Adds a bunch of checks for ubuntu to evolinux-base and evolinux-users

This feels a bit hacky, but it's the best I could come up with on
short order

CHANGELOG.md

@@ -10,19 +10,39 @@ The **patch** part changes incrementally at each release.
 
 ## [Unreleased]
 
+* Ubuntu 18.04 support
+
+### Added
+
+### Changed
+* elasticsearch: listen on local interface only by default
+
+### Fixed
+* lxc-php: Don't remove the default pool
+
+### Security
+
+## [9.10.1] - 2019-06-21
+
+### Changed
+* evocheck : update (version 19.06) from upstream
+
+## [9.10.0] - 2019-06-21
+
 ### Added
 * apache: add server status suffix in VHost (and default site) if missing
+* apache: add a variable to customize the server-status host
 * apt: add a script to manage packages with "hold" mark
 * etc-git: gitignore /etc/letsencrypt/.certbot.lock
-* evolinux-base: install "spectre-meltdown-checker" (Debian 10 and later)
 * evomaintenance: make hooks configurable
 * nginx: add server status suffix in VHost (and default site) if missing
 * redmine: enable gzip compression in nginx vhost
 
 ### Changed
-* evocheck : version 19.04 from upstream
+* evocheck : update (unreleased) from upstream
 * evomaintenance : use the web API instead of PG Insert
-* rbenv: update defaults rbenv version to 1.1.2 and ruby version to 2.5.5
+* fluentd: store gpg key locally
+* rbenv: update defaults rbenv version to 1.1.2 and ruby version to 2.6.3
 * redmine: update default version to 4.0.3
 * nagios-nrpe: change required status code for http and https check
 * redmine: use custom errors-pages in Nginx vhost
@@ -39,8 +59,6 @@ The **patch** part changes incrementally at each release.
 * evolinux-users: Validate sshd config with "-t" instead of "-T"
 * nagios-nrpe: Replace the dummy packages nagios-plugins-* with monitoring-plugins-*
 
-### Security
-
 ## [9.9.0] - 2019-04-16
 
 ### Added

apache/defaults/main.yml

@@ -19,3 +19,5 @@ apache_munin_include: True
 
 general_alert_email: "root@localhost"
 log2mail_alert_email: Null
+
+apache_serverstatus_host: 127.0.0.1

apache/tasks/server_status.yml

@@ -62,7 +62,8 @@
 - name: apache-status URL is configured for Munin
   lineinfile:
     dest: /etc/munin/plugin-conf.d/munin-node
-    line: "env.url http://127.0.0.1/server-status-{{ apache_serverstatus_suffix }}?auto"
-    regexp: "env.url http://127.0.0.1/server-status"
+    line: "env.url http://{{ apache_serverstatus_host }}/server-status-{{ apache_serverstatus_suffix }}?auto"
+    regexp: 'env.url http://[^\\/]+/server-status'
     insertafter: "[apache_*]"
     create: no
+  notify: restart munin-node

apt/tasks/backports.yml

@@ -5,7 +5,7 @@
     regexp: "backports"
     state: absent
   tags:
-  - apt
+    - apt
 
 - name: Backports sources list is installed
   template:
@@ -15,7 +15,7 @@
     mode: "0640"
   register: apt_backports_list
   tags:
-  - apt
+    - apt
 
 - name: Backports configuration
   copy:
@@ -25,7 +25,7 @@
     mode: "0640"
   register: apt_backports_config
   tags:
-  - apt
+    - apt
 
 - name: Archived backport are accepted (jessie)
   lineinfile:
@@ -34,10 +34,12 @@
     create: yes
     state: present
   when: ansible_lsb.codename == "jessie"
+  tags:
+    - apt
 
 - name: Apt update
   apt:
     update_cache: yes
   when: apt_backports_list | changed or apt_backports_config | changed
   tags:
-  - apt
+    - apt

apt/tasks/basics.yml

@@ -8,21 +8,23 @@
     force: yes
   register: apt_basic_list
   tags:
-  - apt
+    - apt
 
 - name: Clean GANDI sources.list.d/debian-security.list
   file:
     path: '{{ item }}'
     state: absent
   with_items:
-  - /etc/apt/sources.list.d/debian-security.list
-  - /etc/apt/sources.list.d/debian-stretch.list
-  - /etc/apt/sources.list.d/debian-update.list
+    - /etc/apt/sources.list.d/debian-security.list
+    - /etc/apt/sources.list.d/debian-stretch.list
+    - /etc/apt/sources.list.d/debian-update.list
   when: apt_clean_gandi_sourceslist
+  tags:
+    - apt
 
 - name: Apt update
   apt:
     update_cache: yes
   when: apt_basic_list | changed
   tags:
-  - apt
+    - apt

apt/tasks/config.yml

@@ -9,9 +9,11 @@
     state: present
     mode: "0640"
   with_items:
-  - { line: "APT::Install-Recommends \"false\";", regexp: 'APT::Install-Recommends' }
-  - { line: "APT::Install-Suggests \"false\";",   regexp: 'APT::Install-Suggests' }
+    - { line: "APT::Install-Recommends \"false\";", regexp: 'APT::Install-Recommends' }
+    - { line: "APT::Install-Suggests \"false\";",   regexp: 'APT::Install-Suggests' }
   when: apt_evolinux_config
+  tags:
+    - apt
 
 - name: DPkg invoke hooks
   lineinfile:
@@ -21,24 +23,32 @@
     state: present
     mode: "0640"
   with_items:
-  - "DPkg::Pre-Invoke { \"df /tmp | grep -q /tmp && mount -oremount,exec /tmp || true\"; };"
-  - "DPkg::Pre-Invoke { \"df /usr | grep -q /usr && mount -oremount,rw /usr || true\"; };"
-  - "DPkg::Post-Invoke { \"df /tmp | grep -q /tmp && mount -oremount /tmp || true\"; };"
-  - "DPkg::Post-Invoke { \"df /usr | grep -q /usr && mount -oremount /usr || true\"; };"
+    - "DPkg::Pre-Invoke { \"df /tmp | grep -q /tmp && mount -oremount,exec /tmp || true\"; };"
+    - "DPkg::Pre-Invoke { \"df /usr | grep -q /usr && mount -oremount,rw /usr || true\"; };"
+    - "DPkg::Post-Invoke { \"df /tmp | grep -q /tmp && mount -oremount /tmp || true\"; };"
+    - "DPkg::Post-Invoke { \"df /usr | grep -q /usr && mount -oremount /usr || true\"; };"
   when: apt_hooks
+  tags:
+    - apt
 
 - name: Remove Aptitude
   apt:
     name: aptitude
     state: absent
   when: apt_remove_aptitude
+  tags:
+    - apt
 
 - name: Updating APT cache
   apt:
     update_cache: yes
   changed_when: False
+  tags:
+    - apt
 
 - name: Upgrading system
   apt:
     upgrade: dist
   when: apt_upgrade
+  tags:
+    - apt

apt/tasks/evolix_public.yml

@@ -12,8 +12,10 @@
   apt_key:
     #url: http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x44975278B8612B5D
     data: "{{ lookup('file', 'reg.gpg') }}"
+  tags:
+    - apt
 
-- name: Evolix public list is installed
+- name: Evolix public list is installed (only for Debian)
   template:
     src: evolix_public.list.j2
     dest: /etc/apt/sources.list.d/evolix_public.list
@@ -21,11 +23,12 @@
     mode: "0640"
   register: apt_evolix_public
   tags:
-  - apt
+    - apt
+  when: ansible_distribution == "Debian"
 
 - name: Apt update
   apt:
     update_cache: yes
   when: apt_evolix_public | changed
   tags:
-  - apt
+    - apt

apt/tasks/hold_packages.yml

@@ -5,6 +5,8 @@
   register: apt_mark
   changed_when: "'{{ item }} set on hold.' in apt_mark.stdout"
   with_items: "{{ apt_hold_packages }}"
+  tags:
+    - apt
 
 - name: "hold packages (config)"
   lineinfile:
@@ -13,12 +15,16 @@
     create: True
     state: present
   with_items: "{{ apt_hold_packages }}"
+  tags:
+    - apt
 
 - name: "unhold packages (apt)"
   shell: "(apt-mark showhold | grep --quiet {{ item }}) && apt-mark unhold {{ item }}"
   register: apt_mark
   changed_when: "'Canceled hold on {{ item }}.' in apt_mark.stdout"
   with_items: "{{ apt_unhold_packages }}"
+  tags:
+    - apt
 
 - name: "unhold packages (config)"
   lineinfile:
@@ -27,6 +33,8 @@
     create: True
     state: absent
   with_items: "{{ apt_unhold_packages }}"
+  tags:
+    - apt
 
 - name: /usr/share/scripts exists
   file:
@@ -35,6 +43,8 @@
     owner: root
     group: root
     state: directory
+  tags:
+    - apt
 
 - name: Check scripts is installed
   copy:
@@ -42,6 +52,8 @@
     dest: /usr/share/scripts/check_held_packages.sh
     force: yes
     mode: "0755"
+  tags:
+    - apt
 
 - name: Check for held packages (script)
   cron:
@@ -55,3 +67,5 @@
     day: "{{ apt_check_hold_cron_day }}"
     month: "{{ apt_check_hold_cron_month }}"
     state: "present"
+  tags:
+    - apt

apt/tasks/main.yml

@@ -2,38 +2,38 @@
 
 - name: "Compatibility check"
   fail:
-    msg: only compatible with Debian >= 8
+    msg: only compatible with Debian >= 8 AND Ubuntu >= 18.04
   when:
-  - ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<')
+  - (ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<')) and (ansible_distribution != "Ubuntu" or ansible_distribution_major_version | version_compare('18', '<'))
   tags:
-  - apt
+    - apt
 
 - name: Custom configuration
   include: config.yml
   when: apt_config
   tags:
-  - apt
+    - apt
 
 - name: Install basics repositories
   include: basics.yml
   when: apt_install_basics
   tags:
-  - apt
+    - apt
 
 - name: Install APT Backports repository
   include: backports.yml
   when: apt_install_backports
   tags:
-  - apt
+    - apt
 
 - name: Install Evolix Public APT repository
   include: evolix_public.yml
   when: apt_install_evolix_public
   tags:
-  - apt
+    - apt
 
 - name: Install check for packages marked hold
   include: hold_packages.yml
   when: apt_install_hold_packages
   tags:
-  - apt
+    - apt

apt/templates/bionic_basics.list.j2

@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+
+deb http://archive.ubuntu.com/ubuntu/ bionic {{ apt_basics_components | mandatory }}
+deb http://archive.ubuntu.com/ubuntu/ bionic-updates {{ apt_basics_components | mandatory }}
+deb http://security.ubuntu.com/ubuntu bionic-security {{ apt_basics_components | mandatory }}

elasticsearch/README.md

@@ -27,7 +27,7 @@ Tasks are extracted in several files, included in `tasks/main.yml` :
 * `elasticsearch_jvm_xmx`: maximum heap size reserved for the JVM (default: `2g`).
 * `elasticsearch_restart_on_upgrade`: restart the service after package upgrade (default: `true`)
 
-By default, Elasticsearch will listen to the public interfaces (`_site_` cf. https://www.elastic.co/guide/en/elasticsearch/reference/5.0/important-settings.html#network.host), so you will have to secure it, with firewall rules for example.
+By default, Elasticsearch will listen to the local interface (`_local_` cf. https://www.elastic.co/guide/en/elasticsearch/reference/5.0/important-settings.html#network.host).
 
 ## Curator
 

elasticsearch/defaults/main.yml

@@ -5,7 +5,7 @@ elasticsearch_cluster_name: Null
 elasticsearch_cluster_members: Null
 elasticsearch_minimum_master_nodes: Null
 elasticsearch_node_name: "${HOSTNAME}"
-elasticsearch_network_host: "[_site_, _local_]"
+elasticsearch_network_host: "[_local_]"
 elasticsearch_network_publish_host: Null
 elasticsearch_http_publish_host: Null
 elasticsearch_custom_datadir: Null

evocheck/files/evocheck.sh

@@ -315,7 +315,7 @@ check_nrpeperms() {
 }
 check_minifwperms() {
     if [ -f "$MINIFW_FILE" ]; then
-        actual=$(stat --format "%a" $MINIFW_FILE)
+        actual=$(stat --format "%a" "$MINIFW_FILE")
         expected="600"
         test "$expected" = "$actual" || failed "IS_MINIFWPERMS"
     fi
@@ -386,7 +386,7 @@ check_raidsoft() {
 }
 # Verification du LogFormat de AWStats
 check_awstatslogformat() {
-    if is_installed apache2.2-common awstats; then
+    if is_installed apache2 awstats; then
         grep -qE '^LogFormat=1' /etc/awstats/awstats.conf.local \
             || failed "IS_AWSTATSLOGFORMAT"
     fi
@@ -531,20 +531,30 @@ check_userlogrotate() {
 }
 # Verification de la syntaxe de la conf d'Apache
 check_apachectl() {
-    if is_installed apache2.2-common; then
+    if is_installed apache2; then
         /usr/sbin/apache2ctl configtest 2>&1 | grep -q "^Syntax OK$" || failed "IS_APACHECTL"
     fi
 }
 # Check if there is regular files in Apache sites-enabled.
 check_apachesymlink() {
-    if is_installed apache2.2-common; then
-        stat -c %F /etc/apache2/sites-enabled/* | grep -q regular && failed "IS_APACHESYMLINK"
+    if is_installed apache2; then
+        apacheFind=$(find /etc/apache2/sites-enabled ! -type l -type f -print)
+        nbApacheFind=$(wc -m <<< "$apacheFind")
+        if [[ $nbApacheFind -gt 1 ]]; then
+            if [[ $VERBOSE == 1 ]]; then
+                while read -r line; do
+                    failed "IS_APACHESYMLINK" "Not a symlink: $line"
+                done <<< "$apacheFind"
+            else
+                failed "IS_APACHESYMLINK"
+            fi
+        fi
     fi
 }
 # Check if there is real IP addresses in Allow/Deny directives (no trailing space, inline comments or so).
 check_apacheipinallow() {
     # Note: Replace "exit 1" by "print" in Perl code to debug it.
-    if is_installed apache2.2-common; then
+    if is_installed apache2; then
         grep -IrE "^[^#] *(Allow|Deny) from" /etc/apache2/ \
             | grep -iv "from all" \
             | grep -iv "env=" \
@@ -559,7 +569,7 @@ check_muninapacheconf() {
     else
         muninconf="/etc/apache2/conf-available/munin.conf"
     fi
-    if is_installed apache2.2-common; then
+    if is_installed apache2; then
         test -e $muninconf && grep -vEq "^( |\t)*#" "$muninconf" && failed "IS_MUNINAPACHECONF"
     fi
 }
@@ -881,12 +891,17 @@ check_mysqlmunin() {
 }
 check_mysqlnrpe() {
     if is_debian_stretch && is_installed mariadb-server; then
-        nagios_file="~nagios/.my.cnf"
-        { test -f $nagios_file \
-            && [ "$(stat -c %U $nagios_file)" = "nagios" ] \
-            && [ "$(stat -c %a $nagios_file)" = "600" ] \
-            && grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost  -f $nagios_file";
-        } || failed "IS_MYSQLNRPE"
+        nagios_file=~nagios/.my.cnf
+
+        if ! test -f ${nagios_file}; then
+            failed "IS_MYSQLNRPE" "${nagios_file} is missing"
+        elif [ "$(stat -c %U ${nagios_file})" != "nagios" ] \
+             || [ "$(stat -c %a ${nagios_file})" != "600" ]; then
+            failed "IS_MYSQLNRPE" "${nagios_file} has wrong permissions"
+        else
+            grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql" /etc/nagios/nrpe.d/evolix.cfg \
+            || failed "IS_MYSQLNRPE" "check_mysql is missing"
+        fi
     fi
 }
 check_phpevolinuxconf() {
@@ -1078,9 +1093,7 @@ check_evomaintenanceconf() {
             && grep "^FULLFROM" $f | grep -qv "John Doe <jdoe@example.com>" \
             && grep "^URGENCYFROM" $f | grep -qv "mama.doe@example.com" \
             && grep "^URGENCYTEL" $f | grep -qv "06.00.00.00.00" \
-            && grep "^REALM" $f | grep -qv "example.com" \
-            && grep "^API_ENDPOINT" $f | grep -qv "https://example.com/api/" \
-            && grep "^API_KEY" $f | grep -qv "secretkey";
+            && grep "^REALM" $f | grep -qv "example.com"
         } || failed "IS_EVOMAINTENANCECONF" "evomaintenance is not correctly configured"
     else
         failed "IS_EVOMAINTENANCECONF" "Configuration file \`$f' is missing"
@@ -1102,7 +1115,7 @@ check_evobackup_incs() {
     if is_installed bkctld; then
         bkctld_cron_file=${bkctld_cron_file:-/etc/cron.d/bkctld}
         if [ -f "${bkctld_cron_file}" ]; then
-            root_crontab=$(grep -v "^#" ${bkctld_cron_file})
+            root_crontab=$(grep -v "^#" "${bkctld_cron_file}")
             echo "${root_crontab}" | grep -q "bkctld inc" || failed "IS_EVOBACKUP_INCS" "\`bkctld inc' is missing in ${bkctld_cron_file}"
             echo "${root_crontab}" | grep -q "check-incs.sh" || failed "IS_EVOBACKUP_INCS" "\`check-incs.sh' is missing in ${bkctld_cron_file}"
         else
@@ -1111,6 +1124,12 @@ check_evobackup_incs() {
     fi
 }
 
+check_osprober() {
+    if is_installed os-prober qemu-kvm; then
+        failed "IS_OSPROBER" "Removal of os-prober package is recommended as it can cause serious issue on KVM server"
+    fi
+}
+
 main() {
     # Default return code : 0 = no error
     RC=0
@@ -1158,7 +1177,7 @@ main() {
         test "${IS_LISTCHANGESCONF:=1}" = 1 && check_listchangesconf
         test "${IS_CUSTOMCRONTAB:=1}" = 1 && check_customcrontab
         test "${IS_SSHALLOWUSERS:=1}" = 1 && check_sshallowusers
-        test "${IS_DISKPERF:=1}" = 1 && check_diskperf
+        test "${IS_DISKPERF:=0}" = 1 && check_diskperf
         test "${IS_TMOUTPROFILE:=1}" = 1 && check_tmoutprofile
         test "${IS_ALERT5BOOT:=1}" = 1 && check_alert5boot
         test "${IS_ALERT5MINIFW:=1}" = 1 && check_alert5minifw
@@ -1231,6 +1250,7 @@ main() {
         test "${IS_MELTDOWN_SPECTRE:=1}" = 1 && check_meltdown_spectre
         test "${IS_OLD_HOME_DIR:=1}" = 1 && check_old_home_dir
         test "${IS_EVOBACKUP_INCS:=1}" = 1 && check_evobackup_incs
+        test "${IS_OSPROBER:=1}" = 1 && check_osprober
     fi
 
     #-----------------------------------------------------------
@@ -1343,7 +1363,7 @@ readonly PROGDIR=$(realpath -m "$(dirname "$0")")
 # shellcheck disable=2124
 readonly ARGS=$@
 
-readonly VERSION="19.04"
+readonly VERSION="19.06"
 
 # Disable LANG*
 export LANG=C
@@ -1396,4 +1416,5 @@ while :; do
     shift
 done
 
+# shellcheck disable=SC2086
 main ${ARGS}

evolinux-base/tasks/main.yml

@@ -3,9 +3,9 @@
 - name: "System compatibility checks"
   assert:
     that:
-      - ansible_distribution == "Debian"
-      - ansible_distribution_major_version | version_compare('8', '>=')
-    msg: only compatible with Debian >= 8
+      - (ansible_distribution == "Debian") or (ansible_distribution == "Ubuntu")
+      - (ansible_distribution_major_version | version_compare('8', '>=')) or (ansible_distribution_major_version | version_compare('18', '>='))
+    msg: only compatible with Debian >= 8 AND Ubuntu >= 18.04
 
 - name: Apt configuration
   include_role:

evolinux-base/tasks/packages.yml

@@ -80,11 +80,20 @@
   - mlocate
   when: evolinux_packages_purge_locate
 
-- name: Install/Update serveur-base meta-package
+- name: Install/Update serveur-base meta-package on debian
   apt:
     name: serveur-base
     allow_unauthenticated: yes
-  when: evolinux_packages_serveur_base
+  when: evolinux_packages_serveur_base and (ansible_distribution == "Debian")
+
+- name: Install/Update serveur-base meta-package on ubuntu
+  apt:
+    deb: "{{ item }}"
+  with_items:
+  - 'http://pub.evolix.net/stretch/log2mail_0.3.0-2_amd64.deb'
+  - 'http://pub.evolix.net/stretch/evocheck_0.10-1_all.deb'
+  - 'http://pub.evolix.net/stretch/serveur-base_0.4.0_all.deb'
+  when: evolinux_packages_serveur_base and (ansible_distribution == "Ubuntu")
 
 - name: Install/Update packages for Stretch and later
   apt:

evolinux-base/tasks/ssh.yml

@@ -13,7 +13,7 @@
 # We want to allow any user from a list of IP addresses to login with password,
 # but users of the "evolix" group can't login with password from other IP addresses
 
-- name: "Security directives for Evolinux (Debian 10 or later)"
+- name: "Security directives for Evolinux (Debian 10 and Ubuntu 18.04 or later)"
   blockinfile:
     dest: /etc/ssh/sshd_config
     marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS"
@@ -27,7 +27,7 @@
   notify: reload sshd
   when:
     - evolinux_ssh_password_auth_addresses != []
-    - ansible_distribution_major_version | version_compare('10', '>=')
+    - (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('10', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))
 
 - name: Security directives for Evolinux (Jessie/Stretch)
   blockinfile:

evolinux-base/tasks/system.yml

@@ -125,7 +125,7 @@
     mode: "0755"
   when:
     - evolinux_system_alert5_init
-    - ansible_lsb.codename == "jessie" or ansible_lsb.codename == "stretch"
+    - ansible_lsb.codename == "jessie" or ansible_lsb.codename == "stretch" or ansible_distribution == "Ubuntu"
 
 - name: Enable alert5 init script (jessie/stretch)
   service:
@@ -134,7 +134,7 @@
   when:
     - evolinux_system_alert5_init
     - evolinux_system_alert5_enable
-    - ansible_lsb.codename == "jessie" or ansible_lsb.codename == "stretch"
+    - ansible_lsb.codename == "jessie" or ansible_lsb.codename == "stretch" or ansible_distribution == "Ubuntu"
 
 
 

evolinux-users/tasks/main.yml

@@ -3,9 +3,9 @@
 - name: "System compatibility checks"
   assert:
     that:
-      - ansible_distribution == "Debian"
-      - ansible_distribution_major_version | version_compare('8', '>=')
-    msg: only compatible with Debian >= 8
+      - (ansible_distribution == "Debian") or (ansible_distribution == "Ubuntu")
+      - (ansible_distribution_major_version | version_compare('8', '>=')) or (ansible_distribution_major_version | version_compare('18', '>='))
+    msg: only compatible with Debian >= 8 AND Ubuntu >= 18.04
 
 - debug:
     msg: "Warning: empty 'evolinux_users' variable, tasks will be skipped!"

evolinux-users/tasks/ssh.yml

@@ -28,9 +28,9 @@
 
 - set_fact:
     # If "AllowGroups is present" or "AllowUsers is absent and Debian 10+",
-    ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0 and (ansible_distribution_major_version | version_compare('10', '>='))) }}"
+    ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0 and ((ansible_distribution == 'Debian' and ansible_distribution_major_version | version_compare('10', '>=')) or (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version | version_compare('18', '>=')))) }}"
     # If "AllowGroups is absent" and "AllowUsers is absent or Debian <10"
-    ssh_allowusers:  "{{ (grep_allowusers_ssh.rc == 0) or (grep_allowgroups_ssh.rc != 0 and (ansible_distribution_major_version | version_compare('10', '<'))) }}"
+    ssh_allowusers:  "{{ (grep_allowusers_ssh.rc == 0) or (grep_allowgroups_ssh.rc != 0 and (ansible_distribution == 'Debian' and ansible_distribution_major_version | version_compare('10', '<'))) }}"
 
 - debug:
     var: ssh_allowgroups

evolinux-users/tasks/sudo.yml

@@ -4,6 +4,6 @@
   when: ansible_lsb.codename == "jessie"
 
 - include: sudo_stretch.yml
-  when: ansible_distribution_major_version | version_compare('9', '>=')
+  when: (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('9', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))
 
 - meta: flush_handlers

evolinux-users/tasks/user.yml

@@ -59,31 +59,32 @@
 
 ## Group for SSH authorizations
 
-- name: "Unix group '{{ evolinux_ssh_group }}' is present (Debian 10 or later)"
+- name: "Unix group '{{ evolinux_ssh_group }}' is present (Debian 10 and Ubuntu 18 or later)"
   group:
     name: "{{ evolinux_ssh_group }}"
     state: present
-  when: ansible_distribution_major_version | version_compare('10', '>=')
+  when: (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('10', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))
 
-- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_ssh_group }}' (Debian 10 or later)"
+- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_ssh_group }}' (Debian 10 and Ubuntu 18 or later)"
   user:
     name: '{{ user.name }}'
     groups: "{{ evolinux_ssh_group }}"
     append: yes
-  when: ansible_distribution_major_version | version_compare('10', '>=')
+  when: (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('10', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))
 
 ## Optional group for all evolinux users
 
-- name: "Unix group '{{ evolinux_internal_group }}' is present (Debian 9 or later)"
+- name: "Unix group '{{ evolinux_internal_group }}' is present (Debian 9 and Ubuntu 18 or later)"
   group:
     name: "{{ evolinux_internal_group }}"
     state: present
   when:
     - evolinux_internal_group is defined
     - evolinux_internal_group != ""
-    - ansible_distribution_major_version | version_compare('9', '>=')
+    - (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('9', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))
 
-- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_internal_group }}' (Debian 9 or later)"
+
+- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_internal_group }}' (Debian 9 and Ubuntu 18 or later)"
   user:
     name: '{{ user.name }}'
     groups: "{{ evolinux_internal_group }}"
@@ -91,7 +92,8 @@
   when:
     - evolinux_internal_group is defined
     - evolinux_internal_group != ""
-    - ansible_distribution_major_version | version_compare('9', '>=')
+    - (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('9', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))
+
 
 ## Optional secondary groups, defined per user
 

evomaintenance/tasks/install_package_ubuntu.yml

@@ -0,0 +1,18 @@
+---
+
+- name: Package is installed
+  apt:
+    deb: 'http://pub.evolix.net/stretch/evomaintenance_0.2.9-1_all.deb'
+  tags:
+    - evomaintenance
+
+- name: Configuration is installed
+  template:
+    src: evomaintenance.j2
+    dest: /etc/evomaintenance.cf
+    owner: root
+    group: root
+    mode: "0600"
+    force: "{{ evomaintenance_force_config | bool }}"
+  tags:
+    - evomaintenance

evomaintenance/tasks/main.yml

@@ -9,15 +9,20 @@
       - evomaintenance_api_key is not none
     msg: evomaintenance api variables must be set
 
+- include: install_package_ubuntu.yml
+  when:
+    - not evomaintenance_install_vendor
+    - ansible_distribution == "Ubuntu"
+
 - include: install_package_debian.yml
   when:
     - not evomaintenance_install_vendor
-    - ansible_distribution == "Debian"
+    - ansible_distribution == "Debian" or ansible_distribution == "Ubuntu"
 
 - include: install_vendor_debian.yml
   when:
     - evomaintenance_install_vendor
-    - ansible_distribution == "Debian"
+    - ansible_distribution == "Debian" or ansible_distribution == "Ubuntu"
 
 - include: install_vendor_openbsd.yml
   when:
@@ -25,4 +30,4 @@
 
 - include: minifirewall.yml
   when:
-    - ansible_distribution == "Debian"
+    - ansible_distribution == "Debian" or ansible_distribution == "Ubuntu"

fluentd/files/fluentd.gpg

@@ -0,0 +1,53 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2
+
+mQINBFhiI8wBEADThWLNd8IKPRw7Ygu3DHS4Sb/Yc6vSZSaMGJ6Wkj245jScvI+C
+nG4C4rtO/8ObUj5cUpb4CyfYZX8W4tp9x+W68c4paXevG4s+X4EE3uUsgdwTnFXi
+GMa57QDzR4p/JvjUjfGJ2UAr4Bfj8Q2S54LmIu6UAe82ce2B4tEHCeYSxkmVUDAZ
+utfmgKoVTbnceTemU0m5ANS6IC1/53KEhgB1sKm5G/FjRJGslHWb3mf+bLrhmlkP
+pA4BOKF2w3eFYH3LhWskxMS0SPM7J6aq+6LyNNqtlKL6lUS7qVjRQ6PlgFcmtG4J
+tijsZI62bDn1f44DmeLY+LMS/nM0xyIx94lYumGH5EYmjUECagqMool98/+Wx79A
+Thtg/1pYNzo8Z76qr0i3xLSRtsQ2Om2Rfal7VGadOrx4sqlkSaUaGI+hBc1r4tNy
+tERvBEMGSf78bWDbdzxSNEW4LUDUpniNQb0DrURfWkqRa3q4WcTJr8lpQM/NmAru
+owayAXQwKob+OIZ09/O69EaqVJ9MqsM3keQouSHShKvzNrppuo3D3z+Dpy05FsYw
+MAiIN7auXxy+XQwCVsKF083YaDHcC0I22GReEgt43yZXQ/b/J9QNrm5nJ+3Cpso3
+jJnMzubuniSOOdd3mXQ6MwgZvWgtH/nPF8oUX9VSGwqNohiKWcxQDxW7qQARAQAB
+tFRUcmVhc3VyZSBEYXRhLCBJbmMgKFRyZWFzdXJlIEFnZW50IE9mZmljaWFsIFNp
+Z25pbmcga2V5KSA8c3VwcG9ydEB0cmVhc3VyZS1kYXRhLmNvbT6JAjcEEwEIACEF
+AlhiI8wCGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQkB+Rd6uXrL5GrhAA
+nh82+caSu9Qu/LW256gN5UjPUFhph66ElT1OVyAR2FoOmz2pJH3t8YYD5cUV2W6/
+xqJDmjl+vnL2HBgxjHKRCo2K3hrq6z4LoU7SpWDI1cZ03lkjh1yNx13S+9JvZNlp
+jit0WRIspke0n0vWSpNo4nh19Yg3EA1c+vGeHnmlYo6xwRHu6XOhhCwywtFRGC3a
+iMJzAV4N69ZU6P5VZZkC6LjYYQtF4aI10COLZ4AcObH2htGAZTj2KlZfdJHmr+Oa
+wY57giUYz7OF45LLCuqe+VwpGp2d3UK/MtCnXRLi5InMVJKDvyt18MzRDFuyA27e
+WSt+JumVqhEjawh3hmdzIS1cHKmv19gdeE8On2i2Lf8lyek8fsB/YPgADAmp2oSe
+cjLu0ocGbgxRjuCR29+6IG+DiUDFCkqFZNdLiGVqzjpjpYHaPhVe77ciwA8TCPru
+3dh5t/qv2HglSd7lj95IApZBtny5AK8NS4qtaOeZbBbbDRuOPL0c7fU3bqyIPy57
+zvdYi3KdjWZVCawcAmk3ILP83eFSivCRPRoyCqO+HX8U647BBWvlFuEbPa+Y1sgE
+12MEF/Y6VVJh3Ptw+h/qKRbra4LdA+5Y30q/9l6WGgbO/4h3NKmGeVCrAFvS3h92
+fS0ABYD1nAP7fSNS9RfYIqfBXtJem+tJ14YKJwWiAYW5Ag0EWGIjzAEQAMw5EMJu
+RBFRdhXD5UeA7I7wwkql/iYof8ydUALBxh9NSpmwaACkb4Me6h/rHdVsPRO3vIoo
+uXftSjkRk2frjziihfEdeYxYU5PPawZxwCRDInr/OLZmcCCA2yCkRnFBhZxQy8NW
+iJz0tlJtohhuJ7NRK7+HVJ3rPrtoV1lZVricDrB7DdVySp+7VciEM/XQhKKlesyd
+gYXic4fx7xvPS6hRmH/fNVdvFobIhQBNUuPfKJeKpeJqPHeqkCNRz1Kl6NW9XXBq
+hNyAlC7SPdKmjsv4UVIcFLUXP5wv7nprtEh15LoDlJCvFEF/iDJzaWI3QeVqY8XS
+EI77WNsA/w7nlVNO3lGOPMjW8cxn4Jd2s4lpNa/e+RfrG/PD+ODSS92ISkuihBIU
+Z2XeFa1xjQ1ayint4lVe3FGWTBJjqK8qX3JaOVeUD0AlSWqFcJzI7KxfNtVZCOaZ
+WL/PVG124A118AUMFEWfb3r2Le8ddl+AKFP5Etsb+00VEWL06VPDampJIHanGjyX
+h3dZkzORO3l3dt/P6embimic2QDOmO5x+wESnD8spITPKDl9OuqebCB8Z2oShnnG
++xhKDl045UFCPMVOXLb4kHonBmN2wBT/GIh4qqZj/7mm6r4P194HzN8LQuZsloJs
+A6tnEpEmSe33xBDfGAeS0eNxFiATGwAcCRyRABEBAAGJAh8EGAEIAAkFAlhiI8wC
+GwwACgkQkB+Rd6uXrL559w/9GfoTxZS+VJQsQc1inW9YKZaWl99Hd4u8CGhE057S
+zvzMnIH6fcgib3m+TelevplSEN1QN1GGTvn95n8JQ8RX36xy8SQVzrPIlO4gXGAF
+J1uHmSp3SSplrwKIBQk3MORrfbTg78CN9527GCQHih8+qgB3IYe23NhsKLre3mbZ
+h9NAWOeMsBF0jG0c0Cu3/F8muY2XSTqENB8R263YJsQSC3qaiaq9TtstisOe/HWK
+yQix2Hofg3H96dZXsqbQEvxgyema+A6ptCm7S66eSYoPPeXQaraTsz6nLlVtvhSD
+kll2axjAK4NDbSjJuZI/54CkO+FB00bkXDxPFgnfDPWgvPMF1cBuuX0QN1BO8n4C
+eA9zyBBdTw9bbzO1kRdeBHLa7n845ecVbEh15Hvtf20/CJB9ua+qRlcXtgxhUf3+
+pm/xbAM22z/F3+RsLwGOG8T0Vy2q//VVqLxSFlawiZW9RkClKyV6A1KH0EA6W84d
+GcxiDgwrBHd+d40s3VDE/Wlmj0w73xeebEaXCmaTO/Hp5DIA64LfXHB2ckvwv15I
+ISQV2g55+ghnwaD/02uGCGpJl0zJgQ+PKvrFAz+wIUqrQJxXP4epqWycmzG98T7g
+pi20lwzO87S6b1GIL9t6Q/Zge8bbB7lG5mBR2U5XyGhfHXGaHTb6nQQYh3hCet8G
+5Ow=
+=Me4L
+-----END PGP PUBLIC KEY BLOCK-----

fluentd/tasks/main.yml

@@ -2,7 +2,8 @@
 
 - name: Fluentd GPG key is installed
   apt_key:
-    url: https://packages.treasuredata.com/GPG-KEY-td-agent
+    # url: https://packages.treasuredata.com/GPG-KEY-td-agent
+    data: "{{ lookup('file', 'fluentd.gpg') }}"
   tags:
     - packages
     - fluentd

lxc-php/README.md

@@ -0,0 +1,23 @@
+# lxc-php
+
+Create LXC containers and install all the required PHP packages as a way to use multiple PHP version on Debian.
+
+*note : this role depend on the lxc role.*
+
+## Tasks
+
+Everything is in the `tasks/main.yml` file.
+
+## Available variables
+
+As this role depend on the lxc role, please refer to it for a variable exhaustive list.
+
+Here is the list of available variables for the PHP part:
+
+* `php_conf_short_open_tag` Default: `"Off"`
+* `php_conf_expose_php` Default: `"Off"`
+* `php_conf_display_errors` Default: `"Off"`
+* `php_conf_log_errors` Default: `"On"`
+* `php_conf_html_errors` Default: `"Off"`
+* `php_conf_allow_url_fopen` Default: `"Off"`
+* `php_conf_disable_functions` Default: `"exec,shell-exec,system,passthru,putenv,popen"`

lxc-php/tasks/php.yml

@@ -46,27 +46,6 @@
   command: "lxc-attach -n {{name}} -- apt-get install -y php7.3 php7.3-fpm php7.3-cli php7.3-curl php7.3-mysql php7.3-pgsql php7.3-ldap php7.3-imap php7.3-gd php-ssh2 php-gettext composer libphp-phpmailer ssmtp git zip unzip php7.3-zip"
   when: name == 'php73'
 
-- name: Remove default FPM 5.6 pool
-  file:
-    name: "/var/lib/lxc/{{name}}/rootfs/etc/php5/fpm/pool.d/www.conf"
-    state: absent
-  notify: "Reload {{name}}-fpm"
-  when: name == 'php56'
-
-- name: Remove default FPM 7.0 pool
-  file:
-    name: "/var/lib/lxc/{{name}}/rootfs/etc/php/7.0/fpm/pool.d/www.conf"
-    state: absent
-  notify: "Reload {{name}}-fpm"
-  when: name == 'php70'
-
-- name: Remove default FPM 7.3 pool
-  file:
-    name: "/var/lib/lxc/{{name}}/rootfs/etc/php/7.3/fpm/pool.d/www.conf"
-    state: absent
-  notify: "Reload {{name}}-fpm"
-  when: name == 'php73'
-
 - name: Copy evolinux PHP 5.6 configuration
   template:
     src: z-evolinux-defaults.ini.j2

lxc-solr/README.md

@@ -0,0 +1,27 @@
+# lxc-solr
+  
+Create one or more LXC containers with Solr in the version of your choice.
+
+*note : this role depend on the lxc role.*
+
+## Tasks
+
+Everything is in the `tasks/main.yml` file.
+
+## Available variables
+
+Since this role depend on the lxc role, please refer to it for a full variable list related to the lxc containers setup.
+
+* `lxc_containers`: list of LXC containers to create. Default: `[]` (empty).
+  * `name`: name of the LXC container to create.
+  * `release`: Debian version to install
+  * `solr_version`: Solr version to install *(refer to https://archive.apache.org/dist/lucene/solr/ for a full version list)*
+  * `solr_port`: port for Solr to listen on
+  Eg.:
+  ```
+  lxc_containers:
+    - name: solr8
+      release: stretch
+      solr_version: 6.6.6
+      solr_port: 8983
+   ```

lxc-solr/defaults/main.yml

@@ -0,0 +1,18 @@
+---
+# List of LXC containers to create alongside with the version of Solr to install for each of them
+# Eg.:
+# lxc_containers:
+#   - name: solr6
+#     release: stretch
+#     solr_version: 6.6.6
+#     solr_port: 8983
+#   - name: solr7
+#     release: stretch
+#     solr_version: 7.7.2
+#     solr_port: 8984
+#   - name: solr8
+#     release: stretch
+#     solr_version: 8.1.1
+#     solr_port: 8985
+lxc_containers: []
+

lxc-solr/tasks/main.yml

@@ -0,0 +1,16 @@
+---
+- name: LXC configuration
+  include_role:
+    name: lxc
+
+- name: Ensure containers root directory is 755
+  file:
+    path: "/var/lib/lxc/{{ item.name }}/rootfs"
+    state: directory
+    mode: '0755'
+  with_items:
+    - "{{ lxc_containers }}"
+
+- include: "solr.yml name={{item.name}} solr_version={{item.solr_version}} solr_port={{item.solr_port}}"
+  with_items:
+    - "{{ lxc_containers }}"

lxc-solr/tasks/solr.yml

@@ -0,0 +1,42 @@
+---
+- name: Install openjdk-8-jre-headless and lsof packages
+  command: "lxc-attach -n {{name}} -- apt-get install -y openjdk-8-jre-headless lsof"
+
+- name: "Download Solr {{ solr_version }}"
+  get_url:
+    url: "https://archive.apache.org/dist/lucene/solr/{{ solr_version }}/solr-{{ solr_version }}.tgz"
+    dest: "/var/lib/lxc/{{ name }}/rootfs/root/solr-{{ solr_version }}.tgz"
+    mode: '0644'
+
+- name: "Extract solr-{{ solr_version }}.tgz"
+  unarchive:
+    src: /var/lib/lxc/{{ name }}/rootfs/root/solr-{{ solr_version }}.tgz
+    dest: /var/lib/lxc/{{ name }}/rootfs/root/
+    remote_src: yes
+
+- name: "Install Solr {{ solr_version }}"
+  command: "lxc-attach -n {{name}} -- /root/solr-{{ solr_version }}/bin/install_solr_service.sh /root/solr-{{ solr_version }}.tgz"
+
+- name: "Stop Solr"
+  command: "lxc-attach -n {{name}} -- /etc/init.d/solr stop"
+  ignore_errors: True
+
+- name: "Make sure /home/solr exists"
+  file:
+    path: /home/solr
+    state: directory
+    mode: '0755'
+
+- name: "Move Solr data directory to /home/solr/{{name}}"
+  command: "lxc-attach -n {{name}} -- mv /var/solr /home/solr/{{name}}"
+
+- name: "Create a symbolic link to /home/solr/{{name}}"
+  command: "lxc-attach -n {{name}} -- ln -s /home/solr/{{name}} /var/solr"
+
+- name: "Set Solr port to {{ solr_port }}"
+  lineinfile:
+    dest: /var/lib/lxc/{{ name }}/rootfs/etc/default/solr.in.sh
+    line: "SOLR_PORT={{ solr_port }}"
+
+- name: "Start Solr"
+  command: "lxc-attach -n {{name}} -- /etc/init.d/solr start"

lxc-solr/templates/rc.local.j2

@@ -0,0 +1,3 @@
+#!/bin/bash
+/opt/solr-{{ solr_version }}/bin/solr start -p {{ solr_port }} -force
+exit 0

lxc/tasks/main.yml

@@ -3,9 +3,9 @@
   apt:
     name: '{{ item }}'
   with_items:
-  - lxc
-  - debootstrap
-  - xz-utils
+    - lxc
+    - debootstrap
+    - xz-utils
 
 - name: Copy LXC default containers configuration
   template:
@@ -21,8 +21,13 @@
 
 - name: Add subuid and subgid ranges to root
   command: usermod -v 100000-199999 -w 100000-109999 root
-  when: lxc_unprivilegied_containers and root_subuids.rc
+  when:
+    - lxc_unprivilegied_containers
+    - root_subuids.rc
 
 - name: Create containers
-  include: "create-container.yml name={{item.name}} release={{item.release}}"
+  include: create-container.yml
+  vars:
+    name: "{{ item.name }}"
+    release: "{{item.release}}"
   with_items: "{{lxc_containers}}"

minifirewall/defaults/main.yml

@@ -29,7 +29,18 @@ minifirewall_private_ports_udp: []
 # Keep a null value to leave the setting as is
 # otherwise use an Array, eg. "minifirewall_ssh_ok: ['0.0.0.0/0']"
 minifirewall_dns_servers: Null
-minifirewall_http_sites: Null
+
+minifirewall_http_sites: 
+  - pub.evolix.net 
+  - mirror.evolix.org 
+  - hwraid.le-vert.net 
+  - antispam00.evolix.org 
+  - spamassassin.apache.org 
+  - sa-update.space-pro.be 
+  - sa-update.secnap.net 
+  - www.sa-update.pccc.com 
+  - sa-update.dnswl.org
+  
 minifirewall_https_sites: Null
 minifirewall_ftp_sites: Null
 minifirewall_ssh_ok: Null
@@ -37,6 +48,16 @@ minifirewall_smtp_ok: Null
 minifirewall_smtp_secure_ok: Null
 minifirewall_ntp_ok: Null
 
+minifirewall_default_debian_http_sites:
+  - security.debian.org
+  - security-cdn.debian.org 
+  - volatile.debian.org
+  - backports.debian.org
+
+minifirewall_default_ubuntu_http_sites:
+  - archive.ubuntu.com
+  - security.ubuntu.com
+
 minifirewall_autostart: False
 minifirewall_restart_if_needed: True
 minifirewall_restart_force: False

minifirewall/files/minifirewall.conf

@@ -50,7 +50,7 @@ DNSSERVEURS='0.0.0.0/0'
 # HTTP authorizations
 # (you can use DNS names but set cron to reload minifirewall regularly)
 # (if you have HTTP proxy, set 0.0.0.0/0)
-HTTPSITES='security.debian.org security-cdn.debian.org pub.evolix.net volatile.debian.org mirror.evolix.org backports.debian.org hwraid.le-vert.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org'
+HTTPSITES=''
 
 # HTTPS authorizations
 HTTPSSITES='0.0.0.0/0'

minifirewall/tasks/config.yml

@@ -120,7 +120,22 @@
     line: "HTTPSITES='{{ minifirewall_http_sites | join(' ') }}'"
     regexp: "HTTPSITES='.*'"
     create: no
-  when: minifirewall_http_sites is not none
+
+- name: Configure HTTPSITES for debian
+  lineinfile:
+    dest: "{{ minifirewall_main_file }}"
+    line: "HTTPSITES='{{ minifirewall_default_debian_http_sites | join(' ') }} {{ minifirewall_http_sites | join(' ') }}'"
+    regexp: "HTTPSITES='.*'"
+    create: no
+  when: ansible_distribution == "Debian"
+
+- name: Configure HTTPSITES for ubuntu
+  lineinfile:
+    dest: "{{ minifirewall_main_file }}"
+    line: "HTTPSITES='{{ minifirewall_default_ubuntu_http_sites | join(' ') }} {{ minifirewall_http_sites | join(' ') }}'"
+    regexp: "HTTPSITES='.*'"
+    create: no
+  when: ansible_distribution == "Ubuntu"
 
 - name: Configure HTTPSSITES
   lineinfile:

mysql/tasks/utils.yml

@@ -75,6 +75,18 @@
   tags:
     - mysql
 
+# Percona Toolkit
+
+- name: "Install percona-toolkit (Debian 9 or later)"
+  apt:
+    name: percona-toolkit
+    state: present
+  tags:
+    - packages
+    - percona-toolkit
+    - mysql
+  when: ansible_distribution_major_version | version_compare('9', '>=')
+
 # automatic optimizations
 
 - include_role:

rbenv/defaults/main.yml

@@ -1,6 +1,6 @@
 ---
 rbenv_version: v1.1.2
-rbenv_ruby_version: 2.5.5
+rbenv_ruby_version: 2.6.3
 rbenv_root: "~/.rbenv"
 rbenv_repo: "https://github.com/rbenv/rbenv.git"
 rbenv_plugins:

webapps/evoadmin-web/handlers/main.yml

@@ -5,5 +5,10 @@
     name: apache2
     state: reloaded
 
+- name: restart apache2
+  service:
+    name: apache2
+    state: restarted
+
 - name: newaliases
   command: newaliases

webapps/evoadmin-web/tasks/web.yml

@@ -46,3 +46,10 @@
     owner: evoadmin
     group: evoadmin
     force: no
+
+- name: Enable proxy_fcgi
+  apache2_module:
+    state: present
+    name: proxy_fcgi
+  notify: restart apache2
+  when: evoadmin_multi_php == True

webapps/evoadmin-web/templates/web-add.conf.j2

@@ -1,5 +1,5 @@
 CONTACT_MAIL="{{ evoadmin_contact_email or general_alert_email | mandatory }}"
 WWWBOUNCE_MAIL="{{ evoadmin_bounce_email or general_alert_email | mandatory }}"
-{% if evoadmin_multi_php == "True" %}
+{% if evoadmin_multi_php == True %}
 PHP_VERSIONS=(56 70 73)
 {% endif %}