Merge branch 'unstable' into lpoujol/better-multiphp
This commit is contained in:
commit
d013a65cf6
|
@ -56,10 +56,11 @@ The **patch** part changes incrementally at each release.
|
||||||
* bind: change name of logrotate file to bind9
|
* bind: change name of logrotate file to bind9
|
||||||
* certbot: commit hook must be executed at the end
|
* certbot: commit hook must be executed at the end
|
||||||
* elasticsearch: listen on local interface only by default
|
* elasticsearch: listen on local interface only by default
|
||||||
* evocheck: upstream version 20.02.1
|
* evocheck: upstream version 20.04.2
|
||||||
* evocheck: cron jobs execute in verbose
|
* evocheck: cron jobs execute in verbose
|
||||||
* evolinux-base: use "evolinux_internal_group" for SSH authentication
|
* evolinux-base: use "evolinux_internal_group" for SSH authentication
|
||||||
* evolinux-base: Don't customize the logcheck recipient by default.
|
* evolinux-base: Don't customize the logcheck recipient by default.
|
||||||
|
* evolinux-base: configure cciss-vol-statusd in the proper file
|
||||||
* evomaintenance: upstream release 0.6.3
|
* evomaintenance: upstream release 0.6.3
|
||||||
* evomaintenance: Turn on API by default (instead of DB)
|
* evomaintenance: Turn on API by default (instead of DB)
|
||||||
* evomaintenance: install PG dependencies only when needed
|
* evomaintenance: install PG dependencies only when needed
|
||||||
|
@ -82,6 +83,7 @@ The **patch** part changes incrementally at each release.
|
||||||
* php: Make sure the default pool we define can be fully functionnal witout debian's default pool file
|
* php: Make sure the default pool we define can be fully functionnal witout debian's default pool file
|
||||||
* php: Change the default pool names to something more explicit (and same for the variables names)
|
* php: Change the default pool names to something more explicit (and same for the variables names)
|
||||||
* php: Add a task to remove Debian's default FPM pool file (off by default)
|
* php: Add a task to remove Debian's default FPM pool file (off by default)
|
||||||
|
* php: Cleanup CLI Settings. Also, allow url fopen and don't disable functions (in CLI only)
|
||||||
* postgresql : changed logrotate config to 10 days (and fixed permissions)
|
* postgresql : changed logrotate config to 10 days (and fixed permissions)
|
||||||
* rbenv: changed default Ruby version to 2.7.0
|
* rbenv: changed default Ruby version to 2.7.0
|
||||||
* squid: Remove wait time when we turn off squid
|
* squid: Remove wait time when we turn off squid
|
||||||
|
|
|
@ -18,3 +18,6 @@
|
||||||
- name: systemd daemon-reload
|
- name: systemd daemon-reload
|
||||||
systemd:
|
systemd:
|
||||||
daemon_reload: yes
|
daemon_reload: yes
|
||||||
|
|
||||||
|
- name: install certbot-auto
|
||||||
|
command: /usr/local/bin/certbot --install-only
|
||||||
|
|
|
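Review bot: The handler added at the end of this hunk, `install certbot-auto`, runs `/usr/local/bin/certbot --install-only` as a bare `command:`, so every notification is reported as changed and a non-zero exit aborts the play with no retry. If the binary is the self-updating certbot-auto script, as the handler name suggests, `--install-only` bootstraps certbot's dependencies at handler time, which deserves a comment so operators know what the handler needs, e.g. `# bootstraps certbot's dependencies on first install; presumably needs network access`. Consider `changed_when: false` if the installer is expected to be idempotent, or at least align the handler name with the path it invokes (`certbot` vs `certbot-auto`).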
@ -16,6 +16,7 @@
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
force: no
|
force: no
|
||||||
|
notify: install certbot-auto
|
||||||
|
|
||||||
- name: systemd artefacts are absent
|
- name: systemd artefacts are absent
|
||||||
file:
|
file:
|
||||||
|
|
|
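Review bot: The `notify: install certbot-auto` added here hangs off a task that also carries `force: no` on the line above, so the handler fires only when the destination file is absent, i.e. on the first deployment; a later change to the shipped file is neither copied nor reinstalled. If that is intended, record it with a comment such as `# force: no -> the handler only runs on the initial install`; otherwise drop `force: no` so updates propagate and re-trigger the installer. The enclosing task starts before this hunk, so its module and source cannot be checked here. `force: false` is the portable spelling of the YAML 1.1 `no`.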
@ -1,6 +1,7 @@
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
|
|
||||||
readonly PROGNAME=$(basename "$0")
|
readonly PROGNAME=$(basename "$0")
|
||||||
|
# shellcheck disable=SC2124,SC2034
|
||||||
readonly ARGS=$@
|
readonly ARGS=$@
|
||||||
|
|
||||||
readonly VERBOSE=${VERBOSE:-"0"}
|
readonly VERBOSE=${VERBOSE:-"0"}
|
||||||
|
@ -17,6 +18,7 @@ debug() {
|
||||||
}
|
}
|
||||||
|
|
||||||
if [ -n "$(pidof apache2)" ]; then
|
if [ -n "$(pidof apache2)" ]; then
|
||||||
|
# shellcheck disable=SC2091
|
||||||
if $($(command -v apache2ctl) -t 2> /dev/null); then
|
if $($(command -v apache2ctl) -t 2> /dev/null); then
|
||||||
debug "Apache detected... reloading"
|
debug "Apache detected... reloading"
|
||||||
service apache2 reload
|
service apache2 reload
|
||||||
|
|
|
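Review bot: The `# shellcheck disable=SC2091` added before `if $($(command -v apache2ctl) -t 2> /dev/null); then` silences a real warning rather than fixing it: the outer `$(...)` executes whatever `apache2ctl -t` writes to stdout as a command, and the test only works because that stdout happens to be empty, so the exit status of the substitution falls through to `if`. Running the command directly tests its status without executing its output, `if "$(command -v apache2ctl)" -t > /dev/null 2>&1; then`, and the suppression becomes unnecessary. The same pattern and suppression are added in the dovecot, nginx and postfix hook hunks below; there the pipelines ending in `grep -q` can likewise be used directly as the `if` condition. The enclosing `if [ -n "$(pidof apache2)" ]` block continues past the hunk.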
@ -1,6 +1,7 @@
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
|
|
||||||
readonly PROGNAME=$(basename "$0")
|
readonly PROGNAME=$(basename "$0")
|
||||||
|
# shellcheck disable=SC2124,SC2034
|
||||||
readonly ARGS=$@
|
readonly ARGS=$@
|
||||||
|
|
||||||
readonly VERBOSE=${VERBOSE:-"0"}
|
readonly VERBOSE=${VERBOSE:-"0"}
|
||||||
|
@ -17,7 +18,9 @@ debug() {
|
||||||
}
|
}
|
||||||
|
|
||||||
if [ -n "$(pidof dovecot)" ]; then
|
if [ -n "$(pidof dovecot)" ]; then
|
||||||
|
# shellcheck disable=SC2091
|
||||||
if $($(command -v doveconf) > /dev/null); then
|
if $($(command -v doveconf) > /dev/null); then
|
||||||
|
# shellcheck disable=SC2091
|
||||||
if $($(command -v doveconf)|grep -E "^ssl_cert[^_]"|grep -q "letsencrypt"); then
|
if $($(command -v doveconf)|grep -E "^ssl_cert[^_]"|grep -q "letsencrypt"); then
|
||||||
debug "Dovecot detected... reloading"
|
debug "Dovecot detected... reloading"
|
||||||
service dovecot reload
|
service dovecot reload
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
|
|
||||||
readonly PROGNAME=$(basename "$0")
|
readonly PROGNAME=$(basename "$0")
|
||||||
|
# shellcheck disable=SC2124,SC2034
|
||||||
readonly ARGS=$@
|
readonly ARGS=$@
|
||||||
|
|
||||||
readonly VERBOSE=${VERBOSE:-"0"}
|
readonly VERBOSE=${VERBOSE:-"0"}
|
||||||
|
@ -17,6 +18,7 @@ debug() {
|
||||||
}
|
}
|
||||||
|
|
||||||
if [ -n "$(pidof nginx)" ]; then
|
if [ -n "$(pidof nginx)" ]; then
|
||||||
|
# shellcheck disable=SC2091
|
||||||
if $($(command -v nginx) -t 2> /dev/null); then
|
if $($(command -v nginx) -t 2> /dev/null); then
|
||||||
debug "Nginx detected... reloading"
|
debug "Nginx detected... reloading"
|
||||||
service nginx reload
|
service nginx reload
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
|
|
||||||
readonly PROGNAME=$(basename "$0")
|
readonly PROGNAME=$(basename "$0")
|
||||||
|
# shellcheck disable=SC2124,SC2034
|
||||||
readonly ARGS=$@
|
readonly ARGS=$@
|
||||||
|
|
||||||
readonly VERBOSE=${VERBOSE:-"0"}
|
readonly VERBOSE=${VERBOSE:-"0"}
|
||||||
|
@ -17,7 +18,9 @@ debug() {
|
||||||
}
|
}
|
||||||
|
|
||||||
if [ -n "$(pidof master)" ]; then
|
if [ -n "$(pidof master)" ]; then
|
||||||
|
# shellcheck disable=SC2091
|
||||||
if $($(command -v postconf) > /dev/null); then
|
if $($(command -v postconf) > /dev/null); then
|
||||||
|
# shellcheck disable=SC2091
|
||||||
if $($(command -v postconf)|grep -E "^smtpd_tls_cert_file"|grep -q "letsencrypt"); then
|
if $($(command -v postconf)|grep -E "^smtpd_tls_cert_file"|grep -q "letsencrypt"); then
|
||||||
debug "Postfix detected... reloading"
|
debug "Postfix detected... reloading"
|
||||||
service postfix reload
|
service postfix reload
|
||||||
|
|
|
@ -4,6 +4,8 @@
|
||||||
# Script to verify compliance of a Debian/OpenBSD server
|
# Script to verify compliance of a Debian/OpenBSD server
|
||||||
# powered by Evolix
|
# powered by Evolix
|
||||||
|
|
||||||
|
readonly VERSION="20.04.2"
|
||||||
|
|
||||||
# base functions
|
# base functions
|
||||||
|
|
||||||
show_version() {
|
show_version() {
|
||||||
|
@ -551,6 +553,20 @@ check_evobackup() {
|
||||||
evobackup_found=$(find /etc/cron* -name '*evobackup*' | wc -l)
|
evobackup_found=$(find /etc/cron* -name '*evobackup*' | wc -l)
|
||||||
test "$evobackup_found" -gt 0 || failed "IS_EVOBACKUP" "missing evobackup cron"
|
test "$evobackup_found" -gt 0 || failed "IS_EVOBACKUP" "missing evobackup cron"
|
||||||
}
|
}
|
||||||
|
# Vérification de l'exclusion des montages (NFS) dans les sauvegardes
|
||||||
|
check_evobackup_exclude_mount() {
|
||||||
|
excludes_file=$(mktemp)
|
||||||
|
# shellcheck disable=SC2064
|
||||||
|
trap "rm -f ${excludes_file}" 0
|
||||||
|
# shellcheck disable=SC2044
|
||||||
|
for evobackup_file in $(find /etc/cron* -name '*evobackup*'); do
|
||||||
|
grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}"
|
||||||
|
not_excluded=$(findmnt --type nfs,nfs4,fuse.sshfs, -o target --noheadings | grep -v -f "${excludes_file}")
|
||||||
|
for mount in ${not_excluded}; do
|
||||||
|
failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script"
|
||||||
|
done
|
||||||
|
done
|
||||||
|
}
|
||||||
# Verification de la presence du userlogrotate
|
# Verification de la presence du userlogrotate
|
||||||
check_userlogrotate() {
|
check_userlogrotate() {
|
||||||
if is_pack_web; then
|
if is_pack_web; then
|
||||||
|
@ -1225,6 +1241,29 @@ check_apt_valid_until() {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
check_chrooted_binary_not_uptodate() {
|
||||||
|
# list of processes to check
|
||||||
|
process_list="sshd"
|
||||||
|
for process_name in ${process_list}; do
|
||||||
|
# what is the binary path?
|
||||||
|
original_bin=$(command -v "${process_name}")
|
||||||
|
for pid in $(pgrep ${process_name}); do
|
||||||
|
process_bin=$(realpath /proc/${pid}/exe)
|
||||||
|
# Is the process chrooted?
|
||||||
|
real_root=$(realpath /proc/${pid}/root)
|
||||||
|
if [ "${real_root}" != "/" ]; then
|
||||||
|
chrooted_md5=$(md5sum "${process_bin}" | cut -f 1 -d ' ')
|
||||||
|
original_md5=$(md5sum "${original_bin}" | cut -f 1 -d ' ')
|
||||||
|
# compare md5 checksums
|
||||||
|
if [ "$original_md5" != "$chrooted_md5" ]; then
|
||||||
|
failed "IS_CHROOTED_BINARY_NOT_UPTODATE" "${process_bin} (${pid}) is different than ${original_bin}."
|
||||||
|
test "${VERBOSE}" = 1 || break
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
main() {
|
main() {
|
||||||
# Default return code : 0 = no error
|
# Default return code : 0 = no error
|
||||||
RC=0
|
RC=0
|
||||||
|
@ -1300,6 +1339,7 @@ main() {
|
||||||
test "${IS_AUTOIF:=1}" = 1 && check_autoif
|
test "${IS_AUTOIF:=1}" = 1 && check_autoif
|
||||||
test "${IS_INTERFACESGW:=1}" = 1 && check_interfacesgw
|
test "${IS_INTERFACESGW:=1}" = 1 && check_interfacesgw
|
||||||
test "${IS_EVOBACKUP:=1}" = 1 && check_evobackup
|
test "${IS_EVOBACKUP:=1}" = 1 && check_evobackup
|
||||||
|
test "${IS_EVOBACKUP_EXCLUDE_MOUNT:=1}" = 1 && check_evobackup_exclude_mount
|
||||||
test "${IS_USERLOGROTATE:=1}" = 1 && check_userlogrotate
|
test "${IS_USERLOGROTATE:=1}" = 1 && check_userlogrotate
|
||||||
test "${IS_APACHECTL:=1}" = 1 && check_apachectl
|
test "${IS_APACHECTL:=1}" = 1 && check_apachectl
|
||||||
test "${IS_APACHESYMLINK:=1}" = 1 && check_apachesymlink
|
test "${IS_APACHESYMLINK:=1}" = 1 && check_apachesymlink
|
||||||
|
@ -1348,6 +1388,7 @@ main() {
|
||||||
test "${IS_OSPROBER:=1}" = 1 && check_osprober
|
test "${IS_OSPROBER:=1}" = 1 && check_osprober
|
||||||
test "${IS_JESSIE_BACKPORTS:=1}" = 1 && check_jessie_backports
|
test "${IS_JESSIE_BACKPORTS:=1}" = 1 && check_jessie_backports
|
||||||
test "${IS_APT_VALID_UNTIL:=1}" = 1 && check_apt_valid_until
|
test "${IS_APT_VALID_UNTIL:=1}" = 1 && check_apt_valid_until
|
||||||
|
test "${IS_CHROOTED_BINARY_NOT_UPTODATE:=1}" = 1 && check_chrooted_binary_not_uptodate
|
||||||
fi
|
fi
|
||||||
|
|
||||||
#-----------------------------------------------------------
|
#-----------------------------------------------------------
|
||||||
|
@ -1460,8 +1501,6 @@ readonly PROGDIR=$(realpath -m "$(dirname "$0")")
|
||||||
# shellcheck disable=2124
|
# shellcheck disable=2124
|
||||||
readonly ARGS=$@
|
readonly ARGS=$@
|
||||||
|
|
||||||
readonly VERSION="20.02.1"
|
|
||||||
|
|
||||||
# Disable LANG*
|
# Disable LANG*
|
||||||
export LANG=C
|
export LANG=C
|
||||||
export LANGUAGE=C
|
export LANGUAGE=C
|
||||||
|
|
|
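Review bot: In the new `check_chrooted_binary_not_uptodate`, `for pid in $(pgrep ${process_name})` matches any process whose name merely contains `sshd`, and a pid that exits between `pgrep` and `realpath` leaves `process_bin` empty, so the following `md5sum "${process_bin}"` errors instead of being skipped. Use an exact match and a guard: `for pid in $(pgrep -x "${process_name}"); do` and `process_bin=$(realpath "/proc/${pid}/exe" 2> /dev/null) || continue`. `original_bin=$(command -v "${process_name}")` can also be empty when the script runs with a PATH lacking the sbin directories (cron environments, presumably), which would make `md5sum "${original_bin}"` fail the same way; a `test -n "${original_bin}" || continue` after it keeps the check quiet in that case. The `main()` hunks below only wire the two new checks in and need no change.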
@ -52,17 +52,24 @@
|
||||||
- ssacli
|
- ssacli
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: Configure packages for HP hardware
|
- name: cciss-vol-statusd init script is present
|
||||||
template:
|
template:
|
||||||
src: hardware/cciss-vol-statusd.j2
|
src: hardware/cciss-vol-statusd.j2
|
||||||
dest: /etc/init.d/cciss-vol-statusd
|
dest: /etc/init.d/cciss-vol-statusd
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
|
|
||||||
|
- name: Configure cciss-vol-statusd
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/default/cciss-vol-statusd
|
||||||
|
line: 'MAILTO="{{ raid_alert_email or general_alert_email | mandatory }}"'
|
||||||
|
regexp: 'MAILTO='
|
||||||
|
create: yes
|
||||||
|
|
||||||
- name: Enable HP hardware in systemd
|
- name: Enable HP hardware in systemd
|
||||||
service:
|
service:
|
||||||
name: cciss-vol-statusd
|
name: cciss-vol-statusd
|
||||||
enabled: true
|
enabled: true
|
||||||
state: started
|
state: restarted
|
||||||
when: "'Hewlett-Packard Company Smart Array' in raidmodel.stdout"
|
when: "'Hewlett-Packard Company Smart Array' in raidmodel.stdout"
|
||||||
|
|
||||||
- name: MegaRAID SAS package is present
|
- name: MegaRAID SAS package is present
|
||||||
|
|
|
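Review bot: `state: restarted` on the `Enable HP hardware in systemd` task restarts cciss-vol-statusd on every run of the play whenever the `when` condition holds, which makes the role non-idempotent and interrupts the monitoring daemon needlessly. Keep `state: started` and have the two configuration tasks (the init-script template and the new `Configure cciss-vol-statusd` lineinfile) carry `notify: restart cciss-vol-statusd` with a matching handler, so a restart happens only when something actually changed. The new `create: yes` should be spelled `create: true`. `regexp: 'MAILTO='` is unanchored and would also match a commented `#MAILTO=` line if the defaults file has one; `regexp: '^MAILTO='` is tighter.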
@ -20,7 +20,7 @@ PIDFILE=/var/run/$NAME.pid
|
||||||
STATUSFILE=/var/run/$NAME.status
|
STATUSFILE=/var/run/$NAME.status
|
||||||
SCRIPTNAME=/etc/init.d/$NAME
|
SCRIPTNAME=/etc/init.d/$NAME
|
||||||
|
|
||||||
MAILTO="{{ raid_alert_email or general_alert_email | mandatory }}" # Where to report problems
|
MAILTO="root" # Where to report problems
|
||||||
PERIOD=600 # Seconds between each check (default 10 minutes)
|
PERIOD=600 # Seconds between each check (default 10 minutes)
|
||||||
REMIND=86400 # Seconds between each reminder (default 2 hours)
|
REMIND=86400 # Seconds between each reminder (default 2 hours)
|
||||||
RUN_DAEMON=yes
|
RUN_DAEMON=yes
|
||||||
|
|
|
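Review bot: `MAILTO="root"` in the init script is now a placeholder and the real recipient is written by the playbook to `/etc/default/cciss-vol-statusd`; that only takes effect if the script sources the defaults file after this assignment, which this hunk does not show. Worth a comment on the changed line, `MAILTO="root" # overridden by /etc/default/$NAME when sourced below`, and a check that the sourcing actually happens later in the script. The neighbouring `REMIND=86400` comment is pre-existing but wrong: 86400 seconds is 24 hours, not 2.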
@ -30,7 +30,7 @@
|
||||||
tags:
|
tags:
|
||||||
- fail2ban
|
- fail2ban
|
||||||
|
|
||||||
- name: Include ignoredips update task
|
- name: Include ignoredips update task
|
||||||
include: ip_whitelist.yml
|
include: ip_whitelist.yml
|
||||||
when: fail2ban_force_update_ignore_ips
|
when: fail2ban_force_update_ignore_ips
|
||||||
tags:
|
tags:
|
||||||
|
|
|
@ -52,6 +52,7 @@
|
||||||
mode: "0600"
|
mode: "0600"
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
|
force: no
|
||||||
|
|
||||||
- name: old-kernel-autoremoval script is present
|
- name: old-kernel-autoremoval script is present
|
||||||
copy:
|
copy:
|
||||||
|
|
|
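Review bot: The added `force: no` means the destination file is written only when absent, so any later fix to the source of this copy never reaches hosts already deployed; the php task file in this same commit documents exactly this trap (`"force: no" prevents any fix after the fact`). If the file is meant to be locally editable after the first copy, say so with a comment, `# force: no: keep local edits, content is not re-synced after first deployment`; otherwise drop the line. The enclosing task begins before this hunk, so its module and source are not visible here. Prefer `force: false` to the YAML 1.1 `no`.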
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
Install MongoDB
|
Install MongoDB
|
||||||
|
|
||||||
We use packages from 10Gen for Jessie and packages from Debian for Stretch.
|
We use Debian packages for Stretch, but MongoDB.org packages for Jessie/Buster
|
||||||
|
|
||||||
## Tasks
|
## Tasks
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
---
|
---
|
||||||
- name: "Set default php.ini values for CLI (jessie)"
|
- name: "Set default php.ini values for CLI"
|
||||||
ini_file:
|
ini_file:
|
||||||
dest: "{{ php_cli_defaults_ini_file }}"
|
dest: "{{ php_cli_defaults_ini_file }}"
|
||||||
section: PHP
|
section: PHP
|
||||||
|
@ -8,21 +8,11 @@
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
create: yes
|
create: yes
|
||||||
with_items:
|
with_items:
|
||||||
- { option: "short_open_tag", value: "Off" }
|
- { option: "display_errors", value: "On" }
|
||||||
- { option: "expose_php", value: "Off" }
|
- { option: "allow_url_fopen", value: "On" }
|
||||||
- { option: "display_errors", value: "Off" }
|
- { option: "disable_functions", value: "" }
|
||||||
- { option: "log_errors", value: "On" }
|
|
||||||
- { option: "html_errors", value: "Off" }
|
|
||||||
- { option: "allow_url_fopen", value: "Off" }
|
|
||||||
|
|
||||||
- name: "Disable PHP functions for CLI (jessie)"
|
- name: Custom php.ini for CLI
|
||||||
ini_file:
|
|
||||||
dest: "{{ php_cli_defaults_ini_file }}"
|
|
||||||
section: PHP
|
|
||||||
option: disable_functions
|
|
||||||
value: "exec,shell-exec,system,passthru,putenv,popen"
|
|
||||||
|
|
||||||
- name: Custom php.ini for CLI (jessie)
|
|
||||||
copy:
|
copy:
|
||||||
dest: "{{ php_cli_custom_ini_file }}"
|
dest: "{{ php_cli_custom_ini_file }}"
|
||||||
content: |
|
content: |
|
||||||
|
@ -31,12 +21,12 @@
|
||||||
|
|
||||||
# This task is not merged with the above copy
|
# This task is not merged with the above copy
|
||||||
# because "force: no" prevents any fix after the fact
|
# because "force: no" prevents any fix after the fact
|
||||||
- name: "Permissions for custom php.ini for CLI (jessie)"
|
- name: "Permissions for custom php.ini for CLI"
|
||||||
file:
|
file:
|
||||||
dest: "{{ php_cli_custom_ini_file }}"
|
dest: "{{ php_cli_custom_ini_file }}"
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
|
|
||||||
- name: "Set custom values for PHP to enable Symfony (jessie)"
|
- name: "Set custom values for PHP to enable Symfony"
|
||||||
ini_file:
|
ini_file:
|
||||||
dest: "{{ php_cli_custom_ini_file }}"
|
dest: "{{ php_cli_custom_ini_file }}"
|
||||||
section: PHP
|
section: PHP
|
||||||
|
|
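Review bot: The CLI ini list now sets `allow_url_fopen` to `On` and `disable_functions` to an empty string, and the `Disable PHP functions for CLI` task is deleted, with nothing in the task file recording why the CLI is exempt from the restrictions; the changelog entry ("in CLI only") is the only trace. Add a comment above `with_items`, for instance `# CLI only: url fopen is allowed and disable_functions is cleared on purpose, command-line tools need exec()/shell_exec(); web-facing settings live in the other task files`, adjusted to what those files actually do. `create: yes` should be `create: true`.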