Merge branch 'unstable' into stable
commit
f717c31acc
22
CHANGELOG.md
22
CHANGELOG.md
|
@ -20,6 +20,28 @@ The **patch** part changes incrementally at each release.
|
||||||
|
|
||||||
### Security
|
### Security
|
||||||
|
|
||||||
|
## [10.2.0] 2020-09-17
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
* evoacme: remount /usr if necessary
|
||||||
|
* evolinux-base: swappiness is customizable
|
||||||
|
* evolinux-base: install wget
|
||||||
|
* tomcat: root directory owner/group are configurable
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
|
||||||
|
* Change default public SSH/SFTP port from 2222 to 22222
|
||||||
|
|
||||||
|
### Fixed
|
||||||
|
|
||||||
|
* certbot: an empty change shouldn't raise an exception
|
||||||
|
* certbot: fix "no-self-upgrade" option
|
||||||
|
|
||||||
|
### Removed
|
||||||
|
|
||||||
|
* evoacme: remove Debian 9 support
|
||||||
|
|
||||||
## [10.1.0] 2020-08-21
|
## [10.1.0] 2020-08-21
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
|
@ -122,6 +122,10 @@ ec2_evolinux_security_group:
|
||||||
from_port: 2222
|
from_port: 2222
|
||||||
to_port: 2222
|
to_port: 2222
|
||||||
cidr_ip: 0.0.0.0/0
|
cidr_ip: 0.0.0.0/0
|
||||||
|
- proto: tcp
|
||||||
|
from_port: 22222
|
||||||
|
to_port: 22222
|
||||||
|
cidr_ip: 0.0.0.0/0
|
||||||
- proto: tcp
|
- proto: tcp
|
||||||
from_port: 2223
|
from_port: 2223
|
||||||
to_port: 2223
|
to_port: 2223
|
||||||
|
|
|
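Review bot: The new rule (`- proto: tcp` / `from_port: 22222` / `to_port: 22222` / `cidr_ip: 0.0.0.0/0`) is appended while the existing 2222 rule stays, so both ports remain open to the whole internet after the default moves to 22222. If keeping 2222 is a deliberate migration window, a comment on the old entry saying so and when it can go would stop it becoming permanent, e.g. `# legacy SSH/SFTP port kept during the 2222 -> 22222 migration; remove once all hosts have moved`. The fail2ban jail hunk further down keeps 2222 the same way (`port = ssh,2222,22222`), which is consistent with a transition period. The `ec2_evolinux_security_group` mapping begins outside this hunk.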
@ -8,4 +8,4 @@
|
||||||
SHELL=/bin/sh
|
SHELL=/bin/sh
|
||||||
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
|
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
|
||||||
|
|
||||||
0 */12 * * * root test -x /usr/local/bin/certbot && perl -e 'sleep int(rand(3600))' && /usr/local/bin/certbot --no-self-update -q renew
|
0 */12 * * * root test -x /usr/local/bin/certbot && perl -e 'sleep int(rand(3600))' && /usr/local/bin/certbot --no-self-upgrade -q renew
|
||||||
|
|
|
@ -22,7 +22,7 @@ main() {
|
||||||
message="[letsencrypt] certificates renewal (${RENEWED_DOMAINS})"
|
message="[letsencrypt] certificates renewal (${RENEWED_DOMAINS})"
|
||||||
${git_bin} commit --message "${message}" --quiet
|
${git_bin} commit --message "${message}" --quiet
|
||||||
else
|
else
|
||||||
error "Weird, nothing has changed but the hook has been executed for '${RENEWED_DOMAINS}'"
|
debug "Weird, nothing has changed but the hook has been executed for '${RENEWED_DOMAINS}'"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
|
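Review bot: Downgrading the `else` branch message from `error` to `debug` makes the "nothing has changed but the hook has been executed" case invisible in normal runs, even though a deploy hook firing with no tracked file changing can also mean the hook is watching the wrong directory or the work tree is stale. If the condition is expected (the CHANGELOG entry in this commit says an empty change should not raise), a comment above the `debug` line would make that explicit, e.g. `# Not an error: an unchanged work tree after a renewal is a known case (CHANGELOG 10.2.0)`; otherwise a warning-level message would be the middle ground, provided the script has one. `main()` starts and ends outside this hunk.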
@ -11,8 +11,8 @@ galaxy_info:
|
||||||
platforms:
|
platforms:
|
||||||
- name: Debian
|
- name: Debian
|
||||||
versions:
|
versions:
|
||||||
- jessie
|
|
||||||
- stretch
|
- stretch
|
||||||
|
- buster
|
||||||
|
|
||||||
dependencies: []
|
dependencies: []
|
||||||
# List your role dependencies here, one per line.
|
# List your role dependencies here, one per line.
|
||||||
|
|
|
@ -1,9 +1,11 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- fail:
|
- name: Verify Debian version
|
||||||
msg: only compatible with Debian >= 8
|
assert:
|
||||||
when:
|
that:
|
||||||
- ansible_distribution != "Debian" or ansible_distribution_major_version is version('8', '<')
|
- ansible_distribution == "Debian"
|
||||||
|
- ansible_distribution_major_version is version('9', '>=')
|
||||||
|
msg: only compatible with Debian >= 9
|
||||||
|
|
||||||
- include: certbot.yml
|
- include: certbot.yml
|
||||||
|
|
||||||
|
|
|
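Review bot: The rewritten check raises the minimum supported release from Debian 8 (`version('8', '<')` in the removed `fail` task) to Debian 9 (`version('9', '>=')`), but the CHANGELOG hunk at the top of this commit only records `evoacme: remove Debian 9 support` under Removed. Assuming this `main.yml` belongs to the certbot role, as the `- include: certbot.yml` line suggests, the drop of Debian 8 should get its own entry, e.g. `* certbot: remove Debian 8 support`. The `assert` form itself reads better than the previous `fail`/`when` pair.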
@ -1,4 +1,8 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
|
- include_role:
|
||||||
|
name: evolix/remount-usr
|
||||||
|
|
||||||
- name: Create CSR dir
|
- name: Create CSR dir
|
||||||
file:
|
file:
|
||||||
path: "{{ evoacme_csr_dir }}"
|
path: "{{ evoacme_csr_dir }}"
|
||||||
|
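Review bot: The new `- include_role:` task has no `name:`, unlike the neighbouring tasks (`- name: Create CSR dir`), so play output will show only the generic include line; add `- name: Remount /usr read-write if necessary` above `include_role:`. It also runs unconditionally on every play, so the included `evolix/remount-usr` role is presumably a no-op when /usr is already writable — worth stating in a comment if that is the contract, since the role's contents are not visible here.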
@ -36,5 +40,5 @@
|
||||||
path: "/usr/local/bin/{{ item }}"
|
path: "/usr/local/bin/{{ item }}"
|
||||||
state: absent
|
state: absent
|
||||||
with_items:
|
with_items:
|
||||||
- 'make-csr'
|
- 'make-csr'
|
||||||
- 'evoacme'
|
- 'evoacme'
|
||||||
|
|
|
@ -50,7 +50,8 @@ evolinux_kernel_include: True
|
||||||
|
|
||||||
evolinux_kernel_reboot_after_panic: True
|
evolinux_kernel_reboot_after_panic: True
|
||||||
evolinux_kernel_disable_tcp_timestamps: True
|
evolinux_kernel_disable_tcp_timestamps: True
|
||||||
evolinux_kernel_reduce_swapiness: True
|
evolinux_kernel_customize_swappiness: True
|
||||||
|
evolinux_kernel_swappiness: 20
|
||||||
evolinux_kernel_cve20165696: True
|
evolinux_kernel_cve20165696: True
|
||||||
|
|
||||||
# fstab
|
# fstab
|
||||||
|
|
|
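Review bot: Renaming `evolinux_kernel_reduce_swapiness` to `evolinux_kernel_customize_swappiness` means an inventory that still sets the old variable is silently ignored and the new defaults (`True`, `20`) apply instead; the CHANGELOG hunk only says `evolinux-base: swappiness is customizable`. Either add a Changed entry naming the old and new variable, or keep a compatibility default for one release such as `evolinux_kernel_customize_swappiness: "{{ evolinux_kernel_reduce_swapiness | default(True) }}"`. The tasks hunk below (`when: evolinux_kernel_customize_swappiness`, `value: "{{ evolinux_kernel_swappiness }}"`) is affected in the same way. A short range comment on the new value, `evolinux_kernel_swappiness: 20  # valid range 0-100`, would also help operators.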
@ -32,14 +32,14 @@
|
||||||
reload: yes
|
reload: yes
|
||||||
when: evolinux_kernel_disable_tcp_timestamps
|
when: evolinux_kernel_disable_tcp_timestamps
|
||||||
|
|
||||||
- name: Reduce the swapiness
|
- name: Customize the swappiness
|
||||||
sysctl:
|
sysctl:
|
||||||
name: vm.swappiness
|
name: vm.swappiness
|
||||||
value: 20
|
value: "{{ evolinux_kernel_swappiness }}"
|
||||||
sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
|
sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
|
||||||
state: present
|
state: present
|
||||||
reload: yes
|
reload: yes
|
||||||
when: evolinux_kernel_reduce_swapiness
|
when: evolinux_kernel_customize_swappiness
|
||||||
|
|
||||||
- name: Patch for TCP stack vulnerability CVE-2016-5696
|
- name: Patch for TCP stack vulnerability CVE-2016-5696
|
||||||
sysctl:
|
sysctl:
|
||||||
|
|
|
@ -30,6 +30,7 @@
|
||||||
- tcpdump
|
- tcpdump
|
||||||
- mtr-tiny
|
- mtr-tiny
|
||||||
- curl
|
- curl
|
||||||
|
- wget
|
||||||
- telnet
|
- telnet
|
||||||
- traceroute
|
- traceroute
|
||||||
- man
|
- man
|
||||||
|
|
|
@ -28,7 +28,7 @@ action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(proto
|
||||||
action = %(action_mwl)s
|
action = %(action_mwl)s
|
||||||
|
|
||||||
[sshd]
|
[sshd]
|
||||||
port = ssh,2222
|
port = ssh,2222,22222
|
||||||
logpath = %(sshd_log)s
|
logpath = %(sshd_log)s
|
||||||
backend = %(sshd_backend)s
|
backend = %(sshd_backend)s
|
||||||
maxretry = 10
|
maxretry = 10
|
||||||
|
|
|
@ -19,7 +19,7 @@ minifirewall_privilegied_ips: []
|
||||||
|
|
||||||
minifirewall_protected_ports_tcp: [22]
|
minifirewall_protected_ports_tcp: [22]
|
||||||
minifirewall_protected_ports_udp: []
|
minifirewall_protected_ports_udp: []
|
||||||
minifirewall_public_ports_tcp: [25, 53, 443, 993, 995, 2222]
|
minifirewall_public_ports_tcp: [25, 53, 443, 993, 995, 22222]
|
||||||
minifirewall_public_ports_udp: [53]
|
minifirewall_public_ports_udp: [53]
|
||||||
minifirewall_semipublic_ports_tcp: [20, 21, 22, 80, 110, 143]
|
minifirewall_semipublic_ports_tcp: [20, 21, 22, 80, 110, 143]
|
||||||
minifirewall_semipublic_ports_udp: []
|
minifirewall_semipublic_ports_udp: []
|
||||||
|
|
|
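Review bot: `minifirewall_public_ports_tcp` here and `SERVICESTCP1` in the template hunk that follows (`SERVICESTCP1='25 53 443 993 995 22222'`) hold the same port list as two independent literals, which is why both had to be edited in step in this commit. If that template is rendered by this role, derive the line from the variable, e.g. `SERVICESTCP1='{{ minifirewall_public_ports_tcp | join(' ') }}'`, so the defaults file is the single source of truth. It is also worth noting in the CHANGELOG that re-applying these defaults on an already deployed host removes 2222 from the public list, which could cut off SFTP there until proftpd is moved to 22222 as well.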
@ -29,7 +29,7 @@ SERVICESTCP1p='22'
|
||||||
SERVICESUDP1p=''
|
SERVICESUDP1p=''
|
||||||
|
|
||||||
# Public services (IPv4/IPv6)
|
# Public services (IPv4/IPv6)
|
||||||
SERVICESTCP1='25 53 443 993 995 2222'
|
SERVICESTCP1='25 53 443 993 995 22222'
|
||||||
SERVICESUDP1='53'
|
SERVICESUDP1='53'
|
||||||
|
|
||||||
# Semi-public services (IPv4)
|
# Semi-public services (IPv4)
|
||||||
|
|
|
@ -9,6 +9,6 @@ proftpd_ftps_port: 990
|
||||||
proftpd_ftps_cert: "/etc/ssl/certs/ssl-cert-snakeoil.pem"
|
proftpd_ftps_cert: "/etc/ssl/certs/ssl-cert-snakeoil.pem"
|
||||||
proftpd_ftps_key: "/etc/ssl/private/ssl-cert-snakeoil.key"
|
proftpd_ftps_key: "/etc/ssl/private/ssl-cert-snakeoil.key"
|
||||||
proftpd_sftp_enable: False
|
proftpd_sftp_enable: False
|
||||||
proftpd_sftp_port: 2222
|
proftpd_sftp_port: 22222
|
||||||
proftpd_accounts: []
|
proftpd_accounts: []
|
||||||
proftpd_accounts_final: []
|
proftpd_accounts_final: []
|
||||||
|
|
|
@ -1,2 +1,5 @@
|
||||||
---
|
---
|
||||||
tomcat_instance_root: '/srv/tomcat'
|
tomcat_instance_root: '/srv/tomcat'
|
||||||
|
|
||||||
|
tomcat_root_dir_owner: root
|
||||||
|
tomcat_root_dir_group: root
|
||||||
|
|
|
@ -33,8 +33,8 @@
|
||||||
file:
|
file:
|
||||||
path: "{{ tomcat_instance_root }}"
|
path: "{{ tomcat_instance_root }}"
|
||||||
state: directory
|
state: directory
|
||||||
owner: 'root'
|
owner: "{{ tomcat_root_dir_owner | default('root') }}"
|
||||||
group: 'root'
|
group: "{{ tomcat_root_dir_group | default('root') }}"
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
|
|
||||||
- name: Copy systemd unit
|
- name: Copy systemd unit
|
||||||
|
|
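Review bot: `owner: "{{ tomcat_root_dir_owner | default('root') }}"` and the matching `group:` line apply `default('root')` even though the defaults hunk above now defines both variables with exactly that value, so the filter is dead unless the role is used in a way that bypasses its defaults file. Either drop the filter or keep it with a comment explaining the intent, e.g. `# default() kept so the task still works when the role's defaults are not loaded`. The enclosing task starts outside this hunk.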