Release 22.01 #142

Merged

jlecour merged 189 commits from unstable into stable 2022-01-25 18:30:09 +01:00

Conversation 0 Commits 189 Files Changed 201 +5250 -871

jlecour commented 2022-01-25 18:28:51 +01:00

Owner

Copy Link

Added

• Support for Debian 11 « Bullseye » (with possible remaining blind spots)
• apache: new variable for MPM mode (+ updated default config accordingly)
• apache: prevent accessing Git or "env" related files
• certbot: add script for manual deploy hooks execution
• docker-host: install additional dependencies
• dovecot: switch to TLS 1.2+ and external DH params
• etc-git: centralize cron jobs in dedicated crontab
• etc-git: manage commits with an optimized shell script instead of many slow Ansible tasks
• evolinux-base: add script backup-server-state
• evolinux-base: configure top and htop to display the swap column
• evolinux-base: install molly-guard by default
• generate-ldif: detect RAID controller
• generate-ldif: detect mdadm
• listupgrade: crontab is configurable
• logstash: logging to syslog is configurable (default: True)
• mongodb: create munin plugins directory if missing
• munin: systemd override to unprotect home directory
• mysql: add evomariabackup 21.11
• mysql: improve Bullseye compatibility
• mysql: script "mysql_connections" to display a compact list of connections
• mysql: script "mysql-queries-killer.sh" to kill MySQL queries
• nagios-nrpe + evolinux-users: new check for ipmi
• nagios-nrpe + evolinux-users: new check for RAID (soft + hard)
• nagios-nrpe + evolinux-users: new checks for bkctld
• nagios-nrpe: new check influxdb
• openvpn: new role (beta)
• redis: instance service for Debian 11
• squid: add *.o.lencr.org to default whitelist

Changed

• Change version pattern
• Install python 2 or 3 libraries according to running python version
• Remove embedded GPG keys only if legacy keyring is present
• apt: remove workaround for Evolix public repositories with Debian 11
• apt: upgrade packages after all the configuration is done
• apt: use the new security repository for Bullseye
• certbot: silence letsencrypt deprecation warnings
• elasticsearch: elastic_stack_version = 7.x
• evoacme: exclude renewal-hooks directory from cron
• evoadmin-web: simpler PHP packages lists
• evocheck: upstream release 21.10.4
• evolinux-base: alert5 comes after the network
• evolinux-base: force Debian version to buster for Evolix repository (temporary)
• evolinux-base: install freeipmi by default on dedicated hw
• evolinux-base: logs are rotated with dateext by default
• evolinux-base: split dpkg logrotate configuration
• evolinux-users + nagios-nrpe: Add support for php-fpm80 in lxc
• evomaintenance: extract a config.yml tasks file
• evomaintenance: upstream release 22.01
• filebeat/metricbeat: elastic_stack_version = 7.x
• kibana: elastic_stack_version = 7.x
• listupgrade: old-kernel-removal version 21.10
• listupgrade: upstream release 21.06.3
• logstash: elastic_stack_version = 7.x
• mongodb: Allow to specify a mongodb version for buster & bullseye
• mongodb: Deny the install on Debian 11 « Bullseye » when the version is unsupported
• mongodb: Support version 5.0 (for buster)
• mysql: use python3 and mariadb-client-10.5 with Debian 11 and later
• nodejs: default to version 16 LTS
• php: enforce Debian version with assert instead of fail
• squid: improve default whitelist (more specific patterns)
• squid: must be started in foreground mode for systemd
• squid: remove obsolete variable on Squid 4

Fixed

• evolinux-base: fix alert5.service dependency syntax
• certbot: sync_remote excludes itself
• lxc-php: fix config for opensmtpd on bullseye containers
• mysql : Create a default ~root/.my.cnf for compatibility reasons
• nginx : fix variable name and debug to actually use nginx-light
• packweb-apache : Support php 8.0
• nagios-nrpe: Fix check_nfsserver for buster and bullseye

Removed

• evocheck: package install is not supported anymore
• logstash: no more dependency on Java
• php: remove php-gettext for 7.4

### Added * Support for Debian 11 « Bullseye » (with possible remaining blind spots) * apache: new variable for MPM mode (+ updated default config accordingly) * apache: prevent accessing Git or "env" related files * certbot: add script for manual deploy hooks execution * docker-host: install additional dependencies * dovecot: switch to TLS 1.2+ and external DH params * etc-git: centralize cron jobs in dedicated crontab * etc-git: manage commits with an optimized shell script instead of many slow Ansible tasks * evolinux-base: add script backup-server-state * evolinux-base: configure top and htop to display the swap column * evolinux-base: install molly-guard by default * generate-ldif: detect RAID controller * generate-ldif: detect mdadm * listupgrade: crontab is configurable * logstash: logging to syslog is configurable (default: True) * mongodb: create munin plugins directory if missing * munin: systemd override to unprotect home directory * mysql: add evomariabackup 21.11 * mysql: improve Bullseye compatibility * mysql: script "mysql_connections" to display a compact list of connections * mysql: script "mysql-queries-killer.sh" to kill MySQL queries * nagios-nrpe + evolinux-users: new check for ipmi * nagios-nrpe + evolinux-users: new check for RAID (soft + hard) * nagios-nrpe + evolinux-users: new checks for bkctld * nagios-nrpe: new check influxdb * openvpn: new role (beta) * redis: instance service for Debian 11 * squid: add *.o.lencr.org to default whitelist ### Changed * Change version pattern * Install python 2 or 3 libraries according to running python version * Remove embedded GPG keys only if legacy keyring is present * apt: remove workaround for Evolix public repositories with Debian 11 * apt: upgrade packages after all the configuration is done * apt: use the new security repository for Bullseye * certbot: silence letsencrypt deprecation warnings * elasticsearch: elastic_stack_version = 7.x * evoacme: exclude renewal-hooks directory from cron * evoadmin-web: simpler PHP packages lists * evocheck: upstream release 21.10.4 * evolinux-base: alert5 comes after the network * evolinux-base: force Debian version to buster for Evolix repository (temporary) * evolinux-base: install freeipmi by default on dedicated hw * evolinux-base: logs are rotated with dateext by default * evolinux-base: split dpkg logrotate configuration * evolinux-users + nagios-nrpe: Add support for php-fpm80 in lxc * evomaintenance: extract a config.yml tasks file * evomaintenance: upstream release 22.01 * filebeat/metricbeat: elastic_stack_version = 7.x * kibana: elastic_stack_version = 7.x * listupgrade: old-kernel-removal version 21.10 * listupgrade: upstream release 21.06.3 * logstash: elastic_stack_version = 7.x * mongodb: Allow to specify a mongodb version for buster & bullseye * mongodb: Deny the install on Debian 11 « Bullseye » when the version is unsupported * mongodb: Support version 5.0 (for buster) * mysql: use python3 and mariadb-client-10.5 with Debian 11 and later * nodejs: default to version 16 LTS * php: enforce Debian version with assert instead of fail * squid: improve default whitelist (more specific patterns) * squid: must be started in foreground mode for systemd * squid: remove obsolete variable on Squid 4 ### Fixed * evolinux-base: fix alert5.service dependency syntax * certbot: sync_remote excludes itself * lxc-php: fix config for opensmtpd on bullseye containers * mysql : Create a default ~root/.my.cnf for compatibility reasons * nginx : fix variable name and debug to actually use nginx-light * packweb-apache : Support php 8.0 * nagios-nrpe: Fix check_nfsserver for buster and bullseye ### Removed * evocheck: package install is not supported anymore * logstash: no more dependency on Java * php: remove php-gettext for 7.4

jlecour added 189 commits 2022-01-25 18:28:53 +01:00

51462c724c certbot: sync_remote excludes itself

11813c31a4 certbot: add script for manual deploy hooks execution

b0b24744d6 listupgrade: upstream release 21.06.3

90cbd17f9b listupgrade: crontab is configurable

27a09ce682 listupgrade: update old-kernel-removal.sh from upstream

83e8a3d75a listupgrade: add repository URL

b8ac36e673 Fake « testing » as Deban 11 « Bullseye »

6bfef35729 Add bullseye APT repositories

2f68ae5339 Preliminary support for Bullseye

4a158ac819 Reduce verbosity

52d06a3987 temporary bulseye-detect role ...

Overrides some facts to add compatibility with unreleased Debian version

008cb6a3c9 quote numeric values

380c50b999 evolinux-base: increase minimum Ansible version to 2.9

5e09906c8f fixup! temporary bulseye-detect role

51d4ec1bb2 php: remove php-gettext for 7.4

c5bb8f06ae mysql: use python3 with Debian 11 and later

2c441f176a mysql: mariadb-client-10.5 on Debian 11

f673ea85d1 Force Debian version to buster for Evolix repository

c5ab0c0ff9 squid: remove obsolete variable on Squid 4

e8a8e85819 redis: instance service for Debian 11

c80c354d65 fix keyrings permissions

a60189eb3e better bullseye compatibility workaround

613a11d119 elasticsearch: 7.x by default

d40fad662f kibana: 7.x by default

6b87ead5b4 update changelog

9c8dd743c8 Use python3 packages on Debian 11 and later

8a784c39ab mongodb: create munin plugins directory if missing

5c1ae6ed0c spamassassin: change dependency on evomaintenance ...

Fail with an error if evomaintenance config is missing
instead of trying to install a package that doesn't exist anymore.

a5658b7f26 packweb-apache: install phpMyAdmin from buster-backports

58cd1fedfa fix path for first_found lookup

b5bcd666c6 fix apt gpg keys after rebase from unstable

5905751a82 squid: must be started in foreground mode for systemd

04e41b5dc9 squid: improve default whitelist

3721c2ab38 squid: improve default whitelist

4167b6d2a9 fix CHANGELOG

d1829e7000 metricbeat: fix indentation

ba3ed5e903 Merge branch 'bullseye' into unstable

6f66ab8e93 Merge branch 'unstable' into bullseye

ffd7d0e504 evolinux-base: alert5 comes after the network

29ec7bdcf2 Remove embedded GPG keys only if legacy keyring is present

c77e0d73f8 Merge branch 'bullseye' into unstable

49cb5adf92 evolinux-base: Fix hw card detect ...

Run the shell command as bash instead of sh; otherwise it will fail because of the set -o pipefail

7a089f88af Correct typo in var name ...

trusted_gpg_keyring.stat.present instead of _trusted_gpg_keyring.stat.present

8e6c08b81b evolinux-base: Change the pattern of MegaRAID detect ...

Seems the card names may somethings between 'MegaRAID' and 'SAS'
I'll take the short and easy path as I think MegaRAID is enough in most cases

b362fadc80 typo (again) + not using trusted.gpg isn't restricted to debian 9+

73352f55d7 evolinux-base: add tags to hardawre tasks

32b5efa30e evocheck: upstream release 21.07

bf49ec8df5 mysql: script "mysql_connections" to display a compact list of connections

491407953c We want LDAP listen on ldapi:/// by default

139b342fbd certbot: silence letsencrypt deprecation warnings

c9f25f4638 bullseye-detect: this role is obsolete, Debian 11 has been fully released

d186e21239 evoadmin-web: simpler PHP packages lists

969a5bce7d apt: remove workaround for Evolix public repositories with Debian 11

ad457dd7ba apt: use the new security repository for Bullseye

ca7d8e9739 Add variable mysql_performance_schema and configuration in evolinux_custom template

066baf3538 Revert "bullseye-detect: this role is obsolete, Debian 11 has been fully released" ...

This reverts commit c9f25f4638.

42189ba613 Configure php7.4 for evoadmin-web on bullseye

2448168008 evolinux-base: Add swap column to htop and top

bd92ff95c8 use absolute path in evacme cron

5a83a30a4c whitespace

916138575a Add generate dhparam and update variables for dovecot 2.3

999efb3983 Add "may take several minutes" for task generate dhparam

2c7380240c nagios-nrpe + evolinux-users: new checks for bkctld

ecba57ad75 evolinux-base: install molly-guard by default

6c21c3b505 Add configuration for listener stats write and read with correct right

5e794cd2b6 commit whitespace

d2ef3fe27f Fix syntax on task "plugins are installed for"

74ab96d67f loop syntax and whitespaces

65750d2aa6 evomaintenance: extract a config.yyml tasks file

73f55a42fa forgotten file

e45ee59801 mysql: script "mysql-queries-killer.sh" to kill MySQL queries

887c1552cb certbot: sync_remote.sh uses quotes for variable export

51e414df31 certbot: syntax for "no-self-upgrade" variable

b908fc6cee certbot: don't install legacy Certbot on Debian 9

e76f2fe448 mysql-queries-killer: use a config file

0cab062431 kill/list all queries at once

e429f7aecb squid: add *.o.lencr.org to default whitelist

2b549af7d9 evolinux-base: split dpkg logrotate configuration

45b7ce3486 lxc-php: Use Debian bullseye package for php74

fa0c668cec evolinux-base: install freeipmi by default on dedicated hw

51fd2337f0 nagios-nrpe + evolinux-users: new check raid (soft + hard)

6a2cd59e6d nagios-nrpe + evolinux-users: new check ipmi

de4d814d74 generate-ldif: detect hardware raid card

f75354bb84 generate-ldif: detect mdadm

ef1472cbba logstash: elastic_stack_version = 7.x

8233264d2a logstash: logging to syslog is configurable (default: True)

1d55965527 logstash: no more dependency on Java

ae2be6a009 Fix indent for generate dh_param

3fcb79a3a3 Fix path to dhparam certificate

73efee9caa etc-git: purge old .git/index.lock (default: True)

e130728034 evolix-users: Add missing sudo auth for check_raid for HP hardware

febc76b26c php: fix tasks names

0eb7332a34 php: enforce Debian version with assert instead of fail

437d2986ae better python3 modules management

4c52719561 php: fix assert condition

3de5de5304 mysql: improve Bullseye compatibility

4a035d248d evocheck: upstream release 21.09

9b479f9c05 evolinux-base: logs are rotated with dateext by default

b2f8095d14 mysql: fix task settings temporary mistake

5cbfda8f52 docker-host: install additional dependencies

dc1a01ce37 lxc: fix dependencies

b293cf2cf9 Install python 2 or 3 libraries according to running python version

6cb2c66924 mysql: fix task settings temporary mistake

de843cb91f mysql: fix task settings temporary mistake

e089ddf091 evocheck: upstream release 21.10

37cb18f676 nginx: improve tasks naiming

7b14296503 etc-git: optimize maintenance tasks ...

* manage commits with an optimized shell script instead of many slow Ansible tasks
* centralize cron jobs in dedicated crontab

86e5df9c16 etc-git: simplify commit tasks

7d63f20336 evoacme: exclude renewal-hooks directory from cron

a6fe0397a6 etc-git: back to 2 tasks for each commit ...

"test X && git commit" generates a failure and a lot of noise.

616ead41d5 lxc-php: Add php 8.0 support

73d6979e72 Various changes on mongodb (support 5.0) + fixes & compatibility ...

* mongodb: Deny the install on Debian 11 « Bullseye » when the version is unsupported
* mongodb: Support version 5.0 (for buster)
* mongodb: Allow to specify a mongodb version for buster & bullseye
* mongodb: Add missing remount-usr for munin plugins

679875d00b mysql: install python dependencies earlier

dfd6aa0315 evocheck: minifirewall is not ready yet

2d11580a6e forgotten file

3e80c98a05 etc-git: evocommit should be present

2dfd0c0706 Add squid logrotate

9aff38c0a7 squid: add ZeroSSL to default whitelist

520cba9c5b etc-git: evocommit has an Ansible mode to report changes

6a4b250b5d etc-git: better output detection

33cb1dd8ef certbot: detect domains for SAN certificates

bbd16dc5b4 evolinux-base: add script backup-server-state

7586881f4d fix module name

d38119eb0f nginx : fix variable name and debug ...

nginx_minimal defined the nginx_package_name_default variable which was not
used instead of the nginx_default_package_name variable

also fixed debug which was reversed, and add another one to be sure which mode
is used

a9d0d0958d packweb-apache : Support php 8.0

be5bb73675 Include role remount-usr to backup-state-server

b120a92203 evolinux-users + nagios-nrpe: Add support for php-fpm80 in lxc

9b3bb39bd0 mysql : Create a default ~root/.my.cnf for compatibility reasons

dcdde5f7f6 evocheck: upstream release 21.10.1

7cb6dffd6f add internal VERSION variable to kvmstats and add-vm

03f846b94b remount before the task

72e8200d5b kvm-host: reorganize code for kvmstats ...

* add -V|--version flag
* add -h|--help flag
* normalize options parsing

1706361e8d evocheck: upstream release 21.10.2

ca28df1b75 evocheck: upstream release 21.10.3

90acb99c2a nagios-nrpe: new check influxdb

0e2b43a1e9 backup-server-state: add virsh and lxc lists

dd53c01027 evocheck: upstream release 21.10.4

646a7b1813 evocheck: package install is not supported anymore

dcfea674a4 listupgrade: old-kernel-removal version 21.10

b9c1e9eafe Fix missing quote, option createhome -> create_home in Ansible 3.10, no mode option in user module (fix error introduced in e75eeb8c3f)

2ea8d279d5 Add replication graph for mysql

0247216429 [kvmstats] Sort domain list

6cf8195744 evolinux-base: fix alert5.service dependency syntax

51aaac0cbc Fix evocheck_force_install VARIABLE IS NOT DEFINED (validé par jlecour)

039c740ef3 mysql: add evomariabackup 21.11

e4bb0c6f55 filebeat/metricbeat: version 7.x y default

4fb885a33b Fix right for redis log dir and log file

21bd4021d3 add virsh list --all on kvm host and this neighbor

c9af7db827 re-activation task ssh.yml + modify crontab for sync list of running vm + add tags

8dca949564 Add *xml to crontab for sync libvirt xml file

a35139fcee Add missing sudoers line (for old debian 9)

82694ef5e9 generate-ldif: Don't miss detect deb11 as VM

d3eef71127

nagios-nrpe: Fix check_nfsserver for buster and bullseye ...

From buster onward the nfs server doesn't run NFSv4 over UDP (it is out
of spec, see RFC 7530). As such the check broke as it attempt to check
the availability of NFSv4 over UDP.

Right now the check doesn't check for NFSv2 over UDP as it would need to
check if it exist first, as on bullseye it isn't supported by default
anymore.

53cd3ba342 Merge pull request 'nagios-nrpe: Fix check_nfsserver for buster and bullseye' (#138) from mtrossevin/ansible-roles:check_nfsserver-buster into unstable ...

Reviewed-on: #138

2ec026c2b3 Change variable item by kvm_pair and disable loop on all 'hypervisor' group

7e36d03804 Add new location by default for /.well-know, fix some warning in Nextcloud check setup

cd7c488713 Add rule .well-know to allow letsencrypt challenge

bd429275d1 generate-ldif: properly flag virtual machines on vmware as virtual machines

d27d6b69cd evolinux-base: Add missing dependency dmidecode

8b701e615f evolinux-base: Donner le choix de changer (ou non) le motd

64b632c000 evolinux-base: Donner le choix (ou non) de virer apt-listchanges

7c7ccf07eb generate-ldif: fix typo in var name (cap)

7bb7b22d1f Add redirectMath 404 on http request /.git by default

1c754f7eb0 Fix Filebeat role for --check mode.

ec346a42a5 munin: systemd override to unprotect home directory

1893b6dea5 don't enable alert5 service in check mode

4c6d30a52c apache: block access to .git* and .env* files

14883aa95e Ensure that /var is mounted with dev and exec options prior to LXC container creation.

bd39adaf68 Fail if /var has nodev or noexec option enabled.

ca1f465aaa nodejs: default to version 16 LTS

ea382a1686 varnish: add additional options

c8a862c5e7 nagios-nrpe: Amélioration du check phpfpm_status et phpfpm_multi ...

Pour phpfpm_status > Ajout de la possibilité d'avoir un seuil de max procs actifs
Pour phpfpm_multi > Utilisation des seuils max (calculé sur le pm.max_children) + timeout

c4fab71d7a evolinux-base: add new states to backup-server-states

168b0fa9b7 nginx: Add snippet for custom server block config.

4effe91b9f Write an openvpn role

3822696db6 Update CHANGELOG for new openvpn role

fec9e49c18

Repair munin role

1902c40c3c

lxc-php: Fix config for opensmtpd on bullseye

7a969a0be2 Merge pull request 'lxc-php: Fix config for opensmtpd on bullseye' (#137) from mtrossevin/ansible-roles:opensmtpd-bullseye into unstable ...

Reviewed-on: #137

51bc48623b dovecot: switch to TLS 1.2+ and external DH params

266289c72e whitespaces

544b213529 evomaintenance: Upstream release 22.01

0fce412cf5 add WIP warning to check_async

1f4ee2de79 Prepare CHANGELOG for 22.01 release

8f8c024163 Merge branch 'unstable' into bullseye-swap-top

0e34d4cd4b Merge remote-tracking branch 'origin/bullseye-swap-top' into unstable

52fff750df evolinux-base: move "/sbin/deny" install to utils.yml tasks file

93929864be lxc-php: use bullseye-php80 for php80 container

bff8fcfebb apt: upgrade packages after all the configuration is done

jlecour referenced this issue from a commit 2022-01-25 18:30:08 +01:00

Merge pull request 'Release 22.01' (#142) from unstable into stable

jlecour merged commit 2c6a3601de into stable 2022-01-25 18:30:09 +01:00

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

bug

Something is not working

  

duplicate

This issue or pull request already exists

  

enhancement

New feature

  

help wanted

Need some help

  

invalid

Something is wrong

  

question

More information is needed

  

security

Concern a security issue

  

wontfix

This won't be fixed

No Label

bug

duplicate

enhancement

help wanted

invalid

question

security

wontfix

Milestone

Clear milestone

No items

No Milestone

Assignees

Clear assignees

No Assignees

1 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: evolix/ansible-roles#142

No description provided.