Merge branch 'unstable' into stable
f2cfb85926
25
CHANGELOG.md
25
CHANGELOG.md
|
@ -18,6 +18,31 @@ The **patch** part changes incrementally at each release.
|
||||||
|
|
||||||
### Security
|
### Security
|
||||||
|
|
||||||
|
## [9.4.0] - 2018-09-20
|
||||||
|
|
||||||
|
### Added
|
||||||
|
* etc-git: manage a cron job to monitor uncommited changes in /etc/.git (default: `True`)
|
||||||
|
* evolinux-base: better shell history
|
||||||
|
* evolinux-users: add user to /etc/aliases
|
||||||
|
* generate-ldif: add a section for postgresql
|
||||||
|
* logstash: tmp directory can be customized
|
||||||
|
* logstash: max memory is set to 512M by default
|
||||||
|
* logstash: version 6.x is installed by default
|
||||||
|
* mysql: add a variable to prevent mysql from restarting
|
||||||
|
* networkd-to-ifconfig: add a role to switch from networkd to ifconfig
|
||||||
|
* webapps/evoadmin-web: add users to /etc/aliases
|
||||||
|
* redis: add support for multi instances
|
||||||
|
* nagios-nrpe: add check_redis_instances
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
* dovecot: stronger TLS configuration
|
||||||
|
|
||||||
|
### Fixed
|
||||||
|
* apache: cleaner way to overwrite the server status suffix
|
||||||
|
* packweb-apache: don't regenerate phpMyAdmin suffix each time
|
||||||
|
* nginx: cleaner way to overwrite the server status suffix
|
||||||
|
* redis: add missing tags
|
||||||
|
|
||||||
## [9.3.2] - 2018-09-06
|
## [9.3.2] - 2018-09-06
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
|
@ -9,7 +9,11 @@
|
||||||
state: directory
|
state: directory
|
||||||
|
|
||||||
- name: set apache serverstatus suffix if provided
|
- name: set apache serverstatus suffix if provided
|
||||||
shell: "echo {{ apache_serverstatus_suffix }} > {{ apache_serverstatus_suffix_file }}"
|
copy:
|
||||||
|
dest: "{{ apache_serverstatus_suffix_file }}"
|
||||||
|
# The last character "\u000A" is a line feed (LF), it's better to keep it
|
||||||
|
content: "{{ apache_serverstatus_suffix }}\u000A"
|
||||||
|
force: yes
|
||||||
when: apache_serverstatus_suffix != ""
|
when: apache_serverstatus_suffix != ""
|
||||||
|
|
||||||
- name: generate random string for server-status suffix
|
- name: generate random string for server-status suffix
|
||||||
|
|
|
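Review bot: The `copy:` task that writes `{{ apache_serverstatus_suffix_file }}` sets `force: yes` but no `mode:`/`owner:`, so the file's permissions depend on the umask of the Ansible run; since the suffix is what keeps the server-status URL unguessable, pin them, e.g. `mode: "0600"` and `owner: root`. The same applies to the nginx hunk writing `nginx_serverstatus_suffix_file` and to the packweb-apache hunk, where the `apg ... > {{ packweb_phpmyadmin_suffix_file }}` redirection is likewise umask-dependent. Prefer the canonical YAML boolean, `force: true`, over `yes`. The task list continues outside the hunk on both sides.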
@ -37,5 +37,10 @@ mail_max_userip_connections = 42
|
||||||
|
|
||||||
# SSL/TLS
|
# SSL/TLS
|
||||||
ssl = yes
|
ssl = yes
|
||||||
|
ssl_prefer_server_ciphers = yes
|
||||||
|
ssl_dh_parameters_length = 2048
|
||||||
|
ssl_options = no_compression no_ticket
|
||||||
|
ssl_protocols = !TLSv1 !TLSv1.1
|
||||||
|
ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
|
||||||
ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem
|
ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||||
ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key
|
ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key
|
||||||
|
|
|
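Review bot: `ssl_protocols = !TLSv1 !TLSv1.1` replaces Dovecot's default exclusion list rather than extending it, so SSLv2/SSLv3 are no longer named as disabled; write `ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1` so the intent does not depend on what the linked OpenSSL build still supports. The `ssl_cipher_list` still ends with the 3DES suites (`ECDHE-ECDSA-DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`, `DES-CBC3-SHA`) and several non-forward-secret `AES*-SHA*` suites; a 64-bit block cipher is weak on long-lived connections and can be dropped now that TLS below 1.2 is off. As far as I know `ssl_dh_parameters_length` and the `!TLSvX` negation syntax are Dovecot 2.2 settings that 2.3 replaces with `ssl_dh` and `ssl_min_protocol`, so the template may need a version switch if newer releases are also targeted.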
@ -53,4 +53,4 @@
|
||||||
tags:
|
tags:
|
||||||
- elasticsearch
|
- elasticsearch
|
||||||
when: elastic_stack_version | version_compare('6', '>=')
|
when: elastic_stack_version | version_compare('6', '>=')
|
||||||
when: (elasticsearch_custom_tmpdir != '' and elasticsearch_custom_tmpdir != None) or fstab_tmp_noexec | success
|
when: (elasticsearch_custom_tmpdir != '' and elasticsearch_custom_tmpdir != None) or fstab_tmp_noexec.rc == 0
|
||||||
|
|
|
@ -29,3 +29,7 @@ There is also an independant task that can be executed to commit changes made in
|
||||||
vars:
|
vars:
|
||||||
commit_message: "Ansible post-run my splendid playbook"
|
commit_message: "Ansible post-run my splendid playbook"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Available variables
|
||||||
|
|
||||||
|
* `etc_git_monitor_status`: monitor uncommited changes in /etc/.git (default: `True`) ;
|
||||||
|
|
|
@ -1,2 +1,4 @@
|
||||||
---
|
---
|
||||||
commit_message: Ansible run
|
commit_message: Ansible run
|
||||||
|
|
||||||
|
etc_git_monitor_status: True
|
||||||
|
|
|
@ -88,3 +88,20 @@
|
||||||
force: no
|
force: no
|
||||||
tags:
|
tags:
|
||||||
- etc-git
|
- etc-git
|
||||||
|
|
||||||
|
- name: Cron job for /etc/.git status is installed
|
||||||
|
template:
|
||||||
|
src: etc-git-status.j2
|
||||||
|
dest: /etc/cron.d/etc-git-status
|
||||||
|
mode: "0644"
|
||||||
|
when: etc_git_monitor_status
|
||||||
|
tags:
|
||||||
|
- etc-git
|
||||||
|
|
||||||
|
- name: Cron job for /etc/.git status is removed
|
||||||
|
file:
|
||||||
|
dest: /etc/cron.d/etc-git-status
|
||||||
|
state: absent
|
||||||
|
when: not etc_git_monitor_status
|
||||||
|
tags:
|
||||||
|
- etc-git
|
||||||
|
|
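Review bot: `when: etc_git_monitor_status` and `when: not etc_git_monitor_status` test the raw value, so a string such as `"False"` passed from the inventory or `-e` is truthy and installs the cron job anyway; use `when: etc_git_monitor_status | bool` and `when: not (etc_git_monitor_status | bool)`, as the mysql hunks in this commit do with `mysql_restart_if_needed | bool`. The `template:` task pins `mode: "0644"` but not `owner: root`/`group: root`; cron ignores /etc/cron.d entries that are not root-owned, so stating it explicitly documents the requirement. In the defaults hunk, `etc_git_monitor_status: True` should be the canonical `true`.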
4
etc-git/templates/etc-git-status.j2
Normal file
4
etc-git/templates/etc-git-status.j2
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
|
@hourly root who > /dev/null || git --git-dir=/etc/.git --work-tree=/etc status --short
|
||||||
|
21 21 * * * root git --git-dir=/etc/.git --work-tree=/etc status --short
|
|
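Review bot: The hourly line `@hourly root who > /dev/null || git --git-dir=/etc/.git --work-tree=/etc status --short` almost never reaches the `git` command, because `who` exits 0 whether or not anyone is logged in; only a failure of `who` itself triggers the status. If the intent is to report uncommitted changes when nobody is logged in, test its output instead: `@hourly root [ -n "$(who)" ] || git --git-dir=/etc/.git --work-tree=/etc status --short`. A one-line comment above each entry saying what it reports and where the output goes (cron mail to root unless `MAILTO` is set) would make the two schedules easier to audit.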
@ -14,9 +14,11 @@
|
||||||
create: yes
|
create: yes
|
||||||
state: present
|
state: present
|
||||||
with_items:
|
with_items:
|
||||||
- "export HISTCONTROL=$HISTCONTROL${HISTCONTROL+,}ignoreboth"
|
- "export HISTCONTROL=$HISTCONTROL${HISTCONTROL+,}ignoreboth,erasedups"
|
||||||
- "export HISTSIZE=65535"
|
- "export HISTSIZE=65535"
|
||||||
- "export HISTTIMEFORMAT=\"%c : \""
|
- "export HISTTIMEFORMAT=\"%c : \""
|
||||||
|
- "shopt -s histappend"
|
||||||
|
- "PROMPT_COMMAND=\"history -a;${PROMPT_COMMAND}\""
|
||||||
when: evolinux_root_bashrc
|
when: evolinux_root_bashrc
|
||||||
|
|
||||||
## .bash_history should be append-only
|
## .bash_history should be append-only
|
||||||
|
|
|
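Review bot: The new `erasedups` in `HISTCONTROL` removes earlier occurrences of a repeated command from the in-memory list, so, as far as I can tell, `history` no longer shows when a command was first run and the list diverges from the file that `history -a` appends to; if the history is meant as an audit trail (the `.bash_history should be append-only` section below suggests so), `ignoredups` alone is the safer choice. `ignoreboth` also implies `ignorespace`, so any command prefixed with a space is never recorded; a comment on that item would make the trade-off explicit. The `lineinfile` task's `dest:` starts outside the hunk.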
@ -41,6 +41,20 @@
|
||||||
- loginisbusy.rc != 0
|
- loginisbusy.rc != 0
|
||||||
- uidisbusy.rc == 0
|
- uidisbusy.rc == 0
|
||||||
|
|
||||||
|
- name: Is /etc/aliases present?
|
||||||
|
stat:
|
||||||
|
path: /etc/aliases
|
||||||
|
register: etc_aliases
|
||||||
|
|
||||||
|
- name: Set mail alias
|
||||||
|
lineinfile:
|
||||||
|
state: present
|
||||||
|
dest: /etc/aliases
|
||||||
|
line: '{{ user.name }}: root'
|
||||||
|
regexp: '^{{ user.name }}:'
|
||||||
|
when: etc_aliases.stat.exists
|
||||||
|
notify: "newaliases"
|
||||||
|
|
||||||
# Unix groups
|
# Unix groups
|
||||||
|
|
||||||
## Group for SSH authorizations
|
## Group for SSH authorizations
|
||||||
|
|
|
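Review bot: `regexp: '^{{ user.name }}:'` interpolates the account name into a regular expression unescaped, so a name containing `.` or another metacharacter matches more lines than intended and `lineinfile` may replace a different user's alias; the `regex_escape` filter exists only in newer Ansible releases (the role's minimum version is not visible here), so either restrict names to `[a-z0-9_-]` before this task or build the pattern with the filter once the baseline allows it. The `stat` of `/etc/aliases` appears to run once per user if this file is included per `user` (the enclosing loop starts outside the hunk); running it once before the loop and reusing `etc_aliases` would avoid that. `notify: "newaliases"` assumes a handler of that name exists, which is not visible in this commit.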
@ -547,6 +547,24 @@ ServiceVersion: Elasticsearch ${elasticsearch_version}
|
||||||
EOT
|
EOT
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# PostgreSQL
|
||||||
|
if is_pkg_installed postgresql; then
|
||||||
|
postgresql_version=$(get_pkg_version postgresql)
|
||||||
|
fi
|
||||||
|
if [ -n "${postgresql_version}" ]; then
|
||||||
|
cat <<EOT >> "${ldif_file}"
|
||||||
|
|
||||||
|
dn: ServiceName=postgresql,${computer_dn}
|
||||||
|
NagiosEnabled: TRUE
|
||||||
|
ipServiceProtocol: tcp
|
||||||
|
objectClass: EvoService
|
||||||
|
ServiceName: postgresql
|
||||||
|
ipServicePort: 5432
|
||||||
|
ServiceType: database
|
||||||
|
ServiceVersion: PostgreSQL ${elasticsearch_version}
|
||||||
|
EOT
|
||||||
|
fi
|
||||||
|
|
||||||
# test if we have a stdout
|
# test if we have a stdout
|
||||||
if [ -t 1 ]; then
|
if [ -t 1 ]; then
|
||||||
echo "Output is in ${ldif_file}"
|
echo "Output is in ${ldif_file}"
|
||||||
|
|
|
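Review bot: `ServiceVersion: PostgreSQL ${elasticsearch_version}` in the new heredoc reports the Elasticsearch version under the PostgreSQL entry; it should be `ServiceVersion: PostgreSQL ${postgresql_version}`. `if [ -n "${postgresql_version}" ]` also reads the variable when the `is_pkg_installed postgresql` branch did not set it; if the script runs with `set -u` (not visible in this hunk) that aborts, so initialise it first with `postgresql_version=""` before the `if`. The surrounding script continues on both sides of the hunk.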
@ -1,6 +1,8 @@
|
||||||
---
|
---
|
||||||
elastic_stack_version: "5.x"
|
elastic_stack_version: "6.x"
|
||||||
|
|
||||||
logstash_jvm_xms: 256m
|
logstash_jvm_xms: 256m
|
||||||
logstash_jvm_xmx: 1g
|
logstash_jvm_xmx: 512g
|
||||||
logstash_log_rotate_days: 365
|
logstash_log_rotate_days: 365
|
||||||
|
logstash_custom_tmpdir: Null
|
||||||
|
logstash_default_tmpdir: /var/lib/logstash/tmp
|
||||||
|
|
|
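Review bot: `logstash_jvm_xmx: 512g` sets a 512 GiB heap ceiling, while the CHANGELOG entry in this commit says max memory is 512M by default; the intended value is `logstash_jvm_xmx: 512m`. `logstash_custom_tmpdir: Null` parses as YAML null, which is what the `!= None` test in tmpdir.yml expects, but the canonical spelling is `logstash_custom_tmpdir: null` so the intent is unambiguous. A short comment above the tmpdir pair noting that the custom value overrides the default only when set would help readers.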
@ -75,3 +75,5 @@
|
||||||
verbosity: 1
|
verbosity: 1
|
||||||
|
|
||||||
- include: logs.yml
|
- include: logs.yml
|
||||||
|
|
||||||
|
- include: tmpdir.yml
|
||||||
|
|
31
logstash/tasks/tmpdir.yml
Normal file
31
logstash/tasks/tmpdir.yml
Normal file
|
@ -0,0 +1,31 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: Check if /tmp is noexec
|
||||||
|
shell: "cat /etc/fstab | grep -E \" +/tmp\" | grep noexec"
|
||||||
|
register: fstab_tmp_noexec
|
||||||
|
failed_when: False
|
||||||
|
changed_when: False
|
||||||
|
check_mode: no
|
||||||
|
|
||||||
|
- block:
|
||||||
|
- name: "Create {{ logstash_custom_tmpdir or logstash_default_tmpdir | mandatory }}"
|
||||||
|
file:
|
||||||
|
path: "{{ logstash_custom_tmpdir or logstash_default_tmpdir | mandatory }}"
|
||||||
|
owner: logstash
|
||||||
|
group: logstash
|
||||||
|
mode: "0755"
|
||||||
|
state: directory
|
||||||
|
tags:
|
||||||
|
- logstash
|
||||||
|
|
||||||
|
- name: change JVM tmpdir
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/logstash/jvm.options
|
||||||
|
line: "-Djava.io.tmpdir={{ logstash_custom_tmpdir or logstash_default_tmpdir | mandatory }}"
|
||||||
|
regexp: "^-Djava.io.tmpdir="
|
||||||
|
insertafter: "## JVM configuration"
|
||||||
|
notify:
|
||||||
|
- restart logstash
|
||||||
|
tags:
|
||||||
|
- logstash
|
||||||
|
when: (logstash_custom_tmpdir != '' and logstash_custom_tmpdir != None) or fstab_tmp_noexec.rc == 0
|
|
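Review bot: `shell: "cat /etc/fstab | grep -E \" +/tmp\" | grep noexec"` inspects fstab rather than the live mount, so a /tmp mounted noexec by a unit or by hand is missed and a commented-out fstab line still matches; `shell: "findmnt -n -o OPTIONS /tmp | grep -qw noexec"` (util-linux) answers the actual question. In `"{{ logstash_custom_tmpdir or logstash_default_tmpdir | mandatory }}"` the filter binds tighter than `or`, so `mandatory` only guards the default; if the custom value is what must be non-empty, parenthesise the expression. Indentation is lost in this rendering, so I cannot confirm the trailing `when:` belongs to the `block:` rather than the last task; worth checking.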
@ -28,6 +28,7 @@ Tasks are extracted in several files, included in `tasks/main.yml` :
|
||||||
* `general_scripts_dir`: general directory for scripts installation (default: `/usr/local/bin`).
|
* `general_scripts_dir`: general directory for scripts installation (default: `/usr/local/bin`).
|
||||||
* `mysql_scripts_dir`: email address to send Log2mail messages to (default: `general_scripts_dir`).
|
* `mysql_scripts_dir`: email address to send Log2mail messages to (default: `general_scripts_dir`).
|
||||||
* `mysql_force_new_nrpe_password` : change the password for NRPE even if it exists already (default: `False`).
|
* `mysql_force_new_nrpe_password` : change the password for NRPE even if it exists already (default: `False`).
|
||||||
|
* `mysql_restart_if_needed` : should the restart handler be executed (default: `True`)
|
||||||
|
|
||||||
NB : changing the _datadir_ location can be done multiple times, as long as it is not restored to the default initial location, (because a symlink is created and can't be switched back, yet).
|
NB : changing the _datadir_ location can be done multiple times, as long as it is not restored to the default initial location, (because a symlink is created and can't be switched back, yet).
|
||||||
|
|
||||||
|
|
|
@ -22,3 +22,5 @@ mysql_cron_mysqltuner: True
|
||||||
mysql_cron_mysqltuner_frequency: monthly
|
mysql_cron_mysqltuner_frequency: monthly
|
||||||
|
|
||||||
mysql_force_new_nrpe_password: False
|
mysql_force_new_nrpe_password: False
|
||||||
|
|
||||||
|
mysql_restart_if_needed: True
|
||||||
|
|
|
@ -14,6 +14,11 @@
|
||||||
name: mysql
|
name: mysql
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
||||||
|
- name: restart mysql (noop)
|
||||||
|
meta: noop
|
||||||
|
failed_when: False
|
||||||
|
changed_when: False
|
||||||
|
|
||||||
- name: reload systemd
|
- name: reload systemd
|
||||||
systemd:
|
systemd:
|
||||||
name: mysql
|
name: mysql
|
||||||
|
|
|
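Review bot: The new `restart mysql (noop)` handler uses `meta: noop`, and `failed_when`/`changed_when` have no effect on `meta` actions, so whether this runs cleanly as a handler depends on the Ansible release; a `debug: msg: "mysql restart skipped (mysql_restart_if_needed is false)"` task with `changed_when: false` is the conventional no-op handler and also explains the skip in the log. The same handler appears in the second mysql handlers hunk further down; the two should stay identical. Prefer `changed_when: false` over `False` for YAML consistency.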
@ -1,5 +1,8 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
|
- set_fact:
|
||||||
|
mysql_restart_handler_name: "{{ mysql_restart_if_needed | bool | ternary('restart mysql', 'restart mysql (noop)') }}"
|
||||||
|
|
||||||
- include: packages.yml
|
- include: packages.yml
|
||||||
|
|
||||||
- include: users.yml
|
- include: users.yml
|
||||||
|
|
|
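Review bot: The new `set_fact` for `mysql_restart_handler_name` carries no `tags:`, while the tasks that consume it (`notify: "{{ mysql_restart_handler_name }}"` in the tmpdir hunks) are tagged `mysql`; a run with `--tags mysql` skips the fact and the notify then fails on an undefined variable. Add `tags: - mysql` (or `always`) to the `set_fact`, here and in the second mysql main.yml hunk further down. A one-line comment above it saying it selects the real or no-op restart handler from `mysql_restart_if_needed` would help.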
@ -17,7 +17,7 @@
|
||||||
section: mysqld
|
section: mysqld
|
||||||
option: tmpdir
|
option: tmpdir
|
||||||
value: "{{ mysql_custom_tmpdir }}"
|
value: "{{ mysql_custom_tmpdir }}"
|
||||||
notify: restart mysql
|
notify: "{{ mysql_restart_handler_name }}"
|
||||||
tags:
|
tags:
|
||||||
- mysql
|
- mysql
|
||||||
when: mysql_custom_tmpdir != ''
|
when: mysql_custom_tmpdir != ''
|
||||||
|
|
|
@ -38,5 +38,6 @@ Tasks are extracted in several files, included in `tasks/main.yml` :
|
||||||
* `mysql_scripts_dir`: email address to send Log2mail messages to (default: `general_scripts_dir`).
|
* `mysql_scripts_dir`: email address to send Log2mail messages to (default: `general_scripts_dir`).
|
||||||
* `mysql_force_new_nrpe_password` : change the password for NRPE even if it exists already (default: `False`).
|
* `mysql_force_new_nrpe_password` : change the password for NRPE even if it exists already (default: `False`).
|
||||||
* `mysql_install_libclient`: install mysql client libraries (default: `False`).
|
* `mysql_install_libclient`: install mysql client libraries (default: `False`).
|
||||||
|
* `mysql_restart_if_needed` : should the restart handler be executed (default: `True`)
|
||||||
|
|
||||||
NB : changing the _datadir_ location can be done multiple times, as long as it is not restored to the default initial location, (because a symlink is created and can't be switched back, yet).
|
NB : changing the _datadir_ location can be done multiple times, as long as it is not restored to the default initial location, (because a symlink is created and can't be switched back, yet).
|
||||||
|
|
|
@ -40,3 +40,5 @@ mysql_force_new_nrpe_password: False
|
||||||
|
|
||||||
mysql_evolinux_defaults_file: z-evolinux-defaults.cnf
|
mysql_evolinux_defaults_file: z-evolinux-defaults.cnf
|
||||||
mysql_evolinux_custom_file: zzz-evolinux-custom.cnf
|
mysql_evolinux_custom_file: zzz-evolinux-custom.cnf
|
||||||
|
|
||||||
|
mysql_restart_if_needed: True
|
||||||
|
|
|
@ -14,6 +14,11 @@
|
||||||
name: mysql
|
name: mysql
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
||||||
|
- name: restart mysql (noop)
|
||||||
|
meta: noop
|
||||||
|
failed_when: False
|
||||||
|
changed_when: False
|
||||||
|
|
||||||
- name: reload systemd
|
- name: reload systemd
|
||||||
systemd:
|
systemd:
|
||||||
name: mysql
|
name: mysql
|
||||||
|
|
|
@ -1,5 +1,8 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
|
- set_fact:
|
||||||
|
mysql_restart_handler_name: "{{ mysql_restart_if_needed | bool | ternary('restart mysql', 'restart mysql (noop)') }}"
|
||||||
|
|
||||||
- include: packages_stretch.yml
|
- include: packages_stretch.yml
|
||||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||||
|
|
||||||
|
|
|
@ -17,7 +17,7 @@
|
||||||
section: mysqld
|
section: mysqld
|
||||||
option: tmpdir
|
option: tmpdir
|
||||||
value: "{{ mysql_custom_tmpdir }}"
|
value: "{{ mysql_custom_tmpdir }}"
|
||||||
notify: restart mysql
|
notify: "{{ mysql_restart_handler_name }}"
|
||||||
tags:
|
tags:
|
||||||
- mysql
|
- mysql
|
||||||
when: mysql_custom_tmpdir != ''
|
when: mysql_custom_tmpdir != ''
|
||||||
|
|
49
nagios-nrpe/files/plugins/check_redis_instances
Executable file
49
nagios-nrpe/files/plugins/check_redis_instances
Executable file
|
@ -0,0 +1,49 @@
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
set -u
|
||||||
|
|
||||||
|
return=0
|
||||||
|
nb_crit=0
|
||||||
|
nb_warn=0
|
||||||
|
nb_ok=0
|
||||||
|
nb_unchk=0
|
||||||
|
output=""
|
||||||
|
|
||||||
|
instances=$(ls /etc/redis/redis-*.conf)
|
||||||
|
for instance in ${instances}; do
|
||||||
|
name=$(basename "${instance}"| sed '{s/redis-//;s/.conf//}')
|
||||||
|
port=$(grep "port" "${instance}"|grep -oE "[0-9]*")
|
||||||
|
if [ -h "/etc/systemd/system/multi-user.target.wants/redis-server@${name}.service" ]; then
|
||||||
|
/usr/lib/nagios/plugins/check_tcp -p "${port}" >/dev/null 2>&1
|
||||||
|
ret="${?}"
|
||||||
|
if [ "${ret}" -ge 2 ]; then
|
||||||
|
nb_crit=$((nb_crit + 1))
|
||||||
|
output="${output}CRITICAL - ${name} (${port})\n"
|
||||||
|
[ "${return}" -le 2 ] && return=2
|
||||||
|
elif [ "${ret}" -ge 1 ]; then
|
||||||
|
nb_warn=$((nb_warn + 1))
|
||||||
|
output="${output}WARNING - ${name} (${port})\n"
|
||||||
|
[ "${return}" -le 1 ] && return=1
|
||||||
|
else
|
||||||
|
nb_ok=$((nb_ok + 1))
|
||||||
|
output="${output}OK - ${name} (${port})\n"
|
||||||
|
[ "${return}" -le 0 ] && return=0
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
nb_unchk=$((nb_unchk + 1))
|
||||||
|
output="${output}UNCHK - ${name} (${port})\n"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
[ "${return}" -ge 0 ] && header="OK"
|
||||||
|
[ "${return}" -ge 1 ] && header="WARNING"
|
||||||
|
[ "${return}" -ge 2 ] && header="CRITICAL"
|
||||||
|
|
||||||
|
printf "%s - %s UNCHK / %s CRIT / %s WARN / %s OK\n\n" "${header}" "${nb_unchk}" "${nb_crit}" "${nb_warn}" "${nb_ok}"
|
||||||
|
|
||||||
|
printf "${output}" | grep -E "^CRITICAL"
|
||||||
|
printf "${output}" | grep -E "^WARNING"
|
||||||
|
printf "${output}" | grep -E "^OK"
|
||||||
|
printf "${output}" | grep -E "^UNCHK"
|
||||||
|
|
||||||
|
exit "${return}"
|
|
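Review bot: `port=$(grep "port" "${instance}"|grep -oE "[0-9]*")` matches any line containing the word port (comments, `cluster-announce-port`, `slaveof host port`) and can yield several numbers, which `check_tcp -p` then receives as one multi-line argument; anchor on the directive, `port=$(grep -E "^port " "${instance}" | awk '{print $2}')`. `instances=$(ls /etc/redis/redis-*.conf)` parses ls output; iterating the glob directly, `for instance in /etc/redis/redis-*.conf; do [ -e "${instance}" ] || continue`, avoids word-splitting and the ls error when no instance exists. `printf "${output}"` uses data as the format string; `printf "%b" "${output}"` keeps the `\n` expansion without that.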
@ -68,6 +68,7 @@ command[check_supervisord_status]={{ nagios_plugins_directory }}/check_superviso
|
||||||
command[check_varnish]={{ nagios_plugins_directory }}/check_varnish_health -i 127.0.0.1 -p 6082 -s /etc/varnish/secret -w 2 -c 4
|
command[check_varnish]={{ nagios_plugins_directory }}/check_varnish_health -i 127.0.0.1 -p 6082 -s /etc/varnish/secret -w 2 -c 4
|
||||||
command[check_haproxy]={{ nagios_plugins_directory }}/check_haproxy_stats -s /var/run/haproxy.sock -w 80 -c 90
|
command[check_haproxy]={{ nagios_plugins_directory }}/check_haproxy_stats -s /var/run/haproxy.sock -w 80 -c 90
|
||||||
command[check_minifirewall]=sudo {{ nagios_plugins_directory }}/check_minifirewall
|
command[check_minifirewall]=sudo {{ nagios_plugins_directory }}/check_minifirewall
|
||||||
|
command[check_redis_instances]={{ nagios_plugins_directory }}/check_redis_instances
|
||||||
|
|
||||||
# Check HTTP "many". Use this to check many websites (http, https, ports, sockets and SSL certificates).
|
# Check HTTP "many". Use this to check many websites (http, https, ports, sockets and SSL certificates).
|
||||||
# Beware! All checks must not take more than 10s!
|
# Beware! All checks must not take more than 10s!
|
||||||
|
|
9
networkd-to-ifconfig/README.md
Normal file
9
networkd-to-ifconfig/README.md
Normal file
|
@ -0,0 +1,9 @@
|
||||||
|
# networkd-to-ifconfig
|
||||||
|
|
||||||
|
Switch back from systemd "networkd" to plain old /etc/network/interfaces.
|
||||||
|
|
||||||
|
The role does nothing if an /etc/network/interfaces file is present.
|
||||||
|
|
||||||
|
You should always double-check if everything seems OK, then reboot.
|
||||||
|
|
||||||
|
Caveat: a public IPv4 and a public IPv6 are expected.
|
19
networkd-to-ifconfig/meta/main.yml
Normal file
19
networkd-to-ifconfig/meta/main.yml
Normal file
|
@ -0,0 +1,19 @@
|
||||||
|
galaxy_info:
|
||||||
|
author: Evolix
|
||||||
|
description: Switch back from systemd "networkd" to plain old /etc/network/interfaces.
|
||||||
|
|
||||||
|
issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
|
||||||
|
|
||||||
|
license: GPLv2
|
||||||
|
|
||||||
|
min_ansible_version: 2.2
|
||||||
|
|
||||||
|
platforms:
|
||||||
|
- name: Debian
|
||||||
|
versions:
|
||||||
|
- stretch
|
||||||
|
|
||||||
|
dependencies: []
|
||||||
|
# List your role dependencies here, one per line.
|
||||||
|
# Be sure to remove the '[]' above if you add dependencies
|
||||||
|
# to this list.
|
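Review bot: `min_ansible_version: 2.2` is an unquoted float, so a later `2.10` would parse as `2.1`; quote version strings, `min_ansible_version: "2.2"`. The three comment lines after `dependencies: []` are scaffolding instructions rather than a description of this role; either drop them or replace them with one comment stating the role has no dependencies.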
54
networkd-to-ifconfig/tasks/main.yml
Normal file
54
networkd-to-ifconfig/tasks/main.yml
Normal file
|
@ -0,0 +1,54 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: Check state of /etc/network/interfaces
|
||||||
|
stat:
|
||||||
|
path: /etc/network/interfaces
|
||||||
|
register: interfaces_file
|
||||||
|
|
||||||
|
- debug:
|
||||||
|
msg: A /etc/network/interfaces file already exists, nothing is done.
|
||||||
|
when: interfaces_file.stat.exists
|
||||||
|
|
||||||
|
- block:
|
||||||
|
- name: "Parse addresses"
|
||||||
|
shell: "grep Address= /etc/systemd/network/50-default.network | cut -d'=' -f2"
|
||||||
|
register: network_address_grep
|
||||||
|
check_mode: no
|
||||||
|
|
||||||
|
- name: "Parse gateways"
|
||||||
|
shell: "grep Gateway= /etc/systemd/network/50-default.network | cut -d'=' -f2"
|
||||||
|
register: network_gateway_grep
|
||||||
|
check_mode: no
|
||||||
|
|
||||||
|
- name: Prepare variables
|
||||||
|
set_fact:
|
||||||
|
eni_interface_name: "{{ ansible_default_ipv4.interface }}"
|
||||||
|
eni_ipv4_address: "{{ network_address_grep.stdout_lines | ipv4 | first }}"
|
||||||
|
eni_ipv4_gateway: "{{ network_gateway_grep.stdout_lines | ipv4 | first }}"
|
||||||
|
eni_ipv6_address: "{{ network_address_grep.stdout_lines | ipv6 | first }}"
|
||||||
|
eni_ipv6_gateway: "{{ network_gateway_grep.stdout_lines | ipv6 | first }}"
|
||||||
|
|
||||||
|
- name: "A new /etc/network/interfaces is generated"
|
||||||
|
template:
|
||||||
|
src: interfaces.j2
|
||||||
|
dest: /etc/network/interfaces
|
||||||
|
mode: "0644"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
|
||||||
|
- name: "Systemd 'networkd' unit is stopped and disabled"
|
||||||
|
systemd:
|
||||||
|
name: systemd-networkd.service
|
||||||
|
enabled: False
|
||||||
|
state: stopped
|
||||||
|
|
||||||
|
- name: "Systemd 'networking' unit is restarted (it often results in error)"
|
||||||
|
systemd:
|
||||||
|
name: networking
|
||||||
|
enabled: True
|
||||||
|
state: restarted
|
||||||
|
ignore_errors: True
|
||||||
|
|
||||||
|
- debug:
|
||||||
|
msg: You should verify your configuration, then reboot the server.
|
||||||
|
when: not interfaces_file.stat.exists
|
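Review bot: Indentation is lost in this rendering, so I cannot tell whether the final `when: not interfaces_file.stat.exists` guards the whole `block:` or only the last `debug:`; if it is the latter, the `template:` task overwrites an existing /etc/network/interfaces and networkd is stopped regardless of the earlier check, which contradicts the README. Please confirm the `when:` sits at the `block:` level. `ignore_errors: True` on the `networking` restart hides the failure entirely; registering the result and surfacing it in the closing `debug:` keeps the behaviour the task name calls "often results in error" visible to the operator. `enabled: False`/`True` should be the canonical `false`/`true`.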
17
networkd-to-ifconfig/templates/interfaces.j2
Normal file
17
networkd-to-ifconfig/templates/interfaces.j2
Normal file
|
@ -0,0 +1,17 @@
|
||||||
|
# This file describes the network interfaces available on your system
|
||||||
|
# and how to activate them. For more information, see interfaces(5).
|
||||||
|
|
||||||
|
# The loopback network interface
|
||||||
|
iface lo inet loopback
|
||||||
|
|
||||||
|
# The primary network interface
|
||||||
|
auto {{ eni_interface_name }}
|
||||||
|
iface {{ eni_interface_name }} inet static
|
||||||
|
address {{ eni_ipv4_address }}
|
||||||
|
gateway {{ eni_ipv4_gateway }}
|
||||||
|
|
||||||
|
iface {{ eni_interface_name }} inet6 static
|
||||||
|
address {{ eni_ipv6_address }}
|
||||||
|
gateway {{ eni_ipv6_gateway }}
|
||||||
|
post-up /sbin/ip -6 route add {{ eni_ipv6_gateway }} dev {{ eni_interface_name }}
|
||||||
|
post-up /sbin/ip -6 route add default via IPV6
|
|
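Review bot: `post-up /sbin/ip -6 route add default via IPV6` contains the literal placeholder `IPV6` instead of a template variable; it should read `post-up /sbin/ip -6 route add default via {{ eni_ipv6_gateway }}`, and even then the `gateway {{ eni_ipv6_gateway }}` line in the same `inet6 static` stanza already installs the default route, so the `post-up` would fail with an existing-route error and abort `ifup`. The preceding `post-up /sbin/ip -6 route add {{ eni_ipv6_gateway }} dev {{ eni_interface_name }}` is only needed when the gateway lies outside the address's prefix; a comment stating that assumption (the README only says a public IPv4 and IPv6 are expected) would explain why the line exists.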
@ -9,7 +9,11 @@
|
||||||
state: directory
|
state: directory
|
||||||
|
|
||||||
- name: set nginx serverstatus suffix if provided
|
- name: set nginx serverstatus suffix if provided
|
||||||
shell: "echo {{ nginx_serverstatus_suffix }} > {{ nginx_serverstatus_suffix_file }}"
|
copy:
|
||||||
|
dest: "{{ nginx_serverstatus_suffix_file }}"
|
||||||
|
# The last character "\u000A" is a line feed (LF), it's better to keep it
|
||||||
|
content: "{{ nginx_serverstatus_suffix }}\u000A"
|
||||||
|
force: yes
|
||||||
when: nginx_serverstatus_suffix != ""
|
when: nginx_serverstatus_suffix != ""
|
||||||
|
|
||||||
- name: generate random string for server-status suffix
|
- name: generate random string for server-status suffix
|
||||||
|
|
|
@ -8,5 +8,6 @@ packweb_apache_modphp: True
|
||||||
packweb_apache_fpm: False
|
packweb_apache_fpm: False
|
||||||
|
|
||||||
packweb_phpmyadmin_suffix: ""
|
packweb_phpmyadmin_suffix: ""
|
||||||
|
packweb_phpmyadmin_suffix_file: "/etc/evolinux/phpmyadmin_suffix"
|
||||||
|
|
||||||
packweb_mysql_variant: "debian"
|
packweb_mysql_variant: "debian"
|
||||||
|
|
|
@ -23,16 +23,40 @@
|
||||||
changed_when: "'Disabling' in command_result.stderr"
|
changed_when: "'Disabling' in command_result.stderr"
|
||||||
when: pma_default_config.stat.exists
|
when: pma_default_config.stat.exists
|
||||||
|
|
||||||
|
- name: "phpmyadmin suffix dirname '{{ packweb_phpmyadmin_suffix_file | dirname }}' exists"
|
||||||
|
file:
|
||||||
|
dest: "{{ packweb_phpmyadmin_suffix_file | dirname }}"
|
||||||
|
mode: "0700"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
state: directory
|
||||||
|
|
||||||
|
- name: set phpmyadmin suffix if provided
|
||||||
|
copy:
|
||||||
|
dest: "{{ packweb_phpmyadmin_suffix_file }}"
|
||||||
|
# The last character "\u000A" is a line feed (LF), it's better to keep it
|
||||||
|
content: "{{ packweb_phpmyadmin_suffix }}\u000A"
|
||||||
|
force: yes
|
||||||
|
when: packweb_phpmyadmin_suffix != ""
|
||||||
|
|
||||||
- name: generate random string for phpmyadmin suffix
|
- name: generate random string for phpmyadmin suffix
|
||||||
command: "apg -a 1 -M N -n 1"
|
shell: "apg -a 1 -M N -n 1 > {{ packweb_phpmyadmin_suffix_file }}"
|
||||||
|
args:
|
||||||
|
creates: "{{ packweb_phpmyadmin_suffix_file }}"
|
||||||
|
|
||||||
|
- name: read phpmyadmin suffix
|
||||||
|
command: "tail -n 1 {{ packweb_phpmyadmin_suffix_file }}"
|
||||||
changed_when: False
|
changed_when: False
|
||||||
check_mode: False
|
check_mode: no
|
||||||
register: _random_phpmyadmin_suffix
|
register: new_packweb_phpmyadmin_suffix
|
||||||
|
|
||||||
- name: overwrite packweb_phpmyadmin_suffix
|
- name: overwrite packweb_phpmyadmin_suffix
|
||||||
set_fact:
|
set_fact:
|
||||||
packweb_phpmyadmin_suffix: "{{ _random_phpmyadmin_suffix.stdout }}"
|
packweb_phpmyadmin_suffix: "{{ new_packweb_phpmyadmin_suffix.stdout }}"
|
||||||
when: packweb_phpmyadmin_suffix == ""
|
|
||||||
|
- debug:
|
||||||
|
var: packweb_phpmyadmin_suffix
|
||||||
|
verbosity: 1
|
||||||
|
|
||||||
- name: enable phpMyAdmin config
|
- name: enable phpMyAdmin config
|
||||||
blockinfile:
|
blockinfile:
|
||||||
|
|
|
@ -5,6 +5,7 @@ redis_conf_path: /etc/redis/redis.conf
|
||||||
redis_port: 6379
|
redis_port: 6379
|
||||||
redis_bind_interface: 127.0.0.1
|
redis_bind_interface: 127.0.0.1
|
||||||
redis_unixsocket: '/var/run/redis/redis.sock'
|
redis_unixsocket: '/var/run/redis/redis.sock'
|
||||||
|
redis_pidfile: "/var/run/redis/{{ redis_daemon }}.pid"
|
||||||
redis_timeout: 300
|
redis_timeout: 300
|
||||||
|
|
||||||
redis_password: NULL
|
redis_password: NULL
|
||||||
|
|
18
redis/files/redis-server@.service
Normal file
18
redis/files/redis-server@.service
Normal file
|
@ -0,0 +1,18 @@
|
||||||
|
[Unit]
|
||||||
|
Description=Advanced key-value store
|
||||||
|
After=network.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
ExecStartPre=/bin/mkdir -m 0755 -p /run/redis/%i
|
||||||
|
ExecStartPre=/bin/chown redis-%i: /run/redis/%i
|
||||||
|
PermissionsStartOnly=yes
|
||||||
|
|
||||||
|
Type=forking
|
||||||
|
ExecStart=/usr/bin/redis-server /etc/redis/redis-%i.conf --unixsocket /run/redis/%i/redis.sock --pidfile /run/redis/%i/redis-server.pid
|
||||||
|
ExecStop=/usr/bin/redis-cli -s /run/redis/%i/redis.sock shutdown
|
||||||
|
Restart=always
|
||||||
|
User=redis-%i
|
||||||
|
Group=redis-%i
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
|
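Review bot: `Type=forking` is used with `--pidfile /run/redis/%i/redis-server.pid` on the `ExecStart` line but no `PIDFile=` directive, so systemd has to guess the main PID after the fork; add `PIDFile=/run/redis/%i/redis-server.pid`. `ExecStop=/usr/bin/redis-cli -s /run/redis/%i/redis.sock shutdown` sends no authentication, so when `redis_password` (declared in the role defaults) sets `requirepass` the command is refused and the stop falls through to SIGTERM after the timeout; either drop `ExecStop` and let systemd signal the daemon or pass the credential from a non-world-readable source. It is also worth comparing with Debian's stock redis-server unit, which as far as I recall applies sandboxing directives such as `PrivateTmp`, `ProtectSystem`, `ProtectHome` and `NoNewPrivileges` that this instance template omits.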
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
- name: restart redis
|
- name: restart redis
|
||||||
service:
|
systemd:
|
||||||
name: "{{ redis_daemon }}"
|
name: "{{ redis_daemon }}"
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
||||||
|
|
75
redis/tasks/instances.yml
Normal file
75
redis/tasks/instances.yml
Normal file
|
@ -0,0 +1,75 @@
|
||||||
|
---
|
||||||
|
- name: Systemd template for redis instances is installed
|
||||||
|
copy:
|
||||||
|
src: 'redis-server@.service'
|
||||||
|
dest: '/etc/systemd/system/'
|
||||||
|
mode: "0644"
|
||||||
|
tags:
|
||||||
|
- redis
|
||||||
|
|
||||||
|
- name: Redis SysVinit script is stopped and disabled
|
||||||
|
service:
|
||||||
|
name: "redis-server"
|
||||||
|
enabled: no
|
||||||
|
state: stopped
|
||||||
|
tags:
|
||||||
|
- redis
|
||||||
|
|
||||||
|
- name: Set variables for the instance
|
||||||
|
set_fact:
|
||||||
|
redis_daemon: "redis-server@{{ redis_instance_name }}"
|
||||||
|
redis_conf_path: "/etc/redis/redis-{{ redis_instance_name }}.conf"
|
||||||
|
redis_unixsocket: "/var/run/redis/{{ redis_instance_name }}/redis.sock"
|
||||||
|
redis_pidfile: "/var/run/redis/{{ redis_instance_name }}/{{ redis_daemon }}.pid"
|
||||||
|
redis_logfile: "/var/log/redis/{{ redis_instance_name }}/redis-server.log"
|
||||||
|
redis_dbdir: "/var/lib/redis/{{ redis_instance_name }}"
|
||||||
|
tags:
|
||||||
|
- redis
|
||||||
|
|
||||||
|
- name: Redis instance configuration file is present.
|
||||||
|
template:
|
||||||
|
src: redis.conf.j2
|
||||||
|
dest: "{{ redis_conf_path }}"
|
||||||
|
mode: "0644"
|
||||||
|
tags:
|
||||||
|
- redis
|
||||||
|
|
||||||
|
- name: Redis instance group is present
|
||||||
|
group:
|
||||||
|
name: "redis-{{ redis_instance_name }}"
|
||||||
|
state: present
|
||||||
|
system: True
|
||||||
|
tags:
|
||||||
|
- redis
|
||||||
|
|
||||||
|
- name: Redis instance user is present
|
||||||
|
user:
|
||||||
|
name: "redis-{{ redis_instance_name }}"
|
||||||
|
group: "redis-{{ redis_instance_name }}"
|
||||||
|
state: present
|
||||||
|
system: True
|
||||||
|
shell: '/bin/falase'
|
||||||
|
tags:
|
||||||
|
- redis
|
||||||
|
|
||||||
|
- name: Instances directories are present
|
||||||
|
file:
|
||||||
|
dest: "{{ item }}"
|
||||||
|
state: directory
|
||||||
|
mode: "0755"
|
||||||
|
owner: "redis-{{ redis_instance_name }}"
|
||||||
|
group: "redis-{{ redis_instance_name }}"
|
||||||
|
with_items:
|
||||||
|
- "{{ redis_dbdir }}"
|
||||||
|
- "{{ redis_logfile | dirname }}"
|
||||||
|
tags:
|
||||||
|
- redis
|
||||||
|
|
||||||
|
- name: Redis systemd unit is enabled and started
|
||||||
|
systemd:
|
||||||
|
name: "{{ redis_daemon }}"
|
||||||
|
enabled: yes
|
||||||
|
state: started
|
||||||
|
daemon_reload: yes
|
||||||
|
tags:
|
||||||
|
- redis
|
|
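Review bot: `shell: '/bin/falase'` in the `Redis instance user is present` task is a typo for `/bin/false`; as written, `useradd` records a nonexistent shell. The `Redis instance configuration file is present.` task installs the instance config with `mode: "0644"` and no `notify`; if `redis_password` is set the `requirepass` line is world-readable, so `mode: "0640"`, `owner: root`, `group: "redis-{{ redis_instance_name }}"` are safer, and without `notify: restart redis` a config change never restarts the instance even though `redis_daemon` has just been pointed at it. The `Redis SysVinit script is stopped and disabled` task stops the default `redis-server` whenever any instance is configured; a comment stating that the multi-instance setup replaces the single daemon would document that side effect.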
@ -15,10 +15,17 @@
|
||||||
changed_when: false
|
changed_when: false
|
||||||
check_mode: no
|
check_mode: no
|
||||||
register: _redis_installed_version
|
register: _redis_installed_version
|
||||||
|
tags:
|
||||||
|
- redis
|
||||||
|
|
||||||
- set_fact:
|
- set_fact:
|
||||||
redis_installed_version: "{{ _redis_installed_version.stdout }}"
|
redis_installed_version: "{{ _redis_installed_version.stdout }}"
|
||||||
check_mode: no
|
check_mode: no
|
||||||
|
tags:
|
||||||
|
- redis
|
||||||
|
|
||||||
|
- include: instances.yml
|
||||||
|
when: redis_instance_name is defined
|
||||||
|
|
||||||
- name: Redis is configured.
|
- name: Redis is configured.
|
||||||
template:
|
template:
|
||||||
|
@ -26,14 +33,16 @@
|
||||||
dest: "{{ redis_conf_path }}"
|
dest: "{{ redis_conf_path }}"
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
notify: restart redis
|
notify: restart redis
|
||||||
|
when: redis_instance_name is not defined
|
||||||
tags:
|
tags:
|
||||||
- redis
|
- redis
|
||||||
|
|
||||||
- name: Redis is running and enabled on boot.
|
- name: Redis is running and enabled on boot.
|
||||||
service:
|
systemd:
|
||||||
name: "{{ redis_daemon }}"
|
name: "{{ redis_daemon }}"
|
||||||
enabled: yes
|
enabled: yes
|
||||||
state: started
|
state: started
|
||||||
|
when: redis_instance_name is not defined
|
||||||
tags:
|
tags:
|
||||||
- redis
|
- redis
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
daemonize yes
|
daemonize yes
|
||||||
pidfile /var/run/redis/{{ redis_daemon }}.pid
|
pidfile {{ redis_pidfile }}
|
||||||
port {{ redis_port }}
|
port {{ redis_port }}
|
||||||
bind {{ redis_bind_interface }}
|
bind {{ redis_bind_interface }}
|
||||||
|
|
||||||
|
|
|
@ -11,6 +11,7 @@ evoadminmail_scripts_dir: /usr/share/scripts/
|
||||||
evoadminmail_host: "evoadminmail.{{ ansible_fqdn }}"
|
evoadminmail_host: "evoadminmail.{{ ansible_fqdn }}"
|
||||||
|
|
||||||
evoadminmail_enable_vhost: True
|
evoadminmail_enable_vhost: True
|
||||||
|
evoadminmail_webserver: apache
|
||||||
|
|
||||||
evoadminmail_tpl_servername: "{{ ansible_fqdn }}"
|
evoadminmail_tpl_servername: "{{ ansible_fqdn }}"
|
||||||
evoadminmail_tpl_address: "{{ ansible_default_ipv4.address }}"
|
evoadminmail_tpl_address: "{{ ansible_default_ipv4.address }}"
|
||||||
|
|
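Review bot: The new `evoadminmail_webserver: apache` default is compared against the literal strings "apache" and "nginx" in tasks/main.yml, so any other value (a typo, a capitalised `Apache`) makes both includes skip silently with no vhost installed; the default should state the accepted values, e.g. `# Accepted values: "apache" or "nginx"` above it, and be quoted as `evoadminmail_webserver: "apache"` to match the quoted scalars around it. The same applies to `roundcube_webserver: apache` in the roundcube defaults hunk further down in this commit.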
14
webapps/evoadmin-mail/files/pool.evoadmin-mail.conf
Normal file
14
webapps/evoadmin-mail/files/pool.evoadmin-mail.conf
Normal file
|
@ -0,0 +1,14 @@
|
||||||
|
[evoadmin-mail]
|
||||||
|
|
||||||
|
user = www-evoadmin-mail
|
||||||
|
group = evoadmin-mail
|
||||||
|
|
||||||
|
listen = /run/php/php7.0-evoadmin-mail-fpm.sock
|
||||||
|
|
||||||
|
listen.owner = www-data
|
||||||
|
listen.group = www-data
|
||||||
|
;listen.mode = 0660
|
||||||
|
|
||||||
|
pm = ondemand
|
||||||
|
pm.max_children = 25
|
||||||
|
|
|
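Review bot: The socket path `/run/php/php7.0-evoadmin-mail-fpm.sock` pins PHP 7.0 in this pool and the same literal is repeated in tasks/nginx.yml (the `/etc/php/7.0/fpm/...` paths) and in the nginx vhost template's `fastcgi_pass`; a single variable for the PHP version or the socket path would keep the three in step when the version changes. `listen.mode` is left commented out, so the pool relies on php-fpm's default mode together with `listen.owner`/`listen.group = www-data`; a comment such as `; default listen.mode (0660) is intended: only www-data may connect` would record that intent. The nginx template in this change also exposes `/fpm-status` on this socket, but no `pm.status_path` is set here, so that location presumably does not serve anything until it is.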
@ -3,3 +3,13 @@
|
||||||
service:
|
service:
|
||||||
name: apache2
|
name: apache2
|
||||||
state: reloaded
|
state: reloaded
|
||||||
|
|
||||||
|
- name: reload nginx
|
||||||
|
service:
|
||||||
|
name: nginx
|
||||||
|
state: reloaded
|
||||||
|
|
||||||
|
- name: reload php-fpm
|
||||||
|
service:
|
||||||
|
name: php7.0-fpm
|
||||||
|
state: reload
|
||||||
|
|
|
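Review bot: `state: reload` on the new `reload php-fpm` handler is not a value the `service` module accepts; the `reload apache2` and `reload nginx` handlers in the same file use `state: reloaded`, and the php-fpm one should read `state: reloaded` as well, otherwise the handler errors the first time it is notified. The service name `php7.0-fpm` hardcodes the PHP version, as do the pool and ini paths elsewhere in this change; a shared variable would keep them consistent.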
@ -11,7 +11,7 @@
|
||||||
|
|
||||||
- name: Install evoadminmail VHost
|
- name: Install evoadminmail VHost
|
||||||
template:
|
template:
|
||||||
src: evoadminmail.conf.j2
|
src: apache_evoadminmail.conf.j2
|
||||||
dest: /etc/apache2/sites-available/evoadminmail.conf
|
dest: /etc/apache2/sites-available/evoadminmail.conf
|
||||||
notify: reload apache2
|
notify: reload apache2
|
||||||
|
|
|
@ -8,7 +8,11 @@
|
||||||
|
|
||||||
- include: ssl.yml
|
- include: ssl.yml
|
||||||
|
|
||||||
- include: web.yml
|
- include: apache.yml
|
||||||
|
when: evoadminmail_webserver == "apache"
|
||||||
|
|
||||||
|
- include: nginx.yml
|
||||||
|
when: evoadminmail_webserver == "nginx"
|
||||||
|
|
||||||
- name: enable evoadmin-mail link in default site index
|
- name: enable evoadmin-mail link in default site index
|
||||||
lineinfile:
|
lineinfile:
|
||||||
|
|
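Review bot: The two new conditional includes silently install no vhost at all when `evoadminmail_webserver` holds anything other than exactly "apache" or "nginx"; a guard placed before them would turn that into a visible failure, e.g. `- assert:` / `    that: evoadminmail_webserver in ["apache", "nginx"]` / `    msg: "evoadminmail_webserver must be apache or nginx"`. The enclosing task list continues outside the hunk on both sides.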
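--- /dev/null
+++ b/webapps/evoadmin-mail/tasks/nginx.yml
@@ -0,0 +1,35 @@
+---
+
+- name: "Set custom values for PHP config (Debian 9 or later)"
+ini_file:
+dest: /etc/php/7.0/fpm/conf.d/zzz-evolinux-custom.ini
+section: PHP
+option: "disable_functions"
+value: "shell-exec,system,passthru,putenv,popen,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority"
+notify: reload nginx
+when: ansible_distribution_major_version | version_compare('9', '>=')
+
+- name: Copy php-fpm evoadmin-mail pool
+copy:
+src: pool.evoadmin-mail.conf
+dest: /etc/php/7.0/fpm/pool.d/evoadmin-mail.conf
+notify: reload php-fpm
+
+- name: Install evoadminmail VHost
+template:
+src: nginx_evoadminmail.conf.j2
+dest: /etc/nginx/sites-available/evoadminmail.conf
+notify: reload nginx
+
+- name: Active evoadminmail VHost
+file:
+src: "/etc/nginx/sites-available/evoadminmail.conf"
+dest: "/etc/nginx/sites-enabled/evoadminmail.conf"
+state: link
+notify: reload nginx
+when: evoadminmail_enable_vhost
+
+- name: Disable evoadminmail vhost
+command: "unlink /etc/nginx/sites-enabled/evoadminmail.conf"
+notify: reload nginx
+when: not evoadminmail_enable_vhost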
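Review bot: `shell-exec` at the start of the `disable_functions` value in the first task is not a PHP function name (the function is `shell_exec`), so PHP ignores that entry and `shell_exec` stays callable from every FPM pool on the host; the value should begin `shell_exec,system,passthru,…`. The same task notifies `reload nginx`, but nginx never reads php.ini — the `reload php-fpm` handler added in this commit is the one that must run for the new ini value to take effect. In the last task `command: "unlink …"` fails on the second run once the symlink is gone; `file:` with `path: /etc/nginx/sites-enabled/evoadminmail.conf` and `state: absent` is idempotent and reports changes correctly.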
@ -29,6 +29,13 @@
|
||||||
createhome: no
|
createhome: no
|
||||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||||
|
|
||||||
|
- name: Add www-data to app's group
|
||||||
|
user:
|
||||||
|
name: 'www-data'
|
||||||
|
groups: "{{ evoadminmail_username }}"
|
||||||
|
append: yes
|
||||||
|
when: evoadminmail_webserver == "nginx"
|
||||||
|
|
||||||
- name: Install Git
|
- name: Install Git
|
||||||
apt:
|
apt:
|
||||||
name: git
|
name: git
|
||||||
|
|
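Review bot: `append: yes` in the new `Add www-data to app's group` task uses the YAML 1.1 truthy spelling, and the task mixes `name: 'www-data'` with `groups: "{{ evoadminmail_username }}"`; `append: true` and one quoting style would read consistently. A one-line comment on the `when:` saying why the membership is only needed for nginx — presumably because nginx runs as www-data and must read files owned by the application user, while the apache setup does not need this — would spare the next reader working it out from the pool and vhost files.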
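--- /dev/null
+++ b/webapps/evoadmin-mail/templates/nginx_evoadminmail.conf.j2
@@ -0,0 +1,56 @@
+server {
+listen [::]:80;
+listen 80;
+server_name {{ evoadminmail_host }};
+
+return 301 https://{{ evoadminmail_host }}$request_uri;
+}
+server {
+listen 443 ssl;
+# listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ssl_certificate /etc/ssl/certs/{{ evoadminmail_host }}.crt;
+ssl_certificate_key /etc/ssl/private/{{ evoadminmail_host }}.key;
+
+server_name {{ evoadminmail_host }};
+index index.php;
+
+access_log /var/log/nginx/access.log;
+error_log /var/log/nginx/error.log;
+
+root {{ evoadminmail_document_root }}/htdocs/;
+
+location / {
+index index.html index.htm;
+}
+
+location ~ \.php$ {
+fastcgi_pass unix:/run/php/php7.0-evoadmin-mail-fpm.sock;
+include fastcgi_params;
+fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+fastcgi_param DOCUMENT_ROOT $realpath_root;
+}
+
+location /fpm-status {
+fastcgi_pass unix:/run/php/php7.0-evoadmin-mail-fpm.sock;
+fastcgi_index index.php;
+include fastcgi_params;
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+allow 127.0.0.1;
+{% for ip in nginx_additional_ipaddr_whitelist_ips %}
+allow {{ ip }};
+{% endfor %}
+deny all;
+}
+
+location /nginx_status {
+stub_status on;
+access_log off;
+allow 127.0.0.1;
+{% for ip in nginx_additional_ipaddr_whitelist_ips %}
+allow {{ ip }};
+{% endfor %}
+deny all;
+}
+
+}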
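Review bot: The HTTP server block listens on `[::]:80` and redirects to HTTPS, but the HTTPS block only has `listen 443 ssl;`, so IPv6 clients are redirected to a port nothing listens on; add `listen [::]:443 ssl;` and drop the stale `# listen [::]:80 default_server ipv6only=on;` comment from that block. The `location ~ \.php$` block hands every matching URI to php-fpm without checking that the file exists; the roundcube template in this same commit guards its PHP location with `try_files $uri =404;`, which is the usual defence against a non-PHP upload being executed as PHP when `cgi.fix_pathinfo` is on, and the same line belongs here. The HTTPS block also sets no `ssl_protocols`/`ssl_ciphers`, so it inherits whatever the server-level nginx defaults are — either intended and worth a comment, or the settings should be shared with the roundcube template rather than diverging between the two.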
@ -4,3 +4,6 @@
|
||||||
service:
|
service:
|
||||||
name: apache2
|
name: apache2
|
||||||
state: reloaded
|
state: reloaded
|
||||||
|
|
||||||
|
- name: newaliases
|
||||||
|
command: newaliases
|
||||||
|
|
|
@ -24,6 +24,23 @@
|
||||||
name: www-evoadmin
|
name: www-evoadmin
|
||||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||||
|
|
||||||
|
- name: Is /etc/aliases present?
|
||||||
|
stat:
|
||||||
|
path: /etc/aliases
|
||||||
|
register: etc_aliases
|
||||||
|
|
||||||
|
- name: Set evoadmin aliases
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/aliases
|
||||||
|
line: "{{ item.line }}"
|
||||||
|
regexp: "{{ item.regexp }}"
|
||||||
|
state: present
|
||||||
|
with_items:
|
||||||
|
- { line: 'evoadmin: root', regexp: '^evoadmin:'}
|
||||||
|
- { line: 'www-evoadmin: root', regexp: '^www-evoadmin:'}
|
||||||
|
notify: "newaliases"
|
||||||
|
when: etc_aliases.stat.exists
|
||||||
|
|
||||||
- name: Git is needed to clone the evoadmin repository
|
- name: Git is needed to clone the evoadmin repository
|
||||||
apt:
|
apt:
|
||||||
name: git
|
name: git
|
||||||
|
@ -75,7 +92,7 @@
|
||||||
args:
|
args:
|
||||||
creates: "{{ evoadmin_scripts_dir }}/web-add.sh"
|
creates: "{{ evoadmin_scripts_dir }}/web-add.sh"
|
||||||
|
|
||||||
# we use a shell command to have a "changed" thet really reflects the result.
|
# we use a shell command to have a "changed" that really reflects the result.
|
||||||
- name: Fix permissions
|
- name: Fix permissions
|
||||||
command: "chmod -R --verbose u=rwX,g=rX,o= {{ evoadmin_document_root }}"
|
command: "chmod -R --verbose u=rwX,g=rX,o= {{ evoadmin_document_root }}"
|
||||||
register: command_result
|
register: command_result
|
||||||
|
|
|
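Review bot: The `with_items` entries in the `Set evoadmin aliases` task of the first hunk are flow mappings with no space before the closing brace (`regexp: '^evoadmin:'}`), which yamllint's `braces` rule flags and which reads unevenly against the space after `{`; `- { line: 'evoadmin: root', regexp: '^evoadmin:' }` is the conventional spacing. The `stat`/`when: etc_aliases.stat.exists` pair is sound, but a short comment above the stat task — `# /etc/aliases only exists once an MTA is installed; skip the aliases otherwise` — would explain why the presence check is needed at all.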
@ -1,4 +1,5 @@
|
||||||
---
|
---
|
||||||
roundcube_host: "roundcube.{{ ansible_fqdn }}"
|
roundcube_host: "roundcube.{{ ansible_fqdn }}"
|
||||||
|
roundcube_webserver: apache
|
||||||
roundcube_imap_host: "localhost"
|
roundcube_imap_host: "localhost"
|
||||||
roundcube_imap_port: 143
|
roundcube_imap_port: 143
|
||||||
|
|
|
@ -3,3 +3,13 @@
|
||||||
systemd:
|
systemd:
|
||||||
name: imapproxy
|
name: imapproxy
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
||||||
|
- name: reload apache2
|
||||||
|
service:
|
||||||
|
name: apache2
|
||||||
|
state: reloaded
|
||||||
|
|
||||||
|
- name: reload nginx
|
||||||
|
service:
|
||||||
|
name: nginx
|
||||||
|
state: reloaded
|
||||||
|
|
|
@ -85,24 +85,41 @@
|
||||||
tags:
|
tags:
|
||||||
- roundcube
|
- roundcube
|
||||||
|
|
||||||
- name: deploy roundcube vhost
|
- name: deploy apache roundcube vhost
|
||||||
template:
|
template:
|
||||||
src: apache2.conf.j2
|
src: apache2.conf.j2
|
||||||
dest: /etc/apache2/sites-available/rouncube.conf
|
dest: /etc/apache2/sites-available/rouncube.conf
|
||||||
mode: "0640"
|
mode: "0640"
|
||||||
notify: reload apache2
|
notify: reload apache2
|
||||||
|
when: roundcube_webserver == "apache"
|
||||||
tags:
|
tags:
|
||||||
- roundcube
|
- roundcube
|
||||||
|
|
||||||
- name: enable roundcube vhost
|
- name: enable apache roundcube vhost
|
||||||
file:
|
file:
|
||||||
src: /etc/apache2/sites-available/rouncube.conf
|
src: /etc/apache2/sites-available/rouncube.conf
|
||||||
dest: /etc/apache2/sites-enabled/rouncube.conf
|
dest: /etc/apache2/sites-enabled/rouncube.conf
|
||||||
state: link
|
state: link
|
||||||
notify: reload apache2
|
notify: reload apache2
|
||||||
|
when: roundcube_webserver == "apache"
|
||||||
tags:
|
tags:
|
||||||
- roundcube
|
- roundcube
|
||||||
|
|
||||||
|
- name: deploy Nginx roundcube vhost
|
||||||
|
template:
|
||||||
|
src: nginx.conf.j2
|
||||||
|
dest: /etc/nginx/sites-available/rouncube.conf
|
||||||
|
when: roundcube_webserver == "nginx"
|
||||||
|
notify: reload nginx
|
||||||
|
|
||||||
|
- name: enable Nginx roundcube vhost
|
||||||
|
file:
|
||||||
|
src: "/etc/nginx/sites-available/rouncube.conf"
|
||||||
|
dest: "/etc/nginx/sites-enabled/rouncube.conf"
|
||||||
|
state: link
|
||||||
|
when: roundcube_webserver == "nginx"
|
||||||
|
notify: reload nginx
|
||||||
|
|
||||||
- name: enable roundcube link in default site index
|
- name: enable roundcube link in default site index
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: /var/www/index.html
|
dest: /var/www/index.html
|
||||||
|
|
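Review bot: The two new Nginx tasks (`deploy Nginx roundcube vhost`, `enable Nginx roundcube vhost`) carry no `tags: - roundcube`, unlike every other task visible in this file, so a run limited with `--tags roundcube` would skip them. The new template task also lacks the `mode: "0640"` that the apache counterpart sets on the rendered vhost. Both new tasks reuse the existing `rouncube.conf` filename, which keeps them consistent with the apache paths but carries the misspelling into a new path.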
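--- /dev/null
+++ b/webapps/roundcube/templates/nginx.conf.j2
@@ -0,0 +1,49 @@
+server {
+listen 80;
+server_name {{ roundcube_host }};
+return 301 https://{{ roundcube_host }}$request_uri;
+}
+
+server {
+listen 443 ssl;
+server_name {{ roundcube_host }};
+access_log /var/log/nginx/.{{ roundcube_host }}.access.log;
+error_log /var/log/nginx/.{{ roundcube_host }}.error.log;
+
+root /var/lib/roundcube/;
+index index.php;
+
+location / {
+try_files $uri $uri/ /index.php?q=$uri&$args;
+}
+
+location ~ ^/(README.md|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
+deny all;
+}
+
+location ~ ^/(config|temp|logs)/ {
+deny all;
+}
+
+location ~ /\. {
+deny all;
+access_log off;
+log_not_found off;
+}
+
+location ~ \.php$ {
+try_files $uri =404;
+fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
+fastcgi_index index.php;
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+include fastcgi_params;
+}
+ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+ssl_prefer_server_ciphers On;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
+ssl_session_cache shared:SSL:20m;
+ssl_session_timeout 10m;
+add_header Strict-Transport-Security "max-age=31536000";
+}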
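Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` and the `ECDH+3DES:DH+3DES:RSA+3DES` members of `ssl_ciphers` keep deprecated protocol versions and a 64-bit-block cipher enabled on a webmail login page; `ssl_protocols TLSv1.2;` and a cipher string without the three 3DES entries would match the "stronger TLS configuration" this release advertises for dovecot. The certificate is hardcoded to `ssl-cert-snakeoil.pem`/`.key` while the evoadminmail template in the same commit uses `/etc/ssl/certs/{{ evoadminmail_host }}.crt`; a `roundcube_ssl_certificate`-style variable defaulting to the snakeoil pair would let operators install a real certificate without editing the template, which matters because `Strict-Transport-Security` is sent unconditionally. Unlike the evoadminmail template, neither server block has an `[::]` listen, so this vhost is IPv4-only — worth a comment if that is intended.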