From b677defd972f1c5d131ac33e250b83d95c5578c7 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 8 Jun 2022 15:36:47 +0200 Subject: [PATCH 01/10] redis: binding is possible on multiple interfaces --- CHANGELOG.md | 2 ++ redis/README.md | 2 +- redis/defaults/main.yml | 3 ++- redis/tasks/main.yml | 8 ++++++++ redis/tasks/nrpe.yml | 2 +- redis/templates/redis.conf.j2 | 2 +- 6 files changed, 15 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7033e693..8ad2a22c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* redis: binding is possible on multiple interfaces (breaking change) + ### Fixed ### Removed diff --git a/redis/README.md b/redis/README.md index 850af13a..57aa4f41 100644 --- a/redis/README.md +++ b/redis/README.md @@ -14,7 +14,7 @@ Main variables are : * `redis_conf_dir`: config directory ; * `redis_port`: listening TCP port ; -* `redis_bind_interface`: listening IP address ; +* `redis_bind_interfaces`: listening IP addresses (array) ; * `redis_password`: password for redis. Empty means no password ; * `redis_socket_dir`: Unix socket directory ; * `redis_log_level`: log verbosity ; diff --git a/redis/defaults/main.yml b/redis/defaults/main.yml index 93bbc741..1a86c95c 100644 --- a/redis/defaults/main.yml +++ b/redis/defaults/main.yml @@ -6,7 +6,8 @@ redis_conf_dir_prefix: /etc/redis redis_force_instance_port: False redis_port: 6379 -redis_bind_interface: 127.0.0.1 +redis_bind_interfaces: + - 127.0.0.1 redis_socket_enabled: True redis_socket_dir_prefix: '/run/redis' diff --git a/redis/tasks/main.yml b/redis/tasks/main.yml index 10598aa6..871ab3eb 100644 --- a/redis/tasks/main.yml +++ b/redis/tasks/main.yml 
@@ -63,6 +63,14 @@ redis_data_dir: "{{ redis_data_dir_prefix }}-{{ redis_instance_name }}" when: redis_instance_name is defined +- name: Fail if redis_bind_interface is set + fail: + msg: "Please change 'redis_bind_interface' (String) to 'redis_bind_interfaces' (List)" + when: + - redis_bind_interface is defined + - redis_bind_interface is not none + - redis_bind_interface | length > 0 + - name: configure Redis for default mode include: default-server.yml when: redis_instance_name is not defined diff --git a/redis/tasks/nrpe.yml b/redis/tasks/nrpe.yml index 9e042479..b42e2da2 100644 --- a/redis/tasks/nrpe.yml +++ b/redis/tasks/nrpe.yml @@ -60,7 +60,7 @@ replace: dest: /etc/nagios/nrpe.d/evolix.cfg regexp: '^command\[check_redis\]=.+' - replace: 'command[check_redis]=sudo {{ redis_check_redis_path }} -H {{ redis_bind_interface }} -p {{ redis_port }}' + replace: 'command[check_redis]=sudo {{ redis_check_redis_path }} -H {{ redis_bind_interfaces | first }} -p {{ redis_port }}' when: redis_instance_name is undefined notify: restart nagios-nrpe-server tags: diff --git a/redis/templates/redis.conf.j2 b/redis/templates/redis.conf.j2 index b10a11b9..720f724f 100644 --- a/redis/templates/redis.conf.j2 +++ b/redis/templates/redis.conf.j2 @@ -1,7 +1,7 @@ daemonize yes pidfile {{ redis_pid_dir }}/redis-server.pid port {{ redis_port }} -bind {{ redis_bind_interface }} +bind {{ redis_bind_interfaces | join(' ') }} {% if redis_socket_enabled %} unixsocket {{ redis_socket_dir }}/redis.sock From cbe79858145422f8fd44a2ef288da98cebfcf038 Mon Sep 17 00:00:00 2001 
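Review bot: The new guard only rejects the legacy `redis_bind_interface` string; nothing checks that `redis_bind_interfaces` is a non-empty list, yet the redis.conf.j2 hunk renders `bind {{ redis_bind_interfaces | join(' ') }}` and the nrpe.yml hunk uses `redis_bind_interfaces | first`, so a host that sets the new variable to a plain string or an empty list gets a bare `bind` line (or a template error) instead of a clear message. A second fail task right after the one added here would catch both shapes. Since the README hunk documents that an empty `redis_password` means no authentication, the same spot is a natural place to refuse any address outside the loopback set when the password is empty, e.g. `when: redis_password | length == 0 and redis_bind_interfaces | difference(['127.0.0.1', '::1']) | length > 0`. The task list continues outside the hunk.
```yaml
# … unchanged: 'Fail if redis_bind_interface is set' task …

- name: Fail if redis_bind_interfaces is not a non-empty list
  fail:
    msg: "'redis_bind_interfaces' must be a non-empty list of IP addresses"
  when: >-
    redis_bind_interfaces is not defined
    or redis_bind_interfaces is string
    or redis_bind_interfaces | length == 0
```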
From: Jeremy Lecour Date: Wed, 8 Jun 2022 15:38:21 +0200 Subject: [PATCH 02/10] Enforce String notation for mode --- CHANGELOG.md | 2 ++ elasticsearch/tasks/configuration.yml | 4 ++-- elasticsearch/tasks/tmpdir.yml | 2 +- evobackup-client/tasks/upload_scripts.yml | 2 +- keepalived/tasks/main.yml | 2 +- packweb-apache/tasks/multiphp.yml | 4 ++-- redis/tasks/instance-munin.yml | 2 +- 7 files changed, 10 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8ad2a22c..e54372b7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Fixed +* Enforce String notation for mode + ### Removed ### Security diff --git a/elasticsearch/tasks/configuration.yml b/elasticsearch/tasks/configuration.yml index 83dd130a..99c311c2 100644 --- a/elasticsearch/tasks/configuration.yml +++ b/elasticsearch/tasks/configuration.yml @@ -102,7 +102,7 @@ create: yes owner: root group: elasticsearch - mode: 0640 + mode: "0640" tags: - config @@ -114,7 +114,7 @@ create: yes owner: root group: elasticsearch - mode: 0640 + mode: "0640" tags: - config diff --git a/elasticsearch/tasks/tmpdir.yml b/elasticsearch/tasks/tmpdir.yml index c9ad3c19..30375af1 100644 --- a/elasticsearch/tasks/tmpdir.yml +++ b/elasticsearch/tasks/tmpdir.yml @@ -32,7 +32,7 @@ create: yes owner: root group: elasticsearch - mode: 0640 + mode: "0640" notify: - restart elasticsearch tags: diff --git a/evobackup-client/tasks/upload_scripts.yml b/evobackup-client/tasks/upload_scripts.yml index 79e5d7db..1ef4a74f 100644 --- a/evobackup-client/tasks/upload_scripts.yml +++ b/evobackup-client/tasks/upload_scripts.yml @@ -5,7 +5,7 @@ src: "{{ item }}" dest: "{{ evobackup_client__cron_path }}" force: true - mode: 0755 + mode: "0755" loop: "{{ query('first_found', templates) }}" vars: templates: diff --git a/keepalived/tasks/main.yml b/keepalived/tasks/main.yml index e468da58..b98ff1ae 100644 --- a/keepalived/tasks/main.yml 
+++ b/keepalived/tasks/main.yml @@ -46,7 +46,7 @@ template: src: keepalived.conf.j2 dest: /etc/keepalived/keepalived.conf - mode: 0644 + mode: "0644" notify: restart keepalived tags: - keepalived diff --git a/packweb-apache/tasks/multiphp.yml b/packweb-apache/tasks/multiphp.yml index 01f0b130..8a7c9613 100644 --- a/packweb-apache/tasks/multiphp.yml +++ b/packweb-apache/tasks/multiphp.yml @@ -13,13 +13,13 @@ copy: src: phpContainer dest: /usr/local/bin/phpContainer - mode: 0755 + mode: "0755" # - name: Copy php shim to call phpContainer when the user is a web user # copy: # src: multiphp-shim # dest: /usr/local/bin/php -# mode: 0755 +# mode: "0755" # - name: Modify bashrc skel file # lineinfile: diff --git a/redis/tasks/instance-munin.yml b/redis/tasks/instance-munin.yml index bc8d8e9a..2b664092 100644 --- a/redis/tasks/instance-munin.yml +++ b/redis/tasks/instance-munin.yml @@ -57,6 +57,6 @@ template: src: templates/munin-plugin-instances.conf.j2 dest: '/etc/munin/plugin-conf.d/evolinux.redis_{{ redis_instance_name }}' - mode: 0740 + mode: "0740" notify: restart munin-node tags: redis From e6ea44ff29087898aa3854946a8b6e3ef73d9d8a Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 8 Jun 2022 15:38:48 +0200 Subject: [PATCH 03/10] Explicit loop variable names --- kvm-host/tasks/munin.yml | 8 +++++--- redis/tasks/default-munin.yml | 4 +++- redis/tasks/instance-munin.yml | 4 +++- redis/tasks/instance-server.yml | 18 +++++++++++++----- 4 files changed, 24 insertions(+), 10 deletions(-) diff --git a/kvm-host/tasks/munin.yml b/kvm-host/tasks/munin.yml index d0bf1b0a..d16bcfd9 100644 --- a/kvm-host/tasks/munin.yml +++ b/kvm-host/tasks/munin.yml 
@@ -27,16 +27,18 @@ - kvm_mem notify: restart munin-node -- name: Enable redis munin plugin +- name: Enable Munin plugins file: - src: "/usr/local/share/munin/plugins/{{item}}" - dest: "/etc/munin/plugins/{{item}}" + src: "/usr/local/share/munin/plugins/{{ plugin_name }}" + dest: "/etc/munin/plugins/{{ plugin_name }}" state: link force: yes loop: - kvm_cpu - kvm_io - kvm_mem + loop_control: + loop_var: plugin_name notify: restart munin-node - name: Copy Munin plugins conf diff --git a/redis/tasks/default-munin.yml b/redis/tasks/default-munin.yml index 7856741e..1c9ab759 100644 --- a/redis/tasks/default-munin.yml +++ b/redis/tasks/default-munin.yml @@ -39,7 +39,7 @@ - name: Enable redis munin plugin file: src: /usr/local/share/munin/plugins/redis_ - dest: "/etc/munin/plugins/redis_{{item}}" + dest: "/etc/munin/plugins/redis_{{ plugin_name }}" state: link loop: - connected_clients @@ -48,6 +48,8 @@ - per_sec - used_keys - used_memory + loop_control: + loop_var: plugin_name notify: restart munin-node when: not ansible_check_mode tags: diff --git a/redis/tasks/instance-munin.yml b/redis/tasks/instance-munin.yml index 2b664092..72865e98 100644 --- a/redis/tasks/instance-munin.yml +++ b/redis/tasks/instance-munin.yml @@ -39,7 +39,7 @@ - name: Enable redis munin plugin file: src: /usr/local/share/munin/plugins/redis_ - dest: "/etc/munin/plugins/{{ redis_instance_name }}_redis_{{item}}" + dest: "/etc/munin/plugins/{{ redis_instance_name }}_redis_{{ plugin_name }}" state: link loop: - connected_clients @@ -48,6 +48,8 @@ - per_sec - used_keys - used_memory + loop_control: + loop_var: plugin_name notify: restart munin-node when: not ansible_check_mode tags: diff --git a/redis/tasks/instance-server.yml b/redis/tasks/instance-server.yml index 462ee8f4..3e6af623 100644 --- a/redis/tasks/instance-server.yml +++ b/redis/tasks/instance-server.yml 
@@ -38,7 +38,7 @@ - name: "Instance '{{ redis_instance_name }}' config hooks directories are present" file: - dest: "{{ item }}" + dest: "{{ _dir }}" mode: "0755" owner: "root" group: "root" @@ -49,6 +49,8 @@ - "{{ redis_conf_dir }}/redis-server.post-up.d" - "{{ redis_conf_dir }}/redis-server.pre-down.d" - "{{ redis_conf_dir }}/redis-server.post-down.d" + loop_control: + loop_var: _dir when: - ansible_distribution == "Debian" - ansible_distribution_major_version is version('9', '=') @@ -56,14 +58,16 @@ - redis - name: "Instance '{{ redis_instance_name }}' hooks examples are present" - command: "cp -a /etc/redis/{{ item }}/00_example {{ redis_conf_dir }}/{{ item }}" + command: "cp -a /etc/redis/{{ _dir }}/00_example {{ redis_conf_dir }}/{{ _dir }}" args: - creates: "{{ redis_conf_dir }}/{{ item }}/00_example" + creates: "{{ redis_conf_dir }}/{{ _dir }}/00_example" loop: - "redis-server.pre-up.d" - "redis-server.post-up.d" - "redis-server.pre-down.d" - "redis-server.post-down.d" + loop_control: + loop_var: _dir when: - ansible_distribution == "Debian" - ansible_distribution_major_version is version('9', '=') @@ -72,7 +76,7 @@ - name: "Instance '{{ redis_instance_name }}' socket/pid directories are present" file: - dest: "{{ item }}" + dest: "{{ _dir }}" mode: "0755" owner: "redis-{{ redis_instance_name }}" group: "redis-{{ redis_instance_name }}" @@ -81,12 +85,14 @@ loop: - "{{ redis_pid_dir }}" - "{{ redis_socket_dir }}" + loop_control: + loop_var: _dir tags: - redis - name: "Instance '{{ redis_instance_name }}' data/log directories are present" file: - dest: "{{ item }}" + dest: "{{ _dir }}" mode: "0751" owner: "redis-{{ redis_instance_name }}" group: "redis-{{ redis_instance_name }}" @@ -95,6 +101,8 @@ loop: - "{{ redis_data_dir }}" - "{{ redis_log_dir }}" + loop_control: + loop_var: _dir tags: - redis From bcaacdf57f6156e68dc8c5632031d7ee726b44df Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour Date: Wed, 8 Jun 2022 15:39:34 +0200 Subject: [PATCH 04/10] postgresql: fix nested loop for Munin plugins --- CHANGELOG.md | 1 + postgresql/tasks/munin.yml | 12 ++++++++++-- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e54372b7..ad5eecd5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,6 +19,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Fixed * Enforce String notation for mode +* postgresql: fix nested loop for Munin plugins ### Removed diff --git a/postgresql/tasks/munin.yml b/postgresql/tasks/munin.yml index ed2cc883..227304c8 100644 --- a/postgresql/tasks/munin.yml +++ b/postgresql/tasks/munin.yml @@ -30,7 +30,15 @@ dest: '/etc/munin/plugins/{{item[0]}}{{item[1]}}' loop: "{{ _plugins | product(_databases) | list }}" vars: - _plugins: ['postgres_cache_', 'postgres_connections_', 'postgres_locks_', 'postgres_querylength_', 'postgres_scans_', 'postgres_size_', 'postgres_transactions_', 'postgres_tuples_'] - _databases: postgresql_databases + _plugins: + - 'postgres_cache_' + - 'postgres_connections_' + - 'postgres_locks_' + - 'postgres_querylength_' + - 'postgres_scans_' + - 'postgres_size_' + - 'postgres_transactions_' + - 'postgres_tuples_' + _databases: "{{ postgresql_databases }}" notify: restart munin-node when: etc_munin_plugins.stat.exists and usr_share_munin_plugins.stat.exists From 1e19418fb0d26b45000794b6148201d94392f403 Mon Sep 17 00:00:00 2001 
From: Ludovic Poujol Date: Wed, 8 Jun 2022 17:55:58 +0200 Subject: [PATCH 05/10] Fail2ban: Multiple changes & improvements : * Give the possibility to override jail.local (with fail2ban_override_jaillocal) * If jail.local was overriden, add a warning * Allow to tune some jail settings (maxretry, bantime, findtime) with ansible * Allow to tune the default action with ansible * Change default action to ban only (instead of ban + mail with whois report) * Configure recidive jail (off by default) + extend dbpurgeage --- CHANGELOG.md | 6 +++ fail2ban/defaults/main.yml | 39 ++++++++++++++++-- fail2ban/tasks/main.yml | 30 ++++++++------ fail2ban/templates/jail.local.j2 | 70 +++++++++++++++++--------------- 4 files changed, 96 insertions(+), 49 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ad5eecd5..2798b03e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,12 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* fail2ban: Give the possibility to override jail.local (with fail2ban_override_jaillocal) +* fail2ban: If jail.local was overriden, add a warning +* fail2ban: Allow to tune some jail settings (maxretry, bantime, findtime) with ansible +* fail2ban: Allow to tune the default action with ansible +* fail2ban: Change default action to ban only (instead of ban + mail with whois report) +* fail2ban: Configure recidive jail (off by default) + extend dbpurgeage * redis: binding is possible on multiple interfaces (breaking change) ### Fixed diff --git a/fail2ban/defaults/main.yml b/fail2ban/defaults/main.yml index d983b32a..098a550a 100644 --- a/fail2ban/defaults/main.yml +++ b/fail2ban/defaults/main.yml 
@@ -6,10 +6,43 @@ fail2ban_alert_email: Null # "127.0.0.1/8" is always added to the list, even if the following lists are empty. fail2ban_default_ignore_ips: [] fail2ban_additional_ignore_ips: [] + # WARN: setting this to True will overwrite the list of ignored IP fail2ban_force_update_ignore_ips: False -fail2ban_wordpress: False -fail2ban_roundcube: False +fail2ban_override_jaillocal: False -fail2ban_disable_ssh: False +fail2ban_default_maxretry: 5 +fail2ban_default_bantime: 10m +fail2ban_default_findtime: 10m + +# Default fail2ban action. Chose beetween : +# - "action_" : (default) - ban only (following banaction) +# - "action_mw" : ban & send an email with whois report +# - "action_mwl" : ban & send an email with whois and log lines +fail2ban_default_action: "action_" + +fail2ban_sshd: True +fail2ban_sshd_maxretry: 10 +fail2ban_sshd_bantime: "{{ fail2ban_default_bantime }}" +fail2ban_sshd_findtime: "{{ fail2ban_default_findtime }}" + +fail2ban_recidive: False +fail2ban_recidive_maxretry: 3 +fail2ban_recidive_bantime: 1w +fail2ban_recidive_findtime: 1d + +fail2ban_wordpress_hard: False +fail2ban_wordpress_hard_maxretry: 1 +fail2ban_wordpress_hard_bantime: "{{ fail2ban_default_bantime }}" +fail2ban_wordpress_hard_findtime: "{{ fail2ban_default_findtime }}" + +fail2ban_wordpress_soft: False +fail2ban_wordpress_soft_maxretry: 5 +fail2ban_wordpress_soft_bantime: "{{ fail2ban_default_bantime }}" +fail2ban_wordpress_soft_findtime: "{{ fail2ban_default_findtime }}" + +fail2ban_roundcube: False +fail2ban_roundcube_maxretry: 5 +fail2ban_roundcube_bantime: "{{ fail2ban_default_bantime }}" +fail2ban_roundcube_findtime: "{{ fail2ban_default_findtime }}" \ No newline at end of file diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml index 30c795c9..56378c9b 100644 --- a/fail2ban/tasks/main.yml +++ b/fail2ban/tasks/main.yml @@ -12,6 +12,7 @@ loop: - "/etc/fail2ban" - "/etc/fail2ban/filter.d" + - "/etc/fail2ban/fail2ban.d" tags: - fail2ban 
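Review bot: `fail2ban_default_action` is a free-form string that jail.local.j2 interpolates as `action = %({{fail2ban_default_action}})s`, so a typo in an inventory value produces a jail file fail2ban cannot load — and a fail2ban that does not start means no bans at all, which is easy to miss. A three-line assert before the template task pins the three documented values: `- name: Check fail2ban_default_action` / `  assert:` / `    that: fail2ban_default_action in ['action_', 'action_mw', 'action_mwl']`. Minor: the file now ends without a trailing newline (`\ No newline at end of file`), and the new comment could read `# Default fail2ban action. Choose between :`.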
@@ -25,7 +26,7 @@ src: jail.local.j2 dest: /etc/fail2ban/jail.local mode: "0644" - force: no + force: "{{ fail2ban_override_jaillocal }}" notify: restart fail2ban tags: - fail2ban @@ -36,17 +37,6 @@ tags: - fail2ban -- name: Disable SSH filter - ini_file: - dest: /etc/fail2ban/jail.local - section: sshd - option: enabled - value: false - notify: restart fail2ban - when: fail2ban_disable_ssh | bool - tags: - - fail2ban - - name: custom filters are installed copy: src: "{{ item }}" @@ -62,7 +52,7 @@ tags: - fail2ban -- name: package is installed +- name: package fail2ban is installed apt: name: fail2ban state: present @@ -100,3 +90,17 @@ tags: - fail2ban - munin + +- name: "Extend dbpurgeage if recidive jail is enabled" + blockinfile: + dest: /etc/fail2ban/fail2ban.d/recidive_dbpurgeage + marker: "# ANSIBLE MANAGED" + block: | + [DEFAULT] + dbpurgeage = {{ fail2ban_recidive_bantime}} + insertafter: EOF + create: yes + mode: "0644" + notify: restart fail2ban + when: + - fail2ban_recidive \ No newline at end of file diff --git a/fail2ban/templates/jail.local.j2 b/fail2ban/templates/jail.local.j2 index 7e097e4f..19c4f35b 100644 --- a/fail2ban/templates/jail.local.j2 +++ b/fail2ban/templates/jail.local.j2 
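Review bot: Removing the `Disable SSH filter` task means `fail2ban_disable_ssh` is now silently ignored, and the defaults hunk in this commit likewise drops `fail2ban_wordpress` in favour of `fail2ban_wordpress_hard`/`fail2ban_wordpress_soft` without any guard. A host that still sets `fail2ban_wordpress: True` ends up with both wordpress jails disabled and no error — a quiet loss of protection — while the CHANGELOG entries added here do not call this out as breaking. The redis commit in this same series (PATCH 01) adds a fail task for exactly this situation; the same pattern fits here, placed where the removed task used to be.
```yaml
- name: Fail if deprecated fail2ban variables are set
  fail:
    msg: "'fail2ban_wordpress' is replaced by 'fail2ban_wordpress_hard'/'fail2ban_wordpress_soft', and 'fail2ban_disable_ssh' by 'fail2ban_sshd'"
  when: fail2ban_wordpress is defined or fail2ban_disable_ssh is defined
  tags:
    - fail2ban
```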
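Review bot: The `Extend dbpurgeage if recidive jail is enabled` task only creates `/etc/fail2ban/fail2ban.d/recidive_dbpurgeage` when `fail2ban_recidive` is true; once a host flips it back to false the file, and the extended `dbpurgeage`, stays behind, and nothing in the hunk removes it. A companion task that removes the file when the jail is disabled keeps the rendered state in step with the variable. `blockinfile` with `create: yes` is also more than this role-owned file needs; `copy` with `content:` would make creation and removal symmetrical. Minor: `{{ fail2ban_recidive_bantime}}` is missing its closing space, and the file ends without a newline.
```yaml
# … unchanged: 'Extend dbpurgeage if recidive jail is enabled' task …

- name: "Remove dbpurgeage override if recidive jail is disabled"
  file:
    path: /etc/fail2ban/fail2ban.d/recidive_dbpurgeage
    state: absent
  notify: restart fail2ban
  when: not fail2ban_recidive
```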
@@ -1,61 +1,65 @@ # EvoLinux Fail2Ban config. +{% if fail2ban_override_jaillocal %} +# WARNING : THIS FILE IS (PROBABLY) ANSIBLE MANAGED AS IT WAS OVERWRITTEN BY ANSIBLE +{% endif %} + [DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host ignoreip = {{ ['127.0.0.1/8'] | union(fail2ban_ignore_ips) | unique | join(' ') }} -bantime = 600 -maxretry = 3 - -# "backend" specifies the backend used to get files modification. Available -# options are "gamin", "polling" and "auto". -# yoh: For some reason Debian shipped python-gamin didn't work as expected -# This issue left ToDo, so polling is default backend for now -backend = auto +bantime = {{ fail2ban_default_bantime }} +maxretry = {{ fail2ban_default_maxretry }} destemail = {{ fail2ban_alert_email or general_alert_email | mandatory }} # ACTIONS - banaction = iptables-multiport -mta = sendmail -protocol = tcp -chain = INPUT -action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] - %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] +action = %({{fail2ban_default_action}})s -action = %(action_mwl)s [sshd] +enabled = {{ fail2ban_sshd }} port = ssh,2222,22222 -logpath = %(sshd_log)s -backend = %(sshd_backend)s -maxretry = 10 -{% if fail2ban_wordpress %} +maxretry = {{ fail2ban_sshd_maxretry }} +findtime = {{ fail2ban_sshd_findtime }} +bantime = {{ fail2ban_sshd_bantime }} + +[recidive] +enabled = {{ fail2ban_recidive }} + +maxretry = {{ fail2ban_recidive_maxretry }} +findtime = {{ fail2ban_recidive_findtime }} +bantime = {{ fail2ban_recidive_bantime }} + + +# Evolix custom jails + [wordpress-hard] -enabled = true -port = http,https +enabled = {{ fail2ban_wordpress_hard }} +port = http, https filter = wordpress-hard logpath = /var/log/auth.log -maxretry = 1 -findtime = 300 +maxretry = {{ fail2ban_wordpress_hard_maxretry }} +findtime = {{ fail2ban_wordpress_hard_findtime }} +bantime = {{ 
fail2ban_wordpress_hard_bantime }} [wordpress-soft] -enabled = true -port = http,https +enabled = {{ fail2ban_wordpress_soft }} +port = http, https filter = wordpress-soft logpath = /var/log/auth.log -maxretry = 5 -findtime = 300 -{% endif %} +maxretry = {{ fail2ban_wordpress_soft_maxretry }} +findtime = {{ fail2ban_wordpress_soft_findtime }} +bantime = {{ fail2ban_wordpress_soft_bantime }} -{% if fail2ban_roundcube %} [roundcube] -enabled = true -port = http,https +enabled = {{ fail2ban_roundcube }} +port = http, https filter = roundcube logpath = /var/lib/roundcube/logs/errors -maxretry = 5 -{% endif %} +maxretry = {{ fail2ban_roundcube_maxretry }} +findtime = {{ fail2ban_roundcube_findtime }} +bantime = {{ fail2ban_roundcube_bantime }} From 4d1d77faaf3c68740ac0d3b9d1445be5511ed964 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 8 Jun 2022 16:45:41 +0200 Subject: [PATCH 06/10] postgresql: add variable to configure binding addresses (default: 127.0.0.1) --- CHANGELOG.md | 2 ++ postgresql/defaults/main.yml | 4 ++++ postgresql/templates/postgresql.conf.j2 | 3 ++- 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2798b03e..dc3a5840 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added +* postgresql: add variable to configure binding addresses (default: 127.0.0.1) + ### Changed * fail2ban: Give the possibility to override jail.local (with fail2ban_override_jaillocal) diff --git a/postgresql/defaults/main.yml b/postgresql/defaults/main.yml index 7b2b3734..dcdffb05 100644 --- a/postgresql/defaults/main.yml +++ b/postgresql/defaults/main.yml @@ -8,6 +8,10 @@ postgresql_work_mem: 8MB postgresql_random_page_cost: 1.5 postgresql_effective_cache_size: "{{ (ansible_memtotal_mb * 0.5) | int }}MB" +# Binding +postgresql_listen_addresses: + - "127.0.0.1" + # PostgreSQL version postgresql_version: '' 
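Review bot: The rendered `[DEFAULT]` block quietly loosens the previous baseline: the old template hard-coded `maxretry = 3`, while `fail2ban_default_maxretry` defaults to 5 in the defaults hunk, and none of the CHANGELOG entries in this commit mention the looser value — either keep 3 as the default or record the change. The three custom jails also gained a space in `port = http, https` (the removed lines had `http,https`); unless fail2ban strips whitespace from port lists, that string reaches the ban action's port argument verbatim, so the old spelling is the safer one. The `[recidive]` jail relies on jail.conf for its `logpath`/`banaction`, which is fine on Debian's packaged defaults but worth a one-line comment so nobody adds them twice.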
diff --git a/postgresql/templates/postgresql.conf.j2 b/postgresql/templates/postgresql.conf.j2 index 25597519..9adce0b4 100644 --- a/postgresql/templates/postgresql.conf.j2 +++ b/postgresql/templates/postgresql.conf.j2 @@ -1,6 +1,7 @@ # Tuning shared_buffers = {{ postgresql_shared_buffers }} work_mem = {{ postgresql_work_mem }} +listen_addresses = '{{ postgresql_listen_addresses | join(',') }}' #shared_preload_libraries = 'pg_stat_statements' #synchronous_commit = off {% if postgresql_version is version('9.5', '<') %} @@ -13,7 +14,7 @@ checkpoint_completion_target = 0.9 random_page_cost = {{ postgresql_random_page_cost }} effective_cache_size = {{ postgresql_effective_cache_size }} -# Loging +# Logging log_min_duration_statement = 1s log_checkpoints = on log_lock_waits = on From cea1408bba937656c504fd691e22c023b1198ebf Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 9 Jun 2022 07:41:49 +0200 Subject: [PATCH 07/10] evocheck: upstream release 22.06.2 --- CHANGELOG.md | 1 + evocheck/files/evocheck.sh | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index dc3a5840..07847f87 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* evocheck: upstream release 22.06.2 * fail2ban: Give the possibility to override jail.local (with fail2ban_override_jaillocal) * fail2ban: If jail.local was overriden, add a warning * fail2ban: Allow to tune some jail settings (maxretry, bantime, findtime) with ansible diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index 5b1afb09..87d9e3e3 100644 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Debian/OpenBSD server # powered by Evolix -VERSION="22.06.1" +VERSION="22.06.2" readonly VERSION # base functions 
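Review bot: `listen_addresses = '{{ postgresql_listen_addresses | join(',') }}'` renders as `listen_addresses = ''` when the list is empty, which switches TCP listening off entirely rather than preserving the previous behaviour, and a bare-string value is joined character by character. A short assert before the template task makes both failure modes explicit: `that: postgresql_listen_addresses is not string and postgresql_listen_addresses | length > 0`. The diffstat shows CHANGELOG and defaults but no README change; if the role has one, the new knob belongs there with a note that anything beyond `127.0.0.1` is reachable subject to pg_hba.conf.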
@@ -744,7 +744,7 @@ check_backupuptodate() { if [ -n "$(ls -A ${backup_dir})" ]; then # Look for all files, including subdirectories. # If this turns out to be problematic, we can go back to first level only, with --max-depth=1 - find "${backup_dir}" -type f | while read -r file; do + find "${backup_dir}" -type f --max-depth=1 | while read -r file; do limit=$(date +"%s" -d "now - 2 day") updated_at=$(stat -c "%Y" "$file") From 31c49a125b9ad8f9dcdf61c9714ca810f058712b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 9 Jun 2022 07:47:00 +0200 Subject: [PATCH 08/10] evocheck: manual fix of find syntax --- evocheck/files/evocheck.sh | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index 87d9e3e3..9391f119 100644 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -742,9 +742,7 @@ check_backupuptodate() { backup_dir="/home/backup" if [ -d "${backup_dir}" ]; then if [ -n "$(ls -A ${backup_dir})" ]; then - # Look for all files, including subdirectories. - # If this turns out to be problematic, we can go back to first level only, with --max-depth=1 - find "${backup_dir}" -type f --max-depth=1 | while read -r file; do + find "${backup_dir}" -type f -maxdepth 1 | while read -r file; do limit=$(date +"%s" -d "now - 2 day") updated_at=$(stat -c "%Y" "$file") From b3ac39decdb734655a1b17cb71f059b7bc2c8b31 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Thu, 9 Jun 2022 10:33:28 +0200 Subject: [PATCH 09/10] postgresql: Fix task order when using pgdg repo & Install the right pg version --- CHANGELOG.md | 2 ++ postgresql/tasks/packages_bullseye.yml | 2 +- postgresql/tasks/packages_buster.yml | 2 +- postgresql/tasks/packages_stretch.yml | 2 +- postgresql/tasks/pgdg-repo.yml | 13 ++++--------- 5 files changed, 9 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 07847f87..8a00a318 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
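Review bot: `find "${backup_dir}" -type f -maxdepth 1` puts the global option after a test; GNU find accepts it but prints an "options are not positional" warning to stderr on every run, which surfaces in evocheck's output. Write it as `find "${backup_dir}" -maxdepth 1 -type f | while read -r file; do`. The removed comment described the old recursive behaviour, so a replacement such as `# Only first-level files are checked (subdirectories are ignored)` keeps the intent readable. check_backupuptodate starts and ends outside the hunk.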
@@ -29,6 +29,8 @@ The **patch** part changes is incremented if multiple releases happen the same m * Enforce String notation for mode * postgresql: fix nested loop for Munin plugins +* postgresql: Fix task order when using pgdg repo +* postgresql: Install the right pg version ### Removed diff --git a/postgresql/tasks/packages_bullseye.yml b/postgresql/tasks/packages_bullseye.yml index 558578f2..1b4cb0ac 100644 --- a/postgresql/tasks/packages_bullseye.yml +++ b/postgresql/tasks/packages_bullseye.yml @@ -11,6 +11,6 @@ - name: Install postgresql package apt: name: - - postgresql + - "postgresql-{{postgresql_version}}" - pgtop - libdbd-pg-perl diff --git a/postgresql/tasks/packages_buster.yml b/postgresql/tasks/packages_buster.yml index 76017545..815e741d 100644 --- a/postgresql/tasks/packages_buster.yml +++ b/postgresql/tasks/packages_buster.yml @@ -11,6 +11,6 @@ - name: Install postgresql package apt: name: - - postgresql + - "postgresql-{{postgresql_version}}" - pgtop - libdbd-pg-perl diff --git a/postgresql/tasks/packages_stretch.yml b/postgresql/tasks/packages_stretch.yml index d8ebb9e4..a43c313b 100644 --- a/postgresql/tasks/packages_stretch.yml +++ b/postgresql/tasks/packages_stretch.yml @@ -11,6 +11,6 @@ - name: Install postgresql package apt: name: - - postgresql + - "postgresql-{{postgresql_version}}" - ptop - libdbd-pg-perl diff --git a/postgresql/tasks/pgdg-repo.yml b/postgresql/tasks/pgdg-repo.yml index a13b7469..38f21079 100644 --- a/postgresql/tasks/pgdg-repo.yml +++ b/postgresql/tasks/pgdg-repo.yml 
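Review bot: `- "postgresql-{{postgresql_version}}"` breaks the install when `postgresql_version` is left at its default `''` (visible in the postgresql/defaults/main.yml hunk of PATCH 06): the package name becomes `postgresql-`, which apt rejects, whereas the old `postgresql` metapackage worked without a version — unless a task earlier in the role derives the version before this point, which is not visible here. The same line appears in packages_buster.yml and packages_stretch.yml. Either fail early when the version is empty or fall back to the metapackage: `- "{{ 'postgresql-' ~ postgresql_version if postgresql_version | length > 0 else 'postgresql' }}"`. Spaces inside the braces would also match the `{{ var }}` style used elsewhere in the series.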
@@ -2,17 +2,12 @@ - name: Open firewall for PGDG repository replace: name: /etc/default/minifirewall - regexp: "^(HTTPSITES='((?!apt\\.postgresql\\.org).)*)'$" + regexp: "^(HTTPSITES='((?!apt\\.postgresql\\.org|0\\.0\\.0\\.0).)*)'$" replace: "\\1 apt.postgresql.org'" notify: Restart minifirewall - meta: flush_handlers -- name: Add PGDG repository - apt_repository: - repo: "deb http://apt.postgresql.org/pub/repos/apt/ {{ansible_distribution_release}}-pgdg main" - update_cache: yes - - name: Look for legacy apt keyring stat: path: /etc/apt/trusted.gpg @@ -34,9 +29,9 @@ owner: root group: root -- name: Update and upgrade apt packages for PGDG repository - apt: - upgrade: yes +- name: Add PGDG repository + apt_repository: + repo: "deb http://apt.postgresql.org/pub/repos/apt/ {{ansible_distribution_release}}-pgdg main" update_cache: yes - name: Add APT preference file From 556719bbf257a583e20b398aee28d40772cd9eef Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 10 Jun 2022 11:11:44 +0200 Subject: [PATCH 10/10] Release 22.06.2 --- CHANGELOG.md | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8a00a318..6d85ed31 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,18 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added +### Changed + +### Fixed + +### Removed + +### Security + +## [22.06.2] 2022-06-10 + +### Added + * postgresql: add variable to configure binding addresses (default: 127.0.0.1) ### Changed @@ -32,10 +44,6 @@ The **patch** part changes is incremented if multiple releases happen the same m * postgresql: Fix task order when using pgdg repo * postgresql: Install the right pg version -### Removed - -### Security - ## [22.06.1] 2022-06-06 ### Changed
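Review bot: The relocated `Add PGDG repository` task still registers the source without `signed-by`, so the PGDG key installed by the preceding task (its path is outside the hunk) is trusted for every APT source on the host rather than just this one; moving the task after the keyring fixes ordering but not trust scope. Bind them with `repo: "deb [signed-by=<PGDG_KEYRING_PATH>] http://apt.postgresql.org/pub/repos/apt/ {{ ansible_distribution_release }}-pgdg main"`, replacing the placeholder with the file the keyring task writes — if the key goes through the legacy `/etc/apt/trusted.gpg` path that the `Look for legacy apt keyring` task hints at, a dedicated keyring file is needed first. Dropping the blanket `apt: upgrade: yes` is welcome; a repository-add task should not upgrade every package on the box.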