Merge branch 'unstable' into stable

This commit is contained in:
Jérémy Lecour 2018-08-24 18:29:03 +02:00 committed by Jérémy Lecour
commit e2d51e0e25
135 changed files with 1518 additions and 582 deletions


@ -18,6 +18,54 @@ The **patch** part changes incrementally at each release.
### Security
## [9.3.0] - 2018-08-24
### Added
* elasticsearch: tmpdir configuration compatible with 5.x also
* elasticsearch: add http.publish_host variable
* evoacme: disable old certbot cron also in cron.daily
* evocheck: detect installed packages even if "held" by APT (manual fix)
* evocheck: the crontab is updated by the role (default: `True`)
* evolinux-base: add mail related aliases
* evolinux-todo: new role, to help maintain a file of todo tasks
* fail2ban: add a variable to disable the ssh filter (default: `False`)
* etc-git: install a script to optimize the repository each month
* fail2ban: add a variable to update the list of ignored IP addresses/blocs (default: `False`)
* generate-ldif: detect installed packages even if "held" by APT
* java: support for Oracle JRE
* kibana: log messages go to /var/log/kibana/kibana.log
* metricbeat: add a role (copied from filebeat)
* munin: properly rename Munin cache directory
* mysql: add an option to install the client development libraries (default: `False`)
* nagios-nrpe: add check_postgrey
### Changed
* etc-git: some entries of .gitignore are mandatory
* evocheck: update upstream script
* evolinux-base: improve hostname configuration (real vs. internal)
* evolinux-base: use the "evolinux-todo" role
* evolinux-users: add sudo permission for bkctld check
* java8: renamed to java (java8 symlinked to java for backward compatibility)
* minifirewall: the tail file can be overwritten, or not (default: `True`)
* nagios-nrpe: use bkctld internal check instead of nrpe plugin
* php: reorganization of the role for Sury overrides and more clear configuration
* redmine: use .my.cnf for mysql password
* rbenv: change default Ruby version (2.5.1)
* rbenv: switch from copy to lineinfile for default gems
* remount-usr: mount doesn't report a change
* squid: add a few news sites to the whitelist
* tomcat: better nrpe check output
* kvm-host: install kvm-tools package instead of copying add-vm.sh
### Fixed
* apache: logrotate replacement is more subtle/precise. It replaces only the proper directive and not every occurence of the word.
* bind: chroot-bind.sh must not be executed in check mode
* evoacme: fix module detection in apache config
* fail2ban: fix fail2ban_ignore_ips definition
* mysql-oracle: fix configuration directory variable
* php: fpm slowlog needs an absolute path
* roundcube: add missing slash to https redirection
## [9.2.0] - 2018-05-16
### Changed


@ -12,7 +12,7 @@
- name: configure Amavis
template:
src: amavis.conf.j2
dest: /etc/amavis/conf.d/49-evolinux-defaults.conf
dest: /etc/amavis/conf.d/49-evolinux-defaults
mode: "0644"
notify: restart amavis
tags:
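Review bot: Whichever of the two `dest` paths is the new one, nothing in this task removes the other, so hosts provisioned before this change keep a second copy of the same settings in `/etc/amavis/conf.d/`. If amavis loads every file in that directory (I cannot confirm the Debian loader's filename rules from here) both copies are read and the retired file wins or loses purely by sort order. Add a `file:` task with `state: absent` for the previous path next to this template, also notifying `restart amavis`. The task's `tags:` list continues outside the hunk.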


@ -174,8 +174,8 @@
- name: "logrotate: keep 52 files"
replace:
dest: /etc/logrotate.d/apache2
regexp: "rotate .+"
replace: "rotate 52"
regexp: '^(\s+rotate) \d+$'
replace: '\1 52'
tags:
- apache
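Review bot: The new regexp `'^(\s+rotate) \d+$'` only matches a line with exactly one space before the count and nothing after it, so `rotate 4  # weekly`, a tab-separated value, or an unindented `rotate` is left untouched and `replace` reports ok without the retention ever being set. Since the point of the change is to hit only the real directive, loosen the whitespace while keeping the anchor: `regexp: '^(\s*rotate)\s+\d+\s*$'`. A no-match is silent with this module, so consider a follow-up check that the file actually contains `rotate 52`.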


@ -3,7 +3,7 @@
- name: "Install munin-node and core plugins packages"
apt:
name: "{{ item }}"
state: installed
state: present
with_items:
- munin-node
- munin-plugins-core
@ -28,7 +28,7 @@
- name: "Install fcgi packages for Munin graphs"
apt:
name: "{{ item }}"
state: installed
state: present
with_items:
- libapache2-mod-fcgid
- libcgi-fast-perl


@ -81,7 +81,6 @@
command: "/root/chroot-bind.sh"
register: chrootbind_run
changed_when: False
check_mode: no
when: bind_chroot_set
- debug:
@ -117,5 +116,3 @@
force: yes
notify: restart bind
when: bind_chroot_set
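Review bot: With `check_mode: no` gone the script is correctly skipped in check mode, but `changed_when: False` still hides whatever `/root/chroot-bind.sh` does to the host, and the `command` task reruns it on every play because there is no `creates:` guard. If the script is a one-shot chroot build, add `args: creates: <chroot directory>` (the path is not visible here) so it runs once and reports a change the first time; if it is meant to be re-run, drop `changed_when: False` and derive the status from `chrootbind_run`. The task begins outside the hunk.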


@ -15,9 +15,12 @@ Tasks are extracted in several files, included in `tasks/main.yml` :
## Available variables
* `elasticsearch_cluster_name`: cluster name ;
* `elasticsearch_cluster_members:` members of a cluster (ex: '["10.0.0.1", "10.0.0.2", "10.0.0.3"]') (default: `Null`) ;
* `elasticsearch_minimum_master_nodes:` minimum of master nodes (the best practice is to have "number of elasticsearch_cluster_members / 2 + 1" as value) (default: `Null`) ;
* `elasticsearch_node_name`: node name, defaults to hostname ;
* `elasticsearch_network_host`: which interfaces to bind to ;
* `elasticsearch_network_publish_host`: which interface to publish ;
* `elasticsearch_network_publish_host`: which interface to publish for node-to-node communication (default: `Null`) ;
* `elasticsearch_http_publish_host`: which interface to publish for clients (default: `Null`) ;
* `elasticsearch_custom_datadir`: custom datadir ;
* `elasticsearch_custom_tmpdir`: custom tmpdir ;
* `elasticsearch_jvm_xms`: mininum heap size reserved for the JVM (default: `2g`).


@ -2,9 +2,12 @@
elastic_stack_version: "6.x"
elasticsearch_cluster_name: Null
elasticsearch_cluster_members: Null
elasticsearch_minimum_master_nodes: Null
elasticsearch_node_name: "${HOSTNAME}"
elasticsearch_network_host: "[_site_, _local_]"
elasticsearch_network_publish_host: "_site_"
elasticsearch_network_publish_host: Null
elasticsearch_http_publish_host: Null
elasticsearch_custom_datadir: Null
elasticsearch_custom_tmpdir: Null
elasticsearch_default_tmpdir: /var/lib/elasticsearch/tmp
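Review bot: `elasticsearch_minimum_master_nodes` defaults to `Null` independently of `elasticsearch_cluster_members`, so a playbook that sets the member list but forgets the quorum gets a multi-node unicast list written with the quorum task skipped, i.e. the split-brain setup the README's "members / 2 + 1" advice is there to prevent. Add an `assert` task in the role that fails when `elasticsearch_cluster_members` is set and `elasticsearch_minimum_master_nodes` is still empty, with a message pointing at the formula. The remaining `Null` defaults are fine because the tasks guard them with `default("", True)`.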


@ -25,4 +25,4 @@ galaxy_info:
# alphanumeric characters. Maximum 20 tags per role.
dependencies:
- java8
- { role: java, alternative: 'openjdk', java_version: 8 }


@ -13,7 +13,7 @@
name: vm.max_map_count
value: 262144
sysctl_file: /etc/sysctl.d/elasticsearch.conf
when: "{{ max_map_count|int < 262144 }}"
when: max_map_count | int < 262144
tags:
- config


@ -39,6 +39,16 @@
tags:
- config
- name: Configure http publish_host
lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml
line: "http.publish_host: {{ elasticsearch_http_publish_host }}"
regexp: "^http.publish_host:"
insertafter: "^http.port:"
when: elasticsearch_http_publish_host|default("", True)
tags:
- config
- name: Configure RESTART_ON_UPGRADE
lineinfile:
dest: /etc/default/elasticsearch
@ -63,3 +73,25 @@
line: "-Xmx{{ elasticsearch_jvm_xmx }}"
tags:
- config
- name: Configure cluster members
lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml
line: "discovery.zen.ping.unicast.hosts: {{ elasticsearch_cluster_members }}"
regexp: "^discovery.zen.ping.unicast.hosts:"
insertafter: "^#discovery.zen.ping.unicast.hosts"
when: elasticsearch_cluster_members|default("", True)
tags:
- config
- name: Configure minimum master nodes
lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml
line: "discovery.zen.minimum_master_nodes: {{ elasticsearch_minimum_master_nodes }}"
regexp: "^discovery.zen.minimum_master_nodes:"
insertafter: "^#discovery.zen.minimum_master_nodes"
when: elasticsearch_minimum_master_nodes|default("", True)
tags:
- config
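Review bot: None of the three new `lineinfile` tasks notifies `restart elasticsearch`, although each rewrites a discovery or publish setting in `elasticsearch.yml` that is only read at startup; unless a later task in this file triggers the handler, a changed member list or quorum takes effect at the next unrelated restart. Add `notify: - restart elasticsearch` to each of them, as the tmpdir tasks of this role already do. The regexps also leave the dots unescaped (`"^http.publish_host:"`); harmless in practice, but `"^http\\.publish_host:"` states the intent.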


@ -18,7 +18,19 @@
tags:
- elasticsearch
- name: check if ES_TMPDIR is available
- name: change JVM tmpdir (< 6.x)
lineinfile:
dest: /etc/elasticsearch/jvm.options
line: "-Djava.io.tmpdir={{ elasticsearch_custom_tmpdir or elasticsearch_default_tmpdir | mandatory }}"
regexp: "^-Djava.io.tmpdir="
insertafter: "## JVM configuration"
notify:
- restart elasticsearch
tags:
- elasticsearch
when: elastic_stack_version | version_compare('6', '<')
- name: check if ES_TMPDIR is available (>= 6.x)
lineinfile:
dest: /etc/default/elasticsearch
line: "ES_TMPDIR={{ elasticsearch_custom_tmpdir or elasticsearch_default_tmpdir | mandatory }}"
@ -28,8 +40,9 @@
- restart elasticsearch
tags:
- elasticsearch
when: elastic_stack_version | version_compare('6', '>=')
- name: change JVM tmpdir
- name: change JVM tmpdir (>= 6.x)
lineinfile:
dest: /etc/elasticsearch/jvm.options
line: "-Djava.io.tmpdir=${ES_TMPDIR}"
@ -39,4 +52,5 @@
- restart elasticsearch
tags:
- elasticsearch
when: elastic_stack_version | version_compare('6', '>=')
when: (elasticsearch_custom_tmpdir != '' and elasticsearch_custom_tmpdir != None) or fstab_tmp_noexec | success
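Review bot: The "change JVM tmpdir (>= 6.x)" task now ends with two `when:` keys, the new version gate and the pre-existing noexec condition, if both lines sit at task level as the rendering suggests; YAML mappings cannot carry duplicate keys and Ansible's loader keeps only the last one with a warning, so the `>= 6.x` gate is dropped and `-Djava.io.tmpdir=${ES_TMPDIR}` is written on 5.x hosts right after the "< 6.x" task set a literal path. Merge them into one list, which Ansible ANDs: `when:` / `  - elastic_stack_version | version_compare('6', '>=')` / `  - (elasticsearch_custom_tmpdir != '' and elasticsearch_custom_tmpdir != None) or fstab_tmp_noexec | success`. Check the "check if ES_TMPDIR is available (>= 6.x)" task for the same pattern, since its body is cut by the hunk. The "< 6.x" task carries no custom-tmpdir/noexec condition at all, which looks inconsistent with the gating applied to the 6.x path.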


@ -1,5 +1 @@
aliases.db
*.swp
postfix/sa-blacklist.access
postfix/*.db
postfix/spamd.cidr
# Default /etc/.gitignore file


@ -0,0 +1,3 @@
#!/bin/sh
git --git-dir /etc/.git gc --quiet
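Review bot: The script runs monthly from cron as root and assumes `/etc/.git` exists; on a host where the repository was never initialised, or git was removed, it mails an error to root every month instead of doing nothing. Guard it before the gc: `[ -d /etc/.git ] || exit 0`.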


@ -26,7 +26,7 @@
tags:
- etc-git
- name: /etc/.git is secure
- name: /etc/.git is restricted to root
file:
path: /etc/.git
owner: root
@ -41,6 +41,20 @@
dest: /etc/.gitignore
owner: root
mode: "0600"
force: no
tags:
- etc-git
- name: Some entries MUST be in the /etc/.gitignore file
lineinfile:
dest: /etc/.gitignore
line: "{{ item }}"
with_items:
- "aliases.db"
- "*.swp"
- "postfix/sa-blacklist.access"
- "postfix/*.db"
- "postfix/spamd.cidr"
tags:
- etc-git
@ -65,3 +79,12 @@
when: git_log.rc != 0 or (git_init is defined and git_init.changed)
tags:
- etc-git
- name: Optimize script is installed in monthly crontab
copy:
src: optimize-etc-git
dest: /etc/cron.monthly/optimize-etc-git
mode: "0750"
force: no
tags:
- etc-git
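Review bot: The cron.monthly script is copied with `force: no` and without `owner`/`group`, whereas the `.gitignore` copy above pins `owner: root` and the evocheck crontab in this same commit sets `owner: root`/`group: root`. `force: no` on a role-managed executable means any later fix to the script never reaches already-provisioned hosts, and since cron runs it as root its ownership should be explicit rather than inherited from the connecting user. Drop `force: no` and add `owner: root` and `group: root` to the copy task.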


@ -80,13 +80,17 @@ openssl_selfsigned() {
local csr="$1"
local key="$2"
local crt="$3"
local cfg="$4"
local crt_dir=$(dirname ${crt})
[ -r "${csr}" ] || error "File ${csr} is not readable"
[ -r "${key}" ] || error "File ${key} is not readable"
[ -w "${crt_dir}" ] || error "Directory ${crt_dir} is not writable"
"${OPENSSL_BIN}" x509 -req -sha256 -days 365 -in "${csr}" -signkey "${key}" -out "${crt}" 2> /dev/null
if grep -q SAN "${cfg}"; then
"${OPENSSL_BIN}" x509 -req -sha256 -days 365 -in "${csr}" -extensions SAN -extfile "${cfg}" -signkey "${key}" -out "${crt}" 2> /dev/null
else
"${OPENSSL_BIN}" x509 -req -sha256 -days 365 -in "${csr}" -signkey "${key}" -out "${crt}" 2> /dev/null
fi
[ -r "${crt}" ] || error "Something went wrong, ${crt} has not been generated"
}
@ -149,6 +153,7 @@ EOF
done
san=$(echo "${san}" | sed 's/^,//')
cat "${SSL_CONFIG_FILE}" - > "${config_file}" <<EOF
CN=${domains%% *}
[SAN]
subjectAltName=${san}
EOF
@ -160,7 +165,7 @@ EOF
chmod 644 "${CSR_FILE}"
mkdir -p -m 0755 "${SELF_SIGNED_DIR}"
openssl_selfsigned "${CSR_FILE}" "${SSL_KEY_FILE}" "${SELF_SIGNED_FILE}"
openssl_selfsigned "${CSR_FILE}" "${SSL_KEY_FILE}" "${SELF_SIGNED_FILE}" "${config_file}"
[ -r "${SELF_SIGNED_FILE}" ] && chmod 644 "${SELF_SIGNED_FILE}"
debug "Self-signed certificate stored at ${SELF_SIGNED_FILE}"
@ -227,6 +232,7 @@ main() {
command -v apache2ctl >/dev/null && sed_selfsigned_cert_path_for_apache "/etc/apache2/ssl/${VHOST}.conf"
command -v nginx >/dev/null && sed_selfsigned_cert_path_for_nginx "/etc/nginx/ssl/${VHOST}.conf"
exit 0
}
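Review bot: `openssl_selfsigned` checks that the CSR and key are readable and the output directory writable but never checks the new fourth argument, and `grep -q SAN "${cfg}"` both reads that unchecked path and fires on any line containing the substring `SAN`, which then makes openssl look for a `[SAN]` section that may not exist and fail silently behind `2> /dev/null` until the final readability test. Add `[ -r "${cfg}" ] || error "File ${cfg} is not readable"` next to the other guards and tighten the test to `grep -q '^\[SAN\]' "${cfg}"`. The single caller below always appends a `[SAN]` section, so the else branch is effectively dead for this script; if the function is meant to be reusable, say so in a comment above it.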
readonly PROGNAME=$(basename "$0")


@ -34,6 +34,12 @@
removes: /etc/cron.d/certbot
creates: /etc/cron.d/certbot.disabled
- name: Disable /etc/cron.daily/certbot
command: mv /etc/cron.daily/certbot /etc/cron.daily/certbot.disabled
args:
removes: /etc/cron.daily/certbot
creates: /etc/cron.daily/certbot.disabled
- name: Install evoacme custom cron
copy:
src: evoacme.cron


@ -1,7 +1,7 @@
<IfModule jk>
<IfModule jk_module>
SetEnvIf Request_URI "/.well-known/acme-challenge/*" no-jk
</IfModule>
<IfModule proxy>
<IfModule proxy_module>
ProxyPass /.well-known/acme-challenge/ !
</IfModule>
Alias /.well-known/acme-challenge {{ evoacme_acme_dir }}/.well-known/acme-challenge
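Review bot: Now that `<IfModule jk_module>` actually matches, the `SetEnvIf Request_URI "/.well-known/acme-challenge/*" no-jk` rule becomes live, and its pattern is an unanchored regex with an unescaped dot and a `/*` that means "zero or more slashes", so any request whose path merely contains that substring (for example `/app/x/.well-known/acme-challenge`) is diverted away from the JK worker. Anchor and escape it: `SetEnvIf Request_URI "^/\.well-known/acme-challenge/" no-jk`. The `ProxyPass` exclusion is prefix-based and does not have this problem.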


@ -18,3 +18,4 @@ A separate `exec.yml` file can be imported manually in playbooks or roles to exe
We can force install via :
* `evocheck_force_install: local` : will copy the script provided by the role
* `evocheck_force_install: package` : will install the package via repositories
* `evocheck_update_crontab` : will update the crontab (default: `True`)


@ -1,3 +1,4 @@
---
evocheck_force_install: False
evocheck_update_crontab: True
evocheck_bin_dir: /usr/share/scripts


@ -5,7 +5,7 @@
# powered by Evolix
# Repository: https://gitlab.evolix.org/evolix/evocheck
# Commit: c99324488553a745a201022d44f8f78f224631eb
# Commit: d5a02b343f2e8e9a0b6fcd10b6b5a5d1e8c9af03
# Disable LANG*
export LANG=C
@ -100,6 +100,11 @@ IS_REDIS_BACKUP=1
IS_ELASTIC_BACKUP=1
IS_MONGO_BACKUP=1
IS_MOUNT_FSTAB=1
IS_NETWORK_INTERFACES=1
IS_EVOBACKUP=1
IS_DUPLICATE_FS_LABEL=1
IS_EVOMAINTENANCE_FW=1
IS_EVOLIX_USER=1
#Proper to OpenBSD
IS_SOFTDEP=1
@ -124,6 +129,7 @@ test -f /etc/evocheck.cf && . /etc/evocheck.cf
# If --cron is passed, ignore some checks.
if [ "$1" = "--cron" ]; then
IS_KERNELUPTODATE=0
IS_UPTIME=0
fi
# Functions
@ -137,7 +143,7 @@ is_pack_samba(){
is_installed(){
for pkg in $*; do
dpkg -l $pkg 2>/dev/null |grep -q ^ii || return 1
dpkg -l $pkg 2>/dev/null |grep -q -E '^(i|h)i' || return 1
done
}
@ -145,6 +151,11 @@ is_debianversion(){
[ $(lsb_release -c -s) = $1 ] && return 0
}
is_debianversion squeeze && MINIFW_FILE=/etc/firewall.rc
is_debianversion wheezy && MINIFW_FILE=/etc/firewall.rc
is_debianversion jessie && MINIFW_FILE=/etc/default/minifirewall
is_debianversion stretch && MINIFW_FILE=/etc/default/minifirewall
#-----------------------------------------------------------
#Vérifie si c'est une debian et fait les tests appropriés.
#-----------------------------------------------------------
@ -153,7 +164,7 @@ if [ -e /etc/debian_version ]; then
if [ "$IS_DPKGWARNING" = 1 ]; then
is_debianversion squeeze && ( [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ] ) && ( \
egrep -i "(Pre-Invoke ..echo Are you sure to have rw on|Post-Invoke ..echo Dont forget to mount -o remount)" \
grep -E -i "(Pre-Invoke ..echo Are you sure to have rw on|Post-Invoke ..echo Dont forget to mount -o remount)" \
/etc/apt/apt.conf | wc -l | grep -q ^2$ || echo 'IS_DPKGWARNING FAILED!' )
is_debianversion wheezy && ( ( [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ] ) && \
( test -e /etc/apt/apt.conf.d/80evolinux || echo 'IS_DPKGWARNING FAILED!' )
@ -180,29 +191,29 @@ if [ -e /etc/debian_version ]; then
fi
if [ "$IS_CUSTOMSUDOERS" = 1 ]; then
egrep -qr "umask=0077" /etc/sudoers* || echo 'IS_CUSTOMSUDOERS FAILED!'
grep -E -qr "umask=0077" /etc/sudoers* || echo 'IS_CUSTOMSUDOERS FAILED!'
fi
if [ "$IS_VARTMPFS" = 1 ]; then
df /var/tmp | grep -q tmpfs || echo 'IS_VARTMPFS FAILED!'
fi
if [ "$IS_SERVEURBASE" = 1 ]; then
is_installed serveur-base || echo 'IS_SERVEURBASE FAILED!'
fi
if [ "$IS_LOGROTATECONF" = 1 ]; then
test -e /etc/logrotate.d/zsyslog || echo 'IS_LOGROTATECONF FAILED!'
fi
if [ "$IS_SYSLOGCONF" = 1 ]; then
grep -q "^# Syslog for Pack Evolix serveur" /etc/*syslog.conf || echo 'IS_SYSLOGCONF FAILED!'
fi
if [ "$IS_DEBIANSECURITY" = 1 ]; then
grep -q "^deb.*security" /etc/apt/sources.list || echo 'IS_DEBIANSECURITY FAILED!'
fi
if [ "$IS_APTITUDEONLY" = 1 ]; then
is_debianversion squeeze && test -e /usr/bin/apt-get && echo 'IS_APTITUDEONLY FAILED!'
is_debianversion wheezy && test -e /usr/bin/apt-get && echo 'IS_APTITUDEONLY FAILED!'
@ -225,15 +236,15 @@ if [ -e /etc/debian_version ]; then
test "$status" = "fail" || test -e /usr/bin/apt-get.bak || status="fail"
( is_debianversion squeeze || is_debianversion wheezy ) && test "$status" = "fail" && echo 'IS_APTICRON FAILED!'
fi
if [ "$IS_USRRO" = 1 ]; then
grep /usr /etc/fstab | grep -q ro || echo 'IS_USRRO FAILED!'
fi
if [ "$IS_TMPNOEXEC" = 1 ]; then
mount | grep "on /tmp" | grep -q noexec || echo 'IS_TMPNOEXEC FAILED!'
fi
if [ "$IS_MOUNT_FSTAB" = 1 ]; then
# Test if lsblk available, if not skip this test...
if test -x "$(command -v lsblk)"; then
@ -247,30 +258,30 @@ if [ -e /etc/debian_version ]; then
if is_debianversion stretch; then
is_installed apt-listchanges && echo 'IS_LISTCHANGESCONF FAILED!'
else
test -e /etc/apt/listchanges.conf && egrep "(which=both|confirm=1)" /etc/apt/listchanges.conf | wc -l | grep -q ^2$ || echo 'IS_LISTCHANGESCONF FAILED!'
test -e /etc/apt/listchanges.conf && grep -E "(which=both|confirm=1)" /etc/apt/listchanges.conf | wc -l | grep -q ^2$ || echo 'IS_LISTCHANGESCONF FAILED!'
fi
fi
if [ "$IS_CUSTOMCRONTAB" = 1 ]; then
egrep "^(17 \*|25 6|47 6|52 6)" /etc/crontab | wc -l | grep -q ^4$ && echo 'IS_CUSTOMCRONTAB FAILED!'
grep -E "^(17 \*|25 6|47 6|52 6)" /etc/crontab | wc -l | grep -q ^4$ && echo 'IS_CUSTOMCRONTAB FAILED!'
fi
if [ "$IS_SSHALLOWUSERS" = 1 ]; then
egrep -qi "AllowUsers" /etc/ssh/sshd_config || echo 'IS_SSHALLOWUSERS FAILED!'
grep -E -qi "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config || echo 'IS_SSHALLOWUSERS FAILED!'
fi
if [ "$IS_DISKPERF" = 1 ]; then
test -e /root/disk-perf.txt || echo 'IS_DISKPERF FAILED!'
fi
if [ "$IS_TMOUTPROFILE" = 1 ]; then
grep -q TMOUT= /etc/profile /etc/profile.d/evolinux.sh || echo 'IS_TMOUTPROFILE FAILED!'
fi
if [ "$IS_ALERT5BOOT" = 1 ]; then
grep -q ^date /etc/rc2.d/S*alert5 || echo 'IS_ALERT5BOOT FAILED!'
fi
if [ "$IS_ALERT5MINIFW" = 1 ]; then
grep -q ^/etc/init.d/minifirewall /etc/rc2.d/S*alert5 || echo 'IS_ALERT5MINIFW FAILED!'
fi
@ -278,42 +289,39 @@ if [ -e /etc/debian_version ]; then
if [ "$IS_ALERT5MINIFW" = 1 ] && [ "$IS_MINIFW" = 1 ]; then
/sbin/iptables -L -n | grep -q -E "^ACCEPT\s*all\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" || echo 'IS_MINIFW FAILED!'
fi
if [ "$IS_NRPEPERMS" = 1 ]; then
test -d /etc/nagios && ls -ld /etc/nagios | grep -q drwxr-x--- || echo 'IS_NRPEPERMS FAILED!'
fi
if [ "$IS_MINIFWPERMS" = 1 ]; then
is_debianversion squeeze && ( ls -l /etc/firewall.rc | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!' )
is_debianversion wheezy && ( ls -l /etc/firewall.rc | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!' )
is_debianversion jessie && ( ls -l /etc/default/minifirewall | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!' )
is_debianversion stretch && ( ls -l /etc/default/minifirewall | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!' )
ls -l "$MINIFW_FILE" | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!'
fi
if [ "$IS_NRPEDISKS" = 1 ]; then
NRPEDISKS=$(grep command.check_disk /etc/nagios/nrpe.cfg | grep ^command.check_disk[0-9] | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1)
DFDISKS=$(df -Pl | egrep -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)" | wc -l)
DFDISKS=$(df -Pl | grep -E -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)" | wc -l)
[ "$NRPEDISKS" = "$DFDISKS" ] || echo 'IS_NRPEDISKS FAILED!'
fi
if [ "$IS_NRPEPID" = 1 ]; then
is_debianversion squeeze || (test -e /etc/nagios/nrpe.cfg && grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg || echo 'IS_NRPEPID FAILED!')
fi
if [ "$IS_GRSECPROCS" = 1 ]; then
uname -a | grep -q grsec && ( grep -q ^command.check_total_procs..sudo /etc/nagios/nrpe.cfg && grep -A1 "^\[processes\]" /etc/munin/plugin-conf.d/munin-node | grep -q "^user root" || echo 'IS_GRSECPROCS FAILED!' )
fi
if [ "$IS_APACHEMUNIN" = 1 ]; then
test -e /etc/apache2/apache2.conf && ( is_debianversion stretch || ( egrep -q "^env.url.*/server-status-[[:alnum:]]{4}" /etc/munin/plugin-conf.d/munin-node && egrep -q "/server-status-[[:alnum:]]{4}" /etc/apache2/apache2.conf || egrep -q "/server-status-[[:alnum:]]{4}" /etc/apache2/apache2.conf /etc/apache2/mods-enabled/status.conf 2>/dev/null || echo 'IS_APACHEMUNIN FAILED!' ) )
test -e /etc/apache2/apache2.conf && ( is_debianversion stretch || ( grep -E -q "^env.url.*/server-status-[[:alnum:]]{4}" /etc/munin/plugin-conf.d/munin-node && grep -E -q "/server-status-[[:alnum:]]{4}" /etc/apache2/apache2.conf || grep -E -q "/server-status-[[:alnum:]]{4}" /etc/apache2/apache2.conf /etc/apache2/mods-enabled/status.conf 2>/dev/null || echo 'IS_APACHEMUNIN FAILED!' ) )
test -e /etc/apache2/apache2.conf && ( is_debianversion stretch && ( test -h /etc/apache2/mods-enabled/status.load && test -h /etc/munin/plugins/apache_accesses && test -h /etc/munin/plugins/apache_processes && test -h /etc/munin/plugins/apache_accesses || echo 'IS_APACHEMUNIN FAILED!' ) )
fi
# Verification mytop + Munin si MySQL
if [ "$IS_MYSQLUTILS" = 1 ]; then
is_installed mysql-server && ( grep -q mysqladmin /root/.my.cnf && test -x /usr/bin/mytop && grep -q debian-sys-maint /root/.mytop || echo 'IS_MYSQLUTILS FAILED!' )
fi
# Verification de la configuration du raid soft (mdadm)
if [ "$IS_RAIDSOFT" = 1 ]; then
test -e /proc/mdstat && grep -q md /proc/mdstat && \
@ -321,12 +329,12 @@ if [ -e /etc/debian_version ]; then
&& grep -q "^START_DAEMON=true" /etc/default/mdadm \
&& grep -qv "^MAILADDR ___MAIL___" /etc/mdadm/mdadm.conf || echo 'IS_RAIDSOFT FAILED!')
fi
# Verification du LogFormat de AWStats
if [ "$IS_AWSTATSLOGFORMAT" = 1 ]; then
is_installed apache2.2-common && ( grep -qE '^LogFormat=1' /etc/awstats/awstats.conf.local || echo 'IS_AWSTATSLOGFORMAT FAILED!' )
fi
# Verification de la présence de la config logrotate pour Munin
if [ "$IS_MUNINLOGROTATE" = 1 ]; then
( test -e /etc/logrotate.d/munin-node && test -e /etc/logrotate.d/munin ) || echo 'IS_MUNINLOGROTATE FAILED!'
@ -336,21 +344,27 @@ if [ -e /etc/debian_version ]; then
#if [ "$IS_METCHE" = 1 ]; then
# is_installed metche || echo 'IS_METCHE FAILED!'
#fi
# Verification de l'activation de Squid dans le cas d'un pack mail
if [ "$IS_SQUID" = 1 ]; then
squidconffile=/etc/squid*/squid.conf
is_debianversion squeeze && f=/etc/firewall.rc
is_debianversion wheezy && f=/etc/firewall.rc
is_debianversion jessie && f=/etc/default/minifirewall
is_debianversion stretch && f=/etc/default/minifirewall && squidconffile=/etc/squid/evolinux-custom.conf
is_debianversion stretch && squidconffile=/etc/squid/evolinux-custom.conf
is_pack_web && ( is_installed squid || is_installed squid3 \
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" $f \
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d `hostname -i` -j ACCEPT" $f \
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" $f \
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* `grep http_port $squidconffile | cut -f 2 -d " "`" $f || echo 'IS_SQUID FAILED!' )
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" $MINIFW_FILE \
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d `hostname -i` -j ACCEPT" $MINIFW_FILE \
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" $MINIFW_FILE \
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* `grep http_port $squidconffile | cut -f 2 -d " "`" $MINIFW_FILE || echo 'IS_SQUID FAILED!' )
fi
if [ "$IS_EVOMAINTENANCE_FW" = 1 ]; then
if [ -f "$MINIFW_FILE" ]; then
rulesNumber=$(grep -c "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s .* -m state --state ESTABLISHED,RELATED -j ACCEPT" "$MINIFW_FILE")
if [ "$rulesNumber" -lt 4 ]; then
echo 'IS_EVOMAINTENANCE_FW FAILED!'
fi
fi
fi
# Verification de la conf et de l'activation de mod-deflate
if [ "$IS_MODDEFLATE" = 1 ]; then
f=/etc/apache2/mods-enabled/deflate.conf
@ -358,7 +372,7 @@ if [ -e /etc/debian_version ]; then
&& grep -q "AddOutputFilterByType DEFLATE text/css" $f \
&& grep -q "AddOutputFilterByType DEFLATE application/x-javascript application/javascript" $f || echo 'IS_MODDEFLATE FAILED!')
fi
# Verification de la conf log2mail
if [ "$IS_LOG2MAILRUNNING" = 1 ]; then
is_pack_web && (is_installed log2mail && pgrep log2mail >/dev/null || echo 'IS_LOG2MAILRUNNING')
@ -378,7 +392,7 @@ if [ -e /etc/debian_version ]; then
is_pack_web && ( is_installed log2mail && grep -q "^file = /var/log/squid.*/access.log" \
/etc/log2mail/config/* 2>/dev/null || echo 'IS_LOG2MAILSQUID FAILED!' )
fi
# Verification si bind est chroote
if [ "$IS_BINDCHROOT" = 1 ]; then
if is_installed bind9 && $(netstat -utpln |grep "/named" |grep :53 |grep -qvE "(127.0.0.1|::1)"); then
@ -391,23 +405,32 @@ if [ -e /etc/debian_version ]; then
fi
fi
fi
# Verification de la présence du depot volatile
if [ "$IS_REPVOLATILE" = 1 ]; then
test `cat /etc/debian_version |cut -d "." -f 1` -eq 5 && (grep -qE "^deb http://volatile.debian.org/debian-volatile" /etc/apt/sources.list || echo 'IS_REPVOLATILE FAILED!')
test `cat /etc/debian_version |cut -d "." -f 1` -eq 6 && (grep -qE "^deb.*squeeze-updates" /etc/apt/sources.list || echo 'IS_REPVOLATILE FAILED!')
fi
# /etc/network/interfaces should be present, we don't manage systemd-network yet
if [ "$IS_NETWORK_INTERFACES" = 1 ]; then
if ! test -f /etc/network/interfaces; then
echo "IS_NETWORK_INTERFACES FAILED!"
IS_AUTOIF=0
IS_INTERFACESGW=0
fi
fi
# Verify if all if are in auto
if [ "$IS_AUTOIF" = 1 ]; then
is_debianversion stretch || for interface in `/sbin/ifconfig -s |tail -n +2 |egrep -v "^(lo|vnet|docker|veth|tun|tap|macvtap)" |cut -d " " -f 1 |tr "\n" " "`; do
is_debianversion stretch || for interface in `/sbin/ifconfig -s |tail -n +2 |grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap)" |cut -d " " -f 1 |tr "\n" " "`; do
grep -q "^auto $interface" /etc/network/interfaces || (echo 'IS_AUTOIF FAILED!' && break)
done
is_debianversion stretch && for interface in `/sbin/ip address show up | grep ^[0-9]*: |egrep -v "(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 2 |tr -d : |cut -d@ -f1 |tr "\n" " "`; do
is_debianversion stretch && for interface in `/sbin/ip address show up | grep ^[0-9]*: |grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 2 |tr -d : |cut -d@ -f1 |tr "\n" " "`; do
grep -q "^auto $interface" /etc/network/interfaces || (echo 'IS_AUTOIF FAILED!' && break)
done
fi
# Network conf verification
if [ "$IS_INTERFACESGW" = 1 ]; then
number=$(grep -Ec "^[^#]*gateway [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" /etc/network/interfaces)
@ -418,15 +441,15 @@ if [ -e /etc/debian_version ]; then
# Verification de la mise en place d'evobackup
if [ "$IS_EVOBACKUP" = 1 ]; then
ls /etc/cron* |grep -q "zz.backup$" || echo 'IS_EVOBACKUP FAILED!'
ls /etc/cron* |grep -q "evobackup" || echo 'IS_EVOBACKUP FAILED!'
fi
# Verification de la presence du userlogrotate
if [ "$IS_USERLOGROTATE" = 1 ]; then
is_pack_web && (test -x /etc/cron.weekly/userlogrotate || echo 'IS_USERLOGROTATE FAILED!')
fi
# Verification de la syntaxe de la conf d'Apache
if [ "$IS_APACHECTL" = 1 ]; then
is_installed apache2.2-common && (/usr/sbin/apache2ctl configtest 2>&1 |grep -q "^Syntax OK$" || echo 'IS_APACHECTL FAILED!')
@ -454,22 +477,22 @@ if [ -e /etc/debian_version ]; then
fi
is_installed apache2.2-common && ([ -e $muninconf ] && grep -vEq "^( |\t)*#" $muninconf && echo 'IS_MUNINAPACHECONF FAILED!')
fi
# Verification de la priorité du package samba si les backports sont utilisés
if [ "$IS_SAMBAPINPRIORITY" = 1 ]; then
is_pack_samba && grep -qrE "^[^#].*backport" /etc/apt/sources.list{,.d} && ( priority=`grep -E -A2 "^Package:.*samba" /etc/apt/preferences |grep -A1 "^Pin: release a=lenny-backports" |grep "^Pin-Priority:" |cut -f2 -d" "` && test $priority -gt 500 || echo 'IS_SAMBAPINPRIORITY FAILED!' )
fi
# Verification si le système doit redémarrer suite màj kernel.
if [ "$IS_KERNELUPTODATE" = 1 ]; then
if is_installed linux-image* && [ $(date -d $(ls --full-time -lcrt /boot | tail -n1 | tr -s " " | cut -d " " -f 6) +%s) -gt $(($(date +%s) - $(cut -f1 -d '.' /proc/uptime))) ]; then
echo 'IS_KERNELUPTODATE FAILED!'
fi
fi
# Check if the server is running for more than a year.
if [ "$IS_UPTIME" = 1 ]; then
if is_installed linux-image* && [ $(date -d "now - 1 year" +%s) -gt $(($(date +%s) - $(cut -f1 -d '.' /proc/uptime))) ]; then
if is_installed linux-image* && [ $(date -d "now - 2 year" +%s) -gt $(($(date +%s) - $(cut -f1 -d '.' /proc/uptime))) ]; then
echo 'IS_UPTIME FAILED!'
fi
fi
@ -499,7 +522,14 @@ if [ -e /etc/debian_version ]; then
# Check if no package has been upgraded since $limit.
if [ "$IS_NOTUPGRADED" = 1 ]; then
last_upgrade=$(date +%s -d $(zgrep -h upgrade /var/log/dpkg.log* |sort -n |tail -1 |cut -f1 -d ' '))
limit=$(date +%s -d "now - 60 days")
if grep -q '^mailto="listupgrade-todo@' /etc/evolinux/listupgrade.cnf \
|| grep -q -E '^[[:digit:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[^\*]' /etc/cron.d/listupgrade; then
# Manual upgrade process
limit=$(date +%s -d "now - 180 days")
else
# Regular process
limit=$(date +%s -d "now - 90 days")
fi
if [ -f /var/log/evolinux/00_prepare_system.log ]; then
install_date=$(stat -c %Z /var/log/evolinux/00_prepare_system.log)
else
@ -556,7 +586,7 @@ if [ -e /etc/debian_version ]; then
if [ "$IS_BACKPORTSCONF" = 1 ]; then
if is_debianversion stretch; then
grep -q backports /etc/apt/sources.list && echo 'IS_BACKPORTSCONF FAILED!'
grep -q backports /etc/apt/sources.list.d/*.list && (grep -q backports /etc/apt/preferences.d/* || echo 'IS_BACKPORTSCONF FAILED!')
grep -q backports /etc/apt/sources.list.d/*.list 2>/dev/null && (grep -q backports /etc/apt/preferences.d/* || echo 'IS_BACKPORTSCONF FAILED!')
fi
fi
@ -668,8 +698,17 @@ if [ -e /etc/debian_version ]; then
if [ "$IS_MYSQLMUNIN" = 1 ]; then
if is_debianversion stretch && is_installed mariadb-server; then
for file in mysql_bytes mysql_queries mysql_slowqueries mysql_threads mysql_connections mysql_files_tables mysql_innodb_bpool mysql_innodb_bpool_act mysql_innodb_io mysql_innodb_log mysql_innodb_rows mysql_innodb_semaphores mysql_myisam_indexes mysql_qcache mysql_qcache_mem mysql_sorts mysql_tmp_tables; do
test -L /etc/munin/plugins/$file || echo 'IS_MYSQLMUNIN FAILED!'
for file in mysql_bytes mysql_queries mysql_slowqueries \
mysql_threads mysql_connections mysql_files_tables \
mysql_innodb_bpool mysql_innodb_bpool_act mysql_innodb_io \
mysql_innodb_log mysql_innodb_rows mysql_innodb_semaphores \
mysql_myisam_indexes mysql_qcache mysql_qcache_mem \
mysql_sorts mysql_tmp_tables; do
if [[ ! -L /etc/munin/plugins/$file ]]; then
echo 'IS_MYSQLMUNIN FAILED!'
break
fi
done
fi
fi
@ -707,6 +746,29 @@ if [ -e /etc/debian_version ]; then
&& test -f /etc/squid/evolinux-custom.conf) || echo 'IS_SQUIDEVOLINUXCONF FAILED!'
fi
fi
if [ "$IS_DUPLICATE_FS_LABEL" = 1 ]; then
# Do it only if thereis blkid binary
if [ -x "$(which blkid)" ]; then
tmpFile=$(mktemp -p /tmp)
for part in $(blkid | grep -v raid_member | grep -Eo ' LABEL=".*"' | cut -d'"' -f2); do
echo "$part" >> "$tmpFile"
done
tmpOutput=$(sort < "$tmpFile" | uniq -d)
# If there is no duplicate, uniq will have no output
# So, if $tmpOutput is not null, there is a duplicate
if [ -n "$tmpOutput" ]; then
echo 'IS_DUPLICATE_FS_LABEL FAILED!'
# For debug, you may echo the contents of $tmpOutput
# echo $tmpOutput
fi
rm $tmpFile
fi
fi
if [ "$IS_EVOLIX_USER" = 1 ]; then
getent passwd evolix >/dev/null && echo 'IS_EVOLIX_USER FAILED!'
fi
fi
@ -715,19 +777,19 @@ if [ `uname -s` == "OpenBSD" ]; then
if [ "$IS_SOFTDEP" = 1 ]; then
grep -q "softdep" /etc/fstab || echo 'IS_SOFTDEP FAILED!'
fi
if [ "$IS_WHEEL" = 1 ]; then
grep -qE "^%wheel.*$" /etc/sudoers || echo 'IS_WHEEL FAILED!'
fi
if [ "$IS_SUDOADMIN" = 1 ]; then
grep -qE "^User_Alias ADMIN=.*$" /etc/sudoers || echo 'IS_SUDOADMIN FAILED!'
fi
if [ "$IS_PKGMIRROR" = 1 ]; then
grep -qE "^export PKG_PATH=http://ftp\.fr\.openbsd\.org/pub/OpenBSD/[0-9.]+/packages/[a-z0-9]+/$" /root/.profile || echo 'IS_PKGMIRROR FAILED!'
fi
if [ "$IS_HISTORY" = 1 ]; then
f=/root/.profile
grep -q "^HISTFILE=\$HOME/.histfile" $f \
@ -736,68 +798,68 @@ if [ `uname -s` == "OpenBSD" ]; then
&& grep -q "^export HISTSIZE" $f \
|| echo 'IS_HISTORY FAILED!'
fi
if [ "$IS_VIM" = 1 ]; then
which vim 2>1 >> /dev/null || echo 'IS_VIM FAILED!'
fi
if [ "$IS_TTYC0SECURE" = 1 ]; then
grep -Eqv "^ttyC0.*secure$" /etc/ttys || echo 'IS_TTYC0SECURE FAILED!'
fi
if [ "$IS_CUSTOMSYSLOG" = 1 ]; then
grep -q Evolix /etc/newsyslog.conf || echo 'IS_CUSTOMSYSLOG FAILED!'
fi
if [ "$IS_NOINETD" = 1 ]; then
grep -q inetd=NO /etc/rc.conf.local 2>/dev/null || echo 'IS_NOINETD FAILED!'
fi
if [ "$IS_SUDOMAINT" = 1 ]; then
f=/etc/sudoers
grep -q "Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh" $f \
&& grep -q "ADMIN ALL=NOPASSWD: MAINT" $f \
|| echo 'IS_SUDOMAINT FAILED!'
fi
if [ "$IS_POSTGRESQL" = 1 ]; then
pkg info | grep -q postgresql-client || echo 'IS_POSTGRESQL FAILED!'
fi
if [ "$IS_NRPE" = 1 ]; then
( pkg info | grep -qE "nagios-plugins-[0-9.]" \
&& pkg info | grep -q nagios-plugins-ntp \
&& pkg info | grep -q nrpe ) || echo 'IS_NRPE FAILED!'
fi
# if [ "$IS_NRPEDISKS" = 1 ]; then
# NRPEDISKS=$(grep command.check_disk /etc/nrpe.cfg 2>/dev/null | grep ^command.check_disk[0-9] | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1)
# DFDISKS=$(df -Pl | egrep -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)" | wc -l)
# DFDISKS=$(df -Pl | grep -E -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)" | wc -l)
# [ "$NRPEDISKS" = "$DFDISKS" ] || echo 'IS_NRPEDISKS FAILED!'
# fi
# Verification du check_mailq dans nrpe.cfg (celui-ci doit avoir l'option "-M postfix" si le MTA est Postfix)
#
#
# if [ "$IS_NRPEPOSTFIX" = 1 ]; then
# pkg info | grep -q postfix && ( grep -q "^command.*check_mailq -M postfix" /etc/nrpe.cfg 2>/dev/null || echo 'IS_NRPEPOSTFIX FAILED!' )
# fi
if [ "$IS_NRPEDAEMON" = 1 ]; then
grep -q "echo -n ' nrpe'; /usr/local/sbin/nrpe -d" /etc/rc.local || echo 'IS_NREPEDAEMON FAILED!'
fi
if [ "$IS_ALERTBOOT" = 1 ]; then
grep -qE "^date \| mail -sboot/reboot .*evolix.fr$" /etc/rc.local || echo 'IS_ALERTBOOT FAILED!'
fi
if [ "$IS_RSYNC" = 1 ]; then
pkg info | grep -q rsync || echo 'IS_RSYNC FAILED!'
fi
if [ "$IS_CRONPATH" = 1 ]; then
grep -q "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" /var/cron/tabs/root || echo 'IS_CRONPATH FAILED!'
fi
#TODO
# - Check en profondeur de postfix
# - NRPEDISK et NRPEPOSTFIX
@ -816,8 +878,8 @@ if [ "$IS_USRSHARESCRIPTS" = 1 ]; then
fi
if [ "$IS_SSHPERMITROOTNO" = 1 ]; then
is_debianversion stretch || ( egrep -qi "PermitRoot.*no" /etc/ssh/sshd_config || echo 'IS_SSHPERMITROOTNO FAILED!' )
is_debianversion stretch && grep -q ^PermitRoot /etc/ssh/sshd_config && ( egrep -qi "PermitRoot.*no" /etc/ssh/sshd_config || echo 'IS_SSHPERMITROOTNO FAILED!' )
is_debianversion stretch || ( grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config || echo 'IS_SSHPERMITROOTNO FAILED!' )
is_debianversion stretch && grep -q ^PermitRoot /etc/ssh/sshd_config && ( grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config || echo 'IS_SSHPERMITROOTNO FAILED!' )
fi
if [ "$IS_EVOMAINTENANCEUSERS" = 1 ]; then
@ -831,7 +893,7 @@ if [ "$IS_EVOMAINTENANCEUSERS" = 1 ]; then
grep -q "^trap.*sudo.*evomaintenance.sh" /home/$i/.*profile || echo 'IS_EVOMAINTENANCEUSERS FAILED!'
done
else
for i in $(getent group evolinux-sudo | cut -d':' -f4 | tr ',' ' '); do
for i in $(getent group evolinux-sudo | cut -d':' -f4 | tr ',' ' '); do
grep -q "^trap.*sudo.*evomaintenance.sh" /home/$i/.*profile || echo 'IS_EVOMAINTENANCEUSERS FAILED!'
done
fi

10
evocheck/tasks/cron.yml Normal file
@ -0,0 +1,10 @@
---
- name: evocheck crontab is updated
template:
src: crontab.j2
dest: /etc/cron.d/evocheck
mode: "0644"
owner: root
group: root
force: yes
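Review bot: `force: yes` on the `template` task is the module's default and so only restates it; if the intent is to document that a locally edited /etc/cron.d/evocheck is deliberately overwritten on every run, a comment says that better than a redundant parameter, e.g. `# local edits to /etc/cron.d/evocheck are always overwritten`. The `evocheck_update_crontab` switch that guards this file in tasks/main.yml is not defined in any hunk shown here; presumably it lives in defaults/main.yml, which is worth double-checking since the changelog says it defaults to `True`.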

@ -2,4 +2,4 @@
- name: install evocheck from package
apt:
name: evocheck
state: installed
state: present

@ -5,3 +5,6 @@
- include: install_package.yml
when: evocheck_force_install == "package"
- include: cron.yml
when: evocheck_update_crontab

@ -0,0 +1,4 @@
# {{ ansible_managed }}
33 1 1 * * root /usr/share/scripts/evocheck.sh
33 1 2-31 * * root /usr/share/scripts/evocheck.sh --cron
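Review bot: The fragment sets neither `PATH` nor `MAILTO`, so both jobs run with cron's default `PATH` (`/usr/bin:/bin` on Debian) and report to the system default mailbox unless evocheck.sh sets its own; a `MAILTO=root` line after the `ansible_managed` comment makes the destination of the monthly full report explicit. A one-line comment on why the 1st of the month runs without `--cron` would also help the next reader.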

@ -37,9 +37,12 @@ evolinux_hostname_hosts: True
evolinux_hostname_mailname: True
evolinux_hostname: "{{ ansible_hostname }}"
evolinux_domain: "{{ ansible_domain }}"
evolinux_fqdn: "{{ ansible_fqdn }}"
evolinux_domain: "{{ ansible_domain }}"
evolinux_fqdn: "{{ evolinux_hostname }}.{{ evolinux_domain }}"
evolinux_internal_hostname: "{{ evolinux_hostname }}"
evolinux_internal_domain: "{{ evolinux_domain }}"
evolinux_internal_fqdn: "{{ evolinux_internal_hostname }}.{{ evolinux_internal_domain }}"
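Review bot: `evolinux_fqdn` is now built as `{{ evolinux_hostname }}.{{ evolinux_domain }}`, so on a host whose `ansible_domain` fact is empty the value becomes `hostname.` with a trailing dot, a failure mode the removed `ansible_fqdn` form did not have. That value then flows into the /etc/hosts line and the Postfix `mydestination` line changed by this same commit. A guard such as `evolinux_fqdn: "{{ evolinux_hostname }}{{ '.' ~ evolinux_domain if evolinux_domain else '' }}"` keeps the hostname/domain split while avoiding the dangling dot; `evolinux_internal_fqdn` needs the same treatment.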
# kernel

@ -1,9 +1,13 @@
---
- name: /etc/evolinux exists
file:
dest: /etc/evolinux
owner: root
group: root
mode: "0700"
state: directory
### This is taken care of by the evolinux-todo role
# - name: /etc/evolinux exists
# file:
# dest: /etc/evolinux
# owner: root
# group: root
# mode: "0700"
# state: directory
- include_role:
name: evolinux-todo
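Review bot: The commented-out task at the top is dead code kept beside its replacement; the `###` line already names the role that took it over, so the block can be deleted and git history keeps it. The bare `- include_role:` also has no `name:` and no `tags:`, so it cannot be selected or skipped with `--tags`/`--skip-tags` and shows up anonymously in play output; `- name: evolinux-todo is applied` above `include_role:` fixes both.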

@ -2,7 +2,7 @@
- name: dbus is installed
apt:
name: dbus
state: installed
state: present
- name: Set hostname "{{ evolinux_hostname }}"
hostname:
@ -20,7 +20,7 @@
lineinfile:
dest: /etc/hosts
regexp: '^{{ ansible_default_ipv4.address }}\s+'
line: "{{ ansible_default_ipv4.address }} {{ evolinux_fqdn }} {{ evolinux_hostname }}"
line: "{{ ansible_default_ipv4.address }} {{ [evolinux_fqdn, evolinux_internal_fqdn] | unique | join(' ') }} {{ [evolinux_hostname, evolinux_internal_hostname] | unique | join(' ') }}"
insertafter: '127.0.0.1\s+localhost.localdomain'
when: evolinux_hostname_hosts

@ -50,4 +50,17 @@
reload: yes
when: evolinux_kernel_cve20165696
- name: Patch for TCP stack vulnerability CVE-2018-5391 (FragmentSmack)
sysctl:
name: "{{ item.name }}"
value: "{{ item.value }}"
sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
state: present
reload: yes
with_items:
- { name: "net.ipv4.ipfrag_low_thresh", value: 196608 }
- { name: "net.ipv6.ip6frag_low_thresh", value: 196608 }
- { name: "net.ipv4.ipfrag_high_thresh", value: 262144 }
- { name: "net.ipv6.ip6frag_high_thresh", value: 262144 }
- meta: flush_handlers
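Review bot: The FragmentSmack task runs unconditionally, whereas the CVE-2016-5696 task right above it is gated by `evolinux_kernel_cve20165696`; a matching `when: evolinux_kernel_cve20185391` (with a default of `True` in defaults/main.yml) keeps the two mitigations consistent and lets an operator opt out on a kernel that already ships fixed thresholds. The order of the four items is also load-bearing and deserves a comment: on kernels that bound `ipfrag_high_thresh` below by the current `ipfrag_low_thresh` (and vice versa), lowering the low thresholds first is the only order that succeeds, and raising the values again later would need the reverse order — e.g. `# keep low_thresh before high_thresh: the kernel rejects a high value below the current low one` above `with_items:`.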

@ -26,7 +26,7 @@
lineinfile:
dest: /etc/postfix/main.cf
state: present
line: "mydestination = {{ evolinux_fqdn }} localhost.localdomain localhost"
line: "mydestination = {{ [evolinux_fqdn, evolinux_internal_fqdn] | unique | join(' ') }} localhost.localdomain localhost"
regexp: '^mydestination'
notify: reload postfix
tags:
@ -61,6 +61,9 @@
- postmaster
- abuse
- mailer-daemon
- delay
- error
- bounce
notify: newaliases
when: evolinux_postfix_mailer_alias_root
tags:

@ -14,7 +14,7 @@
}
#container {
padding-top: 20px;
width: 500px;
width: 768px;
margin: auto;
overflow: hidden;
}
@ -24,7 +24,7 @@
border-bottom: 1px solid #a9a9a9;
background-image: url(./img/background-top.png);
background-repeat: no-repeat;
background-position: 245px 5px;
background-position: 510px 5px;
}
ul {
list-style-type: none;

15
evolinux-todo/README.md Normal file
@ -0,0 +1,15 @@
# evocheck
Creates an /etc/evolinux/todo.txt file to hold information about things to do, gathered by humans or other Ansible tasks
## Tasks
The main tasks install the default file if missing.
A separate `cat.yml` file can be imported manually in playbooks or roles to get the content of the file. Example :
```
- include_role:
name: evolinux-todo
tasks_from: cat.yml
```

@ -0,0 +1,30 @@
galaxy_info:
author: Jeremy Lecour
description: Install evolinux-todo
company: Evolix
issue_tracker_url: https://forge.evolix.org/projects/evocheck/issues
license: GPLv2
min_ansible_version: 2.2
platforms:
- name: Debian
versions:
- jessie
- stretch
galaxy_tags: []
# List tags for your role here, one per line. A tag is
# a keyword that describes and categorizes the role.
# Users find roles by searching for tags. Be sure to
# remove the '[]' above if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of
# alphanumeric characters. Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line.
# Be sure to remove the '[]' above if you add dependencies
# to this list.
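Review bot: `issue_tracker_url` points at the evocheck project although this is the new evolinux-todo role; the other roles touched by this commit use `https://forge.evolix.org/projects/ansible-roles/issues`, which is presumably the intended value. `author` is also a personal name here while the sibling metadata files say `Evolix`; harmless, but worth aligning while the file is new.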

@ -0,0 +1,13 @@
---
- name: cat /etc/evolinux/todo.txt
command: "cat /etc/evolinux/todo.txt"
register: evolinux_todo
changed_when: False
failed_when: False
check_mode: no
- name: "Content of /etc/evolinux/todo.txt"
debug:
var: evolinux_todo.stdout_lines
when: evolinux_todo.stdout != ""
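Review bot: `command: cat` combined with `failed_when: False` makes a missing or unreadable /etc/evolinux/todo.txt indistinguishable from an empty one, and the result is then tested with `stdout != ""`. The `slurp` module reads the file natively with no `changed_when`/`failed_when`/`check_mode` overrides, and `(evolinux_todo.content | b64decode) | trim` can drive the `debug` task; if the file is meant to be optional, a preceding `stat` task makes that explicit instead of swallowing every error.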

@ -0,0 +1,14 @@
---
- name: /etc/evolinux is present
file:
dest: /etc/evolinux
mode: "0700"
state: directory
- name: /etc/evolinux/todo.txt is present
copy:
src: todo.defaults.txt
dest: /etc/evolinux/todo.txt
mode: "0640"
force: no
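Review bot: Neither task sets `owner`/`group`, while the evolinux-base task this role replaces (commented out in default_etc_evolinux.yml by this same commit) set both to root; `file` and `copy` only change the attributes listed, so a pre-existing /etc/evolinux or todo.txt keeps whatever owner it had, and the `0700`/`0640` modes then grant that account, rather than root, exclusive access to the operators' notes. Adding `owner: root` and `group: root` to both tasks restores the previous guarantee. `force: no` on the copy is presumably deliberate (the file holds human edits), and a one-line comment saying so would keep someone from "fixing" it later.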

@ -0,0 +1,4 @@
---
- hosts: test-kitchen
roles:
- role: evolinux-todo

@ -5,6 +5,7 @@ User_Alias ADMINS = {{ user.name }}
nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall
nagios ALL = NOPASSWD: /usr/sbin/bkctld check
nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt
ADMINS ALL = (ALL:ALL) ALL
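Review bot: The new `nagios ALL = NOPASSWD: /usr/sbin/bkctld check` rule uses sudoers exact-argument matching, so only the literal invocation `sudo /usr/sbin/bkctld check` is permitted and the `command[check_bkctld]` line in the nagios-nrpe template of this commit must stay byte-identical; a comment such as `# exact-args rule: keep in sync with command[check_bkctld] in nagios-nrpe` guards against one side being edited alone. The same line is added to the second sudoers template below, and the two templates now carry four identical nagios rules — a shared include or a loop over one list would stop them drifting apart.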

@ -4,6 +4,7 @@ Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts
nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall
nagios ALL = NOPASSWD: /usr/sbin/bkctld check
nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt
%{{ evolinux_sudo_group }} ALL=(ALL:ALL) ALL

@ -12,6 +12,8 @@ Main variables are :
* `general_alert_email`: email address to send various alert messages (default: `root@localhost`).
* `fail2ban_alert_email`: email address for messages sent to root (default: `general_alert_email`).
* `fail2ban_ignore_ips`: list of IPs to ignore (default: empty).
* `fail2ban_default_ignore_ips`: default list of IPs to ignore (default: empty).
* `fail2ban_additional_ignore_ips`: additional list of IPs to ignore (default: empty).
* `fail2ban_disable_ssh`: if true, the "sshd" filter is disabled, otherwise nothing is done, not even enabling the filter (default: `False`).
The full list of variables (with default values) can be found in `defaults/main.yml`.

@ -2,9 +2,14 @@
general_alert_email: "root@localhost"
fail2ban_alert_email: Null
# Note: there are 2 variable to allow various overrides, but they are merged.
# "127.0.0.1/8" is always added to the list, even if the following lists are empty.
fail2ban_default_ignore_ips: []
fail2ban_additional_ignore_ips: []
fail2ban_ignore_ips: "{{ fail2ban_default_ignore_ips | union(fail2ban_additional_ignore_ips) | unique }}"
# WARN: setting this to True will overwrite the list of ignored IP
fail2ban_force_update_ignore_ips: False
fail2ban_wordpress: False
fail2ban_roundcube: False
fail2ban_disable_ssh: False

@ -15,6 +15,9 @@
tags:
- fail2ban
- set_fact:
fail2ban_ignore_ips: "{{ fail2ban_default_ignore_ips | union(fail2ban_additional_ignore_ips) | unique }}"
- name: local jail is installed
template:
src: jail.local.j2
@ -25,6 +28,28 @@
tags:
- fail2ban
- name: update ignoreips lists
ini_file:
dest: /etc/fail2ban/jail.local
section: "[DEFAULT]"
option: "ignoreips"
value: "{{ fail2ban_ignore_ips | join(' ') }}"
notify: restart fail2ban
when: fail2ban_force_update_ignore_ips
tags:
- fail2ban
- name: Disable SSH filter
ini_file:
dest: /etc/fail2ban/jail.local
section: sshd
option: enabled
value: false
notify: restart fail2ban
when: fail2ban_disable_ssh
tags:
- fail2ban
- name: custom filters are installed
copy:
src: "{{ item }}"
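Review bot: The `update ignoreips lists` task cannot work as written: the option is spelled `ignoreips` whereas fail2ban — and jail.local.j2 in this same commit — use `ignoreip`, and `section: "[DEFAULT]"` makes `ini_file` emit a `[[DEFAULT]]` header because the module adds the brackets itself, so a run creates a new, unread section instead of updating the default one; `section: DEFAULT` and `option: ignoreip` fix both. The `set_fact` above also assigns `fail2ban_ignore_ips` from only the default and additional lists, which silently discards a `fail2ban_ignore_ips` that an inventory already sets (the README still documents that variable); either fold it into the union or drop the `set_fact`, since defaults/main.yml now defines the same expression.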

@ -3,7 +3,7 @@
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = {{ (['127.0.0.1/8'] + fail2ban_ignore_ips) | join(' ') }}
ignoreip = {{ ['127.0.0.1/8'] | union(fail2ban_ignore_ips) | unique | join(' ') }}
bantime = 600
maxretry = 3

@ -6,7 +6,7 @@ if [ $(id -u) != 0 ]; then
fi
is_pkg_installed() {
dpkg -l "$1" 2>/dev/null | grep -q '^ii'
dpkg -l "$1" 2>/dev/null | grep -q -E '^(i|h)i'
}
get_pkg_version() {
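Review bot: `dpkg -l "$1" | grep -q -E '^(i|h)i'` now accepts held packages, but it still scrapes the human-oriented `dpkg -l` listing (column layout, `un`/`rc` rows for packages that are known but not installed). `dpkg-query -W -f='${Status}' "$1" 2>/dev/null | grep -q ' installed$'` reads the machine-readable status field, is independent of the hold flag, and answers the same question; `is_pkg_installed` is fully visible here, but the file continues past the hunk.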

@ -8,7 +8,7 @@ Everything is in the `tasks/main.yml` file.
## Available variables
* `haproxy_jessie_backports` : on Debian Jessie, we can prefer v1.7 from backports (default: `False`)
* `haproxy_backports` : We can either prefer v1.7 from backports for Debian Jessie or v1.8 for Debian Stretch (default: `False`)
## Configuration templates

@ -1,3 +1,4 @@
---
haproxy_jessie_backports: False
# backward compatibility with a previously used variable
haproxy_backports: "{{ haproxy_jessie_backports | default(false, true) }}"
haproxy_stats_url: "http://127.0.0.1:8080/"

@ -1,3 +0,0 @@
Package: haproxy libssl1.0.0
Pin: release a=jessie-backports
Pin-Priority: 999

@ -2,18 +2,18 @@
- name: ssl-cert package is installed
apt:
name: ssl-cert
state: installed
state: present
tags:
- haproxy
- packages
- include: packages_jessie_backports.yml
when: ansible_distribution_release == "jessie" and haproxy_jessie_backports
- include: packages_backports.yml
when: haproxy_backports
- name: Install HAProxy package
apt:
name: haproxy
state: installed
state: present
tags:
- haproxy
- packages

@ -1,4 +1,6 @@
---
- include_role:
name: remount-usr
- name: "Install check_haproxy_stats script"
copy:

@ -7,9 +7,9 @@
- haproxy
- packages
- name: Prefer HAProxy package from jessie-backports
copy:
src: haproxy_apt_preferences
- name: Prefer HAProxy package from backports
template:
src: haproxy_apt_preferences.j2
dest: /etc/apt/preferences.d/999-haproxy
force: yes
mode: "0640"

@ -0,0 +1,3 @@
Package: haproxy libssl1.0.0
Pin: release a={{ ansible_distribution_release }}-backports
Pin-Priority: 999
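Review bot: The pin still names `libssl1.0.0` even though the template is now rendered for every release (`{{ ansible_distribution_release }}-backports`, selected by `haproxy_backports` with no release check in tasks/main.yml); on stretch the backported haproxy links against libssl1.1 as far as I can tell, so that entry is inert there and, on a release where backports does ship a libssl1.0.0, it would pull in a library nobody asked for. Presumably harmless today, but a comment naming the release that needs the entry — or a Jinja condition on `ansible_distribution_release == "jessie"` — keeps it from surprising the next reader.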

28
java/.kitchen.yml Normal file
@ -0,0 +1,28 @@
---
driver:
name: docker
privileged: true
use_sudo: false
provisioner:
name: ansible_playbook
hosts: test-kitchen
roles_path: ../
ansible_verbose: true
require_ansible_source: false
require_chef_for_busser: false
idempotency_test: true
platforms:
- name: debian
driver_config:
image: evolix/ansible:2.2.1
suites:
- name: default
provisioner:
name: ansible_playbook
playbook: ./tests/test.yml
transport:
max_ssh_sessions: 6

14
java/README.md Normal file
@ -0,0 +1,14 @@
# java
Install OpenJDK or OracleJDK
## Tasks
* `openjdk.yml` : install of OpenJDK
* `oracle.yml` : install or OracleJDK
## Available variables
* `java_alternative`: choose between openjdk or oraclejdk (default to openjdk)
* `java_version`: java version (default to 8)
* `java_default_alternative`: make this verison the default alternative (default to true)

4
java/defaults/main.yml Normal file
@ -0,0 +1,4 @@
---
java_alternative: 'openjdk'
java_version: 8
java_default_alternative: True

@ -1,7 +1,7 @@
---
galaxy_info:
author: Evolix
description: Installation of Java 8
description: Installation of Java
issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
@ -13,3 +13,4 @@ galaxy_info:
- name: Debian
versions:
- jessie
- stretch

10
java/tasks/main.yml Normal file
@ -0,0 +1,10 @@
---
- fail:
msg: "This role support only java 8 for now !"
when: java_version != 8
- include: openjdk.yml
when: "{{ java_alternative == 'openjdk' }}"
- include: oracle.yml
when: "{{ java_alternative == 'oracle' }}"
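Review bot: The two `include` conditions wrap the test in Jinja delimiters (`when: "{{ java_alternative == 'openjdk' }}"`), which Ansible warns about and evaluates as a templated string; the plain `when: java_alternative == 'openjdk'` is what the rest of this commit uses. More importantly the Oracle branch tests for `'oracle'` while the new README documents the choice as `oraclejdk`, so a value of `oraclejdk` (or any typo) matches neither include and the role ends without installing anything. Extending the leading `fail` task — `when: java_version != 8 or java_alternative not in ['openjdk', 'oracle']` — turns that silent no-op into an error, and the README should name the same tokens.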

31
java/tasks/openjdk.yml Normal file
@ -0,0 +1,31 @@
---
- name: Decide which Debian release to use
set_fact:
java_apt_release: '{% if ansible_distribution_release == "jessie" %}jessie-backports{% else %}{{ ansible_distribution_release }}{% endif %}'
tags:
- java
- name: Install jessie-backports
include_role:
name: apt
tasks_from: backports.yml
when: ansible_distribution_release == "jessie"
tags:
- java
- name: Install openjdk package
apt:
name: "openjdk-{{ java_version}}-jre-headless"
default_release: "{{ java_apt_release }}"
state: present
tags:
- java
- packages
- name: This openjdk version is the default alternative
alternatives:
name: java
path: "/usr/lib/jvm/java-{{ java_version }}-openjdk-amd64/jre/bin/java"
when: java_default_alternative
tags:
- java
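Review bot: `name: "openjdk-{{ java_version}}-jre-headless"` is missing the space before `}}`; it renders, but it is the only unbalanced delimiter in the role. The alternatives path hard-codes `amd64`, as the removed java8 role did, so on any other architecture the task registers a dangling alternative; deriving the suffix from `dpkg --print-architecture`, or failing early when `ansible_architecture != "x86_64"`, would make the limitation explicit rather than implicit.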

58
java/tasks/oracle.yml Normal file
@ -0,0 +1,58 @@
---
- name: Install dependencies for build java package
apt:
name: "{{ item }}"
state: present
with_items:
- java-package
- build-essential
tags:
- java
- name: Create jvm dir
file:
path: "{{ item }}"
state: directory
mode: "0777"
with_items:
- /srv/java-package
- /srv/java-package/src
- /srv/java-package/tmp
tags:
- java
- name: Get Oracle jre archive
get_url:
url: 'http://download.oracle.com/otn-pub/java/jdk/8u172-b11/a58eab1ec242421181065cdc37240b08/jre-8u172-linux-x64.tar.gz'
dest: '/srv/java-package/src/'
checksum: 'sha256:f08f25aec2bdc86138ccba8fd5b904451e3afa1d24a88c85f28c2d84bfd45bad'
headers: 'Cookie: oraclelicense=accept-securebackup-cookie'
mode: "0644"
tags:
- java
- name: Make Debian package from Oracle JDK archive
shell: "yes | TMPDIR=/srv/java-package/tmp make-jpkg /srv/java-package/src/jre-8u172-linux-x64.tar.gz"
args:
chdir: /srv/java-package
creates: /srv/java-package/oracle-java8-jre_8u172_amd64.deb
become: False
tags:
- java
- include_role:
name: remount-usr
- name: Install java package
apt:
deb: /srv/java-package/oracle-java8-jre_8u172_amd64.deb
tags:
- java
- name: This openjdk version is the default alternative
alternatives:
name: java
path: "/usr/lib/jvm/jre-{{ java_version }}-oracle-x64/bin/java"
when: java_default_alternative
tags:
- java
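Review bot: `Create jvm dir` makes /srv/java-package and its src/ and tmp/ subdirectories world-writable (`mode: "0777"`), and a later task installs `/srv/java-package/oracle-java8-jre_8u172_amd64.deb` from that directory as root via `apt: deb:`; because `creates:` skips the build once that file exists, any local account that can write there can have its own package installed with root privileges on the next run. The directory only needs to be writable by the account `make-jpkg` runs as (`become: False`), so `owner: <build user, e.g. the login user in ansible_user>` with `mode: "0755"` closes that gap; building in a private temporary directory and copying the result out as root is the other clean option. Two smaller items: the last task is named `This openjdk version is the default alternative` although it registers the Oracle JRE, and the 8u172 URL, checksum and filename are fixed while `java_version` is a variable, so only the `java_version != 8` guard in main.yml keeps them consistent — a comment near the URL saying so would help whoever bumps the version.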

@ -1,4 +1,4 @@
---
- hosts: test-kitchen
roles:
- role: java8
- role: java

1
java8 Symbolic link
@ -0,0 +1 @@
java

@ -1,11 +0,0 @@
# java8
Install OpenJDK 1.8 (from jessie-backports)
## Tasks
Everything is in the `tasks/main.yml` file.
## Available variables
* `java8_default_alternative`: make this verison the default alternative (defaults to true)

@ -1,2 +0,0 @@
---
java8_default_alternative: True

@ -1,27 +0,0 @@
---
- name: Decide which Debian release to use
set_fact:
java8_apt_release: '{% if ansible_distribution_release == "jessie" %}jessie-backports{% else %}{{ ansible_distribution_release }}{% endif %}'
- name: install jessie-backports
include_role:
name: apt
tasks_from: backports.yml
when: ansible_distribution_release == "jessie"
- name: Java 8 is installed
apt:
name: openjdk-8-jre-headless
default_release: "{{ java8_apt_release }}"
state: present
tags:
- java
- packages
- name: Java 8 is the default alternative
alternatives:
name: java
path: /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java
when: java8_default_alternative
tags:
- java

@ -24,4 +24,4 @@ galaxy_info:
# alphanumeric characters. Maximum 20 tags per role.
dependencies:
- java8
- { role: java, java_alternative: 'openjdk', java_version: 8 }

@ -50,6 +50,22 @@
insertafter: '^#server.basePath:'
notify: restart kibana
- name: kibana log destination is present
file:
dest: /var/log/kibana
owner: kibana
group: kibana
mode: "0750"
state: directory
- name: kibana log messages go to custom file
lineinfile:
dest: /etc/kibana/kibana.yml
line: "logging.dest: \"/var/log/kibana/kibana.log\""
regexp: '^logging.dest:'
insertafter: '^#logging.dest:'
notify: restart kibana
- name: Kibana service is enabled and started
systemd:
name: kibana
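Review bot: `logging.dest` now sends Kibana's log to /var/log/kibana/kibana.log, but nothing in this section installs a logrotate rule for it, and Kibana (at least the 6.x line, as far as I know) does not rotate its own log file, so it grows without bound; a `/etc/logrotate.d/kibana` template using `copytruncate` (Kibana keeps the file open) is the usual companion to this change. The `regexp: '^logging.dest:'` also leaves the dot unescaped; harmless here, but `'^logging\.dest:'` says what is meant.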

@ -5,15 +5,6 @@
- include: packages.yml
- include_role:
name: remount-usr
- name: Copy add-vm script
get_url:
url: https://forge.evolix.org/projects/kvm-tools/repository/revisions/master/raw/add-vm.sh
dest: /usr/share/scripts/add-vm.sh
mode: "0750"
- include: munin.yml
- include: images.yml

@ -10,3 +10,4 @@
- virtinst
- libvirt-daemon-system
- libvirt-clients
- kvm-tools

@ -14,4 +14,4 @@ galaxy_info:
- jessie
dependencies:
- java8
- { role: java, java_alternative: 'openjdk', java_version: 8 }

@ -15,5 +15,14 @@ Main variables are :
* `memcached_port`: opened port (default: `11211`) ;
* `memcached_bind_interface`: interface to listen to (default: `127.0.0.1`) ;
* `memcached_connections`: number of simultaneous incoming connections (default: `1024`) ;
* `memcached_instance_name`: use this to set up multiple memcached instances (default: `False`) ;
The full list of variables (with default values) can be found in `defaults/main.yml`.
## Multiple intances
When using memcached_instance_name variable, you can set up multiple memcached instances :
roles:
- { role: memcached, memcached_instance_name: "instance1" }
- { role: memcached, memcached_instance_name: "instance2", memcached_port: 11212 }

@ -1,4 +1,5 @@
---
memcached_instance_name: ""
memcached_logfile: '/var/log/memcached.log'
memcached_mem: 64
memcached_user: 'nobody'

@ -0,0 +1,10 @@
[Unit]
Description=memcached daemon
After=network.target
ConditionPathExists=/etc/memcached_%i.conf
[Service]
ExecStart=/usr/share/memcached/scripts/systemd-memcached-wrapper /etc/memcached_%i.conf
[Install]
WantedBy=multi-user.target

@ -3,7 +3,7 @@
name: memcached
state: present
tags:
- memcached
- memcached
- name: Memcached is configured.
template:
@ -12,7 +12,8 @@
mode: "0644"
notify: restart memcached
tags:
- memcached
- memcached
when: memcached_instance_name == ""
- name: Memcached is running and enabled on boot.
service:
@ -20,7 +21,54 @@
enabled: yes
state: started
tags:
- memcached
- memcached
when: memcached_instance_name == ""
- name: Add systemd template
copy:
src: memcached@.service
dest: /etc/systemd/system/memcached@.service
tags:
- memcached
when: memcached_instance_name != ""
- name: Delete default memcached systemd configuration file
systemd:
name: memcached
enabled: false
state: stopped
tags:
- memcached
when: memcached_instance_name != ""
- name: Make sure memcached.conf is absent
file:
path: /etc/memcached.conf
state: absent
tags:
- memcached
when: memcached_instance_name != ""
- name: Create a configuration file
template:
src: memcached.conf.j2
dest: /etc/memcached_{{ memcached_instance_name }}.conf
mode: "0644"
tags:
- memcached
when: memcached_instance_name != ""
- name: Enable and start the memcached instance
systemd:
name: memcached@{{ memcached_instance_name }}
enabled: yes
state: started
daemon_reload: yes
masked: no
tags:
- memcached
when: memcached_instance_name != ""
- include: munin.yml
- include: nrpe.yml
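Review bot: In the multi-instance branch the `Create a configuration file` task has no `notify`, unlike the single-instance template task above it that notifies `restart memcached`, so a changed `/etc/memcached_<name>.conf` is never applied to the running `memcached@<name>` unit; it needs a handler that restarts `memcached@{{ memcached_instance_name }}` (the existing handler presumably targets the default unit only). The task named `Delete default memcached systemd configuration file` actually stops and disables the packaged service rather than deleting anything, and the next task removes the package's `/etc/memcached.conf` conffile, which dpkg will not restore on upgrade; a name like `Default memcached service is stopped and disabled` plus a comment that the conffile removal is deliberate would make the intent clear.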

@ -1,4 +1,8 @@
---
- name: Choose packages (Oracle)
set_fact:
multi: "multi_"
when: memcached_instance_name != False
- name: is Munin present ?
stat:
@ -21,7 +25,7 @@
- name: Enable core Munin plugins
file:
src: '/usr/share/munin/plugins/memcached_'
dest: /etc/munin/plugins/{{ item }}
dest: /etc/munin/plugins/{{ multi }}{{ item }}
state: link
with_items:
- memcached_bytes
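Review bot: `when: memcached_instance_name != False` compares the string default `""` from defaults/main.yml with a boolean; in Jinja `"" != False` is true, so `multi` is set to `multi_` even in the single-instance case and the plugin links become `/etc/munin/plugins/multi_memcached_bytes` and so on. Every other task in this commit tests `memcached_instance_name != ""`; using the same expression here fixes it. The task name `Choose packages (Oracle)` is a leftover from the mysql role and should describe the fact being set, e.g. `Prefix munin plugin names for a named instance`.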

@ -1,4 +1,7 @@
---
- include_role:
name: remount-usr
- name: Is nrpe present ?
stat:
path: /etc/nagios/nrpe.d/evolix.cfg
@ -15,12 +18,13 @@
dest: /usr/local/lib/nagios/plugins/
mode: "0755"
# TODO: install a "multi-instances" check if the memcached_instance_name variable is not null
- name: Add NRPE check
lineinfile:
name: /etc/nagios/nrpe.d/evolix.cfg
regexp: '^command\[check_memcached\]='
line: 'command[check_memcached]=/usr/local/lib/nagios/plugins/check_memcached.pl -H 127.0.0.1'
line: 'command[check_memcached]=/usr/local/lib/nagios/plugins/check_memcached.pl -H 127.0.0.1 -p {{ memcached_port }}'
notify: restart nagios-nrpe-server
when: nrpe_evolix_config.stat.exists

28
metricbeat/.kitchen.yml Normal file
@ -0,0 +1,28 @@
---
driver:
name: docker
privileged: true
use_sudo: false
provisioner:
name: ansible_playbook
hosts: test-kitchen
roles_path: ../
ansible_verbose: true
require_ansible_source: false
require_chef_for_busser: false
idempotency_test: true
platforms:
- name: debian
driver_config:
image: evolix/ansible:2.2.1
suites:
- name: default
provisioner:
name: ansible_playbook
playbook: ./tests/test.yml
transport:
max_ssh_sessions: 6

11
metricbeat/README.md Normal file
@ -0,0 +1,11 @@
# filebeat
Install Metricbeat.
## Tasks
Everything is in the `tasks/main.yml` file.
## Available variables
* `elastic_stack_version`: version to install (default: `6.x`);

@ -0,0 +1,2 @@
---
elastic_stack_version: "6.x"

@ -0,0 +1,31 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.14 (GNU/Linux)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=92oX
-----END PGP PUBLIC KEY BLOCK-----

20
metricbeat/meta/main.yml Normal file
@ -0,0 +1,20 @@
galaxy_info:
author: Evolix
description: Installation and basic configuration of Metricbeat.
issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
license: GPLv2
min_ansible_version: 2.2
platforms:
- name: Debian
versions:
- jessie
- stretch
dependencies: []
# List your role dependencies here, one per line.
# Be sure to remove the '[]' above if you add dependencies
# to this list.

41
metricbeat/tasks/main.yml Normal file
@ -0,0 +1,41 @@
---
- name: APT https transport is enabled
apt:
name: apt-transport-https
state: present
tags:
- metricbeat
- packages
- name: Elastic GPG key is installed
apt_key:
# url: https://artifacts.elastic.co/GPG-KEY-elasticsearch
data: "{{ lookup('file', 'elasticsearch.key') }}"
state: present
tags:
- metricbeat
- packages
- name: Elastic sources list is available
apt_repository:
repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
filename: elastic
state: present
update_cache: yes
tags:
- metricbeat
- packages
- name: Metricbeat is installed
apt:
name: metricbeat
state: present
tags:
- metricbeat
- packages
- name: Metricbeat service is enabled
systemd:
name: metricbeat
enabled: yes
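Review bot: The last task enables the metricbeat unit but does not start it (`state: started` is absent), so after the first run nothing collects metrics until the next reboot; if that is deliberate because configuration is managed elsewhere, a comment saying so would help, otherwise `state: started` belongs next to `enabled: yes`. Installing the Elastic signing key from a file shipped with the role (`data: lookup('file', ...)`) instead of fetching it over the network is the right choice; the commented-out `url:` line can go.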

@ -0,0 +1,4 @@
---
- hosts: test-kitchen
roles:
- role: metricbeat

@ -1,5 +1,6 @@
---
minifirewall_tail_included: False
minifirewall_tail_force: yes
minifirewall_git_url: "https://forge.evolix.org/minifirewall.git"
minifirewall_checkout_path: "/tmp/minifirewall"

@ -3,7 +3,7 @@
template:
src: "{{ item }}"
dest: /etc/default/minifirewall.tail
force: yes
force: "{{ minifirewall_tail_force | bool | ternary('yes', 'no') }}"
with_first_found:
- "templates/minifirewall-tail/minifirewall.{{ inventory_hostname }}.tail.j2"
- "templates/minifirewall-tail/minifirewall.{{ host_group }}.tail.j2"
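Review bot: `force: "{{ minifirewall_tail_force | bool | ternary('yes', 'no') }}"` converts a boolean into the strings yes/no only for Ansible to turn them back into a boolean; `force: "{{ minifirewall_tail_force | bool }}"` is equivalent and reads as what it is. The new default is written `yes` in defaults/main.yml, a YAML 1.1 boolean literal that yamllint's `truthy` rule flags; `minifirewall_tail_force: True` would match the neighbouring `minifirewall_tail_included: False`.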

@ -16,12 +16,12 @@
apt:
name: mongodb-org
allow_unauthenticated: yes
state: installed
state: present
- name: install dependency for monitoring
apt:
name: python-pymongo
state: installed
state: present
- name: Custom configuration
template:

@ -3,7 +3,7 @@
- name: Install packages
apt:
name: "{{ item }}"
state: installed
state: present
with_items:
- mongodb
- mongo-tools
@ -11,7 +11,7 @@
- name: install dependency for monitoring
apt:
name: python-pymongo
state: installed
state: present
- name: Custom configuration
template:

@ -22,7 +22,7 @@
notify: restart munin-node
- name: Rename the localdomain data dir
command: mv /var/lib/munin/localdomain /var/lib/munin/{{ ansible_domain }}
shell: "mv /var/lib/munin/localdomain /var/lib/munin/{{ ansible_domain }} && rename \"s/localhost.localdomain/{{ ansible_fqdn }}/\" /var/lib/munin/{{ ansible_domain }}/*"
args:
creates: /var/lib/munin/{{ ansible_domain }}
removes: /var/lib/munin/localdomain
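Review bot: `mv … && rename …` under `creates:` is not restartable: if `mv` succeeds and `rename` fails (the Perl `rename` command is a separate package on recent Debian releases and may be absent), the target directory already exists, so every later run skips the task and the `localhost.localdomain` files are never renamed. Either make `rename` an explicit package dependency of the role, or split this into two tasks — the `mv` guarded by `creates`/`removes` as now, and the `rename` guarded by its own check (for instance a registered `ls /var/lib/munin/{{ ansible_domain }}/localhost.localdomain*`) — so a partial failure is retried instead of silently ignored.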

@ -5,6 +5,8 @@ log2mail_alert_email: Null
general_scripts_dir: "/usr/share/scripts"
mysql_scripts_dir: Null
mysql_install_libclient: False
mysql_replace_root_with_mysqladmin: True
mysql_custom_datadir: ''

@ -1,9 +1,12 @@
---
- set_fact:
mysql_config_directory: "/etc/mysql/mysql.conf.d"
- name: "Copy MySQL defaults config file"
copy:
src: evolinux-defaults.cnf
dest: "/etc/mysql/mysql.conf.d/z-evolinux-defaults.cnf"
dest: "{{ mysql_config_directory }}/z-evolinux-defaults.cnf"
owner: root
group: root
mode: "0644"
@ -14,7 +17,7 @@
- name: "Copy MySQL custom config file"
template:
src: evolinux-custom.cnf.j2
dest: "/etc/mysql/mysql.conf.d/zzz-evolinux-custom.cnf"
dest: "{{ mysql_config_directory }}/zzz-evolinux-custom.cnf"
owner: root
group: root
mode: "0644"
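Review bot: `mysql_config_directory` is created with `set_fact` inside config.yml but consumed by tmpdir.yml in this same commit; if tmpdir.yml is ever included before config.yml, or run alone through tags, the variable is undefined and the task fails. A constant like this belongs in the role's `vars/main.yml`, which is always loaded with the role, rather than in a task-level fact.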

@ -11,7 +11,7 @@
- name: MySQL APT config package is installed
apt:
deb: /root/mysql-apt-config_0.8.9-1_all.deb
state: installed
state: present
register: mysql_apt_config_deb
- name: Open firewall for MySQL.com repository
@ -36,10 +36,21 @@
with_items:
- mysql-server
- mysql-client
tags:
- mysql
- packages
- name: Install MySQL dev packages
apt:
name: '{{ item }}'
update_cache: yes
state: present
with_items:
- libmysqlclient20
tags:
- mysql
- packages
when: mysql_install_libclient
- include_role:
name: remount-usr
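Review bot: With `mysql_install_libclient` the Oracle variant installs `libmysqlclient20`, the runtime shared library, while the other two packages.yml hunks in this commit install `libmysqlclient-dev` / `default-libmysqlclient-dev`, and both the changelog and the README describe the option as installing the client development libraries. For Oracle's repository the matching package is presumably `libmysqlclient-dev` as well; as written, a user who sets the flag in order to compile a client gets only the .so.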

@ -13,7 +13,7 @@
- name: Configure tmpdir
ini_file:
dest: "/etc/mysql/conf.d/zzz-evolinux-custom.cnf"
dest: "{{ mysql_config_directory }}/zzz-evolinux-custom.cnf"
section: mysqld
option: tmpdir
value: "{{ mysql_custom_tmpdir }}"

@ -37,7 +37,7 @@
create: yes
with_items:
- { option: 'user', value: 'mysqladmin' }
- { option: password, value: '{{ mysql_admin_password.stdout }}' }
- { option: 'password', value: '{{ mysql_admin_password.stdout }}' }
when: create_mysqladmin_user | changed
tags:
- mysql
@ -73,7 +73,7 @@
with_nested:
- [ "client", "mysql_upgrade" ]
- [ { option: 'user', value: 'debian-sys-maint' },
{ option: password, value: '{{ mysql_debian_password.stdout }}' }
{ option: 'password', value: '{{ mysql_debian_password.stdout }}' }
]
when: create_debian_user | changed
tags:

@ -22,12 +22,21 @@ Tasks are extracted in several files, included in `tasks/main.yml` :
* `mysql_replace_root_with_mysqladmin`: switch from `root` to `mysqladmin` user or not ;
* `mysql_thread_cache_size`: number of threads for the cache ;
* `mysql_innodb_buffer_pool_size`: amount of RAM dedicated to InnoDB ;
* `mysql_custom_datadir`: custom datadir
* `mysql_bind_address` : (default: `Null`, default evolinux config is then used) ;
* `mysql_max_connections`: maximum number of simultaneous connections (default: `Null`, default evolinux config is then used) ;
* `mysql_max_connect_errors`: number of permitted successive interrupted connection requests before a host gets blocked (default: `Null`, default evolinux config is then used) ;
* `mysql_table_cache`: (default: `Null`, default evolinux config is then used) ;
* `mysql_tmp_table_size`: (default: `Null`, default evolinux config is then used) ;
* `mysql_max_heap_table_size`: (default: `Null`, default evolinux config is then used) ;
* `mysql_query_cache_limit`: (default: `Null`, default evolinux config is then used) ;
* `mysql_query_cache_size`: (default: `Null`, default evolinux config is then used) ;
* `mysql_custom_datadir`: custom datadir.
* `mysql_custom_tmpdir`: custom tmpdir.
* `general_alert_email`: email address to send various alert messages (default: `root@localhost`).
* `log2mail_alert_email`: email address to send Log2mail messages to (default: `general_alert_email`).
* `general_scripts_dir`: general directory for scripts installation (default: `/usr/local/bin`).
* `mysql_scripts_dir`: email address to send Log2mail messages to (default: `general_scripts_dir`).
* `mysql_force_new_nrpe_password` : change the password for NRPE even if it exists already (default: `False`).
* `mysql_install_libclient`: install mysql client libraries (default: `False`).
NB : changing the _datadir_ location can be done multiple times, as long as it is not restored to the default initial location, (because a symlink is created and can't be switched back, yet).

@ -7,6 +7,8 @@ mysql_scripts_dir: Null
mysql_variant: oracle
mysql_install_libclient: False
mysql_replace_root_with_mysqladmin: True
mysql_custom_datadir: ''
@ -15,6 +17,19 @@ mysql_custom_tmpdir: ''
mysql_thread_cache_size: '{{ ansible_processor_cores }}'
mysql_innodb_buffer_pool_size: '{{ (ansible_memtotal_mb * 0.3) | int }}M'
# If these variables are changed to non-Null values,
# they will be added in the zzz-evolinux-custom.cnf file.
# Otherwise, the value from de the z-evolinux-defaults.cnf file will preveil.
mysql_bind_address: Null
mysql_max_connections: Null
mysql_max_connect_errors: Null
mysql_table_cache: Null
mysql_tmp_table_size: Null
mysql_max_heap_table_size: Null
mysql_query_cache_limit: Null
mysql_query_cache_size: Null
mysql_cron_optimize: True
mysql_cron_optimize_frequency: weekly

@ -26,6 +26,18 @@
- mysql
- packages
- name: Install MySQL dev packages
apt:
name: '{{ item }}'
update_cache: yes
state: present
with_items:
- libmysqlclient-dev
tags:
- mysql
- packages
when: mysql_install_libclient
- name: MySQL is started
service:
name: mysql

@ -12,6 +12,18 @@
- mysql
- packages
- name: Install MySQL dev packages
apt:
name: '{{ item }}'
update_cache: yes
state: present
with_items:
- default-libmysqlclient-dev
tags:
- mysql
- packages
when: mysql_install_libclient
- name: MySQL is started
service:
name: mysql

@ -76,7 +76,7 @@
with_nested:
- [ "client", "mysql_upgrade" ]
- [ { option: 'user', value: 'debian-sys-maint' },
{ option: password, value: '{{ mysql_debian_password.stdout }}' }
{ option: 'password', value: '{{ mysql_debian_password.stdout }}' }
]
when: create_debian_user.changed
tags:

@ -1,4 +1,31 @@
[mysqld]
#bind-address = 0.0.0.0
{% if mysql_bind_address %}
bind-address = {{ mysql_bind_address }}
{% endif %}
{% if mysql_thread_cache_size %}
thread_cache_size = {{ mysql_thread_cache_size }}
{% endif %}
{% if mysql_innodb_buffer_pool_size %}
innodb_buffer_pool_size = {{ mysql_innodb_buffer_pool_size }}
{% endif %}
{% if mysql_max_connections %}
max_connections = {{ mysql_max_connections }}
{% endif %}
{% if mysql_max_connect_errors %}
max_connect_errors = {{ mysql_max_connect_errors }}
{% endif %}
{% if mysql_table_cache %}
table_cache = {{ mysql_table_cache }}
{% endif %}
{% if mysql_tmp_table_size %}
tmp_table_size = {{ mysql_tmp_table_size }}
{% endif %}
{% if mysql_max_heap_table_size %}
max_heap_table_size = {{ mysql_max_heap_table_size }}
{% endif %}
{% if mysql_query_cache_limit %}
query_cache_limit = {{ mysql_query_cache_limit }}
{% endif %}
{% if mysql_query_cache_limit %}
query_cache_size = {{ mysql_query_cache_size }}
{% endif %}
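Review bot: The last block tests `mysql_query_cache_limit` but emits `query_cache_size`: with only `mysql_query_cache_size` set nothing is written, and with only the limit set the template emits `query_cache_size = ` with an empty value; the guard should be `{% if mysql_query_cache_size %}`. `table_cache` was replaced by `table_open_cache` and removed as a server variable around MySQL 5.6, and mysqld refuses to start on an unknown option in my.cnf, so please confirm which name the target versions accept before exposing `mysql_table_cache` through this template. Finally, `{% if var %}` means a legitimate `0` can never be written; if any of these tunables is meaningfully zero, test `is not none` instead.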

@ -16,7 +16,7 @@ check_state() {
cat $result >> ${result}.err
:> $result
fi
if [[ $1 -eq 2 ]]; then
if [[ $1 -ge 2 ]]; then
critical=true
cat $result >> ${result}.err
:> $result
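Review bot: `$1 -ge 2` now folds UNKNOWN (3) and any higher code into the critical bucket alongside CRITICAL (2); the enclosing `check_state` function starts before this hunk. A short comment keeps the intent visible, e.g. `# 2 = CRITICAL, 3 = UNKNOWN: both count as critical`.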

@ -9,7 +9,7 @@ allowed_hosts={{ nagios_nrpe_allowed_hosts | join(',') }}
# System checks
command[check_load]=/usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
command[check_swap]=/usr/lib/nagios/plugins/check_swap -a -w 30% -c 20%
command[check_disk1]=/usr/lib/nagios/plugins/check_disk -x /lib/init/rw -x /dev -x /dev/shm -w 10% -c 3% -W 10% -K 3% -C -w 5% -c 2% -W 5% -K 2% -p /home
command[check_disk1]=/usr/lib/nagios/plugins/check_disk -x /lib/init/rw -x /dev -x /dev/shm -x /sys/kernel/debug/tracing -w 10% -c 3% -W 10% -K 3% -C -w 5% -c 2% -W 5% -K 2% -p /home
command[check_zombie_procs]=sudo /usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z
command[check_total_procs]=sudo /usr/lib/nagios/plugins/check_procs -w 400 -c 600
command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
@ -51,7 +51,8 @@ command[check_ssl]=/usr/lib/nagios/plugins/check_http -f follow -I 127.0.0.1 -S
command[check_elasticsearch]=/usr/lib/nagios/plugins/check_http -I 127.0.0.1 -u /_cat/health?h=st -p 9200 -r 'red' --invert-regex
command[check_memcached]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 11211
command[check_opendkim]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 54321
command[check_bkctld]=/usr/lib/nagios/plugins/check_bkctld
command[check_bkctld]=sudo /usr/sbin/bkctld check
command[check_postgrey]=/usr/lib/nagios/plugins/check_tcp -p10023
# Local checks (not packaged)
command[check_mem]={{ nagios_plugins_directory }}/check_mem -f -C -w 20 -c 10
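Review bot: `command[check_postgrey]=/usr/lib/nagios/plugins/check_tcp -p10023` gives no host; `check_tcp` requires `-H`, so as written the check exits with a usage error instead of probing postgrey — `check_tcp -H 127.0.0.1 -p 10023` matches the memcached and opendkim lines above it. The `check_bkctld` line now relies on the `nagios ALL = NOPASSWD: /usr/sbin/bkctld check` rule added to the evolinux-users sudoers templates in this commit; sudoers matches the arguments literally, so the two strings must stay identical.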

@ -39,4 +39,4 @@
- name: Install package for PHP
apt:
name: newrelic-php5
state: installed
state: present
