
Merge branch 'unstable' into stable

tags/10.2.0
Jérémy Lecour 1 month ago
committed by Jérémy Lecour
parent
commit
f717c31acc
16 changed files with 56 additions and 19 deletions
  1. +22
    -0
      CHANGELOG.md
  2. +4
    -0
      amazon-ec2/defaults/main.yml
  3. +1
    -1
      certbot/files/cron_jessie
  4. +1
    -1
      certbot/files/hooks/z-commit-etc.sh
  5. +1
    -1
      evoacme/meta/main.yml
  6. +6
    -4
      evoacme/tasks/main.yml
  7. +6
    -2
      evoacme/tasks/scripts.yml
  8. +2
    -1
      evolinux-base/defaults/main.yml
  9. +3
    -3
      evolinux-base/tasks/kernel.yml
  10. +1
    -0
      evolinux-base/tasks/packages.yml
  11. +1
    -1
      fail2ban/templates/jail.local.j2
  12. +1
    -1
      minifirewall/defaults/main.yml
  13. +1
    -1
      minifirewall/files/minifirewall.conf
  14. +1
    -1
      proftpd/defaults/main.yml
  15. +3
    -0
      tomcat/defaults/main.yml
  16. +2
    -2
      tomcat/tasks/packages.yml

+ 22
- 0
CHANGELOG.md View File

@@ -20,6 +20,28 @@ The **patch** part changes incrementally at each release.

### Security

## [10.2.0] 2020-09-17

### Added

* evoacme: remount /usr if necessary
* evolinux-base: swappiness is customizable
* evolinux-base: install wget
* tomcat: root directory owner/group are configurable

### Changed

* Change default public SSH/SFTP port from 2222 to 22222

### Fixed

* certbot: an empty change shouldn't raise an exception
* certbot: fix "no-self-upgrade" option

### Removed

* evoacme: remove Debian 9 support

## [10.1.0] 2020-08-21

### Added


+ 4
- 0
amazon-ec2/defaults/main.yml View File

@@ -122,6 +122,10 @@ ec2_evolinux_security_group:
from_port: 2222
to_port: 2222
cidr_ip: 0.0.0.0/0
- proto: tcp
from_port: 22222
to_port: 22222
cidr_ip: 0.0.0.0/0
- proto: tcp
from_port: 2223
to_port: 2223
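Review bot: The new ingress rule for 22222 is added next to the existing 2222 rule instead of replacing it, so the port move in this release does not reduce the instance's exposure: both ports stay open to `cidr_ip: 0.0.0.0/0`. The minifirewall and proftpd defaults in this same commit drop 2222, so the 2222 entry here looks like a leftover; remove it, or if it is kept deliberately for hosts that override `proftpd_sftp_port`, narrow it to an administrative CIDR and add a comment saying so. The `ec2_evolinux_security_group` mapping starts before this hunk, so a justification may exist above that I cannot see.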


+ 1
- 1
certbot/files/cron_jessie View File

@@ -8,4 +8,4 @@
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/local/bin/certbot && perl -e 'sleep int(rand(3600))' && /usr/local/bin/certbot --no-self-update -q renew
0 */12 * * * root test -x /usr/local/bin/certbot && perl -e 'sleep int(rand(3600))' && /usr/local/bin/certbot --no-self-upgrade -q renew

+ 1
- 1
certbot/files/hooks/z-commit-etc.sh View File

@@ -22,7 +22,7 @@ main() {
message="[letsencrypt] certificates renewal (${RENEWED_DOMAINS})"
${git_bin} commit --message "${message}" --quiet
else
error "Weird, nothing has changed but the hook has been executed for '${RENEWED_DOMAINS}'"
debug "Weird, nothing has changed but the hook has been executed for '${RENEWED_DOMAINS}'"
fi
fi
}


+ 1
- 1
evoacme/meta/main.yml View File

@@ -11,8 +11,8 @@ galaxy_info:
platforms:
- name: Debian
versions:
- jessie
- stretch
- buster

dependencies: []
# List your role dependencies here, one per line.


+ 6
- 4
evoacme/tasks/main.yml View File

@@ -1,9 +1,11 @@
---

- fail:
msg: only compatible with Debian >= 8
when:
- ansible_distribution != "Debian" or ansible_distribution_major_version is version('8', '<')
- name: Verify Debian version
assert:
that:
- ansible_distribution == "Debian"
- ansible_distribution_major_version is version('9', '>=')
msg: only compatible with Debian >= 9

- include: certbot.yml
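Review bot: The new assertion requires Debian >= 9 and meta/main.yml drops jessie, but the CHANGELOG entry added in this same commit reads "evoacme: remove Debian 9 support"; the code says it is Debian 8 that was dropped, so the changelog line is the one to correct. A short comment above the task would also keep the two from drifting again, e.g. `# evoacme relies on certbot packaging that only exists from stretch (Debian 9) on`, adjusted to the actual reason. While touching this file, the bare `include: certbot.yml` that follows is the deprecated form; `import_tasks` or `include_tasks` is the current one.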



+ 6
- 2
evoacme/tasks/scripts.yml View File

@@ -1,4 +1,8 @@
---

- include_role:
name: evolix/remount-usr

- name: Create CSR dir
file:
path: "{{ evoacme_csr_dir }}"
@@ -36,5 +40,5 @@
path: "/usr/local/bin/{{ item }}"
state: absent
with_items:
- 'make-csr'
- 'evoacme'
- 'make-csr'
- 'evoacme'
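Review bot: The `include_role` of `evolix/remount-usr` added at the top of the file has no `name:` and runs unconditionally, and nothing in this file remounts /usr read-only once the scripts under `/usr/local/bin` have been written. If the remount role restores the mount through a handler that is fine, but it is not visible here; otherwise every run leaves /usr writable, which defeats the read-only mount the role presumably exists to respect. Suggest `- name: Make /usr writable to install evoacme scripts` on the include, plus either a matching restore step at the end of the file or a comment stating that `remount-usr` handles the restore itself.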

+ 2
- 1
evolinux-base/defaults/main.yml View File

@@ -50,7 +50,8 @@ evolinux_kernel_include: True

evolinux_kernel_reboot_after_panic: True
evolinux_kernel_disable_tcp_timestamps: True
evolinux_kernel_reduce_swapiness: True
evolinux_kernel_customize_swappiness: True
evolinux_kernel_swappiness: 20
evolinux_kernel_cve20165696: True

# fstab
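Review bot: Renaming `evolinux_kernel_reduce_swapiness` to `evolinux_kernel_customize_swappiness` silently breaks existing inventories: a host that set the old name to `False` to opt out now falls back to the new default `True` and gets `vm.swappiness` set to 20, and the CHANGELOG lists the feature under Added without mentioning the rename under Changed. Either keep the old name as a compatibility alias, `evolinux_kernel_customize_swappiness: "{{ evolinux_kernel_reduce_swapiness | default(True) }}"`, or record the rename in the Changed section so operators know to grep for it. A comment on the new value would help too, e.g. `# vm.swappiness; the usual accepted range is 0-100`.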


+ 3
- 3
evolinux-base/tasks/kernel.yml View File

@@ -32,14 +32,14 @@
reload: yes
when: evolinux_kernel_disable_tcp_timestamps

- name: Reduce the swapiness
- name: Customize the swappiness
sysctl:
name: vm.swappiness
value: 20
value: "{{ evolinux_kernel_swappiness }}"
sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
state: present
reload: yes
when: evolinux_kernel_reduce_swapiness
when: evolinux_kernel_customize_swappiness

- name: Patch for TCP stack vulnerability CVE-2016-5696
sysctl:
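Review bot: `value: "{{ evolinux_kernel_swappiness }}"` is passed to the sysctl module without any validation, so a typo in an inventory override (negative, out of range, or non-numeric) only surfaces as a runtime failure on the host when the kernel rejects the write. Now that the value is configurable, a guard before the task catches bad data at the start of the play; note that `| int` alone is not enough because it turns non-numeric input into 0. The `Patch for TCP stack vulnerability CVE-2016-5696` task that follows is cut off by the hunk and is untouched.

```yaml
- name: Validate swappiness value
  assert:
    that:
      - evolinux_kernel_swappiness | string is match('^[0-9]+$')
      - evolinux_kernel_swappiness | int <= 100
    msg: evolinux_kernel_swappiness must be an integer in the usual 0-100 range
  when: evolinux_kernel_customize_swappiness

# … unchanged: Customize the swappiness task …
```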


+ 1
- 0
evolinux-base/tasks/packages.yml View File

@@ -30,6 +30,7 @@
- tcpdump
- mtr-tiny
- curl
- wget
- telnet
- traceroute
- man


+ 1
- 1
fail2ban/templates/jail.local.j2 View File

@@ -28,7 +28,7 @@ action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(proto
action = %(action_mwl)s

[sshd]
port = ssh,2222
port = ssh,2222,22222
logpath = %(sshd_log)s
backend = %(sshd_backend)s
maxretry = 10
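Review bot: The `[sshd]` jail's port list is hard-coded in the template as `ssh,2222,22222`, while the port it is meant to cover is a variable elsewhere (`proftpd_sftp_port` in the proftpd role, and the `minifirewall_public_ports_tcp` list), so the three will drift the next time the port moves. For the multiport ban actions `port=` scopes what a banned address is blocked from, so a listening port missing from this list stays reachable by a banned IP even though the jail fired. Consider driving it from a role variable, e.g. `port = ssh,{{ fail2ban_sshd_ports | default('2222,22222') }}`, or at least a template comment naming the other two places that must be kept in sync.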


+ 1
- 1
minifirewall/defaults/main.yml View File

@@ -19,7 +19,7 @@ minifirewall_privilegied_ips: []

minifirewall_protected_ports_tcp: [22]
minifirewall_protected_ports_udp: []
minifirewall_public_ports_tcp: [25, 53, 443, 993, 995, 2222]
minifirewall_public_ports_tcp: [25, 53, 443, 993, 995, 22222]
minifirewall_public_ports_udp: [53]
minifirewall_semipublic_ports_tcp: [20, 21, 22, 80, 110, 143]
minifirewall_semipublic_ports_udp: []
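Review bot: Dropping 2222 from `minifirewall_public_ports_tcp` while `proftpd_sftp_port` lives in another role's defaults means a host that keeps or overrides the SFTP port to 2222 now has it silently firewalled unless it also overrides this list; nothing links the two. Because this is a lockout risk on upgrade, a comment here naming the coupled settings would help, e.g. `# 22222 is the default SFTP port; keep in sync with proftpd_sftp_port and the fail2ban sshd jail`, and the CHANGELOG entry could mention that hosts overriding the SFTP port must override this list as well.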


+ 1
- 1
minifirewall/files/minifirewall.conf View File

@@ -29,7 +29,7 @@ SERVICESTCP1p='22'
SERVICESUDP1p=''

# Public services (IPv4/IPv6)
SERVICESTCP1='25 53 443 993 995 2222'
SERVICESTCP1='25 53 443 993 995 22222'
SERVICESUDP1='53'

# Semi-public services (IPv4)
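Review bot: `SERVICESTCP1` in this static file duplicates `minifirewall_public_ports_tcp` from defaults/main.yml and had to be edited by hand in the same commit, with no mechanism keeping the two equal. A one-line comment above the variable, `# keep in sync with minifirewall_public_ports_tcp in defaults/main.yml`, makes the coupling visible; rendering this file from the role variable (if it is not already a template somewhere I cannot see) would remove the duplication entirely.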


+ 1
- 1
proftpd/defaults/main.yml View File

@@ -9,6 +9,6 @@ proftpd_ftps_port: 990
proftpd_ftps_cert: "/etc/ssl/certs/ssl-cert-snakeoil.pem"
proftpd_ftps_key: "/etc/ssl/private/ssl-cert-snakeoil.key"
proftpd_sftp_enable: False
proftpd_sftp_port: 2222
proftpd_sftp_port: 22222
proftpd_accounts: []
proftpd_accounts_final: []

+ 3
- 0
tomcat/defaults/main.yml View File

@@ -1,2 +1,5 @@
---
tomcat_instance_root: '/srv/tomcat'

tomcat_root_dir_owner: root
tomcat_root_dir_group: root

+ 2
- 2
tomcat/tasks/packages.yml View File

@@ -33,8 +33,8 @@
file:
path: "{{ tomcat_instance_root }}"
state: directory
owner: 'root'
group: 'root'
owner: "{{ tomcat_root_dir_owner | default('root') }}"
group: "{{ tomcat_root_dir_group | default('root') }}"
mode: "0755"

- name: Copy systemd unit
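Review bot: The `| default('root')` on the new owner and group lines is redundant with the defaults added in `tomcat/defaults/main.yml` and does not guard what it appears to guard: `default()` only fires when the variable is undefined, so an empty override still reaches the `file` module. If a fallback for empty values is wanted use `default('root', true)`; otherwise drop the filter and rely on the role default. Separately, the directory keeps `mode: "0755"`, so pointing `tomcat_root_dir_owner` at the service account makes the instance root writable by Tomcat itself, and a compromised webapp could then drop files there; that trade-off deserves a comment next to the variable in defaults, e.g. `# setting this to the tomcat user lets the service write to its own root; keep root unless required`.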

