Merge branch 'unstable' into stable

CHANGELOG.md

@@ -20,6 +20,30 @@ The **patch** part changes is incremented if multiple releases happen the same m
 
 ### Security
 
+## [22.06.2] 2022-06-10
+
+### Added
+
+* postgresql: add variable to configure binding addresses (default: 127.0.0.1)
+
+### Changed
+
+* evocheck: upstream release 22.06.2
+* fail2ban: Give the possibility to override jail.local (with fail2ban_override_jaillocal)
+* fail2ban: If jail.local was overriden, add a warning
+* fail2ban: Allow to tune some jail settings (maxretry, bantime, findtime) with ansible
+* fail2ban: Allow to tune the default action with ansible
+* fail2ban: Change default action to ban only (instead of ban + mail with whois report)
+* fail2ban: Configure recidive jail (off by default) + extend dbpurgeage
+* redis: binding is possible on multiple interfaces (breaking change)
+
+### Fixed
+
+* Enforce String notation for mode
+* postgresql: fix nested loop for Munin plugins
+* postgresql: Fix task order when using pgdg repo
+* postgresql: Install the right pg version
+
 ## [22.06.1] 2022-06-06
 
 ### Changed

elasticsearch/tasks/configuration.yml

@@ -102,7 +102,7 @@
     create: yes
     owner: root
     group: elasticsearch
-    mode: 0640
+    mode: "0640"
   tags:
     - config
 
@@ -114,7 +114,7 @@
     create: yes
     owner: root
     group: elasticsearch
-    mode: 0640
+    mode: "0640"
   tags:
     - config
 

elasticsearch/tasks/tmpdir.yml

@@ -32,7 +32,7 @@
         create: yes
         owner: root
         group: elasticsearch
-        mode: 0640
+        mode: "0640"
       notify:
         - restart elasticsearch
       tags:

evobackup-client/tasks/upload_scripts.yml

@@ -5,7 +5,7 @@
     src: "{{ item }}"
     dest: "{{ evobackup_client__cron_path }}"
     force: true
-    mode: 0755
+    mode: "0755"
   loop: "{{ query('first_found', templates) }}"
   vars:
     templates:

evocheck/files/evocheck.sh

@@ -4,7 +4,7 @@
 # Script to verify compliance of a Debian/OpenBSD server
 # powered by Evolix
 
-VERSION="22.06.1"
+VERSION="22.06.2"
 readonly VERSION
 
 # base functions
@@ -742,9 +742,7 @@ check_backupuptodate() {
     backup_dir="/home/backup"
     if [ -d "${backup_dir}" ]; then
         if [ -n "$(ls -A ${backup_dir})" ]; then
-            # Look for all files, including subdirectories.
-            # If this turns out to be problematic, we can go back to first level only, with --max-depth=1
-            find "${backup_dir}" -type f | while read -r file; do
+            find "${backup_dir}" -type f -maxdepth 1 | while read -r file; do
                 limit=$(date +"%s" -d "now - 2 day")
                 updated_at=$(stat -c "%Y" "$file")
 

fail2ban/defaults/main.yml

@@ -6,10 +6,43 @@ fail2ban_alert_email: Null
 # "127.0.0.1/8" is always added to the list, even if the following lists are empty.
 fail2ban_default_ignore_ips: []
 fail2ban_additional_ignore_ips: []
+
 # WARN: setting this to True will overwrite the list of ignored IP
 fail2ban_force_update_ignore_ips: False
 
-fail2ban_wordpress: False
-fail2ban_roundcube: False
+fail2ban_override_jaillocal: False
 
-fail2ban_disable_ssh: False
+fail2ban_default_maxretry: 5
+fail2ban_default_bantime: 10m
+fail2ban_default_findtime: 10m
+
+# Default fail2ban action. Chose beetween :
+# - "action_" : (default) - ban only (following banaction)
+# - "action_mw" : ban & send an email with whois report
+# - "action_mwl" : ban & send an email with whois and log lines
+fail2ban_default_action: "action_"
+
+fail2ban_sshd: True
+fail2ban_sshd_maxretry: 10
+fail2ban_sshd_bantime: "{{ fail2ban_default_bantime }}"
+fail2ban_sshd_findtime: "{{ fail2ban_default_findtime }}"
+
+fail2ban_recidive: False
+fail2ban_recidive_maxretry: 3
+fail2ban_recidive_bantime: 1w
+fail2ban_recidive_findtime: 1d
+
+fail2ban_wordpress_hard: False
+fail2ban_wordpress_hard_maxretry: 1
+fail2ban_wordpress_hard_bantime: "{{ fail2ban_default_bantime }}"
+fail2ban_wordpress_hard_findtime: "{{ fail2ban_default_findtime }}"
+
+fail2ban_wordpress_soft: False
+fail2ban_wordpress_soft_maxretry: 5
+fail2ban_wordpress_soft_bantime: "{{ fail2ban_default_bantime }}"
+fail2ban_wordpress_soft_findtime: "{{ fail2ban_default_findtime }}"
+
+fail2ban_roundcube: False
+fail2ban_roundcube_maxretry: 5
+fail2ban_roundcube_bantime: "{{ fail2ban_default_bantime }}"
+fail2ban_roundcube_findtime: "{{ fail2ban_default_findtime }}"

fail2ban/tasks/main.yml

@@ -12,6 +12,7 @@
   loop:
     - "/etc/fail2ban"
     - "/etc/fail2ban/filter.d"
+    - "/etc/fail2ban/fail2ban.d"
   tags:
     - fail2ban
 
@@ -25,7 +26,7 @@
     src: jail.local.j2
     dest: /etc/fail2ban/jail.local
     mode: "0644"
-    force: no
+    force: "{{ fail2ban_override_jaillocal }}"
   notify: restart fail2ban
   tags:
     - fail2ban
@@ -36,17 +37,6 @@
   tags:
     - fail2ban
 
-- name: Disable SSH filter
-  ini_file:
-    dest: /etc/fail2ban/jail.local
-    section: sshd
-    option: enabled
-    value: false
-  notify: restart fail2ban
-  when: fail2ban_disable_ssh | bool
-  tags:
-    - fail2ban
-
 - name: custom filters are installed
   copy:
     src: "{{ item }}"
@@ -62,7 +52,7 @@
   tags:
     - fail2ban
 
-- name: package is installed
+- name: package fail2ban is installed
   apt:
     name: fail2ban
     state: present
@@ -100,3 +90,17 @@
   tags:
     - fail2ban
     - munin
+
+- name: "Extend dbpurgeage if recidive jail is enabled"
+  blockinfile:
+    dest: /etc/fail2ban/fail2ban.d/recidive_dbpurgeage
+    marker: "# ANSIBLE MANAGED"
+    block: |
+      [DEFAULT]
+      dbpurgeage = {{ fail2ban_recidive_bantime}}
+    insertafter: EOF
+    create: yes
+    mode: "0644"
+  notify: restart fail2ban
+  when:
+    - fail2ban_recidive

fail2ban/templates/jail.local.j2

@@ -1,61 +1,65 @@
 # EvoLinux Fail2Ban config.
 
+{% if fail2ban_override_jaillocal %}
+# WARNING : THIS FILE IS (PROBABLY) ANSIBLE MANAGED AS IT WAS OVERWRITTEN BY ANSIBLE
+{% endif %}
+
 [DEFAULT]
 
 # "ignoreip" can be an IP address, a CIDR mask or a DNS host
 ignoreip = {{ ['127.0.0.1/8'] | union(fail2ban_ignore_ips) | unique | join(' ') }}
 
-bantime  = 600
-maxretry = 3
-
-# "backend" specifies the backend used to get files modification. Available
-# options are "gamin", "polling" and "auto".
-# yoh: For some reason Debian shipped python-gamin didn't work as expected
-#      This issue left ToDo, so polling is default backend for now
-backend = auto
+bantime  = {{ fail2ban_default_bantime }}
+maxretry = {{ fail2ban_default_maxretry }}
 
 destemail = {{ fail2ban_alert_email or general_alert_email | mandatory }}
 
 # ACTIONS
-
 banaction = iptables-multiport
-mta = sendmail
-protocol = tcp
-chain = INPUT
-action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
-               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
+action = %({{fail2ban_default_action}})s
 
-action = %(action_mwl)s
 
 [sshd]
+enabled = {{ fail2ban_sshd }}
 port    = ssh,2222,22222
-logpath = %(sshd_log)s
-backend = %(sshd_backend)s
-maxretry = 10
 
-{% if fail2ban_wordpress %}
+maxretry = {{ fail2ban_sshd_maxretry }}
+findtime = {{ fail2ban_sshd_findtime }}
+bantime = {{ fail2ban_sshd_bantime }}
+
+[recidive]
+enabled = {{ fail2ban_recidive }}
+
+maxretry = {{ fail2ban_recidive_maxretry }}
+findtime = {{ fail2ban_recidive_findtime }}
+bantime = {{ fail2ban_recidive_bantime }}
+
+
+# Evolix custom jails 
+
 [wordpress-hard]
-enabled = true
-port = http,https
+enabled = {{ fail2ban_wordpress_hard }}
+port = http, https
 filter = wordpress-hard
 logpath = /var/log/auth.log
-maxretry = 1
-findtime = 300
+maxretry = {{ fail2ban_wordpress_hard_maxretry }}
+findtime = {{ fail2ban_wordpress_hard_findtime }}
+bantime = {{ fail2ban_wordpress_hard_bantime }}
 
 [wordpress-soft]
-enabled = true
-port = http,https
+enabled = {{ fail2ban_wordpress_soft }}
+port = http, https
 filter = wordpress-soft
 logpath = /var/log/auth.log
-maxretry = 5
-findtime = 300
-{% endif %}
+maxretry = {{ fail2ban_wordpress_soft_maxretry }}
+findtime = {{ fail2ban_wordpress_soft_findtime }}
+bantime = {{ fail2ban_wordpress_soft_bantime }}
 
-{% if fail2ban_roundcube %}
 [roundcube]
-enabled  = true
-port     = http,https
+enabled  = {{ fail2ban_roundcube }}
+port     = http, https
 filter   = roundcube
 logpath  = /var/lib/roundcube/logs/errors
-maxretry = 5
-{% endif %}
+maxretry = {{ fail2ban_roundcube_maxretry }}
+findtime = {{ fail2ban_roundcube_findtime }}
+bantime = {{ fail2ban_roundcube_bantime }}

keepalived/tasks/main.yml

@@ -46,7 +46,7 @@
   template:
     src: keepalived.conf.j2
     dest: /etc/keepalived/keepalived.conf
-    mode: 0644
+    mode: "0644"
   notify: restart keepalived
   tags:
     - keepalived

kvm-host/tasks/munin.yml

@@ -27,16 +27,18 @@
     - kvm_mem
   notify: restart munin-node
 
-- name: Enable redis munin plugin
+- name: Enable Munin plugins
   file:
-    src: "/usr/local/share/munin/plugins/{{item}}"
-    dest: "/etc/munin/plugins/{{item}}"
+    src: "/usr/local/share/munin/plugins/{{ plugin_name }}"
+    dest: "/etc/munin/plugins/{{ plugin_name }}"
     state: link
     force: yes
   loop:
     - kvm_cpu
     - kvm_io
     - kvm_mem
+  loop_control:
+    loop_var: plugin_name
   notify: restart munin-node
 
 - name: Copy Munin plugins conf

packweb-apache/tasks/multiphp.yml

@@ -13,13 +13,13 @@
   copy:
     src: phpContainer
     dest: /usr/local/bin/phpContainer
-    mode: 0755
+    mode: "0755"
 
 # - name: Copy php shim to call phpContainer when the user is a web user
 #   copy:
 #     src: multiphp-shim
 #     dest: /usr/local/bin/php
-#     mode: 0755
+#     mode: "0755"
 
 # - name: Modify bashrc skel file
 #   lineinfile:

postgresql/defaults/main.yml

@@ -8,6 +8,10 @@ postgresql_work_mem: 8MB
 postgresql_random_page_cost: 1.5
 postgresql_effective_cache_size: "{{ (ansible_memtotal_mb * 0.5) | int }}MB"
 
+# Binding
+postgresql_listen_addresses:
+  - "127.0.0.1"
+
 # PostgreSQL version
 postgresql_version: ''
 

postgresql/tasks/munin.yml

@@ -30,7 +30,15 @@
     dest: '/etc/munin/plugins/{{item[0]}}{{item[1]}}'
   loop: "{{ _plugins | product(_databases) | list }}"
   vars:
-    _plugins: ['postgres_cache_', 'postgres_connections_', 'postgres_locks_', 'postgres_querylength_', 'postgres_scans_', 'postgres_size_', 'postgres_transactions_', 'postgres_tuples_']
-    _databases: postgresql_databases
+    _plugins:
+      - 'postgres_cache_'
+      - 'postgres_connections_'
+      - 'postgres_locks_'
+      - 'postgres_querylength_'
+      - 'postgres_scans_'
+      - 'postgres_size_'
+      - 'postgres_transactions_'
+      - 'postgres_tuples_'
+    _databases: "{{ postgresql_databases }}"
   notify: restart munin-node
   when: etc_munin_plugins.stat.exists and usr_share_munin_plugins.stat.exists

postgresql/tasks/packages_bullseye.yml

@@ -11,6 +11,6 @@
 - name: Install postgresql package
   apt:
     name:
-      - postgresql
+      - "postgresql-{{postgresql_version}}"
       - pgtop
       - libdbd-pg-perl

postgresql/tasks/packages_buster.yml

@@ -11,6 +11,6 @@
 - name: Install postgresql package
   apt:
     name:
-      - postgresql
+      - "postgresql-{{postgresql_version}}"
       - pgtop
       - libdbd-pg-perl

postgresql/tasks/packages_stretch.yml

@@ -11,6 +11,6 @@
 - name: Install postgresql package
   apt:
     name:
-      - postgresql
+      - "postgresql-{{postgresql_version}}"
       - ptop
       - libdbd-pg-perl

postgresql/tasks/pgdg-repo.yml

@@ -2,17 +2,12 @@
 - name: Open firewall for PGDG repository
   replace:
     name: /etc/default/minifirewall
-    regexp: "^(HTTPSITES='((?!apt\\.postgresql\\.org).)*)'$"
+    regexp: "^(HTTPSITES='((?!apt\\.postgresql\\.org|0\\.0\\.0\\.0).)*)'$"
     replace: "\\1 apt.postgresql.org'"
   notify: Restart minifirewall
 
 - meta: flush_handlers
 
-- name: Add PGDG repository
-  apt_repository:
-    repo: "deb http://apt.postgresql.org/pub/repos/apt/ {{ansible_distribution_release}}-pgdg main"
-    update_cache: yes
-
 - name: Look for legacy apt keyring
   stat:
     path: /etc/apt/trusted.gpg
@@ -34,9 +29,9 @@
     owner: root
     group: root
 
-- name: Update and upgrade apt packages for PGDG repository
-  apt:
-    upgrade: yes
+- name: Add PGDG repository
+  apt_repository:
+    repo: "deb http://apt.postgresql.org/pub/repos/apt/ {{ansible_distribution_release}}-pgdg main"
     update_cache: yes
 
 - name: Add APT preference file

postgresql/templates/postgresql.conf.j2

@@ -1,6 +1,7 @@
 # Tuning
 shared_buffers = {{ postgresql_shared_buffers }}
 work_mem = {{ postgresql_work_mem }}
+listen_addresses = '{{ postgresql_listen_addresses | join(',') }}'
 #shared_preload_libraries = 'pg_stat_statements'
 #synchronous_commit = off
 {% if postgresql_version is version('9.5', '<') %}
@@ -13,7 +14,7 @@ checkpoint_completion_target = 0.9
 random_page_cost = {{ postgresql_random_page_cost }}
 effective_cache_size = {{ postgresql_effective_cache_size }}
 
-# Loging
+# Logging
 log_min_duration_statement = 1s
 log_checkpoints = on
 log_lock_waits = on

redis/README.md

@@ -14,7 +14,7 @@ Main variables are :
 
 * `redis_conf_dir`: config directory ;
 * `redis_port`: listening TCP port ;
-* `redis_bind_interface`: listening IP address ;
+* `redis_bind_interfaces`: listening IP addresses (array) ;
 * `redis_password`: password for redis. Empty means no password ;
 * `redis_socket_dir`: Unix socket directory ;
 * `redis_log_level`: log verbosity ;

redis/defaults/main.yml

@@ -6,7 +6,8 @@ redis_conf_dir_prefix: /etc/redis
 redis_force_instance_port: False
 
 redis_port: 6379
-redis_bind_interface: 127.0.0.1
+redis_bind_interfaces:
+  - 127.0.0.1
 
 redis_socket_enabled: True
 redis_socket_dir_prefix: '/run/redis'

redis/tasks/default-munin.yml

@@ -39,7 +39,7 @@
 - name: Enable redis munin plugin
   file:
     src: /usr/local/share/munin/plugins/redis_
-    dest: "/etc/munin/plugins/redis_{{item}}"
+    dest: "/etc/munin/plugins/redis_{{ plugin_name }}"
     state: link
   loop:
     - connected_clients
@@ -48,6 +48,8 @@
     - per_sec
     - used_keys
     - used_memory
+  loop_control:
+    loop_var: plugin_name
   notify: restart munin-node
   when: not ansible_check_mode
   tags:

redis/tasks/instance-munin.yml

@@ -39,7 +39,7 @@
 - name: Enable redis munin plugin
   file:
     src: /usr/local/share/munin/plugins/redis_
-    dest: "/etc/munin/plugins/{{ redis_instance_name }}_redis_{{item}}"
+    dest: "/etc/munin/plugins/{{ redis_instance_name }}_redis_{{ plugin_name }}"
     state: link
   loop:
     - connected_clients
@@ -48,6 +48,8 @@
     - per_sec
     - used_keys
     - used_memory
+  loop_control:
+    loop_var: plugin_name
   notify: restart munin-node
   when: not ansible_check_mode
   tags:
@@ -57,6 +59,6 @@
   template:
     src: templates/munin-plugin-instances.conf.j2
     dest: '/etc/munin/plugin-conf.d/evolinux.redis_{{ redis_instance_name }}'
-    mode: 0740
+    mode: "0740"
   notify: restart munin-node
   tags: redis

redis/tasks/instance-server.yml

@@ -38,7 +38,7 @@
 
 - name: "Instance '{{ redis_instance_name }}' config hooks directories are present"
   file:
-    dest: "{{ item }}"
+    dest: "{{ _dir }}"
     mode: "0755"
     owner: "root"
     group: "root"
@@ -49,6 +49,8 @@
     - "{{ redis_conf_dir }}/redis-server.post-up.d"
     - "{{ redis_conf_dir }}/redis-server.pre-down.d"
     - "{{ redis_conf_dir }}/redis-server.post-down.d"
+  loop_control:
+    loop_var: _dir
   when:
     - ansible_distribution == "Debian"
     - ansible_distribution_major_version is version('9', '=')
@@ -56,14 +58,16 @@
     - redis
 
 - name: "Instance '{{ redis_instance_name }}' hooks examples are present"
-  command: "cp -a /etc/redis/{{ item }}/00_example {{ redis_conf_dir }}/{{ item }}"
+  command: "cp -a /etc/redis/{{ _dir }}/00_example {{ redis_conf_dir }}/{{ _dir }}"
   args:
-    creates: "{{ redis_conf_dir }}/{{ item }}/00_example"
+    creates: "{{ redis_conf_dir }}/{{ _dir }}/00_example"
   loop:
     - "redis-server.pre-up.d"
     - "redis-server.post-up.d"
     - "redis-server.pre-down.d"
     - "redis-server.post-down.d"
+  loop_control:
+    loop_var: _dir
   when:
     - ansible_distribution == "Debian"
     - ansible_distribution_major_version is version('9', '=')
@@ -72,7 +76,7 @@
 
 - name: "Instance '{{ redis_instance_name }}' socket/pid directories are present"
   file:
-    dest: "{{ item }}"
+    dest: "{{ _dir }}"
     mode: "0755"
     owner: "redis-{{ redis_instance_name }}"
     group: "redis-{{ redis_instance_name }}"
@@ -81,12 +85,14 @@
   loop:
     - "{{ redis_pid_dir }}"
     - "{{ redis_socket_dir }}"
+  loop_control:
+    loop_var: _dir
   tags:
     - redis
 
 - name: "Instance '{{ redis_instance_name }}' data/log directories are present"
   file:
-    dest: "{{ item }}"
+    dest: "{{ _dir }}"
     mode: "0751"
     owner: "redis-{{ redis_instance_name }}"
     group: "redis-{{ redis_instance_name }}"
@@ -95,6 +101,8 @@
   loop:
     - "{{ redis_data_dir }}"
     - "{{ redis_log_dir }}"
+  loop_control:
+    loop_var: _dir
   tags:
     - redis
 

redis/tasks/main.yml

@@ -63,6 +63,14 @@
     redis_data_dir: "{{ redis_data_dir_prefix }}-{{ redis_instance_name }}"
   when: redis_instance_name is defined
 
+- name: Fail if redis_bind_interface is set
+  fail:
+    msg: "Please change 'redis_bind_interface' (String) to 'redis_bind_interfaces' (List)"
+  when:
+    - redis_bind_interface is defined
+    - redis_bind_interface is not none
+    - redis_bind_interface | length > 0
+
 - name: configure Redis for default mode
   include: default-server.yml
   when: redis_instance_name is not defined

redis/tasks/nrpe.yml

@@ -60,7 +60,7 @@
   replace:
     dest: /etc/nagios/nrpe.d/evolix.cfg
     regexp: '^command\[check_redis\]=.+'
-    replace: 'command[check_redis]=sudo {{ redis_check_redis_path }} -H {{ redis_bind_interface }} -p {{ redis_port }}'
+    replace: 'command[check_redis]=sudo {{ redis_check_redis_path }} -H {{ redis_bind_interfaces | first }} -p {{ redis_port }}'
   when: redis_instance_name is undefined
   notify: restart nagios-nrpe-server
   tags:

redis/templates/redis.conf.j2

@@ -1,7 +1,7 @@
 daemonize yes
 pidfile {{ redis_pid_dir }}/redis-server.pid
 port {{ redis_port }}
-bind {{ redis_bind_interface }}
+bind {{ redis_bind_interfaces | join(' ') }}
 
 {% if redis_socket_enabled %}
 unixsocket {{ redis_socket_dir }}/redis.sock