Merge branch 'unstable' into stable

bookworm suite has been enabled on our new repository.

This reverts commit 1fae737ac4.

.Jenkinsfile

@@ -6,6 +6,20 @@ pipeline {
     }
 
     stages {
+        stage('Anible Lint') {
+            agent {
+                docker {
+                    image 'evolix/ansible-lint:latest'
+                }
+            }
+            steps {
+                script {
+                    sh 'for role_dir in ./*/; do HOME=$WORKSPACE_TMP ansible-lint -p $role_dir || : ; done'
+                    recordIssues(tools: [ansibleLint()])
+                }
+            }
+        }
+
         stage('Build tagged docker image') {
             when {
                 buildingTag()

.vscode/settings.json

@@ -0,0 +1,7 @@
+{
+    "files.associations": {
+        "*.yml": "ansible",
+        "*.yaml": "ansible"
+    },
+    "yaml.format.enable": false
+}

CHANGELOG.md

@@ -8,6 +8,7 @@ The **major** part of the version is the year
 The **minor** part changes is the month
 The **patch** part changes is incremented if multiple releases happen the same month
 
+
 ## [Unreleased]
 
 ### Added
@@ -20,6 +21,75 @@ The **patch** part changes is incremented if multiple releases happen the same m
 
 ### Security
 
+## [23.03.1] 2023-03-16
+
+### Added
+
+* pgbouncer: new role
+
+### Changed
+
+* apt: deb822 migration python script is looked relative to shell script
+* listupgrade: remove old typo version of the cron task
+* minifirewall: support protocols in numeric form
+
+## [23.03] 2023-03-16
+
+### Added
+
+* apache: add task to enable mailgraph on default vhost and index.html
+* apt: add move-apt-keyrings script/tasks
+* apt: add tools to migrate sources to deb822 format
+* fail2ban: add "Internal login failure" to Dovecot filter
+* lxc: copy `/etc/profile.d/evolinux.sh` from host into container
+* nagios-nrpe: add tasks/files for a wrapper
+* nagios-nrpe: Print pool config path in check_phpfpm_multi output
+* php: add `php_version` variable when sury is activated for each Debian version
+* php: add a way to choose which version to install using sury repository
+* postfix: Add task to enable mailgraph on packmail
+* postgresql: configure max_connections
+* userlogrotate: create dedicated role, separated from packweb-apache
+* varnish: add `varnish_update_config` variable to disable configuration update
+
+### Changed
+
+* Use systemd module instead of command
+* Removed all `warn: False` args in command, shell and other modules as it's been deprecated and will give a hard fail in ansible-core 2.14.0.
+* apt: Use pub.evolix.org instead of pub.evolix.net
+* bind: refactor role
+* elasticsearch: Disable garabge collector logging (JDK >= 9)
+* evolinux-users: Update sudoers template to remove commands allowed without password
+* listupgrade: upstream release 23.03.3
+* kvmstats: use virsh domstats | awk to get guests informations
+* nagios-nrpe : Rewrite `check_vrrpd` for a better check (check `rp_filter`, `vrrpd` and `uvrrpd` compatible, use arguments, …)
+* openvpn: Change `check_openvpn` destination file to comply with recent EvoBSD change
+* postfix: come back to default value of `notify_classes` for pack mails.
+* userlogrotate: set rotate date format in right order (YYYY-MM-DD)!
+* webapps/nextcloud : Change default data directory to be outside web root
+* webapps/nextcloud : Small enhancement on the vhost template to lock out data dir
+* yarn: update apt key
+
+### Fixed
+
+* Proper jinja spacing
+* clamav: set `MaxConnectionQueueLength` to its default value (200), custom (15) was way too small and caused recurring failures in Postfix.
+* docker-host: fix type in `daemon.json` and remove host configuration that is already in the systemd service by default
+* evolinux-base: ensure dbus is started and enabled (not by default in the case of an offline netinst)
+* haproxy: fix missing admin ACL in stats module access permissions
+* openvpn: fix the client cipher configuration to match the server cipher configuration
+* php: fix error introduced in #33503e4538 (`False` evaluated as a String instead of Boolean)
+* php: install using Sury repositories on Bullseye
+* postfix (packmail only): disable `concurrency_failed_cohort_limit` for destination smtp-amavis to prevent the suspension of this destination when Amavis fails to answer. Indeed, we configure the suspension delay quite long in `minimal_backoff_time` (2h) and `maximal_backoff_time` (6h) to reduce the risk of ban from external SMTPs.
+* postfix: avoid Amavis transport to be considered dead when restarted.
+* postfix: remove unused `aliases_scope=sub` from virtual_aliases.cf (it generated warnings)
+* userlogrotate: fix bug introduced in commit 2e54944a246 (rotated files were not zipped)
+* userlogrotate: skip zipping if .gz log already exists (prevents interactive question)
+
+### Removed
+
+* evolinux-base: subversion is not installed anymore
+
+
 ## [22.12] 2022-12-14
 
 ### Added
@@ -34,6 +104,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * packweb-apache: enable `log_forensic` module
 * rabbitmq: add link in default page
 * varnish: create special tmp directory for syntax validation
+* postfix: add localhost.$mydomain to mydestination
 
 ### Changed
 

amazon-ec2/tasks/create-instance.yml

@@ -3,34 +3,34 @@
 - name: Launch new instance(s)
   ec2:
     state: present
-    aws_access_key: "{{aws_access_key}}"
-    aws_secret_key: "{{aws_secret_key}}"
-    region: "{{aws_region}}"
-    image: "{{ec2_base_ami}}"
-    instance_type: "{{ec2_instance_type}}"
-    count: "{{ec2_instance_count}}"
-    assign_public_ip: "{{ec2_public_ip}}"
-    group: "{{ec2_security_group.name}}"
-    key_name: "{{ec2_keyname}}"
+    aws_access_key: "{{ aws_access_key }}"
+    aws_secret_key: "{{ aws_secret_key }}"
+    region: "{{ aws_region }}"
+    image: "{{ ec2_base_ami }}"
+    instance_type: "{{ ec2_instance_type }}"
+    count: "{{ ec2_instance_count }}"
+    assign_public_ip: "{{ ec2_public_ip }}"
+    group: "{{ ec2_security_group.name }}"
+    key_name: "{{ ec2_keyname }}"
     wait: yes
   register: ec2
 
 - name: Add newly created instance(s) to inventory
   add_host:
-    hostname: "{{item.public_dns_name}}"
+    hostname: "{{ item.public_dns_name }}"
     groupname: launched-instances
     ansible_user: admin
     ansible_ssh_common_args: "-o StrictHostKeyChecking=no"
-  loop: "{{ec2.instances}}"
+  loop: "{{ ec2.instances }}"
 
 - debug:
-    msg: "Your newly created instance is reachable at: {{item.public_dns_name}}"
-  loop: "{{ec2.instances}}"
+    msg: "Your newly created instance is reachable at: {{ item.public_dns_name }}"
+  loop: "{{ ec2.instances }}"
 
 - name: Wait for SSH to come up on all instances (give up after 2m)
   wait_for:
     state: started
-    host: "{{item.public_dns_name}}"
+    host: "{{ item.public_dns_name }}"
     port: 22
     timeout: 120
-  loop: "{{ec2.instances}}"
+  loop: "{{ ec2.instances }}"

apache/tasks/server_status.yml

@@ -68,3 +68,10 @@
     insertafter: "[apache_*]"
     create: no
   notify: restart munin-node
+
+- name: add mailgraph URL in index.html
+  lineinfile:
+    dest: /var/www/index.html
+    state: present
+    line: '            <li><a href="/mailgraph">Stats Mail</a></li>'
+    insertbefore: "</ul>"

apache/templates/evolinux-default.conf.j2

@@ -35,6 +35,15 @@
         Include /etc/apache2/ipaddr_whitelist.conf
     </Directory>
 
+    # Mailgraph configuration
+    Alias /mailgraph /usr/share/mailgraph
+    <Directory /usr/share/mailgraph>
+        DirectoryIndex mailgraph.cgi
+        Require all granted
+        Options +FollowSymLinks +ExecCGI
+        AddHandler cgi-script .cgi
+    </Directory>
+
     CustomLog /var/log/apache2/access.log vhost_combined
     ErrorLog /var/log/apache2/error.log
     LogLevel warn
@@ -118,6 +127,15 @@
             Include /etc/apache2/ipaddr_whitelist.conf
         </Location>
 
+        # Mailgraph configuration
+        Alias /mailgraph /usr/share/mailgraph
+        <Directory /usr/share/mailgraph>
+            DirectoryIndex mailgraph.cgi
+            Require all granted
+            Options +FollowSymLinks +ExecCGI
+            AddHandler cgi-script .cgi
+        </Directory>
+
 # BEGIN phpMyAdmin section
 # END phpMyAdmin section
 

apt/files/deb822-migration.py

@@ -0,0 +1,96 @@
+#!/bin/env python3
+
+import re
+import sys
+import os
+
+if len(sys.argv) > 1:
+    src_file = sys.argv[1]
+else:
+    print("You must provide a source file as first argument", file=sys.stderr)
+    sys.exit(1)
+
+if not os.access(src_file, os.R_OK):
+    print(src_file, "is not readable", file=sys.stderr)
+    sys.exit(2)
+
+pattern = re.compile('^(?P<type>deb|deb-src) +(?P<options>\[.+\] ?)*(?P<uri>\w+:\/\/\S+) +(?P<suite>\S+)(?: +(?P<components>.*))?$')
+
+sources = {}
+
+def split_options(raw):
+    table = str.maketrans({
+        "[": None,
+        "]": None
+    })
+    options = raw.translate(table).split(' ')
+
+    return options
+
+with open(src_file,'r') as file:
+    for line in file:
+        matches = re.match(pattern, line)
+        if matches is not None:
+            # print(matches.groupdict())
+            uri = matches['uri']
+
+            options = {}
+            if matches.group('options'):
+                for option in split_options(matches['options']):
+                    if "=" in option:
+                        key, value = option.split("=")
+                        options[key] = value
+
+            if uri in sources:
+                sources[uri]["Types"].add(matches["type"])
+                sources[uri]["URIs"] = matches["uri"]
+                sources[uri]["Suites"].add(matches["suite"])
+                sources[uri]["Components"].update(matches["components"].split(' '))
+            else:
+                source = {
+                    "Types": {matches['type']},
+                    "URIs": matches['uri'],
+                    "Enabled": "yes",
+                }
+
+                if matches.group('suite'):
+                    source["Suites"] = set(matches['suite'].split(' '))
+
+                if matches.group('components'):
+                    source["Components"] = set(matches['components'].split(' '))
+
+                if "arch" in options:
+                    if "Architectures" in source:
+                        source["Architectures"].append(options["arch"])
+                    else:
+                        source["Architectures"] = {options["arch"]}
+
+                if "signed-by" in options:
+                    if "Signed-by" in source:
+                        source["Signed-by"].append(options["signed-by"])
+                    else:
+                        source["Signed-by"] = {options["signed-by"]}
+
+                if "lang" in options:
+                    if "Languages" in source:
+                        source["Languages"].append(options["lang"])
+                    else:
+                        source["Languages"] = {options["lang"]}
+
+                if "target" in options:
+                    if "Targets" in source:
+                        source["Targets"].append(options["target"])
+                    else:
+                        source["Targets"] = {options["target"]}
+
+                sources[uri] = source
+
+for i, (uri, source) in enumerate(sources.items()):
+    if i > 0:
+        print("")
+    for key, value in source.items():
+        if isinstance(value, str):
+            print("{}: {}".format(key, value) )
+        else:
+            print("{}: {}".format(key, ' '.join(value)) )
+    i += 1

apt/files/deb822-migration.sh

@@ -0,0 +1,48 @@
+#!/bin/sh
+
+deb822_migrate_script=$(command -v deb822-migration.py)
+
+if [ -z "${deb822_migrate_script}" ]; then
+    deb822_migrate_script="$(dirname "$0")/deb822-migration.py"
+fi
+if [ ! -x "${deb822_migrate_script}" ]; then
+    >&2 echo "ERROR: '${deb822_migrate_script}' not found or not executable"
+    exit 1
+fi
+
+dest_dir="/etc/apt/sources.list.d"
+rc=0
+
+migrate_file() {
+    legacy_file=$1
+    deb822_file=$2
+
+    if [ -f "${legacy_file}" ]; then
+        if [ -f "${deb822_file}" ]; then
+            >&2 echo "ERROR: '${deb822_file}' already exists"
+            rc=2
+        else
+            ${deb822_migrate_script} "${legacy_file}" > "${deb822_file}"
+            if [ $? -eq 0 ] && [ -f "${deb822_file}" ]; then
+                mv "${legacy_file}" "${legacy_file}.bak"
+                echo "Migrated ${legacy_file} to ${deb822_file} and renamed to ${legacy_file}.bak"
+            else
+                >&2 echo "ERROR: failed to convert '${legacy_file}' to '${deb822_file}'"
+                rc=2
+            fi
+        fi
+    else
+        >&2 echo "ERROR: '${legacy_file}' not found"
+        rc=2
+    fi
+}
+
+migrate_file "/etc/apt/sources.list" "${dest_dir}/system.sources"
+
+# shellcheck disable=SC2044
+for legacy_file in $(find /etc/apt/sources.list.d -mindepth 1 -maxdepth 1 -type f -name '*.list'); do
+    deb822_file=$(basename "${legacy_file}" .list)
+    migrate_file "${legacy_file}" "${dest_dir}/${deb822_file}.sources"
+done
+
+exit ${rc}

apt/files/move-apt-keyrings.sh

@@ -0,0 +1,32 @@
+#!/bin/sh
+
+# Move apt repository key from /etc/apt/trusted.gpg.d/ to /etc/apt/keyrings/ and add "signed-by" tag in source list
+# 
+# Example: move-apt-keyrings.sh http://repo.mongodb.org/apt/debian mongodb-server-[0-9\\.]+.asc
+
+repository_pattern=$1
+key=$2
+
+found_files=$(grep --files-with-matches --recursive --extended-regexp "${repository_pattern}" "/etc/apt/sources.list.d/*.list")
+
+old_key_file="/etc/apt/trusted.gpg.d/${key}"
+new_key_file="/etc/apt/keyrings/${key}"
+
+for file in ${found_files}; do
+    if ! grep --quiet "signed-by" "${file}"; then
+        signed_by="signed-by=${new_key_file}"
+        if grep --quiet "deb(-src)? \[" "${file}"; then
+            sed -i "s@deb\(-src\)\? \[\([^]]\+\)\]@deb\1 [\2 ${signed_by}]@" "${file}"
+        else
+            sed -i "s@deb\(-src\)\? @deb\1 [${signed_by}] @" "${file}"
+        fi
+    fi
+done
+
+if [ -f "${old_key_file}" ] && [ ! -f "${new_key_file}" ]; then
+    mv "${old_key_file}" "${new_key_file}"
+fi
+if [ -f "${new_key_file}" ]; then
+    chmod 644 "${new_key_file}"
+    chown root: "${new_key_file}"
+fi

apt/files/pub_evolix.asc

@@ -0,0 +1,87 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGOsRdcBEADDPJ8Tsqr5Z4crmQlNQM32hfufe7gTUrXo0cAL8clt92y1QX3N
+YyMv0Re4+Ugo7JZd4jsF2Q1twJMxsX5rA12xDnHHcZRSc/E0DIYvPnfLzEHkwseN
+OK4f9lI+xo06k+B3KQQKMeI/RjVaN6AiSply9ZGaZVeGGqd4es4PsU1VQMTWdclV
+Bn54HBWUnL5dPStPMnNkt0bMQYIqc5733Yby3qMiUKcql2bl9TYBw8SaJXvClsLw
+ERqit6FjljUOEeWtB4WZFpjhc/aqcxGcUTPHRrNTlNF0HCvk8JicEu4/lr99pwy7
+7z6SRql++WGMSG06E4MBtUt+wWAmDDHNj3fdZPnoCaDFp7vxy/FEARB2aygTtu11
+mLk4XOKheqU/WibWxoXRzyUCuclJ247Fh+YPxkYVG1dnDwpWGbYuRmzUapGLv4ma
+dnKsQN0KhXzUqkSoybBgV208dGOP7BqdY6TVnyU0v/7XDeUqFEwnllRKMSYLilV3
+huTifiCFTK45HACM/x2yckx8dyAuYg6cJaAR1yn1iaTexoyYPG9ZFifvMB6ranEm
+vkmQq1e8/7xiNSQsh5F3Ybl5hh4GVLwsR6esfZsHG0Ve+CitsmcZgWnr0JJ2PZOk
++XHxMwo7Gb0/KVH9XGeoXk+eiNNW/kdcgBMkGkU3nWooVHDm7Dy54I5CzQARAQAB
+tC9Fdm9saXggUHVibGljIFJlcG9zaXRvcnkgPGVxdWlwZStwdWJAZXZvbGl4LmZy
+PokCVAQTAQoAPhYhBP+vfRvzUK1F+rMpCUaPWta4YwY9BQJjrEXXAhsDBQkHhM4A
+BQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEEaPWta4YwY9V6oP/iYfZceiA1Sy
+x9t/7CL3EReuvpdZtZYf2KklBfxEFtzkERV/KKMMpf8mKoGD6BA+ryUc7b4a8npq
+yvKbSKDHGZW6gAbq8hneW71vRuNfPNqtfO98JbJO694nqX9sIYU2xQn0UIh0G6N7
+D2bOcaicn8AgV/8cQZfgN9yRM4VhCoWZwhLqgROUqMYfDn3szamfkPcFiw10ToVt
+c2PIFdqj2soKO9OrF5Ct/pztSGy1f+orDFiJ0AtRlqqRk9z18VB893qspfyd6y9N
+q7IrQbYsiP+D8DcXYWZA1KURsI4LVQwsudNXokvGkYdnZitVgXI2lIaY7odDou5F
+btZsCIEa45m7Vmvu0Wvtu/90EFbu9iwbOVrNpC7lLnfJpDObVXMiY1r0rQVuweEZ
+ZbBcv1NUa3R0SPsPLPKf7L6dCx8gCpZjDVJLsgBeeSEV7XFQiYDbl8THasNTKCOa
+C6v4h00mg0H6GhZvGMx+lcx8TzW6l3XXRoptHl4vkdE5usLFjy8/JWG3yJ7e2W3D
+jVbPQ0UKJAnkGn1t+UJB1GP9O4annks0nPfcomjZzaDweIL8zSLPy5R9DGNgYLjp
+5h/baLoNAOkaKssZrusq/P+BM2tdr3i/N6TK+dbrffz3hNgzSFFYVg51DspV7XWo
+JKGqhqCgQpkms+NPJiKr4NDs6DdXn0IKuQINBGOsRdcBEAC9i5qcrYLTfeGrWPo3
+Zok3jikNk181HC3HR7Wu8a5whCe/88GgJDY00sU2zZEF9hN/4Vtqq9FICVXUcs+F
+5j+Gcb/sqAgwXuwk8LKuhbtR2cnz6I0GCsqNPuj+5uM7MXQlVWeIN5Z6zA/Jw++o
+aENZHO6cnuep2KDNPUZzjmTHAa4+qXRL5cRXEOmMB1vtA8mm/43c7wicJ7MrZpba
+mqzmiQPsQ2qfmCABfx8BwBgXCVON4sgtzCa+rYOPScsDtv0pv6uG+h/GJp4MdKBp
+g3BfShQEAmOwwy3Pt2vo9Rw2s0uJJ9AM2O6tJ3x93YkUP5qj3Etr/eTcgVUiVvSs
+h2Rrz2FLen3GMAcqUUDPViCy9nEWRAo7iWQgAKgr8WjeGerOmtsYPyjIQE47eX5M
+Gomx0LVCGigYfkSAFIYzm5I+depmn1qTUyizfklvPr0bA/8Cs4zbqx6Pf6Rk5wvb
+sJ4envk3dzQRNTH1Vt7Yoktyx1+VX0HFVEaPTQ3JlFORaHYwQQ97LaOZ0VmztE0A
+5+CIFFdqp/0H7zGPol+LsPgqnzZZEQ2XFYPOy7/gB17zI2eWNWPAQmOdrUM/v12A
+etnLEthZyALcjjBpJEVIHFnuaabYp+mdotycjDkBNSh+P+8H/UsMSrNVhheKQLB8
+smzwFcSrAcnQbtiCjFWANTWyKQARAQABiQI8BBgBCgAmFiEE/699G/NQrUX6sykJ
+Ro9a1rhjBj0FAmOsRdcCGwwFCQeEzgAACgkQRo9a1rhjBj0FZw//fNhJdx55ACvX
+mpa8wz6eZOvzhr5GWSW5/Qie9nRjInPPI3bJ/jU0S/4ENqFBD9RSvY5F+0xCU67F
+V2R3a3FFcB81HLIcUrkN0GH6fLcex0Js+grq/U117e2umdfGMKQG0UFJ+XonhtlT
+foBcBjXPFr2NUaJB2SPo/RPQ3U+N3wMSm0ZbB/Xvxi5qMEb971dfObvsXTkQZvn7
+b0TvccfHhyzs2IM8pZO3PamTwA5e16/2QqisRX4CeL0a/q3Yxfw4R8RPCrz/l0k5
+FPdbdXaQuk5s+CiV+Nse7yFGoEoSlLpJM2BpueBsIg92joyOstZRm+tuCb5QefWI
+7yFPfJU6xG1CMDqIGjXNU1tzSIoReGUBCNrE9UgzBQPPVD0jNM1WdW6HWSVR7jBb
++dvAeJNzQjJYlvKLQ383mAiVcwmCWBUp+R/kBPlLMGEpLlspti5fkmEc8xvtCaHc
+fCLVWd0r2lUFUz+W53r8IXaRcxLtFinz7SHZPrlhaVwErdtlo+5X3kq39Mc4KCmF
+bevT+qxlgzHXof+WGTYoc9IHkhDrvZ/TWeAUnBPvVn88dsBRtOC9f5wSCK4r9SfR
+Dnf0lAsLWMpNtt812W8sA82RGXRUBwonZKa7YoGNKSa2vPJcUgmpIiHNtoLWpNa+
+7pYGN7bV51zyQ1ERaLU5TBC9sPE70p25Ag0EY6xJaQEQAKsxFCb4Vxe8VuUEAKp/
+RSRNGX/v9KqXVwbnf3kTYq9FMoplZBeqj4LQ22BqRzZ74ywoyfvHHtvkAtCbmrlc
+8iLQEmicLug3Ibk97qm1lvvHnK9fqFOWh+Tx/omlaiSzEfAFbLEjNcplmq1ooqmX
+fkI9zcefLZHtUFx6Clw3rwp79d/V5XJDM+2jwB47HfIhrW6jEubUuaXIHNR/GSSd
+gTYuw55g9K97LhONX6ZvSBhjp4pOeUUbtFuG1fRkjPiObsB54fJ2R32yfm4jV53/
+YgG/Ih/o97tKV+ishQIrr85SB3XiLFlGhQuu/0a/+/vfGVTbJOzrQrE+OCWt9Xm1
+4b91MiVSSzXy6TGzPvpNXYR2PQZzVwvz7UctCikaE4gGB0lSH0LemDD0LZIZUwBL
+1G9mlwFTkMYK0+iMyHFOKeAlUnSSpO6hFYr4GHOxAMGTjHqqEJZ3lBi9SBPc7AEK
+3NcEp4etuiLOeaSBtqmUs+y7g8yMTrnyWPVxa0l5q4OUitbb2qvWYbaD3O22xYyj
+9BlqzpG9uO6/d8HefDK8XMNCHlmwFoJj3HJlHJg7oN029vYsXEwBIhFyolAPzIvB
+jpLKcebq9DJSObs1nHjAyVUpL4ZzRmujFcJYDYSixiqaWc/1aGTgUZQ/JDXcODiC
+LgFu1vLTRf6hwKSb/vnZP5OtABEBAAGJBHIEGAEKACYWIQT/r30b81CtRfqzKQlG
+j1rWuGMGPQUCY6xJaQIbAgUJA8JnAAJACRBGj1rWuGMGPcF0IAQZAQoAHRYhBA7H
+BbTwXPF0hLMgRYefxhvnjx3ABQJjrElpAAoJEIefxhvnjx3ANpUQAIFLkLcx2z3M
+jV0SgoAYertib9T/OOy/rsfeQjE6DFk6IArrHolZPA9g/PpTPuRwK165n5xw483q
+BMyssUT9IK7SZxt0gbKpvZ0HFSCwSp5wdSJZymwB4AOcgRBU5rwC/9fFxYihgIym
+Ig7TH9aWW4hDbEuGJDrKbhK+DpIL7lK3A5WUZk9ltGOpCcFctV3YnVgbMIwX5gO6
+lZ5Zi6NHJEB3HauVZJ59NIPJ/f0xe5GMte/LXckyijs9ei4WOFOjstiW64EWkOBH
+El0tj+LUxLznCP2szdXjkDN1P6/NDrY1Nid6/ECOfkh4xO/VHhkdSRAlhdP9FHiV
+sy3KUUoPH5B805z1MyOI7UYUD/8CK0juIXcbw7isbVUmLf/VV8jEDmq3WWDj8YZp
+IStn2AvQeo3VWGWUfkf3v7UthKandIUTIGc5isD+i6KvzzbggyyZWNtvb3/1wMrz
+DUKGlFi/IjMhhElJ0oF3YGsBwz2V2UKP7pPIYo+f5zthc7SbmO9yxAQebEOc3prM
+G/Br8JOZ90w1dy6CeIYxkM4YEhhG1K8CzD3ZTTI7vh8mwRc92A6HI2NFyxeYJCr0
+IsUcFQpCyXMtcLRN75DGLIjIKdYrYJuwSiUgcH5FtgkuxMYfJEX9UX8rV7HAxUvs
+UdIyHLl7k+khGlZa0/W6uCioFNiygnBEp7oP/iSj4Q2Xh5yKI6Jjw/IsfRcsiaac
+lHc7uF0caYGMkqRNHiX17d5EtaidTbiqQii1W9slSPXmUuUcKfD1xUfLng7TbZVm
+AdEbpHCT+q037cGCYFpHPMvw3OYhhGzYeh3+1oN9t3ZvyGlvAhkrtssDQB+gxX8r
+adCpihziFLjm+6IvCLYHEh3gILVFbbhdYDDUduFFjf/snlJW7j8OVc7Cxa7FbPdf
+SHLT9VESzf7oiwkP5/ijGmHiEQoJd9EWYkGGz+LZAXemBwe5ZnPPWVZvDEQRMe8v
+2V8pa37vyReaK//O8xxGg3NzGTn9otwVr/4Ti9OxrSzmDWpd967oZ42IZSeSY2bz
+kOaV8z4C8AIgIA7vWOS83Hncbrgf2nMCXmRjf0KTMm1P7Z0BQDWpxK9lP0nRpVAg
+2T3/OjJ9KcAsTz02NFC3/kOUz//NcfDP747HsQB0sltIty140B7CfcWk0a0eKSad
+OxGUehskjyKhO6v3dYF+8oR9p98Q8/Rh8r7evYy2mfhgJd7a9Cchn7612Y6k1SLf
+nmPGYu3s0lf/k6GoHLfXXQIJDgWeua4ZBr6cgpGONLSvWBeCVaqnk8nhbNIiSBHk
+jnrcX8xAtoPLgqg0+yi7rZ3NAauZcQE6UaNB+xjJxDOIpgVLUWtFyAG4MDeIh6GH
+oA9QflpnDubMnCve
+=ZCml
+-----END PGP PUBLIC KEY BLOCK-----

apt/tasks/evolix_public.yml

@@ -18,8 +18,8 @@
 
 - name: Add Evolix GPG key
   copy:
-    src: reg.asc
-    dest: "{{ apt_keyring_dir }}/reg.asc"
+    src: pub_evolix.asc
+    dest: "{{ apt_keyring_dir }}/pub_evolix.asc"
     force: yes
     mode: "0644"
     owner: root

apt/tasks/hold_packages.yml

@@ -1,5 +1,8 @@
 ---
 
+- include_role:
+    name: evolix/remount-usr
+
 - name: "hold packages (apt)"
   shell: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) || apt-mark hold {{ item }})"
   args:
@@ -76,8 +79,8 @@
 - name: Check if Cron is installed
   shell: "dpkg --list 'cron' 2>/dev/null | grep -q -E '^(i|h)i'"
   register: is_cron
-  changed_when: false
-  failed_when: false
+  changed_when: False
+  failed_when: False
   check_mode: no
   tags:
     - apt

apt/tasks/migrate-to-deb822.yml

@@ -0,0 +1,31 @@
+---
+- include_role:
+    name: evolix/remount-usr
+
+- name: /usr/share/scripts exists
+  file:
+    dest: /usr/share/scripts
+    mode: "0700"
+    owner: root
+    group: root
+    state: directory
+  tags:
+    - apt
+
+- name: Migration scripts are installed
+  copy:
+    src: "{{ item  }}"
+    dest: "/usr/share/scripts/{{ item  }}"
+    force: yes
+    mode: "0755"
+  loop:
+    - deb822-migration.py
+    - deb822-migration.sh
+  tags:
+    - apt
+
+- name: Exec migration script
+  command: /usr/share/scripts/deb822-migration.sh
+  ignore_errors: yes
+  tags:
+    - apt

apt/tasks/move-apt-keyring.yml

@@ -0,0 +1,52 @@
+---
+
+- name: New APT keyrings directory is present
+  file:
+    path: /etc/apt/keyrings
+    state: directory
+    mode: "0755"
+    owner: root
+    group: root
+
+- include_role:
+    name: evolix/remount-usr
+
+- name: /usr/share/scripts exists
+  file:
+    dest: /usr/share/scripts
+    mode: "0700"
+    owner: root
+    group: root
+    state: directory
+  tags:
+    - apt
+
+- name: migration script is present
+  copy:
+    src: move-apt-keyrings.sh
+    dest: /usr/share/scripts/move-apt-keyrings.sh
+    mode: "0755"
+    owner: root
+    group: root
+
+- name: Move repository signing key
+  command: "/usr/share/scripts/move-apt-keyrings.sh \"{{ item.repository_pattern }}\" \"{{ item.key }}\""
+  loop:
+    - { repository_pattern: "http://pub.evolix.net/", key: "reg.asc" }
+    - { repository_pattern: "http://pub.evolix.org/evolix", key: "pub_evolix.asc" }
+    - { repository_pattern: "https://pub.evolix.org/evolix", key: "pub_evolix.asc" }
+    - { repository_pattern: "https://artifacts.elastic.co/packages/[^/]+/apt", key: "elastics.asc" }
+    - { repository_pattern: "https://download.docker.com/linux/debian", key: "docker-debian.asc" }
+    - { repository_pattern: "https://downloads.linux.hpe.com/SDR/repo/mcp", key: "hpePublicKey2048_key1.asc" }
+    - { repository_pattern: "http://pkg.jenkins-ci.org/debian-stable", key: "jenkins.asc" }
+    - { repository_pattern: "https://packages.sury.org/php/", key: "sury.gpg" }
+    - { repository_pattern: "http://repo.mongodb.org/apt/debian", key: "mongodb-server-[0-9\\.]+.asc" }
+    - { repository_pattern: "http://apt.newrelic.com/debian/", key: "newrelic.asc" }
+    - { repository_pattern: "https://deb.nodesource.com/", key: "nodesource.asc" }
+    - { repository_pattern: "https://dl.yarnpkg.com/debian/", key: "yarn.asc" }
+    - { repository_pattern: "http://apt.postgresql.org/pub/repos/apt/", key: "postgresql.asc" }
+  register: _cmd
+
+- name: Debug command
+  debug:
+    var: _cmd

apt/templates/evolix_public.list.j2

@@ -1,7 +1,3 @@
 # {{ ansible_managed }}
 
-{% if ansible_distribution_release == "bookworm" %}
-deb [signed-by={{ apt_keyring_dir }}/reg.asc] http://pub.evolix.net/ bullseye/
-{% else %}
-deb [signed-by={{ apt_keyring_dir }}/reg.asc] http://pub.evolix.net/ {{ ansible_distribution_release }}/
-{% endif %}
+deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix {{ ansible_distribution_release }} main

bind/defaults/main.yml

@@ -8,4 +8,5 @@ bind_systemd_service_path: /etc/systemd/system/bind9.service
 bind_statistics_file: /var/run/named.stats
 bind_log_file: /var/log/bind.log
 bind_query_file: /var/log/bind_queries.log
+bind_query_file_enabled: False
 bind_cache_dir: /var/cache/bind

bind/handlers/main.yml

@@ -1,19 +1,21 @@
 ---
 - name: reload systemd
-  command: systemctl daemon-reload
+  systemd:
+    daemon-reload: yes
+
 
 - name: restart apparmor
-  service:
+  systemd:
     name: apparmor
     state: restarted
 
 - name: restart bind
-  service:
+  systemd:
     name: bind9
     state: restarted
 
 - name: restart munin-node
-  service:
+  systemd:
     name: munin-node
     state: restarted
 

bind/tasks/authoritative.yml

@@ -0,0 +1,11 @@
+---
+
+- name: Set bind configuration for authoritative server
+  template:
+    src: named.conf.options_authoritative.j2
+    dest: /etc/bind/named.conf.options
+    owner: bind
+    group: bind
+    mode: "0644"
+    force: yes
+  notify: restart bind

bind/tasks/main.yml

@@ -1,22 +1,30 @@
 # Until chroot-bind.sh is migrated to ansible, we hardcode the chroot paths.
 - name: set chroot variables
   set_fact:
-     bind_log_file: /var/log/bind.log
-     bind_query_file: /var/log/bind_queries.log
-     bind_cache_dir: /var/cache/bind
-     bind_statistics_file: /var/run/named.stats
-     bind_chroot_path: /var/chroot-bind
+    bind_log_file: /var/log/bind.log
+    bind_query_file: /var/log/bind_queries.log
+    bind_cache_dir: /var/cache/bind
+    bind_statistics_file: /var/run/named.stats
+    bind_chroot_path: /var/chroot-bind
   when: bind_chroot_set | bool
 
+- name: Check AppArmor
+  shell: systemctl is-active apparmor || systemctl is-enabled apparmor
+  failed_when: False
+  changed_when: False
+  check_mode: no
+  register: check_apparmor
+
 - name: configure apparmor
   template:
     src: apparmor.usr.sbin.named.j2
     dest: /etc/apparmor.d/usr.sbin.named
     owner: root
     group: root
-    mode: '0644'
+    mode: "0644"
     force: yes
   notify: restart apparmor
+  when: check_apparmor.rc == 0
 
 - name: package are installed
   apt:
@@ -25,47 +33,23 @@
       - dnstop
     state: present
 
-- name: Set bind configuration for recursive server
-  template:
-    src: named.conf.options_recursive.j2
-    dest: /etc/bind/named.conf.options
-    owner: bind
-    group: bind
-    mode: "0644"
-    force: yes
-  notify: restart bind
-  when: bind_recursive_server | bool
+- include: authoritative.yml
+  when: bind_authoritative_server | bool
 
-- name: enable zones.rfc1918 for recursive server
-  lineinfile:
-    dest: /etc/bind/named.conf.local
-    line: 'include "/etc/bind/zones.rfc1918";'
-    regexp: "zones.rfc1918"
-  notify: restart bind
+- include: recursive.yml
   when: bind_recursive_server | bool
 
-- name: Set bind configuration for authoritative server
-  template:
-    src: named.conf.options_authoritative.j2
-    dest: /etc/bind/named.conf.options
-    owner: bind
-    group: bind
-    mode: "0644"
-    force: yes
-  notify: restart bind
-  when: bind_authoritative_server | bool
-
-- name: Create systemd service
+- name: Create systemd service for Debian 8 (Jessie)
   template:
-    src: bind9.service.j2
+    src: bind9.service.jessie.j2
     dest: "{{ bind_systemd_service_path }}"
     owner: root
     group: root
     mode: "0644"
     force: yes
   notify:
-  - reload systemd
-  - restart bind
+    - reload systemd
+    - restart bind
   when: ansible_distribution_release == "jessie"
 
 - name: "touch {{ bind_log_file }} if non chroot"

bind/tasks/munin.yml

@@ -19,7 +19,7 @@
     - bind9_rndc
   notify: restart munin-node
   when:
-    - bind_authoritative_server
+    - bind_authoritative_server | bool
     - munin_node_plugins_config.stat.exists
   tags:
     - bind
@@ -32,10 +32,10 @@
     state: link
   loop:
     - bind9
-    - bind9_rndc
   notify: restart munin-node
   when:
-    - bind_recursive_server
+    - bind_recursive_server | bool
+    - bind_query_file_enabled | bool
     - munin_node_plugins_config.stat.exists
   tags:
     - bind

bind/tasks/recursive.yml

@@ -0,0 +1,19 @@
+---
+
+
+- name: Set bind configuration for recursive server
+  template:
+    src: named.conf.options_recursive.j2
+    dest: /etc/bind/named.conf.options
+    owner: bind
+    group: bind
+    mode: "0644"
+    force: yes
+  notify: restart bind
+
+- name: enable zones.rfc1918 for recursive server
+  lineinfile:
+    dest: /etc/bind/named.conf.local
+    line: 'include "/etc/bind/zones.rfc1918";'
+    regexp: "zones.rfc1918"
+  notify: restart bind

bind/templates/apparmor.usr.sbin.named.j2

@@ -56,7 +56,9 @@
   # some people like to put logs in /var/log/named/ instead of having
   # syslog do the heavy lifting.
   {{ bind_log_file }} rw,
+{% if bind_query_file_enabled | bool %}
   {{ bind_query_file }} rw,
+{% endif %}
 
   # gssapi
   /var/lib/sss/pubconf/krb5.include.d/** r,

bind/templates/logrotate_bind.j2

@@ -1,7 +1,7 @@
-{% if bind_chroot_set %}
-{{ bind_chroot_path }}{{bind_log_file}} {
+{% if bind_chroot_set | bool %}
+{{ bind_chroot_path }}{{ bind_log_file }} {
 {% else %}
-{{bind_log_file}} {
+{{ bind_log_file }} {
 {% endif %}
     weekly
     missingok

bind/templates/munin-env_bind9.j2

@@ -1,9 +1,17 @@
 [bind*]
 user root
 
-env.logfile {% if bind_chroot_set %}{{ bind_chroot_path }}{% endif %}{{ bind_query_file }}
+{% if bind_query_file_enabled | bool %}
+{% if bind_chroot_set | bool %}
+env.logfile {{ bind_chroot_path }}{{ bind_query_file }}
+{% else %}
+env.logfile {{ bind_query_file }}
+{% endif %}
+{% endif %}
+
 {% if bind_authoritative_server %}
 env.querystats {% if bind_chroot_set %}{{ bind_chroot_path }}{% endif %}{{ bind_statistics_file }}
 {% endif %}
+
 env.MUNIN_PLUGSTATE /var/lib/munin
 timeout 120

bind/templates/named.conf.options_authoritative.j2

@@ -1,7 +1,7 @@
-acl "foo" {
-    ::ffff:192.0.2.21; 192.0.2.21;
-    2001:db8::21;
-};
+// acl "foo" {
+//     ::ffff:192.0.2.21; 192.0.2.21;
+//     2001:db8::21;
+// };
 
 options {
       directory "{{ bind_cache_dir }}";
@@ -20,16 +20,20 @@ options {
 
 logging {
     category default { default_file; };
+{% if bind_query_file_enabled | bool %}
     category queries { query_logging; };
+{% endif %}
 
     channel default_file {
         file "{{ bind_log_file }}";
         severity info;
     };
+{% if bind_query_file_enabled | bool %}
     channel query_logging {
         file "{{ bind_query_file }}" versions 2 size 128M;
         print-category yes;
         print-severity yes;
         print-time yes;
     };
+{% endif %}
 };

bind/templates/named.conf.options_recursive.j2

@@ -9,16 +9,20 @@ options {
 
 logging {
     category default { default_file; };
+{% if bind_query_file_enabled | bool %}
     category queries { query_logging; };
+{% endif %}
 
     channel default_file {
         file "{{ bind_log_file }}";
         severity info;
     };
+{% if bind_query_file_enabled | bool %}
     channel query_logging {
         file "{{ bind_query_file }}" versions 2 size 128M;
         print-category yes;
         print-severity yes;
         print-time yes;
     };
+{% endif %}
 };

clamav/tasks/main.yml

@@ -13,7 +13,7 @@
     - { key: 'clamav-daemon/StreamMaxLength', type: 'string', value: '25' }
     - { key: 'clamav-daemon/ReadTimeout', type: 'string', value: '180' }
     - { key: 'clamav-daemon/StatsEnabled', type: 'boolean', value: 'false' }
-    - { key: 'clamav-daemon/MaxConnectionQueueLength', type: 'string', value: '15' }
+    - { key: 'clamav-daemon/MaxConnectionQueueLength', type: 'string', value: '200' }
     - { key: 'clamav-daemon/LogRotate', type: 'boolean', value: 'true' }
     - { key: 'clamav-daemon/AllowAllMatchScan', type: 'boolean', value: 'true' }
     - { key: 'clamav-daemon/ScanOnAccess', type: 'boolean', value: 'false' }