diff --git a/CHANGELOG.md b/CHANGELOG.md index 7033e693..6d85ed31 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -20,6 +20,30 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Security +## [22.06.2] 2022-06-10 + +### Added + +* postgresql: add variable to configure binding addresses (default: 127.0.0.1) + +### Changed + +* evocheck: upstream release 22.06.2 +* fail2ban: Give the possibility to override jail.local (with fail2ban_override_jaillocal) +* fail2ban: If jail.local was overriden, add a warning +* fail2ban: Allow to tune some jail settings (maxretry, bantime, findtime) with ansible +* fail2ban: Allow to tune the default action with ansible +* fail2ban: Change default action to ban only (instead of ban + mail with whois report) +* fail2ban: Configure recidive jail (off by default) + extend dbpurgeage +* redis: binding is possible on multiple interfaces (breaking change) + +### Fixed + +* Enforce String notation for mode +* postgresql: fix nested loop for Munin plugins +* postgresql: Fix task order when using pgdg repo +* postgresql: Install the right pg version + ## [22.06.1] 2022-06-06 ### Changed diff --git a/elasticsearch/tasks/configuration.yml b/elasticsearch/tasks/configuration.yml index 83dd130a..99c311c2 100644 --- a/elasticsearch/tasks/configuration.yml +++ b/elasticsearch/tasks/configuration.yml @@ -102,7 +102,7 @@ create: yes owner: root group: elasticsearch - mode: 0640 + mode: "0640" tags: - config @@ -114,7 +114,7 @@ create: yes owner: root group: elasticsearch - mode: 0640 + mode: "0640" tags: - config diff --git a/elasticsearch/tasks/tmpdir.yml b/elasticsearch/tasks/tmpdir.yml index c9ad3c19..30375af1 100644 --- a/elasticsearch/tasks/tmpdir.yml +++ b/elasticsearch/tasks/tmpdir.yml @@ -32,7 +32,7 @@ create: yes owner: root group: elasticsearch - mode: 0640 + mode: "0640" notify: - restart elasticsearch tags: 
diff --git a/evobackup-client/tasks/upload_scripts.yml b/evobackup-client/tasks/upload_scripts.yml index 79e5d7db..1ef4a74f 100644 --- a/evobackup-client/tasks/upload_scripts.yml +++ b/evobackup-client/tasks/upload_scripts.yml @@ -5,7 +5,7 @@ src: "{{ item }}" dest: "{{ evobackup_client__cron_path }}" force: true - mode: 0755 + mode: "0755" loop: "{{ query('first_found', templates) }}" vars: templates: diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index 5b1afb09..9391f119 100644 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Debian/OpenBSD server # powered by Evolix -VERSION="22.06.1" +VERSION="22.06.2" readonly VERSION # base functions @@ -742,9 +742,7 @@ check_backupuptodate() { backup_dir="/home/backup" if [ -d "${backup_dir}" ]; then if [ -n "$(ls -A ${backup_dir})" ]; then - # Look for all files, including subdirectories. - # If this turns out to be problematic, we can go back to first level only, with --max-depth=1 - find "${backup_dir}" -type f | while read -r file; do + find "${backup_dir}" -type f -maxdepth 1 | while read -r file; do limit=$(date +"%s" -d "now - 2 day") updated_at=$(stat -c "%Y" "$file") diff --git a/fail2ban/defaults/main.yml b/fail2ban/defaults/main.yml index d983b32a..098a550a 100644 --- a/fail2ban/defaults/main.yml +++ b/fail2ban/defaults/main.yml 
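Review bot: In check_backupuptodate the new `find` call puts `-maxdepth 1` after `-type f`, and GNU find prints a warning on stderr when a global option follows a test. The usual order is `find "${backup_dir}" -maxdepth 1 -type f | while read -r file; do`. Limiting the scan to the first level also means a stale dump kept in a subdirectory of /home/backup no longer trips the check. The hunk deletes the only comment that explained the depth choice, so a replacement such as `# First level only: backups stored in subdirectories are not checked` would record that trade-off. The function body continues outside the hunk.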
@@ -6,10 +6,43 @@ fail2ban_alert_email: Null # "127.0.0.1/8" is always added to the list, even if the following lists are empty. fail2ban_default_ignore_ips: [] fail2ban_additional_ignore_ips: [] + # WARN: setting this to True will overwrite the list of ignored IP fail2ban_force_update_ignore_ips: False -fail2ban_wordpress: False -fail2ban_roundcube: False +fail2ban_override_jaillocal: False -fail2ban_disable_ssh: False +fail2ban_default_maxretry: 5 +fail2ban_default_bantime: 10m +fail2ban_default_findtime: 10m + +# Default fail2ban action. Chose beetween : +# - "action_" : (default) - ban only (following banaction) +# - "action_mw" : ban & send an email with whois report +# - "action_mwl" : ban & send an email with whois and log lines +fail2ban_default_action: "action_" + +fail2ban_sshd: True +fail2ban_sshd_maxretry: 10 +fail2ban_sshd_bantime: "{{ fail2ban_default_bantime }}" +fail2ban_sshd_findtime: "{{ fail2ban_default_findtime }}" + +fail2ban_recidive: False +fail2ban_recidive_maxretry: 3 +fail2ban_recidive_bantime: 1w +fail2ban_recidive_findtime: 1d + +fail2ban_wordpress_hard: False +fail2ban_wordpress_hard_maxretry: 1 +fail2ban_wordpress_hard_bantime: "{{ fail2ban_default_bantime }}" +fail2ban_wordpress_hard_findtime: "{{ fail2ban_default_findtime }}" + +fail2ban_wordpress_soft: False +fail2ban_wordpress_soft_maxretry: 5 +fail2ban_wordpress_soft_bantime: "{{ fail2ban_default_bantime }}" +fail2ban_wordpress_soft_findtime: "{{ fail2ban_default_findtime }}" + +fail2ban_roundcube: False +fail2ban_roundcube_maxretry: 5 +fail2ban_roundcube_bantime: "{{ fail2ban_default_bantime }}" +fail2ban_roundcube_findtime: "{{ fail2ban_default_findtime }}" \ No newline at end of file diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml index 30c795c9..56378c9b 100644 --- a/fail2ban/tasks/main.yml +++ b/fail2ban/tasks/main.yml @@ -12,6 +12,7 @@ loop: - "/etc/fail2ban" - "/etc/fail2ban/filter.d" + - "/etc/fail2ban/fail2ban.d" tags: - fail2ban 
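Review bot: `fail2ban_wordpress` and `fail2ban_disable_ssh` are removed from the defaults without any guard. An inventory that still sets `fail2ban_wordpress: True` now renders both wordpress jails with `enabled = False`, because the new `fail2ban_wordpress_hard` and `fail2ban_wordpress_soft` defaults apply, and no error is raised. The redis role in this same commit fails the play when the old `redis_bind_interface` is still defined. A matching `fail` task in fail2ban/tasks/main.yml with `when: fail2ban_wordpress is defined or fail2ban_disable_ssh is defined` would make the rename visible instead of silently dropping a jail. The comment above `fail2ban_default_action` should also read `Choose between`.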
@@ -25,7 +26,7 @@ src: jail.local.j2 dest: /etc/fail2ban/jail.local mode: "0644" - force: no + force: "{{ fail2ban_override_jaillocal }}" notify: restart fail2ban tags: - fail2ban @@ -36,17 +37,6 @@ tags: - fail2ban -- name: Disable SSH filter - ini_file: - dest: /etc/fail2ban/jail.local - section: sshd - option: enabled - value: false - notify: restart fail2ban - when: fail2ban_disable_ssh | bool - tags: - - fail2ban - - name: custom filters are installed copy: src: "{{ item }}" @@ -62,7 +52,7 @@ tags: - fail2ban -- name: package is installed +- name: package fail2ban is installed apt: name: fail2ban state: present @@ -100,3 +90,17 @@ tags: - fail2ban - munin + +- name: "Extend dbpurgeage if recidive jail is enabled" + blockinfile: + dest: /etc/fail2ban/fail2ban.d/recidive_dbpurgeage + marker: "# ANSIBLE MANAGED" + block: | + [DEFAULT] + dbpurgeage = {{ fail2ban_recidive_bantime}} + insertafter: EOF + create: yes + mode: "0644" + notify: restart fail2ban + when: + - fail2ban_recidive \ No newline at end of file diff --git a/fail2ban/templates/jail.local.j2 b/fail2ban/templates/jail.local.j2 index 7e097e4f..19c4f35b 100644 --- a/fail2ban/templates/jail.local.j2 +++ b/fail2ban/templates/jail.local.j2 
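Review bot: When `fail2ban_override_jaillocal` is true, `force: "{{ fail2ban_override_jaillocal }}"` lets the task replace /etc/fail2ban/jail.local whenever it differs from the template. Any jail an administrator added locally is then lost without a copy. Adding `backup: yes` to this task keeps the previous file beside the new one so a removed jail can be recovered. Both `copy` and `template` accept that option; the module name sits above the hunk, so which one is used is not visible here.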
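Review bot: The drop-in is written to `/etc/fail2ban/fail2ban.d/recidive_dbpurgeage`, which has no extension. fail2ban only reads `*.conf` and `*.local` files from `fail2ban.d`, so the longer `dbpurgeage` would not be applied and recidive bans could be purged from the database before they expire; `dest: /etc/fail2ban/fail2ban.d/recidive_dbpurgeage.local` fixes that. The `marker` also lacks the `{mark}` placeholder, which makes the begin and end markers identical; `marker: "# {mark} ANSIBLE MANAGED"` keeps the block idempotent. `when: fail2ban_recidive | bool` would be safer than the bare variable if the value ever arrives as a string.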
@@ -1,61 +1,65 @@ # EvoLinux Fail2Ban config. +{% if fail2ban_override_jaillocal %} +# WARNING : THIS FILE IS (PROBABLY) ANSIBLE MANAGED AS IT WAS OVERWRITTEN BY ANSIBLE +{% endif %} + [DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host ignoreip = {{ ['127.0.0.1/8'] | union(fail2ban_ignore_ips) | unique | join(' ') }} -bantime = 600 -maxretry = 3 - -# "backend" specifies the backend used to get files modification. Available -# options are "gamin", "polling" and "auto". -# yoh: For some reason Debian shipped python-gamin didn't work as expected -# This issue left ToDo, so polling is default backend for now -backend = auto +bantime = {{ fail2ban_default_bantime }} +maxretry = {{ fail2ban_default_maxretry }} destemail = {{ fail2ban_alert_email or general_alert_email | mandatory }} # ACTIONS - banaction = iptables-multiport -mta = sendmail -protocol = tcp -chain = INPUT -action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] - %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] +action = %({{fail2ban_default_action}})s -action = %(action_mwl)s [sshd] +enabled = {{ fail2ban_sshd }} port = ssh,2222,22222 -logpath = %(sshd_log)s -backend = %(sshd_backend)s -maxretry = 10 -{% if fail2ban_wordpress %} +maxretry = {{ fail2ban_sshd_maxretry }} +findtime = {{ fail2ban_sshd_findtime }} +bantime = {{ fail2ban_sshd_bantime }} + +[recidive] +enabled = {{ fail2ban_recidive }} + +maxretry = {{ fail2ban_recidive_maxretry }} +findtime = {{ fail2ban_recidive_findtime }} +bantime = {{ fail2ban_recidive_bantime }} + + +# Evolix custom jails + [wordpress-hard] -enabled = true -port = http,https +enabled = {{ fail2ban_wordpress_hard }} +port = http, https filter = wordpress-hard logpath = /var/log/auth.log -maxretry = 1 -findtime = 300 +maxretry = {{ fail2ban_wordpress_hard_maxretry }} +findtime = {{ fail2ban_wordpress_hard_findtime }} +bantime = {{ 
fail2ban_wordpress_hard_bantime }} [wordpress-soft] -enabled = true -port = http,https +enabled = {{ fail2ban_wordpress_soft }} +port = http, https filter = wordpress-soft logpath = /var/log/auth.log -maxretry = 5 -findtime = 300 -{% endif %} +maxretry = {{ fail2ban_wordpress_soft_maxretry }} +findtime = {{ fail2ban_wordpress_soft_findtime }} +bantime = {{ fail2ban_wordpress_soft_bantime }} -{% if fail2ban_roundcube %} [roundcube] -enabled = true -port = http,https +enabled = {{ fail2ban_roundcube }} +port = http, https filter = roundcube logpath = /var/lib/roundcube/logs/errors -maxretry = 5 -{% endif %} +maxretry = {{ fail2ban_roundcube_maxretry }} +findtime = {{ fail2ban_roundcube_findtime }} +bantime = {{ fail2ban_roundcube_bantime }} diff --git a/keepalived/tasks/main.yml b/keepalived/tasks/main.yml index e468da58..b98ff1ae 100644 --- a/keepalived/tasks/main.yml +++ b/keepalived/tasks/main.yml @@ -46,7 +46,7 @@ template: src: keepalived.conf.j2 dest: /etc/keepalived/keepalived.conf - mode: 0644 + mode: "0644" notify: restart keepalived tags: - keepalived diff --git a/kvm-host/tasks/munin.yml b/kvm-host/tasks/munin.yml index d0bf1b0a..d16bcfd9 100644 --- a/kvm-host/tasks/munin.yml +++ b/kvm-host/tasks/munin.yml @@ -27,16 +27,18 @@ - kvm_mem notify: restart munin-node -- name: Enable redis munin plugin +- name: Enable Munin plugins file: - src: "/usr/local/share/munin/plugins/{{item}}" - dest: "/etc/munin/plugins/{{item}}" + src: "/usr/local/share/munin/plugins/{{ plugin_name }}" + dest: "/etc/munin/plugins/{{ plugin_name }}" state: link force: yes loop: - kvm_cpu - kvm_io - kvm_mem + loop_control: + loop_var: plugin_name notify: restart munin-node - name: Copy Munin plugins conf diff --git a/packweb-apache/tasks/multiphp.yml b/packweb-apache/tasks/multiphp.yml index 01f0b130..8a7c9613 100644 --- a/packweb-apache/tasks/multiphp.yml +++ b/packweb-apache/tasks/multiphp.yml 
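Review bot: `fail2ban_default_findtime` never reaches the `[DEFAULT]` section. The new template sets `bantime` and `maxretry` there but no `findtime`, so the variable only takes effect through the per-jail `*_findtime` variables, and any jail defined outside this template keeps the packaged value. Adding `findtime = {{ fail2ban_default_findtime }}` after `maxretry = {{ fail2ban_default_maxretry }}` makes the three tunables behave the same way. The defaults also use suffixed durations (`10m`, `1w`, `1d`) where the old template used plain seconds. That form presumably needs a recent enough fail2ban, so it is worth confirming on the oldest release the role still supports.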
@@ -13,13 +13,13 @@ copy: src: phpContainer dest: /usr/local/bin/phpContainer - mode: 0755 + mode: "0755" # - name: Copy php shim to call phpContainer when the user is a web user # copy: # src: multiphp-shim # dest: /usr/local/bin/php -# mode: 0755 +# mode: "0755" # - name: Modify bashrc skel file # lineinfile: diff --git a/postgresql/defaults/main.yml b/postgresql/defaults/main.yml index 7b2b3734..dcdffb05 100644 --- a/postgresql/defaults/main.yml +++ b/postgresql/defaults/main.yml @@ -8,6 +8,10 @@ postgresql_work_mem: 8MB postgresql_random_page_cost: 1.5 postgresql_effective_cache_size: "{{ (ansible_memtotal_mb * 0.5) | int }}MB" +# Binding +postgresql_listen_addresses: + - "127.0.0.1" + # PostgreSQL version postgresql_version: '' diff --git a/postgresql/tasks/munin.yml b/postgresql/tasks/munin.yml index ed2cc883..227304c8 100644 --- a/postgresql/tasks/munin.yml +++ b/postgresql/tasks/munin.yml @@ -30,7 +30,15 @@ dest: '/etc/munin/plugins/{{item[0]}}{{item[1]}}' loop: "{{ _plugins | product(_databases) | list }}" vars: - _plugins: ['postgres_cache_', 'postgres_connections_', 'postgres_locks_', 'postgres_querylength_', 'postgres_scans_', 'postgres_size_', 'postgres_transactions_', 'postgres_tuples_'] - _databases: postgresql_databases + _plugins: + - 'postgres_cache_' + - 'postgres_connections_' + - 'postgres_locks_' + - 'postgres_querylength_' + - 'postgres_scans_' + - 'postgres_size_' + - 'postgres_transactions_' + - 'postgres_tuples_' + _databases: "{{ postgresql_databases }}" notify: restart munin-node when: etc_munin_plugins.stat.exists and usr_share_munin_plugins.stat.exists diff --git a/postgresql/tasks/packages_bullseye.yml b/postgresql/tasks/packages_bullseye.yml index 558578f2..1b4cb0ac 100644 --- a/postgresql/tasks/packages_bullseye.yml +++ b/postgresql/tasks/packages_bullseye.yml @@ -11,6 +11,6 @@ - name: Install postgresql package apt: name: - - postgresql + - "postgresql-{{postgresql_version}}" - pgtop - libdbd-pg-perl 
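Review bot: `postgresql_listen_addresses` is introduced with only a `# Binding` heading, and nothing says what widening it implies. A line such as `# Any non-loopback address exposes the PostgreSQL port on that interface; access then depends on pg_hba.conf and the firewall` above the variable would tell the operator what else to review before changing the default.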
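Review bot: `"postgresql-{{postgresql_version}}"` renders as `postgresql-` when the variable keeps the default shown in postgresql/defaults/main.yml (`postgresql_version: ''`), and that is not an installable package name. Unless a task outside this diff always sets the version first, a fallback such as `- "postgresql{{ ('-' ~ postgresql_version) if postgresql_version else '' }}"` keeps the metapackage for the empty case. The same line is changed in packages_buster.yml and packages_stretch.yml.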
diff --git a/postgresql/tasks/packages_buster.yml b/postgresql/tasks/packages_buster.yml index 76017545..815e741d 100644 --- a/postgresql/tasks/packages_buster.yml +++ b/postgresql/tasks/packages_buster.yml @@ -11,6 +11,6 @@ - name: Install postgresql package apt: name: - - postgresql + - "postgresql-{{postgresql_version}}" - pgtop - libdbd-pg-perl diff --git a/postgresql/tasks/packages_stretch.yml b/postgresql/tasks/packages_stretch.yml index d8ebb9e4..a43c313b 100644 --- a/postgresql/tasks/packages_stretch.yml +++ b/postgresql/tasks/packages_stretch.yml @@ -11,6 +11,6 @@ - name: Install postgresql package apt: name: - - postgresql + - "postgresql-{{postgresql_version}}" - ptop - libdbd-pg-perl diff --git a/postgresql/tasks/pgdg-repo.yml b/postgresql/tasks/pgdg-repo.yml index a13b7469..38f21079 100644 --- a/postgresql/tasks/pgdg-repo.yml +++ b/postgresql/tasks/pgdg-repo.yml @@ -2,17 +2,12 @@ - name: Open firewall for PGDG repository replace: name: /etc/default/minifirewall - regexp: "^(HTTPSITES='((?!apt\\.postgresql\\.org).)*)'$" + regexp: "^(HTTPSITES='((?!apt\\.postgresql\\.org|0\\.0\\.0\\.0).)*)'$" replace: "\\1 apt.postgresql.org'" notify: Restart minifirewall - meta: flush_handlers -- name: Add PGDG repository - apt_repository: - repo: "deb http://apt.postgresql.org/pub/repos/apt/ {{ansible_distribution_release}}-pgdg main" - update_cache: yes - - name: Look for legacy apt keyring stat: path: /etc/apt/trusted.gpg @@ -34,9 +29,9 @@ owner: root group: root -- name: Update and upgrade apt packages for PGDG repository - apt: - upgrade: yes +- name: Add PGDG repository + apt_repository: + repo: "deb http://apt.postgresql.org/pub/repos/apt/ {{ansible_distribution_release}}-pgdg main" update_cache: yes - name: Add APT preference file diff --git a/postgresql/templates/postgresql.conf.j2 b/postgresql/templates/postgresql.conf.j2 index 25597519..9adce0b4 100644 --- a/postgresql/templates/postgresql.conf.j2 +++ b/postgresql/templates/postgresql.conf.j2 
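Review bot: The re-added `apt_repository` entry in pgdg-repo.yml does not pin the signing key, so it trusts whatever key the preceding tasks install. If that key ends up in a global keyring (the context mentions /etc/apt/trusted.gpg), it is accepted for every configured repository, not only this one. Where the supported releases allow it, `repo: "deb [signed-by=<path-to-pgdg-keyring>] http://apt.postgresql.org/pub/repos/apt/ {{ ansible_distribution_release }}-pgdg main"` limits the key to this source. The keyring path is not visible in the hunk, so the placeholder must be replaced with the file the key task actually writes.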
@@ -1,6 +1,7 @@ # Tuning shared_buffers = {{ postgresql_shared_buffers }} work_mem = {{ postgresql_work_mem }} +listen_addresses = '{{ postgresql_listen_addresses | join(',') }}' #shared_preload_libraries = 'pg_stat_statements' #synchronous_commit = off {% if postgresql_version is version('9.5', '<') %} @@ -13,7 +14,7 @@ checkpoint_completion_target = 0.9 random_page_cost = {{ postgresql_random_page_cost }} effective_cache_size = {{ postgresql_effective_cache_size }} -# Loging +# Logging log_min_duration_statement = 1s log_checkpoints = on log_lock_waits = on diff --git a/redis/README.md b/redis/README.md index 850af13a..57aa4f41 100644 --- a/redis/README.md +++ b/redis/README.md @@ -14,7 +14,7 @@ Main variables are : * `redis_conf_dir`: config directory ; * `redis_port`: listening TCP port ; -* `redis_bind_interface`: listening IP address ; +* `redis_bind_interfaces`: listening IP addresses (array) ; * `redis_password`: password for redis. Empty means no password ; * `redis_socket_dir`: Unix socket directory ; * `redis_log_level`: log verbosity ; diff --git a/redis/defaults/main.yml b/redis/defaults/main.yml index 93bbc741..1a86c95c 100644 --- a/redis/defaults/main.yml +++ b/redis/defaults/main.yml @@ -6,7 +6,8 @@ redis_conf_dir_prefix: /etc/redis redis_force_instance_port: False redis_port: 6379 -redis_bind_interface: 127.0.0.1 +redis_bind_interfaces: + - 127.0.0.1 redis_socket_enabled: True redis_socket_dir_prefix: '/run/redis' diff --git a/redis/tasks/default-munin.yml b/redis/tasks/default-munin.yml index 7856741e..1c9ab759 100644 --- a/redis/tasks/default-munin.yml +++ b/redis/tasks/default-munin.yml @@ -39,7 +39,7 @@ - name: Enable redis munin plugin file: src: /usr/local/share/munin/plugins/redis_ - dest: "/etc/munin/plugins/redis_{{item}}" + dest: "/etc/munin/plugins/redis_{{ plugin_name }}" state: link loop: - connected_clients 
@@ -48,6 +48,8 @@ - per_sec - used_keys - used_memory + loop_control: + loop_var: plugin_name notify: restart munin-node when: not ansible_check_mode tags: diff --git a/redis/tasks/instance-munin.yml b/redis/tasks/instance-munin.yml index bc8d8e9a..72865e98 100644 --- a/redis/tasks/instance-munin.yml +++ b/redis/tasks/instance-munin.yml @@ -39,7 +39,7 @@ - name: Enable redis munin plugin file: src: /usr/local/share/munin/plugins/redis_ - dest: "/etc/munin/plugins/{{ redis_instance_name }}_redis_{{item}}" + dest: "/etc/munin/plugins/{{ redis_instance_name }}_redis_{{ plugin_name }}" state: link loop: - connected_clients @@ -48,6 +48,8 @@ - per_sec - used_keys - used_memory + loop_control: + loop_var: plugin_name notify: restart munin-node when: not ansible_check_mode tags: @@ -57,6 +59,6 @@ template: src: templates/munin-plugin-instances.conf.j2 dest: '/etc/munin/plugin-conf.d/evolinux.redis_{{ redis_instance_name }}' - mode: 0740 + mode: "0740" notify: restart munin-node tags: redis diff --git a/redis/tasks/instance-server.yml b/redis/tasks/instance-server.yml index 462ee8f4..3e6af623 100644 --- a/redis/tasks/instance-server.yml +++ b/redis/tasks/instance-server.yml @@ -38,7 +38,7 @@ - name: "Instance '{{ redis_instance_name }}' config hooks directories are present" file: - dest: "{{ item }}" + dest: "{{ _dir }}" mode: "0755" owner: "root" group: "root" @@ -49,6 +49,8 @@ - "{{ redis_conf_dir }}/redis-server.post-up.d" - "{{ redis_conf_dir }}/redis-server.pre-down.d" - "{{ redis_conf_dir }}/redis-server.post-down.d" + loop_control: + loop_var: _dir when: - ansible_distribution == "Debian" - ansible_distribution_major_version is version('9', '=') 
@@ -56,14 +58,16 @@ - redis - name: "Instance '{{ redis_instance_name }}' hooks examples are present" - command: "cp -a /etc/redis/{{ item }}/00_example {{ redis_conf_dir }}/{{ item }}" + command: "cp -a /etc/redis/{{ _dir }}/00_example {{ redis_conf_dir }}/{{ _dir }}" args: - creates: "{{ redis_conf_dir }}/{{ item }}/00_example" + creates: "{{ redis_conf_dir }}/{{ _dir }}/00_example" loop: - "redis-server.pre-up.d" - "redis-server.post-up.d" - "redis-server.pre-down.d" - "redis-server.post-down.d" + loop_control: + loop_var: _dir when: - ansible_distribution == "Debian" - ansible_distribution_major_version is version('9', '=') @@ -72,7 +76,7 @@ - name: "Instance '{{ redis_instance_name }}' socket/pid directories are present" file: - dest: "{{ item }}" + dest: "{{ _dir }}" mode: "0755" owner: "redis-{{ redis_instance_name }}" group: "redis-{{ redis_instance_name }}" @@ -81,12 +85,14 @@ loop: - "{{ redis_pid_dir }}" - "{{ redis_socket_dir }}" + loop_control: + loop_var: _dir tags: - redis - name: "Instance '{{ redis_instance_name }}' data/log directories are present" file: - dest: "{{ item }}" + dest: "{{ _dir }}" mode: "0751" owner: "redis-{{ redis_instance_name }}" group: "redis-{{ redis_instance_name }}" @@ -95,6 +101,8 @@ loop: - "{{ redis_data_dir }}" - "{{ redis_log_dir }}" + loop_control: + loop_var: _dir tags: - redis diff --git a/redis/tasks/main.yml b/redis/tasks/main.yml index 10598aa6..871ab3eb 100644 --- a/redis/tasks/main.yml +++ b/redis/tasks/main.yml @@ -63,6 +63,14 @@ redis_data_dir: "{{ redis_data_dir_prefix }}-{{ redis_instance_name }}" when: redis_instance_name is defined +- name: Fail if redis_bind_interface is set + fail: + msg: "Please change 'redis_bind_interface' (String) to 'redis_bind_interfaces' (List)" + when: + - redis_bind_interface is defined + - redis_bind_interface is not none + - redis_bind_interface | length > 0 + - name: configure Redis for default mode include: default-server.yml when: redis_instance_name is not defined 
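Review bot: The new guard in redis/tasks/main.yml only catches the old variable name, so a value that was renamed but left as a string passes it. In redis/templates/redis.conf.j2, `redis_bind_interfaces | join(' ')` then joins its characters (`127.0.0.1` becomes `1 2 7 . 0 . 0 . 1`), and `| first` in redis/tasks/nrpe.yml yields `1`. An `assert` beside this `fail` task that requires a non-empty list would stop the play before a broken `bind` line is written.

```yaml
- name: Check that redis_bind_interfaces is a non-empty list
  assert:
    that:
      - redis_bind_interfaces is not string
      - redis_bind_interfaces is iterable
      - redis_bind_interfaces | length > 0
    msg: "'redis_bind_interfaces' must be a non-empty list of addresses"
```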
diff --git a/redis/tasks/nrpe.yml b/redis/tasks/nrpe.yml index 9e042479..b42e2da2 100644 --- a/redis/tasks/nrpe.yml +++ b/redis/tasks/nrpe.yml @@ -60,7 +60,7 @@ replace: dest: /etc/nagios/nrpe.d/evolix.cfg regexp: '^command\[check_redis\]=.+' - replace: 'command[check_redis]=sudo {{ redis_check_redis_path }} -H {{ redis_bind_interface }} -p {{ redis_port }}' + replace: 'command[check_redis]=sudo {{ redis_check_redis_path }} -H {{ redis_bind_interfaces | first }} -p {{ redis_port }}' when: redis_instance_name is undefined notify: restart nagios-nrpe-server tags: diff --git a/redis/templates/redis.conf.j2 b/redis/templates/redis.conf.j2 index b10a11b9..720f724f 100644 --- a/redis/templates/redis.conf.j2 +++ b/redis/templates/redis.conf.j2 @@ -1,7 +1,7 @@ daemonize yes pidfile {{ redis_pid_dir }}/redis-server.pid port {{ redis_port }} -bind {{ redis_bind_interface }} +bind {{ redis_bind_interfaces | join(' ') }} {% if redis_socket_enabled %} unixsocket {{ redis_socket_dir }}/redis.sock
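Review bot: `bind` can now carry non-loopback addresses, and the README in this diff states that an empty `redis_password` means no password, so a host can end up listening on a routable interface without authentication. Nothing visible here ties the two settings together. A `fail` task with `when: redis_bind_interfaces | difference(['127.0.0.1', '::1']) | length > 0 and not redis_password`, or at least a sentence in the README next to `redis_bind_interfaces`, would make that combination explicit. The rest of the template is outside the hunk, so protected-mode handling may already cover part of this.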