Merge branch 'unstable' into stable
f8cb5d9496
19
CHANGELOG.md
19
CHANGELOG.md
|
@ -20,6 +20,25 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
|
|
||||||
### Security
|
### Security
|
||||||
|
|
||||||
|
## [22.07] 2022-07-06
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
* evolinux-base: session timeout is configurable (default: 36000 seconds = 10 hours)
|
||||||
|
* haproxy: add haproxy_allow_ip_nonlocal_bind to set sysctl value (optional)
|
||||||
|
* kvm-host: fix depreciation of "drbd-overview" by "drbdadm status" in add-vm.sh
|
||||||
|
* openvpn: configure logrotate
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
|
||||||
|
* openvpn: minimal rights on /etc/shellpki/ and crl.pem
|
||||||
|
|
||||||
|
### Fixed
|
||||||
|
|
||||||
|
* evolinux-base: Update PermitRootLogin task to work on Debian 11
|
||||||
|
* evolinux-user: Update PermitRootLogin task to work on Debian 11
|
||||||
|
* minifirewall: docker mode is configurable
|
||||||
|
|
||||||
## [22.06.3] 2022-06-17
|
## [22.06.3] 2022-06-17
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
|
|
@ -107,6 +107,7 @@ evolinux_system_profile: True
|
||||||
evolinux_system_dirmode_adduser: True
|
evolinux_system_dirmode_adduser: True
|
||||||
evolinux_system_restrict_securetty: False
|
evolinux_system_restrict_securetty: False
|
||||||
evolinux_system_set_timeout: True
|
evolinux_system_set_timeout: True
|
||||||
|
evolinux_system_timeout: 36000
|
||||||
evolinux_system_cron_verboselog: True
|
evolinux_system_cron_verboselog: True
|
||||||
evolinux_system_cron_umask: True
|
evolinux_system_cron_umask: True
|
||||||
evolinux_system_cron_random: True
|
evolinux_system_cron_random: True
|
||||||
|
|
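Review bot: The new default `evolinux_system_timeout: 36000` carries no documentation, and because it is consumed as `export TMOUT=...` a value of 0 (or an empty string) silently disables the idle logout while `evolinux_system_set_timeout` is still true. A comment on the new line would make the contract explicit: `evolinux_system_timeout: 36000  # idle shell timeout in seconds (10 h); 0 disables it`. The defaults file this hunk belongs to is not named on the page, so the consumer is inferred from the TMOUT task in this same commit.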
15
evolinux-base/tasks/dump-server-state.yml
Normal file
15
evolinux-base/tasks/dump-server-state.yml
Normal file
|
@ -0,0 +1,15 @@
|
||||||
|
- name: dump-server-state script is present
|
||||||
|
copy:
|
||||||
|
src: "dump-server-state.sh"
|
||||||
|
dest: /usr/local/sbin/dump-server-state
|
||||||
|
force: True
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0750"
|
||||||
|
|
||||||
|
- name: symlink backup-server-state to dump-server-state
|
||||||
|
file:
|
||||||
|
src: /usr/local/sbin/dump-server-state
|
||||||
|
dest: /usr/local/sbin/backup-server-state
|
||||||
|
state: link
|
||||||
|
force: yes
|
|
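Review bot: The two tasks in the new file spell the same boolean differently, `force: True` on the copy task and `force: yes` on the symlink task. Both parse as true, but yamllint's truthy rule flags the `yes` form and mixed spellings read as if they meant different things; `force: true` in both places keeps the file consistent with the `| bool` convention used by the `when:` clauses elsewhere in this commit.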
@ -91,7 +91,7 @@
|
||||||
- name: disable SSH access for root
|
- name: disable SSH access for root
|
||||||
replace:
|
replace:
|
||||||
dest: /etc/ssh/sshd_config
|
dest: /etc/ssh/sshd_config
|
||||||
regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'
|
regexp: '^#?PermitRootLogin (yes|without-password|prohibit-password)'
|
||||||
replace: "PermitRootLogin no"
|
replace: "PermitRootLogin no"
|
||||||
validate: '/usr/sbin/sshd -t -f %s'
|
validate: '/usr/sbin/sshd -t -f %s'
|
||||||
notify: reload sshd
|
notify: reload sshd
|
||||||
|
|
|
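Review bot: Making the leading `#` optional lets the task uncomment Debian 11's default `#PermitRootLogin prohibit-password`, but the task still only edits /etc/ssh/sshd_config, and on Debian 11 that file begins with `Include /etc/ssh/sshd_config.d/*.conf`; sshd keeps the first value it reads, so a drop-in that sets PermitRootLogin takes precedence over whatever this task writes. If the role is meant to guarantee that root SSH login is off, it should also verify the effective value (for example a follow-up task running `sshd -T` and asserting it reports `permitrootlogin no`) or manage the drop-in directory as well. The `validate` and `notify` lines are unchanged here, so only the regexp line is in question.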
@ -77,7 +77,8 @@
|
||||||
- name: Setting TMOUT to disconnect inactive users
|
- name: Setting TMOUT to disconnect inactive users
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: /etc/profile.d/evolinux.sh
|
dest: /etc/profile.d/evolinux.sh
|
||||||
line: "export TMOUT=36000"
|
line: "export TMOUT={{ evolinux_system_timeout }}"
|
||||||
|
regexp: "^export TMOUT="
|
||||||
create: yes
|
create: yes
|
||||||
state: present
|
state: present
|
||||||
when: evolinux_system_set_timeout | bool
|
when: evolinux_system_set_timeout | bool
|
||||||
|
|
|
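Review bot: The interpolated `export TMOUT={{ evolinux_system_timeout }}` is written without validation, so a value of 0, an empty string or a non-integer yields a line that either disables the idle logout or is ignored by the shell, while the task still reports the timeout as set. A short `assert` before this task, e.g. `that: evolinux_system_timeout | int > 0`, would catch that early. Separately, a plain export is undone by any user with `unset TMOUT`; if the timeout is intended as a control rather than a convenience the profile snippet should also declare `readonly TMOUT`, which the new `regexp: "^export TMOUT="` would then need to account for.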
@ -1,7 +1,5 @@
|
||||||
---
|
---
|
||||||
- name: Deploy top configuration file
|
- name: Deploy top configuration file
|
||||||
copy:
|
file:
|
||||||
# The config format is unredable; ATM it only add the SWAP column
|
path: /etc/topdefaultrc
|
||||||
src: topdefaultrc
|
state: absent
|
||||||
dest: /etc/topdefaultrc
|
|
||||||
mode: "0644"
|
|
||||||
|
|
|
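Review bot: The task is now a removal (`file:` with `state: absent` on /etc/topdefaultrc) but its name still reads `Deploy top configuration file`, so play output will report the file as deployed when it was in fact deleted. Rename it to match, e.g. `- name: Remove top configuration file (/etc/topdefaultrc)`, and since the explanatory comment about the SWAP column was dropped together with the copy, a one-line comment on why the file is no longer shipped would help the next reader.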
@ -3,21 +3,8 @@
|
||||||
- include_role:
|
- include_role:
|
||||||
name: evolix/remount-usr
|
name: evolix/remount-usr
|
||||||
|
|
||||||
- name: dump-server-state script is present
|
- include_tasks:
|
||||||
copy:
|
file: dump-server-state.yml
|
||||||
src: "dump-server-state.sh"
|
|
||||||
dest: /usr/local/sbin/dump-server-state
|
|
||||||
force: True
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: "0750"
|
|
||||||
|
|
||||||
- name: symlink backup-server-state to dump-server-state
|
|
||||||
file:
|
|
||||||
src: /usr/local/sbin/dump-server-state
|
|
||||||
dest: /usr/local/sbin/backup-server-state
|
|
||||||
state: link
|
|
||||||
force: yes
|
|
||||||
|
|
||||||
- name: "/sbin/deny script is present"
|
- name: "/sbin/deny script is present"
|
||||||
copy:
|
copy:
|
||||||
|
|
|
@ -56,7 +56,7 @@
|
||||||
- name: disable root login
|
- name: disable root login
|
||||||
replace:
|
replace:
|
||||||
dest: /etc/ssh/sshd_config
|
dest: /etc/ssh/sshd_config
|
||||||
regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'
|
regexp: '^#PermitRootLogin (yes|without-password|prohibit-password)'
|
||||||
replace: "PermitRootLogin no"
|
replace: "PermitRootLogin no"
|
||||||
notify: reload sshd
|
notify: reload sshd
|
||||||
when: evolinux_root_disable_ssh | bool
|
when: evolinux_root_disable_ssh | bool
|
||||||
|
|
|
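Review bot: The new regexp `'^#PermitRootLogin (yes|without-password|prohibit-password)'` makes the leading `#` mandatory, so an active `PermitRootLogin yes` line, which the previous regexp handled, is no longer matched and root SSH login stays enabled on such hosts without the task reporting anything. The sibling task in the `@ -91,7 +91,7` hunk above uses `^#?PermitRootLogin`, which covers both the commented Debian 11 default and an explicit directive; this line should use the same pattern: `regexp: '^#?PermitRootLogin (yes|without-password|prohibit-password)'`.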
@ -35,3 +35,5 @@ haproxy_deny_ips: []
|
||||||
haproxy_backports_packages_stretch: haproxy libssl1.0.0
|
haproxy_backports_packages_stretch: haproxy libssl1.0.0
|
||||||
haproxy_backports_packages_buster: haproxy
|
haproxy_backports_packages_buster: haproxy
|
||||||
haproxy_backports_packages_bullseye: haproxy
|
haproxy_backports_packages_bullseye: haproxy
|
||||||
|
|
||||||
|
haproxy_allow_ip_nonlocal_bind: Null
|
|
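Review bot: `haproxy_allow_ip_nonlocal_bind: Null` introduces a three-state variable (null = leave the sysctl alone, true/false = set it) without saying so, and the capitalised `Null` is unusual: it parses as null under the YAML core schema, but lowercase `null` is the conventional spelling and the one yamllint expects. Suggest `haproxy_allow_ip_nonlocal_bind: null  # null = do not manage net.ipv4.ip_nonlocal_bind; true/false = set it to 1/0`, since enabling non-local binding widens what HAProxy and anything else on the host may bind to and should be a deliberate choice.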
@ -134,4 +134,17 @@
|
||||||
- haproxy
|
- haproxy
|
||||||
- logrotate
|
- logrotate
|
||||||
|
|
||||||
|
- name: Set net.ipv4.ip_nonlocal_bind
|
||||||
|
sysctl:
|
||||||
|
name: net.ipv4.ip_nonlocal_bind
|
||||||
|
value: "{{ haproxy_allow_ip_nonlocal_bind | ternary('1','0') }}"
|
||||||
|
sysctl_file: "{{ evolinux_kernel_sysctl_path | default('/etc/sysctl.d/evolinux.conf') }}"
|
||||||
|
state: present
|
||||||
|
reload: yes
|
||||||
|
tags:
|
||||||
|
- haproxy
|
||||||
|
when:
|
||||||
|
- haproxy_allow_ip_nonlocal_bind is defined
|
||||||
|
- haproxy_allow_ip_nonlocal_bind is not none
|
||||||
|
|
||||||
- include: munin.yml
|
- include: munin.yml
|
||||||
|
|
|
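Review bot: `value: "{{ haproxy_allow_ip_nonlocal_bind | ternary('1','0') }}"` applies ternary to the raw variable, so a string value such as `"false"` or `"no"` (for example from `-e` on the command line) is truthy in Jinja and writes `net.ipv4.ip_nonlocal_bind = 1`, the permissive setting, when the operator meant the opposite. Coerce first: `value: "{{ haproxy_allow_ip_nonlocal_bind | bool | ternary('1','0') }}"`; the `is not none` guard in `when:` already keeps the null default out of this path. `reload: yes` would also read better as `reload: true`, matching the `| bool` style used in the conditions.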
@ -219,7 +219,7 @@ ${drbdadm} -- --overwrite-data-of-peer primary "${vmName}"
|
||||||
|
|
||||||
if ! isDryRun; then
|
if ! isDryRun; then
|
||||||
sleep 5
|
sleep 5
|
||||||
drbd-overview | tail -4
|
drbdadm status | tail -4
|
||||||
|
|
||||||
drbdDiskPath="/dev/drbd/by-res/${vmName}/0"
|
drbdDiskPath="/dev/drbd/by-res/${vmName}/0"
|
||||||
if ! [ -b "${drbdDiskPath}" ]; then
|
if ! [ -b "${drbdDiskPath}" ]; then
|
||||||
|
|
|
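Review bot: `drbd-overview` printed one compact line per resource, which is why `tail -4` was enough, but `drbdadm status` prints a multi-line block per resource, so on a host with several VMs `tail -4` may show a fragment of the last resource's block rather than the state of the one just created. Scoping the call to the resource avoids that: `drbdadm status "${vmName}" | tail -4`, or drop the `tail` altogether since the output is then limited to that resource. The enclosing `if ! isDryRun; then` block continues outside the hunk.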
@ -70,7 +70,7 @@
|
||||||
# WARNING : If the port mapping is different between the host and the container
|
# WARNING : If the port mapping is different between the host and the container
|
||||||
# (ie: Listen on :8090 on host, but :8080 in container)
|
# (ie: Listen on :8090 on host, but :8080 in container)
|
||||||
# then you need to give the port used inside the container
|
# then you need to give the port used inside the container
|
||||||
DOCKER='off'
|
DOCKER='{{ minifirewall_docker }}'
|
||||||
|
|
||||||
# Trusted IPv4 local network
|
# Trusted IPv4 local network
|
||||||
# ...will be often IP/32 if you don't trust anything
|
# ...will be often IP/32 if you don't trust anything
|
||||||
|
|
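Review bot: `DOCKER='{{ minifirewall_docker }}'` renders whatever the variable holds straight into the firewall script, and minifirewall appears to expect the literal `on`/`off` strings (the previous value was `'off'`); an Ansible boolean passed as `minifirewall_docker: true` renders as `True`, which is presumably treated as not-`on`, so docker mode silently stays off. Normalising in the template accepts both spellings, since Ansible's `bool` filter understands on/off as well as true/false: `DOCKER='{{ minifirewall_docker | bool | ternary("on", "off") }}'`. The role's default for the variable is not visible in this hunk, so confirm against the defaults file before changing the template.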
20
nagios-nrpe/files/plugins/check_readwrite
Executable file
20
nagios-nrpe/files/plugins/check_readwrite
Executable file
|
@ -0,0 +1,20 @@
|
||||||
|
#!/bin/sh
|
||||||
|
#
|
||||||
|
# Verify mounted filesystems are readable and writable.
|
||||||
|
|
||||||
|
filesystems=$*
|
||||||
|
|
||||||
|
exit_code=0
|
||||||
|
for filesystem in $filesystems; do
|
||||||
|
if findmnt --options ro --noheadings "${filesystem}"; then
|
||||||
|
exit_code=2
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
if [ $exit_code != 0 ]; then
|
||||||
|
echo "CRITICAL - Above filesystems aren't monted in read and write mode"
|
||||||
|
else
|
||||||
|
echo "OK - All fine"
|
||||||
|
fi
|
||||||
|
|
||||||
|
exit "${exit_code}"
|
|
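Review bot: With no arguments `filesystems=$*` is empty, the loop body never runs and the script prints `OK - All fine` with exit 0, so a misconfigured NRPE command definition reports a healthy host without checking anything. Guard the argument list before the loop: `[ -n "${filesystems}" ] || { echo "UNKNOWN - no filesystem given"; exit 3; }`. The critical message also has a typo (`monted`) and refers to "above" output that only exists because findmnt happens to print the matching mount; echoing the failing filesystem explicitly inside the `if` branch would make the alert self-contained.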
@ -16,12 +16,3 @@
|
||||||
tags:
|
tags:
|
||||||
- nginx
|
- nginx
|
||||||
- packages
|
- packages
|
||||||
|
|
||||||
- name: Service is running as configured.
|
|
||||||
service:
|
|
||||||
name: nginx
|
|
||||||
state: "{{ nginx_service_state }}"
|
|
||||||
enabled: "{{ nginx_service_enabled }}"
|
|
||||||
tags:
|
|
||||||
- nginx
|
|
||||||
- packages
|
|
||||||
|
|
10
openvpn/files/logrotate_openvpn
Normal file
10
openvpn/files/logrotate_openvpn
Normal file
|
@ -0,0 +1,10 @@
|
||||||
|
/var/log/openvpn.log
|
||||||
|
{
|
||||||
|
weekly
|
||||||
|
rotate 52
|
||||||
|
missingok
|
||||||
|
notifempty
|
||||||
|
delaycompress
|
||||||
|
compress
|
||||||
|
copytruncate
|
||||||
|
}
|
|
@ -74,8 +74,8 @@
|
||||||
insertafter: "{{ item.insertafter }}"
|
insertafter: "{{ item.insertafter }}"
|
||||||
line: "{{ item.line }}"
|
line: "{{ item.line }}"
|
||||||
with_items:
|
with_items:
|
||||||
- { regexp: '^ chmod 644 /etc/shellpki/crl.pem$', line: " chmod 644 /etc/shellpki/crl.pem", insertafter: '^ chmod 640 "\${CACERT}"$' }
|
- { regexp: '^ chmod 604 /etc/shellpki/crl.pem$', line: " chmod 604 /etc/shellpki/crl.pem", insertafter: '^ chmod 640 "\${CACERT}"$' }
|
||||||
- { regexp: '^ chmod 755 /etc/shellpki/$', line: " chmod 755 /etc/shellpki/", insertafter: '^ chmod 644 /etc/shellpki/crl.pem$' }
|
- { regexp: '^ chmod 751 /etc/shellpki/$', line: " chmod 751 /etc/shellpki/", insertafter: '^ chmod 604 /etc/shellpki/crl.pem$' }
|
||||||
|
|
||||||
- name: Deploy OpenVPN server config
|
- name: Deploy OpenVPN server config
|
||||||
template:
|
template:
|
||||||
|
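Review bot: The regexp on each `with_items` entry was changed to match only the new mode (`^ chmod 604 …`, `^ chmod 751 …`), so on a host where the script already contains the old `chmod 644 /etc/shellpki/crl.pem` and `chmod 755 /etc/shellpki/` lines nothing matches, lineinfile inserts the new lines right after their `insertafter` anchors, and the old lines further down presumably still run last and win, so the tightened permissions never take effect on existing deployments. Matching any mode makes the edit idempotent across versions: `regexp: '^ chmod [0-7]+ /etc/shellpki/crl.pem$'` and `regexp: '^ chmod [0-7]+ /etc/shellpki/$'`. The same two lines appear in the `@ -65,8 +65,8` hunk below and need the same fix.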
@ -149,6 +149,12 @@
|
||||||
value: "1"
|
value: "1"
|
||||||
sysctl_file: "/etc/sysctl.d/openvpn.conf"
|
sysctl_file: "/etc/sysctl.d/openvpn.conf"
|
||||||
|
|
||||||
|
- name: Configure logrotate for OpenVPN
|
||||||
|
copy:
|
||||||
|
src: logrotate_openvpn
|
||||||
|
dest: /etc/logrotate.d/openvpn
|
||||||
|
force: no
|
||||||
|
|
||||||
- name: Generate a password for the management interface
|
- name: Generate a password for the management interface
|
||||||
set_fact:
|
set_fact:
|
||||||
management_pwd: "{{ lookup('password', '/dev/null length=15 chars=ascii_letters,digits') }}"
|
management_pwd: "{{ lookup('password', '/dev/null length=15 chars=ascii_letters,digits') }}"
|
||||||
|
|
|
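Review bot: The new logrotate task copies with `force: no`, so once /etc/logrotate.d/openvpn exists on a host it is never updated again, and any later change to `logrotate_openvpn` in the role will not reach already-provisioned servers. If preserving local edits is the intent, say so on the task so nobody later tries to fix a stale policy by editing the role file: `# force: false — an existing file is left untouched to keep local edits; update it manually`. `force: false` is also the spelling yamllint's truthy rule expects.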
@ -65,8 +65,8 @@
|
||||||
insertafter: "{{ item.insertafter }}"
|
insertafter: "{{ item.insertafter }}"
|
||||||
line: "{{ item.line }}"
|
line: "{{ item.line }}"
|
||||||
with_items:
|
with_items:
|
||||||
- { regexp: '^ chmod 644 /etc/shellpki/crl.pem$', line: " chmod 644 /etc/shellpki/crl.pem", insertafter: '^ chmod 640 "\${CACERT}"$' }
|
- { regexp: '^ chmod 604 /etc/shellpki/crl.pem$', line: " chmod 604 /etc/shellpki/crl.pem", insertafter: '^ chmod 640 "\${CACERT}"$' }
|
||||||
- { regexp: '^ chmod 755 /etc/shellpki/$', line: " chmod 755 /etc/shellpki/", insertafter: '^ chmod 644 /etc/shellpki/crl.pem$' }
|
- { regexp: '^ chmod 751 /etc/shellpki/$', line: " chmod 751 /etc/shellpki/", insertafter: '^ chmod 604 /etc/shellpki/crl.pem$' }
|
||||||
|
|
||||||
- name: Deploy OpenVPN server config
|
- name: Deploy OpenVPN server config
|
||||||
template:
|
template:
|
||||||
|
|
|
@ -6,11 +6,11 @@ $localconf['debug'] = FALSE;
|
||||||
$localconf['superadmin'] = array();
|
$localconf['superadmin'] = array();
|
||||||
$localconf['script_path'] = '{{ evoadmin_scripts_dir }}';
|
$localconf['script_path'] = '{{ evoadmin_scripts_dir }}';
|
||||||
$localconf['cluster'] = FALSE;
|
$localconf['cluster'] = FALSE;
|
||||||
// auth (sha256 hashs) / echo -n YourPass | sha256sum
|
|
||||||
|
|
||||||
$oriconf['logins'] = array();
|
// Generate password hashes : mkpasswd --method=sha-512 (cli) or with PHP's password_hash()
|
||||||
//$oriconf['logins']['foo'] = 'd5d3c723fb82cb0078f399888af78204234535ec2ef3da56710fdd51f90d2477';
|
$localconf['logins'] = array();
|
||||||
//$oriconf['logins']['bar'] = '7938c84d6e43d1659612a7ea7c1101ed02e52751bb64597a8c20ebaba8ba4303';
|
//$localconf['logins']['foo'] = '$6$X0jqa/ausLSBkj4m$dLMMcPGVxak.aDPo4V/GJLm2d8vU8/QA5LbGTuqXCdxSNYU0kRKBgDl16GAyp0GqXXZ5wwDEJKQ1npgFwiuV81';
|
||||||
|
//$localconf['logins']['bar'] = '$6$Q6233S6mlWAF6p.j$LtzwG02YucozwqjAgSpeldh24Mnz7lBuVSbOQYbKKh9FiUx3tMVl6kJZkmrNdPqeadFXKAYXrqn.gy8KposF5.';
|
||||||
|
|
||||||
{% if evoadmin_multiphp_versions != [] %}
|
{% if evoadmin_multiphp_versions != [] %}
|
||||||
$localconf['php_versions'] = array( {{ evoadmin_multiphp_versions | join(', ') | replace('php', '') }} );
|
$localconf['php_versions'] = array( {{ evoadmin_multiphp_versions | join(', ') | replace('php', '') }} );
|
||||||
|
|
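Review bot: The new comment `// Generate password hashes : mkpasswd --method=sha-512 (cli) or with PHP's password_hash()` presents the two commands as equivalent, but password_hash() defaults to bcrypt (`$2y$…`) rather than SHA-512 crypt, so an operator following the PHP route gets a different hash format from the `$6$` examples below it. Whether the login check accepts both depends on the verifying code, which is not visible here: password_verify() handles either format, a string comparison against a specific format would not. Either state the accepted formats in the comment or pin the PHP command to one, e.g. `password_hash($pw, PASSWORD_BCRYPT)` together with a note that bcrypt is accepted.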