Compare commits
8 commits
stable
...
sshd_modul
Author | SHA1 | Date | |
---|---|---|---|
Jérémy Lecour | b986763c62 | ||
Jérémy Lecour | 71ec63739d | ||
Jérémy Lecour | 24def5374f | ||
Jérémy Lecour | fcda84be4f | ||
Jérémy Lecour | 27a91e69f5 | ||
Jérémy Lecour | 4275cab72a | ||
Jérémy Lecour | c99ba0de82 | ||
Jérémy Lecour | fac6e15633 |
|
@ -17,17 +17,20 @@ The **patch** part changes incrementally at each release.
|
||||||
* certbot: add script for manual deploy hooks execution
|
* certbot: add script for manual deploy hooks execution
|
||||||
* evolinux-base: install molly-guard by default
|
* evolinux-base: install molly-guard by default
|
||||||
* listupgrade: crontab is configurable
|
* listupgrade: crontab is configurable
|
||||||
|
* logstash: logging to syslog is configurable (default: True)
|
||||||
* mongodb: create munin plugins directory if missing
|
* mongodb: create munin plugins directory if missing
|
||||||
* mysql: script "mysql_connections" to display a compact list of connections
|
* mysql: script "mysql_connections" to display a compact list of connections
|
||||||
* mysql: script "mysql-queries-killer.sh" to kill MySQL queries
|
* mysql: script "mysql-queries-killer.sh" to kill MySQL queries
|
||||||
* nagios-nrpe + evolinux-users: new checks for bkctld
|
* nagios-nrpe + evolinux-users: new checks for bkctld
|
||||||
* redis: instance service for Debian 11
|
* redis: instance service for Debian 11
|
||||||
* squid: add *.o.lencr.org to default whitelist
|
* squid: add *.o.lencr.org to default whitelist
|
||||||
|
* varnish: validate configuration
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
|
||||||
* Use python3 modules for Debian 11 and later
|
* Use python3 modules for Debian 11 and later
|
||||||
* Remove embedded GPG keys only if legacy keyring is present
|
* Remove embedded GPG keys only if legacy keyring is present
|
||||||
|
* systemd files : 644 permissions and owner/group
|
||||||
* apt: remove workaround for Evolix public repositories with Debian 11
|
* apt: remove workaround for Evolix public repositories with Debian 11
|
||||||
* apt: use the new security repository for Bullseye
|
* apt: use the new security repository for Bullseye
|
||||||
* certbot: silence letsencrypt deprecation warnings
|
* certbot: silence letsencrypt deprecation warnings
|
||||||
|
@ -40,11 +43,13 @@ The **patch** part changes incrementally at each release.
|
||||||
* evolinux-base: split dpkg logrotate configuration
|
* evolinux-base: split dpkg logrotate configuration
|
||||||
* kibana: 7.x by default
|
* kibana: 7.x by default
|
||||||
* listupgrade: upstream release 21.06.3
|
* listupgrade: upstream release 21.06.3
|
||||||
|
* logstash: elastic_stack_version = 7.x
|
||||||
* mysql: mariadb-client-10.5 on Debian 11
|
* mysql: mariadb-client-10.5 on Debian 11
|
||||||
* mysql: use python3 with Debian 11 and later
|
* mysql: use python3 with Debian 11 and later
|
||||||
* squid: improve default whitelist (more specific patterns)
|
* squid: improve default whitelist (more specific patterns)
|
||||||
* squid: must be started in foreground mode for systemd
|
* squid: must be started in foreground mode for systemd
|
||||||
* squid: remove obsolete variable on Squid 4
|
* squid: remove obsolete variable on Squid 4
|
||||||
|
* squid: remove custom systemd unit if present
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
|
|
||||||
|
@ -53,6 +58,7 @@ The **patch** part changes incrementally at each release.
|
||||||
### Removed
|
### Removed
|
||||||
|
|
||||||
* php: remove php-gettext for 7.4
|
* php: remove php-gettext for 7.4
|
||||||
|
* logstash: no more dependency on Java
|
||||||
|
|
||||||
### Security
|
### Security
|
||||||
|
|
||||||
|
|
|
@ -70,6 +70,8 @@
|
||||||
copy:
|
copy:
|
||||||
src: docker.conf
|
src: docker.conf
|
||||||
dest: /etc/systemd/system/docker.service.d/
|
dest: /etc/systemd/system/docker.service.d/
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
notify: reload systemd
|
notify: reload systemd
|
||||||
|
|
||||||
|
|
|
@ -6,7 +6,7 @@
|
||||||
failed_when: False
|
failed_when: False
|
||||||
changed_when: False
|
changed_when: False
|
||||||
tags:
|
tags:
|
||||||
- config
|
- config
|
||||||
|
|
||||||
- name: Maximum map count check
|
- name: Maximum map count check
|
||||||
sysctl:
|
sysctl:
|
||||||
|
@ -15,7 +15,7 @@
|
||||||
sysctl_file: /etc/sysctl.d/elasticsearch.conf
|
sysctl_file: /etc/sysctl.d/elasticsearch.conf
|
||||||
when: max_map_count | int < 262144
|
when: max_map_count | int < 262144
|
||||||
tags:
|
tags:
|
||||||
- config
|
- config
|
||||||
|
|
||||||
- name: bootstrap.memory_lock
|
- name: bootstrap.memory_lock
|
||||||
lineinfile:
|
lineinfile:
|
||||||
|
@ -24,7 +24,7 @@
|
||||||
regexp: "^bootstrap.memory_lock:"
|
regexp: "^bootstrap.memory_lock:"
|
||||||
insertafter: "^# *bootstrap.memory_lock:"
|
insertafter: "^# *bootstrap.memory_lock:"
|
||||||
tags:
|
tags:
|
||||||
- config
|
- config
|
||||||
|
|
||||||
- name: Create a system config directory for systemd overrides
|
- name: Create a system config directory for systemd overrides
|
||||||
file:
|
file:
|
||||||
|
@ -38,6 +38,6 @@
|
||||||
option: "LimitMEMLOCK"
|
option: "LimitMEMLOCK"
|
||||||
value: "infinity"
|
value: "infinity"
|
||||||
notify:
|
notify:
|
||||||
- restart elasticsearch
|
- restart elasticsearch
|
||||||
tags:
|
tags:
|
||||||
- config
|
- config
|
||||||
|
|
|
@ -60,6 +60,9 @@
|
||||||
template:
|
template:
|
||||||
src: elasticsearch-head.service.j2
|
src: elasticsearch-head.service.j2
|
||||||
dest: /etc/systemd/system/elasticsearch-head.service
|
dest: /etc/systemd/system/elasticsearch-head.service
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0644"
|
||||||
tags:
|
tags:
|
||||||
- elasticsearch
|
- elasticsearch
|
||||||
- systemd
|
- systemd
|
||||||
|
|
|
@ -3,6 +3,8 @@
|
||||||
copy:
|
copy:
|
||||||
src: log2mail.service
|
src: log2mail.service
|
||||||
dest: /etc/systemd/system/log2mail.service
|
dest: /etc/systemd/system/log2mail.service
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
|
|
||||||
- name: Remove log2mail sysvinit service
|
- name: Remove log2mail sysvinit service
|
||||||
|
|
|
@ -168,6 +168,8 @@
|
||||||
src: alert5.service
|
src: alert5.service
|
||||||
dest: /etc/systemd/system/alert5.service
|
dest: /etc/systemd/system/alert5.service
|
||||||
force: yes
|
force: yes
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
when:
|
when:
|
||||||
- evolinux_system_alert5_init | bool
|
- evolinux_system_alert5_init | bool
|
||||||
|
|
|
@ -1,8 +1,10 @@
|
||||||
---
|
---
|
||||||
elastic_stack_version: "6.x"
|
elastic_stack_version: "7.x"
|
||||||
|
|
||||||
logstash_jvm_xms: 256m
|
logstash_jvm_xms: 256m
|
||||||
logstash_jvm_xmx: 512g
|
logstash_jvm_xmx: 512g
|
||||||
logstash_log_rotate_days: 365
|
logstash_log_rotate_days: 365
|
||||||
logstash_custom_tmpdir: Null
|
logstash_custom_tmpdir: Null
|
||||||
logstash_default_tmpdir: /var/lib/logstash/tmp
|
logstash_default_tmpdir: /var/lib/logstash/tmp
|
||||||
|
logstash_log_syslog_enabled: True
|
||||||
|
logstash_config_force: True
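Review bot: `logstash_jvm_xmx: 512g` on the context line above the new variables is not part of this change, but a 512 GB maximum heap next to `logstash_jvm_xms: 256m` looks like a typo for `512m`; since two new defaults are being added to the same file, it is worth confirming the intended unit (the template that consumes it is not visible here). The new `logstash_log_syslog_enabled: True` and `logstash_config_force: True` lines would also benefit from a one-line comment each, e.g. `# when False, the unit's stdout/stderr are discarded through a systemd override` and `# when False, an existing configuration file is not overwritten`, because the defaults file is the first place operators look when they need to turn these off.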
|
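--- /dev/null
+++ b/logstash/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+
+- name: restart logstash
+  systemd:
+    name: logstash
+    state: restarted
+    daemon_reload: yes
+
+- name: reload systemd
+  command: systemctl daemon-reload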
@ -24,5 +24,4 @@ galaxy_info:
|
||||||
# NOTE: A tag is limited to a single word comprised of
|
# NOTE: A tag is limited to a single word comprised of
|
||||||
# alphanumeric characters. Maximum 20 tags per role.
|
# alphanumeric characters. Maximum 20 tags per role.
|
||||||
|
|
||||||
dependencies:
|
dependencies: []
|
||||||
- { role: evolix/java, java_alternative: 'openjdk', java_version: 8 }
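Review bot: Dropping the `evolix/java` dependency removes the only place this role installed a JRE, while `elastic_stack_version` stays a user-overridable default, so a host that pins it to 6.x will no longer get Java from this role; if 6.x is still meant to work, either keep the dependency conditional on the version or state the new requirement in the role README. A short comment next to `dependencies: []` such as `# Java is no longer pulled in here (see CHANGELOG); hosts still on 6.x must provide a JRE themselves` would stop the next reader from re-adding it.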
|
|
||||||
|
|
|
@ -16,3 +16,26 @@
|
||||||
group: root
|
group: root
|
||||||
mode: "0750"
|
mode: "0750"
|
||||||
when: is_cron_installed.rc == 0
|
when: is_cron_installed.rc == 0
|
||||||
|
|
||||||
|
- name: "Create a system config directory for systemd overrides"
|
||||||
|
file:
|
||||||
|
path: /etc/systemd/system/logstash.service.d
|
||||||
|
state: directory
|
||||||
|
|
||||||
|
- name: "disable syslog"
|
||||||
|
ini_file:
|
||||||
|
path: /etc/systemd/system/logstash.service.d/override.conf
|
||||||
|
section: Service
|
||||||
|
option: "{{ item.option }}"
|
||||||
|
value: "{{ item.value }}"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0644"
|
||||||
|
create: yes
|
||||||
|
no_extra_spaces: yes
|
||||||
|
state: "{{ logstash_log_syslog_enabled | bool | ternary('absent','present') }}"
|
||||||
|
loop:
|
||||||
|
- { option: "StandardOutput", value: "null" }
|
||||||
|
- { option: "StandardError", value: "null" }
|
||||||
|
notify:
|
||||||
|
- restart logstash
|
|
@ -88,7 +88,7 @@
|
||||||
owner: logstash
|
owner: logstash
|
||||||
group: logstash
|
group: logstash
|
||||||
mode: "0640"
|
mode: "0640"
|
||||||
force: yes
|
force: "{{ logstash_config_force | bool }}"
|
||||||
loop: "{{ query('first_found', templates) }}"
|
loop: "{{ query('first_found', templates) }}"
|
||||||
vars:
|
vars:
|
||||||
templates:
|
templates:
|
||||||
|
|
|
@ -28,6 +28,9 @@
|
||||||
copy:
|
copy:
|
||||||
src: memcached@.service
|
src: memcached@.service
|
||||||
dest: /etc/systemd/system/memcached@.service
|
dest: /etc/systemd/system/memcached@.service
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0644"
|
||||||
tags:
|
tags:
|
||||||
- memcached
|
- memcached
|
||||||
when: memcached_instance_name | length > 0
|
when: memcached_instance_name | length > 0
|
||||||
|
|
|
@ -35,6 +35,9 @@
|
||||||
src: mariadb.systemd.j2
|
src: mariadb.systemd.j2
|
||||||
dest: /etc/systemd/system/mariadb.service.d/evolinux.conf
|
dest: /etc/systemd/system/mariadb.service.d/evolinux.conf
|
||||||
force: yes
|
force: yes
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0644"
|
||||||
register: mariadb_systemd_override
|
register: mariadb_systemd_override
|
||||||
|
|
||||||
- name: reload systemd and restart MariaDB
|
- name: reload systemd and restart MariaDB
|
||||||
|
|
|
@ -32,6 +32,9 @@
|
||||||
copy:
|
copy:
|
||||||
src: systemd/spawn-fcgi-munin-graph.service
|
src: systemd/spawn-fcgi-munin-graph.service
|
||||||
dest: /etc/systemd/system/spawn-fcgi-munin-graph.service
|
dest: /etc/systemd/system/spawn-fcgi-munin-graph.service
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0644"
|
||||||
|
|
||||||
- name: Enable and start Munin-fcgi
|
- name: Enable and start Munin-fcgi
|
||||||
systemd:
|
systemd:
|
||||||
|
|
|
@ -10,6 +10,9 @@
|
||||||
src: postgresql.service.override.conf
|
src: postgresql.service.override.conf
|
||||||
dest: /etc/systemd/system/postgresql@.service.d/override.conf
|
dest: /etc/systemd/system/postgresql@.service.d/override.conf
|
||||||
force: yes
|
force: yes
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0644"
|
||||||
notify:
|
notify:
|
||||||
- reload systemd
|
- reload systemd
|
||||||
- restart postgresql
|
- restart postgresql
|
||||||
|
|
|
@ -19,9 +19,18 @@
|
||||||
template:
|
template:
|
||||||
src: systemd-override.conf.j2
|
src: systemd-override.conf.j2
|
||||||
dest: /etc/systemd/system/squid.service.d/override.conf
|
dest: /etc/systemd/system/squid.service.d/override.conf
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0644"
|
||||||
force: yes
|
force: yes
|
||||||
register: _squid_systemd_override
|
register: _squid_systemd_override
|
||||||
|
|
||||||
|
- name: Disable custom systemd unit if present
|
||||||
|
file:
|
||||||
|
path: /etc/systemd/system/squid.service
|
||||||
|
state: absent
|
||||||
|
register: _squid_systemd_etc
|
||||||
|
|
||||||
- name: "Systemd daemon is reloaded and Squid restarted"
|
- name: "Systemd daemon is reloaded and Squid restarted"
|
||||||
systemd:
|
systemd:
|
||||||
name: squid
|
name: squid
|
||||||
|
@ -29,4 +38,4 @@
|
||||||
daemon_reload: yes
|
daemon_reload: yes
|
||||||
when:
|
when:
|
||||||
- _squid_systemd_active.rc == 0
|
- _squid_systemd_active.rc == 0
|
||||||
- _squid_systemd_override is changed
|
- _squid_systemd_override is changed or _squid_systemd_etc is changed
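Review bot: The new `Disable custom systemd unit if present` task deletes `/etc/systemd/system/squid.service` without a comment explaining why, and the reason is not obvious next to a template that writes `squid.service.d/override.conf`; a full unit at that path shadows the packaged one, so the drop-in would never apply, which is worth stating inline, e.g. `# A full unit here shadows the packaged one and our override.conf; remove it so the drop-in applies`. If such a unit had been enabled, the `.wants` symlink will now point at a removed file — presumably harmless after `daemon_reload`, but worth confirming on a host that actually had the custom unit before relying on the extended `when:` condition.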
|
||||||
|
|
|
@ -1,5 +1,8 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
|
varnish_user: vcache
|
||||||
|
varnish_group: varnish
|
||||||
|
|
||||||
varnish_addresses:
|
varnish_addresses:
|
||||||
- 0.0.0.0:80
|
- 0.0.0.0:80
|
||||||
|
|
||||||
|
@ -13,7 +16,7 @@ varnish_thread_pools: "{{ ansible_processor_cores * ansible_processor_count }}"
|
||||||
varnish_thread_pool_add_delay: 0
|
varnish_thread_pool_add_delay: 0
|
||||||
varnish_thread_pool_min: 500
|
varnish_thread_pool_min: 500
|
||||||
varnish_thread_pool_max: 5000
|
varnish_thread_pool_max: 5000
|
||||||
varnish_jail: "unix,user=vcache"
|
varnish_jail: "unix,user={{ varnish_user }}"
|
||||||
|
|
||||||
varnish_config_file: /etc/varnish/default.vcl
|
varnish_config_file: /etc/varnish/default.vcl
|
||||||
varnish_secret_file: /etc/varnish/secret
|
varnish_secret_file: /etc/varnish/secret
|
||||||
|
|
|
@ -43,6 +43,9 @@
|
||||||
src: varnish.conf.jessie.j2
|
src: varnish.conf.jessie.j2
|
||||||
dest: /etc/systemd/system/varnish.service.d/evolinux.conf
|
dest: /etc/systemd/system/varnish.service.d/evolinux.conf
|
||||||
force: yes
|
force: yes
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0644"
|
||||||
when: ansible_distribution_major_version is version('10', '<')
|
when: ansible_distribution_major_version is version('10', '<')
|
||||||
notify:
|
notify:
|
||||||
- reload systemd
|
- reload systemd
|
||||||
|
@ -58,6 +61,9 @@
|
||||||
src: varnish.conf.buster.j2
|
src: varnish.conf.buster.j2
|
||||||
dest: /etc/systemd/system/varnish.service.d/evolinux.conf
|
dest: /etc/systemd/system/varnish.service.d/evolinux.conf
|
||||||
force: yes
|
force: yes
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0644"
|
||||||
when: ansible_distribution_major_version is version('10', '>=')
|
when: ansible_distribution_major_version is version('10', '>=')
|
||||||
notify:
|
notify:
|
||||||
- reload systemd
|
- reload systemd
|
||||||
|
@ -79,12 +85,50 @@
|
||||||
- varnish
|
- varnish
|
||||||
- logrotate
|
- logrotate
|
||||||
|
|
||||||
|
- name: Special tmp directory for config validations
|
||||||
|
file:
|
||||||
|
path: /var/tmp-vcache
|
||||||
|
state: directory
|
||||||
|
mode: "0755"
|
||||||
|
owner: "{{ varnish_user }}"
|
||||||
|
group: "{{ varnish_group }}"
|
||||||
|
tags:
|
||||||
|
- varnish
|
||||||
|
- config
|
||||||
|
|
||||||
|
- name: Create Varnish config dir
|
||||||
|
file:
|
||||||
|
path: /etc/varnish/conf.d
|
||||||
|
state: directory
|
||||||
|
mode: "0755"
|
||||||
|
tags:
|
||||||
|
- varnish
|
||||||
|
- config
|
||||||
|
- update-config
|
||||||
|
|
||||||
|
# First, copy included files
|
||||||
|
- name: Copy included Varnish config
|
||||||
|
template:
|
||||||
|
src: "{{ item }}"
|
||||||
|
dest: /etc/varnish/conf.d/
|
||||||
|
mode: "0644"
|
||||||
|
force: yes
|
||||||
|
with_fileglob:
|
||||||
|
- "templates/varnish/conf.d/*.vcl"
|
||||||
|
notify: reload varnish
|
||||||
|
tags:
|
||||||
|
- varnish
|
||||||
|
- config
|
||||||
|
- update-config
|
||||||
|
|
||||||
|
# Then, copy main configuration
|
||||||
- name: Copy Varnish configuration
|
- name: Copy Varnish configuration
|
||||||
template:
|
template:
|
||||||
src: "{{ item }}"
|
src: "{{ item }}"
|
||||||
dest: "{{ varnish_config_file }}"
|
dest: "{{ varnish_config_file }}"
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
force: yes
|
force: yes
|
||||||
|
validate: "sudo -u {{ varnish_user }} TMPDIR=/var/tmp-vcache varnishd -Cf %s > /dev/null"
|
||||||
loop: "{{ query('first_found', templates) }}"
|
loop: "{{ query('first_found', templates) }}"
|
||||||
vars:
|
vars:
|
||||||
templates:
|
templates:
|
||||||
|
@ -102,28 +146,4 @@
|
||||||
- config
|
- config
|
||||||
- update-config
|
- update-config
|
||||||
|
|
||||||
- name: Create Varnish config dir
|
|
||||||
file:
|
|
||||||
path: /etc/varnish/conf.d
|
|
||||||
state: directory
|
|
||||||
mode: "0755"
|
|
||||||
tags:
|
|
||||||
- varnish
|
|
||||||
- config
|
|
||||||
- update-config
|
|
||||||
|
|
||||||
- name: Copy included Varnish config
|
|
||||||
template:
|
|
||||||
src: "{{ item }}"
|
|
||||||
dest: /etc/varnish/conf.d/
|
|
||||||
force: yes
|
|
||||||
mode: "0644"
|
|
||||||
with_fileglob:
|
|
||||||
- "templates/varnish/conf.d/*.vcl"
|
|
||||||
notify: reload varnish
|
|
||||||
tags:
|
|
||||||
- varnish
|
|
||||||
- config
|
|
||||||
- update-config
|
|
||||||
|
|
||||||
- include: munin.yml
|
- include: munin.yml
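Review bot: The `validate:` line added in the `-79,12 +85,50` hunk ends with `> /dev/null`, but Ansible runs the validate command without a shell (the copy/template module documentation says shell features such as redirects and pipes do not work there), so `>` and `/dev/null` reach `varnishd` as two extra positional arguments instead of a redirect; unless varnishd is known to ignore stray arguments, drop the redirect — Ansible captures the command's stdout anyway and only shows it on failure. The validation also runs as `{{ varnish_user }}` via `sudo -u` against the temporary file Ansible substitutes for `%s`; that file is created by the connecting (root) user, so whether `varnish_user` can read it should be verified on a target, otherwise every run fails with a permission error rather than a syntax check. `/var/tmp-vcache` is created `0755` although only `varnish_user` needs it, and whatever varnishd writes there while compiling can expose backend definitions from the VCL, so `mode: "0750"` (or `0700`) is the least-privilege choice. The task list continues past the last hunk of this section.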
|
||||||
|
|