From f8babfd53236e9210d806bd65d4eb2083e2f5557 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 16 May 2018 12:15:04 +0200 Subject: [PATCH 001/101] elasticsearch: tmpdir configuration compatible with 5.x also --- CHANGELOG.md | 1 + elasticsearch/tasks/tmpdir.yml | 18 ++++++++++++++++-- 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 056650ed..66f734f5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,7 @@ The **patch** part changes incrementally at each release. ## [Unreleased] ### Added +* elasticsearch: tmpdir configuration compatible with 5.x also ### Changed diff --git a/elasticsearch/tasks/tmpdir.yml b/elasticsearch/tasks/tmpdir.yml index d7046f02..f87a4ebe 100644 --- a/elasticsearch/tasks/tmpdir.yml +++ b/elasticsearch/tasks/tmpdir.yml @@ -18,7 +18,19 @@ tags: - elasticsearch - - name: check if ES_TMPDIR is available + - name: change JVM tmpdir (< 6.x) + lineinfile: + dest: /etc/elasticsearch/jvm.options + line: "-Djava.io.tmpdir={{ elasticsearch_custom_tmpdir or elasticsearch_default_tmpdir | mandatory }}" + regexp: "^-Djava.io.tmpdir=" + insertafter: "## JVM configuration" + notify: + - restart elasticsearch + tags: + - elasticsearch + when: elastic_stack_version | version_compare('6', '<') + + - name: check if ES_TMPDIR is available (>= 6.x) lineinfile: dest: /etc/default/elasticsearch line: "ES_TMPDIR={{ elasticsearch_custom_tmpdir or elasticsearch_default_tmpdir | mandatory }}" @@ -28,8 +40,9 @@ - restart elasticsearch tags: - elasticsearch + when: elastic_stack_version | version_compare('6', '>=') - - name: change JVM tmpdir + - name: change JVM tmpdir (>= 6.x) lineinfile: dest: /etc/elasticsearch/jvm.options line: "-Djava.io.tmpdir=${ES_TMPDIR}" @@ -39,4 +52,5 @@ - restart elasticsearch tags: - elasticsearch + when: elastic_stack_version | version_compare('6', '>=') when: (elasticsearch_custom_tmpdir != '' and elasticsearch_custom_tmpdir != None) or fstab_tmp_noexec | success 
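Review bot: Nothing in the new `change JVM tmpdir (< 6.x)` task says why 5.x gets the resolved path written straight into jvm.options while 6.x goes through `ES_TMPDIR`, and the next maintainer will be tempted to fold the two back together; a one-line comment above the task, such as `# 5.x startup scripts presumably have no ES_TMPDIR hook, so the path is hard-coded here`, would record the reason (the 6.x-only `ES_TMPDIR` support is inferred, confirm against the version actually deployed). The regexp shared by both jvm.options tasks, `"^-Djava.io.tmpdir="`, leaves the dots unescaped; harmless against this file but `"^-Djava\\.io\\.tmpdir="` states the intent. The enclosing block starts before the hunk, and its trailing `when:` (custom tmpdir set or `fstab_tmp_noexec | success`) still gates all three tasks in addition to their own version checks.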
From ec535b036c786b5c0e40685fa5d1ad4e1dd91322 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 18 May 2018 09:33:25 +0200 Subject: [PATCH 002/101] apt module: Use "state: present" instead of "state: installed" "state: installed" is deprecated in Ansible 2.5 --- apache/tasks/munin.yml | 4 ++-- evocheck/tasks/install_package.yml | 2 +- evolinux-base/tasks/hostname.yml | 2 +- haproxy/tasks/main.yml | 4 ++-- mongodb/tasks/main_jessie.yml | 4 ++-- mongodb/tasks/main_stretch.yml | 4 ++-- mysql-oracle/tasks/packages.yml | 2 +- newrelic/tasks/php.yml | 2 +- postgresql/tests/test.yml | 2 +- rabbitmq/tasks/nrpe.yml | 2 +- webapps/evoadmin-web/tasks/ftp.yml | 2 +- 11 files changed, 15 insertions(+), 15 deletions(-) diff --git a/apache/tasks/munin.yml b/apache/tasks/munin.yml index 9195ae0f..27aa7ad8 100644 --- a/apache/tasks/munin.yml +++ b/apache/tasks/munin.yml @@ -3,7 +3,7 @@ - name: "Install munin-node and core plugins packages" apt: name: "{{ item }}" - state: installed + state: present with_items: - munin-node - munin-plugins-core @@ -28,7 +28,7 @@ - name: "Install fcgi packages for Munin graphs" apt: name: "{{ item }}" - state: installed + state: present with_items: - libapache2-mod-fcgid - libcgi-fast-perl diff --git a/evocheck/tasks/install_package.yml b/evocheck/tasks/install_package.yml index 7a2f875e..34e672e5 100644 --- a/evocheck/tasks/install_package.yml +++ b/evocheck/tasks/install_package.yml @@ -2,4 +2,4 @@ - name: install evocheck from package apt: name: evocheck - state: installed + state: present diff --git a/evolinux-base/tasks/hostname.yml b/evolinux-base/tasks/hostname.yml index 059b6763..4acb944d 100644 --- a/evolinux-base/tasks/hostname.yml +++ b/evolinux-base/tasks/hostname.yml @@ -2,7 +2,7 @@ - name: dbus is installed apt: name: dbus - state: installed + state: present - name: Set hostname "{{ evolinux_hostname }}" hostname: diff --git a/haproxy/tasks/main.yml b/haproxy/tasks/main.yml index 37afe8df..3d252a55 100644 
--- a/haproxy/tasks/main.yml +++ b/haproxy/tasks/main.yml @@ -2,7 +2,7 @@ - name: ssl-cert package is installed apt: name: ssl-cert - state: installed + state: present tags: - haproxy - packages @@ -13,7 +13,7 @@ - name: Install HAProxy package apt: name: haproxy - state: installed + state: present tags: - haproxy - packages diff --git a/mongodb/tasks/main_jessie.yml b/mongodb/tasks/main_jessie.yml index 0cec9f2c..db69c7c7 100644 --- a/mongodb/tasks/main_jessie.yml +++ b/mongodb/tasks/main_jessie.yml @@ -16,12 +16,12 @@ apt: name: mongodb-org allow_unauthenticated: yes - state: installed + state: present - name: install dependency for monitoring apt: name: python-pymongo - state: installed + state: present - name: Custom configuration template: diff --git a/mongodb/tasks/main_stretch.yml b/mongodb/tasks/main_stretch.yml index 3f553c41..bed975e3 100644 --- a/mongodb/tasks/main_stretch.yml +++ b/mongodb/tasks/main_stretch.yml @@ -3,7 +3,7 @@ - name: Install packages apt: name: "{{ item }}" - state: installed + state: present with_items: - mongodb - mongo-tools @@ -11,7 +11,7 @@ - name: install dependency for monitoring apt: name: python-pymongo - state: installed + state: present - name: Custom configuration template: diff --git a/mysql-oracle/tasks/packages.yml b/mysql-oracle/tasks/packages.yml index 8be552bf..8dd255b1 100644 --- a/mysql-oracle/tasks/packages.yml +++ b/mysql-oracle/tasks/packages.yml @@ -11,7 +11,7 @@ - name: MySQL APT config package is installed apt: deb: /root/mysql-apt-config_0.8.9-1_all.deb - state: installed + state: present register: mysql_apt_config_deb - name: Open firewall for MySQL.com repository diff --git a/newrelic/tasks/php.yml b/newrelic/tasks/php.yml index 712b42f2..7d1177dc 100644 --- a/newrelic/tasks/php.yml +++ b/newrelic/tasks/php.yml @@ -39,4 +39,4 @@ - name: Install package for PHP apt: name: newrelic-php5 - state: installed + state: present 
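Review bot: The `mongodb-org` install in mongodb/tasks/main_jessie.yml keeps `allow_unauthenticated: yes` on the same task whose `state:` this commit touches, which disables apt's signature verification for that package; the rest of the commit is mechanical and needs nothing. If the MongoDB repository key is already imported earlier in the file (not visible here), the flag can simply be dropped; if it is genuinely required, a comment stating why, e.g. `# repository key cannot be imported on jessie; see <ticket>`, keeps the exception reviewable.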
diff --git a/postgresql/tests/test.yml b/postgresql/tests/test.yml index 0ab835ec..d8386b29 100644 --- a/postgresql/tests/test.yml +++ b/postgresql/tests/test.yml @@ -5,7 +5,7 @@ - name: Install locales apt: name: locales - state: installed + state: present changed_when: false - name: Setting default locales diff --git a/rabbitmq/tasks/nrpe.yml b/rabbitmq/tasks/nrpe.yml index 116bd75d..02c7c97b 100644 --- a/rabbitmq/tasks/nrpe.yml +++ b/rabbitmq/tasks/nrpe.yml @@ -3,7 +3,7 @@ - name: check_rabbitmq dependencies apt: name: python-requests - state: installed + state: present - include_role: name: remount-usr diff --git a/webapps/evoadmin-web/tasks/ftp.yml b/webapps/evoadmin-web/tasks/ftp.yml index a78150a1..d78d50ff 100644 --- a/webapps/evoadmin-web/tasks/ftp.yml +++ b/webapps/evoadmin-web/tasks/ftp.yml @@ -3,7 +3,7 @@ - name: patch must be installed apt: name: patch - state: installed + state: present - name: Patch ProFTPd config file patch: From 50a1003f159b3508943a235436d5cc28357f2518 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 18 May 2018 09:44:25 +0200 Subject: [PATCH 003/101] don't use jinja2 templating delimiters with "when" statements --- elasticsearch/tasks/bootstrap_checks.yml | 2 +- redis/tasks/munin.yml | 10 ++++++++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/elasticsearch/tasks/bootstrap_checks.yml b/elasticsearch/tasks/bootstrap_checks.yml index a79204b2..b1f79046 100644 --- a/elasticsearch/tasks/bootstrap_checks.yml +++ b/elasticsearch/tasks/bootstrap_checks.yml @@ -13,7 +13,7 @@ name: vm.max_map_count value: 262144 sysctl_file: /etc/sysctl.d/elasticsearch.conf - when: "{{ max_map_count|int < 262144 }}" + when: max_map_count | int < 262144 tags: - config diff --git a/redis/tasks/munin.yml b/redis/tasks/munin.yml index 2535a369..5f2a2dc7 100644 --- a/redis/tasks/munin.yml +++ b/redis/tasks/munin.yml 
@@ -66,11 +66,17 @@ option: env.password value: '{{ redis_password }}' notify: restart munin-node - when: "redis_password != '' and redis_password != None and {{munin_redis_blocs_in_config.stdout | int}} <= 1" + when: + - redis_password != '' + - redis_password != None + - (munin_redis_blocs_in_config.stdout | int) <= 1 tags: redis - name: Warn if multiple instance in munin-plugins configuration debug: msg: "WARNING - It seems you have multiple redis sections in your munin-node configuration - Munin config NOT changed" - when: "redis_password != '' and redis_password != None and {{munin_redis_blocs_in_config.stdout | int}} > 1 " + when: + - redis_password != '' + - redis_password != None + - (munin_redis_blocs_in_config.stdout | int) > 1 From b60a9d0ffaee850946f2a7d21439f27e514a99fa Mon Sep 17 00:00:00 2001 From: Bruno TATU Date: Fri, 18 May 2018 16:01:51 +0200 Subject: [PATCH 004/101] squid: whitelist egain somes domains --- squid/files/evolinux-whitelist-defaults.conf | 7 +++++++ squid/files/whitelist-evolinux.conf | 7 +++++++ 2 files changed, 14 insertions(+) diff --git a/squid/files/evolinux-whitelist-defaults.conf b/squid/files/evolinux-whitelist-defaults.conf index e4dc240d..8aaf30e3 100644 --- a/squid/files/evolinux-whitelist-defaults.conf +++ b/squid/files/evolinux-whitelist-defaults.conf @@ -26,6 +26,7 @@ ^www\.wordpress-fr\.net$ ^pixel\.wp\.com$ ^wp-updates\.com$ +^misc\.optimizingmatters\.com$ # Wordpress pingback ^rpc\.pingomatic\.com$ @@ -75,6 +76,7 @@ ^www\.bolderelements\.net$ ^wpbakery\.com$ ^backwpup\.com$ +^support\.wpbakery\.com$ # Magento Plugins ^extensions\.activo\.com$ @@ -112,6 +114,7 @@ ^maps\.google\..*$ ^translate\.google\.com$ ^www\.google\.com$ +^fonts\.googleapis\.com$ # Facebook ^.*\.facebook\.com$ @@ -142,3 +145,7 @@ ^apt\.newrelic\.com$ ^.*\.cloudfront\.net$ ^api\.mailjet\.com$ +^bfmbusiness\.bfmtv\.com$ +^api\.pinterest\.com$ +^api\.openweathermap\.org$ +^www\.lefigaro\.fr$ 
diff --git a/squid/files/whitelist-evolinux.conf b/squid/files/whitelist-evolinux.conf index bd3f33e0..3b429a8a 100644 --- a/squid/files/whitelist-evolinux.conf +++ b/squid/files/whitelist-evolinux.conf @@ -26,6 +26,7 @@ http://.*.gravatar.com/.* http://www.wordpress-fr.net/.* http://pixel.wp.com/.* http://wp-updates.com/.* +http://misc.optimizingmatters.com/* # Wordpress pingback http://rpc.pingomatic.com/.* @@ -73,6 +74,7 @@ http://wpcdn.io/.* http://vimeo.com/.* http://api.genesistheme.com/update-themes/ http://www.bolderelements.net/updates/.* +http://support.wpbakery.com/* # Magento Plugins http://extensions.activo.com/.* @@ -111,6 +113,7 @@ http://csi.gstatic.com/.* http://maps.google.*/.* http://translate.google.com/.* http://www.google.com/webmasters/tools/.* +http://fonts.googleapis.com/.* # Facebook http://.*.facebook.com/.* @@ -141,3 +144,7 @@ http://ftp.icm.edu.pl/.* http://apt.newrelic.com/.* http://.*.cloudfront.net/.* http://api.mailjet.com/.* +http://bfmbusiness.bfmtv.com/.* +http://api.pinterest.com/.* +http://api.openweathermap.org/.* +http://www.lefigaro.fr/.* From 0054e4fdea9dc613b04cb94d1a3229d8efe6cb1a Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 22 May 2018 15:16:27 +0200 Subject: [PATCH 005/101] elasticsearch: add http.publish_host variable --- CHANGELOG.md | 1 + elasticsearch/README.md | 3 ++- elasticsearch/defaults/main.yml | 3 ++- elasticsearch/tasks/configuration.yml | 10 ++++++++++ 4 files changed, 15 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 66f734f5..e664b7f2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,7 @@ The **patch** part changes incrementally at each release. ### Added * elasticsearch: tmpdir configuration compatible with 5.x also +* elasticsearch: add http.publish_host variable ### Changed diff --git a/elasticsearch/README.md b/elasticsearch/README.md index 9f968ae2..8db3e31a 100644 --- a/elasticsearch/README.md +++ b/elasticsearch/README.md 
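Review bot: `http://misc.optimizingmatters.com/*` and `http://support.wpbakery.com/*` in whitelist-evolinux.conf end in `/*` where every other entry in the file ends in `/.*`; as a regex `/*` means "zero or more slashes", so these two patterns also match any URL that merely contains the host prefix, for example a host named `support.wpbakery.com.example` (constructed), which is broader than the neighbouring entries. Write them as `http://misc.optimizingmatters.com/.*` and `http://support.wpbakery.com/.*` so a `/` must follow the host. The anchored `^...$` forms added to evolinux-whitelist-defaults.conf in the previous hunks are fine.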
@@ -17,7 +17,8 @@ Tasks are extracted in several files, included in `tasks/main.yml` : * `elasticsearch_cluster_name`: cluster name ; * `elasticsearch_node_name`: node name, defaults to hostname ; * `elasticsearch_network_host`: which interfaces to bind to ; -* `elasticsearch_network_publish_host`: which interface to publish ; +* `elasticsearch_network_publish_host`: which interface to publish for node-to-node communication (default: `Null`) ; +* `elasticsearch_http_publish_host`: which interface to publish for clients (default: `Null`) ; * `elasticsearch_custom_datadir`: custom datadir ; * `elasticsearch_custom_tmpdir`: custom tmpdir ; * `elasticsearch_jvm_xms`: mininum heap size reserved for the JVM (default: `2g`). diff --git a/elasticsearch/defaults/main.yml b/elasticsearch/defaults/main.yml index 8b5dd20e..3d549462 100644 --- a/elasticsearch/defaults/main.yml +++ b/elasticsearch/defaults/main.yml @@ -4,7 +4,8 @@ elastic_stack_version: "6.x" elasticsearch_cluster_name: Null elasticsearch_node_name: "${HOSTNAME}" elasticsearch_network_host: "[_site_, _local_]" -elasticsearch_network_publish_host: "_site_" +elasticsearch_network_publish_host: Null +elasticsearch_http_publish_host: Null elasticsearch_custom_datadir: Null elasticsearch_custom_tmpdir: Null elasticsearch_default_tmpdir: /var/lib/elasticsearch/tmp diff --git a/elasticsearch/tasks/configuration.yml b/elasticsearch/tasks/configuration.yml index b9fecd47..9ea00955 100644 --- a/elasticsearch/tasks/configuration.yml +++ b/elasticsearch/tasks/configuration.yml @@ -39,6 +39,16 @@ tags: - config +- name: Configure http publish_host + lineinfile: + dest: /etc/elasticsearch/elasticsearch.yml + line: "http.publish_host: {{ elasticsearch_http_publish_host }}" + regexp: "^http.publish_host:" + insertafter: "^http.port:" + when: elasticsearch_http_publish_host|default("", True) + tags: + - config + - name: Configure RESTART_ON_UPGRADE lineinfile: dest: /etc/default/elasticsearch 
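Review bot: `elasticsearch_network_publish_host` changes from `"_site_"` to `Null` in the same defaults hunk that introduces `elasticsearch_http_publish_host`, so hosts that relied on the old default will presumably stop getting `network.publish_host` written (that depends on the existing configuration task, which is outside this patch); the CHANGELOG entry only mentions the new variable. Either keep `elasticsearch_network_publish_host: "_site_"` or add a CHANGELOG line such as `* elasticsearch: network.publish_host is no longer set by default`.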
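Review bot: `insertafter: "^http.port:"` in the new `Configure http publish_host` task only matches an uncommented line; if the target elasticsearch.yml still carries the stock commented `#http.port: 9200`, lineinfile falls back to appending at end of file, which works but not where the task suggests. `insertafter: "^#?http.port:"` covers both cases. The `when: elasticsearch_http_publish_host|default("", True)` guard is consistent with the `Null` default, so an unset variable correctly skips the task.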
From b4122be2b3aaa6d82c5e74054f535285640f2a32 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 22 May 2018 15:17:16 +0200 Subject: [PATCH 006/101] kibana: log messages go to /var/log/kibana/kibana.log --- CHANGELOG.md | 1 + kibana/tasks/main.yml | 16 ++++++++++++++++ 2 files changed, 17 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index e664b7f2..8cba6ae6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ The **patch** part changes incrementally at each release. ### Added * elasticsearch: tmpdir configuration compatible with 5.x also * elasticsearch: add http.publish_host variable +* kibana: log messages go to /var/log/kibana/kibana.log ### Changed diff --git a/kibana/tasks/main.yml b/kibana/tasks/main.yml index 7ee07b5f..b1e7cb42 100644 --- a/kibana/tasks/main.yml +++ b/kibana/tasks/main.yml @@ -50,6 +50,22 @@ insertafter: '^#server.basePath:' notify: restart kibana +- name: kibana log destination is present + file: + dest: /var/log/kibana + owner: kibana + group: kibana + mode: "0750" + state: directory + +- name: kibana log messages go to custom file + lineinfile: + dest: /etc/kibana/kibana.yml + line: "logging.dest: \"/var/log/kibana/kibana.log\"" + regexp: '^logging.dest:' + insertafter: '^#logging.dest:' + notify: restart kibana + - name: Kibana service is enabled and started systemd: name: kibana From 3e5ea015c458e033a20f0a6a63382006796e2e0d Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 23 May 2018 16:18:23 +0200 Subject: [PATCH 007/101] rbenv: install Ruby 2.5.1 by default --- CHANGELOG.md | 1 + rbenv/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8cba6ae6..e1ea40c5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,7 @@ The **patch** part changes incrementally at each release. * kibana: log messages go to /var/log/kibana/kibana.log ### Changed +* rbenv: install Ruby 2.5.1 by default ### Fixed 
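Review bot: The new `logging.dest: "/var/log/kibana/kibana.log"` sends Kibana's log to a file, but nothing in the hunk rotates it, so the file grows without bound on a busy instance (the destination it replaces presumably did not have that problem). A logrotate snippet for `/etc/logrotate.d/kibana`, installed by a `copy` or `template` task right after this one and using `copytruncate` or a service reload, closes the gap. The `0750 kibana:kibana` directory is appropriately restrictive for a log that may contain request details.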
diff --git a/rbenv/defaults/main.yml b/rbenv/defaults/main.yml index 6a75a5b1..3b898c35 100644 --- a/rbenv/defaults/main.yml +++ b/rbenv/defaults/main.yml @@ -1,6 +1,6 @@ --- rbenv_version: v1.1.1 -rbenv_ruby_version: 2.5.0 +rbenv_ruby_version: 2.5.1 rbenv_root: "~/.rbenv" rbenv_repo: "https://github.com/rbenv/rbenv.git" rbenv_plugins: From 26791286d02d642d7f08e397fb147d8925cb4bbe Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 23 May 2018 16:19:37 +0200 Subject: [PATCH 008/101] whitespaces, quotes and tags --- rbenv/defaults/main.yml | 16 ++++++----- rbenv/tasks/main.yml | 64 ++++++++++++++++++++++------------------- 2 files changed, 43 insertions(+), 37 deletions(-) diff --git a/rbenv/defaults/main.yml b/rbenv/defaults/main.yml index 3b898c35..39467eaa 100644 --- a/rbenv/defaults/main.yml +++ b/rbenv/defaults/main.yml 
@@ -4,10 +4,12 @@ rbenv_ruby_version: 2.5.1 rbenv_root: "~/.rbenv" rbenv_repo: "https://github.com/rbenv/rbenv.git" rbenv_plugins: -- { name: "rbenv-vars", repo: "https://github.com/rbenv/rbenv-vars.git", version: "v1.2.0" } -- { name: "ruby-build", repo: "https://github.com/rbenv/ruby-build.git", version: "master" } -- { name: "rbenv-default-gems", repo: "https://github.com/rbenv/rbenv-default-gems.git", version: "master" } -- { name: "rbenv-installer", repo: "https://github.com/rbenv/rbenv-installer.git", version: "master" } -- { name: "rbenv-update", repo: "https://github.com/rkh/rbenv-update.git", version: "master" } -- { name: "rbenv-whatis", repo: "https://github.com/rkh/rbenv-whatis.git", version: "v1.0.0" } -- { name: "rbenv-use", repo: "https://github.com/rkh/rbenv-use.git", version: "v1.0.0" } + - { name: "rbenv-vars", repo: "https://github.com/rbenv/rbenv-vars.git", version: "v1.2.0" } + - { name: "ruby-build", repo: "https://github.com/rbenv/ruby-build.git", version: "master" } + - { name: "rbenv-default-gems", repo: "https://github.com/rbenv/rbenv-default-gems.git", version: "master" } + - { name: "rbenv-installer", repo: "https://github.com/rbenv/rbenv-installer.git", version: "master" } + - { name: "rbenv-update", repo: "https://github.com/rkh/rbenv-update.git", version: "master" } + - { name: "rbenv-whatis", repo: "https://github.com/rkh/rbenv-whatis.git", version: "v1.0.0" } + - { name: "rbenv-use", repo: "https://github.com/rkh/rbenv-use.git", version: "v1.0.0" } +rbenv_default_gems: + - bundler diff --git a/rbenv/tasks/main.yml b/rbenv/tasks/main.yml index aa914508..65df5302 100644 --- a/rbenv/tasks/main.yml +++ b/rbenv/tasks/main.yml 
@@ -1,31 +1,33 @@ --- -- name: Rbenv dependencies are installed +- name: "Rbenv dependencies are installed" apt: name: '{{ item }}' state: present with_items: - - build-essential - - git - - libcurl4-openssl-dev - - libffi-dev - - libreadline-dev - - libssl-dev - - libxml2-dev - - libxslt1-dev - - zlib1g-dev + - build-essential + - git + - libcurl4-openssl-dev + - libffi-dev + - libreadline-dev + - libssl-dev + - libxml2-dev + - libxslt1-dev + - zlib1g-dev tags: - - rbenv - - packages + - rbenv + - packages -- name: gemrc for {{ username }} +- name: "gemrc for {{ username }}" copy: src: gemrc dest: "~{{ username }}/.gemrc" owner: '{{ username }}' group: '{{ username }}' + tags: + - rbenv -- name: Rbenv repository is checked out for {{ username }} +- name: "Rbenv repository is checked out for {{ username }}" git: repo: '{{ rbenv_repo }}' dest: '{{ rbenv_root }}' @@ -35,25 +37,27 @@ become_user: "{{ username }}" become: yes tags: - - rbenv + - rbenv -- name: default gems are installed for {{ username }} copy: src: default-gems +- name: "default gems are installed for {{ username }}" dest: '{{ rbenv_root }}/default-gems' owner: '{{ username }}' group: '{{ username }}' + tags: + - rbenv -- name: plugins directory for {{ username }} +- name: "plugins directory for {{ username }}" file: path: '{{ rbenv_root }}/plugins' state: directory become_user: "{{ username }}" become: yes tags: - - rbenv + - rbenv -- name: plugins are installed for {{ username }} +- name: "plugins are installed for {{ username }}" git: repo: '{{ item.repo }}' dest: '{{ rbenv_root }}/plugins/{{ item.name }}' @@ -65,9 +69,9 @@ become_user: "{{ username }}" become: yes tags: - - rbenv + - rbenv -- name: Rbenv is initialized in profile for {{ username }} +- name: "Rbenv is initialized in profile for {{ username }}" blockinfile: dest: '~{{ username }}/.profile' block: | 
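Review bot: In the `@@ -35,25 +37,27 @@` hunk of rbenv/tasks/main.yml the moved `- name:` line now sits between `src: default-gems` and `dest:`, so the new side reads `copy:`, `src: default-gems`, then `- name: "default gems are installed for {{ username }}"`, which is not a valid task list entry and will fail to parse. The `- name: "default gems are installed for {{ username }}"` line must stay above `copy:` as it was before the whitespace pass.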
@@ -77,9 +81,9 @@ become_user: "{{ username }}" become: yes tags: - - rbenv + - rbenv -- name: is Ruby {{ rbenv_ruby_version }} available for {{ username }} ? +- name: "is Ruby {{ rbenv_ruby_version }} available for {{ username }} ?" shell: /bin/bash -lc "rbenv versions | grep {{ rbenv_ruby_version }}" args: warn: no @@ -89,9 +93,9 @@ become_user: "{{ username }}" become: yes tags: - - rbenv + - rbenv -- name: Ruby {{ rbenv_ruby_version }} is available for {{ username }} (be patient... could be long) +- name: "Ruby {{ rbenv_ruby_version }} is available for {{ username }} (be patient... could be long)" shell: /bin/bash -lc "TMPDIR=~/tmp rbenv install {{ rbenv_ruby_version }}" args: warn: no @@ -99,9 +103,9 @@ become_user: "{{ username }}" become: yes tags: - - rbenv + - rbenv -- name: is Ruby {{ rbenv_ruby_version }} selected for {{ username }} ? +- name: "is Ruby {{ rbenv_ruby_version }} selected for {{ username }} ?" shell: /bin/bash -lc "rbenv version | cut -d ' ' -f 1 | grep -Fx '{{ rbenv_ruby_version }}'" args: warn: no @@ -111,9 +115,9 @@ become_user: "{{ username }}" become: yes tags: - - rbenv + - rbenv -- name: select Ruby {{ rbenv_ruby_version }} for {{ username }} +- name: "select Ruby {{ rbenv_ruby_version }} for {{ username }}" shell: /bin/bash -lc "rbenv global {{ rbenv_ruby_version }} && rbenv rehash" args: warn: no @@ -121,4 +125,4 @@ become_user: "{{ username }}" become: yes tags: - - rbenv + - rbenv From 7738de6f41de90dc17539f027f7ffbf71a8a3123 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 23 May 2018 16:20:46 +0200 Subject: [PATCH 009/101] rbenv: switch from copy to lineinfile for default gems --- CHANGELOG.md | 1 + rbenv/files/default-gems | 1 - rbenv/tasks/main.yml | 8 ++++++-- 3 files changed, 7 insertions(+), 3 deletions(-) delete mode 100644 rbenv/files/default-gems diff --git a/CHANGELOG.md b/CHANGELOG.md index e1ea40c5..41287ab8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -17,6 +17,7 @@ The **patch** part changes incrementally at each release. ### Changed * rbenv: install Ruby 2.5.1 by default +* rbenv: switch from copy to lineinfile for default gems ### Fixed diff --git a/rbenv/files/default-gems b/rbenv/files/default-gems deleted file mode 100644 index b841526f..00000000 --- a/rbenv/files/default-gems +++ /dev/null @@ -1 +0,0 @@ -bundler diff --git a/rbenv/tasks/main.yml b/rbenv/tasks/main.yml index 65df5302..693ff0f6 100644 --- a/rbenv/tasks/main.yml +++ b/rbenv/tasks/main.yml @@ -39,12 +39,16 @@ tags: - rbenv - copy: - src: default-gems - name: "default gems are installed for {{ username }}" + lineinfile: dest: '{{ rbenv_root }}/default-gems' + line: "{{ item }}" owner: '{{ username }}' group: '{{ username }}' + create: yes + with_items: '{{ rbenv_default_gems }}' + become_user: "{{ username }}" + become: yes tags: - rbenv From d3eb8b870cf7cdd8ab24bf789d7d86e83976ab53 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Wed, 23 May 2018 21:55:34 +0200 Subject: [PATCH 010/101] php: fix permissions on custom php.ini file fixes #2433 --- php/tasks/php_jessie.yml | 10 ++++++++-- php/tasks/php_stretch.yml | 8 +++++++- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/php/tasks/php_jessie.yml b/php/tasks/php_jessie.yml index 5d1d6965..de5d94f4 100644 --- a/php/tasks/php_jessie.yml +++ b/php/tasks/php_jessie.yml 
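Review bot: `lineinfile` with `create: yes` only ever adds lines, so a gem removed from `rbenv_default_gems` stays in `default-gems` on hosts already provisioned, which the old `copy` of a static file did not allow; a README note such as `gems removed from rbenv_default_gems are not removed from existing default-gems files` saves a support question. The file is created under `become_user` with that user's umask; if a fixed mode matters add `mode: "0644"` next to `owner`/`group`.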
@@ -46,14 +46,20 @@ option: disable_functions value: "exec,shell-exec,system,passthru,putenv,popen" -- name: Custom php.ini for CLI +- name: Custom php.ini for CLI (jessie) copy: dest: "{{ phpini_cli_custom_file }}" - mode: "0644" content: | ; Put customized values here. force: no +# This task is not merged with the above copy +# because "force: no" prevents any fix after the fact +- name: "Permissions for custom php.ini for CLI (jessie)" + file: + dest: "{{ phpini_cli_custom_file }}" + mode: "0644" + - name: "Set custom values for PHP to enable Symfony (jessie)" ini_file: dest: "{{ phpini_cli_custom_file }}" diff --git a/php/tasks/php_stretch.yml b/php/tasks/php_stretch.yml index f20dbafb..c39a63c2 100644 --- a/php/tasks/php_stretch.yml +++ b/php/tasks/php_stretch.yml @@ -50,12 +50,18 @@ - name: "Custom php.ini for CLI (Debian 9 or later)" copy: dest: "{{ phpini_cli_custom_file }}" - mode: "0644" content: | ; Put customized values here. ; default_charset = "ISO-8859-1" force: no +# This task is not merged with the above copy +# because "force: no" prevents any fix after the fact +- name: "Permissions for custom php.ini for CLI (Debian 9 or later)" + file: + dest: "{{ phpini_cli_custom_file }}" + mode: "0644" + - name: "Set custom values for PHP to enable Symfony (Debian 9 or later)" ini_file: dest: "{{ phpini_cli_custom_file }}" From 108cd0f597e16f971ba62623db47f85b33939eb6 Mon Sep 17 00:00:00 2001 From: Bruno TATU Date: Tue, 29 May 2018 10:56:24 +0200 Subject: [PATCH 011/101] squid: whiteliste some news sites --- CHANGELOG.md | 1 + squid/files/evolinux-whitelist-defaults.conf | 9 +++++++++ squid/files/whitelist-evolinux.conf | 9 +++++++++ 3 files changed, 19 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 41287ab8..e402ae2a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
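Review bot: `shell-exec` in the `disable_functions` value shown in the jessie hunk's context is not a PHP function name (PHP's is `shell_exec`), so that entry presumably disables nothing and `shell_exec` stays callable; the same list may exist in php_stretch.yml outside the visible hunk. Change it to `value: "exec,shell_exec,system,passthru,putenv,popen"`. The added `file:` tasks fix the permissions that `force: no` prevented the `copy` from converging, and relying on the copy having created the file first is fine since the default `state` of the file module errors only when the path is missing.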
@@ -18,6 +18,7 @@ The **patch** part changes incrementally at each release. ### Changed * rbenv: install Ruby 2.5.1 by default * rbenv: switch from copy to lineinfile for default gems +* squid: whiteliste some news sites ### Fixed diff --git a/squid/files/evolinux-whitelist-defaults.conf b/squid/files/evolinux-whitelist-defaults.conf index 8aaf30e3..6e2f94b9 100644 --- a/squid/files/evolinux-whitelist-defaults.conf +++ b/squid/files/evolinux-whitelist-defaults.conf @@ -27,6 +27,7 @@ ^pixel\.wp\.com$ ^wp-updates\.com$ ^misc\.optimizingmatters\.com$ +^wp-rocket\.me$ # Wordpress pingback ^rpc\.pingomatic\.com$ @@ -123,6 +124,14 @@ # Maxmind ^geolite\.maxmind\.com$ +# News +^www\.lped\.fr$ +^www\.lefigaro\.fr$ +^madeinmarseille\.net$ +^www\.leparisien\.fr$ +^www\.parismatch\.com$ +^www\.liberation\.fr$ + # Others #^.*\.amazon.com$ ^.*\.twitter\.com$ diff --git a/squid/files/whitelist-evolinux.conf b/squid/files/whitelist-evolinux.conf index 3b429a8a..cc3b42f5 100644 --- a/squid/files/whitelist-evolinux.conf +++ b/squid/files/whitelist-evolinux.conf @@ -27,6 +27,7 @@ http://www.wordpress-fr.net/.* http://pixel.wp.com/.* http://wp-updates.com/.* http://misc.optimizingmatters.com/* +http://wp-rocket.me/.* # Wordpress pingback http://rpc.pingomatic.com/.* @@ -122,6 +123,14 @@ http://.*.fbcdn.net/.* # Maxmind http://geolite.maxmind.com/.* +# News +http://www.lped.fr/.* +http://www.lefigaro.fr/.* +http://madeinmarseille.net/.* +http://www.leparisien.fr/.* +http://www.parismatch.com/.* +http://www.liberation.fr/.* + # Others #http://.*.amazon.com/.* http://.*.twitter.com/.* From 17c809371101e6be0e8d24c3c0f5a524e23c1d5c Mon Sep 17 00:00:00 2001 
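Review bot: `^www\.lefigaro\.fr$` added under `# News` in evolinux-whitelist-defaults.conf already exists further down the file (it was appended after `^api\.mailjet\.com$` by the earlier squid commit in this series), and `http://www.lefigaro.fr/.*` is likewise now listed twice in whitelist-evolinux.conf. Squid tolerates duplicates, but they make a later removal error-prone because only one copy gets deleted; drop the older of each pair.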
From: Victor LABORIE Date: Wed, 30 May 2018 17:11:13 +0200 Subject: [PATCH 012/101] nagios-nrpe: use bkctld check subcommand for NRPE check --- CHANGELOG.md | 2 ++ evolinux-users/templates/sudoers_jessie.j2 | 1 + evolinux-users/templates/sudoers_stretch.j2 | 1 + nagios-nrpe/templates/evolix.cfg.j2 | 2 +- 4 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e402ae2a..b0f7c653 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,6 +19,8 @@ The **patch** part changes incrementally at each release. * rbenv: install Ruby 2.5.1 by default * rbenv: switch from copy to lineinfile for default gems * squid: whiteliste some news sites +* nagios-nrpe: change nrpe check for bkctld command +* evolinux-users: add sudo right for bkctld check ### Fixed diff --git a/evolinux-users/templates/sudoers_jessie.j2 b/evolinux-users/templates/sudoers_jessie.j2 index 391ae898..c349ac09 100644 --- a/evolinux-users/templates/sudoers_jessie.j2 +++ b/evolinux-users/templates/sudoers_jessie.j2 @@ -5,6 +5,7 @@ User_Alias ADMINS = {{ user.name }} nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall +nagios ALL = NOPASSWD: /usr/sbin/bkctld check nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt ADMINS ALL = (ALL:ALL) ALL diff --git a/evolinux-users/templates/sudoers_stretch.j2 b/evolinux-users/templates/sudoers_stretch.j2 index 9a9ea7ed..fb785c46 100644 --- a/evolinux-users/templates/sudoers_stretch.j2 +++ b/evolinux-users/templates/sudoers_stretch.j2 @@ -4,6 +4,7 @@ Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall +nagios ALL = NOPASSWD: /usr/sbin/bkctld check nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt %{{ evolinux_sudo_group }} ALL=(ALL:ALL) ALL 
diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2 index 0be4e38e..4a22f027 100644 --- a/nagios-nrpe/templates/evolix.cfg.j2 +++ b/nagios-nrpe/templates/evolix.cfg.j2 @@ -51,7 +51,7 @@ command[check_ssl]=/usr/lib/nagios/plugins/check_http -f follow -I 127.0.0.1 -S command[check_elasticsearch]=/usr/lib/nagios/plugins/check_http -I 127.0.0.1 -u /_cat/health?h=st -p 9200 -r 'red' --invert-regex command[check_memcached]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 11211 command[check_opendkim]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 54321 -command[check_bkctld]=/usr/lib/nagios/plugins/check_bkctld +command[check_bkctld]=sudo /usr/sbin/bkctld check # Local checks (not packaged) command[check_mem]={{ nagios_plugins_directory }}/check_mem -f -C -w 20 -c 10 From d67abef13d215b78459da62e30b30017ede8dca5 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 4 Jun 2018 16:30:25 +0200 Subject: [PATCH 013/101] minifirewall: the tail file can be overwritten, or not --- CHANGELOG.md | 5 +++-- minifirewall/defaults/main.yml | 1 + minifirewall/tasks/tail.yml | 2 +- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b0f7c653..37e59591 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,11 +16,12 @@ The **patch** part changes incrementally at each release. * kibana: log messages go to /var/log/kibana/kibana.log ### Changed +* evolinux-users: add sudo right for bkctld check +* minifirewall: the tail file can be overwritten, or not (default: `True`) +* nagios-nrpe: change nrpe check for bkctld command * rbenv: install Ruby 2.5.1 by default * rbenv: switch from copy to lineinfile for default gems * squid: whiteliste some news sites -* nagios-nrpe: change nrpe check for bkctld command -* evolinux-users: add sudo right for bkctld check ### Fixed diff --git a/minifirewall/defaults/main.yml b/minifirewall/defaults/main.yml index a6eaa2fc..2b37a5cf 100644 --- a/minifirewall/defaults/main.yml 
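Review bot: `command[check_bkctld]=sudo /usr/sbin/bkctld check` calls sudo without `-n`, so on a host where the matching sudoers line from the evolinux-users templates (the two previous hunks) has not been deployed yet, sudo waits for a password and the check hangs until NRPE's timeout instead of failing immediately; the two pieces live in different roles, so that ordering is not guaranteed. `command[check_bkctld]=sudo -n /usr/sbin/bkctld check` fails fast with a clear sudo error. The sudoers entries are correctly restricted to the single `check` argument; keep them that narrow.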
+++ b/minifirewall/defaults/main.yml @@ -1,5 +1,6 @@ --- minifirewall_tail_included: False +minifirewall_tail_force: yes minifirewall_git_url: "https://forge.evolix.org/minifirewall.git" minifirewall_checkout_path: "/tmp/minifirewall" diff --git a/minifirewall/tasks/tail.yml b/minifirewall/tasks/tail.yml index 00d9c0e4..3d61025d 100644 --- a/minifirewall/tasks/tail.yml +++ b/minifirewall/tasks/tail.yml @@ -3,7 +3,7 @@ template: src: "{{ item }}" dest: /etc/default/minifirewall.tail - force: yes + force: "{{ minifirewall_tail_force | bool | ternary('yes', 'no') }}" with_first_found: - "templates/minifirewall-tail/minifirewall.{{ inventory_hostname }}.tail.j2" - "templates/minifirewall-tail/minifirewall.{{ host_group }}.tail.j2" From d917d867bb59a98240bfd79a6dc8a7dcab9e0e39 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 7 Jun 2018 10:39:29 +0200 Subject: [PATCH 014/101] changelog: minor rewording --- CHANGELOG.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 37e59591..f722a5a6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,12 +16,12 @@ The **patch** part changes incrementally at each release. * kibana: log messages go to /var/log/kibana/kibana.log ### Changed -* evolinux-users: add sudo right for bkctld check +* evolinux-users: add sudo permission for bkctld check * minifirewall: the tail file can be overwritten, or not (default: `True`) -* nagios-nrpe: change nrpe check for bkctld command -* rbenv: install Ruby 2.5.1 by default +* nagios-nrpe: use bkctld internal check instead of nrpe plugin +* rbenv: change default Ruby version (2.5.1) * rbenv: switch from copy to lineinfile for default gems -* squid: whiteliste some news sites +* squid: add a few news sites to the whitelist ### Fixed From 03431fc116a932bc673bfcefde74dbde34059962 Mon Sep 17 00:00:00 2001 
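Review bot: `minifirewall_tail_force: yes` sits directly under `minifirewall_tail_included: False`, mixing two boolean spellings in one defaults file; `minifirewall_tail_force: True` matches the neighbouring line and the `default: True` the CHANGELOG advertises. Since the tail file carries firewall rules, it is also worth documenting that turning the variable off means a hand-edited `/etc/default/minifirewall.tail` silently diverges from the template (the task reports ok), e.g. a comment above the default: `# when False, an existing minifirewall.tail on the host is never overwritten by the template`.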
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 9 Jun 2018 13:15:08 +0200 Subject: [PATCH 015/101] mysql: add an option to install the dev client libraries --- CHANGELOG.md | 1 + mysql-oracle/defaults/main.yml | 2 ++ mysql-oracle/tasks/packages.yml | 11 +++++++++++ mysql/README.md | 1 + mysql/defaults/main.yml | 2 ++ mysql/tasks/packages_jessie.yml | 12 ++++++++++++ mysql/tasks/packages_stretch.yml | 12 ++++++++++++ 7 files changed, 41 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index f722a5a6..06b92743 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,7 @@ The **patch** part changes incrementally at each release. * elasticsearch: tmpdir configuration compatible with 5.x also * elasticsearch: add http.publish_host variable * kibana: log messages go to /var/log/kibana/kibana.log +* mysql: add an option to install the client development libraries (default: `False`) ### Changed * evolinux-users: add sudo permission for bkctld check diff --git a/mysql-oracle/defaults/main.yml b/mysql-oracle/defaults/main.yml index e79fe036..e37f0680 100644 --- a/mysql-oracle/defaults/main.yml +++ b/mysql-oracle/defaults/main.yml @@ -5,6 +5,8 @@ log2mail_alert_email: Null general_scripts_dir: "/usr/share/scripts" mysql_scripts_dir: Null +mysql_install_libclient: False + mysql_replace_root_with_mysqladmin: True mysql_custom_datadir: '' diff --git a/mysql-oracle/tasks/packages.yml b/mysql-oracle/tasks/packages.yml index 8dd255b1..1d6ebf64 100644 --- a/mysql-oracle/tasks/packages.yml +++ b/mysql-oracle/tasks/packages.yml @@ -36,10 +36,21 @@ with_items: - mysql-server - mysql-client + tags: + - mysql + - packages + +- name: Install MySQL dev packages + apt: + name: '{{ item }}' + update_cache: yes + state: present + with_items: - libmysqlclient20 tags: - mysql - packages + when: mysql_install_libclient - include_role: name: remount-usr diff --git a/mysql/README.md b/mysql/README.md index b1e4bf57..e3226c1c 100644 --- a/mysql/README.md +++ b/mysql/README.md 
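Review bot: The new `Install MySQL dev packages` task in mysql-oracle/tasks/packages.yml, gated by `mysql_install_libclient`, installs only `libmysqlclient20`, the runtime client library that the removed lines installed unconditionally with `mysql-server`/`mysql-client`, whereas the jessie and stretch variants in the following hunks install `libmysqlclient-dev`/`default-libmysqlclient-dev`. Either the Oracle task should list the corresponding `-dev` package, or its name and the README wording ("client development libraries") are misleading. Moving `libmysqlclient20` behind a default-`False` flag is also a behaviour change the CHANGELOG does not mention; whether the package still arrives as a dependency of `mysql-client` cannot be told from here.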
@@ -29,5 +29,6 @@ Tasks are extracted in several files, included in `tasks/main.yml` : * `general_scripts_dir`: general directory for scripts installation (default: `/usr/local/bin`). * `mysql_scripts_dir`: email address to send Log2mail messages to (default: `general_scripts_dir`). * `mysql_force_new_nrpe_password` : change the password for NRPE even if it exists already (default: `False`). +* `mysql_install_libclient`: install mysql client libraries (default: `False`). NB : changing the _datadir_ location can be done multiple times, as long as it is not restored to the default initial location, (because a symlink is created and can't be switched back, yet). diff --git a/mysql/defaults/main.yml b/mysql/defaults/main.yml index ff40c88a..44b43d44 100644 --- a/mysql/defaults/main.yml +++ b/mysql/defaults/main.yml @@ -7,6 +7,8 @@ mysql_scripts_dir: Null mysql_variant: oracle +mysql_install_libclient: False + mysql_replace_root_with_mysqladmin: True mysql_custom_datadir: '' diff --git a/mysql/tasks/packages_jessie.yml b/mysql/tasks/packages_jessie.yml index 1d376e03..06359e35 100644 --- a/mysql/tasks/packages_jessie.yml +++ b/mysql/tasks/packages_jessie.yml @@ -26,6 +26,18 @@ - mysql - packages +- name: Install MySQL dev packages + apt: + name: '{{ item }}' + update_cache: yes + state: present + with_items: + - libmysqlclient-dev + tags: + - mysql + - packages + when: mysql_install_libclient + - name: MySQL is started service: name: mysql diff --git a/mysql/tasks/packages_stretch.yml b/mysql/tasks/packages_stretch.yml index d625f691..83256472 100644 --- a/mysql/tasks/packages_stretch.yml +++ b/mysql/tasks/packages_stretch.yml @@ -12,6 +12,18 @@ - mysql - packages +- name: Install MySQL dev packages + apt: + name: '{{ item }}' + update_cache: yes + state: present + with_items: + - default-libmysqlclient-dev + tags: + - mysql + - packages + when: mysql_install_libclient + - name: MySQL is started service: name: mysql 
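Review bot: The `Install MySQL dev packages` tasks added to mysql/tasks/packages_jessie.yml and mysql/tasks/packages_stretch.yml are identical apart from the package name (`libmysqlclient-dev` versus `default-libmysqlclient-dev`), so this is a point of style rather than a defect: the name could be a single release-keyed variable with one task, which would also keep the `update_cache`/`tags`/`when` plumbing in one place. The surrounding per-release files already follow the duplicated pattern, so it is acceptable to leave as is if consistency with them is preferred.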
From fbd97a5f08829dd5688ec20277e5b1febc066475 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 23 Mar 2018 11:47:13 +0100 Subject: [PATCH 016/101] java: support for Oracle JRE --- CHANGELOG.md | 2 ++ elasticsearch/meta/main.yml | 2 +- {java8 => java}/.kitchen.yml | 0 java/README.md | 14 ++++++++ java/defaults/main.yml | 4 +++ {java8 => java}/meta/main.yml | 3 +- java/tasks/main.yml | 10 ++++++ java/tasks/openjdk.yml | 31 ++++++++++++++++++ java/tasks/oracle.yml | 58 ++++++++++++++++++++++++++++++++++ {java8 => java}/tests/test.yml | 2 +- java8 | 1 + java8/README.md | 11 ------- java8/defaults/main.yml | 2 -- java8/tasks/main.yml | 27 ---------------- jenkins/meta/main.yml | 2 +- logstash/meta/main.yml | 2 +- 16 files changed, 126 insertions(+), 45 deletions(-) rename {java8 => java}/.kitchen.yml (100%) create mode 100644 java/README.md create mode 100644 java/defaults/main.yml rename {java8 => java}/meta/main.yml (81%) create mode 100644 java/tasks/main.yml create mode 100644 java/tasks/openjdk.yml create mode 100644 java/tasks/oracle.yml rename {java8 => java}/tests/test.yml (66%) create mode 120000 java8 delete mode 100644 java8/README.md delete mode 100644 java8/defaults/main.yml delete mode 100644 java8/tasks/main.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 06b92743..2364de7c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,7 @@ The **patch** part changes incrementally at each release. * elasticsearch: add http.publish_host variable * kibana: log messages go to /var/log/kibana/kibana.log * mysql: add an option to install the client development libraries (default: `False`) +* java: support for Oracle JRE ### Changed * evolinux-users: add sudo permission for bkctld check 
@@ -23,6 +24,7 @@ The **patch** part changes incrementally at each release. * rbenv: change default Ruby version (2.5.1) * rbenv: switch from copy to lineinfile for default gems * squid: add a few news sites to the whitelist +* java8: renamed to java (java8 symlinked to java for backward compatibility) ### Fixed diff --git a/elasticsearch/meta/main.yml b/elasticsearch/meta/main.yml index 54156392..cfc69425 100644 --- a/elasticsearch/meta/main.yml +++ b/elasticsearch/meta/main.yml @@ -25,4 +25,4 @@ galaxy_info: # alphanumeric characters. Maximum 20 tags per role. dependencies: - - java8 + - { role: java, alternative: 'openjdk', java_version: 8 } diff --git a/java8/.kitchen.yml b/java/.kitchen.yml similarity index 100% rename from java8/.kitchen.yml rename to java/.kitchen.yml diff --git a/java/README.md b/java/README.md new file mode 100644 index 00000000..72740bb3 --- /dev/null +++ b/java/README.md @@ -0,0 +1,14 @@ +# java + +Install OpenJDK or OracleJDK + +## Tasks + +* `openjdk.yml` : install of OpenJDK +* `oracle.yml` : install or OracleJDK + +## Available variables + +* `java_alternative`: choose between openjdk or oraclejdk (default to openjdk) +* `java_version`: java version (default to 8) +* `java_default_alternative`: make this verison the default alternative (default to true) diff --git a/java/defaults/main.yml b/java/defaults/main.yml new file mode 100644 index 00000000..89f5cdac --- /dev/null +++ b/java/defaults/main.yml @@ -0,0 +1,4 @@ +--- +java_alternative: 'openjdk' +java_version: 8 +java_default_alternative: True diff --git a/java8/meta/main.yml b/java/meta/main.yml similarity index 81% rename from java8/meta/main.yml rename to java/meta/main.yml index 632cd4f4..c5b91643 100644 --- a/java8/meta/main.yml +++ b/java/meta/main.yml @@ -1,7 +1,7 @@ --- galaxy_info: author: Evolix - description: Installation of Java 8 + description: Installation of Java issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues 
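Review bot: The new dependency line in elasticsearch/meta/main.yml passes `alternative: 'openjdk'`, but the variable the java role reads (java/defaults/main.yml and java/tasks/main.yml in this patch) is `java_alternative`; the jenkins and logstash meta files changed in the same patch correctly use `java_alternative: 'openjdk'`. It works only because `openjdk` is the default, so the typo is silent. Change the line to `- { role: java, java_alternative: 'openjdk', java_version: 8 }`.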
@@ -13,3 +13,4 @@ galaxy_info: - name: Debian versions: - jessie + - stretch diff --git a/java/tasks/main.yml b/java/tasks/main.yml new file mode 100644 index 00000000..1249533e --- /dev/null +++ b/java/tasks/main.yml @@ -0,0 +1,10 @@ +--- +- fail: + msg: "This role support only java 8 for now !" + when: java_version != 8 + +- include: openjdk.yml + when: "{{ java_alternative == 'openjdk' }}" + +- include: oracle.yml + when: "{{ java_alternative == 'oracle' }}" diff --git a/java/tasks/openjdk.yml b/java/tasks/openjdk.yml new file mode 100644 index 00000000..9b4f0b7d --- /dev/null +++ b/java/tasks/openjdk.yml @@ -0,0 +1,31 @@ +--- +- name: Decide which Debian release to use + set_fact: + java_apt_release: '{% if ansible_distribution_release == "jessie" %}jessie-backports{% else %}{{ ansible_distribution_release }}{% endif %}' + tags: + - java + +- name: Install jessie-backports + include_role: + name: apt + tasks_from: backports.yml + when: ansible_distribution_release == "jessie" + tags: + - java + +- name: Install openjdk package + apt: + name: "openjdk-{{ java_version}}-jre-headless" + default_release: "{{ java_apt_release }}" + state: present + tags: + - java + - packages + +- name: This openjdk version is the default alternative + alternatives: + name: java + path: "/usr/lib/jvm/java-{{ java_version }}-openjdk-amd64/jre/bin/java" + when: java_default_alternative + tags: + - java diff --git a/java/tasks/oracle.yml b/java/tasks/oracle.yml new file mode 100644 index 00000000..da3473da --- /dev/null +++ b/java/tasks/oracle.yml 
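Review bot: In java/tasks/main.yml the two `include:` conditions are written as `when: "{{ java_alternative == 'openjdk' }}"`; `when` is already evaluated as a Jinja expression, so the delimiters are redundant (Ansible warns about templated conditionals) and should be `when: java_alternative == 'openjdk'` and `when: java_alternative == 'oracle'`. The README added in this patch documents the choice as "openjdk or oraclejdk" while the code compares against `'oracle'`, so a user following the README gets neither include and no error. A `fail` task for any value other than the two accepted ones, mirroring the existing `java_version != 8` guard, would make that misconfiguration visible.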
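Review bot: In java/tasks/openjdk.yml the alternatives path `/usr/lib/jvm/java-{{ java_version }}-openjdk-amd64/jre/bin/java` hard-codes the amd64 architecture (the same limitation the deleted java8 role had), and the package name `openjdk-{{ java_version}}-jre-headless` is missing a space before `}}`. Both are style points rather than defects — the expression still renders — but since the role now takes `java_version` as a parameter, a comment saying the path is amd64-only (or deriving the suffix from `ansible_architecture`) would save the next maintainer a surprise.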
@@ -0,0 +1,58 @@ +--- +- name: Install dependencies for build java package + apt: + name: "{{ item }}" + state: present + with_items: + - java-package + - build-essential + tags: + - java + +- name: Create jvm dir + file: + path: "{{ item }}" + state: directory + mode: "0777" + with_items: + - /srv/java-package + - /srv/java-package/src + - /srv/java-package/tmp + tags: + - java + +- name: Get Oracle jre archive + get_url: + url: 'http://download.oracle.com/otn-pub/java/jdk/8u172-b11/a58eab1ec242421181065cdc37240b08/jre-8u172-linux-x64.tar.gz' + dest: '/srv/java-package/src/' + checksum: 'sha256:f08f25aec2bdc86138ccba8fd5b904451e3afa1d24a88c85f28c2d84bfd45bad' + headers: 'Cookie: oraclelicense=accept-securebackup-cookie' + mode: "0644" + tags: + - java + +- name: Make Debian package from Oracle JDK archive + shell: "yes | TMPDIR=/srv/java-package/tmp make-jpkg /srv/java-package/src/jre-8u172-linux-x64.tar.gz" + args: + chdir: /srv/java-package + creates: /srv/java-package/oracle-java8-jre_8u172_amd64.deb + become: False + tags: + - java + +- include_role: + name: remount-usr + +- name: Install java package + apt: + deb: /srv/java-package/oracle-java8-jre_8u172_amd64.deb + tags: + - java + +- name: This openjdk version is the default alternative + alternatives: + name: java + path: "/usr/lib/jvm/jre-{{ java_version }}-oracle-x64/bin/java" + when: java_default_alternative + tags: + - java diff --git a/java8/tests/test.yml b/java/tests/test.yml similarity index 66% rename from java8/tests/test.yml rename to java/tests/test.yml index 624e2d3b..984c2eb4 100644 --- a/java8/tests/test.yml +++ b/java/tests/test.yml @@ -1,4 +1,4 @@ --- - hosts: test-kitchen roles: - - role: java8 + - role: java diff --git a/java8 b/java8 new file mode 120000 index 00000000..85863977 --- /dev/null +++ b/java8 @@ -0,0 +1 @@ +java \ No newline at end of file diff --git a/java8/README.md b/java8/README.md deleted file mode 100644 index 6279675d..00000000 --- a/java8/README.md +++ /dev/null 
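Review bot: In java/tasks/oracle.yml the `Create jvm dir` task creates `/srv/java-package`, `/srv/java-package/src` and `/srv/java-package/tmp` with `mode: "0777"`, and the `Install java package` task later installs `/srv/java-package/oracle-java8-jre_8u172_amd64.deb` from that tree as root with no checksum; a world-writable build directory means any local account can alter the archive or the generated `.deb` between the build and the root-privileged `apt: deb:` step, and `creates:` skips the rebuild on later runs, so a tampered `.deb` would never be regenerated. The `0777` is presumably there because `make-jpkg` runs with `become: False`; giving the directory to that user with `owner:` and a `0755`-style mode achieves the same without opening it to everyone, and verifying the `.deb` before `apt` (or building under a path only root and the build user can write) closes the gap. The sha256 pin on the `get_url` download is good and covers the plain-`http` fetch. Two smaller points: the 8u172 build and its URL/checksum are hard-coded in four places rather than derived from a variable, and the last task is named `This openjdk version is the default alternative` although it registers the Oracle JRE.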
@@ -1,11 +0,0 @@ -# java8 - -Install OpenJDK 1.8 (from jessie-backports) - -## Tasks - -Everything is in the `tasks/main.yml` file. - -## Available variables - -* `java8_default_alternative`: make this verison the default alternative (defaults to true) diff --git a/java8/defaults/main.yml b/java8/defaults/main.yml deleted file mode 100644 index 9f57f290..00000000 --- a/java8/defaults/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -java8_default_alternative: True diff --git a/java8/tasks/main.yml b/java8/tasks/main.yml deleted file mode 100644 index 8e24def3..00000000 --- a/java8/tasks/main.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- -- name: Decide which Debian release to use - set_fact: - java8_apt_release: '{% if ansible_distribution_release == "jessie" %}jessie-backports{% else %}{{ ansible_distribution_release }}{% endif %}' - -- name: install jessie-backports - include_role: - name: apt - tasks_from: backports.yml - when: ansible_distribution_release == "jessie" - -- name: Java 8 is installed - apt: - name: openjdk-8-jre-headless - default_release: "{{ java8_apt_release }}" - state: present - tags: - - java - - packages - -- name: Java 8 is the default alternative - alternatives: - name: java - path: /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java - when: java8_default_alternative - tags: - - java diff --git a/jenkins/meta/main.yml b/jenkins/meta/main.yml index eda76a17..0f0b5b69 100644 --- a/jenkins/meta/main.yml +++ b/jenkins/meta/main.yml @@ -24,4 +24,4 @@ galaxy_info: # alphanumeric characters. Maximum 20 tags per role. dependencies: - - java8 + - { role: java, java_alternative: 'openjdk', java_version: 8 } diff --git a/logstash/meta/main.yml b/logstash/meta/main.yml index c74021e7..62a4cf71 100644 --- a/logstash/meta/main.yml +++ b/logstash/meta/main.yml @@ -14,4 +14,4 @@ galaxy_info: - jessie dependencies: - - java8 + - { role: java, java_alternative: 'openjdk', java_version: 8 } From b50ea625722686c6db00faef85f9068049c7b0f3 Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour Date: Mon, 11 Jun 2018 14:15:19 +0200 Subject: [PATCH 017/101] whitespaces --- php/tasks/apache.yml | 34 +++++++++++++++++----------------- php/tasks/php_jessie.yml | 38 +++++++++++++++++++------------------- 2 files changed, 36 insertions(+), 36 deletions(-) diff --git a/php/tasks/apache.yml b/php/tasks/apache.yml index cefeb95c..32ad6040 100644 --- a/php/tasks/apache.yml +++ b/php/tasks/apache.yml @@ -5,8 +5,8 @@ name: '{{ item }}' state: present with_items: - - libapache2-mod-php5 - - php5 + - libapache2-mod-php5 + - php5 when: ansible_distribution_release == "jessie" - name: "Install mod_php packages (Debian 9 or later)" 
@@ -14,41 +14,41 @@ name: '{{ item }}' state: present with_items: - - libapache2-mod-php - - php + - libapache2-mod-php + - php when: ansible_distribution_major_version | version_compare('9', '>=') - name: "Set php.ini config for apache2 (jessie)" set_fact: - php_apache_defaults_file: /etc/php5/apache2/conf.d/z-evolinux-defaults.ini - php_apache_custom_file: /etc/php5/apache2/conf.d/zzz-evolinux-custom.ini + php_apache_defaults_ini_file: /etc/php5/apache2/conf.d/z-evolinux-defaults.ini + php_apache_custom_ini_file: /etc/php5/apache2/conf.d/zzz-evolinux-custom.ini when: ansible_distribution_release == "jessie" - name: "Set php.ini config for apache2 (Debian 9 or later)" set_fact: - php_apache_defaults_file: /etc/php/7.0/apache2/conf.d/z-evolinux-defaults.ini - php_apache_custom_file: /etc/php/7.0/apache2/conf.d/zzz-evolinux-custom.ini + php_apache_defaults_ini_file: /etc/php/7.0/apache2/conf.d/z-evolinux-defaults.ini + php_apache_custom_ini_file: /etc/php/7.0/apache2/conf.d/zzz-evolinux-custom.ini when: ansible_distribution_major_version | version_compare('9', '>=') - name: Set default values for PHP ini_file: - dest: "{{ php_apache_defaults_file }}" + dest: "{{ php_apache_defaults_ini_file }}" section: PHP option: "{{ item.option }}" value: "{{ item.value }}" mode: "0644" create: yes with_items: - - { option: "short_open_tag", value: "Off" } - - { option: "expose_php", value: "Off" } - - { option: "display_errors", value: "Off" } - - { option: "log_errors", value: "On" } - - { option: "html_errors", value: "Off" } - - { option: "allow_url_fopen", value: "Off" } + - { option: "short_open_tag", value: "Off" } + - { option: "expose_php", value: "Off" } + - { option: "display_errors", value: "Off" } + - { option: "log_errors", value: "On" } + - { option: "html_errors", value: "Off" } + - { option: "allow_url_fopen", value: "Off" } - name: Disable PHP functions ini_file: - dest: "{{ php_apache_defaults_file }}" + dest: "{{ php_apache_defaults_ini_file }}" section: PHP 
option: disable_functions value: "exec,shell-exec,system,passthru,putenv,popen" @@ -71,5 +71,5 @@ value: "{{ item.value }}" mode: "0644" with_items: - - { option: "date.timezone", value: "Europe/Paris" } + - { option: "date.timezone", value: "Europe/Paris" } when: php_symfony_requirements diff --git a/php/tasks/php_jessie.yml b/php/tasks/php_jessie.yml index de5d94f4..e1f4b64f 100644 --- a/php/tasks/php_jessie.yml +++ b/php/tasks/php_jessie.yml @@ -5,18 +5,18 @@ name: '{{ item }}' state: present with_items: - - php5-cli - - php5-gd - - php5-imap - - php5-ldap - - php5-mcrypt - - php5-mysql - - php5-pgsql - - php-gettext - - php5-intl - - php5-curl - - php5-ssh2 - - libphp-phpmailer + - php5-cli + - php5-gd + - php5-imap + - php5-ldap + - php5-mcrypt + - php5-mysql + - php5-pgsql + - php-gettext + - php5-intl + - php5-curl + - php5-ssh2 + - libphp-phpmailer - name: "Set php.ini config for CLI (jessie)" set_fact: @@ -32,12 +32,12 @@ mode: "0644" create: yes with_items: - - { option: "short_open_tag", value: "Off" } - - { option: "expose_php", value: "Off" } - - { option: "display_errors", value: "Off" } - - { option: "log_errors", value: "On" } - - { option: "html_errors", value: "Off" } - - { option: "allow_url_fopen", value: "Off" } + - { option: "short_open_tag", value: "Off" } + - { option: "expose_php", value: "Off" } + - { option: "display_errors", value: "Off" } + - { option: "log_errors", value: "On" } + - { option: "html_errors", value: "Off" } + - { option: "allow_url_fopen", value: "Off" } - name: "Disable PHP functions for CLI (jessie)" ini_file: @@ -68,5 +68,5 @@ value: "{{ item.value }}" mode: "0644" with_items: - - { option: "date.timezone", value: "Europe/Paris" } + - { option: "date.timezone", value: "Europe/Paris" } when: php_symfony_requirements From 17d0c9c6bf2b4d953a6b84dab49ce470148545c1 Mon Sep 17 00:00:00 2001 
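Review bot: The `@@ -14,41 +14,41 @@` hunk of php/tasks/apache.yml renames `php_apache_defaults_file`/`php_apache_custom_file` to `php_apache_defaults_ini_file`/`php_apache_custom_ini_file` in the `set_fact` tasks, but only the `Set default values for PHP` and `Disable PHP functions` consumers are updated; the `Custom php.ini` and Symfony tasks further down the file are not in this patch (the following patch in the series, `php: clarify configuration`, shows them still reading `php_apache_custom_file`), so at this commit the apache path fails with an undefined variable. The rename also does not belong in a commit titled `whitespaces`; keeping it as its own commit would have made the omission easier to spot in review.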
From: Jeremy Lecour Date: Mon, 11 Jun 2018 14:22:42 +0200 Subject: [PATCH 018/101] php: clarify configuration * Variables for config file names are normalized* With Sury, Evolix configs are linked to regular 7.0 paths --- CHANGELOG.md | 1 + php/tasks/{apache.yml => config_apache.yml} | 34 +-------- php/tasks/{php_jessie.yml => config_cli.yml} | 34 ++------- php/tasks/{fpm.yml => config_fpm.yml} | 46 ++---------- php/tasks/main.yml | 14 +--- php/tasks/main_jessie.yml | 60 +++++++++++++++ php/tasks/main_stretch.yml | 71 ++++++++++++++++++ php/tasks/php_stretch.yml | 74 ------------------- php/tasks/sury_post.yml | 35 +++++++++ .../{php_stretch_sury.yml => sury_pre.yml} | 17 +++++ 10 files changed, 199 insertions(+), 187 deletions(-) rename php/tasks/{apache.yml => config_apache.yml} (51%) rename php/tasks/{php_jessie.yml => config_cli.yml} (62%) rename php/tasks/{fpm.yml => config_fpm.yml} (57%) create mode 100644 php/tasks/main_jessie.yml create mode 100644 php/tasks/main_stretch.yml delete mode 100644 php/tasks/php_stretch.yml create mode 100644 php/tasks/sury_post.yml rename php/tasks/{php_stretch_sury.yml => sury_pre.yml} (62%) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2364de7c..ceab3785 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -21,6 +21,7 @@ The **patch** part changes incrementally at each release. * evolinux-users: add sudo permission for bkctld check * minifirewall: the tail file can be overwritten, or not (default: `True`) * nagios-nrpe: use bkctld internal check instead of nrpe plugin +* php: reorganization of the role for Sury overrides and more clear configuration * rbenv: change default Ruby version (2.5.1) * rbenv: switch from copy to lineinfile for default gems * squid: add a few news sites to the whitelist diff --git a/php/tasks/apache.yml b/php/tasks/config_apache.yml similarity index 51% rename from php/tasks/apache.yml rename to php/tasks/config_apache.yml index 32ad6040..a199c651 100644 --- a/php/tasks/apache.yml 
+++ b/php/tasks/config_apache.yml @@ -1,35 +1,5 @@ --- -- name: "Install mod_php packages (jessie)" - apt: - name: '{{ item }}' - state: present - with_items: - - libapache2-mod-php5 - - php5 - when: ansible_distribution_release == "jessie" - -- name: "Install mod_php packages (Debian 9 or later)" - apt: - name: '{{ item }}' - state: present - with_items: - - libapache2-mod-php - - php - when: ansible_distribution_major_version | version_compare('9', '>=') - -- name: "Set php.ini config for apache2 (jessie)" - set_fact: - php_apache_defaults_ini_file: /etc/php5/apache2/conf.d/z-evolinux-defaults.ini - php_apache_custom_ini_file: /etc/php5/apache2/conf.d/zzz-evolinux-custom.ini - when: ansible_distribution_release == "jessie" - -- name: "Set php.ini config for apache2 (Debian 9 or later)" - set_fact: - php_apache_defaults_ini_file: /etc/php/7.0/apache2/conf.d/z-evolinux-defaults.ini - php_apache_custom_ini_file: /etc/php/7.0/apache2/conf.d/zzz-evolinux-custom.ini - when: ansible_distribution_major_version | version_compare('9', '>=') - - name: Set default values for PHP ini_file: dest: "{{ php_apache_defaults_ini_file }}" @@ -56,7 +26,7 @@ - name: Custom php.ini copy: - dest: "{{ php_apache_custom_file }}" + dest: "{{ php_apache_custom_ini_file }}" content: | ; Put customized values here. ; default_charset = "ISO-8859-1" @@ -65,7 +35,7 @@ - name: "Set custom values for PHP to enable Symfony" ini_file: - dest: "{{ php_apache_custom_file }}" + dest: "{{ php_apache_custom_ini_file }}" section: PHP option: "{{ item.option }}" value: "{{ item.value }}" diff --git a/php/tasks/php_jessie.yml b/php/tasks/config_cli.yml similarity index 62% rename from php/tasks/php_jessie.yml rename to php/tasks/config_cli.yml index e1f4b64f..75c81080 100644 --- a/php/tasks/php_jessie.yml +++ b/php/tasks/config_cli.yml 
@@ -1,31 +1,7 @@ --- - -- name: "Install PHP packages (jessie)" - apt: - name: '{{ item }}' - state: present - with_items: - - php5-cli - - php5-gd - - php5-imap - - php5-ldap - - php5-mcrypt - - php5-mysql - - php5-pgsql - - php-gettext - - php5-intl - - php5-curl - - php5-ssh2 - - libphp-phpmailer - -- name: "Set php.ini config for CLI (jessie)" - set_fact: - phpini_cli_defaults_file: /etc/php5/cli/conf.d/z-evolinux-defaults.ini - phpini_cli_custom_file: /etc/php5/cli/conf.d/zzz-evolinux-custom.ini - - name: "Set default php.ini values for CLI (jessie)" ini_file: - dest: "{{ phpini_cli_defaults_file }}" + dest: "{{ php_cli_defaults_ini_file }}" section: PHP option: "{{ item.option }}" value: "{{ item.value }}" @@ -41,14 +17,14 @@ - name: "Disable PHP functions for CLI (jessie)" ini_file: - dest: "{{ phpini_cli_defaults_file }}" + dest: "{{ php_cli_defaults_ini_file }}" section: PHP option: disable_functions value: "exec,shell-exec,system,passthru,putenv,popen" - name: Custom php.ini for CLI (jessie) copy: - dest: "{{ phpini_cli_custom_file }}" + dest: "{{ php_cli_custom_ini_file }}" content: | ; Put customized values here. force: no @@ -57,12 +33,12 @@ # because "force: no" prevents any fix after the fact - name: "Permissions for custom php.ini for CLI (jessie)" file: - dest: "{{ phpini_cli_custom_file }}" + dest: "{{ php_cli_custom_ini_file }}" mode: "0644" - name: "Set custom values for PHP to enable Symfony (jessie)" ini_file: - dest: "{{ phpini_cli_custom_file }}" + dest: "{{ php_cli_custom_ini_file }}" section: PHP option: "{{ item.option }}" value: "{{ item.value }}" diff --git a/php/tasks/fpm.yml b/php/tasks/config_fpm.yml similarity index 57% rename from php/tasks/fpm.yml rename to php/tasks/config_fpm.yml index 6736f971..71232f49 100644 --- a/php/tasks/fpm.yml +++ b/php/tasks/config_fpm.yml 
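Review bot: php/tasks/config_cli.yml is now included from both main_jessie.yml and main_stretch.yml, but every task name in the file still carries the `(jessie)` suffix (`Set default php.ini values for CLI (jessie)`, `Disable PHP functions for CLI (jessie)`, `Custom php.ini for CLI (jessie)`, `Permissions for custom php.ini for CLI (jessie)`, `Set custom values for PHP to enable Symfony (jessie)`), which is misleading in run output on Debian 9. Drop the suffix as the sibling config_apache.yml and config_fpm.yml already do; the file paths come from the `php_cli_*_ini_file` facts, so the tasks are release-neutral.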
@@ -1,42 +1,8 @@ --- -- name: "Install PHP FPM packages (jessie)" - apt: - name: '{{ item }}' - state: present - with_items: - - php5-fpm - - php5 - when: ansible_distribution_release == "jessie" - -- name: "Install PHP FPM packages (Debian 9 or later)" - apt: - name: '{{ item }}' - state: present - with_items: - - php-fpm - - php - when: ansible_distribution_major_version | version_compare('9', '>=') - -- name: "Set config files for FPM (jessie)" - set_fact: - phpini_fpm_defaults_file: /etc/php5/fpm/conf.d/z-evolinux-defaults.ini - phpini_fpm_custom_file: /etc/php5/fpm/conf.d/zzz-evolinux-custom.ini - php_fpm_defaults_file: /etc/php5/fpm/pool.d/z-evolinux-defaults.conf - php_fpm_custom_file: /etc/php5/fpm/pool.d/zzz-evolinux-custom.conf - when: ansible_distribution_release == "jessie" - -- name: "Set config files for FPM (Debian 9 or later)" - set_fact: - phpini_fpm_defaults_file: /etc/php/7.0/fpm/conf.d/z-evolinux-defaults.ini - phpini_fpm_custom_file: /etc/php/7.0/fpm/conf.d/zzz-evolinux-custom.ini - php_fpm_defaults_file: /etc/php/7.0/fpm/pool.d/z-evolinux-defaults.conf - php_fpm_custom_file: /etc/php/7.0/fpm/pool.d/zzz-evolinux-custom.conf - when: ansible_distribution_major_version | version_compare('9', '>=') - - name: Set default php.ini values for FPM ini_file: - dest: "{{ phpini_fpm_defaults_file }}" + dest: "{{ php_fpm_defaults_ini_file }}" section: PHP option: "{{ item.option }}" value: "{{ item.value }}" @@ -53,7 +19,7 @@ - name: Disable PHP functions for FPM ini_file: - dest: "{{ phpini_fpm_defaults_file }}" + dest: "{{ php_fpm_defaults_ini_file }}" section: PHP option: disable_functions value: "exec,shell-exec,system,passthru,putenv,popen" @@ -61,7 +27,7 @@ - name: Custom php.ini for FPM copy: - dest: "{{ phpini_fpm_custom_file }}" + dest: "{{ php_fpm_custom_ini_file }}" content: | ; Put customized values here. force: no 
@@ -69,7 +35,7 @@ - name: Set default PHP FPM values ini_file: - dest: "{{ php_fpm_defaults_file }}" + dest: "{{ php_fpm_defaults_conf_file }}" section: www option: "{{ item.option }}" value: "{{ item.value }}" @@ -89,7 +55,7 @@ - name: Custom PHP FPM values copy: - dest: "{{ php_fpm_custom_file }}" + dest: "{{ php_fpm_custom_conf_file }}" content: | ; Put customized values here. ; default_charset = "ISO-8859-1" @@ -99,7 +65,7 @@ - name: "Set custom values for PHP to enable Symfony" ini_file: - dest: "{{ phpini_cli_custom_file }}" + dest: "{{ php_cli_custom_ini_file }}" section: PHP option: "{{ item.option }}" value: "{{ item.value }}" diff --git a/php/tasks/main.yml b/php/tasks/main.yml index 9b1d3375..38ece76b 100644 --- a/php/tasks/main.yml +++ b/php/tasks/main.yml @@ -5,18 +5,8 @@ when: - ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<') -- include: php_jessie.yml +- include: main_jessie.yml when: ansible_distribution_release == "jessie" -- include: php_stretch_sury.yml - when: ansible_distribution_major_version | version_compare('9', '>=') and php_sury_enable - -- include: php_stretch.yml +- include: main_stretch.yml when: ansible_distribution_major_version | version_compare('9', '>=') - -- include: fpm.yml - when: php_fpm_enable - -- include: apache.yml - when: php_apache_enable - diff --git a/php/tasks/main_jessie.yml b/php/tasks/main_jessie.yml new file mode 100644 index 00000000..4a9486af --- /dev/null +++ b/php/tasks/main_jessie.yml 
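Review bot: In the `@@ -99,7 +65,7 @@` hunk of php/tasks/config_fpm.yml the `Set custom values for PHP to enable Symfony` task now targets `php_cli_custom_ini_file`, i.e. the CLI custom ini, while every other task in the file writes to the FPM files; the old name `phpini_cli_custom_file` had the same mismatch, so this patch carries over what looks like a copy-paste slip rather than introducing it. Unless the intent really is to set `date.timezone` for the CLI from the FPM config (which config_cli.yml already does), the line should read `dest: "{{ php_fpm_custom_ini_file }}"`. The task's `with_items`/`when` tail lies outside the hunk.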
@@ -0,0 +1,60 @@ +--- + +- name: "Set config files paths (jessie)" + set_fact: + php_cli_defaults_ini_file: /etc/php5/cli/conf.d/z-evolinux-defaults.ini + php_cli_custom_ini_file: /etc/php5/cli/conf.d/zzz-evolinux-custom.ini + php_apache_defaults_ini_file: /etc/php5/apache2/conf.d/z-evolinux-defaults.ini + php_apache_custom_ini_file: /etc/php5/apache2/conf.d/zzz-evolinux-custom.ini + php_fpm_defaults_ini_file: /etc/php5/fpm/conf.d/z-evolinux-defaults.ini + php_fpm_custom_ini_file: /etc/php5/fpm/conf.d/zzz-evolinux-custom.ini + php_fpm_defaults_conf_file: /etc/php5/fpm/pool.d/z-evolinux-defaults.conf + php_fpm_custom_conf_file: /etc/php5/fpm/pool.d/zzz-evolinux-custom.conf + +# Packages + +- name: "Install PHP packages (jessie)" + apt: + name: '{{ item }}' + state: present + with_items: + - php5-cli + - php5-gd + - php5-imap + - php5-ldap + - php5-mcrypt + - php5-mysql + - php5-pgsql + - php-gettext + - php5-intl + - php5-curl + - php5-ssh2 + - libphp-phpmailer + +- name: "Install mod_php packages (jessie)" + apt: + name: '{{ item }}' + state: present + with_items: + - libapache2-mod-php5 + - php5 + when: php_apache_enable + +- name: "Install PHP FPM packages (jessie)" + apt: + name: '{{ item }}' + state: present + with_items: + - php5-fpm + - php5 + when: php_fpm_enable + +# Configuration + +- include: config_cli.yml + +- include: config_fpm.yml + when: php_fpm_enable + +- include: config_apache.yml + when: php_apache_enable diff --git a/php/tasks/main_stretch.yml b/php/tasks/main_stretch.yml new file mode 100644 index 00000000..1122b1d9 --- /dev/null +++ b/php/tasks/main_stretch.yml 
@@ -0,0 +1,71 @@ +--- + +- name: "Set config files paths (Debian 9 or later)" + set_fact: + php_cli_defaults_ini_file: /etc/php/7.0/cli/conf.d/z-evolinux-defaults.ini + php_cli_custom_ini_file: /etc/php/7.0/cli/conf.d/zzz-evolinux-custom.ini + php_apache_defaults_ini_file: /etc/php/7.0/apache2/conf.d/z-evolinux-defaults.ini + php_apache_custom_ini_file: /etc/php/7.0/apache2/conf.d/zzz-evolinux-custom.ini + php_fpm_defaults_ini_file: /etc/php/7.0/fpm/conf.d/z-evolinux-defaults.ini + php_fpm_custom_ini_file: /etc/php/7.0/fpm/conf.d/zzz-evolinux-custom.ini + php_fpm_defaults_conf_file: /etc/php/7.0/fpm/pool.d/z-evolinux-defaults.conf + php_fpm_custom_conf_file: /etc/php/7.0/fpm/pool.d/zzz-evolinux-custom.conf + +# Packages + +- name: "Set package list (Debian 9 or later)" + set_fact: + php_stretch_packages: + - php-cli + - php-gd + - php-intl + - php-imap + - php-ldap + - php-mysql + # php-mcrypt is no longer packaged for PHP 7.2 + - php-pgsql + - php-gettext + - php-curl + - php-ssh2 + - composer + - libphp-phpmailer + +- include: sury_pre.yml + when: php_sury_enable + +- name: "Install PHP packages (Debian 9 or later)" + apt: + name: '{{ item }}' + state: present + with_items: "{{ php_stretch_packages }}" + +- name: "Install mod_php packages (Debian 9 or later)" + apt: + name: '{{ item }}' + state: present + with_items: + - libapache2-mod-php + - php + when: php_apache_enable + +- name: "Install PHP FPM packages (Debian 9 or later)" + apt: + name: '{{ item }}' + state: present + with_items: + - php-fpm + - php + when: php_fpm_enable + +# Configuration + +- include: config_cli.yml + +- include: config_fpm.yml + when: php_fpm_enable + +- include: config_apache.yml + when: php_apache_enable + +- include: sury_post.yml + when: php_sury_enable diff --git a/php/tasks/php_stretch.yml b/php/tasks/php_stretch.yml deleted file mode 100644 index c39a63c2..00000000 --- a/php/tasks/php_stretch.yml +++ /dev/null 
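Review bot: The `php_stretch_packages` list in php/tasks/main_stretch.yml drops `php-mcrypt` with the comment `php-mcrypt is no longer packaged for PHP 7.2`, but this list is the non-Sury default for stock Debian 9 (PHP 7.0), where the deleted php_stretch.yml did install `php-mcrypt`; the Sury-specific override added to php/tasks/sury_pre.yml in this same patch is the same list item for item, so it overrides nothing. Either keep `php-mcrypt` in the main_stretch.yml default and let the sury_pre.yml override be the one that omits it, or drop the redundant override. Also, the `/etc/php/7.0/...` paths set here are used even when `php_sury_enable` is true; `ini_file` creates the files but presumably not the `7.0` directories, so on a Sury host without the 7.0 packages this may fail and deserves a test run.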
@@ -1,74 +0,0 @@ ---- - -- name: "Install PHP packages (Debian 9 or later)" - apt: - name: '{{ item }}' - state: present - with_items: - - php-cli - - php-gd - - php-intl - - php-imap - - php-ldap - - php-mcrypt - - php-mysql - - php-pgsql - - php-gettext - - php-curl - - php-ssh2 - - composer - - libphp-phpmailer - -- name: "Set php.ini config for CLI (Debian 9 or later)" - set_fact: - phpini_cli_defaults_file: /etc/php/7.0/cli/conf.d/z-evolinux-defaults.ini - phpini_cli_custom_file: /etc/php/7.0/cli/conf.d/zzz-evolinux-custom.ini - -- name: "Set default php.ini values for CLI (Debian 9 or later)" - ini_file: - dest: "{{ phpini_cli_defaults_file }}" - section: PHP - option: "{{ item.option }}" - value: "{{ item.value }}" - mode: "0644" - create: yes - with_items: - - { option: "short_open_tag", value: "Off" } - - { option: "expose_php", value: "Off" } - - { option: "display_errors", value: "Off" } - - { option: "log_errors", value: "On" } - - { option: "html_errors", value: "Off" } - - { option: "allow_url_fopen", value: "Off" } - -- name: "Disable PHP functions for CLI (Debian 9 or later)" - ini_file: - dest: "{{ phpini_cli_defaults_file }}" - section: PHP - option: disable_functions - value: "exec,shell-exec,system,passthru,putenv,popen" - -- name: "Custom php.ini for CLI (Debian 9 or later)" - copy: - dest: "{{ phpini_cli_custom_file }}" - content: | - ; Put customized values here. 
- ; default_charset = "ISO-8859-1" - force: no - -# This task is not merged with the above copy -# because "force: no" prevents any fix after the fact -- name: "Permissions for custom php.ini for CLI (Debian 9 or later)" - file: - dest: "{{ phpini_cli_custom_file }}" - mode: "0644" - -- name: "Set custom values for PHP to enable Symfony (Debian 9 or later)" - ini_file: - dest: "{{ phpini_cli_custom_file }}" - section: PHP - option: "{{ item.option }}" - value: "{{ item.value }}" - mode: "0644" - with_items: - - { option: "date.timezone", value: "Europe/Paris" } - when: php_symfony_requirements diff --git a/php/tasks/sury_post.yml b/php/tasks/sury_post.yml new file mode 100644 index 00000000..60b6b44c --- /dev/null +++ b/php/tasks/sury_post.yml 
@@ -0,0 +1,35 @@ +--- + +- name: Symlink Evolix CLI config files from 7.2 to 7.0 + file: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + force: yes + state: link + with_items: + - { src: "{{ php_cli_defaults_ini_file }}", dest: "/etc/php/7.2/cli/conf.d/z-evolinux-defaults.ini" } + - { src: "{{ php_cli_custom_ini_file }}", dest: "/etc/php/7.2/cli/conf.d/zzz-evolinux-custom.ini" } + +- name: Symlink Evolix Apache config files from 7.2 to 7.0 + file: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + force: yes + state: link + with_items: + - { src: "{{ php_apache_defaults_ini_file }}", dest: "/etc/php/7.2/apache2/conf.d/z-evolinux-defaults.ini" } + - { src: "{{ php_apache_custom_ini_file }}", dest: "/etc/php/7.2/apache2/conf.d/zzz-evolinux-custom.ini" } + when: php_apache_enable + +- name: Symlink Evolix FPM config files from 7.2 to 7.0 + file: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + force: yes + state: link + with_items: + - { src: "{{ php_fpm_defaults_ini_file }}", dest: "/etc/php/7.2/fpm/conf.d/z-evolinux-defaults.ini" } + - { src: "{{ php_fpm_custom_ini_file }}", dest: "/etc/php/7.2/fpm/conf.d/zzz-evolinux-custom.ini" } + - { src: "{{ php_fpm_defaults_conf_file }}", dest: "/etc/php/7.2/fpm/pool.d/z-evolinux-defaults.conf" } + - { src: "{{ php_fpm_custom_conf_file }}", dest: "/etc/php/7.2/fpm/pool.d/zzz-evolinux-custom.conf" } + when: php_fpm_enable diff --git a/php/tasks/php_stretch_sury.yml b/php/tasks/sury_pre.yml similarity index 62% rename from php/tasks/php_stretch_sury.yml rename to php/tasks/sury_pre.yml index be549804..9ab816ab 100644 --- a/php/tasks/php_stretch_sury.yml +++ b/php/tasks/sury_pre.yml 
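Review bot: php/tasks/sury_post.yml hard-codes `/etc/php/7.2/...` as the link destinations and uses `force: yes`, so any file already present at those paths (including a later local edit of `zzz-evolinux-custom.ini` under 7.2) is silently replaced by a symlink to the 7.0 copy on every run. The version should come from a variable alongside the 7.0 paths set in main_stretch.yml, and the custom files deserve the same `force: no` treatment their 7.0 originals get in the config_* tasks, so an operator's edits survive. The `file` module presumably also needs the `/etc/php/7.2/{cli,apache2,fpm}` directories to exist, which holds only once the Sury packages are installed; the include order in main_stretch.yml satisfies that, but a comment stating the dependency would help, e.g. `# Requires the Sury php7.2 packages (sury_pre.yml + package install) to have created /etc/php/7.2`.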
@@ -21,3 +21,20 @@ repo: "deb https://packages.sury.org/php/ stretch main" filename: sury state: present + +- name: "Override package list for Sury (Debian 9 or later)" + set_fact: + php_stretch_packages: + - php-cli + - php-gd + - php-intl + - php-imap + - php-ldap + - php-mysql + # php-mcrypt is no longer packaged for PHP 7.2 + - php-pgsql + - php-gettext + - php-curl + - php-ssh2 + - composer + - libphp-phpmailer From 767ce95b5c6d7a4ab3f10165b823885ecd688bf4 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 13 Jun 2018 09:37:55 +0200 Subject: [PATCH 019/101] php: variable service name for jessie and stretch --- php/handlers/main.yml | 6 ++++++ php/tasks/config_fpm.yml | 12 ++++++------ php/tasks/main_jessie.yml | 3 ++- php/tasks/main_stretch.yml | 3 ++- 4 files changed, 16 insertions(+), 8 deletions(-) diff --git a/php/handlers/main.yml b/php/handlers/main.yml index 31c87470..f1f71590 100644 --- a/php/handlers/main.yml +++ b/php/handlers/main.yml @@ -1,4 +1,10 @@ --- + +- name: restart php5-fpm + service: + name: php5-fpm + state: restarted + - name: restart php-fpm service: name: php-fpm diff --git a/php/tasks/config_fpm.yml b/php/tasks/config_fpm.yml index 71232f49..876a5195 100644 --- a/php/tasks/config_fpm.yml +++ b/php/tasks/config_fpm.yml @@ -15,7 +15,7 @@ - { option: "log_errors", value: "On" } - { option: "html_errors", value: "Off" } - { option: "allow_url_fopen", value: "Off" } - notify: restart php-fpm + notify: "restart {{ php_fpm_service_name }}" - name: Disable PHP functions for FPM ini_file: @@ -23,7 +23,7 @@ section: PHP option: disable_functions value: "exec,shell-exec,system,passthru,putenv,popen" - notify: restart php-fpm + notify: "restart {{ php_fpm_service_name }}" - name: Custom php.ini for FPM copy: @@ -31,7 +31,7 @@ content: | ; Put customized values here. force: no - notify: restart php-fpm + notify: "restart {{ php_fpm_service_name }}" - name: Set default PHP FPM values ini_file: 
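Review bot: The package list is hard-set with `set_fact`, which outranks inventory and play vars, so a deployment that already overrides `php_stretch_packages` loses that customisation as soon as the Sury path is taken; a separate default such as `php_sury_packages` in `defaults/main.yml` keeps the list overridable. The php-mcrypt remark is useful but sits inside the sequence; it reads more clearly above the task as `# php-mcrypt is no longer packaged for PHP 7.2, hence its absence below`. The repository definition this hunk extends starts outside the hunk.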
@@ -50,7 +50,7 @@ - { option: "pm.status_path", value: "/fpm_status" } - { option: "request_terminate_timeout", value: "60s" } - { option: "chroot", value: "/var/www/html" } - notify: restart php-fpm + notify: "restart {{ php_fpm_service_name }}" when: ansible_distribution_major_version | version_compare('9', '>=') - name: Custom PHP FPM values @@ -61,7 +61,7 @@ ; default_charset = "ISO-8859-1" mode: "0644" force: no - notify: restart php-fpm + notify: "restart {{ php_fpm_service_name }}" - name: "Set custom values for PHP to enable Symfony" ini_file: @@ -72,5 +72,5 @@ mode: "0644" with_items: - { option: "date.timezone", value: "Europe/Paris" } - notify: restart php-fpm + notify: "restart {{ php_fpm_service_name }}" when: php_symfony_requirements diff --git a/php/tasks/main_jessie.yml b/php/tasks/main_jessie.yml index 4a9486af..097e5b09 100644 --- a/php/tasks/main_jessie.yml +++ b/php/tasks/main_jessie.yml @@ -1,6 +1,6 @@ --- -- name: "Set config files paths (jessie)" +- name: "Set variables (jessie)" set_fact: php_cli_defaults_ini_file: /etc/php5/cli/conf.d/z-evolinux-defaults.ini php_cli_custom_ini_file: /etc/php5/cli/conf.d/zzz-evolinux-custom.ini @@ -10,6 +10,7 @@ php_fpm_custom_ini_file: /etc/php5/fpm/conf.d/zzz-evolinux-custom.ini php_fpm_defaults_conf_file: /etc/php5/fpm/pool.d/z-evolinux-defaults.conf php_fpm_custom_conf_file: /etc/php5/fpm/pool.d/zzz-evolinux-custom.conf + php_fpm_service_name: php5-fpm # Packages diff --git a/php/tasks/main_stretch.yml b/php/tasks/main_stretch.yml index 1122b1d9..d13c58ab 100644 --- a/php/tasks/main_stretch.yml +++ b/php/tasks/main_stretch.yml @@ -1,6 +1,6 @@ --- -- name: "Set config files paths (Debian 9 or later)" +- name: "Set variables (Debian 9 or later)" set_fact: php_cli_defaults_ini_file: /etc/php/7.0/cli/conf.d/z-evolinux-defaults.ini php_cli_custom_ini_file: /etc/php/7.0/cli/conf.d/zzz-evolinux-custom.ini 
@@ -10,6 +10,7 @@ php_fpm_custom_ini_file: /etc/php/7.0/fpm/conf.d/zzz-evolinux-custom.ini php_fpm_defaults_conf_file: /etc/php/7.0/fpm/pool.d/z-evolinux-defaults.conf php_fpm_custom_conf_file: /etc/php/7.0/fpm/pool.d/zzz-evolinux-custom.conf + php_fpm_service_name: php5-fpm # Packages From 6d9fbe8689fe94e278cbf27ee9beb7eff58e0ec1 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Thu, 14 Jun 2018 13:49:35 +0200 Subject: [PATCH 020/101] nagios-nrpe: add check_postgrey --- CHANGELOG.md | 1 + nagios-nrpe/templates/evolix.cfg.j2 | 1 + 2 files changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ceab3785..1515a228 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,7 @@ The **patch** part changes incrementally at each release. * kibana: log messages go to /var/log/kibana/kibana.log * mysql: add an option to install the client development libraries (default: `False`) * java: support for Oracle JRE +* nagios-nrpe: add check_postgrey ### Changed * evolinux-users: add sudo permission for bkctld check diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2 index 4a22f027..5d0b6b8c 100644 --- a/nagios-nrpe/templates/evolix.cfg.j2 +++ b/nagios-nrpe/templates/evolix.cfg.j2 @@ -52,6 +52,7 @@ command[check_elasticsearch]=/usr/lib/nagios/plugins/check_http -I 127.0.0.1 -u command[check_memcached]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 11211 command[check_opendkim]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 54321 command[check_bkctld]=sudo /usr/sbin/bkctld check +command[check_postgrey]=/usr/lib/nagios/plugins/check_tcp -p10023 # Local checks (not packaged) command[check_mem]={{ nagios_plugins_directory }}/check_mem -f -C -w 20 -c 10 From 5f09eac22e0cc69958110b01a360737da27c8176 Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Thu, 14 Jun 2018 14:28:19 +0200 Subject: [PATCH 021/101] Include remount-usr in haproxy nagios task --- haproxy/tasks/nagios.yml | 2 ++ 1 file changed, 2 insertions(+) 
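Review bot: `php_fpm_service_name: php5-fpm` is added to the Debian 9 branch, where the only other handler defined in this series is `restart php-fpm`, so every `notify: "restart {{ php_fpm_service_name }}"` in config_fpm.yml would target the Jessie handler on Stretch. At this point of the series the value should match the Stretch handler, `php_fpm_service_name: php-fpm` (a later patch corrects it). The `set_fact` task this line belongs to starts outside the hunk.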
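Review bot: `command[check_postgrey]=/usr/lib/nagios/plugins/check_tcp -p10023` omits the `-H` host argument that every neighbouring `check_tcp` command passes, and `check_tcp` does not run without a host; the line should read `command[check_postgrey]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 10023`. Binding the check explicitly to 127.0.0.1 also keeps it consistent with the other local-only checks in this file.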
diff --git a/haproxy/tasks/nagios.yml b/haproxy/tasks/nagios.yml index eff711ac..1663b71b 100644 --- a/haproxy/tasks/nagios.yml +++ b/haproxy/tasks/nagios.yml @@ -1,4 +1,6 @@ --- +- include_role: + name: remount-usr - name: "Install check_haproxy_stats script" copy: From 9f1487ac5853bdf659823410aaff56d39c6d422e Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Thu, 14 Jun 2018 15:13:02 +0200 Subject: [PATCH 022/101] evoadmin-mail: add php-twig to dependencies --- webapps/evoadmin-mail/tasks/packages.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/webapps/evoadmin-mail/tasks/packages.yml b/webapps/evoadmin-mail/tasks/packages.yml index b1b8a1dd..b92aa5a0 100644 --- a/webapps/evoadmin-mail/tasks/packages.yml +++ b/webapps/evoadmin-mail/tasks/packages.yml @@ -12,3 +12,4 @@ - php-pear - php-log - php-crypt-chap + - php-twig From ba4db7acf85d10748b5eef20ebe2bf2bb571c64a Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Thu, 14 Jun 2018 17:10:23 +0200 Subject: [PATCH 023/101] Let's handle multi memcached instances --- memcached/tasks/main.yml | 69 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 69 insertions(+) diff --git a/memcached/tasks/main.yml b/memcached/tasks/main.yml index 083c0134..9e550336 100644 --- a/memcached/tasks/main.yml +++ b/memcached/tasks/main.yml @@ -13,6 +13,7 @@ notify: restart memcached tags: - memcached + when: memcached_instance_name == False - name: Memcached is running and enabled on boot. service: 
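Review bot: `when: memcached_instance_name == False` tests the Python-style literal; Jinja accepts it, but `when: not memcached_instance_name` expresses the same intent, also treats an empty string as "no instance", and spares the `!= False` repetitions in the following hunk of this file. The task carrying this condition starts outside the hunk.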
@@ -21,6 +22,74 @@ state: started tags: - memcached + when: memcached_instance_name == False + +- name: Add systemd template + copy: + src: memcached@.service + dest: /etc/systemd/system/memcached@.service + tags: + - memcached + when: memcached_instance_name != False + +- name: Delete default memcached systemd configuration file + file: + path: /etc/systemd/system/multi-user.target.wants/memcached.service + state: absent + tags: + - memcached + when: memcached_instance_name != False + +- name: Create a symbolic link to memcached@.service + file: + src: /etc/systemd/system/memcached@.service + dest: /etc/systemd/system/multi-user.target.wants/memcached@{{ memcached_instance_name }}.service + state: link + tags: + - memcached + when: memcached_instance_name != False + +- name: Make sure memcached.conf is absent + file: + path: /etc/memcached.conf + state: absent + tags: + - memcached + when: memcached_instance_name != False + +- name: Create a configuration file + template: + src: memcached.conf.j2 + dest: /etc/memcached_{{ memcached_instance_name }}.conf + mode: "0644" + tags: + - memcached + when: memcached_instance_name != False + +- name: Reload systemd configuration + sudo: yes + command: "systemctl daemon-reload" + tags: + - memcached + when: memcached_instance_name != False + +# Ansible 2.4 and above +#- name: Reload systemd configuration +# systemd: +# daemon_reload: yes +# tags: +# - memcached +# when: memcached_instance_name != False + +- name: Enable and start the memcached instance + systemd: + name: memcached@{{ memcached_instance_name }} + enabled: yes + state: started + masked: no + tags: + - memcached + when: memcached_instance_name != False - include: munin.yml - include: nrpe.yml From aace200270c47d740605f6011aa10608d2939f8c Mon Sep 17 00:00:00 2001 
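Review bot: Deleting the `multi-user.target.wants/memcached.service` symlink and `/etc/memcached.conf` does not stop a default instance that is already running, so it keeps serving on its original port until reboot while its config file is gone; add a `service: name: memcached, state: stopped, enabled: false` task (or `systemd: name: memcached, enabled: no`, which removes the wants symlink itself) before these cleanup tasks. `sudo: yes` on the daemon-reload task is the deprecated spelling of `become: true`, and a bare `command: systemctl daemon-reload` reports changed on every run; the commented-out `systemd: daemon_reload: yes` variant is the idempotent replacement once Ansible 2.4 is the floor. The hand-made `memcached@{{ memcached_instance_name }}.service` symlink duplicates what the final `systemd: enabled: yes` task already creates.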
From: Tristan PILAT Date: Thu, 14 Jun 2018 17:13:20 +0200 Subject: [PATCH 024/101] Use multi memcached script when needed --- memcached/tasks/munin.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/memcached/tasks/munin.yml b/memcached/tasks/munin.yml index c2d56022..4d98ca5d 100644 --- a/memcached/tasks/munin.yml +++ b/memcached/tasks/munin.yml @@ -1,4 +1,8 @@ --- +- name: Choose packages (Oracle) + set_fact: + multi: "multi_" + when: memcached_instance_name != False - name: is Munin present ? stat: @@ -21,7 +25,7 @@ - name: Enable core Munin plugins file: src: '/usr/share/munin/plugins/memcached_' - dest: /etc/munin/plugins/{{ item }} + dest: /etc/munin/plugins/{{ multi }}{{ item }} state: link with_items: - memcached_bytes From a465744013dd19f1f21847ac0c270d8e9b5b9b58 Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Thu, 14 Jun 2018 17:14:31 +0200 Subject: [PATCH 025/101] set port number by default to allow multiple checks --- memcached/tasks/nrpe.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/memcached/tasks/nrpe.yml b/memcached/tasks/nrpe.yml index 139a3a10..b0210741 100644 --- a/memcached/tasks/nrpe.yml +++ b/memcached/tasks/nrpe.yml @@ -1,4 +1,7 @@ --- +- include_role: + name: remount-usr + - name: Is nrpe present ? stat: path: /etc/nagios/nrpe.d/evolix.cfg @@ -19,7 +22,7 @@ lineinfile: name: /etc/nagios/nrpe.d/evolix.cfg regexp: '^command\[check_memcached\]=' - line: 'command[check_memcached]=/usr/local/lib/nagios/plugins/check_memcached.pl -H 127.0.0.1' + line: 'command[check_memcached]=/usr/local/lib/nagios/plugins/check_memcached.pl -H 127.0.0.1 -p {{ memcached_port }}' notify: restart nagios-nrpe-server when: nrpe_evolix_config.stat.exists From 879b67d32e0b0275407d9616d7628a79ced20413 Mon Sep 17 00:00:00 2001 
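Review bot: `multi` is only set when `memcached_instance_name != False`, yet the symlink task now templates `dest: /etc/munin/plugins/{{ multi }}{{ item }}` unconditionally, so the single-instance run fails on an undefined variable unless `multi` is defined somewhere this hunk does not show. Set it in both cases, e.g. `multi: "{{ 'multi_' if memcached_instance_name else '' }}"` with no `when`, or use `{{ multi | default('') }}` in `dest`. The task name `Choose packages (Oracle)` looks copy-pasted from another role; `- name: Set Munin plugin prefix for multi-instance setups` describes what it does.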
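Review bot: The `lineinfile` still matches on `regexp: '^command\[check_memcached\]='`, so each memcached instance run rewrites the same single line and the last instance wins, whereas the commit title promises one check per instance. That needs the instance in both the command name and the regexp, e.g. a `check_memcached_{{ memcached_instance_name }}` command with a matching `regexp`, and each instance must then carry its own `memcached_port`, which this hunk cannot confirm.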
From: Tristan PILAT Date: Thu, 14 Jun 2018 17:18:06 +0200 Subject: [PATCH 026/101] Add memcached_instance_name default variable --- memcached/defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/memcached/defaults/main.yml b/memcached/defaults/main.yml index b71c36e9..d7b1fc1d 100644 --- a/memcached/defaults/main.yml +++ b/memcached/defaults/main.yml @@ -1,4 +1,5 @@ --- +memcached_instance_name: False memcached_logfile: '/var/log/memcached.log' memcached_mem: 64 memcached_user: 'nobody' From 001c8581c4d0e5e5fe102418a8f5b5eef9151c79 Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Thu, 14 Jun 2018 17:26:50 +0200 Subject: [PATCH 027/101] Add systemd template --- memcached/files/memcached@.service | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 memcached/files/memcached@.service diff --git a/memcached/files/memcached@.service b/memcached/files/memcached@.service new file mode 100644 index 00000000..1f21b319 --- /dev/null +++ b/memcached/files/memcached@.service @@ -0,0 +1,10 @@ +[Unit] +Description=memcached daemon +After=network.target +ConditionPathExists=/etc/memcached_%i.conf + +[Service] +ExecStart=/usr/share/memcached/scripts/systemd-memcached-wrapper /etc/memcached_%i.conf + +[Install] +WantedBy=multi-user.target From c1a14871d70328ee3bd07c8036c43a01445e7651 Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Thu, 14 Jun 2018 17:27:21 +0200 Subject: [PATCH 028/101] Add documentation --- memcached/README.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/memcached/README.md b/memcached/README.md index 38e5f89d..a2039d57 100644 --- a/memcached/README.md +++ b/memcached/README.md 
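Review bot: `ConditionPathExists=/etc/memcached_%i.conf` makes systemd skip the unit silently when the config is missing, and a failed condition is not a unit failure, so the `state: started` task in the companion patch would report success with nothing listening; a unit comment such as `# Missing config => unit is skipped, not failed; check 'systemctl status memcached@<name>'` saves the next operator some time. The `[Service]` section has no `Restart=` directive, so a crashed instance stays down until the next playbook run; `Restart=on-failure` is the usual choice for a cache daemon.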
@@ -15,5 +15,15 @@ Main variables are : * `memcached_port`: opened port (default: `11211`) ; * `memcached_bind_interface`: interface to listen to (default: `127.0.0.1`) ; * `memcached_connections`: number of simultaneous incoming connections (default: `1024`) ; +* `memcached_instance_name`: use this to set up multiple memcached instances (default: `False`) ; The full list of variables (with default values) can be found in `defaults/main.yml`. + +## Multiple intances + +When using memcached_instance_name variable, you can set up multiple memcached instances : + + roles: + - { role: memcached, memcached_instance_name: "instance1" } + - { role: memcached, memcached_instance_name: "instance2" } + From 82295b6f8ce09efac086366be9a3dbd6f5425a12 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 14 Jun 2018 11:40:24 +0200 Subject: [PATCH 029/101] php: fix php-fpm service name for Stretch --- php/tasks/main_stretch.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/php/tasks/main_stretch.yml b/php/tasks/main_stretch.yml index d13c58ab..3839e8dd 100644 --- a/php/tasks/main_stretch.yml +++ b/php/tasks/main_stretch.yml @@ -10,7 +10,7 @@ php_fpm_custom_ini_file: /etc/php/7.0/fpm/conf.d/zzz-evolinux-custom.ini php_fpm_defaults_conf_file: /etc/php/7.0/fpm/pool.d/z-evolinux-defaults.conf php_fpm_custom_conf_file: /etc/php/7.0/fpm/pool.d/zzz-evolinux-custom.conf - php_fpm_service_name: php5-fpm + php_fpm_service_name: php-fpm # Packages From 1593773937f2a2176e759a0819928a33227ab38e Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 15 Jun 2018 11:17:34 +0200 Subject: [PATCH 030/101] php: enforce permissions on /etc directories --- php/tasks/main_jessie.yml | 19 +++++++++++++++++++ php/tasks/main_stretch.yml | 22 ++++++++++++++++++++++ php/tasks/sury_post.yml | 17 +++++++++++++++++ 3 files changed, 58 insertions(+) diff --git a/php/tasks/main_jessie.yml b/php/tasks/main_jessie.yml index 097e5b09..e8d8d85e 100644 --- a/php/tasks/main_jessie.yml 
+++ b/php/tasks/main_jessie.yml @@ -52,10 +52,29 @@ # Configuration +- name: Enforce permissions on PHP directory + file: + dest: /etc/php5 + mode: "0755" + - include: config_cli.yml +- name: Enforce permissions on PHP cli directory + file: + dest: /etc/php5/cli + mode: "0755" - include: config_fpm.yml when: php_fpm_enable +- name: Enforce permissions on PHP fpm directory + file: + dest: /etc/php5/fpm + mode: "0755" + when: php_fpm_enable - include: config_apache.yml when: php_apache_enable +- name: Enforce permissions on PHP apache2 directory + file: + dest: /etc/php5/apache2 + mode: "0755" + when: php_apache_enable diff --git a/php/tasks/main_stretch.yml b/php/tasks/main_stretch.yml index 3839e8dd..3e48503b 100644 --- a/php/tasks/main_stretch.yml +++ b/php/tasks/main_stretch.yml @@ -60,13 +60,35 @@ # Configuration +- name: Enforce permissions on PHP directory + file: + dest: "{{ item ss}}" + mode: "0755" + with_items: + - /etc/php + - /etc/php/7.0 + - include: config_cli.yml +- name: Enforce permissions on PHP cli directory + file: + dest: /etc/php/7.0/cli + mode: "0755" - include: config_fpm.yml when: php_fpm_enable +- name: Enforce permissions on PHP fpm directory + file: + dest: /etc/php/7.0/fpm + mode: "0755" + when: php_fpm_enable - include: config_apache.yml when: php_apache_enable +- name: Enforce permissions on PHP apache2 directory + file: + dest: /etc/php/7.0/apache2 + mode: "0755" + when: php_apache_enable - include: sury_post.yml when: php_sury_enable diff --git a/php/tasks/sury_post.yml b/php/tasks/sury_post.yml index 60b6b44c..325b78e8 100644 --- a/php/tasks/sury_post.yml +++ b/php/tasks/sury_post.yml 
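Review bot: `dest: "{{ item ss}}"` is a Jinja syntax error and aborts the play on the first run; it should be `dest: "{{ item }}"` (the Jessie counterpart in the previous hunk spells it correctly, and a later patch in the series fixes it). The permission tasks use `file:` with `mode` only; adding `state: directory` makes the intent explicit and turns a missing `/etc/php/7.0/<sapi>` directory into a created one instead of a failure, assuming these directories are expected to exist after package installation, which this hunk does not show.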
@@ -10,6 +10,11 @@ - { src: "{{ php_cli_defaults_ini_file }}", dest: "/etc/php/7.2/cli/conf.d/z-evolinux-defaults.ini" } - { src: "{{ php_cli_custom_ini_file }}", dest: "/etc/php/7.2/cli/conf.d/zzz-evolinux-custom.ini" } +- name: Enforce permissions on PHP 7.2/cli directory + file: + dest: /etc/php/7.2/cli + mode: "0755" + - name: Symlink Evolix Apache config files from 7.2 to 7.0 file: src: "{{ item.src }}" @@ -21,6 +26,12 @@ - { src: "{{ php_apache_custom_ini_file }}", dest: "/etc/php/7.2/apache2/conf.d/zzz-evolinux-custom.ini" } when: php_apache_enable +- name: Enforce permissions on PHP 7.2/cli directory + file: + dest: /etc/php/7.2/apache2 + mode: "0755" + when: php_apache_enable + - name: Symlink Evolix FPM config files from 7.2 to 7.0 file: src: "{{ item.src }}" @@ -33,3 +44,9 @@ - { src: "{{ php_fpm_defaults_conf_file }}", dest: "/etc/php/7.2/fpm/pool.d/z-evolinux-defaults.conf" } - { src: "{{ php_fpm_custom_conf_file }}", dest: "/etc/php/7.2/fpm/pool.d/zzz-evolinux-custom.conf" } when: php_fpm_enable + +- name: Enforce permissions on PHP 7.2/cli directory + file: + dest: /etc/php/7.2/fpm + mode: "0755" + when: php_fpm_enable From fb4a254b9c3f73c054692a2feb35679adb79f9cd Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 15 Jun 2018 14:41:24 +0200 Subject: [PATCH 031/101] mysql-oracle: fix configuration directory variable --- CHANGELOG.md | 1 + mysql-oracle/tasks/config.yml | 7 +++++-- mysql-oracle/tasks/tmpdir.yml | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1515a228..827f30cb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -29,6 +29,7 @@ The **patch** part changes incrementally at each release. * java8: renamed to java (java8 symlinked to java for backward compatibility) ### Fixed +* mysql-oracle: fix configuration directory variable ### Security diff --git a/mysql-oracle/tasks/config.yml b/mysql-oracle/tasks/config.yml index 82ae50cb..16590a59 100644 --- a/mysql-oracle/tasks/config.yml 
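Review bot: The second and third added tasks are both named `Enforce permissions on PHP 7.2/cli directory` although they chmod `/etc/php/7.2/apache2` and `/etc/php/7.2/fpm`; they should be `- name: Enforce permissions on PHP 7.2/apache2 directory` and `- name: Enforce permissions on PHP 7.2/fpm directory` so that play output and `--start-at-task` are unambiguous. As in the main_stretch hunks, `state: directory` would make the `file:` intent explicit.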
+++ b/mysql-oracle/tasks/config.yml @@ -1,9 +1,12 @@ --- +- set_fact: + mysql_config_directory: "/etc/mysql/mysql.conf.d" + - name: "Copy MySQL defaults config file" copy: src: evolinux-defaults.cnf - dest: "/etc/mysql/mysql.conf.d/z-evolinux-defaults.cnf" + dest: "{{ mysql_config_directory }}/z-evolinux-defaults.cnf" owner: root group: root mode: "0644" @@ -14,7 +17,7 @@ - name: "Copy MySQL custom config file" template: src: evolinux-custom.cnf.j2 - dest: "/etc/mysql/mysql.conf.d/zzz-evolinux-custom.cnf" + dest: "{{ mysql_config_directory }}/zzz-evolinux-custom.cnf" owner: root group: root mode: "0644" diff --git a/mysql-oracle/tasks/tmpdir.yml b/mysql-oracle/tasks/tmpdir.yml index 2c2c0d91..ca560077 100644 --- a/mysql-oracle/tasks/tmpdir.yml +++ b/mysql-oracle/tasks/tmpdir.yml @@ -13,7 +13,7 @@ - name: Configure tmpdir ini_file: - dest: "/etc/mysql/conf.d/zzz-evolinux-custom.cnf" + dest: "{{ mysql_config_directory }}/zzz-evolinux-custom.cnf" section: mysqld option: tmpdir value: "{{ mysql_custom_tmpdir }}" From 469d9e6984f9ddf5c8fa977aa06ca2bf042a812e Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Mon, 18 Jun 2018 10:18:55 +0200 Subject: [PATCH 032/101] Fix bug when installing php-fpm. Absolute path is required. ERROR: Unable to create or open slowlog(/usr/log/www.log.slow): No such file or directory (2) --- php/tasks/config_fpm.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/php/tasks/config_fpm.yml b/php/tasks/config_fpm.yml index 876a5195..45cab1f1 100644 --- a/php/tasks/config_fpm.yml +++ b/php/tasks/config_fpm.yml 
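Review bot: `mysql_config_directory` is established with `set_fact` inside config.yml, but tmpdir.yml now depends on it too; if tmpdir.yml is ever included without config.yml having run first in the same play, `dest` is undefined and the task fails. Declaring `mysql_config_directory: "/etc/mysql/mysql.conf.d"` in the role's `defaults/main.yml` removes the ordering dependency and keeps the value overridable. The include order of the two files is not visible here.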
@@ -45,7 +45,7 @@ - { option: "pm", value: "ondemand" } - { option: "pm.max_children", value: "100" } - { option: "pm.process_idle_timeout", value: "10s" } - - { option: "slowlog", value: "log/$pool.log.slow" } + - { option: "slowlog", value: "/var/log/$pool.log.slow" } - { option: "request_slowlog_timeout", value: "5s" } - { option: "pm.status_path", value: "/fpm_status" } - { option: "request_terminate_timeout", value: "60s" } From af6fcb8a57271c6718d411668916f1e42d6139ce Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Mon, 18 Jun 2018 10:34:20 +0200 Subject: [PATCH 033/101] Fix typing mistake --- php/tasks/main_stretch.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/php/tasks/main_stretch.yml b/php/tasks/main_stretch.yml index 3e48503b..223770aa 100644 --- a/php/tasks/main_stretch.yml +++ b/php/tasks/main_stretch.yml @@ -62,7 +62,7 @@ - name: Enforce permissions on PHP directory file: - dest: "{{ item ss}}" + dest: "{{ item }}" mode: "0755" with_items: - /etc/php From 045492be85fb0d99d0751dca683a01441526a954 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 19 Jun 2018 16:51:27 +0200 Subject: [PATCH 034/101] Update changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 827f30cb..54cc1cec 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -30,6 +30,7 @@ The **patch** part changes incrementally at each release. ### Fixed * mysql-oracle: fix configuration directory variable +* php: fpm slowlog needs an absolute path ### Security From 9f34db8f9a17a3ffd1fd39f14e5c7db3a70a9560 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Wed, 20 Jun 2018 11:06:46 +0200 Subject: [PATCH 035/101] evoacme: fix module detection in apache config --- CHANGELOG.md | 1 + evoacme/templates/apache.conf.j2 | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 54cc1cec..fbe93c88 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -31,6 +31,7 @@ The **patch** part changes incrementally at each release. ### Fixed * mysql-oracle: fix configuration directory variable * php: fpm slowlog needs an absolute path +* evoacme: fix module detection in apache config ### Security diff --git a/evoacme/templates/apache.conf.j2 b/evoacme/templates/apache.conf.j2 index 014c4d3f..f0527728 100644 --- a/evoacme/templates/apache.conf.j2 +++ b/evoacme/templates/apache.conf.j2 @@ -1,7 +1,7 @@ - + SetEnvIf Request_URI "/.well-known/acme-challenge/*" no-jk - + ProxyPass /.well-known/acme-challenge/ ! Alias /.well-known/acme-challenge {{ evoacme_acme_dir }}/.well-known/acme-challenge From 77b5f84567a89f235fcba172925e3cd88ee0089b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 21 Jun 2018 17:19:46 +0200 Subject: [PATCH 036/101] evoacme: disable old certbot cron also in cron.daily --- CHANGELOG.md | 1 + evoacme/tasks/certbot.yml | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index fbe93c88..8056141e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ The **patch** part changes incrementally at each release. ### Added * elasticsearch: tmpdir configuration compatible with 5.x also * elasticsearch: add http.publish_host variable +* evoacme: disable old certbot cron also in cron.daily * kibana: log messages go to /var/log/kibana/kibana.log * mysql: add an option to install the client development libraries (default: `False`) * java: support for Oracle JRE diff --git a/evoacme/tasks/certbot.yml b/evoacme/tasks/certbot.yml index 5288f5fd..003c92d0 100644 --- a/evoacme/tasks/certbot.yml +++ b/evoacme/tasks/certbot.yml @@ -34,6 +34,12 @@ removes: /etc/cron.d/certbot creates: /etc/cron.d/certbot.disabled +- name: Disable /etc/cron.daily/certbot + command: mv /etc/cron.daily/certbot /etc/cron.daily/certbot.disabled + args: + removes: /etc/cron.daily/certbot + creates: /etc/cron.daily/certbot.disabled + - name: Install evoacme custom cron copy: src: evoacme.cron 
From d2c37fe67b6e631da740bd7554bbacaea83bd1e7 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 22 Jun 2018 10:49:24 +0200 Subject: [PATCH 037/101] redmine: use .my.cnf for mysql password --- redmine/tasks/main.yml | 1 + redmine/templates/database.yml.j2 | 7 +++---- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/redmine/tasks/main.yml b/redmine/tasks/main.yml index 7864fa51..d5a93a36 100644 --- a/redmine/tasks/main.yml +++ b/redmine/tasks/main.yml @@ -194,6 +194,7 @@ option: '{{ item.option }}' value: '{{ item.value }}' with_items: + - { option: 'host', value: "{{ redmine_db_host }}" } - { option: 'user', value: "{{ redmine_db_username }}" } - { option: 'database', value: "{{ redmine_db_name }}" } - { option: 'password', value: '{{ redmine_db_pass }}' } diff --git a/redmine/templates/database.yml.j2 b/redmine/templates/database.yml.j2 index c694644c..30cec4c2 100644 --- a/redmine/templates/database.yml.j2 +++ b/redmine/templates/database.yml.j2 @@ -1,7 +1,6 @@ production: adapter: mysql2 - database: {{ redmine_db_name }} - host: {{ redmine_db_host }} - username: {{ redmine_db_username }} - password: "{{ redmine_db_pass }}" encoding: utf8 + username: {{ redmine_db_username }} + default_file: /home/{{ redmine_db_username }}/.my.cnf + default_group: client From f32eee4b68975e4891b41718731fc4e4cd22cf7c Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Mon, 25 Jun 2018 11:12:33 +0200 Subject: [PATCH 038/101] Update CHANGELOG --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8056141e..511d9bdc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -28,6 +28,7 @@ The **patch** part changes incrementally at each release. * rbenv: switch from copy to lineinfile for default gems * squid: add a few news sites to the whitelist * java8: renamed to java (java8 symlinked to java for backward compatibility) +* redmine: use .my.cnf for mysql password ### Fixed * mysql-oracle: fix configuration directory variable 
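Review bot: The `ini_file` task writing `.my.cnf` now carries `host`, `user`, `database` and the password; its `dest`, `owner` and `mode` are above this hunk, so confirm it sets `mode: "0600"` and `owner: "{{ redmine_db_username }}"`, since the default mode of a newly created file would leave the credential readable by every local account. The enclosing task starts outside the hunk.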
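Review bot: The template relies on `default_group: client`, and a `database=` option in the `[client]` group is rejected by some client tools that read the same file (mysqldump, for one, aborts on an unknown variable), so a dedicated group such as `[redmine]` together with `default_group: redmine` avoids breaking backups and ad-hoc `mysql` runs from that account. The `username:` value stays unquoted; `username: "{{ redmine_db_username }}"` protects against names that YAML would otherwise type-coerce.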
From f56f8f76156406d6525dccab6e284460fafcc294 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Mon, 25 Jun 2018 11:19:34 +0200 Subject: [PATCH 039/101] evolinux-base: add mail related aliases --- CHANGELOG.md | 1 + evolinux-base/tasks/postfix.yml | 3 +++ 2 files changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 511d9bdc..58d4e601 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,7 @@ The **patch** part changes incrementally at each release. * mysql: add an option to install the client development libraries (default: `False`) * java: support for Oracle JRE * nagios-nrpe: add check_postgrey +* evolinux-base: add mail related aliases ### Changed * evolinux-users: add sudo permission for bkctld check diff --git a/evolinux-base/tasks/postfix.yml b/evolinux-base/tasks/postfix.yml index 84bb06a2..fa30fb03 100644 --- a/evolinux-base/tasks/postfix.yml +++ b/evolinux-base/tasks/postfix.yml @@ -61,6 +61,9 @@ - postmaster - abuse - mailer-daemon + - delay + - error + - bounce notify: newaliases when: evolinux_postfix_mailer_alias_root tags: From 2e2745290e45038326de28d9da65f09a884f6924 Mon Sep 17 00:00:00 2001 From: Bruno TATU Date: Mon, 25 Jun 2018 14:06:54 +0200 Subject: [PATCH 040/101] squid: whitelist egain somes domains --- squid/files/evolinux-whitelist-defaults.conf | 9 +++++++-- squid/files/whitelist-evolinux.conf | 4 ++++ 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/squid/files/evolinux-whitelist-defaults.conf b/squid/files/evolinux-whitelist-defaults.conf index 6e2f94b9..2bbebf5b 100644 --- a/squid/files/evolinux-whitelist-defaults.conf +++ b/squid/files/evolinux-whitelist-defaults.conf @@ -28,6 +28,7 @@ ^wp-updates\.com$ ^misc\.optimizingmatters\.com$ ^wp-rocket\.me$ +^backwpup\.com$ # Wordpress pingback ^rpc\.pingomatic\.com$ @@ -91,6 +92,7 @@ ^www\.joomlaworks\.net$ ^cdn\.joomlaworks\.org$ ^download\.regularlabs\.com$ +^download\.nonumber\.nl$ # Prestashop ^.*\.prestashop\.com$ 
@@ -140,8 +142,8 @@ ^geoip-api\.meteor\.com$ ^www\.bing\.com$ ^www\.telize\.com$ -^.*ident\.me$ -^.*icanhazip\.com$ +^.*\.ident\.me$ +^.*\.icanhazip\.com$ ^www\.express-mailing\.com$ ^bot\.whatismyipaddress\.com$ ^ipecho\.net$ @@ -158,3 +160,6 @@ ^api\.pinterest\.com$ ^api\.openweathermap\.org$ ^www\.lefigaro\.fr$ +^www\.dailymotion\.com$ +^.*\.123rf\.com$ +^.*.gouv\.fr$ diff --git a/squid/files/whitelist-evolinux.conf b/squid/files/whitelist-evolinux.conf index cc3b42f5..07f38a3f 100644 --- a/squid/files/whitelist-evolinux.conf +++ b/squid/files/whitelist-evolinux.conf @@ -28,6 +28,7 @@ http://pixel.wp.com/.* http://wp-updates.com/.* http://misc.optimizingmatters.com/* http://wp-rocket.me/.* +http://backwpup.com/.* # Wordpress pingback http://rpc.pingomatic.com/.* @@ -91,6 +92,7 @@ http://mijosoft.com/.* http://www.joomlaworks.net/.* http://cdn.joomlaworks.org/.* http://download.regularlabs.com/.* +http://download.nonumber.nl/.* # Prestashop http://.*.prestashop.com/.* @@ -157,3 +159,5 @@ http://bfmbusiness.bfmtv.com/.* http://api.pinterest.com/.* http://api.openweathermap.org/.* http://www.lefigaro.fr/.* +http://www.dailymotion.com/.* +http://.*.gouv.fr/.* From b18b3d3404f30ee4be1bab4a54f8e3dede0d687c Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Mon, 25 Jun 2018 16:57:18 +0200 Subject: [PATCH 041/101] roundcube: add missing slash to https redirection --- CHANGELOG.md | 1 + webapps/roundcube/templates/apache2.conf.j2 | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 58d4e601..75060589 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -35,6 +35,7 @@ The **patch** part changes incrementally at each release. * mysql-oracle: fix configuration directory variable * php: fpm slowlog needs an absolute path * evoacme: fix module detection in apache config +* roundcube: add missing slash to https redirection ### Security 
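Review bot: `^.*.gouv\.fr$` leaves the dot before `gouv` unescaped, so it also matches hosts like `notgouv.fr`, which is exactly the looseness this commit fixes for `ident.me` and `icanhazip.com` by adding `\.`; it should read `^.*\.gouv\.fr$` like the sibling `^.*\.123rf\.com$`. Note that the tightened `^.*\.ident\.me$` no longer matches the bare apex `ident.me`; if callers use the apex, `^(.*\.)?ident\.me$` keeps both. The `whitelist-evolinux.conf` entries (`http://.*.gouv.fr/.*`) follow that file's existing unescaped style, so they are consistent, if equally permissive.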
diff --git a/webapps/roundcube/templates/apache2.conf.j2 b/webapps/roundcube/templates/apache2.conf.j2 index 47865c01..01c25f3a 100644 --- a/webapps/roundcube/templates/apache2.conf.j2 +++ b/webapps/roundcube/templates/apache2.conf.j2 @@ -1,6 +1,6 @@ ServerName {{ roundcube_host }} - Redirect permanent / https://{{ roundcube_host }} + Redirect permanent / https://{{ roundcube_host }}/ From 4eea7362e303cefa367de6f0694e2215c764e548 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 26 Jun 2018 16:04:06 +0200 Subject: [PATCH 042/101] php: fix php-fpm service name for Stretch --- php/handlers/main.yml | 4 ++-- php/tasks/main_stretch.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/php/handlers/main.yml b/php/handlers/main.yml index f1f71590..63a3e0a6 100644 --- a/php/handlers/main.yml +++ b/php/handlers/main.yml @@ -5,7 +5,7 @@ name: php5-fpm state: restarted -- name: restart php-fpm +- name: restart php7.0-fpm service: - name: php-fpm + name: php7.0-fpm state: restarted diff --git a/php/tasks/main_stretch.yml b/php/tasks/main_stretch.yml index 223770aa..d97ba527 100644 --- a/php/tasks/main_stretch.yml +++ b/php/tasks/main_stretch.yml @@ -10,7 +10,7 @@ php_fpm_custom_ini_file: /etc/php/7.0/fpm/conf.d/zzz-evolinux-custom.ini php_fpm_defaults_conf_file: /etc/php/7.0/fpm/pool.d/z-evolinux-defaults.conf php_fpm_custom_conf_file: /etc/php/7.0/fpm/pool.d/zzz-evolinux-custom.conf - php_fpm_service_name: php-fpm + php_fpm_service_name: php7.0-fpm # Packages From db84e63940be9a0848ac888ca52902e152c06b11 Mon Sep 17 00:00:00 2001 
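Review bot: `php_fpm_service_name: php7.0-fpm` is set for every Debian 9 host, but when `php_sury_enable` is on the earlier `sury_post.yml` hunks link 7.2 config files, which suggests the running FPM unit is then `php7.2-fpm`, for which no handler exists in `php/handlers/main.yml`; confirm whether the Sury path overrides this fact. If it does not, derive both the fact and the handler name from a single PHP version variable (constructed example: `php_fpm_service_name: "php{{ php_version }}-fpm"`) rather than hard-coding 7.0.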
From: Tristan PILAT Date: Thu, 28 Jun 2018 14:18:31 +0200 Subject: [PATCH 043/101] Add role to install uvrrpd - https://forge.evolix.org/projects/uvrrpd --- uvrrpd/README.md | 3 +++ uvrrpd/meta/main.yml | 12 ++++++++++++ uvrrpd/tasks/main.yml | 32 ++++++++++++++++++++++++++++++++ 3 files changed, 47 insertions(+) create mode 100644 uvrrpd/README.md create mode 100644 uvrrpd/meta/main.yml create mode 100644 uvrrpd/tasks/main.yml diff --git a/uvrrpd/README.md b/uvrrpd/README.md new file mode 100644 index 00000000..c288d18d --- /dev/null +++ b/uvrrpd/README.md @@ -0,0 +1,3 @@ +# uvrrpd + +Install Evolix's uvrrpd from sources. diff --git a/uvrrpd/meta/main.yml b/uvrrpd/meta/main.yml new file mode 100644 index 00000000..25d7be5a --- /dev/null +++ b/uvrrpd/meta/main.yml @@ -0,0 +1,12 @@ +galaxy_info: + author: Evolix + description: Install uvrrpd from sources. + + issue_tracker_url: https://forge.evolix.org/projects/uvrrpd/issues + + min_ansible_version: 2.2 + + platforms: + - name: Debian + versions: + - stretch diff --git a/uvrrpd/tasks/main.yml b/uvrrpd/tasks/main.yml new file mode 100644 index 00000000..d6ace507 --- /dev/null +++ b/uvrrpd/tasks/main.yml @@ -0,0 +1,32 @@ +--- +- include_role: + name: remount-usr + tags: + - uvrrpd + +- name: Get uvrrpd sources + unarchive: + src: 'https://github.com/Evolix/uvrrpd/archive/master.zip' + dest: /root/ + remote_src: True + mode: "0755" + tags: + - uvrrpd + +- name: Pre-build configure + shell: 'cd /root/uvrrpd-master/;autoreconf -i;./configure' + tags: + - uvrrpd + +- name: Make + make: + chdir: /root/uvrrpd-master/ + tags: + - uvrrpd + +- name: Make install + make: + chdir: /root/uvrrpd-master/ + target: install + tags: + - uvrrpd From f3ab0b361b18ca8362ac92e686aef649514b4a5d Mon Sep 17 00:00:00 2001 
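Review bot: The sources are fetched from the unpinned `master` branch of a GitHub archive with no checksum, so every run builds and installs into `/usr` whatever the branch currently contains, and a changed or compromised upstream goes straight to `make install` as root; pin a tag or commit and verify a digest with `get_url` before unpacking (the extracted directory is then `uvrrpd-<tag>` rather than `uvrrpd-master`, so the `chdir` values follow). The configure step joins commands with `;`, so a failing `autoreconf -i` still runs `./configure`; `&&` plus `args: chdir:` is the usual form. `mode: "0755"` on the `unarchive` appears to apply to every extracted file, which is broader than a build tree needs.
```yaml
- name: Fetch uvrrpd source archive
  get_url:
    url: "https://github.com/Evolix/uvrrpd/archive/<PINNED_TAG_OR_COMMIT>.zip"
    dest: /root/uvrrpd.zip
    checksum: "sha256:<EXPECTED_SHA256>"
  tags:
    - uvrrpd

- name: Unpack uvrrpd sources
  unarchive:
    src: /root/uvrrpd.zip
    dest: /root/
    remote_src: true
  tags:
    - uvrrpd

- name: Pre-build configure
  shell: 'autoreconf -i && ./configure'
  args:
    chdir: /root/uvrrpd-master/
  tags:
    - uvrrpd
# … unchanged: make and make install tasks …
```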
From: Victor LABORIE Date: Tue, 3 Jul 2018 12:24:11 +0200 Subject: [PATCH 044/101] tomcat: better nrpe check output --- CHANGELOG.md | 1 + tomcat/templates/check_tomcat_instance.sh.j2 | 56 +++++++++++++++----- 2 files changed, 45 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 75060589..29e96480 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -30,6 +30,7 @@ The **patch** part changes incrementally at each release. * squid: add a few news sites to the whitelist * java8: renamed to java (java8 symlinked to java for backward compatibility) * redmine: use .my.cnf for mysql password +* tomcat: better nrpe check output ### Fixed * mysql-oracle: fix configuration directory variable diff --git a/tomcat/templates/check_tomcat_instance.sh.j2 b/tomcat/templates/check_tomcat_instance.sh.j2 index 8ed63475..60fe0ef3 100644 --- a/tomcat/templates/check_tomcat_instance.sh.j2 +++ b/tomcat/templates/check_tomcat_instance.sh.j2 
@@ -1,18 +1,50 @@ -#!/bin/bash +#!/bin/sh + +set -u TOMCAT_ROOT='{{ tomcat_instance_root }}' -alert=0 -for instance in $(ls $TOMCAT_ROOT); do - port=$(id -u $instance) - if [ -h ${TOMCAT_ROOT}/${instance}/.config/systemd/user/default.target.wants/tomcat.service ]; then - echo -n "$instance ($port) : " - /usr/lib/nagios/plugins/check_tcp -p $port - ret=$? - if [ $ret != 0 ]; then - alert=$ret - fi +return=0 +nb_crit=0 +nb_warn=0 +nb_ok=0 +nb_unchk=0 +output="" + +instances=$(ls "${TOMCAT_ROOT}") +for instance in ${instances}; do + port=$(id -u "${instance}") + if [ -h "${TOMCAT_ROOT}/${instance}/.config/systemd/user/default.target.wants/tomcat.service" ]; then + /usr/lib/nagios/plugins/check_tcp -p "${port}" >/dev/null 2>&1 + ret="${?}" + if [ "${ret}" -ge 2 ]; then + nb_crit=$((nb_crit + 1)) + output="${output}CRITICAL - ${instance} (${port})\n" + [ "${return}" -le 2 ] && return=2 + elif [ "${ret}" -ge 1 ]; then + nb_warn=$((nb_warn + 1)) + output="${output}WARNING - ${instance} (${port})\n" + [ "${return}" -le 1 ] && return=1 + else + nb_ok=$((nb_ok + 1)) + output="${output}OK - ${instance} (${port})\n" + [ "${return}" -le 0 ] && return=0 fi + else + nb_unchk=$((nb_unchk + 1)) + output="${output}UNCHK - ${instance} (${port})\n" + fi done -exit $alert +[ "${return}" -ge 0 ] && header="OK" +[ "${return}" -ge 1 ] && header="WARNING" +[ "${return}" -ge 2 ] && header="CRITICAL" + +printf "%s - %s UNCHK / %s CRIT / %s WARN / %s OK\n\n" "${header}" "${nb_unchk}" "${nb_crit}" "${nb_warn}" "${nb_ok}" + +printf "${output}" | grep -E "^CRITICAL" +printf "${output}" | grep -E "^WARNING" +printf "${output}" | grep -E "^OK" +printf "${output}" | grep -E "^UNCHK" + +exit "${return}" From 17e31604aff9d481710801b8379dc18619a9cc3b Mon Sep 17 00:00:00 2001 
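Review bot: `printf "${output}"` at the end of the new script passes the accumulated text as the printf format string, and that text is built from directory names read with `ls "${TOMCAT_ROOT}"`; an instance directory whose name contains `%` would be interpreted as a conversion and garble or abort the NRPE output. Use a fixed format and pass the text as an argument on all four lines, e.g. `printf "%b" "${output}" | grep -E "^CRITICAL"` (`%b` keeps the `\n` expansion the script relies on). A smaller point: `set -u` is enabled but `id -u "${instance}"` is not checked, so a directory that is not a user yields an empty `port` and `check_tcp -p ""` — treating that case as UNCHK would keep the summary counts honest.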
From: Tristan PILAT Date: Wed, 4 Jul 2018 11:14:36 +0200 Subject: [PATCH 045/101] We need some packages installed beforehand --- uvrrpd/tasks/main.yml | 45 +++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 43 insertions(+), 2 deletions(-) diff --git a/uvrrpd/tasks/main.yml b/uvrrpd/tasks/main.yml index d6ace507..f8f1d9d2 100644 --- a/uvrrpd/tasks/main.yml +++ b/uvrrpd/tasks/main.yml @@ -1,6 +1,26 @@ --- -- include_role: - name: remount-usr +- name: Make sure unzip is present + command: 'dpkg -l unzip' + check_mode: no + ignore_errors: yes + register: unzip_is_installed + tags: + - uvrrpd + +- name: Make sure dh-autoreconf is present + command: 'dpkg -l dh-autoreconf' + check_mode: no + ignore_errors: yes + register: autoreconf_is_installed + tags: + - uvrrpd + +- name: Make sure unzip and dh-autoreconf are installed + apt: + name: "{{item}}" + with_items: + - unzip + - dh-autoreconf tags: - uvrrpd @@ -24,9 +44,30 @@ tags: - uvrrpd +- include_role: + name: remount-usr + tags: + - uvrrpd + - name: Make install make: chdir: /root/uvrrpd-master/ target: install tags: - uvrrpd + +- name: Remove unzip if initially not present + apt: + name: unzip + state: absent + when: unzip_is_installed.rc == 0 + tags: + - uvrrpd + +- name: Remove dh-autoreconf if initially not present + apt: + name: dh-autoreconf + state: absent + when: autoreconf_is_installed.rc == 0 + tags: + - uvrrpd From 55d05cd4f0e0d750963834a51d9a30368de66394 Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Wed, 4 Jul 2018 11:36:39 +0200 Subject: [PATCH 046/101] Don't install uvrrpd if already present --- uvrrpd/tasks/main.yml | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/uvrrpd/tasks/main.yml b/uvrrpd/tasks/main.yml index f8f1d9d2..8f268587 100644 --- a/uvrrpd/tasks/main.yml +++ b/uvrrpd/tasks/main.yml 
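Review bot: The two cleanup tasks have their condition inverted: `dpkg -l unzip` exits 0 when the package is known to dpkg, so `when: unzip_is_installed.rc == 0` removes unzip precisely when it was present before the role ran, the opposite of the task name "Remove unzip if initially not present"; the same applies to `autoreconf_is_installed.rc == 0`. Both should be `!= 0`, and since `dpkg -l` also exits 0 for a package in the removed-but-configs-remain (`rc`) state, `dpkg -s unzip` (non-zero unless installed) is the more reliable probe. With the current logic a host that already had unzip installed loses it after the play, which is the kind of side effect that breaks unrelated tooling later.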
@@ -1,9 +1,16 @@ --- +- name: "Is uvrrpd already installed ?" + stat: + path: /usr/local/sbin/uvrrpd + check_mode: no + register: uvrrpd_test + - name: Make sure unzip is present command: 'dpkg -l unzip' check_mode: no ignore_errors: yes register: unzip_is_installed + when: not uvrrpd_test.stat.exists tags: - uvrrpd @@ -12,6 +19,7 @@ check_mode: no ignore_errors: yes register: autoreconf_is_installed + when: not uvrrpd_test.stat.exists tags: - uvrrpd @@ -21,6 +29,7 @@ with_items: - unzip - dh-autoreconf + when: not uvrrpd_test.stat.exists tags: - uvrrpd @@ -30,22 +39,26 @@ dest: /root/ remote_src: True mode: "0755" + when: not uvrrpd_test.stat.exists tags: - uvrrpd - name: Pre-build configure shell: 'cd /root/uvrrpd-master/;autoreconf -i;./configure' + when: not uvrrpd_test.stat.exists tags: - uvrrpd - name: Make make: chdir: /root/uvrrpd-master/ + when: not uvrrpd_test.stat.exists tags: - uvrrpd - include_role: name: remount-usr + when: not uvrrpd_test.stat.exists tags: - uvrrpd @@ -53,6 +66,7 @@ make: chdir: /root/uvrrpd-master/ target: install + when: not uvrrpd_test.stat.exists tags: - uvrrpd @@ -60,7 +74,9 @@ apt: name: unzip state: absent - when: unzip_is_installed.rc == 0 + when: + - not uvrrpd_test.stat.exists + - unzip_is_installed.rc == 0 tags: - uvrrpd @@ -68,6 +84,8 @@ apt: name: dh-autoreconf state: absent - when: autoreconf_is_installed.rc == 0 + when: + - not uvrrpd_test.stat.exists + - autoreconf_is_installed.rc == 0 tags: - uvrrpd From 961d9da5e5de6aa36d6dbdcec1abb9e747c008ee Mon Sep 17 00:00:00 2001 
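Review bot: The new `Is uvrrpd already installed ?` stat task is the only task in the file without `tags: - uvrrpd`, yet every following task now gates on `uvrrpd_test.stat.exists`; a run limited with `--tags uvrrpd` skips the stat and fails on an undefined `uvrrpd_test` at the first `when`. Add the same `tags:` block to the stat task. The inverted `unzip_is_installed.rc == 0` / `autoreconf_is_installed.rc == 0` conditions from the previous commit are carried over unchanged in the last two hunks.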
From: =?UTF-8?q?Beno=C3=AEt=20S=C3=89RIE?= Date: Tue, 10 Jul 2018 11:32:18 +0200 Subject: [PATCH 047/101] Backport fix from Daniel Jakots Original commit: The code was taken from check_http_many which apparently deals only with return codes 0, 1 and 2. Here, we uses check_nrpe which iff it can't connect, it returns 255 (https://github.com/danieljakots/mownitoring/commit/40717e320c04bb0e375f124ef81bed6485605306). So I decided that if the return code is greater or equal to 2, then we consider it's critical. I can't see any return code greater than 2 which may not be critical. --- nagios-nrpe/files/plugins/check_http_many | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nagios-nrpe/files/plugins/check_http_many b/nagios-nrpe/files/plugins/check_http_many index e027e23a..243c24b7 100755 --- a/nagios-nrpe/files/plugins/check_http_many +++ b/nagios-nrpe/files/plugins/check_http_many @@ -16,7 +16,7 @@ check_state() { cat $result >> ${result}.err :> $result fi - if [[ $1 -eq 2 ]]; then + if [[ $1 -ge 2 ]]; then critical=true cat $result >> ${result}.err :> $result From 1439fdab8fe37b224d096be9072aceaf9c699fd0 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 28 Jun 2018 18:10:28 +0200 Subject: [PATCH 048/101] metricbeat: add a role (copied from filebeat) --- CHANGELOG.md | 1 + metricbeat/.kitchen.yml | 28 ++++++++++++++++++++ metricbeat/README.md | 11 ++++++++ metricbeat/defaults/main.yml | 2 ++ metricbeat/files/elasticsearch.key | 31 ++++++++++++++++++++++ metricbeat/meta/main.yml | 20 +++++++++++++++ metricbeat/tasks/main.yml | 41 ++++++++++++++++++++++++++++++ metricbeat/tests/test.yml | 4 +++ 8 files changed, 138 insertions(+) create mode 100644 metricbeat/.kitchen.yml create mode 100644 metricbeat/README.md create mode 100644 metricbeat/defaults/main.yml create mode 100644 metricbeat/files/elasticsearch.key create mode 100644 metricbeat/meta/main.yml create mode 100644 metricbeat/tasks/main.yml create mode 100644 metricbeat/tests/test.yml 
diff --git a/CHANGELOG.md b/CHANGELOG.md index 29e96480..b372d9e2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,6 +19,7 @@ The **patch** part changes incrementally at each release. * java: support for Oracle JRE * nagios-nrpe: add check_postgrey * evolinux-base: add mail related aliases +* metricbeat: add a role (copied from filebeat) ### Changed * evolinux-users: add sudo permission for bkctld check diff --git a/metricbeat/.kitchen.yml b/metricbeat/.kitchen.yml new file mode 100644 index 00000000..b21cc3db --- /dev/null +++ b/metricbeat/.kitchen.yml @@ -0,0 +1,28 @@ +--- +driver: + name: docker + privileged: true + use_sudo: false + +provisioner: + name: ansible_playbook + hosts: test-kitchen + roles_path: ../ + ansible_verbose: true + require_ansible_source: false + require_chef_for_busser: false + idempotency_test: true + +platforms: + - name: debian + driver_config: + image: evolix/ansible:2.2.1 + +suites: + - name: default + provisioner: + name: ansible_playbook + playbook: ./tests/test.yml + +transport: + max_ssh_sessions: 6 diff --git a/metricbeat/README.md b/metricbeat/README.md new file mode 100644 index 00000000..443e1107 --- /dev/null +++ b/metricbeat/README.md @@ -0,0 +1,11 @@ +# filebeat + +Install Metricbeat. + +## Tasks + +Everything is in the `tasks/main.yml` file. + +## Available variables + +* `elastic_stack_version`: version to install (default: `6.x`); diff --git a/metricbeat/defaults/main.yml b/metricbeat/defaults/main.yml new file mode 100644 index 00000000..fc833c4f --- /dev/null +++ b/metricbeat/defaults/main.yml @@ -0,0 +1,2 @@ +--- +elastic_stack_version: "6.x" diff --git a/metricbeat/files/elasticsearch.key b/metricbeat/files/elasticsearch.key new file mode 100644 index 00000000..1b50dcca --- /dev/null +++ b/metricbeat/files/elasticsearch.key 
@@ -0,0 +1,31 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2.0.14 (GNU/Linux) + +mQENBFI3HsoBCADXDtbNJnxbPqB1vDNtCsqhe49vFYsZN9IOZsZXgp7aHjh6CJBD +A+bGFOwyhbd7at35jQjWAw1O3cfYsKAmFy+Ar3LHCMkV3oZspJACTIgCrwnkic/9 +CUliQe324qvObU2QRtP4Fl0zWcfb/S8UYzWXWIFuJqMvE9MaRY1bwUBvzoqavLGZ +j3SF1SPO+TB5QrHkrQHBsmX+Jda6d4Ylt8/t6CvMwgQNlrlzIO9WT+YN6zS+sqHd +1YK/aY5qhoLNhp9G/HxhcSVCkLq8SStj1ZZ1S9juBPoXV1ZWNbxFNGwOh/NYGldD +2kmBf3YgCqeLzHahsAEpvAm8TBa7Q9W21C8vABEBAAG0RUVsYXN0aWNzZWFyY2gg +KEVsYXN0aWNzZWFyY2ggU2lnbmluZyBLZXkpIDxkZXZfb3BzQGVsYXN0aWNzZWFy +Y2gub3JnPokBOAQTAQIAIgUCUjceygIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgEC +F4AACgkQ0n1mbNiOQrRzjAgAlTUQ1mgo3nK6BGXbj4XAJvuZDG0HILiUt+pPnz75 +nsf0NWhqR4yGFlmpuctgCmTD+HzYtV9fp9qW/bwVuJCNtKXk3sdzYABY+Yl0Cez/ +7C2GuGCOlbn0luCNT9BxJnh4mC9h/cKI3y5jvZ7wavwe41teqG14V+EoFSn3NPKm +TxcDTFrV7SmVPxCBcQze00cJhprKxkuZMPPVqpBS+JfDQtzUQD/LSFfhHj9eD+Xe +8d7sw+XvxB2aN4gnTlRzjL1nTRp0h2/IOGkqYfIG9rWmSLNlxhB2t+c0RsjdGM4/ +eRlPWylFbVMc5pmDpItrkWSnzBfkmXL3vO2X3WvwmSFiQbkBDQRSNx7KAQgA5JUl +zcMW5/cuyZR8alSacKqhSbvoSqqbzHKcUQZmlzNMKGTABFG1yRx9r+wa/fvqP6OT +RzRDvVS/cycws8YX7Ddum7x8uI95b9ye1/Xy5noPEm8cD+hplnpU+PBQZJ5XJ2I+ +1l9Nixx47wPGXeClLqcdn0ayd+v+Rwf3/XUJrvccG2YZUiQ4jWZkoxsA07xx7Bj+ +Lt8/FKG7sHRFvePFU0ZS6JFx9GJqjSBbHRRkam+4emW3uWgVfZxuwcUCn1ayNgRt +KiFv9jQrg2TIWEvzYx9tywTCxc+FFMWAlbCzi+m4WD+QUWWfDQ009U/WM0ks0Kww +EwSk/UDuToxGnKU2dQARAQABiQEfBBgBAgAJBQJSNx7KAhsMAAoJENJ9ZmzYjkK0 +c3MIAIE9hAR20mqJWLcsxLtrRs6uNF1VrpB+4n/55QU7oxA1iVBO6IFu4qgsF12J +TavnJ5MLaETlggXY+zDef9syTPXoQctpzcaNVDmedwo1SiL03uMoblOvWpMR/Y0j +6rm7IgrMWUDXDPvoPGjMl2q1iTeyHkMZEyUJ8SKsaHh4jV9wp9KmC8C+9CwMukL7 +vM5w8cgvJoAwsp3Fn59AxWthN3XJYcnMfStkIuWgR7U2r+a210W6vnUxU4oN0PmM +cursYPyeV0NX/KQeUeNMwGTFB6QHS/anRaGQewijkrYYoTNtfllxIu9XYmiBERQ/ +qPDlGRlOgVTd9xUfHFkzB52c70E= +=92oX +-----END PGP PUBLIC KEY BLOCK----- diff --git a/metricbeat/meta/main.yml b/metricbeat/meta/main.yml new file mode 100644 index 00000000..5440675d --- /dev/null +++ b/metricbeat/meta/main.yml 
@@ -0,0 +1,20 @@ +galaxy_info: + author: Evolix + description: Installation and basic configuration of Metricbeat. + + issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues + + license: GPLv2 + + min_ansible_version: 2.2 + + platforms: + - name: Debian + versions: + - jessie + - stretch + +dependencies: [] + # List your role dependencies here, one per line. + # Be sure to remove the '[]' above if you add dependencies + # to this list. diff --git a/metricbeat/tasks/main.yml b/metricbeat/tasks/main.yml new file mode 100644 index 00000000..07ffb67a --- /dev/null +++ b/metricbeat/tasks/main.yml @@ -0,0 +1,41 @@ +--- + +- name: APT https transport is enabled + apt: + name: apt-transport-https + state: present + tags: + - metricbeat + - packages + +- name: Elastic GPG key is installed + apt_key: + # url: https://artifacts.elastic.co/GPG-KEY-elasticsearch + data: "{{ lookup('file', 'elasticsearch.key') }}" + state: present + tags: + - metricbeat + - packages + +- name: Elastic sources list is available + apt_repository: + repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" + filename: elastic + state: present + update_cache: yes + tags: + - metricbeat + - packages + +- name: Metricbeat is installed + apt: + name: metricbeat + state: present + tags: + - metricbeat + - packages + +- name: Metricbeat service is enabled + systemd: + name: metricbeat + enabled: yes diff --git a/metricbeat/tests/test.yml b/metricbeat/tests/test.yml new file mode 100644 index 00000000..670cd0d3 --- /dev/null +++ b/metricbeat/tests/test.yml @@ -0,0 +1,4 @@ +--- +- hosts: test-kitchen + roles: + - role: metricbeat From ec1294839837c88fd6bb165baff8d719aedc41c2 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 9 Jul 2018 16:01:57 +0200 Subject: [PATCH 049/101] mysql: add quotes in a few tasks --- mysql-oracle/tasks/users.yml | 4 ++-- mysql/tasks/users_stretch.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) 
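Review bot: `Elastic GPG key is installed` adds the vendored key to apt's global trusted keyring, which lets that key authenticate any repository on the host, not just the Elastic one; apt on Stretch supports per-repository keys, so the tighter form is `apt_key` with `keyring: /etc/apt/trusted.gpg.d/elastic.gpg` and `repo: "deb [signed-by=/etc/apt/trusted.gpg.d/elastic.gpg] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"`. Vendoring the key instead of fetching the commented-out URL is the right call for supply-chain reasons, but a comment recording the expected key fingerprint next to the task would let the next maintainer verify the blob in `files/elasticsearch.key` was not tampered with. Also, `Metricbeat service is enabled` is the only task without `tags:`, so a `--tags metricbeat` run installs the package but never enables the service.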
diff --git a/mysql-oracle/tasks/users.yml b/mysql-oracle/tasks/users.yml index bab76418..696743f3 100644 --- a/mysql-oracle/tasks/users.yml +++ b/mysql-oracle/tasks/users.yml @@ -37,7 +37,7 @@ create: yes with_items: - { option: 'user', value: 'mysqladmin' } - - { option: password, value: '{{ mysql_admin_password.stdout }}' } + - { option: 'password', value: '{{ mysql_admin_password.stdout }}' } when: create_mysqladmin_user | changed tags: - mysql @@ -73,7 +73,7 @@ with_nested: - [ "client", "mysql_upgrade" ] - [ { option: 'user', value: 'debian-sys-maint' }, - { option: password, value: '{{ mysql_debian_password.stdout }}' } + { option: 'password', value: '{{ mysql_debian_password.stdout }}' } ] when: create_debian_user | changed tags: diff --git a/mysql/tasks/users_stretch.yml b/mysql/tasks/users_stretch.yml index 6b180612..70ae9933 100644 --- a/mysql/tasks/users_stretch.yml +++ b/mysql/tasks/users_stretch.yml @@ -76,7 +76,7 @@ with_nested: - [ "client", "mysql_upgrade" ] - [ { option: 'user', value: 'debian-sys-maint' }, - { option: password, value: '{{ mysql_debian_password.stdout }}' } + { option: 'password', value: '{{ mysql_debian_password.stdout }}' } ] when: create_debian_user.changed tags: From d387ed660a594a1b8f172a42ab759a218b0420b5 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 10 Jul 2018 16:25:25 +0200 Subject: [PATCH 050/101] munin: properly rename Munin cache directory --- CHANGELOG.md | 1 + munin/tasks/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b372d9e2..6f485f76 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -15,6 +15,7 @@ The **patch** part changes incrementally at each release. * elasticsearch: add http.publish_host variable * evoacme: disable old certbot cron also in cron.daily * kibana: log messages go to /var/log/kibana/kibana.log +* munin: properly rename Munin cache directory * mysql: add an option to install the client development libraries (default: `False`) * java: support for Oracle JRE * nagios-nrpe: add check_postgrey diff --git a/munin/tasks/main.yml b/munin/tasks/main.yml index ae1644fe..0ca5eb29 100644 --- a/munin/tasks/main.yml +++ b/munin/tasks/main.yml @@ -22,7 +22,7 @@ notify: restart munin-node - name: Rename the localdomain data dir - command: mv /var/lib/munin/localdomain /var/lib/munin/{{ ansible_domain }} + shell: mv /var/lib/munin/localdomain /var/lib/munin/{{ ansible_domain }} && rename "s/localhost.localdomain/{{ ansible_fqdn }}/" /var/lib/munin/{{ ansible_domain }}/* args: creates: /var/lib/munin/{{ ansible_domain }} removes: /var/lib/munin/localdomain From c57b069bf550e8f16225d4cfa8db20864ce63fd2 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 10 Jul 2018 16:27:04 +0200 Subject: [PATCH 051/101] Reorder lines in CHANGELOG --- CHANGELOG.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6f485f76..60d1853c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
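Review bot: The new `shell` in `Rename the localdomain data dir` is not atomic with respect to its `creates:` guard: if `mv` succeeds and `rename` then fails (the Perl `rename` command comes from the `rename` package, which this role does not declare as a dependency), the task errors, and on the next run `creates: /var/lib/munin/{{ ansible_domain }}` skips it, leaving the per-host files permanently unrenamed. Either ensure the `rename` package is installed earlier in the role, or move the rename into a separate task with its own idempotency check. In the expression itself the dots are regex metacharacters, so `s/localhost\.localdomain/{{ ansible_fqdn }}/` is the intended match.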
@@ -14,30 +14,30 @@ The **patch** part changes incrementally at each release. * elasticsearch: tmpdir configuration compatible with 5.x also * elasticsearch: add http.publish_host variable * evoacme: disable old certbot cron also in cron.daily +* evolinux-base: add mail related aliases +* java: support for Oracle JRE * kibana: log messages go to /var/log/kibana/kibana.log +* metricbeat: add a role (copied from filebeat) * munin: properly rename Munin cache directory * mysql: add an option to install the client development libraries (default: `False`) -* java: support for Oracle JRE * nagios-nrpe: add check_postgrey -* evolinux-base: add mail related aliases -* metricbeat: add a role (copied from filebeat) ### Changed * evolinux-users: add sudo permission for bkctld check +* java8: renamed to java (java8 symlinked to java for backward compatibility) * minifirewall: the tail file can be overwritten, or not (default: `True`) * nagios-nrpe: use bkctld internal check instead of nrpe plugin * php: reorganization of the role for Sury overrides and more clear configuration +* redmine: use .my.cnf for mysql password * rbenv: change default Ruby version (2.5.1) * rbenv: switch from copy to lineinfile for default gems * squid: add a few news sites to the whitelist -* java8: renamed to java (java8 symlinked to java for backward compatibility) -* redmine: use .my.cnf for mysql password * tomcat: better nrpe check output ### Fixed +* evoacme: fix module detection in apache config * mysql-oracle: fix configuration directory variable * php: fpm slowlog needs an absolute path -* evoacme: fix module detection in apache config * roundcube: add missing slash to https redirection ### Security From 17159676d95ef6c2291a357a1f624357f515af8f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Beno=C3=AEt=20S=C3=89RIE?= Date: Tue, 10 Jul 2018 17:08:39 +0200 Subject: [PATCH 052/101] Add exit 0 after the command -v commands. Otherwise it would exit 1 on nginx if you have not nginx installed. --- evoacme/files/make-csr.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/evoacme/files/make-csr.sh b/evoacme/files/make-csr.sh index 10c0f8e9..7bbff77f 100755 --- a/evoacme/files/make-csr.sh +++ b/evoacme/files/make-csr.sh @@ -227,6 +227,7 @@ main() { command -v apache2ctl >/dev/null && sed_selfsigned_cert_path_for_apache "/etc/apache2/ssl/${VHOST}.conf" command -v nginx >/dev/null && sed_selfsigned_cert_path_for_nginx "/etc/nginx/ssl/${VHOST}.conf" + exit 0 } readonly PROGNAME=$(basename "$0") From de63c0747f4c596cdaa1cf264aa4715ed64977a7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beno=C3=AEt=20S=C3=89RIE?= Date: Tue, 10 Jul 2018 17:46:41 +0200 Subject: [PATCH 053/101] Support for SAN in self-signed certificates --- evoacme/files/make-csr.sh | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/evoacme/files/make-csr.sh b/evoacme/files/make-csr.sh index 7bbff77f..f2257a2f 100755 --- a/evoacme/files/make-csr.sh +++ b/evoacme/files/make-csr.sh @@ -80,13 +80,17 @@ openssl_selfsigned() { local csr="$1" local key="$2" local crt="$3" + local cfg="$4" local crt_dir=$(dirname ${crt}) [ -r "${csr}" ] || error "File ${csr} is not readable" [ -r "${key}" ] || error "File ${key} is not readable" [ -w "${crt_dir}" ] || error "Directory ${crt_dir} is not writable" - - "${OPENSSL_BIN}" x509 -req -sha256 -days 365 -in "${csr}" -signkey "${key}" -out "${crt}" 2> /dev/null + if grep -q SAN "${cfg}"; then + "${OPENSSL_BIN}" x509 -req -sha256 -days 365 -in "${csr}" -extensions SAN -extfile "${cfg}" -signkey "${key}" -out "${crt}" 2> /dev/null + else + "${OPENSSL_BIN}" x509 -req -sha256 -days 365 -in "${csr}" -signkey "${key}" -out "${crt}" 2> /dev/null + fi [ -r "${crt}" ] || error "Something went wrong, ${crt} has not been generated" } 
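Review bot: The added `exit 0` at the end of `main()` fixes the symptom but also discards `main`'s real status, so any future non-fatal failure in `main` is masked; the spurious exit 1 comes from the `command -v nginx >/dev/null && …` line being the last statement, and the cleaner fix is to not make a missing daemon a failure: `if command -v nginx >/dev/null; then sed_selfsigned_cert_path_for_nginx "/etc/nginx/ssl/${VHOST}.conf"; fi` (same for apache2ctl). `main`'s body begins before this hunk, so I cannot see whether earlier steps rely on the return value.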
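Review bot: In `openssl_selfsigned`, `grep -q SAN "${cfg}"` matches the substring anywhere in the config, so a comment mentioning SAN would select the `-extensions SAN` branch and `openssl x509` would fail on the missing section; match the section header instead, `grep -qE '^\[[[:space:]]*SAN[[:space:]]*\]' "${cfg}"`. The new `cfg` parameter is also not validated like the others — add `[ -r "${cfg}" ] || error "File ${cfg} is not readable"` next to the existing checks so a missing fourth argument is reported rather than silently falling into the non-SAN branch.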
@@ -160,7 +164,7 @@ EOF chmod 644 "${CSR_FILE}" mkdir -p -m 0755 "${SELF_SIGNED_DIR}" - openssl_selfsigned "${CSR_FILE}" "${SSL_KEY_FILE}" "${SELF_SIGNED_FILE}" + openssl_selfsigned "${CSR_FILE}" "${SSL_KEY_FILE}" "${SELF_SIGNED_FILE}" "${config_file}" [ -r "${SELF_SIGNED_FILE}" ] && chmod 644 "${SELF_SIGNED_FILE}" debug "Self-signed certificate stored at ${SELF_SIGNED_FILE}" From 5e9d4906add63b059324519e5244103eca6de244 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 12 Jul 2018 11:04:07 +0200 Subject: [PATCH 054/101] add quotes for shell command --- munin/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/munin/tasks/main.yml b/munin/tasks/main.yml index 0ca5eb29..f08f2005 100644 --- a/munin/tasks/main.yml +++ b/munin/tasks/main.yml @@ -22,7 +22,7 @@ notify: restart munin-node - name: Rename the localdomain data dir - shell: mv /var/lib/munin/localdomain /var/lib/munin/{{ ansible_domain }} && rename "s/localhost.localdomain/{{ ansible_fqdn }}/" /var/lib/munin/{{ ansible_domain }}/* + shell: "mv /var/lib/munin/localdomain /var/lib/munin/{{ ansible_domain }} && rename \"s/localhost.localdomain/{{ ansible_fqdn }}/\" /var/lib/munin/{{ ansible_domain }}/*" args: creates: /var/lib/munin/{{ ansible_domain }} removes: /var/lib/munin/localdomain From 758a537a8db8734c098226a054284abdb1858f92 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beno=C3=AEt=20S=C3=89RIE?= Date: Thu, 12 Jul 2018 11:12:29 +0200 Subject: [PATCH 055/101] For SANs certificates, also add a CN for the first domain --- evoacme/files/make-csr.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/evoacme/files/make-csr.sh b/evoacme/files/make-csr.sh index f2257a2f..c9ba8c92 100755 --- a/evoacme/files/make-csr.sh +++ b/evoacme/files/make-csr.sh 
@@ -153,6 +153,7 @@ EOF done san=$(echo "${san}" | sed 's/^,//') cat "${SSL_CONFIG_FILE}" - > "${config_file}" < Date: Tue, 24 Jul 2018 12:17:07 +0200 Subject: [PATCH 056/101] 500px is too narrow, let's switch to 768px --- evolinux-base/templates/default_www/index.html.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/evolinux-base/templates/default_www/index.html.j2 b/evolinux-base/templates/default_www/index.html.j2 index 4ede9d36..cf02ccb3 100644 --- a/evolinux-base/templates/default_www/index.html.j2 +++ b/evolinux-base/templates/default_www/index.html.j2 @@ -14,7 +14,7 @@ } #container { padding-top: 20px; - width: 500px; + width: 768px; margin: auto; overflow: hidden; } @@ -24,7 +24,7 @@ border-bottom: 1px solid #a9a9a9; background-image: url(./img/background-top.png); background-repeat: no-repeat; - background-position: 245px 5px; + background-position: 510px 5px; } ul { list-style-type: none; From e83ca81776e507b56625dd8a43a4fd4251f66061 Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Tue, 24 Jul 2018 12:29:42 +0200 Subject: [PATCH 057/101] Haproxy role now handle haproxy installation from backports for Debian Stretch --- haproxy/README.md | 2 +- haproxy/defaults/main.yml | 2 +- haproxy/tasks/main.yml | 4 ++-- .../{packages_jessie_backports.yml => packages_backports.yml} | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) rename haproxy/tasks/{packages_jessie_backports.yml => packages_backports.yml} (88%) diff --git a/haproxy/README.md b/haproxy/README.md index 9f597baa..54416827 100644 --- a/haproxy/README.md +++ b/haproxy/README.md @@ -8,7 +8,7 @@ Everything is in the `tasks/main.yml` file. ## Available variables -* `haproxy_jessie_backports` : on Debian Jessie, we can prefer v1.7 from backports (default: `False`) +* `haproxy_backports` : We can either prefer v1.7 from backports for Debian Jessie or v1.8 for Debian Stretch (default: `False`) ## Configuration templates 
diff --git a/haproxy/defaults/main.yml b/haproxy/defaults/main.yml index 31f054ab..f531a10a 100644 --- a/haproxy/defaults/main.yml +++ b/haproxy/defaults/main.yml @@ -1,3 +1,3 @@ --- -haproxy_jessie_backports: False +haproxy_backports: False haproxy_stats_url: "http://127.0.0.1:8080/" diff --git a/haproxy/tasks/main.yml b/haproxy/tasks/main.yml index 3d252a55..0c8cb1fe 100644 --- a/haproxy/tasks/main.yml +++ b/haproxy/tasks/main.yml @@ -7,8 +7,8 @@ - haproxy - packages -- include: packages_jessie_backports.yml - when: ansible_distribution_release == "jessie" and haproxy_jessie_backports +- include: packages_backports.yml + when: haproxy_backports - name: Install HAProxy package apt: diff --git a/haproxy/tasks/packages_jessie_backports.yml b/haproxy/tasks/packages_backports.yml similarity index 88% rename from haproxy/tasks/packages_jessie_backports.yml rename to haproxy/tasks/packages_backports.yml index 17218ee6..a5c33170 100644 --- a/haproxy/tasks/packages_jessie_backports.yml +++ b/haproxy/tasks/packages_backports.yml @@ -7,7 +7,7 @@ - haproxy - packages -- name: Prefer HAProxy package from jessie-backports +- name: Prefer HAProxy package from backports copy: src: haproxy_apt_preferences dest: /etc/apt/preferences.d/999-haproxy From db683ea9c33914b8d0b6f90bbcab44db986e31bb Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Tue, 24 Jul 2018 15:43:45 +0200 Subject: [PATCH 058/101] Fix role - shift haproxy_apt_preferences file to the templates directory --- haproxy/files/haproxy_apt_preferences | 3 --- haproxy/tasks/packages_backports.yml | 4 ++-- haproxy/templates/haproxy_apt_preferences.j2 | 3 +++ 3 files changed, 5 insertions(+), 5 deletions(-) delete mode 100644 haproxy/files/haproxy_apt_preferences create mode 100644 haproxy/templates/haproxy_apt_preferences.j2 diff --git a/haproxy/files/haproxy_apt_preferences b/haproxy/files/haproxy_apt_preferences deleted file mode 100644 index bae1e794..00000000 --- a/haproxy/files/haproxy_apt_preferences +++ /dev/null 
@@ -1,3 +0,0 @@ -Package: haproxy libssl1.0.0 -Pin: release a=jessie-backports -Pin-Priority: 999 diff --git a/haproxy/tasks/packages_backports.yml b/haproxy/tasks/packages_backports.yml index a5c33170..3be91268 100644 --- a/haproxy/tasks/packages_backports.yml +++ b/haproxy/tasks/packages_backports.yml @@ -8,8 +8,8 @@ - packages - name: Prefer HAProxy package from backports - copy: - src: haproxy_apt_preferences + template: + src: haproxy_apt_preferences.j2 dest: /etc/apt/preferences.d/999-haproxy force: yes mode: "0640" diff --git a/haproxy/templates/haproxy_apt_preferences.j2 b/haproxy/templates/haproxy_apt_preferences.j2 new file mode 100644 index 00000000..706ee67d --- /dev/null +++ b/haproxy/templates/haproxy_apt_preferences.j2 @@ -0,0 +1,3 @@ +Package: haproxy libssl1.0.0 +Pin: release a={{ ansible_distribution_release }}-backports +Pin-Priority: 999 From 8ad8c2c79823fdda46684207271d6f1d54c8ae17 Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Tue, 24 Jul 2018 17:16:30 +0200 Subject: [PATCH 059/101] Add the first version of OpenVPN role --- openvpn/README.md | 13 ++++++ openvpn/defaults/main.yml | 3 ++ openvpn/files/shellpki | 1 + openvpn/files/sudo_shellpki | 1 + openvpn/handlers/main.yml | 11 +++++ openvpn/meta/main.yml | 19 ++++++++ openvpn/tasks/main.yml | 78 ++++++++++++++++++++++++++++++++ openvpn/templates/server.conf.j2 | 27 +++++++++++ 8 files changed, 153 insertions(+) create mode 100644 openvpn/README.md create mode 100644 openvpn/defaults/main.yml create mode 120000 openvpn/files/shellpki create mode 100644 openvpn/files/sudo_shellpki create mode 100644 openvpn/handlers/main.yml create mode 100644 openvpn/meta/main.yml create mode 100644 openvpn/tasks/main.yml create mode 100644 openvpn/templates/server.conf.j2 diff --git a/openvpn/README.md b/openvpn/README.md new file mode 100644 index 00000000..18b459ff --- /dev/null +++ b/openvpn/README.md 
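Review bot: The new template keeps `Package: haproxy libssl1.0.0` from the Jessie-only file while the release is now `{{ ansible_distribution_release }}-backports`; `libssl1.0.0` was the Jessie OpenSSL package name and the HAProxy 1.8 build in stretch-backports appears to link against libssl1.1, so on Stretch the pin either does nothing or, if a `libssl1.0.0` ever appears in backports, pulls the crypto library from there at priority 999 unintentionally. Either restrict the line to `haproxy` or make the library name conditional on the release. A comment such as `# libssl1.0.0 is only relevant on jessie-backports (haproxy 1.7)` would at least record the intent.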
@@ -0,0 +1,13 @@ +# OpenVPN + +Installation and custom configuration of OpenVPN server. + +## Tasks + +Everything is in the `tasks/main.yml` file. + +## Available variables + +The full list of variables (with default values) can be found in `defaults/main.yml`. + +NOTE: Make sure you have already cloned shellpki in ~/GIT/ diff --git a/openvpn/defaults/main.yml b/openvpn/defaults/main.yml new file mode 100644 index 00000000..dbf2f802 --- /dev/null +++ b/openvpn/defaults/main.yml @@ -0,0 +1,3 @@ +--- +openvpn_lan: "192.168.42.0" +openvpn_netmask: "255.255.255.0" diff --git a/openvpn/files/shellpki b/openvpn/files/shellpki new file mode 120000 index 00000000..3036d457 --- /dev/null +++ b/openvpn/files/shellpki @@ -0,0 +1 @@ +/home/tpilat/GIT/shellpki/ \ No newline at end of file diff --git a/openvpn/files/sudo_shellpki b/openvpn/files/sudo_shellpki new file mode 100644 index 00000000..08ca1ab0 --- /dev/null +++ b/openvpn/files/sudo_shellpki @@ -0,0 +1 @@ +%shellpki ALL = (root) /usr/local/sbin/shellpki diff --git a/openvpn/handlers/main.yml b/openvpn/handlers/main.yml new file mode 100644 index 00000000..c87985aa --- /dev/null +++ b/openvpn/handlers/main.yml @@ -0,0 +1,11 @@ +--- +- name: restart openvpn + service: + name: openvpn + state: restarted + +- name: restart minifirewall + command: /etc/init.d/minifirewall restart + register: minifirewall_init_restart + failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout" + changed_when: "'starting IPTables rules is now finish : OK' in minifirewall_init_restart.stdout" diff --git a/openvpn/meta/main.yml b/openvpn/meta/main.yml new file mode 100644 index 00000000..7c4a6bd3 --- /dev/null +++ b/openvpn/meta/main.yml 
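Review bot: `openvpn/files/shellpki` is committed as a symlink (mode 120000) to `/home/tpilat/GIT/shellpki/`, an absolute path on one developer's workstation, so the role's `openssl.cnf` and `shellpki.sh` inputs resolve to whatever is in that directory on the controller (or nothing at all for anyone else); the README's instruction to clone into `~/GIT/` does not match the committed target either. Anything that ends up as `/usr/local/sbin/shellpki` runnable as root via sudoers should come from a reviewable, pinned source — vendor the two files into the role or add shellpki as a git submodule at a fixed commit, and drop the symlink. The `sudo_shellpki` rule grants the `shellpki` group root execution of that script with arbitrary arguments, which is only as safe as the script's own argument handling; a comment there stating that assumption would help reviewers.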
@@ -0,0 +1,19 @@ +galaxy_info: + author: Evolix + description: Installation and custom configuration of OpenVPN server. + + issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues + + license: GPLv2 + + min_ansible_version: 2.2 + + platforms: + - name: Debian + versions: + - stretch + +dependencies: [] + # List your role dependencies here, one per line. + # Be sure to remove the '[]' above if you add dependencies + # to this list. diff --git a/openvpn/tasks/main.yml b/openvpn/tasks/main.yml new file mode 100644 index 00000000..6f553ba9 --- /dev/null +++ b/openvpn/tasks/main.yml 
@@ -0,0 +1,78 @@ +--- +- name: Install OpenVPN package + apt: + name: "openvpn" + tags: + - openvpn + +- name: Deploy OpenVPN configuration + template: + src: "server.conf.j2" + dest: "/etc/openvpn/server.conf" + mode: "0600" + notify: restart openvpn + tags: + - openvpn + +- set_fact: + minifirewall_tail_included: True + minifirewall_tail_file: /etc/default/minifirewall.tail + +- include_role: + name: minifirewall + tags: + - openvpn + +- name: Allow OpenVPN input + blockinfile: + dest: "{{ minifirewall_tail_file }}" + marker: "# {mark} INPUT OPENVPN" + block: | + /sbin/iptables -A INPUT -p udp --dport 1194 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT + notify: restart minifirewall + tags: + - openvpn + +- name: Create /etc/shellpki directory + file: + path: /etc/shellpki + state: directory + owner: "root" + group: "root" + mode: "0755" + tags: + - openvpn + +- name: Create shellpki user + user: + name: "shellpki" + system: yes + state: present + home: "/etc/shellpki/" + shell: "/usr/sbin/nologin" + tags: + - openvpn + +- name: Copy some shellpki files + copy: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + owner: root + group: root + mode: "{{ item.mode }}" + force: yes + with_items: + - { src: 'files/shellpki/openssl.cnf', dest: '/etc/shellpki/openssl.cnf', mode: '0640' } + - { src: 'files/shellpki/shellpki.sh', dest: '/usr/local/sbin/shellpki', mode: '0755' } + tags: + - openvpn + +- name: Verify shellpki sudoers file presence + copy: + src: "sudo_shellpki" + dest: "/etc/sudoers.d/shellpki" + force: true + mode: "0440" + validate: '/usr/sbin/visudo -cf %s' + tags: + - openvpn diff --git a/openvpn/templates/server.conf.j2 b/openvpn/templates/server.conf.j2 new file mode 100644 index 00000000..356e88e8 --- /dev/null +++ b/openvpn/templates/server.conf.j2 
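Review bot: The `set_fact` task that defines `minifirewall_tail_file` is the only task in the new file without `tags: - openvpn`, so a `--tags openvpn` run skips it and the `Allow OpenVPN input` task then fails on an undefined `minifirewall_tail_file` (or, if the variable exists from elsewhere, writes the rule to an unexpected file). Add `tags: - openvpn` to it, and consider a `name:` so it shows up in play output. Separately, the role creates a `shellpki` user whose home is `/etc/shellpki/` but every file it deploys is root-owned with `openssl.cnf` at 0640, so the user cannot read its own config; if shellpki is always invoked through the sudoers entry as root, the account looks unused and could be dropped — worth confirming against the script.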
@@ -0,0 +1,27 @@ +user nobody +group nogroup + +local {{ ansible_default_ipv4.address }} +port 1194 +proto udp +dev tun +mode server +keepalive 10 120 + +cipher AES-128-CBC # AES +#comp-lzo +# compress (à partir d'OpenVPN 2.4) + +persist-key +persist-tun + +status /var/log/openvpn/openvpn-status.log +log-append /var/log/openvpn/openvpn.log + +ca /etc/shellpki/cacert.pem +cert /etc/shellpki/certs/{{ ansible_fqdn }}.crt +key /etc/shellpki/private/{{ ansible_fqdn }}.key +dh /etc/shellpkca/dh2048.pem + +server {{ openvpn_lan }} {{ openvpn_netmask }} + From 14e270b688d48b458fe235ab9f0911da01f341db Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Thu, 26 Jul 2018 11:48:14 +0200 Subject: [PATCH 060/101] Ajout verification minifirewall + /usr en ro + port management pour check_openvpn + certificat dhparam --- openvpn/tasks/main.yml | 33 +++++++++++++++++--------------- openvpn/templates/dh2048.pem.j2 | 8 ++++++++ openvpn/templates/server.conf.j2 | 4 +++- 3 files changed, 29 insertions(+), 16 deletions(-) create mode 100644 openvpn/templates/dh2048.pem.j2 diff --git a/openvpn/tasks/main.yml b/openvpn/tasks/main.yml index 6f553ba9..d58dc4bf 100644 --- a/openvpn/tasks/main.yml +++ b/openvpn/tasks/main.yml @@ -14,24 +14,16 @@ tags: - openvpn -- set_fact: - minifirewall_tail_included: True - minifirewall_tail_file: /etc/default/minifirewall.tail - -- include_role: - name: minifirewall - tags: - - openvpn - - name: Allow OpenVPN input - blockinfile: - dest: "{{ minifirewall_tail_file }}" - marker: "# {mark} INPUT OPENVPN" - block: | - /sbin/iptables -A INPUT -p udp --dport 1194 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT - notify: restart minifirewall + lineinfile: + dest: /etc/default/minifirewall + line: "/sbin/iptables -A INPUT -p udp --dport 1194 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT #OPENVPN" + regexp: '#OPENVPN$' + state: present + failed_when: False tags: - openvpn + - openvpn-minifirewall - name: Create /etc/shellpki directory file: 
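Review bot: The server config has no control-channel protection and no TLS floor: there is no `tls-auth`/`tls-crypt` key, no `tls-version-min`, no `auth` (OpenVPN defaults to HMAC-SHA1) and no `remote-cert-tls client`, so any host that reaches UDP 1194 can start a TLS handshake against the daemon and a leaked client certificate with the wrong EKU would still be accepted. Stretch ships OpenVPN 2.4, so the lines below apply; `tls-crypt` needs a static key generated once (`openvpn --genkey --secret`) and deployed to server and clients, which the role would have to add. The `cipher AES-128-CBC` line is fine as a fallback but with 2.4 clients the GCM ciphers get negotiated automatically, which is worth a comment so nobody "fixes" it.
```
auth SHA256
tls-version-min 1.2
tls-crypt /etc/openvpn/tls-crypt.key
remote-cert-tls client
```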
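Review bot: The rewritten `Allow OpenVPN input` task drops the `notify: restart minifirewall` the previous version had, so the iptables line is appended to `/etc/default/minifirewall` but never loaded until someone restarts the firewall by hand, and `failed_when: False` hides every error including a missing `/etc/default/minifirewall`, in which case the port is silently never opened. Keep `notify: restart minifirewall` (the handler still exists in `handlers/main.yml`), and replace the blanket `failed_when: False` with a `stat` on the file plus `when: minifirewall_default.stat.exists`, so a host without minifirewall is skipped explicitly rather than failures being swallowed.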
@@ -53,6 +45,11 @@ tags: - openvpn +- include_role: + name: remount-usr + tags: + - openvpn + - name: Copy some shellpki files copy: src: "{{ item.src }}" @@ -67,6 +64,12 @@ tags: - openvpn +- name: Deploy DH PARAMETERS + template: + src: "dh2048.pem.j2" + dest: "/etc/shellpki/dh2048.pem" + mode: "0600" + - name: Verify shellpki sudoers file presence copy: src: "sudo_shellpki" diff --git a/openvpn/templates/dh2048.pem.j2 b/openvpn/templates/dh2048.pem.j2 new file mode 100644 index 00000000..9db20bb3 --- /dev/null +++ b/openvpn/templates/dh2048.pem.j2 @@ -0,0 +1,8 @@ +-----BEGIN DH PARAMETERS----- +MIIBCAKCAQEAuimweC/f5W/AIIFhLX256Bi5IU+AkN9sKZ9sxGx0xc3J8NwIBnEP +R/2RgclJqJ8OodY70zeDHNLDyc01crGvihuupiWVlvQxS4osdhfdM+GoV9pcmCVr +TRTybsUPkkm4rQ/SC7I2MxiYnXwDrrYnpMvBDaRZjoHlgTKjOGoYSd+DIDZSFKkv +ASkXQkIC9FpvjnxfW5gtzzm6NheqgYUI2Y2QiqM6BmGVZiPcqyUpbWvRCcZLoPa2 +Z+FV9LxE4J7CX0ilTJXXhs3RaMlG8qZha3l0hEL4SAZp5xn74Ej/9hA5cWqnKEOQ +aLfwADI4rPe9uTu9Qnw87DgM2tQeETBlmwIBAg== +-----END DH PARAMETERS----- diff --git a/openvpn/templates/server.conf.j2 b/openvpn/templates/server.conf.j2 index 356e88e8..466bb861 100644 --- a/openvpn/templates/server.conf.j2 +++ b/openvpn/templates/server.conf.j2 @@ -21,7 +21,9 @@ log-append /var/log/openvpn/openvpn.log ca /etc/shellpki/cacert.pem cert /etc/shellpki/certs/{{ ansible_fqdn }}.crt key /etc/shellpki/private/{{ ansible_fqdn }}.key -dh /etc/shellpkca/dh2048.pem +dh /etc/shellpki/dh2048.pem server {{ openvpn_lan }} {{ openvpn_netmask }} +# Management interface (used by check_openvpn for Nagios) +management 127.0.0.1 1195 /etc/openvpn/management-pwd From 57cf0a29ab756bed55411c047ad68289a5d89c66 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 27 Jul 2018 11:27:27 +0200 Subject: [PATCH 061/101] kvm-host: install kvm-tools package instead of copying add-vm.sh --- CHANGELOG.md | 1 + kvm-host/tasks/main.yml | 9 --------- kvm-host/tasks/packages.yml | 1 + 3 files changed, 2 insertions(+), 9 deletions(-) 
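Review bot: The `Deploy DH PARAMETERS` task is the only task in this file without `tags: - openvpn` and, unlike the `server.conf` template task, has no `notify: restart openvpn`, so `--tags openvpn` runs skip it and a changed group is not picked up by the running daemon; add `notify: restart openvpn` and `tags: - openvpn`. Since `dh2048.pem.j2` contains no Jinja expressions, `copy` from a plain file would express the intent better than `template`, and `mode: "0600"` is stricter than needed for DH parameters, which are public values (keep it only if `/etc/shellpki` is meant to be uniformly root-only).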
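Review bot: The added `management 127.0.0.1 1195 /etc/openvpn/management-pwd` line references a password file that no task in `openvpn/tasks/main.yml` creates; OpenVPN presumably refuses to start when the management password file cannot be read, so a fresh host would stay without VPN until the file is written by hand — confirm against the OpenVPN version in use. Add a task that deploys `/etc/openvpn/management-pwd` with `mode: "0600"`, with its content coming from a vaulted variable rather than a value committed in clear, and have it `notify: restart openvpn`. Binding the interface to 127.0.0.1 with a password is the right shape; a comment naming which local user (the NRPE check) is expected to read the file would help the next maintainer.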
diff --git a/CHANGELOG.md b/CHANGELOG.md index 60d1853c..83aba681 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -33,6 +33,7 @@ The **patch** part changes incrementally at each release. * rbenv: switch from copy to lineinfile for default gems * squid: add a few news sites to the whitelist * tomcat: better nrpe check output +* kvm-host: install kvm-tools package instead of copying add-vm.sh ### Fixed * evoacme: fix module detection in apache config diff --git a/kvm-host/tasks/main.yml b/kvm-host/tasks/main.yml index 9fc73e93..71fcda41 100644 --- a/kvm-host/tasks/main.yml +++ b/kvm-host/tasks/main.yml @@ -5,15 +5,6 @@ - include: packages.yml -- include_role: - name: remount-usr - -- name: Copy add-vm script - get_url: - url: https://forge.evolix.org/projects/kvm-tools/repository/revisions/master/raw/add-vm.sh - dest: /usr/share/scripts/add-vm.sh - mode: "0750" - - include: munin.yml - include: images.yml diff --git a/kvm-host/tasks/packages.yml b/kvm-host/tasks/packages.yml index 7188239a..e371067f 100644 --- a/kvm-host/tasks/packages.yml +++ b/kvm-host/tasks/packages.yml @@ -10,3 +10,4 @@ - virtinst - libvirt-daemon-system - libvirt-clients + - kvm-tools From b095f87f85e4a2c34c131c8850dd78552ac4ab88 Mon Sep 17 00:00:00 2001 
From: Tristan PILAT Date: Tue, 31 Jul 2018 16:05:47 +0200 Subject: [PATCH 062/101] Nginx role now handle Nginx installation from backports for either Debian Jessie or Stretch --- nginx/README.md | 2 +- nginx/defaults/main.yml | 2 +- nginx/tasks/main_regular.yml | 6 +----- nginx/tasks/{packages_stretch.yml => packages.yml} | 8 +++++--- ...es_jessie_backports.yml => packages_backports.yml} | 4 ++-- nginx/tasks/packages_jessie.yml | 11 ----------- nginx/{files => templates}/apt/nginx_preferences | 2 +- 7 files changed, 11 insertions(+), 24 deletions(-) rename nginx/tasks/{packages_stretch.yml => packages.yml} (70%) rename nginx/tasks/{packages_jessie_backports.yml => packages_backports.yml} (86%) delete mode 100644 nginx/tasks/packages_jessie.yml rename nginx/{files => templates}/apt/nginx_preferences (50%) diff --git a/nginx/README.md b/nginx/README.md index 73ede527..96d061ed 100644 --- a/nginx/README.md +++ b/nginx/README.md @@ -17,7 +17,7 @@ The regular mode is for full fledged web services with optimized defaults. Main variables are : * `nginx_minimal` : very basic install and config (default: `False`) ; -* `nginx_jessie_backports` : on Debian Jessie, we can prefer v1.10 from backports (default: `False`) ; +* `nginx_backports` : we can prefer higher version from backports (default: `False`) ; * `nginx_ipaddr_whitelist_present` : list of IP addresses to have in the private whitelist ; * `nginx_ipaddr_whitelist_absent` : list of IP addresses **not** to have in the whitelist ; * `nginx_private_htpasswd_present` : list of users to have in the private htpasswd ; diff --git a/nginx/defaults/main.yml b/nginx/defaults/main.yml index 0591945d..836de7c7 100644 --- a/nginx/defaults/main.yml +++ b/nginx/defaults/main.yml @@ -1,7 +1,7 @@ --- nginx_minimal: False -nginx_jessie_backports: False +nginx_backports: False nginx_package_name: "nginx-full" diff --git a/nginx/tasks/main_regular.yml b/nginx/tasks/main_regular.yml index f4dce1d7..559bc5d1 100644 
--- a/nginx/tasks/main_regular.yml +++ b/nginx/tasks/main_regular.yml @@ -1,10 +1,6 @@ --- -- include: packages_jessie.yml - when: ansible_distribution_release == "jessie" - -- include: packages_stretch.yml - when: ansible_distribution_major_version | version_compare('9', '>=') +- include: packages.yml # TODO: find a way to override the main configuration # without touching the main file diff --git a/nginx/tasks/packages_stretch.yml b/nginx/tasks/packages.yml similarity index 70% rename from nginx/tasks/packages_stretch.yml rename to nginx/tasks/packages.yml index 565b9b1d..ccbd3705 100644 --- a/nginx/tasks/packages_stretch.yml +++ b/nginx/tasks/packages.yml @@ -1,4 +1,6 @@ ---- +- include: packages_backports.yml + when: nginx_backports + # TODO: install "nginx" + only necessary modules, instead of "nginx-full" - name: Ensure Nginx is installed @@ -7,5 +9,5 @@ state: present notify: restart nginx tags: - - nginx - - packages + - nginx + - packages diff --git a/nginx/tasks/packages_jessie_backports.yml b/nginx/tasks/packages_backports.yml similarity index 86% rename from nginx/tasks/packages_jessie_backports.yml rename to nginx/tasks/packages_backports.yml index 91a6643b..dbb3a76a 100644 --- a/nginx/tasks/packages_jessie_backports.yml +++ b/nginx/tasks/packages_backports.yml @@ -7,8 +7,8 @@ - nginx - packages -- name: Prefer Nginx packages from jessie-backports - copy: +- name: Prefer Nginx packages from backports + template: src: apt/nginx_preferences dest: /etc/apt/preferences.d/999-nginx force: yes diff --git a/nginx/tasks/packages_jessie.yml b/nginx/tasks/packages_jessie.yml deleted file mode 100644 index 25cc18ed..00000000 --- a/nginx/tasks/packages_jessie.yml +++ /dev/null @@ -1,11 +0,0 @@ -- include: packages_jessie_backports.yml - when: ansible_distribution_release == "jessie" and nginx_jessie_backports - -- name: Ensure Nginx is installed - apt: - name: "{{ nginx_package_name }}" - state: present - notify: restart nginx - tags: - - nginx - - packages 
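Review bot: In `nginx/tasks/packages.yml` the first line replaces the `---` document-start marker with the new `- include:` instead of adding the include below it, so this becomes the only task file in the commit without the marker (`main_regular.yml` above keeps it, and yamllint's `document-start` rule will flag the omission). Keep `---` as line 1 and put `- include: packages_backports.yml` / `  when: nginx_backports` after it.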
diff --git a/nginx/files/apt/nginx_preferences b/nginx/templates/apt/nginx_preferences similarity index 50% rename from nginx/files/apt/nginx_preferences rename to nginx/templates/apt/nginx_preferences index 1c8275d1..84bf65ff 100644 --- a/nginx/files/apt/nginx_preferences +++ b/nginx/templates/apt/nginx_preferences @@ -1,3 +1,3 @@ Package: nginx nginx-* libnginx-* libssl* -Pin: release a=jessie-backports +Pin: release a={{ ansible_distribution_release }}-backports Pin-Priority: 999 From e817dffc0fc2df7cbf7c738050fbe3cf5c1cbde5 Mon Sep 17 00:00:00 2001 From: Daniel Jakots Date: Wed, 27 Jun 2018 14:16:36 -0400 Subject: [PATCH 063/101] Ignore /sys/kernel/debug/tracing in check_disk1 --- nagios-nrpe/templates/evolix.cfg.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2 index 5d0b6b8c..845bae33 100644 --- a/nagios-nrpe/templates/evolix.cfg.j2 +++ b/nagios-nrpe/templates/evolix.cfg.j2 @@ -9,7 +9,7 @@ allowed_hosts={{ nagios_nrpe_allowed_hosts | join(',') }} # System checks command[check_load]=/usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20 command[check_swap]=/usr/lib/nagios/plugins/check_swap -a -w 30% -c 20% -command[check_disk1]=/usr/lib/nagios/plugins/check_disk -x /lib/init/rw -x /dev -x /dev/shm -w 10% -c 3% -W 10% -K 3% -C -w 5% -c 2% -W 5% -K 2% -p /home +command[check_disk1]=/usr/lib/nagios/plugins/check_disk -x /lib/init/rw -x /dev -x /dev/shm -x /sys/kernel/debug/tracing -w 10% -c 3% -W 10% -K 3% -C -w 5% -c 2% -W 5% -K 2% -p /home command[check_zombie_procs]=sudo /usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z command[check_total_procs]=sudo /usr/lib/nagios/plugins/check_procs -w 400 -c 600 command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10 From b9b0183ec552f8fa8b0cc948361ea8043ddf0efb Mon Sep 17 00:00:00 2001 
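Review bot: With the pin now following `ansible_distribution_release`, the unchanged `libssl*` glob in the `Package:` line pins the system-wide OpenSSL library to `<release>-backports` at priority 999 on every Debian release rather than only jessie; on a host where nothing else needs the backports libssl, this moves security-relevant library updates to a suite with a different update cadence than stable-security. If the backports nginx genuinely depends on a newer libssl, say so in a comment in the template; otherwise narrow the line to `Package: nginx nginx-* libnginx-*`.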
From: Jeremy Lecour Date: Mon, 6 Aug 2018 15:01:52 +0200 Subject: [PATCH 064/101] remount-usr: mount doesn't report a change It is arguable that this is a real change or not, but in practice we have playbooks that report changes only for this and it's very fun to scroll back each time to see if it's remount-usr or a "real" change. --- CHANGELOG.md | 1 + remount-usr/tasks/main.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 83aba681..a8c1773a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -31,6 +31,7 @@ The **patch** part changes incrementally at each release. * redmine: use .my.cnf for mysql password * rbenv: change default Ruby version (2.5.1) * rbenv: switch from copy to lineinfile for default gems +* remount-usr: mount doesn't report a change * squid: add a few news sites to the whitelist * tomcat: better nrpe check output * kvm-host: install kvm-tools package instead of copying add-vm.sh diff --git a/remount-usr/tasks/main.yml b/remount-usr/tasks/main.yml index cdc7e10e..6cbcfa00 100644 --- a/remount-usr/tasks/main.yml +++ b/remount-usr/tasks/main.yml @@ -12,5 +12,6 @@ command: 'mount -o remount,rw /usr' args: warn: no + changed_when: False when: usr_partition.rc == 0 notify: remount usr From fbc9bf3288f0af7938e4571f1640fd9fe33a95d7 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 9 Aug 2018 17:11:47 +0200 Subject: [PATCH 065/101] haproxy: add a backward compatible variable for backports --- haproxy/defaults/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/haproxy/defaults/main.yml b/haproxy/defaults/main.yml index f531a10a..4a05ffb7 100644 --- a/haproxy/defaults/main.yml +++ b/haproxy/defaults/main.yml @@ -1,3 +1,4 @@ --- -haproxy_backports: False +# backward compatibility with a previously used variable +haproxy_backports: "{{ haproxy_jessie_backports | default(false, true) }}" haproxy_stats_url: "http://127.0.0.1:8080/" 
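Review bot: In `remount-usr/tasks/main.yml`, `changed_when: False` on the `mount -o remount,rw /usr` task also disables its `notify: remount usr`, because handlers only run for tasks that report a change; whatever the `remount usr` handler does — presumably remounting `/usr` read-only at the end of the play — no longer happens, and `/usr` would stay writable after every run that goes through this role. If the goal is only quieter output, drop the `notify` and add an explicit task at the end of the role that remounts `/usr` read-only under the same `usr_partition.rc == 0` guard, also with `changed_when: False`. The handler wiring should be checked before this lands.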
From 17b8b4c3d56b1df5b6d9175fb18700042819dfae Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 9 Aug 2018 17:13:04 +0200 Subject: [PATCH 066/101] nginx: add a backward compatible variable for backports --- nginx/defaults/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/nginx/defaults/main.yml b/nginx/defaults/main.yml index 836de7c7..932356b0 100644 --- a/nginx/defaults/main.yml +++ b/nginx/defaults/main.yml @@ -1,7 +1,8 @@ --- nginx_minimal: False -nginx_backports: False +# backward compatibility with a previously used variable +nginx_backports: "{{ nginx_jessie_backports | default(false, true) }}" nginx_package_name: "nginx-full" From adb00337226462a2fd8495ee5156d4d9e3f7a525 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 9 Aug 2018 17:25:50 +0200 Subject: [PATCH 067/101] memcached: add a TODO comment for multi-instances NRPE checks --- memcached/tasks/nrpe.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/memcached/tasks/nrpe.yml b/memcached/tasks/nrpe.yml index b0210741..178db3ad 100644 --- a/memcached/tasks/nrpe.yml +++ b/memcached/tasks/nrpe.yml @@ -18,6 +18,8 @@ dest: /usr/local/lib/nagios/plugins/ mode: "0755" + # TODO: install a "multi-instances" check if the memcached_instance_name variable is not null + - name: Add NRPE check lineinfile: name: /etc/nagios/nrpe.d/evolix.cfg @@ -26,4 +28,3 @@ notify: restart nagios-nrpe-server when: nrpe_evolix_config.stat.exists - From f2bd125cfc4b7d985a4d3c933352fdc79275ddf6 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 9 Aug 2018 17:46:31 +0200 Subject: [PATCH 068/101] memcached: improve systemd units management --- memcached/README.md | 3 +- memcached/defaults/main.yml | 2 +- memcached/tasks/main.yml | 63 +++++++++++++------------------------ 3 files changed, 23 insertions(+), 45 deletions(-) diff --git a/memcached/README.md b/memcached/README.md index a2039d57..a5f3e79e 100644 --- a/memcached/README.md +++ b/memcached/README.md 
@@ -25,5 +25,4 @@ When using memcached_instance_name variable, you can set up multiple memcached i roles: - { role: memcached, memcached_instance_name: "instance1" } - - { role: memcached, memcached_instance_name: "instance2" } - + - { role: memcached, memcached_instance_name: "instance2", memcached_port: 11212 } diff --git a/memcached/defaults/main.yml b/memcached/defaults/main.yml index d7b1fc1d..a99f576a 100644 --- a/memcached/defaults/main.yml +++ b/memcached/defaults/main.yml @@ -1,5 +1,5 @@ --- -memcached_instance_name: False +memcached_instance_name: "" memcached_logfile: '/var/log/memcached.log' memcached_mem: 64 memcached_user: 'nobody' diff --git a/memcached/tasks/main.yml b/memcached/tasks/main.yml index 9e550336..0bf81713 100644 --- a/memcached/tasks/main.yml +++ b/memcached/tasks/main.yml @@ -3,7 +3,7 @@ name: memcached state: present tags: - - memcached + - memcached - name: Memcached is configured. template: @@ -12,8 +12,8 @@ mode: "0644" notify: restart memcached tags: - - memcached - when: memcached_instance_name == False + - memcached + when: memcached_instance_name == "" - name: Memcached is running and enabled on boot. service: 
@@ -21,41 +21,33 @@ enabled: yes state: started tags: - - memcached - when: memcached_instance_name == False + - memcached + when: memcached_instance_name == "" - name: Add systemd template copy: src: memcached@.service dest: /etc/systemd/system/memcached@.service tags: - - memcached - when: memcached_instance_name != False + - memcached + when: memcached_instance_name != "" - name: Delete default memcached systemd configuration file - file: - path: /etc/systemd/system/multi-user.target.wants/memcached.service - state: absent + systemd: + name: memcached + enabled: false + state: stopped tags: - - memcached - when: memcached_instance_name != False - -- name: Create a symbolic link to memcached@.service - file: - src: /etc/systemd/system/memcached@.service - dest: /etc/systemd/system/multi-user.target.wants/memcached@{{ memcached_instance_name }}.service - state: link - tags: - - memcached - when: memcached_instance_name != False + - memcached + when: memcached_instance_name != "" - name: Make sure memcached.conf is absent file: path: /etc/memcached.conf state: absent tags: - - memcached - when: memcached_instance_name != False + - memcached + when: memcached_instance_name != "" - name: Create a configuration file template: 
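Review bot: The task now runs `systemd: name: memcached / enabled: false / state: stopped`, but its name still reads `Delete default memcached systemd configuration file`, which describes the removed `file: state: absent` implementation; rename it `- name: Stop and disable the default memcached unit` so play output matches what happens. The removed `Create a symbolic link to memcached@.service` task is covered by the later `systemd: enabled: yes` task, so that deletion is fine as long as both stay under the same `when: memcached_instance_name != ""` guard.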
@@ -63,33 +55,20 @@ dest: /etc/memcached_{{ memcached_instance_name }}.conf mode: "0644" tags: - - memcached - when: memcached_instance_name != False - -- name: Reload systemd configuration - sudo: yes - command: "systemctl daemon-reload" - tags: - - memcached - when: memcached_instance_name != False - -# Ansible 2.4 and above -#- name: Reload systemd configuration -# systemd: -# daemon_reload: yes -# tags: -# - memcached -# when: memcached_instance_name != False + - memcached + when: memcached_instance_name != "" - name: Enable and start the memcached instance systemd: name: memcached@{{ memcached_instance_name }} enabled: yes state: started + daemon_reload: yes masked: no tags: - - memcached - when: memcached_instance_name != False + - memcached + when: memcached_instance_name != "" - include: munin.yml + - include: nrpe.yml From 2752650ea31085c8b1459854dc5871fa3c1d39c6 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 9 Aug 2018 18:04:02 +0200 Subject: [PATCH 069/101] The openvpn role is not ready for stable yet --- openvpn/README.md | 13 ----- openvpn/defaults/main.yml | 3 -- openvpn/files/shellpki | 1 - openvpn/files/sudo_shellpki | 1 - openvpn/handlers/main.yml | 11 ----- openvpn/meta/main.yml | 19 -------- openvpn/tasks/main.yml | 81 -------------------------------- openvpn/templates/dh2048.pem.j2 | 8 ---- openvpn/templates/server.conf.j2 | 29 ------------ 9 files changed, 166 deletions(-) delete mode 100644 openvpn/README.md delete mode 100644 openvpn/defaults/main.yml delete mode 120000 openvpn/files/shellpki delete mode 100644 openvpn/files/sudo_shellpki delete mode 100644 openvpn/handlers/main.yml delete mode 100644 openvpn/meta/main.yml delete mode 100644 openvpn/tasks/main.yml delete mode 100644 openvpn/templates/dh2048.pem.j2 delete mode 100644 openvpn/templates/server.conf.j2 diff --git a/openvpn/README.md b/openvpn/README.md deleted file mode 100644 index 18b459ff..00000000 --- a/openvpn/README.md +++ /dev/null 
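Review bot: A changed per-instance configuration file (the `template` task whose tail opens this hunk has no `notify`) or a changed unit template (the `copy` of `memcached@.service` earlier in the file, also without `notify`) never restarts a running `memcached@<instance>`: `state: started` with `daemon_reload: yes` reloads unit definitions but leaves the process running with its old settings, while the single-instance path uses `notify: restart memcached`. Add `notify: restart memcached instance` to both tasks and a handler that runs `systemd` with `name: "memcached@{{ memcached_instance_name }}"` and `state: restarted`. The `Enable and start` task starts outside this hunk's view; the point applies to the whole instance path.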
@@ -1,13 +0,0 @@ -# OpenVPN - -Installation and custom configuration of OpenVPN server. - -## Tasks - -Everything is in the `tasks/main.yml` file. - -## Available variables - -The full list of variables (with default values) can be found in `defaults/main.yml`. - -NOTE: Make sure you have already cloned shellpki in ~/GIT/ diff --git a/openvpn/defaults/main.yml b/openvpn/defaults/main.yml deleted file mode 100644 index dbf2f802..00000000 --- a/openvpn/defaults/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -openvpn_lan: "192.168.42.0" -openvpn_netmask: "255.255.255.0" diff --git a/openvpn/files/shellpki b/openvpn/files/shellpki deleted file mode 120000 index 3036d457..00000000 --- a/openvpn/files/shellpki +++ /dev/null @@ -1 +0,0 @@ -/home/tpilat/GIT/shellpki/ \ No newline at end of file diff --git a/openvpn/files/sudo_shellpki b/openvpn/files/sudo_shellpki deleted file mode 100644 index 08ca1ab0..00000000 --- a/openvpn/files/sudo_shellpki +++ /dev/null @@ -1 +0,0 @@ -%shellpki ALL = (root) /usr/local/sbin/shellpki diff --git a/openvpn/handlers/main.yml b/openvpn/handlers/main.yml deleted file mode 100644 index c87985aa..00000000 --- a/openvpn/handlers/main.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- -- name: restart openvpn - service: - name: openvpn - state: restarted - -- name: restart minifirewall - command: /etc/init.d/minifirewall restart - register: minifirewall_init_restart - failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout" - changed_when: "'starting IPTables rules is now finish : OK' in minifirewall_init_restart.stdout" diff --git a/openvpn/meta/main.yml b/openvpn/meta/main.yml deleted file mode 100644 index 7c4a6bd3..00000000 --- a/openvpn/meta/main.yml +++ /dev/null 
@@ -1,19 +0,0 @@ -galaxy_info: - author: Evolix - description: Installation and custom configuration of OpenVPN server. - - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues - - license: GPLv2 - - min_ansible_version: 2.2 - - platforms: - - name: Debian - versions: - - stretch - -dependencies: [] - # List your role dependencies here, one per line. - # Be sure to remove the '[]' above if you add dependencies - # to this list. diff --git a/openvpn/tasks/main.yml b/openvpn/tasks/main.yml deleted file mode 100644 index d58dc4bf..00000000 --- a/openvpn/tasks/main.yml +++ /dev/null 
@@ -1,81 +0,0 @@ ---- -- name: Install OpenVPN package - apt: - name: "openvpn" - tags: - - openvpn - -- name: Deploy OpenVPN configuration - template: - src: "server.conf.j2" - dest: "/etc/openvpn/server.conf" - mode: "0600" - notify: restart openvpn - tags: - - openvpn - -- name: Allow OpenVPN input - lineinfile: - dest: /etc/default/minifirewall - line: "/sbin/iptables -A INPUT -p udp --dport 1194 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT #OPENVPN" - regexp: '#OPENVPN$' - state: present - failed_when: False - tags: - - openvpn - - openvpn-minifirewall - -- name: Create /etc/shellpki directory - file: - path: /etc/shellpki - state: directory - owner: "root" - group: "root" - mode: "0755" - tags: - - openvpn - -- name: Create shellpki user - user: - name: "shellpki" - system: yes - state: present - home: "/etc/shellpki/" - shell: "/usr/sbin/nologin" - tags: - - openvpn - -- include_role: - name: remount-usr - tags: - - openvpn - -- name: Copy some shellpki files - copy: - src: "{{ item.src }}" - dest: "{{ item.dest }}" - owner: root - group: root - mode: "{{ item.mode }}" - force: yes - with_items: - - { src: 'files/shellpki/openssl.cnf', dest: '/etc/shellpki/openssl.cnf', mode: '0640' } - - { src: 'files/shellpki/shellpki.sh', dest: '/usr/local/sbin/shellpki', mode: '0755' } - tags: - - openvpn - -- name: Deploy DH PARAMETERS - template: - src: "dh2048.pem.j2" - dest: "/etc/shellpki/dh2048.pem" - mode: "0600" - -- name: Verify shellpki sudoers file presence - copy: - src: "sudo_shellpki" - dest: "/etc/sudoers.d/shellpki" - force: true - mode: "0440" - validate: '/usr/sbin/visudo -cf %s' - tags: - - openvpn diff --git a/openvpn/templates/dh2048.pem.j2 b/openvpn/templates/dh2048.pem.j2 deleted file mode 100644 index 9db20bb3..00000000 --- a/openvpn/templates/dh2048.pem.j2 +++ /dev/null 
@@ -1,8 +0,0 @@ ------BEGIN DH PARAMETERS----- -MIIBCAKCAQEAuimweC/f5W/AIIFhLX256Bi5IU+AkN9sKZ9sxGx0xc3J8NwIBnEP -R/2RgclJqJ8OodY70zeDHNLDyc01crGvihuupiWVlvQxS4osdhfdM+GoV9pcmCVr -TRTybsUPkkm4rQ/SC7I2MxiYnXwDrrYnpMvBDaRZjoHlgTKjOGoYSd+DIDZSFKkv -ASkXQkIC9FpvjnxfW5gtzzm6NheqgYUI2Y2QiqM6BmGVZiPcqyUpbWvRCcZLoPa2 -Z+FV9LxE4J7CX0ilTJXXhs3RaMlG8qZha3l0hEL4SAZp5xn74Ej/9hA5cWqnKEOQ -aLfwADI4rPe9uTu9Qnw87DgM2tQeETBlmwIBAg== ------END DH PARAMETERS----- diff --git a/openvpn/templates/server.conf.j2 b/openvpn/templates/server.conf.j2 deleted file mode 100644 index 466bb861..00000000 --- a/openvpn/templates/server.conf.j2 +++ /dev/null @@ -1,29 +0,0 @@ -user nobody -group nogroup - -local {{ ansible_default_ipv4.address }} -port 1194 -proto udp -dev tun -mode server -keepalive 10 120 - -cipher AES-128-CBC # AES -#comp-lzo -# compress (à partir d'OpenVPN 2.4) - -persist-key -persist-tun - -status /var/log/openvpn/openvpn-status.log -log-append /var/log/openvpn/openvpn.log - -ca /etc/shellpki/cacert.pem -cert /etc/shellpki/certs/{{ ansible_fqdn }}.crt -key /etc/shellpki/private/{{ ansible_fqdn }}.key -dh /etc/shellpki/dh2048.pem - -server {{ openvpn_lan }} {{ openvpn_netmask }} - -# Management interface (used by check_openvpn for Nagios) -management 127.0.0.1 1195 /etc/openvpn/management-pwd From 3f74cbaf47086d111a156cac9d5beb91737b3912 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 9 Aug 2018 18:21:07 +0200 Subject: [PATCH 070/101] uvrrpd role is not ready for stable yet --- uvrrpd/README.md | 3 -- uvrrpd/meta/main.yml | 12 ------ uvrrpd/tasks/main.yml | 91 ------------------------------------------- 3 files changed, 106 deletions(-) delete mode 100644 uvrrpd/README.md delete mode 100644 uvrrpd/meta/main.yml delete mode 100644 uvrrpd/tasks/main.yml diff --git a/uvrrpd/README.md b/uvrrpd/README.md deleted file mode 100644 index c288d18d..00000000 --- a/uvrrpd/README.md +++ /dev/null @@ -1,3 +0,0 @@ -# uvrrpd - -Install Evolix's uvrrpd from sources. 
diff --git a/uvrrpd/meta/main.yml b/uvrrpd/meta/main.yml deleted file mode 100644 index 25d7be5a..00000000 --- a/uvrrpd/meta/main.yml +++ /dev/null @@ -1,12 +0,0 @@ -galaxy_info: - author: Evolix - description: Install uvrrpd from sources. - - issue_tracker_url: https://forge.evolix.org/projects/uvrrpd/issues - - min_ansible_version: 2.2 - - platforms: - - name: Debian - versions: - - stretch diff --git a/uvrrpd/tasks/main.yml b/uvrrpd/tasks/main.yml deleted file mode 100644 index 8f268587..00000000 --- a/uvrrpd/tasks/main.yml +++ /dev/null 
@@ -1,91 +0,0 @@ ---- -- name: "Is uvrrpd already installed ?" - stat: - path: /usr/local/sbin/uvrrpd - check_mode: no - register: uvrrpd_test - -- name: Make sure unzip is present - command: 'dpkg -l unzip' - check_mode: no - ignore_errors: yes - register: unzip_is_installed - when: not uvrrpd_test.stat.exists - tags: - - uvrrpd - -- name: Make sure dh-autoreconf is present - command: 'dpkg -l dh-autoreconf' - check_mode: no - ignore_errors: yes - register: autoreconf_is_installed - when: not uvrrpd_test.stat.exists - tags: - - uvrrpd - -- name: Make sure unzip and dh-autoreconf are installed - apt: - name: "{{item}}" - with_items: - - unzip - - dh-autoreconf - when: not uvrrpd_test.stat.exists - tags: - - uvrrpd - -- name: Get uvrrpd sources - unarchive: - src: 'https://github.com/Evolix/uvrrpd/archive/master.zip' - dest: /root/ - remote_src: True - mode: "0755" - when: not uvrrpd_test.stat.exists - tags: - - uvrrpd - -- name: Pre-build configure - shell: 'cd /root/uvrrpd-master/;autoreconf -i;./configure' - when: not uvrrpd_test.stat.exists - tags: - - uvrrpd - -- name: Make - make: - chdir: /root/uvrrpd-master/ - when: not uvrrpd_test.stat.exists - tags: - - uvrrpd - -- include_role: - name: remount-usr - when: not uvrrpd_test.stat.exists - tags: - - uvrrpd - -- name: Make install - make: - chdir: /root/uvrrpd-master/ - target: install - when: not uvrrpd_test.stat.exists - tags: - - uvrrpd - -- name: Remove unzip if initially not present - apt: - name: unzip - state: absent - when: - - not uvrrpd_test.stat.exists - - unzip_is_installed.rc == 0 - tags: - - uvrrpd - -- name: Remove dh-autoreconf if initially not present - apt: - name: dh-autoreconf - state: absent - when: - - not uvrrpd_test.stat.exists - - autoreconf_is_installed.rc == 0 - tags: - - uvrrpd From ccd8c00e3a15841db1e6a48001009a4216ff75f5 Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour Date: Thu, 9 Aug 2018 18:24:48 +0200 Subject: [PATCH 071/101] CHANGELOG : add missing entries --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a8c1773a..bd0824cb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,15 +14,18 @@ The **patch** part changes incrementally at each release. * elasticsearch: tmpdir configuration compatible with 5.x also * elasticsearch: add http.publish_host variable * evoacme: disable old certbot cron also in cron.daily +* evoacme: support for SAN in self-signed certificates * evolinux-base: add mail related aliases * java: support for Oracle JRE * kibana: log messages go to /var/log/kibana/kibana.log * metricbeat: add a role (copied from filebeat) +* memcached: add support for multiple instances * munin: properly rename Munin cache directory * mysql: add an option to install the client development libraries (default: `False`) * nagios-nrpe: add check_postgrey ### Changed +* evolinux-base: wider body for default page * evolinux-users: add sudo permission for bkctld check * java8: renamed to java (java8 symlinked to java for backward compatibility) * minifirewall: the tail file can be overwritten, or not (default: `True`) From d3218142544656050c22b157bfb7b17a26295239 Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Mon, 13 Aug 2018 17:49:10 +0200 Subject: [PATCH 072/101] Add cluster members configuration --- elasticsearch/README.md | 2 ++ elasticsearch/defaults/main.yml | 2 ++ elasticsearch/tasks/configuration.yml | 22 ++++++++++++++++++++++ 3 files changed, 26 insertions(+) diff --git a/elasticsearch/README.md b/elasticsearch/README.md index 8db3e31a..5088868a 100644 --- a/elasticsearch/README.md +++ b/elasticsearch/README.md 
@@ -15,6 +15,8 @@ Tasks are extracted in several files, included in `tasks/main.yml` : ## Available variables * `elasticsearch_cluster_name`: cluster name ; +* `elasticsearch_cluster_members:` members of a cluster (ex: ["10.0.0.1", "10.0.0.2", "10.0.0.3"]) (default: `Null`) ; +* `elasticsearch_minimum_master_nodes:` minimum of master nodes (the best practice is to have "number of elasticsearch_cluster_members / 2 + 1" as value) (default: `Null`) ; * `elasticsearch_node_name`: node name, defaults to hostname ; * `elasticsearch_network_host`: which interfaces to bind to ; * `elasticsearch_network_publish_host`: which interface to publish for node-to-node communication (default: `Null`) ; diff --git a/elasticsearch/defaults/main.yml b/elasticsearch/defaults/main.yml index 3d549462..52fc8856 100644 --- a/elasticsearch/defaults/main.yml +++ b/elasticsearch/defaults/main.yml @@ -2,6 +2,8 @@ elastic_stack_version: "6.x" elasticsearch_cluster_name: Null +elasticsearch_cluster_members: Null +elasticsearch_minimum_master_nodes: Null elasticsearch_node_name: "${HOSTNAME}" elasticsearch_network_host: "[_site_, _local_]" elasticsearch_network_publish_host: Null diff --git a/elasticsearch/tasks/configuration.yml b/elasticsearch/tasks/configuration.yml index 9ea00955..75e1c742 100644 --- a/elasticsearch/tasks/configuration.yml +++ b/elasticsearch/tasks/configuration.yml 
@@ -73,3 +73,25 @@ line: "-Xmx{{ elasticsearch_jvm_xmx }}" tags: - config + +- name: Configure cluster members + lineinfile: + dest: /etc/elasticsearch/elasticsearch.yml + line: "discovery.zen.ping.unicast.hosts:{{ elasticsearch_cluster_members }}" + regexp: "^discovery.zen.ping.unicast.hosts:" + insertafter: "^#discovery.zen.ping.unicast.hosts" + when: elasticsearch_cluster_members|default("", True) + tags: + - config + +- name: Configure minimum master nodes + lineinfile: + dest: /etc/elasticsearch/elasticsearch.yml + line: "discovery.zen.minimum_master_nodes:{{ elasticsearch_minimum_master_nodes }}" + regexp: "^discovery.zen.ping.unicast.hosts:" + insertafter: "^#discovery.zen.minimum_master_nodes" + when: elasticsearch_minimum_master_nodes|default("", True) + tags: + - config + + From 1d021e09543b63a83568c344be76b41bcb4a4b3c Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Tue, 14 Aug 2018 10:21:12 +0200 Subject: [PATCH 073/101] Fix mistaken task --- elasticsearch/README.md | 2 +- elasticsearch/tasks/configuration.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/elasticsearch/README.md b/elasticsearch/README.md index 5088868a..e8184019 100644 --- a/elasticsearch/README.md +++ b/elasticsearch/README.md @@ -15,7 +15,7 @@ Tasks are extracted in several files, included in `tasks/main.yml` : ## Available variables * `elasticsearch_cluster_name`: cluster name ; -* `elasticsearch_cluster_members:` members of a cluster (ex: ["10.0.0.1", "10.0.0.2", "10.0.0.3"]) (default: `Null`) ; +* `elasticsearch_cluster_members:` members of a cluster (ex: '["10.0.0.1", "10.0.0.2", "10.0.0.3"]') (default: `Null`) ; * `elasticsearch_minimum_master_nodes:` minimum of master nodes (the best practice is to have "number of elasticsearch_cluster_members / 2 + 1" as value) (default: `Null`) ; * `elasticsearch_node_name`: node name, defaults to hostname ; * `elasticsearch_network_host`: which interfaces to bind to ; 
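Review bot: The `Configure minimum master nodes` task is silently skipped when `elasticsearch_minimum_master_nodes` is left at `Null` even though `elasticsearch_cluster_members` is set, so a multi-node cluster can be configured with no quorum and is exposed to split-brain — the situation the README entry in this commit describes as requiring "members / 2 + 1". A guard task that fails the play in that combination makes the requirement explicit. The same task also uses `regexp: "^discovery.zen.ping.unicast.hosts:"`, so when both variables are set it overwrites the line the first task just wrote; it should match `^discovery.zen.minimum_master_nodes:`. The two blank lines added at end of file can go.
```yaml
- name: Refuse a cluster configuration without a quorum
  assert:
    that: "elasticsearch_minimum_master_nodes | default('', True)"
    msg: "set elasticsearch_minimum_master_nodes (cluster_members / 2 + 1) when elasticsearch_cluster_members is set"
  when: elasticsearch_cluster_members | default("", True)
  tags:
    - config
# … unchanged: Configure cluster members / Configure minimum master nodes tasks …
```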
diff --git a/elasticsearch/tasks/configuration.yml b/elasticsearch/tasks/configuration.yml index 75e1c742..0026af94 100644 --- a/elasticsearch/tasks/configuration.yml +++ b/elasticsearch/tasks/configuration.yml @@ -88,7 +88,7 @@ lineinfile: dest: /etc/elasticsearch/elasticsearch.yml line: "discovery.zen.minimum_master_nodes:{{ elasticsearch_minimum_master_nodes }}" - regexp: "^discovery.zen.ping.unicast.hosts:" + regexp: "^discovery.zen.minimum_master_nodes:" insertafter: "^#discovery.zen.minimum_master_nodes" when: elasticsearch_minimum_master_nodes|default("", True) tags: From d07af3ca555fb41cd7047a4fd578c56843a5660b Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Tue, 14 Aug 2018 11:09:48 +0200 Subject: [PATCH 074/101] Fix forgotten spaces in configuration directives --- elasticsearch/tasks/configuration.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/elasticsearch/tasks/configuration.yml b/elasticsearch/tasks/configuration.yml index 0026af94..50e8c98c 100644 --- a/elasticsearch/tasks/configuration.yml +++ b/elasticsearch/tasks/configuration.yml @@ -77,7 +77,7 @@ - name: Configure cluster members lineinfile: dest: /etc/elasticsearch/elasticsearch.yml - line: "discovery.zen.ping.unicast.hosts:{{ elasticsearch_cluster_members }}" + line: "discovery.zen.ping.unicast.hosts: {{ elasticsearch_cluster_members }}" regexp: "^discovery.zen.ping.unicast.hosts:" insertafter: "^#discovery.zen.ping.unicast.hosts" when: elasticsearch_cluster_members|default("", True) @@ -87,7 +87,7 @@ - name: Configure minimum master nodes lineinfile: dest: /etc/elasticsearch/elasticsearch.yml - line: "discovery.zen.minimum_master_nodes:{{ elasticsearch_minimum_master_nodes }}" + line: "discovery.zen.minimum_master_nodes: {{ elasticsearch_minimum_master_nodes }}" regexp: "^discovery.zen.minimum_master_nodes:" insertafter: "^#discovery.zen.minimum_master_nodes" when: elasticsearch_minimum_master_nodes|default("", True) 
From bc8858fc0ab9b7ff7d9ce871c7cf2c2245d775ad Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 16 Aug 2018 16:17:26 +0200 Subject: [PATCH 075/101] evolinux-base: improve hostname configuration We can have a "real" hostname and domain, but also an "internal" hostnae and domain, used mostly for internal tools. --- CHANGELOG.md | 4 +--- evolinux-base/defaults/main.yml | 7 +++++-- evolinux-base/tasks/postfix.yml | 2 +- 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bd0824cb..ca073d83 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,18 +14,16 @@ The **patch** part changes incrementally at each release. * elasticsearch: tmpdir configuration compatible with 5.x also * elasticsearch: add http.publish_host variable * evoacme: disable old certbot cron also in cron.daily -* evoacme: support for SAN in self-signed certificates * evolinux-base: add mail related aliases * java: support for Oracle JRE * kibana: log messages go to /var/log/kibana/kibana.log * metricbeat: add a role (copied from filebeat) -* memcached: add support for multiple instances * munin: properly rename Munin cache directory * mysql: add an option to install the client development libraries (default: `False`) * nagios-nrpe: add check_postgrey ### Changed -* evolinux-base: wider body for default page +* evolinux-base: improve hostname configuration (real vs. internal) * evolinux-users: add sudo permission for bkctld check * java8: renamed to java (java8 symlinked to java for backward compatibility) * minifirewall: the tail file can be overwritten, or not (default: `True`) diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index bb9725b2..88ea931d 100644 --- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml 
@@ -37,9 +37,12 @@ evolinux_hostname_hosts: True evolinux_hostname_mailname: True evolinux_hostname: "{{ ansible_hostname }}" -evolinux_domain: "{{ ansible_domain }}" -evolinux_fqdn: "{{ ansible_fqdn }}" +evolinux_domain: "{{ ansible_domain }}" +evolinux_fqdn: "{{ evolinux_hostname }}.{{ evolinux_domain }}" + evolinux_internal_hostname: "{{ evolinux_hostname }}" +evolinux_internal_domain: "{{ evolinux_domain }}" +evolinux_internal_fqdn: "{{ evolinux_internal_hostname }}.{{ evolinux_internal_domain }}" # kernel diff --git a/evolinux-base/tasks/postfix.yml b/evolinux-base/tasks/postfix.yml index fa30fb03..d0c66a65 100644 --- a/evolinux-base/tasks/postfix.yml +++ b/evolinux-base/tasks/postfix.yml @@ -26,7 +26,7 @@ lineinfile: dest: /etc/postfix/main.cf state: present - line: "mydestination = {{ evolinux_fqdn }} localhost.localdomain localhost" + line: "mydestination = {{ [evolinux_fqdn, evolinux_internal_fqdn] | unique | join(' ') }} localhost.localdomain localhost" regexp: '^mydestination' notify: reload postfix tags: From 46fed05fa27ed627d619dbed82006809b4303ead Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 17 Aug 2018 10:04:07 +0200 Subject: [PATCH 076/101] evocheck: update upstream script --- CHANGELOG.md | 1 + evocheck/files/evocheck.sh | 236 +++++++++++++++++++++++-------------- 2 files changed, 150 insertions(+), 87 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ca073d83..94442132 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -23,6 +23,7 @@ The **patch** part changes incrementally at each release. * nagios-nrpe: add check_postgrey ### Changed +* evocheck: update upstream script * evolinux-base: improve hostname configuration (real vs. internal) * evolinux-users: add sudo permission for bkctld check * java8: renamed to java (java8 symlinked to java for backward compatibility) diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index ced2d71b..b6eb82ee 100644 --- a/evocheck/files/evocheck.sh 
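Review bot: `evolinux_fqdn: "{{ evolinux_hostname }}.{{ evolinux_domain }}"` (and the new `evolinux_internal_fqdn`) produces a trailing-dot name such as `myhost.` whenever `ansible_domain` is empty, which is the case on hosts without a DNS domain, whereas the removed `ansible_fqdn` default did not synthesize a dot. That value then feeds Postfix `mydestination` in the postfix.yml hunk of this commit and, in the hostname.yml hunk of PATCH 077 below, `/etc/hosts`, so mail for the bare hostname would stop being treated as local. A join that drops empty parts avoids it: `evolinux_fqdn: "{{ [evolinux_hostname, evolinux_domain] | select | join('.') }}"`, and the same shape for `evolinux_internal_fqdn`. Separately, the CHANGELOG hunk of this same commit also removes the `evoacme` SAN and `memcached` multi-instance "Added" entries, which looks like a rebase artefact rather than an intended change.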
+++ b/evocheck/files/evocheck.sh @@ -5,7 +5,7 @@ # powered by Evolix # Repository: https://gitlab.evolix.org/evolix/evocheck -# Commit: c99324488553a745a201022d44f8f78f224631eb +# Commit: d5a02b343f2e8e9a0b6fcd10b6b5a5d1e8c9af03 # Disable LANG* export LANG=C @@ -100,6 +100,11 @@ IS_REDIS_BACKUP=1 IS_ELASTIC_BACKUP=1 IS_MONGO_BACKUP=1 IS_MOUNT_FSTAB=1 +IS_NETWORK_INTERFACES=1 +IS_EVOBACKUP=1 +IS_DUPLICATE_FS_LABEL=1 +IS_EVOMAINTENANCE_FW=1 +IS_EVOLIX_USER=1 #Proper to OpenBSD IS_SOFTDEP=1 @@ -124,6 +129,7 @@ test -f /etc/evocheck.cf && . /etc/evocheck.cf # If --cron is passed, ignore some checks. if [ "$1" = "--cron" ]; then IS_KERNELUPTODATE=0 + IS_UPTIME=0 fi # Functions @@ -145,6 +151,11 @@ is_debianversion(){ [ $(lsb_release -c -s) = $1 ] && return 0 } +is_debianversion squeeze && MINIFW_FILE=/etc/firewall.rc +is_debianversion wheezy && MINIFW_FILE=/etc/firewall.rc +is_debianversion jessie && MINIFW_FILE=/etc/default/minifirewall +is_debianversion stretch && MINIFW_FILE=/etc/default/minifirewall + #----------------------------------------------------------- #Vérifie si c'est une debian et fait les tests appropriés. #----------------------------------------------------------- @@ -153,7 +164,7 @@ if [ -e /etc/debian_version ]; then if [ "$IS_DPKGWARNING" = 1 ]; then is_debianversion squeeze && ( [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ] ) && ( \ - egrep -i "(Pre-Invoke ..echo Are you sure to have rw on|Post-Invoke ..echo Dont forget to mount -o remount)" \ + grep -E -i "(Pre-Invoke ..echo Are you sure to have rw on|Post-Invoke ..echo Dont forget to mount -o remount)" \ /etc/apt/apt.conf | wc -l | grep -q ^2$ || echo 'IS_DPKGWARNING FAILED!' ) is_debianversion wheezy && ( ( [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ] ) && \ ( test -e /etc/apt/apt.conf.d/80evolinux || echo 'IS_DPKGWARNING FAILED!' ) 
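Review bot: The four new `is_debianversion … && MINIFW_FILE=…` lines only assign `MINIFW_FILE` for squeeze through stretch, so on any newer release (or when `lsb_release` is unavailable) the variable stays empty and every later consumer — `ls -l "$MINIFW_FILE"` in IS_MINIFWPERMS and the unquoted `$MINIFW_FILE` in the IS_SQUID greps — runs against an empty path and reports a spurious failure with stderr noise. Give it a fallback before the per-release overrides, e.g. `MINIFW_FILE=/etc/default/minifirewall` on the line above the squeeze case, or have each consumer guard with `[ -f "$MINIFW_FILE" ]` the way the new IS_EVOMAINTENANCE_FW block already does. A short comment, `# Location of the minifirewall config, by Debian release`, would also help since the variable is defined far from its uses.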
@@ -180,29 +191,29 @@ if [ -e /etc/debian_version ]; then fi if [ "$IS_CUSTOMSUDOERS" = 1 ]; then - egrep -qr "umask=0077" /etc/sudoers* || echo 'IS_CUSTOMSUDOERS FAILED!' + grep -E -qr "umask=0077" /etc/sudoers* || echo 'IS_CUSTOMSUDOERS FAILED!' fi if [ "$IS_VARTMPFS" = 1 ]; then df /var/tmp | grep -q tmpfs || echo 'IS_VARTMPFS FAILED!' fi - + if [ "$IS_SERVEURBASE" = 1 ]; then is_installed serveur-base || echo 'IS_SERVEURBASE FAILED!' fi - + if [ "$IS_LOGROTATECONF" = 1 ]; then test -e /etc/logrotate.d/zsyslog || echo 'IS_LOGROTATECONF FAILED!' fi - + if [ "$IS_SYSLOGCONF" = 1 ]; then grep -q "^# Syslog for Pack Evolix serveur" /etc/*syslog.conf || echo 'IS_SYSLOGCONF FAILED!' fi - + if [ "$IS_DEBIANSECURITY" = 1 ]; then grep -q "^deb.*security" /etc/apt/sources.list || echo 'IS_DEBIANSECURITY FAILED!' fi - + if [ "$IS_APTITUDEONLY" = 1 ]; then is_debianversion squeeze && test -e /usr/bin/apt-get && echo 'IS_APTITUDEONLY FAILED!' is_debianversion wheezy && test -e /usr/bin/apt-get && echo 'IS_APTITUDEONLY FAILED!' @@ -225,15 +236,15 @@ if [ -e /etc/debian_version ]; then test "$status" = "fail" || test -e /usr/bin/apt-get.bak || status="fail" ( is_debianversion squeeze || is_debianversion wheezy ) && test "$status" = "fail" && echo 'IS_APTICRON FAILED!' fi - + if [ "$IS_USRRO" = 1 ]; then grep /usr /etc/fstab | grep -q ro || echo 'IS_USRRO FAILED!' fi - + if [ "$IS_TMPNOEXEC" = 1 ]; then mount | grep "on /tmp" | grep -q noexec || echo 'IS_TMPNOEXEC FAILED!' fi - + if [ "$IS_MOUNT_FSTAB" = 1 ]; then # Test if lsblk available, if not skip this test... if test -x "$(command -v lsblk)"; then 
@@ -247,30 +258,30 @@ if [ -e /etc/debian_version ]; then if is_debianversion stretch; then is_installed apt-listchanges && echo 'IS_LISTCHANGESCONF FAILED!' else - test -e /etc/apt/listchanges.conf && egrep "(which=both|confirm=1)" /etc/apt/listchanges.conf | wc -l | grep -q ^2$ || echo 'IS_LISTCHANGESCONF FAILED!' + test -e /etc/apt/listchanges.conf && grep -E "(which=both|confirm=1)" /etc/apt/listchanges.conf | wc -l | grep -q ^2$ || echo 'IS_LISTCHANGESCONF FAILED!' fi fi - + if [ "$IS_CUSTOMCRONTAB" = 1 ]; then - egrep "^(17 \*|25 6|47 6|52 6)" /etc/crontab | wc -l | grep -q ^4$ && echo 'IS_CUSTOMCRONTAB FAILED!' + grep -E "^(17 \*|25 6|47 6|52 6)" /etc/crontab | wc -l | grep -q ^4$ && echo 'IS_CUSTOMCRONTAB FAILED!' fi - + if [ "$IS_SSHALLOWUSERS" = 1 ]; then - egrep -qi "AllowUsers" /etc/ssh/sshd_config || echo 'IS_SSHALLOWUSERS FAILED!' + grep -E -qi "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config || echo 'IS_SSHALLOWUSERS FAILED!' fi - + if [ "$IS_DISKPERF" = 1 ]; then test -e /root/disk-perf.txt || echo 'IS_DISKPERF FAILED!' fi - + if [ "$IS_TMOUTPROFILE" = 1 ]; then grep -q TMOUT= /etc/profile /etc/profile.d/evolinux.sh || echo 'IS_TMOUTPROFILE FAILED!' fi - + if [ "$IS_ALERT5BOOT" = 1 ]; then grep -q ^date /etc/rc2.d/S*alert5 || echo 'IS_ALERT5BOOT FAILED!' fi - + if [ "$IS_ALERT5MINIFW" = 1 ]; then grep -q ^/etc/init.d/minifirewall /etc/rc2.d/S*alert5 || echo 'IS_ALERT5MINIFW FAILED!' fi 
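Review bot: `grep -E -qi "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config` is unanchored and case-insensitive, so a commented-out `#AllowUsers foo` or the word appearing in a comment satisfies IS_SSHALLOWUSERS while no restriction is in effect. Anchor it to an active directive: `grep -E -qi "^[[:space:]]*(AllowUsers|AllowGroups)[[:space:]]" /etc/ssh/sshd_config`. This still accepts a directive that only lives inside a `Match` block; if a global restriction is the intent, `sshd -T 2>/dev/null | grep -Eqi "^allow(users|groups) "` reports the effective configuration (the script appears to be run as root from cron, but that is not visible in this hunk).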
@@ -278,42 +289,39 @@ if [ -e /etc/debian_version ]; then if [ "$IS_ALERT5MINIFW" = 1 ] && [ "$IS_MINIFW" = 1 ]; then /sbin/iptables -L -n | grep -q -E "^ACCEPT\s*all\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" || echo 'IS_MINIFW FAILED!' fi - + if [ "$IS_NRPEPERMS" = 1 ]; then test -d /etc/nagios && ls -ld /etc/nagios | grep -q drwxr-x--- || echo 'IS_NRPEPERMS FAILED!' fi - + if [ "$IS_MINIFWPERMS" = 1 ]; then - is_debianversion squeeze && ( ls -l /etc/firewall.rc | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!' ) - is_debianversion wheezy && ( ls -l /etc/firewall.rc | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!' ) - is_debianversion jessie && ( ls -l /etc/default/minifirewall | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!' ) - is_debianversion stretch && ( ls -l /etc/default/minifirewall | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!' ) + ls -l "$MINIFW_FILE" | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!' fi - + if [ "$IS_NRPEDISKS" = 1 ]; then NRPEDISKS=$(grep command.check_disk /etc/nagios/nrpe.cfg | grep ^command.check_disk[0-9] | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1) - DFDISKS=$(df -Pl | egrep -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)" | wc -l) + DFDISKS=$(df -Pl | grep -E -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)" | wc -l) [ "$NRPEDISKS" = "$DFDISKS" ] || echo 'IS_NRPEDISKS FAILED!' fi if [ "$IS_NRPEPID" = 1 ]; then is_debianversion squeeze || (test -e /etc/nagios/nrpe.cfg && grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg || echo 'IS_NRPEPID FAILED!') fi - + if [ "$IS_GRSECPROCS" = 1 ]; then uname -a | grep -q grsec && ( grep -q ^command.check_total_procs..sudo /etc/nagios/nrpe.cfg && grep -A1 "^\[processes\]" /etc/munin/plugin-conf.d/munin-node | grep -q "^user root" || echo 'IS_GRSECPROCS FAILED!' 
) fi - + if [ "$IS_APACHEMUNIN" = 1 ]; then - test -e /etc/apache2/apache2.conf && ( is_debianversion stretch || ( egrep -q "^env.url.*/server-status-[[:alnum:]]{4}" /etc/munin/plugin-conf.d/munin-node && egrep -q "/server-status-[[:alnum:]]{4}" /etc/apache2/apache2.conf || egrep -q "/server-status-[[:alnum:]]{4}" /etc/apache2/apache2.conf /etc/apache2/mods-enabled/status.conf 2>/dev/null || echo 'IS_APACHEMUNIN FAILED!' ) ) + test -e /etc/apache2/apache2.conf && ( is_debianversion stretch || ( grep -E -q "^env.url.*/server-status-[[:alnum:]]{4}" /etc/munin/plugin-conf.d/munin-node && grep -E -q "/server-status-[[:alnum:]]{4}" /etc/apache2/apache2.conf || grep -E -q "/server-status-[[:alnum:]]{4}" /etc/apache2/apache2.conf /etc/apache2/mods-enabled/status.conf 2>/dev/null || echo 'IS_APACHEMUNIN FAILED!' ) ) test -e /etc/apache2/apache2.conf && ( is_debianversion stretch && ( test -h /etc/apache2/mods-enabled/status.load && test -h /etc/munin/plugins/apache_accesses && test -h /etc/munin/plugins/apache_processes && test -h /etc/munin/plugins/apache_accesses || echo 'IS_APACHEMUNIN FAILED!' ) ) fi - + # Verification mytop + Munin si MySQL if [ "$IS_MYSQLUTILS" = 1 ]; then is_installed mysql-server && ( grep -q mysqladmin /root/.my.cnf && test -x /usr/bin/mytop && grep -q debian-sys-maint /root/.mytop || echo 'IS_MYSQLUTILS FAILED!' ) fi - + # Verification de la configuration du raid soft (mdadm) if [ "$IS_RAIDSOFT" = 1 ]; then test -e /proc/mdstat && grep -q md /proc/mdstat && \ 
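Review bot: The collapsed IS_MINIFWPERMS check, `ls -l "$MINIFW_FILE" | grep -q -- -rw-------`, only inspects the mode string, so a firewall script that is 0600 but owned by an unprivileged user still passes, and when `MINIFW_FILE` is unset or the file is absent `ls` prints an error and the check fails for the wrong reason. Checking mode and owner together, behind an existence guard, is stricter and quieter: `[ -f "$MINIFW_FILE" ] && [ "$(stat -c '%a %U' "$MINIFW_FILE")" = "600 root" ] || echo 'IS_MINIFWPERMS FAILED!'`. The same grep-on-`ls` pattern is used by IS_NRPEPERMS a few lines above (unchanged here) and would benefit from the same treatment. The enclosing `if [ -e /etc/debian_version ]` block starts and ends outside this hunk.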
@@ -321,12 +329,12 @@ if [ -e /etc/debian_version ]; then && grep -q "^START_DAEMON=true" /etc/default/mdadm \ && grep -qv "^MAILADDR ___MAIL___" /etc/mdadm/mdadm.conf || echo 'IS_RAIDSOFT FAILED!') fi - + # Verification du LogFormat de AWStats if [ "$IS_AWSTATSLOGFORMAT" = 1 ]; then is_installed apache2.2-common && ( grep -qE '^LogFormat=1' /etc/awstats/awstats.conf.local || echo 'IS_AWSTATSLOGFORMAT FAILED!' ) fi - + # Verification de la présence de la config logrotate pour Munin if [ "$IS_MUNINLOGROTATE" = 1 ]; then ( test -e /etc/logrotate.d/munin-node && test -e /etc/logrotate.d/munin ) || echo 'IS_MUNINLOGROTATE FAILED!' 
@@ -336,21 +344,27 @@ if [ -e /etc/debian_version ]; then #if [ "$IS_METCHE" = 1 ]; then # is_installed metche || echo 'IS_METCHE FAILED!' #fi - + # Verification de l'activation de Squid dans le cas d'un pack mail if [ "$IS_SQUID" = 1 ]; then squidconffile=/etc/squid*/squid.conf - is_debianversion squeeze && f=/etc/firewall.rc - is_debianversion wheezy && f=/etc/firewall.rc - is_debianversion jessie && f=/etc/default/minifirewall - is_debianversion stretch && f=/etc/default/minifirewall && squidconffile=/etc/squid/evolinux-custom.conf + is_debianversion stretch && squidconffile=/etc/squid/evolinux-custom.conf is_pack_web && ( is_installed squid || is_installed squid3 \ - && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" $f \ - && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d `hostname -i` -j ACCEPT" $f \ - && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" $f \ - && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* `grep http_port $squidconffile | cut -f 2 -d " "`" $f || echo 'IS_SQUID FAILED!' ) + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" $MINIFW_FILE \ + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d `hostname -i` -j ACCEPT" $MINIFW_FILE \ + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" $MINIFW_FILE \ + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* `grep http_port $squidconffile | cut -f 2 -d " "`" $MINIFW_FILE || echo 'IS_SQUID FAILED!' ) fi - + + if [ "$IS_EVOMAINTENANCE_FW" = 1 ]; then + if [ -f "$MINIFW_FILE" ]; then + rulesNumber=$(grep -c "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s .* -m state --state ESTABLISHED,RELATED -j ACCEPT" "$MINIFW_FILE") + if [ "$rulesNumber" -lt 4 ]; then + echo 'IS_EVOMAINTENANCE_FW FAILED!' 
+ fi + fi + fi + # Verification de la conf et de l'activation de mod-deflate if [ "$IS_MODDEFLATE" = 1 ]; then f=/etc/apache2/mods-enabled/deflate.conf @@ -358,7 +372,7 @@ if [ -e /etc/debian_version ]; then && grep -q "AddOutputFilterByType DEFLATE text/css" $f \ && grep -q "AddOutputFilterByType DEFLATE application/x-javascript application/javascript" $f || echo 'IS_MODDEFLATE FAILED!') fi - + # Verification de la conf log2mail if [ "$IS_LOG2MAILRUNNING" = 1 ]; then is_pack_web && (is_installed log2mail && pgrep log2mail >/dev/null || echo 'IS_LOG2MAILRUNNING') @@ -378,7 +392,7 @@ if [ -e /etc/debian_version ]; then is_pack_web && ( is_installed log2mail && grep -q "^file = /var/log/squid.*/access.log" \ /etc/log2mail/config/* 2>/dev/null || echo 'IS_LOG2MAILSQUID FAILED!' ) fi - + # Verification si bind est chroote if [ "$IS_BINDCHROOT" = 1 ]; then if is_installed bind9 && $(netstat -utpln |grep "/named" |grep :53 |grep -qvE "(127.0.0.1|::1)"); then 
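Review bot: The new IS_EVOMAINTENANCE_FW check counts matches with `grep -c "/sbin/iptables -A INPUT -p tcp --sport 5432 …"`, which has no `^[^#]*` prefix, so commented-out rules in `$MINIFW_FILE` are counted as active and four disabled lines satisfy the check, while the IS_SQUID greps in the same hunk do use `^[^#]*`. Make it consistent: `rulesNumber=$(grep -c "^[^#]*/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s .* -m state --state ESTABLISHED,RELATED -j ACCEPT" "$MINIFW_FILE")`. The IS_SQUID lines still expand `$MINIFW_FILE` unquoted and embed an unescaped `hostname -i` in the pattern; quoting the variable is a cheap fix while it is being renamed.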
@@ -391,23 +405,32 @@ if [ -e /etc/debian_version ]; then fi fi fi - + # Verification de la présence du depot volatile if [ "$IS_REPVOLATILE" = 1 ]; then test `cat /etc/debian_version |cut -d "." -f 1` -eq 5 && (grep -qE "^deb http://volatile.debian.org/debian-volatile" /etc/apt/sources.list || echo 'IS_REPVOLATILE FAILED!') test `cat /etc/debian_version |cut -d "." -f 1` -eq 6 && (grep -qE "^deb.*squeeze-updates" /etc/apt/sources.list || echo 'IS_REPVOLATILE FAILED!') fi - + + # /etc/network/interfaces should be present, we don't manage systemd-network yet + if [ "$IS_NETWORK_INTERFACES" = 1 ]; then + if ! test -f /etc/network/interfaces; then + echo "IS_NETWORK_INTERFACES FAILED!" + IS_AUTOIF=0 + IS_INTERFACESGW=0 + fi + fi + # Verify if all if are in auto if [ "$IS_AUTOIF" = 1 ]; then - is_debianversion stretch || for interface in `/sbin/ifconfig -s |tail -n +2 |egrep -v "^(lo|vnet|docker|veth|tun|tap|macvtap)" |cut -d " " -f 1 |tr "\n" " "`; do + is_debianversion stretch || for interface in `/sbin/ifconfig -s |tail -n +2 |grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap)" |cut -d " " -f 1 |tr "\n" " "`; do grep -q "^auto $interface" /etc/network/interfaces || (echo 'IS_AUTOIF FAILED!' && break) done - is_debianversion stretch && for interface in `/sbin/ip address show up | grep ^[0-9]*: |egrep -v "(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 2 |tr -d : |cut -d@ -f1 |tr "\n" " "`; do + is_debianversion stretch && for interface in `/sbin/ip address show up | grep ^[0-9]*: |grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 2 |tr -d : |cut -d@ -f1 |tr "\n" " "`; do grep -q "^auto $interface" /etc/network/interfaces || (echo 'IS_AUTOIF FAILED!' && break) done fi - + # Network conf verification if [ "$IS_INTERFACESGW" = 1 ]; then number=$(grep -Ec "^[^#]*gateway [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" /etc/network/interfaces) 
@@ -418,15 +441,15 @@ if [ -e /etc/debian_version ]; then # Verification de la mise en place d'evobackup if [ "$IS_EVOBACKUP" = 1 ]; then - ls /etc/cron* |grep -q "zz.backup$" || echo 'IS_EVOBACKUP FAILED!' + ls /etc/cron* |grep -q "evobackup" || echo 'IS_EVOBACKUP FAILED!' fi - + # Verification de la presence du userlogrotate if [ "$IS_USERLOGROTATE" = 1 ]; then is_pack_web && (test -x /etc/cron.weekly/userlogrotate || echo 'IS_USERLOGROTATE FAILED!') fi - - + + # Verification de la syntaxe de la conf d'Apache if [ "$IS_APACHECTL" = 1 ]; then is_installed apache2.2-common && (/usr/sbin/apache2ctl configtest 2>&1 |grep -q "^Syntax OK$" || echo 'IS_APACHECTL FAILED!') @@ -454,22 +477,22 @@ if [ -e /etc/debian_version ]; then fi is_installed apache2.2-common && ([ -e $muninconf ] && grep -vEq "^( |\t)*#" $muninconf && echo 'IS_MUNINAPACHECONF FAILED!') fi - + # Verification de la priorité du package samba si les backports sont utilisés if [ "$IS_SAMBAPINPRIORITY" = 1 ]; then is_pack_samba && grep -qrE "^[^#].*backport" /etc/apt/sources.list{,.d} && ( priority=`grep -E -A2 "^Package:.*samba" /etc/apt/preferences |grep -A1 "^Pin: release a=lenny-backports" |grep "^Pin-Priority:" |cut -f2 -d" "` && test $priority -gt 500 || echo 'IS_SAMBAPINPRIORITY FAILED!' ) fi - + # Verification si le système doit redémarrer suite màj kernel. if [ "$IS_KERNELUPTODATE" = 1 ]; then if is_installed linux-image* && [ $(date -d $(ls --full-time -lcrt /boot | tail -n1 | tr -s " " | cut -d " " -f 6) +%s) -gt $(($(date +%s) - $(cut -f1 -d '.' /proc/uptime))) ]; then echo 'IS_KERNELUPTODATE FAILED!' fi fi - + # Check if the server is running for more than a year. if [ "$IS_UPTIME" = 1 ]; then - if is_installed linux-image* && [ $(date -d "now - 1 year" +%s) -gt $(($(date +%s) - $(cut -f1 -d '.' /proc/uptime))) ]; then + if is_installed linux-image* && [ $(date -d "now - 2 year" +%s) -gt $(($(date +%s) - $(cut -f1 -d '.' /proc/uptime))) ]; then echo 'IS_UPTIME FAILED!' fi fi 
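Review bot: Loosening IS_EVOBACKUP from `zz.backup$` to `grep -q "evobackup"` on `ls /etc/cron*` output matches any file name containing the string, so a disabled or stale copy (an `evobackup.disabled` or `evobackup.dpkg-old`, if such files occur on hosts) would still satisfy the check, and because only names are listed a job commented out inside `/etc/cron.d` passes as well. Anchor the pattern to the exact names the role deploys, e.g. `ls /etc/cron* | grep -qxE "(zz\.)?evobackup"`, and consider also grepping the file body for an uncommented command line. I cannot tell from this hunk which file names evobackup actually installs, so the alternation needs confirming against the role.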
@@ -499,7 +522,14 @@ if [ -e /etc/debian_version ]; then # Check if no package has been upgraded since $limit. if [ "$IS_NOTUPGRADED" = 1 ]; then last_upgrade=$(date +%s -d $(zgrep -h upgrade /var/log/dpkg.log* |sort -n |tail -1 |cut -f1 -d ' ')) - limit=$(date +%s -d "now - 60 days") + if grep -q '^mailto="listupgrade-todo@' /etc/evolinux/listupgrade.cnf \ + || grep -q -E '^[[:digit:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[^\*]' /etc/cron.d/listupgrade; then + # Manual upgrade process + limit=$(date +%s -d "now - 180 days") + else + # Regular process + limit=$(date +%s -d "now - 90 days") + fi if [ -f /var/log/evolinux/00_prepare_system.log ]; then install_date=$(stat -c %Z /var/log/evolinux/00_prepare_system.log) else @@ -556,7 +586,7 @@ if [ -e /etc/debian_version ]; then if [ "$IS_BACKPORTSCONF" = 1 ]; then if is_debianversion stretch; then grep -q backports /etc/apt/sources.list && echo 'IS_BACKPORTSCONF FAILED!' - grep -q backports /etc/apt/sources.list.d/*.list && (grep -q backports /etc/apt/preferences.d/* || echo 'IS_BACKPORTSCONF FAILED!') + grep -q backports /etc/apt/sources.list.d/*.list 2>/dev/null && (grep -q backports /etc/apt/preferences.d/* || echo 'IS_BACKPORTSCONF FAILED!') fi fi 
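Review bot: The two new `grep -q` calls read `/etc/evolinux/listupgrade.cnf` and `/etc/cron.d/listupgrade` without an existence check, so on hosts where listupgrade is not deployed both print "No such file or directory" on every run and the check silently falls back to the 90-day limit. Redirect or guard them: `if grep -q '^mailto="listupgrade-todo@' /etc/evolinux/listupgrade.cnf 2>/dev/null \` and `|| grep -q -E '…' /etc/cron.d/listupgrade 2>/dev/null; then`. A one-line comment above the regex, `# A non-'*' day-of-month field means upgrades are scheduled manually`, would make its intent readable. The backports hunk below already applies `2>/dev/null` to `sources.list.d/*.list` but not to `preferences.d/*`, which fails the same way when that directory is empty.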
@@ -668,8 +698,17 @@ if [ -e /etc/debian_version ]; then if [ "$IS_MYSQLMUNIN" = 1 ]; then if is_debianversion stretch && is_installed mariadb-server; then - for file in mysql_bytes mysql_queries mysql_slowqueries mysql_threads mysql_connections mysql_files_tables mysql_innodb_bpool mysql_innodb_bpool_act mysql_innodb_io mysql_innodb_log mysql_innodb_rows mysql_innodb_semaphores mysql_myisam_indexes mysql_qcache mysql_qcache_mem mysql_sorts mysql_tmp_tables; do - test -L /etc/munin/plugins/$file || echo 'IS_MYSQLMUNIN FAILED!' + for file in mysql_bytes mysql_queries mysql_slowqueries \ + mysql_threads mysql_connections mysql_files_tables \ + mysql_innodb_bpool mysql_innodb_bpool_act mysql_innodb_io \ + mysql_innodb_log mysql_innodb_rows mysql_innodb_semaphores \ + mysql_myisam_indexes mysql_qcache mysql_qcache_mem \ + mysql_sorts mysql_tmp_tables; do + + if [[ ! -L /etc/munin/plugins/$file ]]; then + echo 'IS_MYSQLMUNIN FAILED!' + break + fi done fi fi @@ -707,6 +746,29 @@ if [ -e /etc/debian_version ]; then && test -f /etc/squid/evolinux-custom.conf) || echo 'IS_SQUIDEVOLINUXCONF FAILED!' fi fi + + if [ "$IS_DUPLICATE_FS_LABEL" = 1 ]; then + # Do it only if thereis blkid binary + if [ -x "$(which blkid)" ]; then + tmpFile=$(mktemp -p /tmp) + for part in $(blkid | grep -v raid_member | grep -Eo ' LABEL=".*"' | cut -d'"' -f2); do + echo "$part" >> "$tmpFile" + done + tmpOutput=$(sort < "$tmpFile" | uniq -d) + # If there is no duplicate, uniq will have no output + # So, if $tmpOutput is not null, there is a duplicate + if [ -n "$tmpOutput" ]; then + echo 'IS_DUPLICATE_FS_LABEL FAILED!' + # For debug, you may echo the contents of $tmpOutput + # echo $tmpOutput + fi + rm $tmpFile + fi + fi + + if [ "$IS_EVOLIX_USER" = 1 ]; then + getent passwd evolix >/dev/null && echo 'IS_EVOLIX_USER FAILED!' + fi fi 
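Review bot: The rewritten IS_MYSQLMUNIN loop switches to `[[ ! -L /etc/munin/plugins/$file ]]`, a bash-only construct, while the rest of the script (including the lines this hunk keeps) uses POSIX `test`/`[`; the shebang is not visible here, so if the script is ever run under `sh`/dash this line is a syntax error. `if [ ! -L "/etc/munin/plugins/$file" ]; then` behaves identically and stays consistent. The early `break` is a good change, since the old loop echoed FAILED once per missing plugin.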
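Review bot: IS_DUPLICATE_FS_LABEL writes every label into a `mktemp -p /tmp` file that is only removed on the normal path (`rm $tmpFile`, unquoted) and is not needed at all: `tmpOutput=$(blkid | grep -v raid_member | grep -Eo ' LABEL=".*"' | cut -d'"' -f2 | sort | uniq -d)` gives the same result with no file, no cleanup and nothing left behind on interruption. `[ -x "$(which blkid)" ]` also degrades to `[ -x "" ]` when `blkid` is absent, which works but is clearer as `command -v blkid >/dev/null`, the form IS_MOUNT_FSTAB already uses. Since `grep -Eo ' LABEL=".*"'` is greedy and relies on `cut -f2` to recover the label when other quoted fields follow, a comment saying so would save the next reader a moment.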
@@ -715,19 +777,19 @@ if [ `uname -s` == "OpenBSD" ]; then if [ "$IS_SOFTDEP" = 1 ]; then grep -q "softdep" /etc/fstab || echo 'IS_SOFTDEP FAILED!' fi - + if [ "$IS_WHEEL" = 1 ]; then grep -qE "^%wheel.*$" /etc/sudoers || echo 'IS_WHEEL FAILED!' fi - + if [ "$IS_SUDOADMIN" = 1 ]; then grep -qE "^User_Alias ADMIN=.*$" /etc/sudoers || echo 'IS_SUDOADMIN FAILED!' fi - + if [ "$IS_PKGMIRROR" = 1 ]; then grep -qE "^export PKG_PATH=http://ftp\.fr\.openbsd\.org/pub/OpenBSD/[0-9.]+/packages/[a-z0-9]+/$" /root/.profile || echo 'IS_PKGMIRROR FAILED!' fi - + if [ "$IS_HISTORY" = 1 ]; then f=/root/.profile grep -q "^HISTFILE=\$HOME/.histfile" $f \ 
@@ -736,68 +798,68 @@ if [ `uname -s` == "OpenBSD" ]; then && grep -q "^export HISTSIZE" $f \ || echo 'IS_HISTORY FAILED!' fi - + if [ "$IS_VIM" = 1 ]; then which vim 2>1 >> /dev/null || echo 'IS_VIM FAILED!' fi - + if [ "$IS_TTYC0SECURE" = 1 ]; then grep -Eqv "^ttyC0.*secure$" /etc/ttys || echo 'IS_TTYC0SECURE FAILED!' fi - + if [ "$IS_CUSTOMSYSLOG" = 1 ]; then grep -q Evolix /etc/newsyslog.conf || echo 'IS_CUSTOMSYSLOG FAILED!' fi - + if [ "$IS_NOINETD" = 1 ]; then grep -q inetd=NO /etc/rc.conf.local 2>/dev/null || echo 'IS_NOINETD FAILED!' fi - + if [ "$IS_SUDOMAINT" = 1 ]; then f=/etc/sudoers grep -q "Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh" $f \ && grep -q "ADMIN ALL=NOPASSWD: MAINT" $f \ || echo 'IS_SUDOMAINT FAILED!' fi - + if [ "$IS_POSTGRESQL" = 1 ]; then pkg info | grep -q postgresql-client || echo 'IS_POSTGRESQL FAILED!' fi - + if [ "$IS_NRPE" = 1 ]; then ( pkg info | grep -qE "nagios-plugins-[0-9.]" \ && pkg info | grep -q nagios-plugins-ntp \ && pkg info | grep -q nrpe ) || echo 'IS_NRPE FAILED!' fi - + # if [ "$IS_NRPEDISKS" = 1 ]; then # NRPEDISKS=$(grep command.check_disk /etc/nrpe.cfg 2>/dev/null | grep ^command.check_disk[0-9] | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1) -# DFDISKS=$(df -Pl | egrep -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)" | wc -l) +# DFDISKS=$(df -Pl | grep -E -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)" | wc -l) # [ "$NRPEDISKS" = "$DFDISKS" ] || echo 'IS_NRPEDISKS FAILED!' # fi - + # Verification du check_mailq dans nrpe.cfg (celui-ci doit avoir l'option "-M postfix" si le MTA est Postfix) -# +# # if [ "$IS_NRPEPOSTFIX" = 1 ]; then # pkg info | grep -q postfix && ( grep -q "^command.*check_mailq -M postfix" /etc/nrpe.cfg 2>/dev/null || echo 'IS_NRPEPOSTFIX FAILED!' ) # fi - + if [ "$IS_NRPEDAEMON" = 1 ]; then grep -q "echo -n ' nrpe'; /usr/local/sbin/nrpe -d" /etc/rc.local || echo 'IS_NREPEDAEMON FAILED!' 
fi - + if [ "$IS_ALERTBOOT" = 1 ]; then grep -qE "^date \| mail -sboot/reboot .*evolix.fr$" /etc/rc.local || echo 'IS_ALERTBOOT FAILED!' fi - + if [ "$IS_RSYNC" = 1 ]; then pkg info | grep -q rsync || echo 'IS_RSYNC FAILED!' fi - + if [ "$IS_CRONPATH" = 1 ]; then grep -q "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" /var/cron/tabs/root || echo 'IS_CRONPATH FAILED!' fi - + #TODO # - Check en profondeur de postfix # - NRPEDISK et NRPEPOSTFIX @@ -816,8 +878,8 @@ if [ "$IS_USRSHARESCRIPTS" = 1 ]; then fi if [ "$IS_SSHPERMITROOTNO" = 1 ]; then - is_debianversion stretch || ( egrep -qi "PermitRoot.*no" /etc/ssh/sshd_config || echo 'IS_SSHPERMITROOTNO FAILED!' ) - is_debianversion stretch && grep -q ^PermitRoot /etc/ssh/sshd_config && ( egrep -qi "PermitRoot.*no" /etc/ssh/sshd_config || echo 'IS_SSHPERMITROOTNO FAILED!' ) + is_debianversion stretch || ( grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config || echo 'IS_SSHPERMITROOTNO FAILED!' ) + is_debianversion stretch && grep -q ^PermitRoot /etc/ssh/sshd_config && ( grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config || echo 'IS_SSHPERMITROOTNO FAILED!' ) fi if [ "$IS_EVOMAINTENANCEUSERS" = 1 ]; then @@ -831,7 +893,7 @@ if [ "$IS_EVOMAINTENANCEUSERS" = 1 ]; then grep -q "^trap.*sudo.*evomaintenance.sh" /home/$i/.*profile || echo 'IS_EVOMAINTENANCEUSERS FAILED!' done else - for i in $(getent group evolinux-sudo | cut -d':' -f4 | tr ',' ' '); do + for i in $(getent group evolinux-sudo | cut -d':' -f4 | tr ',' ' '); do grep -q "^trap.*sudo.*evomaintenance.sh" /home/$i/.*profile || echo 'IS_EVOMAINTENANCEUSERS FAILED!' done fi From 446128194595987269b2c417481f21c184fdfd27 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 17 Aug 2018 10:07:36 +0200 Subject: [PATCH 077/101] evolinux-base: add internal FQDN/hostname in /etc/hosts if needed --- evolinux-base/tasks/hostname.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
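Review bot: Both IS_SSHPERMITROOTNO branches keep the unanchored, case-insensitive `grep -E -qi "PermitRoot.*no"`, so a commented default such as `#PermitRootLogin no`, or an explanatory comment, satisfies the check even when an active `PermitRootLogin yes` is present; the stretch branch's extra `grep -q ^PermitRoot` only proves some uncommented directive exists, not its value. Match the active directive and its value: `grep -E -qi "^[[:space:]]*PermitRootLogin[[:space:]]+no([[:space:]]|$)"`. That deliberately excludes `without-password`/`prohibit-password`, so if those are meant to be acceptable they should be listed in the alternation explicitly rather than rely on substring matching. The enclosing `if` block starts before this hunk.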
diff --git a/evolinux-base/tasks/hostname.yml b/evolinux-base/tasks/hostname.yml index 4acb944d..b73c11c7 100644 --- a/evolinux-base/tasks/hostname.yml +++ b/evolinux-base/tasks/hostname.yml @@ -20,7 +20,7 @@ lineinfile: dest: /etc/hosts regexp: '^{{ ansible_default_ipv4.address }}\s+' - line: "{{ ansible_default_ipv4.address }} {{ evolinux_fqdn }} {{ evolinux_hostname }}" + line: "{{ ansible_default_ipv4.address }} {{ [evolinux_fqdn, evolinux_internal_fqdn] | unique | join(' ') }} {{ [evolinux_hostname, evolinux_internal_hostname] | unique | join(' ') }}" insertafter: '127.0.0.1\s+localhost.localdomain' when: evolinux_hostname_hosts From 40160e0c6eadd39ae300ca104298f0631cec1168 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 17 Aug 2018 11:56:35 +0200 Subject: [PATCH 078/101] generate-ldif: detect installed packages even if "held" by APT --- CHANGELOG.md | 1 + generate-ldif/templates/generateldif.sh.j2 | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 94442132..34c58cde 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,7 @@ The **patch** part changes incrementally at each release. * elasticsearch: add http.publish_host variable * evoacme: disable old certbot cron also in cron.daily * evolinux-base: add mail related aliases +* generate-ldif: detect installed packages even if "held" by APT * java: support for Oracle JRE * kibana: log messages go to /var/log/kibana/kibana.log * metricbeat: add a role (copied from filebeat) diff --git a/generate-ldif/templates/generateldif.sh.j2 b/generate-ldif/templates/generateldif.sh.j2 index f0cdd233..73fe88c8 100755 --- a/generate-ldif/templates/generateldif.sh.j2 +++ b/generate-ldif/templates/generateldif.sh.j2 @@ -6,7 +6,7 @@ if [ $(id -u) != 0 ]; then fi is_pkg_installed() { - dpkg -l "$1" 2>/dev/null | grep -q '^ii' + dpkg -l "$1" 2>/dev/null | grep -q -E '^(i|h)i' } get_pkg_version() { From 4d7e9b1c3f4cadec1c847e5d65fb0bf06fe779d7 Mon Sep 17 00:00:00 2001 
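Review bot: `dpkg -l "$1" 2>/dev/null | grep -q -E '^(i|h)i'` parses human-oriented `dpkg -l` output and treats `$1` as a dpkg glob, so a caller passing a pattern gets "installed" as soon as any one match is installed, and the result depends on the first two status columns staying stable across dpkg versions. `dpkg-query -W -f='${Status}\n' "$1" 2>/dev/null | grep -q ' installed$'` uses the machine interface, queries the exact package name, and covers both `install ok installed` and `hold ok installed`, which is what the `(i|h)` alternation is trying to express. A short comment above the function, `# Held (h) packages count as installed, not only (i)nstalled ones`, would record why the hold state matters here.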
From: Jeremy Lecour Date: Fri, 17 Aug 2018 14:59:22 +0200 Subject: [PATCH 079/101] evocheck: detect installed packages even if "held" by APT (manual fix) --- CHANGELOG.md | 1 + evocheck/files/evocheck.sh | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 34c58cde..36df5a50 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,7 @@ The **patch** part changes incrementally at each release. * elasticsearch: tmpdir configuration compatible with 5.x also * elasticsearch: add http.publish_host variable * evoacme: disable old certbot cron also in cron.daily +* evocheck: detect installed packages even if "held" by APT (manual fix) * evolinux-base: add mail related aliases * generate-ldif: detect installed packages even if "held" by APT * java: support for Oracle JRE diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index b6eb82ee..1eaf08ae 100644 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -143,7 +143,7 @@ is_pack_samba(){ is_installed(){ for pkg in $*; do - dpkg -l $pkg 2>/dev/null |grep -q ^ii || return 1 + dpkg -l $pkg 2>/dev/null |grep -q -E ^(i|h)i || return 1 done } From dbb72ef2a0533352e0a757a977fc1c366f4c251f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 17 Aug 2018 15:52:42 +0200 Subject: [PATCH 080/101] evocheck: fix quotes on grep regular expressions --- evocheck/files/evocheck.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index 1eaf08ae..200f0471 100644 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -143,7 +143,7 @@ is_pack_samba(){ is_installed(){ for pkg in $*; do - dpkg -l $pkg 2>/dev/null |grep -q -E ^(i|h)i || return 1 + dpkg -l $pkg 2>/dev/null |grep -q -E '^(i|h)i' || return 1 done } From 51f41ff14ae47306668970c6b0a935ffaa377c2b Mon Sep 17 00:00:00 2001 
From: Gregory Colpart Date: Fri, 17 Aug 2018 21:28:14 +0200 Subject: [PATCH 081/101] Workaround by Evolix security team for old kernels and vulnerabiliy CVE-2018-5391 (FragmentSmack) --- evolinux-base/tasks/kernel.yml | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/evolinux-base/tasks/kernel.yml b/evolinux-base/tasks/kernel.yml index 10f0c00b..b9b8c99c 100644 --- a/evolinux-base/tasks/kernel.yml +++ b/evolinux-base/tasks/kernel.yml @@ -50,4 +50,36 @@ reload: yes when: evolinux_kernel_cve20165696 +- name: Patch for TCP stack vulnerabiliy CVE-2018-5391 (FragmentSmack) + sysctl: + name: net.ipv4.ipfrag_low_thresh + value: 196608 + sysctl_file: "{{ evolinux_kernel_sysctl_path }}" + state: present + reload: yes + +- name: Patch for TCP stack vulnerabiliy CVE-2018-5391 (FragmentSmack) + sysctl: + name: net.ipv6.ip6frag_low_thresh + value: 196608 + sysctl_file: "{{ evolinux_kernel_sysctl_path }}" + state: present + reload: yes + +- name: Patch for TCP stack vulnerabiliy CVE-2018-5391 (FragmentSmack) + sysctl: + name: net.ipv4.ipfrag_high_thresh + value: 262144 + sysctl_file: "{{ evolinux_kernel_sysctl_path }}" + state: present + reload: yes + +- name: Patch for TCP stack vulnerabiliy CVE-2018-5391 (FragmentSmack) + sysctl: + name: net.ipv6.ip6frag_high_thresh + value: 262144 + sysctl_file: "{{ evolinux_kernel_sysctl_path }}" + state: present + reload: yes + - meta: flush_handlers From 26c46bfb96807385958703361da5609dce3c87c4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 18 Aug 2018 09:41:59 +0200 Subject: [PATCH 082/101] evocheck: the crontab is updated by the role --- CHANGELOG.md | 1 + evocheck/README.md | 1 + evocheck/defaults/main.yml | 1 + evocheck/tasks/cron.yml | 25 +++++++++++++++++++++++++ evocheck/tasks/main.yml | 3 +++ 5 files changed, 31 insertions(+) create mode 100644 evocheck/tasks/cron.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 36df5a50..494f78d2 100644 --- a/CHANGELOG.md 
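Review bot: The four new sysctl tasks are applied unconditionally, whereas the CVE-2016-5696 mitigation in the context line just above is gated by `when: evolinux_kernel_cve20165696`; a matching `evolinux_kernel_cve20185391` default (e.g. `True`) would let operators switch the workaround off once a fixed kernel is running, since lowering the reassembly thresholds trades off capacity for fragmented traffic. All four tasks share one name and that name misdescribes the change: these are IP fragment-reassembly thresholds, not TCP settings, and `vulnerabiliy` is a typo — distinct names such as `Lower net.ipv4.ipfrag_low_thresh (CVE-2018-5391 FragmentSmack workaround)` read better in play output. A comment recording where `196608`/`262144` come from (presumably the pre-4.17 kernel defaults, which I cannot confirm from this hunk) and when the override can be dropped would help whoever revisits this.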
+++ b/CHANGELOG.md @@ -15,6 +15,7 @@ The **patch** part changes incrementally at each release. * elasticsearch: add http.publish_host variable * evoacme: disable old certbot cron also in cron.daily * evocheck: detect installed packages even if "held" by APT (manual fix) +* evocheck: the crontab is updated by the role (default: `True`) * evolinux-base: add mail related aliases * generate-ldif: detect installed packages even if "held" by APT * java: support for Oracle JRE diff --git a/evocheck/README.md b/evocheck/README.md index b669fe54..807b9a44 100644 --- a/evocheck/README.md +++ b/evocheck/README.md @@ -18,3 +18,4 @@ A separate `exec.yml` file can be imported manually in playbooks or roles to exe We can force install via : * `evocheck_force_install: local` : will copy the script provided by the role * `evocheck_force_install: package` : will install the package via repositories +* `evocheck_update_crontab` : will update the crontab (default: `True`) diff --git a/evocheck/defaults/main.yml b/evocheck/defaults/main.yml index 565849e3..e2d80c2a 100644 --- a/evocheck/defaults/main.yml +++ b/evocheck/defaults/main.yml @@ -1,3 +1,4 @@ --- evocheck_force_install: False +evocheck_update_crontab: True evocheck_bin_dir: /usr/share/scripts diff --git a/evocheck/tasks/cron.yml b/evocheck/tasks/cron.yml new file mode 100644 index 00000000..eb45fb2a --- /dev/null +++ b/evocheck/tasks/cron.yml @@ -0,0 +1,25 @@ +--- + +- name: evocheck runs normally on first day of month + cron: + cron_file: evocheck + month: "*" + weekday: "*" + day: "1" + hour: "1" + minute: "33" + user: "root" + job: "/usr/share/scripts/evocheck.sh" + state: present + +- name: evocheck runs with --cron on all other days of month + cron: + cron_file: evocheck + month: "*" + weekday: "*" + day: "2-31" + hour: "1" + minute: "33" + user: "root" + job: "/usr/share/scripts/evocheck.sh --cron" + state: present diff --git a/evocheck/tasks/main.yml b/evocheck/tasks/main.yml index 769dbbfe..0e374b92 100644 
--- a/evocheck/tasks/main.yml +++ b/evocheck/tasks/main.yml @@ -5,3 +5,6 @@ - include: install_package.yml when: evocheck_force_install == "package" + +- include: cron.yml + when: evocheck_update_crontab From 47d51466424dce616037131bc384c6c2cc45d46e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 18 Aug 2018 09:59:26 +0200 Subject: [PATCH 083/101] evocheck: the crontab is overwritten --- evocheck/tasks/cron.yml | 31 ++++++++----------------------- evocheck/templates/crontab.j2 | 4 ++++ 2 files changed, 12 insertions(+), 23 deletions(-) create mode 100644 evocheck/templates/crontab.j2 diff --git a/evocheck/tasks/cron.yml b/evocheck/tasks/cron.yml index eb45fb2a..82f56130 100644 --- a/evocheck/tasks/cron.yml +++ b/evocheck/tasks/cron.yml @@ -1,25 +1,10 @@ --- -- name: evocheck runs normally on first day of month - cron: - cron_file: evocheck - month: "*" - weekday: "*" - day: "1" - hour: "1" - minute: "33" - user: "root" - job: "/usr/share/scripts/evocheck.sh" - state: present - -- name: evocheck runs with --cron on all other days of month - cron: - cron_file: evocheck - month: "*" - weekday: "*" - day: "2-31" - hour: "1" - minute: "33" - user: "root" - job: "/usr/share/scripts/evocheck.sh --cron" - state: present +- name: evocheck crontab is updated + template: + src: crontab.j2 + dest: /etc/cron.d/evocheck + mode: "0644" + owner: root + group: root + force: yes diff --git a/evocheck/templates/crontab.j2 b/evocheck/templates/crontab.j2 new file mode 100644 index 00000000..fdd07649 --- /dev/null +++ b/evocheck/templates/crontab.j2 @@ -0,0 +1,4 @@ +# {{ ansible_managed }} + +33 1 1 * * root /usr/share/scripts/evocheck.sh +33 1 2-31 * * root /usr/share/scripts/evocheck.sh --cron From 5721282a9f4d1640b52613e975bac9af6711c5bd Mon Sep 17 00:00:00 2001 
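Review bot: Both lines of `crontab.j2` hard-code `/usr/share/scripts/evocheck.sh` although the role exposes `evocheck_bin_dir` (default `/usr/share/scripts`); if an operator relocates the script, root's cron keeps executing whatever is left at the old path. Use `33 1 1 * * root {{ evocheck_bin_dir }}/evocheck.sh` and `33 1 2-31 * * root {{ evocheck_bin_dir }}/evocheck.sh --cron`. The task in `cron.yml` correctly pins `owner`/`group` root and `0644`, which cron requires for `/etc/cron.d` files; `force: yes` is the module default and can be dropped, and a short comment noting that the file is deliberately overwritten on every run would document that choice.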
From: Gregory Colpart Date: Mon, 20 Aug 2018 22:25:06 +0200 Subject: [PATCH 084/101] Hot fix: remove .conf suffix because Amavis don't read it! --- amavis/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/amavis/tasks/main.yml b/amavis/tasks/main.yml index 810ba505..6b8bcc63 100644 --- a/amavis/tasks/main.yml +++ b/amavis/tasks/main.yml @@ -12,7 +12,7 @@ - name: configure Amavis template: src: amavis.conf.j2 - dest: /etc/amavis/conf.d/49-evolinux-defaults.conf + dest: /etc/amavis/conf.d/49-evolinux-defaults mode: "0644" notify: restart amavis tags: From b6fa349394cfcc3c2a36121f771fa898901593ee Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 20 Aug 2018 16:08:45 +0200 Subject: [PATCH 085/101] evolinux-base: compact multiple systctl tasks into one --- evolinux-base/tasks/kernel.yml | 35 ++++++++-------------------------- 1 file changed, 8 insertions(+), 27 deletions(-) diff --git a/evolinux-base/tasks/kernel.yml b/evolinux-base/tasks/kernel.yml index b9b8c99c..9dc66c42 100644 --- a/evolinux-base/tasks/kernel.yml +++ b/evolinux-base/tasks/kernel.yml 
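Review bot: Changing `dest` leaves the previously deployed `/etc/amavis/conf.d/49-evolinux-defaults.conf` in place on hosts that were provisioned before this fix; the commit message says Amavis ignores it, so it is inert, but it is stale configuration that will mislead anyone auditing `/etc`. Add a cleanup step ahead of this task, e.g. `- name: remove misnamed Amavis config` with `file: { path: /etc/amavis/conf.d/49-evolinux-defaults.conf, state: absent }` and the same `notify: restart amavis`. A comment on the `dest` line explaining that Amavis only reads files in `conf.d/` without a `.conf` suffix would prevent the suffix from being reintroduced.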
@@ -50,36 +50,17 @@ reload: yes when: evolinux_kernel_cve20165696 -- name: Patch for TCP stack vulnerabiliy CVE-2018-5391 (FragmentSmack) +- name: Patch for TCP stack vulnerability CVE-2018-5391 (FragmentSmack) sysctl: - name: net.ipv4.ipfrag_low_thresh - value: 196608 - sysctl_file: "{{ evolinux_kernel_sysctl_path }}" - state: present - reload: yes - -- name: Patch for TCP stack vulnerabiliy CVE-2018-5391 (FragmentSmack) - sysctl: - name: net.ipv6.ip6frag_low_thresh - value: 196608 - sysctl_file: "{{ evolinux_kernel_sysctl_path }}" - state: present - reload: yes - -- name: Patch for TCP stack vulnerabiliy CVE-2018-5391 (FragmentSmack) - sysctl: - name: net.ipv4.ipfrag_high_thresh - value: 262144 - sysctl_file: "{{ evolinux_kernel_sysctl_path }}" - state: present - reload: yes - -- name: Patch for TCP stack vulnerabiliy CVE-2018-5391 (FragmentSmack) - sysctl: - name: net.ipv6.ip6frag_high_thresh - value: 262144 + name: "{{ item.name }}" + value: "{{ item.value }}" sysctl_file: "{{ evolinux_kernel_sysctl_path }}" state: present reload: yes + with_items: + - { name: "net.ipv4.ipfrag_low_thresh", value: 196608 } + - { name: "net.ipv6.ip6frag_low_thresh", value: 196608 } + - { name: "net.ipv4.ipfrag_high_thresh", value: 262144 } + - { name: "net.ipv6.ip6frag_high_thresh", value: 262144 } - meta: flush_handlers From 77aeb605443e56a412f252016a1bd5e9b5ca2466 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 21 Aug 2018 18:46:16 +0200 Subject: [PATCH 086/101] bind: chroot-bind.sh must not be executed in check mode --- CHANGELOG.md | 1 + bind/tasks/main.yml | 3 --- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 494f78d2..af0eb67c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
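Review bot: The merged task remains unconditional while the task above it is gated on `when: evolinux_kernel_cve20165696`; for consistency, and so the mitigation can be disabled on kernels that ship the real fix, add `when: evolinux_kernel_cve20185391` with a `True` default. The `with_items` order (low thresholds before high) appears to matter: the kernel refuses a `*frag_low_thresh` above the current `*frag_high_thresh`, so reordering the list would make the first write fail on a stock kernel — a one-line comment above `with_items` stating that constraint is worth adding (confirm against the target kernels). `loop_control: label: "{{ item.name }}"` would also keep the task output readable now that the items are dicts.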
@@ -42,6 +42,7 @@ The **patch** part changes incrementally at each release. * kvm-host: install kvm-tools package instead of copying add-vm.sh ### Fixed +* bind: chroot-bind.sh must not be executed in check mode * evoacme: fix module detection in apache config * mysql-oracle: fix configuration directory variable * php: fpm slowlog needs an absolute path diff --git a/bind/tasks/main.yml b/bind/tasks/main.yml index 1d190135..8fdf1692 100644 --- a/bind/tasks/main.yml +++ b/bind/tasks/main.yml @@ -81,7 +81,6 @@ command: "/root/chroot-bind.sh" register: chrootbind_run changed_when: False - check_mode: no when: bind_chroot_set - debug: @@ -117,5 +116,3 @@ force: yes notify: restart bind when: bind_chroot_set - - From 012dabf6571d612c98ec58b3a576b41f00167b98 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 21 Aug 2018 23:13:47 +0200 Subject: [PATCH 087/101] fail2ban: fix fail2ban_ignore_ips definition If the final variable is combined in the defaults file, its components can be overridden, but the final variable itself can't be overridden. --- CHANGELOG.md | 1 + fail2ban/defaults/main.yml | 1 - fail2ban/tasks/main.yml | 3 +++ fail2ban/templates/jail.local.j2 | 2 +- 4 files changed, 5 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index af0eb67c..1eba704f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -44,6 +44,7 @@ The **patch** part changes incrementally at each release. ### Fixed * bind: chroot-bind.sh must not be executed in check mode * evoacme: fix module detection in apache config +* fail2ban: fix fail2ban_ignore_ips definition * mysql-oracle: fix configuration directory variable * php: fpm slowlog needs an absolute path * roundcube: add missing slash to https redirection diff --git a/fail2ban/defaults/main.yml b/fail2ban/defaults/main.yml index 45c2477a..4893e7ae 100644 --- a/fail2ban/defaults/main.yml +++ b/fail2ban/defaults/main.yml 
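Review bot: Removing `check_mode: no` means that in check mode the `command` is skipped and `chrootbind_run` is registered as a skipped result with no `stdout`/`rc`, so the `debug:` that follows (its body lies outside the hunk) and any later `when:` on `chrootbind_run` will hit undefined attributes. Guard those consumers with `when: bind_chroot_set and chrootbind_run is not skipped`, or keep the task runnable in check mode only if `/root/chroot-bind.sh` is genuinely read-only. The second hunk only drops trailing blank lines.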
@@ -4,7 +4,6 @@ fail2ban_alert_email: Null fail2ban_default_ignore_ips: [] fail2ban_additional_ignore_ips: [] -fail2ban_ignore_ips: "{{ fail2ban_default_ignore_ips | union(fail2ban_additional_ignore_ips) | unique }}" fail2ban_wordpress: False fail2ban_roundcube: False diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml index 8e02f044..48b769db 100644 --- a/fail2ban/tasks/main.yml +++ b/fail2ban/tasks/main.yml @@ -15,6 +15,9 @@ tags: - fail2ban +- set_fact: + fail2ban_ignore_ips: "{{ fail2ban_default_ignore_ips | union(fail2ban_additional_ignore_ips) | unique }}" + - name: local jail is installed template: src: jail.local.j2 diff --git a/fail2ban/templates/jail.local.j2 b/fail2ban/templates/jail.local.j2 index 73b5f21f..6adcef67 100644 --- a/fail2ban/templates/jail.local.j2 +++ b/fail2ban/templates/jail.local.j2 @@ -3,7 +3,7 @@ [DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host -ignoreip = {{ (['127.0.0.1/8'] + fail2ban_ignore_ips) | join(' ') }} +ignoreip = {{ ['127.0.0.1/8'] union(fail2ban_ignore_ips) | unique | join(' ') }} bantime = 600 maxretry = 3 From 0869fb539ae1eb97e06efe91b30317aa7fc31938 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 21 Aug 2018 23:21:30 +0200 Subject: [PATCH 088/101] fail2ban: fix typo in jinja filters --- fail2ban/templates/jail.local.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fail2ban/templates/jail.local.j2 b/fail2ban/templates/jail.local.j2 index 6adcef67..4c3999bc 100644 --- a/fail2ban/templates/jail.local.j2 +++ b/fail2ban/templates/jail.local.j2 @@ -3,7 +3,7 @@ [DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host -ignoreip = {{ ['127.0.0.1/8'] union(fail2ban_ignore_ips) | unique | join(' ') }} +ignoreip = {{ ['127.0.0.1/8'] | union(fail2ban_ignore_ips) | unique | join(' ') }} bantime = 600 maxretry = 3 From e9391981594f123464f559dde5a36088a8e1cc53 Mon Sep 17 00:00:00 2001 
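Review bot: The new `set_fact` task has neither a `name` nor the `tags: - fail2ban` that every sibling task in this file carries (see the context lines right above it), so a run limited with `--tags fail2ban` skips it and the `jail.local.j2` template then fails on an undefined `fail2ban_ignore_ips`. Add `- name: ignored IPs list is computed` and `tags: - fail2ban` to the task. A one-line comment explaining why this lives in a task rather than in `defaults/main.yml` (components overridable, result computed late) would keep someone from moving it back.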
From: Jeremy Lecour Date: Thu, 23 Aug 2018 09:16:33 +0200 Subject: [PATCH 089/101] fail2ban: add a variable to disable the ssh filter (default: False) --- CHANGELOG.md | 1 + fail2ban/README.md | 1 + fail2ban/defaults/main.yml | 2 ++ fail2ban/tasks/main.yml | 11 +++++++++++ 4 files changed, 15 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1eba704f..2af080ad 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,7 @@ The **patch** part changes incrementally at each release. * evocheck: detect installed packages even if "held" by APT (manual fix) * evocheck: the crontab is updated by the role (default: `True`) * evolinux-base: add mail related aliases +* fail2ban: add a variable to disable the ssh filter (default: `False`) * generate-ldif: detect installed packages even if "held" by APT * java: support for Oracle JRE * kibana: log messages go to /var/log/kibana/kibana.log diff --git a/fail2ban/README.md b/fail2ban/README.md index af94e38a..d13dbb25 100644 --- a/fail2ban/README.md +++ b/fail2ban/README.md @@ -13,5 +13,6 @@ Main variables are : * `general_alert_email`: email address to send various alert messages (default: `root@localhost`). * `fail2ban_alert_email`: email address for messages sent to root (default: `general_alert_email`). * `fail2ban_ignore_ips`: list of IPs to ignore (default: empty). +* `fail2ban_disable_ssh`: if true, the "sshd" filter is disabled, otherwise nothing is done, not even enabling the filter (default: `False`). The full list of variables (with default values) can be found in `defaults/main.yml`. diff --git a/fail2ban/defaults/main.yml b/fail2ban/defaults/main.yml index 4893e7ae..06cd9d51 100644 --- a/fail2ban/defaults/main.yml +++ b/fail2ban/defaults/main.yml @@ -7,3 +7,5 @@ fail2ban_additional_ignore_ips: [] fail2ban_wordpress: False fail2ban_roundcube: False + +fail2ban_disable_ssh: False diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml index 48b769db..e9bd0482 100644 --- a/fail2ban/tasks/main.yml 
+++ b/fail2ban/tasks/main.yml @@ -28,6 +28,17 @@ tags: - fail2ban +- name: Disable SSH filter + ini_file: + dest: /etc/fail2ban/jail.local + section: sshd + option: enabled + value: false + notify: restart fail2ban + when: fail2ban_disable_ssh + tags: + - fail2ban + - name: custom filters are installed copy: src: "{{ item }}" From 01ae7b0e311bf2220c21d336edd0b6474fc6179a Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Thu, 23 Aug 2018 09:30:53 +0200 Subject: [PATCH 090/101] Add some new customisable configuration parameters --- mysql/README.md | 10 +++++++++- mysql/defaults/main.yml | 9 +++++++++ mysql/templates/evolinux-custom.cnf.j2 | 10 +++++++++- 3 files changed, 27 insertions(+), 2 deletions(-) diff --git a/mysql/README.md b/mysql/README.md index e3226c1c..f39c6f84 100644 --- a/mysql/README.md +++ b/mysql/README.md 
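Review bot: `value: false` is parsed as a YAML boolean, so what `ini_file` writes into `jail.local` is Python's string form `False`; fail2ban's ConfigParser lower-cases booleans so it works today, but the rendered text depends on module internals rather than on the playbook. Quote it: `value: "false"`. The section name `sshd` also only exists on fail2ban 0.9+; on 0.8.x (Debian jessie) the jail is `[ssh]`, so there the task would create an unused `[sshd]` section and the SSH jail would stay enabled — confirm which releases the role targets and, if both, select the section from `ansible_distribution_release`.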
@@ -20,9 +20,17 @@ Tasks are extracted in several files, included in `tasks/main.yml` : * `mysql_variant` : install Oracle's MySQL or MariaDB (default: `oracle`) [Debian 8 only]; * `mysql_replace_root_with_mysqladmin`: switch from `root` to `mysqladmin` user or not ; +* `mysql_bind_address` : (default: `127.0.0.1`) ; * `mysql_thread_cache_size`: number of threads for the cache ; * `mysql_innodb_buffer_pool_size`: amount of RAM dedicated to InnoDB ; -* `mysql_custom_datadir`: custom datadir +* `mysql_max_connections`: maximum number of simultaneous connections (default: `250`) ; +* `mysql_max_connect_errors`: number of permitted successive interrupted connection requests before a host gets blocked (default: `10`) ; +* `mysql_table_cache`: (default: `64`) ; +* `mysql_tmp_table_size`: (default: `128M`) ; +* `mysql_max_heap_table_size`: (default: `128M`) ; +* `mysql_query_cache_limit`: (default: `8M`) ; +* `mysql_query_cache_size`: (default: `256M`) ; +* `mysql_custom_datadir`: custom datadir. * `mysql_custom_tmpdir`: custom tmpdir. * `general_alert_email`: email address to send various alert messages (default: `root@localhost`). * `log2mail_alert_email`: email address to send Log2mail messages to (default: `general_alert_email`). diff --git a/mysql/defaults/main.yml b/mysql/defaults/main.yml index 44b43d44..1b83fc86 100644 --- a/mysql/defaults/main.yml +++ b/mysql/defaults/main.yml @@ -14,8 +14,17 @@ mysql_replace_root_with_mysqladmin: True mysql_custom_datadir: '' mysql_custom_tmpdir: '' +mysql_bind_address: '127.0.0.1' mysql_thread_cache_size: '{{ ansible_processor_cores }}' mysql_innodb_buffer_pool_size: '{{ (ansible_memtotal_mb * 0.3) | int }}M' +mysql_max_connections: '250' +mysql_max_connect_errors: '10' +mysql_table_cache: '64' +mysql_tmp_table_size: '128M' +mysql_max_heap_table_size: '128M' +mysql_query_cache_limit: '8M' +mysql_query_cache_size: '256M' + mysql_cron_optimize: True mysql_cron_optimize_frequency: weekly 
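Review bot: `mysql_max_connect_errors: '10'` is a tenth of the server's stock value, and once a client host exceeds it mysqld refuses every further connection from that host until `FLUSH HOSTS` is run; a flaky application server, or anything able to interrupt handshakes toward the database from a trusted host, can therefore lock out a legitimate client. Either keep the stock value and let sites lower it, or document the trade-off next to the variable, e.g. `# low on purpose: slows credential guessing, but a host that trips it is blocked until FLUSH HOSTS`. The new `mysql_bind_address: '127.0.0.1'` default is a sound choice for a database that should not be reachable from the network.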
diff --git a/mysql/templates/evolinux-custom.cnf.j2 b/mysql/templates/evolinux-custom.cnf.j2 index fa818eaf..0fff23b9 100644 --- a/mysql/templates/evolinux-custom.cnf.j2 +++ b/mysql/templates/evolinux-custom.cnf.j2 @@ -1,4 +1,12 @@ [mysqld] -#bind-address = 0.0.0.0 +bind-address = {{ mysql_bind_address }} thread_cache_size = {{ mysql_thread_cache_size }} innodb_buffer_pool_size = {{ mysql_innodb_buffer_pool_size }} +max_connections = {{ mysql_max_connections }} +max_connect_errors = {{ mysql_max_connect_errors }} +table_cache = {{ mysql_table_cache }} +tmp_table_size = {{ mysql_tmp_table_size }} +max_heap_table_size = {{ mysql_max_heap_table_size }} +query_cache_limit = {{ mysql_query_cache_limit }} +query_cache_size = {{ mysql_query_cache_size }} + From 12c49ed93bb5e53f145bba7434b642ec5720c3c1 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 23 Aug 2018 11:24:11 +0200 Subject: [PATCH 091/101] fail2ban: add a variable to update the list of ignored IP addresses --- CHANGELOG.md | 1 + fail2ban/README.md | 3 ++- fail2ban/defaults/main.yml | 4 ++++ fail2ban/tasks/main.yml | 11 +++++++++++ 4 files changed, 18 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2af080ad..62790ee1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,7 @@ The **patch** part changes incrementally at each release. * evocheck: the crontab is updated by the role (default: `True`) * evolinux-base: add mail related aliases * fail2ban: add a variable to disable the ssh filter (default: `False`) +* fail2ban: add a variable to update the list of ignored IP addresses/blocs (default: `False`) * generate-ldif: detect installed packages even if "held" by APT * java: support for Oracle JRE * kibana: log messages go to /var/log/kibana/kibana.log diff --git a/fail2ban/README.md b/fail2ban/README.md index d13dbb25..99ab0ae3 100644 --- a/fail2ban/README.md +++ b/fail2ban/README.md 
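Review bot: `table_cache = {{ mysql_table_cache }}` uses the pre-5.1 variable name; on MySQL 5.6 and later the option is `table_open_cache` and an unknown option aborts mysqld at startup, so this single line can keep the database down after a restart on the Oracle variant the README mentions — check the variants and versions the role supports and rename accordingly (`query_cache_*` are likewise gone in MySQL 8.0). Since `bind-address` is now always emitted, a comment such as `# keep on loopback unless clients connect over TLS from trusted hosts` would make the exposure consequence of overriding `mysql_bind_address` explicit.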
@@ -12,7 +12,8 @@ Main variables are : * `general_alert_email`: email address to send various alert messages (default: `root@localhost`). * `fail2ban_alert_email`: email address for messages sent to root (default: `general_alert_email`). -* `fail2ban_ignore_ips`: list of IPs to ignore (default: empty). +* `fail2ban_default_ignore_ips`: default list of IPs to ignore (default: empty). +* `fail2ban_additional_ignore_ips`: additional list of IPs to ignore (default: empty). * `fail2ban_disable_ssh`: if true, the "sshd" filter is disabled, otherwise nothing is done, not even enabling the filter (default: `False`). The full list of variables (with default values) can be found in `defaults/main.yml`. diff --git a/fail2ban/defaults/main.yml b/fail2ban/defaults/main.yml index 06cd9d51..d983b32a 100644 --- a/fail2ban/defaults/main.yml +++ b/fail2ban/defaults/main.yml @@ -2,8 +2,12 @@ general_alert_email: "root@localhost" fail2ban_alert_email: Null +# Note: there are 2 variable to allow various overrides, but they are merged. +# "127.0.0.1/8" is always added to the list, even if the following lists are empty. fail2ban_default_ignore_ips: [] fail2ban_additional_ignore_ips: [] +# WARN: setting this to True will overwrite the list of ignored IP +fail2ban_force_update_ignore_ips: False fail2ban_wordpress: False fail2ban_roundcube: False diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml index e9bd0482..3c6fea69 100644 --- a/fail2ban/tasks/main.yml +++ b/fail2ban/tasks/main.yml @@ -28,6 +28,17 @@ tags: - fail2ban +- name: update ignoreips lists + ini_file: + dest: /etc/fail2ban/jail.local + section: "[DEFAULT]" + option: "ignoreips" + value: "{{ fail2ban_ignore_ips | join(' ') }}" + notify: restart fail2ban + when: fail2fail2ban_force_update_ignore_ips + tags: + - fail2ban + - name: Disable SSH filter ini_file: dest: /etc/fail2ban/jail.local From d09fd169b364f1118ce226b8fccdd47d947367c7 Mon Sep 17 00:00:00 2001 
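Review bot: The `update ignoreips lists` task can never reach fail2ban's real setting: `section: "[DEFAULT]"` makes `ini_file` look for (or create) a section literally named `[[DEFAULT]]`, because the module adds the brackets itself, and `option: "ignoreips"` is not the fail2ban key — the role's own template writes `ignoreip`. It should read `section: DEFAULT` and `option: ignoreip`. The value also omits `127.0.0.1/8`, which the defaults comment in this same commit says is always included, so a forced update could let fail2ban ban localhost; render it as the template does, `value: "{{ ['127.0.0.1/8'] | union(fail2ban_ignore_ips) | unique | join(' ') }}"`. The `fail2fail2ban_` typo in `when:` is corrected by a later commit on this page.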
From: Jeremy Lecour Date: Thu, 23 Aug 2018 12:17:13 +0200 Subject: [PATCH 092/101] mysql: default values should stay in the proper file Default values are set in z-evolinux-defaults.cnf and should be added in zzz-evolinux-custom.cnf only if the value differs from the default. --- mysql/README.md | 16 ++++++++-------- mysql/defaults/main.yml | 20 ++++++++++++-------- mysql/templates/evolinux-custom.cnf.j2 | 21 ++++++++++++++++++++- 3 files changed, 40 insertions(+), 17 deletions(-) diff --git a/mysql/README.md b/mysql/README.md index f39c6f84..4c813a15 100644 --- a/mysql/README.md +++ b/mysql/README.md 
@@ -20,16 +20,16 @@ Tasks are extracted in several files, included in `tasks/main.yml` : * `mysql_variant` : install Oracle's MySQL or MariaDB (default: `oracle`) [Debian 8 only]; * `mysql_replace_root_with_mysqladmin`: switch from `root` to `mysqladmin` user or not ; -* `mysql_bind_address` : (default: `127.0.0.1`) ; * `mysql_thread_cache_size`: number of threads for the cache ; * `mysql_innodb_buffer_pool_size`: amount of RAM dedicated to InnoDB ; -* `mysql_max_connections`: maximum number of simultaneous connections (default: `250`) ; -* `mysql_max_connect_errors`: number of permitted successive interrupted connection requests before a host gets blocked (default: `10`) ; -* `mysql_table_cache`: (default: `64`) ; -* `mysql_tmp_table_size`: (default: `128M`) ; -* `mysql_max_heap_table_size`: (default: `128M`) ; -* `mysql_query_cache_limit`: (default: `8M`) ; -* `mysql_query_cache_size`: (default: `256M`) ; +* `mysql_bind_address` : (default: `Null`, default evolinux config is then used) ; +* `mysql_max_connections`: maximum number of simultaneous connections (default: `Null`, default evolinux config is then used) ; +* `mysql_max_connect_errors`: number of permitted successive interrupted connection requests before a host gets blocked (default: `Null`, default evolinux config is then used) ; +* `mysql_table_cache`: (default: `Null`, default evolinux config is then used) ; +* `mysql_tmp_table_size`: (default: `Null`, default evolinux config is then used) ; +* `mysql_max_heap_table_size`: (default: `Null`, default evolinux config is then used) ; +* `mysql_query_cache_limit`: (default: `Null`, default evolinux config is then used) ; +* `mysql_query_cache_size`: (default: `Null`, default evolinux config is then used) ; * `mysql_custom_datadir`: custom datadir. * `mysql_custom_tmpdir`: custom tmpdir. * `general_alert_email`: email address to send various alert messages (default: `root@localhost`). 
diff --git a/mysql/defaults/main.yml b/mysql/defaults/main.yml index 1b83fc86..d93f7270 100644 --- a/mysql/defaults/main.yml +++ b/mysql/defaults/main.yml @@ -14,16 +14,20 @@ mysql_replace_root_with_mysqladmin: True mysql_custom_datadir: '' mysql_custom_tmpdir: '' -mysql_bind_address: '127.0.0.1' mysql_thread_cache_size: '{{ ansible_processor_cores }}' mysql_innodb_buffer_pool_size: '{{ (ansible_memtotal_mb * 0.3) | int }}M' -mysql_max_connections: '250' -mysql_max_connect_errors: '10' -mysql_table_cache: '64' -mysql_tmp_table_size: '128M' -mysql_max_heap_table_size: '128M' -mysql_query_cache_limit: '8M' -mysql_query_cache_size: '256M' + +# If these variables are changed to non-Null values, +# they will be added in the zzz-evolinux-custom.cnf file. +# Otherwise, the value from de the z-evolinux-defaults.cnf file will preveil. +mysql_bind_address: Null +mysql_max_connections: Null +mysql_max_connect_errors: Null +mysql_table_cache: Null +mysql_tmp_table_size: Null +mysql_max_heap_table_size: Null +mysql_query_cache_limit: Null +mysql_query_cache_size: Null mysql_cron_optimize: True diff --git a/mysql/templates/evolinux-custom.cnf.j2 b/mysql/templates/evolinux-custom.cnf.j2 index 0fff23b9..796a1429 100644 --- a/mysql/templates/evolinux-custom.cnf.j2 +++ b/mysql/templates/evolinux-custom.cnf.j2 
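Review bot: The new comment block in `defaults/main.yml` has two typos that every operator overriding these values will read: `the value from de the z-evolinux-defaults.cnf file will preveil` should read `the value from the z-evolinux-defaults.cnf file will prevail`. It would also help to state there what that defaults file sets for `bind-address`, because with `mysql_bind_address: Null` the custom file no longer pins the listener to loopback and the effective network exposure now depends on a file outside this diff — confirm it is `127.0.0.1` and say so in the comment.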
@@ -1,12 +1,31 @@ [mysqld] +{% if mysql_bind_address %} bind-address = {{ mysql_bind_address }} +{% endif %} +{% if mysql_thread_cache_size %} thread_cache_size = {{ mysql_thread_cache_size }} +{% endif %} +{% if mysql_innodb_buffer_pool_size %} innodb_buffer_pool_size = {{ mysql_innodb_buffer_pool_size }} +{% endif %} +{% if mysql_max_connections %} max_connections = {{ mysql_max_connections }} +{% endif %} +{% if mysql_max_connect_errors %} max_connect_errors = {{ mysql_max_connect_errors }} +{% endif %} +{% if mysql_table_cache %} table_cache = {{ mysql_table_cache }} +{% endif %} +{% if mysql_tmp_table_size %} tmp_table_size = {{ mysql_tmp_table_size }} +{% endif %} +{% if mysql_max_heap_table_size %} max_heap_table_size = {{ mysql_max_heap_table_size }} +{% endif %} +{% if mysql_query_cache_limit %} query_cache_limit = {{ mysql_query_cache_limit }} +{% endif %} +{% if mysql_query_cache_limit %} query_cache_size = {{ mysql_query_cache_size }} - +{% endif %} From bb956fb5e7943e1fc15ec11de595f04887ba00e4 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 23 Aug 2018 13:02:25 +0200 Subject: [PATCH 093/101] apache: logrotate replacement is more subtle/precise It replaces only the proper directive and not every occurence of the word. --- CHANGELOG.md | 1 + apache/tasks/main.yml | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 62790ee1..030606f1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -44,6 +44,7 @@ The **patch** part changes incrementally at each release. * kvm-host: install kvm-tools package instead of copying add-vm.sh ### Fixed +* apache: logrotate replacement is more subtle/precise. It replaces only the proper directive and not every occurence of the word. * bind: chroot-bind.sh must not be executed in check mode * evoacme: fix module detection in apache config * fail2ban: fix fail2ban_ignore_ips definition 
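Review bot: The last guard tests the wrong variable: `{% if mysql_query_cache_limit %}` wraps `query_cache_size = {{ mysql_query_cache_size }}`, so setting only `mysql_query_cache_size` emits nothing, and setting only `mysql_query_cache_limit` renders `query_cache_size = None`, which mysqld rejects at startup. Change the guard to `{% if mysql_query_cache_size %}`. The `table_cache` option name carried over from the previous commit is still present and still a startup risk on servers that only know `table_open_cache`.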
diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index 6801ba22..19858569 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -174,8 +174,8 @@ - name: "logrotate: keep 52 files" replace: dest: /etc/logrotate.d/apache2 - regexp: "rotate .+" - replace: "rotate 52" + regexp: '^(\s+rotate) \d+$' + replace: '\1 52' tags: - apache From 6077986204869984ba382c8e41a1eb37bbb81471 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 23 Aug 2018 16:48:50 +0200 Subject: [PATCH 094/101] fail2ban: fix typo in variable name --- fail2ban/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml index 3c6fea69..db6af2d4 100644 --- a/fail2ban/tasks/main.yml +++ b/fail2ban/tasks/main.yml @@ -35,7 +35,7 @@ option: "ignoreips" value: "{{ fail2ban_ignore_ips | join(' ') }}" notify: restart fail2ban - when: fail2fail2ban_force_update_ignore_ips + when: fail2ban_force_update_ignore_ips tags: - fail2ban From 3e3c6437e8c30008fb14e4d2c29b77c68faaf36d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 24 Aug 2018 00:28:15 +0200 Subject: [PATCH 095/101] etc-git: install a script to optimize the repository each month --- CHANGELOG.md | 1 + etc-git/files/optimize-etc-git | 3 +++ etc-git/tasks/main.yml | 9 +++++++++ 3 files changed, 13 insertions(+) create mode 100644 etc-git/files/optimize-etc-git diff --git a/CHANGELOG.md b/CHANGELOG.md index 030606f1..7a12ca9a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
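Review bot: `^(\s+rotate) \d+$` requires at least one leading whitespace character and exactly one space before the count, so a `rotate` directive written at column 0, or separated from its number by a tab, is left untouched while the task reports success and log retention silently stays at the distro default. `regexp: '^(\s*rotate)\s+\d+$'` handles both forms, and `replace` matches per line so the anchors still behave. Renaming the task to `"logrotate: keep 52 files (rotate directive only)"` would record why the pattern is anchored the way it is.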
@@ -18,6 +18,7 @@ The **patch** part changes incrementally at each release. * evocheck: the crontab is updated by the role (default: `True`) * evolinux-base: add mail related aliases * fail2ban: add a variable to disable the ssh filter (default: `False`) +* etc-git: install a script to optimize the repository each month * fail2ban: add a variable to update the list of ignored IP addresses/blocs (default: `False`) * generate-ldif: detect installed packages even if "held" by APT * java: support for Oracle JRE diff --git a/etc-git/files/optimize-etc-git b/etc-git/files/optimize-etc-git new file mode 100644 index 00000000..a7b7510f --- /dev/null +++ b/etc-git/files/optimize-etc-git @@ -0,0 +1,3 @@ +#!/bin/sh + +git --git-dir /etc/.git gc --quiet diff --git a/etc-git/tasks/main.yml b/etc-git/tasks/main.yml index 53b63825..39f97e4d 100644 --- a/etc-git/tasks/main.yml +++ b/etc-git/tasks/main.yml @@ -65,3 +65,12 @@ when: git_log.rc != 0 or (git_init is defined and git_init.changed) tags: - etc-git + +- name: Optimize script is installed in monthly crontab + copy: + src: optimize-etc-git + dest: /etc/cron.monthly/optimize-etc-git + mode: "0750" + force: no + tags: + - etc-git From c1afb68d195b24d0d1ead3835686f6546928ec71 Mon Sep 17 00:00:00 2001 
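Review bot: The `copy` into `/etc/cron.monthly/` sets `mode: "0750"` but no `owner`/`group`, unlike the `/etc/.git is restricted to root` task in the same file; a script that run-parts executes as root should state `owner: root` and `group: root` rather than inherit them from the connecting user. `force: no` also means any later fix to `optimize-etc-git` in the role will never reach hosts that already have the file — if local edits to it are not expected, drop that line. A comment in the script saying why `gc` is needed (the role commits `/etc` on every run, so loose objects accumulate) would explain its existence to whoever finds it in cron.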
From: Jeremy Lecour Date: Fri, 24 Aug 2018 12:08:55 +0200 Subject: [PATCH 096/101] Add an "evolinux-todo" role It makes sure there is a /etc/evolinux/todo.txt where we can append tasks to be done manually. It has a task to output the content of the file, for exemple at the end of a playbook run. --- evolinux-todo/.kitchen.yml | 28 +++++++++++++++++++++++++ evolinux-todo/README.md | 15 ++++++++++++++ evolinux-todo/files/todo.defaults.txt | 0 evolinux-todo/meta/main.yml | 30 +++++++++++++++++++++++++++ evolinux-todo/tasks/cat.yml | 16 ++++++++++++++ evolinux-todo/tasks/main.yml | 14 +++++++++++++ evolinux-todo/tests/test.yml | 4 ++++ 7 files changed, 107 insertions(+) create mode 100644 evolinux-todo/.kitchen.yml create mode 100644 evolinux-todo/README.md create mode 100644 evolinux-todo/files/todo.defaults.txt create mode 100644 evolinux-todo/meta/main.yml create mode 100644 evolinux-todo/tasks/cat.yml create mode 100644 evolinux-todo/tasks/main.yml create mode 100644 evolinux-todo/tests/test.yml diff --git a/evolinux-todo/.kitchen.yml b/evolinux-todo/.kitchen.yml new file mode 100644 index 00000000..b21cc3db --- /dev/null +++ b/evolinux-todo/.kitchen.yml @@ -0,0 +1,28 @@ +--- +driver: + name: docker + privileged: true + use_sudo: false + +provisioner: + name: ansible_playbook + hosts: test-kitchen + roles_path: ../ + ansible_verbose: true + require_ansible_source: false + require_chef_for_busser: false + idempotency_test: true + +platforms: + - name: debian + driver_config: + image: evolix/ansible:2.2.1 + +suites: + - name: default + provisioner: + name: ansible_playbook + playbook: ./tests/test.yml + +transport: + max_ssh_sessions: 6 diff --git a/evolinux-todo/README.md b/evolinux-todo/README.md new file mode 100644 index 00000000..52c397c7 --- /dev/null +++ b/evolinux-todo/README.md 
@@ -0,0 +1,15 @@ +# evocheck + +Creates an /etc/evolinux/todo.txt file to hold information about things to do, gathered by humans or other Ansible tasks + +## Tasks + +The main tasks install the default file if missing. + +A separate `cat.yml` file can be imported manually in playbooks or roles to get the content of the file. Example : + +``` +- include_role: + name: evolinux-todo + tasks_from: cat.yml +``` diff --git a/evolinux-todo/files/todo.defaults.txt b/evolinux-todo/files/todo.defaults.txt new file mode 100644 index 00000000..e69de29b diff --git a/evolinux-todo/meta/main.yml b/evolinux-todo/meta/main.yml new file mode 100644 index 00000000..041e58cc --- /dev/null +++ b/evolinux-todo/meta/main.yml @@ -0,0 +1,30 @@ +galaxy_info: + author: Jeremy Lecour + description: Install evolinux-todo + company: Evolix + + issue_tracker_url: https://forge.evolix.org/projects/evocheck/issues + + license: GPLv2 + + min_ansible_version: 2.2 + + platforms: + - name: Debian + versions: + - jessie + - stretch + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is + # a keyword that describes and categorizes the role. + # Users find roles by searching for tags. Be sure to + # remove the '[]' above if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of + # alphanumeric characters. Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. + # Be sure to remove the '[]' above if you add dependencies + # to this list. diff --git a/evolinux-todo/tasks/cat.yml b/evolinux-todo/tasks/cat.yml new file mode 100644 index 00000000..c303009d --- /dev/null +++ b/evolinux-todo/tasks/cat.yml 
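Review bot: `issue_tracker_url` in `meta/main.yml` points at the evocheck project (`https://forge.evolix.org/projects/evocheck/issues`) although this is the new evolinux-todo role, and the README header in the same commit also reads `# evocheck`, so this looks like a copy of that role's metadata. Point the URL at the evolinux-todo (or ansible-roles) tracker and make `description` say what the role does, e.g. `description: Maintain /etc/evolinux/todo.txt, a list of manual tasks left by playbooks`.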
@@ -0,0 +1,16 @@ +--- + +- name: cat /etc/evolinux/todo.txt + command: "cat /etc/evolinux/todo.txt" + register: evolinux_todo + changed_when: False + failed_when: False + check_mode: no + +- debug: + var: evolinux_todo.stdout_lines + when: evolinux_todo.stdout != "" + +- debug: + msg: "There is nothing to do !" + when: evolinux_todo.stdout == "" diff --git a/evolinux-todo/tasks/main.yml b/evolinux-todo/tasks/main.yml new file mode 100644 index 00000000..bd098c72 --- /dev/null +++ b/evolinux-todo/tasks/main.yml @@ -0,0 +1,14 @@ +--- + +- name: /etc/evolinux is present + file: + dest: /etc/evolinux + mode: "0700" + state: directory + +- name: /etc/evolinux/todo.txt is present + copy: + src: todo.defaults.txt + dest: /etc/evolinux/todo.txt + mode: "0640" + force: no diff --git a/evolinux-todo/tests/test.yml b/evolinux-todo/tests/test.yml new file mode 100644 index 00000000..2c9b5d72 --- /dev/null +++ b/evolinux-todo/tests/test.yml @@ -0,0 +1,4 @@ +--- +- hosts: test-kitchen + roles: + - role: evolinux-todo From fe064c16d1fb0b9e8721220192877639bb01df81 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 24 Aug 2018 14:29:30 +0200 Subject: [PATCH 097/101] update CHANGELOG for evolinux-todo --- CHANGELOG.md | 2 ++ evolinux-base/tasks/etc-evolinux.yml | 18 +++++++++++------- 2 files changed, 13 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7a12ca9a..a116e21d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
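Review bot: `failed_when: False` on `cat /etc/evolinux/todo.txt` turns a missing or unreadable file into an empty `stdout`, so the second `debug` then prints `There is nothing to do !` when the task in fact could not read the list. Keep the failure visible, for example `failed_when: evolinux_todo.rc != 0`, or read the file with `slurp:` and `b64decode` instead of a shell `cat`; the file is created by this role's `main.yml`, so its absence is itself worth reporting rather than hiding.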
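Review bot: Both tasks in `main.yml` set a restrictive `mode` (`0700`, `0640`) but neither sets `owner`/`group`, so ownership comes from the connection user; the evolinux-base task this role replaces later on this page set `owner: root` and `group: root` explicitly, and the restrictive modes only protect the file if root owns it. Add `owner: root` and `group: root` to both the `file` and the `copy` task. `force: no` is right for a file humans append to, and a comment saying so (`# never overwrite: operators and other roles append to this file`) would save the next reader a question.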
@@ -17,6 +17,7 @@ The **patch** part changes incrementally at each release. * evocheck: detect installed packages even if "held" by APT (manual fix) * evocheck: the crontab is updated by the role (default: `True`) * evolinux-base: add mail related aliases +* evolinux-todo: new role, to help maintain a file of todo tasks * fail2ban: add a variable to disable the ssh filter (default: `False`) * etc-git: install a script to optimize the repository each month * fail2ban: add a variable to update the list of ignored IP addresses/blocs (default: `False`) @@ -31,6 +32,7 @@ The **patch** part changes incrementally at each release. ### Changed * evocheck: update upstream script * evolinux-base: improve hostname configuration (real vs. internal) +* evolinux-base: use the "evolinux-todo" role * evolinux-users: add sudo permission for bkctld check * java8: renamed to java (java8 symlinked to java for backward compatibility) * minifirewall: the tail file can be overwritten, or not (default: `True`) diff --git a/evolinux-base/tasks/etc-evolinux.yml b/evolinux-base/tasks/etc-evolinux.yml index 2aee963f..d6562e68 100644 --- a/evolinux-base/tasks/etc-evolinux.yml +++ b/evolinux-base/tasks/etc-evolinux.yml @@ -1,9 +1,13 @@ --- -- name: /etc/evolinux exists - file: - dest: /etc/evolinux - owner: root - group: root - mode: "0700" - state: directory +### This is taken care of by the evolinux-todo role +# - name: /etc/evolinux exists +# file: +# dest: /etc/evolinux +# owner: root +# group: root +# mode: "0700" +# state: directory + +- include_role: + name: evolinux-todo From d138c00db82f5a1b4df3a24405eb919dd055371f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 24 Aug 2018 14:44:51 +0200 Subject: [PATCH 098/101] etc-git: some entries of .gitignore are mandatory --- CHANGELOG.md | 1 + etc-git/files/gitignore | 6 +----- etc-git/tasks/main.yml | 16 +++++++++++++++- 3 files changed, 17 insertions(+), 6 deletions(-) 
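Review bot: In evolinux-base/tasks/etc-evolinux.yml the replaced task is kept as a commented-out block above the new `include_role`; it should be deleted outright, since git history preserves it and a comment that restates a task invites drift. Note also that the removed task enforced `owner: root` and `group: root` on /etc/evolinux, and the `include_role: name: evolinux-todo` that replaces it only provides that guarantee if the evolinux-todo role itself sets ownership, which is worth confirming before relying on the 0700 mode. A one-line comment such as `# /etc/evolinux is created and restricted to root by the evolinux-todo role` would document the dependency without the dead code.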
diff --git a/CHANGELOG.md b/CHANGELOG.md index a116e21d..d4de0391 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -30,6 +30,7 @@ The **patch** part changes incrementally at each release. * nagios-nrpe: add check_postgrey ### Changed +* etc-git: some entries of .gitignore are mandatory * evocheck: update upstream script * evolinux-base: improve hostname configuration (real vs. internal) * evolinux-base: use the "evolinux-todo" role diff --git a/etc-git/files/gitignore b/etc-git/files/gitignore index 7f8a0e4a..39002e32 100644 --- a/etc-git/files/gitignore +++ b/etc-git/files/gitignore @@ -1,5 +1 @@ -aliases.db -*.swp -postfix/sa-blacklist.access -postfix/*.db -postfix/spamd.cidr +# Default /etc/.gitignore file diff --git a/etc-git/tasks/main.yml b/etc-git/tasks/main.yml index 39f97e4d..452711c9 100644 --- a/etc-git/tasks/main.yml +++ b/etc-git/tasks/main.yml @@ -26,7 +26,7 @@ tags: - etc-git -- name: /etc/.git is secure +- name: /etc/.git is restricted to root file: path: /etc/.git owner: root @@ -41,6 +41,20 @@ dest: /etc/.gitignore owner: root mode: "0600" + force: no + tags: + - etc-git + +- name: Some entries MUST be in the /etc/.gitignore file + lineinfile: + dest: /etc/.gitignore + line: "{{ item }}" + with_items: + - "aliases.db" + - "*.swp" + - "postfix/sa-blacklist.access" + - "postfix/*.db" + - "postfix/spamd.cidr" tags: - etc-git From 673d5a68c5b32db618a9c75f31457fbfc996763f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 24 Aug 2018 18:11:19 +0200 Subject: [PATCH 099/101] squid: change a task name --- squid/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/squid/tasks/main.yml b/squid/tasks/main.yml index 19e6949c..17429954 100644 --- a/squid/tasks/main.yml +++ b/squid/tasks/main.yml 
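Review bot: In etc-git/tasks/main.yml, the `force: no` added to the copy task means an existing /etc/.gitignore is left untouched, and I am not certain the copy module still applies `owner: root` and `mode: "0600"` to a pre-existing destination in that case; a separate `file:` task (`path: /etc/.gitignore`, `owner: root`, `mode: "0600"`) would enforce those attributes on every run regardless of whether the default file was installed. The new "Some entries MUST be" task relies on `lineinfile` exact-line matching, so an entry already present with different spacing or a trailing comment would be appended a second time; that is harmless for git but a `regexp` per entry would keep the file tidy. Both boolean values (`force: no`) should use the canonical `false` form.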
@@ -44,7 +44,7 @@ notify: "reload squid3" when: ansible_distribution_release == "jessie" -- name: "evolinux custom squid file (Debian 9 or later)" +- name: "evolinux defaults squid file (Debian 9 or later)" copy: src: evolinux-defaults.conf dest: /etc/squid/evolinux-defaults.conf From 3f6739837151efd5c95e8a25cc6a2d07c168c2a4 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 24 Aug 2018 18:22:18 +0200 Subject: [PATCH 100/101] =?UTF-8?q?evolinux-todo:=20don't=20echo=20"nothin?= =?UTF-8?q?g=E2=80=A6"=20when=20verbosity=3D0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- evolinux-todo/tasks/cat.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/evolinux-todo/tasks/cat.yml b/evolinux-todo/tasks/cat.yml index c303009d..9cebeca5 100644 --- a/evolinux-todo/tasks/cat.yml +++ b/evolinux-todo/tasks/cat.yml @@ -7,10 +7,7 @@ failed_when: False check_mode: no -- debug: +- name: "Content of /etc/evolinux/todo.txt" + debug: var: evolinux_todo.stdout_lines when: evolinux_todo.stdout != "" - -- debug: - msg: "There is nothing to do !" - when: evolinux_todo.stdout == "" From 191a49784d56f0392b8951c309f0deba33e8607c Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 24 Aug 2018 18:24:14 +0200 Subject: [PATCH 101/101] Release 9.3.0 --- CHANGELOG.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d4de0391..9461a8c1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,16 @@ The **patch** part changes incrementally at each release. ## [Unreleased] +### Added + +### Changed + +### Fixed + +### Security + +## [9.3.0] - 2018-08-24 + ### Added * elasticsearch: tmpdir configuration compatible with 5.x also * elasticsearch: add http.publish_host variable 
@@ -56,8 +66,6 @@ The **patch** part changes incrementally at each release. * php: fpm slowlog needs an absolute path * roundcube: add missing slash to https redirection -### Security - ## [9.2.0] - 2018-05-16 ### Changed