diff --git a/CHANGELOG.md b/CHANGELOG.md index 056650ed..9461a8c1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -18,6 +18,54 @@ The **patch** part changes incrementally at each release. ### Security +## [9.3.0] - 2018-08-24 + +### Added +* elasticsearch: tmpdir configuration compatible with 5.x also +* elasticsearch: add http.publish_host variable +* evoacme: disable old certbot cron also in cron.daily +* evocheck: detect installed packages even if "held" by APT (manual fix) +* evocheck: the crontab is updated by the role (default: `True`) +* evolinux-base: add mail related aliases +* evolinux-todo: new role, to help maintain a file of todo tasks +* fail2ban: add a variable to disable the ssh filter (default: `False`) +* etc-git: install a script to optimize the repository each month +* fail2ban: add a variable to update the list of ignored IP addresses/blocs (default: `False`) +* generate-ldif: detect installed packages even if "held" by APT +* java: support for Oracle JRE +* kibana: log messages go to /var/log/kibana/kibana.log +* metricbeat: add a role (copied from filebeat) +* munin: properly rename Munin cache directory +* mysql: add an option to install the client development libraries (default: `False`) +* nagios-nrpe: add check_postgrey + +### Changed +* etc-git: some entries of .gitignore are mandatory +* evocheck: update upstream script +* evolinux-base: improve hostname configuration (real vs. 
internal) +* evolinux-base: use the "evolinux-todo" role +* evolinux-users: add sudo permission for bkctld check +* java8: renamed to java (java8 symlinked to java for backward compatibility) +* minifirewall: the tail file can be overwritten, or not (default: `True`) +* nagios-nrpe: use bkctld internal check instead of nrpe plugin +* php: reorganization of the role for Sury overrides and more clear configuration +* redmine: use .my.cnf for mysql password +* rbenv: change default Ruby version (2.5.1) +* rbenv: switch from copy to lineinfile for default gems +* remount-usr: mount doesn't report a change +* squid: add a few news sites to the whitelist +* tomcat: better nrpe check output +* kvm-host: install kvm-tools package instead of copying add-vm.sh + +### Fixed +* apache: logrotate replacement is more subtle/precise. It replaces only the proper directive and not every occurence of the word. +* bind: chroot-bind.sh must not be executed in check mode +* evoacme: fix module detection in apache config +* fail2ban: fix fail2ban_ignore_ips definition +* mysql-oracle: fix configuration directory variable +* php: fpm slowlog needs an absolute path +* roundcube: add missing slash to https redirection + ## [9.2.0] - 2018-05-16 ### Changed diff --git a/amavis/tasks/main.yml b/amavis/tasks/main.yml index 810ba505..6b8bcc63 100644 --- a/amavis/tasks/main.yml +++ b/amavis/tasks/main.yml @@ -12,7 +12,7 @@ - name: configure Amavis template: src: amavis.conf.j2 - dest: /etc/amavis/conf.d/49-evolinux-defaults.conf + dest: /etc/amavis/conf.d/49-evolinux-defaults mode: "0644" notify: restart amavis tags: diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index 6801ba22..19858569 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -174,8 +174,8 @@ - name: "logrotate: keep 52 files" replace: dest: /etc/logrotate.d/apache2 - regexp: "rotate .+" - replace: "rotate 52" + regexp: '^(\s+rotate) \d+$' + replace: '\1 52' tags: - apache 
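Review bot: Renaming the destination to `/etc/amavis/conf.d/49-evolinux-defaults` leaves the previously deployed `/etc/amavis/conf.d/49-evolinux-defaults.conf` in place on hosts already managed by this role, so the same settings would presumably be read twice in conf.d order and a later template change would only reach one of the two files. A companion task such as `- name: remove old Amavis config`, `file: path=/etc/amavis/conf.d/49-evolinux-defaults.conf state=absent` with `notify: restart amavis` makes the rename complete. Whether Amavis still honours the `.conf`-suffixed file cannot be confirmed from the hunk, but leaving it behind is at best confusing.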
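Review bot: The new `regexp: '^(\s+rotate) \d+$'` only matches a `rotate` directive that is indented and followed by nothing else, so a directive at column 0, one with trailing whitespace, or one written as `rotate 14 # comment` is silently left alone and the task reports no change while retention stays at the old value. The previous pattern was too broad, but `regexp: '^(\s*rotate)\s+\d+\s*$'` keeps the precise capture group while covering those variants. If the role's own template for /etc/logrotate.d/apache2 always indents, that assumption deserves a one-line comment above the task.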
diff --git a/apache/tasks/munin.yml b/apache/tasks/munin.yml index 9195ae0f..27aa7ad8 100644 --- a/apache/tasks/munin.yml +++ b/apache/tasks/munin.yml @@ -3,7 +3,7 @@ - name: "Install munin-node and core plugins packages" apt: name: "{{ item }}" - state: installed + state: present with_items: - munin-node - munin-plugins-core @@ -28,7 +28,7 @@ - name: "Install fcgi packages for Munin graphs" apt: name: "{{ item }}" - state: installed + state: present with_items: - libapache2-mod-fcgid - libcgi-fast-perl diff --git a/bind/tasks/main.yml b/bind/tasks/main.yml index 1d190135..8fdf1692 100644 --- a/bind/tasks/main.yml +++ b/bind/tasks/main.yml @@ -81,7 +81,6 @@ command: "/root/chroot-bind.sh" register: chrootbind_run changed_when: False - check_mode: no when: bind_chroot_set - debug: @@ -117,5 +116,3 @@ force: yes notify: restart bind when: bind_chroot_set - - diff --git a/elasticsearch/README.md b/elasticsearch/README.md index 9f968ae2..e8184019 100644 --- a/elasticsearch/README.md +++ b/elasticsearch/README.md 
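Review bot: Dropping `check_mode: no` from the `command: "/root/chroot-bind.sh"` task means it is now skipped in check mode, yet it still registers `chrootbind_run`, and the `- debug:` task that immediately follows (its body lies outside the hunk) presumably prints fields of that result which a skipped task does not provide. Guarding the consumer with `when: chrootbind_run is not skipped` (or `chrootbind_run.stdout is defined`) keeps `--check` runs from failing on the next task instead of on this one. The intent recorded in the changelog, not executing chroot-bind.sh in check mode, is right; this is only about the follow-on task.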
@@ -15,9 +15,12 @@ Tasks are extracted in several files, included in `tasks/main.yml` : ## Available variables * `elasticsearch_cluster_name`: cluster name ; +* `elasticsearch_cluster_members:` members of a cluster (ex: '["10.0.0.1", "10.0.0.2", "10.0.0.3"]') (default: `Null`) ; +* `elasticsearch_minimum_master_nodes:` minimum of master nodes (the best practice is to have "number of elasticsearch_cluster_members / 2 + 1" as value) (default: `Null`) ; * `elasticsearch_node_name`: node name, defaults to hostname ; * `elasticsearch_network_host`: which interfaces to bind to ; -* `elasticsearch_network_publish_host`: which interface to publish ; +* `elasticsearch_network_publish_host`: which interface to publish for node-to-node communication (default: `Null`) ; +* `elasticsearch_http_publish_host`: which interface to publish for clients (default: `Null`) ; * `elasticsearch_custom_datadir`: custom datadir ; * `elasticsearch_custom_tmpdir`: custom tmpdir ; * `elasticsearch_jvm_xms`: mininum heap size reserved for the JVM (default: `2g`). diff --git a/elasticsearch/defaults/main.yml b/elasticsearch/defaults/main.yml index 8b5dd20e..52fc8856 100644 --- a/elasticsearch/defaults/main.yml +++ b/elasticsearch/defaults/main.yml @@ -2,9 +2,12 @@ elastic_stack_version: "6.x" elasticsearch_cluster_name: Null +elasticsearch_cluster_members: Null +elasticsearch_minimum_master_nodes: Null elasticsearch_node_name: "${HOSTNAME}" elasticsearch_network_host: "[_site_, _local_]" -elasticsearch_network_publish_host: "_site_" +elasticsearch_network_publish_host: Null +elasticsearch_http_publish_host: Null elasticsearch_custom_datadir: Null elasticsearch_custom_tmpdir: Null elasticsearch_default_tmpdir: /var/lib/elasticsearch/tmp diff --git a/elasticsearch/meta/main.yml b/elasticsearch/meta/main.yml index 54156392..cfc69425 100644 --- a/elasticsearch/meta/main.yml +++ b/elasticsearch/meta/main.yml 
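Review bot: Changing `elasticsearch_network_publish_host` from `"_site_"` to `Null` changes behaviour for existing users: hosts that relied on the role to write `network.publish_host: _site_` will, if the configuration task guards on the variable the way the new tasks in configuration.yml do, no longer have that line managed, and whatever is already in elasticsearch.yml stays as it is. The CHANGELOG hunk lists the new `http.publish_host` variable but not this changed default; it belongs under "Changed". A comment next to the default, `# Null leaves network.publish_host unmanaged; set to _site_ for the previous behaviour`, would also save the next reader a trip through the tasks.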
@@ -25,4 +25,4 @@ galaxy_info: # alphanumeric characters. Maximum 20 tags per role. dependencies: - - java8 + - { role: java, alternative: 'openjdk', java_version: 8 } diff --git a/elasticsearch/tasks/bootstrap_checks.yml b/elasticsearch/tasks/bootstrap_checks.yml index a79204b2..b1f79046 100644 --- a/elasticsearch/tasks/bootstrap_checks.yml +++ b/elasticsearch/tasks/bootstrap_checks.yml @@ -13,7 +13,7 @@ name: vm.max_map_count value: 262144 sysctl_file: /etc/sysctl.d/elasticsearch.conf - when: "{{ max_map_count|int < 262144 }}" + when: max_map_count | int < 262144 tags: - config diff --git a/elasticsearch/tasks/configuration.yml b/elasticsearch/tasks/configuration.yml index b9fecd47..50e8c98c 100644 --- a/elasticsearch/tasks/configuration.yml +++ b/elasticsearch/tasks/configuration.yml @@ -39,6 +39,16 @@ tags: - config +- name: Configure http publish_host + lineinfile: + dest: /etc/elasticsearch/elasticsearch.yml + line: "http.publish_host: {{ elasticsearch_http_publish_host }}" + regexp: "^http.publish_host:" + insertafter: "^http.port:" + when: elasticsearch_http_publish_host|default("", True) + tags: + - config + - name: Configure RESTART_ON_UPGRADE lineinfile: dest: /etc/default/elasticsearch 
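Review bot: The new `regexp: "^http.publish_host:"` uses an unescaped `.`, so it would also match a line such as `http_publish_host:`; `regexp: '^http\.publish_host:'` pins it to the literal key. The same applies to the two `regexp:` lines and the `insertafter:` anchors added in the next hunk of this file (`discovery.zen.ping.unicast.hosts` and `discovery.zen.minimum_master_nodes`). Harmless with today's file, but lineinfile replaces the first matching line, so a loose pattern is the kind of thing that bites once an unrelated key is added.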
@@ -63,3 +73,25 @@ line: "-Xmx{{ elasticsearch_jvm_xmx }}" tags: - config + +- name: Configure cluster members + lineinfile: + dest: /etc/elasticsearch/elasticsearch.yml + line: "discovery.zen.ping.unicast.hosts: {{ elasticsearch_cluster_members }}" + regexp: "^discovery.zen.ping.unicast.hosts:" + insertafter: "^#discovery.zen.ping.unicast.hosts" + when: elasticsearch_cluster_members|default("", True) + tags: + - config + +- name: Configure minimum master nodes + lineinfile: + dest: /etc/elasticsearch/elasticsearch.yml + line: "discovery.zen.minimum_master_nodes: {{ elasticsearch_minimum_master_nodes }}" + regexp: "^discovery.zen.minimum_master_nodes:" + insertafter: "^#discovery.zen.minimum_master_nodes" + when: elasticsearch_minimum_master_nodes|default("", True) + tags: + - config + + diff --git a/elasticsearch/tasks/tmpdir.yml b/elasticsearch/tasks/tmpdir.yml index d7046f02..f87a4ebe 100644 --- a/elasticsearch/tasks/tmpdir.yml +++ b/elasticsearch/tasks/tmpdir.yml @@ -18,7 +18,19 @@ tags: - elasticsearch - - name: check if ES_TMPDIR is available + - name: change JVM tmpdir (< 6.x) + lineinfile: + dest: /etc/elasticsearch/jvm.options + line: "-Djava.io.tmpdir={{ elasticsearch_custom_tmpdir or elasticsearch_default_tmpdir | mandatory }}" + regexp: "^-Djava.io.tmpdir=" + insertafter: "## JVM configuration" + notify: + - restart elasticsearch + tags: + - elasticsearch + when: elastic_stack_version | version_compare('6', '<') + + - name: check if ES_TMPDIR is available (>= 6.x) lineinfile: dest: /etc/default/elasticsearch line: "ES_TMPDIR={{ elasticsearch_custom_tmpdir or elasticsearch_default_tmpdir | mandatory }}" @@ -28,8 +40,9 @@ - restart elasticsearch tags: - elasticsearch + when: elastic_stack_version | version_compare('6', '>=') - - name: change JVM tmpdir + - name: change JVM tmpdir (>= 6.x) lineinfile: dest: /etc/elasticsearch/jvm.options line: "-Djava.io.tmpdir=${ES_TMPDIR}" 
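Review bot: `discovery.zen.minimum_master_nodes` is only written when `elasticsearch_minimum_master_nodes` is set, while `discovery.zen.ping.unicast.hosts` is written independently, so a playbook that sets `elasticsearch_cluster_members` but forgets the quorum leaves a multi-node cluster on Elasticsearch's default of 1, which is the split-brain configuration the README's "members / 2 + 1" advice is meant to prevent. An `assert:` task before these two, failing `when: elasticsearch_cluster_members|default("", True) and not elasticsearch_minimum_master_nodes|default("", True)`, turns that omission into an early error. The two blank lines added at the end of the file can be dropped.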
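Review bot: The new `when: elastic_stack_version | version_compare('6', '<')` compares the role default `"6.x"` (see defaults/main.yml in this diff) with `'6'`, which only yields the intended result because the filter's loose parsing orders the `x` component after a bare `6`; that is not obvious to a reader and is easy to break by reformatting the version string. Comparing the major component explicitly, `when: elastic_stack_version.split('.')[0] | int < 6`, states the intent directly, and the two `>=` conditions in the following hunks of this file would follow the same form. Note also that each task-level `when` is combined with the enclosing block's `when` on `elasticsearch_custom_tmpdir`, which ends outside this hunk.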
@@ -39,4 +52,5 @@ - restart elasticsearch tags: - elasticsearch + when: elastic_stack_version | version_compare('6', '>=') when: (elasticsearch_custom_tmpdir != '' and elasticsearch_custom_tmpdir != None) or fstab_tmp_noexec | success diff --git a/etc-git/files/gitignore b/etc-git/files/gitignore index 7f8a0e4a..39002e32 100644 --- a/etc-git/files/gitignore +++ b/etc-git/files/gitignore @@ -1,5 +1 @@ -aliases.db -*.swp -postfix/sa-blacklist.access -postfix/*.db -postfix/spamd.cidr +# Default /etc/.gitignore file diff --git a/etc-git/files/optimize-etc-git b/etc-git/files/optimize-etc-git new file mode 100644 index 00000000..a7b7510f --- /dev/null +++ b/etc-git/files/optimize-etc-git @@ -0,0 +1,3 @@ +#!/bin/sh + +git --git-dir /etc/.git gc --quiet diff --git a/etc-git/tasks/main.yml b/etc-git/tasks/main.yml index 53b63825..452711c9 100644 --- a/etc-git/tasks/main.yml +++ b/etc-git/tasks/main.yml @@ -26,7 +26,7 @@ tags: - etc-git -- name: /etc/.git is secure +- name: /etc/.git is restricted to root file: path: /etc/.git owner: root @@ -41,6 +41,20 @@ dest: /etc/.gitignore owner: root mode: "0600" + force: no + tags: + - etc-git + +- name: Some entries MUST be in the /etc/.gitignore file + lineinfile: + dest: /etc/.gitignore + line: "{{ item }}" + with_items: + - "aliases.db" + - "*.swp" + - "postfix/sa-blacklist.access" + - "postfix/*.db" + - "postfix/spamd.cidr" tags: - etc-git @@ -65,3 +79,12 @@ when: git_log.rc != 0 or (git_init is defined and git_init.changed) tags: - etc-git + +- name: Optimize script is installed in monthly crontab + copy: + src: optimize-etc-git + dest: /etc/cron.monthly/optimize-etc-git + mode: "0750" + force: no + tags: + - etc-git diff --git a/evoacme/files/make-csr.sh b/evoacme/files/make-csr.sh index 10c0f8e9..c9ba8c92 100755 --- a/evoacme/files/make-csr.sh +++ b/evoacme/files/make-csr.sh 
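Review bot: `git --git-dir /etc/.git gc --quiet` runs unconditionally from cron.monthly, so on a host where /etc is not (or not yet) a repository git prints a fatal error that cron mails to root every month. A guard before the gc line, `[ -d /etc/.git ] || exit 0`, keeps the script a silent no-op there. Installing it with mode 0750 and running it as root is consistent with the `/etc/.git is restricted to root` task in the same commit.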
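Review bot: `force: no` on the `copy:` of `optimize-etc-git` into /etc/cron.monthly means any later fix to the role's script never reaches hosts that already have the file; that is appropriate for a user-editable file like `.gitignore`, where the previous hunk adds it deliberately, but not for a role-owned script. Dropping `force: no` from this task lets the copy module update the file by checksum, which stays idempotent. If local customisation of the script is actually intended, a comment saying so would stop the next reader from "fixing" it.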
@@ -80,13 +80,17 @@ openssl_selfsigned() { local csr="$1" local key="$2" local crt="$3" + local cfg="$4" local crt_dir=$(dirname ${crt}) [ -r "${csr}" ] || error "File ${csr} is not readable" [ -r "${key}" ] || error "File ${key} is not readable" [ -w "${crt_dir}" ] || error "Directory ${crt_dir} is not writable" - - "${OPENSSL_BIN}" x509 -req -sha256 -days 365 -in "${csr}" -signkey "${key}" -out "${crt}" 2> /dev/null + if grep -q SAN "${cfg}"; then + "${OPENSSL_BIN}" x509 -req -sha256 -days 365 -in "${csr}" -extensions SAN -extfile "${cfg}" -signkey "${key}" -out "${crt}" 2> /dev/null + else + "${OPENSSL_BIN}" x509 -req -sha256 -days 365 -in "${csr}" -signkey "${key}" -out "${crt}" 2> /dev/null + fi [ -r "${crt}" ] || error "Something went wrong, ${crt} has not been generated" } @@ -149,6 +153,7 @@ EOF done san=$(echo "${san}" | sed 's/^,//') cat "${SSL_CONFIG_FILE}" - > "${config_file}" </dev/null && sed_selfsigned_cert_path_for_apache "/etc/apache2/ssl/${VHOST}.conf" command -v nginx >/dev/null && sed_selfsigned_cert_path_for_nginx "/etc/nginx/ssl/${VHOST}.conf" + exit 0 } readonly PROGNAME=$(basename "$0") diff --git a/evoacme/tasks/certbot.yml b/evoacme/tasks/certbot.yml index 5288f5fd..003c92d0 100644 --- a/evoacme/tasks/certbot.yml +++ b/evoacme/tasks/certbot.yml @@ -34,6 +34,12 @@ removes: /etc/cron.d/certbot creates: /etc/cron.d/certbot.disabled +- name: Disable /etc/cron.daily/certbot + command: mv /etc/cron.daily/certbot /etc/cron.daily/certbot.disabled + args: + removes: /etc/cron.daily/certbot + creates: /etc/cron.daily/certbot.disabled + - name: Install evoacme custom cron copy: src: evoacme.cron diff --git a/evoacme/templates/apache.conf.j2 b/evoacme/templates/apache.conf.j2 index 014c4d3f..f0527728 100644 --- a/evoacme/templates/apache.conf.j2 +++ b/evoacme/templates/apache.conf.j2 
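Review bot: `grep -q SAN "${cfg}"` is a substring match over the whole config file, so any occurrence of those three letters (a comment, a DN component, an organisation name) selects the `-extensions SAN` branch, and openssl would then be expected to fail on a file that has no `[SAN]` section; conversely the new `$4` is never validated the way `csr`, `key` and `crt_dir` are on the lines above. Anchoring on the section header and checking the argument, `[ -r "${cfg}" ] || error "File ${cfg} is not readable"` followed by `if grep -q '^\[SAN\]' "${cfg}"; then`, keeps the self-signed certificate's extension handling deterministic. `${crt}` on the `dirname` line is unquoted, pre-existing but worth fixing while the function is open.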
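Review bot: The added `exit 0` terminates the script from inside a function whose beginning lies outside this hunk, and it does so unconditionally, so a failure of the preceding `command -v nginx >/dev/null && sed_selfsigned_cert_path_for_nginx ...` chain (or of the apache one) is no longer reflected in the exit status a caller sees. If the goal is only to make "nginx not installed" a clean success, `return 0` at the end of the function achieves that and leaves the final decision to the top-level caller; if the goal really is to stop the script, a comment saying why belongs on that line. Part of this hunk is mangled in the rendering (a heredoc around `cat "${SSL_CONFIG_FILE}"`), so the surrounding lines could not be checked.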
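Review bot: Moving `/etc/cron.daily/certbot` aside covers the cron entry, but on releases where the certbot package also ships a systemd timer (`certbot.timer`) the packaged renewal keeps running alongside the evoacme cron installed by the next task. A `systemd: name=certbot.timer enabled=no state=stopped` task with `failed_when: false` (the unit may not exist) would close that gap; whether the target hosts run such a release cannot be told from the hunk. The `creates`/`removes` pair on the `mv` keeps the new task idempotent, which is good.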
@@ -1,7 +1,7 @@ - + SetEnvIf Request_URI "/.well-known/acme-challenge/*" no-jk - + ProxyPass /.well-known/acme-challenge/ ! Alias /.well-known/acme-challenge {{ evoacme_acme_dir }}/.well-known/acme-challenge diff --git a/evocheck/README.md b/evocheck/README.md index b669fe54..807b9a44 100644 --- a/evocheck/README.md +++ b/evocheck/README.md @@ -18,3 +18,4 @@ A separate `exec.yml` file can be imported manually in playbooks or roles to exe We can force install via : * `evocheck_force_install: local` : will copy the script provided by the role * `evocheck_force_install: package` : will install the package via repositories +* `evocheck_update_crontab` : will update the crontab (default: `True`) diff --git a/evocheck/defaults/main.yml b/evocheck/defaults/main.yml index 565849e3..e2d80c2a 100644 --- a/evocheck/defaults/main.yml +++ b/evocheck/defaults/main.yml @@ -1,3 +1,4 @@ --- evocheck_force_install: False +evocheck_update_crontab: True evocheck_bin_dir: /usr/share/scripts diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index ced2d71b..200f0471 100644 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -5,7 +5,7 @@ # powered by Evolix # Repository: https://gitlab.evolix.org/evolix/evocheck -# Commit: c99324488553a745a201022d44f8f78f224631eb +# Commit: d5a02b343f2e8e9a0b6fcd10b6b5a5d1e8c9af03 # Disable LANG* export LANG=C @@ -100,6 +100,11 @@ IS_REDIS_BACKUP=1 IS_ELASTIC_BACKUP=1 IS_MONGO_BACKUP=1 IS_MOUNT_FSTAB=1 +IS_NETWORK_INTERFACES=1 +IS_EVOBACKUP=1 +IS_DUPLICATE_FS_LABEL=1 +IS_EVOMAINTENANCE_FW=1 +IS_EVOLIX_USER=1 #Proper to OpenBSD IS_SOFTDEP=1 @@ -124,6 +129,7 @@ test -f /etc/evocheck.cf && . /etc/evocheck.cf # If --cron is passed, ignore some checks. if [ "$1" = "--cron" ]; then IS_KERNELUPTODATE=0 + IS_UPTIME=0 fi # Functions @@ -137,7 +143,7 @@ is_pack_samba(){ is_installed(){ for pkg in $*; do - dpkg -l $pkg 2>/dev/null |grep -q ^ii || return 1 + dpkg -l $pkg 2>/dev/null |grep -q -E '^(i|h)i' || return 1 done } 
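Review bot: `grep -q -E '^(i|h)i'` correctly accepts held packages, but `is_installed` still passes `$pkg` to `dpkg -l` unquoted, so an argument that is also a glob (the script calls `is_installed linux-image*` further down) is expanded against the current directory before dpkg sees it. `dpkg-query -W -f='${Status}\n' "$pkg" 2>/dev/null | grep -q 'ok installed' || return 1` reports the package status directly, covers the hold state without depending on the listing format, and keeps the pattern intact for dpkg-query's own glob handling. Pre-existing, but the line is being rewritten anyway.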
@@ -145,6 +151,11 @@ is_debianversion(){ [ $(lsb_release -c -s) = $1 ] && return 0 } +is_debianversion squeeze && MINIFW_FILE=/etc/firewall.rc +is_debianversion wheezy && MINIFW_FILE=/etc/firewall.rc +is_debianversion jessie && MINIFW_FILE=/etc/default/minifirewall +is_debianversion stretch && MINIFW_FILE=/etc/default/minifirewall + #----------------------------------------------------------- #Vérifie si c'est une debian et fait les tests appropriés. #----------------------------------------------------------- @@ -153,7 +164,7 @@ if [ -e /etc/debian_version ]; then if [ "$IS_DPKGWARNING" = 1 ]; then is_debianversion squeeze && ( [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ] ) && ( \ - egrep -i "(Pre-Invoke ..echo Are you sure to have rw on|Post-Invoke ..echo Dont forget to mount -o remount)" \ + grep -E -i "(Pre-Invoke ..echo Are you sure to have rw on|Post-Invoke ..echo Dont forget to mount -o remount)" \ /etc/apt/apt.conf | wc -l | grep -q ^2$ || echo 'IS_DPKGWARNING FAILED!' ) is_debianversion wheezy && ( ( [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ] ) && \ ( test -e /etc/apt/apt.conf.d/80evolinux || echo 'IS_DPKGWARNING FAILED!' ) 
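Review bot: `MINIFW_FILE` is only assigned for squeeze, wheezy, jessie and stretch, so on any other release it stays unset and the consumers introduced in later hunks misbehave: `ls -l "$MINIFW_FILE"` in IS_MINIFWPERMS lists the current directory, and the unquoted `$MINIFW_FILE` in the IS_SQUID `grep` calls makes grep read standard input. A default before the four `is_debianversion` lines, `MINIFW_FILE=/etc/default/minifirewall`, or a `[ -n "$MINIFW_FILE" ]` guard in each check avoids both; the new IS_EVOMAINTENANCE_FW block already guards with `-f "$MINIFW_FILE"` and can stay as written. The four assignments would also read well as a single `case "$(lsb_release -c -s)" in` statement.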
@@ -180,29 +191,29 @@ if [ -e /etc/debian_version ]; then fi if [ "$IS_CUSTOMSUDOERS" = 1 ]; then - egrep -qr "umask=0077" /etc/sudoers* || echo 'IS_CUSTOMSUDOERS FAILED!' + grep -E -qr "umask=0077" /etc/sudoers* || echo 'IS_CUSTOMSUDOERS FAILED!' fi if [ "$IS_VARTMPFS" = 1 ]; then df /var/tmp | grep -q tmpfs || echo 'IS_VARTMPFS FAILED!' fi - + if [ "$IS_SERVEURBASE" = 1 ]; then is_installed serveur-base || echo 'IS_SERVEURBASE FAILED!' fi - + if [ "$IS_LOGROTATECONF" = 1 ]; then test -e /etc/logrotate.d/zsyslog || echo 'IS_LOGROTATECONF FAILED!' fi - + if [ "$IS_SYSLOGCONF" = 1 ]; then grep -q "^# Syslog for Pack Evolix serveur" /etc/*syslog.conf || echo 'IS_SYSLOGCONF FAILED!' fi - + if [ "$IS_DEBIANSECURITY" = 1 ]; then grep -q "^deb.*security" /etc/apt/sources.list || echo 'IS_DEBIANSECURITY FAILED!' fi - + if [ "$IS_APTITUDEONLY" = 1 ]; then is_debianversion squeeze && test -e /usr/bin/apt-get && echo 'IS_APTITUDEONLY FAILED!' is_debianversion wheezy && test -e /usr/bin/apt-get && echo 'IS_APTITUDEONLY FAILED!' @@ -225,15 +236,15 @@ if [ -e /etc/debian_version ]; then test "$status" = "fail" || test -e /usr/bin/apt-get.bak || status="fail" ( is_debianversion squeeze || is_debianversion wheezy ) && test "$status" = "fail" && echo 'IS_APTICRON FAILED!' fi - + if [ "$IS_USRRO" = 1 ]; then grep /usr /etc/fstab | grep -q ro || echo 'IS_USRRO FAILED!' fi - + if [ "$IS_TMPNOEXEC" = 1 ]; then mount | grep "on /tmp" | grep -q noexec || echo 'IS_TMPNOEXEC FAILED!' fi - + if [ "$IS_MOUNT_FSTAB" = 1 ]; then # Test if lsblk available, if not skip this test... if test -x "$(command -v lsblk)"; then 
@@ -247,30 +258,30 @@ if [ -e /etc/debian_version ]; then if is_debianversion stretch; then is_installed apt-listchanges && echo 'IS_LISTCHANGESCONF FAILED!' else - test -e /etc/apt/listchanges.conf && egrep "(which=both|confirm=1)" /etc/apt/listchanges.conf | wc -l | grep -q ^2$ || echo 'IS_LISTCHANGESCONF FAILED!' + test -e /etc/apt/listchanges.conf && grep -E "(which=both|confirm=1)" /etc/apt/listchanges.conf | wc -l | grep -q ^2$ || echo 'IS_LISTCHANGESCONF FAILED!' fi fi - + if [ "$IS_CUSTOMCRONTAB" = 1 ]; then - egrep "^(17 \*|25 6|47 6|52 6)" /etc/crontab | wc -l | grep -q ^4$ && echo 'IS_CUSTOMCRONTAB FAILED!' + grep -E "^(17 \*|25 6|47 6|52 6)" /etc/crontab | wc -l | grep -q ^4$ && echo 'IS_CUSTOMCRONTAB FAILED!' fi - + if [ "$IS_SSHALLOWUSERS" = 1 ]; then - egrep -qi "AllowUsers" /etc/ssh/sshd_config || echo 'IS_SSHALLOWUSERS FAILED!' + grep -E -qi "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config || echo 'IS_SSHALLOWUSERS FAILED!' fi - + if [ "$IS_DISKPERF" = 1 ]; then test -e /root/disk-perf.txt || echo 'IS_DISKPERF FAILED!' fi - + if [ "$IS_TMOUTPROFILE" = 1 ]; then grep -q TMOUT= /etc/profile /etc/profile.d/evolinux.sh || echo 'IS_TMOUTPROFILE FAILED!' fi - + if [ "$IS_ALERT5BOOT" = 1 ]; then grep -q ^date /etc/rc2.d/S*alert5 || echo 'IS_ALERT5BOOT FAILED!' fi - + if [ "$IS_ALERT5MINIFW" = 1 ]; then grep -q ^/etc/init.d/minifirewall /etc/rc2.d/S*alert5 || echo 'IS_ALERT5MINIFW FAILED!' fi 
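Review bot: The new `grep -E -qi "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config` is unanchored and case-insensitive, so a commented-out `#AllowUsers ...` line, or the word inside a comment, makes IS_SSHALLOWUSERS pass although sshd restricts nobody. Anchoring on an uncommented directive, `grep -E -qi "^[[:space:]]*(AllowUsers|AllowGroups)[[:space:]]" /etc/ssh/sshd_config`, keeps the check meaningful; `-i` is right to keep since sshd keywords are case-insensitive. The same anchoring habit would suit the other `grep` based checks in this script, but this one is the security-relevant case.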
@@ -278,42 +289,39 @@ if [ -e /etc/debian_version ]; then if [ "$IS_ALERT5MINIFW" = 1 ] && [ "$IS_MINIFW" = 1 ]; then /sbin/iptables -L -n | grep -q -E "^ACCEPT\s*all\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" || echo 'IS_MINIFW FAILED!' fi - + if [ "$IS_NRPEPERMS" = 1 ]; then test -d /etc/nagios && ls -ld /etc/nagios | grep -q drwxr-x--- || echo 'IS_NRPEPERMS FAILED!' fi - + if [ "$IS_MINIFWPERMS" = 1 ]; then - is_debianversion squeeze && ( ls -l /etc/firewall.rc | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!' ) - is_debianversion wheezy && ( ls -l /etc/firewall.rc | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!' ) - is_debianversion jessie && ( ls -l /etc/default/minifirewall | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!' ) - is_debianversion stretch && ( ls -l /etc/default/minifirewall | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!' ) + ls -l "$MINIFW_FILE" | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!' fi - + if [ "$IS_NRPEDISKS" = 1 ]; then NRPEDISKS=$(grep command.check_disk /etc/nagios/nrpe.cfg | grep ^command.check_disk[0-9] | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1) - DFDISKS=$(df -Pl | egrep -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)" | wc -l) + DFDISKS=$(df -Pl | grep -E -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)" | wc -l) [ "$NRPEDISKS" = "$DFDISKS" ] || echo 'IS_NRPEDISKS FAILED!' fi if [ "$IS_NRPEPID" = 1 ]; then is_debianversion squeeze || (test -e /etc/nagios/nrpe.cfg && grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg || echo 'IS_NRPEPID FAILED!') fi - + if [ "$IS_GRSECPROCS" = 1 ]; then uname -a | grep -q grsec && ( grep -q ^command.check_total_procs..sudo /etc/nagios/nrpe.cfg && grep -A1 "^\[processes\]" /etc/munin/plugin-conf.d/munin-node | grep -q "^user root" || echo 'IS_GRSECPROCS FAILED!' 
) fi - + if [ "$IS_APACHEMUNIN" = 1 ]; then - test -e /etc/apache2/apache2.conf && ( is_debianversion stretch || ( egrep -q "^env.url.*/server-status-[[:alnum:]]{4}" /etc/munin/plugin-conf.d/munin-node && egrep -q "/server-status-[[:alnum:]]{4}" /etc/apache2/apache2.conf || egrep -q "/server-status-[[:alnum:]]{4}" /etc/apache2/apache2.conf /etc/apache2/mods-enabled/status.conf 2>/dev/null || echo 'IS_APACHEMUNIN FAILED!' ) ) + test -e /etc/apache2/apache2.conf && ( is_debianversion stretch || ( grep -E -q "^env.url.*/server-status-[[:alnum:]]{4}" /etc/munin/plugin-conf.d/munin-node && grep -E -q "/server-status-[[:alnum:]]{4}" /etc/apache2/apache2.conf || grep -E -q "/server-status-[[:alnum:]]{4}" /etc/apache2/apache2.conf /etc/apache2/mods-enabled/status.conf 2>/dev/null || echo 'IS_APACHEMUNIN FAILED!' ) ) test -e /etc/apache2/apache2.conf && ( is_debianversion stretch && ( test -h /etc/apache2/mods-enabled/status.load && test -h /etc/munin/plugins/apache_accesses && test -h /etc/munin/plugins/apache_processes && test -h /etc/munin/plugins/apache_accesses || echo 'IS_APACHEMUNIN FAILED!' ) ) fi - + # Verification mytop + Munin si MySQL if [ "$IS_MYSQLUTILS" = 1 ]; then is_installed mysql-server && ( grep -q mysqladmin /root/.my.cnf && test -x /usr/bin/mytop && grep -q debian-sys-maint /root/.mytop || echo 'IS_MYSQLUTILS FAILED!' ) fi - + # Verification de la configuration du raid soft (mdadm) if [ "$IS_RAIDSOFT" = 1 ]; then test -e /proc/mdstat && grep -q md /proc/mdstat && \ 
@@ -321,12 +329,12 @@ if [ -e /etc/debian_version ]; then && grep -q "^START_DAEMON=true" /etc/default/mdadm \ && grep -qv "^MAILADDR ___MAIL___" /etc/mdadm/mdadm.conf || echo 'IS_RAIDSOFT FAILED!') fi - + # Verification du LogFormat de AWStats if [ "$IS_AWSTATSLOGFORMAT" = 1 ]; then is_installed apache2.2-common && ( grep -qE '^LogFormat=1' /etc/awstats/awstats.conf.local || echo 'IS_AWSTATSLOGFORMAT FAILED!' ) fi - + # Verification de la présence de la config logrotate pour Munin if [ "$IS_MUNINLOGROTATE" = 1 ]; then ( test -e /etc/logrotate.d/munin-node && test -e /etc/logrotate.d/munin ) || echo 'IS_MUNINLOGROTATE FAILED!' 
@@ -336,21 +344,27 @@ if [ -e /etc/debian_version ]; then #if [ "$IS_METCHE" = 1 ]; then # is_installed metche || echo 'IS_METCHE FAILED!' #fi - + # Verification de l'activation de Squid dans le cas d'un pack mail if [ "$IS_SQUID" = 1 ]; then squidconffile=/etc/squid*/squid.conf - is_debianversion squeeze && f=/etc/firewall.rc - is_debianversion wheezy && f=/etc/firewall.rc - is_debianversion jessie && f=/etc/default/minifirewall - is_debianversion stretch && f=/etc/default/minifirewall && squidconffile=/etc/squid/evolinux-custom.conf + is_debianversion stretch && squidconffile=/etc/squid/evolinux-custom.conf is_pack_web && ( is_installed squid || is_installed squid3 \ - && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" $f \ - && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d `hostname -i` -j ACCEPT" $f \ - && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" $f \ - && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* `grep http_port $squidconffile | cut -f 2 -d " "`" $f || echo 'IS_SQUID FAILED!' ) + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" $MINIFW_FILE \ + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d `hostname -i` -j ACCEPT" $MINIFW_FILE \ + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" $MINIFW_FILE \ + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* `grep http_port $squidconffile | cut -f 2 -d " "`" $MINIFW_FILE || echo 'IS_SQUID FAILED!' ) fi - + + if [ "$IS_EVOMAINTENANCE_FW" = 1 ]; then + if [ -f "$MINIFW_FILE" ]; then + rulesNumber=$(grep -c "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s .* -m state --state ESTABLISHED,RELATED -j ACCEPT" "$MINIFW_FILE") + if [ "$rulesNumber" -lt 4 ]; then + echo 'IS_EVOMAINTENANCE_FW FAILED!' 
+ fi + fi + fi + # Verification de la conf et de l'activation de mod-deflate if [ "$IS_MODDEFLATE" = 1 ]; then f=/etc/apache2/mods-enabled/deflate.conf @@ -358,7 +372,7 @@ if [ -e /etc/debian_version ]; then && grep -q "AddOutputFilterByType DEFLATE text/css" $f \ && grep -q "AddOutputFilterByType DEFLATE application/x-javascript application/javascript" $f || echo 'IS_MODDEFLATE FAILED!') fi - + # Verification de la conf log2mail if [ "$IS_LOG2MAILRUNNING" = 1 ]; then is_pack_web && (is_installed log2mail && pgrep log2mail >/dev/null || echo 'IS_LOG2MAILRUNNING') @@ -378,7 +392,7 @@ if [ -e /etc/debian_version ]; then is_pack_web && ( is_installed log2mail && grep -q "^file = /var/log/squid.*/access.log" \ /etc/log2mail/config/* 2>/dev/null || echo 'IS_LOG2MAILSQUID FAILED!' ) fi - + # Verification si bind est chroote if [ "$IS_BINDCHROOT" = 1 ]; then if is_installed bind9 && $(netstat -utpln |grep "/named" |grep :53 |grep -qvE "(127.0.0.1|::1)"); then 
@@ -391,23 +405,32 @@ if [ -e /etc/debian_version ]; then fi fi fi - + # Verification de la présence du depot volatile if [ "$IS_REPVOLATILE" = 1 ]; then test `cat /etc/debian_version |cut -d "." -f 1` -eq 5 && (grep -qE "^deb http://volatile.debian.org/debian-volatile" /etc/apt/sources.list || echo 'IS_REPVOLATILE FAILED!') test `cat /etc/debian_version |cut -d "." -f 1` -eq 6 && (grep -qE "^deb.*squeeze-updates" /etc/apt/sources.list || echo 'IS_REPVOLATILE FAILED!') fi - + + # /etc/network/interfaces should be present, we don't manage systemd-network yet + if [ "$IS_NETWORK_INTERFACES" = 1 ]; then + if ! test -f /etc/network/interfaces; then + echo "IS_NETWORK_INTERFACES FAILED!" + IS_AUTOIF=0 + IS_INTERFACESGW=0 + fi + fi + # Verify if all if are in auto if [ "$IS_AUTOIF" = 1 ]; then - is_debianversion stretch || for interface in `/sbin/ifconfig -s |tail -n +2 |egrep -v "^(lo|vnet|docker|veth|tun|tap|macvtap)" |cut -d " " -f 1 |tr "\n" " "`; do + is_debianversion stretch || for interface in `/sbin/ifconfig -s |tail -n +2 |grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap)" |cut -d " " -f 1 |tr "\n" " "`; do grep -q "^auto $interface" /etc/network/interfaces || (echo 'IS_AUTOIF FAILED!' && break) done - is_debianversion stretch && for interface in `/sbin/ip address show up | grep ^[0-9]*: |egrep -v "(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 2 |tr -d : |cut -d@ -f1 |tr "\n" " "`; do + is_debianversion stretch && for interface in `/sbin/ip address show up | grep ^[0-9]*: |grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 2 |tr -d : |cut -d@ -f1 |tr "\n" " "`; do grep -q "^auto $interface" /etc/network/interfaces || (echo 'IS_AUTOIF FAILED!' && break) done fi - + # Network conf verification if [ "$IS_INTERFACESGW" = 1 ]; then number=$(grep -Ec "^[^#]*gateway [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" /etc/network/interfaces) 
@@ -418,15 +441,15 @@ if [ -e /etc/debian_version ]; then # Verification de la mise en place d'evobackup if [ "$IS_EVOBACKUP" = 1 ]; then - ls /etc/cron* |grep -q "zz.backup$" || echo 'IS_EVOBACKUP FAILED!' + ls /etc/cron* |grep -q "evobackup" || echo 'IS_EVOBACKUP FAILED!' fi - + # Verification de la presence du userlogrotate if [ "$IS_USERLOGROTATE" = 1 ]; then is_pack_web && (test -x /etc/cron.weekly/userlogrotate || echo 'IS_USERLOGROTATE FAILED!') fi - - + + # Verification de la syntaxe de la conf d'Apache if [ "$IS_APACHECTL" = 1 ]; then is_installed apache2.2-common && (/usr/sbin/apache2ctl configtest 2>&1 |grep -q "^Syntax OK$" || echo 'IS_APACHECTL FAILED!') @@ -454,22 +477,22 @@ if [ -e /etc/debian_version ]; then fi is_installed apache2.2-common && ([ -e $muninconf ] && grep -vEq "^( |\t)*#" $muninconf && echo 'IS_MUNINAPACHECONF FAILED!') fi - + # Verification de la priorité du package samba si les backports sont utilisés if [ "$IS_SAMBAPINPRIORITY" = 1 ]; then is_pack_samba && grep -qrE "^[^#].*backport" /etc/apt/sources.list{,.d} && ( priority=`grep -E -A2 "^Package:.*samba" /etc/apt/preferences |grep -A1 "^Pin: release a=lenny-backports" |grep "^Pin-Priority:" |cut -f2 -d" "` && test $priority -gt 500 || echo 'IS_SAMBAPINPRIORITY FAILED!' ) fi - + # Verification si le système doit redémarrer suite màj kernel. if [ "$IS_KERNELUPTODATE" = 1 ]; then if is_installed linux-image* && [ $(date -d $(ls --full-time -lcrt /boot | tail -n1 | tr -s " " | cut -d " " -f 6) +%s) -gt $(($(date +%s) - $(cut -f1 -d '.' /proc/uptime))) ]; then echo 'IS_KERNELUPTODATE FAILED!' fi fi - + # Check if the server is running for more than a year. if [ "$IS_UPTIME" = 1 ]; then - if is_installed linux-image* && [ $(date -d "now - 1 year" +%s) -gt $(($(date +%s) - $(cut -f1 -d '.' /proc/uptime))) ]; then + if is_installed linux-image* && [ $(date -d "now - 2 year" +%s) -gt $(($(date +%s) - $(cut -f1 -d '.' /proc/uptime))) ]; then echo 'IS_UPTIME FAILED!' fi fi 
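Review bot: Loosening the match from `"zz.backup$"` to `"evobackup"` turns IS_EVOBACKUP into a substring test over `ls /etc/cron*`, so a disabled or leftover entry such as `evobackup.disabled` or `evobackup.dpkg-old` satisfies it just like a live one. `ls /etc/cron* | grep -q -E "^(zz.backup|evobackup)$"` requires an exact filename while still accepting the old name during the transition. The check also does not verify that the file is executable, which a `test -x` on the matched path would cover.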
@@ -499,7 +522,14 @@ if [ -e /etc/debian_version ]; then # Check if no package has been upgraded since $limit. if [ "$IS_NOTUPGRADED" = 1 ]; then last_upgrade=$(date +%s -d $(zgrep -h upgrade /var/log/dpkg.log* |sort -n |tail -1 |cut -f1 -d ' ')) - limit=$(date +%s -d "now - 60 days") + if grep -q '^mailto="listupgrade-todo@' /etc/evolinux/listupgrade.cnf \ + || grep -q -E '^[[:digit:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[^\*]' /etc/cron.d/listupgrade; then + # Manual upgrade process + limit=$(date +%s -d "now - 180 days") + else + # Regular process + limit=$(date +%s -d "now - 90 days") + fi if [ -f /var/log/evolinux/00_prepare_system.log ]; then install_date=$(stat -c %Z /var/log/evolinux/00_prepare_system.log) else @@ -556,7 +586,7 @@ if [ -e /etc/debian_version ]; then if [ "$IS_BACKPORTSCONF" = 1 ]; then if is_debianversion stretch; then grep -q backports /etc/apt/sources.list && echo 'IS_BACKPORTSCONF FAILED!' - grep -q backports /etc/apt/sources.list.d/*.list && (grep -q backports /etc/apt/preferences.d/* || echo 'IS_BACKPORTSCONF FAILED!') + grep -q backports /etc/apt/sources.list.d/*.list 2>/dev/null && (grep -q backports /etc/apt/preferences.d/* || echo 'IS_BACKPORTSCONF FAILED!') fi fi 
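Review bot: The new `grep -q '^mailto="listupgrade-todo@' /etc/evolinux/listupgrade.cnf` and the `grep` on `/etc/cron.d/listupgrade` print "No such file" to stderr on hosts without listupgrade, which in `--cron` mode becomes mail noise, and the condition then silently takes the 90-day branch. The second hunk in this file adds `2>/dev/null` for exactly this situation on `/etc/apt/sources.list.d/*.list`; the same `2>/dev/null` belongs on both new greps here. A one-line comment explaining why the manual process gets 180 days instead of 90 would also help the next reader.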
@@ -668,8 +698,17 @@ if [ -e /etc/debian_version ]; then if [ "$IS_MYSQLMUNIN" = 1 ]; then if is_debianversion stretch && is_installed mariadb-server; then - for file in mysql_bytes mysql_queries mysql_slowqueries mysql_threads mysql_connections mysql_files_tables mysql_innodb_bpool mysql_innodb_bpool_act mysql_innodb_io mysql_innodb_log mysql_innodb_rows mysql_innodb_semaphores mysql_myisam_indexes mysql_qcache mysql_qcache_mem mysql_sorts mysql_tmp_tables; do - test -L /etc/munin/plugins/$file || echo 'IS_MYSQLMUNIN FAILED!' + for file in mysql_bytes mysql_queries mysql_slowqueries \ + mysql_threads mysql_connections mysql_files_tables \ + mysql_innodb_bpool mysql_innodb_bpool_act mysql_innodb_io \ + mysql_innodb_log mysql_innodb_rows mysql_innodb_semaphores \ + mysql_myisam_indexes mysql_qcache mysql_qcache_mem \ + mysql_sorts mysql_tmp_tables; do + + if [[ ! -L /etc/munin/plugins/$file ]]; then + echo 'IS_MYSQLMUNIN FAILED!' + break + fi done fi fi @@ -707,6 +746,29 @@ if [ -e /etc/debian_version ]; then && test -f /etc/squid/evolinux-custom.conf) || echo 'IS_SQUIDEVOLINUXCONF FAILED!' fi fi + + if [ "$IS_DUPLICATE_FS_LABEL" = 1 ]; then + # Do it only if thereis blkid binary + if [ -x "$(which blkid)" ]; then + tmpFile=$(mktemp -p /tmp) + for part in $(blkid | grep -v raid_member | grep -Eo ' LABEL=".*"' | cut -d'"' -f2); do + echo "$part" >> "$tmpFile" + done + tmpOutput=$(sort < "$tmpFile" | uniq -d) + # If there is no duplicate, uniq will have no output + # So, if $tmpOutput is not null, there is a duplicate + if [ -n "$tmpOutput" ]; then + echo 'IS_DUPLICATE_FS_LABEL FAILED!' + # For debug, you may echo the contents of $tmpOutput + # echo $tmpOutput + fi + rm $tmpFile + fi + fi + + if [ "$IS_EVOLIX_USER" = 1 ]; then + getent passwd evolix >/dev/null && echo 'IS_EVOLIX_USER FAILED!' + fi fi 
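Review bot: The rewritten loop uses `[[ ! -L /etc/munin/plugins/$file ]]`, a bash construct, while the rest of the Debian section uses POSIX `[ ... ]`; the OpenBSD branch already has a `==` bashism so the script is bash-only in practice, but this mixes styles inside one file. `if [ ! -L "/etc/munin/plugins/$file" ]; then` matches the surrounding checks and quotes the path. Breaking on the first missing plugin, as the hunk now does, is a good change because it stops the repeated "FAILED!" lines.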
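Review bot: The temporary file in IS_DUPLICATE_FS_LABEL is unnecessary and is left behind if the script is interrupted between `mktemp -p /tmp` and the unquoted `rm $tmpFile`; the loop and both temporaries reduce to `tmpOutput=$(blkid | grep -v raid_member | grep -Eo ' LABEL=".*"' | cut -d'"' -f2 | sort | uniq -d)`. `which blkid` is better written as `command -v blkid`, the form this script already uses for lsblk. The comment typo `thereis` should read `there is`.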
@@ -715,19 +777,19 @@ if [ `uname -s` == "OpenBSD" ]; then if [ "$IS_SOFTDEP" = 1 ]; then grep -q "softdep" /etc/fstab || echo 'IS_SOFTDEP FAILED!' fi - + if [ "$IS_WHEEL" = 1 ]; then grep -qE "^%wheel.*$" /etc/sudoers || echo 'IS_WHEEL FAILED!' fi - + if [ "$IS_SUDOADMIN" = 1 ]; then grep -qE "^User_Alias ADMIN=.*$" /etc/sudoers || echo 'IS_SUDOADMIN FAILED!' fi - + if [ "$IS_PKGMIRROR" = 1 ]; then grep -qE "^export PKG_PATH=http://ftp\.fr\.openbsd\.org/pub/OpenBSD/[0-9.]+/packages/[a-z0-9]+/$" /root/.profile || echo 'IS_PKGMIRROR FAILED!' fi - + if [ "$IS_HISTORY" = 1 ]; then f=/root/.profile grep -q "^HISTFILE=\$HOME/.histfile" $f \ 
@@ -736,68 +798,68 @@ if [ `uname -s` == "OpenBSD" ]; then && grep -q "^export HISTSIZE" $f \ || echo 'IS_HISTORY FAILED!' fi - + if [ "$IS_VIM" = 1 ]; then which vim 2>1 >> /dev/null || echo 'IS_VIM FAILED!' fi - + if [ "$IS_TTYC0SECURE" = 1 ]; then grep -Eqv "^ttyC0.*secure$" /etc/ttys || echo 'IS_TTYC0SECURE FAILED!' fi - + if [ "$IS_CUSTOMSYSLOG" = 1 ]; then grep -q Evolix /etc/newsyslog.conf || echo 'IS_CUSTOMSYSLOG FAILED!' fi - + if [ "$IS_NOINETD" = 1 ]; then grep -q inetd=NO /etc/rc.conf.local 2>/dev/null || echo 'IS_NOINETD FAILED!' fi - + if [ "$IS_SUDOMAINT" = 1 ]; then f=/etc/sudoers grep -q "Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh" $f \ && grep -q "ADMIN ALL=NOPASSWD: MAINT" $f \ || echo 'IS_SUDOMAINT FAILED!' fi - + if [ "$IS_POSTGRESQL" = 1 ]; then pkg info | grep -q postgresql-client || echo 'IS_POSTGRESQL FAILED!' fi - + if [ "$IS_NRPE" = 1 ]; then ( pkg info | grep -qE "nagios-plugins-[0-9.]" \ && pkg info | grep -q nagios-plugins-ntp \ && pkg info | grep -q nrpe ) || echo 'IS_NRPE FAILED!' fi - + # if [ "$IS_NRPEDISKS" = 1 ]; then # NRPEDISKS=$(grep command.check_disk /etc/nrpe.cfg 2>/dev/null | grep ^command.check_disk[0-9] | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1) -# DFDISKS=$(df -Pl | egrep -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)" | wc -l) +# DFDISKS=$(df -Pl | grep -E -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)" | wc -l) # [ "$NRPEDISKS" = "$DFDISKS" ] || echo 'IS_NRPEDISKS FAILED!' # fi - + # Verification du check_mailq dans nrpe.cfg (celui-ci doit avoir l'option "-M postfix" si le MTA est Postfix) -# +# # if [ "$IS_NRPEPOSTFIX" = 1 ]; then # pkg info | grep -q postfix && ( grep -q "^command.*check_mailq -M postfix" /etc/nrpe.cfg 2>/dev/null || echo 'IS_NRPEPOSTFIX FAILED!' ) # fi - + if [ "$IS_NRPEDAEMON" = 1 ]; then grep -q "echo -n ' nrpe'; /usr/local/sbin/nrpe -d" /etc/rc.local || echo 'IS_NREPEDAEMON FAILED!' 
fi - + if [ "$IS_ALERTBOOT" = 1 ]; then grep -qE "^date \| mail -sboot/reboot .*evolix.fr$" /etc/rc.local || echo 'IS_ALERTBOOT FAILED!' fi - + if [ "$IS_RSYNC" = 1 ]; then pkg info | grep -q rsync || echo 'IS_RSYNC FAILED!' fi - + if [ "$IS_CRONPATH" = 1 ]; then grep -q "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" /var/cron/tabs/root || echo 'IS_CRONPATH FAILED!' fi - + #TODO # - Check en profondeur de postfix # - NRPEDISK et NRPEPOSTFIX @@ -816,8 +878,8 @@ if [ "$IS_USRSHARESCRIPTS" = 1 ]; then fi if [ "$IS_SSHPERMITROOTNO" = 1 ]; then - is_debianversion stretch || ( egrep -qi "PermitRoot.*no" /etc/ssh/sshd_config || echo 'IS_SSHPERMITROOTNO FAILED!' ) - is_debianversion stretch && grep -q ^PermitRoot /etc/ssh/sshd_config && ( egrep -qi "PermitRoot.*no" /etc/ssh/sshd_config || echo 'IS_SSHPERMITROOTNO FAILED!' ) + is_debianversion stretch || ( grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config || echo 'IS_SSHPERMITROOTNO FAILED!' ) + is_debianversion stretch && grep -q ^PermitRoot /etc/ssh/sshd_config && ( grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config || echo 'IS_SSHPERMITROOTNO FAILED!' ) fi if [ "$IS_EVOMAINTENANCEUSERS" = 1 ]; then @@ -831,7 +893,7 @@ if [ "$IS_EVOMAINTENANCEUSERS" = 1 ]; then grep -q "^trap.*sudo.*evomaintenance.sh" /home/$i/.*profile || echo 'IS_EVOMAINTENANCEUSERS FAILED!' done else - for i in $(getent group evolinux-sudo | cut -d':' -f4 | tr ',' ' '); do + for i in $(getent group evolinux-sudo | cut -d':' -f4 | tr ',' ' '); do grep -q "^trap.*sudo.*evomaintenance.sh" /home/$i/.*profile || echo 'IS_EVOMAINTENANCEUSERS FAILED!' done fi diff --git a/evocheck/tasks/cron.yml b/evocheck/tasks/cron.yml new file mode 100644 index 00000000..82f56130 --- /dev/null +++ b/evocheck/tasks/cron.yml @@ -0,0 +1,10 @@ +--- + +- name: evocheck crontab is updated + template: + src: crontab.j2 + dest: /etc/cron.d/evocheck + mode: "0644" + owner: root + group: root + force: yes 
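Review bot: `which vim 2>1 >> /dev/null` in the IS_VIM check, which this hunk only reformats around, redirects stderr to a file literally named `1` in the current directory instead of to stdout; the intended form is `which vim >/dev/null 2>&1`. Since this whitespace/comment cleanup already touches the adjacent lines, it is a good moment to fix that one. The enclosing `if [ `uname -s` == "OpenBSD" ]` block starts before and ends after this hunk.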
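Review bot: The IS_SSHPERMITROOTNO test rewritten here keeps the unanchored, case-insensitive pattern `PermitRoot.*no`, which is satisfied by a commented-out `#PermitRootLogin no` even when the effective directive on another line is `PermitRootLogin yes`, so the check can pass on a host that still allows root login. Anchoring it to the start of the line, `grep -E -qi "^PermitRootLogin[[:space:]]+no"`, makes both branches test the directive that sshd actually reads. The same pattern is used twice in this hunk; change both.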
diff --git a/evocheck/tasks/install_package.yml b/evocheck/tasks/install_package.yml index 7a2f875e..34e672e5 100644 --- a/evocheck/tasks/install_package.yml +++ b/evocheck/tasks/install_package.yml @@ -2,4 +2,4 @@ - name: install evocheck from package apt: name: evocheck - state: installed + state: present diff --git a/evocheck/tasks/main.yml b/evocheck/tasks/main.yml index 769dbbfe..0e374b92 100644 --- a/evocheck/tasks/main.yml +++ b/evocheck/tasks/main.yml @@ -5,3 +5,6 @@ - include: install_package.yml when: evocheck_force_install == "package" + +- include: cron.yml + when: evocheck_update_crontab diff --git a/evocheck/templates/crontab.j2 b/evocheck/templates/crontab.j2 new file mode 100644 index 00000000..fdd07649 --- /dev/null +++ b/evocheck/templates/crontab.j2 @@ -0,0 +1,4 @@ +# {{ ansible_managed }} + +33 1 1 * * root /usr/share/scripts/evocheck.sh +33 1 2-31 * * root /usr/share/scripts/evocheck.sh --cron diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index bb9725b2..88ea931d 100644 --- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml @@ -37,9 +37,12 @@ evolinux_hostname_hosts: True evolinux_hostname_mailname: True evolinux_hostname: "{{ ansible_hostname }}" -evolinux_domain: "{{ ansible_domain }}" -evolinux_fqdn: "{{ ansible_fqdn }}" +evolinux_domain: "{{ ansible_domain }}" +evolinux_fqdn: "{{ evolinux_hostname }}.{{ evolinux_domain }}" + evolinux_internal_hostname: "{{ evolinux_hostname }}" +evolinux_internal_domain: "{{ evolinux_domain }}" +evolinux_internal_fqdn: "{{ evolinux_internal_hostname }}.{{ evolinux_internal_domain }}" # kernel diff --git a/evolinux-base/tasks/etc-evolinux.yml b/evolinux-base/tasks/etc-evolinux.yml index 2aee963f..d6562e68 100644 --- a/evolinux-base/tasks/etc-evolinux.yml +++ b/evolinux-base/tasks/etc-evolinux.yml 
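Review bot: The new crontab.j2 runs evocheck.sh without `--cron` on the 1st of the month and with `--cron` on every other day, and nothing in the template says why the two differ. A one-line comment above the entries would save the next reader a trip into evocheck.sh, e.g. `# 1st of the month: full run; other days: --cron mode (see evocheck.sh for the difference)` — presumably the monthly run mails the full report, but confirm that against the script before wording it that way.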
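Review bot: `evolinux_fqdn` is now composed as `{{ evolinux_hostname }}.{{ evolinux_domain }}`, so on a host where `ansible_domain` is empty the value becomes `hostname.` with a trailing dot, and that string is written into /etc/hosts (tasks/hostname.yml) and into Postfix `mydestination` (tasks/postfix.yml) in later hunks of this commit; the previous `ansible_fqdn` did not have that failure mode. `evolinux_internal_fqdn` has the same issue. One way to keep the new scheme safe is `evolinux_fqdn: "{{ evolinux_hostname }}{% if evolinux_domain %}.{{ evolinux_domain }}{% endif %}"`, and likewise for the internal one.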
@@ -1,9 +1,13 @@ --- -- name: /etc/evolinux exists - file: - dest: /etc/evolinux - owner: root - group: root - mode: "0700" - state: directory +### This is taken care of by the evolinux-todo role +# - name: /etc/evolinux exists +# file: +# dest: /etc/evolinux +# owner: root +# group: root +# mode: "0700" +# state: directory + +- include_role: + name: evolinux-todo diff --git a/evolinux-base/tasks/hostname.yml b/evolinux-base/tasks/hostname.yml index 059b6763..b73c11c7 100644 --- a/evolinux-base/tasks/hostname.yml +++ b/evolinux-base/tasks/hostname.yml @@ -2,7 +2,7 @@ - name: dbus is installed apt: name: dbus - state: installed + state: present - name: Set hostname "{{ evolinux_hostname }}" hostname: @@ -20,7 +20,7 @@ lineinfile: dest: /etc/hosts regexp: '^{{ ansible_default_ipv4.address }}\s+' - line: "{{ ansible_default_ipv4.address }} {{ evolinux_fqdn }} {{ evolinux_hostname }}" + line: "{{ ansible_default_ipv4.address }} {{ [evolinux_fqdn, evolinux_internal_fqdn] | unique | join(' ') }} {{ [evolinux_hostname, evolinux_internal_hostname] | unique | join(' ') }}" insertafter: '127.0.0.1\s+localhost.localdomain' when: evolinux_hostname_hosts diff --git a/evolinux-base/tasks/kernel.yml b/evolinux-base/tasks/kernel.yml index 10f0c00b..9dc66c42 100644 --- a/evolinux-base/tasks/kernel.yml +++ b/evolinux-base/tasks/kernel.yml @@ -50,4 +50,17 @@ reload: yes when: evolinux_kernel_cve20165696 +- name: Patch for TCP stack vulnerability CVE-2018-5391 (FragmentSmack) + sysctl: + name: "{{ item.name }}" + value: "{{ item.value }}" + sysctl_file: "{{ evolinux_kernel_sysctl_path }}" + state: present + reload: yes + with_items: + - { name: "net.ipv4.ipfrag_low_thresh", value: 196608 } + - { name: "net.ipv6.ip6frag_low_thresh", value: 196608 } + - { name: "net.ipv4.ipfrag_high_thresh", value: 262144 } + - { name: "net.ipv6.ip6frag_high_thresh", value: 262144 } + - meta: flush_handlers 
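Review bot: The old `/etc/evolinux exists` task is kept as a commented-out block instead of being removed, which leaves dead configuration in the file for git history to carry anyway. Note also that the task it delegates to (evolinux-todo/tasks/main.yml in this same commit) creates the directory with `mode: "0700"` only and drops the explicit `owner: root` / `group: root` this block had. Replace the seven commented lines with a single `# /etc/evolinux is created by the evolinux-todo role` above the `include_role`.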
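Review bot: The new CVE-2018-5391 sysctl task runs unconditionally, whereas the preceding CVE-2016-5696 task in the same file is gated on `evolinux_kernel_cve20165696`; a matching toggle (a constructed name such as `evolinux_kernel_cve20185391`, defaulting to True in defaults/main.yml) keeps the role's conventions and lets an operator opt out on a host whose kernel is already patched. Also, on hosts where the IPv6 stack is disabled the `net.ipv6.ip6frag_*` keys do not exist and the sysctl module will fail the play; either put the two IPv6 items under their own `when`, or set `ignoreerrors: yes` on the task and say in a comment why.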
diff --git a/evolinux-base/tasks/postfix.yml b/evolinux-base/tasks/postfix.yml index 84bb06a2..d0c66a65 100644 --- a/evolinux-base/tasks/postfix.yml +++ b/evolinux-base/tasks/postfix.yml @@ -26,7 +26,7 @@ lineinfile: dest: /etc/postfix/main.cf state: present - line: "mydestination = {{ evolinux_fqdn }} localhost.localdomain localhost" + line: "mydestination = {{ [evolinux_fqdn, evolinux_internal_fqdn] | unique | join(' ') }} localhost.localdomain localhost" regexp: '^mydestination' notify: reload postfix tags: @@ -61,6 +61,9 @@ - postmaster - abuse - mailer-daemon + - delay + - error + - bounce notify: newaliases when: evolinux_postfix_mailer_alias_root tags: diff --git a/evolinux-base/templates/default_www/index.html.j2 b/evolinux-base/templates/default_www/index.html.j2 index 4ede9d36..cf02ccb3 100644 --- a/evolinux-base/templates/default_www/index.html.j2 +++ b/evolinux-base/templates/default_www/index.html.j2 @@ -14,7 +14,7 @@ } #container { padding-top: 20px; - width: 500px; + width: 768px; margin: auto; overflow: hidden; } @@ -24,7 +24,7 @@ border-bottom: 1px solid #a9a9a9; background-image: url(./img/background-top.png); background-repeat: no-repeat; - background-position: 245px 5px; + background-position: 510px 5px; } ul { list-style-type: none; diff --git a/java8/.kitchen.yml b/evolinux-todo/.kitchen.yml similarity index 100% rename from java8/.kitchen.yml rename to evolinux-todo/.kitchen.yml diff --git a/evolinux-todo/README.md b/evolinux-todo/README.md new file mode 100644 index 00000000..52c397c7 --- /dev/null +++ b/evolinux-todo/README.md @@ -0,0 +1,15 @@ +# evocheck + +Creates an /etc/evolinux/todo.txt file to hold information about things to do, gathered by humans or other Ansible tasks + +## Tasks + +The main tasks install the default file if missing. + +A separate `cat.yml` file can be imported manually in playbooks or roles to get the content of the file. Example : + +``` +- include_role: + name: evolinux-todo + tasks_from: cat.yml +``` 
diff --git a/evolinux-todo/files/todo.defaults.txt b/evolinux-todo/files/todo.defaults.txt new file mode 100644 index 00000000..e69de29b diff --git a/evolinux-todo/meta/main.yml b/evolinux-todo/meta/main.yml new file mode 100644 index 00000000..041e58cc --- /dev/null +++ b/evolinux-todo/meta/main.yml @@ -0,0 +1,30 @@ +galaxy_info: + author: Jeremy Lecour + description: Install evolinux-todo + company: Evolix + + issue_tracker_url: https://forge.evolix.org/projects/evocheck/issues + + license: GPLv2 + + min_ansible_version: 2.2 + + platforms: + - name: Debian + versions: + - jessie + - stretch + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is + # a keyword that describes and categorizes the role. + # Users find roles by searching for tags. Be sure to + # remove the '[]' above if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of + # alphanumeric characters. Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. + # Be sure to remove the '[]' above if you add dependencies + # to this list. diff --git a/evolinux-todo/tasks/cat.yml b/evolinux-todo/tasks/cat.yml new file mode 100644 index 00000000..9cebeca5 --- /dev/null +++ b/evolinux-todo/tasks/cat.yml @@ -0,0 +1,13 @@ +--- + +- name: cat /etc/evolinux/todo.txt + command: "cat /etc/evolinux/todo.txt" + register: evolinux_todo + changed_when: False + failed_when: False + check_mode: no + +- name: "Content of /etc/evolinux/todo.txt" + debug: + var: evolinux_todo.stdout_lines + when: evolinux_todo.stdout != "" diff --git a/evolinux-todo/tasks/main.yml b/evolinux-todo/tasks/main.yml new file mode 100644 index 00000000..bd098c72 --- /dev/null +++ b/evolinux-todo/tasks/main.yml 
@@ -0,0 +1,14 @@ +--- + +- name: /etc/evolinux is present + file: + dest: /etc/evolinux + mode: "0700" + state: directory + +- name: /etc/evolinux/todo.txt is present + copy: + src: todo.defaults.txt + dest: /etc/evolinux/todo.txt + mode: "0640" + force: no diff --git a/evolinux-todo/tests/test.yml b/evolinux-todo/tests/test.yml new file mode 100644 index 00000000..2c9b5d72 --- /dev/null +++ b/evolinux-todo/tests/test.yml @@ -0,0 +1,4 @@ +--- +- hosts: test-kitchen + roles: + - role: evolinux-todo diff --git a/evolinux-users/templates/sudoers_jessie.j2 b/evolinux-users/templates/sudoers_jessie.j2 index 391ae898..c349ac09 100644 --- a/evolinux-users/templates/sudoers_jessie.j2 +++ b/evolinux-users/templates/sudoers_jessie.j2 @@ -5,6 +5,7 @@ User_Alias ADMINS = {{ user.name }} nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall +nagios ALL = NOPASSWD: /usr/sbin/bkctld check nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt ADMINS ALL = (ALL:ALL) ALL diff --git a/evolinux-users/templates/sudoers_stretch.j2 b/evolinux-users/templates/sudoers_stretch.j2 index 9a9ea7ed..fb785c46 100644 --- a/evolinux-users/templates/sudoers_stretch.j2 +++ b/evolinux-users/templates/sudoers_stretch.j2 @@ -4,6 +4,7 @@ Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall +nagios ALL = NOPASSWD: /usr/sbin/bkctld check nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt %{{ evolinux_sudo_group }} ALL=(ALL:ALL) ALL diff --git a/fail2ban/README.md b/fail2ban/README.md index af94e38a..99ab0ae3 100644 --- a/fail2ban/README.md +++ b/fail2ban/README.md 
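Review bot: Neither new task sets `owner`/`group`, so `/etc/evolinux` (0700) and `todo.txt` (0640) are only guaranteed to belong to whatever account the play runs as; the block this role replaces in evolinux-base/tasks/etc-evolinux.yml set `owner: root` and `group: root` explicitly, and a 0640 file is only meaningful once its group is pinned. Add `owner: root` and `group: root` to both tasks. A short comment on `force: no` — `# never overwrite: the file is edited by humans and other tasks` — would also record why the copy is deliberately one-shot.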
@@ -12,6 +12,8 @@ Main variables are : * `general_alert_email`: email address to send various alert messages (default: `root@localhost`). * `fail2ban_alert_email`: email address for messages sent to root (default: `general_alert_email`). -* `fail2ban_ignore_ips`: list of IPs to ignore (default: empty). +* `fail2ban_default_ignore_ips`: default list of IPs to ignore (default: empty). +* `fail2ban_additional_ignore_ips`: additional list of IPs to ignore (default: empty). +* `fail2ban_disable_ssh`: if true, the "sshd" filter is disabled, otherwise nothing is done, not even enabling the filter (default: `False`). The full list of variables (with default values) can be found in `defaults/main.yml`. diff --git a/fail2ban/defaults/main.yml b/fail2ban/defaults/main.yml index 45c2477a..d983b32a 100644 --- a/fail2ban/defaults/main.yml +++ b/fail2ban/defaults/main.yml @@ -2,9 +2,14 @@ general_alert_email: "root@localhost" fail2ban_alert_email: Null +# Note: there are 2 variable to allow various overrides, but they are merged. +# "127.0.0.1/8" is always added to the list, even if the following lists are empty. fail2ban_default_ignore_ips: [] fail2ban_additional_ignore_ips: [] -fail2ban_ignore_ips: "{{ fail2ban_default_ignore_ips | union(fail2ban_additional_ignore_ips) | unique }}" +# WARN: setting this to True will overwrite the list of ignored IP +fail2ban_force_update_ignore_ips: False fail2ban_wordpress: False fail2ban_roundcube: False + +fail2ban_disable_ssh: False diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml index 8e02f044..db6af2d4 100644 --- a/fail2ban/tasks/main.yml +++ b/fail2ban/tasks/main.yml @@ -15,6 +15,9 @@ tags: - fail2ban +- set_fact: + fail2ban_ignore_ips: "{{ fail2ban_default_ignore_ips | union(fail2ban_additional_ignore_ips) | unique }}" + - name: local jail is installed template: src: jail.local.j2 
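Review bot: `fail2ban_force_update_ignore_ips` is introduced here but is not mentioned in the README hunk of this same commit, which documents the other new variables (`fail2ban_default_ignore_ips`, `fail2ban_additional_ignore_ips`, `fail2ban_disable_ssh`); add a bullet for it there. The comment above the lists also has a typo and could say what is merged: `# Note: there are 2 variables to allow various overrides; they are merged (union) into fail2ban_ignore_ips by tasks/main.yml.` The WARN comment should name the file it overwrites: `# WARN: True rewrites the ignoreip line of /etc/fail2ban/jail.local on every run`.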
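Review bot: The new `set_fact` task has no `tags:` entry while the sibling tasks are tagged `fail2ban`, so a run limited with `--tags fail2ban` skips it and the following `jail.local` template fails on the undefined `fail2ban_ignore_ips`. Tag it like its neighbours (or `always`), and give it a `name:` so the play output shows what it computes, e.g. `- name: compute the merged list of ignored IPs` followed by the existing `set_fact:` and `tags: [fail2ban]`.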
@@ -25,6 +28,28 @@ tags: - fail2ban +- name: update ignoreips lists + ini_file: + dest: /etc/fail2ban/jail.local + section: "[DEFAULT]" + option: "ignoreips" + value: "{{ fail2ban_ignore_ips | join(' ') }}" + notify: restart fail2ban + when: fail2ban_force_update_ignore_ips + tags: + - fail2ban + +- name: Disable SSH filter + ini_file: + dest: /etc/fail2ban/jail.local + section: sshd + option: enabled + value: false + notify: restart fail2ban + when: fail2ban_disable_ssh + tags: + - fail2ban + - name: custom filters are installed copy: src: "{{ item }}" diff --git a/fail2ban/templates/jail.local.j2 b/fail2ban/templates/jail.local.j2 index 73b5f21f..4c3999bc 100644 --- a/fail2ban/templates/jail.local.j2 +++ b/fail2ban/templates/jail.local.j2 @@ -3,7 +3,7 @@ [DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host -ignoreip = {{ (['127.0.0.1/8'] + fail2ban_ignore_ips) | join(' ') }} +ignoreip = {{ ['127.0.0.1/8'] | union(fail2ban_ignore_ips) | unique | join(' ') }} bantime = 600 maxretry = 3 diff --git a/generate-ldif/templates/generateldif.sh.j2 b/generate-ldif/templates/generateldif.sh.j2 index f0cdd233..73fe88c8 100755 --- a/generate-ldif/templates/generateldif.sh.j2 +++ b/generate-ldif/templates/generateldif.sh.j2 @@ -6,7 +6,7 @@ if [ $(id -u) != 0 ]; then fi is_pkg_installed() { - dpkg -l "$1" 2>/dev/null | grep -q '^ii' + dpkg -l "$1" 2>/dev/null | grep -q -E '^(i|h)i' } get_pkg_version() { diff --git a/haproxy/README.md b/haproxy/README.md index 9f597baa..54416827 100644 --- a/haproxy/README.md +++ b/haproxy/README.md @@ -8,7 +8,7 @@ Everything is in the `tasks/main.yml` file. ## Available variables -* `haproxy_jessie_backports` : on Debian Jessie, we can prefer v1.7 from backports (default: `False`) +* `haproxy_backports` : We can either prefer v1.7 from backports for Debian Jessie or v1.8 for Debian Stretch (default: `False`) ## Configuration templates 
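Review bot: The "update ignoreips lists" task writes `option: "ignoreips"`, but the option fail2ban reads — and the one this commit's jail.local.j2 renders — is `ignoreip`, so the forced update adds a key that is never honoured and the old list stays in effect. Its `value` also omits the `127.0.0.1/8` entry that the template always prepends, and `section: "[DEFAULT]"` appears to pass the brackets into ini_file's section name, which would produce a `[[DEFAULT]]` header rather than editing the existing section. Suggested lines: `section: DEFAULT`, `option: ignoreip`, `value: "{{ ['127.0.0.1/8'] | union(fail2ban_ignore_ips) | unique | join(' ') }}"`. Since the template task above also manages jail.local, check that it does not rewrite the file on the next run and undo this edit; the conditions on that task are outside this hunk.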
diff --git a/haproxy/defaults/main.yml b/haproxy/defaults/main.yml index 31f054ab..4a05ffb7 100644 --- a/haproxy/defaults/main.yml +++ b/haproxy/defaults/main.yml @@ -1,3 +1,4 @@ --- -haproxy_jessie_backports: False +# backward compatibility with a previously used variable +haproxy_backports: "{{ haproxy_jessie_backports | default(false, true) }}" haproxy_stats_url: "http://127.0.0.1:8080/" diff --git a/haproxy/files/haproxy_apt_preferences b/haproxy/files/haproxy_apt_preferences deleted file mode 100644 index bae1e794..00000000 --- a/haproxy/files/haproxy_apt_preferences +++ /dev/null @@ -1,3 +0,0 @@ -Package: haproxy libssl1.0.0 -Pin: release a=jessie-backports -Pin-Priority: 999 diff --git a/haproxy/tasks/main.yml b/haproxy/tasks/main.yml index 37afe8df..0c8cb1fe 100644 --- a/haproxy/tasks/main.yml +++ b/haproxy/tasks/main.yml @@ -2,18 +2,18 @@ - name: ssl-cert package is installed apt: name: ssl-cert - state: installed + state: present tags: - haproxy - packages -- include: packages_jessie_backports.yml - when: ansible_distribution_release == "jessie" and haproxy_jessie_backports +- include: packages_backports.yml + when: haproxy_backports - name: Install HAProxy package apt: name: haproxy - state: installed + state: present tags: - haproxy - packages diff --git a/haproxy/tasks/nagios.yml b/haproxy/tasks/nagios.yml index eff711ac..1663b71b 100644 --- a/haproxy/tasks/nagios.yml +++ b/haproxy/tasks/nagios.yml @@ -1,4 +1,6 @@ --- +- include_role: + name: remount-usr - name: "Install check_haproxy_stats script" copy: diff --git a/haproxy/tasks/packages_jessie_backports.yml b/haproxy/tasks/packages_backports.yml similarity index 79% rename from haproxy/tasks/packages_jessie_backports.yml rename to haproxy/tasks/packages_backports.yml index 17218ee6..3be91268 100644 --- a/haproxy/tasks/packages_jessie_backports.yml +++ b/haproxy/tasks/packages_backports.yml 
@@ -7,9 +7,9 @@ - haproxy - packages -- name: Prefer HAProxy package from jessie-backports - copy: - src: haproxy_apt_preferences +- name: Prefer HAProxy package from backports + template: + src: haproxy_apt_preferences.j2 dest: /etc/apt/preferences.d/999-haproxy force: yes mode: "0640" diff --git a/haproxy/templates/haproxy_apt_preferences.j2 b/haproxy/templates/haproxy_apt_preferences.j2 new file mode 100644 index 00000000..706ee67d --- /dev/null +++ b/haproxy/templates/haproxy_apt_preferences.j2 @@ -0,0 +1,3 @@ +Package: haproxy libssl1.0.0 +Pin: release a={{ ansible_distribution_release }}-backports +Pin-Priority: 999 diff --git a/java/.kitchen.yml b/java/.kitchen.yml new file mode 100644 index 00000000..b21cc3db --- /dev/null +++ b/java/.kitchen.yml @@ -0,0 +1,28 @@ +--- +driver: + name: docker + privileged: true + use_sudo: false + +provisioner: + name: ansible_playbook + hosts: test-kitchen + roles_path: ../ + ansible_verbose: true + require_ansible_source: false + require_chef_for_busser: false + idempotency_test: true + +platforms: + - name: debian + driver_config: + image: evolix/ansible:2.2.1 + +suites: + - name: default + provisioner: + name: ansible_playbook + playbook: ./tests/test.yml + +transport: + max_ssh_sessions: 6 diff --git a/java/README.md b/java/README.md new file mode 100644 index 00000000..72740bb3 --- /dev/null +++ b/java/README.md @@ -0,0 +1,14 @@ +# java + +Install OpenJDK or OracleJDK + +## Tasks + +* `openjdk.yml` : install of OpenJDK +* `oracle.yml` : install or OracleJDK + +## Available variables + +* `java_alternative`: choose between openjdk or oraclejdk (default to openjdk) +* `java_version`: java version (default to 8) +* `java_default_alternative`: make this verison the default alternative (default to true) diff --git a/java/defaults/main.yml b/java/defaults/main.yml new file mode 100644 index 00000000..89f5cdac --- /dev/null +++ b/java/defaults/main.yml 
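Review bot: The new haproxy_apt_preferences.j2 generalises the release name but keeps `Package: haproxy libssl1.0.0` from the jessie-only file it replaces, so on stretch the preference also pins `libssl1.0.0` to stretch-backports at priority 999. If that pin was only needed for the jessie backport of haproxy 1.7, make it conditional: `Package: haproxy{% if ansible_distribution_release == "jessie" %} libssl1.0.0{% endif %}`, and add a one-line comment in the template saying which release needs the extra package. Whether stretch-backports ships a libssl1.0.0 that this pin would actually select is not visible here, so confirm before deciding.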
@@ -0,0 +1,4 @@ +--- +java_alternative: 'openjdk' +java_version: 8 +java_default_alternative: True diff --git a/java8/meta/main.yml b/java/meta/main.yml similarity index 81% rename from java8/meta/main.yml rename to java/meta/main.yml index 632cd4f4..c5b91643 100644 --- a/java8/meta/main.yml +++ b/java/meta/main.yml @@ -1,7 +1,7 @@ --- galaxy_info: author: Evolix - description: Installation of Java 8 + description: Installation of Java issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues @@ -13,3 +13,4 @@ galaxy_info: - name: Debian versions: - jessie + - stretch diff --git a/java/tasks/main.yml b/java/tasks/main.yml new file mode 100644 index 00000000..1249533e --- /dev/null +++ b/java/tasks/main.yml @@ -0,0 +1,10 @@ +--- +- fail: + msg: "This role support only java 8 for now !" + when: java_version != 8 + +- include: openjdk.yml + when: "{{ java_alternative == 'openjdk' }}" + +- include: oracle.yml + when: "{{ java_alternative == 'oracle' }}" diff --git a/java/tasks/openjdk.yml b/java/tasks/openjdk.yml new file mode 100644 index 00000000..9b4f0b7d --- /dev/null +++ b/java/tasks/openjdk.yml @@ -0,0 +1,31 @@ +--- +- name: Decide which Debian release to use + set_fact: + java_apt_release: '{% if ansible_distribution_release == "jessie" %}jessie-backports{% else %}{{ ansible_distribution_release }}{% endif %}' + tags: + - java + +- name: Install jessie-backports + include_role: + name: apt + tasks_from: backports.yml + when: ansible_distribution_release == "jessie" + tags: + - java + +- name: Install openjdk package + apt: + name: "openjdk-{{ java_version}}-jre-headless" + default_release: "{{ java_apt_release }}" + state: present + tags: + - java + - packages + +- name: This openjdk version is the default alternative + alternatives: + name: java + path: "/usr/lib/jvm/java-{{ java_version }}-openjdk-amd64/jre/bin/java" + when: java_default_alternative + tags: + - java 
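Review bot: The two includes in java/tasks/main.yml use Jinja delimiters inside `when` (`when: "{{ java_alternative == 'openjdk' }}"`), which Ansible warns about; write them as bare expressions, `when: java_alternative == 'openjdk'` and `when: java_alternative == 'oracle'`. The README added in this commit documents the values as `openjdk` or `oraclejdk`, while the code tests for `oracle`, so a user following the README gets neither include and no error — align the two and add a `fail` for any other value, mirroring the existing `java_version != 8` guard. The `fail` task would also benefit from a `name:` and a corrected message (`This role supports only Java 8 for now`).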
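Review bot: In openjdk.yml the package name is rendered from `"openjdk-{{ java_version}}-jre-headless"` (missing space before `}}`), which works but differs from every other expression in the file; normalise it to `{{ java_version }}`. The alternatives path `/usr/lib/jvm/java-{{ java_version }}-openjdk-amd64/jre/bin/java` hard-codes the architecture while the version is parameterised; if only amd64 hosts are targeted, a comment saying so (`# amd64 only: the JVM directory name embeds the Debian architecture`) makes that limit explicit.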
diff --git a/java/tasks/oracle.yml b/java/tasks/oracle.yml new file mode 100644 index 00000000..da3473da --- /dev/null +++ b/java/tasks/oracle.yml @@ -0,0 +1,58 @@ +--- +- name: Install dependencies for build java package + apt: + name: "{{ item }}" + state: present + with_items: + - java-package + - build-essential + tags: + - java + +- name: Create jvm dir + file: + path: "{{ item }}" + state: directory + mode: "0777" + with_items: + - /srv/java-package + - /srv/java-package/src + - /srv/java-package/tmp + tags: + - java + +- name: Get Oracle jre archive + get_url: + url: 'http://download.oracle.com/otn-pub/java/jdk/8u172-b11/a58eab1ec242421181065cdc37240b08/jre-8u172-linux-x64.tar.gz' + dest: '/srv/java-package/src/' + checksum: 'sha256:f08f25aec2bdc86138ccba8fd5b904451e3afa1d24a88c85f28c2d84bfd45bad' + headers: 'Cookie: oraclelicense=accept-securebackup-cookie' + mode: "0644" + tags: + - java + +- name: Make Debian package from Oracle JDK archive + shell: "yes | TMPDIR=/srv/java-package/tmp make-jpkg /srv/java-package/src/jre-8u172-linux-x64.tar.gz" + args: + chdir: /srv/java-package + creates: /srv/java-package/oracle-java8-jre_8u172_amd64.deb + become: False + tags: + - java + +- include_role: + name: remount-usr + +- name: Install java package + apt: + deb: /srv/java-package/oracle-java8-jre_8u172_amd64.deb + tags: + - java + +- name: This openjdk version is the default alternative + alternatives: + name: java + path: "/usr/lib/jvm/jre-{{ java_version }}-oracle-x64/bin/java" + when: java_default_alternative + tags: + - java diff --git a/java8/tests/test.yml b/java/tests/test.yml similarity index 66% rename from java8/tests/test.yml rename to java/tests/test.yml index 624e2d3b..984c2eb4 100644 --- a/java8/tests/test.yml +++ b/java/tests/test.yml @@ -1,4 +1,4 @@ --- - hosts: test-kitchen roles: - - role: java8 + - role: java diff --git a/java8 b/java8 new file mode 120000 index 00000000..85863977 --- /dev/null +++ b/java8 
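Review bot: The "Create jvm dir" task makes `/srv/java-package` and its subdirectories world-writable (`mode: "0777"`), and the later steps build a .deb there under `creates:` and then install it as root with `apt: deb:`; any local account can drop a file at `/srv/java-package/oracle-java8-jre_8u172_amd64.deb` (or replace the tarball after the checksum was verified) and have it installed with root privileges on the next run. The `become: False` on the make-jpkg task suggests the build must run as the unprivileged connection user, so give the directories that user as `owner` with `mode: "0750"` instead of opening them to everyone, and consider a checksum on the built package before the apt step. Two smaller points: the last task is named "This openjdk version is the default alternative" but sets the Oracle path, and the `8u172` release is hard-coded in three places while `java_version` is a variable — a `java_oracle_release`-style variable (constructed name) would keep them in one spot.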
@@ -0,0 +1 @@ +java \ No newline at end of file diff --git a/java8/README.md b/java8/README.md deleted file mode 100644 index 6279675d..00000000 --- a/java8/README.md +++ /dev/null @@ -1,11 +0,0 @@ -# java8 - -Install OpenJDK 1.8 (from jessie-backports) - -## Tasks - -Everything is in the `tasks/main.yml` file. - -## Available variables - -* `java8_default_alternative`: make this verison the default alternative (defaults to true) diff --git a/java8/defaults/main.yml b/java8/defaults/main.yml deleted file mode 100644 index 9f57f290..00000000 --- a/java8/defaults/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -java8_default_alternative: True diff --git a/java8/tasks/main.yml b/java8/tasks/main.yml deleted file mode 100644 index 8e24def3..00000000 --- a/java8/tasks/main.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- -- name: Decide which Debian release to use - set_fact: - java8_apt_release: '{% if ansible_distribution_release == "jessie" %}jessie-backports{% else %}{{ ansible_distribution_release }}{% endif %}' - -- name: install jessie-backports - include_role: - name: apt - tasks_from: backports.yml - when: ansible_distribution_release == "jessie" - -- name: Java 8 is installed - apt: - name: openjdk-8-jre-headless - default_release: "{{ java8_apt_release }}" - state: present - tags: - - java - - packages - -- name: Java 8 is the default alternative - alternatives: - name: java - path: /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java - when: java8_default_alternative - tags: - - java diff --git a/jenkins/meta/main.yml b/jenkins/meta/main.yml index eda76a17..0f0b5b69 100644 --- a/jenkins/meta/main.yml +++ b/jenkins/meta/main.yml @@ -24,4 +24,4 @@ galaxy_info: # alphanumeric characters. Maximum 20 tags per role. dependencies: - - java8 + - { role: java, java_alternative: 'openjdk', java_version: 8 } diff --git a/kibana/tasks/main.yml b/kibana/tasks/main.yml index 7ee07b5f..b1e7cb42 100644 --- a/kibana/tasks/main.yml +++ b/kibana/tasks/main.yml 
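Review bot: The `java8 -> java` symlink gives role-name compatibility only: the deleted java8/defaults/main.yml exposed `java8_default_alternative`, whereas the new role reads `java_default_alternative`, so a playbook that still sets the old variable to False silently gets the new default (True) and the alternative is changed anyway. The haproxy role in this same commit shows the pattern to use — in java/defaults/main.yml set `java_default_alternative: "{{ java8_default_alternative | default(True) }}"` with a comment `# backward compatibility with the java8 role variable`. If the symlink is meant to be temporary, say so in java/README.md.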
@@ -50,6 +50,22 @@ insertafter: '^#server.basePath:' notify: restart kibana +- name: kibana log destination is present + file: + dest: /var/log/kibana + owner: kibana + group: kibana + mode: "0750" + state: directory + +- name: kibana log messages go to custom file + lineinfile: + dest: /etc/kibana/kibana.yml + line: "logging.dest: \"/var/log/kibana/kibana.log\"" + regexp: '^logging.dest:' + insertafter: '^#logging.dest:' + notify: restart kibana + - name: Kibana service is enabled and started systemd: name: kibana diff --git a/kvm-host/tasks/main.yml b/kvm-host/tasks/main.yml index 9fc73e93..71fcda41 100644 --- a/kvm-host/tasks/main.yml +++ b/kvm-host/tasks/main.yml @@ -5,15 +5,6 @@ - include: packages.yml -- include_role: - name: remount-usr - -- name: Copy add-vm script - get_url: - url: https://forge.evolix.org/projects/kvm-tools/repository/revisions/master/raw/add-vm.sh - dest: /usr/share/scripts/add-vm.sh - mode: "0750" - - include: munin.yml - include: images.yml diff --git a/kvm-host/tasks/packages.yml b/kvm-host/tasks/packages.yml index 7188239a..e371067f 100644 --- a/kvm-host/tasks/packages.yml +++ b/kvm-host/tasks/packages.yml @@ -10,3 +10,4 @@ - virtinst - libvirt-daemon-system - libvirt-clients + - kvm-tools diff --git a/logstash/meta/main.yml b/logstash/meta/main.yml index c74021e7..62a4cf71 100644 --- a/logstash/meta/main.yml +++ b/logstash/meta/main.yml @@ -14,4 +14,4 @@ galaxy_info: - jessie dependencies: - - java8 + - { role: java, java_alternative: 'openjdk', java_version: 8 } diff --git a/memcached/README.md b/memcached/README.md index 38e5f89d..a5f3e79e 100644 --- a/memcached/README.md +++ b/memcached/README.md 
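Review bot: Pointing `logging.dest` at `/var/log/kibana/kibana.log` turns Kibana's log from journal/stdout into a plain file, and nothing in this hunk arranges for its rotation, so the file grows without bound unless the kibana package happens to ship a logrotate snippet (not visible here). Add a `/etc/logrotate.d/kibana` entry alongside the directory task, or state in the task name/comment where rotation is handled. A `# 0750: readable by the kibana group only` comment on the directory task would also document the chosen mode.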
@@ -15,5 +15,14 @@ Main variables are : * `memcached_port`: opened port (default: `11211`) ; * `memcached_bind_interface`: interface to listen to (default: `127.0.0.1`) ; * `memcached_connections`: number of simultaneous incoming connections (default: `1024`) ; +* `memcached_instance_name`: use this to set up multiple memcached instances (default: `False`) ; The full list of variables (with default values) can be found in `defaults/main.yml`. + +## Multiple intances + +When using memcached_instance_name variable, you can set up multiple memcached instances : + + roles: + - { role: memcached, memcached_instance_name: "instance1" } + - { role: memcached, memcached_instance_name: "instance2", memcached_port: 11212 } diff --git a/memcached/defaults/main.yml b/memcached/defaults/main.yml index b71c36e9..a99f576a 100644 --- a/memcached/defaults/main.yml +++ b/memcached/defaults/main.yml @@ -1,4 +1,5 @@ --- +memcached_instance_name: "" memcached_logfile: '/var/log/memcached.log' memcached_mem: 64 memcached_user: 'nobody' diff --git a/memcached/files/memcached@.service b/memcached/files/memcached@.service new file mode 100644 index 00000000..1f21b319 --- /dev/null +++ b/memcached/files/memcached@.service @@ -0,0 +1,10 @@ +[Unit] +Description=memcached daemon +After=network.target +ConditionPathExists=/etc/memcached_%i.conf + +[Service] +ExecStart=/usr/share/memcached/scripts/systemd-memcached-wrapper /etc/memcached_%i.conf + +[Install] +WantedBy=multi-user.target diff --git a/memcached/tasks/main.yml b/memcached/tasks/main.yml index 083c0134..0bf81713 100644 --- a/memcached/tasks/main.yml +++ b/memcached/tasks/main.yml @@ -3,7 +3,7 @@ name: memcached state: present tags: - - memcached + - memcached - name: Memcached is configured. template: @@ -12,7 +12,8 @@ mode: "0644" notify: restart memcached tags: - - memcached + - memcached + when: memcached_instance_name == "" - name: Memcached is running and enabled on boot. service: 
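Review bot: `memcached_instance_name` defaults to `""` here, but the README hunk in this commit documents its default as `False`, and the two task files disagree the same way — tasks/main.yml compares against `""` while tasks/munin.yml compares against `False`. Pick one representation (the empty string, since that is what the tasks in main.yml test), document it as such, and add a comment on the line: `# empty: single default instance; non-empty: create /etc/memcached_<name>.conf and memcached@<name>`.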
@@ -20,7 +21,54 @@ enabled: yes state: started tags: - - memcached + - memcached + when: memcached_instance_name == "" + +- name: Add systemd template + copy: + src: memcached@.service + dest: /etc/systemd/system/memcached@.service + tags: + - memcached + when: memcached_instance_name != "" + +- name: Delete default memcached systemd configuration file + systemd: + name: memcached + enabled: false + state: stopped + tags: + - memcached + when: memcached_instance_name != "" + +- name: Make sure memcached.conf is absent + file: + path: /etc/memcached.conf + state: absent + tags: + - memcached + when: memcached_instance_name != "" + +- name: Create a configuration file + template: + src: memcached.conf.j2 + dest: /etc/memcached_{{ memcached_instance_name }}.conf + mode: "0644" + tags: + - memcached + when: memcached_instance_name != "" + +- name: Enable and start the memcached instance + systemd: + name: memcached@{{ memcached_instance_name }} + enabled: yes + state: started + daemon_reload: yes + masked: no + tags: + - memcached + when: memcached_instance_name != "" - include: munin.yml + - include: nrpe.yml diff --git a/memcached/tasks/munin.yml b/memcached/tasks/munin.yml index c2d56022..4d98ca5d 100644 --- a/memcached/tasks/munin.yml +++ b/memcached/tasks/munin.yml @@ -1,4 +1,8 @@ --- +- name: Choose packages (Oracle) + set_fact: + multi: "multi_" + when: memcached_instance_name != False - name: is Munin present ? stat: @@ -21,7 +25,7 @@ - name: Enable core Munin plugins file: src: '/usr/share/munin/plugins/memcached_' - dest: /etc/munin/plugins/{{ item }} + dest: /etc/munin/plugins/{{ multi }}{{ item }} state: link with_items: - memcached_bytes diff --git a/memcached/tasks/nrpe.yml b/memcached/tasks/nrpe.yml index 139a3a10..178db3ad 100644 --- a/memcached/tasks/nrpe.yml +++ b/memcached/tasks/nrpe.yml @@ -1,4 +1,7 @@ --- +- include_role: + name: remount-usr + - name: Is nrpe present ? stat: path: /etc/nagios/nrpe.d/evolix.cfg 
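Review bot: The "Create a configuration file" task for a named instance has no `notify`, unlike the single-instance template task above it which notifies `restart memcached`, so a change to `/etc/memcached_<name>.conf` never restarts the running `memcached@<name>` unit. A handler for the instance unit is needed (handlers/main.yml is outside this diff), e.g. `notify: restart memcached instance` with a handler calling `systemd: name=memcached@{{ memcached_instance_name }} state=restarted`. The task named "Delete default memcached systemd configuration file" stops and disables the unit but deletes nothing; name it for what it does. If the conf template writes `logfile` from `memcached_logfile`, two instances created as in the README example will share `/var/log/memcached.log` — worth a per-instance default or a note in the README.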
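Review bot: `when: memcached_instance_name != False` in munin.yml is true for the default value `""` (an empty string is not equal to False in Jinja), so `multi` is always set to `multi_` and single-instance hosts get `/etc/munin/plugins/multi_memcached_*` links too. Test against the empty string as main.yml does, `when: memcached_instance_name != ""`, and render the prefix with a default so the single-instance path does not hit an undefined variable: `dest: /etc/munin/plugins/{{ multi | default('') }}{{ item }}`. The task name "Choose packages (Oracle)" is a copy-paste leftover; `Use the multi-instance plugin prefix` describes it.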
@@ -15,12 +18,13 @@ dest: /usr/local/lib/nagios/plugins/ mode: "0755" + # TODO: install a "multi-instances" check if the memcached_instance_name variable is not null + - name: Add NRPE check lineinfile: name: /etc/nagios/nrpe.d/evolix.cfg regexp: '^command\[check_memcached\]=' - line: 'command[check_memcached]=/usr/local/lib/nagios/plugins/check_memcached.pl -H 127.0.0.1' + line: 'command[check_memcached]=/usr/local/lib/nagios/plugins/check_memcached.pl -H 127.0.0.1 -p {{ memcached_port }}' notify: restart nagios-nrpe-server when: nrpe_evolix_config.stat.exists - diff --git a/metricbeat/.kitchen.yml b/metricbeat/.kitchen.yml new file mode 100644 index 00000000..b21cc3db --- /dev/null +++ b/metricbeat/.kitchen.yml @@ -0,0 +1,28 @@ +--- +driver: + name: docker + privileged: true + use_sudo: false + +provisioner: + name: ansible_playbook + hosts: test-kitchen + roles_path: ../ + ansible_verbose: true + require_ansible_source: false + require_chef_for_busser: false + idempotency_test: true + +platforms: + - name: debian + driver_config: + image: evolix/ansible:2.2.1 + +suites: + - name: default + provisioner: + name: ansible_playbook + playbook: ./tests/test.yml + +transport: + max_ssh_sessions: 6 diff --git a/metricbeat/README.md b/metricbeat/README.md new file mode 100644 index 00000000..443e1107 --- /dev/null +++ b/metricbeat/README.md @@ -0,0 +1,11 @@ +# filebeat + +Install Metricbeat. + +## Tasks + +Everything is in the `tasks/main.yml` file. + +## Available variables + +* `elastic_stack_version`: version to install (default: `6.x`); diff --git a/metricbeat/defaults/main.yml b/metricbeat/defaults/main.yml new file mode 100644 index 00000000..fc833c4f --- /dev/null +++ b/metricbeat/defaults/main.yml @@ -0,0 +1,2 @@ +--- +elastic_stack_version: "6.x" diff --git a/metricbeat/files/elasticsearch.key b/metricbeat/files/elasticsearch.key new file mode 100644 index 00000000..1b50dcca --- /dev/null +++ b/metricbeat/files/elasticsearch.key 
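Review bot: The updated `line:` still targets the single `command[check_memcached]` entry (the `regexp` matches it whatever the instance), so when the role is invoked once per instance each invocation overwrites the previous one and only the last `memcached_port` is monitored; the TODO above acknowledges the missing multi-instance check, but in the meantime this is a silent monitoring gap. Until a proper check exists, keying the command on the instance in the `memcached_instance_name != ""` case, e.g. `command[check_memcached_{{ memcached_instance_name }}]`, would keep every instance covered. The enclosing task list continues outside the hunk.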
@@ -0,0 +1,31 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2.0.14 (GNU/Linux) + +mQENBFI3HsoBCADXDtbNJnxbPqB1vDNtCsqhe49vFYsZN9IOZsZXgp7aHjh6CJBD +A+bGFOwyhbd7at35jQjWAw1O3cfYsKAmFy+Ar3LHCMkV3oZspJACTIgCrwnkic/9 +CUliQe324qvObU2QRtP4Fl0zWcfb/S8UYzWXWIFuJqMvE9MaRY1bwUBvzoqavLGZ +j3SF1SPO+TB5QrHkrQHBsmX+Jda6d4Ylt8/t6CvMwgQNlrlzIO9WT+YN6zS+sqHd +1YK/aY5qhoLNhp9G/HxhcSVCkLq8SStj1ZZ1S9juBPoXV1ZWNbxFNGwOh/NYGldD +2kmBf3YgCqeLzHahsAEpvAm8TBa7Q9W21C8vABEBAAG0RUVsYXN0aWNzZWFyY2gg +KEVsYXN0aWNzZWFyY2ggU2lnbmluZyBLZXkpIDxkZXZfb3BzQGVsYXN0aWNzZWFy +Y2gub3JnPokBOAQTAQIAIgUCUjceygIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgEC +F4AACgkQ0n1mbNiOQrRzjAgAlTUQ1mgo3nK6BGXbj4XAJvuZDG0HILiUt+pPnz75 +nsf0NWhqR4yGFlmpuctgCmTD+HzYtV9fp9qW/bwVuJCNtKXk3sdzYABY+Yl0Cez/ +7C2GuGCOlbn0luCNT9BxJnh4mC9h/cKI3y5jvZ7wavwe41teqG14V+EoFSn3NPKm +TxcDTFrV7SmVPxCBcQze00cJhprKxkuZMPPVqpBS+JfDQtzUQD/LSFfhHj9eD+Xe +8d7sw+XvxB2aN4gnTlRzjL1nTRp0h2/IOGkqYfIG9rWmSLNlxhB2t+c0RsjdGM4/ +eRlPWylFbVMc5pmDpItrkWSnzBfkmXL3vO2X3WvwmSFiQbkBDQRSNx7KAQgA5JUl +zcMW5/cuyZR8alSacKqhSbvoSqqbzHKcUQZmlzNMKGTABFG1yRx9r+wa/fvqP6OT +RzRDvVS/cycws8YX7Ddum7x8uI95b9ye1/Xy5noPEm8cD+hplnpU+PBQZJ5XJ2I+ +1l9Nixx47wPGXeClLqcdn0ayd+v+Rwf3/XUJrvccG2YZUiQ4jWZkoxsA07xx7Bj+ +Lt8/FKG7sHRFvePFU0ZS6JFx9GJqjSBbHRRkam+4emW3uWgVfZxuwcUCn1ayNgRt +KiFv9jQrg2TIWEvzYx9tywTCxc+FFMWAlbCzi+m4WD+QUWWfDQ009U/WM0ks0Kww +EwSk/UDuToxGnKU2dQARAQABiQEfBBgBAgAJBQJSNx7KAhsMAAoJENJ9ZmzYjkK0 +c3MIAIE9hAR20mqJWLcsxLtrRs6uNF1VrpB+4n/55QU7oxA1iVBO6IFu4qgsF12J +TavnJ5MLaETlggXY+zDef9syTPXoQctpzcaNVDmedwo1SiL03uMoblOvWpMR/Y0j +6rm7IgrMWUDXDPvoPGjMl2q1iTeyHkMZEyUJ8SKsaHh4jV9wp9KmC8C+9CwMukL7 +vM5w8cgvJoAwsp3Fn59AxWthN3XJYcnMfStkIuWgR7U2r+a210W6vnUxU4oN0PmM +cursYPyeV0NX/KQeUeNMwGTFB6QHS/anRaGQewijkrYYoTNtfllxIu9XYmiBERQ/ +qPDlGRlOgVTd9xUfHFkzB52c70E= +=92oX +-----END PGP PUBLIC KEY BLOCK----- diff --git a/metricbeat/meta/main.yml b/metricbeat/meta/main.yml new file mode 100644 index 00000000..5440675d --- /dev/null +++ b/metricbeat/meta/main.yml 
@@ -0,0 +1,20 @@
+galaxy_info:
+ author: Evolix
+ description: Installation and basic configuration of Metricbeat.
+
+ issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
+
+ license: GPLv2
+
+ min_ansible_version: 2.2
+
+ platforms:
+ - name: Debian
+ versions:
+ - jessie
+ - stretch
+
+dependencies: []
+ # List your role dependencies here, one per line.
+ # Be sure to remove the '[]' above if you add dependencies
+ # to this list.
diff --git a/metricbeat/tasks/main.yml b/metricbeat/tasks/main.yml
new file mode 100644
index 00000000..07ffb67a
--- /dev/null
+++ b/metricbeat/tasks/main.yml
@@ -0,0 +1,41 @@
+---
+
+- name: APT https transport is enabled
+ apt:
+ name: apt-transport-https
+ state: present
+ tags:
+ - metricbeat
+ - packages
+
+- name: Elastic GPG key is installed
+ apt_key:
+ # url: https://artifacts.elastic.co/GPG-KEY-elasticsearch
+ data: "{{ lookup('file', 'elasticsearch.key') }}"
+ state: present
+ tags:
+ - metricbeat
+ - packages
+
+- name: Elastic sources list is available
+ apt_repository:
+ repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
+ filename: elastic
+ state: present
+ update_cache: yes
+ tags:
+ - metricbeat
+ - packages
+
+- name: Metricbeat is installed
+ apt:
+ name: metricbeat
+ state: present
+ tags:
+ - metricbeat
+ - packages
+
+- name: Metricbeat service is enabled
+ systemd:
+ name: metricbeat
+ enabled: yes
diff --git a/metricbeat/tests/test.yml b/metricbeat/tests/test.yml
new file mode 100644
index 00000000..670cd0d3
--- /dev/null
+++ b/metricbeat/tests/test.yml
@@ -0,0 +1,4 @@
+---
+- hosts: test-kitchen
+ roles:
+ - role: metricbeat
diff --git a/minifirewall/defaults/main.yml b/minifirewall/defaults/main.yml
index a6eaa2fc..2b37a5cf 100644
--- a/minifirewall/defaults/main.yml
+++ b/minifirewall/defaults/main.yml
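Review bot: "Metricbeat service is enabled" only sets `enabled: yes`, so on a fresh host the service does not run until the next boot; if that is deliberate a comment should say so, otherwise add `state: started`. Shipping the repository key in `files/elasticsearch.key` instead of fetching the commented `# url:` is the safer supply-chain choice, but nothing records which key it is; a comment such as `# Elastic signing key, fingerprint <FINGERPRINT-PLACEHOLDER>; re-verify against the URL above before replacing this file` lets the next maintainer check it rather than trust it. `update_cache: yes` on `apt_repository` is, as far as I recall, already the module's default behaviour on change, so the explicit flag is redundant.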
@@ -1,5 +1,6 @@ --- minifirewall_tail_included: False +minifirewall_tail_force: yes minifirewall_git_url: "https://forge.evolix.org/minifirewall.git" minifirewall_checkout_path: "/tmp/minifirewall" diff --git a/minifirewall/tasks/tail.yml b/minifirewall/tasks/tail.yml index 00d9c0e4..3d61025d 100644 --- a/minifirewall/tasks/tail.yml +++ b/minifirewall/tasks/tail.yml @@ -3,7 +3,7 @@ template: src: "{{ item }}" dest: /etc/default/minifirewall.tail - force: yes + force: "{{ minifirewall_tail_force | bool | ternary('yes', 'no') }}" with_first_found: - "templates/minifirewall-tail/minifirewall.{{ inventory_hostname }}.tail.j2" - "templates/minifirewall-tail/minifirewall.{{ host_group }}.tail.j2" diff --git a/mongodb/tasks/main_jessie.yml b/mongodb/tasks/main_jessie.yml index 0cec9f2c..db69c7c7 100644 --- a/mongodb/tasks/main_jessie.yml +++ b/mongodb/tasks/main_jessie.yml @@ -16,12 +16,12 @@ apt: name: mongodb-org allow_unauthenticated: yes - state: installed + state: present - name: install dependency for monitoring apt: name: python-pymongo - state: installed + state: present - name: Custom configuration template: diff --git a/mongodb/tasks/main_stretch.yml b/mongodb/tasks/main_stretch.yml index 3f553c41..bed975e3 100644 --- a/mongodb/tasks/main_stretch.yml +++ b/mongodb/tasks/main_stretch.yml @@ -3,7 +3,7 @@ - name: Install packages apt: name: "{{ item }}" - state: installed + state: present with_items: - mongodb - mongo-tools @@ -11,7 +11,7 @@ - name: install dependency for monitoring apt: name: python-pymongo - state: installed + state: present - name: Custom configuration template: diff --git a/munin/tasks/main.yml b/munin/tasks/main.yml index ae1644fe..f08f2005 100644 --- a/munin/tasks/main.yml +++ b/munin/tasks/main.yml 
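Review bot: `allow_unauthenticated: yes` on the `mongodb-org` install (a context line of the jessie hunk) disables APT signature verification for that package, so a compromised mirror could deliver arbitrary code with root privileges; the `state: present` change is fine, but this is the line in the same task worth revisiting. Import the repository's signing key with `apt_key` and drop the flag, or leave a comment explaining why verification cannot be done on jessie. The stretch hunks below do not carry the flag, so the two code paths also behave differently.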
@@ -22,7 +22,7 @@ notify: restart munin-node - name: Rename the localdomain data dir - command: mv /var/lib/munin/localdomain /var/lib/munin/{{ ansible_domain }} + shell: "mv /var/lib/munin/localdomain /var/lib/munin/{{ ansible_domain }} && rename \"s/localhost.localdomain/{{ ansible_fqdn }}/\" /var/lib/munin/{{ ansible_domain }}/*" args: creates: /var/lib/munin/{{ ansible_domain }} removes: /var/lib/munin/localdomain diff --git a/mysql-oracle/defaults/main.yml b/mysql-oracle/defaults/main.yml index e79fe036..e37f0680 100644 --- a/mysql-oracle/defaults/main.yml +++ b/mysql-oracle/defaults/main.yml @@ -5,6 +5,8 @@ log2mail_alert_email: Null general_scripts_dir: "/usr/share/scripts" mysql_scripts_dir: Null +mysql_install_libclient: False + mysql_replace_root_with_mysqladmin: True mysql_custom_datadir: '' diff --git a/mysql-oracle/tasks/config.yml b/mysql-oracle/tasks/config.yml index 82ae50cb..16590a59 100644 --- a/mysql-oracle/tasks/config.yml +++ b/mysql-oracle/tasks/config.yml @@ -1,9 +1,12 @@ --- +- set_fact: + mysql_config_directory: "/etc/mysql/mysql.conf.d" + - name: "Copy MySQL defaults config file" copy: src: evolinux-defaults.cnf - dest: "/etc/mysql/mysql.conf.d/z-evolinux-defaults.cnf" + dest: "{{ mysql_config_directory }}/z-evolinux-defaults.cnf" owner: root group: root mode: "0644" @@ -14,7 +17,7 @@ - name: "Copy MySQL custom config file" template: src: evolinux-custom.cnf.j2 - dest: "/etc/mysql/mysql.conf.d/zzz-evolinux-custom.cnf" + dest: "{{ mysql_config_directory }}/zzz-evolinux-custom.cnf" owner: root group: root mode: "0644" diff --git a/mysql-oracle/tasks/packages.yml b/mysql-oracle/tasks/packages.yml index 8be552bf..1d6ebf64 100644 --- a/mysql-oracle/tasks/packages.yml +++ b/mysql-oracle/tasks/packages.yml @@ -11,7 +11,7 @@ - name: MySQL APT config package is installed apt: deb: /root/mysql-apt-config_0.8.9-1_all.deb - state: installed + state: present register: mysql_apt_config_deb - name: Open firewall for MySQL.com repository 
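Review bot: The new `shell:` line interpolates `ansible_domain` and `ansible_fqdn` unquoted into a command that now contains `&&`, a `rename` expression and a glob, so an unexpected character in those facts (a space, a slash, an empty `ansible_domain`) alters the command instead of an argument; the previous `command:` form did not have that exposure. Use `{{ ansible_domain | quote }}` and `{{ ansible_fqdn | quote }}`, and since `rename` takes a Perl regex, escape the dots in `localhost\.localdomain`. The `creates`/`removes` guards only describe the `mv`, so if `rename` fails the directory has already moved and the task will not run again to finish the job.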
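Review bot: `mysql_config_directory` is defined by an anonymous `set_fact` at the top of `config.yml`, but `tasks/tmpdir.yml` further down in this diff also templates it, so that file only works when `config.yml` ran earlier in the same play; a tagged or partial run leaves the variable undefined. Declare it in `defaults/main.yml` instead (`mysql_config_directory: "/etc/mysql/mysql.conf.d"`) so it exists for every task file and can be overridden, and give the task a `name:` if it has to stay.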
@@ -36,10 +36,21 @@ with_items: - mysql-server - mysql-client + tags: + - mysql + - packages + +- name: Install MySQL dev packages + apt: + name: '{{ item }}' + update_cache: yes + state: present + with_items: - libmysqlclient20 tags: - mysql - packages + when: mysql_install_libclient - include_role: name: remount-usr diff --git a/mysql-oracle/tasks/tmpdir.yml b/mysql-oracle/tasks/tmpdir.yml index 2c2c0d91..ca560077 100644 --- a/mysql-oracle/tasks/tmpdir.yml +++ b/mysql-oracle/tasks/tmpdir.yml @@ -13,7 +13,7 @@ - name: Configure tmpdir ini_file: - dest: "/etc/mysql/conf.d/zzz-evolinux-custom.cnf" + dest: "{{ mysql_config_directory }}/zzz-evolinux-custom.cnf" section: mysqld option: tmpdir value: "{{ mysql_custom_tmpdir }}" diff --git a/mysql-oracle/tasks/users.yml b/mysql-oracle/tasks/users.yml index bab76418..696743f3 100644 --- a/mysql-oracle/tasks/users.yml +++ b/mysql-oracle/tasks/users.yml @@ -37,7 +37,7 @@ create: yes with_items: - { option: 'user', value: 'mysqladmin' } - - { option: password, value: '{{ mysql_admin_password.stdout }}' } + - { option: 'password', value: '{{ mysql_admin_password.stdout }}' } when: create_mysqladmin_user | changed tags: - mysql @@ -73,7 +73,7 @@ with_nested: - [ "client", "mysql_upgrade" ] - [ { option: 'user', value: 'debian-sys-maint' }, - { option: password, value: '{{ mysql_debian_password.stdout }}' } + { option: 'password', value: '{{ mysql_debian_password.stdout }}' } ] when: create_debian_user | changed tags: diff --git a/mysql/README.md b/mysql/README.md index b1e4bf57..4c813a15 100644 --- a/mysql/README.md +++ b/mysql/README.md 
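Review bot: The new task is named "Install MySQL dev packages" and gated by `mysql_install_libclient`, but the package it installs, `libmysqlclient20`, is the runtime shared library rather than a development package; the `mysql` role's equivalents in this diff install `libmysqlclient-dev` / `default-libmysqlclient-dev`. Either add the development package here too or rename the task and the README entry so the intent matches what is installed. Note this also changes behaviour: `libmysqlclient20` was previously in the unconditional list with `mysql-server`/`mysql-client` and is now skipped unless the variable is set to True.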
@@ -22,12 +22,21 @@ Tasks are extracted in several files, included in `tasks/main.yml` : * `mysql_replace_root_with_mysqladmin`: switch from `root` to `mysqladmin` user or not ; * `mysql_thread_cache_size`: number of threads for the cache ; * `mysql_innodb_buffer_pool_size`: amount of RAM dedicated to InnoDB ; -* `mysql_custom_datadir`: custom datadir +* `mysql_bind_address` : (default: `Null`, default evolinux config is then used) ; +* `mysql_max_connections`: maximum number of simultaneous connections (default: `Null`, default evolinux config is then used) ; +* `mysql_max_connect_errors`: number of permitted successive interrupted connection requests before a host gets blocked (default: `Null`, default evolinux config is then used) ; +* `mysql_table_cache`: (default: `Null`, default evolinux config is then used) ; +* `mysql_tmp_table_size`: (default: `Null`, default evolinux config is then used) ; +* `mysql_max_heap_table_size`: (default: `Null`, default evolinux config is then used) ; +* `mysql_query_cache_limit`: (default: `Null`, default evolinux config is then used) ; +* `mysql_query_cache_size`: (default: `Null`, default evolinux config is then used) ; +* `mysql_custom_datadir`: custom datadir. * `mysql_custom_tmpdir`: custom tmpdir. * `general_alert_email`: email address to send various alert messages (default: `root@localhost`). * `log2mail_alert_email`: email address to send Log2mail messages to (default: `general_alert_email`). * `general_scripts_dir`: general directory for scripts installation (default: `/usr/local/bin`). * `mysql_scripts_dir`: email address to send Log2mail messages to (default: `general_scripts_dir`). * `mysql_force_new_nrpe_password` : change the password for NRPE even if it exists already (default: `False`). +* `mysql_install_libclient`: install mysql client libraries (default: `False`). 
NB : changing the _datadir_ location can be done multiple times, as long as it is not restored to the default initial location, (because a symlink is created and can't be switched back, yet). diff --git a/mysql/defaults/main.yml b/mysql/defaults/main.yml index ff40c88a..d93f7270 100644 --- a/mysql/defaults/main.yml +++ b/mysql/defaults/main.yml @@ -7,6 +7,8 @@ mysql_scripts_dir: Null mysql_variant: oracle +mysql_install_libclient: False + mysql_replace_root_with_mysqladmin: True mysql_custom_datadir: '' @@ -15,6 +17,19 @@ mysql_custom_tmpdir: '' mysql_thread_cache_size: '{{ ansible_processor_cores }}' mysql_innodb_buffer_pool_size: '{{ (ansible_memtotal_mb * 0.3) | int }}M' +# If these variables are changed to non-Null values, +# they will be added in the zzz-evolinux-custom.cnf file. +# Otherwise, the value from de the z-evolinux-defaults.cnf file will preveil. +mysql_bind_address: Null +mysql_max_connections: Null +mysql_max_connect_errors: Null +mysql_table_cache: Null +mysql_tmp_table_size: Null +mysql_max_heap_table_size: Null +mysql_query_cache_limit: Null +mysql_query_cache_size: Null + + mysql_cron_optimize: True mysql_cron_optimize_frequency: weekly diff --git a/mysql/tasks/packages_jessie.yml b/mysql/tasks/packages_jessie.yml index 1d376e03..06359e35 100644 --- a/mysql/tasks/packages_jessie.yml +++ b/mysql/tasks/packages_jessie.yml @@ -26,6 +26,18 @@ - mysql - packages +- name: Install MySQL dev packages + apt: + name: '{{ item }}' + update_cache: yes + state: present + with_items: + - libmysqlclient-dev + tags: + - mysql + - packages + when: mysql_install_libclient + - name: MySQL is started service: name: mysql diff --git a/mysql/tasks/packages_stretch.yml b/mysql/tasks/packages_stretch.yml index d625f691..83256472 100644 --- a/mysql/tasks/packages_stretch.yml +++ b/mysql/tasks/packages_stretch.yml 
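Review bot: The comment block added above the new `Null` variables has typos that hurt readability: `from de the z-evolinux-defaults.cnf file will preveil` should read `from the z-evolinux-defaults.cnf file will prevail`. It would also help to state that `Null` means the directive is omitted from the rendered file, since `templates/evolinux-custom.cnf.j2` wraps each directive in `{% if %}`.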
@@ -12,6 +12,18 @@ - mysql - packages +- name: Install MySQL dev packages + apt: + name: '{{ item }}' + update_cache: yes + state: present + with_items: + - default-libmysqlclient-dev + tags: + - mysql + - packages + when: mysql_install_libclient + - name: MySQL is started service: name: mysql diff --git a/mysql/tasks/users_stretch.yml b/mysql/tasks/users_stretch.yml index 6b180612..70ae9933 100644 --- a/mysql/tasks/users_stretch.yml +++ b/mysql/tasks/users_stretch.yml @@ -76,7 +76,7 @@ with_nested: - [ "client", "mysql_upgrade" ] - [ { option: 'user', value: 'debian-sys-maint' }, - { option: password, value: '{{ mysql_debian_password.stdout }}' } + { option: 'password', value: '{{ mysql_debian_password.stdout }}' } ] when: create_debian_user.changed tags: diff --git a/mysql/templates/evolinux-custom.cnf.j2 b/mysql/templates/evolinux-custom.cnf.j2 index fa818eaf..796a1429 100644 --- a/mysql/templates/evolinux-custom.cnf.j2 +++ b/mysql/templates/evolinux-custom.cnf.j2 @@ -1,4 +1,31 @@ [mysqld] -#bind-address = 0.0.0.0 +{% if mysql_bind_address %} +bind-address = {{ mysql_bind_address }} +{% endif %} +{% if mysql_thread_cache_size %} thread_cache_size = {{ mysql_thread_cache_size }} +{% endif %} +{% if mysql_innodb_buffer_pool_size %} innodb_buffer_pool_size = {{ mysql_innodb_buffer_pool_size }} +{% endif %} +{% if mysql_max_connections %} +max_connections = {{ mysql_max_connections }} +{% endif %} +{% if mysql_max_connect_errors %} +max_connect_errors = {{ mysql_max_connect_errors }} +{% endif %} +{% if mysql_table_cache %} +table_cache = {{ mysql_table_cache }} +{% endif %} +{% if mysql_tmp_table_size %} +tmp_table_size = {{ mysql_tmp_table_size }} +{% endif %} +{% if mysql_max_heap_table_size %} +max_heap_table_size = {{ mysql_max_heap_table_size }} +{% endif %} +{% if mysql_query_cache_limit %} +query_cache_limit = {{ mysql_query_cache_limit }} +{% endif %} +{% if mysql_query_cache_limit %} +query_cache_size = {{ mysql_query_cache_size }} +{% endif %} 
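Review bot: The last block of the template is gated on the wrong variable: `{% if mysql_query_cache_limit %}` guards `query_cache_size = {{ mysql_query_cache_size }}`, so setting only `mysql_query_cache_size` emits nothing and setting only `mysql_query_cache_limit` emits `query_cache_size = None`, which mysqld rejects at startup. It should read `{% if mysql_query_cache_size %}`. Separately, `table_cache` is the old spelling of `table_open_cache` and may not be accepted by the MySQL versions this role targets; worth checking against the server version before exposing it as a role variable.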
diff --git a/nagios-nrpe/files/plugins/check_http_many b/nagios-nrpe/files/plugins/check_http_many
index e027e23a..243c24b7 100755
--- a/nagios-nrpe/files/plugins/check_http_many
+++ b/nagios-nrpe/files/plugins/check_http_many
@@ -16,7 +16,7 @@ check_state() {
 cat $result >> ${result}.err
 :> $result
 fi
- if [[ $1 -eq 2 ]]; then
+ if [[ $1 -ge 2 ]]; then
 critical=true
 cat $result >> ${result}.err
 :> $result
diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2
index 0be4e38e..845bae33 100644
--- a/nagios-nrpe/templates/evolix.cfg.j2
+++ b/nagios-nrpe/templates/evolix.cfg.j2
@@ -9,7 +9,7 @@ allowed_hosts={{ nagios_nrpe_allowed_hosts | join(',') }}
 # System checks
 command[check_load]=/usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
 command[check_swap]=/usr/lib/nagios/plugins/check_swap -a -w 30% -c 20%
-command[check_disk1]=/usr/lib/nagios/plugins/check_disk -x /lib/init/rw -x /dev -x /dev/shm -w 10% -c 3% -W 10% -K 3% -C -w 5% -c 2% -W 5% -K 2% -p /home
+command[check_disk1]=/usr/lib/nagios/plugins/check_disk -x /lib/init/rw -x /dev -x /dev/shm -x /sys/kernel/debug/tracing -w 10% -c 3% -W 10% -K 3% -C -w 5% -c 2% -W 5% -K 2% -p /home
 command[check_zombie_procs]=sudo /usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z
 command[check_total_procs]=sudo /usr/lib/nagios/plugins/check_procs -w 400 -c 600
 command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
@@ -51,7 +51,8 @@ command[check_ssl]=/usr/lib/nagios/plugins/check_http -f follow -I 127.0.0.1 -S
 command[check_elasticsearch]=/usr/lib/nagios/plugins/check_http -I 127.0.0.1 -u /_cat/health?h=st -p 9200 -r 'red' --invert-regex
 command[check_memcached]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 11211
 command[check_opendkim]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 54321
-command[check_bkctld]=/usr/lib/nagios/plugins/check_bkctld
+command[check_bkctld]=sudo /usr/sbin/bkctld check
+command[check_postgrey]=/usr/lib/nagios/plugins/check_tcp -p10023
 
 # Local checks (not packaged)
 command[check_mem]={{ nagios_plugins_directory }}/check_mem -f -C -w 20 -c 10
diff --git a/newrelic/tasks/php.yml b/newrelic/tasks/php.yml
index 712b42f2..7d1177dc 100644
--- a/newrelic/tasks/php.yml
+++ b/newrelic/tasks/php.yml
@@ -39,4 +39,4 @@
 - name: Install package for PHP
 apt:
 name: newrelic-php5
- state: installed
+ state: present
diff --git a/nginx/README.md b/nginx/README.md
index 73ede527..96d061ed 100644
--- a/nginx/README.md
+++ b/nginx/README.md
@@ -17,7 +17,7 @@ The regular mode is for full fledged web services with optimized defaults.
 Main variables are :
 
 * `nginx_minimal` : very basic install and config (default: `False`) ;
-* `nginx_jessie_backports` : on Debian Jessie, we can prefer v1.10 from backports (default: `False`) ;
+* `nginx_backports` : we can prefer higher version from backports (default: `False`) ;
 * `nginx_ipaddr_whitelist_present` : list of IP addresses to have in the private whitelist ;
 * `nginx_ipaddr_whitelist_absent` : list of IP addresses **not** to have in the whitelist ;
 * `nginx_private_htpasswd_present` : list of users to have in the private htpasswd ;
diff --git a/nginx/defaults/main.yml b/nginx/defaults/main.yml
index 0591945d..932356b0 100644
--- a/nginx/defaults/main.yml
+++ b/nginx/defaults/main.yml
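Review bot: The new `check_postgrey` command passes no `-H`, and `check_tcp` refuses to run without a host, so the check will return a usage error instead of testing the port; the short form `-p10023` also differs from every other line in the file. Write it as `command[check_postgrey]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 10023`. `check_bkctld` now runs `sudo /usr/sbin/bkctld check`; since anything the nagios user may sudo is reachable from every host in `allowed_hosts`, the sudoers entry that the evolinux-users role adds should be limited to exactly that command line.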
@@ -1,7 +1,8 @@ --- nginx_minimal: False -nginx_jessie_backports: False +# backward compatibility with a previously used variable +nginx_backports: "{{ nginx_jessie_backports | default(false, true) }}" nginx_package_name: "nginx-full" diff --git a/nginx/tasks/main_regular.yml b/nginx/tasks/main_regular.yml index f4dce1d7..559bc5d1 100644 --- a/nginx/tasks/main_regular.yml +++ b/nginx/tasks/main_regular.yml @@ -1,10 +1,6 @@ --- -- include: packages_jessie.yml - when: ansible_distribution_release == "jessie" - -- include: packages_stretch.yml - when: ansible_distribution_major_version | version_compare('9', '>=') +- include: packages.yml # TODO: find a way to override the main configuration # without touching the main file diff --git a/nginx/tasks/packages_stretch.yml b/nginx/tasks/packages.yml similarity index 70% rename from nginx/tasks/packages_stretch.yml rename to nginx/tasks/packages.yml index 565b9b1d..ccbd3705 100644 --- a/nginx/tasks/packages_stretch.yml +++ b/nginx/tasks/packages.yml @@ -1,4 +1,6 @@ ---- +- include: packages_backports.yml + when: nginx_backports + # TODO: install "nginx" + only necessary modules, instead of "nginx-full" - name: Ensure Nginx is installed @@ -7,5 +9,5 @@ state: present notify: restart nginx tags: - - nginx - - packages + - nginx + - packages diff --git a/nginx/tasks/packages_jessie_backports.yml b/nginx/tasks/packages_backports.yml similarity index 86% rename from nginx/tasks/packages_jessie_backports.yml rename to nginx/tasks/packages_backports.yml index 91a6643b..dbb3a76a 100644 --- a/nginx/tasks/packages_jessie_backports.yml +++ b/nginx/tasks/packages_backports.yml @@ -7,8 +7,8 @@ - nginx - packages -- name: Prefer Nginx packages from jessie-backports - copy: +- name: Prefer Nginx packages from backports + template: src: apt/nginx_preferences dest: /etc/apt/preferences.d/999-nginx force: yes diff --git a/nginx/tasks/packages_jessie.yml b/nginx/tasks/packages_jessie.yml deleted file mode 100644 index 25cc18ed..00000000 
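Review bot: `- include: packages_backports.yml` in the new `packages.yml` is gated only on `nginx_backports`, whereas the deleted jessie task list (below in this diff) also required `ansible_distribution_release == "jessie"`; on a release without a `<release>-backports` suite the pin rendered by `templates/apt/nginx_preferences` would point at a suite that does not exist, so either `packages_backports.yml` must add the source for the current release or a precondition should fail early (I cannot see the start of that file here). The hunk also drops the leading `---` document marker while the rest of the repository keeps it; restoring it keeps the files consistent.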
--- a/nginx/tasks/packages_jessie.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-- include: packages_jessie_backports.yml
- when: ansible_distribution_release == "jessie" and nginx_jessie_backports
-
-- name: Ensure Nginx is installed
- apt:
- name: "{{ nginx_package_name }}"
- state: present
- notify: restart nginx
- tags:
- - nginx
- - packages
diff --git a/nginx/files/apt/nginx_preferences b/nginx/templates/apt/nginx_preferences
similarity index 50%
rename from nginx/files/apt/nginx_preferences
rename to nginx/templates/apt/nginx_preferences
index 1c8275d1..84bf65ff 100644
--- a/nginx/files/apt/nginx_preferences
+++ b/nginx/templates/apt/nginx_preferences
@@ -1,3 +1,3 @@
 Package: nginx nginx-* libnginx-* libssl*
-Pin: release a=jessie-backports
+Pin: release a={{ ansible_distribution_release }}-backports
 Pin-Priority: 999
diff --git a/php/handlers/main.yml b/php/handlers/main.yml
index 31c87470..63a3e0a6 100644
--- a/php/handlers/main.yml
+++ b/php/handlers/main.yml
@@ -1,5 +1,11 @@
 ---
-- name: restart php-fpm
+
+- name: restart php5-fpm
 service:
- name: php-fpm
+ name: php5-fpm
+ state: restarted
+
+- name: restart php7.0-fpm
+ service:
+ name: php7.0-fpm
 state: restarted
diff --git a/php/tasks/apache.yml b/php/tasks/apache.yml
deleted file mode 100644
index cefeb95c..00000000
--- a/php/tasks/apache.yml
+++ /dev/null
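Review bot: The pin now reads `Pin: release a={{ ansible_distribution_release }}-backports`, but the `Package:` line still lists `libssl*`, so at priority 999 the host's OpenSSL libraries follow backports on every release this template is applied to; backports is not serviced by the Debian security team the way the stable suite is, which changes how TLS fixes reach the machine. If the backported nginx genuinely needs a newer libssl, say so in a comment in this file; otherwise narrow the pin to `Package: nginx nginx-* libnginx-*`.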
@@ -1,75 +0,0 @@ ---- - -- name: "Install mod_php packages (jessie)" - apt: - name: '{{ item }}' - state: present - with_items: - - libapache2-mod-php5 - - php5 - when: ansible_distribution_release == "jessie" - -- name: "Install mod_php packages (Debian 9 or later)" - apt: - name: '{{ item }}' - state: present - with_items: - - libapache2-mod-php - - php - when: ansible_distribution_major_version | version_compare('9', '>=') - -- name: "Set php.ini config for apache2 (jessie)" - set_fact: - php_apache_defaults_file: /etc/php5/apache2/conf.d/z-evolinux-defaults.ini - php_apache_custom_file: /etc/php5/apache2/conf.d/zzz-evolinux-custom.ini - when: ansible_distribution_release == "jessie" - -- name: "Set php.ini config for apache2 (Debian 9 or later)" - set_fact: - php_apache_defaults_file: /etc/php/7.0/apache2/conf.d/z-evolinux-defaults.ini - php_apache_custom_file: /etc/php/7.0/apache2/conf.d/zzz-evolinux-custom.ini - when: ansible_distribution_major_version | version_compare('9', '>=') - -- name: Set default values for PHP - ini_file: - dest: "{{ php_apache_defaults_file }}" - section: PHP - option: "{{ item.option }}" - value: "{{ item.value }}" - mode: "0644" - create: yes - with_items: - - { option: "short_open_tag", value: "Off" } - - { option: "expose_php", value: "Off" } - - { option: "display_errors", value: "Off" } - - { option: "log_errors", value: "On" } - - { option: "html_errors", value: "Off" } - - { option: "allow_url_fopen", value: "Off" } - -- name: Disable PHP functions - ini_file: - dest: "{{ php_apache_defaults_file }}" - section: PHP - option: disable_functions - value: "exec,shell-exec,system,passthru,putenv,popen" - mode: "0644" - -- name: Custom php.ini - copy: - dest: "{{ php_apache_custom_file }}" - content: | - ; Put customized values here. 
- ; default_charset = "ISO-8859-1"
- mode: "0644"
- force: no
-
-- name: "Set custom values for PHP to enable Symfony"
- ini_file:
- dest: "{{ php_apache_custom_file }}"
- section: PHP
- option: "{{ item.option }}"
- value: "{{ item.value }}"
- mode: "0644"
- with_items:
- - { option: "date.timezone", value: "Europe/Paris" }
- when: php_symfony_requirements
diff --git a/php/tasks/config_apache.yml b/php/tasks/config_apache.yml
new file mode 100644
index 00000000..a199c651
--- /dev/null
+++ b/php/tasks/config_apache.yml
@@ -0,0 +1,45 @@
+---
+
+- name: Set default values for PHP
+ ini_file:
+ dest: "{{ php_apache_defaults_ini_file }}"
+ section: PHP
+ option: "{{ item.option }}"
+ value: "{{ item.value }}"
+ mode: "0644"
+ create: yes
+ with_items:
+ - { option: "short_open_tag", value: "Off" }
+ - { option: "expose_php", value: "Off" }
+ - { option: "display_errors", value: "Off" }
+ - { option: "log_errors", value: "On" }
+ - { option: "html_errors", value: "Off" }
+ - { option: "allow_url_fopen", value: "Off" }
+
+- name: Disable PHP functions
+ ini_file:
+ dest: "{{ php_apache_defaults_ini_file }}"
+ section: PHP
+ option: disable_functions
+ value: "exec,shell-exec,system,passthru,putenv,popen"
+ mode: "0644"
+
+- name: Custom php.ini
+ copy:
+ dest: "{{ php_apache_custom_ini_file }}"
+ content: |
+ ; Put customized values here.
+ ; default_charset = "ISO-8859-1"
+ mode: "0644"
+ force: no
+
+- name: "Set custom values for PHP to enable Symfony"
+ ini_file:
+ dest: "{{ php_apache_custom_ini_file }}"
+ section: PHP
+ option: "{{ item.option }}"
+ value: "{{ item.value }}"
+ mode: "0644"
+ with_items:
+ - { option: "date.timezone", value: "Europe/Paris" }
+ when: php_symfony_requirements
diff --git a/php/tasks/config_cli.yml b/php/tasks/config_cli.yml
new file mode 100644
index 00000000..75c81080
--- /dev/null
+++ b/php/tasks/config_cli.yml
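Review bot: `disable_functions` in the new `config_apache.yml` lists `shell-exec`, but the PHP function is `shell_exec` (underscore), so it is not disabled and the hardening this task is meant to provide silently misses it; the same value is written by `config_cli.yml` and by `config_fpm.yml` later in this diff. Change the value to `"exec,shell_exec,system,passthru,putenv,popen"` in all three files, and consider adding `proc_open` and `pcntl_exec`, which grant the same capability. The deleted `apache.yml` carried the same typo, so this move is the moment to fix it rather than copy it forward.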
@@ -0,0 +1,48 @@
+---
+- name: "Set default php.ini values for CLI (jessie)"
+ ini_file:
+ dest: "{{ php_cli_defaults_ini_file }}"
+ section: PHP
+ option: "{{ item.option }}"
+ value: "{{ item.value }}"
+ mode: "0644"
+ create: yes
+ with_items:
+ - { option: "short_open_tag", value: "Off" }
+ - { option: "expose_php", value: "Off" }
+ - { option: "display_errors", value: "Off" }
+ - { option: "log_errors", value: "On" }
+ - { option: "html_errors", value: "Off" }
+ - { option: "allow_url_fopen", value: "Off" }
+
+- name: "Disable PHP functions for CLI (jessie)"
+ ini_file:
+ dest: "{{ php_cli_defaults_ini_file }}"
+ section: PHP
+ option: disable_functions
+ value: "exec,shell-exec,system,passthru,putenv,popen"
+
+- name: Custom php.ini for CLI (jessie)
+ copy:
+ dest: "{{ php_cli_custom_ini_file }}"
+ content: |
+ ; Put customized values here.
+ force: no
+
+# This task is not merged with the above copy
+# because "force: no" prevents any fix after the fact
+- name: "Permissions for custom php.ini for CLI (jessie)"
+ file:
+ dest: "{{ php_cli_custom_ini_file }}"
+ mode: "0644"
+
+- name: "Set custom values for PHP to enable Symfony (jessie)"
+ ini_file:
+ dest: "{{ php_cli_custom_ini_file }}"
+ section: PHP
+ option: "{{ item.option }}"
+ value: "{{ item.value }}"
+ mode: "0644"
+ with_items:
+ - { option: "date.timezone", value: "Europe/Paris" }
+ when: php_symfony_requirements
diff --git a/php/tasks/fpm.yml b/php/tasks/config_fpm.yml
similarity index 51%
rename from php/tasks/fpm.yml
rename to php/tasks/config_fpm.yml
index 6736f971..45cab1f1 100644
--- a/php/tasks/fpm.yml
+++ b/php/tasks/config_fpm.yml
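Review bot: Every task name in this new file carries the suffix "(jessie)" although the file is distribution-neutral and takes its paths from `php_cli_defaults_ini_file` / `php_cli_custom_ini_file`; on other releases the play output will be misleading. Drop the suffix, e.g. `- name: "Set default php.ini values for CLI"`. The separate "Permissions" task with its explanatory comment is a good pattern; `config_apache.yml` sets `mode` inside its `force: no` copy and would benefit from the same split.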
@@ -1,42 +1,8 @@ --- -- name: "Install PHP FPM packages (jessie)" - apt: - name: '{{ item }}' - state: present - with_items: - - php5-fpm - - php5 - when: ansible_distribution_release == "jessie" - -- name: "Install PHP FPM packages (Debian 9 or later)" - apt: - name: '{{ item }}' - state: present - with_items: - - php-fpm - - php - when: ansible_distribution_major_version | version_compare('9', '>=') - -- name: "Set config files for FPM (jessie)" - set_fact: - phpini_fpm_defaults_file: /etc/php5/fpm/conf.d/z-evolinux-defaults.ini - phpini_fpm_custom_file: /etc/php5/fpm/conf.d/zzz-evolinux-custom.ini - php_fpm_defaults_file: /etc/php5/fpm/pool.d/z-evolinux-defaults.conf - php_fpm_custom_file: /etc/php5/fpm/pool.d/zzz-evolinux-custom.conf - when: ansible_distribution_release == "jessie" - -- name: "Set config files for FPM (Debian 9 or later)" - set_fact: - phpini_fpm_defaults_file: /etc/php/7.0/fpm/conf.d/z-evolinux-defaults.ini - phpini_fpm_custom_file: /etc/php/7.0/fpm/conf.d/zzz-evolinux-custom.ini - php_fpm_defaults_file: /etc/php/7.0/fpm/pool.d/z-evolinux-defaults.conf - php_fpm_custom_file: /etc/php/7.0/fpm/pool.d/zzz-evolinux-custom.conf - when: ansible_distribution_major_version | version_compare('9', '>=') - - name: Set default php.ini values for FPM ini_file: - dest: "{{ phpini_fpm_defaults_file }}" + dest: "{{ php_fpm_defaults_ini_file }}" section: PHP option: "{{ item.option }}" value: "{{ item.value }}" 
@@ -49,27 +15,27 @@
 - { option: "log_errors", value: "On" }
 - { option: "html_errors", value: "Off" }
 - { option: "allow_url_fopen", value: "Off" }
- notify: restart php-fpm
+ notify: "restart {{ php_fpm_service_name }}"
 
 - name: Disable PHP functions for FPM
 ini_file:
- dest: "{{ phpini_fpm_defaults_file }}"
+ dest: "{{ php_fpm_defaults_ini_file }}"
 section: PHP
 option: disable_functions
 value: "exec,shell-exec,system,passthru,putenv,popen"
- notify: restart php-fpm
+ notify: "restart {{ php_fpm_service_name }}"
 
 - name: Custom php.ini for FPM
 copy:
- dest: "{{ phpini_fpm_custom_file }}"
+ dest: "{{ php_fpm_custom_ini_file }}"
 content: |
 ; Put customized values here.
 force: no
- notify: restart php-fpm
+ notify: "restart {{ php_fpm_service_name }}"
 
 - name: Set default PHP FPM values
 ini_file:
- dest: "{{ php_fpm_defaults_file }}"
+ dest: "{{ php_fpm_defaults_conf_file }}"
 section: www
 option: "{{ item.option }}"
 value: "{{ item.value }}"
@@ -79,32 +45,32 @@
 - { option: "pm", value: "ondemand" }
 - { option: "pm.max_children", value: "100" }
 - { option: "pm.process_idle_timeout", value: "10s" }
- - { option: "slowlog", value: "log/$pool.log.slow" }
+ - { option: "slowlog", value: "/var/log/$pool.log.slow" }
 - { option: "request_slowlog_timeout", value: "5s" }
 - { option: "pm.status_path", value: "/fpm_status" }
 - { option: "request_terminate_timeout", value: "60s" }
 - { option: "chroot", value: "/var/www/html" }
- notify: restart php-fpm
+ notify: "restart {{ php_fpm_service_name }}"
 when: ansible_distribution_major_version | version_compare('9', '>=')
 
 - name: Custom PHP FPM values
 copy:
- dest: "{{ php_fpm_custom_file }}"
+ dest: "{{ php_fpm_custom_conf_file }}"
 content: |
 ; Put customized values here.
 ; default_charset = "ISO-8859-1"
 mode: "0644"
 force: no
- notify: restart php-fpm
+ notify: "restart {{ php_fpm_service_name }}"
 
 - name: "Set custom values for PHP to enable Symfony"
 ini_file:
- dest: "{{ phpini_cli_custom_file }}"
+ dest: "{{ php_cli_custom_ini_file }}"
 section: PHP
 option: "{{ item.option }}"
 value: "{{ item.value }}"
 mode: "0644"
 with_items:
 - { option: "date.timezone", value: "Europe/Paris" }
- notify: restart php-fpm
+ notify: "restart {{ php_fpm_service_name }}"
 when: php_symfony_requirements
diff --git a/php/tasks/main.yml b/php/tasks/main.yml
index 9b1d3375..38ece76b 100644
--- a/php/tasks/main.yml
+++ b/php/tasks/main.yml
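Review bot: The "Set custom values for PHP to enable Symfony" task at the end of this hunk writes to `{{ php_cli_custom_ini_file }}` while notifying the FPM restart, and `config_cli.yml` in this same diff already performs that exact write; the renamed variable family suggests the FPM file was intended, i.e. `dest: "{{ php_fpm_custom_ini_file }}"`. As written FPM never receives `date.timezone` and the FPM service is restarted for a CLI-only change. The old name `phpini_cli_custom_file` had the same mix-up, so it is worth confirming with the author before treating it as deliberate.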
@@ -5,18 +5,8 @@
when:
- ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<')
-- include: php_jessie.yml
+- include: main_jessie.yml
when: ansible_distribution_release == "jessie"
-- include: php_stretch_sury.yml
- when: ansible_distribution_major_version | version_compare('9', '>=') and php_sury_enable
-
-- include: php_stretch.yml
+- include: main_stretch.yml
when: ansible_distribution_major_version | version_compare('9', '>=')
-
-- include: fpm.yml
- when: php_fpm_enable
-
-- include: apache.yml
- when: php_apache_enable
-
diff --git a/php/tasks/main_jessie.yml b/php/tasks/main_jessie.yml
new file mode 100644
index 00000000..e8d8d85e
--- /dev/null
+++ b/php/tasks/main_jessie.yml
@@ -0,0 +1,80 @@ +--- + +- name: "Set variables (jessie)" + set_fact: + php_cli_defaults_ini_file: /etc/php5/cli/conf.d/z-evolinux-defaults.ini + php_cli_custom_ini_file: /etc/php5/cli/conf.d/zzz-evolinux-custom.ini + php_apache_defaults_ini_file: /etc/php5/apache2/conf.d/z-evolinux-defaults.ini + php_apache_custom_ini_file: /etc/php5/apache2/conf.d/zzz-evolinux-custom.ini + php_fpm_defaults_ini_file: /etc/php5/fpm/conf.d/z-evolinux-defaults.ini + php_fpm_custom_ini_file: /etc/php5/fpm/conf.d/zzz-evolinux-custom.ini + php_fpm_defaults_conf_file: /etc/php5/fpm/pool.d/z-evolinux-defaults.conf + php_fpm_custom_conf_file: /etc/php5/fpm/pool.d/zzz-evolinux-custom.conf + php_fpm_service_name: php5-fpm + +# Packages + +- name: "Install PHP packages (jessie)" + apt: + name: '{{ item }}' + state: present + with_items: + - php5-cli + - php5-gd + - php5-imap + - php5-ldap + - php5-mcrypt + - php5-mysql + - php5-pgsql + - php-gettext + - php5-intl + - php5-curl + - php5-ssh2 + - libphp-phpmailer + +- name: "Install mod_php packages (jessie)" + apt: + name: '{{ item }}' + state: present + with_items: + - libapache2-mod-php5 + - php5 + when: php_apache_enable + +- name: "Install PHP FPM packages (jessie)" + apt: + name: '{{ item }}' + state: present + with_items: + - php5-fpm + - php5 + when: php_fpm_enable + +# Configuration + +- name: Enforce permissions on PHP directory + file: + dest: /etc/php5 + mode: "0755" + +- include: config_cli.yml +- name: Enforce permissions on PHP cli directory + file: + dest: /etc/php5/cli + mode: "0755" + +- include: config_fpm.yml + when: php_fpm_enable +- name: Enforce permissions on PHP fpm directory + file: + dest: /etc/php5/fpm + mode: "0755" + when: php_fpm_enable + +- include: config_apache.yml + when: php_apache_enable +- name: Enforce permissions on PHP apache2 directory + file: + dest: /etc/php5/apache2 + mode: "0755" + when: php_apache_enable 
diff --git a/php/tasks/main_stretch.yml b/php/tasks/main_stretch.yml
new file mode 100644
index 00000000..d97ba527
--- /dev/null
+++ b/php/tasks/main_stretch.yml
@@ -0,0 +1,94 @@ +--- + +- name: "Set variables (Debian 9 or later)" + set_fact: + php_cli_defaults_ini_file: /etc/php/7.0/cli/conf.d/z-evolinux-defaults.ini + php_cli_custom_ini_file: /etc/php/7.0/cli/conf.d/zzz-evolinux-custom.ini + php_apache_defaults_ini_file: /etc/php/7.0/apache2/conf.d/z-evolinux-defaults.ini + php_apache_custom_ini_file: /etc/php/7.0/apache2/conf.d/zzz-evolinux-custom.ini + php_fpm_defaults_ini_file: /etc/php/7.0/fpm/conf.d/z-evolinux-defaults.ini + php_fpm_custom_ini_file: /etc/php/7.0/fpm/conf.d/zzz-evolinux-custom.ini + php_fpm_defaults_conf_file: /etc/php/7.0/fpm/pool.d/z-evolinux-defaults.conf + php_fpm_custom_conf_file: /etc/php/7.0/fpm/pool.d/zzz-evolinux-custom.conf + php_fpm_service_name: php7.0-fpm + +# Packages + +- name: "Set package list (Debian 9 or later)" + set_fact: + php_stretch_packages: + - php-cli + - php-gd + - php-intl + - php-imap + - php-ldap + - php-mysql + # php-mcrypt is no longer packaged for PHP 7.2 + - php-pgsql + - php-gettext + - php-curl + - php-ssh2 + - composer + - libphp-phpmailer + +- include: sury_pre.yml + when: php_sury_enable + +- name: "Install PHP packages (Debian 9 or later)" + apt: + name: '{{ item }}' + state: present + with_items: "{{ php_stretch_packages }}" + +- name: "Install mod_php packages (Debian 9 or later)" + apt: + name: '{{ item }}' + state: present + with_items: + - libapache2-mod-php + - php + when: php_apache_enable + +- name: "Install PHP FPM packages (Debian 9 or later)" + apt: + name: '{{ item }}' + state: present + with_items: + - php-fpm + - php + when: php_fpm_enable + +# Configuration + +- name: Enforce permissions on PHP directory + file: + dest: "{{ item }}" + mode: "0755" + with_items: + - /etc/php + - /etc/php/7.0 + +- include: config_cli.yml +- name: Enforce permissions on PHP cli directory + file: + dest: /etc/php/7.0/cli + mode: "0755" + +- include: config_fpm.yml + when: php_fpm_enable +- name: Enforce permissions on PHP fpm directory + file: + dest: 
/etc/php/7.0/fpm + mode: "0755" + when: php_fpm_enable + +- include: config_apache.yml + when: php_apache_enable +- name: Enforce permissions on PHP apache2 directory + file: + dest: /etc/php/7.0/apache2 + mode: "0755" + when: php_apache_enable + +- include: sury_post.yml + when: php_sury_enable diff --git a/php/tasks/php_jessie.yml b/php/tasks/php_jessie.yml deleted file mode 100644 index 5d1d6965..00000000 --- a/php/tasks/php_jessie.yml +++ /dev/null 
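Review bot: `php_fpm_service_name: php7.0-fpm` and the `/etc/php/7.0/...` paths in the first `set_fact` are unconditional, yet when `php_sury_enable` is true the Sury packages installed a few tasks later are a newer PHP (the package-list comment itself says `php-mcrypt is no longer packaged for PHP 7.2`). On such a host the `restart php7.0-fpm` handler would target a service that may not exist, so pool changes would never be applied, and `Enforce permissions on PHP directory` would fail on a missing `/etc/php/7.0` — unless stretch's own `php7.0-*` packages are still pulled in, which this diff does not show. A single derived fact, e.g. `php_version: "{{ '7.2' if php_sury_enable else '7.0' }}"`, with the paths and service name built from it would remove the duplication; sury_post.yml symlinks the 7.0 config into 7.2 but leaves the service name untouched.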
@@ -1,66 +0,0 @@ ---- - -- name: "Install PHP packages (jessie)" - apt: - name: '{{ item }}' - state: present - with_items: - - php5-cli - - php5-gd - - php5-imap - - php5-ldap - - php5-mcrypt - - php5-mysql - - php5-pgsql - - php-gettext - - php5-intl - - php5-curl - - php5-ssh2 - - libphp-phpmailer - -- name: "Set php.ini config for CLI (jessie)" - set_fact: - phpini_cli_defaults_file: /etc/php5/cli/conf.d/z-evolinux-defaults.ini - phpini_cli_custom_file: /etc/php5/cli/conf.d/zzz-evolinux-custom.ini - -- name: "Set default php.ini values for CLI (jessie)" - ini_file: - dest: "{{ phpini_cli_defaults_file }}" - section: PHP - option: "{{ item.option }}" - value: "{{ item.value }}" - mode: "0644" - create: yes - with_items: - - { option: "short_open_tag", value: "Off" } - - { option: "expose_php", value: "Off" } - - { option: "display_errors", value: "Off" } - - { option: "log_errors", value: "On" } - - { option: "html_errors", value: "Off" } - - { option: "allow_url_fopen", value: "Off" } - -- name: "Disable PHP functions for CLI (jessie)" - ini_file: - dest: "{{ phpini_cli_defaults_file }}" - section: PHP - option: disable_functions - value: "exec,shell-exec,system,passthru,putenv,popen" - -- name: Custom php.ini for CLI - copy: - dest: "{{ phpini_cli_custom_file }}" - mode: "0644" - content: | - ; Put customized values here. - force: no - -- name: "Set custom values for PHP to enable Symfony (jessie)" - ini_file: - dest: "{{ phpini_cli_custom_file }}" - section: PHP - option: "{{ item.option }}" - value: "{{ item.value }}" - mode: "0644" - with_items: - - { option: "date.timezone", value: "Europe/Paris" } - when: php_symfony_requirements diff --git a/php/tasks/php_stretch.yml b/php/tasks/php_stretch.yml deleted file mode 100644 index f20dbafb..00000000 --- a/php/tasks/php_stretch.yml +++ /dev/null 
@@ -1,68 +0,0 @@ ---- - -- name: "Install PHP packages (Debian 9 or later)" - apt: - name: '{{ item }}' - state: present - with_items: - - php-cli - - php-gd - - php-intl - - php-imap - - php-ldap - - php-mcrypt - - php-mysql - - php-pgsql - - php-gettext - - php-curl - - php-ssh2 - - composer - - libphp-phpmailer - -- name: "Set php.ini config for CLI (Debian 9 or later)" - set_fact: - phpini_cli_defaults_file: /etc/php/7.0/cli/conf.d/z-evolinux-defaults.ini - phpini_cli_custom_file: /etc/php/7.0/cli/conf.d/zzz-evolinux-custom.ini - -- name: "Set default php.ini values for CLI (Debian 9 or later)" - ini_file: - dest: "{{ phpini_cli_defaults_file }}" - section: PHP - option: "{{ item.option }}" - value: "{{ item.value }}" - mode: "0644" - create: yes - with_items: - - { option: "short_open_tag", value: "Off" } - - { option: "expose_php", value: "Off" } - - { option: "display_errors", value: "Off" } - - { option: "log_errors", value: "On" } - - { option: "html_errors", value: "Off" } - - { option: "allow_url_fopen", value: "Off" } - -- name: "Disable PHP functions for CLI (Debian 9 or later)" - ini_file: - dest: "{{ phpini_cli_defaults_file }}" - section: PHP - option: disable_functions - value: "exec,shell-exec,system,passthru,putenv,popen" - -- name: "Custom php.ini for CLI (Debian 9 or later)" - copy: - dest: "{{ phpini_cli_custom_file }}" - mode: "0644" - content: | - ; Put customized values here. - ; default_charset = "ISO-8859-1" - force: no - -- name: "Set custom values for PHP to enable Symfony (Debian 9 or later)" - ini_file: - dest: "{{ phpini_cli_custom_file }}" - section: PHP - option: "{{ item.option }}" - value: "{{ item.value }}" - mode: "0644" - with_items: - - { option: "date.timezone", value: "Europe/Paris" } - when: php_symfony_requirements diff --git a/php/tasks/sury_post.yml b/php/tasks/sury_post.yml new file mode 100644 index 00000000..325b78e8 --- /dev/null +++ b/php/tasks/sury_post.yml 
@@ -0,0 +1,52 @@ +--- + +- name: Symlink Evolix CLI config files from 7.2 to 7.0 + file: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + force: yes + state: link + with_items: + - { src: "{{ php_cli_defaults_ini_file }}", dest: "/etc/php/7.2/cli/conf.d/z-evolinux-defaults.ini" } + - { src: "{{ php_cli_custom_ini_file }}", dest: "/etc/php/7.2/cli/conf.d/zzz-evolinux-custom.ini" } + +- name: Enforce permissions on PHP 7.2/cli directory + file: + dest: /etc/php/7.2/cli + mode: "0755" + +- name: Symlink Evolix Apache config files from 7.2 to 7.0 + file: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + force: yes + state: link + with_items: + - { src: "{{ php_apache_defaults_ini_file }}", dest: "/etc/php/7.2/apache2/conf.d/z-evolinux-defaults.ini" } + - { src: "{{ php_apache_custom_ini_file }}", dest: "/etc/php/7.2/apache2/conf.d/zzz-evolinux-custom.ini" } + when: php_apache_enable + +- name: Enforce permissions on PHP 7.2/cli directory + file: + dest: /etc/php/7.2/apache2 + mode: "0755" + when: php_apache_enable + +- name: Symlink Evolix FPM config files from 7.2 to 7.0 + file: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + force: yes + state: link + with_items: + - { src: "{{ php_fpm_defaults_ini_file }}", dest: "/etc/php/7.2/fpm/conf.d/z-evolinux-defaults.ini" } + - { src: "{{ php_fpm_custom_ini_file }}", dest: "/etc/php/7.2/fpm/conf.d/zzz-evolinux-custom.ini" } + - { src: "{{ php_fpm_defaults_conf_file }}", dest: "/etc/php/7.2/fpm/pool.d/z-evolinux-defaults.conf" } + - { src: "{{ php_fpm_custom_conf_file }}", dest: "/etc/php/7.2/fpm/pool.d/zzz-evolinux-custom.conf" } + when: php_fpm_enable + +- name: Enforce permissions on PHP 7.2/cli directory + file: + dest: /etc/php/7.2/fpm + mode: "0755" + when: php_fpm_enable diff --git a/php/tasks/php_stretch_sury.yml b/php/tasks/sury_pre.yml similarity index 62% rename from php/tasks/php_stretch_sury.yml rename to php/tasks/sury_pre.yml index be549804..9ab816ab 100644 --- a/php/tasks/php_stretch_sury.yml 
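Review bot: The three permission tasks are all named `Enforce permissions on PHP 7.2/cli directory` although the second and third act on `/etc/php/7.2/apache2` and `/etc/php/7.2/fpm`; rename them `Enforce permissions on PHP 7.2/apache2 directory` and `Enforce permissions on PHP 7.2/fpm directory` so the play output says what actually changed. The symlink tasks use `force: yes`, which replaces any regular file already present at the 7.2 destination — presumably intended for files this role wrote earlier, but it will also silently overwrite a hand-edited `zzz-evolinux-custom.*` in the 7.2 tree, and the task titles say "from 7.2 to 7.0" while the links are created in 7.2 pointing at 7.0. The `file: state: link` tasks also run before any `state: directory` step for `/etc/php/7.2/<sapi>`, so if those directories are not created by the packages the link tasks fail first; worth confirming or adding the directory step ahead of them.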
+++ b/php/tasks/sury_pre.yml @@ -21,3 +21,20 @@ repo: "deb https://packages.sury.org/php/ stretch main" filename: sury state: present + +- name: "Override package list for Sury (Debian 9 or later)" + set_fact: + php_stretch_packages: + - php-cli + - php-gd + - php-intl + - php-imap + - php-ldap + - php-mysql + # php-mcrypt is no longer packaged for PHP 7.2 + - php-pgsql + - php-gettext + - php-curl + - php-ssh2 + - composer + - libphp-phpmailer diff --git a/postgresql/tests/test.yml b/postgresql/tests/test.yml index 0ab835ec..d8386b29 100644 --- a/postgresql/tests/test.yml +++ b/postgresql/tests/test.yml @@ -5,7 +5,7 @@ - name: Install locales apt: name: locales - state: installed + state: present changed_when: false - name: Setting default locales diff --git a/rabbitmq/tasks/nrpe.yml b/rabbitmq/tasks/nrpe.yml index 116bd75d..02c7c97b 100644 --- a/rabbitmq/tasks/nrpe.yml +++ b/rabbitmq/tasks/nrpe.yml @@ -3,7 +3,7 @@ - name: check_rabbitmq dependencies apt: name: python-requests - state: installed + state: present - include_role: name: remount-usr diff --git a/rbenv/defaults/main.yml b/rbenv/defaults/main.yml index 6a75a5b1..39467eaa 100644 --- a/rbenv/defaults/main.yml +++ b/rbenv/defaults/main.yml 
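Review bot: The `php_stretch_packages` override added here is identical, item for item, to the list set in main_stretch.yml (same packages, same `php-mcrypt` comment), so this `set_fact` changes nothing today and the two copies will drift silently the next time one is edited. Either drop the task until Sury really needs a different set, or keep only the differing entries and merge them, e.g. `php_stretch_packages: "{{ php_stretch_packages + ['<extra-package>'] }}"`. The context line `repo: "deb https://packages.sury.org/php/ stretch main"` fetches over HTTPS, but the key import that makes apt's signature check meaningful lies above this hunk, so I could not confirm whether it is pinned to a key fingerprint or fetched by URL at run time.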
@@ -1,13 +1,15 @@ --- rbenv_version: v1.1.1 -rbenv_ruby_version: 2.5.0 +rbenv_ruby_version: 2.5.1 rbenv_root: "~/.rbenv" rbenv_repo: "https://github.com/rbenv/rbenv.git" rbenv_plugins: -- { name: "rbenv-vars", repo: "https://github.com/rbenv/rbenv-vars.git", version: "v1.2.0" } -- { name: "ruby-build", repo: "https://github.com/rbenv/ruby-build.git", version: "master" } -- { name: "rbenv-default-gems", repo: "https://github.com/rbenv/rbenv-default-gems.git", version: "master" } -- { name: "rbenv-installer", repo: "https://github.com/rbenv/rbenv-installer.git", version: "master" } -- { name: "rbenv-update", repo: "https://github.com/rkh/rbenv-update.git", version: "master" } -- { name: "rbenv-whatis", repo: "https://github.com/rkh/rbenv-whatis.git", version: "v1.0.0" } -- { name: "rbenv-use", repo: "https://github.com/rkh/rbenv-use.git", version: "v1.0.0" } + - { name: "rbenv-vars", repo: "https://github.com/rbenv/rbenv-vars.git", version: "v1.2.0" } + - { name: "ruby-build", repo: "https://github.com/rbenv/ruby-build.git", version: "master" } + - { name: "rbenv-default-gems", repo: "https://github.com/rbenv/rbenv-default-gems.git", version: "master" } + - { name: "rbenv-installer", repo: "https://github.com/rbenv/rbenv-installer.git", version: "master" } + - { name: "rbenv-update", repo: "https://github.com/rkh/rbenv-update.git", version: "master" } + - { name: "rbenv-whatis", repo: "https://github.com/rkh/rbenv-whatis.git", version: "v1.0.0" } + - { name: "rbenv-use", repo: "https://github.com/rkh/rbenv-use.git", version: "v1.0.0" } +rbenv_default_gems: + - bundler diff --git a/rbenv/files/default-gems b/rbenv/files/default-gems deleted file mode 100644 index b841526f..00000000 --- a/rbenv/files/default-gems +++ /dev/null @@ -1 +0,0 @@ -bundler diff --git a/rbenv/tasks/main.yml b/rbenv/tasks/main.yml index aa914508..693ff0f6 100644 --- a/rbenv/tasks/main.yml +++ b/rbenv/tasks/main.yml 
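Review bot: `ruby-build`, `rbenv-default-gems`, `rbenv-installer` and `rbenv-update` stay pinned to `version: "master"`, and the new `rbenv_default_gems: - bundler` entry carries no version either, so each run of the role installs whatever those upstream branches and rubygems.org serve that day; the plugins are cloned with `git` and then executed as the user, which makes the result non-reproducible and hard to audit afterwards. The commit only re-indents those lines, but since the file is being touched it is the natural place to pin each plugin to a tag the way `rbenv-vars`, `rbenv-whatis` and `rbenv-use` already are, and to pin `bundler` if the default-gems file format accepts a version (not shown here). `rbenv_version: v1.1.1` is already pinned, which is the pattern to follow.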
@@ -1,31 +1,33 @@ --- -- name: Rbenv dependencies are installed +- name: "Rbenv dependencies are installed" apt: name: '{{ item }}' state: present with_items: - - build-essential - - git - - libcurl4-openssl-dev - - libffi-dev - - libreadline-dev - - libssl-dev - - libxml2-dev - - libxslt1-dev - - zlib1g-dev + - build-essential + - git + - libcurl4-openssl-dev + - libffi-dev + - libreadline-dev + - libssl-dev + - libxml2-dev + - libxslt1-dev + - zlib1g-dev tags: - - rbenv - - packages + - rbenv + - packages -- name: gemrc for {{ username }} +- name: "gemrc for {{ username }}" copy: src: gemrc dest: "~{{ username }}/.gemrc" owner: '{{ username }}' group: '{{ username }}' + tags: + - rbenv -- name: Rbenv repository is checked out for {{ username }} +- name: "Rbenv repository is checked out for {{ username }}" git: repo: '{{ rbenv_repo }}' dest: '{{ rbenv_root }}' @@ -35,25 +37,31 @@ become_user: "{{ username }}" become: yes tags: - - rbenv + - rbenv -- name: default gems are installed for {{ username }} - copy: - src: default-gems +- name: "default gems are installed for {{ username }}" + lineinfile: dest: '{{ rbenv_root }}/default-gems' + line: "{{ item }}" owner: '{{ username }}' group: '{{ username }}' + create: yes + with_items: '{{ rbenv_default_gems }}' + become_user: "{{ username }}" + become: yes + tags: + - rbenv -- name: plugins directory for {{ username }} +- name: "plugins directory for {{ username }}" file: path: '{{ rbenv_root }}/plugins' state: directory become_user: "{{ username }}" become: yes tags: - - rbenv + - rbenv -- name: plugins are installed for {{ username }} +- name: "plugins are installed for {{ username }}" git: repo: '{{ item.repo }}' dest: '{{ rbenv_root }}/plugins/{{ item.name }}' 
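Review bot: Replacing `copy` with `lineinfile ... create: yes` in `default gems are installed for {{ username }}` makes the file additive: a gem later removed from `rbenv_default_gems` stays in `{{ rbenv_root }}/default-gems` on already-provisioned hosts, and a line edited by hand is never reverted, so the task no longer converges on the variable. If the file is meant to mirror the variable, `copy: content: "{{ rbenv_default_gems | join('\n') }}\n"` (or a template) keeps the one-gem-per-line result while restoring that guarantee; if the additive behaviour is wanted, a comment on the task saying so would save the next reader the question. The second hunk on this line starts mid-task, so the `git` task it opens with is only partly visible.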
@@ -65,9 +73,9 @@ become_user: "{{ username }}" become: yes tags: - - rbenv + - rbenv -- name: Rbenv is initialized in profile for {{ username }} +- name: "Rbenv is initialized in profile for {{ username }}" blockinfile: dest: '~{{ username }}/.profile' block: | @@ -77,9 +85,9 @@ become_user: "{{ username }}" become: yes tags: - - rbenv + - rbenv -- name: is Ruby {{ rbenv_ruby_version }} available for {{ username }} ? +- name: "is Ruby {{ rbenv_ruby_version }} available for {{ username }} ?" shell: /bin/bash -lc "rbenv versions | grep {{ rbenv_ruby_version }}" args: warn: no @@ -89,9 +97,9 @@ become_user: "{{ username }}" become: yes tags: - - rbenv + - rbenv -- name: Ruby {{ rbenv_ruby_version }} is available for {{ username }} (be patient... could be long) +- name: "Ruby {{ rbenv_ruby_version }} is available for {{ username }} (be patient... could be long)" shell: /bin/bash -lc "TMPDIR=~/tmp rbenv install {{ rbenv_ruby_version }}" args: warn: no @@ -99,9 +107,9 @@ become_user: "{{ username }}" become: yes tags: - - rbenv + - rbenv -- name: is Ruby {{ rbenv_ruby_version }} selected for {{ username }} ? +- name: "is Ruby {{ rbenv_ruby_version }} selected for {{ username }} ?" shell: /bin/bash -lc "rbenv version | cut -d ' ' -f 1 | grep -Fx '{{ rbenv_ruby_version }}'" args: warn: no @@ -111,9 +119,9 @@ become_user: "{{ username }}" become: yes tags: - - rbenv + - rbenv -- name: select Ruby {{ rbenv_ruby_version }} for {{ username }} +- name: "select Ruby {{ rbenv_ruby_version }} for {{ username }}" shell: /bin/bash -lc "rbenv global {{ rbenv_ruby_version }} && rbenv rehash" args: warn: no @@ -121,4 +129,4 @@ become_user: "{{ username }}" become: yes tags: - - rbenv + - rbenv diff --git a/redis/tasks/munin.yml b/redis/tasks/munin.yml index 2535a369..5f2a2dc7 100644 --- a/redis/tasks/munin.yml +++ b/redis/tasks/munin.yml 
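Review bot: The availability probe `shell: /bin/bash -lc "rbenv versions | grep {{ rbenv_ruby_version }}"` is an unanchored regex match, so `2.5.1` also matches `2.5.10` or `2.5.1-rc1` and the dots match any character, whereas the sibling `is Ruby ... selected` check a few lines below already uses `grep -Fx`. Using the same strictness here, e.g. `rbenv versions --bare | grep -Fx '{{ rbenv_ruby_version }}'`, prevents a near-miss version from skipping the install step. The `register`/`changed_when` handling of these probes lies between the hunks and is not visible.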
@@ -66,11 +66,17 @@
option: env.password
value: '{{ redis_password }}'
notify: restart munin-node
- when: "redis_password != '' and redis_password != None and {{munin_redis_blocs_in_config.stdout | int}} <= 1"
+ when:
+ - redis_password != ''
+ - redis_password != None
+ - (munin_redis_blocs_in_config.stdout | int) <= 1
tags: redis
- name: Warn if multiple instance in munin-plugins configuration
debug:
msg: "WARNING - It seems you have multiple redis sections in your munin-node configuration - Munin config NOT changed"
- when: "redis_password != '' and redis_password != None and {{munin_redis_blocs_in_config.stdout | int}} > 1 "
+ when:
+ - redis_password != ''
+ - redis_password != None
+ - (munin_redis_blocs_in_config.stdout | int) > 1
diff --git a/redmine/tasks/main.yml b/redmine/tasks/main.yml
index 7864fa51..d5a93a36 100644
--- a/redmine/tasks/main.yml
+++ b/redmine/tasks/main.yml
@@ -194,6 +194,7 @@
option: '{{ item.option }}'
value: '{{ item.value }}'
with_items:
+ - { option: 'host', value: "{{ redmine_db_host }}" }
- { option: 'user', value: "{{ redmine_db_username }}" }
- { option: 'database', value: "{{ redmine_db_name }}" }
- { option: 'password', value: '{{ redmine_db_pass }}' }
diff --git a/redmine/templates/database.yml.j2 b/redmine/templates/database.yml.j2
index c694644c..30cec4c2 100644
--- a/redmine/templates/database.yml.j2
+++ b/redmine/templates/database.yml.j2
@@ -1,7 +1,6 @@
production:
adapter: mysql2
- database: {{ redmine_db_name }}
- host: {{ redmine_db_host }}
- username: {{ redmine_db_username }}
- password: "{{ redmine_db_pass }}"
encoding: utf8
+ username: {{ redmine_db_username }}
+ default_file: /home/{{ redmine_db_username }}/.my.cnf
+ default_group: client
diff --git a/remount-usr/tasks/main.yml b/remount-usr/tasks/main.yml
index cdc7e10e..6cbcfa00 100644
--- a/remount-usr/tasks/main.yml
+++ b/remount-usr/tasks/main.yml
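Review bot: The `ini_file` loop that now also writes `host` into `.my.cnf` has `redmine_db_pass` among its `with_items`, and Ansible echoes each loop item in the task result, so the database password lands in the play output and in whatever captures it; add `no_log: true` to that task (its head is outside the hunk). The template side now reads the credentials from `default_file: /home/{{ redmine_db_username }}/.my.cnf`, which hard-codes the home directory under `/home`; if the account is created elsewhere in the role, taking the path from the same variable that created it avoids a silent mismatch. The `.my.cnf` task should also set a restrictive `mode` since the file now holds the only copy of the password, but I cannot see from the hunk whether it does.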
@@ -12,5 +12,6 @@ command: 'mount -o remount,rw /usr' args: warn: no + changed_when: False when: usr_partition.rc == 0 notify: remount usr diff --git a/squid/files/evolinux-whitelist-defaults.conf b/squid/files/evolinux-whitelist-defaults.conf index e4dc240d..2bbebf5b 100644 --- a/squid/files/evolinux-whitelist-defaults.conf +++ b/squid/files/evolinux-whitelist-defaults.conf @@ -26,6 +26,9 @@ ^www\.wordpress-fr\.net$ ^pixel\.wp\.com$ ^wp-updates\.com$ +^misc\.optimizingmatters\.com$ +^wp-rocket\.me$ +^backwpup\.com$ # Wordpress pingback ^rpc\.pingomatic\.com$ @@ -75,6 +78,7 @@ ^www\.bolderelements\.net$ ^wpbakery\.com$ ^backwpup\.com$ +^support\.wpbakery\.com$ # Magento Plugins ^extensions\.activo\.com$ @@ -88,6 +92,7 @@ ^www\.joomlaworks\.net$ ^cdn\.joomlaworks\.org$ ^download\.regularlabs\.com$ +^download\.nonumber\.nl$ # Prestashop ^.*\.prestashop\.com$ @@ -112,6 +117,7 @@ ^maps\.google\..*$ ^translate\.google\.com$ ^www\.google\.com$ +^fonts\.googleapis\.com$ # Facebook ^.*\.facebook\.com$ @@ -120,6 +126,14 @@ # Maxmind ^geolite\.maxmind\.com$ +# News +^www\.lped\.fr$ +^www\.lefigaro\.fr$ +^madeinmarseille\.net$ +^www\.leparisien\.fr$ +^www\.parismatch\.com$ +^www\.liberation\.fr$ + # Others #^.*\.amazon.com$ ^.*\.twitter\.com$ @@ -128,8 +142,8 @@ ^geoip-api\.meteor\.com$ ^www\.bing\.com$ ^www\.telize\.com$ -^.*ident\.me$ -^.*icanhazip\.com$ +^.*\.ident\.me$ +^.*\.icanhazip\.com$ ^www\.express-mailing\.com$ ^bot\.whatismyipaddress\.com$ ^ipecho\.net$ @@ -142,3 +156,10 @@ ^apt\.newrelic\.com$ ^.*\.cloudfront\.net$ ^api\.mailjet\.com$ +^bfmbusiness\.bfmtv\.com$ +^api\.pinterest\.com$ +^api\.openweathermap\.org$ +^www\.lefigaro\.fr$ +^www\.dailymotion\.com$ +^.*\.123rf\.com$ +^.*.gouv\.fr$ diff --git a/squid/files/whitelist-evolinux.conf b/squid/files/whitelist-evolinux.conf index bd3f33e0..07f38a3f 100644 --- a/squid/files/whitelist-evolinux.conf +++ b/squid/files/whitelist-evolinux.conf 
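Review bot: The last added entry `^.*.gouv\.fr$` leaves the dot before `gouv` unescaped, unlike every other entry in this file, so it also matches hosts such as `anything-gouv.fr` outside the intended domain — in an allow-list that is the wrong direction to err; it should be `^.*\.gouv\.fr$`. `^www\.lefigaro\.fr$` is added twice (News block and the final hunk) and `^backwpup\.com$` was already present in the context further down, so the duplicates can go. The tightened `^.*\.ident\.me$` and `^.*\.icanhazip\.com$` forms now require at least one label before the domain, so the bare `ident.me` / `icanhazip.com` hosts no longer match; probably intended, just confirm.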
@@ -26,6 +26,9 @@ http://.*.gravatar.com/.* http://www.wordpress-fr.net/.* http://pixel.wp.com/.* http://wp-updates.com/.* +http://misc.optimizingmatters.com/* +http://wp-rocket.me/.* +http://backwpup.com/.* # Wordpress pingback http://rpc.pingomatic.com/.* @@ -73,6 +76,7 @@ http://wpcdn.io/.* http://vimeo.com/.* http://api.genesistheme.com/update-themes/ http://www.bolderelements.net/updates/.* +http://support.wpbakery.com/* # Magento Plugins http://extensions.activo.com/.* @@ -88,6 +92,7 @@ http://mijosoft.com/.* http://www.joomlaworks.net/.* http://cdn.joomlaworks.org/.* http://download.regularlabs.com/.* +http://download.nonumber.nl/.* # Prestashop http://.*.prestashop.com/.* @@ -111,6 +116,7 @@ http://csi.gstatic.com/.* http://maps.google.*/.* http://translate.google.com/.* http://www.google.com/webmasters/tools/.* +http://fonts.googleapis.com/.* # Facebook http://.*.facebook.com/.* @@ -119,6 +125,14 @@ http://.*.fbcdn.net/.* # Maxmind http://geolite.maxmind.com/.* +# News +http://www.lped.fr/.* +http://www.lefigaro.fr/.* +http://madeinmarseille.net/.* +http://www.leparisien.fr/.* +http://www.parismatch.com/.* +http://www.liberation.fr/.* + # Others #http://.*.amazon.com/.* http://.*.twitter.com/.* @@ -141,3 +155,9 @@ http://ftp.icm.edu.pl/.* http://apt.newrelic.com/.* http://.*.cloudfront.net/.* http://api.mailjet.com/.* +http://bfmbusiness.bfmtv.com/.* +http://api.pinterest.com/.* +http://api.openweathermap.org/.* +http://www.lefigaro.fr/.* +http://www.dailymotion.com/.* +http://.*.gouv.fr/.* diff --git a/squid/tasks/main.yml b/squid/tasks/main.yml index 19e6949c..17429954 100644 --- a/squid/tasks/main.yml +++ b/squid/tasks/main.yml @@ -44,7 +44,7 @@ notify: "reload squid3" when: ansible_distribution_release == "jessie" -- name: "evolinux custom squid file (Debian 9 or later)" +- name: "evolinux defaults squid file (Debian 9 or later)" copy: src: evolinux-defaults.conf dest: /etc/squid/evolinux-defaults.conf 
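Review bot: The new entries `http://misc.optimizingmatters.com/*` and `http://support.wpbakery.com/*` use `/*` where every other line uses `/.*`; as a regex `/*` means zero or more slashes, so these patterns only match the bare host URL and nothing beneath it, which is presumably not what was meant. Change them to `http://misc.optimizingmatters.com/.*` and `http://support.wpbakery.com/.*`. `http://www.lefigaro.fr/.*` is added twice in this file as well.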
diff --git a/tomcat/templates/check_tomcat_instance.sh.j2 b/tomcat/templates/check_tomcat_instance.sh.j2
index 8ed63475..60fe0ef3 100644
--- a/tomcat/templates/check_tomcat_instance.sh.j2
+++ b/tomcat/templates/check_tomcat_instance.sh.j2
@@ -1,18 +1,50 @@
-#!/bin/bash
+#!/bin/sh
+
+set -u
TOMCAT_ROOT='{{ tomcat_instance_root }}'
-alert=0
-for instance in $(ls $TOMCAT_ROOT); do
- port=$(id -u $instance)
- if [ -h ${TOMCAT_ROOT}/${instance}/.config/systemd/user/default.target.wants/tomcat.service ]; then
- echo -n "$instance ($port) : "
- /usr/lib/nagios/plugins/check_tcp -p $port
- ret=$?
- if [ $ret != 0 ]; then
- alert=$ret
- fi
+return=0
+nb_crit=0
+nb_warn=0
+nb_ok=0
+nb_unchk=0
+output=""
+
+instances=$(ls "${TOMCAT_ROOT}")
+for instance in ${instances}; do
+ port=$(id -u "${instance}")
+ if [ -h "${TOMCAT_ROOT}/${instance}/.config/systemd/user/default.target.wants/tomcat.service" ]; then
+ /usr/lib/nagios/plugins/check_tcp -p "${port}" >/dev/null 2>&1
+ ret="${?}"
+ if [ "${ret}" -ge 2 ]; then
+ nb_crit=$((nb_crit + 1))
+ output="${output}CRITICAL - ${instance} (${port})\n"
+ [ "${return}" -le 2 ] && return=2
+ elif [ "${ret}" -ge 1 ]; then
+ nb_warn=$((nb_warn + 1))
+ output="${output}WARNING - ${instance} (${port})\n"
+ [ "${return}" -le 1 ] && return=1
+ else
+ nb_ok=$((nb_ok + 1))
+ output="${output}OK - ${instance} (${port})\n"
+ [ "${return}" -le 0 ] && return=0
fi
+ else
+ nb_unchk=$((nb_unchk + 1))
+ output="${output}UNCHK - ${instance} (${port})\n"
+ fi
done
-exit $alert
+[ "${return}" -ge 0 ] && header="OK"
+[ "${return}" -ge 1 ] && header="WARNING"
+[ "${return}" -ge 2 ] && header="CRITICAL"
+
+printf "%s - %s UNCHK / %s CRIT / %s WARN / %s OK\n\n" "${header}" "${nb_unchk}" "${nb_crit}" "${nb_warn}" "${nb_ok}"
+
+printf "${output}" | grep -E "^CRITICAL"
+printf "${output}" | grep -E "^WARNING"
+printf "${output}" | grep -E "^OK"
+printf "${output}" | grep -E "^UNCHK"
+
+exit "${return}"
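Review bot: `printf "${output}"` (the four pipelines at the end) passes the accumulated report as the format string, so an instance directory name containing `%` or a backslash sequence is interpreted rather than printed; since `output` is built from `ls "${TOMCAT_ROOT}"` entries, use `printf '%b' "${output}" | grep -E "^CRITICAL"` (and likewise for the other three) so the `\n` separators still expand but the names are data. `port=$(id -u "${instance}")` is left unchecked: for a directory without a matching account `port` is empty and the failure surfaces only as `check_tcp -p ""` returning non-zero, which is then reported as CRITICAL; treating a failing `id -u` like the missing-unit case (count it under `nb_unchk` and append an `UNCHK` line) gives a truthful summary. Iterating `for instance in ${instances}` over `ls` output also breaks on names with whitespace; `for dir in "${TOMCAT_ROOT}"/*/` with `instance=$(basename "${dir}")` is the POSIX-safe form. Under `set -u` the rest is sound: `header` is always assigned by the `-ge 0` test before it is used.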
diff --git a/webapps/evoadmin-mail/tasks/packages.yml b/webapps/evoadmin-mail/tasks/packages.yml
index b1b8a1dd..b92aa5a0 100644
--- a/webapps/evoadmin-mail/tasks/packages.yml
+++ b/webapps/evoadmin-mail/tasks/packages.yml
@@ -12,3 +12,4 @@
- php-pear
- php-log
- php-crypt-chap
+ - php-twig
diff --git a/webapps/evoadmin-web/tasks/ftp.yml b/webapps/evoadmin-web/tasks/ftp.yml
index a78150a1..d78d50ff 100644
--- a/webapps/evoadmin-web/tasks/ftp.yml
+++ b/webapps/evoadmin-web/tasks/ftp.yml
@@ -3,7 +3,7 @@
- name: patch must be installed
apt:
name: patch
- state: installed
+ state: present
- name: Patch ProFTPd config file
patch:
diff --git a/webapps/roundcube/templates/apache2.conf.j2 b/webapps/roundcube/templates/apache2.conf.j2
index 47865c01..01c25f3a 100644
--- a/webapps/roundcube/templates/apache2.conf.j2
+++ b/webapps/roundcube/templates/apache2.conf.j2
@@ -1,6 +1,6 @@
ServerName {{ roundcube_host }}
- Redirect permanent / https://{{ roundcube_host }}
+ Redirect permanent / https://{{ roundcube_host }}/