Compare commits
38 commits
Author | SHA1 | Date | |
---|---|---|---|
c45ac84334 | |||
9d8d0776d7 | |||
63d12e4dcf | |||
e1aee69c9d | |||
6e64e6498f | |||
19962e2ac9 | |||
72a387ade4 | |||
c63bb0c49c | |||
eed3c01b6c | |||
92775ddc6c | |||
4fa1023780 | |||
eac096fd0b | |||
Jérémy Lecour | 6f07c77f10 | ||
Jérémy Lecour | efa7e44fe0 | ||
cba87f594c | |||
ff9e1e80aa | |||
8d352f100e | |||
5385db2b16 | |||
Jérémy Lecour | af5573980d | ||
Eric Morino | 148a383cf1 | ||
Ludovic Poujol | eeffa69c9d | ||
Jérémy Lecour | b439aeb739 | ||
Jérémy Lecour | e27fb3cee7 | ||
Jérémy Lecour | 98cf6446d7 | ||
Jérémy Lecour | bf9f28dc9f | ||
Jérémy Lecour | bd3c864ba4 | ||
Jérémy Lecour | 08c5d8d427 | ||
Jérémy Lecour | aec0ecea99 | ||
Jérémy Lecour | 5bca101457 | ||
Jérémy Lecour | 02e50580e2 | ||
Jérémy Lecour | 124af46b7f | ||
8918f0ecec | |||
74adcb08e8 | |||
99e8e74db8 | |||
bd821b7a06 | |||
Benoît S. | b459eab77a | ||
Benoît S. | 682191889f | ||
Benoît S. | ac66ede677 |
28
CHANGELOG.md
28
CHANGELOG.md
|
@ -10,19 +10,39 @@ The **patch** part changes incrementally at each release.
|
|||
|
||||
## [Unreleased]
|
||||
|
||||
* Ubuntu 18.04 support
|
||||
|
||||
### Added
|
||||
|
||||
### Changed
|
||||
* elasticsearch: listen on local interface only by default
|
||||
|
||||
### Fixed
|
||||
* lxc-php: Don't remove the default pool
|
||||
|
||||
### Security
|
||||
|
||||
## [9.10.1] - 2019-06-21
|
||||
|
||||
### Changed
|
||||
* evocheck : update (version 19.06) from upstream
|
||||
|
||||
## [9.10.0] - 2019-06-21
|
||||
|
||||
### Added
|
||||
* apache: add server status suffix in VHost (and default site) if missing
|
||||
* apache: add a variable to customize the server-status host
|
||||
* apt: add a script to manage packages with "hold" mark
|
||||
* etc-git: gitignore /etc/letsencrypt/.certbot.lock
|
||||
* evolinux-base: install "spectre-meltdown-checker" (Debian 10 and later)
|
||||
* evomaintenance: make hooks configurable
|
||||
* nginx: add server status suffix in VHost (and default site) if missing
|
||||
* redmine: enable gzip compression in nginx vhost
|
||||
|
||||
### Changed
|
||||
* evocheck : version 19.04 from upstream
|
||||
* evocheck : update (unreleased) from upstream
|
||||
* evomaintenance : use the web API instead of PG Insert
|
||||
* rbenv: update defaults rbenv version to 1.1.2 and ruby version to 2.5.5
|
||||
* fluentd: store gpg key locally
|
||||
* rbenv: update defaults rbenv version to 1.1.2 and ruby version to 2.6.3
|
||||
* redmine: update default version to 4.0.3
|
||||
* nagios-nrpe: change required status code for http and https check
|
||||
* redmine: use custom errors-pages in Nginx vhost
|
||||
|
@ -39,8 +59,6 @@ The **patch** part changes incrementally at each release.
|
|||
* evolinux-users: Validate sshd config with "-t" instead of "-T"
|
||||
* nagios-nrpe: Replace the dummy packages nagios-plugins-* with monitoring-plugins-*
|
||||
|
||||
### Security
|
||||
|
||||
## [9.9.0] - 2019-04-16
|
||||
|
||||
### Added
|
||||
|
|
|
@ -19,3 +19,5 @@ apache_munin_include: True
|
|||
|
||||
general_alert_email: "root@localhost"
|
||||
log2mail_alert_email: Null
|
||||
|
||||
apache_serverstatus_host: 127.0.0.1
|
||||
|
|
|
@ -62,7 +62,8 @@
|
|||
- name: apache-status URL is configured for Munin
|
||||
lineinfile:
|
||||
dest: /etc/munin/plugin-conf.d/munin-node
|
||||
line: "env.url http://127.0.0.1/server-status-{{ apache_serverstatus_suffix }}?auto"
|
||||
regexp: "env.url http://127.0.0.1/server-status"
|
||||
line: "env.url http://{{ apache_serverstatus_host }}/server-status-{{ apache_serverstatus_suffix }}?auto"
|
||||
regexp: 'env.url http://[^\\/]+/server-status'
|
||||
insertafter: "[apache_*]"
|
||||
create: no
|
||||
notify: restart munin-node
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
regexp: "backports"
|
||||
state: absent
|
||||
tags:
|
||||
- apt
|
||||
- apt
|
||||
|
||||
- name: Backports sources list is installed
|
||||
template:
|
||||
|
@ -15,7 +15,7 @@
|
|||
mode: "0640"
|
||||
register: apt_backports_list
|
||||
tags:
|
||||
- apt
|
||||
- apt
|
||||
|
||||
- name: Backports configuration
|
||||
copy:
|
||||
|
@ -25,7 +25,7 @@
|
|||
mode: "0640"
|
||||
register: apt_backports_config
|
||||
tags:
|
||||
- apt
|
||||
- apt
|
||||
|
||||
- name: Archived backport are accepted (jessie)
|
||||
lineinfile:
|
||||
|
@ -34,10 +34,12 @@
|
|||
create: yes
|
||||
state: present
|
||||
when: ansible_lsb.codename == "jessie"
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: Apt update
|
||||
apt:
|
||||
update_cache: yes
|
||||
when: apt_backports_list | changed or apt_backports_config | changed
|
||||
tags:
|
||||
- apt
|
||||
- apt
|
||||
|
|
|
@ -8,21 +8,23 @@
|
|||
force: yes
|
||||
register: apt_basic_list
|
||||
tags:
|
||||
- apt
|
||||
- apt
|
||||
|
||||
- name: Clean GANDI sources.list.d/debian-security.list
|
||||
file:
|
||||
path: '{{ item }}'
|
||||
state: absent
|
||||
with_items:
|
||||
- /etc/apt/sources.list.d/debian-security.list
|
||||
- /etc/apt/sources.list.d/debian-stretch.list
|
||||
- /etc/apt/sources.list.d/debian-update.list
|
||||
- /etc/apt/sources.list.d/debian-security.list
|
||||
- /etc/apt/sources.list.d/debian-stretch.list
|
||||
- /etc/apt/sources.list.d/debian-update.list
|
||||
when: apt_clean_gandi_sourceslist
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: Apt update
|
||||
apt:
|
||||
update_cache: yes
|
||||
when: apt_basic_list | changed
|
||||
tags:
|
||||
- apt
|
||||
- apt
|
||||
|
|
|
@ -9,9 +9,11 @@
|
|||
state: present
|
||||
mode: "0640"
|
||||
with_items:
|
||||
- { line: "APT::Install-Recommends \"false\";", regexp: 'APT::Install-Recommends' }
|
||||
- { line: "APT::Install-Suggests \"false\";", regexp: 'APT::Install-Suggests' }
|
||||
- { line: "APT::Install-Recommends \"false\";", regexp: 'APT::Install-Recommends' }
|
||||
- { line: "APT::Install-Suggests \"false\";", regexp: 'APT::Install-Suggests' }
|
||||
when: apt_evolinux_config
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: DPkg invoke hooks
|
||||
lineinfile:
|
||||
|
@ -21,24 +23,32 @@
|
|||
state: present
|
||||
mode: "0640"
|
||||
with_items:
|
||||
- "DPkg::Pre-Invoke { \"df /tmp | grep -q /tmp && mount -oremount,exec /tmp || true\"; };"
|
||||
- "DPkg::Pre-Invoke { \"df /usr | grep -q /usr && mount -oremount,rw /usr || true\"; };"
|
||||
- "DPkg::Post-Invoke { \"df /tmp | grep -q /tmp && mount -oremount /tmp || true\"; };"
|
||||
- "DPkg::Post-Invoke { \"df /usr | grep -q /usr && mount -oremount /usr || true\"; };"
|
||||
- "DPkg::Pre-Invoke { \"df /tmp | grep -q /tmp && mount -oremount,exec /tmp || true\"; };"
|
||||
- "DPkg::Pre-Invoke { \"df /usr | grep -q /usr && mount -oremount,rw /usr || true\"; };"
|
||||
- "DPkg::Post-Invoke { \"df /tmp | grep -q /tmp && mount -oremount /tmp || true\"; };"
|
||||
- "DPkg::Post-Invoke { \"df /usr | grep -q /usr && mount -oremount /usr || true\"; };"
|
||||
when: apt_hooks
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: Remove Aptitude
|
||||
apt:
|
||||
name: aptitude
|
||||
state: absent
|
||||
when: apt_remove_aptitude
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: Updating APT cache
|
||||
apt:
|
||||
update_cache: yes
|
||||
changed_when: False
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: Upgrading system
|
||||
apt:
|
||||
upgrade: dist
|
||||
when: apt_upgrade
|
||||
tags:
|
||||
- apt
|
||||
|
|
|
@ -12,8 +12,10 @@
|
|||
apt_key:
|
||||
#url: http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x44975278B8612B5D
|
||||
data: "{{ lookup('file', 'reg.gpg') }}"
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: Evolix public list is installed
|
||||
- name: Evolix public list is installed (only for Debian)
|
||||
template:
|
||||
src: evolix_public.list.j2
|
||||
dest: /etc/apt/sources.list.d/evolix_public.list
|
||||
|
@ -21,11 +23,12 @@
|
|||
mode: "0640"
|
||||
register: apt_evolix_public
|
||||
tags:
|
||||
- apt
|
||||
- apt
|
||||
when: ansible_distribution == "Debian"
|
||||
|
||||
- name: Apt update
|
||||
apt:
|
||||
update_cache: yes
|
||||
when: apt_evolix_public | changed
|
||||
tags:
|
||||
- apt
|
||||
- apt
|
||||
|
|
|
@ -5,6 +5,8 @@
|
|||
register: apt_mark
|
||||
changed_when: "'{{ item }} set on hold.' in apt_mark.stdout"
|
||||
with_items: "{{ apt_hold_packages }}"
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: "hold packages (config)"
|
||||
lineinfile:
|
||||
|
@ -13,12 +15,16 @@
|
|||
create: True
|
||||
state: present
|
||||
with_items: "{{ apt_hold_packages }}"
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: "unhold packages (apt)"
|
||||
shell: "(apt-mark showhold | grep --quiet {{ item }}) && apt-mark unhold {{ item }}"
|
||||
register: apt_mark
|
||||
changed_when: "'Canceled hold on {{ item }}.' in apt_mark.stdout"
|
||||
with_items: "{{ apt_unhold_packages }}"
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: "unhold packages (config)"
|
||||
lineinfile:
|
||||
|
@ -27,6 +33,8 @@
|
|||
create: True
|
||||
state: absent
|
||||
with_items: "{{ apt_unhold_packages }}"
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: /usr/share/scripts exists
|
||||
file:
|
||||
|
@ -35,6 +43,8 @@
|
|||
owner: root
|
||||
group: root
|
||||
state: directory
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: Check scripts is installed
|
||||
copy:
|
||||
|
@ -42,6 +52,8 @@
|
|||
dest: /usr/share/scripts/check_held_packages.sh
|
||||
force: yes
|
||||
mode: "0755"
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: Check for held packages (script)
|
||||
cron:
|
||||
|
@ -55,3 +67,5 @@
|
|||
day: "{{ apt_check_hold_cron_day }}"
|
||||
month: "{{ apt_check_hold_cron_month }}"
|
||||
state: "present"
|
||||
tags:
|
||||
- apt
|
||||
|
|
|
@ -2,38 +2,38 @@
|
|||
|
||||
- name: "Compatibility check"
|
||||
fail:
|
||||
msg: only compatible with Debian >= 8
|
||||
msg: only compatible with Debian >= 8 AND Ubuntu >= 18.04
|
||||
when:
|
||||
- ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<')
|
||||
- (ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<')) and (ansible_distribution != "Ubuntu" or ansible_distribution_major_version | version_compare('18', '<'))
|
||||
tags:
|
||||
- apt
|
||||
- apt
|
||||
|
||||
- name: Custom configuration
|
||||
include: config.yml
|
||||
when: apt_config
|
||||
tags:
|
||||
- apt
|
||||
- apt
|
||||
|
||||
- name: Install basics repositories
|
||||
include: basics.yml
|
||||
when: apt_install_basics
|
||||
tags:
|
||||
- apt
|
||||
- apt
|
||||
|
||||
- name: Install APT Backports repository
|
||||
include: backports.yml
|
||||
when: apt_install_backports
|
||||
tags:
|
||||
- apt
|
||||
- apt
|
||||
|
||||
- name: Install Evolix Public APT repository
|
||||
include: evolix_public.yml
|
||||
when: apt_install_evolix_public
|
||||
tags:
|
||||
- apt
|
||||
- apt
|
||||
|
||||
- name: Install check for packages marked hold
|
||||
include: hold_packages.yml
|
||||
when: apt_install_hold_packages
|
||||
tags:
|
||||
- apt
|
||||
- apt
|
||||
|
|
5
apt/templates/bionic_basics.list.j2
Normal file
5
apt/templates/bionic_basics.list.j2
Normal file
|
@ -0,0 +1,5 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
deb http://archive.ubuntu.com/ubuntu/ bionic {{ apt_basics_components | mandatory }}
|
||||
deb http://archive.ubuntu.com/ubuntu/ bionic-updates {{ apt_basics_components | mandatory }}
|
||||
deb http://security.ubuntu.com/ubuntu bionic-security {{ apt_basics_components | mandatory }}
|
|
@ -27,7 +27,7 @@ Tasks are extracted in several files, included in `tasks/main.yml` :
|
|||
* `elasticsearch_jvm_xmx`: maximum heap size reserved for the JVM (default: `2g`).
|
||||
* `elasticsearch_restart_on_upgrade`: restart the service after package upgrade (default: `true`)
|
||||
|
||||
By default, Elasticsearch will listen to the public interfaces (`_site_` cf. https://www.elastic.co/guide/en/elasticsearch/reference/5.0/important-settings.html#network.host), so you will have to secure it, with firewall rules for example.
|
||||
By default, Elasticsearch will listen to the local interface (`_local_` cf. https://www.elastic.co/guide/en/elasticsearch/reference/5.0/important-settings.html#network.host).
|
||||
|
||||
## Curator
|
||||
|
||||
|
|
|
@ -5,7 +5,7 @@ elasticsearch_cluster_name: Null
|
|||
elasticsearch_cluster_members: Null
|
||||
elasticsearch_minimum_master_nodes: Null
|
||||
elasticsearch_node_name: "${HOSTNAME}"
|
||||
elasticsearch_network_host: "[_site_, _local_]"
|
||||
elasticsearch_network_host: "[_local_]"
|
||||
elasticsearch_network_publish_host: Null
|
||||
elasticsearch_http_publish_host: Null
|
||||
elasticsearch_custom_datadir: Null
|
||||
|
|
|
@ -315,7 +315,7 @@ check_nrpeperms() {
|
|||
}
|
||||
check_minifwperms() {
|
||||
if [ -f "$MINIFW_FILE" ]; then
|
||||
actual=$(stat --format "%a" $MINIFW_FILE)
|
||||
actual=$(stat --format "%a" "$MINIFW_FILE")
|
||||
expected="600"
|
||||
test "$expected" = "$actual" || failed "IS_MINIFWPERMS"
|
||||
fi
|
||||
|
@ -386,7 +386,7 @@ check_raidsoft() {
|
|||
}
|
||||
# Verification du LogFormat de AWStats
|
||||
check_awstatslogformat() {
|
||||
if is_installed apache2.2-common awstats; then
|
||||
if is_installed apache2 awstats; then
|
||||
grep -qE '^LogFormat=1' /etc/awstats/awstats.conf.local \
|
||||
|| failed "IS_AWSTATSLOGFORMAT"
|
||||
fi
|
||||
|
@ -531,20 +531,30 @@ check_userlogrotate() {
|
|||
}
|
||||
# Verification de la syntaxe de la conf d'Apache
|
||||
check_apachectl() {
|
||||
if is_installed apache2.2-common; then
|
||||
if is_installed apache2; then
|
||||
/usr/sbin/apache2ctl configtest 2>&1 | grep -q "^Syntax OK$" || failed "IS_APACHECTL"
|
||||
fi
|
||||
}
|
||||
# Check if there is regular files in Apache sites-enabled.
|
||||
check_apachesymlink() {
|
||||
if is_installed apache2.2-common; then
|
||||
stat -c %F /etc/apache2/sites-enabled/* | grep -q regular && failed "IS_APACHESYMLINK"
|
||||
if is_installed apache2; then
|
||||
apacheFind=$(find /etc/apache2/sites-enabled ! -type l -type f -print)
|
||||
nbApacheFind=$(wc -m <<< "$apacheFind")
|
||||
if [[ $nbApacheFind -gt 1 ]]; then
|
||||
if [[ $VERBOSE == 1 ]]; then
|
||||
while read -r line; do
|
||||
failed "IS_APACHESYMLINK" "Not a symlink: $line"
|
||||
done <<< "$apacheFind"
|
||||
else
|
||||
failed "IS_APACHESYMLINK"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
# Check if there is real IP addresses in Allow/Deny directives (no trailing space, inline comments or so).
|
||||
check_apacheipinallow() {
|
||||
# Note: Replace "exit 1" by "print" in Perl code to debug it.
|
||||
if is_installed apache2.2-common; then
|
||||
if is_installed apache2; then
|
||||
grep -IrE "^[^#] *(Allow|Deny) from" /etc/apache2/ \
|
||||
| grep -iv "from all" \
|
||||
| grep -iv "env=" \
|
||||
|
@ -559,7 +569,7 @@ check_muninapacheconf() {
|
|||
else
|
||||
muninconf="/etc/apache2/conf-available/munin.conf"
|
||||
fi
|
||||
if is_installed apache2.2-common; then
|
||||
if is_installed apache2; then
|
||||
test -e $muninconf && grep -vEq "^( |\t)*#" "$muninconf" && failed "IS_MUNINAPACHECONF"
|
||||
fi
|
||||
}
|
||||
|
@ -881,12 +891,17 @@ check_mysqlmunin() {
|
|||
}
|
||||
check_mysqlnrpe() {
|
||||
if is_debian_stretch && is_installed mariadb-server; then
|
||||
nagios_file="~nagios/.my.cnf"
|
||||
{ test -f $nagios_file \
|
||||
&& [ "$(stat -c %U $nagios_file)" = "nagios" ] \
|
||||
&& [ "$(stat -c %a $nagios_file)" = "600" ] \
|
||||
&& grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost -f $nagios_file";
|
||||
} || failed "IS_MYSQLNRPE"
|
||||
nagios_file=~nagios/.my.cnf
|
||||
|
||||
if ! test -f ${nagios_file}; then
|
||||
failed "IS_MYSQLNRPE" "${nagios_file} is missing"
|
||||
elif [ "$(stat -c %U ${nagios_file})" != "nagios" ] \
|
||||
|| [ "$(stat -c %a ${nagios_file})" != "600" ]; then
|
||||
failed "IS_MYSQLNRPE" "${nagios_file} has wrong permissions"
|
||||
else
|
||||
grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql" /etc/nagios/nrpe.d/evolix.cfg \
|
||||
|| failed "IS_MYSQLNRPE" "check_mysql is missing"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
check_phpevolinuxconf() {
|
||||
|
@ -1078,9 +1093,7 @@ check_evomaintenanceconf() {
|
|||
&& grep "^FULLFROM" $f | grep -qv "John Doe <jdoe@example.com>" \
|
||||
&& grep "^URGENCYFROM" $f | grep -qv "mama.doe@example.com" \
|
||||
&& grep "^URGENCYTEL" $f | grep -qv "06.00.00.00.00" \
|
||||
&& grep "^REALM" $f | grep -qv "example.com" \
|
||||
&& grep "^API_ENDPOINT" $f | grep -qv "https://example.com/api/" \
|
||||
&& grep "^API_KEY" $f | grep -qv "secretkey";
|
||||
&& grep "^REALM" $f | grep -qv "example.com"
|
||||
} || failed "IS_EVOMAINTENANCECONF" "evomaintenance is not correctly configured"
|
||||
else
|
||||
failed "IS_EVOMAINTENANCECONF" "Configuration file \`$f' is missing"
|
||||
|
@ -1102,7 +1115,7 @@ check_evobackup_incs() {
|
|||
if is_installed bkctld; then
|
||||
bkctld_cron_file=${bkctld_cron_file:-/etc/cron.d/bkctld}
|
||||
if [ -f "${bkctld_cron_file}" ]; then
|
||||
root_crontab=$(grep -v "^#" ${bkctld_cron_file})
|
||||
root_crontab=$(grep -v "^#" "${bkctld_cron_file}")
|
||||
echo "${root_crontab}" | grep -q "bkctld inc" || failed "IS_EVOBACKUP_INCS" "\`bkctld inc' is missing in ${bkctld_cron_file}"
|
||||
echo "${root_crontab}" | grep -q "check-incs.sh" || failed "IS_EVOBACKUP_INCS" "\`check-incs.sh' is missing in ${bkctld_cron_file}"
|
||||
else
|
||||
|
@ -1111,6 +1124,12 @@ check_evobackup_incs() {
|
|||
fi
|
||||
}
|
||||
|
||||
check_osprober() {
|
||||
if is_installed os-prober qemu-kvm; then
|
||||
failed "IS_OSPROBER" "Removal of os-prober package is recommended as it can cause serious issue on KVM server"
|
||||
fi
|
||||
}
|
||||
|
||||
main() {
|
||||
# Default return code : 0 = no error
|
||||
RC=0
|
||||
|
@ -1158,7 +1177,7 @@ main() {
|
|||
test "${IS_LISTCHANGESCONF:=1}" = 1 && check_listchangesconf
|
||||
test "${IS_CUSTOMCRONTAB:=1}" = 1 && check_customcrontab
|
||||
test "${IS_SSHALLOWUSERS:=1}" = 1 && check_sshallowusers
|
||||
test "${IS_DISKPERF:=1}" = 1 && check_diskperf
|
||||
test "${IS_DISKPERF:=0}" = 1 && check_diskperf
|
||||
test "${IS_TMOUTPROFILE:=1}" = 1 && check_tmoutprofile
|
||||
test "${IS_ALERT5BOOT:=1}" = 1 && check_alert5boot
|
||||
test "${IS_ALERT5MINIFW:=1}" = 1 && check_alert5minifw
|
||||
|
@ -1231,6 +1250,7 @@ main() {
|
|||
test "${IS_MELTDOWN_SPECTRE:=1}" = 1 && check_meltdown_spectre
|
||||
test "${IS_OLD_HOME_DIR:=1}" = 1 && check_old_home_dir
|
||||
test "${IS_EVOBACKUP_INCS:=1}" = 1 && check_evobackup_incs
|
||||
test "${IS_OSPROBER:=1}" = 1 && check_osprober
|
||||
fi
|
||||
|
||||
#-----------------------------------------------------------
|
||||
|
@ -1343,7 +1363,7 @@ readonly PROGDIR=$(realpath -m "$(dirname "$0")")
|
|||
# shellcheck disable=2124
|
||||
readonly ARGS=$@
|
||||
|
||||
readonly VERSION="19.04"
|
||||
readonly VERSION="19.06"
|
||||
|
||||
# Disable LANG*
|
||||
export LANG=C
|
||||
|
@ -1396,4 +1416,5 @@ while :; do
|
|||
shift
|
||||
done
|
||||
|
||||
# shellcheck disable=SC2086
|
||||
main ${ARGS}
|
||||
|
|
|
@ -3,9 +3,9 @@
|
|||
- name: "System compatibility checks"
|
||||
assert:
|
||||
that:
|
||||
- ansible_distribution == "Debian"
|
||||
- ansible_distribution_major_version | version_compare('8', '>=')
|
||||
msg: only compatible with Debian >= 8
|
||||
- (ansible_distribution == "Debian") or (ansible_distribution == "Ubuntu")
|
||||
- (ansible_distribution_major_version | version_compare('8', '>=')) or (ansible_distribution_major_version | version_compare('18', '>='))
|
||||
msg: only compatible with Debian >= 8 AND Ubuntu >= 18.04
|
||||
|
||||
- name: Apt configuration
|
||||
include_role:
|
||||
|
|
|
@ -80,11 +80,20 @@
|
|||
- mlocate
|
||||
when: evolinux_packages_purge_locate
|
||||
|
||||
- name: Install/Update serveur-base meta-package
|
||||
- name: Install/Update serveur-base meta-package on debian
|
||||
apt:
|
||||
name: serveur-base
|
||||
allow_unauthenticated: yes
|
||||
when: evolinux_packages_serveur_base
|
||||
when: evolinux_packages_serveur_base and (ansible_distribution == "Debian")
|
||||
|
||||
- name: Install/Update serveur-base meta-package on ubuntu
|
||||
apt:
|
||||
deb: "{{ item }}"
|
||||
with_items:
|
||||
- 'http://pub.evolix.net/stretch/log2mail_0.3.0-2_amd64.deb'
|
||||
- 'http://pub.evolix.net/stretch/evocheck_0.10-1_all.deb'
|
||||
- 'http://pub.evolix.net/stretch/serveur-base_0.4.0_all.deb'
|
||||
when: evolinux_packages_serveur_base and (ansible_distribution == "Ubuntu")
|
||||
|
||||
- name: Install/Update packages for Stretch and later
|
||||
apt:
|
||||
|
|
|
@ -13,7 +13,7 @@
|
|||
# We want to allow any user from a list of IP addresses to login with password,
|
||||
# but users of the "evolix" group can't login with password from other IP addresses
|
||||
|
||||
- name: "Security directives for Evolinux (Debian 10 or later)"
|
||||
- name: "Security directives for Evolinux (Debian 10 and Ubuntu 18.04 or later)"
|
||||
blockinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS"
|
||||
|
@ -27,7 +27,7 @@
|
|||
notify: reload sshd
|
||||
when:
|
||||
- evolinux_ssh_password_auth_addresses != []
|
||||
- ansible_distribution_major_version | version_compare('10', '>=')
|
||||
- (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('10', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))
|
||||
|
||||
- name: Security directives for Evolinux (Jessie/Stretch)
|
||||
blockinfile:
|
||||
|
|
|
@ -125,7 +125,7 @@
|
|||
mode: "0755"
|
||||
when:
|
||||
- evolinux_system_alert5_init
|
||||
- ansible_lsb.codename == "jessie" or ansible_lsb.codename == "stretch"
|
||||
- ansible_lsb.codename == "jessie" or ansible_lsb.codename == "stretch" or ansible_distribution == "Ubuntu"
|
||||
|
||||
- name: Enable alert5 init script (jessie/stretch)
|
||||
service:
|
||||
|
@ -134,7 +134,7 @@
|
|||
when:
|
||||
- evolinux_system_alert5_init
|
||||
- evolinux_system_alert5_enable
|
||||
- ansible_lsb.codename == "jessie" or ansible_lsb.codename == "stretch"
|
||||
- ansible_lsb.codename == "jessie" or ansible_lsb.codename == "stretch" or ansible_distribution == "Ubuntu"
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -3,9 +3,9 @@
|
|||
- name: "System compatibility checks"
|
||||
assert:
|
||||
that:
|
||||
- ansible_distribution == "Debian"
|
||||
- ansible_distribution_major_version | version_compare('8', '>=')
|
||||
msg: only compatible with Debian >= 8
|
||||
- (ansible_distribution == "Debian") or (ansible_distribution == "Ubuntu")
|
||||
- (ansible_distribution_major_version | version_compare('8', '>=')) or (ansible_distribution_major_version | version_compare('18', '>='))
|
||||
msg: only compatible with Debian >= 8 AND Ubuntu >= 18.04
|
||||
|
||||
- debug:
|
||||
msg: "Warning: empty 'evolinux_users' variable, tasks will be skipped!"
|
||||
|
|
|
@ -28,9 +28,9 @@
|
|||
|
||||
- set_fact:
|
||||
# If "AllowGroups is present" or "AllowUsers is absent and Debian 10+",
|
||||
ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0 and (ansible_distribution_major_version | version_compare('10', '>='))) }}"
|
||||
ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0 and ((ansible_distribution == 'Debian' and ansible_distribution_major_version | version_compare('10', '>=')) or (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version | version_compare('18', '>=')))) }}"
|
||||
# If "AllowGroups is absent" and "AllowUsers is absent or Debian <10"
|
||||
ssh_allowusers: "{{ (grep_allowusers_ssh.rc == 0) or (grep_allowgroups_ssh.rc != 0 and (ansible_distribution_major_version | version_compare('10', '<'))) }}"
|
||||
ssh_allowusers: "{{ (grep_allowusers_ssh.rc == 0) or (grep_allowgroups_ssh.rc != 0 and (ansible_distribution == 'Debian' and ansible_distribution_major_version | version_compare('10', '<'))) }}"
|
||||
|
||||
- debug:
|
||||
var: ssh_allowgroups
|
||||
|
|
|
@ -4,6 +4,6 @@
|
|||
when: ansible_lsb.codename == "jessie"
|
||||
|
||||
- include: sudo_stretch.yml
|
||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||
when: (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('9', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))
|
||||
|
||||
- meta: flush_handlers
|
||||
|
|
|
@ -59,31 +59,32 @@
|
|||
|
||||
## Group for SSH authorizations
|
||||
|
||||
- name: "Unix group '{{ evolinux_ssh_group }}' is present (Debian 10 or later)"
|
||||
- name: "Unix group '{{ evolinux_ssh_group }}' is present (Debian 10 and Ubuntu 18 or later)"
|
||||
group:
|
||||
name: "{{ evolinux_ssh_group }}"
|
||||
state: present
|
||||
when: ansible_distribution_major_version | version_compare('10', '>=')
|
||||
when: (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('10', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))
|
||||
|
||||
- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_ssh_group }}' (Debian 10 or later)"
|
||||
- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_ssh_group }}' (Debian 10 and Ubuntu 18 or later)"
|
||||
user:
|
||||
name: '{{ user.name }}'
|
||||
groups: "{{ evolinux_ssh_group }}"
|
||||
append: yes
|
||||
when: ansible_distribution_major_version | version_compare('10', '>=')
|
||||
when: (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('10', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))
|
||||
|
||||
## Optional group for all evolinux users
|
||||
|
||||
- name: "Unix group '{{ evolinux_internal_group }}' is present (Debian 9 or later)"
|
||||
- name: "Unix group '{{ evolinux_internal_group }}' is present (Debian 9 and Ubuntu 18 or later)"
|
||||
group:
|
||||
name: "{{ evolinux_internal_group }}"
|
||||
state: present
|
||||
when:
|
||||
- evolinux_internal_group is defined
|
||||
- evolinux_internal_group != ""
|
||||
- ansible_distribution_major_version | version_compare('9', '>=')
|
||||
- (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('9', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))
|
||||
|
||||
- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_internal_group }}' (Debian 9 or later)"
|
||||
|
||||
- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_internal_group }}' (Debian 9 and Ubuntu 18 or later)"
|
||||
user:
|
||||
name: '{{ user.name }}'
|
||||
groups: "{{ evolinux_internal_group }}"
|
||||
|
@ -91,7 +92,8 @@
|
|||
when:
|
||||
- evolinux_internal_group is defined
|
||||
- evolinux_internal_group != ""
|
||||
- ansible_distribution_major_version | version_compare('9', '>=')
|
||||
- (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('9', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))
|
||||
|
||||
|
||||
## Optional secondary groups, defined per user
|
||||
|
||||
|
|
18
evomaintenance/tasks/install_package_ubuntu.yml
Normal file
18
evomaintenance/tasks/install_package_ubuntu.yml
Normal file
|
@ -0,0 +1,18 @@
|
|||
---
|
||||
|
||||
- name: Package is installed
|
||||
apt:
|
||||
deb: 'http://pub.evolix.net/stretch/evomaintenance_0.2.9-1_all.deb'
|
||||
tags:
|
||||
- evomaintenance
|
||||
|
||||
- name: Configuration is installed
|
||||
template:
|
||||
src: evomaintenance.j2
|
||||
dest: /etc/evomaintenance.cf
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0600"
|
||||
force: "{{ evomaintenance_force_config | bool }}"
|
||||
tags:
|
||||
- evomaintenance
|
|
@ -9,15 +9,20 @@
|
|||
- evomaintenance_api_key is not none
|
||||
msg: evomaintenance api variables must be set
|
||||
|
||||
- include: install_package_ubuntu.yml
|
||||
when:
|
||||
- not evomaintenance_install_vendor
|
||||
- ansible_distribution == "Ubuntu"
|
||||
|
||||
- include: install_package_debian.yml
|
||||
when:
|
||||
- not evomaintenance_install_vendor
|
||||
- ansible_distribution == "Debian"
|
||||
- ansible_distribution == "Debian" or ansible_distribution == "Ubuntu"
|
||||
|
||||
- include: install_vendor_debian.yml
|
||||
when:
|
||||
- evomaintenance_install_vendor
|
||||
- ansible_distribution == "Debian"
|
||||
- ansible_distribution == "Debian" or ansible_distribution == "Ubuntu"
|
||||
|
||||
- include: install_vendor_openbsd.yml
|
||||
when:
|
||||
|
@ -25,4 +30,4 @@
|
|||
|
||||
- include: minifirewall.yml
|
||||
when:
|
||||
- ansible_distribution == "Debian"
|
||||
- ansible_distribution == "Debian" or ansible_distribution == "Ubuntu"
|
||||
|
|
53
fluentd/files/fluentd.gpg
Normal file
53
fluentd/files/fluentd.gpg
Normal file
|
@ -0,0 +1,53 @@
|
|||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
Version: GnuPG v2
|
||||
|
||||
mQINBFhiI8wBEADThWLNd8IKPRw7Ygu3DHS4Sb/Yc6vSZSaMGJ6Wkj245jScvI+C
|
||||
nG4C4rtO/8ObUj5cUpb4CyfYZX8W4tp9x+W68c4paXevG4s+X4EE3uUsgdwTnFXi
|
||||
GMa57QDzR4p/JvjUjfGJ2UAr4Bfj8Q2S54LmIu6UAe82ce2B4tEHCeYSxkmVUDAZ
|
||||
utfmgKoVTbnceTemU0m5ANS6IC1/53KEhgB1sKm5G/FjRJGslHWb3mf+bLrhmlkP
|
||||
pA4BOKF2w3eFYH3LhWskxMS0SPM7J6aq+6LyNNqtlKL6lUS7qVjRQ6PlgFcmtG4J
|
||||
tijsZI62bDn1f44DmeLY+LMS/nM0xyIx94lYumGH5EYmjUECagqMool98/+Wx79A
|
||||
Thtg/1pYNzo8Z76qr0i3xLSRtsQ2Om2Rfal7VGadOrx4sqlkSaUaGI+hBc1r4tNy
|
||||
tERvBEMGSf78bWDbdzxSNEW4LUDUpniNQb0DrURfWkqRa3q4WcTJr8lpQM/NmAru
|
||||
owayAXQwKob+OIZ09/O69EaqVJ9MqsM3keQouSHShKvzNrppuo3D3z+Dpy05FsYw
|
||||
MAiIN7auXxy+XQwCVsKF083YaDHcC0I22GReEgt43yZXQ/b/J9QNrm5nJ+3Cpso3
|
||||
jJnMzubuniSOOdd3mXQ6MwgZvWgtH/nPF8oUX9VSGwqNohiKWcxQDxW7qQARAQAB
|
||||
tFRUcmVhc3VyZSBEYXRhLCBJbmMgKFRyZWFzdXJlIEFnZW50IE9mZmljaWFsIFNp
|
||||
Z25pbmcga2V5KSA8c3VwcG9ydEB0cmVhc3VyZS1kYXRhLmNvbT6JAjcEEwEIACEF
|
||||
AlhiI8wCGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQkB+Rd6uXrL5GrhAA
|
||||
nh82+caSu9Qu/LW256gN5UjPUFhph66ElT1OVyAR2FoOmz2pJH3t8YYD5cUV2W6/
|
||||
xqJDmjl+vnL2HBgxjHKRCo2K3hrq6z4LoU7SpWDI1cZ03lkjh1yNx13S+9JvZNlp
|
||||
jit0WRIspke0n0vWSpNo4nh19Yg3EA1c+vGeHnmlYo6xwRHu6XOhhCwywtFRGC3a
|
||||
iMJzAV4N69ZU6P5VZZkC6LjYYQtF4aI10COLZ4AcObH2htGAZTj2KlZfdJHmr+Oa
|
||||
wY57giUYz7OF45LLCuqe+VwpGp2d3UK/MtCnXRLi5InMVJKDvyt18MzRDFuyA27e
|
||||
WSt+JumVqhEjawh3hmdzIS1cHKmv19gdeE8On2i2Lf8lyek8fsB/YPgADAmp2oSe
|
||||
cjLu0ocGbgxRjuCR29+6IG+DiUDFCkqFZNdLiGVqzjpjpYHaPhVe77ciwA8TCPru
|
||||
3dh5t/qv2HglSd7lj95IApZBtny5AK8NS4qtaOeZbBbbDRuOPL0c7fU3bqyIPy57
|
||||
zvdYi3KdjWZVCawcAmk3ILP83eFSivCRPRoyCqO+HX8U647BBWvlFuEbPa+Y1sgE
|
||||
12MEF/Y6VVJh3Ptw+h/qKRbra4LdA+5Y30q/9l6WGgbO/4h3NKmGeVCrAFvS3h92
|
||||
fS0ABYD1nAP7fSNS9RfYIqfBXtJem+tJ14YKJwWiAYW5Ag0EWGIjzAEQAMw5EMJu
|
||||
RBFRdhXD5UeA7I7wwkql/iYof8ydUALBxh9NSpmwaACkb4Me6h/rHdVsPRO3vIoo
|
||||
uXftSjkRk2frjziihfEdeYxYU5PPawZxwCRDInr/OLZmcCCA2yCkRnFBhZxQy8NW
|
||||
iJz0tlJtohhuJ7NRK7+HVJ3rPrtoV1lZVricDrB7DdVySp+7VciEM/XQhKKlesyd
|
||||
gYXic4fx7xvPS6hRmH/fNVdvFobIhQBNUuPfKJeKpeJqPHeqkCNRz1Kl6NW9XXBq
|
||||
hNyAlC7SPdKmjsv4UVIcFLUXP5wv7nprtEh15LoDlJCvFEF/iDJzaWI3QeVqY8XS
|
||||
EI77WNsA/w7nlVNO3lGOPMjW8cxn4Jd2s4lpNa/e+RfrG/PD+ODSS92ISkuihBIU
|
||||
Z2XeFa1xjQ1ayint4lVe3FGWTBJjqK8qX3JaOVeUD0AlSWqFcJzI7KxfNtVZCOaZ
|
||||
WL/PVG124A118AUMFEWfb3r2Le8ddl+AKFP5Etsb+00VEWL06VPDampJIHanGjyX
|
||||
h3dZkzORO3l3dt/P6embimic2QDOmO5x+wESnD8spITPKDl9OuqebCB8Z2oShnnG
|
||||
+xhKDl045UFCPMVOXLb4kHonBmN2wBT/GIh4qqZj/7mm6r4P194HzN8LQuZsloJs
|
||||
A6tnEpEmSe33xBDfGAeS0eNxFiATGwAcCRyRABEBAAGJAh8EGAEIAAkFAlhiI8wC
|
||||
GwwACgkQkB+Rd6uXrL559w/9GfoTxZS+VJQsQc1inW9YKZaWl99Hd4u8CGhE057S
|
||||
zvzMnIH6fcgib3m+TelevplSEN1QN1GGTvn95n8JQ8RX36xy8SQVzrPIlO4gXGAF
|
||||
J1uHmSp3SSplrwKIBQk3MORrfbTg78CN9527GCQHih8+qgB3IYe23NhsKLre3mbZ
|
||||
h9NAWOeMsBF0jG0c0Cu3/F8muY2XSTqENB8R263YJsQSC3qaiaq9TtstisOe/HWK
|
||||
yQix2Hofg3H96dZXsqbQEvxgyema+A6ptCm7S66eSYoPPeXQaraTsz6nLlVtvhSD
|
||||
kll2axjAK4NDbSjJuZI/54CkO+FB00bkXDxPFgnfDPWgvPMF1cBuuX0QN1BO8n4C
|
||||
eA9zyBBdTw9bbzO1kRdeBHLa7n845ecVbEh15Hvtf20/CJB9ua+qRlcXtgxhUf3+
|
||||
pm/xbAM22z/F3+RsLwGOG8T0Vy2q//VVqLxSFlawiZW9RkClKyV6A1KH0EA6W84d
|
||||
GcxiDgwrBHd+d40s3VDE/Wlmj0w73xeebEaXCmaTO/Hp5DIA64LfXHB2ckvwv15I
|
||||
ISQV2g55+ghnwaD/02uGCGpJl0zJgQ+PKvrFAz+wIUqrQJxXP4epqWycmzG98T7g
|
||||
pi20lwzO87S6b1GIL9t6Q/Zge8bbB7lG5mBR2U5XyGhfHXGaHTb6nQQYh3hCet8G
|
||||
5Ow=
|
||||
=Me4L
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
|
@ -2,7 +2,8 @@
|
|||
|
||||
- name: Fluentd GPG key is installed
|
||||
apt_key:
|
||||
url: https://packages.treasuredata.com/GPG-KEY-td-agent
|
||||
# url: https://packages.treasuredata.com/GPG-KEY-td-agent
|
||||
data: "{{ lookup('file', 'fluentd.gpg') }}"
|
||||
tags:
|
||||
- packages
|
||||
- fluentd
|
||||
|
|
23
lxc-php/README.md
Normal file
23
lxc-php/README.md
Normal file
|
@ -0,0 +1,23 @@
|
|||
# lxc-php
|
||||
|
||||
Create LXC containers and install all the required PHP packages as a way to use multiple PHP version on Debian.
|
||||
|
||||
*note : this role depend on the lxc role.*
|
||||
|
||||
## Tasks
|
||||
|
||||
Everything is in the `tasks/main.yml` file.
|
||||
|
||||
## Available variables
|
||||
|
||||
As this role depend on the lxc role, please refer to it for a variable exhaustive list.
|
||||
|
||||
Here is the list of available variables for the PHP part:
|
||||
|
||||
* `php_conf_short_open_tag` Default: `"Off"`
|
||||
* `php_conf_expose_php` Default: `"Off"`
|
||||
* `php_conf_display_errors` Default: `"Off"`
|
||||
* `php_conf_log_errors` Default: `"On"`
|
||||
* `php_conf_html_errors` Default: `"Off"`
|
||||
* `php_conf_allow_url_fopen` Default: `"Off"`
|
||||
* `php_conf_disable_functions` Default: `"exec,shell-exec,system,passthru,putenv,popen"`
|
|
@ -46,27 +46,6 @@
|
|||
command: "lxc-attach -n {{name}} -- apt-get install -y php7.3 php7.3-fpm php7.3-cli php7.3-curl php7.3-mysql php7.3-pgsql php7.3-ldap php7.3-imap php7.3-gd php-ssh2 php-gettext composer libphp-phpmailer ssmtp git zip unzip php7.3-zip"
|
||||
when: name == 'php73'
|
||||
|
||||
- name: Remove default FPM 5.6 pool
|
||||
file:
|
||||
name: "/var/lib/lxc/{{name}}/rootfs/etc/php5/fpm/pool.d/www.conf"
|
||||
state: absent
|
||||
notify: "Reload {{name}}-fpm"
|
||||
when: name == 'php56'
|
||||
|
||||
- name: Remove default FPM 7.0 pool
|
||||
file:
|
||||
name: "/var/lib/lxc/{{name}}/rootfs/etc/php/7.0/fpm/pool.d/www.conf"
|
||||
state: absent
|
||||
notify: "Reload {{name}}-fpm"
|
||||
when: name == 'php70'
|
||||
|
||||
- name: Remove default FPM 7.3 pool
|
||||
file:
|
||||
name: "/var/lib/lxc/{{name}}/rootfs/etc/php/7.3/fpm/pool.d/www.conf"
|
||||
state: absent
|
||||
notify: "Reload {{name}}-fpm"
|
||||
when: name == 'php73'
|
||||
|
||||
- name: Copy evolinux PHP 5.6 configuration
|
||||
template:
|
||||
src: z-evolinux-defaults.ini.j2
|
||||
|
|
27
lxc-solr/README.md
Normal file
27
lxc-solr/README.md
Normal file
|
@ -0,0 +1,27 @@
|
|||
# lxc-solr
|
||||
|
||||
Create one or more LXC containers with Solr in the version of your choice.
|
||||
|
||||
*note : this role depend on the lxc role.*
|
||||
|
||||
## Tasks
|
||||
|
||||
Everything is in the `tasks/main.yml` file.
|
||||
|
||||
## Available variables
|
||||
|
||||
Since this role depend on the lxc role, please refer to it for a full variable list related to the lxc containers setup.
|
||||
|
||||
* `lxc_containers`: list of LXC containers to create. Default: `[]` (empty).
|
||||
* `name`: name of the LXC container to create.
|
||||
* `release`: Debian version to install
|
||||
* `solr_version`: Solr version to install *(refer to https://archive.apache.org/dist/lucene/solr/ for a full version list)*
|
||||
* `solr_port`: port for Solr to listen on
|
||||
Eg.:
|
||||
```
|
||||
lxc_containers:
|
||||
- name: solr8
|
||||
release: stretch
|
||||
solr_version: 6.6.6
|
||||
solr_port: 8983
|
||||
```
|
18
lxc-solr/defaults/main.yml
Normal file
18
lxc-solr/defaults/main.yml
Normal file
|
@ -0,0 +1,18 @@
|
|||
---
|
||||
# List of LXC containers to create alongside with the version of Solr to install for each of them
|
||||
# Eg.:
|
||||
# lxc_containers:
|
||||
# - name: solr6
|
||||
# release: stretch
|
||||
# solr_version: 6.6.6
|
||||
# solr_port: 8983
|
||||
# - name: solr7
|
||||
# release: stretch
|
||||
# solr_version: 7.7.2
|
||||
# solr_port: 8984
|
||||
# - name: solr8
|
||||
# release: stretch
|
||||
# solr_version: 8.1.1
|
||||
# solr_port: 8985
|
||||
lxc_containers: []
|
||||
|
16
lxc-solr/tasks/main.yml
Normal file
16
lxc-solr/tasks/main.yml
Normal file
|
@ -0,0 +1,16 @@
|
|||
---
|
||||
- name: LXC configuration
|
||||
include_role:
|
||||
name: lxc
|
||||
|
||||
- name: Ensure containers root directory is 755
|
||||
file:
|
||||
path: "/var/lib/lxc/{{ item.name }}/rootfs"
|
||||
state: directory
|
||||
mode: '0755'
|
||||
with_items:
|
||||
- "{{ lxc_containers }}"
|
||||
|
||||
- include: "solr.yml name={{item.name}} solr_version={{item.solr_version}} solr_port={{item.solr_port}}"
|
||||
with_items:
|
||||
- "{{ lxc_containers }}"
|
42
lxc-solr/tasks/solr.yml
Normal file
42
lxc-solr/tasks/solr.yml
Normal file
|
@ -0,0 +1,42 @@
|
|||
---
|
||||
- name: Install openjdk-8-jre-headless and lsof packages
|
||||
command: "lxc-attach -n {{name}} -- apt-get install -y openjdk-8-jre-headless lsof"
|
||||
|
||||
- name: "Download Solr {{ solr_version }}"
|
||||
get_url:
|
||||
url: "https://archive.apache.org/dist/lucene/solr/{{ solr_version }}/solr-{{ solr_version }}.tgz"
|
||||
dest: "/var/lib/lxc/{{ name }}/rootfs/root/solr-{{ solr_version }}.tgz"
|
||||
mode: '0644'
|
||||
|
||||
- name: "Extract solr-{{ solr_version }}.tgz"
|
||||
unarchive:
|
||||
src: /var/lib/lxc/{{ name }}/rootfs/root/solr-{{ solr_version }}.tgz
|
||||
dest: /var/lib/lxc/{{ name }}/rootfs/root/
|
||||
remote_src: yes
|
||||
|
||||
- name: "Install Solr {{ solr_version }}"
|
||||
command: "lxc-attach -n {{name}} -- /root/solr-{{ solr_version }}/bin/install_solr_service.sh /root/solr-{{ solr_version }}.tgz"
|
||||
|
||||
- name: "Stop Solr"
|
||||
command: "lxc-attach -n {{name}} -- /etc/init.d/solr stop"
|
||||
ignore_errors: True
|
||||
|
||||
- name: "Make sure /home/solr exists"
|
||||
file:
|
||||
path: /home/solr
|
||||
state: directory
|
||||
mode: '0755'
|
||||
|
||||
- name: "Move Solr data directory to /home/solr/{{name}}"
|
||||
command: "lxc-attach -n {{name}} -- mv /var/solr /home/solr/{{name}}"
|
||||
|
||||
- name: "Create a symbolic link to /home/solr/{{name}}"
|
||||
command: "lxc-attach -n {{name}} -- ln -s /home/solr/{{name}} /var/solr"
|
||||
|
||||
- name: "Set Solr port to {{ solr_port }}"
|
||||
lineinfile:
|
||||
dest: /var/lib/lxc/{{ name }}/rootfs/etc/default/solr.in.sh
|
||||
line: "SOLR_PORT={{ solr_port }}"
|
||||
|
||||
- name: "Start Solr"
|
||||
command: "lxc-attach -n {{name}} -- /etc/init.d/solr start"
|
3
lxc-solr/templates/rc.local.j2
Normal file
3
lxc-solr/templates/rc.local.j2
Normal file
|
@ -0,0 +1,3 @@
|
|||
#!/bin/bash
|
||||
/opt/solr-{{ solr_version }}/bin/solr start -p {{ solr_port }} -force
|
||||
exit 0
|
|
@ -3,9 +3,9 @@
|
|||
apt:
|
||||
name: '{{ item }}'
|
||||
with_items:
|
||||
- lxc
|
||||
- debootstrap
|
||||
- xz-utils
|
||||
- lxc
|
||||
- debootstrap
|
||||
- xz-utils
|
||||
|
||||
- name: Copy LXC default containers configuration
|
||||
template:
|
||||
|
@ -21,8 +21,13 @@
|
|||
|
||||
- name: Add subuid and subgid ranges to root
|
||||
command: usermod -v 100000-199999 -w 100000-109999 root
|
||||
when: lxc_unprivilegied_containers and root_subuids.rc
|
||||
when:
|
||||
- lxc_unprivilegied_containers
|
||||
- root_subuids.rc
|
||||
|
||||
- name: Create containers
|
||||
include: "create-container.yml name={{item.name}} release={{item.release}}"
|
||||
include: create-container.yml
|
||||
vars:
|
||||
name: "{{ item.name }}"
|
||||
release: "{{item.release}}"
|
||||
with_items: "{{lxc_containers}}"
|
||||
|
|
|
@ -29,7 +29,18 @@ minifirewall_private_ports_udp: []
|
|||
# Keep a null value to leave the setting as is
|
||||
# otherwise use an Array, eg. "minifirewall_ssh_ok: ['0.0.0.0/0']"
|
||||
minifirewall_dns_servers: Null
|
||||
minifirewall_http_sites: Null
|
||||
|
||||
minifirewall_http_sites:
|
||||
- pub.evolix.net
|
||||
- mirror.evolix.org
|
||||
- hwraid.le-vert.net
|
||||
- antispam00.evolix.org
|
||||
- spamassassin.apache.org
|
||||
- sa-update.space-pro.be
|
||||
- sa-update.secnap.net
|
||||
- www.sa-update.pccc.com
|
||||
- sa-update.dnswl.org
|
||||
|
||||
minifirewall_https_sites: Null
|
||||
minifirewall_ftp_sites: Null
|
||||
minifirewall_ssh_ok: Null
|
||||
|
@ -37,6 +48,16 @@ minifirewall_smtp_ok: Null
|
|||
minifirewall_smtp_secure_ok: Null
|
||||
minifirewall_ntp_ok: Null
|
||||
|
||||
minifirewall_default_debian_http_sites:
|
||||
- security.debian.org
|
||||
- security-cdn.debian.org
|
||||
- volatile.debian.org
|
||||
- backports.debian.org
|
||||
|
||||
minifirewall_default_ubuntu_http_sites:
|
||||
- archive.ubuntu.com
|
||||
- security.ubuntu.com
|
||||
|
||||
minifirewall_autostart: False
|
||||
minifirewall_restart_if_needed: True
|
||||
minifirewall_restart_force: False
|
||||
|
|
|
@ -50,7 +50,7 @@ DNSSERVEURS='0.0.0.0/0'
|
|||
# HTTP authorizations
|
||||
# (you can use DNS names but set cron to reload minifirewall regularly)
|
||||
# (if you have HTTP proxy, set 0.0.0.0/0)
|
||||
HTTPSITES='security.debian.org security-cdn.debian.org pub.evolix.net volatile.debian.org mirror.evolix.org backports.debian.org hwraid.le-vert.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org'
|
||||
HTTPSITES=''
|
||||
|
||||
# HTTPS authorizations
|
||||
HTTPSSITES='0.0.0.0/0'
|
||||
|
|
|
@ -120,7 +120,22 @@
|
|||
line: "HTTPSITES='{{ minifirewall_http_sites | join(' ') }}'"
|
||||
regexp: "HTTPSITES='.*'"
|
||||
create: no
|
||||
when: minifirewall_http_sites is not none
|
||||
|
||||
- name: Configure HTTPSITES for debian
|
||||
lineinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
line: "HTTPSITES='{{ minifirewall_default_debian_http_sites | join(' ') }} {{ minifirewall_http_sites | join(' ') }}'"
|
||||
regexp: "HTTPSITES='.*'"
|
||||
create: no
|
||||
when: ansible_distribution == "Debian"
|
||||
|
||||
- name: Configure HTTPSITES for ubuntu
|
||||
lineinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
line: "HTTPSITES='{{ minifirewall_default_ubuntu_http_sites | join(' ') }} {{ minifirewall_http_sites | join(' ') }}'"
|
||||
regexp: "HTTPSITES='.*'"
|
||||
create: no
|
||||
when: ansible_distribution == "Ubuntu"
|
||||
|
||||
- name: Configure HTTPSSITES
|
||||
lineinfile:
|
||||
|
|
|
@ -75,6 +75,18 @@
|
|||
tags:
|
||||
- mysql
|
||||
|
||||
# Percona Toolkit
|
||||
|
||||
- name: "Install percona-toolkit (Debian 9 or later)"
|
||||
apt:
|
||||
name: percona-toolkit
|
||||
state: present
|
||||
tags:
|
||||
- packages
|
||||
- percona-toolkit
|
||||
- mysql
|
||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||
|
||||
# automatic optimizations
|
||||
|
||||
- include_role:
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
rbenv_version: v1.1.2
|
||||
rbenv_ruby_version: 2.5.5
|
||||
rbenv_ruby_version: 2.6.3
|
||||
rbenv_root: "~/.rbenv"
|
||||
rbenv_repo: "https://github.com/rbenv/rbenv.git"
|
||||
rbenv_plugins:
|
||||
|
|
|
@ -5,5 +5,10 @@
|
|||
name: apache2
|
||||
state: reloaded
|
||||
|
||||
- name: restart apache2
|
||||
service:
|
||||
name: apache2
|
||||
state: restarted
|
||||
|
||||
- name: newaliases
|
||||
command: newaliases
|
||||
|
|
|
@ -46,3 +46,10 @@
|
|||
owner: evoadmin
|
||||
group: evoadmin
|
||||
force: no
|
||||
|
||||
- name: Enable proxy_fcgi
|
||||
apache2_module:
|
||||
state: present
|
||||
name: proxy_fcgi
|
||||
notify: restart apache2
|
||||
when: evoadmin_multi_php == True
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
CONTACT_MAIL="{{ evoadmin_contact_email or general_alert_email | mandatory }}"
|
||||
WWWBOUNCE_MAIL="{{ evoadmin_bounce_email or general_alert_email | mandatory }}"
|
||||
{% if evoadmin_multi_php == "True" %}
|
||||
{% if evoadmin_multi_php == True %}
|
||||
PHP_VERSIONS=(56 70 73)
|
||||
{% endif %}
|
||||
|
|
Loading…
Reference in a new issue