Merge remote-tracking branch 'origin/unstable' into change_timezone

CHANGELOG.md

@@ -12,6 +12,22 @@ The **patch** part changes incrementally at each release.
 
 ### Added
 
+* varnish: variable for jail configuration
+
+### Changed
+
+### Fixed
+
+* lxc: Force lxc containers to be in the correct timezone
+
+### Removed
+
+### Security
+
+## [10.3.0] 2020-12-21
+
+### Added
+
 * dovecot: Update munin plugin & configure it
 * dovecot: vmail uid/gid are configurable
 * evoacme: variable to disable Debian version check (default: False)
@@ -23,21 +39,23 @@ The **patch** part changes incrementally at each release.
 * redis: variable to force use of port 6379 in instances mode
 * redis: check maxmemory in NRPE check
 * lxc-php: Allow php containers to contact local MySQL with localhost
+* varnish: config file name is configurable
 
 ### Changed
 
+* Create system users for vmail (dovecot) and evoadmin
 * apt: disable APT Periodic
 * evoacme: upstream release 20.12
 * evocheck: upstream release 20.12
+* evolinux-users: improve uid/login checks
+* tomcat-instance: fail if uid already exists
+* varnish: change template name for better readability
+* varnish: no threadpool delay by default
+* varnish: no custom reload script for Debian 10 and later 
 
 ### Fixed
 
 * cerbot: parse HAProxy config file only if HAProxy is found
-* lxc: Force lxc containers to be in the correct timezone
-
-### Removed
-
-### Security
 
 ## [10.2.0] 2020-09-17
 

dovecot/tasks/main.yml

@@ -41,6 +41,7 @@
   group:
     name: vmail
     gid: "{{ dovecot_vmail_gid }}"
+    system: True
   tags:
   - dovecot
 
@@ -50,6 +51,7 @@
     group: vmail
     uid: "{{ dovecot_vmail_uid }}"
     shell: /bin/false
+    system: True
   tags:
   - dovecot
 

evolinux-users/tasks/user.yml

@@ -2,20 +2,41 @@
 
 # Unix account
 
+- fail:
+    msg: "You must provide a value for the 'user.name ' variable."
+  when: user.name  is not defined or user.name  == ''
+
+- fail:
+    msg: "You must provide a value for the 'user.uid ' variable."
+  when: user.uid  is not defined or user.uid  == ''
+
 - name: "Test if '{{ user.name }}' exists"
-  command: 'getent passwd {{ user.name }}'
-  register: loginisbusy
+  command: 'id -u "{{ user.name }}"'
+  register: get_id_from_login
   failed_when: False
   changed_when: False
   check_mode: no
 
-- name: "Test if uid exists for '{{ user.name }}'"
-  command: 'getent passwd {{ user.uid }}'
-  register: uidisbusy
+- name: "Test if uid '{{ user.uid }}' exists"
+  command: 'id -un -- "{{ user.uid }}"'
+  register: get_login_from_id
   failed_when: False
   changed_when: False
   check_mode: no
 
+# Error if
+# the uid already exists
+# and the user associated with this uid is not the desired user
+- name: "Fail if uid already exists for another user"
+  fail:
+    msg: "Uid '{{ user.uid }}' is already used by '{{ get_login_from_id.stdout }}'. You must change uid for '{{ user.name }}'"
+  when:
+    - get_login_from_id.rc == 0
+    - get_login_from_id.stdout != user.name
+
+# Create/Update the user account with defined uid if
+# the user doesn't already exist and the uid isn't already used
+# or the user exists with the defined uid
 - name: "Unix account for '{{ user.name }}' is present (with uid '{{ user.uid }}')"
   user:
     state: present
@@ -24,11 +45,13 @@
     comment: '{{ user.fullname }}'
     shell: /bin/bash
     password: '{{ user.password_hash }}'
-    update_password: on_create
+    update_password: "on_create"
   when:
-    - loginisbusy.rc != 0
-    - uidisbusy.rc   != 0
+    - (get_id_from_login.rc != 0 and get_login_from_id.rc != 0) or (get_id_from_login.rc == 0 and get_login_from_id.stdout == user.name)
 
+# Create/Update the user account without defined uid if
+# the user doesn't already exist but the defined uid is already used
+# or another user already exists with a the same uid
 - name: "Unix account for '{{ user.name }}' is present (with random uid)"
   user:
     state: present
@@ -36,10 +59,9 @@
     comment: '{{ user.fullname }}'
     shell: /bin/bash
     password: '{{ user.password_hash }}'
-    update_password: on_create
+    update_password: "on_create"
   when:
-    - loginisbusy.rc != 0
-    - uidisbusy.rc   == 0
+    - (get_id_from_login.rc != 0 and get_login_from_id.rc == 0) or (get_id_from_login.rc == 0 and get_login_from_id.stdout != user.name)
 
 - name: Is /etc/aliases present?
   stat:

tomcat-instance/tasks/user.yml

@@ -1,4 +1,24 @@
 ---
+
+- fail:
+    msg: "You must provide a value for the 'tomcat_instance_port' variable."
+  when: tomcat_instance_port is not defined or tomcat_instance_port == ''
+
+
+- name: "Test if uid '{{ tomcat_instance_port }}' exists"
+  command: 'id -un -- "{{ tomcat_instance_port }}"'
+  register: get_login_from_id
+  failed_when: False
+  changed_when: False
+  check_mode: no
+
+- name: "Fail if uid already exists for another user"
+  fail:
+    msg: "Uid '{{ tomcat_instance_port }}' is already used by '{{ get_login_from_id.stdout }}'. You must change uid for '{{ tomcat_instance_name }}'"
+  when:
+    - get_login_from_id.rc == 0
+    - get_login_from_id.stdout != tomcat_instance_name
+
 - name: Create group instance
   group:
     name: "{{ tomcat_instance_name }}"

varnish/defaults/main.yml

@@ -10,9 +10,10 @@ varnish_malloc_size: "2G"
 varnish_storage: malloc,{{ varnish_malloc_size }}
 
 varnish_thread_pools: "{{ ansible_processor_cores * ansible_processor_count }}"
-varnish_thread_pool_add_delay: 2
+varnish_thread_pool_add_delay: 0
 varnish_thread_pool_min: 500
 varnish_thread_pool_max: 5000
+varnish_jail: "unix,user=vcache"
 
 varnish_config_file: /etc/varnish/default.vcl
 varnish_secret_file: /etc/varnish/secret

varnish/files/reload-vcl.sh

@@ -1,5 +0,0 @@
-#!/bin/sh
-UUID=`cat /proc/sys/kernel/random/uuid`
-/usr/sbin/varnishd -C -f /etc/varnish/default.vcl >/dev/null \
- &&/usr/bin/varnishadm -T localhost:6082 -S /etc/varnish/secret "vcl.load vcl_$UUID /etc/varnish/default.vcl" \
- && /usr/bin/varnishadm -T localhost:6082 -S /etc/varnish/secret "vcl.use vcl_$UUID"

varnish/tasks/main.yml

@@ -4,49 +4,62 @@
     name: varnish
     state: present
   tags:
-  - varnish
+    - varnish
 
 - name: Remove default varnish configuration files
   file:
     path: "{{ item }}"
     state: absent
   with_items:
-    -  /etc/default/varnish
-    -  /etc/default/varnishncsa
-    -  /etc/default/varnishlog
+    - /etc/default/varnish
+    - /etc/default/varnishncsa
+    - /etc/default/varnishlog
   notify: reload varnish
   tags:
-  - varnish
+    - varnish
 
-- name: Copy Custom Varnish ExecReload script (Debian <=9)
-  copy:
-    src: "reload-vcl.sh"
+- name: Copy Custom Varnish ExecReload script (Debian <10)
+  template:
+    src: "reload-vcl.sh.j2"
     dest: "/etc/varnish/reload-vcl.sh"
     mode: "0700"
     owner: root
     group: root
-  when: ansible_distribution_major_version is version('9', '<=')
+  when: ansible_distribution_major_version is version('10', '<')
   notify: reload varnish
   tags:
-  - varnish
+    - varnish
 
 - name: Create a system config directory for systemd overrides
   file:
     path: /etc/systemd/system/varnish.service.d
     state: directory
   tags:
-  - varnish
+    - varnish
 
-- name: Override Varnish systemd unit
+- name: Override Varnish systemd unit (Stretch and before)
   template:
-    src: varnish.conf.j2
+    src: varnish.conf.jessie.j2
     dest: /etc/systemd/system/varnish.service.d/evolinux.conf
     force: yes
+  when: ansible_distribution_major_version is version('10', '<')
   notify:
     - reload systemd
     - restart varnish
   tags:
-  - varnish
+    - varnish
+
+- name: Override Varnish systemd unit (Buster and later)
+  template:
+    src: varnish.conf.buster.j2
+    dest: /etc/systemd/system/varnish.service.d/evolinux.conf
+    force: yes
+  when: ansible_distribution_major_version is version('10', '>=')
+  notify:
+    - reload systemd
+    - restart varnish
+  tags:
+    - varnish
 
 - name: Patch logrotate conf
   replace:
@@ -57,22 +70,26 @@
     - varnishlog
     - varnishncsa
   tags:
-  - varnish
+    - varnish
 
 - name: Copy Varnish configuration
   template:
     src: "{{ item }}"
-    dest: /etc/varnish/default.vcl
+    dest: "{{ varnish_config_file }}"
     mode: "0644"
     force: yes
   with_first_found:
-  - "templates/varnish/default.{{ inventory_hostname }}.vcl.j2"
-  - "templates/varnish/default.{{ host_group }}.vcl.j2"
-  - "templates/varnish/default.default.vcl.j2"
-  - "default.vcl.j2"
+    - "templates/varnish/varnish.{{ inventory_hostname }}.vcl.j2"
+    - "templates/varnish/default.{{ inventory_hostname }}.vcl.j2"
+    - "templates/varnish/varnish.{{ host_group }}.vcl.j2"
+    - "templates/varnish/default.{{ host_group }}.vcl.j2"
+    - "templates/varnish/varnish.default.vcl.j2"
+    - "templates/varnish/default.default.vcl.j2"
+    - "varnish.vcl.j2"
+    - "default.vcl.j2"
   notify: reload varnish
   tags:
-  - varnish
+    - varnish
 
 - name: Create Varnish config dir
   file:
@@ -80,7 +97,7 @@
     state: directory
     mode: "0755"
   tags:
-  - varnish
+    - varnish
 
 - name: Copy included Varnish config
   template:
@@ -92,6 +109,6 @@
   - "templates/varnish/conf.d/*.vcl"
   notify: reload varnish
   tags:
-  - varnish
+    - varnish
 
 - include: munin.yml

varnish/templates/reload-vcl.sh.j2

@@ -0,0 +1,5 @@
+#!/bin/sh
+UUID=`cat /proc/sys/kernel/random/uuid`
+/usr/sbin/varnishd -C -f {{ varnish_config_file }} >/dev/null \
+  && /usr/bin/varnishadm -T {{ varnish_management_address }} -S {{ varnish_secret_file }} "vcl.load vcl_$UUID {{ varnish_config_file }}" \
+  && /usr/bin/varnishadm -T {{ varnish_management_address }} -S {{ varnish_secret_file }} "vcl.use vcl_$UUID"

varnish/templates/varnish.conf.buster.j2

@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/varnishd -F -j {{ varnish_jail }} {{ varnish_addresses | map('regex_replace', '^(.*)$', '-a \\1') | list | join(' ') }} -T {{ varnish_management_address }} -f {{ varnish_config_file }} -S {{ varnish_secret_file }} -s {{ varnish_storage }} -p thread_pools={{ varnish_thread_pools }} -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} -p thread_pool_min={{ varnish_thread_pool_min }} -p thread_pool_max={{ varnish_thread_pool_max }}

varnish/templates/varnish.conf.j2

@@ -1,7 +0,0 @@
-# {{ ansible_managed }}
-
-[Service]
-ExecStart=
-ExecStart=/usr/sbin/varnishd -F {{ varnish_addresses | map('regex_replace', '^(.*)$', '-a \\1') | list | join(' ') }} -T {{ varnish_management_address }} -f {{ varnish_config_file }} -S {{ varnish_secret_file }} -s {{ varnish_storage }} -p thread_pools={{ varnish_thread_pools }} -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} -p thread_pool_min={{ varnish_thread_pool_min }} -p thread_pool_max={{ varnish_thread_pool_max }}
-ExecReload=
-ExecReload=/etc/varnish/reload-vcl.sh

varnish/templates/varnish.conf.jessie.j2

@@ -0,0 +1,7 @@
+# {{ ansible_managed }}
+
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/varnishd -F -j {{ varnish_jail }} {{ varnish_addresses | map('regex_replace', '^(.*)$', '-a \\1') | list | join(' ') }} -T {{ varnish_management_address }} -f {{ varnish_config_file }} -S {{ varnish_secret_file }} -s {{ varnish_storage }} -p thread_pools={{ varnish_thread_pools }} -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} -p thread_pool_min={{ varnish_thread_pool_min }} -p thread_pool_max={{ varnish_thread_pool_max }}
+ExecReload=
+ExecReload=/etc/varnish/reload-vcl.sh

webapps/evoadmin-web/tasks/user.yml

@@ -6,6 +6,7 @@
     comment: "Evoadmin Web Account"
     home: "{{ evoadmin_home_dir }}"
     password: "!"
+    system: yes
 
 - name: Create www-evoadmin group
   group:
@@ -22,6 +23,7 @@
 - name: "Create www-evoadmin (Debian 9 or later)"
   user:
     name: www-evoadmin
+    system: yes
   when: ansible_distribution_major_version is version('9', '>=')
 
 - name: Is /etc/aliases present?