Merge branch 'unstable' into stable

CHANGELOG.md

@@ -20,6 +20,28 @@ The **patch** part changes incrementally at each release.
 
 ### Security
 
+## [10.2.0] 2020-09-17
+
+### Added
+
+* evoacme: remount /usr if necessary
+* evolinux-base: swappiness is customizable
+* evolinux-base: install wget
+* tomcat: root directory owner/group are configurable
+
+### Changed
+
+* Change default public SSH/SFTP port from 2222 to 22222
+
+### Fixed
+
+* certbot: an empty change shouldn't raise an exception
+* certbot: fix "no-self-upgrade" option
+
+### Removed
+
+* evoacme: remove Debian 9 support
+
 ## [10.1.0] 2020-08-21
 
 ### Added

amazon-ec2/defaults/main.yml

@@ -122,6 +122,10 @@ ec2_evolinux_security_group:
       from_port: 2222
       to_port: 2222
       cidr_ip: 0.0.0.0/0
+    - proto: tcp
+      from_port: 22222
+      to_port: 22222
+      cidr_ip: 0.0.0.0/0
     - proto: tcp
       from_port: 2223
       to_port: 2223

certbot/files/cron_jessie

@@ -8,4 +8,4 @@
 SHELL=/bin/sh
 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 
-0 */12 * * * root test -x /usr/local/bin/certbot && perl -e 'sleep int(rand(3600))' && /usr/local/bin/certbot --no-self-update -q renew
+0 */12 * * * root test -x /usr/local/bin/certbot && perl -e 'sleep int(rand(3600))' && /usr/local/bin/certbot --no-self-upgrade -q renew

certbot/files/hooks/z-commit-etc.sh

@@ -22,7 +22,7 @@ main() {
           message="[letsencrypt] certificates renewal (${RENEWED_DOMAINS})"
           ${git_bin} commit --message "${message}" --quiet
       else
-          error "Weird, nothing has changed but the hook has been executed for '${RENEWED_DOMAINS}'"
+          debug "Weird, nothing has changed but the hook has been executed for '${RENEWED_DOMAINS}'"
       fi
     fi
 }

evoacme/meta/main.yml

@@ -11,8 +11,8 @@ galaxy_info:
   platforms:
   - name: Debian
     versions:
-    - jessie
     - stretch
+    - buster
 
 dependencies: []
   # List your role dependencies here, one per line.

evoacme/tasks/main.yml

@@ -1,9 +1,11 @@
 ---
 
-- fail:
-    msg: only compatible with Debian >= 8
-  when:
-  - ansible_distribution != "Debian" or ansible_distribution_major_version is version('8', '<')
+- name: Verify Debian version
+  assert:
+    that:
+      - ansible_distribution == "Debian"
+      - ansible_distribution_major_version is version('9', '>=')
+    msg: only compatible with Debian >= 9
 
 - include: certbot.yml
 

evoacme/tasks/scripts.yml

@@ -1,4 +1,8 @@
 ---
+
+- include_role:
+    name: evolix/remount-usr
+
 - name: Create CSR dir
   file:
     path: "{{ evoacme_csr_dir }}"
@@ -36,5 +40,5 @@
     path: "/usr/local/bin/{{ item }}"
     state: absent
   with_items:
-  - 'make-csr'
-  - 'evoacme'
+    - 'make-csr'
+    - 'evoacme'

evolinux-base/defaults/main.yml

@@ -50,7 +50,8 @@ evolinux_kernel_include: True
 
 evolinux_kernel_reboot_after_panic: True
 evolinux_kernel_disable_tcp_timestamps: True
-evolinux_kernel_reduce_swapiness: True
+evolinux_kernel_customize_swappiness: True
+evolinux_kernel_swappiness: 20
 evolinux_kernel_cve20165696: True
 
 # fstab

evolinux-base/tasks/kernel.yml

@@ -32,14 +32,14 @@
     reload: yes
   when: evolinux_kernel_disable_tcp_timestamps
 
-- name: Reduce the swapiness
+- name: Customize the swappiness
   sysctl:
     name: vm.swappiness
-    value: 20
+    value: "{{ evolinux_kernel_swappiness }}"
     sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
     state: present
     reload: yes
-  when: evolinux_kernel_reduce_swapiness
+  when: evolinux_kernel_customize_swappiness
 
 - name: Patch for TCP stack vulnerability CVE-2016-5696
   sysctl:

evolinux-base/tasks/packages.yml

@@ -30,6 +30,7 @@
       - tcpdump
       - mtr-tiny
       - curl
+      - wget
       - telnet
       - traceroute
       - man

fail2ban/templates/jail.local.j2

@@ -28,7 +28,7 @@ action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(proto
 action = %(action_mwl)s
 
 [sshd]
-port    = ssh,2222
+port    = ssh,2222,22222
 logpath = %(sshd_log)s
 backend = %(sshd_backend)s
 maxretry = 10

minifirewall/defaults/main.yml

@@ -19,7 +19,7 @@ minifirewall_privilegied_ips: []
 
 minifirewall_protected_ports_tcp: [22]
 minifirewall_protected_ports_udp: []
-minifirewall_public_ports_tcp: [25, 53, 443, 993, 995, 2222]
+minifirewall_public_ports_tcp: [25, 53, 443, 993, 995, 22222]
 minifirewall_public_ports_udp: [53]
 minifirewall_semipublic_ports_tcp: [20, 21, 22, 80, 110, 143]
 minifirewall_semipublic_ports_udp: []

minifirewall/files/minifirewall.conf

@@ -29,7 +29,7 @@ SERVICESTCP1p='22'
 SERVICESUDP1p=''
 
 # Public services (IPv4/IPv6)
-SERVICESTCP1='25 53 443 993 995 2222'
+SERVICESTCP1='25 53 443 993 995 22222'
 SERVICESUDP1='53'
 
 # Semi-public services (IPv4)

proftpd/defaults/main.yml

@@ -9,6 +9,6 @@ proftpd_ftps_port: 990
 proftpd_ftps_cert: "/etc/ssl/certs/ssl-cert-snakeoil.pem"
 proftpd_ftps_key: "/etc/ssl/private/ssl-cert-snakeoil.key"
 proftpd_sftp_enable: False
-proftpd_sftp_port: 2222
+proftpd_sftp_port: 22222
 proftpd_accounts: []
 proftpd_accounts_final: []

tomcat/defaults/main.yml

@@ -1,2 +1,5 @@
 ---
 tomcat_instance_root: '/srv/tomcat'
+
+tomcat_root_dir_owner: root
+tomcat_root_dir_group: root

tomcat/tasks/packages.yml

@@ -33,8 +33,8 @@
   file:
     path: "{{ tomcat_instance_root }}"
     state: directory
-    owner: 'root'
-    group: 'root'
+    owner: "{{ tomcat_root_dir_owner | default('root') }}"
+    group: "{{ tomcat_root_dir_group | default('root') }}"
     mode: "0755"
 
 - name: Copy systemd unit