Compare commits
441 commits
emorino/pa
...
stable
Author | SHA1 | Date | |
---|---|---|---|
8ad55d9a84 | |||
f7ceaf2fb6 | |||
Jérémy Lecour | fe1e66f79c | ||
Jérémy Lecour | 2e529524f7 | ||
Jérémy Lecour | f05c8c03c9 | ||
Jérémy Lecour | 24f1e72147 | ||
Jérémy Lecour | 22f7a6b831 | ||
Jérémy Lecour | 4128962d05 | ||
c1dc380e85 | |||
Jérémy Lecour | 346317081e | ||
Jérémy Lecour | 5be04c36ee | ||
e0f81f14d0 | |||
63c09e2ae5 | |||
Jérémy Lecour | d4343833c9 | ||
Jérémy Lecour | cf430f286a | ||
Jérémy Lecour | 38e498cf9a | ||
Jérémy Lecour | 5903ff8c81 | ||
Jérémy Lecour | 1d342f6952 | ||
Jérémy Lecour | 0397612541 | ||
Jérémy Lecour | 9be5a18c2e | ||
Jérémy Lecour | 110a4a4282 | ||
Jérémy Lecour | 145b279a12 | ||
Jérémy Lecour | 6ee1e609ac | ||
Jérémy Lecour | 2ad2ae8521 | ||
Jérémy Lecour | e3746d18fb | ||
Jérémy Lecour | 1d5415237c | ||
Jérémy Lecour | e5bbb601d3 | ||
Mathieu Trossevin | 4c2548b21d | ||
Ludovic Poujol | 5d11468327 | ||
Ludovic Poujol | a41e78b556 | ||
Jérémy Lecour | 8cd887ee21 | ||
Jérémy Lecour | 42ad242aaf | ||
Jérémy Lecour | f8e92d2eeb | ||
Jérémy Lecour | 9a65312190 | ||
Jérémy Dubois | 16394060c9 | ||
Jérémy Dubois | f4e6aabe8a | ||
0ec343766d | |||
d1410e38a1 | |||
mgauthier | 7272106bce | ||
d11cf4987b | |||
Jérémy Lecour | 2a264dd2bc | ||
5708e7205d | |||
4bbe2f4f72 | |||
Jérémy Lecour | 7a9be8d6fa | ||
5acb1956f5 | |||
96504b1deb | |||
56eef89084 | |||
b30b7c884a | |||
fe66ad9c4f | |||
96c1017b5d | |||
23f4f9690f | |||
Jérémy Lecour | d758afdd4b | ||
Ludovic Poujol | ae2e447bc4 | ||
8e3724d5e7 | |||
ff19df2444 | |||
eda69725d5 | |||
bc9609ce48 | |||
Ludovic Poujol | aca146adbc | ||
ccff3b2105 | |||
2fe0d25277 | |||
Jérémy Lecour | 501f5e7577 | ||
8b68f03910 | |||
Jérémy Lecour | 78326e43e8 | ||
Jérémy Lecour | 2a856d579e | ||
Jérémy Lecour | beea53aa64 | ||
Jérémy Lecour | 342380876a | ||
Jérémy Lecour | 24cbbf2f54 | ||
Jérémy Lecour | 56237bb3c6 | ||
Jérémy Lecour | abd329b9c1 | ||
Jérémy Lecour | 037ec9d376 | ||
Jérémy Lecour | c333970606 | ||
Jérémy Lecour | 10b507adc4 | ||
Jérémy Lecour | b2e22413bc | ||
bec868009c | |||
aea710cb25 | |||
Ludovic Poujol | b0ba70f06c | ||
Jérémy Dubois | 0a4a220bdf | ||
Jérémy Lecour | 282dcb28f4 | ||
a0fc763a0c | |||
a56e8c27ee | |||
Jérémy Lecour | 56db6e1fbc | ||
Jérémy Lecour | 015cac688e | ||
Jérémy Lecour | c12c581f63 | ||
7c2fd5e394 | |||
Jérémy Lecour | 9402458304 | ||
Jérémy Lecour | cf0fab1e22 | ||
Jérémy Lecour | 13284645de | ||
Jérémy Lecour | 2f96151c70 | ||
Jérémy Lecour | d4fcc6f8f4 | ||
Jérémy Lecour | eb3aac9d3e | ||
Jérémy Lecour | 2e9b6c0680 | ||
Jérémy Lecour | 0b859fd1a4 | ||
Jérémy Lecour | fe5a61289b | ||
Jérémy Lecour | ae665ea178 | ||
Jérémy Lecour | d401778024 | ||
Jérémy Lecour | 4fb49dd6c9 | ||
Jérémy Lecour | ef2e65287e | ||
Jérémy Lecour | 8af6cdc4d6 | ||
3bb29aa6ba | |||
Jérémy Lecour | 47d7141a66 | ||
Jérémy Lecour | 75650032d4 | ||
5df27a4bc5 | |||
Jérémy Lecour | 2768b3146f | ||
Jérémy Lecour | 8f86584605 | ||
Jérémy Lecour | ba827b79d9 | ||
Jérémy Lecour | 12993a8d7c | ||
Jérémy Lecour | ff233b65a6 | ||
Jérémy Lecour | 8dd9c64cbc | ||
Jérémy Lecour | 112bc2133a | ||
Jérémy Lecour | 63745c2697 | ||
1f8738fbda | |||
554bbaa36f | |||
bc07010aa6 | |||
9f530d78db | |||
de0a98d693 | |||
8741167a80 | |||
4c9e4a30cc | |||
d67e2b122f | |||
393c1f4ff1 | |||
e14408cb05 | |||
1924324c07 | |||
d55b2b14bb | |||
b31aa53c81 | |||
dae2a25f78 | |||
cce7280cd0 | |||
68d9d3c47c | |||
251416f3e8 | |||
9b67202acc | |||
30bd72614d | |||
aa2593f34c | |||
bc19912b71 | |||
Jérémy Lecour | 0c17e4d8fc | ||
Jérémy Lecour | 51280c586a | ||
Jérémy Lecour | f994e19946 | ||
531b633d99 | |||
bceb3f5c27 | |||
422f007e9d | |||
72727a8332 | |||
Jérémy Lecour | f3eb7a4981 | ||
Jérémy Lecour | bca5b9f28c | ||
Jérémy Lecour | c9df19e146 | ||
Jérémy Lecour | bf07ef74c3 | ||
f5d5e84caf | |||
e089796c4c | |||
0a590b6679 | |||
41897f4c62 | |||
1ac497282c | |||
9fb635b45f | |||
Mathieu Trossevin | c2de4b4cd1 | ||
Jérémy Lecour | d93eb2495b | ||
Jérémy Lecour | 046f1411b3 | ||
Ludovic Poujol | 4a1b94f55d | ||
1eb5a47c71 | |||
d4ac4ef7a1 | |||
70c2d25837 | |||
Mathieu Trossevin | c0f27426bc | ||
Mathieu Trossevin | 62c596046d | ||
Jérémy Lecour | b4c9fcf6f7 | ||
9e67db57e5 | |||
Mathieu Trossevin | 0c09763e87 | ||
95610e16be | |||
5f158e031b | |||
Jérémy Lecour | b0992bcaf9 | ||
Jérémy Lecour | 26e3dc1be6 | ||
Jérémy Lecour | a920d2d402 | ||
Jérémy Lecour | 6c0ca02391 | ||
Jérémy Lecour | db63902206 | ||
Jérémy Lecour | ca5d9d5202 | ||
Jérémy Lecour | fb7218972f | ||
66b69f1502 | |||
Jérémy Lecour | c90afcb4f4 | ||
Ludovic Poujol | e32e1c5496 | ||
cbc51c462a | |||
4d7de89ad4 | |||
c9e8b6c4e1 | |||
31826b9ee5 | |||
43aff50891 | |||
de949fd348 | |||
57ce920d7f | |||
Jérémy Lecour | ae79f33e3a | ||
c861fe1974 | |||
9867dcb319 | |||
066a66eb4b | |||
b8732dffaf | |||
4d9e1af40f | |||
59afbb2e9a | |||
Mathieu Trossevin | 0ca31b91fe | ||
fba894cad9 | |||
1a74bef0bc | |||
83e61b25a5 | |||
Jérémy Lecour | 06c47493e9 | ||
Jérémy Lecour | 81d97bb3fb | ||
Jérémy Lecour | 9e3e20e3a8 | ||
Jérémy Lecour | f9125b8f3f | ||
e5f5425f6d | |||
69bc93ff6e | |||
8f1fa57c37 | |||
cb03831ae8 | |||
892067cf2b | |||
c93748487b | |||
2c86660e52 | |||
95aeb9a68e | |||
239065bf36 | |||
736ed26036 | |||
96d15eb5aa | |||
33d22b2614 | |||
3bd87906ce | |||
9cedf84dae | |||
7ad55027da | |||
c71521acc3 | |||
8993242b2c | |||
Jérémy Lecour | 4cba25d8fc | ||
Jérémy Lecour | f01e7453fb | ||
Jérémy Lecour | 71ed4c4c8c | ||
Jérémy Lecour | 00fad357b5 | ||
Jérémy Lecour | 83c178f244 | ||
Jérémy Lecour | 642fbb1ea4 | ||
a5e4359d0e | |||
0578d5a3ec | |||
ac72c7ac31 | |||
b1a67d1a5c | |||
1394052fd6 | |||
4a6e6e6ba2 | |||
Ludovic Poujol | b77845cc8c | ||
Jérémy Lecour | c97e94bfe7 | ||
6ae9e04f27 | |||
aab3381887 | |||
009de62e28 | |||
41ec5b737b | |||
c9c8ade55d | |||
bc284f8248 | |||
74a6b2ead1 | |||
331f4e8875 | |||
953ca015c5 | |||
45436d77b1 | |||
1259b88588 | |||
b05fa5a779 | |||
03c09dc092 | |||
Jérémy Lecour | ab30ea4cde | ||
679e170dce | |||
Jérémy Lecour | 198f3fab0a | ||
Jérémy Lecour | 3b3b130248 | ||
Jérémy Lecour | 31990cfe80 | ||
Jérémy Lecour | 3e55768c49 | ||
Jérémy Lecour | 86e753b7a0 | ||
Jérémy Lecour | 9c56cff642 | ||
Jérémy Lecour | 243c64f555 | ||
bbf6ce6f6e | |||
dbd1103078 | |||
bc3656dd4c | |||
a80076a5ea | |||
Jérémy Lecour | 3347ac4271 | ||
0c9b55e5e1 | |||
Jérémy Lecour | c673ed10c6 | ||
Jérémy Lecour | 0f15484ada | ||
Jérémy Lecour | d6a777be72 | ||
Jérémy Lecour | 31456aa126 | ||
Jérémy Lecour | 9cd0426d2b | ||
fef86b0a3f | |||
f2c37dddff | |||
35e7f22210 | |||
b722ca822f | |||
a2306e6a15 | |||
ca67feb39e | |||
aa13171f91 | |||
ec4c9108e7 | |||
c03dd0ca2f | |||
d69259f2ca | |||
Ludovic Poujol | a65230b5e0 | ||
Bruno TATU | ee6bd8cec4 | ||
e4a70b3c0c | |||
4c91f424c6 | |||
Jérémy Lecour | dfe2448e86 | ||
Jérémy Lecour | b5550d2ce2 | ||
Jérémy Lecour | cc9d0c59d3 | ||
6cd4048a0c | |||
Jérémy Lecour | 1dbe51fc65 | ||
Jérémy Lecour | 050b2ae419 | ||
Bruno TATU | 45fc4b3371 | ||
1848a6162a | |||
Iliane Said | 4ca17f06c1 | ||
2c98717ebc | |||
f8b9361afd | |||
d7d8ee63b2 | |||
92788a8b93 | |||
689ed21b38 | |||
682fac14b2 | |||
ac70793ad6 | |||
Jérémy Lecour | b57a5c3b3c | ||
Jérémy Lecour | 53a0e56472 | ||
Jérémy Lecour | 41004e20b4 | ||
2af2e5ee78 | |||
2a7d2d9c58 | |||
Mathieu Trossevin | 4ee7c89410 | ||
Mathieu Trossevin | cfca604670 | ||
7ad296e74f | |||
1b6700925c | |||
5b63ba112c | |||
e289fd7119 | |||
a440110cad | |||
bfe3bd7ef4 | |||
ec4fd5d27f | |||
73c0a0d29a | |||
354c11fc25 | |||
Jérémy Lecour | 8ca7cc4692 | ||
Jérémy Lecour | e2dea8054f | ||
df202197c7 | |||
6e5ba9bd9a | |||
090495e920 | |||
Ludovic Poujol | 594146bdac | ||
Ludovic Poujol | e71cffd8fd | ||
8c72a7de8e | |||
b8b48bbcb9 | |||
53aab6f405 | |||
fe369257ed | |||
0e1fe0e81f | |||
Ludovic Poujol | 5cc7c13104 | ||
Jérémy Lecour | bb41d313a9 | ||
a56682a7ca | |||
Jérémy Lecour | feba74c469 | ||
Jérémy Lecour | 67c6167474 | ||
536d051890 | |||
36cd982f35 | |||
263f940c3d | |||
a478348716 | |||
f7f578705c | |||
4a0d3a4965 | |||
fbb0b73e3a | |||
7e15e01b14 | |||
86978a8225 | |||
0098cd2f08 | |||
e70ab6d039 | |||
fc8105e84e | |||
87711ef00c | |||
fc241f2835 | |||
eca2b5e4bf | |||
ec34d8afe1 | |||
5265119912 | |||
b92871bfef | |||
81849c6537 | |||
Ludovic Poujol | 204b8af59b | ||
a867da5ca9 | |||
Ludovic Poujol | f0abb53750 | ||
87d09275a0 | |||
eca010d959 | |||
Jérémy Lecour | 3ce412341f | ||
05715d92f3 | |||
bc714c5ac8 | |||
Ludovic Poujol | 16bba8b469 | ||
7e193e4916 | |||
e6ef4396f3 | |||
8e99b9fcb8 | |||
043f714722 | |||
Eric Morino | 6f218a7763 | ||
5bd6893dac | |||
3c3db4fefa | |||
4b4b34e849 | |||
b64072fbbb | |||
c2e27d025c | |||
b6886384b9 | |||
1a1d4265a7 | |||
ef642e564e | |||
030871ea9b | |||
440a54c21c | |||
f2eaac0894 | |||
67f0fa5942 | |||
7133783695 | |||
Jérémy Lecour | 4476c4b633 | ||
Jérémy Lecour | 83f7b6cdca | ||
Ludovic Poujol | f50848917a | ||
fa35cb6d8f | |||
016750685f | |||
da0110b4f3 | |||
Mathieu Trossevin | 831715e44c | ||
53f82edefb | |||
aa10f719b4 | |||
Jérémy Lecour | d747ee0f83 | ||
Jérémy Lecour | 0331c23ad6 | ||
Jérémy Lecour | e347b6eca8 | ||
Bruno TATU | fb184a0ecf | ||
bb54c9209e | |||
1ecb463104 | |||
e4436d9066 | |||
Jérémy Lecour | a6bac1f20b | ||
Bruno TATU | 18f160fb83 | ||
Jérémy Lecour | 00fe225a3c | ||
def4d54538 | |||
9f632100fb | |||
42ad894d45 | |||
64c1da40b0 | |||
Ludovic Poujol | aec5406043 | ||
2e73bf09f7 | |||
19787152d8 | |||
Jérémy Lecour | 1c60b02e77 | ||
Ludovic Poujol | 9a5b5a39a9 | ||
Eric Morino | 1ec212f514 | ||
Ludovic Poujol | 24d7fe5def | ||
Ludovic Poujol | b234fdaea9 | ||
Ludovic Poujol | 5c095dc862 | ||
e00af3aafb | |||
Jérémy Lecour | 060018be26 | ||
Jérémy Lecour | 318991fe42 | ||
Jérémy Lecour | 5027151011 | ||
Jérémy Lecour | 2c079755e9 | ||
Eric Morino | 9f87049ee4 | ||
Eric Morino | 81e1d1b0c1 | ||
Jérémy Lecour | 1ae40e7686 | ||
emorino | 6837df5a9e | ||
emorino | 3e00632a41 | ||
9ff615f19a | |||
5563b4f8f2 | |||
Ludovic Poujol | 91bcd2a605 | ||
Jérémy Lecour | 8706a35705 | ||
Eric Morino | 7b667d1650 | ||
5ef4d91f1c | |||
Jérémy Lecour | 7660444c9a | ||
Jérémy Lecour | f79d8456d6 | ||
3d8ae87368 | |||
6ab34517b6 | |||
ad2d96d890 | |||
Jérémy Lecour | d3345d2866 | ||
db0b5ab3db | |||
9821fc8f78 | |||
5c60fad29c | |||
8f4bcccbc3 | |||
Jérémy Lecour | a10cff94d0 | ||
Jérémy Lecour | 6cd72cf9f4 | ||
Jérémy Lecour | 42e98791d9 | ||
e8c7d2c3e3 | |||
37e6b14001 | |||
Eric Morino | 602bb22984 | ||
0c2e06de33 | |||
956e644ac4 | |||
Eric Morino | 23b26fa239 | ||
Eric Morino | b7723cfe69 | ||
Eric Morino | 8ec5c79ca1 | ||
Eric Morino | 7d75ed1a96 | ||
Eric Morino | c157450a2c | ||
Jérémy Lecour | 7052b7bd1e | ||
Jérémy Lecour | 8e4e77cb8b | ||
Jérémy Lecour | e1e4f39778 |
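--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@
 .kateproject.d
 .vagrant/
 *.swp
+.vscode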
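--- /dev/null
+++ b/.markdownlint.json
@@ -0,0 +1,4 @@
+{
+"MD013": false,
+"MD024": false
+}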
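Review bot: Disabling MD024 outright in the new .markdownlint.json also silences genuinely duplicated headings at the same level, which is the defect the rule exists to catch. The repeated `### Added`/`### Changed`/`### Fixed` sections that a Keep-a-Changelog file needs only collide under different parent headings, and markdownlint has a narrower form for exactly that case: `"MD024": { "siblings_only": true }`. MD013 (line length) being off is reasonable for a changelog with long bullet entries, but a one-line comment is impossible in JSON, so the rationale for both overrides would fit better in the README or the commit message.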
3
.vscode/settings.json
vendored
3
.vscode/settings.json
vendored
|
@ -3,5 +3,6 @@
|
||||||
"*.yml": "ansible",
|
"*.yml": "ansible",
|
||||||
"*.yaml": "ansible"
|
"*.yaml": "ansible"
|
||||||
},
|
},
|
||||||
"yaml.format.enable": false
|
"yaml.format.enable": false,
|
||||||
|
"ansible.python.interpreterPath": "/bin/python"
|
||||||
}
|
}
|
388
CHANGELOG.md
388
CHANGELOG.md
|
@ -1,22 +1,312 @@
|
||||||
# Changelog
|
# Changelog
|
||||||
|
|
||||||
All notable changes to this project will be documented in this file.
|
All notable changes to this project will be documented in this file.
|
||||||
|
|
||||||
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
|
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
|
||||||
|
|
||||||
This project does not follow semantic versioning.
|
This project does not follow semantic versioning.
|
||||||
The **major** part of the version is the year
|
The **major** part of the version is the year
|
||||||
The **minor** part changes is the month
|
The **minor** part is the month
|
||||||
The **patch** part changes is incremented if multiple releases happen the same month
|
The **patch** part is incremented if multiple releases happen the same month
|
||||||
|
|
||||||
|
|
||||||
## [Unreleased]
|
## [Unreleased]
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
||||||
* graylog: new role
|
### Changed
|
||||||
|
|
||||||
|
### Fixed
|
||||||
|
|
||||||
|
### Removed
|
||||||
|
|
||||||
|
### Security
|
||||||
|
|
||||||
|
## [24.05] 2024-05-15
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
* apt: add list-upgradable-held-packages.sh
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
|
||||||
|
* evobackup-client: upstream release 24.05.1
|
||||||
|
* evolinux-base: improve adding the current user to SSH AllowGroups of AllowUsers
|
||||||
|
* evolinux-users: improve SSH configuration
|
||||||
|
* evomaintenance: upstream release 24.05
|
||||||
|
* evomaintenance: move upstream files into upstream folder
|
||||||
|
|
||||||
|
### Fixed
|
||||||
|
|
||||||
|
* apt: use archive.debian.org with Buster
|
||||||
|
|
||||||
|
## [24.04] 2024-04-30
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
* proftpd: optional configuration of IP whitelists per groups of users
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
|
||||||
|
* autosysadmin-agent: upstream release 24.03.2
|
||||||
|
* evobackup-client: replace non-functional role with install tasks
|
||||||
|
* evobackup-client: upstream release 24.04.1
|
||||||
|
* evolinux-base: Add new variable to disable global customisation of bash config
|
||||||
|
* evolinux-base: Disable logcheck monitoring of journald only if journald.logfiles exists
|
||||||
|
* evolinux-users: Add sudo mvcli for nagios user
|
||||||
|
* haproxy: support bookworm for backport packages
|
||||||
|
* nrpe: !disk1 exclude filesystem type overlay
|
||||||
|
* postfix/amavis: max servers is now 3 (previously 2)
|
||||||
|
* roundcube: Use /var/log/roundcube directly
|
||||||
|
* vrrpd: configure and restart minifirewall before starting VRRP
|
||||||
|
* vrrpd: configure minifirewall with blocks instead of lines
|
||||||
|
|
||||||
|
### Fixed
|
||||||
|
|
||||||
|
* certbot: Fix HAPEE renewal hook
|
||||||
|
* certbot: Fix HAProxy renewal hook
|
||||||
|
* evolinux-base/logcheck: fix conf patch, journal check was not disabled when asked
|
||||||
|
* fail2ban: SQLite purge script didn't vacuum as expected + error when vacuum cannot be done
|
||||||
|
* keepalived: Fix tasks that use file instead of copy
|
||||||
|
* memcached: Fix conditions not properly writen (installation was always in multi-instance mode)
|
||||||
|
* nagios-nrpe: create /etc/bash_completion.d if missing
|
||||||
|
* openvpn: install packages manually, because openbsd_pkg module is broken since OpenBSD 7.4 with the version of Ansible we currently use
|
||||||
|
* packweb: fix old bug (2017!) .orig file created by module patch and taken in account by ProFTPd
|
||||||
|
* redis: replace inline argument with environment variable for the password
|
||||||
|
|
||||||
|
### Removed
|
||||||
|
|
||||||
|
* docker-host: Removed `docker_conf_use_iptables` variable (iptable usage forced to true)
|
||||||
|
|
||||||
|
## [24.03] 2024-03-01
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
* autosysadmin-agent: upstream release 24.03
|
||||||
|
* autosysadmin-restart_nrpe: add role
|
||||||
|
* certbot: Renewal hook for NRPE
|
||||||
|
* kvm-host: add minifirewall rules if DRBD interface is configured
|
||||||
|
* proftpd: add whitelist ip
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
|
||||||
|
* apt: add ftp.evolix.org as recognized system source
|
||||||
|
* autosysadmin-agent: logs clearing is done weekly
|
||||||
|
* autosysadmin-agent: rename /usr/share/scripts/autosysadmin/{auto,restart}
|
||||||
|
* certbot: use pkey to test the key
|
||||||
|
* evolinux-base: execute autosysadmin-agent and autosysadmin-restart_nrpe roles
|
||||||
|
* lxc-php, php: Update sury PGP key
|
||||||
|
* openvpn: earlier alert for CA expiration
|
||||||
|
* redis: create sysfs config file if missing
|
||||||
|
* nextcloud: use latest version by default
|
||||||
|
|
||||||
|
### Removed
|
||||||
|
|
||||||
|
* autosysadmin: replaced by autosysadmin-agent
|
||||||
|
|
||||||
|
## [24.02.1] 2024-02-08
|
||||||
|
|
||||||
|
### Fixed
|
||||||
|
|
||||||
|
* fail2ban: fix Ansible syntax
|
||||||
|
|
||||||
|
## [24.02] 2024-02-08
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
* Support for PHP 8.3 with bookworm LXC containers
|
||||||
|
* apt: add task file to install ELTS repository (default: False)
|
||||||
|
* autosysadmin: Add a role to automatically deploy autosysadmin on evolixisation
|
||||||
|
* check_free_space: added role
|
||||||
|
* etc-git: add /var/chroot-bind/etc/bind repo
|
||||||
|
* fail2ban: add script unban_ip
|
||||||
|
* generateldif: new Services for check_pressure_{cpu,io,mem}
|
||||||
|
* kvm-host: Automatically add an LVM filter when LVM is present
|
||||||
|
* lxc-php: Allow one to install php83 on Bookworm container
|
||||||
|
* minifirewall: Fix nagios check for old versions of minifirewall
|
||||||
|
* mongodb: add gpg key for 7.0
|
||||||
|
* nagios-nrpe: add check_sentinel for monitoring Redis Sentinel
|
||||||
|
* nagios-nrpe: new check_pressure_{cpu,io,mem}
|
||||||
|
* remount-usr: do not try to remount /usr RW if /usr is not a mounted partition
|
||||||
|
* vrrpd: configure minifirewall
|
||||||
|
* vrrpd: test if interface exists before deleting it
|
||||||
|
* webapps/evoadmin-mail: package installed via public.evolix.org/evolix repo starting with Bookworm
|
||||||
|
* webapps/nextcloud: Add condition for archive tasks
|
||||||
|
* webapps/nextcloud: Add condition for config tasks
|
||||||
|
* webapps/nextcloud: Added var nextcloud_user_uid to enforce uid for nextcloud user
|
||||||
|
* webapps/nextcloud: Set ownership and permissions of data directory
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
|
||||||
|
* add-vm.sh: allow VM name max length > 20
|
||||||
|
* amavis: make ldap_suffix mandatory
|
||||||
|
* apache : fix goaway pattern for bad bots
|
||||||
|
* apache : rename MaxRequestsPerChild to MaxConnectionsPerChild (new name)
|
||||||
|
* apache: use backward compatible Redirect directive
|
||||||
|
* apt: Disable archive repository for Debian 8
|
||||||
|
* apt: Use the GPG version of the key for Debian 8-9
|
||||||
|
* bind: Update role for Buster, Bullseye and Bookworm support
|
||||||
|
* dovecot: add variables for LDAP
|
||||||
|
* dovecot: Munin plugin conf path is now `/etc/munin/plugin-conf.d/zzz-dovecot` (instead of `z-evolinux-dovecot`)
|
||||||
|
* evocheck: upstream release 24.01
|
||||||
|
* evolinux-base: dump-server-state upstream release 23.11
|
||||||
|
* evolinux-base: use separate default config file for rsyslog
|
||||||
|
* kvmstats: use .capacity instead of .physical for disk size
|
||||||
|
* ldap: make ldap_suffix mandatory
|
||||||
|
* listupgrade : old-kernel-removal.sh upstream release 24.01
|
||||||
|
* log2mail: move custom config in separate file
|
||||||
|
* lxc: init /etc git repository in lxc container
|
||||||
|
* mysql: disable performance schema for Debian 8
|
||||||
|
* nagios: add dockerd check in nrpe check template
|
||||||
|
* nagios: cleaning nrpe check template
|
||||||
|
* nagios: rename var `nagios_nrpe_process_processes` into `nagios_nrpe_processes` and check systemd-timesyncd instead of ntpd in Debian 12
|
||||||
|
* nagios: add option --full to check pressure IO and mem to avoid flaps
|
||||||
|
* proftpd: in SFTP vhost, enable SSH keys login, enable ed25549 host key for Debian >= 11
|
||||||
|
* redis: manage config template inside a block, to allow custom modifications outside
|
||||||
|
* spamassassin: Use spamd starting with Bookworm
|
||||||
|
* squid: config directory seems to have changed from /etc/squid3 to /etc/squid in Debian 8
|
||||||
|
* unbound: Add config file to allow configuration reload on Debian 11 and lower
|
||||||
|
* unbound: Add munin configuration & setup plugin
|
||||||
|
* unbound: Big cleanup
|
||||||
|
* unbound: Move generated config file to `/etc/unbound/unbound.conf.d/evolinux.conf`
|
||||||
|
* unbound: Use root hints provided by debian package dns-root-data instead of downloading them
|
||||||
|
* vrrpd: replace switch script with custom one (fix MAC issue, use `ip(8)`, shell cleanup…)
|
||||||
|
* vrrpd: variable to force update the switch script (default: false)
|
||||||
|
* webapps/nextcloud: Add Ceph volume to fstab
|
||||||
|
* webapps/nextcloud: Set home directory's mode
|
||||||
|
|
||||||
|
### Fixed
|
||||||
|
|
||||||
|
* Add php-fpm82 to LDAP when relevant
|
||||||
|
* Check stat.exists before stat.isdir
|
||||||
|
* apache: fix MaxRequestsPerChild value to be sync with wiki.e.o
|
||||||
|
* apt: use archive.debian.org with Stretch
|
||||||
|
* certbot: fix hook for dovecot when more than one certificate is used (eg. different certificates for POP3 and IMAP)
|
||||||
|
* dovecot: add missing LDAP conf iterate_filter to exclude disabled accounts in users list (caused « User no longer exists » errors in commands listing users like « doveadm user -u '*' » or « doveadm expunge -u "*" mailbox INBOX savedbefore 7d »).
|
||||||
|
* dovecot: fix missing default mails
|
||||||
|
* dovecot: fix plugin dovecot1
|
||||||
|
* evoadmin-web: Fix PHP version for Bookworm
|
||||||
|
* evolinux-base: fix hardware.yml (wrong repo, missing update cache)
|
||||||
|
* evolinux-base: start to install linux-image-cloud-amd64 with Buster
|
||||||
|
* fail2ban: fix template marker
|
||||||
|
* minifirewall: ports 25, 53, 443, 993, 995 not opened publicly by default anymore, ports 20, 21, 110, 143 not opened semi-publicly by default anymore.
|
||||||
|
* nagios: fix default file to monitor for check_clamav_db
|
||||||
|
* nginx: add "when: not ansible_check_mode" in various tasks to prevent fail in check mode
|
||||||
|
* nginx: fix mistake between "check_mode: no" and "when: not ansible_check_mode" (fail in check mode)
|
||||||
|
* nginx: fix mistake between "check_mode: no" and "when: not ansible_check_mode" (fail in check mode)
|
||||||
|
* nginx: keep indentation
|
||||||
|
* nginx: take care of « already defined » and « not yet defined » server status suffix in check mode
|
||||||
|
* php: Bullseye/Sury > Honor the php_version asked in the pub.evolix.org repository
|
||||||
|
* php: drop apt_preferences(5) file for sury
|
||||||
|
* postfix: remove dependency on evolinux_fqdn var
|
||||||
|
* proftpd: set missing default listen IP for SFTP
|
||||||
|
* roundcube: set default SMTP port to 25 instead of 587, which failed because of missing SSL conf (local connexion does not need SSL)
|
||||||
|
* ssl: no not execute haproxy tasks and reload if haproxy is disabled
|
||||||
|
* unbound: Add a apt cache validity to enforce an apt update if needed
|
||||||
|
* webapps/nextcloud: added check that nextcloud uid is over 3000
|
||||||
|
* webapps/nextcloud: fix Add Ceph volume to fstab : missing UUID= in src
|
||||||
|
* webapps/nextcloud: fix misplaced gid attribute
|
||||||
|
* webapps/nextcloud: fix missing gid
|
||||||
|
* webapps/roundcube & evoadminmail: make roles more idempotent (were failing when played twice)
|
||||||
|
* amavis: Add variables for generate "ldap_suffix"
|
||||||
|
* proftpd: fix error when no SSH key is provided
|
||||||
|
|
||||||
|
### Removed
|
||||||
|
|
||||||
|
* evolinux-base: no need to remove update-evobackup-canary from sbin anymore
|
||||||
|
* evolinux-base: no need to symlink backup-server-state to dump-server-state anymore
|
||||||
|
|
||||||
|
## [23.10] 2023-10-14
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
* apt: disable `NonFreeFirmware` warning for VM on Debian 12+
|
||||||
|
* apt: explicit `signed-by` directives for official sources
|
||||||
|
* bind: add reload-zone helper
|
||||||
|
* certbot: deploy-hook for proftpd
|
||||||
|
* docker-host: added var for user namespace setting
|
||||||
|
* dovecot: add Munin plugins dovecot1 and dovecot_stats (patched)
|
||||||
|
* dovecot: fix old_stats plugin for Dovecot 2.3
|
||||||
|
* evocheck: add support for Debian >= 12 split SSH configuration
|
||||||
|
* evolinux-base: add split SSH configuration for Debian >= 12
|
||||||
|
* evolinux-base: configure `.bashrc` for all users
|
||||||
|
* evolinux-base: New variable `evolinux_system_include_ntpd` to chose wether or not to include `ntpd` role
|
||||||
|
* evolinux-base: reboot the server if the Cloud kernel has been installed
|
||||||
|
* evolinux-users: add split SSH configuration for Debian >= 12
|
||||||
|
* evolinux: install HPE Agentless Management Service (amsd)
|
||||||
|
* fail2ban: add default variable fail2ban_dbpurgeage_default
|
||||||
|
* fail2ban: add `fail2ban_sshd_port` variable to configure sshd port
|
||||||
|
* kvm-host: release 23.10 for migrate-vm.sh
|
||||||
|
* metricbeat/logstash: fix Ansible syntax
|
||||||
|
* mysql: new munin graph to follow binlog_days over time
|
||||||
|
* nagios-nrpe: add a NRPE check-local command with completion.
|
||||||
|
* nagios-nrpe: add a proper monitoring plugin for GlusterFS (on servers, not for clients)
|
||||||
|
* php: add new variable to disable overriding settings of php-fpm default pool (www)
|
||||||
|
* policy_pam: New role to manage password policy with `pam_pwquality` & `pam_pwhistory`
|
||||||
|
* userlogrotate: add a `userlogpurge` script disabled by default
|
||||||
|
* userlogrotate: new version, with separate conf file
|
||||||
|
* userlogrotate: rotate also php.log
|
||||||
|
* java: allow version 17
|
||||||
|
* timesyncd: new role, used instead of ntpd by default starting with Debian 12
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
|
||||||
|
* all: change syntax "become: [yes,no]" → "become: [true,false]"
|
||||||
|
* all: change syntax "force: [yes,no]" → "force: [true,false]"
|
||||||
|
* elasticsearch: improve networking configuration
|
||||||
|
* evolinux-base: include files under `sshd_config.d`
|
||||||
|
* evolinux-users: remove Stretch references in tasks that also apply to next Debian versions
|
||||||
|
* evomaintenance: upstream release 23.10.1
|
||||||
|
* lxc-php: change LXC container in bookworm for php82
|
||||||
|
* minifirewall: update nrpe script to check active configuration
|
||||||
|
* minifirewall: upstream release 23.07
|
||||||
|
* mysql: improve shell syntax for mysql_skip script
|
||||||
|
* nagios-nrpe: set default check_load --per-cpu for BSD
|
||||||
|
* pgbouncer: minor fixes
|
||||||
|
* postfix (packmail or when postfix_slow_transport_include is True): change `miniprofmal_backoff_time` from 2h to 15m (see HowtoPostfix)
|
||||||
|
* postfix (packmail) : optimize Amavis integration
|
||||||
|
* postfix: disable sending mails via IPv6
|
||||||
|
* postfix: new spam.sh update script that avoids reloading if files did not change.
|
||||||
|
* postgresql: fix file `postgresql.pref.j2` for exclude package
|
||||||
|
* postgresql: fix task `update apt cache` for PGDG repo
|
||||||
|
* redis: standardize plugins path from `/usr/local/share/munin/` to `/usr/local/lib/munin/plugins/`
|
||||||
|
* varnish: allow the systemd template to be overridden with a template outside of the role
|
||||||
|
* lxc: purge openssh-server from container on install
|
||||||
|
|
||||||
|
### Fixed
|
||||||
|
|
||||||
|
* elasticsearch: comment the `Xlog:gc` line instead of changing it completely
|
||||||
|
* evocheck: fix IS_SSHALLOWUSERS condition
|
||||||
|
* evolinux-base, evolinux-users: Fix files mode under `/etc/ssh/sshd_config.d`
|
||||||
|
* evolinux-base: fix file extension
|
||||||
|
* fail2ban: fix cron `fail2ban_dbpurge` (should be bash instead of sh)
|
||||||
|
* lxc-php: fix APT keyring path inside containers
|
||||||
|
* nagios-nrpe: `check_ssl_local` now has an output that nrpe can understand when it isn't OK
|
||||||
|
* nagios-nrpe: remount `/usr` **after** installing the packages
|
||||||
|
* nagios-nrpe: sync Redis check from redis roles
|
||||||
|
* nginx: set default server directive in default vhost
|
||||||
|
* opendkim: update apt cache before install
|
||||||
|
* packweb-apache,nagios-nrpe: add missing task and config for PHP 8.2 container
|
||||||
|
* postfix: add missing `localhost.$mydomain` to `mydestination`
|
||||||
|
* redis: replace erroneous `ini_file` module for Munin config, fix dedicated Munin config filename (z-XXX).
|
||||||
|
* evolinux-base: use lineinfile instead of replace under root task
|
||||||
|
* evolinux-base: Corriger autorisation pour evolinux_user
|
||||||
|
* docker-host: Retirer directive state en trop
|
||||||
|
* rbenv: Installer libyaml-dev
|
||||||
|
|
||||||
|
### Removed
|
||||||
|
|
||||||
|
* dovecot: remove Munin plugin dovecot (not working)
|
||||||
|
|
||||||
|
## [23.04] 2023-04-23
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
* graylog: new role
|
||||||
|
* lxc-php: add support for PHP 8.2 container
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
|
||||||
|
* Use FQCN (Fully Qualified Collection Name)
|
||||||
* apt: with Debian 12, backports are installed but disabled by default
|
* apt: with Debian 12, backports are installed but disabled by default
|
||||||
* openvpn: updated the README file
|
* openvpn: updated the README file
|
||||||
* pgbouncer: add handler to restart the service
|
* pgbouncer: add handler to restart the service
|
||||||
|
@ -25,10 +315,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
|
|
||||||
* generate-ldif: Support for Debian 12
|
* generate-ldif: Support for Debian 12
|
||||||
|
|
||||||
### Removed
|
|
||||||
|
|
||||||
### Security
|
|
||||||
|
|
||||||
## [23.03.1] 2023-03-16
|
## [23.03.1] 2023-03-16
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
@ -97,7 +383,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
|
|
||||||
* evolinux-base: subversion is not installed anymore
|
* evolinux-base: subversion is not installed anymore
|
||||||
|
|
||||||
|
|
||||||
## [22.12] 2022-12-14
|
## [22.12] 2022-12-14
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
@ -152,7 +437,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
|
|
||||||
* openvpn: Deleted the task fixing the CRL rights since it has been fixed in upstream
|
* openvpn: Deleted the task fixing the CRL rights since it has been fixed in upstream
|
||||||
|
|
||||||
|
|
||||||
## [22.09] 2022-09-19
|
## [22.09] 2022-09-19
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
@ -166,7 +450,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
* proftpd: Add options to override configs (and add a warning if file was overriden)
|
* proftpd: Add options to override configs (and add a warning if file was overriden)
|
||||||
* proftpd: Allow user auth with ssh keys
|
* proftpd: Allow user auth with ssh keys
|
||||||
|
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
|
||||||
* evocheck: upstream release 22.09
|
* evocheck: upstream release 22.09
|
||||||
|
@ -292,16 +575,16 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
||||||
* docker : Introduce new default settings + allow to change the docker data directory
|
* docker: Introduce new default settings + allow to change the docker data directory
|
||||||
* docker : Introduce new variables to tweak daemon settings
|
* docker: Introduce new variables to tweak daemon settings
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
|
||||||
* evocheck: upstream release 22.05
|
* evocheck: Upstream release 22.05
|
||||||
|
|
||||||
### Removed
|
### Removed
|
||||||
|
|
||||||
* docker : Removed Debian Jessie support
|
* docker: Removed Debian Jessie support
|
||||||
|
|
||||||
## [22.05] 2022-05-10
|
## [22.05] 2022-05-10
|
||||||
|
|
||||||
|
@ -688,6 +971,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
## [10.0.0] - 2020-05-13
|
## [10.0.0] - 2020-05-13
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
||||||
* apache: the default VHost doesn't redirect to https for ".well-known" paths
|
* apache: the default VHost doesn't redirect to https for ".well-known" paths
|
||||||
* apt: added buster backports prerferences
|
* apt: added buster backports prerferences
|
||||||
* apt: check if cron is installed before adding a cron job
|
* apt: check if cron is installed before adding a cron job
|
||||||
|
@ -724,6 +1008,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
* bind: enable bind9 munin plugin for recursive resolvers
|
* bind: enable bind9 munin plugin for recursive resolvers
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
|
||||||
* replace version_compare() with version()s
|
* replace version_compare() with version()s
|
||||||
* removed some deprecations for Ansible 2.7
|
* removed some deprecations for Ansible 2.7
|
||||||
* apache: improve permissions in save_apache_status script
|
* apache: improve permissions in save_apache_status script
|
||||||
|
@ -769,6 +1054,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
* varnish: remove custom ExecReload= script for Debian 10+
|
* varnish: remove custom ExecReload= script for Debian 10+
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
|
|
||||||
* etc-git: fix warnings ansible-lint
|
* etc-git: fix warnings ansible-lint
|
||||||
* evoadmin-web: Put the php config at the right place for Buster
|
* evoadmin-web: Put the php config at the right place for Buster
|
||||||
* lxc: Don't stop the container if it already exists
|
* lxc: Don't stop the container if it already exists
|
||||||
|
@ -791,16 +1077,19 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
* packweb-apache: Don't try to install PHPMyAdmin on Buster as it's not available
|
* packweb-apache: Don't try to install PHPMyAdmin on Buster as it's not available
|
||||||
|
|
||||||
### Removed
|
### Removed
|
||||||
|
|
||||||
* clamav : do not install the zoo package anymore
|
* clamav : do not install the zoo package anymore
|
||||||
|
|
||||||
## [9.10.1] - 2019-06-21
|
## [9.10.1] - 2019-06-21
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
|
||||||
* evocheck : update (version 19.06) from upstream
|
* evocheck : update (version 19.06) from upstream
|
||||||
|
|
||||||
## [9.10.0] - 2019-06-21
|
## [9.10.0] - 2019-06-21
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
||||||
* apache: add server status suffix in VHost (and default site) if missing
|
* apache: add server status suffix in VHost (and default site) if missing
|
||||||
* apache: add a variable to customize the server-status host
|
* apache: add a variable to customize the server-status host
|
||||||
* apt: add a script to manage packages with "hold" mark
|
* apt: add a script to manage packages with "hold" mark
|
||||||
|
@ -811,6 +1100,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
* redmine: enable gzip compression in nginx vhost
|
* redmine: enable gzip compression in nginx vhost
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
|
||||||
* evocheck : update (unreleased) from upstream
|
* evocheck : update (unreleased) from upstream
|
||||||
* evomaintenance : use the web API instead of PG Insert
|
* evomaintenance : use the web API instead of PG Insert
|
||||||
* fluentd: store gpg key locally
|
* fluentd: store gpg key locally
|
||||||
|
@ -823,23 +1113,26 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
* apt: Add Debian Buster repositories
|
* apt: Add Debian Buster repositories
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
|
|
||||||
* rbenv: add check_mode for check rbenv and ruby versions
|
* rbenv: add check_mode for check rbenv and ruby versions
|
||||||
* nagios-nrpe: fix redis_instances check when Redis port equal 0
|
* nagios-nrpe: fix redis_instances check when Redis port equal 0
|
||||||
* redmine: fix 500 error on logging
|
* redmine: fix 500 error on logging
|
||||||
* evolinux-base: Validate sshd config with "-t" instead of "-T"
|
* evolinux-base: Validate sshd config with "-t" instead of "-T"
|
||||||
* evolinux-base: Ensure rename is present
|
* evolinux-base: Ensure rename is present
|
||||||
* evolinux-users: Validate sshd config with "-t" instead of "-T"
|
* evolinux-users: Validate sshd config with "-t" instead of "-T"
|
||||||
* nagios-nrpe: Replace the dummy packages nagios-plugins-* with monitoring-plugins-*
|
* nagios-nrpe: Replace the dummy packages nagios-plugins-*with monitoring-plugins-*
|
||||||
|
|
||||||
## [9.9.0] - 2019-04-16
|
## [9.9.0] - 2019-04-16
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
||||||
* etc-git: ignore evobackup/.keep-* files
|
* etc-git: ignore evobackup/.keep-* files
|
||||||
* lxc: /home is mounted in the container by default
|
* lxc: /home is mounted in the container by default
|
||||||
* nginx : add "x-frame-options: sameorigin" for Munin
|
* nginx : add "x-frame-options: sameorigin" for Munin
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
* changed remote repository to https://gitea.evolix.org/evolix/ansible-roles
|
|
||||||
|
* changed remote repository to <https://gitea.evolix.org/evolix/ansible-roles>
|
||||||
* apt: Ensure jessie-backport from archives.debian.org is accepted
|
* apt: Ensure jessie-backport from archives.debian.org is accepted
|
||||||
* apt: Remove jessie-update suite as it's no longer exists
|
* apt: Remove jessie-update suite as it's no longer exists
|
||||||
* apt: Replace mirror.evolix.org by archives.debian.org for jessie-backport
|
* apt: Replace mirror.evolix.org by archives.debian.org for jessie-backport
|
||||||
|
@ -852,8 +1145,8 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
* tomcat: better tomcat version management
|
* tomcat: better tomcat version management
|
||||||
* webapps/evoadmin-web: add dbadmin.sh to sudoers file
|
* webapps/evoadmin-web: add dbadmin.sh to sudoers file
|
||||||
|
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
|
|
||||||
* spamassasin: fix sa-update.sh and ensure service is started and enabled
|
* spamassasin: fix sa-update.sh and ensure service is started and enabled
|
||||||
* tomcat-instance: deploy correct version of config files
|
* tomcat-instance: deploy correct version of config files
|
||||||
* tomcat-instance: deploy correct version of server.xml
|
* tomcat-instance: deploy correct version of server.xml
|
||||||
|
@ -861,20 +1154,24 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
## [9.8.0] - 2019-01-31
|
## [9.8.0] - 2019-01-31
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
||||||
* filebeat: disable cloud_metadata processor by default
|
* filebeat: disable cloud_metadata processor by default
|
||||||
* metricbeat: disable cloud_metadata processor by default
|
* metricbeat: disable cloud_metadata processor by default
|
||||||
* percona : new role to install Percona repositories and tools
|
* percona : new role to install Percona repositories and tools
|
||||||
* redis: add variable for configure unixsocketperm
|
* redis: add variable for configure unixsocketperm
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
|
||||||
* redmine: refactoring of redmine role with use of rbenv
|
* redmine: refactoring of redmine role with use of rbenv
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
|
|
||||||
* ntpd: Update the restrictions to follow wiki.evolix.org/HowtoNTP client config
|
* ntpd: Update the restrictions to follow wiki.evolix.org/HowtoNTP client config
|
||||||
|
|
||||||
## [9.7.0] - 2019-01-17
|
## [9.7.0] - 2019-01-17
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
||||||
* apache: add Munin configuration for Apache server-status URL
|
* apache: add Munin configuration for Apache server-status URL
|
||||||
* evomaintenance: database variables must be set or the task fails
|
* evomaintenance: database variables must be set or the task fails
|
||||||
* fail2ban: add "ips" tag added to fail2ban/tasks/ip_whitelist.yml
|
* fail2ban: add "ips" tag added to fail2ban/tasks/ip_whitelist.yml
|
||||||
|
@ -887,6 +1184,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
* proftpd: add FTPS and SFTP support
|
* proftpd: add FTPS and SFTP support
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
|
||||||
* redis: distinction between main and master password
|
* redis: distinction between main and master password
|
||||||
* evocheck: update evocheck.sh for source install
|
* evocheck: update evocheck.sh for source install
|
||||||
* php: added php-zip in the installed package list for debian 9 (and later)
|
* php: added php-zip in the installed package list for debian 9 (and later)
|
||||||
|
@ -894,6 +1192,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
* java: update Oracle java package to 8u192
|
* java: update Oracle java package to 8u192
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
|
|
||||||
* fail2ban: fix "ignoreip" update
|
* fail2ban: fix "ignoreip" update
|
||||||
* metricbeat: fix username/password replacement
|
* metricbeat: fix username/password replacement
|
||||||
* nagios-nrpe: check_process now return the error code (making the check more usefull than /bin/true)
|
* nagios-nrpe: check_process now return the error code (making the check more usefull than /bin/true)
|
||||||
|
@ -902,16 +1201,17 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
* redis: In instance mode, ensure to replace the nrpe check_redis with the instance check script
|
* redis: In instance mode, ensure to replace the nrpe check_redis with the instance check script
|
||||||
* redis: Don't set the owner of /var/{lib,log}/redis to a redis instance account
|
* redis: Don't set the owner of /var/{lib,log}/redis to a redis instance account
|
||||||
|
|
||||||
|
|
||||||
## [9.6.0] - 2018-12-04
|
## [9.6.0] - 2018-12-04
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
||||||
* evolinux-base: deploy custom motd if template are present
|
* evolinux-base: deploy custom motd if template are present
|
||||||
* minifirewall: all variables are configurable (untouched by default)
|
* minifirewall: all variables are configurable (untouched by default)
|
||||||
* minifirewall: main file is configurable
|
* minifirewall: main file is configurable
|
||||||
* squid: minifirewall main file is configurable
|
* squid: minifirewall main file is configurable
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
|
||||||
* minifirewall: compare config before/after (for restart condition)
|
* minifirewall: compare config before/after (for restart condition)
|
||||||
* squid: better replacement in minifirewall config
|
* squid: better replacement in minifirewall config
|
||||||
* evoadmin-mail: complete refactoring, use Debian Package
|
* evoadmin-mail: complete refactoring, use Debian Package
|
||||||
|
@ -919,6 +1219,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
## [9.5.0] - 2018-11-14
|
## [9.5.0] - 2018-11-14
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
||||||
* apache: separate task to update IP whitelist
|
* apache: separate task to update IP whitelist
|
||||||
* evolinux-base: install man package
|
* evolinux-base: install man package
|
||||||
* evolinux-users: add newaliases handler
|
* evolinux-users: add newaliases handler
|
||||||
|
@ -932,11 +1233,13 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
* mysql: logdir can be customized
|
* mysql: logdir can be customized
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
|
||||||
* evocheck: update script from upstream
|
* evocheck: update script from upstream
|
||||||
* evomaintenance: update script from upstream
|
* evomaintenance: update script from upstream
|
||||||
* mysql: restart service if systemd unit has been patched
|
* mysql: restart service if systemd unit has been patched
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
|
|
||||||
* packweb-apache: mod-security config is already included elsewhere
|
* packweb-apache: mod-security config is already included elsewhere
|
||||||
* redis: for permissions on log and lib directories
|
* redis: for permissions on log and lib directories
|
||||||
* redis: fix shell for instance users
|
* redis: fix shell for instance users
|
||||||
|
@ -945,13 +1248,16 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
## [9.4.2] - 2018-10-12
|
## [9.4.2] - 2018-10-12
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
||||||
* evomaintenance: install dependencies manually when installing vendored version
|
* evomaintenance: install dependencies manually when installing vendored version
|
||||||
* nagios-nrpe: add an option to ignore servers in NOLB status
|
* nagios-nrpe: add an option to ignore servers in NOLB status
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
|
||||||
* haproxy: move check_haproxy_stats to nagios-nrpe role
|
* haproxy: move check_haproxy_stats to nagios-nrpe role
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
|
|
||||||
* evoacme: better error when apache2ctl fails
|
* evoacme: better error when apache2ctl fails
|
||||||
* evomaintenance: fix role compatibility with OpenBSD
|
* evomaintenance: fix role compatibility with OpenBSD
|
||||||
* spamassassin: add missing right for amavis
|
* spamassassin: add missing right for amavis
|
||||||
|
@ -960,16 +1266,19 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
## [9.4.1] - 2018-09-28
|
## [9.4.1] - 2018-09-28
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
||||||
* redis: set masterauth when redis_password is defined
|
* redis: set masterauth when redis_password is defined
|
||||||
* evomaintenance: variable to install a vendored version
|
* evomaintenance: variable to install a vendored version
|
||||||
* evomaintenance: tasks/variables to handle minifirewall restarts
|
* evomaintenance: tasks/variables to handle minifirewall restarts
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
|
||||||
* mysql-oracle: better handle packages and users
|
* mysql-oracle: better handle packages and users
|
||||||
|
|
||||||
## [9.4.0] - 2018-09-20
|
## [9.4.0] - 2018-09-20
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
||||||
* etc-git: manage a cron job to monitor uncommited changes in /etc/.git (default: `True`)
|
* etc-git: manage a cron job to monitor uncommited changes in /etc/.git (default: `True`)
|
||||||
* evolinux-base: better shell history
|
* evolinux-base: better shell history
|
||||||
* evolinux-users: add user to /etc/aliases
|
* evolinux-users: add user to /etc/aliases
|
||||||
|
@ -984,9 +1293,11 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
* nagios-nrpe: add check_redis_instances
|
* nagios-nrpe: add check_redis_instances
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
|
||||||
* dovecot: stronger TLS configuration
|
* dovecot: stronger TLS configuration
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
|
|
||||||
* apache: cleaner way to overwrite the server status suffix
|
* apache: cleaner way to overwrite the server status suffix
|
||||||
* packweb-apache: don't regenerate phpMyAdmin suffix each time
|
* packweb-apache: don't regenerate phpMyAdmin suffix each time
|
||||||
* nginx: cleaner way to overwrite the server status suffix
|
* nginx: cleaner way to overwrite the server status suffix
|
||||||
|
@ -995,11 +1306,13 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
## [9.3.2] - 2018-09-06
|
## [9.3.2] - 2018-09-06
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
||||||
* minifirewall: add a variable to disable the restart handler
|
* minifirewall: add a variable to disable the restart handler
|
||||||
* minifirewall: add a variable to force a restart of the firewall (even with no change)
|
* minifirewall: add a variable to force a restart of the firewall (even with no change)
|
||||||
* minifirewall: improve variables values and documentation
|
* minifirewall: improve variables values and documentation
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
|
||||||
* dovecot: enable SSL/TLS by default with snakeoil certificate
|
* dovecot: enable SSL/TLS by default with snakeoil certificate
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
|
@ -1009,11 +1322,13 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
## [9.3.1] - 2018-08-30
|
## [9.3.1] - 2018-08-30
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
||||||
* metricbeat: new variables to configure elasticsearch hosts and auth
|
* metricbeat: new variables to configure elasticsearch hosts and auth
|
||||||
|
|
||||||
## [9.3.0] - 2018-08-24
|
## [9.3.0] - 2018-08-24
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
||||||
* elasticsearch: tmpdir configuration compatible with 5.x also
|
* elasticsearch: tmpdir configuration compatible with 5.x also
|
||||||
* elasticsearch: add http.publish_host variable
|
* elasticsearch: add http.publish_host variable
|
||||||
* evoacme: disable old certbot cron also in cron.daily
|
* evoacme: disable old certbot cron also in cron.daily
|
||||||
|
@ -1034,6 +1349,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
* nagios-nrpe: add check_postgrey
|
* nagios-nrpe: add check_postgrey
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
|
||||||
* etc-git: some entries of .gitignore are mandatory
|
* etc-git: some entries of .gitignore are mandatory
|
||||||
* evocheck: update upstream script
|
* evocheck: update upstream script
|
||||||
* evolinux-base: improve hostname configuration (real vs. internal)
|
* evolinux-base: improve hostname configuration (real vs. internal)
|
||||||
|
@ -1052,6 +1368,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
* kvm-host: install kvm-tools package instead of copying add-vm.sh
|
* kvm-host: install kvm-tools package instead of copying add-vm.sh
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
|
|
||||||
* apache: logrotate replacement is more subtle/precise. It replaces only the proper directive and not every occurence of the word.
|
* apache: logrotate replacement is more subtle/precise. It replaces only the proper directive and not every occurence of the word.
|
||||||
* bind: chroot-bind.sh must not be executed in check mode
|
* bind: chroot-bind.sh must not be executed in check mode
|
||||||
* evoacme: fix module detection in apache config
|
* evoacme: fix module detection in apache config
|
||||||
|
@ -1063,12 +1380,14 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
## [9.2.0] - 2018-05-16
|
## [9.2.0] - 2018-05-16
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
|
||||||
* filebeat: install version 6.x by default
|
* filebeat: install version 6.x by default
|
||||||
* filebeat: cleanup unused code
|
* filebeat: cleanup unused code
|
||||||
* squid: add some domaine and fix broken restrictions
|
* squid: add some domaine and fix broken restrictions
|
||||||
* elasticsearch: defaults to version 6.x
|
* elasticsearch: defaults to version 6.x
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
|
|
||||||
* evolinux-users: secondary groups are comma-separated
|
* evolinux-users: secondary groups are comma-separated
|
||||||
* ntpd: fix configuration (server and ACL)
|
* ntpd: fix configuration (server and ACL)
|
||||||
* varnish: don't fork the process on startup with systemd
|
* varnish: don't fork the process on startup with systemd
|
||||||
|
@ -1078,6 +1397,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
### Added
|
### Added
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
|
||||||
* apache: customize logrotate (52 weeks)
|
* apache: customize logrotate (52 weeks)
|
||||||
* evolinux: groups for SSH configuration are used with Debian 10 and later
|
* evolinux: groups for SSH configuration are used with Debian 10 and later
|
||||||
* evolinux-base: fail2ban is not enabled by default
|
* evolinux-base: fail2ban is not enabled by default
|
||||||
|
@ -1089,9 +1409,11 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
## [9.1.8] - 2018-04-16
|
## [9.1.8] - 2018-04-16
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
|
||||||
* packweb-apache: use dependencies instead of include_role for apache and php roles
|
* packweb-apache: use dependencies instead of include_role for apache and php roles
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
|
|
||||||
* mysql: use check_mode for apg command (Fix --check)
|
* mysql: use check_mode for apg command (Fix --check)
|
||||||
* mysql/mysql-oracle: properly reload systemd
|
* mysql/mysql-oracle: properly reload systemd
|
||||||
* packweb-apache: use check_mode for apg command (Fix --check)
|
* packweb-apache: use check_mode for apg command (Fix --check)
|
||||||
|
@ -1099,6 +1421,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
## [9.1.7] - 2018-04-06
|
## [9.1.7] - 2018-04-06
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
||||||
* added a few become attributes where missing
|
* added a few become attributes where missing
|
||||||
* etc-git: add tags for Ansible
|
* etc-git: add tags for Ansible
|
||||||
* evolinux-base: install ncurses-term package
|
* evolinux-base: install ncurses-term package
|
||||||
|
@ -1116,6 +1439,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
* redmine: added missing tags
|
* redmine: added missing tags
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
|
||||||
* elasticsearch: RESTART_ON_UPGRADE is configurable (default: `true`)
|
* elasticsearch: RESTART_ON_UPGRADE is configurable (default: `true`)
|
||||||
* elasticsearch: use ES_TMPDIR variable for custom tmpdir, (from `/etc/default/elasticsearch` instead of changing `/etc/elesticsearch/jvm.options`).
|
* elasticsearch: use ES_TMPDIR variable for custom tmpdir, (from `/etc/default/elasticsearch` instead of changing `/etc/elesticsearch/jvm.options`).
|
||||||
* evolinux-base: Exec the firewall tasks sooner (to avoid dependency issues)
|
* evolinux-base: Exec the firewall tasks sooner (to avoid dependency issues)
|
||||||
|
@ -1131,6 +1455,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
* webapps/evoadmin-web: Fail if variable evoadmin_contact_email isn't defined
|
* webapps/evoadmin-web: Fail if variable evoadmin_contact_email isn't defined
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
|
|
||||||
* dovecot: fix support of plus sign
|
* dovecot: fix support of plus sign
|
||||||
* mysql/mysql-oracle: mysqltuner cron task is executable
|
* mysql/mysql-oracle: mysqltuner cron task is executable
|
||||||
* nginx: fix basic auth for default vhost
|
* nginx: fix basic auth for default vhost
|
||||||
|
@ -1139,21 +1464,25 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
## [9.1.6] - 2018-02-02
|
## [9.1.6] - 2018-02-02
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
||||||
* mongodb: install python-pymongo for monitoring
|
* mongodb: install python-pymongo for monitoring
|
||||||
* nagios-nrpe: allowed_hosts can be updated
|
* nagios-nrpe: allowed_hosts can be updated
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
|
||||||
* Changelog: explain the versioning scheme
|
* Changelog: explain the versioning scheme
|
||||||
* Changelog: add a release date for 9.1.5
|
* Changelog: add a release date for 9.1.5
|
||||||
* evoacme: exclude typical certbot directories
|
* evoacme: exclude typical certbot directories
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
|
|
||||||
* fail2ban: fix horrible typo, Python is not Ruby
|
* fail2ban: fix horrible typo, Python is not Ruby
|
||||||
* nginx: fix servers status dirname
|
* nginx: fix servers status dirname
|
||||||
|
|
||||||
## [9.1.5] - 2018-01-18
|
## [9.1.5] - 2018-01-18
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
||||||
* There is a changelog!
|
* There is a changelog!
|
||||||
* redis: configuration variable for protected mode (v3.2+)
|
* redis: configuration variable for protected mode (v3.2+)
|
||||||
* evolinux-users: users are in "adm" group for Debian 9 or later
|
* evolinux-users: users are in "adm" group for Debian 9 or later
|
||||||
|
@ -1165,41 +1494,49 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
* redmine: ability to install themes and plugins
|
* redmine: ability to install themes and plugins
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
|
||||||
* rbenv: Ruby 2.5 becomes the default version
|
* rbenv: Ruby 2.5 becomes the default version
|
||||||
* evocheck: update upstream version embedded in role (c993244)
|
* evocheck: update upstream version embedded in role (c993244)
|
||||||
* bind: keep 52 weeks of logs
|
* bind: keep 52 weeks of logs
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
|
|
||||||
* squid: different logrotate file for Jessie or Stretch+
|
* squid: different logrotate file for Jessie or Stretch+
|
||||||
* evoacme: don't invoke evoacme if no vhost is found
|
* evoacme: don't invoke evoacme if no vhost is found
|
||||||
* evomaintenance: explicit quotes in config file
|
* evomaintenance: explicit quotes in config file
|
||||||
* redmine: force xpath gem < 3.0.0
|
* redmine: force xpath gem < 3.0.0
|
||||||
|
|
||||||
### Security
|
### Security
|
||||||
|
|
||||||
* evomaintenance: fix permissions for config file
|
* evomaintenance: fix permissions for config file
|
||||||
|
|
||||||
## [9.1.4] - 2017-12-20
|
## [9.1.4] - 2017-12-20
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
||||||
* php: install php5-intl (for Jessie) and php-intl (for Debian 9 or later)
|
* php: install php5-intl (for Jessie) and php-intl (for Debian 9 or later)
|
||||||
* mysql: add a check_mysql_slave in nrpe configuration
|
* mysql: add a check_mysql_slave in nrpe configuration
|
||||||
* ldap: slapd tcp port is configurable
|
* ldap: slapd tcp port is configurable
|
||||||
* elasticsearch: broader patterns for log rotation
|
* elasticsearch: broader patterns for log rotation
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
|
||||||
* split IP lists in 2 – default and additional – for easier customization.
|
* split IP lists in 2 – default and additional – for easier customization.
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
|
|
||||||
* minifirewall: allow outgoing SSH connections over IPv6
|
* minifirewall: allow outgoing SSH connections over IPv6
|
||||||
* nodejs: rename source.list file
|
* nodejs: rename source.list file
|
||||||
|
|
||||||
### Security
|
### Security
|
||||||
|
|
||||||
* evoadmin-web: change config.local.php file permissions
|
* evoadmin-web: change config.local.php file permissions
|
||||||
* evolinux-base: change default_www file permissions
|
* evolinux-base: change default_www file permissions
|
||||||
|
|
||||||
## [9.1.3] 2017-12-08
|
## [9.1.3] 2017-12-08
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
||||||
* evolinux-base: install traceroute package
|
* evolinux-base: install traceroute package
|
||||||
* evolinux-base/ntpd: purge openntpd
|
* evolinux-base/ntpd: purge openntpd
|
||||||
* tomcat: add Tomcat 8 cmpatibility
|
* tomcat: add Tomcat 8 cmpatibility
|
||||||
|
@ -1211,6 +1548,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
* elastic: option for stack main version
|
* elastic: option for stack main version
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
|
||||||
* nginx: rename Let's Encrypt snippet
|
* nginx: rename Let's Encrypt snippet
|
||||||
* nginx: simpler apt preferences for backports
|
* nginx: simpler apt preferences for backports
|
||||||
* generate-ldif: add clamd service instead of clamav_db
|
* generate-ldif: add clamd service instead of clamav_db
|
||||||
|
@ -1222,10 +1560,12 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
* mongodb: comatible with Stretch
|
* mongodb: comatible with Stretch
|
||||||
|
|
||||||
### Removed
|
### Removed
|
||||||
|
|
||||||
* mongodb: logfile/pidfile are not configurable on Jessie
|
* mongodb: logfile/pidfile are not configurable on Jessie
|
||||||
* minifirewall: remove zidane.evolix.net from HTTPSITES
|
* minifirewall: remove zidane.evolix.net from HTTPSITES
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
|
|
||||||
* nginx: fix munin CGI graphs
|
* nginx: fix munin CGI graphs
|
||||||
* ntpd: fix default configuration (localhost only)
|
* ntpd: fix default configuration (localhost only)
|
||||||
* logstash: fix permissions on pipeline configuration
|
* logstash: fix permissions on pipeline configuration
|
||||||
|
@ -1236,14 +1576,17 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
## [9.1.2] 2017-12-05
|
## [9.1.2] 2017-12-05
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
|
|
||||||
* listupgrade: remount /usr as rw
|
* listupgrade: remount /usr as rw
|
||||||
|
|
||||||
## [9.1.1] 2017-11-21
|
## [9.1.1] 2017-11-21
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
||||||
* amazon-ec2: add egress rules
|
* amazon-ec2: add egress rules
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
|
|
||||||
* evoacme: fix multiple bugs
|
* evoacme: fix multiple bugs
|
||||||
|
|
||||||
## [9.1.0] 2017-11-19
|
## [9.1.0] 2017-11-19
|
||||||
|
@ -1251,6 +1594,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
_Warning: huge release, many entries are missing below._
|
_Warning: huge release, many entries are missing below._
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
||||||
* amazon-ec2: new role, for EC2 instances creation
|
* amazon-ec2: new role, for EC2 instances creation
|
||||||
* Move /usr rw remount into remount-usr role
|
* Move /usr rw remount into remount-usr role
|
||||||
* kibana: host and basepath configuration
|
* kibana: host and basepath configuration
|
||||||
|
@ -1261,6 +1605,7 @@ _Warning: huge release, many entries are missing below._
|
||||||
* nagios-nrpe: add opendkim check
|
* nagios-nrpe: add opendkim check
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
|
||||||
* Combine evolix and additional trusted IP addresses
|
* Combine evolix and additional trusted IP addresses
|
||||||
* amazon-ec2: split tasks
|
* amazon-ec2: split tasks
|
||||||
* apt: don't upgrade by default
|
* apt: don't upgrade by default
|
||||||
|
@ -1271,6 +1616,7 @@ _Warning: huge release, many entries are missing below._
|
||||||
* ldap: better variables
|
* ldap: better variables
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
|
|
||||||
* fail2ban: create config hierarchy beforehand
|
* fail2ban: create config hierarchy beforehand
|
||||||
* elasticsearch: fix datadir/tmpdir conditions
|
* elasticsearch: fix datadir/tmpdir conditions
|
||||||
* elastic: remove double ".list" suffix
|
* elastic: remove double ".list" suffix
|
||||||
|
@ -1281,10 +1627,10 @@ _Warning: huge release, many entries are missing below._
|
||||||
|
|
||||||
### Security
|
### Security
|
||||||
|
|
||||||
|
|
||||||
## [9.0.1] 2017-10-02
|
## [9.0.1] 2017-10-02
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
||||||
* haproxy: add a Nagios check
|
* haproxy: add a Nagios check
|
||||||
* php: add "sury" mode for PHP 7.1 on Stretch
|
* php: add "sury" mode for PHP 7.1 on Stretch
|
||||||
* minifirewall: explicit dependency on iptables
|
* minifirewall: explicit dependency on iptables
|
||||||
|
@ -1292,9 +1638,11 @@ _Warning: huge release, many entries are missing below._
|
||||||
* docker-host: new variable for docker home
|
* docker-host: new variable for docker home
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
|
||||||
* php: install php5/php package after fpm/libapache2-mod-php
|
* php: install php5/php package after fpm/libapache2-mod-php
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
|
|
||||||
* mysql: add "REPLICATION CLIENT" privilege for nrpe
|
* mysql: add "REPLICATION CLIENT" privilege for nrpe
|
||||||
* evoadmin-web: revert from variables to keywords in the templates
|
* evoadmin-web: revert from variables to keywords in the templates
|
||||||
* evoacme: many fixes
|
* evoacme: many fixes
|
||||||
|
|
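--- /dev/null
+++ b/amavis/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+
+ldap_hostname: "{{ ansible_hostname }}"
+ldap_domain: "{{ ansible_domain }}"
+ldap_suffix: "dc={{ ldap_hostname }},dc={{ ldap_domain.split('.')[-2] }},dc={{ ldap_domain.split('.')[-1] }}"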
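Review bot: `ldap_domain.split('.')[-2]` on the `ldap_suffix` line raises an index error when `ansible_domain` is empty (a host without a FQDN) or has a single label, so the role aborts before the Amavis template is rendered instead of saying what is missing. An early `ansible.builtin.assert` with `that: ansible_domain.split('.') | length >= 2` and a message naming `ldap_domain` would fail clearly. The default should also be documented as assuming a `dc=<host>,dc=<second-level>,dc=<tld>` tree, since deeper or flatter LDAP layouts silently get a wrong base DN.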
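--- /dev/null
+++ b/amavis/files/amavis_purge_virusmails
@@ -0,0 +1,2 @@
+#!/bin/bash
+find /var/lib/amavis/virusmails/ -type f -mtime +30 -delete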
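Review bot: The `find … -delete` line runs daily as root with a hard-coded path and a fixed 30-day retention, and when `/var/lib/amavis/virusmails/` is absent (amavis removed, quarantine relocated) it prints an error and generates a cron mail every day; guard it with `[ -d /var/lib/amavis/virusmails ] || exit 0`. Quarantined messages are also the evidence you want during a malware or phishing investigation, so a comment stating the 30-day policy, or making the retention a role variable rendered through a template, is worth adding.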
@ -6,7 +6,7 @@
|
||||||
- amavisd-new
|
- amavisd-new
|
||||||
state: present
|
state: present
|
||||||
tags:
|
tags:
|
||||||
- amavis
|
- amavis
|
||||||
|
|
||||||
- name: configure Amavis
|
- name: configure Amavis
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
|
@ -15,4 +15,13 @@
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
notify: restart amavis
|
notify: restart amavis
|
||||||
tags:
|
tags:
|
||||||
- amavis
|
- amavis
|
||||||
|
|
||||||
|
- name: Install purge custom cron
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: amavis_purge_virusmails
|
||||||
|
dest: /etc/cron.daily/amavis_purge_virusmails
|
||||||
|
mode: "0755"
|
||||||
|
tags:
|
||||||
|
- amavis
|
||||||
|
- amavis_purge_cron
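Review bot: The new copy task sets `mode: "0755"` but no `owner`/`group`, while the other file tasks in this change spell out `owner: root` and `group: root`; for a script executed by root from `/etc/cron.daily`, stating both makes the intended ownership explicit rather than inherited from whoever the play runs as. The purge is also installed unconditionally: a boolean default (for example `amavis_purge_virusmails_enabled`) driving a present/absent state would let operators opt out where quarantine retention matters.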
|
||||||
|
|
|
@ -39,12 +39,12 @@ $sa_spam_subject_tag = '[SPAM]';
|
||||||
$log_level = 2;
|
$log_level = 2;
|
||||||
|
|
||||||
# En fonction besoin/ressources, on a juste le nbre de process
|
# En fonction besoin/ressources, on a juste le nbre de process
|
||||||
$max_servers = 2;
|
$max_servers = 3;
|
||||||
|
|
||||||
$enable_ldap = 1;
|
$enable_ldap = 1;
|
||||||
$default_ldap = {
|
$default_ldap = {
|
||||||
hostname => '127.0.0.1', tls => 0,
|
hostname => '127.0.0.1', tls => 0,
|
||||||
base => '{{ ldap_suffix }}', scope => 'sub',
|
base => '{{ ldap_suffix | mandatory }}', scope => 'sub',
|
||||||
query_filter => '(&(mailacceptinggeneralid=%m)(isActive=TRUE))'
|
query_filter => '(&(mailacceptinggeneralid=%m)(isActive=TRUE))'
|
||||||
};
|
};
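Review bot: `ldap_suffix | mandatory` on the `base` line only checks that the variable is defined, and `amavis/defaults/main.yml` in this change now always defines it from facts, so the filter can no longer trip; an empty or wrongly computed suffix is rendered as the LDAP search base and Amavis either fails at runtime or searches the wrong subtree. A `length > 0` check on `ldap_suffix` in the tasks before the template is rendered would catch that, and a comment here that the base DN is derived from `ansible_hostname`/`ansible_domain` unless overridden would tell the next reader where the value comes from.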
|
||||||
|
|
||||||
|
|
|
@ -18,7 +18,7 @@
|
||||||
|
|
||||||
- name: Install Evolinux
|
- name: Install Evolinux
|
||||||
hosts: launched-instances
|
hosts: launched-instances
|
||||||
become: yes
|
become: true
|
||||||
|
|
||||||
vars_files:
|
vars_files:
|
||||||
- 'vars/secrets.yml'
|
- 'vars/secrets.yml'
|
||||||
|
|
|
@ -10,7 +10,7 @@ MaxKeepAliveRequests 10
|
||||||
StartServers 50
|
StartServers 50
|
||||||
MinSpareServers 20
|
MinSpareServers 20
|
||||||
MaxSpareServers 30
|
MaxSpareServers 30
|
||||||
MaxRequestsPerChild 0
|
MaxConnectionsPerChild 100
|
||||||
</IfModule>
|
</IfModule>
|
||||||
|
|
||||||
<IfModule mpm_worker_module>
|
<IfModule mpm_worker_module>
|
||||||
|
@ -20,7 +20,7 @@ MaxKeepAliveRequests 10
|
||||||
ThreadLimit 64
|
ThreadLimit 64
|
||||||
ThreadsPerChild 25
|
ThreadsPerChild 25
|
||||||
MaxRequestWorkers 150
|
MaxRequestWorkers 150
|
||||||
MaxConnectionsPerChild 0
|
MaxConnectionsPerChild 100
|
||||||
</IfModule>
|
</IfModule>
|
||||||
|
|
||||||
<IfModule mpm_itk_module>
|
<IfModule mpm_itk_module>
|
||||||
|
@ -40,28 +40,25 @@ MaxKeepAliveRequests 10
|
||||||
</IfModule>
|
</IfModule>
|
||||||
</IfModule>
|
</IfModule>
|
||||||
|
|
||||||
|
# Go away bad bots (define "bad bots" in zzz-evolinux-custom.conf)
|
||||||
<Directory /home/>
|
<If "reqenv('GoAway') -eq 1">
|
||||||
AllowOverride None
|
Require all denied
|
||||||
Require all granted
|
</If>
|
||||||
# "Require not env XXX" is not supported :(
|
|
||||||
Deny from env=GoAway
|
|
||||||
</Directory>
|
|
||||||
|
|
||||||
<DirectoryMatch "/\.git">
|
<DirectoryMatch "/\.git">
|
||||||
# We don't want to let the client know a file exist on the server,
|
# We don't want to let the client know a file exist on the server,
|
||||||
# so we return 404 "Not found" instead of 403 "Forbidden".
|
# so we return 404 "Not found" instead of 403 "Forbidden".
|
||||||
Redirect 404
|
Redirect 404 "-"
|
||||||
</DirectoryMatch>
|
</DirectoryMatch>
|
||||||
|
|
||||||
# File names starting with
|
# File names starting with
|
||||||
<FilesMatch "^\.(git|env)">
|
<FilesMatch "^\.(git|env)">
|
||||||
Redirect 404
|
Redirect 404 "-"
|
||||||
</FilesMatch>
|
</FilesMatch>
|
||||||
|
|
||||||
# File names ending with
|
# File names ending with
|
||||||
<FilesMatch "\.(inc|bak)$">
|
<FilesMatch "\.(inc|bak)$">
|
||||||
Redirect 404
|
Redirect 404 "-"
|
||||||
</FilesMatch>
|
</FilesMatch>
|
||||||
|
|
||||||
<LocationMatch "^/evolinux_fpm_status-.*">
|
<LocationMatch "^/evolinux_fpm_status-.*">
|
||||||
|
|
|
@ -7,7 +7,7 @@
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: "0640"
|
mode: "0640"
|
||||||
force: no
|
force: false
|
||||||
tags:
|
tags:
|
||||||
- apache
|
- apache
|
||||||
|
|
||||||
|
@ -30,7 +30,7 @@
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: "0640"
|
mode: "0640"
|
||||||
force: no
|
force: false
|
||||||
notify: reload apache
|
notify: reload apache
|
||||||
tags:
|
tags:
|
||||||
- apache
|
- apache
|
||||||
|
|
|
@ -5,6 +5,7 @@
|
||||||
dest: /etc/apache2/ipaddr_whitelist.conf
|
dest: /etc/apache2/ipaddr_whitelist.conf
|
||||||
line: "Require ip {{ item }}"
|
line: "Require ip {{ item }}"
|
||||||
state: present
|
state: present
|
||||||
|
create: yes
|
||||||
loop: "{{ apache_ipaddr_whitelist_present }}"
|
loop: "{{ apache_ipaddr_whitelist_present }}"
|
||||||
notify: reload apache
|
notify: reload apache
|
||||||
tags:
|
tags:
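Review bot: With `create: yes` but no `mode`, `owner` or `group`, a freshly created `/etc/apache2/ipaddr_whitelist.conf` gets umask-derived permissions rather than the root-owned `0640` the rest of this role uses for Apache configuration; add `mode: "0640"`, `owner: root` and `group: root` to the lineinfile task. Note also that `state: present` over `apache_ipaddr_whitelist_present` only ever adds `Require ip` lines, so removing an address from the variable does not revoke it unless a matching absent task exists elsewhere in the role.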
|
||||||
|
|
|
@ -14,6 +14,6 @@
|
||||||
owner: log2mail
|
owner: log2mail
|
||||||
group: adm
|
group: adm
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
force: no
|
force: false
|
||||||
tags:
|
tags:
|
||||||
- apache
|
- apache
|
||||||
|
|
|
@ -73,7 +73,7 @@
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: "0640"
|
mode: "0640"
|
||||||
force: yes
|
force: true
|
||||||
notify: reload apache
|
notify: reload apache
|
||||||
tags:
|
tags:
|
||||||
- apache
|
- apache
|
||||||
|
@ -85,7 +85,7 @@
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: "0640"
|
mode: "0640"
|
||||||
force: no
|
force: false
|
||||||
notify: reload apache
|
notify: reload apache
|
||||||
tags:
|
tags:
|
||||||
- apache
|
- apache
|
||||||
|
@ -119,7 +119,7 @@
|
||||||
src: evolinux-default.conf.j2
|
src: evolinux-default.conf.j2
|
||||||
dest: /etc/apache2/sites-available/000-evolinux-default.conf
|
dest: /etc/apache2/sites-available/000-evolinux-default.conf
|
||||||
mode: "0640"
|
mode: "0640"
|
||||||
force: no
|
force: false
|
||||||
notify: reload apache
|
notify: reload apache
|
||||||
tags:
|
tags:
|
||||||
- apache
|
- apache
|
||||||
|
@ -129,7 +129,7 @@
|
||||||
src: /etc/apache2/sites-available/000-evolinux-default.conf
|
src: /etc/apache2/sites-available/000-evolinux-default.conf
|
||||||
dest: /etc/apache2/sites-enabled/000-default.conf
|
dest: /etc/apache2/sites-enabled/000-default.conf
|
||||||
state: link
|
state: link
|
||||||
force: yes
|
force: true
|
||||||
notify: reload apache
|
notify: reload apache
|
||||||
when: apache_evolinux_default_enabled | bool
|
when: apache_evolinux_default_enabled | bool
|
||||||
tags:
|
tags:
|
||||||
|
@ -181,7 +181,7 @@
|
||||||
src: save_apache_status.sh
|
src: save_apache_status.sh
|
||||||
dest: /usr/share/scripts/save_apache_status.sh
|
dest: /usr/share/scripts/save_apache_status.sh
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
force: no
|
force: false
|
||||||
tags:
|
tags:
|
||||||
- apache
|
- apache
|
||||||
|
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
dest: "{{ apache_serverstatus_suffix_file }}"
|
dest: "{{ apache_serverstatus_suffix_file }}"
|
||||||
# The last character "\u000A" is a line feed (LF), it's better to keep it
|
# The last character "\u000A" is a line feed (LF), it's better to keep it
|
||||||
content: "{{ apache_serverstatus_suffix }}\u000A"
|
content: "{{ apache_serverstatus_suffix }}\u000A"
|
||||||
force: yes
|
force: true
|
||||||
when: apache_serverstatus_suffix | length > 0
|
when: apache_serverstatus_suffix | length > 0
|
||||||
|
|
||||||
- name: generate random string for server-status suffix
|
- name: generate random string for server-status suffix
|
||||||
|
|
|
@ -14,6 +14,7 @@ apt_install_backports: False
|
||||||
apt_backports_components: "main"
|
apt_backports_components: "main"
|
||||||
|
|
||||||
apt_install_evolix_public: True
|
apt_install_evolix_public: True
|
||||||
|
apt_install_extended_lts: False
|
||||||
|
|
||||||
apt_clean_gandi_sourceslist: False
|
apt_clean_gandi_sourceslist: False
|
||||||
|
|
||||||
|
@ -28,4 +29,7 @@ apt_check_hold_cron_weekday: "*"
|
||||||
apt_check_hold_cron_day: "*"
|
apt_check_hold_cron_day: "*"
|
||||||
apt_check_hold_cron_month: "*"
|
apt_check_hold_cron_month: "*"
|
||||||
|
|
||||||
|
apt_list_upgradable_held_enabled: False
|
||||||
|
apt_list_upgradable_held_special_time: "weekly"
|
||||||
|
|
||||||
apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
|
apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
|
|
@ -1,3 +0,0 @@
|
||||||
Package: *
|
|
||||||
Pin: release a=bookworm-backports
|
|
||||||
Pin-Priority: 50
|
|
|
@ -1,3 +0,0 @@
|
||||||
Package: *
|
|
||||||
Pin: release a=bullseye-backports
|
|
||||||
Pin-Priority: 50
|
|
|
@ -1,3 +0,0 @@
|
||||||
Package: *
|
|
||||||
Pin: release a=buster-backports
|
|
||||||
Pin-Priority: 50
|
|
|
@ -1,4 +1,10 @@
|
||||||
#!/bin/env python3
|
#!/usr/bin/env python3
|
||||||
|
|
||||||
|
##########
|
||||||
|
# This script takes a multi-lines input of "oneliner-style" APT sources definitions.
|
||||||
|
# It converts them into "deb822-style" sources.
|
||||||
|
# Each generated file will have only one stanza, possibly with multiple Types/Suites/Components
|
||||||
|
##########
|
||||||
|
|
||||||
import re
|
import re
|
||||||
import sys
|
import sys
|
||||||
|
@ -10,11 +16,16 @@ import apt_pkg
|
||||||
# Order matters !
|
# Order matters !
|
||||||
destinations = {
|
destinations = {
|
||||||
"debian-security": "security.sources",
|
"debian-security": "security.sources",
|
||||||
|
|
||||||
".*-backports": "backports.sources",
|
".*-backports": "backports.sources",
|
||||||
|
|
||||||
".debian.org": "system.sources",
|
".debian.org": "system.sources",
|
||||||
"mirror.evolix.org": "system.sources",
|
"mirror.evolix.org": "system.sources",
|
||||||
"pub.evolix.net": "evolix_public_old.sources",
|
"ftp.evolix.org": "system.sources",
|
||||||
|
|
||||||
|
"pub.evolix.net": "evolix_public_old.sources.bak",
|
||||||
"pub.evolix.org": "evolix_public.sources",
|
"pub.evolix.org": "evolix_public.sources",
|
||||||
|
|
||||||
"artifacts.elastic.co": "elastic.sources",
|
"artifacts.elastic.co": "elastic.sources",
|
||||||
"download.docker.com": "docker.sources",
|
"download.docker.com": "docker.sources",
|
||||||
"downloads.linux.hpe.com": "hp.sources",
|
"downloads.linux.hpe.com": "hp.sources",
|
||||||
|
@ -76,6 +87,11 @@ def prepare_sources(lines):
|
||||||
key, value = option.split("=")
|
key, value = option.split("=")
|
||||||
options[key] = value
|
options[key] = value
|
||||||
|
|
||||||
|
### WARNING ###
|
||||||
|
# if there are multiple lines with different URIS for a given destination (eg. "system")
|
||||||
|
# each one will overwrite the previous one
|
||||||
|
# and the last evaluated will be what remains.
|
||||||
|
|
||||||
if dest in sources:
|
if dest in sources:
|
||||||
sources[dest]["Types"].add(matches["type"])
|
sources[dest]["Types"].add(matches["type"])
|
||||||
sources[dest]["URIs"] = matches["uri"]
|
sources[dest]["URIs"] = matches["uri"]
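Review bot: The overwrite of `sources[dest]["URIs"]` is now documented but still silent, and a migration that quietly swaps the mirror a system fetches packages from is exactly what an operator wants to hear about; emit a warning before the assignment, e.g. `if sources[dest]["URIs"] != matches["uri"]: print(f"WARNING: {dest}: URI {sources[dest]['URIs']} replaced by {matches['uri']}", file=sys.stderr)`. The `pub.evolix.net` entry maps to a `.sources.bak` name that apt ignores, which effectively disables that source; a comment saying so would avoid a later "why is this repository gone" hunt. `prepare_sources` starts before this hunk.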
|
||||||
|
|
|
@ -1,5 +1,11 @@
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
|
|
||||||
|
##########
|
||||||
|
# This script changes all "one-line" APT sources into "deb822" sources.
|
||||||
|
# It is responsible for searching and processing the files.
|
||||||
|
# The actual format migration is done by a python script.
|
||||||
|
##########
|
||||||
|
|
||||||
deb822_migrate_script=$(command -v deb822-migration.py)
|
deb822_migrate_script=$(command -v deb822-migration.py)
|
||||||
|
|
||||||
if [ -z "${deb822_migrate_script}" ]; then
|
if [ -z "${deb822_migrate_script}" ]; then
|
||||||
|
|
BIN
apt/files/freexian-archive-extended-lts.gpg
Normal file
Binary file not shown.
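Review bot: A binary keyring that apt will trust should come with its provenance: record the key's fingerprint and the URL it was fetched from (in a README or a comment next to the task that installs it) so a reviewer can verify the blob against Freexian's published key rather than trusting the commit. Nothing in this change records that, and a binary diff cannot be reviewed by eye.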
|
@ -1,3 +0,0 @@
|
||||||
Package: *
|
|
||||||
Pin: release a=jessie-backports
|
|
||||||
Pin-Priority: 50
|
|
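--- /dev/null
+++ b/apt/files/list-upgradable-held-packages.sh
@@ -0,0 +1,127 @@
+#!/bin/bash
+
+#####
+# This script will send an email if some packages are on hold
+# but have available updates.
+#####
+
+readonly VERSION="24.05"
+
+# set all programs to C language (english)
+export LC_ALL=C
+
+# If expansion is attempted on an unset variable or parameter, the shell prints an
+# error message, and, if not interactive, exits with a non-zero status.
+set -o nounset
+# The pipeline's return status is the value of the last (rightmost) command
+# to exit with a non-zero status, or zero if all commands exit successfully.
+set -o pipefail
+# Enable trace mode if called with environment variable TRACE=1
+if [[ "${TRACE-0}" == "1" ]]; then
+set -o xtrace
+fi
+
+# shellcheck disable=SC2155
+readonly PROGPATH=$(readlink -m "${0}")
+# readonly PROGNAME=$(basename "${PROGPATH}")
+# # shellcheck disable=SC2124
+# readonly ARGS=$@
+
+# Fetch values from evomaintenance configuration
+get_evomaintenance_mail() {
+grep "EVOMAINTMAIL=" /etc/evomaintenance.cf | cut -d '=' -f2
+}
+get_fqdn() {
+hostname --fqdn
+}
+get_complete_hostname() {
+REAL_HOSTNAME="$(get_fqdn)"
+if [ "${HOSTNAME}" = "${REAL_HOSTNAME}" ]; then
+echo "${HOSTNAME}"
+else
+echo "${HOSTNAME} (${REAL_HOSTNAME})"
+fi
+}
+
+format_mail() {
+cat <<EOTEMPLATE
+From: Evolix <${EMAIL_FROM}>
+Content-Type: text/plain; charset=UTF-8
+MIME-Version: 1.0
+Content-Transfer-Encoding: 8bit
+X-Script: ${PROGPATH}
+X-Script-Version: ${VERSION}
+To: ${EMAIL_CLIENT:-alert5@evolix.fr}
+Subject: Mise a jour manuelle disponible
+
+Bonjour,
+
+Un ou plusieurs paquets dont la mise à jour automatique a été
+explicitement bloquée ont une nouvelle version disponible.
+
+Nom du serveur :
+${HOSTNAME_TEXT}
+
+Liste des paquets :
+${upgradable_held_packages}
+
+Pour que nous appliquions ces mises à jour vous devez
+nous contacter explicitement, de préférence par ticket,
+en mentionnant le serveur et les paquets concernés,
+ainsi que les modalités de mise à jour (créneau horaire,
+procédure technique…).
+
+Cordialement
+
+--
+Evolix
+EOTEMPLATE
+}
+
+main() {
+held_packages=$(apt-mark showhold)
+upgradable_packages=$(apt list --upgradable 2> /dev/null)
+
+if [ -z "${held_packages}" ]; then
+# No packages are on hold
+exit 0
+elif [ -z "${upgradable_packages}" ]; then
+# No packages are upgradable
+exit 0
+fi
+
+kept_back_output=$(LC_ALL=C apt-get upgrade --dry-run | grep -A 1 'The following packages have been kept back:')
+if [ -z "${kept_back_output}" ]; then
+# No packages are kept back
+exit 0
+fi
+
+upgradable_held_packages=$(apt list --upgradable 2> /dev/null | grep -f <(echo "${kept_back_output}" | tail -1 | tr ' ' '\n' | sed -e '/^$/d'))
+
+if [ -z "${upgradable_held_packages}" ]; then
+# No held packages are upgradable
+exit 0
+fi
+
+HOSTNAME="$(get_fqdn)"
+HOSTNAME_TEXT="$(get_complete_hostname)"
+EMAIL_CLIENT="$(get_evomaintenance_mail)"
+EMAIL_FROM="equipe@evolix.fr"
+MAIL_CONTENT="$(format_mail)"
+
+SENDMAIL_BIN="$(command -v sendmail)"
+
+if [ -z "${SENDMAIL_BIN}" ]; then
+>&2 echo "ERROR: No \`sendmail' command has been found, can't send mail."
+exit 1
+fi
+if [ ! -x "${SENDMAIL_BIN}" ]; then
+>&2 echo "ERROR: \`${SENDMAIL_BIN}' is not executable, can't send mail."
+exit 1
+fi
+
+echo "${MAIL_CONTENT}" | "${SENDMAIL_BIN}" -oi -t -f "equipe@evolix.fr"
+exit 0
+}
+
+main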
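Review bot: `held_packages` is only tested for emptiness; the final `upgradable_held_packages` list is `apt list --upgradable` filtered by the "kept back" names, and apt-get keeps packages back for dependency reasons too, so the mail can report packages that were never put on hold. Filter on the hold list instead, e.g. `upgradable_held_packages=$(echo "${upgradable_packages}" | awk -F/ 'NR==FNR { held[$1] = 1; next } ($1 in held)' <(echo "${held_packages}") -)`, which also matches on the exact package name instead of the unanchored regexes `grep -f` builds from bare names. The `grep -A 1 … | tail -1` parsing is fragile as well: apt-get wraps a long kept-back list over several lines, so only the first line is ever seen. `cut -d '=' -f2` in `get_evomaintenance_mail` also keeps any quotes around the `EVOMAINTMAIL` value, which would then land verbatim in the `To:` header.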
@ -1,3 +0,0 @@
|
||||||
Package: *
|
|
||||||
Pin: release a=stretch-backports
|
|
||||||
Pin-Priority: 50
|
|
|
@ -4,25 +4,15 @@
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: '{{ ansible_distribution_release }}_backports.sources.j2'
|
src: '{{ ansible_distribution_release }}_backports.sources.j2'
|
||||||
dest: /etc/apt/sources.list.d/backports.sources
|
dest: /etc/apt/sources.list.d/backports.sources
|
||||||
force: yes
|
force: true
|
||||||
mode: "0640"
|
mode: "0640"
|
||||||
register: apt_backports_sources
|
register: apt_backports_sources
|
||||||
tags:
|
tags:
|
||||||
- apt
|
- apt
|
||||||
|
|
||||||
- name: Backports configuration
|
|
||||||
ansible.builtin.copy:
|
|
||||||
src: '{{ ansible_distribution_release }}_backports_preferences'
|
|
||||||
dest: /etc/apt/preferences.d/0-backports-defaults
|
|
||||||
force: yes
|
|
||||||
mode: "0640"
|
|
||||||
register: apt_backports_config
|
|
||||||
tags:
|
|
||||||
- apt
|
|
||||||
|
|
||||||
- name: Apt update
|
- name: Apt update
|
||||||
ansible.builtin.apt:
|
ansible.builtin.apt:
|
||||||
update_cache: yes
|
update_cache: yes
|
||||||
when: apt_backports_sources is changed or apt_backports_config is changed
|
when: apt_backports_sources is changed
|
||||||
tags:
|
tags:
|
||||||
- apt
|
- apt
|
||||||
|
|
|
@ -11,22 +11,12 @@
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: '{{ ansible_distribution_release }}_backports.list.j2'
|
src: '{{ ansible_distribution_release }}_backports.list.j2'
|
||||||
dest: /etc/apt/sources.list.d/backports.list
|
dest: /etc/apt/sources.list.d/backports.list
|
||||||
force: yes
|
force: true
|
||||||
mode: "0640"
|
mode: "0640"
|
||||||
register: apt_backports_list
|
register: apt_backports_list
|
||||||
tags:
|
tags:
|
||||||
- apt
|
- apt
|
||||||
|
|
||||||
- name: Backports configuration
|
|
||||||
ansible.builtin.copy:
|
|
||||||
src: '{{ ansible_distribution_release }}_backports_preferences'
|
|
||||||
dest: /etc/apt/preferences.d/0-backports-defaults
|
|
||||||
force: yes
|
|
||||||
mode: "0640"
|
|
||||||
register: apt_backports_config
|
|
||||||
tags:
|
|
||||||
- apt
|
|
||||||
|
|
||||||
- name: Archived backport are accepted (jessie)
|
- name: Archived backport are accepted (jessie)
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: '/etc/apt/apt.conf.d/99no-check-valid-until'
|
dest: '/etc/apt/apt.conf.d/99no-check-valid-until'
|
||||||
|
@ -42,4 +32,4 @@
|
||||||
update_cache: yes
|
update_cache: yes
|
||||||
tags:
|
tags:
|
||||||
- apt
|
- apt
|
||||||
when: apt_backports_list is changed or apt_backports_config is changed
|
when: apt_backports_list is changed
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
src: "{{ ansible_distribution_release }}_basics.sources.j2"
|
src: "{{ ansible_distribution_release }}_basics.sources.j2"
|
||||||
dest: /etc/apt/sources.list.d/system.sources
|
dest: /etc/apt/sources.list.d/system.sources
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
force: yes
|
force: true
|
||||||
register: apt_basic_sources
|
register: apt_basic_sources
|
||||||
tags:
|
tags:
|
||||||
- apt
|
- apt
|
||||||
|
@ -15,7 +15,7 @@
|
||||||
src: "{{ ansible_distribution_release }}_security.sources.j2"
|
src: "{{ ansible_distribution_release }}_security.sources.j2"
|
||||||
dest: /etc/apt/sources.list.d/security.sources
|
dest: /etc/apt/sources.list.d/security.sources
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
force: yes
|
force: true
|
||||||
register: apt_security_sources
|
register: apt_security_sources
|
||||||
tags:
|
tags:
|
||||||
- apt
|
- apt
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
src: "{{ ansible_distribution_release }}_basics.list.j2"
|
src: "{{ ansible_distribution_release }}_basics.list.j2"
|
||||||
dest: /etc/apt/sources.list
|
dest: /etc/apt/sources.list
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
force: yes
|
force: true
|
||||||
register: apt_basic_list
|
register: apt_basic_list
|
||||||
tags:
|
tags:
|
||||||
- apt
|
- apt
|
||||||
|
|
|
@ -16,11 +16,25 @@
|
||||||
- apt
|
- apt
|
||||||
when: _trusted_gpg_keyring.stat.exists
|
when: _trusted_gpg_keyring.stat.exists
|
||||||
|
|
||||||
|
- name: "Ensure {{ apt_keyring_dir }} directory exists"
|
||||||
|
file:
|
||||||
|
path: "{{ apt_keyring_dir }}"
|
||||||
|
state: directory
|
||||||
|
mode: "755"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
|
||||||
|
- name: Set Evolix GPG key format to ASC
|
||||||
|
set_fact:
|
||||||
|
apt_evolix_public_key: "{{ apt_keyring_dir }}/pub_evolix.asc"
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
- name: Add Evolix GPG key
|
- name: Add Evolix GPG key
|
||||||
ansible.builtin.copy:
|
ansible.builtin.copy:
|
||||||
src: pub_evolix.asc
|
src: pub_evolix.asc
|
||||||
dest: "{{ apt_keyring_dir }}/pub_evolix.asc"
|
dest: "{{ apt_evolix_public_key }}"
|
||||||
force: yes
|
force: true
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
|
@ -31,7 +45,7 @@
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: evolix_public.sources.j2
|
src: evolix_public.sources.j2
|
||||||
dest: /etc/apt/sources.list.d/evolix_public.sources
|
dest: /etc/apt/sources.list.d/evolix_public.sources
|
||||||
force: yes
|
force: true
|
||||||
mode: "0640"
|
mode: "0640"
|
||||||
register: apt_evolix_public
|
register: apt_evolix_public
|
||||||
tags:
|
tags:
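Review bot: The new "Ensure … directory exists" task has no `tags`, so a run with `--tags apt` skips it while the tagged "Add Evolix GPG key" copy still runs and fails on a host where the directory is missing; add `tags: - apt` to the `file` task (the `set_fact` is already tagged). For consistency with the rest of the file use `ansible.builtin.file` and `ansible.builtin.set_fact`, and write the mode as `"0755"` like the other tasks.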
|
||||||
|
|
|
@ -16,11 +16,35 @@
|
||||||
- apt
|
- apt
|
||||||
when: _trusted_gpg_keyring.stat.exists
|
when: _trusted_gpg_keyring.stat.exists
|
||||||
|
|
||||||
|
- name: "Ensure {{ apt_keyring_dir }} directory exists"
|
||||||
|
file:
|
||||||
|
path: "{{ apt_keyring_dir }}"
|
||||||
|
state: directory
|
||||||
|
mode: "755"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
|
||||||
|
- name: Set Evolix GPG key format to GPG (Debian < 9)
|
||||||
|
set_fact:
|
||||||
|
apt_evolix_public_key: "pub_evolix.gpg"
|
||||||
|
when:
|
||||||
|
- ansible_distribution_major_version is version('9', '<')
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
|
- name: Set Evolix GPG key format to ASC (Debian >= 9)
|
||||||
|
set_fact:
|
||||||
|
apt_evolix_public_key: "pub_evolix.asc"
|
||||||
|
when:
|
||||||
|
- ansible_distribution_major_version is version('9', '>=')
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
- name: Add Evolix GPG key
|
- name: Add Evolix GPG key
|
||||||
ansible.builtin.copy:
|
ansible.builtin.copy:
|
||||||
src: pub_evolix.asc
|
src: "{{ apt_evolix_public_key }}"
|
||||||
dest: "{{ apt_keyring_dir }}/pub_evolix.asc"
|
dest: "{{ apt_keyring_dir }}/{{ apt_evolix_public_key }}"
|
||||||
force: yes
|
force: true
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
|
@ -31,7 +55,7 @@
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: evolix_public.list.j2
|
src: evolix_public.list.j2
|
||||||
dest: /etc/apt/sources.list.d/evolix_public.list
|
dest: /etc/apt/sources.list.d/evolix_public.list
|
||||||
force: yes
|
force: true
|
||||||
mode: "0640"
|
mode: "0640"
|
||||||
register: apt_evolix_public
|
register: apt_evolix_public
|
||||||
tags:
|
tags:
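Review bot: `apt_evolix_public_key` holds a bare filename here (`pub_evolix.gpg`/`pub_evolix.asc`) but a full path in `evolix_public.deb822.yml` from the same change; reusing one fact name with two meanings is fragile for anyone reading or reusing it later, so either store the filename in both files and build the path at the copy task, or rename one of them. As in the deb822 file, the "Ensure … directory exists" task lacks `tags`, so `--tags apt` runs skip it and the tagged key copy may fail; add `tags: - apt` and the `ansible.builtin.` prefix.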
|
||||||
|
|
37
apt/tasks/extended-lts.oneline.yml
Normal file
|
@ -0,0 +1,37 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: "Ensure {{ apt_keyring_dir }} directory exists"
|
||||||
|
file:
|
||||||
|
path: "{{ apt_keyring_dir }}"
|
||||||
|
state: directory
|
||||||
|
mode: "755"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
|
||||||
|
- name: Add Evolix GPG key
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: "freexian-archive-extended-lts.gpg"
|
||||||
|
dest: "{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"
|
||||||
|
force: true
|
||||||
|
mode: "0644"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
|
- name: ELTS list is installed
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: "{{ ansible_distribution_release }}_extended-lts.list.j2"
|
||||||
|
dest: /etc/apt/sources.list.d/extended-lts.list
|
||||||
|
force: true
|
||||||
|
mode: "0640"
|
||||||
|
register: apt_extended_lts
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
|
- name: Apt update
|
||||||
|
ansible.builtin.apt:
|
||||||
|
update_cache: yes
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
when: apt_extended_lts is changed
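Review bot: The second task is named "Add Evolix GPG key" but installs `freexian-archive-extended-lts.gpg`; rename it to `Add Freexian Extended-LTS GPG key` so play output and logs say what was trusted. On Debian < 12 `apt_keyring_dir` resolves to `/etc/apt/trusted.gpg.d` (see the default in `apt/defaults/main.yml`), which makes the Freexian key valid for every configured repository; placing it under `/etc/apt/keyrings` or `/usr/share/keyrings` and referencing it with `[signed-by=…]` in `*_extended-lts.list.j2` (not visible here) limits it to the ELTS archive. The directory task also lacks `tags: - apt`, so a tagged run skips it while the tagged copy and template tasks still run.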
|
|
@ -71,12 +71,21 @@
|
||||||
ansible.builtin.copy:
|
ansible.builtin.copy:
|
||||||
src: check_held_packages.sh
|
src: check_held_packages.sh
|
||||||
dest: /usr/share/scripts/check_held_packages.sh
|
dest: /usr/share/scripts/check_held_packages.sh
|
||||||
force: yes
|
force: true
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
tags:
|
tags:
|
||||||
- apt
|
- apt
|
||||||
|
|
||||||
- name: Check if Cron is installed
|
- name: List scripts is installed
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: list-upgradable-held-packages.sh
|
||||||
|
dest: /usr/share/scripts/list-upgradable-held-packages.sh
|
||||||
|
force: true
|
||||||
|
mode: "0755"
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
|
- name: Check if cron is installed
|
||||||
ansible.builtin.shell:
|
ansible.builtin.shell:
|
||||||
cmd: "dpkg --list 'cron' 2>/dev/null | grep -q -E '^(i|h)i'"
|
cmd: "dpkg --list 'cron' 2>/dev/null | grep -q -E '^(i|h)i'"
|
||||||
register: is_cron
|
register: is_cron
|
||||||
|
@ -101,3 +110,15 @@
|
||||||
tags:
|
tags:
|
||||||
- apt
|
- apt
|
||||||
when: is_cron.rc == 0
|
when: is_cron.rc == 0
|
||||||
|
|
||||||
|
- name: List upgradable held packages (script)
|
||||||
|
ansible.builtin.cron:
|
||||||
|
cron_file: apt-hold-packages
|
||||||
|
name: list-upgradable-held-packages
|
||||||
|
job: "/usr/share/scripts/list-upgradable-held-packages.sh"
|
||||||
|
user: root
|
||||||
|
special_time: "{{ apt_list_upgradable_held_special_time | mandatory }}"
|
||||||
|
state: "{{ apt_list_upgradable_held_enabled | bool | ternary('present', 'absent') }}"
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
when: is_cron.rc == 0
|
||||||
|
|
|
@ -80,6 +80,14 @@
|
||||||
- apt_install_evolix_public | bool
|
- apt_install_evolix_public | bool
|
||||||
- ansible_distribution_major_version is version('12', '>=')
|
- ansible_distribution_major_version is version('12', '>=')
|
||||||
|
|
||||||
|
- name: Install Extended-LTS repositories (Debian < 10)
|
||||||
|
ansible.builtin.import_tasks: extended-lts.oneline.yml
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
when:
|
||||||
|
- apt_install_extended_lts | bool
|
||||||
|
- ansible_distribution_major_version is version('10', '<')
|
||||||
|
|
||||||
- name: Clean GANDI sources
|
- name: Clean GANDI sources
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: '{{ item }}'
|
path: '{{ item }}'
|
||||||
|
@ -96,6 +104,18 @@
|
||||||
when: apt_clean_gandi_sourceslist | bool
|
when: apt_clean_gandi_sourceslist | bool
|
||||||
|
|
||||||
|
|
||||||
|
- name: "Disable NonFreeFirmware warning for VM on Debian 12+"
|
||||||
|
ansible.builtin.lineinfile:
|
||||||
|
path: /etc/apt/apt.conf.d/no-bookworm-firmware.conf
|
||||||
|
create: yes
|
||||||
|
line: "APT::Get::Update::SourceListWarnings::NonFreeFirmware \"false\";"
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
when:
|
||||||
|
- ansible_distribution_major_version is version('12', '>=')
|
||||||
|
- ansible_virtualization_role == "guest"
|
||||||
|
|
||||||
|
|
||||||
- name: Install check for packages marked hold
|
- name: Install check for packages marked hold
|
||||||
ansible.builtin.import_tasks: hold_packages.yml
|
ansible.builtin.import_tasks: hold_packages.yml
|
||||||
when: apt_install_hold_packages | bool
|
when: apt_install_hold_packages | bool
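Review bot: The `NonFreeFirmware` lineinfile creates `/etc/apt/apt.conf.d/no-bookworm-firmware.conf` with `create: yes` but no `mode`/`owner`/`group`; add `mode: "0644"`, `owner: root` and `group: root` as the other file tasks in this role do. The Extended-LTS import is gated on `ansible_distribution_major_version is version('10', '<')`, so buster (10) is excluded even though this change moves the buster sources to `archive.debian.org`; if buster ELTS is intended and a buster template exists, the condition needs to be `'11', '<'`.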
|
||||||
|
|
|
@ -14,9 +14,9 @@
|
||||||
|
|
||||||
- name: Migration scripts are installed
|
- name: Migration scripts are installed
|
||||||
ansible.builtin.copy:
|
ansible.builtin.copy:
|
||||||
src: "{{ item }}"
|
src: "{{ item }}"
|
||||||
dest: "/usr/share/scripts/{{ item }}"
|
dest: "/usr/share/scripts/{{ item }}"
|
||||||
force: yes
|
force: true
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
loop:
|
loop:
|
||||||
- deb822-migration.py
|
- deb822-migration.py
|
||||||
|
@ -30,3 +30,33 @@
|
||||||
ignore_errors: yes
|
ignore_errors: yes
|
||||||
tags:
|
tags:
|
||||||
- apt
|
- apt
|
||||||
|
|
||||||
|
- name: Is system.sources present?
|
||||||
|
ansible.builtin.stat:
|
||||||
|
path: /etc/apt/sources.list.d/system.sources
|
||||||
|
register: _system_sources
|
||||||
|
|
||||||
|
- name: Add signed-by when relevant for bookworm
|
||||||
|
ansible.builtin.lineinfile:
|
||||||
|
dest: /etc/apt/sources.list.d/system.sources
|
||||||
|
line: "Signed-by: /usr/share/keyrings/debian-archive-keyring.gpg"
|
||||||
|
insertafter: "Suites: bookworm bookworm-updates"
|
||||||
|
state: present
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
when: _system_sources.stat.exists or not ansible_check_mode
|
||||||
|
|
||||||
|
- name: Is security.sources present?
|
||||||
|
ansible.builtin.stat:
|
||||||
|
path: /etc/apt/sources.list.d/security.sources
|
||||||
|
register: _security_sources
|
||||||
|
|
||||||
|
- name: Add signed-by when relevant for bookworm-security
|
||||||
|
ansible.builtin.lineinfile:
|
||||||
|
dest: /etc/apt/sources.list.d/security.sources
|
||||||
|
line: "Signed-by: /usr/share/keyrings/debian-archive-keyring.gpg"
|
||||||
|
insertafter: "Suites: bookworm-security"
|
||||||
|
state: present
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
when: _security_sources.stat.exists or not ansible_check_mode
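Review bot: The migration appends `Signed-by: /usr/share/keyrings/debian-archive-keyring.gpg`, which trusts every Debian archive key, whereas the new `bookworm` basics and security templates in this change pin `debian-archive-bookworm-automatic.gpg` and `debian-archive-bookworm-security-automatic.gpg`; migrated and fresh hosts end up with different trust scopes for the same suites, so use the same per-suite keyrings here. `insertafter` falls back to appending at end of file when the `Suites:` pattern does not match, so nothing actually restricts these two tasks to bookworm despite their names; a `when: ansible_distribution_release == "bookworm"` would. Use the `Signed-By` spelling the templates use (apt matches field names case-insensitively as far as I know, but mixed spellings invite grep misses).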
|
||||||
|
|
|
@ -5,3 +5,4 @@ URIs: http://mirror.evolix.org/debian
|
||||||
Suites: bookworm bookworm-updates
|
Suites: bookworm bookworm-updates
|
||||||
Components: {{ apt_basics_components | mandatory }}
|
Components: {{ apt_basics_components | mandatory }}
|
||||||
Enabled: yes
|
Enabled: yes
|
||||||
|
Signed-By: /usr/share/keyrings/debian-archive-bookworm-automatic.gpg
|
||||||
|
|
|
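Review bot: The `Signed-By:` added to this bookworm.sources template names `/usr/share/keyrings/debian-archive-bookworm-automatic.gpg`, while the new lineinfile task in the apt tasks hunk above (`line: "Signed-by: /usr/share/keyrings/debian-archive-keyring.gpg"`, `insertafter: "Suites: bookworm bookworm-updates"`) names a different keyring and has no `regexp`, so on a freshly templated file the exact-line check fails and a second Signed-By field is appended to the same stanza. The same mismatch exists between security.sources (`debian-archive-bookworm-security-automatic.gpg`) and the bookworm-security task. Use one keyring path in both places and give each task `regexp: '^Signed-[Bb]y:'` so an existing field is updated rather than duplicated; if the narrower per-suite keyrings are the intended pin, the tasks should use those. Which duplicate field apt honours is not something these hunks show, so the stanza should not be left with two.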
@ -5,3 +5,4 @@ URIs: https://security.debian.org/debian-security
|
||||||
Suites: bookworm-security
|
Suites: bookworm-security
|
||||||
Components: {{ apt_basics_components | mandatory }}
|
Components: {{ apt_basics_components | mandatory }}
|
||||||
Enabled: yes
|
Enabled: yes
|
||||||
|
Signed-By: /usr/share/keyrings/debian-archive-bookworm-security-automatic.gpg
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
# {{ ansible_managed }}
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
deb http://mirror.evolix.org/debian bullseye {{ apt_basics_components | mandatory }}
|
deb http://mirror.evolix.org/debian bullseye {{ apt_basics_components | mandatory }}
|
||||||
deb http://mirror.evolix.org/debian/ bullseye-updates {{ apt_basics_components | mandatory }}
|
deb http://mirror.evolix.org/debian bullseye-updates {{ apt_basics_components | mandatory }}
|
||||||
deb http://security.debian.org/debian-security bullseye-security {{ apt_basics_components | mandatory }}
|
deb http://security.debian.org/debian-security bullseye-security {{ apt_basics_components | mandatory }}
|
||||||
|
|
|
@ -1,3 +1,3 @@
|
||||||
# {{ ansible_managed }}
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
deb http://mirror.evolix.org/debian buster-backports {{ apt_backports_components | mandatory }}
|
deb http://archive.debian.org/debian buster-backports {{ apt_backports_components | mandatory }}
|
||||||
|
|
|
@ -1,5 +1,4 @@
|
||||||
# {{ ansible_managed }}
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
deb http://mirror.evolix.org/debian buster {{ apt_basics_components | mandatory }}
|
deb http://archive.debian.org/debian buster {{ apt_basics_components | mandatory }}
|
||||||
deb http://mirror.evolix.org/debian/ buster-updates {{ apt_basics_components | mandatory }}
|
|
||||||
deb http://security.debian.org/debian-security buster/updates {{ apt_basics_components | mandatory }}
|
deb http://security.debian.org/debian-security buster/updates {{ apt_basics_components | mandatory }}
|
||||||
|
|
|
@ -1,3 +1,3 @@
|
||||||
# {{ ansible_managed }}
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix {{ ansible_distribution_release }} main
|
deb [signed-by={{ apt_keyring_dir }}/{{ apt_evolix_public_key }}] http://pub.evolix.org/evolix {{ ansible_distribution_release }} main
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
# {{ ansible_managed }}
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
Types:deb
|
Types: deb
|
||||||
URIs: http://pub.evolix.org/evolix
|
URIs: http://pub.evolix.org/evolix
|
||||||
Suites: {{ ansible_distribution_release }}
|
Suites: {{ ansible_distribution_release }}
|
||||||
Components: main
|
Components: main
|
||||||
|
|
|
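Review bot: This deb822 stanza carries no `Signed-By:` field within the hunk (file lines 1–6), whereas its one-line sibling pub_evolix.list.j2 pins `signed-by={{ apt_keyring_dir }}/{{ apt_evolix_public_key }}`; without the pin the repository is accepted against any key in /etc/apt/trusted.gpg.d. Unless a Signed-By line follows beyond the hunk, add `Signed-By: {{ apt_keyring_dir }}/{{ apt_evolix_public_key }}` after `Components: main` so both templates trust the same key.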
@ -1,4 +1,5 @@
|
||||||
# {{ ansible_managed }}
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
deb http://mirror.evolix.org/debian/ jessie {{ apt_basics_components | mandatory }}
|
### Those repositories are unusable. Move to ELTS (manually).
|
||||||
deb http://security.debian.org/ jessie/updates {{ apt_basics_components | mandatory }}
|
# deb http://archive.debian.org/debian jessie {{ apt_basics_components | mandatory }}
|
||||||
|
# deb http://archive.debian.org/debian-security jessie/updates {{ apt_basics_components | mandatory }}
|
||||||
|
|
4
apt/templates/jessie_extended-lts.list.j2
Normal file
4
apt/templates/jessie_extended-lts.list.j2
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
|
deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts jessie main
|
||||||
|
deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts jessie-lts main
|
|
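Review bot: The keyring name `freexian-archive-extended-lts.gpg` is hard-coded in both `deb [signed-by=...]` lines, while the other Evolix template resolves its key through `apt_evolix_public_key`; nothing in this section deploys that keyring, and apt refuses the repository with a missing-key error if the file is absent at `apt update` time. A role variable for the keyring name, or a comment in the template naming the task that installs it, would make the dependency visible. stretch_extended-lts.list.j2 has the same two lines.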
@ -1,3 +1,3 @@
|
||||||
# {{ ansible_managed }}
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
deb http://mirror.evolix.org/debian stretch-backports {{ apt_backports_components | mandatory }}
|
deb http://archive.debian.org/debian stretch-backports {{ apt_backports_components | mandatory }}
|
||||||
|
|
|
@ -1,5 +1,4 @@
|
||||||
# {{ ansible_managed }}
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
deb http://mirror.evolix.org/debian stretch {{ apt_basics_components | mandatory }}
|
deb http://archive.debian.org/debian stretch {{ apt_basics_components | mandatory }}
|
||||||
deb http://mirror.evolix.org/debian/ stretch-updates {{ apt_basics_components | mandatory }}
|
deb http://archive.debian.org/debian-security stretch/updates {{ apt_basics_components | mandatory }}
|
||||||
deb http://security.debian.org/debian-security stretch/updates {{ apt_basics_components | mandatory }}
|
|
||||||
|
|
4
apt/templates/stretch_extended-lts.list.j2
Normal file
4
apt/templates/stretch_extended-lts.list.j2
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
|
deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts stretch main
|
||||||
|
deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts stretch-lts main
|
17
autosysadmin-agent/defaults/main.yml
Normal file
17
autosysadmin-agent/defaults/main.yml
Normal file
|
@ -0,0 +1,17 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
general_scripts_dir: "/usr/share/scripts"
|
||||||
|
|
||||||
|
autosysadmin_agent_bin_dir: "/usr/local/bin/autosysadmin"
|
||||||
|
autosysadmin_agent_lib_dir: "/usr/local/lib/autosysadmin"
|
||||||
|
autosysadmin_agent_auto_dir: "{{ general_scripts_dir }}/autosysadmin/restart"
|
||||||
|
|
||||||
|
autosysadmin_agent_crontab_enabled: true
|
||||||
|
autosysadmin_agent_log_retention_days: 365
|
||||||
|
|
||||||
|
autosysadmin_config: []
|
||||||
|
### All repair are disabled if set to 'off'
|
||||||
|
### even if a specific repair value is 'on'
|
||||||
|
# repair_all: 'on'
|
||||||
|
### Default values for checks
|
||||||
|
# repair_foo: 'off'
|
13
autosysadmin-agent/files/autosysadmin.logrotate.conf
Normal file
13
autosysadmin-agent/files/autosysadmin.logrotate.conf
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
/var/log/autosysadmin.log {
|
||||||
|
daily
|
||||||
|
missingok
|
||||||
|
rotate 365
|
||||||
|
compress
|
||||||
|
nodelaycompress
|
||||||
|
notifempty
|
||||||
|
dateext
|
||||||
|
dateformat .%Y-%m-%d
|
||||||
|
dateyesterday
|
||||||
|
copytruncate
|
||||||
|
create 0640 root adm
|
||||||
|
}
|
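Review bot: `create 0640 root adm` has no effect here because `copytruncate` keeps the original file and truncates it in place instead of creating a new one, so the permissions of this log of privileged automated actions rest entirely on rsyslog's own file-creation mode. copytruncate also loses any line written between the copy and the truncate. Since the file is written by rsyslog (see autosysadmin.rsyslog.conf), the usual shape is to drop `copytruncate`, keep `create 0640 root adm`, and add a `postrotate` block that asks rsyslog to reopen its files; if copytruncate is deliberate, a comment saying why would help the next reader.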
3
autosysadmin-agent/files/autosysadmin.rsyslog.conf
Normal file
3
autosysadmin-agent/files/autosysadmin.rsyslog.conf
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
$template autosysadmin, "/var/log/autosysadmin.log"
|
||||||
|
if $programname contains 'autosysadmin' then ?autosysadmin
|
||||||
|
& stop
|
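Review bot: `& stop` discards every matching message after it is written to /var/log/autosysadmin.log, so these records of automated repair/restart actions no longer reach /var/log/syslog or any forwarding rule (central collection, SIEM) that rsyslog evaluates later; /etc/rsyslog.d is typically included in lexical order, so forwarding must live in a file that sorts before this one, or the `& stop` should go. `$programname contains 'autosysadmin'` is also a substring match and captures any tag that merely contains the word; `$programname == 'autosysadmin'` (the tag set by `logger -t autosysadmin` in the scripts) or `startswith` is the tighter test. A short comment recording both decisions in the file would save the next reader the lookup.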
25
autosysadmin-agent/files/upstream/bin/delete_old_logs.sh
Normal file
25
autosysadmin-agent/files/upstream/bin/delete_old_logs.sh
Normal file
|
@ -0,0 +1,25 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
days=${1:-365}
|
||||||
|
log_dir="/var/log/autosysadmin/"
|
||||||
|
|
||||||
|
if [ -d "${log_dir}" ]; then
|
||||||
|
find_run_dirs() {
|
||||||
|
find "${log_dir}" \
|
||||||
|
-mindepth 1 \
|
||||||
|
-maxdepth 1 \
|
||||||
|
-type d \
|
||||||
|
-ctime "+${days}" \
|
||||||
|
-print0
|
||||||
|
}
|
||||||
|
log() {
|
||||||
|
/usr/bin/logger -p local0.notice -t autosysadmin "${1}"
|
||||||
|
}
|
||||||
|
|
||||||
|
while IFS= read -r -d '' run_dir; do
|
||||||
|
rm --recursive --force "${run_dir}"
|
||||||
|
log "Delete ${run_dir} (older than ${days} days)"
|
||||||
|
done < <(find_run_dirs)
|
||||||
|
fi
|
||||||
|
|
||||||
|
exit 0
|
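Review bot: `days=${1:-365}` is passed straight into `find ... -ctime "+${days}"` without validation, so a non-numeric or negative argument makes find fail inside the process substitution and the script still ends with `exit 0`. Add `case "${days}" in ''|*[!0-9]*) echo "usage: $0 [days]" >&2; exit 1 ;; esac` before the `if`. Note also that `-ctime` is inode change time, not modification time: the `chgrp adm` in common.sh's initialize() resets it at creation, which is fine, but any later chmod/chown on a run directory postpones its deletion. The unconditional `exit 0` also hides rm failures; exiting with the loop's status would surface them.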
907
autosysadmin-agent/files/upstream/lib/common.sh
Executable file
907
autosysadmin-agent/files/upstream/lib/common.sh
Executable file
|
@ -0,0 +1,907 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
VERSION="24.03.2"
|
||||||
|
|
||||||
|
# Common functions for "repair" and "restart" scripts
|
||||||
|
|
||||||
|
set -u
|
||||||
|
|
||||||
|
# Initializes the program, context, configuration…
|
||||||
|
initialize() {
|
||||||
|
PATH="${PATH}":/usr/sbin:/sbin
|
||||||
|
|
||||||
|
# Used in many places to refer to the program name.
|
||||||
|
# Examples: repair_mysql, restart_nrpe…
|
||||||
|
PROGNAME=$(basename "${0}")
|
||||||
|
|
||||||
|
# find out if running in interactive mode, or not
|
||||||
|
if [ -t 0 ]; then
|
||||||
|
INTERACTIVE=1
|
||||||
|
else
|
||||||
|
INTERACTIVE=0
|
||||||
|
fi
|
||||||
|
readonly INTERACTIVE
|
||||||
|
|
||||||
|
# Default empty value for Debug mode
|
||||||
|
DEBUG="${DEBUG:-""}"
|
||||||
|
|
||||||
|
# Repair scripts obey to the value of a variable named after the script
|
||||||
|
# You can set the value ("on" or "off") in /etc/evolinux/autosysadmin
|
||||||
|
# Here we set the default value to "on".
|
||||||
|
declare -g "${PROGNAME}"=on # dynamic variable assignment ($PROGNAME == repair_*)
|
||||||
|
|
||||||
|
PID=$$
|
||||||
|
readonly PID
|
||||||
|
|
||||||
|
# Each execution (run) gets a unique ID
|
||||||
|
RUN_ID="$(date +"%Y-%m-%d_%H-%M")_${PROGNAME}_${PID}"
|
||||||
|
readonly RUN_ID
|
||||||
|
|
||||||
|
# Main log directory
|
||||||
|
MAIN_LOG_DIR="/var/log/autosysadmin"
|
||||||
|
readonly MAIN_LOG_DIR
|
||||||
|
# shellcheck disable=SC2174
|
||||||
|
mkdir --mode=750 --parents "${MAIN_LOG_DIR}"
|
||||||
|
chgrp adm "${MAIN_LOG_DIR}"
|
||||||
|
|
||||||
|
# Each execution store some information
|
||||||
|
# in a unique directory based on the RUN_ID
|
||||||
|
RUN_LOG_DIR="${MAIN_LOG_DIR}/${RUN_ID}"
|
||||||
|
readonly RUN_LOG_DIR
|
||||||
|
# shellcheck disable=SC2174
|
||||||
|
mkdir --mode=750 --parents "${RUN_LOG_DIR}"
|
||||||
|
chgrp adm "${RUN_LOG_DIR}"
|
||||||
|
|
||||||
|
# This log file contains all events
|
||||||
|
RUN_LOG_FILE="${RUN_LOG_DIR}/autosysadmin.log"
|
||||||
|
readonly RUN_LOG_FILE
|
||||||
|
|
||||||
|
# This log file contains notable actions
|
||||||
|
ACTIONS_FILE="${RUN_LOG_DIR}/actions.log"
|
||||||
|
readonly ACTIONS_FILE
|
||||||
|
touch "${ACTIONS_FILE}"
|
||||||
|
# This log file contains abort reasons (if any)
|
||||||
|
ABORT_FILE="${RUN_LOG_DIR}/abort.log"
|
||||||
|
readonly ABORT_FILE
|
||||||
|
# touch "${ABORT_FILE}"
|
||||||
|
|
||||||
|
# Date format for log messages
|
||||||
|
DATE_FORMAT="%Y-%m-%d %H:%M:%S"
|
||||||
|
|
||||||
|
# This will contain lock, last-run markers…
|
||||||
|
# It's ok to lose the content after a reboot
|
||||||
|
RUN_DIR="/run/autosysadmin"
|
||||||
|
readonly RUN_DIR
|
||||||
|
mkdir -p "${RUN_DIR}"
|
||||||
|
|
||||||
|
# Only a singe instace of each script can run simultaneously
|
||||||
|
# We use a customizable lock name for this.
|
||||||
|
# By default it's the script's name
|
||||||
|
LOCK_NAME=${LOCK_NAME:-${PROGNAME}}
|
||||||
|
# If a lock is found, we can wait for it to disappear.
|
||||||
|
# The value must be understood by sleep(1)
|
||||||
|
LOCK_WAIT="0"
|
||||||
|
|
||||||
|
# Default values for email headers
|
||||||
|
EMAIL_FROM="equipe+autosysadmin@evolix.net"
|
||||||
|
EMAIL_INTERNAL="autosysadmin@evolix.fr"
|
||||||
|
|
||||||
|
LOCK_FILE="${RUN_DIR}/${LOCK_NAME}.lock"
|
||||||
|
readonly LOCK_FILE
|
||||||
|
# Remove lock file at exit
|
||||||
|
cleanup() {
|
||||||
|
# shellcheck disable=SC2317
|
||||||
|
rm -f "${LOCK_FILE}"
|
||||||
|
}
|
||||||
|
trap 'cleanup' 0
|
||||||
|
|
||||||
|
# Load configuration
|
||||||
|
# shellcheck disable=SC1091
|
||||||
|
test -f /etc/evolinux/autosysadmin && source /etc/evolinux/autosysadmin
|
||||||
|
|
||||||
|
log_all "Begin ${PROGNAME} RUN_ID: ${RUN_ID}"
|
||||||
|
log_all "Log directory is ${RUN_LOG_DIR}"
|
||||||
|
}
|
||||||
|
|
||||||
|
# Executes a list of tasks before exiting:
|
||||||
|
# * prepare a summary of actions and possible abort reasons
|
||||||
|
# * send emails
|
||||||
|
# * do some cleanup
|
||||||
|
quit() {
|
||||||
|
log_all "End ${PROGNAME} RUN_ID: ${RUN_ID}"
|
||||||
|
|
||||||
|
summary="RUN_ID: ${RUN_ID}"
|
||||||
|
if [ -s "${ABORT_FILE}" ]; then
|
||||||
|
# Add abort reasons to summary
|
||||||
|
summary="${summary}\n$(print_abort_reasons)"
|
||||||
|
hook_mail "abort"
|
||||||
|
|
||||||
|
return_code=1
|
||||||
|
else
|
||||||
|
if [ -s "${ACTIONS_FILE}" ]; then
|
||||||
|
# Add notable actions to summary
|
||||||
|
summary="${summary}\n$(print_actions "Aucune action")"
|
||||||
|
hook_mail "success"
|
||||||
|
fi
|
||||||
|
|
||||||
|
return_code=0
|
||||||
|
fi
|
||||||
|
|
||||||
|
hook_mail "internal"
|
||||||
|
|
||||||
|
if is_interactive; then
|
||||||
|
# shellcheck disable=SC2001
|
||||||
|
echo "${summary}" | sed -e 's/\\n/\n/g'
|
||||||
|
else
|
||||||
|
/usr/share/scripts/evomaintenance.sh --auto --user autosysadmin --message "${summary}" --no-commit --no-mail
|
||||||
|
fi
|
||||||
|
|
||||||
|
teardown
|
||||||
|
|
||||||
|
# shellcheck disable=SC2086
|
||||||
|
exit ${return_code}
|
||||||
|
}
|
||||||
|
|
||||||
|
teardown() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Return true/false
|
||||||
|
is_interactive() {
|
||||||
|
test "${INTERACTIVE}" -eq "1"
|
||||||
|
}
|
||||||
|
|
||||||
|
save_server_state() {
|
||||||
|
DUMP_SERVER_STATE_BIN="$(command -v dump-server-state || command -v backup-server-state)"
|
||||||
|
|
||||||
|
if [ -z "${DUMP_SERVER_STATE_BIN}" ]; then
|
||||||
|
log_all "Warning: dump-server-state is not present. No server state recorded."
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -x "${DUMP_SERVER_STATE_BIN}" ]; then
|
||||||
|
DUMP_DIR=$(file_path_in_log_dir "server-state")
|
||||||
|
# We don't want the logging to take too much time,
|
||||||
|
# so we kill it if it takes more than 20 seconds.
|
||||||
|
timeout --signal 9 20 \
|
||||||
|
"${DUMP_SERVER_STATE_BIN}" \
|
||||||
|
--dump-dir="${DUMP_DIR}" \
|
||||||
|
--df \
|
||||||
|
--dmesg \
|
||||||
|
--iptables \
|
||||||
|
--lxc \
|
||||||
|
--netcfg \
|
||||||
|
--netstat \
|
||||||
|
--uname \
|
||||||
|
--processes \
|
||||||
|
--systemctl \
|
||||||
|
--uptime \
|
||||||
|
--virsh \
|
||||||
|
--disks \
|
||||||
|
--mysql-processes \
|
||||||
|
--no-apt-states \
|
||||||
|
--no-apt-config \
|
||||||
|
--no-dpkg-full \
|
||||||
|
--no-dpkg-status \
|
||||||
|
--no-mount \
|
||||||
|
--no-packages \
|
||||||
|
--no-sysctl \
|
||||||
|
--no-etc
|
||||||
|
|
||||||
|
log_run "Server state saved in \`server-state' directory."
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
is_debug() {
|
||||||
|
# first time: do the check…
|
||||||
|
# other times: pass
|
||||||
|
if [ -z "${DEBUG:-""}" ]; then
|
||||||
|
debug_file="/etc/evolinux/autosysadmin.debug"
|
||||||
|
|
||||||
|
if [ -e "${debug_file}" ]; then
|
||||||
|
last_change=$(stat -c %Z "${debug_file}")
|
||||||
|
limit_date=$(date --date "14400 seconds ago" +"%s")
|
||||||
|
|
||||||
|
if [ $(( last_change - limit_date )) -le "0" ]; then
|
||||||
|
log_run "Debug mode disabled; file is too old (%{last_change} seconds)."
|
||||||
|
rm "${debug_file}"
|
||||||
|
# Debug mode disabled
|
||||||
|
DEBUG="0"
|
||||||
|
else
|
||||||
|
log_run "Debug mode enabled."
|
||||||
|
# Debug mode enabled
|
||||||
|
DEBUG="1"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
# log_run "Debug mode disabled; file is absent."
|
||||||
|
# Debug mode disabled
|
||||||
|
DEBUG="0"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
# return the value
|
||||||
|
test "${DEBUG}" -eq "1"
|
||||||
|
}
|
||||||
|
|
||||||
|
# Uses the who(1) definition of "active"
|
||||||
|
currently_active_users() {
|
||||||
|
LC_ALL=C who --users | grep --extended-regexp "\s+\.\s+" | awk '{print $1}' | sort --human-numeric-sort | uniq
|
||||||
|
}
|
||||||
|
# Users active in the last 29 minutes
|
||||||
|
recently_active_users() {
|
||||||
|
LC_ALL=C who --users | grep --extended-regexp "\s+00:(0|1|2)[0-9]\s+" | awk --field-separator ' ' '{print $1,$6}'
|
||||||
|
}
|
||||||
|
# Save the list of users to a file in the log directory
|
||||||
|
save_active_users() {
|
||||||
|
LC_ALL=C who --users | save_in_log_dir "who-users"
|
||||||
|
}
|
||||||
|
|
||||||
|
# An autosysadmin must not perform actions if a user is active or was active recently.
|
||||||
|
#
|
||||||
|
# This can by bypassed in interactive mode.
|
||||||
|
# It's OK to lose this data after a reboot.
|
||||||
|
ensure_no_active_users_or_exit() {
|
||||||
|
# Save all active users
|
||||||
|
save_active_users
|
||||||
|
|
||||||
|
if is_debug; then
|
||||||
|
log_run "Debug mode enabled: continue without checking active users."
|
||||||
|
return 0;
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Is there any currently active user?
|
||||||
|
currently_active_users=$(currently_active_users)
|
||||||
|
if [ -n "${currently_active_users}" ]; then
|
||||||
|
# shellcheck disable=SC2001
|
||||||
|
users_oneliner=$(echo "${currently_active_users}" | sed -e 's/\n/ /')
|
||||||
|
log_run "Currently active users: ${users_oneliner}"
|
||||||
|
if is_interactive; then
|
||||||
|
echo "Some users are currently active:"
|
||||||
|
# shellcheck disable=SC2001
|
||||||
|
echo "${currently_active_users}" | sed -e 's/\(.\+\)/* \1/'
|
||||||
|
answer=""
|
||||||
|
while :; do
|
||||||
|
printf "> Continue? [Y,n,?] "
|
||||||
|
read -r answer
|
||||||
|
case ${answer} in
|
||||||
|
[Yy]|"" )
|
||||||
|
log_run "Active users check bypassed manually in interactive mode."
|
||||||
|
return
|
||||||
|
;;
|
||||||
|
[Nn] )
|
||||||
|
log_run "Active users check confirmed manually in interactive mode."
|
||||||
|
log_abort_and_quit "Active users detected: ${users_oneliner}"
|
||||||
|
;;
|
||||||
|
* )
|
||||||
|
printf "y - yes, continue\n"
|
||||||
|
printf "n - no, exit\n"
|
||||||
|
printf "? - print this help\n"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
else
|
||||||
|
log_abort_and_quit "Currently active users detected: ${users_oneliner}."
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
# or recently (the last 30 minutes) active user?
|
||||||
|
recently_active_users=$(recently_active_users)
|
||||||
|
if [ -n "${recently_active_users}" ]; then
|
||||||
|
# shellcheck disable=SC2001
|
||||||
|
users_oneliner=$(echo "${recently_active_users}" | sed -e 's/\n/ /')
|
||||||
|
log_run "Recently active users: ${users_oneliner}"
|
||||||
|
if is_interactive; then
|
||||||
|
echo "Some users were recently active:"
|
||||||
|
# shellcheck disable=SC2001
|
||||||
|
echo "${recently_active_users}" | sed -e 's/\(.\+\)/* \1/'
|
||||||
|
answer=""
|
||||||
|
while :; do
|
||||||
|
printf "> Continue? [Y,n,?] "
|
||||||
|
read -r answer
|
||||||
|
case ${answer} in
|
||||||
|
[Yy]|"" )
|
||||||
|
log_run "Active users check bypassed manually in interactive mode."
|
||||||
|
return
|
||||||
|
;;
|
||||||
|
[Nn] )
|
||||||
|
log_run "Active users check confirmed manually in interactive mode."
|
||||||
|
log_abort_and_quit "Recently active users detected: ${users_oneliner}."
|
||||||
|
;;
|
||||||
|
* )
|
||||||
|
printf "y - yes, continue\n"
|
||||||
|
printf "n - no, exit\n"
|
||||||
|
printf "? - print this help\n"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
else
|
||||||
|
log_abort_and_quit "Recently active users detected: ${users_oneliner}."
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# Takes an NRPE command name as 1st parameter,
|
||||||
|
# and executes the full command if found in the configuration.
|
||||||
|
# Return the result and the return code of the command.
|
||||||
|
check_nrpe() {
|
||||||
|
check="$1"
|
||||||
|
|
||||||
|
nrpe_files=""
|
||||||
|
|
||||||
|
# Check if NRPE config is found
|
||||||
|
if [ -f "/etc/nagios/nrpe.cfg" ]; then
|
||||||
|
nrpe_files="${nrpe_files} /etc/nagios/nrpe.cfg"
|
||||||
|
else
|
||||||
|
msg="NRPE configuration not found: /etc/nagios/nrpe.cfg"
|
||||||
|
log_run "${msg}"
|
||||||
|
echo "${msg}"
|
||||||
|
return 3
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Search for included files
|
||||||
|
# shellcheck disable=SC2086
|
||||||
|
while IFS= read -r include_file; do
|
||||||
|
nrpe_files="${nrpe_files} ${include_file}"
|
||||||
|
done < <(grep --extended-regexp '^\s*include=.+' ${nrpe_files} | cut -d = -f 2)
|
||||||
|
|
||||||
|
# Search for files in included directories
|
||||||
|
# shellcheck disable=SC2086
|
||||||
|
while IFS= read -r include_dir; do
|
||||||
|
nrpe_files="${nrpe_files} ${include_dir}/*.cfg"
|
||||||
|
done < <(grep --extended-regexp '^\s*include_dir=.+' ${nrpe_files} | cut -d = -f 2)
|
||||||
|
|
||||||
|
# Fetch uncommented commands in (sorted) config files
|
||||||
|
# shellcheck disable=SC2086
|
||||||
|
nrpe_commands=$(grep --no-filename --exclude=*~ --fixed-strings "[${check}]" ${nrpe_files} | grep --invert-match --extended-regexp '^\s*#\s*command' | cut -d = -f 2)
|
||||||
|
nrpe_commands_count=$(echo "${nrpe_commands}" | wc -l)
|
||||||
|
|
||||||
|
if is_debian_version "9" "<=" && [ "${nrpe_commands_count}" -gt "1" ]; then
|
||||||
|
# On Debian <= 9, NRPE loading was not sorted
|
||||||
|
# we need to raise an error if we have multiple defined commands
|
||||||
|
msg="Unable to determine which NRPE command to run"
|
||||||
|
log_run "${msg}"
|
||||||
|
echo "${msg}"
|
||||||
|
return 3
|
||||||
|
else
|
||||||
|
# On Debian > 9, use the last command
|
||||||
|
nrpe_command=$(echo "${nrpe_commands}" | tail -n 1)
|
||||||
|
|
||||||
|
nrpe_result=$(${nrpe_command})
|
||||||
|
nrpe_rc=$?
|
||||||
|
|
||||||
|
log_run "NRPE command (exited with ${nrpe_rc}): ${nrpe_command}"
|
||||||
|
log_run "${nrpe_result}"
|
||||||
|
|
||||||
|
echo "${nrpe_result}"
|
||||||
|
return "${nrpe_rc}"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# An autosysadmin script must not run twice (or more) simultaneously.
|
||||||
|
# We use a customizable (with LOCK_NAME) lock file to keep track of this.
|
||||||
|
# A wait time can be configured.
|
||||||
|
#
|
||||||
|
# This can by bypassed in interactive mode.
|
||||||
|
# It's OK to lose this data after a reboot.
|
||||||
|
acquire_lock_or_exit() {
|
||||||
|
lock_file="${1:-${LOCK_FILE}}"
|
||||||
|
lock_wait="${2:-${LOCK_WAIT}}"
|
||||||
|
|
||||||
|
# lock_wait must be compatible with sleep(1), otherwise fallback to 0
|
||||||
|
if ! echo "${lock_wait}" | grep -Eq '^[0-9]+[smhd]?$'; then
|
||||||
|
log_run "Lock wait: incorrect value '${lock_wait}', fallback to 0."
|
||||||
|
lock_wait=0
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "${lock_wait}" != "0" ] && [ -f "${lock_file}" ]; then
|
||||||
|
log_run "Lock file present. Let's wait ${lock_wait} and check again."
|
||||||
|
sleep "${lock_wait}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -f "${lock_file}" ]; then
|
||||||
|
log_abort_and_quit "Lock file still present."
|
||||||
|
else
|
||||||
|
log_run "Lock file absent. Let's put one."
|
||||||
|
touch "${lock_file}"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# If a script has been run in the ast 30 minutes, running it again won't fix the issue.
|
||||||
|
# We use a /run/ausosysadmin/${PROGNAME}_lastrun file to keep track of this.
|
||||||
|
#
|
||||||
|
# This can by bypassed in interactive mode.
|
||||||
|
# This is bypassed in debug mode.
|
||||||
|
# It's OK to lose this data after a reboot.
|
||||||
|
ensure_not_too_soon_or_exit() {
|
||||||
|
if is_debug; then
|
||||||
|
log_run "Debug mode enabled: continue without checking when was the last run."
|
||||||
|
return 0;
|
||||||
|
fi
|
||||||
|
|
||||||
|
lastrun_file="${RUN_DIR}/${PROGNAME}_lastrun"
|
||||||
|
if [ -f "${lastrun_file}" ]; then
|
||||||
|
lastrun_age="$(($(date +%s)-$(stat -c "%Y" "${lastrun_file}")))"
|
||||||
|
log_run "Last run was ${lastrun_age} seconds ago."
|
||||||
|
if [ "${lastrun_age}" -lt 1800 ]; then
|
||||||
|
if is_interactive; then
|
||||||
|
echo "${PROGNAME} was run ${lastrun_age} seconds ago."
|
||||||
|
answer=""
|
||||||
|
while :; do
|
||||||
|
printf "> Continue? [Y,n,?] "
|
||||||
|
read -r answer
|
||||||
|
case ${answer} in
|
||||||
|
[Yy]|"" )
|
||||||
|
log_run "Last run check bypassed manually in interactive mode."
|
||||||
|
break
|
||||||
|
;;
|
||||||
|
[Nn] )
|
||||||
|
log_run "Last run check confirmed manually in interactive mode."
|
||||||
|
log_abort_and_quit 'Last run too recent.'
|
||||||
|
;;
|
||||||
|
* )
|
||||||
|
printf "y - yes, continue\n"
|
||||||
|
printf "n - no, exit\n"
|
||||||
|
printf "? - print this help\n"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
else
|
||||||
|
log_abort_and_quit "Last run too recent."
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
touch "${lastrun_file}"
|
||||||
|
}
|
||||||
|
|
||||||
|
# Populate DEBIAN_VERSION and DEBIAN_RELEASE variables
|
||||||
|
# based on gathered information about the operating system
|
||||||
|
detect_os() {
|
||||||
|
DEBIAN_RELEASE="unknown"
|
||||||
|
DEBIAN_VERSION="unknown"
|
||||||
|
LSB_RELEASE_BIN="$(command -v lsb_release)"
|
||||||
|
|
||||||
|
if [ -e /etc/debian_version ]; then
|
||||||
|
DEBIAN_VERSION="$(cut -d "." -f 1 < /etc/debian_version)"
|
||||||
|
if [ -x "${LSB_RELEASE_BIN}" ]; then
|
||||||
|
DEBIAN_RELEASE="$("${LSB_RELEASE_BIN}" --codename --short)"
|
||||||
|
else
|
||||||
|
case "${DEBIAN_VERSION}" in
|
||||||
|
7) DEBIAN_RELEASE="wheezy" ;;
|
||||||
|
8) DEBIAN_RELEASE="jessie" ;;
|
||||||
|
9) DEBIAN_RELEASE="stretch" ;;
|
||||||
|
10) DEBIAN_RELEASE="buster" ;;
|
||||||
|
11) DEBIAN_RELEASE="bullseye" ;;
|
||||||
|
12) DEBIAN_RELEASE="bookworm" ;;
|
||||||
|
13) DEBIAN_RELEASE="trixie" ;;
|
||||||
|
esac
|
||||||
|
fi
|
||||||
|
# log_run "Detected OS: Debian version=${DEBIAN_VERSION} release=${DEBIAN_RELEASE}"
|
||||||
|
# else
|
||||||
|
# log_run "Detected OS: unknown (missing /etc/debian_version)"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
is_debian_wheezy() {
|
||||||
|
test "${DEBIAN_RELEASE}" = "wheezy"
|
||||||
|
}
|
||||||
|
is_debian_jessie() {
|
||||||
|
test "${DEBIAN_RELEASE}" = "jessie"
|
||||||
|
}
|
||||||
|
is_debian_stretch() {
|
||||||
|
test "${DEBIAN_RELEASE}" = "stretch"
|
||||||
|
}
|
||||||
|
is_debian_buster() {
|
||||||
|
test "${DEBIAN_RELEASE}" = "buster"
|
||||||
|
}
|
||||||
|
is_debian_bullseye() {
|
||||||
|
test "${DEBIAN_RELEASE}" = "bullseye"
|
||||||
|
}
|
||||||
|
is_debian_bookworm() {
|
||||||
|
test "${DEBIAN_RELEASE}" = "bookworm"
|
||||||
|
}
|
||||||
|
is_debian_trixie() {
|
||||||
|
test "${DEBIAN_RELEASE}" = "trixie"
|
||||||
|
}
|
||||||
|
is_debian_version() {
|
||||||
|
local version=$1
|
||||||
|
local relation=${2:-"eq"}
|
||||||
|
|
||||||
|
if [ -z "${DEBIAN_VERSION:-""}" ]; then
|
||||||
|
detect_os
|
||||||
|
fi
|
||||||
|
|
||||||
|
dpkg --compare-versions "${DEBIAN_VERSION}" "${relation}" "${version}"
|
||||||
|
}
|
||||||
|
|
||||||
|
# List systemd services (only names), even if stopped
|
||||||
|
systemd_list_services() {
|
||||||
|
pattern=$1
|
||||||
|
|
||||||
|
systemctl list-units --all --no-legend --type=service "${pattern}" | grep --only-matching --extended-regexp '\S+\.service'
|
||||||
|
}
|
||||||
|
|
||||||
|
is_systemd_enabled() {
|
||||||
|
systemctl --quiet is-enabled "$1" 2> /dev/null
|
||||||
|
}
|
||||||
|
|
||||||
|
is_systemd_active() {
|
||||||
|
systemctl --quiet is-active "$1" 2> /dev/null
|
||||||
|
}
|
||||||
|
|
||||||
|
is_sysvinit_enabled() {
|
||||||
|
find /etc/rc2.d/ -name "$1" > /dev/null
|
||||||
|
}
|
||||||
|
|
||||||
|
get_fqdn() {
|
||||||
|
# shellcheck disable=SC2155
|
||||||
|
local system=$(uname -s)
|
||||||
|
|
||||||
|
if [ "${system}" = "Linux" ]; then
|
||||||
|
hostname --fqdn
|
||||||
|
elif [ "${system}" = "OpenBSD" ]; then
|
||||||
|
hostname
|
||||||
|
else
|
||||||
|
log_abort_and_quit "System '${system}' not recognized."
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
get_complete_hostname() {
|
||||||
|
REAL_HOSTNAME="$(get_fqdn)"
|
||||||
|
if [ "${HOSTNAME}" = "${REAL_HOSTNAME}" ]; then
|
||||||
|
echo "${HOSTNAME}"
|
||||||
|
else
|
||||||
|
echo "${HOSTNAME} (${REAL_HOSTNAME})"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
# Fetch values from evomaintenance configuration
|
||||||
|
get_evomaintenance_mail() {
|
||||||
|
grep "EVOMAINTMAIL=" /etc/evomaintenance.cf | cut -d '=' -f2
|
||||||
|
}
|
||||||
|
get_evomaintenance_emergency_mail() {
|
||||||
|
grep "URGENCYFROM=" /etc/evomaintenance.cf | cut -d '=' -f2
|
||||||
|
}
|
||||||
|
get_evomaintenance_emergency_tel() {
|
||||||
|
grep "URGENCYTEL=" /etc/evomaintenance.cf | cut -d '=' -f2
|
||||||
|
}
|
||||||
|
|
||||||
|
# Log a message to the log file in the log directory
|
||||||
|
log_run() {
|
||||||
|
local msg="${1:-$(cat /dev/stdin)}"
|
||||||
|
# shellcheck disable=SC2155
|
||||||
|
local date=$(/bin/date +"${DATE_FORMAT}")
|
||||||
|
|
||||||
|
printf "[%s] %s[%s]: %s\\n" \
|
||||||
|
"${date}" "${PROGNAME}" "${PID}" "${msg}" \
|
||||||
|
>> "${RUN_LOG_FILE}"
|
||||||
|
}
|
||||||
|
# Log a message in the system log file (syslog or journald)
|
||||||
|
log_global() {
|
||||||
|
local msg="${1:-$(cat /dev/stdin)}"
|
||||||
|
|
||||||
|
echo "${msg}" \
|
||||||
|
| /usr/bin/logger -p local0.notice -t autosysadmin
|
||||||
|
}
|
||||||
|
# Log a message in both places
|
||||||
|
log_all() {
|
||||||
|
local msg="${1:-$(cat /dev/stdin)}"
|
||||||
|
|
||||||
|
log_global "${msg}"
|
||||||
|
log_run "${msg}"
|
||||||
|
}
|
||||||
|
# Log a notable action in regular places
|
||||||
|
# and append it to the dedicated list
|
||||||
|
log_action() {
|
||||||
|
log_all "$*"
|
||||||
|
append_action "$*"
|
||||||
|
}
|
||||||
|
# Append a line in the actions.log file in the log directory
|
||||||
|
append_action() {
|
||||||
|
echo "$*" >> "${ACTIONS_FILE}"
|
||||||
|
}
|
||||||
|
# Print the content of the actions.log file
|
||||||
|
# or a fallback content (1st parameter) if empty
|
||||||
|
# shellcheck disable=SC2120
|
||||||
|
print_actions() {
|
||||||
|
local fallback=${1:-""}
|
||||||
|
if [ -s "${ACTIONS_FILE}" ]; then
|
||||||
|
cat "${ACTIONS_FILE}"
|
||||||
|
elif [ -n "${fallback}" ]; then
|
||||||
|
echo "${fallback}"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# Log a an abort reason in regular places
|
||||||
|
# and append it to the dedicated list
|
||||||
|
log_abort() {
|
||||||
|
log_all "$*"
|
||||||
|
append_abort_reason "$*"
|
||||||
|
}
|
||||||
|
# Append a line in the abort.log file in the log directory
|
||||||
|
append_abort_reason() {
|
||||||
|
echo "$*" >> "${ABORT_FILE}"
|
||||||
|
}
|
||||||
|
# Print the content of the abort.log file
|
||||||
|
# or a fallback content (1st parameter) if empty
|
||||||
|
# shellcheck disable=SC2120
|
||||||
|
print_abort_reasons() {
|
||||||
|
local fallback=${1:-""}
|
||||||
|
if [ -s "${ABORT_FILE}" ]; then
|
||||||
|
cat "${ABORT_FILE}"
|
||||||
|
elif [ -n "${fallback}" ]; then
|
||||||
|
echo "${fallback}"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
# Print the content of the main log from the log directory
|
||||||
|
print_main_log() {
|
||||||
|
cat "${RUN_LOG_FILE}"
|
||||||
|
}
|
||||||
|
# Log an abort reason and quit the script
|
||||||
|
log_abort_and_quit() {
|
||||||
|
log_abort "$*"
|
||||||
|
quit
|
||||||
|
}
|
||||||
|
|
||||||
|
# Store the content from standard inpu
|
||||||
|
# into a file in the log directory named after the 1st parameter
|
||||||
|
save_in_log_dir() {
|
||||||
|
local file_name=$1
|
||||||
|
local file_path="${RUN_LOG_DIR}/${file_name}"
|
||||||
|
|
||||||
|
cat /dev/stdin > "${file_path}"
|
||||||
|
|
||||||
|
log_run "Saved \`${file_name}' file."
|
||||||
|
}
|
||||||
|
# Return the full path of the file in log directory
|
||||||
|
# based on the name in the 1st parameter
|
||||||
|
file_path_in_log_dir() {
|
||||||
|
echo "${RUN_LOG_DIR}/${1}"
|
||||||
|
}
|
||||||
|
|
||||||
|
format_mail_success() {
|
||||||
|
cat <<EOTEMPLATE
|
||||||
|
From: AutoSysadmin Evolix <${EMAIL_FROM}>
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
X-Script: ${PROGNAME}
|
||||||
|
X-RunId: ${RUN_ID}
|
||||||
|
To: ${EMAIL_CLIENT:-alert5@evolix.fr}
|
||||||
|
Cc: ${EMAIL_INTERNAL}
|
||||||
|
Subject: [autosysadmin] Intervention automatisée sur ${HOSTNAME_TEXT}
|
||||||
|
|
||||||
|
Bonjour,
|
||||||
|
|
||||||
|
Une intervention automatisée vient de se terminer.
|
||||||
|
|
||||||
|
Nom du serveur : ${HOSTNAME_TEXT}
|
||||||
|
Heure d'intervention : $(LC_ALL=fr_FR.utf8 date)
|
||||||
|
Script déclenché : ${PROGNAME}
|
||||||
|
|
||||||
|
### Actions réalisées
|
||||||
|
|
||||||
|
$(print_actions "Aucune")
|
||||||
|
|
||||||
|
### Réagir à cette intervention
|
||||||
|
|
||||||
|
Vous pouvez répondre à ce message (${EMAIL_FROM}).
|
||||||
|
|
||||||
|
En cas d'urgence, utilisez l'adresse ${EMERGENCY_MAIL}
|
||||||
|
ou notre ligne d'astreinte (${EMERGENCY_TEL})
|
||||||
|
|
||||||
|
--
|
||||||
|
Votre AutoSysadmin
|
||||||
|
EOTEMPLATE
|
||||||
|
}
|
||||||
|
|
||||||
|
format_mail_abort() {
|
||||||
|
cat <<EOTEMPLATE
|
||||||
|
From: AutoSysadmin Evolix <${EMAIL_FROM}>
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
X-Script: ${PROGNAME}
|
||||||
|
X-RunId: ${RUN_ID}
|
||||||
|
To: ${EMAIL_CLIENT:-alert5@evolix.fr}
|
||||||
|
Cc: ${EMAIL_INTERNAL}
|
||||||
|
Subject: [autosysadmin] Intervention automatisée interrompue sur ${HOSTNAME_TEXT}
|
||||||
|
|
||||||
|
Bonjour,
|
||||||
|
|
||||||
|
Une intervention automatisée a été déclenchée mais s'est interrompue.
|
||||||
|
|
||||||
|
Nom du serveur : ${HOSTNAME_TEXT}
|
||||||
|
Heure d'intervention : $(LC_ALL=fr_FR.utf8 date)
|
||||||
|
Script déclenché : ${PROGNAME}
|
||||||
|
|
||||||
|
### Actions réalisées
|
||||||
|
|
||||||
|
$(print_actions "Aucune")
|
||||||
|
|
||||||
|
### Raison(s) de l'interruption
|
||||||
|
|
||||||
|
$(print_abort_reasons "Inconnue")
|
||||||
|
|
||||||
|
### Réagir à cette intervention
|
||||||
|
|
||||||
|
Vous pouvez répondre à ce message (${EMAIL_FROM}).
|
||||||
|
|
||||||
|
En cas d'urgence, utilisez l'adresse ${EMERGENCY_MAIL}
|
||||||
|
ou notre ligne d'astreinte (${EMERGENCY_TEL})
|
||||||
|
|
||||||
|
--
|
||||||
|
Votre AutoSysadmin
|
||||||
|
EOTEMPLATE
|
||||||
|
}
|
||||||
|
|
||||||
|
# shellcheck disable=SC2028
|
||||||
|
print_report_information() {
|
||||||
|
echo "**Uptime**"
|
||||||
|
echo ""
|
||||||
|
uptime
|
||||||
|
|
||||||
|
echo ""
|
||||||
|
echo "**Utilisateurs récents**"
|
||||||
|
echo ""
|
||||||
|
who_file=$(file_path_in_log_dir "who-users")
|
||||||
|
if [ -s "${who_file}" ]; then
|
||||||
|
cat "${who_file}"
|
||||||
|
else
|
||||||
|
who --users
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo ""
|
||||||
|
echo "**Espace disque**"
|
||||||
|
echo ""
|
||||||
|
df_file=$(file_path_in_log_dir "server-state/df.txt")
|
||||||
|
if [ -s "${df_file}" ]; then
|
||||||
|
cat "${df_file}"
|
||||||
|
else
|
||||||
|
df -h
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo ""
|
||||||
|
echo "**Dmesg**"
|
||||||
|
echo ""
|
||||||
|
dmesg_file=$(file_path_in_log_dir "server-state/dmesg.txt")
|
||||||
|
if [ -s "${dmesg_file}" ]; then
|
||||||
|
tail -n 5 "${dmesg_file}"
|
||||||
|
else
|
||||||
|
dmesg | tail -n 5
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo ""
|
||||||
|
echo "**systemd failed services**"
|
||||||
|
echo ""
|
||||||
|
failed_services_file=$(file_path_in_log_dir "server-state/systemctl-failed-services.txt")
|
||||||
|
if [ -s "${failed_services_file}" ]; then
|
||||||
|
cat "${failed_services_file}"
|
||||||
|
else
|
||||||
|
systemctl --no-legend --state=failed --type=service
|
||||||
|
fi
|
||||||
|
|
||||||
|
if command -v lxc-ls > /dev/null 2>&1; then
|
||||||
|
echo ""
|
||||||
|
echo "**LXC containers**"
|
||||||
|
echo ""
|
||||||
|
lxc_ls_file=$(file_path_in_log_dir "server-state/lxc-list.txt")
|
||||||
|
if [ -s "${lxc_ls_file}" ]; then
|
||||||
|
cat "${lxc_ls_file}"
|
||||||
|
else
|
||||||
|
lxc-ls --fancy
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
apache_errors_file=$(file_path_in_log_dir "apache-errors.log")
|
||||||
|
if [ -f "${apache_errors_file}" ]; then
|
||||||
|
echo ""
|
||||||
|
echo "**Apache errors**"
|
||||||
|
echo ""
|
||||||
|
cat "${apache_errors_file}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
nginx_errors_file=$(file_path_in_log_dir "nginx-errors.log")
|
||||||
|
if [ -f "${nginx_errors_file}" ]; then
|
||||||
|
echo ""
|
||||||
|
echo "**Nginx errors**"
|
||||||
|
echo ""
|
||||||
|
cat "${nginx_errors_file}"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
format_mail_internal() {
|
||||||
|
cat <<EOTEMPLATE
|
||||||
|
From: AutoSysadmin Evolix <${EMAIL_FROM}>
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
X-Script: ${PROGNAME}
|
||||||
|
X-RunId: ${RUN_ID}
|
||||||
|
To: ${EMAIL_INTERNAL}
|
||||||
|
Subject: [autosysadmin] Rapport interne d'intervention sur ${HOSTNAME_TEXT}
|
||||||
|
|
||||||
|
Bonjour,
|
||||||
|
|
||||||
|
Une intervention automatique vient de se terminer.
|
||||||
|
|
||||||
|
Nom du serveur : ${HOSTNAME_TEXT}
|
||||||
|
Heure d'intervention : $(LC_ALL=fr_FR.utf8 date)
|
||||||
|
Script déclenché : ${PROGNAME}
|
||||||
|
|
||||||
|
### Actions réalisées
|
||||||
|
|
||||||
|
$(print_actions "Aucune")
|
||||||
|
|
||||||
|
### Raison(s) de l'interruption
|
||||||
|
|
||||||
|
$(print_abort_reasons "Aucune")
|
||||||
|
|
||||||
|
### Log autosysadmin
|
||||||
|
|
||||||
|
$(print_main_log)
|
||||||
|
|
||||||
|
### Informations additionnelles
|
||||||
|
|
||||||
|
$(print_report_information)
|
||||||
|
|
||||||
|
--
|
||||||
|
Votre AutoSysadmin
|
||||||
|
EOTEMPLATE
|
||||||
|
}
|
||||||
|
|
||||||
|
# Generic function to send emails at the end of the script.
|
||||||
|
# Takes a template as 1st parameter
|
||||||
|
hook_mail() {
|
||||||
|
if is_debug; then
|
||||||
|
log_run "Debug mode enabled: continue without sending mail."
|
||||||
|
return 0;
|
||||||
|
fi
|
||||||
|
|
||||||
|
HOSTNAME="${HOSTNAME:-"$(get_fqdn)"}"
|
||||||
|
HOSTNAME_TEXT="$(get_complete_hostname)"
|
||||||
|
EMAIL_CLIENT="$(get_evomaintenance_mail)"
|
||||||
|
EMERGENCY_MAIL="$(get_evomaintenance_emergency_mail)"
|
||||||
|
EMERGENCY_TEL="$(get_evomaintenance_emergency_tel)"
|
||||||
|
|
||||||
|
MAIL_CONTENT="$(format_mail_"$1")"
|
||||||
|
|
||||||
|
SENDMAIL_BIN="$(command -v sendmail)"
|
||||||
|
|
||||||
|
if [ -z "${SENDMAIL_BIN}" ]; then
|
||||||
|
log_global "ERROR: No \`sendmail' command has been found, can't send mail."
|
||||||
|
fi
|
||||||
|
if [ -x "${SENDMAIL_BIN}" ]; then
|
||||||
|
echo "${MAIL_CONTENT}" | "${SENDMAIL_BIN}" -oi -t -f "equipe@evolix.fr"
|
||||||
|
log_global "Sent '$1' mail for RUN_ID: ${RUN_ID}"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
is_holiday() {
|
||||||
|
# gcal mark today as a holiday by surrounding with < and > the day
|
||||||
|
# of the month of that holiday line. For example if today is 2022-05-01 we'll
|
||||||
|
# get among other lines:
|
||||||
|
# Fête du Travail (FR) + Di, < 1>Mai 2022
|
||||||
|
# Jour de la Victoire (FR) + Di, : 8:Mai 2022 = +7 jours
|
||||||
|
LANGUAGE=fr_FR.UTF-8 TZ=Europe/Paris gcal --cc-holidays=fr --holiday-list=short | grep -E '<[0-9 ]{2}>' --quiet
|
||||||
|
}
|
||||||
|
|
||||||
|
is_weekend() {
|
||||||
|
day_of_week=$(date +%u)
|
||||||
|
if [ "${day_of_week}" != 6 ] && [ "${day_of_week}" != 7 ]; then
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
is_workday() {
|
||||||
|
if is_holiday || is_weekend; then
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
is_worktime() {
|
||||||
|
if ! is_workday; then
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
hour=$(date +%H)
|
||||||
|
if [ "${hour}" -lt 9 ] || { [ "${hour}" -ge 12 ] && [ "${hour}" -lt 14 ] ; } || [ "${hour}" -ge 18 ]; then
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
}
|
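--- /dev/null
+++ b/autosysadmin-agent/files/upstream/lib/repair.sh
@@ -0,0 +1,112 @@
+#!/bin/bash
+
+# Specific functions for "repair" scripts
+
+is_all_repair_disabled() {
+# Fetch values from the config
+# and if it is not defined or has no value, then assign "on"
+
+local status=${repair_all:=on}
+
+
+test "${status}" = "off" || test "${status}" = "0"
+}
+
+is_current_repair_disabled() {
+# Fetch values from the config
+# and if it is not defined or has no value, then assign "on"
+
+local status=${!PROGNAME:=on}
+
+test "${status}" = "off" || test "${status}" = "0"
+}
+
+ensure_not_disabled_or_exit() {
+if is_all_repair_disabled; then
+log_global 'All repair scripts are disabled.'
+exit 0
+fi
+if is_current_repair_disabled; then
+log_global "Current repair script (${PROGNAME}) is disabled."
+exit 0
+fi
+}
+
+# Set of actions to do at the begining of a "repair" script
+pre_repair() {
+initialize
+
+# Are we supposed to run?
+ensure_not_disabled_or_exit
+
+# Has it recently been run?
+ensure_not_too_soon_or_exit
+
+# Can we acquire a lock?
+acquire_lock_or_exit
+
+# Is there any active user?
+ensure_no_active_users_or_exit
+
+# Save important information
+save_server_state
+}
+
+# Set of actions to do at the end of a "repair" script
+post_repair() {
+quit
+}
+
+repair_lxc_php() {
+container_name=$1
+
+if is_systemd_enabled 'lxc.service'; then
+lxc_path=$(lxc-config lxc.lxcpath)
+if lxc-info --name "${container_name}" > /dev/null; then
+rootfs="${lxc_path}/${container_name}/rootfs"
+case "${container_name}" in
+php56) fpm_log_file="${rootfs}/var/log/php5-fpm.log" ;;
+php70) fpm_log_file="${rootfs}/var/log/php7.0-fpm.log" ;;
+php73) fpm_log_file="${rootfs}/var/log/php7.3-fpm.log" ;;
+php74) fpm_log_file="${rootfs}/var/log/php7.4-fpm.log" ;;
+php80) fpm_log_file="${rootfs}/var/log/php8.0-fpm.log" ;;
+php81) fpm_log_file="${rootfs}/var/log/php8.1-fpm.log" ;;
+php82) fpm_log_file="${rootfs}/var/log/php8.2-fpm.log" ;;
+php83) fpm_log_file="${rootfs}/var/log/php8.3-fpm.log" ;;
+*)
+log_abort_and_quit "Unknown container '${container_name}'"
+;;
+esac
+
+# Determine FPM Pool path
+php_path_pool=$(find "${lxc_path}/${container_name}/" -type d -name "pool.d")
+
+# Save LXC info (before restart)
+lxc-info --name "${container_name}" | save_in_log_dir "lxc-${container_name}.before.status"
+# Save last lines of FPM log (before restart)
+tail "${fpm_log_file}" | save_in_log_dir "$(basename "${fpm_log_file}" | sed -e 's/.log/.before.log/')"
+# Save NRPE check (before restart)
+/usr/local/lib/nagios/plugins/check_phpfpm_multi "${php_path_pool}" | save_in_log_dir "check_fpm_${container_name}.before.out"
+
+lxc-stop --timeout 20 --name "${container_name}"
+lxc-start --daemon --name "${container_name}"
+rc=$?
+if [ "${rc}" -eq "0" ]; then
+log_action "Restart LXC container '${container_name}: OK"
+else
+log_action "Restart LXC container '${container_name}: failed"
+fi
+
+# Save LXC info (after restart)
+lxc-info --name "${container_name}" | save_in_log_dir "lxc-${container_name}.after.status"
+# Save last lines of FPM log (after restart)
+tail "${fpm_log_file}" | save_in_log_dir "$(basename "${fpm_log_file}" | sed -e 's/.log/.after.log/')"
+# Save NRPE check (after restart)
+/usr/local/lib/nagios/plugins/check_phpfpm_multi "${php_path_pool}" | save_in_log_dir "check_fpm_${container_name}.after.out"
+else
+log_abort_and_quit "LXC container '${container_name}' doesn't exist."
+fi
+else
+log_abort_and_quit 'LXC not found.'
+fi
+}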
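Review bot: In repair_lxc_php, `rc=$?` captures only the exit status of lxc-start, so a container that did not stop within the 20 s timeout is still reported as "Restart LXC container ...: OK"; chain the two commands so either failure is recorded, `if lxc-stop --timeout 20 --name "${container_name}" && lxc-start --daemon --name "${container_name}"; then`. Both log_action messages also open a single quote before `${container_name}` that is never closed, so the action log reads `'php74: OK`. Separately, `php_path_pool=$(find ... -name "pool.d")` may yield several paths, one per line, which are then passed as one argument to check_phpfpm_multi; `-print -quit` or an explicit single-result check would make the before/after NRPE capture reliable.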
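--- /dev/null
+++ b/autosysadmin-agent/files/upstream/lib/restart.sh
@@ -0,0 +1,76 @@
+#!/bin/bash
+
+# Specific functions for "restart" scripts
+
+running_custom() {
+# Placeholder that returns 1, to prevent running if not redefined
+log_global "running_custom() function has not been redefined! Let's quit."
+return 1
+}
+
+# Examine RUNNING variable and decide if the script should run or not
+is_supposed_to_run() {
+if is_debug; then return 0; fi
+
+case ${RUNNING} in
+never)
+# log_global "is_supposed_to_run: no (never)"
+return 1
+;;
+always)
+# log_global "is_supposed_to_run: yes (always)"
+return 0
+;;
+nwh-fr)
+! is_worktime
+rc=$?
+# if [ ${rc} -eq 0 ]; then
+# log_global "is_supposed_to_run: yes (nwh-fr returned ${rc})"
+# else
+# log_global "is_supposed_to_run: no (nwh-fr returned ${rc})"
+# fi
+return ${rc}
+;;
+nwh-ca)
+# Not implemented yet
+return 0
+;;
+custom)
+running_custom
+rc=$?
+# if [ ${rc} -eq 0 ]; then
+# log_global "is_supposed_to_run: yes (custom returned ${rc})"
+# else
+# log_global "is_supposed_to_run: no (custom returned ${rc})"
+# fi
+return ${rc}
+;;
+esac
+}
+
+ensure_supposed_to_run_or_exit() {
+if ! is_supposed_to_run; then
+# simply quit (no logging, no notifications…)
+# log_global "${PROGNAME} is not supposed to run (RUNNING=${RUNNING})."
+exit 0
+fi
+}
+
+# Set of actions to do at the begining of a "restart" script
+pre_restart() {
+initialize
+
+# Has it recently been run?
+ensure_not_too_soon_or_exit
+
+# Can we acquire a lock?
+acquire_lock_or_exit
+
+# Save important information
+save_server_state
+}
+
+# Set of actions to do at the end of a "restart" script
+post_restart() {
+quit
+}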
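Review bot: `is_supposed_to_run` has no default arm, so an unset or misspelled `RUNNING` falls out of the `case` with status 0 and the restart proceeds; the gate should fail closed with `*) log_global "Unknown RUNNING value '${RUNNING}', not running."; return 1 ;;`. The `nwh-ca` arm has the same fail-open shape: it is marked "Not implemented yet" yet returns 0, so any host configured with it restarts at any hour. If that is intended as a temporary default, a `log_global` line in that arm would at least leave a trace in the run log.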
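--- /dev/null
+++ b/autosysadmin-agent/files/upstream/repair/repair_disk
@@ -0,0 +1,157 @@
+#!/bin/bash
+
+: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
+source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
+source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
+
+pre_repair
+
+
+# We always keep some reserved blocks to avoid missing some logs
+# https://gitea.evolix.org/evolix/autosysadmin/issues/22
+RESERVED_BLOCKS_MIN=1
+
+get_mountpoints() {
+# the $(...) get the check_disk1 command
+# the cut command selects the critical part of the check_disk1 output
+# the grep command extracts the mountpoints and available disk space
+# the last cut command selects the mountpoints
+check_disk1_command=$(grep check_disk1 /etc/nagios/nrpe.d/evolix.cfg | cut -d'=' -f2-)
+
+${check_disk1_command} -e | cut -d'|' -f1 | grep --extended-regexp --only-matching '/[[:graph:]]* [0-9]+ [A-Z][A-Z]' | cut -d' ' -f1
+}
+
+is_reserved_blocks_nominal() {
+partition=${1}
+
+fs_type="$(findmnt -n --output=fstype "${partition}")"
+if [ "${fs_type}" = "ext4" ]; then
+device="$(findmnt -n --output=source "${partition}")"
+reserved_block_count="$(tune2fs -l "${device}" | grep 'Reserved block count' | awk -F':' '{ gsub (" ", "", $0); print $2}')"
+block_count="$(tune2fs -l "${device}" | grep 'Block count' | awk -F':' '{ gsub (" ", "", $0); print $2}')"
+percentage=$(awk "BEGIN { pc=100*${reserved_block_count}/${block_count}; i=int(pc); print (pc-i<0.5)?i:i+1 }")
+
+log_run "Reserved blocks for ${partition} is currently at ${percentage}%"
+if [ "${percentage}" -gt "${RESERVED_BLOCKS_MIN}" ]; then
+log_run "Allowing tune2fs action to reduce the number of reserved blocks"
+return 0
+else
+log_run "Reserved blocks already at or bellow ${RESERVED_BLOCKS_MIN}%, no automatic action possible"
+return 1
+fi
+else
+log_run "Filesystem for ${partition} (${fs_type}) is incompatible with reserved block reduction."
+return 1
+fi
+}
+
+reduce_reserved_blocks() {
+partition=${1}
+
+device=$(findmnt -n --output=source "${partition}")
+tune2fs -m "${RESERVED_BLOCKS_MIN}" "${device}"
+log_action "Reserved blocks for ${partition} changed to ${RESERVED_BLOCKS_MIN} percent"
+}
+
+is_tmp_to_delete() {
+size="$(find /var/log/ -type f -ctime +1 -exec du {} \+ | awk '{s+=$1}END{print s / 1024}')"
+if [ -n "${size}" ]; then
+return 0
+else
+return 1
+fi
+}
+
+is_log_to_delete() {
+size="$(find /var/log/ -type f -mtime +365 -exec du {} \+ | awk '{s+=$1}END{print s / 1024}')"
+if [ -n "${size}" ]; then
+return 0
+else
+return 1
+fi
+}
+
+clean_apt_cache() {
+for container in $(lxc-ls -1); do
+if [ -e "$(lxc-config lxc.lxcpath)/${container}/rootfs/var/cache" ]; then
+lxc-attach --name "${container}" -- apt-get clean
+log_action "Clean apt cache in LXC container ${container}";
+fi
+done
+
+# NOTE: "head -n 1" might be superfluous, but let's be sure to have only the first returned value
+biggest_subdir=$(du --summarize --one-file-system "/var/*" | sort --numeric-sort --reverse | sed 's/^[0-9]\+[[:space:]]\+//;q' | head -n 1)
+case "${biggest_subdir}" in
+'/var/cache')
+apt-get clean
+log_action 'Clean apt cache'
+;;
+esac
+}
+
+clean_amavis_virusmails() {
+if du --inodes /var/lib/* | sort --numeric-sort | tail -n 3 | grep --quiet 'virusmails$'; then
+find /var/lib/amavis/virusmails/ -type f -atime +30 -delete
+log_action 'Clean amavis infected mails'
+fi
+}
+
+critical_mountpoints=$(get_mountpoints)
+
+if [ -z "${critical_mountpoints}" ]; then
+log_abort_and_quit "No partition is in critical state, nothing left to do."
+else
+for mountpoint in ${critical_mountpoints}; do
+case "${mountpoint}" in
+/var)
+#if is_log_to_delete
+#then
+# find /var/log/ -type f -mtime +365 -delete
+# log_action "$size Mo of disk space freed in /var"
+#fi
+if is_reserved_blocks_nominal /var; then
+reduce_reserved_blocks /var
+clean_apt_cache
+clean_amavis_virusmails
+fi
+;;
+/tmp)
+#if is_tmp_to_delete
+#then
+# find /tmp/ -type f -ctime +1 -delete
+# log_action "$size Mo of disk space freed in /tmp"
+#fi
+if is_reserved_blocks_nominal /tmp; then
+reduce_reserved_blocks /tmp
+fi
+;;
+/home)
+if is_reserved_blocks_nominal /home; then
+reduce_reserved_blocks /home
+fi
+;;
+/srv)
+if is_reserved_blocks_nominal /srv; then
+reduce_reserved_blocks /srv
+fi
+;;
+/filer)
+if is_reserved_blocks_nominal /filer; then
+reduce_reserved_blocks /filer
+fi
+;;
+/)
+if is_reserved_blocks_nominal /; then
+reduce_reserved_blocks /
+# Suggest remove old kernel ?
+fi
+;;
+*)
+# unknown
+log_run 'Unknown partition (or weird case) or nothing to do'
+;;
+esac
+done
+fi
+
+post_repair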
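Review bot: In `clean_apt_cache` the glob is quoted, `du --summarize --one-file-system "/var/*"`, so du receives the literal path `/var/*`, fails, `biggest_subdir` is always empty and the `'/var/cache')` arm can never run; drop the quotes: `du --summarize --one-file-system /var/*`. In `is_reserved_blocks_nominal` the values of `reserved_block_count` and `block_count` are interpolated into the awk program unchecked, so an empty result (tune2fs failing on the device findmnt returned) yields an awk error or a division by zero and then `[ "" -gt 1 ]` errors out; guard with `if [ -z "${block_count}" ] || [ "${block_count}" -eq 0 ]; then log_run "Cannot read block counts for ${partition}"; return 1; fi` before computing the percentage. In `get_mountpoints`, `grep check_disk1` matches any line containing that substring, including a commented-out definition, and the concatenated result is then executed unquoted as the command; anchoring the pattern on the full `command[check_disk1]=` key keeps it to the one intended line.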
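--- /dev/null
+++ b/autosysadmin-agent/files/upstream/repair/repair_elasticsearch
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
+source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
+source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
+
+pre_repair
+
+service="elasticsearch.service"
+service_name="elasticsearch"
+
+if is_systemd_enabled "${service}"; then
+if is_systemd_active "${service}"; then
+log_abort_and_quit "${service} is active, nothing left to do."
+else
+# Save service status before restart
+systemctl status "${service}" | save_in_log_dir "${service_name}.before.status"
+
+# Try to restart
+timeout 20 systemctl restart "${service}" > /dev/null
+rc=$?
+if [ "${rc}" -eq "0" ]; then
+log_action "Restart ${service_name}: OK"
+else
+log_action "Restart ${service_name}: failed"
+fi
+
+# Save service status after restart
+systemctl status "${service}" | save_in_log_dir "${service_name}.after.status"
+fi
+else
+log_abort_and_quit "${service} is disabled (or missing), nothing left to do."
+fi
+
+post_repair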
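Review bot: The value of `rc` is dropped after the OK/failed decision, so the action log cannot tell a unit that failed to start from a `timeout` kill (exit status 124), and in the latter case the restart job is still running inside systemd when the "after" status is captured; include the code in the failure line, `log_action "Restart ${service_name}: failed (rc=${rc})"`. The same restart block, with the same discarded code, appears in repair_http, repair_mysql and repair_opendkim. Because `timeout` only kills the systemctl client, a `systemctl is-active "${service}"` check after the restart would make the logged outcome reflect the unit's real end state rather than the client's.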
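--- /dev/null
+++ b/autosysadmin-agent/files/upstream/repair/repair_http
@@ -0,0 +1,131 @@
+#!/bin/bash
+
+: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
+source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
+source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
+
+pre_repair
+
+## Apache
+
+service="apache2.service"
+service_name="apache2"
+
+if is_systemd_enabled "${service}"; then
+if is_systemd_active "${service}"; then
+log_all "${service} is active. Skip."
+else
+# Save service status before restart
+systemctl status "${service}" | save_in_log_dir "${service_name}.before.status"
+
+# check syntax
+if apache2ctl -t > /dev/null 2>&1; then
+# Try to restart
+timeout 20 systemctl restart "${service}" > /dev/null
+rc=$?
+if [ "${rc}" -eq "0" ]; then
+log_action "Restart ${service_name}: OK"
+else
+log_action "Restart ${service_name}: failed"
+fi
+
+# Save service status after restart
+systemctl status "${service}" | save_in_log_dir "${service_name}.after.status"
+
+# Save error logs
+date=$(LANG=en_US.UTF-8 date '+%b %d')
+grep "${date}" /home/*/log/error.log /var/log/apache2/*error.log \
+| grep -v \
+-e "Got error 'PHP message:" \
+-e "No matching DirectoryIndex" \
+-e "client denied by server configuration" \
+-e "server certificate does NOT include an ID which matches the server name" \
+| save_in_log_dir "apache-errors.log"
+else
+log_action "Restart ${service_name}: skip (invalid configuration)"
+fi
+fi
+else
+log_all "${service} is disabled (or missing). Skip."
+fi
+
+## Nginx
+
+service="nginx.service"
+service_name="nginx"
+
+if is_systemd_enabled "${service}"; then
+if is_systemd_active "${service}"; then
+log_all "${service} is active. Skip."
+else
+# Save service status before restart
+systemctl status "${service}" | save_in_log_dir "${service_name}.before.status"
+
+# check syntax
+if nginx -t > /dev/null 2>&1; then
+# Try to restart
+timeout 20 systemctl restart "${service}" > /dev/null
+rc=$?
+if [ "${rc}" -eq "0" ]; then
+log_action "Restart ${service_name}: OK"
+else
+log_action "Restart ${service_name}: failed"
+fi
+
+# Save service status after restart
+systemctl status "${service}" | save_in_log_dir "${service_name}.after.status"
+
+# Save error logs
+### Consider doing for Nginx the same as Apache
+else
+log_action "Restart ${service_name}: skip (invalid configuration)"
+fi
+fi
+else
+log_all "${service} is disabled (or missing). Skip."
+fi
+
+## LXC
+
+if is_systemd_enabled 'lxc.service'; then
+for container in $(lxc-ls -1 | grep --fixed-strings 'php' | grep --extended-regexp --invert-match --regexp '\bold\b' --regexp '\bdisabled\b'); do
+repair_lxc_php "${container}"
+done
+else
+log_all "LXC is disabled (or missing). Skip."
+fi
+
+## FPM
+
+fpm_services=$(systemd_list_services 'php*-fpm*')
+if [ -n "${fpm_services}" ]; then
+for service in ${fpm_services}; do
+service_name="${service//.service/}"
+if is_systemd_enabled "${service}"; then
+if is_systemd_active "${service}"; then
+log_all "${service} is active. Skip."
+else
+# Save service status before restart
+systemctl status "${service}" | save_in_log_dir "${service_name}.before.status"
+
+# Try to restart
+timeout 20 systemctl restart "${service}" > /dev/null
+rc=$?
+if [ "${rc}" -eq "0" ]; then
+log_action "Restart ${service_name}: OK"
+else
+log_action "Restart ${service_name}: failed"
+fi
+
+# Save service status after restart
+systemctl status "${service}" | save_in_log_dir "${service_name}.after.status"
+fi
+else
+log_all "${service} is disabled (or missing). Skip."
+fi
+done
+else
+log_all "PHP FPM not found. Skip."
+fi
+
+post_repair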
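Review bot: The Apache error-log capture greps every `/home/*/log/error.log` and `/var/log/apache2/*error.log` for today's date with no size bound, and `apache-errors.log` is later embedded verbatim in the internal report mail by print_report_information, so one noisy vhost (whose log content is written by the site, not by the operator) can turn the report into a very large message; bound it with `| tail -n 200 \` placed before `| save_in_log_dir "apache-errors.log"`. `grep "${date}"` treats the date as a basic regex and a failing grep (unreadable log, no match) silently becomes an empty file; `grep -F` and `2>/dev/null` would make both behaviours explicit. The Nginx "Save error logs" block is a comment only, so the `nginx-errors.log` that print_report_information looks for is never produced by this script.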
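--- /dev/null
+++ b/autosysadmin-agent/files/upstream/repair/repair_mysql
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
+source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
+source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
+
+pre_repair
+
+if is_debian_version "8" "<="; then
+
+if is_sysvinit_enabled '*mysql*'; then
+if ! pgrep -u mysql mysqld > /dev/null; then
+
+# Save service status before restart
+timeout 2 mysqladmin status 2>&1 | save_in_log_dir "mysql.before.status"
+
+timeout 20 /etc/init.d/mysql restart > /dev/null
+rc=$?
+if [ "${rc}" -eq "0" ]; then
+log_action "Restart mysql: OK"
+else
+log_action "Restart mysql: failed"
+fi
+
+# Save service status after restart
+timeout 2 mysqladmin status 2>&1 | save_in_log_dir "mysql.after.status"
+else
+log_abort_and_quit "mysqld process alive. Aborting"
+fi
+else
+log_abort_and_quit "MySQL not enabled. Aborting"
+fi
+
+else
+
+if is_debian_version "12" ">="; then
+service="mariadb.service"
+service_name="mariadb"
+else
+service="mysql.service"
+service_name="mysql"
+fi
+
+if is_systemd_enabled "${service}"; then
+if is_systemd_active "${service}"; then
+log_abort_and_quit "${service} is active, nothing left to do."
+else
+# Save service status before restart
+systemctl status "${service}" | save_in_log_dir "${service_name}.before.status"
+
+# Try to restart
+timeout 20 systemctl restart "${service}" > /dev/null
+rc=$?
+if [ "${rc}" -eq "0" ]; then
+log_action "Restart ${service_name}: OK"
+else
+log_action "Restart ${service_name}: failed"
+fi
+
+# Save service status after restart
+systemctl status "${service}" | save_in_log_dir "${service_name}.after.status"
+fi
+else
+log_abort_and_quit "${service} is disabled (or missing), nothing left to do."
+fi
+
+fi
+
+post_repair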
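--- /dev/null
+++ b/autosysadmin-agent/files/upstream/repair/repair_opendkim
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
+source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
+source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
+
+pre_repair
+
+service="opendkim.service"
+service_name="opendkim"
+
+if is_systemd_enabled "${service}"; then
+if is_systemd_active "${service}"; then
+log_abort_and_quit "${service} is active, nothing left to do."
+else
+# Save service status before restart
+systemctl status "${service}" | save_in_log_dir "${service_name}.before.status"
+
+# Try to restart
+timeout 20 systemctl restart "${service}" > /dev/null
+rc=$?
+if [ "${rc}" -eq "0" ]; then
+log_action "Restart ${service_name}: OK"
+else
+log_action "Restart ${service_name}: failed"
+fi
+
+# Save service status after restart
+systemctl status "${service}" | save_in_log_dir "${service_name}.after.status"
+fi
+else
+log_abort_and_quit "${service} is disabled (or missing). Abort."
+fi
+
+post_repair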
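--- /dev/null
+++ b/autosysadmin-agent/files/upstream/repair/repair_php_fpm56
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
+source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
+source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
+
+LOCK_WAIT="15s"
+LOCK_NAME="repair_http"
+
+pre_repair
+
+repair_lxc_php php56
+
+post_repair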
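--- /dev/null
+++ b/autosysadmin-agent/files/upstream/repair/repair_php_fpm70
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
+source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
+source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
+
+LOCK_WAIT="15s"
+LOCK_NAME="repair_http"
+
+pre_repair
+
+repair_lxc_php php70
+
+post_repair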
14
autosysadmin-agent/files/upstream/repair/repair_php_fpm73
Executable file
14
autosysadmin-agent/files/upstream/repair/repair_php_fpm73
Executable file
|
@ -0,0 +1,14 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
|
||||||
|
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
|
||||||
|
source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
|
||||||
|
|
||||||
|
LOCK_WAIT="15s"
|
||||||
|
LOCK_NAME="repair_http"
|
||||||
|
|
||||||
|
pre_repair
|
||||||
|
|
||||||
|
repair_lxc_php php73
|
||||||
|
|
||||||
|
post_repair
|
14
autosysadmin-agent/files/upstream/repair/repair_php_fpm74
Executable file
14
autosysadmin-agent/files/upstream/repair/repair_php_fpm74
Executable file
|
@ -0,0 +1,14 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
|
||||||
|
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
|
||||||
|
source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
|
||||||
|
|
||||||
|
LOCK_WAIT="15s"
|
||||||
|
LOCK_NAME="repair_http"
|
||||||
|
|
||||||
|
pre_repair
|
||||||
|
|
||||||
|
repair_lxc_php php74
|
||||||
|
|
||||||
|
post_repair
|
14
autosysadmin-agent/files/upstream/repair/repair_php_fpm80
Executable file
14
autosysadmin-agent/files/upstream/repair/repair_php_fpm80
Executable file
|
@ -0,0 +1,14 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
|
||||||
|
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
|
||||||
|
source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
|
||||||
|
|
||||||
|
LOCK_WAIT="15s"
|
||||||
|
LOCK_NAME="repair_http"
|
||||||
|
|
||||||
|
pre_repair
|
||||||
|
|
||||||
|
repair_lxc_php php80
|
||||||
|
|
||||||
|
post_repair
|
14
autosysadmin-agent/files/upstream/repair/repair_php_fpm81
Executable file
14
autosysadmin-agent/files/upstream/repair/repair_php_fpm81
Executable file
|
@ -0,0 +1,14 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
|
||||||
|
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
|
||||||
|
source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
|
||||||
|
|
||||||
|
LOCK_WAIT="15s"
|
||||||
|
LOCK_NAME="repair_http"
|
||||||
|
|
||||||
|
pre_repair
|
||||||
|
|
||||||
|
repair_lxc_php php81
|
||||||
|
|
||||||
|
post_repair
|
14
autosysadmin-agent/files/upstream/repair/repair_php_fpm82
Executable file
14
autosysadmin-agent/files/upstream/repair/repair_php_fpm82
Executable file
|
@ -0,0 +1,14 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
|
||||||
|
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
|
||||||
|
source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
|
||||||
|
|
||||||
|
LOCK_WAIT="15s"
|
||||||
|
LOCK_NAME="repair_http"
|
||||||
|
|
||||||
|
pre_repair
|
||||||
|
|
||||||
|
repair_lxc_php php82
|
||||||
|
|
||||||
|
post_repair
|
14
autosysadmin-agent/files/upstream/repair/repair_php_fpm83
Executable file
14
autosysadmin-agent/files/upstream/repair/repair_php_fpm83
Executable file
|
@ -0,0 +1,14 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
|
||||||
|
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
|
||||||
|
source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
|
||||||
|
|
||||||
|
LOCK_WAIT="15s"
|
||||||
|
LOCK_NAME="repair_http"
|
||||||
|
|
||||||
|
pre_repair
|
||||||
|
|
||||||
|
repair_lxc_php php83
|
||||||
|
|
||||||
|
post_repair
|
32
autosysadmin-agent/files/upstream/repair/repair_redis
Executable file
32
autosysadmin-agent/files/upstream/repair/repair_redis
Executable file
|
@ -0,0 +1,32 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
|
||||||
|
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
|
||||||
|
source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
|
||||||
|
|
||||||
|
pre_repair
|
||||||
|
|
||||||
|
for service in $(systemd_list_services 'redis-server*'); do
|
||||||
|
service_name="${service//.service/}"
|
||||||
|
|
||||||
|
if is_systemd_active "${service}"; then
|
||||||
|
log_all "${service} is active. Skip."
|
||||||
|
else
|
||||||
|
# Save service status before restart
|
||||||
|
systemctl status "${service}" | save_in_log_dir "${service_name}.before.status"
|
||||||
|
|
||||||
|
# Try to restart
|
||||||
|
timeout 20 systemctl restart "${service}" > /dev/null
|
||||||
|
rc=$?
|
||||||
|
if [ "${rc}" -eq "0" ]; then
|
||||||
|
log_action "Restart ${service_name}: OK."
|
||||||
|
else
|
||||||
|
log_action "Restart ${service_name}: failed."
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Save service status after restart
|
||||||
|
systemctl status "${service}" | save_in_log_dir "${service_name}.after.status"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
post_repair
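Review bot: The `else` branch of the `is_systemd_active` test restarts every matching unit that is not active, including units that are disabled or masked on purpose, whereas the other repair scripts in this series and zzz-repair_example.template check `is_systemd_enabled` before restarting. A guard at the top of the loop body keeps the behaviour consistent: `if ! is_systemd_enabled "${service}"; then log_all "${service} is disabled (or missing). Skip."; continue; fi`. The unquoted `$(systemd_list_services 'redis-server*')` relies on unit names containing no whitespace, which holds for systemd unit names but deserves a one-line comment.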
|
34
autosysadmin-agent/files/upstream/repair/repair_tomcat_instance
Executable file
34
autosysadmin-agent/files/upstream/repair/repair_tomcat_instance
Executable file
|
@ -0,0 +1,34 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
|
||||||
|
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
|
||||||
|
source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
|
||||||
|
|
||||||
|
pre_repair
|
||||||
|
|
||||||
|
repair_tomcat_instance_handle_tomcat() {
|
||||||
|
|
||||||
|
if /bin/su - "${1}" -c "/bin/systemctl --quiet --user is-active tomcat.service" ; then
|
||||||
|
if ! /bin/su - "${1}" -c "/usr/bin/timeout 20 /bin/systemctl --quiet --user restart tomcat.service"
|
||||||
|
then
|
||||||
|
log_abort_and_quit "Echec de redémarrage instance tomcat utilisateur ${1}"
|
||||||
|
else
|
||||||
|
log_action "Redémarrage instance tomcat utilisateur ${1}"
|
||||||
|
fi
|
||||||
|
elif /bin/systemctl --quiet is-active "${1}".service ; then
|
||||||
|
if ! /usr/bin/timeout 20 systemctl --quiet restart "${1}".service
|
||||||
|
then
|
||||||
|
log_abort_and_quit "Echec de redémarrage instance tomcat ${1}"
|
||||||
|
else
|
||||||
|
log_action "Redémarrage instance tomcat ${1}"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
for instance in $( /usr/local/lib/nagios/plugins/check_tomcat_instance.sh |grep CRITICAL |awk '{print $3}' |sed '1d') ;
|
||||||
|
do
|
||||||
|
repair_tomcat_instance_handle_tomcat "${instance}"
|
||||||
|
done
|
||||||
|
|
||||||
|
post_repair
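Review bot: `repair_tomcat_instance_handle_tomcat` passes `${1}` straight to `/bin/su - "${1}"` and to `"${1}".service`, and `${1}` is whatever field 3 of the CRITICAL lines of check_tomcat_instance.sh happens to be; a guard before it is used as a login name and a unit name keeps a malformed plugin line from switching to an unintended account, e.g. `case "${1}" in ""|*[!A-Za-z0-9_.-]*) log_all "Invalid tomcat instance name, skip."; return 1;; esac`. `log_abort_and_quit` inside the function also ends the whole run on the first failed restart, so the remaining instances in the list are never attempted; `log_action` followed by `return 1` would let the loop continue (what abort does exactly is defined in repair.sh, not visible here). The `sed '1d'` in the `for` list drops the first CRITICAL match without saying why, which is worth a comment.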
|
41
autosysadmin-agent/files/upstream/repair/zzz-repair_example.template
Executable file
41
autosysadmin-agent/files/upstream/repair/zzz-repair_example.template
Executable file
|
@ -0,0 +1,41 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
|
||||||
|
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
|
||||||
|
source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
|
||||||
|
|
||||||
|
## Custom lock wait and/or lock name
|
||||||
|
# LOCK_WAIT="15s"
|
||||||
|
# LOCK_NAME="repair_http"
|
||||||
|
|
||||||
|
pre_repair
|
||||||
|
|
||||||
|
## The name of the service, mainly for logging
|
||||||
|
service_name="example"
|
||||||
|
## The systemd service name
|
||||||
|
systemd_service="${service_name}.service"
|
||||||
|
|
||||||
|
if is_systemd_enabled "${systemd_service}"; then
|
||||||
|
if is_systemd_active "${systemd_service}"; then
|
||||||
|
log_abort_and_quit "${systemd_service} is active, nothing left to do."
|
||||||
|
else
|
||||||
|
# Save service status before restart
|
||||||
|
systemctl status "${systemd_service}" | save_in_log_dir "${service_name}.before.status"
|
||||||
|
|
||||||
|
# Try to restart
|
||||||
|
timeout 20 systemctl restart "${systemd_service}" > /dev/null
|
||||||
|
rc=$?
|
||||||
|
if [ "${rc}" -eq "0" ]; then
|
||||||
|
log_action "Restart ${service_name}: OK"
|
||||||
|
else
|
||||||
|
log_action "Restart ${service_name}: failed"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Save service status after restart
|
||||||
|
systemctl status "${systemd_service}" | save_in_log_dir "${service_name}.after.status"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
log_abort_and_quit "${service_name} is disabled (or missing), nothing left to do."
|
||||||
|
fi
|
||||||
|
|
||||||
|
post_repair
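Review bot: The `rc` test after `timeout 20 systemctl restart` logs exit status 124 (the timeout) as a plain "failed", so a hung restart is indistinguishable in the log from a unit that refused to start; since this file is the template every new repair script starts from, telling the two apart here propagates to all of them, e.g. `elif [ "${rc}" -eq 124 ]; then log_action "Restart ${service_name}: timed out"` before the `else`. The abort message for a disabled unit says "nothing left to do" while repair_opendkim says "Abort." for the same condition; a single wording would make the logs easier to grep.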
|
19
autosysadmin-agent/files/upstream/restart/README
Normal file
19
autosysadmin-agent/files/upstream/restart/README
Normal file
|
@ -0,0 +1,19 @@
|
||||||
|
Autosysadmin "restart auto" scripts
|
||||||
|
===================================
|
||||||
|
|
||||||
|
In this directory you can place scripts that will be executed automatically by a cron job (stored in `/etc/cron.d/autosysadmin`).
|
||||||
|
|
||||||
|
They must satisfy the default `run-parts(8)` constraints :
|
||||||
|
|
||||||
|
* be "executable"
|
||||||
|
* belong to the Debian cron script namespace (`^[a-zA-Z0-9_-]+$`), example: `restart_amavis`
|
||||||
|
|
||||||
|
Warning: scripts that do not satisfy those criteria will NOT be run (silently)!
|
||||||
|
|
||||||
|
You can print the names of the scripts which would be run, without actually running them, with this command :
|
||||||
|
|
||||||
|
```
|
||||||
|
$ run-parts --test /usr/share/scripts/autosysadmin/restart
|
||||||
|
```
|
||||||
|
|
||||||
|
You can use `zzz-restart_example.template` as boilerplate code to make your own "restart" script.
|
|
@ -0,0 +1,120 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
|
||||||
|
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
|
||||||
|
source "${AUTOSYSADMIN_LIB}/restart.sh" || exit 1
|
||||||
|
|
||||||
|
# shellcheck disable=SC2034
|
||||||
|
RUNNING="nwh-fr"
|
||||||
|
|
||||||
|
## Possible values for RUNNING :
|
||||||
|
## never => disabled
|
||||||
|
## always => enabled
|
||||||
|
## nwh-fr => enabled during non-working-hours in France
|
||||||
|
## nwh-ca => enabled during non-working-hours in Canada (not supported yet)
|
||||||
|
## custom => enabled if `running_custom()` function returns 0, otherwise disabled.
|
||||||
|
|
||||||
|
## Uncomment and customize this method if you want to have a special logic :
|
||||||
|
##
|
||||||
|
## return 1 if we should not run
|
||||||
|
## return 0 if we should run
|
||||||
|
##
|
||||||
|
## Some available functions :
|
||||||
|
## is_weekend() : Saturday or Sunday
|
||||||
|
## is_holiday() : holiday in France (based on `gcal(1)`)
|
||||||
|
## is_workday() : not weekend and not holiday
|
||||||
|
## is_worktime() : work day between 9-12h and 14-18h
|
||||||
|
#
|
||||||
|
# running_custom() {
|
||||||
|
# # implement your own custom method to decide if we should run or not
|
||||||
|
# }
|
||||||
|
|
||||||
|
## The name of the service, mainly for logging
|
||||||
|
service_name="example"
|
||||||
|
## The SysVinit script name
|
||||||
|
sysvinit_script="${service_name}"
|
||||||
|
## The systemd service name
|
||||||
|
systemd_service="${service_name}.service"
|
||||||
|
|
||||||
|
is_service_alive() {
|
||||||
|
## this must return 0 if the service is alive, otherwise return 1
|
||||||
|
## Example:
|
||||||
|
pgrep -u USER PROCESS_NAME > /dev/null
|
||||||
|
}
|
||||||
|
|
||||||
|
## Action for SysVinit system
|
||||||
|
sysvinit_action() {
|
||||||
|
# Save service status before restart
|
||||||
|
timeout 2 "/etc/init.d/${sysvinit_script}" status | save_in_log_dir "${service_name}.before.status"
|
||||||
|
|
||||||
|
# Try to restart
|
||||||
|
timeout 20 "/etc/init.d/${sysvinit_script}" restart > /dev/null
|
||||||
|
rc=$?
|
||||||
|
if [ "${rc}" -eq "0" ]; then
|
||||||
|
log_action "Restart ${service_name}: OK"
|
||||||
|
else
|
||||||
|
log_action "Restart ${service_name}: failed"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Save service status after restart
|
||||||
|
timeout 2 "/etc/init.d/${sysvinit_script}" status | save_in_log_dir "${service_name}.after.status"
|
||||||
|
}
|
||||||
|
|
||||||
|
## Action for systemd system
|
||||||
|
systemd_action() {
|
||||||
|
# Save service status before restart
|
||||||
|
systemctl status "${systemd_service}" | save_in_log_dir "${service_name}.before.status"
|
||||||
|
|
||||||
|
# Try to restart
|
||||||
|
# systemctl (only for NRPE ?) sometimes returns 0 even if the service has failed to start
|
||||||
|
# so we check the status explicitly
|
||||||
|
timeout 20 systemctl restart "${systemd_service}" > /dev/null \
|
||||||
|
&& sleep 1 \
|
||||||
|
&& systemctl status "${systemd_service}" > /dev/null
|
||||||
|
rc=$?
|
||||||
|
if [ "${rc}" -eq "0" ]; then
|
||||||
|
log_action "Restart ${service_name}: OK"
|
||||||
|
else
|
||||||
|
log_action "Restart ${service_name}: failed"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Save service status after restart
|
||||||
|
systemctl status "${systemd_service}" | save_in_log_dir "${service_name}.after.status"
|
||||||
|
}
|
||||||
|
|
||||||
|
# Should we run?
|
||||||
|
if ! is_supposed_to_run; then
|
||||||
|
# log_global "${PROGNAME} is not supposed to run (RUNNING=${RUNNING})."
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
if is_service_alive; then
|
||||||
|
# log_global "${service_name} process alive. Aborting"
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Yes we do, so check for sysvinit or systemd
|
||||||
|
if is_debian_version "8" "<="; then
|
||||||
|
if ! is_sysvinit_enabled "*${sysvinit_script}*"; then
|
||||||
|
# log_global "${service_name} not enabled. Aborting"
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Let's finally do the action
|
||||||
|
pre_restart
|
||||||
|
sysvinit_action
|
||||||
|
post_restart
|
||||||
|
else
|
||||||
|
if ! is_systemd_enabled "${systemd_service}"; then
|
||||||
|
# log_global "${service_name} is disabled (or missing), nothing left to do."
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
if is_systemd_active "${systemd_service}"; then
|
||||||
|
# log_global "${service_name} is active, nothing left to do."
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Let's finally do the action
|
||||||
|
pre_restart
|
||||||
|
systemd_action
|
||||||
|
post_restart
|
||||||
|
fi
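Review bot: `is_sysvinit_enabled "*${sysvinit_script}*"` wraps the script name in wildcards, so with a short `service_name` the enabled check can match an unrelated rc link whose name merely contains that string and then go on to `sysvinit_action`; if is_sysvinit_enabled (defined in a library not in this view) takes a glob, the template should pass the exact name, `is_sysvinit_enabled "${sysvinit_script}"`, or a comment should explain why the wildcards are needed. The comment `# systemctl (only for NRPE ?) sometimes returns 0 even if the service has failed to start` in `systemd_action` reads as copied from restart_nrpe; in a generic template a neutral `# systemctl restart can return 0 before the unit is actually up, so check the status explicitly` avoids confusing readers. The file header of this hunk is not in view, so the file name is inferred from the README above it.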
|
16
autosysadmin-agent/handlers/main.yml
Normal file
16
autosysadmin-agent/handlers/main.yml
Normal file
|
@ -0,0 +1,16 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: restart nagios-nrpe-server
|
||||||
|
service:
|
||||||
|
name: nagios-nrpe-server
|
||||||
|
state: restarted
|
||||||
|
|
||||||
|
- name: restart nrpe
|
||||||
|
service:
|
||||||
|
name: nrpe
|
||||||
|
state: restarted
|
||||||
|
|
||||||
|
- name: restart rsyslog
|
||||||
|
service:
|
||||||
|
name: rsyslog
|
||||||
|
state: restarted
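Review bot: The three handlers use the short `service:` module name while every task in this role uses the `ansible.builtin.` FQCN; `ansible.builtin.service:` keeps the role consistent and avoids collection resolution surprises. The `restart nrpe` handler targets a unit named `nrpe` that nothing visible in this change notifies (nrpe.yml notifies `restart nagios-nrpe-server`), so it may be dead code; if it is kept for another platform, a comment saying which one would help.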
|
25
autosysadmin-agent/tasks/crontab.yml
Normal file
25
autosysadmin-agent/tasks/crontab.yml
Normal file
|
@ -0,0 +1,25 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: "Add begin marker if missing"
|
||||||
|
ansible.builtin.lineinfile:
|
||||||
|
path: "/etc/cron.d/autosysadmin"
|
||||||
|
line: "# BEGIN ANSIBLE MANAGED SECTION FOR AUTOSYSADMIN"
|
||||||
|
insertbefore: BOF
|
||||||
|
create: yes
|
||||||
|
|
||||||
|
- name: "Add end marker if missing"
|
||||||
|
ansible.builtin.lineinfile:
|
||||||
|
path: "/etc/cron.d/autosysadmin"
|
||||||
|
line: "# END ANSIBLE MANAGED SECTION FOR AUTOSYSADMIN"
|
||||||
|
insertbefore: "EOF"
|
||||||
|
create: yes
|
||||||
|
|
||||||
|
- name: "Create config if missing"
|
||||||
|
ansible.builtin.blockinfile:
|
||||||
|
path: "/etc/cron.d/autosysadmin"
|
||||||
|
marker: "# {mark} ANSIBLE MANAGED SECTION FOR AUTOSYSADMIN"
|
||||||
|
block: "{{ lookup('ansible.builtin.template', '../templates/autosysadmin.cron.j2') }}"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0750"
|
||||||
|
create: yes
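Review bot: `mode: "0750"` on `/etc/cron.d/autosysadmin` gives a crontab fragment an execute bit it does not need; cron only requires the file to be root-owned and not group/world writable, and the other files in that directory are conventionally `0644`, so `mode: "0644"` is the expected value. The two `lineinfile` tasks with `create: yes` create the file before `blockinfile` sets owner, group and mode, so on a first run the file briefly exists with umask-derived permissions; adding `owner: root`, `group: root` and the same `mode` to both lineinfile tasks closes that window.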
|
4
autosysadmin-agent/tasks/dependencies.yml
Normal file
4
autosysadmin-agent/tasks/dependencies.yml
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
---
|
||||||
|
- name: Install gcal
|
||||||
|
ansible.builtin.apt:
|
||||||
|
name: gcal
|
114
autosysadmin-agent/tasks/install.yml
Normal file
114
autosysadmin-agent/tasks/install.yml
Normal file
|
@ -0,0 +1,114 @@
|
||||||
|
---
|
||||||
|
- name: "Remount /usr if needed"
|
||||||
|
ansible.builtin.include_role:
|
||||||
|
name: remount-usr
|
||||||
|
|
||||||
|
- name: Previous autosysadmin restart directory is renamed
|
||||||
|
command:
|
||||||
|
cmd: mv "/usr/share/scripts/autosysadmin/auto" "{{ autosysadmin_agent_auto_dir }}"
|
||||||
|
removes: "/usr/share/scripts/autosysadmin/auto"
|
||||||
|
creates: "{{ autosysadmin_agent_auto_dir }}"
|
||||||
|
|
||||||
|
- name: Create autosysadmin directories
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: "{{ item }}"
|
||||||
|
state: directory
|
||||||
|
owner: "root"
|
||||||
|
group: "root"
|
||||||
|
mode: "0750"
|
||||||
|
loop:
|
||||||
|
- "{{ autosysadmin_agent_bin_dir }}"
|
||||||
|
- "{{ autosysadmin_agent_lib_dir }}"
|
||||||
|
- "{{ autosysadmin_agent_auto_dir }}"
|
||||||
|
|
||||||
|
- name: Copy libraries
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: "upstream/lib/"
|
||||||
|
dest: "{{ autosysadmin_agent_lib_dir }}/"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0750"
|
||||||
|
|
||||||
|
- name: Copy repair scripts
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: "upstream/repair/"
|
||||||
|
dest: "{{ autosysadmin_agent_bin_dir }}/"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0750"
|
||||||
|
|
||||||
|
- name: Copy other utilities
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: "upstream/bin/"
|
||||||
|
dest: "{{ autosysadmin_agent_bin_dir }}/"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0750"
|
||||||
|
|
||||||
|
### WARNING: thos files are explicitly marked as non-executable
|
||||||
|
### to prevent them from being run automatically by run-parts
|
||||||
|
|
||||||
|
- name: Copy restart scripts
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: "upstream/restart/"
|
||||||
|
dest: "{{ autosysadmin_agent_auto_dir }}/"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0640"
|
||||||
|
|
||||||
|
- name: Ensure /etc/evolinux folder exists
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: "/etc/evolinux"
|
||||||
|
state: directory
|
||||||
|
owner: "root"
|
||||||
|
group: "root"
|
||||||
|
mode: "0700"
|
||||||
|
|
||||||
|
- name: Copy the configuration file if missing
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: "autosysadmin.cf.j2"
|
||||||
|
dest: "/etc/evolinux/autosysadmin"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0640"
|
||||||
|
force: no
|
||||||
|
|
||||||
|
# Repair scripts are supposed to be 'on' by default
|
||||||
|
# A line "repair_XXX=off" is added to the file only if the script is to be disabled.
|
||||||
|
# That's why all the ternary logic for the state is reversed.
|
||||||
|
- name: Update value per variable
|
||||||
|
ansible.builtin.lineinfile:
|
||||||
|
dest: "/etc/evolinux/autosysadmin"
|
||||||
|
line: "{{ item }}={{ autosysadmin_config[item] | default(true) | bool | ternary('on', 'off') }}"
|
||||||
|
regexp: '^(#\s*)?{{ item }}=.*'
|
||||||
|
state: "{{ autosysadmin_config[item] | default(true) | bool | ternary('absent', 'present') }}"
|
||||||
|
register: _line
|
||||||
|
loop: "{{ autosysadmin_repair_scripts | union(['repair_all']) }}"
|
||||||
|
|
||||||
|
- name: Ensure restart folder exists
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: "auto"
|
||||||
|
state: directory
|
||||||
|
owner: "root"
|
||||||
|
group: "root"
|
||||||
|
mode: "0700"
|
||||||
|
|
||||||
|
- name: Legacy scripts are removed
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: "{{ general_scripts_dir }}/autosysadmin/{{ item }}"
|
||||||
|
state: absent
|
||||||
|
loop:
|
||||||
|
- repair_amavis.sh
|
||||||
|
- repair_disk.sh
|
||||||
|
- repair_elasticsearch.sh
|
||||||
|
- repair_http.sh
|
||||||
|
- repair_mysql.sh
|
||||||
|
- repair_opendkim.sh
|
||||||
|
- repair_php_fpm56.sh
|
||||||
|
- repair_php_fpm70.sh
|
||||||
|
- repair_php_fpm73.sh
|
||||||
|
- repair_php_fpm74.sh
|
||||||
|
- repair_php_fpm80.sh
|
||||||
|
- repair_php_fpm81.sh
|
||||||
|
- repair_redis.sh
|
||||||
|
- repair_tomcat_instance.sh
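Review bot: The `Ensure restart folder exists` task uses `path: "auto"`, a relative path, so it creates a directory named `auto` under whatever the working directory of the remote session is (typically the login user's home) rather than in the autosysadmin tree; `{{ autosysadmin_agent_auto_dir }}` is already created by `Create autosysadmin directories` with mode `0750`, so this task is either a leftover to delete or should use that variable, and one of the two modes (`0750` here vs `0700` there) should win. `register: _line` on `Update value per variable` is not consumed by anything visible and can go. The comment `### WARNING: thos files are explicitly marked as non-executable` has a typo, `those`.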
|
8
autosysadmin-agent/tasks/logrotate.yml
Normal file
8
autosysadmin-agent/tasks/logrotate.yml
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
---
|
||||||
|
- name: Copy logrotate configuration for autosysadmin
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: "files/autosysadmin.logrotate.conf"
|
||||||
|
dest: "/etc/logrotate.d/autosysadmin"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0644"
|
31
autosysadmin-agent/tasks/main.yml
Normal file
31
autosysadmin-agent/tasks/main.yml
Normal file
|
@ -0,0 +1,31 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: The list of all repair scripts is composed.
|
||||||
|
set_fact:
|
||||||
|
autosysadmin_repair_scripts: "{{ lookup('ansible.builtin.fileglob', '../../../autosysadmin/agent/repair/repair_*', wantlist=True) | map('basename') | sort }}"
|
||||||
|
|
||||||
|
- name: Install dependencies
|
||||||
|
ansible.builtin.include_tasks: dependencies.yml
|
||||||
|
|
||||||
|
- name: Install autosysadmin
|
||||||
|
ansible.builtin.include_tasks: install.yml
|
||||||
|
|
||||||
|
- name: Crontab configuration
|
||||||
|
ansible.builtin.include_tasks: crontab.yml
|
||||||
|
|
||||||
|
- name: NRPE configuration
|
||||||
|
ansible.builtin.include_tasks: nrpe.yml
|
||||||
|
|
||||||
|
- name: sudo configuration
|
||||||
|
ansible.builtin.include_tasks: sudo.yml
|
||||||
|
|
||||||
|
- name: rsyslog configuration
|
||||||
|
ansible.builtin.include_tasks: rsyslog.yml
|
||||||
|
|
||||||
|
- name: logrotate configuration
|
||||||
|
ansible.builtin.include_tasks: logrotate.yml
|
||||||
|
|
||||||
|
- name: Install latest version of dump-server-state
|
||||||
|
ansible.builtin.include_role:
|
||||||
|
name: evolinux-base
|
||||||
|
tasks_from: dump-server-state.yml
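Review bot: The `fileglob` over `../../../autosysadmin/agent/repair/repair_*` that builds `autosysadmin_repair_scripts` is repeated verbatim inside autosysadmin.nrpe.cfg.j2 and autosysadmin.sudoers.j2, so the sudo grants and the NRPE commands can drift from the fact computed here; the templates could loop over `autosysadmin_repair_scripts` instead. The glob also points at a sibling checkout of the autosysadmin project while the scripts actually installed come from this role's `upstream/repair/` (install.yml), so if the two trees differ the sudo and NRPE entries may reference scripts that are not on the host or miss some; a comment stating that the two directories must be kept in sync, or a single source for both, would make that explicit. `set_fact:` is the only non-FQCN module name in the file; `ansible.builtin.set_fact:` matches the rest.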
|
9
autosysadmin-agent/tasks/nrpe.yml
Normal file
9
autosysadmin-agent/tasks/nrpe.yml
Normal file
|
@ -0,0 +1,9 @@
|
||||||
|
---
|
||||||
|
- name: custom configuration is present
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: autosysadmin.nrpe.cfg.j2
|
||||||
|
dest: /etc/nagios/nrpe.d/autosysadmin.cfg
|
||||||
|
group: nagios
|
||||||
|
mode: "0640"
|
||||||
|
force: yes
|
||||||
|
notify: restart nagios-nrpe-server
|
9
autosysadmin-agent/tasks/rsyslog.yml
Normal file
9
autosysadmin-agent/tasks/rsyslog.yml
Normal file
|
@ -0,0 +1,9 @@
|
||||||
|
---
|
||||||
|
- name: Copy rsyslog configuration for autosysadmin
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: "files/autosysadmin.rsyslog.conf"
|
||||||
|
dest: "/etc/rsyslog.d/autosysadmin.conf"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0644"
|
||||||
|
notify: restart rsyslog
|
7
autosysadmin-agent/tasks/sudo.yml
Normal file
7
autosysadmin-agent/tasks/sudo.yml
Normal file
|
@ -0,0 +1,7 @@
|
||||||
|
---
|
||||||
|
- name: Add autosysadmin sudoers file
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: autosysadmin.sudoers.j2
|
||||||
|
dest: /etc/sudoers.d/autosysadmin
|
||||||
|
mode: "0600"
|
||||||
|
validate: "visudo -cf %s"
|
12
autosysadmin-agent/templates/autosysadmin.cf.j2
Normal file
12
autosysadmin-agent/templates/autosysadmin.cf.j2
Normal file
|
@ -0,0 +1,12 @@
|
||||||
|
# This configuration is partially managed by Ansible
|
||||||
|
# You can change specific values manually, but they may be overridden by Ansible
|
||||||
|
#
|
||||||
|
# To be safe, update the hosts_vars/group_vars in the autosysadmin project
|
||||||
|
# https://gitea.evolix.org/evolix/autosysadmin/src/branch/master
|
||||||
|
# then use the "agent" playbook to deploy.
|
||||||
|
#
|
||||||
|
# Configuration for autosysadmin
|
||||||
|
# Use this file to change configuration values defined in repair scripts
|
||||||
|
# To disable all repair scripts : repair_all=off
|
||||||
|
# To disable "repair_http" : repair_http=off
|
||||||
|
#
|
7
autosysadmin-agent/templates/autosysadmin.cron.j2
Normal file
7
autosysadmin-agent/templates/autosysadmin.cron.j2
Normal file
|
@ -0,0 +1,7 @@
|
||||||
|
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
|
||||||
|
|
||||||
|
# Run each enabled script
|
||||||
|
*/5 * * * * root run-parts /usr/share/scripts/autosysadmin/restart
|
||||||
|
|
||||||
|
# Clean run log files
|
||||||
|
@weekly root {{ autosysadmin_agent_bin_dir | mandatory }}/delete_old_logs.sh {{ autosysadmin_agent_log_retention_days | default('365') }}
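Review bot: The run-parts entry hard-codes `/usr/share/scripts/autosysadmin/restart` while the logrotate line below and install.yml use `autosysadmin_agent_bin_dir` / `autosysadmin_agent_auto_dir`; if the restart directory is relocated through the variable the cron job keeps pointing at the old path, so `*/5 * * * * root run-parts {{ autosysadmin_agent_auto_dir | mandatory }}` keeps them aligned (assuming that variable is the restart directory, which its use in install.yml suggests but the role defaults are not in view). A comment noting that scripts in that directory are installed non-executable on purpose and must be made executable to opt in (install.yml says so) would help whoever reads the crontab.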
|
8
autosysadmin-agent/templates/autosysadmin.nrpe.cfg.j2
Normal file
8
autosysadmin-agent/templates/autosysadmin.nrpe.cfg.j2
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
#
|
||||||
|
# Ansible managed - DO NOT MODIFY, your changes will be overwritten !
|
||||||
|
#
|
||||||
|
|
||||||
|
# Autosysadmin repair commands
|
||||||
|
{% for script in lookup('ansible.builtin.fileglob', '../../../autosysadmin/agent/repair/repair_*', wantlist=True) | map("basename") | sort %}
|
||||||
|
command[{{ script }}]=sudo {{ autosysadmin_agent_bin_dir }}/{{ script }}
|
||||||
|
{% endfor %}
|
7
autosysadmin-agent/templates/autosysadmin.sudoers.j2
Normal file
7
autosysadmin-agent/templates/autosysadmin.sudoers.j2
Normal file
|
@ -0,0 +1,7 @@
|
||||||
|
#
|
||||||
|
# Ansible managed - DO NOT MODIFY, your changes will be overwritten !
|
||||||
|
#
|
||||||
|
|
||||||
|
{% for script in lookup('ansible.builtin.fileglob', '../../../autosysadmin/agent/repair/repair_*', wantlist=True) | map("basename") | sort %}
|
||||||
|
nagios ALL = NOPASSWD: {{ autosysadmin_agent_bin_dir }}/{{ script }}
|
||||||
|
{% endfor %}
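Review bot: Each generated `nagios ALL = NOPASSWD: .../{{ script }}` line runs a repair script as root, and those scripts resolve their library directory from the environment (`: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"` at the top of every repair script); sudo's default `env_reset` drops that variable, but a root grant should not rely on a default being left in place, so an explicit `Defaults env_reset` at the top of this file, or hard-coding the library path in the root-run scripts, removes the dependency. The `lookup('ansible.builtin.fileglob', ...)` here duplicates the one that builds `autosysadmin_repair_scripts` in tasks/main.yml; looping over that fact keeps the sudo grants and the script list in one place.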
|
8
autosysadmin-restart_nrpe/defaults/main.yml
Normal file
8
autosysadmin-restart_nrpe/defaults/main.yml
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
general_scripts_dir: "/usr/share/scripts"
|
||||||
|
|
||||||
|
restart_nrpe_path: "{{ general_scripts_dir }}/autosysadmin/restart/restart_nrpe"
|
||||||
|
|
||||||
|
# Change this to customize the RUNNING value in the script
|
||||||
|
restart_nrpe_running: Null
|
105
autosysadmin-restart_nrpe/files/upstream/restart_nrpe
Executable file
105
autosysadmin-restart_nrpe/files/upstream/restart_nrpe
Executable file
|
@ -0,0 +1,105 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
|
||||||
|
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
|
||||||
|
source "${AUTOSYSADMIN_LIB}/restart.sh" || exit 1
|
||||||
|
|
||||||
|
## Possible values for RUNNING :
|
||||||
|
## never => disabled
|
||||||
|
## always => enabled
|
||||||
|
## nwh-fr => enabled during non-working-hours in France
|
||||||
|
## nwh-ca => enabled during non-working-hours in Canada (not supported yet)
|
||||||
|
## custom => enabled if `running_custom()` function return 0, otherwise disabled.
|
||||||
|
|
||||||
|
# shellcheck disable=SC2034
|
||||||
|
RUNNING="nwh-fr"
|
||||||
|
|
||||||
|
## The name of the service, mainly for logging
|
||||||
|
service_name="nagios-nrpe-server"
|
||||||
|
## The SysVinit script name
|
||||||
|
sysvinit_script="${service_name}"
|
||||||
|
## The systemd service name
|
||||||
|
systemd_service="${service_name}.service"
|
||||||
|
|
||||||
|
is_service_alive() {
|
||||||
|
## this must return 0 if the service is alive, otherwise return 1
|
||||||
|
## Example:
|
||||||
|
pgrep -u nagios nrpe > /dev/null
|
||||||
|
}
|
||||||
|
|
||||||
|
## Action for SysVinit system
|
||||||
|
sysvinit_action() {
|
||||||
|
# Save service status before restart
|
||||||
|
timeout 2 "/etc/init.d/${sysvinit_script}" status | save_in_log_dir "${service_name}.before.status"
|
||||||
|
|
||||||
|
# Try to restart
|
||||||
|
timeout 20 "/etc/init.d/${sysvinit_script}" restart > /dev/null
|
||||||
|
rc=$?
|
||||||
|
if [ "${rc}" -eq "0" ]; then
|
||||||
|
log_action "Restart ${service_name}: OK"
|
||||||
|
else
|
||||||
|
log_action "Restart ${service_name}: failed"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Save service status after restart
|
||||||
|
timeout 2 "/etc/init.d/${sysvinit_script}" status | save_in_log_dir "${service_name}.after.status"
|
||||||
|
}
|
||||||
|
|
||||||
|
## Action for systemd system
|
||||||
|
systemd_action() {
|
||||||
|
# Save service status before restart
|
||||||
|
systemctl status "${systemd_service}" | save_in_log_dir "${service_name}.before.status"
|
||||||
|
|
||||||
|
# Try to restart
|
||||||
|
# systemctl (only for NRPE ?) sometimes returns 0 even if the service has failed to start
|
||||||
|
# so we check the status explicitly
|
||||||
|
timeout 20 systemctl restart "${systemd_service}" > /dev/null \
|
||||||
|
&& sleep 1 \
|
||||||
|
&& systemctl status "${systemd_service}" > /dev/null
|
||||||
|
rc=$?
|
||||||
|
if [ "${rc}" -eq "0" ]; then
|
||||||
|
log_action "Restart ${service_name}: OK"
|
||||||
|
else
|
||||||
|
log_action "Restart ${service_name}: failed"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Save service status after restart
|
||||||
|
systemctl status "${systemd_service}" | save_in_log_dir "${service_name}.after.status"
|
||||||
|
}
|
||||||
|
|
||||||
|
# Should we run?
|
||||||
|
if ! is_supposed_to_run; then
|
||||||
|
# log_global "${PROGNAME} is not supposed to run (RUNNING=${RUNNING})."
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
if is_service_alive; then
|
||||||
|
# log_global "${service_name} process alive. Aborting"
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Yes we do, so check for sysvinit or systemd
|
||||||
|
if is_debian_version "8" "<="; then
|
||||||
|
if ! is_sysvinit_enabled "*${sysvinit_script}*"; then
|
||||||
|
# log_global "${service_name} not enabled. Aborting"
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Let's finally do the action
|
||||||
|
pre_restart
|
||||||
|
sysvinit_action
|
||||||
|
post_restart
|
||||||
|
else
|
||||||
|
if ! is_systemd_enabled "${systemd_service}"; then
|
||||||
|
# log_global "${service_name} is disabled (or missing), nothing left to do."
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
if is_systemd_active "${systemd_service}"; then
|
||||||
|
# log_global "${service_name} is active, nothing left to do."
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Let's finally do the action
|
||||||
|
pre_restart
|
||||||
|
systemd_action
|
||||||
|
post_restart
|
||||||
|
fi
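Review bot: `pgrep -u nagios nrpe` in `is_service_alive` matches the pattern as a regex against process names, so any nagios-owned process whose name contains `nrpe` (a running `check_nrpe` plugin, for instance) counts as the daemon being alive and makes the script exit without restarting; `pgrep -u nagios -x nrpe > /dev/null` anchors the match to the exact name. The `## Example:` line above it is a leftover from the template and no longer applies here.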
|
24
autosysadmin-restart_nrpe/tasks/main.yml
Normal file
24
autosysadmin-restart_nrpe/tasks/main.yml
Normal file
|
@ -0,0 +1,24 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: "Remount /usr if needed"
|
||||||
|
ansible.builtin.include_role:
|
||||||
|
name: remount-usr
|
||||||
|
|
||||||
|
- name: "Copy restart_nrpe"
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: upstream/restart_nrpe
|
||||||
|
dest: "{{ restart_nrpe_path }}"
|
||||||
|
owner: "root"
|
||||||
|
group: "root"
|
||||||
|
mode: "0750"
|
||||||
|
|
||||||
|
- name: "Customize RUNNING value"
|
||||||
|
ansible.builtin.lineinfile:
|
||||||
|
path: "{{ restart_nrpe_path }}"
|
||||||
|
line: "RUNNING=\"{{ restart_nrpe_running }}\""
|
||||||
|
regexp: "^ *RUNNING="
|
||||||
|
create: False
|
||||||
|
when:
|
||||||
|
- restart_nrpe_running is defined
|
||||||
|
- restart_nrpe_running != None
|
||||||
|
- restart_nrpe_running | length > 0
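Review bot: `line: "RUNNING=\"{{ restart_nrpe_running }}\""` writes the variable into a bash script as-is, so a value containing a double quote or `$` changes what the script executes; since restart_nrpe only documents `never`, `always`, `nwh-fr`, `nwh-ca` and `custom`, an `ansible.builtin.assert` with `that: restart_nrpe_running in ['never', 'always', 'nwh-fr', 'nwh-ca', 'custom']` before this task limits the line to known values. The `Copy restart_nrpe` task rewrites the script from `upstream/restart_nrpe` on every run and the lineinfile then changes `RUNNING` again, so hosts with a customized value will likely report two changes on each run; `force: no` on the copy, or templating `RUNNING` in instead, would be idempotent (inferred from the two tasks, not observed).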
|
|
@ -10,4 +10,4 @@ Minimal configuration is in `tasks/main.yml`
|
||||||
|
|
||||||
The full list of variables (with default values) can be found in `defaults/main.yml`.
|
The full list of variables (with default values) can be found in `defaults/main.yml`.
|
||||||
|
|
||||||
waening : sync chroot-bind.sh
|
warning : sync chroot-bind.sh
|
||||||
|
|
5
bind/files/apparmor.usr.sbin.named
Normal file
5
bind/files/apparmor.usr.sbin.named
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
/var/chroot-bind/etc/bind/** r,
|
||||||
|
/var/chroot-bind/var/** rw,
|
||||||
|
/var/chroot-bind/dev/** rw,
|
||||||
|
/var/chroot-bind/run/** rw,
|
||||||
|
/var/chroot-bind/usr/** r,
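Review bot: `/var/chroot-bind/var/** rw,` and `/var/chroot-bind/run/** rw,` grant write access to entire subtrees of the chroot, whereas the stock usr.sbin.named profile scopes writes to the cache, lib, log and run directories named actually uses; mirroring that granularity inside the chroot (e.g. `/var/chroot-bind/var/cache/bind/** rw,`) keeps the profile at least privilege. The file carries no comment saying how it is pulled into the named profile (local include vs. replacement), which is worth a header line.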
|
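--- a/bind/files/bind-reload-zone.sh
+++ b/bind/files/bind-reload-zone.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+#
+# Script utilitaire pour tester et recharger facilement une zone dans Bind
+#
+
+usage() {
+echo "Usage: bind-reload-zone <DOMAIN>"
+echo " bind-reload-zone -h|--help"
+}
+
+if [ $# -ne 1 ] ; then
+usage
+exit 1
+fi
+
+while :; do
+case $1 in
+-h|--help)
+usage
+exit 0
+;;
+*)
+zone=$1
+break
+;;
+esac
+shift
+done
+
+if ! [ -f "/etc/bind/db.${zone}" ]; then
+>&2 echo "Error: zone for ${zone} not found."
+usage
+exit 1
+fi
+
+named-checkzone "${zone}" /etc/bind/db."${zone}" && rndc reload "${zone}"
+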
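Review bot: `zone=$1` is used unvalidated to build the path `/etc/bind/db.${zone}`, so an argument containing `/` is looked up outside `/etc/bind` and, if a file happens to exist there, is then passed on to `named-checkzone` and `rndc reload`; rejecting such names before the `-f` test keeps the lookup inside the zone directory, e.g. `case $zone in */*|'') >&2 echo "Error: invalid zone name."; exit 1 ;; esac`. On both error paths `usage` prints to stdout while the error message goes to stderr; `usage >&2` there keeps diagnostics on one stream. The exit status of the script is that of the final `named-checkzone … && rndc reload …` chain, which is what a caller wants; a short comment saying so would prevent someone adding `set -e` later.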
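--- a/bind/files/bind-reload-zone_completion.sh
+++ b/bind/files/bind-reload-zone_completion.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+_bind_reload_zone_dynamic_completion() {
+local cur;
+cur=${COMP_WORDS[COMP_CWORD]};
+COMPREPLY=();
+COMPREPLY=( $( compgen -W '$(grep -v -h '"'"'//'"'"' /etc/bind/named.conf* | grep -B1 "type master" | grep zone | grep -v arpa | awk '"'"'{gsub(/"/, "", $2); print $2}'"'"' | sort | uniq)' -- $cur ) );
+
+# reverse ipv4 :
+#grep -v -h '//' /etc/bind/named.conf* | grep -B1 "type master" | grep zone | grep arpa | grep -v ip6 | awk '{gsub(/"/, "", $2); gsub(/.in-addr.arpa/, "", $2); print $2}' | sort | uniq | awk -F'.' '{ for (i=NF; i>1; i--) printf("%s.",$i); print $1 }'
+
+# reveres ipv6 : je bloque sur l'inversion 4 par 4
+#grep -v -h '//' /etc/bind/named.conf* | grep -B1 "type master" | grep zone | grep arpa | grep ip6 | awk '{gsub(/"/, "", $2); gsub(/.ip6.arpa/, "", $2); print $2}' | sort | uniq | awk -F'.' '{ for (i=NF; i>1; i--) { if ($i % 4 == 0) printf("%s.",$i); else printf("%s",$i); } print $1 }'
+
+}
+
+complete -F _bind_reload_zone_dynamic_completion bind-reload-zone
+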
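Review bot: `$cur` is passed to `compgen` unquoted, so a partially typed name containing a glob character or whitespace is expanded and word-split before matching; write `-- "$cur"`. The `-W` word list is itself expanded by `compgen` (that is how the inner `$(grep …)` runs at all), which means every zone name read from `named.conf*` goes through shell expansion a second time; those files are root-owned so this is acceptable, but a comment saying so would save the next reader the analysis. The `grep -B1 "type master"` filter also misses zones declared with the `type primary` spelling accepted by newer BIND releases, if any are present in the configuration.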
@ -3,12 +3,17 @@
# Gregory Colpart <reg@debian.org>
# Gregory Colpart <reg@debian.org>
# chroot (or re-chroot) script for bind9
# chroot (or re-chroot) script for bind9
# tested on Debian Wheezy/Jessie/Stretch
# tested on Debian Wheezy/Jessie/Stretch/Buster/Bullseye/Bookworm
# Exec this script after `(apt-get|aptitude|apt) install bind9`
# Exec this script after `(apt-get|aptitude|apt) install bind9`
# and after *each* bind9 upgrade
# and after *each* bind9 upgrade
# When the script is finished, ensure you have
# When the script is finished, ensure you have
# 'OPTIONS="-u bind -t /var/chroot-bind"' in /etc/default/bind9
# 'OPTIONS="-u bind -t /var/chroot-bind"' in /etc/default/named
# (since Bullseye) or, until Buster, in /etc/default/bind9
#
# Since Bookmworm, one also needs to handle bind mount points
# https://wiki.evolix.org/HowtoBind#bind-mount-%C3%A0-partir-de-bookworm-debian-12
#
# and /etc/init.d/bind9 (re)start
# and /etc/init.d/bind9 (re)start
#
#
# for Jessie/systemd only:
# for Jessie/systemd only:
@ -22,8 +27,10 @@ mkdir -p /var/chroot-bind
mkdir -p /var/chroot-bind/bin /var/chroot-bind/dev /var/chroot-bind/etc \
mkdir -p /var/chroot-bind/bin /var/chroot-bind/dev /var/chroot-bind/etc \
/var/chroot-bind/lib /var/chroot-bind/usr/lib \
/var/chroot-bind/lib /var/chroot-bind/usr/lib \
/var/chroot-bind/usr/sbin /var/chroot-bind/var/cache/bind \
/var/chroot-bind/usr/sbin /var/chroot-bind/var/cache/bind \
/var/chroot-bind/var/log /var/chroot-bind/var/run/named/ \
/var/chroot-bind/var/log /var/chroot-bind/var/run/named \
/var/chroot-bind/run/named/
/var/chroot-bind/run/named /var/chroot-bind/usr/share/dns
chmod 750 /var/chroot-bind
# for conf
# for conf
if [ ! -h "/etc/bind" ]; then
if [ ! -h "/etc/bind" ]; then
@ -31,6 +38,11 @@ if [ ! -h "/etc/bind" ]; then
ln -s /var/chroot-bind/etc/bind/ /etc/bind
ln -s /var/chroot-bind/etc/bind/ /etc/bind
fi
fi
# for dns
if [ -d "/usr/share/dns" ]; then
cp -a /usr/share/dns/* /var/chroot-bind/usr/share/dns/
fi
# for logs
# for logs
touch /var/chroot-bind/var/log/bind.log
touch /var/chroot-bind/var/log/bind.log
if [ ! -h "/var/log/bind.log" ]; then
if [ ! -h "/var/log/bind.log" ]; then
@ -58,11 +70,16 @@ fi
#chmod 666 /var/chroot-bind/dev/{null,random}
#chmod 666 /var/chroot-bind/dev/{null,random}
# essential libs
# essential libs
for i in `ldd $(which named) | grep -v linux-vdso.so.1 | cut -d">" -f2 | cut -d"(" -f1` \
for i in `ldd $(which named) | grep -v linux-vdso.so.1 | cut -d">" -f2 | cut -d"(" -f1`
/usr/lib/x86_64-linux-gnu/openssl-1.0.*/engines/libgost.so ; do
do install -D $i /var/chroot-bind/${i##/}
install -D $i /var/chroot-bind/${i##/}
done
done
if [ ls /usr/lib/x86_64-linux-gnu/openssl-1.0.*/engines/libgost.so 1>/dev/null 2>&1 ]; then
for i in /usr/lib/x86_64-linux-gnu/openssl-1.0.*/engines/libgost.so
do install -D $i /var/chroot-bind/${i##/}
done
fi
# essential (hum, bash is required ??)
# essential (hum, bash is required ??)
#cp /bin/bash /var/chroot-bind/bin/
#cp /bin/bash /var/chroot-bind/bin/
cp /usr/sbin/named /var/chroot-bind/usr/sbin/
cp /usr/sbin/named /var/chroot-bind/usr/sbin/
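Review bot: `if [ ls /usr/lib/x86_64-linux-gnu/openssl-1.0.*/engines/libgost.so 1>/dev/null 2>&1 ]; then` never runs `ls`: the words are handed to the `[` builtin, which reports an operator error (hidden by the redirections) and returns non-zero, so the libgost loop below it is dead code. The intended test is `if ls /usr/lib/x86_64-linux-gnu/openssl-1.0.*/engines/libgost.so >/dev/null 2>&1; then`; because an unmatched glob is left literal, `ls` failing is the right signal. The reworked `for i in` loop over the `ldd` output still expands `$i` and `${i##/}` unquoted; Debian library paths contain no whitespace so this is harmless today, but `"$i"` and `"/var/chroot-bind/${i##/}"` cost nothing. The header comment in the first hunk also spells Bookworm as `Bookmworm`.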
@ -3,7 +3,6 @@
ansible.builtin.systemd:
ansible.builtin.systemd:
daemon-reload: yes
daemon-reload: yes
- name: restart apparmor
- name: restart apparmor
ansible.builtin.systemd:
ansible.builtin.systemd:
name: apparmor
name: apparmor
@ -14,6 +14,8 @@ galaxy_info:
- jessie
- jessie
- stretch
- stretch
- buster
- buster
- bullseye
- bookworm
galaxy_tags: []
galaxy_tags: []
# Be sure to remove the '[]' above if you add dependencies
# Be sure to remove the '[]' above if you add dependencies
@ -7,5 +7,5 @@
owner: bind
owner: bind
group: bind
group: bind
mode: "0644"
mode: "0644"
force: yes
force: true
notify: restart bind
notify: restart bind
@ -17,13 +17,13 @@
register: check_apparmor
register: check_apparmor
- name: configure apparmor
- name: configure apparmor
ansible.builtin.template:
ansible.builtin.copy:
src: apparmor.usr.sbin.named.j2
src: apparmor.usr.sbin.named
dest: /etc/apparmor.d/usr.sbin.named
dest: /etc/apparmor.d/local/usr.sbin.named
owner: root
group: root
mode: "0644"
mode: "0644"
force: yes
owner: root
force: true
backup: yes
notify: restart apparmor
notify: restart apparmor
when: check_apparmor.rc == 0
when: check_apparmor.rc == 0
@ -47,7 +47,7 @@
owner: root
owner: root
group: root
group: root
mode: "0644"
mode: "0644"
force: yes
force: true
notify:
notify:
- reload systemd
- reload systemd
- restart bind
- restart bind
@ -77,7 +77,7 @@
dest: /root/chroot-bind.sh
dest: /root/chroot-bind.sh
mode: "0700"
mode: "0700"
owner: root
owner: root
force: yes
force: true
backup: yes
backup: yes
when: bind_chroot_set | bool
when: bind_chroot_set | bool
@ -94,13 +94,67 @@
- bind_chroot_set | bool
- bind_chroot_set | bool
- chrootbind_run.stdout | length > 0
- chrootbind_run.stdout | length > 0
- name: Modify OPTIONS in /etc/default/bind9 for chroot
- name: Modify OPTIONS in /etc/default/bind9 for chroot (until Buster)
ansible.builtin.replace:
ansible.builtin.replace:
dest: /etc/default/bind9
dest: /etc/default/bind9
regexp: '^OPTIONS=.*'
regexp: '^OPTIONS=.*'
replace: 'OPTIONS="-u bind -t {{ bind_chroot_path }}"'
replace: 'OPTIONS="-u bind -t {{ bind_chroot_path }}"'
notify: restart bind
notify: restart bind
when: bind_chroot_set | bool
when:
- bind_chroot_set | bool
- ansible_distribution_major_version is version('11', '<')
- name: Modify OPTIONS in /etc/default/named for chroot (since Bullseye)
ansible.builtin.replace:
dest: /etc/default/named
regexp: '^OPTIONS=.*'
replace: 'OPTIONS="-u bind -t {{ bind_chroot_path }}"'
notify: restart bind
when:
- bind_chroot_set | bool
- ansible_distribution_major_version is version('11', '>=')
- name: Create mount target directory for chroot (since Bookworm)
ansible.builtin.file:
path: /var/chroot-bind/run/systemd/journal
state: directory
owner: bind
group: bind
notify: restart bind
when:
- bind_chroot_set | bool
- ansible_distribution_major_version is version('12', '>=')
- name: Create mount targets for chroot (since Bookworm)
ansible.builtin.file:
path: '{{ item }}'
state: touch
owner: bind
group: bind
loop:
- /var/chroot-bind/run/systemd/journal/socket
- /var/chroot-bind/run/systemd/journal/stdout
- /var/chroot-bind/run/systemd/notify
notify: restart bind
when:
- bind_chroot_set | bool
- ansible_distribution_major_version is version('12', '>=')
- name: Set up bind mount for chroot (since Bookworm)
ansible.posix.mount:
src: "{{ item }}"
path: "/var/chroot-bind{{ item }}"
opts: bind
state: mounted
fstype: none
loop:
- /run/systemd/journal/socket
- /run/systemd/journal/stdout
- /run/systemd/notify
notify: restart bind
when:
- bind_chroot_set | bool
- ansible_distribution_major_version is version('12', '>=')
- name: logrotate for bind
- name: logrotate for bind
ansible.builtin.template:
ansible.builtin.template:
@ -109,7 +163,7 @@
owner: root
owner: root
group: root
group: root
mode: "0644"
mode: "0644"
force: yes
force: true
notify: restart bind
notify: restart bind
- ansible.builtin.include: munin.yml
- ansible.builtin.include: munin.yml
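Review bot: The `Create mount targets for chroot (since Bookworm)` task uses `state: touch`, which rewrites the timestamps on every run, so the task reports changed each time and its `notify: restart bind` restarts BIND on every play. Adding `modification_time: preserve` and `access_time: preserve` to that `ansible.builtin.file` call leaves existing files untouched and makes the task idempotent; the companion `state: directory` task already is. The `ansible_distribution_major_version is version('11', '<')` / `version('12', '>=')` conditions on the new `/etc/default/named` and bind-mount tasks assume a Debian host; if the role can run elsewhere, an `ansible_distribution == 'Debian'` term in those `when:` lists keeps the version comparison meaningful. A comment pointing at the wiki page already cited in the chroot script would explain why the journal socket and `notify` paths need to exist inside the chroot.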
@ -48,7 +48,7 @@
owner: root
owner: root
group: root
group: root
mode: "0644"
mode: "0644"
force: yes
force: true
notify: restart munin-node
notify: restart munin-node
tags:
tags:
- bind
- bind
@ -8,7 +8,7 @@
owner: bind
owner: bind
group: bind
group: bind
mode: "0644"
mode: "0644"
force: yes
force: true
notify: restart bind
notify: restart bind
- name: enable zones.rfc1918 for recursive server
- name: enable zones.rfc1918 for recursive server
@ -1,97 +0,0 @@
# vim:syntax=apparmor
# Last Modified: Tue Mar 9 14:17:50 EST 2021
#include <tunables/global>
/usr/sbin/named flags=(attach_disconnected) {
#include <abstractions/base>
#include <abstractions/nameservice>
capability net_bind_service,
capability setgid,
capability setuid,
capability sys_chroot,
capability sys_resource,
# /etc/bind should be read-only for bind
# /var/lib/bind is for dynamically updated zone (and journal) files.
# /var/cache/bind is for slave/stub data, since we're not the origin of it.
# See /usr/share/doc/bind9/README.Debian.gz
/etc/bind/** r,
/var/lib/bind/** rw,
/var/lib/bind/ rw,
/var/cache/bind/** lrw,
/var/cache/bind/ rw,
# Database file used by allow-new-zones
/var/cache/bind/_default.nzd-lock rwk,
# gssapi
/etc/krb5.keytab kr,
/etc/bind/krb5.keytab kr,
# ssl
/etc/ssl/openssl.cnf r,
# root hints from dns-data-root
/usr/share/dns/root.* r,
# GeoIP data files for GeoIP ACLs
/usr/share/GeoIP/** r,
# dnscvsutil package
/var/lib/dnscvsutil/compiled/** rw,
# Allow changing worker thread names
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
@{PROC}/net/if_inet6 r,
@{PROC}/*/net/if_inet6 r,
@{PROC}/sys/net/ipv4/ip_local_port_range r,
/usr/sbin/named mr,
/{,var/}run/named/named.pid w,
/{,var/}run/named/session.key w,
# support for resolvconf
/{,var/}run/named/named.options r,
# some people like to put logs in /var/log/named/ instead of having
# syslog do the heavy lifting.
{{ bind_log_file }} rw,
{% if bind_query_file_enabled | bool %}
{{ bind_query_file }} rw,
{% endif %}
# gssapi
/var/lib/sss/pubconf/krb5.include.d/** r,
/var/lib/sss/pubconf/krb5.include.d/ r,
/var/lib/sss/mc/initgroups r,
/etc/gss/mech.d/ r,
# ldap
/etc/ldap/ldap.conf r,
/{,var/}run/slapd-*.socket rw,
# dynamic updates
/var/tmp/DNS_* rw,
# dyndb backends
/usr/lib/bind/*.so rm,
# Samba DLZ
/{usr/,}lib/@{multiarch}/samba/bind9/*.so rm,
/{usr/,}lib/@{multiarch}/samba/gensec/*.so rm,
/{usr/,}lib/@{multiarch}/samba/ldb/*.so rm,
/{usr/,}lib/@{multiarch}/ldb/modules/ldb/*.so rm,
/var/lib/samba/bind-dns/dns.keytab rk,
/var/lib/samba/bind-dns/named.conf r,
/var/lib/samba/bind-dns/dns/** rwk,
/var/lib/samba/private/dns.keytab rk,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns/** rwk,
/etc/samba/smb.conf r,
/dev/urandom rwmk,
owner /var/tmp/krb5_* rwk,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.named>
}