Merge branch 'unstable' into stable
This commit is contained in:
commit
c7d291c830
14
CHANGELOG.md
14
CHANGELOG.md
|
@ -18,6 +18,19 @@ The **patch** part changes incrementally at each release.
|
|||
|
||||
### Security
|
||||
|
||||
## [9.1.9] - 2018-04-24
|
||||
|
||||
### Added
|
||||
|
||||
### Changed
|
||||
* apache: customize logrotate (52 weeks)
|
||||
* evolinux: groups for SSH configuration are used with Debian 10 and later
|
||||
* evolinux-base: fail2ban is not enabled by default
|
||||
* evolinux-users: refactoring of the SSH configuration
|
||||
* mysql-oracle: copy evolinux config files in mysql.cond.d
|
||||
* mysql/mysql-oracle: mysqltuner cron scripts is 0755
|
||||
* generate-ldif: add a minifirewall service when /etc/default/minifirewall exists
|
||||
|
||||
## [9.1.8] - 2018-04-16
|
||||
|
||||
### Changed
|
||||
|
@ -51,6 +64,7 @@ The **patch** part changes incrementally at each release.
|
|||
* elasticsearch: RESTART_ON_UPGRADE is configurable (default: `true`)
|
||||
* elasticsearch: use ES_TMPDIR variable for custom tmpdir, (from `/etc/default/elasticsearch` instead of changing `/etc/elesticsearch/jvm.options`).
|
||||
* evolinux-base: Exec the firewall tasks sooner (to avoid dependency issues)
|
||||
* evolinux-users: split AllowGroups/AllowUsers modes for SSH directives
|
||||
* mongodb: allow unauthenticated packages for Jessie
|
||||
* mongodb: configuration is forced by default but it's configurable (default: `false`)
|
||||
* mongodb: rename logrotate script
|
||||
|
|
|
@ -163,6 +163,22 @@
|
|||
tags:
|
||||
- apache
|
||||
|
||||
- name: "logrotate: rotate weekly"
|
||||
replace:
|
||||
dest: /etc/logrotate.d/apache2
|
||||
regexp: "(daily|weekly|monthly)"
|
||||
replace: "weekly"
|
||||
tags:
|
||||
- apache
|
||||
|
||||
- name: "logrotate: keep 52 files"
|
||||
replace:
|
||||
dest: /etc/logrotate.d/apache2
|
||||
regexp: "rotate .+"
|
||||
replace: "rotate 52"
|
||||
tags:
|
||||
- apache
|
||||
|
||||
- include: log2mail.yml
|
||||
when: apache_log2mail_include
|
||||
tags:
|
||||
|
|
|
@ -192,7 +192,7 @@ evolinux_nagios_nrpe_include: True
|
|||
|
||||
# fail2ban
|
||||
|
||||
evolinux_fail2ban_include: True
|
||||
evolinux_fail2ban_include: False
|
||||
|
||||
# Listupgrade
|
||||
|
||||
|
|
|
@ -1,10 +1,11 @@
|
|||
---
|
||||
|
||||
- name: "Compatibility check"
|
||||
fail:
|
||||
- name: "System compatibility checks"
|
||||
assert:
|
||||
that:
|
||||
- ansible_distribution == "Debian"
|
||||
- ansible_distribution_major_version | version_compare('8', '>=')
|
||||
msg: only compatible with Debian >= 8
|
||||
when:
|
||||
- ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<')
|
||||
|
||||
- name: Apt configuration
|
||||
include_role:
|
||||
|
|
|
@ -13,7 +13,7 @@
|
|||
# We want to allow any user from a list of IP addresses to login with password,
|
||||
# but users of the "evolix" group can't login with password from other IP addresses
|
||||
|
||||
- name: Security directives for Evolinux (Debian 9 or later)"
|
||||
- name: Security directives for Evolinux (Debian 10 or later)"
|
||||
blockinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
block: |
|
||||
|
@ -27,9 +27,9 @@
|
|||
notify: reload sshd
|
||||
when:
|
||||
- evolinux_ssh_password_auth_addresses != []
|
||||
- ansible_distribution_major_version | version_compare('9', '>=')
|
||||
- ansible_distribution_major_version | version_compare('10', '>=')
|
||||
|
||||
- name: Security directives for Evolinux (Jessie)
|
||||
- name: Security directives for Evolinux (Jessie/Stretch)
|
||||
blockinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
block: |
|
||||
|
@ -41,7 +41,7 @@
|
|||
notify: reload sshd
|
||||
when:
|
||||
- evolinux_ssh_password_auth_addresses != []
|
||||
- ansible_distribution_release == "jessie"
|
||||
- ansible_distribution_major_version | version_compare('10', '<')
|
||||
|
||||
# We disable AcceptEnv because it can be a security issue, but also because we
|
||||
# do not want clients to push their environment variables like LANG.
|
||||
|
@ -63,16 +63,16 @@
|
|||
|
||||
- name: "Get current user"
|
||||
command: logname
|
||||
changed_when: False
|
||||
register: logname
|
||||
check_mode: no
|
||||
changed_when: False
|
||||
when: evolinux_ssh_allow_current_user
|
||||
|
||||
# we must double-escape caracters, because python
|
||||
- name: verify AllowUsers directive
|
||||
command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
changed_when: False
|
||||
register: grep_allowusers_ssh
|
||||
check_mode: no
|
||||
when: evolinux_ssh_allow_current_user
|
||||
|
|
|
@ -1,4 +1,7 @@
|
|||
---
|
||||
evolinux_users: {}
|
||||
|
||||
evolinux_sudo_group: "evolinux-sudo"
|
||||
evolinux_ssh_group: "evolinux-ssh"
|
||||
|
||||
evolinux_root_disable_ssh: True
|
||||
|
|
|
@ -1,57 +0,0 @@
|
|||
---
|
||||
|
||||
- name: "Test if '{{ user.name }}' exists"
|
||||
command: 'getent passwd {{ user.name }}'
|
||||
register: loginisbusy
|
||||
failed_when: False
|
||||
changed_when: False
|
||||
check_mode: no
|
||||
|
||||
- name: "Test if uid exists for '{{ user.name }}'"
|
||||
command: 'getent passwd {{ user.uid }}'
|
||||
register: uidisbusy
|
||||
failed_when: False
|
||||
changed_when: False
|
||||
check_mode: no
|
||||
|
||||
- name: "Add Unix account with classical uid for '{{ user.name }}'"
|
||||
user:
|
||||
state: present
|
||||
uid: '{{ user.uid }}'
|
||||
name: '{{ user.name }}'
|
||||
comment: '{{ user.fullname }}'
|
||||
shell: /bin/bash
|
||||
password: '{{ user.password_hash }}'
|
||||
update_password: on_create
|
||||
when: loginisbusy.rc != 0 and uidisbusy.rc != 0
|
||||
|
||||
- name: "Add Unix account with random uid for '{{ user.name }}'"
|
||||
user:
|
||||
state: present
|
||||
name: '{{ user.name }}'
|
||||
comment: '{{ user.fullname }}'
|
||||
shell: /bin/bash
|
||||
password: '{{ user.password_hash }}'
|
||||
update_password: on_create
|
||||
when: loginisbusy.rc != 0 and uidisbusy.rc == 0
|
||||
|
||||
- name: "Create secondary groups"
|
||||
group:
|
||||
name: "{{ group }}"
|
||||
with_items: "{{ user.groups }}"
|
||||
loop_control:
|
||||
loop_var: group
|
||||
when: user.groups is defined
|
||||
|
||||
- name: "Add user '{{ user.name }}' to secondary groups"
|
||||
user:
|
||||
name: '{{ user.name }}'
|
||||
groups: "{{ user.groups }}"
|
||||
append: yes
|
||||
when: user.groups is defined
|
||||
|
||||
- name: "Fix perms on home directory for '{{ user.name }}'"
|
||||
file:
|
||||
name: '/home/{{ user.name }}'
|
||||
mode: "0700"
|
||||
state: directory
|
|
@ -1,9 +1,11 @@
|
|||
---
|
||||
|
||||
- fail:
|
||||
- name: "System compatibility checks"
|
||||
assert:
|
||||
that:
|
||||
- ansible_distribution == "Debian"
|
||||
- ansible_distribution_major_version | version_compare('8', '>=')
|
||||
msg: only compatible with Debian >= 8
|
||||
when:
|
||||
- ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<')
|
||||
|
||||
- debug:
|
||||
msg: "Warning: empty 'evolinux_users' variable, tasks will be skipped!"
|
||||
|
@ -16,5 +18,13 @@
|
|||
with_dict: "{{ evolinux_users }}"
|
||||
when: evolinux_users != {}
|
||||
|
||||
- include: root_disable_ssh.yml
|
||||
when: evolinux_root_disable_ssh
|
||||
- name: Configure sudo
|
||||
include: sudo.yml
|
||||
vars:
|
||||
user: "{{ item.value }}"
|
||||
with_dict: "{{ evolinux_users }}"
|
||||
when: evolinux_users != {}
|
||||
|
||||
- name: Configure SSH
|
||||
include: ssh.yml
|
||||
when: evolinux_users != {}
|
||||
|
|
|
@ -1,18 +0,0 @@
|
|||
---
|
||||
|
||||
- name: search profile for presence of evomaintenance
|
||||
command: 'grep -q "trap.*sudo.*evomaintenance.sh"'
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
check_mode: no
|
||||
register: grep_profile_evomaintenance
|
||||
|
||||
# Don't add the trap if it is present or commented
|
||||
- name: "Add evomaintenance trap for '{{ user.name }}'"
|
||||
lineinfile:
|
||||
state: present
|
||||
dest: '/home/{{ user.name }}/.profile'
|
||||
insertafter: EOF
|
||||
line: 'trap "sudo /usr/share/scripts/evomaintenance.sh" 0'
|
||||
create: yes
|
||||
when: grep_profile_evomaintenance.rc != 0
|
|
@ -1,17 +0,0 @@
|
|||
---
|
||||
|
||||
- name: disable root login
|
||||
replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'
|
||||
replace: "PermitRootLogin no"
|
||||
notify: reload sshd
|
||||
|
||||
### Disabled : it seems useless and too dangerous for now
|
||||
# - name: remove root from AllowUsers directive
|
||||
# replace:
|
||||
# dest: /etc/ssh/sshd_config
|
||||
# regexp: '^(AllowUsers ((?!root(?:@\S+)?).)*)(\sroot(?:@\S+)?|root(?:@\S+)?\s)(.*)$'
|
||||
# replace: '\1\4'
|
||||
# validate: '/usr/sbin/sshd -T -f %s'
|
||||
# notify: reload sshd
|
|
@ -1,97 +1,64 @@
|
|||
---
|
||||
|
||||
|
||||
- name: "Create .ssh directory for '{{ user.name }}'"
|
||||
file:
|
||||
dest: '/home/{{ user.name }}/.ssh/'
|
||||
state: directory
|
||||
mode: "0700"
|
||||
owner: '{{ user.name }}'
|
||||
group: '{{ user.name }}'
|
||||
|
||||
- name: "Add user's SSH public key for '{{ user.name }}'"
|
||||
authorized_key:
|
||||
user: "{{ user.name }}"
|
||||
key: "{{ user.ssh_key }}"
|
||||
state: present
|
||||
when: user.ssh_key is defined
|
||||
|
||||
- name: "Add user's SSH public keys for '{{ user.name }}'"
|
||||
authorized_key:
|
||||
user: "{{ user.name }}"
|
||||
key: "{{ ssk_key }}"
|
||||
state: present
|
||||
with_items: "{{ user.ssh_keys }}"
|
||||
loop_control:
|
||||
loop_var: ssk_key
|
||||
when: user.ssh_keys is defined
|
||||
|
||||
- name: verify AllowGroups directive
|
||||
command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
register: grep_allowgroups_ssh
|
||||
check_mode: no
|
||||
register: grep_allowgroups_ssh
|
||||
|
||||
# If AllowGroups is present, we don't change
|
||||
- debug:
|
||||
msg: "AllowGroups detected : You have to configure SSH manually"
|
||||
when: grep_allowgroups_ssh.rc == 0
|
||||
var: grep_allowgroups_ssh
|
||||
verbosity: 1
|
||||
|
||||
- block:
|
||||
# If AllowGroups is not present, we proceed as usual
|
||||
- name: verify AllowUsers directive
|
||||
- name: verify AllowUsers directive
|
||||
command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
check_mode: no
|
||||
register: grep_allowusers_ssh
|
||||
check_mode: no
|
||||
|
||||
- name: "Add AllowUsers sshd directive for '{{ user.name }}'"
|
||||
lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
line: "\nAllowUsers {{ user.name }}"
|
||||
insertafter: 'Subsystem'
|
||||
validate: '/usr/sbin/sshd -T -f %s'
|
||||
notify: reload sshd
|
||||
when: grep_allowusers_ssh.rc != 0
|
||||
- debug:
|
||||
var: grep_allowusers_ssh
|
||||
verbosity: 1
|
||||
|
||||
- name: "Modify AllowUsers sshd directive for '{{ user.name }}'"
|
||||
- assert:
|
||||
that: "not (grep_allowusers_ssh.rc == 0 and grep_allowgroups_ssh.rc == 0)"
|
||||
msg: "We can't deal with AllowUsers and AllowGroups at the same time"
|
||||
|
||||
- set_fact:
|
||||
# If "AllowGroups is present" or "AllowUsers is absent and Debian 10+",
|
||||
ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0 and (ansible_distribution_major_version | version_compare('10', '>='))) }}"
|
||||
# If "AllowGroups is absent" and "AllowUsers is absent or Debian <10"
|
||||
ssh_allowusers: "{{ (grep_allowusers_ssh.rc == 0) or (grep_allowgroups_ssh.rc != 0 and (ansible_distribution_major_version | version_compare('10', '<'))) }}"
|
||||
|
||||
- debug:
|
||||
var: ssh_allowgroups
|
||||
verbosity: 1
|
||||
|
||||
- debug:
|
||||
var: ssh_allowusers
|
||||
verbosity: 1
|
||||
|
||||
- include: ssh_allowgroups.yml
|
||||
when:
|
||||
- ssh_allowgroups
|
||||
- not ssh_allowusers
|
||||
|
||||
- include: ssh_allowusers.yml
|
||||
vars:
|
||||
user: "{{ item.value }}"
|
||||
with_dict: "{{ evolinux_users }}"
|
||||
when:
|
||||
- ssh_allowusers
|
||||
- not ssh_allowgroups
|
||||
|
||||
- name: disable root login
|
||||
replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^(AllowUsers ((?!\b{{ user.name }}\b).)*)$'
|
||||
replace: '\1 {{ user.name }}'
|
||||
validate: '/usr/sbin/sshd -T -f %s'
|
||||
regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'
|
||||
replace: "PermitRootLogin no"
|
||||
notify: reload sshd
|
||||
when: grep_allowusers_ssh.rc == 0
|
||||
when: evolinux_root_disable_ssh
|
||||
|
||||
- name: "verify Match User directive"
|
||||
command: "grep 'Match User' /etc/ssh/sshd_config"
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
register: grep_matchuser_ssh
|
||||
check_mode: no
|
||||
|
||||
- name: "Add Match User sshd directive for '{{ user.name }}' (Jessie)"
|
||||
lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
line: "\nMatch User {{ user.name }}\n PasswordAuthentication no"
|
||||
insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
|
||||
validate: '/usr/sbin/sshd -T -f %s'
|
||||
notify: reload sshd
|
||||
when:
|
||||
- ansible_distribution_release == "jessie"
|
||||
- grep_matchuser_ssh.rc != 0
|
||||
|
||||
- name: "Modify Match User's sshd directive for '{{ user.name }}' (Jessie)"
|
||||
replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^(Match User ((?!{{ user.name }}).)*)$'
|
||||
replace: '\1,{{ user.name }}'
|
||||
validate: '/usr/sbin/sshd -T -f %s'
|
||||
notify: reload sshd
|
||||
when:
|
||||
- ansible_distribution_release == "jessie"
|
||||
- grep_matchuser_ssh.rc == 0
|
||||
|
||||
when: grep_allowgroups_ssh.rc != 0
|
||||
- meta: flush_handlers
|
||||
|
|
28
evolinux-users/tasks/ssh_allowgroups.yml
Normal file
28
evolinux-users/tasks/ssh_allowgroups.yml
Normal file
|
@ -0,0 +1,28 @@
|
|||
---
|
||||
|
||||
# this check must be repeated for each user
|
||||
# even if it's been done before
|
||||
- name: verify AllowGroups directive
|
||||
command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
check_mode: no
|
||||
register: grep_allowgroups_ssh
|
||||
|
||||
- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
|
||||
lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
line: "\nAllowGroups {{ evolinux_ssh_group }}"
|
||||
insertafter: 'Subsystem'
|
||||
validate: '/usr/sbin/sshd -T -f %s'
|
||||
notify: reload sshd
|
||||
when: grep_allowgroups_ssh.rc != 0
|
||||
|
||||
- name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive"
|
||||
replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^(AllowGroups ((?!\b{{ evolinux_ssh_group }}\b).)*)$'
|
||||
replace: '\1 {{ evolinux_ssh_group }}'
|
||||
validate: '/usr/sbin/sshd -T -f %s'
|
||||
notify: reload sshd
|
||||
when: grep_allowgroups_ssh.rc == 0
|
53
evolinux-users/tasks/ssh_allowusers.yml
Normal file
53
evolinux-users/tasks/ssh_allowusers.yml
Normal file
|
@ -0,0 +1,53 @@
|
|||
---
|
||||
|
||||
# this check must be repeated for each user
|
||||
# even if it's been done before
|
||||
- name: verify AllowUsers directive
|
||||
command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
check_mode: no
|
||||
register: grep_allowusers_ssh
|
||||
|
||||
- name: "Add AllowUsers sshd directive with '{{ user.name }}'"
|
||||
lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
line: "\nAllowUsers {{ user.name }}"
|
||||
insertafter: 'Subsystem'
|
||||
validate: '/usr/sbin/sshd -T -f %s'
|
||||
notify: reload sshd
|
||||
when: grep_allowusers_ssh.rc != 0
|
||||
|
||||
- name: "Append '{{ user.name }}' to AllowUsers sshd directive"
|
||||
replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^(AllowUsers ((?!\b{{ user.name }}\b).)*)$'
|
||||
replace: '\1 {{ user.name }}'
|
||||
validate: '/usr/sbin/sshd -T -f %s'
|
||||
notify: reload sshd
|
||||
when: grep_allowusers_ssh.rc == 0
|
||||
|
||||
- name: "verify Match User directive"
|
||||
command: "grep -E '^Match User' /etc/ssh/sshd_config"
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
check_mode: no
|
||||
register: grep_matchuser_ssh
|
||||
|
||||
- name: "Add Match User sshd directive with '{{ user.name }}'"
|
||||
lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
line: "\nMatch User {{ user.name }}\n PasswordAuthentication no"
|
||||
insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
|
||||
validate: '/usr/sbin/sshd -T -f %s'
|
||||
notify: reload sshd
|
||||
when: grep_matchuser_ssh.rc != 0
|
||||
|
||||
- name: "Append '{{ user.name }}' to Match User's sshd directive"
|
||||
replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^(Match User ((?!{{ user.name }}).)*)$'
|
||||
replace: '\1,{{ user.name }}'
|
||||
validate: '/usr/sbin/sshd -T -f %s'
|
||||
notify: reload sshd
|
||||
when: grep_matchuser_ssh.rc == 0
|
9
evolinux-users/tasks/sudo.yml
Normal file
9
evolinux-users/tasks/sudo.yml
Normal file
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
|
||||
- include: sudo_jessie.yml
|
||||
when: ansible_distribution_release == "jessie"
|
||||
|
||||
- include: sudo_stretch.yml
|
||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||
|
||||
- meta: flush_handlers
|
|
@ -5,6 +5,7 @@
|
|||
src: sudoers_stretch.j2
|
||||
dest: /etc/sudoers.d/evolinux
|
||||
force: no
|
||||
mode: "0440"
|
||||
validate: '/usr/sbin/visudo -cf %s'
|
||||
register: copy_sudoers_evolinux
|
||||
|
||||
|
|
|
@ -1,15 +1,125 @@
|
|||
---
|
||||
|
||||
- include: account.yml
|
||||
# Unix account
|
||||
|
||||
- include: profile.yml
|
||||
- name: "Test if '{{ user.name }}' exists"
|
||||
command: 'getent passwd {{ user.name }}'
|
||||
register: loginisbusy
|
||||
failed_when: False
|
||||
changed_when: False
|
||||
check_mode: no
|
||||
|
||||
- include: ssh.yml
|
||||
- name: "Test if uid exists for '{{ user.name }}'"
|
||||
command: 'getent passwd {{ user.uid }}'
|
||||
register: uidisbusy
|
||||
failed_when: False
|
||||
changed_when: False
|
||||
check_mode: no
|
||||
|
||||
- include: sudo_jessie.yml
|
||||
when: ansible_distribution_release == "jessie"
|
||||
- name: "Unix account for '{{ user.name }}' is present (with uid '{{ user.uid }}')"
|
||||
user:
|
||||
state: present
|
||||
uid: '{{ user.uid }}'
|
||||
name: '{{ user.name }}'
|
||||
comment: '{{ user.fullname }}'
|
||||
shell: /bin/bash
|
||||
password: '{{ user.password_hash }}'
|
||||
update_password: on_create
|
||||
when:
|
||||
- loginisbusy.rc != 0
|
||||
- uidisbusy.rc != 0
|
||||
|
||||
- include: sudo_stretch.yml
|
||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||
- name: "Unix account for '{{ user.name }}' is present (with random uid)"
|
||||
user:
|
||||
state: present
|
||||
name: '{{ user.name }}'
|
||||
comment: '{{ user.fullname }}'
|
||||
shell: /bin/bash
|
||||
password: '{{ user.password_hash }}'
|
||||
update_password: on_create
|
||||
when:
|
||||
- loginisbusy.rc != 0
|
||||
- uidisbusy.rc == 0
|
||||
|
||||
# Unix groups
|
||||
|
||||
- name: "Unix group '{{ evolinux_ssh_group }}' is present (Debian 10 or later)"
|
||||
group:
|
||||
name: "{{ evolinux_ssh_group }}"
|
||||
state: present
|
||||
when: ansible_distribution_major_version | version_compare('10', '>=')
|
||||
|
||||
- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_ssh_group }}' (Debian 10 or later)"
|
||||
user:
|
||||
name: '{{ user.name }}'
|
||||
groups: "{{ evolinux_ssh_group }}"
|
||||
append: yes
|
||||
when: ansible_distribution_major_version | version_compare('10', '>=')
|
||||
|
||||
- name: "Secondary Unix groups are present"
|
||||
group:
|
||||
name: "{{ group }}"
|
||||
with_items: "{{ user.groups }}"
|
||||
loop_control:
|
||||
loop_var: group
|
||||
when: user.groups is defined
|
||||
|
||||
- name: "Unix user '{{ user.name }}' belongs to secondary groups"
|
||||
user:
|
||||
name: '{{ user.name }}'
|
||||
groups: "{{ user.groups }}"
|
||||
append: yes
|
||||
when: user.groups is defined
|
||||
|
||||
- name: "Home directory for '{{ user.name }}' is not accessible by group and other users"
|
||||
file:
|
||||
name: '/home/{{ user.name }}'
|
||||
mode: "0700"
|
||||
state: directory
|
||||
|
||||
# Evomaintenance
|
||||
|
||||
- name: Search profile for presence of evomaintenance
|
||||
command: 'grep -q "trap.*sudo.*evomaintenance.sh" /home/{{ user.name }}/.profile'
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
check_mode: no
|
||||
register: grep_profile_evomaintenance
|
||||
|
||||
# Don't add the trap if it is present or commented
|
||||
- name: "User '{{ user.name }}' has its shell trap for evomaintenance"
|
||||
lineinfile:
|
||||
state: present
|
||||
dest: '/home/{{ user.name }}/.profile'
|
||||
insertafter: EOF
|
||||
line: 'trap "sudo /usr/share/scripts/evomaintenance.sh" 0'
|
||||
when: grep_profile_evomaintenance.rc != 0
|
||||
|
||||
# SSH keys
|
||||
|
||||
- name: "SSH directory for '{{ user.name }}' is present"
|
||||
file:
|
||||
dest: '/home/{{ user.name }}/.ssh/'
|
||||
state: directory
|
||||
mode: "0700"
|
||||
owner: '{{ user.name }}'
|
||||
group: '{{ user.name }}'
|
||||
|
||||
- name: "SSH public key for '{{ user.name }}' is present"
|
||||
authorized_key:
|
||||
user: "{{ user.name }}"
|
||||
key: "{{ user.ssh_key }}"
|
||||
state: present
|
||||
when: user.ssh_key is defined
|
||||
|
||||
- name: "SSH public keys for '{{ user.name }}' are present"
|
||||
authorized_key:
|
||||
user: "{{ user.name }}"
|
||||
key: "{{ ssk_key }}"
|
||||
state: present
|
||||
with_items: "{{ user.ssh_keys }}"
|
||||
loop_control:
|
||||
loop_var: ssk_key
|
||||
when: user.ssh_keys is defined
|
||||
|
||||
- meta: flush_handlers
|
||||
|
|
|
@ -200,6 +200,19 @@ ServiceType: monitoring
|
|||
EOT
|
||||
fi
|
||||
|
||||
# minifirewall
|
||||
if [ -f "/etc/default/minifirewall" ]; then
|
||||
cat <<EOT >> "${ldif_file}"
|
||||
|
||||
dn: ServiceName=minifirewall,${computer_dn}
|
||||
NagiosEnabled: TRUE
|
||||
objectClass: EvoService
|
||||
ServiceName: minifirewall
|
||||
ServiceType: firewall
|
||||
ServiceVersion: minifirewall
|
||||
EOT
|
||||
fi
|
||||
|
||||
# Postfix
|
||||
postfix_version=$(get_pkg_version postfix)
|
||||
if [ -n "${postfix_version}" ]; then
|
||||
|
|
|
@ -16,6 +16,7 @@
|
|||
|
||||
- name: reload systemd
|
||||
systemd:
|
||||
name: mysql
|
||||
daemon_reload: yes
|
||||
|
||||
- name: Restart minifirewall
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
- name: "Copy MySQL defaults config file"
|
||||
copy:
|
||||
src: evolinux-defaults.cnf
|
||||
dest: "/etc/mysql/conf.d/z-evolinux-defaults.cnf"
|
||||
dest: "/etc/mysql/mysql.conf.d/z-evolinux-defaults.cnf"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
|
@ -14,7 +14,7 @@
|
|||
- name: "Copy MySQL custom config file"
|
||||
template:
|
||||
src: evolinux-custom.cnf.j2
|
||||
dest: "/etc/mysql/conf.d/zzz-evolinux-custom.cnf"
|
||||
dest: "/etc/mysql/mysql.conf.d/zzz-evolinux-custom.cnf"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
|
|
|
@ -63,13 +63,8 @@
|
|||
force: yes
|
||||
register: mysql_systemd_unit
|
||||
|
||||
# - name: systemd daemon is reloaded
|
||||
# systemd:
|
||||
# daemon_reload: yes
|
||||
# when: mysql_systemd_unit | changed
|
||||
|
||||
- name: MySQL is started
|
||||
service:
|
||||
systemd:
|
||||
name: mysql
|
||||
daemon_reload: yes
|
||||
state: started
|
||||
|
|
|
@ -168,7 +168,7 @@
|
|||
copy:
|
||||
src: mysqltuner.cron.sh
|
||||
dest: /etc/cron.{{ mysql_cron_mysqltuner_frequency | mandatory }}/mysqltuner.sh
|
||||
mode: "0700"
|
||||
mode: "0755"
|
||||
when: mysql_cron_mysqltuner | bool
|
||||
tags:
|
||||
- mysql
|
||||
|
|
|
@ -16,4 +16,5 @@
|
|||
|
||||
- name: reload systemd
|
||||
systemd:
|
||||
name: mysql
|
||||
daemon_reload: yes
|
||||
|
|
|
@ -39,5 +39,6 @@
|
|||
|
||||
- name: reload systemd
|
||||
systemd:
|
||||
name: mysql
|
||||
daemon_reload: yes
|
||||
when: mariadb_systemd_override.changed
|
||||
|
|
|
@ -1,5 +1,10 @@
|
|||
---
|
||||
|
||||
- name: "Abort if MariaDB on Debian 8"
|
||||
fail:
|
||||
msg: "We can't create other users with 'debian-sys-maint' on Debian 8 with MariaDB.\nWe must give it the GRANT privilege before continuing."
|
||||
when: mysql_variant == "mariadb"
|
||||
|
||||
# dependency for mysql_user and mysql_db
|
||||
|
||||
- name: python-mysqldb is installed (Ansible dependency)
|
||||
|
@ -39,7 +44,7 @@
|
|||
create: yes
|
||||
with_items:
|
||||
- { option: 'user', value: 'mysqladmin' }
|
||||
- { option: password, value: '{{ mysql_admin_password.stdout }}' }
|
||||
- { option: 'password', value: '{{ mysql_admin_password.stdout }}' }
|
||||
when: create_mysqladmin_user.changed
|
||||
tags:
|
||||
- mysql
|
||||
|
|
|
@ -39,7 +39,7 @@
|
|||
create: yes
|
||||
with_items:
|
||||
- { option: 'user', value: 'mysqladmin' }
|
||||
- { option: password, value: '{{ mysql_admin_password.stdout }}' }
|
||||
- { option: 'password', value: '{{ mysql_admin_password.stdout }}' }
|
||||
when: create_mysqladmin_user.changed
|
||||
tags:
|
||||
- mysql
|
||||
|
|
|
@ -126,7 +126,7 @@
|
|||
copy:
|
||||
src: mysqltuner.cron.sh
|
||||
dest: /etc/cron.{{ mysql_cron_mysqltuner_frequency | mandatory }}/mysqltuner.sh
|
||||
mode: "0700"
|
||||
mode: "0755"
|
||||
when: mysql_cron_mysqltuner
|
||||
tags:
|
||||
- mysql
|
||||
|
|
|
@ -21,3 +21,4 @@ dependencies:
|
|||
- { role: squid, squid_localproxy_enable: True }
|
||||
- { role: mysql, when: packweb_mysql_variant == "debian" }
|
||||
- { role: mysql-oracle, when: packweb_mysql_variant == "oracle" }
|
||||
- { role: webapps/evoadmin-web, evoadmin_enable_vhost: "{{ packweb_enable_evoadmin_vhost }}" }
|
||||
|
|
|
@ -27,12 +27,18 @@
|
|||
- { path: awstats, mode: "0750", state: directory }
|
||||
- { path: www, mode: "0750", state: directory }
|
||||
|
||||
- name: Copy apache empty log files if missing
|
||||
copy:
|
||||
src: "log/{{ item }}"
|
||||
- name: Apache log file (templates) are present
|
||||
command: "touch /etc/skel/log/{{ item }}"
|
||||
args:
|
||||
creates: "/etc/skel/log/{{ item }}"
|
||||
with_items:
|
||||
- access.log
|
||||
- error.log
|
||||
|
||||
- name: Apache log file (templates) have the proper permissions
|
||||
file:
|
||||
dest: "/etc/skel/log/{{ item }}"
|
||||
mode: "0644"
|
||||
force: no
|
||||
with_items:
|
||||
- access.log
|
||||
- error.log
|
||||
|
@ -65,10 +71,3 @@
|
|||
|
||||
- include: fhs_retrictions.yml
|
||||
when: packweb_fhs_retrictions
|
||||
|
||||
- name: Install Evoadmin
|
||||
include_role:
|
||||
name: webapps/evoadmin-web
|
||||
vars:
|
||||
evoadmin_enable_vhost: "{{ packweb_enable_evoadmin_vhost }}"
|
||||
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
---
|
||||
|
||||
- fail:
|
||||
- name: "Ensure that evoadmin_contact_email is defined"
|
||||
fail:
|
||||
msg: Please configure var evoadmin_contact_email
|
||||
when: evoadmin_contact_email is none
|
||||
|
||||
|
|
|
@ -32,7 +32,7 @@
|
|||
- name: "Clone evoadmin repository (jessie)"
|
||||
git:
|
||||
repo: https://forge.evolix.org/evoadmin-web.git
|
||||
dest: "{{ evoadmin_document_root}}"
|
||||
dest: "{{ evoadmin_document_root }}"
|
||||
version: jessie
|
||||
update: no
|
||||
when: ansible_distribution_release == "jessie"
|
||||
|
@ -40,18 +40,25 @@
|
|||
- name: "Clone evoadmin repository (Debian 9 or later)"
|
||||
git:
|
||||
repo: https://forge.evolix.org/evoadmin-web.git
|
||||
dest: "{{ evoadmin_document_root}}"
|
||||
dest: "{{ evoadmin_document_root }}"
|
||||
version: master
|
||||
update: yes
|
||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||
|
||||
- name: Change ownership on git repository
|
||||
file:
|
||||
dest: "{{ evoadmin_document_root}}"
|
||||
dest: "{{ evoadmin_document_root }}"
|
||||
owner: "{{ evoadmin_username }}"
|
||||
group: "{{ evoadmin_username }}"
|
||||
recurse: yes
|
||||
|
||||
- name: Create evoadmin log directory
|
||||
file:
|
||||
name: "{{ evoadmin_log_dir }}"
|
||||
owner: "{{ evoadmin_username }}"
|
||||
group: "{{ evoadmin_username }}"
|
||||
state: directory
|
||||
|
||||
- include_role:
|
||||
name: remount-usr
|
||||
when: evoadmin_scripts_dir | search ("/usr")
|
||||
|
@ -64,7 +71,7 @@
|
|||
state: directory
|
||||
|
||||
- name: Install scripts like web-add.sh
|
||||
shell: "cp {{ evoadmin_document_root}}/scripts/* {{ evoadmin_scripts_dir }}/"
|
||||
shell: "cp {{ evoadmin_document_root }}/scripts/* {{ evoadmin_scripts_dir }}/"
|
||||
args:
|
||||
creates: "{{ evoadmin_scripts_dir }}/web-add.sh"
|
||||
|
||||
|
|
|
@ -6,3 +6,7 @@ $localconf['debug'] = FALSE;
|
|||
$localconf['superadmin'] = array();
|
||||
$localconf['script_path'] = '{{ evoadmin_scripts_dir }}';
|
||||
$localconf['cluster'] = FALSE;
|
||||
// auth (sha256 hashs) / echo -n YourPass | sha256sum
|
||||
$oriconf['logins'] = array();
|
||||
//$oriconf['logins']['foo'] = 'd5d3c723fb82cb0078f399888af78204234535ec2ef3da56710fdd51f90d2477';
|
||||
//$oriconf['logins']['bar'] = '7938c84d6e43d1659612a7ea7c1101ed02e52751bb64597a8c20ebaba8ba4303';
|
||||
|
|
Loading…
Reference in a new issue