Merge branch 'unstable' into stable
e3715ca2d6
24
CHANGELOG.md
24
CHANGELOG.md
|
@ -20,6 +20,30 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
|
|
||||||
### Security
|
### Security
|
||||||
|
|
||||||
|
## [22.06.2] 2022-06-10
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
* postgresql: add variable to configure binding addresses (default: 127.0.0.1)
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
|
||||||
|
* evocheck: upstream release 22.06.2
|
||||||
|
* fail2ban: Give the possibility to override jail.local (with fail2ban_override_jaillocal)
|
||||||
|
* fail2ban: If jail.local was overriden, add a warning
|
||||||
|
* fail2ban: Allow to tune some jail settings (maxretry, bantime, findtime) with ansible
|
||||||
|
* fail2ban: Allow to tune the default action with ansible
|
||||||
|
* fail2ban: Change default action to ban only (instead of ban + mail with whois report)
|
||||||
|
* fail2ban: Configure recidive jail (off by default) + extend dbpurgeage
|
||||||
|
* redis: binding is possible on multiple interfaces (breaking change)
|
||||||
|
|
||||||
|
### Fixed
|
||||||
|
|
||||||
|
* Enforce String notation for mode
|
||||||
|
* postgresql: fix nested loop for Munin plugins
|
||||||
|
* postgresql: Fix task order when using pgdg repo
|
||||||
|
* postgresql: Install the right pg version
|
||||||
|
|
||||||
## [22.06.1] 2022-06-06
|
## [22.06.1] 2022-06-06
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
|
|
@ -102,7 +102,7 @@
|
||||||
create: yes
|
create: yes
|
||||||
owner: root
|
owner: root
|
||||||
group: elasticsearch
|
group: elasticsearch
|
||||||
mode: 0640
|
mode: "0640"
|
||||||
tags:
|
tags:
|
||||||
- config
|
- config
|
||||||
|
|
||||||
|
@ -114,7 +114,7 @@
|
||||||
create: yes
|
create: yes
|
||||||
owner: root
|
owner: root
|
||||||
group: elasticsearch
|
group: elasticsearch
|
||||||
mode: 0640
|
mode: "0640"
|
||||||
tags:
|
tags:
|
||||||
- config
|
- config
|
||||||
|
|
||||||
|
|
|
@ -32,7 +32,7 @@
|
||||||
create: yes
|
create: yes
|
||||||
owner: root
|
owner: root
|
||||||
group: elasticsearch
|
group: elasticsearch
|
||||||
mode: 0640
|
mode: "0640"
|
||||||
notify:
|
notify:
|
||||||
- restart elasticsearch
|
- restart elasticsearch
|
||||||
tags:
|
tags:
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
src: "{{ item }}"
|
src: "{{ item }}"
|
||||||
dest: "{{ evobackup_client__cron_path }}"
|
dest: "{{ evobackup_client__cron_path }}"
|
||||||
force: true
|
force: true
|
||||||
mode: 0755
|
mode: "0755"
|
||||||
loop: "{{ query('first_found', templates) }}"
|
loop: "{{ query('first_found', templates) }}"
|
||||||
vars:
|
vars:
|
||||||
templates:
|
templates:
|
||||||
|
|
|
@ -4,7 +4,7 @@
|
||||||
# Script to verify compliance of a Debian/OpenBSD server
|
# Script to verify compliance of a Debian/OpenBSD server
|
||||||
# powered by Evolix
|
# powered by Evolix
|
||||||
|
|
||||||
VERSION="22.06.1"
|
VERSION="22.06.2"
|
||||||
readonly VERSION
|
readonly VERSION
|
||||||
|
|
||||||
# base functions
|
# base functions
|
||||||
|
@ -742,9 +742,7 @@ check_backupuptodate() {
|
||||||
backup_dir="/home/backup"
|
backup_dir="/home/backup"
|
||||||
if [ -d "${backup_dir}" ]; then
|
if [ -d "${backup_dir}" ]; then
|
||||||
if [ -n "$(ls -A ${backup_dir})" ]; then
|
if [ -n "$(ls -A ${backup_dir})" ]; then
|
||||||
# Look for all files, including subdirectories.
|
find "${backup_dir}" -type f -maxdepth 1 | while read -r file; do
|
||||||
# If this turns out to be problematic, we can go back to first level only, with --max-depth=1
|
|
||||||
find "${backup_dir}" -type f | while read -r file; do
|
|
||||||
limit=$(date +"%s" -d "now - 2 day")
|
limit=$(date +"%s" -d "now - 2 day")
|
||||||
updated_at=$(stat -c "%Y" "$file")
|
updated_at=$(stat -c "%Y" "$file")
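Review bot: Dropping `-maxdepth 1` (new `find "${backup_dir}" -type f | while read -r file`) makes the loop walk every file under /home/backup, and a file name containing a newline is now split across two iterations, so the stale-backup check runs `stat` on a mangled path; if the script runs under bash, `find "${backup_dir}" -type f -print0 | while IFS= read -r -d '' file; do` keeps names intact (under POSIX sh keep the current form but document the limitation). The `limit=$(date +"%s" -d "now - 2 day")` inside the loop is loop-invariant and can be hoisted above the find. The comment's `--max-depth=1` is not find syntax; it should read `-maxdepth 1` so the hint is actually copy-pastable. The unquoted `${backup_dir}` in the `ls -A` test is pre-existing. check_backupuptodate starts before this hunk and its body continues past it.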
|
||||||
|
|
||||||
|
|
|
@ -6,10 +6,43 @@ fail2ban_alert_email: Null
|
||||||
# "127.0.0.1/8" is always added to the list, even if the following lists are empty.
|
# "127.0.0.1/8" is always added to the list, even if the following lists are empty.
|
||||||
fail2ban_default_ignore_ips: []
|
fail2ban_default_ignore_ips: []
|
||||||
fail2ban_additional_ignore_ips: []
|
fail2ban_additional_ignore_ips: []
|
||||||
|
|
||||||
# WARN: setting this to True will overwrite the list of ignored IP
|
# WARN: setting this to True will overwrite the list of ignored IP
|
||||||
fail2ban_force_update_ignore_ips: False
|
fail2ban_force_update_ignore_ips: False
|
||||||
|
|
||||||
fail2ban_wordpress: False
|
fail2ban_override_jaillocal: False
|
||||||
fail2ban_roundcube: False
|
|
||||||
|
|
||||||
fail2ban_disable_ssh: False
|
fail2ban_default_maxretry: 5
|
||||||
|
fail2ban_default_bantime: 10m
|
||||||
|
fail2ban_default_findtime: 10m
|
||||||
|
|
||||||
|
# Default fail2ban action. Chose beetween :
|
||||||
|
# - "action_" : (default) - ban only (following banaction)
|
||||||
|
# - "action_mw" : ban & send an email with whois report
|
||||||
|
# - "action_mwl" : ban & send an email with whois and log lines
|
||||||
|
fail2ban_default_action: "action_"
|
||||||
|
|
||||||
|
fail2ban_sshd: True
|
||||||
|
fail2ban_sshd_maxretry: 10
|
||||||
|
fail2ban_sshd_bantime: "{{ fail2ban_default_bantime }}"
|
||||||
|
fail2ban_sshd_findtime: "{{ fail2ban_default_findtime }}"
|
||||||
|
|
||||||
|
fail2ban_recidive: False
|
||||||
|
fail2ban_recidive_maxretry: 3
|
||||||
|
fail2ban_recidive_bantime: 1w
|
||||||
|
fail2ban_recidive_findtime: 1d
|
||||||
|
|
||||||
|
fail2ban_wordpress_hard: False
|
||||||
|
fail2ban_wordpress_hard_maxretry: 1
|
||||||
|
fail2ban_wordpress_hard_bantime: "{{ fail2ban_default_bantime }}"
|
||||||
|
fail2ban_wordpress_hard_findtime: "{{ fail2ban_default_findtime }}"
|
||||||
|
|
||||||
|
fail2ban_wordpress_soft: False
|
||||||
|
fail2ban_wordpress_soft_maxretry: 5
|
||||||
|
fail2ban_wordpress_soft_bantime: "{{ fail2ban_default_bantime }}"
|
||||||
|
fail2ban_wordpress_soft_findtime: "{{ fail2ban_default_findtime }}"
|
||||||
|
|
||||||
|
fail2ban_roundcube: False
|
||||||
|
fail2ban_roundcube_maxretry: 5
|
||||||
|
fail2ban_roundcube_bantime: "{{ fail2ban_default_bantime }}"
|
||||||
|
fail2ban_roundcube_findtime: "{{ fail2ban_default_findtime }}"
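Review bot: Replacing `fail2ban_wordpress` / `fail2ban_roundcube` / `fail2ban_disable_ssh` with the per-jail booleans means an inventory that still sets `fail2ban_wordpress: True` will silently have those jails rendered with `enabled = False` on the next jail.local override — a protection regression that fails open instead of failing the play. The redis role in this same merge adds a `fail` task for its renamed `redis_bind_interface`; the same guard belongs here, e.g. `- name: Fail on removed fail2ban variables` / `fail: { msg: "fail2ban_wordpress, fail2ban_roundcube and fail2ban_disable_ssh were replaced by per-jail fail2ban_*_hard/soft, fail2ban_roundcube and fail2ban_sshd" }` / `when: fail2ban_wordpress is defined or fail2ban_roundcube is defined or fail2ban_disable_ssh is defined`, and the changelog entry should be flagged as breaking. Separately, the `10m` / `1w` / `1d` suffixes are only parsed by fail2ban >= 0.10; on hosts still on 0.9.x (Debian 9, which the redis tasks in this merge still target) these would need to be plain seconds, so confirm the supported Debian range or document the constraint above `fail2ban_default_bantime`. The comment `Chose beetween :` should read `Choose between:`.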
|
|
@ -12,6 +12,7 @@
|
||||||
loop:
|
loop:
|
||||||
- "/etc/fail2ban"
|
- "/etc/fail2ban"
|
||||||
- "/etc/fail2ban/filter.d"
|
- "/etc/fail2ban/filter.d"
|
||||||
|
- "/etc/fail2ban/fail2ban.d"
|
||||||
tags:
|
tags:
|
||||||
- fail2ban
|
- fail2ban
|
||||||
|
|
||||||
|
@ -25,7 +26,7 @@
|
||||||
src: jail.local.j2
|
src: jail.local.j2
|
||||||
dest: /etc/fail2ban/jail.local
|
dest: /etc/fail2ban/jail.local
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
force: no
|
force: "{{ fail2ban_override_jaillocal }}"
|
||||||
notify: restart fail2ban
|
notify: restart fail2ban
|
||||||
tags:
|
tags:
|
||||||
- fail2ban
|
- fail2ban
|
||||||
|
@ -36,17 +37,6 @@
|
||||||
tags:
|
tags:
|
||||||
- fail2ban
|
- fail2ban
|
||||||
|
|
||||||
- name: Disable SSH filter
|
|
||||||
ini_file:
|
|
||||||
dest: /etc/fail2ban/jail.local
|
|
||||||
section: sshd
|
|
||||||
option: enabled
|
|
||||||
value: false
|
|
||||||
notify: restart fail2ban
|
|
||||||
when: fail2ban_disable_ssh | bool
|
|
||||||
tags:
|
|
||||||
- fail2ban
|
|
||||||
|
|
||||||
- name: custom filters are installed
|
- name: custom filters are installed
|
||||||
copy:
|
copy:
|
||||||
src: "{{ item }}"
|
src: "{{ item }}"
|
||||||
|
@ -62,7 +52,7 @@
|
||||||
tags:
|
tags:
|
||||||
- fail2ban
|
- fail2ban
|
||||||
|
|
||||||
- name: package is installed
|
- name: package fail2ban is installed
|
||||||
apt:
|
apt:
|
||||||
name: fail2ban
|
name: fail2ban
|
||||||
state: present
|
state: present
|
||||||
|
@ -100,3 +90,17 @@
|
||||||
tags:
|
tags:
|
||||||
- fail2ban
|
- fail2ban
|
||||||
- munin
|
- munin
|
||||||
|
|
||||||
|
- name: "Extend dbpurgeage if recidive jail is enabled"
|
||||||
|
blockinfile:
|
||||||
|
dest: /etc/fail2ban/fail2ban.d/recidive_dbpurgeage
|
||||||
|
marker: "# ANSIBLE MANAGED"
|
||||||
|
block: |
|
||||||
|
[DEFAULT]
|
||||||
|
dbpurgeage = {{ fail2ban_recidive_bantime}}
|
||||||
|
insertafter: EOF
|
||||||
|
create: yes
|
||||||
|
mode: "0644"
|
||||||
|
notify: restart fail2ban
|
||||||
|
when:
|
||||||
|
- fail2ban_recidive
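Review bot: `marker: "# ANSIBLE MANAGED"` has no `{mark}` placeholder, so blockinfile's begin and end markers are the identical string; on the second run the module cannot tell them apart and, as far as I can tell from its marker matching, re-inserts the block instead of replacing it, so the file grows another `[DEFAULT]` / `dbpurgeage` pair every run. Since the whole file is role-owned there is no need for blockinfile at all: write it with `copy` + `content:`, and add a matching `file: state: absent` task guarded by `when: not fail2ban_recidive` so disabling recidive later also drops the extended purge age instead of leaving it behind. There is also a missing space in `{{ fail2ban_recidive_bantime}}`.

```yaml
- name: "Extend dbpurgeage if recidive jail is enabled"
  copy:
    dest: /etc/fail2ban/fail2ban.d/recidive_dbpurgeage
    content: |
      [DEFAULT]
      dbpurgeage = {{ fail2ban_recidive_bantime }}
    mode: "0644"
  notify: restart fail2ban
  when: fail2ban_recidive | bool
  tags:
    - fail2ban

- name: "Remove dbpurgeage override if recidive jail is disabled"
  file:
    path: /etc/fail2ban/fail2ban.d/recidive_dbpurgeage
    state: absent
  notify: restart fail2ban
  when: not (fail2ban_recidive | bool)
  tags:
    - fail2ban
```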
|
|
@ -1,61 +1,65 @@
|
||||||
# EvoLinux Fail2Ban config.
|
# EvoLinux Fail2Ban config.
|
||||||
|
|
||||||
|
{% if fail2ban_override_jaillocal %}
|
||||||
|
# WARNING : THIS FILE IS (PROBABLY) ANSIBLE MANAGED AS IT WAS OVERWRITTEN BY ANSIBLE
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
[DEFAULT]
|
[DEFAULT]
|
||||||
|
|
||||||
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
|
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
|
||||||
ignoreip = {{ ['127.0.0.1/8'] | union(fail2ban_ignore_ips) | unique | join(' ') }}
|
ignoreip = {{ ['127.0.0.1/8'] | union(fail2ban_ignore_ips) | unique | join(' ') }}
|
||||||
|
|
||||||
bantime = 600
|
bantime = {{ fail2ban_default_bantime }}
|
||||||
maxretry = 3
|
maxretry = {{ fail2ban_default_maxretry }}
|
||||||
|
|
||||||
# "backend" specifies the backend used to get files modification. Available
|
|
||||||
# options are "gamin", "polling" and "auto".
|
|
||||||
# yoh: For some reason Debian shipped python-gamin didn't work as expected
|
|
||||||
# This issue left ToDo, so polling is default backend for now
|
|
||||||
backend = auto
|
|
||||||
|
|
||||||
destemail = {{ fail2ban_alert_email or general_alert_email | mandatory }}
|
destemail = {{ fail2ban_alert_email or general_alert_email | mandatory }}
|
||||||
|
|
||||||
# ACTIONS
|
# ACTIONS
|
||||||
|
|
||||||
banaction = iptables-multiport
|
banaction = iptables-multiport
|
||||||
mta = sendmail
|
action = %({{fail2ban_default_action}})s
|
||||||
protocol = tcp
|
|
||||||
chain = INPUT
|
|
||||||
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
|
|
||||||
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
|
|
||||||
|
|
||||||
action = %(action_mwl)s
|
|
||||||
|
|
||||||
[sshd]
|
[sshd]
|
||||||
|
enabled = {{ fail2ban_sshd }}
|
||||||
port = ssh,2222,22222
|
port = ssh,2222,22222
|
||||||
logpath = %(sshd_log)s
|
|
||||||
backend = %(sshd_backend)s
|
|
||||||
maxretry = 10
|
|
||||||
|
|
||||||
{% if fail2ban_wordpress %}
|
maxretry = {{ fail2ban_sshd_maxretry }}
|
||||||
|
findtime = {{ fail2ban_sshd_findtime }}
|
||||||
|
bantime = {{ fail2ban_sshd_bantime }}
|
||||||
|
|
||||||
|
[recidive]
|
||||||
|
enabled = {{ fail2ban_recidive }}
|
||||||
|
|
||||||
|
maxretry = {{ fail2ban_recidive_maxretry }}
|
||||||
|
findtime = {{ fail2ban_recidive_findtime }}
|
||||||
|
bantime = {{ fail2ban_recidive_bantime }}
|
||||||
|
|
||||||
|
|
||||||
|
# Evolix custom jails
|
||||||
|
|
||||||
[wordpress-hard]
|
[wordpress-hard]
|
||||||
enabled = true
|
enabled = {{ fail2ban_wordpress_hard }}
|
||||||
port = http,https
|
port = http, https
|
||||||
filter = wordpress-hard
|
filter = wordpress-hard
|
||||||
logpath = /var/log/auth.log
|
logpath = /var/log/auth.log
|
||||||
maxretry = 1
|
maxretry = {{ fail2ban_wordpress_hard_maxretry }}
|
||||||
findtime = 300
|
findtime = {{ fail2ban_wordpress_hard_findtime }}
|
||||||
|
bantime = {{ fail2ban_wordpress_hard_bantime }}
|
||||||
|
|
||||||
[wordpress-soft]
|
[wordpress-soft]
|
||||||
enabled = true
|
enabled = {{ fail2ban_wordpress_soft }}
|
||||||
port = http,https
|
port = http, https
|
||||||
filter = wordpress-soft
|
filter = wordpress-soft
|
||||||
logpath = /var/log/auth.log
|
logpath = /var/log/auth.log
|
||||||
maxretry = 5
|
maxretry = {{ fail2ban_wordpress_soft_maxretry }}
|
||||||
findtime = 300
|
findtime = {{ fail2ban_wordpress_soft_findtime }}
|
||||||
{% endif %}
|
bantime = {{ fail2ban_wordpress_soft_bantime }}
|
||||||
|
|
||||||
{% if fail2ban_roundcube %}
|
|
||||||
[roundcube]
|
[roundcube]
|
||||||
enabled = true
|
enabled = {{ fail2ban_roundcube }}
|
||||||
port = http,https
|
port = http, https
|
||||||
filter = roundcube
|
filter = roundcube
|
||||||
logpath = /var/lib/roundcube/logs/errors
|
logpath = /var/lib/roundcube/logs/errors
|
||||||
maxretry = 5
|
maxretry = {{ fail2ban_roundcube_maxretry }}
|
||||||
{% endif %}
|
findtime = {{ fail2ban_roundcube_findtime }}
|
||||||
|
bantime = {{ fail2ban_roundcube_bantime }}
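Review bot: `[DEFAULT]` now emits `bantime` and `maxretry` from the new variables but not `findtime`, although `fail2ban_default_findtime` is advertised as a tunable and is only ever consumed through the per-jail defaults; a jail enabled outside this template keeps fail2ban's built-in findtime, so add `findtime = {{ fail2ban_default_findtime }}` after the maxretry line. Note that the default `maxretry` moves from 3 to 5 and the default action from ban+whois-mail to ban-only — the changelog mentions the action but not the relaxed retry count, and both deserve a line there. The `enabled = {{ fail2ban_sshd }}` lines render Python's `True` / `False`; fail2ban's boolean parsing is case-insensitive in the versions I know, but `{{ fail2ban_sshd | bool | lower }}` would make the output independent of whether the variable arrives as a bool or a string from the inventory.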
|
||||||
|
|
|
@ -46,7 +46,7 @@
|
||||||
template:
|
template:
|
||||||
src: keepalived.conf.j2
|
src: keepalived.conf.j2
|
||||||
dest: /etc/keepalived/keepalived.conf
|
dest: /etc/keepalived/keepalived.conf
|
||||||
mode: 0644
|
mode: "0644"
|
||||||
notify: restart keepalived
|
notify: restart keepalived
|
||||||
tags:
|
tags:
|
||||||
- keepalived
|
- keepalived
|
||||||
|
|
|
@ -27,16 +27,18 @@
|
||||||
- kvm_mem
|
- kvm_mem
|
||||||
notify: restart munin-node
|
notify: restart munin-node
|
||||||
|
|
||||||
- name: Enable redis munin plugin
|
- name: Enable Munin plugins
|
||||||
file:
|
file:
|
||||||
src: "/usr/local/share/munin/plugins/{{item}}"
|
src: "/usr/local/share/munin/plugins/{{ plugin_name }}"
|
||||||
dest: "/etc/munin/plugins/{{item}}"
|
dest: "/etc/munin/plugins/{{ plugin_name }}"
|
||||||
state: link
|
state: link
|
||||||
force: yes
|
force: yes
|
||||||
loop:
|
loop:
|
||||||
- kvm_cpu
|
- kvm_cpu
|
||||||
- kvm_io
|
- kvm_io
|
||||||
- kvm_mem
|
- kvm_mem
|
||||||
|
loop_control:
|
||||||
|
loop_var: plugin_name
|
||||||
notify: restart munin-node
|
notify: restart munin-node
|
||||||
|
|
||||||
- name: Copy Munin plugins conf
|
- name: Copy Munin plugins conf
|
||||||
|
|
|
@ -13,13 +13,13 @@
|
||||||
copy:
|
copy:
|
||||||
src: phpContainer
|
src: phpContainer
|
||||||
dest: /usr/local/bin/phpContainer
|
dest: /usr/local/bin/phpContainer
|
||||||
mode: 0755
|
mode: "0755"
|
||||||
|
|
||||||
# - name: Copy php shim to call phpContainer when the user is a web user
|
# - name: Copy php shim to call phpContainer when the user is a web user
|
||||||
# copy:
|
# copy:
|
||||||
# src: multiphp-shim
|
# src: multiphp-shim
|
||||||
# dest: /usr/local/bin/php
|
# dest: /usr/local/bin/php
|
||||||
# mode: 0755
|
# mode: "0755"
|
||||||
|
|
||||||
# - name: Modify bashrc skel file
|
# - name: Modify bashrc skel file
|
||||||
# lineinfile:
|
# lineinfile:
|
||||||
|
|
|
@ -8,6 +8,10 @@ postgresql_work_mem: 8MB
|
||||||
postgresql_random_page_cost: 1.5
|
postgresql_random_page_cost: 1.5
|
||||||
postgresql_effective_cache_size: "{{ (ansible_memtotal_mb * 0.5) | int }}MB"
|
postgresql_effective_cache_size: "{{ (ansible_memtotal_mb * 0.5) | int }}MB"
|
||||||
|
|
||||||
|
# Binding
|
||||||
|
postgresql_listen_addresses:
|
||||||
|
- "127.0.0.1"
|
||||||
|
|
||||||
# PostgreSQL version
|
# PostgreSQL version
|
||||||
postgresql_version: ''
|
postgresql_version: ''
|
||||||
|
|
||||||
|
|
|
@ -30,7 +30,15 @@
|
||||||
dest: '/etc/munin/plugins/{{item[0]}}{{item[1]}}'
|
dest: '/etc/munin/plugins/{{item[0]}}{{item[1]}}'
|
||||||
loop: "{{ _plugins | product(_databases) | list }}"
|
loop: "{{ _plugins | product(_databases) | list }}"
|
||||||
vars:
|
vars:
|
||||||
_plugins: ['postgres_cache_', 'postgres_connections_', 'postgres_locks_', 'postgres_querylength_', 'postgres_scans_', 'postgres_size_', 'postgres_transactions_', 'postgres_tuples_']
|
_plugins:
|
||||||
_databases: postgresql_databases
|
- 'postgres_cache_'
|
||||||
|
- 'postgres_connections_'
|
||||||
|
- 'postgres_locks_'
|
||||||
|
- 'postgres_querylength_'
|
||||||
|
- 'postgres_scans_'
|
||||||
|
- 'postgres_size_'
|
||||||
|
- 'postgres_transactions_'
|
||||||
|
- 'postgres_tuples_'
|
||||||
|
_databases: "{{ postgresql_databases }}"
|
||||||
notify: restart munin-node
|
notify: restart munin-node
|
||||||
when: etc_munin_plugins.stat.exists and usr_share_munin_plugins.stat.exists
|
when: etc_munin_plugins.stat.exists and usr_share_munin_plugins.stat.exists
|
||||||
|
|
|
@ -11,6 +11,6 @@
|
||||||
- name: Install postgresql package
|
- name: Install postgresql package
|
||||||
apt:
|
apt:
|
||||||
name:
|
name:
|
||||||
- postgresql
|
- "postgresql-{{postgresql_version}}"
|
||||||
- pgtop
|
- pgtop
|
||||||
- libdbd-pg-perl
|
- libdbd-pg-perl
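Review bot: `"postgresql-{{postgresql_version}}"` renders as `postgresql-` when `postgresql_version` keeps its default `''` (defaults/main.yml in this same merge), and apt will fail on that package name; unless a task earlier in the role always resolves the version before this point, guard it with `name: "{{ 'postgresql-' ~ postgresql_version if postgresql_version else 'postgresql' }}"` or an `assert` that `postgresql_version | length > 0` with a clear message. The same expression is repeated in the two sibling install tasks below, so the guard should be applied to all three.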
|
||||||
|
|
|
@ -11,6 +11,6 @@
|
||||||
- name: Install postgresql package
|
- name: Install postgresql package
|
||||||
apt:
|
apt:
|
||||||
name:
|
name:
|
||||||
- postgresql
|
- "postgresql-{{postgresql_version}}"
|
||||||
- pgtop
|
- pgtop
|
||||||
- libdbd-pg-perl
|
- libdbd-pg-perl
|
||||||
|
|
|
@ -11,6 +11,6 @@
|
||||||
- name: Install postgresql package
|
- name: Install postgresql package
|
||||||
apt:
|
apt:
|
||||||
name:
|
name:
|
||||||
- postgresql
|
- "postgresql-{{postgresql_version}}"
|
||||||
- ptop
|
- ptop
|
||||||
- libdbd-pg-perl
|
- libdbd-pg-perl
|
||||||
|
|
|
@ -2,17 +2,12 @@
|
||||||
- name: Open firewall for PGDG repository
|
- name: Open firewall for PGDG repository
|
||||||
replace:
|
replace:
|
||||||
name: /etc/default/minifirewall
|
name: /etc/default/minifirewall
|
||||||
regexp: "^(HTTPSITES='((?!apt\\.postgresql\\.org).)*)'$"
|
regexp: "^(HTTPSITES='((?!apt\\.postgresql\\.org|0\\.0\\.0\\.0).)*)'$"
|
||||||
replace: "\\1 apt.postgresql.org'"
|
replace: "\\1 apt.postgresql.org'"
|
||||||
notify: Restart minifirewall
|
notify: Restart minifirewall
|
||||||
|
|
||||||
- meta: flush_handlers
|
- meta: flush_handlers
|
||||||
|
|
||||||
- name: Add PGDG repository
|
|
||||||
apt_repository:
|
|
||||||
repo: "deb http://apt.postgresql.org/pub/repos/apt/ {{ansible_distribution_release}}-pgdg main"
|
|
||||||
update_cache: yes
|
|
||||||
|
|
||||||
- name: Look for legacy apt keyring
|
- name: Look for legacy apt keyring
|
||||||
stat:
|
stat:
|
||||||
path: /etc/apt/trusted.gpg
|
path: /etc/apt/trusted.gpg
|
||||||
|
@ -34,9 +29,9 @@
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
|
|
||||||
- name: Update and upgrade apt packages for PGDG repository
|
- name: Add PGDG repository
|
||||||
apt:
|
apt_repository:
|
||||||
upgrade: yes
|
repo: "deb http://apt.postgresql.org/pub/repos/apt/ {{ansible_distribution_release}}-pgdg main"
|
||||||
update_cache: yes
|
update_cache: yes
|
||||||
|
|
||||||
- name: Add APT preference file
|
- name: Add APT preference file
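Review bot: The PGDG repository line keeps `http://apt.postgresql.org/pub/repos/apt/`; apt's signature check on the Release file is the primary control, but the mirror serves HTTPS and using `https://` removes the on-path tampering surface that past apt transport bugs exposed (and it matches the `HTTPSITES` minifirewall entry this file already opens). Moving the `apt_repository` task after the keyring handling is the right ordering; if the key is installed into a dedicated keyring, the repo line should reference it with `[signed-by=...]` so the PGDG key is not trusted for every other source on the host.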
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
# Tuning
|
# Tuning
|
||||||
shared_buffers = {{ postgresql_shared_buffers }}
|
shared_buffers = {{ postgresql_shared_buffers }}
|
||||||
work_mem = {{ postgresql_work_mem }}
|
work_mem = {{ postgresql_work_mem }}
|
||||||
|
listen_addresses = '{{ postgresql_listen_addresses | join(',') }}'
|
||||||
#shared_preload_libraries = 'pg_stat_statements'
|
#shared_preload_libraries = 'pg_stat_statements'
|
||||||
#synchronous_commit = off
|
#synchronous_commit = off
|
||||||
{% if postgresql_version is version('9.5', '<') %}
|
{% if postgresql_version is version('9.5', '<') %}
|
||||||
|
@ -13,7 +14,7 @@ checkpoint_completion_target = 0.9
|
||||||
random_page_cost = {{ postgresql_random_page_cost }}
|
random_page_cost = {{ postgresql_random_page_cost }}
|
||||||
effective_cache_size = {{ postgresql_effective_cache_size }}
|
effective_cache_size = {{ postgresql_effective_cache_size }}
|
||||||
|
|
||||||
# Loging
|
# Logging
|
||||||
log_min_duration_statement = 1s
|
log_min_duration_statement = 1s
|
||||||
log_checkpoints = on
|
log_checkpoints = on
|
||||||
log_lock_waits = on
|
log_lock_waits = on
|
||||||
|
|
|
@ -14,7 +14,7 @@ Main variables are :
|
||||||
|
|
||||||
* `redis_conf_dir`: config directory ;
|
* `redis_conf_dir`: config directory ;
|
||||||
* `redis_port`: listening TCP port ;
|
* `redis_port`: listening TCP port ;
|
||||||
* `redis_bind_interface`: listening IP address ;
|
* `redis_bind_interfaces`: listening IP addresses (array) ;
|
||||||
* `redis_password`: password for redis. Empty means no password ;
|
* `redis_password`: password for redis. Empty means no password ;
|
||||||
* `redis_socket_dir`: Unix socket directory ;
|
* `redis_socket_dir`: Unix socket directory ;
|
||||||
* `redis_log_level`: log verbosity ;
|
* `redis_log_level`: log verbosity ;
|
||||||
|
|
|
@ -6,7 +6,8 @@ redis_conf_dir_prefix: /etc/redis
|
||||||
redis_force_instance_port: False
|
redis_force_instance_port: False
|
||||||
|
|
||||||
redis_port: 6379
|
redis_port: 6379
|
||||||
redis_bind_interface: 127.0.0.1
|
redis_bind_interfaces:
|
||||||
|
- 127.0.0.1
|
||||||
|
|
||||||
redis_socket_enabled: True
|
redis_socket_enabled: True
|
||||||
redis_socket_dir_prefix: '/run/redis'
|
redis_socket_dir_prefix: '/run/redis'
|
||||||
|
|
|
@ -39,7 +39,7 @@
|
||||||
- name: Enable redis munin plugin
|
- name: Enable redis munin plugin
|
||||||
file:
|
file:
|
||||||
src: /usr/local/share/munin/plugins/redis_
|
src: /usr/local/share/munin/plugins/redis_
|
||||||
dest: "/etc/munin/plugins/redis_{{item}}"
|
dest: "/etc/munin/plugins/redis_{{ plugin_name }}"
|
||||||
state: link
|
state: link
|
||||||
loop:
|
loop:
|
||||||
- connected_clients
|
- connected_clients
|
||||||
|
@ -48,6 +48,8 @@
|
||||||
- per_sec
|
- per_sec
|
||||||
- used_keys
|
- used_keys
|
||||||
- used_memory
|
- used_memory
|
||||||
|
loop_control:
|
||||||
|
loop_var: plugin_name
|
||||||
notify: restart munin-node
|
notify: restart munin-node
|
||||||
when: not ansible_check_mode
|
when: not ansible_check_mode
|
||||||
tags:
|
tags:
|
||||||
|
|
|
@ -39,7 +39,7 @@
|
||||||
- name: Enable redis munin plugin
|
- name: Enable redis munin plugin
|
||||||
file:
|
file:
|
||||||
src: /usr/local/share/munin/plugins/redis_
|
src: /usr/local/share/munin/plugins/redis_
|
||||||
dest: "/etc/munin/plugins/{{ redis_instance_name }}_redis_{{item}}"
|
dest: "/etc/munin/plugins/{{ redis_instance_name }}_redis_{{ plugin_name }}"
|
||||||
state: link
|
state: link
|
||||||
loop:
|
loop:
|
||||||
- connected_clients
|
- connected_clients
|
||||||
|
@ -48,6 +48,8 @@
|
||||||
- per_sec
|
- per_sec
|
||||||
- used_keys
|
- used_keys
|
||||||
- used_memory
|
- used_memory
|
||||||
|
loop_control:
|
||||||
|
loop_var: plugin_name
|
||||||
notify: restart munin-node
|
notify: restart munin-node
|
||||||
when: not ansible_check_mode
|
when: not ansible_check_mode
|
||||||
tags:
|
tags:
|
||||||
|
@ -57,6 +59,6 @@
|
||||||
template:
|
template:
|
||||||
src: templates/munin-plugin-instances.conf.j2
|
src: templates/munin-plugin-instances.conf.j2
|
||||||
dest: '/etc/munin/plugin-conf.d/evolinux.redis_{{ redis_instance_name }}'
|
dest: '/etc/munin/plugin-conf.d/evolinux.redis_{{ redis_instance_name }}'
|
||||||
mode: 0740
|
mode: "0740"
|
||||||
notify: restart munin-node
|
notify: restart munin-node
|
||||||
tags: redis
|
tags: redis
|
||||||
|
|
|
@ -38,7 +38,7 @@
|
||||||
|
|
||||||
- name: "Instance '{{ redis_instance_name }}' config hooks directories are present"
|
- name: "Instance '{{ redis_instance_name }}' config hooks directories are present"
|
||||||
file:
|
file:
|
||||||
dest: "{{ item }}"
|
dest: "{{ _dir }}"
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
owner: "root"
|
owner: "root"
|
||||||
group: "root"
|
group: "root"
|
||||||
|
@ -49,6 +49,8 @@
|
||||||
- "{{ redis_conf_dir }}/redis-server.post-up.d"
|
- "{{ redis_conf_dir }}/redis-server.post-up.d"
|
||||||
- "{{ redis_conf_dir }}/redis-server.pre-down.d"
|
- "{{ redis_conf_dir }}/redis-server.pre-down.d"
|
||||||
- "{{ redis_conf_dir }}/redis-server.post-down.d"
|
- "{{ redis_conf_dir }}/redis-server.post-down.d"
|
||||||
|
loop_control:
|
||||||
|
loop_var: _dir
|
||||||
when:
|
when:
|
||||||
- ansible_distribution == "Debian"
|
- ansible_distribution == "Debian"
|
||||||
- ansible_distribution_major_version is version('9', '=')
|
- ansible_distribution_major_version is version('9', '=')
|
||||||
|
@ -56,14 +58,16 @@
|
||||||
- redis
|
- redis
|
||||||
|
|
||||||
- name: "Instance '{{ redis_instance_name }}' hooks examples are present"
|
- name: "Instance '{{ redis_instance_name }}' hooks examples are present"
|
||||||
command: "cp -a /etc/redis/{{ item }}/00_example {{ redis_conf_dir }}/{{ item }}"
|
command: "cp -a /etc/redis/{{ _dir }}/00_example {{ redis_conf_dir }}/{{ _dir }}"
|
||||||
args:
|
args:
|
||||||
creates: "{{ redis_conf_dir }}/{{ item }}/00_example"
|
creates: "{{ redis_conf_dir }}/{{ _dir }}/00_example"
|
||||||
loop:
|
loop:
|
||||||
- "redis-server.pre-up.d"
|
- "redis-server.pre-up.d"
|
||||||
- "redis-server.post-up.d"
|
- "redis-server.post-up.d"
|
||||||
- "redis-server.pre-down.d"
|
- "redis-server.pre-down.d"
|
||||||
- "redis-server.post-down.d"
|
- "redis-server.post-down.d"
|
||||||
|
loop_control:
|
||||||
|
loop_var: _dir
|
||||||
when:
|
when:
|
||||||
- ansible_distribution == "Debian"
|
- ansible_distribution == "Debian"
|
||||||
- ansible_distribution_major_version is version('9', '=')
|
- ansible_distribution_major_version is version('9', '=')
|
||||||
|
@ -72,7 +76,7 @@
|
||||||
|
|
||||||
- name: "Instance '{{ redis_instance_name }}' socket/pid directories are present"
|
- name: "Instance '{{ redis_instance_name }}' socket/pid directories are present"
|
||||||
file:
|
file:
|
||||||
dest: "{{ item }}"
|
dest: "{{ _dir }}"
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
owner: "redis-{{ redis_instance_name }}"
|
owner: "redis-{{ redis_instance_name }}"
|
||||||
group: "redis-{{ redis_instance_name }}"
|
group: "redis-{{ redis_instance_name }}"
|
||||||
|
@ -81,12 +85,14 @@
|
||||||
loop:
|
loop:
|
||||||
- "{{ redis_pid_dir }}"
|
- "{{ redis_pid_dir }}"
|
||||||
- "{{ redis_socket_dir }}"
|
- "{{ redis_socket_dir }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: _dir
|
||||||
tags:
|
tags:
|
||||||
- redis
|
- redis
|
||||||
|
|
||||||
- name: "Instance '{{ redis_instance_name }}' data/log directories are present"
|
- name: "Instance '{{ redis_instance_name }}' data/log directories are present"
|
||||||
file:
|
file:
|
||||||
dest: "{{ item }}"
|
dest: "{{ _dir }}"
|
||||||
mode: "0751"
|
mode: "0751"
|
||||||
owner: "redis-{{ redis_instance_name }}"
|
owner: "redis-{{ redis_instance_name }}"
|
||||||
group: "redis-{{ redis_instance_name }}"
|
group: "redis-{{ redis_instance_name }}"
|
||||||
|
@ -95,6 +101,8 @@
|
||||||
loop:
|
loop:
|
||||||
- "{{ redis_data_dir }}"
|
- "{{ redis_data_dir }}"
|
||||||
- "{{ redis_log_dir }}"
|
- "{{ redis_log_dir }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: _dir
|
||||||
tags:
|
tags:
|
||||||
- redis
|
- redis
|
||||||
|
|
||||||
|
|
|
@ -63,6 +63,14 @@
|
||||||
redis_data_dir: "{{ redis_data_dir_prefix }}-{{ redis_instance_name }}"
|
redis_data_dir: "{{ redis_data_dir_prefix }}-{{ redis_instance_name }}"
|
||||||
when: redis_instance_name is defined
|
when: redis_instance_name is defined
|
||||||
|
|
||||||
|
- name: Fail if redis_bind_interface is set
|
||||||
|
fail:
|
||||||
|
msg: "Please change 'redis_bind_interface' (String) to 'redis_bind_interfaces' (List)"
|
||||||
|
when:
|
||||||
|
- redis_bind_interface is defined
|
||||||
|
- redis_bind_interface is not none
|
||||||
|
- redis_bind_interface | length > 0
|
||||||
|
|
||||||
- name: configure Redis for default mode
|
- name: configure Redis for default mode
|
||||||
include: default-server.yml
|
include: default-server.yml
|
||||||
when: redis_instance_name is not defined
|
when: redis_instance_name is not defined
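Review bot: The new `fail` task catches the removed `redis_bind_interface`, but nothing validates `redis_bind_interfaces` itself: once an explicit `bind` line lists a non-loopback address, Redis's protected-mode no longer restricts clients, so a host configured with e.g. `redis_bind_interfaces: [0.0.0.0]` and the documented empty `redis_password` ends up with an unauthenticated Redis reachable from the network. Add an `assert` next to this task, e.g. `that: redis_password | length > 0` with `when: redis_bind_interfaces | difference(['127.0.0.1', '::1']) | length > 0` and a message naming the risk, and also reject an empty list, since the template would then emit a bare `bind` directive. The `when` list on the fail task is fine as written because Ansible stops at the first false condition before evaluating `length` on an undefined value.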
|
||||||
|
|
|
@ -60,7 +60,7 @@
|
||||||
replace:
|
replace:
|
||||||
dest: /etc/nagios/nrpe.d/evolix.cfg
|
dest: /etc/nagios/nrpe.d/evolix.cfg
|
||||||
regexp: '^command\[check_redis\]=.+'
|
regexp: '^command\[check_redis\]=.+'
|
||||||
replace: 'command[check_redis]=sudo {{ redis_check_redis_path }} -H {{ redis_bind_interface }} -p {{ redis_port }}'
|
replace: 'command[check_redis]=sudo {{ redis_check_redis_path }} -H {{ redis_bind_interfaces | first }} -p {{ redis_port }}'
|
||||||
when: redis_instance_name is undefined
|
when: redis_instance_name is undefined
|
||||||
notify: restart nagios-nrpe-server
|
notify: restart nagios-nrpe-server
|
||||||
tags:
|
tags:
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
daemonize yes
|
daemonize yes
|
||||||
pidfile {{ redis_pid_dir }}/redis-server.pid
|
pidfile {{ redis_pid_dir }}/redis-server.pid
|
||||||
port {{ redis_port }}
|
port {{ redis_port }}
|
||||||
bind {{ redis_bind_interface }}
|
bind {{ redis_bind_interfaces | join(' ') }}
|
||||||
|
|
||||||
{% if redis_socket_enabled %}
|
{% if redis_socket_enabled %}
|
||||||
unixsocket {{ redis_socket_dir }}/redis.sock
|
unixsocket {{ redis_socket_dir }}/redis.sock
|
||||||
|
|