Compare commits
8 commits
stable
...
sshd_modul
Author | SHA1 | Date | |
---|---|---|---|
Jérémy Lecour | b986763c62 | ||
Jérémy Lecour | 71ec63739d | ||
Jérémy Lecour | 24def5374f | ||
Jérémy Lecour | fcda84be4f | ||
Jérémy Lecour | 27a91e69f5 | ||
Jérémy Lecour | 4275cab72a | ||
Jérémy Lecour | c99ba0de82 | ||
Jérémy Lecour | fac6e15633 |
|
@ -17,17 +17,20 @@ The **patch** part changes incrementally at each release.
|
|||
* certbot: add script for manual deploy hooks execution
|
||||
* evolinux-base: install molly-guard by default
|
||||
* listupgrade: crontab is configurable
|
||||
* logstash: logging to syslog is configurable (default: True)
|
||||
* mongodb: create munin plugins directory if missing
|
||||
* mysql: script "mysql_connections" to display a compact list of connections
|
||||
* mysql: script "mysql-queries-killer.sh" to kill MySQL queries
|
||||
* nagios-nrpe + evolinux-users: new checks for bkctld
|
||||
* redis: instance service for Debian 11
|
||||
* squid: add *.o.lencr.org to default whitelist
|
||||
* varnish: validate configuration
|
||||
|
||||
### Changed
|
||||
|
||||
* Use python3 modules for Debian 11 and later
|
||||
* Remove embedded GPG keys only if legacy keyring is present
|
||||
* systemd files : 644 permissions and owner/group
|
||||
* apt: remove workaround for Evolix public repositories with Debian 11
|
||||
* apt: use the new security repository for Bullseye
|
||||
* certbot: silence letsencrypt deprecation warnings
|
||||
|
@ -40,11 +43,13 @@ The **patch** part changes incrementally at each release.
|
|||
* evolinux-base: split dpkg logrotate configuration
|
||||
* kibana: 7.x by default
|
||||
* listupgrade: upstream release 21.06.3
|
||||
* logstash: elastic_stack_version = 7.x
|
||||
* mysql: mariadb-client-10.5 on Debian 11
|
||||
* mysql: use python3 with Debian 11 and later
|
||||
* squid: improve default whitelist (more specific patterns)
|
||||
* squid: must be started in foreground mode for systemd
|
||||
* squid: remove obsolete variable on Squid 4
|
||||
* squid: remove custom systemd unit if present
|
||||
|
||||
### Fixed
|
||||
|
||||
|
@ -53,6 +58,7 @@ The **patch** part changes incrementally at each release.
|
|||
### Removed
|
||||
|
||||
* php: remove php-gettext for 7.4
|
||||
* logstash: no more dependency on Java
|
||||
|
||||
### Security
|
||||
|
||||
|
|
|
@ -70,6 +70,8 @@
|
|||
copy:
|
||||
src: docker.conf
|
||||
dest: /etc/systemd/system/docker.service.d/
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
notify: reload systemd
|
||||
|
||||
|
|
|
@ -6,7 +6,7 @@
|
|||
failed_when: False
|
||||
changed_when: False
|
||||
tags:
|
||||
- config
|
||||
- config
|
||||
|
||||
- name: Maximum map count check
|
||||
sysctl:
|
||||
|
@ -15,7 +15,7 @@
|
|||
sysctl_file: /etc/sysctl.d/elasticsearch.conf
|
||||
when: max_map_count | int < 262144
|
||||
tags:
|
||||
- config
|
||||
- config
|
||||
|
||||
- name: bootstrap.memory_lock
|
||||
lineinfile:
|
||||
|
@ -24,7 +24,7 @@
|
|||
regexp: "^bootstrap.memory_lock:"
|
||||
insertafter: "^# *bootstrap.memory_lock:"
|
||||
tags:
|
||||
- config
|
||||
- config
|
||||
|
||||
- name: Create a system config directory for systemd overrides
|
||||
file:
|
||||
|
@ -38,6 +38,6 @@
|
|||
option: "LimitMEMLOCK"
|
||||
value: "infinity"
|
||||
notify:
|
||||
- restart elasticsearch
|
||||
- restart elasticsearch
|
||||
tags:
|
||||
- config
|
||||
- config
|
||||
|
|
|
@ -60,6 +60,9 @@
|
|||
template:
|
||||
src: elasticsearch-head.service.j2
|
||||
dest: /etc/systemd/system/elasticsearch-head.service
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
tags:
|
||||
- elasticsearch
|
||||
- systemd
|
||||
|
|
|
@ -3,6 +3,8 @@
|
|||
copy:
|
||||
src: log2mail.service
|
||||
dest: /etc/systemd/system/log2mail.service
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
|
||||
- name: Remove log2mail sysvinit service
|
||||
|
|
|
@ -168,6 +168,8 @@
|
|||
src: alert5.service
|
||||
dest: /etc/systemd/system/alert5.service
|
||||
force: yes
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
when:
|
||||
- evolinux_system_alert5_init | bool
|
||||
|
|
|
@ -1,8 +1,10 @@
|
|||
---
|
||||
elastic_stack_version: "6.x"
|
||||
elastic_stack_version: "7.x"
|
||||
|
||||
logstash_jvm_xms: 256m
|
||||
logstash_jvm_xmx: 512g
|
||||
logstash_log_rotate_days: 365
|
||||
logstash_custom_tmpdir: Null
|
||||
logstash_default_tmpdir: /var/lib/logstash/tmp
|
||||
logstash_log_syslog_enabled: True
|
||||
logstash_config_force: True
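Review bot: The heap defaults in this hunk pair `logstash_jvm_xms: 256m` with `logstash_jvm_xmx: 512g`, which looks like a unit typo for `512m`. The line is unchanged context here, so this needs confirming against the template that consumes it before the 7.x default ships. The two new defaults are written `True`; lowercase `true` is the canonical YAML boolean and avoids linter `truthy` warnings, e.g. `logstash_log_syslog_enabled: true` and `logstash_config_force: true`.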
|
10
logstash/handlers/main.yml
Normal file
10
logstash/handlers/main.yml
Normal file
|
@ -0,0 +1,10 @@
|
|||
---
|
||||
|
||||
- name: restart logstash
|
||||
systemd:
|
||||
name: logstash
|
||||
state: restarted
|
||||
daemon_reload: yes
|
||||
|
||||
- name: reload systemd
|
||||
command: systemctl daemon-reload
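Review bot: The `reload systemd` handler shells out with `command: systemctl daemon-reload`, while the `restart logstash` handler just above it already uses the `systemd` module with `daemon_reload: yes`. Using the module for both keeps the file consistent: replace the `command:` line with `systemd:` and a nested `daemon_reload: yes`. None of the logstash tasks visible on this page notify `reload systemd`, so it is worth checking that the handler is referenced at all.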
|
|
@ -24,5 +24,4 @@ galaxy_info:
|
|||
# NOTE: A tag is limited to a single word comprised of
|
||||
# alphanumeric characters. Maximum 20 tags per role.
|
||||
|
||||
dependencies:
|
||||
- { role: evolix/java, java_alternative: 'openjdk', java_version: 8 }
|
||||
dependencies: []
|
||||
|
|
|
@ -16,3 +16,26 @@
|
|||
group: root
|
||||
mode: "0750"
|
||||
when: is_cron_installed.rc == 0
|
||||
|
||||
- name: "Create a system config directory for systemd overrides"
|
||||
file:
|
||||
path: /etc/systemd/system/logstash.service.d
|
||||
state: directory
|
||||
|
||||
- name: "disable syslog"
|
||||
ini_file:
|
||||
path: /etc/systemd/system/logstash.service.d/override.conf
|
||||
section: Service
|
||||
option: "{{ item.option }}"
|
||||
value: "{{ item.value }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
create: yes
|
||||
no_extra_spaces: yes
|
||||
state: "{{ logstash_log_syslog_enabled | bool | ternary('absent','present') }}"
|
||||
loop:
|
||||
- { option: "StandardOutput", value: "null" }
|
||||
- { option: "StandardError", value: "null" }
|
||||
notify:
|
||||
- restart logstash
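Review bot: The new "Create a system config directory for systemd overrides" task creates `/etc/systemd/system/logstash.service.d` without `owner`, `group` or `mode`, so its permissions depend on the umask in effect, even though this change set pins ownership and mode on systemd files elsewhere. Add `owner: root`, `group: root` and `mode: "0755"` to that `file:` task, matching the explicit settings on `override.conf` below it. Separately, when `logstash_log_syslog_enabled` is false the override sets `StandardOutput` and `StandardError` to `null`, which discards anything the service writes outside its own log files, such as startup or JVM crash output. A comment on the "disable syslog" task should state that trade-off. The first task in this hunk begins above the visible lines.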
|
|
@ -88,7 +88,7 @@
|
|||
owner: logstash
|
||||
group: logstash
|
||||
mode: "0640"
|
||||
force: yes
|
||||
force: "{{ logstash_config_force | bool }}"
|
||||
loop: "{{ query('first_found', templates) }}"
|
||||
vars:
|
||||
templates:
|
||||
|
|
|
@ -28,6 +28,9 @@
|
|||
copy:
|
||||
src: memcached@.service
|
||||
dest: /etc/systemd/system/memcached@.service
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
tags:
|
||||
- memcached
|
||||
when: memcached_instance_name | length > 0
|
||||
|
|
|
@ -35,6 +35,9 @@
|
|||
src: mariadb.systemd.j2
|
||||
dest: /etc/systemd/system/mariadb.service.d/evolinux.conf
|
||||
force: yes
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
register: mariadb_systemd_override
|
||||
|
||||
- name: reload systemd and restart MariaDB
|
||||
|
|
|
@ -32,6 +32,9 @@
|
|||
copy:
|
||||
src: systemd/spawn-fcgi-munin-graph.service
|
||||
dest: /etc/systemd/system/spawn-fcgi-munin-graph.service
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
|
||||
- name: Enable and start Munin-fcgi
|
||||
systemd:
|
||||
|
|
|
@ -10,6 +10,9 @@
|
|||
src: postgresql.service.override.conf
|
||||
dest: /etc/systemd/system/postgresql@.service.d/override.conf
|
||||
force: yes
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
notify:
|
||||
- reload systemd
|
||||
- restart postgresql
|
||||
|
|
|
@ -19,9 +19,18 @@
|
|||
template:
|
||||
src: systemd-override.conf.j2
|
||||
dest: /etc/systemd/system/squid.service.d/override.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
force: yes
|
||||
register: _squid_systemd_override
|
||||
|
||||
- name: Disable custom systemd unit if present
|
||||
file:
|
||||
path: /etc/systemd/system/squid.service
|
||||
state: absent
|
||||
register: _squid_systemd_etc
|
||||
|
||||
- name: "Systemd daemon is reloaded and Squid restarted"
|
||||
systemd:
|
||||
name: squid
|
||||
|
@ -29,4 +38,4 @@
|
|||
daemon_reload: yes
|
||||
when:
|
||||
- _squid_systemd_active.rc == 0
|
||||
- _squid_systemd_override is changed
|
||||
- _squid_systemd_override is changed or _squid_systemd_etc is changed
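Review bot: Removing `/etc/systemd/system/squid.service` only takes effect once systemd reloads its units, and the only `daemon_reload: yes` visible here sits inside the restart task, which is also gated on `_squid_systemd_active.rc == 0`. That variable is registered outside these hunks; if it reflects whether squid is currently active, a host with squid stopped keeps the stale unit definition loaded. Consider a separate `systemd: daemon_reload: yes` step conditioned only on `_squid_systemd_override is changed or _squid_systemd_etc is changed`. The task is also named "Disable custom systemd unit if present" although `state: absent` deletes the file; "Remove custom systemd unit if present" would match both the behaviour and the changelog entry.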
|
||||
|
|
|
@ -1,5 +1,8 @@
|
|||
---
|
||||
|
||||
varnish_user: vcache
|
||||
varnish_group: varnish
|
||||
|
||||
varnish_addresses:
|
||||
- 0.0.0.0:80
|
||||
|
||||
|
@ -13,7 +16,7 @@ varnish_thread_pools: "{{ ansible_processor_cores * ansible_processor_count }}"
|
|||
varnish_thread_pool_add_delay: 0
|
||||
varnish_thread_pool_min: 500
|
||||
varnish_thread_pool_max: 5000
|
||||
varnish_jail: "unix,user=vcache"
|
||||
varnish_jail: "unix,user={{ varnish_user }}"
|
||||
|
||||
varnish_config_file: /etc/varnish/default.vcl
|
||||
varnish_secret_file: /etc/varnish/secret
|
||||
|
|
|
@ -43,6 +43,9 @@
|
|||
src: varnish.conf.jessie.j2
|
||||
dest: /etc/systemd/system/varnish.service.d/evolinux.conf
|
||||
force: yes
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
when: ansible_distribution_major_version is version('10', '<')
|
||||
notify:
|
||||
- reload systemd
|
||||
|
@ -58,6 +61,9 @@
|
|||
src: varnish.conf.buster.j2
|
||||
dest: /etc/systemd/system/varnish.service.d/evolinux.conf
|
||||
force: yes
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
when: ansible_distribution_major_version is version('10', '>=')
|
||||
notify:
|
||||
- reload systemd
|
||||
|
@ -79,12 +85,50 @@
|
|||
- varnish
|
||||
- logrotate
|
||||
|
||||
- name: Special tmp directory for config validations
|
||||
file:
|
||||
path: /var/tmp-vcache
|
||||
state: directory
|
||||
mode: "0755"
|
||||
owner: "{{ varnish_user }}"
|
||||
group: "{{ varnish_group }}"
|
||||
tags:
|
||||
- varnish
|
||||
- config
|
||||
|
||||
- name: Create Varnish config dir
|
||||
file:
|
||||
path: /etc/varnish/conf.d
|
||||
state: directory
|
||||
mode: "0755"
|
||||
tags:
|
||||
- varnish
|
||||
- config
|
||||
- update-config
|
||||
|
||||
# First, copy included files
|
||||
- name: Copy included Varnish config
|
||||
template:
|
||||
src: "{{ item }}"
|
||||
dest: /etc/varnish/conf.d/
|
||||
mode: "0644"
|
||||
force: yes
|
||||
with_fileglob:
|
||||
- "templates/varnish/conf.d/*.vcl"
|
||||
notify: reload varnish
|
||||
tags:
|
||||
- varnish
|
||||
- config
|
||||
- update-config
|
||||
|
||||
# Then, copy main configuration
|
||||
- name: Copy Varnish configuration
|
||||
template:
|
||||
src: "{{ item }}"
|
||||
dest: "{{ varnish_config_file }}"
|
||||
mode: "0644"
|
||||
force: yes
|
||||
validate: "sudo -u {{ varnish_user }} TMPDIR=/var/tmp-vcache varnishd -Cf %s > /dev/null"
|
||||
loop: "{{ query('first_found', templates) }}"
|
||||
vars:
|
||||
templates:
|
||||
|
@ -102,28 +146,4 @@
|
|||
- config
|
||||
- update-config
|
||||
|
||||
- name: Create Varnish config dir
|
||||
file:
|
||||
path: /etc/varnish/conf.d
|
||||
state: directory
|
||||
mode: "0755"
|
||||
tags:
|
||||
- varnish
|
||||
- config
|
||||
- update-config
|
||||
|
||||
- name: Copy included Varnish config
|
||||
template:
|
||||
src: "{{ item }}"
|
||||
dest: /etc/varnish/conf.d/
|
||||
force: yes
|
||||
mode: "0644"
|
||||
with_fileglob:
|
||||
- "templates/varnish/conf.d/*.vcl"
|
||||
notify: reload varnish
|
||||
tags:
|
||||
- varnish
|
||||
- config
|
||||
- update-config
|
||||
|
||||
- include: munin.yml
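Review bot: The `validate:` string added to "Copy Varnish configuration" ends with `> /dev/null`, but the template module documents that the validate command is not run through a shell, so redirection does not work there. The `>` and `/dev/null` would be passed as literal arguments instead, which may make a valid VCL file fail validation or make the check behave differently than intended. Ansible captures the command's output itself, so the redirect can be dropped: `validate: "sudo -u {{ varnish_user }} TMPDIR=/var/tmp-vcache varnishd -Cf %s"`. The check also assumes `sudo` is installed on the target and allows setting `TMPDIR` on the command line, which deserves a comment above the task. The task's `vars:` list continues past the end of its hunk.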
|
||||
|
|