logstash: no more dependency on Java

CHANGELOG.md

@@ -17,17 +17,20 @@ The **patch** part changes incrementally at each release.
 * certbot: add script for manual deploy hooks execution
 * evolinux-base: install molly-guard by default
 * listupgrade: crontab is configurable
+* logstash: logging to syslog is configurable (default: True)
 * mongodb: create munin plugins directory if missing
 * mysql: script "mysql_connections" to display a compact list of connections
 * mysql: script "mysql-queries-killer.sh" to kill MySQL queries
 * nagios-nrpe + evolinux-users: new checks for bkctld
 * redis: instance service for Debian 11
 * squid: add *.o.lencr.org to default whitelist
+* varnish: validate configuration
 
 ### Changed
 
 * Use python3 modules for Debian 11 and later
 * Remove embedded GPG keys only if legacy keyring is present
+* systemd files : 644 permissions and owner/group
 * apt: remove workaround for Evolix public repositories with Debian 11
 * apt: use the new security repository for Bullseye
 * certbot: silence letsencrypt deprecation warnings
@@ -40,11 +43,13 @@ The **patch** part changes incrementally at each release.
 * evolinux-base: split dpkg logrotate configuration
 * kibana: 7.x by default
 * listupgrade: upstream release 21.06.3
+* logstash: elastic_stack_version = 7.x
 * mysql: mariadb-client-10.5 on Debian 11
 * mysql: use python3 with Debian 11 and later
 * squid: improve default whitelist (more specific patterns)
 * squid: must be started in foreground mode for systemd
 * squid: remove obsolete variable on Squid 4
+* squid: remove custom systemd unit if present
 
 ### Fixed
 
@@ -53,6 +58,7 @@ The **patch** part changes incrementally at each release.
 ### Removed
 
 * php: remove php-gettext for 7.4
+* logstash: no more dependency on Java
 
 ### Security
 

docker-host/tasks/main.yml

@@ -70,6 +70,8 @@
   copy:
     src: docker.conf
     dest: /etc/systemd/system/docker.service.d/
+    owner: root
+    group: root
     mode: "0644"
   notify: reload systemd
 

elasticsearch/tasks/bootstrap_checks.yml

@@ -6,7 +6,7 @@
   failed_when: False
   changed_when: False
   tags:
-  - config
+    - config
 
 - name: Maximum map count check
   sysctl:
@@ -15,7 +15,7 @@
     sysctl_file: /etc/sysctl.d/elasticsearch.conf
   when: max_map_count | int < 262144
   tags:
-  - config
+    - config
 
 - name: bootstrap.memory_lock
   lineinfile:
@@ -24,7 +24,7 @@
     regexp: "^bootstrap.memory_lock:"
     insertafter: "^# *bootstrap.memory_lock:"
   tags:
-  - config
+    - config
 
 - name: Create a system config directory for systemd overrides
   file:
@@ -38,6 +38,6 @@
     option: "LimitMEMLOCK"
     value: "infinity"
   notify:
-  - restart elasticsearch
+    - restart elasticsearch
   tags:
-  - config
+    - config

elasticsearch/tasks/plugin_head.yml

@@ -60,6 +60,9 @@
   template:
     src: elasticsearch-head.service.j2
     dest: /etc/systemd/system/elasticsearch-head.service
+    owner: root
+    group: root
+    mode: "0644"
   tags:
     - elasticsearch
     - systemd

evolinux-base/tasks/log2mail.yml

@@ -3,6 +3,8 @@
   copy:
     src: log2mail.service
     dest: /etc/systemd/system/log2mail.service
+    owner: root
+    group: root
     mode: "0644"
 
 - name: Remove log2mail sysvinit service

evolinux-base/tasks/system.yml

@@ -168,6 +168,8 @@
     src: alert5.service
     dest: /etc/systemd/system/alert5.service
     force: yes
+    owner: root
+    group: root
     mode: "0644"
   when:
     - evolinux_system_alert5_init | bool

logstash/defaults/main.yml

@@ -1,8 +1,10 @@
 ---
-elastic_stack_version: "6.x"
+elastic_stack_version: "7.x"
 
 logstash_jvm_xms: 256m
 logstash_jvm_xmx: 512g
 logstash_log_rotate_days: 365
 logstash_custom_tmpdir: Null
 logstash_default_tmpdir: /var/lib/logstash/tmp
+logstash_log_syslog_enabled: True
+logstash_config_force: True

logstash/handlers/main.yml

@@ -0,0 +1,10 @@
+---
+
+- name: restart logstash
+  systemd:
+    name: logstash
+    state: restarted
+    daemon_reload: yes
+
+- name: reload systemd
+  command: systemctl daemon-reload

logstash/meta/main.yml

@@ -24,5 +24,4 @@ galaxy_info:
     # NOTE: A tag is limited to a single word comprised of
     # alphanumeric characters. Maximum 20 tags per role.
 
-dependencies:
+dependencies: []
-  - { role: evolix/java, java_alternative: 'openjdk', java_version: 8 }

logstash/tasks/logs.yml

@@ -16,3 +16,26 @@
     group: root
     mode: "0750"
   when: is_cron_installed.rc == 0
+
+- name: "Create a system config directory for systemd overrides"
+  file:
+    path: /etc/systemd/system/logstash.service.d
+    state: directory
+
+- name: "disable syslog"
+  ini_file:
+    path: /etc/systemd/system/logstash.service.d/override.conf
+    section: Service
+    option: "{{ item.option }}"
+    value: "{{ item.value }}"
+    owner: root
+    group: root
+    mode: "0644"
+    create: yes
+    no_extra_spaces: yes
+    state: "{{ logstash_log_syslog_enabled | bool | ternary('absent','present') }}"
+  loop:
+    - { option: "StandardOutput", value: "null" }
+    - { option: "StandardError",  value: "null" }
+  notify:
+    - restart logstash

logstash/tasks/main.yml

@@ -88,7 +88,7 @@
     owner: logstash
     group: logstash
     mode: "0640"
-    force: yes
+    force: "{{ logstash_config_force | bool }}"
   loop: "{{ query('first_found', templates) }}"
   vars:
     templates:

memcached/tasks/main.yml

@@ -28,6 +28,9 @@
   copy:
     src: memcached@.service
     dest: /etc/systemd/system/memcached@.service
+    owner: root
+    group: root
+    mode: "0644"
   tags:
     - memcached
   when: memcached_instance_name | length > 0

mysql/tasks/config_stretch.yml

@@ -35,6 +35,9 @@
     src: mariadb.systemd.j2
     dest: /etc/systemd/system/mariadb.service.d/evolinux.conf
     force: yes
+    owner: root
+    group: root
+    mode: "0644"
   register: mariadb_systemd_override
 
 - name: reload systemd and restart MariaDB

nginx/tasks/munin_vhost.yml

@@ -32,6 +32,9 @@
   copy:
     src: systemd/spawn-fcgi-munin-graph.service
     dest: /etc/systemd/system/spawn-fcgi-munin-graph.service
+    owner: root
+    group: root
+    mode: "0644"
 
 - name: Enable and start Munin-fcgi
   systemd:

postgresql/tasks/config.yml

@@ -10,6 +10,9 @@
     src: postgresql.service.override.conf
     dest: /etc/systemd/system/postgresql@.service.d/override.conf
     force: yes
+    owner: root
+    group: root
+    mode: "0644"
   notify:
     - reload systemd
     - restart postgresql

squid/tasks/systemd.yml

@@ -19,9 +19,18 @@
   template:
     src: systemd-override.conf.j2
     dest: /etc/systemd/system/squid.service.d/override.conf
+    owner: root
+    group: root
+    mode: "0644"
     force: yes
   register: _squid_systemd_override
 
+- name: Disable custom systemd unit if present
+  file:
+    path: /etc/systemd/system/squid.service
+  state: absent
+  register: _squid_systemd_etc
+
 - name: "Systemd daemon is reloaded and Squid restarted"
   systemd:
     name: squid
@@ -29,4 +38,4 @@
     daemon_reload: yes
   when:
     - _squid_systemd_active.rc == 0
-    - _squid_systemd_override is changed
+    - _squid_systemd_override is changed or _squid_systemd_etc is changed

varnish/defaults/main.yml

@@ -1,5 +1,8 @@
 ---
 
+varnish_user: vcache
+varnish_group: varnish
+
 varnish_addresses:
   - 0.0.0.0:80
 
@@ -13,7 +16,7 @@ varnish_thread_pools: "{{ ansible_processor_cores * ansible_processor_count }}"
 varnish_thread_pool_add_delay: 0
 varnish_thread_pool_min: 500
 varnish_thread_pool_max: 5000
-varnish_jail: "unix,user=vcache"
+varnish_jail: "unix,user={{ varnish_user }}"
 
 varnish_config_file: /etc/varnish/default.vcl
 varnish_secret_file: /etc/varnish/secret

varnish/tasks/main.yml

@@ -43,6 +43,9 @@
     src: varnish.conf.jessie.j2
     dest: /etc/systemd/system/varnish.service.d/evolinux.conf
     force: yes
+    owner: root
+    group: root
+    mode: "0644"
   when: ansible_distribution_major_version is version('10', '<')
   notify:
     - reload systemd
@@ -58,6 +61,9 @@
     src: varnish.conf.buster.j2
     dest: /etc/systemd/system/varnish.service.d/evolinux.conf
     force: yes
+    owner: root
+    group: root
+    mode: "0644"
   when: ansible_distribution_major_version is version('10', '>=')
   notify:
     - reload systemd
@@ -79,12 +85,50 @@
     - varnish
     - logrotate
 
+- name: Special tmp directory for config validations
+  file:
+    path: /var/tmp-vcache
+    state: directory
+    mode: "0755"
+    owner: "{{ varnish_user }}"
+    group: "{{ varnish_group }}"
+  tags:
+    - varnish
+    - config
+
+- name: Create Varnish config dir
+  file:
+    path: /etc/varnish/conf.d
+    state: directory
+    mode: "0755"
+  tags:
+    - varnish
+    - config
+    - update-config
+
+# First, copy included files
+- name: Copy included Varnish config
+  template:
+    src: "{{ item }}"
+    dest: /etc/varnish/conf.d/
+    mode: "0644"
+    force: yes
+  with_fileglob:
+    - "templates/varnish/conf.d/*.vcl"
+  notify: reload varnish
+  tags:
+    - varnish
+    - config
+    - update-config
+
+# Then, copy main configuration
 - name: Copy Varnish configuration
   template:
     src: "{{ item }}"
     dest: "{{ varnish_config_file }}"
     mode: "0644"
     force: yes
+    validate: "sudo -u {{ varnish_user }} TMPDIR=/var/tmp-vcache varnishd -Cf %s > /dev/null"
   loop: "{{ query('first_found', templates) }}"
   vars:
     templates:
@@ -102,28 +146,4 @@
     - config
     - update-config
 
-- name: Create Varnish config dir
-  file:
-    path: /etc/varnish/conf.d
-    state: directory
-    mode: "0755"
-  tags:
-    - varnish
-    - config
-    - update-config
-
-- name: Copy included Varnish config
-  template:
-    src: "{{ item }}"
-    dest: /etc/varnish/conf.d/
-    force: yes
-    mode: "0644"
-  with_fileglob:
-    - "templates/varnish/conf.d/*.vcl"
-  notify: reload varnish
-  tags:
-    - varnish
-    - config
-    - update-config
-
 - include: munin.yml