Release 10.3.0 #119
25
CHANGELOG.md
25
CHANGELOG.md
|
@ -12,10 +12,35 @@ The **patch** part changes incrementally at each release.
|
|||
|
||||
### Added
|
||||
|
||||
* dovecot: Update munin plugin & configure it
|
||||
* dovecot: vmail uid/gid are configurable
|
||||
* evoacme: variable to disable Debian version check (default: False)
|
||||
* kvm-host: Add drbd role dependency (toggleable with kvm_install_drbd)
|
||||
* minifirewall: upstream release 20.12
|
||||
* minifirewall: add variables to force upgrade the script and the config (default: False)
|
||||
* mysql: install save_mysql_processlist script
|
||||
* nextcloud: New role to setup a nextcloud instance
|
||||
* redis: variable to force use of port 6379 in instances mode
|
||||
* redis: check maxmemory in NRPE check
|
||||
* lxc-php: Allow php containers to contact local MySQL with localhost
|
||||
* varnish: config file name is configurable
|
||||
|
||||
### Changed
|
||||
|
||||
* Create system users for vmail (dovecot) and evoadmin
|
||||
* apt: disable APT Periodic
|
||||
* evoacme: upstream release 20.12
|
||||
* evocheck: upstream release 20.12
|
||||
* evolinux-users: improve uid/login checks
|
||||
* tomcat-instance: fail if uid already exists
|
||||
* varnish: change template name for better readability
|
||||
* varnish: no threadpool delay by default
|
||||
* varnish: no custom reload script for Debian 10 and later
|
||||
|
||||
### Fixed
|
||||
|
||||
* cerbot: parse HAProxy config file only if HAProxy is found
|
||||
|
||||
### Removed
|
||||
|
||||
### Security
|
||||
|
|
|
@ -11,6 +11,7 @@
|
|||
with_items:
|
||||
- { line: "APT::Install-Recommends \"false\";", regexp: 'APT::Install-Recommends' }
|
||||
- { line: "APT::Install-Suggests \"false\";", regexp: 'APT::Install-Suggests' }
|
||||
- { line: "APT::Periodic::Enable \"0\";", regexp: 'APT::Periodic::Enable' }
|
||||
when: apt_evolinux_config
|
||||
tags:
|
||||
- apt
|
||||
|
|
|
@ -56,6 +56,9 @@ main() {
|
|||
fi
|
||||
|
||||
if daemon_found_and_running; then
|
||||
readonly haproxy_config_file="/etc/haproxy/haproxy.cfg"
|
||||
readonly haproxy_cert_dir=$(detect_haproxy_cert_dir)
|
||||
|
||||
if found_renewed_lineage; then
|
||||
haproxy_cert_file="${haproxy_cert_dir}/$(basename "${RENEWED_LINEAGE}").pem"
|
||||
failed_cert_file="/root/$(basename "${RENEWED_LINEAGE}").failed.pem"
|
||||
|
@ -86,7 +89,5 @@ readonly VERBOSE=${VERBOSE:-"0"}
|
|||
readonly QUIET=${QUIET:-"0"}
|
||||
|
||||
readonly haproxy_bin=$(command -v haproxy)
|
||||
readonly haproxy_config_file="/etc/haproxy/haproxy.cfg"
|
||||
readonly haproxy_cert_dir=$(detect_haproxy_cert_dir)
|
||||
|
||||
main
|
||||
|
|
|
@ -1,2 +1,4 @@
|
|||
---
|
||||
dovecot_foo: bar
|
||||
|
||||
dovecot_vmail_uid: 5000
|
||||
dovecot_vmail_gid: 5000
|
||||
|
|
2
dovecot/files/munin_config
Normal file
2
dovecot/files/munin_config
Normal file
|
@ -0,0 +1,2 @@
|
|||
[dovecot]
|
||||
group adm
|
|
@ -2,21 +2,22 @@
|
|||
#
|
||||
# Munin Plugin
|
||||
# to count logins to your dovecot mailserver
|
||||
#
|
||||
#
|
||||
# Created by Dominik Schulz <lkml@ds.gauner.org>
|
||||
# http://developer.gauner.org/munin/
|
||||
# Contributions by:
|
||||
# - Stephane Enten <tuf@delyth.net>
|
||||
# - Steve Schnepp <steve.schnepp@pwkf.org>
|
||||
#
|
||||
# - pcy <pcy@ulyssis.org> (make 'Connected Users' DERIVE, check existence of logfile in autoconf)
|
||||
#
|
||||
# Parameters understood:
|
||||
#
|
||||
# config (required)
|
||||
# autoconf (optional - used by munin-config)
|
||||
#
|
||||
#
|
||||
# Config variables:
|
||||
#
|
||||
# logfile - Where to find the syslog file
|
||||
# logfile - Where to find the syslog file
|
||||
#
|
||||
# Add the following line to a file in /etc/munin/plugin-conf.d:
|
||||
# env.logfile /var/log/your/logfile.log
|
||||
|
@ -34,13 +35,13 @@ LOGFILE=${logfile:-/var/log/mail.log}
|
|||
######################
|
||||
|
||||
if [ "$1" = "autoconf" ]; then
|
||||
echo yes
|
||||
[ -f "$LOGFILE" ] && echo yes || echo "no (logfile $LOGFILE not found)"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ "$1" = "config" ]; then
|
||||
echo 'graph_title Dovecot Logins'
|
||||
echo 'graph_category Mail'
|
||||
echo 'graph_category mail'
|
||||
echo 'graph_args --base 1000 -l 0'
|
||||
echo 'graph_vlabel Login Counters'
|
||||
|
||||
|
@ -53,6 +54,7 @@ if [ "$1" = "config" ]; then
|
|||
done
|
||||
|
||||
echo 'connected.label Connected Users'
|
||||
echo "connected.type DERIVE"
|
||||
|
||||
exit 0
|
||||
fi
|
||||
|
@ -86,7 +88,7 @@ echo -n
|
|||
echo -en "login_tls.value "
|
||||
VALUE=$(egrep -c '[dovecot]?.*Login.*TLS' $LOGFILE)
|
||||
if [ ! -z "$VALUE" ]; then
|
||||
echo "$VALUE"
|
||||
echo "$VALUE"
|
||||
else
|
||||
echo "0"
|
||||
fi
|
||||
|
@ -97,7 +99,7 @@ echo -n
|
|||
echo -en "login_ssl.value "
|
||||
VALUE=$(egrep -c '[dovecot]?.*Login.*SSL' $LOGFILE)
|
||||
if [ ! -z "$VALUE" ]; then
|
||||
echo "$VALUE"
|
||||
echo "$VALUE"
|
||||
else
|
||||
echo "0"
|
||||
fi
|
||||
|
@ -108,7 +110,7 @@ echo -n
|
|||
echo -en "login_imap.value "
|
||||
VALUE=$(egrep -c '[dovecot]?.*imap.*Login' $LOGFILE)
|
||||
if [ ! -z "$VALUE" ]; then
|
||||
echo "$VALUE"
|
||||
echo "$VALUE"
|
||||
else
|
||||
echo "0"
|
||||
fi
|
||||
|
@ -119,7 +121,7 @@ echo -n
|
|||
echo -en "login_pop3.value "
|
||||
VALUE=$(egrep -c '[dovecot]?.*pop3.*Login' $LOGFILE)
|
||||
if [ ! -z "$VALUE" ]; then
|
||||
echo "$VALUE"
|
||||
echo "$VALUE"
|
||||
else
|
||||
echo "0"
|
||||
fi
|
||||
|
|
|
@ -40,7 +40,8 @@
|
|||
- name: create vmail group
|
||||
group:
|
||||
name: vmail
|
||||
gid: 5000
|
||||
gid: "{{ dovecot_vmail_gid }}"
|
||||
system: True
|
||||
tags:
|
||||
- dovecot
|
||||
|
||||
|
@ -48,8 +49,9 @@
|
|||
user:
|
||||
name: vmail
|
||||
group: vmail
|
||||
uid: 5000
|
||||
uid: "{{ dovecot_vmail_uid }}"
|
||||
shell: /bin/false
|
||||
system: True
|
||||
tags:
|
||||
- dovecot
|
||||
|
||||
|
|
|
@ -14,8 +14,10 @@
|
|||
dest: /etc/munin/plugins/dovecot
|
||||
mode: "0755"
|
||||
|
||||
# TODO : add in /etc/munin/plugin-conf.d/munin-node
|
||||
# [dovecot]
|
||||
# group adm
|
||||
- name: Install munin config
|
||||
copy:
|
||||
src: munin_config
|
||||
dest: /etc/munin/plugin-conf.d/dovecot
|
||||
mode: "0644"
|
||||
|
||||
when: munin_node_plugins_config.stat.exists
|
||||
|
|
|
@ -14,3 +14,5 @@ evoacme_ssl_loc: 'Marseille'
|
|||
evoacme_ssl_org: 'Evolix'
|
||||
evoacme_ssl_ou: 'Security'
|
||||
evoacme_ssl_email: 'security@evolix.net'
|
||||
|
||||
evoacme_disable_debian_check: False
|
||||
|
|
|
@ -14,7 +14,7 @@ show_version() {
|
|||
cat <<END
|
||||
evoacme version ${VERSION}
|
||||
|
||||
Copyright 2009-2019 Evolix <info@evolix.fr>,
|
||||
Copyright 2009-2020 Evolix <info@evolix.fr>,
|
||||
Victor Laborie <vlaborie@evolix.fr>,
|
||||
Jérémy Lecour <jlecour@evolix.fr>,
|
||||
Benoit Série <bserie@evolix.fr>
|
||||
|
@ -284,13 +284,19 @@ main() {
|
|||
export EVOACME_CHAIN="${LIVE_CHAIN}"
|
||||
export EVOACME_FULLCHAIN="${LIVE_FULLCHAIN}"
|
||||
|
||||
# emulate certbot hooks environment variables
|
||||
export RENEWED_LINEAGE="${LIVE_DIR}"
|
||||
export RENEWED_DOMAINS="${VHOST}"
|
||||
|
||||
# search for files in hooks directory
|
||||
for hook in $(find ${HOOKS_DIR} -type f -executable | sort); do
|
||||
set +e
|
||||
# keep only executables files, not containing a "."
|
||||
if [ -x "${hook}" ] && (basename "${hook}" | grep -vqF "."); then
|
||||
if [ -x "${hook}" ] && (basename "${hook}" | grep -vqF ".disable"); then
|
||||
debug "Executing ${hook}"
|
||||
${hook}
|
||||
fi
|
||||
set -e
|
||||
done
|
||||
}
|
||||
|
||||
|
@ -303,7 +309,7 @@ readonly QUIET=${QUIET:-"0"}
|
|||
readonly TEST=${TEST:-"0"}
|
||||
readonly DRY_RUN=${DRY_RUN:-"0"}
|
||||
|
||||
readonly VERSION="20.08"
|
||||
readonly VERSION="20.12"
|
||||
|
||||
# Read configuration file, if it exists
|
||||
[ -r /etc/default/evoacme ] && . /etc/default/evoacme
|
||||
|
|
|
@ -13,7 +13,7 @@ show_version() {
|
|||
cat <<END
|
||||
make-csr version ${VERSION}
|
||||
|
||||
Copyright 2009-2019 Evolix <info@evolix.fr>,
|
||||
Copyright 2009-2020 Evolix <info@evolix.fr>,
|
||||
Victor Laborie <vlaborie@evolix.fr>,
|
||||
Jérémy Lecour <jlecour@evolix.fr>,
|
||||
Benoit Série <bserie@evolix.fr>
|
||||
|
@ -265,7 +265,7 @@ readonly ARGS=$@
|
|||
readonly VERBOSE=${VERBOSE:-"0"}
|
||||
readonly QUIET=${QUIET:-"0"}
|
||||
|
||||
readonly VERSION="20.08"
|
||||
readonly VERSION="20.12"
|
||||
|
||||
# Read configuration file, if it exists
|
||||
[ -r /etc/default/evoacme ] && . /etc/default/evoacme
|
||||
|
|
|
@ -13,7 +13,7 @@ show_version() {
|
|||
cat <<END
|
||||
vhost-domains version ${VERSION}
|
||||
|
||||
Copyright 2009-2019 Evolix <info@evolix.fr>,
|
||||
Copyright 2009-2020 Evolix <info@evolix.fr>,
|
||||
Victor Laborie <vlaborie@evolix.fr>,
|
||||
Jérémy Lecour <jlecour@evolix.fr>,
|
||||
Benoit Série <bserie@evolix.fr>
|
||||
|
@ -170,7 +170,7 @@ readonly ARGS=$@
|
|||
readonly VERBOSE=${VERBOSE:-"0"}
|
||||
readonly QUIET=${QUIET:-"0"}
|
||||
|
||||
readonly VERSION="20.08"
|
||||
readonly VERSION="20.12"
|
||||
|
||||
readonly SRV_IP=${SRV_IP:-""}
|
||||
|
||||
|
|
|
@ -6,6 +6,7 @@
|
|||
- ansible_distribution == "Debian"
|
||||
- ansible_distribution_major_version is version('9', '>=')
|
||||
msg: only compatible with Debian >= 9
|
||||
when: not evoacme_disable_debian_check
|
||||
|
||||
- include: certbot.yml
|
||||
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
# Script to verify compliance of a Debian/OpenBSD server
|
||||
# powered by Evolix
|
||||
|
||||
readonly VERSION="20.04.3"
|
||||
readonly VERSION="20.12"
|
||||
|
||||
# base functions
|
||||
|
||||
|
@ -205,10 +205,13 @@ check_customsudoers() {
|
|||
grep -E -qr "umask=0077" /etc/sudoers* || failed "IS_CUSTOMSUDOERS" "missing umask=0077 in sudoers file"
|
||||
}
|
||||
check_vartmpfs() {
|
||||
df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs"
|
||||
}
|
||||
check_vartmpfs() {
|
||||
df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs"
|
||||
FINDMNT_BIN=$(command -v findmnt)
|
||||
if [ -x "${FINDMNT_BIN}" ]; then
|
||||
${FINDMNT_BIN} /var/tmp --type tmpfs --noheadings > /dev/null || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs"
|
||||
else
|
||||
df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs"
|
||||
fi
|
||||
|
||||
}
|
||||
check_serveurbase() {
|
||||
is_installed serveur-base || failed "IS_SERVEURBASE" "serveur-base package is not installed"
|
||||
|
@ -559,7 +562,7 @@ check_evobackup_exclude_mount() {
|
|||
# shellcheck disable=SC2064
|
||||
trap "rm -f ${excludes_file}" 0
|
||||
# shellcheck disable=SC2044
|
||||
for evobackup_file in $(find /etc/cron* -name '*evobackup*'); do
|
||||
for evobackup_file in $(find /etc/cron* -name '*evobackup*' | grep -v -E ".disabled$"); do
|
||||
grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}"
|
||||
not_excluded=$(findmnt --type nfs,nfs4,fuse.sshfs, -o target --noheadings | grep -v -f "${excludes_file}")
|
||||
for mount in ${not_excluded}; do
|
||||
|
@ -878,15 +881,25 @@ check_sql_backup() {
|
|||
if (is_installed "mysql-server" || is_installed "mariadb-server"); then
|
||||
# You could change the default path in /etc/evocheck.cf
|
||||
SQL_BACKUP_PATH=${SQL_BACKUP_PATH:-"/home/backup/mysql.bak.gz"}
|
||||
test -f "$SQL_BACKUP_PATH" || failed "IS_SQL_BACKUP" "MySQL dump is missing (${SQL_BACKUP_PATH})"
|
||||
for backup_path in ${SQL_BACKUP_PATH}; do
|
||||
if [ ! -f "${backup_path}" ]; then
|
||||
failed "IS_SQL_BACKUP" "MySQL dump is missing (${backup_path})"
|
||||
test "${VERBOSE}" = 1 || break
|
||||
fi
|
||||
done
|
||||
fi
|
||||
}
|
||||
check_postgres_backup() {
|
||||
if is_installed "postgresql-9*"; then
|
||||
if is_installed "postgresql-9*" || is_installed "postgresql-1*"; then
|
||||
# If you use something like barman, you should disable this check
|
||||
# You could change the default path in /etc/evocheck.cf
|
||||
POSTGRES_BACKUP_PATH=${POSTGRES_BACKUP_PATH:-"/home/backup/pg.dump.bak"}
|
||||
test -f "$POSTGRES_BACKUP_PATH" || failed "IS_POSTGRES_BACKUP" "PostgreSQL dump is missing (${POSTGRES_BACKUP_PATH})"
|
||||
POSTGRES_BACKUP_PATH=${POSTGRES_BACKUP_PATH:-"/home/backup/pg.dump.bak*"}
|
||||
for backup_path in ${POSTGRES_BACKUP_PATH}; do
|
||||
if [ ! -f "${backup_path}" ]; then
|
||||
failed "IS_POSTGRES_BACKUP" "PostgreSQL dump is missing (${backup_path})"
|
||||
test "${VERBOSE}" = 1 || break
|
||||
fi
|
||||
done
|
||||
fi
|
||||
}
|
||||
check_mongo_backup() {
|
||||
|
@ -1013,7 +1026,7 @@ check_duplicate_fs_label() {
|
|||
BLKID_BIN=$(command -v blkid)
|
||||
if [ -x "$BLKID_BIN" ]; then
|
||||
tmpFile=$(mktemp -p /tmp)
|
||||
parts=$($BLKID_BIN | grep -ve raid_member -e EFI_SYSPART | grep -Eo ' LABEL=".*"' | cut -d'"' -f2)
|
||||
parts=$($BLKID_BIN -c /dev/null | grep -ve raid_member -e EFI_SYSPART | grep -Eo ' LABEL=".*"' | cut -d'"' -f2)
|
||||
for part in $parts; do
|
||||
echo "$part" >> "$tmpFile"
|
||||
done
|
||||
|
@ -1517,8 +1530,6 @@ main() {
|
|||
|
||||
# shellcheck disable=SC2034
|
||||
readonly PROGNAME=$(basename "$0")
|
||||
# shellcheck disable=SC2034
|
||||
readonly PROGDIR=$(realpath -m "$(dirname "$0")")
|
||||
# shellcheck disable=2124
|
||||
readonly ARGS=$@
|
||||
|
||||
|
|
|
@ -4,6 +4,6 @@
|
|||
when: ansible_distribution_release == "jessie"
|
||||
|
||||
- include: sudo_stretch.yml
|
||||
when: ansible_distribution_major_version is version('9', '>=')
|
||||
when: ansible_distribution_major_version is defined and ansible_distribution_major_version is version('9', '>=')
|
||||
|
||||
- meta: flush_handlers
|
||||
|
|
|
@ -2,20 +2,41 @@
|
|||
|
||||
# Unix account
|
||||
|
||||
- fail:
|
||||
msg: "You must provide a value for the 'user.name ' variable."
|
||||
when: user.name is not defined or user.name == ''
|
||||
|
||||
- fail:
|
||||
msg: "You must provide a value for the 'user.uid ' variable."
|
||||
when: user.uid is not defined or user.uid == ''
|
||||
|
||||
- name: "Test if '{{ user.name }}' exists"
|
||||
command: 'getent passwd {{ user.name }}'
|
||||
register: loginisbusy
|
||||
command: 'id -u "{{ user.name }}"'
|
||||
register: get_id_from_login
|
||||
failed_when: False
|
||||
changed_when: False
|
||||
check_mode: no
|
||||
|
||||
- name: "Test if uid exists for '{{ user.name }}'"
|
||||
command: 'getent passwd {{ user.uid }}'
|
||||
register: uidisbusy
|
||||
- name: "Test if uid '{{ user.uid }}' exists"
|
||||
command: 'id -un -- "{{ user.uid }}"'
|
||||
register: get_login_from_id
|
||||
failed_when: False
|
||||
changed_when: False
|
||||
check_mode: no
|
||||
|
||||
# Error if
|
||||
# the uid already exists
|
||||
# and the user associated with this uid is not the desired user
|
||||
- name: "Fail if uid already exists for another user"
|
||||
fail:
|
||||
msg: "Uid '{{ user.uid }}' is already used by '{{ get_login_from_id.stdout }}'. You must change uid for '{{ user.name }}'"
|
||||
when:
|
||||
- get_login_from_id.rc == 0
|
||||
- get_login_from_id.stdout != user.name
|
||||
|
||||
# Create/Update the user account with defined uid if
|
||||
# the user doesn't already exist and the uid isn't already used
|
||||
# or the user exists with the defined uid
|
||||
- name: "Unix account for '{{ user.name }}' is present (with uid '{{ user.uid }}')"
|
||||
user:
|
||||
state: present
|
||||
|
@ -24,11 +45,13 @@
|
|||
comment: '{{ user.fullname }}'
|
||||
shell: /bin/bash
|
||||
password: '{{ user.password_hash }}'
|
||||
update_password: on_create
|
||||
update_password: "on_create"
|
||||
when:
|
||||
- loginisbusy.rc != 0
|
||||
- uidisbusy.rc != 0
|
||||
- (get_id_from_login.rc != 0 and get_login_from_id.rc != 0) or (get_id_from_login.rc == 0 and get_login_from_id.stdout == user.name)
|
||||
|
||||
# Create/Update the user account without defined uid if
|
||||
# the user doesn't already exist but the defined uid is already used
|
||||
# or another user already exists with a the same uid
|
||||
- name: "Unix account for '{{ user.name }}' is present (with random uid)"
|
||||
user:
|
||||
state: present
|
||||
|
@ -36,10 +59,9 @@
|
|||
comment: '{{ user.fullname }}'
|
||||
shell: /bin/bash
|
||||
password: '{{ user.password_hash }}'
|
||||
update_password: on_create
|
||||
update_password: "on_create"
|
||||
when:
|
||||
- loginisbusy.rc != 0
|
||||
- uidisbusy.rc == 0
|
||||
- (get_id_from_login.rc != 0 and get_login_from_id.rc == 0) or (get_id_from_login.rc == 0 and get_login_from_id.stdout != user.name)
|
||||
|
||||
- name: Is /etc/aliases present?
|
||||
stat:
|
||||
|
|
|
@ -12,6 +12,12 @@ filebeat_elasticsearch_auth_api_key: ""
|
|||
filebeat_elasticsearch_auth_username: ""
|
||||
filebeat_elasticsearch_auth_password: ""
|
||||
|
||||
filebeat_logstash_hosts: []
|
||||
filebeat_logstash_protocol: "http"
|
||||
filebeat_logstash_auth_api_key: ""
|
||||
filebeat_logstash_auth_username: ""
|
||||
filebeat_logstash_auth_password: ""
|
||||
|
||||
filebeat_use_config_template: False
|
||||
filebeat_update_config: True
|
||||
filebeat_force_config: True
|
||||
|
|
|
@ -143,15 +143,11 @@ setup.kibana:
|
|||
|
||||
# Configure what output to use when sending the data collected by the beat.
|
||||
|
||||
{% if filebeat_elasticsearch_hosts %}
|
||||
# ---------------------------- Elasticsearch Output ----------------------------
|
||||
output.elasticsearch:
|
||||
# Array of hosts to connect to.
|
||||
hosts: ["{{ filebeat_elasticsearch_hosts | join('", "') }}"]
|
||||
|
||||
# Protocol - either `http` (default) or `https`.
|
||||
protocol: "{{ filebeat_elasticsearch_protocol | default('http') }}"
|
||||
|
||||
# Authentication credentials - either API key or username/password.
|
||||
{% if filebeat_elasticsearch_auth_api_key %}
|
||||
api_key: "{{ filebeat_elasticsearch_auth_api_key }}"
|
||||
{% endif %}
|
||||
|
@ -161,11 +157,22 @@ output.elasticsearch:
|
|||
{% if filebeat_elasticsearch_auth_password %}
|
||||
password: "{{ filebeat_elasticsearch_auth_password }}"
|
||||
{% endif %}
|
||||
|
||||
# ------------------------------ Logstash Output -------------------------------
|
||||
#output.logstash:
|
||||
# The Logstash hosts
|
||||
#hosts: ["localhost:5044"]
|
||||
{% endif %}
|
||||
{% if filebeat_logstash_hosts %}
|
||||
# ---------------------------- Logstash Output ---------------------------------
|
||||
output.logstash:
|
||||
hosts: ["{{ filebeat_logstash_hosts | join('", "') }}"]
|
||||
protocol: "{{ filebeat_logstash_protocol | default('http') }}"
|
||||
{% if filebeat_logstash_auth_api_key %}
|
||||
api_key: "{{ filebeat_logstash_auth_api_key }}"
|
||||
{% endif %}
|
||||
{% if filebeat_logstash_auth_username %}
|
||||
username: "{{ filebeat_logstash_auth_username }}"
|
||||
{% endif %}
|
||||
{% if filebeat_logstash_auth_password %}
|
||||
password: "{{ filebeat_logstash_auth_password }}"
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
# Optional SSL. By default is off.
|
||||
# List of root certificates for HTTPS server verifications
|
||||
|
|
|
@ -1,2 +1,3 @@
|
|||
---
|
||||
kvm_custom_libvirt_images_path: ''
|
||||
kvm_install_drbd: True
|
||||
|
|
|
@ -12,8 +12,8 @@ galaxy_info:
|
|||
- name: Debian
|
||||
versions:
|
||||
- jessie
|
||||
- stretch
|
||||
- buster
|
||||
|
||||
dependencies: []
|
||||
# List your role dependencies here, one per line.
|
||||
# Be sure to remove the '[]' above if you add dependencies
|
||||
# to this list.
|
||||
dependencies:
|
||||
- { role: evolix/drbd, when: kvm_install_drbd }
|
||||
|
|
|
@ -7,6 +7,10 @@ php_conf_html_errors: "Off"
|
|||
php_conf_allow_url_fopen: "Off"
|
||||
php_conf_disable_functions: "exec,shell-exec,system,passthru,popen"
|
||||
|
||||
# Allows accessing a local mysql database using localhost
|
||||
php_conf_mysql_socket_dir: /mysqld
|
||||
php_conf_mysql_default_socket: "{{ php_conf_mysql_socket_dir }}/mysqld.sock"
|
||||
|
||||
lxc_php_version: Null
|
||||
|
||||
lxc_php_container_releases:
|
||||
|
|
|
@ -18,3 +18,9 @@
|
|||
lxc_container:
|
||||
name: "{{ lxc_php_version }}"
|
||||
container_command: "systemctl restart opensmtpd"
|
||||
|
||||
- name: Restart container
|
||||
lxc_container:
|
||||
name: "{{ lxc_php_version }}"
|
||||
state: restarted
|
||||
|
||||
|
|
|
@ -18,8 +18,16 @@
|
|||
dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/mailname"
|
||||
notify: "Restart opensmtpd"
|
||||
|
||||
|
||||
- name: "{{ lxc_php_version }} - Install misc packages"
|
||||
lxc_container:
|
||||
name: "{{ lxc_php_version }}"
|
||||
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y cron logrotate git zip unzip"
|
||||
|
||||
- name: "{{ lxc_php_version }} - Add MySQL socket to container default mounts"
|
||||
lxc_container:
|
||||
name: "{{ lxc_php_version }}"
|
||||
container_config:
|
||||
- "lxc.mount.entry = /run/mysqld {{ php_conf_mysql_socket_dir | replace('/', '', 1) }} none bind,create=dir 0 0"
|
||||
when: php_conf_mysql_socket_dir is string
|
||||
notify: "Restart container"
|
||||
|
||||
|
|
|
@ -6,3 +6,11 @@ log_errors = {{ php_conf_log_errors }}
|
|||
html_errors = {{ php_conf_html_errors }}
|
||||
allow_url_fopen = {{ php_conf_allow_url_fopen }}
|
||||
disable_functions = {{ php_conf_disable_functions }}
|
||||
|
||||
{% if php_conf_mysql_socket_dir %}
|
||||
[Pdo_mysql]
|
||||
pdo_mysql.default_socket = {{ php_conf_mysql_default_socket }}
|
||||
|
||||
[MySQLi]
|
||||
mysqli.default_socket = {{ php_conf_mysql_default_socket }}
|
||||
{% endif %}
|
||||
|
|
|
@ -5,11 +5,15 @@ minifirewall_tail_file: /etc/default/minifirewall.tail
|
|||
minifirewall_tail_included: False
|
||||
minifirewall_tail_force: True
|
||||
|
||||
minifirewall_force_upgrade_script: False
|
||||
minifirewall_force_upgrade_config: False
|
||||
|
||||
minifirewall_git_url: "https://forge.evolix.org/minifirewall.git"
|
||||
minifirewall_checkout_path: "/tmp/minifirewall"
|
||||
minifirewall_int: "{{ ansible_default_ipv4.interface }}"
|
||||
minifirewall_ipv6: "on"
|
||||
minifirewall_intlan: "{{ ansible_default_ipv4.address }}/32"
|
||||
minifirewall_docker: "off"
|
||||
|
||||
minifirewall_default_trusted_ips: []
|
||||
minifirewall_additional_trusted_ips: []
|
||||
|
|
|
@ -1,6 +1,5 @@
|
|||
# Configuration for minifirewall : https://gitea.evolix.org/evolix/minifirewall
|
||||
# For fun, we keep last change from first CVS repository:
|
||||
# version 0.1 - 12 juillet 2007 $Id: firewall.rc,v 1.2 2007/07/12 19:08:59 reg Exp $
|
||||
# Version 20.12 — 2020-12-01 22:55:35
|
||||
|
||||
# Main interface
|
||||
INT='eth0'
|
||||
|
@ -8,6 +7,12 @@ INT='eth0'
|
|||
# IPv6
|
||||
IPV6=on
|
||||
|
||||
# Docker Mode
|
||||
# Changes the behaviour of minifirewall to not break the containers' network
|
||||
# For instance, turning it on will disable nat table purge
|
||||
# Also, we'll add the DOCKER-USER chain, in iptable
|
||||
DOCKER='off'
|
||||
|
||||
# Trusted IPv4 local network
|
||||
# ...will be often IP/32 if you don't trust anything
|
||||
INTLAN='192.168.0.2/32'
|
||||
|
|
|
@ -51,13 +51,19 @@
|
|||
blockinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS"
|
||||
content: |
|
||||
block: |
|
||||
# Main interface
|
||||
INT='{{ minifirewall_int }}'
|
||||
|
||||
# IPv6
|
||||
IPV6='{{ minifirewall_ipv6 }}'
|
||||
|
||||
# Docker Mode
|
||||
# Changes the behaviour of minifirewall to not break the containers' network
|
||||
# For instance, turning it on will disable nat table purge
|
||||
# Also, we'll add the DOCKER-USER chain, in iptable
|
||||
DOCKER='{{ minifirewall_docker }}'
|
||||
|
||||
# Trusted IPv4 local network
|
||||
# ...will be often IP/32 if you don't trust anything
|
||||
INTLAN='{{ minifirewall_intlan }}'
|
||||
|
@ -89,7 +95,7 @@
|
|||
blockinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS"
|
||||
content: |
|
||||
block: |
|
||||
# Protected services
|
||||
# (add also in Public services if needed)
|
||||
SERVICESTCP1p='{{ minifirewall_protected_ports_tcp | join(' ') }}'
|
||||
|
|
|
@ -9,7 +9,7 @@
|
|||
template:
|
||||
src: minifirewall.j2
|
||||
dest: /etc/init.d/minifirewall
|
||||
force: no
|
||||
force: "{{ minifirewall_force_upgrade_script | default('no') }}"
|
||||
mode: "0700"
|
||||
owner: root
|
||||
group: root
|
||||
|
@ -18,7 +18,7 @@
|
|||
copy:
|
||||
src: minifirewall.conf
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
force: no
|
||||
force: "{{ minifirewall_force_upgrade_config | default('no') }}"
|
||||
mode: "0600"
|
||||
owner: root
|
||||
group: root
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
# we used netfilter/iptables http://netfilter.org/ designed for recent Linux kernel
|
||||
# See https://gitea.evolix.org/evolix/minifirewall
|
||||
|
||||
# Copyright (c) 2007-2015 Evolix
|
||||
# Copyright (c) 2007-2020 Evolix
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of the GNU General Public License
|
||||
# as published by the Free Software Foundation; either version 3
|
||||
|
@ -51,6 +51,20 @@ BROAD='255.255.255.255'
|
|||
PORTSROOT='0:1023'
|
||||
PORTSUSER='1024:65535'
|
||||
|
||||
chain_exists()
|
||||
{
|
||||
local chain_name="$1" ; shift
|
||||
[ $# -eq 1 ] && local intable="--table $1"
|
||||
iptables $intable -nL "$chain_name" >/dev/null 2>&1
|
||||
}
|
||||
|
||||
# Configuration
|
||||
oldconfigfile="/etc/firewall.rc"
|
||||
configfile="{{ minifirewall_main_file }}"
|
||||
|
||||
IPV6=$(grep "IPV6=" {{ minifirewall_main_file }} | awk -F '=' -F "'" '{print $2}')
|
||||
DOCKER=$(grep "DOCKER=" {{ minifirewall_main_file }} | awk -F '=' -F "'" '{print $2}')
|
||||
INT=$(grep "INT=" {{ minifirewall_main_file }} | awk -F '=' -F "'" '{print $2}')
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
|
@ -109,10 +123,6 @@ $IPT -N LOG_ACCEPT
|
|||
$IPT -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : '
|
||||
$IPT -A LOG_ACCEPT -j ACCEPT
|
||||
|
||||
# Configuration
|
||||
oldconfigfile="/etc/firewall.rc"
|
||||
configfile="{{ minifirewall_main_file }}"
|
||||
|
||||
if test -f $oldconfigfile; then
|
||||
echo "$oldconfigfile is deprecated, rename to $configfile" >&2
|
||||
exit 1
|
||||
|
@ -165,6 +175,33 @@ $IPT -A OUTPUT -o lo -j ACCEPT
|
|||
$IPT -A INPUT -s $LOOPBACK ! -i lo -j DROP
|
||||
|
||||
|
||||
if [ "$DOCKER" = "on" ]; then
|
||||
|
||||
$IPT -N MINIFW-DOCKER-TRUSTED
|
||||
$IPT -A MINIFW-DOCKER-TRUSTED -j DROP
|
||||
|
||||
$IPT -N MINIFW-DOCKER-PRIVILEGED
|
||||
$IPT -A MINIFW-DOCKER-PRIVILEGED -j MINIFW-DOCKER-TRUSTED
|
||||
$IPT -A MINIFW-DOCKER-PRIVILEGED -j RETURN
|
||||
|
||||
$IPT -N MINIFW-DOCKER-PUB
|
||||
$IPT -A MINIFW-DOCKER-PUB -j MINIFW-DOCKER-PRIVILEGED
|
||||
$IPT -A MINIFW-DOCKER-PUB -j RETURN
|
||||
|
||||
# Flush DOCKER-USER if exist, create it if absent
|
||||
if chain_exists 'DOCKER-USER'; then
|
||||
$IPT -F DOCKER-USER
|
||||
else
|
||||
$IPT -N DOCKER-USER
|
||||
fi;
|
||||
|
||||
# Pipe new connection through MINIFW-DOCKER-PUB
|
||||
$IPT -A DOCKER-USER -i $INT -m state --state NEW -j MINIFW-DOCKER-PUB
|
||||
$IPT -A DOCKER-USER -j RETURN
|
||||
|
||||
fi
|
||||
|
||||
|
||||
# Local services restrictions
|
||||
#############################
|
||||
|
||||
|
@ -218,6 +255,64 @@ for x in $SERVICESUDP3
|
|||
done
|
||||
|
||||
|
||||
if [ "$DOCKER" = "on" ]; then
|
||||
|
||||
# Public services defined in SERVICESTCP1 & SERVICESUDP1
|
||||
for dstport in $SERVICESTCP1
|
||||
do
|
||||
$IPT -I MINIFW-DOCKER-PUB -p tcp --dport "$dstport" -j RETURN
|
||||
done
|
||||
|
||||
for dstport in $SERVICESUDP1
|
||||
do
|
||||
$IPT -I MINIFW-DOCKER-PUB -p udp --dport "$dstport" -j RETURN
|
||||
done
|
||||
|
||||
# Privileged services (accessible from privileged & trusted IPs)
|
||||
for dstport in $SERVICESTCP2
|
||||
do
|
||||
for srcip in $PRIVILEGIEDIPS
|
||||
do
|
||||
$IPT -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "$srcip" --dport "$dstport" -j RETURN
|
||||
done
|
||||
|
||||
for srcip in $TRUSTEDIPS
|
||||
do
|
||||
$IPT -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "$srcip" --dport "$dstport" -j RETURN
|
||||
done
|
||||
done
|
||||
|
||||
for dstport in $SERVICESUDP2
|
||||
do
|
||||
for srcip in $PRIVILEGIEDIPS
|
||||
do
|
||||
$IPT -I MINIFW-DOCKER-PRIVILEGED -p udp -s "$srcip" --dport "$dstport" -j RETURN
|
||||
done
|
||||
|
||||
for srcip in $TRUSTEDIPS
|
||||
do
|
||||
$IPT -I MINIFW-DOCKER-PRIVILEGED -p udp -s "$srcip" --dport "$dstport" -j RETURN
|
||||
done
|
||||
done
|
||||
|
||||
# Trusted services (accessible from trusted IPs)
|
||||
for dstport in $SERVICESTCP3
|
||||
do
|
||||
for srcip in $TRUSTEDIPS
|
||||
do
|
||||
$IPT -I MINIFW-DOCKER-TRUSTED -p tcp -s "$srcip" --dport "$dstport" -j RETURN
|
||||
done
|
||||
done
|
||||
|
||||
for dstport in $SERVICESUDP3
|
||||
do
|
||||
for srcip in $TRUSTEDIPS
|
||||
do
|
||||
$IPT -I MINIFW-DOCKER-TRUSTED -p udp -s "$srcip" --dport "$dstport" -j RETURN
|
||||
done
|
||||
done
|
||||
fi
|
||||
|
||||
# External services
|
||||
###################
|
||||
|
||||
|
@ -323,11 +418,24 @@ trap - INT TERM EXIT
|
|||
$IPT -F ONLYTRUSTED
|
||||
$IPT -F ONLYPRIVILEGIED
|
||||
$IPT -F NEEDRESTRICT
|
||||
$IPT -t nat -F
|
||||
[ "$DOCKER" = "off" ] && $IPT -t nat -F
|
||||
$IPT -t mangle -F
|
||||
[ "$IPV6" != "off" ] && $IPT6 -F INPUT
|
||||
[ "$IPV6" != "off" ] && $IPT6 -F OUTPUT
|
||||
|
||||
if [ "$DOCKER" = "on" ]; then
|
||||
$IPT -F DOCKER-USER
|
||||
$IPT -A DOCKER-USER -j RETURN
|
||||
|
||||
$IPT -F MINIFW-DOCKER-PUB
|
||||
$IPT -X MINIFW-DOCKER-PUB
|
||||
$IPT -F MINIFW-DOCKER-PRIVILEGED
|
||||
$IPT -X MINIFW-DOCKER-PRIVILEGED
|
||||
$IPT -F MINIFW-DOCKER-TRUSTED
|
||||
$IPT -X MINIFW-DOCKER-TRUSTED
|
||||
|
||||
fi
|
||||
|
||||
# Accept all
|
||||
$IPT -P INPUT ACCEPT
|
||||
$IPT -P OUTPUT ACCEPT
|
||||
|
|
|
@ -1,6 +1,8 @@
|
|||
[mysqld]
|
||||
|
||||
###### Connexions
|
||||
# Path to socket
|
||||
socket = /run/mysqld/mysqld.sock
|
||||
# Maximum de connexions concurrentes (defaut = 100)... provoque un "Too many connections"
|
||||
max_connections = 250
|
||||
# Maximum de connexions en attente en cas de max_connections atteint (defaut = 50)
|
||||
|
@ -60,3 +62,6 @@ character-set-server=utf8
|
|||
collation-server=utf8_general_ci
|
||||
# Patch MySQL 5.5.53
|
||||
secure-file-priv = ""
|
||||
|
||||
[client]
|
||||
socket = /run/mysqld/mysqld.sock
|
||||
|
|
25
mysql/files/save_mysql_processlist.sh
Normal file
25
mysql/files/save_mysql_processlist.sh
Normal file
|
@ -0,0 +1,25 @@
|
|||
#!/bin/sh
|
||||
|
||||
set -e
|
||||
|
||||
processlist() {
|
||||
mysqladmin --verbose --vertical processlist
|
||||
}
|
||||
|
||||
DIR="/var/log/mysql-processlist"
|
||||
TS=`date +%Y%m%d%H%M%S`
|
||||
FILE="${DIR}/${TS}"
|
||||
|
||||
if [ ! -d "${DIR}" ]; then
|
||||
mkdir -p "${DIR}"
|
||||
chown root:adm "${DIR}"
|
||||
chmod 750 "${DIR}"
|
||||
fi
|
||||
|
||||
processlist > "${FILE}"
|
||||
chmod 640 "${FILE}"
|
||||
chown root:adm "${FILE}"
|
||||
|
||||
find "${DIR}" -type f -mtime +1 -delete
|
||||
|
||||
exit 0
|
|
@ -22,4 +22,4 @@
|
|||
- name: 'restart xinetd'
|
||||
service:
|
||||
name: 'xinetd'
|
||||
state: 'restart'
|
||||
state: 'restarted'
|
||||
|
|
|
@ -178,3 +178,12 @@
|
|||
tags:
|
||||
- mysql
|
||||
- packages
|
||||
|
||||
- name: "Install save_mysql_processlist.sh"
|
||||
copy:
|
||||
src: save_mysql_processlist.sh
|
||||
dest: "{{ mysql_scripts_dir or general_scripts_dir | mandatory }}/save_mysql_processlist.sh"
|
||||
mode: "0755"
|
||||
force: no
|
||||
tags:
|
||||
- mysql
|
||||
|
|
|
@ -21,11 +21,11 @@ dependencies:
|
|||
- { role: evolix/apache }
|
||||
- { role: evolix/php, php_apache_enable: True, when: packweb_apache_modphp }
|
||||
- { role: evolix/php, php_fpm_enable: True, when: packweb_apache_fpm }
|
||||
- { role: evolix/lxc-php, lxc_php_version: php56, when: "'php56' in packweb_multiphp_versions" }
|
||||
- { role: evolix/lxc-php, lxc_php_version: php70, when: "'php70' in packweb_multiphp_versions" }
|
||||
- { role: evolix/lxc-php, lxc_php_version: php73, when: "'php73' in packweb_multiphp_versions" }
|
||||
- { role: evolix/squid, squid_localproxy_enable: True }
|
||||
- { role: evolix/mysql, when: packweb_mysql_variant == "debian" }
|
||||
- { role: evolix/mysql-oracle, when: packweb_mysql_variant == "oracle" }
|
||||
- { role: evolix/lxc-php, lxc_php_version: php56, when: "'php56' in packweb_multiphp_versions" }
|
||||
- { role: evolix/lxc-php, lxc_php_version: php70, when: "'php70' in packweb_multiphp_versions" }
|
||||
- { role: evolix/lxc-php, lxc_php_version: php73, when: "'php73' in packweb_multiphp_versions" }
|
||||
- { role: evolix/webapps/evoadmin-web, evoadmin_enable_vhost: "{{ packweb_enable_evoadmin_vhost }}", evoadmin_multiphp_versions: "{{ packweb_multiphp_versions }}" }
|
||||
- { role: evolix/evoacme }
|
||||
|
|
|
@ -9,7 +9,7 @@ postgresql_random_page_cost: 1.5
|
|||
postgresql_effective_cache_size: "{{ (ansible_memtotal_mb * 0.5) | int }}MB"
|
||||
|
||||
# PostgreSQL version
|
||||
postgresql_version: '9.6'
|
||||
postgresql_version: ''
|
||||
|
||||
# Set locales
|
||||
locales_default: fr_FR.UTF-8
|
||||
|
|
|
@ -1,5 +1,10 @@
|
|||
---
|
||||
|
||||
- name: "Set variables (Debian 10)"
|
||||
set_fact:
|
||||
postgresql_version: '11'
|
||||
when: postgresql_version == ""
|
||||
|
||||
- include: pgdg-repo.yml
|
||||
when: postgresql_version != '11'
|
||||
|
||||
|
|
|
@ -1,5 +1,10 @@
|
|||
---
|
||||
|
||||
- name: "Set variables (Debian 8)"
|
||||
set_fact:
|
||||
postgresql_version: '9.4'
|
||||
when: postgresql_version == ""
|
||||
|
||||
- include: pgdg-repo.yml
|
||||
when: postgresql_version != '9.4'
|
||||
|
||||
|
|
|
@ -1,5 +1,10 @@
|
|||
---
|
||||
|
||||
- name: "Set variables (Debian 9)"
|
||||
set_fact:
|
||||
postgresql_version: '9.6'
|
||||
when: postgresql_version == ""
|
||||
|
||||
- include: pgdg-repo.yml
|
||||
when: postgresql_version != '9.6'
|
||||
|
||||
|
|
|
@ -18,8 +18,13 @@
|
|||
#url: http://apt.postgresql.org/pub/repos/apt/ACCC4CF8.asc
|
||||
data: "{{ lookup('file', 'ACCC4CF8.asc') }}"
|
||||
|
||||
- name: Update and upgrade apt packages for PGDG repository
|
||||
apt:
|
||||
upgrade: yes
|
||||
update_cache: yes
|
||||
|
||||
- name: Add APT preference file
|
||||
template:
|
||||
src: postgresql.pref.j2
|
||||
dest: /etc/apt/preferences.d/
|
||||
dest: /etc/apt/preferences.d/postgresql.pref
|
||||
mode: "0644"
|
||||
|
|
|
@ -25,6 +25,7 @@
|
|||
DefaultRoot ~
|
||||
|
||||
PassivePorts 60000 61000
|
||||
TransferLog /var/log/proftpd/xferlog
|
||||
|
||||
<Limit LOGIN>
|
||||
AllowGroup ftpusers
|
||||
|
|
|
@ -12,6 +12,7 @@
|
|||
DefaultRoot ~
|
||||
|
||||
SFTPLog /var/log/proftpd/sftp.log
|
||||
TransferLog /var/log/proftpd/xferlog
|
||||
|
||||
SFTPAuthMethods password
|
||||
SFTPHostKey /etc/ssh/ssh_host_ecdsa_key
|
||||
|
|
|
@ -3,6 +3,8 @@ redis_systemd_name: redis-server
|
|||
|
||||
redis_conf_dir_prefix: /etc/redis
|
||||
|
||||
redis_force_instance_port: False
|
||||
|
||||
redis_port: 6379
|
||||
redis_bind_interface: 127.0.0.1
|
||||
|
||||
|
|
|
@ -30,11 +30,21 @@ check_server() {
|
|||
host=$(config_var "bind" "${conf_file}")
|
||||
port=$(config_var "port" "${conf_file}")
|
||||
pass=$(config_var "requirepass" "${conf_file}")
|
||||
maxmemory=$(config_var "maxmemory" "${conf_file}")
|
||||
maxmemory_policy=$(config_var "maxmemory-policy" "${conf_file}")
|
||||
|
||||
cmd="${check_bin} -H ${host} -p ${port}"
|
||||
# If "requirepass" is set we add the password to the check
|
||||
if [ -n "${pass}" ]; then
|
||||
cmd="${cmd} -x ${pass}"
|
||||
fi
|
||||
# If "maxmemory" is set and "maxmemory-policy" is missing or set to "noeviction"
|
||||
# then we enforce the "maxmemory" limit
|
||||
if [ -n "${maxmemory}" ]; then
|
||||
if [ -z "${maxmemory_policy}" ] || [ "${maxmemory_policy}" = "noeviction" ]; then
|
||||
cmd="${cmd} --total_memory ${maxmemory} --memory_utilization 80,90"
|
||||
fi
|
||||
fi
|
||||
result=$($cmd)
|
||||
ret="${?}"
|
||||
if [ "${ret}" -ge 2 ]; then
|
||||
|
|
|
@ -8,7 +8,7 @@
|
|||
mode: "0640"
|
||||
create: yes
|
||||
marker: "# {mark} ANSIBLE MANAGED RULES FOR DEFAULT INSTANCE"
|
||||
content: |
|
||||
block: |
|
||||
file = {{ redis_log_dir }}/redis-server.log
|
||||
pattern = "Cannot allocate memory"
|
||||
mailto = {{ log2mail_alert_email or general_alert_email | mandatory }}
|
||||
|
|
|
@ -5,6 +5,7 @@
|
|||
that:
|
||||
- redis_port != 6379
|
||||
msg: "If you want to use port 6379, use the default instance, not a named instance."
|
||||
when: not redis_force_instance_port
|
||||
|
||||
- name: "Instance '{{ redis_instance_name }}' group is present"
|
||||
group:
|
||||
|
|
|
@ -1,4 +1,24 @@
|
|||
---
|
||||
|
||||
- fail:
|
||||
msg: "You must provide a value for the 'tomcat_instance_port' variable."
|
||||
when: tomcat_instance_port is not defined or tomcat_instance_port == ''
|
||||
|
||||
|
||||
- name: "Test if uid '{{ tomcat_instance_port }}' exists"
|
||||
command: 'id -un -- "{{ tomcat_instance_port }}"'
|
||||
register: get_login_from_id
|
||||
failed_when: False
|
||||
changed_when: False
|
||||
check_mode: no
|
||||
|
||||
- name: "Fail if uid already exists for another user"
|
||||
fail:
|
||||
msg: "Uid '{{ tomcat_instance_port }}' is already used by '{{ get_login_from_id.stdout }}'. You must change uid for '{{ tomcat_instance_name }}'"
|
||||
when:
|
||||
- get_login_from_id.rc == 0
|
||||
- get_login_from_id.stdout != tomcat_instance_name
|
||||
|
||||
- name: Create group instance
|
||||
group:
|
||||
name: "{{ tomcat_instance_name }}"
|
||||
|
|
|
@ -10,7 +10,7 @@ varnish_malloc_size: "2G"
|
|||
varnish_storage: malloc,{{ varnish_malloc_size }}
|
||||
|
||||
varnish_thread_pools: "{{ ansible_processor_cores * ansible_processor_count }}"
|
||||
varnish_thread_pool_add_delay: 2
|
||||
varnish_thread_pool_add_delay: 0
|
||||
varnish_thread_pool_min: 500
|
||||
varnish_thread_pool_max: 5000
|
||||
|
||||
|
|
|
@ -1,5 +0,0 @@
|
|||
#!/bin/sh
|
||||
UUID=`cat /proc/sys/kernel/random/uuid`
|
||||
/usr/sbin/varnishd -C -f /etc/varnish/default.vcl >/dev/null \
|
||||
&&/usr/bin/varnishadm -T localhost:6082 -S /etc/varnish/secret "vcl.load vcl_$UUID /etc/varnish/default.vcl" \
|
||||
&& /usr/bin/varnishadm -T localhost:6082 -S /etc/varnish/secret "vcl.use vcl_$UUID"
|
|
@ -4,49 +4,62 @@
|
|||
name: varnish
|
||||
state: present
|
||||
tags:
|
||||
- varnish
|
||||
- varnish
|
||||
|
||||
- name: Remove default varnish configuration files
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
state: absent
|
||||
with_items:
|
||||
- /etc/default/varnish
|
||||
- /etc/default/varnishncsa
|
||||
- /etc/default/varnishlog
|
||||
- /etc/default/varnish
|
||||
- /etc/default/varnishncsa
|
||||
- /etc/default/varnishlog
|
||||
notify: reload varnish
|
||||
tags:
|
||||
- varnish
|
||||
- varnish
|
||||
|
||||
- name: Copy Custom Varnish ExecReload script (Debian <=9)
|
||||
copy:
|
||||
src: "reload-vcl.sh"
|
||||
- name: Copy Custom Varnish ExecReload script (Debian <10)
|
||||
template:
|
||||
src: "reload-vcl.sh.j2"
|
||||
dest: "/etc/varnish/reload-vcl.sh"
|
||||
mode: "0700"
|
||||
owner: root
|
||||
group: root
|
||||
when: ansible_distribution_major_version is version('9', '<=')
|
||||
when: ansible_distribution_major_version is version('10', '<')
|
||||
notify: reload varnish
|
||||
tags:
|
||||
- varnish
|
||||
- varnish
|
||||
|
||||
- name: Create a system config directory for systemd overrides
|
||||
file:
|
||||
path: /etc/systemd/system/varnish.service.d
|
||||
state: directory
|
||||
tags:
|
||||
- varnish
|
||||
- varnish
|
||||
|
||||
- name: Override Varnish systemd unit
|
||||
- name: Override Varnish systemd unit (Stretch and before)
|
||||
template:
|
||||
src: varnish.conf.j2
|
||||
src: varnish.conf.jessie.j2
|
||||
dest: /etc/systemd/system/varnish.service.d/evolinux.conf
|
||||
force: yes
|
||||
when: ansible_distribution_major_version is version('10', '<')
|
||||
notify:
|
||||
- reload systemd
|
||||
- restart varnish
|
||||
tags:
|
||||
- varnish
|
||||
- varnish
|
||||
|
||||
- name: Override Varnish systemd unit (Buster and later)
|
||||
template:
|
||||
src: varnish.conf.buster.j2
|
||||
dest: /etc/systemd/system/varnish.service.d/evolinux.conf
|
||||
force: yes
|
||||
when: ansible_distribution_major_version is version('10', '>=')
|
||||
notify:
|
||||
- reload systemd
|
||||
- restart varnish
|
||||
tags:
|
||||
- varnish
|
||||
|
||||
- name: Patch logrotate conf
|
||||
replace:
|
||||
|
@ -57,22 +70,26 @@
|
|||
- varnishlog
|
||||
- varnishncsa
|
||||
tags:
|
||||
- varnish
|
||||
- varnish
|
||||
|
||||
- name: Copy Varnish configuration
|
||||
template:
|
||||
src: "{{ item }}"
|
||||
dest: /etc/varnish/default.vcl
|
||||
dest: "{{ varnish_config_file }}"
|
||||
mode: "0644"
|
||||
force: yes
|
||||
with_first_found:
|
||||
- "templates/varnish/default.{{ inventory_hostname }}.vcl.j2"
|
||||
- "templates/varnish/default.{{ host_group }}.vcl.j2"
|
||||
- "templates/varnish/default.default.vcl.j2"
|
||||
- "default.vcl.j2"
|
||||
- "templates/varnish/varnish.{{ inventory_hostname }}.vcl.j2"
|
||||
- "templates/varnish/default.{{ inventory_hostname }}.vcl.j2"
|
||||
- "templates/varnish/varnish.{{ host_group }}.vcl.j2"
|
||||
- "templates/varnish/default.{{ host_group }}.vcl.j2"
|
||||
- "templates/varnish/varnish.default.vcl.j2"
|
||||
- "templates/varnish/default.default.vcl.j2"
|
||||
- "varnish.vcl.j2"
|
||||
- "default.vcl.j2"
|
||||
notify: reload varnish
|
||||
tags:
|
||||
- varnish
|
||||
- varnish
|
||||
|
||||
- name: Create Varnish config dir
|
||||
file:
|
||||
|
@ -80,7 +97,7 @@
|
|||
state: directory
|
||||
mode: "0755"
|
||||
tags:
|
||||
- varnish
|
||||
- varnish
|
||||
|
||||
- name: Copy included Varnish config
|
||||
template:
|
||||
|
@ -92,6 +109,6 @@
|
|||
- "templates/varnish/conf.d/*.vcl"
|
||||
notify: reload varnish
|
||||
tags:
|
||||
- varnish
|
||||
- varnish
|
||||
|
||||
- include: munin.yml
|
||||
|
|
5
varnish/templates/reload-vcl.sh.j2
Normal file
5
varnish/templates/reload-vcl.sh.j2
Normal file
|
@ -0,0 +1,5 @@
|
|||
#!/bin/sh
|
||||
UUID=`cat /proc/sys/kernel/random/uuid`
|
||||
/usr/sbin/varnishd -C -f {{ varnish_config_file }} >/dev/null \
|
||||
&& /usr/bin/varnishadm -T {{ varnish_management_address }} -S {{ varnish_secret_file }} "vcl.load vcl_$UUID {{ varnish_config_file }}" \
|
||||
&& /usr/bin/varnishadm -T {{ varnish_management_address }} -S {{ varnish_secret_file }} "vcl.use vcl_$UUID"
|
5
varnish/templates/varnish.conf.buster.j2
Normal file
5
varnish/templates/varnish.conf.buster.j2
Normal file
|
@ -0,0 +1,5 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
[Service]
|
||||
ExecStart=
|
||||
ExecStart=/usr/sbin/varnishd -j unix,user=vcache -F {{ varnish_addresses | map('regex_replace', '^(.*)$', '-a \\1') | list | join(' ') }} -T {{ varnish_management_address }} -f {{ varnish_config_file }} -S {{ varnish_secret_file }} -s {{ varnish_storage }} -p thread_pools={{ varnish_thread_pools }} -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} -p thread_pool_min={{ varnish_thread_pool_min }} -p thread_pool_max={{ varnish_thread_pool_max }}
|
|
@ -1,7 +0,0 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
[Service]
|
||||
ExecStart=
|
||||
ExecStart=/usr/sbin/varnishd -F {{ varnish_addresses | map('regex_replace', '^(.*)$', '-a \\1') | list | join(' ') }} -T {{ varnish_management_address }} -f {{ varnish_config_file }} -S {{ varnish_secret_file }} -s {{ varnish_storage }} -p thread_pools={{ varnish_thread_pools }} -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} -p thread_pool_min={{ varnish_thread_pool_min }} -p thread_pool_max={{ varnish_thread_pool_max }}
|
||||
ExecReload=
|
||||
ExecReload=/etc/varnish/reload-vcl.sh
|
7
varnish/templates/varnish.conf.jessie.j2
Normal file
7
varnish/templates/varnish.conf.jessie.j2
Normal file
|
@ -0,0 +1,7 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
[Service]
|
||||
ExecStart=
|
||||
ExecStart=/usr/sbin/varnishd -j unix,user=vcache -F {{ varnish_addresses | map('regex_replace', '^(.*)$', '-a \\1') | list | join(' ') }} -T {{ varnish_management_address }} -f {{ varnish_config_file }} -S {{ varnish_secret_file }} -s {{ varnish_storage }} -p thread_pools={{ varnish_thread_pools }} -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} -p thread_pool_min={{ varnish_thread_pool_min }} -p thread_pool_max={{ varnish_thread_pool_max }}
|
||||
ExecReload=
|
||||
ExecReload=/etc/varnish/reload-vcl.sh
|
|
@ -6,6 +6,7 @@
|
|||
comment: "Evoadmin Web Account"
|
||||
home: "{{ evoadmin_home_dir }}"
|
||||
password: "!"
|
||||
system: yes
|
||||
|
||||
- name: Create www-evoadmin group
|
||||
group:
|
||||
|
@ -22,6 +23,7 @@
|
|||
- name: "Create www-evoadmin (Debian 9 or later)"
|
||||
user:
|
||||
name: www-evoadmin
|
||||
system: yes
|
||||
when: ansible_distribution_major_version is version('9', '>=')
|
||||
|
||||
- name: Is /etc/aliases present?
|
||||
|
|
19
webapps/nextcloud/defaults/main.yml
Normal file
19
webapps/nextcloud/defaults/main.yml
Normal file
|
@ -0,0 +1,19 @@
|
|||
---
|
||||
nextcloud_webserver: 'nginx'
|
||||
nextcloud_version: "20.0.0"
|
||||
nextcloud_archive_name: "nextcloud-{{ nextcloud_version }}.tar.bz2"
|
||||
nextcloud_releases_baseurl: "https://download.nextcloud.com/server/releases/"
|
||||
|
||||
nextcloud_instance_name: "nextcloud"
|
||||
nextcloud_user: "{{ nextcloud_instance_name }}"
|
||||
nextcloud_domains: []
|
||||
|
||||
nextcloud_home: "/home/{{ nextcloud_user }}"
|
||||
nextcloud_webroot: "{{ nextcloud_home }}/nextcloud"
|
||||
nextcloud_data: "{{ nextcloud_webroot }}/data"
|
||||
|
||||
nextcloud_db_user: "{{ nextcloud_user }}"
|
||||
nextcloud_db_name: "{{ nextcloud_instance_name }}"
|
||||
|
||||
nextcloud_admin_login: "admin"
|
||||
nextcloud_admin_password: ""
|
10
webapps/nextcloud/handlers/main.yml
Normal file
10
webapps/nextcloud/handlers/main.yml
Normal file
|
@ -0,0 +1,10 @@
|
|||
---
|
||||
- name: reload php-fpm
|
||||
service:
|
||||
name: php7.3-fpm
|
||||
state: reloaded
|
||||
|
||||
- name: reload nginx
|
||||
service:
|
||||
name: nginx
|
||||
state: reloaded
|
4
webapps/nextcloud/meta/main.yml
Normal file
4
webapps/nextcloud/meta/main.yml
Normal file
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
# dependencies:
|
||||
# - { role: nginx, when: nextcloud_webserver == 'nginx' }
|
||||
# - { role: php, php_fpm_enable: True }
|
37
webapps/nextcloud/tasks/archive.yml
Normal file
37
webapps/nextcloud/tasks/archive.yml
Normal file
|
@ -0,0 +1,37 @@
|
|||
---
|
||||
|
||||
- name: Retrieve Nextcloud archive
|
||||
get_url:
|
||||
url: "{{ nextcloud_releases_baseurl }}{{ nextcloud_archive_name }}"
|
||||
dest: "{{ nextcloud_home }}/{{ nextcloud_archive_name }}"
|
||||
force: no
|
||||
tags:
|
||||
- nextcloud
|
||||
|
||||
- name: Retrieve Nextcloud sha256 checksum
|
||||
get_url:
|
||||
url: "{{ nextcloud_releases_baseurl }}{{ nextcloud_archive_name }}.sha256"
|
||||
dest: "{{ nextcloud_home }}/{{ nextcloud_archive_name }}.sha256"
|
||||
force: no
|
||||
tags:
|
||||
- nextcloud
|
||||
|
||||
- name: Verify Nextcloud sha256 checksum
|
||||
command: "sha256sum -c {{ nextcloud_archive_name }}.sha256"
|
||||
changed_when: "False"
|
||||
args:
|
||||
chdir: "{{ nextcloud_home }}"
|
||||
tags:
|
||||
- nextcloud
|
||||
|
||||
- name: Extract Nextcloud archive
|
||||
unarchive:
|
||||
src: "{{ nextcloud_home }}/{{ nextcloud_archive_name }}"
|
||||
dest: "{{ nextcloud_home }}"
|
||||
creates: "{{ nextcloud_home }}/nextcloud"
|
||||
remote_src: True
|
||||
mode: "0750"
|
||||
owner: "{{ nextcloud_user }}"
|
||||
group: "{{ nextcloud_user }}"
|
||||
tags:
|
||||
- nextcloud
|
81
webapps/nextcloud/tasks/config.yml
Normal file
81
webapps/nextcloud/tasks/config.yml
Normal file
|
@ -0,0 +1,81 @@
|
|||
---
|
||||
|
||||
- block:
|
||||
- name: Generate admin password
|
||||
command: 'apg -n 1 -m 16 -M lcN'
|
||||
register: nextcloud_admin_password_apg
|
||||
check_mode: no
|
||||
changed_when: False
|
||||
|
||||
- debug:
|
||||
var: nextcloud_admin_password_apg
|
||||
|
||||
- set_fact:
|
||||
nextcloud_admin_password: "{{ nextcloud_admin_password_apg.stdout }}"
|
||||
|
||||
tags:
|
||||
- nextcloud
|
||||
when: nextcloud_admin_password == ""
|
||||
|
||||
- name: Get Nextcloud Status
|
||||
shell: "php ./occ status --output json | grep -v 'Nextcloud is not installed'"
|
||||
args:
|
||||
chdir: "{{ nextcloud_webroot }}"
|
||||
become_user: "{{ nextcloud_user }}"
|
||||
register: nc_status
|
||||
check_mode: no
|
||||
tags:
|
||||
- nextcloud
|
||||
|
||||
- name: Install Nextcloud
|
||||
command: "php ./occ maintenance:install --database mysql --database-name {{ nextcloud_db_name | mandatory }} --database-user {{ nextcloud_db_user | mandatory }} --database-pass {{ nextcloud_db_pass | mandatory }} --admin-user {{ nextcloud_admin_login | mandatory }} --admin-pass {{ nextcloud_admin_password | mandatory }} --data-dir {{ nextcloud_data | mandatory }}"
|
||||
args:
|
||||
chdir: "{{ nextcloud_webroot }}"
|
||||
creates: "{{ nextcloud_home }}/config/config.php"
|
||||
become_user: "{{ nextcloud_user }}"
|
||||
when: (nc_status.stdout | from_json).installed == false
|
||||
tags:
|
||||
- nextcloud
|
||||
|
||||
- name: Configure Nextcloud Mysql password
|
||||
replace:
|
||||
dest: "{{ nextcloud_home }}/nextcloud/config/config.php"
|
||||
regexp: "'dbpassword' => '([^']*)',"
|
||||
replace: "'dbpassword' => '{{ nextcloud_db_pass }}',"
|
||||
tags:
|
||||
- nextcloud
|
||||
|
||||
- name: Configure Nextcloud cron
|
||||
cron:
|
||||
name: 'Nextcloud'
|
||||
minute: "*/5"
|
||||
job: "php -f {{ nextcloud_webroot }}/cron.php"
|
||||
user: "{{ nextcloud_user }}"
|
||||
tags:
|
||||
- nextcloud
|
||||
|
||||
- name: Erase previously trusted domains config
|
||||
command: "php ./occ config:system:set trusted_domains"
|
||||
args:
|
||||
chdir: "{{ nextcloud_webroot }}"
|
||||
become_user: "{{ nextcloud_user }}"
|
||||
tags:
|
||||
- nextcloud
|
||||
|
||||
- name: Configure trusted domains
|
||||
command: "php ./occ config:system:set trusted_domains {{ item.0 }} --value {{ item.1 }}"
|
||||
args:
|
||||
chdir: "{{ nextcloud_webroot }}"
|
||||
with_indexed_items:
|
||||
- "{{ nextcloud_domains }}"
|
||||
become_user: "{{ nextcloud_user }}"
|
||||
tags:
|
||||
- nextcloud
|
||||
|
||||
#- name: Configure memcache local to APCu
|
||||
# command: "php ./occ config:system:set memcache.local --value '\\OC\\Memcache\\APCu'"
|
||||
# args:
|
||||
# chdir: "{{ nextcloud_webroot }}"
|
||||
# become_user: "{{ nextcloud_user }}"
|
||||
# tags:
|
||||
# - nextcloud
|
31
webapps/nextcloud/tasks/main.yml
Normal file
31
webapps/nextcloud/tasks/main.yml
Normal file
|
@ -0,0 +1,31 @@
|
|||
---
|
||||
- name: Install dependencies
|
||||
apt:
|
||||
state: present
|
||||
name:
|
||||
- bzip2
|
||||
- php-gd
|
||||
- php-json
|
||||
- php-xml
|
||||
- php-mbstring
|
||||
- php-zip
|
||||
- php-curl
|
||||
- php-bz2
|
||||
- php-intl
|
||||
- php-gmp
|
||||
- php-apcu
|
||||
- php-redis
|
||||
- php-bcmath
|
||||
- python-mysqldb
|
||||
tags:
|
||||
- nextcloud
|
||||
|
||||
- include: user.yml
|
||||
|
||||
- include: archive.yml
|
||||
|
||||
- include: vhost.yml
|
||||
|
||||
- include: mysql.yml
|
||||
|
||||
- include: config.yml
|
62
webapps/nextcloud/tasks/mysql.yml
Normal file
62
webapps/nextcloud/tasks/mysql.yml
Normal file
|
@ -0,0 +1,62 @@
|
|||
---
|
||||
- name: Get actual Mysql password
|
||||
shell: "grep password {{ nextcloud_home }}/.my.cnf | awk '{ print $3 }'"
|
||||
register: nextcloud_db_pass_grep
|
||||
check_mode: no
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
tags:
|
||||
- nextcloud
|
||||
|
||||
- name: Generate Mysql password
|
||||
command: 'apg -n 1 -m 16 -M lcN'
|
||||
register: nextcloud_db_pass_apg
|
||||
check_mode: no
|
||||
changed_when: False
|
||||
tags:
|
||||
- nextcloud
|
||||
|
||||
- name: Set Mysql password
|
||||
set_fact:
|
||||
nextcloud_db_pass: "{{ nextcloud_db_pass_grep.stdout | default(nextcloud_db_pass_apg.stdout, True) }}"
|
||||
tags:
|
||||
- nextcloud
|
||||
|
||||
- debug:
|
||||
var: nextcloud_db_pass
|
||||
verbosity: 1
|
||||
|
||||
- name: Create Mysql database
|
||||
mysql_db:
|
||||
name: "{{ nextcloud_db_name }}"
|
||||
config_file: "/root/.my.cnf"
|
||||
state: present
|
||||
tags:
|
||||
- nextcloud
|
||||
|
||||
- name: Create Mysql user
|
||||
mysql_user:
|
||||
name: "{{ nextcloud_db_user }}"
|
||||
password: '{{ nextcloud_db_pass }}'
|
||||
priv: "{{ nextcloud_db_name }}.*:ALL"
|
||||
config_file: "/root/.my.cnf"
|
||||
update_password: always
|
||||
state: present
|
||||
tags:
|
||||
- nextcloud
|
||||
|
||||
- name: Store credentials in my.cnf
|
||||
ini_file:
|
||||
dest: "{{ nextcloud_home }}/.my.cnf"
|
||||
owner: "{{ nextcloud_user }}"
|
||||
group: "{{ nextcloud_user }}"
|
||||
mode: "0600"
|
||||
section: client
|
||||
option: "{{ item.option }}"
|
||||
value: "{{ item.value }}"
|
||||
with_items:
|
||||
- { option: "user", value: "{{ nextcloud_db_user }}" }
|
||||
- { option: "database", value: "{{ nextcloud_db_name }}" }
|
||||
- { option: "password", value: "{{ nextcloud_db_pass }}" }
|
||||
tags:
|
||||
- nextcloud
|
38
webapps/nextcloud/tasks/user.yml
Normal file
38
webapps/nextcloud/tasks/user.yml
Normal file
|
@ -0,0 +1,38 @@
|
|||
---
|
||||
- name: Create Nextcloud group
|
||||
group:
|
||||
name: "{{ nextcloud_instance_name | mandatory }}"
|
||||
state: present
|
||||
tags:
|
||||
- nextcloud
|
||||
|
||||
- name: Create Nextcloud user
|
||||
user:
|
||||
name: "{{ nextcloud_user | mandatory }}"
|
||||
group: "{{ nextcloud_user }}"
|
||||
home: "{{ nextcloud_home | mandatory }}"
|
||||
shell: '/bin/bash'
|
||||
createhome: True
|
||||
state: present
|
||||
tags:
|
||||
- nextcloud
|
||||
|
||||
- name: Add the user 'www-data' to Nextcloud group
|
||||
user:
|
||||
name: www-data
|
||||
groups: "{{ nextcloud_user | mandatory }}"
|
||||
append: yes
|
||||
|
||||
- name: Create top-level directories
|
||||
file:
|
||||
dest: "{{ item }}"
|
||||
state: directory
|
||||
mode: "0770"
|
||||
owner: "{{ nextcloud_user }}"
|
||||
group: "{{ nextcloud_user }}"
|
||||
with_items:
|
||||
- "{{ nextcloud_home }}/log"
|
||||
- "{{ nextcloud_home }}/tmp"
|
||||
- "{{ nextcloud_home }}/data"
|
||||
tags:
|
||||
- nextcloud
|
34
webapps/nextcloud/tasks/vhost.yml
Normal file
34
webapps/nextcloud/tasks/vhost.yml
Normal file
|
@ -0,0 +1,34 @@
|
|||
---
|
||||
- block:
|
||||
- name: Copy Nginx vhost
|
||||
template:
|
||||
src: nginx.conf.j2
|
||||
dest: "/etc/nginx/sites-available/{{ nextcloud_instance_name }}.conf"
|
||||
mode: "0640"
|
||||
notify: reload nginx
|
||||
tags:
|
||||
- nextcloud
|
||||
|
||||
- name: Enable Nginx vhost
|
||||
file:
|
||||
src: "/etc/nginx/sites-available/{{ nextcloud_instance_name }}.conf"
|
||||
dest: "/etc/nginx/sites-enabled/{{ nextcloud_instance_name }}.conf"
|
||||
state: link
|
||||
notify: reload nginx
|
||||
tags:
|
||||
- nextcloud
|
||||
|
||||
- name: Generate ssl config
|
||||
shell:
|
||||
cmd: "/usr/local/sbin/vhost-domains {{ nextcloud_instance_name }} | /usr/local/sbin/make-csr {{ nextcloud_instance_name }}"
|
||||
creates: "/etc/nginx/ssl/{{ nextcloud_instance_name }}.conf"
|
||||
|
||||
- name: Copy PHP-FPM pool
|
||||
template:
|
||||
src: php-fpm.conf.j2
|
||||
dest: "/etc/php/7.3/fpm/pool.d/{{ nextcloud_instance_name }}.conf"
|
||||
mode: "0640"
|
||||
notify: reload php-fpm
|
||||
tags:
|
||||
- nextcloud
|
||||
when: nextcloud_webserver == 'nginx'
|
134
webapps/nextcloud/templates/nginx.conf.j2
Normal file
134
webapps/nextcloud/templates/nginx.conf.j2
Normal file
|
@ -0,0 +1,134 @@
|
|||
upstream php-handler-{{ nextcloud_instance_name }} {
|
||||
server unix:/var/run/php/php-fpm-{{ nextcloud_instance_name }}.sock;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
server_name {{ nextcloud_domains | join(' ') }};
|
||||
|
||||
access_log {{ nextcloud_home }}/log/access.log;
|
||||
error_log {{ nextcloud_home }}/log/error.log;
|
||||
|
||||
include /etc/nginx/snippets/letsencrypt.conf;
|
||||
include /etc/nginx/ssl/{{ nextcloud_instance_name }}.conf;
|
||||
|
||||
add_header Referrer-Policy "no-referrer" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header X-Download-Options "noopen" always;
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header X-Permitted-Cross-Domain-Policies "none" always;
|
||||
add_header X-Robots-Tag "none" always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
|
||||
# Remove X-Powered-By, which is an information leak
|
||||
fastcgi_hide_header X-Powered-By;
|
||||
|
||||
root {{ nextcloud_webroot }};
|
||||
|
||||
location = /robots.txt {
|
||||
allow all;
|
||||
log_not_found off;
|
||||
access_log off;
|
||||
}
|
||||
|
||||
# The following 2 rules are only needed for the user_webfinger app.
|
||||
# Uncomment it if you're planning to use this app.
|
||||
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
|
||||
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
|
||||
|
||||
# The following rule is only needed for the Social app.
|
||||
# Uncomment it if you're planning to use this app.
|
||||
rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
|
||||
|
||||
location = /.well-known/carddav {
|
||||
return 301 $scheme://$host:$server_port/remote.php/dav;
|
||||
}
|
||||
location = /.well-known/caldav {
|
||||
return 301 $scheme://$host:$server_port/remote.php/dav;
|
||||
}
|
||||
|
||||
# set max upload size
|
||||
client_max_body_size 512M;
|
||||
fastcgi_buffers 64 4K;
|
||||
|
||||
# Enable gzip but do not remove ETag headers
|
||||
gzip on;
|
||||
gzip_vary on;
|
||||
gzip_comp_level 4;
|
||||
gzip_min_length 256;
|
||||
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
|
||||
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
|
||||
|
||||
|
||||
location / {
|
||||
rewrite ^ /index.php;
|
||||
}
|
||||
|
||||
location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
|
||||
deny all;
|
||||
}
|
||||
location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
|
||||
deny all;
|
||||
}
|
||||
|
||||
|
||||
location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy)\.php(?:$|\/) {
|
||||
fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
|
||||
set $path_info $fastcgi_path_info;
|
||||
try_files $fastcgi_script_name =404;
|
||||
include fastcgi_params;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
fastcgi_param PATH_INFO $path_info;
|
||||
fastcgi_param HTTPS on;
|
||||
# Avoid sending the security headers twice
|
||||
fastcgi_param modHeadersAvailable true;
|
||||
# Enable pretty urls
|
||||
fastcgi_param front_controller_active true;
|
||||
fastcgi_pass php-handler-{{ nextcloud_instance_name }};
|
||||
fastcgi_intercept_errors on;
|
||||
fastcgi_request_buffering off;
|
||||
}
|
||||
|
||||
location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
|
||||
try_files $uri/ =404;
|
||||
index index.php;
|
||||
}
|
||||
|
||||
# Adding the cache control header for js, css and map files
|
||||
# Make sure it is BELOW the PHP block
|
||||
location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
|
||||
try_files $uri /index.php$request_uri;
|
||||
add_header Cache-Control "public, max-age=15778463";
|
||||
# Add headers to serve security related headers (It is intended to
|
||||
# have those duplicated to the ones above)
|
||||
# Before enabling Strict-Transport-Security headers please read into
|
||||
# this topic first.
|
||||
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
|
||||
#
|
||||
# WARNING: Only add the preload option once you read about
|
||||
# the consequences in https://hstspreload.org/. This option
|
||||
# will add the domain to a hardcoded list that is shipped
|
||||
# in all major browsers and getting removed from this list
|
||||
# could take several months.
|
||||
add_header Referrer-Policy "no-referrer" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header X-Download-Options "noopen" always;
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header X-Permitted-Cross-Domain-Policies "none" always;
|
||||
add_header X-Robots-Tag "none" always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
|
||||
# Optional: Don't log access to assets
|
||||
access_log off;
|
||||
}
|
||||
|
||||
location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$ {
|
||||
try_files $uri /index.php$request_uri;
|
||||
# Optional: Don't log access to other assets
|
||||
access_log off;
|
||||
}
|
||||
}
|
17
webapps/nextcloud/templates/php-fpm.conf.j2
Normal file
17
webapps/nextcloud/templates/php-fpm.conf.j2
Normal file
|
@ -0,0 +1,17 @@
|
|||
[{{ nextcloud_instance_name }}]
|
||||
user = {{ nextcloud_user }}
|
||||
group = {{ nextcloud_user }}
|
||||
listen = /run/php/php-fpm-{{ nextcloud_instance_name }}.sock
|
||||
listen.owner = {{ nextcloud_user }}
|
||||
listen.group = {{ nextcloud_user }}
|
||||
|
||||
pm = ondemand
|
||||
pm.max_children = 50
|
||||
pm.process_idle_timeout = 120s
|
||||
pm.status_path = /fpm_status
|
||||
|
||||
env[HOSTNAME] = $HOSTNAME
|
||||
env[PATH] = /usr/local/bin:/usr/bin:/bin
|
||||
env[TMP] = {{ nextcloud_home }}/tmp
|
||||
env[TMPDIR] = {{ nextcloud_home }}/tmp
|
||||
env[TEMP] = {{ nextcloud_home }}/tmp
|
Loading…
Reference in a new issue