Merge branch 'unstable' into stable

Jérémy Lecour 2022-07-06 18:03:18 +02:00 committed by Jérémy Lecour
commit f8cb5d9496
18 changed files with 105 additions and 42 deletions


@ -20,6 +20,25 @@ The **patch** part changes is incremented if multiple releases happen the same m
### Security
## [22.07] 2022-07-06
### Added
* evolinux-base: session timeout is configurable (default: 36000 seconds = 10 hours)
* haproxy: add haproxy_allow_ip_nonlocal_bind to set sysctl value (optional)
* kvm-host: fix depreciation of "drbd-overview" by "drbdadm status" in add-vm.sh
* openvpn: configure logrotate
### Changed
* openvpn: minimal rights on /etc/shellpki/ and crl.pem
### Fixed
* evolinux-base: Update PermitRootLogin task to work on Debian 11
* evolinux-user: Update PermitRootLogin task to work on Debian 11
* minifirewall: docker mode is configurable
## [22.06.3] 2022-06-17
### Changed


@ -107,6 +107,7 @@ evolinux_system_profile: True
evolinux_system_dirmode_adduser: True
evolinux_system_restrict_securetty: False
evolinux_system_set_timeout: True
evolinux_system_timeout: 36000
evolinux_system_cron_verboselog: True
evolinux_system_cron_umask: True
evolinux_system_cron_random: True
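Review bot: The new `evolinux_system_timeout: 36000` default carries no unit or rationale, and since it is interpolated into `export TMOUT=` in a profile snippet, a reader has to chase the task file to learn it is seconds. An inline comment would fix that: `evolinux_system_timeout: 36000  # seconds of shell inactivity before TMOUT logs the session out (10 hours)`. If the timeout is meant as a hardening control rather than a convenience, it is worth saying so in the comment as well, since common hardening baselines use a much shorter idle timeout than ten hours.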


@ -0,0 +1,15 @@
- name: dump-server-state script is present
copy:
src: "dump-server-state.sh"
dest: /usr/local/sbin/dump-server-state
force: True
owner: root
group: root
mode: "0750"
- name: symlink backup-server-state to dump-server-state
file:
src: /usr/local/sbin/dump-server-state
dest: /usr/local/sbin/backup-server-state
state: link
force: yes
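Review bot: The two tasks spell the same boolean two ways, `force: True` on the copy task and `force: yes` on the symlink task; both parse as true under YAML 1.1 but `yes` is the form yamllint's truthy rule rejects and YAML 1.2 parsers read as a string. Writing `force: true` in both places keeps the new file consistent with itself. For the copy task `force: true` is also the module default, so the key can be dropped or kept with a comment stating that the script is meant to be overwritten on every run.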


@ -91,7 +91,7 @@
- name: disable SSH access for root
replace:
dest: /etc/ssh/sshd_config
regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'
regexp: '^#?PermitRootLogin (yes|without-password|prohibit-password)'
replace: "PermitRootLogin no"
validate: '/usr/sbin/sshd -t -f %s'
notify: reload sshd
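Review bot: The new `^#?PermitRootLogin …` pattern also rewrites the commented-out Debian default, which is the intended fix, but `replace` acts on every match in the file, so a commented copy that sits after a `Match` block would be uncommented as `PermitRootLogin no` inside that block's scope while the global setting stays untouched; `sshd -t` accepts that configuration, so the validate step would not catch it. On a stock Debian sshd_config the commented directive precedes any `Match` block, so this is presumably fine in practice, and a comment above the task would record the assumption: `# also matches the commented-out Debian default ("#PermitRootLogin prohibit-password"); assumes it appears before any Match block`.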


@ -77,7 +77,8 @@
- name: Setting TMOUT to disconnect inactive users
lineinfile:
dest: /etc/profile.d/evolinux.sh
line: "export TMOUT=36000"
line: "export TMOUT={{ evolinux_system_timeout }}"
regexp: "^export TMOUT="
create: yes
state: present
when: evolinux_system_set_timeout | bool
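Review bot: `export TMOUT={{ evolinux_system_timeout }}` drops the variable unquoted into a shell file, so a non-integer value (an empty string, a stray space) would produce a broken or ineffective `export` line on every login shell; `line: "export TMOUT={{ evolinux_system_timeout | int }}"` makes a bad value fail at playbook time instead. Note also that without a `readonly TMOUT` a user can simply `unset TMOUT` in their own rc file, so if this is intended as an enforced idle timeout rather than a default, that limitation deserves a comment on the task. `create: yes` would read better as `create: true`.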


@ -1,7 +1,5 @@
---
- name: Deploy top configuration file
copy:
# The config format is unredable; ATM it only add the SWAP column
src: topdefaultrc
dest: /etc/topdefaultrc
mode: "0644"
file:
path: /etc/topdefaultrc
state: absent
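Review bot: The task name "Deploy top configuration file" no longer describes what the task does once its module becomes `file` with `state: absent`; the hunk counts suggest the name line is unchanged context, so it now reads as a deployment in play output while actually removing `/etc/topdefaultrc`. Rename it to something like `- name: Remove obsolete top configuration file` and, if the intent is a cleanup of hosts provisioned by earlier versions, say so in a comment so a future reader knows when the task can be dropped.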


@ -3,21 +3,8 @@
- include_role:
name: evolix/remount-usr
- name: dump-server-state script is present
copy:
src: "dump-server-state.sh"
dest: /usr/local/sbin/dump-server-state
force: True
owner: root
group: root
mode: "0750"
- name: symlink backup-server-state to dump-server-state
file:
src: /usr/local/sbin/dump-server-state
dest: /usr/local/sbin/backup-server-state
state: link
force: yes
- include_tasks:
file: dump-server-state.yml
- name: "/sbin/deny script is present"
copy:


@ -56,7 +56,7 @@
- name: disable root login
replace:
dest: /etc/ssh/sshd_config
regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'
regexp: '^#PermitRootLogin (yes|without-password|prohibit-password)'
replace: "PermitRootLogin no"
notify: reload sshd
when: evolinux_root_disable_ssh | bool
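Review bot: `^#PermitRootLogin (…)` makes the `#` mandatory, so an active, uncommented `PermitRootLogin yes` line — which the previous pattern did match — is no longer rewritten, and root SSH login stays enabled on such hosts even though the task reports success. The evolinux-base variant in this same commit uses `^#?PermitRootLogin (yes|without-password|prohibit-password)`, which covers both forms; this task should use the same pattern. Unlike the base role, this task also has no `validate: '/usr/sbin/sshd -t -f %s'` before `notify: reload sshd`, so a malformed edit here would be reloaded straight into the running daemon; adding the validate line keeps the two roles consistent.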


@ -35,3 +35,5 @@ haproxy_deny_ips: []
haproxy_backports_packages_stretch: haproxy libssl1.0.0
haproxy_backports_packages_buster: haproxy
haproxy_backports_packages_bullseye: haproxy
haproxy_allow_ip_nonlocal_bind: Null
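Review bot: `Null` parses as a null under YAML 1.1 but is an unusual spelling that some 1.2 parsers and linters treat as the string "Null"; write it as `haproxy_allow_ip_nonlocal_bind: null`. Since the consuming task treats null, true and false differently, the tri-state contract belongs next to the default: `# null: leave net.ipv4.ip_nonlocal_bind untouched; true/false: set it to 1/0`.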


@ -134,4 +134,17 @@
- haproxy
- logrotate
- name: Set net.ipv4.ip_nonlocal_bind
sysctl:
name: net.ipv4.ip_nonlocal_bind
value: "{{ haproxy_allow_ip_nonlocal_bind | ternary('1','0') }}"
sysctl_file: "{{ evolinux_kernel_sysctl_path | default('/etc/sysctl.d/evolinux.conf') }}"
state: present
reload: yes
tags:
- haproxy
when:
- haproxy_allow_ip_nonlocal_bind is defined
- haproxy_allow_ip_nonlocal_bind is not none
- include: munin.yml
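Review bot: `ternary('1','0')` is applied to the raw variable, so a value arriving from inventory or `-e` as the string `"no"` or `"false"` is truthy and renders `'1'`, silently enabling non-local binding; `value: "{{ haproxy_allow_ip_nonlocal_bind | bool | ternary('1','0') }}"` normalises it first. With a default now declared for the variable, the `is defined` condition is redundant and `is not none` alone expresses the intent. `reload: yes` would be better written `reload: true` to match the rest of the file.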


@ -219,7 +219,7 @@ ${drbdadm} -- --overwrite-data-of-peer primary "${vmName}"
if ! isDryRun; then
sleep 5
drbd-overview | tail -4
drbdadm status | tail -4
drbdDiskPath="/dev/drbd/by-res/${vmName}/0"
if ! [ -b "${drbdDiskPath}" ]; then
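Review bot: `drbdadm status | tail -4` keeps the `tail -4` that was sized for `drbd-overview`'s one-line-per-resource output, while `drbdadm status` prints several lines per resource, so on a host with more than one resource the operator may see only a fragment of an unrelated one. Since `${vmName}` is the resource of interest and is in scope here, `drbdadm status "${vmName}"` would show exactly the relevant block and make the `tail` unnecessary. This is display output only, so it does not affect the outcome of the script.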


@ -70,7 +70,7 @@
# WARNING : If the port mapping is different between the host and the container
# (ie: Listen on :8090 on host, but :8080 in container)
# then you need to give the port used inside the container
DOCKER='off'
DOCKER='{{ minifirewall_docker }}'
# Trusted IPv4 local network
# ...will be often IP/32 if you don't trust anything
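Review bot: `DOCKER='{{ minifirewall_docker }}'` replaces the literal `'off'`, so minifirewall presumably expects the strings `on`/`off` here; if `minifirewall_docker` is ever set as a YAML boolean (its default is not in this diff), Jinja renders `True`/`False` and the resulting value is neither. Either render it explicitly, `DOCKER='{{ minifirewall_docker | bool | ternary("on", "off") }}'`, or state in a comment above the line that the variable must be the string `'on'` or `'off'`.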


@ -0,0 +1,20 @@
#!/bin/sh
#
# Verify mounted filesystems are readable and writable.
filesystems=$*
exit_code=0
for filesystem in $filesystems; do
if findmnt --options ro --noheadings "${filesystem}"; then
exit_code=2
fi
done
if [ $exit_code != 0 ]; then
echo "CRITICAL - Above filesystems aren't monted in read and write mode"
else
echo "OK - All fine"
fi
exit "${exit_code}"
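Review bot: A filesystem that is not mounted at all makes `findmnt` return non-zero, so the loop leaves `exit_code` at 0 and the check reports "OK - All fine" — the worst possible false negative for a mount check. The loop should first confirm the filesystem is mounted and treat a miss as CRITICAL, then test for the `ro` option; the message on the CRITICAL branch also has a typo ("monted"). The script is shown in full here, minus blank lines.

```shell
for filesystem in $filesystems; do
    if ! findmnt --noheadings "${filesystem}" > /dev/null; then
        echo "${filesystem} is not mounted"
        exit_code=2
    elif findmnt --options ro --noheadings "${filesystem}"; then
        exit_code=2
    fi
done
# … unchanged: final status message and exit …
```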


@ -16,12 +16,3 @@
tags:
- nginx
- packages
- name: Service is running as configured.
service:
name: nginx
state: "{{ nginx_service_state }}"
enabled: "{{ nginx_service_enabled }}"
tags:
- nginx
- packages


@ -0,0 +1,10 @@
/var/log/openvpn.log
{
weekly
rotate 52
missingok
notifempty
delaycompress
compress
copytruncate
}


@ -74,8 +74,8 @@
insertafter: "{{ item.insertafter }}"
line: "{{ item.line }}"
with_items:
- { regexp: '^ chmod 644 /etc/shellpki/crl.pem$', line: " chmod 644 /etc/shellpki/crl.pem", insertafter: '^ chmod 640 "\${CACERT}"$' }
- { regexp: '^ chmod 755 /etc/shellpki/$', line: " chmod 755 /etc/shellpki/", insertafter: '^ chmod 644 /etc/shellpki/crl.pem$' }
- { regexp: '^ chmod 604 /etc/shellpki/crl.pem$', line: " chmod 604 /etc/shellpki/crl.pem", insertafter: '^ chmod 640 "\${CACERT}"$' }
- { regexp: '^ chmod 751 /etc/shellpki/$', line: " chmod 751 /etc/shellpki/", insertafter: '^ chmod 604 /etc/shellpki/crl.pem$' }
- name: Deploy OpenVPN server config
template:
@ -149,6 +149,12 @@
value: "1"
sysctl_file: "/etc/sysctl.d/openvpn.conf"
- name: Configure logrotate for OpenVPN
copy:
src: logrotate_openvpn
dest: /etc/logrotate.d/openvpn
force: no
- name: Generate a password for the management interface
set_fact:
management_pwd: "{{ lookup('password', '/dev/null length=15 chars=ascii_letters,digits') }}"
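Review bot: The `chmod 604`/`chmod 751` items only insert new lines; on hosts already provisioned with the previous version, the old `chmod 644 /etc/shellpki/crl.pem` and `chmod 755 /etc/shellpki/` lines stay in the script, and because `insertafter` places each new line directly after its anchor, the stale lines run afterwards and the tighter modes are undone. A preceding `lineinfile` task with `state: absent` for the two old patterns fixes that; the same applies to the sibling hunk ending at `template:` for the other distribution variant. On the logrotate task, `force: no` means later changes to the shipped `logrotate_openvpn` file are never deployed, which is worth a comment if deliberate (`# force: false — keep local edits to the logrotate policy`) and `force: false` otherwise.

```yaml
- name: Remove obsolete shellpki permission lines
  lineinfile:
    dest: <same file as the lineinfile task below>  # placeholder: path is outside this hunk
    regexp: "{{ item }}"
    state: absent
  with_items:
    - '^ chmod 644 /etc/shellpki/crl.pem$'
    - '^ chmod 755 /etc/shellpki/$'
# … unchanged: existing lineinfile task with the 604/751 items …
```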


@ -65,8 +65,8 @@
insertafter: "{{ item.insertafter }}"
line: "{{ item.line }}"
with_items:
- { regexp: '^ chmod 644 /etc/shellpki/crl.pem$', line: " chmod 644 /etc/shellpki/crl.pem", insertafter: '^ chmod 640 "\${CACERT}"$' }
- { regexp: '^ chmod 755 /etc/shellpki/$', line: " chmod 755 /etc/shellpki/", insertafter: '^ chmod 644 /etc/shellpki/crl.pem$' }
- { regexp: '^ chmod 604 /etc/shellpki/crl.pem$', line: " chmod 604 /etc/shellpki/crl.pem", insertafter: '^ chmod 640 "\${CACERT}"$' }
- { regexp: '^ chmod 751 /etc/shellpki/$', line: " chmod 751 /etc/shellpki/", insertafter: '^ chmod 604 /etc/shellpki/crl.pem$' }
- name: Deploy OpenVPN server config
template:


@ -6,11 +6,11 @@ $localconf['debug'] = FALSE;
$localconf['superadmin'] = array();
$localconf['script_path'] = '{{ evoadmin_scripts_dir }}';
$localconf['cluster'] = FALSE;
// auth (sha256 hashs) / echo -n YourPass | sha256sum
$oriconf['logins'] = array();
//$oriconf['logins']['foo'] = 'd5d3c723fb82cb0078f399888af78204234535ec2ef3da56710fdd51f90d2477';
//$oriconf['logins']['bar'] = '7938c84d6e43d1659612a7ea7c1101ed02e52751bb64597a8c20ebaba8ba4303';
// Generate password hashes : mkpasswd --method=sha-512 (cli) or with PHP's password_hash()
$localconf['logins'] = array();
//$localconf['logins']['foo'] = '$6$X0jqa/ausLSBkj4m$dLMMcPGVxak.aDPo4V/GJLm2d8vU8/QA5LbGTuqXCdxSNYU0kRKBgDl16GAyp0GqXXZ5wwDEJKQ1npgFwiuV81';
//$localconf['logins']['bar'] = '$6$Q6233S6mlWAF6p.j$LtzwG02YucozwqjAgSpeldh24Mnz7lBuVSbOQYbKKh9FiUx3tMVl6kJZkmrNdPqeadFXKAYXrqn.gy8KposF5.';
{% if evoadmin_multiphp_versions != [] %}
$localconf['php_versions'] = array( {{ evoadmin_multiphp_versions | join(', ') | replace('php', '') }} );
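Review bot: The new comment offers `mkpasswd --method=sha-512` and `password_hash()` as equivalent ways to produce a login hash, but `password_hash()` emits a bcrypt `$2y$` string by default while the commented examples are sha-512 crypt (`$6$`); whether both are accepted depends on how the login code verifies them, which is outside this template. If the verifier is `password_verify()` both formats work and the comment could say so; if it expects sha-512 specifically, the `password_hash()` hint is misleading and should be replaced with `password_hash($pass, PASSWORD_DEFAULT)` only where that is actually supported. The surrounding PHP file continues outside the hunk.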