Merge branch 'unstable' into stable

CHANGELOG.md

@@ -13,18 +13,32 @@ The **patch** part is incremented if multiple releases happen the same month
 
 ### Added
 
-* apt: add list-upgradable-held-packages.sh
-
 ### Changed
 
-* evobackup-client: upstream release 24.05
-
 ### Fixed
 
 ### Removed
 
 ### Security
 
+## [24.05] 2024-05-15
+
+### Added
+
+* apt: add list-upgradable-held-packages.sh
+
+### Changed
+
+* evobackup-client: upstream release 24.05.1
+* evolinux-base: improve adding the current user to SSH AllowGroups of AllowUsers
+* evolinux-users: improve SSH configuration
+* evomaintenance: upstream release 24.05
+* evomaintenance: move upstream files into upstream folder
+
+### Fixed
+
+* apt: use archive.debian.org with Buster
+
 ## [24.04] 2024-04-30
 
 ### Added

apt/files/list-upgradable-held-packages.sh

@@ -5,6 +5,8 @@
 # but have available updates.
 #####
 
+readonly VERSION="24.05"
+
 # set all programs to C language (english)
 export LC_ALL=C
 
@@ -48,6 +50,7 @@ Content-Type: text/plain; charset=UTF-8
 MIME-Version: 1.0
 Content-Transfer-Encoding: 8bit
 X-Script: ${PROGPATH}
+X-Script-Version: ${VERSION}
 To: ${EMAIL_CLIENT:-alert5@evolix.fr}
 Subject: Mise a jour manuelle disponible
 

apt/templates/buster_backports.list.j2

@@ -1,3 +1,3 @@
 # {{ ansible_managed }}
 
-deb http://mirror.evolix.org/debian buster-backports {{ apt_backports_components | mandatory }}
+deb http://archive.debian.org/debian buster-backports {{ apt_backports_components | mandatory }}

apt/templates/buster_basics.list.j2

@@ -1,5 +1,4 @@
 # {{ ansible_managed }}
 
-deb http://mirror.evolix.org/debian buster {{ apt_basics_components | mandatory }}
-deb http://mirror.evolix.org/debian buster-updates {{ apt_basics_components | mandatory }}
+deb http://archive.debian.org/debian buster {{ apt_basics_components | mandatory }}
 deb http://security.debian.org/debian-security buster/updates {{ apt_basics_components | mandatory }}

evobackup-client/files/upstream/CHANGELOG.md

@@ -23,6 +23,12 @@ The **patch** part changes is incremented if multiple releases happen the same m
 
 ### Security
 
+## [24.05.1] - 2022-05-14
+
+### Fixed
+
+* client: fix shell syntax error
+
 ## [24.05] - 2022-05-02
 
 ### Added

evobackup-client/files/upstream/lib/main.sh

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 # shellcheck disable=SC2034,SC2317
 
-readonly VERSION="24.05"
+readonly VERSION="24.05.1"
 
 # set all programs to C language (english)
 export LC_ALL=C

evobackup-client/files/upstream/lib/utilities.sh

@@ -105,7 +105,7 @@ test_server() {
 pick_server() {
     local -i increment=${1:-0}
     local -i list_length=${#SERVERS[@]}
-    local sync_name=${2:""}
+    local sync_name=${2:-""}
 
     if (( increment >= list_length )); then
         # We've reached the end of the list

evobackup-client/tasks/install.yml

@@ -14,7 +14,7 @@
 
 - name: copy evobackup libs
   ansible.builtin.copy:
-    src: upstream/lib
+    src: upstream/lib/
     dest: "{{ evobackup_client__lib_dir }}/"
     force: True
     mode: "0644"

evolinux-base/README.md

@@ -37,6 +37,6 @@ Main variables are:
 * `evolinux_postfix_purge_exim`: purge Exim packages (default: `True`) ;
 * `evolinux_ssh_password_auth_addresses`: list of addresses that can authenticate with a password (default: `[]`)
 * `evolinux_ssh_disable_root`: disable SSH access for root (default: `False`)
-* `evolinux_ssh_allow_current_user`: don't lock yourself out (default: `False`)
+* `evolinux_ssh_allow_current_user`: don't lock yourself out is there is an AllowUsers or AllowGroups directive (default: `False`)
 
 The full list of variables (with default values) can be found in `defaults/main.yml`.

evolinux-base/tasks/ssh.included-files.yml

@@ -16,34 +16,78 @@
     dest: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
     mode: "0644"
 
-- name: "Get current user's group"
-  ansible.builtin.command:
-    cmd: logname
-  changed_when: False
-  register: logname
-  check_mode: no
-  when: evolinux_ssh_allow_current_user | bool
+# Should we allow the current user?
+- name: Allow the current user
+  block:
+  - name: "Get current user's login"
+    ansible.builtin.command:
+      cmd: logname
+    changed_when: False
+    register: _logname
+    check_mode: no
 
-- name: verify AllowUsers directive
-  ansible.builtin.command:
-    cmd: "grep -ER '^AllowUsers' /etc/ssh"
-  failed_when: False
-  changed_when: False
-  register: grep_allowusers_ssh
-  check_mode: no
-  when: evolinux_ssh_allow_current_user | bool
+  - name: verify AllowUsers directive
+    ansible.builtin.command:
+      cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowUsers' /etc/ssh/sshd_config /etc/ssh/sshd_config.d"
+    failed_when: False
+    changed_when: False
+    register: grep_allowusers_ssh
+    check_mode: no
 
-- name: "Add AllowUsers sshd directive for current user"
-  ansible.builtin.lineinfile:
-    dest: /etc/ssh/sshd_config.d/allow_evolinux_user.conf
-    create: yes
-    line: "AllowUsers {{ logname.stdout }}"
-    insertafter: 'Subsystem'
-    validate: '/usr/sbin/sshd -t -f %s'
-  notify: reload sshd
-  when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc != 0
+  - name: verify AllowGroups directive
+    ansible.builtin.command:
+      cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowGroups' /etc/ssh/sshd_config /etc/ssh/sshd_config.d"
+    failed_when: False
+    changed_when: False
+    register: grep_allowgroups_ssh
+    check_mode: no
+
+  # If we have AllowUsers but not AllowGroups, append the user to the list
+  # (in the first file where we found the directive)
+
+  - name: "Append user to existing AllowUsers sshd directive"
+    ansible.builtin.replace:
+      dest: "{{ grep_allowusers_ssh.stdout_lines[0] }}"
+      regexp: '^(AllowUsers ((?!{{ _logname.stdout }}).)*)$'
+      replace: '\1 {{ _logname.stdout }}'
+      validate: '/usr/sbin/sshd -t -f %s'
+    notify: reload sshd
+    when:
+      - grep_allowusers_ssh.rc == 0
+      - grep_allowgroups_ssh.rc != 0
+
+  # If we have AllowGroups but not AllowUsers, add the user to the group and append the group to the list
+  # (in the first file where we found the directive)
+
+  - name: "Append evolinux ssh group to AllowGroups sshd directive"
+    ansible.builtin.replace:
+      dest: "{{ grep_allowgroups_ssh.stdout_lines[0] }}"
+      regexp: '^(AllowGroups ((?!{{ evolinux_ssh_group }}).)*)$'
+      replace: '\1 {{ evolinux_ssh_group }}'
+      validate: '/usr/sbin/sshd -t -f %s'
+    notify: reload sshd
+    when:
+      - grep_allowusers_ssh.rc != 0
+      - grep_allowgroups_ssh.rc == 0
+  
+  - name: "evolinux ssh group is present"
+    ansible.builtin.group:
+      name: "{{ evolinux_ssh_group }}"
+    when:
+      - grep_allowusers_ssh.rc != 0
+      - grep_allowgroups_ssh.rc == 0
+  
+  - name: "Add current user to evolinux ssh group"
+    ansible.builtin.user:
+      name: "{{ _logname.stdout }}"
+      group: "{{ evolinux_ssh_group }}"
+      append: yes
+    when:
+      - grep_allowusers_ssh.rc != 0
+      - grep_allowgroups_ssh.rc == 0
+
+  # If we don't have AllowGroups nor AllowUsers, do nothing
+
+  when: evolinux_ssh_allow_current_user | bool
 
 - ansible.builtin.meta: flush_handlers
-
-# TODO si allowusers et allowgroups, ajouter utilisateur aux deux
-# TODO si allowgroups, ajouter groupe de l’utilisateur

evolinux-base/tasks/ssh.single-file.yml

@@ -61,40 +61,66 @@
   notify: reload sshd
   when: ansible_distribution_major_version is version('9', '>=')
 
-- name: "Get current user"
-  ansible.builtin.command:
-    cmd: logname
-  changed_when: False
-  register: logname
-  check_mode: no
+# Should we allow the current user?
+- name: Allow the current user
+  block:
+  - name: "Get current user"
+    ansible.builtin.command:
+      cmd: logname
+    changed_when: False
+    register: _logname
+    check_mode: no
+
+  - name: verify AllowUsers directive
+    ansible.builtin.command:
+      cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
+    failed_when: False
+    changed_when: False
+    register: grep_allowusers_ssh
+    check_mode: no
+
+  - name: verify AllowGroups directive
+    ansible.builtin.command:
+      cmd: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
+    failed_when: False
+    changed_when: False
+    register: grep_allowgroups_ssh
+    check_mode: no
+
+  # If we have AllowUsers but not AllowGroups, append the user to the list
+
+  - name: "Modify AllowUsers sshd directive for current user"
+    ansible.builtin.replace:
+      dest: /etc/ssh/sshd_config
+      regexp: '^(AllowUsers ((?!{{ _logname.stdout }}).)*)$'
+      replace: '\1 {{ _logname.stdout }}'
+      validate: '/usr/sbin/sshd -t -f %s'
+    notify: reload sshd
+    when:
+      - grep_allowusers_ssh.rc == 0
+      - grep_allowgroups_ssh.rc != 0
+
+  # If we have AllowGroups but not AllowUsers, add the user to the group and append the group to the list
+  
+  - name: "Add current user to {{ evolinux_ssh_group }} group"
+    ansible.builtin.user:
+      name: "{{ _logname.stdout }}"
+      group: "{{ evolinux_ssh_group }}"
+      append: yes
+    when:
+      - grep_allowusers_ssh.rc != 0
+      - grep_allowgroups_ssh.rc == 0
+
+  - name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive"
+    ansible.builtin.replace:
+      dest: "/etc/ssh/sshd_config"
+      regexp: '^(AllowGroups ((?!{{ evolinux_ssh_group }}).)*)$'
+      replace: '\1 {{ evolinux_ssh_group }}'
+      validate: '/usr/sbin/sshd -t -f %s'
+    notify: reload sshd
+    when:
+      - grep_allowusers_ssh.rc != 0
+      - grep_allowgroups_ssh.rc == 0
   when: evolinux_ssh_allow_current_user | bool
 
-# we must double-escape caracters, because python
-- name: verify AllowUsers directive
-  ansible.builtin.command:
-    cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
-  failed_when: False
-  changed_when: False
-  register: grep_allowusers_ssh
-  check_mode: no
-  when: evolinux_ssh_allow_current_user | bool
-
-- name: "Add AllowUsers sshd directive for current user"
-  ansible.builtin.lineinfile:
-    dest: /etc/ssh/sshd_config
-    line: "\nAllowUsers {{ logname.stdout }}"
-    insertafter: 'Subsystem'
-    validate: '/usr/sbin/sshd -t -f %s'
-  notify: reload sshd
-  when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc != 0
-
-- name: "Modify AllowUsers sshd directive for current user"
-  ansible.builtin.replace:
-    dest: /etc/ssh/sshd_config
-    regexp: '^(AllowUsers ((?!{{ logname.stdout }}).)*)$'
-    replace: '\1 {{ logname.stdout }}'
-    validate: '/usr/sbin/sshd -t -f %s'
-  notify: reload sshd
-  when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc == 0
-
 - ansible.builtin.meta: flush_handlers

evolinux-users/tasks/ssh.yml

@@ -1,8 +1,23 @@
 ---
 
+- name: Fetch SSHd config files
+  ansible.builtin.command:
+    cmd: "find /etc/ssh -type f \\( -name 'sshd_config' -o -path '/etc/ssh/sshd_config.d/*.conf' \\)"
+  changed_when: False
+  check_mode: no
+  register: _ssh_config_paths
+
+- ansible.builtin.debug:
+    var: _ssh_config_paths
+    verbosity: 1
+
+############################
+# AllowUsers or AllowGroups
+############################
+
 - name: verify AllowGroups directive
   ansible.builtin.command:
-    cmd: "grep -Er '^AllowGroups' /etc/ssh"
+    cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowGroups' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
   changed_when: False
   failed_when: False
   check_mode: no
@@ -14,7 +29,7 @@
 
 - name: verify AllowUsers directive
   ansible.builtin.command:
-    cmd: "grep -Er '^AllowUsers' /etc/ssh"
+    cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowUsers' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
   changed_when: False
   failed_when: False
   check_mode: no
@@ -42,12 +57,14 @@
     var: ssh_allowusers
     verbosity: 1
 
-- ansible.builtin.include: ssh_allowgroups.yml
+- name: Configure SSH in AllowGroups mode
+  ansible.builtin.include: ssh_allowgroups.yml
   when:
     - ssh_allowgroups
     - not ssh_allowusers
 
-- ansible.builtin.include: ssh_allowusers.yml
+- name: Configure SSH in AllowUsers mode
+  ansible.builtin.include: ssh_allowusers.yml
   vars:
     user: "{{ item.value }}"
   loop: "{{ evolinux_users | dict2items }}"
@@ -56,7 +73,24 @@
     - ssh_allowusers
     - not ssh_allowgroups
 
-- name: disable root login
+# Do this again, to update the value
+
+- name: Fetch SSHd config files
+  ansible.builtin.command:
+    cmd: "find /etc/ssh -type f \\( -name 'sshd_config' -o -path '/etc/ssh/sshd_config.d/*.conf' \\)"
+  changed_when: False
+  check_mode: no
+  register: _ssh_config_paths
+
+##################
+# PermitRootLogin
+##################
+
+### For Debian < 12
+#   if there is a commented value for PermitRootLogin
+#   we replace it with a "no"
+
+- name: Root login is disabled (Debian < 12)
   ansible.builtin.replace:
     dest: /etc/ssh/sshd_config
     regexp: '^#PermitRootLogin (yes|without-password|prohibit-password)'
@@ -64,11 +98,15 @@
   notify: reload sshd
   when:
     - evolinux_root_disable_ssh | bool
-    - ansible_distribution_major_version is version('11', '<=')
+    - ansible_distribution_major_version is version('12', '<')
+
+### For Debian >= 12
+#   if there is no value for PermitRootLogin (anywhere)
+#   we add a "no" in z-evolinux-users.conf 
 
 - name: verify PermitRootLogin directive (Debian >= 12)
   ansible.builtin.command:
-    cmd: "grep -Er '^PermitRootLogin' /etc/ssh"
+    cmd: "grep --extended-regexp --recursive --files-with-matches '^PermitRootLogin' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
   changed_when: False
   failed_when: False
   check_mode: no
@@ -76,12 +114,7 @@
   when:
     - ansible_distribution_major_version is version('12', '>=')
 
-# TODO avertir lorsque PermitRootLogin est déjà configuré?
-- ansible.builtin.debug:
-    var: grep_permitrootlogin_ssh
-    verbosity: 1
-
-- name: disable root login (Debian >= 12)
+- name: Root login is disabled (Debian >= 12)
   ansible.builtin.lineinfile:
     path: /etc/ssh/sshd_config.d/z-evolinux-users.conf
     line: "PermitRootLogin no"
@@ -93,6 +126,48 @@
   when:
     - evolinux_root_disable_ssh | bool
     - ansible_distribution_major_version is version('12', '>=')
-    - grep_permitrootlogin_ssh.rc == 1
+    - grep_permitrootlogin_ssh.rc != 0
+
+#####################
+# Allow current user 
+#####################
+
+- name: Allow current user
+  block:
+  - name: Check if evolinux ssh group is used
+    ansible.builtin.command:
+      cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowGroups.+{{ evolinux_ssh_group }}' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
+    changed_when: False
+    failed_when: False
+    check_mode: no
+    register: grep_evolinux_group_ssh
+
+  - debug:
+      var: grep_evolinux_group_ssh
+
+  - name: "Get current user's login"
+    ansible.builtin.command:
+      cmd: logname
+    changed_when: False
+    register: _logname
+    check_mode: no
+
+  - debug:
+      var: evolinux_ssh_group
+
+  - debug:
+      var: evolinux_ssh_allow_current_user
+
+  - name: "Add current user ({{ _logname.stdout }}) to {{ evolinux_ssh_group }} group"
+    ansible.builtin.user:
+      name: "{{ _logname.stdout }}"
+      groups: "{{ evolinux_ssh_group }}"
+      append: yes
+    when:
+      - grep_evolinux_group_ssh.rc == 0
+  when:
+    - evolinux_ssh_group is defined
+    - evolinux_ssh_group | length > 0
+    - evolinux_ssh_allow_current_user | bool
 
 - ansible.builtin.meta: flush_handlers

evolinux-users/tasks/ssh_allowgroups.yml

@@ -1,18 +1,27 @@
 ---
 
+###
 # this check must be repeated for each user
 # even if it's been done before
+
+- name: Fetch SSHd config files
+  ansible.builtin.command:
+    cmd: "find /etc/ssh -type f \\( -name 'sshd_config' -o -path '/etc/ssh/sshd_config.d/*.conf' \\)"
+  changed_when: False
+  check_mode: no
+  register: _ssh_config_paths
+
 - name: verify AllowGroups directive
   ansible.builtin.command:
-    cmd: "grep -Er '^AllowGroups' /etc/ssh"
+    cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowGroups' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
   changed_when: False
   failed_when: False
   check_mode: no
   register: grep_allowgroups_ssh
-  when:
-    - ansible_distribution_major_version is version('11', '<=')
 
-- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
+###
+
+- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}' (Debian < 12)"
   ansible.builtin.lineinfile:
     dest: /etc/ssh/sshd_config
     line: "\nAllowGroups {{ evolinux_ssh_group }}"
@@ -21,25 +30,25 @@
   notify: reload sshd
   when:
     - ansible_distribution_major_version is version('11', '<=')
-    - grep_allowgroups_ssh.rc != 0
+    - grep_allowgroups_ssh.rc == 1 # Not found
+
+- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}' (Debian >= 12)"
+  ansible.builtin.lineinfile:
+    dest: /etc/ssh/sshd_config.d/z-evolinux-users.conf
+    line: "\nAllowGroups {{ evolinux_ssh_group }}"
+    validate: '/usr/sbin/sshd -t -f %s'
+    create: yes
+  notify: reload sshd
+  when:
+    - ansible_distribution_major_version is version('12', '>=')
+    - grep_allowgroups_ssh.rc == 1 # Not found
 
 - name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive"
   ansible.builtin.replace:
-    dest: /etc/ssh/sshd_config
+    dest: "{{ grep_allowgroups_ssh.stdout_lines[0] }}"
     regexp: '^(AllowGroups ((?!\b{{ evolinux_ssh_group }}\b).)*)$'
     replace: '\1 {{ evolinux_ssh_group }}'
     validate: '/usr/sbin/sshd -t -f %s'
   notify: reload sshd
   when:
-    - ansible_distribution_major_version is version('11', '<=')
-    - grep_allowgroups_ssh.rc == 0
-
-- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
-  ansible.builtin.lineinfile:
-    path: /etc/ssh/sshd_config.d/z-evolinux-users.conf
-    line: "AllowGroups {{ evolinux_ssh_group }}"
-    create: yes
-    mode: "0644"
-    validate: '/usr/sbin/sshd -t -f %s'
-  when:
-    - ansible_distribution_major_version is version('12', '>=')
+    - grep_allowgroups_ssh.rc == 0 or grep_allowgroups_ssh.rc == 2 # Found, return code can be 0 or 2

evolinux-users/tasks/ssh_allowusers.yml

@@ -1,55 +1,84 @@
 ---
 
-# this check must be repeated for each user
+###
+# these checks must be repeated for each user
 # even if it's been done before
-- name: verify AllowUsers directive
+
+- name: Fetch SSHd config files
   ansible.builtin.command:
-    cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
+    cmd: "find /etc/ssh -type f \\( -name 'sshd_config' -o -path '/etc/ssh/sshd_config.d/*.conf' \\)"
+  changed_when: False
+  check_mode: no
+  register: _ssh_config_paths
+
+- name: Verify AllowUsers directive
+  ansible.builtin.command:
+    cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowUsers' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
   changed_when: False
   failed_when: False
   check_mode: no
   register: grep_allowusers_ssh
 
-- name: "Add AllowUsers sshd directive with '{{ user.name }}'"
+###
+
+- name: "Add AllowUsers sshd directive with '{{ user.name }}' (Debian < 12)"
   ansible.builtin.lineinfile:
     dest: /etc/ssh/sshd_config
     line: "\nAllowUsers {{ user.name }}"
     insertafter: 'Subsystem'
     validate: '/usr/sbin/sshd -t -f %s'
   notify: reload sshd
-  when: grep_allowusers_ssh.rc != 0
+  when:
+    - grep_allowusers_ssh.rc != 0
+    - ansible_distribution_major_version is version('12', '<')
+
+- name: "Add AllowUsers sshd directive with '{{ user.name }}' (Debian >= 12)"
+  ansible.builtin.lineinfile:
+    dest: /etc/ssh/sshd_config.d/z-evolinux-users.conf
+    line: "\nAllowUsers {{ user.name }}"
+    insertafter: 'Subsystem'
+    validate: '/usr/sbin/sshd -t -f %s'
+  notify: reload sshd
+  when:
+    - grep_allowusers_ssh.rc != 0
+    - ansible_distribution_major_version is version('12', '>=')
 
 - name: "Append '{{ user.name }}' to AllowUsers sshd directive"
   ansible.builtin.replace:
-    dest: /etc/ssh/sshd_config
+    dest: "{{ grep_allowusers_ssh.stdout_lines[0] }}"
     regexp: '^(AllowUsers ((?!\b{{ user.name }}\b).)*)$'
     replace: '\1 {{ user.name }}'
     validate: '/usr/sbin/sshd -t -f %s'
   notify: reload sshd
-  when: grep_allowusers_ssh.rc == 0
+  when:
+    - grep_allowusers_ssh.rc == 0
 
 - name: "verify Match User directive"
   ansible.builtin.command:
-    cmd: "grep -E '^Match User' /etc/ssh/sshd_config"
+    cmd: "grep --extended-regexp --recursive --files-with-matches '^Match User' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
   changed_when: False
   failed_when: False
   check_mode: no
   register: grep_matchuser_ssh
 
-- name: "Add Match User sshd directive with '{{ user.name }}'"
+- name: "Add Match User sshd directive with '{{ user.name }}' (Debian <= 10)"
   ansible.builtin.lineinfile:
     dest: /etc/ssh/sshd_config
     line: "\nMatch User {{ user.name }}\n    PasswordAuthentication no"
     insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
     validate: '/usr/sbin/sshd -t -f %s'
   notify: reload sshd
-  when: grep_matchuser_ssh.rc != 0
+  when:
+    - grep_matchuser_ssh.rc != 0
+    - ansible_distribution_major_version is version('10', '<=')
 
-- name: "Append '{{ user.name }}' to Match User's sshd directive"
+- name: "Append '{{ user.name }}' to Match User's sshd directive (Debian <= 10)"
   ansible.builtin.replace:
-    dest: /etc/ssh/sshd_config
+    dest: "{{ grep_matchuser_ssh.stdout_lines[0] }}"
     regexp: '^(Match User ((?!{{ user.name }}).)*)$'
     replace: '\1,{{ user.name }}'
     validate: '/usr/sbin/sshd -t -f %s'
   notify: reload sshd
-  when: grep_matchuser_ssh.rc == 0
+  when:
+    - grep_matchuser_ssh.rc == 0
+    - ansible_distribution_major_version is version('10', '<=')

evomaintenance/files/evomaintenance.tpl

@@ -1,33 +0,0 @@
-From: __FULLFROM__
-Content-Type: text/plain; charset=UTF-8
-MIME-Version: 1.0
-Content-Transfer-Encoding: 8bit
-To: __TO__
-Subject: [evomaintenance] Intervention sur __HOSTNAME__ (__USER__)
-
-Bonjour,
-
-Une intervention vient de se terminer sur votre serveur.
-Voici les renseignements sur l'intervention :
-
-Nom du serveur : __HOSTNAME__
-Personne ayant réalisée l'intervention : __USER__
-Intervention réalisée depuis : __IP__
-Début de l'intervention : __BEGIN_DATE__
-Fin de l'intervention : __END_DATE__
-
-###
-Renseignements sur l'intervention :
-__TEXTE__
-###
-
-__GIT_COMMITS__
-
-Pour réagir à cette intervention, vous pouvez répondre à ce message
-(sur l'adresse mail __FROM__). En cas d'urgence, utilisez
-l'adresse __URGENCYFROM__ ou notre téléphone portable d'astreinte
-(__URGENCYTEL__)
-
-Cordialement,
---
-__FULLFROM__

evomaintenance/files/upstream/CHANGELOG.md

@@ -0,0 +1,100 @@
+The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
+and this project **does not adhere to [Semantic Versioning](http://semver.org/spec/v2.0.0.html)**.
+
+## [Unreleased]
+
+### Added
+
+Add missing (but documented) `--(no-)evocheck` options
+
+### Changed
+
+### Deprecated
+
+### Removed
+
+### Fixed
+
+### Security
+
+## [23.10.1] - 2023-10-09
+
+### Fixed
+
+* Use a special variable name since USER is always defined from the environment
+
+## [23.10] - 2023-10-09
+
+### Added
+
+* Force a user name with `-u,--user` option (default is still `logname(1)`).
+* More people credited
+
+### Deprecated
+
+* `--autosysadmin` is replaced by `--user autosysadmin`
+
+
+
+## [22.07] - 2022-07-05
+
+### Added
+
+* Add `--autosysadmin` flag
+* Commit change in /etc of lxc containers
+
+### Changed
+
+### Deprecated
+
+### Removed
+
+### Fixed
+
+### Security
+
+## [22.01] - 2022-01-25
+
+### Added
+
+* version/host/user headers in sent email
+
+### Changed
+
+New version pattern
+
+## [0.6.4] - 2021-06-17
+
+### Added
+
+* fallback if findmnt is absent
+
+## [0.6.3] - 2020-02-02
+
+### Added
+
+* Notify syslog when partitions are re-mounted (Linux)
+
+## [0.6.2] - 2020-02-02
+
+### Fixed
+
+* better detection of read-only partitions (Linux)
+
+## [0.6.0] - 2019-11-05
+
+### Added
+
+* commit changes in /usr/share/scripts/ if needed
+
+## Previous changelog
+
+* 0.5.0 : options et mode interactif pour l'exécution des actions, meilleure compatibilité POSIX
+* 0.4.1 : Utilisation de "printf" à la place de "echo" pour mieux gérer les sauts de ligne
+* 0.4.0 : Amélioration de la récupération d'information (plus de cas gérés). Infos Git avant la saisie.
+* 0.3.0 : Écriture dans un fichier de log, amélioration de la récupération d'informations, amélioration de la syntaxe shell
+* 0.2.7 : Correction d'un bug lors de l'utilisation de '&' dans le texte
+* 0.2.6 : Precision du charset dans les entetes du mail
+* 0.2.5 : Correction d'un bug avec le path de sendmail sous OpenBSD
+* 0.2.4 : Correction d'un bug lors de l'utilisation de '/' dans le texte
+* 0.2.3 : Correction d'un bug avec $REALM

evomaintenance/files/upstream/README.md

@@ -0,0 +1,30 @@
+# Evomaintenance
+
+```.plain
+$ evomaintenance --help
+evomaintenance is a program that helps reporting what you've done on a server
+
+Usage: evomaintenance
+  or   evomaintenance --message="add new host"
+  or   evomaintenance --no-api --no-mail --no-commit
+  or   echo "add new vhost" | evomaintenance
+
+Options
+ -m, --message=MESSAGE       set the message from the command line
+     --mail                  enable the mail hook (default)
+     --no-mail               disable the mail hook
+     --db                    enable the database hook
+     --no-db                 disable the database hook (default)
+     --api                   enable the API hook (default)
+     --no-api                disable the API hook
+     --commit                enable the commit hook (default)
+     --no-commit             disable the commit hook
+     --evocheck              enable evocheck execution (default)
+     --no-evocheck           disable evocheck execution
+     --auto                  use "auto" mode
+     --no-auto               use "manual" mode (default)
+ -v, --verbose               increase verbosity
+ -n, --dry-run               actions are not executed
+     --help                  print this message and exit
+     --version               print version and exit
+```

evomaintenance/files/upstream/evomaintenance.sh

@@ -1,12 +1,12 @@
 #!/bin/sh
 
-VERSION="23.10.1"
+VERSION="24.05"
 
 show_version() {
     cat <<END
 evomaintenance version ${VERSION}
 
-Copyright 2007-2023 Evolix <info@evolix.fr>,
+Copyright 2007-2024 Evolix <info@evolix.fr>,
                     Gregory Colpart <reg@evolix.fr>,
                     Jérémy Lecour <jlecour@evolix.fr>,
                     Brice Waegeneire <bwaegeneire@evolix.fr>,
@@ -437,6 +437,14 @@ while :; do
             printf 'ERROR: "--message" requires a non-empty option argument.\n' >&2
             exit 1
             ;;
+        --no-evocheck)
+            # disable evocheck hook
+            EVOCHECK=0
+            ;;
+        --evocheck)
+            # enable evocheck hook
+            EVOCHECK=1
+            ;;
         --no-commit)
             # disable commit hook
             HOOK_COMMIT=0
@@ -581,7 +589,7 @@ GIT_REPOSITORIES="/etc /etc/bind /usr/share/scripts"
 
 # Add /etc directories from lxc containers if they are git directories
 if [ -d /var/lib/lxc ]; then
-    GIT_REPOSITORIES="${GIT_REPOSITORIES} $(find /var/lib/lxc/ -maxdepth 3 -name 'etc' | tr '\n' ' ' | sed 's/[[:space:]]\+$//')"
+    GIT_REPOSITORIES="${GIT_REPOSITORIES} $(find -L /var/lib/lxc/ -maxdepth 3 -name 'etc' | tr '\n' ' ' | sed 's/[[:space:]]\+$//')"
 fi
 
 # initialize variable

evomaintenance/tasks/install_vendor_debian.yml

@@ -35,15 +35,12 @@
 
 - name: Evomaintenance script and template are installed
   ansible.builtin.copy:
-    src: "{{ item.src }}"
-    dest: "{{ item.dest }}"
+    src: "upstream/evomaintenance.sh"
+    dest: "/usr/share/scripts/"
     owner: root
     group: root
-    mode: "{{ item.mode }}"
+    mode: "0700"
     force: true
     backup: yes
-  loop:
-    - { src: 'evomaintenance.sh', dest: '/usr/share/scripts/', mode: '0700' }
-    - { src: 'evomaintenance.tpl', dest: '/usr/share/scripts/', mode: '0600' }
   tags:
-    - evomaintenance
+    - evomaintenance

nodejs/files/nodesource.asc

@@ -1,52 +1,29 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v1
-Comment: GPGTools - https://gpgtools.org
 
-mQINBFObJLYBEADkFW8HMjsoYRJQ4nCYC/6Eh0yLWHWfCh+/9ZSIj4w/pOe2V6V+
-W6DHY3kK3a+2bxrax9EqKe7uxkSKf95gfns+I9+R+RJfRpb1qvljURr54y35IZgs
-fMG22Np+TmM2RLgdFCZa18h0+RbH9i0b+ZrB9XPZmLb/h9ou7SowGqQ3wwOtT3Vy
-qmif0A2GCcjFTqWW6TXaY8eZJ9BCEqW3k/0Cjw7K/mSy/utxYiUIvZNKgaG/P8U7
-89QyvxeRxAf93YFAVzMXhoKxu12IuH4VnSwAfb8gQyxKRyiGOUwk0YoBPpqRnMmD
-Dl7SdmY3oQHEJzBelTMjTM8AjbB9mWoPBX5G8t4u47/FZ6PgdfmRg9hsKXhkLJc7
-C1btblOHNgDx19fzASWX+xOjZiKpP6MkEEzq1bilUFul6RDtxkTWsTa5TGixgCB/
-G2fK8I9JL/yQhDc6OGY9mjPOxMb5PgUlT8ox3v8wt25erWj9z30QoEBwfSg4tzLc
-Jq6N/iepQemNfo6Is+TG+JzI6vhXjlsBm/Xmz0ZiFPPObAH/vGCY5I6886vXQ7ft
-qWHYHT8jz/R4tigMGC+tvZ/kcmYBsLCCI5uSEP6JJRQQhHrCvOX0UaytItfsQfLm
-EYRd2F72o1yGh3yvWWfDIBXRmaBuIGXGpajC0JyBGSOWb9UxMNZY/2LJEwARAQAB
-tB9Ob2RlU291cmNlIDxncGdAbm9kZXNvdXJjZS5jb20+iQI4BBMBAgAiBQJTmyS2
-AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAWVaCraFdigHTmD/9OKhUy
-jJ+h8gMRg6ri5EQxOExccSRU0i7UHktecSs0DVC4lZG9AOzBe+Q36cym5Z1di6JQ
-kHl69q3zBdV3KTW+H1pdmnZlebYGz8paG9iQ/wS9gpnSeEyx0Enyi167Bzm0O4A1
-GK0prkLnz/yROHHEfHjsTgMvFwAnf9uaxwWgE1d1RitIWgJpAnp1DZ5O0uVlsPPm
-XAhuBJ32mU8S5BezPTuJJICwBlLYECGb1Y65Cil4OALU7T7sbUqfLCuaRKxuPtcU
-VnJ6/qiyPygvKZWhV6Od0Yxlyed1kftMJyYoL8kPHfeHJ+vIyt0s7cropfiwXoka
-1iJB5nKyt/eqMnPQ9aRpqkm9ABS/r7AauMA/9RALudQRHBdWIzfIg0Mlqb52yyTI
-IgQJHNGNX1T3z1XgZhI+Vi8SLFFSh8x9FeUZC6YJu0VXXj5iz+eZmk/nYjUt4Mtc
-pVsVYIB7oIDIbImODm8ggsgrIzqxOzQVP1zsCGek5U6QFc9GYrQ+Wv3/fG8hfkDn
-xXLww0OGaEQxfodm8cLFZ5b8JaG3+Yxfe7JkNclwvRimvlAjqIiW5OK0vvfHco+Y
-gANhQrlMnTx//IdZssaxvYytSHpPZTYw+qPEjbBJOLpoLrz8ZafN1uekpAqQjffI
-AOqW9SdIzq/kSHgl0bzWbPJPw86XzzftewjKNbkCDQRTmyS2ARAAxSSdQi+WpPQZ
-fOflkx9sYJa0cWzLl2w++FQnZ1Pn5F09D/kPMNh4qOsyvXWlekaV/SseDZtVziHJ
-Km6V8TBG3flmFlC3DWQfNNFwn5+pWSB8WHG4bTA5RyYEEYfpbekMtdoWW/Ro8Kmh
-41nuxZDSuBJhDeFIp0ccnN2Lp1o6XfIeDYPegyEPSSZqrudfqLrSZhStDlJgXjea
-JjW6UP6txPtYaaila9/Hn6vF87AQ5bR2dEWB/xRJzgNwRiax7KSU0xca6xAuf+TD
-xCjZ5pp2JwdCjquXLTmUnbIZ9LGV54UZ/MeiG8yVu6pxbiGnXo4Ekbk6xgi1ewLi
-vGmz4QRfVklV0dba3Zj0fRozfZ22qUHxCfDM7ad0eBXMFmHiN8hg3IUHTO+UdlX/
-aH3gADFAvSVDv0v8t6dGc6XE9Dr7mGEFnQMHO4zhM1HaS2Nh0TiL2tFLttLbfG5o
-QlxCfXX9/nasj3K9qnlEg9G3+4T7lpdPmZRRe1O8cHCI5imVg6cLIiBLPO16e0fK
-yHIgYswLdrJFfaHNYM/SWJxHpX795zn+iCwyvZSlLfH9mlegOeVmj9cyhN/VOmS3
-QRhlYXoA2z7WZTNoC6iAIlyIpMTcZr+ntaGVtFOLS6fwdBqDXjmSQu66mDKwU5Ek
-fNlbyrpzZMyFCDWEYo4AIR/18aGZBYUAEQEAAYkCHwQYAQIACQUCU5sktgIbDAAK
-CRAWVaCraFdigIPQEACcYh8rR19wMZZ/hgYv5so6Y1HcJNARuzmffQKozS/rxqec
-0xM3wceL1AIMuGhlXFeGd0wRv/RVzeZjnTGwhN1DnCDy1I66hUTgehONsfVanuP1
-PZKoL38EAxsMzdYgkYH6T9a4wJH/IPt+uuFTFFy3o8TKMvKaJk98+Jsp2X/QuNxh
-qpcIGaVbtQ1bn7m+k5Qe/fz+bFuUeXPivafLLlGc6KbdgMvSW9EVMO7yBy/2JE15
-ZJgl7lXKLQ31VQPAHT3an5IV2C/ie12eEqZWlnCiHV/wT+zhOkSpWdrheWfBT+ac
-hR4jDH80AS3F8jo3byQATJb3RoCYUCVc3u1ouhNZa5yLgYZ/iZkpk5gKjxHPudFb
-DdWjbGflN9k17VCf4Z9yAb9QMqHzHwIGXrb7ryFcuROMCLLVUp07PrTrRxnO9A/4
-xxECi0l/BzNxeU1gK88hEaNjIfviPR/h6Gq6KOcNKZ8rVFdwFpjbvwHMQBWhrqfu
-G3KaePvbnObKHXpfIKoAM7X2qfO+IFnLGTPyhFTcrl6vZBTMZTfZiC1XDQLuGUnd
-sckuXINIU3DFWzZGr0QrqkuE/jyr7FXeUJj9B7cLo+s/TXo+RaVfi3kOc9BoxIvy
-/qiNGs/TKy2/Ujqp/affmIMoMXSozKmga81JSwkADO1JMgUy6dApXz9kP4EE3g==
-=CLGF
+mQENBFdDN1ABCADaNd/I3j3tn40deQNgz7hB2NvT+syXe6k4ZmdiEcOfBvFrkS8B
+hNS67t93etHsxEy7E0qwsZH32bKazMqe9zDwoa3aVImryjh6SHC9lMtW27JPHFeM
+Srkt9YmH1WMwWcRO6eSY9B3PpazquhnvbammLuUojXRIxkDroy6Fw4UKmUNSRr32
+9Ej87jRoR1B2/57Kfp2Y4+vFGGzSvh3AFQpBHq51qsNHALU6+8PjLfIt+5TPvaWR
+TB+kAZnQZkaIQM2nr1n3oj6ak2RATY/+kjLizgFWzgEfbCrbsyq68UoY5FPBnu4Z
+E3iDZpaIqwKr0seUC7iA1xM5eHi5kty1oB7HABEBAAG0Ik5Tb2xpZCA8bnNvbGlk
+LWdwZ0Bub2Rlc291cmNlLmNvbT6JATgEEwECACIFAldDN1ACGwMGCwkIBwMCBhUI
+AgkKCwQWAgMBAh4BAheAAAoJEC9ZtfmbG+C0y7wH/i4xnab36dtrYW7RZwL8i6Sc
+NjMx4j9+U1kr/F6YtqWd+JwCbBdar5zRghxPcYEq/qf7MbgAYcs1eSOuTOb7n7+o
+xUwdH2iCtHhKh3Jr2mRw1ks7BbFZPB5KmkxHaEBfLT4d+I91ZuUdPXJ+0SXs9gzk
+Dbz65Uhoz3W03aiF8HeL5JNARZFMbHHNVL05U1sTGTCOtu+1c/33f3TulQ/XZ3Y4
+hwGCpLe0Tv7g7Lp3iLMZMWYPEa0a7S4u8he5IEJQLd8bE8jltcQvrdr3Fm8kI2Jg
+BJmUmX4PSfhuTCFaR/yeCt3UoW883bs9LfbTzIx9DJGpRIu8Y0IL3b4sj/GoZVq5
+AQ0EV0M3UAEIAKrTaC62ayzqOIPa7nS90BHHck4Z33a2tZF/uof38xNOiyWGhT8u
+JeFoTTHn5SQq5Ftyu4K3K2fbbpuu/APQF05AaljzVkDGNMW4pSkgOasdysj831cu
+ssrHX2RYS22wg80k6C/Hwmh5F45faEuNxsV+bPx7oPUrt5n6GMx84vEP3i1+FDBi
+0pt/B/QnDFBXki1BGvJ35f5NwDefK8VaInxXP3ZN/WIbtn5dqxppkV/YkO7GiJlp
+Jlju9rf3kKUIQzKQWxFsbCAPIHoWv7rH9RSxgDithXtG6Yg5R1aeBbJaPNXL9wpJ
+YBJbiMjkAFaz4B95FOqZm3r7oHugiCGsHX0AEQEAAYkBHwQYAQIACQUCV0M3UAIb
+DAAKCRAvWbX5mxvgtE/OB/0VN88DR3Y3fuqy7lq/dthkn7Dqm9YXdorZl3L152eE
+IF882aG8FE3qZdaLGjQO4oShAyNWmRfSGuoH0XERXAI9n0r8m4mDMxE6rtP7tHet
+y/5M8x3CTyuMgx5GLDaEUvBusnTD+/v/fBMwRK/cZ9du5PSG4R50rtst+oYyC2ao
+x4I2SgjtF/cY7bECsZDplzatN3gv34PkcdIg8SLHAVlL4N5tzumDeizRspcSyoy2
+K2+hwKU4C4+dekLLTg8rjnRROvplV2KtaEk6rxKtIRFDCoQng8wfJuIMrDNKvqZw
+FRGt7cbvW5MCnuH8MhItOl9Uxp1wHp6gtav/h8Gp6MBa
+=MARt
 -----END PGP PUBLIC KEY BLOCK-----

nodejs/tasks/main.yml

@@ -24,7 +24,7 @@
 
 - name: Add NodeJS repository (Debian <12)
   ansible.builtin.apt_repository:
-    repo: "deb [signed-by={{ apt_keyring_dir }}/nodesource.asc] https://deb.nodesource.com/{{ nodejs_apt_version }} {{ ansible_distribution_release }} main"
+    repo: "deb [signed-by={{ apt_keyring_dir }}/nodesource.asc] https://deb.nodesource.com/{{ nodejs_apt_version }} nodistro main"
     filename: nodesource
     update_cache: yes
     state: present

nodejs/templates/nodesource.sources.j2

@@ -2,7 +2,7 @@
 
 Types: deb
 URIs: https://deb.nodesource.com/{{ nodejs_apt_version }}
-Suites: {{ ansible_distribution_release }}
+Suites: nodistro
 Components: main
 Signed-by: {{ apt_keyring_dir }}/nodesource.asc
-Enabled: yes
+Enabled: yes

vrrpd/tasks/ip.yml

@@ -31,11 +31,11 @@
     marker: "## {mark} ANSIBLE MANAGED INPUT RULES FOR VRID {{ vrrp_address.id }}"
     block: |
       {% if vrrp_address.peers | default([]) | length <= 0 %}
-        /sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} for VRID {{ vrrp_address.id }}
+      /sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} for VRID {{ vrrp_address.id }}
       {% else %}
-        {% for peer in vrrp_address.peers %}
-          /sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -s {{ peer }} -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} from {{ peer }} for VRID {{ vrrp_address.id }}
-        {% endfor %}
+      {% for peer in vrrp_address.peers %}
+      /sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -s {{ peer }} -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} from {{ peer }} for VRID {{ vrrp_address.id }}
+      {% endfor %}
       {% endif %}
     create: yes
     mode: "0600"