From 519ef930df2525ac8fdb7beda350b11c4a299986 Mon Sep 17 00:00:00 2001
From: Ludovic Poujol
Date: Tue, 21 Jun 2022 15:13:33 +0200
Subject: [PATCH 01/14] Update PermitRootLogin task to work on Debian 11
---
 CHANGELOG.md | 3 +++
 evolinux-base/tasks/root.yml | 2 +-
 evolinux-users/tasks/ssh.yml | 2 +-
 3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 66f33653..deb6642c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,6 +16,9 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ### Fixed
+* evolinux-base : Update PermitRootLogin task to work on Debian 11
+* evolinux-user : Update PermitRootLogin task to work on Debian 11
+
 ### Removed
 ### Security
diff --git a/evolinux-base/tasks/root.yml b/evolinux-base/tasks/root.yml
index df50d977..3e3d6add 100644
--- a/evolinux-base/tasks/root.yml
+++ b/evolinux-base/tasks/root.yml
@@ -91,7 +91,7 @@
 - name: disable SSH access for root
 replace:
 dest: /etc/ssh/sshd_config
- regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'
+ regexp: '^#?PermitRootLogin (yes|without-password|prohibit-password)'
 replace: "PermitRootLogin no"
 validate: '/usr/sbin/sshd -t -f %s'
 notify: reload sshd
diff --git a/evolinux-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml
index ac2fdf12..b0bf8b58 100644
--- a/evolinux-users/tasks/ssh.yml
+++ b/evolinux-users/tasks/ssh.yml
@@ -56,7 +56,7 @@
 - name: disable root login
 replace:
 dest: /etc/ssh/sshd_config
- regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'
+ regexp: '^#PermitRootLogin (yes|without-password|prohibit-password)'
 replace: "PermitRootLogin no"
 notify: reload sshd
 when: evolinux_root_disable_ssh | bool
From abb14e5b52fd2e83bef96e7727b63b7ed95a7d4d Mon Sep 17 00:00:00 2001 
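Review bot: `replace` only rewrites a line that already matches, so a host whose sshd_config has no `PermitRootLogin` line at all (or only one inside a `Match` block) keeps OpenSSH's built-in default of `prohibit-password` and the task still reports ok. `lineinfile` with `regexp: '^#?PermitRootLogin'` and `line: "PermitRootLogin no"` enforces the setting in every case and stays idempotent. Debian 11's shipped sshd_config also carries an `Include /etc/ssh/sshd_config.d/*.conf` directive near the top, and sshd keeps the first value it reads, so a drop-in there silently wins over this edit; that directory is worth checking in the same task, or the assumption should be stated in a comment. The `validate:` step is the right safeguard and the sibling task in evolinux-users/tasks/ssh.yml should carry it too.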
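Review bot: The new regexp `'^#PermitRootLogin (yes|without-password|prohibit-password)'` matches only a commented-out line, so an active `PermitRootLogin yes` — the case this task exists to disable — is no longer rewritten; the sibling task in evolinux-base/tasks/root.yml uses `^#?PermitRootLogin …`, and this one should read the same: `regexp: '^#?PermitRootLogin (yes|without-password|prohibit-password)'`. This task also has no `validate:` step, unlike the one in root.yml, so a mangled sshd_config would only be noticed when `reload sshd` fails; adding `validate: '/usr/sbin/sshd -t -f %s'` keeps the two tasks consistent.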
From: Jeremy Lecour
Date: Wed, 22 Jun 2022 15:32:10 +0200
Subject: [PATCH 02/14] haproxy: add haproxy_allow_ip_nonlocal_bind to set sysctl value
---
 CHANGELOG.md | 2 ++
 haproxy/defaults/main.yml | 2 ++
 haproxy/tasks/main.yml | 13 +++++++++++++
 3 files changed, 17 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index deb6642c..9c4b3dd5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,8 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ### Added
+* haproxy: add haproxy_allow_ip_nonlocal_bind to set sysctl value (optional)
+
 ### Changed
 ### Fixed
diff --git a/haproxy/defaults/main.yml b/haproxy/defaults/main.yml
index 0745f1a9..50f6bb48 100644
--- a/haproxy/defaults/main.yml
+++ b/haproxy/defaults/main.yml
@@ -35,3 +35,5 @@ haproxy_deny_ips: []
 haproxy_backports_packages_stretch: haproxy libssl1.0.0
 haproxy_backports_packages_buster: haproxy
 haproxy_backports_packages_bullseye: haproxy
+
+haproxy_allow_ip_nonlocal_bind: Null
\ No newline at end of file
diff --git a/haproxy/tasks/main.yml b/haproxy/tasks/main.yml
index d29e3cbc..d38e83af 100644
--- a/haproxy/tasks/main.yml
+++ b/haproxy/tasks/main.yml
@@ -134,4 +134,17 @@
 - haproxy
 - logrotate
+- name: Set net.ipv4.ip_nonlocal_bind
+ sysctl:
+ name: net.ipv4.ip_nonlocal_bind
+ value: "{{ haproxy_allow_ip_nonlocal_bind | ternary('1','0') }}"
+ sysctl_file: "{{ evolinux_kernel_sysctl_path | default('/etc/sysctl.d/evolinux.conf') }}"
+ state: present
+ reload: yes
+ tags:
+ - haproxy
+ when:
+ - haproxy_allow_ip_nonlocal_bind is defined
+ - haproxy_allow_ip_nonlocal_bind is not none
+
 - include: munin.yml
From 205e69935598ff544fcf628218641ca5a2f4e829 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Wed, 22 Jun 2022 17:20:15 +0200
Subject: [PATCH 03/14] minifirewall: docker mode is configurable
---
 CHANGELOG.md | 5 +++--
 minifirewall/tasks/config.yml | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-) 
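Review bot: `haproxy_allow_ip_nonlocal_bind: Null` is accepted because both YAML 1.1 and 1.2 treat `Null` as the null scalar, but the canonical lowercase `null` is what yamllint expects and reads less like a typo; the added line also has no trailing newline (the `\ No newline at end of file` marker). A short comment above the default would tell callers what the three states mean: `# null: leave the sysctl untouched; true/false: write net.ipv4.ip_nonlocal_bind=1/0`.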
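Review bot: `haproxy_allow_ip_nonlocal_bind | ternary('1','0')` tests Jinja truthiness rather than a boolean, so a value that arrives as the string `"false"` (for instance from `-e haproxy_allow_ip_nonlocal_bind=false`, where extra-vars are strings) is truthy and writes `1`, enabling non-local binds host-wide; `value: "{{ haproxy_allow_ip_nonlocal_bind | bool | ternary('1','0') }}"` makes the intent explicit. `reload: yes` should be `reload: true` for consistency with the `true`/`false` convention. Once the setting has been written, putting the variable back to null leaves the previous value in the sysctl file (`state: present` only, and the `when:` skips the task), which deserves a comment since a reader may expect null to mean "revert".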
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9c4b3dd5..c280565b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,8 +18,9 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ### Fixed
-* evolinux-base : Update PermitRootLogin task to work on Debian 11
-* evolinux-user : Update PermitRootLogin task to work on Debian 11
+* evolinux-base: Update PermitRootLogin task to work on Debian 11
+* evolinux-user: Update PermitRootLogin task to work on Debian 11
+* minifirewall: docker mode is configurable
 ### Removed
diff --git a/minifirewall/tasks/config.yml b/minifirewall/tasks/config.yml
index 1ddb9695..c11b83e8 100644
--- a/minifirewall/tasks/config.yml
+++ b/minifirewall/tasks/config.yml
@@ -70,7 +70,7 @@
 # WARNING : If the port mapping is different between the host and the container
 # (ie: Listen on :8090 on host, but :8080 in container)
 # then you need to give the port used inside the container
- DOCKER='off'
+ DOCKER='{{ minifirewall_docker }}'
 # Trusted IPv4 local network
 # ...will be often IP/32 if you don't trust anything
From 07c3c0226f86205c16405472cfffdb7765bbf0a7 Mon Sep 17 00:00:00 2001
From: Jeremy Dubois
Date: Wed, 29 Jun 2022 16:09:04 +0200
Subject: [PATCH 04/14] openvpn: minimal rights on /etc/shellpki/ and crl.pem
---
 CHANGELOG.md | 2 ++
 openvpn/tasks/debian.yml | 4 ++--
 openvpn/tasks/openbsd.yml | 4 ++--
 3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c280565b..ea992fc6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,6 +16,8 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ### Changed
+* openvpn: minimal rights on /etc/shellpki/ and crl.pem
+
 ### Fixed
 * evolinux-base: Update PermitRootLogin task to work on Debian 11
diff --git a/openvpn/tasks/debian.yml b/openvpn/tasks/debian.yml
index 3ace1f4c..8a9978d9 100644
--- a/openvpn/tasks/debian.yml
+++ b/openvpn/tasks/debian.yml 
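Review bot: `DOCKER='{{ minifirewall_docker }}'` is rendered into a single-quoted value of a file that minifirewall reads as shell configuration, so the variable must be one of the accepted values (`on`/`off`) and must not contain a quote. Nothing in this commit declares a default for `minifirewall_docker` (the diffstat lists only CHANGELOG.md and config.yml), so unless it is already defined in the role's defaults the template will fail with an undefined-variable error. An `assert` before the template, `that: minifirewall_docker in ['on', 'off']`, fails early and keeps an unexpected value out of the generated file. The enclosing template block starts before the hunk.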
@@ -74,8 +74,8 @@
 insertafter: "{{ item.insertafter }}"
 line: "{{ item.line }}"
 with_items:
- - { regexp: '^ chmod 644 /etc/shellpki/crl.pem$', line: " chmod 644 /etc/shellpki/crl.pem", insertafter: '^ chmod 640 "\${CACERT}"$' }
- - { regexp: '^ chmod 755 /etc/shellpki/$', line: " chmod 755 /etc/shellpki/", insertafter: '^ chmod 644 /etc/shellpki/crl.pem$' }
+ - { regexp: '^ chmod 604 /etc/shellpki/crl.pem$', line: " chmod 604 /etc/shellpki/crl.pem", insertafter: '^ chmod 640 "\${CACERT}"$' }
+ - { regexp: '^ chmod 751 /etc/shellpki/$', line: " chmod 751 /etc/shellpki/", insertafter: '^ chmod 604 /etc/shellpki/crl.pem$' }
 - name: Deploy OpenVPN server config
 template:
diff --git a/openvpn/tasks/openbsd.yml b/openvpn/tasks/openbsd.yml
index 18cd0156..d3238cea 100644
--- a/openvpn/tasks/openbsd.yml
+++ b/openvpn/tasks/openbsd.yml
@@ -65,8 +65,8 @@
 insertafter: "{{ item.insertafter }}"
 line: "{{ item.line }}"
 with_items:
- - { regexp: '^ chmod 644 /etc/shellpki/crl.pem$', line: " chmod 644 /etc/shellpki/crl.pem", insertafter: '^ chmod 640 "\${CACERT}"$' }
- - { regexp: '^ chmod 755 /etc/shellpki/$', line: " chmod 755 /etc/shellpki/", insertafter: '^ chmod 644 /etc/shellpki/crl.pem$' }
+ - { regexp: '^ chmod 604 /etc/shellpki/crl.pem$', line: " chmod 604 /etc/shellpki/crl.pem", insertafter: '^ chmod 640 "\${CACERT}"$' }
+ - { regexp: '^ chmod 751 /etc/shellpki/$', line: " chmod 751 /etc/shellpki/", insertafter: '^ chmod 604 /etc/shellpki/crl.pem$' }
 - name: Deploy OpenVPN server config
 template:
From 68ac8fc058e077f3c678a89a323b020c1d650612 Mon Sep 17 00:00:00 2001
From: Jeremy Dubois
Date: Thu, 30 Jun 2022 10:11:12 +0200
Subject: [PATCH 05/14] openvpn: configure logrotate
---
 CHANGELOG.md | 1 +
 openvpn/files/logrotate_openvpn | 10 ++++++++++
 openvpn/tasks/debian.yml | 6 ++++++
 3 files changed, 17 insertions(+)
 create mode 100644 openvpn/files/logrotate_openvpn
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ea992fc6..d2a42256 100644
--- a/CHANGELOG.md 
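Review bot: Changing the regexp from `chmod 644` to `chmod 604` (and `755` to `751`) means that on a host whose script already holds the old lines, `lineinfile` no longer matches them: it inserts the new `chmod 604`/`chmod 751` lines right after their `insertafter` anchors and, presumably, leaves the old `chmod 644`/`chmod 755` lines in place below them, so the wider permissions are applied last and the hardening is not effective there. Matching either mode, `regexp: '^ chmod (644|604) /etc/shellpki/crl.pem$'` and `regexp: '^ chmod (755|751) /etc/shellpki/$'`, replaces the existing lines in place. The identical hunk in openvpn/tasks/openbsd.yml has the same problem. Mode `604` (no group access, other read) looks deliberate but is unusual enough that a one-line comment explaining which account needs the read bit would help the next reader.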
+++ b/CHANGELOG.md
@@ -13,6 +13,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ### Added
 * haproxy: add haproxy_allow_ip_nonlocal_bind to set sysctl value (optional)
+* openvpn: configure logrotate
 ### Changed
diff --git a/openvpn/files/logrotate_openvpn b/openvpn/files/logrotate_openvpn
new file mode 100644
index 00000000..e240faf6
--- /dev/null
+++ b/openvpn/files/logrotate_openvpn
@@ -0,0 +1,10 @@
+/var/log/openvpn.log
+{
+ weekly
+ rotate 52
+ missingok
+ notifempty
+ delaycompress
+ compress
+ copytruncate
+}
diff --git a/openvpn/tasks/debian.yml b/openvpn/tasks/debian.yml
index 8a9978d9..4c2f6c5d 100644
--- a/openvpn/tasks/debian.yml
+++ b/openvpn/tasks/debian.yml
@@ -149,6 +149,12 @@
 value: "1"
 sysctl_file: "/etc/sysctl.d/openvpn.conf"
+- name: Configure logrotate for OpenVPN
+ copy:
+ src: logrotate_openvpn
+ dest: /etc/logrotate.d/openvpn
+ force: no
+
 - name: Generate a password for the management interface
 set_fact:
 management_pwd: "{{ lookup('password', '/dev/null length=15 chars=ascii_letters,digits') }}"
From 34a3591192eec1b3c4a358f0e925661d117c1723 Mon Sep 17 00:00:00 2001
From: Eric Morino
Date: Tue, 5 Jul 2022 10:16:47 +0200
Subject: [PATCH 06/14] Fix depreciation of drbd-overview by drbdadm status
---
 kvm-host/files/add-vm.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kvm-host/files/add-vm.sh b/kvm-host/files/add-vm.sh
index 51b5c737..78acfe1c 100755
--- a/kvm-host/files/add-vm.sh
+++ b/kvm-host/files/add-vm.sh
@@ -219,7 +219,7 @@ ${drbdadm} -- --overwrite-data-of-peer primary "${vmName}"
 if ! isDryRun; then
 sleep 5
- drbd-overview | tail -4
+ drbdadm status | tail -4
 drbdDiskPath="/dev/drbd/by-res/${vmName}/0"
 if ! [ -b "${drbdDiskPath}" ]; then
From 028bfe209a88ad88bf166b0c298c9a3bc742dcdd Mon Sep 17 00:00:00 2001
From: Eric Morino
Date: Tue, 5 Jul 2022 10:18:49 +0200
Subject: [PATCH 07/14] Add change in kvm-host
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+) 
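Review bot: The `copy` task for /etc/logrotate.d/openvpn sets no `owner`, `group` or `mode`, so the file's permissions depend on the umask in effect; logrotate skips a drop-in that is group- or world-writable (it reports a "bad file mode" and ignores the file), so pinning `owner: root`, `group: root` and `mode: "0644"` makes the task deterministic. `force: no` should read `force: false`, and it also means a later change to logrotate_openvpn is never deployed to hosts that already have the file — acceptable if intended, but worth a one-line comment. The stanza's `copytruncate` is the right choice when OpenVPN keeps the log file open and no reload hook is configured.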
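Review bot: `drbdadm status` without a resource argument reports every resource on the host, so `tail -4` shows whichever resource happens to be listed last rather than the one just promoted, whereas the old `drbd-overview` printed roughly one line per resource and `tail -4` was a reasonable window. Passing the resource, `drbdadm status "${vmName}"`, scopes the output to the new VM and makes the `tail` unnecessary. The enclosing function of add-vm.sh continues outside the hunk.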
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d2a42256..5f430136 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * haproxy: add haproxy_allow_ip_nonlocal_bind to set sysctl value (optional)
 * openvpn: configure logrotate
+* kvm-host: fix depreciation of "drbd-overview" by "drbdadm status" in add-vm.sh
 ### Changed
From e198cf67dc4e06ca7320ad924d29621b300fa703 Mon Sep 17 00:00:00 2001
From: Ludovic Poujol
Date: Tue, 5 Jul 2022 11:26:36 +0200
Subject: [PATCH 08/14] evoadmin-web: Update comment in template on how password hashes should be generated
---
 webapps/evoadmin-web/templates/config.local.php.j2 | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/webapps/evoadmin-web/templates/config.local.php.j2 b/webapps/evoadmin-web/templates/config.local.php.j2
index d4cd4903..335bc34b 100644
--- a/webapps/evoadmin-web/templates/config.local.php.j2
+++ b/webapps/evoadmin-web/templates/config.local.php.j2 
@@ -6,11 +6,11 @@ $localconf['debug'] = FALSE;
 $localconf['superadmin'] = array();
 $localconf['script_path'] = '{{ evoadmin_scripts_dir }}';
 $localconf['cluster'] = FALSE;
-// auth (sha256 hashs) / echo -n YourPass | sha256sum
-$oriconf['logins'] = array();
-//$oriconf['logins']['foo'] = 'd5d3c723fb82cb0078f399888af78204234535ec2ef3da56710fdd51f90d2477';
-//$oriconf['logins']['bar'] = '7938c84d6e43d1659612a7ea7c1101ed02e52751bb64597a8c20ebaba8ba4303';
+// Generate password hashes : mkpasswd --method=sha-512 (cli) or with PHP's password_hash()
+$localconf['logins'] = array();
+//$localconf['logins']['foo'] = '$6$X0jqa/ausLSBkj4m$dLMMcPGVxak.aDPo4V/GJLm2d8vU8/QA5LbGTuqXCdxSNYU0kRKBgDl16GAyp0GqXXZ5wwDEJKQ1npgFwiuV81';
+//$localconf['logins']['bar'] = '$6$Q6233S6mlWAF6p.j$LtzwG02YucozwqjAgSpeldh24Mnz7lBuVSbOQYbKKh9FiUx3tMVl6kJZkmrNdPqeadFXKAYXrqn.gy8KposF5.';
 {% if evoadmin_multiphp_versions != [] %}
 $localconf['php_versions'] = array( {{ evoadmin_multiphp_versions | join(', ') | replace('php', '') }} );
From 71879b999c22b47927ac7fab6c588d3571263b08 Mon Sep 17 00:00:00 2001
From: Brice Waegeneire
Date: Wed, 1 Jun 2022 16:42:36 +0200
Subject: [PATCH 09/14] nginx: Start server once.
Nginx is already started at the end of the main task. Starting the service before we configure it correctly can put the role as failed if the default configuration don't work on the host.
---
 evolinux-base/tasks/top.yml | 8 +++-----
 nginx/tasks/packages.yml | 9 ---------
 2 files changed, 3 insertions(+), 14 deletions(-)
diff --git a/evolinux-base/tasks/top.yml b/evolinux-base/tasks/top.yml
index 64fdf6b6..367791e7 100644
--- a/evolinux-base/tasks/top.yml
+++ b/evolinux-base/tasks/top.yml
@@ -1,7 +1,5 @@
 ---
 - name: Deploy top configuration file
- copy:
- # The config format is unredable; ATM it only add the SWAP column
- src: topdefaultrc
- dest: /etc/topdefaultrc
- mode: "0644"
+ file:
+ path: /etc/topdefaultrc
+ state: absent 
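Review bot: Besides the comment, the hunk renames the commented example array from `$oriconf['logins']` to `$localconf['logins']`, which the subject ("Update comment") does not mention; if evoadmin-web reads `$oriconf['logins']`, as the removed lines suggest, the new example points operators at a key the application ignores — worth confirming against the application and stating in the commit message. The advice itself is sound: `password_hash()` (bcrypt by default) is preferable to `mkpasswd --method=sha-512`, and since `password_verify()` is compatible with crypt(3) formats both kinds of hash stay valid. The `$6$` strings in the comments are example values rather than credentials, but a short `// example values only, never reuse` note avoids a false positive from secret scanners and discourages copy-paste.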
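Review bot: The task now runs `file:` with `state: absent` but keeps the name `Deploy top configuration file`, so play output will claim to deploy a file it removes; rename it, e.g. `- name: Remove top configuration file (/etc/topdefaultrc)`. This evolinux-base change is also unrelated to the nginx subject and the commit message does not say why the file is dropped, so a one-line comment in the task (why the previous config is no longer wanted, and whether deleting it is safe on hosts where an operator customised it) and a CHANGELOG entry would help.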
diff --git a/nginx/tasks/packages.yml b/nginx/tasks/packages.yml
index f9a500c0..f2c0596f 100644
--- a/nginx/tasks/packages.yml
+++ b/nginx/tasks/packages.yml
@@ -16,12 +16,3 @@
 tags:
 - nginx
 - packages
-
-- name: Service is running as configured.
- service:
- name: nginx
- state: "{{ nginx_service_state }}"
- enabled: "{{ nginx_service_enabled }}"
- tags:
- - nginx
- - packages
From 4d50bab03bd4aace1a9e281069f1b05af38af955 Mon Sep 17 00:00:00 2001
From: Brice Waegeneire
Date: Tue, 5 Jul 2022 15:55:47 +0200
Subject: [PATCH 10/14] base: Extract dump-server-state in task file
---
 evolinux-base/tasks/dump-server-state.yml | 15 +++++++++++++++
 evolinux-base/tasks/utils.yml | 17 ++---------------
 2 files changed, 17 insertions(+), 15 deletions(-)
 create mode 100644 evolinux-base/tasks/dump-server-state.yml
diff --git a/evolinux-base/tasks/dump-server-state.yml b/evolinux-base/tasks/dump-server-state.yml
new file mode 100644
index 00000000..7d4a55cd
--- /dev/null
+++ b/evolinux-base/tasks/dump-server-state.yml
@@ -0,0 +1,15 @@
+- name: dump-server-state script is present
+ copy:
+ src: "dump-server-state.sh"
+ dest: /usr/local/sbin/dump-server-state
+ force: True
+ owner: root
+ group: root
+ mode: "0750"
+
+- name: symlink backup-server-state to dump-server-state
+ file:
+ src: /usr/local/sbin/dump-server-state
+ dest: /usr/local/sbin/backup-server-state
+ state: link
+ force: yes
diff --git a/evolinux-base/tasks/utils.yml b/evolinux-base/tasks/utils.yml
index 6c9e27b0..8236bd92 100644
--- a/evolinux-base/tasks/utils.yml
+++ b/evolinux-base/tasks/utils.yml 
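Review bot: The new task file mixes boolean spellings — `force: True` in the copy task and `force: yes` in the symlink task; `force: true` in both places matches the `true`/`false` convention used elsewhere in this series and avoids the YAML 1.1 truthy ambiguity. A `---` document start at the top would match the other task files (evolinux-base/tasks/top.yml has one). Installing the script root-owned with `mode: "0750"` keeps a state-dump tool away from unprivileged users, which is the right default. Since the file is pulled in with `include_tasks`, tags set on the including line do not propagate to these tasks unless `apply:` is used, which is worth a comment if callers select by tag.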
@@ -3,21 +3,8 @@
 - include_role:
 name: evolix/remount-usr
-- name: dump-server-state script is present
- copy:
- src: "dump-server-state.sh"
- dest: /usr/local/sbin/dump-server-state
- force: True
- owner: root
- group: root
- mode: "0750"
-
-- name: symlink backup-server-state to dump-server-state
- file:
- src: /usr/local/sbin/dump-server-state
- dest: /usr/local/sbin/backup-server-state
- state: link
- force: yes
+- include_tasks:
+ file: dump-server-state.yml
 - name: "/sbin/deny script is present"
 copy:
From 6d73acc866f1c33a82cfe3b3b67836a363954c60 Mon Sep 17 00:00:00 2001
From: Brice Waegeneire
Date: Tue, 5 Jul 2022 16:00:22 +0200
Subject: [PATCH 11/14] Add nagios check mount rw
---
 nagios-nrpe/files/plugins/check_readwrite | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100755 nagios-nrpe/files/plugins/check_readwrite
diff --git a/nagios-nrpe/files/plugins/check_readwrite b/nagios-nrpe/files/plugins/check_readwrite
new file mode 100755
index 00000000..578d9740
--- /dev/null
+++ b/nagios-nrpe/files/plugins/check_readwrite
@@ -0,0 +1,20 @@
+#!/bin/sh
+#
+# Verify mounted filesystems are readable and writable.
+filesystems=$*
+exit_code=0
+for filesystem in $filesystems; do
+ if findmnt --options ro --noheadings "${filesystem}"; then
+ exit_code=2
+ fi
+done
+
+if [ $exit_code != 0 ]; then
+ echo "CRITICAL - Above filesystems aren't monted in read and write mode"
+else
+ echo "OK - All fine"
+fi
+
+exit "${exit_code}"
From 0a3bfd7f270763b6883ff07a43acab2fa5ecb5d0 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Wed, 6 Jul 2022 14:24:38 +0200
Subject: [PATCH 12/14] evolinux-base: session timeout is configurable
---
 CHANGELOG.md | 1 +
 evolinux-base/defaults/main.yml | 1 +
 evolinux-base/tasks/system.yml | 3 ++-
 3 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5f430136..43aa9b9b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md 
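Review bot: The plugin prints the raw `findmnt` row(s) first and the `CRITICAL - …` summary last, but Nagios and NRPE treat the first line of output as the status text (older NRPE versions return only that first line), so the alert shows a findmnt row instead of the message; collecting the failing mount points and printing the summary line first fixes that. With no argument the loop does not run and the check reports `OK - All fine`, which hides a misconfigured command definition, so exiting 3 (UNKNOWN) there is safer. Minor: `$exit_code != 0` is a string comparison (prefer `-ne` with the variable quoted), and "monted" is a typo in the CRITICAL message.
```shell
filesystems=$*
if [ -z "${filesystems}" ]; then
    echo "UNKNOWN - no filesystem given"
    exit 3
fi

exit_code=0
failed=""
for filesystem in $filesystems; do
    if findmnt --options ro --noheadings "${filesystem}" > /dev/null; then
        exit_code=2
        failed="${failed} ${filesystem}"
    fi
done

if [ "${exit_code}" -ne 0 ]; then
    echo "CRITICAL - not mounted read-write:${failed}"
else
    echo "OK - All fine"
fi
# … unchanged: exit "${exit_code}" …
```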
@@ -12,6 +12,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ### Added
+* evolinux-base: session timeout is configurable (default: 36000 seconds = 10 hours)
 * haproxy: add haproxy_allow_ip_nonlocal_bind to set sysctl value (optional)
 * openvpn: configure logrotate
 * kvm-host: fix depreciation of "drbd-overview" by "drbdadm status" in add-vm.sh
diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml
index 6f28fd5e..ee307015 100644
--- a/evolinux-base/defaults/main.yml
+++ b/evolinux-base/defaults/main.yml
@@ -107,6 +107,7 @@ evolinux_system_profile: True
 evolinux_system_dirmode_adduser: True
 evolinux_system_restrict_securetty: False
 evolinux_system_set_timeout: True
+evolinux_system_timeout: 36000
 evolinux_system_cron_verboselog: True
 evolinux_system_cron_umask: True
 evolinux_system_cron_random: True
diff --git a/evolinux-base/tasks/system.yml b/evolinux-base/tasks/system.yml
index e5363fed..5d71e827 100644
--- a/evolinux-base/tasks/system.yml
+++ b/evolinux-base/tasks/system.yml
@@ -77,7 +77,8 @@
 - name: Setting TMOUT to disconnect inactive users
 lineinfile:
 dest: /etc/profile.d/evolinux.sh
- line: "export TMOUT=36000"
+ line: "export TMOUT={{ evolinux_system_timeout }}"
+ regexp: "^export TMOUT="
 create: yes
 state: present
 when: evolinux_system_set_timeout | bool
From a3873044837fada56403446c48c575032a8a5efe Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Wed, 6 Jul 2022 14:26:13 +0200
Subject: [PATCH 13/14] Fix CHANGELOG
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 43aa9b9b..9201a629 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md 
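Review bot: `export TMOUT={{ evolinux_system_timeout }}` is rendered without any type check, so a non-numeric or empty override produces a line the shell accepts silently and then ignores, which disables the idle logout without any failure in the play; an `assert` ahead of the task, `that: evolinux_system_timeout | int > 0`, makes a bad value fail at play time. A plain `export` is also only a default — any user can `unset TMOUT` in their own rc file — so if the intent is enforcement rather than a default, the usual companion is a `readonly TMOUT` line written by a second `lineinfile`, which is worth either doing or documenting as a known limit in a comment on the task. The added `regexp: "^export TMOUT="` is the right fix: without it, changing the value would append a second line instead of replacing the first. `create: yes` should read `create: true`.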
@@ -14,8 +14,8 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * evolinux-base: session timeout is configurable (default: 36000 seconds = 10 hours)
 * haproxy: add haproxy_allow_ip_nonlocal_bind to set sysctl value (optional)
-* openvpn: configure logrotate
 * kvm-host: fix depreciation of "drbd-overview" by "drbdadm status" in add-vm.sh
+* openvpn: configure logrotate
 ### Changed
From 53847d99195aa6d35a5f64dda988b2c2ae3b625b Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Wed, 6 Jul 2022 18:02:42 +0200
Subject: [PATCH 14/14] Release 22.07
---
 CHANGELOG.md | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9201a629..2429f2fe 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,18 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ### Added
+### Changed
+
+### Fixed
+
+### Removed
+
+### Security
+
+## [22.07] 2022-07-06
+
+### Added
+
 * evolinux-base: session timeout is configurable (default: 36000 seconds = 10 hours)
 * haproxy: add haproxy_allow_ip_nonlocal_bind to set sysctl value (optional)
 * kvm-host: fix depreciation of "drbd-overview" by "drbdadm status" in add-vm.sh
@@ -27,10 +39,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * evolinux-user: Update PermitRootLogin task to work on Debian 11
 * minifirewall: docker mode is configurable
-### Removed
-
-### Security
-
 ## [22.06.3] 2022-06-17
 ### Changed