Merge branch 'unstable' into stable
commit
f717c31acc
22
CHANGELOG.md
22
CHANGELOG.md
|
@ -20,6 +20,28 @@ The **patch** part changes incrementally at each release.
|
|||
|
||||
### Security
|
||||
|
||||
## [10.2.0] 2020-09-17
|
||||
|
||||
### Added
|
||||
|
||||
* evoacme: remount /usr if necessary
|
||||
* evolinux-base: swappiness is customizable
|
||||
* evolinux-base: install wget
|
||||
* tomcat: root directory owner/group are configurable
|
||||
|
||||
### Changed
|
||||
|
||||
* Change default public SSH/SFTP port from 2222 to 22222
|
||||
|
||||
### Fixed
|
||||
|
||||
* certbot: an empty change shouldn't raise an exception
|
||||
* certbot: fix "no-self-upgrade" option
|
||||
|
||||
### Removed
|
||||
|
||||
* evoacme: remove Debian 9 support
|
||||
|
||||
## [10.1.0] 2020-08-21
|
||||
|
||||
### Added
|
||||
|
|
|
@ -122,6 +122,10 @@ ec2_evolinux_security_group:
|
|||
from_port: 2222
|
||||
to_port: 2222
|
||||
cidr_ip: 0.0.0.0/0
|
||||
- proto: tcp
|
||||
from_port: 22222
|
||||
to_port: 22222
|
||||
cidr_ip: 0.0.0.0/0
|
||||
- proto: tcp
|
||||
from_port: 2223
|
||||
to_port: 2223
|
||||
|
|
|
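Review bot: The existing ingress rule for port 2222 (`from_port: 2222` / `to_port: 2222` with `cidr_ip: 0.0.0.0/0`) is kept next to the new 22222 rule, so both ports stay open to the whole Internet, while the minifirewall and proftpd hunks in this same commit drop 2222 entirely. If 2222 is only kept open for hosts not yet migrated, mark it as transitional with `# TODO: drop once all hosts listen on 22222` above the old rule, otherwise remove it so the security group matches the host firewall. The fail2ban jail hunk keeps `port = ssh,2222,22222` for presumably the same reason and can be tidied in the same pass. The `ec2_evolinux_security_group` mapping starts outside the hunk.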
@ -8,4 +8,4 @@
|
|||
SHELL=/bin/sh
|
||||
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
|
||||
|
||||
0 */12 * * * root test -x /usr/local/bin/certbot && perl -e 'sleep int(rand(3600))' && /usr/local/bin/certbot --no-self-update -q renew
|
||||
0 */12 * * * root test -x /usr/local/bin/certbot && perl -e 'sleep int(rand(3600))' && /usr/local/bin/certbot --no-self-upgrade -q renew
|
||||
|
|
|
@ -22,7 +22,7 @@ main() {
|
|||
message="[letsencrypt] certificates renewal (${RENEWED_DOMAINS})"
|
||||
${git_bin} commit --message "${message}" --quiet
|
||||
else
|
||||
error "Weird, nothing has changed but the hook has been executed for '${RENEWED_DOMAINS}'"
|
||||
debug "Weird, nothing has changed but the hook has been executed for '${RENEWED_DOMAINS}'"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
|
|
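Review bot: Downgrading the "nothing has changed" message from `error` to `debug` makes a hook run with no git change pass silently, and nothing in the hunk records why that is acceptable, so the next reader may put `error` back. Suggest `# certbot can invoke the deploy hook even when the tracked files did not change; this is expected` above the `debug` line. I cannot tell from the hunk whether `error` also exited non-zero, so confirm this is the behaviour the changelog's "an empty change shouldn't raise an exception" entry refers to. `main()` starts outside the hunk.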
@ -11,8 +11,8 @@ galaxy_info:
|
|||
platforms:
|
||||
- name: Debian
|
||||
versions:
|
||||
- jessie
|
||||
- stretch
|
||||
- buster
|
||||
|
||||
dependencies: []
|
||||
# List your role dependencies here, one per line.
|
||||
|
|
|
@ -1,9 +1,11 @@
|
|||
---
|
||||
|
||||
- fail:
|
||||
msg: only compatible with Debian >= 8
|
||||
when:
|
||||
- ansible_distribution != "Debian" or ansible_distribution_major_version is version('8', '<')
|
||||
- name: Verify Debian version
|
||||
assert:
|
||||
that:
|
||||
- ansible_distribution == "Debian"
|
||||
- ansible_distribution_major_version is version('9', '>=')
|
||||
msg: only compatible with Debian >= 9
|
||||
|
||||
- include: certbot.yml
|
||||
|
||||
|
|
|
@ -1,4 +1,8 @@
|
|||
---
|
||||
|
||||
- include_role:
|
||||
name: evolix/remount-usr
|
||||
|
||||
- name: Create CSR dir
|
||||
file:
|
||||
path: "{{ evoacme_csr_dir }}"
|
||||
|
|
|
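Review bot: The new `include_role` task has no `name:`, so play output only shows the role path; add one, e.g. `- name: Remount /usr read-write if needed` above `include_role:`. If `evolix/remount-usr` mounts `/usr` read-write (the CHANGELOG entry reads "remount /usr if necessary"), confirm that a later task or handler remounts it read-only once the CSR directory is created, since nothing in the hunk restores the mount. The task list continues past the hunk.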
@ -50,7 +50,8 @@ evolinux_kernel_include: True
|
|||
|
||||
evolinux_kernel_reboot_after_panic: True
|
||||
evolinux_kernel_disable_tcp_timestamps: True
|
||||
evolinux_kernel_reduce_swapiness: True
|
||||
evolinux_kernel_customize_swappiness: True
|
||||
evolinux_kernel_swappiness: 20
|
||||
evolinux_kernel_cve20165696: True
|
||||
|
||||
# fstab
|
||||
|
|
|
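Review bot: Renaming `evolinux_kernel_reduce_swapiness` to `evolinux_kernel_customize_swappiness` silently breaks any inventory that still sets the old name: the old variable is simply ignored and the swappiness sysctl is no longer applied, with no warning. Either keep a compatibility default such as `evolinux_kernel_customize_swappiness: "{{ evolinux_kernel_reduce_swapiness | default(True) }}"`, or at least list the rename under "Changed" in the CHANGELOG, which currently only says "swappiness is customizable" under "Added". The same rename appears in the kernel tasks hunk (`when: evolinux_kernel_customize_swappiness`). The booleans are written `True`, matching the rest of this file, so that spelling is consistent even though yamllint prefers `true`.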
@ -32,14 +32,14 @@
|
|||
reload: yes
|
||||
when: evolinux_kernel_disable_tcp_timestamps
|
||||
|
||||
- name: Reduce the swapiness
|
||||
- name: Customize the swappiness
|
||||
sysctl:
|
||||
name: vm.swappiness
|
||||
value: 20
|
||||
value: "{{ evolinux_kernel_swappiness }}"
|
||||
sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
|
||||
state: present
|
||||
reload: yes
|
||||
when: evolinux_kernel_reduce_swapiness
|
||||
when: evolinux_kernel_customize_swappiness
|
||||
|
||||
- name: Patch for TCP stack vulnerability CVE-2016-5696
|
||||
sysctl:
|
||||
|
|
|
@ -30,6 +30,7 @@
|
|||
- tcpdump
|
||||
- mtr-tiny
|
||||
- curl
|
||||
- wget
|
||||
- telnet
|
||||
- traceroute
|
||||
- man
|
||||
|
|
|
@ -28,7 +28,7 @@ action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(proto
|
|||
action = %(action_mwl)s
|
||||
|
||||
[sshd]
|
||||
port = ssh,2222
|
||||
port = ssh,2222,22222
|
||||
logpath = %(sshd_log)s
|
||||
backend = %(sshd_backend)s
|
||||
maxretry = 10
|
||||
|
|
|
@ -19,7 +19,7 @@ minifirewall_privilegied_ips: []
|
|||
|
||||
minifirewall_protected_ports_tcp: [22]
|
||||
minifirewall_protected_ports_udp: []
|
||||
minifirewall_public_ports_tcp: [25, 53, 443, 993, 995, 2222]
|
||||
minifirewall_public_ports_tcp: [25, 53, 443, 993, 995, 22222]
|
||||
minifirewall_public_ports_udp: [53]
|
||||
minifirewall_semipublic_ports_tcp: [20, 21, 22, 80, 110, 143]
|
||||
minifirewall_semipublic_ports_udp: []
|
||||
|
|
|
@ -29,7 +29,7 @@ SERVICESTCP1p='22'
|
|||
SERVICESUDP1p=''
|
||||
|
||||
# Public services (IPv4/IPv6)
|
||||
SERVICESTCP1='25 53 443 993 995 2222'
|
||||
SERVICESTCP1='25 53 443 993 995 22222'
|
||||
SERVICESUDP1='53'
|
||||
|
||||
# Semi-public services (IPv4)
|
||||
|
|
|
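Review bot: The public TCP port list is hard-coded in two places — `SERVICESTCP1='25 53 443 993 995 22222'` here and `minifirewall_public_ports_tcp: [25, 53, 443, 993, 995, 22222]` in the defaults hunk — so this commit has to edit both and they can drift apart later. If this file is rendered as a Jinja template, derive the line from the variable, e.g. `SERVICESTCP1='{{ minifirewall_public_ports_tcp | join(" ") }}'`; if it is copied as a static file, a comment above the line naming the defaults variable would at least flag the coupling. I cannot tell from the hunk which of the two the role does.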
@ -9,6 +9,6 @@ proftpd_ftps_port: 990
|
|||
proftpd_ftps_cert: "/etc/ssl/certs/ssl-cert-snakeoil.pem"
|
||||
proftpd_ftps_key: "/etc/ssl/private/ssl-cert-snakeoil.key"
|
||||
proftpd_sftp_enable: False
|
||||
proftpd_sftp_port: 2222
|
||||
proftpd_sftp_port: 22222
|
||||
proftpd_accounts: []
|
||||
proftpd_accounts_final: []
|
||||
|
|
|
@ -1,2 +1,5 @@
|
|||
---
|
||||
tomcat_instance_root: '/srv/tomcat'
|
||||
|
||||
tomcat_root_dir_owner: root
|
||||
tomcat_root_dir_group: root
|
||||
|
|
|
@ -33,8 +33,8 @@
|
|||
file:
|
||||
path: "{{ tomcat_instance_root }}"
|
||||
state: directory
|
||||
owner: 'root'
|
||||
group: 'root'
|
||||
owner: "{{ tomcat_root_dir_owner | default('root') }}"
|
||||
group: "{{ tomcat_root_dir_group | default('root') }}"
|
||||
mode: "0755"
|
||||
|
||||
- name: Copy systemd unit
|
||||
|
|
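Review bot: `owner: "{{ tomcat_root_dir_owner | default('root') }}"` and the matching `group:` line carry a `default('root')` that can never apply, because this commit's defaults hunk already defines both variables as `root`; keeping the role default as the single source of truth, `owner: "{{ tomcat_root_dir_owner }}"` is enough and leaves one place to update. If the filter is meant to guard against the role being invoked without its defaults loaded, say so in a comment above the `owner:` line. The task's `name:` line starts outside the hunk.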