Merge branch 'unstable' into stable
commit
d997431518
14
CHANGELOG.md
14
CHANGELOG.md
|
@ -18,6 +18,20 @@ The **patch** part changes incrementally at each release.
|
||||||
|
|
||||||
### Security
|
### Security
|
||||||
|
|
||||||
|
## [9.3.2] - 2018-09-06
|
||||||
|
|
||||||
|
### Added
|
||||||
|
* minifirewall: add a variable to disable the restart handler
|
||||||
|
* minifirewall: add a variable to force a restart of the firewall (even with no change)
|
||||||
|
* minifirewall: improve variables values and documentation
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
* dovecot: enable SSL/TLS by default with snakeoil certificate
|
||||||
|
|
||||||
|
### Fixed
|
||||||
|
|
||||||
|
### Security
|
||||||
|
|
||||||
## [9.3.1] - 2018-08-30
|
## [9.3.1] - 2018-08-30
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
|
@ -34,3 +34,8 @@ service login {
|
||||||
process_limit = 256
|
process_limit = 256
|
||||||
}
|
}
|
||||||
mail_max_userip_connections = 42
|
mail_max_userip_connections = 42
|
||||||
|
|
||||||
|
# SSL/TLS
|
||||||
|
ssl = yes
|
||||||
|
ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||||
|
ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key
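Review bot: `ssl = yes` on the added line only offers TLS; non-TLS sessions are still accepted, so if the changelog's "enable SSL/TLS by default" is meant to enforce encryption, `ssl = required` is the setting that refuses plaintext from non-local clients. The snakeoil pair is a self-signed placeholder that every mail client will warn about, which deserves a comment above `ssl_cert`, e.g. `# snakeoil is a self-signed placeholder; override ssl_cert/ssl_key with a CA-issued certificate`. Whether `disable_plaintext_auth` is left at its default is not visible here, so I can't tell from this hunk if credentials stay protected on the remaining plaintext path; worth confirming in the rest of the file. The `service login {` block opens outside the hunk and the file continues past `ssl_key`.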
|
||||||
|
|
|
@ -12,6 +12,7 @@ galaxy_info:
|
||||||
platforms:
|
platforms:
|
||||||
- name: Debian
|
- name: Debian
|
||||||
versions:
|
versions:
|
||||||
|
- stretch
|
||||||
- jessie
|
- jessie
|
||||||
- squeeze
|
- squeeze
|
||||||
|
|
||||||
|
|
|
@ -15,7 +15,11 @@ Everything is in the `tasks/main.yml` file.
|
||||||
* `minifirewall_int_lan`: (default: IP/32)
|
* `minifirewall_int_lan`: (default: IP/32)
|
||||||
* `minifirewall_trusted_ips`: with IP/hosts should be trusted for full access (default: none)
|
* `minifirewall_trusted_ips`: with IP/hosts should be trusted for full access (default: none)
|
||||||
* `minifirewall_privilegied_ips`: with IP/hosts should be trusted for restricted access (default: none)
|
* `minifirewall_privilegied_ips`: with IP/hosts should be trusted for restricted access (default: none)
|
||||||
* `minifirewall_tail_included` : source a "tail" file at the end of the main config file. (default: `False`)
|
* `minifirewall_tail_included` : source a "tail" file at the end of the main config file (default: `False`)
|
||||||
|
* `minifirewall_tail_force` : overwrite the "tail" file (default: `True`)
|
||||||
|
* `minifirewall_restart_if_needed` : should the restart handler be executed (default: `True`)
|
||||||
|
* `minifirewall_restart_force` : force restart minifirewall at the end of the role execution (default: `False`)
|
||||||
|
* `minifirewall_autostart` : enable minifirewall start at boot time (default: `False`)
|
||||||
The full list of variables (with default values) can be found in `defaults/main.yml`.
|
The full list of variables (with default values) can be found in `defaults/main.yml`.
|
||||||
|
|
||||||
**Some IP/hosts must be configured or the server will be inaccessible via network.**
|
**Some IP/hosts must be configured or the server will be inaccessible via network.**
|
||||||
|
|
|
@ -1,6 +1,8 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
|
minifirewall_tail_file: /etc/default/minifirewall.tail
|
||||||
minifirewall_tail_included: False
|
minifirewall_tail_included: False
|
||||||
minifirewall_tail_force: yes
|
minifirewall_tail_force: True
|
||||||
|
|
||||||
minifirewall_git_url: "https://forge.evolix.org/minifirewall.git"
|
minifirewall_git_url: "https://forge.evolix.org/minifirewall.git"
|
||||||
minifirewall_checkout_path: "/tmp/minifirewall"
|
minifirewall_checkout_path: "/tmp/minifirewall"
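Review bot: The new and changed defaults spell booleans as capitalised `True`/`False` (`minifirewall_tail_included: False`, `minifirewall_tail_force: True`), and the second hunk `@ -23,7 +25,9 @@` does the same for `minifirewall_autostart`, `minifirewall_restart_if_needed` and `minifirewall_restart_force`. PyYAML accepts these as YAML 1.1 booleans, but yamllint's `truthy` rule and the YAML 1.2 core schema only recognise lowercase, so `true`/`false` is the portable spelling, e.g. `minifirewall_tail_included: false` and `minifirewall_tail_force: true`. Replacing the old string `"no"` with a real boolean is the right direction; keeping the spelling canonical avoids the same string-versus-boolean ambiguity returning through an inventory override.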
|
||||||
|
@ -23,7 +25,9 @@ minifirewall_semipublic_ports_udp: []
|
||||||
minifirewall_private_ports_tcp: [5666]
|
minifirewall_private_ports_tcp: [5666]
|
||||||
minifirewall_private_ports_udp: []
|
minifirewall_private_ports_udp: []
|
||||||
|
|
||||||
minifirewall_autostart: "no"
|
minifirewall_autostart: False
|
||||||
|
minifirewall_restart_if_needed: True
|
||||||
|
minifirewall_restart_force: False
|
||||||
|
|
||||||
evomaintenance_hosts: []
|
evomaintenance_hosts: []
|
||||||
|
|
||||||
|
|
|
@ -4,4 +4,4 @@
|
||||||
dest: /etc/init.d/alert5
|
dest: /etc/init.d/alert5
|
||||||
regexp: '^#/etc/init.d/minifirewall start'
|
regexp: '^#/etc/init.d/minifirewall start'
|
||||||
replace: '/etc/init.d/minifirewall start'
|
replace: '/etc/init.d/minifirewall start'
|
||||||
when: minifirewall_autostart == "yes"
|
when: minifirewall_autostart
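Review bot: `when: minifirewall_autostart` now relies on the variable's truthiness, while the previous default was the string `"no"`, so an inventory that still sets `minifirewall_autostart: "no"` hands a non-empty string to the conditional. Ansible's bare-variable handling in `when` may re-evaluate such a string and happen to yield false, but that handling is deprecated, and once it is gone any non-empty string is truthy and would switch boot-time start of the firewall on for hosts that opted out. `when: minifirewall_autostart | bool` pins the intent and also accepts the `yes`/`no`/`"true"` spellings users tend to write. The same bare test appears in the later hunks on `when: minifirewall_restart_force` and `when: not minifirewall_restart_if_needed`, and in the `ternary` of the new `set_fact`, where `| bool` would be equally appropriate.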
|
||||||
|
|
|
@ -123,7 +123,17 @@
|
||||||
register: minifirewall_init_restart
|
register: minifirewall_init_restart
|
||||||
failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout"
|
failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout"
|
||||||
changed_when: "'starting IPTables rules is now finish : OK' in minifirewall_init_restart.stdout"
|
changed_when: "'starting IPTables rules is now finish : OK' in minifirewall_init_restart.stdout"
|
||||||
when: minifirewall_is_running.rc == 0 and (minifirewall_config_ips | changed or minifirewall_config_ports | changed)
|
when:
|
||||||
|
- minifirewall_restart_if_needed
|
||||||
|
- minifirewall_is_running.rc == 0
|
||||||
|
- (minifirewall_config_ips | changed or minifirewall_config_ports | changed)
|
||||||
|
|
||||||
|
- name: restart minifirewall (noop)
|
||||||
|
meta: noop
|
||||||
|
register: minifirewall_init_restart
|
||||||
|
failed_when: False
|
||||||
|
changed_when: False
|
||||||
|
when: not minifirewall_restart_if_needed
|
||||||
|
|
||||||
- debug:
|
- debug:
|
||||||
var: minifirewall_init_restart
|
var: minifirewall_init_restart
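Review bot: The added `restart minifirewall (noop)` task attaches `register`, `failed_when` and `changed_when` to a `meta: noop` action, but meta actions are dispatched by the strategy rather than run through the task executor, so those keys are most likely ignored and `minifirewall_init_restart` ends up holding the skipped result of the preceding task; the `debug` below will still print something, just not what this task suggests. If the goal is only a visible "restart skipped" step, a `debug` task (`debug:` / `msg: "minifirewall restart skipped (minifirewall_restart_if_needed is false)"`) with the same `when` and no `register` says what happens without pretending to register a result, and the `meta` module documents `noop` as internal and not recommended anyway. Separately, the new `when` item `- (minifirewall_config_ips | changed or minifirewall_config_ports | changed)` keeps the `changed` filter, which is deprecated since Ansible 2.5 and removed in 2.9 in favour of the test form `minifirewall_config_ips is changed or minifirewall_config_ports is changed`. The same noop task and `| changed` usage are added in the later hunk `@ -35,7 +35,16 @@`. The task list continues outside this hunk on both sides.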
|
||||||
|
|
|
@ -1,5 +1,8 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
|
- set_fact:
|
||||||
|
minifirewall_restart_handler_name: "{{ minifirewall_restart_if_needed | ternary('restart minifirewall', 'restart minifirewall (noop)') }}"
|
||||||
|
|
||||||
- include: install.yml
|
- include: install.yml
|
||||||
|
|
||||||
- include: config.yml
|
- include: config.yml
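Review bot: The `set_fact` line for `minifirewall_restart_handler_name` runs to roughly 140 characters, which trips the usual line-length limit and hides the two ternary branches; a folded scalar renders the identical value while splitting the expression: `minifirewall_restart_handler_name: >-` / `{{ minifirewall_restart_if_needed` / `| ternary('restart minifirewall', 'restart minifirewall (noop)') }}`. I cannot see where this fact is consumed from the hunks in view, and the `Force restart minifirewall` task added in the next hunk notifies the hard-coded `restart minifirewall`; if the fact is meant to be the single notify target, a short comment above the `set_fact` explaining why the forced restart bypasses it would help the next reader.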
|
||||||
|
@ -10,3 +13,8 @@
|
||||||
|
|
||||||
- include: tail.yml
|
- include: tail.yml
|
||||||
when: minifirewall_tail_included
|
when: minifirewall_tail_included
|
||||||
|
|
||||||
|
- name: Force restart minifirewall
|
||||||
|
command: /bin/true
|
||||||
|
notify: restart minifirewall
|
||||||
|
when: minifirewall_restart_force
|
||||||
|
|
|
@ -2,8 +2,8 @@
|
||||||
- name: Add some rules at the end of minifirewall file
|
- name: Add some rules at the end of minifirewall file
|
||||||
template:
|
template:
|
||||||
src: "{{ item }}"
|
src: "{{ item }}"
|
||||||
dest: /etc/default/minifirewall.tail
|
dest: "{{ minifirewall_tail_file }}"
|
||||||
force: "{{ minifirewall_tail_force | bool | ternary('yes', 'no') }}"
|
force: "{{ minifirewall_tail_force | bool }}"
|
||||||
with_first_found:
|
with_first_found:
|
||||||
- "templates/minifirewall-tail/minifirewall.{{ inventory_hostname }}.tail.j2"
|
- "templates/minifirewall-tail/minifirewall.{{ inventory_hostname }}.tail.j2"
|
||||||
- "templates/minifirewall-tail/minifirewall.{{ host_group }}.tail.j2"
|
- "templates/minifirewall-tail/minifirewall.{{ host_group }}.tail.j2"
|
||||||
|
@ -19,7 +19,7 @@
|
||||||
blockinfile:
|
blockinfile:
|
||||||
dest: /etc/default/minifirewall
|
dest: /etc/default/minifirewall
|
||||||
marker: "# {mark} ANSIBLE MANAGED EXTERNAL RULES"
|
marker: "# {mark} ANSIBLE MANAGED EXTERNAL RULES"
|
||||||
block: . /etc/default/minifirewall.tail
|
block: ". {{ minifirewall_tail_file }}"
|
||||||
insertbefore: EOF
|
insertbefore: EOF
|
||||||
register: minifirewall_tail_source
|
register: minifirewall_tail_source
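Review bot: `block: ". {{ minifirewall_tail_file }}"` drops the rendered path into `/etc/default/minifirewall` as an unquoted shell word after the `.` builtin, so a `minifirewall_tail_file` override containing a space or a shell metacharacter would break, or silently change, the sourcing line once that file is executed; quoting inside the rendered shell, `block: '. "{{ minifirewall_tail_file }}"'`, keeps the path intact for any value. Because this line is shell, the tail template selected in the first hunk `@ -2,8 +2,8 @@` is effectively root-executed code at firewall start (presumably via the init script, which is outside the hunk), and a one-line comment on the `Add some rules at the end of minifirewall file` task, e.g. `# the tail file is sourced as shell from /etc/default/minifirewall; treat the templates as executable code`, would make that explicit for template authors. Making the path a variable on both the `dest` and the `block` side is consistent, and the new default `minifirewall_tail_file: /etc/default/minifirewall.tail` keeps the old location.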
|
||||||
|
|
||||||
|
@ -35,7 +35,16 @@
|
||||||
register: minifirewall_init_restart
|
register: minifirewall_init_restart
|
||||||
failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout"
|
failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout"
|
||||||
changed_when: "'starting IPTables rules is now finish : OK' in minifirewall_init_restart.stdout"
|
changed_when: "'starting IPTables rules is now finish : OK' in minifirewall_init_restart.stdout"
|
||||||
when: minifirewall_tail_template | changed
|
when:
|
||||||
|
- minifirewall_tail_template | changed
|
||||||
|
- minifirewall_restart_if_needed
|
||||||
|
|
||||||
|
- name: restart minifirewall (noop)
|
||||||
|
meta: noop
|
||||||
|
register: minifirewall_init_restart
|
||||||
|
failed_when: False
|
||||||
|
changed_when: False
|
||||||
|
when: not minifirewall_restart_if_needed
|
||||||
|
|
||||||
- debug:
|
- debug:
|
||||||
var: minifirewall_init_restart
|
var: minifirewall_init_restart
|
||||||
|
|