Merge branch 'unstable' into stable
commit
f8cb5d9496
19
CHANGELOG.md
19
CHANGELOG.md
|
@ -20,6 +20,25 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
|
||||
### Security
|
||||
|
||||
## [22.07] 2022-07-06
|
||||
|
||||
### Added
|
||||
|
||||
* evolinux-base: session timeout is configurable (default: 36000 seconds = 10 hours)
|
||||
* haproxy: add haproxy_allow_ip_nonlocal_bind to set sysctl value (optional)
|
||||
* kvm-host: fix depreciation of "drbd-overview" by "drbdadm status" in add-vm.sh
|
||||
* openvpn: configure logrotate
|
||||
|
||||
### Changed
|
||||
|
||||
* openvpn: minimal rights on /etc/shellpki/ and crl.pem
|
||||
|
||||
### Fixed
|
||||
|
||||
* evolinux-base: Update PermitRootLogin task to work on Debian 11
|
||||
* evolinux-user: Update PermitRootLogin task to work on Debian 11
|
||||
* minifirewall: docker mode is configurable
|
||||
|
||||
## [22.06.3] 2022-06-17
|
||||
|
||||
### Changed
|
||||
|
|
|
@ -107,6 +107,7 @@ evolinux_system_profile: True
|
|||
evolinux_system_dirmode_adduser: True
|
||||
evolinux_system_restrict_securetty: False
|
||||
evolinux_system_set_timeout: True
|
||||
evolinux_system_timeout: 36000
|
||||
evolinux_system_cron_verboselog: True
|
||||
evolinux_system_cron_umask: True
|
||||
evolinux_system_cron_random: True
|
||||
|
|
|
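Review bot: `evolinux_system_timeout: 36000` makes the idle-shell timeout ten hours by default, which is well above what hardening baselines typically ask for (minutes rather than hours); if the long value is a deliberate choice for operator sessions, say so next to the key so it is not "fixed" later. Nothing here constrains the value to a positive integer, and the task in this same commit writes it verbatim into `export TMOUT=...`, so a blank or non-numeric value silently disables the timeout instead of failing the play. Proposed comment above the key: `# Idle shell timeout in seconds, written to TMOUT by evolinux_system_set_timeout; 36000 = 10 h, far above usual hardening baselines.`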
@ -0,0 +1,15 @@
|
|||
- name: dump-server-state script is present
|
||||
copy:
|
||||
src: "dump-server-state.sh"
|
||||
dest: /usr/local/sbin/dump-server-state
|
||||
force: True
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0750"
|
||||
|
||||
- name: symlink backup-server-state to dump-server-state
|
||||
file:
|
||||
src: /usr/local/sbin/dump-server-state
|
||||
dest: /usr/local/sbin/backup-server-state
|
||||
state: link
|
||||
force: yes
|
|
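Review bot: The two tasks in this new file spell the same boolean two ways, `force: True` on the copy and `force: yes` on the symlink; Ansible accepts both, but yamllint's truthy rule and the rest of the file's style would want `force: true` in both places. The symlink task's `force: yes` also replaces whatever already exists at `/usr/local/sbin/backup-server-state`, including a locally maintained script, without a trace in the play output; a short comment above that task, such as `# force: an existing regular file at this path is replaced by the symlink`, would make that clobbering intentional rather than surprising. Also note this file expects `/usr` to be writable, which the caller handles with the `remount-usr` role before including it.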
@ -91,7 +91,7 @@
|
|||
- name: disable SSH access for root
|
||||
replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'
|
||||
regexp: '^#?PermitRootLogin (yes|without-password|prohibit-password)'
|
||||
replace: "PermitRootLogin no"
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
|
|
|
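Review bot: The alternation on the new `regexp` line still omits `forced-commands-only`, so a host already carrying `PermitRootLogin forced-commands-only` keeps root login reachable and the task reports nothing; `regexp: '^#?PermitRootLogin (yes|without-password|prohibit-password|forced-commands-only)'` closes that gap. Separately, Debian 11's stock `sshd_config` begins with `Include /etc/ssh/sshd_config.d/*.conf`, and sshd keeps the first value it reads for a keyword, so any drop-in there that sets `PermitRootLogin yes` wins over the line this task rewrites, and `sshd -t` will not object because the result is valid configuration. A follow-up task that asserts no `PermitRootLogin` appears under `/etc/ssh/sshd_config.d/` (or a `find`/`fail` pair) would make "disable SSH access for root" actually hold on bullseye.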
@ -77,7 +77,8 @@
|
|||
- name: Setting TMOUT to disconnect inactive users
|
||||
lineinfile:
|
||||
dest: /etc/profile.d/evolinux.sh
|
||||
line: "export TMOUT=36000"
|
||||
line: "export TMOUT={{ evolinux_system_timeout }}"
|
||||
regexp: "^export TMOUT="
|
||||
create: yes
|
||||
state: present
|
||||
when: evolinux_system_set_timeout | bool
|
||||
|
|
|
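Review bot: `export TMOUT=...` on the new line is only a default: any user can `unset TMOUT` or set it to 0 in their own shell, so as a hardening control it is advisory unless the variable is also made read-only, e.g. `line: "export TMOUT={{ evolinux_system_timeout }}; readonly TMOUT"`, which the existing `regexp: "^export TMOUT="` still matches and replaces. The value is interpolated unquoted, so an empty `evolinux_system_timeout` yields `export TMOUT=`, which disables the timeout rather than failing; an `assert` on the variable before this task would surface that. Worth a comment as well that this only reaches shells sourcing `/etc/profile.d/`, not every login shell.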
@ -1,7 +1,5 @@
|
|||
---
|
||||
- name: Deploy top configuration file
|
||||
copy:
|
||||
# The config format is unredable; ATM it only add the SWAP column
|
||||
src: topdefaultrc
|
||||
dest: /etc/topdefaultrc
|
||||
mode: "0644"
|
||||
file:
|
||||
path: /etc/topdefaultrc
|
||||
state: absent
|
||||
|
|
|
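Review bot: If `file: ... state: absent` is the new side of this task, the name on the context line, `Deploy top configuration file`, now describes the opposite of what the task does, which will mislead anyone reading play output or `--list-tasks`; rename it, e.g. `- name: Remove legacy top configuration file`. The `topdefaultrc` source the old `copy` referenced is presumably orphaned in the role's `files/` directory if the commit has not deleted it, which is worth checking outside this hunk.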
@ -3,21 +3,8 @@
|
|||
- include_role:
|
||||
name: evolix/remount-usr
|
||||
|
||||
- name: dump-server-state script is present
|
||||
copy:
|
||||
src: "dump-server-state.sh"
|
||||
dest: /usr/local/sbin/dump-server-state
|
||||
force: True
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0750"
|
||||
|
||||
- name: symlink backup-server-state to dump-server-state
|
||||
file:
|
||||
src: /usr/local/sbin/dump-server-state
|
||||
dest: /usr/local/sbin/backup-server-state
|
||||
state: link
|
||||
force: yes
|
||||
- include_tasks:
|
||||
file: dump-server-state.yml
|
||||
|
||||
- name: "/sbin/deny script is present"
|
||||
copy:
|
||||
|
|
|
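Review bot: `include_tasks` is a dynamic include, so the tasks now living in `dump-server-state.yml` are invisible to `--list-tasks` and do not run under a `--tags` invocation unless the include itself carries the tag, whereas the inline tasks they replace were ordinary tasks in `main.yml`; if tagged runs are used with this role, `- import_tasks: dump-server-state.yml` keeps the previous static behaviour. The include is placed after `include_role: evolix/remount-usr`, which the copied file depends on for a writable `/usr`; a one-line comment above the include stating that ordering requirement would prevent someone moving it. The enclosing task list continues past the end of this hunk.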
@ -56,7 +56,7 @@
|
|||
- name: disable root login
|
||||
replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'
|
||||
regexp: '^#PermitRootLogin (yes|without-password|prohibit-password)'
|
||||
replace: "PermitRootLogin no"
|
||||
notify: reload sshd
|
||||
when: evolinux_root_disable_ssh | bool
|
||||
|
|
|
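Review bot: If `'^#PermitRootLogin (yes|without-password|prohibit-password)'` is the new side, as the changelog's "evolinux-user: Update PermitRootLogin task to work on Debian 11" and the parallel evolinux-base hunk in this commit suggest, the task now matches only the commented-out default and no longer rewrites an explicit, active `PermitRootLogin yes`, which is precisely the case a task named "disable root login" exists for; evolinux-base uses an optional hash, `regexp: '^#?PermitRootLogin (yes|without-password|prohibit-password)'`, and this task should do the same. Unlike its evolinux-base sibling this task also has no `validate`, so a bad edit reaches `reload sshd` unchecked; add `validate: '/usr/sbin/sshd -t -f %s'` alongside the `replace:` line.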
@ -35,3 +35,5 @@ haproxy_deny_ips: []
|
|||
haproxy_backports_packages_stretch: haproxy libssl1.0.0
|
||||
haproxy_backports_packages_buster: haproxy
|
||||
haproxy_backports_packages_bullseye: haproxy
|
||||
|
||||
haproxy_allow_ip_nonlocal_bind: Null
|
|
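Review bot: `haproxy_allow_ip_nonlocal_bind: Null` is a tri-state whose meaning is only discoverable from the task that consumes it; yamllint prefers lowercase `null`, and a comment here would save the reader that trip: `# null: leave net.ipv4.ip_nonlocal_bind untouched; true/false: set it to 1/0 in the evolinux sysctl file`. That wording is grounded in the `is not none` guard and the `ternary('1','0')` in the task added by this commit.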
@ -134,4 +134,17 @@
|
|||
- haproxy
|
||||
- logrotate
|
||||
|
||||
- name: Set net.ipv4.ip_nonlocal_bind
|
||||
sysctl:
|
||||
name: net.ipv4.ip_nonlocal_bind
|
||||
value: "{{ haproxy_allow_ip_nonlocal_bind | ternary('1','0') }}"
|
||||
sysctl_file: "{{ evolinux_kernel_sysctl_path | default('/etc/sysctl.d/evolinux.conf') }}"
|
||||
state: present
|
||||
reload: yes
|
||||
tags:
|
||||
- haproxy
|
||||
when:
|
||||
- haproxy_allow_ip_nonlocal_bind is defined
|
||||
- haproxy_allow_ip_nonlocal_bind is not none
|
||||
|
||||
- include: munin.yml
|
||||
|
|
|
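Review bot: `ternary('1','0')` on the `value:` line is applied to the raw variable, and a string such as `"false"` (which is what `-e haproxy_allow_ip_nonlocal_bind=false` on the command line delivers) is a non-empty string and therefore truthy in Jinja, so the sysctl is set to `1`, the opposite of what was asked; coerce first: `value: "{{ haproxy_allow_ip_nonlocal_bind | bool | ternary('1','0') }}"`. Writing into `evolinux_kernel_sysctl_path`, i.e. the evolinux role's `evolinux.conf`, from the haproxy role also couples the two roles; the openvpn role in this same commit uses its own `/etc/sysctl.d/openvpn.conf`, and a dedicated `/etc/sysctl.d/haproxy.conf` would follow that pattern and keep ownership of the setting clear. The enclosing task list continues beyond this hunk.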
@ -219,7 +219,7 @@ ${drbdadm} -- --overwrite-data-of-peer primary "${vmName}"
|
|||
|
||||
if ! isDryRun; then
|
||||
sleep 5
|
||||
drbd-overview | tail -4
|
||||
drbdadm status | tail -4
|
||||
|
||||
drbdDiskPath="/dev/drbd/by-res/${vmName}/0"
|
||||
if ! [ -b "${drbdDiskPath}" ]; then
|
||||
|
|
|
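Review bot: `drbdadm status | tail -4` reports on every configured resource, so the four trailing lines may describe a resource other than the VM just promoted, unlike the old `drbd-overview` output this replaces; `drbdadm status` accepts a resource name, so `drbdadm status "${vmName}"` scopes the output to the right resource and makes the `tail` unnecessary. This is informational only, the real check is the `-b "${drbdDiskPath}"` test on the following lines, and the surrounding function starts and ends outside the hunk.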
@ -70,7 +70,7 @@
|
|||
# WARNING : If the port mapping is different between the host and the container
|
||||
# (ie: Listen on :8090 on host, but :8080 in container)
|
||||
# then you need to give the port used inside the container
|
||||
DOCKER='off'
|
||||
DOCKER='{{ minifirewall_docker }}'
|
||||
|
||||
# Trusted IPv4 local network
|
||||
# ...will be often IP/32 if you don't trust anything
|
||||
|
|
|
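Review bot: `DOCKER='{{ minifirewall_docker }}'` is rendered into a shell variable that minifirewall compares against `on`/`off` (the previous literal was `'off'`); if `minifirewall_docker` is declared as a YAML boolean in the role defaults, which are not visible here, Jinja renders `True`/`False` and the docker mode silently stays unrecognised. Either document next to the variable that it must be the literal string `on` or `off`, or normalise in the template: `DOCKER='{{ minifirewall_docker | bool | ternary("on", "off") }}'`. A value containing a single quote would also break the surrounding shell syntax, which the normalised form rules out.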
@ -0,0 +1,20 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# Verify mounted filesystems are readable and writable.
|
||||
|
||||
filesystems=$*
|
||||
|
||||
exit_code=0
|
||||
for filesystem in $filesystems; do
|
||||
if findmnt --options ro --noheadings "${filesystem}"; then
|
||||
exit_code=2
|
||||
fi
|
||||
done
|
||||
|
||||
if [ $exit_code != 0 ]; then
|
||||
echo "CRITICAL - Above filesystems aren't monted in read and write mode"
|
||||
else
|
||||
echo "OK - All fine"
|
||||
fi
|
||||
|
||||
exit "${exit_code}"
|
|
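Review bot: The loop reports OK for a filesystem that is not mounted at all: `findmnt --options ro` exits non-zero both when the mount is read-write and when there is no such mount, so an unmounted `/var` or `/home` passes this check, which is the opposite of what a "readable and writable" probe should say. Test for presence before testing for `ro`, as below; while there, `[ $exit_code != 0 ]` should be the numeric `[ "${exit_code}" -ne 0 ]`, the message has a typo (`monted`), and an empty argument list should probably exit 3 (UNKNOWN) rather than print OK. Paths in `$*` are word-split, so mount points containing spaces cannot be checked; acceptable if documented at the top of the script.
```shell
exit_code=0
for filesystem in $filesystems; do
    if ! findmnt --noheadings "${filesystem}" > /dev/null; then
        echo "CRITICAL - ${filesystem} is not mounted"
        exit_code=2
    elif findmnt --options ro --noheadings "${filesystem}"; then
        exit_code=2
    fi
done
# … unchanged: final OK/CRITICAL message and exit …
```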
@ -16,12 +16,3 @@
|
|||
tags:
|
||||
- nginx
|
||||
- packages
|
||||
|
||||
- name: Service is running as configured.
|
||||
service:
|
||||
name: nginx
|
||||
state: "{{ nginx_service_state }}"
|
||||
enabled: "{{ nginx_service_enabled }}"
|
||||
tags:
|
||||
- nginx
|
||||
- packages
|
||||
|
|
|
@ -0,0 +1,10 @@
|
|||
/var/log/openvpn.log
|
||||
{
|
||||
weekly
|
||||
rotate 52
|
||||
missingok
|
||||
notifempty
|
||||
delaycompress
|
||||
compress
|
||||
copytruncate
|
||||
}
|
|
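Review bot: `copytruncate` leaves a window between the copy and the truncate in which lines written by the daemon are lost, and it also makes logrotate ignore any `create` directive, so nothing in this file controls the mode of the live or rotated `/var/log/openvpn.log`; since that log records client common names and source addresses, the role should set its permissions explicitly elsewhere, and a comment here should say that is where it happens. If the OpenVPN service can reopen its log on a signal or reload, a `postrotate` hook would avoid the truncate window entirely; that depends on the server configuration outside this hunk, so confirm before switching.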
@ -74,8 +74,8 @@
|
|||
insertafter: "{{ item.insertafter }}"
|
||||
line: "{{ item.line }}"
|
||||
with_items:
|
||||
- { regexp: '^ chmod 644 /etc/shellpki/crl.pem$', line: " chmod 644 /etc/shellpki/crl.pem", insertafter: '^ chmod 640 "\${CACERT}"$' }
|
||||
- { regexp: '^ chmod 755 /etc/shellpki/$', line: " chmod 755 /etc/shellpki/", insertafter: '^ chmod 644 /etc/shellpki/crl.pem$' }
|
||||
- { regexp: '^ chmod 604 /etc/shellpki/crl.pem$', line: " chmod 604 /etc/shellpki/crl.pem", insertafter: '^ chmod 640 "\${CACERT}"$' }
|
||||
- { regexp: '^ chmod 751 /etc/shellpki/$', line: " chmod 751 /etc/shellpki/", insertafter: '^ chmod 604 /etc/shellpki/crl.pem$' }
|
||||
|
||||
- name: Deploy OpenVPN server config
|
||||
template:
|
||||
|
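Review bot: The regexps on the two new `with_items` entries match only the new modes (`604`, `751`), so on a host provisioned with the previous version the old `chmod 644 /etc/shellpki/crl.pem` and `chmod 755 /etc/shellpki/` lines are left in place, and because the new `chmod 604` line is inserted directly after `chmod 640 "${CACERT}"`, i.e. before the stale `chmod 644`, the stale line runs last and the tightening this commit intends is undone on every existing server. Make the regexps mode-agnostic so lineinfile replaces the stale line in place: `regexp: '^ chmod [0-7]+ /etc/shellpki/crl.pem$'` and `regexp: '^ chmod [0-7]+ /etc/shellpki/$'`. `604` granting read to `other` while denying it to the group is unusual enough to deserve a comment on the item stating who is meant to read the CRL. The enclosing lineinfile task starts above this hunk.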
@ -149,6 +149,12 @@
|
|||
value: "1"
|
||||
sysctl_file: "/etc/sysctl.d/openvpn.conf"
|
||||
|
||||
- name: Configure logrotate for OpenVPN
|
||||
copy:
|
||||
src: logrotate_openvpn
|
||||
dest: /etc/logrotate.d/openvpn
|
||||
force: no
|
||||
|
||||
- name: Generate a password for the management interface
|
||||
set_fact:
|
||||
management_pwd: "{{ lookup('password', '/dev/null length=15 chars=ascii_letters,digits') }}"
|
||||
|
|
|
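Review bot: `force: no` on the new logrotate copy means the file is written only when absent, so any later correction to `logrotate_openvpn` in the role will never reach hosts that already have one; if the intent is to let operators keep local rotation edits, say so in a comment, e.g. `# force: no — an existing /etc/logrotate.d/openvpn is left as-is to preserve local changes`, otherwise drop the `force: no` so the role stays authoritative. Also prefer `force: false` over `no` for yamllint's truthy rule.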
@ -65,8 +65,8 @@
|
|||
insertafter: "{{ item.insertafter }}"
|
||||
line: "{{ item.line }}"
|
||||
with_items:
|
||||
- { regexp: '^ chmod 644 /etc/shellpki/crl.pem$', line: " chmod 644 /etc/shellpki/crl.pem", insertafter: '^ chmod 640 "\${CACERT}"$' }
|
||||
- { regexp: '^ chmod 755 /etc/shellpki/$', line: " chmod 755 /etc/shellpki/", insertafter: '^ chmod 644 /etc/shellpki/crl.pem$' }
|
||||
- { regexp: '^ chmod 604 /etc/shellpki/crl.pem$', line: " chmod 604 /etc/shellpki/crl.pem", insertafter: '^ chmod 640 "\${CACERT}"$' }
|
||||
- { regexp: '^ chmod 751 /etc/shellpki/$', line: " chmod 751 /etc/shellpki/", insertafter: '^ chmod 604 /etc/shellpki/crl.pem$' }
|
||||
|
||||
- name: Deploy OpenVPN server config
|
||||
template:
|
||||
|
|
|
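Review bot: The new regexps `'^ chmod 604 /etc/shellpki/crl.pem$'` and `'^ chmod 751 /etc/shellpki/$'` do not match the `chmod 644` / `chmod 755` lines the previous version of this task inserted, so on an already-provisioned host both generations end up in the script; the new `604` line lands right after `chmod 640 "${CACERT}"`, ahead of the stale `644` line, which therefore executes last and restores the wider permissions. Match any mode so the stale line is rewritten rather than duplicated: `regexp: '^ chmod [0-7]+ /etc/shellpki/crl.pem$'` and `regexp: '^ chmod [0-7]+ /etc/shellpki/$'`. A one-line comment explaining why `other` gets read on the CRL while the group does not would also help the next reader. The lineinfile task these items belong to begins outside the hunk.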
@ -6,11 +6,11 @@ $localconf['debug'] = FALSE;
|
|||
$localconf['superadmin'] = array();
|
||||
$localconf['script_path'] = '{{ evoadmin_scripts_dir }}';
|
||||
$localconf['cluster'] = FALSE;
|
||||
// auth (sha256 hashs) / echo -n YourPass | sha256sum
|
||||
|
||||
$oriconf['logins'] = array();
|
||||
//$oriconf['logins']['foo'] = 'd5d3c723fb82cb0078f399888af78204234535ec2ef3da56710fdd51f90d2477';
|
||||
//$oriconf['logins']['bar'] = '7938c84d6e43d1659612a7ea7c1101ed02e52751bb64597a8c20ebaba8ba4303';
|
||||
// Generate password hashes : mkpasswd --method=sha-512 (cli) or with PHP's password_hash()
|
||||
$localconf['logins'] = array();
|
||||
//$localconf['logins']['foo'] = '$6$X0jqa/ausLSBkj4m$dLMMcPGVxak.aDPo4V/GJLm2d8vU8/QA5LbGTuqXCdxSNYU0kRKBgDl16GAyp0GqXXZ5wwDEJKQ1npgFwiuV81';
|
||||
//$localconf['logins']['bar'] = '$6$Q6233S6mlWAF6p.j$LtzwG02YucozwqjAgSpeldh24Mnz7lBuVSbOQYbKKh9FiUx3tMVl6kJZkmrNdPqeadFXKAYXrqn.gy8KposF5.';
|
||||
|
||||
{% if evoadmin_multiphp_versions != [] %}
|
||||
$localconf['php_versions'] = array( {{ evoadmin_multiphp_versions | join(', ') | replace('php', '') }} );
|
||||
|
|
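Review bot: The new comment pairs `mkpasswd --method=sha-512` with `password_hash()`, but `password_hash()` with `PASSWORD_DEFAULT` produces bcrypt `$2y$` hashes while the examples are `$6$` crypt strings; both only work if the login check uses `password_verify()` or an equivalent `crypt()` comparison, which lives outside this template and is worth confirming is not a single-algorithm string compare. `mkpasswd` also defaults to 5000 SHA-512 rounds, which is low for an admin panel; suggest the comment read `// Generate password hashes : mkpasswd --method=sha-512 --rounds=100000 (cli) or PHP's password_hash() (bcrypt by default); both are checked with password_verify()`, adjusting the last clause to what the verifier actually does. Existing deployments that populated `$oriconf['logins']` with SHA-256 values are silently ignored once the key moves to `$localconf['logins']`, which the changelog should mention.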