evolix/ansible-roles
22
2
Fork 2
Code Issues 61 Pull requests 18 Releases 32 Wiki Activity

Compare commits

base: evolix:stable
Branches Tags
evolix:stable
evolix:unstable
evolix:patroni
evolix:etcd
evolix:jitsimeet
evolix:monitoringctl
evolix:bind
evolix:peertube
evolix:wip_10691
evolix:multi-php-v2
evolix:etherpad
evolix:gitea
evolix:add-drbd-firewall-rule
evolix:backports_preferences
evolix:migrate-vm-error-handling
evolix:evofs
evolix:goto-postfix-role
evolix:lxc-php82
evolix:timesyncd
evolix:noopensshinlxc
evolix:ssh-split
evolix:rsyslog-remote
evolix:emorino/patroni-etcd
evolix:jitsimeet_docker
evolix:hedgedoc
evolix:privatebin
evolix:mattermost
evolix:p10166-mastodon
evolix:replace_include
evolix:when-not-check
evolix:fix_lxc_php56_debian10
evolix:debian12
evolix:boost-proxy
evolix:debian12-keyring
evolix:evodomains
evolix:vrrp-addresses
evolix:lxc_etc-git
evolix:lxc_etc-commit
evolix:evoacme-v2
evolix:sshd_modular_config
evolix:exclusion_images_evobackup
evolix:rotate_elasticsearch_logs
evolix:evobackup_tags_redux
evolix:log2mail-beats
evolix:T47076
evolix:kvm-guest
evolix:lpoujol/fpm-php
evolix:lxc-php-buster
evolix:simplify-evolinux-users
evolix:openvpn
evolix:newkernel
evolix:etc-git-status-script
evolix:ubuntu
evolix:nagios-sudoers
evolix:configurable-swapiness
evolix:alert5-minifirewall-restart
evolix:fail2ban_ips_tag
evolix:audit-ftpadmin
evolix:projet6062
evolix:whitelisting-changes
evolix:uvrrpd
evolix:packweb-apache-lxc
evolix:backup/jlecour/ssh-groups
evolix:nextcloud
evolix:backup/jlecour/nextcloud
evolix:evoadmin-mail
evolix:haproxy_munin
evolix:evolinux-users
evolix:ansible-log
evolix:ansible-managed
evolix:apache-fix-default-vhost
evolix:ipsec
evolix:courier
evolix:spamassassin
evolix:samba
evolix:munin-openbsd
evolix:24.03
evolix:24.02.1
evolix:24.02
evolix:23.10
evolix:23.04
evolix:23.03.1
evolix:23.03
evolix:22.12
evolix:22.09
evolix:22.07.1
evolix:22.07
evolix:22.06.3
evolix:22.06.2
evolix:22.06.1
evolix:22.06
evolix:22.05.1
evolix:22.05
evolix:22.03
evolix:22.01.3
evolix:22.01.2
evolix:22.01.1
evolix:22.01
evolix:10.6.0
evolix:10.5.1
evolix:10.5.0
evolix:10.4.0
evolix:10.3.0
evolix:10.2.0
evolix:10.1.0
evolix:10.0.0
evolix:9.10.1
evolix:9.10.0
evolix:9.9.0
evolix:9.8.0
evolix:9.7.0
evolix:9.6.0
evolix:9.5.0
evolix:9.4.2
evolix:9.4.1
evolix:9.4.0
evolix:9.3.2
evolix:9.3.1
evolix:9.3.0
evolix:9.2.0
evolix:9.1.9
evolix:9.1.8
evolix:9.1.7
evolix:9.1.6
evolix:9.1.5
evolix:9.1.4
evolix:9.1.3
evolix:9.1.2
evolix:9.1.1
evolix:9.1.0
evolix:9.0.1
evolix:9.0.0
..
compare: evolix:22.12
Branches Tags
evolix:unstable
evolix:patroni
evolix:etcd
evolix:jitsimeet
evolix:monitoringctl
evolix:bind
evolix:stable
evolix:peertube
evolix:wip_10691
evolix:multi-php-v2
evolix:etherpad
evolix:gitea
evolix:add-drbd-firewall-rule
evolix:backports_preferences
evolix:migrate-vm-error-handling
evolix:evofs
evolix:goto-postfix-role
evolix:lxc-php82
evolix:timesyncd
evolix:noopensshinlxc
evolix:ssh-split
evolix:rsyslog-remote
evolix:emorino/patroni-etcd
evolix:jitsimeet_docker
evolix:hedgedoc
evolix:privatebin
evolix:mattermost
evolix:p10166-mastodon
evolix:replace_include
evolix:when-not-check
evolix:fix_lxc_php56_debian10
evolix:debian12
evolix:boost-proxy
evolix:debian12-keyring
evolix:evodomains
evolix:vrrp-addresses
evolix:lxc_etc-git
evolix:lxc_etc-commit
evolix:evoacme-v2
evolix:sshd_modular_config
evolix:exclusion_images_evobackup
evolix:rotate_elasticsearch_logs
evolix:evobackup_tags_redux
evolix:log2mail-beats
evolix:T47076
evolix:kvm-guest
evolix:lpoujol/fpm-php
evolix:lxc-php-buster
evolix:simplify-evolinux-users
evolix:openvpn
evolix:newkernel
evolix:etc-git-status-script
evolix:ubuntu
evolix:nagios-sudoers
evolix:configurable-swapiness
evolix:alert5-minifirewall-restart
evolix:fail2ban_ips_tag
evolix:audit-ftpadmin
evolix:projet6062
evolix:whitelisting-changes
evolix:uvrrpd
evolix:packweb-apache-lxc
evolix:backup/jlecour/ssh-groups
evolix:nextcloud
evolix:backup/jlecour/nextcloud
evolix:evoadmin-mail
evolix:haproxy_munin
evolix:evolinux-users
evolix:ansible-log
evolix:ansible-managed
evolix:apache-fix-default-vhost
evolix:ipsec
evolix:courier
evolix:spamassassin
evolix:samba
evolix:munin-openbsd
evolix:24.03
evolix:24.02.1
evolix:24.02
evolix:23.10
evolix:23.04
evolix:23.03.1
evolix:23.03
evolix:22.12
evolix:22.09
evolix:22.07.1
evolix:22.07
evolix:22.06.3
evolix:22.06.2
evolix:22.06.1
evolix:22.06
evolix:22.05.1
evolix:22.05
evolix:22.03
evolix:22.01.3
evolix:22.01.2
evolix:22.01.1
evolix:22.01
evolix:10.6.0
evolix:10.5.1
evolix:10.5.0
evolix:10.4.0
evolix:10.3.0
evolix:10.2.0
evolix:10.1.0
evolix:10.0.0
evolix:9.10.1
evolix:9.10.0
evolix:9.9.0
evolix:9.8.0
evolix:9.7.0
evolix:9.6.0
evolix:9.5.0
evolix:9.4.2
evolix:9.4.1
evolix:9.4.0
evolix:9.3.2
evolix:9.3.1
evolix:9.3.0
evolix:9.2.0
evolix:9.1.9
evolix:9.1.8
evolix:9.1.7
evolix:9.1.6
evolix:9.1.5
evolix:9.1.4
evolix:9.1.3
evolix:9.1.2
evolix:9.1.1
evolix:9.1.0
evolix:9.0.1
evolix:9.0.0

No commits in common. "stable" and "22.12" have entirely different histories.
stable ... 22.12

697 changed files with 5584 additions and 15333 deletions
Show stats Expand all files Collapse all files

14
.Jenkinsfile
View file

@ -6,20 +6,6 @@ pipeline {
}
stages {
stage('Anible Lint') {
agent {
docker {
image 'evolix/ansible-lint:latest'
}
}
steps {
script {
sh 'for role_dir in ./*/; do HOME=$WORKSPACE_TMP ansible-lint -p $role_dir || : ; done'
recordIssues(tools: [ansibleLint()])
}
}
}
stage('Build tagged docker image') {
when {
buildingTag()

1
.gitignore vendored
View file

@ -2,4 +2,3 @@
.kateproject.d
.vagrant/
*.swp
.vscode

4
.markdownlint.json
View file

@ -1,4 +0,0 @@
{
"MD013": false,
"MD024": false
}

8
.vscode/settings.json vendored
View file

@ -1,8 +0,0 @@
{
"files.associations": {
"*.yml": "ansible",
"*.yaml": "ansible"
},
"yaml.format.enable": false,
"ansible.python.interpreterPath": "/bin/python"
}

395
CHANGELOG.md
View file

@ -1,5 +1,4 @@
# Changelog
All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
@ -21,310 +20,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
### Security
## [24.03] 2024-03-01
### Added
* autosysadmin-agent: upstream release 24.03
* autosysadmin-restart_nrpe: add role
* certbot: Renewal hook for NRPE
* kvm-host: add minifirewall rules if DRBD interface is configured
### Changed
* apt: add ftp.evolix.org as recognized system source
* autosysadmin-agent: logs clearing is done weekly
* autosysadmin-agent: rename /usr/share/scripts/autosysadmin/{auto,restart}
* certbot: use pkey to test the key
* evolinux-base: execute autosysadmin-agent and autosysadmin-restart_nrpe roles
* lxc-php, php: Update sury PGP key
* openvpn: earlier alert for CA expiration
* redis: create sysfs config file if missing
### Removed
* autosysadmin: replaced by autosysadmin-agent
## [24.02.1] 2024-02-08
### Fixed
* fail2ban: fix Ansible syntax
## [24.02] 2024-02-08
### Added
* Support for PHP 8.3 with bookworm LXC containers
* apt: add task file to install ELTS repository (default: False)
* autosysadmin: Add a role to automatically deploy autosysadmin on evolixisation
* check_free_space: added role
* etc-git: add /var/chroot-bind/etc/bind repo
* fail2ban: add script unban_ip
* generateldif: new Services for check_pressure_{cpu,io,mem}
* kvm-host: Automatically add an LVM filter when LVM is present
* lxc-php: Allow one to install php83 on Bookworm container
* minifirewall: Fix nagios check for old versions of minifirewall
* mongodb: add gpg key for 7.0
* nagios-nrpe: add check_sentinel for monitoring Redis Sentinel
* nagios-nrpe: new check_pressure_{cpu,io,mem}
* remount-usr: do not try to remount /usr RW if /usr is not a mounted partition
* vrrpd: configure minifirewall
* vrrpd: test if interface exists before deleting it
* webapps/evoadmin-mail: package installed via public.evolix.org/evolix repo starting with Bookworm
* webapps/nextcloud: Add condition for archive tasks
* webapps/nextcloud: Add condition for config tasks
* webapps/nextcloud: Added var nextcloud_user_uid to enforce uid for nextcloud user
* webapps/nextcloud: Set ownership and permissions of data directory
### Changed
* add-vm.sh: allow VM name max length > 20
* amavis: make ldap_suffix mandatory
* apache : fix goaway pattern for bad bots
* apache : rename MaxRequestsPerChild to MaxConnectionsPerChild (new name)
* apache: use backward compatible Redirect directive
* apt: Disable archive repository for Debian 8
* apt: Use the GPG version of the key for Debian 8-9
* bind: Update role for Buster, Bullseye and Bookworm support
* dovecot: add variables for LDAP
* dovecot: Munin plugin conf path is now `/etc/munin/plugin-conf.d/zzz-dovecot` (instead of `z-evolinux-dovecot`)
* evocheck: upstream release 24.01
* evolinux-base: dump-server-state upstream release 23.11
* evolinux-base: use separate default config file for rsyslog
* kvmstats: use .capacity instead of .physical for disk size
* ldap: make ldap_suffix mandatory
* listupgrade : old-kernel-removal.sh upstream release 24.01
* log2mail: move custom config in separate file
* lxc: init /etc git repository in lxc container
* mysql: disable performance schema for Debian 8
* nagios: add dockerd check in nrpe check template
* nagios: cleaning nrpe check template
* nagios: rename var `nagios_nrpe_process_processes` into `nagios_nrpe_processes` and check systemd-timesyncd instead of ntpd in Debian 12
* nagios: add option --full to check pressure IO and mem to avoid flaps
* proftpd: in SFTP vhost, enable SSH keys login, enable ed25549 host key for Debian >= 11
* redis: manage config template inside a block, to allow custom modifications outside
* spamassassin: Use spamd starting with Bookworm
* squid: config directory seems to have changed from /etc/squid3 to /etc/squid in Debian 8
* unbound: Add config file to allow configuration reload on Debian 11 and lower
* unbound: Add munin configuration & setup plugin
* unbound: Big cleanup
* unbound: Move generated config file to `/etc/unbound/unbound.conf.d/evolinux.conf`
* unbound: Use root hints provided by debian package dns-root-data instead of downloading them
* vrrpd: replace switch script with custom one (fix MAC issue, use `ip(8)`, shell cleanup…)
* vrrpd: variable to force update the switch script (default: false)
* webapps/nextcloud: Add Ceph volume to fstab
* webapps/nextcloud: Set home directory's mode
### Fixed
* Add php-fpm82 to LDAP when relevant
* Check stat.exists before stat.isdir
* apache: fix MaxRequestsPerChild value to be sync with wiki.e.o
* apt: use archive.debian.org with Stretch
* certbot: fix hook for dovecot when more than one certificate is used (eg. different certificates for POP3 and IMAP)
* dovecot: add missing LDAP conf iterate_filter to exclude disabled accounts in users list (caused « User no longer exists » errors in commands listing users like « doveadm user -u '*' » or « doveadm expunge -u "*" mailbox INBOX savedbefore 7d »).
* dovecot: fix missing default mails
* dovecot: fix plugin dovecot1
* evoadmin-web: Fix PHP version for Bookworm
* evolinux-base: fix hardware.yml (wrong repo, missing update cache)
* evolinux-base: start to install linux-image-cloud-amd64 with Buster
* fail2ban: fix template marker
* minifirewall: ports 25, 53, 443, 993, 995 not opened publicly by default anymore, ports 20, 21, 110, 143 not opened semi-publicly by default anymore.
* nagios: fix default file to monitor for check_clamav_db
* nginx: add "when: not ansible_check_mode" in various tasks to prevent fail in check mode
* nginx: fix mistake between "check_mode: no" and "when: not ansible_check_mode" (fail in check mode)
* nginx: fix mistake between "check_mode: no" and "when: not ansible_check_mode" (fail in check mode)
* nginx: keep indentation
* nginx: take care of « already defined » and « not yet defined » server status suffix in check mode
* php: Bullseye/Sury > Honor the php_version asked in the pub.evolix.org repository
* php: drop apt_preferences(5) file for sury
* postfix: remove dependency on evolinux_fqdn var
* proftpd: set missing default listen IP for SFTP
* roundcube: set default SMTP port to 25 instead of 587, which failed because of missing SSL conf (local connexion does not need SSL)
* ssl: no not execute haproxy tasks and reload if haproxy is disabled
* unbound: Add a apt cache validity to enforce an apt update if needed
* webapps/nextcloud: added check that nextcloud uid is over 3000
* webapps/nextcloud: fix Add Ceph volume to fstab : missing UUID= in src
* webapps/nextcloud: fix misplaced gid attribute
* webapps/nextcloud: fix missing gid
* webapps/roundcube & evoadminmail: make roles more idempotent (were failing when played twice)
* amavis: Add variables for generate "ldap_suffix"
* proftpd: fix error when no SSH key is provided
### Removed
* evolinux-base: no need to remove update-evobackup-canary from sbin anymore
* evolinux-base: no need to symlink backup-server-state to dump-server-state anymore
## [23.10] 2023-10-14
### Added
* apt: disable `NonFreeFirmware` warning for VM on Debian 12+
* apt: explicit `signed-by` directives for official sources
* bind: add reload-zone helper
* certbot: deploy-hook for proftpd
* docker-host: added var for user namespace setting
* dovecot: add Munin plugins dovecot1 and dovecot_stats (patched)
* dovecot: fix old_stats plugin for Dovecot 2.3
* evocheck: add support for Debian >= 12 split SSH configuration
* evolinux-base: add split SSH configuration for Debian >= 12
* evolinux-base: configure `.bashrc` for all users
* evolinux-base: New variable `evolinux_system_include_ntpd` to chose wether or not to include `ntpd` role
* evolinux-base: reboot the server if the Cloud kernel has been installed
* evolinux-users: add split SSH configuration for Debian >= 12
* evolinux: install HPE Agentless Management Service (amsd)
* fail2ban: add default variable fail2ban_dbpurgeage_default
* fail2ban: add `fail2ban_sshd_port` variable to configure sshd port
* kvm-host: release 23.10 for migrate-vm.sh
* metricbeat/logstash: fix Ansible syntax
* mysql: new munin graph to follow binlog_days over time
* nagios-nrpe: add a NRPE check-local command with completion.
* nagios-nrpe: add a proper monitoring plugin for GlusterFS (on servers, not for clients)
* php: add new variable to disable overriding settings of php-fpm default pool (www)
* policy_pam: New role to manage password policy with `pam_pwquality` & `pam_pwhistory`
* userlogrotate: add a `userlogpurge` script disabled by default
* userlogrotate: new version, with separate conf file
* userlogrotate: rotate also php.log
* java: allow version 17
* timesyncd: new role, used instead of ntpd by default starting with Debian 12
### Changed
* all: change syntax "become: [yes,no]" → "become: [true,false]"
* all: change syntax "force: [yes,no]" → "force: [true,false]"
* elasticsearch: improve networking configuration
* evolinux-base: include files under `sshd_config.d`
* evolinux-users: remove Stretch references in tasks that also apply to next Debian versions
* evomaintenance: upstream release 23.10.1
* lxc-php: change LXC container in bookworm for php82
* minifirewall: update nrpe script to check active configuration
* minifirewall: upstream release 23.07
* mysql: improve shell syntax for mysql_skip script
* nagios-nrpe: set default check_load --per-cpu for BSD
* pgbouncer: minor fixes
* postfix (packmail or when postfix_slow_transport_include is True): change `miniprofmal_backoff_time` from 2h to 15m (see HowtoPostfix)
* postfix (packmail) : optimize Amavis integration
* postfix: disable sending mails via IPv6
* postfix: new spam.sh update script that avoids reloading if files did not change.
* postgresql: fix file `postgresql.pref.j2` for exclude package
* postgresql: fix task `update apt cache` for PGDG repo
* redis: standardize plugins path from `/usr/local/share/munin/` to `/usr/local/lib/munin/plugins/`
* varnish: allow the systemd template to be overridden with a template outside of the role
* lxc: purge openssh-server from container on install
### Fixed
* elasticsearch: comment the `Xlog:gc` line instead of changing it completely
* evocheck: fix IS_SSHALLOWUSERS condition
* evolinux-base, evolinux-users: Fix files mode under `/etc/ssh/sshd_config.d`
* evolinux-base: fix file extension
* fail2ban: fix cron `fail2ban_dbpurge` (should be bash instead of sh)
* lxc-php: fix APT keyring path inside containers
* nagios-nrpe: `check_ssl_local` now has an output that nrpe can understand when it isn't OK
* nagios-nrpe: remount `/usr` **after** installing the packages
* nagios-nrpe: sync Redis check from redis roles
* nginx: set default server directive in default vhost
* opendkim: update apt cache before install
* packweb-apache,nagios-nrpe: add missing task and config for PHP 8.2 container
* postfix: add missing `localhost.$mydomain` to `mydestination`
* redis: replace erroneous `ini_file` module for Munin config, fix dedicated Munin config filename (z-XXX).
* evolinux-base: use lineinfile instead of replace under root task
* evolinux-base: Corriger autorisation pour evolinux_user
* docker-host: Retirer directive state en trop
* rbenv: Installer libyaml-dev
### Removed
* dovecot: remove Munin plugin dovecot (not working)
## [23.04] 2023-04-23
### Added
* graylog: new role
* lxc-php: add support for PHP 8.2 container
### Changed
* Use FQCN (Fully Qualified Collection Name)
* apt: with Debian 12, backports are installed but disabled by default
* openvpn: updated the README file
* pgbouncer: add handler to restart the service
### Fixed
* generate-ldif: Support for Debian 12
## [23.03.1] 2023-03-16
### Added
* pgbouncer: new role
### Changed
* apt: deb822 migration python script is looked relative to shell script
* listupgrade: remove old typo version of the cron task
* minifirewall: support protocols in numeric form
## [23.03] 2023-03-16
### Added
* apache: add task to enable mailgraph on default vhost and index.html
* apt: add move-apt-keyrings script/tasks
* apt: add tools to migrate sources to deb822 format
* fail2ban: add "Internal login failure" to Dovecot filter
* lxc: copy `/etc/profile.d/evolinux.sh` from host into container
* nagios-nrpe: add tasks/files for a wrapper
* nagios-nrpe: Print pool config path in check_phpfpm_multi output
* php: add `php_version` variable when sury is activated for each Debian version
* php: add a way to choose which version to install using sury repository
* postfix: Add task to enable mailgraph on packmail
* postgresql: configure max_connections
* userlogrotate: create dedicated role, separated from packweb-apache
* varnish: add `varnish_update_config` variable to disable configuration update
### Changed
* Use systemd module instead of command
* Removed all `warn: False` args in command, shell and other modules as it's been deprecated and will give a hard fail in ansible-core 2.14.0.
* apt: Use pub.evolix.org instead of pub.evolix.net
* bind: refactor role
* elasticsearch: Disable garabge collector logging (JDK >= 9)
* evolinux-users: Update sudoers template to remove commands allowed without password
* listupgrade: upstream release 23.03.3
* kvmstats: use virsh domstats | awk to get guests informations
* nagios-nrpe : Rewrite `check_vrrpd` for a better check (check `rp_filter`, `vrrpd` and `uvrrpd` compatible, use arguments, …)
* openvpn: Change `check_openvpn` destination file to comply with recent EvoBSD change
* postfix: come back to default value of `notify_classes` for pack mails.
* userlogrotate: set rotate date format in right order (YYYY-MM-DD)!
* webapps/nextcloud : Change default data directory to be outside web root
* webapps/nextcloud : Small enhancement on the vhost template to lock out data dir
* yarn: update apt key
### Fixed
* Proper jinja spacing
* clamav: set `MaxConnectionQueueLength` to its default value (200), custom (15) was way too small and caused recurring failures in Postfix.
* docker-host: fix type in `daemon.json` and remove host configuration that is already in the systemd service by default
* evolinux-base: ensure dbus is started and enabled (not by default in the case of an offline netinst)
* haproxy: fix missing admin ACL in stats module access permissions
* openvpn: fix the client cipher configuration to match the server cipher configuration
* php: fix error introduced in #33503e4538 (`False` evaluated as a String instead of Boolean)
* php: install using Sury repositories on Bullseye
* postfix (packmail only): disable `concurrency_failed_cohort_limit` for destination smtp-amavis to prevent the suspension of this destination when Amavis fails to answer. Indeed, we configure the suspension delay quite long in `minimal_backoff_time` (2h) and `maximal_backoff_time` (6h) to reduce the risk of ban from external SMTPs.
* postfix: avoid Amavis transport to be considered dead when restarted.
* postfix: remove unused `aliases_scope=sub` from virtual_aliases.cf (it generated warnings)
* userlogrotate: fix bug introduced in commit 2e54944a246 (rotated files were not zipped)
* userlogrotate: skip zipping if .gz log already exists (prevents interactive question)
### Removed
* evolinux-base: subversion is not installed anymore
## [22.12] 2022-12-14
### Added
@ -339,7 +34,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
* packweb-apache: enable `log_forensic` module
* rabbitmq: add link in default page
* varnish: create special tmp directory for syntax validation
* postfix: add localhost.$mydomain to mydestination
### Changed
@ -379,6 +73,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
* openvpn: Deleted the task fixing the CRL rights since it has been fixed in upstream
## [22.09] 2022-09-19
### Added
@ -392,6 +87,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
* proftpd: Add options to override configs (and add a warning if file was overriden)
* proftpd: Allow user auth with ssh keys
### Changed
* evocheck: upstream release 22.09
@ -399,7 +95,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
* generate-ldif: Support any MariaDB version
* minifirewall: use handlers to restart minifirewall
* openvpn: automate the initialization of the CA and the creation of the server certificate ; use openssl_dhparam module instead of a command
* generate-ldif: support any version of MariaDB (instead of only 10.0, 10.1 and 10.3)
* generate-ldif: support any version of MariaDB (instead of only 10.0, 10.1 and 10.3)
* openvpn: Run OpenVPN with the \_openvpn user and group instead of nobody which is originally for NFS
* nagios-nrpe: Upgrade check_mongo
@ -517,16 +213,16 @@ The **patch** part changes is incremented if multiple releases happen the same m
### Added
* docker: Introduce new default settings + allow to change the docker data directory
* docker: Introduce new variables to tweak daemon settings
* docker : Introduce new default settings + allow to change the docker data directory
* docker : Introduce new variables to tweak daemon settings
### Changed
* evocheck: Upstream release 22.05
* evocheck: upstream release 22.05
### Removed
* docker: Removed Debian Jessie support
* docker : Removed Debian Jessie support
## [22.05] 2022-05-10
@ -550,7 +246,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
* minifirewall: restore "force-restart" and fix "restart-if-needed"
* minifirewall: tail template follows symlinks
* minifirewall: upstream release 22.05
* opendkim : add generate opendkim-genkey in sha256 and key 4096
* opendkim : add generate opendkim-genkey in sha256 and key 4096
* openvpn: use a local copy of files instead of cloning an external git repository
* openvpn: use a subnet topology instead of the net30 default topology
* tomcat: Tomcat 9 by default with Debian 11
@ -913,7 +609,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
## [10.0.0] - 2020-05-13
### Added
* apache: the default VHost doesn't redirect to https for ".well-known" paths
* apt: added buster backports prerferences
* apt: check if cron is installed before adding a cron job
@ -950,7 +645,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
* bind: enable bind9 munin plugin for recursive resolvers
### Changed
* replace version_compare() with version()s
* removed some deprecations for Ansible 2.7
* apache: improve permissions in save_apache_status script
@ -996,7 +690,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
* varnish: remove custom ExecReload= script for Debian 10+
### Fixed
* etc-git: fix warnings ansible-lint
* evoadmin-web: Put the php config at the right place for Buster
* lxc: Don't stop the container if it already exists
@ -1019,19 +712,16 @@ The **patch** part changes is incremented if multiple releases happen the same m
* packweb-apache: Don't try to install PHPMyAdmin on Buster as it's not available
### Removed
* clamav : do not install the zoo package anymore
## [9.10.1] - 2019-06-21
### Changed
* evocheck : update (version 19.06) from upstream
## [9.10.0] - 2019-06-21
### Added
* apache: add server status suffix in VHost (and default site) if missing
* apache: add a variable to customize the server-status host
* apt: add a script to manage packages with "hold" mark
@ -1042,7 +732,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
* redmine: enable gzip compression in nginx vhost
### Changed
* evocheck : update (unreleased) from upstream
* evomaintenance : use the web API instead of PG Insert
* fluentd: store gpg key locally
@ -1055,26 +744,23 @@ The **patch** part changes is incremented if multiple releases happen the same m
* apt: Add Debian Buster repositories
### Fixed
* rbenv: add check_mode for check rbenv and ruby versions
* nagios-nrpe: fix redis_instances check when Redis port equal 0
* redmine: fix 500 error on logging
* evolinux-base: Validate sshd config with "-t" instead of "-T"
* evolinux-base: Ensure rename is present
* evolinux-users: Validate sshd config with "-t" instead of "-T"
* nagios-nrpe: Replace the dummy packages nagios-plugins-*with monitoring-plugins-*
* nagios-nrpe: Replace the dummy packages nagios-plugins-* with monitoring-plugins-*
## [9.9.0] - 2019-04-16
### Added
* etc-git: ignore evobackup/.keep-* files
* lxc: /home is mounted in the container by default
* nginx : add "x-frame-options: sameorigin" for Munin
### Changed
* changed remote repository to <https://gitea.evolix.org/evolix/ansible-roles>
* changed remote repository to https://gitea.evolix.org/evolix/ansible-roles
* apt: Ensure jessie-backport from archives.debian.org is accepted
* apt: Remove jessie-update suite as it's no longer exists
* apt: Replace mirror.evolix.org by archives.debian.org for jessie-backport
@ -1087,8 +773,8 @@ The **patch** part changes is incremented if multiple releases happen the same m
* tomcat: better tomcat version management
* webapps/evoadmin-web: add dbadmin.sh to sudoers file
### Fixed
### Fixed
* spamassasin: fix sa-update.sh and ensure service is started and enabled
* tomcat-instance: deploy correct version of config files
* tomcat-instance: deploy correct version of server.xml
@ -1096,24 +782,20 @@ The **patch** part changes is incremented if multiple releases happen the same m
## [9.8.0] - 2019-01-31
### Added
* filebeat: disable cloud_metadata processor by default
* metricbeat: disable cloud_metadata processor by default
* percona : new role to install Percona repositories and tools
* redis: add variable for configure unixsocketperm
### Changed
* redmine: refactoring of redmine role with use of rbenv
### Fixed
* ntpd: Update the restrictions to follow wiki.evolix.org/HowtoNTP client config
## [9.7.0] - 2019-01-17
### Added
* apache: add Munin configuration for Apache server-status URL
* evomaintenance: database variables must be set or the task fails
* fail2ban: add "ips" tag added to fail2ban/tasks/ip_whitelist.yml
@ -1126,7 +808,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
* proftpd: add FTPS and SFTP support
### Changed
* redis: distinction between main and master password
* evocheck: update evocheck.sh for source install
* php: added php-zip in the installed package list for debian 9 (and later)
@ -1134,7 +815,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
* java: update Oracle java package to 8u192
### Fixed
* fail2ban: fix "ignoreip" update
* metricbeat: fix username/password replacement
* nagios-nrpe: check_process now return the error code (making the check more usefull than /bin/true)
@ -1143,17 +823,16 @@ The **patch** part changes is incremented if multiple releases happen the same m
* redis: In instance mode, ensure to replace the nrpe check_redis with the instance check script
* redis: Don't set the owner of /var/{lib,log}/redis to a redis instance account
## [9.6.0] - 2018-12-04
### Added
* evolinux-base: deploy custom motd if template are present
* minifirewall: all variables are configurable (untouched by default)
* minifirewall: main file is configurable
* squid: minifirewall main file is configurable
### Changed
* minifirewall: compare config before/after (for restart condition)
* squid: better replacement in minifirewall config
* evoadmin-mail: complete refactoring, use Debian Package
@ -1161,7 +840,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
## [9.5.0] - 2018-11-14
### Added
* apache: separate task to update IP whitelist
* evolinux-base: install man package
* evolinux-users: add newaliases handler
@ -1175,13 +853,11 @@ The **patch** part changes is incremented if multiple releases happen the same m
* mysql: logdir can be customized
### Changed
* evocheck: update script from upstream
* evomaintenance: update script from upstream
* mysql: restart service if systemd unit has been patched
### Fixed
* packweb-apache: mod-security config is already included elsewhere
* redis: for permissions on log and lib directories
* redis: fix shell for instance users
@ -1190,16 +866,13 @@ The **patch** part changes is incremented if multiple releases happen the same m
## [9.4.2] - 2018-10-12
### Added
* evomaintenance: install dependencies manually when installing vendored version
* nagios-nrpe: add an option to ignore servers in NOLB status
### Changed
* haproxy: move check_haproxy_stats to nagios-nrpe role
### Fixed
* evoacme: better error when apache2ctl fails
* evomaintenance: fix role compatibility with OpenBSD
* spamassassin: add missing right for amavis
@ -1208,19 +881,16 @@ The **patch** part changes is incremented if multiple releases happen the same m
## [9.4.1] - 2018-09-28
### Added
* redis: set masterauth when redis_password is defined
* evomaintenance: variable to install a vendored version
* evomaintenance: tasks/variables to handle minifirewall restarts
### Changed
* mysql-oracle: better handle packages and users
## [9.4.0] - 2018-09-20
### Added
* etc-git: manage a cron job to monitor uncommited changes in /etc/.git (default: `True`)
* evolinux-base: better shell history
* evolinux-users: add user to /etc/aliases
@ -1235,11 +905,9 @@ The **patch** part changes is incremented if multiple releases happen the same m
* nagios-nrpe: add check_redis_instances
### Changed
* dovecot: stronger TLS configuration
### Fixed
* apache: cleaner way to overwrite the server status suffix
* packweb-apache: don't regenerate phpMyAdmin suffix each time
* nginx: cleaner way to overwrite the server status suffix
@ -1248,13 +916,11 @@ The **patch** part changes is incremented if multiple releases happen the same m
## [9.3.2] - 2018-09-06
### Added
* minifirewall: add a variable to disable the restart handler
* minifirewall: add a variable to force a restart of the firewall (even with no change)
* minifirewall: improve variables values and documentation
### Changed
* dovecot: enable SSL/TLS by default with snakeoil certificate
### Fixed
@ -1264,13 +930,11 @@ The **patch** part changes is incremented if multiple releases happen the same m
## [9.3.1] - 2018-08-30
### Added
* metricbeat: new variables to configure elasticsearch hosts and auth
## [9.3.0] - 2018-08-24
### Added
* elasticsearch: tmpdir configuration compatible with 5.x also
* elasticsearch: add http.publish_host variable
* evoacme: disable old certbot cron also in cron.daily
@ -1291,7 +955,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
* nagios-nrpe: add check_postgrey
### Changed
* etc-git: some entries of .gitignore are mandatory
* evocheck: update upstream script
* evolinux-base: improve hostname configuration (real vs. internal)
@ -1310,7 +973,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
* kvm-host: install kvm-tools package instead of copying add-vm.sh
### Fixed
* apache: logrotate replacement is more subtle/precise. It replaces only the proper directive and not every occurence of the word.
* bind: chroot-bind.sh must not be executed in check mode
* evoacme: fix module detection in apache config
@ -1322,14 +984,12 @@ The **patch** part changes is incremented if multiple releases happen the same m
## [9.2.0] - 2018-05-16
### Changed
* filebeat: install version 6.x by default
* filebeat: cleanup unused code
* squid: add some domaine and fix broken restrictions
* elasticsearch: defaults to version 6.x
### Fixed
* evolinux-users: secondary groups are comma-separated
* ntpd: fix configuration (server and ACL)
* varnish: don't fork the process on startup with systemd
@ -1339,7 +999,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
### Added
### Changed
* apache: customize logrotate (52 weeks)
* evolinux: groups for SSH configuration are used with Debian 10 and later
* evolinux-base: fail2ban is not enabled by default
@ -1351,11 +1010,9 @@ The **patch** part changes is incremented if multiple releases happen the same m
## [9.1.8] - 2018-04-16
### Changed
* packweb-apache: use dependencies instead of include_role for apache and php roles
### Fixed
* mysql: use check_mode for apg command (Fix --check)
* mysql/mysql-oracle: properly reload systemd
* packweb-apache: use check_mode for apg command (Fix --check)
@ -1363,7 +1020,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
## [9.1.7] - 2018-04-06
### Added
* added a few become attributes where missing
* etc-git: add tags for Ansible
* evolinux-base: install ncurses-term package
@ -1381,7 +1037,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
* redmine: added missing tags
### Changed
* elasticsearch: RESTART_ON_UPGRADE is configurable (default: `true`)
* elasticsearch: use ES_TMPDIR variable for custom tmpdir, (from `/etc/default/elasticsearch` instead of changing `/etc/elesticsearch/jvm.options`).
* evolinux-base: Exec the firewall tasks sooner (to avoid dependency issues)
@ -1397,7 +1052,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
* webapps/evoadmin-web: Fail if variable evoadmin_contact_email isn't defined
### Fixed
* dovecot: fix support of plus sign
* mysql/mysql-oracle: mysqltuner cron task is executable
* nginx: fix basic auth for default vhost
@ -1406,25 +1060,21 @@ The **patch** part changes is incremented if multiple releases happen the same m
## [9.1.6] - 2018-02-02
### Added
* mongodb: install python-pymongo for monitoring
* nagios-nrpe: allowed_hosts can be updated
### Changed
* Changelog: explain the versioning scheme
* Changelog: add a release date for 9.1.5
* evoacme: exclude typical certbot directories
### Fixed
* fail2ban: fix horrible typo, Python is not Ruby
* nginx: fix servers status dirname
## [9.1.5] - 2018-01-18
### Added
* There is a changelog!
* redis: configuration variable for protected mode (v3.2+)
* evolinux-users: users are in "adm" group for Debian 9 or later
@ -1436,49 +1086,41 @@ The **patch** part changes is incremented if multiple releases happen the same m
* redmine: ability to install themes and plugins
### Changed
* rbenv: Ruby 2.5 becomes the default version
* evocheck: update upstream version embedded in role (c993244)
* bind: keep 52 weeks of logs
### Fixed
* squid: different logrotate file for Jessie or Stretch+
* evoacme: don't invoke evoacme if no vhost is found
* evomaintenance: explicit quotes in config file
* redmine: force xpath gem < 3.0.0
### Security
* evomaintenance: fix permissions for config file
## [9.1.4] - 2017-12-20
### Added
* php: install php5-intl (for Jessie) and php-intl (for Debian 9 or later)
* mysql: add a check_mysql_slave in nrpe configuration
* ldap: slapd tcp port is configurable
* elasticsearch: broader patterns for log rotation
### Changed
* split IP lists in 2 – default and additional – for easier customization.
### Fixed
* minifirewall: allow outgoing SSH connections over IPv6
* nodejs: rename source.list file
### Security
* evoadmin-web: change config.local.php file permissions
* evolinux-base: change default_www file permissions
## [9.1.3] 2017-12-08
### Added
* evolinux-base: install traceroute package
* evolinux-base/ntpd: purge openntpd
* tomcat: add Tomcat 8 cmpatibility
@ -1490,7 +1132,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
* elastic: option for stack main version
### Changed
* nginx: rename Let's Encrypt snippet
* nginx: simpler apt preferences for backports
* generate-ldif: add clamd service instead of clamav_db
@ -1502,12 +1143,10 @@ The **patch** part changes is incremented if multiple releases happen the same m
* mongodb: comatible with Stretch
### Removed
* mongodb: logfile/pidfile are not configurable on Jessie
* minifirewall: remove zidane.evolix.net from HTTPSITES
### Fixed
* nginx: fix munin CGI graphs
* ntpd: fix default configuration (localhost only)
* logstash: fix permissions on pipeline configuration
@ -1518,17 +1157,14 @@ The **patch** part changes is incremented if multiple releases happen the same m
## [9.1.2] 2017-12-05
### Fixed
* listupgrade: remount /usr as rw
## [9.1.1] 2017-11-21
### Added
* amazon-ec2: add egress rules
### Fixed
* evoacme: fix multiple bugs
## [9.1.0] 2017-11-19
@ -1536,7 +1172,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
_Warning: huge release, many entries are missing below._
### Added
* amazon-ec2: new role, for EC2 instances creation
* Move /usr rw remount into remount-usr role
* kibana: host and basepath configuration
@ -1547,7 +1182,6 @@ _Warning: huge release, many entries are missing below._
* nagios-nrpe: add opendkim check
### Changed
* Combine evolix and additional trusted IP addresses
* amazon-ec2: split tasks
* apt: don't upgrade by default
@ -1558,7 +1192,6 @@ _Warning: huge release, many entries are missing below._
* ldap: better variables
### Fixed
* fail2ban: create config hierarchy beforehand
* elasticsearch: fix datadir/tmpdir conditions
* elastic: remove double ".list" suffix
@ -1569,10 +1202,10 @@ _Warning: huge release, many entries are missing below._
### Security
## [9.0.1] 2017-10-02
### Added
* haproxy: add a Nagios check
* php: add "sury" mode for PHP 7.1 on Stretch
* minifirewall: explicit dependency on iptables
@ -1580,11 +1213,9 @@ _Warning: huge release, many entries are missing below._
* docker-host: new variable for docker home
### Changed
* php: install php5/php package after fpm/libapache2-mod-php
### Fixed
* mysql: add "REPLICATION CLIENT" privilege for nrpe
* evoadmin-web: revert from variables to keywords in the templates
* evoacme: many fixes

5
amavis/defaults/main.yml
View file

@ -1,5 +0,0 @@
---
ldap_hostname: "{{ ansible_hostname }}"
ldap_domain: "{{ ansible_domain }}"
ldap_suffix: "dc={{ ldap_hostname }},dc={{ ldap_domain.split('.')[-2] }},dc={{ ldap_domain.split('.')[-1] }}"

2
amavis/files/amavis_purge_virusmails
View file

@ -1,2 +0,0 @@
#!/bin/bash
find /var/lib/amavis/virusmails/ -type f -mtime +30 -delete

2
amavis/handlers/main.yml
View file

@ -1,5 +1,5 @@
---
- name: restart amavis
ansible.builtin.service:
service:
name: amavis
state: restarted

17
amavis/tasks/main.yml
View file

@ -1,27 +1,18 @@
---
- name: install Amavis
ansible.builtin.apt:
apt:
name:
- postgrey
- amavisd-new
state: present
tags:
- amavis
- amavis
- name: configure Amavis
ansible.builtin.template:
template:
src: amavis.conf.j2
dest: /etc/amavis/conf.d/49-evolinux-defaults
mode: "0644"
notify: restart amavis
tags:
- amavis
- name: Install purge custom cron
ansible.builtin.copy:
src: amavis_purge_virusmails
dest: /etc/cron.daily/amavis_purge_virusmails
mode: "0755"
tags:
- amavis
- amavis_purge_cron
- amavis

2
amavis/templates/amavis.conf.j2
View file

@ -44,7 +44,7 @@ $max_servers = 2;
$enable_ldap = 1;
$default_ldap = {
hostname => '127.0.0.1', tls => 0,
base => '{{ ldap_suffix | mandatory }}', scope => 'sub',
base => '{{ ldap_suffix }}', scope => 'sub',
query_filter => '(&(mailacceptinggeneralid=%m)(isActive=TRUE))'
};

8
amazon-ec2/amazon-ec2-evolinux.yml
View file

@ -9,16 +9,16 @@
aws_region: ca-central-1
tasks:
- ansible.builtin.include_role:
- include_role:
name: evolix/amazon-ec2
tasks_from: setup.yml
- ansible.builtin.include_role:
- include_role:
name: evolix/amazon-ec2
tasks_from: create-instance.yml
- name: Install Evolinux
hosts: launched-instances
become: true
become: yes
vars_files:
- 'vars/secrets.yml'
@ -51,7 +51,7 @@
- mysql
post_tasks:
- ansible.builtin.include_role:
- include_role:
name: evolix/etc-git
tasks_from: commit.yml
vars:

38
amazon-ec2/tasks/create-instance.yml
View file

@ -1,36 +1,36 @@
---
- name: Launch new instance(s)
amazon.aws.ec2:
ec2:
state: present
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
region: "{{ aws_region }}"
image: "{{ ec2_base_ami }}"
instance_type: "{{ ec2_instance_type }}"
count: "{{ ec2_instance_count }}"
assign_public_ip: "{{ ec2_public_ip }}"
group: "{{ ec2_security_group.name }}"
key_name: "{{ ec2_keyname }}"
aws_access_key: "{{aws_access_key}}"
aws_secret_key: "{{aws_secret_key}}"
region: "{{aws_region}}"
image: "{{ec2_base_ami}}"
instance_type: "{{ec2_instance_type}}"
count: "{{ec2_instance_count}}"
assign_public_ip: "{{ec2_public_ip}}"
group: "{{ec2_security_group.name}}"
key_name: "{{ec2_keyname}}"
wait: yes
register: ec2
- name: Add newly created instance(s) to inventory
ansible.builtin.add_host:
hostname: "{{ item.public_dns_name }}"
add_host:
hostname: "{{item.public_dns_name}}"
groupname: launched-instances
ansible_user: admin
ansible_ssh_common_args: "-o StrictHostKeyChecking=no"
loop: "{{ ec2.instances }}"
loop: "{{ec2.instances}}"
- ansible.builtin.debug:
msg: "Your newly created instance is reachable at: {{ item.public_dns_name }}"
loop: "{{ ec2.instances }}"
- debug:
msg: "Your newly created instance is reachable at: {{item.public_dns_name}}"
loop: "{{ec2.instances}}"
- name: Wait for SSH to come up on all instances (give up after 2m)
ansible.builtin.wait_for:
wait_for:
state: started
host: "{{ item.public_dns_name }}"
host: "{{item.public_dns_name}}"
port: 22
timeout: 120
loop: "{{ ec2.instances }}"
loop: "{{ec2.instances}}"

2
amazon-ec2/tasks/post-install.yml
View file

@ -1,5 +1,5 @@
---
- name: Remove admin user
ansible.builtin.user:
user:
name: admin
state: absent

4
amazon-ec2/tasks/setup.yml
View file

@ -1,7 +1,7 @@
---
- name: Create default security group
amazon.aws.ec2_group:
ec2_group:
name: "{{ ec2_security_group.name }}"
state: present
aws_access_key: "{{ aws_access_key }}"
@ -12,7 +12,7 @@
rules_egress: "{{ ec2_security_group.rules_egress }}"
- name: Create key pair
amazon.aws.ec2_key:
ec2_key:
name: "{{ ec2_keyname }}"
state: present
aws_access_key: "{{ aws_access_key }}"

21
apache/files/evolinux-defaults.conf
View file

@ -10,7 +10,7 @@ MaxKeepAliveRequests 10
StartServers 50
MinSpareServers 20
MaxSpareServers 30
MaxConnectionsPerChild 100
MaxRequestsPerChild 0
</IfModule>
<IfModule mpm_worker_module>
@ -20,7 +20,7 @@ MaxKeepAliveRequests 10
ThreadLimit 64
ThreadsPerChild 25
MaxRequestWorkers 150
MaxConnectionsPerChild 100
MaxConnectionsPerChild 0
</IfModule>
<IfModule mpm_itk_module>
@ -40,25 +40,28 @@ MaxKeepAliveRequests 10
</IfModule>
</IfModule>
# Go away bad bots (define "bad bots" in zzz-evolinux-custom.conf)
<If "reqenv('GoAway') -eq 1">
Require all denied
</If>
<Directory /home/>
AllowOverride None
Require all granted
# "Require not env XXX" is not supported :(
Deny from env=GoAway
</Directory>
<DirectoryMatch "/\.git">
# We don't want to let the client know a file exist on the server,
# so we return 404 "Not found" instead of 403 "Forbidden".
Redirect 404 "-"
Redirect 404
</DirectoryMatch>
# File names starting with
<FilesMatch "^\.(git|env)">
Redirect 404 "-"
Redirect 404
</FilesMatch>
# File names ending with
<FilesMatch "\.(inc|bak)$">
Redirect 404 "-"
Redirect 404
</FilesMatch>
<LocationMatch "^/evolinux_fpm_status-.*">

6
apache/handlers/main.yml
View file

@ -1,15 +1,15 @@
---
- name: restart apache
ansible.builtin.service:
service:
name: apache2
state: restarted
- name: reload apache
ansible.builtin.service:
service:
name: apache2
state: reloaded
- name: restart munin-node
ansible.builtin.service:
service:
name: munin-node
state: restarted

16
apache/tasks/auth.yml
View file

@ -1,21 +1,21 @@
---
- name: Init ipaddr_whitelist.conf file
ansible.builtin.copy:
copy:
src: ipaddr_whitelist.conf
dest: /etc/apache2/ipaddr_whitelist.conf
owner: root
group: root
mode: "0640"
force: false
force: no
tags:
- apache
- name: Load IP whitelist task
ansible.builtin.import_tasks: ip_whitelist.yml
include: ip_whitelist.yml
- name: include private IP whitelist for server-status
ansible.builtin.lineinfile:
lineinfile:
dest: /etc/apache2/mods-available/status.conf
line: " include /etc/apache2/ipaddr_whitelist.conf"
insertafter: 'SetHandler server-status'
@ -24,19 +24,19 @@
- apache
- name: Copy private_htpasswd
ansible.builtin.copy:
copy:
src: private_htpasswd
dest: /etc/apache2/private_htpasswd
owner: root
group: root
mode: "0640"
force: false
force: no
notify: reload apache
tags:
- apache
- name: add user:pwd to private htpasswd
ansible.builtin.lineinfile:
lineinfile:
dest: /etc/apache2/private_htpasswd
line: "{{ item }}"
state: present
@ -46,7 +46,7 @@
- apache
- name: remove user:pwd from private htpasswd
ansible.builtin.lineinfile:
lineinfile:
dest: /etc/apache2/private_htpasswd
line: "{{ item }}"
state: absent

5
apache/tasks/ip_whitelist.yml
View file

@ -1,11 +1,10 @@
---
- name: add IP addresses to private IP whitelist
ansible.builtin.lineinfile:
lineinfile:
dest: /etc/apache2/ipaddr_whitelist.conf
line: "Require ip {{ item }}"
state: present
create: yes
loop: "{{ apache_ipaddr_whitelist_present }}"
notify: reload apache
tags:
@ -13,7 +12,7 @@
- ips
- name: remove IP addresses from private IP whitelist
ansible.builtin.lineinfile:
lineinfile:
dest: /etc/apache2/ipaddr_whitelist.conf
line: "Require ip {{ item }}"
state: absent

6
apache/tasks/log2mail.yml
View file

@ -1,19 +1,19 @@
---
- name: log2mail is installed
ansible.builtin.apt:
apt:
name: log2mail
state: present
tags:
- apache
- name: Add log2mail config for Apache segfaults
ansible.builtin.template:
template:
src: log2mail-apache.j2
dest: "/etc/log2mail/config/apache"
owner: log2mail
group: adm
mode: "0644"
force: false
force: no
tags:
- apache

56
apache/tasks/main.yml
View file

@ -1,7 +1,7 @@
---
- name: packages are installed (Debian 9 or later)
ansible.builtin.apt:
apt:
name:
- apache2
- libapache2-mod-evasive
@ -14,7 +14,7 @@
when: ansible_distribution_major_version is version('9', '>=')
- name: itk package is installed if required (Debian 9 or later)
ansible.builtin.apt:
apt:
name:
- libapache2-mpm-itk
state: present
@ -26,7 +26,7 @@
- apache_mpm == "itk"
- name: packages are installed (jessie)
ansible.builtin.apt:
apt:
name:
- apache2-mpm-itk
- libapache2-mod-evasive
@ -39,7 +39,7 @@
when: ansible_distribution_release == "jessie"
- name: basic modules are enabled
community.general.apache2_module:
apache2_module:
name: '{{ item }}'
state: present
loop:
@ -55,7 +55,7 @@
- apache
- name: basic modules are enabled
community.general.apache2_module:
apache2_module:
name: '{{ item }}'
state: present
loop:
@ -67,31 +67,31 @@
- name: Copy Apache defaults config file
ansible.builtin.copy:
copy:
src: evolinux-defaults.conf
dest: "/etc/apache2/conf-available/z-evolinux-defaults.conf"
owner: root
group: root
mode: "0640"
force: true
force: yes
notify: reload apache
tags:
- apache
- name: Copy Apache custom config file
ansible.builtin.copy:
copy:
src: evolinux-custom.conf
dest: "/etc/apache2/conf-available/zzz-evolinux-custom.conf"
owner: root
group: root
mode: "0640"
force: false
force: no
notify: reload apache
tags:
- apache
- name: disable status.conf
ansible.builtin.file:
file:
dest: /etc/apache2/mods-enabled/status.conf
state: absent
notify: reload apache
@ -99,8 +99,7 @@
- apache
- name: Ensure Apache config files are enabled
ansible.builtin.command:
cmd: "a2enconf {{ item }}"
command: "a2enconf {{ item }}"
register: command_result
changed_when: "'Enabling' in command_result.stderr"
loop:
@ -110,38 +109,37 @@
tags:
- apache
- ansible.builtin.include: auth.yml
- include: auth.yml
tags:
- apache
- name: default vhost is installed
ansible.builtin.template:
template:
src: evolinux-default.conf.j2
dest: /etc/apache2/sites-available/000-evolinux-default.conf
mode: "0640"
force: false
force: no
notify: reload apache
tags:
- apache
- name: default vhost is enabled
ansible.builtin.file:
file:
src: /etc/apache2/sites-available/000-evolinux-default.conf
dest: /etc/apache2/sites-enabled/000-default.conf
state: link
force: true
force: yes
notify: reload apache
when: apache_evolinux_default_enabled | bool
tags:
- apache
- ansible.builtin.include: server_status.yml
- include: server_status.yml
tags:
- apache
- name: is umask already present?
ansible.builtin.command:
cmd: "grep -E '^umask ' /etc/apache2/envvars"
command: "grep -E '^umask ' /etc/apache2/envvars"
failed_when: False
changed_when: False
register: envvar_grep_umask
@ -150,7 +148,7 @@
- apache
- name: Add a mark in envvars for umask
ansible.builtin.blockinfile:
blockinfile:
dest: /etc/apache2/envvars
marker: "## {mark} ANSIBLE MANAGED BLOCK"
block: |
@ -161,13 +159,13 @@
tags:
- apache
- ansible.builtin.include_role:
- include_role:
name: evolix/remount-usr
tags:
- apache
- name: /usr/share/scripts exists
ansible.builtin.file:
file:
dest: /usr/share/scripts
mode: "0700"
owner: root
@ -177,16 +175,16 @@
- apache
- name: "Install save_apache_status.sh"
ansible.builtin.copy:
copy:
src: save_apache_status.sh
dest: /usr/share/scripts/save_apache_status.sh
mode: "0755"
force: false
force: no
tags:
- apache
- name: "logrotate: {{ apache_logrotate_frequency }}"
ansible.builtin.replace:
replace:
dest: /etc/logrotate.d/apache2
regexp: "(daily|weekly|monthly)"
replace: "{{ apache_logrotate_frequency }}"
@ -194,19 +192,19 @@
- apache
- name: "logrotate: rotate {{ apache_logrotate_rotate }}"
ansible.builtin.replace:
replace:
dest: /etc/logrotate.d/apache2
regexp: '^(\s+rotate) \d+$'
replace: '\1 {{ apache_logrotate_rotate }}'
tags:
- apache
- ansible.builtin.include: log2mail.yml
- include: log2mail.yml
when: apache_log2mail_include
tags:
- apache
- ansible.builtin.include: munin.yml
- include: munin.yml
when: apache_munin_include | bool
tags:
- apache

11
apache/tasks/munin.yml
View file

@ -1,7 +1,7 @@
---
- name: "Install munin-node and core plugins packages"
ansible.builtin.apt:
apt:
name:
- munin-node
- munin-plugins-core
@ -11,7 +11,7 @@
- munin
- name: "Enable Munin plugins"
ansible.builtin.file:
file:
src: "/usr/share/munin/plugins/{{ item }}"
dest: "/etc/munin/plugins/{{ item }}"
state: link
@ -25,7 +25,7 @@
- munin
- name: "Install fcgi packages for Munin graphs"
ansible.builtin.apt:
apt:
name:
- libapache2-mod-fcgid
- libcgi-fast-perl
@ -36,8 +36,7 @@
- munin
- name: "Enable libapache2-mod-fcgid"
ansible.builtin.command:
cmd: a2enmod fcgid
command: a2enmod fcgid
register: cmd_enable_fcgid
changed_when: "'Module fcgid already enabled' not in cmd_enable_fcgid.stdout"
notify: restart apache
@ -46,7 +45,7 @@
- munin
- name: "Apache has access to /var/log/munin/"
ansible.builtin.file:
file:
path: /var/log/munin/
group: www-data
tags:

33
apache/tasks/server_status.yml
View file

@ -1,7 +1,7 @@
---
- name: server status dirname exists
ansible.builtin.file:
file:
dest: "{{ apache_serverstatus_suffix_file | dirname }}"
mode: "0700"
owner: root
@ -9,71 +9,62 @@
state: directory
- name: set apache serverstatus suffix if provided
ansible.builtin.copy:
copy:
dest: "{{ apache_serverstatus_suffix_file }}"
# The last character "\u000A" is a line feed (LF), it's better to keep it
content: "{{ apache_serverstatus_suffix }}\u000A"
force: true
force: yes
when: apache_serverstatus_suffix | length > 0
- name: generate random string for server-status suffix
ansible.builtin.shell:
cmd: "apg -a 1 -M N -n 1 > {{ apache_serverstatus_suffix_file }}"
shell: "apg -a 1 -M N -n 1 > {{ apache_serverstatus_suffix_file }}"
args:
creates: "{{ apache_serverstatus_suffix_file }}"
- name: read apache server status suffix
ansible.builtin.command:
cmd: "tail -n 1 {{ apache_serverstatus_suffix_file }}"
command: "tail -n 1 {{ apache_serverstatus_suffix_file }}"
changed_when: False
check_mode: no
register: new_apache_serverstatus_suffix
- name: overwrite apache_serverstatus_suffix
ansible.builtin.set_fact:
set_fact:
apache_serverstatus_suffix: "{{ new_apache_serverstatus_suffix.stdout }}"
- ansible.builtin.debug:
- debug:
var: apache_serverstatus_suffix
verbosity: 1
- name: replace server-status suffix in default site index
ansible.builtin.replace:
replace:
dest: /var/www/index.html
regexp: '__SERVERSTATUS_SUFFIX__'
replace: "{{ apache_serverstatus_suffix }}"
- name: add server-status suffix in default site index if missing
ansible.builtin.replace:
replace:
dest: /var/www/index.html
regexp: '"/server-status-?"'
replace: '"/server-status-{{ apache_serverstatus_suffix }}"'
- name: add server-status suffix in default VHost
ansible.builtin.replace:
replace:
dest: /etc/apache2/sites-available/000-evolinux-default.conf
regexp: '<Location /server-status-?>'
replace: '<Location /server-status-{{ apache_serverstatus_suffix }}>'
notify: reload apache
- name: Munin configuration has a section for apache
ansible.builtin.lineinfile:
lineinfile:
dest: /etc/munin/plugin-conf.d/munin-node
line: "[apache_*]"
create: no
- name: apache-status URL is configured for Munin
ansible.builtin.lineinfile:
lineinfile:
dest: /etc/munin/plugin-conf.d/munin-node
line: "env.url http://{{ apache_serverstatus_host }}/server-status-{{ apache_serverstatus_suffix }}?auto"
regexp: 'env.url http://[^\\/]+/server-status'
insertafter: "[apache_*]"
create: no
notify: restart munin-node
- name: add mailgraph URL in index.html
ansible.builtin.lineinfile:
dest: /var/www/index.html
state: present
line: ' <li><a href="/mailgraph">Stats Mail</a></li>'
insertbefore: "</ul>"

18
apache/templates/evolinux-default.conf.j2
View file

@ -35,15 +35,6 @@
Include /etc/apache2/ipaddr_whitelist.conf
</Directory>
# Mailgraph configuration
Alias /mailgraph /usr/share/mailgraph
<Directory /usr/share/mailgraph>
DirectoryIndex mailgraph.cgi
Require all granted
Options +FollowSymLinks +ExecCGI
AddHandler cgi-script .cgi
</Directory>
CustomLog /var/log/apache2/access.log vhost_combined
ErrorLog /var/log/apache2/error.log
LogLevel warn
@ -127,15 +118,6 @@
Include /etc/apache2/ipaddr_whitelist.conf
</Location>
# Mailgraph configuration
Alias /mailgraph /usr/share/mailgraph
<Directory /usr/share/mailgraph>
DirectoryIndex mailgraph.cgi
Require all granted
Options +FollowSymLinks +ExecCGI
AddHandler cgi-script .cgi
</Directory>
# BEGIN phpMyAdmin section
# END phpMyAdmin section

5
apt/defaults/main.yml
View file

@ -8,13 +8,10 @@ apt_upgrade: False
apt_install_basics: True
apt_basics_components: "main"
# With Debian 12+ and the deb822 format of source files
# backports are always installed but enabled according to `apt_install_backports`
apt_install_backports: False
apt_backports_components: "main"
apt_install_evolix_public: True
apt_install_extended_lts: False
apt_clean_gandi_sourceslist: False
@ -29,4 +26,4 @@ apt_check_hold_cron_weekday: "*"
apt_check_hold_cron_day: "*"
apt_check_hold_cron_month: "*"
apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"

3
apt/files/bullseye_backports_preferences Normal file
View file

@ -0,0 +1,3 @@
Package: *
Pin: release a=bullseye-backports
Pin-Priority: 50

3
apt/files/buster_backports_preferences Normal file
View file

@ -0,0 +1,3 @@
Package: *
Pin: release a=buster-backports
Pin-Priority: 50

168
apt/files/deb822-migration.py
View file

@ -1,168 +0,0 @@
#!/usr/bin/env python3
##########
# This script takes a multi-lines input of "oneliner-style" APT sources definitions.
# It converts them into "deb822-style" sources.
# Each generated file will have only one stanza, possibly with multiple Types/Suites/Components
##########
import re
import sys
import os
import select
import apt
import apt_pkg
# Order matters !
destinations = {
"debian-security": "security.sources",
".*-backports": "backports.sources",
".debian.org": "system.sources",
"mirror.evolix.org": "system.sources",
"ftp.evolix.org": "system.sources",
"pub.evolix.net": "evolix_public_old.sources.bak",
"pub.evolix.org": "evolix_public.sources",
"artifacts.elastic.co": "elastic.sources",
"download.docker.com": "docker.sources",
"downloads.linux.hpe.com": "hp.sources",
"pkg.jenkins-ci.org": "jenkins.sources",
"packages.sury.org": "sury.sources",
"repo.mongodb.org": "mongodb.sources",
"apt.newrelic.com": "newrelic.sources",
"deb.nodesource.com": "nodesource.sources",
"dl.yarnpkg.com": "yarn.sources",
"apt.postgresql.org": "postgresql.sources",
"packages.microsoft.com/repos/vscode": "microsoft-vscode.sources",
"packages.microsoft.com/repos/ms-teams": "microsoft-teams.sources",
"updates.signal.org": "signal.sources",
"downloads.1password.com/linux/debian": "1password.sources",
"download.virtualbox.org": "virtualbox.sources"
}
sources_parts = apt_pkg.config.find_dir('Dir::Etc::sourceparts')
def split_options(raw):
table = str.maketrans({
"[": None,
"]": None
})
options = raw.translate(table).split(' ')
return options
def auto_destination(uri):
basename = uri
basename = re.sub('\[[^\]]+\]', '', basename)
basename = re.sub('\w+://', '', basename)
basename = '_'.join(re.sub('[^a-zA-Z0-9]', ' ', basename).split())
return '%s.sources' % basename
def destination(matches):
for search_str in destinations.keys():
search_pattern = re.compile(f'{search_str}(/|\s|$)')
if re.search(search_pattern, matches['uri']) or re.search(search_pattern, matches["suite"]):
return destinations[search_str]
# fallback if nothing matches
return auto_destination(matches['uri'])
def prepare_sources(lines):
sources = {}
pattern = re.compile('^(?: *(?P<type>deb|deb-src)) +(?P<options>\[.+\] ?)*(?P<uri>\w+:\/\/\S+) +(?P<suite>\S+)(?: +(?P<components>.*))?$')
for line in lines:
matches = re.match(pattern, line)
if matches is not None:
dest = destination(matches)
options = {}
if matches.group('options'):
for option in split_options(matches['options']):
if "=" in option:
key, value = option.split("=")
options[key] = value
### WARNING ###
# if there are multiple lines with different URIS for a given destination (eg. "system")
# each one will overwrite the previous one
# and the last evaluated will be what remains.
if dest in sources:
sources[dest]["Types"].add(matches["type"])
sources[dest]["URIs"] = matches["uri"]
sources[dest]["Suites"].add(matches["suite"])
sources[dest]["Components"].update(matches["components"].split(' '))
else:
source = {
"Types": {matches['type']},
"URIs": matches['uri'],
"Enabled": "yes",
}
if matches.group('suite'):
source["Suites"] = set(matches['suite'].split(' '))
if matches.group('components'):
source["Components"] = set(matches['components'].split(' '))
if "arch" in options:
if "Architectures" in source:
source["Architectures"].append(options["arch"])
else:
source["Architectures"] = {options["arch"]}
if "signed-by" in options:
if "Signed-by" in source:
source["Signed-by"].append(options["signed-by"])
else:
source["Signed-by"] = {options["signed-by"]}
if "lang" in options:
if "Languages" in source:
source["Languages"].append(options["lang"])
else:
source["Languages"] = {options["lang"]}
if "target" in options:
if "Targets" in source:
source["Targets"].append(options["target"])
else:
source["Targets"] = {options["target"]}
sources[dest] = source
return sources
def save_sources(sources, output_dir):
# print(output_dir)
# print(sources)
for dest, source in sources.items():
source_path = output_dir + dest
with open(source_path, 'w') as file:
for key, value in source.items():
if isinstance(value, str):
file.write("{}: {}\n".format(key, value))
else:
file.write("{}: {}\n".format(key, ' '.join(value)))
def main():
if select.select([sys.stdin, ], [], [], 0.0)[0]:
sources = prepare_sources(sys.stdin)
# elif len(sys.argv) > 1:
# sources = prepare_sources([sys.argv[1]])
else:
print("You must provide source lines to stdin", file=sys.stderr)
sys.exit(1)
output_dir = apt_pkg.config.find_dir('Dir::Etc::sourceparts')
save_sources(sources, output_dir)
if __name__ == "__main__":
main()
sys.exit(0)

55
apt/files/deb822-migration.sh
View file

@ -1,55 +0,0 @@
#!/bin/sh
##########
# This script changes all "one-line" APT sources into "deb822" sources.
# It is responsible for searching and processing the files.
# The actual format migration is done by a python script.
##########
deb822_migrate_script=$(command -v deb822-migration.py)
if [ -z "${deb822_migrate_script}" ]; then
deb822_migrate_script="$(dirname "$0")/deb822-migration.py"
fi
if [ ! -x "${deb822_migrate_script}" ]; then
>&2 echo "ERROR: '${deb822_migrate_script}' not found or not executable"
exit 1
fi
sources_from_file() {
grep --extended-regexp "^\s*(deb|deb-src) " $1
}
rc=0
count=0
if [ -f /etc/apt/sources.list ]; then
sources_from_file /etc/apt/sources.list | ${deb822_migrate_script}
python_rc=$?
if [ ${python_rc} -eq 0 ]; then
mv /etc/apt/sources.list /etc/apt/sources.list.bak
echo "OK: /etc/apt/sources.list"
count=$(( count + 1 ))
else
>&2 echo "ERROR: failed migration for /etc/apt/sources.list"
rc=1
fi
fi
for file in $(find /etc/apt/sources.list.d -mindepth 1 -maxdepth 1 -type f -name '*.list'); do
sources_from_file "${file}" | ${deb822_migrate_script}
python_rc=$?
if [ ${python_rc} -eq 0 ]; then
mv "${file}" "${file}.bak"
echo "OK: ${file}"
count=$(( count + 1 ))
else
>&2 echo "ERROR: failed migration for ${file}"
rc=1
fi
done
echo "${count} file(s) migrated"
exit ${rc}

BIN
apt/files/freexian-archive-extended-lts.gpg
View file

Binary file not shown.

3
apt/files/jessie_backports_preferences Normal file
View file

@ -0,0 +1,3 @@
Package: *
Pin: release a=jessie-backports
Pin-Priority: 50

32
apt/files/move-apt-keyrings.sh
View file

@ -1,32 +0,0 @@
#!/bin/sh
# Move apt repository key from /etc/apt/trusted.gpg.d/ to /etc/apt/keyrings/ and add "signed-by" tag in source list
#
# Example: move-apt-keyrings.sh http://repo.mongodb.org/apt/debian mongodb-server-[0-9\\.]+.asc
repository_pattern=$1
key=$2
found_files=$(grep --files-with-matches --recursive --extended-regexp "${repository_pattern}" "/etc/apt/sources.list.d/*.list")
old_key_file="/etc/apt/trusted.gpg.d/${key}"
new_key_file="/etc/apt/keyrings/${key}"
for file in ${found_files}; do
if ! grep --quiet "signed-by" "${file}"; then
signed_by="signed-by=${new_key_file}"
if grep --quiet "deb(-src)? \[" "${file}"; then
sed -i "s@deb\(-src\)\? \[\([^]]\+\)\]@deb\1 [\2 ${signed_by}]@" "${file}"
else
sed -i "s@deb\(-src\)\? @deb\1 [${signed_by}] @" "${file}"
fi
fi
done
if [ -f "${old_key_file}" ] && [ ! -f "${new_key_file}" ]; then
mv "${old_key_file}" "${new_key_file}"
fi
if [ -f "${new_key_file}" ]; then
chmod 644 "${new_key_file}"
chown root: "${new_key_file}"
fi

87
apt/files/pub_evolix.asc
View file

@ -1,87 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBGOsRdcBEADDPJ8Tsqr5Z4crmQlNQM32hfufe7gTUrXo0cAL8clt92y1QX3N
YyMv0Re4+Ugo7JZd4jsF2Q1twJMxsX5rA12xDnHHcZRSc/E0DIYvPnfLzEHkwseN
OK4f9lI+xo06k+B3KQQKMeI/RjVaN6AiSply9ZGaZVeGGqd4es4PsU1VQMTWdclV
Bn54HBWUnL5dPStPMnNkt0bMQYIqc5733Yby3qMiUKcql2bl9TYBw8SaJXvClsLw
ERqit6FjljUOEeWtB4WZFpjhc/aqcxGcUTPHRrNTlNF0HCvk8JicEu4/lr99pwy7
7z6SRql++WGMSG06E4MBtUt+wWAmDDHNj3fdZPnoCaDFp7vxy/FEARB2aygTtu11
mLk4XOKheqU/WibWxoXRzyUCuclJ247Fh+YPxkYVG1dnDwpWGbYuRmzUapGLv4ma
dnKsQN0KhXzUqkSoybBgV208dGOP7BqdY6TVnyU0v/7XDeUqFEwnllRKMSYLilV3
huTifiCFTK45HACM/x2yckx8dyAuYg6cJaAR1yn1iaTexoyYPG9ZFifvMB6ranEm
vkmQq1e8/7xiNSQsh5F3Ybl5hh4GVLwsR6esfZsHG0Ve+CitsmcZgWnr0JJ2PZOk
+XHxMwo7Gb0/KVH9XGeoXk+eiNNW/kdcgBMkGkU3nWooVHDm7Dy54I5CzQARAQAB
tC9Fdm9saXggUHVibGljIFJlcG9zaXRvcnkgPGVxdWlwZStwdWJAZXZvbGl4LmZy
PokCVAQTAQoAPhYhBP+vfRvzUK1F+rMpCUaPWta4YwY9BQJjrEXXAhsDBQkHhM4A
BQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEEaPWta4YwY9V6oP/iYfZceiA1Sy
x9t/7CL3EReuvpdZtZYf2KklBfxEFtzkERV/KKMMpf8mKoGD6BA+ryUc7b4a8npq
yvKbSKDHGZW6gAbq8hneW71vRuNfPNqtfO98JbJO694nqX9sIYU2xQn0UIh0G6N7
D2bOcaicn8AgV/8cQZfgN9yRM4VhCoWZwhLqgROUqMYfDn3szamfkPcFiw10ToVt
c2PIFdqj2soKO9OrF5Ct/pztSGy1f+orDFiJ0AtRlqqRk9z18VB893qspfyd6y9N
q7IrQbYsiP+D8DcXYWZA1KURsI4LVQwsudNXokvGkYdnZitVgXI2lIaY7odDou5F
btZsCIEa45m7Vmvu0Wvtu/90EFbu9iwbOVrNpC7lLnfJpDObVXMiY1r0rQVuweEZ
ZbBcv1NUa3R0SPsPLPKf7L6dCx8gCpZjDVJLsgBeeSEV7XFQiYDbl8THasNTKCOa
C6v4h00mg0H6GhZvGMx+lcx8TzW6l3XXRoptHl4vkdE5usLFjy8/JWG3yJ7e2W3D
jVbPQ0UKJAnkGn1t+UJB1GP9O4annks0nPfcomjZzaDweIL8zSLPy5R9DGNgYLjp
5h/baLoNAOkaKssZrusq/P+BM2tdr3i/N6TK+dbrffz3hNgzSFFYVg51DspV7XWo
JKGqhqCgQpkms+NPJiKr4NDs6DdXn0IKuQINBGOsRdcBEAC9i5qcrYLTfeGrWPo3
Zok3jikNk181HC3HR7Wu8a5whCe/88GgJDY00sU2zZEF9hN/4Vtqq9FICVXUcs+F
5j+Gcb/sqAgwXuwk8LKuhbtR2cnz6I0GCsqNPuj+5uM7MXQlVWeIN5Z6zA/Jw++o
aENZHO6cnuep2KDNPUZzjmTHAa4+qXRL5cRXEOmMB1vtA8mm/43c7wicJ7MrZpba
mqzmiQPsQ2qfmCABfx8BwBgXCVON4sgtzCa+rYOPScsDtv0pv6uG+h/GJp4MdKBp
g3BfShQEAmOwwy3Pt2vo9Rw2s0uJJ9AM2O6tJ3x93YkUP5qj3Etr/eTcgVUiVvSs
h2Rrz2FLen3GMAcqUUDPViCy9nEWRAo7iWQgAKgr8WjeGerOmtsYPyjIQE47eX5M
Gomx0LVCGigYfkSAFIYzm5I+depmn1qTUyizfklvPr0bA/8Cs4zbqx6Pf6Rk5wvb
sJ4envk3dzQRNTH1Vt7Yoktyx1+VX0HFVEaPTQ3JlFORaHYwQQ97LaOZ0VmztE0A
5+CIFFdqp/0H7zGPol+LsPgqnzZZEQ2XFYPOy7/gB17zI2eWNWPAQmOdrUM/v12A
etnLEthZyALcjjBpJEVIHFnuaabYp+mdotycjDkBNSh+P+8H/UsMSrNVhheKQLB8
smzwFcSrAcnQbtiCjFWANTWyKQARAQABiQI8BBgBCgAmFiEE/699G/NQrUX6sykJ
Ro9a1rhjBj0FAmOsRdcCGwwFCQeEzgAACgkQRo9a1rhjBj0FZw//fNhJdx55ACvX
mpa8wz6eZOvzhr5GWSW5/Qie9nRjInPPI3bJ/jU0S/4ENqFBD9RSvY5F+0xCU67F
V2R3a3FFcB81HLIcUrkN0GH6fLcex0Js+grq/U117e2umdfGMKQG0UFJ+XonhtlT
foBcBjXPFr2NUaJB2SPo/RPQ3U+N3wMSm0ZbB/Xvxi5qMEb971dfObvsXTkQZvn7
b0TvccfHhyzs2IM8pZO3PamTwA5e16/2QqisRX4CeL0a/q3Yxfw4R8RPCrz/l0k5
FPdbdXaQuk5s+CiV+Nse7yFGoEoSlLpJM2BpueBsIg92joyOstZRm+tuCb5QefWI
7yFPfJU6xG1CMDqIGjXNU1tzSIoReGUBCNrE9UgzBQPPVD0jNM1WdW6HWSVR7jBb
+dvAeJNzQjJYlvKLQ383mAiVcwmCWBUp+R/kBPlLMGEpLlspti5fkmEc8xvtCaHc
fCLVWd0r2lUFUz+W53r8IXaRcxLtFinz7SHZPrlhaVwErdtlo+5X3kq39Mc4KCmF
bevT+qxlgzHXof+WGTYoc9IHkhDrvZ/TWeAUnBPvVn88dsBRtOC9f5wSCK4r9SfR
Dnf0lAsLWMpNtt812W8sA82RGXRUBwonZKa7YoGNKSa2vPJcUgmpIiHNtoLWpNa+
7pYGN7bV51zyQ1ERaLU5TBC9sPE70p25Ag0EY6xJaQEQAKsxFCb4Vxe8VuUEAKp/
RSRNGX/v9KqXVwbnf3kTYq9FMoplZBeqj4LQ22BqRzZ74ywoyfvHHtvkAtCbmrlc
8iLQEmicLug3Ibk97qm1lvvHnK9fqFOWh+Tx/omlaiSzEfAFbLEjNcplmq1ooqmX
fkI9zcefLZHtUFx6Clw3rwp79d/V5XJDM+2jwB47HfIhrW6jEubUuaXIHNR/GSSd
gTYuw55g9K97LhONX6ZvSBhjp4pOeUUbtFuG1fRkjPiObsB54fJ2R32yfm4jV53/
YgG/Ih/o97tKV+ishQIrr85SB3XiLFlGhQuu/0a/+/vfGVTbJOzrQrE+OCWt9Xm1
4b91MiVSSzXy6TGzPvpNXYR2PQZzVwvz7UctCikaE4gGB0lSH0LemDD0LZIZUwBL
1G9mlwFTkMYK0+iMyHFOKeAlUnSSpO6hFYr4GHOxAMGTjHqqEJZ3lBi9SBPc7AEK
3NcEp4etuiLOeaSBtqmUs+y7g8yMTrnyWPVxa0l5q4OUitbb2qvWYbaD3O22xYyj
9BlqzpG9uO6/d8HefDK8XMNCHlmwFoJj3HJlHJg7oN029vYsXEwBIhFyolAPzIvB
jpLKcebq9DJSObs1nHjAyVUpL4ZzRmujFcJYDYSixiqaWc/1aGTgUZQ/JDXcODiC
LgFu1vLTRf6hwKSb/vnZP5OtABEBAAGJBHIEGAEKACYWIQT/r30b81CtRfqzKQlG
j1rWuGMGPQUCY6xJaQIbAgUJA8JnAAJACRBGj1rWuGMGPcF0IAQZAQoAHRYhBA7H
BbTwXPF0hLMgRYefxhvnjx3ABQJjrElpAAoJEIefxhvnjx3ANpUQAIFLkLcx2z3M
jV0SgoAYertib9T/OOy/rsfeQjE6DFk6IArrHolZPA9g/PpTPuRwK165n5xw483q
BMyssUT9IK7SZxt0gbKpvZ0HFSCwSp5wdSJZymwB4AOcgRBU5rwC/9fFxYihgIym
Ig7TH9aWW4hDbEuGJDrKbhK+DpIL7lK3A5WUZk9ltGOpCcFctV3YnVgbMIwX5gO6
lZ5Zi6NHJEB3HauVZJ59NIPJ/f0xe5GMte/LXckyijs9ei4WOFOjstiW64EWkOBH
El0tj+LUxLznCP2szdXjkDN1P6/NDrY1Nid6/ECOfkh4xO/VHhkdSRAlhdP9FHiV
sy3KUUoPH5B805z1MyOI7UYUD/8CK0juIXcbw7isbVUmLf/VV8jEDmq3WWDj8YZp
IStn2AvQeo3VWGWUfkf3v7UthKandIUTIGc5isD+i6KvzzbggyyZWNtvb3/1wMrz
DUKGlFi/IjMhhElJ0oF3YGsBwz2V2UKP7pPIYo+f5zthc7SbmO9yxAQebEOc3prM
G/Br8JOZ90w1dy6CeIYxkM4YEhhG1K8CzD3ZTTI7vh8mwRc92A6HI2NFyxeYJCr0
IsUcFQpCyXMtcLRN75DGLIjIKdYrYJuwSiUgcH5FtgkuxMYfJEX9UX8rV7HAxUvs
UdIyHLl7k+khGlZa0/W6uCioFNiygnBEp7oP/iSj4Q2Xh5yKI6Jjw/IsfRcsiaac
lHc7uF0caYGMkqRNHiX17d5EtaidTbiqQii1W9slSPXmUuUcKfD1xUfLng7TbZVm
AdEbpHCT+q037cGCYFpHPMvw3OYhhGzYeh3+1oN9t3ZvyGlvAhkrtssDQB+gxX8r
adCpihziFLjm+6IvCLYHEh3gILVFbbhdYDDUduFFjf/snlJW7j8OVc7Cxa7FbPdf
SHLT9VESzf7oiwkP5/ijGmHiEQoJd9EWYkGGz+LZAXemBwe5ZnPPWVZvDEQRMe8v
2V8pa37vyReaK//O8xxGg3NzGTn9otwVr/4Ti9OxrSzmDWpd967oZ42IZSeSY2bz
kOaV8z4C8AIgIA7vWOS83Hncbrgf2nMCXmRjf0KTMm1P7Z0BQDWpxK9lP0nRpVAg
2T3/OjJ9KcAsTz02NFC3/kOUz//NcfDP747HsQB0sltIty140B7CfcWk0a0eKSad
OxGUehskjyKhO6v3dYF+8oR9p98Q8/Rh8r7evYy2mfhgJd7a9Cchn7612Y6k1SLf
nmPGYu3s0lf/k6GoHLfXXQIJDgWeua4ZBr6cgpGONLSvWBeCVaqnk8nhbNIiSBHk
jnrcX8xAtoPLgqg0+yi7rZ3NAauZcQE6UaNB+xjJxDOIpgVLUWtFyAG4MDeIh6GH
oA9QflpnDubMnCve
=ZCml
-----END PGP PUBLIC KEY BLOCK-----

BIN
apt/files/pub_evolix.gpg
View file

Binary file not shown.

3
apt/files/stretch_backports_preferences Normal file
View file

@ -0,0 +1,3 @@
Package: *
Pin: release a=stretch-backports
Pin-Priority: 50

18
apt/tasks/backports.deb822.yml
View file

@ -1,18 +0,0 @@
---
- name: Backports deb822 sources list is installed
ansible.builtin.template:
src: '{{ ansible_distribution_release }}_backports.sources.j2'
dest: /etc/apt/sources.list.d/backports.sources
force: true
mode: "0640"
register: apt_backports_sources
tags:
- apt
- name: Apt update
ansible.builtin.apt:
update_cache: yes
when: apt_backports_sources is changed
tags:
- apt

35
apt/tasks/backports.oneline.yml
View file

@ -1,35 +0,0 @@
---
- name: No backports config in default sources.list
ansible.builtin.lineinfile:
dest: /etc/apt/sources.list
regexp: "backports"
state: absent
tags:
- apt
- name: Backports sources list is installed
ansible.builtin.template:
src: '{{ ansible_distribution_release }}_backports.list.j2'
dest: /etc/apt/sources.list.d/backports.list
force: true
mode: "0640"
register: apt_backports_list
tags:
- apt
- name: Archived backport are accepted (jessie)
ansible.builtin.lineinfile:
dest: '/etc/apt/apt.conf.d/99no-check-valid-until'
line: 'Acquire::Check-Valid-Until no;'
create: yes
state: present
tags:
- apt
when: ansible_distribution_release == "jessie"
- name: Apt update
ansible.builtin.apt:
update_cache: yes
tags:
- apt
when: apt_backports_list is changed

50
apt/tasks/backports.yml
View file

@ -1,13 +1,45 @@
---
- name: No backports config in default sources.list
lineinfile:
dest: /etc/apt/sources.list
regexp: "backports"
state: absent
tags:
- apt
# Backward compatibility task file
- name: Backports sources list is installed
template:
src: '{{ ansible_distribution_release }}_backports.list.j2'
dest: /etc/apt/sources.list.d/backports.list
force: yes
mode: "0640"
register: apt_backports_list
tags:
- apt
- name: Install backports repositories (Debian <12)
ansible.builtin.import_tasks: backports.oneline.yml
when:
- ansible_distribution_major_version is version('12', '<')
- name: Backports configuration
copy:
src: '{{ ansible_distribution_release }}_backports_preferences'
dest: /etc/apt/preferences.d/0-backports-defaults
force: yes
mode: "0640"
register: apt_backports_config
tags:
- apt
- name: Install backports repositories (Debian >=12)
ansible.builtin.import_tasks: backports.deb822.yml
when:
- ansible_distribution_major_version is version('12', '>=')
- name: Archived backport are accepted (jessie)
lineinfile:
dest: '/etc/apt/apt.conf.d/99no-check-valid-until'
line: 'Acquire::Check-Valid-Until no;'
create: yes
state: present
when: ansible_distribution_release == "jessie"
tags:
- apt
- name: Apt update
apt:
update_cache: yes
when: apt_backports_list is changed or apt_backports_config is changed
tags:
- apt

45
apt/tasks/basics.deb822.yml
View file

@ -1,45 +0,0 @@
---
- name: Change basics repositories
ansible.builtin.template:
src: "{{ ansible_distribution_release }}_basics.sources.j2"
dest: /etc/apt/sources.list.d/system.sources
mode: "0644"
force: true
register: apt_basic_sources
tags:
- apt
- name: Change security repositories
ansible.builtin.template:
src: "{{ ansible_distribution_release }}_security.sources.j2"
dest: /etc/apt/sources.list.d/security.sources
mode: "0644"
force: true
register: apt_security_sources
tags:
- apt
- name: Find one-line APT sources
ansible.builtin.find:
paths: /etc/apt
patterns: '*.list'
register: list_files
- name: Disable one-line-formatted sources
ansible.builtin.command:
cmd: "mv --verbose {{ item.path }} {{ item.path }}.bak"
environment:
LC_ALL: C
loop: "{{ list_files.files }}"
register: rename_cmd
changed_when: "'renamed' in rename_cmd.stdout"
tags:
- apt
- name: Apt update
ansible.builtin.apt:
update_cache: yes
tags:
- apt
when: apt_basic_list is changed or apt_security_sources is changed

18
apt/tasks/basics.oneline.yml
View file

@ -1,18 +0,0 @@
---
- name: Change basics repositories
ansible.builtin.template:
src: "{{ ansible_distribution_release }}_basics.list.j2"
dest: /etc/apt/sources.list
mode: "0644"
force: true
register: apt_basic_list
tags:
- apt
- name: Apt update
ansible.builtin.apt:
update_cache: yes
tags:
- apt
when: apt_basic_list is changed

38
apt/tasks/basics.yml
View file

@ -1,13 +1,33 @@
---
# Backward compatibility task file
- name: Change basics repositories
template:
src: "{{ ansible_distribution_release }}_basics.list.j2"
dest: /etc/apt/sources.list
mode: "0644"
force: yes
register: apt_basic_list
tags:
- apt
- name: Install basics repositories (Debian <12)
ansible.builtin.import_tasks: basics.oneline.yml
when:
- ansible_distribution_major_version is version('12', '<')
- name: Clean GANDI sources.list.d/debian-security.list
file:
path: '{{ item }}'
state: absent
loop:
- /etc/apt/sources.list.d/debian-security.list
- /etc/apt/sources.list.d/debian-jessie.list
- /etc/apt/sources.list.d/debian-stretch.list
- /etc/apt/sources.list.d/debian-buster.list
- /etc/apt/sources.list.d/debian-bullseye.list
- /etc/apt/sources.list.d/debian-update.list
when: apt_clean_gandi_sourceslist | bool
tags:
- apt
- name: Install basics repositories (Debian >=12)
ansible.builtin.import_tasks: basics.deb822.yml
when:
- ansible_distribution_major_version is version('12', '>=')
- name: Apt update
apt:
update_cache: yes
when: apt_basic_list is changed
tags:
- apt

12
apt/tasks/config.yml
View file

@ -1,7 +1,7 @@
---
- name: Evolinux config for APT
ansible.builtin.lineinfile:
lineinfile:
dest: /etc/apt/apt.conf.d/z-evolinux.conf
line: "{{ item.line }}"
regexp: "{{ item.regexp }}"
@ -12,12 +12,12 @@
- { line: "APT::Install-Recommends \"false\";", regexp: 'APT::Install-Recommends' }
- { line: "APT::Install-Suggests \"false\";", regexp: 'APT::Install-Suggests' }
- { line: "APT::Periodic::Enable \"0\";", regexp: 'APT::Periodic::Enable' }
when: apt_evolinux_config | bool
tags:
- apt
when: apt_evolinux_config | bool
- name: DPkg invoke hooks
ansible.builtin.lineinfile:
lineinfile:
dest: /etc/apt/apt.conf.d/z-evolinux.conf
line: "{{ item }}"
create: yes
@ -28,14 +28,14 @@
- "DPkg::Pre-Invoke { \"df /usr | grep -q /usr && mount -oremount,rw /usr || true\"; };"
- "DPkg::Post-Invoke { \"df /tmp | grep -q /tmp && mount -oremount /tmp || true\"; };"
- "DPkg::Post-Invoke { \"df /usr | grep -q /usr && mount -oremount /usr || true\"; };"
when: apt_hooks | bool
tags:
- apt
when: apt_hooks | bool
- name: Remove Aptitude
ansible.builtin.apt:
apt:
name: aptitude
state: absent
when: apt_remove_aptitude | bool
tags:
- apt
when: apt_remove_aptitude | bool

59
apt/tasks/evolix_public.deb822.yml
View file

@ -1,59 +0,0 @@
---
- name: Look for legacy apt keyring
ansible.builtin.stat:
path: /etc/apt/trusted.gpg
register: _trusted_gpg_keyring
tags:
- apt
- name: Evolix embedded GPG key is absent
ansible.builtin.apt_key:
id: "B8612B5D"
keyring: /etc/apt/trusted.gpg
state: absent
tags:
- apt
when: _trusted_gpg_keyring.stat.exists
- name: "Ensure {{ apt_keyring_dir }} directory exists"
file:
path: "{{ apt_keyring_dir }}"
state: directory
mode: "755"
owner: root
group: root
- name: Set Evolix GPG key format to ASC
set_fact:
apt_evolix_public_key: "{{ apt_keyring_dir }}/pub_evolix.asc"
tags:
- apt
- name: Add Evolix GPG key
ansible.builtin.copy:
src: pub_evolix.asc
dest: "{{ apt_evolix_public_key }}"
force: true
mode: "0644"
owner: root
group: root
tags:
- apt
- name: Evolix public list is installed
ansible.builtin.template:
src: evolix_public.sources.j2
dest: /etc/apt/sources.list.d/evolix_public.sources
force: true
mode: "0640"
register: apt_evolix_public
tags:
- apt
- name: Apt update
ansible.builtin.apt:
update_cache: yes
tags:
- apt
when: apt_evolix_public is changed

69
apt/tasks/evolix_public.oneline.yml
View file

@ -1,69 +0,0 @@
---
- name: Look for legacy apt keyring
ansible.builtin.stat:
path: /etc/apt/trusted.gpg
register: _trusted_gpg_keyring
tags:
- apt
- name: Evolix embedded GPG key is absent
ansible.builtin.apt_key:
id: "B8612B5D"
keyring: /etc/apt/trusted.gpg
state: absent
tags:
- apt
when: _trusted_gpg_keyring.stat.exists
- name: "Ensure {{ apt_keyring_dir }} directory exists"
file:
path: "{{ apt_keyring_dir }}"
state: directory
mode: "755"
owner: root
group: root
- name: Set Evolix GPG key format to GPG (Debian < 9)
set_fact:
apt_evolix_public_key: "pub_evolix.gpg"
when:
- ansible_distribution_major_version is version('9', '<')
tags:
- apt
- name: Set Evolix GPG key format to ASC (Debian >= 9)
set_fact:
apt_evolix_public_key: "pub_evolix.asc"
when:
- ansible_distribution_major_version is version('9', '>=')
tags:
- apt
- name: Add Evolix GPG key
ansible.builtin.copy:
src: "{{ apt_evolix_public_key }}"
dest: "{{ apt_keyring_dir }}/{{ apt_evolix_public_key }}"
force: true
mode: "0644"
owner: root
group: root
tags:
- apt
- name: Evolix public list is installed
ansible.builtin.template:
src: evolix_public.list.j2
dest: /etc/apt/sources.list.d/evolix_public.list
force: true
mode: "0640"
register: apt_evolix_public
tags:
- apt
- name: Apt update
ansible.builtin.apt:
update_cache: yes
tags:
- apt
when: apt_evolix_public is changed

50
apt/tasks/evolix_public.yml
View file

@ -1,13 +1,45 @@
---
# Backward compatibility task file
- name: Look for legacy apt keyring
stat:
path: /etc/apt/trusted.gpg
register: _trusted_gpg_keyring
tags:
- apt
- name: Install Evolix Public repositories (Debian <12)
ansible.builtin.import_tasks: evolix_public.oneline.yml
when:
- ansible_distribution_major_version is version('12', '<')
- name: Evolix embedded GPG key is absent
apt_key:
id: "B8612B5D"
keyring: /etc/apt/trusted.gpg
state: absent
when: _trusted_gpg_keyring.stat.exists
tags:
- apt
- name: Install Evolix Public repositories (Debian >=12)
ansible.builtin.import_tasks: evolix_public.deb822.yml
when:
- ansible_distribution_major_version is version('12', '>=')
- name: Add Evolix GPG key
copy:
src: reg.asc
dest: "{{ apt_keyring_dir }}/reg.asc"
force: yes
mode: "0644"
owner: root
group: root
tags:
- apt
- name: Evolix public list is installed
template:
src: evolix_public.list.j2
dest: /etc/apt/sources.list.d/evolix_public.list
force: yes
mode: "0640"
register: apt_evolix_public
tags:
- apt
- name: Apt update
apt:
update_cache: yes
when: apt_evolix_public is changed
tags:
- apt

37
apt/tasks/extended-lts.oneline.yml
View file

@ -1,37 +0,0 @@
---
- name: "Ensure {{ apt_keyring_dir }} directory exists"
file:
path: "{{ apt_keyring_dir }}"
state: directory
mode: "755"
owner: root
group: root
- name: Add Evolix GPG key
ansible.builtin.copy:
src: "freexian-archive-extended-lts.gpg"
dest: "{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"
force: true
mode: "0644"
owner: root
group: root
tags:
- apt
- name: ELTS list is installed
ansible.builtin.template:
src: "{{ ansible_distribution_release }}_extended-lts.list.j2"
dest: /etc/apt/sources.list.d/extended-lts.list
force: true
mode: "0640"
register: apt_extended_lts
tags:
- apt
- name: Apt update
ansible.builtin.apt:
update_cache: yes
tags:
- apt
when: apt_extended_lts is changed

34
apt/tasks/hold_packages.yml
View file

@ -1,11 +1,8 @@
---
- ansible.builtin.include_role:
name: evolix/remount-usr
- name: "hold packages (apt)"
ansible.builtin.shell:
cmd: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) || apt-mark hold {{ item }})"
shell: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) || apt-mark hold {{ item }})"
args:
executable: /bin/bash
check_mode: no
register: apt_mark
@ -18,7 +15,7 @@
- apt
- name: "/etc/evolinux is present"
ansible.builtin.file:
file:
dest: /etc/evolinux
mode: "0700"
state: directory
@ -26,7 +23,7 @@
- apt
- name: "hold packages (config)"
ansible.builtin.lineinfile:
lineinfile:
dest: /etc/evolinux/apt_hold_packages.cf
line: "{{ item }}"
create: True
@ -36,8 +33,8 @@
- apt
- name: "unhold packages (apt)"
ansible.builtin.shell:
cmd: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) && apt-mark unhold {{ item }})"
shell: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) && apt-mark unhold {{ item }})"
args:
executable: /bin/bash
check_mode: no
register: apt_mark
@ -48,7 +45,7 @@
- apt
- name: "unhold packages (config)"
ansible.builtin.lineinfile:
lineinfile:
dest: /etc/evolinux/apt_hold_packages.cf
line: "{{ item }}"
create: True
@ -58,7 +55,7 @@
- apt
- name: /usr/share/scripts exists
ansible.builtin.file:
file:
dest: /usr/share/scripts
mode: "0700"
owner: root
@ -68,26 +65,25 @@
- apt
- name: Check scripts is installed
ansible.builtin.copy:
copy:
src: check_held_packages.sh
dest: /usr/share/scripts/check_held_packages.sh
force: true
force: yes
mode: "0755"
tags:
- apt
- name: Check if Cron is installed
ansible.builtin.shell:
cmd: "dpkg --list 'cron' 2>/dev/null | grep -q -E '^(i|h)i'"
shell: "dpkg --list 'cron' 2>/dev/null | grep -q -E '^(i|h)i'"
register: is_cron
changed_when: False
failed_when: False
changed_when: false
failed_when: false
check_mode: no
tags:
- apt
- name: Check for held packages (script)
ansible.builtin.cron:
cron:
cron_file: apt-hold-packages
name: check_held_packages
job: "/usr/share/scripts/check_held_packages.sh"
@ -98,6 +94,6 @@
day: "{{ apt_check_hold_cron_day }}"
month: "{{ apt_check_hold_cron_month }}"
state: "present"
when: is_cron.rc == 0
tags:
- apt
when: is_cron.rc == 0

120
apt/tasks/main.yml
View file

@ -1,137 +1,53 @@
---
- name: "Compatibility check"
ansible.builtin.assert:
that:
- ansible_distribution == "Debian"
- ansible_distribution_major_version is version('8', '>=')
msg: Only compatible with Debian >= 8
tags:
- apt
- name: "apt-transport-https is installed for https repositories (before Buster)"
ansible.builtin.apt:
name:
- apt-transport-https
tags:
- apt
when: ansible_distribution_major_version is version('10', '<')
- name: "certificates are installed for https repositories"
ansible.builtin.apt:
name:
- ca-certificates
fail:
msg: only compatible with Debian >= 8
when:
- ansible_distribution != "Debian" or ansible_distribution_major_version is version('8', '<')
tags:
- apt
- name: Custom configuration
ansible.builtin.import_tasks: config.yml
include: config.yml
when: apt_config | bool
tags:
- apt
- name: Install basics repositories (Debian <12)
ansible.builtin.import_tasks: basics.oneline.yml
- name: Install basics repositories
include: basics.yml
when: apt_install_basics | bool
tags:
- apt
when:
- apt_install_basics | bool
- ansible_distribution_major_version is version('12', '<')
- name: Install basics repositories (Debian >=12)
ansible.builtin.import_tasks: basics.deb822.yml
- name: Install APT Backports repository
include: backports.yml
when: apt_install_backports | bool
tags:
- apt
when:
- apt_install_basics | bool
- ansible_distribution_major_version is version('12', '>=')
- name: Install backports repositories (Debian <12)
ansible.builtin.import_tasks: backports.oneline.yml
- name: Install Evolix Public APT repository
include: evolix_public.yml
when: apt_install_evolix_public | bool
tags:
- apt
when:
- apt_install_backports | bool
- ansible_distribution_major_version is version('12', '<')
# With Debian 12+ and the deb822 format of source files
# backports are always installed but enabled according to `apt_install_backports`
- name: Install backports repositories (Debian >=12)
ansible.builtin.import_tasks: backports.deb822.yml
tags:
- apt
when:
- ansible_distribution_major_version is version('12', '>=')
- name: Install Evolix Public repositories (Debian <12)
ansible.builtin.import_tasks: evolix_public.oneline.yml
tags:
- apt
when:
- apt_install_evolix_public | bool
- ansible_distribution_major_version is version('12', '<')
- name: Install Evolix Public repositories (Debian >=12)
ansible.builtin.import_tasks: evolix_public.deb822.yml
tags:
- apt
when:
- apt_install_evolix_public | bool
- ansible_distribution_major_version is version('12', '>=')
- name: Install Extended-LTS repositories (Debian < 10)
ansible.builtin.import_tasks: extended-lts.oneline.yml
tags:
- apt
when:
- apt_install_extended_lts | bool
- ansible_distribution_major_version is version('10', '<')
- name: Clean GANDI sources
ansible.builtin.file:
path: '{{ item }}'
state: absent
loop:
- /etc/apt/sources.list.d/debian-security.list
- /etc/apt/sources.list.d/debian-jessie.list
- /etc/apt/sources.list.d/debian-stretch.list
- /etc/apt/sources.list.d/debian-buster.list
- /etc/apt/sources.list.d/debian-bullseye.list
- /etc/apt/sources.list.d/debian-update.list
tags:
- apt
when: apt_clean_gandi_sourceslist | bool
- name: "Disable NonFreeFirmware warning for VM on Debian 12+"
ansible.builtin.lineinfile:
path: /etc/apt/apt.conf.d/no-bookworm-firmware.conf
create: yes
line: "APT::Get::Update::SourceListWarnings::NonFreeFirmware \"false\";"
tags:
- apt
when:
- ansible_distribution_major_version is version('12', '>=')
- ansible_virtualization_role == "guest"
- name: Install check for packages marked hold
ansible.builtin.import_tasks: hold_packages.yml
include: hold_packages.yml
when: apt_install_hold_packages | bool
tags:
- apt
- name: Updating APT cache
ansible.builtin.apt:
apt:
update_cache: yes
changed_when: False
tags:
- apt
- name: Upgrading system
ansible.builtin.apt:
apt:
upgrade: dist
when: apt_upgrade | bool
tags:
- apt
- apt

62
apt/tasks/migrate-to-deb822.yml
View file

@ -1,62 +0,0 @@
---
- ansible.builtin.include_role:
name: evolix/remount-usr
- name: /usr/share/scripts exists
ansible.builtin.file:
dest: /usr/share/scripts
mode: "0700"
owner: root
group: root
state: directory
tags:
- apt
- name: Migration scripts are installed
ansible.builtin.copy:
src: "{{ item }}"
dest: "/usr/share/scripts/{{ item }}"
force: true
mode: "0755"
loop:
- deb822-migration.py
- deb822-migration.sh
tags:
- apt
- name: Exec migration script
ansible.builtin.command:
cmd: /usr/share/scripts/deb822-migration.sh
ignore_errors: yes
tags:
- apt
- name: Is system.sources present?
ansible.builtin.stat:
path: /etc/apt/sources.list.d/system.sources
register: _system_sources
- name: Add signed-by when relevant for bookworm
ansible.builtin.lineinfile:
dest: /etc/apt/sources.list.d/system.sources
line: "Signed-by: /usr/share/keyrings/debian-archive-keyring.gpg"
insertafter: "Suites: bookworm bookworm-updates"
state: present
tags:
- apt
when: _system_sources.stat.exists or not ansible_check_mode
- name: Is security.sources present?
ansible.builtin.stat:
path: /etc/apt/sources.list.d/security.sources
register: _security_sources
- name: Add signed-by when relevant for bookworm-security
ansible.builtin.lineinfile:
dest: /etc/apt/sources.list.d/security.sources
line: "Signed-by: /usr/share/keyrings/debian-archive-keyring.gpg"
insertafter: "Suites: bookworm-security"
state: present
tags:
- apt
when: _security_sources.stat.exists or not ansible_check_mode

53
apt/tasks/move-apt-keyring.yml
View file

@ -1,53 +0,0 @@
---
- name: New APT keyrings directory is present
ansible.builtin.file:
path: /etc/apt/keyrings
state: directory
mode: "0755"
owner: root
group: root
- ansible.builtin.include_role:
name: evolix/remount-usr
- name: /usr/share/scripts exists
ansible.builtin.file:
dest: /usr/share/scripts
mode: "0700"
owner: root
group: root
state: directory
tags:
- apt
- name: migration script is present
ansible.builtin.copy:
src: move-apt-keyrings.sh
dest: /usr/share/scripts/move-apt-keyrings.sh
mode: "0755"
owner: root
group: root
- name: Move repository signing key
ansible.builtin.command:
cmd: "/usr/share/scripts/move-apt-keyrings.sh \"{{ item.repository_pattern }}\" \"{{ item.key }}\""
loop:
- { repository_pattern: "http://pub.evolix.net/", key: "reg.asc" }
- { repository_pattern: "http://pub.evolix.org/evolix", key: "pub_evolix.asc" }
- { repository_pattern: "https://pub.evolix.org/evolix", key: "pub_evolix.asc" }
- { repository_pattern: "https://artifacts.elastic.co/packages/[^/]+/apt", key: "elastics.asc" }
- { repository_pattern: "https://download.docker.com/linux/debian", key: "docker-debian.asc" }
- { repository_pattern: "https://downloads.linux.hpe.com/SDR/repo/mcp", key: "hpePublicKey2048_key1.asc" }
- { repository_pattern: "http://pkg.jenkins-ci.org/debian-stable", key: "jenkins.asc" }
- { repository_pattern: "https://packages.sury.org/php/", key: "sury.gpg" }
- { repository_pattern: "http://repo.mongodb.org/apt/debian", key: "mongodb-server-[0-9\\.]+.asc" }
- { repository_pattern: "http://apt.newrelic.com/debian/", key: "newrelic.asc" }
- { repository_pattern: "https://deb.nodesource.com/", key: "nodesource.asc" }
- { repository_pattern: "https://dl.yarnpkg.com/debian/", key: "yarn.asc" }
- { repository_pattern: "http://apt.postgresql.org/pub/repos/apt/", key: "postgresql.asc" }
register: _cmd
- name: Debug command
ansible.builtin.debug:
var: _cmd

7
apt/templates/bookworm_backports.sources.j2
View file

@ -1,7 +0,0 @@
# {{ ansible_managed }}
Types: deb
URIs: http://mirror.evolix.org/debian
Suites: bullseye-backports
Components: {{ apt_backports_components | mandatory }}
Enabled: {{ apt_install_backports | bool | ternary('yes', 'no') }}

5
apt/templates/bookworm_basics.list.j2 Normal file
View file

@ -0,0 +1,5 @@
# {{ ansible_managed }}
deb http://mirror.evolix.org/debian bookworm {{ apt_basics_components | mandatory }}
deb http://mirror.evolix.org/debian/ bookworm-updates {{ apt_basics_components | mandatory }}
deb http://security.debian.org/debian-security bookworm-security {{ apt_basics_components | mandatory }}

8
apt/templates/bookworm_basics.sources.j2
View file

@ -1,8 +0,0 @@
# {{ ansible_managed }}
Types: deb
URIs: http://mirror.evolix.org/debian
Suites: bookworm bookworm-updates
Components: {{ apt_basics_components | mandatory }}
Enabled: yes
Signed-By: /usr/share/keyrings/debian-archive-bookworm-automatic.gpg

8
apt/templates/bookworm_security.sources.j2
View file

@ -1,8 +0,0 @@
# {{ ansible_managed }}
Types: deb
URIs: https://security.debian.org/debian-security
Suites: bookworm-security
Components: {{ apt_basics_components | mandatory }}
Enabled: yes
Signed-By: /usr/share/keyrings/debian-archive-bookworm-security-automatic.gpg

2
apt/templates/bullseye_basics.list.j2
View file

@ -1,5 +1,5 @@
# {{ ansible_managed }}
deb http://mirror.evolix.org/debian bullseye {{ apt_basics_components | mandatory }}
deb http://mirror.evolix.org/debian bullseye-updates {{ apt_basics_components | mandatory }}
deb http://mirror.evolix.org/debian/ bullseye-updates {{ apt_basics_components | mandatory }}
deb http://security.debian.org/debian-security bullseye-security {{ apt_basics_components | mandatory }}

2
apt/templates/buster_basics.list.j2
View file

@ -1,5 +1,5 @@
# {{ ansible_managed }}
deb http://mirror.evolix.org/debian buster {{ apt_basics_components | mandatory }}
deb http://mirror.evolix.org/debian buster-updates {{ apt_basics_components | mandatory }}
deb http://mirror.evolix.org/debian/ buster-updates {{ apt_basics_components | mandatory }}
deb http://security.debian.org/debian-security buster/updates {{ apt_basics_components | mandatory }}

6
apt/templates/evolix_public.list.j2
View file

@ -1,3 +1,7 @@
# {{ ansible_managed }}
deb [signed-by={{ apt_keyring_dir }}/{{ apt_evolix_public_key }}] http://pub.evolix.org/evolix {{ ansible_distribution_release }} main
{% if ansible_distribution_release == "bookworm" %}
deb [signed-by={{ apt_keyring_dir }}/reg.asc] http://pub.evolix.net/ bullseye/
{% else %}
deb [signed-by={{ apt_keyring_dir }}/reg.asc] http://pub.evolix.net/ {{ ansible_distribution_release }}/
{% endif %}

8
apt/templates/evolix_public.sources.j2
View file

@ -1,8 +0,0 @@
# {{ ansible_managed }}
Types: deb
URIs: http://pub.evolix.org/evolix
Suites: {{ ansible_distribution_release }}
Components: main
Signed-by: {{ apt_keyring_dir }}/pub_evolix.asc
Enabled: yes

5
apt/templates/jessie_basics.list.j2
View file

@ -1,5 +1,4 @@
# {{ ansible_managed }}
### Those repositories are unusable. Move to ELTS (manually).
# deb http://archive.debian.org/debian jessie {{ apt_basics_components | mandatory }}
# deb http://archive.debian.org/debian-security jessie/updates {{ apt_basics_components | mandatory }}
deb http://mirror.evolix.org/debian/ jessie {{ apt_basics_components | mandatory }}
deb http://security.debian.org/ jessie/updates {{ apt_basics_components | mandatory }}

4
apt/templates/jessie_extended-lts.list.j2
View file

@ -1,4 +0,0 @@
# {{ ansible_managed }}
deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts jessie main
deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts jessie-lts main

2
apt/templates/stretch_backports.list.j2
View file

@ -1,3 +1,3 @@
# {{ ansible_managed }}
deb http://archive.debian.org/debian stretch-backports {{ apt_backports_components | mandatory }}
deb http://mirror.evolix.org/debian stretch-backports {{ apt_backports_components | mandatory }}

5
apt/templates/stretch_basics.list.j2
View file

@ -1,4 +1,5 @@
# {{ ansible_managed }}
deb http://archive.debian.org/debian stretch {{ apt_basics_components | mandatory }}
deb http://archive.debian.org/debian-security stretch/updates {{ apt_basics_components | mandatory }}
deb http://mirror.evolix.org/debian stretch {{ apt_basics_components | mandatory }}
deb http://mirror.evolix.org/debian/ stretch-updates {{ apt_basics_components | mandatory }}
deb http://security.debian.org/debian-security stretch/updates {{ apt_basics_components | mandatory }}

4
apt/templates/stretch_extended-lts.list.j2
View file

@ -1,4 +0,0 @@
# {{ ansible_managed }}
deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts stretch main
deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts stretch-lts main

17
autosysadmin-agent/defaults/main.yml
View file

@ -1,17 +0,0 @@
---
general_scripts_dir: "/usr/share/scripts"
autosysadmin_agent_bin_dir: "/usr/local/bin/autosysadmin"
autosysadmin_agent_lib_dir: "/usr/local/lib/autosysadmin"
autosysadmin_agent_auto_dir: "{{ general_scripts_dir }}/autosysadmin/restart"
autosysadmin_agent_crontab_enabled: true
autosysadmin_agent_log_retention_days: 365
autosysadmin_config: []
### All repair are disabled if set to 'off'
### even if a specific repair value is 'on'
# repair_all: 'on'
### Default values for checks
# repair_foo: 'off'

13
autosysadmin-agent/files/autosysadmin.logrotate.conf
View file

@ -1,13 +0,0 @@
/var/log/autosysadmin.log {
daily
missingok
rotate 365
compress
nodelaycompress
notifempty
dateext
dateformat .%Y-%m-%d
dateyesterday
copytruncate
create 0640 root adm
}

3
autosysadmin-agent/files/autosysadmin.rsyslog.conf
View file

@ -1,3 +0,0 @@
$template autosysadmin, "/var/log/autosysadmin.log"
if $programname contains 'autosysadmin' then ?autosysadmin
& stop

25
autosysadmin-agent/files/upstream/bin/delete_old_logs.sh
View file

@ -1,25 +0,0 @@
#!/bin/bash
days=${1:-365}
log_dir="/var/log/autosysadmin/"
if [ -d "${log_dir}" ]; then
find_run_dirs() {
find "${log_dir}" \
-mindepth 1 \
-maxdepth 1 \
-type d \
-ctime "+${days}" \
-print0
}
log() {
/usr/bin/logger -p local0.notice -t autosysadmin "${1}"
}
while IFS= read -r -d '' run_dir; do
rm --recursive --force "${run_dir}"
log "Delete ${run_dir} (older than ${days} days)"
done < <(find_run_dirs)
fi
exit 0

907
autosysadmin-agent/files/upstream/lib/common.sh
View file

@ -1,907 +0,0 @@
#!/bin/bash
VERSION="24.03"
# Common functions for "repair" and "restart" scripts
set -u
# Initializes the program, context, configuration…
initialize() {
PATH="${PATH}":/usr/sbin:/sbin
# Used in many places to refer to the program name.
# Examples: repair_mysql, restart_nrpe…
PROGNAME=$(basename "${0}")
# find out if running in interactive mode, or not
if [ -t 0 ]; then
INTERACTIVE=1
else
INTERACTIVE=0
fi
readonly INTERACTIVE
# Default empty value for Debug mode
DEBUG="${DEBUG:-""}"
# Repair scripts obey to the value of a variable named after the script
# You can set the value ("on" or "off") in /etc/evolinux/autosysadmin
# Here we set the default value to "on".
declare -g "${PROGNAME}"=on # dynamic variable assignment ($PROGNAME == repair_*)
PID=$$
readonly PID
# Each execution (run) gets a unique ID
RUN_ID="$(date +"%Y-%m-%d_%H-%M")_${PROGNAME}_${PID}"
readonly RUN_ID
# Main log directory
MAIN_LOG_DIR="/var/log/autosysadmin"
readonly MAIN_LOG_DIR
# shellcheck disable=SC2174
mkdir --mode=750 --parents "${MAIN_LOG_DIR}"
chgrp adm "${MAIN_LOG_DIR}"
# Each execution store some information
# in a unique directory based on the RUN_ID
RUN_LOG_DIR="${MAIN_LOG_DIR}/${RUN_ID}"
readonly RUN_LOG_DIR
# shellcheck disable=SC2174
mkdir --mode=750 --parents "${RUN_LOG_DIR}"
chgrp adm "${RUN_LOG_DIR}"
# This log file contains all events
RUN_LOG_FILE="${RUN_LOG_DIR}/autosysadmin.log"
readonly RUN_LOG_FILE
# This log file contains notable actions
ACTIONS_FILE="${RUN_LOG_DIR}/actions.log"
readonly ACTIONS_FILE
touch "${ACTIONS_FILE}"
# This log file contains abort reasons (if any)
ABORT_FILE="${RUN_LOG_DIR}/abort.log"
readonly ABORT_FILE
# touch "${ABORT_FILE}"
# Date format for log messages
DATE_FORMAT="%Y-%m-%d %H:%M:%S"
# This will contain lock, last-run markers…
# It's ok to lose the content after a reboot
RUN_DIR="/run/autosysadmin"
readonly RUN_DIR
mkdir -p "${RUN_DIR}"
# Only a singe instace of each script can run simultaneously
# We use a customizable lock name for this.
# By default it's the script's name
LOCK_NAME=${LOCK_NAME:-${PROGNAME}}
# If a lock is found, we can wait for it to disappear.
# The value must be understood by sleep(1)
LOCK_WAIT="0"
# Default values for email headers
EMAIL_FROM="equipe+autosysadmin@evolix.fr"
EMAIL_INTERNAL="autosysadmin@evolix.fr"
LOCK_FILE="${RUN_DIR}/${LOCK_NAME}.lock"
readonly LOCK_FILE
# Remove lock file at exit
cleanup() {
# shellcheck disable=SC2317
rm -f "${LOCK_FILE}"
}
trap 'cleanup' 0
# Load configuration
# shellcheck disable=SC1091
test -f /etc/evolinux/autosysadmin && source /etc/evolinux/autosysadmin
log_all "Begin ${PROGNAME} RUN_ID: ${RUN_ID}"
log_all "Log directory is ${RUN_LOG_DIR}"
}
# Executes a list of tasks before exiting:
# * prepare a summary of actions and possible abort reasons
# * send emails
# * do some cleanup
quit() {
log_all "End ${PROGNAME} RUN_ID: ${RUN_ID}"
summary="RUN_ID: ${RUN_ID}"
if [ -s "${ABORT_FILE}" ]; then
# Add abort reasons to summary
summary="${summary}\n$(print_abort_reasons)"
hook_mail "abort"
return_code=1
else
if [ -s "${ACTIONS_FILE}" ]; then
# Add notable actions to summary
summary="${summary}\n$(print_actions "Aucune action")"
hook_mail "success"
fi
return_code=0
fi
hook_mail "internal"
if is_interactive; then
# shellcheck disable=SC2001
echo "${summary}" | sed -e 's/\\n/\n/g'
else
/usr/share/scripts/evomaintenance.sh --auto --user autosysadmin --message "${summary}" --no-commit --no-mail
fi
teardown
# shellcheck disable=SC2086
exit ${return_code}
}
teardown() {
:
}
# Return true/false
is_interactive() {
test "${INTERACTIVE}" -eq "1"
}
save_server_state() {
DUMP_SERVER_STATE_BIN="$(command -v dump-server-state || command -v backup-server-state)"
if [ -z "${DUMP_SERVER_STATE_BIN}" ]; then
log_all "Warning: dump-server-state is not present. No server state recorded."
fi
if [ -x "${DUMP_SERVER_STATE_BIN}" ]; then
DUMP_DIR=$(file_path_in_log_dir "server-state")
# We don't want the logging to take too much time,
# so we kill it if it takes more than 20 seconds.
timeout --signal 9 20 \
"${DUMP_SERVER_STATE_BIN}" \
--dump-dir="${DUMP_DIR}" \
--df \
--dmesg \
--iptables \
--lxc \
--netcfg \
--netstat \
--uname \
--processes \
--systemctl \
--uptime \
--virsh \
--disks \
--mysql-processes \
--no-apt-states \
--no-apt-config \
--no-dpkg-full \
--no-dpkg-status \
--no-mount \
--no-packages \
--no-sysctl \
--no-etc
log_run "Server state saved in \`server-state' directory."
fi
}
is_debug() {
# first time: do the check…
# other times: pass
if [ -z "${DEBUG:-""}" ]; then
debug_file="/etc/evolinux/autosysadmin.debug"
if [ -e "${debug_file}" ]; then
last_change=$(stat -c %Z "${debug_file}")
limit_date=$(date --date "14400 seconds ago" +"%s")
if [ $(( last_change - limit_date )) -le "0" ]; then
log_run "Debug mode disabled; file is too old (%{last_change} seconds)."
rm "${debug_file}"
# Debug mode disabled
DEBUG="0"
else
log_run "Debug mode enabled."
# Debug mode enabled
DEBUG="1"
fi
else
# log_run "Debug mode disabled; file is absent."
# Debug mode disabled
DEBUG="0"
fi
fi
# return the value
test "${DEBUG}" -eq "1"
}
# Uses the who(1) definition of "active"
currently_active_users() {
LC_ALL=C who --users | grep --extended-regexp "\s+\.\s+" | awk '{print $1}' | sort --human-numeric-sort | uniq
}
# Users active in the last 29 minutes
recently_active_users() {
LC_ALL=C who --users | grep --extended-regexp "\s+00:(0|1|2)[0-9]\s+" | awk --field-separator ' ' '{print $1,$6}'
}
# Save the list of users to a file in the log directory
save_active_users() {
LC_ALL=C who --users | save_in_log_dir "who-users"
}
# An autosysadmin must not perform actions if a user is active or was active recently.
#
# This can by bypassed in interactive mode.
# It's OK to lose this data after a reboot.
ensure_no_active_users_or_exit() {
# Save all active users
save_active_users
if is_debug; then
log_run "Debug mode enabled: continue without checking active users."
return 0;
fi
# Is there any currently active user?
currently_active_users=$(currently_active_users)
if [ -n "${currently_active_users}" ]; then
# shellcheck disable=SC2001
users_oneliner=$(echo "${currently_active_users}" | sed -e 's/\n/ /')
log_run "Currently active users: ${users_oneliner}"
if is_interactive; then
echo "Some users are currently active:"
# shellcheck disable=SC2001
echo "${currently_active_users}" | sed -e 's/\(.\+\)/* \1/'
answer=""
while :; do
printf "> Continue? [Y,n,?] "
read -r answer
case ${answer} in
[Yy]|"" )
log_run "Active users check bypassed manually in interactive mode."
return
;;
[Nn] )
log_run "Active users check confirmed manually in interactive mode."
log_abort_and_quit "Active users detected: ${users_oneliner}"
;;
* )
printf "y - yes, continue\n"
printf "n - no, exit\n"
printf "? - print this help\n"
;;
esac
done
else
log_abort_and_quit "Currently active users detected: ${users_oneliner}."
fi
else
# or recently (the last 30 minutes) active user?
recently_active_users=$(recently_active_users)
if [ -n "${recently_active_users}" ]; then
# shellcheck disable=SC2001
users_oneliner=$(echo "${recently_active_users}" | sed -e 's/\n/ /')
log_run "Recently active users: ${users_oneliner}"
if is_interactive; then
echo "Some users were recently active:"
# shellcheck disable=SC2001
echo "${recently_active_users}" | sed -e 's/\(.\+\)/* \1/'
answer=""
while :; do
printf "> Continue? [Y,n,?] "
read -r answer
case ${answer} in
[Yy]|"" )
log_run "Active users check bypassed manually in interactive mode."
return
;;
[Nn] )
log_run "Active users check confirmed manually in interactive mode."
log_abort_and_quit "Recently active users detected: ${users_oneliner}."
;;
* )
printf "y - yes, continue\n"
printf "n - no, exit\n"
printf "? - print this help\n"
;;
esac
done
else
log_abort_and_quit "Recently active users detected: ${users_oneliner}."
fi
fi
fi
}
# Takes an NRPE command name as 1st parameter,
# and executes the full command if found in the configuration.
# Return the result and the return code of the command.
check_nrpe() {
check="$1"
nrpe_files=""
# Check if NRPE config is found
if [ -f "/etc/nagios/nrpe.cfg" ]; then
nrpe_files="${nrpe_files} /etc/nagios/nrpe.cfg"
else
msg="NRPE configuration not found: /etc/nagios/nrpe.cfg"
log_run "${msg}"
echo "${msg}"
return 3
fi
# Search for included files
# shellcheck disable=SC2086
while IFS= read -r include_file; do
nrpe_files="${nrpe_files} ${include_file}"
done < <(grep --extended-regexp '^\s*include=.+' ${nrpe_files} | cut -d = -f 2)
# Search for files in included directories
# shellcheck disable=SC2086
while IFS= read -r include_dir; do
nrpe_files="${nrpe_files} ${include_dir}/*.cfg"
done < <(grep --extended-regexp '^\s*include_dir=.+' ${nrpe_files} | cut -d = -f 2)
# Fetch uncommented commands in (sorted) config files
# shellcheck disable=SC2086
nrpe_commands=$(grep --no-filename --exclude=*~ --fixed-strings "[${check}]" ${nrpe_files} | grep --invert-match --extended-regexp '^\s*#\s*command' | cut -d = -f 2)
nrpe_commands_count=$(echo "${nrpe_commands}" | wc -l)
if is_debian_version "9" "<=" && [ "${nrpe_commands_count}" -gt "1" ]; then
# On Debian <= 9, NRPE loading was not sorted
# we need to raise an error if we have multiple defined commands
msg="Unable to determine which NRPE command to run"
log_run "${msg}"
echo "${msg}"
return 3
else
# On Debian > 9, use the last command
nrpe_command=$(echo "${nrpe_commands}" | tail -n 1)
nrpe_result=$(${nrpe_command})
nrpe_rc=$?
log_run "NRPE command (exited with ${nrpe_rc}): ${nrpe_command}"
log_run "${nrpe_result}"
echo "${nrpe_result}"
return "${nrpe_rc}"
fi
}
# An autosysadmin script must not run twice (or more) simultaneously.
# We use a customizable (with LOCK_NAME) lock file to keep track of this.
# A wait time can be configured.
#
# This can by bypassed in interactive mode.
# It's OK to lose this data after a reboot.
acquire_lock_or_exit() {
lock_file="${1:-${LOCK_FILE}}"
lock_wait="${2:-${LOCK_WAIT}}"
# lock_wait must be compatible with sleep(1), otherwise fallback to 0
if ! echo "${lock_wait}" | grep -Eq '^[0-9]+[smhd]?$'; then
log_run "Lock wait: incorrect value '${lock_wait}', fallback to 0."
lock_wait=0
fi
if [ "${lock_wait}" != "0" ] && [ -f "${lock_file}" ]; then
log_run "Lock file present. Let's wait ${lock_wait} and check again."
sleep "${lock_wait}"
fi
if [ -f "${lock_file}" ]; then
log_abort_and_quit "Lock file still present."
else
log_run "Lock file absent. Let's put one."
touch "${lock_file}"
fi
}
# If a script has been run in the ast 30 minutes, running it again won't fix the issue.
# We use a /run/ausosysadmin/${PROGNAME}_lastrun file to keep track of this.
#
# This can by bypassed in interactive mode.
# This is bypassed in debug mode.
# It's OK to lose this data after a reboot.
ensure_not_too_soon_or_exit() {
if is_debug; then
log_run "Debug mode enabled: continue without checking when was the last run."
return 0;
fi
lastrun_file="${RUN_DIR}/${PROGNAME}_lastrun"
if [ -f "${lastrun_file}" ]; then
lastrun_age="$(($(date +%s)-$(stat -c "%Y" "${lastrun_file}")))"
log_run "Last run was ${lastrun_age} seconds ago."
if [ "${lastrun_age}" -lt 1800 ]; then
if is_interactive; then
echo "${PROGNAME} was run ${lastrun_age} seconds ago."
answer=""
while :; do
printf "> Continue? [Y,n,?] "
read -r answer
case ${answer} in
[Yy]|"" )
log_run "Last run check bypassed manually in interactive mode."
break
;;
[Nn] )
log_run "Last run check confirmed manually in interactive mode."
log_abort_and_quit 'Last run too recent.'
;;
* )
printf "y - yes, continue\n"
printf "n - no, exit\n"
printf "? - print this help\n"
;;
esac
done
else
log_abort_and_quit "Last run too recent."
fi
fi
fi
touch "${lastrun_file}"
}
# Populate DEBIAN_VERSION and DEBIAN_RELEASE variables
# based on gathered information about the operating system
detect_os() {
DEBIAN_RELEASE="unknown"
DEBIAN_VERSION="unknown"
LSB_RELEASE_BIN="$(command -v lsb_release)"
if [ -e /etc/debian_version ]; then
DEBIAN_VERSION="$(cut -d "." -f 1 < /etc/debian_version)"
if [ -x "${LSB_RELEASE_BIN}" ]; then
DEBIAN_RELEASE="$("${LSB_RELEASE_BIN}" --codename --short)"
else
case "${DEBIAN_VERSION}" in
7) DEBIAN_RELEASE="wheezy" ;;
8) DEBIAN_RELEASE="jessie" ;;
9) DEBIAN_RELEASE="stretch" ;;
10) DEBIAN_RELEASE="buster" ;;
11) DEBIAN_RELEASE="bullseye" ;;
12) DEBIAN_RELEASE="bookworm" ;;
13) DEBIAN_RELEASE="trixie" ;;
esac
fi
# log_run "Detected OS: Debian version=${DEBIAN_VERSION} release=${DEBIAN_RELEASE}"
# else
# log_run "Detected OS: unknown (missing /etc/debian_version)"
fi
}
is_debian_wheezy() {
test "${DEBIAN_RELEASE}" = "wheezy"
}
is_debian_jessie() {
test "${DEBIAN_RELEASE}" = "jessie"
}
is_debian_stretch() {
test "${DEBIAN_RELEASE}" = "stretch"
}
is_debian_buster() {
test "${DEBIAN_RELEASE}" = "buster"
}
is_debian_bullseye() {
test "${DEBIAN_RELEASE}" = "bullseye"
}
is_debian_bookworm() {
test "${DEBIAN_RELEASE}" = "bookworm"
}
is_debian_trixie() {
test "${DEBIAN_RELEASE}" = "trixie"
}
is_debian_version() {
local version=$1
local relation=${2:-"eq"}
if [ -z "${DEBIAN_VERSION:-""}" ]; then
detect_os
fi
dpkg --compare-versions "${DEBIAN_VERSION}" "${relation}" "${version}"
}
# List systemd services (only names), even if stopped
systemd_list_services() {
pattern=$1
systemctl list-units --all --no-legend --type=service "${pattern}" | grep --only-matching --extended-regexp '\S+\.service'
}
is_systemd_enabled() {
systemctl --quiet is-enabled "$1" 2> /dev/null
}
is_systemd_active() {
systemctl --quiet is-active "$1" 2> /dev/null
}
is_sysvinit_enabled() {
find /etc/rc2.d/ -name "$1" > /dev/null
}
get_fqdn() {
# shellcheck disable=SC2155
local system=$(uname -s)
if [ "${system}" = "Linux" ]; then
hostname --fqdn
elif [ "${system}" = "OpenBSD" ]; then
hostname
else
log_abort_and_quit "System '${system}' not recognized."
fi
}
get_complete_hostname() {
REAL_HOSTNAME="$(get_fqdn)"
if [ "${HOSTNAME}" = "${REAL_HOSTNAME}" ]; then
echo "${HOSTNAME}"
else
echo "${HOSTNAME} (${REAL_HOSTNAME})"
fi
}
# Fetch values from evomaintenance configuration
get_evomaintenance_mail() {
grep "EVOMAINTMAIL=" /etc/evomaintenance.cf | cut -d '=' -f2
}
get_evomaintenance_emergency_mail() {
grep "URGENCYFROM=" /etc/evomaintenance.cf | cut -d '=' -f2
}
get_evomaintenance_emergency_tel() {
grep "URGENCYTEL=" /etc/evomaintenance.cf | cut -d '=' -f2
}
# Log a message to the log file in the log directory
log_run() {
local msg="${1:-$(cat /dev/stdin)}"
# shellcheck disable=SC2155
local date=$(/bin/date +"${DATE_FORMAT}")
printf "[%s] %s[%s]: %s\\n" \
"${date}" "${PROGNAME}" "${PID}" "${msg}" \
>> "${RUN_LOG_FILE}"
}
# Log a message in the system log file (syslog or journald)
log_global() {
local msg="${1:-$(cat /dev/stdin)}"
echo "${msg}" \
| /usr/bin/logger -p local0.notice -t autosysadmin
}
# Log a message in both places
log_all() {
local msg="${1:-$(cat /dev/stdin)}"
log_global "${msg}"
log_run "${msg}"
}
# Log a notable action in regular places
# and append it to the dedicated list
log_action() {
log_all "$*"
append_action "$*"
}
# Append a line in the actions.log file in the log directory
append_action() {
echo "$*" >> "${ACTIONS_FILE}"
}
# Print the content of the actions.log file
# or a fallback content (1st parameter) if empty
# shellcheck disable=SC2120
print_actions() {
local fallback=${1:-""}
if [ -s "${ACTIONS_FILE}" ]; then
cat "${ACTIONS_FILE}"
elif [ -n "${fallback}" ]; then
echo "${fallback}"
fi
}
# Log a an abort reason in regular places
# and append it to the dedicated list
log_abort() {
log_all "$*"
append_abort_reason "$*"
}
# Append a line in the abort.log file in the log directory
append_abort_reason() {
echo "$*" >> "${ABORT_FILE}"
}
# Print the content of the abort.log file
# or a fallback content (1st parameter) if empty
# shellcheck disable=SC2120
print_abort_reasons() {
local fallback=${1:-""}
if [ -s "${ABORT_FILE}" ]; then
cat "${ABORT_FILE}"
elif [ -n "${fallback}" ]; then
echo "${fallback}"
fi
}
# Print the content of the main log from the log directory
print_main_log() {
cat "${RUN_LOG_FILE}"
}
# Log an abort reason and quit the script
log_abort_and_quit() {
log_abort "$*"
quit
}
# Store the content from standard inpu
# into a file in the log directory named after the 1st parameter
save_in_log_dir() {
local file_name=$1
local file_path="${RUN_LOG_DIR}/${file_name}"
cat /dev/stdin > "${file_path}"
log_run "Saved \`${file_name}' file."
}
# Return the full path of the file in log directory
# based on the name in the 1st parameter
file_path_in_log_dir() {
echo "${RUN_LOG_DIR}/${1}"
}
format_mail_success() {
cat <<EOTEMPLATE
From: AutoSysadmin Evolix <${EMAIL_FROM}>
Content-Type: text/plain; charset=UTF-8
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Script: ${PROGNAME}
X-RunId: ${RUN_ID}
To: ${EMAIL_CLIENT:-alert5@evolix.fr}
Cc: ${EMAIL_INTERNAL}
Subject: [autosysadmin] Intervention automatisée sur ${HOSTNAME_TEXT}
Bonjour,
Une intervention automatisée vient de se terminer.
Nom du serveur : ${HOSTNAME_TEXT}
Heure d'intervention : $(LC_ALL=fr_FR.utf8 date)
Script déclenché : ${PROGNAME}
### Actions réalisées
$(print_actions "Aucune")
### RĂ©agir Ă  cette intervention
Vous pouvez répondre à ce message (${EMAIL_FROM}).
En cas d'urgence, utilisez l'adresse ${EMERGENCY_MAIL}
ou notre ligne d'astreinte (${EMERGENCY_TEL})
--
Votre AutoSysadmin
EOTEMPLATE
}
format_mail_abort() {
cat <<EOTEMPLATE
From: AutoSysadmin Evolix <${EMAIL_FROM}>
Content-Type: text/plain; charset=UTF-8
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Script: ${PROGNAME}
X-RunId: ${RUN_ID}
To: ${EMAIL_CLIENT:-alert5@evolix.fr}
Cc: ${EMAIL_INTERNAL}
Subject: [autosysadmin] Intervention automatisée interrompue sur ${HOSTNAME_TEXT}
Bonjour,
Une intervention automatisée a été déclenchée mais s'est interrompue.
Nom du serveur : ${HOSTNAME_TEXT}
Heure d'intervention : $(LC_ALL=fr_FR.utf8 date)
Script déclenché : ${PROGNAME}
### Actions réalisées
$(print_actions "Aucune")
### Raison(s) de l'interruption
$(print_abort_reasons "Inconnue")
### RĂ©agir Ă  cette intervention
Vous pouvez répondre à ce message (${EMAIL_FROM}).
En cas d'urgence, utilisez l'adresse ${EMERGENCY_MAIL}
ou notre ligne d'astreinte (${EMERGENCY_TEL})
--
Votre AutoSysadmin
EOTEMPLATE
}
# shellcheck disable=SC2028
print_report_information() {
echo "**Uptime**"
echo ""
uptime
echo ""
echo "**Utilisateurs récents**"
echo ""
who_file=$(file_path_in_log_dir "who-users")
if [ -s "${who_file}" ]; then
cat "${who_file}"
else
who --users
fi
echo ""
echo "**Espace disque**"
echo ""
df_file=$(file_path_in_log_dir "server-state/df.txt")
if [ -s "${df_file}" ]; then
cat "${df_file}"
else
df -h
fi
echo ""
echo "**Dmesg**"
echo ""
dmesg_file=$(file_path_in_log_dir "server-state/dmesg.txt")
if [ -s "${dmesg_file}" ]; then
tail -n 5 "${dmesg_file}"
else
dmesg | tail -n 5
fi
echo ""
echo "**systemd failed services**"
echo ""
failed_services_file=$(file_path_in_log_dir "server-state/systemctl-failed-services.txt")
if [ -s "${failed_services_file}" ]; then
cat "${failed_services_file}"
else
systemctl --no-legend --state=failed --type=service
fi
if command -v lxc-ls > /dev/null 2>&1; then
echo ""
echo "**LXC containers**"
echo ""
lxc_ls_file=$(file_path_in_log_dir "server-state/lxc-list.txt")
if [ -s "${lxc_ls_file}" ]; then
cat "${lxc_ls_file}"
else
lxc-ls --fancy
fi
fi
apache_errors_file=$(file_path_in_log_dir "apache-errors.log")
if [ -f "${apache_errors_file}" ]; then
echo ""
echo "**Apache errors**"
echo ""
cat "${apache_errors_file}"
fi
nginx_errors_file=$(file_path_in_log_dir "nginx-errors.log")
if [ -f "${nginx_errors_file}" ]; then
echo ""
echo "**Nginx errors**"
echo ""
cat "${nginx_errors_file}"
fi
}
format_mail_internal() {
cat <<EOTEMPLATE
From: AutoSysadmin Evolix <${EMAIL_FROM}>
Content-Type: text/plain; charset=UTF-8
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Script: ${PROGNAME}
X-RunId: ${RUN_ID}
To: ${EMAIL_INTERNAL}
Subject: [autosysadmin] Rapport interne d'intervention sur ${HOSTNAME_TEXT}
Bonjour,
Une intervention automatique vient de se terminer.
Nom du serveur : ${HOSTNAME_TEXT}
Heure d'intervention : $(LC_ALL=fr_FR.utf8 date)
Script déclenché : ${PROGNAME}
### Actions réalisées
$(print_actions "Aucune")
### Raison(s) de l'interruption
$(print_abort_reasons "Aucune")
### Log autosysadmin
$(print_main_log)
### Informations additionnelles
$(print_report_information)
--
Votre AutoSysadmin
EOTEMPLATE
}
# Generic function to send emails at the end of the script.
# Takes a template as 1st parameter
hook_mail() {
if is_debug; then
log_run "Debug mode enabled: continue without sending mail."
return 0;
fi
HOSTNAME="${HOSTNAME:-"$(get_fqdn)"}"
HOSTNAME_TEXT="$(get_complete_hostname)"
EMAIL_CLIENT="$(get_evomaintenance_mail)"
EMERGENCY_MAIL="$(get_evomaintenance_emergency_mail)"
EMERGENCY_TEL="$(get_evomaintenance_emergency_tel)"
MAIL_CONTENT="$(format_mail_"$1")"
SENDMAIL_BIN="$(command -v sendmail)"
if [ -z "${SENDMAIL_BIN}" ]; then
log_global "ERROR: No \`sendmail' command has been found, can't send mail."
fi
if [ -x "${SENDMAIL_BIN}" ]; then
echo "${MAIL_CONTENT}" | "${SENDMAIL_BIN}" -oi -t -f "equipe@evolix.fr"
log_global "Sent '$1' mail for RUN_ID: ${RUN_ID}"
fi
}
is_holiday() {
# gcal mark today as a holiday by surrounding with < and > the day
# of the month of that holiday line. For example if today is 2022-05-01 we'll
# get among other lines:
# FĂŞte du Travail (FR) + Di, < 1>Mai 2022
# Jour de la Victoire (FR) + Di, : 8:Mai 2022 = +7 jours
LANGUAGE=fr_FR.UTF-8 TZ=Europe/Paris gcal --cc-holidays=fr --holiday-list=short | grep -E '<[0-9 ]{2}>' --quiet
}
is_weekend() {
day_of_week=$(date +%u)
if [ "${day_of_week}" != 6 ] && [ "${day_of_week}" != 7 ]; then
return 1
fi
}
is_workday() {
if is_holiday || is_weekend; then
return 1
fi
}
is_worktime() {
if ! is_workday; then
return 1
fi
hour=$(date +%H)
if [ "${hour}" -lt 9 ] || { [ "${hour}" -ge 12 ] && [ "${hour}" -lt 14 ] ; } || [ "${hour}" -ge 18 ]; then
return 1
fi
}

112
autosysadmin-agent/files/upstream/lib/repair.sh
View file

@ -1,112 +0,0 @@
#!/bin/bash
# Specific functions for "repair" scripts
is_all_repair_disabled() {
# Fetch values from the config
# and if it is not defined or has no value, then assign "on"
local status=${repair_all:=on}
test "${status}" = "off" || test "${status}" = "0"
}
is_current_repair_disabled() {
# Fetch values from the config
# and if it is not defined or has no value, then assign "on"
local status=${!PROGNAME:=on}
test "${status}" = "off" || test "${status}" = "0"
}
ensure_not_disabled_or_exit() {
if is_all_repair_disabled; then
log_global 'All repair scripts are disabled.'
exit 0
fi
if is_current_repair_disabled; then
log_global "Current repair script (${PROGNAME}) is disabled."
exit 0
fi
}
# Set of actions to do at the begining of a "repair" script
pre_repair() {
initialize
# Are we supposed to run?
ensure_not_disabled_or_exit
# Has it recently been run?
ensure_not_too_soon_or_exit
# Can we acquire a lock?
acquire_lock_or_exit
# Is there any active user?
ensure_no_active_users_or_exit
# Save important information
save_server_state
}
# Set of actions to do at the end of a "repair" script
post_repair() {
quit
}
repair_lxc_php() {
container_name=$1
if is_systemd_enabled 'lxc.service'; then
lxc_path=$(lxc-config lxc.lxcpath)
if lxc-info --name "${container_name}" > /dev/null; then
rootfs="${lxc_path}/${container_name}/rootfs"
case "${container_name}" in
php56) fpm_log_file="${rootfs}/var/log/php5-fpm.log" ;;
php70) fpm_log_file="${rootfs}/var/log/php7.0-fpm.log" ;;
php73) fpm_log_file="${rootfs}/var/log/php7.3-fpm.log" ;;
php74) fpm_log_file="${rootfs}/var/log/php7.4-fpm.log" ;;
php80) fpm_log_file="${rootfs}/var/log/php8.0-fpm.log" ;;
php81) fpm_log_file="${rootfs}/var/log/php8.1-fpm.log" ;;
php82) fpm_log_file="${rootfs}/var/log/php8.2-fpm.log" ;;
php83) fpm_log_file="${rootfs}/var/log/php8.3-fpm.log" ;;
*)
log_abort_and_quit "Unknown container '${container_name}'"
;;
esac
# Determine FPM Pool path
php_path_pool=$(find "${lxc_path}/${container_name}/" -type d -name "pool.d")
# Save LXC info (before restart)
lxc-info --name "${container_name}" | save_in_log_dir "lxc-${container_name}.before.status"
# Save last lines of FPM log (before restart)
tail "${fpm_log_file}" | save_in_log_dir "$(basename "${fpm_log_file}" | sed -e 's/.log/.before.log/')"
# Save NRPE check (before restart)
/usr/local/lib/nagios/plugins/check_phpfpm_multi "${php_path_pool}" | save_in_log_dir "check_fpm_${container_name}.before.out"
lxc-stop --timeout 20 --name "${container_name}"
lxc-start --daemon --name "${container_name}"
rc=$?
if [ "${rc}" -eq "0" ]; then
log_all "Restart LXC container '${container_name}: OK"
else
log_all "Restart LXC container '${container_name}: failed"
fi
# Save LXC info (after restart)
lxc-info --name "${container_name}" | save_in_log_dir "lxc-${container_name}.after.status"
# Save last lines of FPM log (after restart)
tail "${fpm_log_file}" | save_in_log_dir "$(basename "${fpm_log_file}" | sed -e 's/.log/.after.log/')"
# Save NRPE check (after restart)
/usr/local/lib/nagios/plugins/check_phpfpm_multi "${php_path_pool}" | save_in_log_dir "check_fpm_${container_name}.after.out"
else
log_abort_and_quit "LXC container '${container_name}' doesn't exist."
fi
else
log_abort_and_quit 'LXC not found.'
fi
}

76
autosysadmin-agent/files/upstream/lib/restart.sh
View file

@ -1,76 +0,0 @@
#!/bin/bash
# Specific functions for "restart" scripts
running_custom() {
# Placeholder that returns 1, to prevent running if not redefined
log_global "running_custom() function has not been redefined! Let's quit."
return 1
}
# Examine RUNNING variable and decide if the script should run or not
is_supposed_to_run() {
if is_debug; then return 0; fi
case ${RUNNING} in
never)
# log_global "is_supposed_to_run: no (never)"
return 1
;;
always)
# log_global "is_supposed_to_run: yes (always)"
return 0
;;
nwh-fr)
! is_worktime
rc=$?
# if [ ${rc} -eq 0 ]; then
# log_global "is_supposed_to_run: yes (nwh-fr returned ${rc})"
# else
# log_global "is_supposed_to_run: no (nwh-fr returned ${rc})"
# fi
return ${rc}
;;
nwh-ca)
# Not implemented yet
return 0
;;
custom)
running_custom
rc=$?
# if [ ${rc} -eq 0 ]; then
# log_global "is_supposed_to_run: yes (custom returned ${rc})"
# else
# log_global "is_supposed_to_run: no (custom returned ${rc})"
# fi
return ${rc}
;;
esac
}
ensure_supposed_to_run_or_exit() {
if ! is_supposed_to_run; then
# simply quit (no logging, no notifications…)
# log_global "${PROGNAME} is not supposed to run (RUNNING=${RUNNING})."
exit 0
fi
}
# Set of actions to do at the begining of a "restart" script
pre_restart() {
initialize
# Has it recently been run?
ensure_not_too_soon_or_exit
# Can we acquire a lock?
acquire_lock_or_exit
# Save important information
save_server_state
}
# Set of actions to do at the end of a "restart" script
post_restart() {
quit
}

157
autosysadmin-agent/files/upstream/repair/repair_disk
View file

@ -1,157 +0,0 @@
#!/bin/bash
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
pre_repair
# We always keep some reserved blocks to avoid missing some logs
# https://gitea.evolix.org/evolix/autosysadmin/issues/22
RESERVED_BLOCKS_MIN=1
get_mountpoints() {
# the $(...) get the check_disk1 command
# the cut command selects the critical part of the check_disk1 output
# the grep command extracts the mountpoints and available disk space
# the last cut command selects the mountpoints
check_disk1_command=$(grep check_disk1 /etc/nagios/nrpe.d/evolix.cfg | cut -d'=' -f2-)
${check_disk1_command} -e | cut -d'|' -f1 | grep --extended-regexp --only-matching '/[[:graph:]]* [0-9]+ [A-Z][A-Z]' | cut -d' ' -f1
}
is_reserved_blocks_nominal() {
partition=${1}
fs_type="$(findmnt -n --output=fstype "${partition}")"
if [ "${fs_type}" = "ext4" ]; then
device="$(findmnt -n --output=source "${partition}")"
reserved_block_count="$(tune2fs -l "${device}" | grep 'Reserved block count' | awk -F':' '{ gsub (" ", "", $0); print $2}')"
block_count="$(tune2fs -l "${device}" | grep 'Block count' | awk -F':' '{ gsub (" ", "", $0); print $2}')"
percentage=$(awk "BEGIN { pc=100*${reserved_block_count}/${block_count}; i=int(pc); print (pc-i<0.5)?i:i+1 }")
log_run "Reserved blocks for ${partition} is currently at ${percentage}%"
if [ "${percentage}" -gt "${RESERVED_BLOCKS_MIN}" ]; then
log_run "Allowing tune2fs action to reduce the number of reserved blocks"
return 0
else
log_run "Reserved blocks already at or bellow ${RESERVED_BLOCKS_MIN}%, no automatic action possible"
return 1
fi
else
log_run "Filesystem for ${partition} (${fs_type}) is incompatible with reserved block reduction."
return 1
fi
}
reduce_reserved_blocks() {
partition=${1}
device=$(findmnt -n --output=source "${partition}")
tune2fs -m "${RESERVED_BLOCKS_MIN}" "${device}"
log_action "Reserved blocks for ${partition} changed to ${RESERVED_BLOCKS_MIN} percent"
}
is_tmp_to_delete() {
size="$(find /var/log/ -type f -ctime +1 -exec du {} \+ | awk '{s+=$1}END{print s / 1024}')"
if [ -n "${size}" ]; then
return 0
else
return 1
fi
}
is_log_to_delete() {
size="$(find /var/log/ -type f -mtime +365 -exec du {} \+ | awk '{s+=$1}END{print s / 1024}')"
if [ -n "${size}" ]; then
return 0
else
return 1
fi
}
clean_apt_cache() {
for container in $(lxc-ls -1); do
if [ -e "$(lxc-config lxc.lxcpath)/${container}/rootfs/var/cache" ]; then
lxc-attach --name "${container}" -- apt-get clean
log_action "Clean apt cache in LXC container ${container}";
fi
done
# NOTE: "head -n 1" might be superfluous, but let's be sure to have only the first returned value
biggest_subdir=$(du --summarize --one-file-system "/var/*" | sort --numeric-sort --reverse | sed 's/^[0-9]\+[[:space:]]\+//;q' | head -n 1)
case "${biggest_subdir}" in
'/var/cache')
apt-get clean
log_action 'Clean apt cache'
;;
esac
}
clean_amavis_virusmails() {
if du --inodes /var/lib/* | sort --numeric-sort | tail -n 3 | grep --quiet 'virusmails$'; then
find /var/lib/amavis/virusmails/ -type f -atime +30 -delete
log_action 'Clean amavis infected mails'
fi
}
critical_mountpoints=$(get_mountpoints)
if [ -z "${critical_mountpoints}" ]; then
log_abort_and_quit "No partition is in critical state, nothing left to do."
else
for mountpoint in ${critical_mountpoints}; do
case "${mountpoint}" in
/var)
#if is_log_to_delete
#then
# find /var/log/ -type f -mtime +365 -delete
# log_action "$size Mo of disk space freed in /var"
#fi
if is_reserved_blocks_nominal /var; then
reduce_reserved_blocks /var
clean_apt_cache
clean_amavis_virusmails
fi
;;
/tmp)
#if is_tmp_to_delete
#then
# find /tmp/ -type f -ctime +1 -delete
# log_action "$size Mo of disk space freed in /tmp"
#fi
if is_reserved_blocks_nominal /tmp; then
reduce_reserved_blocks /tmp
fi
;;
/home)
if is_reserved_blocks_nominal /home; then
reduce_reserved_blocks /home
fi
;;
/srv)
if is_reserved_blocks_nominal /srv; then
reduce_reserved_blocks /srv
fi
;;
/filer)
if is_reserved_blocks_nominal /filer; then
reduce_reserved_blocks /filer
fi
;;
/)
if is_reserved_blocks_nominal /; then
reduce_reserved_blocks /
# Suggest remove old kernel ?
fi
;;
*)
# unknown
log_run 'Unknown partition (or weird case) or nothing to do'
;;
esac
done
fi
post_repair

35
autosysadmin-agent/files/upstream/repair/repair_elasticsearch
View file

@ -1,35 +0,0 @@
#!/bin/bash
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
pre_repair
service="elasticsearch.service"
service_name="elasticsearch"
if is_systemd_enabled "${service}"; then
if is_systemd_active "${service}"; then
log_abort_and_quit "${service} is active, nothing left to do."
else
# Save service status before restart
systemctl status "${service}" | save_in_log_dir "${service_name}.before.status"
# Try to restart
timeout 20 systemctl restart "${service}" > /dev/null
rc=$?
if [ "${rc}" -eq "0" ]; then
log_action "Restart ${service_name}: OK"
else
log_action "Restart ${service_name}: failed"
fi
# Save service status after restart
systemctl status "${service}" | save_in_log_dir "${service_name}.after.status"
fi
else
log_abort_and_quit "${service} is disabled (or missing), nothing left to do."
fi
post_repair

131
autosysadmin-agent/files/upstream/repair/repair_http
View file

@ -1,131 +0,0 @@
#!/bin/bash
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
pre_repair
## Apache
service="apache2.service"
service_name="apache2"
if is_systemd_enabled "${service}"; then
if is_systemd_active "${service}"; then
log_all "${service} is active. Skip."
else
# Save service status before restart
systemctl status "${service}" | save_in_log_dir "${service_name}.before.status"
# check syntax
if apache2ctl -t > /dev/null 2>&1; then
# Try to restart
timeout 20 systemctl restart "${service}" > /dev/null
rc=$?
if [ "${rc}" -eq "0" ]; then
log_action "Restart ${service_name}: OK"
else
log_action "Restart ${service_name}: failed"
fi
# Save service status after restart
systemctl status "${service}" | save_in_log_dir "${service_name}.after.status"
# Save error logs
date=$(LANG=en_US.UTF-8 date '+%b %d')
grep "${date}" /home/*/log/error.log /var/log/apache2/*error.log \
| grep -v \
-e "Got error 'PHP message:" \
-e "No matching DirectoryIndex" \
-e "client denied by server configuration" \
-e "server certificate does NOT include an ID which matches the server name" \
| save_in_log_dir "apache-errors.log"
else
log_action "Restart ${service_name}: skip (invalid configuration)"
fi
fi
else
log_all "${service} is disabled (or missing). Skip."
fi
## Nginx
service="nginx.service"
service_name="nginx"
if is_systemd_enabled "${service}"; then
if is_systemd_active "${service}"; then
log_all "${service} is active. Skip."
else
# Save service status before restart
systemctl status "${service}" | save_in_log_dir "${service_name}.before.status"
# check syntax
if nginx -t > /dev/null 2>&1; then
# Try to restart
timeout 20 systemctl restart "${service}" > /dev/null
rc=$?
if [ "${rc}" -eq "0" ]; then
log_action "Restart ${service_name}: OK"
else
log_action "Restart ${service_name}: failed"
fi
# Save service status after restart
systemctl status "${service}" | save_in_log_dir "${service_name}.after.status"
# Save error logs
### Consider doing for Nginx the same as Apache
else
log_action "Restart ${service_name}: skip (invalid configuration)"
fi
fi
else
log_all "${service} is disabled (or missing). Skip."
fi
## LXC
if is_systemd_enabled 'lxc.service'; then
for container in $(lxc-ls -1 | grep --fixed-strings 'php' | grep --extended-regexp --invert-match --regexp '\bold\b' --regexp '\bdisabled\b'); do
repair_lxc_php "${container}"
done
else
log_all "LXC is disabled (or missing). Skip."
fi
## FPM
fpm_services=$(systemd_list_services 'php*-fpm*')
if [ -n "${fpm_services}" ]; then
for service in ${fpm_services}; do
service_name="${service//.service/}"
if is_systemd_enabled "${service}"; then
if is_systemd_active "${service}"; then
log_all "${service} is active. Skip."
else
# Save service status before restart
systemctl status "${service}" | save_in_log_dir "${service_name}.before.status"
# Try to restart
timeout 20 systemctl restart "${service}" > /dev/null
rc=$?
if [ "${rc}" -eq "0" ]; then
log_action "Restart ${service_name}: OK"
else
log_action "Restart ${service_name}: failed"
fi
# Save service status after restart
systemctl status "${service}" | save_in_log_dir "${service_name}.after.status"
fi
else
log_all "${service} is disabled (or missing). Skip."
fi
done
else
log_all "PHP FPM not found. Skip."
fi
post_repair

69
autosysadmin-agent/files/upstream/repair/repair_mysql
View file

@ -1,69 +0,0 @@
#!/bin/bash
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
pre_repair
if is_debian_version "8" "<="; then
if is_sysvinit_enabled '*mysql*'; then
if ! pgrep -u mysql mysqld > /dev/null; then
# Save service status before restart
timeout 2 mysqladmin status 2>&1 | save_in_log_dir "mysql.before.status"
timeout 20 /etc/init.d/mysql restart > /dev/null
rc=$?
if [ "${rc}" -eq "0" ]; then
log_action "Restart mysql: OK"
else
log_action "Restart mysql: failed"
fi
# Save service status after restart
timeout 2 mysqladmin status 2>&1 | save_in_log_dir "mysql.after.status"
else
log_abort_and_quit "mysqld process alive. Aborting"
fi
else
log_abort_and_quit "MySQL not enabled. Aborting"
fi
else
if is_debian_version "12" ">="; then
service="mariadb.service"
service_name="mariadb"
else
service="mysql.service"
service_name="mysql"
fi
if is_systemd_enabled "${service}"; then
if is_systemd_active "${service}"; then
log_abort_and_quit "${service} is active, nothing left to do."
else
# Save service status before restart
systemctl status "${service}" | save_in_log_dir "${service_name}.before.status"
# Try to restart
timeout 20 systemctl restart "${service}" > /dev/null
rc=$?
if [ "${rc}" -eq "0" ]; then
log_action "Restart ${service_name}: OK"
else
log_action "Restart ${service_name}: failed"
fi
# Save service status after restart
systemctl status "${service}" | save_in_log_dir "${service_name}.after.status"
fi
else
log_abort_and_quit "${service} is disabled (or missing), nothing left to do."
fi
fi
post_repair

35
autosysadmin-agent/files/upstream/repair/repair_opendkim
View file

@ -1,35 +0,0 @@
#!/bin/bash
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
pre_repair
service="opendkim.service"
service_name="opendkim"
if is_systemd_enabled "${service}"; then
if is_systemd_active "${service}"; then
log_abort_and_quit "${service} is active, nothing left to do."
else
# Save service status before restart
systemctl status "${service}" | save_in_log_dir "${service_name}.before.status"
# Try to restart
timeout 20 systemctl restart "${service}" > /dev/null
rc=$?
if [ "${rc}" -eq "0" ]; then
log_action "Restart ${service_name}: OK"
else
log_action "Restart ${service_name}: failed"
fi
# Save service status after restart
systemctl status "${service}" | save_in_log_dir "${service_name}.after.status"
fi
else
log_abort_and_quit "${service} is disabled (or missing). Abort."
fi
post_repair

14
autosysadmin-agent/files/upstream/repair/repair_php_fpm56
View file

@ -1,14 +0,0 @@
#!/bin/bash
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
LOCK_WAIT="15s"
LOCK_NAME="repair_http"
pre_repair
repair_lxc_php php56
post_repair

14
autosysadmin-agent/files/upstream/repair/repair_php_fpm70
View file

@ -1,14 +0,0 @@
#!/bin/bash
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
LOCK_WAIT="15s"
LOCK_NAME="repair_http"
pre_repair
repair_lxc_php php70
post_repair

14
autosysadmin-agent/files/upstream/repair/repair_php_fpm73
View file

@ -1,14 +0,0 @@
#!/bin/bash
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
LOCK_WAIT="15s"
LOCK_NAME="repair_http"
pre_repair
repair_lxc_php php73
post_repair

14
autosysadmin-agent/files/upstream/repair/repair_php_fpm74
View file

@ -1,14 +0,0 @@
#!/bin/bash
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
LOCK_WAIT="15s"
LOCK_NAME="repair_http"
pre_repair
repair_lxc_php php74
post_repair

14
autosysadmin-agent/files/upstream/repair/repair_php_fpm80
View file

@ -1,14 +0,0 @@
#!/bin/bash
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
LOCK_WAIT="15s"
LOCK_NAME="repair_http"
pre_repair
repair_lxc_php php80
post_repair

14
autosysadmin-agent/files/upstream/repair/repair_php_fpm81
View file

@ -1,14 +0,0 @@
#!/bin/bash
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
LOCK_WAIT="15s"
LOCK_NAME="repair_http"
pre_repair
repair_lxc_php php81
post_repair

14
autosysadmin-agent/files/upstream/repair/repair_php_fpm82
View file

@ -1,14 +0,0 @@
#!/bin/bash
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
LOCK_WAIT="15s"
LOCK_NAME="repair_http"
pre_repair
repair_lxc_php php82
post_repair

14
autosysadmin-agent/files/upstream/repair/repair_php_fpm83
View file

@ -1,14 +0,0 @@
#!/bin/bash
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
LOCK_WAIT="15s"
LOCK_NAME="repair_http"
pre_repair
repair_lxc_php php83
post_repair

32
autosysadmin-agent/files/upstream/repair/repair_redis
View file

@ -1,32 +0,0 @@
#!/bin/bash
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
pre_repair
for service in $(systemd_list_services 'redis-server*'); do
service_name="${service//.service/}"
if is_systemd_active "${service}"; then
log_all "${service} is active. Skip."
else
# Save service status before restart
systemctl status "${service}" | save_in_log_dir "${service_name}.before.status"
# Try to restart
timeout 20 systemctl restart "${service}" > /dev/null
rc=$?
if [ "${rc}" -eq "0" ]; then
log_action "Restart ${service_name}: OK."
else
log_action "Restart ${service_name}: failed."
fi
# Save service status after restart
systemctl status "${service}" | save_in_log_dir "${service_name}.after.status"
fi
done
post_repair

34
autosysadmin-agent/files/upstream/repair/repair_tomcat_instance
View file

@ -1,34 +0,0 @@
#!/bin/bash
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
pre_repair
repair_tomcat_instance_handle_tomcat() {
if /bin/su - "${1}" -c "/bin/systemctl --quiet --user is-active tomcat.service" ; then
if ! /bin/su - "${1}" -c "/usr/bin/timeout 20 /bin/systemctl --quiet --user restart tomcat.service"
then
log_abort_and_quit "Echec de redémarrage instance tomcat utilisateur ${1}"
else
log_action "Redémarrage instance tomcat utilisateur ${1}"
fi
elif /bin/systemctl --quiet is-active "${1}".service ; then
if ! /usr/bin/timeout 20 systemctl --quiet restart "${1}".service
then
log_abort_and_quit "Echec de redémarrage instance tomcat ${1}"
else
log_action "Redémarrage instance tomcat ${1}"
fi
fi
}
for instance in $( /usr/local/lib/nagios/plugins/check_tomcat_instance.sh |grep CRITICAL |awk '{print $3}' |sed '1d') ;
do
repair_tomcat_instance_handle_tomcat "${instance}"
done
post_repair

41
autosysadmin-agent/files/upstream/repair/zzz-repair_example.template
View file

@ -1,41 +0,0 @@
#!/bin/bash
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
## Custom lock wait and/or lock name
# LOCK_WAIT="15s"
# LOCK_NAME="repair_http"
pre_repair
## The name of the service, mainly for logging
service_name="example"
## The systemd service name
systemd_service="${service_name}.service"
if is_systemd_enabled "${systemd_service}"; then
if is_systemd_active "${systemd_service}"; then
log_abort_and_quit "${systemd_service} is active, nothing left to do."
else
# Save service status before restart
systemctl status "${systemd_service}" | save_in_log_dir "${service_name}.before.status"
# Try to restart
timeout 20 systemctl restart "${systemd_service}" > /dev/null
rc=$?
if [ "${rc}" -eq "0" ]; then
log_action "Restart ${service_name}: OK"
else
log_action "Restart ${service_name}: failed"
fi
# Save service status after restart
systemctl status "${systemd_service}" | save_in_log_dir "${service_name}.after.status"
fi
else
log_abort_and_quit "${service_name} is disabled (or missing), nothing left to do."
fi
post_repair

19
autosysadmin-agent/files/upstream/restart/README
View file

@ -1,19 +0,0 @@
Autosysadmin "restart auto" scripts
===================================
In this directory you can place scripts that will be executed automatically by a cron job (stored in `/etc/cron.d/autosysadmin`).
They must satisfy the default `run-parts(8)` constraints :
* be "executable"
* belong to the Debian cron script namespace (`^[a-zA-Z0-9_-]+$`), example: `restart_amavis`
Warning: scripts that do not satisfy those criteria will NOT be run (silently)!
You can print the names of the scripts which would be run, without actually running them, with this command :
```
$ run-parts --test /usr/share/scripts/autosysadmin/restart
```
You can use `zzz-restart_example.template` as boilerplate code to make your own "restart" script.

120
autosysadmin-agent/files/upstream/restart/zzz-restart_example.template
View file

@ -1,120 +0,0 @@
#!/bin/bash
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
source "${AUTOSYSADMIN_LIB}/restart.sh" || exit 1
# shellcheck disable=SC2034
RUNNING="nwh-fr"
## Possible values for RUNNING :
## never => disabled
## always => enabled
## nwh-fr => enabled during non-working-hours in France
## nwh-ca => enabled during non-working-hours in Canada (not supported yet)
## custom => enabled if `running_custom()` function returns 0, otherwise disabled.
## Uncomment and customize this method if you want to have a special logic :
##
## return 1 if we should not run
## return 0 if we should run
##
## Some available functions :
## is_weekend() : Saturday or Sunday
## is_holiday() : holiday in France (based on `gcal(1)`)
## is_workday() : not weekend and not holiday
## is_worktime() : work day between 9-12h and 14-18h
#
# running_custom() {
# # implement your own custom method to decide if we should run or not
# }
## The name of the service, mainly for logging
service_name="example"
## The SysVinit script name
sysvinit_script="${service_name}"
## The systemd service name
systemd_service="${service_name}.service"
is_service_alive() {
## this must return 0 if the service is alive, otherwise return 1
## Example:
pgrep -u USER PROCESS_NAME > /dev/null
}
## Action for SysVinit system
sysvinit_action() {
# Save service status before restart
timeout 2 "/etc/init.d/${sysvinit_script}" status | save_in_log_dir "${service_name}.before.status"
# Try to restart
timeout 20 "/etc/init.d/${sysvinit_script}" restart > /dev/null
rc=$?
if [ "${rc}" -eq "0" ]; then
log_action "Restart ${service_name}: OK"
else
log_action "Restart ${service_name}: failed"
fi
# Save service status after restart
timeout 2 "/etc/init.d/${sysvinit_script}" status | save_in_log_dir "${service_name}.after.status"
}
## Action for systemd system
systemd_action() {
# Save service status before restart
systemctl status "${systemd_service}" | save_in_log_dir "${service_name}.before.status"
# Try to restart
# systemctl (only for NRPE ?) sometimes returns 0 even if the service has failed to start
# so we check the status explicitly
timeout 20 systemctl restart "${systemd_service}" > /dev/null \
&& sleep 1 \
&& systemctl status "${systemd_service}" > /dev/null
rc=$?
if [ "${rc}" -eq "0" ]; then
log_action "Restart ${service_name}: OK"
else
log_action "Restart ${service_name}: failed"
fi
# Save service status after restart
systemctl status "${systemd_service}" | save_in_log_dir "${service_name}.after.status"
}
# Should we run?
if ! is_supposed_to_run; then
# log_global "${PROGNAME} is not supposed to run (RUNNING=${RUNNING})."
exit 0
fi
if is_service_alive; then
# log_global "${service_name} process alive. Aborting"
exit 0
fi
# Yes we do, so check for sysvinit or systemd
if is_debian_version "8" "<="; then
if ! is_sysvinit_enabled "*${sysvinit_script}*"; then
# log_global "${service_name} not enabled. Aborting"
exit 0
fi
# Let's finally do the action
pre_restart
sysvinit_action
post_restart
else
if ! is_systemd_enabled "${systemd_service}"; then
# log_global "${service_name} is disabled (or missing), nothing left to do."
exit 0
fi
if is_systemd_active "${systemd_service}"; then
# log_global "${service_name} is active, nothing left to do."
exit 0
fi
# Let's finally do the action
pre_restart
systemd_action
post_restart
fi

16
autosysadmin-agent/handlers/main.yml
View file

@ -1,16 +0,0 @@
---
- name: restart nagios-nrpe-server
service:
name: nagios-nrpe-server
state: restarted
- name: restart nrpe
service:
name: nrpe
state: restarted
- name: restart rsyslog
service:
name: rsyslog
state: restarted

25
autosysadmin-agent/tasks/crontab.yml
View file

@ -1,25 +0,0 @@
---
- name: "Add begin marker if missing"
ansible.builtin.lineinfile:
path: "/etc/cron.d/autosysadmin"
line: "# BEGIN ANSIBLE MANAGED SECTION FOR AUTOSYSADMIN"
insertbefore: BOF
create: yes
- name: "Add end marker if missing"
ansible.builtin.lineinfile:
path: "/etc/cron.d/autosysadmin"
line: "# END ANSIBLE MANAGED SECTION FOR AUTOSYSADMIN"
insertbefore: "EOF"
create: yes
- name: "Create config if missing"
ansible.builtin.blockinfile:
path: "/etc/cron.d/autosysadmin"
marker: "# {mark} ANSIBLE MANAGED SECTION FOR AUTOSYSADMIN"
block: "{{ lookup('ansible.builtin.template', '../templates/autosysadmin.cron.j2') }}"
owner: root
group: root
mode: "0750"
create: yes

4
autosysadmin-agent/tasks/dependencies.yml
View file

@ -1,4 +0,0 @@
---
- name: Install gcal
ansible.builtin.apt:
name: gcal

114
autosysadmin-agent/tasks/install.yml
View file

@ -1,114 +0,0 @@
---
- name: "Remount /usr if needed"
ansible.builtin.include_role:
name: remount-usr
- name: Previous autosysadmin restart directory is renamed
command:
cmd: mv "/usr/share/scripts/autosysadmin/auto" "{{ autosysadmin_agent_auto_dir }}"
removes: "/usr/share/scripts/autosysadmin/auto"
creates: "{{ autosysadmin_agent_auto_dir }}"
- name: Create autosysadmin directories
ansible.builtin.file:
path: "{{ item }}"
state: directory
owner: "root"
group: "root"
mode: "0750"
loop:
- "{{ autosysadmin_agent_bin_dir }}"
- "{{ autosysadmin_agent_lib_dir }}"
- "{{ autosysadmin_agent_auto_dir }}"
- name: Copy libraries
ansible.builtin.copy:
src: "upstream/lib/"
dest: "{{ autosysadmin_agent_lib_dir }}/"
owner: root
group: root
mode: "0750"
- name: Copy repair scripts
ansible.builtin.copy:
src: "upstream/repair/"
dest: "{{ autosysadmin_agent_bin_dir }}/"
owner: root
group: root
mode: "0750"
- name: Copy other utilities
ansible.builtin.copy:
src: "upstream/bin/"
dest: "{{ autosysadmin_agent_bin_dir }}/"
owner: root
group: root
mode: "0750"
### WARNING: thos files are explicitly marked as non-executable
### to prevent them from being run automatically by run-parts
- name: Copy restart scripts
ansible.builtin.copy:
src: "upstream/restart/"
dest: "{{ autosysadmin_agent_auto_dir }}/"
owner: root
group: root
mode: "0640"
- name: Ensure /etc/evolinux folder exists
ansible.builtin.file:
path: "/etc/evolinux"
state: directory
owner: "root"
group: "root"
mode: "0700"
- name: Copy the configuration file if missing
ansible.builtin.template:
src: "autosysadmin.cf.j2"
dest: "/etc/evolinux/autosysadmin"
owner: root
group: root
mode: "0640"
force: no
# Repair scripts are supposed to be 'on' by default
# A line "repair_XXX=off" is added to the file only if the script is to be disabled.
# That's why all the ternary logic for the state is reversed.
- name: Update value per variable
ansible.builtin.lineinfile:
dest: "/etc/evolinux/autosysadmin"
line: "{{ item }}={{ autosysadmin_config[item] | default(true) | bool | ternary('on', 'off') }}"
regexp: '^(#\s*)?{{ item }}=.*'
state: "{{ autosysadmin_config[item] | default(true) | bool | ternary('absent', 'present') }}"
register: _line
loop: "{{ autosysadmin_repair_scripts | union(['repair_all']) }}"
- name: Ensure restart folder exists
ansible.builtin.file:
path: "auto"
state: directory
owner: "root"
group: "root"
mode: "0700"
- name: Legacy scripts are removed
ansible.builtin.file:
path: "{{ general_scripts_dir }}/autosysadmin/{{ item }}"
state: absent
loop:
- repair_amavis.sh
- repair_disk.sh
- repair_elasticsearch.sh
- repair_http.sh
- repair_mysql.sh
- repair_opendkim.sh
- repair_php_fpm56.sh
- repair_php_fpm70.sh
- repair_php_fpm73.sh
- repair_php_fpm74.sh
- repair_php_fpm80.sh
- repair_php_fpm81.sh
- repair_redis.sh
- repair_tomcat_instance.sh

8
autosysadmin-agent/tasks/logrotate.yml
View file

@ -1,8 +0,0 @@
---
- name: Copy logrotate configuration for autosysadmin
ansible.builtin.copy:
src: "files/autosysadmin.logrotate.conf"
dest: "/etc/logrotate.d/autosysadmin"
owner: root
group: root
mode: "0644"

31
autosysadmin-agent/tasks/main.yml
View file

@ -1,31 +0,0 @@
---
- name: The list of all repair scripts is composed.
set_fact:
autosysadmin_repair_scripts: "{{ lookup('ansible.builtin.fileglob', '../../../autosysadmin/agent/repair/repair_*', wantlist=True) | map('basename') | sort }}"
- name: Install dependencies
ansible.builtin.include_tasks: dependencies.yml
- name: Install autosysadmin
ansible.builtin.include_tasks: install.yml
- name: Crontab configuration
ansible.builtin.include_tasks: crontab.yml
- name: NRPE configuration
ansible.builtin.include_tasks: nrpe.yml
- name: sudo configuration
ansible.builtin.include_tasks: sudo.yml
- name: rsyslog configuration
ansible.builtin.include_tasks: rsyslog.yml
- name: logrotate configuration
ansible.builtin.include_tasks: logrotate.yml
- name: Install latest version of dump-server-state
ansible.builtin.include_role:
name: evolinux-base
tasks_from: dump-server-state.yml

9
autosysadmin-agent/tasks/nrpe.yml
View file

@ -1,9 +0,0 @@
---
- name: custom configuration is present
ansible.builtin.template:
src: autosysadmin.nrpe.cfg.j2
dest: /etc/nagios/nrpe.d/autosysadmin.cfg
group: nagios
mode: "0640"
force: yes
notify: restart nagios-nrpe-server

9
autosysadmin-agent/tasks/rsyslog.yml
View file

@ -1,9 +0,0 @@
---
- name: Copy rsyslog configuration for autosysadmin
ansible.builtin.copy:
src: "files/autosysadmin.rsyslog.conf"
dest: "/etc/rsyslog.d/autosysadmin.conf"
owner: root
group: root
mode: "0644"
notify: restart rsyslog

7
autosysadmin-agent/tasks/sudo.yml
View file

@ -1,7 +0,0 @@
---
- name: Add autosysadmin sudoers file
ansible.builtin.template:
src: autosysadmin.sudoers.j2
dest: /etc/sudoers.d/autosysadmin
mode: "0600"
validate: "visudo -cf %s"

12
autosysadmin-agent/templates/autosysadmin.cf.j2
View file

@ -1,12 +0,0 @@
# This configuration is partially managed by Ansible
# You can change specific values manually, but they may be overridden by Ansible
#
# To be safe, update the hosts_vars/group_vars in the autosysadmin project
# https://gitea.evolix.org/evolix/autosysadmin/src/branch/master
# then use the "agent" playbook to deploy.
#
# Configuration for autosysadmin
# Use this file to change configuration values defined in repair scripts
# To disable all repair scripts : repair_all=off
# To disable "repair_http" : repair_http=off
#

7
autosysadmin-agent/templates/autosysadmin.cron.j2
View file

@ -1,7 +0,0 @@
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# Run each enabled script
*/5 * * * * root run-parts /usr/share/scripts/autosysadmin/restart
# Clean run log files
@weekly root {{ autosysadmin_agent_bin_dir | mandatory }}/delete_old_logs.sh {{ autosysadmin_agent_log_retention_days | default('365') }}

8
autosysadmin-agent/templates/autosysadmin.nrpe.cfg.j2
View file

@ -1,8 +0,0 @@
#
# Ansible managed - DO NOT MODIFY, your changes will be overwritten !
#
# Autosysadmin repair commands
{% for script in lookup('ansible.builtin.fileglob', '../../../autosysadmin/agent/repair/repair_*', wantlist=True) | map("basename") | sort %}
command[{{ script }}]=sudo {{ autosysadmin_agent_bin_dir }}/{{ script }}
{% endfor %}

7
autosysadmin-agent/templates/autosysadmin.sudoers.j2
View file

@ -1,7 +0,0 @@
#
# Ansible managed - DO NOT MODIFY, your changes will be overwritten !
#
{% for script in lookup('ansible.builtin.fileglob', '../../../autosysadmin/agent/repair/repair_*', wantlist=True) | map("basename") | sort %}
nagios ALL = NOPASSWD: {{ autosysadmin_agent_bin_dir }}/{{ script }}
{% endfor %}

Some files were not shown because too many files have changed in this diff Show more