evolix/ansible-roles
22
2
Fork 2
Code Issues 61 Pull requests 18 Releases 32 Wiki Activity

Compare commits

base: evolix:stable
Branches Tags
evolix:stable
evolix:unstable
evolix:patroni
evolix:etcd
evolix:jitsimeet
evolix:monitoringctl
evolix:bind
evolix:peertube
evolix:wip_10691
evolix:multi-php-v2
evolix:etherpad
evolix:gitea
evolix:add-drbd-firewall-rule
evolix:backports_preferences
evolix:migrate-vm-error-handling
evolix:evofs
evolix:goto-postfix-role
evolix:lxc-php82
evolix:timesyncd
evolix:noopensshinlxc
evolix:ssh-split
evolix:rsyslog-remote
evolix:emorino/patroni-etcd
evolix:jitsimeet_docker
evolix:hedgedoc
evolix:privatebin
evolix:mattermost
evolix:p10166-mastodon
evolix:replace_include
evolix:when-not-check
evolix:fix_lxc_php56_debian10
evolix:debian12
evolix:boost-proxy
evolix:debian12-keyring
evolix:evodomains
evolix:vrrp-addresses
evolix:lxc_etc-git
evolix:lxc_etc-commit
evolix:evoacme-v2
evolix:sshd_modular_config
evolix:exclusion_images_evobackup
evolix:rotate_elasticsearch_logs
evolix:evobackup_tags_redux
evolix:log2mail-beats
evolix:T47076
evolix:kvm-guest
evolix:lpoujol/fpm-php
evolix:lxc-php-buster
evolix:simplify-evolinux-users
evolix:openvpn
evolix:newkernel
evolix:etc-git-status-script
evolix:ubuntu
evolix:nagios-sudoers
evolix:configurable-swapiness
evolix:alert5-minifirewall-restart
evolix:fail2ban_ips_tag
evolix:audit-ftpadmin
evolix:projet6062
evolix:whitelisting-changes
evolix:uvrrpd
evolix:packweb-apache-lxc
evolix:backup/jlecour/ssh-groups
evolix:nextcloud
evolix:backup/jlecour/nextcloud
evolix:evoadmin-mail
evolix:haproxy_munin
evolix:evolinux-users
evolix:ansible-log
evolix:ansible-managed
evolix:apache-fix-default-vhost
evolix:ipsec
evolix:courier
evolix:spamassassin
evolix:samba
evolix:munin-openbsd
evolix:24.03
evolix:24.02.1
evolix:24.02
evolix:23.10
evolix:23.04
evolix:23.03.1
evolix:23.03
evolix:22.12
evolix:22.09
evolix:22.07.1
evolix:22.07
evolix:22.06.3
evolix:22.06.2
evolix:22.06.1
evolix:22.06
evolix:22.05.1
evolix:22.05
evolix:22.03
evolix:22.01.3
evolix:22.01.2
evolix:22.01.1
evolix:22.01
evolix:10.6.0
evolix:10.5.1
evolix:10.5.0
evolix:10.4.0
evolix:10.3.0
evolix:10.2.0
evolix:10.1.0
evolix:10.0.0
evolix:9.10.1
evolix:9.10.0
evolix:9.9.0
evolix:9.8.0
evolix:9.7.0
evolix:9.6.0
evolix:9.5.0
evolix:9.4.2
evolix:9.4.1
evolix:9.4.0
evolix:9.3.2
evolix:9.3.1
evolix:9.3.0
evolix:9.2.0
evolix:9.1.9
evolix:9.1.8
evolix:9.1.7
evolix:9.1.6
evolix:9.1.5
evolix:9.1.4
evolix:9.1.3
evolix:9.1.2
evolix:9.1.1
evolix:9.1.0
evolix:9.0.1
evolix:9.0.0
..
compare: evolix:lpoujol/fpm-php
Branches Tags
evolix:unstable
evolix:patroni
evolix:etcd
evolix:jitsimeet
evolix:monitoringctl
evolix:bind
evolix:stable
evolix:peertube
evolix:wip_10691
evolix:multi-php-v2
evolix:etherpad
evolix:gitea
evolix:add-drbd-firewall-rule
evolix:backports_preferences
evolix:migrate-vm-error-handling
evolix:evofs
evolix:goto-postfix-role
evolix:lxc-php82
evolix:timesyncd
evolix:noopensshinlxc
evolix:ssh-split
evolix:rsyslog-remote
evolix:emorino/patroni-etcd
evolix:jitsimeet_docker
evolix:hedgedoc
evolix:privatebin
evolix:mattermost
evolix:p10166-mastodon
evolix:replace_include
evolix:when-not-check
evolix:fix_lxc_php56_debian10
evolix:debian12
evolix:boost-proxy
evolix:debian12-keyring
evolix:evodomains
evolix:vrrp-addresses
evolix:lxc_etc-git
evolix:lxc_etc-commit
evolix:evoacme-v2
evolix:sshd_modular_config
evolix:exclusion_images_evobackup
evolix:rotate_elasticsearch_logs
evolix:evobackup_tags_redux
evolix:log2mail-beats
evolix:T47076
evolix:kvm-guest
evolix:lpoujol/fpm-php
evolix:lxc-php-buster
evolix:simplify-evolinux-users
evolix:openvpn
evolix:newkernel
evolix:etc-git-status-script
evolix:ubuntu
evolix:nagios-sudoers
evolix:configurable-swapiness
evolix:alert5-minifirewall-restart
evolix:fail2ban_ips_tag
evolix:audit-ftpadmin
evolix:projet6062
evolix:whitelisting-changes
evolix:uvrrpd
evolix:packweb-apache-lxc
evolix:backup/jlecour/ssh-groups
evolix:nextcloud
evolix:backup/jlecour/nextcloud
evolix:evoadmin-mail
evolix:haproxy_munin
evolix:evolinux-users
evolix:ansible-log
evolix:ansible-managed
evolix:apache-fix-default-vhost
evolix:ipsec
evolix:courier
evolix:spamassassin
evolix:samba
evolix:munin-openbsd
evolix:24.03
evolix:24.02.1
evolix:24.02
evolix:23.10
evolix:23.04
evolix:23.03.1
evolix:23.03
evolix:22.12
evolix:22.09
evolix:22.07.1
evolix:22.07
evolix:22.06.3
evolix:22.06.2
evolix:22.06.1
evolix:22.06
evolix:22.05.1
evolix:22.05
evolix:22.03
evolix:22.01.3
evolix:22.01.2
evolix:22.01.1
evolix:22.01
evolix:10.6.0
evolix:10.5.1
evolix:10.5.0
evolix:10.4.0
evolix:10.3.0
evolix:10.2.0
evolix:10.1.0
evolix:10.0.0
evolix:9.10.1
evolix:9.10.0
evolix:9.9.0
evolix:9.8.0
evolix:9.7.0
evolix:9.6.0
evolix:9.5.0
evolix:9.4.2
evolix:9.4.1
evolix:9.4.0
evolix:9.3.2
evolix:9.3.1
evolix:9.3.0
evolix:9.2.0
evolix:9.1.9
evolix:9.1.8
evolix:9.1.7
evolix:9.1.6
evolix:9.1.5
evolix:9.1.4
evolix:9.1.3
evolix:9.1.2
evolix:9.1.1
evolix:9.1.0
evolix:9.0.1
evolix:9.0.0

3 commits
stable ... lpoujol/fp

Author SHA1 Message Date
Ludovic Poujol 79386d4a9e php: Add a task to remove Debian's default FPM pool file (off by default)
Some checks failed
continuous-integration/drone/pr Build is failing
Details
continuous-integration/drone/push Build is passing
Details 
Can be triggered by switching php_fpm_remove_default_pool to True.
 2019-11-12 12:28:31 +01:00
Ludovic Poujol 585a8d04ac php: Change the default pool names to something more explicit (and same for the variables names) 
Because it's more than just pure configuration, but a fpm pool 
definition, I've changed the following variables in Ansible :
- php_fpm_defaults_conf_file to replaced by php_fpm_default_pool_file
- php_fpm_custom_conf_file to php_fpm_default_pool_custom_file.

On the FPM side, I've also changed the files names of the pool to make 
them more explicit. No more z and zzz. It's the www pool, so let's put 
www in the file name for coherence : 
- z-evolinux-defaults.conf changes to www-evolinux-defaults.conf 
- zzz-evolinux-custom.conf changes to www-evolinux-zcustom.conf
 2019-11-12 12:28:08 +01:00
Ludovic Poujol 7d794af1fd php: Make sure the default pool we define can be fully functionnal witout debian's default pool file 2019-11-12 12:27:37 +01:00
995 changed files with 9728 additions and 50772 deletions
Show stats Expand all files Collapse all files

64
.Jenkinsfile
View file

@ -1,64 +0,0 @@
pipeline {
agent { label 'docker' }
environment {
ROLES_VERSION = "${env.GIT_COMMIT}"
}
stages {
stage('Anible Lint') {
agent {
docker {
image 'evolix/ansible-lint:latest'
}
}
steps {
script {
sh 'for role_dir in ./*/; do HOME=$WORKSPACE_TMP ansible-lint -p $role_dir || : ; done'
recordIssues(tools: [ansibleLint()])
}
}
}
stage('Build tagged docker image') {
when {
buildingTag()
}
steps {
script {
def im = docker.build("evolix/ansible-roles:build${env.BUILD_ID}")
im.inside {
sh 'echo Test needed'
}
def version = TAG_NAME
def versions = version.split('\\.')
def major = versions[0]
def minor = versions[0] + '.' + versions[1]
def patch = version.trim()
docker.withRegistry('', 'hub.docker') {
im.push(major)
im.push(minor)
im.push(patch)
}
}
}
}
stage('Build latest docker image') {
when {
branch 'unstable'
}
steps {
script {
def im = docker.build("evolix/ansible-roles:build${env.BUILD_ID}")
im.inside {
sh 'echo Test needed'
}
docker.withRegistry('', 'hub.docker') {
im.push('latest')
}
}
}
}
}
}

36
.drone.yml Normal file
View file

@ -0,0 +1,36 @@
kind: pipeline
name: default
steps:
- name: build tagged docker image
image: plugins/docker
settings:
username:
from_secret: docker_username
password:
from_secret: docker_password
dockerfile: Dockerfile
repo: evolix/ansible-roles
auto_tag: true
environment:
ROLES_VERSION: $DRONE_COMMIT_SHA
when:
event:
- tag
- name: build latest docker image
image: plugins/docker
settings:
username:
from_secret: docker_username
password:
from_secret: docker_password
dockerfile: Dockerfile
repo: evolix/ansible-roles
tags: latest
environment:
ROLES_VERSION: $DRONE_COMMIT_SHA
when:
branch:
- unstable

1
.gitignore vendored
View file

@ -2,4 +2,3 @@
.kateproject.d
.vagrant/
*.swp
.vscode

4
.markdownlint.json
View file

@ -1,4 +0,0 @@
{
"MD013": false,
"MD024": false
}

8
.vscode/settings.json vendored
View file

@ -1,8 +0,0 @@
{
"files.associations": {
"*.yml": "ansible",
"*.yaml": "ansible"
},
"yaml.format.enable": false,
"ansible.python.interpreterPath": "/bin/python"
}

1047
CHANGELOG.md
View file

@ -1,1037 +1,79 @@
# Changelog
All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
This project does not follow semantic versioning.
The **major** part of the version is the year
The **minor** part changes is the month
The **patch** part changes is incremented if multiple releases happen the same month
The **major** part of the version is aligned with the stable version of Debian.
The **minor** part changes with big changes (probably incompatible).
The **patch** part changes incrementally at each release.
## [Unreleased]
### Added
### Changed
### Fixed
### Removed
### Security
## [24.03] 2024-03-01
### Added
* autosysadmin-agent: upstream release 24.03
* autosysadmin-restart_nrpe: add role
* certbot: Renewal hook for NRPE
* kvm-host: add minifirewall rules if DRBD interface is configured
### Changed
* apt: add ftp.evolix.org as recognized system source
* autosysadmin-agent: logs clearing is done weekly
* autosysadmin-agent: rename /usr/share/scripts/autosysadmin/{auto,restart}
* certbot: use pkey to test the key
* evolinux-base: execute autosysadmin-agent and autosysadmin-restart_nrpe roles
* lxc-php, php: Update sury PGP key
* openvpn: earlier alert for CA expiration
* redis: create sysfs config file if missing
### Removed
* autosysadmin: replaced by autosysadmin-agent
## [24.02.1] 2024-02-08
### Fixed
* fail2ban: fix Ansible syntax
## [24.02] 2024-02-08
### Added
* Support for PHP 8.3 with bookworm LXC containers
* apt: add task file to install ELTS repository (default: False)
* autosysadmin: Add a role to automatically deploy autosysadmin on evolixisation
* check_free_space: added role
* etc-git: add /var/chroot-bind/etc/bind repo
* fail2ban: add script unban_ip
* generateldif: new Services for check_pressure_{cpu,io,mem}
* kvm-host: Automatically add an LVM filter when LVM is present
* lxc-php: Allow one to install php83 on Bookworm container
* minifirewall: Fix nagios check for old versions of minifirewall
* mongodb: add gpg key for 7.0
* nagios-nrpe: add check_sentinel for monitoring Redis Sentinel
* nagios-nrpe: new check_pressure_{cpu,io,mem}
* remount-usr: do not try to remount /usr RW if /usr is not a mounted partition
* vrrpd: configure minifirewall
* vrrpd: test if interface exists before deleting it
* webapps/evoadmin-mail: package installed via public.evolix.org/evolix repo starting with Bookworm
* webapps/nextcloud: Add condition for archive tasks
* webapps/nextcloud: Add condition for config tasks
* webapps/nextcloud: Added var nextcloud_user_uid to enforce uid for nextcloud user
* webapps/nextcloud: Set ownership and permissions of data directory
### Changed
* add-vm.sh: allow VM name max length > 20
* amavis: make ldap_suffix mandatory
* apache : fix goaway pattern for bad bots
* apache : rename MaxRequestsPerChild to MaxConnectionsPerChild (new name)
* apache: use backward compatible Redirect directive
* apt: Disable archive repository for Debian 8
* apt: Use the GPG version of the key for Debian 8-9
* bind: Update role for Buster, Bullseye and Bookworm support
* dovecot: add variables for LDAP
* dovecot: Munin plugin conf path is now `/etc/munin/plugin-conf.d/zzz-dovecot` (instead of `z-evolinux-dovecot`)
* evocheck: upstream release 24.01
* evolinux-base: dump-server-state upstream release 23.11
* evolinux-base: use separate default config file for rsyslog
* kvmstats: use .capacity instead of .physical for disk size
* ldap: make ldap_suffix mandatory
* listupgrade : old-kernel-removal.sh upstream release 24.01
* log2mail: move custom config in separate file
* lxc: init /etc git repository in lxc container
* mysql: disable performance schema for Debian 8
* nagios: add dockerd check in nrpe check template
* nagios: cleaning nrpe check template
* nagios: rename var `nagios_nrpe_process_processes` into `nagios_nrpe_processes` and check systemd-timesyncd instead of ntpd in Debian 12
* nagios: add option --full to check pressure IO and mem to avoid flaps
* proftpd: in SFTP vhost, enable SSH keys login, enable ed25549 host key for Debian >= 11
* redis: manage config template inside a block, to allow custom modifications outside
* spamassassin: Use spamd starting with Bookworm
* squid: config directory seems to have changed from /etc/squid3 to /etc/squid in Debian 8
* unbound: Add config file to allow configuration reload on Debian 11 and lower
* unbound: Add munin configuration & setup plugin
* unbound: Big cleanup
* unbound: Move generated config file to `/etc/unbound/unbound.conf.d/evolinux.conf`
* unbound: Use root hints provided by debian package dns-root-data instead of downloading them
* vrrpd: replace switch script with custom one (fix MAC issue, use `ip(8)`, shell cleanup…)
* vrrpd: variable to force update the switch script (default: false)
* webapps/nextcloud: Add Ceph volume to fstab
* webapps/nextcloud: Set home directory's mode
### Fixed
* Add php-fpm82 to LDAP when relevant
* Check stat.exists before stat.isdir
* apache: fix MaxRequestsPerChild value to be sync with wiki.e.o
* apt: use archive.debian.org with Stretch
* certbot: fix hook for dovecot when more than one certificate is used (eg. different certificates for POP3 and IMAP)
* dovecot: add missing LDAP conf iterate_filter to exclude disabled accounts in users list (caused « User no longer exists » errors in commands listing users like « doveadm user -u '*' » or « doveadm expunge -u "*" mailbox INBOX savedbefore 7d »).
* dovecot: fix missing default mails
* dovecot: fix plugin dovecot1
* evoadmin-web: Fix PHP version for Bookworm
* evolinux-base: fix hardware.yml (wrong repo, missing update cache)
* evolinux-base: start to install linux-image-cloud-amd64 with Buster
* fail2ban: fix template marker
* minifirewall: ports 25, 53, 443, 993, 995 not opened publicly by default anymore, ports 20, 21, 110, 143 not opened semi-publicly by default anymore.
* nagios: fix default file to monitor for check_clamav_db
* nginx: add "when: not ansible_check_mode" in various tasks to prevent fail in check mode
* nginx: fix mistake between "check_mode: no" and "when: not ansible_check_mode" (fail in check mode)
* nginx: fix mistake between "check_mode: no" and "when: not ansible_check_mode" (fail in check mode)
* nginx: keep indentation
* nginx: take care of « already defined » and « not yet defined » server status suffix in check mode
* php: Bullseye/Sury > Honor the php_version asked in the pub.evolix.org repository
* php: drop apt_preferences(5) file for sury
* postfix: remove dependency on evolinux_fqdn var
* proftpd: set missing default listen IP for SFTP
* roundcube: set default SMTP port to 25 instead of 587, which failed because of missing SSL conf (local connexion does not need SSL)
* ssl: no not execute haproxy tasks and reload if haproxy is disabled
* unbound: Add a apt cache validity to enforce an apt update if needed
* webapps/nextcloud: added check that nextcloud uid is over 3000
* webapps/nextcloud: fix Add Ceph volume to fstab : missing UUID= in src
* webapps/nextcloud: fix misplaced gid attribute
* webapps/nextcloud: fix missing gid
* webapps/roundcube & evoadminmail: make roles more idempotent (were failing when played twice)
* amavis: Add variables for generate "ldap_suffix"
* proftpd: fix error when no SSH key is provided
### Removed
* evolinux-base: no need to remove update-evobackup-canary from sbin anymore
* evolinux-base: no need to symlink backup-server-state to dump-server-state anymore
## [23.10] 2023-10-14
### Added
* apt: disable `NonFreeFirmware` warning for VM on Debian 12+
* apt: explicit `signed-by` directives for official sources
* bind: add reload-zone helper
* certbot: deploy-hook for proftpd
* docker-host: added var for user namespace setting
* dovecot: add Munin plugins dovecot1 and dovecot_stats (patched)
* dovecot: fix old_stats plugin for Dovecot 2.3
* evocheck: add support for Debian >= 12 split SSH configuration
* evolinux-base: add split SSH configuration for Debian >= 12
* evolinux-base: configure `.bashrc` for all users
* evolinux-base: New variable `evolinux_system_include_ntpd` to chose wether or not to include `ntpd` role
* evolinux-base: reboot the server if the Cloud kernel has been installed
* evolinux-users: add split SSH configuration for Debian >= 12
* evolinux: install HPE Agentless Management Service (amsd)
* fail2ban: add default variable fail2ban_dbpurgeage_default
* fail2ban: add `fail2ban_sshd_port` variable to configure sshd port
* kvm-host: release 23.10 for migrate-vm.sh
* metricbeat/logstash: fix Ansible syntax
* mysql: new munin graph to follow binlog_days over time
* nagios-nrpe: add a NRPE check-local command with completion.
* nagios-nrpe: add a proper monitoring plugin for GlusterFS (on servers, not for clients)
* php: add new variable to disable overriding settings of php-fpm default pool (www)
* policy_pam: New role to manage password policy with `pam_pwquality` & `pam_pwhistory`
* userlogrotate: add a `userlogpurge` script disabled by default
* userlogrotate: new version, with separate conf file
* userlogrotate: rotate also php.log
* java: allow version 17
* timesyncd: new role, used instead of ntpd by default starting with Debian 12
### Changed
* all: change syntax "become: [yes,no]" → "become: [true,false]"
* all: change syntax "force: [yes,no]" → "force: [true,false]"
* elasticsearch: improve networking configuration
* evolinux-base: include files under `sshd_config.d`
* evolinux-users: remove Stretch references in tasks that also apply to next Debian versions
* evomaintenance: upstream release 23.10.1
* lxc-php: change LXC container in bookworm for php82
* minifirewall: update nrpe script to check active configuration
* minifirewall: upstream release 23.07
* mysql: improve shell syntax for mysql_skip script
* nagios-nrpe: set default check_load --per-cpu for BSD
* pgbouncer: minor fixes
* postfix (packmail or when postfix_slow_transport_include is True): change `miniprofmal_backoff_time` from 2h to 15m (see HowtoPostfix)
* postfix (packmail) : optimize Amavis integration
* postfix: disable sending mails via IPv6
* postfix: new spam.sh update script that avoids reloading if files did not change.
* postgresql: fix file `postgresql.pref.j2` for exclude package
* postgresql: fix task `update apt cache` for PGDG repo
* redis: standardize plugins path from `/usr/local/share/munin/` to `/usr/local/lib/munin/plugins/`
* varnish: allow the systemd template to be overridden with a template outside of the role
* lxc: purge openssh-server from container on install
### Fixed
* elasticsearch: comment the `Xlog:gc` line instead of changing it completely
* evocheck: fix IS_SSHALLOWUSERS condition
* evolinux-base, evolinux-users: Fix files mode under `/etc/ssh/sshd_config.d`
* evolinux-base: fix file extension
* fail2ban: fix cron `fail2ban_dbpurge` (should be bash instead of sh)
* lxc-php: fix APT keyring path inside containers
* nagios-nrpe: `check_ssl_local` now has an output that nrpe can understand when it isn't OK
* nagios-nrpe: remount `/usr` **after** installing the packages
* nagios-nrpe: sync Redis check from redis roles
* nginx: set default server directive in default vhost
* opendkim: update apt cache before install
* packweb-apache,nagios-nrpe: add missing task and config for PHP 8.2 container
* postfix: add missing `localhost.$mydomain` to `mydestination`
* redis: replace erroneous `ini_file` module for Munin config, fix dedicated Munin config filename (z-XXX).
* evolinux-base: use lineinfile instead of replace under root task
* evolinux-base: Corriger autorisation pour evolinux_user
* docker-host: Retirer directive state en trop
* rbenv: Installer libyaml-dev
### Removed
* dovecot: remove Munin plugin dovecot (not working)
## [23.04] 2023-04-23
### Added
* graylog: new role
* lxc-php: add support for PHP 8.2 container
### Changed
* Use FQCN (Fully Qualified Collection Name)
* apt: with Debian 12, backports are installed but disabled by default
* openvpn: updated the README file
* pgbouncer: add handler to restart the service
### Fixed
* generate-ldif: Support for Debian 12
## [23.03.1] 2023-03-16
### Added
* pgbouncer: new role
### Changed
* apt: deb822 migration python script is looked relative to shell script
* listupgrade: remove old typo version of the cron task
* minifirewall: support protocols in numeric form
## [23.03] 2023-03-16
### Added
* apache: add task to enable mailgraph on default vhost and index.html
* apt: add move-apt-keyrings script/tasks
* apt: add tools to migrate sources to deb822 format
* fail2ban: add "Internal login failure" to Dovecot filter
* lxc: copy `/etc/profile.d/evolinux.sh` from host into container
* nagios-nrpe: add tasks/files for a wrapper
* nagios-nrpe: Print pool config path in check_phpfpm_multi output
* php: add `php_version` variable when sury is activated for each Debian version
* php: add a way to choose which version to install using sury repository
* postfix: Add task to enable mailgraph on packmail
* postgresql: configure max_connections
* userlogrotate: create dedicated role, separated from packweb-apache
* varnish: add `varnish_update_config` variable to disable configuration update
### Changed
* Use systemd module instead of command
* Removed all `warn: False` args in command, shell and other modules as it's been deprecated and will give a hard fail in ansible-core 2.14.0.
* apt: Use pub.evolix.org instead of pub.evolix.net
* bind: refactor role
* elasticsearch: Disable garabge collector logging (JDK >= 9)
* evolinux-users: Update sudoers template to remove commands allowed without password
* listupgrade: upstream release 23.03.3
* kvmstats: use virsh domstats | awk to get guests informations
* nagios-nrpe : Rewrite `check_vrrpd` for a better check (check `rp_filter`, `vrrpd` and `uvrrpd` compatible, use arguments, …)
* openvpn: Change `check_openvpn` destination file to comply with recent EvoBSD change
* postfix: come back to default value of `notify_classes` for pack mails.
* userlogrotate: set rotate date format in right order (YYYY-MM-DD)!
* webapps/nextcloud : Change default data directory to be outside web root
* webapps/nextcloud : Small enhancement on the vhost template to lock out data dir
* yarn: update apt key
### Fixed
* Proper jinja spacing
* clamav: set `MaxConnectionQueueLength` to its default value (200), custom (15) was way too small and caused recurring failures in Postfix.
* docker-host: fix type in `daemon.json` and remove host configuration that is already in the systemd service by default
* evolinux-base: ensure dbus is started and enabled (not by default in the case of an offline netinst)
* haproxy: fix missing admin ACL in stats module access permissions
* openvpn: fix the client cipher configuration to match the server cipher configuration
* php: fix error introduced in #33503e4538 (`False` evaluated as a String instead of Boolean)
* php: install using Sury repositories on Bullseye
* postfix (packmail only): disable `concurrency_failed_cohort_limit` for destination smtp-amavis to prevent the suspension of this destination when Amavis fails to answer. Indeed, we configure the suspension delay quite long in `minimal_backoff_time` (2h) and `maximal_backoff_time` (6h) to reduce the risk of ban from external SMTPs.
* postfix: avoid Amavis transport to be considered dead when restarted.
* postfix: remove unused `aliases_scope=sub` from virtual_aliases.cf (it generated warnings)
* userlogrotate: fix bug introduced in commit 2e54944a246 (rotated files were not zipped)
* userlogrotate: skip zipping if .gz log already exists (prevents interactive question)
### Removed
* evolinux-base: subversion is not installed anymore
## [22.12] 2022-12-14
### Added
* all: add signed-by option for additional APT sources
* all: preliminary work to support Debian 12
* all: use proper keyrings directory for APT version
* evolinux-base: replace regular kernel by cloud kernel on virtual servers
* lxc-php: set php-fpm umask to `007`
* nagios-nrpe: `check_ceph_*`
* nagios-nrpe: `check_haproxy_stats` supports DRAIN status
* packweb-apache: enable `log_forensic` module
* rabbitmq: add link in default page
* varnish: create special tmp directory for syntax validation
* postfix: add localhost.$mydomain to mydestination
### Changed
* certbot: auto-detect HAPEE version in renewal hook
* evocheck: install script according to Debian version
* evolinux-base: `utils.yml` can be excluded
* evolinux-todo: execute tasks only for Debian distribution (because this task is a dependency for others roles used on different distributions)
* evolinux-user: add sudoers privilege for check `php_fpm81`
* evomaintenance: allow missing API endpoint if APi is disabled
* java: use default JRE package when version is not specified
* keepalived: change exit code (_warning_ if running but not on expected state ; _critical_ if not running)
* listupgrade: better detection for PostgreSQL
* listupgrade: sort/uniq of packages/services lists in email template
* lxc-solr: detect the real partition options
* lxc-solr: download URL according to Solr Version
* lxc-solr: set homedir and port at install
* minifirewall: whitelist deb.freexian.com
* openvpn: shellpki upstream release 22.12.2
* openvpn: specifies that the mail for expirations is for OpenVPN
* packweb-apache: manual dependencies resolution
* redis: some values should be quoted
* redis: variable to disable transparent hugepage (default: do nothing)
* squid: whitelist `deb.freexian.com`
* varnish: better package facts usage with check mode and tags
* varnish: systemd override depends on Varnish version instead of Debian version
### Fixed
* evolinux-user: Fix sudoers privilege for check `php_fpm80`
* nagios-nrpe: Fix check opendkim for recent change in listening port
* openvpn: Fix mode of shellpki script
* proftpd: Fix format of public key files controlled by Ansible
* proftpd: Fix mode of public key directory and files (they have to be accessible by `proftpd:nobody`)
* varnish: fix missing state, that blocked the task
### Removed
* openvpn: Deleted the task fixing the CRL rights since it has been fixed in upstream
## [22.09] 2022-09-19
### Added
* evolinux_users: create only users who have a certain value for the `create` key (default: `always`).
* php: install php-xml with recent PHP versions
* vrrp: add an `ip.yml` task file to help create VRRP addresses
* webapps/nextcloud: Add compatibility with apache2, and apache2 mod_php.
* memcached: NRPE check for multi-instance setup
* munin: Add ipmi_ plugins on dedicated hardware
* proftpd: Add options to override configs (and add a warning if file was overriden)
* proftpd: Allow user auth with ssh keys
### Changed
* evocheck: upstream release 22.09
* evolinux-base: update-evobackup-canary upstream release 22.06
* generate-ldif: Support any MariaDB version
* minifirewall: use handlers to restart minifirewall
* openvpn: automate the initialization of the CA and the creation of the server certificate ; use openssl_dhparam module instead of a command
* generate-ldif: support any version of MariaDB (instead of only 10.0, 10.1 and 10.3)
* openvpn: Run OpenVPN with the \_openvpn user and group instead of nobody which is originally for NFS
* nagios-nrpe: Upgrade check_mongo
### Fixed
* fail2ban: fix dovecot-evolix regex syntax
* haproxy: make it so that munin doesn't break if there is a non default `haproxy_stats_path`
* mysql: Add missing Munin conf for Debian 11
* redis: config directory must be owned by the user that runs the service (to be able to write tmp config files in it)
* varnish: make `-j <jail_config>` the first argument on jessie/stretch as it has to be the first argument there.
* webapps/nextcloud: Add missing dependencies for imagick
### Removed
* evocheck: remove failure if deprecated variable is used
* webapps/nextcloud: Drop support for Nginx
## [22.07.1] 2022-07-28
### Changed
* evocheck: upstream release 22.07
* evomaintenance: upstream release 22.07
* mongodb: replace version_compare() with version()
* nagios-nrpe: check_disk1 returns only alerts
* nagios-nrpe: use regexp to exclude paths/devices in check_disk1
## [22.07] 2022-07-08
### Added
* fail2ban: Ensure apply dbpurgeage from stretch and buster
## [22.07] 2022-07-06
### Added
* evolinux-base: session timeout is configurable (default: 36000 seconds = 10 hours)
* haproxy: add haproxy_allow_ip_nonlocal_bind to set sysctl value (optional)
* kvm-host: fix depreciation of "drbd-overview" by "drbdadm status" in add-vm.sh
* openvpn: configure logrotate
### Changed
* openvpn: minimal rights on /etc/shellpki/ and crl.pem
### Fixed
* evolinux-base: Update PermitRootLogin task to work on Debian 11
* evolinux-user: Update PermitRootLogin task to work on Debian 11
* minifirewall: docker mode is configurable
## [22.06.3] 2022-06-17
### Changed
* evolinux-base: blacklist and do not install megaclisas-status package on incompatible servers
## [22.06.2] 2022-06-10
### Added
* postgresql: add variable to configure binding addresses (default: 127.0.0.1)
### Changed
* evocheck: upstream release 22.06.2
* fail2ban: Give the possibility to override jail.local (with fail2ban_override_jaillocal)
* fail2ban: If jail.local was overriden, add a warning
* fail2ban: Allow to tune some jail settings (maxretry, bantime, findtime) with ansible
* fail2ban: Allow to tune the default action with ansible
* fail2ban: Change default action to ban only (instead of ban + mail with whois report)
* fail2ban: Configure recidive jail (off by default) + extend dbpurgeage
* redis: binding is possible on multiple interfaces (breaking change)
### Fixed
* Enforce String notation for mode
* postgresql: fix nested loop for Munin plugins
* postgresql: Fix task order when using pgdg repo
* postgresql: Install the right pg version
## [22.06.1] 2022-06-06
### Changed
* evocheck: upstream release 22.06.1
* minifirewall: upstream release 22.06
* mysql: evomariabackup release 22.06.1
* mysql: reorganize evomariabackup to use mtree instead of our own dir-check
## [22.06] 2022-06-03
### Added
* certbot: add hapee (HAProxy Enterprise Edition) deploy hook
* evolinux-base: add dir-check script
* evolinux-base: add update-evobackup-canary script
* mysql: add post-backup-hook to evomariabackup
* mysql: use dir-check inside evomariabackup
### Changed
* docker: Allow "live-restore" to be toggled with docker_conf_live_restore
* evocheck: upstream release 22.06
* evolinux-base: Replacement of variable `evolinux_packages_hardware` by `ansible_virtualization_role == "host"` automatize host type detection and avoids installing smartd & other on VM.
* minifirewall: tail template follows symlinks
* mysql: add "set crypt_use_gpgme=no" Mutt option, for mysqltuner
### Fixed
* Role `postfix`: Add missing `localhost.localdomain localhost` to `mydestination` variable which caused undelivered of some local mails.
## [22.05.1] 2022-05-12
### Added
* docker: Introduce new default settings + allow to change the docker data directory
* docker: Introduce new variables to tweak daemon settings
### Changed
* evocheck: Upstream release 22.05
### Removed
* docker: Removed Debian Jessie support
## [22.05] 2022-05-10
### Added
* etc-git: use "ansible-commit" to efficiently commit all available repositories (including /etc inside LXC) from Ansible
* minifirewall: compatibility with "legacy" version of minifirewall
* minifirewall: configure proxy/backup/sysctl values
* munin: Add possibility to install local plugins, and install dhcp_pool plugin
* nagios-nrpe: Add a check dhcp_pool
* redis: Activate overcommit sysctl
* redis: Add log2mail user to redis group
### Changed
* dump-server-state: upstream release 22.04.3
* evocheck: upstream release 22.04.1
* evolinux-base: Add non-free repos & install non-free firmware on dedicated hardware
* evolinux-base: rename backup-server-state to dump-server-state
* generate-ldif: Add services check for bkctld
* minifirewall: restore "force-restart" and fix "restart-if-needed"
* minifirewall: tail template follows symlinks
* minifirewall: upstream release 22.05
* opendkim : add generate opendkim-genkey in sha256 and key 4096
* openvpn: use a local copy of files instead of cloning an external git repository
* openvpn: use a subnet topology instead of the net30 default topology
* tomcat: Tomcat 9 by default with Debian 11
* vrrpd: Store sysctl values in specific file
### Fixed
* etc-git : Remount /usr in rw for git gc in in /usr/share/scripts/
* etc-git: Make evocommit fully compatible with OpenBSD
* generate-ldif: Correct generated entries for php-fpm in containers
* keepalived: repair broken role
* minifirewall: fix `failed_when` condition on restart
* postfix: Do not send mails through milters a second time after amavis (in packmail)
* redis: Remount /usr with RW before adding nagios plugin
## [22.03] 2022-03-02
### Added
* apt: apt_hold_packages: broadcast message with wall, if present
* evolinux-base: option to bypass raid-related tasks
* Explicit permissions for systemd overrides
* generate-ldif: Add support for php-fpm in containers
* kvm-host: add missing default value
* lxc-php: preliminary support for PHP 8.1 container
* openvpn: now check that openvpn has been restarted since last certificates renewal
* redis: always install check_redis_instances
* redis: check_redis_instances tolerates absence of instances
### Changed
* elasticsearch: Use `/etc/elasticsearch/jvm.options.d/evolinux` instead of default `/etc/elasticsearch/jvm.options`
* evolinux-users: check permissions for /etc/sudoers.d
* evolinux-users: optimize sudo configuration
* lxc: Fail if /var is nosuid
* openvpn: make it compatible with OpenBSD and add some improvements
## [22.01.3] 2022-01-31
### Changed
* rbenv: install Ruby 3.1.0 by default
* evolinux-base: backup-server-state: add "force" mode
### Fixed
* evolinux-base: backup-server-state: fix systemctl invocation
* varnish: update munin plugin to work with recent varnish versions
## [22.01.2] 2022-01-27
### Changed
* evolinux-base: many improvements for backup-server-state script
* remount-usr: use findmnt to find if usr is a readonly partition
## [22.01] 2022-01-25
### Added
* Support for Debian 11 « Bullseye » (with possible remaining blind spots)
* apache: new variable for MPM mode (+ updated default config accordingly)
* apache: prevent accessing Git or "env" related files
* certbot: add script for manual deploy hooks execution
* docker-host: install additional dependencies
* dovecot: switch to TLS 1.2+ and external DH params
* etc-git: centralize cron jobs in dedicated crontab
* etc-git: manage commits with an optimized shell script instead of many slow Ansible tasks
* evolinux-base: add script backup-server-state
* evolinux-base: configure top and htop to display the swap column
* evolinux-base: install molly-guard by default
* generate-ldif: detect RAID controller
* generate-ldif: detect mdadm
* listupgrade: crontab is configurable
* logstash: logging to syslog is configurable (default: True)
* mongodb: create munin plugins directory if missing
* munin: systemd override to unprotect home directory
* mysql: add evomariabackup 21.11
* mysql: improve Bullseye compatibility
* mysql: script "mysql_connections" to display a compact list of connections
* mysql: script "mysql-queries-killer.sh" to kill MySQL queries
* nagios-nrpe + evolinux-users: new check for ipmi
* nagios-nrpe + evolinux-users: new check for RAID (soft + hard)
* nagios-nrpe + evolinux-users: new checks for bkctld
* nagios-nrpe: new check influxdb
* openvpn: new role (beta)
* redis: instance service for Debian 11
* squid: add *.o.lencr.org to default whitelist
### Changed
* Change version pattern
* Install python 2 or 3 libraries according to running python version
* Remove embedded GPG keys only if legacy keyring is present
* apt: remove workaround for Evolix public repositories with Debian 11
* apt: upgrade packages after all the configuration is done
* apt: use the new security repository for Bullseye
* certbot: silence letsencrypt deprecation warnings
* elasticsearch: elastic_stack_version = 7.x
* evoacme: exclude renewal-hooks directory from cron
* evoadmin-web: simpler PHP packages lists
* evocheck: upstream release 21.10.4
* evolinux-base: alert5 comes after the network
* evolinux-base: force Debian version to buster for Evolix repository (temporary)
* evolinux-base: install freeipmi by default on dedicated hw
* evolinux-base: logs are rotated with dateext by default
* evolinux-base: split dpkg logrotate configuration
* evolinux-users + nagios-nrpe: Add support for php-fpm80 in lxc
* evomaintenance: extract a config.yml tasks file
* evomaintenance: upstream release 22.01
* filebeat/metricbeat: elastic_stack_version = 7.x
* kibana: elastic_stack_version = 7.x
* listupgrade: old-kernel-removal version 21.10
* listupgrade: upstream release 21.06.3
* logstash: elastic_stack_version = 7.x
* mongodb: Allow to specify a mongodb version for buster & bullseye
* mongodb: Deny the install on Debian 11 « Bullseye » when the version is unsupported
* mongodb: Support version 5.0 (for buster)
* mysql: use python3 and mariadb-client-10.5 with Debian 11 and later
* nodejs: default to version 16 LTS
* php: enforce Debian version with assert instead of fail
* squid: improve default whitelist (more specific patterns)
* squid: must be started in foreground mode for systemd
* squid: remove obsolete variable on Squid 4
### Fixed
* evolinux-base: fix alert5.service dependency syntax
* certbot: sync_remote excludes itself
* lxc-php: fix config for opensmtpd on bullseye containers
* mysql : Create a default ~root/.my.cnf for compatibility reasons
* nginx : fix variable name and debug to actually use nginx-light
* packweb-apache : Support php 8.0
* nagios-nrpe: Fix check_nfsserver for buster and bullseye
### Removed
* evocheck: package install is not supported anymore
* logstash: no more dependency on Java
* php: remove php-gettext for 7.4
## [10.6.0] 2021-06-28
### Added
* Add Elastic GPG key to kibana, filebeat, logstash, metricbeat roles
* apache: new variable for mpm mode (+ updated default config accordingly)
* evolinux-base: add default motd template
* kvm-host: add migrate-vm script
* mysql: variable to disable myadd script overwrite (default: True)
* nodejs: update apt cache before installing the package
* squid: add Yarn apt repository in default whitelist
### Changed
* Update Galaxy metadata (company, platforms and galaxy_tags)
* Use 'loop' syntax instead of 'with_first_found/with_items/with_dict/with_nested/with_list'
* Use Ansible syntax used in Ansible 2.8+
* apt: store keys in /etc/apt/trusted.gpg.d in ascii format
* certbot: sync_remote.sh is configurable
* evolinux-base: copy GPG key instead of using apt-key
* evomaintenance: upstream release 0.6.4
* kvm-host: replace the "kvm-tools" package with scripts deployed by Ansible
* listupgrade: upstream release 21.06.2
* nodejs: change GPG key name
* ntpd: Add leapfile configuration setting to ntpd on debian 10+
* packweb-apache: install phpMyAdmin from buster-backports
* spamassassin: change dependency on evomaintenance
* squid: remove obsolete variable on Squid 4
### Fixed
* add default (useless) value for file lookup (first_found)
* fix pipefail option for shell invocations
* elasticsearch: inline YAML formatting of seed_hosts and initial_master_nodes
* evolinux-base: fix motd lookup path
* ldap: fix edge cases where passwords were not set/get properly
* listupgrade: fix wget error + shellcheck cleanup
### Removed
* elasticsearch: recent versiond don't depend on external JRE
## [10.5.1] 2021-04-13
### Added
* haproxy: dedicated internal address/binding (without SSL)
### Changed
* etc-git: commit in /usr/share/scripts when there's an active repository
## [10.5.0] 2021-04-01
### Added
* apache: new variables for logrotate + server-status
* filebeat: package can be upgraded to latest (default: False)
* haproxy: possible admin access with login/pass
* lxc-php: Add PHP 7.4 support
* metricbeat: package can be upgraded to latest (default: False)
* metricbeat: new variables to configure SSL mode
* nagios-nrpe: new script check_phpfpm_multi
* nginx: add access to server status on default VHost
* postfix: add smtpd_relay_restrictions in configuration
### Changed
* apache: rotate logs daily instead of weekly
* apache: deny requests to ^/evolinux_fpm_status-.*
* certbot: use a fixed 1.9.0 version of the certbot-auto script (renamed "letsencrypt-auto")
* certbot: use the legacy script on Debian 8 and 9
* elasticsearch: log rotation is more readable/maintainable
* evoacme: upstream release 21.01
* evolinux-users: Add sudo rights for nagios for multi-php lxc
* listupgrade: update script from upstream
* minifirewall: change some defaults
* nagios-nrpe: update check_phpfpm_status.pl & install perl dependencies
* redis: use /run instead or /var/run
* redis: escape password in Munin configuration
### Fixed
* bind9: added log files to apparmor definition so bind can run
* filebeat: fix Ansible syntax error
* nagios-nrpe: libfcgi-client-perl is not available before Debian 10
* redis: socket/pid directories have the correct permissions
### Removed
* nginx: no more "minimal" mode, but the package remains customizable.
## [10.4.0] 2020-12-24
### Added
* certbot: detect domains if missing
* certbot: new "sync_remote.sh" hook to sync certificates and execute hooks on remote servers
* varnish: variable for jail configuration
### Changed
* certbot: disable auth for Let's Encrypt challenge
* nginx: change from "nginx_status-XXX" to "server-status-XXX"
## [10.3.0] 2020-12-21
### Added
* bookworm-detect: transitional role to help dealing with unreleased bookworm version
* dovecot: Update munin plugin & configure it
* dovecot: vmail uid/gid are configurable
* evoacme: variable to disable Debian version check (default: False)
* kvm-host: Add drbd role dependency (toggleable with kvm_install_drbd)
* minifirewall: upstream release 20.12
* minifirewall: add variables to force upgrade the script and the config (default: False)
* mysql: install save_mysql_processlist script
* nextcloud: New role to setup a nextcloud instance
* redis: variable to force use of port 6379 in instances mode
* redis: check maxmemory in NRPE check
* lxc-php: Allow php containers to contact local MySQL with localhost
* varnish: config file name is configurable
### Changed
* Create system users for vmail (dovecot) and evoadmin
* apt: disable APT Periodic
* evoacme: upstream release 20.12
* evocheck: upstream release 20.12
* evolinux-users: improve uid/login checks
* tomcat-instance: fail if uid already exists
* varnish: change template name for better readability
* varnish: no threadpool delay by default
* varnish: no custom reload script for Debian 10 and later
### Fixed
* cerbot: parse HAProxy config file only if HAProxy is found
## [10.2.0] 2020-09-17
### Added
* evoacme: remount /usr if necessary
* evolinux-base: swappiness is customizable
* evolinux-base: install wget
* tomcat: root directory owner/group are configurable
### Changed
* Change default public SSH/SFTP port from 2222 to 22222
### Fixed
* certbot: an empty change shouldn't raise an exception
* certbot: fix "no-self-upgrade" option
### Removed
* evoacme: remove Debian 9 support
## [10.1.0] 2020-08-21
### Added
* certbot: detect HAProxy cert directory
* filebeat: allow using a template
* generate-ldif: add NVMe disk support
* haproxy: add deny_ips file to reject connections
* haproxy: add some comments to default config
* haproxy: enable stats frontend with access lists
* haproxy: preconfigure SSL with defaults
* lxc-php: Don't disable putenv() by default in PHP settings
* lxc-php: Install php-sqlite by default
* metricbeat: allow using a template
* mysql: activate binary logs by specifying log_bin path
* mysql: option to define as read only
* mysql: specify a custom server_id
* nagios-nrpe/evolinux-base: brand new check for hardware raid on HP servers gen 10
* nginx: make default vhost configurable
* packweb-apache: Install zip & unzip by default
* php: Don't disable putenv() by default in PHP settings
* php: Install php-sqlite by default
### Changed
* certbot: fix haproxy hook (ssl cert directory detection)
* certbot: install certbot dependencies non-interactively for jessie
* elasticsearch: configure cluster with seed hosts and initial masters
* elasticsearch: set tmpdir before datadir
* evoacme: read values from environment before defaults file
* evoacme: update for new certbot role
* evoacme: upstream release 20.08
* haproxy: adapt backports installed package list to distibution
* haproxy: chroot and socket path are configurable
* haproxy: deport SSL tuning to Mozilla SSL generator
* haproxy: rotate logs with date extension and immediate compression
* haproxy: split stats variables
* lxc-php: Do --no-install-recommends for ssmtp/opensmtpd
* mongodb: install custom munin plugins
* nginx: read server-status values before changing the config
* packweb-apache: Don't turn on mod-evasive emails by default
* redis: create sudoers file if missing
* redis: new syntax for match filter
* redis: raise an error is port 6379 is used in "instance" mode
### Fixed
* certbot: restore compatibility with old Nginx
* evobackup-client: fixed the ssh connection test
* generate-ldif: better detection of computerOS field
* generate-ldif: skip some odd ethernet devices
* lxc-php: Install opensmtpd as intended
* mongodb: fix logrotate patterm on Debian buster
* nagios-nrpe: check_amavis: updated regex
* squid: better regex to match sa-update domains
* varnish: fix start command when multiple addresses are present
## [10.0.0] - 2020-05-13
### Added
* apache: the default VHost doesn't redirect to https for ".well-known" paths
* apt: added buster backports prerferences
* apt: check if cron is installed before adding a cron job
* apt: remove jessie/buster sources from Gandi servers
* apt: verify that /etc/evolinux is present
* certbot : new role to install and configure certbot
* etc-git: add versioning for /usr/share/scripts on Debian 10+
* evoacme: upstream version 19.11
* evolinux-base: default value for "evolinux_ssh_group"
* evolinux-base: install /sbin/deny
* evolinux-base: install Evocheck (default: `True`)
* evolinux-base: on debian 10 and later, add noexec on /dev/shm
* evolinux-base: on debian 10 and later, add /usr/share/scripts in root's PATH
* evolinux-base: remove the chrony package
* evomaintenance: don't configure firewall for database if not necessary
* generate-ldif: support MariaDB 10.3
* haproxy: add a variable to keep the existing configuration
* java: add Java 11 as possible version to install
* listupgrade: install old-kernel-autoremoval script
* minifirewall: add a variable to force the check scripts update
* mongodb: mongodb: compatibility with Debian 10
* mysql-oracle: backport tasks from mysql role
* networkd-to-ifconfig: add variables for configuration by variables
* mysql: activate binary logs by specifying log_bin path
* mysql: specify a custom server_id
* packweb-apache: Deploy opcache.php to give some insights on PHP's opcache status
* php: variable to install the mysqlnd module instead of the default mysql module
* postgresql : variable to install PostGIS (default: `False`)
* redis: rewrite of the role (separate instances, better systemd units…)
* webapps/evoadmin-web Add an htpasswd to evoadmin if you cant use an apache IP whitelist
* webapps/evoadmin-web Overload templates if needed
* evolinux-base: install ssacli for HP Smart Array
* evobackup-client role to configure a machine for backups with bkctld(8)
* bind: enable query logging for recursive resolvers
* bind: enable logrotate for recursive resolvers
* bind: enable bind9 munin plugin for recursive resolvers
### Changed
* replace version_compare() with version()s
* removed some deprecations for Ansible 2.7
* apache: improve permissions in save_apache_status script
* apt: hold packages only if package is installed
* bind: the munin task was present, but not included
* bind: change name of logrotate file to bind9
* certbot: commit hook must be executed at the end
* elasticsearch: listen on local interface only by default
* evocheck: upstream version 20.04.4
* evocheck: upstream version 19.11.1
* evocheck: cron jobs execute in verbose
* evolinux-base: use "evolinux_internal_group" for SSH authentication
* evolinux-base: Don't customize the logcheck recipient by default.
* evolinux-base: configure cciss-vol-statusd in the proper file
* evomaintenance: upstream release 0.6.3
* evomaintenance: Turn on API by default (instead of DB)
* evomaintenance: install PG dependencies only when needed
* listupgrade: update from upstream
* evomaintenance: upstream version 0.6.0
* lxc-php: refactor tasks for better maintainability
* lxc: rely on lxc_container module instead of command module
* lxc: remove useless loop in apt execution
* lxc: update our default template to be compatible with Debian 10
* lxc-php: refactor tasks for better maintainability
* lxc-php: Use OpenSMTPD for Stretch/Buster containers, and ssmtp for Jessie containers
* lxc-solr: changed default Solr version to 8.4.1
* minifirewall: better alert5 activation
* minifirewall: no http filtering by default
* minifirewall: /bin/true command doesn't report "changed" anymore
* nagios-nrpe: update check_redis_instances (same as redis role)
* nagios-nrpe: change default haproxy socket path
* nagios-nrpe: check_mode per cpu dynamically
* nodejs: change default version to 12 (new LTS)
* packweb-apache: Do the install & conffigure phpContainer script (instead of evoadmin-web role)
* php: By default, allow 128M for OpCache (instead of 64M)
* php: Don't set a chroot for the default fpm pool
* php: Make sure the default pool we define can be fully functionnal witout debian's default pool file
* php: Change the default pool names to something more explicit (and same for the variables names)
* php: Add a task to remove Debian's default FPM pool file (off by default)
* php: Cleanup CLI Settings. Also, allow url fopen and don't disable functions (in CLI only)
* postgresql : changed logrotate config to 10 days (and fixed permissions)
* rbenv: changed default Ruby version to 2.7.0
* rbenv: install Ruby 2.6.5 by default
* squid: Remove wait time when we turn off squid
* squid: compatibility wit Debian 10
* tomcat: package version derived from Debian version if missing
* varnish: remove custom ExecReload= script for Debian 10+
### Fixed
* etc-git: fix warnings ansible-lint
* evoadmin-web: Put the php config at the right place for Buster
* lxc: Don't stop the container if it already exists
* lxc: Fix container existance check to be able to run in check_mode
* lxc-php: Don't remove the default pool
* minifirewall: fix warnings ansible-lint
* nginx: fix munin fcgi not working (missing chmod 660 on logs)
* php: add missing handler for php7.3-fpm
* roundcube: fix typo for roundcube vhost
* tomcat: fix typo for default tomcat_version
* evolinux-base: Fix our zsyslog rotate config that doesn't work on Debian 10
* certbot: Properly evaluate when apache is installed
* evolinux-base: Don't make alert5.service executable as systemd will complain
* webapps/evoadmin-web: Set default evoadmin_mail_tpl_force to True to fix a regression where the mail template would not get updated because the file is created before the role is first run.
* minifirewall: Backport changes from minifirewall (properly open outgoing smtp(s))
* minifirewall: Properly detect alert5.sh to turn on firewall at boot
* packweb-apache: Add missing dependency to evoacme role
* php: Chose the debian version repo archive for packages.sury.org
* php: update surry_post.yml to match current latest PHP release
* packweb-apache: Don't try to install PHPMyAdmin on Buster as it's not available
### Removed
* clamav : do not install the zoo package anymore
### Security
## [9.10.1] - 2019-06-21
### Changed
* evocheck : update (version 19.06) from upstream
## [9.10.0] - 2019-06-21
### Added
* apache: add server status suffix in VHost (and default site) if missing
* apache: add a variable to customize the server-status host
* apt: add a script to manage packages with "hold" mark
@ -1042,7 +84,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
* redmine: enable gzip compression in nginx vhost
### Changed
* evocheck : update (unreleased) from upstream
* evomaintenance : use the web API instead of PG Insert
* fluentd: store gpg key locally
@ -1055,26 +96,23 @@ The **patch** part changes is incremented if multiple releases happen the same m
* apt: Add Debian Buster repositories
### Fixed
* rbenv: add check_mode for check rbenv and ruby versions
* nagios-nrpe: fix redis_instances check when Redis port equal 0
* redmine: fix 500 error on logging
* evolinux-base: Validate sshd config with "-t" instead of "-T"
* evolinux-base: Ensure rename is present
* evolinux-users: Validate sshd config with "-t" instead of "-T"
* nagios-nrpe: Replace the dummy packages nagios-plugins-*with monitoring-plugins-*
* nagios-nrpe: Replace the dummy packages nagios-plugins-* with monitoring-plugins-*
## [9.9.0] - 2019-04-16
### Added
* etc-git: ignore evobackup/.keep-* files
* lxc: /home is mounted in the container by default
* nginx : add "x-frame-options: sameorigin" for Munin
### Changed
* changed remote repository to <https://gitea.evolix.org/evolix/ansible-roles>
* changed remote repository to https://gitea.evolix.org/evolix/ansible-roles
* apt: Ensure jessie-backport from archives.debian.org is accepted
* apt: Remove jessie-update suite as it's no longer exists
* apt: Replace mirror.evolix.org by archives.debian.org for jessie-backport
@ -1087,8 +125,8 @@ The **patch** part changes is incremented if multiple releases happen the same m
* tomcat: better tomcat version management
* webapps/evoadmin-web: add dbadmin.sh to sudoers file
### Fixed
### Fixed
* spamassasin: fix sa-update.sh and ensure service is started and enabled
* tomcat-instance: deploy correct version of config files
* tomcat-instance: deploy correct version of server.xml
@ -1096,24 +134,20 @@ The **patch** part changes is incremented if multiple releases happen the same m
## [9.8.0] - 2019-01-31
### Added
* filebeat: disable cloud_metadata processor by default
* metricbeat: disable cloud_metadata processor by default
* percona : new role to install Percona repositories and tools
* redis: add variable for configure unixsocketperm
### Changed
* redmine: refactoring of redmine role with use of rbenv
### Fixed
* ntpd: Update the restrictions to follow wiki.evolix.org/HowtoNTP client config
## [9.7.0] - 2019-01-17
### Added
* apache: add Munin configuration for Apache server-status URL
* evomaintenance: database variables must be set or the task fails
* fail2ban: add "ips" tag added to fail2ban/tasks/ip_whitelist.yml
@ -1126,7 +160,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
* proftpd: add FTPS and SFTP support
### Changed
* redis: distinction between main and master password
* evocheck: update evocheck.sh for source install
* php: added php-zip in the installed package list for debian 9 (and later)
@ -1134,7 +167,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
* java: update Oracle java package to 8u192
### Fixed
* fail2ban: fix "ignoreip" update
* metricbeat: fix username/password replacement
* nagios-nrpe: check_process now return the error code (making the check more usefull than /bin/true)
@ -1143,17 +175,16 @@ The **patch** part changes is incremented if multiple releases happen the same m
* redis: In instance mode, ensure to replace the nrpe check_redis with the instance check script
* redis: Don't set the owner of /var/{lib,log}/redis to a redis instance account
## [9.6.0] - 2018-12-04
### Added
* evolinux-base: deploy custom motd if template are present
* minifirewall: all variables are configurable (untouched by default)
* minifirewall: main file is configurable
* squid: minifirewall main file is configurable
### Changed
* minifirewall: compare config before/after (for restart condition)
* squid: better replacement in minifirewall config
* evoadmin-mail: complete refactoring, use Debian Package
@ -1161,7 +192,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
## [9.5.0] - 2018-11-14
### Added
* apache: separate task to update IP whitelist
* evolinux-base: install man package
* evolinux-users: add newaliases handler
@ -1175,13 +205,11 @@ The **patch** part changes is incremented if multiple releases happen the same m
* mysql: logdir can be customized
### Changed
* evocheck: update script from upstream
* evomaintenance: update script from upstream
* mysql: restart service if systemd unit has been patched
### Fixed
* packweb-apache: mod-security config is already included elsewhere
* redis: for permissions on log and lib directories
* redis: fix shell for instance users
@ -1190,16 +218,13 @@ The **patch** part changes is incremented if multiple releases happen the same m
## [9.4.2] - 2018-10-12
### Added
* evomaintenance: install dependencies manually when installing vendored version
* nagios-nrpe: add an option to ignore servers in NOLB status
### Changed
* haproxy: move check_haproxy_stats to nagios-nrpe role
### Fixed
* evoacme: better error when apache2ctl fails
* evomaintenance: fix role compatibility with OpenBSD
* spamassassin: add missing right for amavis
@ -1208,19 +233,16 @@ The **patch** part changes is incremented if multiple releases happen the same m
## [9.4.1] - 2018-09-28
### Added
* redis: set masterauth when redis_password is defined
* evomaintenance: variable to install a vendored version
* evomaintenance: tasks/variables to handle minifirewall restarts
### Changed
* mysql-oracle: better handle packages and users
## [9.4.0] - 2018-09-20
### Added
* etc-git: manage a cron job to monitor uncommited changes in /etc/.git (default: `True`)
* evolinux-base: better shell history
* evolinux-users: add user to /etc/aliases
@ -1235,11 +257,9 @@ The **patch** part changes is incremented if multiple releases happen the same m
* nagios-nrpe: add check_redis_instances
### Changed
* dovecot: stronger TLS configuration
### Fixed
* apache: cleaner way to overwrite the server status suffix
* packweb-apache: don't regenerate phpMyAdmin suffix each time
* nginx: cleaner way to overwrite the server status suffix
@ -1248,13 +268,11 @@ The **patch** part changes is incremented if multiple releases happen the same m
## [9.3.2] - 2018-09-06
### Added
* minifirewall: add a variable to disable the restart handler
* minifirewall: add a variable to force a restart of the firewall (even with no change)
* minifirewall: improve variables values and documentation
### Changed
* dovecot: enable SSL/TLS by default with snakeoil certificate
### Fixed
@ -1264,13 +282,11 @@ The **patch** part changes is incremented if multiple releases happen the same m
## [9.3.1] - 2018-08-30
### Added
* metricbeat: new variables to configure elasticsearch hosts and auth
## [9.3.0] - 2018-08-24
### Added
* elasticsearch: tmpdir configuration compatible with 5.x also
* elasticsearch: add http.publish_host variable
* evoacme: disable old certbot cron also in cron.daily
@ -1291,7 +307,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
* nagios-nrpe: add check_postgrey
### Changed
* etc-git: some entries of .gitignore are mandatory
* evocheck: update upstream script
* evolinux-base: improve hostname configuration (real vs. internal)
@ -1310,7 +325,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
* kvm-host: install kvm-tools package instead of copying add-vm.sh
### Fixed
* apache: logrotate replacement is more subtle/precise. It replaces only the proper directive and not every occurence of the word.
* bind: chroot-bind.sh must not be executed in check mode
* evoacme: fix module detection in apache config
@ -1322,14 +336,12 @@ The **patch** part changes is incremented if multiple releases happen the same m
## [9.2.0] - 2018-05-16
### Changed
* filebeat: install version 6.x by default
* filebeat: cleanup unused code
* squid: add some domaine and fix broken restrictions
* elasticsearch: defaults to version 6.x
### Fixed
* evolinux-users: secondary groups are comma-separated
* ntpd: fix configuration (server and ACL)
* varnish: don't fork the process on startup with systemd
@ -1339,7 +351,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
### Added
### Changed
* apache: customize logrotate (52 weeks)
* evolinux: groups for SSH configuration are used with Debian 10 and later
* evolinux-base: fail2ban is not enabled by default
@ -1351,11 +362,9 @@ The **patch** part changes is incremented if multiple releases happen the same m
## [9.1.8] - 2018-04-16
### Changed
* packweb-apache: use dependencies instead of include_role for apache and php roles
### Fixed
* mysql: use check_mode for apg command (Fix --check)
* mysql/mysql-oracle: properly reload systemd
* packweb-apache: use check_mode for apg command (Fix --check)
@ -1363,7 +372,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
## [9.1.7] - 2018-04-06
### Added
* added a few become attributes where missing
* etc-git: add tags for Ansible
* evolinux-base: install ncurses-term package
@ -1381,7 +389,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
* redmine: added missing tags
### Changed
* elasticsearch: RESTART_ON_UPGRADE is configurable (default: `true`)
* elasticsearch: use ES_TMPDIR variable for custom tmpdir, (from `/etc/default/elasticsearch` instead of changing `/etc/elesticsearch/jvm.options`).
* evolinux-base: Exec the firewall tasks sooner (to avoid dependency issues)
@ -1397,7 +404,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
* webapps/evoadmin-web: Fail if variable evoadmin_contact_email isn't defined
### Fixed
* dovecot: fix support of plus sign
* mysql/mysql-oracle: mysqltuner cron task is executable
* nginx: fix basic auth for default vhost
@ -1406,25 +412,21 @@ The **patch** part changes is incremented if multiple releases happen the same m
## [9.1.6] - 2018-02-02
### Added
* mongodb: install python-pymongo for monitoring
* nagios-nrpe: allowed_hosts can be updated
### Changed
* Changelog: explain the versioning scheme
* Changelog: add a release date for 9.1.5
* evoacme: exclude typical certbot directories
### Fixed
* fail2ban: fix horrible typo, Python is not Ruby
* nginx: fix servers status dirname
## [9.1.5] - 2018-01-18
### Added
* There is a changelog!
* redis: configuration variable for protected mode (v3.2+)
* evolinux-users: users are in "adm" group for Debian 9 or later
@ -1436,49 +438,41 @@ The **patch** part changes is incremented if multiple releases happen the same m
* redmine: ability to install themes and plugins
### Changed
* rbenv: Ruby 2.5 becomes the default version
* evocheck: update upstream version embedded in role (c993244)
* bind: keep 52 weeks of logs
### Fixed
* squid: different logrotate file for Jessie or Stretch+
* evoacme: don't invoke evoacme if no vhost is found
* evomaintenance: explicit quotes in config file
* redmine: force xpath gem < 3.0.0
### Security
* evomaintenance: fix permissions for config file
## [9.1.4] - 2017-12-20
### Added
* php: install php5-intl (for Jessie) and php-intl (for Debian 9 or later)
* mysql: add a check_mysql_slave in nrpe configuration
* ldap: slapd tcp port is configurable
* elasticsearch: broader patterns for log rotation
### Changed
* split IP lists in 2 – default and additional – for easier customization.
### Fixed
* minifirewall: allow outgoing SSH connections over IPv6
* nodejs: rename source.list file
### Security
* evoadmin-web: change config.local.php file permissions
* evolinux-base: change default_www file permissions
## [9.1.3] 2017-12-08
### Added
* evolinux-base: install traceroute package
* evolinux-base/ntpd: purge openntpd
* tomcat: add Tomcat 8 cmpatibility
@ -1490,7 +484,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
* elastic: option for stack main version
### Changed
* nginx: rename Let's Encrypt snippet
* nginx: simpler apt preferences for backports
* generate-ldif: add clamd service instead of clamav_db
@ -1502,12 +495,10 @@ The **patch** part changes is incremented if multiple releases happen the same m
* mongodb: comatible with Stretch
### Removed
* mongodb: logfile/pidfile are not configurable on Jessie
* minifirewall: remove zidane.evolix.net from HTTPSITES
### Fixed
* nginx: fix munin CGI graphs
* ntpd: fix default configuration (localhost only)
* logstash: fix permissions on pipeline configuration
@ -1518,17 +509,14 @@ The **patch** part changes is incremented if multiple releases happen the same m
## [9.1.2] 2017-12-05
### Fixed
* listupgrade: remount /usr as rw
## [9.1.1] 2017-11-21
### Added
* amazon-ec2: add egress rules
### Fixed
* evoacme: fix multiple bugs
## [9.1.0] 2017-11-19
@ -1536,7 +524,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
_Warning: huge release, many entries are missing below._
### Added
* amazon-ec2: new role, for EC2 instances creation
* Move /usr rw remount into remount-usr role
* kibana: host and basepath configuration
@ -1547,7 +534,6 @@ _Warning: huge release, many entries are missing below._
* nagios-nrpe: add opendkim check
### Changed
* Combine evolix and additional trusted IP addresses
* amazon-ec2: split tasks
* apt: don't upgrade by default
@ -1558,7 +544,6 @@ _Warning: huge release, many entries are missing below._
* ldap: better variables
### Fixed
* fail2ban: create config hierarchy beforehand
* elasticsearch: fix datadir/tmpdir conditions
* elastic: remove double ".list" suffix
@ -1569,10 +554,10 @@ _Warning: huge release, many entries are missing below._
### Security
## [9.0.1] 2017-10-02
### Added
* haproxy: add a Nagios check
* php: add "sury" mode for PHP 7.1 on Stretch
* minifirewall: explicit dependency on iptables
@ -1580,11 +565,9 @@ _Warning: huge release, many entries are missing below._
* docker-host: new variable for docker home
### Changed
* php: install php5/php package after fpm/libapache2-mod-php
### Fixed
* mysql: add "REPLICATION CLIENT" privilege for nrpe
* evoadmin-web: revert from variables to keywords in the templates
* evoacme: many fixes

2
README.md
View file

@ -50,8 +50,6 @@ Before starting anything of importance, we suggest contacting us to discuss what
Our conventions are available in the "ansible-public":https://gitea.evolix.org/evolix/ansible-public repository, in the CONVENTIONS.md file.
All modifications should be documented in the CHANGELOG file, to help review releases. We encourage atomic commits, on a single role, and with the CHANGELOG in the same commit.
## Workflow
The ideal and most typical workflow is to create a branch, based on the "unstable" branch. The branch should have a descriptive name (a ticket/issue number is great). The branch can be treated as a pull-request or merge-request. It should be propery tested and reviewed before merging into "unstable".

5
amavis/defaults/main.yml
View file

@ -1,5 +0,0 @@
---
ldap_hostname: "{{ ansible_hostname }}"
ldap_domain: "{{ ansible_domain }}"
ldap_suffix: "dc={{ ldap_hostname }},dc={{ ldap_domain.split('.')[-2] }},dc={{ ldap_domain.split('.')[-1] }}"

2
amavis/files/amavis_purge_virusmails
View file

@ -1,2 +0,0 @@
#!/bin/bash
find /var/lib/amavis/virusmails/ -type f -mtime +30 -delete

2
amavis/handlers/main.yml
View file

@ -1,5 +1,5 @@
---
- name: restart amavis
ansible.builtin.service:
service:
name: amavis
state: restarted

24
amavis/tasks/main.yml
View file

@ -1,27 +1,19 @@
---
- name: install Amavis
ansible.builtin.apt:
name:
- postgrey
- amavisd-new
apt:
name: "{{ item }}"
state: present
with_items:
- postgrey
- amavisd-new
tags:
- amavis
- amavis
- name: configure Amavis
ansible.builtin.template:
template:
src: amavis.conf.j2
dest: /etc/amavis/conf.d/49-evolinux-defaults
mode: "0644"
notify: restart amavis
tags:
- amavis
- name: Install purge custom cron
ansible.builtin.copy:
src: amavis_purge_virusmails
dest: /etc/cron.daily/amavis_purge_virusmails
mode: "0755"
tags:
- amavis
- amavis_purge_cron
- amavis

2
amavis/templates/amavis.conf.j2
View file

@ -44,7 +44,7 @@ $max_servers = 2;
$enable_ldap = 1;
$default_ldap = {
hostname => '127.0.0.1', tls => 0,
base => '{{ ldap_suffix | mandatory }}', scope => 'sub',
base => '{{ ldap_suffix }}', scope => 'sub',
query_filter => '(&(mailacceptinggeneralid=%m)(isActive=TRUE))'
};

2
amazon-ec2/README
View file

@ -52,7 +52,7 @@ In your main evolinux playbook put this play before Evolinux one:
tasks:
- include_role:
name: evolix/amazon-ec2
name: amazon-ec2
tasks_from: create-instance.yml
```

16
amazon-ec2/amazon-ec2-evolinux.yml
View file

@ -9,16 +9,16 @@
aws_region: ca-central-1
tasks:
- ansible.builtin.include_role:
name: evolix/amazon-ec2
- include_role:
name: amazon-ec2
tasks_from: setup.yml
- ansible.builtin.include_role:
name: evolix/amazon-ec2
- include_role:
name: amazon-ec2
tasks_from: create-instance.yml
- name: Install Evolinux
hosts: launched-instances
become: true
become: yes
vars_files:
- 'vars/secrets.yml'
@ -51,12 +51,12 @@
- mysql
post_tasks:
- ansible.builtin.include_role:
name: evolix/etc-git
- include_role:
name: etc-git
tasks_from: commit.yml
vars:
commit_message: "Ansible post-run Evolinux playbook"
- include_role:
name: evolix/evocheck
name: evocheck
tasks_from: exec.yml

4
amazon-ec2/defaults/main.yml
View file

@ -122,10 +122,6 @@ ec2_evolinux_security_group:
from_port: 2222
to_port: 2222
cidr_ip: 0.0.0.0/0
- proto: tcp
from_port: 22222
to_port: 22222
cidr_ip: 0.0.0.0/0
- proto: tcp
from_port: 2223
to_port: 2223

38
amazon-ec2/tasks/create-instance.yml
View file

@ -1,36 +1,36 @@
---
- name: Launch new instance(s)
amazon.aws.ec2:
ec2:
state: present
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
region: "{{ aws_region }}"
image: "{{ ec2_base_ami }}"
instance_type: "{{ ec2_instance_type }}"
count: "{{ ec2_instance_count }}"
assign_public_ip: "{{ ec2_public_ip }}"
group: "{{ ec2_security_group.name }}"
key_name: "{{ ec2_keyname }}"
aws_access_key: "{{aws_access_key}}"
aws_secret_key: "{{aws_secret_key}}"
region: "{{aws_region}}"
image: "{{ec2_base_ami}}"
instance_type: "{{ec2_instance_type}}"
count: "{{ec2_instance_count}}"
assign_public_ip: "{{ec2_public_ip}}"
group: "{{ec2_security_group.name}}"
key_name: "{{ec2_keyname}}"
wait: yes
register: ec2
- name: Add newly created instance(s) to inventory
ansible.builtin.add_host:
hostname: "{{ item.public_dns_name }}"
add_host:
hostname: "{{item.public_dns_name}}"
groupname: launched-instances
ansible_user: admin
ansible_ssh_common_args: "-o StrictHostKeyChecking=no"
loop: "{{ ec2.instances }}"
with_items: "{{ec2.instances}}"
- ansible.builtin.debug:
msg: "Your newly created instance is reachable at: {{ item.public_dns_name }}"
loop: "{{ ec2.instances }}"
- debug:
msg: "Your newly created instance is reachable at: {{item.public_dns_name}}"
with_items: "{{ec2.instances}}"
- name: Wait for SSH to come up on all instances (give up after 2m)
ansible.builtin.wait_for:
wait_for:
state: started
host: "{{ item.public_dns_name }}"
host: "{{item.public_dns_name}}"
port: 22
timeout: 120
loop: "{{ ec2.instances }}"
with_items: "{{ec2.instances}}"

2
amazon-ec2/tasks/post-install.yml
View file

@ -1,5 +1,5 @@
---
- name: Remove admin user
ansible.builtin.user:
user:
name: admin
state: absent

4
amazon-ec2/tasks/setup.yml
View file

@ -1,7 +1,7 @@
---
- name: Create default security group
amazon.aws.ec2_group:
ec2_group:
name: "{{ ec2_security_group.name }}"
state: present
aws_access_key: "{{ aws_access_key }}"
@ -12,7 +12,7 @@
rules_egress: "{{ ec2_security_group.rules_egress }}"
- name: Create key pair
amazon.aws.ec2_key:
ec2_key:
name: "{{ ec2_keyname }}"
state: present
aws_access_key: "{{ aws_access_key }}"

6
apache/defaults/main.yml
View file

@ -11,7 +11,6 @@ apache_evolinux_default_enabled: True
apache_evolinux_default_ssl_cert: /etc/ssl/certs/ssl-cert-snakeoil.pem
apache_evolinux_default_ssl_key: /etc/ssl/private/ssl-cert-snakeoil.key
apache_serverstatus_host: 127.0.0.1
apache_serverstatus_suffix: ""
apache_serverstatus_suffix_file: "/etc/evolinux/apache_serverstatus_suffix"
@ -21,7 +20,4 @@ apache_munin_include: True
general_alert_email: "root@localhost"
log2mail_alert_email: Null
apache_logrotate_frequency: daily
apache_logrotate_rotate: 365
apache_mpm: "itk"
apache_serverstatus_host: 127.0.0.1

3
apache/files/evolinux-custom.conf
View file

@ -24,6 +24,3 @@ SetEnvIf User-Agent "ApacheBench" GoAway=1
#<FilesMatch ".(eot|ttf|otf|woff)">
# Header set Access-Control-Allow-Origin "*"
#</FilesMatch>
# you need disable EnableCapabilities to use data on NFS mounts
#EnableCapabilities off

79
apache/files/evolinux-defaults.conf
View file

@ -3,65 +3,34 @@ Timeout 10
KeepAliveTimeout 2
MaxKeepAliveRequests 10
#MaxClients 250
<IfModule mpm_prefork_module>
MaxRequestWorkers 250
ServerLimit 250
StartServers 50
MinSpareServers 20
MaxSpareServers 30
MaxConnectionsPerChild 100
MaxRequestWorkers 250
ServerLimit 250
StartServers 50
MinSpareServers 20
MaxSpareServers 30
MaxRequestsPerChild 0
<Directory /home/>
AllowOverride None
Require all granted
# "Require not env XXX" is not supported :(
Deny from env=GoAway
</Directory>
<IfModule mod_ssl.c>
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4
</IfModule>
<Files ~ "\.(inc|bak)$">
Require all denied
</Files>
<IfModule mpm_worker_module>
StartServers 3
MinSpareThreads 25
MaxSpareThreads 75
ThreadLimit 64
ThreadsPerChild 25
MaxRequestWorkers 150
MaxConnectionsPerChild 100
</IfModule>
<IfModule mpm_itk_module>
LimitUIDRange 0 6000
LimitGIDRange 0 6000
</IfModule>
<IfModule ssl_module>
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4
</IfModule>
<IfModule status_module>
<IfModule mod_status.c>
ExtendedStatus On
<IfModule proxy_module>
<IfModule mod_proxy.c>
ProxyStatus On
</IfModule>
</IfModule>
# Go away bad bots (define "bad bots" in zzz-evolinux-custom.conf)
<If "reqenv('GoAway') -eq 1">
Require all denied
</If>
<DirectoryMatch "/\.git">
# We don't want to let the client know a file exist on the server,
# so we return 404 "Not found" instead of 403 "Forbidden".
Redirect 404 "-"
</DirectoryMatch>
# File names starting with
<FilesMatch "^\.(git|env)">
Redirect 404 "-"
</FilesMatch>
# File names ending with
<FilesMatch "\.(inc|bak)$">
Redirect 404 "-"
</FilesMatch>
<LocationMatch "^/evolinux_fpm_status-.*">
Require all denied
</LocationMatch>
<IfModule mpm_itk.c>
LimitUIDRange 0 6000
LimitGIDRange 0 6000
</IfModule>

12
apache/files/save_apache_status.sh
View file

@ -4,18 +4,14 @@ set -e
DIR="/var/log/apache-status"
URL="http://127.0.0.1/server-status"
TS=$(date +%Y%m%d%H%M%S)
TS=`date +%Y%m%d%H%M%S`
FILE="${DIR}/${TS}.html"
if [ ! -d "${DIR}" ]; then
mkdir -p "${DIR}"
chown root:adm "${DIR}"
chmod 750 "${DIR}"
fi
mkdir -p "${DIR}"
wget -q -O "${FILE}" "${URL}"
wget -q -U "save_apache_status" -O "${FILE}" "${URL}"
chmod 640 "${FILE}"
chown root:adm "${FILE}"
find "${DIR}" -type f -mtime +1 -delete

6
apache/handlers/main.yml
View file

@ -1,15 +1,15 @@
---
- name: restart apache
ansible.builtin.service:
service:
name: apache2
state: restarted
- name: reload apache
ansible.builtin.service:
service:
name: apache2
state: reloaded
- name: restart munin-node
ansible.builtin.service:
service:
name: munin-node
state: restarted

18
apache/meta/main.yml
View file

@ -1,24 +1,18 @@
---
galaxy_info:
company: Evolix
author: Evolix
description: Installation and basic configuration of Apache
issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues
license: GPLv2
min_ansible_version: "2.2"
min_ansible_version: 2.2
platforms:
- name: Debian
versions:
- jessie
- stretch
- buster
galaxy_tags: []
# Be sure to remove the '[]' above if you add dependencies
# to this list.
- name: Debian
versions:
- jessie
- stretch
dependencies: []
# List your role dependencies here, one per line.

22
apache/tasks/auth.yml
View file

@ -1,21 +1,21 @@
---
- name: Init ipaddr_whitelist.conf file
ansible.builtin.copy:
copy:
src: ipaddr_whitelist.conf
dest: /etc/apache2/ipaddr_whitelist.conf
owner: root
group: root
mode: "0640"
force: false
force: no
tags:
- apache
- name: Load IP whitelist task
ansible.builtin.import_tasks: ip_whitelist.yml
include: ip_whitelist.yml
- name: include private IP whitelist for server-status
ansible.builtin.lineinfile:
lineinfile:
dest: /etc/apache2/mods-available/status.conf
line: " include /etc/apache2/ipaddr_whitelist.conf"
insertafter: 'SetHandler server-status'
@ -24,33 +24,33 @@
- apache
- name: Copy private_htpasswd
ansible.builtin.copy:
copy:
src: private_htpasswd
dest: /etc/apache2/private_htpasswd
owner: root
group: root
mode: "0640"
force: false
force: no
notify: reload apache
tags:
- apache
- name: add user:pwd to private htpasswd
ansible.builtin.lineinfile:
lineinfile:
dest: /etc/apache2/private_htpasswd
line: "{{ item }}"
state: present
loop: "{{ apache_private_htpasswd_present }}"
with_items: "{{ apache_private_htpasswd_present }}"
notify: reload apache
tags:
- apache
- name: remove user:pwd from private htpasswd
ansible.builtin.lineinfile:
lineinfile:
dest: /etc/apache2/private_htpasswd
line: "{{ item }}"
state: absent
loop: "{{ apache_private_htpasswd_absent }}"
with_items: "{{ apache_private_htpasswd_absent }}"
notify: reload apache
tags:
- apache

9
apache/tasks/ip_whitelist.yml
View file

@ -1,23 +1,22 @@
---
- name: add IP addresses to private IP whitelist
ansible.builtin.lineinfile:
lineinfile:
dest: /etc/apache2/ipaddr_whitelist.conf
line: "Require ip {{ item }}"
state: present
create: yes
loop: "{{ apache_ipaddr_whitelist_present }}"
with_items: "{{ apache_ipaddr_whitelist_present }}"
notify: reload apache
tags:
- apache
- ips
- name: remove IP addresses from private IP whitelist
ansible.builtin.lineinfile:
lineinfile:
dest: /etc/apache2/ipaddr_whitelist.conf
line: "Require ip {{ item }}"
state: absent
loop: "{{ apache_ipaddr_whitelist_absent }}"
with_items: "{{ apache_ipaddr_whitelist_absent }}"
notify: reload apache
tags:
- apache

6
apache/tasks/log2mail.yml
View file

@ -1,19 +1,19 @@
---
- name: log2mail is installed
ansible.builtin.apt:
apt:
name: log2mail
state: present
tags:
- apache
- name: Add log2mail config for Apache segfaults
ansible.builtin.template:
template:
src: log2mail-apache.j2
dest: "/etc/log2mail/config/apache"
owner: log2mail
group: adm
mode: "0644"
force: false
force: no
tags:
- apache

120
apache/tasks/main.yml
View file

@ -1,51 +1,43 @@
---
- name: packages are installed (Debian 9 or later)
ansible.builtin.apt:
name:
- apache2
- libapache2-mod-evasive
- apachetop
- libwww-perl
apt:
name: '{{ item }}'
state: present
with_items:
- apache2
- libapache2-mpm-itk
- libapache2-mod-evasive
- apachetop
- libwww-perl
tags:
- apache
- packages
when: ansible_distribution_major_version is version('9', '>=')
- name: itk package is installed if required (Debian 9 or later)
ansible.builtin.apt:
name:
- libapache2-mpm-itk
state: present
tags:
- apache
- packages
when:
- ansible_distribution_major_version is version('9', '>=')
- apache_mpm == "itk"
when: ansible_distribution_major_version | version_compare('9', '>=')
- name: packages are installed (jessie)
ansible.builtin.apt:
name:
- apache2-mpm-itk
- libapache2-mod-evasive
- apachetop
- libwww-perl
apt:
name: '{{ item }}'
state: present
with_items:
- apache2-mpm-itk
- libapache2-mod-evasive
- apachetop
- libwww-perl
tags:
- apache
- packages
when: ansible_distribution_release == "jessie"
- name: basic modules are enabled
community.general.apache2_module:
apache2_module:
name: '{{ item }}'
state: present
loop:
with_items:
- rewrite
- expires
- headers
- cgi
- ssl
- include
- negotiation
@ -54,44 +46,32 @@
tags:
- apache
- name: basic modules are enabled
community.general.apache2_module:
name: '{{ item }}'
state: present
loop:
- cgi
notify: reload apache
when: apache_mpm == "prefork" or apache_mpm == "itk"
tags:
- apache
- name: Copy Apache defaults config file
ansible.builtin.copy:
copy:
src: evolinux-defaults.conf
dest: "/etc/apache2/conf-available/z-evolinux-defaults.conf"
owner: root
group: root
mode: "0640"
force: true
force: yes
notify: reload apache
tags:
- apache
- name: Copy Apache custom config file
ansible.builtin.copy:
copy:
src: evolinux-custom.conf
dest: "/etc/apache2/conf-available/zzz-evolinux-custom.conf"
owner: root
group: root
mode: "0640"
force: false
force: no
notify: reload apache
tags:
- apache
- name: disable status.conf
ansible.builtin.file:
file:
dest: /etc/apache2/mods-enabled/status.conf
state: absent
notify: reload apache
@ -99,49 +79,47 @@
- apache
- name: Ensure Apache config files are enabled
ansible.builtin.command:
cmd: "a2enconf {{ item }}"
command: "a2enconf {{ item }}"
register: command_result
changed_when: "'Enabling' in command_result.stderr"
loop:
with_items:
- z-evolinux-defaults.conf
- zzz-evolinux-custom.conf
notify: reload apache
tags:
- apache
- ansible.builtin.include: auth.yml
- include: auth.yml
tags:
- apache
- name: default vhost is installed
ansible.builtin.template:
template:
src: evolinux-default.conf.j2
dest: /etc/apache2/sites-available/000-evolinux-default.conf
mode: "0640"
force: false
force: no
notify: reload apache
tags:
- apache
- name: default vhost is enabled
ansible.builtin.file:
file:
src: /etc/apache2/sites-available/000-evolinux-default.conf
dest: /etc/apache2/sites-enabled/000-default.conf
state: link
force: true
force: yes
notify: reload apache
when: apache_evolinux_default_enabled | bool
when: apache_evolinux_default_enabled
tags:
- apache
- ansible.builtin.include: server_status.yml
- include: server_status.yml
tags:
- apache
- name: is umask already present?
ansible.builtin.command:
cmd: "grep -E '^umask ' /etc/apache2/envvars"
command: "grep -E '^umask ' /etc/apache2/envvars"
failed_when: False
changed_when: False
register: envvar_grep_umask
@ -150,7 +128,7 @@
- apache
- name: Add a mark in envvars for umask
ansible.builtin.blockinfile:
blockinfile:
dest: /etc/apache2/envvars
marker: "## {mark} ANSIBLE MANAGED BLOCK"
block: |
@ -161,13 +139,13 @@
tags:
- apache
- ansible.builtin.include_role:
name: evolix/remount-usr
- include_role:
name: remount-usr
tags:
- apache
- name: /usr/share/scripts exists
ansible.builtin.file:
file:
dest: /usr/share/scripts
mode: "0700"
owner: root
@ -177,36 +155,36 @@
- apache
- name: "Install save_apache_status.sh"
ansible.builtin.copy:
copy:
src: save_apache_status.sh
dest: /usr/share/scripts/save_apache_status.sh
mode: "0755"
force: false
force: no
tags:
- apache
- name: "logrotate: {{ apache_logrotate_frequency }}"
ansible.builtin.replace:
- name: "logrotate: rotate weekly"
replace:
dest: /etc/logrotate.d/apache2
regexp: "(daily|weekly|monthly)"
replace: "{{ apache_logrotate_frequency }}"
replace: "weekly"
tags:
- apache
- name: "logrotate: rotate {{ apache_logrotate_rotate }}"
ansible.builtin.replace:
- name: "logrotate: keep 52 files"
replace:
dest: /etc/logrotate.d/apache2
regexp: '^(\s+rotate) \d+$'
replace: '\1 {{ apache_logrotate_rotate }}'
replace: '\1 52'
tags:
- apache
- ansible.builtin.include: log2mail.yml
- include: log2mail.yml
when: apache_log2mail_include
tags:
- apache
- ansible.builtin.include: munin.yml
when: apache_munin_include | bool
- include: munin.yml
when: apache_munin_include
tags:
- apache

27
apache/tasks/munin.yml
View file

@ -1,21 +1,22 @@
---
- name: "Install munin-node and core plugins packages"
ansible.builtin.apt:
name:
- munin-node
- munin-plugins-core
apt:
name: "{{ item }}"
state: present
with_items:
- munin-node
- munin-plugins-core
tags:
- apache
- munin
- name: "Enable Munin plugins"
ansible.builtin.file:
file:
src: "/usr/share/munin/plugins/{{ item }}"
dest: "/etc/munin/plugins/{{ item }}"
state: link
loop:
with_items:
- apache_accesses
- apache_processes
- apache_volume
@ -25,19 +26,19 @@
- munin
- name: "Install fcgi packages for Munin graphs"
ansible.builtin.apt:
name:
- libapache2-mod-fcgid
- libcgi-fast-perl
apt:
name: "{{ item }}"
state: present
with_items:
- libapache2-mod-fcgid
- libcgi-fast-perl
notify: reload apache
tags:
- apache
- munin
- name: "Enable libapache2-mod-fcgid"
ansible.builtin.command:
cmd: a2enmod fcgid
command: a2enmod fcgid
register: cmd_enable_fcgid
changed_when: "'Module fcgid already enabled' not in cmd_enable_fcgid.stdout"
notify: restart apache
@ -46,7 +47,7 @@
- munin
- name: "Apache has access to /var/log/munin/"
ansible.builtin.file:
file:
path: /var/log/munin/
group: www-data
tags:

36
apache/tasks/server_status.yml
View file

@ -1,7 +1,7 @@
---
- name: server status dirname exists
ansible.builtin.file:
file:
dest: "{{ apache_serverstatus_suffix_file | dirname }}"
mode: "0700"
owner: root
@ -9,71 +9,61 @@
state: directory
- name: set apache serverstatus suffix if provided
ansible.builtin.copy:
copy:
dest: "{{ apache_serverstatus_suffix_file }}"
# The last character "\u000A" is a line feed (LF), it's better to keep it
content: "{{ apache_serverstatus_suffix }}\u000A"
force: true
when: apache_serverstatus_suffix | length > 0
force: yes
when: apache_serverstatus_suffix != ""
- name: generate random string for server-status suffix
ansible.builtin.shell:
cmd: "apg -a 1 -M N -n 1 > {{ apache_serverstatus_suffix_file }}"
shell: "apg -a 1 -M N -n 1 > {{ apache_serverstatus_suffix_file }}"
args:
creates: "{{ apache_serverstatus_suffix_file }}"
- name: read apache server status suffix
ansible.builtin.command:
cmd: "tail -n 1 {{ apache_serverstatus_suffix_file }}"
command: "tail -n 1 {{ apache_serverstatus_suffix_file }}"
changed_when: False
check_mode: no
register: new_apache_serverstatus_suffix
- name: overwrite apache_serverstatus_suffix
ansible.builtin.set_fact:
set_fact:
apache_serverstatus_suffix: "{{ new_apache_serverstatus_suffix.stdout }}"
- ansible.builtin.debug:
- debug:
var: apache_serverstatus_suffix
verbosity: 1
- name: replace server-status suffix in default site index
ansible.builtin.replace:
replace:
dest: /var/www/index.html
regexp: '__SERVERSTATUS_SUFFIX__'
replace: "{{ apache_serverstatus_suffix }}"
- name: add server-status suffix in default site index if missing
ansible.builtin.replace:
replace:
dest: /var/www/index.html
regexp: '"/server-status-?"'
replace: '"/server-status-{{ apache_serverstatus_suffix }}"'
- name: add server-status suffix in default VHost
ansible.builtin.replace:
replace:
dest: /etc/apache2/sites-available/000-evolinux-default.conf
regexp: '<Location /server-status-?>'
replace: '<Location /server-status-{{ apache_serverstatus_suffix }}>'
notify: reload apache
- name: Munin configuration has a section for apache
ansible.builtin.lineinfile:
lineinfile:
dest: /etc/munin/plugin-conf.d/munin-node
line: "[apache_*]"
create: no
- name: apache-status URL is configured for Munin
ansible.builtin.lineinfile:
lineinfile:
dest: /etc/munin/plugin-conf.d/munin-node
line: "env.url http://{{ apache_serverstatus_host }}/server-status-{{ apache_serverstatus_suffix }}?auto"
regexp: 'env.url http://[^\\/]+/server-status'
insertafter: "[apache_*]"
create: no
notify: restart munin-node
- name: add mailgraph URL in index.html
ansible.builtin.lineinfile:
dest: /var/www/index.html
state: present
line: ' <li><a href="/mailgraph">Stats Mail</a></li>'
insertbefore: "</ul>"

19
apache/templates/evolinux-default.conf.j2
View file

@ -35,15 +35,6 @@
Include /etc/apache2/ipaddr_whitelist.conf
</Directory>
# Mailgraph configuration
Alias /mailgraph /usr/share/mailgraph
<Directory /usr/share/mailgraph>
DirectoryIndex mailgraph.cgi
Require all granted
Options +FollowSymLinks +ExecCGI
AddHandler cgi-script .cgi
</Directory>
CustomLog /var/log/apache2/access.log vhost_combined
ErrorLog /var/log/apache2/error.log
LogLevel warn
@ -52,7 +43,6 @@
RewriteEngine on
# Redirect to HTTPS, execpt for munin, because some plugins
# can't handle HTTPS! :(
RewriteCond %{REQUEST_URI} !^/.well-known.*$ [NC] [OR]
RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC] [OR]
RewriteCond %{REQUEST_URI} !^/munin_opcache.php$ [NC]
RewriteRule ^/(.*) https://{{ ansible_fqdn }}/$1 [L,R=permanent]
@ -127,15 +117,6 @@
Include /etc/apache2/ipaddr_whitelist.conf
</Location>
# Mailgraph configuration
Alias /mailgraph /usr/share/mailgraph
<Directory /usr/share/mailgraph>
DirectoryIndex mailgraph.cgi
Require all granted
Options +FollowSymLinks +ExecCGI
AddHandler cgi-script .cgi
</Directory>
# BEGIN phpMyAdmin section
# END phpMyAdmin section

5
apt/defaults/main.yml
View file

@ -8,13 +8,10 @@ apt_upgrade: False
apt_install_basics: True
apt_basics_components: "main"
# With Debian 12+ and the deb822 format of source files
# backports are always installed but enabled according to `apt_install_backports`
apt_install_backports: False
apt_backports_components: "main"
apt_install_evolix_public: True
apt_install_extended_lts: False
apt_clean_gandi_sourceslist: False
@ -28,5 +25,3 @@ apt_check_hold_cron_hour: "*/4"
apt_check_hold_cron_weekday: "*"
apt_check_hold_cron_day: "*"
apt_check_hold_cron_month: "*"
apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"

7
apt/files/check_held_packages.sh
View file

@ -21,12 +21,7 @@ if [ -f ${config_file} ]; then
if [ -n "${package}" ]; then
if is_installed ${package} && ! is_held ${package}; then
apt-mark hold ${package}
msg="Package \`${package}' has been marked \`hold'."
>&2 echo "${msg}"
wall_bin=$(command -v wall)
if [ -n "${wall_bin}" ]; then
"${wall_bin}" --timeout 5 "${msg}"
fi
>&2 echo "Package \`${package}' has been marked \`hold'."
return_code=1
fi
fi

168
apt/files/deb822-migration.py
View file

@ -1,168 +0,0 @@
#!/usr/bin/env python3
##########
# This script takes a multi-lines input of "oneliner-style" APT sources definitions.
# It converts them into "deb822-style" sources.
# Each generated file will have only one stanza, possibly with multiple Types/Suites/Components
##########
import re
import sys
import os
import select
import apt
import apt_pkg
# Order matters !
destinations = {
"debian-security": "security.sources",
".*-backports": "backports.sources",
".debian.org": "system.sources",
"mirror.evolix.org": "system.sources",
"ftp.evolix.org": "system.sources",
"pub.evolix.net": "evolix_public_old.sources.bak",
"pub.evolix.org": "evolix_public.sources",
"artifacts.elastic.co": "elastic.sources",
"download.docker.com": "docker.sources",
"downloads.linux.hpe.com": "hp.sources",
"pkg.jenkins-ci.org": "jenkins.sources",
"packages.sury.org": "sury.sources",
"repo.mongodb.org": "mongodb.sources",
"apt.newrelic.com": "newrelic.sources",
"deb.nodesource.com": "nodesource.sources",
"dl.yarnpkg.com": "yarn.sources",
"apt.postgresql.org": "postgresql.sources",
"packages.microsoft.com/repos/vscode": "microsoft-vscode.sources",
"packages.microsoft.com/repos/ms-teams": "microsoft-teams.sources",
"updates.signal.org": "signal.sources",
"downloads.1password.com/linux/debian": "1password.sources",
"download.virtualbox.org": "virtualbox.sources"
}
sources_parts = apt_pkg.config.find_dir('Dir::Etc::sourceparts')
def split_options(raw):
table = str.maketrans({
"[": None,
"]": None
})
options = raw.translate(table).split(' ')
return options
def auto_destination(uri):
basename = uri
basename = re.sub('\[[^\]]+\]', '', basename)
basename = re.sub('\w+://', '', basename)
basename = '_'.join(re.sub('[^a-zA-Z0-9]', ' ', basename).split())
return '%s.sources' % basename
def destination(matches):
for search_str in destinations.keys():
search_pattern = re.compile(f'{search_str}(/|\s|$)')
if re.search(search_pattern, matches['uri']) or re.search(search_pattern, matches["suite"]):
return destinations[search_str]
# fallback if nothing matches
return auto_destination(matches['uri'])
def prepare_sources(lines):
sources = {}
pattern = re.compile('^(?: *(?P<type>deb|deb-src)) +(?P<options>\[.+\] ?)*(?P<uri>\w+:\/\/\S+) +(?P<suite>\S+)(?: +(?P<components>.*))?$')
for line in lines:
matches = re.match(pattern, line)
if matches is not None:
dest = destination(matches)
options = {}
if matches.group('options'):
for option in split_options(matches['options']):
if "=" in option:
key, value = option.split("=")
options[key] = value
### WARNING ###
# if there are multiple lines with different URIS for a given destination (eg. "system")
# each one will overwrite the previous one
# and the last evaluated will be what remains.
if dest in sources:
sources[dest]["Types"].add(matches["type"])
sources[dest]["URIs"] = matches["uri"]
sources[dest]["Suites"].add(matches["suite"])
sources[dest]["Components"].update(matches["components"].split(' '))
else:
source = {
"Types": {matches['type']},
"URIs": matches['uri'],
"Enabled": "yes",
}
if matches.group('suite'):
source["Suites"] = set(matches['suite'].split(' '))
if matches.group('components'):
source["Components"] = set(matches['components'].split(' '))
if "arch" in options:
if "Architectures" in source:
source["Architectures"].append(options["arch"])
else:
source["Architectures"] = {options["arch"]}
if "signed-by" in options:
if "Signed-by" in source:
source["Signed-by"].append(options["signed-by"])
else:
source["Signed-by"] = {options["signed-by"]}
if "lang" in options:
if "Languages" in source:
source["Languages"].append(options["lang"])
else:
source["Languages"] = {options["lang"]}
if "target" in options:
if "Targets" in source:
source["Targets"].append(options["target"])
else:
source["Targets"] = {options["target"]}
sources[dest] = source
return sources
def save_sources(sources, output_dir):
# print(output_dir)
# print(sources)
for dest, source in sources.items():
source_path = output_dir + dest
with open(source_path, 'w') as file:
for key, value in source.items():
if isinstance(value, str):
file.write("{}: {}\n".format(key, value))
else:
file.write("{}: {}\n".format(key, ' '.join(value)))
def main():
if select.select([sys.stdin, ], [], [], 0.0)[0]:
sources = prepare_sources(sys.stdin)
# elif len(sys.argv) > 1:
# sources = prepare_sources([sys.argv[1]])
else:
print("You must provide source lines to stdin", file=sys.stderr)
sys.exit(1)
output_dir = apt_pkg.config.find_dir('Dir::Etc::sourceparts')
save_sources(sources, output_dir)
if __name__ == "__main__":
main()
sys.exit(0)

55
apt/files/deb822-migration.sh
View file

@ -1,55 +0,0 @@
#!/bin/sh
##########
# This script changes all "one-line" APT sources into "deb822" sources.
# It is responsible for searching and processing the files.
# The actual format migration is done by a python script.
##########
deb822_migrate_script=$(command -v deb822-migration.py)
if [ -z "${deb822_migrate_script}" ]; then
deb822_migrate_script="$(dirname "$0")/deb822-migration.py"
fi
if [ ! -x "${deb822_migrate_script}" ]; then
>&2 echo "ERROR: '${deb822_migrate_script}' not found or not executable"
exit 1
fi
sources_from_file() {
grep --extended-regexp "^\s*(deb|deb-src) " $1
}
rc=0
count=0
if [ -f /etc/apt/sources.list ]; then
sources_from_file /etc/apt/sources.list | ${deb822_migrate_script}
python_rc=$?
if [ ${python_rc} -eq 0 ]; then
mv /etc/apt/sources.list /etc/apt/sources.list.bak
echo "OK: /etc/apt/sources.list"
count=$(( count + 1 ))
else
>&2 echo "ERROR: failed migration for /etc/apt/sources.list"
rc=1
fi
fi
for file in $(find /etc/apt/sources.list.d -mindepth 1 -maxdepth 1 -type f -name '*.list'); do
sources_from_file "${file}" | ${deb822_migrate_script}
python_rc=$?
if [ ${python_rc} -eq 0 ]; then
mv "${file}" "${file}.bak"
echo "OK: ${file}"
count=$(( count + 1 ))
else
>&2 echo "ERROR: failed migration for ${file}"
rc=1
fi
done
echo "${count} file(s) migrated"
exit ${rc}

BIN
apt/files/freexian-archive-extended-lts.gpg
View file

Binary file not shown.

3
apt/files/jessie_backports_preferences Normal file
View file

@ -0,0 +1,3 @@
Package: *
Pin: release a=jessie-backports
Pin-Priority: 50

32
apt/files/move-apt-keyrings.sh
View file

@ -1,32 +0,0 @@
#!/bin/sh
# Move apt repository key from /etc/apt/trusted.gpg.d/ to /etc/apt/keyrings/ and add "signed-by" tag in source list
#
# Example: move-apt-keyrings.sh http://repo.mongodb.org/apt/debian mongodb-server-[0-9\\.]+.asc
repository_pattern=$1
key=$2
found_files=$(grep --files-with-matches --recursive --extended-regexp "${repository_pattern}" "/etc/apt/sources.list.d/*.list")
old_key_file="/etc/apt/trusted.gpg.d/${key}"
new_key_file="/etc/apt/keyrings/${key}"
for file in ${found_files}; do
if ! grep --quiet "signed-by" "${file}"; then
signed_by="signed-by=${new_key_file}"
if grep --quiet "deb(-src)? \[" "${file}"; then
sed -i "s@deb\(-src\)\? \[\([^]]\+\)\]@deb\1 [\2 ${signed_by}]@" "${file}"
else
sed -i "s@deb\(-src\)\? @deb\1 [${signed_by}] @" "${file}"
fi
fi
done
if [ -f "${old_key_file}" ] && [ ! -f "${new_key_file}" ]; then
mv "${old_key_file}" "${new_key_file}"
fi
if [ -f "${new_key_file}" ]; then
chmod 644 "${new_key_file}"
chown root: "${new_key_file}"
fi

87
apt/files/pub_evolix.asc
View file

@ -1,87 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBGOsRdcBEADDPJ8Tsqr5Z4crmQlNQM32hfufe7gTUrXo0cAL8clt92y1QX3N
YyMv0Re4+Ugo7JZd4jsF2Q1twJMxsX5rA12xDnHHcZRSc/E0DIYvPnfLzEHkwseN
OK4f9lI+xo06k+B3KQQKMeI/RjVaN6AiSply9ZGaZVeGGqd4es4PsU1VQMTWdclV
Bn54HBWUnL5dPStPMnNkt0bMQYIqc5733Yby3qMiUKcql2bl9TYBw8SaJXvClsLw
ERqit6FjljUOEeWtB4WZFpjhc/aqcxGcUTPHRrNTlNF0HCvk8JicEu4/lr99pwy7
7z6SRql++WGMSG06E4MBtUt+wWAmDDHNj3fdZPnoCaDFp7vxy/FEARB2aygTtu11
mLk4XOKheqU/WibWxoXRzyUCuclJ247Fh+YPxkYVG1dnDwpWGbYuRmzUapGLv4ma
dnKsQN0KhXzUqkSoybBgV208dGOP7BqdY6TVnyU0v/7XDeUqFEwnllRKMSYLilV3
huTifiCFTK45HACM/x2yckx8dyAuYg6cJaAR1yn1iaTexoyYPG9ZFifvMB6ranEm
vkmQq1e8/7xiNSQsh5F3Ybl5hh4GVLwsR6esfZsHG0Ve+CitsmcZgWnr0JJ2PZOk
+XHxMwo7Gb0/KVH9XGeoXk+eiNNW/kdcgBMkGkU3nWooVHDm7Dy54I5CzQARAQAB
tC9Fdm9saXggUHVibGljIFJlcG9zaXRvcnkgPGVxdWlwZStwdWJAZXZvbGl4LmZy
PokCVAQTAQoAPhYhBP+vfRvzUK1F+rMpCUaPWta4YwY9BQJjrEXXAhsDBQkHhM4A
BQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEEaPWta4YwY9V6oP/iYfZceiA1Sy
x9t/7CL3EReuvpdZtZYf2KklBfxEFtzkERV/KKMMpf8mKoGD6BA+ryUc7b4a8npq
yvKbSKDHGZW6gAbq8hneW71vRuNfPNqtfO98JbJO694nqX9sIYU2xQn0UIh0G6N7
D2bOcaicn8AgV/8cQZfgN9yRM4VhCoWZwhLqgROUqMYfDn3szamfkPcFiw10ToVt
c2PIFdqj2soKO9OrF5Ct/pztSGy1f+orDFiJ0AtRlqqRk9z18VB893qspfyd6y9N
q7IrQbYsiP+D8DcXYWZA1KURsI4LVQwsudNXokvGkYdnZitVgXI2lIaY7odDou5F
btZsCIEa45m7Vmvu0Wvtu/90EFbu9iwbOVrNpC7lLnfJpDObVXMiY1r0rQVuweEZ
ZbBcv1NUa3R0SPsPLPKf7L6dCx8gCpZjDVJLsgBeeSEV7XFQiYDbl8THasNTKCOa
C6v4h00mg0H6GhZvGMx+lcx8TzW6l3XXRoptHl4vkdE5usLFjy8/JWG3yJ7e2W3D
jVbPQ0UKJAnkGn1t+UJB1GP9O4annks0nPfcomjZzaDweIL8zSLPy5R9DGNgYLjp
5h/baLoNAOkaKssZrusq/P+BM2tdr3i/N6TK+dbrffz3hNgzSFFYVg51DspV7XWo
JKGqhqCgQpkms+NPJiKr4NDs6DdXn0IKuQINBGOsRdcBEAC9i5qcrYLTfeGrWPo3
Zok3jikNk181HC3HR7Wu8a5whCe/88GgJDY00sU2zZEF9hN/4Vtqq9FICVXUcs+F
5j+Gcb/sqAgwXuwk8LKuhbtR2cnz6I0GCsqNPuj+5uM7MXQlVWeIN5Z6zA/Jw++o
aENZHO6cnuep2KDNPUZzjmTHAa4+qXRL5cRXEOmMB1vtA8mm/43c7wicJ7MrZpba
mqzmiQPsQ2qfmCABfx8BwBgXCVON4sgtzCa+rYOPScsDtv0pv6uG+h/GJp4MdKBp
g3BfShQEAmOwwy3Pt2vo9Rw2s0uJJ9AM2O6tJ3x93YkUP5qj3Etr/eTcgVUiVvSs
h2Rrz2FLen3GMAcqUUDPViCy9nEWRAo7iWQgAKgr8WjeGerOmtsYPyjIQE47eX5M
Gomx0LVCGigYfkSAFIYzm5I+depmn1qTUyizfklvPr0bA/8Cs4zbqx6Pf6Rk5wvb
sJ4envk3dzQRNTH1Vt7Yoktyx1+VX0HFVEaPTQ3JlFORaHYwQQ97LaOZ0VmztE0A
5+CIFFdqp/0H7zGPol+LsPgqnzZZEQ2XFYPOy7/gB17zI2eWNWPAQmOdrUM/v12A
etnLEthZyALcjjBpJEVIHFnuaabYp+mdotycjDkBNSh+P+8H/UsMSrNVhheKQLB8
smzwFcSrAcnQbtiCjFWANTWyKQARAQABiQI8BBgBCgAmFiEE/699G/NQrUX6sykJ
Ro9a1rhjBj0FAmOsRdcCGwwFCQeEzgAACgkQRo9a1rhjBj0FZw//fNhJdx55ACvX
mpa8wz6eZOvzhr5GWSW5/Qie9nRjInPPI3bJ/jU0S/4ENqFBD9RSvY5F+0xCU67F
V2R3a3FFcB81HLIcUrkN0GH6fLcex0Js+grq/U117e2umdfGMKQG0UFJ+XonhtlT
foBcBjXPFr2NUaJB2SPo/RPQ3U+N3wMSm0ZbB/Xvxi5qMEb971dfObvsXTkQZvn7
b0TvccfHhyzs2IM8pZO3PamTwA5e16/2QqisRX4CeL0a/q3Yxfw4R8RPCrz/l0k5
FPdbdXaQuk5s+CiV+Nse7yFGoEoSlLpJM2BpueBsIg92joyOstZRm+tuCb5QefWI
7yFPfJU6xG1CMDqIGjXNU1tzSIoReGUBCNrE9UgzBQPPVD0jNM1WdW6HWSVR7jBb
+dvAeJNzQjJYlvKLQ383mAiVcwmCWBUp+R/kBPlLMGEpLlspti5fkmEc8xvtCaHc
fCLVWd0r2lUFUz+W53r8IXaRcxLtFinz7SHZPrlhaVwErdtlo+5X3kq39Mc4KCmF
bevT+qxlgzHXof+WGTYoc9IHkhDrvZ/TWeAUnBPvVn88dsBRtOC9f5wSCK4r9SfR
Dnf0lAsLWMpNtt812W8sA82RGXRUBwonZKa7YoGNKSa2vPJcUgmpIiHNtoLWpNa+
7pYGN7bV51zyQ1ERaLU5TBC9sPE70p25Ag0EY6xJaQEQAKsxFCb4Vxe8VuUEAKp/
RSRNGX/v9KqXVwbnf3kTYq9FMoplZBeqj4LQ22BqRzZ74ywoyfvHHtvkAtCbmrlc
8iLQEmicLug3Ibk97qm1lvvHnK9fqFOWh+Tx/omlaiSzEfAFbLEjNcplmq1ooqmX
fkI9zcefLZHtUFx6Clw3rwp79d/V5XJDM+2jwB47HfIhrW6jEubUuaXIHNR/GSSd
gTYuw55g9K97LhONX6ZvSBhjp4pOeUUbtFuG1fRkjPiObsB54fJ2R32yfm4jV53/
YgG/Ih/o97tKV+ishQIrr85SB3XiLFlGhQuu/0a/+/vfGVTbJOzrQrE+OCWt9Xm1
4b91MiVSSzXy6TGzPvpNXYR2PQZzVwvz7UctCikaE4gGB0lSH0LemDD0LZIZUwBL
1G9mlwFTkMYK0+iMyHFOKeAlUnSSpO6hFYr4GHOxAMGTjHqqEJZ3lBi9SBPc7AEK
3NcEp4etuiLOeaSBtqmUs+y7g8yMTrnyWPVxa0l5q4OUitbb2qvWYbaD3O22xYyj
9BlqzpG9uO6/d8HefDK8XMNCHlmwFoJj3HJlHJg7oN029vYsXEwBIhFyolAPzIvB
jpLKcebq9DJSObs1nHjAyVUpL4ZzRmujFcJYDYSixiqaWc/1aGTgUZQ/JDXcODiC
LgFu1vLTRf6hwKSb/vnZP5OtABEBAAGJBHIEGAEKACYWIQT/r30b81CtRfqzKQlG
j1rWuGMGPQUCY6xJaQIbAgUJA8JnAAJACRBGj1rWuGMGPcF0IAQZAQoAHRYhBA7H
BbTwXPF0hLMgRYefxhvnjx3ABQJjrElpAAoJEIefxhvnjx3ANpUQAIFLkLcx2z3M
jV0SgoAYertib9T/OOy/rsfeQjE6DFk6IArrHolZPA9g/PpTPuRwK165n5xw483q
BMyssUT9IK7SZxt0gbKpvZ0HFSCwSp5wdSJZymwB4AOcgRBU5rwC/9fFxYihgIym
Ig7TH9aWW4hDbEuGJDrKbhK+DpIL7lK3A5WUZk9ltGOpCcFctV3YnVgbMIwX5gO6
lZ5Zi6NHJEB3HauVZJ59NIPJ/f0xe5GMte/LXckyijs9ei4WOFOjstiW64EWkOBH
El0tj+LUxLznCP2szdXjkDN1P6/NDrY1Nid6/ECOfkh4xO/VHhkdSRAlhdP9FHiV
sy3KUUoPH5B805z1MyOI7UYUD/8CK0juIXcbw7isbVUmLf/VV8jEDmq3WWDj8YZp
IStn2AvQeo3VWGWUfkf3v7UthKandIUTIGc5isD+i6KvzzbggyyZWNtvb3/1wMrz
DUKGlFi/IjMhhElJ0oF3YGsBwz2V2UKP7pPIYo+f5zthc7SbmO9yxAQebEOc3prM
G/Br8JOZ90w1dy6CeIYxkM4YEhhG1K8CzD3ZTTI7vh8mwRc92A6HI2NFyxeYJCr0
IsUcFQpCyXMtcLRN75DGLIjIKdYrYJuwSiUgcH5FtgkuxMYfJEX9UX8rV7HAxUvs
UdIyHLl7k+khGlZa0/W6uCioFNiygnBEp7oP/iSj4Q2Xh5yKI6Jjw/IsfRcsiaac
lHc7uF0caYGMkqRNHiX17d5EtaidTbiqQii1W9slSPXmUuUcKfD1xUfLng7TbZVm
AdEbpHCT+q037cGCYFpHPMvw3OYhhGzYeh3+1oN9t3ZvyGlvAhkrtssDQB+gxX8r
adCpihziFLjm+6IvCLYHEh3gILVFbbhdYDDUduFFjf/snlJW7j8OVc7Cxa7FbPdf
SHLT9VESzf7oiwkP5/ijGmHiEQoJd9EWYkGGz+LZAXemBwe5ZnPPWVZvDEQRMe8v
2V8pa37vyReaK//O8xxGg3NzGTn9otwVr/4Ti9OxrSzmDWpd967oZ42IZSeSY2bz
kOaV8z4C8AIgIA7vWOS83Hncbrgf2nMCXmRjf0KTMm1P7Z0BQDWpxK9lP0nRpVAg
2T3/OjJ9KcAsTz02NFC3/kOUz//NcfDP747HsQB0sltIty140B7CfcWk0a0eKSad
OxGUehskjyKhO6v3dYF+8oR9p98Q8/Rh8r7evYy2mfhgJd7a9Cchn7612Y6k1SLf
nmPGYu3s0lf/k6GoHLfXXQIJDgWeua4ZBr6cgpGONLSvWBeCVaqnk8nhbNIiSBHk
jnrcX8xAtoPLgqg0+yi7rZ3NAauZcQE6UaNB+xjJxDOIpgVLUWtFyAG4MDeIh6GH
oA9QflpnDubMnCve
=ZCml
-----END PGP PUBLIC KEY BLOCK-----

BIN
apt/files/pub_evolix.gpg
View file

Binary file not shown.

920
apt/files/reg.asc
View file

@ -1,920 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: SKS 1.1.6
Comment: Hostname: keyserver.ubuntu.com
mQINBEoHZ5kBEAC680PjynWTcP3ZtVfWWL6zQAcD8JoC+c5MbnpFScqtBc2MdlVZu6zED+B5
sw2SSLf1EZlfbTPc3GcWTwdiXj2GQKzjMra1MZKUnVOD/uMVkj0ZTszUQziW01O9sWPhxbMu
Qr7OD04jQ7TjtBBEJD+yf0HJsDVC7TCbpcNNtmhXByXqw7bgo0rzxeOB3hL88I7AcC7ve5iR
xwXoXJYs1hgJMPmZXJmhKb0a3pVk075yMsXnxlOqM7XBk++zodDR03Ym21GLFOu+3DLTX9aC
aU/AjXb/udtEBAHv+iVxZChzka/KkYMY+KX8A7niE/UN2PIfhWDTmLLcTyBAOuis6cUqDm2a
w0IbXh359dfBbgV4/QLoafcM841W47Menp9tb0Qz1uHYwV6jjDEmbpGgEJRGIqd143j/zGBP
xffmtPq1zn/QFVBQNltLiMyclAR1Yb4fksDkt8JGmvI+FwaHdx3dn1VU0hbdYR/5CHtsxN4V
P/juUOrjbagp5zBBXLlVIVceGoD0mNkNWPyZh8C3SHg2Y+Q7t+cz4xysQN5BUHL4DX6nEIJA
u0cZdBtr8dtkJToYlhSFaLFwZh/XmOgOndSNmeJz4ll29Xc3V2/hCQlllHXux5E79rRNRKK/
rSydUzYir755udPWw18+6mPUzT6NDaVDDAwSOLOn99OUJt6bBQARAQABtB9HcmVnb3J5IENv
bHBhcnQgPHJlZ0Bldm9saXguY2E+iQI3BBMBCAAhBQJWEagEAhsDBQsJCAcDBRUKCQgLBRYC
AwEAAh4BAheAAAoJEESXUni4YStdYDAQAKuwOHT+wDS6vL6Xqp/59eKLaB02lTQuTDFq55K4
dK9TNYOTmPoxvgeJigT3pHHfKQFS/wwigkOfv8VebBZAcjY03N+Joau1Vi+Er2VNR5Pt0jAf
ApwZqe+8NMAfefculZvO0g91g2lcqJoMUIaUemAqOD/CoAMMXGQSNlX4BLsI7dbvkLLjbPSa
wEODAMvuSLilI38dj7wBC30IAOQkOdkB34I/eL/sGruOxYSK7UFJfNU1aD2oQhTkYEQ5cgNK
vE325fOx7m/sZ5aAlNvtZ3jS4ym45feT9xrbG2qHTbJiVAhdtfHMXGOU6/0UHJ3+YHHdzZhu
0NCWinu18nDVeDWLmkqkZd77QtTpC/zw5s3+t8lpyqUAF+bN80ZHbB47bFphIupmWGDP2ihM
NBWBwwFZb7ry27mLyyXKVOFWrYZPrdlNheEjUP7x0GzEO0kuxYO4fyTic5lu594hxwt/LWV1
s48SV95dXqpQIRroV8ePZoJxlD4hXh1x23AgkWgG+SS3perIGypmouOdl9CQ3yAYSCfcTKw2
dOWOxGubseyBWw3EDlWKZLkrqbBGxfBz8XJ92iCJ27rRhtpd6XEbqhRfPR9TGTliIfaruTLp
MPrKZh74Hs7LAhHo0nkwcOoE/iYHhQpNXHMnj0hqMcwzzf6MlSrgJ/VPgQ721d5nTwrjtCBH
cmVnb3J5IENvbHBhcnQgPHJlZ0BkZWJpYW4ub3JnPohGBBARAgAGBQJMa+/FAAoJENXKmwTy
xCO8ggsAnAzhqo1IQ+3qwCWD9ifx4niyPiAFAKCo1ou0sB38EuQXnWCyp1ajblx37ohGBBAR
AgAGBQJQn+UPAAoJEHDzXiRtUx5z2B0An3U1rm/gCkoWtAcsC/IYQ2hMVaMDAJ9ddV8IywsM
vnKJ35rfg1PLT4KNFohGBBARCAAGBQJKB3HmAAoJEDIXXA3BAnoOiOgAn2tHyIuAGEY2ctJC
yM+C7hmyMNMKAJ9asA/uRkG4wiJwEP8DCnNB7Obfq4hGBBARCAAGBQJMXHEgAAoJEOFVF/Ir
CSDAnq0An2xcCMh6H6vIT9rmbxHgGbc8VfTEAKCopbM+QMAGQvOROMfqWJhiCB0fHIhGBBAR
CAAGBQJMXT8rAAoJENTl7azAFD0tTz4AmwaE8zBHaUWbUnsYwWXqxavmf8BCAKC1hL9GKk60
yXTEW1W1QUm8jIYILIhGBBARCAAGBQJMXzSgAAoJEPmF40AK/HR2eqoAni/Hvg2M4e4vrju5
wPT+dONsA9/vAKC1X1c4YL1XiJ0fXpT02U13r9e8AIhGBBARCAAGBQJMZ0yhAAoJEJ94+Dzo
xDRhLFYAnihJShfS/zRoG7iTNhgwqyLxGqczAJ0WIP7yfVZbP1N5oe6LwhQsZ1BdVohGBBAR
CgAGBQJMXlHCAAoJENoZYjcCOz9Pjd8AoMdNUjbpkScdndClI4EqT7tn6PI/AJ9Luiw8fIEs
iD5yM8NOkdykX1LPyYkBHAQTAQgABgUCSttnewAKCRAtDVq4fCU9UlJJCACTQKre8pA3ud/V
esa7/TmJI1S1cVWj8FlS/gatvLJndd90i50p9uGm1yA4g8iwMnGdcIWCuRfBlhjUnUJnTX4B
QdnUU6HCv9RQ/OlJ99k7vNhswtgoEGQWq1mH1opSviZ3xhMwFTiXISQ12i4TiGSiUfbXItzq
yxOf/gtjAMGrfnNB4MUYPrHL/lSMs24evYFR5DgOKDwVE3vVY2Wf2ytWKZJQNvKcm7sxIxKq
W3OlW4wzG2IMxMSTl6SHYOqIhRGS9xAj9hpIfD5XzZjl/iHmMZMcuRA1LPxQjqdZ5CeF391P
p6vEobkSyX0LyDvqcvy//VHn0l8cRuyEmgrTpdmTiQGcBBABCAAGBQJMdo7oAAoJECI64FW9
lOFUIpkMAJ/obi1HblArRgKmxiCIMD2/nTcj/ML3tL9HfZ8bpWZ6YJIUsFRcmHCVWaOaCBMJ
omiICZbcot3v7/1p0D/AE57i0IFPZpXXu4utC8B70JjWaMJT22kVi3hvhrChxlZYNZlkXr8G
mKhGJpzEfVlg3hp26jbj3jEEGmjJlii7uuSrV1VJjyZaDfTNbgXMbUL/3sISsKODINCLlgCG
iVqa6Xc8bIo54zQ1Rx30Ijn/6ElFvBMSdZPu4wQ9hKrJGhrqY9FZ/U0xfaawEzxbmdZKDxVO
Xdd/qD3lNAi8Jg6m6qQO9/A4c/Ln80ll8St6MrfLwJ58QRWawTQcl8wSTxouC/ag85VwW1lX
FfnulWVjqRAY41gVY2SaBb78A8pwuwy+ixBWGqAyGRVjahNj/uznD3kwQh1DUwjyDe9lV0TV
5IpQy4YfXjkukwt8kVvQUL/p9w3/gmPZ2lXBuEgMT/NKZWKszgp/JZ45qDUD8hgPlK9bICRm
iQ1KjcAV3mh6dYLwJ4kBnAQTAQIABgUCUipIgwAKCRDvc+baWDa4Gqa8C/9aWvMONUnoDGjS
H6gIsnJn0pGQ4zx/SU+Bt8MG0SPbtv8Zu1twofiX7xSV8p7/RmESaQyjbzOD9mMvXwl5mF2N
q8IbDhvJmEcCCgVolhM1g1YtF8uM/Az74tNLmI8gsIiX/Er8045jMANp+UozOLvrzx9NpVBj
InDRhXt5ZF4YeMdB44cZL2OH8juSbpZAPFAi3Lm39gSMj3eUiUavT6r0Ok7AC3qMiaTvvtb1
VU5vl/CcevaFE0DfZQ3+1iXsshnUu6ql2NvFPSn0tR1S8Ekk8NfItbAGComC4BF71MXxY9Af
RW21ROLzRR5Szm93E5DirjTC+vfxQYwEmemn9v8KWxMlmFTu08GbBhi54bBb0iuaRc9lf5E2
dixJqLU4JVUPxjOk6tFvQHtZQRj7e5fu/lusZ++WKXnZsH0AiRekbN/j1Qh65aDi17w0ebXX
lsKc1kqryHNTq4PBrhrKbNBa+tlFDcmn3yUReIxfcZ1Bm3N6PxNiQSxx9Wf6LL/1rPuJAhwE
EAECAAYFAkxccZ8ACgkQ8aab5CnA/+7HvQ//dhkVGegUq2TyePOTWBxK7EyLVEZEBr2HXa+y
Xqg2i8Fdou5smHNEd0q8dz9oMBEWcZtRYmGKzinGcmxzArdmVyXV4fEkUab9zfL8g6dGxo+N
wqoHt9DteuJEURwakSJ7oDW+DlfzxMJ924sg5cuUtqcnZwy73a58Y5fkPaZVf+/HrkadZT3f
7fM8pb7JgJSRhgmdi3MfbUQcDgbZ604MifdEVIbXX56ex/9OuthbQ3lp6jHsvHcXPG5qt9th
RXkztoyKcArSimHcOFrLqWAQsF8u8PIYNaTKyJO8uRDYjMGcJQv6B8HqV2eiLCZtIEdcoWev
Y/oeflGDh0PbGpswAiQzoSxjvVdPgPUTqNnsl/eWvup4govByKV4y8dxgyM5a68a2N2t4ki2
TwVu8LpCRzuiin0EvgkM4jKSFU/KPiZemdLq31D6o0dQorx+Im31XWv/H8XoI2jGbNeMVWHq
5WumzPhTfgFVajQEc94Te29vea9OV+mlgIDuTzqLD2Je5G6BDqu5EmTlO5sPDJAwM1c2ckJb
fHjtUih3Vw2B339NqF+aneOX9MH4blAlX2V5vuz0xtmEcd7Dy6wKjzmX1Tcec4VjDDgtCoH7
vWzCeQmlWLzf1tF9keUvRn7eUktyAqozvNdE4fs6+3igdFKoI1RHNkFO45AuFe1goN+uDFOJ
AhwEEAECAAYFAkxgK4sACgkQHnWacmqf3XRTUBAAtb4DXxkzn14Qo9JME9KfZ3QA1ZfoNffR
PgxHkLX3q/KzGvbQYQc86kh6b/19aV1ahcUBrpABOkV/0k6tASrs9N6V6KBcIQbJwRETyWU6
G/rG47h+4fWIMew5XwCzUzvqAD5GDp2XfivDQuVt1Ta2WcEAmKVYNlHYowpnEqxvLNSSbXuX
Afe+OK4XxaFr7i4zr8zS6S7NRigAdENCt2Mr4slo0ldnRn6uQ57ixfs23g8LO4/89zW+GxKG
PPUQbo9epE4hCewTAyWwrpVz9NxrodvDL6D1W7kY6caiOd5tArNKpwF/GCH/vsGPU3NsFISI
+P8GJUwtmM/47xgcteHthx2yC0HUArTV0w4+PnAaelpxzAyqd3KxLLUNJ3vjv3xpwV3eGWSG
zd3UZ4AYTJmSlbgzuJzQIwwyxHsA7ypUUsbdrsoQaTkACUOsHO1l/oT4P+z3/tWPuXqUmO+D
Ly/pBiCRrV7c4cHMzud/dKBXuAK/gS7VD4Is+K8/srdEJTrPB88zleiLOdffymHtCAmZPn93
bvPXUcJk1PiNQYRwQIuIjHJbbZL8rxqVo4NCmi2HwjqMaow4GLEPSEdqEu83LpSU0Ts0BJvF
/6UTUEs04zDjSXpAGrPhWoom2jxUllAJq5Aek+f662dZpxVLxzMHWrLly7Fb1WPLbCrWhqIl
k+SJAhwEEAECAAYFAkxgNzgACgkQ14hMRxjhj0QJqg/+LKFGM1orBnYv+DZeVGbcPrBJVkeK
nAVgX+HpIo9uY7F6rRMZU8BHmxqM66k/tPwwrVzrgrLScK6spQTUjxKbjGkktT+LPVdFdB9F
2QdEYCwX1AB+0InLVtrXF/yFFTqlxxgLCRamRziO6w/1QDFMsDdNbIgxErjMb7d0MqRFNlvR
fO/ElovAPWlf+4zA0xiCRVbV3tbNl1/ILh41C8gc1VoTYdmUP7W3F6xCpy4MirSkY8LLDcax
wF9blsfc+gj8mW5yegBZnEoZchasl1thZ7Jt05tMkcEFTVYMfeReo/5Ww/dEpSfhjhryq5MH
0sSBT/1YGwbdgBRVzmocrWtQJ9i22MY3RboKNeAFs/wx9L38z570rOdemtfuXzKmI8jlcfQI
BIrE0p1zHE0OzgdfAI/uiJMZ3dRZJXsr8iVWuER97QqYZZkgDMaSHxvuKcNKQol9AbnDWbpl
q0J7CBo5si41rXpUIb/18FydC3k2KzjkCAaZs7VUCguWU/YKVw68kfrksJB0gIGqh66wYda9
dpJVmjVNTR5bWbo8//ZHQXFfGccWoRImEZ7dD4xKTl1B1ihmgad0H7Bynd0IiORVs5zbdbIE
FCwnMjjB5nr4teU0wq20H8CaR36Rw38KgRrcJdSrJVDrmg+A4PPsW3aA1K3oCvREoR2+p322
8j2c0pyJAhwEEAECAAYFAkxljxgACgkQE8C1Zno4sLCijQ//VodIvktCD/rmvxmbby+tjTFp
yNPRgiIdLyXU0Wfoi0TqzLsATfOluWVpJqSqIQ36g0wYc9T8BemqcBepDhj5e9NpYe4oq5kF
IxIJHzH5jHSM32vPVxJU4PzYcZzAMEVWCEBx0CHgW2cYc/Sq+YNq8Y/c69R8WNjse0qOZP7g
zTInr4JqL181TVvGHt9Ak4KNakxEVLXGIXVSV9QDDGCpYMkfpEy7pwvtV68DFVj2nHHetzCp
3gYi90nsVvk3t8iowNUTlKkxnj4dZ2lFMJfZBBeNev31JLkhyqExUoBzZMDmW+c58nye8Ode
hXnvZ9nc0pe2Z6XWLuraYDqNDKGMWsOTG8gCPVrZL5BtHr4Qh5uuAwT44PzkdPCdw9NaHw1n
0s47Uuailgg+ZuZgFXxNcRD5A93Ovl6/skln7KyTr+kJ6BsDcdWzcXpgQ62/3ayxgaOEZlKE
VLJsngKhcjlINiIXc6t0AVZhAlgLrLAvi1G19ISqNPNBRGUWeCYjC++RCaC7i/vAFWIQOTLA
NfCtzwhF+kopF2tmmt0ubapaH2CycmWLr0EIvPUIJ7GAW6tkjjv8tfkn2VtT59+gE1WmwR4q
55XkJ8zbX9tJx62w84zkQA6nMnbBQ9nfWY1eThRk5IOXKElyk8cNIZlqIPPH8RVP/Ng9Pjj4
+vSOAjkT8LyJAhwEEAECAAYFAkxmx/gACgkQHAH0Q8nJPFo1uw/+Nu1AJqt6ifpA/EaWoDnU
9hSYcpVq3mGivwEE08U5/2trXl5fcAe8qvdPB8JIYRROTLSUIsTkERftzxMzsCIb+iMj7bKx
5Ip18GSmTOcJU32hin/l/DZlDxB9/bo8LqCurbpEDeZ84zV//F6AqMc0mUyxhdVA/y8gEp6x
YNnVHU+AmIxzHkE4n+Rrc6JdGUODOL4iZcewBl2IKcYzRzcELIFMzjnSNbA/uxKE9g1kTa0F
QUTTpy/y5f36ykfWWdrz9OZFR81/UlZ//gv+sr1UHs6uMs0QayF2QJW4iF0KX4IQWCcbSRyn
iHuOzpmJuTFu0KNmU2cfRFLgyer80glsqicj0MwI9shdtpp2+ulfi2itC/gGM00cynt2WP3d
arrohFDOwCuAVWjp5dtENk8LNCK2aYEXlHiW10kaGi9k67AVfrV55p8WVTWcpT9oQ76wafnp
jUb6XPou4DM0Z5ItJqvDQv8823b5BCnMeyG61x9qCTMhGMEzDLFFkXalViQtIjsS0tzF+S1I
B+dVVvCC0tMnPWoyyqYNqtC0rIS0I+89uQuDD/4jAf6hL7sKLUzdLs8NByjQoV9nIaXEHzp7
jBlgAZgx2SX+eK8wF/Lo4d0a0jddX8PRZEjkx0HOhaYcW59tui/ZXr2UDwlTTuyfsSpo35K0
+VdJ+mtz8gHZ2lCJAhwEEAECAAYFAkx25QoACgkQryKDqnbirHtS6w//Xt2HPPu9r9Lp4Z7C
U1EtWEDzBHZoiYrX8GBjfx7XJqX0kJWAXTHoN9HtGDwCil2bTb3WwopNrFUShR2yEs2Tbo8I
j1n4veQxx5japTb9b3gwh/8lRRPCfF++jn9q6927D+0jJde7hx3G/o0OoJP2H04kEM5wrzup
1nOkH/L5+bFerw4eYir+hl0oVfrnK40RKSnzy+6sD+FCFwLipOofDX+qVp1VguzwkfAwLTSD
PVxsjfvxKdRCj49RbI0Q1svMu8iS0Hu+i6e+pPVgvy2Bh9iPQiPNaGG9IeHy5mnq9T8yxKd3
KY0mj6ipuHm3c1HPJln5bFlt1K6mrysbZtxafo+O6XeIUoRNqKi9eyA9udgIdHPuMAypsYFq
M1Pn7TLdSnRCyuhG0UFlr/nx3VVH7PLOerxMCZf7ApfcWA/s/iBG2DLpeB698UKOSfogcbWO
JW7Dteg4ZCL9zLxRiTZHLsMHnW/aZAAwoh/zV2Kpd6qbrZSyqgn3Pys8kwiFnnf9aWdqXmls
oNswHZeh3JvMOgs2QyY9X/+Bz3k1vf4a2aU2gINvL55aRmtgd3VDvWVk41WcRAvOfBPCC9TL
0UKbIBT+/rxuse6UiS/lVRNngvOpuUBmd0Zo/PiXxsxq+aKX6FQzZs0HsqAR/Ov7bmbh7Z+c
WwE0ZEogPivsD97qv2aJAhwEEAECAAYFAlVxpVAACgkQ2oKDDjzMOjq1exAAo41+8W0VSibl
OmQWDesxI8T+Qlw1v3Luf1CexMx9UsEktH5yP+guCeVpADMupSeKis8q0ayOgqXim6gyRjHS
1HklDGwUnhUyfDu5VNqy7BOrbUKq32TOqudwtq5PEyohof89/hR0UwfC18hBkumW7NfCmEY+
kUkvlAVzVwbSAm1bjkFu3DLD3RKN4d4UG3kFc4tqY0BweC85UvJaFFnY362RLCBV4gTjXVgl
UIHXpDSt863NBTtbNJUTIf1tt5sFqknZh2N5UzgtkTz6t4N47+k0VZfxuk/f9MmuDEHAEBBp
lj4X+ofPXbxbr2iaAZjT/LjU76tYq7thkbU2NRB6RtDv+Tqfib5z5ecwNEKIgQ6BelCh7pRI
wnMYhx3wj2aeY28vJ9vE76NizPWiZpYzD3MHyWfN+kIuSDRZPBhSNLnfA5uUuBQNjS1Ad+QR
Xo6CtWZ1cE/7Xv6DCKmk0ThbGrvwkHKJGrpJeaaf8lP0fo0L9cIipqx3NSSKHGe+B7zhQZO0
QBlTfXRlErjuZ/j+V8MTZqsmlhdVi+hElTioj24MQJiXfB956RuOM+g4P9v2QT5RRD0C4XaS
+KSC3eejZGYEeJAmB0uRztsRntyryw2LF6WxcSyEg0pY+/SLFxMfRIPlcAxMM0SB7HSAFZ5V
nQJHc7bBkNpw179YqexsIKaJAhwEEAEIAAYFAkxccTMACgkQ8RQITAhhERF8zQ//R2Bls2xP
vxotETrAPF5MOjDqlK6aeOnSyI7shiWWXL+7ds52SWsmD7IL+7XW0t+fwvfEVOb+qNWIiVaS
Yg4nvZQnTkCqTnDxTzdxipEaiK0MC0bXmAikBQjZ0iiveOMYOeRx2PWuUOHrymcvJ+atlkq6
pk/mycZGpVitnO9crTb17SLsm71k5aV2u7EBCEUcbakmrx1mDvBoi/tSns5y9YEPTc6JcKtz
VqbyiSAY5dZSaLc8IW9Aqn533kPyIwYXnbxd8cPFDxDLhIeBmZnVTLURE3517RXZu1ngZEFh
pSoT3w0Xg0cgh7eJ4Vmo8MnW3p33+dSHbWRlgrNZcB0PBWZrByS/iS1b9REgFTyU4UeI7lH5
zLgPdxPKBvCNObRhKg/dAmqSDq5EHYgWxn50p3TCfhrDrkoD+3seeee+mNARjLP4EDyBF4/k
57SqT7ytj9TWQoQuGAodQqNXwMKNcldz4FRZ3rMFrUpJj3uD9x2tlT/3bCVKQ1QcPSzKcEcq
zq9AZzjH7cVEbgpKI5zBJlejWB6aGvHLIhYZb4EYuO03OgEDDj9AUvIBFBxKdRvCzeTZOCTM
/8oAgSSVmFewEI4E0yNxvZu7wjSV5LI0AiyhwnCWlfYM9Hgxbai3cv2osIK2p5GXbaRykhwc
jc4lPrIsEE3At2UzlzO4TTI202GJAhwEEAEIAAYFAkxdPzMACgkQhy9wLE1uJahHJA//a9iV
wDsx+OxFu8+vPEXmJCKt1o17+PyhskIvNSXlVPvpYIpqNKUJQXpqBkiNASrCOQSHrQtw6p28
9i011TMqmMZsUkjqk/Y3Yzx+SPT6KUfny7qQzGW2DpHL1qILDFMywzvt9djzWT6hmH5LCLSB
3aWMHIwPDvtvylzHPIN2XIABSBxnHgeEi+2ZZoLZE7HlQbwsAU7Xguj0K1DHe+urOBYvU0rq
ceqiJhnY8b71bwQRhFqVhoFkW/IPp7dujQxeJVvHZQLLNkB4RMqG+kR2Ku04U1Fxbh7oc0vr
e8EAYdMfutU3ZRWZ4D8Ltr+q/hxy6dm/bHrpFu6NIxox6KrR8zewcoGDQKI9BlQn8mrIof0W
YWNUusb//Vbz58iOh3POcjs7VkD7aPo9R/TaruBIWv77kbjszlQaKKHWV4aIVS9EXW0cPpeF
OQUaq91aAxB8Tw0Clx1TfVc/QZJB7/l6k8deXgo/+4JCU/BBmsplR6mG5mhY1Iq5PnuutU+W
+sHQRYSiq0EKdwmAaq3AIz7D+rWafv83Ea1cZaMph23ChqVX/e+YVI7rxxYCY1bubd7TtYWb
VG2W8ufTwemZBxWFq8HXc9d+Qm3LHV20Qxp5fAoYr6O67XYgQicIFW7f0lJ54igqH67wFjOf
zOTHfWK0izIeLVtp8xmj7hbFrXXd46+JAhwEEAEIAAYFAkxdRNoACgkQU5RHndNSTFGQ7Q//
YTQ8KFH7n9MYRpb83fTRfkyreyQyTdbcBsQw7R8Tksx/qbidiZZfI2cILweIqsumN2bF+ibQ
VYx/PpKEStaW1VQI5Crx/kSRmBaOlipbbfO+A3sbp98hpKMmaIxvV7IhN9qKhjcQR0YGXcam
5oVVwjIb2n89nqiS0qnGIUSTLzK5IR8Chob6tpnD3jQAnxE96wyhADedhCVMf799HSoQiiAH
TUarSv/HMIws34LRgZ2voFXADq+CE1Q2rBEapwrcDSkEQEZ79LImeuS/S1Be2ritRO+TFLzc
982LuHBxUa4MlcwWtWaQQ6PW/c5J7QJz0RiqaaL0DZxCw/Cr2e3MIfTCdK0zPg4A9BrNsQkR
/zYmePPTejvbsYpsWbpOknwZNqoYRc4cEaukAtdhZhFUDfL7jfh5HppCIM6EN3ovmTsRhauv
LeAI3J7JqrPp2yLDbL43U+1ejsD22+l2rmJQcQpRsdD8KlJX8bD3J0fCRhhIFNABjMmy3e4T
bij7ZM3ovNZLCgjHmNa5ASMyS3l/T2Rqu9rh/pZbPWS2hPTlmYTStpb2T+Ax/anpXSW3ZiAW
fHGOSjNrl9+LFqCdjyzvk/u2kbgd9VtjjFfpPS8xS1dGk7iIHHQQ1GZXc8s2WB9XkGGpD/j3
8bvLJG9EXtqVWwJLo6t/PMOgnHK9dneq4I+JAhwEEAEIAAYFAkxfI2cACgkQeo9J6LY0gL4z
KQ//YgbbsU+C4e9A4L+b9lOTh4ICrmYg0jD86oBtjTsomMO+UP3T+mVH/meHWTzr+6ib1vsu
Nz85E5OWHeHL1Mzj60gbZSn/PMcfL++kKVCMhJs/HN6z4t/hY+GkafkeZgglnqItkZGK85ME
SmpoecuYsExEj9fQaNjHuCOrp3c+B0PJ3PSQ3qTknsOnUwkOgAhgeni1RusUqckryre1pPrb
Oy9RrTroHGsbvzfbYEYS8IVoaMP1AJj6o1kb6vomTmWlh7r5UM5iZRcFrKK3qjQaTYr9f8vf
vpJZ0GlWT6T4szOmekTnYuZJGOumkLScn66qSihvxXXlurPP0XzVObz7YrZ+GEDNJxXwPJpw
fpYZHsuSXv9Pu8S1wjbvL1xq8WEjwd9q4kgch6r5SD4+syLydwLHiBXTc5dfVO5Xs6KzWtXE
MNsFBrDO3pgHtWvS2V6peL/yG7RJJztzZUc/IYZWuEJIU76rzU4YK/SC2Vse9lVA3I4s0knw
5TCFvZHTV9KIjqT95xOgdlZKmQc0uXSPNrVfoi28JOfcAGnSnRX52KFt6yBrhCBCWuVTZTgk
hKSIktI9PPC/C3xyLwxJjz1jPwEomhtnNx9B04W17G5c8nW1yCjxPxY4Q9LCYpMYXGB2Nena
YydDbgfA6ua1exRQ+ZkWpnHqsmCLL7B0C/7oTOeJAhwEEAEIAAYFAkxfNK8ACgkQ0V0xOIIA
QXMoXhAAs79q+JHo7ulKZvKDkh+OVOXrSh5eKGUmuqK4RJuxrHmthUFkNTsyNBEZc2+QWw4B
8q8ka0x2/1eIDqwsKwHOfcQdyMepGiKnGWm58vL5CeoV/pZW/Yzrs6Q13o6/mm02bcxiVlqs
ZGFiRaueY2QJ66viPY0TJPlK3CavKKgZQ4xQtfQ/MDg8sdEnu3G/1PWyyHfMVsq7fG6MXCdY
TisgHAEyQJXgpCnk1YIuwxZQPKbMhcjiGbkKBMeQi9uZDiDUtY6s6S5MZGsG5v0KTuoBt2Kw
XHbTgkFT9wKaQnK4rfMjGtZFuwiZw8MPsFgz2QAR+1s4mIkCbLPPl+jwL+F4UkEUJvpKWcPI
AHnDe2q82vOc5ToWfm/C1cSf7cuLi2hGuSKw8JHuJ4hBF5NaMhmsrBOxjS9BC1OrutNvjoa/
bBihJxX6pyz6Fhd3wnjtF8f+H2pxu9/9M6bv6lkHZDQxfnt2+muwsRncx/wU5JJcxzxUzcLl
wctSMFHmNU2egx6Kw+vPgPdkthrOZjkLQZZj9DZxHK2j2ENAm4jVF2Z6cUHHm5tVTsR7XF5t
CeFRNPUlhoEz4zdJiN2qflMY0pm9MjBpF44O8usWrEpUiPN53bIOpbPM08zYZ+BBGPOgxZbh
6Y68YUAq9XfVn9okE73HeyLLS/bpBj1QSe6QapV7sg+JAhwEEAEIAAYFAkxh7k8ACgkQcDc8
8SkNuc7NWg/+It0T/mHuye7+PG1kQbutyVw69/C7yyZkoICrcQQ+Oh81Ba+DENSKrPVkmt2o
U3HR1bL+QbFDjUa+hnLHXh4N9hlREDbsaYdYz3xLbXeGOPDt0QrLn3mdZ2cZrZwLjcqsu+bz
5sRZMbKKTXqKkMQaDcJa2CU60aEoH9d+QJkIhOHiqkNvVyrKbiMoGnJoKDppwG1e3+Ri/oXA
6Sx3cWwmdVrNlwNAKraTFlw5Xh0RUQ5NJstxX56PN7tMm+PEnY94bPTJHiyzG1obm2Ona7sg
+P3DIvqMFIkldhNz/DdeCjSN4qrB2u71tC7xwAneqqLpPuYhpMpFtD/JX2lOhoOvo43n+atM
jqIU7xhZ2W0L7n64Ym31+wqqz6NEx+aVp+OgYVJPH6MA6jel3/KFhHoWpdnLJIL3XLq3Op4U
tCio5JfouHfuHVdslmKlH/6rO8SFY4VZGF+RZURMze0I6b3HN3WQb9Qv78hg0ZrI4E7JIbhc
oQQDIXgASS575vjK63/WRuMDxEpLEUflESKBsG02GJWe6knx5lACdIyD/8kZ6MIV9mE31Nqd
zVKv+i7BBomu+ci/4B4LXn5LcPphmGPAvL1aabC7D/9lxLPA5Ur6LHDU08LA7S3j5Z7Iob4m
KbS7pKaBdYPLm+kfAlw88bDnPioZwkWSggD5/6iwEN2XseeJAhwEEAEIAAYFAkxh9TkACgkQ
dzH8zGPk4neH6A/+PTNKtYOQmFxM+1QJEqK8+4ZOyeIB74wHGI0VyFWRb6Bt6K7OIYAfp8Vr
F4kH3DYPqRYWZLyG8Krkff3HUwdgBdrsRRQKN5Q1YwpwpofCcdDY9l3fmlUNx4MQN4Cx9uBT
XY1OGTOMHHCog2eIOIkc3sT4xZ/zIcgFKM245lXl+fLvbJId8jZjYFwefNerUX1bucNoaloC
drmbUN2OItXISlczLhSZlXcOyxU2Q1DICK4EksZy0y6XRnYA4/7JK209AS5jIZb6UvV4kMGU
y0/CBTW9fJx1jZthN4bLxHMSVFHvG8oqRPmr7bO6KyvnxeGY/0bd30nA0hoVyDtKuIAuBYXL
nrnjHogjF5sl4LCXLNDmIqbYoXMCAuYrlGaGsLzqGqjPX22yb+5B3zYCB17nCP4/l84auAJL
6/EOrkOjTRPWIqsRO+dK8QENfp2zYfWmr0G7xBQPdeDvyFHbY6LO+PwzVfzESGranmiliTDq
fGUGT/F6F3eBhKb392zDllJgfeKLt8V00vqaY8jqXS4AB6ze7XkcEXKsshN2atVsstUmjLKZ
iSO73irt1X/Cg6SrKkjDgUhwTmOxywkHBYjsot2NSYcrdkYEfK3nPpesB19dgJYzPn0Mborc
vJ3ixf5c2mjT1GHIdrp6XEjqLs2zu8dKLDiTJPSV/Q1H1nEasMKJAhwEEAEIAAYFAkxi3k8A
CgkQd8b7Q+PTCCRE8A/+OY2000flzIxhqxc23BzEOXWxwZ+tH2r0UQTq8kwZiSsva+NIjN5G
bx3MMcT4IyGF3VaxKZRJDPGcK3ByJS8HnCv58OE2iF9sUT2BZJEIfgniHgDA6iLyyQDmM9N6
9UVoYYqIWff6Ve+4gPYebafy3UAgUJLHdrknfhE2fseE3jEtdsn9AizP7hc46xPkeuaAD474
4jtM8h0zVk36l3gdRwFZEWMsxATskct3hLjKv4R/EFdEgIo8x7hK0uxvc6JyyguOznrwAgP4
0LgXv+Ci2BWrf0awhOyuDJ+BiViKtEuzcqgwPR4GgOKkvzti8jkPNAvjCEIHTpWJwkIZ+SNW
aaIZVfbZdSTMf3tfVkUJ8tLImtfHwJ9b+BPxpiP1DENZtxmbOsKPKeH1SIGO2BUt/Y+i0KYM
rJmhQiL4k62PIRRhMKuYjQ5sasa9oyAACxg6nJMJoeJalJtcE0ZynCwdCFIkhYLXVPAgHCUo
/c5Wq20YMW0sqerdf/oLwTHe8Gyru8JfcRS1mLBuTPWQUGIt2h37WMysv4hCHT29N98w6zJL
jIGHH6Sd8PBw+WBxg6rpeGH8VVuLfHerB6XEMxoQM7FVAefDUCrHzWUrNHgSl5qG14HQ+46y
xxegb5XNGM+ku721W/t7YsA15ASgZi8ehaQ7iSl56TGu8vQCTaDqPmqJAhwEEAEIAAYFAkxn
Ti8ACgkQs0ZPiWqhWUgz+BAArOWNP1VqUSh1LpZ2mgjMLCW8cPChtEKI4/RHUElI9r6BVMGR
/35Ww1HMcayD+H7WZDXXiBqG/yPJJtmMfBW0xWH3dbo1pEn8IUZd6mWSlbhzxRkVr6AFhDKo
4T6QVQQ6nwJg9aBveBAXGnsr9/PieQNsp9IyACxZCvjoEh+2TV6xE4r0WaPKGLai5qPuvzSN
2efP1Fl6gtmoxgI0yiLDyMlQZPi+/jXC7qcae74qYFUqih1hAq3EaCfiUNCVCulAEYnzhu+Y
qJorF+Xl3vV/i/NT09k7GwvxLy1waPAi93yekg/QwkJMSrvehxXJlPdkUXUKCsgE9o+1CztW
iIK37utWFTnkApQaKUyHJA8T++ReyRXDCEq3Mu82ZMQDzsWRhJuWmX7/5MAw/1H6yG0HLxC8
sGH64oduKWZIlWwjkox0pUrA/ZkEDaznUxUK0ay0exYtcPJ9uUcmXsFvxCe0SOGwarNKbEjs
FkZ/lelB2LZprKk/10BqRg3AzPEix8IK9hRRM5jXK1ZDEYRGYw/c9VoQPf7eMpF52zAZ45h8
UjL/q6oAg3egW+ddbsEEXzsAgpcfNKhN/edoUKhQd5d2h0S8IpmPMrwvqrRaRSlOrqMhbqro
GQhFOV4+fO6zwkV0P6Y9QSIKibjZDS+QUZPXCLfpKRSYVQlkFwGVeVUcZzqJAhwEEAEIAAYF
Akxsv4oACgkQ5E+AFtNjD4l5ohAAtgotU7QYfbvY/6b2DKShrm0guTeROOi1imRMfMD5Nvy4
CazA7qm07G9Jxo/yFYHMaXXeG02vx0pSb6Gbx9Z/jtwrOALmtIUAajTFmcC1Koshn1KAlqtV
FriWzwAz/jYIK8BL8Db3LCgGP0SSyIaD86x3VXm4JE04AJeAtFUikQwBU6iNA8Mue0rmdIgz
vQ2Fg7qk11Nafx4xT7XU/K4BAy8U+6Ai4F8VPxdh94zc+Z5qVd5lRZ9fYsdzztYoc8xtOzjJ
YzDACo6j6covoSD56gQi9htJzraPtKaWu+gz4P0ijZ/naX/hsXlOnZ7IQzaByetVgXoU2Hg5
D6UN7YCrQ75TB+Q7Mh702dvihXCr2smUkBOBnEqKoxrLqLtrDYPLw7ELuM+bRzZb2nfBYzh7
/o5hEG3NO1rXIQ21cYvfPSggkI1fq8kOsWbd9uIXR4iHycohZ9DsSW4iQ7+IwVu1Giypf/R2
Fpz+cL6aGI5DKFRBuz5ucjyhJrl9wes8v1hsTDNAPSbOyd3I4PHa3N4gxWbFvV6TZfSwHKm2
fot2bglB+n9otZaPBVnHdsntQsRnS6K7Ptft/EZ1zJvWJcOnAjZEtj62mbrP2bQ48r+wkWy0
LbOoQZ20auH/YaqOO8ZdA3QGpvK2GCfYB6JzD3bQomsQWMlaAkx1wfFQUBQ5xtOJAhwEEAEI
AAYFAkxvKsUACgkQfFas/pR4l9iqyQ//el6hebIh5S7ekU/6R/msFAmuluGh03OAMYa+JwUm
YqXR6iGf0Ftw7XgYJt2NiY5ZtaOULtZe3zOslFio4KRAwjKgEOzSzEDc0wFtZnj0/LlSTk9c
zrrymcJQCAgKKV4WTffgiPpzDM1ajaHxY0WQfYJng/5pVxWb6QXjtB5mupf4T1Yv2blWAKpK
Fw67Fz/iN4DlWil21vx3FgpAHY+7JVB/129BnbdHtbzP2CiQxZ9PoQt40bhrinI4cHyPHcHk
EPKBD6GnyuyIoPGYRsILp76rH9vWQJWtY71DQwlB9+w/JTVP3TRinXJ0BSBvFGNcP4hqY5b+
8tKmSBPJM0umER6Q16HosZtI+8rY+4yvaHjtEIqau/AdBnCW/EBeG1YyjDOQAQzVdOR84PLf
Nyz+eqeZI17fZtokRjTg41J2b1+F0GbUOTQueqzlTK3spWYrPgDe54luHoYmgVqlsj71Zv7F
cWEf7L9RdcA7sqCQXpDggcOTRDVg+eR6eCLGJetBfq4fsX0ae10TRh/pGut8Vu6NTcFGw5c8
vt74h+WFIXPknpBeKl1HcKUXTLJxQP5CDrZF/HzUaLYI1SaKv1jVm36gV2YZvuZQyim4vBgg
V1/9K1EMgUW7GRnQoOpQP6zxFWnpPXPY3TDvdleaqeET3xET75mGgD0WIUreBaKjp+CJAhwE
EAEIAAYFAkxv+OAACgkQnQteWx7sjw4tUw/9FgAffwwit35JdS4S0LQqmkmGXlMvfZEkfezj
GH6ITG/YWri9QE0ktGJqyCbP9tnL3WCno8bs90tmrQyagjbp7EsADz8L36vbYrOU72mNHaeL
qbJcCoztUSWAe9aPJ4ESwTXbXCkl8xE0fm1zTF0MLq3T40Qqw67oMTBygYqhb8zeY43bKOzZ
f0fBLqFE8+LTZDEk00Ucc72M+W+J87rdiHUuJDFdAZbuAvBGT9p1YNkcqaRWSmgRddJ9nBTD
a/Qe9IBnAXBblouKiVvSTGpcyAyGKJ9cPtaviCLRXk17rGli43AymorBdGPpliZmMtrInMm4
FAhSoU3nwB6b8oI5gMh46Dze05PYkVVZylO4Vo2AILUkeo6tagy3t+BEFAmonnpluJKZkfcY
/FvvoaT8oej2U13tXStA0FXMOJd9fGLruJ+yZnAFPrVHZWA3ziyO/u9iprB7ZjqrT1OM1Nob
ZP7NwGxdqED3AYJAb3H97s4dMGAJO3WzGgHOfuZEMsH0/vIc3nWAkj9jsFcDxJ8uTVM6uy2R
oIfBM3/XspyZvm2MBTuEJvwhXW7JTnxsUEpZ7aJQVJLT9Z8PPj7rPLJCkDQsdwBw+e0heTl+
BspMqppnKw0mXmrRfnqGGxgLtlIRn8bNEp4K3AVuNP2iWp9rMSVPg0qLGSFgEH1DtoN2DsiJ
AhwEEAEIAAYFAlWS7hEACgkQ66DGxxwAJW8VIhAAtBkHOqKPOA4A5MKAzWSIYAfX6FiUfFaI
Edwqm5ZmxHItPQk+Ze8VN8jUEzzArrvGOZnctSZy7dMgT4WY+CNy3FUtg4WbmuvflcvCHlSr
ontSVeFjxL8qhkBgUzaxqohesB899mszzDyaM0GMD7FKt4UisOV4K9VqhXKHBhcKi0foQKgx
+VMD35N4+SqgSUF4+td913DNxdxvF5BKICwp9edYv6NpP/u9DMqG3lceVCy+rR3VEGTsFGNa
HpJI0Sny797FR3w4k18wKQGaGwUtdMz6GcmhnDxgiV2V1StLloK6wbAVA4YY3BfE4l7XmJZS
bStlL54h9tffDi0Dj1oJkSKXMdnI8FdpQEvGTGP9ARUz7MCxwiRzcJfOpfxATt3793o6fMLU
2dOzrCCl+09bgG5+wls8nda2RB2RE1EHksoaNyz4OGpq9seYGe0qhNLN+lvIJsv1BaZNdD0s
CaF+xbUGCoYQgvOh3DCiZbg+Ao138YEQw9eKE+Xifi8M36IeBTdq7S1OcRCwaDMmVchLFT5X
AHmFeO3L3zCO1C95WmNsFg04+4avHqgOp5MolLSrOEvKTnFW1Ebv2BJizs45d28VAI/JhgPx
T0w69M9Jpybd+Cbg93fHTXclLAPyQWXzhlfDPmKhukhSsG5JXIt0gyBUsq6lUygyWZcewBwa
uy2JAhwEEAEKAAYFAkxdthEACgkQXTKNCCqqsUB3ZA//S25k6cAkZpIddDahnJxDIon8VWhe
JzGmOMfb+hMbQ0y7xeCKRdNBa5yw3LKttLugofqcrGV3V6lmE9jWz5hK2we+ZAdCo/wXUWuL
FJQW8WKY7hmDBwxROJ4jgC0LTgeRZhYEvhKpCH/rtSQuymstcTJd+5jkEE2FU1AOsoAOsaPx
1DAb+uqSv2VefP/TG4sZ2vg0fdEuJd1+SiuTTLLEAnsG2yQT9brcXDvXPOckawFAM1KOwk7S
fkYekg0iSA4Ii9RlXOhpxNcW/zZf3WuS/wrCCVYoY6OgH/+rp8LkBG7hdeAfRsMjozqtBYUE
JwPSvLfRnG76neTa0DSi1bigpOMvHDIeATuS/hR7UdmTkSMwZ8AvQBOaSRHobjQwjfDY7WYM
kvErANQkevWiWA4WshsS/MpEKxiUe6SGlLVeJZfX1dy6Jmh1WzswqoQ9eXQXX8zBltPAfKFs
KRmf+OpHT94qYZsMhqAXOd51joUtCBmqeuzvdp9KM+R8cmuoPVqmZ8ZMdMbD2dQUap5yVxw5
yO3CfGMXGPGfvA/8fOav/3MwWXUL5Zqv/ZhdjpP/ZNEB4txLJk1rIg4kjKrZxz2PggbMcCGQ
0uf3SBZa6qXPVT0KbMjzvRKao473eNX2OPqk+K2hIYuZTVhAcKKuvN8qQu+o003Kzw1SWlLj
1zrwaX+JAhwEEAEKAAYFAkxeUcQACgkQORS1MvTfvpmBNg//eJFnqXakbedse6wPpmk56CxU
47abeG6ZCu/0FTwhwnagYfGXUKGTCepVjI/wLpevVeoXDbYmrUOT9zxqIL2Xssp/wz3Qb+HX
deft/drFmb4XMrdUGwi+N1nhvPCXjWOtyUrzuYXnpCz8e0vjSfn6RpJ6qdgTs3Psyca9kPPo
1Zgx29sumQMx7b0hcmRbSxNOmm/vGCpJKb43sHsYN2ESMCNzazQtpbt/HZ/xA/HqJCfEiKJm
GUQ5rboqvhpruhbUFnuLIpGRvLJqE3kRm2iq1XfnfjXqUVbX2aHxNXcNKa601Yla3HGisEAB
ILGvCRa12hrmh43EPpwLCnTOIB3Sejndl+8waKd0smV7Ox0oT1nSo5MHl/VtVLJzPnCX+EfB
bzOepXJ5HRRsX5sHOTPHjJTOUuQvzfKen5nAu6iKsQnawpwQvIN1C7/OtEhqDAjWFr+eqG49
bqN9a+EKu53bnXqM46N0/kRWXJAsHKfllki9e0bRKV5rIH0grsCN8P8qq5003cp/owAyySX+
Pu9jFs9Hw4nGmEkuZPYXkjg3wTYClaPjrmbKfWXgVl2BjW+N7xU1yJZaAJSpd8vqGtLK4qz4
wk0CrGr59EHPeAE9fAxNg+oonDQ7YcuDnHkVY7LNpIGXQkChrv1YgBzzAN6CFBI8GgG3C5Gv
bYCj+NsHFyaJAhwEEAEKAAYFAkxlr5QACgkQMiR/u0CtH6b0ZA//atTqqwPfQWupcXoA/doN
nXnBZDHUePFkCBan7YHitR0kPBVPP10dRfyd9ShKs25+DgAFTr2JKKk4ofc8ib+2SB4rTPIf
gvc1h3GgtI7CXzuwKdcHojmOYXQQsLaxcQDNqEJqS6oGh1oHd8DQJTn/OiARVUvxi6LkioOp
eE0KAkUOfZfnROz5E7ox2ImvMNvhy6VcD6q2q4E4nuWXaSVw13/MqZ8lGHRhytdrVLvVndSK
U9EP79Tm+nIRwgqeJ0CttcSESoKLngTAvHSwVpiMcO9rLfWqYZB6FmhEjCyPl7hV1e9jXf80
PLDihKscVEroxww4nflbIFOPsKP12vXuQs7cQr3BFE9yCowLz0X961WM2V4Cc6o6txY1MzU7
FY7mFrwIy9b/WNLBXJUB+dpnKzmY38ECLJQ+gTxahgumxaNe0wQclIrkrnGLszOrIgLyVAL6
/qD2qUywoNb3WWOHg6fOabKfTF3zBdzSYPNRXbhWNxt05EXARXRwYR/mkwpAdT3TUgbGlOcU
hNAqmtzEvT/Q/Cu0nPvwXnJ1Foix6S+zrFAM8gs6zeUc8Q3k0EQvi8m54jILnt5QqYFSGM40
FLgryKBF9hjwcPN1Hu1Qij8Z3H9MllV6Df36YSgKN1XpG3Jy9ktJcHvQPgHYVmXNsmQlmQxE
ei/ZYehdgLeU0Q+JAhwEEAEKAAYFAkxsD/QACgkQeFPaTUmIGtMxgw//TrRErKK8vl8VnvHO
8TK8KAMFi/GaRM0RKze4nJp72CGSrY5/bg2jAlS0hEKmSirlbLD8+U5/wWa5SrQT36AcyXYm
I3weWgzNSvbCS3N1WnefhlUhkaC1PRMX3AI7EqwyTUX7o8Q8A/HVTgbgHnIKxO1y1EhcfY1I
WEvA1wTR29928n63dmy03rKB2cJvQupGd/xRPXBx55h79NlLOJOadlYsUrk3B+RWBZHsn7xp
wWXn+38fwuIFs7DJye3Eh1ceDootTd6wlI7Km8Nh0+bCCVbeInxp3THavrz1ohGhQ8O6AmPx
wX7TN2EakX5mrwePFgHasLpgciOVRpDsaoQPF7taQg+d7knrrgbD9Xf6JkDl9/sxnlZ//t72
eQR3X+CGQFmfhl5rw+h28FkPxrFO+n6nk6opm1z1n8FFjQnTzFxp2taqVs3s58ondUiPWb2p
E8HOHQX9b4iYY5x6hrZehkSwoJOlwGssiJZSa9eCWs+yvJoJOG8yHunh48o91gY7kaqxGT9o
K+2MzW/uwh7ztZ/ElJj4Vg4XTOqHgSDmUKZjA6e8Z1xuXoVT7D7axP0NvgIj1jjeCD1ncQsf
Ay6tynZm/+Mz/PLwfe9uYGt5ZncwY9aKZRr8a9sUnaaIjeq7ywugKfQyxr1v4sjcQqELKfsM
NLrvOMjw2eLg+3UC9p6JAiIEEAEKAAwFAkxi3T4FgwlmAYAACgkQzNLtlNIXOemGQhAAo5Zp
Oa83tEIyfPOcj7HkQPTutAs8H+kgxzPMLYFhXSYKLPMsoH1TGMFC1JH6PjrzRdk6g7jmoUEK
2F6EL5QpFFKFNVWahRWY49F67jryslVdeZKvFMEY0qjqsJ9nEBIZW8wJ/7BNvYmZxBlWq7PU
0SKbbGNVexMagwctygY+mdnknS6vI3aom/yFByVcVXIdF52GJiAWA9nIx/poKS0ecCd4UuZr
eQd+d+x/z4Bww5E62k2mB9d+VDik1kjzL7bXfPV3+bWoyBmfl9zEYgNnQ3ICurKztkRmu1/k
1+68wHfU/0MR/1nJ9DkEfBi9Z7T3shtCiU+993wSHPeKgurkQwn+wzkthCNRNs3kOwee5Whs
/zD/dyZgH+lrJDHmW6C8zaa/K6Om9+AacXLId1xjQpmmkO83Tkf9qQvtC/UlocllGxHo3hAJ
dfxONF/jwY6Zs8NvRWPuswTEQOLCLeww5AhVfapOLBhcG7xZEye6VLArPNq4OsD2b8NyCd39
GxtBdxR6/8OQbGoEmrYf7aGS+ga6oygj/+ut1M6w4YkQCbLd+OjL2ZUG85tALP/1KdCp1pTg
YW/TmF0BeT7ICa/MmZeYyO0DUKqvsbH7Dyk0aiYgu+Gm3ob6JNC7MGadUkWIyjLUHkPNmnXV
rGT4KAkRtX+cQl/R+rR+ewB6RErUtCmJAjcEEwEIACECGwMCHgECF4AFAkoHaOQFCwkIBwMF
FQoJCAsFFgIDAQAACgkQRJdSeLhhK13PHBAAiyiTX8GMp3CgLyIiieHJnBIQS5fxBICbsSrO
j8OHWnNAVwkiRbtXZQ2g4D4NvyGBuPN2hskjuGOj7aCsqpE4Ln23RfBTAI3fF3JgMGwkqWh3
9a7Sjnw8DwxqaHB3zfs2AvPnolSUNyzc45VslNsE2j359UmvwZAGpqN0A1GfobFMWjmt3QoD
q58C8EyFOWx/Mzcl0qUrvGRbQjQ8najAYugpBjdRZ0MzGfro/pmoETJnTgrZimHNXvDtSTmZ
HTVYYbxj/99Iw5DeYschcK0yvbPFXGo12ndRrEs270LpOMmBpdBaW8bCj2uzATQLZbuaM/je
py3bzEFcCHUMkF+ekIf9zp6IUkSc2B3kkbQmVJKxOeiKWzCXvuu6pU1nRqrG/565CRkwWWol
p4TvlktQgHSZ6CoIxzDnYRE0eiGpsLxA10nE9VrUCjME5a+AYLQxj7ztDdDfb5r9Lq+1/bUN
gtiiQ0fbaNVXXe14+daezFw0sCGB14MWSPQz62rkG6piKB4ZMilRijiicWg/k/Rvlbi+QzH3
PGhqaVOV0JpCTfh3rolf54x3JN3bdlW8wcev0DLPJOAuhv8nXoBBdilH999RH0lGv1NzbAIy
7goaG+XOe/fmxiZwhUQhmTdfFnXEtR8UL9/7+dv9nfVY+kIZIdSN+Sa5+pGs7bik8dfi1xy0
IkdyZWdvcnkgQ29scGFydCA8cmVnQGdjb2xwYXJ0LmNvbT6IRgQQEQIABgUCTGvvxQAKCRDV
ypsE8sQjvNDlAKC18LdtboThQEnkx1lTvZZSZfApWgCfdj0UAdJxB9OLNqm3L8ukPYl8DW6I
RgQQEQIABgUCUJ/lDwAKCRBw814kbVMecylQAKCzW0oYdLbYjN2+VkMFlr9WWoeWugCfTyfX
Czqy8U9NJX0KMsEsVBmwB7yIRgQQEQgABgUCSgdx3wAKCRAyF1wNwQJ6DvPzAKCBblkNp8NA
k+lQwKAeqyjGAr+kawCfXlAQCvjXpRb6fYYu9X0S4r3gdfiIRgQQEQgABgUCTFxxIAAKCRDh
VRfyKwkgwGBWAKCXP+R5VvROrrh366WPoeX552dN6QCbB8aK562QKVhd4OGwbqhHAJzpE7KI
RgQQEQgABgUCTF0/KwAKCRDU5e2swBQ9LSl6AKCpl0Sd/zaVE+rXCmCg9lF4Z/DyJACfVE+x
FXdayyRPKh6cy6g1x+KeMQCIRgQQEQgABgUCTF80oAAKCRD5heNACvx0dlAxAJ9JA62AWyTp
1xpVLyxGchSp7G1I3ACeIJGHywtqpfbJfG6YiFjt2C5uVVeIRgQQEQgABgUCTGdMoQAKCRCf
ePg86MQ0YfqTAJ9hOim0VRfs5+pf6rsMNStUWZXksACeODXRe1BY90f2o28VOFpxoDQMhZmI
RgQQEQoABgUCTF5RwgAKCRDaGWI3Ajs/T8IZAKDCaii1ecrI+HP8NT7zero94/RE5QCdH9zl
k7ui4NR8EuEegYPvqFw7cI+JARwEEwEIAAYFAkrbZ3sACgkQLQ1auHwlPVLxQgf/Y5PQaqBd
FXEs9QkD2Ei7WaD1AZkGwpICpVmV1kA724sJ0uXgLavd1E9NtjhMVKWYwdjEl2556oZL2i/H
XfRz+VgRcysjLM/ICcGDxy6OygziguJRpwBWk0xMowNgWFGIDvTt+Hlc7f5UnBrSE4hGmWHQ
9Vxc4qFiADKL5IuiLssYgJY31xkwSyWcEnUe8WolOb4BOX7SLuuTIO6u/Ud+Zh+N3o2amWBn
3l/OBfi2lM/TTrjFEiJ0KOfyutiGV6a6/SkfGKBzhgdzWj4M8vIMthxFAapU++3WXF7qNQAX
f50EN2TKXKHgmidfpWFqmbPhIkEaoheUYYOCaiaXY/IKgIkBnAQQAQgABgUCTHaO6AAKCRAi
OuBVvZThVI98DACKydotmw0GE4sNu7CHhGMZJqvSu2MSMK7IyjoShr/JU9PO9yXEB6TQpfLw
E5b9bso87SouahOJV+bYvBaLx7JTT0awNSMRxlGnf4il8F0FOcl3RgXpgv14YxXxs8KJHLV4
GhHRwVxzJu8hdNltsTJ7JjJQS3kUYjBpIfJlyp4yNvZvUeRQJWTs1l31CkPwU6fXP6pxCP7s
loh/zL1zVGY2q0GrTkFlrCJIxceiPNll44Rl4PrIMTmBQHVipToRinsrFbyD5QTAjiorVol2
il078fK2IeavCxtRUR6jTiHx4/IWqt+kPycq11EK4bFMKQIAJeF0aBoAX4fWOoSPIFWI/Nz4
m+EecHCk5frctfxNV6VAB5Lf4XwjEho9HFZwqmSQ9snMi3zrEZnhnrCJ1/Gs/ALt9vu0Z6d2
ZoLFgxW2hdOyaXrE54rMKillYoTLZ5d8+uTQVoN8XFz5SliSNb1tu1//i8U9Y1tpSUUTD87G
SuNV6q49gYSeDqZ54EZEiHeJAZwEEwECAAYFAlIqSIMACgkQ73Pm2lg2uBpHzAv/dOSlPdQx
6o4MrM1lB6imRf4KPTmjkIwnO4N5iFrsZch+BNJ64PdGukhuAi1EXY7LBJlXRO9BPxdJI6IF
R91ELvM5VzNzZDdwZVPDV8wJwkpBTQTgNJXCjETePf6adpQ1ORMm6Kg40WIH67BLBN993Bfz
dQbskas89BxmEdqaz1eGDaBTHO2N39jOG4vTNouatsTsUlDxCxNW/razg0uLgMPpL8dJpZ0B
4cCi7z/+r+OYrV2DQlJo6Cc/vieROA2ElFa3p9unYRcuY4Mcn6Hl4gA3QnuQDsn00GPDTqBG
OEvhjcrHghhB0WzxAu+lc6te4vOTS0OCVTWMNU/ROaG7x8vQSFqaNWxEigkVlRDofxsyGQw7
CxNS1mwsYAc2kbA84N4OxMZ4sHkLnheoVjUYaXz3JmLMnlA0AerkZVQRfzm/+rlEwLW79G1G
tsVaRP0WmG9/nNZXAr2wfD8menJAIV1lB/pCSkNlHmEM4uGFAb1lA/EENQS8sz8NvvdvLNYs
iQIcBBABAgAGBQJMXHGfAAoJEPGmm+QpwP/ujggP/1V5FTQ8rwB8uw4u7Zg5EEta/aM4E8Pb
idUJ8KDr6p5Zad+hGWCPKT3nloPbN3iaYXblmxDuAYhHl1neH96tWYU6vygmiR2Xo53y06tY
EKQbdIF3+pfOCSFh9NnFlAqw72cMWsL0VqSoZL+SgY4IojwupFWPNIJbB0JaOSW21kFf6/U1
juAbtat4J8+l4j8mNgWCUeHBENN78lYD506VIuuJRlsWiUBhH0unzY33A1BoJwyXo0TmL3wd
0g2JIGT5sJmpeMkMlKminVjZCcY7AzoTS60QrCj2FCGBtfbUOH9OQvBojWOPz7ALmKj/aOl7
3UtGnvlscJPeilteNQFWEib1e85ufAG0Ry1AEDtR0GsdARJhqiG6jRn3v0lBxfG2dVWbHrFq
a5FkUm73c9r+xjDC5NquWhd4GHyG3IgVPMvkw8sciL33o9A/XhNdjQiZmpok77nswvbuNOEX
diQVnHcylh7bNaoXR6+3R8FVA/TThpW2EjxIg9TwAPfJFKWV0SWfyJSOZLFOiEYDEqBI190j
3WSJNV+p0+lN8CDu8jFHxehsTGOAALCSQq0mZTKJJh0GH7d2YD5BV9isUvsfne52GLx/xmoJ
+cKJfszaWq2FoMhIPD/tnVYA/LPodylTRC6/8C0WIMR0eAaF+ByCoU7aEMWJDEJfX2MoyQHa
fBV8iQIcBBABAgAGBQJMYCuLAAoJEB51mnJqn910WK8QAOJQVb/ihBQC0IsBpJwKyOH5B/XI
jwE6BeErvO0rnmcYTr57AXwKNYxOvtIV8uS8gFzfaZJM4YHsF5BNToT3l2UIrWGK+O5nUL7S
UM32plf7QPI/NSfyCtBxKWfXgbFQ8X/oNdwq7HMzCtRqZDoYv5btUajFsTP8gykqXqH9Ry4G
hCFmnP0UNUWwTq4D2/bImt+iOOw4C7MXyROQ8aZd69aUsAln340L7rXz/yGTGvabdLXKuVDE
QJtiZ1m/bewAw3A7zw3mKtMAA8Em8EJuTfmFvVQEpBBdacjwIn+ZpSzuY11arLIWNp78Yegp
mFsuCANZDr/V33Xxo2Bb+4cbuOzSlXw+mOx1WYo1Fkj5Ga2IGkTbijqByIPwnCB03T/3nG/u
hde1SS9YGGNL17Z2qDOlNtufKsbfPJf9xtiEN1vJ2cbOEDD+WbC2nvJQju4t4WaX06Kyok6b
HPqupuGSOaa9VMYk6TzPAOG9hzcD8SBjO6S59z/qtGNqKZOcTWpeXWI/4qdvWtAPmafB4fVt
2XS+vOwn1c4gNQFK+nCatlYywfuKxoQqGC+i/ld8wuniugtOjX4XbK2HzvuKMuCo0z6x/7Nx
pOJAOf1jgWuQWruIt5VEULh56mhglEV1vL93aCUxOE7kKAcas7Ojbve/EQruWlFbzxJW6VgE
1ncxHX5yiQIcBBABAgAGBQJMYDc4AAoJENeITEcY4Y9ExdYQANMHDBB1HSdVXEmkfVjMgW5O
BF0AphUt1r9ptI6NvzcuJ5lFTIXHDa263UBRpHb65EgaHYqKC5LKLSXmUoKXcTU9fBLWFRYG
N11qVpdoO1WSD7R7U7ZDbix76ujLCfOtPlqrh0TzHEzE3U22X3hxL+rHjDbvrLQuEhKbVYaB
WaY1THCJjB4SA4YcWOXUNNA1i+baXlDw2XKqZrEriv+zARTxlF1GzpXBoh9ymH9TsyPg1dg9
BbzzGy6r99LMMHmt/kB8BrOX6BfnzeLwSmg4VZ/aUWSAKK2cxbvmQFA5HkuFJ2sUc2VXmuPR
DRY+vurz9PHMF5WZI8ait4/2m+W4zvsYZdgOPPkGr63+DVKssczpZWSq4zX5Ykmd9e+bsCUn
E9jAI0iH4P4SKyFt1IkRWMAaUxQjN2v5/CIyydaavQGKM7AB0CjZL2835LwqiboOmptxzuWJ
5HJM5JSqr1HMHP8vokNKcbrU0taV9IuTuBjPl198TR1vxPhHYcACIt6TP4wr1ApAsax3yoDd
T/KrmCaczIeX6BmFFqXjDM/azhpQKIyFGgbDzrRAQ/CatG8Vy1baA5uJIsmiLxc7imwtUf5r
uJOlXSi72uQd9eBx55mlt+zNHbrxULPYBIL4zOe3g1SXb0leZsvPjVAWcj21AgH2QJx1IoV0
POwfFLEVCjTxiQIcBBABAgAGBQJMZY8YAAoJEBPAtWZ6OLCw8NEQALA9UfSTm/Zqc2pJn+nN
q4sfhPUhYlTUxE1D49FzF4GmUHDYzMlU8VVZub5LahrITDINOIidmf49wXc3BcjcEKCUjND2
aL/0JMtyMMORH+3g/Vz8HvktL3EnOiTw+Z9p1GNbEROI195VIWwNRjU/EYv78ErcrQ99MzJu
O5yz+Qibp6JUSIzMGVTAiGIPzdJvnbd9JQXfg+fhanWKIIzj0dqNmH7tqYuld0K1nD/5cf5j
o8Gc2L8GQgIStjUF5OwkElnO45iSYz4rgw2PfHVQBX8GsLBGRhKcxUK9psNBHIP0eWUk7sTG
4/cbLgkQow+u0ryitmu+IJ/Q79NUiRNrw6a0rf2FUY3Nh/AbVqLVdQChKrxGtDQuJtpwh+uV
RYTmc1rPmyPbsWj6xmgfvkLgX14E+5EPx8H1wyRsRpBPEW+Wb397I5eEt+gCEjfjrCprD/xX
eNSRMdOT9NVG1HJ3wmeTEddkpbDNhtY09ydMzS1O3auJReh0L7ZRn8gPmnXk4EPamDNzY8N2
OVByXKEPhb3bHD9RCHEaSe02BDcR1nbpbVAX3onquvK4ejZMuZIXXktbBcnqHz+zbRGRyoQO
Jsgh6bv3qun3fer12w22PJ8Q8ifhAmcS+Lhadvq4hskVprr5tRmvxHRKPgZF0ZqGOmqvikyV
YhFvZabdkKACAYCZiQIcBBABAgAGBQJMZsf4AAoJEBwB9EPJyTxaJbQP/1OgrWHtcJ39T7gf
wh+3lbFvmcQ4ggc45PfnM7jM+OZbkPZOMnTmXgDXIz+0SKbPUVH86XPbeZAXHXavtIFvqbPC
yC284oQeG0gzwS5yxygry5jj0fZmw2W0MfSQWEuUkj4HBkqEhgXGmbsYhCbbN6+O8XvBvIvY
EIYO5a7wSzi/21NPuG3hcGMFV2yzr6p2FtvXfO5biWGcf0yvkj0YeBzaCwdty4F+1qGAIHcH
oPhXCEggJKZtOYVZmsHz6/6RYghmRaSoGoG7Jj9+6udgZCycn6EKPVTE+p3tMiHxJzviEFRD
Ov6iNBC55cFhSbMplkW7fH/M6rkW/e6+1zhxP1K11gwNTtoMJelrePLRpf/w12lNJl9jhe6h
fw07mluEogjhXLVOQWSFjz3Y1Tfb0ez53ev/ooucvk9XT/svl2UM/K6RqyWYl1A8KCp5OgW5
nXzRZ6fc4Ht9OY0sxMNLTLZ3enwrVa857n2VrnOgRTe8bFqNSMcR39QMAD6h9qmJR7cNbFKn
IyQQiOtKCDFbZ7wyMroepw8wNLXPlvtMvS2zSBmMC/gJsdZVHK0u3O1Rpp1Jhq/qsve7D/fE
NhHih8FBKPH1YXUOILdR0zDkyBUdXHBUpZlcRovaznkigKX6LL7f2SbXZo/jO0L1FHDhYQs7
kl7OmWIXh8XW4m0ocB3IiQIcBBABAgAGBQJMduUKAAoJEK8ig6p24qx7z1gP/3wRRaEX7n5p
oZUnpEcNy3ZRQPAfVAAX07aBSnTuHzuphX0smAfJu5fqEuYP1XzBUV/WSxuQ6nGtFoVSLEpg
W3EX+KgLUGEv7Y4NI9LUNd47CNcZ3Fo26hQ1ur66c0asuLjseHbHl1aYwRgOarMy3X8JO1b8
x3z9edPan11kBIeLpjlBnnScZVB9EB2ezptxaXvyvyq/+SAfRMnGKKO6qx5vG9uK2g7GOPJk
dzS5LGeguixNjh7pN1ewiSHO/AqPyywVGYiYB9dnVWT0RwCZMXs3YmytZHfc58EpmKDoI19W
MFA4Hsdgwp9ucXJMfZZ1Xw0i02fJQKs911aw0dF/hVjHSOQfVAiNvBFn8u5l4hgFG3JkZ6Yl
rktrC6HThK3mo+KUNlynB70xSLXwxIHYkQUTxGr0HqZgRQJL03pPqk2Y+Lx4ndu4g0YwnInv
1arb5Yfg/y4IJ6GDY6W6gvPP4wUrxue1w6BwqRwO0rD0vRMJtJqzoIRNCE8aqtQP96OmH5iy
xAQo39Mvz5cntzaNMV9LOm7RgSaBvt/hLwxfhG2KX6Fca8hAXo0Q9dg5FbHSyLxF0mSZTRpO
NPFzMz5zc2yUpjW3Holt9+5n9pzi8EUVwfNnFzijagzbL9bwuyc37M9wnPp5x2wLx3MF2o/3
fNzpyo5Lh+IH7efZcG4XnUsYiQIcBBABAgAGBQJVcaVQAAoJENqCgw48zDo65e0P/2RDhlCL
zEUuut3KmGhBmPbiTX7CnpwFhatNFIb+C1EJ2giPmmrwn0O25ED8dJFC0GhZrwNatuRzSefI
yc75hGrTr/BFqRLAOD4xfMqOE5U4+z0frVTyuxB9Gdr31EmZ9miykKnfzcz1YY4MpQtzQOWj
SiYFgjofwcpI+b5MjnqG3T8q1PzONnvvx7BrXt0lRNqL5MyByaV51CPbENyhWeJMu5tX3hAR
rsuWoBP3kw6Df/ij5I71EfO4vD8C8F6AKWt8mBjyOfIpDmHkxNU0HYrmOnxzqXGqHTu+II83
vgJOurjZ7TnqEe9jB4XMNF7w6+SPL6u3bNfzH0KPpEjzBV7jQKFUhllkRbcf2PeLnmzex3+U
pEJjS5HLOkJt3B8wyANnZB358921snsv4LVJmgx1aVpeYWNo8vRgzKRMZT5Qk3ckXmuzHN3O
FGKwLJnHmnha6rXG0ShlYjNY2wJjfmwaed4wU9k7T73tFbzoWJ1NXP37iQuEnOINVbNCQdfK
cvL/82Q3LcpiapN1E/QYdfYjNju9NVpnSFICDEEYOfvodDlxbEQegZdd8zVHayYQJuc62sUd
zPvMYLvQTq+x5tk1vJD+VSJ1sAbVZ3gzAANyMyYQ4670RK9H8z4ygxa09lAunkcJ3cUHRFat
JyRM/u5NYxmCxxL5l0/UqOJg775tiQIcBBABCAAGBQJMXHEzAAoJEPEUCEwIYRERgesP/1xd
2SPeYmC5X4OpUDsbqQoe79ojCbmd+2CoFHm+GM0WbtJHFi3BEJcVW//QNQJRSE5dKXCHtIDb
jDhzlTKYT4q0f0p25mWMJFOXqb8sNiorXXdDz7k7GwrRZFsi/XlyiIrCwVHwLpyDGkY5IPBz
p5JMXuxViM/TYn9BIX58rP7eVwAcazSBIs+QpAvUi4pfxNdPhrHh3Pczllxg6DamsEPBZsjM
fz7pJxiddkJgAlDpIa8C3ZX4HdMnoPZhMh3JHxry4CIceMC8BOuX4c3GyXuFkKTMJSlRViKG
57WyN7eQe17UZni23QLifLYD7V1r4cY7cWj1s/qsGtLsvtuVL2brOvHeHVEE7s6dWpQea6lo
jLtlWjNXvb7WQ6XNFqpal5x7MG95QbBKWGHfifhVt7WrDSW6kbouXYYEgRhSZBkPPjSZXTEv
54YkBVwCsb9fykKLOTy+wyJ5Ttj1kxtrMWsaofhDYOo9OtywwKL4AnfBMhE3NcrZ5Yf5MHHx
NK/A95j9p8/HY1dKSHNDRub7PMM73Xp0fc/6cCyl9sTM9SFymKvvcMFChRcy1ZF9kVkXP3w4
ZzoJz2YSTK4zIRY/Qqc+Z+BhX/rRuhwiILuCH9hXhhvBx9rKBxxKcTw1Gl5hZ8nP2CGXNkAV
qSXL/0H8hschAtxw203KMvqbpSq7bYkniQIcBBABCAAGBQJMXT8zAAoJEIcvcCxNbiWo+oQP
/2mKGGHKVA63SdyOkyAaz+mV2y9jIw+0hf2D6eoQ/OJ2l6vQqc4atQ9NsMBH5SKo+kPLhfof
NcO6axy4ngb27YK1czUS0oyF+Vv618k+1WePw4Kh4afVZGrGsHBiv8DcKbeAoEn3gVORu5UY
ElINIsW9ZIuIypyFXhV/zf30zR8MOd1uuJjif4ac7V+n+O0GpBgzCkKZoCdO7NJ3QH7RmpJ/
TYAug0UMY9YvU1P2ffTvZuHxdY8adJGnieFnsLrO7yYHlva6Y2T47m0QwM6BXe673hj45H7s
rZpbvNIEyRiXpucEm7YBCboiA8vBTjXOo8D27Aa5MoZUHF+znB9gRKWKUnkCyCT409yo8qJI
5uSm5LWOa3Dsje3jlzfQh0BVLbq2f/g/kgm06Sb8jWzLYHUvA/+K774sOQu2gSG0FkV8BQJc
M9RMdImzIMpNpV9JYOWZCzVbTe2ZzzZuNXQJFG7reuZ8SoB8JyrLEqNbfzJ4G+pNbXZbrSA3
ybMgkaIvt5xDujQSwH/we/V3W296WHmVbU1U1W6lfW43KbOXriCrLl/j6qiy9ln/gkVc/Amx
Mh2RC5bKOCTRJ2TgPms2+a4tSpOrqapcpa0OnZJJTG/sifz9/3eDGPTKoVkN1fYZqTp+0s8m
NohYO6YMJsuqkYNr7UAHOTE1p8nhrq4RQlaIiQIcBBABCAAGBQJMXUTaAAoJEFOUR53TUkxR
rf4P/jp1G3yjSGwglzqEbvu4rzO6LrC8ZqnxOSWjKd8xN/CIje6naB5P3gRFLphJaDUgnlpx
nQYODkDZlMPsSmUY6+GrM+XDPIEnw2Yp2Vb6OVTSeDzgpjgNsdKptNGR2ENFpC5ReAKEKAUy
7bLcraD04IV35hnuHNevjq86VO+Dev/SQ2NJf0NrOuC3iW2YA5SEXcJYGp1vXAZjRUprOnxK
n/e04kTTA4b3cKzoEo/bQqk7C+7fLG1vHziDDPszsZ09G7eAhnhZmFVTk/jvBxJ9ra56Bo8l
ArknJ7A/LHvGe2SEd9MVcoKIHGpM3IPhJldZiXNeyz/HuUA+xKAY2Ox+p0vDlKUAF/koME7u
2wwx4ncMnRdbVOGNGDJTJhJGWk3VIUsicbQQ8M+wKnkJmLNI0ZGWdoNADdIR/xSIhL8bUaVu
PC8amQwK3VD7iNRcbNnIw0+Xbzev892lbBvav1Y/V6G9lBeS4KrLu1s5h+cmCq84RlW3xCzY
B3yZhWUeojvuplyNKPApJwkjWXGC1LK6VldZzYksXMb+9JxtoE6A/9F++NKqEmDilKl15YFV
Dy/beTjoSK1+6T6RrTKOPt6kFu2460PTa9KOqjpQ60hxOn/YpyAeEK/MtRuBjAT+wBCIX+NY
UIxHNX3mcl35l6Gb1nYtL4CxBG4h557CGM4s65IJiQIcBBABCAAGBQJMXyNnAAoJEHqPSei2
NIC+Za4P+gLihkZlHwFEM0pNSR9GoL6OsaEnsUebefwcLSrX10Ee+5mpODki11Sf1flIWJ7J
I+2Gj7U2NtFFXBvzNCUDN30Xb+QJBSU+pgJERtXThl8hKYuot79wg7FclsIo9P/NEQ60/tji
2iSQ/w12NIApczn6FmX/xVaKafJyf/QRnI0mxQvd5w7JEoeIKvaUVjt5Zz9fUhTiM/9kDCv7
E4a+PuVP7nyQdSCoduhFYQwLf+727mxtdLjK5OHXl1jYx5tcFdTyumZpB7bG/R6U2wb55kxd
iAltk4U+59p7NG7JSu5Lnexq+p5/281vVH33PrIINuZUhmpPovFNeDz6lFqEICQvaiS2STte
/BY6yBwIDx/1nUhiBF3yUU1TOQrtQUfRjox4QRj1g8YpGspsUXagBltN04l4tev6Hw8tCn7A
/f/RkdQ/7U6N24ZP3BdBx1R9nKvksE+C+v5QwlqpufU8Zaj1YpmPBn/yfSzSCvd9cE8pa4zO
KujACMEsPh0c/BDoiWsmxKLTzOoeKGwl15x6x1Y1yTKOLD0wXXvEM0TVF3x3RJgvpdnvonN6
c7URWq31zKcISwLOKCK1c0UK7hyD8zFISiPChiUUdGicZ1Jo0me+xp7R9b2QQnwVj4kO94gY
maw/3ouaDqOrU80N5pVC5vC8XSp/iGAY8wR0fc0qsPY6iQIcBBABCAAGBQJMXzSvAAoJENFd
MTiCAEFz+XAQAJo4XauT6qsxxS3i4ADlzeesoE5g+QPzg5mpVP8NA+kEXqLuvW7ZZjDzMClh
bpnhT9L6lgMdKOzODa8PzMMe8lMlQtGQsfby9Jy7c15wFwO3YLr0OesnS0gGMV0cxpu7XVmZ
ROPqOn1eVk25eaZHO3dHrc4ve2OMP3ZG+df3+kwQpiMgrl5x+9UHOWfqEtyT590yzofK3FCj
qHZwMUt2pYeCksErljI2hmrKDqp1zVcjE7OoQwc6M14i2HvhYwAtvEJTuqyIjFZL/XzGS4La
2q43fiLlAJalwlvIBEtRH7E5qWJEiS8gs47+Qcwigw16RhVp0FxhD7kT1vHrCoqwMFh5ULQB
fEYVQVbfVaXU9vL61LOvPfnE7QVCMnREwzCyYlD+FonI/LK1pqbzXgEJjh48rXEVuzic1G3Z
zipxiAbJNattO5aWuQjlEQv1ykWGIwh5Fa+LEQ6Idcxi32CsD7FFCYI4dg9GpZwM0NjJYrYN
sN+Nl8/o96LBGzCsminV+M+jXyGN7S08DoEyuuoAwmiY/48lAQJQChMH+M0M/UthALdcTooe
epFC3AiHiIaKUouRyqo60vNbAixbv1olxZpu12KlgCAg/ra9VcYjvt48msQTtmDQLz8/aY2L
eoFLm4L4NMqIQ5Dxywqen1MTKkk6GIx+7pAJH5Z3izmQJEYpiQIcBBABCAAGBQJMYe5MAAoJ
EHA3PPEpDbnOyQgQAJcCcEi6GZBjFHjNE3N2iLVUMItWSEdx93NabuJi7FpuhorwaJphZiYY
3ehgSa4t0/gNzkRkscCmbzjAr/auQsS+iSpINgCKUJ+dwOO7t03owH7ARXb4gmWY58poL+J5
ZgkqDok7ZtW09G+OenTaAccIpmb1IaGHDASwZ74EuH5M2P3iP42h7Q7Slhxer1GVloLD4SPs
8W/3Rslwh+/ccYfweNC3gLvU1q50bj6kvO6OWemcI1NAWtxEDTGjsS+BsXBPlYQRF3tqtoQF
Ht3xUKlGjHBO0DYymOMAlQzXfW7uqUYenrOXmOV048rqZxRtSdQwlXUHyaGIuyCRWqzzqYip
ArtquhHSSKedxe5wltdqeB9G/D/zwHR1fz4VFkECxRp0rWnnOnWJEp6+uxYPiIV/36qB7X9d
NFxlt0Vu3vZZiXgo9RMLjdQdYuBBJrshlwKkOlYPDzpYjHWmXJjKUIhDTqD5Kr2CTw3TrRyu
mHevt0nbqlnzoHd935ZssJdbYGDC+F9aUfcyzwJN+CH34zKz5gtteGP48DewptBF61Dyl0Pa
rHthrkwMqdZBA6cHE4lGpvrGh3GXASqf/rtAHwLM4brOhtH/LYYjvO81wThRmtjyjmSsokSl
0p496fHxPDuGr7kbBDMtdfVdty8zJ8IaWI11wTYExu/6VgY9dlhuiQIcBBABCAAGBQJMYfU5
AAoJEHcx/Mxj5OJ3X+MQAIdfUJP5Pmxv6T+yNRYSZ44Kx6cJJVvPtWkV+h5gx2sY/uTAS4/y
oiBrtnxilEr1D3MbWyElI6jZPlDXxl/Jx42kEEur5BkVOFmAmAJYRork7qCds2RAWGnhqlNH
vuMIz1/PfJlcB2hS5qo+JZLxTFk4ltOTUT6W8ENacKzcpzWGeQvqG/dY8H8FL2hnvNLiGITY
XZY6hWGvW5Ti5xzIBXj7QN1C3WZAmxTOt9C/t6PHHktfC+MNGN9zQEBAn9MLkE80oSwEX38q
/ukX1RpXCUTZmxIbXOaLc6deaTcxjJbBOX+YE1dSXrg3KxhXg1IUsMVBhQx96p+yhTUwznfE
F3pZQiWZhVP9/qGa56tR6pejRM8nfgZaLNcT7nVibIk/7Js+fXRYp5nWUKf3f0BoymQss9MU
cQLFs2Dm/l6iX1gFUgqoiOVIAX8DRc7MfJ+UTlHBOMGDKVok9nVsZegQYe6P/C88vfFlI1Qy
fV4KAdAb4YwD2HatpcjDcX5TRX49mD+pmK0bx4+L3toRG6W3OPvTcsaubE9peNfjwS5L6CF/
M0Fq6IhIUobcDRjmUNtiXk77WmI0ZM1RiaaknHHCHXGQgS+QPd82Htox2ndOwP0ScgbqlL4D
LT3ZJqRJVWgnWK/n2BrctT63KFAZa68Epm4v0GZtTjpJpL1DYnUd/J6OiQIcBBABCAAGBQJM
Yt5PAAoJEHfG+0Pj0wgkbVQP/1NGXS+oar0Y3GuQZ+HwYq4t7Sh8CbCIZlei01oDcC95Fl65
HtTZJcd8RTPCkTilZV4orC+gHppLVGi2GQdSJ6C4whlnliwDtgU6uJ9uuP6EKTsGh1jAoTlq
eSDx1n8/F4JG6A1xVOekZ8NzTIfpfdFlAYANe+z674ZrRPi6tL5euQ9/iJpi//bZJMVvmttM
2QJ+XxNn/CrGKGZbA1PjBYYol3s7DjZLhR3IhgK/rvmVCo+0waZzPqI0CD/axU2OXT8B4lIG
WvDcccX/8p1tzIjlXNNsDV804c+VtUVX3jZMISmVMWLfkShhnUEhfwi5CUNtctL1SPlqwvbK
q3bxZjol/OFu2KbW1IjhZ2dJ2e1hQ1V8jUjSYQ4xdDDwzS/Z6EWWn7cLycAR8xF4CQd92hCx
o5AIgkQGG1R6iraztY5H/fdhXjzySby6q9Zvfa+rw0GkXpJzffKwrjZu27+QCqvNGX/3b1f2
s0eZ3EkFam9cMD3df8PCPU7Wt/IN8Sxv7JQqkb6StQF3NjI/lnFLcb7qf4dhZItGZBbkWfwj
M2PMEIbCl66bi8XqviJUUskn2XWfhaodv13VyXGeGzVEw4+N4auDM1w3WZ5SnSXWrFazIXCw
IBWYFSyHlKawy+Rd3I9ueYyA7PqgwdczNxTwILXhB0+pBd0Z9FMxjL85C1N7iQIcBBABCAAG
BQJMZ04vAAoJELNGT4lqoVlI9tEP/0yGcqKoQuNUIsuMasD3zVuh5j77i4wo/FCqQvMQIlzd
PWl+gC9W0xDA7vILOcqZEErIi4PPGwqpQYGUgh9KynP4HQau+43qe2BrvdauFCIJPsmuwfER
OwrgdSkKyvdXA08WG77v0a1V+u6nsnmbXg5/xZZdwCAKt+kILPVemxeIy+f1AAHj2zLnDGfy
0JE1jN4w+JZrhdWtsYXWMnfRFQQqPbnVqi5BkFDeRalBn0R4mLTCCOZn/fGodA7EdmRL1dLN
X9FbnfD8AWMDEPMDZ/h8HdK7dD16XxW7i5o6ZbVvftyf/yaF+bhtOyTHabkdSlMJXHzl5mnW
mH8NVlTTQt05SJ86NhOjr98dhSvcQOxFT/fVajDcXAQbdKnylAWHEjnejGgt9QwpM99l/Mp4
8j2rLgqfexF54y53km5ssTub3QJ19FG0FPLvRB5fnXfzOvn8iDhcC5V7dA7q08afUjaLDTVG
6byCHe8TR9weCaCrV7vvGHzmEEPRNzu02C86SXGZw05eRMWFKJL0AG1avj6k24hsnatuoUke
6IA5zcx81GbkqPDiOiiYJOEZFY1Eokm6MhIQ30HwUO0TQ93TdNgD0pJdAiElPyhs6csf6/Jr
ijOSajEDcEOuKzqYnrmY2AmDgfyOrjoW44ADKOcRTnnhAF26ljBzwqa4xguz9HEUiQIcBBAB
CAAGBQJMbL+KAAoJEORPgBbTYw+Jb74QAIQ2ADLJSvn+c5MBWYwc2NcFrRHIc0JXwmn+wzG+
QLeFDGO9SV//LM9L0XIIbsFFn71Rv+/KqyFLn9SyeGdJakuL/AMC4qF1m6bCzwSMdoZeYBwK
2r3bgPU4xW94O8zKOfRF9kwxP+QK2adfR1y7j3X70rICZYAua2ugkZcIDkN549PBze+2LYnR
3CIhyOV6nYTArKhYuaDiNnS822l8VThOgk/Dmdof0+ExQfl7Nc2oAk7wljhmLX7nMonNZcDI
ct+fDsVS856UYg3aJR8EuDCAayZHZvo24/bKPwroxl26+tEEfsqks7epWZZRGY0lH+IY2qoP
oFhHPodpAw+faiafD5/06Vo3SzH2i/btYQEwwCCA21cRLwpv9432Ia4ekvjPQ2E3fjBWGyNs
UA49MYhtllX/8jk6LE+AIU43PFit6ZB2BzVBunsy/LH4ZLxdi5sLTA1f0dO9jNkqf3xGbRIp
PVXtQ6t/9PUXAy1evqWBQgRNHVScKL6pjuoLurSIenQCbcNQo1iNLB9DuenAHNUBP6Ny3cby
hqMpazBoCIb4HqtdeUBmzdDZ3okIdjXQaxsHZhDsLNQM1ggj9mu0vJWSkXfdXpew2Z/J3Cco
lOuTcTqfGi5kdoDHPLvFDEYyrGKiHTV6P7TxoIxml4A0rY6gHFYlF1b5SXmUiCt+cKMgiQIc
BBABCAAGBQJMbyrFAAoJEHxWrP6UeJfYj6EP/0SlRe8esTX01wSot7D9mZfjK/yvpA3g2YQi
3U86Nb2vvLvJAamLzV+Ka5GL34lPASAIgwfilQyVhmAsyTOQ1sIU+rPav4olOoUTBaORlzL6
1AmhtI5N0HpjgnIDLmtKF5F/kRxm7JmcgnHgiKoSZCzZH2tomVVIGA9/aSDznr4N/uJZ0yWT
6MxKbmS3udM8WAgKxNN8IB2Z/xVDJ2dXMt0a4IgHNAn7wgfaizOiOKaJ77c4c/LNRiyhomA3
VgHDBTP+WgDwEcJupo6RiXWyvd1yDTEsHCApieODSIlniWUePiuwjBPNNKwH0/yRo1fkK6cY
kqbCD8Dk10p7HUr1+BEGW2fns45mpwJH9PvbJ7e7VldPs7AKmEKC0HHKZ9BNa3AJiujwnaUj
EYt6hq+/DRUQp6iqTPDAKE1bNTA4JD55zd1gGthsGHKfTSAydT/kdvxWH8fK6F0vOssQy7iD
o+8VVoVpbl3qJ1MtvbJTxum4ElFhPYaG4Oh/JPK1vhWVXva9T1PX6sGskdC9DPgDLStCweq3
RqzAhjPvcqgpx39mZGU/SQzwVUFN7aqASNl0ZFUMmnZ/4aNNYXY9yEAvx8GetdZm8s+0gw4O
zecerDlVf6xykodTT9sK3qiiRF53P5A8HlgyXoewut6MyKGEwhItfUshFSp7MMMJcycl+I8Y
iQIcBBABCAAGBQJMb/jgAAoJEJ0LXlse7I8OrucP/jRV886elnIly0yuYX3ALXDPgGKFwbRZ
GWC1qjf3ESdrqjC+On7jMLnT3/A4l03F23bpHEAOnTl5Ounb1PrhDnvo7msJUH1ZdtqsoT16
sAPbq14Rsg4+n7f72KYKwcQaNVkgizg/W6a8VJDOxQQgkrZh3Lp90O8krIp6MDgd+XKEQRjV
HxyhzpHHyqAaY+/nhRY3VXATZ/5K4+pdyRt0aWlpvftYTvX/iZnGBrsfjgYkBZnix/+PfFtF
A2p0AXfiFfFuU3BlE/kG35gGDgbYf9SouHuYeR6TLgEMOekxeqPacbTTpM051Mq4tewfFQHM
raLLSMCucl+duu7kyDRXfwZ+zoQ7I74UT9gRkI/jSYecRKAoSYnoewDo2bNMEsnYjFwyf+Zt
MEV3glEDcE7FXgm20YYjFb7uMQIVbiuXnFho9RQFyu6z67cfIcJzEn1pttMdV0vmMfi872Cr
BKGHxYu4gP1a+yQWx6N4Xgm1eJVdAdzhmkX7mH5C2GKLPIWzwT+onyi3qCCUWp4NL+2QescH
IVkc8daU0AH4IGp0A83dpRDb91vYWFImVW2brurAsBwNtKRhpd6yG+ufE8+9PBzQ+hZD4+C0
jyR/T5HAsuMQNSfcDDEi70E6wRLEd/KYp0YePkoAKES5CB3n46XS+WESddBXfeK0OZpAbXye
45lyiQIcBBABCAAGBQJVku4RAAoJEOugxsccACVvHtQP/1218tsrXF0nLofFs9edddWw4NLo
ZYc3HvELTHfyq4/41ERGOQoevO5/3tMzSyAG5C2lmKOz8SDHjAwkLmbqiYI2EbwYxLg1lTzw
1jZGpjzBfKm+dll3SWroKiyesv/iPrExc6fJ1mxLWtP6G7R4m6ibmz46uywwreT6WvhKRKzs
IPQdf84W13y2ItpFe9n2U3/Sy50brOnqAiLj/zIP5PIaaHzrqUIevdINFgyIWee2s7tTDcNm
zV8TV6+cMs4jT8nqguNy0lBGjMsSm4BviQRZJON7h/v3/yf67TctHMWJxeD62STnXS6wjEIk
TTYSNSEZGvMw6Ti3lVB4nlx7WW8wLX9X5/1QdPc9jZyVpsh8QzqUtp+jDo6dfXPBYfUlwm1v
Q84BVfcknpMkVMDLX9EMS8M2HLWBGCOEa2/n88ocUnjX2ZL5C2MGlK1TTyxSWCA8D9beVpKa
PdYP8JfUiZpC5nLKKBvyEGJhUa2dOY6jdbPRZX+V2TWMIwGWq03kSv4VBHdErK+HUXXcFvue
OdQBEOcN4H78RPd20CNTEIE4bsxgT+riXcjUDDrfIH4EQsA4oh1Z5fXpE47y3ZMMJuWfRzrg
es5QTKNFKDfLsDwPvgyJV3iLbJeKp3G/Te+scm3UDYi9dCB0eu1MiKM6SIxrJIGzl068Xndh
QNLOTpCjiQIcBBABCgAGBQJMXbYRAAoJEF0yjQgqqrFAvAsQALNsAqgOJrnudiKERxnGU8dD
YlxWPADlESd/DfsoEFkyd87GXVzfOE3ZaGKW66PB/D8eEfiT3wWVNpmAfIoHePXkPsA7NSyD
CORROlpxXE9zFaiRYMzY3EdCsvSjSn2F3K7pymCC5yuYFXTW1J6x+CS8YCEautV5h6oIsGsD
4zqXyHLWM6Htm1J1Rk0vW9tJqtfO39CFD/McuOUC6QMNLeBlWri8VDFmdGixOmLNAtBoZkPv
i7AE3BFa4utWcLLjm5gMDsPW2xag21LAwX+xiZ/G0xkDfwKM6w01KcIp03wVzWBwtaUApsmu
6fsH6gFPFuqrAKadAJY/L/U0A5QI8Lw8joq152skYYwzwC0INYTw+gst4IJDWPtjd5sK80Q9
NJpnqLJv91KAn5+Ya/i+K3jjFQLwII8x1rX+B+hxsbofh95VdfPJW7W2ZMFAc5kpiN6Vmw6O
X5i0x407cMV2TslvGI5L0aQ1T9mnMipqMnQNX9sMjCUSRNVa1DTYPr4ANkPy4ssXxenRN6Y6
J1Y2KORYgm93FfUpQaUUHOPzBT8PlfuTn1rNZpIABEl7RB2qpsJIWytQjZ8U/9epUiiChMXk
1zmB8izRWAoX9NtLM7KttiFht1nRYgB+8Q9/Ta5mros/htAW4slcFzNwEqFFEYNpgdtfh+S5
50o9SeOpmQQqiQIcBBABCgAGBQJMXlHEAAoJEDkUtTL0376Zk/AP/2NHH69E18cRAOuET57I
oRZmJqa+a+cIdmXFIhWlxUtQfEBdXwSDDcCNVZCWWabiHieSEahXSbCQIpjsjfTLHVVmBBCY
a1XFHixF3tnR8auN/KONFQ5tl5IViAw0tYBX1zbx3FqZf/XMqzOr/twpKrbI2VaslvjPpu1E
sZ7KiXnqjWU1Dp9ydwK7sdb34V6w/N/uonaulFq6IZ4GzQzIaF7/SkOwm9am9TKON/OmE9HL
hz4kGimtnvztfaGQANF/YxBdjXEvtUp76y8QwXrxOD8f7EFQmascGPIJqgR9KLYp1Tsw6EFJ
eKpDGJjzevkBN8eeIDLOWfcG+qlhNHHtnbfXnv9Ojr8b1idvSsdqvwFBAjw2svZAK5f0wkrx
KU3U5/hTIz89EQuT0o/oJWBj67ONQYHyh4CYMZi3oTiqFWQH10utKi4kGnM8jaDA2No4q4xk
n6L99QIU+RClkamJVBQdmzoSYpjiFoAlXDIhwQGt+QmhbizZLp6NqxXJOOHJ8ictRpRlzHOq
ERlLNkmaaf4YTyBeEIH+GYad/xiqDQqm5NQHFBira2dZskxKC3SND1e5sTd0nYIur09wbJG+
z72oKoiPMCf4Lzawpi83Yz3Swks8hZ32fbObhuiAmfXqEfDlhbf6Hz9NqTxE57faXm8pWrRy
o1QgHe7WNpM8vth/iQIcBBABCgAGBQJMZa+UAAoJEDIkf7tArR+mQ54P/j192Qx1SS9xW+Ao
2V6IdWidRtV25Pkt4LckZAIJHfVEvjpM8z1uuY34YacjFeZWtfI3mpM9JUQ2Zx854oSX9z0S
iQ0u5XnPNBavYZ+DKgGygOyDQdNdjvdzR13IT3RIu+OAnAFkBfwS2r8i2rrWpeZxltPR1Uc8
J0ZtJ+DLgdbtWZxCGIl5eupdbf03oNQ0GHP/h4W9Ls2kvJOzILQx24+9tCZBIi6ZuHjlawhV
uZwTvhuc9HNhl5knHeyOZCFfBcNTWFnxuHIzYq0AU/12+WYuZ+SLll7+yA1yHpP7tQrz6oSY
rQGLzsBq0/kONM4WYmhMQVtgxuxjZV7DK8+1f1YlbKCGrk/R4lZ2JklJ2+qI2WMiiW4BdZ3o
CkEi8z5Z2vISsbTe9LujYnEbiTyCiEZlrz5bkavOgMP8T/0NlA0GSUt1Jo4hkLG9eWUfYgq/
7N9vMQd0ihpUVKciJyqaSixVZVX2OdUW0nCh2ftwOzfvjhBG3GydQDb6Q8tdiOeLL4kB/zpO
VfZu3UydE7CAtqzvNj9DRR6hfyuELHULoxkP7DHCJIx2k4ZZwgUmLHYIyni8ITsRUnapzqwO
Gy4wmQM9ZGvI1vFXINsV8FUKg55scO7baXwizGX6UQ4jwvCBkt7i/1lYhY5udn8vmQ0cRf9Z
HjKhTYfZ05hp1dAc9Z7piQIcBBABCgAGBQJMbA/0AAoJEHhT2k1JiBrTtIEP+wRhrJcz3w7K
y8F8xF7+ihU9k/lvDjqZLlYKuX6kJsTupTygmC7bNVw4uBfGzlujY5kroa375kGK0Q6Uh4PT
ffiySDUmKj4ap29rlLT3JzFuu5CIH2jskPEAYhqgaf1NZUKAcIncDtVGZWi5J/Gi8faVyRnn
tE86gVvHzlgsDoz4WLE/Wer/LUkotK66I9sn6t877lm948GIrJ0pknNHB1bCcR6YhNRS6fI5
n9W3bkHBBs+ilCd1GlWKl+a/NmBnr3yMKEYrM8hdh8RVJlHW1puyLruumoxolSToGvhAIPV5
E8D8dc92Pa5N0tELtw4a1Ao9zl4X980QQ9XPqp19LdgrN4ipqxgaxlVywzSq1fObqtSd5IYo
NuLz3PvoFeoDyP0degy+4PxXX+hERcpe224No/Oo6cPvyxblgftFpMlRVuxLJx79m2B0db/A
lIEN4RAa6mO77ZcJnAeInD6ZWnHw+bVPTbGnsz/9L8EJA/SjILpBcG9UO9pqUYu+aL80AgDF
FoWlq/Oy5YOjTIBBMcE9iN4V7RV0S7ygA7xXQ8JEon3lrgVNRQ3tyrqclXKw90ehPS8ntYJe
8rr7M7hw9SGC/UwLlZctG0BO/Le1aoRI7U6NTnfKgdhfn2UAPX7tgSAX/xgZDcuF3T8KeTwH
/GYjjUzgeoKuZMtfMjXtEOfxiQIiBBABCgAMBQJMYt0+BYMJZgGAAAoJEMzS7ZTSFznpEuUP
/ih8u8cHaYsnA0vQnfXUB3NDtKpwPA39yTh12Em2QWP9ezw9CizD9VRBmR3kksbxvFI7lNHF
bBR26jzHvz5wh0OFAoL0QpnwqO6YVDYAnDbwU+9Gyk9zFz5WAiTaj1AFMA2Y6tfq9M6eYOG8
7eNVVdRI6NOwmjO5cO1NNFO6fo4zxa93VLX8CS+4Xgt+qYnJc6bZDbwUPdmfSr0UgRVVbZAO
CGE4f2tSeLQwEOkO44XB1rgRilyGu9dRShgxLQoauAXzsQvqMzaNwjal2bz+yunhj14Q81xk
xJZ96I0w7IzMPmu5tjyPa/1Bhn+f8cHkqQQKcu4Bf2OEtANNU6M98reiS/K4cHEj0ChdFiHX
l2z4WxSsihbC3megEX96l9A2uVgJK0VsSPQQkGKzVsJkEAsld8tC4XK4OzukpXB184h68huy
TL1jdJkYcZoBQ/3Lo6Z7TJ5ZvnUhdpuvQdRfmBYK1AuRuNuhmPDYV2/qqmFOYBrpUY2/qv0k
xOYUduergCG6cI8zFK+KWn3S3sfxVt/032qe7oa9/VsloGBRwiaLl7MAwzHJfUgZCMIcfJgx
6sQRhrvZbwWg64UyG+xFuocSqTRkcCU2fezMZHhLA6B6CZgk0sY/VBQLBBOy4bmtb54AslmW
f39NNnD/VzkSqURypo3aDKn/f/v9+JNBfcCJiQI3BBMBCAAhAhsDAh4BAheABQJKB2jkBQsJ
CAcDBRUKCQgLBRYCAwEAAAoJEESXUni4YStd9mcP/AtRNozdY/n06hAVJCnI2W0U0/BknKBd
z8SXGItd3Mb++tWs8tMvZw40hB3C6oQJu9CdZ4tzZtf1jSUxoAJjGTGOiz0pooeINAuN0xRa
eLzUPyQNJpd1/CsZPFgtn4FeUa/T9WwHxZn/XzDBPd+N3uKzM63ZRpKU2lkSvSrh7fvqP13A
h8Zq/quMgOsCbQR6Dp1swJIm0s9gPfN4mEVXeknXnd2vRGrblJYL3u8V7cfjUjnCUlFmB7U5
TiROYZYeP3OIuDsAqv8+xweBswWxCxX0LYsuRHRxmLKWEYHAV6e0czRSJYKQdV90+URoOZin
Qdeo24cWK6caJEavAHFnDcKP5aMCrCtp9hM9EB1J5/w0zOEXLotwhD3cWVDv1k2s0w9wkNZp
PJKRdXL9f0en47MpqJqR9/8U9X9j8t8tTUbo9PcUcf3YB4hvmEBauBHrCBNslMx58uPYOFjV
YqbwHUzhTKHhUGVHbCkQrUOjD0z3sjKlzXFqO8Ba3sDAP+hs9+g3YUQX+A403rYJoI/b4Bvy
eZ4ryKanz4/zhskMDdSBZ/UvduPm+gHEyq8Xtj/jxRDX0EqLvkphDdUgZqnmanx3FkkH9EOx
fUxnqpdwJvAj6k3diWEuei7pSbTBlqi80fLRUm43135UP6AryHtUnraBSsaGskH4pznmwUfW
Kh5WtChHcmVnb3J5IENvbHBhcnQgKEV2b2xpeCkgPHJlZ0Bldm9saXguZnI+iEYEEBECAAYF
Akxr78UACgkQ1cqbBPLEI7xL7ACghnGFWacQR2ySOwHGcuP3y2NepV8AoLz9sWYoqYd0SL5T
192WWkJWAboKiEYEEBECAAYFAlCf5Q8ACgkQcPNeJG1THnOB7QCghdTeFj/8kaopb1WjUCof
BrrhzNQAnjYiGUchyKzDS++2vV4VPwxvMZZIiEYEEBEIAAYFAkoHceYACgkQMhdcDcECeg7B
0gCfXpPTRYvu8+YGBrnl3ryzbBrYCiIAnRMek3cGNpJrDT76nPCVkp9J7zqjiEYEEBEIAAYF
AkxccSAACgkQ4VUX8isJIMAYjQCfRZD7k69DKbhcMYOYWt5paHpg6SMAoIPdjQhnId+yPSTL
h05O6LtJU7XOiEYEEBEIAAYFAkxdPysACgkQ1OXtrMAUPS2JYACeP1vgz920Qbq9CMig1p7V
9Bve+7sAn0FIeNCiAGp7owWq6mZX4BOD0o/IiEYEEBEIAAYFAkxfNKAACgkQ+YXjQAr8dHYl
2QCfa1lGYuTcxswPc6nqR8P9G1KoS5gAoNsq+dtZCJmYMIflfGNOxlzLUsNziEYEEBEIAAYF
AkxnTKEACgkQn3j4POjENGFPMQCeNYzQIXlYtcurpdjQru//evWc084AnA4MQEEKUkVvRLOl
PvkCi847vss1iEYEEBEKAAYFAkxeUcIACgkQ2hliNwI7P0846ACgm2JlzfNk5w49MB4cGDwy
Aodz+MQAnjanm/JlttRZCU+zLaxHxEj4JovdiQEcBBMBCAAGBQJK22d7AAoJEC0NWrh8JT1S
LqwIAKQmrdBXWS2UmANTYLBfDuytJJm+mHj1YSJ8ro92xzst6WBmqxMwQ2EscOv7S0rI/LGr
8PfXBnpp7Mf3zhwEXeUts0ZUt/Vy6s8UAVPTGPSQlj/Ya8u0mFfXkdGsLMgMdds9Cz8fLbZr
SycslmVmLtK4S+rhjQhJ0vXt2sL5VJ3HRznCpmSP5+ZQOlH/PenHLmV0kC9KcOsrxgvV6Rls
HIZ7oiATogYm/kuwXwQ+0qQAMsTY3AGwE0yuMXvDuDUnGdUBzaZJJZ/wodDFYlDxTJb9NOh5
P7PDBQghiR0LrnU+Y4b4Oh6ne61EyGRhP5ULvZ8RZsvDCO27gjNxRH1nJkmJAZwEEAEIAAYF
Akx2jugACgkQIjrgVb2U4VSOeAwAsBhm8cj/o2YZPP0gFdUCUyr6ecydoD1d0ER8wwvOci64
bA6Xeu+i8LtcAHKowj0h1uVye9SXK7FpfyPlD3j6hbikG5CKXSwwEfEOUHmBIdY+UarL2Att
791yM3hADK/LjKObU/hEFs+b50xsug4pbYGbnDgitj4AG7mrqLLReCAV708jbizQyxizDl2w
/aXbgRvjjVczuxFeFYGlkIFv+da3NoeYCV1oH7Wcg2vrBb+TrxgIbAMW4V36v+fIPaTsderL
QQTv86Rq5Uv+FvZaoA1y7rXMpDbD8OJ1DdRv5BeDAGOAWUFYj+XDDdpfKt91zOlzfr74hikP
1NWx0NEyG09wxvkV/6P1zjbv8NVedwhDBs6QQsco/oYx25Pqsin+x0mnc1NiDpR+9Oe7c4ha
6JzzN3ufllxydLpK4D1RC/ITKhNhIrG26qSEtk9K6zM4QQbD/Ngh/hztcHMObLYv4MIz/Uus
K+CoJDI9kPAISK7zKTHfGTbM4O+gST0gqcFSiQGcBBMBAgAGBQJSKkiDAAoJEO9z5tpYNrga
fAoL/0E2pxy8oF9vH2d87G/tYfJB1sndWixltZtLYJMZ6HVAwYBsq6ju02893SllpZ6xp99x
xAss+xeJF8PlpH5nauQOn07IyUNTytxa6kJ/xHcIuVEVFEBU5SUaXStqfugM/EE/V8pbW5di
oIILQx52NKli/JhrBWlW4/1k8moyuCkZqYsdwwp2QgLrJhcTNB1nWx4DBgonAL7GOGy7s2DP
6zoQT2rDmlMY+Y0GrYkt6dwwed0y8mP/6c1ayLP/5E7ZlJK7Lj/3WFxYXeOOP3rU2xm+Brym
u1ND4gGC9P+p3rlEBJ/loSruk9bbviULqiO5s7dB4Xzr2joED4u0suutYtSPnuY1fNV0DGxG
qgYvhwxcuOHVD3zBMuAfYoGSRQNsMrpzBnfytP2pF2CcS9L7maaTBxyKF7UbpqdvDDh74i+A
/J2O0TmMuraSX6r/szqCS8B5UdetjxWHpaEViIy4TiFBMIzkhhJIn4nngn8lHniRT6ex+TWp
dM/vkeO5f9ea24kCHAQQAQIABgUCTFxxnwAKCRDxppvkKcD/7nyjD/wIQDebpZRkWpthmHaP
NtpU8vn2WWtxigo4D/crBIrhWCvJGqm9P9n33AXpGGc3T6VEJGyq4lxdwBP/K5FC8a3hgCXr
dXAA+V5knfURy8kya5FBGK34YtrGXBcNv77I9GdGdum+tooYNnNJERueRkBLA4aIImB/W3NL
eL1f8vWVi4vys8Utpj8+5pg5GLstbpmzewtc2LQFstMDeCjBsrDiuZZrsp3fO6zKnizg0SOS
jTkSdXwvCma9j4mlmU2Ry9QJf3EBqyDwhe5Rcrl8TopaP75wOKD3r5npo+e95Wjvxy06PjjK
1ntAYLMuEODWiKAhQ31YYYg8v0yMvBRFLfFmtgmSoFcIiGJw7azkxJefqIhQr6SWUF2G3keQ
iD3qNjrriIqxdJQqj1XZjbwwHMKlvtvokf0xCWltpqzgW9YBcKwqr80Sp5Z2M5wjeB9TWhSu
uoG44r8dtz7GEVllGwGd+hRYbyhdaEjdgFjZtJ/T2n5ESYQ5h3V3vjJbbxVZ3fOE4ksVNEkR
5cv/h1x631SuU/287bb/ObGieYIbaIxpaQPedcPuX1+hHbLCrtZ9FAx1COzhIJbXG/2mS+2b
hTUyax9RQ4n01fgsU/C6FPeGqfyrrfijS2XKQAGsigRGm7rIjENjXM2fGqNsWGEPt9v3YoAl
vVv216XE3sCRMz4Ua4kCHAQQAQIABgUCTGAriwAKCRAedZpyap/ddM2HEADRXZZx9vRiIKFC
taquk6DZB15B+CTJSe+rhtiiRiSH8GZcifbF2ARqZF00OctbKkbBNycNV8FuxRiaZZSZN1fu
ZckgOKwMK83Llj0tHd+BTrjmOiZqrZ20l9j4CMfvoTQZLOqxbf0XKpfkx+WEf8HaJ59+2GDy
CvqYrzYW4oQLdc1wwQ1mI/6XcP5YyTPaOai7WzrRhL0ClYj6/kKrcyzUm3G91SuC/AXPGs5n
8QVINq1hidCyEjuRO29Pi9YjOIRA0YSmWwmF1Jq0CAWDlSeWZf6oZZq232UM4OnDosjp58pj
ldIf8YS8TcNLjFZUSq3ilfIJgTLZIfMj0H+YZyBRvHL8071X6xmqcQXmZb2xGOJHu/Zn1qrq
BjN7HIOrohVvVqccR5rbmQp2m763vqGCPL8nxZszGvH7v5PFCTdrfa8tlqiugadUvYW+SCn7
RI1QMijJJjrlWolD6ZJLSiA21a9B/y8XmUluedCQ+RiJLzYBVSZhHI4j6EdavCKbTZfeUZEW
PiYbpjltZ5oOjoTzI/C7GKn/btPdY298tHPIRPJP2P4Ybi0Xzx1tsZIApFEn/uHxzxndigef
Q0EtTz/ikmVN3CAPo2i9dj1urBixB2QuoESumF2hjUHs9rZDtug6CuskojI0GAb2wPNf/U6x
ugU3APwb6c8O+66de8wHNYkCHAQQAQIABgUCTGA3OAAKCRDXiExHGOGPRLxnEADsBFKXFFK9
8wUfiWk8b5ov+XJRvYhrOQZz7fX0iIxUaZCLaSIViyOD8RYFXr9KKuhGc7pcEvU71ccRdmN3
SoHz+RQDrCJlRgBosEAY5hfIuqtuCEF/njo1cNSR7kjkYc5PKXpbHL2G+15X8aOBdsd/Wa0W
E6vLxMerhS5ILRbRs30W/VzcNnlb/3dhHSvJPVF9FGBeZuOahY1edZKU7xu8k+udND6lV1Xy
j25Ty0mb1WfQ6ORuqLhXPbfIycqLD2sNmpFBNVlRkRejEhJU9IiOrqkgECPjqKUMo9cnCCt1
rVO0EZYvJGD75wl1PySqbQus1MMLep6FJsqvnUpEh/HzS6+Q3/2AL3a9JLITDm2h0TkCeX6q
o7b27aoe+J4cjiApF5E643OduBA6Ox2iauEr1t5d1J8ewFWx929EQYHnLgHtBx0CzZGUAZqU
NJEqLwfgxZaN86Kdw1xP6qKCuCdkhrsLt7gsACvSpkIEEhVxoAHqJleWF4MqozwfpsEO9BSg
L071pyc0Czw0XJlNNq2sn/GomNRvXLbYeSpqzsLdOAYxsG2l7aNRHVb81ml/OEvIuxHZE4Ae
cjxfsvnONarc5jWIA7iFgk3sLaTVejP4Y8cbn4rXn+98QwseRPBMHRPx84W0Rx+YUXQSAvVG
2GboFMP1PvnEEv0Qqq6JsdMmZYkCHAQQAQIABgUCTGWPGAAKCRATwLVmejiwsLktD/9ALTT3
VOyGLPKCdTYn+kXo/R4x1+VpRdoLLkUnxKBzfTVqtHg6X9GAqMn4b8PIgIh+9ULPiK9OLV5k
bdko3T/cbP+Cl2iqSbVZoKuYpf/xd49oIdiJm/omruVotTDbz5vOHwxzmrSRcxXNzKrnmptr
f48dZjoDdrirUJNDlPE7yvM0IvBSwPv5R+t7gcti0/ZZFWDSEQ1fphx5q5fD47+t2Oqeyq9s
oIC1uO9xnzB7tTmQ4m1Up0mwRsf/r0JdTkcT2Q1PNOttWUY4aDncF+d8wCraPW7715C7iP/U
saAW2h+MwAVC3yMT6iu1dcufRJsgFg0iEd7G4Uxp4IcCfwSLWD1mh4NEXZ8Tis4hTnfpbICs
Go7qPAFDdPhWRw7ZGs/aLV0+E6hu0t5hE2CWaOCS7hfx8Z9W1heEuMBqDXZeSEfkiA6/sNHW
ocgNXiDXVMdyHm53xlswdbSDxDT6CPcdvzHsyNP9/pYd6+CFgTBAw60XqLrjYPr3tyTHBWgt
vFS0tmSq2h6zMht+yMu0WCoZgw4iTYKtwoE+8RE0aaqwxUcNw1w5h8TTFY0b0NyfD16pHX94
TruaZnlnpNWZtHgYEqtobMH6SKyOsy0G+BJ/XM3jLKczi1U5osqH0yBRCWxVk0uUAOT7Y8fi
wkUSNQl8wnUbDoRSOtwCn1AQ0LRgOokCHAQQAQIABgUCTGbH+AAKCRAcAfRDyck8Wux1D/4y
7uso609rTdbQTInHqA2XUshIOCgsk9aW9Vphgs4hY0VEhhfRyajEa6RrjdYs68BuWUWO8qs8
PKe3LhgTDv2ZmSBMdXEowYVY0CvvHhyHHZwdMl+6vRZX1uI3SHf3TKqT0eci7gNNvYnCbdMO
nXiBCM8nYUbbPOzSBKFEq3CE7EhNOvSMZwTu6pnOdH0qiVUvqNTx/hEo9qg+brPrPcLho7Yp
cGu/Kuqp30r2b/HVv4U5X5mOy/OebqzCAb8WEdWoY9V9sDo0bf4or5DZaY/JB6tozg7bQ4Zv
CTwyu4x9D1SqnySE9/wsu9xSlhni8e43o9ujv3jxABpbbOPqt00wA43wSoCbdfv4mWLsbGk4
byKR3eWEh1XcUwRfaPk08fh0ssskKBk8C4sUMIk5oTiT+VU7IZ50gh8+XgMxrwdMcWAQH/Qs
VtsYhDGA0UTw7C1Qp8mCmeqLVw9RA11d/S47UgYlXBQiv+3LXuYfmz/sALy/ktIpz/tp5CtY
PeP3CPuFMTlKpVScL7+DbeW4pwwR3pkm1QAVaG/lb3Dqc4QpYcucetSyfdof1E7ZQtCRTR+L
BXBHkfqQT4xnqYOU8ULraaLaUGOd3y17rlYUXlHijhNtytzSbn+GPDnbteQYqZPx16IS1H/6
buaSwB5ZRHBbfsF9O8JP9+ldLkbjaodxpIkCHAQQAQIABgUCTHblCgAKCRCvIoOqduKse+8L
EACKRmLci/pI12k8kF81SrF1TEZG4Mlqtij0vFQNTvaLJW9PSX5xE9ln/WcsLwUPf0ciV7bF
M92bdaPiiEDOzpC3MFEV8Kx/cBGPdGNx42SHbOrxzbriIt+OCFxylsqlElW+Wbo8chPtXWzi
/G39v1a/xHVxzBg4uUPFRL6zOOZ12M+l+TCijja4EKgctCb63t+x82GCW8UspmTTaEn8UT5F
STK+qp4+cQeIYBRBcHAGKyfzKJ6Chbv3MlNq+zhmg3b8NYLTKWOgpP4th1v44EeO/R8Oibnt
KJ9hqQF7a58hb2JLuoEmXXBJVk552hKD5UjKm1DrfZAapUTbWvVv9L5IdozaDph+GZzpXQ4C
Mxlwil3JVEe9sWPoT35iApFSgoWbDNYGW8M/CRiyLzYtCqcAzExJbU9KnKOV9kbebiZ8J7CZ
gxot5en0OaXrc/ALPHjYKrNmZEQ+B7dlUcN7KzFMEJHPC5Jb9xsV3Jje6T17lA+W4skejqPC
ZB1mi9D6SHTN0MYajeRLasFq7F1Vytd0H09MLkQ3i2lymE50Su7cOsMk1+KjA63C0JmMquMp
4rvuBt6Sh3qVaXDTPEUV5ZT5by7z6KCb4iYg7AB3IsCTsP9njUCZh19YE8IKxd4y1XXD+ymW
FwxcQs8Fak4HdGfmXLf7G55wI1E4GHFEwWMJ1YkCHAQQAQIABgUCVXGlUAAKCRDagoMOPMw6
OpY6D/9xPI7IEHZCcGdZV1C5JH93KmiqARv45K0p36nAxmGH16mpFYtTOuK9oJ3ZSAZtbGp2
oppbQX5AZHhRUvHcjwv33ME0RduosJqeMA8GT/xZKfXNGvQpn/ZG/pDyDLbL0LyEngRR1R+E
JCPNAna+op7ULQSQ/gf/HSwPI6ImnirMwXFAGOBSW0s29z0ilC/BYRlr4xt5uGwWugYnyhJK
/SSwrGBaDxB7hakk2LTeVOe18etFCno07VPoI8pUtNLBiLmySM2aK2Muy4NR+jZjU9x6oDoB
tTq40fkFln64nK82hqFoJP6kDPkzdQx5NaRiH4PAr1DOydHyXofs0MghS0UKlCZR6rkyAR2k
9r+b9+KUDEQYrHXXDqhpeCunQv9LGzTi9GmaCatNHJTwTmVk1+oydWiruYLQCQHETCzQrK2Y
FEonJnwJO8XremTXw+V3jyKZLee311I+ggQmtI5StRF7fFh7OGzdJXBVw5hI1VlISketFvAz
rllAI8Txt59l45NFNkZDZlJlJeadffen6GOXsWr5q5JfS9XlfLbGlzlrcZCG0uxGfKoYaUJM
0SNa5rvWO04pEK6AjBufkinWJBIJ1l9bz1uSkDY8g2tQWvdZrqGgih2DAXDhv+lu96U62fn6
k+UtKx1D2Y6JI+KEdeGffuVp+4SnydvYIAH4GgSaN4kCHAQQAQgABgUCTFxxMwAKCRDxFAhM
CGEREQw7EADTPt7E7JjfPg5B5r8xEQwvWnQ09/dE9xie4ohfzCOfGVpvTquyG3xKrbw9SKhh
akS8HPLGgBvvodqvZOqPGP6eZKfAAZmlER5fAEtw42deAGhL074S4XOeuPmRPnYlzPZW8cy8
HhcmjbuwXbhC7SJs1KtQ+sHZ6ihtTqXoqjsC1ArMOuA0Lsw9d4IOT5sXILtqnk92ynkX420i
yAiRU5RXlASnBNg5fAmMGZbW2/EGrHtfE+zzpqX0N38qKmBnE7kRgPM8OGYxYGpUl8x+M1zz
KY8BLhJx+gwCzI4L22uKwqv8dz3kzdWD1RBUUKJycCDzwrR+RI+xO9cQzaU/HOykH3HoRfIG
TmaewYDxl2vsVeHVDbGdZOmhVRzLqQIS259eRjQe6ZjdMiRJe15j+udFF/iVMgSgq93vWWNF
WB9Q7dKRZyPHjBuFuL9YP1VmxiNELX/BkQlDXcnlXHvK+KSFuEgV8RgQenmFtHy64YBC0MoS
ka4NtWkPl9EimPn3iAHNLBCfqqs83TaG9Fl8+V9se/B//AcsNoM0/3vBU/L/5F0PppPVO6fk
ELDY2V11zy7L5KcLJWm8f4YwOKCdyDYPYVTpl7xGM+30n5h3xto8Mz6f5NWVZbfxfErLU5iK
aeDdSebdqns+FUXmZYUlWJGCXEnY1aAzy/9MpRSz+mtXAokCHAQQAQgABgUCTF0/MwAKCRCH
L3AsTW4lqMf4D/9oxFxZbLh/kRIjys0wNgeiq0oBLh+KgN83Rf+vc74A2q2T9/XiopuEtk0T
ywbz3Xw9KlidyGr9Rrbl6O6aWpy0csxUOWvprE7jaTwjqZxqISNCcsPFbsWQieJ1bVv6upjE
j/wrTRh4IEC/P+K1OU0lWblbeDDEv2K8aj2uiO8g5Ckp9X8Y47Lh9VMPvSOPN6aFyX0s1DDV
fweQtoYGQOmteY/pFDP+K+FV8iBw/wjEVEWflqWUCIOAWBT4w2sJ49KDdi3RGmFk6PSp/JsU
SLGrwUU3YnRiVh2vsK0X5nukWk41jm/1XdvPzEEpMK/RYiSAzGXKvs+UUWFi8g7AHQNfJOl0
hmB8LYFV7mQOLdbNIVTRB/ImbexKtuLDxU35CIxrJFvg7Ry3ulIZgDgFZEM0D/xu+2tBd28X
GjppOjqp2W6Zwnn4uwqBXMrggtNRVSeGASTDs8WPdwR3PxYKxx237f8J/aC3o2k08q8KbjmR
QVRLlOo1huZxmXpn+SUUKUJ0dqrrQHIEyzGtS/VSRRI+Kj4wiThPOS6zmc/vFaLjl5T69sOA
LS5TJqoGZz7j+GDK2MINkWWNM61SNyzomtdQc2PIICR7TP9zJbOvad1QDfT7kyM1JuhpvV/6
7XIP/oxk6OfgMT7yHTF6rh+G8UUNt/ZBCYAipcFByCKDwNB5sIkCHAQQAQgABgUCTF1E2gAK
CRBTlEed01JMUcebD/9aEHlc3TtXSGHF/gxVl0zsi3mFM/wibd2n/2Zv2gRrL0Su7BunKEMc
l+7SECKbDzWC3LYucKhjgVuPHSgGakk3ANiXiDw4qFqiYil1Prf/MK8F6RWye00IIG7yZamG
+1kLA5ft7sjO/emappGvW7bicXqgoEsazImSi9ekfYhLFKHn64IR4UjynHibKjoXA+EatPnN
pT+IHnBRRHRq2uaU8ycQoxiwUT8WMPyjlIg7NT+IIYqQm7DRjSTsUoTwhdaMlH7YCbi/dX0y
SlfG0LF/5fdg+MV0h/hPqy6gq2oRouILZlfEGtvv0vBmqagmPP+m4KJ/6/Ikf5ysMtC/NlN7
exkyj4M8Nl1U07ijha5CQCvn6DyQmy7xT/rmbJ0i1zjZauFmPf1ZaqennMkz2ndC0glSAYIh
d76mDDWGjvszrYpbO7KdJJeiO0LkoSW7fKxgabNm6x5MaPVhcynmjlC8BFbn8xuZQst13Pit
VmFtIDX+SJVFQCK0Ypuw0NhkXx4sRqkBukASSwCRrDxPPWqlg9/Ji9uKjInS7M/y3RDZqwJK
UZqLw2pdlzdAStExWfA3YAX6lI7IrpHMuoPUt+aKNyO6XBLMOGmAGo6LUP8vOvwfkFI72nWL
IgHSbB7MzHLFcMxyb4CvGjpZQzu3VDt7sDIweT4ZqWMuMIxreik+M4kCHAQQAQgABgUCTF8j
ZwAKCRB6j0notjSAvpDND/4nzSbiS1pMCum5H8dhR6odBPIRanEa8fLaltUQCfwG+CXBfuH0
nguvR07j3oMWLZJ0YqZIfGWy+FRMAqFjkY9Wm35ddEO4fm5O7j662mJn32S7ouAWvMXeZa7i
uhz7pe5o5hxoN9dzr/jD0qNIUwWzCl8C1KC6Gm2Szhnzr4jMM6fxol3i1TIjzqcRACqIFM9k
rJdpHe18XEE0Ao/cNC4bPdPFEqFdDi+zoYXNrHqyCl0FqnWOkq9IVa6Sizy/8+ncgLt7mxpR
CeA6v/N4w55AGlxfS284QzDWUDzAoMzMibhnqoY/3p9xup1tMtOZe+2R6/AOfSa7nB3BSGDi
g3INNT37Xh3OiwYtiGoAPGnBvMdVQYeLd0ySC1cTls+HsXuhfediraNnzRRgioi+r7Ew29Dj
H4O0gWhunw0gqn5NO/0sqQyN5cW70iIjhJlXA2pJYXSLvONRzQ9GmvhYIq+UA89UmriycCBd
u12zi0NfEY85B8qqzFP1c0EJrHclHNm4SuSh/cXFlejRbIiSejp9uCHXQqELSRWzxRWOSy9T
4iARC/twBSE+rJYfCrTMLKZznBzz+FgY/NU91w+teGbKanrKLKjRJtlXanm5kMSVXpmeTnc4
x46OO8QjHGto4hyaILX+H0+jYcTFZXV1wXPqgevaGLL5fZ2EwfdURZOMI4kCHAQQAQgABgUC
TF80rwAKCRDRXTE4ggBBc1JWD/9xj+Vpx8DaFRrmDwND90I7bFDux0MrxxGZ1NJc0WhF03+t
1rqP5aoqgXTx6UxMHTTQXRk6dNKpqRdWCiacxd9LUpUIFj8QrSE6zwWweW+5e1lCa4cIC69y
AHRN7LwdWV/s8dTbBWxPuCspDXrb3wPNmNaouw76T2Ny5Qwt13PnkaHmoNGIDju8yOpVhcAM
mRIeAHgJn5X3WkMPi9dGfKr94Vv+K1dAKzl1VQ2DHUcS8dVUTqugYcaq1NXeZ8ipacQtTy6o
4+aiY1iBJDvKdH1MxJGsS2EvcXT14r5YzOz+KTwIExlrKK98+3XI/u1L3VkUHqY9rILN03Q+
cKxX/3dV3j9YDu3mUNL9at+cZ4FjZG/rJ0B/7frBxf9fy+7RnqKHsrr5H7jFK+mZlqyAWqLn
Lxi1kW9tliiEZ5RgqLsYQk/nvvA/hr01rAI/todTvFHV7RIByNQVrp8zBbpmSUhyGaycc3q0
aNStTXoy6dFS5WLAirq5o0W2zKRbWF6RAZLCwYAz8BAvKfbdDNAjTeXQ1X6kEYxEmsOJL3UQ
UYLUHm8Ko8pPeaFLjMfRNZYVdQhpyLQbKxEDWwmzuAxODTHPa+bWmD2QRP6g/be8ff43L+zW
Ti+1bglSk5xCncsGp5ydPfxYhAQiizIySbmVGV0u+hVPSB+vGJTelgw8p0PMeokCHAQQAQgA
BgUCTGHuTwAKCRBwNzzxKQ25zl+FD/0TkiEx7eq83NaPbkxw4fQGgIfV+ZQHHZPHZxQmWQe5
Nw+o6jBv4spK4iTQOgfcyZQ9vcNoxDyvFXTPxD1SA9VhJKY/pvZYgFk4chfIAwqsuLhL2B4x
fL7XRU044MIy12YG24mQ6wq4Yp4CLX0J7XTkqF4o5gZ53W2lZ8IBhGee13vY658Ie7OmSwXd
HZwLABOIck59PBOnDQmbIWHw2nO8esxPuCG7A1vJ9oX71PRYGe53310L/vqRWliGwgINI+Lc
ghnn/GIxdBNAQzvn1vrBtLvZB50Ck5WxRZdRyAh29i8IQKVt43X3CeXatFqPke30n1hudgXN
f5zu7aJAHA3TvIghig9L9uZtHUMIZzxSovTF75ACmxfqiCXxS2pxqzJacDpahog4rJ/AZbsG
3787vyhM2zjCiSZIrA2GE53M4M3TQpV8gKAZy54Gdjy2S8FcOiFARFGXVu/l6j3vf2dDrTdI
Hlr+Ta/f2eKfKhyCLT5ShZwem9O10mpDfP/Lznb4kPKygCjT24t/UdY21mvVKwAiXDtkeeSI
LhXVj+I4ddyx4xf5mrH7khCxwDiYKr/sPmzFUg6gHHPsxIMoV/8+DA/VU+x/r2thuSH2rdKp
IuPcN1fLI3R/Buy2Pv3KGHzzOHQyHv2UbfGK5ijKY/lF5Y3RWYynInUcjQLbx9g+V4kCHAQQ
AQgABgUCTGH1OQAKCRB3MfzMY+Tid/cSD/0XD2h3/YcPxSfN1Wc+CRkbtw/14V3lgDOa83Q1
Gr6GySQZMeZ9NeBIeC03fvlfmQl4EwFebqGR7jsuRRVZ03P9I9fKoPXJhlx/hpbavP8mkAAd
Ye/ziA5xjzIi6j7GIpID9ULMvAW9nwPtL6p0ritjvkfx7EOJ1D30ID5Gn0BzyhgPUKiqLsR9
zdP11Z4u85ja1cgkVXMl6IEMflMJ/qUonGX51sEGvAC9OfbshoASv9g1cohRJe0MAVG0arWj
KkxekFXTaChVOSuzfavExtlW2eCHy2IH4LVRT2VlOiPA+dyRZuhjBMaRr9raeYnNtB+7SLWu
XeRgMcAiwWdvKSJRIS1H1sVAlP02APy67wBeHEcMrURx0NzAZaw/7XeyPAt7+S00LJNp6qNQ
fnecBTF5LZkfKGIentqjKKN0Ns20lyMuo5TGb2mZSdhlYRixsY/z95STNhsGe3SNzgdSpbG1
2eB8j+uaoLj9Gjd4UF0uAhfS/xqDXF3MONZX+IjKbGnVx1MMwg/ECPjtfRu0nzm2o3jpYQgU
XlnM/kAjGDcHgWsWyWdKVeMB+bXOwGPl6wDmcAkaj2GoUJP2B2bDnd6QHmtBQSD0jiRmqoXb
ARisPDuTJ7VywYSND/zTkYfBpXh9YLikxYS+Vl+NtLuvILXsyOt9FV5pxNOoWKVbj3X03okC
HAQQAQgABgUCTGdOLwAKCRCzRk+JaqFZSNlnEADIAMz9GZZwdKchx9VqWzsHKetF7ASrZuv0
5DSzfPH9lxJQZskWDRnLLtTzpSkrMDqueu7bgKE5XIoRcPgIfKoBI/iJBZPQaoxN9aRyxrNa
HM/F3AF2H0hc3fqUyi5+s58C5/El8Bc8oq1ePKGrOWFAFoNTYIvQJ3CNbXfw3tm56TGVKKws
SMiH+9xk2fIBj1m8mSpAwZKo6CMjlVU3Mz3h7DNiEa0yCiESl3USCIBO1dmIRs08DNn+MZyE
oeXSXM+eJtw+GpWGwDflnwOlKDlDj42y4K6pH6BubyfXe9ylb5DI19TV1X3wtvsqyhE+nPuT
4V6j8Bli1YKm/KhwjkXw7KggkStS+6TMlT6EF9f7JiLbDjAqhCZ0eBvgCm/p0/TNL0lBwrf5
90vD8QpXfnxAprdGR8O9ZEyviUqpw4JRnlRiH7TMBHVDiNCJ0eX53oyFd/TuDSTcvfyp3i2J
GO38NQfoO0u880bpRbCiBsLcZfEAByaXp2hV/9oPEvBP+95GwbnMAR8PlmL8EDzygDElweDc
F11FvcD6pgKQdXPubxeM6vJgcrFEozzW0mLZxXLUlv0n64YUMy/7JVoETPIEFJqAKwsMvaJy
OHJH7ycbs2dTeWNT3KDigSM49VE8ERd7XzyncZUbRk3ZkhGgRAE0Fe1prHPDx86PClBV76hm
hIkCHAQQAQgABgUCTGy/igAKCRDkT4AW02MPibaTD/442P0Qwf27NHs5RV+n/M2CKeG4sZmB
epDU0XjnqjTZJYYcMtKvVJ3EPvB8qh3Y69d+pCy92pE9x+4TXj+59pSYxSaZFacW+3s1884K
BQYe4256NjbVnxQEIStYtS4wRL1xjYBoNnPu1hq+vj+zArQ1pCWjCcM9Wzpl2tUPu7Lat7Os
qB7HnDvgDB/HUbNgpni6EmfrWN3YlbGthnBXfGvAf3nyPwuM++GKs7a7R/6+it/dnPdke3Tb
/aJKAC8YXlUSo4mEqpuBzz4Sk+5wBv+xS0h2GF4z+mnwsMY7ChqlyX1eLqfx+WWdO7V5CuPM
sHMp0WxsCw4x8NPhzBzEPFlYSvYlS2z5M/RMie0g5JuXvs/ajDHZItZYJoVbeRAIVZ5q3ru4
jR2tuSLQNo8qoqll+u7qA01zeEh3heov+FZXqoe8I1z7XOS6i7ZP745+zdbyRhi2beqEQ6XB
7ub3jSSOUPM+x+LKxXC7bbhKLlAat5256wZnTTKRVNEUuoCFPtUR8FwzwRXl9AOl1Ekmqdfq
M1F9TKYq3dPATHCxw/vV1QrCaIbqdJBAtf7ZLHH9B0sAZ8kudVPQeB+Ghr4KYaSPyX8Vstx6
tl+qTyuVlkWd26OZo1mFUc9kPej7cjiXtf/XOp2mI73piU4bfTAOBHAopiNiKe25M/75bGso
bAWSh4kCHAQQAQgABgUCTG8qxQAKCRB8Vqz+lHiX2Nc0EACkkjvmLuJz2Wp9Lq0fvdjBhGCp
95dZFpvcBFJfX0rzifUEmbWRp9fiU9P2SJaCy392PL0gEhEi4P7Aos1rRfyXjGhxcy+TYSUA
HaP/jQF59XED6t2ElW8+NnZNQ3NE1NnZ2ivcig09GdxvfV/Ivi3dAjYXslsd0um4pVCEEBlc
lWw9lWRfm1V9/Zmz+/83CNuc6yVGmch9lckcq/1zxqcBE38WyP/cR6nvvuiC4NY9W6e3LobD
eLkagJqFtsThM06Hy2mI3pDsC33nu0Za1tOV1ihJCUTxArZBDqUYWBN7C7hfx6/+IO+as+2Z
hi8bav8mjY9j7chXREqnmJq5uTXGyI0LDuTABn+Sfr8861zPeev56GhS3/gBIsvhEik+Hym1
1qnvlFhICo6Gq8qtXiJ9KQE+XI/bWZgFuflJdDLWT7V+DUw5+Rdqo3Qay0vHvsto+EMQLCiL
8qLdw3eE5/lVOn9vHPccypGq5saMyS2hdS7yF8x+laj9xfIwMyp3CKTJ892K/NOh+dEhAo4J
ZNw5tHCviE2KVRxDWNjjBOcrpONkp8o/OPe5bxCXVnV5F9oZqHCfWtXc+MTlI4dkk2dPRB3P
JNUnKbSgX4x63th/m6oAB1JJ5DE1iT+fdDre4zBpSI3ILCxegWL4ve+hLHUWS/ubfkJtlO5z
4w4wiLmfPokCHAQQAQgABgUCTG/44AAKCRCdC15bHuyPDso6EADTyj6fKEvSzHFo4caqYOVX
d5kZir9ss0hzplt/csBDosMdW+wO+wxzt7jXXtfPlA0OGoFqCVEtxUGQG4qYHSbCKPd9PEHS
ruWlcqNFAqRBi6k0phM8GeKbE0+B1u0qiyEvuG8IuP+1DlXla3yG4yEUWqprBMjl46OnTd7u
ZKS24zOqnS4Hx9fId3s7bW1JwrVmodbx2rdHDyZKXqCpwXFJsVWe3cbh/h2lXYalDKzwbdcm
rgDZUJp75YxlxerMiTG9Xc/4e+XOs30DKGy2cHAMitswtjXm7ZKZ8yL5pmbmDeP99XASwByB
7Mm6KuvQSA+8ByLmkvu9XBrRq5WUG9Cx3m0Shxy7e74w5/u4LJkqrmr1wdw+gZIvWG3UuTWR
kqJw6rEoiv8WTjJSWE5rTFVaN6YH2OuOFsTWNaUH1bc01HpEKivhk3ZiOOg2Bhxbt7i7oYJc
Y+UHCbC3PwwktM3wEnANz9UMoIFxn/2OHdIWl09t50iaDErTmtgbfkENDdsXEcLA7qs+8vpr
8qY+M7ycCuRat7Vu2dqopwpkhRpKtddoMNYZ5/51vFcSuz9BdCk+y+q06Ri494UPVFJsHTvn
gjtEcxsJopZn4pddzk8g2z69BBWRv31c8xiV5X5QTf9zmRUFD06pux6dn1CUI4zoul5kW0ah
LwQysmqgG40apYkCHAQQAQgABgUCVZLuEQAKCRDroMbHHAAlb97dEAC8oQamwtIj/SWT2PJS
Kl3bdPdQaYI8+9ZL9xXLYyhOl8aduFVMlJ7rqkWSdwg/AGnp8nh/pQiaGsnRweqFoSte3poC
QkNmRR3pgsZ1qqWMxqVrE37R51MSGRBEZq50diQ0sG63tzX7GSnsHXyxDjVfR4J0/ohZzyXn
UubBB8X/C72E8CaxrFAzyrLY0zqJBMzub+b2zg5Ac0V+GK45Iz4duftmvnWf6d9aOvXsPqe9
/BPbix8l8lCWUjfAPh0sSskI48mIi+jK6rm7+JmsF+9zIoVxlnnlFcmDxMGtapUl73BzpCKI
tbplOogAKpA9/2pcSvf2JO26cjQm2gN7BHGfApB4qYFHb90fmSt7XUQEwxyCbsQyhS7Tb6bN
wI8mTqajGoRZydB8WZVjRgsnnCHa9ecY3Hs1IrTMKM3gl7Kmm1tzbtAK+NMSH0mxPG3dmTbv
NIkjOcgGTYo4r9Qt4Q6rV0zfm43dZs7AP6nECRYyMggEoHHBDh1PaPUjoUsJ4Q/b0R8yvNNC
8defastUYtUkepBJ90FzlIJeMLf/1t/1cYX0or5wfp7DPAGxTx3+5EtyKC2Vk3JltR5QkLaj
blZ2PIq8TTtdDprXJuOtucF33p3SwXRjA59DrxEofOf1B2cAcxvb42QgZ0ToJmfeTz9TfGDS
adTRh+oqbbjogv0A8okCHAQQAQoABgUCTF22EQAKCRBdMo0IKqqxQBAND/sHFnas21+PsxN5
Uo2Gr6ieI6NqP2347xT3ZAugQFDhobNJkdXexShpW/PAAxN8/JdndFtuF3nNCy6gSt9c+eLx
uZ1srzyE9nZeXne59TDI4+ubXhuu/oXIfj0n2j7m53st6+RI5JJ3SuI9kJTOhIYA+7AHBpZp
XUu+m8sS+Jhyy3h7tqJw4IrwwOfW9/WEwhp3Yb2zDoEBe2Na5whcjFRtCJkJub4YwL3L/D5G
w31dFnTFQV9C8BNmyPfoHiTWRQovejmORLdNOzaHKy9a0c4fF6C92j4s9wR3KM/eaVJxM5bD
NvP78usX8LQY5A6C/3+e7kRo1gzDoDhgYii3gDm5hItXXU0V6sTcFWWVSPGwrm+628G3VWmm
1b57mxWn6+7Yzw01R/CyqEzovFG+M1BZrJn2JqJ8Y4pM7T0oRpi0/Ee9Dqiw4+v5I8wKCTag
713ZLx2IdMQxIsMnmBq/819ZqjKkYpAbgteov/foku+Y8RvymE+afjxcE+aYQpYOyMPNRMRp
Dq6CKkVErPNpI758Eav7UqUi5KyfMQ6tMh09F+mKBZvAVE7AGIbrQWhHlTCOYdSRA7uFtgSX
TUQlMSsj/2xkorXaPoFqShOr1hiWIG78zduIGT5FxSG06j8h7j2h6W7nCj0rYaOzDNOBM9yt
3il8eu9SeAgl2cEosRL/4IkCHAQQAQoABgUCTF5RxAAKCRA5FLUy9N++mdKJD/9Lclk6nEQu
xlcgA/0ugEKmWn5JsNnq8ZUl78nZP6fKY0syx9v4bMA+ICQrokfwY4o6dMxcj2Us6JUp/FBV
Z5lo2T2iPE+ucxobFslNdpZtzOQGOsOJ0N7qirafFXJ7ACtydbnCUaPfzkPYwwplHFqT+yQH
k4RxBysHWw9a9YoBMl9KFjIwZ7Q8v0x4ywySwfRAKEzFp+ESP+hDwhlOqTBKFL1/P54lmbhG
JHDCNbwxGLIjiAeCjomyoxpg5YdSZVyWttmsy1rxMV+ndERK5vELfZYqdlhL0quVPzd1L+g0
m2iA4QdeGfqrCxex7olq1su60PFrMee2wFzH8YEYY70nCi6/JRTb/Vk0wNqgyNjKY434EzHn
liuyhFvsTkQy+ciegx1lQixRxJfVnyz1BkHNDd37qL9lbzPwVqLhhh7jkjW8koPbExQGjVcH
St2HCGDcAxyOJK9sG5a2GxPn1K/SzHXWwhVCSQN7sJSkpNmRNgjpJdOTnEtsfRC7keUEG853
cKtWtqJw38/ye6RbXXHM9y4oiLkSWLneGH3sQFtbmdtjubLQNXE7rfuUHarwCnVHV5FaeAn9
FNBoo9MCAZL1cuxe7CR/awAuH/JAkuZOanj2jFwvqeyfNgsB/LIlHIBTLPwVXDOZ3E7+KUMJ
lQ45DOfhGPOSzv3QTL4gP6lcvIkCHAQQAQoABgUCTGWvlAAKCRAyJH+7QK0fpgPsD/9gJRwY
37FXgq6tqiUO+q8H1m+VQ4y64cKNA/SMOGxV04h7o5tC3B9D/ZghAyfQ71Li88PIk8n7PAV0
Wnbv+V/9kawa7C7Bfq4OJOGzMU0Y0JPd6LnupBtq+jtE9H1TLneCiBu05bjeLSQde438Or9w
SV0sLwqKncwqRJY8iIjz9O44X+6+6p4CqdMYmsZV9nGM+cES6uytQ/sB/mh5PutZahslWurz
ouec1uqTY4uuGNwOz+MJvYUNPyajcgtpH8JNQ0phlUvV+nAOJuiNXBHw8MbxNzTdLfsdtdpy
zRH6NAMN3QHrtEGAQ8XgFnCtu6BEPpgOQIB1pMw9OiRMhkcu9uCNCY5p9NMhL1tEx92DkSyW
lmFIF/h1Ohd4yaxnn9jwTVxxhdAxqK0rIORy+sHUSuc5LrtItNe+AnTvQeY7MRgZwJuCCohQ
L3OLXULZajB98g6cZQJmNmtdUeqMY/QymIOH8IoY3SCOws4h4QZSSVxNczo2Ag5R5QKSpBA6
jjsFo/VHUX0wB/KbJTb1Hl2vtID20kR7MfzACFTI9AEbwvG6CX7oWsnciom7bHEiyHWR4Olp
tlpQk2RQ4T3RG8r9kDgJuX6KmDH6uI9CdYTuBxQgIfpEm+tfSki3LVfnOKgkRDqAJciBv+ua
qeW7KSjNDpBC4u8pn9tyX8RhpYUP7IkCHAQQAQoABgUCTGwP9AAKCRB4U9pNSYga09OUD/9X
xTiFFzcuev5k8MtYx7+T30Z549gFnOx6GdFgCK7GzW7ZjnofKt8e0NIQmzzCf0g1vxdulqeZ
7Oh8iFrxpPZyOKJoO2BDKS9VnYEANQf+quUJPTdyhGqdMSDQGbSEqjLF3oNp/+jdIIMjuo3Q
nShdK/BJPcluN7AoOFLQ3QH4Q5fEbtwc+bEJL9TfFqAhUhcY3TYnqWtsMRW3tkrgCvcp0Bo7
LMSJB6jH4Dx5q60Am4V1Zz7C9wxtZeZP+P0h0YYWCbOmQWhzT2aCRYDrp1o3SsuatHm/bPkv
rliBzslW8i5Hh3gv5Atn/P5bhMaXtJiGepkat/MGw1hP8BYaSb/mmy9XbdMlfDijcsAF2+w6
w1b782oCGXgz2ISqPLsFYWccS4GOAwSytep22iwsWpIx2JNNndg4GVfgBxx3QIhci7EVN5Pv
/586PwxTetIZmQ+FNNHcAzqBzi3oe6J8o7HlMEHjG6Dps/D2clTNHtD0vSk5ECfhSC3W8OAD
VSuB8NxZVfI2UfnyCsdjyDLUu06fMR4gNW+zlSHI1FJBSVuU8CCQOtMPJ5fHPq3hEc0DFyLx
8fPE02n8It0wm5RrdUkgOjiVK2n251SyAwSM6zATCFOIt6zdZWx6T/HrJw5wzI+wgsZHibVt
i0vOA0GsAXzobE5yyhhWTnhqJgW2vKNHjYkCIgQQAQoADAUCTGLdPgWDCWYBgAAKCRDM0u2U
0hc56aYKD/4gPLkcER4nlKdsMN5x4MuUjBbv/+Hab1+hSDxEiA0Ya2Lt3J64y03fz7J1RzIB
djH2QGhdvuZtEohiad44DUdLNGJ98q7PPll2KPeuuth+bDa3P4h8ynVbCJRSmIkSVCRG90eE
AibHWOgTNOmn48Rwq5zMEgwNvmgsX7ZRm7Mwggt24LIK93iBMqH7WqS1CujF+WqQygpk671e
GUIWSUc/iBmaHZ/yoElL5cSBSPHm+ePyQsPSN7ooaWfodXXTADpQN4d5Tl1WzwZT8G5cRVLP
4CZ4sqbzJ9EKWFMlohcf3ibT4r8H5ij8btgq0TvNcoMvCbO2P94KChQWxQSwJRftJ9/GPPo1
7zK7pXGK1QMZNMYhvbYSdcbxG/AsmC4qJb4NVdrrxBiEye41+M+nQiT7g2GbbJ9gBCv8k7lH
iw3B+KfNoAkQ2v2CaVMrguQuzxCs8Zpl7iKuFG+d3SGqnn8rRrRPE5AOlSk6bOr22jLyGsns
URt6Mvh5QyVrk0G/6YW/5IMIVNuS/i12m6ireKvpPBkUIkNlS938vNqZ4LnsZ/+gBlZqmY8H
sZEt6Wfq7efDBw8z1FLRW58xOqCY0vh4tteFJkcY1LgzK5GUddIHfYcO/Y6p/3/Vq1/ao4VJ
Jq+HSIsqrdW1nF3EDSbwyy96uAdxuhfZLxSgRugCKyyOk4kCNwQTAQgAIQIbAwIeAQIXgAUC
Sgdo4AULCQgHAwUVCgkICwUWAgMBAAAKCRBEl1J4uGErXaQAD/9wcX8JM24NI9mCjnHOGOuV
eo/1Z9sefzYvhlbbTWvJsEdt5eaL0FRl+kErHtwNyEqvOTAmt860GrpekjkFYQObCsmDOiEy
i+vJBScub9YK6TJSOQJ7f7zyIwzHgvilktujiS+/YDqd1IEyxD3QxQ9PTdjcQX/Z7enfBeei
sBFfgRwbH32p5EtdwovrmBYtgyXUqp+lSg9kG3vvdj0bt/Fkq7Es1eEW8Sp9QqaBpo2fuzNS
rojYfZu68coreRIV/nhuA7/ehjiVXlvzi3su+0ybJwGZXLXaM7kxXoYm5i8NDxp4p+7laXe2
J6HUuIQM5ea4NuPu9BKIpKGxqNXQE+n4tmX3lp6QwXuZShwOXjSFsKxXvipKI4sAkxPfrPFa
xzz/EDqUf9lzCBZ5nl6+OLv+GyTz6Meq1NGIX1N7u6XBPtdCujVbKzXd5PbEk0Y00skLFcQ4
9FwAwDFw1XIPljQ6WttsQlV6k0yoVJZc6HHovnV1zGDviSyUdegDX9uKBmgGG8ApliPLvZ6r
haU4yHykFHBMPfwBNBwrmthTShdPS7xh4bz5xYlay9wm2CzIVB6muK8PIyTrRfouuFivJuYA
zoEcPBbubalC3OCocLl2xv+Qb5G7cz2hTDx9JZXUD18IeG2A2mcLeGp1zTc1qz/7h9qa0TLe
fWpC75exhIgXVrkCDQRKB2tdARAAqsQbw2Qd1WfbJr9U1KRdwTKm2OsDODftgNv0zmfaiYCN
iOKEsrsJdtonmaisMi+Z+5/wrf3Q0bV54qmwOMTlCVvqnpxwbVik8VVGWgUcLJYYK5Lkn0dz
rtZs6AaT/sbFewir8q6m3ADbq9hTXxt9uUfe5Z/D4sdbhgbWtQa/DeJwWZr6VeyCHcY8BhR0
FXYmYDZ0c1rmbZZBt+vIF4UNTNU4x6me9va6QPW0nWTEjae9ExGSPwm1B4hQd63Nop6E2Vqu
ahdJqKVRYYmD/IqVXOxAhFRA/w9vqF95aV2BB/ZrF0FTA8iCEbFy3oNrZfq8KlJRCtcUH2qf
igMndOt8P65omM1DQhlvterVgm2PCb1GmwLEbMi+HtLntziFozYGLTlAMcUJt7Pyu/iinzx6
Sc4U108dmNTJLxqSZtvJFaRyHml9x7oP2gWjpuyVgo1KuEXKq2Z96S+sxE/YtPyB/cBpazZ+
+o/i7PLhxKa1RTIA8NgkDelWeNalvYzjNkB+tXeH0UnxtBTC+PW8dyUP8OmmM/2V1Dzcj9Tm
Ky/G04TFQyL1NjvFjzXyIUO5WpdEbSs04h5J3KM6YZJlicqB2aKAUslOi9wUIpKRK+UZBTSj
886jynsu+HA1Ob6tcTSlwtj95RV7nBTiTM6MpPuxTmZ2DR/vLE6c7yE+XgrOx9EAEQEAAYkC
HwQYAQgACQUCSgdrXQIbDAAKCRBEl1J4uGErXVFeD/9Q2vtN0FeOiveLwN4KAFbMLZP97bT/
sRJkQQUZoawfbINwzGDuFrZSsWipoBLam6BnMH6OfHkUOrCToZROHYagW/nv/WTjBTX8lJt8
SFhHh4ONPBaxF90z/YrpWlNcs/z/rqu+sm1KgCA9mkheENGOj3t97udZNfA1N4NZu67Lo6HZ
yUUCK+eJtX6BS2HgMGokHuGha/LokTor1lkl52Y3CVfds9YDrJmlSQVhxI/S6/IajLwKFyHd
pMiK/o8q3mYuZ7JKCBOooNnRpa4myUrBetf1p6xZqbhEAALMFJc7/8NXxesqvG7RQJ7VWyYO
5BhgzPutqTUOVZskc3r4cvaB7CT1CsKPdW+af/I8q/C7dhTWWthirPN4DCdcTIlK9ECpba+m
S7MQG/3ta7+/3lT3yyMKlhLkAaUlUNa/VbzUHOlVA1txJk6jcuEzWIzebEtoT/aYJZwNE+jL
CFOC75HTGlxp7/8ngHCXn1rcBS9TQJ7CGX31HhbmNak0LtzhAS4B+fWQLrFfShTREcYD+31z
yLns4jIKY8dehPner0Y8RX31/0eQOknRwRSl6uceu/6liJT23KHYzT3FPGHuK2QH6AHnORGS
g6FmBsbXSzosQOKWE3sO0dzjPIE6DRKwZIJmqQKvHqeAvPsC0U7JBWlKl0eMoIuDjp9qFDKz
BWcdiQ==
=iUyJ
-----END PGP PUBLIC KEY BLOCK-----

BIN
apt/files/reg.gpg
View file

Binary file not shown.

3
apt/files/stretch_backports_preferences Normal file
View file

@ -0,0 +1,3 @@
Package: *
Pin: release a=stretch-backports
Pin-Priority: 50

16
apt/meta/main.yml
View file

@ -1,23 +1,17 @@
galaxy_info:
company: Evolix
author: Evolix
description: Add repositories to APT sources list.
issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues
license: GPLv2
min_ansible_version: "2.2"
min_ansible_version: 2.2
platforms:
- name: Debian
versions:
- jessie
- stretch
- buster
galaxy_tags: []
# Be sure to remove the '[]' above if you add dependencies
# to this list.
- name: Debian
versions:
- jessie
dependencies: []
# List your role dependencies here, one per line.

18
apt/tasks/backports.deb822.yml
View file

@ -1,18 +0,0 @@
---
- name: Backports deb822 sources list is installed
ansible.builtin.template:
src: '{{ ansible_distribution_release }}_backports.sources.j2'
dest: /etc/apt/sources.list.d/backports.sources
force: true
mode: "0640"
register: apt_backports_sources
tags:
- apt
- name: Apt update
ansible.builtin.apt:
update_cache: yes
when: apt_backports_sources is changed
tags:
- apt

35
apt/tasks/backports.oneline.yml
View file

@ -1,35 +0,0 @@
---
- name: No backports config in default sources.list
ansible.builtin.lineinfile:
dest: /etc/apt/sources.list
regexp: "backports"
state: absent
tags:
- apt
- name: Backports sources list is installed
ansible.builtin.template:
src: '{{ ansible_distribution_release }}_backports.list.j2'
dest: /etc/apt/sources.list.d/backports.list
force: true
mode: "0640"
register: apt_backports_list
tags:
- apt
- name: Archived backport are accepted (jessie)
ansible.builtin.lineinfile:
dest: '/etc/apt/apt.conf.d/99no-check-valid-until'
line: 'Acquire::Check-Valid-Until no;'
create: yes
state: present
tags:
- apt
when: ansible_distribution_release == "jessie"
- name: Apt update
ansible.builtin.apt:
update_cache: yes
tags:
- apt
when: apt_backports_list is changed

50
apt/tasks/backports.yml
View file

@ -1,13 +1,45 @@
---
- name: No backports config in default sources.list
lineinfile:
dest: /etc/apt/sources.list
regexp: "backports"
state: absent
tags:
- apt
# Backward compatibility task file
- name: Backports sources list is installed
template:
src: '{{ ansible_distribution_release }}_backports.list.j2'
dest: /etc/apt/sources.list.d/backports.list
force: yes
mode: "0640"
register: apt_backports_list
tags:
- apt
- name: Install backports repositories (Debian <12)
ansible.builtin.import_tasks: backports.oneline.yml
when:
- ansible_distribution_major_version is version('12', '<')
- name: Backports configuration
copy:
src: '{{ ansible_distribution_release }}_backports_preferences'
dest: /etc/apt/preferences.d/0-backports-defaults
force: yes
mode: "0640"
register: apt_backports_config
tags:
- apt
- name: Install backports repositories (Debian >=12)
ansible.builtin.import_tasks: backports.deb822.yml
when:
- ansible_distribution_major_version is version('12', '>=')
- name: Archived backport are accepted (jessie)
lineinfile:
dest: '/etc/apt/apt.conf.d/99no-check-valid-until'
line: 'Acquire::Check-Valid-Until no;'
create: yes
state: present
when: ansible_distribution_release == "jessie"
tags:
- apt
- name: Apt update
apt:
update_cache: yes
when: apt_backports_list | changed or apt_backports_config | changed
tags:
- apt

45
apt/tasks/basics.deb822.yml
View file

@ -1,45 +0,0 @@
---
- name: Change basics repositories
ansible.builtin.template:
src: "{{ ansible_distribution_release }}_basics.sources.j2"
dest: /etc/apt/sources.list.d/system.sources
mode: "0644"
force: true
register: apt_basic_sources
tags:
- apt
- name: Change security repositories
ansible.builtin.template:
src: "{{ ansible_distribution_release }}_security.sources.j2"
dest: /etc/apt/sources.list.d/security.sources
mode: "0644"
force: true
register: apt_security_sources
tags:
- apt
- name: Find one-line APT sources
ansible.builtin.find:
paths: /etc/apt
patterns: '*.list'
register: list_files
- name: Disable one-line-formatted sources
ansible.builtin.command:
cmd: "mv --verbose {{ item.path }} {{ item.path }}.bak"
environment:
LC_ALL: C
loop: "{{ list_files.files }}"
register: rename_cmd
changed_when: "'renamed' in rename_cmd.stdout"
tags:
- apt
- name: Apt update
ansible.builtin.apt:
update_cache: yes
tags:
- apt
when: apt_basic_list is changed or apt_security_sources is changed

18
apt/tasks/basics.oneline.yml
View file

@ -1,18 +0,0 @@
---
- name: Change basics repositories
ansible.builtin.template:
src: "{{ ansible_distribution_release }}_basics.list.j2"
dest: /etc/apt/sources.list
mode: "0644"
force: true
register: apt_basic_list
tags:
- apt
- name: Apt update
ansible.builtin.apt:
update_cache: yes
tags:
- apt
when: apt_basic_list is changed

37
apt/tasks/basics.yml
View file

@ -1,13 +1,32 @@
---
# Backward compatibility task file
- name: Change basics repositories
template:
src: "{{ ansible_distribution_release }}_basics.list.j2"
dest: /etc/apt/sources.list
mode: "0644"
force: yes
register: apt_basic_list
tags:
- apt
- name: Install basics repositories (Debian <12)
ansible.builtin.import_tasks: basics.oneline.yml
when:
- ansible_distribution_major_version is version('12', '<')
- name: Clean GANDI sources.list.d/debian-security.list
file:
path: '{{ item }}'
state: absent
with_items:
- /etc/apt/sources.list.d/debian-security.list
- /etc/apt/sources.list.d/debian-jessie.list
- /etc/apt/sources.list.d/debian-stretch.list
- /etc/apt/sources.list.d/debian-buster.list
- /etc/apt/sources.list.d/debian-update.list
when: apt_clean_gandi_sourceslist
tags:
- apt
- name: Install basics repositories (Debian >=12)
ansible.builtin.import_tasks: basics.deb822.yml
when:
- ansible_distribution_major_version is version('12', '>=')
- name: Apt update
apt:
update_cache: yes
when: apt_basic_list | changed
tags:
- apt

31
apt/tasks/config.yml
View file

@ -1,41 +1,54 @@
---
- name: Evolinux config for APT
ansible.builtin.lineinfile:
lineinfile:
dest: /etc/apt/apt.conf.d/z-evolinux.conf
line: "{{ item.line }}"
regexp: "{{ item.regexp }}"
create: yes
state: present
mode: "0640"
loop:
with_items:
- { line: "APT::Install-Recommends \"false\";", regexp: 'APT::Install-Recommends' }
- { line: "APT::Install-Suggests \"false\";", regexp: 'APT::Install-Suggests' }
- { line: "APT::Periodic::Enable \"0\";", regexp: 'APT::Periodic::Enable' }
when: apt_evolinux_config
tags:
- apt
when: apt_evolinux_config | bool
- name: DPkg invoke hooks
ansible.builtin.lineinfile:
lineinfile:
dest: /etc/apt/apt.conf.d/z-evolinux.conf
line: "{{ item }}"
create: yes
state: present
mode: "0640"
loop:
with_items:
- "DPkg::Pre-Invoke { \"df /tmp | grep -q /tmp && mount -oremount,exec /tmp || true\"; };"
- "DPkg::Pre-Invoke { \"df /usr | grep -q /usr && mount -oremount,rw /usr || true\"; };"
- "DPkg::Post-Invoke { \"df /tmp | grep -q /tmp && mount -oremount /tmp || true\"; };"
- "DPkg::Post-Invoke { \"df /usr | grep -q /usr && mount -oremount /usr || true\"; };"
when: apt_hooks
tags:
- apt
when: apt_hooks | bool
- name: Remove Aptitude
ansible.builtin.apt:
apt:
name: aptitude
state: absent
when: apt_remove_aptitude
tags:
- apt
- name: Updating APT cache
apt:
update_cache: yes
changed_when: False
tags:
- apt
- name: Upgrading system
apt:
upgrade: dist
when: apt_upgrade
tags:
- apt
when: apt_remove_aptitude | bool

59
apt/tasks/evolix_public.deb822.yml
View file

@ -1,59 +0,0 @@
---
- name: Look for legacy apt keyring
ansible.builtin.stat:
path: /etc/apt/trusted.gpg
register: _trusted_gpg_keyring
tags:
- apt
- name: Evolix embedded GPG key is absent
ansible.builtin.apt_key:
id: "B8612B5D"
keyring: /etc/apt/trusted.gpg
state: absent
tags:
- apt
when: _trusted_gpg_keyring.stat.exists
- name: "Ensure {{ apt_keyring_dir }} directory exists"
file:
path: "{{ apt_keyring_dir }}"
state: directory
mode: "755"
owner: root
group: root
- name: Set Evolix GPG key format to ASC
set_fact:
apt_evolix_public_key: "{{ apt_keyring_dir }}/pub_evolix.asc"
tags:
- apt
- name: Add Evolix GPG key
ansible.builtin.copy:
src: pub_evolix.asc
dest: "{{ apt_evolix_public_key }}"
force: true
mode: "0644"
owner: root
group: root
tags:
- apt
- name: Evolix public list is installed
ansible.builtin.template:
src: evolix_public.sources.j2
dest: /etc/apt/sources.list.d/evolix_public.sources
force: true
mode: "0640"
register: apt_evolix_public
tags:
- apt
- name: Apt update
ansible.builtin.apt:
update_cache: yes
tags:
- apt
when: apt_evolix_public is changed

69
apt/tasks/evolix_public.oneline.yml
View file

@ -1,69 +0,0 @@
---
- name: Look for legacy apt keyring
ansible.builtin.stat:
path: /etc/apt/trusted.gpg
register: _trusted_gpg_keyring
tags:
- apt
- name: Evolix embedded GPG key is absent
ansible.builtin.apt_key:
id: "B8612B5D"
keyring: /etc/apt/trusted.gpg
state: absent
tags:
- apt
when: _trusted_gpg_keyring.stat.exists
- name: "Ensure {{ apt_keyring_dir }} directory exists"
file:
path: "{{ apt_keyring_dir }}"
state: directory
mode: "755"
owner: root
group: root
- name: Set Evolix GPG key format to GPG (Debian < 9)
set_fact:
apt_evolix_public_key: "pub_evolix.gpg"
when:
- ansible_distribution_major_version is version('9', '<')
tags:
- apt
- name: Set Evolix GPG key format to ASC (Debian >= 9)
set_fact:
apt_evolix_public_key: "pub_evolix.asc"
when:
- ansible_distribution_major_version is version('9', '>=')
tags:
- apt
- name: Add Evolix GPG key
ansible.builtin.copy:
src: "{{ apt_evolix_public_key }}"
dest: "{{ apt_keyring_dir }}/{{ apt_evolix_public_key }}"
force: true
mode: "0644"
owner: root
group: root
tags:
- apt
- name: Evolix public list is installed
ansible.builtin.template:
src: evolix_public.list.j2
dest: /etc/apt/sources.list.d/evolix_public.list
force: true
mode: "0640"
register: apt_evolix_public
tags:
- apt
- name: Apt update
ansible.builtin.apt:
update_cache: yes
tags:
- apt
when: apt_evolix_public is changed

38
apt/tasks/evolix_public.yml
View file

@ -1,13 +1,33 @@
---
# Backward compatibility task file
# - name: Fail if distribution is not supported
# fail:
# msg: "Error: Evolix public repository is not compatble with 'Debian Stretch' yet."
# when: ansible_distribution_release == "stretch"
# tags:
# - apt
- name: Install Evolix Public repositories (Debian <12)
ansible.builtin.import_tasks: evolix_public.oneline.yml
when:
- ansible_distribution_major_version is version('12', '<')
- name: Install Evolix Public repositories (Debian >=12)
ansible.builtin.import_tasks: evolix_public.deb822.yml
when:
- ansible_distribution_major_version is version('12', '>=')
- name: Add Evolix GPG key
apt_key:
#url: http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x44975278B8612B5D
data: "{{ lookup('file', 'reg.gpg') }}"
tags:
- apt
- name: Evolix public list is installed
template:
src: evolix_public.list.j2
dest: /etc/apt/sources.list.d/evolix_public.list
force: yes
mode: "0640"
register: apt_evolix_public
tags:
- apt
- name: Apt update
apt:
update_cache: yes
when: apt_evolix_public | changed
tags:
- apt

37
apt/tasks/extended-lts.oneline.yml
View file

@ -1,37 +0,0 @@
---
- name: "Ensure {{ apt_keyring_dir }} directory exists"
file:
path: "{{ apt_keyring_dir }}"
state: directory
mode: "755"
owner: root
group: root
- name: Add Evolix GPG key
ansible.builtin.copy:
src: "freexian-archive-extended-lts.gpg"
dest: "{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"
force: true
mode: "0644"
owner: root
group: root
tags:
- apt
- name: ELTS list is installed
ansible.builtin.template:
src: "{{ ansible_distribution_release }}_extended-lts.list.j2"
dest: /etc/apt/sources.list.d/extended-lts.list
force: true
mode: "0640"
register: apt_extended_lts
tags:
- apt
- name: Apt update
ansible.builtin.apt:
update_cache: yes
tags:
- apt
when: apt_extended_lts is changed

60
apt/tasks/hold_packages.yml
View file

@ -1,64 +1,43 @@
---
- ansible.builtin.include_role:
name: evolix/remount-usr
- name: "hold packages (apt)"
ansible.builtin.shell:
cmd: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) || apt-mark hold {{ item }})"
executable: /bin/bash
check_mode: no
shell: "(apt-mark showhold | grep --quiet {{ item }}) || apt-mark hold {{ item }}"
register: apt_mark
changed_when: "item + ' set on hold.' in apt_mark.stdout"
failed_when:
- apt_mark.rc != 0
- apt_mark.stdout | length > 0
loop: "{{ apt_hold_packages }}"
tags:
- apt
- name: "/etc/evolinux is present"
ansible.builtin.file:
dest: /etc/evolinux
mode: "0700"
state: directory
changed_when: "'{{ item }} set on hold.' in apt_mark.stdout"
with_items: "{{ apt_hold_packages }}"
tags:
- apt
- name: "hold packages (config)"
ansible.builtin.lineinfile:
lineinfile:
dest: /etc/evolinux/apt_hold_packages.cf
line: "{{ item }}"
create: True
state: present
loop: "{{ apt_hold_packages }}"
with_items: "{{ apt_hold_packages }}"
tags:
- apt
- name: "unhold packages (apt)"
ansible.builtin.shell:
cmd: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) && apt-mark unhold {{ item }})"
executable: /bin/bash
check_mode: no
shell: "(apt-mark showhold | grep --quiet {{ item }}) && apt-mark unhold {{ item }}"
register: apt_mark
changed_when: "'Canceled hold on' + item in apt_mark.stdout"
failed_when: apt_mark.rc != 0 and not apt_mark.stdout = ''
loop: "{{ apt_unhold_packages }}"
changed_when: "'Canceled hold on {{ item }}.' in apt_mark.stdout"
with_items: "{{ apt_unhold_packages }}"
tags:
- apt
- name: "unhold packages (config)"
ansible.builtin.lineinfile:
lineinfile:
dest: /etc/evolinux/apt_hold_packages.cf
line: "{{ item }}"
create: True
state: absent
loop: "{{ apt_unhold_packages }}"
with_items: "{{ apt_unhold_packages }}"
tags:
- apt
- name: /usr/share/scripts exists
ansible.builtin.file:
file:
dest: /usr/share/scripts
mode: "0700"
owner: root
@ -68,26 +47,23 @@
- apt
- name: Check scripts is installed
ansible.builtin.copy:
copy:
src: check_held_packages.sh
dest: /usr/share/scripts/check_held_packages.sh
force: true
force: yes
mode: "0755"
tags:
- apt
- name: Check if Cron is installed
ansible.builtin.shell:
cmd: "dpkg --list 'cron' 2>/dev/null | grep -q -E '^(i|h)i'"
shell: "dpkg --list 'cron' 2>/dev/null | grep -q -E '^(i|h)i'"
register: is_cron
changed_when: False
failed_when: False
changed_when: false
failed_when: false
check_mode: no
tags:
- apt
- name: Check for held packages (script)
ansible.builtin.cron:
cron:
cron_file: apt-hold-packages
name: check_held_packages
job: "/usr/share/scripts/check_held_packages.sh"
@ -98,6 +74,6 @@
day: "{{ apt_check_hold_cron_day }}"
month: "{{ apt_check_hold_cron_month }}"
state: "present"
when: is_cron.rc == 0
tags:
- apt
when: is_cron.rc == 0

132
apt/tasks/main.yml
View file

@ -1,137 +1,39 @@
---
- name: "Compatibility check"
ansible.builtin.assert:
that:
- ansible_distribution == "Debian"
- ansible_distribution_major_version is version('8', '>=')
msg: Only compatible with Debian >= 8
tags:
- apt
- name: "apt-transport-https is installed for https repositories (before Buster)"
ansible.builtin.apt:
name:
- apt-transport-https
tags:
- apt
when: ansible_distribution_major_version is version('10', '<')
- name: "certificates are installed for https repositories"
ansible.builtin.apt:
name:
- ca-certificates
fail:
msg: only compatible with Debian >= 8
when:
- ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<')
tags:
- apt
- name: Custom configuration
ansible.builtin.import_tasks: config.yml
when: apt_config | bool
include: config.yml
when: apt_config
tags:
- apt
- name: Install basics repositories (Debian <12)
ansible.builtin.import_tasks: basics.oneline.yml
- name: Install basics repositories
include: basics.yml
when: apt_install_basics
tags:
- apt
when:
- apt_install_basics | bool
- ansible_distribution_major_version is version('12', '<')
- name: Install basics repositories (Debian >=12)
ansible.builtin.import_tasks: basics.deb822.yml
- name: Install APT Backports repository
include: backports.yml
when: apt_install_backports
tags:
- apt
when:
- apt_install_basics | bool
- ansible_distribution_major_version is version('12', '>=')
- name: Install backports repositories (Debian <12)
ansible.builtin.import_tasks: backports.oneline.yml
- name: Install Evolix Public APT repository
include: evolix_public.yml
when: apt_install_evolix_public
tags:
- apt
when:
- apt_install_backports | bool
- ansible_distribution_major_version is version('12', '<')
# With Debian 12+ and the deb822 format of source files
# backports are always installed but enabled according to `apt_install_backports`
- name: Install backports repositories (Debian >=12)
ansible.builtin.import_tasks: backports.deb822.yml
tags:
- apt
when:
- ansible_distribution_major_version is version('12', '>=')
- name: Install Evolix Public repositories (Debian <12)
ansible.builtin.import_tasks: evolix_public.oneline.yml
tags:
- apt
when:
- apt_install_evolix_public | bool
- ansible_distribution_major_version is version('12', '<')
- name: Install Evolix Public repositories (Debian >=12)
ansible.builtin.import_tasks: evolix_public.deb822.yml
tags:
- apt
when:
- apt_install_evolix_public | bool
- ansible_distribution_major_version is version('12', '>=')
- name: Install Extended-LTS repositories (Debian < 10)
ansible.builtin.import_tasks: extended-lts.oneline.yml
tags:
- apt
when:
- apt_install_extended_lts | bool
- ansible_distribution_major_version is version('10', '<')
- name: Clean GANDI sources
ansible.builtin.file:
path: '{{ item }}'
state: absent
loop:
- /etc/apt/sources.list.d/debian-security.list
- /etc/apt/sources.list.d/debian-jessie.list
- /etc/apt/sources.list.d/debian-stretch.list
- /etc/apt/sources.list.d/debian-buster.list
- /etc/apt/sources.list.d/debian-bullseye.list
- /etc/apt/sources.list.d/debian-update.list
tags:
- apt
when: apt_clean_gandi_sourceslist | bool
- name: "Disable NonFreeFirmware warning for VM on Debian 12+"
ansible.builtin.lineinfile:
path: /etc/apt/apt.conf.d/no-bookworm-firmware.conf
create: yes
line: "APT::Get::Update::SourceListWarnings::NonFreeFirmware \"false\";"
tags:
- apt
when:
- ansible_distribution_major_version is version('12', '>=')
- ansible_virtualization_role == "guest"
- name: Install check for packages marked hold
ansible.builtin.import_tasks: hold_packages.yml
when: apt_install_hold_packages | bool
tags:
- apt
- name: Updating APT cache
ansible.builtin.apt:
update_cache: yes
changed_when: False
tags:
- apt
- name: Upgrading system
ansible.builtin.apt:
upgrade: dist
when: apt_upgrade | bool
include: hold_packages.yml
when: apt_install_hold_packages
tags:
- apt

62
apt/tasks/migrate-to-deb822.yml
View file

@ -1,62 +0,0 @@
---
- ansible.builtin.include_role:
name: evolix/remount-usr
- name: /usr/share/scripts exists
ansible.builtin.file:
dest: /usr/share/scripts
mode: "0700"
owner: root
group: root
state: directory
tags:
- apt
- name: Migration scripts are installed
ansible.builtin.copy:
src: "{{ item }}"
dest: "/usr/share/scripts/{{ item }}"
force: true
mode: "0755"
loop:
- deb822-migration.py
- deb822-migration.sh
tags:
- apt
- name: Exec migration script
ansible.builtin.command:
cmd: /usr/share/scripts/deb822-migration.sh
ignore_errors: yes
tags:
- apt
- name: Is system.sources present?
ansible.builtin.stat:
path: /etc/apt/sources.list.d/system.sources
register: _system_sources
- name: Add signed-by when relevant for bookworm
ansible.builtin.lineinfile:
dest: /etc/apt/sources.list.d/system.sources
line: "Signed-by: /usr/share/keyrings/debian-archive-keyring.gpg"
insertafter: "Suites: bookworm bookworm-updates"
state: present
tags:
- apt
when: _system_sources.stat.exists or not ansible_check_mode
- name: Is security.sources present?
ansible.builtin.stat:
path: /etc/apt/sources.list.d/security.sources
register: _security_sources
- name: Add signed-by when relevant for bookworm-security
ansible.builtin.lineinfile:
dest: /etc/apt/sources.list.d/security.sources
line: "Signed-by: /usr/share/keyrings/debian-archive-keyring.gpg"
insertafter: "Suites: bookworm-security"
state: present
tags:
- apt
when: _security_sources.stat.exists or not ansible_check_mode

53
apt/tasks/move-apt-keyring.yml
View file

@ -1,53 +0,0 @@
---
- name: New APT keyrings directory is present
ansible.builtin.file:
path: /etc/apt/keyrings
state: directory
mode: "0755"
owner: root
group: root
- ansible.builtin.include_role:
name: evolix/remount-usr
- name: /usr/share/scripts exists
ansible.builtin.file:
dest: /usr/share/scripts
mode: "0700"
owner: root
group: root
state: directory
tags:
- apt
- name: migration script is present
ansible.builtin.copy:
src: move-apt-keyrings.sh
dest: /usr/share/scripts/move-apt-keyrings.sh
mode: "0755"
owner: root
group: root
- name: Move repository signing key
ansible.builtin.command:
cmd: "/usr/share/scripts/move-apt-keyrings.sh \"{{ item.repository_pattern }}\" \"{{ item.key }}\""
loop:
- { repository_pattern: "http://pub.evolix.net/", key: "reg.asc" }
- { repository_pattern: "http://pub.evolix.org/evolix", key: "pub_evolix.asc" }
- { repository_pattern: "https://pub.evolix.org/evolix", key: "pub_evolix.asc" }
- { repository_pattern: "https://artifacts.elastic.co/packages/[^/]+/apt", key: "elastics.asc" }
- { repository_pattern: "https://download.docker.com/linux/debian", key: "docker-debian.asc" }
- { repository_pattern: "https://downloads.linux.hpe.com/SDR/repo/mcp", key: "hpePublicKey2048_key1.asc" }
- { repository_pattern: "http://pkg.jenkins-ci.org/debian-stable", key: "jenkins.asc" }
- { repository_pattern: "https://packages.sury.org/php/", key: "sury.gpg" }
- { repository_pattern: "http://repo.mongodb.org/apt/debian", key: "mongodb-server-[0-9\\.]+.asc" }
- { repository_pattern: "http://apt.newrelic.com/debian/", key: "newrelic.asc" }
- { repository_pattern: "https://deb.nodesource.com/", key: "nodesource.asc" }
- { repository_pattern: "https://dl.yarnpkg.com/debian/", key: "yarn.asc" }
- { repository_pattern: "http://apt.postgresql.org/pub/repos/apt/", key: "postgresql.asc" }
register: _cmd
- name: Debug command
ansible.builtin.debug:
var: _cmd

7
apt/templates/bookworm_backports.sources.j2
View file

@ -1,7 +0,0 @@
# {{ ansible_managed }}
Types: deb
URIs: http://mirror.evolix.org/debian
Suites: bullseye-backports
Components: {{ apt_backports_components | mandatory }}
Enabled: {{ apt_install_backports | bool | ternary('yes', 'no') }}

8
apt/templates/bookworm_basics.sources.j2
View file

@ -1,8 +0,0 @@
# {{ ansible_managed }}
Types: deb
URIs: http://mirror.evolix.org/debian
Suites: bookworm bookworm-updates
Components: {{ apt_basics_components | mandatory }}
Enabled: yes
Signed-By: /usr/share/keyrings/debian-archive-bookworm-automatic.gpg

8
apt/templates/bookworm_security.sources.j2
View file

@ -1,8 +0,0 @@
# {{ ansible_managed }}
Types: deb
URIs: https://security.debian.org/debian-security
Suites: bookworm-security
Components: {{ apt_basics_components | mandatory }}
Enabled: yes
Signed-By: /usr/share/keyrings/debian-archive-bookworm-security-automatic.gpg

3
apt/templates/bullseye_backports.list.j2
View file

@ -1,3 +0,0 @@
# {{ ansible_managed }}
deb http://mirror.evolix.org/debian bullseye-backports {{ apt_backports_components | mandatory }}

5
apt/templates/bullseye_basics.list.j2
View file

@ -1,5 +0,0 @@
# {{ ansible_managed }}
deb http://mirror.evolix.org/debian bullseye {{ apt_basics_components | mandatory }}
deb http://mirror.evolix.org/debian bullseye-updates {{ apt_basics_components | mandatory }}
deb http://security.debian.org/debian-security bullseye-security {{ apt_basics_components | mandatory }}

2
apt/templates/buster_basics.list.j2
View file

@ -1,5 +1,5 @@
# {{ ansible_managed }}
deb http://mirror.evolix.org/debian buster {{ apt_basics_components | mandatory }}
deb http://mirror.evolix.org/debian buster-updates {{ apt_basics_components | mandatory }}
deb http://mirror.evolix.org/debian/ buster-updates {{ apt_basics_components | mandatory }}
deb http://security.debian.org/debian-security buster/updates {{ apt_basics_components | mandatory }}

2
apt/templates/evolix_public.list.j2
View file

@ -1,3 +1,3 @@
# {{ ansible_managed }}
deb [signed-by={{ apt_keyring_dir }}/{{ apt_evolix_public_key }}] http://pub.evolix.org/evolix {{ ansible_distribution_release }} main
deb http://pub.evolix.net/ {{ ansible_distribution_release }}/

8
apt/templates/evolix_public.sources.j2
View file

@ -1,8 +0,0 @@
# {{ ansible_managed }}
Types: deb
URIs: http://pub.evolix.org/evolix
Suites: {{ ansible_distribution_release }}
Components: main
Signed-by: {{ apt_keyring_dir }}/pub_evolix.asc
Enabled: yes

5
apt/templates/jessie_basics.list.j2
View file

@ -1,5 +1,4 @@
# {{ ansible_managed }}
### Those repositories are unusable. Move to ELTS (manually).
# deb http://archive.debian.org/debian jessie {{ apt_basics_components | mandatory }}
# deb http://archive.debian.org/debian-security jessie/updates {{ apt_basics_components | mandatory }}
deb http://mirror.evolix.org/debian/ jessie {{ apt_basics_components | mandatory }}
deb http://security.debian.org/ jessie/updates {{ apt_basics_components | mandatory }}

4
apt/templates/jessie_extended-lts.list.j2
View file

@ -1,4 +0,0 @@
# {{ ansible_managed }}
deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts jessie main
deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts jessie-lts main

2
apt/templates/stretch_backports.list.j2
View file

@ -1,3 +1,3 @@
# {{ ansible_managed }}
deb http://archive.debian.org/debian stretch-backports {{ apt_backports_components | mandatory }}
deb http://mirror.evolix.org/debian stretch-backports {{ apt_backports_components | mandatory }}

5
apt/templates/stretch_basics.list.j2
View file

@ -1,4 +1,5 @@
# {{ ansible_managed }}
deb http://archive.debian.org/debian stretch {{ apt_basics_components | mandatory }}
deb http://archive.debian.org/debian-security stretch/updates {{ apt_basics_components | mandatory }}
deb http://mirror.evolix.org/debian stretch {{ apt_basics_components | mandatory }}
deb http://mirror.evolix.org/debian/ stretch-updates {{ apt_basics_components | mandatory }}
deb http://security.debian.org/debian-security stretch/updates {{ apt_basics_components | mandatory }}

4
apt/templates/stretch_extended-lts.list.j2
View file

@ -1,4 +0,0 @@
# {{ ansible_managed }}
deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts stretch main
deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts stretch-lts main

17
autosysadmin-agent/defaults/main.yml
View file

@ -1,17 +0,0 @@
---
general_scripts_dir: "/usr/share/scripts"
autosysadmin_agent_bin_dir: "/usr/local/bin/autosysadmin"
autosysadmin_agent_lib_dir: "/usr/local/lib/autosysadmin"
autosysadmin_agent_auto_dir: "{{ general_scripts_dir }}/autosysadmin/restart"
autosysadmin_agent_crontab_enabled: true
autosysadmin_agent_log_retention_days: 365
autosysadmin_config: []
### All repair are disabled if set to 'off'
### even if a specific repair value is 'on'
# repair_all: 'on'
### Default values for checks
# repair_foo: 'off'

13
autosysadmin-agent/files/autosysadmin.logrotate.conf
View file

@ -1,13 +0,0 @@
/var/log/autosysadmin.log {
daily
missingok
rotate 365
compress
nodelaycompress
notifempty
dateext
dateformat .%Y-%m-%d
dateyesterday
copytruncate
create 0640 root adm
}

3
autosysadmin-agent/files/autosysadmin.rsyslog.conf
View file

@ -1,3 +0,0 @@
$template autosysadmin, "/var/log/autosysadmin.log"
if $programname contains 'autosysadmin' then ?autosysadmin
& stop

25
autosysadmin-agent/files/upstream/bin/delete_old_logs.sh
View file

@ -1,25 +0,0 @@
#!/bin/bash
days=${1:-365}
log_dir="/var/log/autosysadmin/"
if [ -d "${log_dir}" ]; then
find_run_dirs() {
find "${log_dir}" \
-mindepth 1 \
-maxdepth 1 \
-type d \
-ctime "+${days}" \
-print0
}
log() {
/usr/bin/logger -p local0.notice -t autosysadmin "${1}"
}
while IFS= read -r -d '' run_dir; do
rm --recursive --force "${run_dir}"
log "Delete ${run_dir} (older than ${days} days)"
done < <(find_run_dirs)
fi
exit 0

907
autosysadmin-agent/files/upstream/lib/common.sh
View file

@ -1,907 +0,0 @@
#!/bin/bash
VERSION="24.03"
# Common functions for "repair" and "restart" scripts
set -u
# Initializes the program, context, configuration…
initialize() {
PATH="${PATH}":/usr/sbin:/sbin
# Used in many places to refer to the program name.
# Examples: repair_mysql, restart_nrpe…
PROGNAME=$(basename "${0}")
# find out if running in interactive mode, or not
if [ -t 0 ]; then
INTERACTIVE=1
else
INTERACTIVE=0
fi
readonly INTERACTIVE
# Default empty value for Debug mode
DEBUG="${DEBUG:-""}"
# Repair scripts obey to the value of a variable named after the script
# You can set the value ("on" or "off") in /etc/evolinux/autosysadmin
# Here we set the default value to "on".
declare -g "${PROGNAME}"=on # dynamic variable assignment ($PROGNAME == repair_*)
PID=$$
readonly PID
# Each execution (run) gets a unique ID
RUN_ID="$(date +"%Y-%m-%d_%H-%M")_${PROGNAME}_${PID}"
readonly RUN_ID
# Main log directory
MAIN_LOG_DIR="/var/log/autosysadmin"
readonly MAIN_LOG_DIR
# shellcheck disable=SC2174
mkdir --mode=750 --parents "${MAIN_LOG_DIR}"
chgrp adm "${MAIN_LOG_DIR}"
# Each execution store some information
# in a unique directory based on the RUN_ID
RUN_LOG_DIR="${MAIN_LOG_DIR}/${RUN_ID}"
readonly RUN_LOG_DIR
# shellcheck disable=SC2174
mkdir --mode=750 --parents "${RUN_LOG_DIR}"
chgrp adm "${RUN_LOG_DIR}"
# This log file contains all events
RUN_LOG_FILE="${RUN_LOG_DIR}/autosysadmin.log"
readonly RUN_LOG_FILE
# This log file contains notable actions
ACTIONS_FILE="${RUN_LOG_DIR}/actions.log"
readonly ACTIONS_FILE
touch "${ACTIONS_FILE}"
# This log file contains abort reasons (if any)
ABORT_FILE="${RUN_LOG_DIR}/abort.log"
readonly ABORT_FILE
# touch "${ABORT_FILE}"
# Date format for log messages
DATE_FORMAT="%Y-%m-%d %H:%M:%S"
# This will contain lock, last-run markers…
# It's ok to lose the content after a reboot
RUN_DIR="/run/autosysadmin"
readonly RUN_DIR
mkdir -p "${RUN_DIR}"
# Only a singe instace of each script can run simultaneously
# We use a customizable lock name for this.
# By default it's the script's name
LOCK_NAME=${LOCK_NAME:-${PROGNAME}}
# If a lock is found, we can wait for it to disappear.
# The value must be understood by sleep(1)
LOCK_WAIT="0"
# Default values for email headers
EMAIL_FROM="equipe+autosysadmin@evolix.fr"
EMAIL_INTERNAL="autosysadmin@evolix.fr"
LOCK_FILE="${RUN_DIR}/${LOCK_NAME}.lock"
readonly LOCK_FILE
# Remove lock file at exit
cleanup() {
# shellcheck disable=SC2317
rm -f "${LOCK_FILE}"
}
trap 'cleanup' 0
# Load configuration
# shellcheck disable=SC1091
test -f /etc/evolinux/autosysadmin && source /etc/evolinux/autosysadmin
log_all "Begin ${PROGNAME} RUN_ID: ${RUN_ID}"
log_all "Log directory is ${RUN_LOG_DIR}"
}
# Executes a list of tasks before exiting:
# * prepare a summary of actions and possible abort reasons
# * send emails
# * do some cleanup
quit() {
log_all "End ${PROGNAME} RUN_ID: ${RUN_ID}"
summary="RUN_ID: ${RUN_ID}"
if [ -s "${ABORT_FILE}" ]; then
# Add abort reasons to summary
summary="${summary}\n$(print_abort_reasons)"
hook_mail "abort"
return_code=1
else
if [ -s "${ACTIONS_FILE}" ]; then
# Add notable actions to summary
summary="${summary}\n$(print_actions "Aucune action")"
hook_mail "success"
fi
return_code=0
fi
hook_mail "internal"
if is_interactive; then
# shellcheck disable=SC2001
echo "${summary}" | sed -e 's/\\n/\n/g'
else
/usr/share/scripts/evomaintenance.sh --auto --user autosysadmin --message "${summary}" --no-commit --no-mail
fi
teardown
# shellcheck disable=SC2086
exit ${return_code}
}
teardown() {
:
}
# Return true/false
is_interactive() {
test "${INTERACTIVE}" -eq "1"
}
save_server_state() {
DUMP_SERVER_STATE_BIN="$(command -v dump-server-state || command -v backup-server-state)"
if [ -z "${DUMP_SERVER_STATE_BIN}" ]; then
log_all "Warning: dump-server-state is not present. No server state recorded."
fi
if [ -x "${DUMP_SERVER_STATE_BIN}" ]; then
DUMP_DIR=$(file_path_in_log_dir "server-state")
# We don't want the logging to take too much time,
# so we kill it if it takes more than 20 seconds.
timeout --signal 9 20 \
"${DUMP_SERVER_STATE_BIN}" \
--dump-dir="${DUMP_DIR}" \
--df \
--dmesg \
--iptables \
--lxc \
--netcfg \
--netstat \
--uname \
--processes \
--systemctl \
--uptime \
--virsh \
--disks \
--mysql-processes \
--no-apt-states \
--no-apt-config \
--no-dpkg-full \
--no-dpkg-status \
--no-mount \
--no-packages \
--no-sysctl \
--no-etc
log_run "Server state saved in \`server-state' directory."
fi
}
is_debug() {
# first time: do the check…
# other times: pass
if [ -z "${DEBUG:-""}" ]; then
debug_file="/etc/evolinux/autosysadmin.debug"
if [ -e "${debug_file}" ]; then
last_change=$(stat -c %Z "${debug_file}")
limit_date=$(date --date "14400 seconds ago" +"%s")
if [ $(( last_change - limit_date )) -le "0" ]; then
log_run "Debug mode disabled; file is too old (%{last_change} seconds)."
rm "${debug_file}"
# Debug mode disabled
DEBUG="0"
else
log_run "Debug mode enabled."
# Debug mode enabled
DEBUG="1"
fi
else
# log_run "Debug mode disabled; file is absent."
# Debug mode disabled
DEBUG="0"
fi
fi
# return the value
test "${DEBUG}" -eq "1"
}
# Uses the who(1) definition of "active"
currently_active_users() {
LC_ALL=C who --users | grep --extended-regexp "\s+\.\s+" | awk '{print $1}' | sort --human-numeric-sort | uniq
}
# Users active in the last 29 minutes
recently_active_users() {
LC_ALL=C who --users | grep --extended-regexp "\s+00:(0|1|2)[0-9]\s+" | awk --field-separator ' ' '{print $1,$6}'
}
# Save the list of users to a file in the log directory
save_active_users() {
LC_ALL=C who --users | save_in_log_dir "who-users"
}
# An autosysadmin must not perform actions if a user is active or was active recently.
#
# This can by bypassed in interactive mode.
# It's OK to lose this data after a reboot.
ensure_no_active_users_or_exit() {
# Save all active users
save_active_users
if is_debug; then
log_run "Debug mode enabled: continue without checking active users."
return 0;
fi
# Is there any currently active user?
currently_active_users=$(currently_active_users)
if [ -n "${currently_active_users}" ]; then
# shellcheck disable=SC2001
users_oneliner=$(echo "${currently_active_users}" | sed -e 's/\n/ /')
log_run "Currently active users: ${users_oneliner}"
if is_interactive; then
echo "Some users are currently active:"
# shellcheck disable=SC2001
echo "${currently_active_users}" | sed -e 's/\(.\+\)/* \1/'
answer=""
while :; do
printf "> Continue? [Y,n,?] "
read -r answer
case ${answer} in
[Yy]|"" )
log_run "Active users check bypassed manually in interactive mode."
return
;;
[Nn] )
log_run "Active users check confirmed manually in interactive mode."
log_abort_and_quit "Active users detected: ${users_oneliner}"
;;
* )
printf "y - yes, continue\n"
printf "n - no, exit\n"
printf "? - print this help\n"
;;
esac
done
else
log_abort_and_quit "Currently active users detected: ${users_oneliner}."
fi
else
# or recently (the last 30 minutes) active user?
recently_active_users=$(recently_active_users)
if [ -n "${recently_active_users}" ]; then
# shellcheck disable=SC2001
users_oneliner=$(echo "${recently_active_users}" | sed -e 's/\n/ /')
log_run "Recently active users: ${users_oneliner}"
if is_interactive; then
echo "Some users were recently active:"
# shellcheck disable=SC2001
echo "${recently_active_users}" | sed -e 's/\(.\+\)/* \1/'
answer=""
while :; do
printf "> Continue? [Y,n,?] "
read -r answer
case ${answer} in
[Yy]|"" )
log_run "Active users check bypassed manually in interactive mode."
return
;;
[Nn] )
log_run "Active users check confirmed manually in interactive mode."
log_abort_and_quit "Recently active users detected: ${users_oneliner}."
;;
* )
printf "y - yes, continue\n"
printf "n - no, exit\n"
printf "? - print this help\n"
;;
esac
done
else
log_abort_and_quit "Recently active users detected: ${users_oneliner}."
fi
fi
fi
}
# Takes an NRPE command name as 1st parameter,
# and executes the full command if found in the configuration.
# Return the result and the return code of the command.
check_nrpe() {
check="$1"
nrpe_files=""
# Check if NRPE config is found
if [ -f "/etc/nagios/nrpe.cfg" ]; then
nrpe_files="${nrpe_files} /etc/nagios/nrpe.cfg"
else
msg="NRPE configuration not found: /etc/nagios/nrpe.cfg"
log_run "${msg}"
echo "${msg}"
return 3
fi
# Search for included files
# shellcheck disable=SC2086
while IFS= read -r include_file; do
nrpe_files="${nrpe_files} ${include_file}"
done < <(grep --extended-regexp '^\s*include=.+' ${nrpe_files} | cut -d = -f 2)
# Search for files in included directories
# shellcheck disable=SC2086
while IFS= read -r include_dir; do
nrpe_files="${nrpe_files} ${include_dir}/*.cfg"
done < <(grep --extended-regexp '^\s*include_dir=.+' ${nrpe_files} | cut -d = -f 2)
# Fetch uncommented commands in (sorted) config files
# shellcheck disable=SC2086
nrpe_commands=$(grep --no-filename --exclude=*~ --fixed-strings "[${check}]" ${nrpe_files} | grep --invert-match --extended-regexp '^\s*#\s*command' | cut -d = -f 2)
nrpe_commands_count=$(echo "${nrpe_commands}" | wc -l)
if is_debian_version "9" "<=" && [ "${nrpe_commands_count}" -gt "1" ]; then
# On Debian <= 9, NRPE loading was not sorted
# we need to raise an error if we have multiple defined commands
msg="Unable to determine which NRPE command to run"
log_run "${msg}"
echo "${msg}"
return 3
else
# On Debian > 9, use the last command
nrpe_command=$(echo "${nrpe_commands}" | tail -n 1)
nrpe_result=$(${nrpe_command})
nrpe_rc=$?
log_run "NRPE command (exited with ${nrpe_rc}): ${nrpe_command}"
log_run "${nrpe_result}"
echo "${nrpe_result}"
return "${nrpe_rc}"
fi
}
# An autosysadmin script must not run twice (or more) simultaneously.
# We use a customizable (with LOCK_NAME) lock file to keep track of this.
# A wait time can be configured.
#
# This can by bypassed in interactive mode.
# It's OK to lose this data after a reboot.
acquire_lock_or_exit() {
lock_file="${1:-${LOCK_FILE}}"
lock_wait="${2:-${LOCK_WAIT}}"
# lock_wait must be compatible with sleep(1), otherwise fallback to 0
if ! echo "${lock_wait}" | grep -Eq '^[0-9]+[smhd]?$'; then
log_run "Lock wait: incorrect value '${lock_wait}', fallback to 0."
lock_wait=0
fi
if [ "${lock_wait}" != "0" ] && [ -f "${lock_file}" ]; then
log_run "Lock file present. Let's wait ${lock_wait} and check again."
sleep "${lock_wait}"
fi
if [ -f "${lock_file}" ]; then
log_abort_and_quit "Lock file still present."
else
log_run "Lock file absent. Let's put one."
touch "${lock_file}"
fi
}
# If a script has been run in the ast 30 minutes, running it again won't fix the issue.
# We use a /run/ausosysadmin/${PROGNAME}_lastrun file to keep track of this.
#
# This can by bypassed in interactive mode.
# This is bypassed in debug mode.
# It's OK to lose this data after a reboot.
ensure_not_too_soon_or_exit() {
if is_debug; then
log_run "Debug mode enabled: continue without checking when was the last run."
return 0;
fi
lastrun_file="${RUN_DIR}/${PROGNAME}_lastrun"
if [ -f "${lastrun_file}" ]; then
lastrun_age="$(($(date +%s)-$(stat -c "%Y" "${lastrun_file}")))"
log_run "Last run was ${lastrun_age} seconds ago."
if [ "${lastrun_age}" -lt 1800 ]; then
if is_interactive; then
echo "${PROGNAME} was run ${lastrun_age} seconds ago."
answer=""
while :; do
printf "> Continue? [Y,n,?] "
read -r answer
case ${answer} in
[Yy]|"" )
log_run "Last run check bypassed manually in interactive mode."
break
;;
[Nn] )
log_run "Last run check confirmed manually in interactive mode."
log_abort_and_quit 'Last run too recent.'
;;
* )
printf "y - yes, continue\n"
printf "n - no, exit\n"
printf "? - print this help\n"
;;
esac
done
else
log_abort_and_quit "Last run too recent."
fi
fi
fi
touch "${lastrun_file}"
}
# Populate DEBIAN_VERSION and DEBIAN_RELEASE variables
# based on gathered information about the operating system
detect_os() {
DEBIAN_RELEASE="unknown"
DEBIAN_VERSION="unknown"
LSB_RELEASE_BIN="$(command -v lsb_release)"
if [ -e /etc/debian_version ]; then
DEBIAN_VERSION="$(cut -d "." -f 1 < /etc/debian_version)"
if [ -x "${LSB_RELEASE_BIN}" ]; then
DEBIAN_RELEASE="$("${LSB_RELEASE_BIN}" --codename --short)"
else
case "${DEBIAN_VERSION}" in
7) DEBIAN_RELEASE="wheezy" ;;
8) DEBIAN_RELEASE="jessie" ;;
9) DEBIAN_RELEASE="stretch" ;;
10) DEBIAN_RELEASE="buster" ;;
11) DEBIAN_RELEASE="bullseye" ;;
12) DEBIAN_RELEASE="bookworm" ;;
13) DEBIAN_RELEASE="trixie" ;;
esac
fi
# log_run "Detected OS: Debian version=${DEBIAN_VERSION} release=${DEBIAN_RELEASE}"
# else
# log_run "Detected OS: unknown (missing /etc/debian_version)"
fi
}
is_debian_wheezy() {
test "${DEBIAN_RELEASE}" = "wheezy"
}
is_debian_jessie() {
test "${DEBIAN_RELEASE}" = "jessie"
}
is_debian_stretch() {
test "${DEBIAN_RELEASE}" = "stretch"
}
is_debian_buster() {
test "${DEBIAN_RELEASE}" = "buster"
}
is_debian_bullseye() {
test "${DEBIAN_RELEASE}" = "bullseye"
}
is_debian_bookworm() {
test "${DEBIAN_RELEASE}" = "bookworm"
}
is_debian_trixie() {
test "${DEBIAN_RELEASE}" = "trixie"
}
is_debian_version() {
local version=$1
local relation=${2:-"eq"}
if [ -z "${DEBIAN_VERSION:-""}" ]; then
detect_os
fi
dpkg --compare-versions "${DEBIAN_VERSION}" "${relation}" "${version}"
}
# List systemd services (only names), even if stopped
systemd_list_services() {
pattern=$1
systemctl list-units --all --no-legend --type=service "${pattern}" | grep --only-matching --extended-regexp '\S+\.service'
}
is_systemd_enabled() {
systemctl --quiet is-enabled "$1" 2> /dev/null
}
is_systemd_active() {
systemctl --quiet is-active "$1" 2> /dev/null
}
is_sysvinit_enabled() {
find /etc/rc2.d/ -name "$1" > /dev/null
}
get_fqdn() {
# shellcheck disable=SC2155
local system=$(uname -s)
if [ "${system}" = "Linux" ]; then
hostname --fqdn
elif [ "${system}" = "OpenBSD" ]; then
hostname
else
log_abort_and_quit "System '${system}' not recognized."
fi
}
get_complete_hostname() {
REAL_HOSTNAME="$(get_fqdn)"
if [ "${HOSTNAME}" = "${REAL_HOSTNAME}" ]; then
echo "${HOSTNAME}"
else
echo "${HOSTNAME} (${REAL_HOSTNAME})"
fi
}
# Fetch values from evomaintenance configuration
get_evomaintenance_mail() {
grep "EVOMAINTMAIL=" /etc/evomaintenance.cf | cut -d '=' -f2
}
get_evomaintenance_emergency_mail() {
grep "URGENCYFROM=" /etc/evomaintenance.cf | cut -d '=' -f2
}
get_evomaintenance_emergency_tel() {
grep "URGENCYTEL=" /etc/evomaintenance.cf | cut -d '=' -f2
}
# Log a message to the log file in the log directory
log_run() {
local msg="${1:-$(cat /dev/stdin)}"
# shellcheck disable=SC2155
local date=$(/bin/date +"${DATE_FORMAT}")
printf "[%s] %s[%s]: %s\\n" \
"${date}" "${PROGNAME}" "${PID}" "${msg}" \
>> "${RUN_LOG_FILE}"
}
# Log a message in the system log file (syslog or journald)
log_global() {
local msg="${1:-$(cat /dev/stdin)}"
echo "${msg}" \
| /usr/bin/logger -p local0.notice -t autosysadmin
}
# Log a message in both places
log_all() {
local msg="${1:-$(cat /dev/stdin)}"
log_global "${msg}"
log_run "${msg}"
}
# Log a notable action in regular places
# and append it to the dedicated list
log_action() {
log_all "$*"
append_action "$*"
}
# Append a line in the actions.log file in the log directory
append_action() {
echo "$*" >> "${ACTIONS_FILE}"
}
# Print the content of the actions.log file
# or a fallback content (1st parameter) if empty
# shellcheck disable=SC2120
print_actions() {
local fallback=${1:-""}
if [ -s "${ACTIONS_FILE}" ]; then
cat "${ACTIONS_FILE}"
elif [ -n "${fallback}" ]; then
echo "${fallback}"
fi
}
# Log a an abort reason in regular places
# and append it to the dedicated list
log_abort() {
log_all "$*"
append_abort_reason "$*"
}
# Append a line in the abort.log file in the log directory
append_abort_reason() {
echo "$*" >> "${ABORT_FILE}"
}
# Print the content of the abort.log file
# or a fallback content (1st parameter) if empty
# shellcheck disable=SC2120
print_abort_reasons() {
local fallback=${1:-""}
if [ -s "${ABORT_FILE}" ]; then
cat "${ABORT_FILE}"
elif [ -n "${fallback}" ]; then
echo "${fallback}"
fi
}
# Print the content of the main log from the log directory
print_main_log() {
cat "${RUN_LOG_FILE}"
}
# Log an abort reason and quit the script
log_abort_and_quit() {
log_abort "$*"
quit
}
# Store the content from standard inpu
# into a file in the log directory named after the 1st parameter
save_in_log_dir() {
local file_name=$1
local file_path="${RUN_LOG_DIR}/${file_name}"
cat /dev/stdin > "${file_path}"
log_run "Saved \`${file_name}' file."
}
# Return the full path of the file in log directory
# based on the name in the 1st parameter
file_path_in_log_dir() {
echo "${RUN_LOG_DIR}/${1}"
}
format_mail_success() {
cat <<EOTEMPLATE
From: AutoSysadmin Evolix <${EMAIL_FROM}>
Content-Type: text/plain; charset=UTF-8
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Script: ${PROGNAME}
X-RunId: ${RUN_ID}
To: ${EMAIL_CLIENT:-alert5@evolix.fr}
Cc: ${EMAIL_INTERNAL}
Subject: [autosysadmin] Intervention automatisée sur ${HOSTNAME_TEXT}
Bonjour,
Une intervention automatisée vient de se terminer.
Nom du serveur : ${HOSTNAME_TEXT}
Heure d'intervention : $(LC_ALL=fr_FR.utf8 date)
Script déclenché : ${PROGNAME}
### Actions réalisées
$(print_actions "Aucune")
### RĂ©agir Ă  cette intervention
Vous pouvez répondre à ce message (${EMAIL_FROM}).
En cas d'urgence, utilisez l'adresse ${EMERGENCY_MAIL}
ou notre ligne d'astreinte (${EMERGENCY_TEL})
--
Votre AutoSysadmin
EOTEMPLATE
}
format_mail_abort() {
cat <<EOTEMPLATE
From: AutoSysadmin Evolix <${EMAIL_FROM}>
Content-Type: text/plain; charset=UTF-8
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Script: ${PROGNAME}
X-RunId: ${RUN_ID}
To: ${EMAIL_CLIENT:-alert5@evolix.fr}
Cc: ${EMAIL_INTERNAL}
Subject: [autosysadmin] Intervention automatisée interrompue sur ${HOSTNAME_TEXT}
Bonjour,
Une intervention automatisée a été déclenchée mais s'est interrompue.
Nom du serveur : ${HOSTNAME_TEXT}
Heure d'intervention : $(LC_ALL=fr_FR.utf8 date)
Script déclenché : ${PROGNAME}
### Actions réalisées
$(print_actions "Aucune")
### Raison(s) de l'interruption
$(print_abort_reasons "Inconnue")
### RĂ©agir Ă  cette intervention
Vous pouvez répondre à ce message (${EMAIL_FROM}).
En cas d'urgence, utilisez l'adresse ${EMERGENCY_MAIL}
ou notre ligne d'astreinte (${EMERGENCY_TEL})
--
Votre AutoSysadmin
EOTEMPLATE
}
# shellcheck disable=SC2028
print_report_information() {
echo "**Uptime**"
echo ""
uptime
echo ""
echo "**Utilisateurs récents**"
echo ""
who_file=$(file_path_in_log_dir "who-users")
if [ -s "${who_file}" ]; then
cat "${who_file}"
else
who --users
fi
echo ""
echo "**Espace disque**"
echo ""
df_file=$(file_path_in_log_dir "server-state/df.txt")
if [ -s "${df_file}" ]; then
cat "${df_file}"
else
df -h
fi
echo ""
echo "**Dmesg**"
echo ""
dmesg_file=$(file_path_in_log_dir "server-state/dmesg.txt")
if [ -s "${dmesg_file}" ]; then
tail -n 5 "${dmesg_file}"
else
dmesg | tail -n 5
fi
echo ""
echo "**systemd failed services**"
echo ""
failed_services_file=$(file_path_in_log_dir "server-state/systemctl-failed-services.txt")
if [ -s "${failed_services_file}" ]; then
cat "${failed_services_file}"
else
systemctl --no-legend --state=failed --type=service
fi
if command -v lxc-ls > /dev/null 2>&1; then
echo ""
echo "**LXC containers**"
echo ""
lxc_ls_file=$(file_path_in_log_dir "server-state/lxc-list.txt")
if [ -s "${lxc_ls_file}" ]; then
cat "${lxc_ls_file}"
else
lxc-ls --fancy
fi
fi
apache_errors_file=$(file_path_in_log_dir "apache-errors.log")
if [ -f "${apache_errors_file}" ]; then
echo ""
echo "**Apache errors**"
echo ""
cat "${apache_errors_file}"
fi
nginx_errors_file=$(file_path_in_log_dir "nginx-errors.log")
if [ -f "${nginx_errors_file}" ]; then
echo ""
echo "**Nginx errors**"
echo ""
cat "${nginx_errors_file}"
fi
}
format_mail_internal() {
cat <<EOTEMPLATE
From: AutoSysadmin Evolix <${EMAIL_FROM}>
Content-Type: text/plain; charset=UTF-8
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Script: ${PROGNAME}
X-RunId: ${RUN_ID}
To: ${EMAIL_INTERNAL}
Subject: [autosysadmin] Rapport interne d'intervention sur ${HOSTNAME_TEXT}
Bonjour,
Une intervention automatique vient de se terminer.
Nom du serveur : ${HOSTNAME_TEXT}
Heure d'intervention : $(LC_ALL=fr_FR.utf8 date)
Script déclenché : ${PROGNAME}
### Actions réalisées
$(print_actions "Aucune")
### Raison(s) de l'interruption
$(print_abort_reasons "Aucune")
### Log autosysadmin
$(print_main_log)
### Informations additionnelles
$(print_report_information)
--
Votre AutoSysadmin
EOTEMPLATE
}
# Generic function to send emails at the end of the script.
# Takes a template as 1st parameter
hook_mail() {
if is_debug; then
log_run "Debug mode enabled: continue without sending mail."
return 0;
fi
HOSTNAME="${HOSTNAME:-"$(get_fqdn)"}"
HOSTNAME_TEXT="$(get_complete_hostname)"
EMAIL_CLIENT="$(get_evomaintenance_mail)"
EMERGENCY_MAIL="$(get_evomaintenance_emergency_mail)"
EMERGENCY_TEL="$(get_evomaintenance_emergency_tel)"
MAIL_CONTENT="$(format_mail_"$1")"
SENDMAIL_BIN="$(command -v sendmail)"
if [ -z "${SENDMAIL_BIN}" ]; then
log_global "ERROR: No \`sendmail' command has been found, can't send mail."
fi
if [ -x "${SENDMAIL_BIN}" ]; then
echo "${MAIL_CONTENT}" | "${SENDMAIL_BIN}" -oi -t -f "equipe@evolix.fr"
log_global "Sent '$1' mail for RUN_ID: ${RUN_ID}"
fi
}
is_holiday() {
# gcal mark today as a holiday by surrounding with < and > the day
# of the month of that holiday line. For example if today is 2022-05-01 we'll
# get among other lines:
# FĂŞte du Travail (FR) + Di, < 1>Mai 2022
# Jour de la Victoire (FR) + Di, : 8:Mai 2022 = +7 jours
LANGUAGE=fr_FR.UTF-8 TZ=Europe/Paris gcal --cc-holidays=fr --holiday-list=short | grep -E '<[0-9 ]{2}>' --quiet
}
is_weekend() {
day_of_week=$(date +%u)
if [ "${day_of_week}" != 6 ] && [ "${day_of_week}" != 7 ]; then
return 1
fi
}
is_workday() {
if is_holiday || is_weekend; then
return 1
fi
}
is_worktime() {
if ! is_workday; then
return 1
fi
hour=$(date +%H)
if [ "${hour}" -lt 9 ] || { [ "${hour}" -ge 12 ] && [ "${hour}" -lt 14 ] ; } || [ "${hour}" -ge 18 ]; then
return 1
fi
}

112
autosysadmin-agent/files/upstream/lib/repair.sh
View file

@ -1,112 +0,0 @@
#!/bin/bash
# Specific functions for "repair" scripts
is_all_repair_disabled() {
# Fetch values from the config
# and if it is not defined or has no value, then assign "on"
local status=${repair_all:=on}
test "${status}" = "off" || test "${status}" = "0"
}
is_current_repair_disabled() {
# Fetch values from the config
# and if it is not defined or has no value, then assign "on"
local status=${!PROGNAME:=on}
test "${status}" = "off" || test "${status}" = "0"
}
ensure_not_disabled_or_exit() {
if is_all_repair_disabled; then
log_global 'All repair scripts are disabled.'
exit 0
fi
if is_current_repair_disabled; then
log_global "Current repair script (${PROGNAME}) is disabled."
exit 0
fi
}
# Set of actions to do at the begining of a "repair" script
pre_repair() {
initialize
# Are we supposed to run?
ensure_not_disabled_or_exit
# Has it recently been run?
ensure_not_too_soon_or_exit
# Can we acquire a lock?
acquire_lock_or_exit
# Is there any active user?
ensure_no_active_users_or_exit
# Save important information
save_server_state
}
# Set of actions to do at the end of a "repair" script
post_repair() {
quit
}
repair_lxc_php() {
container_name=$1
if is_systemd_enabled 'lxc.service'; then
lxc_path=$(lxc-config lxc.lxcpath)
if lxc-info --name "${container_name}" > /dev/null; then
rootfs="${lxc_path}/${container_name}/rootfs"
case "${container_name}" in
php56) fpm_log_file="${rootfs}/var/log/php5-fpm.log" ;;
php70) fpm_log_file="${rootfs}/var/log/php7.0-fpm.log" ;;
php73) fpm_log_file="${rootfs}/var/log/php7.3-fpm.log" ;;
php74) fpm_log_file="${rootfs}/var/log/php7.4-fpm.log" ;;
php80) fpm_log_file="${rootfs}/var/log/php8.0-fpm.log" ;;
php81) fpm_log_file="${rootfs}/var/log/php8.1-fpm.log" ;;
php82) fpm_log_file="${rootfs}/var/log/php8.2-fpm.log" ;;
php83) fpm_log_file="${rootfs}/var/log/php8.3-fpm.log" ;;
*)
log_abort_and_quit "Unknown container '${container_name}'"
;;
esac
# Determine FPM Pool path
php_path_pool=$(find "${lxc_path}/${container_name}/" -type d -name "pool.d")
# Save LXC info (before restart)
lxc-info --name "${container_name}" | save_in_log_dir "lxc-${container_name}.before.status"
# Save last lines of FPM log (before restart)
tail "${fpm_log_file}" | save_in_log_dir "$(basename "${fpm_log_file}" | sed -e 's/.log/.before.log/')"
# Save NRPE check (before restart)
/usr/local/lib/nagios/plugins/check_phpfpm_multi "${php_path_pool}" | save_in_log_dir "check_fpm_${container_name}.before.out"
lxc-stop --timeout 20 --name "${container_name}"
lxc-start --daemon --name "${container_name}"
rc=$?
if [ "${rc}" -eq "0" ]; then
log_all "Restart LXC container '${container_name}: OK"
else
log_all "Restart LXC container '${container_name}: failed"
fi
# Save LXC info (after restart)
lxc-info --name "${container_name}" | save_in_log_dir "lxc-${container_name}.after.status"
# Save last lines of FPM log (after restart)
tail "${fpm_log_file}" | save_in_log_dir "$(basename "${fpm_log_file}" | sed -e 's/.log/.after.log/')"
# Save NRPE check (after restart)
/usr/local/lib/nagios/plugins/check_phpfpm_multi "${php_path_pool}" | save_in_log_dir "check_fpm_${container_name}.after.out"
else
log_abort_and_quit "LXC container '${container_name}' doesn't exist."
fi
else
log_abort_and_quit 'LXC not found.'
fi
}

76
autosysadmin-agent/files/upstream/lib/restart.sh
View file

@ -1,76 +0,0 @@
#!/bin/bash
# Specific functions for "restart" scripts
running_custom() {
# Placeholder that returns 1, to prevent running if not redefined
log_global "running_custom() function has not been redefined! Let's quit."
return 1
}
# Examine RUNNING variable and decide if the script should run or not
is_supposed_to_run() {
if is_debug; then return 0; fi
case ${RUNNING} in
never)
# log_global "is_supposed_to_run: no (never)"
return 1
;;
always)
# log_global "is_supposed_to_run: yes (always)"
return 0
;;
nwh-fr)
! is_worktime
rc=$?
# if [ ${rc} -eq 0 ]; then
# log_global "is_supposed_to_run: yes (nwh-fr returned ${rc})"
# else
# log_global "is_supposed_to_run: no (nwh-fr returned ${rc})"
# fi
return ${rc}
;;
nwh-ca)
# Not implemented yet
return 0
;;
custom)
running_custom
rc=$?
# if [ ${rc} -eq 0 ]; then
# log_global "is_supposed_to_run: yes (custom returned ${rc})"
# else
# log_global "is_supposed_to_run: no (custom returned ${rc})"
# fi
return ${rc}
;;
esac
}
ensure_supposed_to_run_or_exit() {
if ! is_supposed_to_run; then
# simply quit (no logging, no notifications…)
# log_global "${PROGNAME} is not supposed to run (RUNNING=${RUNNING})."
exit 0
fi
}
# Set of actions to do at the begining of a "restart" script
pre_restart() {
initialize
# Has it recently been run?
ensure_not_too_soon_or_exit
# Can we acquire a lock?
acquire_lock_or_exit
# Save important information
save_server_state
}
# Set of actions to do at the end of a "restart" script
post_restart() {
quit
}

157
autosysadmin-agent/files/upstream/repair/repair_disk
View file

@ -1,157 +0,0 @@
#!/bin/bash
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
pre_repair
# We always keep some reserved blocks to avoid missing some logs
# https://gitea.evolix.org/evolix/autosysadmin/issues/22
RESERVED_BLOCKS_MIN=1
get_mountpoints() {
# the $(...) get the check_disk1 command
# the cut command selects the critical part of the check_disk1 output
# the grep command extracts the mountpoints and available disk space
# the last cut command selects the mountpoints
check_disk1_command=$(grep check_disk1 /etc/nagios/nrpe.d/evolix.cfg | cut -d'=' -f2-)
${check_disk1_command} -e | cut -d'|' -f1 | grep --extended-regexp --only-matching '/[[:graph:]]* [0-9]+ [A-Z][A-Z]' | cut -d' ' -f1
}
is_reserved_blocks_nominal() {
partition=${1}
fs_type="$(findmnt -n --output=fstype "${partition}")"
if [ "${fs_type}" = "ext4" ]; then
device="$(findmnt -n --output=source "${partition}")"
reserved_block_count="$(tune2fs -l "${device}" | grep 'Reserved block count' | awk -F':' '{ gsub (" ", "", $0); print $2}')"
block_count="$(tune2fs -l "${device}" | grep 'Block count' | awk -F':' '{ gsub (" ", "", $0); print $2}')"
percentage=$(awk "BEGIN { pc=100*${reserved_block_count}/${block_count}; i=int(pc); print (pc-i<0.5)?i:i+1 }")
log_run "Reserved blocks for ${partition} is currently at ${percentage}%"
if [ "${percentage}" -gt "${RESERVED_BLOCKS_MIN}" ]; then
log_run "Allowing tune2fs action to reduce the number of reserved blocks"
return 0
else
log_run "Reserved blocks already at or bellow ${RESERVED_BLOCKS_MIN}%, no automatic action possible"
return 1
fi
else
log_run "Filesystem for ${partition} (${fs_type}) is incompatible with reserved block reduction."
return 1
fi
}
reduce_reserved_blocks() {
partition=${1}
device=$(findmnt -n --output=source "${partition}")
tune2fs -m "${RESERVED_BLOCKS_MIN}" "${device}"
log_action "Reserved blocks for ${partition} changed to ${RESERVED_BLOCKS_MIN} percent"
}
is_tmp_to_delete() {
size="$(find /var/log/ -type f -ctime +1 -exec du {} \+ | awk '{s+=$1}END{print s / 1024}')"
if [ -n "${size}" ]; then
return 0
else
return 1
fi
}
is_log_to_delete() {
size="$(find /var/log/ -type f -mtime +365 -exec du {} \+ | awk '{s+=$1}END{print s / 1024}')"
if [ -n "${size}" ]; then
return 0
else
return 1
fi
}
clean_apt_cache() {
for container in $(lxc-ls -1); do
if [ -e "$(lxc-config lxc.lxcpath)/${container}/rootfs/var/cache" ]; then
lxc-attach --name "${container}" -- apt-get clean
log_action "Clean apt cache in LXC container ${container}";
fi
done
# NOTE: "head -n 1" might be superfluous, but let's be sure to have only the first returned value
biggest_subdir=$(du --summarize --one-file-system "/var/*" | sort --numeric-sort --reverse | sed 's/^[0-9]\+[[:space:]]\+//;q' | head -n 1)
case "${biggest_subdir}" in
'/var/cache')
apt-get clean
log_action 'Clean apt cache'
;;
esac
}
clean_amavis_virusmails() {
if du --inodes /var/lib/* | sort --numeric-sort | tail -n 3 | grep --quiet 'virusmails$'; then
find /var/lib/amavis/virusmails/ -type f -atime +30 -delete
log_action 'Clean amavis infected mails'
fi
}
critical_mountpoints=$(get_mountpoints)
if [ -z "${critical_mountpoints}" ]; then
log_abort_and_quit "No partition is in critical state, nothing left to do."
else
for mountpoint in ${critical_mountpoints}; do
case "${mountpoint}" in
/var)
#if is_log_to_delete
#then
# find /var/log/ -type f -mtime +365 -delete
# log_action "$size Mo of disk space freed in /var"
#fi
if is_reserved_blocks_nominal /var; then
reduce_reserved_blocks /var
clean_apt_cache
clean_amavis_virusmails
fi
;;
/tmp)
#if is_tmp_to_delete
#then
# find /tmp/ -type f -ctime +1 -delete
# log_action "$size Mo of disk space freed in /tmp"
#fi
if is_reserved_blocks_nominal /tmp; then
reduce_reserved_blocks /tmp
fi
;;
/home)
if is_reserved_blocks_nominal /home; then
reduce_reserved_blocks /home
fi
;;
/srv)
if is_reserved_blocks_nominal /srv; then
reduce_reserved_blocks /srv
fi
;;
/filer)
if is_reserved_blocks_nominal /filer; then
reduce_reserved_blocks /filer
fi
;;
/)
if is_reserved_blocks_nominal /; then
reduce_reserved_blocks /
# Suggest remove old kernel ?
fi
;;
*)
# unknown
log_run 'Unknown partition (or weird case) or nothing to do'
;;
esac
done
fi
post_repair

35
autosysadmin-agent/files/upstream/repair/repair_elasticsearch
View file

@ -1,35 +0,0 @@
#!/bin/bash
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
pre_repair
service="elasticsearch.service"
service_name="elasticsearch"
if is_systemd_enabled "${service}"; then
if is_systemd_active "${service}"; then
log_abort_and_quit "${service} is active, nothing left to do."
else
# Save service status before restart
systemctl status "${service}" | save_in_log_dir "${service_name}.before.status"
# Try to restart
timeout 20 systemctl restart "${service}" > /dev/null
rc=$?
if [ "${rc}" -eq "0" ]; then
log_action "Restart ${service_name}: OK"
else
log_action "Restart ${service_name}: failed"
fi
# Save service status after restart
systemctl status "${service}" | save_in_log_dir "${service_name}.after.status"
fi
else
log_abort_and_quit "${service} is disabled (or missing), nothing left to do."
fi
post_repair

131
autosysadmin-agent/files/upstream/repair/repair_http
View file

@ -1,131 +0,0 @@
#!/bin/bash
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
pre_repair
## Apache
service="apache2.service"
service_name="apache2"
if is_systemd_enabled "${service}"; then
if is_systemd_active "${service}"; then
log_all "${service} is active. Skip."
else
# Save service status before restart
systemctl status "${service}" | save_in_log_dir "${service_name}.before.status"
# check syntax
if apache2ctl -t > /dev/null 2>&1; then
# Try to restart
timeout 20 systemctl restart "${service}" > /dev/null
rc=$?
if [ "${rc}" -eq "0" ]; then
log_action "Restart ${service_name}: OK"
else
log_action "Restart ${service_name}: failed"
fi
# Save service status after restart
systemctl status "${service}" | save_in_log_dir "${service_name}.after.status"
# Save error logs
date=$(LANG=en_US.UTF-8 date '+%b %d')
grep "${date}" /home/*/log/error.log /var/log/apache2/*error.log \
| grep -v \
-e "Got error 'PHP message:" \
-e "No matching DirectoryIndex" \
-e "client denied by server configuration" \
-e "server certificate does NOT include an ID which matches the server name" \
| save_in_log_dir "apache-errors.log"
else
log_action "Restart ${service_name}: skip (invalid configuration)"
fi
fi
else
log_all "${service} is disabled (or missing). Skip."
fi
## Nginx
service="nginx.service"
service_name="nginx"
if is_systemd_enabled "${service}"; then
if is_systemd_active "${service}"; then
log_all "${service} is active. Skip."
else
# Save service status before restart
systemctl status "${service}" | save_in_log_dir "${service_name}.before.status"
# check syntax
if nginx -t > /dev/null 2>&1; then
# Try to restart
timeout 20 systemctl restart "${service}" > /dev/null
rc=$?
if [ "${rc}" -eq "0" ]; then
log_action "Restart ${service_name}: OK"
else
log_action "Restart ${service_name}: failed"
fi
# Save service status after restart
systemctl status "${service}" | save_in_log_dir "${service_name}.after.status"
# Save error logs
### Consider doing for Nginx the same as Apache
else
log_action "Restart ${service_name}: skip (invalid configuration)"
fi
fi
else
log_all "${service} is disabled (or missing). Skip."
fi
## LXC
if is_systemd_enabled 'lxc.service'; then
for container in $(lxc-ls -1 | grep --fixed-strings 'php' | grep --extended-regexp --invert-match --regexp '\bold\b' --regexp '\bdisabled\b'); do
repair_lxc_php "${container}"
done
else
log_all "LXC is disabled (or missing). Skip."
fi
## FPM
fpm_services=$(systemd_list_services 'php*-fpm*')
if [ -n "${fpm_services}" ]; then
for service in ${fpm_services}; do
service_name="${service//.service/}"
if is_systemd_enabled "${service}"; then
if is_systemd_active "${service}"; then
log_all "${service} is active. Skip."
else
# Save service status before restart
systemctl status "${service}" | save_in_log_dir "${service_name}.before.status"
# Try to restart
timeout 20 systemctl restart "${service}" > /dev/null
rc=$?
if [ "${rc}" -eq "0" ]; then
log_action "Restart ${service_name}: OK"
else
log_action "Restart ${service_name}: failed"
fi
# Save service status after restart
systemctl status "${service}" | save_in_log_dir "${service_name}.after.status"
fi
else
log_all "${service} is disabled (or missing). Skip."
fi
done
else
log_all "PHP FPM not found. Skip."
fi
post_repair

69
autosysadmin-agent/files/upstream/repair/repair_mysql
View file

@ -1,69 +0,0 @@
#!/bin/bash
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
pre_repair
if is_debian_version "8" "<="; then
if is_sysvinit_enabled '*mysql*'; then
if ! pgrep -u mysql mysqld > /dev/null; then
# Save service status before restart
timeout 2 mysqladmin status 2>&1 | save_in_log_dir "mysql.before.status"
timeout 20 /etc/init.d/mysql restart > /dev/null
rc=$?
if [ "${rc}" -eq "0" ]; then
log_action "Restart mysql: OK"
else
log_action "Restart mysql: failed"
fi
# Save service status after restart
timeout 2 mysqladmin status 2>&1 | save_in_log_dir "mysql.after.status"
else
log_abort_and_quit "mysqld process alive. Aborting"
fi
else
log_abort_and_quit "MySQL not enabled. Aborting"
fi
else
if is_debian_version "12" ">="; then
service="mariadb.service"
service_name="mariadb"
else
service="mysql.service"
service_name="mysql"
fi
if is_systemd_enabled "${service}"; then
if is_systemd_active "${service}"; then
log_abort_and_quit "${service} is active, nothing left to do."
else
# Save service status before restart
systemctl status "${service}" | save_in_log_dir "${service_name}.before.status"
# Try to restart
timeout 20 systemctl restart "${service}" > /dev/null
rc=$?
if [ "${rc}" -eq "0" ]; then
log_action "Restart ${service_name}: OK"
else
log_action "Restart ${service_name}: failed"
fi
# Save service status after restart
systemctl status "${service}" | save_in_log_dir "${service_name}.after.status"
fi
else
log_abort_and_quit "${service} is disabled (or missing), nothing left to do."
fi
fi
post_repair

35
autosysadmin-agent/files/upstream/repair/repair_opendkim
View file

@ -1,35 +0,0 @@
#!/bin/bash
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
pre_repair
service="opendkim.service"
service_name="opendkim"
if is_systemd_enabled "${service}"; then
if is_systemd_active "${service}"; then
log_abort_and_quit "${service} is active, nothing left to do."
else
# Save service status before restart
systemctl status "${service}" | save_in_log_dir "${service_name}.before.status"
# Try to restart
timeout 20 systemctl restart "${service}" > /dev/null
rc=$?
if [ "${rc}" -eq "0" ]; then
log_action "Restart ${service_name}: OK"
else
log_action "Restart ${service_name}: failed"
fi
# Save service status after restart
systemctl status "${service}" | save_in_log_dir "${service_name}.after.status"
fi
else
log_abort_and_quit "${service} is disabled (or missing). Abort."
fi
post_repair

14
autosysadmin-agent/files/upstream/repair/repair_php_fpm56
View file

@ -1,14 +0,0 @@
#!/bin/bash
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
LOCK_WAIT="15s"
LOCK_NAME="repair_http"
pre_repair
repair_lxc_php php56
post_repair

14
autosysadmin-agent/files/upstream/repair/repair_php_fpm70
View file

@ -1,14 +0,0 @@
#!/bin/bash
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
LOCK_WAIT="15s"
LOCK_NAME="repair_http"
pre_repair
repair_lxc_php php70
post_repair

14
autosysadmin-agent/files/upstream/repair/repair_php_fpm73
View file

@ -1,14 +0,0 @@
#!/bin/bash
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
LOCK_WAIT="15s"
LOCK_NAME="repair_http"
pre_repair
repair_lxc_php php73
post_repair

14
autosysadmin-agent/files/upstream/repair/repair_php_fpm74
View file

@ -1,14 +0,0 @@
#!/bin/bash
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
LOCK_WAIT="15s"
LOCK_NAME="repair_http"
pre_repair
repair_lxc_php php74
post_repair

14
autosysadmin-agent/files/upstream/repair/repair_php_fpm80
View file

@ -1,14 +0,0 @@
#!/bin/bash
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
LOCK_WAIT="15s"
LOCK_NAME="repair_http"
pre_repair
repair_lxc_php php80
post_repair

14
autosysadmin-agent/files/upstream/repair/repair_php_fpm81
View file

@ -1,14 +0,0 @@
#!/bin/bash
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
LOCK_WAIT="15s"
LOCK_NAME="repair_http"
pre_repair
repair_lxc_php php81
post_repair

14
autosysadmin-agent/files/upstream/repair/repair_php_fpm82
View file

@ -1,14 +0,0 @@
#!/bin/bash
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
LOCK_WAIT="15s"
LOCK_NAME="repair_http"
pre_repair
repair_lxc_php php82
post_repair

14
autosysadmin-agent/files/upstream/repair/repair_php_fpm83
View file

@ -1,14 +0,0 @@
#!/bin/bash
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
LOCK_WAIT="15s"
LOCK_NAME="repair_http"
pre_repair
repair_lxc_php php83
post_repair

32
autosysadmin-agent/files/upstream/repair/repair_redis
View file

@ -1,32 +0,0 @@
#!/bin/bash
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
pre_repair
for service in $(systemd_list_services 'redis-server*'); do
service_name="${service//.service/}"
if is_systemd_active "${service}"; then
log_all "${service} is active. Skip."
else
# Save service status before restart
systemctl status "${service}" | save_in_log_dir "${service_name}.before.status"
# Try to restart
timeout 20 systemctl restart "${service}" > /dev/null
rc=$?
if [ "${rc}" -eq "0" ]; then
log_action "Restart ${service_name}: OK."
else
log_action "Restart ${service_name}: failed."
fi
# Save service status after restart
systemctl status "${service}" | save_in_log_dir "${service_name}.after.status"
fi
done
post_repair

34
autosysadmin-agent/files/upstream/repair/repair_tomcat_instance
View file

@ -1,34 +0,0 @@
#!/bin/bash
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
pre_repair
repair_tomcat_instance_handle_tomcat() {
if /bin/su - "${1}" -c "/bin/systemctl --quiet --user is-active tomcat.service" ; then
if ! /bin/su - "${1}" -c "/usr/bin/timeout 20 /bin/systemctl --quiet --user restart tomcat.service"
then
log_abort_and_quit "Echec de redémarrage instance tomcat utilisateur ${1}"
else
log_action "Redémarrage instance tomcat utilisateur ${1}"
fi
elif /bin/systemctl --quiet is-active "${1}".service ; then
if ! /usr/bin/timeout 20 systemctl --quiet restart "${1}".service
then
log_abort_and_quit "Echec de redémarrage instance tomcat ${1}"
else
log_action "Redémarrage instance tomcat ${1}"
fi
fi
}
for instance in $( /usr/local/lib/nagios/plugins/check_tomcat_instance.sh |grep CRITICAL |awk '{print $3}' |sed '1d') ;
do
repair_tomcat_instance_handle_tomcat "${instance}"
done
post_repair

41
autosysadmin-agent/files/upstream/repair/zzz-repair_example.template
View file

@ -1,41 +0,0 @@
#!/bin/bash
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
source "${AUTOSYSADMIN_LIB}/repair.sh" || exit 1
## Custom lock wait and/or lock name
# LOCK_WAIT="15s"
# LOCK_NAME="repair_http"
pre_repair
## The name of the service, mainly for logging
service_name="example"
## The systemd service name
systemd_service="${service_name}.service"
if is_systemd_enabled "${systemd_service}"; then
if is_systemd_active "${systemd_service}"; then
log_abort_and_quit "${systemd_service} is active, nothing left to do."
else
# Save service status before restart
systemctl status "${systemd_service}" | save_in_log_dir "${service_name}.before.status"
# Try to restart
timeout 20 systemctl restart "${systemd_service}" > /dev/null
rc=$?
if [ "${rc}" -eq "0" ]; then
log_action "Restart ${service_name}: OK"
else
log_action "Restart ${service_name}: failed"
fi
# Save service status after restart
systemctl status "${systemd_service}" | save_in_log_dir "${service_name}.after.status"
fi
else
log_abort_and_quit "${service_name} is disabled (or missing), nothing left to do."
fi
post_repair

19
autosysadmin-agent/files/upstream/restart/README
View file

@ -1,19 +0,0 @@
Autosysadmin "restart auto" scripts
===================================
In this directory you can place scripts that will be executed automatically by a cron job (stored in `/etc/cron.d/autosysadmin`).
They must satisfy the default `run-parts(8)` constraints :
* be "executable"
* belong to the Debian cron script namespace (`^[a-zA-Z0-9_-]+$`), example: `restart_amavis`
Warning: scripts that do not satisfy those criteria will NOT be run (silently)!
You can print the names of the scripts which would be run, without actually running them, with this command :
```
$ run-parts --test /usr/share/scripts/autosysadmin/restart
```
You can use `zzz-restart_example.template` as boilerplate code to make your own "restart" script.

120
autosysadmin-agent/files/upstream/restart/zzz-restart_example.template
View file

@ -1,120 +0,0 @@
#!/bin/bash
: "${AUTOSYSADMIN_LIB:=/usr/local/lib/autosysadmin}"
source "${AUTOSYSADMIN_LIB}/common.sh" || exit 1
source "${AUTOSYSADMIN_LIB}/restart.sh" || exit 1
# shellcheck disable=SC2034
RUNNING="nwh-fr"
## Possible values for RUNNING :
## never => disabled
## always => enabled
## nwh-fr => enabled during non-working-hours in France
## nwh-ca => enabled during non-working-hours in Canada (not supported yet)
## custom => enabled if `running_custom()` function returns 0, otherwise disabled.
## Uncomment and customize this method if you want to have a special logic :
##
## return 1 if we should not run
## return 0 if we should run
##
## Some available functions :
## is_weekend() : Saturday or Sunday
## is_holiday() : holiday in France (based on `gcal(1)`)
## is_workday() : not weekend and not holiday
## is_worktime() : work day between 9-12h and 14-18h
#
# running_custom() {
# # implement your own custom method to decide if we should run or not
# }
## The name of the service, mainly for logging
service_name="example"
## The SysVinit script name
sysvinit_script="${service_name}"
## The systemd service name
systemd_service="${service_name}.service"
is_service_alive() {
## this must return 0 if the service is alive, otherwise return 1
## Example:
pgrep -u USER PROCESS_NAME > /dev/null
}
## Action for SysVinit system
sysvinit_action() {
# Save service status before restart
timeout 2 "/etc/init.d/${sysvinit_script}" status | save_in_log_dir "${service_name}.before.status"
# Try to restart
timeout 20 "/etc/init.d/${sysvinit_script}" restart > /dev/null
rc=$?
if [ "${rc}" -eq "0" ]; then
log_action "Restart ${service_name}: OK"
else
log_action "Restart ${service_name}: failed"
fi
# Save service status after restart
timeout 2 "/etc/init.d/${sysvinit_script}" status | save_in_log_dir "${service_name}.after.status"
}
## Action for systemd system
systemd_action() {
# Save service status before restart
systemctl status "${systemd_service}" | save_in_log_dir "${service_name}.before.status"
# Try to restart
# systemctl (only for NRPE ?) sometimes returns 0 even if the service has failed to start
# so we check the status explicitly
timeout 20 systemctl restart "${systemd_service}" > /dev/null \
&& sleep 1 \
&& systemctl status "${systemd_service}" > /dev/null
rc=$?
if [ "${rc}" -eq "0" ]; then
log_action "Restart ${service_name}: OK"
else
log_action "Restart ${service_name}: failed"
fi
# Save service status after restart
systemctl status "${systemd_service}" | save_in_log_dir "${service_name}.after.status"
}
# Should we run?
if ! is_supposed_to_run; then
# log_global "${PROGNAME} is not supposed to run (RUNNING=${RUNNING})."
exit 0
fi
if is_service_alive; then
# log_global "${service_name} process alive. Aborting"
exit 0
fi
# Yes we do, so check for sysvinit or systemd
if is_debian_version "8" "<="; then
if ! is_sysvinit_enabled "*${sysvinit_script}*"; then
# log_global "${service_name} not enabled. Aborting"
exit 0
fi
# Let's finally do the action
pre_restart
sysvinit_action
post_restart
else
if ! is_systemd_enabled "${systemd_service}"; then
# log_global "${service_name} is disabled (or missing), nothing left to do."
exit 0
fi
if is_systemd_active "${systemd_service}"; then
# log_global "${service_name} is active, nothing left to do."
exit 0
fi
# Let's finally do the action
pre_restart
systemd_action
post_restart
fi

16
autosysadmin-agent/handlers/main.yml
View file

@ -1,16 +0,0 @@
---
- name: restart nagios-nrpe-server
service:
name: nagios-nrpe-server
state: restarted
- name: restart nrpe
service:
name: nrpe
state: restarted
- name: restart rsyslog
service:
name: rsyslog
state: restarted

25
autosysadmin-agent/tasks/crontab.yml
View file

@ -1,25 +0,0 @@
---
- name: "Add begin marker if missing"
ansible.builtin.lineinfile:
path: "/etc/cron.d/autosysadmin"
line: "# BEGIN ANSIBLE MANAGED SECTION FOR AUTOSYSADMIN"
insertbefore: BOF
create: yes
- name: "Add end marker if missing"
ansible.builtin.lineinfile:
path: "/etc/cron.d/autosysadmin"
line: "# END ANSIBLE MANAGED SECTION FOR AUTOSYSADMIN"
insertbefore: "EOF"
create: yes
- name: "Create config if missing"
ansible.builtin.blockinfile:
path: "/etc/cron.d/autosysadmin"
marker: "# {mark} ANSIBLE MANAGED SECTION FOR AUTOSYSADMIN"
block: "{{ lookup('ansible.builtin.template', '../templates/autosysadmin.cron.j2') }}"
owner: root
group: root
mode: "0750"
create: yes

4
autosysadmin-agent/tasks/dependencies.yml
View file

@ -1,4 +0,0 @@
---
- name: Install gcal
ansible.builtin.apt:
name: gcal

Some files were not shown because too many files have changed in this diff Show more