16394060c9
...
8cd887ee21
Author | SHA1 | Date | |
---|---|---|---|
Jérémy Lecour | 8cd887ee21 | ||
Jérémy Lecour | 42ad242aaf | ||
Jérémy Lecour | f8e92d2eeb | ||
Jérémy Lecour | 9a65312190 |
|
@ -17,11 +17,14 @@ The **patch** part is incremented if multiple releases happen the same month
|
|||
|
||||
* autosysadmin-agent: upstream release 24.03.2
|
||||
* evolinux-base: Add new variable to disable global customisation of bash config
|
||||
* roundcube: Use /var/log/roundcube directly
|
||||
* evolinux-base: Disable logcheck monitoring of journald only if journald.logfiles exists
|
||||
* evolinux-users: Add sudo mvcli for nagios user
|
||||
* vrrpd : configure and restart minifirewall before starting VRRP
|
||||
* haproxy: support bookworm for backport packages
|
||||
* nrpe: !disk1 exclude filesystem type overlay
|
||||
* postfix/amavis: max servers is now 3 (previously 2)
|
||||
* roundcube: Use /var/log/roundcube directly
|
||||
* vrrpd: configure and restart minifirewall before starting VRRP
|
||||
* vrrpd: configure minifirewall with blocks instead of lines
|
||||
|
||||
### Fixed
|
||||
|
||||
|
|
|
@ -64,12 +64,19 @@
|
|||
when: evolinux_logs_default_dateext | bool
|
||||
|
||||
# Logcheck
|
||||
- name: Check if journald.logfiles exists
|
||||
stat:
|
||||
path: /etc/logcheck/logcheck.logfiles.d/journal.logfiles
|
||||
register: _logcheck_journald_logfiles
|
||||
|
||||
- name: Disable logcheck monitoring of journald
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/logcheck/logcheck.logfiles.d/journal.logfiles
|
||||
line: "#journal"
|
||||
regexp: "^journal"
|
||||
when: evolinux_logs_disable_logcheck_journald | bool
|
||||
when:
|
||||
- _logcheck_journald_logfiles.stat.exists
|
||||
- evolinux_logs_disable_logcheck_journald | bool
|
||||
|
||||
# Journald
|
||||
- name: /etc/systemd/journald.conf.d/ is present
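Review bot: The new stat task at the top of the hunk uses the short `stat:` module name while its sibling a few lines below is already written as `ansible.builtin.lineinfile`; for consistency (and to avoid collection-resolution surprises) write it as `ansible.builtin.stat:`. Its name also says `journald.logfiles` while the path it checks is `journal.logfiles`, so rename it `Check if journal.logfiles exists` to match the file actually tested. The guard itself looks right: `lineinfile` has no `create:` here, so gating it on `stat.exists` presumably stops the task from failing on hosts where logcheck has not created that file.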
|
||||
|
|
|
@ -35,5 +35,6 @@ haproxy_deny_ips: []
|
|||
haproxy_backports_packages_stretch: haproxy libssl1.0.0
|
||||
haproxy_backports_packages_buster: haproxy
|
||||
haproxy_backports_packages_bullseye: haproxy
|
||||
haproxy_backports_packages_bookworm: haproxy
|
||||
|
||||
haproxy_allow_ip_nonlocal_bind: Null
|
||||
haproxy_allow_ip_nonlocal_bind: Null
|
||||
|
|
|
@ -21,7 +21,6 @@
|
|||
- name: Self-signed certificate is present in HAProxy ssl directory
|
||||
ansible.builtin.shell:
|
||||
cmd: "cat /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key > /etc/haproxy/ssl/ssl-cert-snakeoil.pem"
|
||||
args:
|
||||
creates: /etc/haproxy/ssl/ssl-cert-snakeoil.pem
|
||||
notify: reload haproxy
|
||||
tags:
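Review bot: The `cmd` line concatenates the snakeoil private key into `/etc/haproxy/ssl/ssl-cert-snakeoil.pem` through a shell redirection, so the file gets whatever mode the remote umask yields (typically 0644) and the key becomes readable by every local user; the `creates:` guard means no later run revisits it. This hunk only drops a line from the task (the rendered page does not show which one) and does not address that. Prefix the command with a restrictive umask, `cmd: "umask 077 && cat /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key > /etc/haproxy/ssl/ssl-cert-snakeoil.pem"`, or follow it with an `ansible.builtin.file` task setting `mode: "0600"` — HAProxy reads its certificates before dropping privileges, so root-only should suffice, but confirm against the unit's user. The task's `tags:` list continues outside the hunk.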
|
||||
|
|
|
@ -19,6 +19,10 @@
|
|||
haproxy_backports_packages: "{{ haproxy_backports_packages_bullseye }}"
|
||||
when: ansible_distribution_release == 'bullseye'
|
||||
|
||||
- ansible.builtin.set_fact:
|
||||
haproxy_backports_packages: "{{ haproxy_backports_packages_bookworm }}"
|
||||
when: ansible_distribution_release == 'bookworm'
|
||||
|
||||
- name: Prefer HAProxy package from backports
|
||||
ansible.builtin.template:
|
||||
src: haproxy_apt_preferences.j2
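Review bot: The new bookworm branch extends the per-release `set_fact` chain, but like its siblings it carries no `name:`; add `name: Set backports package list for bookworm` so play output and `--list-tasks` identify it. With this pattern a host on any release without a matching branch leaves `haproxy_backports_packages` undefined and the template task that follows would presumably fail at render time, unless a default is set earlier in the file (outside this hunk); an `ansible.builtin.assert` with `that: haproxy_backports_packages is defined` placed just before the template task would turn that into an explicit message naming `{{ ansible_distribution_release }}`.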
|
||||
|
|
|
@ -74,7 +74,7 @@
|
|||
|
||||
#######################################################################
|
||||
|
||||
- name: Fail if minifirewall_main_file is defined (legacy mode)
|
||||
- name: Fail if minifirewall_main_file is defined (modern mode)
|
||||
ansible.builtin.fail:
|
||||
msg: "Variable minifirewall_main_file is deprecated and not configurable anymore."
|
||||
when:
|
||||
|
@ -179,4 +179,4 @@
|
|||
- always
|
||||
when:
|
||||
- minifirewall_install_mode != 'legacy'
|
||||
- minifirewall_restart_force | bool
|
||||
- minifirewall_restart_force | bool
|
||||
|
|
|
@ -9,9 +9,12 @@ vrrp_addresses: []
|
|||
# priority: Null # the priority of this host in the virtual server (default: 100)
|
||||
# authentication: Null # authentification type: auth=(none|pw/hexkey|ah/hexkey) hexkey=0x[0-9a-fA-F]+
|
||||
# label: Null # use this name is syslog messages (helps when several vrid are running)
|
||||
# ip: Null # the ip address(es) (and optionnaly subnet mask) of the virtual server
|
||||
# ip: Null # the IP address(es) (and optionnaly subnet mask) of the virtual server
|
||||
# peers: [IP1, IP2] # list of peers (IP), for minifirewall rules
|
||||
# state: Null # 'started' or 'stopped'
|
||||
# }
|
||||
|
||||
vrrp_manage_minifirewall: true
|
||||
|
||||
minifirewall_restart_if_needed: True
|
||||
minifirewall_restart_force: False
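Review bot: The new `peers:` comment says the list feeds minifirewall rules but not what happens when it is left empty; in the role's tasks on this same page an empty list yields an INPUT rule with no `-s` source match, so document that: `# peers: [IP1, IP2] # list of peers (IP), for minifirewall rules; if empty, VRRP input is accepted from any source on the interface`. The boolean defaults added below mix `true` with `True`/`False`; write `minifirewall_restart_if_needed: true` and `minifirewall_restart_force: false` so yamllint's truthy rule and the rest of the block agree. The touched `ip:` comment still misspells `optionnaly` (`optionally`).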
|
||||
|
|
|
@ -11,35 +11,46 @@
|
|||
minifirewall_restart_handler_name: "{{ minifirewall_restart_if_needed | bool | ternary('restart minifirewall', 'restart minifirewall (noop)') }}"
|
||||
|
||||
- name: VRRP output is authorized in minifirewall
|
||||
lineinfile:
|
||||
ansible.builtin.blockinfile:
|
||||
path: /etc/minifirewall.d/vrrpd
|
||||
line: "/sbin/iptables -A OUTPUT -o {{ vrrp_address.interface }} -p 112 -j ACCEPT # Allow VRRP output on {{ vrrp_address.interface }}"
|
||||
regexp: "# Allow VRRP output on {{ vrrp_address.interface }}$"
|
||||
marker: "## {mark} ANSIBLE MANAGED OUTPUT RULES FOR VRID {{ vrrp_address.id }}"
|
||||
block: |
|
||||
/sbin/iptables -A OUTPUT -o {{ vrrp_address.interface }} -p 112 -j ACCEPT # Allow VRRP output on {{ vrrp_address.interface }}
|
||||
create: yes
|
||||
mode: "0600"
|
||||
owner: "root"
|
||||
group: "root"
|
||||
notify: "{{ minifirewall_restart_handler_name }}"
|
||||
when: _minifirewall_dir.stat.exists
|
||||
when:
|
||||
- vrrp_manage_minifirewall | bool
|
||||
- _minifirewall_dir.stat.exists
|
||||
|
||||
- name: VRRP input is authorized in minifirewall
|
||||
lineinfile:
|
||||
ansible.builtin.blockinfile:
|
||||
path: /etc/minifirewall.d/vrrpd
|
||||
line: "/sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -s {{ peer }} -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} from {{ peer }} for VRID {{ vrrp_address.id }}"
|
||||
regexp: "# Allow VRRP input on {{ vrrp_address.interface }} from {{ peer }} for VRID {{ vrrp_address.id }}"
|
||||
marker: "## {mark} ANSIBLE MANAGED INPUT RULES FOR VRID {{ vrrp_address.id }}"
|
||||
block: |
|
||||
{% if vrrp_address.peers | default([]) | length <= 0 %}
|
||||
/sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} for VRID {{ vrrp_address.id }}
|
||||
{% else %}
|
||||
{% for peer in vrrp_address.peers %}
|
||||
/sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -s {{ peer }} -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} from {{ peer }} for VRID {{ vrrp_address.id }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
create: yes
|
||||
mode: "0600"
|
||||
owner: "root"
|
||||
group: "root"
|
||||
loop: "{{ vrrp_address.peers | default([]) }}"
|
||||
loop_control:
|
||||
loop_var: peer
|
||||
notify: "{{ minifirewall_restart_handler_name }}"
|
||||
when: _minifirewall_dir.stat.exists
|
||||
when:
|
||||
- vrrp_manage_minifirewall | bool
|
||||
- _minifirewall_dir.stat.exists
|
||||
|
||||
- name: Flush handlers to restart minifirewall
|
||||
ansible.builtin.meta: flush_handlers
|
||||
when: _minifirewall_dir.stat.exists
|
||||
when:
|
||||
- vrrp_manage_minifirewall | bool
|
||||
- _minifirewall_dir.stat.exists
|
||||
|
||||
|
||||
# Configure VRRP service
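Review bot: The `loop: "{{ vrrp_address.peers | default([]) }}"` and `loop_control` on the INPUT task are left over from the `lineinfile` version; the new `block:` already iterates over peers in Jinja, so with N peers the task now writes the same block N times, and with an empty list the loop runs zero times and the `{% if … length <= 0 %}` branch the commit adds is never written. Drop the two loop keys so the task runs once per `vrrp_address`. The INPUT rules also carry no `-p 112` although the OUTPUT rule at the top of the hunk does; without it the no-peers variant accepts every protocol to any 224.0.0.0/8 address on the interface, so add `-p 112` to both INPUT lines (and consider `-d 224.0.0.18/32`, the VRRP group address, unless other multicast on that interface is meant to ride on this rule). The file continues past the hunk into the "Configure VRRP service" section.
```yaml
- name: VRRP input is authorized in minifirewall
  ansible.builtin.blockinfile:
    # … unchanged: path, marker …
    block: |
      {% if vrrp_address.peers | default([]) | length <= 0 %}
      /sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -p 112 -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} for VRID {{ vrrp_address.id }}
      {% else %}
      {% for peer in vrrp_address.peers %}
      /sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -p 112 -s {{ peer }} -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} from {{ peer }} for VRID {{ vrrp_address.id }}
      {% endfor %}
      {% endif %}
    # … unchanged: create, mode, owner, group …
  # loop / loop_control removed: the block above already iterates over peers
  notify: "{{ minifirewall_restart_handler_name }}"
  # … unchanged: when …
```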
|
||||
|
|