + shell: "cp {{ evoadmin_document_root }}/scripts/* {{ evoadmin_scripts_dir }}/" args: creates: "{{ evoadmin_scripts_dir }}/web-add.sh" diff --git a/webapps/evoadmin-web/templates/config.local.php.j2 b/webapps/evoadmin-web/templates/config.local.php.j2 index 3e159bcd..3a611612 100644 --- a/webapps/evoadmin-web/templates/config.local.php.j2 +++ b/webapps/evoadmin-web/templates/config.local.php.j2 @@ -6,3 +6,7 @@ $localconf['debug'] = FALSE; $localconf['superadmin'] = array(); $localconf['script_path'] = '{{ evoadmin_scripts_dir }}'; $localconf['cluster'] = FALSE; +// auth (sha256 hashs) / echo -n YourPass | sha256sum +$oriconf['logins'] = array(); +//$oriconf['logins']['foo'] = 'd5d3c723fb82cb0078f399888af78204234535ec2ef3da56710fdd51f90d2477'; +//$oriconf['logins']['bar'] = '7938c84d6e43d1659612a7ea7c1101ed02e52751bb64597a8c20ebaba8ba4303';
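Review bot: The new lines populate `$oriconf['logins']` while every other setting in this template goes into `$localconf`; unless the application reads the login table from `$oriconf` specifically, the live `$oriconf['logins'] = array();` is dead and any entries an operator uncomments are never consulted, so the array name should be confirmed against evoadmin-web's config loader. The comment also documents an unsalted `sha256sum` of the password as the credential format; that appears to be what the application expects and cannot be changed here, but the template should state the consequence, e.g. `// unsalted SHA-256 is offline-brute-forceable: use long random passwords and keep this file readable only by the web server user`.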