diff --git a/CHANGELOG.md b/CHANGELOG.md
index 78ecd6ca..81b3031e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,22 @@ The **patch** part changes incrementally at each release. ### Added
+* varnish: variable for jail configuration
+
+### Changed
+
+### Fixed
+
+* lxc: Force lxc containers to be in the correct timezone
+
+### Removed
+
+### Security
+
+## [10.3.0] 2020-12-21
+
+### Added
+
* dovecot: Update munin plugin & configure it * dovecot: vmail uid/gid are configurable * evoacme: variable to disable Debian version check (default: False)
@@ -23,21 +39,23 @@ The **patch** part changes incrementally at each release. * redis: variable to force use of port 6379 in instances mode * redis: check maxmemory in NRPE check * lxc-php: Allow php containers to contact local MySQL with localhost
+* varnish: config file name is configurable
### Changed
+* Create system users for vmail (dovecot) and evoadmin
* apt: disable APT Periodic * evoacme: upstream release 20.12 * evocheck: upstream release 20.12
+* evolinux-users: improve uid/login checks
+* tomcat-instance: fail if uid already exists
+* varnish: change template name for better readability
+* varnish: no threadpool delay by default
+* varnish: no custom reload script for Debian 10 and later
### Fixed * cerbot: parse HAProxy config file only if HAProxy is found
-* lxc: Force lxc containers to be in the correct timezone
-
-### Removed
-
-### Security
## [10.2.0] 2020-09-17
diff --git a/dovecot/tasks/main.yml b/dovecot/tasks/main.yml
index 8508a902..1a7e4280 100644
--- a/dovecot/tasks/main.yml
+++ b/dovecot/tasks/main.yml
@@ -41,6 +41,7 @@ group: name: vmail gid: "{{ dovecot_vmail_gid }}"
+ system: True
tags: - dovecot
@@ -50,6 +51,7 @@ group: vmail uid: "{{ dovecot_vmail_uid }}" shell: /bin/false
+ system: True
tags: - dovecot
diff --git a/evolinux-users/tasks/user.yml b/evolinux-users/tasks/user.yml
index 2f5e4e43..b8dda1d2 100644
--- a/evolinux-users/tasks/user.yml
+++ b/evolinux-users/tasks/user.yml
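Review bot: `system: True` on the vmail group and user tasks only has an effect at creation time; as far as I know Ansible's group and user modules do not convert an already existing account into a system one, so on hosts already provisioned with vmail these two lines are no-ops and the "Create system users" changelog entry only holds for fresh installs. Because both tasks already pin `gid`/`uid` from `dovecot_vmail_gid`/`dovecot_vmail_uid`, the flag changes creation defaults (no home directory, no password aging) rather than the id range. A short comment above the group task would spare the next reader the investigation, e.g. `# system: only applied when the account is created; existing vmail accounts are left as they are`. The same remark applies to the two hunks in webapps/evoadmin-web/tasks/user.yml, which additionally spell the boolean as `yes` while these hunks use `True` — pick one form (`true`) across the change.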
@@ -2,20 +2,41 @@ # Unix account +- fail: + msg: "You must provide a value for the 'user.name ' variable." + when: user.name is not defined or user.name == '' + +- fail: + msg: "You must provide a value for the 'user.uid ' variable." + when: user.uid is not defined or user.uid == '' + - name: "Test if '{{ user.name }}' exists" - command: 'getent passwd {{ user.name }}' - register: loginisbusy + command: 'id -u "{{ user.name }}"' + register: get_id_from_login failed_when: False changed_when: False check_mode: no -- name: "Test if uid exists for '{{ user.name }}'" - command: 'getent passwd {{ user.uid }}' - register: uidisbusy +- name: "Test if uid '{{ user.uid }}' exists" + command: 'id -un -- "{{ user.uid }}"' + register: get_login_from_id failed_when: False changed_when: False check_mode: no +# Error if +# the uid already exists +# and the user associated with this uid is not the desired user +- name: "Fail if uid already exists for another user" + fail: + msg: "Uid '{{ user.uid }}' is already used by '{{ get_login_from_id.stdout }}'. You must change uid for '{{ user.name }}'" + when: + - get_login_from_id.rc == 0 + - get_login_from_id.stdout != user.name + +# Create/Update the user account with defined uid if +# the user doesn't already exist and the uid isn't already used +# or the user exists with the defined uid - name: "Unix account for '{{ user.name }}' is present (with uid '{{ user.uid }}')" user: state: present 
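Review bot: The login check `command: 'id -u "{{ user.name }}"'` passes the name without the `--` separator that the uid check right below uses (`id -un -- "{{ user.uid }}"`), so a `user.name` value beginning with `-` would be read by `id` as an option rather than an account; `command: 'id -u -- "{{ user.name }}"'` makes the two probes consistent. The two new `fail` messages also carry a stray space inside the quoted variable name (`'user.name '`, `'user.uid '`). The Unix-account task whose `when:` consumes these registered results continues past the end of the hunk.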
@@ -24,11 +45,13 @@ comment: '{{ user.fullname }}' shell: /bin/bash password: '{{ user.password_hash }}'
- update_password: on_create
+ update_password: "on_create"
when:
- - loginisbusy.rc != 0
- - uidisbusy.rc != 0
+ - (get_id_from_login.rc != 0 and get_login_from_id.rc != 0) or (get_id_from_login.rc == 0 and get_login_from_id.stdout == user.name)
+# Create/Update the user account without defined uid if
+# the user doesn't already exist but the defined uid is already used
+# or another user already exists with a the same uid
- name: "Unix account for '{{ user.name }}' is present (with random uid)" user: state: present
@@ -36,10 +59,9 @@ comment: '{{ user.fullname }}' shell: /bin/bash password: '{{ user.password_hash }}'
- update_password: on_create
+ update_password: "on_create"
when:
- - loginisbusy.rc != 0
- - uidisbusy.rc == 0
+ - (get_id_from_login.rc != 0 and get_login_from_id.rc == 0) or (get_id_from_login.rc == 0 and get_login_from_id.stdout != user.name)
- name: Is /etc/aliases present? stat:
diff --git a/tomcat-instance/tasks/user.yml b/tomcat-instance/tasks/user.yml
index a4a7bcb2..64244799 100644
--- a/tomcat-instance/tasks/user.yml
+++ b/tomcat-instance/tasks/user.yml
@@ -1,4 +1,24 @@
---
+
+- fail:
+ msg: "You must provide a value for the 'tomcat_instance_port' variable."
+ when: tomcat_instance_port is not defined or tomcat_instance_port == ''
+
+
+- name: "Test if uid '{{ tomcat_instance_port }}' exists"
+ command: 'id -un -- "{{ tomcat_instance_port }}"'
+ register: get_login_from_id
+ failed_when: False
+ changed_when: False
+ check_mode: no
+
+- name: "Fail if uid already exists for another user"
+ fail:
+ msg: "Uid '{{ tomcat_instance_port }}' is already used by '{{ get_login_from_id.stdout }}'. You must change uid for '{{ tomcat_instance_name }}'"
+ when:
+ - get_login_from_id.rc == 0
+ - get_login_from_id.stdout != tomcat_instance_name
- name: Create group instance group: name: "{{ tomcat_instance_name }}"
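Review bot: In the `when:` of the "(with random uid)" task, the first disjunct `get_id_from_login.rc != 0 and get_login_from_id.rc == 0` looks unreachable: that is precisely the case in which the "Fail if uid already exists for another user" task from the previous hunk aborts the play, since a uid owned by someone cannot resolve to a login that `id -u` did not find. If I read it correctly, the task therefore only runs when the user already exists under a different uid while the requested uid is free, and in that case the module updates the account without moving it to `user.uid`, which neither the task name nor the comment above it conveys. Consider reducing the condition to `- get_id_from_login.rc == 0` and `- get_login_from_id.stdout != user.name` and renaming the task to say the existing uid is kept; the comment also reads "with a the same uid" (drop the "a"). The task begins in the previous hunk.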
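Review bot: The new guard in tomcat-instance/tasks/user.yml validates only `tomcat_instance_port`, yet the collision task both compares `get_login_from_id.stdout != tomcat_instance_name` and interpolates `tomcat_instance_name` into its message, so a missing name surfaces as a templating error rather than a clear failure; a second guard mirroring the first, `when: tomcat_instance_name is not defined or tomcat_instance_name == ''`, would close that gap. The first `fail` task is also the only one in the hunk without a `name:`, which makes play output harder to read. The "Create group instance" task continues past the end of the hunk.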
diff --git a/varnish/defaults/main.yml b/varnish/defaults/main.yml
index 544d0cf7..fd22bfe2 100644
--- a/varnish/defaults/main.yml
+++ b/varnish/defaults/main.yml
@@ -10,9 +10,10 @@ varnish_malloc_size: "2G" varnish_storage: malloc,{{ varnish_malloc_size }} varnish_thread_pools: "{{ ansible_processor_cores * ansible_processor_count }}"
-varnish_thread_pool_add_delay: 2
+varnish_thread_pool_add_delay: 0
varnish_thread_pool_min: 500 varnish_thread_pool_max: 5000
+varnish_jail: "unix,user=vcache"
varnish_config_file: /etc/varnish/default.vcl varnish_secret_file: /etc/varnish/secret
diff --git a/varnish/files/reload-vcl.sh b/varnish/files/reload-vcl.sh
deleted file mode 100644
index 537dcddf..00000000
--- a/varnish/files/reload-vcl.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/sh
-UUID=`cat /proc/sys/kernel/random/uuid`
-/usr/sbin/varnishd -C -f /etc/varnish/default.vcl >/dev/null \
-&&/usr/bin/varnishadm -T localhost:6082 -S /etc/varnish/secret "vcl.load vcl_$UUID /etc/varnish/default.vcl" \
-&& /usr/bin/varnishadm -T localhost:6082 -S /etc/varnish/secret "vcl.use vcl_$UUID"
diff --git a/varnish/tasks/main.yml b/varnish/tasks/main.yml
index c55218ef..7274cba8 100644
--- a/varnish/tasks/main.yml
+++ b/varnish/tasks/main.yml
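Review bot: `varnish_jail` is introduced without a comment, although its value is spliced verbatim after `-j` in the systemd templates of this commit, so a reader has to know varnishd's jail syntax and that the named `vcache` user must exist on the host (the Debian varnish package normally creates it; nothing in this role does). A one-line note above the new default, such as `# Passed as-is to varnishd -j; the named user must exist on the host. Set to "none" to run unjailed.`, would also tell operators what to set instead of an empty string, which would leave a dangling `-j` on the ExecStart line.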
@@ -4,49 +4,62 @@ name: varnish state: present tags:
- - varnish
+ - varnish
- name: Remove default varnish configuration files file: path: "{{ item }}" state: absent with_items:
- - /etc/default/varnish
- - /etc/default/varnishncsa
- - /etc/default/varnishlog
+ - /etc/default/varnish
+ - /etc/default/varnishncsa
+ - /etc/default/varnishlog
notify: reload varnish tags:
- - varnish
+ - varnish
-- name: Copy Custom Varnish ExecReload script (Debian <=9)
- copy:
- src: "reload-vcl.sh"
+- name: Copy Custom Varnish ExecReload script (Debian <10)
+ template:
+ src: "reload-vcl.sh.j2"
dest: "/etc/varnish/reload-vcl.sh" mode: "0700" owner: root group: root
- when: ansible_distribution_major_version is version('9', '<=')
+ when: ansible_distribution_major_version is version('10', '<')
notify: reload varnish tags:
- - varnish
+ - varnish
- name: Create a system config directory for systemd overrides file: path: /etc/systemd/system/varnish.service.d state: directory tags:
- - varnish
+ - varnish
-- name: Override Varnish systemd unit
+- name: Override Varnish systemd unit (Stretch and before)
template:
- src: varnish.conf.j2
+ src: varnish.conf.jessie.j2
dest: /etc/systemd/system/varnish.service.d/evolinux.conf force: yes
+ when: ansible_distribution_major_version is version('10', '<')
notify: - reload systemd - restart varnish tags:
- - varnish
+ - varnish
+
+- name: Override Varnish systemd unit (Buster and later)
+ template:
+ src: varnish.conf.buster.j2
+ dest: /etc/systemd/system/varnish.service.d/evolinux.conf
+ force: yes
+ when: ansible_distribution_major_version is version('10', '>=')
+ notify:
+ - reload systemd
+ - restart varnish
+ tags:
+ - varnish
- name: Patch logrotate conf replace:
@@ -57,22 +70,26 @@ - varnishlog - varnishncsa tags:
- - varnish
+ - varnish
- name: Copy Varnish configuration template: src: "{{ item }}"
- dest: /etc/varnish/default.vcl
+ dest: "{{ varnish_config_file }}"
mode: "0644" force: yes with_first_found:
- - "templates/varnish/default.{{ inventory_hostname }}.vcl.j2"
- - "templates/varnish/default.{{ host_group }}.vcl.j2"
- - "templates/varnish/default.default.vcl.j2"
- - "default.vcl.j2"
+ - "templates/varnish/varnish.{{ inventory_hostname }}.vcl.j2"
+ - "templates/varnish/default.{{ inventory_hostname }}.vcl.j2"
+ - "templates/varnish/varnish.{{ host_group }}.vcl.j2"
+ - "templates/varnish/default.{{ host_group }}.vcl.j2"
+ - "templates/varnish/varnish.default.vcl.j2"
+ - "templates/varnish/default.default.vcl.j2"
+ - "varnish.vcl.j2"
+ - "default.vcl.j2"
notify: reload varnish tags:
- - varnish
+ - varnish
- name: Create Varnish config dir file:
@@ -80,7 +97,7 @@ state: directory mode: "0755" tags:
- - varnish
+ - varnish
- name: Copy included Varnish config template:
@@ -92,6 +109,6 @@ - "templates/varnish/conf.d/*.vcl" notify: reload varnish tags:
- - varnish
+ - varnish
- include: munin.yml
diff --git a/varnish/templates/reload-vcl.sh.j2 b/varnish/templates/reload-vcl.sh.j2
new file mode 100644
index 00000000..e60d8257
--- /dev/null
+++ b/varnish/templates/reload-vcl.sh.j2
@@ -0,0 +1,5 @@
+#!/bin/sh
+UUID=`cat /proc/sys/kernel/random/uuid`
+/usr/sbin/varnishd -C -f {{ varnish_config_file }} >/dev/null \
+ && /usr/bin/varnishadm -T {{ varnish_management_address }} -S {{ varnish_secret_file }} "vcl.load vcl_$UUID {{ varnish_config_file }}" \
+ && /usr/bin/varnishadm -T {{ varnish_management_address }} -S {{ varnish_secret_file }} "vcl.use vcl_$UUID"
diff --git a/varnish/templates/varnish.conf.buster.j2 b/varnish/templates/varnish.conf.buster.j2
new file mode 100644
index 00000000..63439b61
--- /dev/null
+++ b/varnish/templates/varnish.conf.buster.j2
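Review bot: The templated reload-vcl.sh.j2 loads a fresh `vcl_$UUID` and switches to it on every reload but never discards the previously active configuration, so each reload leaves one more compiled VCL resident in varnishd until the service is restarted; on hosts that reload often this grows without bound. Recording the active VCL name before `vcl.load` and issuing a `vcl.discard` for it after a successful `vcl.use` would keep the script bounded, and a header comment saying the script is templated from the role (it now carries `{{ varnish_config_file }}`, `{{ varnish_management_address }}` and `{{ varnish_secret_file }}`) would stop someone from editing the rendered copy in place. The stderr of the `varnishd -C` pre-check is still shown, which is useful; only stdout is silenced.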
@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/varnishd -F -j {{ varnish_jail }} {{ varnish_addresses | map('regex_replace', '^(.*)$', '-a \\1') | list | join(' ') }} -T {{ varnish_management_address }} -f {{ varnish_config_file }} -S {{ varnish_secret_file }} -s {{ varnish_storage }} -p thread_pools={{ varnish_thread_pools }} -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} -p thread_pool_min={{ varnish_thread_pool_min }} -p thread_pool_max={{ varnish_thread_pool_max }}
diff --git a/varnish/templates/varnish.conf.j2 b/varnish/templates/varnish.conf.j2
deleted file mode 100644
index 3020d556..00000000
--- a/varnish/templates/varnish.conf.j2
+++ /dev/null
@@ -1,7 +0,0 @@
-# {{ ansible_managed }}
-
-[Service]
-ExecStart=
-ExecStart=/usr/sbin/varnishd -F {{ varnish_addresses | map('regex_replace', '^(.*)$', '-a \\1') | list | join(' ') }} -T {{ varnish_management_address }} -f {{ varnish_config_file }} -S {{ varnish_secret_file }} -s {{ varnish_storage }} -p thread_pools={{ varnish_thread_pools }} -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} -p thread_pool_min={{ varnish_thread_pool_min }} -p thread_pool_max={{ varnish_thread_pool_max }}
-ExecReload=
-ExecReload=/etc/varnish/reload-vcl.sh
diff --git a/varnish/templates/varnish.conf.jessie.j2 b/varnish/templates/varnish.conf.jessie.j2
new file mode 100644
index 00000000..f340323d
--- /dev/null
+++ b/varnish/templates/varnish.conf.jessie.j2
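Review bot: `-j {{ varnish_jail }}` is emitted unconditionally in the buster ExecStart line, so an operator who sets `varnish_jail` to an empty string to switch the jail off would produce a bare `-j` followed by the first `-a` address, which varnishd would most likely reject at start-up; guarding it with `{% if varnish_jail %}-j {{ varnish_jail }} {% endif %}` (or documenting that `none` is the supported way to disable the jail) avoids the surprise. The identical ExecStart line is repeated in varnish.conf.jessie.j2 in the next hunk, so the guard belongs in both templates. A comment after the `{{ ansible_managed }}` line noting that the override keeps the management process as root and relies on `-j` to drop the worker's privileges would make the security intent of the new flag visible to whoever edits the unit next.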
@@ -0,0 +1,7 @@
+# {{ ansible_managed }}
+
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/varnishd -F -j {{ varnish_jail }} {{ varnish_addresses | map('regex_replace', '^(.*)$', '-a \\1') | list | join(' ') }} -T {{ varnish_management_address }} -f {{ varnish_config_file }} -S {{ varnish_secret_file }} -s {{ varnish_storage }} -p thread_pools={{ varnish_thread_pools }} -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} -p thread_pool_min={{ varnish_thread_pool_min }} -p thread_pool_max={{ varnish_thread_pool_max }}
+ExecReload=
+ExecReload=/etc/varnish/reload-vcl.sh
diff --git a/varnish/templates/default.vcl.j2 b/varnish/templates/varnish.vcl.j2
similarity index 100%
rename from varnish/templates/default.vcl.j2
rename to varnish/templates/varnish.vcl.j2
diff --git a/webapps/evoadmin-web/tasks/user.yml b/webapps/evoadmin-web/tasks/user.yml
index 5aa6c29c..7b58270c 100644
--- a/webapps/evoadmin-web/tasks/user.yml
+++ b/webapps/evoadmin-web/tasks/user.yml
@@ -6,6 +6,7 @@ comment: "Evoadmin Web Account" home: "{{ evoadmin_home_dir }}" password: "!"
+ system: yes
- name: Create www-evoadmin group group:
@@ -22,6 +23,7 @@ - name: "Create www-evoadmin (Debian 9 or later)" user: name: www-evoadmin
+ system: yes
when: ansible_distribution_major_version is version('9', '>=') - name: Is /etc/aliases present?