From 96cd04ae404bbf46de7c5d900db641c2c1d2e905 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 30 Aug 2018 17:04:14 +0200 Subject: [PATCH 1/7] minifirewall: add a variable to disable the restart handler --- CHANGELOG.md | 1 + minifirewall/README.md | 1 + minifirewall/defaults/main.yml | 1 + minifirewall/tasks/config.yml | 12 +++++++++++- minifirewall/tasks/main.yml | 3 +++ minifirewall/tasks/tail.yml | 11 ++++++++++- 6 files changed, 27 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 25d77374..cdbe44ff 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,7 @@ The **patch** part changes incrementally at each release. ## [Unreleased] ### Added +* minifirewall: add a variable to disable the restart handler ### Changed diff --git a/minifirewall/README.md b/minifirewall/README.md index 67b389f1..6e82f735 100644 --- a/minifirewall/README.md +++ b/minifirewall/README.md @@ -16,6 +16,7 @@ Everything is in the `tasks/main.yml` file. * `minifirewall_trusted_ips`: with IP/hosts should be trusted for full access (default: none) * `minifirewall_privilegied_ips`: with IP/hosts should be trusted for restricted access (default: none) * `minifirewall_tail_included` : source a "tail" file at the end of the main config file. (default: `False`) +* `minifirewall_restart_if_needed` : should the restart handler be executed (default: `True`) The full list of variables (with default values) can be found in `defaults/main.yml`. **Some IP/hosts must be configured or the server will be inaccessible via network.** diff --git a/minifirewall/defaults/main.yml b/minifirewall/defaults/main.yml index 2b37a5cf..8351732f 100644 --- a/minifirewall/defaults/main.yml +++ b/minifirewall/defaults/main.yml @@ -24,6 +24,7 @@ minifirewall_private_ports_tcp: [5666] minifirewall_private_ports_udp: [] minifirewall_autostart: "no" +minifirewall_restart_if_needed: True evomaintenance_hosts: [] 
diff --git a/minifirewall/tasks/config.yml b/minifirewall/tasks/config.yml index 7ed07a91..c2c81f81 100644 --- a/minifirewall/tasks/config.yml +++ b/minifirewall/tasks/config.yml @@ -123,7 +123,17 @@ register: minifirewall_init_restart failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout" changed_when: "'starting IPTables rules is now finish : OK' in minifirewall_init_restart.stdout" - when: minifirewall_is_running.rc == 0 and (minifirewall_config_ips | changed or minifirewall_config_ports | changed) + when: + - minifirewall_restart_if_needed + - minifirewall_is_running.rc == 0 + - (minifirewall_config_ips | changed or minifirewall_config_ports | changed) + +- name: restart minifirewall (noop) + meta: noop + register: minifirewall_init_restart + failed_when: False + changed_when: False + when: not minifirewall_restart_if_needed - debug: var: minifirewall_init_restart diff --git a/minifirewall/tasks/main.yml b/minifirewall/tasks/main.yml index 1e135780..5fa59d25 100644 --- a/minifirewall/tasks/main.yml +++ b/minifirewall/tasks/main.yml @@ -1,5 +1,8 @@ --- +- set_fact: + minifirewall_restart_handler_name: "{{ minifirewall_restart_if_needed | ternary('restart minifirewall', 'restart minifirewall (noop)') }}" + - include: install.yml - include: config.yml diff --git a/minifirewall/tasks/tail.yml b/minifirewall/tasks/tail.yml index 3d61025d..a4cb6013 100644 --- a/minifirewall/tasks/tail.yml +++ b/minifirewall/tasks/tail.yml 
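Review bot: `register`, `failed_when` and `changed_when` on the new `restart minifirewall (noop)` task probably have no effect, because `meta` is a special task that, as far as I know, does not produce a registered result and `noop` is documented as mainly for internal use; `minifirewall_init_restart` may therefore still be unset for the `debug` task that follows (its body continues outside the hunk). A skipped task does register a result (`skipped: true`), so the `debug` already works with the first task alone and the noop task looks unnecessary; if an explicit marker is wanted, a `debug` task with `changed_when: False` is the conventional stand-in. The more important gap is that with `minifirewall_restart_if_needed: False` a changed `minifirewall_config_ips`/`minifirewall_config_ports` is written to disk but never loaded, so the running ruleset silently diverges from the configuration; a `debug: msg: "minifirewall configuration changed but the restart was skipped"` under the same change condition would make that visible in the play output. The same pattern is added in the tail.yml hunk of this patch.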
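Review bot: `minifirewall_restart_handler_name` is set by the new `set_fact` but nothing in this series consumes it: the force-restart task added in the second patch notifies `restart minifirewall` literally, and no handler named `restart minifirewall (noop)` appears in the hunks shown (the noop tasks are placed in tasks/config.yml and tasks/tail.yml, not in handlers). If a `notify: "{{ minifirewall_restart_handler_name }}"` is intended somewhere, that noop handler must exist in the role's handlers file, which I cannot see here; otherwise the fact is dead and can be dropped. At minimum a comment above the task such as `# handler name used by tasks that notify conditionally on minifirewall_restart_if_needed` would tell the reader what it is for.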
@@ -35,7 +35,16 @@ register: minifirewall_init_restart failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout" changed_when: "'starting IPTables rules is now finish : OK' in minifirewall_init_restart.stdout" - when: minifirewall_tail_template | changed + when: + - minifirewall_tail_template | changed + - minifirewall_restart_if_needed + +- name: restart minifirewall (noop) + meta: noop + register: minifirewall_init_restart + failed_when: False + changed_when: False + when: not minifirewall_restart_if_needed - debug: var: minifirewall_init_restart From 9787328a0bedf53cf33d3f10e616003eab6a6a54 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 30 Aug 2018 17:05:30 +0200 Subject: [PATCH 2/7] minifirewall: add a variable to force a restart of the firewall --- CHANGELOG.md | 1 + minifirewall/README.md | 1 + minifirewall/defaults/main.yml | 1 + minifirewall/tasks/main.yml | 5 +++++ 4 files changed, 8 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index cdbe44ff..bdec64fd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,7 @@ The **patch** part changes incrementally at each release. ### Added * minifirewall: add a variable to disable the restart handler +* minifirewall: add a variable to force a restart of the firewall (even with no change) ### Changed diff --git a/minifirewall/README.md b/minifirewall/README.md index 6e82f735..59cc86f6 100644 --- a/minifirewall/README.md +++ b/minifirewall/README.md 
@@ -17,6 +17,7 @@ Everything is in the `tasks/main.yml` file. * `minifirewall_privilegied_ips`: with IP/hosts should be trusted for restricted access (default: none) * `minifirewall_tail_included` : source a "tail" file at the end of the main config file. (default: `False`) * `minifirewall_restart_if_needed` : should the restart handler be executed (default: `True`) +* `minifirewall_restart_force` : force restart minifirewall at the end of the role execution (default: `False`) The full list of variables (with default values) can be found in `defaults/main.yml`. **Some IP/hosts must be configured or the server will be inaccessible via network.** diff --git a/minifirewall/defaults/main.yml b/minifirewall/defaults/main.yml index 8351732f..b1dfbaf1 100644 --- a/minifirewall/defaults/main.yml +++ b/minifirewall/defaults/main.yml @@ -25,6 +25,7 @@ minifirewall_private_ports_udp: [] minifirewall_autostart: "no" minifirewall_restart_if_needed: True +minifirewall_restart_force: False evomaintenance_hosts: [] diff --git a/minifirewall/tasks/main.yml b/minifirewall/tasks/main.yml index 5fa59d25..691d3842 100644 --- a/minifirewall/tasks/main.yml +++ b/minifirewall/tasks/main.yml @@ -13,3 +13,8 @@ - include: tail.yml when: minifirewall_tail_included + +- name: Force restart minifirewall + command: /bin/true + notify: restart minifirewall + when: minifirewall_restart_force From c25c3c6a311628d2c16f5d8e4cd79bb11850b2f5 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 30 Aug 2018 17:06:21 +0200 Subject: [PATCH 3/7] minifirewall: improve variables values and documentation --- CHANGELOG.md | 1 + minifirewall/README.md | 4 +++- minifirewall/defaults/main.yml | 6 ++++-- minifirewall/tasks/activate.yml | 2 +- minifirewall/tasks/tail.yml | 6 +++--- 5 files changed, 12 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bdec64fd..f58be4b3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
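Review bot: The `Force restart minifirewall` task notifies `restart minifirewall` regardless of `minifirewall_restart_if_needed`, so an inventory with `minifirewall_restart_force: True` and `minifirewall_restart_if_needed: False` still restarts the firewall; either make the condition `when: minifirewall_restart_force and minifirewall_restart_if_needed` or state in README.md that force takes precedence over the other flag. `command: /bin/true` spawns a process only to report a change; `debug: msg: "forcing minifirewall restart"` with `changed_when: True` is the usual idiom for a notify-only task. The handler itself is defined outside this patch, so whether it checks the restart output the way the tasks in config.yml and tail.yml do cannot be verified here.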
@@ -13,6 +13,7 @@ The **patch** part changes incrementally at each release. ### Added * minifirewall: add a variable to disable the restart handler * minifirewall: add a variable to force a restart of the firewall (even with no change) +* inifirewall: improve variables values and documentation ### Changed diff --git a/minifirewall/README.md b/minifirewall/README.md index 59cc86f6..7d023fd9 100644 --- a/minifirewall/README.md +++ b/minifirewall/README.md @@ -15,9 +15,11 @@ Everything is in the `tasks/main.yml` file. * `minifirewall_int_lan`: (default: IP/32) * `minifirewall_trusted_ips`: with IP/hosts should be trusted for full access (default: none) * `minifirewall_privilegied_ips`: with IP/hosts should be trusted for restricted access (default: none) -* `minifirewall_tail_included` : source a "tail" file at the end of the main config file. (default: `False`) +* `minifirewall_tail_included` : source a "tail" file at the end of the main config file (default: `False`) +* `minifirewall_tail_force` : overwrite the "tail" file (default: `True`) * `minifirewall_restart_if_needed` : should the restart handler be executed (default: `True`) * `minifirewall_restart_force` : force restart minifirewall at the end of the role execution (default: `False`) +* `minifirewall_autostart` : enable minifirewall start at boot time (default: `False`) The full list of variables (with default values) can be found in `defaults/main.yml`. **Some IP/hosts must be configured or the server will be inaccessible via network.** diff --git a/minifirewall/defaults/main.yml b/minifirewall/defaults/main.yml index b1dfbaf1..a331b033 100644 --- a/minifirewall/defaults/main.yml +++ b/minifirewall/defaults/main.yml @@ -1,6 +1,8 @@ --- + +minifirewall_tail_file: /etc/default/minifirewall.tail minifirewall_tail_included: False -minifirewall_tail_force: yes +minifirewall_tail_force: True minifirewall_git_url: "https://forge.evolix.org/minifirewall.git" minifirewall_checkout_path: "/tmp/minifirewall" 
@@ -23,7 +25,7 @@ minifirewall_semipublic_ports_udp: [] minifirewall_private_ports_tcp: [5666] minifirewall_private_ports_udp: [] -minifirewall_autostart: "no" +minifirewall_autostart: False minifirewall_restart_if_needed: True minifirewall_restart_force: False diff --git a/minifirewall/tasks/activate.yml b/minifirewall/tasks/activate.yml index ebe24fd6..1ecd0dc3 100644 --- a/minifirewall/tasks/activate.yml +++ b/minifirewall/tasks/activate.yml @@ -4,4 +4,4 @@ dest: /etc/init.d/alert5 regexp: '^#/etc/init.d/minifirewall start' replace: '/etc/init.d/minifirewall start' - when: minifirewall_autostart == "yes" + when: minifirewall_autostart diff --git a/minifirewall/tasks/tail.yml b/minifirewall/tasks/tail.yml index a4cb6013..4d404136 100644 --- a/minifirewall/tasks/tail.yml +++ b/minifirewall/tasks/tail.yml @@ -2,8 +2,8 @@ - name: Add some rules at the end of minifirewall file template: src: "{{ item }}" - dest: /etc/default/minifirewall.tail - force: "{{ minifirewall_tail_force | bool | ternary('yes', 'no') }}" + dest: "{{ minifirewall_tail_file }}" + force: "{{ minifirewall_tail_force | bool }}" with_first_found: - "templates/minifirewall-tail/minifirewall.{{ inventory_hostname }}.tail.j2" - "templates/minifirewall-tail/minifirewall.{{ host_group }}.tail.j2" @@ -19,7 +19,7 @@ blockinfile: dest: /etc/default/minifirewall marker: "# {mark} ANSIBLE MANAGED EXTERNAL RULES" - block: . /etc/default/minifirewall.tail + block: ". {{ minifirewall_tail_file }}" insertbefore: EOF register: minifirewall_tail_source From 9869a1f269ecb1577f19a1a25933e36c2e930818 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 31 Aug 2018 19:28:06 +0200 Subject: [PATCH 4/7] typo --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f58be4b3..639c7e13 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
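Review bot: `when: minifirewall_autostart` tests Jinja truthiness, so an inventory that still carries the previously documented string value `"no"` (the old default replaced in this patch) now enables the firewall at boot, since any non-empty string is truthy; `when: minifirewall_autostart | bool` keeps both the new boolean and the legacy `"yes"`/`"no"` strings working as intended. The CHANGELOG line for this patch says only "improve variables values and documentation", which understates a change in how an existing variable is interpreted; a sentence noting that `minifirewall_autostart` is now a boolean would help operators upgrading.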
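Review bot: The template task that writes `{{ minifirewall_tail_file }}` sets no `owner`, `group` or `mode` in the lines shown, while the second hunk of this file makes /etc/default/minifirewall source that file with `.`, so its contents are executed as shell, presumably as root, whenever the firewall starts; the file should therefore not be writable by anyone else, e.g. `owner: root`, `group: root`, `mode: "0644"` on the template task, unless those are already set further down, which is outside the hunk. Making the path a variable also means it can point anywhere; a comment next to `minifirewall_tail_file` in defaults/main.yml such as `# sourced as a shell script by /etc/default/minifirewall` would make that implication explicit.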
@@ -13,7 +13,7 @@ The **patch** part changes incrementally at each release. ### Added * minifirewall: add a variable to disable the restart handler * minifirewall: add a variable to force a restart of the firewall (even with no change) -* inifirewall: improve variables values and documentation +* minifirewall: improve variables values and documentation ### Changed From bf3e5b4cb6eb7b628de3a1b36ed5f8a09c40273b Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 4 Sep 2018 14:50:22 +0200 Subject: [PATCH 5/7] dovecot: enable SSL/TLS by default with snakeoil certificate --- CHANGELOG.md | 1 + dovecot/templates/z-evolinux-defaults.conf.j2 | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 639c7e13..f73fe3b5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,7 @@ The **patch** part changes incrementally at each release. * minifirewall: improve variables values and documentation ### Changed +* dovecot: enable SSL/TLS by default with snakeoil certificate ### Fixed diff --git a/dovecot/templates/z-evolinux-defaults.conf.j2 b/dovecot/templates/z-evolinux-defaults.conf.j2 index b6d8d5e5..787b9d01 100644 --- a/dovecot/templates/z-evolinux-defaults.conf.j2 +++ b/dovecot/templates/z-evolinux-defaults.conf.j2 @@ -34,3 +34,8 @@ service login { process_limit = 256 } mail_max_userip_connections = 42 + +# SSL/TLS +ssl = yes +ssl_cert = Date: Wed, 5 Sep 2018 18:52:23 +0200 Subject: [PATCH 6/7] evomaintenance: update meta-data to support Debian Stretch --- evomaintenance/meta/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/evomaintenance/meta/main.yml b/evomaintenance/meta/main.yml index 51a614cd..3b27a2fe 100644 --- a/evomaintenance/meta/main.yml +++ b/evomaintenance/meta/main.yml @@ -12,6 +12,7 @@ galaxy_info: platforms: - name: Debian versions: + - stretch - jessie - squeeze From 37ea8d292eae83deb5420af3b0a8b7381bd59920 Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour Date: Thu, 6 Sep 2018 15:14:34 +0200 Subject: [PATCH 7/7] Release 9.3.2 --- CHANGELOG.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index f73fe3b5..4826724a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,16 @@ The **patch** part changes incrementally at each release. ## [Unreleased] +### Added + +### Changed + +### Fixed + +### Security + +## [9.3.2] - 2018-09-06 + ### Added * minifirewall: add a variable to disable the restart handler * minifirewall: add a variable to force a restart of the firewall (even with no change)