Merge branch 'unstable' into stable
commit
e2d51e0e25
48
CHANGELOG.md
48
CHANGELOG.md
|
@ -18,6 +18,54 @@ The **patch** part changes incrementally at each release.
|
|||
|
||||
### Security
|
||||
|
||||
## [9.3.0] - 2018-08-24
|
||||
|
||||
### Added
|
||||
* elasticsearch: tmpdir configuration compatible with 5.x also
|
||||
* elasticsearch: add http.publish_host variable
|
||||
* evoacme: disable old certbot cron also in cron.daily
|
||||
* evocheck: detect installed packages even if "held" by APT (manual fix)
|
||||
* evocheck: the crontab is updated by the role (default: `True`)
|
||||
* evolinux-base: add mail related aliases
|
||||
* evolinux-todo: new role, to help maintain a file of todo tasks
|
||||
* fail2ban: add a variable to disable the ssh filter (default: `False`)
|
||||
* etc-git: install a script to optimize the repository each month
|
||||
* fail2ban: add a variable to update the list of ignored IP addresses/blocs (default: `False`)
|
||||
* generate-ldif: detect installed packages even if "held" by APT
|
||||
* java: support for Oracle JRE
|
||||
* kibana: log messages go to /var/log/kibana/kibana.log
|
||||
* metricbeat: add a role (copied from filebeat)
|
||||
* munin: properly rename Munin cache directory
|
||||
* mysql: add an option to install the client development libraries (default: `False`)
|
||||
* nagios-nrpe: add check_postgrey
|
||||
|
||||
### Changed
|
||||
* etc-git: some entries of .gitignore are mandatory
|
||||
* evocheck: update upstream script
|
||||
* evolinux-base: improve hostname configuration (real vs. internal)
|
||||
* evolinux-base: use the "evolinux-todo" role
|
||||
* evolinux-users: add sudo permission for bkctld check
|
||||
* java8: renamed to java (java8 symlinked to java for backward compatibility)
|
||||
* minifirewall: the tail file can be overwritten, or not (default: `True`)
|
||||
* nagios-nrpe: use bkctld internal check instead of nrpe plugin
|
||||
* php: reorganization of the role for Sury overrides and more clear configuration
|
||||
* redmine: use .my.cnf for mysql password
|
||||
* rbenv: change default Ruby version (2.5.1)
|
||||
* rbenv: switch from copy to lineinfile for default gems
|
||||
* remount-usr: mount doesn't report a change
|
||||
* squid: add a few news sites to the whitelist
|
||||
* tomcat: better nrpe check output
|
||||
* kvm-host: install kvm-tools package instead of copying add-vm.sh
|
||||
|
||||
### Fixed
|
||||
* apache: logrotate replacement is more subtle/precise. It replaces only the proper directive and not every occurence of the word.
|
||||
* bind: chroot-bind.sh must not be executed in check mode
|
||||
* evoacme: fix module detection in apache config
|
||||
* fail2ban: fix fail2ban_ignore_ips definition
|
||||
* mysql-oracle: fix configuration directory variable
|
||||
* php: fpm slowlog needs an absolute path
|
||||
* roundcube: add missing slash to https redirection
|
||||
|
||||
## [9.2.0] - 2018-05-16
|
||||
|
||||
### Changed
|
||||
|
|
|
@ -12,7 +12,7 @@
|
|||
- name: configure Amavis
|
||||
template:
|
||||
src: amavis.conf.j2
|
||||
dest: /etc/amavis/conf.d/49-evolinux-defaults.conf
|
||||
dest: /etc/amavis/conf.d/49-evolinux-defaults
|
||||
mode: "0644"
|
||||
notify: restart amavis
|
||||
tags:
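Review bot: The task now writes `/etc/amavis/conf.d/49-evolinux-defaults` but nothing removes the `49-evolinux-defaults.conf` file that earlier runs of this role deployed, so already-provisioned hosts keep both copies. If Amavis includes every file under conf.d (I cannot confirm the include glob from here), the stale `.conf` keeps being loaded and may duplicate or override the new settings. Add a cleanup task next to this one: `- file: path=/etc/amavis/conf.d/49-evolinux-defaults.conf state=absent` with the same `notify: restart amavis`. The task body continues outside the hunk.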
|
||||
|
|
|
@ -174,8 +174,8 @@
|
|||
- name: "logrotate: keep 52 files"
|
||||
replace:
|
||||
dest: /etc/logrotate.d/apache2
|
||||
regexp: "rotate .+"
|
||||
replace: "rotate 52"
|
||||
regexp: '^(\s+rotate) \d+$'
|
||||
replace: '\1 52'
|
||||
tags:
|
||||
- apache
|
||||
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
- name: "Install munin-node and core plugins packages"
|
||||
apt:
|
||||
name: "{{ item }}"
|
||||
state: installed
|
||||
state: present
|
||||
with_items:
|
||||
- munin-node
|
||||
- munin-plugins-core
|
||||
|
@ -28,7 +28,7 @@
|
|||
- name: "Install fcgi packages for Munin graphs"
|
||||
apt:
|
||||
name: "{{ item }}"
|
||||
state: installed
|
||||
state: present
|
||||
with_items:
|
||||
- libapache2-mod-fcgid
|
||||
- libcgi-fast-perl
|
||||
|
|
|
@ -81,7 +81,6 @@
|
|||
command: "/root/chroot-bind.sh"
|
||||
register: chrootbind_run
|
||||
changed_when: False
|
||||
check_mode: no
|
||||
when: bind_chroot_set
|
||||
|
||||
- debug:
|
||||
|
@ -117,5 +116,3 @@
|
|||
force: yes
|
||||
notify: restart bind
|
||||
when: bind_chroot_set
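Review bot: Dropping `check_mode: no` is correct for a script that mutates the host, but in `--check` runs `chrootbind_run` is now registered from a skipped task, and the `debug` task right after it presumably prints a field of that result and will fail on an undefined attribute. Guard it with `when: chrootbind_run is not skipped` (or `chrootbind_run.stdout is defined`). `changed_when: False` on a command that reconfigures bind also hides real changes; if the script's output distinguishes a no-op from a change, report it. The debug task body continues outside the hunk.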
|
||||
|
||||
|
||||
|
|
|
@ -15,9 +15,12 @@ Tasks are extracted in several files, included in `tasks/main.yml` :
|
|||
## Available variables
|
||||
|
||||
* `elasticsearch_cluster_name`: cluster name ;
|
||||
* `elasticsearch_cluster_members:` members of a cluster (ex: '["10.0.0.1", "10.0.0.2", "10.0.0.3"]') (default: `Null`) ;
|
||||
* `elasticsearch_minimum_master_nodes:` minimum of master nodes (the best practice is to have "number of elasticsearch_cluster_members / 2 + 1" as value) (default: `Null`) ;
|
||||
* `elasticsearch_node_name`: node name, defaults to hostname ;
|
||||
* `elasticsearch_network_host`: which interfaces to bind to ;
|
||||
* `elasticsearch_network_publish_host`: which interface to publish ;
|
||||
* `elasticsearch_network_publish_host`: which interface to publish for node-to-node communication (default: `Null`) ;
|
||||
* `elasticsearch_http_publish_host`: which interface to publish for clients (default: `Null`) ;
|
||||
* `elasticsearch_custom_datadir`: custom datadir ;
|
||||
* `elasticsearch_custom_tmpdir`: custom tmpdir ;
|
||||
* `elasticsearch_jvm_xms`: mininum heap size reserved for the JVM (default: `2g`).
|
||||
|
|
|
@ -2,9 +2,12 @@
|
|||
elastic_stack_version: "6.x"
|
||||
|
||||
elasticsearch_cluster_name: Null
|
||||
elasticsearch_cluster_members: Null
|
||||
elasticsearch_minimum_master_nodes: Null
|
||||
elasticsearch_node_name: "${HOSTNAME}"
|
||||
elasticsearch_network_host: "[_site_, _local_]"
|
||||
elasticsearch_network_publish_host: "_site_"
|
||||
elasticsearch_network_publish_host: Null
|
||||
elasticsearch_http_publish_host: Null
|
||||
elasticsearch_custom_datadir: Null
|
||||
elasticsearch_custom_tmpdir: Null
|
||||
elasticsearch_default_tmpdir: /var/lib/elasticsearch/tmp
|
||||
|
|
|
@ -25,4 +25,4 @@ galaxy_info:
|
|||
# alphanumeric characters. Maximum 20 tags per role.
|
||||
|
||||
dependencies:
|
||||
- java8
|
||||
- { role: java, alternative: 'openjdk', java_version: 8 }
|
||||
|
|
|
@ -13,7 +13,7 @@
|
|||
name: vm.max_map_count
|
||||
value: 262144
|
||||
sysctl_file: /etc/sysctl.d/elasticsearch.conf
|
||||
when: "{{ max_map_count|int < 262144 }}"
|
||||
when: max_map_count | int < 262144
|
||||
tags:
|
||||
- config
|
||||
|
||||
|
|
|
@ -39,6 +39,16 @@
|
|||
tags:
|
||||
- config
|
||||
|
||||
- name: Configure http publish_host
|
||||
lineinfile:
|
||||
dest: /etc/elasticsearch/elasticsearch.yml
|
||||
line: "http.publish_host: {{ elasticsearch_http_publish_host }}"
|
||||
regexp: "^http.publish_host:"
|
||||
insertafter: "^http.port:"
|
||||
when: elasticsearch_http_publish_host|default("", True)
|
||||
tags:
|
||||
- config
|
||||
|
||||
- name: Configure RESTART_ON_UPGRADE
|
||||
lineinfile:
|
||||
dest: /etc/default/elasticsearch
|
||||
|
@ -63,3 +73,25 @@
|
|||
line: "-Xmx{{ elasticsearch_jvm_xmx }}"
|
||||
tags:
|
||||
- config
|
||||
|
||||
- name: Configure cluster members
|
||||
lineinfile:
|
||||
dest: /etc/elasticsearch/elasticsearch.yml
|
||||
line: "discovery.zen.ping.unicast.hosts: {{ elasticsearch_cluster_members }}"
|
||||
regexp: "^discovery.zen.ping.unicast.hosts:"
|
||||
insertafter: "^#discovery.zen.ping.unicast.hosts"
|
||||
when: elasticsearch_cluster_members|default("", True)
|
||||
tags:
|
||||
- config
|
||||
|
||||
- name: Configure minimum master nodes
|
||||
lineinfile:
|
||||
dest: /etc/elasticsearch/elasticsearch.yml
|
||||
line: "discovery.zen.minimum_master_nodes: {{ elasticsearch_minimum_master_nodes }}"
|
||||
regexp: "^discovery.zen.minimum_master_nodes:"
|
||||
insertafter: "^#discovery.zen.minimum_master_nodes"
|
||||
when: elasticsearch_minimum_master_nodes|default("", True)
|
||||
tags:
|
||||
- config
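Review bot: Nothing ties the two new tasks together: `discovery.zen.ping.unicast.hosts` is written whenever `elasticsearch_cluster_members` is set, while `discovery.zen.minimum_master_nodes` stays absent because `elasticsearch_minimum_master_nodes` defaults to `Null` in this commit, which is the classic split-brain configuration on Zen discovery (the README recommends members/2+1 but the role does not enforce it). An `assert` placed before "Configure cluster members" fails the play instead of silently producing an unsafe cluster. The `when: var|default("", True)` form also relies on Ansible treating the rendered string as the condition; `when: elasticsearch_cluster_members is not none` is the explicit test. The enclosing file continues outside the hunk.
```yaml
- name: Refuse a multi-node cluster without a quorum setting
  assert:
    that:
      - elasticsearch_minimum_master_nodes is not none
    msg: "elasticsearch_minimum_master_nodes must be set when elasticsearch_cluster_members is defined (members / 2 + 1)"
  when: elasticsearch_cluster_members is not none
  tags:
    - config

# … unchanged: Configure cluster members / Configure minimum master nodes …
```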
|
||||
|
||||
|
||||
|
|
|
@ -18,7 +18,19 @@
|
|||
tags:
|
||||
- elasticsearch
|
||||
|
||||
- name: check if ES_TMPDIR is available
|
||||
- name: change JVM tmpdir (< 6.x)
|
||||
lineinfile:
|
||||
dest: /etc/elasticsearch/jvm.options
|
||||
line: "-Djava.io.tmpdir={{ elasticsearch_custom_tmpdir or elasticsearch_default_tmpdir | mandatory }}"
|
||||
regexp: "^-Djava.io.tmpdir="
|
||||
insertafter: "## JVM configuration"
|
||||
notify:
|
||||
- restart elasticsearch
|
||||
tags:
|
||||
- elasticsearch
|
||||
when: elastic_stack_version | version_compare('6', '<')
|
||||
|
||||
- name: check if ES_TMPDIR is available (>= 6.x)
|
||||
lineinfile:
|
||||
dest: /etc/default/elasticsearch
|
||||
line: "ES_TMPDIR={{ elasticsearch_custom_tmpdir or elasticsearch_default_tmpdir | mandatory }}"
|
||||
|
@ -28,8 +40,9 @@
|
|||
- restart elasticsearch
|
||||
tags:
|
||||
- elasticsearch
|
||||
when: elastic_stack_version | version_compare('6', '>=')
|
||||
|
||||
- name: change JVM tmpdir
|
||||
- name: change JVM tmpdir (>= 6.x)
|
||||
lineinfile:
|
||||
dest: /etc/elasticsearch/jvm.options
|
||||
line: "-Djava.io.tmpdir=${ES_TMPDIR}"
|
||||
|
@ -39,4 +52,5 @@
|
|||
- restart elasticsearch
|
||||
tags:
|
||||
- elasticsearch
|
||||
when: elastic_stack_version | version_compare('6', '>=')
|
||||
when: (elasticsearch_custom_tmpdir != '' and elasticsearch_custom_tmpdir != None) or fstab_tmp_noexec | success
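Review bot: The "change JVM tmpdir (>= 6.x)" task ends up with two `when:` keys in the same mapping — the added version guard and the pre-existing `fstab_tmp_noexec` condition just below it. A YAML loader keeps only the last duplicate key (Ansible, as far as I recall, warns about a duplicate dict key and uses the last value), so the version check is dropped silently and the task still runs on 5.x hosts. Fold both into one expression: `when: elastic_stack_version | version_compare('6', '>=') and ((elasticsearch_custom_tmpdir != '' and elasticsearch_custom_tmpdir != None) or fstab_tmp_noexec | success)`. The same two-`when` shape does not occur in the other tasks of this file. The task starts outside the hunk.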
|
||||
|
|
|
@ -1,5 +1 @@
|
|||
aliases.db
|
||||
*.swp
|
||||
postfix/sa-blacklist.access
|
||||
postfix/*.db
|
||||
postfix/spamd.cidr
|
||||
# Default /etc/.gitignore file
|
||||
|
|
3
etc-git/files/optimize-etc-git
3
etc-git/files/optimize-etc-git
|
@ -0,0 +1,3 @@
|
|||
#!/bin/sh
|
||||
|
||||
git --git-dir /etc/.git gc --quiet
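Review bot: There is no guard for a host where `/etc/.git` does not exist (role not applied, repository removed), so cron will mail a git error to root every month; add `[ -d /etc/.git ] || exit 0` before the `gc` line. Since `/etc/.git` is effectively the audit trail of /etc, a one-line comment that `gc` only prunes *unreachable* loose objects (default expiry two weeks) and never rewrites committed history would reassure the next reader. `git -C /etc gc --quiet` is the equivalent call that also sets the work tree.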
|
|
@ -26,7 +26,7 @@
|
|||
tags:
|
||||
- etc-git
|
||||
|
||||
- name: /etc/.git is secure
|
||||
- name: /etc/.git is restricted to root
|
||||
file:
|
||||
path: /etc/.git
|
||||
owner: root
|
||||
|
@ -41,6 +41,20 @@
|
|||
dest: /etc/.gitignore
|
||||
owner: root
|
||||
mode: "0600"
|
||||
force: no
|
||||
tags:
|
||||
- etc-git
|
||||
|
||||
- name: Some entries MUST be in the /etc/.gitignore file
|
||||
lineinfile:
|
||||
dest: /etc/.gitignore
|
||||
line: "{{ item }}"
|
||||
with_items:
|
||||
- "aliases.db"
|
||||
- "*.swp"
|
||||
- "postfix/sa-blacklist.access"
|
||||
- "postfix/*.db"
|
||||
- "postfix/spamd.cidr"
|
||||
tags:
|
||||
- etc-git
|
||||
|
||||
|
@ -65,3 +79,12 @@
|
|||
when: git_log.rc != 0 or (git_init is defined and git_init.changed)
|
||||
tags:
|
||||
- etc-git
|
||||
|
||||
- name: Optimize script is installed in monthly crontab
|
||||
copy:
|
||||
src: optimize-etc-git
|
||||
dest: /etc/cron.monthly/optimize-etc-git
|
||||
mode: "0750"
|
||||
force: no
|
||||
tags:
|
||||
- etc-git
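Review bot: `force: no` on the copy to `/etc/cron.monthly/optimize-etc-git` means the script is installed once and any later fix to `files/optimize-etc-git` never reaches hosts; unless a local edit is expected there, drop `force: no`, and make `owner: root` explicit next to `mode: "0750"` since this runs as root from cron. The `lineinfile` loop on `/etc/.gitignore` has no `create:` and relies on the preceding copy task having created the file, which holds given the ordering but deserves a comment. The task list continues outside the hunk.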
|
||||
|
|
|
@ -80,13 +80,17 @@ openssl_selfsigned() {
|
|||
local csr="$1"
|
||||
local key="$2"
|
||||
local crt="$3"
|
||||
local cfg="$4"
|
||||
local crt_dir=$(dirname ${crt})
|
||||
|
||||
[ -r "${csr}" ] || error "File ${csr} is not readable"
|
||||
[ -r "${key}" ] || error "File ${key} is not readable"
|
||||
[ -w "${crt_dir}" ] || error "Directory ${crt_dir} is not writable"
|
||||
|
||||
"${OPENSSL_BIN}" x509 -req -sha256 -days 365 -in "${csr}" -signkey "${key}" -out "${crt}" 2> /dev/null
|
||||
if grep -q SAN "${cfg}"; then
|
||||
"${OPENSSL_BIN}" x509 -req -sha256 -days 365 -in "${csr}" -extensions SAN -extfile "${cfg}" -signkey "${key}" -out "${crt}" 2> /dev/null
|
||||
else
|
||||
"${OPENSSL_BIN}" x509 -req -sha256 -days 365 -in "${csr}" -signkey "${key}" -out "${crt}" 2> /dev/null
|
||||
fi
|
||||
|
||||
[ -r "${crt}" ] || error "Something went wrong, ${crt} has not been generated"
|
||||
}
|
||||
|
@ -149,6 +153,7 @@ EOF
|
|||
done
|
||||
san=$(echo "${san}" | sed 's/^,//')
|
||||
cat "${SSL_CONFIG_FILE}" - > "${config_file}" <<EOF
|
||||
CN=${domains%% *}
|
||||
[SAN]
|
||||
subjectAltName=${san}
|
||||
EOF
|
||||
|
@ -160,7 +165,7 @@ EOF
|
|||
chmod 644 "${CSR_FILE}"
|
||||
mkdir -p -m 0755 "${SELF_SIGNED_DIR}"
|
||||
|
||||
openssl_selfsigned "${CSR_FILE}" "${SSL_KEY_FILE}" "${SELF_SIGNED_FILE}"
|
||||
openssl_selfsigned "${CSR_FILE}" "${SSL_KEY_FILE}" "${SELF_SIGNED_FILE}" "${config_file}"
|
||||
|
||||
[ -r "${SELF_SIGNED_FILE}" ] && chmod 644 "${SELF_SIGNED_FILE}"
|
||||
debug "Self-signed certificate stored at ${SELF_SIGNED_FILE}"
|
||||
|
@ -227,6 +232,7 @@ main() {
|
|||
|
||||
command -v apache2ctl >/dev/null && sed_selfsigned_cert_path_for_apache "/etc/apache2/ssl/${VHOST}.conf"
|
||||
command -v nginx >/dev/null && sed_selfsigned_cert_path_for_nginx "/etc/nginx/ssl/${VHOST}.conf"
|
||||
exit 0
|
||||
}
|
||||
|
||||
readonly PROGNAME=$(basename "$0")
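Review bot: `openssl_selfsigned` now reads `${cfg}` but, unlike the csr and key, never checks that it exists, and `grep -q SAN "${cfg}"` matches any line containing those three letters (for example a comment in the concatenated `SSL_CONFIG_FILE`), not only the `[SAN]` section the script writes; a false match makes openssl fail on `-extensions SAN`, and with stderr sent to /dev/null the only symptom is "has not been generated". Add `[ -r "${cfg}" ] || error "File ${cfg} is not readable"` beside the other checks and anchor the test as `grep -q '^\[SAN\]' "${cfg}"`. `local crt_dir=$(dirname ${crt})` should also quote `${crt}`.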
|
||||
|
|
|
@ -34,6 +34,12 @@
|
|||
removes: /etc/cron.d/certbot
|
||||
creates: /etc/cron.d/certbot.disabled
|
||||
|
||||
- name: Disable /etc/cron.daily/certbot
|
||||
command: mv /etc/cron.daily/certbot /etc/cron.daily/certbot.disabled
|
||||
args:
|
||||
removes: /etc/cron.daily/certbot
|
||||
creates: /etc/cron.daily/certbot.disabled
|
||||
|
||||
- name: Install evoacme custom cron
|
||||
copy:
|
||||
src: evoacme.cron
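Review bot: Moving the cron files aside does not stop the systemd timer the Debian certbot package also ships (`certbot.timer`, when present on the target), so stock renewals can still run and race the evoacme cron. Add a task that disables the timer and tolerates its absence on hosts without the unit, rather than a blanket `ignore_errors`. The following task installs the evoacme cron and continues outside the hunk.
```yaml
- name: Disable certbot systemd timer
  systemd:
    name: certbot.timer
    enabled: no
    state: stopped
  register: certbot_timer
  failed_when: certbot_timer is failed and 'not find' not in (certbot_timer.msg | default(''))

# … unchanged: Install evoacme custom cron …
```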
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
<IfModule jk>
|
||||
<IfModule jk_module>
|
||||
SetEnvIf Request_URI "/.well-known/acme-challenge/*" no-jk
|
||||
</IfModule>
|
||||
<IfModule proxy>
|
||||
<IfModule proxy_module>
|
||||
ProxyPass /.well-known/acme-challenge/ !
|
||||
</IfModule>
|
||||
Alias /.well-known/acme-challenge {{ evoacme_acme_dir }}/.well-known/acme-challenge
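Review bot: `SetEnvIf Request_URI "/.well-known/acme-challenge/*" no-jk` is a regular expression, so the unescaped `.` matches any character, the trailing `/*` means zero or more slashes rather than "anything below", and the pattern is unanchored and matches the string anywhere in a URI. Use `SetEnvIf Request_URI "^/\.well-known/acme-challenge/" no-jk` so only the ACME prefix bypasses mod_jk. The `jk_module` / `proxy_module` corrections are right; the `ProxyPass` exclusion already uses a literal prefix.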
|
||||
|
|
|
@ -18,3 +18,4 @@ A separate `exec.yml` file can be imported manually in playbooks or roles to exe
|
|||
We can force install via :
|
||||
* `evocheck_force_install: local` : will copy the script provided by the role
|
||||
* `evocheck_force_install: package` : will install the package via repositories
|
||||
* `evocheck_update_crontab` : will update the crontab (default: `True`)
|
||||
|
|
|
@ -1,3 +1,4 @@
|
|||
---
|
||||
evocheck_force_install: False
|
||||
evocheck_update_crontab: True
|
||||
evocheck_bin_dir: /usr/share/scripts
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
# powered by Evolix
|
||||
|
||||
# Repository: https://gitlab.evolix.org/evolix/evocheck
|
||||
# Commit: c99324488553a745a201022d44f8f78f224631eb
|
||||
# Commit: d5a02b343f2e8e9a0b6fcd10b6b5a5d1e8c9af03
|
||||
|
||||
# Disable LANG*
|
||||
export LANG=C
|
||||
|
@ -100,6 +100,11 @@ IS_REDIS_BACKUP=1
|
|||
IS_ELASTIC_BACKUP=1
|
||||
IS_MONGO_BACKUP=1
|
||||
IS_MOUNT_FSTAB=1
|
||||
IS_NETWORK_INTERFACES=1
|
||||
IS_EVOBACKUP=1
|
||||
IS_DUPLICATE_FS_LABEL=1
|
||||
IS_EVOMAINTENANCE_FW=1
|
||||
IS_EVOLIX_USER=1
|
||||
|
||||
#Proper to OpenBSD
|
||||
IS_SOFTDEP=1
|
||||
|
@ -124,6 +129,7 @@ test -f /etc/evocheck.cf && . /etc/evocheck.cf
|
|||
# If --cron is passed, ignore some checks.
|
||||
if [ "$1" = "--cron" ]; then
|
||||
IS_KERNELUPTODATE=0
|
||||
IS_UPTIME=0
|
||||
fi
|
||||
|
||||
# Functions
|
||||
|
@ -137,7 +143,7 @@ is_pack_samba(){
|
|||
|
||||
is_installed(){
|
||||
for pkg in $*; do
|
||||
dpkg -l $pkg 2>/dev/null |grep -q ^ii || return 1
|
||||
dpkg -l $pkg 2>/dev/null |grep -q -E '^(i|h)i' || return 1
|
||||
done
|
||||
}
|
||||
|
||||
|
@ -145,6 +151,11 @@ is_debianversion(){
|
|||
[ $(lsb_release -c -s) = $1 ] && return 0
|
||||
}
|
||||
|
||||
is_debianversion squeeze && MINIFW_FILE=/etc/firewall.rc
|
||||
is_debianversion wheezy && MINIFW_FILE=/etc/firewall.rc
|
||||
is_debianversion jessie && MINIFW_FILE=/etc/default/minifirewall
|
||||
is_debianversion stretch && MINIFW_FILE=/etc/default/minifirewall
|
||||
|
||||
#-----------------------------------------------------------
|
||||
#Vérifie si c'est une debian et fait les tests appropriés.
|
||||
#-----------------------------------------------------------
|
||||
|
@ -153,7 +164,7 @@ if [ -e /etc/debian_version ]; then
|
|||
|
||||
if [ "$IS_DPKGWARNING" = 1 ]; then
|
||||
is_debianversion squeeze && ( [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ] ) && ( \
|
||||
egrep -i "(Pre-Invoke ..echo Are you sure to have rw on|Post-Invoke ..echo Dont forget to mount -o remount)" \
|
||||
grep -E -i "(Pre-Invoke ..echo Are you sure to have rw on|Post-Invoke ..echo Dont forget to mount -o remount)" \
|
||||
/etc/apt/apt.conf | wc -l | grep -q ^2$ || echo 'IS_DPKGWARNING FAILED!' )
|
||||
is_debianversion wheezy && ( ( [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ] ) && \
|
||||
( test -e /etc/apt/apt.conf.d/80evolinux || echo 'IS_DPKGWARNING FAILED!' )
|
||||
|
@ -180,29 +191,29 @@ if [ -e /etc/debian_version ]; then
|
|||
fi
|
||||
|
||||
if [ "$IS_CUSTOMSUDOERS" = 1 ]; then
|
||||
egrep -qr "umask=0077" /etc/sudoers* || echo 'IS_CUSTOMSUDOERS FAILED!'
|
||||
grep -E -qr "umask=0077" /etc/sudoers* || echo 'IS_CUSTOMSUDOERS FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_VARTMPFS" = 1 ]; then
|
||||
df /var/tmp | grep -q tmpfs || echo 'IS_VARTMPFS FAILED!'
|
||||
fi
|
||||
|
||||
|
||||
if [ "$IS_SERVEURBASE" = 1 ]; then
|
||||
is_installed serveur-base || echo 'IS_SERVEURBASE FAILED!'
|
||||
fi
|
||||
|
||||
|
||||
if [ "$IS_LOGROTATECONF" = 1 ]; then
|
||||
test -e /etc/logrotate.d/zsyslog || echo 'IS_LOGROTATECONF FAILED!'
|
||||
fi
|
||||
|
||||
|
||||
if [ "$IS_SYSLOGCONF" = 1 ]; then
|
||||
grep -q "^# Syslog for Pack Evolix serveur" /etc/*syslog.conf || echo 'IS_SYSLOGCONF FAILED!'
|
||||
fi
|
||||
|
||||
|
||||
if [ "$IS_DEBIANSECURITY" = 1 ]; then
|
||||
grep -q "^deb.*security" /etc/apt/sources.list || echo 'IS_DEBIANSECURITY FAILED!'
|
||||
fi
|
||||
|
||||
|
||||
if [ "$IS_APTITUDEONLY" = 1 ]; then
|
||||
is_debianversion squeeze && test -e /usr/bin/apt-get && echo 'IS_APTITUDEONLY FAILED!'
|
||||
is_debianversion wheezy && test -e /usr/bin/apt-get && echo 'IS_APTITUDEONLY FAILED!'
|
||||
|
@ -225,15 +236,15 @@ if [ -e /etc/debian_version ]; then
|
|||
test "$status" = "fail" || test -e /usr/bin/apt-get.bak || status="fail"
|
||||
( is_debianversion squeeze || is_debianversion wheezy ) && test "$status" = "fail" && echo 'IS_APTICRON FAILED!'
|
||||
fi
|
||||
|
||||
|
||||
if [ "$IS_USRRO" = 1 ]; then
|
||||
grep /usr /etc/fstab | grep -q ro || echo 'IS_USRRO FAILED!'
|
||||
fi
|
||||
|
||||
|
||||
if [ "$IS_TMPNOEXEC" = 1 ]; then
|
||||
mount | grep "on /tmp" | grep -q noexec || echo 'IS_TMPNOEXEC FAILED!'
|
||||
fi
|
||||
|
||||
|
||||
if [ "$IS_MOUNT_FSTAB" = 1 ]; then
|
||||
# Test if lsblk available, if not skip this test...
|
||||
if test -x "$(command -v lsblk)"; then
|
||||
|
@ -247,30 +258,30 @@ if [ -e /etc/debian_version ]; then
|
|||
if is_debianversion stretch; then
|
||||
is_installed apt-listchanges && echo 'IS_LISTCHANGESCONF FAILED!'
|
||||
else
|
||||
test -e /etc/apt/listchanges.conf && egrep "(which=both|confirm=1)" /etc/apt/listchanges.conf | wc -l | grep -q ^2$ || echo 'IS_LISTCHANGESCONF FAILED!'
|
||||
test -e /etc/apt/listchanges.conf && grep -E "(which=both|confirm=1)" /etc/apt/listchanges.conf | wc -l | grep -q ^2$ || echo 'IS_LISTCHANGESCONF FAILED!'
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
if [ "$IS_CUSTOMCRONTAB" = 1 ]; then
|
||||
egrep "^(17 \*|25 6|47 6|52 6)" /etc/crontab | wc -l | grep -q ^4$ && echo 'IS_CUSTOMCRONTAB FAILED!'
|
||||
grep -E "^(17 \*|25 6|47 6|52 6)" /etc/crontab | wc -l | grep -q ^4$ && echo 'IS_CUSTOMCRONTAB FAILED!'
|
||||
fi
|
||||
|
||||
|
||||
if [ "$IS_SSHALLOWUSERS" = 1 ]; then
|
||||
egrep -qi "AllowUsers" /etc/ssh/sshd_config || echo 'IS_SSHALLOWUSERS FAILED!'
|
||||
grep -E -qi "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config || echo 'IS_SSHALLOWUSERS FAILED!'
|
||||
fi
|
||||
|
||||
|
||||
if [ "$IS_DISKPERF" = 1 ]; then
|
||||
test -e /root/disk-perf.txt || echo 'IS_DISKPERF FAILED!'
|
||||
fi
|
||||
|
||||
|
||||
if [ "$IS_TMOUTPROFILE" = 1 ]; then
|
||||
grep -q TMOUT= /etc/profile /etc/profile.d/evolinux.sh || echo 'IS_TMOUTPROFILE FAILED!'
|
||||
fi
|
||||
|
||||
|
||||
if [ "$IS_ALERT5BOOT" = 1 ]; then
|
||||
grep -q ^date /etc/rc2.d/S*alert5 || echo 'IS_ALERT5BOOT FAILED!'
|
||||
fi
|
||||
|
||||
|
||||
if [ "$IS_ALERT5MINIFW" = 1 ]; then
|
||||
grep -q ^/etc/init.d/minifirewall /etc/rc2.d/S*alert5 || echo 'IS_ALERT5MINIFW FAILED!'
|
||||
fi
|
||||
|
@ -278,42 +289,39 @@ if [ -e /etc/debian_version ]; then
|
|||
if [ "$IS_ALERT5MINIFW" = 1 ] && [ "$IS_MINIFW" = 1 ]; then
|
||||
/sbin/iptables -L -n | grep -q -E "^ACCEPT\s*all\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" || echo 'IS_MINIFW FAILED!'
|
||||
fi
|
||||
|
||||
|
||||
if [ "$IS_NRPEPERMS" = 1 ]; then
|
||||
test -d /etc/nagios && ls -ld /etc/nagios | grep -q drwxr-x--- || echo 'IS_NRPEPERMS FAILED!'
|
||||
fi
|
||||
|
||||
|
||||
if [ "$IS_MINIFWPERMS" = 1 ]; then
|
||||
is_debianversion squeeze && ( ls -l /etc/firewall.rc | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!' )
|
||||
is_debianversion wheezy && ( ls -l /etc/firewall.rc | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!' )
|
||||
is_debianversion jessie && ( ls -l /etc/default/minifirewall | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!' )
|
||||
is_debianversion stretch && ( ls -l /etc/default/minifirewall | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!' )
|
||||
ls -l "$MINIFW_FILE" | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!'
|
||||
fi
|
||||
|
||||
|
||||
if [ "$IS_NRPEDISKS" = 1 ]; then
|
||||
NRPEDISKS=$(grep command.check_disk /etc/nagios/nrpe.cfg | grep ^command.check_disk[0-9] | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1)
|
||||
DFDISKS=$(df -Pl | egrep -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)" | wc -l)
|
||||
DFDISKS=$(df -Pl | grep -E -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)" | wc -l)
|
||||
[ "$NRPEDISKS" = "$DFDISKS" ] || echo 'IS_NRPEDISKS FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_NRPEPID" = 1 ]; then
|
||||
is_debianversion squeeze || (test -e /etc/nagios/nrpe.cfg && grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg || echo 'IS_NRPEPID FAILED!')
|
||||
fi
|
||||
|
||||
|
||||
if [ "$IS_GRSECPROCS" = 1 ]; then
|
||||
uname -a | grep -q grsec && ( grep -q ^command.check_total_procs..sudo /etc/nagios/nrpe.cfg && grep -A1 "^\[processes\]" /etc/munin/plugin-conf.d/munin-node | grep -q "^user root" || echo 'IS_GRSECPROCS FAILED!' )
|
||||
fi
|
||||
|
||||
|
||||
if [ "$IS_APACHEMUNIN" = 1 ]; then
|
||||
test -e /etc/apache2/apache2.conf && ( is_debianversion stretch || ( egrep -q "^env.url.*/server-status-[[:alnum:]]{4}" /etc/munin/plugin-conf.d/munin-node && egrep -q "/server-status-[[:alnum:]]{4}" /etc/apache2/apache2.conf || egrep -q "/server-status-[[:alnum:]]{4}" /etc/apache2/apache2.conf /etc/apache2/mods-enabled/status.conf 2>/dev/null || echo 'IS_APACHEMUNIN FAILED!' ) )
|
||||
test -e /etc/apache2/apache2.conf && ( is_debianversion stretch || ( grep -E -q "^env.url.*/server-status-[[:alnum:]]{4}" /etc/munin/plugin-conf.d/munin-node && grep -E -q "/server-status-[[:alnum:]]{4}" /etc/apache2/apache2.conf || grep -E -q "/server-status-[[:alnum:]]{4}" /etc/apache2/apache2.conf /etc/apache2/mods-enabled/status.conf 2>/dev/null || echo 'IS_APACHEMUNIN FAILED!' ) )
|
||||
test -e /etc/apache2/apache2.conf && ( is_debianversion stretch && ( test -h /etc/apache2/mods-enabled/status.load && test -h /etc/munin/plugins/apache_accesses && test -h /etc/munin/plugins/apache_processes && test -h /etc/munin/plugins/apache_accesses || echo 'IS_APACHEMUNIN FAILED!' ) )
|
||||
fi
|
||||
|
||||
|
||||
# Verification mytop + Munin si MySQL
|
||||
if [ "$IS_MYSQLUTILS" = 1 ]; then
|
||||
is_installed mysql-server && ( grep -q mysqladmin /root/.my.cnf && test -x /usr/bin/mytop && grep -q debian-sys-maint /root/.mytop || echo 'IS_MYSQLUTILS FAILED!' )
|
||||
fi
|
||||
|
||||
|
||||
# Verification de la configuration du raid soft (mdadm)
|
||||
if [ "$IS_RAIDSOFT" = 1 ]; then
|
||||
test -e /proc/mdstat && grep -q md /proc/mdstat && \
|
||||
|
@ -321,12 +329,12 @@ if [ -e /etc/debian_version ]; then
|
|||
&& grep -q "^START_DAEMON=true" /etc/default/mdadm \
|
||||
&& grep -qv "^MAILADDR ___MAIL___" /etc/mdadm/mdadm.conf || echo 'IS_RAIDSOFT FAILED!')
|
||||
fi
|
||||
|
||||
|
||||
# Verification du LogFormat de AWStats
|
||||
if [ "$IS_AWSTATSLOGFORMAT" = 1 ]; then
|
||||
is_installed apache2.2-common && ( grep -qE '^LogFormat=1' /etc/awstats/awstats.conf.local || echo 'IS_AWSTATSLOGFORMAT FAILED!' )
|
||||
fi
|
||||
|
||||
|
||||
# Verification de la présence de la config logrotate pour Munin
|
||||
if [ "$IS_MUNINLOGROTATE" = 1 ]; then
|
||||
( test -e /etc/logrotate.d/munin-node && test -e /etc/logrotate.d/munin ) || echo 'IS_MUNINLOGROTATE FAILED!'
|
||||
|
@ -336,21 +344,27 @@ if [ -e /etc/debian_version ]; then
|
|||
#if [ "$IS_METCHE" = 1 ]; then
|
||||
# is_installed metche || echo 'IS_METCHE FAILED!'
|
||||
#fi
|
||||
|
||||
|
||||
# Verification de l'activation de Squid dans le cas d'un pack mail
|
||||
if [ "$IS_SQUID" = 1 ]; then
|
||||
squidconffile=/etc/squid*/squid.conf
|
||||
is_debianversion squeeze && f=/etc/firewall.rc
|
||||
is_debianversion wheezy && f=/etc/firewall.rc
|
||||
is_debianversion jessie && f=/etc/default/minifirewall
|
||||
is_debianversion stretch && f=/etc/default/minifirewall && squidconffile=/etc/squid/evolinux-custom.conf
|
||||
is_debianversion stretch && squidconffile=/etc/squid/evolinux-custom.conf
|
||||
is_pack_web && ( is_installed squid || is_installed squid3 \
|
||||
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" $f \
|
||||
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d `hostname -i` -j ACCEPT" $f \
|
||||
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" $f \
|
||||
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* `grep http_port $squidconffile | cut -f 2 -d " "`" $f || echo 'IS_SQUID FAILED!' )
|
||||
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" $MINIFW_FILE \
|
||||
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d `hostname -i` -j ACCEPT" $MINIFW_FILE \
|
||||
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" $MINIFW_FILE \
|
||||
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* `grep http_port $squidconffile | cut -f 2 -d " "`" $MINIFW_FILE || echo 'IS_SQUID FAILED!' )
|
||||
fi
|
||||
|
||||
|
||||
if [ "$IS_EVOMAINTENANCE_FW" = 1 ]; then
|
||||
if [ -f "$MINIFW_FILE" ]; then
|
||||
rulesNumber=$(grep -c "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s .* -m state --state ESTABLISHED,RELATED -j ACCEPT" "$MINIFW_FILE")
|
||||
if [ "$rulesNumber" -lt 4 ]; then
|
||||
echo 'IS_EVOMAINTENANCE_FW FAILED!'
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
# Verification de la conf et de l'activation de mod-deflate
|
||||
if [ "$IS_MODDEFLATE" = 1 ]; then
|
||||
f=/etc/apache2/mods-enabled/deflate.conf
|
||||
|
@ -358,7 +372,7 @@ if [ -e /etc/debian_version ]; then
|
|||
&& grep -q "AddOutputFilterByType DEFLATE text/css" $f \
|
||||
&& grep -q "AddOutputFilterByType DEFLATE application/x-javascript application/javascript" $f || echo 'IS_MODDEFLATE FAILED!')
|
||||
fi
|
||||
|
||||
|
||||
# Verification de la conf log2mail
|
||||
if [ "$IS_LOG2MAILRUNNING" = 1 ]; then
|
||||
is_pack_web && (is_installed log2mail && pgrep log2mail >/dev/null || echo 'IS_LOG2MAILRUNNING')
|
||||
|
@ -378,7 +392,7 @@ if [ -e /etc/debian_version ]; then
|
|||
is_pack_web && ( is_installed log2mail && grep -q "^file = /var/log/squid.*/access.log" \
|
||||
/etc/log2mail/config/* 2>/dev/null || echo 'IS_LOG2MAILSQUID FAILED!' )
|
||||
fi
|
||||
|
||||
|
||||
# Verification si bind est chroote
|
||||
if [ "$IS_BINDCHROOT" = 1 ]; then
|
||||
if is_installed bind9 && $(netstat -utpln |grep "/named" |grep :53 |grep -qvE "(127.0.0.1|::1)"); then
|
||||
|
@ -391,23 +405,32 @@ if [ -e /etc/debian_version ]; then
|
|||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
# Verification de la présence du depot volatile
|
||||
if [ "$IS_REPVOLATILE" = 1 ]; then
|
||||
test `cat /etc/debian_version |cut -d "." -f 1` -eq 5 && (grep -qE "^deb http://volatile.debian.org/debian-volatile" /etc/apt/sources.list || echo 'IS_REPVOLATILE FAILED!')
|
||||
test `cat /etc/debian_version |cut -d "." -f 1` -eq 6 && (grep -qE "^deb.*squeeze-updates" /etc/apt/sources.list || echo 'IS_REPVOLATILE FAILED!')
|
||||
fi
|
||||
|
||||
|
||||
# /etc/network/interfaces should be present, we don't manage systemd-network yet
|
||||
if [ "$IS_NETWORK_INTERFACES" = 1 ]; then
|
||||
if ! test -f /etc/network/interfaces; then
|
||||
echo "IS_NETWORK_INTERFACES FAILED!"
|
||||
IS_AUTOIF=0
|
||||
IS_INTERFACESGW=0
|
||||
fi
|
||||
fi
|
||||
|
||||
# Verify if all if are in auto
|
||||
if [ "$IS_AUTOIF" = 1 ]; then
|
||||
is_debianversion stretch || for interface in `/sbin/ifconfig -s |tail -n +2 |egrep -v "^(lo|vnet|docker|veth|tun|tap|macvtap)" |cut -d " " -f 1 |tr "\n" " "`; do
|
||||
is_debianversion stretch || for interface in `/sbin/ifconfig -s |tail -n +2 |grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap)" |cut -d " " -f 1 |tr "\n" " "`; do
|
||||
grep -q "^auto $interface" /etc/network/interfaces || (echo 'IS_AUTOIF FAILED!' && break)
|
||||
done
|
||||
is_debianversion stretch && for interface in `/sbin/ip address show up | grep ^[0-9]*: |egrep -v "(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 2 |tr -d : |cut -d@ -f1 |tr "\n" " "`; do
|
||||
is_debianversion stretch && for interface in `/sbin/ip address show up | grep ^[0-9]*: |grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 2 |tr -d : |cut -d@ -f1 |tr "\n" " "`; do
|
||||
grep -q "^auto $interface" /etc/network/interfaces || (echo 'IS_AUTOIF FAILED!' && break)
|
||||
done
|
||||
fi
|
||||
|
||||
|
||||
# Network conf verification
|
||||
if [ "$IS_INTERFACESGW" = 1 ]; then
|
||||
number=$(grep -Ec "^[^#]*gateway [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" /etc/network/interfaces)
|
||||
|
@ -418,15 +441,15 @@ if [ -e /etc/debian_version ]; then
|
|||
|
||||
# Verification de la mise en place d'evobackup
|
||||
if [ "$IS_EVOBACKUP" = 1 ]; then
|
||||
ls /etc/cron* |grep -q "zz.backup$" || echo 'IS_EVOBACKUP FAILED!'
|
||||
ls /etc/cron* |grep -q "evobackup" || echo 'IS_EVOBACKUP FAILED!'
|
||||
fi
|
||||
|
||||
|
||||
# Verification de la presence du userlogrotate
|
||||
if [ "$IS_USERLOGROTATE" = 1 ]; then
|
||||
is_pack_web && (test -x /etc/cron.weekly/userlogrotate || echo 'IS_USERLOGROTATE FAILED!')
|
||||
fi
|
||||
|
||||
|
||||
|
||||
|
||||
# Verification de la syntaxe de la conf d'Apache
|
||||
if [ "$IS_APACHECTL" = 1 ]; then
|
||||
is_installed apache2.2-common && (/usr/sbin/apache2ctl configtest 2>&1 |grep -q "^Syntax OK$" || echo 'IS_APACHECTL FAILED!')
|
||||
|
@ -454,22 +477,22 @@ if [ -e /etc/debian_version ]; then
|
|||
fi
|
||||
is_installed apache2.2-common && ([ -e $muninconf ] && grep -vEq "^( |\t)*#" $muninconf && echo 'IS_MUNINAPACHECONF FAILED!')
|
||||
fi
|
||||
|
||||
|
||||
# Verification de la priorité du package samba si les backports sont utilisés
|
||||
if [ "$IS_SAMBAPINPRIORITY" = 1 ]; then
|
||||
is_pack_samba && grep -qrE "^[^#].*backport" /etc/apt/sources.list{,.d} && ( priority=`grep -E -A2 "^Package:.*samba" /etc/apt/preferences |grep -A1 "^Pin: release a=lenny-backports" |grep "^Pin-Priority:" |cut -f2 -d" "` && test $priority -gt 500 || echo 'IS_SAMBAPINPRIORITY FAILED!' )
|
||||
fi
|
||||
|
||||
|
||||
# Verification si le système doit redémarrer suite màj kernel.
|
||||
if [ "$IS_KERNELUPTODATE" = 1 ]; then
|
||||
if is_installed linux-image* && [ $(date -d $(ls --full-time -lcrt /boot | tail -n1 | tr -s " " | cut -d " " -f 6) +%s) -gt $(($(date +%s) - $(cut -f1 -d '.' /proc/uptime))) ]; then
|
||||
echo 'IS_KERNELUPTODATE FAILED!'
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
# Check if the server is running for more than a year.
|
||||
if [ "$IS_UPTIME" = 1 ]; then
|
||||
if is_installed linux-image* && [ $(date -d "now - 1 year" +%s) -gt $(($(date +%s) - $(cut -f1 -d '.' /proc/uptime))) ]; then
|
||||
if is_installed linux-image* && [ $(date -d "now - 2 year" +%s) -gt $(($(date +%s) - $(cut -f1 -d '.' /proc/uptime))) ]; then
|
||||
echo 'IS_UPTIME FAILED!'
|
||||
fi
|
||||
fi
|
||||
|
@ -499,7 +522,14 @@ if [ -e /etc/debian_version ]; then
|
|||
# Check if no package has been upgraded since $limit.
|
||||
if [ "$IS_NOTUPGRADED" = 1 ]; then
|
||||
last_upgrade=$(date +%s -d $(zgrep -h upgrade /var/log/dpkg.log* |sort -n |tail -1 |cut -f1 -d ' '))
|
||||
limit=$(date +%s -d "now - 60 days")
|
||||
if grep -q '^mailto="listupgrade-todo@' /etc/evolinux/listupgrade.cnf \
|
||||
|| grep -q -E '^[[:digit:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[^\*]' /etc/cron.d/listupgrade; then
|
||||
# Manual upgrade process
|
||||
limit=$(date +%s -d "now - 180 days")
|
||||
else
|
||||
# Regular process
|
||||
limit=$(date +%s -d "now - 90 days")
|
||||
fi
|
||||
if [ -f /var/log/evolinux/00_prepare_system.log ]; then
|
||||
install_date=$(stat -c %Z /var/log/evolinux/00_prepare_system.log)
|
||||
else
|
||||
|
@ -556,7 +586,7 @@ if [ -e /etc/debian_version ]; then
|
|||
if [ "$IS_BACKPORTSCONF" = 1 ]; then
|
||||
if is_debianversion stretch; then
|
||||
grep -q backports /etc/apt/sources.list && echo 'IS_BACKPORTSCONF FAILED!'
|
||||
grep -q backports /etc/apt/sources.list.d/*.list && (grep -q backports /etc/apt/preferences.d/* || echo 'IS_BACKPORTSCONF FAILED!')
|
||||
grep -q backports /etc/apt/sources.list.d/*.list 2>/dev/null && (grep -q backports /etc/apt/preferences.d/* || echo 'IS_BACKPORTSCONF FAILED!')
|
||||
fi
|
||||
fi
|
||||
|
||||
|
@ -668,8 +698,17 @@ if [ -e /etc/debian_version ]; then
|
|||
|
||||
if [ "$IS_MYSQLMUNIN" = 1 ]; then
|
||||
if is_debianversion stretch && is_installed mariadb-server; then
|
||||
for file in mysql_bytes mysql_queries mysql_slowqueries mysql_threads mysql_connections mysql_files_tables mysql_innodb_bpool mysql_innodb_bpool_act mysql_innodb_io mysql_innodb_log mysql_innodb_rows mysql_innodb_semaphores mysql_myisam_indexes mysql_qcache mysql_qcache_mem mysql_sorts mysql_tmp_tables; do
|
||||
test -L /etc/munin/plugins/$file || echo 'IS_MYSQLMUNIN FAILED!'
|
||||
for file in mysql_bytes mysql_queries mysql_slowqueries \
|
||||
mysql_threads mysql_connections mysql_files_tables \
|
||||
mysql_innodb_bpool mysql_innodb_bpool_act mysql_innodb_io \
|
||||
mysql_innodb_log mysql_innodb_rows mysql_innodb_semaphores \
|
||||
mysql_myisam_indexes mysql_qcache mysql_qcache_mem \
|
||||
mysql_sorts mysql_tmp_tables; do
|
||||
|
||||
if [[ ! -L /etc/munin/plugins/$file ]]; then
|
||||
echo 'IS_MYSQLMUNIN FAILED!'
|
||||
break
|
||||
fi
|
||||
done
|
||||
fi
|
||||
fi
|
||||
|
@ -707,6 +746,29 @@ if [ -e /etc/debian_version ]; then
|
|||
&& test -f /etc/squid/evolinux-custom.conf) || echo 'IS_SQUIDEVOLINUXCONF FAILED!'
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$IS_DUPLICATE_FS_LABEL" = 1 ]; then
|
||||
# Do it only if thereis blkid binary
|
||||
if [ -x "$(which blkid)" ]; then
|
||||
tmpFile=$(mktemp -p /tmp)
|
||||
for part in $(blkid | grep -v raid_member | grep -Eo ' LABEL=".*"' | cut -d'"' -f2); do
|
||||
echo "$part" >> "$tmpFile"
|
||||
done
|
||||
tmpOutput=$(sort < "$tmpFile" | uniq -d)
|
||||
# If there is no duplicate, uniq will have no output
|
||||
# So, if $tmpOutput is not null, there is a duplicate
|
||||
if [ -n "$tmpOutput" ]; then
|
||||
echo 'IS_DUPLICATE_FS_LABEL FAILED!'
|
||||
# For debug, you may echo the contents of $tmpOutput
|
||||
# echo $tmpOutput
|
||||
fi
|
||||
rm $tmpFile
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$IS_EVOLIX_USER" = 1 ]; then
|
||||
getent passwd evolix >/dev/null && echo 'IS_EVOLIX_USER FAILED!'
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
|
@ -715,19 +777,19 @@ if [ `uname -s` == "OpenBSD" ]; then
|
|||
if [ "$IS_SOFTDEP" = 1 ]; then
|
||||
grep -q "softdep" /etc/fstab || echo 'IS_SOFTDEP FAILED!'
|
||||
fi
|
||||
|
||||
|
||||
if [ "$IS_WHEEL" = 1 ]; then
|
||||
grep -qE "^%wheel.*$" /etc/sudoers || echo 'IS_WHEEL FAILED!'
|
||||
fi
|
||||
|
||||
|
||||
if [ "$IS_SUDOADMIN" = 1 ]; then
|
||||
grep -qE "^User_Alias ADMIN=.*$" /etc/sudoers || echo 'IS_SUDOADMIN FAILED!'
|
||||
fi
|
||||
|
||||
|
||||
if [ "$IS_PKGMIRROR" = 1 ]; then
|
||||
grep -qE "^export PKG_PATH=http://ftp\.fr\.openbsd\.org/pub/OpenBSD/[0-9.]+/packages/[a-z0-9]+/$" /root/.profile || echo 'IS_PKGMIRROR FAILED!'
|
||||
fi
|
||||
|
||||
|
||||
if [ "$IS_HISTORY" = 1 ]; then
|
||||
f=/root/.profile
|
||||
grep -q "^HISTFILE=\$HOME/.histfile" $f \
|
||||
|
@ -736,68 +798,68 @@ if [ `uname -s` == "OpenBSD" ]; then
|
|||
&& grep -q "^export HISTSIZE" $f \
|
||||
|| echo 'IS_HISTORY FAILED!'
|
||||
fi
|
||||
|
||||
|
||||
if [ "$IS_VIM" = 1 ]; then
|
||||
which vim 2>1 >> /dev/null || echo 'IS_VIM FAILED!'
|
||||
fi
|
||||
|
||||
|
||||
if [ "$IS_TTYC0SECURE" = 1 ]; then
|
||||
grep -Eqv "^ttyC0.*secure$" /etc/ttys || echo 'IS_TTYC0SECURE FAILED!'
|
||||
fi
|
||||
|
||||
|
||||
if [ "$IS_CUSTOMSYSLOG" = 1 ]; then
|
||||
grep -q Evolix /etc/newsyslog.conf || echo 'IS_CUSTOMSYSLOG FAILED!'
|
||||
fi
|
||||
|
||||
|
||||
if [ "$IS_NOINETD" = 1 ]; then
|
||||
grep -q inetd=NO /etc/rc.conf.local 2>/dev/null || echo 'IS_NOINETD FAILED!'
|
||||
fi
|
||||
|
||||
|
||||
if [ "$IS_SUDOMAINT" = 1 ]; then
|
||||
f=/etc/sudoers
|
||||
grep -q "Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh" $f \
|
||||
&& grep -q "ADMIN ALL=NOPASSWD: MAINT" $f \
|
||||
|| echo 'IS_SUDOMAINT FAILED!'
|
||||
fi
|
||||
|
||||
|
||||
if [ "$IS_POSTGRESQL" = 1 ]; then
|
||||
pkg info | grep -q postgresql-client || echo 'IS_POSTGRESQL FAILED!'
|
||||
fi
|
||||
|
||||
|
||||
if [ "$IS_NRPE" = 1 ]; then
|
||||
( pkg info | grep -qE "nagios-plugins-[0-9.]" \
|
||||
&& pkg info | grep -q nagios-plugins-ntp \
|
||||
&& pkg info | grep -q nrpe ) || echo 'IS_NRPE FAILED!'
|
||||
fi
|
||||
|
||||
|
||||
# if [ "$IS_NRPEDISKS" = 1 ]; then
|
||||
# NRPEDISKS=$(grep command.check_disk /etc/nrpe.cfg 2>/dev/null | grep ^command.check_disk[0-9] | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1)
|
||||
# DFDISKS=$(df -Pl | egrep -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)" | wc -l)
|
||||
# DFDISKS=$(df -Pl | grep -E -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)" | wc -l)
|
||||
# [ "$NRPEDISKS" = "$DFDISKS" ] || echo 'IS_NRPEDISKS FAILED!'
|
||||
# fi
|
||||
|
||||
|
||||
# Verification du check_mailq dans nrpe.cfg (celui-ci doit avoir l'option "-M postfix" si le MTA est Postfix)
|
||||
#
|
||||
#
|
||||
# if [ "$IS_NRPEPOSTFIX" = 1 ]; then
|
||||
# pkg info | grep -q postfix && ( grep -q "^command.*check_mailq -M postfix" /etc/nrpe.cfg 2>/dev/null || echo 'IS_NRPEPOSTFIX FAILED!' )
|
||||
# fi
|
||||
|
||||
|
||||
if [ "$IS_NRPEDAEMON" = 1 ]; then
|
||||
grep -q "echo -n ' nrpe'; /usr/local/sbin/nrpe -d" /etc/rc.local || echo 'IS_NREPEDAEMON FAILED!'
|
||||
fi
|
||||
|
||||
|
||||
if [ "$IS_ALERTBOOT" = 1 ]; then
|
||||
grep -qE "^date \| mail -sboot/reboot .*evolix.fr$" /etc/rc.local || echo 'IS_ALERTBOOT FAILED!'
|
||||
fi
|
||||
|
||||
|
||||
if [ "$IS_RSYNC" = 1 ]; then
|
||||
pkg info | grep -q rsync || echo 'IS_RSYNC FAILED!'
|
||||
fi
|
||||
|
||||
|
||||
if [ "$IS_CRONPATH" = 1 ]; then
|
||||
grep -q "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" /var/cron/tabs/root || echo 'IS_CRONPATH FAILED!'
|
||||
fi
|
||||
|
||||
|
||||
#TODO
|
||||
# - Check en profondeur de postfix
|
||||
# - NRPEDISK et NRPEPOSTFIX
|
||||
|
@ -816,8 +878,8 @@ if [ "$IS_USRSHARESCRIPTS" = 1 ]; then
|
|||
fi
|
||||
|
||||
if [ "$IS_SSHPERMITROOTNO" = 1 ]; then
|
||||
is_debianversion stretch || ( egrep -qi "PermitRoot.*no" /etc/ssh/sshd_config || echo 'IS_SSHPERMITROOTNO FAILED!' )
|
||||
is_debianversion stretch && grep -q ^PermitRoot /etc/ssh/sshd_config && ( egrep -qi "PermitRoot.*no" /etc/ssh/sshd_config || echo 'IS_SSHPERMITROOTNO FAILED!' )
|
||||
is_debianversion stretch || ( grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config || echo 'IS_SSHPERMITROOTNO FAILED!' )
|
||||
is_debianversion stretch && grep -q ^PermitRoot /etc/ssh/sshd_config && ( grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config || echo 'IS_SSHPERMITROOTNO FAILED!' )
|
||||
fi
|
||||
|
||||
if [ "$IS_EVOMAINTENANCEUSERS" = 1 ]; then
|
||||
|
@ -831,7 +893,7 @@ if [ "$IS_EVOMAINTENANCEUSERS" = 1 ]; then
|
|||
grep -q "^trap.*sudo.*evomaintenance.sh" /home/$i/.*profile || echo 'IS_EVOMAINTENANCEUSERS FAILED!'
|
||||
done
|
||||
else
|
||||
for i in $(getent group evolinux-sudo | cut -d':' -f4 | tr ',' ' '); do
|
||||
for i in $(getent group evolinux-sudo | cut -d':' -f4 | tr ',' ' '); do
|
||||
grep -q "^trap.*sudo.*evomaintenance.sh" /home/$i/.*profile || echo 'IS_EVOMAINTENANCEUSERS FAILED!'
|
||||
done
|
||||
fi
|
||||
|
|
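--- a/evocheck/tasks/cron.yml
+++ b/evocheck/tasks/cron.yml
@@ -0,0 +1,10 @@
+---
+
+- name: evocheck crontab is updated
+  template:
+    src: crontab.j2
+    dest: /etc/cron.d/evocheck
+    mode: "0644"
+    owner: root
+    group: root
+    force: yes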
|
@ -2,4 +2,4 @@
|
|||
- name: install evocheck from package
|
||||
apt:
|
||||
name: evocheck
|
||||
state: installed
|
||||
state: present
|
||||
|
|
|
@ -5,3 +5,6 @@
|
|||
|
||||
- include: install_package.yml
|
||||
when: evocheck_force_install == "package"
|
||||
|
||||
- include: cron.yml
|
||||
when: evocheck_update_crontab
|
||||
|
|
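--- a/evocheck/templates/crontab.j2
+++ b/evocheck/templates/crontab.j2
@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+
+33 1 1 * * root /usr/share/scripts/evocheck.sh
+33 1 2-31 * * root /usr/share/scripts/evocheck.sh --cron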
|
@ -37,9 +37,12 @@ evolinux_hostname_hosts: True
|
|||
evolinux_hostname_mailname: True
|
||||
|
||||
evolinux_hostname: "{{ ansible_hostname }}"
|
||||
evolinux_domain: "{{ ansible_domain }}"
|
||||
evolinux_fqdn: "{{ ansible_fqdn }}"
|
||||
evolinux_domain: "{{ ansible_domain }}"
|
||||
evolinux_fqdn: "{{ evolinux_hostname }}.{{ evolinux_domain }}"
|
||||
|
||||
evolinux_internal_hostname: "{{ evolinux_hostname }}"
|
||||
evolinux_internal_domain: "{{ evolinux_domain }}"
|
||||
evolinux_internal_fqdn: "{{ evolinux_internal_hostname }}.{{ evolinux_internal_domain }}"
|
||||
|
||||
# kernel
|
||||
|
||||
|
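Review bot: `evolinux_fqdn: "{{ evolinux_hostname }}.{{ evolinux_domain }}"` produces a name ending in a bare dot when `ansible_domain` is empty, and since this commit also feeds the same fqdn into /etc/hosts and Postfix `mydestination`, the malformed value would propagate to both. Consider guarding the join, e.g. `evolinux_fqdn: "{{ evolinux_hostname }}{% if evolinux_domain %}.{{ evolinux_domain }}{% endif %}"`, and likewise for `evolinux_internal_fqdn`; the replaced `{{ ansible_fqdn }}` did not have this edge case. Whether domain-less hosts exist in your inventory I can't tell from here.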
|
|
@ -1,9 +1,13 @@
|
|||
---
|
||||
|
||||
- name: /etc/evolinux exists
|
||||
file:
|
||||
dest: /etc/evolinux
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0700"
|
||||
state: directory
|
||||
### This is taken care of by the evolinux-todo role
|
||||
# - name: /etc/evolinux exists
|
||||
# file:
|
||||
# dest: /etc/evolinux
|
||||
# owner: root
|
||||
# group: root
|
||||
# mode: "0700"
|
||||
# state: directory
|
||||
|
||||
- include_role:
|
||||
name: evolinux-todo
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
- name: dbus is installed
|
||||
apt:
|
||||
name: dbus
|
||||
state: installed
|
||||
state: present
|
||||
|
||||
- name: Set hostname "{{ evolinux_hostname }}"
|
||||
hostname:
|
||||
|
@ -20,7 +20,7 @@
|
|||
lineinfile:
|
||||
dest: /etc/hosts
|
||||
regexp: '^{{ ansible_default_ipv4.address }}\s+'
|
||||
line: "{{ ansible_default_ipv4.address }} {{ evolinux_fqdn }} {{ evolinux_hostname }}"
|
||||
line: "{{ ansible_default_ipv4.address }} {{ [evolinux_fqdn, evolinux_internal_fqdn] | unique | join(' ') }} {{ [evolinux_hostname, evolinux_internal_hostname] | unique | join(' ') }}"
|
||||
insertafter: '127.0.0.1\s+localhost.localdomain'
|
||||
when: evolinux_hostname_hosts
|
||||
|
||||
|
|
|
@ -50,4 +50,17 @@
|
|||
reload: yes
|
||||
when: evolinux_kernel_cve20165696
|
||||
|
||||
- name: Patch for TCP stack vulnerability CVE-2018-5391 (FragmentSmack)
|
||||
sysctl:
|
||||
name: "{{ item.name }}"
|
||||
value: "{{ item.value }}"
|
||||
sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
|
||||
state: present
|
||||
reload: yes
|
||||
with_items:
|
||||
- { name: "net.ipv4.ipfrag_low_thresh", value: 196608 }
|
||||
- { name: "net.ipv6.ip6frag_low_thresh", value: 196608 }
|
||||
- { name: "net.ipv4.ipfrag_high_thresh", value: 262144 }
|
||||
- { name: "net.ipv6.ip6frag_high_thresh", value: 262144 }
|
||||
|
||||
- meta: flush_handlers
|
||||
|
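Review bot: The new CVE-2018-5391 sysctl task is unconditional, while the neighbouring CVE-2016-5696 task is gated by `when: evolinux_kernel_cve20165696`, so an operator who needs to keep the kernel's fragment-reassembly defaults (hosts with legitimately heavy fragmented traffic) has no switch. Suggest a matching toggle, e.g. `when: evolinux_kernel_cve20185391` with a `True` default declared in defaults/main.yml (constructed name — follow whatever the existing convention is). Also `reload: yes` runs once per `with_items` entry, giving four reloads where one would do; harmless, but a comment saying the low thresholds must be applied before the high ones would make the item order look deliberate.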
|
|
@ -26,7 +26,7 @@
|
|||
lineinfile:
|
||||
dest: /etc/postfix/main.cf
|
||||
state: present
|
||||
line: "mydestination = {{ evolinux_fqdn }} localhost.localdomain localhost"
|
||||
line: "mydestination = {{ [evolinux_fqdn, evolinux_internal_fqdn] | unique | join(' ') }} localhost.localdomain localhost"
|
||||
regexp: '^mydestination'
|
||||
notify: reload postfix
|
||||
tags:
|
||||
|
@ -61,6 +61,9 @@
|
|||
- postmaster
|
||||
- abuse
|
||||
- mailer-daemon
|
||||
- delay
|
||||
- error
|
||||
- bounce
|
||||
notify: newaliases
|
||||
when: evolinux_postfix_mailer_alias_root
|
||||
tags:
|
||||
|
|
|
@ -14,7 +14,7 @@
|
|||
}
|
||||
#container {
|
||||
padding-top: 20px;
|
||||
width: 500px;
|
||||
width: 768px;
|
||||
margin: auto;
|
||||
overflow: hidden;
|
||||
}
|
||||
|
@ -24,7 +24,7 @@
|
|||
border-bottom: 1px solid #a9a9a9;
|
||||
background-image: url(./img/background-top.png);
|
||||
background-repeat: no-repeat;
|
||||
background-position: 245px 5px;
|
||||
background-position: 510px 5px;
|
||||
}
|
||||
ul {
|
||||
list-style-type: none;
|
||||
|
|
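--- a/evolinux-todo/README.md
+++ b/evolinux-todo/README.md
@@ -0,0 +1,15 @@
+# evocheck
+
+Creates an /etc/evolinux/todo.txt file to hold information about things to do, gathered by humans or other Ansible tasks
+
+## Tasks
+
+The main tasks install the default file if missing.
+
+A separate `cat.yml` file can be imported manually in playbooks or roles to get the content of the file. Example :
+
+```
+- include_role:
+    name: evolinux-todo
+    tasks_from: cat.yml
+```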
0
evolinux-todo/files/todo.defaults.txt
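--- a/evolinux-todo/meta/main.yml
+++ b/evolinux-todo/meta/main.yml
@@ -0,0 +1,30 @@
+galaxy_info:
+  author: Jeremy Lecour
+  description: Install evolinux-todo
+  company: Evolix
+
+  issue_tracker_url: https://forge.evolix.org/projects/evocheck/issues
+
+  license: GPLv2
+
+  min_ansible_version: 2.2
+
+  platforms:
+    - name: Debian
+      versions:
+        - jessie
+        - stretch
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is
+    # a keyword that describes and categorizes the role.
+    # Users find roles by searching for tags. Be sure to
+    # remove the '[]' above if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of
+    # alphanumeric characters. Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line.
+  # Be sure to remove the '[]' above if you add dependencies
+  # to this list.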
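Review bot: `issue_tracker_url` points at the evocheck project (`https://forge.evolix.org/projects/evocheck/issues`), while the java role's meta in this same commit uses `https://forge.evolix.org/projects/ansible-roles/issues`; this looks like a copy-paste leftover and should name the repository the role actually lives in. `description: Install evolinux-todo` could also say what the role does, as the README does: `description: Create and maintain /etc/evolinux/todo.txt`.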
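--- a/evolinux-todo/tasks/cat.yml
+++ b/evolinux-todo/tasks/cat.yml
@@ -0,0 +1,13 @@
+---
+
+- name: cat /etc/evolinux/todo.txt
+  command: "cat /etc/evolinux/todo.txt"
+  register: evolinux_todo
+  changed_when: False
+  failed_when: False
+  check_mode: no
+
+- name: "Content of /etc/evolinux/todo.txt"
+  debug:
+    var: evolinux_todo.stdout_lines
+  when: evolinux_todo.stdout != ""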
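--- a/evolinux-todo/tasks/main.yml
+++ b/evolinux-todo/tasks/main.yml
@@ -0,0 +1,14 @@
+---
+
+- name: /etc/evolinux is present
+  file:
+    dest: /etc/evolinux
+    mode: "0700"
+    state: directory
+
+- name: /etc/evolinux/todo.txt is present
+  copy:
+    src: todo.defaults.txt
+    dest: /etc/evolinux/todo.txt
+    mode: "0640"
+    force: no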
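Review bot: Both tasks set only `mode`, leaving owner and group implicit, whereas the evolinux-base task this role replaces (now commented out in evolinux-base/tasks/main.yml in this same commit) set `owner: root` and `group: root` on /etc/evolinux explicitly; if the directory or todo.txt already exists with other ownership, `file` and `copy` keep it, and a 0700/0640 mode only protects what root owns. Adding `owner: root` and `group: root` to both tasks restores the previous guarantee.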
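--- a/evolinux-todo/tests/test.yml
+++ b/evolinux-todo/tests/test.yml
@@ -0,0 +1,4 @@
+---
+- hosts: test-kitchen
+  roles:
+    - role: evolinux-todo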
|
@ -5,6 +5,7 @@ User_Alias ADMINS = {{ user.name }}
|
|||
|
||||
nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
|
||||
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall
|
||||
nagios ALL = NOPASSWD: /usr/sbin/bkctld check
|
||||
nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt
|
||||
|
||||
ADMINS ALL = (ALL:ALL) ALL
|
||||
|
|
|
@ -4,6 +4,7 @@ Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts
|
|||
|
||||
nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
|
||||
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall
|
||||
nagios ALL = NOPASSWD: /usr/sbin/bkctld check
|
||||
nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt
|
||||
|
||||
%{{ evolinux_sudo_group }} ALL=(ALL:ALL) ALL
|
||||
|
|
|
@ -12,6 +12,8 @@ Main variables are :
|
|||
|
||||
* `general_alert_email`: email address to send various alert messages (default: `root@localhost`).
|
||||
* `fail2ban_alert_email`: email address for messages sent to root (default: `general_alert_email`).
|
||||
* `fail2ban_ignore_ips`: list of IPs to ignore (default: empty).
|
||||
* `fail2ban_default_ignore_ips`: default list of IPs to ignore (default: empty).
|
||||
* `fail2ban_additional_ignore_ips`: additional list of IPs to ignore (default: empty).
|
||||
* `fail2ban_disable_ssh`: if true, the "sshd" filter is disabled, otherwise nothing is done, not even enabling the filter (default: `False`).
|
||||
|
||||
The full list of variables (with default values) can be found in `defaults/main.yml`.
|
||||
|
|
|
@ -2,9 +2,14 @@
|
|||
general_alert_email: "root@localhost"
|
||||
fail2ban_alert_email: Null
|
||||
|
||||
# Note: there are 2 variable to allow various overrides, but they are merged.
|
||||
# "127.0.0.1/8" is always added to the list, even if the following lists are empty.
|
||||
fail2ban_default_ignore_ips: []
|
||||
fail2ban_additional_ignore_ips: []
|
||||
fail2ban_ignore_ips: "{{ fail2ban_default_ignore_ips | union(fail2ban_additional_ignore_ips) | unique }}"
|
||||
# WARN: setting this to True will overwrite the list of ignored IP
|
||||
fail2ban_force_update_ignore_ips: False
|
||||
|
||||
fail2ban_wordpress: False
|
||||
fail2ban_roundcube: False
|
||||
|
||||
fail2ban_disable_ssh: False
|
||||
|
|
|
@ -15,6 +15,9 @@
|
|||
tags:
|
||||
- fail2ban
|
||||
|
||||
- set_fact:
|
||||
fail2ban_ignore_ips: "{{ fail2ban_default_ignore_ips | union(fail2ban_additional_ignore_ips) | unique }}"
|
||||
|
||||
- name: local jail is installed
|
||||
template:
|
||||
src: jail.local.j2
|
||||
|
@ -25,6 +28,28 @@
|
|||
tags:
|
||||
- fail2ban
|
||||
|
||||
- name: update ignoreips lists
|
||||
ini_file:
|
||||
dest: /etc/fail2ban/jail.local
|
||||
section: "[DEFAULT]"
|
||||
option: "ignoreips"
|
||||
value: "{{ fail2ban_ignore_ips | join(' ') }}"
|
||||
notify: restart fail2ban
|
||||
when: fail2ban_force_update_ignore_ips
|
||||
tags:
|
||||
- fail2ban
|
||||
|
||||
- name: Disable SSH filter
|
||||
ini_file:
|
||||
dest: /etc/fail2ban/jail.local
|
||||
section: sshd
|
||||
option: enabled
|
||||
value: false
|
||||
notify: restart fail2ban
|
||||
when: fail2ban_disable_ssh
|
||||
tags:
|
||||
- fail2ban
|
||||
|
||||
- name: custom filters are installed
|
||||
copy:
|
||||
src: "{{ item }}"
|
||||
|
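Review bot: The "update ignoreips lists" task writes `option: "ignoreips"`, but the fail2ban key is `ignoreip` (singular, exactly as this role's own jail.local.j2 writes it), so when `fail2ban_force_update_ignore_ips` is true the task adds a key fail2ban ignores and the running jail keeps its old whitelist. As far as I can tell ini_file takes the bare section name and adds the brackets itself, so `section: "[DEFAULT]"` would create a `[[DEFAULT]]` section; `section: DEFAULT` and `option: ignoreip` are the intended lines. The value also drops the `127.0.0.1/8` the template always includes; `value: "{{ ['127.0.0.1/8'] | union(fail2ban_ignore_ips) | unique | join(' ') }}"` keeps both write paths consistent. The preceding `set_fact` recomputes the expression already given in defaults/main.yml and looks redundant.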
|
|
@ -3,7 +3,7 @@
|
|||
[DEFAULT]
|
||||
|
||||
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
|
||||
ignoreip = {{ (['127.0.0.1/8'] + fail2ban_ignore_ips) | join(' ') }}
|
||||
ignoreip = {{ ['127.0.0.1/8'] | union(fail2ban_ignore_ips) | unique | join(' ') }}
|
||||
|
||||
bantime = 600
|
||||
maxretry = 3
|
||||
|
|
|
@ -6,7 +6,7 @@ if [ $(id -u) != 0 ]; then
|
|||
fi
|
||||
|
||||
is_pkg_installed() {
|
||||
dpkg -l "$1" 2>/dev/null | grep -q '^ii'
|
||||
dpkg -l "$1" 2>/dev/null | grep -q -E '^(i|h)i'
|
||||
}
|
||||
|
||||
get_pkg_version() {
|
||||
|
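Review bot: `dpkg -l "$1" 2>/dev/null | grep -q -E '^(i|h)i'` now accepts held-and-installed packages as intended, but `dpkg -l` is a human-oriented listing (header lines, truncated columns) and the `2>/dev/null` also hides the case where `$1` is not a known package name. `dpkg-query -W -f='${db:Status-Abbrev}' "$1" 2>/dev/null | grep -q -E '^(i|h)i'` yields the same two status letters from the machine-readable interface. The function is fully visible in the hunk; the neighbouring get_pkg_version starts past its end.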
|
|
@ -8,7 +8,7 @@ Everything is in the `tasks/main.yml` file.
|
|||
|
||||
## Available variables
|
||||
|
||||
* `haproxy_jessie_backports` : on Debian Jessie, we can prefer v1.7 from backports (default: `False`)
|
||||
* `haproxy_backports` : We can either prefer v1.7 from backports for Debian Jessie or v1.8 for Debian Stretch (default: `False`)
|
||||
|
||||
## Configuration templates
|
||||
|
||||
|
|
|
@ -1,3 +1,4 @@
|
|||
---
|
||||
haproxy_jessie_backports: False
|
||||
# backward compatibility with a previously used variable
|
||||
haproxy_backports: "{{ haproxy_jessie_backports | default(false, true) }}"
|
||||
haproxy_stats_url: "http://127.0.0.1:8080/"
|
||||
|
|
|
@ -1,3 +0,0 @@
|
|||
Package: haproxy libssl1.0.0
|
||||
Pin: release a=jessie-backports
|
||||
Pin-Priority: 999
|
|
@ -2,18 +2,18 @@
|
|||
- name: ssl-cert package is installed
|
||||
apt:
|
||||
name: ssl-cert
|
||||
state: installed
|
||||
state: present
|
||||
tags:
|
||||
- haproxy
|
||||
- packages
|
||||
|
||||
- include: packages_jessie_backports.yml
|
||||
when: ansible_distribution_release == "jessie" and haproxy_jessie_backports
|
||||
- include: packages_backports.yml
|
||||
when: haproxy_backports
|
||||
|
||||
- name: Install HAProxy package
|
||||
apt:
|
||||
name: haproxy
|
||||
state: installed
|
||||
state: present
|
||||
tags:
|
||||
- haproxy
|
||||
- packages
|
||||
|
|
|
@ -1,4 +1,6 @@
|
|||
---
|
||||
- include_role:
|
||||
name: remount-usr
|
||||
|
||||
- name: "Install check_haproxy_stats script"
|
||||
copy:
|
||||
|
|
|
@ -7,9 +7,9 @@
|
|||
- haproxy
|
||||
- packages
|
||||
|
||||
- name: Prefer HAProxy package from jessie-backports
|
||||
copy:
|
||||
src: haproxy_apt_preferences
|
||||
- name: Prefer HAProxy package from backports
|
||||
template:
|
||||
src: haproxy_apt_preferences.j2
|
||||
dest: /etc/apt/preferences.d/999-haproxy
|
||||
force: yes
|
||||
mode: "0640"
|
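--- a/haproxy/templates/haproxy_apt_preferences.j2
+++ b/haproxy/templates/haproxy_apt_preferences.j2
@@ -0,0 +1,3 @@
+Package: haproxy libssl1.0.0
+Pin: release a={{ ansible_distribution_release }}-backports
+Pin-Priority: 999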
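Review bot: `Package: haproxy libssl1.0.0` was carried over from the jessie-only preferences file this template replaces, but the release is now `{{ ansible_distribution_release }}-backports`; on stretch the libssl1.0.0 entry is presumably irrelevant (the stretch backport should link against a newer libssl, if I recall correctly), so pinning it at priority 999 to stretch-backports is at best a no-op and at worst pulls an unintended library version should one appear there. Consider making the package list release-dependent, e.g. `Package: haproxy{% if ansible_distribution_release == "jessie" %} libssl1.0.0{% endif %}`, or add a comment explaining why the extra package is pinned.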
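--- a/java/.kitchen.yml
+++ b/java/.kitchen.yml
@@ -0,0 +1,28 @@
+---
+driver:
+  name: docker
+  privileged: true
+  use_sudo: false
+
+provisioner:
+  name: ansible_playbook
+  hosts: test-kitchen
+  roles_path: ../
+  ansible_verbose: true
+  require_ansible_source: false
+  require_chef_for_busser: false
+  idempotency_test: true
+
+platforms:
+  - name: debian
+    driver_config:
+      image: evolix/ansible:2.2.1
+
+suites:
+  - name: default
+    provisioner:
+      name: ansible_playbook
+      playbook: ./tests/test.yml
+
+transport:
+  max_ssh_sessions: 6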
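--- a/java/README.md
+++ b/java/README.md
@@ -0,0 +1,14 @@
+# java
+
+Install OpenJDK or OracleJDK
+
+## Tasks
+
+* `openjdk.yml` : install of OpenJDK
+* `oracle.yml` : install or OracleJDK
+
+## Available variables
+
+* `java_alternative`: choose between openjdk or oraclejdk (default to openjdk)
+* `java_version`: java version (default to 8)
+* `java_default_alternative`: make this verison the default alternative (default to true)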
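--- a/java/defaults/main.yml
+++ b/java/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+java_alternative: 'openjdk'
+java_version: 8
+java_default_alternative: True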
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
galaxy_info:
|
||||
author: Evolix
|
||||
description: Installation of Java 8
|
||||
description: Installation of Java
|
||||
|
||||
issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
|
||||
|
||||
|
@ -13,3 +13,4 @@ galaxy_info:
|
|||
- name: Debian
|
||||
versions:
|
||||
- jessie
|
||||
- stretch
|
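--- a/java/tasks/main.yml
+++ b/java/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+- fail:
+    msg: "This role support only java 8 for now !"
+  when: java_version != 8
+
+- include: openjdk.yml
+  when: "{{ java_alternative == 'openjdk' }}"
+
+- include: oracle.yml
+  when: "{{ java_alternative == 'oracle' }}"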
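Review bot: The two include conditions wrap the test in Jinja delimiters (`when: "{{ java_alternative == 'openjdk' }}"`), although `when` is already evaluated as an expression; the `fail` task in this same file uses the plain form `when: java_version != 8`, so `when: java_alternative == 'openjdk'` and `when: java_alternative == 'oracle'` would be consistent and avoid the templated-conditional warning. The accepted value is also documented inconsistently: the new README tells users to choose between `openjdk` or `oraclejdk`, while the include here tests for `'oracle'`, so someone following the README gets neither file included and no error. A second `fail` task for an unrecognised `java_alternative`, next to the existing version check, would surface that mismatch.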
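--- a/java/tasks/openjdk.yml
+++ b/java/tasks/openjdk.yml
@@ -0,0 +1,31 @@
+---
+- name: Decide which Debian release to use
+  set_fact:
+    java_apt_release: '{% if ansible_distribution_release == "jessie" %}jessie-backports{% else %}{{ ansible_distribution_release }}{% endif %}'
+  tags:
+    - java
+
+- name: Install jessie-backports
+  include_role:
+    name: apt
+    tasks_from: backports.yml
+  when: ansible_distribution_release == "jessie"
+  tags:
+    - java
+
+- name: Install openjdk package
+  apt:
+    name: "openjdk-{{ java_version}}-jre-headless"
+    default_release: "{{ java_apt_release }}"
+    state: present
+  tags:
+    - java
+    - packages
+
+- name: This openjdk version is the default alternative
+  alternatives:
+    name: java
+    path: "/usr/lib/jvm/java-{{ java_version }}-openjdk-amd64/jre/bin/java"
+  when: java_default_alternative
+  tags:
+    - java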
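--- a/java/tasks/oracle.yml
+++ b/java/tasks/oracle.yml
@@ -0,0 +1,58 @@
+---
+- name: Install dependencies for build java package
+  apt:
+    name: "{{ item }}"
+    state: present
+  with_items:
+    - java-package
+    - build-essential
+  tags:
+    - java
+
+- name: Create jvm dir
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: "0777"
+  with_items:
+    - /srv/java-package
+    - /srv/java-package/src
+    - /srv/java-package/tmp
+  tags:
+    - java
+
+- name: Get Oracle jre archive
+  get_url:
+    url: 'http://download.oracle.com/otn-pub/java/jdk/8u172-b11/a58eab1ec242421181065cdc37240b08/jre-8u172-linux-x64.tar.gz'
+    dest: '/srv/java-package/src/'
+    checksum: 'sha256:f08f25aec2bdc86138ccba8fd5b904451e3afa1d24a88c85f28c2d84bfd45bad'
+    headers: 'Cookie: oraclelicense=accept-securebackup-cookie'
+    mode: "0644"
+  tags:
+    - java
+
+- name: Make Debian package from Oracle JDK archive
+  shell: "yes | TMPDIR=/srv/java-package/tmp make-jpkg /srv/java-package/src/jre-8u172-linux-x64.tar.gz"
+  args:
+    chdir: /srv/java-package
+    creates: /srv/java-package/oracle-java8-jre_8u172_amd64.deb
+  become: False
+  tags:
+    - java
+
+- include_role:
+    name: remount-usr
+
+- name: Install java package
+  apt:
+    deb: /srv/java-package/oracle-java8-jre_8u172_amd64.deb
+  tags:
+    - java
+
+- name: This openjdk version is the default alternative
+  alternatives:
+    name: java
+    path: "/usr/lib/jvm/jre-{{ java_version }}-oracle-x64/bin/java"
+  when: java_default_alternative
+  tags:
+    - java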
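Review bot: "Create jvm dir" makes /srv/java-package and its src and tmp subdirectories `mode: "0777"`, and the following tasks download the archive there, build a .deb in it with `become: False`, then install that .deb as root through `apt: deb:`; with world-writable directories any local account can replace the tarball or the finished package between those steps, and the `creates:` guard means an already-present .deb is never rebuilt, so the privileged install trusts content that unprivileged users can write. Create the directories with `mode: "0755"` and an explicit `owner:` set to the account make-jpkg runs as (the connection user, given `become: False`) rather than opening them to everyone. The sha256 `checksum` on `get_url` covers the download itself but says nothing about what sits in the directory at install time. The last task's name "This openjdk version is the default alternative" was copied from openjdk.yml and should say Oracle.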
|
@ -1,4 +1,4 @@
|
|||
---
|
||||
- hosts: test-kitchen
|
||||
roles:
|
||||
- role: java8
|
||||
- role: java
|
|
@ -1,11 +0,0 @@
|
|||
# java8
|
||||
|
||||
Install OpenJDK 1.8 (from jessie-backports)
|
||||
|
||||
## Tasks
|
||||
|
||||
Everything is in the `tasks/main.yml` file.
|
||||
|
||||
## Available variables
|
||||
|
||||
* `java8_default_alternative`: make this verison the default alternative (defaults to true)
|
|
@ -1,2 +0,0 @@
|
|||
---
|
||||
java8_default_alternative: True
|
|
@ -1,27 +0,0 @@
|
|||
---
|
||||
- name: Decide which Debian release to use
|
||||
set_fact:
|
||||
java8_apt_release: '{% if ansible_distribution_release == "jessie" %}jessie-backports{% else %}{{ ansible_distribution_release }}{% endif %}'
|
||||
|
||||
- name: install jessie-backports
|
||||
include_role:
|
||||
name: apt
|
||||
tasks_from: backports.yml
|
||||
when: ansible_distribution_release == "jessie"
|
||||
|
||||
- name: Java 8 is installed
|
||||
apt:
|
||||
name: openjdk-8-jre-headless
|
||||
default_release: "{{ java8_apt_release }}"
|
||||
state: present
|
||||
tags:
|
||||
- java
|
||||
- packages
|
||||
|
||||
- name: Java 8 is the default alternative
|
||||
alternatives:
|
||||
name: java
|
||||
path: /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java
|
||||
when: java8_default_alternative
|
||||
tags:
|
||||
- java
|
|
@ -24,4 +24,4 @@ galaxy_info:
|
|||
# alphanumeric characters. Maximum 20 tags per role.
|
||||
|
||||
dependencies:
|
||||
- java8
|
||||
- { role: java, java_alternative: 'openjdk', java_version: 8 }
|
||||
|
|
|
@ -50,6 +50,22 @@
|
|||
insertafter: '^#server.basePath:'
|
||||
notify: restart kibana
|
||||
|
||||
- name: kibana log destination is present
|
||||
file:
|
||||
dest: /var/log/kibana
|
||||
owner: kibana
|
||||
group: kibana
|
||||
mode: "0750"
|
||||
state: directory
|
||||
|
||||
- name: kibana log messages go to custom file
|
||||
lineinfile:
|
||||
dest: /etc/kibana/kibana.yml
|
||||
line: "logging.dest: \"/var/log/kibana/kibana.log\""
|
||||
regexp: '^logging.dest:'
|
||||
insertafter: '^#logging.dest:'
|
||||
notify: restart kibana
|
||||
|
||||
- name: Kibana service is enabled and started
|
||||
systemd:
|
||||
name: kibana
|
||||
|
|
|
@ -5,15 +5,6 @@
|
|||
|
||||
- include: packages.yml
|
||||
|
||||
- include_role:
|
||||
name: remount-usr
|
||||
|
||||
- name: Copy add-vm script
|
||||
get_url:
|
||||
url: https://forge.evolix.org/projects/kvm-tools/repository/revisions/master/raw/add-vm.sh
|
||||
dest: /usr/share/scripts/add-vm.sh
|
||||
mode: "0750"
|
||||
|
||||
- include: munin.yml
|
||||
|
||||
- include: images.yml
|
||||
|
|
|
@ -10,3 +10,4 @@
|
|||
- virtinst
|
||||
- libvirt-daemon-system
|
||||
- libvirt-clients
|
||||
- kvm-tools
|
||||
|
|
|
@ -14,4 +14,4 @@ galaxy_info:
|
|||
- jessie
|
||||
|
||||
dependencies:
|
||||
- java8
|
||||
- { role: java, java_alternative: 'openjdk', java_version: 8 }
|
||||
|
|
|
@ -15,5 +15,14 @@ Main variables are :
|
|||
* `memcached_port`: opened port (default: `11211`) ;
|
||||
* `memcached_bind_interface`: interface to listen to (default: `127.0.0.1`) ;
|
||||
* `memcached_connections`: number of simultaneous incoming connections (default: `1024`) ;
|
||||
* `memcached_instance_name`: use this to set up multiple memcached instances (default: `False`) ;
|
||||
|
||||
The full list of variables (with default values) can be found in `defaults/main.yml`.
|
||||
|
||||
## Multiple intances
|
||||
|
||||
When using memcached_instance_name variable, you can set up multiple memcached instances :
|
||||
|
||||
roles:
|
||||
- { role: memcached, memcached_instance_name: "instance1" }
|
||||
- { role: memcached, memcached_instance_name: "instance2", memcached_port: 11212 }
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
---
|
||||
memcached_instance_name: ""
|
||||
memcached_logfile: '/var/log/memcached.log'
|
||||
memcached_mem: 64
|
||||
memcached_user: 'nobody'
|
||||
|
|
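--- a/memcached/files/memcached@.service
+++ b/memcached/files/memcached@.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=memcached daemon
+After=network.target
+ConditionPathExists=/etc/memcached_%i.conf
+
+[Service]
+ExecStart=/usr/share/memcached/scripts/systemd-memcached-wrapper /etc/memcached_%i.conf
+
+[Install]
+WantedBy=multi-user.target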
|
@ -3,7 +3,7 @@
|
|||
name: memcached
|
||||
state: present
|
||||
tags:
|
||||
- memcached
|
||||
- memcached
|
||||
|
||||
- name: Memcached is configured.
|
||||
template:
|
||||
|
@ -12,7 +12,8 @@
|
|||
mode: "0644"
|
||||
notify: restart memcached
|
||||
tags:
|
||||
- memcached
|
||||
- memcached
|
||||
when: memcached_instance_name == ""
|
||||
|
||||
- name: Memcached is running and enabled on boot.
|
||||
service:
|
||||
|
@ -20,7 +21,54 @@
|
|||
enabled: yes
|
||||
state: started
|
||||
tags:
|
||||
- memcached
|
||||
- memcached
|
||||
when: memcached_instance_name == ""
|
||||
|
||||
- name: Add systemd template
|
||||
copy:
|
||||
src: memcached@.service
|
||||
dest: /etc/systemd/system/memcached@.service
|
||||
tags:
|
||||
- memcached
|
||||
when: memcached_instance_name != ""
|
||||
|
||||
- name: Delete default memcached systemd configuration file
|
||||
systemd:
|
||||
name: memcached
|
||||
enabled: false
|
||||
state: stopped
|
||||
tags:
|
||||
- memcached
|
||||
when: memcached_instance_name != ""
|
||||
|
||||
- name: Make sure memcached.conf is absent
|
||||
file:
|
||||
path: /etc/memcached.conf
|
||||
state: absent
|
||||
tags:
|
||||
- memcached
|
||||
when: memcached_instance_name != ""
|
||||
|
||||
- name: Create a configuration file
|
||||
template:
|
||||
src: memcached.conf.j2
|
||||
dest: /etc/memcached_{{ memcached_instance_name }}.conf
|
||||
mode: "0644"
|
||||
tags:
|
||||
- memcached
|
||||
when: memcached_instance_name != ""
|
||||
|
||||
- name: Enable and start the memcached instance
|
||||
systemd:
|
||||
name: memcached@{{ memcached_instance_name }}
|
||||
enabled: yes
|
||||
state: started
|
||||
daemon_reload: yes
|
||||
masked: no
|
||||
tags:
|
||||
- memcached
|
||||
when: memcached_instance_name != ""
|
||||
|
||||
- include: munin.yml
|
||||
|
||||
- include: nrpe.yml
|
||||
|
|
|
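Review bot: `memcached_instance_name` is interpolated unvalidated into a filesystem path (`dest: /etc/memcached_{{ memcached_instance_name }}.conf`) and into a systemd instance name (`memcached@{{ memcached_instance_name }}`); a value containing `/`, whitespace or `..` would write the configuration outside `/etc` or make the `systemd` task fail with an unclear error. An assertion at the top of the multi-instance branch, e.g. `- assert: { that: "memcached_instance_name is match('^[A-Za-z0-9_.-]+$')" }` guarded by `when: memcached_instance_name != ""`, fails early with a clear message. The task named "Delete default memcached systemd configuration file" only stops and disables the default unit and deletes nothing; `- name: Default memcached service is stopped and disabled` would describe what it does. The unit file is installed with `copy:` and no `mode:`, so its permissions follow the controller's umask; `mode: "0644"` pins them like the configuration file below does.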
@ -1,4 +1,8 @@
|
|||
---
|
||||
- name: Choose packages (Oracle)
|
||||
set_fact:
|
||||
multi: "multi_"
|
||||
when: memcached_instance_name != False
|
||||
|
||||
- name: is Munin present ?
|
||||
stat:
|
||||
|
@ -21,7 +25,7 @@
|
|||
- name: Enable core Munin plugins
|
||||
file:
|
||||
src: '/usr/share/munin/plugins/memcached_'
|
||||
dest: /etc/munin/plugins/{{ item }}
|
||||
dest: /etc/munin/plugins/{{ multi }}{{ item }}
|
||||
state: link
|
||||
with_items:
|
||||
- memcached_bytes
|
||||
|
|
|
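Review bot: The new `when: memcached_instance_name != False` does not agree with the rest of the role, which defaults the variable to `""` (defaults/main.yml) and tests `!= ""` in tasks/main.yml; in Jinja2 `"" != False` is true, so `multi` becomes `multi_` on single-instance hosts too and the plugin links in the second hunk are created as `multi_memcached_*`. The condition should be `when: memcached_instance_name != ""`, and because a skipped `set_fact` leaves `multi` undefined, the link destination should read `dest: /etc/munin/plugins/{{ multi | default('') }}{{ item }}`. The task name "Choose packages (Oracle)" is left over from the mysql role and says nothing about Munin; `- name: Set the Munin plugin prefix for multi-instance setups` describes the `set_fact`. The `with_items` list of the link task continues outside the hunk.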
@ -1,4 +1,7 @@
|
|||
---
|
||||
- include_role:
|
||||
name: remount-usr
|
||||
|
||||
- name: Is nrpe present ?
|
||||
stat:
|
||||
path: /etc/nagios/nrpe.d/evolix.cfg
|
||||
|
@ -15,12 +18,13 @@
|
|||
dest: /usr/local/lib/nagios/plugins/
|
||||
mode: "0755"
|
||||
|
||||
# TODO: install a "multi-instances" check if the memcached_instance_name variable is not null
|
||||
|
||||
- name: Add NRPE check
|
||||
lineinfile:
|
||||
name: /etc/nagios/nrpe.d/evolix.cfg
|
||||
regexp: '^command\[check_memcached\]='
|
||||
line: 'command[check_memcached]=/usr/local/lib/nagios/plugins/check_memcached.pl -H 127.0.0.1'
|
||||
line: 'command[check_memcached]=/usr/local/lib/nagios/plugins/check_memcached.pl -H 127.0.0.1 -p {{ memcached_port }}'
|
||||
notify: restart nagios-nrpe-server
|
||||
|
||||
when: nrpe_evolix_config.stat.exists
|
||||
|
||||
|
|
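Review bot: The updated `line:` passes `-p {{ memcached_port }}` but still hard-codes `-H 127.0.0.1`, while the role exposes `memcached_bind_interface` (README default `127.0.0.1`); once memcached is bound elsewhere the check reports a failure for a running daemon, so `-H {{ memcached_bind_interface }} -p {{ memcached_port }}` keeps the check aligned with the listener. Because `lineinfile` matches on `^command\[check_memcached\]=`, applying the role twice for two instances, as the README now shows, leaves only the last instance monitored; the TODO comment records this, but until the multi-instance check exists the command name could carry the instance (e.g. `check_memcached_{{ memcached_instance_name }}` in both `regexp` and `line` when the variable is set) so each instance gets its own entry instead of silently overwriting the previous one.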
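--- /dev/null
+++ b/metricbeat/.kitchen.yml
@@ -0,0 +1,28 @@
+---
+driver:
+  name: docker
+  privileged: true
+  use_sudo: false
+
+provisioner:
+  name: ansible_playbook
+  hosts: test-kitchen
+  roles_path: ../
+  ansible_verbose: true
+  require_ansible_source: false
+  require_chef_for_busser: false
+  idempotency_test: true
+
+platforms:
+  - name: debian
+    driver_config:
+      image: evolix/ansible:2.2.1
+
+suites:
+  - name: default
+    provisioner:
+      name: ansible_playbook
+      playbook: ./tests/test.yml
+
+transport:
+  max_ssh_sessions: 6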
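--- /dev/null
+++ b/metricbeat/README.md
@@ -0,0 +1,11 @@
+# filebeat
+
+Install Metricbeat.
+
+## Tasks
+
+Everything is in the `tasks/main.yml` file.
+
+## Available variables
+
+* `elastic_stack_version`: version to install (default: `6.x`);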
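--- /dev/null
+++ b/metricbeat/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+elastic_stack_version: "6.x"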
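--- /dev/null
+++ b/metricbeat/files/elasticsearch.key
@@ -0,0 +1,31 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.14 (GNU/Linux)
+
+mQENBFI3HsoBCADXDtbNJnxbPqB1vDNtCsqhe49vFYsZN9IOZsZXgp7aHjh6CJBD
+A+bGFOwyhbd7at35jQjWAw1O3cfYsKAmFy+Ar3LHCMkV3oZspJACTIgCrwnkic/9
+CUliQe324qvObU2QRtP4Fl0zWcfb/S8UYzWXWIFuJqMvE9MaRY1bwUBvzoqavLGZ
+j3SF1SPO+TB5QrHkrQHBsmX+Jda6d4Ylt8/t6CvMwgQNlrlzIO9WT+YN6zS+sqHd
+1YK/aY5qhoLNhp9G/HxhcSVCkLq8SStj1ZZ1S9juBPoXV1ZWNbxFNGwOh/NYGldD
+2kmBf3YgCqeLzHahsAEpvAm8TBa7Q9W21C8vABEBAAG0RUVsYXN0aWNzZWFyY2gg
+KEVsYXN0aWNzZWFyY2ggU2lnbmluZyBLZXkpIDxkZXZfb3BzQGVsYXN0aWNzZWFy
+Y2gub3JnPokBOAQTAQIAIgUCUjceygIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgEC
+F4AACgkQ0n1mbNiOQrRzjAgAlTUQ1mgo3nK6BGXbj4XAJvuZDG0HILiUt+pPnz75
+nsf0NWhqR4yGFlmpuctgCmTD+HzYtV9fp9qW/bwVuJCNtKXk3sdzYABY+Yl0Cez/
+7C2GuGCOlbn0luCNT9BxJnh4mC9h/cKI3y5jvZ7wavwe41teqG14V+EoFSn3NPKm
+TxcDTFrV7SmVPxCBcQze00cJhprKxkuZMPPVqpBS+JfDQtzUQD/LSFfhHj9eD+Xe
+8d7sw+XvxB2aN4gnTlRzjL1nTRp0h2/IOGkqYfIG9rWmSLNlxhB2t+c0RsjdGM4/
+eRlPWylFbVMc5pmDpItrkWSnzBfkmXL3vO2X3WvwmSFiQbkBDQRSNx7KAQgA5JUl
+zcMW5/cuyZR8alSacKqhSbvoSqqbzHKcUQZmlzNMKGTABFG1yRx9r+wa/fvqP6OT
+RzRDvVS/cycws8YX7Ddum7x8uI95b9ye1/Xy5noPEm8cD+hplnpU+PBQZJ5XJ2I+
+1l9Nixx47wPGXeClLqcdn0ayd+v+Rwf3/XUJrvccG2YZUiQ4jWZkoxsA07xx7Bj+
+Lt8/FKG7sHRFvePFU0ZS6JFx9GJqjSBbHRRkam+4emW3uWgVfZxuwcUCn1ayNgRt
+KiFv9jQrg2TIWEvzYx9tywTCxc+FFMWAlbCzi+m4WD+QUWWfDQ009U/WM0ks0Kww
+EwSk/UDuToxGnKU2dQARAQABiQEfBBgBAgAJBQJSNx7KAhsMAAoJENJ9ZmzYjkK0
+c3MIAIE9hAR20mqJWLcsxLtrRs6uNF1VrpB+4n/55QU7oxA1iVBO6IFu4qgsF12J
+TavnJ5MLaETlggXY+zDef9syTPXoQctpzcaNVDmedwo1SiL03uMoblOvWpMR/Y0j
+6rm7IgrMWUDXDPvoPGjMl2q1iTeyHkMZEyUJ8SKsaHh4jV9wp9KmC8C+9CwMukL7
+vM5w8cgvJoAwsp3Fn59AxWthN3XJYcnMfStkIuWgR7U2r+a210W6vnUxU4oN0PmM
+cursYPyeV0NX/KQeUeNMwGTFB6QHS/anRaGQewijkrYYoTNtfllxIu9XYmiBERQ/
+qPDlGRlOgVTd9xUfHFkzB52c70E=
+=92oX
+-----END PGP PUBLIC KEY BLOCK-----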
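--- /dev/null
+++ b/metricbeat/meta/main.yml
@@ -0,0 +1,20 @@
+galaxy_info:
+  author: Evolix
+  description: Installation and basic configuration of Metricbeat.
+
+  issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
+
+  license: GPLv2
+
+  min_ansible_version: 2.2
+
+  platforms:
+  - name: Debian
+    versions:
+      - jessie
+      - stretch
+
+dependencies: []
+# List your role dependencies here, one per line.
+# Be sure to remove the '[]' above if you add dependencies
+# to this list.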
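--- /dev/null
+++ b/metricbeat/tasks/main.yml
@@ -0,0 +1,41 @@
+---
+
+- name: APT https transport is enabled
+  apt:
+    name: apt-transport-https
+    state: present
+  tags:
+    - metricbeat
+    - packages
+
+- name: Elastic GPG key is installed
+  apt_key:
+    # url: https://artifacts.elastic.co/GPG-KEY-elasticsearch
+    data: "{{ lookup('file', 'elasticsearch.key') }}"
+    state: present
+  tags:
+    - metricbeat
+    - packages
+
+- name: Elastic sources list is available
+  apt_repository:
+    repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
+    filename: elastic
+    state: present
+    update_cache: yes
+  tags:
+    - metricbeat
+    - packages
+
+- name: Metricbeat is installed
+  apt:
+    name: metricbeat
+    state: present
+  tags:
+    - metricbeat
+    - packages
+
+- name: Metricbeat service is enabled
+  systemd:
+    name: metricbeat
+    enabled: yes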
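Review bot: The `apt_key` task installs whatever key is in `files/elasticsearch.key` without checking which key it is; the module's `id:` parameter, e.g. `id: <EXPECTED_ELASTIC_KEY_ID>` placed next to `data:`, makes the task fail if the vendored file is ever replaced by a different key, which is the property that shipping the key in the repository (rather than the commented-out `url:` fetch) was presumably meant to provide. The role is a copy of the filebeat role, so a header comment such as `# Copied from the filebeat role: keep the repository/key tasks in sync with it` would help the next maintainer. The last task only sets `enabled: yes`; if not starting the service in the same run is intended (e.g. until a configuration step exists), a one-line comment should say so, otherwise `state: started` is missing.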
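--- /dev/null
+++ b/metricbeat/tests/test.yml
@@ -0,0 +1,4 @@
+---
+- hosts: test-kitchen
+  roles:
+    - role: metricbeat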
@ -1,5 +1,6 @@
|
|||
---
|
||||
minifirewall_tail_included: False
|
||||
minifirewall_tail_force: yes
|
||||
|
||||
minifirewall_git_url: "https://forge.evolix.org/minifirewall.git"
|
||||
minifirewall_checkout_path: "/tmp/minifirewall"
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
template:
|
||||
src: "{{ item }}"
|
||||
dest: /etc/default/minifirewall.tail
|
||||
force: yes
|
||||
force: "{{ minifirewall_tail_force | bool | ternary('yes', 'no') }}"
|
||||
with_first_found:
|
||||
- "templates/minifirewall-tail/minifirewall.{{ inventory_hostname }}.tail.j2"
|
||||
- "templates/minifirewall-tail/minifirewall.{{ host_group }}.tail.j2"
|
||||
|
|
|
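Review bot: With `minifirewall_tail_force` defaulting to `yes` in this commit, the `template` task now overwrites `/etc/default/minifirewall.tail` on every run, so firewall rules added by hand on the host are silently lost; `backup: yes` on the task keeps a timestamped copy of the previous file, and a `# minifirewall_tail_force: overwrite a locally modified tail file (default: yes)` comment in defaults/main.yml would make that trade-off visible to operators. The `| bool | ternary('yes', 'no')` chain can be reduced to `force: "{{ minifirewall_tail_force | bool }}"`, since the module parameter is itself a boolean. The task's `with_first_found` list continues outside the hunk.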
@ -16,12 +16,12 @@
|
|||
apt:
|
||||
name: mongodb-org
|
||||
allow_unauthenticated: yes
|
||||
state: installed
|
||||
state: present
|
||||
|
||||
- name: install dependency for monitoring
|
||||
apt:
|
||||
name: python-pymongo
|
||||
state: installed
|
||||
state: present
|
||||
|
||||
- name: Custom configuration
|
||||
template:
|
||||
|
|
|
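Review bot: The `state: present` change leaves `allow_unauthenticated: yes` in place on the `mongodb-org` install, so the package is accepted even when the repository signature cannot be verified; unless that is a deliberate workaround it should be removed, or guarded by a variable defaulting to `no`, with the repository key installed via `apt_key` beforehand. The task that configures the repository, if any, is outside this hunk, so I cannot see whether a key is installed there. If the exception is intentional, a comment such as `# allow_unauthenticated: intentional, see <REASON_OR_TICKET>` next to it would document why.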
@ -3,7 +3,7 @@
|
|||
- name: Install packages
|
||||
apt:
|
||||
name: "{{ item }}"
|
||||
state: installed
|
||||
state: present
|
||||
with_items:
|
||||
- mongodb
|
||||
- mongo-tools
|
||||
|
@ -11,7 +11,7 @@
|
|||
- name: install dependency for monitoring
|
||||
apt:
|
||||
name: python-pymongo
|
||||
state: installed
|
||||
state: present
|
||||
|
||||
- name: Custom configuration
|
||||
template:
|
||||
|
|
|
@ -22,7 +22,7 @@
|
|||
notify: restart munin-node
|
||||
|
||||
- name: Rename the localdomain data dir
|
||||
command: mv /var/lib/munin/localdomain /var/lib/munin/{{ ansible_domain }}
|
||||
shell: "mv /var/lib/munin/localdomain /var/lib/munin/{{ ansible_domain }} && rename \"s/localhost.localdomain/{{ ansible_fqdn }}/\" /var/lib/munin/{{ ansible_domain }}/*"
|
||||
args:
|
||||
creates: /var/lib/munin/{{ ansible_domain }}
|
||||
removes: /var/lib/munin/localdomain
|
||||
|
|
|
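Review bot: The new `shell:` command interpolates `ansible_domain` and `ansible_fqdn` unquoted into a command line and into a Perl `s///` expression; a domain containing whitespace or shell metacharacters breaks the `mv`, and a `/` or `$` in the fqdn changes the meaning of the substitution. The `mv` arguments can be written as `mv /var/lib/munin/localdomain {{ ('/var/lib/munin/' ~ ansible_domain) | quote }}`, and the assumptions behind `rename` deserve a comment on the task, e.g. `# assumes Debian's Perl rename (regex syntax) and an fqdn without '/' or '$'`, since the util-linux `rename` has different semantics. When `ansible_domain` is empty the `creates:` path becomes `/var/lib/munin/`, which always exists, so the task is skipped silently; a `when: ansible_domain != ""` would make that explicit.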
@ -5,6 +5,8 @@ log2mail_alert_email: Null
|
|||
general_scripts_dir: "/usr/share/scripts"
|
||||
mysql_scripts_dir: Null
|
||||
|
||||
mysql_install_libclient: False
|
||||
|
||||
mysql_replace_root_with_mysqladmin: True
|
||||
|
||||
mysql_custom_datadir: ''
|
||||
|
|
|
@ -1,9 +1,12 @@
|
|||
---
|
||||
|
||||
- set_fact:
|
||||
mysql_config_directory: "/etc/mysql/mysql.conf.d"
|
||||
|
||||
- name: "Copy MySQL defaults config file"
|
||||
copy:
|
||||
src: evolinux-defaults.cnf
|
||||
dest: "/etc/mysql/mysql.conf.d/z-evolinux-defaults.cnf"
|
||||
dest: "{{ mysql_config_directory }}/z-evolinux-defaults.cnf"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
|
@ -14,7 +17,7 @@
|
|||
- name: "Copy MySQL custom config file"
|
||||
template:
|
||||
src: evolinux-custom.cnf.j2
|
||||
dest: "/etc/mysql/mysql.conf.d/zzz-evolinux-custom.cnf"
|
||||
dest: "{{ mysql_config_directory }}/zzz-evolinux-custom.cnf"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
|
|
|
@ -11,7 +11,7 @@
|
|||
- name: MySQL APT config package is installed
|
||||
apt:
|
||||
deb: /root/mysql-apt-config_0.8.9-1_all.deb
|
||||
state: installed
|
||||
state: present
|
||||
register: mysql_apt_config_deb
|
||||
|
||||
- name: Open firewall for MySQL.com repository
|
||||
|
@ -36,10 +36,21 @@
|
|||
with_items:
|
||||
- mysql-server
|
||||
- mysql-client
|
||||
tags:
|
||||
- mysql
|
||||
- packages
|
||||
|
||||
- name: Install MySQL dev packages
|
||||
apt:
|
||||
name: '{{ item }}'
|
||||
update_cache: yes
|
||||
state: present
|
||||
with_items:
|
||||
- libmysqlclient20
|
||||
tags:
|
||||
- mysql
|
||||
- packages
|
||||
when: mysql_install_libclient
|
||||
|
||||
- include_role:
|
||||
name: remount-usr
|
||||
|
|
|
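Review bot: The new "Install MySQL dev packages" task installs `libmysqlclient20`, which is the runtime client library rather than a development package; the sibling variants in this commit install `libmysqlclient-dev` and `default-libmysqlclient-dev`, and the README entry for `mysql_install_libclient` promises "client development libraries". For the Oracle repository the matching package is most likely `libmysqlclient-dev` as well (verify against the repository), or else the task name and README should say "client library". The `deb: /root/mysql-apt-config_0.8.9-1_all.deb` install in the first hunk predates this commit, but if that file is fetched with `get_url` elsewhere in the role, a `checksum:` there would pin what gets installed as root.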
@ -13,7 +13,7 @@
|
|||
|
||||
- name: Configure tmpdir
|
||||
ini_file:
|
||||
dest: "/etc/mysql/conf.d/zzz-evolinux-custom.cnf"
|
||||
dest: "{{ mysql_config_directory }}/zzz-evolinux-custom.cnf"
|
||||
section: mysqld
|
||||
option: tmpdir
|
||||
value: "{{ mysql_custom_tmpdir }}"
|
||||
|
|
|
@ -37,7 +37,7 @@
|
|||
create: yes
|
||||
with_items:
|
||||
- { option: 'user', value: 'mysqladmin' }
|
||||
- { option: password, value: '{{ mysql_admin_password.stdout }}' }
|
||||
- { option: 'password', value: '{{ mysql_admin_password.stdout }}' }
|
||||
when: create_mysqladmin_user | changed
|
||||
tags:
|
||||
- mysql
|
||||
|
@ -73,7 +73,7 @@
|
|||
with_nested:
|
||||
- [ "client", "mysql_upgrade" ]
|
||||
- [ { option: 'user', value: 'debian-sys-maint' },
|
||||
{ option: password, value: '{{ mysql_debian_password.stdout }}' }
|
||||
{ option: 'password', value: '{{ mysql_debian_password.stdout }}' }
|
||||
]
|
||||
when: create_debian_user | changed
|
||||
tags:
|
||||
|
|
|
@ -22,12 +22,21 @@ Tasks are extracted in several files, included in `tasks/main.yml` :
|
|||
* `mysql_replace_root_with_mysqladmin`: switch from `root` to `mysqladmin` user or not ;
|
||||
* `mysql_thread_cache_size`: number of threads for the cache ;
|
||||
* `mysql_innodb_buffer_pool_size`: amount of RAM dedicated to InnoDB ;
|
||||
* `mysql_custom_datadir`: custom datadir
|
||||
* `mysql_bind_address` : (default: `Null`, default evolinux config is then used) ;
|
||||
* `mysql_max_connections`: maximum number of simultaneous connections (default: `Null`, default evolinux config is then used) ;
|
||||
* `mysql_max_connect_errors`: number of permitted successive interrupted connection requests before a host gets blocked (default: `Null`, default evolinux config is then used) ;
|
||||
* `mysql_table_cache`: (default: `Null`, default evolinux config is then used) ;
|
||||
* `mysql_tmp_table_size`: (default: `Null`, default evolinux config is then used) ;
|
||||
* `mysql_max_heap_table_size`: (default: `Null`, default evolinux config is then used) ;
|
||||
* `mysql_query_cache_limit`: (default: `Null`, default evolinux config is then used) ;
|
||||
* `mysql_query_cache_size`: (default: `Null`, default evolinux config is then used) ;
|
||||
* `mysql_custom_datadir`: custom datadir.
|
||||
* `mysql_custom_tmpdir`: custom tmpdir.
|
||||
* `general_alert_email`: email address to send various alert messages (default: `root@localhost`).
|
||||
* `log2mail_alert_email`: email address to send Log2mail messages to (default: `general_alert_email`).
|
||||
* `general_scripts_dir`: general directory for scripts installation (default: `/usr/local/bin`).
|
||||
* `mysql_scripts_dir`: email address to send Log2mail messages to (default: `general_scripts_dir`).
|
||||
* `mysql_force_new_nrpe_password` : change the password for NRPE even if it exists already (default: `False`).
|
||||
* `mysql_install_libclient`: install mysql client libraries (default: `False`).
|
||||
|
||||
NB : changing the _datadir_ location can be done multiple times, as long as it is not restored to the default initial location, (because a symlink is created and can't be switched back, yet).
|
||||
|
|
|
@ -7,6 +7,8 @@ mysql_scripts_dir: Null
|
|||
|
||||
mysql_variant: oracle
|
||||
|
||||
mysql_install_libclient: False
|
||||
|
||||
mysql_replace_root_with_mysqladmin: True
|
||||
|
||||
mysql_custom_datadir: ''
|
||||
|
@ -15,6 +17,19 @@ mysql_custom_tmpdir: ''
|
|||
mysql_thread_cache_size: '{{ ansible_processor_cores }}'
|
||||
mysql_innodb_buffer_pool_size: '{{ (ansible_memtotal_mb * 0.3) | int }}M'
|
||||
|
||||
# If these variables are changed to non-Null values,
|
||||
# they will be added in the zzz-evolinux-custom.cnf file.
|
||||
# Otherwise, the value from de the z-evolinux-defaults.cnf file will preveil.
|
||||
mysql_bind_address: Null
|
||||
mysql_max_connections: Null
|
||||
mysql_max_connect_errors: Null
|
||||
mysql_table_cache: Null
|
||||
mysql_tmp_table_size: Null
|
||||
mysql_max_heap_table_size: Null
|
||||
mysql_query_cache_limit: Null
|
||||
mysql_query_cache_size: Null
|
||||
|
||||
|
||||
mysql_cron_optimize: True
|
||||
mysql_cron_optimize_frequency: weekly
|
||||
|
||||
|
|
|
@ -26,6 +26,18 @@
|
|||
- mysql
|
||||
- packages
|
||||
|
||||
- name: Install MySQL dev packages
|
||||
apt:
|
||||
name: '{{ item }}'
|
||||
update_cache: yes
|
||||
state: present
|
||||
with_items:
|
||||
- libmysqlclient-dev
|
||||
tags:
|
||||
- mysql
|
||||
- packages
|
||||
when: mysql_install_libclient
|
||||
|
||||
- name: MySQL is started
|
||||
service:
|
||||
name: mysql
|
||||
|
|
|
@ -12,6 +12,18 @@
|
|||
- mysql
|
||||
- packages
|
||||
|
||||
- name: Install MySQL dev packages
|
||||
apt:
|
||||
name: '{{ item }}'
|
||||
update_cache: yes
|
||||
state: present
|
||||
with_items:
|
||||
- default-libmysqlclient-dev
|
||||
tags:
|
||||
- mysql
|
||||
- packages
|
||||
when: mysql_install_libclient
|
||||
|
||||
- name: MySQL is started
|
||||
service:
|
||||
name: mysql
|
||||
|
|
|
@ -76,7 +76,7 @@
|
|||
with_nested:
|
||||
- [ "client", "mysql_upgrade" ]
|
||||
- [ { option: 'user', value: 'debian-sys-maint' },
|
||||
{ option: password, value: '{{ mysql_debian_password.stdout }}' }
|
||||
{ option: 'password', value: '{{ mysql_debian_password.stdout }}' }
|
||||
]
|
||||
when: create_debian_user.changed
|
||||
tags:
|
||||
|
|
|
@ -1,4 +1,31 @@
|
|||
[mysqld]
|
||||
#bind-address = 0.0.0.0
|
||||
{% if mysql_bind_address %}
|
||||
bind-address = {{ mysql_bind_address }}
|
||||
{% endif %}
|
||||
{% if mysql_thread_cache_size %}
|
||||
thread_cache_size = {{ mysql_thread_cache_size }}
|
||||
{% endif %}
|
||||
{% if mysql_innodb_buffer_pool_size %}
|
||||
innodb_buffer_pool_size = {{ mysql_innodb_buffer_pool_size }}
|
||||
{% endif %}
|
||||
{% if mysql_max_connections %}
|
||||
max_connections = {{ mysql_max_connections }}
|
||||
{% endif %}
|
||||
{% if mysql_max_connect_errors %}
|
||||
max_connect_errors = {{ mysql_max_connect_errors }}
|
||||
{% endif %}
|
||||
{% if mysql_table_cache %}
|
||||
table_cache = {{ mysql_table_cache }}
|
||||
{% endif %}
|
||||
{% if mysql_tmp_table_size %}
|
||||
tmp_table_size = {{ mysql_tmp_table_size }}
|
||||
{% endif %}
|
||||
{% if mysql_max_heap_table_size %}
|
||||
max_heap_table_size = {{ mysql_max_heap_table_size }}
|
||||
{% endif %}
|
||||
{% if mysql_query_cache_limit %}
|
||||
query_cache_limit = {{ mysql_query_cache_limit }}
|
||||
{% endif %}
|
||||
{% if mysql_query_cache_limit %}
|
||||
query_cache_size = {{ mysql_query_cache_size }}
|
||||
{% endif %}
|
||||
|
|
|
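Review bot: The guard for `query_cache_size` tests the wrong variable: `{% if mysql_query_cache_limit %}` wraps `query_cache_size = {{ mysql_query_cache_size }}`, so setting only `mysql_query_cache_size` emits nothing, and setting only `mysql_query_cache_limit` writes `query_cache_size = None`, a value mysqld is unlikely to accept at startup. It should read `{% if mysql_query_cache_size %}`. Since every block follows the same `{% if var %}` / `{% endif %}` shape, a short comment at the top of the template, `# A setting is only written when its mysql_* variable is non-Null; otherwise z-evolinux-defaults.cnf applies`, would document the contract that defaults/main.yml describes in prose.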
@ -16,7 +16,7 @@ check_state() {
|
|||
cat $result >> ${result}.err
|
||||
:> $result
|
||||
fi
|
||||
if [[ $1 -eq 2 ]]; then
|
||||
if [[ $1 -ge 2 ]]; then
|
||||
critical=true
|
||||
cat $result >> ${result}.err
|
||||
:> $result
|
||||
|
|
|
@ -9,7 +9,7 @@ allowed_hosts={{ nagios_nrpe_allowed_hosts | join(',') }}
|
|||
# System checks
|
||||
command[check_load]=/usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
|
||||
command[check_swap]=/usr/lib/nagios/plugins/check_swap -a -w 30% -c 20%
|
||||
command[check_disk1]=/usr/lib/nagios/plugins/check_disk -x /lib/init/rw -x /dev -x /dev/shm -w 10% -c 3% -W 10% -K 3% -C -w 5% -c 2% -W 5% -K 2% -p /home
|
||||
command[check_disk1]=/usr/lib/nagios/plugins/check_disk -x /lib/init/rw -x /dev -x /dev/shm -x /sys/kernel/debug/tracing -w 10% -c 3% -W 10% -K 3% -C -w 5% -c 2% -W 5% -K 2% -p /home
|
||||
command[check_zombie_procs]=sudo /usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z
|
||||
command[check_total_procs]=sudo /usr/lib/nagios/plugins/check_procs -w 400 -c 600
|
||||
command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
|
||||
|
@ -51,7 +51,8 @@ command[check_ssl]=/usr/lib/nagios/plugins/check_http -f follow -I 127.0.0.1 -S
|
|||
command[check_elasticsearch]=/usr/lib/nagios/plugins/check_http -I 127.0.0.1 -u /_cat/health?h=st -p 9200 -r 'red' --invert-regex
|
||||
command[check_memcached]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 11211
|
||||
command[check_opendkim]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 54321
|
||||
command[check_bkctld]=/usr/lib/nagios/plugins/check_bkctld
|
||||
command[check_bkctld]=sudo /usr/sbin/bkctld check
|
||||
command[check_postgrey]=/usr/lib/nagios/plugins/check_tcp -p10023
|
||||
|
||||
# Local checks (not packaged)
|
||||
command[check_mem]={{ nagios_plugins_directory }}/check_mem -f -C -w 20 -c 10
|
||||
|
|
|
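Review bot: `command[check_postgrey]=/usr/lib/nagios/plugins/check_tcp -p10023` gives no host; `check_tcp` requires `-H`, so as written the check most likely returns a usage error instead of probing postgrey, and the `check_memcached` line above shows the working form, `check_tcp -H 127.0.0.1 -p 10023`. The new `command[check_bkctld]=sudo /usr/sbin/bkctld check` puts a root-privileged command behind NRPE: the sudoers rule (the CHANGELOG attributes it to the evolinux-users role) should allow the nagios user exactly `/usr/sbin/bkctld check` with `NOPASSWD` and nothing broader, and a comment `# requires the sudoers entry installed by the evolinux-users role` next to the line would tie the two together.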
@ -39,4 +39,4 @@
|
|||
- name: Install package for PHP
|
||||
apt:
|
||||
name: newrelic-php5
|
||||
state: installed
|
||||
state: present
|
||||
|
|