Merge branch 'unstable' into lpoujol/better-multiphp
continuous-integration/drone/push Build is passing Détails
continuous-integration/drone/pr Build is failing Détails

Cette révision appartient à :
Jérémy Lecour 2020-04-17 12:23:56 +02:00
révision d013a65cf6
14 fichiers modifiés avec 78 ajouts et 25 suppressions

Voir le fichier

@ -56,10 +56,11 @@ The **patch** part changes incrementally at each release.
* bind: change name of logrotate file to bind9
* certbot: commit hook must be executed at the end
* elasticsearch: listen on local interface only by default
* evocheck: upstream version 20.02.1
* evocheck: upstream version 20.04.2
* evocheck: cron jobs execute in verbose
* evolinux-base: use "evolinux_internal_group" for SSH authentication
* evolinux-base: Don't customize the logcheck recipient by default.
* evolinux-base: configure cciss-vol-statusd in the proper file
* evomaintenance: upstream release 0.6.3
* evomaintenance: Turn on API by default (instead of DB)
* evomaintenance: install PG dependencies only when needed
@ -82,6 +83,7 @@ The **patch** part changes incrementally at each release.
* php: Make sure the default pool we define can be fully functionnal witout debian's default pool file
* php: Change the default pool names to something more explicit (and same for the variables names)
* php: Add a task to remove Debian's default FPM pool file (off by default)
* php: Cleanup CLI Settings. Also, allow url fopen and don't disable functions (in CLI only)
* postgresql : changed logrotate config to 10 days (and fixed permissions)
* rbenv: changed default Ruby version to 2.7.0
* squid: Remove wait time when we turn off squid

Voir le fichier

@ -18,3 +18,6 @@
- name: systemd daemon-reload
systemd:
daemon_reload: yes
- name: install certbot-auto
command: /usr/local/bin/certbot --install-only

Voir le fichier

@ -16,6 +16,7 @@
owner: root
group: root
force: no
notify: install certbot-auto
- name: systemd artefacts are absent
file:

Voir le fichier

@ -1,6 +1,7 @@
#!/bin/sh
readonly PROGNAME=$(basename "$0")
# shellcheck disable=SC2124,SC2034
readonly ARGS=$@
readonly VERBOSE=${VERBOSE:-"0"}
@ -17,6 +18,7 @@ debug() {
}
if [ -n "$(pidof apache2)" ]; then
# shellcheck disable=SC2091
if $($(command -v apache2ctl) -t 2> /dev/null); then
debug "Apache detected... reloading"
service apache2 reload

Voir le fichier

@ -1,6 +1,7 @@
#!/bin/sh
readonly PROGNAME=$(basename "$0")
# shellcheck disable=SC2124,SC2034
readonly ARGS=$@
readonly VERBOSE=${VERBOSE:-"0"}
@ -17,7 +18,9 @@ debug() {
}
if [ -n "$(pidof dovecot)" ]; then
# shellcheck disable=SC2091
if $($(command -v doveconf) > /dev/null); then
# shellcheck disable=SC2091
if $($(command -v doveconf)|grep -E "^ssl_cert[^_]"|grep -q "letsencrypt"); then
debug "Dovecot detected... reloading"
service dovecot reload

Voir le fichier

@ -1,6 +1,7 @@
#!/bin/sh
readonly PROGNAME=$(basename "$0")
# shellcheck disable=SC2124,SC2034
readonly ARGS=$@
readonly VERBOSE=${VERBOSE:-"0"}
@ -17,6 +18,7 @@ debug() {
}
if [ -n "$(pidof nginx)" ]; then
# shellcheck disable=SC2091
if $($(command -v nginx) -t 2> /dev/null); then
debug "Nginx detected... reloading"
service nginx reload

Voir le fichier

@ -1,6 +1,7 @@
#!/bin/sh
readonly PROGNAME=$(basename "$0")
# shellcheck disable=SC2124,SC2034
readonly ARGS=$@
readonly VERBOSE=${VERBOSE:-"0"}
@ -17,7 +18,9 @@ debug() {
}
if [ -n "$(pidof master)" ]; then
# shellcheck disable=SC2091
if $($(command -v postconf) > /dev/null); then
# shellcheck disable=SC2091
if $($(command -v postconf)|grep -E "^smtpd_tls_cert_file"|grep -q "letsencrypt"); then
debug "Postfix detected... reloading"
service postfix reload

Voir le fichier

@ -4,6 +4,8 @@
# Script to verify compliance of a Debian/OpenBSD server
# powered by Evolix
readonly VERSION="20.04.2"
# base functions
show_version() {
@ -551,6 +553,20 @@ check_evobackup() {
evobackup_found=$(find /etc/cron* -name '*evobackup*' | wc -l)
test "$evobackup_found" -gt 0 || failed "IS_EVOBACKUP" "missing evobackup cron"
}
# Vérification de l'exclusion des montages (NFS) dans les sauvegardes
check_evobackup_exclude_mount() {
excludes_file=$(mktemp)
# shellcheck disable=SC2064
trap "rm -f ${excludes_file}" 0
# shellcheck disable=SC2044
for evobackup_file in $(find /etc/cron* -name '*evobackup*'); do
grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}"
not_excluded=$(findmnt --type nfs,nfs4,fuse.sshfs, -o target --noheadings | grep -v -f "${excludes_file}")
for mount in ${not_excluded}; do
failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script"
done
done
}
# Verification de la presence du userlogrotate
check_userlogrotate() {
if is_pack_web; then
@ -1225,6 +1241,29 @@ check_apt_valid_until() {
fi
}
check_chrooted_binary_not_uptodate() {
# list of processes to check
process_list="sshd"
for process_name in ${process_list}; do
# what is the binary path?
original_bin=$(command -v "${process_name}")
for pid in $(pgrep ${process_name}); do
process_bin=$(realpath /proc/${pid}/exe)
# Is the process chrooted?
real_root=$(realpath /proc/${pid}/root)
if [ "${real_root}" != "/" ]; then
chrooted_md5=$(md5sum "${process_bin}" | cut -f 1 -d ' ')
original_md5=$(md5sum "${original_bin}" | cut -f 1 -d ' ')
# compare md5 checksums
if [ "$original_md5" != "$chrooted_md5" ]; then
failed "IS_CHROOTED_BINARY_NOT_UPTODATE" "${process_bin} (${pid}) is different than ${original_bin}."
test "${VERBOSE}" = 1 || break
fi
fi
done
done
}
main() {
# Default return code : 0 = no error
RC=0
@ -1300,6 +1339,7 @@ main() {
test "${IS_AUTOIF:=1}" = 1 && check_autoif
test "${IS_INTERFACESGW:=1}" = 1 && check_interfacesgw
test "${IS_EVOBACKUP:=1}" = 1 && check_evobackup
test "${IS_EVOBACKUP_EXCLUDE_MOUNT:=1}" = 1 && check_evobackup_exclude_mount
test "${IS_USERLOGROTATE:=1}" = 1 && check_userlogrotate
test "${IS_APACHECTL:=1}" = 1 && check_apachectl
test "${IS_APACHESYMLINK:=1}" = 1 && check_apachesymlink
@ -1348,6 +1388,7 @@ main() {
test "${IS_OSPROBER:=1}" = 1 && check_osprober
test "${IS_JESSIE_BACKPORTS:=1}" = 1 && check_jessie_backports
test "${IS_APT_VALID_UNTIL:=1}" = 1 && check_apt_valid_until
test "${IS_CHROOTED_BINARY_NOT_UPTODATE:=1}" = 1 && check_chrooted_binary_not_uptodate
fi
#-----------------------------------------------------------
@ -1460,8 +1501,6 @@ readonly PROGDIR=$(realpath -m "$(dirname "$0")")
# shellcheck disable=2124
readonly ARGS=$@
readonly VERSION="20.02.1"
# Disable LANG*
export LANG=C
export LANGUAGE=C

Voir le fichier

@ -52,17 +52,24 @@
- ssacli
state: present
- name: Configure packages for HP hardware
- name: cciss-vol-statusd init script is present
template:
src: hardware/cciss-vol-statusd.j2
dest: /etc/init.d/cciss-vol-statusd
mode: "0755"
- name: Configure cciss-vol-statusd
lineinfile:
dest: /etc/default/cciss-vol-statusd
line: 'MAILTO="{{ raid_alert_email or general_alert_email | mandatory }}"'
regexp: 'MAILTO='
create: yes
- name: Enable HP hardware in systemd
service:
name: cciss-vol-statusd
enabled: true
state: started
state: restarted
when: "'Hewlett-Packard Company Smart Array' in raidmodel.stdout"
- name: MegaRAID SAS package is present

Voir le fichier

@ -20,7 +20,7 @@ PIDFILE=/var/run/$NAME.pid
STATUSFILE=/var/run/$NAME.status
SCRIPTNAME=/etc/init.d/$NAME
MAILTO="{{ raid_alert_email or general_alert_email | mandatory }}" # Where to report problems
MAILTO="root" # Where to report problems
PERIOD=600 # Seconds between each check (default 10 minutes)
REMIND=86400 # Seconds between each reminder (default 2 hours)
RUN_DAEMON=yes

Voir le fichier

@ -30,7 +30,7 @@
tags:
- fail2ban
- name: Include ignoredips update task
- name: Include ignoredips update task
include: ip_whitelist.yml
when: fail2ban_force_update_ignore_ips
tags:

Voir le fichier

@ -52,6 +52,7 @@
mode: "0600"
owner: root
group: root
force: no
- name: old-kernel-autoremoval script is present
copy:

Voir le fichier

@ -2,7 +2,7 @@
Install MongoDB
We use packages from 10Gen for Jessie and packages from Debian for Stretch.
We use Debian packages for Stretch, but MongoDB.org packages for Jessie/Buster
## Tasks

Voir le fichier

@ -1,5 +1,5 @@
---
- name: "Set default php.ini values for CLI (jessie)"
- name: "Set default php.ini values for CLI"
ini_file:
dest: "{{ php_cli_defaults_ini_file }}"
section: PHP
@ -8,21 +8,11 @@
mode: "0644"
create: yes
with_items:
- { option: "short_open_tag", value: "Off" }
- { option: "expose_php", value: "Off" }
- { option: "display_errors", value: "Off" }
- { option: "log_errors", value: "On" }
- { option: "html_errors", value: "Off" }
- { option: "allow_url_fopen", value: "Off" }
- { option: "display_errors", value: "On" }
- { option: "allow_url_fopen", value: "On" }
- { option: "disable_functions", value: "" }
- name: "Disable PHP functions for CLI (jessie)"
ini_file:
dest: "{{ php_cli_defaults_ini_file }}"
section: PHP
option: disable_functions
value: "exec,shell-exec,system,passthru,putenv,popen"
- name: Custom php.ini for CLI (jessie)
- name: Custom php.ini for CLI
copy:
dest: "{{ php_cli_custom_ini_file }}"
content: |
@ -31,12 +21,12 @@
# This task is not merged with the above copy
# because "force: no" prevents any fix after the fact
- name: "Permissions for custom php.ini for CLI (jessie)"
- name: "Permissions for custom php.ini for CLI"
file:
dest: "{{ php_cli_custom_ini_file }}"
mode: "0644"
- name: "Set custom values for PHP to enable Symfony (jessie)"
- name: "Set custom values for PHP to enable Symfony"
ini_file:
dest: "{{ php_cli_custom_ini_file }}"
section: PHP