Merge branch 'unstable' into stable
commit
e3715ca2d6
24
CHANGELOG.md
24
CHANGELOG.md
|
@ -20,6 +20,30 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
|
||||
### Security
|
||||
|
||||
## [22.06.2] 2022-06-10
|
||||
|
||||
### Added
|
||||
|
||||
* postgresql: add variable to configure binding addresses (default: 127.0.0.1)
|
||||
|
||||
### Changed
|
||||
|
||||
* evocheck: upstream release 22.06.2
|
||||
* fail2ban: Give the possibility to override jail.local (with fail2ban_override_jaillocal)
|
||||
* fail2ban: If jail.local was overriden, add a warning
|
||||
* fail2ban: Allow to tune some jail settings (maxretry, bantime, findtime) with ansible
|
||||
* fail2ban: Allow to tune the default action with ansible
|
||||
* fail2ban: Change default action to ban only (instead of ban + mail with whois report)
|
||||
* fail2ban: Configure recidive jail (off by default) + extend dbpurgeage
|
||||
* redis: binding is possible on multiple interfaces (breaking change)
|
||||
|
||||
### Fixed
|
||||
|
||||
* Enforce String notation for mode
|
||||
* postgresql: fix nested loop for Munin plugins
|
||||
* postgresql: Fix task order when using pgdg repo
|
||||
* postgresql: Install the right pg version
|
||||
|
||||
## [22.06.1] 2022-06-06
|
||||
|
||||
### Changed
|
||||
|
|
|
@ -102,7 +102,7 @@
|
|||
create: yes
|
||||
owner: root
|
||||
group: elasticsearch
|
||||
mode: 0640
|
||||
mode: "0640"
|
||||
tags:
|
||||
- config
|
||||
|
||||
|
@ -114,7 +114,7 @@
|
|||
create: yes
|
||||
owner: root
|
||||
group: elasticsearch
|
||||
mode: 0640
|
||||
mode: "0640"
|
||||
tags:
|
||||
- config
|
||||
|
||||
|
|
|
@ -32,7 +32,7 @@
|
|||
create: yes
|
||||
owner: root
|
||||
group: elasticsearch
|
||||
mode: 0640
|
||||
mode: "0640"
|
||||
notify:
|
||||
- restart elasticsearch
|
||||
tags:
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
src: "{{ item }}"
|
||||
dest: "{{ evobackup_client__cron_path }}"
|
||||
force: true
|
||||
mode: 0755
|
||||
mode: "0755"
|
||||
loop: "{{ query('first_found', templates) }}"
|
||||
vars:
|
||||
templates:
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
# Script to verify compliance of a Debian/OpenBSD server
|
||||
# powered by Evolix
|
||||
|
||||
VERSION="22.06.1"
|
||||
VERSION="22.06.2"
|
||||
readonly VERSION
|
||||
|
||||
# base functions
|
||||
|
@ -742,9 +742,7 @@ check_backupuptodate() {
|
|||
backup_dir="/home/backup"
|
||||
if [ -d "${backup_dir}" ]; then
|
||||
if [ -n "$(ls -A ${backup_dir})" ]; then
|
||||
# Look for all files, including subdirectories.
|
||||
# If this turns out to be problematic, we can go back to first level only, with --max-depth=1
|
||||
find "${backup_dir}" -type f | while read -r file; do
|
||||
find "${backup_dir}" -type f -maxdepth 1 | while read -r file; do
|
||||
limit=$(date +"%s" -d "now - 2 day")
|
||||
updated_at=$(stat -c "%Y" "$file")
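Review bot: With `-maxdepth 1` on the new `find` line, a `/home/backup` that holds only subdirectories passes the `ls -A` non-empty test and then yields no files, so the loop body never runs and no stale backup can be flagged. If first-level-only is intended, an explicit failure when no regular file is found would close that gap. GNU find also warns when `-maxdepth` follows a test, so the line reads better as `find "${backup_dir}" -maxdepth 1 -type f | while read -r file; do`. The `${backup_dir}` inside `ls -A` is unquoted, unlike the other uses visible here. check_backupuptodate continues past the end of the hunk.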
|
||||
|
||||
|
|
|
@ -6,10 +6,43 @@ fail2ban_alert_email: Null
|
|||
# "127.0.0.1/8" is always added to the list, even if the following lists are empty.
|
||||
fail2ban_default_ignore_ips: []
|
||||
fail2ban_additional_ignore_ips: []
|
||||
|
||||
# WARN: setting this to True will overwrite the list of ignored IP
|
||||
fail2ban_force_update_ignore_ips: False
|
||||
|
||||
fail2ban_wordpress: False
|
||||
fail2ban_roundcube: False
|
||||
fail2ban_override_jaillocal: False
|
||||
|
||||
fail2ban_disable_ssh: False
|
||||
fail2ban_default_maxretry: 5
|
||||
fail2ban_default_bantime: 10m
|
||||
fail2ban_default_findtime: 10m
|
||||
|
||||
# Default fail2ban action. Chose beetween :
|
||||
# - "action_" : (default) - ban only (following banaction)
|
||||
# - "action_mw" : ban & send an email with whois report
|
||||
# - "action_mwl" : ban & send an email with whois and log lines
|
||||
fail2ban_default_action: "action_"
|
||||
|
||||
fail2ban_sshd: True
|
||||
fail2ban_sshd_maxretry: 10
|
||||
fail2ban_sshd_bantime: "{{ fail2ban_default_bantime }}"
|
||||
fail2ban_sshd_findtime: "{{ fail2ban_default_findtime }}"
|
||||
|
||||
fail2ban_recidive: False
|
||||
fail2ban_recidive_maxretry: 3
|
||||
fail2ban_recidive_bantime: 1w
|
||||
fail2ban_recidive_findtime: 1d
|
||||
|
||||
fail2ban_wordpress_hard: False
|
||||
fail2ban_wordpress_hard_maxretry: 1
|
||||
fail2ban_wordpress_hard_bantime: "{{ fail2ban_default_bantime }}"
|
||||
fail2ban_wordpress_hard_findtime: "{{ fail2ban_default_findtime }}"
|
||||
|
||||
fail2ban_wordpress_soft: False
|
||||
fail2ban_wordpress_soft_maxretry: 5
|
||||
fail2ban_wordpress_soft_bantime: "{{ fail2ban_default_bantime }}"
|
||||
fail2ban_wordpress_soft_findtime: "{{ fail2ban_default_findtime }}"
|
||||
|
||||
fail2ban_roundcube: False
|
||||
fail2ban_roundcube_maxretry: 5
|
||||
fail2ban_roundcube_bantime: "{{ fail2ban_default_bantime }}"
|
||||
fail2ban_roundcube_findtime: "{{ fail2ban_default_findtime }}"
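Review bot: These tunables lack a comment saying when they take effect. The jail.local task in this commit uses `force: "{{ fail2ban_override_jaillocal }}"`, which defaults to False here, so on a host that already has /etc/fail2ban/jail.local a change to `fail2ban_sshd_maxretry` or `fail2ban_recidive: True` would apparently never reach the file. A comment above `fail2ban_override_jaillocal` such as `# Jail settings below are only written when jail.local is created, or when this is True (the existing file is then overwritten)` would keep an operator from assuming a jail is active when it is not. `fail2ban_roundcube` also appears twice in this section; if both lines are on the new side, the duplicate key should be dropped.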
|
|
@ -12,6 +12,7 @@
|
|||
loop:
|
||||
- "/etc/fail2ban"
|
||||
- "/etc/fail2ban/filter.d"
|
||||
- "/etc/fail2ban/fail2ban.d"
|
||||
tags:
|
||||
- fail2ban
|
||||
|
||||
|
@ -25,7 +26,7 @@
|
|||
src: jail.local.j2
|
||||
dest: /etc/fail2ban/jail.local
|
||||
mode: "0644"
|
||||
force: no
|
||||
force: "{{ fail2ban_override_jaillocal }}"
|
||||
notify: restart fail2ban
|
||||
tags:
|
||||
- fail2ban
|
||||
|
@ -36,17 +37,6 @@
|
|||
tags:
|
||||
- fail2ban
|
||||
|
||||
- name: Disable SSH filter
|
||||
ini_file:
|
||||
dest: /etc/fail2ban/jail.local
|
||||
section: sshd
|
||||
option: enabled
|
||||
value: false
|
||||
notify: restart fail2ban
|
||||
when: fail2ban_disable_ssh | bool
|
||||
tags:
|
||||
- fail2ban
|
||||
|
||||
- name: custom filters are installed
|
||||
copy:
|
||||
src: "{{ item }}"
|
||||
|
@ -62,7 +52,7 @@
|
|||
tags:
|
||||
- fail2ban
|
||||
|
||||
- name: package is installed
|
||||
- name: package fail2ban is installed
|
||||
apt:
|
||||
name: fail2ban
|
||||
state: present
|
||||
|
@ -100,3 +90,17 @@
|
|||
tags:
|
||||
- fail2ban
|
||||
- munin
|
||||
|
||||
- name: "Extend dbpurgeage if recidive jail is enabled"
|
||||
blockinfile:
|
||||
dest: /etc/fail2ban/fail2ban.d/recidive_dbpurgeage
|
||||
marker: "# ANSIBLE MANAGED"
|
||||
block: |
|
||||
[DEFAULT]
|
||||
dbpurgeage = {{ fail2ban_recidive_bantime}}
|
||||
insertafter: EOF
|
||||
create: yes
|
||||
mode: "0644"
|
||||
notify: restart fail2ban
|
||||
when:
|
||||
- fail2ban_recidive
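Review bot: The new task writes `/etc/fail2ban/fail2ban.d/recidive_dbpurgeage`, but fail2ban only reads `*.conf` and `*.local` files from its `.d` directories, so the extended `dbpurgeage` is likely never loaded and recidive bans may be purged from the database before they expire. Naming it `dest: /etc/fail2ban/fail2ban.d/recidive_dbpurgeage.local` would fix that. The `marker: "# ANSIBLE MANAGED"` has no `{mark}` placeholder, which the blockinfile documentation warns can cause the block to be inserted again on later runs; `marker: "# {mark} ANSIBLE MANAGED"` avoids it. Whether `[DEFAULT]` or `[Definition]` is the section that fail2ban honours for `dbpurgeage` depends on the packaged version and is worth checking against the shipped fail2ban.conf.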
|
|
@ -1,61 +1,65 @@
|
|||
# EvoLinux Fail2Ban config.
|
||||
|
||||
{% if fail2ban_override_jaillocal %}
|
||||
# WARNING : THIS FILE IS (PROBABLY) ANSIBLE MANAGED AS IT WAS OVERWRITTEN BY ANSIBLE
|
||||
{% endif %}
|
||||
|
||||
[DEFAULT]
|
||||
|
||||
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
|
||||
ignoreip = {{ ['127.0.0.1/8'] | union(fail2ban_ignore_ips) | unique | join(' ') }}
|
||||
|
||||
bantime = 600
|
||||
maxretry = 3
|
||||
|
||||
# "backend" specifies the backend used to get files modification. Available
|
||||
# options are "gamin", "polling" and "auto".
|
||||
# yoh: For some reason Debian shipped python-gamin didn't work as expected
|
||||
# This issue left ToDo, so polling is default backend for now
|
||||
backend = auto
|
||||
bantime = {{ fail2ban_default_bantime }}
|
||||
maxretry = {{ fail2ban_default_maxretry }}
|
||||
|
||||
destemail = {{ fail2ban_alert_email or general_alert_email | mandatory }}
|
||||
|
||||
# ACTIONS
|
||||
|
||||
banaction = iptables-multiport
|
||||
mta = sendmail
|
||||
protocol = tcp
|
||||
chain = INPUT
|
||||
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
|
||||
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
|
||||
action = %({{fail2ban_default_action}})s
|
||||
|
||||
action = %(action_mwl)s
|
||||
|
||||
[sshd]
|
||||
enabled = {{ fail2ban_sshd }}
|
||||
port = ssh,2222,22222
|
||||
logpath = %(sshd_log)s
|
||||
backend = %(sshd_backend)s
|
||||
maxretry = 10
|
||||
|
||||
{% if fail2ban_wordpress %}
|
||||
maxretry = {{ fail2ban_sshd_maxretry }}
|
||||
findtime = {{ fail2ban_sshd_findtime }}
|
||||
bantime = {{ fail2ban_sshd_bantime }}
|
||||
|
||||
[recidive]
|
||||
enabled = {{ fail2ban_recidive }}
|
||||
|
||||
maxretry = {{ fail2ban_recidive_maxretry }}
|
||||
findtime = {{ fail2ban_recidive_findtime }}
|
||||
bantime = {{ fail2ban_recidive_bantime }}
|
||||
|
||||
|
||||
# Evolix custom jails
|
||||
|
||||
[wordpress-hard]
|
||||
enabled = true
|
||||
port = http,https
|
||||
enabled = {{ fail2ban_wordpress_hard }}
|
||||
port = http, https
|
||||
filter = wordpress-hard
|
||||
logpath = /var/log/auth.log
|
||||
maxretry = 1
|
||||
findtime = 300
|
||||
maxretry = {{ fail2ban_wordpress_hard_maxretry }}
|
||||
findtime = {{ fail2ban_wordpress_hard_findtime }}
|
||||
bantime = {{ fail2ban_wordpress_hard_bantime }}
|
||||
|
||||
[wordpress-soft]
|
||||
enabled = true
|
||||
port = http,https
|
||||
enabled = {{ fail2ban_wordpress_soft }}
|
||||
port = http, https
|
||||
filter = wordpress-soft
|
||||
logpath = /var/log/auth.log
|
||||
maxretry = 5
|
||||
findtime = 300
|
||||
{% endif %}
|
||||
maxretry = {{ fail2ban_wordpress_soft_maxretry }}
|
||||
findtime = {{ fail2ban_wordpress_soft_findtime }}
|
||||
bantime = {{ fail2ban_wordpress_soft_bantime }}
|
||||
|
||||
{% if fail2ban_roundcube %}
|
||||
[roundcube]
|
||||
enabled = true
|
||||
port = http,https
|
||||
enabled = {{ fail2ban_roundcube }}
|
||||
port = http, https
|
||||
filter = roundcube
|
||||
logpath = /var/lib/roundcube/logs/errors
|
||||
maxretry = 5
|
||||
{% endif %}
|
||||
maxretry = {{ fail2ban_roundcube_maxretry }}
|
||||
findtime = {{ fail2ban_roundcube_findtime }}
|
||||
bantime = {{ fail2ban_roundcube_bantime }}
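Review bot: `[DEFAULT]` now takes `bantime` and `maxretry` from variables but has no `findtime` line, so `fail2ban_default_findtime` only reaches the jails that reference it through their own `*_findtime` variable. Any jail enabled outside this template (for example from jail.d) would keep fail2ban's stock findtime while using the tuned bantime and maxretry. Adding `findtime = {{ fail2ban_default_findtime }}` next to the other two keeps the defaults consistent. The rendered page has lost its +/- markers, so this assumes no such line exists on the new side.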
|
||||
|
|
|
@ -46,7 +46,7 @@
|
|||
template:
|
||||
src: keepalived.conf.j2
|
||||
dest: /etc/keepalived/keepalived.conf
|
||||
mode: 0644
|
||||
mode: "0644"
|
||||
notify: restart keepalived
|
||||
tags:
|
||||
- keepalived
|
||||
|
|
|
@ -27,16 +27,18 @@
|
|||
- kvm_mem
|
||||
notify: restart munin-node
|
||||
|
||||
- name: Enable redis munin plugin
|
||||
- name: Enable Munin plugins
|
||||
file:
|
||||
src: "/usr/local/share/munin/plugins/{{item}}"
|
||||
dest: "/etc/munin/plugins/{{item}}"
|
||||
src: "/usr/local/share/munin/plugins/{{ plugin_name }}"
|
||||
dest: "/etc/munin/plugins/{{ plugin_name }}"
|
||||
state: link
|
||||
force: yes
|
||||
loop:
|
||||
- kvm_cpu
|
||||
- kvm_io
|
||||
- kvm_mem
|
||||
loop_control:
|
||||
loop_var: plugin_name
|
||||
notify: restart munin-node
|
||||
|
||||
- name: Copy Munin plugins conf
|
||||
|
|
|
@ -13,13 +13,13 @@
|
|||
copy:
|
||||
src: phpContainer
|
||||
dest: /usr/local/bin/phpContainer
|
||||
mode: 0755
|
||||
mode: "0755"
|
||||
|
||||
# - name: Copy php shim to call phpContainer when the user is a web user
|
||||
# copy:
|
||||
# src: multiphp-shim
|
||||
# dest: /usr/local/bin/php
|
||||
# mode: 0755
|
||||
# mode: "0755"
|
||||
|
||||
# - name: Modify bashrc skel file
|
||||
# lineinfile:
|
||||
|
|
|
@ -8,6 +8,10 @@ postgresql_work_mem: 8MB
|
|||
postgresql_random_page_cost: 1.5
|
||||
postgresql_effective_cache_size: "{{ (ansible_memtotal_mb * 0.5) | int }}MB"
|
||||
|
||||
# Binding
|
||||
postgresql_listen_addresses:
|
||||
- "127.0.0.1"
|
||||
|
||||
# PostgreSQL version
|
||||
postgresql_version: ''
|
||||
|
||||
|
|
|
@ -30,7 +30,15 @@
|
|||
dest: '/etc/munin/plugins/{{item[0]}}{{item[1]}}'
|
||||
loop: "{{ _plugins | product(_databases) | list }}"
|
||||
vars:
|
||||
_plugins: ['postgres_cache_', 'postgres_connections_', 'postgres_locks_', 'postgres_querylength_', 'postgres_scans_', 'postgres_size_', 'postgres_transactions_', 'postgres_tuples_']
|
||||
_databases: postgresql_databases
|
||||
_plugins:
|
||||
- 'postgres_cache_'
|
||||
- 'postgres_connections_'
|
||||
- 'postgres_locks_'
|
||||
- 'postgres_querylength_'
|
||||
- 'postgres_scans_'
|
||||
- 'postgres_size_'
|
||||
- 'postgres_transactions_'
|
||||
- 'postgres_tuples_'
|
||||
_databases: "{{ postgresql_databases }}"
|
||||
notify: restart munin-node
|
||||
when: etc_munin_plugins.stat.exists and usr_share_munin_plugins.stat.exists
|
||||
|
|
|
@ -11,6 +11,6 @@
|
|||
- name: Install postgresql package
|
||||
apt:
|
||||
name:
|
||||
- postgresql
|
||||
- "postgresql-{{postgresql_version}}"
|
||||
- pgtop
|
||||
- libdbd-pg-perl
|
||||
|
|
|
@ -11,6 +11,6 @@
|
|||
- name: Install postgresql package
|
||||
apt:
|
||||
name:
|
||||
- postgresql
|
||||
- "postgresql-{{postgresql_version}}"
|
||||
- pgtop
|
||||
- libdbd-pg-perl
|
||||
|
|
|
@ -11,6 +11,6 @@
|
|||
- name: Install postgresql package
|
||||
apt:
|
||||
name:
|
||||
- postgresql
|
||||
- "postgresql-{{postgresql_version}}"
|
||||
- ptop
|
||||
- libdbd-pg-perl
|
||||
|
|
|
@ -2,17 +2,12 @@
|
|||
- name: Open firewall for PGDG repository
|
||||
replace:
|
||||
name: /etc/default/minifirewall
|
||||
regexp: "^(HTTPSITES='((?!apt\\.postgresql\\.org).)*)'$"
|
||||
regexp: "^(HTTPSITES='((?!apt\\.postgresql\\.org|0\\.0\\.0\\.0).)*)'$"
|
||||
replace: "\\1 apt.postgresql.org'"
|
||||
notify: Restart minifirewall
|
||||
|
||||
- meta: flush_handlers
|
||||
|
||||
- name: Add PGDG repository
|
||||
apt_repository:
|
||||
repo: "deb http://apt.postgresql.org/pub/repos/apt/ {{ansible_distribution_release}}-pgdg main"
|
||||
update_cache: yes
|
||||
|
||||
- name: Look for legacy apt keyring
|
||||
stat:
|
||||
path: /etc/apt/trusted.gpg
|
||||
|
@ -34,9 +29,9 @@
|
|||
owner: root
|
||||
group: root
|
||||
|
||||
- name: Update and upgrade apt packages for PGDG repository
|
||||
apt:
|
||||
upgrade: yes
|
||||
- name: Add PGDG repository
|
||||
apt_repository:
|
||||
repo: "deb http://apt.postgresql.org/pub/repos/apt/ {{ansible_distribution_release}}-pgdg main"
|
||||
update_cache: yes
|
||||
|
||||
- name: Add APT preference file
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
# Tuning
|
||||
shared_buffers = {{ postgresql_shared_buffers }}
|
||||
work_mem = {{ postgresql_work_mem }}
|
||||
listen_addresses = '{{ postgresql_listen_addresses | join(',') }}'
|
||||
#shared_preload_libraries = 'pg_stat_statements'
|
||||
#synchronous_commit = off
|
||||
{% if postgresql_version is version('9.5', '<') %}
|
||||
|
@ -13,7 +14,7 @@ checkpoint_completion_target = 0.9
|
|||
random_page_cost = {{ postgresql_random_page_cost }}
|
||||
effective_cache_size = {{ postgresql_effective_cache_size }}
|
||||
|
||||
# Loging
|
||||
# Logging
|
||||
log_min_duration_statement = 1s
|
||||
log_checkpoints = on
|
||||
log_lock_waits = on
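Review bot: `listen_addresses` is built with `postgresql_listen_addresses | join(',')`, and Jinja's `join` iterates a plain string character by character, so an inventory that sets the variable to `"0.0.0.0"` instead of a list renders a broken value. The redis role in this same commit fails early on its legacy string variable; a similar guard here, or `{{ [postgresql_listen_addresses] | flatten | join(',') }}`, would make the template tolerant of both forms. Widening the list beyond 127.0.0.1 also leaves access control to pg_hba.conf and the host firewall, which the `# Binding` comment in the defaults could state.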
|
||||
|
|
|
@ -14,7 +14,7 @@ Main variables are :
|
|||
|
||||
* `redis_conf_dir`: config directory ;
|
||||
* `redis_port`: listening TCP port ;
|
||||
* `redis_bind_interface`: listening IP address ;
|
||||
* `redis_bind_interfaces`: listening IP addresses (array) ;
|
||||
* `redis_password`: password for redis. Empty means no password ;
|
||||
* `redis_socket_dir`: Unix socket directory ;
|
||||
* `redis_log_level`: log verbosity ;
|
||||
|
|
|
@ -6,7 +6,8 @@ redis_conf_dir_prefix: /etc/redis
|
|||
redis_force_instance_port: False
|
||||
|
||||
redis_port: 6379
|
||||
redis_bind_interface: 127.0.0.1
|
||||
redis_bind_interfaces:
|
||||
- 127.0.0.1
|
||||
|
||||
redis_socket_enabled: True
|
||||
redis_socket_dir_prefix: '/run/redis'
|
||||
|
|
|
@ -39,7 +39,7 @@
|
|||
- name: Enable redis munin plugin
|
||||
file:
|
||||
src: /usr/local/share/munin/plugins/redis_
|
||||
dest: "/etc/munin/plugins/redis_{{item}}"
|
||||
dest: "/etc/munin/plugins/redis_{{ plugin_name }}"
|
||||
state: link
|
||||
loop:
|
||||
- connected_clients
|
||||
|
@ -48,6 +48,8 @@
|
|||
- per_sec
|
||||
- used_keys
|
||||
- used_memory
|
||||
loop_control:
|
||||
loop_var: plugin_name
|
||||
notify: restart munin-node
|
||||
when: not ansible_check_mode
|
||||
tags:
|
||||
|
|
|
@ -39,7 +39,7 @@
|
|||
- name: Enable redis munin plugin
|
||||
file:
|
||||
src: /usr/local/share/munin/plugins/redis_
|
||||
dest: "/etc/munin/plugins/{{ redis_instance_name }}_redis_{{item}}"
|
||||
dest: "/etc/munin/plugins/{{ redis_instance_name }}_redis_{{ plugin_name }}"
|
||||
state: link
|
||||
loop:
|
||||
- connected_clients
|
||||
|
@ -48,6 +48,8 @@
|
|||
- per_sec
|
||||
- used_keys
|
||||
- used_memory
|
||||
loop_control:
|
||||
loop_var: plugin_name
|
||||
notify: restart munin-node
|
||||
when: not ansible_check_mode
|
||||
tags:
|
||||
|
@ -57,6 +59,6 @@
|
|||
template:
|
||||
src: templates/munin-plugin-instances.conf.j2
|
||||
dest: '/etc/munin/plugin-conf.d/evolinux.redis_{{ redis_instance_name }}'
|
||||
mode: 0740
|
||||
mode: "0740"
|
||||
notify: restart munin-node
|
||||
tags: redis
|
||||
|
|
|
@ -38,7 +38,7 @@
|
|||
|
||||
- name: "Instance '{{ redis_instance_name }}' config hooks directories are present"
|
||||
file:
|
||||
dest: "{{ item }}"
|
||||
dest: "{{ _dir }}"
|
||||
mode: "0755"
|
||||
owner: "root"
|
||||
group: "root"
|
||||
|
@ -49,6 +49,8 @@
|
|||
- "{{ redis_conf_dir }}/redis-server.post-up.d"
|
||||
- "{{ redis_conf_dir }}/redis-server.pre-down.d"
|
||||
- "{{ redis_conf_dir }}/redis-server.post-down.d"
|
||||
loop_control:
|
||||
loop_var: _dir
|
||||
when:
|
||||
- ansible_distribution == "Debian"
|
||||
- ansible_distribution_major_version is version('9', '=')
|
||||
|
@ -56,14 +58,16 @@
|
|||
- redis
|
||||
|
||||
- name: "Instance '{{ redis_instance_name }}' hooks examples are present"
|
||||
command: "cp -a /etc/redis/{{ item }}/00_example {{ redis_conf_dir }}/{{ item }}"
|
||||
command: "cp -a /etc/redis/{{ _dir }}/00_example {{ redis_conf_dir }}/{{ _dir }}"
|
||||
args:
|
||||
creates: "{{ redis_conf_dir }}/{{ item }}/00_example"
|
||||
creates: "{{ redis_conf_dir }}/{{ _dir }}/00_example"
|
||||
loop:
|
||||
- "redis-server.pre-up.d"
|
||||
- "redis-server.post-up.d"
|
||||
- "redis-server.pre-down.d"
|
||||
- "redis-server.post-down.d"
|
||||
loop_control:
|
||||
loop_var: _dir
|
||||
when:
|
||||
- ansible_distribution == "Debian"
|
||||
- ansible_distribution_major_version is version('9', '=')
|
||||
|
@ -72,7 +76,7 @@
|
|||
|
||||
- name: "Instance '{{ redis_instance_name }}' socket/pid directories are present"
|
||||
file:
|
||||
dest: "{{ item }}"
|
||||
dest: "{{ _dir }}"
|
||||
mode: "0755"
|
||||
owner: "redis-{{ redis_instance_name }}"
|
||||
group: "redis-{{ redis_instance_name }}"
|
||||
|
@ -81,12 +85,14 @@
|
|||
loop:
|
||||
- "{{ redis_pid_dir }}"
|
||||
- "{{ redis_socket_dir }}"
|
||||
loop_control:
|
||||
loop_var: _dir
|
||||
tags:
|
||||
- redis
|
||||
|
||||
- name: "Instance '{{ redis_instance_name }}' data/log directories are present"
|
||||
file:
|
||||
dest: "{{ item }}"
|
||||
dest: "{{ _dir }}"
|
||||
mode: "0751"
|
||||
owner: "redis-{{ redis_instance_name }}"
|
||||
group: "redis-{{ redis_instance_name }}"
|
||||
|
@ -95,6 +101,8 @@
|
|||
loop:
|
||||
- "{{ redis_data_dir }}"
|
||||
- "{{ redis_log_dir }}"
|
||||
loop_control:
|
||||
loop_var: _dir
|
||||
tags:
|
||||
- redis
|
||||
|
||||
|
|
|
@ -63,6 +63,14 @@
|
|||
redis_data_dir: "{{ redis_data_dir_prefix }}-{{ redis_instance_name }}"
|
||||
when: redis_instance_name is defined
|
||||
|
||||
- name: Fail if redis_bind_interface is set
|
||||
fail:
|
||||
msg: "Please change 'redis_bind_interface' (String) to 'redis_bind_interfaces' (List)"
|
||||
when:
|
||||
- redis_bind_interface is defined
|
||||
- redis_bind_interface is not none
|
||||
- redis_bind_interface | length > 0
|
||||
|
||||
- name: configure Redis for default mode
|
||||
include: default-server.yml
|
||||
when: redis_instance_name is not defined
|
||||
|
|
|
@ -60,7 +60,7 @@
|
|||
replace:
|
||||
dest: /etc/nagios/nrpe.d/evolix.cfg
|
||||
regexp: '^command\[check_redis\]=.+'
|
||||
replace: 'command[check_redis]=sudo {{ redis_check_redis_path }} -H {{ redis_bind_interface }} -p {{ redis_port }}'
|
||||
replace: 'command[check_redis]=sudo {{ redis_check_redis_path }} -H {{ redis_bind_interfaces | first }} -p {{ redis_port }}'
|
||||
when: redis_instance_name is undefined
|
||||
notify: restart nagios-nrpe-server
|
||||
tags:
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
daemonize yes
|
||||
pidfile {{ redis_pid_dir }}/redis-server.pid
|
||||
port {{ redis_port }}
|
||||
bind {{ redis_bind_interface }}
|
||||
bind {{ redis_bind_interfaces | join(' ') }}
|
||||
|
||||
{% if redis_socket_enabled %}
|
||||
unixsocket {{ redis_socket_dir }}/redis.sock
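Review bot: The `bind` line can now list non-loopback addresses, and the README in this commit documents that an empty `redis_password` means no password, so the two together can produce an instance that accepts unauthenticated connections from the network. Depending on the Redis version, protected mode may not apply once a `bind` directive is set, so it should not be relied on here. A pre-flight `assert` that requires a non-empty `redis_password` whenever `redis_bind_interfaces` contains anything other than a loopback address would catch this. The rest of the template, including any `requirepass` line, is outside the hunk.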
|
||||
|
|