minifirewall: fix task name

vrrpd: configure minifirewall with blocks instead of lines
haproxy: support bookworm for backport packages
2024-04-18 15:18:58 +02:00 · 2024-04-18 15:18:42 +02:00 · 2024-04-18 15:11:34 +02:00 · 2024-04-18 15:10:01 +02:00
8 changed files with 48 additions and 20 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -17,11 +17,14 @@ The **patch** part is incremented if multiple releases happen the same month

 * autosysadmin-agent: upstream release 24.03.2
 * evolinux-base: Add new variable to disable global customisation of bash config
-* roundcube: Use /var/log/roundcube directly
+* evolinux-base: Disable logcheck monitoring of journald only if journald.logfiles exists
 * evolinux-users: Add sudo mvcli for nagios user
-* vrrpd : configure and restart minifirewall before starting VRRP
+* haproxy: support bookworm for backport packages
 * nrpe: !disk1 exclude filesystem type overlay
 * postfix/amavis: max servers is now 3 (previously 2)
+* roundcube: Use /var/log/roundcube directly
+* vrrpd: configure and restart minifirewall before starting VRRP
+* vrrpd: configure minifirewall with blocks instead of lines

 ### Fixed

--- a/evolinux-base/tasks/logs.yml
+++ b/evolinux-base/tasks/logs.yml
@ -64,12 +64,19 @@
  when: evolinux_logs_default_dateext | bool

 # Logcheck
+- name: Check if journald.logfiles exists
+  stat:
+    path: /etc/logcheck/logcheck.logfiles.d/journal.logfiles
+  register: _logcheck_journald_logfiles
+
 - name: Disable logcheck monitoring of journald
  ansible.builtin.lineinfile:
    dest: /etc/logcheck/logcheck.logfiles.d/journal.logfiles
    line: "#journal"
    regexp: "^journal"
-  when: evolinux_logs_disable_logcheck_journald | bool
+  when:
+    - _logcheck_journald_logfiles.stat.exists
+    - evolinux_logs_disable_logcheck_journald | bool

 # Journald
 - name: /etc/systemd/journald.conf.d/ is present
--- a/haproxy/defaults/main.yml
+++ b/haproxy/defaults/main.yml
@ -35,5 +35,6 @@ haproxy_deny_ips: []
 haproxy_backports_packages_stretch: haproxy libssl1.0.0
 haproxy_backports_packages_buster: haproxy
 haproxy_backports_packages_bullseye: haproxy
+haproxy_backports_packages_bookworm: haproxy

-haproxy_allow_ip_nonlocal_bind: Null
+haproxy_allow_ip_nonlocal_bind: Null
--- a/haproxy/tasks/main.yml
+++ b/haproxy/tasks/main.yml
@ -21,7 +21,6 @@
 - name: Self-signed certificate is present in HAProxy ssl directory
  ansible.builtin.shell:
    cmd: "cat /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key > /etc/haproxy/ssl/ssl-cert-snakeoil.pem"
-  args:
    creates: /etc/haproxy/ssl/ssl-cert-snakeoil.pem
  notify: reload haproxy
  tags:
--- a/haproxy/tasks/packages_backports.yml
+++ b/haproxy/tasks/packages_backports.yml
@ -19,6 +19,10 @@
    haproxy_backports_packages: "{{ haproxy_backports_packages_bullseye }}"
  when: ansible_distribution_release == 'bullseye'

+- ansible.builtin.set_fact:
+    haproxy_backports_packages: "{{ haproxy_backports_packages_bookworm }}"
+  when: ansible_distribution_release == 'bookworm'
+
 - name: Prefer HAProxy package from backports
  ansible.builtin.template:
    src: haproxy_apt_preferences.j2
--- a/minifirewall/tasks/main.yml
+++ b/minifirewall/tasks/main.yml
@ -74,7 +74,7 @@

 #######################################################################

- name: Fail if minifirewall_main_file is defined (legacy mode)
+- name: Fail if minifirewall_main_file is defined (modern mode)
  ansible.builtin.fail:
    msg: "Variable minifirewall_main_file is deprecated and not configurable anymore."
  when:
@ -179,4 +179,4 @@
    - always
  when:
    - minifirewall_install_mode != 'legacy'
-    - minifirewall_restart_force | bool
+    - minifirewall_restart_force | bool
--- a/vrrpd/defaults/main.yml
+++ b/vrrpd/defaults/main.yml
@ -9,9 +9,12 @@ vrrp_addresses: []
 #     priority: Null          # the priority of this host in the virtual server (default: 100)
 #     authentication: Null    # authentification type: auth=(none|pw/hexkey|ah/hexkey) hexkey=0x[0-9a-fA-F]+
 #     label: Null             # use this name is syslog messages (helps when several vrid are running)
-#     ip: Null                # the ip address(es) (and optionnaly subnet mask) of the virtual server
+#     ip: Null                # the IP address(es) (and optionnaly subnet mask) of the virtual server
+#     peers: [IP1, IP2]       # list of peers (IP), for minifirewall rules
 #     state: Null             # 'started' or 'stopped'
 #   }

+vrrp_manage_minifirewall: true
+
 minifirewall_restart_if_needed: True
 minifirewall_restart_force: False
--- a/vrrpd/tasks/ip.yml
+++ b/vrrpd/tasks/ip.yml
@ -11,35 +11,46 @@
    minifirewall_restart_handler_name: "{{ minifirewall_restart_if_needed | bool | ternary('restart minifirewall', 'restart minifirewall (noop)') }}"

 - name: VRRP output is authorized in minifirewall
-  lineinfile:
+  ansible.builtin.blockinfile:
    path: /etc/minifirewall.d/vrrpd
-    line: "/sbin/iptables -A OUTPUT -o {{ vrrp_address.interface }} -p 112 -j ACCEPT # Allow VRRP output on {{ vrrp_address.interface }}"
-    regexp: "# Allow VRRP output on {{ vrrp_address.interface }}$"
+    marker: "## {mark} ANSIBLE MANAGED OUTPUT RULES FOR VRID {{ vrrp_address.id }}"
+    block: |
+      /sbin/iptables -A OUTPUT -o {{ vrrp_address.interface }} -p 112 -j ACCEPT # Allow VRRP output on {{ vrrp_address.interface }}
    create: yes
    mode: "0600"
    owner: "root"
    group: "root"
  notify: "{{ minifirewall_restart_handler_name }}"
-  when: _minifirewall_dir.stat.exists
+  when:
+    - vrrp_manage_minifirewall | bool
+    - _minifirewall_dir.stat.exists

 - name: VRRP input is authorized in minifirewall
-  lineinfile:
+  ansible.builtin.blockinfile:
    path: /etc/minifirewall.d/vrrpd
-    line: "/sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -s {{ peer }} -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} from {{ peer }} for VRID {{ vrrp_address.id }}"
-    regexp: "# Allow VRRP input on {{ vrrp_address.interface }} from {{ peer }} for VRID {{ vrrp_address.id }}"
+    marker: "## {mark} ANSIBLE MANAGED INPUT RULES FOR VRID {{ vrrp_address.id }}"
+    block: |
+      {% if vrrp_address.peers | default([]) | length <= 0 %}
+        /sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} for VRID {{ vrrp_address.id }}
+      {% else %}
+        {% for peer in vrrp_address.peers %}
+          /sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -s {{ peer }} -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} from {{ peer }} for VRID {{ vrrp_address.id }}
+        {% endfor %}
+      {% endif %}
    create: yes
    mode: "0600"
    owner: "root"
    group: "root"
-  loop: "{{ vrrp_address.peers | default([]) }}"
-  loop_control:
-    loop_var: peer
  notify: "{{ minifirewall_restart_handler_name }}"
-  when: _minifirewall_dir.stat.exists
+  when:
+    - vrrp_manage_minifirewall | bool
+    - _minifirewall_dir.stat.exists

 - name: Flush handlers to restart minifirewall
  ansible.builtin.meta: flush_handlers
-  when: _minifirewall_dir.stat.exists
+  when:
+    - vrrp_manage_minifirewall | bool
+    - _minifirewall_dir.stat.exists


 # Configure VRRP service
Author	SHA1	Message	Date
Jérémy Lecour	8cd887ee21	minifirewall: fix task name	2024-04-18 15:18:58 +02:00
Jérémy Lecour	42ad242aaf	vrrpd: configure minifirewall with blocks instead of lines	2024-04-18 15:18:42 +02:00
Jérémy Lecour	f8e92d2eeb	haproxy: support bookworm for backport packages	2024-04-18 15:11:34 +02:00
Jérémy Lecour	9a65312190	evolinux-base: disable logcheck monitoring of journald only if journald.logfiles exists	2024-04-18 15:10:01 +02:00