From 1646cc99bf460cef8d1634d576682233d4a6a79f Mon Sep 17 00:00:00 2001 From: Mathieu Trossevin Date: Wed, 23 Mar 2022 13:55:54 +0100 Subject: [PATCH 001/497] redis: Remount /usr with RW when adding nagios plugin --- CHANGELOG.md | 1 + redis/tasks/nrpe.yml | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3423f57e..e6a0941d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -25,6 +25,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * Repair keepalived role * generate-ldif: Correct generated entries for php-fpm in containers +* redis: Remount /usr with RW before adding nagios plugin ### Removed diff --git a/redis/tasks/nrpe.yml b/redis/tasks/nrpe.yml index b317c4e6..9e042479 100644 --- a/redis/tasks/nrpe.yml +++ b/redis/tasks/nrpe.yml @@ -79,6 +79,10 @@ - redis - nrpe +- name: "Remount /usr with RW for 'install check_redis instance'" + include_role: + name: evolix/remount-usr + - name: install check_redis_instances copy: src: check_redis_instances.sh -- 2.39.2 From 42782b7f3d8f3a93fc396489adeda5ccb1a2167d Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Thu, 24 Mar 2022 17:57:58 +0100 Subject: [PATCH 002/497] evolinux-base: fix show_help in backup-server-state.sh * --uname and --no-uname options were not in help * --services and --no-services were in help whereas --systemctl and --no-systemctl are used in options parsing --- CHANGELOG.md | 1 + evolinux-base/files/backup-server-state.sh | 8 +++++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e6a0941d..6500c19b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -26,6 +26,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * Repair keepalived role * generate-ldif: Correct generated entries for php-fpm in containers * redis: Remount /usr with RW before adding nagios plugin +* evolinux-base: fix show_help in backup-server-state.sh ### Removed 
diff --git a/evolinux-base/files/backup-server-state.sh b/evolinux-base/files/backup-server-state.sh index 3c42695d..bc0eedd7 100644 --- a/evolinux-base/files/backup-server-state.sh +++ b/evolinux-base/files/backup-server-state.sh @@ -2,7 +2,7 @@ PROGNAME="backup-server-state" -VERSION="22.03.4" +VERSION="22.03.5" readonly VERSION backup_dir= @@ -46,6 +46,8 @@ Options --no-packages no backup copy of dpkg selections --processes backup copy of process list (default) --no-processes no backup copy of process list + --uname backup copy of uname (default) + --no-uname no backup copy of uname --uptime backup of uptime value (default) --no-uptime no backup of uptime value --netstat backup copy of netstat (default) @@ -70,8 +72,8 @@ Options --no-dmesg no backup copy of dmesg --mysql backup copy of mysql processes (default) --no-mysql no backup copy of mysql processes - --services backup copy of services states (default) - --no-services no backup copy of services states + --systemctl backup copy of services states (default) + --no-systemctl no backup copy of services states -v, --verbose print details about backup steps -V, --version print version and exit -h, --help print this message and exit -- 2.39.2 From d2fa14fb4f0d565c0ff31b80aeb0f5dbf6bd95be Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Thu, 24 Mar 2022 18:15:56 +0100 Subject: [PATCH 003/497] backup-server-state: release 22.03.5 --- CHANGELOG.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6500c19b..1afc4f9f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -15,7 +15,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed * evocheck: upstream release 22.03.1 -* evolinux-base: backup-server-state release 22.03.3 +* evolinux-base: backup-server-state release 22.03.5 * evolinux-base: Add non-free repos & install non-free firmware on dedicated hardware * generate-ldif: Add services check for bkctld * minifirewall: upstream release 22.03.3 and use includes directory @@ -26,7 +26,6 @@ The **patch** part changes is incremented if multiple releases happen the same m * Repair keepalived role * generate-ldif: Correct generated entries for php-fpm in containers * redis: Remount /usr with RW before adding nagios plugin -* evolinux-base: fix show_help in backup-server-state.sh ### Removed -- 2.39.2 From bbc1bae43754ede8882c95d81c92c6b4a6fdba55 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 25 Mar 2022 14:57:10 +0100 Subject: [PATCH 004/497] minifirewall: upstream release 22.03.4 --- CHANGELOG.md | 2 +- minifirewall/files/minifirewall | 42 ++++++++++++++++++++++++++++++++- 2 files changed, 42 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1afc4f9f..42247241 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,7 +18,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * evolinux-base: backup-server-state release 22.03.5 * evolinux-base: Add non-free repos & install non-free firmware on dedicated hardware * generate-ldif: Add services check for bkctld -* minifirewall: upstream release 22.03.3 and use includes directory +* minifirewall: upstream release 22.03.4 * openvpn: use a subnet topology instead of the net30 default topology ### Fixed diff --git a/minifirewall/files/minifirewall b/minifirewall/files/minifirewall index 9e8ff67f..cb707673 100755 --- a/minifirewall/files/minifirewall +++ b/minifirewall/files/minifirewall 
@@ -28,7 +28,7 @@ # Description: Firewall designed for standalone server ### END INIT INFO -VERSION="22.03.3" +VERSION="22.03.4" NAME="minifirewall" # shellcheck disable=SC2034 @@ -97,6 +97,21 @@ BACKUPSERVERS='' LEGACY_CONFIG='off' +## pseudo dry-run : +## Uncomment and call these functions instead of the real iptables and ip6tables commands +# IPT="fake_iptables" +# IPT6="fake_ip6tables" +# fake_iptables() { +# printf "DRY-RUN iptables %s\n" "$*" +# } +# fake_ip6tables() { +# printf "DRY-RUN ip6tables %s\n" "$*" +# } +## Beware that commands executed from included files are not modified by this trick. + +sort_values() { + echo "$*" | tr ' ' '\n' | sort -h +} is_ipv6_enabled() { test "${IPV6}" != "off" } @@ -303,6 +318,31 @@ start() { # * from configuration directory (/etc/minifirewall.d/*) source_includes + # IP/ports lists are sorted to have consistent ordering + # You can disable this feature by simply commenting the following lines + LOOPBACK=$(sort_values ${LOOPBACK}) + INTLAN=$(sort_values ${INTLAN}) + TRUSTEDIPS=$(sort_values ${TRUSTEDIPS}) + PRIVILEGIEDIPS=$(sort_values ${PRIVILEGIEDIPS}) + SERVICESTCP1p=$(sort_values ${SERVICESTCP1p}) + SERVICESUDP1p=$(sort_values ${SERVICESUDP1p}) + SERVICESTCP1=$(sort_values ${SERVICESTCP1}) + SERVICESUDP1=$(sort_values ${SERVICESUDP1}) + SERVICESTCP2=$(sort_values ${SERVICESTCP2}) + SERVICESUDP2=$(sort_values ${SERVICESUDP2}) + SERVICESTCP3=$(sort_values ${SERVICESTCP3}) + SERVICESUDP3=$(sort_values ${SERVICESUDP3}) + DNSSERVEURS=$(sort_values ${DNSSERVEURS}) + HTTPSITES=$(sort_values ${HTTPSITES}) + HTTPSSITES=$(sort_values ${HTTPSSITES}) + FTPSITES=$(sort_values ${FTPSITES}) + SSHOK=$(sort_values ${SSHOK}) + SMTPOK=$(sort_values ${SMTPOK}) + SMTPSECUREOK=$(sort_values ${SMTPSECUREOK}) + NTPOK=$(sort_values ${NTPOK}) + PROXYBYPASS=$(sort_values ${PROXYBYPASS}) + BACKUPSERVERS=$(sort_values ${BACKUPSERVERS}) + # Trusted ip addresses ${IPT} -N ONLYTRUSTED ${IPT} -A ONLYTRUSTED -j LOG_DROP -- 2.39.2 
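Review bot: `sort_values()` feeds its input through `echo "$*"`, and under dash's builtin echo a first element such as `-n` or `-e` is eaten as an option and backslash sequences are interpreted, so a list entry can vanish silently before it ever reaches iptables; `printf '%s\n' "$*" | tr ' ' '\n' | sort -h` avoids both problems. Note also that `sort -h` on dotted-quad or CIDR strings only orders on the leading numeric field, which satisfies the stated goal of a stable order but is not numeric IP ordering, so a comment above the function such as `# stable order only, not numeric IP order` would prevent that misreading. The callers in start() pass the lists unquoted (`$(sort_values ${LOOPBACK})`), which is harmless for plain IP/port values but means a stray `*` or `?` in a config value would be pathname-expanded before sorting. start() begins before and ends after the hunk.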
From 85d429295ff2abe231772ec61547a36cc97197a2 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 25 Mar 2022 18:12:24 +0100 Subject: [PATCH 005/497] minifirewall: tail template follows symlinks --- CHANGELOG.md | 1 + minifirewall/tasks/tail.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 42247241..1bccf9ef 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,6 +19,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * evolinux-base: Add non-free repos & install non-free firmware on dedicated hardware * generate-ldif: Add services check for bkctld * minifirewall: upstream release 22.03.4 +* minifirewall: tail template follows symlinks * openvpn: use a subnet topology instead of the net30 default topology ### Fixed diff --git a/minifirewall/tasks/tail.yml b/minifirewall/tasks/tail.yml index 199b4c7a..a1bfba64 100644 --- a/minifirewall/tasks/tail.yml +++ b/minifirewall/tasks/tail.yml @@ -4,6 +4,7 @@ src: "{{ item }}" dest: "/etc/minifirewall.d/{{ minifirewall_tail_file }}" force: "{{ minifirewall_tail_force | bool }}" + follow: yes loop: "{{ query('first_found', templates) }}" vars: templates: -- 2.39.2 From c17bb035355cabc302ef2be4b7290b9bc722e4e3 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 25 Mar 2022 18:16:36 +0100 Subject: [PATCH 006/497] minifirewall: tail template follows symlinks --- CHANGELOG.md | 2 ++ minifirewall/tasks/tail.yml | 1 + 2 files changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 216de3dd..3f8f3596 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* minifirewall: tail template follows symlinks + ### Fixed ### Removed diff --git a/minifirewall/tasks/tail.yml b/minifirewall/tasks/tail.yml index c8c4440e..0af9925d 100644 --- a/minifirewall/tasks/tail.yml +++ b/minifirewall/tasks/tail.yml 
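Review bot: `follow: yes` on this template task is only a safe default while `/etc/minifirewall.d/` stays root-owned: together with `force` the module now writes the rendered content through whatever the destination symlink points at, so a link planted at that path would redirect a root-privileged write to an arbitrary file. A one-line comment on the task recording that intent, `# dest may be a symlink to the live config: render into its target rather than replacing the link`, would make the trade-off visible to the next editor. The loop and vars part of the task continues outside the hunk.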
@@ -4,6 +4,7 @@ src: "{{ item }}" dest: "{{ minifirewall_tail_file }}" force: "{{ minifirewall_tail_force | bool }}" + follow: yes loop: "{{ query('first_found', templates) }}" vars: templates: -- 2.39.2 From 54bf9c1854f46dcf481f907ad4e3e57feb61642a Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 27 Mar 2022 09:18:15 +0200 Subject: [PATCH 007/497] evolinux-base: rename backup-server-state to dump-server-state --- CHANGELOG.md | 2 +- ...p-server-state.sh => dump-server-state.sh} | 312 +++++++++--------- evolinux-base/tasks/utils.yml | 18 +- 3 files changed, 163 insertions(+), 169 deletions(-) rename evolinux-base/files/{backup-server-state.sh => dump-server-state.sh} (70%) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1bccf9ef..c1c90020 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,7 +15,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed * evocheck: upstream release 22.03.1 -* evolinux-base: backup-server-state release 22.03.5 +* evolinux-base: rename backup-server-state to dump-server-state * evolinux-base: Add non-free repos & install non-free firmware on dedicated hardware * generate-ldif: Add services check for bkctld * minifirewall: upstream release 22.03.4 diff --git a/evolinux-base/files/backup-server-state.sh b/evolinux-base/files/dump-server-state.sh similarity index 70% rename from evolinux-base/files/backup-server-state.sh rename to evolinux-base/files/dump-server-state.sh index bc0eedd7..bdc1e301 100644 --- a/evolinux-base/files/backup-server-state.sh +++ b/evolinux-base/files/dump-server-state.sh @@ -1,11 +1,11 @@ #!/bin/sh -PROGNAME="backup-server-state" +PROGNAME="dump-server-state" -VERSION="22.03.5" +VERSION="22.03.6" readonly VERSION -backup_dir= +dump_dir= rc=0 # base functions 
@@ -15,7 +15,9 @@ show_version() { ${PROGNAME} version ${VERSION} Copyright 2018-2022 Evolix , - Jérémy Lecour + Jérémy Lecour , + Éric Morino , + Brice Waegeneire and others. ${PROGNAME} comes with ABSOLUTELY NO WARRANTY.This is free software, @@ -25,58 +27,38 @@ END } show_help() { cat < "${backup_dir}/apt-config.txt") + last_result=$(${apt_config_bin} dump > "${dump_dir}/apt-config.txt") last_rc=$? if [ ${last_rc} -eq 0 ]; then @@ -182,8 +164,8 @@ backup_apt_config() { fi } -backup_dpkg_full() { - debug "Backup DPkg full state" +do_dpkg_full() { + debug "## DPkg full state" dir_state_status="/var/lib/dpkg/status" @@ -195,7 +177,7 @@ backup_dpkg_full() { dpkg_dir=$(dirname "${dir_state_status}") - last_result=$(mkdir -p "${backup_dir}${dpkg_dir}" && chmod -R 755 "${backup_dir}${dpkg_dir}") + last_result=$(mkdir -p "${dump_dir}${dpkg_dir}" && chmod -R 755 "${dump_dir}${dpkg_dir}") last_rc=$? if [ ${last_rc} -eq 0 ]; then @@ -209,7 +191,7 @@ backup_dpkg_full() { rsync_bin=$(command -v rsync) if [ -n "${rsync_bin}" ]; then - last_result=$(${rsync_bin} -ah --itemize-changes --exclude='*-old' "${dpkg_dir}/" "${backup_dir}${dpkg_dir}/") + last_result=$(${rsync_bin} -ah --itemize-changes --exclude='*-old' "${dpkg_dir}/" "${dump_dir}${dpkg_dir}/") last_rc=$? if [ ${last_rc} -eq 0 ]; then @@ -222,7 +204,7 @@ backup_dpkg_full() { else debug "* rsync not found" - last_result=$(cp -r "${dpkg_dir}/*" "${backup_dir}${dpkg_dir}/" && rm -rf "${backup_dir}${dpkg_dir}/*-old") + last_result=$(cp -r "${dpkg_dir}/*" "${dump_dir}${dpkg_dir}/" && rm -rf "${dump_dir}${dpkg_dir}/*-old") last_rc=$? if [ ${last_rc} -eq 0 ]; then @@ -235,8 +217,8 @@ backup_dpkg_full() { fi } -backup_dpkg_status() { - debug "Backup DPkg status" +do_dpkg_status() { + debug "## DPkg status" dir_state_status="/var/lib/dpkg/status" 
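Review bot: In the rsync-less fallback of `do_dpkg_full`, both `cp -r "${dpkg_dir}/*"` and `rm -rf "${dump_dir}${dpkg_dir}/*-old"` keep the `*` inside double quotes, so no glob expansion takes place: cp looks for a file literally named `*` and fails, and the rm is a no-op. The glob must sit outside the quotes, `cp -r "${dpkg_dir}"/* "${dump_dir}${dpkg_dir}/" && rm -rf "${dump_dir}${dpkg_dir}"/*-old`, the way `do_disks` already writes `cat "${dump_dir}"/partitions-*`. This commit only renames the variable on that line, so the fallback cannot have worked before it and still does not after it. `do_dpkg_full` starts and ends outside the hunk.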
@@ -246,7 +228,7 @@ backup_dpkg_status() { eval "$(${apt_config_bin} shell dir_state_status Dir::State::status)" fi - last_result=$(cp "${dir_state_status}" "${backup_dir}/dpkg-status.txt") + last_result=$(cp "${dir_state_status}" "${dump_dir}/dpkg-status.txt") last_rc=$? if [ ${last_rc} -eq 0 ]; then @@ -258,13 +240,13 @@ backup_dpkg_status() { fi } -backup_packages() { - debug "Backup list of installed package" +do_packages() { + debug "## List of installed package" dpkg_bin=$(command -v dpkg) if [ -n "${dpkg_bin}" ]; then - last_result=$(${dpkg_bin} --get-selections "*" > "${backup_dir}/current_packages.txt") + last_result=$(${dpkg_bin} --get-selections "*" > "${dump_dir}/current_packages.txt") last_rc=$? if [ ${last_rc} -eq 0 ]; then @@ -279,10 +261,10 @@ backup_packages() { fi } -backup_uname() { - debug "Backup uname" +do_uname() { + debug "## uname" - last_result=$(uname -a > "${backup_dir}/uname.txt") + last_result=$(uname -a > "${dump_dir}/uname.txt") last_rc=$? if [ ${last_rc} -eq 0 ]; then @@ -294,10 +276,10 @@ backup_uname() { fi } -backup_uptime() { - debug "Backup uptime" +do_uptime() { + debug "## uptime" - last_result=$(uptime > "${backup_dir}/uptime.txt") + last_result=$(uptime > "${dump_dir}/uptime.txt") last_rc=$? if [ ${last_rc} -eq 0 ]; then @@ -309,10 +291,10 @@ backup_uptime() { fi } -backup_processes() { - debug "Backup process list" +do_processes() { + debug "## Process list" - last_result=$(ps fauxw > "${backup_dir}/ps.txt") + last_result=$(ps fauxw > "${dump_dir}/ps.txt") last_rc=$? if [ ${last_rc} -eq 0 ]; then @@ -326,7 +308,7 @@ backup_processes() { pstree_bin=$(command -v pstree) if [ -n "${pstree_bin}" ]; then - last_result=$(${pstree_bin} -pan > "${backup_dir}/pstree.txt") + last_result=$(${pstree_bin} -pan > "${dump_dir}/pstree.txt") last_rc=$? if [ ${last_rc} -eq 0 ]; then 
@@ -339,13 +321,13 @@ backup_processes() { fi } -backup_netstat() { - debug "Backup network status" +do_netstat() { + debug "## Network status" ss_bin=$(command -v ss) if [ -n "${ss_bin}" ]; then - last_result=$(${ss_bin} -tanpul > "${backup_dir}/netstat-ss.txt") + last_result=$(${ss_bin} -tanpul > "${dump_dir}/netstat-ss.txt") last_rc=$? if [ ${last_rc} -eq 0 ]; then @@ -362,7 +344,7 @@ backup_netstat() { netstat_bin=$(command -v netstat) if [ -n "${netstat_bin}" ]; then - last_result=$(netstat -laputen > "${backup_dir}/netstat-legacy.txt") + last_result=$(netstat -laputen > "${dump_dir}/netstat-legacy.txt") last_rc=$? if [ ${last_rc} -eq 0 ]; then @@ -377,13 +359,13 @@ backup_netstat() { fi } -backup_netcfg() { - debug "Backup network configuration" +do_netcfg() { + debug "## Network configuration" ip_bin=$(command -v ip) if [ -n "${ip_bin}" ]; then - last_result=$(${ip_bin} address show > "${backup_dir}/ip-address.txt") + last_result=$(${ip_bin} address show > "${dump_dir}/ip-address.txt") last_rc=$? if [ ${last_rc} -eq 0 ]; then @@ -394,7 +376,7 @@ backup_netcfg() { rc=10 fi - last_result=$(${ip_bin} route show > "${backup_dir}/ip-route.txt") + last_result=$(${ip_bin} route show > "${dump_dir}/ip-route.txt") last_rc=$? if [ ${last_rc} -eq 0 ]; then @@ -410,7 +392,7 @@ backup_netcfg() { ifconfig_bin=$(command -v ifconfig) if [ -n "${ifconfig_bin}" ]; then - last_result=$(${ifconfig_bin} > "${backup_dir}/ifconfig.txt") + last_result=$(${ifconfig_bin} > "${dump_dir}/ifconfig.txt") last_rc=$? if [ ${last_rc} -eq 0 ]; then @@ -426,8 +408,8 @@ backup_netcfg() { fi } -backup_iptables() { - debug "Backup iptables" +do_iptables() { + debug "## iptables" iptables_bin=$(command -v iptables) nft_bin=$(command -v nft) 
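Review bot: In `do_netstat` the legacy branch resolves `netstat_bin=$(command -v netstat)` and tests it, but the command on the renamed line still runs bare `netstat -laputen` instead of `${netstat_bin} -laputen`, unlike every other tool in the script which is invoked through its resolved path. Changing it to `last_result=$(${netstat_bin} -laputen > "${dump_dir}/netstat-legacy.txt")` keeps the lookup and the invocation consistent. `do_netstat` starts and ends outside the hunk.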
@@ -436,7 +418,7 @@ backup_iptables() { debug "* nft found, skip iptables" else if [ -n "${iptables_bin}" ]; then - last_result=$({ ${iptables_bin} -L -n -v; ${iptables_bin} -t filter -L -n -v; } >> "${backup_dir}/iptables-v.txt") + last_result=$({ ${iptables_bin} -L -n -v; ${iptables_bin} -t filter -L -n -v; } >> "${dump_dir}/iptables-v.txt") last_rc=$? if [ ${last_rc} -eq 0 ]; then @@ -447,7 +429,7 @@ backup_iptables() { rc=10 fi - last_result=$({ ${iptables_bin} -L -n; ${iptables_bin} -t filter -L -n; } >> "${backup_dir}/iptables.txt") + last_result=$({ ${iptables_bin} -L -n; ${iptables_bin} -t filter -L -n; } >> "${dump_dir}/iptables.txt") last_rc=$? if [ ${last_rc} -eq 0 ]; then @@ -464,7 +446,7 @@ backup_iptables() { iptables_save_bin=$(command -v iptables-save) if [ -n "${iptables_save_bin}" ]; then - last_result=$(${iptables_save_bin} > "${backup_dir}/iptables-save.txt") + last_result=$(${iptables_save_bin} > "${dump_dir}/iptables-save.txt") last_rc=$? if [ ${last_rc} -eq 0 ]; then @@ -480,13 +462,13 @@ backup_iptables() { fi } -backup_sysctl() { - debug "Backup sysctl values" +do_sysctl() { + debug "## sysctl values" sysctl_bin=$(command -v sysctl) if [ -n "${sysctl_bin}" ]; then - last_result=$(${sysctl_bin} -a --ignore 2>/dev/null | sort -h > "${backup_dir}/sysctl.txt") + last_result=$(${sysctl_bin} -a --ignore 2>/dev/null | sort -h > "${dump_dir}/sysctl.txt") last_rc=$? if [ ${last_rc} -eq 0 ]; then @@ -501,13 +483,13 @@ backup_sysctl() { fi } -backup_virsh() { - debug "Backup virsh list" +do_virsh() { + debug "## virsh list" virsh_bin=$(command -v virsh) if [ -n "${virsh_bin}" ]; then - last_result=$(${virsh_bin} list --all > "${backup_dir}/virsh-list.txt") + last_result=$(${virsh_bin} list --all > "${dump_dir}/virsh-list.txt") last_rc=$? if [ ${last_rc} -eq 0 ]; then 
@@ -522,13 +504,13 @@ backup_virsh() { fi } -backup_lxc() { - debug "Backup lxc list" +do_lxc() { + debug "## lxc list" lxc_ls_bin=$(command -v lxc-ls) if [ -n "${lxc_ls_bin}" ]; then - last_result=$(${lxc_ls_bin} --fancy > "${backup_dir}/lxc-list.txt") + last_result=$(${lxc_ls_bin} --fancy > "${dump_dir}/lxc-list.txt") last_rc=$? if [ ${last_rc} -eq 0 ]; then @@ -543,8 +525,8 @@ backup_lxc() { fi } -backup_disks() { - debug "Backup disks" +do_disks() { + debug "## Disks" lsblk_bin=$(command -v lsblk) awk_bin=$(command -v awk) @@ -554,7 +536,7 @@ backup_disks() { for disk in ${disks}; do dd_bin=$(command -v dd) if [ -n "${dd_bin}" ]; then - last_result=$(${dd_bin} if="/dev/${disk}" of="${backup_dir}/MBR-${disk}" bs=512 count=1 2>&1) + last_result=$(${dd_bin} if="/dev/${disk}" of="${dump_dir}/MBR-${disk}" bs=512 count=1 2>&1) last_rc=$? if [ ${last_rc} -eq 0 ]; then @@ -569,7 +551,7 @@ backup_disks() { fi fdisk_bin=$(command -v fdisk) if [ -n "${fdisk_bin}" ]; then - last_result=$(${fdisk_bin} -l "/dev/${disk}" > "${backup_dir}/partitions-${disk}" 2>&1) + last_result=$(${fdisk_bin} -l "/dev/${disk}" > "${dump_dir}/partitions-${disk}" 2>&1) last_rc=$? if [ ${last_rc} -eq 0 ]; then @@ -583,7 +565,7 @@ backup_disks() { debug "* fdisk not found" fi done - cat "${backup_dir}"/partitions-* > "${backup_dir}/partitions" + cat "${dump_dir}"/partitions-* > "${dump_dir}/partitions" else if [ -n "${lsblk_bin}" ]; then debug "* lsblk not found" @@ -594,13 +576,13 @@ backup_disks() { fi } -backup_mount() { - debug "Backup mount points" +do_mount() { + debug "## Mount points" findmnt_bin=$(command -v findmnt) if [ -n "${findmnt_bin}" ]; then - last_result=$(${findmnt_bin} > "${backup_dir}/mount.txt") + last_result=$(${findmnt_bin} > "${dump_dir}/mount.txt") last_rc=$? if [ ${last_rc} -eq 0 ]; then 
@@ -616,7 +598,7 @@ backup_mount() { mount_bin=$(command -v mount) if [ -n "${mount_bin}" ]; then - last_result=$(${mount_bin} > "${backup_dir}/mount.txt") + last_result=$(${mount_bin} > "${dump_dir}/mount.txt") last_rc=$? if [ ${last_rc} -eq 0 ]; then @@ -632,13 +614,13 @@ backup_mount() { fi } -backup_df() { - debug "Backup df" +do_df() { + debug "## df" df_bin=$(command -v df) if [ -n "${df_bin}" ]; then - last_result=$(${df_bin} --portability > "${backup_dir}/df.txt") + last_result=$(${df_bin} --portability > "${dump_dir}/df.txt") last_rc=$? if [ ${last_rc} -eq 0 ]; then @@ -653,13 +635,13 @@ backup_df() { fi } -backup_dmesg() { - debug "Backup dmesg" +do_dmesg() { + debug "## dmesg" dmesg_bin=$(command -v dmesg) if [ -n "${dmesg_bin}" ]; then - last_result=$(${dmesg_bin} > "${backup_dir}/dmesg.txt") + last_result=$(${dmesg_bin} > "${dump_dir}/dmesg.txt") last_rc=$? if [ ${last_rc} -eq 0 ]; then @@ -674,15 +656,15 @@ backup_dmesg() { fi } -backup_mysql_processes() { - debug "Backup mysql processes" +do_mysql_processes() { + debug "## MySQL processes" mysqladmin_bin=$(command -v mysqladmin) if [ -n "${mysqladmin_bin}" ]; then # Look for local MySQL or MariaDB process if pgrep mysqld > /dev/null || pgrep mariadbd > /dev/null; then - last_result=$(${mysqladmin_bin} --verbose processlist > "${backup_dir}/mysql-processlist.txt") + last_result=$(${mysqladmin_bin} --verbose processlist > "${dump_dir}/mysql-processlist.txt") last_rc=$? if [ ${last_rc} -eq 0 ]; then @@ -700,13 +682,13 @@ backup_mysql_processes() { fi } -backup_systemctl() { - debug "Backup services" +do_systemctl() { + debug "## Systemd services" systemctl_bin=$(command -v systemctl) if [ -n "${systemctl_bin}" ]; then - last_result=$(${systemctl_bin} --no-legend --state=failed --type=service > "${backup_dir}/systemctl-failed-services.txt") + last_result=$(${systemctl_bin} --no-legend --state=failed --type=service > "${dump_dir}/systemctl-failed-services.txt") last_rc=$? if [ ${last_rc} -eq 0 ]; then 
@@ -723,86 +705,86 @@ backup_systemctl() { main() { - if [ -z "${backup_dir}" ]; then - echo "ERROR: You must provide the --backup-dir argument" >&2 + if [ -z "${dump_dir}" ]; then + echo "ERROR: You must provide the --dump-dir argument" >&2 exit 1 fi - if [ -d "${backup_dir}" ]; then + if [ -d "${dump_dir}" ]; then if [ "${FORCE}" != "1" ]; then - echo "ERROR: The backup directory ${backup_dir} already exists. Delete it first." >&2 + echo "ERROR: The dump directory ${dump_dir} already exists. Delete it first." >&2 exit 2 fi else - create_backup_dir + create_dump_dir fi if [ "${DO_ETC}" -eq 1 ]; then - backup_etc + do_etc fi if [ "${DO_DPKG_FULL}" -eq 1 ]; then - backup_dpkg_full + do_dpkg_full fi if [ "${DO_DPKG_STATUS}" -eq 1 ]; then - backup_dpkg_status + do_dpkg_status fi if [ "${DO_APT_STATES}" -eq 1 ]; then - backup_apt_states + do_apt_states fi if [ "${DO_APT_CONFIG}" -eq 1 ]; then - backup_apt_config + do_apt_config fi if [ "${DO_PACKAGES}" -eq 1 ]; then - backup_packages + do_packages fi if [ "${DO_PROCESSES}" -eq 1 ]; then - backup_processes + do_processes fi if [ "${DO_UPTIME}" -eq 1 ]; then - backup_uptime + do_uptime fi if [ "${DO_UNAME}" -eq 1 ]; then - backup_uname + do_uname fi if [ "${DO_NETSTAT}" -eq 1 ]; then - backup_netstat + do_netstat fi if [ "${DO_NETCFG}" -eq 1 ]; then - backup_netcfg + do_netcfg fi if [ "${DO_IPTABLES}" -eq 1 ]; then - backup_iptables + do_iptables fi if [ "${DO_SYSCTL}" -eq 1 ]; then - backup_sysctl + do_sysctl fi if [ "${DO_VIRSH}" -eq 1 ]; then - backup_virsh + do_virsh fi if [ "${DO_LXC}" -eq 1 ]; then - backup_lxc + do_lxc fi if [ "${DO_DISKS}" -eq 1 ]; then - backup_disks + do_disks fi if [ "${DO_MOUNT}" -eq 1 ]; then - backup_mount + do_mount fi if [ "${DO_DF}" -eq 1 ]; then - backup_df + do_df fi if [ "${DO_DMESG}" -eq 1 ]; then - backup_dmesg + do_dmesg fi if [ "${DO_MYSQL_PROCESSES}" -eq 1 ]; then - backup_mysql_processes + do_mysql_processes fi if [ "${DO_SYSTEMCTL}" -eq 1 ]; then - backup_systemctl + 
do_systemctl fi - debug "=> Your backup is available at ${backup_dir}" + debug "=> Your dump is available at ${dump_dir}" exit ${rc} } @@ -826,23 +808,23 @@ while :; do FORCE=1 ;; - -d|--backup-dir) + -d|--dump-dir|--backup-dir) # with value separated by space if [ -n "$2" ]; then - backup_dir=$2 + dump_dir=$2 shift else - printf 'ERROR: "-d|--backup-dir" requires a non-empty option argument.\n' >&2 + printf 'ERROR: "-d|--dump-dir|--backup-dir" requires a non-empty option argument.\n' >&2 exit 1 fi ;; - --backup-dir=?*) + --dump-dir=?*|--backup-dir=?*) # with value speparated by = - backup_dir=${1#*=} + dump_dir=${1#*=} ;; - --backup-dir=) + --dump-dir=|--backup-dir=) # without value - printf 'ERROR: "--backup-dir" requires a non-empty option argument.\n' >&2 + printf 'ERROR: "--dump-dir|--backup-dir" requires a non-empty option argument.\n' >&2 exit 1 ;; diff --git a/evolinux-base/tasks/utils.yml b/evolinux-base/tasks/utils.yml index a5ff56fa..bf1ef7db 100644 --- a/evolinux-base/tasks/utils.yml +++ b/evolinux-base/tasks/utils.yml @@ -3,10 +3,22 @@ - include_role: name: evolix/remount-usr -- name: backup-server-state script is present - copy: - src: "backup-server-state.sh" +- name: move backup-server-state to dump-server-state if present + command: mv /usr/local/sbin/backup-server-state /usr/local/sbin/dump-server-state + args: + creates: /usr/local/sbin/dump-server-state + +- name: symlink backup-server-state to dump-server-state + file: + src: /usr/local/sbin/dump-server-state dest: /usr/local/sbin/backup-server-state + state: link + force: yes + +- name: dump-server-state script is present + copy: + src: "dump-server-state.sh" + dest: /usr/local/sbin/dump-server-state force: True owner: root group: root -- 2.39.2 From f0b23ffa504bc2860de5383d1fb5fea0b22c6fa7 Mon Sep 17 00:00:00 2001 
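Review bot: The `move backup-server-state to dump-server-state` task is guarded only by `creates:`, so on a host that has neither script (a fresh install, or the first run of this role after the rename) `mv` runs against a missing source and the play fails. Adding `removes: /usr/local/sbin/backup-server-state` under `args:` makes the task skip unless the old file is really present. The task order also deserves a look: the symlink task runs before the copy that installs `dump-server-state`, so on a new host it presumably links to a target that does not exist yet and relies on `force: yes` to create a dangling link; placing the copy first would make the sequence self-evident.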
From: Jeremy Lecour Date: Sun, 27 Mar 2022 09:31:06 +0200 Subject: [PATCH 008/497] dump-server-state: split backup-dir and dump-dir options parsing --- evolinux-base/files/dump-server-state.sh | 49 +++++++++++++++++++++--- 1 file changed, 43 insertions(+), 6 deletions(-) diff --git a/evolinux-base/files/dump-server-state.sh b/evolinux-base/files/dump-server-state.sh index bdc1e301..45db7788 100644 --- a/evolinux-base/files/dump-server-state.sh +++ b/evolinux-base/files/dump-server-state.sh @@ -2,7 +2,7 @@ PROGNAME="dump-server-state" -VERSION="22.03.6" +VERSION="22.03.7" readonly VERSION dump_dir= 
@@ -808,26 +808,63 @@ while :; do
 FORCE=1
 ;;
- -d|--dump-dir|--backup-dir)
+ -d|--dump-dir)
 # with value separated by space
 if [ -n "$2" ]; then
 dump_dir=$2
 shift
 else
- printf 'ERROR: "-d|--dump-dir|--backup-dir" requires a non-empty option argument.\n' >&2
+ printf 'ERROR: "-d|--dump-dir" requires a non-empty option argument.\n' >&2
 exit 1
 fi
 ;;
- --dump-dir=?*|--backup-dir=?*)
+ --dump-dir=?*)
 # with value speparated by =
 dump_dir=${1#*=}
 ;;
- --dump-dir=|--backup-dir=)
+ --dump-dir=)
 # without value
- printf 'ERROR: "--dump-dir|--backup-dir" requires a non-empty option argument.\n' >&2
+ printf 'ERROR: "--dump-dir" requires a non-empty option argument.\n' >&2
 exit 1
 ;;
+ --backup-dir)
+ printf 'WARNING: "--backup-dir" is deprecated in favor of "--dump-dir".\n'
+ if [ -n "${dump_dir}" ]; then
+ debug "Dump directory is already set, let's ignore this one."
+ else
+ debug "Dump directory is not set already, let's stay backward compatible."
+ # with value separated by space
+ if [ -n "$2" ]; then
+ dump_dir=$2
+ shift
+ else
+ printf 'ERROR: "--backup-dir" requires a non-empty option argument.\n' >&2
+ exit 1
+ fi
+ fi
+ ;;
+ --backup-dir=?*)
+ # with value speparated by =
+ printf 'WARNING: "--backup-dir" is deprecated in favor of "--dump-dir".\n'
+ if [ -n "${dump_dir}" ]; then
+ debug "Dump directory is already set, let's ignore this one."
+ else
+ debug "Dump directory is not set already, let's stay backward compatible."
+ dump_dir=${1#*=}
+ fi
+ ;;
+ --backup-dir=)
+ # without value
+ printf 'WARNING: "--backup-dir" is deprecated in favor of "--dump-dir".\n'
+ if [ -n "${dump_dir}" ]; then
+ debug "Dump directory is already set, let's ignore this one."
+ else
+ printf 'ERROR: "--backup-dir" requires a non-empty option argument.\n' >&2
+ exit 1
+ fi
+ ;;
+
+ --etc)
 DO_ETC=1
 ;;
--
2.39.2
From d0f8e6c75364e1d2fcedaae4c2219f5a8f9448fd Mon Sep 17 00:00:00 2001
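Review bot: The three new deprecation warnings for `--backup-dir` are emitted with a bare `printf` and therefore go to stdout, while every ERROR in the same `case` is routed to stderr with `>&2`; anything that captures the script's stdout will now receive the warning text as data. Each of the three `printf 'WARNING: "--backup-dir" is deprecated in favor of "--dump-dir".\n'` lines should end with `>&2`. The warning text and the `if [ -n "${dump_dir}" ]` check are duplicated across the three branches; a small helper such as `warn_backup_dir_deprecated()` called from each would keep them in sync, and the `speparated` typo copied into the new comment could be fixed on the same pass. The `while :; do` loop holding this `case` begins before and ends after the hunk.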
From: Jeremy Lecour Date: Sun, 27 Mar 2022 10:08:20 +0200 Subject: [PATCH 009/497] dump-server-state: upstream release 22.03.8 --- evolinux-base/files/dump-server-state.sh | 63 +++++++++++++----------- 1 file changed, 34 insertions(+), 29 deletions(-) diff --git a/evolinux-base/files/dump-server-state.sh b/evolinux-base/files/dump-server-state.sh index 45db7788..7adde4e4 100644 --- a/evolinux-base/files/dump-server-state.sh +++ b/evolinux-base/files/dump-server-state.sh @@ -1,8 +1,9 @@ #!/bin/sh PROGNAME="dump-server-state" +REPOSITORY="https://gitea.evolix.org/evolix/dump-server-state" -VERSION="22.03.7" +VERSION="22.03.8" readonly VERSION dump_dir= @@ -20,6 +21,8 @@ Copyright 2018-2022 Evolix , Brice Waegeneire and others. +${REPOSITORY} + ${PROGNAME} comes with ABSOLUTELY NO WARRANTY.This is free software, and you are welcome to redistribute it under certain conditions. See the GNU General Public License v3.0 for details. 
@@ -31,34 +34,36 @@ ${PROGNAME} is dumping information related to the state of the server. Usage: ${PROGNAME} --dump-dir=/path/to/dump/directory [OPTIONS] -Options - -d, --dump-dir path to the directory where data will be stored - --backup-dir legacy option for dump directory - -f, --force keep existing dump directory and its content - --[no-]etc copy of /etc (default: no) - --[no-]dpkg-full copy of /var/lib/dpkg (default: no) - --[no-]dpkg-status copy of /var/lib/dpkg/status (default: yes) - --[no-]apt-states copy of apt extended states (default: yes) - --[no-]apt-config copy of apt configuration (default: yes) - --[no-]packages copy of dpkg selections (default: yes) - --[no-]processes copy of process list (default: yes) - --[no-]uname copy of uname value (default: yes) - --[no-]uptime copy of uptime value (default: yes) - --[no-]netstat copy of netstat (default: yes) - --[no-]netcfg copy of network configuration (default: yes) - --[no-]iptables copy of iptables (default: yes) - --[no-]sysctl copy of sysctl values (default: yes) - --[no-]virsh copy of virsh list (default: yes) - --[no-]lxc copy of lxc list (default: yes) - --[no-]disks copy of MBR and partitions (default: yes) - --[no-]mount copy of mount points (default: yes) - --[no-]df copy of disk usage (default: yes) - --[no-]dmesg copy of dmesg (default: yes) - --[no-]mysql copy of mysql processes (default: yes) - --[no-]systemctl copy of systemd services states (default: yes) - -v, --verbose print details about each step - -V, --version print version and exit - -h, --help print this message and exit +Main options + -d, --dump-dir path to the directory where data will be stored + --backup-dir legacy option for dump directory + -f, --force keep existing dump directory and its content + -v, --verbose print details about each step + -V, --version print version and exit + -h, --help print this message and exit + +Dump options + --[no-]etc copy of /etc (default: no) + --[no-]dpkg-full copy of /var/lib/dpkg 
(default: no) + --[no-]dpkg-status copy of /var/lib/dpkg/status (default: yes) + --[no-]apt-states copy of apt extended states (default: yes) + --[no-]apt-config copy of apt configuration (default: yes) + --[no-]packages copy of dpkg selections (default: yes) + --[no-]processes copy of process list (default: yes) + --[no-]uname copy of uname value (default: yes) + --[no-]uptime copy of uptime value (default: yes) + --[no-]netstat copy of netstat (default: yes) + --[no-]netcfg copy of network configuration (default: yes) + --[no-]iptables copy of iptables (default: yes) + --[no-]sysctl copy of sysctl values (default: yes) + --[no-]virsh copy of virsh list (default: yes) + --[no-]lxc copy of lxc list (default: yes) + --[no-]disks copy of MBR and partitions (default: yes) + --[no-]mount copy of mount points (default: yes) + --[no-]df copy of disk usage (default: yes) + --[no-]dmesg copy of dmesg (default: yes) + --[no-]mysql copy of mysql processes (default: yes) + --[no-]systemctl copy of systemd services states (default: yes) END } debug() { -- 2.39.2 From 214b6e0d6a342b11d610f03e763b19eed31c28dd Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 27 Mar 2022 10:40:52 +0200 Subject: [PATCH 010/497] dump-server-state: upstream release 22.03.9 --- evolinux-base/files/dump-server-state.sh | 367 +++++++++++++---------- 1 file changed, 215 insertions(+), 152 deletions(-) diff --git a/evolinux-base/files/dump-server-state.sh b/evolinux-base/files/dump-server-state.sh index 7adde4e4..0a779d3a 100644 --- a/evolinux-base/files/dump-server-state.sh +++ b/evolinux-base/files/dump-server-state.sh @@ -3,7 +3,7 @@ PROGNAME="dump-server-state" REPOSITORY="https://gitea.evolix.org/evolix/dump-server-state" -VERSION="22.03.8" +VERSION="22.03.9" readonly VERSION dump_dir= 
@@ -38,11 +38,13 @@ Main options -d, --dump-dir path to the directory where data will be stored --backup-dir legacy option for dump directory -f, --force keep existing dump directory and its content - -v, --verbose print details about each step + -v, --verbose print details about each task -V, --version print version and exit -h, --help print this message and exit -Dump options +Tasks options + --all reset options to execute all tasks + --none reset options to execute no task --[no-]etc copy of /etc (default: no) --[no-]dpkg-full copy of /var/lib/dpkg (default: no) --[no-]dpkg-status copy of /var/lib/dpkg/status (default: yes) @@ -64,6 +66,12 @@ Dump options --[no-]dmesg copy of dmesg (default: yes) --[no-]mysql copy of mysql processes (default: yes) --[no-]systemctl copy of systemd services states (default: yes) + +Tasks options order matters. They are evaluated from left to right. +Examples : +* "[…] --none --uname" will do only the uname task +* "[…] --all --no-etc" will do everything but the etc task +* "[…] --etc --none --mysql" will do only the mysql task END } debug() { @@ -73,7 +81,7 @@ debug() { } create_dump_dir() { - debug "## Create ${dump_dir}" + debug "Task: Create ${dump_dir}" last_result=$(mkdir -p "${dump_dir}" && chmod -R 755 "${dump_dir}") last_rc=$? @@ -87,8 +95,8 @@ create_dump_dir() { fi } -do_etc() { - debug "## /etc" +task_etc() { + debug "Task: /etc" rsync_bin=$(command -v rsync) @@ -118,7 +126,7 @@ do_etc() { fi } -do_apt_states() { +task_apt_states() { apt_dir="/" apt_dir_state="var/lib/apt" apt_dir_state_extended_states="extended_states" @@ -133,7 +141,7 @@ do_apt_states() { extended_states="${apt_dir}/${apt_dir_state}/${apt_dir_state_extended_states}" if [ -f "${extended_states}" ]; then - debug "## APT states" + debug "Task: APT states" last_result=$(cp -r "${extended_states}" "${dump_dir}/apt-extended-states.txt") last_rc=$? 
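Review bot: The new example `"[…] --etc --none --mysql"` names an option the parser does not accept: the option cases further down in this patch (`@@ -870` hunk) handle `--mysql-processes` / `--no-mysql-processes`, and the pre-existing `--[no-]mysql` help line has the same mismatch, so a user copying the example gets an unknown-option error unless a `--mysql` alias exists outside the visible hunks. Either change the help line to `--[no-]mysql-processes` and the example to `"[…] --etc --none --mysql-processes"`, or add `--mysql|--mysql-processes)` and `--no-mysql|--no-mysql-processes)` cases in the parser. The heredoc holding this help text starts before the hunk.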
@@ -148,8 +156,8 @@ do_apt_states() { fi } -do_apt_config() { - debug "## APT config" +task_apt_config() { + debug "Task: APT config" apt_config_bin=$(command -v apt-config) @@ -169,8 +177,8 @@ do_apt_config() { fi } -do_dpkg_full() { - debug "## DPkg full state" +task_dpkg_full() { + debug "Task: DPkg full state" dir_state_status="/var/lib/dpkg/status" @@ -222,8 +230,8 @@ do_dpkg_full() { fi } -do_dpkg_status() { - debug "## DPkg status" +task_dpkg_status() { + debug "Task: DPkg status" dir_state_status="/var/lib/dpkg/status" @@ -245,8 +253,8 @@ do_dpkg_status() { fi } -do_packages() { - debug "## List of installed package" +task_packages() { + debug "Task: List of installed package" dpkg_bin=$(command -v dpkg) @@ -266,8 +274,8 @@ do_packages() { fi } -do_uname() { - debug "## uname" +task_uname() { + debug "Task: uname" last_result=$(uname -a > "${dump_dir}/uname.txt") last_rc=$? @@ -281,8 +289,8 @@ do_uname() { fi } -do_uptime() { - debug "## uptime" +task_uptime() { + debug "Task: uptime" last_result=$(uptime > "${dump_dir}/uptime.txt") last_rc=$? @@ -296,8 +304,8 @@ do_uptime() { fi } -do_processes() { - debug "## Process list" +task_processes() { + debug "Task: Process list" last_result=$(ps fauxw > "${dump_dir}/ps.txt") last_rc=$? @@ -326,8 +334,8 @@ do_processes() { fi } -do_netstat() { - debug "## Network status" +task_netstat() { + debug "Task: Network status" ss_bin=$(command -v ss) @@ -364,8 +372,8 @@ do_netstat() { fi } -do_netcfg() { - debug "## Network configuration" +task_netcfg() { + debug "Task: Network configuration" ip_bin=$(command -v ip) @@ -413,8 +421,8 @@ do_netcfg() { fi } -do_iptables() { - debug "## iptables" +task_iptables() { + debug "Task: iptables" iptables_bin=$(command -v iptables) nft_bin=$(command -v nft) @@ -467,8 +475,8 @@ do_iptables() { fi } -do_sysctl() { - debug "## sysctl values" +task_sysctl() { + debug "Task: sysctl values" sysctl_bin=$(command -v sysctl) 
@@ -488,8 +496,8 @@ do_sysctl() { fi } -do_virsh() { - debug "## virsh list" +task_virsh() { + debug "Task: virsh list" virsh_bin=$(command -v virsh) @@ -509,8 +517,8 @@ do_virsh() { fi } -do_lxc() { - debug "## lxc list" +task_lxc() { + debug "Task: lxc list" lxc_ls_bin=$(command -v lxc-ls) @@ -530,8 +538,8 @@ do_lxc() { fi } -do_disks() { - debug "## Disks" +task_disks() { + debug "Task: Disks" lsblk_bin=$(command -v lsblk) awk_bin=$(command -v awk) @@ -581,8 +589,8 @@ do_disks() { fi } -do_mount() { - debug "## Mount points" +task_mount() { + debug "Task: Mount points" findmnt_bin=$(command -v findmnt) @@ -619,8 +627,8 @@ do_mount() { fi } -do_df() { - debug "## df" +task_df() { + debug "Task: df" df_bin=$(command -v df) @@ -640,8 +648,8 @@ do_df() { fi } -do_dmesg() { - debug "## dmesg" +task_dmesg() { + debug "Task: dmesg" dmesg_bin=$(command -v dmesg) @@ -661,8 +669,8 @@ do_dmesg() { fi } -do_mysql_processes() { - debug "## MySQL processes" +task_mysql_processes() { + debug "Task: MySQL processes" mysqladmin_bin=$(command -v mysqladmin) @@ -687,8 +695,8 @@ do_mysql_processes() { fi } -do_systemctl() { - debug "## Systemd services" +task_systemctl() { + debug "Task: Systemd services" systemctl_bin=$(command -v systemctl) @@ -708,7 +716,6 @@ do_systemctl() { fi } - main() { if [ -z "${dump_dir}" ]; then echo "ERROR: You must provide the --dump-dir argument" >&2 
@@ -724,68 +731,68 @@ main() { create_dump_dir fi - if [ "${DO_ETC}" -eq 1 ]; then - do_etc + if [ "${TASK_ETC}" -eq 1 ]; then + task_etc fi - if [ "${DO_DPKG_FULL}" -eq 1 ]; then - do_dpkg_full + if [ "${TASK_DPKG_FULL}" -eq 1 ]; then + task_dpkg_full fi - if [ "${DO_DPKG_STATUS}" -eq 1 ]; then - do_dpkg_status + if [ "${TASK_DPKG_STATUS}" -eq 1 ]; then + task_dpkg_status fi - if [ "${DO_APT_STATES}" -eq 1 ]; then - do_apt_states + if [ "${TASK_APT_STATES}" -eq 1 ]; then + task_apt_states fi - if [ "${DO_APT_CONFIG}" -eq 1 ]; then - do_apt_config + if [ "${TASK_APT_CONFIG}" -eq 1 ]; then + task_apt_config fi - if [ "${DO_PACKAGES}" -eq 1 ]; then - do_packages + if [ "${TASK_PACKAGES}" -eq 1 ]; then + task_packages fi - if [ "${DO_PROCESSES}" -eq 1 ]; then - do_processes + if [ "${TASK_PROCESSES}" -eq 1 ]; then + task_processes fi - if [ "${DO_UPTIME}" -eq 1 ]; then - do_uptime + if [ "${TASK_UPTIME}" -eq 1 ]; then + task_uptime fi - if [ "${DO_UNAME}" -eq 1 ]; then - do_uname + if [ "${TASK_UNAME}" -eq 1 ]; then + task_uname fi - if [ "${DO_NETSTAT}" -eq 1 ]; then - do_netstat + if [ "${TASK_NETSTAT}" -eq 1 ]; then + task_netstat fi - if [ "${DO_NETCFG}" -eq 1 ]; then - do_netcfg + if [ "${TASK_NETCFG}" -eq 1 ]; then + task_netcfg fi - if [ "${DO_IPTABLES}" -eq 1 ]; then - do_iptables + if [ "${TASK_IPTABLES}" -eq 1 ]; then + task_iptables fi - if [ "${DO_SYSCTL}" -eq 1 ]; then - do_sysctl + if [ "${TASK_SYSCTL}" -eq 1 ]; then + task_sysctl fi - if [ "${DO_VIRSH}" -eq 1 ]; then - do_virsh + if [ "${TASK_VIRSH}" -eq 1 ]; then + task_virsh fi - if [ "${DO_LXC}" -eq 1 ]; then - do_lxc + if [ "${TASK_LXC}" -eq 1 ]; then + task_lxc fi - if [ "${DO_DISKS}" -eq 1 ]; then - do_disks + if [ "${TASK_DISKS}" -eq 1 ]; then + task_disks fi - if [ "${DO_MOUNT}" -eq 1 ]; then - do_mount + if [ "${TASK_MOUNT}" -eq 1 ]; then + task_mount fi - if [ "${DO_DF}" -eq 1 ]; then - do_df + if [ "${TASK_DF}" -eq 1 ]; then + task_df fi - if [ "${DO_DMESG}" -eq 1 ]; then - do_dmesg + if [ 
"${TASK_DMESG}" -eq 1 ]; then + task_dmesg fi - if [ "${DO_MYSQL_PROCESSES}" -eq 1 ]; then - do_mysql_processes + if [ "${TASK_MYSQL_PROCESSES}" -eq 1 ]; then + task_mysql_processes fi - if [ "${DO_SYSTEMCTL}" -eq 1 ]; then - do_systemctl + if [ "${TASK_SYSTEMCTL}" -eq 1 ]; then + task_systemctl fi 
@@ -870,151 +877,207 @@ while :; do fi ;; + --all) + for option in \ + TASK_ETC \ + TASK_DPKG_FULL \ + TASK_DPKG_STATUS \ + TASK_APT_STATES \ + TASK_APT_CONFIG \ + TASK_PACKAGES \ + TASK_PROCESSES \ + TASK_UNAME \ + TASK_UPTIME \ + TASK_NETSTAT \ + TASK_NETCFG \ + TASK_IPTABLES \ + TASK_SYSCTL \ + TASK_VIRSH \ + TASK_LXC \ + TASK_DISKS \ + TASK_MOUNT \ + TASK_DF \ + TASK_DMESG \ + TASK_MYSQL_PROCESSES \ + TASK_SYSTEMCTL + do + eval "${option}=1" + done + ;; + + --none) + for option in \ + TASK_ETC \ + TASK_DPKG_FULL \ + TASK_DPKG_STATUS \ + TASK_APT_STATES \ + TASK_APT_CONFIG \ + TASK_PACKAGES \ + TASK_PROCESSES \ + TASK_UNAME \ + TASK_UPTIME \ + TASK_NETSTAT \ + TASK_NETCFG \ + TASK_IPTABLES \ + TASK_SYSCTL \ + TASK_VIRSH \ + TASK_LXC \ + TASK_DISKS \ + TASK_MOUNT \ + TASK_DF \ + TASK_DMESG \ + TASK_MYSQL_PROCESSES \ + TASK_SYSTEMCTL + do + eval "${option}=0" + done + ;; + --etc) - DO_ETC=1 + TASK_ETC=1 ;; --no-etc) - DO_ETC=0 + TASK_ETC=0 ;; --dpkg-full) - DO_DPKG_FULL=1 + TASK_DPKG_FULL=1 ;; --no-dpkg-full) - DO_DPKG_FULL=0 + TASK_DPKG_FULL=0 ;; --dpkg-status) - DO_DPKG_STATUS=1 + TASK_DPKG_STATUS=1 ;; --no-dpkg-status) - DO_DPKG_STATUS=0 + TASK_DPKG_STATUS=0 ;; --apt-states) - DO_APT_STATES=1 + TASK_APT_STATES=1 ;; --no-apt-states) - DO_APT_STATES=0 + TASK_APT_STATES=0 ;; --apt-config) - DO_APT_CONFIG=1 + TASK_APT_CONFIG=1 ;; --no-apt-config) - DO_APT_CONFIG=0 + TASK_APT_CONFIG=0 ;; --packages) - DO_PACKAGES=1 + TASK_PACKAGES=1 ;; --no-packages) - DO_PACKAGES=0 + TASK_PACKAGES=0 ;; --processes) - DO_PROCESSES=1 + TASK_PROCESSES=1 ;; --no-processes) - DO_PROCESSES=0 + TASK_PROCESSES=0 ;; --uptime) - DO_UPTIME=1 + TASK_UPTIME=1 ;; --no-uptime) - DO_UPTIME=0 + TASK_UPTIME=0 ;; --uname) - DO_UNAME=1 + TASK_UNAME=1 ;; --no-uname) - DO_UNAME=0 + TASK_UNAME=0 ;; --netstat) - DO_NETSTAT=1 + TASK_NETSTAT=1 ;; --no-netstat) - DO_NETSTAT=0 + TASK_NETSTAT=0 ;; --netcfg) - DO_NETCFG=1 + TASK_NETCFG=1 ;; --no-netcfg) - DO_NETCFG=0 + TASK_NETCFG=0 ;; --iptables) - 
DO_IPTABLES=1 + TASK_IPTABLES=1 ;; --no-iptables) - DO_IPTABLES=0 + TASK_IPTABLES=0 ;; --sysctl) - DO_SYSCTL=1 + TASK_SYSCTL=1 ;; --no-sysctl) - DO_SYSCTL=0 + TASK_SYSCTL=0 ;; --virsh) - DO_VIRSH=1 + TASK_VIRSH=1 ;; --no-virsh) - DO_VIRSH=0 + TASK_VIRSH=0 ;; --lxc) - DO_LXC=1 + TASK_LXC=1 ;; --no-lxc) - DO_LXC=0 + TASK_LXC=0 ;; --disks) - DO_DISKS=1 + TASK_DISKS=1 ;; --no-disks) - DO_DISKS=0 + TASK_DISKS=0 ;; --mount) - DO_MOUNT=1 + TASK_MOUNT=1 ;; --no-mount) - DO_MOUNT=0 + TASK_MOUNT=0 ;; --df) - DO_DF=1 + TASK_DF=1 ;; --no-df) - DO_DF=0 + TASK_DF=0 ;; --dmesg) - DO_DMESG=1 + TASK_DMESG=1 ;; --no-dmesg) - DO_DMESG=0 + TASK_DMESG=0 ;; --mysql-processes) - DO_MYSQL_PROCESSES=1 + TASK_MYSQL_PROCESSES=1 ;; --no-mysql-processes) - DO_MYSQL_PROCESSES=0 + TASK_MYSQL_PROCESSES=0 ;; --systemctl) - DO_SYSTEMCTL=1 + TASK_SYSTEMCTL=1 ;; --no-systemctl) - DO_SYSTEMCTL=0 + TASK_SYSTEMCTL=0 ;; --) @@ -1039,27 +1102,27 @@ done # Default values : "${VERBOSE:=0}" : "${FORCE:=0}" -: "${DO_ETC:=0}" -: "${DO_DPKG_FULL:=0}" -: "${DO_DPKG_STATUS:=1}" -: "${DO_APT_STATES:=1}" -: "${DO_APT_CONFIG:=1}" -: "${DO_PACKAGES:=1}" -: "${DO_PROCESSES:=1}" -: "${DO_UNAME:=1}" -: "${DO_UPTIME:=1}" -: "${DO_NETSTAT:=1}" -: "${DO_NETCFG:=1}" -: "${DO_IPTABLES:=1}" -: "${DO_SYSCTL:=1}" -: "${DO_VIRSH:=1}" -: "${DO_LXC:=1}" -: "${DO_DISKS:=1}" -: "${DO_MOUNT:=1}" -: "${DO_DF:=1}" -: "${DO_DMESG:=1}" -: "${DO_MYSQL_PROCESSES:=1}" -: "${DO_SYSTEMCTL:=1}" +: "${TASK_ETC:=0}" +: "${TASK_DPKG_FULL:=0}" +: "${TASK_DPKG_STATUS:=1}" +: "${TASK_APT_STATES:=1}" +: "${TASK_APT_CONFIG:=1}" +: "${TASK_PACKAGES:=1}" +: "${TASK_PROCESSES:=1}" +: "${TASK_UNAME:=1}" +: "${TASK_UPTIME:=1}" +: "${TASK_NETSTAT:=1}" +: "${TASK_NETCFG:=1}" +: "${TASK_IPTABLES:=1}" +: "${TASK_SYSCTL:=1}" +: "${TASK_VIRSH:=1}" +: "${TASK_LXC:=1}" +: "${TASK_DISKS:=1}" +: "${TASK_MOUNT:=1}" +: "${TASK_DF:=1}" +: "${TASK_DMESG:=1}" +: "${TASK_MYSQL_PROCESSES:=1}" +: "${TASK_SYSTEMCTL:=1}" export LC_ALL=C -- 2.39.2 
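Review bot: The `--all` and `--none` cases each carry their own 21-name list of `TASK_*` flags, and the defaults hunk `@@ -1039` on this line lists the same names a third time, so adding a task later means editing three places and a name missed in one list silently leaves that task unaffected by `--all`/`--none`. Keeping one list in a variable and one helper that sets every flag removes the duplication; `eval` stays acceptable only because the names are fixed literals in the script and never user input, which deserves a comment. The loop variable `option` is also left set after the loop. The enclosing `while :; do … case` starts before this hunk; `ALL_TASKS` and the helper would be defined before that loop.
```shell
ALL_TASKS="TASK_ETC TASK_DPKG_FULL TASK_DPKG_STATUS TASK_APT_STATES TASK_APT_CONFIG TASK_PACKAGES TASK_PROCESSES TASK_UNAME TASK_UPTIME TASK_NETSTAT TASK_NETCFG TASK_IPTABLES TASK_SYSCTL TASK_VIRSH TASK_LXC TASK_DISKS TASK_MOUNT TASK_DF TASK_DMESG TASK_MYSQL_PROCESSES TASK_SYSTEMCTL"

# Set every TASK_* flag to $1 (0 or 1).
# eval is safe here only because ALL_TASKS is a fixed list of literals; never build it from input.
set_all_tasks() {
    for option in ${ALL_TASKS}; do
        eval "${option}=$1"
    done
    unset option
}

# … unchanged: earlier option cases (-d, --dump-dir, -f, -v, -V, -h) …
        --all)
            set_all_tasks 1
            ;;
        --none)
            set_all_tasks 0
            ;;
# … unchanged: per-task --x / --no-x cases …
```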
From 6ab0cb4fd1b3a044207c8b6bbd2b92636f5ef20c Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Mon, 28 Mar 2022 11:56:03 +0200 Subject: [PATCH 011/497] =?UTF-8?q?evolinux-base:=20Fix=20utils.yml=20->?= =?UTF-8?q?=20Ne=20pas=20d=C3=A9placer=20inutilement=20le=20script=20qu'on?= =?UTF-8?q?=20va=20de=20toute=20fa=C3=A7on=20=C3=A9craser?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit + Correction du cas d'une machine n'ayant pas le script (fail du mv initial) --- evolinux-base/tasks/utils.yml | 19 +++++++------------ 1 file changed, 7 insertions(+), 12 deletions(-) diff --git a/evolinux-base/tasks/utils.yml b/evolinux-base/tasks/utils.yml index bf1ef7db..084f8b35 100644 --- a/evolinux-base/tasks/utils.yml +++ b/evolinux-base/tasks/utils.yml @@ -3,18 +3,6 @@ - include_role: name: evolix/remount-usr -- name: move backup-server-state to dump-server-state if present - command: mv /usr/local/sbin/backup-server-state /usr/local/sbin/dump-server-state - args: - creates: /usr/local/sbin/dump-server-state - -- name: symlink backup-server-state to dump-server-state - file: - src: /usr/local/sbin/dump-server-state - dest: /usr/local/sbin/backup-server-state - state: link - force: yes - - name: dump-server-state script is present copy: src: "dump-server-state.sh" @@ -24,6 +12,13 @@ group: root mode: "0750" +- name: symlink backup-server-state to dump-server-state + file: + src: /usr/local/sbin/dump-server-state + dest: /usr/local/sbin/backup-server-state + state: link + force: yes + - name: "/sbin/deny script is present" copy: src: deny.sh -- 2.39.2 From 1ae978c74a06f14426ccd192776bbe12850a5404 Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour Date: Mon, 28 Mar 2022 13:27:19 +0200 Subject: [PATCH 012/497] minifirewall: restore "force-restart" and fix "restart-if-needed" --- minifirewall/tasks/config.yml | 13 +------------ minifirewall/tasks/install.yml | 2 ++ minifirewall/tasks/main.yml | 8 ++++---- 3 files changed, 7 insertions(+), 16 deletions(-) diff --git a/minifirewall/tasks/config.yml b/minifirewall/tasks/config.yml index c0afd2b1..57fea0f1 100644 --- a/minifirewall/tasks/config.yml +++ b/minifirewall/tasks/config.yml @@ -193,24 +193,13 @@ register: minifirewall_after - name: restart minifirewall - # service: - # name: minifirewall - # state: restarted command: /etc/init.d/minifirewall restart register: minifirewall_init_restart failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout" - changed_when: "'starting IPTables rules is now finish : OK' in minifirewall_init_restart.stdout" when: - minifirewall_restart_if_needed | bool - minifirewall_is_running.rc == 0 - - minifirewall_before.stat.checksum != minifirewall_after.stat.checksum - -- name: restart minifirewall (noop) - meta: noop - register: minifirewall_init_restart - failed_when: False - changed_when: False - when: not (minifirewall_restart_if_needed | bool) + - minifirewall_before.stat.checksum != minifirewall_after.stat.checksum or minifirewall_upgrade_script is changed or minifirewall_upgrade_config is changed - debug: var: minifirewall_init_restart diff --git a/minifirewall/tasks/install.yml b/minifirewall/tasks/install.yml index 5eeed116..9c0483b9 100644 --- a/minifirewall/tasks/install.yml +++ b/minifirewall/tasks/install.yml @@ -13,6 +13,7 @@ mode: "0700" owner: root group: root + register: minifirewall_upgrade_script - name: configuration is copied copy: @@ -22,6 +23,7 @@ mode: "0600" owner: root group: root + register: minifirewall_upgrade_config - name: includes directory is present file: 
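Review bot: The rewritten `when` clause of "restart minifirewall" references `minifirewall_upgrade_script` and `minifirewall_upgrade_config`, which are only registered by the two tasks this commit touches in install.yml; if config.yml is ever run without install.yml having executed first (a tag-limited run or a separate include — not decidable from this hunk), the undefined name makes the whole condition error out instead of skipping the restart. Guarding each reference keeps the task safe on its own: `(minifirewall_upgrade_script | default({})) is changed` and `(minifirewall_upgrade_config | default({})) is changed`, since the `changed` test returns false for an empty mapping. The removed noop task was what previously guaranteed `minifirewall_init_restart` existed for the following `debug`; a skipped task still registers its variable, so that part is fine.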
diff --git a/minifirewall/tasks/main.yml b/minifirewall/tasks/main.yml index 5f442eb1..0fbb3ad6 100644 --- a/minifirewall/tasks/main.yml +++ b/minifirewall/tasks/main.yml @@ -22,7 +22,7 @@ when: minifirewall_tail_included | bool - name: Force restart minifirewall - command: /bin/true - notify: restart minifirewall - changed_when: False - when: minifirewall_restart_force | bool + command: /etc/init.d/minifirewall restart + register: minifirewall_init_restart + failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout" + when: minifirewall_restart_force | bool \ No newline at end of file -- 2.39.2 From 3feacd0c6d7748ef108413d9704722ea41b3003a Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 28 Mar 2022 13:28:48 +0200 Subject: [PATCH 013/497] update CHANGELOG --- CHANGELOG.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c1c90020..b5c3aa01 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,11 +15,12 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed * evocheck: upstream release 22.03.1 -* evolinux-base: rename backup-server-state to dump-server-state * evolinux-base: Add non-free repos & install non-free firmware on dedicated hardware +* evolinux-base: rename backup-server-state to dump-server-state * generate-ldif: Add services check for bkctld -* minifirewall: upstream release 22.03.4 +* minifirewall: restore "force-restart" and fix "restart-if-needed" * minifirewall: tail template follows symlinks +* minifirewall: upstream release 22.03.4 * openvpn: use a subnet topology instead of the net30 default topology ### Fixed -- 2.39.2 From 75459baa35499591e80daa5005c35af46d653ade Mon Sep 17 00:00:00 2001 
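Review bot: The new "Force restart minifirewall" task repeats the restart command and the literal success marker `starting IPTables rules is now finish : OK` from the conditional restart in config.yml, and the file now ends without a final newline (`\ No newline at end of file`). Both tasks could take the marker from a single variable, e.g. `minifirewall_restart_ok_marker` (constructed name), so a wording change in the init script is fixed in one place. Both tasks also `register: minifirewall_init_restart`, so whichever runs last is what a later `debug` shows; that is harmless if the forced restart never runs in the same play as the conditional one, which cannot be confirmed from this hunk.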
From: Jeremy Lecour Date: Tue, 29 Mar 2022 09:11:35 +0200 Subject: [PATCH 014/497] dump-server-state: upstream release 22.03.10 --- CHANGELOG.md | 1 + evolinux-base/files/dump-server-state.sh | 97 ++++++++++++++---------- 2 files changed, 56 insertions(+), 42 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b5c3aa01..7243ecf6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * evocheck: upstream release 22.03.1 * evolinux-base: Add non-free repos & install non-free firmware on dedicated hardware * evolinux-base: rename backup-server-state to dump-server-state +* dump-server-state: upstream release 22.03.10 * generate-ldif: Add services check for bkctld * minifirewall: restore "force-restart" and fix "restart-if-needed" * minifirewall: tail template follows symlinks diff --git a/evolinux-base/files/dump-server-state.sh b/evolinux-base/files/dump-server-state.sh index 0a779d3a..1da5bf2f 100644 --- a/evolinux-base/files/dump-server-state.sh +++ b/evolinux-base/files/dump-server-state.sh @@ -3,7 +3,7 @@ PROGNAME="dump-server-state" REPOSITORY="https://gitea.evolix.org/evolix/dump-server-state" -VERSION="22.03.9" +VERSION="22.03.10" readonly VERSION dump_dir= 
@@ -425,52 +425,65 @@ task_iptables() { debug "Task: iptables" iptables_bin=$(command -v iptables) + + if [ -n "${iptables_bin}" ]; then + last_result=$({ ${iptables_bin} -L -n -v; ${iptables_bin} -t filter -L -n -v; } > "${dump_dir}/iptables-v.txt") + last_rc=$? + + if [ ${last_rc} -eq 0 ]; then + debug "* iptables -v OK" + else + debug "* iptables -v ERROR" + debug "${last_result}" + # Ignore errors because we don't know if this is nft related or a real error + # rc=10 + fi + + last_result=$({ ${iptables_bin} -L -n; ${iptables_bin} -t filter -L -n; } > "${dump_dir}/iptables.txt") + last_rc=$? + + if [ ${last_rc} -eq 0 ]; then + debug "* iptables OK" + else + debug "* iptables ERROR" + debug "${last_result}" + # Ignore errors because we don't know if this is nft related or a real error + # rc=10 + fi + else + debug "* iptables not found" + fi + + iptables_save_bin=$(command -v iptables-save) + + if [ -n "${iptables_save_bin}" ]; then + last_result=$(${iptables_save_bin} > "${dump_dir}/iptables-save.txt") + last_rc=$? + + if [ ${last_rc} -eq 0 ]; then + debug "* iptables-save OK" + else + debug "* iptables-save ERROR" + debug "${last_result}" + # Ignore errors because we don't know if this is nft related or a real error + # rc=10 + fi + else + debug "* iptables-save not found" + fi + nft_bin=$(command -v nft) if [ -n "${nft_bin}" ]; then - debug "* nft found, skip iptables" - else - if [ -n "${iptables_bin}" ]; then - last_result=$({ ${iptables_bin} -L -n -v; ${iptables_bin} -t filter -L -n -v; } >> "${dump_dir}/iptables-v.txt") - last_rc=$? + last_result=$(${nft_bin} list ruleset > "${dump_dir}/nft-ruleset.txt") + last_rc=$? - if [ ${last_rc} -eq 0 ]; then - debug "* iptables -v OK" - else - debug "* iptables -v ERROR" - debug "${last_result}" - rc=10 - fi - - last_result=$({ ${iptables_bin} -L -n; ${iptables_bin} -t filter -L -n; } >> "${dump_dir}/iptables.txt") - last_rc=$? 
- - if [ ${last_rc} -eq 0 ]; then - debug "* iptables OK" - else - debug "* iptables ERROR" - debug "${last_result}" - rc=10 - fi + if [ ${last_rc} -eq 0 ]; then + debug "* nft ruleset OK" else - debug "* iptables not found" - fi - - iptables_save_bin=$(command -v iptables-save) - - if [ -n "${iptables_save_bin}" ]; then - last_result=$(${iptables_save_bin} > "${dump_dir}/iptables-save.txt") - last_rc=$? - - if [ ${last_rc} -eq 0 ]; then - debug "* iptables-save OK" - else - debug "* iptables-save ERROR" - debug "${last_result}" - rc=10 - fi - else - debug "* iptables-save not found" + debug "* nft ruleset ERROR" + debug "${last_result}" + rc=10 fi fi } -- 2.39.2 From 20abe0e09aa43bbe6385a6592bb3e3cc367a0889 Mon Sep 17 00:00:00 2001 From: Mathieu Trossevin Date: Tue, 29 Mar 2022 16:06:12 +0200 Subject: [PATCH 015/497] postfix: Skip milters after amavis (in packmail) Otherwise opendkim will sign local mails twice AND sign external mails (pretending to be) from local domains as if they were local mails. --- CHANGELOG.md | 1 + postfix/templates/packmail_master.cf.j2 | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7243ecf6..9ce3eaf0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -29,6 +29,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * Repair keepalived role * generate-ldif: Correct generated entries for php-fpm in containers * redis: Remount /usr with RW before adding nagios plugin +* postfix: Do not send mails through milters a second time after amavis (in packmail) ### Removed diff --git a/postfix/templates/packmail_master.cf.j2 b/postfix/templates/packmail_master.cf.j2 index 50aeeec4..9627fcb3 100644 --- a/postfix/templates/packmail_master.cf.j2 +++ b/postfix/templates/packmail_master.cf.j2 
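Review bot: In the new `task_iptables` body `last_result` is always empty on the error path: each `last_result=$(… > "${dump_dir}/…")` captures only stdout, which is redirected into the dump file, while the error text goes to stderr and never reaches the following `debug "${last_result}"`. Routing stderr into the substitution fixes it, note the order of the redirections: `last_result=$({ ${iptables_bin} -L -n -v; ${iptables_bin} -t filter -L -n -v; } 2>&1 > "${dump_dir}/iptables-v.txt")`, and likewise for the `iptables`, `iptables-save` and `nft list ruleset` calls. Since iptables and iptables-save failures are now deliberately ignored (`# rc=10` commented out), a failure leaves a possibly empty `iptables*.txt` that a later reader may take for "no rules"; removing the file or writing a marker line on failure would keep the dump from being silently misleading. The same stdout-only capture appears in the other `task_*` functions outside this hunk.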
@@ -158,7 +158,7 @@ smtp-amavis unix - - y - 2 lmtp -o smtpd_hard_error_limit=1000 -o smtpd_client_connection_count_limit=0 -o smtpd_client_connection_rate_limit=0 - -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks + -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters pre-cleanup unix n - n - 0 cleanup -o virtual_alias_maps= -- 2.39.2 From 31c2629d313889fb91f86169772fe4d7125367c2 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 30 Mar 2022 09:42:54 +0200 Subject: [PATCH 016/497] minifirewall: configure proxy/backup/sysctl values --- CHANGELOG.md | 2 + minifirewall/defaults/main.yml | 16 +++++ minifirewall/tasks/config.yml | 106 ++++++++++++++++++++++++++++++--- 3 files changed, 116 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9ce3eaf0..49307328 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added +* minifirewall: configure proxy/backup/sysctl values + ### Changed * evocheck: upstream release 22.03.1 diff --git a/minifirewall/defaults/main.yml b/minifirewall/defaults/main.yml index 51d169cb..faedfa6b 100644 --- a/minifirewall/defaults/main.yml +++ b/minifirewall/defaults/main.yml 
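Review bot: The added `no_milters` override needs an inline explanation in the template, because a reader of the generated master.cf cannot see why milters are skipped on the post-amavis re-injection path; a `#` line before the `smtp-amavis` entry (the entry header is outside this hunk) such as `# no_milters: mail re-injected by amavis already went through the milters on first receipt; running them again would DKIM-sign it twice` carries the reasoning from the commit message into the file. Note that this skips every milter configured on the re-injection path, not only opendkim, so any milter that was meant to see the post-filter content no longer runs there; if that is intended, the comment should say so.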
@@ -47,6 +47,22 @@ minifirewall_smtp_ok: Null minifirewall_smtp_secure_ok: Null minifirewall_ntp_ok: Null +minifirewall_proxy: "off" +minifirewall_proxyport: 8888 +minifirewall_proxybypass: + - "${INTLAN}" + - "127.0.0.0/8" + - "::1/128" +minifirewall_backupservers: Null + +minifirewall_sysctl_icmp_echo_ignore_broadcasts : Null +minifirewall_sysctl_icmp_ignore_bogus_error_responses : Null +minifirewall_sysctl_accept_source_route : Null +minifirewall_sysctl_tcp_syncookies : Null +minifirewall_sysctl_icmp_redirects : Null +minifirewall_sysctl_rp_filter : Null +minifirewall_sysctl_log_martians : Null + minifirewall_autostart: False minifirewall_restart_if_needed: True minifirewall_restart_force: False diff --git a/minifirewall/tasks/config.yml b/minifirewall/tasks/config.yml index 57fea0f1..82b5263a 100644 --- a/minifirewall/tasks/config.yml +++ b/minifirewall/tasks/config.yml @@ -127,7 +127,7 @@ lineinfile: dest: "/etc/default/minifirewall" line: "DNSSERVEURS='{{ minifirewall_dns_servers | join(' ') }}'" - regexp: "DNSSERVEURS='.*'" + regexp: "DNSSERVEURS=('|\").*('|\")" create: no when: minifirewall_dns_servers is not none @@ -135,7 +135,7 @@ lineinfile: dest: "/etc/default/minifirewall" line: "HTTPSITES='{{ minifirewall_http_sites | join(' ') }}'" - regexp: "HTTPSITES='.*'" + regexp: "HTTPSITES=('|\").*('|\")" create: no when: minifirewall_http_sites is not none @@ -143,7 +143,7 @@ lineinfile: dest: "/etc/default/minifirewall" line: "HTTPSSITES='{{ minifirewall_https_sites | join(' ') }}'" - regexp: "HTTPSSITES='.*'" + regexp: "HTTPSSITES=('|\").*('|\")" create: no when: minifirewall_https_sites is not none @@ -151,7 +151,7 @@ lineinfile: dest: "/etc/default/minifirewall" line: "FTPSITES='{{ minifirewall_ftp_sites | join(' ') }}'" - regexp: "FTPSITES='.*'" + regexp: "FTPSITES=('|\").*('|\")" create: no when: minifirewall_ftp_sites is not none 
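Review bot: The rewritten `regexp` values (`DNSSERVEURS=('|\").*('|\")` here, the same shape in the `@@ -135`, `-143` and `-151` hunks on this line, `-159`, `-167`, `-175` on the next line, and every new task in `@@ -183`) are not anchored, so `lineinfile` also matches a commented example such as `#DNSSERVEURS='…'`; because it rewrites the last match, it can replace the comment and leave the live setting untouched, or the reverse. Prefixing each pattern with `^`, e.g. `regexp: "^DNSSERVEURS=('|\").*('|\")"`, restricts the match to an actual assignment at the start of the line. Since `/etc/default/minifirewall` is sourced by a root shell script, it is also worth a one-line comment in defaults/main.yml that these values must not contain quote characters, as they are interpolated verbatim between quotes.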
@@ -159,7 +159,7 @@ lineinfile: dest: "/etc/default/minifirewall" line: "SSHOK='{{ minifirewall_ssh_ok | join(' ') }}'" - regexp: "SSHOK='.*'" + regexp: "SSHOK=('|\").*('|\")" create: no when: minifirewall_ssh_ok is not none @@ -167,7 +167,7 @@ lineinfile: dest: "/etc/default/minifirewall" line: "SMTPOK='{{ minifirewall_smtp_ok | join(' ') }}'" - regexp: "SMTPOK='.*'" + regexp: "SMTPOK=('|\").*('|\")" create: no when: minifirewall_smtp_ok is not none @@ -175,7 +175,7 @@ lineinfile: dest: "/etc/default/minifirewall" line: "SMTPSECUREOK='{{ minifirewall_smtp_secure_ok | join(' ') }}'" - regexp: "SMTPSECUREOK='.*'" + regexp: "SMTPSECUREOK=('|\").*('|\")" create: no when: minifirewall_smtp_secure_ok is not none 
@@ -183,10 +183,100 @@ lineinfile: dest: "/etc/default/minifirewall" line: "NTPOK='{{ minifirewall_ntp_ok | join(' ') }}'" - regexp: "NTPOK='.*'" + regexp: "NTPOK=('|\").*('|\")" create: no when: minifirewall_ntp_ok is not none +- name: Configure PROXY + lineinfile: + dest: "/etc/default/minifirewall" + line: "PROXY='{{ minifirewall_proxy }}'" + regexp: "PROXY=('|\").*('|\")" + create: no + when: minifirewall_proxy is not none + +- name: Configure PROXYPORT + lineinfile: + dest: "/etc/default/minifirewall" + line: "PROXYPORT='{{ minifirewall_proxyport }}'" + regexp: "PROXYPORT=('|\").*('|\")" + create: no + when: minifirewall_proxyport is not none + +# Warning: keep double quotes for the value, +# since we often reference a shell variable that needs to be interpolated +- name: Configure PROXYBYPASS + lineinfile: + dest: "/etc/default/minifirewall" + line: "PROXYBYPASS=\"{{ minifirewall_proxybypass | join(' ') }}\"" + regexp: "PROXYBYPASS=('|\").*('|\")" + create: no + when: minifirewall_proxybypass is not none + +- name: Configure BACKUPSERVERS + lineinfile: + dest: "/etc/default/minifirewall" + line: "BACKUPSERVERS='{{ minifirewall_backupservers | join(' ') }}'" + regexp: "BACKUPSERVERS=('|\").*('|\")" + create: no + when: minifirewall_backupservers is not none + +- name: Configure SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS + lineinfile: + dest: "/etc/default/minifirewall" + line: "SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS='{{ minifirewall_sysctl_icmp_echo_ignore_broadcasts }}'" + regexp: "SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS=('|\").*('|\")" + create: no + when: minifirewall_sysctl_icmp_echo_ignore_broadcasts is not none + +- name: Configure SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES + lineinfile: + dest: "/etc/default/minifirewall" + line: "SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES='{{ minifirewall_sysctl_icmp_ignore_bogus_error_responses }}'" + regexp: "SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES=('|\").*('|\")" + create: no + when: 
minifirewall_sysctl_icmp_ignore_bogus_error_responses is not none + +- name: Configure SYSCTL_ACCEPT_SOURCE_ROUTE + lineinfile: + dest: "/etc/default/minifirewall" + line: "SYSCTL_ACCEPT_SOURCE_ROUTE='{{ minifirewall_sysctl_accept_source_route }}'" + regexp: "SYSCTL_ACCEPT_SOURCE_ROUTE=('|\").*('|\")" + create: no + when: minifirewall_sysctl_accept_source_route is not none + +- name: Configure SYSCTL_TCP_SYNCOOKIES + lineinfile: + dest: "/etc/default/minifirewall" + line: "SYSCTL_TCP_SYNCOOKIES='{{ minifirewall_sysctl_tcp_syncookies }}'" + regexp: "SYSCTL_TCP_SYNCOOKIES=('|\").*('|\")" + create: no + when: minifirewall_sysctl_tcp_syncookies is not none + +- name: Configure SYSCTL_ICMP_REDIRECTS + lineinfile: + dest: "/etc/default/minifirewall" + line: "SYSCTL_ICMP_REDIRECTS='{{ minifirewall_sysctl_icmp_redirects }}'" + regexp: "SYSCTL_ICMP_REDIRECTS=('|\").*('|\")" + create: no + when: minifirewall_sysctl_icmp_redirects is not none + +- name: Configure SYSCTL_RP_FILTER + lineinfile: + dest: "/etc/default/minifirewall" + line: "SYSCTL_RP_FILTER='{{ minifirewall_sysctl_rp_filter }}'" + regexp: "SYSCTL_RP_FILTER=('|\").*('|\")" + create: no + when: minifirewall_sysctl_rp_filter is not none + +- name: Configure SYSCTL_LOG_MARTIANS + lineinfile: + dest: "/etc/default/minifirewall" + line: "SYSCTL_LOG_MARTIANS='{{ minifirewall_sysctl_log_martians }}'" + regexp: "SYSCTL_LOG_MARTIANS=('|\").*('|\")" + create: no + when: minifirewall_sysctl_log_martians is not none + - name: Stat minifirewall config file (after) stat: path: "/etc/default/minifirewall" -- 2.39.2 From 5dc6a1d36b15bd126d9bbf793c559c8035ea10a1 Mon Sep 17 00:00:00 2001 
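Review bot: The new `SYSCTL_*` tasks write whatever the `minifirewall_sysctl_*` variable renders to, single-quoted, but the minifirewall script accepts only the strings '0' or '1' for these settings (see the `must be '0' or '1'` check in the patch 018 hunk further down), so a YAML boolean (`true` renders as `True`) or any other value makes the firewall refuse to start on its next restart. Either document the contract next to the defaults, `# SYSCTL_* values must be the strings "0" or "1" (not YAML booleans); Null leaves the file untouched`, or validate before writing with an `assert` that each non-null `minifirewall_sysctl_*` value `| string` is in `['0', '1']`. The `PROXY` task presumably has the analogous `on`/`off` contract (default `"off"`) and deserves the same comment.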
From: Mathieu Trossevin Date: Wed, 23 Mar 2022 15:07:32 +0100 Subject: [PATCH 017/497] etc-git: Commit changes to /etc in containers --- CHANGELOG.md | 1 + etc-git/tasks/commit.yml | 27 +++++++++++++++++++++++++++ etc-git/tasks/lxc_commit.yml | 35 +++++++++++++++++++++++++++++++++++ 3 files changed, 63 insertions(+) create mode 100644 etc-git/tasks/lxc_commit.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 49307328..379c0c10 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added * minifirewall: configure proxy/backup/sysctl values +* etc-git: Commit /etc in lxc containers when they are git repositories ### Changed diff --git a/etc-git/tasks/commit.yml b/etc-git/tasks/commit.yml index 3f993771..2098aeeb 100644 --- a/etc-git/tasks/commit.yml +++ b/etc-git/tasks/commit.yml @@ -50,3 +50,30 @@ when: - _usr_share_scripts_git.stat.exists - _usr_share_scripts_git.stat.isdir + +- name: Check if there are lxc containers + stat: + path: /var/lib/lxc + get_attributes: no + get_checksum: no + get_mime: no + register: _var_lib_lxc + +- name: Get lxc containers and commit their /etc when needed + block: + - name: Get all lxc containers + find: + paths: /var/lib/lxc + recurse: no + file_type: directory + register: _lxc_containers + + - name: "Commit /etc in all containers" + include_tasks: + file: lxc_commit.yml + loop: "{{ _lxc_containers.files | map(attribute='path') | map('basename') }}" + loop_control: + loop_var: container + when: + - _var_lib_lxc.stat.exists + - _var_lib_lxc.stat.isdir or _var_lib_lxc.stat.islnk diff --git a/etc-git/tasks/lxc_commit.yml b/etc-git/tasks/lxc_commit.yml new file mode 100644 index 00000000..26fc8738 --- /dev/null +++ b/etc-git/tasks/lxc_commit.yml 
@@ -0,0 +1,35 @@ +--- +- name: "Assert that we have been called with `container` defined" + assert: + that: + - container is defined + +- name: "Define path to /etc in {{ container }} container" + set_fact: + container_etc: "{{ ('/var/lib/lxc', container, 'rootfs/etc') | path_join }}" + +- name: "Check if /etc is a git repository in {{ container }}" + stat: + path: "{{ (container_etc, '.git') | path_join }}" + get_attributes: no + get_checksum: no + get_mime: no + register: "container_etc_git" + +- name: "Evocommit /etc of {{ container }}" + command: + argv: + - /usr/local/bin/evocommit + - '--ansible' + - '--repository' + - "{{ container_etc }}" + - '--message' + - "{{ commit_message | mandatory }}" + changed_when: + - "container_etc_git_commit.stdout" + - "'CHANGED:' in container_etc_git_commit.stdout" + ignore_errors: yes + register: "container_etc_git_commit" + when: + - "container_etc_git.stat.exists" + - "container_etc_git.stat.isdir" -- 2.39.2 From ed6ca9a85a924a9cdc2429783c51bf09ccb2f47c Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 30 Mar 2022 22:45:09 +0200 Subject: [PATCH 018/497] minifirewall: upstream release 22.03.5 --- CHANGELOG.md | 2 +- minifirewall/files/minifirewall | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 379c0c10..9d1ca0d5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -24,7 +24,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * generate-ldif: Add services check for bkctld * minifirewall: restore "force-restart" and fix "restart-if-needed" * minifirewall: tail template follows symlinks -* minifirewall: upstream release 22.03.4 +* minifirewall: upstream release 22.03.5 * openvpn: use a subnet topology instead of the net30 default topology ### Fixed diff --git a/minifirewall/files/minifirewall b/minifirewall/files/minifirewall index cb707673..f8729f79 100755 --- a/minifirewall/files/minifirewall +++ b/minifirewall/files/minifirewall 
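Review bot: The "Evocommit /etc of {{ container }}" task has the host, as root, operate on a git repository whose `.git` directory lives inside the container's rootfs (`/var/lib/lxc/<container>/rootfs/etc/.git`); if evocommit drives git, repository-local configuration and hooks from that directory are honoured, so the trust boundary is that anyone able to write inside the container can influence what the host runs during this play. That assumption should be stated in the task file, e.g. `# NOTE: runs host git against a .git owned by the container; only use on containers managed by this playbook`, and narrowed where possible (restrict the loop to known containers rather than every directory under /var/lib/lxc, and/or have evocommit invoke git with repository hooks and config neutralised). Separately, `ignore_errors: yes` hides every evocommit failure behind an "ignored" result, so a container whose /etc can no longer be committed goes unnoticed; `failed_when: false` plus a following `debug` or `fail` on `container_etc_git_commit.rc` would surface it. The `changed_when` test itself is fine: stdout non-empty and containing `CHANGED:`.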
@@ -28,7 +28,7 @@ # Description: Firewall designed for standalone server ### END INIT INFO -VERSION="22.03.4" +VERSION="22.03.5" NAME="minifirewall" # shellcheck disable=SC2034 @@ -251,7 +251,7 @@ start() { if [ "${SYSCTL_ACCEPT_SOURCE_ROUTE}" = "1" ] || [ "${SYSCTL_ACCEPT_SOURCE_ROUTE}" = "0" ]; then for proc_sys_file in /proc/sys/net/ipv4/conf/*/accept_source_route; do - echo "${SYSCTL_ACCEPT_SOURCE_ROUTE}" = > "${proc_sys_file}" + echo "${SYSCTL_ACCEPT_SOURCE_ROUTE}" > "${proc_sys_file}" done else echo "Invalid SYSCTL_ACCEPT_SOURCE_ROUTE value '${SYSCTL_ACCEPT_SOURCE_ROUTE}', must be '0' or '1'." >&2 -- 2.39.2 From f8a146d3ac4b9ca677836cfb9c62110d9c275809 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 31 Mar 2022 09:50:31 +0200 Subject: [PATCH 019/497] =?UTF-8?q?ajout=20IPv6=20par=20d=C3=A9faut?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- minifirewall/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/minifirewall/defaults/main.yml b/minifirewall/defaults/main.yml index faedfa6b..4c084154 100644 --- a/minifirewall/defaults/main.yml +++ b/minifirewall/defaults/main.yml @@ -23,8 +23,8 @@ minifirewall_docker: "off" minifirewall_default_trusted_ips: [] minifirewall_additional_trusted_ips: [] -# and default to ['0.0.0.0/0'] if the result is still empty -minifirewall_trusted_ips: "{{ minifirewall_default_trusted_ips | union(minifirewall_additional_trusted_ips) | unique | default(['0.0.0.0/0'], true) }}" +# and default to ['0.0.0.0/0', '::/0'] if the result is still empty +minifirewall_trusted_ips: "{{ minifirewall_default_trusted_ips | union(minifirewall_additional_trusted_ips) | unique | default(['0.0.0.0/0', '::/0'], true) }}" minifirewall_privilegied_ips: [] minifirewall_protected_ports_tcp: [22] -- 2.39.2 From 6434adcc62b62b8edd8e208793282c097cbb0170 Mon Sep 17 00:00:00 2001 
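Review bot: The corrected write `echo "${SYSCTL_ACCEPT_SOURCE_ROUTE}" > "${proc_sys_file}"` in start() is still unchecked, so on hosts where /proc/sys is read-only (containers, some hardened setups) the shell prints an error to stderr and the loop simply carries on, leaving accept_source_route at its previous value while start() reports success; `echo "${SYSCTL_ACCEPT_SOURCE_ROUTE}" > "${proc_sys_file}" || echo "Unable to set ${proc_sys_file}" >&2` would at least make the skipped hardening visible in the firewall's own output. start() begins and ends outside the hunk.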
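Review bot: Adding `'::/0'` to the fallback of `minifirewall_trusted_ips` changes a security default — when neither `minifirewall_default_trusted_ips` nor `minifirewall_additional_trusted_ips` is set, every IPv6 source is now trusted in the same way every IPv4 source already was (presumably IPv6 was simply not covered before) — yet the commit touches only defaults/main.yml, with no CHANGELOG entry, unlike every other change in this series. Please add a changelog line and extend the comment above the variable to say that the fallback means "no restriction for either address family", so operators who leave both lists empty understand what they get.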
From: Jeremy Dubois Date: Thu, 31 Mar 2022 15:59:38 +0200 Subject: [PATCH 020/497] nagios-nrpe: Add a check dhcp_pool --- CHANGELOG.md | 1 + nagios-nrpe/files/plugins/check_dhcp_pool | 223 ++++++++++++++++++++++ nagios-nrpe/templates/evolix.cfg.j2 | 3 +- 3 files changed, 226 insertions(+), 1 deletion(-) create mode 100755 nagios-nrpe/files/plugins/check_dhcp_pool diff --git a/CHANGELOG.md b/CHANGELOG.md index 9d1ca0d5..2c22a6fd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * minifirewall: configure proxy/backup/sysctl values * etc-git: Commit /etc in lxc containers when they are git repositories +* nagios-nrpe: Add a check dhcp_pool ### Changed diff --git a/nagios-nrpe/files/plugins/check_dhcp_pool b/nagios-nrpe/files/plugins/check_dhcp_pool new file mode 100755 index 00000000..29157c2e --- /dev/null +++ b/nagios-nrpe/files/plugins/check_dhcp_pool 
@@ -0,0 +1,223 @@ +#!/usr/bin/perl -w +# +# Copyright (C) 2008 Rien Broekstra +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; version 2 dated June, +# 1991. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +# +# +# Configuration variables: +# +# conffile - path to dhcpd's configuration file (default "/etc/dhcpd.conf") +# leasefile - path to dhcpd's leases file (default "/var/lib/dhcp/dhcpd.leases") +# + +use POSIX; +use Time::Local; +use strict; + +my $CONFFILE = exists $ENV{'conffile'} ? $ENV{'conffile'} : "/etc/dhcp/dhcpd.conf"; +my $LEASEFILE = exists $ENV{'leasefile'} ? 
$ENV{'leasefile'} : "/var/lib/dhcp/dhcpd.leases"; +my $WARNING_LEVEL = 70; +my $CRITICAL_LEVEL = 90; + +my (@activeleases, %dhcp_pools, $pool_start, $pool_end, $pool_size, $pool_free, $pool_usage, $pool_status, $label, $lease, $nagios_return_code, $nagios_ok, $nagios_warning, $nagios_critical, @nagios_text, @nagios_perfdata); + +# Determine all leased IP addresses +@activeleases = determine_active_leases(); + +# Determine the available IP pools +%dhcp_pools = determine_pools(); + +# Nagios return code +$nagios_return_code = 0; +$nagios_ok = 0; +$nagios_warning = 0; +$nagios_critical = 0; + +# For each pool, count how many leases from that pool are currently active +foreach $pool_start (keys %dhcp_pools) { + $pool_size = $dhcp_pools{$pool_start}; + $pool_end = $pool_start+$pool_size-1; + $pool_free = $pool_size; + + foreach $lease (@activeleases) { + if ($lease >= $pool_start && $lease <= $pool_end) { + $pool_free--; + } + } + + $label = ip2string($pool_start)."-".ip2string($pool_end); + $pool_usage = sprintf("%.1f", 100*($pool_size-$pool_free)/$pool_size); + + if ($pool_usage >= $CRITICAL_LEVEL) { + $nagios_return_code = 2; + $nagios_critical++; + $pool_status = "CRITICAL"; + } elsif ($pool_usage >= $WARNING_LEVEL) { + if ($nagios_return_code == 0 ) { + $nagios_return_code = 1; + } + $nagios_warning++; + $pool_status = "WARNING"; + } + else { + $nagios_ok++; + $pool_status = "OK"; + } + + push(@nagios_text, "$pool_status : $label - $pool_usage \n"); + push(@nagios_perfdata, "$label=$pool_usage%;$WARNING_LEVEL%;$CRITICAL_LEVEL%;;" ); + # 'label'=value[UOM];[warn];[crit];; + +} + + +print nagios_code_2_txt($nagios_return_code)." - ".$nagios_critical." CRIT / ".$nagios_warning." WARN / ".$nagios_ok." OK \n\n"; + +print grep(/CRITICAL/, @nagios_text); +print grep(/WARNING/, @nagios_text); +print grep(/OK/, @nagios_text); + +print "|@nagios_perfdata"; + +exit $nagios_return_code; + + +################ +###### FUNCTIONS + +# Parse dhcpd.conf for range statements. 
+# +# Returns a hash with start IP -> size +sub determine_pools { + my (%pools, @conffile, $line, $start, $end, $size); + + open(CONFFILE, "<${CONFFILE}") || exit -1; + @conffile = ; + close (CONFFILE); + + foreach $line (@conffile) { + next if $line =~ /^\s*#/; + + if ($line =~ /range[\s]+([\d]+\.[\d]+\.[\d]+\.[\d]+)[\s]+([\d]+\.[\d]+\.[\d]+\.[\d]+)/) { + $start = string2ip($1); + $end = string2ip($2); + + defined($start) || next; + defined($end) || next; + + # The range statement gives the lowest and highest IP addresses in a range. + $size = $end - $start + 1; + + $pools{$start} = $size; + } + } + return %pools; +} + +# Very simple parser for dhcpd.leases. This will break very easily if dhcpd decides to +# format the file differently. Ideally a simple recursive-descent parser should be used. +# +# Returns an array with currently leased IP's +sub determine_active_leases { + my (@leasefile, $startdate, $enddate, $lease, @activeleases, $mytz, $line, %saw); + + open(LEASEFILE, "<${LEASEFILE}") || exit -1; + @leasefile = ; + close (LEASEFILE); + + @activeleases = (); + + # Portable way of converting a GMT date/time string to timestamp is setting TZ to UTC, and then calling mktime() + $mytz = $ENV{'TZ'}; + $ENV{'TZ'} = 'UTC 0'; + tzset(); + + foreach $line (@leasefile) { + if ($line =~ /lease ([\d]+\.[\d]+\.[\d]+\.[\d]+)/) { + $lease = string2ip($1); + defined($lease) || next; + + undef $startdate; + undef $enddate; + } + elsif ($line =~ /starts \d ([\d]{4})\/([\d]{2})\/([\d]{2}) ([\d]{2}):([\d]{2}):([\d]{2})/) { + $startdate = mktime($6, $5, $4, $3, $2-1, $1-1900, 0, 0); + } + elsif ($line =~ /ends \d ([\d]{4})\/([\d]{2})\/([\d]{2}) ([\d]{2}):([\d]{2}):([\d]{2})/) { + $enddate = mktime($6, $5, $4, $3, $2-1, $1-1900, 0, 0); + } + elsif ($line =~ /binding state active/) { + if (defined($enddate) && defined($startdate) && defined($lease)) { + if ($startdate < time() && $enddate > time()) { + push (@activeleases, $lease); + } + } + } + + } + + # Set TZ back to its 
original setting + if (defined($mytz)) { + $ENV{'TZ'} = $mytz; + } + else { + delete $ENV{'TZ'}; + } + tzset(); + + # Sort the array, strip doubles, and return + return grep(!$saw{$_}++, @activeleases); +} + +# +# Helper routine to convert an IP address a.b.c.d into an integer +# +# Returns an integer representation of an IP address +sub string2ip { + my $string = shift; + defined($string) || return undef; + if ($string =~ /([\d]+)\.([\d]+)\.([\d]+)\.([\d]+)/) { + if ($1 < 0 || $1 > 255 || $2 < 0 || $2 > 255 || $3 < 0 || $3 > 255 || $4 < 0 || $4 > 255) { + return undef; + } + else { + return $1 << 24 | $2 << 16 | $3 << 8 | $4; + } + } + return undef; +} + +# +# Returns a dotted quad notation of an +# +sub ip2string { + my $ip = shift; + defined ($ip) || return undef; + return sprintf ("%d.%d.%d.%d", ($ip >> 24) & 0xff, ($ip >> 16) & 0xff, ($ip >> 8) & 0xff, $ip & 0xff); +} + + +# +# Return textual status of return code +# +sub nagios_code_2_txt{ + my $code = shift; + defined ($code) || return undef; + + if($code == 0 ) { return "OK" } + elsif( $code == 1 ) { return "WARNING" } + elsif( $code == 2 ) { return "CRITICAL" } +} diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2 index 80eaaaf2..be42c97a 100644 --- a/nagios-nrpe/templates/evolix.cfg.j2 +++ b/nagios-nrpe/templates/evolix.cfg.j2 @@ -57,6 +57,7 @@ command[check_bkctld_jails]=sudo /usr/sbin/bkctld check-jails command[check_bkctld]=sudo /usr/sbin/bkctld check command[check_postgrey]=/usr/lib/nagios/plugins/check_tcp -p10023 command[check_influxdb]=/usr/lib/nagios/plugins/check_http -I 127.0.0.1 -u /health -p 8086 -r '"status":"pass"' +command[check_dhcpd]=/usr/lib/nagios/plugins/check_procs -c1:1 -C dhcpd -t 60 # Local checks (not packaged) command[check_mem]={{ nagios_plugins_directory }}/check_mem -f -C -w 20 -c 10 
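Review bot: `open(CONFFILE, "<${CONFFILE}") || exit -1;` in determine_pools, and the same line in determine_active_leases, exit with status 255 and no output when the file cannot be read, which Nagios reports as an out-of-bounds return code instead of a usable state; a plugin should print a status line and exit 3, e.g. `open(my $conf_fh, '<', $CONFFILE) or do { print "UNKNOWN - cannot open $CONFFILE: $!\n"; exit 3 };`, which also replaces the bareword handle and two-argument open (the readline shows as `@conffile = ;` on this page, presumably `<CONFFILE>` lost in rendering). nagios_code_2_txt has no branch for code 3 and returns undef, so any future UNKNOWN path would print a warning instead of a label. determine_pools also accepts a `range` whose end address is below its start, giving a `$pool_size` of zero or less and a division by zero in the usage computation; `next if $size < 1;` before storing the pool avoids the crash. The same script body reappears as munin/files/plugins/dhcp_pool in PATCH 028 and carries the same open/exit and range issues.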
@@ -82,7 +83,7 @@ command[check_php-fpm74]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi command[check_php-fpm80]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php80/rootfs/etc/php/8.0/fpm/pool.d/ command[check_php-fpm81]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php81/rootfs/etc/php/8.1/fpm/pool.d/ command[check_ipmi_sensors]=sudo /usr/lib/nagios/plugins/check_ipmi_sensor -command[check_raid_status]=/usr/lib/nagios/plugins/check_raid +command[check_raid_status]={{ nagios_plugins_directory }}/check_dhcp_pool # Check HTTP "many". Use this to check many websites (http, https, ports, sockets and SSL certificates). # Beware! All checks must not take more than 10s! -- 2.39.2 From 726735d269e11212bd0a1b51bb14162877935c75 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Fri, 1 Apr 2022 15:47:44 +0200 Subject: [PATCH 021/497] etc-git : Remount /usr in rw for git gc in in /usr/share/scripts/ --- CHANGELOG.md | 1 + etc-git/files/etc-git-optimize | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2c22a6fd..65b32df0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -34,6 +34,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * generate-ldif: Correct generated entries for php-fpm in containers * redis: Remount /usr with RW before adding nagios plugin * postfix: Do not send mails through milters a second time after amavis (in packmail) +* etc-git : Remount /usr in rw for git gc in in /usr/share/scripts/ ### Removed diff --git a/etc-git/files/etc-git-optimize b/etc-git/files/etc-git-optimize index 3d4932ee..56967e8f 100644 --- a/etc-git/files/etc-git-optimize +++ b/etc-git/files/etc-git-optimize 
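Review bot: The new line replaces `command[check_raid_status]=/usr/lib/nagios/plugins/check_raid` with the DHCP pool plugin instead of adding a new command, so every host rendering this template loses its RAID check (check_raid_status now runs check_dhcp_pool) and no check_dhcp_pool command exists; the intended lines are the kept `command[check_raid_status]=/usr/lib/nagios/plugins/check_raid` plus a new `command[check_dhcp_pool]={{ nagios_plugins_directory }}/check_dhcp_pool`. PATCH 024 later in this series corrects exactly that, but the broken state ships between the two commits.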
@@ -6,6 +6,12 @@
 repositories="/etc /etc/bind/ /usr/share/scripts"
 for repository in ${repositories}; do
 if [ -d "${repository}/.git" ]; then
+ if [ ${repository} = "/usr/share/scripts" ]; then
+ mount -o remount,rw /usr
+ fi
 git --git-dir="${repository}/.git" gc --quiet
+ if [ ${repository} = "/usr/share/scripts" ]; then
+ mount -o remount /usr
+ fi
 fi
 done
-- 2.39.2 From e71201ab46339aa26919936bbe23e06900bcaadd Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 3 Apr 2022 11:18:41 +0200 Subject: [PATCH 022/497] dump-server-state: upstream release 22.04
---
 CHANGELOG.md | 2 +-
 evolinux-base/files/dump-server-state.sh | 33 +++++++++++++++++++++---
 2 files changed, 31 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 65b32df0..70600d04 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -21,7 +21,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * evocheck: upstream release 22.03.1
 * evolinux-base: Add non-free repos & install non-free firmware on dedicated hardware
 * evolinux-base: rename backup-server-state to dump-server-state
-* dump-server-state: upstream release 22.03.10
+* dump-server-state: upstream release 22.04
 * generate-ldif: Add services check for bkctld
 * minifirewall: restore "force-restart" and fix "restart-if-needed"
 * minifirewall: tail template follows symlinks
diff --git a/evolinux-base/files/dump-server-state.sh b/evolinux-base/files/dump-server-state.sh
index 1da5bf2f..3b66f230 100644
--- a/evolinux-base/files/dump-server-state.sh
+++ b/evolinux-base/files/dump-server-state.sh
@@ -3,7 +3,7 @@
 PROGNAME="dump-server-state"
 REPOSITORY="https://gitea.evolix.org/evolix/dump-server-state"
-VERSION="22.03.10"
+VERSION="22.04"
 readonly VERSION
 dump_dir=
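Review bot: `mount -o remount,rw /usr` runs unconditionally whenever the repository is /usr/share/scripts, so on hosts where /usr is not a separate mount point (or is already read-write) this cron job emits mount errors on every run; guarding both calls with a mount-point test, `if [ "${repository}" = "/usr/share/scripts" ] && mountpoint -q /usr; then`, limits the remount to hosts that actually have a read-only /usr. The read-write window also stays open if `git gc` is interrupted, because the remount back is a separate statement rather than a `trap 'mount -o remount /usr' EXIT` set inside the guarded branch. `${repository}` is unquoted in both new `[ ... ]` tests while the `-d` test just above quotes it.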
@@ -425,9 +425,23 @@ task_iptables() { debug "Task: iptables" iptables_bin=$(command -v iptables) + ip6tables_bin=$(command -v ip6tables) if [ -n "${iptables_bin}" ]; then - last_result=$({ ${iptables_bin} -L -n -v; ${iptables_bin} -t filter -L -n -v; } > "${dump_dir}/iptables-v.txt") + last_result=$({ + printf "#### iptables --list ###############################\n" + ${iptables_bin} --list --numeric --verbose --line-numbers + printf "\n### iptables --table nat --list ####################\n" + ${iptables_bin} --table nat --list --numeric --verbose --line-numbers + printf "\n#### iptables --table mangle --list ################\n" + ${iptables_bin} --table mangle --list --numeric --verbose --line-numbers + if [ -n "${ip6tables_bin}" ]; then + printf "\n#### ip6tables --list ##############################\n" + ${ip6tables_bin} --list --numeric --verbose --line-numbers + printf "\n#### ip6tables --table mangle --list ###############\n" + ${ip6tables_bin} --table mangle --list --numeric --verbose --line-numbers + fi + } > "${dump_dir}/iptables-v.txt") last_rc=$? if [ ${last_rc} -eq 0 ]; then @@ -439,7 +453,20 @@ task_iptables() { # rc=10 fi - last_result=$({ ${iptables_bin} -L -n; ${iptables_bin} -t filter -L -n; } > "${dump_dir}/iptables.txt") + last_result=$({ + printf "#### iptables --list ###############################\n" + ${iptables_bin} --list --numeric + printf "\n### iptables --table nat --list ####################\n" + ${iptables_bin} --table nat --list --numeric + printf "\n#### iptables --table mangle --list ################\n" + ${iptables_bin} --table mangle --list --numeric + if [ -n "${ip6tables_bin}" ]; then + printf "\n#### ip6tables --list ##############################\n" + ${ip6tables_bin} --list --numeric + printf "\n#### ip6tables --table mangle --list ###############\n" + ${ip6tables_bin} --table mangle --list --numeric + fi + } > "${dump_dir}/iptables.txt") last_rc=$? if [ ${last_rc} -eq 0 ]; then -- 2.39.2 
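Review bot: `last_rc=$?` after the `{ ... } > "${dump_dir}/iptables-v.txt"` group only reflects the last command executed in the group (the final ip6tables call, or the `if` when ip6tables is absent), so a failing `${iptables_bin} --table nat --list ...` or first ip6tables call is recorded as success and the dump is reported complete while missing a table; the second hunk writing iptables.txt has the same shape. Capturing per command (`${iptables_bin} --table nat --list --numeric --verbose --line-numbers || group_rc=1` for each call, then testing the flag) keeps the existing structure. The section headers mix `###` and `####` (`"\n### iptables --table nat --list ####..."` against the others), which looks unintended. ip6tables `--table nat` is not dumped while the IPv4 nat table is; if that is deliberate, a one-line comment would save the next reader a question. task_iptables starts before the first hunk and continues after the second.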
From 5b2fecb49cb0a26aba71cceb91766ddfda540b89 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Thu, 7 Apr 2022 10:18:08 +0200 Subject: [PATCH 023/497] Make evocommit fully compatible with OpenBSD --- CHANGELOG.md | 1 + etc-git/files/evocommit | 14 ++++++++++---- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 70600d04..58426028 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -35,6 +35,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * redis: Remount /usr with RW before adding nagios plugin * postfix: Do not send mails through milters a second time after amavis (in packmail) * etc-git : Remount /usr in rw for git gc in in /usr/share/scripts/ +* etc-git: Make evocommit fully compatible with OpenBSD ### Removed diff --git a/etc-git/files/evocommit b/etc-git/files/evocommit index 36050d02..0053784b 100644 --- a/etc-git/files/evocommit +++ b/etc-git/files/evocommit @@ -2,7 +2,7 @@ set -u -VERSION="21.10" +VERSION="22.04" show_version() { cat </dev/null + syslog "Re-mount ${mountpoint} as read-write to commit in repository $1" else mountpoint=$(stat -c '%m' $1) mount -o remount,rw ${mountpoint} @@ -73,6 +74,7 @@ remount_repository_readonly() { if [ "$(get_system)" = "OpenBSD" ]; then partition=$(stat -f '%Sd' $1) mount -u -r /dev/${partition} 2>/dev/null + syslog "Re-mount ${mountpoint} as read-only after commit to repository $1" else mountpoint=$(stat -c '%m' $1) mount -o remount,ro ${mountpoint} 2>/dev/null @@ -92,8 +94,12 @@ main() { rc=0 lock="${GIT_DIR}/index.lock" if [ -f "${lock}" ]; then - limit=$(date +"%s" -d "now - 1 hour") - updated_at=$(stat -c "%Y" "${lock}") + limit=$(($(date +"%s") - (1 * 60 * 60))) + if [ "$(get_system)" = "OpenBSD" ]; then + updated_at=$(stat -f "%m" "${lock}") + else + updated_at=$(stat -c "%Y" "${lock}") + fi if [ "$updated_at" -lt "$limit" ]; then rm -f "${lock}" fi 
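Review bot: In remount_repository_readonly's OpenBSD branch the added `syslog "Re-mount ${mountpoint} as read-only after commit to repository $1"` expands `${mountpoint}`, but in this function that variable is only assigned in the Linux `else` branch (`mountpoint=$(stat -c '%m' $1)`); the script runs under `set -u` (visible as context in the first hunk), so an unset `mountpoint` aborts evocommit at that line unless it is assigned globally somewhere outside these hunks — worth confirming. The read-write counterpart above it (its hunk is partly lost on this page) appears to add the same message with the same variable. Logging the value that branch actually computes, `syslog "Re-mount /dev/${partition} as read-only after commit to repository $1"`, avoids the dependency on the other branch.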
@@ -262,4 +268,4 @@ if [ -d "${GIT_DIR}" ]; then else echo "There is no Git repository in '${REPOSITORY}'" >&2 exit 1 -fi \ No newline at end of file +fi -- 2.39.2 From fca895a231be0572a3d77aec7df9e3afd053d55c Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Fri, 8 Apr 2022 11:05:46 +0200 Subject: [PATCH 024/497] nagios-nrpe: fix copy/paste error --- nagios-nrpe/templates/evolix.cfg.j2 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2 index be42c97a..d3d102f0 100644 --- a/nagios-nrpe/templates/evolix.cfg.j2 +++ b/nagios-nrpe/templates/evolix.cfg.j2 @@ -83,7 +83,8 @@ command[check_php-fpm74]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi command[check_php-fpm80]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php80/rootfs/etc/php/8.0/fpm/pool.d/ command[check_php-fpm81]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php81/rootfs/etc/php/8.1/fpm/pool.d/ command[check_ipmi_sensors]=sudo /usr/lib/nagios/plugins/check_ipmi_sensor -command[check_raid_status]={{ nagios_plugins_directory }}/check_dhcp_pool +command[check_raid_status]=/usr/lib/nagios/plugins/check_raid +command[check_dhcp_pool]={{ nagios_plugins_directory }}/check_dhcp_pool # Check HTTP "many". Use this to check many websites (http, https, ports, sockets and SSL certificates). # Beware! All checks must not take more than 10s! -- 2.39.2 From 84178d6b24225acf9d3965e0adcb03f76f526bc8 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 8 Apr 2022 11:57:33 +0200 Subject: [PATCH 025/497] Tomcat 9 by default with Debian 11 --- CHANGELOG.md | 1 + tomcat/tasks/packages.yml | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 58426028..2251ea66 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
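Review bot: `command[check_dhcp_pool]={{ nagios_plugins_directory }}/check_dhcp_pool` runs the plugin as the NRPE user without `sudo`, unlike the privileged checks above it such as check_ipmi_sensors, so it depends on /etc/dhcp/dhcpd.conf and /var/lib/dhcp/dhcpd.leases being readable by that user; where they are not, the plugin's `open(...) || exit -1` exits 255 with no output, which Nagios shows as an out-of-bounds return code rather than a clear UNKNOWN. On Debian both files are usually world-readable, so this may be fine in practice, but the requirement belongs in the role documentation next to the new command.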
@@ -27,6 +27,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * minifirewall: tail template follows symlinks * minifirewall: upstream release 22.03.5 * openvpn: use a subnet topology instead of the net30 default topology +* tomcat: Tomcat 9 by default with Debian 11 ### Fixed diff --git a/tomcat/tasks/packages.yml b/tomcat/tasks/packages.yml index 9b7995cc..f1b968cc 100644 --- a/tomcat/tasks/packages.yml +++ b/tomcat/tasks/packages.yml @@ -21,9 +21,9 @@ - ansible_distribution_release == "buster" - tomcat_version is not defined -- name: Set Tomcat version to 10 on Debian 11 if missing +- name: Set Tomcat version to 9 on Debian 11 if missing set_fact: - tomcat_version: 10 + tomcat_version: 9 when: - ansible_distribution_release == "bullseye" - tomcat_version is not defined -- 2.39.2 From e3a75b9584a663607eef45730cd7450f4b22ade4 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Mon, 11 Apr 2022 16:34:39 +0200 Subject: [PATCH 026/497] detect OOM --- evolinux-base/handlers/main.yml | 5 +++++ evolinux-base/tasks/log2mail.yml | 17 +++++++++++++++++ 2 files changed, 22 insertions(+) diff --git a/evolinux-base/handlers/main.yml b/evolinux-base/handlers/main.yml index 80b7378e..7331a245 100644 --- a/evolinux-base/handlers/main.yml +++ b/evolinux-base/handlers/main.yml @@ -72,3 +72,8 @@ name: postfix state: reloaded +- name: restart log2mail + service: + name: log2mail + state: restarted + diff --git a/evolinux-base/tasks/log2mail.yml b/evolinux-base/tasks/log2mail.yml index e6f624c1..35ce19cf 100644 --- a/evolinux-base/tasks/log2mail.yml +++ b/evolinux-base/tasks/log2mail.yml 
@@ -16,3 +16,20 @@
 daemon-reload: yes
 state: started
 enabled: yes
+
+- name: log2mail config is present
+ blockinfile:
+ dest: /etc/log2mail/config/default
+ owner: log2mail
+ group: adm
+ mode: "0640"
+ marker: "# {mark} ANSIBLE MANAGED RULES FOR DEFAULT INSTANCE"
+ block: |
+ file = /var/log/syslog
+ pattern = "Out of memory: Kill"
+ mailto = {{ log2mail_alert_email or general_alert_email | mandatory }}
+ template = /etc/log2mail/mail
+ notify: restart log2mail
+ tags:
+ - log2mail
+
-- 2.39.2 From 959d6a857986678972c2da8778d057875d0efff9 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Tue, 12 Apr 2022 11:27:46 +0200 Subject: [PATCH 027/497] redis : Activate overcommit sysctl
---
 CHANGELOG.md | 3 ++-
 redis/tasks/main.yml | 8 ++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2251ea66..ba1a6561 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,9 +12,10 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ### Added
-* minifirewall: configure proxy/backup/sysctl values
 * etc-git: Commit /etc in lxc containers when they are git repositories
+* minifirewall: configure proxy/backup/sysctl values
 * nagios-nrpe: Add a check dhcp_pool
+* redis : Activate overcommit sysctl
 ### Changed
diff --git a/redis/tasks/main.yml b/redis/tasks/main.yml
index 90f0aa12..10598aa6 100644
--- a/redis/tasks/main.yml
+++ b/redis/tasks/main.yml
@@ -22,6 +22,14 @@
 - packages
 when: redis_sentinel_install | bool
+- name: Linux kernel overcommit memory setting is enabled
+ sysctl:
+ name: "vm.overcommit_memory"
+ value: "1"
+ sysctl_file: "/etc/sysctl.d/evolinux-redis.conf"
+ state: present
+ reload: yes
+
 - name: Get Redis version
 shell: "redis-server -v | grep -Eo '(v=\\S+)' | cut -d'=' -f 2 | grep -E '^([0-9]|\\.)+$'"
 changed_when: false
-- 2.39.2 From 4bf14b9a2292acb51cd37e7492837cbd81188ad0 Mon Sep 17 00:00:00 2001
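Review bot: In `mailto = {{ log2mail_alert_email or general_alert_email | mandatory }}` the `mandatory` filter binds only to `general_alert_email`, so when `log2mail_alert_email` is not defined at all the template presumably fails with an undefined-variable error rather than falling back (an empty or false value falls through as intended); `{{ (log2mail_alert_email | default('', true)) or (general_alert_email | mandatory) }}` makes the precedence explicit. The pattern `"Out of memory: Kill"` stops short of the verb deliberately, so that it matches the kernel's older "Kill process" and newer "Killed process" wording; a one-line comment above `pattern` saying so would stop a future reader from "completing" it.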
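Review bot: `vm.overcommit_memory: "1"` is a host-wide kernel setting, not a Redis setting — it disables the heuristic overcommit check for every process on the machine, including co-hosted services and LXC containers sharing the kernel — yet the task runs unconditionally, with no `when`, no role variable, and no mention in the role defaults or README. Make it opt-out through a boolean role variable (a constructed example: `redis_sysctl_overcommit`), and state in the task name or a comment that Redis warns at startup when this value is not set, so the reader knows why a global knob is being turned by a service role. The CHANGELOG entry `redis : Activate overcommit sysctl` could carry the same "host-wide" remark.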
From: Jeremy Dubois Date: Thu, 14 Apr 2022 10:45:24 +0200 Subject: [PATCH 028/497] munin: Add possibility to install local plugins, and install dhcp_pool plugin --- CHANGELOG.md | 1 + munin/files/plugins/dhcp_pool | 213 ++++++++++++++++++++++++++++++++++ munin/tasks/main.yml | 9 ++ 3 files changed, 223 insertions(+) create mode 100644 munin/files/plugins/dhcp_pool diff --git a/CHANGELOG.md b/CHANGELOG.md index ba1a6561..4c4f480d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * minifirewall: configure proxy/backup/sysctl values * nagios-nrpe: Add a check dhcp_pool * redis : Activate overcommit sysctl +* munin: Add possibility to install local plugins, and install dhcp_pool plugin ### Changed diff --git a/munin/files/plugins/dhcp_pool b/munin/files/plugins/dhcp_pool new file mode 100644 index 00000000..c33da5a7 --- /dev/null +++ b/munin/files/plugins/dhcp_pool 
@@ -0,0 +1,213 @@ +#!/usr/bin/perl -w +# +# Copyright (C) 2008 Rien Broekstra +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; version 2 dated June, +# 1991. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +# +# +# Munin plugin to measure saturation of DHCP pools. +# +# Configuration variables: +# +# conffile - path to dhcpd's configuration file (default "/etc/dhcpd.conf") +# leasefile - path to dhcpd's leases file (default "/var/lib/dhcp/dhcpd.leases") +# +# Parameters: +# +# config (required) +# +# Version 1.0, 2-12-2008 +# +#%# family=auto +#%# capabilities=autoconf + +use POSIX; +use Time::Local; +use strict; + +my $CONFFILE = exists $ENV{'conffile'} ? $ENV{'conffile'} : "/etc/dhcp/dhcpd.conf"; +my $LEASEFILE = exists $ENV{'leasefile'} ? 
$ENV{'leasefile'} : "/var/lib/dhcp/dhcpd.leases"; + +if ( defined $ARGV[0] and $ARGV[0] eq "autoconf" ) { + if (-e ${CONFFILE} and -e ${LEASEFILE}) { + my %pools; + %pools = determine_pools(); + if (%pools) { + print "yes\n"; + } else { + print "no (no pools defined in config)\n"; + } + } else { + print "no (no config or lease file)\n"; + } +} +elsif ( defined $ARGV[0] and $ARGV[0] eq "config" ) { + my (%pools, $start, $label); + + # Print general information + print "graph_title DHCP pool usage (in %)\n"; + print "graph_args --upper-limit 100 -l 0\n"; + print "graph_vlabel %\n"; +#___ORI___# print "graph_category network\n"; + print "graph_category dhcpd\n"; + + # Determine the available IP pools + %pools = determine_pools(); + + # Print a label for each pool + foreach $start (sort (keys %pools)) { + $label = ip2string($start); + $label =~ s/\./\_/g; + print "_$label.label Pool " . ip2string($start) . " - " . ip2string($start + $pools{$start} - 1) . "\n"; + print "_$label.warning 90\n"; + print "_$label.critical 100\n"; + } +} +else { + my (@activeleases, %pools, $start, $end, $size, $free, $label, $lease); + + # Determine all leased IP addresses + @activeleases = determine_active_leases(); + + # Determine the available IP pools + %pools = determine_pools(); + + # For each pool, count how many leases from that pool are currently active + foreach $start (keys %pools) { + $size = $pools{$start}; + $end = $start+$size-1; + $free = $size; + + foreach $lease (@activeleases) { + if ($lease >= $start && $lease <= $end) { + $free--; + } + } + $label = ip2string($start); + $label =~ s/\./\_/g; + print "_$label.value ".sprintf("%.1f", 100*($size-$free)/$size)."\n"; + } +} + +# Parse dhcpd.conf for range statements. 
+# +# Returns a hash with start IP -> size +sub determine_pools { + my (%pools, @conffile, $line, $start, $end, $size); + + open(CONFFILE, "<${CONFFILE}") || exit -1; + @conffile = ; + close (CONFFILE); + + foreach $line (@conffile) { + next if $line =~ /^\s*#/; + + if ($line =~ /range[\s]+([\d]+\.[\d]+\.[\d]+\.[\d]+)[\s]+([\d]+\.[\d]+\.[\d]+\.[\d]+)/) { + $start = string2ip($1); + $end = string2ip($2); + + defined($start) || next; + defined($end) || next; + + # The range statement gives the lowest and highest IP addresses in a range. + $size = $end - $start + 1; + + $pools{$start} = $size; + } + } + return %pools; +} + +# Very simple parser for dhcpd.leases. This will break very easily if dhcpd decides to +# format the file differently. Ideally a simple recursive-descent parser should be used. +# +# Returns an array with currently leased IP's +sub determine_active_leases { + my (@leasefile, $startdate, $enddate, $lease, @activeleases, $mytz, $line, %saw); + + open(LEASEFILE, "<${LEASEFILE}") || exit -1; + @leasefile = ; + close (LEASEFILE); + + @activeleases = (); + + # Portable way of converting a GMT date/time string to timestamp is setting TZ to UTC, and then calling mktime() + $mytz = $ENV{'TZ'}; + $ENV{'TZ'} = 'UTC 0'; + tzset(); + + foreach $line (@leasefile) { + if ($line =~ /lease ([\d]+\.[\d]+\.[\d]+\.[\d]+)/) { + $lease = string2ip($1); + defined($lease) || next; + + undef $startdate; + undef $enddate; + } + elsif ($line =~ /starts \d ([\d]{4})\/([\d]{2})\/([\d]{2}) ([\d]{2}):([\d]{2}):([\d]{2})/) { + $startdate = mktime($6, $5, $4, $3, $2-1, $1-1900, 0, 0); + } + elsif ($line =~ /ends \d ([\d]{4})\/([\d]{2})\/([\d]{2}) ([\d]{2}):([\d]{2}):([\d]{2})/) { + $enddate = mktime($6, $5, $4, $3, $2-1, $1-1900, 0, 0); + } + elsif ($line =~ /binding state active/) { + if (defined($enddate) && defined($startdate) && defined($lease)) { + if ($startdate < time() && $enddate > time()) { + push (@activeleases, $lease); + } + } + } + + } + + # Set TZ back to its 
original setting + if (defined($mytz)) { + $ENV{'TZ'} = $mytz; + } + else { + delete $ENV{'TZ'}; + } + tzset(); + + # Sort the array, strip doubles, and return + return grep(!$saw{$_}++, @activeleases); +} + +# +# Helper routine to convert an IP address a.b.c.d into an integer +# +# Returns an integer representation of an IP address +sub string2ip { + my $string = shift; + defined($string) || return undef; + if ($string =~ /([\d]+)\.([\d]+)\.([\d]+)\.([\d]+)/) { + if ($1 < 0 || $1 > 255 || $2 < 0 || $2 > 255 || $3 < 0 || $3 > 255 || $4 < 0 || $4 > 255) { + return undef; + } + else { + return $1 << 24 | $2 << 16 | $3 << 8 | $4; + } + } + return undef; +} + +# +# Returns a dotted quad notation of an +# +sub ip2string { + my $ip = shift; + defined ($ip) || return undef; + return sprintf ("%d.%d.%d.%d", ($ip >> 24) & 0xff, ($ip >> 16) & 0xff, ($ip >> 8) & 0xff, $ip & 0xff); +} diff --git a/munin/tasks/main.yml b/munin/tasks/main.yml index d7cf8e2a..c4eee575 100644 --- a/munin/tasks/main.yml +++ b/munin/tasks/main.yml @@ -31,6 +31,15 @@ tags: - munin +- name: Install some Munin plugins (disabled) + copy: + src: 'plugins/{{ item }}' + dest: '/usr/share/munin/plugins/{{ item }}' + loop: + - dhcp_pool + tags: + - munin + - name: Ensure some Munin plugins are disabled file: path: '/etc/munin/plugins/{{ item }}' -- 2.39.2 From 9161fae0c415ae3a912baf162e94478d4a385acf Mon Sep 17 00:00:00 2001 
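Review bot: In the `autoconf` branch the plugin tests `-e ${CONFFILE} and -e ${LEASEFILE}` and then calls determine_pools(), whose `open(CONFFILE, "<${CONFFILE}") || exit -1;` terminates the process with status 255 when the file exists but is unreadable by the munin user, so munin-node-configure gets no `no (...)` answer at all; testing `-r` instead of `-e` here keeps autoconf within the protocol (the open/exit problem itself, and the zero-size range case, are raised at the check_dhcp_pool hunk of PATCH 020, which this file duplicates). The commented-out line `#___ORI___# print "graph_category network\n";` records the deviation from upstream behind a private marker; a plain comment such as `# upstream uses graph_category network; grouped under dhcpd here` says the same thing without the decoration.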
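Review bot: The `Install some Munin plugins (disabled)` copy task sets no `mode`, and the source file is committed as `100644` (see the `new file mode 100644` header for munin/files/plugins/dhcp_pool, against `100755` for the NRPE plugin in PATCH 020), so /usr/share/munin/plugins/dhcp_pool lands non-executable and munin-node cannot run it once it is linked into /etc/munin/plugins; add `mode: "0755"` to the copy task. A short comment saying that the plugin is only installed here and must be enabled per host would also explain the "(disabled)" in the task name.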
From: Jeremy Dubois Date: Thu, 14 Apr 2022 16:34:43 +0200 Subject: [PATCH 029/497] openvpn: use a local copy of files instead of cloning an external git repository --- CHANGELOG.md | 1 + openvpn/files/shellpki/cert-expirations.sh | 26 + openvpn/files/shellpki/openssl.cnf | 58 + openvpn/files/shellpki/shellpki | 1106 ++++++++++++++++++++ openvpn/tasks/debian.yml | 43 +- openvpn/tasks/openbsd.yml | 40 +- 6 files changed, 1199 insertions(+), 75 deletions(-) create mode 100644 openvpn/files/shellpki/cert-expirations.sh create mode 100644 openvpn/files/shellpki/openssl.cnf create mode 100755 openvpn/files/shellpki/shellpki diff --git a/CHANGELOG.md b/CHANGELOG.md index 4c4f480d..15d5e347 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -30,6 +30,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * minifirewall: upstream release 22.03.5 * openvpn: use a subnet topology instead of the net30 default topology * tomcat: Tomcat 9 by default with Debian 11 +* openvpn: use a local copy of files instead of cloning an external git repository ### Fixed diff --git a/openvpn/files/shellpki/cert-expirations.sh b/openvpn/files/shellpki/cert-expirations.sh new file mode 100644 index 00000000..9e27dcc7 --- /dev/null +++ b/openvpn/files/shellpki/cert-expirations.sh 
@@ -0,0 +1,26 @@ +#!/bin/sh + +carp=$(/sbin/ifconfig carp0 2>/dev/null | grep 'status' | cut -d' ' -f2) + +if [ "$carp" = "backup" ]; then + exit 0 +fi + +echo "Warning : all times are in UTC !\n" + +echo "CA certificate:" +openssl x509 -enddate -noout -in /etc/shellpki/cacert.pem \ + | cut -d '=' -f 2 \ + | sed -e "s/^\(.*\)\ \(20..\).*/- \2 \1/" + +echo "" + +echo "Client certificates:" +cat /etc/shellpki/index.txt \ + | grep ^V \ + | awk -F "/" '{print $1,$5}' \ + | awk '{print $2,$5}' \ + | sed 's/CN=//' \ + | sed -E 's/([[:digit:]]{2})([[:digit:]]{2})([[:digit:]]{2})([[:digit:]]{2})([[:digit:]]{2})([[:digit:]]{2})Z (.*)/- 20\1 \2 \3 \4:\5:\6 \7/' \ + | awk '{if ($3 == "01") $3="Jan"; else if ($3 == "02") $3="Feb"; else if ($3 == "03") $3="Mar"; else if ($3 == "04") $3="Apr"; else if ($3 == "05") $3="May"; else if ($3 == "06") $3="Jun"; else if ($3 == "07") $3="Jul"; else if ($3 == "08") $3="Aug"; else if ($3 == "09") $3="Sep"; else if ($3 == "10") $3="Oct"; else if ($3 == "11") $3="Nov"; else if ($3 == "12") $3="Dec"; print $0;}' \ + | sort -n -k 2 -k 3M -k 4 diff --git a/openvpn/files/shellpki/openssl.cnf b/openvpn/files/shellpki/openssl.cnf new file mode 100644 index 00000000..2c87f10d --- /dev/null +++ b/openvpn/files/shellpki/openssl.cnf 
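Review bot: `echo "Warning : all times are in UTC !\n"` relies on `echo` interpreting `\n`, which differs between /bin/sh implementations (dash does, bash acting as sh does not, OpenBSD ksh depends on its options), so on some hosts the trailing blank line is printed as a literal `\n`; `printf 'Warning : all times are in UTC !\n\n'` behaves the same everywhere. `cat /etc/shellpki/index.txt | grep ^V` can start at `grep '^V' /etc/shellpki/index.txt`. The early `exit 0` on a CARP backup produces no output at all, which is correct for the active/backup pair but deserves a one-line comment so nobody reads an empty report as "no certificates".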
@@ -0,0 +1,58 @@ +[ ca ] +default_ca = CA_default + +[ CA_default ] +dir = /etc/shellpki +certs = $dir/certs +new_certs_dir = $dir/tmp +database = $dir/index.txt +certificate = $dir/cacert.pem +serial = $dir/serial +crl = $dir/crl.pem +private_key = $dir/cakey.key +RANDFILE = $dir/.rand +default_days = 365 +default_crl_days= 365 +default_md = sha256 +preserve = no +policy = policy_match + +[ policy_match ] +countryName = supplied +stateOrProvinceName = supplied +organizationName = supplied +organizationalUnitName = optional +commonName = supplied +emailAddress = supplied + +[ req ] +default_bits = 2048 +distinguished_name = req_distinguished_name + +[ v3_ca ] +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer:always +basicConstraints = CA:true + +[ v3_ocsp ] +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = OCSPSigning + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = FR +countryName_min = 2 +countryName_max = 2 +stateOrProvinceName = State or Province +stateOrProvinceName_default = 13 +localityName = Locality Name (eg, city) +localityName_default = Marseille +0.organizationName = Organization Name (eg, company) +0.organizationName_default = Evolix +organizationalUnitName = Organizational Unit Name (eg, section) +commonName = Common Name (eg, your name or your server\'s hostname) +commonName_max = 64 +emailAddress = Email Address +emailAddress_default = security@evolix.net +emailAddress_max = 40 diff --git a/openvpn/files/shellpki/shellpki b/openvpn/files/shellpki/shellpki new file mode 100755 index 00000000..5d139866 --- /dev/null +++ b/openvpn/files/shellpki/shellpki 
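Review bot: `[ CA_default ]` sets no `x509_extensions`, and the only extension sections are `v3_ca` and `v3_ocsp`, so certificates signed with `openssl ca -config` this file (the shellpki `create` path added in this patch passes no `-extensions`) are issued without basicConstraints, keyUsage or extendedKeyUsage; OpenVPN's `remote-cert-tls` / `remote-cert-ku` / `remote-cert-eku` checks rely on those being present. `v3_ca` also leaves the CA key's usage unconstrained; `basicConstraints = critical, CA:true` plus `keyUsage = critical, keyCertSign, cRLSign` is the usual minimum for a root that only signs certificates and CRLs. A `usr_cert` section wired in through `x509_extensions` covers the issued client certificates without touching shellpki.
```ini
[ CA_default ]
# … unchanged: dir, certs, new_certs_dir, database, certificate, serial, crl, private_key, RANDFILE, default_* …
x509_extensions = usr_cert

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign

[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
```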
@@ -0,0 +1,1106 @@ +#!/bin/sh +# +# shellpki is a wrapper around OpenSSL to manage a small PKI +# + +set -u + +VERSION="22.04" + +show_version() { + cat <, + Thomas Martin , + Gregory Colpart , + Romain Dessort , + Benoit Série , + Victor Laborie , + Daniel Jakots , + Patrick Marchand , + Jérémy Lecour , + Jérémy Dubois + and others. + +shellpki comes with ABSOLUTELY NO WARRANTY. This is free software, +and you are welcome to redistribute it under certain conditions. +See the MIT Licence for details. +END +} + +show_usage() { + cat < [options] [CommonName] +Warning: [options] always must be before [CommonName] and after + +EOF +show_usage_init +show_usage_create +show_usage_revoke +show_usage_list +show_usage_check +show_usage_ocsp + + cat < + + Options + --non-interactive do not prompt the user, and exit if an error occurs + +EOF +} + +show_usage_create() { + cat < + + Options + -f, --file, --csr-file create a client certificate from a CSR (doesn't need key) + -p, --password prompt the user for a password to set on the client key + --password-file if provided with a path to a readable file, the first line is read and set as password on the client key + --days specify how many days the certificate should be valid + --end-date specify until which date the certificate should be valid, in "YYYY/MM/DD hh:mm:ss" format, UTC +0 + --non-interactive do not prompt the user, and exit if an error occurs + --replace-existing if the certificate already exists, revoke it before creating a new one + +EOF +} + +show_usage_revoke() { + cat < + + Options + --non-interactive do not prompt the user, and exit if an error occurs + +EOF +} + +show_usage_list() { + cat < + + Options + -a, --all list all certificates: valid and revoked ones + -v, --valid list all valid certificates + -r, --revoked list all revoked certificates + +EOF +} + +show_usage_check() { + cat < + +EOF +} + +error() { + echo "${1}" >&2 + exit 1 +} + +warning() { + echo "${1}" >&2 +} + +verify_ca_password() { + 
"${OPENSSL_BIN}" rsa \ + -in "${CA_KEY}" \ + -passin pass:"${CA_PASSWORD}" \ + >/dev/null 2>&1 +} +get_real_path() { + # --canonicalize is supported on Linux + # -f is supported on Linux and OpenBSD + readlink -f -- "${1}" +} + +ask_ca_password() { + attempt=${1:-0} + max_attempts=3 + + trap 'unset CA_PASSWORD' 0 + + if [ ! -f "${CA_KEY}" ]; then + error "You must initialize your PKI with \`shellpki init' !" + fi + if [ "${attempt}" -gt 0 ]; then + warning "Invalid password, retry." + fi + if [ "${attempt}" -ge "${max_attempts}" ]; then + error "Maximum number of attempts reached (${max_attempts})." + fi + if [ -z "${CA_PASSWORD:-}" ]; then + if [ "${non_interactive}" -eq 1 ]; then + error "In non-interactive mode, you must pass CA_PASSWORD as environment variable" + fi + stty -echo + printf "Password for CA key: " + read -r CA_PASSWORD + stty echo + printf "\n" + fi + if [ -z "${CA_PASSWORD:-}" ] || ! verify_ca_password; then + unset CA_PASSWORD + attempt=$(( attempt + 1 )) + ask_ca_password "${attempt}" + fi +} +ask_user_password() { + trap 'unset PASSWORD' 0 + + if [ -z "${PASSWORD:-}" ]; then + if [ "${non_interactive}" -eq 1 ]; then + error "In non-interactive mode, you must pass PASSWORD as environment variable or use --password-file" + fi + stty -echo + printf "Password for user key: " + read -r PASSWORD + stty echo + printf "\n" + fi + if [ -z "${PASSWORD:-}" ]; then + warning "Warning: empty password from input" + fi +} +replace_existing_or_abort() { + cn=${1:?} + if [ "${non_interactive}" -eq 1 ]; then + if [ "${replace_existing}" -eq 1 ]; then + revoke --non-interactive "${cn}" + else + error "${cn} already exists, use \`--replace-existing' to force" + fi + else + if [ "${replace_existing}" -eq 1 ]; then + revoke "${cn}" + else + printf "%s already exists, do you want to revoke and recreate it ? 
[y/N] " "${cn}" + read -r REPLY + resp=$(echo "${REPLY}" | tr 'Y' 'y') + + if [ "${resp}" = "y" ]; then + revoke "${cn}" + else + error "Aborted" + fi + fi + fi +} + +init() { + umask 0177 + + [ -d "${CA_DIR}" ] || mkdir -m 0750 "${CA_DIR}" + [ -d "${CRT_DIR}" ] || mkdir -m 0750 "${CRT_DIR}" + [ -f "${INDEX_FILE}" ] || touch "${INDEX_FILE}" + [ -f "${CRL}" ] || touch "${CRL}" + [ -f "${SERIAL}" ] || echo "01" > "${SERIAL}" + + non_interactive=0 + + # Parse options + # based on https://gist.github.com/deshion/10d3cb5f88a21671e17a + while :; do + case ${1:-} in + --non-interactive) + non_interactive=1 + ;; + --) + # End of all options. + shift + break + ;; + -?*) + # ignore unknown options + warning "Warning: unknown option (ignored): \`$1'" + ;; + *) + # Default case: If no more options then break out of the loop. + break + ;; + esac + + shift + done + + cn="${1:-}" + if [ -z "${cn}" ]; then + show_usage_init >&2 + exit 1 + fi + + if [ -f "${CA_KEY}" ]; then + if [ "${non_interactive}" -eq 1 ]; then + error "${CA_KEY} already exists, erase it manually if you want to start over." + else + printf "%s already exists, do you really want to erase it ? [y/N] " "${CA_KEY}" + read -r REPLY + resp=$(echo "${REPLY}" | tr 'Y' 'y') + if [ "${resp}" = "y" ]; then + rm -f "${CA_KEY}" "${CA_CERT}" + fi + fi + fi + + passout_arg="" + if [ -n "${CA_PASSWORD:-}" ]; then + passout_arg="-passout pass:${CA_PASSWORD}" + elif [ "${non_interactive}" -eq 1 ]; then + error "In non-interactive mode, you must pass CA_PASSWORD as environment variable." + fi + + if [ ! -f "${CA_KEY}" ]; then + "${OPENSSL_BIN}" genrsa \ + -out "${CA_KEY}" \ + ${passout_arg} \ + -aes256 \ + "${CA_KEY_LENGTH}" \ + >/dev/null 2>&1 + # shellcheck disable=SC2181 + if [ "$?" -ne 0 ]; then + error "Error generating the CA key" + fi + fi + + if [ -f "${CA_CERT}" ]; then + if [ "${non_interactive}" -eq 1 ]; then + error "${CA_CERT} already exists, erase it manually if you want to start over." 
+ else + printf "%s already exists, do you really want to erase it ? [y/N] " "${CA_CERT}" + read -r REPLY + resp=$(echo "${REPLY}" | tr 'Y' 'y') + if [ "${resp}" = "y" ]; then + rm "${CA_CERT}" + fi + fi + fi + + if [ ! -f "${CA_CERT}" ]; then + ask_ca_password 0 + fi + + if [ ! -f "${CA_CERT}" ]; then + "${OPENSSL_BIN}" req \ + -new \ + -batch \ + -sha512 \ + -x509 \ + -days 3650 \ + -extensions v3_ca \ + -passin pass:"${CA_PASSWORD}" \ + -key "${CA_KEY}" \ + -out "${CA_CERT}" \ + -config /dev/stdin <&2 + exit 1 + fi + ocsp_csr_file="${CSR_DIR}/ocsp.csr" + + url=$(echo "${ocsp_uri}" | cut -d':' -f1) + port=$(echo "${ocsp_uri}" | cut -d':' -f2) + + if [ ! -f "${OCSP_KEY}" ]; then + "${OPENSSL_BIN}" genrsa \ + -out "${OCSP_KEY}" \ + "${KEY_LENGTH}" \ + >/dev/null 2>&1 + # shellcheck disable=SC2181 + if [ "$?" -ne 0 ]; then + error "Error generating the OCSP key" + fi + fi + + "${OPENSSL_BIN}" req \ + -batch \ + -new \ + -key "${OCSP_KEY}" \ + -out "${ocsp_csr_file}" \ + -config /dev/stdin < /dev/null) + # shellcheck disable=SC2181 + if [ "$?" -ne 0 ]; then + error "Invalid end date format: \`${end_date}' can't be parsed by date(1). Expected format: YYYY/MM/DD [hh[:mm[:ss]]]." + else + crt_expiration_arg="-enddate ${cert_end_date}" + fi + elif [ "${SYSTEM}" = "openbsd" ]; then + cert_end_date=$(TZ=:Zulu date -f "%C%y/%m/%d %H:%M:%S" -j "${end_date}" +"%Y%m%d%H%M%SZ" 2> /dev/null) + # shellcheck disable=SC2181 + if [ "$?" -ne 0 ]; then + error "Invalid end date format: \`${end_date}' can't be parsed by date(1). Expected format: YYYY/MM/DD hh:mm:ss." + else + crt_expiration_arg="-enddate ${cert_end_date}" + fi + else + error "System ${SYSTEM} not supported." 
+ fi + fi + if [ "${non_interactive}" -eq 1 ]; then + batch_arg="-batch" + else + batch_arg="" + fi + + if [ "${from_csr}" -eq 1 ]; then + if [ "${ask_pass}" -eq 1 ]; then + warning "Warning: -p|--password is ignored with -f|--file|--crt-file" + fi + if [ -n "${password_file:-}" ]; then + warning "Warning: --password-file is ignored with -f|--file|--crt-file" + fi + + crt_file="${CRT_DIR}/${cn}.crt" + + # ask for CA passphrase + ask_ca_password 0 + + # check if csr_file is a CSR + "${OPENSSL_BIN}" req \ + -noout \ + -subject \ + -in "${csr_file}" \ + >/dev/null 2>&1 + # shellcheck disable=SC2181 + if [ "$?" -ne 0 ]; then + error "${csr_file} is not a valid CSR !" + fi + + # check if csr_file contain a CN + "${OPENSSL_BIN}" req \ + -noout \ + -subject \ + -in "${csr_file}" \ + | grep -Eo "CN\s*=[^,/]*" \ + >/dev/null 2>&1 + # shellcheck disable=SC2181 + if [ "$?" -ne 0 ]; then + error "${csr_file} doesn't contain a CommonName !" + fi + + # get CN from CSR + cn=$("${OPENSSL_BIN}" req -noout -subject -in "${csr_file}" | grep -Eo "CN\s*=[^,/]*" | cut -d'=' -f2 | xargs) + + # check if CN already exists + if [ -f "${crt_file}" ]; then + replace_existing_or_abort "${cn}" + fi + + # ca sign and generate cert + if [ "${non_interactive}" -eq 1 ]; then + batch_arg="-batch" + else + batch_arg="" + fi + "${OPENSSL_BIN}" ca \ + ${batch_arg} \ + -config "${CONF_FILE}" \ + -in "${csr_file}" \ + -passin pass:"${CA_PASSWORD}" \ + -out "${crt_file}" \ + ${crt_expiration_arg} + # shellcheck disable=SC2181 + if [ "$?" 
-ne 0 ]; then + error "Error generating the certificate" + else + echo "The certificate file is available at \`${crt_file}'" + fi + else + if [ -z "${cn}" ]; then + show_usage_create >&2 + exit 1 + fi + csr_file="${CSR_DIR}/${cn}-${SUFFIX}.csr" + crt_file="${CRT_DIR}/${cn}.crt" + key_file="${KEY_DIR}/${cn}-${SUFFIX}.key" + ovpn_file="${OVPN_DIR}/${cn}-${SUFFIX}.ovpn" + pkcs12_file="${PKCS12_DIR}/${cn}-${SUFFIX}.p12" + + # ask for CA passphrase + ask_ca_password 0 + + if [ "${ask_pass}" -eq 1 ]; then + ask_user_password + fi + + # check if CN already exists + if [ -f "${crt_file}" ]; then + replace_existing_or_abort "${cn}" + fi + + # generate private key + pass_args="" + if [ -n "${password_file:-}" ]; then + pass_args="-aes256 -passout file:${password_file}" + elif [ -n "${PASSWORD:-}" ]; then + pass_args="-aes256 -passout pass:${PASSWORD}" + fi + "${OPENSSL_BIN}" genrsa \ + -out "${key_file}" \ + ${pass_args} \ + "${KEY_LENGTH}" \ + >/dev/null 2>&1 + # shellcheck disable=SC2181 + if [ "$?" -eq 0 ]; then + echo "The KEY file is available at \`${key_file}'" + else + error "Error generating the private key" + fi + + # generate csr req + pass_args="" + if [ -n "${password_file:-}" ]; then + pass_args="-passin file:${password_file}" + elif [ -n "${PASSWORD:-}" ]; then + pass_args="-passin pass:${PASSWORD}" + fi + "${OPENSSL_BIN}" req \ + -batch \ + -new \ + -key "${key_file}" \ + -out "${csr_file}" \ + ${pass_args} \ + -config /dev/stdin </dev/null 2>&1 + # shellcheck disable=SC2181 + if [ "$?" -ne 0 ]; then + rm -f "${crt_file}" + fi + if [ ! 
-f "${crt_file}" ]; then + error "Error in CSR creation" + fi + + chmod 640 "${crt_file}" + + echo "The CRT file is available in ${crt_file}" + + # generate pkcs12 format + pass_args="" + if [ -n "${password_file:-}" ]; then + # Hack for pkcs12 : + # If passin and passout files are the same path, it expects 2 lines + # so we make a temporary copy of the password file + password_file_out=$(mktemp) + cp "${password_file}" "${password_file_out}" + pass_args="-passin file:${password_file} -passout file:${password_file_out}" + elif [ -n "${PASSWORD:-}" ]; then + pass_args="-passin pass:${PASSWORD} -passout pass:${PASSWORD}" + else + pass_args="-passout pass:" + fi + "${OPENSSL_BIN}" pkcs12 \ + -export \ + -nodes \ + -inkey "${key_file}" \ + -in "${crt_file}" \ + -out "${pkcs12_file}" \ + ${pass_args} + # shellcheck disable=SC2181 + if [ "$?" -ne 0 ]; then + error "Error generating the pkcs12 file" + fi + + if [ -n "${password_file_out:-}" ]; then + # Hack for pkcs12 : + # Destroy the temporary file + rm -f "${password_file_out}" + fi + + chmod 640 "${pkcs12_file}" + echo "The PKCS12 config file is available at \`${pkcs12_file}'" + + # generate openvpn format + if [ -e "${CA_DIR}/ovpn.conf" ]; then + cat "${CA_DIR}/ovpn.conf" - > "${ovpn_file}" < +$(cat "${CA_CERT}") + + + +$(cat "${crt_file}") + + + +$(cat "${key_file}") + +EOF + chmod 640 "${ovpn_file}" + echo "The OpenVPN config file is available at \`${ovpn_file}'" + fi + + # Copy files if destination exists + if [ -d "${COPY_DIR}" ]; then + for file in "${crt_file}" "${key_file}" "${pkcs12_file}" "${ovpn_file}"; do + if [ -f "${file}" ]; then + new_file="${COPY_DIR}/$(basename "${file}")" + if [ "${replace_existing}" -eq 1 ]; then + cp -f "${file}" "${COPY_DIR}/" + else + if [ "${non_interactive}" -eq 1 ]; then + if [ -f "${new_file}" ]; then + echo "File \`${file}' has not been copied to \`${new_file}', it already exists" >&2 + continue + else + cp "${file}" "${COPY_DIR}/" + fi + else + cp -i "${file}" 
"${COPY_DIR}/" + fi + fi + echo "File \`${file}' has been copied to \`${new_file}'" + fi + done + + # shellcheck disable=SC2086 + chown -R ${PKI_USER}:${PKI_USER} "${COPY_DIR}/" + chmod -R u=rwX,g=rwX,o= "${COPY_DIR}/" + fi + fi +} + +revoke() { + non_interactive=0 + + # Parse options + # based on https://gist.github.com/deshion/10d3cb5f88a21671e17a + while :; do + case ${1:-} in + --non-interactive) + non_interactive=1 + ;; + --) + # End of all options. + shift + break + ;; + -?*) + # ignore unknown options + warning "Warning: unknown option (ignored): \`$1'" + ;; + *) + # Default case: If no more options then break out of the loop. + break + ;; + esac + + shift + done + + # The name of the certificate + cn="${1:-}" + + if [ -z "${cn}" ]; then + show_usage_revoke >&2 + exit 1 + fi + + crt_file="${CRT_DIR}/${cn}.crt" + # check if CRT exists + if [ ! -f "${crt_file}" ]; then + error "Unknow CN: ${cn} (\`${crt_file}' not found)" + fi + + # check if CRT is a valid + "${OPENSSL_BIN}" x509 \ + -noout \ + -subject \ + -in "${crt_file}" \ + >/dev/null 2>&1 + # shellcheck disable=SC2181 + if [ "$?" -ne 0 ]; then + error "${crt_file} is not a valid CRT, you must delete it !" + fi + + # ask for CA passphrase + ask_ca_password 0 + + echo "Revoke certificate ${crt_file} :" + "${OPENSSL_BIN}" ca \ + -config "${CONF_FILE}" \ + -passin pass:"${CA_PASSWORD}" \ + -revoke "${crt_file}" + # shellcheck disable=SC2181 + if [ "$?" -eq 0 ]; then + rm "${crt_file}" + fi + + "${OPENSSL_BIN}" ca \ + -config "${CONF_FILE}" \ + -passin pass:"${CA_PASSWORD}" \ + -gencrl \ + -out "${CRL}" +} + +list() { + if [ ! 
-f "${INDEX_FILE}" ]; then + exit 0 + fi + + if [ -z "${1:-}" ]; then + show_usage_list >&2 + exit 1 + fi + + while :; do + case "${1:-}" in + -a|--all) + list_valid=0 + list_revoked=0 + ;; + -v|--valid) + list_valid=0 + list_revoked=1 + ;; + -r|--revoked) + list_valid=1 + list_revoked=0 + ;; + -?*) + warning "unknow option ${1} (ignored)" + ;; + *) + break + ;; + esac + shift + done + + if [ "${list_valid}" -eq 0 ]; then + certs=$(grep "^V" "${INDEX_FILE}") + fi + + if [ "${list_revoked}" -eq 0 ]; then + certs=$(grep "^R" "${INDEX_FILE}") + fi + + if [ "${list_valid}" -eq 0 ] && [ "${list_revoked}" -eq 0 ]; then + certs=$(cat "${INDEX_FILE}") + fi + + echo "${certs}" | grep -Eo "CN\s*=[^,/]*" | cut -d'=' -f2 | xargs -n1 +} + +cert_end_date() { + "${OPENSSL_BIN}" x509 -noout -enddate -in "${1}" | cut -d'=' -f2 +} + +check() { + # default expiration alert + # TODO: permit override with parameters + min_day=90 + cur_epoch=$(date -u +'%s') + + for cert in "${CRT_DIR}"/*; do + end_date=$(cert_end_date "${cert}") + end_epoch=$(date -ud "${end_date}" +'%s') + diff_epoch=$(( end_epoch - cur_epoch )) + diff_day=$(( diff_epoch / 60 / 60 / 24 )) + if [ "${diff_day}" -lt "${min_day}" ]; then + if [ "${diff_day}" -le 0 ]; then + echo "${cert} has expired" + else + echo "${cert} expire in ${diff_day} days" + fi + fi + done +} + +is_user() { + getent passwd "${1}" >/dev/null +} +is_group() { + getent group "${1}" >/dev/null +} + +main() { + # Know what system we are on, because OpenBSD and Linux do not implement date(1) in the same way + SYSTEM=$(uname | tr '[:upper:]' '[:lower:]') + + # default config + # TODO: override with /etc/default/shellpki + CONF_FILE="/etc/shellpki/openssl.cnf" + + if [ "$(uname)" = "OpenBSD" ]; then + PKI_USER="_shellpki" + else + PKI_USER="shellpki" + fi + + if [ "${USER}" != "root" ] && [ "${USER}" != "${PKI_USER}" ]; then + error "Please become root before running ${0} !" 
+ fi + + # retrieve CA path from config file + CA_DIR=$(grep -E "^dir" "${CONF_FILE}" | cut -d'=' -f2 | xargs -n1) + CA_KEY=$(grep -E "^private_key" "${CONF_FILE}" | cut -d'=' -f2 | xargs -n1 | sed "s~\$dir~${CA_DIR}~") + CA_CERT=$(grep -E "^certificate" "${CONF_FILE}" | cut -d'=' -f2 | xargs -n1 | sed "s~\$dir~${CA_DIR}~") + OCSP_KEY="${CA_DIR}/ocsp.key" + OCSP_CERT="${CA_DIR}/ocsp.pem" + CRT_DIR=$(grep -E "^certs" "${CONF_FILE}" | cut -d'=' -f2 | xargs -n1 | sed "s~\$dir~${CA_DIR}~") + TMP_DIR=$(grep -E "^new_certs_dir" "${CONF_FILE}" | cut -d'=' -f2 | xargs -n1 | sed "s~\$dir~${CA_DIR}~") + INDEX_FILE=$(grep -E "^database" "${CONF_FILE}" | cut -d'=' -f2 | xargs -n1 | sed "s~\$dir~${CA_DIR}~") + SERIAL=$(grep -E "^serial" "${CONF_FILE}" | cut -d'=' -f2 | xargs -n1 | sed "s~\$dir~${CA_DIR}~") + CRL=$(grep -E "^crl" "${CONF_FILE}" | cut -d'=' -f2 | xargs -n1 | sed "s~\$dir~${CA_DIR}~") + + # directories for clients key, csr, crt + KEY_DIR="${CA_DIR}/private" + CSR_DIR="${CA_DIR}/requests" + PKCS12_DIR="${CA_DIR}/pkcs12" + OVPN_DIR="${CA_DIR}/openvpn" + + COPY_DIR="$(dirname "${CONF_FILE}")/copy_output" + + CA_KEY_LENGTH=4096 + if [ "${CA_KEY_LENGTH}" -lt 4096 ]; then + error "CA key must be at least 4096 bits long." + fi + KEY_LENGTH=2048 + if [ "${KEY_LENGTH}" -lt 2048 ]; then + error "User key must be at least 2048 bits long." + fi + + OPENSSL_BIN=$(command -v openssl) + SUFFIX=$(TZ=:Zulu /bin/date +"%Y%m%d%H%M%SZ") + + if ! is_user "${PKI_USER}" || ! is_group "${PKI_USER}"; then + error "You must create ${PKI_USER} user and group !" + fi + + if [ ! 
-e "${CONF_FILE}" ]; then + error "${CONF_FILE} is missing" + fi + + mkdir -p "${CA_DIR}" "${CRT_DIR}" "${KEY_DIR}" "${CSR_DIR}" "${PKCS12_DIR}" "${OVPN_DIR}" "${TMP_DIR}" + + command=${1:-help} + + case "${command}" in + init) + shift + init "$@" + ;; + + ocsp) + shift + ocsp "$@" + ;; + + create) + shift + create "$@" + ;; + + revoke) + shift + revoke "$@" + ;; + + list) + shift + list "$@" + ;; + + check) + shift + check "$@" + ;; + + version|--version) + show_version + exit 0 + ;; + + help|--help) + show_usage + exit 0 + ;; + + *) + show_usage >&2 + exit 1 + ;; + esac + + # fix right + chown -R "${PKI_USER}":"${PKI_USER}" "${CA_DIR}" + chmod 750 "${CA_DIR}" "${CRT_DIR}" "${KEY_DIR}" "${CSR_DIR}" "${PKCS12_DIR}" "${OVPN_DIR}" "${TMP_DIR}" + chmod 600 "${INDEX_FILE}"* "${SERIAL}"* "${CA_KEY}" "${CRL}" + chmod 640 "${CA_CERT}" +} + +main "$@" diff --git a/openvpn/tasks/debian.yml b/openvpn/tasks/debian.yml index f94e19b6..3ace1f4c 100644 --- a/openvpn/tasks/debian.yml +++ b/openvpn/tasks/debian.yml @@ -12,11 +12,6 @@ - client - server -- name: Clone shellpki repo - git: - repo: "https://gitea.evolix.org/evolix/shellpki.git" - dest: /root/shellpki - - name: Create the shellpki user user: name: shellpki 
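Review bot: Passphrases are placed on the openssl command line throughout the new file — `passout_arg="-passout pass:${CA_PASSWORD}"` in init, `-passin pass:"${CA_PASSWORD}"` in init, create and revoke, and `pass_args="-aes256 -passout pass:${PASSWORD}"` / `-passin pass:${PASSWORD}` in create — which exposes them to any local user reading the process list, and because `${passout_arg}` and `${pass_args}` are expanded unquoted, a passphrase containing whitespace is split into separate arguments and silently rejected. OpenSSL's `env:` pass-phrase source avoids both problems: `export CA_PASSWORD; passout_arg="-passout env:CA_PASSWORD"`, `-passin env:CA_PASSWORD`, and `-passout env:PASSWORD` keep the secret out of argv and need no word-splitting. In revoke, the trailing `"${OPENSSL_BIN}" ca … -gencrl -out "${CRL}"` is the only openssl invocation whose status is not checked, so a failed CRL regeneration after a successful `-revoke` goes unreported while the revoked certificate stays accepted by whatever consumes `${CRL}`; add the same `$?` test and `error` the other calls use. The root check in main compares the inherited `${USER}` variable rather than the effective uid, which aborts under `set -u` when USER is unset (for example under some cron or sudo setups) and reflects whatever the environment says; `[ "$(id -un)" != "root" ]` is the authoritative form. The hunk holds the entire new file, so no function is cut at the edges.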
@@ -38,30 +33,14 @@ - name: Copy shellpki files copy: - src: "{{ item.source }}" + src: "shellpki/{{ item.source }}" dest: "{{ item.destination }}" - remote_src: yes - with_items: - - { source: "/root/shellpki/openssl.cnf", destination: "/etc/shellpki/openssl.cnf" } - - { source: "/root/shellpki/shellpki", destination: "/usr/local/sbin/shellpki" } - -- include_role: - name: evolix/remount-usr - -- name: Change files permissions - file: - dest: "{{ item.dest }}" mode: "{{ item.mode }}" owner: "{{ item.owner }}" group: "{{ item.group }}" with_items: - - { dest: "/etc/shellpki/openssl.cnf", mode: "0640", owner: "shellpki", group: "shellpki" } - - { dest: "/usr/local/sbin/shellpki", mode: "0755", owner: "root", group: "root" } - -- name: Delete local shellpki repo - file: - state: absent - dest: "/root/shellpki" + - { source: "openssl.cnf", destination: "/etc/shellpki/openssl.cnf", mode: "0640", owner: "shellpki", group: "shellpki" } + - { source: "shellpki", destination: "/usr/local/sbin/shellpki", mode: "0755", owner: "root", group: "root" } - name: Add sudo rights lineinfile: @@ -251,30 +230,16 @@ notify: restart nagios-nrpe-server when: nrpe_evolix_config.stat.exists -# BEGIN TODO : Get this script from master branch when cloning it at the beginning when dev branch is merged with master (this script is currently not available on master branch) -- name: Clone dev branch of shellpki repo - git: - repo: "https://gitea.evolix.org/evolix/shellpki.git" - dest: /root/shellpki-dev - version: dev - - include_role: name: evolix/remount-usr - name: Copy shellpki script copy: - src: "/root/shellpki-dev/cert-expirations.sh" + src: "shellpki/cert-expirations.sh" dest: "/usr/share/scripts/cert-expirations.sh" mode: "0700" owner: root group: root - remote_src: yes - -- name: Delete local shellpki-dev repo - file: - state: absent - dest: "/root/shellpki-dev" -# END TODO - name: Install cron to warn about certificates expiration cron: 
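Review bot: `Copy shellpki files` now writes `/usr/local/sbin/shellpki` with no `evolix/remount-usr` include anywhere before it, because the `- include_role: name: evolix/remount-usr` that followed the old copy is removed in this hunk; on hosts where /usr is mounted read-only (the situation the remount-usr includes added elsewhere in this series handle) the copy task will fail. The later hunk in this file keeps the include as context right before copying `cert-expirations.sh` under /usr/share, so the same two lines `- include_role:` / `    name: evolix/remount-usr` should precede `- name: Copy shellpki files` here. The openbsd.yml counterpart in this patch has no such include at all, presumably because /usr is writable there, so this applies to the Debian task list only.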
diff --git a/openvpn/tasks/openbsd.yml b/openvpn/tasks/openbsd.yml index 2edbec70..18cd0156 100644 --- a/openvpn/tasks/openbsd.yml +++ b/openvpn/tasks/openbsd.yml @@ -13,11 +13,6 @@ group: wheel mode: "0755" -- name: Clone shellpki repo - git: - repo: "https://gitea.evolix.org/evolix/shellpki.git" - dest: /root/shellpki - - name: Create the shellpki user user: name: _shellpki @@ -36,27 +31,14 @@ - name: Copy shellpki files copy: - src: "{{ item.source }}" + src: "shellpki/{{ item.source }}" dest: "{{ item.destination }}" - remote_src: yes - with_items: - - { source: "/root/shellpki/openssl.cnf", destination: "/etc/shellpki/openssl.cnf" } - - { source: "/root/shellpki/shellpki", destination: "/usr/local/sbin/shellpki" } - -- name: Change files permissions - file: - dest: "{{ item.dest }}" mode: "{{ item.mode }}" owner: "{{ item.owner }}" group: "{{ item.group }}" with_items: - - { dest: "/etc/shellpki/openssl.cnf", mode: "0640", owner: "_shellpki", group: "_shellpki"} - - { dest: "/usr/local/sbin/shellpki", mode: "0755", owner: "root", group: "wheel" } - -- name: Delete local shellpki repo - file: - state: absent - dest: "/root/shellpki" + - { source: "openssl.cnf", destination: "/etc/shellpki/openssl.cnf", mode: "0640", owner: "_shellpki", group: "_shellpki" } + - { source: "shellpki", destination: "/usr/local/sbin/shellpki", mode: "0755", owner: "root", group: "wheel" } - name: Add sudo rights lineinfile: 
@@ -193,27 +175,13 @@ notify: restart nrpe when: nrpe_evolix_config.stat.exists -# BEGIN TODO : Get this script from master branch when cloning it at the beginning when dev branch is merged with master (this script is currently not available on master branch) -- name: Clone dev branch of shellpki repo - git: - repo: "https://gitea.evolix.org/evolix/shellpki.git" - dest: /root/shellpki-dev - version: dev - - name: Copy shellpki script copy: - src: "/root/shellpki-dev/cert-expirations.sh" + src: "shellpki/cert-expirations.sh" dest: "/usr/share/scripts/cert-expirations.sh" mode: "0700" owner: root group: wheel - remote_src: yes - -- name: Delete local shellpki-dev repo - file: - state: absent - dest: "/root/shellpki-dev" -# END TODO - name: Install cron to warn about certificates expiration cron: -- 2.39.2 From d66248e9f0bf4bbf8ae992b94d4ff05fec77e6ea Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Thu, 14 Apr 2022 16:38:43 +0200 Subject: [PATCH 030/497] openvpn: update README --- openvpn/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openvpn/README.md b/openvpn/README.md index 27b507d4..ddaffcce 100644 --- a/openvpn/README.md +++ b/openvpn/README.md @@ -23,6 +23,6 @@ Then, you can use `shellpki` to generate client certificates. * `openvpn_netmask`: netmask of the network to use for OpenVPN * `openvpn_netmask_cidr`: automatically generated prefix length of the netmask, in CIDR notation -## TODO +## Dependencies -* See TODO tasks in tasks/*.yml +* Files in `files/shellpki/*` are gotten from the upstream [shellpki](https://gitea.evolix.org/evolix/shellpki) and must be updated when the upstream is. -- 2.39.2 From 5f4f885556868075f5b2a5427d0c2181636c912c Mon Sep 17 00:00:00 2001 From: David Prevot Date: Tue, 19 Apr 2022 16:47:22 +0200 Subject: [PATCH 031/497] munin: Ensure /usr is writable --- munin/tasks/main.yml | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/munin/tasks/main.yml b/munin/tasks/main.yml index c4eee575..8c6ec525 100644 --- a/munin/tasks/main.yml +++ b/munin/tasks/main.yml @@ -12,6 +12,10 @@ - munin - packages +- name: Ensure /usr is still writable + include_role: + name: evolix/remount-usr + - block: - name: Replace localdomain in Munin config replace: -- 2.39.2 From a5bae6645e10126b9c862cab87e8f10de95a5647 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 20 Apr 2022 11:07:20 +0200 Subject: [PATCH 032/497] dump-server-state: upstream release 22.04.1 --- CHANGELOG.md | 2 +- evolinux-base/files/dump-server-state.sh | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 15d5e347..8582054f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -23,7 +23,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * evocheck: upstream release 22.03.1 * evolinux-base: Add non-free repos & install non-free firmware on dedicated hardware * evolinux-base: rename backup-server-state to dump-server-state -* dump-server-state: upstream release 22.04 +* dump-server-state: upstream release 22.04.1 * generate-ldif: Add services check for bkctld * minifirewall: restore "force-restart" and fix "restart-if-needed" * minifirewall: tail template follows symlinks diff --git a/evolinux-base/files/dump-server-state.sh b/evolinux-base/files/dump-server-state.sh index 3b66f230..b2560e20 100644 --- a/evolinux-base/files/dump-server-state.sh +++ b/evolinux-base/files/dump-server-state.sh @@ -3,7 +3,7 @@ PROGNAME="dump-server-state" REPOSITORY="https://gitea.evolix.org/evolix/dump-server-state" -VERSION="22.04" +VERSION="22.04.1" readonly VERSION dump_dir= @@ -673,7 +673,7 @@ task_df() { df_bin=$(command -v df) if [ -n "${df_bin}" ]; then - last_result=$(${df_bin} --portability > "${dump_dir}/df.txt") + last_result=$(${df_bin} --portability > "${dump_dir}/df.txt 2>&1") last_rc=$? if [ ${last_rc} -eq 0 ]; then -- 2.39.2 
From 4214db4ad6e4a3e717a3ee6d5a66741b32c1a0c8 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 20 Apr 2022 11:14:02 +0200 Subject: [PATCH 033/497] fix dump-server-state quote error --- evolinux-base/files/dump-server-state.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evolinux-base/files/dump-server-state.sh b/evolinux-base/files/dump-server-state.sh index b2560e20..1b80bd0a 100644 --- a/evolinux-base/files/dump-server-state.sh +++ b/evolinux-base/files/dump-server-state.sh @@ -673,7 +673,7 @@ task_df() { df_bin=$(command -v df) if [ -n "${df_bin}" ]; then - last_result=$(${df_bin} --portability > "${dump_dir}/df.txt 2>&1") + last_result=$(${df_bin} --portability > "${dump_dir}/df.txt" 2>&1) last_rc=$? if [ ${last_rc} -eq 0 ]; then -- 2.39.2 From 381acc830dbc8a139a3fd0a66681a354599305bb Mon Sep 17 00:00:00 2001 From: Brice Waegeneire Date: Thu, 21 Apr 2022 11:28:32 +0200 Subject: [PATCH 034/497] Add nagios check for Redis Sentinel synchro --- .../files/plugins/check_redis_sentinel_sync | 46 +++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100755 nagios-nrpe/files/plugins/check_redis_sentinel_sync diff --git a/nagios-nrpe/files/plugins/check_redis_sentinel_sync b/nagios-nrpe/files/plugins/check_redis_sentinel_sync new file mode 100755 index 00000000..e8f217aa --- /dev/null +++ b/nagios-nrpe/files/plugins/check_redis_sentinel_sync 
@@ -0,0 +1,46 @@
+#!/bin/sh
+#
+# Verify the synchroniation of Redis Sentinel slaves.
+
+output=$(mktemp --tmpdir $(basename "$0").XXXXXXXXXX)
+critical_count=0
+ok_count=0
+
+trap "rm -f $output" EXIT
+
+input=$(redis-cli -p 6380 sentinel slaves redis | sed 'N;s/\n/=/')
+
+#while read -r line; do
+for line in $input; do
+ case "$line" in
+ name=*) name=${line#name=} ;;
+ master-link-status=*) status=${line#master-link-status=} ;;
+ esac
+ if [ -n "$name" ] && [ -n "$status" ]; then
+ if [ "$status" = ok ]; then
+ echo "OK - $name" >> "$output"
+ ok_count=$(( ok_count + 1))
+ else
+ echo "CRITICAL - $name" >> "$output"
+ critical_count=$(( critical_count + 1))
+ fi
+ unset name status
+ fi
+done
+
+total_count=$(( ok_count + critical_count ))
+
+plural=''
+test "$total_count" -gt 1 && plural='s'
+
+if [ $ok_count -eq $total_count ]; then
+ printf "OK - %d/%d Redis Sentinel slave%s are in sync\n\n" \
+ "$ok_count" "$total_count" "$plural"
+ cat "$output"
+ exit 0
+else
+ printf "CRITICAL - %d/%d Redis Sentinal slave%s aren't in sync\n\n" \
+ "$critical_count" "$total_count" "$plural"
+ cat "$output"
+ exit 2
+fi
-- 2.39.2 From 58909bc3956dbf0f5b51bd0dc2b5dd59ef24977e Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 22 Apr 2022 09:32:37 +0200 Subject: [PATCH 035/497] vrrpd: Store sysctl values in specific file --- CHANGELOG.md | 1 + vrrpd/tasks/main.yml | 7 +++++-- 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8582054f..ddaa426f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -31,6 +31,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * openvpn: use a subnet topology instead of the net30 default topology * tomcat: Tomcat 9 by default with Debian 11 * openvpn: use a local copy of files instead of cloning an external git repository +* vrrpd: Store sysctl values in specific file ### Fixed
diff --git a/vrrpd/tasks/main.yml b/vrrpd/tasks/main.yml
index 74dfa5c2..5804cb39 100644 
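Review bot: When `redis-cli -p 6380 sentinel slaves redis` fails (Sentinel down, wrong port, unknown master name) `$input` is empty, the loop never runs, `total_count` is 0 and the final `[ $ok_count -eq $total_count ]` is `0 -eq 0`, so the plugin prints `OK - 0/0 Redis Sentinel slaves are in sync` and exits 0 — the check cannot notice that it had nothing to check. Capture redis-cli's exit status before the `sed` pipe and treat zero replicas as UNKNOWN (exit 3, the Nagios convention for "could not determine") rather than OK; redis-cli returns non-zero at least on connection failures, and an `ERR` reply may still come back with status 0, so the zero-replica test is the backstop. Smaller points: `mktemp --tmpdir $(basename "$0").XXXXXXXXXX` should quote the substitution, `trap 'rm -f "$output"' EXIT` should not expand at trap time, the CRITICAL message spells `Sentinal` and the header comment `synchroniation`, and the port and master name are hard-coded where two variables with defaults at the top of the script would do.
```sh
if ! raw=$(redis-cli -p 6380 sentinel slaves redis 2>&1); then
    printf "UNKNOWN - redis-cli failed: %s\n" "$raw"
    exit 3
fi
input=$(printf '%s\n' "$raw" | sed 'N;s/\n/=/')

# … unchanged: for loop over $input counting ok/critical …

total_count=$(( ok_count + critical_count ))
if [ "$total_count" -eq 0 ]; then
    printf "UNKNOWN - no Redis Sentinel slave reported for master redis\n"
    exit 3
fi
```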
--- a/vrrpd/tasks/main.yml +++ b/vrrpd/tasks/main.yml @@ -3,6 +3,8 @@ include_role: name: evolix/apt tasks_from: evolix_public.yml + tags: + - vrrpd - name: Install vrrpd packages apt: @@ -10,12 +12,13 @@ allow_unauthenticated: yes state: present tags: - - vrrpd + - vrrpd - name: Adjust sysctl config sysctl: name: "{{ item.name }}" value: "{{ item.value }}" + sysctl_file: /etc/sysctl.d/vrrpd.conf sysctl_set: yes state: present loop: @@ -26,4 +29,4 @@ - { name: 'net.ipv4.conf.all.arp_announce', value: 2 } - { name: 'net.ipv4.ip_nonlocal_bind', value: 1 } tags: - - vrrpd + - vrrpd -- 2.39.2 From 5935d9d4a3c82d12891da3063507ad5518f2178a Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 25 Apr 2022 09:58:07 +0200 Subject: [PATCH 036/497] evocheck: upstream release 22.04 --- CHANGELOG.md | 2 +- evocheck/files/evocheck.sh | 25 +++++++++++++++---------- 2 files changed, 16 insertions(+), 11 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ddaa426f..383e021b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -20,7 +20,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed -* evocheck: upstream release 22.03.1 +* evocheck: upstream release 22.04 * evolinux-base: Add non-free repos & install non-free firmware on dedicated hardware * evolinux-base: rename backup-server-state to dump-server-state * dump-server-state: upstream release 22.04.1 diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index 2f01afae..07ec97f7 100644 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Debian/OpenBSD server # powered by Evolix -VERSION="22.03.1" +VERSION="22.04" readonly VERSION # base functions 
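Review bot: `allow_unauthenticated: yes` on the `Install vrrpd packages` task (a context line of the second hunk, not changed here) tells apt to install the package even when its repository signature cannot be verified, which removes the only integrity check on a package installed as root; the `evolix/apt` include with `tasks_from: evolix_public.yml` just above presumably configures that repository and its key, in which case the option can simply be dropped, and if the key is not configured that is what should be fixed rather than bypassed. The `sysctl_file: /etc/sysctl.d/vrrpd.conf` addition itself is fine; if earlier runs of this role wrote these keys to the module's default file, those entries are not cleaned up by this change and both files are loaded at boot, so a short comment such as `# values previously applied via the default sysctl file are left in place` next to the new key would save the next reader a check.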
@@ -234,7 +234,8 @@ check_syslogconf() { check_debiansecurity() { if is_debian_bullseye; then # https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.html#security-archive - pattern="^deb https://deb\.debian\.org/debian-security/? bullseye-security main" + # https://www.debian.org/security/ + pattern="^deb https://(deb|security)\.debian\.org/debian-security/? bullseye-security main" elif is_debian_buster; then pattern="^deb http://security\.debian\.org/debian-security/? buster/updates main" elif is_debian_stretch; then @@ -600,7 +601,11 @@ check_evobackup_exclude_mount() { # shellcheck disable=SC2044 for evobackup_file in $(find /etc/cron* -name '*evobackup*' | grep -v -E ".disabled$"); do - grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}" + # If rsync is not limited by "one-file-system" + # then we verify that every mount is excluded + grep -q -- "^\s*--one-file-system" "${evobackup_file}" \ + || grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' \ + > "${excludes_file}" not_excluded=$(findmnt --type nfs,nfs4,fuse.sshfs, -o target --noheadings | grep -v -f "${excludes_file}") for mount in ${not_excluded}; do failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script" @@ -1374,7 +1379,7 @@ download_versions() { elif is_openbsd; then versions_url="https://upgrades.evolix.org/versions-${OPENBSD_RELEASE}" else - failed "IS_VERSIONS_CHECK" "error determining os release" + failed "IS_CHECK_VERSIONS" "error determining os release" fi # fetch timeout, in seconds 
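Review bot: In the `check_evobackup_exclude_mount` hunk the new `||` chain skips writing `${excludes_file}` when `--one-file-system` is present, but the following `findmnt ... | grep -v -f "${excludes_file}"` line still runs — against an empty file on the first iteration, or against the previous script's excludes on later ones; `grep -v -f` with an empty pattern file suppresses nothing, so every NFS/sshfs mount is then reported as not excluded, the opposite of what the comment says. Wrap the whole body in `if ! grep -q -- "^\s*--one-file-system" "${evobackup_file}"; then … fi` so the mount comparison is skipped entirely for one-file-system scripts. The function continues outside the hunk.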
@@ -1387,9 +1392,9 @@ download_versions() { elif command -v GET; then GET -t ${timeout}s "${versions_url}" > "${versions_file}" else - failed "IS_VERSIONS_CHECK" "failed to find curl, wget or GET" + failed "IS_CHECK_VERSIONS" "failed to find curl, wget or GET" fi - test "$?" -eq 0 || failed "IS_VERSIONS_CHECK" "failed to download ${versions_url} to ${versions_file}" + test "$?" -eq 0 || failed "IS_CHECK_VERSIONS" "failed to download ${versions_url} to ${versions_file}" } get_command() { local program @@ -1451,11 +1456,11 @@ check_version() { actual_version=$(get_version "${program}" "${command}") # printf "program:%s expected:%s actual:%s\n" "${program}" "${expected_version}" "${actual_version}" if [ -z "${actual_version}" ]; then - failed "IS_VERSIONS_CHECK" "failed to lookup actual version of ${program}" + failed "IS_CHECK_VERSIONS" "failed to lookup actual version of ${program}" elif dpkg --compare-versions "${actual_version}" lt "${expected_version}"; then - failed "IS_VERSIONS_CHECK" "${program} version ${actual_version} is older than expected version ${expected_version}" + failed "IS_CHECK_VERSIONS" "${program} version ${actual_version} is older than expected version ${expected_version}" elif dpkg --compare-versions "${actual_version}" gt "${expected_version}"; then - failed "IS_VERSIONS_CHECK" "${program} version ${actual_version} is newer than expected version ${expected_version}, you should update tour index." + failed "IS_CHECK_VERSIONS" "${program} version ${actual_version} is newer than expected version ${expected_version}, you should update your index." else : # Version check OK fi @@ -1484,7 +1489,7 @@ check_versions() { if [ -n "${version}" ]; then check_version "${program}" "${version}" else - failed "IS_VERSIONS_CHECK" "failed to lookup expected version for ${program}" + failed "IS_CHECK_VERSIONS" "failed to lookup expected version for ${program}" fi fi done -- 2.39.2 From daa54cac8fe03d69ed41e1bafbe90f34f7f58a6d Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour Date: Mon, 25 Apr 2022 10:33:33 +0200 Subject: [PATCH 037/497] evocheck: upstream release 22.04.1 --- CHANGELOG.md | 2 +- evocheck/files/evocheck.sh | 28 +++++++++++++++------------- 2 files changed, 16 insertions(+), 14 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 383e021b..0626cd38 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -20,7 +20,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed -* evocheck: upstream release 22.04 +* evocheck: upstream release 22.04.1 * evolinux-base: Add non-free repos & install non-free firmware on dedicated hardware * evolinux-base: rename backup-server-state to dump-server-state * dump-server-state: upstream release 22.04.1 diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index 07ec97f7..4f24ae79 100644 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Debian/OpenBSD server # powered by Evolix -VERSION="22.04" +VERSION="22.04.1" readonly VERSION # base functions 
@@ -596,20 +596,20 @@ check_evobackup() { } # Vérification de l'exclusion des montages (NFS) dans les sauvegardes check_evobackup_exclude_mount() { - excludes_file=$(mktemp --tmpdir=${TMPDIR:-/tmp} "evocheck.evobackup_exclude_mount.XXXXX") + excludes_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.evobackup_exclude_mount.XXXXX") files_to_cleanup="${files_to_cleanup} ${excludes_file}" # shellcheck disable=SC2044 for evobackup_file in $(find /etc/cron* -name '*evobackup*' | grep -v -E ".disabled$"); do # If rsync is not limited by "one-file-system" # then we verify that every mount is excluded - grep -q -- "^\s*--one-file-system" "${evobackup_file}" \ - || grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' \ - > "${excludes_file}" - not_excluded=$(findmnt --type nfs,nfs4,fuse.sshfs, -o target --noheadings | grep -v -f "${excludes_file}") - for mount in ${not_excluded}; do - failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script" - done + if ! grep -q -- "^\s*--one-file-system" "${evobackup_file}"; then + grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}" + not_excluded=$(findmnt --type nfs,nfs4,fuse.sshfs, -o target --noheadings | grep -v -f "${excludes_file}") + for mount in ${not_excluded}; do + failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script" + done + fi done } # Verification de la presence du userlogrotate @@ -1074,7 +1074,7 @@ check_duplicate_fs_label() { # Do it only if thereis blkid binary BLKID_BIN=$(command -v blkid) if [ -n "$BLKID_BIN" ]; then - tmpFile=$(mktemp --tmpdir=${TMPDIR:-/tmp} "evocheck.duplicate_fs_label.XXXXX") + tmpFile=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.duplicate_fs_label.XXXXX") files_to_cleanup="${files_to_cleanup} ${tmpFile}" parts=$($BLKID_BIN -c /dev/null | grep -ve raid_member -e EFI_SYSPART | grep -Eo ' LABEL=".*"' | cut -d'"' -f2) 
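Review bot: `grep -v -f "${excludes_file}"` in `check_evobackup_exclude_mount` treats each extracted exclude as an unanchored basic regular expression, so an exclude such as `/srv` also silences a `/srv2` or `/data/srv` mount, and a `.` in a path matches any character. `grep -v -F -f "${excludes_file}"` (fixed strings) is closer to the intent and still lets a parent-directory exclude cover its sub-mounts; an rsync wildcard pattern would then no longer match anything and the mount would be reported, which is the safer failure for a compliance check. If wildcard excludes are common in these scripts, say so in the comment above and keep the regex form deliberately.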
@@ -1473,7 +1473,7 @@ add_to_path() { echo "$PATH" | grep -qF "${new_path}" || export PATH="${PATH}:${new_path}" } check_versions() { - versions_file=$(mktemp --tmpdir=${TMPDIR:-/tmp} "evocheck.versions.XXXXX") + versions_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.versions.XXXXX") files_to_cleanup="${files_to_cleanup} ${versions_file}" download_versions "${versions_file}" @@ -1501,7 +1501,7 @@ main() { # Detect operating system name, version and release detect_os - main_output_file=$(mktemp --tmpdir=${TMPDIR:-/tmp} "evocheck.main.XXXXX") + main_output_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.main.XXXXX") files_to_cleanup="${files_to_cleanup} ${main_output_file}" #----------------------------------------------------------- @@ -1733,7 +1733,9 @@ main() { fi if [ -f "${main_output_file}" ]; then - if [ $(cat "${main_output_file}" | wc -l) -gt 0 ]; then + lines_found=$(wc -l < "${main_output_file}") + # shellcheck disable=SC2086 + if [ ${lines_found} -gt 0 ]; then cat "${main_output_file}" 2>&1 fi -- 2.39.2 From 55356857b2228e3f7c334c574146533e2eb4c10e Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 26 Apr 2022 09:56:47 +0200 Subject: [PATCH 038/497] dump-server-state: upstream release 22.04.2 --- CHANGELOG.md | 2 +- evolinux-base/files/dump-server-state.sh | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0626cd38..6dd72cf3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
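Review bot: The new `# shellcheck disable=SC2086` in `main()` gives no reason, and the obvious alternative — quoting `${lines_found}` — may not be equivalent on every target: evocheck also runs on OpenBSD, and BSD `wc` implementations commonly pad the count with leading spaces, so leaving the expansion unquoted could be deliberate to let word splitting strip them. Either add a one-line comment above the directive, e.g. `# unquoted on purpose: BSD wc pads the count with spaces`, or normalise explicitly with `lines_found=$(wc -l < "${main_output_file}" | tr -d ' ')` and quote the test. main() continues outside the hunk.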
@@ -23,7 +23,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * evocheck: upstream release 22.04.1 * evolinux-base: Add non-free repos & install non-free firmware on dedicated hardware * evolinux-base: rename backup-server-state to dump-server-state -* dump-server-state: upstream release 22.04.1 +* dump-server-state: upstream release 22.04.2 * generate-ldif: Add services check for bkctld * minifirewall: restore "force-restart" and fix "restart-if-needed" * minifirewall: tail template follows symlinks diff --git a/evolinux-base/files/dump-server-state.sh b/evolinux-base/files/dump-server-state.sh index 1b80bd0a..5bb3cd4e 100644 --- a/evolinux-base/files/dump-server-state.sh +++ b/evolinux-base/files/dump-server-state.sh @@ -3,7 +3,7 @@ PROGNAME="dump-server-state" REPOSITORY="https://gitea.evolix.org/evolix/dump-server-state" -VERSION="22.04.1" +VERSION="22.04.2" readonly VERSION dump_dir= @@ -725,7 +725,8 @@ task_mysql_processes() { else debug "* mysqladmin ERROR" debug "${last_result}" - rc=10 + # Ignore errors because we don't know how to deal with multiple instances + # rc=10 fi else debug "* no mysqld or mariadbd process is running" -- 2.39.2 From 49e4e67c2c5401274a33fa432b37f4c7582e39fc Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 26 Apr 2022 11:26:15 +0200 Subject: [PATCH 039/497] fix copyright evocommit --- etc-git/files/evocommit | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc-git/files/evocommit b/etc-git/files/evocommit index 0053784b..5a7f798b 100644 --- a/etc-git/files/evocommit +++ b/etc-git/files/evocommit @@ -8,7 +8,7 @@ show_version() { cat <, +Copyright 2022 Evolix , Jérémy Lecour and others. -- 2.39.2 From 381a71aca1648a76f590f67e7aeb08e663c5cbcd Mon Sep 17 00:00:00 2001 
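Review bot: Commenting out `rc=10` in `task_mysql_processes` makes a failed `mysqladmin processlist` invisible to the caller: the task now reports success while the output file written by the redirect presumably holds an empty or partial dump from the failed run, which a reader cannot tell apart from "no processes". If the error is to be tolerated, remove the output file in this branch (`rm -f "${dump_dir}/mysql-processlist.txt"`) and make the comment name the multi-instance case it refers to, so the next maintainer knows when it can be re-enabled. The function continues outside the hunk.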
From: Jeremy Lecour Date: Tue, 26 Apr 2022 18:21:42 +0200 Subject: [PATCH 040/497] dump-server-state: upstream release 22.04.3 --- CHANGELOG.md | 2 +- evolinux-base/files/dump-server-state.sh | 25 ++++++++++++++---------- 2 files changed, 16 insertions(+), 11 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6dd72cf3..4735e3cc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -23,7 +23,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * evocheck: upstream release 22.04.1 * evolinux-base: Add non-free repos & install non-free firmware on dedicated hardware * evolinux-base: rename backup-server-state to dump-server-state -* dump-server-state: upstream release 22.04.2 +* dump-server-state: upstream release 22.04.3 * generate-ldif: Add services check for bkctld * minifirewall: restore "force-restart" and fix "restart-if-needed" * minifirewall: tail template follows symlinks diff --git a/evolinux-base/files/dump-server-state.sh b/evolinux-base/files/dump-server-state.sh index 5bb3cd4e..5f76413f 100644 --- a/evolinux-base/files/dump-server-state.sh +++ b/evolinux-base/files/dump-server-state.sh @@ -3,7 +3,7 @@ PROGNAME="dump-server-state" REPOSITORY="https://gitea.evolix.org/evolix/dump-server-state" -VERSION="22.04.2" +VERSION="22.04.3" readonly VERSION dump_dir= @@ -76,7 +76,8 @@ END } debug() { if [ "${VERBOSE}" = "1" ]; then - echo "$1" + msg="${1:-$(cat /dev/stdin)}" + echo "${msg}" fi } 
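Review bot: `msg="${1:-$(cat /dev/stdin)}"` in `debug()` falls back to reading stdin whenever the first argument is empty, not only when it is absent, so a call like `debug "${last_result}"` with an empty value blocks on the caller's stdin (a terminal in an interactive run). The read also only happens when `VERBOSE=1`, so a producer piping into `debug` could behave differently between verbose and quiet runs. Distinguish the two cases by argument count instead: `if [ $# -gt 0 ]; then msg="$1"; else msg=$(cat); fi`.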
@@ -717,16 +718,20 @@ task_mysql_processes() { if [ -n "${mysqladmin_bin}" ]; then # Look for local MySQL or MariaDB process if pgrep mysqld > /dev/null || pgrep mariadbd > /dev/null; then - last_result=$(${mysqladmin_bin} --verbose processlist > "${dump_dir}/mysql-processlist.txt") - last_rc=$? + if ${mysqladmin_bin} ping > /dev/null 2>&1; then + ${mysqladmin_bin} --verbose processlist > "${dump_dir}/mysql-processlist.txt" 2> "${dump_dir}/mysql-processlist.err" + last_rc=$? - if [ ${last_rc} -eq 0 ]; then - debug "* mysqladmin OK" + if [ ${last_rc} -eq 0 ]; then + debug "* mysqladmin OK" + else + debug "* mysqladmin ERROR" + debug < "${dump_dir}/mysql-processlist.err" + rm "${dump_dir}/mysql-processlist.err" + rc=10 + fi else - debug "* mysqladmin ERROR" - debug "${last_result}" - # Ignore errors because we don't know how to deal with multiple instances - # rc=10 + debug "* unable to ping with mysqladmin" fi else debug "* no mysqld or mariadbd process is running" -- 2.39.2 From 805a8ecb3ab644d3dcd7cd8af5ac55a791117c61 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 27 Apr 2022 14:22:59 +0200 Subject: [PATCH 041/497] etc-git: use "ansible-commit" to efficiently commit all available repositories (including /etc inside LXC) from Ansible --- CHANGELOG.md | 2 +- etc-git/defaults/main.yml | 1 + etc-git/files/ansible-commit | 183 +++++++++++++++++++++++++++++++++ etc-git/tasks/commit.yml | 82 ++------------- etc-git/tasks/main.yml | 105 +------------------ etc-git/tasks/repositories.yml | 37 +++++++ etc-git/tasks/utils.yml | 93 +++++++++++++++++ 7 files changed, 326 insertions(+), 177 deletions(-) create mode 100644 etc-git/files/ansible-commit create mode 100644 etc-git/tasks/repositories.yml create mode 100644 etc-git/tasks/utils.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 4735e3cc..7b6bb7f8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
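Review bot: `${dump_dir}/mysql-processlist.err` is only removed in the error branch, so every successful run leaves an empty `.err` file next to the dump; move the `rm` after the `if`/`else`, or `rm -f` it unconditionally before leaving the block. The ping-failure branch logs at debug level and leaves `rc` untouched, which is presumably intended so an instance without local credentials does not fail the whole dump, but that deserves a comment saying so. Note also that `mysqladmin --verbose processlist` captures full statement text, which can include secrets from in-flight `GRANT`/`SET PASSWORD` statements, so the permissions of `${dump_dir}` matter — they are not visible here.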
@@ -12,7 +12,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added -* etc-git: Commit /etc in lxc containers when they are git repositories +* etc-git: use "ansible-commit" to efficiently commit all available repositories (including /etc inside LXC) from Ansible * minifirewall: configure proxy/backup/sysctl values * nagios-nrpe: Add a check dhcp_pool * redis : Activate overcommit sysctl diff --git a/etc-git/defaults/main.yml b/etc-git/defaults/main.yml index d0da5e7d..01b83bfd 100644 --- a/etc-git/defaults/main.yml +++ b/etc-git/defaults/main.yml @@ -4,3 +4,4 @@ etc_git_default_commit_message: Ansible run etc_git_monitor_status: True etc_git_purge_index_lock_enabled: True etc_git_purge_index_lock_age: 86400 +etc_git_config_repositories: True diff --git a/etc-git/files/ansible-commit b/etc-git/files/ansible-commit new file mode 100644 index 00000000..c47375f8 --- /dev/null +++ b/etc-git/files/ansible-commit 
@@ -0,0 +1,183 @@ +#!/bin/sh + +set -u + +VERSION="22.04" + +show_version() { + cat <, + Jérémy Lecour + and others. + +ansible-commit comes with ABSOLUTELY NO WARRANTY. This is free software, +and you are welcome to redistribute it under certain conditions. +See the GNU General Public Licence for details. +END +} + +show_help() { + cat <&2 + exit 1 + fi + ;; + --message=?*) + # message options, with value speparated by = + MESSAGE=${1#*=} + ;; + --message=) + # message options, without value + printf 'FAILED: "--message" requires a non-empty option argument.\n' >&2 + exit 1 + ;; + -n|--dry-run) + # disable actual commands + DRY_RUN=1 + ;; + -v|--verbose) + # print verbose information + VERBOSE=1 + ;; + --) + # End of all options. + shift + break + ;; + -?*|[[:alnum:]]*) + # ignore unknown options + printf 'FAILED: Unknown option (ignored): %s\n' "$1" >&2 + ;; + *) + # Default case: If no more options then break out of the loop. + break + ;; + esac + + shift +done + +if [ -z "${MESSAGE}" ]; then + echo "FAILED: missing message parameter" >&2 + show_usage + exit 1 +fi +DRY_RUN=${DRY_RUN:-0} +VERBOSE=${VERBOSE:-0} + +evocommit_bin=$(command -v evocommit) +if [ -z "${evocommit_bin}" ]; then + echo "FAILED: evocommit not found" >&2 + exit 1 +fi + +lxc_ls_bin=$(command -v lxc-ls) +lxc_config_bin=$(command -v lxc-config) + +main \ No newline at end of file diff --git a/etc-git/tasks/commit.yml b/etc-git/tasks/commit.yml index 2098aeeb..c92e3c6a 100644 --- a/etc-git/tasks/commit.yml +++ b/etc-git/tasks/commit.yml 
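Review bot: The `-?*|[[:alnum:]]*)` branch of the option loop prints `FAILED: Unknown option (ignored)` and carries on, so a typo such as `--mesage=x` is reported as a failure on stderr while the script proceeds, whereas the neighbouring `--message=)` branch exits 1 for a comparable mistake. Pick one behaviour — `exit 1` after the printf, matching the other FAILED messages, or reword the message as a warning. The `[[:alnum:]]*` alternative also swallows any bare positional argument, so `main` can never receive one; if that is intended, the comment should say so rather than "ignore unknown options". The heredocs and the body of `main` are not legible in this rendering of the hunk, so they are not reviewed here.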
@@ -1,79 +1,9 @@ --- -# /etc -- name: Is /etc a git repository - stat: - path: /etc/.git - register: _etc_git - -- name: "evocommit /etc" - command: "/usr/local/bin/evocommit --ansible --repository /etc --message \"{{ commit_message | mandatory }}\"" +- name: "Execute ansible-commit" + command: "/usr/local/bin/ansible-commit --verbose --message \"{{ commit_message | mandatory }}\"" changed_when: - - _etc_git_commit.stdout - - "'CHANGED:' in _etc_git_commit.stdout" - ignore_errors: yes - register: _etc_git_commit - when: - - _etc_git.stat.exists - - _etc_git.stat.isdir - -# /etc/bind -- name: Is /etc/bind a git repository - stat: - path: /etc/bind/.git - register: _etc_bind_git - -- name: "evocommit /etc/bind" - command: "/usr/local/bin/evocommit --ansible --repository /etc/bind --message \"{{ commit_message | mandatory }}\"" - changed_when: - - _etc_bind_git_commit.stdout - - "'CHANGED:' in _etc_bind_git_commit.stdout" - ignore_errors: yes - register: _etc_bind_git_commit - when: - - _etc_bind_git.stat.exists - - _etc_bind_git.stat.isdir - -# /usr/share/scripts -- name: Is /usr/share/scripts a git repository - stat: - path: /usr/share/scripts/.git - register: _usr_share_scripts_git - -- name: "evocommit /usr/share/scripts" - command: "/usr/local/bin/evocommit --ansible --repository /usr/share/scripts --message \"{{ commit_message | mandatory }}\"" - changed_when: - - _usr_share_scripts_git_commit.stdout - - "'CHANGED:' in _usr_share_scripts_git_commit.stdout" - ignore_errors: yes - register: _usr_share_scripts_git_commit - when: - - _usr_share_scripts_git.stat.exists - - _usr_share_scripts_git.stat.isdir - -- name: Check if there are lxc containers - stat: - path: /var/lib/lxc - get_attributes: no - get_checksum: no - get_mime: no - register: _var_lib_lxc - -- name: Get lxc containers and commit their /etc when needed - block: - - name: Get all lxc containers - find: - paths: /var/lib/lxc - recurse: no - file_type: directory - register: _lxc_containers - - - name: 
"Commit /etc in all containers" - include_tasks: - file: lxc_commit.yml - loop: "{{ _lxc_containers.files | map(attribute='path') | map('basename') }}" - loop_control: - loop_var: container - when: - - _var_lib_lxc.stat.exists - - _var_lib_lxc.stat.isdir or _var_lib_lxc.stat.islnk + - _ansible_commit.stdout + - "'CHANGED:' in _ansible_commit.stdout" + ignore_errors: True + register: _ansible_commit \ No newline at end of file diff --git a/etc-git/tasks/main.yml b/etc-git/tasks/main.yml index 34c4a1ca..f71ba552 100644 --- a/etc-git/tasks/main.yml +++ b/etc-git/tasks/main.yml 
@@ -9,108 +9,13 @@ when: - ansible_distribution == "Debian" -- include_role: - name: evolix/remount-usr - -- name: "evocommit script is installed" - copy: - src: evocommit - dest: /usr/local/bin/evocommit - mode: "0755" - force: yes +- name: Install and configure utilities + include: utils.yml tags: - etc-git -- include: repository.yml - vars: - repository_path: "/etc" - gitignore_items: - - "aliases.db" - - "*.swp" - - "postfix/sa-blacklist.access" - - "postfix/*.db" - - "postfix/spamd.cidr" - - "evobackup/.keep-*" - - "letsencrypt/.certbot.lock" - -- name: verify /usr/share/scripts presence - stat: - path: /usr/share/scripts - register: _usr_share_scripts - -- include: repository.yml - vars: - repository_path: "/usr/share/scripts" - gitignore_items: [] - when: - - _usr_share_scripts.stat.isdir - - ansible_distribution_major_version is version('10', '>=') - -- name: "etc-git-optimize script is installed" - copy: - src: etc-git-optimize - dest: /usr/share/scripts/etc-git-optimize - mode: "0755" - force: yes +- name: Configure repositories + include: repositories.yml tags: - etc-git - -- name: "etc-git-status script is installed" - copy: - src: etc-git-status - dest: /usr/share/scripts/etc-git-status - mode: "0755" - force: yes - tags: - - etc-git - -- name: Check if cron is installed - shell: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'" - args: - executable: /bin/bash - failed_when: False - changed_when: False - check_mode: no - register: is_cron_installed - -- block: - - name: Legacy cron jobs for /etc/.git status are absent - file: - dest: "{{ item }}" - state: absent - loop: - - /etc/cron.monthly/optimize-etc-git - - /etc/cron.d/etc-git-status - - - name: Cron job for monthly git optimization - cron: - name: "Monthly optimization" - cron_file: etc-git - special_time: "monthly" - user: root - job: "/usr/share/scripts/etc-git-optimize" - - - name: Cron job for hourly git status - cron: - name: "Hourly warning for unclean Git repository if 
nobody is connected" - cron_file: etc-git - special_time: "hourly" - user: root - job: "who > /dev/null || /usr/share/scripts/etc-git-status" - state: "{{ etc_git_monitor_status | bool | ternary('present','absent') }}" - - - name: Cron job for daily git status - cron: - name: "Daily warning for unclean Git repository" - cron_file: etc-git - user: root - job: "/usr/share/scripts/etc-git-status" - minute: "21" - hour: "21" - weekday: "*" - day: "*" - month: "*" - state: "{{ etc_git_monitor_status | bool | ternary('present','absent') }}" - when: is_cron_installed.rc == 0 - tags: - - etc-git \ No newline at end of file + when: etc_git_config_repositories | bool \ No newline at end of file diff --git a/etc-git/tasks/repositories.yml b/etc-git/tasks/repositories.yml new file mode 100644 index 00000000..71ff0665 --- /dev/null +++ b/etc-git/tasks/repositories.yml @@ -0,0 +1,37 @@ +--- + +- include: repository.yml + vars: + repository_path: "/etc" + gitignore_items: + - "aliases.db" + - "*.swp" + - "postfix/sa-blacklist.access" + - "postfix/*.db" + - "postfix/spamd.cidr" + - "evobackup/.keep-*" + - "letsencrypt/.certbot.lock" + tags: + - etc-git + +- name: verify /usr/share/scripts presence + stat: + path: /usr/share/scripts + register: _usr_share_scripts + tags: + - etc-git + +- include_role: + name: evolix/remount-usr + when: + - _usr_share_scripts.stat.isdir + +- include: repository.yml + vars: + repository_path: "/usr/share/scripts" + gitignore_items: [] + when: + - _usr_share_scripts.stat.isdir + - ansible_distribution_major_version is version('10', '>=') + tags: + - etc-git \ No newline at end of file diff --git a/etc-git/tasks/utils.yml b/etc-git/tasks/utils.yml new file mode 100644 index 00000000..cd060de1 --- /dev/null +++ b/etc-git/tasks/utils.yml 
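Review bot: Both new tasks in main.yml use the deprecated `include:` keyword (`include: utils.yml`, `include: repositories.yml`); if the targeted Ansible version is 2.4 or later, prefer `import_tasks:`, which is static and inherits the `tags: - etc-git` and the `when:` the way these tasks expect. With `include_tasks` the tags on the include statement would no longer reach the included tasks unless `apply: { tags: [etc-git] }` is set, so a later mechanical migration would silently change what `--tags etc-git` runs.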
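Review bot: In repositories.yml, `when: - _usr_share_scripts.stat.isdir` on the `remount-usr` include and on the second `repository.yml` include errors out when /usr/share/scripts does not exist, because `stat` then returns no `isdir` key; test `_usr_share_scripts.stat.exists and _usr_share_scripts.stat.isdir` (or `_usr_share_scripts.stat.isdir | default(false)`). The `include_role` for `evolix/remount-usr` is also the only task in the file without `tags: - etc-git`, so a `--tags etc-git` run skips the remount and then initialises the repository on a read-only /usr. The same untagged `remount-usr` include appears in the `munin/tasks/main.yml` hunk of commit 043 further down, where the surrounding tasks carry `tags: - munin`.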
@@ -0,0 +1,93 @@ +--- + +- include_role: + name: evolix/remount-usr + tags: + - etc-git + +- name: "evocommit script is installed" + copy: + src: evocommit + dest: /usr/local/bin/evocommit + mode: "0755" + force: yes + tags: + - etc-git + +- name: "ansible-commit script is installed" + copy: + src: ansible-commit + dest: /usr/local/bin/ansible-commit + mode: "0755" + force: yes + tags: + - etc-git + +- name: "etc-git-optimize script is installed" + copy: + src: etc-git-optimize + dest: /usr/share/scripts/etc-git-optimize + mode: "0755" + force: yes + tags: + - etc-git + +- name: "etc-git-status script is installed" + copy: + src: etc-git-status + dest: /usr/share/scripts/etc-git-status + mode: "0755" + force: yes + tags: + - etc-git + +- name: Check if cron is installed + shell: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'" + args: + executable: /bin/bash + failed_when: False + changed_when: False + check_mode: no + register: is_cron_installed + +- block: + - name: Legacy cron jobs for /etc/.git status are absent + file: + dest: "{{ item }}" + state: absent + loop: + - /etc/cron.monthly/optimize-etc-git + - /etc/cron.d/etc-git-status + + - name: Cron job for monthly git optimization + cron: + name: "Monthly optimization" + cron_file: etc-git + special_time: "monthly" + user: root + job: "/usr/share/scripts/etc-git-optimize" + + - name: Cron job for hourly git status + cron: + name: "Hourly warning for unclean Git repository if nobody is connected" + cron_file: etc-git + special_time: "hourly" + user: root + job: "who > /dev/null || /usr/share/scripts/etc-git-status" + state: "{{ etc_git_monitor_status | bool | ternary('present','absent') }}" + + - name: Cron job for daily git status + cron: + name: "Daily warning for unclean Git repository" + cron_file: etc-git + user: root + job: "/usr/share/scripts/etc-git-status" + minute: "21" + hour: "21" + weekday: "*" + day: "*" + month: "*" + state: "{{ etc_git_monitor_status | bool | 
ternary('present','absent') }}" + when: is_cron_installed.rc == 0 + tags: + - etc-git \ No newline at end of file -- 2.39.2 From 666487e00c9e822b385fec3166a0f3a36ecee02f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 27 Apr 2022 15:12:02 +0200 Subject: [PATCH 042/497] fix ansible-commit --help --- etc-git/files/ansible-commit | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/etc-git/files/ansible-commit b/etc-git/files/ansible-commit index c47375f8..20ab3a92 100644 --- a/etc-git/files/ansible-commit +++ b/etc-git/files/ansible-commit @@ -2,7 +2,7 @@ set -u -VERSION="22.04" +VERSION="22.04.1" show_version() { cat < Date: Wed, 27 Apr 2022 18:00:18 +0200 Subject: [PATCH 043/497] munin: remount /usr before writing --- munin/tasks/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/munin/tasks/main.yml b/munin/tasks/main.yml index 8c6ec525..4720fbe5 100644 --- a/munin/tasks/main.yml +++ b/munin/tasks/main.yml @@ -35,6 +35,9 @@ tags: - munin +- include_role: + name: evolix/remount-usr + - name: Install some Munin plugins (disabled) copy: src: 'plugins/{{ item }}' -- 2.39.2 From a53159c93b0a38fa31920816019e6183b4385dfb Mon Sep 17 00:00:00 2001 
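Review bot: In utils.yml the `Check if cron is installed` shell task carries no `tags`, while the block that consumes it has `tags: - etc-git` and `when: is_cron_installed.rc == 0`; a `--tags etc-git` run therefore skips the shell task and the block fails on an undefined `is_cron_installed`. Add `tags: - etc-git` to the shell task — it is already `check_mode: no` and `changed_when: False`, so tagging it has no side effect. The tasks are moved from main.yml largely unchanged, so the problem predates this commit, but a new file is the right place to fix it.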
From: Jeremy Lecour Date: Thu, 28 Apr 2022 12:40:02 +0200 Subject: [PATCH 044/497] minifirewall: compatibility with "legacy" version of minifirewall --- CHANGELOG.md | 1 + minifirewall/defaults/main.yml | 17 +- minifirewall/files/minifirewall.legacy.conf | 106 ++++ minifirewall/tasks/config.legacy.yml | 218 ++++++++ minifirewall/tasks/install.legacy.yml | 24 + minifirewall/tasks/install.yml | 20 - minifirewall/tasks/main.yml | 104 +++- minifirewall/tasks/tail.legacy.yml | 50 ++ minifirewall/tasks/tail.yml | 5 +- minifirewall/tasks/utils.yml | 21 + minifirewall/templates/minifirewall.legacy.j2 | 492 ++++++++++++++++++ squid/defaults/main.yml | 1 - squid/tasks/minifirewall.legacy.yml | 43 ++ squid/tasks/minifirewall.yml | 32 +- 14 files changed, 1085 insertions(+), 49 deletions(-) create mode 100644 minifirewall/files/minifirewall.legacy.conf create mode 100644 minifirewall/tasks/config.legacy.yml create mode 100644 minifirewall/tasks/install.legacy.yml create mode 100644 minifirewall/tasks/tail.legacy.yml create mode 100644 minifirewall/tasks/utils.yml create mode 100644 minifirewall/templates/minifirewall.legacy.j2 create mode 100644 squid/tasks/minifirewall.legacy.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 7b6bb7f8..70e058ca 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * etc-git: use "ansible-commit" to efficiently commit all available repositories (including /etc inside LXC) from Ansible * minifirewall: configure proxy/backup/sysctl values +* minifirewall: compatibility with "legacy" version of minifirewall * nagios-nrpe: Add a check dhcp_pool * redis : Activate overcommit sysctl * munin: Add possibility to install local plugins, and install dhcp_pool plugin diff --git a/minifirewall/defaults/main.yml b/minifirewall/defaults/main.yml index 4c084154..18d7d5b3 100644 --- a/minifirewall/defaults/main.yml +++ b/minifirewall/defaults/main.yml 
@@ -1,9 +1,14 @@ --- -# Deprecated variable -# minifirewall_main_file: /etc/default/minifirewall +# possible values: Null (default), modern or legacy +minifirewall_install_mode: Null -minifirewall_tail_file: zzz-tail +# BEGIN legacy variables +minifirewall_legacy_main_file: /etc/default/minifirewall +minifirewall_legacy_tail_file: /etc/default/minifirewall.tail +# END legacy variabes + +minifirewall_tail_file: /etc/minifirewall.d/zzz-tail minifirewall_tail_included: False minifirewall_tail_force: True @@ -14,17 +19,17 @@ minifirewall_force_upgrade_config: False # Update specific values in configuration minifirewall_update_config: True -minifirewall_git_url: "https://forge.evolix.org/minifirewall.git" -minifirewall_checkout_path: "/tmp/minifirewall" minifirewall_int: "{{ ansible_default_ipv4.interface }}" minifirewall_ipv6: "on" minifirewall_intlan: "{{ ansible_default_ipv4.address }}/32" minifirewall_docker: "off" minifirewall_default_trusted_ips: [] +minifirewall_legacy_fallback_trusted_ips: ['0.0.0.0/0'] +minifirewall_fallback_trusted_ips: ['0.0.0.0/0', '::/0'] minifirewall_additional_trusted_ips: [] # and default to ['0.0.0.0/0', '::/0'] if the result is still empty -minifirewall_trusted_ips: "{{ minifirewall_default_trusted_ips | union(minifirewall_additional_trusted_ips) | unique | default(['0.0.0.0/0', '::/0'], true) }}" +minifirewall_trusted_ips: "{{ minifirewall_default_trusted_ips | union(minifirewall_additional_trusted_ips) | unique }}" minifirewall_privilegied_ips: [] minifirewall_protected_ports_tcp: [22] diff --git a/minifirewall/files/minifirewall.legacy.conf b/minifirewall/files/minifirewall.legacy.conf new file mode 100644 index 00000000..47be78bf --- /dev/null +++ b/minifirewall/files/minifirewall.legacy.conf 
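Review bot: The comment above `minifirewall_trusted_ips` — `# and default to ['0.0.0.0/0', '::/0'] if the result is still empty` — no longer describes the expression, since the `default(['0.0.0.0/0', '::/0'], true)` fallback has been removed and replaced by the new `minifirewall_fallback_trusted_ips` / `minifirewall_legacy_fallback_trusted_ips` variables; update it to point at those and say where the fallback is now applied (not visible in this hunk). `# END legacy variabes` is a typo for `variables`.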
@@ -0,0 +1,106 @@ +# Configuration for minifirewall : https://gitea.evolix.org/evolix/minifirewall +# Version 20.12 — 2020-12-01 22:55:35 + +# Main interface +INT='eth0' + +# IPv6 +IPV6=on + +# Docker Mode +# Changes the behaviour of minifirewall to not break the containers' network +# For instance, turning it on will disable nat table purge +# Also, we'll add the DOCKER-USER chain, in iptable +DOCKER='off' + +# Trusted IPv4 local network +# ...will be often IP/32 if you don't trust anything +INTLAN='192.168.0.2/32' + +# Trusted IPv4 addresses for private and semi-public services +TRUSTEDIPS='31.170.9.129 62.212.121.90 31.170.8.4 82.65.34.85 54.37.106.210 51.210.84.146' + +# Privilegied IPv4 addresses for semi-public services +# (no need to add again TRUSTEDIPS) +PRIVILEGIEDIPS='' + + +# Local services IPv4/IPv6 restrictions +####################################### + +# Protected services +# (add also in Public services if needed) +SERVICESTCP1p='22222' +SERVICESUDP1p='' + +# Public services (IPv4/IPv6) +SERVICESTCP1='22222' +SERVICESUDP1='' + +# Semi-public services (IPv4) +SERVICESTCP2='22' +SERVICESUDP2='' + +# Private services (IPv4) +SERVICESTCP3='5666' +SERVICESUDP3='' + +# Standard output IPv4 access restrictions +########################################## + +# DNS authorizations +# (if you have local DNS server, set 0.0.0.0/0) +DNSSERVEURS='0.0.0.0/0' + +# HTTP authorizations +# (you can use DNS names but set cron to reload minifirewall regularly) +# (if you have HTTP proxy, set 0.0.0.0/0) +# HTTPSITES='security.debian.org pub.evolix.net security-cdn.debian.org mirror.evolix.org backports.debian.org hwraid.le-vert.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org ocsp.int-x3.letsencrypt.org' +HTTPSITES='0.0.0.0/0' + +# HTTPS authorizations +HTTPSSITES='0.0.0.0/0' + +# FTP authorizations +FTPSITES='' + +# SSH authorizations +SSHOK='0.0.0.0/0' + +# SMTP authorizations 
+SMTPOK='0.0.0.0/0' + +# SMTP secure authorizations (ports TCP/465 and TCP/587) +SMTPSECUREOK='' + +# NTP authorizations +NTPOK='0.0.0.0/0' + + +# IPv6 Specific rules +##################### + +# Example: allow SSH from Trusted IPv6 addresses +/sbin/ip6tables -A INPUT -i $INT -p tcp --dport 22 -s 2a01:9500:37:129::/64 -j ACCEPT + +# Example: allow outgoing SSH/HTTP/HTTPS/SMTP/DNS traffic +/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 22 --match state --state ESTABLISHED,RELATED -j ACCEPT +/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT +/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT +/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT +/sbin/ip6tables -A INPUT -i $INT -p udp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT +/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT + +# Example: allow output DNS, NTP and traceroute traffic +/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT +/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 123 --match state --state NEW -j ACCEPT +#/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT + +# Example: allow DHCPv6 +/sbin/ip6tables -A INPUT -i $INT -p udp --dport 546 -d fe80::/64 -j ACCEPT +/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 547 -j ACCEPT + +# IPv4 Specific rules +##################### + +# /sbin/iptables ... diff --git a/minifirewall/tasks/config.legacy.yml b/minifirewall/tasks/config.legacy.yml new file mode 100644 index 00000000..8a7f5990 --- /dev/null +++ b/minifirewall/tasks/config.legacy.yml 
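Review bot: This sample configuration ships live values rather than placeholders: `TRUSTEDIPS` lists six specific public addresses, `SERVICESTCP1p`/`SERVICESTCP1` open port 22222, and the IPv6 section contains an uncommented `ip6tables -A INPUT ... --dport 22 -s 2a01:9500:37:129::/64 -j ACCEPT` rule even though the comment above calls it an example. If `config.legacy.yml` rewrites the IPv4 variables through its managed blocks that part is covered, but the IPv6 rules sit outside any marker shown on this page, so every host that receives this file trusts that prefix for SSH. Either neutralise the sample (`TRUSTEDIPS=''`, example rules commented out) or state in the header comment that the file is a verbatim copy of upstream 20.12 and which sections are replaced at deploy time.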
@@ -0,0 +1,218 @@ +--- + +- debug: + var: minifirewall_trusted_ips + verbosity: 1 +- debug: + var: minifirewall_privilegied_ips + verbosity: 1 + +- name: Stat minifirewall config file (before) + stat: + path: "{{ minifirewall_main_file }}" + register: minifirewall_before + +- name: Check if minifirewall is running + shell: /sbin/iptables -L -n | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$" + changed_when: False + failed_when: False + check_mode: no + register: minifirewall_is_running + +- debug: + var: minifirewall_is_running + verbosity: 1 + +- name: Begin marker for IP addresses + lineinfile: + dest: "{{ minifirewall_main_file }}" + line: "# BEGIN ANSIBLE MANAGED BLOCK FOR IPS" + insertbefore: '^# Main interface' + create: no + +- name: End marker for IP addresses + lineinfile: + dest: "{{ minifirewall_main_file }}" + create: no + line: "# END ANSIBLE MANAGED BLOCK FOR IPS" + insertafter: '^PRIVILEGIEDIPS=' + +- name: Verify that at least 1 trusted IP is provided + assert: + that: minifirewall_trusted_ips | length > 0 + msg: You must provide at least 1 trusted IP + +- debug: + msg: "Warning: minifirewall_trusted_ips='0.0.0.0/0', the firewall is useless!" 
+ when: minifirewall_trusted_ips == ["0.0.0.0/0"] + +- name: Configure IP addresses + blockinfile: + dest: "{{ minifirewall_main_file }}" + marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS" + block: | + # Main interface + INT='{{ minifirewall_int }}' + + # IPv6 + IPV6='{{ minifirewall_ipv6 }}' + + # Docker Mode + # Changes the behaviour of minifirewall to not break the containers' network + # For instance, turning it on will disable nat table purge + # Also, we'll add the DOCKER-USER chain, in iptable + DOCKER='{{ minifirewall_docker }}' + + # Trusted IPv4 local network + # ...will be often IP/32 if you don't trust anything + INTLAN='{{ minifirewall_intlan }}' + + # Trusted IPv4 addresses for private and semi-public services + TRUSTEDIPS='{{ minifirewall_trusted_ips | join(' ') }}' + + # Privilegied IPv4 addresses for semi-public services + # (no need to add again TRUSTEDIPS) + PRIVILEGIEDIPS='{{ minifirewall_privilegied_ips | join(' ') }}' + create: no + register: minifirewall_config_ips + +- name: Begin marker for ports + lineinfile: + dest: "{{ minifirewall_main_file }}" + line: "# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS" + insertbefore: '^# Protected services' + create: no + +- name: End marker for ports + lineinfile: + dest: "{{ minifirewall_main_file }}" + line: "# END ANSIBLE MANAGED BLOCK FOR PORTS" + insertafter: '^SERVICESUDP3=' + create: no + +- name: Configure ports + blockinfile: + dest: "{{ minifirewall_main_file }}" + marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS" + block: | + # Protected services + # (add also in Public services if needed) + SERVICESTCP1p='{{ minifirewall_protected_ports_tcp | join(' ') }}' + SERVICESUDP1p='{{ minifirewall_protected_ports_udp | join(' ') }}' + + # Public services (IPv4/IPv6) + SERVICESTCP1='{{ minifirewall_public_ports_tcp | join(' ') }}' + SERVICESUDP1='{{ minifirewall_public_ports_udp | join(' ') }}' + + # Semi-public services (IPv4) + SERVICESTCP2='{{ minifirewall_semipublic_ports_tcp | join(' ') }}' + 
SERVICESUDP2='{{ minifirewall_semipublic_ports_udp | join(' ') }}' + + # Private services (IPv4) + SERVICESTCP3='{{ minifirewall_private_ports_tcp | join(' ') }}' + SERVICESUDP3='{{ minifirewall_private_ports_udp | join(' ') }}' + create: no + register: minifirewall_config_ports + +- name: Configure DNSSERVEURS + lineinfile: + dest: "{{ minifirewall_main_file }}" + line: "DNSSERVEURS='{{ minifirewall_dns_servers | join(' ') }}'" + regexp: "DNSSERVEURS='.*'" + create: no + when: minifirewall_dns_servers is not none + +- name: Configure HTTPSITES + lineinfile: + dest: "{{ minifirewall_main_file }}" + line: "HTTPSITES='{{ minifirewall_http_sites | join(' ') }}'" + regexp: "HTTPSITES='.*'" + create: no + when: minifirewall_http_sites is not none + +- name: Configure HTTPSSITES + lineinfile: + dest: "{{ minifirewall_main_file }}" + line: "HTTPSSITES='{{ minifirewall_https_sites | join(' ') }}'" + regexp: "HTTPSSITES='.*'" + create: no + when: minifirewall_https_sites is not none + +- name: Configure FTPSITES + lineinfile: + dest: "{{ minifirewall_main_file }}" + line: "FTPSITES='{{ minifirewall_ftp_sites | join(' ') }}'" + regexp: "FTPSITES='.*'" + create: no + when: minifirewall_ftp_sites is not none + +- name: Configure SSHOK + lineinfile: + dest: "{{ minifirewall_main_file }}" + line: "SSHOK='{{ minifirewall_ssh_ok | join(' ') }}'" + regexp: "SSHOK='.*'" + create: no + when: minifirewall_ssh_ok is not none + +- name: Configure SMTPOK + lineinfile: + dest: "{{ minifirewall_main_file }}" + line: "SMTPOK='{{ minifirewall_smtp_ok | join(' ') }}'" + regexp: "SMTPOK='.*'" + create: no + when: minifirewall_smtp_ok is not none + +- name: Configure SMTPSECUREOK + lineinfile: + dest: "{{ minifirewall_main_file }}" + line: "SMTPSECUREOK='{{ minifirewall_smtp_secure_ok | join(' ') }}'" + regexp: "SMTPSECUREOK='.*'" + create: no + when: minifirewall_smtp_secure_ok is not none + +- name: Configure NTPOK + lineinfile: + dest: "{{ minifirewall_main_file }}" + line: "NTPOK='{{ 
minifirewall_ntp_ok | join(' ') }}'" + regexp: "NTPOK='.*'" + create: no + when: minifirewall_ntp_ok is not none + +- name: evomaintenance + lineinfile: + dest: "{{ minifirewall_main_file }}" + line: "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s {{ item }} -m state --state ESTABLISHED,RELATED -j ACCEPT" + insertafter: "^# EvoMaintenance" + loop: "{{ evomaintenance_hosts }}" + +- name: remove minifirewall example rule for the evomaintenance + lineinfile: + dest: "{{ minifirewall_main_file }}" + regexp: '^#.*(--sport 5432).*(-s X\.X\.X\.X)' + state: absent + when: evomaintenance_hosts | length > 0 + +- name: Stat minifirewall config file (after) + stat: + path: "{{ minifirewall_main_file }}" + register: minifirewall_after + +- name: restart minifirewall + command: /etc/init.d/minifirewall restart + register: minifirewall_init_restart + failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout" + when: + - minifirewall_restart_if_needed | bool + - minifirewall_is_running.rc == 0 + - minifirewall_before.stat.checksum != minifirewall_after.stat.checksum + +- name: restart minifirewall (noop) + meta: noop + register: minifirewall_init_restart + failed_when: False + changed_when: False + when: not (minifirewall_restart_if_needed | bool) + +- debug: + var: minifirewall_init_restart + verbosity: 2 diff --git a/minifirewall/tasks/install.legacy.yml b/minifirewall/tasks/install.legacy.yml new file mode 100644 index 00000000..323426b5 --- /dev/null +++ b/minifirewall/tasks/install.legacy.yml 
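Review bot: The `regexp` values of the Configure DNSSERVEURS … NTPOK tasks are unanchored (`"HTTPSITES='.*'"` and its siblings), so they also match the commented example line `# HTTPSITES='security.debian.org …'` shipped in minifirewall.legacy.conf; lineinfile edits the last match, which happens to be the live assignment in the current file layout, but an extra commented example below it would silently be rewritten instead. Anchoring each one, `regexp: "^HTTPSITES='.*'"`, keeps the comments intact and is the same pattern the main.yml grep already uses. The evomaintenance task's `insertafter: "^# EvoMaintenance"` has no corresponding marker in the legacy configuration file added by this commit, so those rule lines will be appended at end of file rather than in a dedicated section; a `# EvoMaintenance` heading in minifirewall.legacy.conf would make the placement deterministic.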
@@ -0,0 +1,24 @@ +--- + +- name: dependencies are satisfied + apt: + name: iptables + state: present + +- name: init script is copied + template: + src: minifirewall.legacy.j2 + dest: /etc/init.d/minifirewall + force: "{{ minifirewall_force_upgrade_script | default('no') }}" + mode: "0700" + owner: root + group: root + +- name: configuration is copied + copy: + src: minifirewall.legacy.conf + dest: "{{ minifirewall_main_file }}" + force: "{{ minifirewall_force_upgrade_config | default('no') }}" + mode: "0600" + owner: root + group: root diff --git a/minifirewall/tasks/install.yml b/minifirewall/tasks/install.yml index 9c0483b9..daac6f81 100644 --- a/minifirewall/tasks/install.yml +++ b/minifirewall/tasks/install.yml @@ -41,23 +41,3 @@ mode: "0600" owner: root group: root - -- include_role: - name: evolix/remount-usr - -- name: /usr/share/scripts exists - file: - dest: /usr/share/scripts - mode: "0700" - owner: root - group: root - state: directory - -- name: blacklist-countries.sh is copied - copy: - src: blacklist-countries.sh - dest: /usr/share/scripts/blacklist-countries.sh - force: "no" - mode: "0700" - owner: root - group: root diff --git a/minifirewall/tasks/main.yml b/minifirewall/tasks/main.yml index 0fbb3ad6..e8355ceb 100644 --- a/minifirewall/tasks/main.yml +++ b/minifirewall/tasks/main.yml 
@@ -4,25 +4,107 @@ set_fact: minifirewall_restart_handler_name: "{{ minifirewall_restart_if_needed | bool | ternary('restart minifirewall', 'restart minifirewall (noop)') }}" -- name: Fail if minifirewall_main_file is defined +# Legacy or modern mode? ############################################## + +- name: Check minifirewall + stat: + path: /etc/init.d/minifirewall + register: _minifirewall_check + +# Legacy versions of minifirewall don't define the VERSION variable +- name: Look for minifirewall version + shell: "grep -E '^\\s*VERSION=' /etc/init.d/minifirewall" + failed_when: False + changed_when: False + check_mode: False + register: _minifirewall_version_check + +- name: Set install mode to legacy if needed + set_fact: + minifirewall_install_mode: legacy + minifirewall_main_file: "{{ minifirewall_legacy_main_file }}" + minifirewall_tail_file: "{{ minifirewall_legacy_tail_file }}" + when: + - minifirewall_install_mode != 'modern' + - not (minifirewall_force_upgrade_script | bool) + - _minifirewall_version_check.rc == 1 # grep didn't find but the file exists + +- name: Set install mode to modern if not legacy + set_fact: + minifirewall_install_mode: modern + when: minifirewall_install_mode != 'legacy' + +- name: Debug install mode + debug: + var: minifirewall_install_mode + verbosity: 1 + +####################################################################### + +- name: Fail if minifirewall_main_file is defined (legacy mode) fail: msg: "Variable minifirewall_main_file is deprecated and not configurable anymore." 
- when: minifirewall_main_file is defined + when: + - minifirewall_install_mode != 'legacy' + - minifirewall_main_file is defined -- include: install.yml +- name: Install tasks (modern mode) + include: install.yml + when: minifirewall_install_mode != 'legacy' -- include: config.yml - when: minifirewall_update_config | bool +- name: Install tasks (legacy mode) + include: install.legacy.yml + when: minifirewall_install_mode == 'legacy' -- include: nrpe.yml +- name: Config tasks (modern mode) + include: config.yml + when: + - minifirewall_install_mode != 'legacy' + - minifirewall_update_config | bool -- include: activate.yml +- name: Config tasks (legacy mode) + include: config.legacy.yml + when: + - minifirewall_install_mode == 'legacy' + - minifirewall_update_config | bool -- include: tail.yml - when: minifirewall_tail_included | bool +- name: Utils tasks + include: utils.yml -- name: Force restart minifirewall +- name: NRPE tasks + include: nrpe.yml + +- name: Activation tasks + include: activate.yml + +- name: Tail tasks (modern mode) + include: tail.yml + when: + - minifirewall_install_mode != 'legacy' + - minifirewall_tail_included | bool + +- name: Tail tasks (legacy mode) + include: tail.legacy.yml + when: + - minifirewall_install_mode == 'legacy' + - minifirewall_tail_included | bool + +# Restart? 
+ +- name: Force restart minifirewall (modern mode) command: /etc/init.d/minifirewall restart register: minifirewall_init_restart failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout" - when: minifirewall_restart_force | bool \ No newline at end of file + changed_when: "'starting IPTables rules is now finish : OK' in minifirewall_init_restart.stdout" + when: + - minifirewall_install_mode != 'legacy' + - minifirewall_restart_force | bool + +- name: Force restart minifirewall (legacy mode) + command: /etc/init.d/minifirewall restart + register: minifirewall_init_restart + failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout" + changed_when: "'starting IPTables rules is now finish : OK' in minifirewall_init_restart.stdout" + when: + - minifirewall_install_mode == 'legacy' + - minifirewall_restart_force | bool \ No newline at end of file diff --git a/minifirewall/tasks/tail.legacy.yml b/minifirewall/tasks/tail.legacy.yml new file mode 100644 index 00000000..7a13eefa --- /dev/null +++ b/minifirewall/tasks/tail.legacy.yml 
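Review bot: The task name `Fail if minifirewall_main_file is defined (legacy mode)` is inverted: its `when` is `minifirewall_install_mode != 'legacy'`, so it runs in modern mode, and in legacy mode the variable is legitimately set by `Set install mode to legacy if needed`; rename it `Fail if minifirewall_main_file is defined (modern mode)`. `_minifirewall_check` (the stat of /etc/init.d/minifirewall) is registered but never read; the legacy decision rests only on `_minifirewall_version_check.rc == 1`, which grep returns when the file exists and has no VERSION line (a missing file gives 2), so either drop the stat task or add `- _minifirewall_check.stat.exists` to the `when` so the comment "grep didn't find but the file exists" is backed by an explicit condition. The two force-restart tasks at the end are byte-identical apart from the mode condition and could be a single task with no mode condition.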
@@ -0,0 +1,50 @@ +--- +- name: Add some rules at the end of minifirewall file + template: + src: "{{ item }}" + dest: "{{ minifirewall_tail_file }}" + force: "{{ minifirewall_tail_force | bool }}" + follow: yes + loop: "{{ query('first_found', templates) }}" + vars: + templates: + - "templates/minifirewall-tail/minifirewall.{{ inventory_hostname }}.tail.j2" + - "templates/minifirewall-tail/minifirewall.{{ host_group | default('all') }}.tail.j2" + - "templates/minifirewall-tail/minifirewall.default.tail.j2" + - "templates/minifirewall.default.tail.j2" + register: minifirewall_tail_template + +- debug: + var: minifirewall_tail_template + verbosity: 1 + +- name: source minifirewall.tail at the end of the main file + blockinfile: + dest: "{{ minifirewall_main_file }}" + marker: "# {mark} ANSIBLE MANAGED EXTERNAL RULES" + block: ". {{ minifirewall_tail_file }}" + insertbefore: EOF + register: minifirewall_tail_source + +- debug: + var: minifirewall_tail_source + verbosity: 1 + +- name: restart minifirewall + command: /etc/init.d/minifirewall restart + register: minifirewall_init_restart + failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout" + when: + - minifirewall_tail_template is changed + - minifirewall_restart_if_needed | bool + +- name: restart minifirewall (noop) + meta: noop + register: minifirewall_init_restart + failed_when: False + changed_when: False + when: not (minifirewall_restart_if_needed | bool) + +- debug: + var: minifirewall_init_restart + verbosity: 1 diff --git a/minifirewall/tasks/tail.yml b/minifirewall/tasks/tail.yml index a1bfba64..ae771017 100644 --- a/minifirewall/tasks/tail.yml +++ b/minifirewall/tasks/tail.yml 
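Review bot: The restart in this file is gated only on `minifirewall_tail_template is changed`, so when the blockinfile task first inserts `. {{ minifirewall_tail_file }}` into the main file (`minifirewall_tail_source` changed) while the tail template itself is unchanged, the new rules are never loaded; gate on both, `- minifirewall_tail_template is changed or minifirewall_tail_source is changed`. The template task also sets no `owner`/`group`/`mode` for a file that the root-run init script executes with `.`; pinning `owner: root`, `group: root` and `mode: "0600"` (the same mode install.legacy.yml gives the main config) keeps the sourced file under the same ownership as the script that runs it. The same restart gating appears in the unchanged part of tail.yml, outside this hunk.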
@@ -2,7 +2,7 @@ - name: Add some rules at the end of minifirewall file template: src: "{{ item }}" - dest: "/etc/minifirewall.d/{{ minifirewall_tail_file }}" + dest: "{{ minifirewall_tail_file }}" force: "{{ minifirewall_tail_force | bool }}" follow: yes loop: "{{ query('first_found', templates) }}" @@ -19,9 +19,6 @@ verbosity: 1 - name: restart minifirewall - # service: - # name: minifirewall - # state: restarted command: /etc/init.d/minifirewall restart register: minifirewall_init_restart failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout" diff --git a/minifirewall/tasks/utils.yml b/minifirewall/tasks/utils.yml new file mode 100644 index 00000000..775bdd95 --- /dev/null +++ b/minifirewall/tasks/utils.yml @@ -0,0 +1,21 @@ +--- + +- include_role: + name: evolix/remount-usr + +- name: /usr/share/scripts exists + file: + dest: /usr/share/scripts + mode: "0700" + owner: root + group: root + state: directory + +- name: blacklist-countries.sh is copied + copy: + src: blacklist-countries.sh + dest: /usr/share/scripts/blacklist-countries.sh + force: "no" + mode: "0700" + owner: root + group: root \ No newline at end of file diff --git a/minifirewall/templates/minifirewall.legacy.j2 b/minifirewall/templates/minifirewall.legacy.j2 new file mode 100644 index 00000000..13b5130d --- /dev/null +++ b/minifirewall/templates/minifirewall.legacy.j2 
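Review bot: `dest` now uses `{{ minifirewall_tail_file }}` verbatim instead of `/etc/minifirewall.d/{{ minifirewall_tail_file }}`, so the variable must now hold an absolute path; the role defaults are not in this chunk, so confirm that `minifirewall_tail_file` (and `minifirewall_legacy_tail_file`, which main.yml now copies into it) were updated accordingly, otherwise the template is written relative to the working directory. The `. {{ minifirewall_tail_file }}` line written by tail.legacy.yml depends on the same assumption. A one-line comment above the task, `# minifirewall_tail_file is an absolute path (legacy and modern defaults differ)`, would record the new contract.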
@@ -0,0 +1,492 @@ +#!/bin/sh + +# minifirewall is shellscripts for easy firewalling on a standalone server +# we used netfilter/iptables http://netfilter.org/ designed for recent Linux kernel +# See https://gitea.evolix.org/evolix/minifirewall + +# Copyright (c) 2007-2020 Evolix +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 3 +# of the License. + +# Description +# script for standalone server + +# Start or stop minifirewall +# + +### BEGIN INIT INFO +# Provides: minfirewall +# Required-Start: +# Required-Stop: +# Should-Start: $network $syslog $named +# Should-Stop: $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: start and stop the firewall +# Description: Firewall designed for standalone server +### END INIT INFO + +DESC="minifirewall" +NAME="minifirewall" + + +# Variables configuration +######################### + +# iptables paths +IPT=/sbin/iptables +IPT6=/sbin/ip6tables + +# TCP/IP variables +LOOPBACK='127.0.0.0/8' +CLASSA='10.0.0.0/8' +CLASSB='172.16.0.0/12' +CLASSC='192.168.0.0/16' +CLASSD='224.0.0.0/4' +CLASSE='240.0.0.0/5' +ALL='0.0.0.0' +BROAD='255.255.255.255' +PORTSROOT='0:1023' +PORTSUSER='1024:65535' + +chain_exists() +{ + local chain_name="$1" ; shift + [ $# -eq 1 ] && local intable="--table $1" + iptables $intable -nL "$chain_name" >/dev/null 2>&1 +} + +# Configuration +oldconfigfile="/etc/firewall.rc" +configfile="{{ minifirewall_main_file }}" + +IPV6=$(grep "IPV6=" {{ minifirewall_main_file }} | awk -F '=' -F "'" '{print $2}') +DOCKER=$(grep "DOCKER=" {{ minifirewall_main_file }} | awk -F '=' -F "'" '{print $2}') +INT=$(grep "INT=" {{ minifirewall_main_file }} | awk -F '=' -F "'" '{print $2}') + +case "$1" in + start) + + echo "Start IPTables rules..." + +# Stop and warn if error! +set -e +trap 'echo "ERROR in minifirewall configuration (fix it now!) 
or script manipulation (fix yourself)." ' INT TERM EXIT + + +# sysctl network security settings +################################## + +# Don't answer to broadcast pings +echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts + +# Ignore bogus ICMP responses +echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses + +# Disable Source Routing +for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do +echo 0 > $i +done + +# Enable TCP SYN cookies to avoid TCP-SYN-FLOOD attacks +# cf http://cr.yp.to/syncookies.html +echo 1 > /proc/sys/net/ipv4/tcp_syncookies + +# Disable ICMP redirects +for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do +echo 0 > $i +done + +for i in /proc/sys/net/ipv4/conf/*/send_redirects; do +echo 0 > $i +done + +# Enable Reverse Path filtering : verify if responses use same network interface +for i in /proc/sys/net/ipv4/conf/*/rp_filter; do +echo 1 > $i +done + +# log des paquets avec adresse incoherente +for i in /proc/sys/net/ipv4/conf/*/log_martians; do +echo 1 > $i +done + +# IPTables configuration +######################## + +$IPT -N LOG_DROP +$IPT -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : ' +$IPT -A LOG_DROP -j DROP +$IPT -N LOG_ACCEPT +$IPT -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : ' +$IPT -A LOG_ACCEPT -j ACCEPT + +if test -f $oldconfigfile; then + echo "$oldconfigfile is deprecated, rename to $configfile" >&2 + exit 1 +fi + +if ! test -f $configfile; then + echo "$configfile does not exist" >&2 + exit 1 +fi + +tmpfile=`mktemp` +. $configfile 2>$tmpfile >&2 +if [ -s $tmpfile ]; then + echo "$configfile returns standard or error output (see below). Stopping." 
>&2 + cat $tmpfile + exit 1 +fi +rm $tmpfile + +# Trusted ip addresses +$IPT -N ONLYTRUSTED +$IPT -A ONLYTRUSTED -j LOG_DROP +for x in $TRUSTEDIPS + do + $IPT -I ONLYTRUSTED -s $x -j ACCEPT + done + +# Privilegied ip addresses +# (trusted ip addresses *are* privilegied) +$IPT -N ONLYPRIVILEGIED +$IPT -A ONLYPRIVILEGIED -j ONLYTRUSTED +for x in $PRIVILEGIEDIPS + do + $IPT -I ONLYPRIVILEGIED -s $x -j ACCEPT + done + +# Chain for restrictions (blacklist IPs/ranges) +$IPT -N NEEDRESTRICT + +# We allow all on loopback interface +$IPT -A INPUT -i lo -j ACCEPT +[ "$IPV6" != "off" ] && $IPT6 -A INPUT -i lo -j ACCEPT +# if OUTPUTDROP +$IPT -A OUTPUT -o lo -j ACCEPT +[ "$IPV6" != "off" ] && $IPT6 -A OUTPUT -o lo -j ACCEPT + +# We avoid "martians" packets, typical when W32/Blaster virus +# attacked windowsupdate.com and DNS was changed to 127.0.0.1 +# $IPT -t NAT -I PREROUTING -s $LOOPBACK -i ! lo -j DROP +$IPT -A INPUT -s $LOOPBACK ! -i lo -j DROP + + +if [ "$DOCKER" = "on" ]; then + + $IPT -N MINIFW-DOCKER-TRUSTED + $IPT -A MINIFW-DOCKER-TRUSTED -j DROP + + $IPT -N MINIFW-DOCKER-PRIVILEGED + $IPT -A MINIFW-DOCKER-PRIVILEGED -j MINIFW-DOCKER-TRUSTED + $IPT -A MINIFW-DOCKER-PRIVILEGED -j RETURN + + $IPT -N MINIFW-DOCKER-PUB + $IPT -A MINIFW-DOCKER-PUB -j MINIFW-DOCKER-PRIVILEGED + $IPT -A MINIFW-DOCKER-PUB -j RETURN + + # Flush DOCKER-USER if exist, create it if absent + if chain_exists 'DOCKER-USER'; then + $IPT -F DOCKER-USER + else + $IPT -N DOCKER-USER + fi; + + # Pipe new connection through MINIFW-DOCKER-PUB + $IPT -A DOCKER-USER -i $INT -m state --state NEW -j MINIFW-DOCKER-PUB + $IPT -A DOCKER-USER -j RETURN + +fi + + +# Local services restrictions +############################# + +# Allow services for $INTLAN (local server or local network) +$IPT -A INPUT -s $INTLAN -j ACCEPT + +# Enable protection chain for sensible services +for x in $SERVICESTCP1p + do + $IPT -A INPUT -p tcp --dport $x -j NEEDRESTRICT + done + +for x in $SERVICESUDP1p + do + $IPT -A INPUT -p udp 
--dport $x -j NEEDRESTRICT + done + +# Public service +for x in $SERVICESTCP1 + do + $IPT -A INPUT -p tcp --dport $x -j ACCEPT + [ "$IPV6" != "off" ] && $IPT6 -A INPUT -p tcp --dport $x -j ACCEPT + done + +for x in $SERVICESUDP1 + do + $IPT -A INPUT -p udp --dport $x -j ACCEPT + [ "$IPV6" != "off" ] && $IPT6 -A INPUT -p udp --dport $x -j ACCEPT + done + +# Privilegied services +for x in $SERVICESTCP2 + do + $IPT -A INPUT -p tcp --dport $x -j ONLYPRIVILEGIED + done + +for x in $SERVICESUDP2 + do + $IPT -A INPUT -p udp --dport $x -j ONLYPRIVILEGIED + done + +# Private services +for x in $SERVICESTCP3 + do + $IPT -A INPUT -p tcp --dport $x -j ONLYTRUSTED + done + +for x in $SERVICESUDP3 + do + $IPT -A INPUT -p udp --dport $x -j ONLYTRUSTED + done + + +if [ "$DOCKER" = "on" ]; then + + # Public services defined in SERVICESTCP1 & SERVICESUDP1 + for dstport in $SERVICESTCP1 + do + $IPT -I MINIFW-DOCKER-PUB -p tcp --dport "$dstport" -j RETURN + done + + for dstport in $SERVICESUDP1 + do + $IPT -I MINIFW-DOCKER-PUB -p udp --dport "$dstport" -j RETURN + done + + # Privileged services (accessible from privileged & trusted IPs) + for dstport in $SERVICESTCP2 + do + for srcip in $PRIVILEGIEDIPS + do + $IPT -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "$srcip" --dport "$dstport" -j RETURN + done + + for srcip in $TRUSTEDIPS + do + $IPT -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "$srcip" --dport "$dstport" -j RETURN + done + done + + for dstport in $SERVICESUDP2 + do + for srcip in $PRIVILEGIEDIPS + do + $IPT -I MINIFW-DOCKER-PRIVILEGED -p udp -s "$srcip" --dport "$dstport" -j RETURN + done + + for srcip in $TRUSTEDIPS + do + $IPT -I MINIFW-DOCKER-PRIVILEGED -p udp -s "$srcip" --dport "$dstport" -j RETURN + done + done + + # Trusted services (accessible from trusted IPs) + for dstport in $SERVICESTCP3 + do + for srcip in $TRUSTEDIPS + do + $IPT -I MINIFW-DOCKER-TRUSTED -p tcp -s "$srcip" --dport "$dstport" -j RETURN + done + done + + for dstport in $SERVICESUDP3 + do + for srcip in 
$TRUSTEDIPS + do + $IPT -I MINIFW-DOCKER-TRUSTED -p udp -s "$srcip" --dport "$dstport" -j RETURN + done + done +fi + +# External services +################### + +# DNS authorizations +for x in $DNSSERVEURS + do + $IPT -A INPUT -p tcp ! --syn --sport 53 --dport $PORTSUSER -s $x -j ACCEPT + $IPT -A INPUT -p udp --sport 53 --dport $PORTSUSER -s $x -m state --state ESTABLISHED,RELATED -j ACCEPT + $IPT -A OUTPUT -o $INT -p udp -d $x --dport 53 --match state --state NEW -j ACCEPT + done + +# HTTP (TCP/80) authorizations +for x in $HTTPSITES + do + $IPT -A INPUT -p tcp ! --syn --sport 80 --dport $PORTSUSER -s $x -j ACCEPT + done + +# HTTPS (TCP/443) authorizations +for x in $HTTPSSITES + do + $IPT -A INPUT -p tcp ! --syn --sport 443 --dport $PORTSUSER -s $x -j ACCEPT + done + +# FTP (so complex protocol...) authorizations +for x in $FTPSITES + do + # requests on Control connection + $IPT -A INPUT -p tcp ! --syn --sport 21 --dport $PORTSUSER -s $x -j ACCEPT + # FTP port-mode on Data Connection + $IPT -A INPUT -p tcp --sport 20 --dport $PORTSUSER -s $x -j ACCEPT + # FTP passive-mode on Data Connection + # WARNING, this allow all connections on TCP ports > 1024 + $IPT -A INPUT -p tcp ! --syn --sport $PORTSUSER --dport $PORTSUSER -s $x -j ACCEPT + done + +# SSH authorizations +for x in $SSHOK + do + $IPT -A INPUT -p tcp ! --syn --sport 22 -s $x -j ACCEPT + done + +# SMTP authorizations +for x in $SMTPOK + do + $IPT -A INPUT -p tcp ! --syn --sport 25 --dport $PORTSUSER -s $x -j ACCEPT + done + +# secure SMTP (TCP/465 et TCP/587) authorizations +for x in $SMTPSECUREOK + do + $IPT -A INPUT -p tcp ! --syn --sport 465 --dport $PORTSUSER -s $x -j ACCEPT + $IPT -A INPUT -p tcp ! 
--syn --sport 587 --dport $PORTSUSER -s $x -j ACCEPT + done + +# NTP authorizations +for x in $NTPOK + do + $IPT -A INPUT -p udp --sport 123 -s $x -j ACCEPT + $IPT -A OUTPUT -o $INT -p udp -d $x --dport 123 --match state --state NEW -j ACCEPT + done + +# Always allow ICMP +$IPT -A INPUT -p icmp -j ACCEPT +[ "$IPV6" != "off" ] && $IPT6 -A INPUT -p icmpv6 -j ACCEPT + + +# IPTables policy +################# + +# by default DROP INPUT packets +$IPT -P INPUT DROP +[ "$IPV6" != "off" ] && $IPT6 -P INPUT DROP + +# by default, no FORWARING (deprecated for Virtual Machines) +#echo 0 > /proc/sys/net/ipv4/ip_forward +#$IPT -P FORWARD DROP +#$IPT6 -P FORWARD DROP + +# by default allow OUTPUT packets... but drop UDP packets (see OUTPUTDROP to drop OUTPUT packets) +$IPT -P OUTPUT ACCEPT +[ "$IPV6" != "off" ] && $IPT6 -P OUTPUT ACCEPT +$IPT -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT +$IPT -A OUTPUT -p udp --match state --state ESTABLISHED,RELATED -j ACCEPT +$IPT -A OUTPUT -p udp -j DROP +[ "$IPV6" != "off" ] && $IPT6 -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT +[ "$IPV6" != "off" ] && $IPT6 -A OUTPUT -p udp --match state --state ESTABLISHED,RELATED -j ACCEPT +[ "$IPV6" != "off" ] && $IPT6 -A OUTPUT -p udp -j DROP + +trap - INT TERM EXIT + + echo "...starting IPTables rules is now finish : OK" + ;; + + stop) + + echo "Flush all rules and accept everything..." 
+ + # Delete all rules + $IPT -F INPUT + $IPT -F OUTPUT + $IPT -F LOG_DROP + $IPT -F LOG_ACCEPT + $IPT -F ONLYTRUSTED + $IPT -F ONLYPRIVILEGIED + $IPT -F NEEDRESTRICT + [ "$DOCKER" = "off" ] && $IPT -t nat -F + $IPT -t mangle -F + [ "$IPV6" != "off" ] && $IPT6 -F INPUT + [ "$IPV6" != "off" ] && $IPT6 -F OUTPUT + + if [ "$DOCKER" = "on" ]; then + $IPT -F DOCKER-USER + $IPT -A DOCKER-USER -j RETURN + + $IPT -F MINIFW-DOCKER-PUB + $IPT -X MINIFW-DOCKER-PUB + $IPT -F MINIFW-DOCKER-PRIVILEGED + $IPT -X MINIFW-DOCKER-PRIVILEGED + $IPT -F MINIFW-DOCKER-TRUSTED + $IPT -X MINIFW-DOCKER-TRUSTED + + fi + + # Accept all + $IPT -P INPUT ACCEPT + $IPT -P OUTPUT ACCEPT + [ "$IPV6" != "off" ] && $IPT6 -P INPUT ACCEPT + [ "$IPV6" != "off" ] && $IPT6 -P OUTPUT ACCEPT + #$IPT -P FORWARD ACCEPT + #$IPT -t nat -P PREROUTING ACCEPT + #$IPT -t nat -P POSTROUTING ACCEPT + + # Delete non-standard chains + $IPT -X LOG_DROP + $IPT -X LOG_ACCEPT + $IPT -X ONLYPRIVILEGIED + $IPT -X ONLYTRUSTED + $IPT -X NEEDRESTRICT + + echo "...flushing IPTables rules is now finish : OK" + ;; + + status) + + $IPT -L -n -v --line-numbers + $IPT -t nat -L -n -v --line-numbers + $IPT -t mangle -L -n -v --line-numbers + $IPT6 -L -n -v --line-numbers + $IPT6 -t mangle -L -n -v --line-numbers + ;; + + reset) + + echo "Reset all IPTables counters..." + + $IPT -Z + $IPT -t nat -Z + $IPT -t mangle -Z + [ "$IPV6" != "off" ] && $IPT6 -Z + [ "$IPV6" != "off" ] && $IPT6 -t mangle -Z + + echo "...reseting IPTables counters is now finish : OK" + ;; + + restart) + + $0 stop + $0 start + ;; + + *) + + echo "Usage: $0 {start|stop|restart|status|reset|squid}" + exit 1 +esac + +exit 0 diff --git a/squid/defaults/main.yml b/squid/defaults/main.yml index 2188d606..8cbf43d4 100644 --- a/squid/defaults/main.yml +++ b/squid/defaults/main.yml @@ -7,4 +7,3 @@ squid_whitelist_items: [] squid_localproxy_enable: False -minifirewall_main_file: /etc/default/minifirewall 
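Review bot: `IPV6`, `DOCKER` and `INT` are read with `grep "IPV6=" … | awk -F "'" '{print $2}'`, which is unanchored and quote-dependent: any line merely containing `IPV6=` (a comment, a second assignment) contributes to the value, and an unquoted setting such as the `IPV6=on` shipped in minifirewall.legacy.conf yields an empty string; the stop and reset branches never source the config, so they evaluate `[ "$IPV6" != "off" ]` and `[ "$DOCKER" = "off" ]` against those values (an empty DOCKER means the nat table is not flushed on stop). Anchor the match, e.g. `IPV6=$(grep -E "^IPV6=" {{ minifirewall_main_file }} | awk -F "'" '{print $2}')`, and do the same for DOCKER and INT. Smaller points: `chain_exists` calls bare `iptables` instead of `$IPT`, and the usage string advertises a `squid` action that has no case branch.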
diff --git a/squid/tasks/minifirewall.legacy.yml b/squid/tasks/minifirewall.legacy.yml new file mode 100644 index 00000000..f7e78ee5 --- /dev/null +++ b/squid/tasks/minifirewall.legacy.yml @@ -0,0 +1,43 @@ +--- +- name: Check if Minifirewall is present + stat: + path: "/etc/default/minifirewall" + check_mode: no + register: minifirewall_test + +- block: + - name: HTTPSITES list is commented in minifirewall + replace: + dest: "/etc/default/minifirewall" + regexp: "^(HTTPSITES='[^0-9])" + replace: '#\1' + notify: restart minifirewall + + - name: all HTTPSITES are authorized in minifirewall + lineinfile: + dest: "/etc/default/minifirewall" + line: "HTTPSITES='0.0.0.0/0'" + regexp: "HTTPSITES='.*'" + insertafter: "^#HTTPSITES=" + notify: restart minifirewall + + - name: add iptables rules for the proxy + lineinfile: + dest: "/etc/default/minifirewall" + regexp: "^#? *{{ item }}" + line: "{{ item }}" + insertafter: "^# Proxy" + loop: + - "/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" + - "/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -d {{ squid_address }} -j ACCEPT" + - "/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.0/8 -j ACCEPT" + - "/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 8888" + notify: restart minifirewall + + - name: remove minifirewall example rule for the proxy + lineinfile: + dest: "/etc/default/minifirewall" + regexp: '^#.*(-t nat).*(-d X\.X\.X\.X)' + state: absent + notify: restart minifirewall + when: minifirewall_test.stat.exists diff --git a/squid/tasks/minifirewall.yml b/squid/tasks/minifirewall.yml index e878b0a8..5abdf9df 100644 --- a/squid/tasks/minifirewall.yml +++ b/squid/tasks/minifirewall.yml 
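Review bot: The lineinfile `regexp: "HTTPSITES='.*'"` in `all HTTPSITES are authorized in minifirewall` is unanchored, so right after the preceding task has turned the line into `#HTTPSITES='…'` it still matches that commented line and, with the shipped minifirewall.legacy.conf layout where it is the last match, lineinfile rewrites it in place as `HTTPSITES='0.0.0.0/0'`; the original site list is lost instead of being preserved as a comment, and `insertafter: "^#HTTPSITES="` never applies because a match always exists. `regexp: "^HTTPSITES='.*'"` keeps the comment. The same two tasks are present unchanged in squid/tasks/minifirewall.yml. Nothing in this commit includes minifirewall.legacy.yml, and minifirewall.yml now handles legacy mode itself through the PROXY check, so this file appears unused unless squid/tasks/main.yml (not in this chunk) references it.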
@@ -1,29 +1,37 @@ --- - name: Check if Minifirewall is present stat: - path: "{{ minifirewall_main_file }}" + path: "/etc/default/minifirewall" check_mode: no register: minifirewall_test - block: - name: HTTPSITES list is commented in minifirewall replace: - dest: "{{ minifirewall_main_file }}" + dest: "/etc/default/minifirewall" regexp: "^(HTTPSITES='[^0-9])" replace: '#\1' notify: restart minifirewall - name: all HTTPSITES are authorized in minifirewall lineinfile: - dest: "{{ minifirewall_main_file }}" + dest: "/etc/default/minifirewall" line: "HTTPSITES='0.0.0.0/0'" regexp: "HTTPSITES='.*'" insertafter: "^#HTTPSITES=" notify: restart minifirewall - - name: add iptables rules for the proxy + # The PROXY variable means that minifirewall is "modern" + - name: Look for PROXY variable + shell: "grep -E '^\\s*PROXY=' /etc/default/minifirewall" + failed_when: False + changed_when: False + check_mode: False + register: _minifirewall_proxy_var_check + + - name: Set proxy configuration for minifirewall (legacy mode) lineinfile: - dest: "{{ minifirewall_main_file }}" + dest: "/etc/default/minifirewall" regexp: "^#? *{{ item }}" line: "{{ item }}" insertafter: "^# Proxy" 
@@ -33,11 +41,21 @@ - "/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.0/8 -j ACCEPT" - "/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 8888" notify: restart minifirewall + when: _minifirewall_proxy_var_check.rc == 1 - - name: remove minifirewall example rule for the proxy + - name: remove minifirewall example rule for the proxy (legacy mode) lineinfile: - dest: "{{ minifirewall_main_file }}" + dest: "/etc/default/minifirewall" regexp: '^#.*(-t nat).*(-d X\.X\.X\.X)' state: absent notify: restart minifirewall + when: _minifirewall_proxy_var_check.rc == 1 + + - name: Set proxy configuration for minifirewall (modern mode) + replace: + dest: "/etc/default/minifirewall" + replace: "PROXY='on'" + regexp: "PROXY='.*'" + notify: restart minifirewall + when: _minifirewall_proxy_var_check.rc == 0 when: minifirewall_test.stat.exists -- 2.39.2 From 61cd2b742886461f16d88e1b601d85b417bab62f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 28 Apr 2022 19:14:31 +0200 Subject: [PATCH 045/497] minifirewall: upstream release 22.04 --- CHANGELOG.md | 2 +- minifirewall/files/minifirewall | 273 +++++++++++++++++++++++++++----- minifirewall/tasks/main.yml | 4 +- 3 files changed, 238 insertions(+), 41 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 70e058ca..8e77c681 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -28,7 +28,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * generate-ldif: Add services check for bkctld * minifirewall: restore "force-restart" and fix "restart-if-needed" * minifirewall: tail template follows symlinks -* minifirewall: upstream release 22.03.5 +* minifirewall: upstream release 22.04 * openvpn: use a subnet topology instead of the net30 default topology * tomcat: Tomcat 9 by default with Debian 11 * openvpn: use a local copy of files instead of cloning an external git repository 
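Review bot: The 'Set proxy configuration for minifirewall (modern mode)' task uses `regexp: "PROXY='.*'"`, which is neither anchored nor bounded: it also matches inside commented-out lines such as `#PROXY='off'` elsewhere in the file, and the greedy `.*` extends to the last quote on the line, so a trailing quoted comment would be swallowed into the replacement. Anchoring and bounding the quoted value, `regexp: "^(\\s*PROXY=)'[^']*'"` with `replace: "\\1'on'"`, limits the edit to the assignment the preceding grep actually detected. That also keeps it consistent with the `^\s*PROXY=` shape the grep in the previous hunk looks for.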
diff --git a/minifirewall/files/minifirewall b/minifirewall/files/minifirewall index f8729f79..f383d87c 100755 --- a/minifirewall/files/minifirewall +++ b/minifirewall/files/minifirewall @@ -1,7 +1,8 @@ #!/bin/sh +# shellcheck disable=SC2059 -# minifirewall is shellscripts for easy firewalling on a standalone server -# we used netfilter/iptables http://netfilter.org/ designed for recent Linux kernel +# minifirewall is a shell script for easy firewalling on a standalone server +# It uses netfilter/iptables http://netfilter.org/ designed for recent Linux kernel # See https://gitea.evolix.org/evolix/minifirewall # Copyright (c) 2007-2022 Evolix @@ -28,7 +29,7 @@ # Description: Firewall designed for standalone server ### END INIT INFO -VERSION="22.03.5" +VERSION="22.04" NAME="minifirewall" # shellcheck disable=SC2034 @@ -97,6 +98,42 @@ BACKUPSERVERS='' LEGACY_CONFIG='off' +STATE_FILE_LATEST='/var/run/minifirewall_state_latest' +STATE_FILE_CURRENT='/var/run/minifirewall_state_current' +STATE_FILE_PREVIOUS='/var/run/minifirewall_state_previous' +STATE_FILE_DIFF='/var/run/minifirewall_state_diff' + +LOGGER_BIN=$(command -v logger) + +# No colors by default +RED='' +GREEN='' +YELLOW='' +BLUE='' +MAGENTA='' +CYAN='' +WHITE='' +BOLD='' +RESET='' +# check if stdout is a terminal... +if [ -t 1 ]; then + + # see if it supports colors... + ncolors=$(tput colors) + + if [ -n "${ncolors}" ] && [ ${ncolors} -ge 8 ]; then + RED=$(tput setaf 1) + GREEN=$(tput setaf 2) + YELLOW=$(tput setaf 3) + BLUE=$(tput setaf 4) + MAGENTA=$(tput setaf 5) + CYAN=$(tput setaf 6) + WHITE=$(tput setaf 7) + BOLD=$(tput bold) + RESET='\e[m' + fi +fi + ## pseudo dry-run : ## Uncomment and call these functions instead of the real iptables and ip6tables commands # IPT="fake_iptables" 
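Review bot: In the colour setup block (`@@ -97,6 +98,42 @@`), `RESET='\e[m'` is the only attribute not taken from tput and it relies on printf understanding `\e`, which POSIX printf does not specify; under `#!/bin/sh` on a system whose /bin/sh printf lacks that escape the literal `\e[m` would be printed and colours would never be reset. `RESET=$(tput sgr0)` is consistent with the surrounding assignments and portable. Also, `ncolors=$(tput colors)` runs unguarded when `TERM` is unset or unknown, in which case tput writes an error to stderr; `ncolors=$(tput colors 2>/dev/null)` keeps that quiet, and `[ "${ncolors}" -ge 8 ]` should quote the expansion like the rest of the script does.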
@@ -109,6 +146,16 @@ LEGACY_CONFIG='off' # } ## Beware that commands executed from included files are not modified by this trick. +syslog_info() { + if [ -x "${LOGGER_BIN}" ]; then + ${LOGGER_BIN} -t "${NAME}" -p daemon.info "$1" + fi +} +syslog_error() { + if [ -x "${LOGGER_BIN}" ]; then + ${LOGGER_BIN} -t "${NAME}" -p daemon.error "$1" + fi +} sort_values() { echo "$*" | tr ' ' '\n' | sort -h } @@ -139,37 +186,40 @@ chain_exists() { } source_file_or_error() { file=$1 - echo "...sourcing '${file}\`" + syslog_info "sourcing \`${file}'" + printf "${BLUE}sourcing \`%s'${RESET}\n" "${file}" tmpfile=$(mktemp --tmpdir=/tmp minifirewall.XXX) . "${file}" 2>"${tmpfile}" >&2 if [ -s "${tmpfile}" ]; then - echo "${file} returns standard or error output (see below). Stopping." >&2 + syslog_error "Error while sourcing ${file}" + printf "${RED}%s returns standard or error output (see below). Stopping.${RESET}\n" ${file} >&2 cat "${tmpfile}" exit 1 fi - rm "${tmpfile}" + rm -f "${tmpfile}" } source_configuration() { if ! test -f ${config_file}; then - echo "${config_file} does not exist" >&2 + printf "${RED}%s does not exist${RESET}\n" "${config_file}" >&2 ## We still want to deal with this really old configuration file ## even if it has been deprecated since Debian 8 old_config_file="/etc/firewall.rc" if test -f ${old_config_file}; then - echo "${old_config_file} is deprecated. Rename it to ${config_file}" >&2 + printf "${YELLOW}%s is deprecated and ignored. Rename it to %s${RESET}\n" "${old_config_file}" "${config_file}" >&2 fi exit 1 fi - if grep -e "iptables" -e "ip6tables" "${config_file}" | grep -qvE "^#"; then + # If we find something other than a blank line, a comment or a variable assignment + if grep --quiet --extended-regexp --invert-match "^\s*(#|$|\w+=)" "${config_file}"; then # Backward compatible mode ########################### - echo "Legacy config detected" + printf "${YELLOW}legacy config detected${RESET}\n" LEGACY_CONFIG='on' # Non-backward compatible mode 
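Review bot: In `source_file_or_error` (hunk `@@ -139,37 +186,40 @@`), the error path runs `cat "${tmpfile}"` and then `exit 1` without removing the temporary file, so every failed start leaves a `minifirewall.XXX` file behind in /tmp; moving `rm -f "${tmpfile}"` before the `exit 1` (or registering it in a trap) closes that. On the same error line, `${file}` is passed to printf unquoted while every other use of it is quoted; `"${file}"` keeps a path containing spaces from being split into extra printf arguments.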
@@ -191,10 +241,11 @@ source_configuration() { # and not interfere with the configuration step. tmp_config_file=$(mktemp --tmpdir=/tmp minifirewall.XXX) - grep -E "^\s*[_a-zA-Z0-9]+=" "${config_file}" > "${tmp_config_file}" + # get only variable assignments + grep -E "^\s*\w+=" "${config_file}" > "${tmp_config_file}" source_file_or_error "${tmp_config_file}" - rm "${tmp_config_file}" + rm -f "${tmp_config_file}" else source_file_or_error "${config_file}" fi 
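Review bot: The new comment `# get only variable assignments` above the grep overstates what the filter guarantees: `^\s*\w+=` only checks how a line starts, so a line such as `VAR=$(...)` or `VAR=a; other` still passes through to `source_file_or_error` and is executed when the temporary file is sourced. A more precise comment would be `# keep only lines that start like a variable assignment; the right-hand side is still evaluated by the shell when sourced`, so a later reader does not take the temporary file for a sanitised subset. The enclosing `source_configuration` function starts and ends outside this hunk.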
@@ -207,13 +258,88 @@ source_includes() { done fi } +check_unpersisted_state() { + cmp_bin=$(command -v cmp) + diff_bin=$(command -v diff) + + if [ -z "${cmp_bin}" ]; then + printf "${YELLOW}skip state comparison (Can't find cmp command)${RESET}\n" >&2 + elif [ -z "${diff_bin}" ]; then + printf "${YELLOW}skip state comparison (Can't find diff command)${RESET}\n" >&2 + else + # store current state + mkdir -p "$(dirname "${STATE_FILE_CURRENT}")" + status_without_numbers > "${STATE_FILE_CURRENT}" + + # clean previous diff file + rm -f "${STATE_FILE_DIFF}" + + if [ -f "${STATE_FILE_LATEST}" ]; then + cmp_result=$(cmp "${STATE_FILE_LATEST}" "${STATE_FILE_CURRENT}") + cmp_rc=$? + + if [ ${cmp_rc} -eq 0 ]; then + # echo " rules have not changed since latest start" + : + elif [ ${cmp_rc} -eq 1 ]; then + diff -u "${STATE_FILE_LATEST}" "${STATE_FILE_CURRENT}" > "${STATE_FILE_DIFF}" + printf "${YELLOW}WARNING: current state is different than persisted state, check %s${RESET}\n" "${STATE_FILE_DIFF}" >&2 + else + printf "${RED}ERROR comparing rules:${RESET}\n" >&2 + echo "${cmp_result}" >&2 + fi + fi + # cleanup + rm -f "${STATE_FILE_CURRENT}" + fi +} +report_state_changes() { + cmp_bin=$(command -v cmp) + diff_bin=$(command -v diff) + + if [ -z "${cmp_bin}" ]; then + printf "${YELLOW}skip state comparison (Can't find cmp command)${RESET}\n" >&2 + return + elif [ -z "${diff_bin}" ]; then + printf "${YELLOW}skip state comparison (Can't find diff command)${RESET}\n" >&2 + else + # If there is a known state + # let's compare it with the current state + if [ -f "${STATE_FILE_LATEST}" ]; then + check_unpersisted_state + fi + + # Then reset the known state + mkdir -p "$(dirname "${STATE_FILE_LATEST}")" + status_without_numbers > "${STATE_FILE_LATEST}" + + # But if there is a previous known state + # let's compare with the new known state + if [ -f "${STATE_FILE_PREVIOUS}" ]; then + cmp_result=$(cmp "${STATE_FILE_PREVIOUS}" "${STATE_FILE_LATEST}") + cmp_rc=$? 
+ + if [ ${cmp_rc} -eq 0 ]; then + # echo "Rules have not changed since previous start" + : + elif [ ${cmp_rc} -eq 1 ]; then + diff -u "${STATE_FILE_PREVIOUS}" "${STATE_FILE_LATEST}" > "${STATE_FILE_DIFF}" + printf "${YELLOW}INFO: rules have changed since latest start, check %s${RESET}\n" "${STATE_FILE_DIFF}" >&2 + else + printf "${RED}ERROR comparing rules:${RESET}\n" >&2 + echo "${cmp_result}" >&2 + fi + fi + fi +} start() { - echo "Start IPTables rules..." + syslog_info "starting" + printf "${BOLD}${NAME} starting${RESET}\n" # Stop and warn if error! set -e - trap 'echo "ERROR in minifirewall configuration (fix it now!) or script manipulation (fix yourself)." ' INT TERM EXIT + trap 'printf "${RED}${NAME} failed : an error occured during startup.${RESET}\n"; syslog_error "failed" ' INT TERM EXIT # sysctl network security settings ################################## @@ -238,14 +364,14 @@ start() { if [ "${SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS}" = "1" ] || [ "${SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS}" = "0" ]; then echo "${SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS}" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts else - echo "Invalid SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS value '${SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS}', must be '0' or '1'." >&2 + printf "${RED}ERROR: invalid %s value '%s', must be '0' or '1'.\n" "SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS" "${SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS}" >&2 exit 1 fi if [ "${SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES}" = "1" ] || [ "${SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES}" = "0" ]; then echo "${SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES}" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses else - echo "Invalid SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES value '${SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES}', must be '0' or '1'." >&2 + printf "${RED}ERROR: invalid %s value '%s', must be '0' or '1'.\n" "SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES" "${SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES}" >&2 exit 1 fi 
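Review bot: `check_unpersisted_state` and `report_state_changes` write `status_without_numbers` output into the state files, but that function (defined in the `@@ -839,19 +980,45 @@` hunk further down) prints its section headers with `${BLUE}`/`${RESET}`, and those variables are populated only when the script's stdout is a terminal at startup. A state file written from an interactive `start` therefore contains escape sequences while one written later from cron, systemd or Ansible does not, so `cmp` reports a difference and the script emits `WARNING: current state is different than persisted state` although the rules are identical; `stop()` in the `@@ -754,17 +884,28 @@` hunk has the same exposure when it saves `STATE_FILE_PREVIOUS`. Keeping colour codes out of `status_without_numbers` (plain `#### iptables --list ####` headers) removes the false positive. Minor: the two functions duplicate the cmp/diff lookups and could share a helper, and the trap message in `start()` spells `occured` instead of `occurred`.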
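Review bot: The two rewritten sysctl error messages in this hunk (`printf "${RED}ERROR: invalid %s value ..."`) open with `${RED}` but never emit `${RESET}`, unlike every other coloured message in the file, so on a terminal whatever is printed after the error — mostly the shell prompt, since the script exits right after — stays red. Appending the reset before the newline, `printf "${RED}ERROR: invalid %s value '%s', must be '0' or '1'.${RESET}\n" ...`, matches the other messages. The same omission is in the `@@ -254,14 +380,14 @@`, `@@ -273,7 +399,7 @@`, `@@ -282,7 +408,7 @@` and `@@ -291,7 +417,7 @@` hunks that follow.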
@@ -254,14 +380,14 @@ start() { echo "${SYSCTL_ACCEPT_SOURCE_ROUTE}" > "${proc_sys_file}" done else - echo "Invalid SYSCTL_ACCEPT_SOURCE_ROUTE value '${SYSCTL_ACCEPT_SOURCE_ROUTE}', must be '0' or '1'." >&2 + printf "${RED}ERROR: invalid %s value '%s', must be '0' or '1'.\n" "SYSCTL_ACCEPT_SOURCE_ROUTE" "${SYSCTL_ACCEPT_SOURCE_ROUTE}" >&2 exit 1 fi if [ "${SYSCTL_TCP_SYNCOOKIES}" = "1" ] || [ "${SYSCTL_TCP_SYNCOOKIES}" = "0" ]; then echo "${SYSCTL_TCP_SYNCOOKIES}" > /proc/sys/net/ipv4/tcp_syncookies else - echo "Invalid SYSCTL_TCP_SYNCOOKIES value '${SYSCTL_TCP_SYNCOOKIES}', must be '0' or '1'." >&2 + printf "${RED}ERROR: invalid %s value '%s', must be '0' or '1'.\n" "SYSCTL_TCP_SYNCOOKIES" "${SYSCTL_TCP_SYNCOOKIES}" >&2 exit 1 fi @@ -273,7 +399,7 @@ start() { echo "${SYSCTL_ICMP_REDIRECTS}" > "${proc_sys_file}" done else - echo "Invalid SYSCTL_ICMP_REDIRECTS value '${SYSCTL_ICMP_REDIRECTS}', must be '0' or '1'." >&2 + printf "${RED}ERROR: invalid %s value '%s', must be '0' or '1'.\n" "SYSCTL_ICMP_REDIRECTS" "${SYSCTL_ICMP_REDIRECTS}" >&2 exit 1 fi @@ -282,7 +408,7 @@ start() { echo "${SYSCTL_RP_FILTER}" > "${proc_sys_file}" done else - echo "Invalid SYSCTL_RP_FILTER value '${SYSCTL_RP_FILTER}', must be '0' or '1'." >&2 + printf "${RED}ERROR: invalid %s value '%s', must be '0' or '1'.\n" "SYSCTL_RP_FILTER" "${SYSCTL_RP_FILTER}" >&2 exit 1 fi @@ -291,7 +417,7 @@ start() { echo "${SYSCTL_LOG_MARTIANS}" > "${proc_sys_file}" done else - echo "Invalid SYSCTL_LOG_MARTIANS value '${SYSCTL_LOG_MARTIANS}', must be '0' or '1'." >&2 + printf "${RED}ERROR: invalid %s value '%s', must be '0' or '1'.\n" "SYSCTL_LOG_MARTIANS" "${SYSCTL_LOG_MARTIANS}" >&2 exit 1 fi 
@@ -707,7 +833,7 @@ start() { ${IPT} -A INPUT -p tcp --sport "${server_port}" --dport 1024:65535 -s "${server_ip}" -m state --state ESTABLISHED,RELATED -j ACCEPT fi else - echo "Unrecognized syntax for BACKUPSERVERS '${server}\`. Use space-separated IP:PORT tuples." >&2 + printf "${RED}ERROR: unrecognized syntax for BACKUPSERVERS '%s\`. Use space-separated IP:PORT tuples.${RESET}\n" "${server}" >&2 exit 1 fi done @@ -718,6 +844,10 @@ start() { ${IPT6} -A INPUT -p icmpv6 -j ACCEPT fi + # source config file for remaining commands + if is_legacy_config; then + source_file_or_error "${config_file}" + fi # IPTables policy ################# @@ -754,17 +884,28 @@ start() { ${IPT6} -A OUTPUT -p udp -j DROP fi - if is_legacy_config; then - source_file_or_error "${config_file}" - fi + # Finish + ######################## trap - INT TERM EXIT - echo "...starting IPTables rules is now finish : OK" + syslog_info "started" + printf "${GREEN}${BOLD}${NAME} started${RESET}\n" + + # No need to exit on error anymore + set +e + + report_state_changes } stop() { - echo "Flush all rules and accept everything..." + syslog_info "stopping" + printf "${BOLD}${NAME} stopping${RESET}\n" + + printf "${BLUE}flushing all rules and accepting everything${RESET}\n" + + mkdir -p "$(dirname "${STATE_FILE_PREVIOUS}")" + status_without_numbers > "${STATE_FILE_PREVIOUS}" # Delete all rules ${IPT} -F INPUT 
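Review bot: Moving `source_file_or_error "${config_file}"` for legacy configs from the end of `start()` to just before the `# IPTables policy` section (hunks `@@ -718,6 +844,10 @@` and `@@ -754,17 +884,28 @@`) changes where the commands in a legacy config land relative to the rules appended afterwards: they now come before the policy block and the visible `-j DROP` rules instead of after them, and iptables evaluates a chain in order. Whether that is intended cannot be confirmed from the hunk, so the new `# source config file for remaining commands` comment should state why the position matters, e.g. `# source the legacy config here so its rules are evaluated before the policy/default rules appended below`, and the 22.04 changelog entry should mention the ordering change for legacy users. The body of `start()` between these hunks is outside the diff.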
@@ -839,19 +980,45 @@ stop() { ${IPT6} -X NEEDRESTRICT fi - echo "...flushing IPTables rules is now finish : OK" + rm -f "${STATE_FILE_LATEST}" "${STATE_FILE_CURRENT}" + + syslog_info "stopped" + printf "${GREEN}${BOLD}${NAME} stopped${RESET}\n" } status() { - ${IPT} -L -n -v --line-numbers - ${IPT} -t nat -L -n -v --line-numbers - ${IPT} -t mangle -L -n -v --line-numbers - ${IPT6} -L -n -v --line-numbers - ${IPT6} -t mangle -L -n -v --line-numbers + printf "${BLUE}#### iptables --list ###############################${RESET}\n" + ${IPT} --list --numeric --verbose --line-numbers + printf "\n${BLUE}### iptables --table nat --list ####################${RESET}\n" + ${IPT} --table nat --list --numeric --verbose --line-numbers + printf "\n${BLUE}#### iptables --table mangle --list ################${RESET}\n" + ${IPT} --table mangle --list --numeric --verbose --line-numbers + if is_ipv6_enabled; then + printf "\n${BLUE}#### ip6tables --list ##############################${RESET}\n" + ${IPT6} --list --numeric --verbose --line-numbers + printf "\n${BLUE}#### ip6tables --table mangle --list ###############${RESET}\n" + ${IPT6} --table mangle --list --numeric --verbose --line-numbers + fi +} + +status_without_numbers() { + printf "${BLUE}#### iptables --list ###############################${RESET}\n" + ${IPT} --list --numeric + printf "\n${BLUE}### iptables --table nat --list ####################${RESET}\n" + ${IPT} --table nat --list --numeric + printf "\n${BLUE}#### iptables --table mangle --list ################${RESET}\n" + ${IPT} --table mangle --list --numeric + if is_ipv6_enabled; then + printf "\n${BLUE}#### ip6tables --list ##############################${RESET}\n" + ${IPT6} --list --numeric + printf "\n${BLUE}#### ip6tables --table mangle --list ###############${RESET}\n" + ${IPT6} --table mangle --list --numeric + fi } reset() { - echo "Reset all IPTables counters..." 
+ syslog_info "resetting" + printf "${BOLD}${NAME} resetting${RESET}\n" ${IPT} -Z if is_ipv6_enabled; then @@ -865,36 +1032,66 @@ reset() { ${IPT6} -t mangle -Z fi - echo "...reseting IPTables counters is now finish : OK" + syslog_info "reset" + printf "${GREEN}${BOLD}${NAME} reset${RESET}\n" } +show_version() { + cat <. + +${NAME} comes with ABSOLUTELY NO WARRANTY. +This program is free software; you can redistribute it and/or +modify it under the terms of the GNU General Public License +as published by the Free Software Foundation; either version 3 +of the License. +END +} case "${1:-''}" in start) + source_configuration + check_unpersisted_state + start ;; stop) + source_configuration + check_unpersisted_state + stop ;; status) + source_configuration + check_unpersisted_state + status ;; reset) + source_configuration + check_unpersisted_state + reset ;; restart) + source_configuration + check_unpersisted_state + stop start ;; + version) + show_version + ;; + *) - echo "Usage: $0 {start|stop|restart|status|reset}" + echo "Usage: $0 {start|stop|restart|status|reset|version}" exit 1 ;; esac diff --git a/minifirewall/tasks/main.yml b/minifirewall/tasks/main.yml index e8355ceb..f5eb9ea4 100644 --- a/minifirewall/tasks/main.yml +++ b/minifirewall/tasks/main.yml @@ -94,8 +94,8 @@ - name: Force restart minifirewall (modern mode) command: /etc/init.d/minifirewall restart register: minifirewall_init_restart - failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout" - changed_when: "'starting IPTables rules is now finish : OK' in minifirewall_init_restart.stdout" + failed_when: "'minifirewall failed' in minifirewall_init_restart.stdout" + changed_when: "'minifirewall started' in minifirewall_init_restart.stdout" when: - minifirewall_install_mode != 'legacy' - minifirewall_restart_force | bool -- 2.39.2 From 749d6a78cdb4259af2d510cf6a5ba99194be9abd Mon Sep 17 00:00:00 2001 
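Review bot: Each of the five action branches in the `case` (hunk `@@ -865,36 +1032,66 @@`) repeats `source_configuration` followed by `check_unpersisted_state`; a pre-check before the case, `case "${1:-''}" in start|stop|status|reset|restart) source_configuration; check_unpersisted_state ;; esac`, or a small `prepare()` helper, keeps each action to one line and avoids the two steps drifting apart when the next action is added. The `show_version` heredoc is truncated in this patch as rendered (`cat <.`), so its text cannot be reviewed here.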
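Review bot: In minifirewall/tasks/main.yml, `failed_when: "'minifirewall failed' in minifirewall_init_restart.stdout"` only catches failures that reach the `trap` armed inside `start()`; a restart that aborts before that point (for instance `source_configuration` exiting because the configuration file is missing) prints a different message and exits 1, yet the task is now reported as successful because a custom `failed_when` replaces the default non-zero-rc check — a weaker outcome than the previous positive check. `failed_when: minifirewall_init_restart.rc != 0 or 'minifirewall failed' in minifirewall_init_restart.stdout` keeps the exit status in the decision. The same condition is introduced for config.yml in the `@@ -285,7 +285,7 @@` hunk and tail.yml in the `@@ -21,8 +21,7 @@` hunk of the later "fix failed_when conditions" patch.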
From: Jeremy Lecour Date: Thu, 5 May 2022 09:40:30 +0200 Subject: [PATCH 046/497] redis: Add log2mail user to redis group --- CHANGELOG.md | 3 ++- redis/tasks/default-log2mail.yml | 11 +++++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8e77c681..eef50ca2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,7 +16,8 @@ The **patch** part changes is incremented if multiple releases happen the same m * minifirewall: configure proxy/backup/sysctl values * minifirewall: compatibility with "legacy" version of minifirewall * nagios-nrpe: Add a check dhcp_pool -* redis : Activate overcommit sysctl +* redis: Activate overcommit sysctl +* redis: Add log2mail user to redis group * munin: Add possibility to install local plugins, and install dhcp_pool plugin ### Changed diff --git a/redis/tasks/default-log2mail.yml b/redis/tasks/default-log2mail.yml index 21628b0c..3c50cab7 100644 --- a/redis/tasks/default-log2mail.yml +++ b/redis/tasks/default-log2mail.yml @@ -17,3 +17,14 @@ tags: - redis - log2mail + +- name: log2mail user is in redis group + user: + name: log2mail + groups: redis + append: yes + state: present + notify: restart log2mail + tags: + - redis + - log2mail \ No newline at end of file -- 2.39.2 From a93c1a9141d26eabba8c06dced56d28041705be9 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 5 May 2022 09:41:27 +0200 Subject: [PATCH 047/497] redis: Don't enable plugins in check mode (prevents errors) --- redis/tasks/default-munin.yml | 1 + redis/tasks/instance-munin.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/redis/tasks/default-munin.yml b/redis/tasks/default-munin.yml index 3f0fe6f4..7856741e 100644 --- a/redis/tasks/default-munin.yml +++ b/redis/tasks/default-munin.yml @@ -49,6 +49,7 @@ - used_keys - used_memory notify: restart munin-node + when: not ansible_check_mode tags: - redis diff --git a/redis/tasks/instance-munin.yml b/redis/tasks/instance-munin.yml index 80c67c6f..bc8d8e9a 100644 
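Review bot: The new `log2mail user is in redis group` task in redis/tasks/default-log2mail.yml ends without a trailing newline (`\ No newline at end of file`); adding it keeps later diffs on this file from touching the `- log2mail` tag line. The task itself is fine: `append: yes` preserves the user's existing supplementary groups, and `state: present` avoids creating the account if log2mail is not installed.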
--- a/redis/tasks/instance-munin.yml +++ b/redis/tasks/instance-munin.yml @@ -49,6 +49,7 @@ - used_keys - used_memory notify: restart munin-node + when: not ansible_check_mode tags: - redis -- 2.39.2 From 1c6561e6f57d0658bb4937ff621298aec6e00cab Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 6 May 2022 18:09:33 +0200 Subject: [PATCH 048/497] ansible-commit: add --no-lxc flag --- etc-git/files/ansible-commit | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/etc-git/files/ansible-commit b/etc-git/files/ansible-commit index 20ab3a92..892aa418 100644 --- a/etc-git/files/ansible-commit +++ b/etc-git/files/ansible-commit @@ -31,6 +31,7 @@ Usage: ansible-commit --message "add new host" Options --message MESSAGE set the commit message + --no-lxc disable commit inside LXC containers -V, --version print version number -v, --verbose increase verbosity -n, --dry-run actions are not executed @@ -81,7 +82,7 @@ main() { fi fi - if [ -n "${lxc_ls_bin}" ]; then + if [ "${LXC}" = "1" ] && [ -n "${lxc_ls_bin}" ]; then for container in $(${lxc_ls_bin} -1); do if [ -n "${lxc_config_bin}" ]; then # discovered path @@ -136,6 +137,9 @@ while :; do printf 'FAILED: "--message" requires a non-empty option argument.\n' >&2 exit 1 ;; + --no-lxc) + LXC=0 + ;; -n|--dry-run) # disable actual commands DRY_RUN=1 @@ -169,6 +173,7 @@ if [ -z "${MESSAGE}" ]; then fi DRY_RUN=${DRY_RUN:-0} VERBOSE=${VERBOSE:-0} +LXC=${LXC:-1} evocommit_bin=$(command -v evocommit) if [ -z "${evocommit_bin}" ]; then -- 2.39.2 From 4f4c2229e853e1baa444704beada8ca60e302d78 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 6 May 2022 18:10:01 +0200 Subject: [PATCH 049/497] etc-git: release 22.05 of ansible-commit --- etc-git/files/ansible-commit | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc-git/files/ansible-commit b/etc-git/files/ansible-commit index 892aa418..d22f4a6a 100644 --- a/etc-git/files/ansible-commit +++ b/etc-git/files/ansible-commit 
@@ -2,7 +2,7 @@ set -u -VERSION="22.04.1" +VERSION="22.05" show_version() { cat < Date: Mon, 9 May 2022 10:14:33 +0200 Subject: [PATCH 050/497] =?UTF-8?q?Ajout=20opendkim-genkey=20en=20sha256?= =?UTF-8?q?=20et=20taille=20cl=C3=A9=204096?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- opendkim/files/opendkim-add.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/opendkim/files/opendkim-add.sh b/opendkim/files/opendkim-add.sh index 4e11f8cc..d70fdd4b 100644 --- a/opendkim/files/opendkim-add.sh +++ b/opendkim/files/opendkim-add.sh @@ -10,7 +10,7 @@ domain="$(echo "$1"|xargs)" if [ ! -f "/etc/ssl/private/dkim-${servername}.private" ]; then echo "Generate DKIM keys ..." - opendkim-genkey -D /etc/ssl/private/ -r -d "${domain}" -s "dkim-${servername}" + opendkim-genkey -h sha256 -b 4096 -D /etc/ssl/private/ -r -d "${domain}" -s "dkim-${servername}" chown opendkim:opendkim "/etc/ssl/private/dkim-${servername}.private" chmod 640 "/etc/ssl/private/dkim-${servername}.private" mv "/etc/ssl/private/dkim-${servername}.txt" "/etc/ssl/certs/" -- 2.39.2 From 3663783509bbd988835cf6aef006588452aa1a18 Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Mon, 9 May 2022 10:19:18 +0200 Subject: [PATCH 051/497] add change in opendkim role --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index eef50ca2..9b2b2046 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -34,6 +34,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * tomcat: Tomcat 9 by default with Debian 11 * openvpn: use a local copy of files instead of cloning an external git repository * vrrpd: Store sysctl values in specific file +* opendkim : add generate opendkim-genkey in sha256 and key 4096 ### Fixed -- 2.39.2 From 378ee04c82c950570cdaf957a43298e67f4892fd Mon Sep 17 00:00:00 2001 
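Review bot: `opendkim-genkey -h sha256 -b 4096` in opendkim-add.sh produces a public key whose DNS TXT record is roughly 700 bytes, so it must be published as several 255-byte strings and pushes the DNS answer well past 512 bytes; DNS hosting panels that do not split long TXT values and resolvers without EDNS are the usual points where such records get truncated, which turns a signature into a verification failure rather than a pass. RFC 8301 does require verifiers to accept 1024–4096-bit keys and recommends at least 2048, so 4096 is within spec, but the interoperability trade-off should be recorded next to the command, e.g. `# 4096-bit key: record exceeds 255 bytes and must be split into multiple TXT strings; verify the published record resolves`. `-h sha256` is the right choice since RFC 8301 retired rsa-sha1.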
From: Jeremy Lecour Date: Tue, 10 May 2022 15:55:08 +0200 Subject: [PATCH 052/497] minifirewall: upstream release 22.05 --- CHANGELOG.md | 2 +- minifirewall/files/minifirewall | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9b2b2046..c19d0455 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -29,7 +29,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * generate-ldif: Add services check for bkctld * minifirewall: restore "force-restart" and fix "restart-if-needed" * minifirewall: tail template follows symlinks -* minifirewall: upstream release 22.04 +* minifirewall: upstream release 22.05 * openvpn: use a subnet topology instead of the net30 default topology * tomcat: Tomcat 9 by default with Debian 11 * openvpn: use a local copy of files instead of cloning an external git repository diff --git a/minifirewall/files/minifirewall b/minifirewall/files/minifirewall index f383d87c..7dae5787 100755 --- a/minifirewall/files/minifirewall +++ b/minifirewall/files/minifirewall @@ -29,7 +29,7 @@ # Description: Firewall designed for standalone server ### END INIT INFO -VERSION="22.04" +VERSION="22.05" NAME="minifirewall" # shellcheck disable=SC2034 @@ -989,7 +989,7 @@ stop() { status() { printf "${BLUE}#### iptables --list ###############################${RESET}\n" ${IPT} --list --numeric --verbose --line-numbers - printf "\n${BLUE}### iptables --table nat --list ####################${RESET}\n" + printf "\n${BLUE}#### iptables --table nat --list ###################${RESET}\n" ${IPT} --table nat --list --numeric --verbose --line-numbers printf "\n${BLUE}#### iptables --table mangle --list ################${RESET}\n" ${IPT} --table mangle --list --numeric --verbose --line-numbers 
@@ -1004,7 +1004,7 @@ status() { status_without_numbers() { printf "${BLUE}#### iptables --list ###############################${RESET}\n" ${IPT} --list --numeric - printf "\n${BLUE}### iptables --table nat --list ####################${RESET}\n" + printf "\n${BLUE}#### iptables --table nat --list ###################${RESET}\n" ${IPT} --table nat --list --numeric printf "\n${BLUE}#### iptables --table mangle --list ################${RESET}\n" ${IPT} --table mangle --list --numeric -- 2.39.2 From dd2072b86b34c92026ae081874d055f00f1e2941 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 10 May 2022 16:39:44 +0200 Subject: [PATCH 053/497] minifirewall: fix failed_when conditions on restart --- CHANGELOG.md | 1 + evobackup-client/handlers/main.yml | 5 +++-- evomaintenance/handlers/main.yml | 5 +++-- minifirewall/tasks/config.yml | 2 +- minifirewall/tasks/main.yml | 2 -- minifirewall/tasks/tail.yml | 3 +-- 6 files changed, 9 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c19d0455..6defc87c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -44,6 +44,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * postfix: Do not send mails through milters a second time after amavis (in packmail) * etc-git : Remount /usr in rw for git gc in in /usr/share/scripts/ * etc-git: Make evocommit fully compatible with OpenBSD +* minifirewall: fix `failed_when` condition on restart ### Removed diff --git a/evobackup-client/handlers/main.yml b/evobackup-client/handlers/main.yml index fc1b7739..de71f634 100644 --- a/evobackup-client/handlers/main.yml +++ b/evobackup-client/handlers/main.yml 
@@ -2,8 +2,9 @@ - name: restart minifirewall command: /etc/init.d/minifirewall restart register: minifirewall_init_restart - failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout" - changed_when: "'starting IPTables rules is now finish : OK' in minifirewall_init_restart.stdout" + failed_when: + - "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout" + - "'minifirewall started' not in minifirewall_init_restart.stdout" - name: 'created new jail' command: "bkctld restart {{ evolinux_hostname }}" diff --git a/evomaintenance/handlers/main.yml b/evomaintenance/handlers/main.yml index 85884f73..37c9af95 100644 --- a/evomaintenance/handlers/main.yml +++ b/evomaintenance/handlers/main.yml @@ -3,8 +3,9 @@ - name: restart minifirewall command: /etc/init.d/minifirewall restart register: minifirewall_init_restart - failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout" - changed_when: "'starting IPTables rules is now finish : OK' in minifirewall_init_restart.stdout" + failed_when: + - "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout" + - "'minifirewall started' not in minifirewall_init_restart.stdout" - name: restart minifirewall (noop) meta: noop diff --git a/minifirewall/tasks/config.yml b/minifirewall/tasks/config.yml index 82b5263a..1ddb9695 100644 --- a/minifirewall/tasks/config.yml +++ b/minifirewall/tasks/config.yml @@ -285,7 +285,7 @@ - name: restart minifirewall command: /etc/init.d/minifirewall restart register: minifirewall_init_restart - failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout" + failed_when: "'minifirewall failed' in minifirewall_init_restart.stdout" when: - minifirewall_restart_if_needed | bool - minifirewall_is_running.rc == 0 diff --git a/minifirewall/tasks/main.yml b/minifirewall/tasks/main.yml index f5eb9ea4..4a838ee9 100644 
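Review bot: The list form introduced for `failed_when` in the evobackup-client handler (and identically in the evomaintenance handler in the next hunk) ANDs its two items, so the task fails only when both the legacy `starting IPTables rules is now finish : OK` string and the modern `minifirewall started` string are absent — which is the intent, but list conditions are routinely misread as OR. A one-line comment above it, `# all items must hold: fail only if neither the legacy nor the modern success message is present`, avoids the misreading. This positive check is also more robust than the `'minifirewall failed' in stdout` form used for config.yml in the same patch, because a restart that exits before printing anything is still flagged here.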
--- a/minifirewall/tasks/main.yml +++ b/minifirewall/tasks/main.yml @@ -95,7 +95,6 @@ command: /etc/init.d/minifirewall restart register: minifirewall_init_restart failed_when: "'minifirewall failed' in minifirewall_init_restart.stdout" - changed_when: "'minifirewall started' in minifirewall_init_restart.stdout" when: - minifirewall_install_mode != 'legacy' - minifirewall_restart_force | bool @@ -104,7 +103,6 @@ command: /etc/init.d/minifirewall restart register: minifirewall_init_restart failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout" - changed_when: "'starting IPTables rules is now finish : OK' in minifirewall_init_restart.stdout" when: - minifirewall_install_mode == 'legacy' - minifirewall_restart_force | bool \ No newline at end of file diff --git a/minifirewall/tasks/tail.yml b/minifirewall/tasks/tail.yml index ae771017..1d708fa4 100644 --- a/minifirewall/tasks/tail.yml +++ b/minifirewall/tasks/tail.yml @@ -21,8 +21,7 @@ - name: restart minifirewall command: /etc/init.d/minifirewall restart register: minifirewall_init_restart - failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout" - changed_when: "'starting IPTables rules is now finish : OK' in minifirewall_init_restart.stdout" + failed_when: "'minifirewall failed' in minifirewall_init_restart.stdout" when: - minifirewall_tail_template is changed - minifirewall_restart_if_needed | bool -- 2.39.2 From 09872fa4ad1a2262ce2296a5caf80e19a5cd0cb9 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 10 May 2022 16:58:32 +0200 Subject: [PATCH 054/497] Release 22.05 --- CHANGELOG.md | 70 ++++++++++++++++++++++++++++------------------------ 1 file changed, 38 insertions(+), 32 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6defc87c..0b1e59f1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -12,44 +12,52 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added -* etc-git: use "ansible-commit" to efficiently commit all available repositories (including /etc inside LXC) from Ansible -* minifirewall: configure proxy/backup/sysctl values -* minifirewall: compatibility with "legacy" version of minifirewall -* nagios-nrpe: Add a check dhcp_pool -* redis: Activate overcommit sysctl -* redis: Add log2mail user to redis group -* munin: Add possibility to install local plugins, and install dhcp_pool plugin - ### Changed -* evocheck: upstream release 22.04.1 -* evolinux-base: Add non-free repos & install non-free firmware on dedicated hardware -* evolinux-base: rename backup-server-state to dump-server-state -* dump-server-state: upstream release 22.04.3 -* generate-ldif: Add services check for bkctld -* minifirewall: restore "force-restart" and fix "restart-if-needed" -* minifirewall: tail template follows symlinks -* minifirewall: upstream release 22.05 -* openvpn: use a subnet topology instead of the net30 default topology -* tomcat: Tomcat 9 by default with Debian 11 -* openvpn: use a local copy of files instead of cloning an external git repository -* vrrpd: Store sysctl values in specific file -* opendkim : add generate opendkim-genkey in sha256 and key 4096 - ### Fixed -* Repair keepalived role -* generate-ldif: Correct generated entries for php-fpm in containers -* redis: Remount /usr with RW before adding nagios plugin -* postfix: Do not send mails through milters a second time after amavis (in packmail) -* etc-git : Remount /usr in rw for git gc in in /usr/share/scripts/ -* etc-git: Make evocommit fully compatible with OpenBSD -* minifirewall: fix `failed_when` condition on restart - ### Removed ### Security +## [22.05] 2022-05-10 + +### Added + +* etc-git: use "ansible-commit" to efficiently commit all available repositories (including /etc inside LXC) from Ansible +* minifirewall: compatibility with "legacy" 
version of minifirewall +* minifirewall: configure proxy/backup/sysctl values +* munin: Add possibility to install local plugins, and install dhcp_pool plugin +* nagios-nrpe: Add a check dhcp_pool +* redis: Activate overcommit sysctl +* redis: Add log2mail user to redis group + +### Changed + +* dump-server-state: upstream release 22.04.3 +* evocheck: upstream release 22.04.1 +* evolinux-base: Add non-free repos & install non-free firmware on dedicated hardware +* evolinux-base: rename backup-server-state to dump-server-state +* generate-ldif: Add services check for bkctld +* minifirewall: restore "force-restart" and fix "restart-if-needed" +* minifirewall: tail template follows symlinks +* minifirewall: upstream release 22.05 +* opendkim : add generate opendkim-genkey in sha256 and key 4096 +* openvpn: use a local copy of files instead of cloning an external git repository +* openvpn: use a subnet topology instead of the net30 default topology +* tomcat: Tomcat 9 by default with Debian 11 +* vrrpd: Store sysctl values in specific file + +### Fixed + +* etc-git : Remount /usr in rw for git gc in in /usr/share/scripts/ +* etc-git: Make evocommit fully compatible with OpenBSD +* generate-ldif: Correct generated entries for php-fpm in containers +* keepalived: repair broken role +* minifirewall: fix `failed_when` condition on restart +* postfix: Do not send mails through milters a second time after amavis (in packmail) +* redis: Remount /usr with RW before adding nagios plugin + ## [22.03] 2022-03-02 ### Added @@ -72,8 +80,6 @@ The **patch** part changes is incremented if multiple releases happen the same m * lxc: Fail if /var is nosuid * openvpn: make it compatible with OpenBSD and add some improvements - - ## [22.01.3] 2022-01-31 ### Changed -- 2.39.2 From 1b4d4c98fe87bdc506442f04bc44142a6d988909 Mon Sep 17 00:00:00 2001 
From: Ludovic Poujol Date: Tue, 10 May 2022 17:39:45 +0200 Subject: [PATCH 055/497] docker : Removed Debian Jessie support --- CHANGELOG.md | 2 ++ docker-host/files/docker_preferences | 3 --- docker-host/tasks/jessie_backports.yml | 23 ----------------------- docker-host/tasks/main.yml | 3 --- 4 files changed, 2 insertions(+), 29 deletions(-) delete mode 100644 docker-host/files/docker_preferences delete mode 100644 docker-host/tasks/jessie_backports.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 0b1e59f1..bd84b198 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Removed +* docker : Removed Debian Jessie support + ### Security ## [22.05] 2022-05-10 diff --git a/docker-host/files/docker_preferences b/docker-host/files/docker_preferences deleted file mode 100644 index 1a68427d..00000000 --- a/docker-host/files/docker_preferences +++ /dev/null @@ -1,3 +0,0 @@ -Package: python-docker -Pin: release a=jessie-backports -Pin-Priority: 999 diff --git a/docker-host/tasks/jessie_backports.yml b/docker-host/tasks/jessie_backports.yml deleted file mode 100644 index e7c7e94f..00000000 --- a/docker-host/tasks/jessie_backports.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- -- include_role: - name: evolix/apt - tasks_from: backports.yml - tags: - - packages - -- name: Prefer python-docker package from jessie-backports - copy: - src: docker_preferences - dest: /etc/apt/preferences.d/999-docker - force: yes - mode: "0640" - register: docker_apt_preferences - tags: - - packages - -- name: update apt - apt: - update_cache: yes - when: docker_apt_preferences is changed - tags: - - packages diff --git a/docker-host/tasks/main.yml b/docker-host/tasks/main.yml index 026181f6..732c3233 100644 --- a/docker-host/tasks/main.yml +++ b/docker-host/tasks/main.yml 
@@ -24,9 +24,6 @@ update_cache: no filename: docker.list -- include: jessie_backports.yml - when: ansible_distribution_release == 'jessie' - - name: Add Docker's official GPG key copy: src: docker-debian.asc -- 2.39.2 From 7762ae64b32974a45f999bd723b3fbbf4792a591 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Tue, 10 May 2022 17:40:27 +0200 Subject: [PATCH 056/497] docker: Remove (broken?) systemd override --- docker-host/tasks/main.yml | 27 ++++++--------------------- 1 file changed, 6 insertions(+), 21 deletions(-) diff --git a/docker-host/tasks/main.yml b/docker-host/tasks/main.yml index 732c3233..b430de6f 100644 --- a/docker-host/tasks/main.yml +++ b/docker-host/tasks/main.yml @@ -15,14 +15,6 @@ - ca-certificates - gnupg2 state: present - update_cache: yes - -- name: Add Docker repository - apt_repository: - repo: 'deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable' - state: present - update_cache: no - filename: docker.list - name: Add Docker's official GPG key copy: @@ -33,6 +25,12 @@ owner: root group: root +- name: Add Docker repository + apt_repository: + repo: 'deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable' + state: present + filename: docker.list + - name: Install Docker apt: name: @@ -59,19 +57,6 @@ dest: /etc/docker/daemon.json notify: restart docker -- name: Create override directory for docker unit - file: - name: /etc/systemd/system/docker.service.d/ - state: directory - mode: "0755" - -- name: Remove options in ExecStart from docker unit - copy: - src: docker.conf - dest: /etc/systemd/system/docker.service.d/ - mode: "0644" - notify: reload systemd - - name: Creating Docker tmp directory file: path: "{{ docker_tmpdir }}" -- 2.39.2 From 6aa7b89b7868528ba47cade1431203e199063c2c Mon Sep 17 00:00:00 2001 
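Review bot: The relocated `apt_repository` entry `deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable` is not bound to Docker's key with `signed-by=`, so wherever the preceding copy task drops docker-debian.asc (its `dest` is outside this hunk), that third-party key is either trusted for every configured repository, Debian's own included, or on newer releases not consulted at all. Pinning the key to the repository, `repo: 'deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable'`, with the copy task's `dest` matching that path, limits what a compromised vendor key could sign for. Moving the repository task after the key copy is the right order; a one-line comment above it saying "key must exist before the list file is written" would keep it that way.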
From: Ludovic Poujol Date: Tue, 10 May 2022 18:21:59 +0200 Subject: [PATCH 057/497] docker : Introduce new default settings + allow to change the docker data directory --- CHANGELOG.md | 1 + docker-host/defaults/main.yml | 4 ++-- docker-host/templates/daemon.json.j2 | 17 +++++++++++++---- 3 files changed, 16 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bd84b198..383965e1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,6 +19,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Removed * docker : Removed Debian Jessie support +* docker : Introduce new default settings + allow to change the docker data directory ### Security diff --git a/docker-host/defaults/main.yml b/docker-host/defaults/main.yml index 6393a962..913da884 100644 --- a/docker-host/defaults/main.yml +++ b/docker-host/defaults/main.yml @@ -1,14 +1,14 @@ --- # If docher_home sets to /home/, the partition should be mounted with exec # option. -docker_home: /srv/docker +docker_home: /var/lib/docker docker_tmpdir: "{{docker_home}}/tmp" docker_remote_access_enabled: True docker_daemon_port: 2376 docker_daemon_listening_ip: 0.0.0.0 -docker_tls_enabled: True +docker_tls_enabled: False docker_tls_path: "{{docker_home}}/tls" docker_tls_ca: ca/ca.pem docker_tls_ca_key: ca/ca-key.pem diff --git a/docker-host/templates/daemon.json.j2 b/docker-host/templates/daemon.json.j2 index ab6cac19..ee9be3c8 100644 --- a/docker-host/templates/daemon.json.j2 +++ b/docker-host/templates/daemon.json.j2 
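Review bot: Flipping `docker_tls_enabled` to `False` while `docker_remote_access_enabled: True`, `docker_daemon_listening_ip: 0.0.0.0` and port 2376 remain means the default rendering publishes the Docker API unauthenticated on every interface, which amounts to unauthenticated root on the host. The following commit in this series turns remote access off by default, which removes the exposure from the shipped defaults, but the two settings should still not be allowed to combine that way for anyone who re-enables remote access. A guard task in the role, `- assert: { that: "not (docker_remote_access_enabled | bool) or (docker_tls_enabled | bool)", fail_msg: "remote Docker API requires docker_tls_enabled" }`, makes the combination fail loudly. The changelog line on this page files the change under "Removed", which also hides a default change from readers.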
@@ -1,13 +1,22 @@ { - "debug": false + "debug": false, + + {# Docker data-dir (default to /var/lib/docker) #} + "data-root": "{{ docker_home }}", + + {# Keep containers running while docker daemon downtime #} + "live-restore": true, + + {# Turn on user namespace remaping #} + "userns-remap": "default", + {% if docker_tls_enabled %} - , "tls": true, "tlscert": "{{ docker_tls_path }}/{{ docker_tls_cert }}", "tlscacert": "{{ docker_tls_path }}/{{ docker_tls_ca }}", - "tlskey": "{{ docker_tls_path }}/{{ docker_tls_key }}" + "tlskey": "{{ docker_tls_path }}/{{ docker_tls_key }}", {% endif %} - , + {% if docker_remote_access_enabled %} "hosts": ["tcp://{{ docker_daemon_listening_ip }}:{{ docker_daemon_port }}", "fd://"] {% else %} -- 2.39.2 From 9973a62c1685a0043fba44c1eba708884d8f9789 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Tue, 10 May 2022 19:04:58 +0200 Subject: [PATCH 058/497] docker : Introduce new variables to tweak daemon settings --- CHANGELOG.md | 4 +++- docker-host/defaults/main.yml | 16 +++++++++++++--- docker-host/templates/daemon.json.j2 | 15 +++++++++++++++ 3 files changed, 31 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 383965e1..a2c6da45 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,9 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added +* docker : Introduce new default settings + allow to change the docker data directory +* docker : Introduce new variables to tweak daemon settings + ### Changed ### Fixed @@ -19,7 +22,6 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Removed * docker : Removed Debian Jessie support -* docker : Introduce new default settings + allow to change the docker data directory ### Security diff --git a/docker-host/defaults/main.yml b/docker-host/defaults/main.yml index 913da884..5b64f342 100644 --- a/docker-host/defaults/main.yml +++ b/docker-host/defaults/main.yml 
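Review bot: `"userns-remap": "default"` is now emitted unconditionally, so every host applying this role switches to user-namespace remapping with no variable to opt out, and since dockerd keeps remapped state under a per-uid subdirectory of data-root, hosts that already run containers will find their existing images and containers missing after the restart. Together with `docker_home` moving from /srv/docker to /var/lib/docker in the same commit, that is two silent data relocations the CHANGELOG entry does not warn about. Make it tunable, e.g. `docker_conf_userns_remap: "default"` in defaults and `{% if docker_conf_userns_remap %}"userns-remap": "{{ docker_conf_userns_remap }}",{% endif %}` here, and document the migration impact next to the variable. The `{# … #}` Jinja comments are fine since they are stripped before the JSON is written.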
@@ -1,13 +1,23 @@ --- -# If docher_home sets to /home/, the partition should be mounted with exec -# option. +# If docher_home sets to /home/, the partition should be mounted with exec option. docker_home: /var/lib/docker docker_tmpdir: "{{docker_home}}/tmp" -docker_remote_access_enabled: True +# Chose to use iptables instead of docker-proxy userland process +docker_conf_use_iptables: False + +# Disable the possibility for containers processes to gain new privileges +docker_conf_no_newprivileges: False + +# Disable all default network connectivity +docker_conf_disable_default_networking: False + +# Remote access +docker_remote_access_enabled: False docker_daemon_port: 2376 docker_daemon_listening_ip: 0.0.0.0 +# TLS docker_tls_enabled: False docker_tls_path: "{{docker_home}}/tls" docker_tls_ca: ca/ca.pem diff --git a/docker-host/templates/daemon.json.j2 b/docker-host/templates/daemon.json.j2 index ee9be3c8..c73268d9 100644 --- a/docker-host/templates/daemon.json.j2 +++ b/docker-host/templates/daemon.json.j2 @@ -10,6 +10,21 @@ {# Turn on user namespace remaping #} "userns-remap": "default", + {% if docker_conf_use_iptables %} + {# Use iptables instead of docker-proxy #} + "userland-proxy": false, + "iptables": true, + {% endif %} + + {# Disable the possibility for containers processes to gain new privileges #} + "no-new-privileges": {{ docker_conf_no_newprivileges | to_json }}, + + {% if docker_conf_disable_default_networking %} + {# Disable all default network connectivity #} + "bridge": "none", + "icc": false, + {% endif %} + {% if docker_tls_enabled %} "tls": true, "tlscert": "{{ docker_tls_path }}/{{ docker_tls_cert }}", -- 2.39.2 From 36ed916b96cadd052526e92864213e5aee4f3b0f Mon Sep 17 00:00:00 2001 
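Review bot: `"no-new-privileges": {{ docker_conf_no_newprivileges | to_json }}` renders a JSON string rather than a boolean when the variable arrives as the string `"true"`/`"false"` from inventory or `-e`, and dockerd rejects `"no-new-privileges": "true"` at startup; normalise with `{{ docker_conf_no_newprivileges | bool | to_json }}`. In the `docker_conf_use_iptables` branch, `"iptables": true` is already dockerd's default, so only `"userland-proxy": false` has an effect; the defaults comment could say so, e.g. `# Publish ports with iptables DNAT instead of the docker-proxy userland process`. The defaults file also carries the pre-existing typo `docher_home` in its first comment.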
From: "William Hirigoyen (Evolix)" Date: Wed, 11 May 2022 17:46:08 +0200 Subject: [PATCH 059/497] Adapte le check minifirewall pour le cas systemd --- minifirewall/files/check_minifirewall | 30 +++++++++++++++++---------- 1 file changed, 19 insertions(+), 11 deletions(-) diff --git a/minifirewall/files/check_minifirewall b/minifirewall/files/check_minifirewall index 17943994..6588c469 100644 --- a/minifirewall/files/check_minifirewall +++ b/minifirewall/files/check_minifirewall 
@@ -10,29 +10,37 @@ is_alert5_enabled() { if test -f /etc/init.d/alert5; then test -f /etc/rc2.d/S*alert5 else - systemctl is-enabled alert5 -q + systemctl is-active alert5 | grep -q "^active$" fi } is_minifirewall_enabled() { # TODO: instead of nested conditionals, we could loop with many possible paths # and grep the first found, or error if none is found - if test -f /etc/rc2.d/S*alert5; then - grep -q "^/etc/init.d/minifirewall" /etc/rc2.d/S*alert5 + if [ -f /etc/systemd/system/minifirewall.service ]; then + systemctl is-enabled minifirewall 2>&1 > /dev/null else - if test -f /usr/share/scripts/alert5.sh; then - grep -q "^/etc/init.d/minifirewall" /usr/share/scripts/alert5.sh + if test -f /etc/rc2.d/S*alert5; then + grep -q "^/etc/init.d/minifirewall" /etc/rc2.d/S*alert5 else - return_critical "No Alert5 scripts has been found." + if test -f /usr/share/scripts/alert5.sh; then + grep -q "^/etc/init.d/minifirewall" /usr/share/scripts/alert5.sh + else + return_critical "No Alert5 scripts has been found." + fi fi fi } is_minifirewall_started() { - if test -x /usr/share/scripts/minifirewall_status; then - /usr/share/scripts/minifirewall_status > /dev/null + if [ -f /etc/systemd/system/minifirewall.service ]; then + systemctl is-active minifirewall 2>&1 > /dev/null else - /sbin/iptables -L -n | grep -q -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$" + if test -x /usr/share/scripts/minifirewall_status; then + /usr/share/scripts/minifirewall_status > /dev/null + else + /sbin/iptables -L -n | grep -q -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$" + fi fi } 
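Review bot: Both new systemd branches use `2>&1 > /dev/null`, which redirects stderr to the original stdout before stdout is sent to /dev/null, so systemctl's error text still reaches the NRPE output instead of being silenced; the order should be `systemctl is-enabled minifirewall > /dev/null 2>&1` and `systemctl is-active minifirewall > /dev/null 2>&1`. The systemd path is chosen only when `/etc/systemd/system/minifirewall.service` exists, so a unit shipped elsewhere (for example under /lib/systemd/system) would fall back to the rc2.d/alert5 logic — if that layout is possible on your hosts, `systemctl cat minifirewall > /dev/null 2>&1` is a location-independent test. A short comment above is_minifirewall_enabled stating "systemd unit takes precedence over alert5 wiring" would document the new order of checks.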
@@ -61,9 +69,9 @@ main() { fi else if is_minifirewall_started; then - return_warning "Minifirewall is started, but disabled in alert5." + return_warning "Minifirewall is started, but disabled in alert5 or systemd." else - return_ok "Minifirewall is not started, but disabled in alert5." + return_ok "Minifirewall is not started, but disabled in alert5 or systemd." fi fi else -- 2.39.2 From f82a81844dee30e07b157823974e5c16eb22c528 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 12 May 2022 15:47:37 +0200 Subject: [PATCH 060/497] evocheck: upstream release 22.05 --- CHANGELOG.md | 2 ++ evocheck/files/evocheck.sh | 23 +++++++++++++---------- 2 files changed, 15 insertions(+), 10 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a2c6da45..8c66b469 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* evocheck: upstream release 22.05 + ### Fixed ### Removed diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index 4f24ae79..cf901bb0 100644 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Debian/OpenBSD server # powered by Evolix -VERSION="22.04.1" +VERSION="22.05" readonly VERSION # base functions 
@@ -601,14 +601,17 @@ check_evobackup_exclude_mount() { # shellcheck disable=SC2044 for evobackup_file in $(find /etc/cron* -name '*evobackup*' | grep -v -E ".disabled$"); do - # If rsync is not limited by "one-file-system" - # then we verify that every mount is excluded - if ! grep -q -- "^\s*--one-file-system" "${evobackup_file}"; then - grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}" - not_excluded=$(findmnt --type nfs,nfs4,fuse.sshfs, -o target --noheadings | grep -v -f "${excludes_file}") - for mount in ${not_excluded}; do - failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script" - done + # if the file seems to be a backup script, with an Rsync invocation + if grep -q "^\s*rsync" "${evobackup_file}"; then + # If rsync is not limited by "one-file-system" + # then we verify that every mount is excluded + if ! grep -q -- "^\s*--one-file-system" "${evobackup_file}"; then + grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}" + not_excluded=$(findmnt --type nfs,nfs4,fuse.sshfs, -o target --noheadings | grep -v -f "${excludes_file}") + for mount in ${not_excluded}; do + failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script" + done + fi fi done } @@ -1429,7 +1432,7 @@ get_version() { grep '^VERSION=' "${command}" | head -1 | cut -d '=' -f 2 ;; minifirewall) - ${command} status | head -1 | cut -d ' ' -f 3 + ${command} version | head -1 | cut -d ' ' -f 3 ;; ## Let's try the --version flag before falling back to grep for the constant kvmstats) -- 2.39.2 From 1a9c219c5bae914e7140fe3e9dededeb6ad7fd1c Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 12 May 2022 15:49:18 +0200 Subject: [PATCH 061/497] Release 22.05.1 --- CHANGELOG.md | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8c66b469..67315979 100644 
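Review bot: The new `grep -q "^\s*rsync"` gate in check_evobackup_exclude_mount only recognises a bare `rsync` at the start of a line, so a backup script that invokes `/usr/bin/rsync`, `ionice -c3 rsync`, `nice rsync` or `$RSYNC` is now silently skipped and its unexcluded NFS/sshfs mounts go unreported, whereas before every *evobackup* cron file was inspected. A looser match such as `grep -q -E "(^|[[:space:]])rsync([[:space:]]|$)"` keeps the intent of skipping non-rsync files without dropping those layouts. A comment on the gate, `# only inspect files that actually run rsync; other evobackup helpers have no excludes`, would make the intent explicit.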
--- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,18 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added +### Changed + +### Fixed + +### Removed + +### Security + +## [22.05.1] 2022-05-12 + +### Added + * docker : Introduce new default settings + allow to change the docker data directory * docker : Introduce new variables to tweak daemon settings @@ -19,14 +31,10 @@ The **patch** part changes is incremented if multiple releases happen the same m * evocheck: upstream release 22.05 -### Fixed - ### Removed * docker : Removed Debian Jessie support -### Security - ## [22.05] 2022-05-10 ### Added -- 2.39.2 From f01f4dece6ce64a3b7ee45cae7f3b42e9f8184dc Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 17 May 2022 11:19:13 +0200 Subject: [PATCH 062/497] minifirewall: add debug for variables --- minifirewall/tasks/main.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/minifirewall/tasks/main.yml b/minifirewall/tasks/main.yml index 4a838ee9..483f8715 100644 --- a/minifirewall/tasks/main.yml +++ b/minifirewall/tasks/main.yml @@ -56,6 +56,11 @@ include: install.legacy.yml when: minifirewall_install_mode == 'legacy' +- name: Debug minifirewall_update_config + debug: + var: minifirewall_update_config | bool + verbosity: 1 + - name: Config tasks (modern mode) include: config.yml when: @@ -77,6 +82,11 @@ - name: Activation tasks include: activate.yml +- name: Debug minifirewall_tail_included + debug: + var: minifirewall_tail_included | bool + verbosity: 1 + - name: Tail tasks (modern mode) include: tail.yml when: @@ -91,6 +101,11 @@ # Restart? +- name: Debug minifirewall_restart_force + debug: + var: minifirewall_restart_force | bool + verbosity: 1 + - name: Force restart minifirewall (modern mode) command: /etc/init.d/minifirewall restart register: minifirewall_init_restart -- 2.39.2 From 19ca65f55fb07c5dffe6569c0d85da7351719633 Mon Sep 17 00:00:00 2001 
From: Eric Morino Date: Tue, 17 May 2022 15:05:20 +0200 Subject: [PATCH 063/497] Add task for VMware provider for install open-vm-tools --- evolinux-base/tasks/provider_vmware.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 evolinux-base/tasks/provider_vmware.yml diff --git a/evolinux-base/tasks/provider_vmware.yml b/evolinux-base/tasks/provider_vmware.yml new file mode 100644 index 00000000..1249d6fb --- /dev/null +++ b/evolinux-base/tasks/provider_vmware.yml @@ -0,0 +1,17 @@ +--- +- name: Check if the virtual machine on VMWare Host + shell: "dmidecode | grep -q 'VMware'" + check_mode: no + register: vmware_provider + failed_when: False + changed_when: False + tags: + - packages + +- name: OpenVM Tools are installed for vmware + apt: + state: present + name: open-vm-tools + tags: + - packages + when: vmware_provider == 0 -- 2.39.2 From c6dec34f10c0d175a84f0834e5446cee63cf3126 Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Tue, 17 May 2022 15:09:16 +0200 Subject: [PATCH 064/497] Add wmware_provider.rc variable --- evolinux-base/tasks/provider_vmware.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evolinux-base/tasks/provider_vmware.yml b/evolinux-base/tasks/provider_vmware.yml index 1249d6fb..dbf93d0e 100644 --- a/evolinux-base/tasks/provider_vmware.yml +++ b/evolinux-base/tasks/provider_vmware.yml @@ -14,4 +14,4 @@ name: open-vm-tools tags: - packages - when: vmware_provider == 0 + when: vmware_provider.rc == 0 -- 2.39.2 From 134355d1903b01ed189c87486a557715fcae1649 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Tue, 24 May 2022 16:22:49 +0200 Subject: [PATCH 065/497] docker: Allow live-restore to be toggled with docker_conf_live_restore --- CHANGELOG.md | 2 ++ docker-host/defaults/main.yml | 3 +++ docker-host/templates/daemon.json.j2 | 2 +- 3 files changed, 6 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 67315979..d9cd0803 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
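Review bot: `failed_when: False` on `dmidecode | grep -q 'VMware'` turns every failure mode — dmidecode not installed, not running as root, DMI unreadable in a container — into a non-zero rc, i.e. silently "not VMware", so open-vm-tools is quietly skipped on exactly the hosts where the probe broke. Ansible already derives this from the same DMI data in its facts, so the shell probe and register can go: `when: ansible_virtualization_type == 'VMware' and ansible_virtualization_role == 'guest'` on the apt task (confirm the exact fact value on a known VMware guest before relying on it). If the shell probe is kept, distinguish "grep found nothing" (rc 1) from "command failed" (rc > 1) instead of collapsing both, and note that this new task file is not included from main.yml anywhere in this hunk.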
@@ -14,6 +14,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* docker: Allow "live-restore" to be toggled with docker_conf_live_restore + ### Fixed ### Removed diff --git a/docker-host/defaults/main.yml b/docker-host/defaults/main.yml index 5b64f342..3f713930 100644 --- a/docker-host/defaults/main.yml +++ b/docker-host/defaults/main.yml @@ -9,6 +9,9 @@ docker_conf_use_iptables: False # Disable the possibility for containers processes to gain new privileges docker_conf_no_newprivileges: False +# Toggle live restore (need to be disabled in swarm mode) +docker_conf_live_restore: True + # Disable all default network connectivity docker_conf_disable_default_networking: False diff --git a/docker-host/templates/daemon.json.j2 b/docker-host/templates/daemon.json.j2 index c73268d9..08dcb1b2 100644 --- a/docker-host/templates/daemon.json.j2 +++ b/docker-host/templates/daemon.json.j2 @@ -5,7 +5,7 @@ "data-root": "{{ docker_home }}", {# Keep containers running while docker daemon downtime #} - "live-restore": true, + "live-restore": {{ docker_conf_live_restore | to_json }},, {# Turn on user namespace remaping #} "userns-remap": "default", -- 2.39.2 From 145edbd3f70bb02814982744f476362420720dba Mon Sep 17 00:00:00 2001 From: Alexis Ben Miloud--Josselin Date: Tue, 24 May 2022 18:04:55 +0200 Subject: [PATCH 066/497] Use is-enabled to check if alert5 is enabled --- minifirewall/files/check_minifirewall | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/minifirewall/files/check_minifirewall b/minifirewall/files/check_minifirewall index 6588c469..e14d73f2 100644 --- a/minifirewall/files/check_minifirewall +++ b/minifirewall/files/check_minifirewall @@ -10,7 +10,7 @@ is_alert5_enabled() { if test -f /etc/init.d/alert5; then test -f /etc/rc2.d/S*alert5 else - systemctl is-active alert5 | grep -q "^active$" + systemctl is-enabled alert5 | grep -q "^enabled$" fi } -- 2.39.2 
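Review bot: `"live-restore": {{ docker_conf_live_restore | to_json }},,` has a doubled comma, which makes the rendered daemon.json invalid; dockerd refuses to parse it and the `restart docker` handler will leave the daemon down. The line should be `"live-restore": {{ docker_conf_live_restore | bool | to_json }},` — `| bool` also covers the case where the variable is supplied as the string `"true"`. Since a broken daemon.json takes the whole container host offline, the template task (outside this hunk) is worth a `validate: 'python3 -m json.tool %s'` so a malformed render fails before the handler runs, assuming python3 is present on the hosts.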
From c1f0178daa54ccca4329ea43a333b4c788862d70 Mon Sep 17 00:00:00 2001 From: "William Hirigoyen (Evolix)" Date: Wed, 25 May 2022 09:31:34 +0200 Subject: [PATCH 067/497] =?UTF-8?q?Suppression=20lien=20symbolique=20boucl?= =?UTF-8?q?e=20r=C3=A9cursive=20(cr=C3=A9=C3=A9=20par=20Victor=20en=20mars?= =?UTF-8?q?=202018)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- evolix | 1 - 1 file changed, 1 deletion(-) delete mode 120000 evolix diff --git a/evolix b/evolix deleted file mode 120000 index 945c9b46..00000000 --- a/evolix +++ /dev/null @@ -1 +0,0 @@ -. \ No newline at end of file -- 2.39.2 From 852ed38b56dc384f0d5871c684f4ab232a54c51d Mon Sep 17 00:00:00 2001 From: "William Hirigoyen (Evolix)" Date: Wed, 25 May 2022 09:37:46 +0200 Subject: [PATCH 068/497] =?UTF-8?q?Revert=20"Suppression=20lien=20symboliq?= =?UTF-8?q?ue=20boucle=20r=C3=A9cursive=20(cr=C3=A9=C3=A9=20par=20Victor?= =?UTF-8?q?=20en=20mars=202018)"?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This reverts commit c1f0178daa54ccca4329ea43a333b4c788862d70. --- evolix | 1 + 1 file changed, 1 insertion(+) create mode 120000 evolix diff --git a/evolix b/evolix new file mode 120000 index 00000000..945c9b46 --- /dev/null +++ b/evolix @@ -0,0 +1 @@ +. \ No newline at end of file -- 2.39.2 From 2d98d50943a127e12c307cbe5bc6163a74c5c405 Mon Sep 17 00:00:00 2001 From: "William Hirigoyen (Evolix)" Date: Wed, 25 May 2022 17:48:46 +0200 Subject: [PATCH 069/497] Fix le chemin du paquet .deb d'Evoadmin-mail --- webapps/evoadmin-mail/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webapps/evoadmin-mail/tasks/main.yml b/webapps/evoadmin-mail/tasks/main.yml index e5af6a7f..7f94281b 100644 --- a/webapps/evoadmin-mail/tasks/main.yml +++ b/webapps/evoadmin-mail/tasks/main.yml 
@@ -1,7 +1,7 @@ --- - name: Install evoadmin-mail package apt: - name: evoadmin-mail + deb: /tmp/evoadmin-mail.deb state: present tags: - evoadmin-mail -- 2.39.2 From 269c7242a55c751e68ac6bf0b51144e613897d53 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Fri, 27 May 2022 23:05:07 +0200 Subject: [PATCH 070/497] correction du depot security pour Debian 11 --- apt/templates/bullseye_basics.list.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apt/templates/bullseye_basics.list.j2 b/apt/templates/bullseye_basics.list.j2 index 94b0995d..55f32b8d 100644 --- a/apt/templates/bullseye_basics.list.j2 +++ b/apt/templates/bullseye_basics.list.j2 @@ -2,4 +2,4 @@ deb http://mirror.evolix.org/debian bullseye {{ apt_basics_components | mandatory }} deb http://mirror.evolix.org/debian/ bullseye-updates {{ apt_basics_components | mandatory }} -deb https://deb.debian.org/debian-security bullseye-security {{ apt_basics_components | mandatory }} \ No newline at end of file +deb http://security.debian.org/debian-security bullseye-security {{ apt_basics_components | mandatory }} -- 2.39.2 From b3dbcb082fdc7e1b637ac5fd1fa5eb85d0d198fe Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 31 May 2022 14:06:15 +0200 Subject: [PATCH 071/497] certbot: add hapee (HAProxy Enterprise Edition) deploy hook --- CHANGELOG.md | 2 + certbot/files/hooks/deploy/hapee.sh | 93 +++++++++++++++++++++++++++++ 2 files changed, 95 insertions(+) create mode 100644 certbot/files/hooks/deploy/hapee.sh diff --git a/CHANGELOG.md b/CHANGELOG.md index d9cd0803..a080d0df 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added +certbot: add hapee (HAProxy Enterprise Edition) deploy hook + ### Changed * docker: Allow "live-restore" to be toggled with docker_conf_live_restore 
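Review bot: `deb: /tmp/evoadmin-mail.deb` installs a package from a world-writable directory with no checksum, so any local user who creates /tmp/evoadmin-mail.deb before the playbook runs gets their maintainer scripts executed as root (the sticky bit only stops replacing someone else's file, not pre-creating the name). How the file reaches /tmp is outside this hunk; stage it into a root-owned location instead, e.g. `copy: { src: evoadmin-mail.deb, dest: /root/evoadmin-mail.deb, owner: root, mode: "0600" }` followed by `deb: /root/evoadmin-mail.deb`, or `get_url` with `checksum:` if it is downloaded. A comment saying where the .deb is expected to come from would help the next maintainer.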
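Review bot: Switching bullseye-security from `https://deb.debian.org/debian-security` to `http://security.debian.org/debian-security` drops transport encryption for the security feed; apt's Release-file signature check still authenticates the packages, so this is not an integrity regression, but an on-path observer can now see which security updates each host fetches and delay them. If the change is needed for a caching proxy or mirror reachability, a short comment in the template saying so would stop the next reader from "fixing" it back; otherwise `https://security.debian.org/debian-security` keeps both the canonical host and TLS (security.debian.org serves HTTPS).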
diff --git a/certbot/files/hooks/deploy/hapee.sh b/certbot/files/hooks/deploy/hapee.sh new file mode 100644 index 00000000..a8acdea9 --- /dev/null +++ b/certbot/files/hooks/deploy/hapee.sh 
@@ -0,0 +1,93 @@ +#!/bin/sh + +error() { + >&2 echo "${PROGNAME}: $1" + exit 1 +} +debug() { + if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then + >&2 echo "${PROGNAME}: $1" + fi +} +daemon_found_and_running() { + test -n "$(pidof hapee-lb)" && test -n "${hapee_bin}" +} +found_renewed_lineage() { + test -f "${RENEWED_LINEAGE}/fullchain.pem" && test -f "${RENEWED_LINEAGE}/privkey.pem" +} +config_check() { + ${hapee_bin} -c -f "${hapee_config_file}" > /dev/null 2>&1 +} +concat_files() { + # shellcheck disable=SC2174 + mkdir --mode=700 --parents "${hapee_cert_dir}" + chown root: "${hapee_cert_dir}" + + debug "Concatenating certificate files to ${hapee_cert_file}" + cat "${RENEWED_LINEAGE}/fullchain.pem" "${RENEWED_LINEAGE}/privkey.pem" > "${hapee_cert_file}" + chmod 600 "${hapee_cert_file}" + chown root: "${hapee_cert_file}" +} +cert_and_key_mismatch() { + hapee_cert_md5=$(openssl x509 -noout -modulus -in "${hapee_cert_file}" | openssl md5) + hapee_key_md5=$(openssl rsa -noout -modulus -in "${hapee_cert_file}" | openssl md5) + + test "${hapee_cert_md5}" != "${hapee_key_md5}" +} +detect_hapee_cert_dir() { + # get last field or line wich defines the crt directory + config_cert_dir=$(grep -r -o -E -h '^\s*bind .* crt /etc/\S+' "${hapee_config_file}" | head -1 | awk '{ print $(NF)}') + if [ -n "${config_cert_dir}" ]; then + debug "Cert directory is configured with ${config_cert_dir}" + echo "${config_cert_dir}" + elif [ -d "/etc/haproxy/ssl" ]; then + debug "No configured cert directory found, but /etc/haproxy/ssl exists" + echo "/etc/haproxy/ssl" + elif [ -d "/etc/ssl/haproxy" ]; then + debug "No configured cert directory found, but /etc/ssl/haproxy exists" + echo "/etc/ssl/haproxy" + else + error "Cert directory not found." + fi +} +main() { + if [ -z "${RENEWED_LINEAGE}" ]; then + error "This script must be called only by certbot!" 
+ fi + + if daemon_found_and_running; then + readonly hapee_config_file="/etc/hapee-2.4/hapee-lb.cfg" + readonly hapee_cert_dir=$(detect_hapee_cert_dir) + + if found_renewed_lineage; then + hapee_cert_file="${hapee_cert_dir}/$(basename "${RENEWED_LINEAGE}").pem" + failed_cert_file="/root/$(basename "${RENEWED_LINEAGE}").failed.pem" + + concat_files + + if cert_and_key_mismatch; then + mv "${hapee_cert_file}" "${failed_cert_file}" + error "Key and cert don't match, we moved the file to ${failed_cert_file} for inspection" + fi + + if config_check; then + debug "HAPEE detected... reloading" + systemctl reload hapee-2.4-lb.service + else + error "HAPEE config is broken, you must fix it !" + fi + else + error "Couldn't find ${RENEWED_LINEAGE}/fullchain.pem or ${RENEWED_LINEAGE}/privkey.pem" + fi + else + debug "HAPEE is not running or missing. Skip." + fi +} + +readonly PROGNAME=$(basename "$0") +readonly VERBOSE=${VERBOSE:-"0"} +readonly QUIET=${QUIET:-"0"} + +readonly hapee_bin="/opt/hapee-2.4/sbin/hapee-lb" + +main -- 2.39.2 From e50fbdd2b842fb5edbd04dbf52f5bc6fe63cf530 Mon Sep 17 00:00:00 2001 From: "William Hirigoyen (Evolix)" Date: Tue, 31 May 2022 14:13:09 +0200 Subject: [PATCH 072/497] #66153 : fix missing locahost and localhost.localdomain in postfix main.cf mydestination --- postfix/templates/packmail_main.cf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/postfix/templates/packmail_main.cf.j2 b/postfix/templates/packmail_main.cf.j2 index 397abc0d..d9d90836 100644 --- a/postfix/templates/packmail_main.cf.j2 +++ b/postfix/templates/packmail_main.cf.j2 @@ -74,7 +74,7 @@ myhostname = {{ ansible_fqdn }} # Liste des noms de domaine (ou IP) consideres comme local #par defaut, = $myhostname, localhost.$mydomain, localhost -mydestination = $myhostname +mydestination = $myhostname localhost.localdomain localhost # Indique le domaine apparaissant dans le courrier envoye #par defaut, = $myhostname -- 2.39.2 
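Review bot: `readonly hapee_cert_dir=$(detect_hapee_cert_dir)` runs detect_hapee_cert_dir in a command-substitution subshell, so the `error "Cert directory not found."` → `exit 1` inside it only ends that subshell; main then continues with an empty `hapee_cert_dir`, concat_files writes the certificate and private key to `/<lineage>.pem` at the filesystem root, and HAPEE is reloaded with nothing updated. Split the assignment so the failure propagates: `hapee_cert_dir=$(detect_hapee_cert_dir) || exit 1` followed by `readonly hapee_cert_dir` (and a `test -d "${hapee_cert_dir}"` for good measure). In concat_files, `cat … > "${hapee_cert_file}"` creates the key-bearing file under the caller's umask and only afterwards `chmod 600`s it; a `umask 077` at the top of the function (or `install -m 600 /dev/null "${hapee_cert_file}"` before the cat) closes that window. cert_and_key_mismatch relies on `openssl rsa -noout -modulus`, which is RSA-only, so with the ECDSA keys certbot issues by default in recent releases the comparison either misfires and shunts a good renewal to `/root/<lineage>.failed.pem` or degenerates to comparing two error outputs; comparing `openssl x509 -noout -pubkey -in "$f" | openssl md5` with `openssl pkey -pubout -in "$f" | openssl md5` works for both key types.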
From 17a2032a10d5b2df3789869718ac31eae889e983 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 1 Jun 2022 10:46:11 +0200 Subject: [PATCH 073/497] evolinux-base: add update-evobackup-canary script --- CHANGELOG.md | 1 + .../files/update-evobackup-canary.sh | 129 ++++++++++++++++++ evolinux-base/tasks/utils.yml | 17 ++- 3 files changed, 146 insertions(+), 1 deletion(-) create mode 100644 evolinux-base/files/update-evobackup-canary.sh diff --git a/CHANGELOG.md b/CHANGELOG.md index a080d0df..62cf1215 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added certbot: add hapee (HAProxy Enterprise Edition) deploy hook +evolinux-base: add update-evobackup-canary script ### Changed diff --git a/evolinux-base/files/update-evobackup-canary.sh b/evolinux-base/files/update-evobackup-canary.sh new file mode 100644 index 00000000..20fc1a57 --- /dev/null +++ b/evolinux-base/files/update-evobackup-canary.sh 
@@ -0,0 +1,129 @@ +#!/bin/sh + +PROGNAME="update-evobackup-canary" +REPOSITORY="https://gitea.evolix.org/evolix/evobackup" + +VERSION="22.05" +readonly VERSION + +# base functions + +show_version() { + cat <, + Jérémy Lecour , + and others. + +${REPOSITORY} + +${PROGNAME} comes with ABSOLUTELY NO WARRANTY. This is free software, +and you are welcome to redistribute it under certain conditions. +See the GNU General Public License v3.0 for details. +END +} +show_help() { + cat <> "${canary_file}" +} + +# parse options +# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a +while :; do + case $1 in + -h|-\?|--help) + show_help + exit 0 + ;; + -V|--version) + show_version + exit 0 + ;; + + -w|--who) + # with value separated by space + if [ -n "$2" ]; then + who=$2 + shift + else + printf 'ERROR: "-w|--who" requires a non-empty option argument.\n' >&2 + exit 1 + fi + ;; + --who=?*) + # with value speparated by = + who=${1#*=} + ;; + --who=) + # without value + printf 'ERROR: "--who" requires a non-empty option argument.\n' >&2 + exit 1 + ;; + + -f|--file) + # with value separated by space + if [ -n "$2" ]; then + canary_file=$2 + shift + else + printf 'ERROR: "-f|--file" requires a non-empty option argument.\n' >&2 + exit 1 + fi + ;; + --file=?*) + # with value speparated by = + canary_file=${1#*=} + ;; + --file=) + # without value + printf 'ERROR: "--file" requires a non-empty option argument.\n' >&2 + exit 1 + ;; + + --) + # End of all options. + shift + break + ;; + -?*) + # ignore unknown options + printf 'WARN: Unknown option : %s\n' "$1" >&2 + exit 1 + ;; + *) + # Default case: If no more options then break out of the loop. + break + ;; + esac + + shift +done + +export LC_ALL=C + +set -u + +main diff --git a/evolinux-base/tasks/utils.yml b/evolinux-base/tasks/utils.yml index 084f8b35..0dabc3dc 100644 --- a/evolinux-base/tasks/utils.yml +++ b/evolinux-base/tasks/utils.yml 
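Review bot: The unknown-option branch of the parser is commented `# ignore unknown options` and prints `WARN:`, yet it then does `exit 1`, so comment, severity word and behaviour disagree; either drop the exit or change it to `printf 'ERROR: Unknown option : %s\n' "$1" >&2` under a `# reject unknown options` comment. The same branch with the same comment is copied into dir-check.sh in patch 075. `set -u` is only enabled after the parser, so an unset `who` or `canary_file` would surface in main() rather than at parse time; whether main() guards empty values cannot be judged here because its body is not legible in this rendering.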
@@ -26,4 +26,19 @@ mode: "0700" owner: root group: root - force: no \ No newline at end of file + force: no + +- name: update-evobackup-canary script is present + copy: + src: "update-evobackup-canary.sh" + dest: /usr/local/bin/update-evobackup-canary + force: True + owner: root + group: root + mode: "0750" + +# TODO: delete when this has been run once on all our servers +- name: update-evobackup-canary is removed from sbin + file: + path: /usr/local/sbin/update-evobackup-canary + state: absent \ No newline at end of file -- 2.39.2 From e9bc035fb9a1ba258813fbb9470d55c80c784a8c Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Wed, 1 Jun 2022 15:24:47 +0200 Subject: [PATCH 074/497] add set crypt_use_gpgme=no Mutt option --- mysql-oracle/files/mysqltuner.cron.sh | 2 +- mysql/files/mysqltuner.cron.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/mysql-oracle/files/mysqltuner.cron.sh b/mysql-oracle/files/mysqltuner.cron.sh index 5424aa90..ada4a0f8 100644 --- a/mysql-oracle/files/mysqltuner.cron.sh +++ b/mysql-oracle/files/mysqltuner.cron.sh @@ -44,7 +44,7 @@ Bien à vous, -- Rapport automatique Evolix EOT - mutt -x -e 'set send_charset="utf-8"' -H $template \ + mutt -x -e 'set send_charset="utf-8"' -e "set crypt_use_gpgme=no" -H $template \ -a /var/www/mysqlreport_${instance}.html < $body done chmod 644 /var/www/mysqlreport*html diff --git a/mysql/files/mysqltuner.cron.sh b/mysql/files/mysqltuner.cron.sh index 5424aa90..ada4a0f8 100644 --- a/mysql/files/mysqltuner.cron.sh +++ b/mysql/files/mysqltuner.cron.sh @@ -44,7 +44,7 @@ Bien à vous, -- Rapport automatique Evolix EOT - mutt -x -e 'set send_charset="utf-8"' -H $template \ + mutt -x -e 'set send_charset="utf-8"' -e "set crypt_use_gpgme=no" -H $template \ -a /var/www/mysqlreport_${instance}.html < $body done chmod 644 /var/www/mysqlreport*html -- 2.39.2 From 249e53fc211fae08ec05d44d9eae8212f4477818 Mon Sep 17 00:00:00 2001 
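Review bot: On the edited `mutt` line in mysql-oracle/files/mysqltuner.cron.sh, `$template` and `$body` remain unquoted, so a path containing whitespace or glob characters is word-split; since the line is being touched anyway, `-H "${template}"` and `< "${body}"` (and quoting the `-a` path) would close that. The identical hunk in mysql/files/mysqltuner.cron.sh has the same issue; the two files appear to be byte-for-byte copies and would be easier to keep in sync as one source.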
From: Jeremy Lecour Date: Wed, 1 Jun 2022 17:23:56 +0200 Subject: [PATCH 075/497] evolinux-base: add dir-check script --- CHANGELOG.md | 5 +- evolinux-base/files/dir-check.sh | 299 +++++++++++++++++++++++++++++++ evolinux-base/tasks/utils.yml | 13 +- 3 files changed, 313 insertions(+), 4 deletions(-) create mode 100644 evolinux-base/files/dir-check.sh diff --git a/CHANGELOG.md b/CHANGELOG.md index 62cf1215..f6dffaa9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,8 +12,9 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added -certbot: add hapee (HAProxy Enterprise Edition) deploy hook -evolinux-base: add update-evobackup-canary script +* certbot: add hapee (HAProxy Enterprise Edition) deploy hook +* evolinux-base: add dir-check script +* evolinux-base: add update-evobackup-canary script ### Changed diff --git a/evolinux-base/files/dir-check.sh b/evolinux-base/files/dir-check.sh new file mode 100644 index 00000000..b82ca939 --- /dev/null +++ b/evolinux-base/files/dir-check.sh 
@@ -0,0 +1,299 @@ +#!/bin/sh + +PROGNAME="dir-check" +REPOSITORY="https://gitea.evolix.org/evolix/ansible-roles" + +VERSION="22.06" +readonly VERSION + +show_version() { + cat <, + Jérémy Lecour + +${REPOSITORY} + +${PROGNAME} comes with ABSOLUTELY NO WARRANTY. This is free software, +and you are welcome to redistribute it under certain conditions. +See the GNU Affero General Public License v3.0 for details. +END +} +show_help() { + cat <> "${log_file}" + else + log_line "${level}" "${msg}" >&2 + fi + fi +} +log_info() { + level="INFO" + msg=$1 + if ! is_quiet; then + if is_log_file; then + log_line "${level}" "${msg}" >> "${log_file}" + else + log_line "${level}" "${msg}" >&2 + fi + fi +} +log_warning() { + level="WARNING" + msg=$1 + if ! is_quiet; then + if is_log_file; then + log_line "${level}" "${msg}" >> "${log_file}" + else + log_line "${level}" "${msg}" >&2 + fi + fi +} +log_error() { + level="ERROR" + msg=$1 + if ! is_quiet; then + if is_log_file; then + log_line "${level}" "${msg}" >> "${log_file}" + if tty -s; then + printf "%s\n" "${msg}" >&2 + fi + else + log_line "${level}" "${msg}" >&2 + fi + fi +} +log_fatal() { + level="FATAL" + msg=$1 + if is_log_file; then + log_line "${level}" "${msg}" >> "${log_file}" + if tty -s; then + printf "%s\n" "${msg}" >&2 + fi + else + log_line "${level}" "${msg}" >&2 + fi +} + +metadata_algorithm() { + echo "du --bytes" +} +list_files_with_size() { + path=$1 + find "${path}" -type f -exec $(metadata_algorithm) {} \; | sort -k2 +} +prepare_metadata() { + list_files_with_size "${final_dir}" > "${metadata_file}" + "${checksum_bin}" "${metadata_file}" > "${checksum_file}" +} +check_metadata() { + if [ -f "${checksum_file}" ]; then + # subshell to scope the commands to "parent_dir" + "${checksum_bin}" --status --check "${checksum_file}" + last_rc=$? + if [ ${last_rc} -ne 0 ]; then + log_error "Verification failed with checksum file ${checksum_file}." 
+ exit 1 + fi + else + log_warning "Couldn't find checksum file ${checksum_file}. Skip verification." + fi + if [ -f "${metadata_file}" ]; then + while read metadata_line; do + expected_size=$(echo "${metadata_line}" | cut -f1) + file=$(echo "${metadata_line}" | cut -f2) + + if [ -f "${file}" ]; then + actual_size=$($(metadata_algorithm) "${file}" | cut -f1) + + if [ "${actual_size}" != "${expected_size}" ]; then + log_error "File ${file} has actual size of ${actual_size} instead of ${expected_size}." + rc=1 + fi + else + log_error "Couldn't find file ${file}." + rc=1 + fi + done < "${metadata_file}" + if [ ${rc} -eq 0 ]; then + log_info "Directory is consistent with metadata stored in metadata file ${metadata_file}." + fi + else + log_fatal "Couldn't find metadata file ${metadata_file}." + exit 1 + fi +} + +main() { + if [ -z "${dir}" ]; then + log_fatal "dir option is empty" + exit 1 + elif [ -e "${dir}" ] && [ ! -d "${dir}" ]; then + log_fatal "directory '${dir}' exists but is not a directory" + exit 1 + fi + + checksum_cmd="sha256sum" + checksum_bin=$(command -v ${checksum_cmd}) + if [ -z "${checksum_bin}" ]; then + log_fatal "Couldn't find ${checksum_cmd}.\nUse 'apt install ${checksum_cmd}'." + exit 1 + fi + + parent_dir=$(dirname "${dir}") + final_dir=$(basename "${dir}") + + metadata_file="${final_dir}.metadata" + checksum_file="${metadata_file}.${checksum_cmd}" + + cwd=${PWD} + cd "${parent_dir}" || log_error "Impossible to change to ${parent_dir}" + + case ${action} in + check) + check_metadata + ;; + prepare) + prepare_metadata + ;; + *) + log_fatal "Unknown action ${action}." 
+ rc=1 + ;; + esac + + cd "${cwd}" || log_error "Impossible to change back to ${cwd}" +} + +# Declare variables + +verbose="" +quiet="" +action="" +dir="" +rc=0 + +# Parse options +# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a +while :; do + case $1 in + -h|-\?|--help) + show_help + exit 0 + ;; + -V|--version) + show_version + exit 0 + ;; + + --dir) + # with value separated by space + if [ -n "$2" ]; then + dir="$2" + shift + else + log_fatal 'ERROR: "--dir" requires a non-empty option argument.' + fi + ;; + --dir=?*) + # with value speparated by = + dir=${1#*=} + ;; + --dir=) + # without value + log_fatal '"--dir" requires a non-empty option argument.' + ;; + + --prepare) + action="prepare" + ;; + + --check) + action="check" + ;; + + -v|--verbose) + verbose=1 + ;; + + --quiet) + quiet=1 + verbose=0 + ;; + + --) + # End of all options. + shift + break + ;; + -?*|[[:alnum:]]*) + # ignore unknown options + if tty -s; then + printf 'Unknown option : %s\n' "$1" >&2 + echo "" >&2 + show_usage >&2 + exit 1 + else + log_fatal "Unknown option : $1" + fi + ;; + *) + # Default case: If no more options then break out of the loop. + break + ;; + esac + + shift +done + +# Default values + +verbose=${verbose:-0} +quiet=${quiet:-0} +action=${action:-} +log_file=${log_file:-} + +set -u + +main + +exit ${rc} \ No newline at end of file diff --git a/evolinux-base/tasks/utils.yml b/evolinux-base/tasks/utils.yml index 0dabc3dc..6c9e27b0 100644 --- a/evolinux-base/tasks/utils.yml +++ b/evolinux-base/tasks/utils.yml 
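Review bot: In main(), `cd "${parent_dir}" || log_error "Impossible to change to ${parent_dir}"` only logs and then runs the `check`/`prepare` action in whatever the current directory happens to be, so a mistyped `--dir` silently verifies or rewrites metadata files in the caller's cwd; it should be `cd "${parent_dir}" || { log_fatal "Impossible to change to ${parent_dir}"; exit 1; }`. The `--dir=)` and empty-`$2` branches of the option parser likewise call `log_fatal` without exiting, and log_fatal as defined in this file only writes the line. In check_metadata(), `while read metadata_line` should be `read -r`, and the `cut -f1`/`-f2` split relies on `du --bytes` emitting one tab, which breaks for file names containing tabs or newlines — worth a comment beside list_files_with_size(). The `.sha256sum` file is stored next to the data it protects with the same permissions, so this detects accidental corruption rather than deliberate modification by anyone able to write the directory; the help text should state that scope.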
@@ -35,10 +35,19 @@ force: True owner: root group: root - mode: "0750" + mode: "0755" # TODO: delete when this has been run once on all our servers - name: update-evobackup-canary is removed from sbin file: path: /usr/local/sbin/update-evobackup-canary - state: absent \ No newline at end of file + state: absent + +- name: dir-check script is present + copy: + src: "dir-check.sh" + dest: /usr/local/bin/dir-check + force: True + owner: root + group: root + mode: "0755" \ No newline at end of file -- 2.39.2 From b8b96bb5b7d2cc954fe33a53a0db9e114c5f44dd Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 1 Jun 2022 17:24:51 +0200 Subject: [PATCH 076/497] mysql: use dir-check inside evomariabackup --- CHANGELOG.md | 1 + mysql/files/evomariabackup.sh | 50 +++++++++++++++++++++++++++++++++-- 2 files changed, 49 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f6dffaa9..d9edccd9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * certbot: add hapee (HAProxy Enterprise Edition) deploy hook * evolinux-base: add dir-check script * evolinux-base: add update-evobackup-canary script +* mysql: use dir-check inside evomariabackup ### Changed diff --git a/mysql/files/evomariabackup.sh b/mysql/files/evomariabackup.sh index 0e3de84b..f90debf2 100644 --- a/mysql/files/evomariabackup.sh +++ b/mysql/files/evomariabackup.sh 
@@ -301,6 +301,38 @@ backup() { log_info "END mariabackup prepare phase" fi } +list_files_with_size() { + path=$1 + find "${path}" -type f -exec du --bytes {} \; | sort -k2 +} +dircheck_prepare() { + if [ -z "${backup_dir}" ]; then + log_fatal "backup-dir option is empty" + exit 1 + elif [ -e "${backup_dir}" ] && [ ! -d "${backup_dir}" ]; then + log_fatal "backup directory '${backup_dir}' exists but is not a directory" + exit 1 + fi + + dircheck_cmd="dir-check" + dircheck_bin=$(command -v ${dircheck_cmd}) + if [ -z "${dircheck_bin}" ]; then + log_fatal "Couldn't find ${dircheck_cmd}." + exit 1 + fi + + backup_parent_dir=$(dirname "${backup_dir}") + backup_final_dir=$(basename "${backup_dir}") + + log_info "BEGIN dir-check phase" + cwd=${PWD} + cd "${backup_parent_dir}" || log_fatal "Impossible to change to ${backup_parent_dir}" + + "${dircheck_bin}" --prepare --dir "${backup_final_dir}" + + cd ${cwd} || log_fatal "Impossible to change back to ${cwd}" + log_info "END dir-check phase" +} compress() { compress_dir=$(dirname "${compress_file}") @@ -362,11 +394,15 @@ main() { new_lock_file "${lock_file}" if [ "${do_backup}" = "1" ] && [ -n "${backup_dir}" ]; then - backup "${backup_dir}" + backup + fi + + if [ "${do_dircheck}" = "1" ] && [ -n "${backup_dir}" ]; then + dircheck_prepare fi if [ "${do_compress}" = "1" ] && [ -n "${compress_file}" ]; then - compress "${backup_dir}" "${compress_file}" + compress fi } @@ -380,6 +416,7 @@ max_age="" max_age="" do_backup="" backup_dir="" +do_dircheck="" do_compress="" compress_file="" @@ -440,6 +477,14 @@ while :; do log_fatal '"--backup-dir" requires a non-empty option argument.' ;; + --dir-check) + do_dircheck=1 + ;; + + --no-dir-check) + do_dircheck=0 + ;; + --compress) do_compress=1 ;; @@ -549,6 +594,7 @@ verbose=${verbose:-0} quiet=${quiet:-0} max_age="${max_age:-86400}" do_backup="${do_backup:-1}" +do_dircheck="${do_dircheck:-0}" do_compress="${do_compress:-0}" main \ No newline at end of file -- 2.39.2 
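Review bot: dircheck_prepare() ignores the exit status of `"${dircheck_bin}" --prepare --dir "${backup_final_dir}"`, so a failed prepare is reported only by dir-check itself and the compress phase then archives a backup with missing or stale metadata; `"${dircheck_bin}" --prepare --dir "${backup_final_dir}" || { log_fatal "dir-check prepare failed"; exit 1; }` would stop there. The two `cd ... || log_fatal` lines continue after a failed chdir unless log_fatal exits, which this hunk does not show (it does not in dir-check.sh from the same series), and `cd ${cwd}` lacks quotes. list_files_with_size() is added but not referenced anywhere in this hunk; if nothing else in the file calls it, it duplicates the function of the same name in dir-check.sh and can go.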
From f0e967518ba5446caa8b49a9b71b72ee307b0081 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 1 Jun 2022 17:38:45 +0200 Subject: [PATCH 077/497] small fixes to dir-check --- evolinux-base/files/dir-check.sh | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/evolinux-base/files/dir-check.sh b/evolinux-base/files/dir-check.sh index b82ca939..4a346c92 100644 --- a/evolinux-base/files/dir-check.sh +++ b/evolinux-base/files/dir-check.sh @@ -131,11 +131,11 @@ check_metadata() { "${checksum_bin}" --status --check "${checksum_file}" last_rc=$? if [ ${last_rc} -ne 0 ]; then - log_error "Verification failed with checksum file ${checksum_file}." + log_error "Verification failed with checksum file \`${checksum_file}' (inside \`${parent_dir}')." exit 1 fi else - log_warning "Couldn't find checksum file ${checksum_file}. Skip verification." + log_warning "Couldn't find checksum file \`${checksum_file}' (inside \`${parent_dir}'). Skip verification." fi if [ -f "${metadata_file}" ]; then while read metadata_line; do @@ -146,19 +146,19 @@ check_metadata() { actual_size=$($(metadata_algorithm) "${file}" | cut -f1) if [ "${actual_size}" != "${expected_size}" ]; then - log_error "File ${file} has actual size of ${actual_size} instead of ${expected_size}." + log_error "File ${file}' has actual size of ${actual_size} instead of ${expected_size}." rc=1 fi else - log_error "Couldn't find file ${file}." + log_error "Couldn't find file \`${file}'." rc=1 fi done < "${metadata_file}" if [ ${rc} -eq 0 ]; then - log_info "Directory is consistent with metadata stored in metadata file ${metadata_file}." + log_info "Directory \`${final_dir}' is consistent with metadata stored in \`${metadata_file}' (inside \`${parent_dir}')." fi else - log_fatal "Couldn't find metadata file ${metadata_file}." + log_fatal "Couldn't find metadata file \`${metadata_file}' (inside \`${parent_dir}')." exit 1 fi } 
@@ -168,14 +168,14 @@ main() { log_fatal "dir option is empty" exit 1 elif [ -e "${dir}" ] && [ ! -d "${dir}" ]; then - log_fatal "directory '${dir}' exists but is not a directory" + log_fatal "Directory \`${dir}' exists but is not a directory" exit 1 fi checksum_cmd="sha256sum" checksum_bin=$(command -v ${checksum_cmd}) if [ -z "${checksum_bin}" ]; then - log_fatal "Couldn't find ${checksum_cmd}.\nUse 'apt install ${checksum_cmd}'." + log_fatal "Couldn't find \`${checksum_cmd}'.\nUse 'apt install ${checksum_cmd}'." exit 1 fi @@ -186,7 +186,7 @@ main() { checksum_file="${metadata_file}.${checksum_cmd}" cwd=${PWD} - cd "${parent_dir}" || log_error "Impossible to change to ${parent_dir}" + cd "${parent_dir}" || log_error "Impossible to change to \`${parent_dir}'" case ${action} in check) @@ -196,12 +196,12 @@ main() { prepare_metadata ;; *) - log_fatal "Unknown action ${action}." + log_fatal "Unknown action \`${action}'." rc=1 ;; esac - cd "${cwd}" || log_error "Impossible to change back to ${cwd}" + cd "${cwd}" || log_error "Impossible to change back to \`${cwd}'" } # Declare variables -- 2.39.2 From df0c850ceb4f6ad2227afe0318ad11e1a0b90590 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 1 Jun 2022 17:49:28 +0200 Subject: [PATCH 078/497] dir-check: mandatory action parameter --- evolinux-base/files/dir-check.sh | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/evolinux-base/files/dir-check.sh b/evolinux-base/files/dir-check.sh index 4a346c92..869ad2ad 100644 --- a/evolinux-base/files/dir-check.sh +++ b/evolinux-base/files/dir-check.sh @@ -22,13 +22,16 @@ END } show_help() { cat <&2 + show_help >&2 + exit 1 + fi + case ${action} in check) check_metadata -- 2.39.2 From db28f0c47dc8664c25c12afb8b4e12e291bd0b88 Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour Date: Thu, 2 Jun 2022 18:23:40 +0200 Subject: [PATCH 079/497] dir-check: change naming and add log file --- evolinux-base/files/dir-check.sh | 70 ++++++++++++++++++++------------ 1 file changed, 45 insertions(+), 25 deletions(-) diff --git a/evolinux-base/files/dir-check.sh b/evolinux-base/files/dir-check.sh index 869ad2ad..9d586cef 100644 --- a/evolinux-base/files/dir-check.sh +++ b/evolinux-base/files/dir-check.sh @@ -3,7 +3,7 @@ PROGNAME="dir-check" REPOSITORY="https://gitea.evolix.org/evolix/ansible-roles" -VERSION="22.06" +VERSION="22.06.1" readonly VERSION show_version() { @@ -48,9 +48,6 @@ is_verbose() { is_quiet() { test "${quiet}" = "1" } -is_check() { - test "${check}" = "1" -} log_line() { level=$1 msg=$2 @@ -117,18 +114,19 @@ log_fatal() { fi } -metadata_algorithm() { +data_command() { echo "du --bytes" } list_files_with_size() { path=$1 - find "${path}" -type f -exec $(metadata_algorithm) {} \; | sort -k2 + # shellcheck disable=SC2014,SC2046 + find "${path}" -type f -exec $(data_command) {} \; | sort -k2 } -prepare_metadata() { - list_files_with_size "${final_dir}" > "${metadata_file}" - "${checksum_bin}" "${metadata_file}" > "${checksum_file}" +prepare_data() { + list_files_with_size "${final_dir}" > "${data_file}" + "${checksum_bin}" "${data_file}" > "${checksum_file}" } -check_metadata() { +check_data() { if [ -f "${checksum_file}" ]; then # subshell to scope the commands to "parent_dir" "${checksum_bin}" --status --check "${checksum_file}" 
@@ -140,28 +138,28 @@ check_metadata() { else log_warning "Couldn't find checksum file \`${checksum_file}' (inside \`${parent_dir}'). Skip verification." fi - if [ -f "${metadata_file}" ]; then - while read metadata_line; do - expected_size=$(echo "${metadata_line}" | cut -f1) - file=$(echo "${metadata_line}" | cut -f2) + if [ -f "${data_file}" ]; then + while read -r data_line; do + expected_size=$(echo "${data_line}" | cut -f1) + file=$(echo "${data_line}" | cut -f2) if [ -f "${file}" ]; then - actual_size=$($(metadata_algorithm) "${file}" | cut -f1) + actual_size=$($(data_command) "${file}" | cut -f1) if [ "${actual_size}" != "${expected_size}" ]; then - log_error "File ${file}' has actual size of ${actual_size} instead of ${expected_size}." + log_error "File \`${file}' has actual size of ${actual_size} instead of ${expected_size}." rc=1 fi else log_error "Couldn't find file \`${file}'." rc=1 fi - done < "${metadata_file}" + done < "${data_file}" if [ ${rc} -eq 0 ]; then - log_info "Directory \`${final_dir}' is consistent with metadata stored in \`${metadata_file}' (inside \`${parent_dir}')." + log_info "Directory \`${final_dir}' is consistent with data stored in \`${data_file}' (inside \`${parent_dir}')." fi else - log_fatal "Couldn't find metadata file \`${metadata_file}' (inside \`${parent_dir}')." + log_fatal "Couldn't find data file \`${data_file}' (inside \`${parent_dir}')." exit 1 fi } @@ -185,8 +183,8 @@ main() { parent_dir=$(dirname "${dir}") final_dir=$(basename "${dir}") - metadata_file="${final_dir}.metadata" - checksum_file="${metadata_file}.${checksum_cmd}" + data_file="${PROGNAME}.db" + checksum_file="${data_file}.${checksum_cmd}" cwd=${PWD} cd "${parent_dir}" || log_error "Impossible to change to \`${parent_dir}'" @@ -200,10 +198,10 @@ main() { case ${action} in check) - check_metadata + check_data ;; prepare) - prepare_metadata + prepare_data ;; *) log_fatal "Unknown action \`${action}'." 
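Review bot: With `data_file="${PROGNAME}.db"` in the `@@ -185` hunk the data and checksum files are no longer derived from `${final_dir}`, so two directories checked under the same parent share one `dir-check.db` and each `--prepare` overwrites the other's records; if one data file per parent directory is the intended layout the help text should say so, otherwise `data_file="${PROGNAME}.${final_dir}.db"` keeps them apart. The `read -r` added in check_data() is the right fix, but the `cut -f1`/`-f2` split still assumes no tab in file names. The enclosing main() for the naming hunk starts before it.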
@@ -211,7 +209,11 @@ main() { ;; esac - cd "${cwd}" || log_error "Impossible to change back to \`${cwd}'" + if [ -d "${cwd}" ]; then + cd "${cwd}" || log_error "Impossible to change back to \`${cwd}'" + else + log_error "Previous working directory \`${cwd}' is not a directory." + fi } # Declare variables @@ -235,7 +237,7 @@ while :; do exit 0 ;; - --dir) + -d|--dir) # with value separated by space if [ -n "$2" ]; then dir="$2" @@ -253,6 +255,24 @@ while :; do log_fatal '"--dir" requires a non-empty option argument.' ;; + -l|--log) + # with value separated by space + if [ -n "$2" ]; then + log_file="$2" + shift + else + log_fatal 'ERROR: "--log" requires a non-empty option argument.' + fi + ;; + --log=?*) + # with value speparated by = + log_file=${1#*=} + ;; + --log=) + # without value + log_fatal '"--log" requires a non-empty option argument.' + ;; + --prepare) action="prepare" ;; -- 2.39.2 From 9af289b2a9e1e447cd1bb94905f786fc75e6aaa1 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 2 Jun 2022 18:25:12 +0200 Subject: [PATCH 080/497] evomariabackup: reorder log lines --- mysql/files/evomariabackup.sh | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/mysql/files/evomariabackup.sh b/mysql/files/evomariabackup.sh index f90debf2..ec202d1f 100644 --- a/mysql/files/evomariabackup.sh +++ b/mysql/files/evomariabackup.sh @@ -248,10 +248,9 @@ backup() { backup_command="${mariabackup_bin} --backup --slave-info --target-dir=${backup_dir:?}" - if ! is_quiet; then - log_debug "${backup_command}" log_info "BEGIN mariabackup backup phase" + log_debug "${backup_command}" fi if is_quiet || ! is_verbose ; then @@ -277,8 +276,8 @@ backup() { prepare_command="${mariabackup_bin} --prepare --target-dir=${backup_dir:?}" if ! is_quiet; then - log_debug "${prepare_command}" log_info "BEGIN mariabackup prepare phase" + log_debug "${prepare_command}" fi if is_quiet || ! is_verbose ; then 
@@ -364,8 +363,8 @@ compress() { fi if ! is_quiet; then - log_debug "Compression of ${backup_dir} to ${compress_file} using \`${compress_program}'" log_info "BEGIN compression phase" + log_debug "Compression of ${backup_dir} to ${compress_file} using \`${compress_program}'" fi if is_quiet || ! is_verbose ; then tar --use-compress-program="${compress_program}" -cf "${compress_file}" "${backup_dir}" >/dev/null 2>&1 -- 2.39.2 From 586aa206a8d1534d7428b9bff3059a7b04d18063 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 2 Jun 2022 18:26:23 +0200 Subject: [PATCH 081/497] mysql: add post-backup-hook to evomariabackup --- CHANGELOG.md | 1 + mysql/files/evomariabackup.sh | 53 ++++++++++++++++++++++++++++++++++- 2 files changed, 53 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d9edccd9..f199e913 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * certbot: add hapee (HAProxy Enterprise Edition) deploy hook * evolinux-base: add dir-check script * evolinux-base: add update-evobackup-canary script +* mysql: add post-backup-hook to evomariabackup * mysql: use dir-check inside evomariabackup ### Changed diff --git a/mysql/files/evomariabackup.sh b/mysql/files/evomariabackup.sh index ec202d1f..eae23436 100644 --- a/mysql/files/evomariabackup.sh +++ b/mysql/files/evomariabackup.sh 
@@ -386,6 +386,35 @@ compress() { log_info "END compression phase" fi } +post_backup_hook() { + if [ -x "${post_backup_hook}" ]; then + + if ! is_quiet; then + log_debug "Execution of \`${post_backup_hook}'" + log_info "BEGIN hook phase" + fi + + ( + export BACKUP_DIR="${backup_dir}" + if is_log_file; then + export LOG_FILE="${log_file}" + fi + "${post_backup_hook}" + ) + hook_rc=$? + + if [ ${hook_rc} -ne 0 ]; then + log_fatal "An error occured while executing post backup hook \`${post_backup_hook}'" + exit 1 + elif ! is_quiet; then + log_info "END hook phase" + fi + else + log_fatal "Post backup hook \`${post_backup_hook}' is missing or not executable" + exit 1 + fi +} + main() { kill_or_clean_lockfile "${lock_file}" # shellcheck disable=SC2064 @@ -403,6 +432,10 @@ main() { if [ "${do_compress}" = "1" ] && [ -n "${compress_file}" ]; then compress fi + + if [ -n "${post_backup_hook}" ]; then + post_backup_hook + fi } # Declare variables @@ -412,12 +445,12 @@ log_file="" verbose="" quiet="" max_age="" -max_age="" do_backup="" backup_dir="" do_dircheck="" do_compress="" compress_file="" +post_backup_hook="" # Parse options # based on https://gist.github.com/deshion/10d3cb5f88a21671e17a @@ -552,6 +585,24 @@ while :; do log_fatal '"--log-file" requires a non-empty option argument.' ;; + --post-backup-hook) + # with value separated by space + if [ -n "$2" ]; then + post_backup_hook="$2" + shift + else + log_fatal '"--post-backup-hook" requires a non-empty option argument.' + fi + ;; + --post-backup-hook=?*) + # with value speparated by = + post_backup_hook=${1#*=} + ;; + --post-backup-hook=) + # without value + log_fatal '"--post-backup-hook" requires a non-empty option argument.' + ;; + -v|--verbose) verbose=1 ;; -- 2.39.2 From c4f279cf8e495dfc5e6cd21d417b40d30564c7cc Mon Sep 17 00:00:00 2001 
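Review bot: post_backup_hook() and the `post_backup_hook` variable share one name; POSIX sh keeps function and variable namespaces apart so the call in main() does reach the function, but a reader has to know that, and `run_post_backup_hook()` removes the ambiguity. The `[ -x ]` test accepts any executable path given on the command line and runs it with the script's own privileges (presumably root under cron) with `BACKUP_DIR` exported, so the help text should state that the hook must be root-owned and not writable by other users. The fatal message spells "occurred" as `occured`. The `--post-backup-hook` parser branches call `log_fatal` without exiting, as elsewhere in this series; whether log_fatal exits in this file is not visible from the hunk.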
From: Jeremy Lecour Date: Thu, 2 Jun 2022 18:27:59 +0200 Subject: [PATCH 082/497] evomariabackup: release 22.06 --- mysql/files/evomariabackup.sh | 31 ++++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/mysql/files/evomariabackup.sh b/mysql/files/evomariabackup.sh index eae23436..dd46a9ec 100644 --- a/mysql/files/evomariabackup.sh +++ b/mysql/files/evomariabackup.sh @@ -1,12 +1,12 @@ #!/bin/sh -VERSION="21.11" +VERSION="22.06" show_version() { cat <, +Copyright 2004-2022 Evolix , Éric Morino , Jérémy Lecour and others. @@ -20,19 +20,20 @@ show_help() { cat < Date: Fri, 3 Jun 2022 09:15:04 +0200 Subject: [PATCH 083/497] evocheck: upstream release 22.06 --- CHANGELOG.md | 1 + evocheck/files/evocheck.sh | 27 ++++++++++++++++++++++----- 2 files changed, 23 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f199e913..4bea0b2b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -21,6 +21,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed * docker: Allow "live-restore" to be toggled with docker_conf_live_restore +* evocheck: upstream release 22.06 ### Fixed diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index cf901bb0..6bba06c1 100644 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Debian/OpenBSD server # powered by Evolix -VERSION="22.05" +VERSION="22.06" readonly VERSION # base functions @@ -19,7 +19,8 @@ Copyright 2009-2022 Evolix , Gregory Colpart , Jérémy Lecour , Tristan Pilat , - Victor Laborie + Victor Laborie , + Alexis Ben Miloud--Josselin , and others. evocheck comes with ABSOLUTELY NO WARRANTY. This is free software, 
@@ -235,7 +236,7 @@ check_debiansecurity() { if is_debian_bullseye; then # https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.html#security-archive # https://www.debian.org/security/ - pattern="^deb https://(deb|security)\.debian\.org/debian-security/? bullseye-security main" + pattern="^deb http://security\.debian\.org/debian-security/? bullseye-security main" elif is_debian_buster; then pattern="^deb http://security\.debian\.org/debian-security/? buster/updates main" elif is_debian_stretch; then @@ -337,6 +338,8 @@ check_alert5boot() { else if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then grep -q "^date" /etc/rc2.d/S*alert5 || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script" + elif [ -n "$(find /etc/init.d/ -name 'alert5')" ]; then + grep -q "^date" /etc/init.d/alert5 || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 int script" else failed "IS_ALERT5BOOT" "alert5 init script is missing" fi @@ -350,6 +353,9 @@ check_alert5minifw() { if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then grep -q "^/etc/init.d/minifirewall" /etc/rc2.d/S*alert5 \ || failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 init script" + elif [ -n "$(find /etc/init.d/ -name 'alert5')" ]; then + grep -q "^/etc/init.d/minifirewall" /etc/init.d/alert5 \ + || failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 init script" else failed "IS_ALERT5MINIFW" "alert5 init script is missing" fi 
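Review bot: The bullseye pattern in check_debiansecurity() is narrowed from `https://(deb|security)\.debian\.org` to `http://security\.debian\.org`, so hosts pointing at `https://deb.debian.org/debian-security` or `https://security.debian.org/debian-security`, which the previous pattern accepted, now fail IS_DEBIANSECURITY; if both schemes and hosts are meant to pass, `pattern="^deb https?://(deb|security)\.debian\.org/debian-security/? bullseye-security main"` does that. As this is an upstream release import the narrowing may be deliberate, but the two comment lines above still cite the release notes and security page, so the reason for the stricter form belongs in a comment there. In the check_alert5boot hunk the new message reads `alert5 int script` where the sibling line says `init script`.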
@@ -571,7 +577,7 @@ check_network_interfaces() { # Verify if all if are in auto check_autoif() { if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap|vrrp|lxcbr)" | cut -d " " -f 2 | tr -d : | cut -d@ -f1 | tr "\n" " ") + interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap|vrrp|lxcbr|wg)" | cut -d " " -f 2 | tr -d : | cut -d@ -f1 | tr "\n" " ") else interfaces=$(/sbin/ifconfig -s | tail -n +2 | grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap|vrrp)" | cut -d " " -f 1 |tr "\n" " ") fi @@ -589,6 +595,16 @@ check_interfacesgw() { number=$(grep -Ec "^[^#]*gateway [0-9a-fA-F]+:" /etc/network/interfaces) test "$number" -gt 1 && failed "IS_INTERFACESGW" "there is more than 1 IPv6 gateway" } +# Verification de l’état du service networking +check_networking_service() { + if is_debian_stretch || is_debian_buster || is_debian_bullseye; then + if systemctl is-enabled networking.service > /dev/null; then + if ! systemctl is-active networking.service > /dev/null; then + failed "IS_NETWORKING_SERVICE" "networking.service is not active" + fi + fi + fi +} # Verification de la mise en place d'evobackup check_evobackup() { evobackup_found=$(find /etc/cron* -name '*evobackup*' | wc -l) @@ -955,7 +971,7 @@ check_mongo_backup() { # You could change the default path in /etc/evocheck.cf MONGO_BACKUP_PATH=${MONGO_BACKUP_PATH:-"/home/backup/mongodump"} if [ -d "$MONGO_BACKUP_PATH" ]; then - for file in "${MONGO_BACKUP_PATH}"/*/*.{json,bson}; do + for file in "${MONGO_BACKUP_PATH}"/*/*.{json,bson}.*; do # Skip indexes file. if ! [[ "$file" =~ indexes ]]; then limit=$(date +"%s" -d "now - 2 day") 
@@ -1577,6 +1593,7 @@ main() { test "${IS_NETWORK_INTERFACES:=1}" = 1 && check_network_interfaces test "${IS_AUTOIF:=1}" = 1 && check_autoif test "${IS_INTERFACESGW:=1}" = 1 && check_interfacesgw + test "${IS_NETWORKING_SERVICE:=1}" = 1 && check_networking_service test "${IS_EVOBACKUP:=1}" = 1 && check_evobackup test "${IS_EVOBACKUP_EXCLUDE_MOUNT:=1}" = 1 && check_evobackup_exclude_mount test "${IS_USERLOGROTATE:=1}" = 1 && check_userlogrotate -- 2.39.2 From 9378f5634c26d71d069e92e852c78ceb4fad6109 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 3 Jun 2022 09:26:07 +0200 Subject: [PATCH 084/497] add missing entry in CHANGELOG --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4bea0b2b..12fae39c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -22,6 +22,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * docker: Allow "live-restore" to be toggled with docker_conf_live_restore * evocheck: upstream release 22.06 +* mysql: add "set crypt_use_gpgme=no" Mutt option, for mysqltuner ### Fixed -- 2.39.2 From e8e99bb9b6e765d2a519d5de52f1a153f609f692 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 3 Jun 2022 09:27:01 +0200 Subject: [PATCH 085/497] Release 22.06 --- CHANGELOG.md | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 12fae39c..c58739a5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,18 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added +### Changed + +### Fixed + +### Removed + +### Security + +## [22.06] 2022-06-03 + +### Added + * certbot: add hapee (HAProxy Enterprise Edition) deploy hook * evolinux-base: add dir-check script * evolinux-base: add update-evobackup-canary script 
@@ -24,12 +36,6 @@ The **patch** part changes is incremented if multiple releases happen the same m * evocheck: upstream release 22.06 * mysql: add "set crypt_use_gpgme=no" Mutt option, for mysqltuner -### Fixed - -### Removed - -### Security - ## [22.05.1] 2022-05-12 ### Added -- 2.39.2 From 96493675b6eabc1f3b60cf53abeb6056cf2d5733 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 3 Jun 2022 10:17:20 +0200 Subject: [PATCH 086/497] fix changelog --- CHANGELOG.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e50f96b8..227adc5e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,8 +14,6 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed -* minifirewall: tail template follows symlinks - ### Fixed ### Removed @@ -36,6 +34,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * docker: Allow "live-restore" to be toggled with docker_conf_live_restore * evocheck: upstream release 22.06 +* minifirewall: tail template follows symlinks * mysql: add "set crypt_use_gpgme=no" Mutt option, for mysqltuner ## [22.05.1] 2022-05-12 -- 2.39.2 From e718156f86e6c0bf992613018e85c5d032c1d68f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 3 Jun 2022 10:19:35 +0200 Subject: [PATCH 087/497] fix CHANGELOG --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c58739a5..227adc5e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -34,6 +34,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * docker: Allow "live-restore" to be toggled with docker_conf_live_restore * evocheck: upstream release 22.06 +* minifirewall: tail template follows symlinks * mysql: add "set crypt_use_gpgme=no" Mutt option, for mysqltuner ## [22.05.1] 2022-05-12 -- 2.39.2 From b9f0e0d06187ddae97ba5aa840eaa0fe30bf7cf9 Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour Date: Fri, 3 Jun 2022 11:09:38 +0200 Subject: [PATCH 088/497] Log BEGIN/END of main action --- mysql/files/evomariabackup.sh | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/mysql/files/evomariabackup.sh b/mysql/files/evomariabackup.sh index dd46a9ec..85b32168 100644 --- a/mysql/files/evomariabackup.sh +++ b/mysql/files/evomariabackup.sh @@ -417,6 +417,10 @@ post_backup_hook() { } main() { + if ! is_quiet; then + log_info "BEGIN evomariabackup" + fi + kill_or_clean_lockfile "${lock_file}" # shellcheck disable=SC2064 trap "rm -f ${lock_file};" 0 @@ -437,6 +441,10 @@ main() { if [ -n "${post_backup_hook}" ]; then post_backup_hook fi + + if ! is_quiet; then + log_info "END evomariabackup" + fi } # Declare variables -- 2.39.2 From 8753f598235eaf45c86853315aead23981aa8c63 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 3 Jun 2022 11:12:47 +0200 Subject: [PATCH 089/497] mysql: fix comment for evomariabackup --- mysql/files/evomariabackup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mysql/files/evomariabackup.sh b/mysql/files/evomariabackup.sh index 85b32168..6e3bbe72 100644 --- a/mysql/files/evomariabackup.sh +++ b/mysql/files/evomariabackup.sh @@ -38,7 +38,7 @@ Options Example usage for a backup then compress : # /usr/local/bin/evomariabackup --verbose \ --backup-dir /backup/mariabackup/current \ - --compress-file /backup/mariabackup/compressed/$(date +%H).tgz \ + --compress-file /backup/mariabackup/compressed/$(date +\%H).tgz \ --log-file /var/log/evomariabackup.log max-age possible values: -- 2.39.2 From 3e4c851c3e5c51c78060ae3718c3d3174aa2c69f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 3 Jun 2022 11:13:36 +0200 Subject: [PATCH 090/497] mysql: match default value to documentation, in evomariabackup --- mysql/files/evomariabackup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mysql/files/evomariabackup.sh b/mysql/files/evomariabackup.sh index 6e3bbe72..37343f0f 100644 
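Review bot: `log_info "END evomariabackup"` is only reached when every phase returns normally; the phases visible in later patches of this series abort with `log_fatal` followed by `exit 1`, so on failure the log shows a BEGIN with no END and nothing that marks the abort. Since `main` already installs `trap "rm -f ${lock_file};" 0`, logging the end from that trap (including `$?`), or an explicit `log_error "ABORT evomariabackup"` before each `exit 1`, would make the log self-consistent. The body of `main` continues outside the hunk.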
--- a/mysql/files/evomariabackup.sh +++ b/mysql/files/evomariabackup.sh @@ -651,7 +651,7 @@ done lock_file="${lock_file:-/run/lock/evomariabackup.lock}" verbose=${verbose:-0} quiet=${quiet:-0} -max_age="${max_age:-86400}" +max_age="${max_age:-1d}" do_backup="${do_backup:-1}" do_dircheck="${do_dircheck:-0}" do_compress="${do_compress:-0}" -- 2.39.2 From 6c7108a35aa6e2616bb209c950ca35675eb9cda4 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 3 Jun 2022 11:14:09 +0200 Subject: [PATCH 091/497] mysql: add --force-unlock option to evomariabackup --- mysql/files/evomariabackup.sh | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/mysql/files/evomariabackup.sh b/mysql/files/evomariabackup.sh index 37343f0f..f91c24b0 100644 --- a/mysql/files/evomariabackup.sh +++ b/mysql/files/evomariabackup.sh @@ -32,6 +32,7 @@ Options --quiet Ouput only the most critical information --lock-file Specify which lock file to use (default: /run/lock/mariabackup.lock) --max-age Lock file is ignored if older than this (default: 1d) + --force-unlock If a lock is present, do as if it has expired -h|--help|-? Display help -V|--version Display version, authors and license @@ -152,6 +153,9 @@ lock_file_age() { echo "${created_at}" } +is_force_unlock() { + test "${force_unlock}" = "1" +} is_lock_file_too_old() { test "$(lock_file_age)" -ge "${max_age}" } 
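Review bot: The new default `max_age="${max_age:-1d}"` is consumed by `is_lock_file_too_old`, visible in the next patch on this line, as `test "$(lock_file_age)" -ge "${max_age}"`, and `test -ge` accepts integers only, so unless `--max-age` values are normalised to seconds somewhere not shown here the comparison fails with "integer expression expected" and the lock is never considered expired. If that normalisation happens at option-parsing time it would not cover this default either, because the default is assigned after the parsing loop. Either keep `86400` here or convert the value in one place, e.g. inside `is_lock_file_too_old`, so both the default and user-supplied values go through the same path.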
@@ -168,13 +172,20 @@ kill_or_clean_lockfile() { log_debug "Found process with pid ${pid}" lock_file_created_at_human=$(date --date "@$(lock_file_created_at)" +"%Y-%m-%d %H:%M:%S") - if is_lock_file_too_old ; then + if is_lock_file_too_old || is_force_unlock ; then # Kill the children pkill -9 --parent "${pid}" # Kill the parent kill -9 "${pid}" # Only one process can run in parallel - log_warning "Process \`${pid}' (started at ${lock_file_created_at_human}) has been killed by \`$$'" + if is_lock_file_too_old; then + unlock_reason="lock is older than ${max_age}" + elif is_force_unlock; then + unlock_reason="--force-unlock was used" + else + unlock_reason="unknown reason" + fi + log_warning "Process \`${pid}' (started at ${lock_file_created_at_human}) has been killed by \`$$' (${unlock_reason})." else log_info "Process \`${pid}' (started at ${lock_file_created_at_human}) has precedence. Let's leave it work." # make sure that this exit doesn't remove the existing lockfile !! @@ -454,6 +465,7 @@ log_file="" verbose="" quiet="" max_age="" +force_unlock="" do_backup="" backup_dir="" do_dircheck="" @@ -576,6 +588,10 @@ while :; do log_fatal '"--lock-file" requires a non-empty option argument.' ;; + --force-unlock) + force_unlock=1 + ;; + --log-file) # with value separated by space if [ -n "$2" ]; then @@ -652,6 +668,7 @@ lock_file="${lock_file:-/run/lock/evomariabackup.lock}" verbose=${verbose:-0} quiet=${quiet:-0} max_age="${max_age:-1d}" +force_unlock=${force_unlock:-0} do_backup="${do_backup:-1}" do_dircheck="${do_dircheck:-0}" do_compress="${do_compress:-0}" -- 2.39.2 From 36b11c4455634a607e9d18b31fbf17ab479b3669 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 3 Jun 2022 11:26:13 +0200 Subject: [PATCH 092/497] evolinux-base: improve dir-check logging --- evolinux-base/files/dir-check.sh | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) 
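Review bot: `kill -9 "${pid}"` and `pkill -9 --parent "${pid}"` now also run on `--force-unlock`, and `${pid}` comes from the lock file; if the original process died and the pid was reused by an unrelated process, this branch kills that process. Whether the "Found process with pid" check above the hunk verifies that the pid still belongs to this script is not visible; if it does not, confirm it before killing, e.g. `ps -o args= -p "${pid}" | grep -q "evomariabackup" || { log_fatal "pid ${pid} is not evomariabackup, refusing to kill"; exit 1; }`. The `else unlock_reason="unknown reason"` branch is unreachable, since the enclosing `if is_lock_file_too_old || is_force_unlock` guarantees one of the two tests is true; an `if`/`else` without the third arm reads more honestly. `kill_or_clean_lockfile` continues outside the hunk.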
diff --git a/evolinux-base/files/dir-check.sh b/evolinux-base/files/dir-check.sh index 9d586cef..f5c8944b 100644 --- a/evolinux-base/files/dir-check.sh +++ b/evolinux-base/files/dir-check.sh @@ -131,7 +131,9 @@ check_data() { # subshell to scope the commands to "parent_dir" "${checksum_bin}" --status --check "${checksum_file}" last_rc=$? - if [ ${last_rc} -ne 0 ]; then + if [ ${last_rc} -eq 0 ]; then + log_debug "Verification succeeded with checksum file \`${checksum_file}' (inside \`${parent_dir}')." + else log_error "Verification failed with checksum file \`${checksum_file}' (inside \`${parent_dir}')." exit 1 fi @@ -146,8 +148,10 @@ check_data() { if [ -f "${file}" ]; then actual_size=$($(data_command) "${file}" | cut -f1) - if [ "${actual_size}" != "${expected_size}" ]; then - log_error "File \`${file}' has actual size of ${actual_size} instead of ${expected_size}." + if [ "${actual_size}" = "${expected_size}" ]; then + log_debug "File \`${file}' has a consistent size of ${actual_size}." + else + log_error "File \`${file}' has an actual size of ${actual_size} instead of ${expected_size}." rc=1 fi else @@ -157,6 +161,8 @@ check_data() { done < "${data_file}" if [ ${rc} -eq 0 ]; then log_info "Directory \`${final_dir}' is consistent with data stored in \`${data_file}' (inside \`${parent_dir}')." + else + log_error "Directory \`${final_dir}' is not consistent with data stored in \`${data_file}' (inside \`${parent_dir}')." fi else log_fatal "Couldn't find data file \`${data_file}' (inside \`${parent_dir}')." -- 2.39.2 From c4023a4f496e714879137b8020caec515eba7773 Mon Sep 17 00:00:00 2001 
From: "William Hirigoyen (Evolix)" Date: Fri, 3 Jun 2022 14:32:32 +0200 Subject: [PATCH 093/497] =?UTF-8?q?D=C3=A9tecte=20automatiquement=20si=20l?= =?UTF-8?q?e=20serveur=20est=20baremetal=20pour=20installer=20les=20outils?= =?UTF-8?q?=20hw,=20suppression=20de=20la=20variable=20evolinux=5Fpackages?= =?UTF-8?q?=5Fhardware=20inutile?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- evolinux-base/defaults/main.yml | 3 +-- evolinux-base/tasks/packages.yml | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index 9debc8ab..6f28fd5e 100644 --- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml @@ -77,7 +77,6 @@ evolinux_packages_include: True evolinux_packages_system: True evolinux_packages_diagnostic: True -evolinux_packages_hardware: True evolinux_packages_hardware_raid: True evolinux_packages_common: True evolinux_packages_stretch: True @@ -223,4 +222,4 @@ evolinux_generateldif_include: True evolinux_cron_checkhpraid_frequency: daily # Motd -evolinux_motd_include: True \ No newline at end of file +evolinux_motd_include: True diff --git a/evolinux-base/tasks/packages.yml b/evolinux-base/tasks/packages.yml index f4eafc6c..b4a1d666 100644 --- a/evolinux-base/tasks/packages.yml +++ b/evolinux-base/tasks/packages.yml @@ -44,7 +44,7 @@ - hdparm - smartmontools - lm-sensors - when: evolinux_packages_hardware | bool + when: ansible_virtualization_role == "host" - name: Install/Update common tools apt: -- 2.39.2 From 6d0e49ba9015821948c87a6e50797f2cf5e38ccc Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 5 Jun 2022 21:48:01 +0200 Subject: [PATCH 094/497] mysql: reorganize evomariabackup to use mtree instead of our own dir-check --- CHANGELOG.md | 2 + mysql/files/evomariabackup.sh | 155 +++++++++++++++++++++------------- 2 files changed, 99 insertions(+), 58 deletions(-) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index 227adc5e..b7393a42 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* mysql: reorganize evomariabackup to use mtree instead of our own dir-check + ### Fixed ### Removed diff --git a/mysql/files/evomariabackup.sh b/mysql/files/evomariabackup.sh index f91c24b0..6aac0f05 100644 --- a/mysql/files/evomariabackup.sh +++ b/mysql/files/evomariabackup.sh @@ -20,12 +20,18 @@ show_help() { cat < "${lock_file}" - log_debug "Lock file '${lock_file}' has been created" + log_debug "Lock file \`${lock_file}' has been created" else - log_fatal "Failed to acquire lock file '${lock_file}'. Abort." + log_fatal "Failed to acquire lock file \`${lock_file}'. Abort." exit 1 fi } 
@@ -222,30 +229,30 @@ check_backup_dir() { if [ -d "${backup_dir:?}" ]; then if [ "$(ls -A "${backup_dir:?}")" ]; then if is_mariabackup_directory "${backup_dir:?}"; then - log_debug "The backup directory ${backup_dir:?} is not empty but looks like a mariabackup target. Let's clear it." + log_debug "The backup directory \`${backup_dir:?}' is not empty but looks like a mariabackup target. Let's clear it." rm -rf "${backup_dir:?}" else - log_fatal "The backup directory ${backup_dir:?} is not empty and doesn't look like a mariabackup target. Please verify and clear the directory if you are sure." + log_fatal "The backup directory \`${backup_dir:?}' is not empty and doesn't look like a mariabackup target. Please verify and clear the directory if you are sure." exit 1 fi else - log_debug "The backup directory ${backup_dir:?} exists but is empty. Let's proceed." + log_debug "The backup directory \`${backup_dir:?}' exists but is empty. Let's proceed." fi else - log_debug "The backup directory ${backup_dir:?} doesn't exist. Let's proceed." + log_debug "The backup directory \`${backup_dir:?}' doesn't exist. Let's proceed." fi mkdir -p "${backup_dir:?}" } check_compress_dir() { if [ -d "${compress_dir:?}" ]; then - log_debug "The compress_dir directory ${compress_dir:?} exists. Let's proceed." + log_debug "The compress_dir directory \`${compress_dir:?}' exists. Let's proceed." else - log_debug "The compress_dir directory ${compress_dir:?} doesn't exist. Let's proceed." + log_debug "The compress_dir directory \`${compress_dir:?}' doesn't exist. Let's proceed." fi mkdir -p "${compress_dir:?}" } -backup() { +backup_phase() { if [ -z "${backup_dir}" ]; then log_fatal "backup-dir option is empty" else 
@@ -254,7 +261,7 @@ backup() { mariabackup_bin=$(command -v mariabackup) if [ -z "${mariabackup_bin}" ]; then - log_fatal "Couldn't find mariabackup.\nUse 'apt install mariadb-backup'." + log_fatal "Couldn't find mariabackup.\nYou can install it with 'apt install mariadb-backup'." exit 1 fi 
@@ -312,46 +319,44 @@ backup() { log_info "END mariabackup prepare phase" fi } -list_files_with_size() { - path=$1 - find "${path}" -type f -exec du --bytes {} \; | sort -k2 -} -dircheck_prepare() { +mtree_phase() { if [ -z "${backup_dir}" ]; then log_fatal "backup-dir option is empty" exit 1 elif [ -e "${backup_dir}" ] && [ ! -d "${backup_dir}" ]; then - log_fatal "backup directory '${backup_dir}' exists but is not a directory" + log_fatal "backup directory \`${backup_dir}' exists but is not a directory" exit 1 fi - dircheck_cmd="dir-check" - dircheck_bin=$(command -v ${dircheck_cmd}) - if [ -z "${dircheck_bin}" ]; then - log_fatal "Couldn't find ${dircheck_cmd}." + if [ -z "${mtree_file}" ]; then + mtree_file="${backup_dir}.mtree" + fi + + mtree_cmd="mtree" + mtree_bin=$(command -v ${mtree_cmd}) + if [ -z "${mtree_bin}" ]; then + log_fatal "Couldn't find ${mtree_cmd}.\nYou can install it with 'apt install mtree-netbsd'." exit 1 fi backup_parent_dir=$(dirname "${backup_dir}") backup_final_dir=$(basename "${backup_dir}") - log_info "BEGIN dir-check phase" - cwd=${PWD} - cd "${backup_parent_dir}" || log_fatal "Impossible to change to ${backup_parent_dir}" + log_info "BEGIN mtree phase" + log_debug "Store mtree specification of \`${backup_dir}' to \`${mtree_file}' using \`${mtree_bin}'" - "${dircheck_bin}" --prepare --dir "${backup_final_dir}" + "${mtree_bin}" -x -c -p "${backup_dir}" > "${mtree_file}" - cd ${cwd} || log_fatal "Impossible to change back to ${cwd}" - log_info "END dir-check phase" + log_info "END mtree phase" } -compress() { +compress_phase() { compress_dir=$(dirname "${compress_file}") if [ -z "${backup_dir}" ]; then log_fatal "backup-dir option is empty" exit 1 elif [ -e "${backup_dir}" ] && [ ! -d "${backup_dir}" ]; then - log_fatal "backup directory '${backup_dir}' exists but is not a directory" + log_fatal "backup directory \`${backup_dir}' exists but is not a directory" exit 1 fi if [ -z "${compress_file}" ]; then 
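Review bot: `"${mtree_bin}" -x -c -p "${backup_dir}" > "${mtree_file}"` neither selects keywords nor examines its exit status, so the phase logs `END mtree phase` even when mtree fails, and the redirect still leaves an empty or partial spec file behind. As far as I recall, NetBSD mtree's default keyword set is metadata only (type, mode, uid/gid, size, time, links), so the spec that replaces the checksum-based `dir-check` verification will not detect content corruption unless a digest keyword is requested, e.g. `-K sha256digest`. Capturing the status the way `compress_phase` does with `tar_rc` closes the first gap: `mtree_rc=$?` followed by `if [ ${mtree_rc} -ne 0 ]; then log_fatal "An error occured while writing mtree specification to \`${mtree_file}'"; exit 1; fi`.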
@@ -370,13 +375,13 @@ compress() { elif [ -n "${gzip_bin}" ]; then compress_program="${gzip_bin} -6" else - log_fatal "Couldn't find pigz nor gzip.\nUse 'apt install pigz' or 'apt install gzip'." + log_fatal "Couldn't find pigz nor gzip.\nYou can install it with 'apt install pigz' or 'apt install gzip'." exit 1 fi if ! is_quiet; then log_info "BEGIN compression phase" - log_debug "Compression of ${backup_dir} to ${compress_file} using \`${compress_program}'" + log_debug "Compression of \`${backup_dir}' to \`${compress_file}' using \`${compress_program}'" fi if is_quiet || ! is_verbose ; then tar --use-compress-program="${compress_program}" -cf "${compress_file}" "${backup_dir}" >/dev/null 2>&1 @@ -392,13 +397,13 @@ compress() { fi if [ ${tar_rc} -ne 0 ]; then - log_fatal "An error occured while compressing ${backup_dir} to ${compress_file}" + log_fatal "An error occured while compressing \`${backup_dir}' to \`${compress_file}'" exit 1 elif ! is_quiet; then log_info "END compression phase" fi } -post_backup_hook() { +post_backup_hook_phase() { if [ -x "${post_backup_hook}" ]; then if ! is_quiet; then @@ -438,19 +443,19 @@ main() { new_lock_file "${lock_file}" if [ "${do_backup}" = "1" ] && [ -n "${backup_dir}" ]; then - backup + backup_phase fi - if [ "${do_dircheck}" = "1" ] && [ -n "${backup_dir}" ]; then - dircheck_prepare + if [ "${do_mtree}" = "1" ] && [ -n "${backup_dir}" ]; then + mtree_phase fi if [ "${do_compress}" = "1" ] && [ -n "${compress_file}" ]; then - compress + compress_phase fi if [ -n "${post_backup_hook}" ]; then - post_backup_hook + post_backup_hook_phase fi if ! is_quiet; then @@ -468,7 +473,8 @@ max_age="" force_unlock="" do_backup="" backup_dir="" -do_dircheck="" +do_mtree="" +mtree_file="" do_compress="" compress_file="" post_backup_hook="" 
@@ -530,14 +536,6 @@ while :; do log_fatal '"--backup-dir" requires a non-empty option argument.' ;; - --dir-check) - do_dircheck=1 - ;; - - --no-dir-check) - do_dircheck=0 - ;; - --compress) do_compress=1 ;; @@ -570,6 +568,38 @@ while :; do log_fatal '"--compress-file" requires a non-empty option argument.' ;; + --mtree) + do_mtree=1 + ;; + + --no-mtree) + do_mtree=0 + ;; + + --mtree-file) + # with value separated by space + if [ -n "$2" ]; then + mtree_file="$2" + if [ -z "${do_mtree}" ]; then + do_mtree=1 + fi + shift + else + log_fatal '"--mtree-file" requires a non-empty option argument.' + fi + ;; + --mtree-file=?*) + # with value speparated by = + mtree_file=${1#*=} + if [ -z "${do_mtree}" ]; then + do_mtree=1 + fi + ;; + --mtree-file=) + # without value + log_fatal '"--mtree-file" requires a non-empty option argument.' + ;; + --lock-file) # with value separated by space if [ -n "$2" ]; then @@ -647,7 +677,7 @@ while :; do if tty -s; then printf 'Unknown option : %s\n' "$1" >&2 echo "" >&2 - show_usage >&2 + show_help >&2 exit 1 else log_fatal 'Unknown option : %s\n' "$1" >&2 @@ -669,8 +699,17 @@ verbose=${verbose:-0} quiet=${quiet:-0} max_age="${max_age:-1d}" force_unlock=${force_unlock:-0} -do_backup="${do_backup:-1}" -do_dircheck="${do_dircheck:-0}" -do_compress="${do_compress:-0}" +# Enable backup phase if not disabled and backup_dir is set +if [ -z "${do_backup}" ] && [ -n "${backup_dir}" ]; then + do_backup="1" +fi +# Enable mtree phase if not disabled and mtree_file is set +if [ -z "${do_mtree}" ] && [ -n "${mtree_file}" ]; then + do_mtree="1" +fi +# Enable compress phase if not disabled and compress_file is set +if [ -z "${do_compress}" ] && [ -n "${compress_file}" ]; then + do_compress="1" +fi main \ No newline at end of file -- 2.39.2 From 56c2c19d613da54a07a03882701b3ee470b7c29b Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour Date: Sun, 5 Jun 2022 21:49:23 +0200 Subject: [PATCH 095/497] evomariabackup: release 22.06.1 --- CHANGELOG.md | 1 + mysql/files/evomariabackup.sh | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b7393a42..f2388301 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* mysql: evomariabackup release 22.06.1 * mysql: reorganize evomariabackup to use mtree instead of our own dir-check ### Fixed diff --git a/mysql/files/evomariabackup.sh b/mysql/files/evomariabackup.sh index 6aac0f05..df8a3884 100644 --- a/mysql/files/evomariabackup.sh +++ b/mysql/files/evomariabackup.sh @@ -1,6 +1,6 @@ #!/bin/sh -VERSION="22.06" +VERSION="22.06.1" show_version() { cat < Date: Mon, 6 Jun 2022 14:42:22 +0200 Subject: [PATCH 096/497] minifirewall: upstream release 22.06 --- CHANGELOG.md | 1 + minifirewall/files/minifirewall | 18 +++++++++++++++++- 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f2388301..069514cd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* minifirewall: upstream release 22.06 * mysql: evomariabackup release 22.06.1 * mysql: reorganize evomariabackup to use mtree instead of our own dir-check diff --git a/minifirewall/files/minifirewall b/minifirewall/files/minifirewall index 7dae5787..4beeaf7d 100755 --- a/minifirewall/files/minifirewall +++ b/minifirewall/files/minifirewall @@ -29,7 +29,7 @@ # Description: Firewall designed for standalone server ### END INIT INFO -VERSION="22.05" +VERSION="22.06" NAME="minifirewall" # shellcheck disable=SC2034 
@@ -121,6 +121,7 @@ if [ -t 1 ]; then # see if it supports colors... ncolors=$(tput colors) + # shellcheck disable=SC2086 if [ -n "${ncolors}" ] && [ ${ncolors} -ge 8 ]; then RED=$(tput setaf 1) GREEN=$(tput setaf 2) @@ -363,6 +364,7 @@ start() { if [ "${SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS}" = "1" ] || [ "${SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS}" = "0" ]; then echo "${SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS}" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts + # Apparently not applicable to IPv6 else printf "${RED}ERROR: invalid %s value '%s', must be '0' or '1'.\n" "SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS" "${SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS}" >&2 exit 1 @@ -370,6 +372,7 @@ start() { if [ "${SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES}" = "1" ] || [ "${SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES}" = "0" ]; then echo "${SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES}" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses + # Apparently not applicable to IPv6 else printf "${RED}ERROR: invalid %s value '%s', must be '0' or '1'.\n" "SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES" "${SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES}" >&2 exit 1 @@ -379,6 +382,11 @@ start() { for proc_sys_file in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo "${SYSCTL_ACCEPT_SOURCE_ROUTE}" > "${proc_sys_file}" done + if is_ipv6_enabled; then + for proc_sys_file in /proc/sys/net/ipv6/conf/*/accept_source_route; do + echo "${SYSCTL_ACCEPT_SOURCE_ROUTE}" > "${proc_sys_file}" + done + fi else printf "${RED}ERROR: invalid %s value '%s', must be '0' or '1'.\n" "SYSCTL_ACCEPT_SOURCE_ROUTE" "${SYSCTL_ACCEPT_SOURCE_ROUTE}" >&2 exit 1 @@ -386,6 +394,7 @@ start() { if [ "${SYSCTL_TCP_SYNCOOKIES}" = "1" ] || [ "${SYSCTL_TCP_SYNCOOKIES}" = "0" ]; then echo "${SYSCTL_TCP_SYNCOOKIES}" > /proc/sys/net/ipv4/tcp_syncookies + # Apparently not applicable to IPv6 else printf "${RED}ERROR: invalid %s value '%s', must be '0' or '1'.\n" "SYSCTL_TCP_SYNCOOKIES" "${SYSCTL_TCP_SYNCOOKIES}" >&2 exit 1 
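Review bot: The added `# shellcheck disable=SC2086` silences a warning that quoting fixes directly: `if [ -n "${ncolors}" ] && [ "${ncolors}" -ge 8 ]; then`. The `-n` guard already short-circuits the empty case, so the quoted form behaves the same and the directive can go.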
@@ -398,6 +407,11 @@ start() { for proc_sys_file in /proc/sys/net/ipv4/conf/*/send_redirects; do echo "${SYSCTL_ICMP_REDIRECTS}" > "${proc_sys_file}" done + if is_ipv6_enabled; then + for proc_sys_file in /proc/sys/net/ipv6/conf/*/accept_redirects; do + echo "${SYSCTL_ICMP_REDIRECTS}" > "${proc_sys_file}" + done + fi else printf "${RED}ERROR: invalid %s value '%s', must be '0' or '1'.\n" "SYSCTL_ICMP_REDIRECTS" "${SYSCTL_ICMP_REDIRECTS}" >&2 exit 1 @@ -407,6 +421,7 @@ start() { for proc_sys_file in /proc/sys/net/ipv4/conf/*/rp_filter; do echo "${SYSCTL_RP_FILTER}" > "${proc_sys_file}" done + # Apparently not applicable to IPv6 else printf "${RED}ERROR: invalid %s value '%s', must be '0' or '1'.\n" "SYSCTL_RP_FILTER" "${SYSCTL_RP_FILTER}" >&2 exit 1 @@ -416,6 +431,7 @@ start() { for proc_sys_file in /proc/sys/net/ipv4/conf/*/log_martians; do echo "${SYSCTL_LOG_MARTIANS}" > "${proc_sys_file}" done + # Apparently not applicable to IPv6 else printf "${RED}ERROR: invalid %s value '%s', must be '0' or '1'.\n" "SYSCTL_LOG_MARTIANS" "${SYSCTL_LOG_MARTIANS}" >&2 exit 1 -- 2.39.2 From 16cdd6b3260a49a7b8423f586c754653d5df14ea Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 6 Jun 2022 14:43:18 +0200 Subject: [PATCH 097/497] evolinux-base: dir-check makes a file named after the reference directory --- evolinux-base/files/dir-check.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evolinux-base/files/dir-check.sh b/evolinux-base/files/dir-check.sh index f5c8944b..d127632d 100644 --- a/evolinux-base/files/dir-check.sh +++ b/evolinux-base/files/dir-check.sh @@ -189,7 +189,7 @@ main() { parent_dir=$(dirname "${dir}") final_dir=$(basename "${dir}") - data_file="${PROGNAME}.db" + data_file="${final_dir}.${PROGNAME}.db" checksum_file="${data_file}.${checksum_cmd}" cwd=${PWD} -- 2.39.2 From 3d70438f7e22e01e478ba9b9fa7ef59145905005 Mon Sep 17 00:00:00 2001 
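Review bot: The IPv6 mirror in this hunk writes `SYSCTL_ICMP_REDIRECTS` to `accept_redirects`, while the IPv4 loop it follows writes `send_redirects`; as far as I know IPv6 has no per-interface `send_redirects` sysctl, so the asymmetry is presumably intended, but nothing says so. A comment in the style of the others added by this commit, e.g. `# IPv6 has no send_redirects knob; only accept_redirects is mirrored`, would record that. Whether an IPv4 `accept_redirects` loop precedes this hunk is not visible here.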
From: Jeremy Lecour Date: Mon, 6 Jun 2022 15:05:59 +0200 Subject: [PATCH 098/497] evocheck: upstream release 22.06.1 --- CHANGELOG.md | 1 + evocheck/files/evocheck.sh | 37 ++++++++++++++++++++++--------------- 2 files changed, 23 insertions(+), 15 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 069514cd..86fccbe2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* evocheck: upstream release 22.06.1 * minifirewall: upstream release 22.06 * mysql: evomariabackup release 22.06.1 * mysql: reorganize evomariabackup to use mtree instead of our own dir-check diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index 6bba06c1..5b1afb09 100644 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Debian/OpenBSD server # powered by Evolix -VERSION="22.06" +VERSION="22.06.1" readonly VERSION # base functions @@ -236,11 +236,11 @@ check_debiansecurity() { if is_debian_bullseye; then # https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.html#security-archive # https://www.debian.org/security/ - pattern="^deb http://security\.debian\.org/debian-security/? bullseye-security main" + pattern="^deb ?(\[.*\])? ?http://security\.debian\.org/debian-security/? bullseye-security main" elif is_debian_buster; then - pattern="^deb http://security\.debian\.org/debian-security/? buster/updates main" + pattern="^deb ?(\[.*\])? ?http://security\.debian\.org/debian-security/? buster/updates main" elif is_debian_stretch; then - pattern="^deb http://security\.debian\.org/debian-security/? stretch/updates main" + pattern="^deb ?(\[.*\])? ?http://security\.debian\.org/debian-security/? stretch/updates main" else pattern="^deb.*security" fi 
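Review bot: All three rewritten patterns in `check_debiansecurity` still hard-code `http://`, so a sources entry pointing at `https://security.debian.org/debian-security` falls through to the `failed` path and is reported as a missing security archive, which pushes the operator toward an http entry. `https?://` in the three patterns accepts both; this was true of the old patterns as well, the commit only adds the optional `[...]` options field. The `\[.*\]` is greedy, which is harmless on a single sources line.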
@@ -363,7 +363,7 @@ check_alert5minifw() { } check_minifw() { /sbin/iptables -L -n | grep -q -E "^ACCEPT\s*all\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" \ - || failed "IS_MINIFW" "minifirewall seems not starded" + || failed "IS_MINIFW" "minifirewall seems not started" } check_minifw_includes() { if is_debian_bullseye; then @@ -742,12 +742,13 @@ check_backupuptodate() { backup_dir="/home/backup" if [ -d "${backup_dir}" ]; then if [ -n "$(ls -A ${backup_dir})" ]; then - # shellcheck disable=SC2231 - for file in ${backup_dir}/*; do + # Look for all files, including subdirectories. + # If this turns out to be problematic, we can go back to first level only, with --max-depth=1 + find "${backup_dir}" -type f | while read -r file; do limit=$(date +"%s" -d "now - 2 day") updated_at=$(stat -c "%Y" "$file") - if [ -f "$file" ] && [ "$limit" -gt "$updated_at" ]; then + if [ "$limit" -gt "$updated_at" ]; then failed "IS_BACKUPUPTODATE" "$file has not been backed up" test "${VERBOSE}" = 1 || break; fi 
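Review bot: `find "${backup_dir}" -type f | while read -r file; do … done` runs the loop body in the pipeline's subshell, so if `failed` records its result in a shell variable (a global return code or an accumulated message list, not visible here) that update is lost and only its direct output survives. Feeding the loop from process substitution keeps it in the current shell: `done < <(find "${backup_dir}" -type f)`, which is fine since the file already relies on bash (`[[ … =~ … ]]` elsewhere). `break` keeps its previous meaning either way.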
@@ -1217,14 +1218,20 @@ check_usrsharescripts() { test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS" "/usr/share/scripts must be $expected" } check_sshpermitrootno() { - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - if grep -q "^PermitRoot" /etc/ssh/sshd_config; then - grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config \ - || failed "IS_SSHPERMITROOTNO" "PermitRoot should be set at no" - fi + sshd_args="-C addr=,user=,host=,laddr=,lport=0" + if is_debian_jessie || is_debian_stretch; then + # Noop, we'll use the default $sshd_args + : + elif is_debian_buster; then + sshd_args="${sshd_args},rdomain=" else - grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config \ - || failed "IS_SSHPERMITROOTNO" "PermitRoot should be set at no" + # NOTE: From Debian Bullseye 11 onward, with OpenSSH 8.1, the argument + # -T doesn't require the additional -C. + sshd_args= + fi + # XXX: We want parameter expension here + if ! (sshd -T $sshd_args | grep -q 'permitrootlogin no'); then + failed "IS_SSHPERMITROOTNO" "PermitRoot should be set to no" fi } check_evomaintenanceusers() { -- 2.39.2 From 1895c549d4eac89c82a300761f73cfc5fb35efab Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 6 Jun 2022 15:07:10 +0200 Subject: [PATCH 099/497] Release 22.06.1 --- CHANGELOG.md | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 86fccbe2..7033e693 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
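Review bot: `sshd -T $sshd_args | grep -q 'permitrootlogin no'` discards sshd's own exit status, so a configuration that `sshd -T` refuses to parse is reported as "PermitRoot should be set to no", which sends the operator to the wrong fix. Running `sshd -T` once into a variable and calling `failed` with a distinct message when it returns non-zero separates the two cases. `-T` without a `-C` spec evaluates the configuration outside any `Match` block, so a `Match` that re-enables root login for some source would not be seen; if that is accepted, a comment saying so would help. The comment `# XXX: We want parameter expension here` should read "expansion".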
@@ -14,17 +14,21 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed -* evocheck: upstream release 22.06.1 -* minifirewall: upstream release 22.06 -* mysql: evomariabackup release 22.06.1 -* mysql: reorganize evomariabackup to use mtree instead of our own dir-check - ### Fixed ### Removed ### Security +## [22.06.1] 2022-06-06 + +### Changed + +* evocheck: upstream release 22.06.1 +* minifirewall: upstream release 22.06 +* mysql: evomariabackup release 22.06.1 +* mysql: reorganize evomariabackup to use mtree instead of our own dir-check + ## [22.06] 2022-06-03 ### Added -- 2.39.2 From b677defd972f1c5d131ac33e250b83d95c5578c7 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 8 Jun 2022 15:36:47 +0200 Subject: [PATCH 100/497] redis: binding is possible on multiple interfaces --- CHANGELOG.md | 2 ++ redis/README.md | 2 +- redis/defaults/main.yml | 3 ++- redis/tasks/main.yml | 8 ++++++++ redis/tasks/nrpe.yml | 2 +- redis/templates/redis.conf.j2 | 2 +- 6 files changed, 15 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7033e693..8ad2a22c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* redis: binding is possible on multiple interfaces (breaking change) + ### Fixed ### Removed diff --git a/redis/README.md b/redis/README.md index 850af13a..57aa4f41 100644 --- a/redis/README.md +++ b/redis/README.md @@ -14,7 +14,7 @@ Main variables are : * `redis_conf_dir`: config directory ; * `redis_port`: listening TCP port ; -* `redis_bind_interface`: listening IP address ; +* `redis_bind_interfaces`: listening IP addresses (array) ; * `redis_password`: password for redis. Empty means no password ; * `redis_socket_dir`: Unix socket directory ; * `redis_log_level`: log verbosity ; diff --git a/redis/defaults/main.yml b/redis/defaults/main.yml index 93bbc741..1a86c95c 100644 
--- a/redis/defaults/main.yml +++ b/redis/defaults/main.yml @@ -6,7 +6,8 @@ redis_conf_dir_prefix: /etc/redis redis_force_instance_port: False redis_port: 6379 -redis_bind_interface: 127.0.0.1 +redis_bind_interfaces: + - 127.0.0.1 redis_socket_enabled: True redis_socket_dir_prefix: '/run/redis' diff --git a/redis/tasks/main.yml b/redis/tasks/main.yml index 10598aa6..871ab3eb 100644 --- a/redis/tasks/main.yml +++ b/redis/tasks/main.yml @@ -63,6 +63,14 @@ redis_data_dir: "{{ redis_data_dir_prefix }}-{{ redis_instance_name }}" when: redis_instance_name is defined +- name: Fail if redis_bind_interface is set + fail: + msg: "Please change 'redis_bind_interface' (String) to 'redis_bind_interfaces' (List)" + when: + - redis_bind_interface is defined + - redis_bind_interface is not none + - redis_bind_interface | length > 0 + - name: configure Redis for default mode include: default-server.yml when: redis_instance_name is not defined diff --git a/redis/tasks/nrpe.yml b/redis/tasks/nrpe.yml index 9e042479..b42e2da2 100644 --- a/redis/tasks/nrpe.yml +++ b/redis/tasks/nrpe.yml @@ -60,7 +60,7 @@ replace: dest: /etc/nagios/nrpe.d/evolix.cfg regexp: '^command\[check_redis\]=.+' - replace: 'command[check_redis]=sudo {{ redis_check_redis_path }} -H {{ redis_bind_interface }} -p {{ redis_port }}' + replace: 'command[check_redis]=sudo {{ redis_check_redis_path }} -H {{ redis_bind_interfaces | first }} -p {{ redis_port }}' when: redis_instance_name is undefined notify: restart nagios-nrpe-server tags: diff --git a/redis/templates/redis.conf.j2 b/redis/templates/redis.conf.j2 index b10a11b9..720f724f 100644 --- a/redis/templates/redis.conf.j2 +++ b/redis/templates/redis.conf.j2 @@ -1,7 +1,7 @@ daemonize yes pidfile {{ redis_pid_dir }}/redis-server.pid port {{ redis_port }} -bind {{ redis_bind_interface }} +bind {{ redis_bind_interfaces | join(' ') }} {% if redis_socket_enabled %} unixsocket {{ redis_socket_dir }}/redis.sock -- 2.39.2 
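Review bot: In `redis/templates/redis.conf.j2`, `bind {{ redis_bind_interfaces | join(' ') }}` renders a bare `bind` directive when the list is empty, and nothing in the role rejects that case — the new `fail` task in `redis/tasks/main.yml` only catches the legacy scalar `redis_bind_interface`. I expect redis-server to refuse a `bind` with no argument at startup (to be confirmed), but whether it fails or falls back to listening everywhere, an explicit check is cheaper to diagnose: add `- redis_bind_interfaces | length > 0` to an `assert` next to the legacy-variable check and state in `defaults/main.yml` that at least one address is required. The NRPE command in `nrpe.yml` now probes `redis_bind_interfaces | first`; if the first entry is `0.0.0.0` or an IPv6 wildcard the check no longer targets a concrete address, so the README line could say that the first entry should be a reachable unicast address.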
From cbe79858145422f8fd44a2ef288da98cebfcf038 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 8 Jun 2022 15:38:21 +0200 Subject: [PATCH 101/497] Enforce String notation for mode --- CHANGELOG.md | 2 ++ elasticsearch/tasks/configuration.yml | 4 ++-- elasticsearch/tasks/tmpdir.yml | 2 +- evobackup-client/tasks/upload_scripts.yml | 2 +- keepalived/tasks/main.yml | 2 +- packweb-apache/tasks/multiphp.yml | 4 ++-- redis/tasks/instance-munin.yml | 2 +- 7 files changed, 10 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8ad2a22c..e54372b7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Fixed +* Enforce String notation for mode + ### Removed ### Security diff --git a/elasticsearch/tasks/configuration.yml b/elasticsearch/tasks/configuration.yml index 83dd130a..99c311c2 100644 --- a/elasticsearch/tasks/configuration.yml +++ b/elasticsearch/tasks/configuration.yml @@ -102,7 +102,7 @@ create: yes owner: root group: elasticsearch - mode: 0640 + mode: "0640" tags: - config @@ -114,7 +114,7 @@ create: yes owner: root group: elasticsearch - mode: 0640 + mode: "0640" tags: - config diff --git a/elasticsearch/tasks/tmpdir.yml b/elasticsearch/tasks/tmpdir.yml index c9ad3c19..30375af1 100644 --- a/elasticsearch/tasks/tmpdir.yml +++ b/elasticsearch/tasks/tmpdir.yml @@ -32,7 +32,7 @@ create: yes owner: root group: elasticsearch - mode: 0640 + mode: "0640" notify: - restart elasticsearch tags: diff --git a/evobackup-client/tasks/upload_scripts.yml b/evobackup-client/tasks/upload_scripts.yml index 79e5d7db..1ef4a74f 100644 --- a/evobackup-client/tasks/upload_scripts.yml +++ b/evobackup-client/tasks/upload_scripts.yml @@ -5,7 +5,7 @@ src: "{{ item }}" dest: "{{ evobackup_client__cron_path }}" force: true - mode: 0755 + mode: "0755" loop: "{{ query('first_found', templates) }}" vars: templates: 
diff --git a/keepalived/tasks/main.yml b/keepalived/tasks/main.yml index e468da58..b98ff1ae 100644 --- a/keepalived/tasks/main.yml +++ b/keepalived/tasks/main.yml @@ -46,7 +46,7 @@ template: src: keepalived.conf.j2 dest: /etc/keepalived/keepalived.conf - mode: 0644 + mode: "0644" notify: restart keepalived tags: - keepalived diff --git a/packweb-apache/tasks/multiphp.yml b/packweb-apache/tasks/multiphp.yml index 01f0b130..8a7c9613 100644 --- a/packweb-apache/tasks/multiphp.yml +++ b/packweb-apache/tasks/multiphp.yml @@ -13,13 +13,13 @@ copy: src: phpContainer dest: /usr/local/bin/phpContainer - mode: 0755 + mode: "0755" # - name: Copy php shim to call phpContainer when the user is a web user # copy: # src: multiphp-shim # dest: /usr/local/bin/php -# mode: 0755 +# mode: "0755" # - name: Modify bashrc skel file # lineinfile: diff --git a/redis/tasks/instance-munin.yml b/redis/tasks/instance-munin.yml index bc8d8e9a..2b664092 100644 --- a/redis/tasks/instance-munin.yml +++ b/redis/tasks/instance-munin.yml @@ -57,6 +57,6 @@ template: src: templates/munin-plugin-instances.conf.j2 dest: '/etc/munin/plugin-conf.d/evolinux.redis_{{ redis_instance_name }}' - mode: 0740 + mode: "0740" notify: restart munin-node tags: redis -- 2.39.2 From e6ea44ff29087898aa3854946a8b6e3ef73d9d8a Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 8 Jun 2022 15:38:48 +0200 Subject: [PATCH 102/497] Explicit loop variable names --- kvm-host/tasks/munin.yml | 8 +++++--- redis/tasks/default-munin.yml | 4 +++- redis/tasks/instance-munin.yml | 4 +++- redis/tasks/instance-server.yml | 18 +++++++++++++----- 4 files changed, 24 insertions(+), 10 deletions(-) diff --git a/kvm-host/tasks/munin.yml b/kvm-host/tasks/munin.yml index d0bf1b0a..d16bcfd9 100644 --- a/kvm-host/tasks/munin.yml +++ b/kvm-host/tasks/munin.yml 
@@ -27,16 +27,18 @@ - kvm_mem notify: restart munin-node -- name: Enable redis munin plugin +- name: Enable Munin plugins file: - src: "/usr/local/share/munin/plugins/{{item}}" - dest: "/etc/munin/plugins/{{item}}" + src: "/usr/local/share/munin/plugins/{{ plugin_name }}" + dest: "/etc/munin/plugins/{{ plugin_name }}" state: link force: yes loop: - kvm_cpu - kvm_io - kvm_mem + loop_control: + loop_var: plugin_name notify: restart munin-node - name: Copy Munin plugins conf diff --git a/redis/tasks/default-munin.yml b/redis/tasks/default-munin.yml index 7856741e..1c9ab759 100644 --- a/redis/tasks/default-munin.yml +++ b/redis/tasks/default-munin.yml @@ -39,7 +39,7 @@ - name: Enable redis munin plugin file: src: /usr/local/share/munin/plugins/redis_ - dest: "/etc/munin/plugins/redis_{{item}}" + dest: "/etc/munin/plugins/redis_{{ plugin_name }}" state: link loop: - connected_clients @@ -48,6 +48,8 @@ - per_sec - used_keys - used_memory + loop_control: + loop_var: plugin_name notify: restart munin-node when: not ansible_check_mode tags: diff --git a/redis/tasks/instance-munin.yml b/redis/tasks/instance-munin.yml index 2b664092..72865e98 100644 --- a/redis/tasks/instance-munin.yml +++ b/redis/tasks/instance-munin.yml @@ -39,7 +39,7 @@ - name: Enable redis munin plugin file: src: /usr/local/share/munin/plugins/redis_ - dest: "/etc/munin/plugins/{{ redis_instance_name }}_redis_{{item}}" + dest: "/etc/munin/plugins/{{ redis_instance_name }}_redis_{{ plugin_name }}" state: link loop: - connected_clients @@ -48,6 +48,8 @@ - per_sec - used_keys - used_memory + loop_control: + loop_var: plugin_name notify: restart munin-node when: not ansible_check_mode tags: diff --git a/redis/tasks/instance-server.yml b/redis/tasks/instance-server.yml index 462ee8f4..3e6af623 100644 --- a/redis/tasks/instance-server.yml +++ b/redis/tasks/instance-server.yml 
@@ -38,7 +38,7 @@ - name: "Instance '{{ redis_instance_name }}' config hooks directories are present" file: - dest: "{{ item }}" + dest: "{{ _dir }}" mode: "0755" owner: "root" group: "root" @@ -49,6 +49,8 @@ - "{{ redis_conf_dir }}/redis-server.post-up.d" - "{{ redis_conf_dir }}/redis-server.pre-down.d" - "{{ redis_conf_dir }}/redis-server.post-down.d" + loop_control: + loop_var: _dir when: - ansible_distribution == "Debian" - ansible_distribution_major_version is version('9', '=') @@ -56,14 +58,16 @@ - redis - name: "Instance '{{ redis_instance_name }}' hooks examples are present" - command: "cp -a /etc/redis/{{ item }}/00_example {{ redis_conf_dir }}/{{ item }}" + command: "cp -a /etc/redis/{{ _dir }}/00_example {{ redis_conf_dir }}/{{ _dir }}" args: - creates: "{{ redis_conf_dir }}/{{ item }}/00_example" + creates: "{{ redis_conf_dir }}/{{ _dir }}/00_example" loop: - "redis-server.pre-up.d" - "redis-server.post-up.d" - "redis-server.pre-down.d" - "redis-server.post-down.d" + loop_control: + loop_var: _dir when: - ansible_distribution == "Debian" - ansible_distribution_major_version is version('9', '=') @@ -72,7 +76,7 @@ - name: "Instance '{{ redis_instance_name }}' socket/pid directories are present" file: - dest: "{{ item }}" + dest: "{{ _dir }}" mode: "0755" owner: "redis-{{ redis_instance_name }}" group: "redis-{{ redis_instance_name }}" @@ -81,12 +85,14 @@ loop: - "{{ redis_pid_dir }}" - "{{ redis_socket_dir }}" + loop_control: + loop_var: _dir tags: - redis - name: "Instance '{{ redis_instance_name }}' data/log directories are present" file: - dest: "{{ item }}" + dest: "{{ _dir }}" mode: "0751" owner: "redis-{{ redis_instance_name }}" group: "redis-{{ redis_instance_name }}" @@ -95,6 +101,8 @@ loop: - "{{ redis_data_dir }}" - "{{ redis_log_dir }}" + loop_control: + loop_var: _dir tags: - redis -- 2.39.2 From bcaacdf57f6156e68dc8c5632031d7ee726b44df Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour Date: Wed, 8 Jun 2022 15:39:34 +0200 Subject: [PATCH 103/497] postgresql: fix nested loop for Munin plugins --- CHANGELOG.md | 1 + postgresql/tasks/munin.yml | 12 ++++++++++-- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e54372b7..ad5eecd5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,6 +19,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Fixed * Enforce String notation for mode +* postgresql: fix nested loop for Munin plugins ### Removed diff --git a/postgresql/tasks/munin.yml b/postgresql/tasks/munin.yml index ed2cc883..227304c8 100644 --- a/postgresql/tasks/munin.yml +++ b/postgresql/tasks/munin.yml @@ -30,7 +30,15 @@ dest: '/etc/munin/plugins/{{item[0]}}{{item[1]}}' loop: "{{ _plugins | product(_databases) | list }}" vars: - _plugins: ['postgres_cache_', 'postgres_connections_', 'postgres_locks_', 'postgres_querylength_', 'postgres_scans_', 'postgres_size_', 'postgres_transactions_', 'postgres_tuples_'] - _databases: postgresql_databases + _plugins: + - 'postgres_cache_' + - 'postgres_connections_' + - 'postgres_locks_' + - 'postgres_querylength_' + - 'postgres_scans_' + - 'postgres_size_' + - 'postgres_transactions_' + - 'postgres_tuples_' + _databases: "{{ postgresql_databases }}" notify: restart munin-node when: etc_munin_plugins.stat.exists and usr_share_munin_plugins.stat.exists -- 2.39.2 From 1e19418fb0d26b45000794b6148201d94392f403 Mon Sep 17 00:00:00 2001 
From: Ludovic Poujol Date: Wed, 8 Jun 2022 17:55:58 +0200 Subject: [PATCH 104/497] Fail2ban: Multiple changes & improvements : * Give the possibility to override jail.local (with fail2ban_override_jaillocal) * If jail.local was overriden, add a warning * Allow to tune some jail settings (maxretry, bantime, findtime) with ansible * Allow to tune the default action with ansible * Change default action to ban only (instead of ban + mail with whois report) * Configure recidive jail (off by default) + extend dbpurgeage --- CHANGELOG.md | 6 +++ fail2ban/defaults/main.yml | 39 ++++++++++++++++-- fail2ban/tasks/main.yml | 30 ++++++++------ fail2ban/templates/jail.local.j2 | 70 +++++++++++++++++--------------- 4 files changed, 96 insertions(+), 49 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ad5eecd5..2798b03e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,12 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* fail2ban: Give the possibility to override jail.local (with fail2ban_override_jaillocal) +* fail2ban: If jail.local was overriden, add a warning +* fail2ban: Allow to tune some jail settings (maxretry, bantime, findtime) with ansible +* fail2ban: Allow to tune the default action with ansible +* fail2ban: Change default action to ban only (instead of ban + mail with whois report) +* fail2ban: Configure recidive jail (off by default) + extend dbpurgeage * redis: binding is possible on multiple interfaces (breaking change) ### Fixed diff --git a/fail2ban/defaults/main.yml b/fail2ban/defaults/main.yml index d983b32a..098a550a 100644 --- a/fail2ban/defaults/main.yml +++ b/fail2ban/defaults/main.yml 
@@ -6,10 +6,43 @@ fail2ban_alert_email: Null # "127.0.0.1/8" is always added to the list, even if the following lists are empty. fail2ban_default_ignore_ips: [] fail2ban_additional_ignore_ips: [] + # WARN: setting this to True will overwrite the list of ignored IP fail2ban_force_update_ignore_ips: False -fail2ban_wordpress: False -fail2ban_roundcube: False +fail2ban_override_jaillocal: False -fail2ban_disable_ssh: False +fail2ban_default_maxretry: 5 +fail2ban_default_bantime: 10m +fail2ban_default_findtime: 10m + +# Default fail2ban action. Chose beetween : +# - "action_" : (default) - ban only (following banaction) +# - "action_mw" : ban & send an email with whois report +# - "action_mwl" : ban & send an email with whois and log lines +fail2ban_default_action: "action_" + +fail2ban_sshd: True +fail2ban_sshd_maxretry: 10 +fail2ban_sshd_bantime: "{{ fail2ban_default_bantime }}" +fail2ban_sshd_findtime: "{{ fail2ban_default_findtime }}" + +fail2ban_recidive: False +fail2ban_recidive_maxretry: 3 +fail2ban_recidive_bantime: 1w +fail2ban_recidive_findtime: 1d + +fail2ban_wordpress_hard: False +fail2ban_wordpress_hard_maxretry: 1 +fail2ban_wordpress_hard_bantime: "{{ fail2ban_default_bantime }}" +fail2ban_wordpress_hard_findtime: "{{ fail2ban_default_findtime }}" + +fail2ban_wordpress_soft: False +fail2ban_wordpress_soft_maxretry: 5 +fail2ban_wordpress_soft_bantime: "{{ fail2ban_default_bantime }}" +fail2ban_wordpress_soft_findtime: "{{ fail2ban_default_findtime }}" + +fail2ban_roundcube: False +fail2ban_roundcube_maxretry: 5 +fail2ban_roundcube_bantime: "{{ fail2ban_default_bantime }}" +fail2ban_roundcube_findtime: "{{ fail2ban_default_findtime }}" \ No newline at end of file diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml index 30c795c9..56378c9b 100644 --- a/fail2ban/tasks/main.yml +++ b/fail2ban/tasks/main.yml @@ -12,6 +12,7 @@ loop: - "/etc/fail2ban" - "/etc/fail2ban/filter.d" + - "/etc/fail2ban/fail2ban.d" tags: - fail2ban 
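Review bot: `fail2ban_disable_ssh` is dropped from `fail2ban/defaults/main.yml` with no replacement guard, so an inventory that still sets `fail2ban_disable_ssh: True` now silently gets the sshd jail enabled through `fail2ban_sshd: True`. This series already handles the same situation for redis with a `fail` task in `redis/tasks/main.yml`; the same pattern, guarded by `when: fail2ban_disable_ssh is defined` and pointing the operator at `fail2ban_sshd: False`, would make the rename visible at playbook time. The new `fail2ban_default_maxretry: 5` also replaces the hard-coded `maxretry = 3` that the old `jail.local.j2` carried in `[DEFAULT]`, which is a loosening worth its own line in the CHANGELOG entry.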
@@ -25,7 +26,7 @@ src: jail.local.j2 dest: /etc/fail2ban/jail.local mode: "0644" - force: no + force: "{{ fail2ban_override_jaillocal }}" notify: restart fail2ban tags: - fail2ban @@ -36,17 +37,6 @@ tags: - fail2ban -- name: Disable SSH filter - ini_file: - dest: /etc/fail2ban/jail.local - section: sshd - option: enabled - value: false - notify: restart fail2ban - when: fail2ban_disable_ssh | bool - tags: - - fail2ban - - name: custom filters are installed copy: src: "{{ item }}" @@ -62,7 +52,7 @@ tags: - fail2ban -- name: package is installed +- name: package fail2ban is installed apt: name: fail2ban state: present @@ -100,3 +90,17 @@ tags: - fail2ban - munin + +- name: "Extend dbpurgeage if recidive jail is enabled" + blockinfile: + dest: /etc/fail2ban/fail2ban.d/recidive_dbpurgeage + marker: "# ANSIBLE MANAGED" + block: | + [DEFAULT] + dbpurgeage = {{ fail2ban_recidive_bantime}} + insertafter: EOF + create: yes + mode: "0644" + notify: restart fail2ban + when: + - fail2ban_recidive \ No newline at end of file diff --git a/fail2ban/templates/jail.local.j2 b/fail2ban/templates/jail.local.j2 index 7e097e4f..19c4f35b 100644 --- a/fail2ban/templates/jail.local.j2 +++ b/fail2ban/templates/jail.local.j2 
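Review bot: The `Extend dbpurgeage if recidive jail is enabled` task writes `/etc/fail2ban/fail2ban.d/recidive_dbpurgeage` with no extension; as far as I recall fail2ban only loads `fail2ban.d/*.conf` and `*.local`, so the file would be ignored and `dbpurgeage` would stay at its default, which is shorter than the `1w` recidive bantime the jail relies on. Renaming to `dest: /etc/fail2ban/fail2ban.d/recidive_dbpurgeage.conf` and checking with `fail2ban-client get dbpurgeage` settles it. `marker: "# ANSIBLE MANAGED"` lacks `{mark}`, so the begin and end markers are identical; `blockinfile` copes, but the conventional `"# {mark} ANSIBLE MANAGED"` keeps the file readable. `{{ fail2ban_recidive_bantime}}` is also missing the space before the closing braces used everywhere else in the role.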
@@ -1,61 +1,65 @@ # EvoLinux Fail2Ban config. +{% if fail2ban_override_jaillocal %} +# WARNING : THIS FILE IS (PROBABLY) ANSIBLE MANAGED AS IT WAS OVERWRITTEN BY ANSIBLE +{% endif %} + [DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host ignoreip = {{ ['127.0.0.1/8'] | union(fail2ban_ignore_ips) | unique | join(' ') }} -bantime = 600 -maxretry = 3 - -# "backend" specifies the backend used to get files modification. Available -# options are "gamin", "polling" and "auto". -# yoh: For some reason Debian shipped python-gamin didn't work as expected -# This issue left ToDo, so polling is default backend for now -backend = auto +bantime = {{ fail2ban_default_bantime }} +maxretry = {{ fail2ban_default_maxretry }} destemail = {{ fail2ban_alert_email or general_alert_email | mandatory }} # ACTIONS - banaction = iptables-multiport -mta = sendmail -protocol = tcp -chain = INPUT -action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] - %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] +action = %({{fail2ban_default_action}})s -action = %(action_mwl)s [sshd] +enabled = {{ fail2ban_sshd }} port = ssh,2222,22222 -logpath = %(sshd_log)s -backend = %(sshd_backend)s -maxretry = 10 -{% if fail2ban_wordpress %} +maxretry = {{ fail2ban_sshd_maxretry }} +findtime = {{ fail2ban_sshd_findtime }} +bantime = {{ fail2ban_sshd_bantime }} + +[recidive] +enabled = {{ fail2ban_recidive }} + +maxretry = {{ fail2ban_recidive_maxretry }} +findtime = {{ fail2ban_recidive_findtime }} +bantime = {{ fail2ban_recidive_bantime }} + + +# Evolix custom jails + [wordpress-hard] -enabled = true -port = http,https +enabled = {{ fail2ban_wordpress_hard }} +port = http, https filter = wordpress-hard logpath = /var/log/auth.log -maxretry = 1 -findtime = 300 +maxretry = {{ fail2ban_wordpress_hard_maxretry }} +findtime = {{ fail2ban_wordpress_hard_findtime }} +bantime = {{ 
fail2ban_wordpress_hard_bantime }} [wordpress-soft] -enabled = true -port = http,https +enabled = {{ fail2ban_wordpress_soft }} +port = http, https filter = wordpress-soft logpath = /var/log/auth.log -maxretry = 5 -findtime = 300 -{% endif %} +maxretry = {{ fail2ban_wordpress_soft_maxretry }} +findtime = {{ fail2ban_wordpress_soft_findtime }} +bantime = {{ fail2ban_wordpress_soft_bantime }} -{% if fail2ban_roundcube %} [roundcube] -enabled = true -port = http,https +enabled = {{ fail2ban_roundcube }} +port = http, https filter = roundcube logpath = /var/lib/roundcube/logs/errors -maxretry = 5 -{% endif %} +maxretry = {{ fail2ban_roundcube_maxretry }} +findtime = {{ fail2ban_roundcube_findtime }} +bantime = {{ fail2ban_roundcube_bantime }} -- 2.39.2 From 4d1d77faaf3c68740ac0d3b9d1445be5511ed964 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 8 Jun 2022 16:45:41 +0200 Subject: [PATCH 105/497] postgresql: add variable to configure binding addresses (default: 127.0.0.1) --- CHANGELOG.md | 2 ++ postgresql/defaults/main.yml | 4 ++++ postgresql/templates/postgresql.conf.j2 | 3 ++- 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2798b03e..dc3a5840 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added +* postgresql: add variable to configure binding addresses (default: 127.0.0.1) + ### Changed * fail2ban: Give the possibility to override jail.local (with fail2ban_override_jaillocal) diff --git a/postgresql/defaults/main.yml b/postgresql/defaults/main.yml index 7b2b3734..dcdffb05 100644 --- a/postgresql/defaults/main.yml +++ b/postgresql/defaults/main.yml @@ -8,6 +8,10 @@ postgresql_work_mem: 8MB postgresql_random_page_cost: 1.5 postgresql_effective_cache_size: "{{ (ansible_memtotal_mb * 0.5) | int }}MB" +# Binding +postgresql_listen_addresses: + - "127.0.0.1" + # PostgreSQL version postgresql_version: '' 
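Review bot: `jail.local.j2` now renders `bantime` and `maxretry` from the new defaults in `[DEFAULT]` but not `findtime`, although `fail2ban_default_findtime` is introduced alongside them; the DEFAULT section therefore keeps fail2ban's built-in findtime while every per-jail variable inherits the Ansible value, which is confusing as soon as the two differ. Add `findtime = {{ fail2ban_default_findtime }}` after the `maxretry` line. `action = %({{fail2ban_default_action}})s` is interpolated unchecked, so a value outside the three names documented in `defaults/main.yml` surfaces as an interpolation error when fail2ban starts rather than at playbook time; an `assert` that `fail2ban_default_action in ['action_', 'action_mw', 'action_mwl']` fails earlier and more clearly.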
diff --git a/postgresql/templates/postgresql.conf.j2 b/postgresql/templates/postgresql.conf.j2 index 25597519..9adce0b4 100644 --- a/postgresql/templates/postgresql.conf.j2 +++ b/postgresql/templates/postgresql.conf.j2 @@ -1,6 +1,7 @@ # Tuning shared_buffers = {{ postgresql_shared_buffers }} work_mem = {{ postgresql_work_mem }} +listen_addresses = '{{ postgresql_listen_addresses | join(',') }}' #shared_preload_libraries = 'pg_stat_statements' #synchronous_commit = off {% if postgresql_version is version('9.5', '<') %} @@ -13,7 +14,7 @@ checkpoint_completion_target = 0.9 random_page_cost = {{ postgresql_random_page_cost }} effective_cache_size = {{ postgresql_effective_cache_size }} -# Loging +# Logging log_min_duration_statement = 1s log_checkpoints = on log_lock_waits = on -- 2.39.2 From cea1408bba937656c504fd691e22c023b1198ebf Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 9 Jun 2022 07:41:49 +0200 Subject: [PATCH 106/497] evocheck: upstream release 22.06.2 --- CHANGELOG.md | 1 + evocheck/files/evocheck.sh | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index dc3a5840..07847f87 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* evocheck: upstream release 22.06.2 * fail2ban: Give the possibility to override jail.local (with fail2ban_override_jaillocal) * fail2ban: If jail.local was overriden, add a warning * fail2ban: Allow to tune some jail settings (maxretry, bantime, findtime) with ansible diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index 5b1afb09..87d9e3e3 100644 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Debian/OpenBSD server # powered by Evolix -VERSION="22.06.1" +VERSION="22.06.2" readonly VERSION # base functions 
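Review bot: `listen_addresses = '{{ postgresql_listen_addresses | join(',') }}'` renders `listen_addresses = ''` for an empty list, which disables TCP listening entirely; that may be intended, but it is not stated in `postgresql/defaults/main.yml`, whose only comment is `# Binding`. A comment such as `# addresses to listen on; an empty list disables TCP (Unix socket only)` would cover it. Nothing in this change touches `pg_hba.conf`, so the same comment should say that widening the bind addresses still relies on pg_hba for access control.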
@@ -744,7 +744,7 @@ check_backupuptodate() {
 if [ -n "$(ls -A ${backup_dir})" ]; then
 # Look for all files, including subdirectories.
 # If this turns out to be problematic, we can go back to first level only, with --max-depth=1
- find "${backup_dir}" -type f | while read -r file; do
+ find "${backup_dir}" -type f --max-depth=1 | while read -r file; do
 limit=$(date +"%s" -d "now - 2 day")
 updated_at=$(stat -c "%Y" "$file")
-- 2.39.2
From 31c49a125b9ad8f9dcdf61c9714ca810f058712b Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Thu, 9 Jun 2022 07:47:00 +0200
Subject: [PATCH 107/497] evocheck: manual fix of find syntax
---
 evocheck/files/evocheck.sh | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh
index 87d9e3e3..9391f119 100644
--- a/evocheck/files/evocheck.sh
+++ b/evocheck/files/evocheck.sh
@@ -742,9 +742,7 @@ check_backupuptodate() {
 backup_dir="/home/backup"
 if [ -d "${backup_dir}" ]; then
 if [ -n "$(ls -A ${backup_dir})" ]; then
- # Look for all files, including subdirectories.
- # If this turns out to be problematic, we can go back to first level only, with --max-depth=1
- find "${backup_dir}" -type f --max-depth=1 | while read -r file; do
+ find "${backup_dir}" -type f -maxdepth 1 | while read -r file; do
 limit=$(date +"%s" -d "now - 2 day")
 updated_at=$(stat -c "%Y" "$file")
-- 2.39.2
From b3ac39decdb734655a1b17cb71f059b7bc2c8b31 Mon Sep 17 00:00:00 2001
From: Ludovic Poujol
Date: Thu, 9 Jun 2022 10:33:28 +0200
Subject: [PATCH 108/497] postgresql: Fix task order when using pgdg repo & Install the right pg version
---
 CHANGELOG.md | 2 ++
 postgresql/tasks/packages_bullseye.yml | 2 +-
 postgresql/tasks/packages_buster.yml | 2 +-
 postgresql/tasks/packages_stretch.yml | 2 +-
 postgresql/tasks/pgdg-repo.yml | 13 ++++--------
 5 files changed, 9 insertions(+), 12 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 07847f87..8a00a318 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
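Review bot: `find "${backup_dir}" -type f -maxdepth 1` in the `@@ -742,9 +742,7 @@` hunk places the global option after a test; GNU find accepts it but prints a warning on stderr ("you have specified the global option -maxdepth after the argument -type"), and in a cron-driven check that noise turns into mail on every run. Reorder to `find "${backup_dir}" -maxdepth 1 -type f | while read -r file; do`. `check_backupuptodate` continues beyond the hunk on both sides.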
@@ -29,6 +29,8 @@ The **patch** part changes is incremented if multiple releases happen the same m * Enforce String notation for mode * postgresql: fix nested loop for Munin plugins +* postgresql: Fix task order when using pgdg repo +* postgresql: Install the right pg version ### Removed diff --git a/postgresql/tasks/packages_bullseye.yml b/postgresql/tasks/packages_bullseye.yml index 558578f2..1b4cb0ac 100644 --- a/postgresql/tasks/packages_bullseye.yml +++ b/postgresql/tasks/packages_bullseye.yml @@ -11,6 +11,6 @@ - name: Install postgresql package apt: name: - - postgresql + - "postgresql-{{postgresql_version}}" - pgtop - libdbd-pg-perl diff --git a/postgresql/tasks/packages_buster.yml b/postgresql/tasks/packages_buster.yml index 76017545..815e741d 100644 --- a/postgresql/tasks/packages_buster.yml +++ b/postgresql/tasks/packages_buster.yml @@ -11,6 +11,6 @@ - name: Install postgresql package apt: name: - - postgresql + - "postgresql-{{postgresql_version}}" - pgtop - libdbd-pg-perl diff --git a/postgresql/tasks/packages_stretch.yml b/postgresql/tasks/packages_stretch.yml index d8ebb9e4..a43c313b 100644 --- a/postgresql/tasks/packages_stretch.yml +++ b/postgresql/tasks/packages_stretch.yml @@ -11,6 +11,6 @@ - name: Install postgresql package apt: name: - - postgresql + - "postgresql-{{postgresql_version}}" - ptop - libdbd-pg-perl diff --git a/postgresql/tasks/pgdg-repo.yml b/postgresql/tasks/pgdg-repo.yml index a13b7469..38f21079 100644 --- a/postgresql/tasks/pgdg-repo.yml +++ b/postgresql/tasks/pgdg-repo.yml 
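Review bot: `"postgresql-{{postgresql_version}}"` in `packages_bullseye.yml` expands to the non-existent package `postgresql-` when `postgresql_version` is left at its default `''` (visible in the `postgresql/defaults/main.yml` context earlier in this series), so the role now fails at apt on a default inventory; the `packages_buster.yml` and `packages_stretch.yml` hunks have the same problem. Either keep the metapackage as the fallback, `- "postgresql{{ '-' ~ postgresql_version if postgresql_version else '' }}"`, or add an `assert` that `postgresql_version | length > 0` before the install tasks so the requirement is stated rather than discovered.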
@@ -2,17 +2,12 @@ - name: Open firewall for PGDG repository replace: name: /etc/default/minifirewall - regexp: "^(HTTPSITES='((?!apt\\.postgresql\\.org).)*)'$" + regexp: "^(HTTPSITES='((?!apt\\.postgresql\\.org|0\\.0\\.0\\.0).)*)'$" replace: "\\1 apt.postgresql.org'" notify: Restart minifirewall - meta: flush_handlers -- name: Add PGDG repository - apt_repository: - repo: "deb http://apt.postgresql.org/pub/repos/apt/ {{ansible_distribution_release}}-pgdg main" - update_cache: yes - - name: Look for legacy apt keyring stat: path: /etc/apt/trusted.gpg @@ -34,9 +29,9 @@ owner: root group: root -- name: Update and upgrade apt packages for PGDG repository - apt: - upgrade: yes +- name: Add PGDG repository + apt_repository: + repo: "deb http://apt.postgresql.org/pub/repos/apt/ {{ansible_distribution_release}}-pgdg main" update_cache: yes - name: Add APT preference file -- 2.39.2 From 556719bbf257a583e20b398aee28d40772cd9eef Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 10 Jun 2022 11:11:44 +0200 Subject: [PATCH 109/497] Release 22.06.2 --- CHANGELOG.md | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8a00a318..6d85ed31 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,18 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added +### Changed + +### Fixed + +### Removed + +### Security + +## [22.06.2] 2022-06-10 + +### Added + * postgresql: add variable to configure binding addresses (default: 127.0.0.1) ### Changed @@ -32,10 +44,6 @@ The **patch** part changes is incremented if multiple releases happen the same m * postgresql: Fix task order when using pgdg repo * postgresql: Install the right pg version -### Removed - -### Security - ## [22.06.1] 2022-06-06 ### Changed -- 2.39.2 From 3623363b9451481d94e890ca2717c54a4449fbbd Mon Sep 17 00:00:00 2001 
From: "William Hirigoyen (Evolix)" Date: Mon, 13 Jun 2022 17:35:31 +0200 Subject: [PATCH 110/497] Update changelog for version 22.06 --- CHANGELOG.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6d85ed31..88e45d00 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -67,9 +67,14 @@ The **patch** part changes is incremented if multiple releases happen the same m * docker: Allow "live-restore" to be toggled with docker_conf_live_restore * evocheck: upstream release 22.06 +* evolinux-base: Replacement of variable `evolinux_packages_hardware` by `ansible_virtualization_role == "host"` automatize host type detection and avoids installing smartd & other on VM. * minifirewall: tail template follows symlinks * mysql: add "set crypt_use_gpgme=no" Mutt option, for mysqltuner +### Fixed + +* Role `postfix`: Add missing `localhost.localdomain localhost` to `mydestination` variable which caused undelivered of some local mails. + ## [22.05.1] 2022-05-12 ### Added -- 2.39.2 From dd990fe6d57f9fe582473abc207d9fce8b6c4476 Mon Sep 17 00:00:00 2001 From: "William Hirigoyen (Evolix)" Date: Mon, 13 Jun 2022 17:37:47 +0200 Subject: [PATCH 111/497] Update changelog --- CHANGELOG.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6d85ed31..88e45d00 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -67,9 +67,14 @@ The **patch** part changes is incremented if multiple releases happen the same m * docker: Allow "live-restore" to be toggled with docker_conf_live_restore * evocheck: upstream release 22.06 +* evolinux-base: Replacement of variable `evolinux_packages_hardware` by `ansible_virtualization_role == "host"` automatize host type detection and avoids installing smartd & other on VM. * minifirewall: tail template follows symlinks * mysql: add "set crypt_use_gpgme=no" Mutt option, for mysqltuner +### Fixed + +* Role `postfix`: Add missing `localhost.localdomain localhost` to `mydestination` variable which caused undelivered of some local mails. + ## [22.05.1] 2022-05-12 ### Added -- 2.39.2 From 57ecac01ba7fcc79167b00d15c33fab674db1428 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 16 Jun 2022 15:19:44 +0200 Subject: [PATCH 112/497] evolinux-base: blacklist and do not install megaclisas-status package on incompatible servers --- CHANGELOG.md | 2 ++ evolinux-base/tasks/hardware.yml | 36 ++++++++++++++++++++++++++++++++ 2 files changed, 38 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 88e45d00..e9831dbf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* evolinux-base: blacklist and do not install megaclisas-status package on incompatible servers + ### Fixed ### Removed diff --git a/evolinux-base/tasks/hardware.yml b/evolinux-base/tasks/hardware.yml index 2e68cc36..55427082 100644 --- a/evolinux-base/tasks/hardware.yml +++ b/evolinux-base/tasks/hardware.yml 
@@ -157,6 +157,42 @@
- "'Hewlett-Packard Company Smart Array' in raidmodel.stdout"
- evolinux_packages_hardware_raid | bool
+## LSI MegaRAID 12GSAS/PCIe Secure SAS39xx
+# This is still incompatible with Debian
+
+- name: Check if PERC HBA11 device is present
+ shell: "lspci | grep -qE 'MegaRAID.*SAS39xx'"
+ check_mode: no
+ register: perc_hba11_search
+ failed_when: False
+ changed_when: False
+ tags:
+ - packages
+
+- name: MegaCLI SAS package must not be installed if PERC HBA11 is present
+ block:
+ - name: Disable harware RAID tasks
+ set_fact:
+ evolinux_packages_hardware_raid: False
+
+ - name: blacklist mageclisas-status package
+ blockinfile:
+ dest: /etc/apt/preferences.d/0-blacklist
+ marker: "## {mark} MEGACLISAS-STATUS BLACKLIST"
+ block: |
+ # DO NOT INSTALL THESE PACKAGES ON THIS SERVER
+ Package: megacli megaclisas-status
+ Pin: version *
+ Pin-Priority: -100
+
+ - name: Remove MegaCLI packages
+ apt:
+ name:
+ - megacli
+ - megaclisas-status
+ state: absent
+ when: perc_hba11_search.rc == 0
+
- name: MegaCLI SAS package is present
block:
- name: HWRaid embedded GPG key is absent
--
2.39.2
From a38a174b83e82682160bb50aff1f1a86ba1ab506 Mon Sep 17 00:00:00 2001
From: Eric Morino
Date: Thu, 16 Jun 2022 16:08:10 +0200
Subject: [PATCH 113/497] Add create: yes for file 0-blacklist
---
evolinux-base/tasks/hardware.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/evolinux-base/tasks/hardware.yml b/evolinux-base/tasks/hardware.yml
index 55427082..fefb8177 100644
--- a/evolinux-base/tasks/hardware.yml
+++ b/evolinux-base/tasks/hardware.yml
@@ -178,6 +178,7 @@
- name: blacklist mageclisas-status package
blockinfile:
dest: /etc/apt/preferences.d/0-blacklist
+ create: yes
marker: "## {mark} MEGACLISAS-STATUS BLACKLIST"
block: |
# DO NOT INSTALL THESE PACKAGES ON THIS SERVER
--
2.39.2
From a1995f0e74d282b9496bb0a7ce7cc22a57792fe5 Mon Sep 17 00:00:00 2001
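Review bot: The detection task is tagged `packages` but the block that consumes `perc_hba11_search` is not, so a run limited with `--tags packages` never reaches the blacklist and removal tasks, and a run with `--skip-tags packages` evaluates `when: perc_hba11_search.rc == 0` against an unregistered variable and fails; give the block the same `tags: - packages`. `set_fact: evolinux_packages_hardware_raid: False` only affects tasks that run after it, and the task visible at the top of the hunk has already evaluated `evolinux_packages_hardware_raid | bool`, so the name `Disable harware RAID tasks` should say it applies to the MegaCLI tasks below. With `failed_when: False`, any `rc` other than 0 (including `lspci` being absent) is treated as "not present", which deserves a comment such as `# rc 0 = controller found; any other rc (no match, lspci absent) = not found`. Typos in task names: `harware`, `mageclisas-status`.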
From: Jeremy Lecour
Date: Fri, 17 Jun 2022 10:54:26 +0200
Subject: [PATCH 114/497] WIP: add vrrp addresses via Ansible
---
vrrpd/defaults/main.yml | 13 ++++++++++
vrrpd/tasks/ip.yml | 20 ++++++++++++++++
vrrpd/tasks/main.yml | 42 +++++++++++++++++++++++++++++----
vrrpd/templates/vrrp.service.j2 | 11 +++++++++
4 files changed, 81 insertions(+), 5 deletions(-)
create mode 100644 vrrpd/defaults/main.yml
create mode 100644 vrrpd/tasks/ip.yml
create mode 100644 vrrpd/templates/vrrp.service.j2
diff --git a/vrrpd/defaults/main.yml b/vrrpd/defaults/main.yml
new file mode 100644
index 00000000..f5950a14
--- /dev/null
+++ b/vrrpd/defaults/main.yml
@@ -0,0 +1,13 @@
+---
+
+vrrp_addresses: []
+# - {
+# interface: Null # the interface name to run on
+# delay: 10 # the advertisement interval (in sec) (default: 1)
+# id: Null # the id of the virtual server [1-255]
+# priority: Null # the priority of this host in the virtual server (default: 100)
+# authentication: Null # authentification type: auth=(none|pw/hexkey|ah/hexkey) hexkey=0x[0-9a-fA-F]+
+# label: Null # use this name is syslog messages (helps when several vrid are running)
+# ip: Null # the ip address(es) (and optionnaly subnet mask) of the virtual server
+# state: Null # 'started' or 'stopped'
+# }
\ No newline at end of file
diff --git a/vrrpd/tasks/ip.yml b/vrrpd/tasks/ip.yml
new file mode 100644
index 00000000..38d75ccb
--- /dev/null
+++ b/vrrpd/tasks/ip.yml
@@ -0,0 +1,20 @@
+---
+
+- name: set unit name
+ set_fact:
+ vrrp_systemd_unit_name: "vrrp-{{ vrrp_address.id }}.service"
+
+- name: add systemd unit
+ template:
+ src: vrrp.service.j2
+ dest: "/etc/systemd/system/vrrp-{{ vrrp_systemd_unit_name }}"
+ force: yes
+ register: vrrp_systemd_unit
+
+- name: enable and start systemd unit
+ systemd:
+ name: "{{ vrrp_systemd_unit_name }}"
+ daemon_reload: yes
+ enabled: yes
+ state: "{{ vrrp_address.state }}"
+ when: vrrp_systemd_unit is changed
\ No newline at end of file
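Review bot: In ip.yml the unit is rendered to `dest: "/etc/systemd/system/vrrp-{{ vrrp_systemd_unit_name }}"` although `vrrp_systemd_unit_name` is already `vrrp-<id>.service`, so the file becomes `vrrp-vrrp-<id>.service` while the systemd task enables `vrrp-<id>.service`, which does not exist; it should be `dest: "/etc/systemd/system/{{ vrrp_systemd_unit_name }}"`. The guard `when: vrrp_systemd_unit is changed` means `enabled`/`state` are only enforced on the run that rewrites the template, so a unit stopped by hand is never brought back to `vrrp_address.state` on later runs; only `daemon_reload` needs to be tied to the template change. Since the rendered unit carries `vrrp_address.authentication`, the template task should set `owner: root`, `group: root` and `mode: "0600"` rather than inherit the umask.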
diff --git a/vrrpd/tasks/main.yml b/vrrpd/tasks/main.yml
index 5804cb39..44ebe65a 100644
--- a/vrrpd/tasks/main.yml
+++ b/vrrpd/tasks/main.yml
@@ -14,7 +14,36 @@
tags:
- vrrpd
-- name: Adjust sysctl config
+- name: Adjust sysctl config (except rp_filter)
+ sysctl:
+ name: "{{ item.name }}"
+ value: "{{ item.value }}"
+ sysctl_file: /etc/sysctl.d/vrrpd.conf
+ sysctl_set: yes
+ state: present
+ loop:
+ - { name: 'net.ipv4.conf.all.arp_ignore', value: 1 }
+ - { name: 'net.ipv4.conf.all.arp_announce', value: 2 }
+ - { name: 'net.ipv4.ip_nonlocal_bind', value: 1 }
+ tags:
+ - vrrpd
+
+- name: look if rp_filter is managed by minifirewall
+ command: grep "SYSCTL_RP_FILTER=" /etc/default/minifirewall
+ failed_when: False
+ changed_when: False
+ check_mode: no
+ register: grep_sysctl_rp_filter_minifirewall
+
+- name: Configure SYSCTL_RP_FILTER in minifirewall
+ lineinfile:
+ dest: "/etc/default/minifirewall"
+ line: "SYSCTL_RP_FILTER='0'"
+ regexp: "SYSCTL_RP_FILTER=('|\").*('|\")"
+ create: no
+ when: grep_sysctl_rp_filter_minifirewall.rc == 0
+
+- name: Adjust sysctl config (only rp_filter)
sysctl:
name: "{{ item.name }}"
value: "{{ item.value }}"
@@ -23,10 +52,13 @@
state: present
loop:
- { name: 'net.ipv4.conf.default.rp_filter', value: 0 }
- - { name: 'net.ipv4.conf.eth0.rp_filter', value: 0 }
- { name: 'net.ipv4.conf.all.rp_filter', value: 0 }
- - { name: 'net.ipv4.conf.all.arp_ignore', value: 1 }
- - { name: 'net.ipv4.conf.all.arp_announce', value: 2 }
- - { name: 'net.ipv4.ip_nonlocal_bind', value: 1 }
+ when: grep_sysctl_rp_filter_minifirewall.rc != 0
tags:
- vrrpd
+
+- name: Create VRRP address
+ include: ip.yml
+ loop: "{{ vrrp_addresses }}"
+ loop_control:
+ loop_var: "vrrp_address"
\ No newline at end of file
diff --git a/vrrpd/templates/vrrp.service.j2 b/vrrpd/templates/vrrp.service.j2
new file mode 100644
index 00000000..7bd588d7
--- /dev/null
+++ b/vrrpd/templates/vrrp.service.j2
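Review bot: The two new tasks `look if rp_filter is managed by minifirewall` and `Configure SYSCTL_RP_FILTER in minifirewall` carry no `tags: - vrrpd` while every sibling task does, so a run restricted with `--tags vrrpd` skips the grep and the `when: grep_sysctl_rp_filter_minifirewall.rc != 0` on the rp_filter sysctl task fails on an undefined variable; add `tags: - vrrpd` to both. The lineinfile `regexp: "SYSCTL_RP_FILTER=('|\").*('|\")"` is unanchored and therefore also rewrites a commented-out `#SYSCTL_RP_FILTER=...` line into an active one; if that is intended, say so in a comment, otherwise anchor it with `^`. `include: ip.yml` under `loop` is the deprecated form; `include_tasks: ip.yml` behaves the same here.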
@@ -0,0 +1,11 @@
+[Unit]
+Description=VRRP Daemon for IP {{ vrrp_address.ip }} on {{ vrrp_address.interface }}
+After=network.target
+
+[Service]
+ExecStart=/usr/sbin/vrrpd -i {{ vrrp_address.interface | mandatory }} -x -D -d {{ vrrp_address.delay | mandatory }} -v {{ vrrp_address.id | mandatory }} -p {{ vrrp_address.priority | mandatory }} -a {{ vrrp_address.authentication | mandatory }} -l {{ vrrp_address.label | mandatory }} {{ vrrp_address.ip | mandatory }}
+
+Type=forking
+
+[Install]
+WantedBy=default.target
\ No newline at end of file
--
2.39.2
From adc89a1b65e61112e7ad5828c1066a3423ae9afb Mon Sep 17 00:00:00 2001
From: Brice Waegeneire
Date: Thu, 21 Apr 2022 11:28:32 +0200
Subject: [PATCH 115/497] Add nagios check for Redis Sentinel synchro
---
.../files/plugins/check_redis_sentinel_sync | 46 +++++++++++++++++++
1 file changed, 46 insertions(+)
create mode 100755 nagios-nrpe/files/plugins/check_redis_sentinel_sync
diff --git a/nagios-nrpe/files/plugins/check_redis_sentinel_sync b/nagios-nrpe/files/plugins/check_redis_sentinel_sync
new file mode 100755
index 00000000..e8f217aa
--- /dev/null
+++ b/nagios-nrpe/files/plugins/check_redis_sentinel_sync
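Review bot: `ExecStart` passes `{{ vrrp_address.authentication | mandatory }}` as `-a`, so the VRRP password or AH key (the defaults comment describes the value as `pw/hexkey` or `ah/hexkey`) ends up both in the unit file and in the daemon's command line, where any local user can read it via `ps`; the command-line exposure is inherent to vrrpd's `-a` option, but the unit file itself should be installed `0600 root:root` by the template task and `vrrp_address.authentication` documented as sensitive in defaults/main.yml. Every field goes through `mandatory`, which contradicts the `(default: 1)` and `(default: 100)` remarks in vrrpd/defaults/main.yml for `delay` and `priority`; either use `| default(1)` / `| default(100)` here or drop those remarks. `Type=forking` presumably relies on one of the vrrpd flags making it daemonize; a one-line comment naming that flag would save the next reader a trip to the man page.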
@@ -0,0 +1,46 @@ +#!/bin/sh +# +# Verify the synchroniation of Redis Sentinel slaves. + +output=$(mktemp --tmpdir $(basename "$0").XXXXXXXXXX) +critical_count=0 +ok_count=0 + +trap "rm -f $output" EXIT + +input=$(redis-cli -p 6380 sentinel slaves redis | sed 'N;s/\n/=/') + +#while read -r line; do +for line in $input; do + case "$line" in + name=*) name=${line#name=} ;; + master-link-status=*) status=${line#master-link-status=} ;; + esac + if [ -n "$name" ] && [ -n "$status" ]; then + if [ "$status" = ok ]; then + echo "OK - $name" >> "$output" + ok_count=$(( ok_count + 1)) + else + echo "CRITICAL - $name" >> "$output" + critical_count=$(( critical_count + 1)) + fi + unset name status + fi +done + +total_count=$(( ok_count + critical_count )) + +plural='' +test "$total_count" -gt 1 && plural='s' + +if [ $ok_count -eq $total_count ]; then + printf "OK - %d/%d Redis Sentinel slave%s are in sync\n\n" \ + "$ok_count" "$total_count" "$plural" + cat "$output" + exit 0 +else + printf "CRITICAL - %d/%d Redis Sentinal slave%s aren't in sync\n\n" \ + "$critical_count" "$total_count" "$plural" + cat "$output" + exit 2 +fi -- 2.39.2 From 050c61c220eed35086815d540a6236479fa32233 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 17 Jun 2022 11:00:51 +0200 Subject: [PATCH 116/497] Release 22.06.3 --- CHANGELOG.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e9831dbf..66f33653 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,14 +14,18 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed -* evolinux-base: blacklist and do not install megaclisas-status package on incompatible servers - ### Fixed ### Removed ### Security +## [22.06.3] 2022-06-17 + +### Changed + +* evolinux-base: blacklist and do not install megaclisas-status package on incompatible servers + ## [22.06.2] 2022-06-10 ### Added -- 2.39.2 
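Review bot: When `redis-cli` fails or sentinel reports no slave, `$input` is empty, both counters stay 0 and `[ $ok_count -eq $total_count ]` holds, so the plugin prints `OK - 0/0 Redis Sentinel slaves are in sync` and exits 0 for a broken sentinel; guard it with `if [ "$total_count" -eq 0 ]; then echo "UNKNOWN - no slave reported by sentinel"; exit 3; fi` before the comparison. `for line in $input` splits on any whitespace, so a value containing a space breaks the `name=`/`master-link-status=` pairing; the commented-out `while read -r line` loop is the right form, fed from a here-document so the counters survive. The `mktemp --tmpdir $(basename "$0").XXXXXXXXXX` argument is unquoted, and port `6380` and master name `redis` are hard-coded, which the header comment should state. Typos: `synchroniation`, `Sentinal`.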
From 519ef930df2525ac8fdb7beda350b11c4a299986 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Tue, 21 Jun 2022 15:13:33 +0200 Subject: [PATCH 117/497] Update PermitRootLogin task to work on Debian 11 --- CHANGELOG.md | 3 +++ evolinux-base/tasks/root.yml | 2 +- evolinux-users/tasks/ssh.yml | 2 +- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 66f33653..deb6642c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,9 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Fixed +* evolinux-base : Update PermitRootLogin task to work on Debian 11 +* evolinux-user : Update PermitRootLogin task to work on Debian 11 + ### Removed ### Security diff --git a/evolinux-base/tasks/root.yml b/evolinux-base/tasks/root.yml index df50d977..3e3d6add 100644 --- a/evolinux-base/tasks/root.yml +++ b/evolinux-base/tasks/root.yml @@ -91,7 +91,7 @@ - name: disable SSH access for root replace: dest: /etc/ssh/sshd_config - regexp: '^PermitRootLogin (yes|without-password|prohibit-password)' + regexp: '^#?PermitRootLogin (yes|without-password|prohibit-password)' replace: "PermitRootLogin no" validate: '/usr/sbin/sshd -t -f %s' notify: reload sshd diff --git a/evolinux-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml index ac2fdf12..b0bf8b58 100644 --- a/evolinux-users/tasks/ssh.yml +++ b/evolinux-users/tasks/ssh.yml @@ -56,7 +56,7 @@ - name: disable root login replace: dest: /etc/ssh/sshd_config - regexp: '^PermitRootLogin (yes|without-password|prohibit-password)' + regexp: '^#PermitRootLogin (yes|without-password|prohibit-password)' replace: "PermitRootLogin no" notify: reload sshd when: evolinux_root_disable_ssh | bool -- 2.39.2 From abb14e5b52fd2e83bef96e7727b63b7ed95a7d4d Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour
Date: Wed, 22 Jun 2022 15:32:10 +0200
Subject: [PATCH 118/497] haproxy: add haproxy_allow_ip_nonlocal_bind to set sysctl value
---
CHANGELOG.md | 2 ++
haproxy/defaults/main.yml | 2 ++
haproxy/tasks/main.yml | 13 +++++++++++++
3 files changed, 17 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index deb6642c..9c4b3dd5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,8 @@ The **patch** part changes is incremented if multiple releases happen the same m
### Added
+* haproxy: add haproxy_allow_ip_nonlocal_bind to set sysctl value (optional)
+
### Changed
### Fixed
diff --git a/haproxy/defaults/main.yml b/haproxy/defaults/main.yml
index 0745f1a9..50f6bb48 100644
--- a/haproxy/defaults/main.yml
+++ b/haproxy/defaults/main.yml
@@ -35,3 +35,5 @@ haproxy_deny_ips: []
haproxy_backports_packages_stretch: haproxy libssl1.0.0
haproxy_backports_packages_buster: haproxy
haproxy_backports_packages_bullseye: haproxy
+
+haproxy_allow_ip_nonlocal_bind: Null
\ No newline at end of file
diff --git a/haproxy/tasks/main.yml b/haproxy/tasks/main.yml
index d29e3cbc..d38e83af 100644
--- a/haproxy/tasks/main.yml
+++ b/haproxy/tasks/main.yml
@@ -134,4 +134,17 @@
- haproxy
- logrotate
+- name: Set net.ipv4.ip_nonlocal_bind
+ sysctl:
+ name: net.ipv4.ip_nonlocal_bind
+ value: "{{ haproxy_allow_ip_nonlocal_bind | ternary('1','0') }}"
+ sysctl_file: "{{ evolinux_kernel_sysctl_path | default('/etc/sysctl.d/evolinux.conf') }}"
+ state: present
+ reload: yes
+ tags:
+ - haproxy
+ when:
+ - haproxy_allow_ip_nonlocal_bind is defined
+ - haproxy_allow_ip_nonlocal_bind is not none
+
- include: munin.yml
--
2.39.2
From 205e69935598ff544fcf628218641ca5a2f4e829 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Wed, 22 Jun 2022 17:20:15 +0200
Subject: [PATCH 119/497] minifirewall: docker mode is configurable
---
CHANGELOG.md | 5 +++--
minifirewall/tasks/config.yml | 2 +-
2 files changed, 4 insertions(+), 3 deletions(-)
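Review bot: `value: "{{ haproxy_allow_ip_nonlocal_bind | ternary('1','0') }}"` tests the raw truthiness of the variable, so a string such as `"false"` or `"no"` arriving from `-e` or a quoted inventory value yields `'1'`; `haproxy_allow_ip_nonlocal_bind | bool | ternary('1','0')` gives the intended result. With the default set to `Null` in haproxy/defaults/main.yml the `is defined` condition is always true and only `is not none` does the work; keeping both is harmless, but a comment on the default (`# Null: leave the sysctl untouched; True/False: set it to 1/0`) would make the three-state contract explicit. Writing into the shared `evolinux_kernel_sysctl_path` file means another role managing the same key in that file could flip it back; if that is the case, a dedicated `/etc/sysctl.d/haproxy.conf` avoids the conflict.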
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9c4b3dd5..c280565b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,8 +18,9 @@ The **patch** part changes is incremented if multiple releases happen the same m
### Fixed
-* evolinux-base : Update PermitRootLogin task to work on Debian 11
-* evolinux-user : Update PermitRootLogin task to work on Debian 11
+* evolinux-base: Update PermitRootLogin task to work on Debian 11
+* evolinux-user: Update PermitRootLogin task to work on Debian 11
+* minifirewall: docker mode is configurable
### Removed
diff --git a/minifirewall/tasks/config.yml b/minifirewall/tasks/config.yml
index 1ddb9695..c11b83e8 100644
--- a/minifirewall/tasks/config.yml
+++ b/minifirewall/tasks/config.yml
@@ -70,7 +70,7 @@
# WARNING : If the port mapping is different between the host and the container
# (ie: Listen on :8090 on host, but :8080 in container)
# then you need to give the port used inside the container
- DOCKER='off'
+ DOCKER='{{ minifirewall_docker }}'
# Trusted IPv4 local network
# ...will be often IP/32 if you don't trust anything
--
2.39.2
From 835072c1e2cde8240d65a8fa3105f5476c3f9b15 Mon Sep 17 00:00:00 2001
From: David Prevot
Date: Mon, 2 May 2022 10:27:32 +0200
Subject: [PATCH 120/497] CI: Support Jenkins
---
.Jenkinsfile | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 50 insertions(+)
create mode 100644 .Jenkinsfile
diff --git a/.Jenkinsfile b/.Jenkinsfile
new file mode 100644
index 00000000..3f488638
--- /dev/null
+++ b/.Jenkinsfile
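Review bot: `DOCKER='{{ minifirewall_docker }}'` introduces a variable that this commit does not define anywhere (the diffstat lists only CHANGELOG.md and config.yml), so unless `minifirewall_docker` already exists in the role's defaults the template fails to render on every host that does not set it, where the previous value was the literal `off`; either add `minifirewall_docker: "off"` to defaults or write `DOCKER='{{ minifirewall_docker | default('off') }}'`. The enclosing `content:` block starts outside the hunk. A short comment above the line naming the accepted values (presumably `on`/`off`, matching the old literal) would help, since the CHANGELOG entry does not say what the knob expects.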
@@ -0,0 +1,50 @@ +pipeline { + agent { label 'docker' } + + environment { + ROLES_VERSION = "${env.GIT_COMMIT}" + } + + stages { + stage('Build tagged docker image') { + when { + buildingTag() + } + steps { + script { + def im = docker.build("evolix/ansible-roles:build${env.BUILD_ID}") + im.inside { + sh 'echo Test needed' + } + def version = TAG_NAME + def versions = version.split('\\.') + def major = versions[0] + def minor = versions[0] + '.' + versions[1] + def patch = version.trim() + /* No crendentials yet + im.push(major) + im.push(minor) + im.push(patch) + */ + } + } + } + + stage('Build latest docker image') { + when { + branch 'unstable' + } + steps { + script { + def im = docker.build("evolix/ansible-roles:build${env.BUILD_ID}") + im.inside { + sh 'echo Test needed' + } + /* No crendentials yet + im.push('latest') + */ + } + } + } + } +} -- 2.39.2 From 07c3c0226f86205c16405472cfffdb7765bbf0a7 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Wed, 29 Jun 2022 16:09:04 +0200 Subject: [PATCH 121/497] openvpn: minimal rights on /etc/shellpki/ and crl.pem --- CHANGELOG.md | 2 ++ openvpn/tasks/debian.yml | 4 ++-- openvpn/tasks/openbsd.yml | 4 ++-- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c280565b..ea992fc6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* openvpn: minimal rights on /etc/shellpki/ and crl.pem + ### Fixed * evolinux-base: Update PermitRootLogin task to work on Debian 11 diff --git a/openvpn/tasks/debian.yml b/openvpn/tasks/debian.yml index 3ace1f4c..8a9978d9 100644 --- a/openvpn/tasks/debian.yml +++ b/openvpn/tasks/debian.yml 
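Review bot: `major`, `minor` and `patch` are computed but unused while the `im.push()` calls are commented out, so the tag parsing is dead code that will drift from the real push logic; either drop it for now or keep the push lines and gate them on the registry credentials being configured. When credentials are added, wrap the pushes in `docker.withRegistry(registryUrl, credentialsId) { ... }` rather than referencing a secret in the pipeline text, and fix `crendentials` in both comments. The `sh 'echo Test needed'` placeholder deserves a `// TODO:` marker so it is not mistaken for a passing test.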
@@ -74,8 +74,8 @@
insertafter: "{{ item.insertafter }}"
line: "{{ item.line }}"
with_items:
- - { regexp: '^ chmod 644 /etc/shellpki/crl.pem$', line: " chmod 644 /etc/shellpki/crl.pem", insertafter: '^ chmod 640 "\${CACERT}"$' }
- - { regexp: '^ chmod 755 /etc/shellpki/$', line: " chmod 755 /etc/shellpki/", insertafter: '^ chmod 644 /etc/shellpki/crl.pem$' }
+ - { regexp: '^ chmod 604 /etc/shellpki/crl.pem$', line: " chmod 604 /etc/shellpki/crl.pem", insertafter: '^ chmod 640 "\${CACERT}"$' }
+ - { regexp: '^ chmod 751 /etc/shellpki/$', line: " chmod 751 /etc/shellpki/", insertafter: '^ chmod 604 /etc/shellpki/crl.pem$' }
- name: Deploy OpenVPN server config
template:
diff --git a/openvpn/tasks/openbsd.yml b/openvpn/tasks/openbsd.yml
index 18cd0156..d3238cea 100644
--- a/openvpn/tasks/openbsd.yml
+++ b/openvpn/tasks/openbsd.yml
@@ -65,8 +65,8 @@
insertafter: "{{ item.insertafter }}"
line: "{{ item.line }}"
with_items:
- - { regexp: '^ chmod 644 /etc/shellpki/crl.pem$', line: " chmod 644 /etc/shellpki/crl.pem", insertafter: '^ chmod 640 "\${CACERT}"$' }
- - { regexp: '^ chmod 755 /etc/shellpki/$', line: " chmod 755 /etc/shellpki/", insertafter: '^ chmod 644 /etc/shellpki/crl.pem$' }
+ - { regexp: '^ chmod 604 /etc/shellpki/crl.pem$', line: " chmod 604 /etc/shellpki/crl.pem", insertafter: '^ chmod 640 "\${CACERT}"$' }
+ - { regexp: '^ chmod 751 /etc/shellpki/$', line: " chmod 751 /etc/shellpki/", insertafter: '^ chmod 604 /etc/shellpki/crl.pem$' }
- name: Deploy OpenVPN server config
template:
--
2.39.2
From 68ac8fc058e077f3c678a89a323b020c1d650612 Mon Sep 17 00:00:00 2001
From: Jeremy Dubois
Date: Thu, 30 Jun 2022 10:11:12 +0200
Subject: [PATCH 122/497] openvpn: configure logrotate
---
CHANGELOG.md | 1 +
openvpn/files/logrotate_openvpn | 10 ++++++++++
openvpn/tasks/debian.yml | 6 ++++++
3 files changed, 17 insertions(+)
create mode 100644 openvpn/files/logrotate_openvpn
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ea992fc6..d2a42256 100644
--- a/CHANGELOG.md
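Review bot: Both items now only match the new modes (`regexp: '^ chmod 604 /etc/shellpki/crl.pem$'`, `'^ chmod 751 /etc/shellpki/$'`), so on a host where an earlier run already inserted the `chmod 644` / `chmod 755` lines those lines are neither matched nor removed; as far as lineinfile's `insertafter` semantics go, the new line lands right after `chmod 640 "${CACERT}"`, i.e. above the old one, which then runs last and keeps the wider permissions. Matching any mode, `regexp: '^ chmod [0-7]+ /etc/shellpki/crl.pem$'` and `regexp: '^ chmod [0-7]+ /etc/shellpki/$'`, makes the tightening idempotent on existing hosts; the same applies to the openbsd.yml hunk below. The module whose `with_items` this is starts outside the hunk, so the `state`/`path` it operates on cannot be checked here.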
+++ b/CHANGELOG.md @@ -13,6 +13,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added * haproxy: add haproxy_allow_ip_nonlocal_bind to set sysctl value (optional) +* openvpn: configure logrotate ### Changed diff --git a/openvpn/files/logrotate_openvpn b/openvpn/files/logrotate_openvpn new file mode 100644 index 00000000..e240faf6 --- /dev/null +++ b/openvpn/files/logrotate_openvpn @@ -0,0 +1,10 @@ +/var/log/openvpn.log +{ + weekly + rotate 52 + missingok + notifempty + delaycompress + compress + copytruncate +} diff --git a/openvpn/tasks/debian.yml b/openvpn/tasks/debian.yml index 8a9978d9..4c2f6c5d 100644 --- a/openvpn/tasks/debian.yml +++ b/openvpn/tasks/debian.yml @@ -149,6 +149,12 @@ value: "1" sysctl_file: "/etc/sysctl.d/openvpn.conf" +- name: Configure logrotate for OpenVPN + copy: + src: logrotate_openvpn + dest: /etc/logrotate.d/openvpn + force: no + - name: Generate a password for the management interface set_fact: management_pwd: "{{ lookup('password', '/dev/null length=15 chars=ascii_letters,digits') }}" -- 2.39.2 From 34a3591192eec1b3c4a358f0e925661d117c1723 Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Tue, 5 Jul 2022 10:16:47 +0200 Subject: [PATCH 123/497] Fix depreciation of drbd-overview by drbdadm status --- kvm-host/files/add-vm.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kvm-host/files/add-vm.sh b/kvm-host/files/add-vm.sh index 51b5c737..78acfe1c 100755 --- a/kvm-host/files/add-vm.sh +++ b/kvm-host/files/add-vm.sh @@ -219,7 +219,7 @@ ${drbdadm} -- --overwrite-data-of-peer primary "${vmName}" if ! isDryRun; then sleep 5 - drbd-overview | tail -4 + drbdadm status | tail -4 drbdDiskPath="/dev/drbd/by-res/${vmName}/0" if ! [ -b "${drbdDiskPath}" ]; then -- 2.39.2 From 028bfe209a88ad88bf166b0c298c9a3bc742dcdd Mon Sep 17 00:00:00 2001 
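Review bot: `force: no` on the `Configure logrotate for OpenVPN` copy task means the file is only written when `/etc/logrotate.d/openvpn` is absent, so any later change to `openvpn/files/logrotate_openvpn` silently never reaches hosts that already have one; if the intent is to preserve local edits, say so (`# force: no — keep local edits once deployed`), otherwise drop it. The task sets no `owner`/`mode`; logrotate refuses configuration files with insecure ownership or mode, so `owner: root` and `mode: "0644"` make the expectation explicit instead of relying on the umask. `copytruncate` in the new stanza is the right choice because nothing tells openvpn to reopen `/var/log/openvpn.log`, which is worth a one-line comment in that file.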
From: Eric Morino
Date: Tue, 5 Jul 2022 10:18:49 +0200
Subject: [PATCH 124/497] Add change in kvm-host
---
CHANGELOG.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d2a42256..5f430136 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
* haproxy: add haproxy_allow_ip_nonlocal_bind to set sysctl value (optional)
* openvpn: configure logrotate
+* kvm-host: fix depreciation of "drbd-overview" by "drbdadm status" in add-vm.sh
### Changed
--
2.39.2
From e198cf67dc4e06ca7320ad924d29621b300fa703 Mon Sep 17 00:00:00 2001
From: Ludovic Poujol
Date: Tue, 5 Jul 2022 11:26:36 +0200
Subject: [PATCH 125/497] evoadmin-web: Update comment in template on how password hashes should be generated
---
webapps/evoadmin-web/templates/config.local.php.j2 | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/webapps/evoadmin-web/templates/config.local.php.j2 b/webapps/evoadmin-web/templates/config.local.php.j2
index d4cd4903..335bc34b 100644
--- a/webapps/evoadmin-web/templates/config.local.php.j2
+++ b/webapps/evoadmin-web/templates/config.local.php.j2
@@ -6,11 +6,11 @@ $localconf['debug'] = FALSE; $localconf['superadmin'] = array(); $localconf['script_path'] = '{{ evoadmin_scripts_dir }}'; $localconf['cluster'] = FALSE; -// auth (sha256 hashs) / echo -n YourPass | sha256sum -$oriconf['logins'] = array(); -//$oriconf['logins']['foo'] = 'd5d3c723fb82cb0078f399888af78204234535ec2ef3da56710fdd51f90d2477'; -//$oriconf['logins']['bar'] = '7938c84d6e43d1659612a7ea7c1101ed02e52751bb64597a8c20ebaba8ba4303'; +// Generate password hashes : mkpasswd --method=sha-512 (cli) or with PHP's password_hash() +$localconf['logins'] = array(); +//$localconf['logins']['foo'] = '$6$X0jqa/ausLSBkj4m$dLMMcPGVxak.aDPo4V/GJLm2d8vU8/QA5LbGTuqXCdxSNYU0kRKBgDl16GAyp0GqXXZ5wwDEJKQ1npgFwiuV81'; +//$localconf['logins']['bar'] = '$6$Q6233S6mlWAF6p.j$LtzwG02YucozwqjAgSpeldh24Mnz7lBuVSbOQYbKKh9FiUx3tMVl6kJZkmrNdPqeadFXKAYXrqn.gy8KposF5.'; {% if evoadmin_multiphp_versions != [] %} $localconf['php_versions'] = array( {{ evoadmin_multiphp_versions | join(', ') | replace('php', '') }} ); -- 2.39.2 From 71879b999c22b47927ac7fab6c588d3571263b08 Mon Sep 17 00:00:00 2001 From: Brice Waegeneire Date: Wed, 1 Jun 2022 16:42:36 +0200 Subject: [PATCH 126/497] nginx: Start server once. Nginx is already started at the end of the main task. Starting the service before we configure it correctly can put the role as failed if the default configuration don't work on the host. --- evolinux-base/tasks/top.yml | 8 +++----- nginx/tasks/packages.yml | 9 --------- 2 files changed, 3 insertions(+), 14 deletions(-) diff --git a/evolinux-base/tasks/top.yml b/evolinux-base/tasks/top.yml index 64fdf6b6..367791e7 100644 --- a/evolinux-base/tasks/top.yml +++ b/evolinux-base/tasks/top.yml @@ -1,7 +1,5 @@ --- - name: Deploy top configuration file - copy: - # The config format is unredable; ATM it only add the SWAP column - src: topdefaultrc - dest: /etc/topdefaultrc - mode: "0644" + file: + path: /etc/topdefaultrc + state: absent 
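Review bot: The new comment recommends two generators that emit different formats: `mkpasswd --method=sha-512` yields a `$6$` SHA-512 crypt string (as in the examples), while PHP's `password_hash()` defaults to bcrypt (`$2y$`); both verify with `password_verify()`, so the comment should name the function the application uses, e.g. `// hashes are checked with password_verify(); any crypt(3) format it accepts is fine`, so a reader knows the `$6$` form is not the only one allowed. Renaming `$oriconf['logins']` to `$localconf['logins']` changes which array the login code reads; that is presumably the intended fix for an earlier copy-paste slip, but it is not mentioned in the commit message.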
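Review bot: The evolinux-base/tasks/top.yml hunk replaces the deployment of `/etc/topdefaultrc` with `state: absent`, which deletes the file on every managed host, yet the commit message talks only about nginx being started once; this is a separate, user-visible change and belongs in its own commit or at least in the message and CHANGELOG. The task name `Deploy top configuration file` is now wrong for a task that removes it; `Remove obsolete top configuration file` matches the new behaviour.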
diff --git a/nginx/tasks/packages.yml b/nginx/tasks/packages.yml
index f9a500c0..f2c0596f 100644
--- a/nginx/tasks/packages.yml
+++ b/nginx/tasks/packages.yml
@@ -16,12 +16,3 @@
tags:
- nginx
- packages
-
-- name: Service is running as configured.
- service:
- name: nginx
- state: "{{ nginx_service_state }}"
- enabled: "{{ nginx_service_enabled }}"
- tags:
- - nginx
- - packages
--
2.39.2
From 4d50bab03bd4aace1a9e281069f1b05af38af955 Mon Sep 17 00:00:00 2001
From: Brice Waegeneire
Date: Tue, 5 Jul 2022 15:55:47 +0200
Subject: [PATCH 127/497] base: Extract dump-server-state in task file
---
evolinux-base/tasks/dump-server-state.yml | 15 +++++++++++++++
evolinux-base/tasks/utils.yml | 17 ++---------------
2 files changed, 17 insertions(+), 15 deletions(-)
create mode 100644 evolinux-base/tasks/dump-server-state.yml
diff --git a/evolinux-base/tasks/dump-server-state.yml b/evolinux-base/tasks/dump-server-state.yml
new file mode 100644
index 00000000..7d4a55cd
--- /dev/null
+++ b/evolinux-base/tasks/dump-server-state.yml
@@ -0,0 +1,15 @@
+- name: dump-server-state script is present
+ copy:
+ src: "dump-server-state.sh"
+ dest: /usr/local/sbin/dump-server-state
+ force: True
+ owner: root
+ group: root
+ mode: "0750"
+
+- name: symlink backup-server-state to dump-server-state
+ file:
+ src: /usr/local/sbin/dump-server-state
+ dest: /usr/local/sbin/backup-server-state
+ state: link
+ force: yes
diff --git a/evolinux-base/tasks/utils.yml b/evolinux-base/tasks/utils.yml
index 6c9e27b0..8236bd92 100644
--- a/evolinux-base/tasks/utils.yml
+++ b/evolinux-base/tasks/utils.yml
@@ -3,21 +3,8 @@
- include_role:
name: evolix/remount-usr
-- name: dump-server-state script is present
- copy:
- src: "dump-server-state.sh"
- dest: /usr/local/sbin/dump-server-state
- force: True
- owner: root
- group: root
- mode: "0750"
-
-- name: symlink backup-server-state to dump-server-state
- file:
- src: /usr/local/sbin/dump-server-state
- dest: /usr/local/sbin/backup-server-state
- state: link
- force: yes
+- include_tasks:
+ file: dump-server-state.yml
- name: "/sbin/deny script is present"
copy:
--
2.39.2
From 6d73acc866f1c33a82cfe3b3b67836a363954c60 Mon Sep 17 00:00:00 2001
From: Brice Waegeneire
Date: Tue, 5 Jul 2022 16:00:22 +0200
Subject: [PATCH 128/497] Add nagios check mount rw
---
nagios-nrpe/files/plugins/check_readwrite | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
create mode 100755 nagios-nrpe/files/plugins/check_readwrite
diff --git a/nagios-nrpe/files/plugins/check_readwrite b/nagios-nrpe/files/plugins/check_readwrite
new file mode 100755
index 00000000..578d9740
--- /dev/null
+++ b/nagios-nrpe/files/plugins/check_readwrite
@@ -0,0 +1,20 @@
+#!/bin/sh
+#
+# Verify mounted filesystems are readable and writable.
+
+filesystems=$*
+
+exit_code=0
+for filesystem in $filesystems; do
+ if findmnt --options ro --noheadings "${filesystem}"; then
+ exit_code=2
+ fi
+done
+
+if [ $exit_code != 0 ]; then
+ echo "CRITICAL - Above filesystems aren't monted in read and write mode"
+else
+ echo "OK - All fine"
+fi
+
+exit "${exit_code}"
--
2.39.2
From 0a3bfd7f270763b6883ff07a43acab2fa5ecb5d0 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Wed, 6 Jul 2022 14:24:38 +0200
Subject: [PATCH 129/497] evolinux-base: session timeout is configurable
---
CHANGELOG.md | 1 +
evolinux-base/defaults/main.yml | 1 +
evolinux-base/tasks/system.yml | 3 ++-
3 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5f430136..43aa9b9b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
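Review bot: In check_readwrite, `findmnt --options ro --noheadings "${filesystem}"` prints the matching mount entry to stdout before the `CRITICAL - ...` line, and Nagios/NRPE take the first output line as the service status text, so the summary shows a raw mount line instead of the CRITICAL message; the `Above filesystems` wording depends on that accidental output. A path that is not mounted at all makes `findmnt` return non-zero, which the loop counts as read-write, and an empty argument list yields `OK - All fine`; the rewrite below silences findmnt, treats an unmounted path as a failure, lists the failing paths in the status line and exits 3 when nothing was given to check. Typo: `monted`.

```sh
filesystems=$*

if [ -z "${filesystems}" ]; then
    echo "UNKNOWN - no filesystem given to check"
    exit 3
fi

exit_code=0
failed=""
for filesystem in $filesystems; do
    # not mounted at all, or mounted with the 'ro' option: both are failures
    if ! findmnt --noheadings "${filesystem}" >/dev/null 2>&1 \
        || findmnt --options ro --noheadings "${filesystem}" >/dev/null 2>&1; then
        exit_code=2
        failed="${failed} ${filesystem}"
    fi
done

if [ "${exit_code}" != 0 ]; then
    echo "CRITICAL - not mounted read-write:${failed}"
else
    echo "OK - All fine"
fi
# … unchanged: exit "${exit_code}" …
```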
@@ -12,6 +12,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
### Added
+* evolinux-base: session timeout is configurable (default: 36000 seconds = 10 hours)
* haproxy: add haproxy_allow_ip_nonlocal_bind to set sysctl value (optional)
* openvpn: configure logrotate
* kvm-host: fix depreciation of "drbd-overview" by "drbdadm status" in add-vm.sh
diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml
index 6f28fd5e..ee307015 100644
--- a/evolinux-base/defaults/main.yml
+++ b/evolinux-base/defaults/main.yml
@@ -107,6 +107,7 @@ evolinux_system_profile: True
evolinux_system_dirmode_adduser: True
evolinux_system_restrict_securetty: False
evolinux_system_set_timeout: True
+evolinux_system_timeout: 36000
evolinux_system_cron_verboselog: True
evolinux_system_cron_umask: True
evolinux_system_cron_random: True
diff --git a/evolinux-base/tasks/system.yml b/evolinux-base/tasks/system.yml
index e5363fed..5d71e827 100644
--- a/evolinux-base/tasks/system.yml
+++ b/evolinux-base/tasks/system.yml
@@ -77,7 +77,8 @@
- name: Setting TMOUT to disconnect inactive users
lineinfile:
dest: /etc/profile.d/evolinux.sh
- line: "export TMOUT=36000"
+ line: "export TMOUT={{ evolinux_system_timeout }}"
+ regexp: "^export TMOUT="
create: yes
state: present
when: evolinux_system_set_timeout | bool
--
2.39.2
From a3873044837fada56403446c48c575032a8a5efe Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Wed, 6 Jul 2022 14:26:13 +0200
Subject: [PATCH 130/497] Fix CHANGELOG
---
CHANGELOG.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 43aa9b9b..9201a629 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
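Review bot: The added `regexp: "^export TMOUT="` is what keeps the task idempotent when `evolinux_system_timeout` changes, which is worth stating on the task (`# regexp: rewrite the existing TMOUT line instead of appending a second one`). Since the snippet is a plain `export`, an interactive user can `unset TMOUT` and defeat the timeout; if the intent is enforcement rather than a default, the profile line needs a `readonly TMOUT` after the export, and that choice should be documented next to `evolinux_system_timeout: 36000` in defaults (`# seconds of shell inactivity before logout; only enforced for shells that honour TMOUT`).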
@@ -14,8 +14,8 @@ The **patch** part changes is incremented if multiple releases happen the same m
* evolinux-base: session timeout is configurable (default: 36000 seconds = 10 hours)
* haproxy: add haproxy_allow_ip_nonlocal_bind to set sysctl value (optional)
-* openvpn: configure logrotate
* kvm-host: fix depreciation of "drbd-overview" by "drbdadm status" in add-vm.sh
+* openvpn: configure logrotate
### Changed
--
2.39.2
From 53847d99195aa6d35a5f64dda988b2c2ae3b625b Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Wed, 6 Jul 2022 18:02:42 +0200
Subject: [PATCH 131/497] Release 22.07
---
CHANGELOG.md | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9201a629..2429f2fe 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,18 @@ The **patch** part changes is incremented if multiple releases happen the same m
### Added
+### Changed
+
+### Fixed
+
+### Removed
+
+### Security
+
+## [22.07] 2022-07-06
+
+### Added
+
* evolinux-base: session timeout is configurable (default: 36000 seconds = 10 hours)
* haproxy: add haproxy_allow_ip_nonlocal_bind to set sysctl value (optional)
* kvm-host: fix depreciation of "drbd-overview" by "drbdadm status" in add-vm.sh
@@ -27,10 +39,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
* evolinux-user: Update PermitRootLogin task to work on Debian 11
* minifirewall: docker mode is configurable
-### Removed
-
-### Security
-
## [22.06.3] 2022-06-17
### Changed
--
2.39.2
From e0c95b4c7868dafebcf64c09155ba13daea19b95 Mon Sep 17 00:00:00 2001
From: Bruno TATU
Date: Fri, 8 Jul 2022 11:26:00 +0200
Subject: [PATCH 132/497] Ensure apply dbpurgeage from stretch and buster for fail2ban
---
fail2ban/tasks/fix-dbpurgeage.yml | 19 +++++++++++++++++++
fail2ban/tasks/main.yml | 9 ++++++++-
fail2ban/templates/fail2ban_dbpurge.j2 | 3 +++
fail2ban/tests/test.yml | 4 +++-
4 files changed, 33 insertions(+), 2 deletions(-)
create mode 100644 fail2ban/tasks/fix-dbpurgeage.yml
create mode 100644 fail2ban/templates/fail2ban_dbpurge.j2
diff --git a/fail2ban/tasks/fix-dbpurgeage.yml b/fail2ban/tasks/fix-dbpurgeage.yml
new file mode 100644
index 00000000..67819a3f
--- /dev/null
+++ b/fail2ban/tasks/fix-dbpurgeage.yml
@@ -0,0 +1,19 @@
+- name: Sqlite needed
+ ansible.builtin.apt:
+ name:
+ - sqlite3
+ state: present
+
+- name: Register bantime from default config from package
+ shell: "grep -R -E 'dbpurgeage[[:blank:]]*=[[:blank:]]*[0-9]+' /etc/fail2ban/fail2ban.conf |awk '{print $3}'|head -n1"
+ register: default_dbpurgeage
+ changed_when: false
+ check_mode: false
+
+- name: Add crontab
+ template:
+ src: fail2ban_dbpurge.j2
+ dest: /etc/cron.daily/fail2ban_dbpurge
+ mode: 0700
+ owner: root
+ group: root
diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml
index 56378c9b..08478112 100644
--- a/fail2ban/tasks/main.yml
+++ b/fail2ban/tasks/main.yml
@@ -103,4 +103,11 @@
mode: "0644"
notify: restart fail2ban
when:
- - fail2ban_recidive
\ No newline at end of file
+ - fail2ban_recidive
+
+- name: Fix dbpurgeage for stretch and buster
+ include: fix-dbpurgeage.yml
+ when:
+ - ansible_distribution_release == "stretch" or ansible_distribution_release == "buster"
+ tags:
+ - fail2ban
diff --git a/fail2ban/templates/fail2ban_dbpurge.j2 b/fail2ban/templates/fail2ban_dbpurge.j2
new file mode 100644
index 00000000..1611bcbd
--- /dev/null
+++ b/fail2ban/templates/fail2ban_dbpurge.j2
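Review bot: The task named `Register bantime from default config from package` actually extracts `dbpurgeage`, and `[0-9]+` followed by `awk '{print $3}'` also accepts unit-suffixed values such as `1d`, so `default_dbpurgeage.stdout` may be either a bare number of seconds or a fail2ban duration string; name the task after what it captures and note both shapes in a comment, because the template that consumes it cannot tell them apart. `mode: 0700` is an unquoted YAML octal; `mode: "0700"` is the unambiguous form ansible-lint asks for. `grep -R` on a single file is a no-op flag that hides the intent; `grep -E` alone is enough. The `shell` task has no `failed_when`, so a missing fail2ban.conf fails the play, which may be acceptable but differs from the `failed_when: False` style used elsewhere in this series.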
@@ -0,0 +1,3 @@
+#!/bin/sh
+# Juin 2022 : #64088
+/usr/bin/sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "DELETE FROM bans WHERE date('now', '-{{ fail2ban_recidive_bantime | default(default_dbpurgeage.stdout) }}') > datetime(timeofban, 'unixepoch'); VACUUM;"
diff --git a/fail2ban/tests/test.yml b/fail2ban/tests/test.yml
index 67c6e10c..59e70a73 100644
--- a/fail2ban/tests/test.yml
+++ b/fail2ban/tests/test.yml
@@ -1,4 +1,6 @@
---
-- hosts: test-kitchen
+- hosts: all
+ become: yes
+# gather_facts: no
roles:
- role: fail2ban
--
2.39.2
From 213c6dd6ac2a52a004ad633d3d7c4c4aedc8b82d Mon Sep 17 00:00:00 2001
From: Bruno TATU
Date: Fri, 8 Jul 2022 11:28:29 +0200
Subject: [PATCH 133/497] Add change for fail2ban role
---
CHANGELOG.md | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2429f2fe..9b2ccee7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -20,6 +20,12 @@ The **patch** part changes is incremented if multiple releases happen the same m
### Security
+## [22.07] 2022-07-08
+
+### Added
+
+* fail2ban: Ensure apply dbpurgeage from stretch and buster
+
## [22.07] 2022-07-06
### Added
--
2.39.2
From 0b41efd188e07f369b004b52cb83ffabaf9ee343 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Mon, 18 Jul 2022 15:54:42 +0200
Subject: [PATCH 134/497] mongodb: replace version_compare() with version()
---
CHANGELOG.md | 2 ++
mongodb/tasks/main_bullseye.yml | 2 +-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9b2ccee7..82e65832 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,8 @@ The **patch** part changes is incremented if multiple releases happen the same m
### Changed
+* mongodb: replace version_compare() with version()
+
### Fixed
### Removed
diff --git a/mongodb/tasks/main_bullseye.yml b/mongodb/tasks/main_bullseye.yml
index e31ffed3..78459863 100644
--- a/mongodb/tasks/main_bullseye.yml
+++ b/mongodb/tasks/main_bullseye.yml
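Review bot: `date('now', '-{{ ... }}')` passes a bare value as the SQLite modifier; as far as I can tell from SQLite's date-function semantics a modifier needs a unit (`-86400 seconds`, `-1 days`), and with an unrecognised modifier `date()` returns NULL, so `NULL > datetime(...)` is never true and the DELETE silently removes nothing — `1d`, the form buster's fail2ban.conf uses, has the same problem. Normalise the value to seconds in the task that registers it and write `date('now', '-{{ ... }} seconds')`, and run the statement once against a copy of the database before trusting the cron job. Running `sqlite3` with `VACUUM` on the live `/var/lib/fail2ban/fail2ban.sqlite3` while fail2ban holds it open can fail with `database is locked`, and the script does not check the exit status, so that failure would also be silent. The header comment should say what `#64088` refers to, since the number is only meaningful inside the team's tracker.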
@@ -4,7 +4,7 @@ msg: Not compatible with Debian 11 (Bullseye) when: - ansible_distribution_release == "bullseye" - - mongodb_version is version_compare('5.0', '<=') + - mongodb_version is version('5.0', '<=') - name: MongoDB embedded GPG key is absent -- 2.39.2 From 2e54944a246e21c56eaba0a8ee77cc71aec6b647 Mon Sep 17 00:00:00 2001 From: "William Hirigoyen (Evolix)" Date: Tue, 19 Jul 2022 15:01:20 +0200 Subject: [PATCH 135/497] [packweb-apache] Do gzip logs after web server reload instead of before to address 'file size changed while zipping' error. --- packweb-apache/files/userlogrotate | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/packweb-apache/files/userlogrotate b/packweb-apache/files/userlogrotate index 897c077b..deaf850a 100644 --- a/packweb-apache/files/userlogrotate +++ b/packweb-apache/files/userlogrotate @@ -5,7 +5,6 @@ HOMEPREFIX="/home" rotate () { mv $1 $1.$DATE - gzip $1.$DATE touch $1 chown $2 $1 chmod g+r $1 @@ -36,5 +35,21 @@ fi; test -x /usr/sbin/nginx && invoke-rc.d nginx rotate >/dev/null 2>&1 +# Zipping is done after web serveur reload, so that the file descriptor is released. +# Else, an error is raised (gzip file size changed while zipping) +# and logs written buring the zipping process might be lost. + +for log in access.log access-*.log error.log; do + for i in `ls -1 -d $HOMEPREFIX/*/log/$log 2>/dev/null | grep -v \.bak\.`; do + gzip $i + done +done + +for log in production.log delayed_job.log development.log test.log; do + for i in `ls -1 -d $HOMEPREFIX/*/www/{,current/}log/$log 2>/dev/null | grep -v \.bak\.`; do + gzip $i + done +done + # we want exit 0 true -- 2.39.2 From 9742ec078e20313fd23e0a7bf012ba12e2409ebf Mon Sep 17 00:00:00 2001 From: "William Hirigoyen (Evolix)" Date: Tue, 19 Jul 2022 15:04:25 +0200 Subject: [PATCH 136/497] [packweb-apache] Fix unsecable spaces --- packweb-apache/files/userlogrotate | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
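Review bot: The new gzip loops appear to compress the live log rather than the rotated one: `rotate()` in the first hunk moves `$1` to `$1.$DATE` and recreates `$1`, yet the second hunk globs `$HOMEPREFIX/*/log/$log` (e.g. `access.log`), which now names the freshly touched file the web server is writing to, while `access.log.$DATE` is left uncompressed. Unless the rotation loop outside these hunks uses another naming, the pattern should be `$HOMEPREFIX/*/log/$log.$DATE`, which also makes the `grep -v \.bak\.` filter moot for these paths. Iterating the glob directly, `for i in $HOMEPREFIX/*/log/$log.$DATE; do [ -f "$i" ] && gzip "$i"; done`, avoids parsing `ls` output and the unquoted `$i` (a later commit in this series only fixes whitespace in the comment, not this).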
diff --git a/packweb-apache/files/userlogrotate b/packweb-apache/files/userlogrotate index deaf850a..2656f55d 100644 --- a/packweb-apache/files/userlogrotate +++ b/packweb-apache/files/userlogrotate @@ -35,8 +35,8 @@ fi; test -x /usr/sbin/nginx && invoke-rc.d nginx rotate >/dev/null 2>&1 -# Zipping is done after web serveur reload, so that the file descriptor is released. -# Else, an error is raised (gzip file size changed while zipping) +# Zipping is done after web serveur reload, so that the file descriptor is released. +# Else, an error is raised (gzip file size changed while zipping) # and logs written buring the zipping process might be lost. for log in access.log access-*.log error.log; do -- 2.39.2 From 8cdaee9658ff80810949dd10a4251bd6a3e6084d Mon Sep 17 00:00:00 2001 From: Alexis Ben Miloud--Josselin Date: Tue, 19 Jul 2022 15:49:25 +0200 Subject: [PATCH 137/497] [php] Corriger installation sury pour les packweb en bullseye --- php/files/sury.preferences | 2 +- php/tasks/sury_pre.yml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/php/files/sury.preferences b/php/files/sury.preferences index cc4901c2..15aa9c16 100644 --- a/php/files/sury.preferences +++ b/php/files/sury.preferences @@ -1,4 +1,4 @@ -Package: php* libapache2-mod-php* libpcre2* libzip4* +Package: php* libapache2-mod-php* libpcre2* libzip4* libgd* Pin: origin packages.sury.org Pin-Priority: 999 diff --git a/php/tasks/sury_pre.yml b/php/tasks/sury_pre.yml index c421fe04..13dcc4ec 100644 --- a/php/tasks/sury_pre.yml +++ b/php/tasks/sury_pre.yml @@ -40,3 +40,4 @@ - php-ssh2 - composer - libphp-phpmailer + when: ansible_distribution_release != "bullseye" -- 2.39.2 From 66563d0bf3893f2207bb7bd83cf0dc42f91bb42a Mon Sep 17 00:00:00 2001 
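Review bot: The `when: ansible_distribution_release != "bullseye"` appended to the package task (whose start is outside the hunk) keys on a single release name, so on the Debian release after bullseye the package list this commit found incompatible will be installed again. If the intent is "only before bullseye", `when: ansible_distribution_major_version is version('11', '<')` states it directly and matches the `version()` filter the mongodb role switched to in patch 134. A one-line comment above the condition recording why bullseye is excluded would help, since the commit message only says the sury install is being corrected.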
From: "William Hirigoyen (Evolix)" Date: Tue, 19 Jul 2022 17:19:58 +0200 Subject: [PATCH 138/497] =?UTF-8?q?[packweb-apache]=20#66841=20:=20ajout?= =?UTF-8?q?=20t=C3=A2che=20update=5Fuserlogrotate.yml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- packweb-apache/tasks/update_userlogrotate.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 packweb-apache/tasks/update_userlogrotate.yml diff --git a/packweb-apache/tasks/update_userlogrotate.yml b/packweb-apache/tasks/update_userlogrotate.yml new file mode 100644 index 00000000..a94080b0 --- /dev/null +++ b/packweb-apache/tasks/update_userlogrotate.yml @@ -0,0 +1,16 @@ +--- + +- name: "Cherche l'emplacement de userlogrotate" + ansible.builtin.find: + path: /etc + patterns: userlogrotate + register: find_logrotate + +- name: "Met-à-jour userlogrotate" + ansible.builtin.copy: + src: userlogrotate + dest: "{{ item }}" + mode: "0755" + loop: "{{ find_logrotate.files }}" + when: find_logrotate.files | length>0 + -- 2.39.2 From d67e03e5a23fb368125023932522864c77f13740 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Tue, 19 Jul 2022 17:23:37 +0200 Subject: [PATCH 139/497] packweb-apache/files/userlogrotate: tfix (comments). --- packweb-apache/files/userlogrotate | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packweb-apache/files/userlogrotate b/packweb-apache/files/userlogrotate index 2656f55d..7ed42668 100644 --- a/packweb-apache/files/userlogrotate +++ b/packweb-apache/files/userlogrotate 
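Review bot: `dest: "{{ item }}"` in the copy task receives a mapping, not a path: `ansible.builtin.find` registers each match in `files` as a dict (`path`, `mode`, …), so the task should use `dest: "{{ item.path }}"`. The `when: find_logrotate.files | length>0` guard is redundant because `loop` over an empty list already skips the task, and `path:` on the find module is the alias of `paths:`. Without `recurse: true` the find only inspects `/etc` itself, which is presumably intended for `/etc/userlogrotate`; a short comment stating that, and noting that `mode: "0755"` overrides whatever mode the existing file had, would document the intent.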
@@ -35,9 +35,9 @@ fi; test -x /usr/sbin/nginx && invoke-rc.d nginx rotate >/dev/null 2>&1 -# Zipping is done after web serveur reload, so that the file descriptor is released. +# Zipping is done after web server reload, so that the file descriptor is released. # Else, an error is raised (gzip file size changed while zipping) -# and logs written buring the zipping process might be lost. +# and logs written during the zipping process might be lost. for log in access.log access-*.log error.log; do for i in `ls -1 -d $HOMEPREFIX/*/log/$log 2>/dev/null | grep -v \.bak\.`; do -- 2.39.2 From fa5eb5aa5c04f69becc4c11103ab3c217e94d140 Mon Sep 17 00:00:00 2001 From: "William Hirigoyen (Evolix)" Date: Wed, 20 Jul 2022 11:02:44 +0200 Subject: [PATCH 140/497] Avoid find warning global options are not positional (-maxdepth after the argument -type) --- evocheck/files/evocheck.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index 9391f119..81c18061 100644 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -742,7 +742,7 @@ check_backupuptodate() { backup_dir="/home/backup" if [ -d "${backup_dir}" ]; then if [ -n "$(ls -A ${backup_dir})" ]; then - find "${backup_dir}" -type f -maxdepth 1 | while read -r file; do + find "${backup_dir}" -maxdepth 1 -type f | while read -r file; do limit=$(date +"%s" -d "now - 2 day") updated_at=$(stat -c "%Y" "$file") -- 2.39.2 From 3f9ac05b1304154afcc692bdcc0cad241668f201 Mon Sep 17 00:00:00 2001 From: "William Hirigoyen (Evolix)" Date: Mon, 25 Jul 2022 17:29:19 +0200 Subject: [PATCH 141/497] =?UTF-8?q?Homog=C3=A9n=C3=A9isation=20du=20port?= =?UTF-8?q?=20OpenDKIM=20par=20d=C3=A9faut=20du=20r=C3=B4le=20postfix=20av?= =?UTF-8?q?ec=20celui=20du=20r=C3=B4le=20OpenDKIM?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- postfix/templates/packmail_main.cf.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/postfix/templates/packmail_main.cf.j2 b/postfix/templates/packmail_main.cf.j2 index d9d90836..82b94afa 100644 --- a/postfix/templates/packmail_main.cf.j2 +++ b/postfix/templates/packmail_main.cf.j2 @@ -412,8 +412,8 @@ smtpd_sasl_path = private/auth-client # Amavis and OpenDKIM content_filter = smtp-amavis:[127.0.0.1]:10024 -smtpd_milters = inet:[127.0.0.1]:54321 -non_smtpd_milters = inet:[127.0.0.1]:54321 +smtpd_milters = inet:[127.0.0.1]:8891 +non_smtpd_milters = inet:[127.0.0.1]:8891 {% if postfix_slow_transport_include == True %} # Slow transports configuration -- 2.39.2 From 4b39f5a9986d28d8e5f0b51246ea7b5233f35e28 Mon Sep 17 00:00:00 2001 From: "William Hirigoyen (Evolix)" Date: Mon, 25 Jul 2022 17:58:51 +0200 Subject: [PATCH 142/497] [webapps/evoadmin-mail] Ajout remount RW manquant --- webapps/evoadmin-mail/tasks/main.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/webapps/evoadmin-mail/tasks/main.yml b/webapps/evoadmin-mail/tasks/main.yml index 7f94281b..88f2dbb6 100644 --- a/webapps/evoadmin-mail/tasks/main.yml +++ b/webapps/evoadmin-mail/tasks/main.yml @@ -1,4 +1,9 @@ --- + +- name: Remount /usr RW + include_role: + name: evolix/remount-usr + - name: Install evoadmin-mail package apt: deb: /tmp/evoadmin-mail.deb -- 2.39.2 From b453321b3d6e84dd9bf3a77d66fea2437b46c075 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 27 Jul 2022 09:23:55 +0200 Subject: [PATCH 143/497] nagios-nrpe: exclude /run/shm and /run/lock from check_disk1 --- CHANGELOG.md | 1 + nagios-nrpe/templates/evolix.cfg.j2 | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 82e65832..3e118e3c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed * mongodb: replace version_compare() with version() +* nagios-nrpe: exclude /run/shm and /run/lock from check_disk1 ### Fixed 
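Review bot: The milter port moves to 8891 here, but the NRPE template still probes the old one: `command[check_opendkim]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 54321` appears unchanged as context in patch 155's evolix.cfg.j2 hunk, so once this change is deployed the OpenDKIM check reports a failure or, if both ports happen to listen, checks the wrong service. Update that line to `-p 8891` in the same change, or template the port from a single variable so the postfix, opendkim and nagios-nrpe roles cannot drift again. A comment above `smtpd_milters` noting that the port must match the opendkim role's default would document the coupling.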
diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2 index d3d102f0..e7ae1876 100644 --- a/nagios-nrpe/templates/evolix.cfg.j2 +++ b/nagios-nrpe/templates/evolix.cfg.j2 @@ -9,7 +9,7 @@ allowed_hosts={{ nagios_nrpe_allowed_hosts | join(',') }} # System checks command[check_load]=/usr/lib/nagios/plugins/check_load --percpu --warning=0.7,0.6,0.5 --critical=0.9,0.8,0.7 command[check_swap]=/usr/lib/nagios/plugins/check_swap -a -w 30% -c 20% -command[check_disk1]=/usr/lib/nagios/plugins/check_disk -x /lib/init/rw -x /dev -x /dev/shm -x /sys/kernel/debug/tracing -w 10% -c 3% -W 10% -K 3% -C -w 5% -c 2% -W 5% -K 2% -p /home +command[check_disk1]=/usr/lib/nagios/plugins/check_disk -x /lib/init/rw -x /dev -x /dev/shm -x /run/lock -x /run/shm -x /sys/kernel/debug/tracing -w 10% -c 3% -W 10% -K 3% -C -w 5% -c 2% -W 5% -K 2% -p /home command[check_zombie_procs]=sudo /usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z command[check_total_procs]=sudo /usr/lib/nagios/plugins/check_procs -w 400 -c 600 command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10 -- 2.39.2 From f7edd565a391f8af435bb6e13c6e20441f9ecaf9 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 27 Jul 2022 09:24:44 +0200 Subject: [PATCH 144/497] nagios-nrpe: check_disk1 returns only alerts --- CHANGELOG.md | 1 + nagios-nrpe/templates/evolix.cfg.j2 | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3e118e3c..7ea9174d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * mongodb: replace version_compare() with version() * nagios-nrpe: exclude /run/shm and /run/lock from check_disk1 +* nagios-nrpe: check_disk1 returns only alerts ### Fixed diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2 index e7ae1876..d4b301af 100644 --- a/nagios-nrpe/templates/evolix.cfg.j2 
+++ b/nagios-nrpe/templates/evolix.cfg.j2 @@ -9,7 +9,7 @@ allowed_hosts={{ nagios_nrpe_allowed_hosts | join(',') }} # System checks command[check_load]=/usr/lib/nagios/plugins/check_load --percpu --warning=0.7,0.6,0.5 --critical=0.9,0.8,0.7 command[check_swap]=/usr/lib/nagios/plugins/check_swap -a -w 30% -c 20% -command[check_disk1]=/usr/lib/nagios/plugins/check_disk -x /lib/init/rw -x /dev -x /dev/shm -x /run/lock -x /run/shm -x /sys/kernel/debug/tracing -w 10% -c 3% -W 10% -K 3% -C -w 5% -c 2% -W 5% -K 2% -p /home +command[check_disk1]=/usr/lib/nagios/plugins/check_disk -e -x /lib/init/rw -x /dev -x /dev/shm -x /run/lock -x /run/shm -x /sys/kernel/debug/tracing -w 10% -c 3% -W 10% -K 3% -C -w 5% -c 2% -W 5% -K 2% -p /home command[check_zombie_procs]=sudo /usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z command[check_total_procs]=sudo /usr/lib/nagios/plugins/check_procs -w 400 -c 600 command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10 -- 2.39.2 From a8c117146c9592ee5f590e7887387b6a106bd282 Mon Sep 17 00:00:00 2001 From: "William Hirigoyen (Evolix)" Date: Wed, 27 Jul 2022 09:34:30 +0200 Subject: [PATCH 145/497] =?UTF-8?q?[webapps/roundcube]=C2=A0Corrige=20le?= =?UTF-8?q?=20DocumentRoot?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- webapps/roundcube/templates/apache2.conf.j2 | 2 +- webapps/roundcube/templates/nginx.conf.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/webapps/roundcube/templates/apache2.conf.j2 b/webapps/roundcube/templates/apache2.conf.j2 index 01c25f3a..87bdf79e 100644 --- a/webapps/roundcube/templates/apache2.conf.j2 +++ b/webapps/roundcube/templates/apache2.conf.j2 @@ -9,7 +9,7 @@ ServerName {{ roundcube_host }} # Repertoire principal - DocumentRoot /var/lib/roundcube/ + DocumentRoot /var/lib/roundcube/public_html # Return 503 if imapproxy doesn't run 
diff --git a/webapps/roundcube/templates/nginx.conf.j2 b/webapps/roundcube/templates/nginx.conf.j2 index 1719c407..66dcb8a5 100644 --- a/webapps/roundcube/templates/nginx.conf.j2 +++ b/webapps/roundcube/templates/nginx.conf.j2 @@ -10,7 +10,7 @@ server { access_log /var/log/nginx/.{{ roundcube_host }}.access.log; error_log /var/log/nginx/.{{ roundcube_host }}.error.log; - root /var/lib/roundcube/; + root /var/lib/roundcube/public_html; index index.php; location / { -- 2.39.2 From 0d086731ae02e3a054486b017354dca9d44f0c01 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 27 Jul 2022 15:49:41 +0200 Subject: [PATCH 146/497] evomaintenance: upstream release 22.07 --- CHANGELOG.md | 1 + evomaintenance/files/evomaintenance.sh | 38 ++++++++++++++++++++++---- 2 files changed, 34 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7ea9174d..9cefcee0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* evomaintenance: upstream release 22.07 * mongodb: replace version_compare() with version() * nagios-nrpe: exclude /run/shm and /run/lock from check_disk1 * nagios-nrpe: check_disk1 returns only alerts diff --git a/evomaintenance/files/evomaintenance.sh b/evomaintenance/files/evomaintenance.sh index 3903f2ef..bce0e562 100644 --- a/evomaintenance/files/evomaintenance.sh +++ b/evomaintenance/files/evomaintenance.sh 
@@ -7,7 +7,7 @@ # Copyright 2007-2022 Evolix , Gregory Colpart , # Jérémy Lecour and others. -VERSION="22.01" +VERSION="22.07" show_version() { cat < Date: Wed, 27 Jul 2022 18:51:24 +0200 Subject: [PATCH 147/497] =?UTF-8?q?[generate-ldif]=C2=A0Fix=20package=20co?= =?UTF-8?q?ndition=20to=20have=20IMAP=20and=20POP=20checks=20added=20to=20?= =?UTF-8?q?ldif.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- generate-ldif/templates/generateldif.sh.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/generate-ldif/templates/generateldif.sh.j2 b/generate-ldif/templates/generateldif.sh.j2 index 86bfc0eb..17ff759a 100755 --- a/generate-ldif/templates/generateldif.sh.j2 +++ b/generate-ldif/templates/generateldif.sh.j2 @@ -488,8 +488,8 @@ EOT fi # Dovecot -if is_pkg_installed dovecot-common; then - dovecot_version=$(get_pkg_version dovecot-common) +if is_pkg_installed dovecot-core; then + dovecot_version=$(get_pkg_version dovecot-core) fi if [ -n "${dovecot_version}" ]; then cat <> "${ldif_file}" -- 2.39.2 From c8898a3d1053c269c0f236524b584d91a1273412 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 28 Jul 2022 13:25:51 +0200 Subject: [PATCH 148/497] nagios-nrpe: use regexp to exclude paths/devices in check_disk1 --- CHANGELOG.md | 2 +- nagios-nrpe/templates/evolix.cfg.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9cefcee0..627bbd3a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,8 +16,8 @@ The **patch** part changes is incremented if multiple releases happen the same m * evomaintenance: upstream release 22.07 * mongodb: replace version_compare() with version() -* nagios-nrpe: exclude /run/shm and /run/lock from check_disk1 * nagios-nrpe: check_disk1 returns only alerts +* nagios-nrpe: use regexp to exclude paths/devices in check_disk1 ### Fixed 
diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2 index d4b301af..b007b3a8 100644 --- a/nagios-nrpe/templates/evolix.cfg.j2 +++ b/nagios-nrpe/templates/evolix.cfg.j2 @@ -9,7 +9,7 @@ allowed_hosts={{ nagios_nrpe_allowed_hosts | join(',') }} # System checks command[check_load]=/usr/lib/nagios/plugins/check_load --percpu --warning=0.7,0.6,0.5 --critical=0.9,0.8,0.7 command[check_swap]=/usr/lib/nagios/plugins/check_swap -a -w 30% -c 20% -command[check_disk1]=/usr/lib/nagios/plugins/check_disk -e -x /lib/init/rw -x /dev -x /dev/shm -x /run/lock -x /run/shm -x /sys/kernel/debug/tracing -w 10% -c 3% -W 10% -K 3% -C -w 5% -c 2% -W 5% -K 2% -p /home +command[check_disk1]=/usr/lib/nagios/plugins/check_disk -e -w 10% -c 3% -W 10% -K 3% -C -w 5% -c 2% -W 5% -K 2% -p /home -x /lib/init/rw -x /dev -x /dev/shm -x /run -I '^/run/' -I '^/sys/' command[check_zombie_procs]=sudo /usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z command[check_total_procs]=sudo /usr/lib/nagios/plugins/check_procs -w 400 -c 600 command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10 -- 2.39.2 From f10ebe8cd6e9cf9079f8a49849cb1c6fedf9a592 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 28 Jul 2022 13:38:33 +0200 Subject: [PATCH 149/497] evocheck: upstream release 22.07 --- CHANGELOG.md | 1 + evocheck/files/evocheck.sh | 17 +++++++++++++---- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 627bbd3a..21319b1a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* evocheck: upstream release 22.07 * evomaintenance: upstream release 22.07 * mongodb: replace version_compare() with version() * nagios-nrpe: check_disk1 returns only alerts diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index 81c18061..1bc54d79 100644 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh 
@@ -4,7 +4,7 @@ # Script to verify compliance of a Debian/OpenBSD server # powered by Evolix -VERSION="22.06.2" +VERSION="22.07" readonly VERSION # base functions @@ -610,6 +610,14 @@ check_evobackup() { evobackup_found=$(find /etc/cron* -name '*evobackup*' | wc -l) test "$evobackup_found" -gt 0 || failed "IS_EVOBACKUP" "missing evobackup cron" } +# Vérification de la mise en place de la purge pour fail2ban +check_purge_fail2ban() { + if is_debian_stretch || is_debian_buster; then + if is_installed fail2ban; then + test -f /etc/cron.daily/fail2ban_dbpurge || failed "IS_FAIL2BAN_PURGE" "missing script fail2ban_dbpurge cron" + fi + fi +} # Vérification de l'exclusion des montages (NFS) dans les sauvegardes check_evobackup_exclude_mount() { excludes_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.evobackup_exclude_mount.XXXXX") @@ -970,7 +978,7 @@ check_mongo_backup() { # You could change the default path in /etc/evocheck.cf MONGO_BACKUP_PATH=${MONGO_BACKUP_PATH:-"/home/backup/mongodump"} if [ -d "$MONGO_BACKUP_PATH" ]; then - for file in "${MONGO_BACKUP_PATH}"/*/*.{json,bson}.*; do + for file in "${MONGO_BACKUP_PATH}"/*/*.{json,bson}*; do # Skip indexes file. if ! [[ "$file" =~ indexes ]]; then limit=$(date +"%s" -d "now - 2 day") @@ -1227,8 +1235,8 @@ check_sshpermitrootno() { # -T doesn't require the additional -C. sshd_args= fi - # XXX: We want parameter expension here - if ! (sshd -T $sshd_args | grep -q 'permitrootlogin no'); then + # shellcheck disable=SC2086 + if ! (sshd -T ${sshd_args} | grep -q 'permitrootlogin no'); then failed "IS_SSHPERMITROOTNO" "PermitRoot should be set to no" fi } @@ -1810,6 +1818,7 @@ while :; do IS_UPTIME=0 IS_MELTDOWN_SPECTRE=0 IS_CHECK_VERSIONS=0 + IS_NETWORKING_SERVICE=0 ;; -v|--verbose) VERBOSE=1 -- 2.39.2 From 25b96c3283471b3130b0d77369e2ff20d98efed9 Mon Sep 17 00:00:00 2001 
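Review bot: `check_purge_fail2ban` is added but nothing in these hunks wires it into the run: the option block in the last hunk gains only `IS_NETWORKING_SERVICE=0`, and no `IS_FAIL2BAN_PURGE` default or dispatch call is visible, so unless that lives outside the hunks the check never executes and cannot be disabled like the others. The test should also be `test -x /etc/cron.daily/fail2ban_dbpurge`, since run-parts skips a non-executable file and `-f` would report OK for a cron job that never runs. The `while :; do` loop enclosing the last hunk starts outside it.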
From: Jeremy Lecour Date: Thu, 28 Jul 2022 13:49:57 +0200 Subject: [PATCH 150/497] Release 22.07.1 --- CHANGELOG.md | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 21319b1a..2a162ae9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,18 +14,22 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed -* evocheck: upstream release 22.07 -* evomaintenance: upstream release 22.07 -* mongodb: replace version_compare() with version() -* nagios-nrpe: check_disk1 returns only alerts -* nagios-nrpe: use regexp to exclude paths/devices in check_disk1 - ### Fixed ### Removed ### Security +## [22.07.1] 2022-07-28 + +### Changed + +* evocheck: upstream release 22.07 +* evomaintenance: upstream release 22.07 +* mongodb: replace version_compare() with version() +* nagios-nrpe: check_disk1 returns only alerts +* nagios-nrpe: use regexp to exclude paths/devices in check_disk1 + ## [22.07] 2022-07-08 ### Added -- 2.39.2 From 0f899dcd09f384d348b36eb357221e3e8c227536 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 28 Jul 2022 13:58:09 +0200 Subject: [PATCH 151/497] evocheck: remove failure if deprecated variable is used --- CHANGELOG.md | 2 ++ evocheck/tasks/main.yml | 7 ------- 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2a162ae9..9761cf5e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Removed +* evocheck: remove failure if deprecated variable is used + ### Security ## [22.07.1] 2022-07-28 diff --git a/evocheck/tasks/main.yml b/evocheck/tasks/main.yml index 2032740b..14c6988f 100644 --- a/evocheck/tasks/main.yml +++ b/evocheck/tasks/main.yml 
@@ -1,12 +1,5 @@ --- -- name: Package install is not supported anymore - fail: - msg: Package install is not supported anymore - when: - - evocheck_force_install is defined - - evocheck_force_install == "package" - - include: install.yml - include: cron.yml -- 2.39.2 From 6c33e11d5fd46e21a2d48406d74d89068c15ed15 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 28 Jul 2022 14:18:12 +0200 Subject: [PATCH 152/497] evocheck: upstream release 22.07.1 --- CHANGELOG.md | 2 ++ evocheck/files/evocheck.sh | 12 ++++++------ 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9761cf5e..502ee302 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* evocheck: upstream release 22.07.1 + ### Fixed ### Removed diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index 1bc54d79..8468c5cb 100644 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -1226,18 +1226,18 @@ check_usrsharescripts() { check_sshpermitrootno() { sshd_args="-C addr=,user=,host=,laddr=,lport=0" if is_debian_jessie || is_debian_stretch; then - # Noop, we'll use the default $sshd_args + # Noop, we'll use the default $sshd_args : elif is_debian_buster; then - sshd_args="${sshd_args},rdomain=" + sshd_args="${sshd_args},rdomain=" else - # NOTE: From Debian Bullseye 11 onward, with OpenSSH 8.1, the argument + # NOTE: From Debian Bullseye 11 onward, with OpenSSH 8.1, the argument # -T doesn't require the additional -C. - sshd_args= + sshd_args= fi # shellcheck disable=SC2086 - if ! (sshd -T ${sshd_args} | grep -q 'permitrootlogin no'); then - failed "IS_SSHPERMITROOTNO" "PermitRoot should be set to no" + if ! (sshd -T ${sshd_args} 2> /dev/null | grep -qi 'permitrootlogin no'); then + failed "IS_SSHPERMITROOTNO" "PermitRoot should be set to no" fi } check_evomaintenanceusers() { -- 2.39.2 
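Review bot: Adding `2> /dev/null` to `sshd -T ${sshd_args}` hides the case where sshd itself fails (unexpected `-C` spec on a new release, unreadable config), in which case grep reads an empty stream and the check reports "PermitRoot should be set to no", a misleading message. Capture the output first and report the two failures separately, as below. The `-i` added to grep is harmless since `sshd -T` prints keywords in lowercase, but a comment saying why it was added would help the next reader.
```shell
check_sshpermitrootno() {
    # … unchanged: sshd_args selection per Debian release …
    # shellcheck disable=SC2086
    if sshd_output=$(sshd -T ${sshd_args} 2> /dev/null); then
        echo "${sshd_output}" | grep -qi 'permitrootlogin no' \
            || failed "IS_SSHPERMITROOTNO" "PermitRoot should be set to no"
    else
        failed "IS_SSHPERMITROOTNO" "sshd -T failed, cannot read effective config"
    fi
}
```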
From 9aa043d1abe315162788616a2bdc7bb5d5b4f535 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Thu, 28 Jul 2022 17:24:43 +0200 Subject: [PATCH 153/497] CI: Use Jenkins only --- .Jenkinsfile | 4 ---- .drone.yml | 36 ------------------------------------ 2 files changed, 40 deletions(-) delete mode 100644 .drone.yml diff --git a/.Jenkinsfile b/.Jenkinsfile index 3f488638..67f84d95 100644 --- a/.Jenkinsfile +++ b/.Jenkinsfile @@ -21,11 +21,9 @@ pipeline { def major = versions[0] def minor = versions[0] + '.' + versions[1] def patch = version.trim() - /* No crendentials yet im.push(major) im.push(minor) im.push(patch) - */ } } } @@ -40,9 +38,7 @@ pipeline { im.inside { sh 'echo Test needed' } - /* No crendentials yet im.push('latest') - */ } } } diff --git a/.drone.yml b/.drone.yml deleted file mode 100644 index 514a8b3f..00000000 --- a/.drone.yml +++ /dev/null @@ -1,36 +0,0 @@ -kind: pipeline -name: default - -steps: -- name: build tagged docker image - image: plugins/docker - settings: - username: - from_secret: docker_username - password: - from_secret: docker_password - dockerfile: Dockerfile - repo: evolix/ansible-roles - auto_tag: true - environment: - ROLES_VERSION: $DRONE_COMMIT_SHA - when: - event: - - tag - -- name: build latest docker image - image: plugins/docker - settings: - username: - from_secret: docker_username - password: - from_secret: docker_password - dockerfile: Dockerfile - repo: evolix/ansible-roles - tags: latest - environment: - ROLES_VERSION: $DRONE_COMMIT_SHA - when: - branch: - - unstable - -- 2.39.2 From 7e21b13d6a6de56709e18eed86e97d1128a27997 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Fri, 29 Jul 2022 08:33:51 +0200 Subject: [PATCH 154/497] CI: Explicit registry credentials --- .Jenkinsfile | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/.Jenkinsfile b/.Jenkinsfile index 67f84d95..3f591b98 100644 --- a/.Jenkinsfile +++ b/.Jenkinsfile 
@@ -21,9 +21,11 @@ pipeline { def major = versions[0] def minor = versions[0] + '.' + versions[1] def patch = version.trim() - im.push(major) - im.push(minor) - im.push(patch) + docker.withRegistry('', 'hub.docker') { + im.push(major) + im.push(minor) + im.push(patch) + } } } } @@ -38,7 +40,9 @@ pipeline { im.inside { sh 'echo Test needed' } - im.push('latest') + docker.withRegistry('', 'hub.docker') { + im.push('latest') + } } } } -- 2.39.2 From 2ec3c91ed9b81f43933b609b4e8c1f5c2b1c0415 Mon Sep 17 00:00:00 2001 From: "William Hirigoyen (Evolix)" Date: Fri, 29 Jul 2022 16:33:03 +0200 Subject: [PATCH 155/497] [nagios-nrpe] Add check_ssl_local script --- nagios-nrpe/files/plugins/check_ssl_local | 69 +++++++++++++++++++++++ nagios-nrpe/templates/evolix.cfg.j2 | 1 + 2 files changed, 70 insertions(+) create mode 100755 nagios-nrpe/files/plugins/check_ssl_local diff --git a/nagios-nrpe/files/plugins/check_ssl_local b/nagios-nrpe/files/plugins/check_ssl_local new file mode 100755 index 00000000..d32cc40b --- /dev/null +++ b/nagios-nrpe/files/plugins/check_ssl_local 
@@ -0,0 +1,69 @@ +#!/bin/bash + +# Check permettant de monitorer une liste de certificats +# /etc/nagios/ssl_local.cfg +# +# Développé par Will (2022) +# + +certs_list_path=/etc/nagios/check_ssl_local_list.cfg + +# Dates in seconds +_10_days="864000" +_15_days="1296000" + +critical=0 +warning=0 + + +if [[ ! -f "$certs_list_path" ]]; then + touch "$certs_list_path" +fi + +certs_list=$(cat "$certs_list_path" | sed -E 's/(.*)#.*/\1/g' | grep -v -E '^$') + +for cert_path in $certs_list; do + + if [ ! -f "$cert_path" ]; then + >&2 echo "Warning: Cert file '$cert_path' does not exist." + warning=1 + continue + fi + + enddate=$(openssl x509 -noout -enddate -in "$cert_path" | cut -d'=' -f2) + + # Check cert expiré (critique) + if ! openssl x509 -checkend 0 -in "$cert_path" &> /dev/null; then + critical=1 + >&2 echo "Critical: Cert '$cert_path' has expired on $enddate." + continue + fi + + # Check cert expire < 10 jours (critique) + if ! openssl x509 -checkend "$_10_days" -in "$cert_path" &> /dev/null; then + critical=1 + >&2 echo "Critical: Cert '$cert_path' will expire on $enddate." + continue + fi + + # Check cert expire < 15 jours (warning) + if ! openssl x509 -checkend "$_15_days" -in "$cert_path" &> /dev/null; then + warning=1 + >&2 echo "Warning: Cert '$cert_path' will expire on $enddate." + continue + fi + + # Cert expire > 15 jours (OK) + echo "Cert '$cert_path' OK." + +done + +if [ $critical -eq 1 ]; then + exit 2 +elif [ $warning -eq 1 ]; then + exit 1 +else + exit 0 +fi + + diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2 index b007b3a8..5b8c1d28 100644 --- a/nagios-nrpe/templates/evolix.cfg.j2 +++ b/nagios-nrpe/templates/evolix.cfg.j2 
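Review bot: Every non-OK diagnostic goes to stderr (`>&2 echo "Critical: …"`), but NRPE forwards only stdout, so an alert raised by this plugin reaches Nagios with either no text or the `Cert '…' OK.` line of a later certificate; the messages should be printed to stdout, with a one-line summary before the final `exit`. The header comment names `/etc/nagios/ssl_local.cfg` while `certs_list_path` is `/etc/nagios/check_ssl_local_list.cfg`; make the comment match the variable. `for cert_path in $certs_list` word-splits on whitespace, so a path containing a space is silently read as two missing files; a `while read -r cert_path; do … done` over the filtered list avoids that. The `touch "$certs_list_path"` fallback writes into /etc as the monitoring user and its failure is unchecked; an absent list could instead be reported as OK without creating the file.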
@@ -48,6 +48,7 @@ command[check_redis]=/usr/lib/nagios/plugins/check_tcp -p 6379 command[check_clamd]=/usr/lib/nagios/plugins/check_clamd -H /var/run/clamav/clamd.ctl -v command[check_clamav_db]=/usr/lib/nagios/plugins/check_file_age -w 86400 -c 172800 -f /var/lib/clamav/evolix.ndb command[check_ssl]=/usr/lib/nagios/plugins/check_http -f follow -I 127.0.0.1 -S -p 443 -H ssl.evolix.net -C 15,5 +command[check_ssl_local]={{ nagios_plugins_directory }}/check_ssl_local command[check_elasticsearch]=/usr/lib/nagios/plugins/check_http -I 127.0.0.1 -u /_cat/health?h=st -p 9200 -r 'red' --invert-regex command[check_memcached]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 11211 command[check_opendkim]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 54321 -- 2.39.2 From a91479a1b00962bf6f195d0fe5a2f3086a1401d2 Mon Sep 17 00:00:00 2001 From: "William Hirigoyen (Evolix)" Date: Fri, 29 Jul 2022 16:34:48 +0200 Subject: [PATCH 156/497] [nagios-nrpe] Fix unsecable space --- nagios-nrpe/files/plugins/check_ssl_local | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nagios-nrpe/files/plugins/check_ssl_local b/nagios-nrpe/files/plugins/check_ssl_local index d32cc40b..7c8d241e 100755 --- a/nagios-nrpe/files/plugins/check_ssl_local +++ b/nagios-nrpe/files/plugins/check_ssl_local @@ -1,7 +1,7 @@ #!/bin/bash # Check permettant de monitorer une liste de certificats -# /etc/nagios/ssl_local.cfg +# /etc/nagios/ssl_local.cfg # # Développé par Will (2022) # -- 2.39.2 From 70225180eb0e7f843873b8f987633f677625c48b Mon Sep 17 00:00:00 2001 From: David Prevot Date: Mon, 1 Aug 2022 10:33:18 +0200 Subject: [PATCH 157/497] CI: Handle [ci skip] keyword --- .Jenkinsfile | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.Jenkinsfile b/.Jenkinsfile index 3f591b98..70cbc06a 100644 --- a/.Jenkinsfile +++ b/.Jenkinsfile 
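Review bot: `check_ssl_local` is invoked directly as the NRPE user, whereas entries that need privileges (`check_zombie_procs`, `check_total_procs` earlier in this file) go through `sudo`; a certificate under a root-only directory (as letsencrypt's `live/` usually is) fails the script's `-f` test and is reported as "does not exist", which is misleading. Decide whether the plugin is meant for world-readable certificates only and document that in the list file's header, or add a sudoers entry and `sudo` here. Using `{{ nagios_plugins_directory }}` for this command while every neighbouring line hard-codes `/usr/lib/nagios/plugins` is inconsistent; either is fine, but pick one.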
@@ -6,6 +6,12 @@ pipeline { } stages { + stage('Check commit message') { + steps { + scmSkip(deleteBuild: true, skipPattern:'.*\\[ci skip\\].*') + } + } + stage('Build tagged docker image') { when { buildingTag() -- 2.39.2 From 644793d2ecf4e202fc522ff80c7d184671ddb31e Mon Sep 17 00:00:00 2001 From: Alexis Ben Miloud--Josselin Date: Mon, 1 Aug 2022 17:43:00 +0200 Subject: [PATCH 158/497] Ajouter check_rabbitmq pour Python 3 --- rabbitmq/files/check_rabbitmq.python3 | 226 ++++++++++++++++++++++++++ rabbitmq/tasks/nrpe.yml | 11 ++ 2 files changed, 237 insertions(+) create mode 100644 rabbitmq/files/check_rabbitmq.python3 diff --git a/rabbitmq/files/check_rabbitmq.python3 b/rabbitmq/files/check_rabbitmq.python3 new file mode 100644 index 00000000..0a941dd4 --- /dev/null +++ b/rabbitmq/files/check_rabbitmq.python3 
@@ -0,0 +1,226 @@ +#!/usr/bin/env python3 +from optparse import OptionParser +import shlex +import subprocess +import sys +import requests +import json + +if "check_output" not in dir( subprocess ): # duck punch it in! + def f(*popenargs, **kwargs): + if 'stdout' in kwargs: + raise ValueError('stdout argument not allowed, it will be overridden.') + process = subprocess.Popen(stdout=subprocess.PIPE, *popenargs, **kwargs) + output, unused_err = process.communicate() + retcode = process.poll() + if retcode: + cmd = kwargs.get("args") + if cmd is None: + cmd = popenargs[0] + raise subprocess.CalledProcessError(retcode, cmd) + return output + subprocess.check_output = f + + +class RabbitCmdWrapper(object): + """So basically this just runs rabbitmqctl commands and returns parsed output. + Typically this means you need root privs for this to work. + Made this it's own class so it could be used in other monitoring tools + if desired.""" + + @classmethod + def list_connections(cls): + args = shlex.split("sudo rabbitmqctl list_connections") + cmd_result = subprocess.check_output(args, text=True).strip() + results = cls._parse_list_results(cmd_result) + return results + + @classmethod + def list_queues(cls): + args = shlex.split('sudo rabbitmqctl list_queues') + cmd_result = subprocess.check_output(args, text=True).strip() + results = cls._parse_list_results(cmd_result) + return results + + @classmethod + def status(cls): + args = shlex.split('sudo rabbitmqctl status') + cmd_result = subprocess.check_output(args, text=True).strip() + results = cls._parse_list_results(cmd_result) + return results + + @classmethod + def _parse_list_results(cls, result_string): + results = result_string.strip().split('\n') + #remove text fluff + if "Listing connections ..." in results: results.remove("Listing connections ...") + if "Listing queues ..." 
in results: results.remove("Listing queues ...") + return_data = [] + for row in results: + return_data.append(row.split('\t')) + return return_data + + +def check_connection_count(critical=0, warning=0): + """Checks to make sure the numbers of connections are within parameters.""" + try: + count = len(RabbitCmdWrapper.list_connections()) + if count >= critical: + print("CRITICAL - Connection Count %d" % count) + sys.exit(2) + elif count >= warning: + print("WARNING - Connection Count %d" % count) + sys.exit(1) + else: + print("OK - Connection Count %d" % count) + except Exception as err: + print("CRITICAL - %s" % err) + + +def check_queues_count(critical=1000, warning=1000): + """ + A blanket check to make sure all queues are within count parameters. + TODO: Possibly break this out so test can be done on individual queues. + """ + try: + critical_q = [] + warning_q = [] + results = RabbitCmdWrapper.list_queues() + for queue in results: + if queue.count == 2: + count = int(queue[1]) + if count >= critical: + critical_q.append("%s: %s" % (queue[0], count)) + elif count >= warning: + warning_q.append("%s: %s" % (queue[0], count)) + if critical_q: + print("CRITICAL - %s" % ", ".join(critical_q)) + sys.exit(2) + elif warning_q: + print("WARNING - %s" % ", ".join(warning_q)) + sys.exit(1) + else: + print("OK - NO QUEUES EXCEED THRESHOLDS") + sys.exit(0) + except Exception as err: + print("CRITICAL - %s" % err) + sys.exit(2) + +def check_mem_usage(critical=75, warning=50): + """Check to make sure the RAM usage of rabbitmq process does not exceed 50%% of its max""" + try: + results = RabbitCmdWrapper.status() + + for idx,val in enumerate(results): + if "memory," in str(val): + mem_used_raw = str(results[idx + 1]) + if "vm_memory_limit" in str(val): + mem_limit_raw = str(val) + + memory_used = float(filter(str.isdigit, mem_used_raw)) + memory_limit = float(filter(str.isdigit, mem_limit_raw)) + percent_usage = int(memory_used/memory_limit * 100) + + if percent_usage > 
critical: + print("CRITICAL - RABBITMQ RAM USAGE at %s%% of max" % percent_usage) + sys.exit(2) + elif percent_usage > warning: + print("WARNING - RABBITMQ RAM USAGE at %s%% of max" % percent_usage) + sys.exit(1) + else: + print("OK - RABBITMQ RAM USAGE OK at %s%% of max" % percent_usage) + sys.exit(0) + except Exception as err: + print("Critical - %s" % err) + sys.exit(2) + +def check_aliveness(username, password, timeout, cluster): + """Declares a test queue, then publishes and consumes a message. Intended for use by monitoring tools. If everything is working correctly, will return HTTP status 200 with body""" + try: + r = requests.get("http://%s:15672/api/aliveness-test/%%2F" % cluster, auth=(username, password), timeout=timeout) + except requests.exceptions.RequestException as e: # Throw error if rabbitmq is down + print("Critical - %s" % e) + sys.exit(2) + if r.status_code == 200: + print("OK - RABBITMQ Aliveness Test Returns: %s" % r) + sys.exit(0) + elif r.status_code != 200: + print("CRITICAL - RabbitMQ Error: %s" % r.content) + sys.exit(2) + else: + print("UNKNOWN - RABBITMQ Aliveness Test") + sys.ext(1) + +def check_cluster(username, password, timeout, cluster): + """Checks the health of a cluster, if a node is not running mark as offline """ + try: + url = "http://%s:15672/api/nodes" % cluster + r = requests.get(url, auth=(username, password), timeout=timeout) + except requests.exceptions.RequestException as e: # Throw error if no response + print("Critical - %s" % e) + sys.exit(2) + text = r.text + nodes = json.loads(text) + + running_nodes = [] + failed_nodes = [] + for node in nodes: + if not node['running']: + failed_nodes.append(node['name']) + if node['running']: + running_nodes.append(node['name']) + if len(failed_nodes) == 1: + print("WARNING: RabbitMQ cluster is degraged: Not running %s" % failed_nodes[0]) + sys.exit(1) + elif len(failed_nodes) >= 2: + print("CRITICAL: RabbitMQ cluster is critical: Not running %s" % failed_nodes) + sys.exit(2) + 
else: + print("OK: RabbitMQ cluster members: %s" % (" ".join(running_nodes))) + sys.exit(0) + + +USAGE = """Usage: ./check_rabbitmq -a [action] -C [critical] -W [warning] + Actions: + - connection_count + checks the number of connection in rabbitmq's list_connections + - queues_count + checks the count in each of the queues in rabbitmq's list_queues + - mem_usage + checks to ensure mem usage of rabbitmq process does not exceed 50% + - aliveness + Use the /api/aliveness-test API to send/receive a message. (requires -u username -p password args) + - cluster_status + Parse /api/nodes to check the cluster status. (requires -u username -p password""" + +if __name__ == "__main__": + parser = OptionParser(USAGE) + parser.add_option("-a", "--action", dest="action", + help="Action to Check") + parser.add_option("-C", "--critical", dest="critical", + type="int", help="Critical Threshold") + parser.add_option("-W", "--warning", dest="warning", + type="int", help="Warning Threshold") + parser.add_option("-u", "--username", dest="username", default="guest", + type="string", help="RabbitMQ username, Default guest") + parser.add_option("-p", "--password", dest="password", default="guest", + type="string", help="RabbitMQ password, Default guest") + parser.add_option("-t", "--timeout", dest="timeout", default=1, + type="int", help="Request Timeout, defaults to 1 second") + parser.add_option("-c", "--cluster", dest="cluster", default="localhost", + type="string", help="Cluster IP/DNS name, defaults to localhost") + (options, args) = parser.parse_args() + + if options.action == "connection_count": + check_connection_count(options.critical, options.warning) + elif options.action == "queues_count": + check_queues_count(options.critical, options.warning) + elif options.action == "mem_usage": + check_mem_usage(options.critical, options.warning) + elif options.action == "aliveness": + check_aliveness(options.username, options.password, options.timeout, options.cluster) + elif 
options.action == "cluster_status":
+ check_cluster(options.username, options.password, options.timeout, options.cluster)
+ else:
+ print("Invalid action: %s" % options.action)
+ print(USAGE)
diff --git a/rabbitmq/tasks/nrpe.yml b/rabbitmq/tasks/nrpe.yml
index 4272f57b..ba6b8d47 100644
--- a/rabbitmq/tasks/nrpe.yml
+++ b/rabbitmq/tasks/nrpe.yml
@@ -24,6 +24,17 @@
 group: root
 mode: "0755"
 force: yes
+ when: ansible_distribution_major_version is version('11', '<=')
+
+- name: check_rabbitmq (Python 3 version) is installed
+ copy:
+ src: check_rabbitmq.python3
+ dest: /usr/local/lib/nagios/plugins/check_rabbitmq
+ owner: root
+ group: root
+ mode: "0755"
+ force: yes
+ when: ansible_distribution_major_version is version('11', '==')
 - name: check_rabbitmq is available for NRPE
 lineinfile:
-- 2.39.2
From 6f5bad4a443159355d8bfc4eb107d06da7ee3747 Mon Sep 17 00:00:00 2001
From: "William Hirigoyen (Evolix)"
Date: Tue, 2 Aug 2022 16:44:08 +0200
Subject: [PATCH 159/497] [nagios-nrpe] Add 401 error i expected default HTTP code of check_https
---
 nagios-nrpe/templates/evolix.cfg.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2
index 5b8c1d28..ae0e0abd 100644
--- a/nagios-nrpe/templates/evolix.cfg.j2
+++ b/nagios-nrpe/templates/evolix.cfg.j2
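Review bot: `if queue.count == 2:` in check_queues_count compares the list's bound `count` method with an integer, which is never true, so no queue is ever checked against the thresholds and the action always reports OK; it should read `if len(queue) == 2:`. In check_mem_usage, `float(filter(str.isdigit, mem_used_raw))` raises TypeError on Python 3 because `filter` returns an iterator, so that action always ends in the except branch; `float("".join(filter(str.isdigit, mem_used_raw)))` (and the same for `mem_limit_raw`) restores the Python 2 meaning. The except branch of check_connection_count prints CRITICAL but never calls `sys.exit(2)`, so a failing `rabbitmqctl` is reported to NRPE as OK, and that branch is also reached whenever `-C`/`-W` are omitted, since the optparse defaults are None and `count >= None` raises on Python 3. The RabbitMQ password is taken from the `-p` option, where it is visible to every local user through the process list for the lifetime of the check; reading it from a root-only file would avoid that, and the `sys.ext(1)` typo in check_aliveness is unreachable but should still be `sys.exit(1)`.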
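Review bot: The two `when:` guards overlap on Debian 11: `version('11', '<=')` keeps the Python 2 copy task running on bullseye while `version('11', '==')` runs the new Python 3 copy there too, both writing the same `dest`, so which plugin ends up installed depends on task order; the first guard should be `version('11', '<')`. With `'=='` the Python 3 variant is also skipped on anything newer than 11, leaving no `check_rabbitmq` installed at all there — `version('11', '>=')` is probably what is meant. The task that receives the first `when:` starts before the hunk.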
@@ -34,7 +34,7 @@ command[check_pop]=/usr/lib/nagios/plugins/check_pop -H localhost command[check_pops]=/usr/lib/nagios/plugins/check_pop -S -H localhost -p 995 command[check_ftp]=/usr/lib/nagios/plugins/check_ftp -H localhost command[check_http]=/usr/lib/nagios/plugins/check_http -e 301 -I 127.0.0.1 -H localhost -command[check_https]=/usr/lib/nagios/plugins/check_http -e 403 -I 127.0.0.1 -S -p 443 --sni -H ssl.evolix.net +command[check_https]=/usr/lib/nagios/plugins/check_http -e 401,403 -I 127.0.0.1 -S -p 443 --sni -H ssl.evolix.net command[check_bind]=/usr/lib/nagios/plugins/check_dig -l evolix.net -H localhost command[check_unbound]=/usr/lib/nagios/plugins/check_dig -l evolix.net -H localhost command[check_smb]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 445 -- 2.39.2 From f78e60d72af0506998e2670ffeaeb276a9788f18 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Wed, 3 Aug 2022 13:55:39 +0200 Subject: [PATCH 160/497] Revert "CI: Handle [ci skip] keyword" This reverts commit 70225180eb0e7f843873b8f987633f677625c48b. --- .Jenkinsfile | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.Jenkinsfile b/.Jenkinsfile index 70cbc06a..3f591b98 100644 --- a/.Jenkinsfile +++ b/.Jenkinsfile @@ -6,12 +6,6 @@ pipeline { } stages { - stage('Check commit message') { - steps { - scmSkip(deleteBuild: true, skipPattern:'.*\\[ci skip\\].*') - } - } - stage('Build tagged docker image') { when { buildingTag() -- 2.39.2 From 0748a090c34f68275a1d85b2c57a782c725d9539 Mon Sep 17 00:00:00 2001 From: "William Hirigoyen (Evolix)" Date: Fri, 5 Aug 2022 09:26:01 +0200 Subject: [PATCH 161/497] [evocheck] Add /etc/network/interfaces.d support --- evocheck/files/evocheck.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index 8468c5cb..ee1ee439 100644 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh 
@@ -582,7 +582,7 @@ check_autoif() {
 interfaces=$(/sbin/ifconfig -s | tail -n +2 | grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap|vrrp)" | cut -d " " -f 1 |tr "\n" " ")
 fi
 for interface in $interfaces; do
- if ! grep -q "^auto $interface" /etc/network/interfaces; then
+ if ! grep -Rq "^auto $interface" /etc/network/interfaces*; then
 failed "IS_AUTOIF" "Network interface \`${interface}' is not set to auto"
 test "${VERBOSE}" = 1 || break
 fi
-- 2.39.2
From 141423f966815ce42af1a42889e76180603dbec8 Mon Sep 17 00:00:00 2001
From: Mathieu Trossevin
Date: Wed, 10 Aug 2022 10:24:55 +0200
Subject: [PATCH 162/497] haproxy: Take into account haproxy_stats_path for munin
---
 haproxy/templates/munin.conf.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/haproxy/templates/munin.conf.j2 b/haproxy/templates/munin.conf.j2
index 24042f66..149896b2 100644
--- a/haproxy/templates/munin.conf.j2
+++ b/haproxy/templates/munin.conf.j2
@@ -1,4 +1,4 @@
 [haproxy_*]
 {% if haproxy_stats_internal_enable %}
-env.url http://{{ haproxy_stats_internal_host }}:{{ haproxy_stats_internal_port }}/;csv;norefresh
+env.url http://{{ haproxy_stats_internal_host }}:{{ haproxy_stats_internal_port }}{{ haproxy_stats_path }};csv;norefresh
 {% endif %}
-- 2.39.2
From 08a4f1ed5f710d7ea2642dd13cd5ccbd54971ba0 Mon Sep 17 00:00:00 2001
From: Mathieu Trossevin
Date: Wed, 10 Aug 2022 10:26:37 +0200
Subject: [PATCH 163/497] Document previous change
---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 502ee302..b27b7ff7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,6 +18,8 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ### Fixed
+* haproxy: make it so that munin doesn't break if there is a non default `haproxy_stats_path`
+
 ### Removed
 * evocheck: remove failure if deprecated variable is used
-- 2.39.2
From 78dcec8656b2c24257a700152e0f1d078e3db52f Mon Sep 17 00:00:00 2001
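Review bot: `grep -Rq "^auto $interface" /etc/network/interfaces*` widens the search to every path matching the glob, including leftovers such as an `interfaces.bak` or `interfaces.dpkg-old` that ifupdown never reads, so an `auto` stanza in a stale copy silences the check. Naming the two real locations avoids that: `if ! grep -Rq "^auto $interface" /etc/network/interfaces /etc/network/interfaces.d; then`. The pattern is also still a prefix match, so looking for `eth1` is satisfied by `auto eth10`; `"^auto $interface\b"` closes that, although it predates this commit. check_autoif starts before the hunk.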
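Review bot: The literal `/` that used to follow the port has been dropped, so the URL is now only well-formed if `haproxy_stats_path` itself begins with `/`; a value such as `stats` (constructed example) would render `...:{{ haproxy_stats_internal_port }}stats;csv;norefresh`. The variable's default is not in this diff, so I cannot tell whether that convention already holds; a one-line `{# haproxy_stats_path must start with "/" #}` above `env.url` would make the expectation visible to whoever sets it.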
From: Mathieu Trossevin Date: Wed, 10 Aug 2022 11:18:23 +0200 Subject: [PATCH 164/497] varnish: Repair systemd unit for jessie/stretch --- CHANGELOG.md | 1 + varnish/templates/varnish.conf.jessie.j2 | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b27b7ff7..b367df0b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,6 +19,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Fixed * haproxy: make it so that munin doesn't break if there is a non default `haproxy_stats_path` +* varnish: make `-j ` the first argument on jessie/stretch as it has to be the first argument there. ### Removed diff --git a/varnish/templates/varnish.conf.jessie.j2 b/varnish/templates/varnish.conf.jessie.j2 index f340323d..c3653708 100644 --- a/varnish/templates/varnish.conf.jessie.j2 +++ b/varnish/templates/varnish.conf.jessie.j2 @@ -2,6 +2,6 @@ [Service] ExecStart= -ExecStart=/usr/sbin/varnishd -F -j {{ varnish_jail }} {{ varnish_addresses | map('regex_replace', '^(.*)$', '-a \\1') | list | join(' ') }} -T {{ varnish_management_address }} -f {{ varnish_config_file }} -S {{ varnish_secret_file }} -s {{ varnish_storage }} -p thread_pools={{ varnish_thread_pools }} -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} -p thread_pool_min={{ varnish_thread_pool_min }} -p thread_pool_max={{ varnish_thread_pool_max }} +ExecStart=/usr/sbin/varnishd -j {{ varnish_jail }} -F {{ varnish_addresses | map('regex_replace', '^(.*)$', '-a \\1') | list | join(' ') }} -T {{ varnish_management_address }} -f {{ varnish_config_file }} -S {{ varnish_secret_file }} -s {{ varnish_storage }} -p thread_pools={{ varnish_thread_pools }} -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} -p thread_pool_min={{ varnish_thread_pool_min }} -p thread_pool_max={{ varnish_thread_pool_max }} ExecReload= ExecReload=/etc/varnish/reload-vcl.sh -- 2.39.2 From de0c4fd31469d526b3d306bbe8ecaa7b5cda62b3 Mon Sep 17 00:00:00 2001 
From: Jeremy Dubois Date: Wed, 10 Aug 2022 17:23:47 +0200 Subject: [PATCH 165/497] openvpn: automate the initialization of the CA and the creation of the server certificate ; use openssl_dhparam module instead of a command --- CHANGELOG.md | 1 + openvpn/tasks/debian.yml | 46 ++++++++++++++++++++++++++++++++------- openvpn/tasks/openbsd.yml | 46 ++++++++++++++++++++++++++++++++------- 3 files changed, 77 insertions(+), 16 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b367df0b..d5203bc7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed * evocheck: upstream release 22.07.1 +* openvpn: automate the initialization of the CA and the creation of the server certificate ; use openssl_dhparam module instead of a command ### Fixed diff --git a/openvpn/tasks/debian.yml b/openvpn/tasks/debian.yml index 4c2f6c5d..d6b03ac9 100644 --- a/openvpn/tasks/debian.yml +++ b/openvpn/tasks/debian.yml @@ -62,7 +62,9 @@ group: shellpki - name: Generate dhparam - command: "openssl dhparam -out /etc/shellpki/dh2048.pem 2048" + openssl_dhparam: + path: /etc/shellpki/dh2048.pem + size: 2048 - include_role: name: evolix/remount-usr @@ -239,7 +241,7 @@ - include_role: name: evolix/remount-usr -- name: Copy shellpki script +- name: Copy script to check expirations copy: src: "shellpki/cert-expirations.sh" dest: "/usr/share/scripts/cert-expirations.sh" 
@@ -253,15 +255,43 @@
 special_time: monthly
 job: '/usr/share/scripts/cert-expirations.sh | mail -E -s "PKI VPN {{ ansible_hostname }} : recapitulatif expirations" {{ client_email }}'
-- name: Warn the user about command to execute manually
+- name: Generate the CA password
+ set_fact:
+ ca_pwd: "{{ lookup('password', '/dev/null length=25 chars=ascii_letters,digits') }}"
+ check_mode: no
+ changed_when: no
+
+- name: Initialization of the CA
+ shell: 'CA_PASSWORD="{{ ca_pwd }}" shellpki init --non-interactive {{ ansible_fqdn }}'
+
+- name: Creation of the server's certificate
+ shell: 'CA_PASSWORD="{{ ca_pwd }}" shellpki create --days 3650 --non-interactive {{ ansible_fqdn }}'
+
+- name: Get the server key
+ shell: 'ls -tr /etc/shellpki/private/ | tail -1'
+ register: ca_key
+ check_mode: no
+ changed_when: no
+
+- name: Configure the server key
+ replace:
+ path: /etc/openvpn/server.conf
+ regexp: 'key /etc/shellpki/private/TO_COMPLETE'
+ replace: 'key /etc/shellpki/private/{{ ca_key.stdout }}'
+
+- name: Restart OpenVPN
+ systemd:
+ name: "openvpn@server.service"
+ state: restarted
+
+- name: Warn the user about manual checks
 pause:
 prompt: |
 /!\ WARNING /!\
- You have to manually create the CA on the server with "shellpki init {{ ansible_fqdn }}". The command will ask you to create a password, and will ask you again to give the same one several times.
- You have to manually generate the CRL on the server with "openssl ca -gencrl -keyfile /etc/shellpki/cakey.key -cert /etc/shellpki/cacert.pem -out /etc/shellpki/crl.pem -config /etc/shellpki/openssl.cnf". The previously created password will be asked.
- You have to manually create the server's certificate with "shellpki create {{ ansible_fqdn }}".
- You have to adjust the config file "/etc/openvpn/server.conf" for the following parameters : local (to check), cert (to check), key (to add), server (to check), push (to complete if needed).
- Finally, you can (re)start the OpenVPN service with "systemctl restart openvpn@server.service".
+ You must check and adjust if necessary the configuration file "/etc/openvpn/server.conf", and then restart the OpenVPN service with "systemctl restart openvpn@server.service".
+ The "push" parameter may be needed to push a route to the client, so that the client can access that route through OpenVPN.
+
+ Take note of the generated CA password and store it in your password manager : {{ ca_pwd }}
 Press enter to exit when it's done.
diff --git a/openvpn/tasks/openbsd.yml b/openvpn/tasks/openbsd.yml
index d3238cea..f5d9e4ff 100644
--- a/openvpn/tasks/openbsd.yml
+++ b/openvpn/tasks/openbsd.yml
@@ -56,7 +56,9 @@
 group: _shellpki
 - name: Generate dhparam
- command: "openssl dhparam -out /etc/shellpki/dh2048.pem 2048"
+ openssl_dhparam:
+ path: /etc/shellpki/dh2048.pem
+ size: 2048
 - name: Fix CRL rights in shellpki command
 lineinfile:
@@ -175,7 +177,7 @@
 notify: restart nrpe
 when: nrpe_evolix_config.stat.exists
-- name: Copy shellpki script
+- name: Copy script to check expirations
 copy:
 src: "shellpki/cert-expirations.sh"
 dest: "/usr/share/scripts/cert-expirations.sh"
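Review bot: The CA password is embedded in the `shell:` command string of the `Initialization of the CA` and `Creation of the server's certificate` tasks, so it appears in the `sh -c` argv on the target (readable through the process list while the command runs) and in Ansible's task output and logs, since neither these tasks nor the `set_fact` that creates it carry `no_log: true`. Passing it through `environment:` with `command:` keeps it out of argv and `no_log` keeps it out of the run log; the final `pause` still shows it once to the operator, which is the intended hand-over, so that part can stay. `shellpki init` also has no `creates:` guard, so a second run of the role re-initialises the CA (or fails on it), and `ls -tr /etc/shellpki/private/ | tail -1` picks whichever file was modified last in that directory rather than the key issued for `{{ ansible_fqdn }}`. The openbsd.yml hunk that follows has the same layout and would take the same change.
```yaml
- name: Generate the CA password
  set_fact:
    ca_pwd: "{{ lookup('password', '/dev/null length=25 chars=ascii_letters,digits') }}"
  check_mode: no
  changed_when: no
  no_log: true

- name: Initialization of the CA
  command: "shellpki init --non-interactive {{ ansible_fqdn }}"
  environment:
    CA_PASSWORD: "{{ ca_pwd }}"
  creates: /etc/shellpki/cacert.pem   # path taken from the removed prompt text; confirm it is what shellpki init writes
  no_log: true

- name: Creation of the server's certificate
  command: "shellpki create --days 3650 --non-interactive {{ ansible_fqdn }}"
  environment:
    CA_PASSWORD: "{{ ca_pwd }}"
  no_log: true
# … unchanged: server key lookup, server.conf replace, OpenVPN restart, final pause …
```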
@@ -189,15 +191,43 @@ special_time: monthly job: '/usr/share/scripts/cert-expirations.sh | mail -E -s "PKI VPN {{ ansible_hostname }} : recapitulatif expirations" {{ client_email }}' -- name: Warn the user about command to execute manually +- name: Generate the CA password + set_fact: + ca_pwd: "{{ lookup('password', '/dev/null length=25 chars=ascii_letters,digits') }}" + check_mode: no + changed_when: no + +- name: Initialization of the CA + shell: 'CA_PASSWORD="{{ ca_pwd }}" shellpki init --non-interactive {{ ansible_fqdn }}' + +- name: Creation of the server's certificate + shell: 'CA_PASSWORD="{{ ca_pwd }}" shellpki create --days 3650 --non-interactive {{ ansible_fqdn }}' + +- name: Get the server key + shell: 'ls -tr /etc/shellpki/private/ | tail -1' + register: ca_key + check_mode: no + changed_when: no + +- name: Configure the server key + replace: + path: /etc/openvpn/server.conf + regexp: 'key /etc/shellpki/private/TO_COMPLETE' + replace: 'key /etc/shellpki/private/{{ ca_key.stdout }}' + +- name: Restart OpenVPN + service: + name: openvpn + state: restarted + +- name: Warn the user about manual checks pause: prompt: | /!\ WARNING /!\ - You have to manually create the CA on the server with "shellpki init {{ ansible_fqdn }}". The command will ask you to create a password, and will ask you again to give the same one several times. - You have to manually generate the CRL on the server with "openssl ca -gencrl -keyfile /etc/shellpki/cakey.key -cert /etc/shellpki/cacert.pem -out /etc/shellpki/crl.pem -config /etc/shellpki/openssl.cnf". The previously created password will be asked. - You have to manually create the server's certificate with "shellpki create {{ ansible_fqdn }}". - You have to adjust the config file "/etc/openvpn/server.conf" for the following parameters : local (to check), cert (to check), key (to add), server (to check), push (to complete if needed). - Finally, you can (re)start the OpenVPN service with "rcctl restart openvpn". 
+ You must check and adjust if necessary the configuration file "/etc/openvpn/server.conf", and then restart the OpenVPN service with "rcctl restart openvpn". + The "push" parameter may be needed to push a route to the client, so that the client can access that route through OpenVPN. + + Take note of the generated CA password and store it in your password manager : {{ ca_pwd }} Press enter to exit when it's done. -- 2.39.2 From b47a2e46d935df6c987be391c5cad07edbeabbe1 Mon Sep 17 00:00:00 2001 From: "William Hirigoyen (Evolix)" Date: Thu, 11 Aug 2022 15:08:07 +0200 Subject: [PATCH 166/497] [nagios-nrpe] Ajout check_ssl_local --- nagios-nrpe/files/plugins/check_ssl_local | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nagios-nrpe/files/plugins/check_ssl_local b/nagios-nrpe/files/plugins/check_ssl_local index 7c8d241e..f3d10ced 100755 --- a/nagios-nrpe/files/plugins/check_ssl_local +++ b/nagios-nrpe/files/plugins/check_ssl_local @@ -24,8 +24,8 @@ certs_list=$(cat "$certs_list_path" | sed -E 's/(.*)#.*/\1/g' | grep -v -E '^$') for cert_path in $certs_list; do - if [ ! -f "$cert_path" ]; then - >&2 echo "Warning: Cert file '$cert_path' does not exist." + if [ ! -f "$cert_path" ] && [ ! -d "$cert_path" ]; then + >&2 echo "Warning: path '$cert_path' is not a file or a directory." warning=1 continue fi -- 2.39.2 From 541efa78a3d538cd3414a4832e7307e5ee2ff5b3 Mon Sep 17 00:00:00 2001 From: "William Hirigoyen (Evolix)" Date: Thu, 11 Aug 2022 15:08:16 +0200 Subject: [PATCH 167/497] [nagios-nrpe] Ajout check_ssl_local --- nagios-nrpe/files/plugins/check_ssl_local | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nagios-nrpe/files/plugins/check_ssl_local b/nagios-nrpe/files/plugins/check_ssl_local index f3d10ced..860ed676 100755 --- a/nagios-nrpe/files/plugins/check_ssl_local +++ b/nagios-nrpe/files/plugins/check_ssl_local 
@@ -1,12 +1,12 @@ #!/bin/bash -# Check permettant de monitorer une liste de certificats +# Check permettant de monitorer une liste de certificats se trouvant dans # /etc/nagios/ssl_local.cfg # # Développé par Will (2022) # -certs_list_path=/etc/nagios/check_ssl_local_list.cfg +certs_list_path="/etc/nagios/check_ssl_local_list.cfg" # Dates in seconds _10_days="864000" -- 2.39.2 From a55d06f58e7df9382a021c3534a39a5051febcee Mon Sep 17 00:00:00 2001 From: David Prevot Date: Wed, 17 Aug 2022 16:25:48 +0200 Subject: [PATCH 168/497] PHP: Install php-xml now that it has been split off --- lxc-php/tasks/php74.yml | 2 +- lxc-php/tasks/php80.yml | 2 +- lxc-php/tasks/php81.yml | 2 +- php/tasks/main_bullseye.yml | 1 + 4 files changed, 4 insertions(+), 3 deletions(-) diff --git a/lxc-php/tasks/php74.yml b/lxc-php/tasks/php74.yml index eaae77fd..64677009 100644 --- a/lxc-php/tasks/php74.yml +++ b/lxc-php/tasks/php74.yml @@ -3,7 +3,7 @@ - name: "{{ lxc_php_version }} - Install PHP packages" lxc_container: name: "{{ lxc_php_version }}" - container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-zip composer libphp-phpmailer" + container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer" - name: "{{ lxc_php_version }} - fix bullseye repository" replace: diff --git a/lxc-php/tasks/php80.yml b/lxc-php/tasks/php80.yml index 4f725f0b..47039fe7 100644 --- a/lxc-php/tasks/php80.yml +++ b/lxc-php/tasks/php80.yml 
@@ -46,7 +46,7 @@ - name: "{{ lxc_php_version }} - Install PHP packages" lxc_container: name: "{{ lxc_php_version }}" - container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-zip composer libphp-phpmailer" + container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer" - name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" template: diff --git a/lxc-php/tasks/php81.yml b/lxc-php/tasks/php81.yml index f4498dd2..8883cbcc 100644 --- a/lxc-php/tasks/php81.yml +++ b/lxc-php/tasks/php81.yml @@ -46,7 +46,7 @@ - name: "{{ lxc_php_version }} - Install PHP packages" lxc_container: name: "{{ lxc_php_version }}" - container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-zip composer libphp-phpmailer" + container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer" - name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" template: diff --git a/php/tasks/main_bullseye.yml b/php/tasks/main_bullseye.yml index a1f7d5f5..403a7b76 100644 --- a/php/tasks/main_bullseye.yml +++ b/php/tasks/main_bullseye.yml @@ -30,6 +30,7 @@ - php-sqlite3 - php-curl - php-ssh2 + - php-xml - php-zip - composer - libphp-phpmailer -- 2.39.2 From d0abfa985cc21b6d21819b7a007e4e64fc99ce9d Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour
Date: Wed, 17 Aug 2022 16:53:05 +0200
Subject: [PATCH 169/497] redis: config directory must be owned by the user that runs the service
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
… to be able to write tmp config files in it
---
 CHANGELOG.md | 1 +
 redis/tasks/default-server.yml | 9 +++++++++
 redis/tasks/instance-server.yml | 12 ++++++------
 3 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d5203bc7..4852a591 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -21,6 +21,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * haproxy: make it so that munin doesn't break if there is a non default `haproxy_stats_path`
 * varnish: make `-j ` the first argument on jessie/stretch as it has to be the first argument there.
+* redis: config directory must be owned by the user that runs the service (to be able to write tmp config files in it)
 ### Removed
diff --git a/redis/tasks/default-server.yml b/redis/tasks/default-server.yml
index 08653cfa..10b4d382 100644
--- a/redis/tasks/default-server.yml
+++ b/redis/tasks/default-server.yml
@@ -11,6 +11,15 @@
 tags:
 - redis
+- name: Config directory permissions are set
+ file:
+ dest: "{{ redis_conf_dir }}"
+ mode: "0750"
+ owner: redis
+ group: redis
+ tags:
+ - redis
+
 - name: Redis is running and enabled on boot.
 systemd:
 name: "{{ redis_systemd_name }}"
diff --git a/redis/tasks/instance-server.yml b/redis/tasks/instance-server.yml
index 3e6af623..3f70733e 100644
--- a/redis/tasks/instance-server.yml
+++ b/redis/tasks/instance-server.yml
@@ -28,9 +28,9 @@
 - name: "Instance '{{ redis_instance_name }}' config directory is present"
 file:
 dest: "{{ redis_conf_dir }}"
- mode: "0755"
- owner: "root"
- group: "root"
+ mode: "0750"
+ owner: "redis-{{ redis_instance_name }}"
+ group: "redis-{{ redis_instance_name }}"
 follow: yes
 state: directory
 tags:
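Review bot: Making the configuration directory writable by the service account (`owner: redis` with `mode: "0750"` in default-server.yml, and the switch from `root:root 0755` to the instance user in both instance-server.yml hunks) lets a compromised or misbehaving Redis process replace or rewrite its own configuration, which is then loaded at the next restart — write access on the directory is enough for that even if the individual files stay root-owned. If the temporary files only need a scratch location, a separate `redis`-owned subdirectory keeps the main directory root-owned; if Redis genuinely has to rewrite its config in place, a one-line comment on the task saying so would explain the trade-off to whoever next tightens these permissions. The `file:` task in default-server.yml also has no `state: directory`, so it reports an error rather than creating the directory when it does not exist yet.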
@@ -39,9 +39,9 @@ - name: "Instance '{{ redis_instance_name }}' config hooks directories are present" file: dest: "{{ _dir }}" - mode: "0755" - owner: "root" - group: "root" + mode: "0750" + owner: "redis-{{ redis_instance_name }}" + group: "redis-{{ redis_instance_name }}" follow: yes state: directory loop: -- 2.39.2 From 3bd4b9242520db21cd5d585cf91f4ad8fe7b67f4 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Thu, 18 Aug 2022 10:27:08 +0200 Subject: [PATCH 170/497] CHANGELOG: Document previous ($self) change --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4852a591..a4d0f3a6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added +* php: install php-xml with recent PHP versions + ### Changed * evocheck: upstream release 22.07.1 -- 2.39.2 From 1972826c79286d4ead1ac6b7756761673a905cc6 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 19 Aug 2022 12:03:34 +0200 Subject: [PATCH 171/497] vrrpd: better process management in systemd unit --- vrrpd/templates/vrrp.service.j2 | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/vrrpd/templates/vrrp.service.j2 b/vrrpd/templates/vrrp.service.j2 index 7bd588d7..4db5d7a9 100644 --- a/vrrpd/templates/vrrp.service.j2 +++ b/vrrpd/templates/vrrp.service.j2 @@ -4,8 +4,12 @@ After=network.target [Service] ExecStart=/usr/sbin/vrrpd -i {{ vrrp_address.interface | mandatory }} -x -D -d {{ vrrp_address.delay | mandatory }} -v {{ vrrp_address.id | mandatory }} -p {{ vrrp_address.priority | mandatory }} -a {{ vrrp_address.authentication | mandatory }} -l {{ vrrp_address.label | mandatory }} {{ vrrp_address.ip | mandatory }} - +# PIDFile=/var/run/vrrpd_{{ vrrp_address.label }}_{{ vrrp_address.id }}.pid +Restart=on-failure Type=forking +IgnoreSIGPIPE=no +KillMode=process +RemainAfterExit=yes [Install] WantedBy=default.target \ No newline at end of file -- 2.39.2 
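Review bot: `RemainAfterExit=yes` combined with `Type=forking` and no `PIDFile=` (the new `PIDFile=` line is left commented out) works against the other additions: systemd keeps the unit "active" after the forked daemon is gone, so `Restart=on-failure` cannot fire when vrrpd dies, and `KillMode=process` then leaves any remaining children alone on stop. If the goal is supervision, enable `PIDFile=` with a path vrrpd actually writes (under `/run` rather than `/var/run`) and drop `RemainAfterExit=yes`, or run the daemon in the foreground with `Type=simple`; whichever is chosen deserves a one-line comment, because the current combination reads as contradictory. Unrelated to this change but visible in the context line, the VRRP authentication value is passed via `-a` on the command line and is therefore readable in the process list, which is worth a follow-up. The template still ends without a trailing newline.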
From 9dfcfe1ef36afe920b06a87f6e97808018c81068 Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Tue, 23 Aug 2022 17:45:19 -0400 Subject: [PATCH 172/497] Made it possible to only create a subset of users The evolinux_users_create variable is a list of tags that defaults to ['active']. Only the users that have one of the tags in the evolinux_users_create list will be created. --- CHANGELOG.md | 1 + evolinux-users/defaults/main.yml | 4 ++++ evolinux-users/tasks/main.yml | 4 +++- evolinux-users/tasks/ssh.yml | 1 + evolinux-users/tasks/sudo.yml | 4 ++++ 5 files changed, 13 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a4d0f3a6..b01a2bb1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added * php: install php-xml with recent PHP versions +* evolinux_user_create variable for evolinux-users that allows creating only a subset of users, defaults to active ### Changed diff --git a/evolinux-users/defaults/main.yml b/evolinux-users/defaults/main.yml index 8ff94551..cbe6bca4 100644 --- a/evolinux-users/defaults/main.yml +++ b/evolinux-users/defaults/main.yml @@ -6,3 +6,7 @@ evolinux_ssh_group: "evolinux-ssh" evolinux_internal_group: "" evolinux_root_disable_ssh: True + +# Defines which groups of users are created +evolinux_users_create: + - active \ No newline at end of file diff --git a/evolinux-users/tasks/main.yml b/evolinux-users/tasks/main.yml index 1b838e01..e8c52408 100644 --- a/evolinux-users/tasks/main.yml +++ b/evolinux-users/tasks/main.yml @@ -16,7 +16,9 @@ vars: user: "{{ item.value }}" loop: "{{ evolinux_users | dict2items }}" - when: evolinux_users | length > 0 + when: + - user.create | intersect(evolinux_users_create) | length > 0 + - evolinux_users | length > 0 - name: Configure sudo include: sudo.yml diff --git a/evolinux-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml index b0bf8b58..16c4eb67 100644 
--- a/evolinux-users/tasks/ssh.yml +++ b/evolinux-users/tasks/ssh.yml @@ -50,6 +50,7 @@ user: "{{ item.value }}" loop: "{{ evolinux_users | dict2items }}" when: + - user.create | intersect(evolinux_users_create) | length > 0 - ssh_allowusers - not ssh_allowgroups diff --git a/evolinux-users/tasks/sudo.yml b/evolinux-users/tasks/sudo.yml index 4056e7ad..fa537079 100644 --- a/evolinux-users/tasks/sudo.yml +++ b/evolinux-users/tasks/sudo.yml @@ -6,6 +6,7 @@ loop: "{{ evolinux_users | dict2items }}" when: - evolinux_users | length > 0 + - user.create | intersect(evolinux_users_create) | length > 0 - ansible_distribution_release == "jessie" @@ -16,6 +17,9 @@ vars: user: "{{ item.value }}" loop: "{{ evolinux_users | dict2items }}" + when: + - evolinux_users | length > 0 + - user.create | intersect(evolinux_users_create) | length > 0 when: - ansible_distribution_major_version is defined - ansible_distribution_major_version is version('9', '>=') -- 2.39.2 From 2c1ec040d18ba3c7b3417e421b3fbfcf848d6e18 Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Wed, 24 Aug 2022 09:05:29 -0400 Subject: [PATCH 173/497] Simplify user subset creation Instead of tags, allow only one subset of users to be created at a time. --- CHANGELOG.md | 2 +- evolinux-users/defaults/main.yml | 3 +-- evolinux-users/tasks/main.yml | 2 +- evolinux-users/tasks/ssh.yml | 2 +- evolinux-users/tasks/sudo.yml | 4 ++-- 5 files changed, 6 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b01a2bb1..d4405a2b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,7 +13,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added * php: install php-xml with recent PHP versions -* evolinux_user_create variable for evolinux-users that allows creating only a subset of users, defaults to active +* evolinux_user_create variable for evolinux-users that allows creating only a subset of users, defaults to always ### Changed 
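Review bot: The second sudo.yml hunk (`@@ -16,6 +17,9 @@`) adds a `when:` key to a task that already has one (the `ansible_distribution_major_version` conditions directly below it), assuming both keys belong to the same task as the surrounding `vars`/`loop` keys suggest; YAML does not merge duplicate keys and Ansible keeps only the last definition (with a duplicate-key warning at most), so the new user-subset condition is silently dropped for that task. Move the two added conditions into the existing `when:` list instead of introducing a second key. The follow-up commit's hunk at `@@ -19,7 +19,7 @@` in sudo.yml keeps the same shape and inherits the problem.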
diff --git a/evolinux-users/defaults/main.yml b/evolinux-users/defaults/main.yml index cbe6bca4..658e4a31 100644 --- a/evolinux-users/defaults/main.yml +++ b/evolinux-users/defaults/main.yml @@ -8,5 +8,4 @@ evolinux_internal_group: "" evolinux_root_disable_ssh: True # Defines which groups of users are created -evolinux_users_create: - - active \ No newline at end of file +evolinux_users_create: always \ No newline at end of file diff --git a/evolinux-users/tasks/main.yml b/evolinux-users/tasks/main.yml index e8c52408..d105aefe 100644 --- a/evolinux-users/tasks/main.yml +++ b/evolinux-users/tasks/main.yml @@ -17,7 +17,7 @@ user: "{{ item.value }}" loop: "{{ evolinux_users | dict2items }}" when: - - user.create | intersect(evolinux_users_create) | length > 0 + - user.create == evolinux_users_create - evolinux_users | length > 0 - name: Configure sudo diff --git a/evolinux-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml index 16c4eb67..25a08297 100644 --- a/evolinux-users/tasks/ssh.yml +++ b/evolinux-users/tasks/ssh.yml @@ -50,7 +50,7 @@ user: "{{ item.value }}" loop: "{{ evolinux_users | dict2items }}" when: - - user.create | intersect(evolinux_users_create) | length > 0 + - user.create == evolinux_users_create - ssh_allowusers - not ssh_allowgroups diff --git a/evolinux-users/tasks/sudo.yml b/evolinux-users/tasks/sudo.yml index fa537079..769e7a4e 100644 --- a/evolinux-users/tasks/sudo.yml +++ b/evolinux-users/tasks/sudo.yml @@ -6,7 +6,7 @@ loop: "{{ evolinux_users | dict2items }}" when: - evolinux_users | length > 0 - - user.create | intersect(evolinux_users_create) | length > 0 + - user.create == evolinux_users_create - ansible_distribution_release == "jessie" 
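Review bot: `user.create == evolinux_users_create` in the tasks/main.yml hunk still errors for any user entry without a `create` key (undefined attribute in `when`), so inventories written before this key existed break instead of keeping their users; `(user.create | default('always')) == evolinux_users_create` keeps them created under the documented default. The same comparison is added in the ssh.yml and sudo.yml hunks of this commit (this line and the next). The accepted values (`always` and whatever else the role recognises) should be listed in the comment above `evolinux_users_create` in defaults/main.yml, which is still missing its trailing newline.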
@@ -19,7 +19,7 @@ loop: "{{ evolinux_users | dict2items }}" when: - evolinux_users | length > 0 - - user.create | intersect(evolinux_users_create) | length > 0 + - user.create == evolinux_users_create when: - ansible_distribution_major_version is defined - ansible_distribution_major_version is version('9', '>=') -- 2.39.2 From 018eee7ea088464aa67316c65dac56dfead0fe1e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Wed, 24 Aug 2022 15:22:25 +0200 Subject: [PATCH 174/497] Update 'CHANGELOG.md' * use role name * more descriptive message * order items alphabetically --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d4405a2b..09d25126 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,8 +12,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added +* evolinux_users: create only users who have a certain value for the `create` key (default: `always`). * php: install php-xml with recent PHP versions -* evolinux_user_create variable for evolinux-users that allows creating only a subset of users, defaults to always ### Changed -- 2.39.2 From 8e7c3a47aa52a950bae6bcbf2e80a7ba27c93c08 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Wed, 24 Aug 2022 15:24:54 +0200 Subject: [PATCH 175/497] Update 'evolinux-users/README.md' Add a `create` key in examples --- evolinux-users/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/evolinux-users/README.md b/evolinux-users/README.md index c0f6e9ef..9c7beab4 100644 --- a/evolinux-users/README.md +++ b/evolinux-users/README.md @@ -19,6 +19,7 @@ evolinux_users: groups: "baz" password_hash: 'sdfgsdfgsdfgsdfg' ssh_key: 'ssh-rsa AZERTYXYZ' + create: always bar: name: bar uid: 1002 
@@ -30,6 +31,7 @@ evolinux_users: ssh_keys: - 'ssh-rsa QWERTYUIOP' - 'ssh-ed25519 QWERTYUIOP' + create: on_demand ``` * `evolinux_sudo_group`: which group to use for sudo (default: `evolinux-sudo`) -- 2.39.2 From bd6c7792a84f85ddedbf5243ac65dfa544c5321f Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Wed, 24 Aug 2022 17:57:27 +0200 Subject: [PATCH 176/497] vrrpd: Fix systemd service name file --- vrrpd/tasks/ip.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vrrpd/tasks/ip.yml b/vrrpd/tasks/ip.yml index 38d75ccb..59594395 100644 --- a/vrrpd/tasks/ip.yml +++ b/vrrpd/tasks/ip.yml @@ -7,7 +7,7 @@ - name: add systemd unit template: src: vrrp.service.j2 - dest: "/etc/systemd/system/vrrp-{{ vrrp_systemd_unit_name }}" + dest: "/etc/systemd/system/{{ vrrp_systemd_unit_name }}" force: yes register: vrrp_systemd_unit -- 2.39.2 From 5fa7f4809c6ea7c238a92ed2315e780d69a9d5b2 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 24 Aug 2022 17:58:44 +0200 Subject: [PATCH 177/497] vrrp: fix systemd unit name --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 09d25126..92e9da42 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * evolinux_users: create only users who have a certain value for the `create` key (default: `always`). * php: install php-xml with recent PHP versions +* vrrp: add an `ip.yml` task file to help create VRRP addresses ### Changed -- 2.39.2 From f1485451ef23c5c7aee17b54d6750c0e578149ca Mon Sep 17 00:00:00 2001 
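Review bot: The `template` task now writing to `/etc/systemd/system/{{ vrrp_systemd_unit_name }}` sets no `mode:`/`owner:`/`group:`, so the unit file's permissions follow the remote umask of whoever runs the play; systemd reads it as root either way, but an explicit `mode: "0644"` with `owner: root` and `group: root` states the intent and avoids a 0600 or group-writable unit depending on how the play was invoked. The rest of the task (its `register` and any daemon-reload it drives) is outside this hunk.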
From: Eric Morino Date: Thu, 25 Aug 2022 17:35:10 +0200 Subject: [PATCH 178/497] =?UTF-8?q?rendu=20compatible=20le=20r=C3=B4le=20a?= =?UTF-8?q?vec=20apache=20pour=20nextcloud01?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- webapps/nextcloud/handlers/main.yml | 5 +++ webapps/nextcloud/tasks/main.yml | 9 +++- webapps/nextcloud/tasks/vhost-apache.yml | 24 ++++++++++ .../tasks/{vhost.yml => vhost-nginx.yml} | 0 webapps/nextcloud/templates/apache.conf.j2 | 44 +++++++++++++++++++ 5 files changed, 81 insertions(+), 1 deletion(-) create mode 100644 webapps/nextcloud/tasks/vhost-apache.yml rename webapps/nextcloud/tasks/{vhost.yml => vhost-nginx.yml} (100%) create mode 100644 webapps/nextcloud/templates/apache.conf.j2 diff --git a/webapps/nextcloud/handlers/main.yml b/webapps/nextcloud/handlers/main.yml index 2db4770d..46b3b014 100644 --- a/webapps/nextcloud/handlers/main.yml +++ b/webapps/nextcloud/handlers/main.yml @@ -8,3 +8,8 @@ service: name: nginx state: reloaded + +- name: reload apache + service: + name: apache2 + state: reloaded \ No newline at end of file diff --git a/webapps/nextcloud/tasks/main.yml b/webapps/nextcloud/tasks/main.yml index a6d39b4b..7ce81693 100644 --- a/webapps/nextcloud/tasks/main.yml +++ b/webapps/nextcloud/tasks/main.yml @@ -45,7 +45,14 @@ - include: archive.yml -- include: vhost.yml +- name: Check if Apache or Nginx + service_facts: + +- include: vhost-nginx.yml + when: "'nginx.service' in services" + +- include: vhost-apache.yml + when: "'apache2.service' in services" - include: mysql.yml diff --git a/webapps/nextcloud/tasks/vhost-apache.yml b/webapps/nextcloud/tasks/vhost-apache.yml new file mode 100644 index 00000000..595c283b --- /dev/null +++ b/webapps/nextcloud/tasks/vhost-apache.yml 
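Review bot: `'nginx.service' in services` and `'apache2.service' in services` test whether a unit is known to `service_facts`, not whether it is enabled or running, so a host with both packages present gets both vhost task files included and both web servers configured. Either require a running state (`services['nginx.service'].state == 'running'`) or, more predictably, select the web server through an explicit role variable (constructed example: `nextcloud_webserver: nginx`) and fail early when it is not one of the supported values. Note that the bare `services` name relies on fact injection being enabled; `ansible_facts.services` is the stable reference.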
@@ -0,0 +1,24 @@ +--- +- block: + - name: Copy Apache vhost + template: + src: apache.conf.j2 + dest: "/etc/apache2/sites-available/{{ nextcloud_instance_name }}.conf" + mode: "0640" + notify: reload apache + tags: + - nextcloud + + - name: Enable Apache vhost + file: + src: "/etc/apache2/sites-available/{{ nextcloud_instance_name }}.conf" + dest: "/etc/apache2/sites-enabled/{{ nextcloud_instance_name }}.conf" + state: link + notify: reload apache + tags: + - nextcloud + + # - name: Generate ssl config + # shell: + # cmd: "/usr/local/sbin/vhost-domains {{ nextcloud_instance_name }} | /usr/local/sbin/make-csr {{ nextcloud_instance_name }}" + # creates: "/etc/nginx/ssl/{{ nextcloud_instance_name }}.conf" \ No newline at end of file diff --git a/webapps/nextcloud/tasks/vhost.yml b/webapps/nextcloud/tasks/vhost-nginx.yml similarity index 100% rename from webapps/nextcloud/tasks/vhost.yml rename to webapps/nextcloud/tasks/vhost-nginx.yml diff --git a/webapps/nextcloud/templates/apache.conf.j2 b/webapps/nextcloud/templates/apache.conf.j2 new file mode 100644 index 00000000..bb41efab --- /dev/null +++ b/webapps/nextcloud/templates/apache.conf.j2 
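Review bot: The commented-out "Generate ssl config" block at the end of the new vhost-apache.yml is a leftover from the nginx task file: its `creates:` points at `/etc/nginx/ssl/{{ nextcloud_instance_name }}.conf`, which is meaningless for the Apache path, so either drop it or rewrite it for Apache before someone uncomments it as-is. The "Copy Apache vhost" task sets `mode: "0640"` but no `owner`/`group`, so ownership depends on the connection user; adding `owner: root` and `group: root` makes the vhost file's access explicit.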
@@ -0,0 +1,44 @@ + + ServerName {{ nextcloud_domains | join(' ') }} + + DocumentRoot {{ nextcloud_webroot }}/ + + + Require all granted + AllowOverride All + Options FollowSymLinks MultiViews + + + Dav off + + + + # user - group (thanks to sesse@debian.org) + AssignUserID {{ nextcloud_instance_name }} {{ nextcloud_instance_name }} + + # LOG + CustomLog /var/log/apache2/access.log vhost_combined + CustomLog /home/{{ nextcloud_instance_name }}/log/access.log combined + ErrorLog /home/{{ nextcloud_instance_name }}/log/error.log + + # REWRITE + UseCanonicalName On + RewriteEngine On + RewriteCond %{HTTP_HOST} !^{{ nextcloud_domains | join(' ') }}$ + RewriteRule ^/(.*) http://%{SERVER_NAME}/$1 [L,R] + + # PHP + #php_admin_flag engine off + #AddType text/html .html + #php_admin_flag display_errors On + #php_flag short_open_tag On + #php_flag register_globals On + #php_admin_value memory_limit 256M + #php_admin_value max_execution_time 60 + #php_admin_value upload_max_filesize 8M + #php_admin_flag allow_url_fopen Off + #php_value default_charset ISO-8859-15 + php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f {{ nextcloud_instance_name }}" + php_admin_value open_basedir "/usr/share/php:/home/{{ nextcloud_instance_name }}:/tmp" + + \ No newline at end of file -- 2.39.2 From aee925d667d19277e8ac9d134644223fb5b6d7ec Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Fri, 26 Aug 2022 16:28:30 +0200 Subject: [PATCH 179/497] Add php configuration for apache and cli globaly --- .../files/zzz-apache2-evolinux-custom.ini | 20 ++++++++++++++++ .../files/zzz-cli-evolinux-custom.ini | 4 ++++ webapps/nextcloud/tasks/vhost-apache.yml | 24 +++++++++++++++++++ webapps/nextcloud/templates/apache.conf.j2 | 10 -------- 4 files changed, 48 insertions(+), 10 deletions(-) create mode 100644 webapps/nextcloud/files/zzz-apache2-evolinux-custom.ini create mode 100644 webapps/nextcloud/files/zzz-cli-evolinux-custom.ini 
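Review bot: `RewriteCond %{HTTP_HOST} !^{{ nextcloud_domains | join(' ') }}$` builds the regex by joining the domains with a space, so with more than one domain the pattern can never match any Host header, the condition is always true and every request is redirected to `http://%{SERVER_NAME}/…`, whose Host does not match either — a redirect loop. Join with an alternation and escape the dots, e.g. `RewriteCond %{HTTP_HOST} !^({{ nextcloud_domains | map('regex_escape') | join('|') }})$`. The redirect target is also plain `http://`; if TLS terminates in this vhost or in front of it, `https://` is the safer canonical form. The `VirtualHost`/`Directory`/`IfModule` tags appear stripped in this rendering, so the block structure is inferred rather than verified.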
diff --git a/webapps/nextcloud/files/zzz-apache2-evolinux-custom.ini b/webapps/nextcloud/files/zzz-apache2-evolinux-custom.ini new file mode 100644 index 00000000..361628c2 --- /dev/null +++ b/webapps/nextcloud/files/zzz-apache2-evolinux-custom.ini @@ -0,0 +1,20 @@ +; Put customized values here. +allow_url_fopen = On +disable_functions = exec,shell-exec,system,passthru,popen +disable_functions = +user_ini.filename = ".user.ini" +max_execution_time = 300 + +memory_limit = 512M + +opcache.enable=1 +opcache.enable_cli=1 +opcache.interned_strings_buffer=24 +opcache.max_accelerated_files=60000 +opcache.memory_consumption=512 +opcache.save_comments=1 +opcache.revalidate_freq=1 + + +upload_max_filesize = 2G +post_max_size = 2G \ No newline at end of file diff --git a/webapps/nextcloud/files/zzz-cli-evolinux-custom.ini b/webapps/nextcloud/files/zzz-cli-evolinux-custom.ini new file mode 100644 index 00000000..f6785459 --- /dev/null +++ b/webapps/nextcloud/files/zzz-cli-evolinux-custom.ini @@ -0,0 +1,4 @@ +; Put customized values here. +; default_charset = "ISO-8859-1" +allow_url_fopen = On +apc.enable_cli=1 \ No newline at end of file diff --git a/webapps/nextcloud/tasks/vhost-apache.yml b/webapps/nextcloud/tasks/vhost-apache.yml index 595c283b..b710b07a 100644 --- a/webapps/nextcloud/tasks/vhost-apache.yml +++ b/webapps/nextcloud/tasks/vhost-apache.yml @@ -17,6 +17,30 @@ notify: reload apache tags: - nextcloud + + - name: Enable apache2 php configuration + copy: + src: "zzz-apache2-evolinux-custom.ini" + dest: "/etc/php/7.4/apache2/conf.d/zzz-evolinux-custom.ini" + mode: "0644" + owner: root + group: root + force: yes + notify: reload apache + tags: + - nextcloud + + - name: Enable cli php configuration + copy: + src: "zzz-cli-evolinux-custom.ini" + dest: "/etc/php/7.4/cli/conf.d/zzz-evolinux-custom.ini" + mode: "0644" + owner: root + group: root + force: yes + notify: reload apache + tags: + - nextcloud # - name: Generate ssl config # shell: 
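Review bot: In zzz-apache2-evolinux-custom.ini the line `disable_functions = exec,shell-exec,system,passthru,popen` is immediately overridden by `disable_functions =` (the last assignment wins in php.ini files), so nothing is actually disabled; `shell-exec` is also not a PHP function name — the function is `shell_exec`. Keep a single line expressing the intended policy, or delete both if the empty value is deliberate, after checking which of these functions Nextcloud needs (it relies on process execution for some features), and record that decision in a comment beside the directive. `opcache.enable_cli=1` has no effect in the apache2 SAPI configuration and belongs in the cli file if it is wanted at all.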
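Review bot: Both new `copy` tasks in vhost-apache.yml hard-code `/etc/php/7.4/...` in `dest`, so on a host running another PHP version (the php and lxc-php roles in this series target several) the files land in a directory no PHP reads and the role silently applies nothing. Derive the path from a variable declared in defaults, e.g. `dest: "/etc/php/{{ php_version }}/apache2/conf.d/zzz-evolinux-custom.ini"` (constructed example name), or discover the installed versions first. The cli task's `notify: reload apache` is a no-op for CLI settings and can be dropped. The enclosing `block:` starts outside this hunk.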
diff --git a/webapps/nextcloud/templates/apache.conf.j2 b/webapps/nextcloud/templates/apache.conf.j2 index bb41efab..20a4d2eb 100644 --- a/webapps/nextcloud/templates/apache.conf.j2 +++ b/webapps/nextcloud/templates/apache.conf.j2 @@ -28,16 +28,6 @@ RewriteRule ^/(.*) http://%{SERVER_NAME}/$1 [L,R] # PHP - #php_admin_flag engine off - #AddType text/html .html - #php_admin_flag display_errors On - #php_flag short_open_tag On - #php_flag register_globals On - #php_admin_value memory_limit 256M - #php_admin_value max_execution_time 60 - #php_admin_value upload_max_filesize 8M - #php_admin_flag allow_url_fopen Off - #php_value default_charset ISO-8859-15 php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f {{ nextcloud_instance_name }}" php_admin_value open_basedir "/usr/share/php:/home/{{ nextcloud_instance_name }}:/tmp" -- 2.39.2 From 9a25d5981f1f669e78265d141dd1ba92ef80a167 Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Fri, 26 Aug 2022 16:34:19 +0200 Subject: [PATCH 180/497] add webapps/nextcloud changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 92e9da42..eb9a8ce2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * evolinux_users: create only users who have a certain value for the `create` key (default: `always`). * php: install php-xml with recent PHP versions * vrrp: add an `ip.yml` task file to help create VRRP addresses +* webapps/nextcloud: Add compatibility with apache2, and apache2 mod_php. ### Changed -- 2.39.2 From 71aafe161ce52b748c0b6a5eebd24afde6b5bd28 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 29 Aug 2022 16:47:12 +0200 Subject: [PATCH 181/497] evocheck: upstream release 22.08 --- CHANGELOG.md | 2 +- evocheck/files/evocheck.sh | 339 ++++++++++++------------------------- 2 files changed, 109 insertions(+), 232 deletions(-) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index eb9a8ce2..323f0c13 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,7 +19,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed -* evocheck: upstream release 22.07.1 +* evocheck: upstream release 22.08 * openvpn: automate the initialization of the CA and the creation of the server certificate ; use openssl_dhparam module instead of a command ### Fixed diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index ee1ee439..e924debd 100644 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -1,10 +1,10 @@ #!/bin/bash # EvoCheck -# Script to verify compliance of a Debian/OpenBSD server +# Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="22.07" +VERSION="22.08" readonly VERSION # base functions 
@@ -30,7 +30,7 @@ END } show_help() { cat < /dev/null 2>&1 || failed "IS_VIM" - fi - - if [ "${IS_TTYC0SECURE:=1}" = 1 ]; then - grep -Eqv "^ttyC0.*secure$" /etc/ttys || failed "IS_TTYC0SECURE" - fi - - if [ "${IS_CUSTOMSYSLOG:=1}" = 1 ]; then - grep -q "Evolix" /etc/newsyslog.conf || failed "IS_CUSTOMSYSLOG" - fi - - if [ "${IS_NOINETD:=1}" = 1 ]; then - grep -q "inetd=NO" /etc/rc.conf.local 2>/dev/null || failed "IS_NOINETD" - fi - - if [ "${IS_SUDOMAINT:=1}" = 1 ]; then - f=/etc/sudoers - { grep -q "Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh" $f \ - && grep -q "ADMIN ALL=NOPASSWD: MAINT" $f; - } || failed "IS_SUDOMAINT" - fi - - if [ "${IS_POSTGRESQL:=1}" = 1 ]; then - pkg info | grep -q postgresql-client || failed "IS_POSTGRESQL" "postgresql-client is not installed" - fi - - if [ "${IS_NRPE:=1}" = 1 ]; then - { pkg info | grep -qE "nagios-plugins-[0-9.]" \ - && pkg info | grep -q nagios-plugins-ntp \ - && pkg info | grep -q nrpe; - } || failed "IS_NRPE" "NRPE is not installed" - fi - - # if [ "${IS_NRPEDISKS:=1}" = 1 ]; then - # NRPEDISKS=$(grep command.check_disk /etc/nrpe.cfg 2>/dev/null | grep "^command.check_disk[0-9]" | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1) - # DFDISKS=$(df -Pl | grep -E -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)" | wc -l) - # [ "$NRPEDISKS" = "$DFDISKS" ] || failed "IS_NRPEDISKS" - # fi - - # Verification du check_mailq dans nrpe.cfg (celui-ci doit avoir l'option "-M postfix" si le MTA est Postfix) - # - # if [ "${IS_NRPEPOSTFIX:=1}" = 1 ]; then - # pkg info | grep -q postfix && ( grep -q "^command.*check_mailq -M postfix" /etc/nrpe.cfg 2>/dev/null || failed "IS_NRPEPOSTFIX" ) - # fi - - if [ "${IS_NRPEDAEMON:=1}" = 1 ]; then - grep -q "echo -n ' nrpe'; /usr/local/sbin/nrpe -d" /etc/rc.local \ - || failed "IS_NREPEDAEMON" - fi - - if [ "${IS_ALERTBOOT:=1}" = 1 ]; then - grep -qE "^date \| mail -sboot/reboot .*evolix.fr$" /etc/rc.local \ - || failed "IS_ALERTBOOT" - fi - - if [ 
"${IS_RSYNC:=1}" = 1 ]; then - pkg info | grep -q rsync || failed "IS_RSYNC" - fi - - if [ "${IS_CRONPATH:=1}" = 1 ]; then - grep -q "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" /var/cron/tabs/root \ - || failed "IS_CRONPATH" - fi - - #TODO - # - Check en profondeur de postfix - # - NRPEDISK et NRPEPOSTFIX - fi + test "${IS_LSBRELEASE:=1}" = 1 && check_lsbrelease + test "${IS_DPKGWARNING:=1}" = 1 && check_dpkgwarning + test "${IS_UMASKSUDOERS:=1}" = 1 && check_umasksudoers + test "${IS_NRPEPOSTFIX:=1}" = 1 && check_nrpepostfix + test "${IS_MODSECURITY:=1}" = 1 && check_modsecurity + test "${IS_CUSTOMSUDOERS:=1}" = 1 && check_customsudoers + test "${IS_VARTMPFS:=1}" = 1 && check_vartmpfs + test "${IS_SERVEURBASE:=1}" = 1 && check_serveurbase + test "${IS_LOGROTATECONF:=1}" = 1 && check_logrotateconf + test "${IS_SYSLOGCONF:=1}" = 1 && check_syslogconf + test "${IS_DEBIANSECURITY:=1}" = 1 && check_debiansecurity + test "${IS_APTITUDEONLY:=1}" = 1 && check_aptitudeonly + test "${IS_APTITUDE:=1}" = 1 && check_aptitude + test "${IS_APTGETBAK:=1}" = 1 && check_aptgetbak + test "${IS_APTICRON:=0}" = 1 && check_apticron + test "${IS_USRRO:=1}" = 1 && check_usrro + test "${IS_TMPNOEXEC:=1}" = 1 && check_tmpnoexec + test "${IS_MOUNT_FSTAB:=1}" = 1 && check_mountfstab + test "${IS_LISTCHANGESCONF:=1}" = 1 && check_listchangesconf + test "${IS_CUSTOMCRONTAB:=1}" = 1 && check_customcrontab + test "${IS_SSHALLOWUSERS:=1}" = 1 && check_sshallowusers + test "${IS_DISKPERF:=0}" = 1 && check_diskperf + test "${IS_TMOUTPROFILE:=1}" = 1 && check_tmoutprofile + test "${IS_ALERT5BOOT:=1}" = 1 && check_alert5boot + test "${IS_ALERT5MINIFW:=1}" = 1 && check_alert5minifw + test "${IS_ALERT5MINIFW:=1}" = 1 && test "${IS_MINIFW:=1}" = 1 && check_minifw + test "${IS_NRPEPERMS:=1}" = 1 && check_nrpeperms + test "${IS_MINIFWPERMS:=1}" = 1 && check_minifwperms + # Enable when minifirewall is released + test "${IS_MINIFWINCLUDES:=0}" = 1 && check_minifw_includes + test 
"${IS_NRPEDISKS:=0}" = 1 && check_nrpedisks + test "${IS_NRPEPID:=1}" = 1 && check_nrpepid + test "${IS_GRSECPROCS:=1}" = 1 && check_grsecprocs + test "${IS_APACHEMUNIN:=1}" = 1 && check_apachemunin + test "${IS_MYSQLUTILS:=1}" = 1 && check_mysqlutils + test "${IS_RAIDSOFT:=1}" = 1 && check_raidsoft + test "${IS_AWSTATSLOGFORMAT:=1}" = 1 && check_awstatslogformat + test "${IS_MUNINLOGROTATE:=1}" = 1 && check_muninlogrotate + test "${IS_SQUID:=1}" = 1 && check_squid + test "${IS_EVOMAINTENANCE_FW:=1}" = 1 && check_evomaintenance_fw + test "${IS_MODDEFLATE:=1}" = 1 && check_moddeflate + test "${IS_LOG2MAILRUNNING:=1}" = 1 && check_log2mailrunning + test "${IS_LOG2MAILAPACHE:=1}" = 1 && check_log2mailapache + test "${IS_LOG2MAILMYSQL:=1}" = 1 && check_log2mailmysql + test "${IS_LOG2MAILSQUID:=1}" = 1 && check_log2mailsquid + test "${IS_BINDCHROOT:=1}" = 1 && check_bindchroot + test "${IS_REPVOLATILE:=1}" = 1 && check_repvolatile + test "${IS_NETWORK_INTERFACES:=1}" = 1 && check_network_interfaces + test "${IS_AUTOIF:=1}" = 1 && check_autoif + test "${IS_INTERFACESGW:=1}" = 1 && check_interfacesgw + test "${IS_NETWORKING_SERVICE:=1}" = 1 && check_networking_service + test "${IS_EVOBACKUP:=1}" = 1 && check_evobackup + test "${IS_EVOBACKUP_EXCLUDE_MOUNT:=1}" = 1 && check_evobackup_exclude_mount + test "${IS_USERLOGROTATE:=1}" = 1 && check_userlogrotate + test "${IS_APACHECTL:=1}" = 1 && check_apachectl + test "${IS_APACHESYMLINK:=1}" = 1 && check_apachesymlink + test "${IS_APACHEIPINALLOW:=1}" = 1 && check_apacheipinallow + test "${IS_MUNINAPACHECONF:=1}" = 1 && check_muninapacheconf + test "${IS_SAMBAPINPRIORITY:=1}" = 1 && check_sambainpriority + test "${IS_KERNELUPTODATE:=1}" = 1 && check_kerneluptodate + test "${IS_UPTIME:=1}" = 1 && check_uptime + test "${IS_MUNINRUNNING:=1}" = 1 && check_muninrunning + test "${IS_BACKUPUPTODATE:=1}" = 1 && check_backupuptodate + test "${IS_ETCGIT:=1}" = 1 && check_etcgit + test "${IS_GITPERMS:=1}" = 1 && check_gitperms + test 
"${IS_NOTUPGRADED:=1}" = 1 && check_notupgraded + test "${IS_TUNE2FS_M5:=1}" = 1 && check_tune2fs_m5 + test "${IS_EVOLINUXSUDOGROUP:=1}" = 1 && check_evolinuxsudogroup + test "${IS_USERINADMGROUP:=1}" = 1 && check_userinadmgroup + test "${IS_APACHE2EVOLINUXCONF:=1}" = 1 && check_apache2evolinuxconf + test "${IS_BACKPORTSCONF:=1}" = 1 && check_backportsconf + test "${IS_BIND9MUNIN:=1}" = 1 && check_bind9munin + test "${IS_BIND9LOGROTATE:=1}" = 1 && check_bind9logrotate + test "${IS_BROADCOMFIRMWARE:=1}" = 1 && check_broadcomfirmware + test "${IS_HARDWARERAIDTOOL:=1}" = 1 && check_hardwareraidtool + test "${IS_LOG2MAILSYSTEMDUNIT:=1}" = 1 && check_log2mailsystemdunit + test "${IS_LISTUPGRADE:=1}" = 1 && check_listupgrade + test "${IS_MARIADBEVOLINUXCONF:=0}" = 1 && check_mariadbevolinuxconf + test "${IS_SQL_BACKUP:=1}" = 1 && check_sql_backup + test "${IS_POSTGRES_BACKUP:=1}" = 1 && check_postgres_backup + test "${IS_MONGO_BACKUP:=1}" = 1 && check_mongo_backup + test "${IS_LDAP_BACKUP:=1}" = 1 && check_ldap_backup + test "${IS_REDIS_BACKUP:=1}" = 1 && check_redis_backup + test "${IS_ELASTIC_BACKUP:=1}" = 1 && check_elastic_backup + test "${IS_MARIADBSYSTEMDUNIT:=1}" = 1 && check_mariadbsystemdunit + test "${IS_MYSQLMUNIN:=1}" = 1 && check_mysqlmunin + test "${IS_MYSQLNRPE:=1}" = 1 && check_mysqlnrpe + test "${IS_PHPEVOLINUXCONF:=0}" = 1 && check_phpevolinuxconf + test "${IS_SQUIDLOGROTATE:=1}" = 1 && check_squidlogrotate + test "${IS_SQUIDEVOLINUXCONF:=1}" = 1 && check_squidevolinuxconf + test "${IS_DUPLICATE_FS_LABEL:=1}" = 1 && check_duplicate_fs_label + test "${IS_EVOLIX_USER:=1}" = 1 && check_evolix_user + test "${IS_EVOACME_CRON:=1}" = 1 && check_evoacme_cron + test "${IS_EVOACME_LIVELINKS:=1}" = 1 && check_evoacme_livelinks + test "${IS_APACHE_CONFENABLED:=1}" = 1 && check_apache_confenabled + test "${IS_MELTDOWN_SPECTRE:=1}" = 1 && check_meltdown_spectre + test "${IS_OLD_HOME_DIR:=0}" = 1 && check_old_home_dir + test "${IS_EVOBACKUP_INCS:=1}" = 1 && 
check_evobackup_incs + test "${IS_OSPROBER:=1}" = 1 && check_osprober + test "${IS_JESSIE_BACKPORTS:=1}" = 1 && check_jessie_backports + test "${IS_APT_VALID_UNTIL:=1}" = 1 && check_apt_valid_until + test "${IS_CHROOTED_BINARY_UPTODATE:=1}" = 1 && check_chrooted_binary_uptodate + test "${IS_NGINX_LETSENCRYPT_UPTODATE:=1}" = 1 && check_nginx_letsencrypt_uptodate + test "${IS_LXC_CONTAINER_RESOLV_CONF:=1}" = 1 && check_lxc_container_resolv_conf + test "${IS_CHECK_VERSIONS:=1}" = 1 && check_versions if [ -f "${main_output_file}" ]; then lines_found=$(wc -l < "${main_output_file}") -- 2.39.2 From c7a6b3e6945f839aeac26b87c1d8fa6db22afe88 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 29 Aug 2022 17:03:29 +0200 Subject: [PATCH 182/497] evocheck: upstream release 22.08.1 --- CHANGELOG.md | 2 +- evocheck/files/evocheck.sh | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 323f0c13..1587a7fe 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,7 +19,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed -* evocheck: upstream release 22.08 +* evocheck: upstream release 22.08.1 * openvpn: automate the initialization of the CA and the creation of the server certificate ; use openssl_dhparam module instead of a command ### Fixed diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index e924debd..2771c904 100644 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="22.08" +VERSION="22.08.1" readonly VERSION # base functions 
@@ -575,8 +575,8 @@ check_autoif() {
 interfaces=$(/sbin/ifconfig -s | tail -n +2 | grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap|vrrp)" | cut -d " " -f 1 |tr "\n" " ")
 fi
 for interface in $interfaces; do
- if ! grep -Rq "^auto $interface" /etc/network/interfaces*; then
- failed "IS_AUTOIF" "Network interface \`${interface}' is not set to auto"
+ if grep -Rq "^iface $interface" /etc/network/interfaces* && ! grep -Rq "^auto $interface" /etc/network/interfaces*; then
+ failed "IS_AUTOIF" "Network interface \`${interface}' is statically defined but not set to auto"
 test "${VERBOSE}" = 1 || break
 fi
 done
-- 2.39.2 From efdbdee6a194ba85d8f25dd216a0047c35b566b6 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Mon, 29 Aug 2022 17:28:57 +0200 Subject: [PATCH 183/497] =?UTF-8?q?[generate-ldif]=C2=A0Make=20MariaDB=20v?= =?UTF-8?q?ersion=20detection=20more=20generic.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
--- generate-ldif/templates/generateldif.sh.j2 | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/generate-ldif/templates/generateldif.sh.j2 b/generate-ldif/templates/generateldif.sh.j2
index 17ff759a..229c1443 100755
--- a/generate-ldif/templates/generateldif.sh.j2
+++ b/generate-ldif/templates/generateldif.sh.j2
@@ -408,12 +408,8 @@ EOT fi # MariaDB -if is_pkg_installed mariadb-server-10.3; then - mariadb_version=$(get_pkg_version mariadb-server-10.3) -elif is_pkg_installed mariadb-server-10.1; then - mariadb_version=$(get_pkg_version mariadb-server-10.1) -elif is_pkg_installed mariadb-server-10.0; then - mariadb_version=$(get_pkg_version mariadb-server-10.0) +if is_pkg_installed mariadb-server; then + mariadb_version=$(get_pkg_version mariadb-server) fi if [ -n "${mariadb_version}" ]; then cat <> "${ldif_file}" -- 2.39.2 From 4a3b40d986bc0adde7f96785239233a1d5ab788b Mon Sep 17 00:00:00 2001
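Review bot: Both grep patterns on the new `if` line are anchored only at the start, so `^iface $interface` also matches a longer name with the same prefix (`iface eth0.100` or `iface eth0:1` while `$interface` is `eth0`), and `^auto $interface` is satisfied by `auto eth0.100` even when `eth0` itself has no `auto` stanza — the check can fire on a VLAN sub-interface's definition or stay silent for the parent. Terminate the name in both patterns, e.g. `grep -Rq "^iface ${interface}[[:space:]]" /etc/network/interfaces*` and `grep -Rq -E "^auto ${interface}([[:space:]]|$)" /etc/network/interfaces*` (an `iface` line always has more fields, an `auto` line may end with the name). `$interface` comes from ifconfig output and is interpolated unescaped into a regex, so a dot in an interface name is already a wildcard; that predates this change. The body of `check_autoif` starts before this hunk.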
From: Ludovic Poujol Date: Mon, 29 Aug 2022 17:29:09 +0200 Subject: [PATCH 184/497] generate-ldif: Support any MariaDB version --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1587a7fe..1bc2e240 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -20,6 +20,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed * evocheck: upstream release 22.08.1 +* generate-ldif: Support any MariaDB version * openvpn: automate the initialization of the CA and the creation of the server certificate ; use openssl_dhparam module instead of a command ### Fixed -- 2.39.2 From f2e49d7b121b526a27b38726c8fbe038a695bfdd Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Mon, 29 Aug 2022 18:05:57 +0200 Subject: [PATCH 185/497] mysql: support for new Debian 11 conf for Munin --- mysql/tasks/munin.yml | 31 ++++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/mysql/tasks/munin.yml b/mysql/tasks/munin.yml index 9ee8f95f..7d67065f 100644 --- a/mysql/tasks/munin.yml +++ b/mysql/tasks/munin.yml 
@@ -66,13 +66,42 @@ - replication notify: restart munin-node - - name: verify Munin configuration for mysql + - name: verify Munin configuration for mysql < Debian 11 replace: dest: /etc/munin/plugin-conf.d/munin-node after: '\[mysql\*\]' regexp: '^env.mysqluser (.+)$' replace: 'env.mysqluser debian-sys-maint' notify: restart munin-node + when: ansible_distribution_major_version is version_compare('11', '<') + + - name: set Munin env.mysqluser option for mysql >= Debian 11 + replace: + dest: /etc/munin/plugin-conf.d/munin-node + after: '\[mysql\*\]' + regexp: '^env.mysqluser (.+)$' + replace: 'env.mysqluser root' + notify: restart munin-node + when: ansible_distribution_major_version is version_compare('11', '>=') + + - name: set Munin env.mysqlopts option for mysql >= Debian 11 + replace: + dest: /etc/munin/plugin-conf.d/munin-node + after: '\[mysql\*\]' + regexp: '^env.mysqlopts (.+)$' + replace: 'env.mysqlopts --defaults-file=/root/.my.cnf' + notify: restart munin-node + when: ansible_distribution_major_version is version_compare('11', '>=') + + - name: set Munin env.mysqlconnection option for mysql >= Debian 11 + replace: + dest: /etc/munin/plugin-conf.d/munin-node + after: '\[mysql\*\]' + regexp: '^env.mysqlconnection (.+)$' + replace: 'env.mysqlconnection DBI:mysql:mysql;mysql_read_default_file=/root/.my.cnf' + notify: restart munin-node + when: ansible_distribution_major_version is version_compare('11', '>=') + when: munin_node_plugins_config.stat.exists tags: -- 2.39.2 From 18dd64df50fba229448f74e19af0e5246ddb362c Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Wed, 31 Aug 2022 16:52:25 +0200 Subject: [PATCH 186/497] Add load module mod_ident --- proftpd/templates/evolinux.conf.j2 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/proftpd/templates/evolinux.conf.j2 b/proftpd/templates/evolinux.conf.j2 index 8a810a99..08484714 100644 --- a/proftpd/templates/evolinux.conf.j2 +++ b/proftpd/templates/evolinux.conf.j2 
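Review bot: The three new tasks for Debian >= 11 use the `replace` module with `regexp: '^env.mysqlopts (.+)$'` and `regexp: '^env.mysqlconnection (.+)$'`, which only rewrites a line that already exists; if the `[mysql*]` section of `/etc/munin/plugin-conf.d/munin-node` has no `env.mysqlopts` or `env.mysqlconnection` line (the file is not in this diff, so I cannot confirm it does), the tasks report ok and the plugin keeps its previous connection settings. If those keys are not guaranteed to be present, `ansible.builtin.lineinfile` with `insertafter: '\[mysql\*\]'`, or templating the whole section, makes the result deterministic. Separately, the monitoring plugin now authenticates as `root` through `/root/.my.cnf` instead of `debian-sys-maint`; a dedicated monitoring account granted only the process/replication-status privileges the plugin needs, with its own credentials file readable by the user munin-node runs the plugin as, keeps this least-privilege and avoids exposing root's credentials file to the plugin. The unescaped `.` in `'^env.mysqluser (.+)$'` is harmless but `env\.mysqluser` states the intent.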
@@ -1,5 +1,9 @@ # Evolix's specific configuration + + LoadModule mod_ident.c + + ServerName "{{ proftpd_hostname }} FTP Server" ServerIdent on "FTP Server Ready" AccessGrantMsg "Hey, bienvenue %u sur le serveur FTP {{ proftpd_fqdn }} !" -- 2.39.2 From 3a59f5b7ca020ac9fc1701491676ce564c438710 Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Wed, 31 Aug 2022 17:03:02 +0200 Subject: [PATCH 187/497] Add variable 'proftpd_default_address' on virtualhost --- proftpd/templates/ftps.conf.j2 | 2 +- proftpd/templates/sftp.conf.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/proftpd/templates/ftps.conf.j2 b/proftpd/templates/ftps.conf.j2 index 33a2cff3..2db74b37 100644 --- a/proftpd/templates/ftps.conf.j2 +++ b/proftpd/templates/ftps.conf.j2 @@ -2,7 +2,7 @@ LoadModule mod_tls.c - + TLSEngine on TLSLog /var/log/proftpd/ftps.log TLSProtocol TLSv1 diff --git a/proftpd/templates/sftp.conf.j2 b/proftpd/templates/sftp.conf.j2 index 9a96e5ef..432e9ba8 100644 --- a/proftpd/templates/sftp.conf.j2 +++ b/proftpd/templates/sftp.conf.j2 @@ -6,7 +6,7 @@ LoadModule mod_sftp.c - + SFTPEngine on Port {{ proftpd_sftp_port }} DefaultRoot ~ -- 2.39.2 From d165a104f214667939457022246752f787b9f4f1 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Thu, 1 Sep 2022 11:28:08 +0200 Subject: [PATCH 188/497] * webapps/nextcloud: Add missing dependencies for imagick --- CHANGELOG.md | 1 + webapps/nextcloud/tasks/main.yml | 2 ++ 2 files changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1bc2e240..154b8175 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
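Review bot: The new `LoadModule mod_ident.c` block carries no comment saying why the module is now loaded, and the commit message only restates the change; the angle-bracketed wrapper lines around it appear stripped in this rendering, so whether it is conditioned on `mod_dso.c` cannot be confirmed here. Loading mod_ident makes RFC 1413 lookups available, which means every incoming connection may wait on a lookup to the client's ident port if `IdentLookups` ends up enabled. Set the directive explicitly next to the load (`IdentLookups off` unless lookups are wanted) and add a one-line comment with the actual reason, e.g. `# mod_ident is loaded so that IdentLookups is a recognised directive`, so behaviour does not depend on the module default.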
@@ -28,6 +28,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * haproxy: make it so that munin doesn't break if there is a non default `haproxy_stats_path` * varnish: make `-j ` the first argument on jessie/stretch as it has to be the first argument there. * redis: config directory must be owned by the user that runs the service (to be able to write tmp config files in it) +* webapps/nextcloud: Add missing dependencies for imagick ### Removed diff --git a/webapps/nextcloud/tasks/main.yml b/webapps/nextcloud/tasks/main.yml index 7ce81693..95269246 100644 --- a/webapps/nextcloud/tasks/main.yml +++ b/webapps/nextcloud/tasks/main.yml @@ -16,6 +16,8 @@ - php-apcu - php-redis - php-bcmath + - php-imagick + - libmagickcore-6.q16-6-extra tags: - nextcloud -- 2.39.2 From f74b6f394bbdf2feab5131838683ce978a1b5e7b Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Thu, 1 Sep 2022 12:05:14 +0200 Subject: [PATCH 189/497] nagios-nrpe: add heck_domains --- nagios-nrpe/README.md | 6 +++++ nagios-nrpe/files/plugins/check_domains | 14 +++++++++++ nagios-nrpe/tasks/configure_check_domains.yml | 25 +++++++++++++++++++ nagios-nrpe/tasks/main.yml | 1 + nagios-nrpe/templates/evolix.cfg.j2 | 1 + 5 files changed, 47 insertions(+) create mode 100755 nagios-nrpe/files/plugins/check_domains create mode 100644 nagios-nrpe/tasks/configure_check_domains.yml diff --git a/nagios-nrpe/README.md b/nagios-nrpe/README.md index 6d72920e..c52cab05 100644 --- a/nagios-nrpe/README.md +++ b/nagios-nrpe/README.md @@ -12,3 +12,9 @@ Everything is in the `tasks/main.yml` file. * `nagios_nrpe_force_update_allowed_hosts` : force update list of allowed hosts (default: `False`) The full list of variables (with default values) can be found in `defaults/main.yml`. + +## Available tags + +* `nagios-nrpe` : install Nagios and plugins (idempotent) +* `nagios-plugins` : install only plugins (idempotent) + 
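Review bot: `libmagickcore-6.q16-6-extra` is added with no comment explaining why a specific ImageMagick ABI package is pinned; presumably it supplies the SVG coder that `php-imagick` needs for Nextcloud's theming check, so a line such as `# ImageMagick coders (SVG) required by php-imagick for Nextcloud` would help the next maintainer, and a release-conditional name (or a variable) would avoid a hard apt failure on a Debian release that ships a different `libmagickcore` soname. Since this pulls full ImageMagick into a web application that processes user-uploaded images, it is worth confirming that the distribution's `/etc/ImageMagick-6/policy.xml` coder restrictions are left in place by the role.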
diff --git a/nagios-nrpe/files/plugins/check_domains b/nagios-nrpe/files/plugins/check_domains new file mode 100755 index 00000000..23f48022 --- /dev/null +++ b/nagios-nrpe/files/plugins/check_domains @@ -0,0 +1,14 @@ +#!/usr/bin/bash +# +# Check domains using script inspect-domains. +# +# Written by Will +# + +if ! command -v inspect-domains >/dev/null; then + echo 'UNKNOWN - Missing dependency inspect-domains.' + exit 3 +fi + +inspect-domains -o nrpe -a check-dns + diff --git a/nagios-nrpe/tasks/configure_check_domains.yml b/nagios-nrpe/tasks/configure_check_domains.yml new file mode 100644 index 00000000..0d81b652 --- /dev/null +++ b/nagios-nrpe/tasks/configure_check_domains.yml @@ -0,0 +1,25 @@ +- name: Install check_domains dependency + include_role: + name: inspect-domains + +- name: Configure check_domains in /etc/nagios/nrpe.d/evolix.cfg + ansible.builtin.lineinfile: + path: /etc/nagios/nrpe.d/evolix.cfg + regexp: '^command\[check_domains\]=' + line: command[check_domains]=sudo {{ nagios_plugins_directory }}/check_domains + notify: restart nagios-nrpe-server + +- name: Is evolinux sudoers installed? + ansible.builtin.stat: + path: /etc/sudoers.d/evolinux + register: sudoers_evolinux + +- name: Allow nagios user to execute check_domains without sudo password + ansible.builtin.lineinfile: + path: /etc/sudoers.d/evolinux + regexp: 'check_domains' + line: 'nagios ALL = NOPASSWD: {{ nagios_plugins_directory }}/check_domains' + insertafter: '^nagios' + validate: "visudo -cf %s" + when: sudoers_evolinux.stat.exists + diff --git a/nagios-nrpe/tasks/main.yml b/nagios-nrpe/tasks/main.yml index 77770020..28ab11a9 100644 --- a/nagios-nrpe/tasks/main.yml +++ b/nagios-nrpe/tasks/main.yml @@ -22,6 +22,7 @@ - ansible_distribution == "Debian" - ansible_distribution_major_version is version('10', '>=') tags: + - nagios-nrpe - nagios-plugins - name: custom configuration is present 
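Review bot: The shebang `#!/usr/bin/bash` only resolves on a merged-/usr system; Debian ships bash as `/bin/bash`, and on hosts upgraded in place without the /usr merge the plugin fails with "bad interpreter", which NRPE surfaces as garbled or unknown output. `#!/bin/sh` suffices here since the script only uses `command -v`, `if` and `echo`. Because evolix.cfg runs this wrapper through `sudo` (see configure_check_domains.yml in this series), calling the dependency by the path the inspect-domains role installs it at, `/usr/local/sbin/inspect-domains`, rather than through `PATH` lookup removes one variable from a root-executed command. The exit status of `inspect-domains` is only propagated because it happens to be the last command; `exec /usr/local/sbin/inspect-domains -o nrpe -a check-dns` makes that intent explicit.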
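Review bot: The sudoers rule `nagios ALL = NOPASSWD: {{ nagios_plugins_directory }}/check_domains` grants the nagios user passwordless root on whatever file sits at that path, so it is only as safe as that file's ownership and mode; the task that installs the plugins is outside this diff, so confirm it leaves check_domains `root:root` and not group/world-writable, or add an explicit `ansible.builtin.file` task here with `owner: root`, `group: root`, `mode: '0755'`. The `lineinfile` `regexp: 'check_domains'` is unanchored and will rewrite any sudoers line containing that word, including a comment; `regexp: '^nagios .*check_domains$'` targets only the intended entry. When `/etc/sudoers.d/evolinux` is absent the rule is skipped but the `command[check_domains]=sudo ...` line is still installed, so the check fails at runtime; writing a dedicated drop-in (for example `/etc/sudoers.d/check_domains`, with the same `validate`) removes that dependency. The same command line is also added by the evolix.cfg.j2 template change later in this series, so one of the two is redundant.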
diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2 index ae0e0abd..7546f2bc 100644 --- a/nagios-nrpe/templates/evolix.cfg.j2 +++ b/nagios-nrpe/templates/evolix.cfg.j2 @@ -47,6 +47,7 @@ command[check_proxy]=/usr/lib/nagios/plugins/check_http -H {{ nagios_nrpe_check_ command[check_redis]=/usr/lib/nagios/plugins/check_tcp -p 6379 command[check_clamd]=/usr/lib/nagios/plugins/check_clamd -H /var/run/clamav/clamd.ctl -v command[check_clamav_db]=/usr/lib/nagios/plugins/check_file_age -w 86400 -c 172800 -f /var/lib/clamav/evolix.ndb +command[check_domains]=sudo {{ nagios_plugins_directory }}/check_domains command[check_ssl]=/usr/lib/nagios/plugins/check_http -f follow -I 127.0.0.1 -S -p 443 -H ssl.evolix.net -C 15,5 command[check_ssl_local]={{ nagios_plugins_directory }}/check_ssl_local command[check_elasticsearch]=/usr/lib/nagios/plugins/check_http -I 127.0.0.1 -u /_cat/health?h=st -p 9200 -r 'red' --invert-regex -- 2.39.2 From 46eab710ee92caf0741e0591df8727264fd40018 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Thu, 1 Sep 2022 12:05:44 +0200 Subject: [PATCH 190/497] inspect-domains: add role --- inspect-domains/files/inspect-domains.py | 254 +++++++++++++++++++++++ inspect-domains/tasks/main.yml | 8 + 2 files changed, 262 insertions(+) create mode 100755 inspect-domains/files/inspect-domains.py create mode 100644 inspect-domains/tasks/main.yml diff --git a/inspect-domains/files/inspect-domains.py b/inspect-domains/files/inspect-domains.py new file mode 100755 index 00000000..35f7e410 --- /dev/null +++ b/inspect-domains/files/inspect-domains.py 
@@ -0,0 +1,254 @@ +#!/usr/bin/python3 +# +# Vérifie si les domaines listés dans les configurations de Apache, +# Nginx et Haproxy pointent bien sur le serveur. +# +# Développé par Will +# + +list_domains_path = '/usr/local/sbin/list_domains.py' +excludes_path = '/etc/nagios/domains_exclude.list' +includes_path = '/etc/nagios/domains_include.list' + +import os +import sys +import re +import subprocess +import threading +import time +import argparse + +#import importlib.machinery +#list_domains = importlib.machinery.SourceFileLoader('list_domains.py', list_domains_path).load_module() + + +def execute(cmd): + """Execute Bash command cmd. + Return stdout and stderr as arrays of UTF-8 strings.""" + + proc = subprocess.Popen(cmd.split(), stdout=subprocess.PIPE, stderr=subprocess.PIPE) + stdout, stderr = proc.communicate() + + stdout_lines = stdout.decode('utf-8').splitlines() + stderr_lines = stderr.decode('utf-8').splitlines() + + return stdout_lines, stderr_lines + + +def get_my_ips(): + """Return localhost IPs.""" + stdout, stderr = execute('hostname -I') + if not stdout: + return [] + return stdout[0].strip().split() + + +def dig(domain): + """Return dig +short result on domain as a list.""" + stdout, stderr = execute('dig +short {}'.format(domain)) + return stdout + +def list_apache_domains(): + """Return a dict containing : + - key: Apache domain (from command "apache2ctl -D DUMP_VHOSTS"). 
+ - value: a list of strings "apache::" + """ + domains = {} + + try: + stdout, stderr = execute("apache2ctl -D DUMP_VHOSTS") + except: + # Apache is not on the server + return domains + + vhost_infos = "" + for line in stdout: + dom = "" + words = line.strip().split() + + if "namevhost" in line and len(words) >= 5: + # line format: port namevhost (:) + dom = words[3] + vhost_infos = "apache:" + words[4].strip('()') + + elif "alias" in line and len(words) >= 2: + # line format: alias + dom = words[1] # vhost_infos defined in previous lines + + if dom: + if dom not in domains: + domains[dom] = [] + if vhost_infos not in domains[dom]: + domains[dom].append(vhost_infos) + + return domains + + +class ResolutionThread(threading.Thread): + + def __init__(self, domain): + threading.Thread.__init__(self, daemon=True) + self.domain = domain + self.ips = [] + + def run(self): + """Resolve domain with dig.""" + try: + dig_results = dig(self.domain) + + if not dig_results: + return + + for line in dig_results: + match = re.search('^([0-9abcdef\.:]+)$', line) + if match: + ip = match.group(1) + if ip not in self.ips: + self.ips.append(ip) + + except Exception as e: + #print(e) + return + + +def run_check_domains(domains): + """Check resolution of domains (list).""" + + excludes = ['_'] + timeout = 5 + + my_ips = get_my_ips() + + domains_noexcludes = [dom for dom in domains if dom not in excludes] + + jobs = [] + for dom in domains_noexcludes: + #print(d) + t = ResolutionThread(dom) + t.start() + jobs.append(t) + + # Let secs to DNS servers to answer in jobs threads + time.sleep(timeout) + + timeout_domains = [] + none_domains = [] + outside_ips = {} + ok_domains = [] + + for j in jobs: + if j.is_alive(): + timeout_domains.append(j.domain) + continue + + if not j.ips: + none_domains.append(j.domain) + continue + + is_outside = False + for ip in j.ips: + if ip not in my_ips: + is_outside = True + break + if is_outside: + outside_ips[j.domain] = j.ips + else: + 
ok_domains.append(j.domain) + + return timeout_domains, none_domains, outside_ips, ok_domains + + +def output_check_mode(timeout_domains, none_domains, outside_ips, ok_domains): + """Output result for check mode. + For now, consider everyting as warnings to avoid too much alerts. + """ + + n_ok = len(ok_domains) + n_warnings = len(timeout_domains) + len(none_domains) + len(outside_ips) + + msg = 'WARNING' if n_warnings else 'OK' + + print('{} - 0 UNK / 0 CRIT / {} WARN / {} OK \n'.format(msg, n_warnings, n_ok)) + + if timeout_domains or none_domains or outside_ips: + for d in timeout_domains: + print('WARNING - timeout resolving {}'.format(d)) + for d in none_domains: + print('WARNING - no resolution for {}'.format(d)) + for d in outside_ips: + print('WARNING - {} pointing elsewhere ({})'.format(d, ' '.join(outside_ips[d]))) + + sys.exit(1) if n_warnings else sys.exit(0) + + +def output_friendly_mode(doms, timeout_domains, none_domains, outside_ips): + if timeout_domains or none_domains or outside_ips: + if timeout_domains: print('\nTimeouts:') + for d in timeout_domains: + print('\t{} {}'.format(d, ' '.join(doms[d]))) + if none_domains: print('\nNo resolution:') + for d in none_domains: + print('\t{} {}'.format(d, ' '.join(doms[d]))) + if outside_ips: print('\nPointing elsewhere:') + for d in outside_ips: + print('\t{} {} -> [{}]'.format(d, ' '.join(doms[d]), ' '.join(outside_ips[d]))) + + sys.exit(1) + + print('Domains resolve to right IPs !') + + +def main(argv): + parser = argparse.ArgumentParser() + parser.add_argument('action', metavar='ACTION', help='Values: check-dns, list') + parser.add_argument('-o', '--output-style', help='Values: stdout (default), nrpe') + parser.add_argument('-a', '--all-domains', action='store_true', help='Include all domains (default).') + parser.add_argument('-ap', '--apache-domains', action='store_true', help='Include Apache domains.') + parser.add_argument('-ng', '--nginx-domains', action='store_true', help='Include Nginx 
domains.') + parser.add_argument('-ha', '--haproxy-domains', action='store_true', help='Include HaProxy domains.') + args = parser.parse_args() + + if args.action not in ['check-dns', 'list']: + if args.output_style == 'nrpe': + print('UNKNOWN - unkown {} action, use -h option for help.'.format(args.action)) + sys.exit(3) + else: + print('Unkown {} action, use -h option for help.'.format(args.action)) + sys.exit(1) + + if not (args.all_domains or args.apache_domains or args.nginx_domains or args.haproxy_domains): + print('Domains not specified, looking for all domains (default).') + args.all_domains = True + + doms = [] + + if args.all_domains: + doms.extend(list_apache_domains()) + + else: + if args.apache_domains: + doms.extend(list_apache_domains()) + if args.nginx_domains: + print("Option --nginx-domains not supported yet.") + if args.haproxy_domains: + print("Option --haproxy-domains not supported yet.") + + if not doms: + if args.output_style == 'nrpe': + print('UNKNOWN - No domain found on this server.') + sys.exit(3) + else: + print('No domain found on this server.') + sys.exit(1) + + timeout_domains, none_domains, outside_ips, ok_domains = run_check_domains(doms.keys()) + + if args.check: + output_check_mode(timeout_domains, none_domains, outside_ips, ok_domains) + + else: + output_friendly_mode(doms, timeout_domains, none_domains, outside_ips) + + +if __name__ == '__main__': + main(sys.argv[1:]) diff --git a/inspect-domains/tasks/main.yml b/inspect-domains/tasks/main.yml new file mode 100644 index 00000000..f5d915fe --- /dev/null +++ b/inspect-domains/tasks/main.yml @@ -0,0 +1,8 @@ +- name: Copy inspect-domains script to local sbin + ansible.builtin.copy: + src: inspect-domains.py + dest: /usr/local/sbin/inspect-domains + mode: '0700' + + + -- 2.39.2 From 2bda54a7bdf2f4e80b2eb450e05d269468e21b29 Mon Sep 17 00:00:00 2001 
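Review bot: `main()` cannot complete: `doms` is created as a list and filled with `doms.extend(list_apache_domains())`, which keeps only the dict's keys, yet `run_check_domains(doms.keys())` and `output_friendly_mode(doms, ...)` need the dict, and `if args.check:` reads an attribute argparse never defines (there is no `--check` option), so the invocation used by the check_domains wrapper (`-o nrpe -a check-dns`) dies with an AttributeError and NRPE receives a traceback instead of a status line. The `list` action passes the validity check but is never handled, `os`, `list_domains_path`, `excludes_path` and `includes_path` are unused, and the pattern `'^([0-9abcdef\.:]+)$'` in `ResolutionThread.run` should be a raw string (`r'...'`) to avoid the invalid-escape warning. The rewrite below keeps `doms` a dict and chooses the NRPE-style output when `-o nrpe` is given, which is what the wrapper passes; if check-mode output is meant to follow the action instead, use `args.action == 'check-dns'` as the test. Note also that `output_check_mode` always calls `sys.exit`, and that the bare `except:` in `list_apache_domains` hides everything except the intended case, `except FileNotFoundError:` (apache2ctl not installed).
```python
    doms = {}

    if args.all_domains or args.apache_domains:
        doms.update(list_apache_domains())
    if args.nginx_domains and not args.all_domains:
        print("Option --nginx-domains not supported yet.")
    if args.haproxy_domains and not args.all_domains:
        print("Option --haproxy-domains not supported yet.")

    # … unchanged: "No domain found on this server." handling …

    timeout_domains, none_domains, outside_ips, ok_domains = run_check_domains(doms.keys())

    if args.output_style == 'nrpe':
        output_check_mode(timeout_domains, none_domains, outside_ips, ok_domains)
    else:
        output_friendly_mode(doms, timeout_domains, none_domains, outside_ips)
```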
From: William Hirigoyen Date: Thu, 1 Sep 2022 12:07:47 +0200 Subject: [PATCH 191/497] Update CHANGELOG.md --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 154b8175..5f2190ec 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,12 +16,14 @@ The **patch** part changes is incremented if multiple releases happen the same m * php: install php-xml with recent PHP versions * vrrp: add an `ip.yml` task file to help create VRRP addresses * webapps/nextcloud: Add compatibility with apache2, and apache2 mod_php. +* inspect-domains: Add role ### Changed * evocheck: upstream release 22.08.1 * generate-ldif: Support any MariaDB version * openvpn: automate the initialization of the CA and the creation of the server certificate ; use openssl_dhparam module instead of a command +* nagios-nrpe: Add check_domains ### Fixed -- 2.39.2 From ee67ebca8b198b2d0ff09df094bdb3f20b163024 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Thu, 1 Sep 2022 11:58:24 +0200 Subject: [PATCH 192/497] webapps/nextcloud: Drop support for Nginx --- CHANGELOG.md | 1 + webapps/nextcloud/defaults/main.yml | 1 - webapps/nextcloud/meta/main.yml | 3 - webapps/nextcloud/tasks/main.yml | 7 - webapps/nextcloud/tasks/vhost-nginx.yml | 34 ----- webapps/nextcloud/templates/nginx.conf.j2 | 134 -------------------- webapps/nextcloud/templates/php-fpm.conf.j2 | 17 --- 7 files changed, 1 insertion(+), 196 deletions(-) delete mode 100644 webapps/nextcloud/tasks/vhost-nginx.yml delete mode 100644 webapps/nextcloud/templates/nginx.conf.j2 delete mode 100644 webapps/nextcloud/templates/php-fpm.conf.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index 5f2190ec..4a56dbdb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -35,6 +35,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Removed * evocheck: remove failure if deprecated variable is used +* webapps/nextcloud: Drop support for Nginx ### Security 
diff --git a/webapps/nextcloud/defaults/main.yml b/webapps/nextcloud/defaults/main.yml index 3c1bf40a..574727de 100644 --- a/webapps/nextcloud/defaults/main.yml +++ b/webapps/nextcloud/defaults/main.yml @@ -1,5 +1,4 @@ --- -nextcloud_webserver: 'nginx' nextcloud_version: "21.0.0" nextcloud_archive_name: "nextcloud-{{ nextcloud_version }}.tar.bz2" nextcloud_releases_baseurl: "https://download.nextcloud.com/server/releases/" diff --git a/webapps/nextcloud/meta/main.yml b/webapps/nextcloud/meta/main.yml index d5852e32..ed97d539 100644 --- a/webapps/nextcloud/meta/main.yml +++ b/webapps/nextcloud/meta/main.yml @@ -1,4 +1 @@ --- -# dependencies: - # - { role: nginx, when: nextcloud_webserver == 'nginx' } - # - { role: php, php_fpm_enable: True } diff --git a/webapps/nextcloud/tasks/main.yml b/webapps/nextcloud/tasks/main.yml index 95269246..f11d62fa 100644 --- a/webapps/nextcloud/tasks/main.yml +++ b/webapps/nextcloud/tasks/main.yml @@ -47,14 +47,7 @@ - include: archive.yml -- name: Check if Apache or Nginx - service_facts: - -- include: vhost-nginx.yml - when: "'nginx.service' in services" - - include: vhost-apache.yml - when: "'apache2.service' in services" - include: mysql.yml diff --git a/webapps/nextcloud/tasks/vhost-nginx.yml b/webapps/nextcloud/tasks/vhost-nginx.yml deleted file mode 100644 index 1f1592cc..00000000 --- a/webapps/nextcloud/tasks/vhost-nginx.yml +++ /dev/null 
@@ -1,34 +0,0 @@ ---- -- block: - - name: Copy Nginx vhost - template: - src: nginx.conf.j2 - dest: "/etc/nginx/sites-available/{{ nextcloud_instance_name }}.conf" - mode: "0640" - notify: reload nginx - tags: - - nextcloud - - - name: Enable Nginx vhost - file: - src: "/etc/nginx/sites-available/{{ nextcloud_instance_name }}.conf" - dest: "/etc/nginx/sites-enabled/{{ nextcloud_instance_name }}.conf" - state: link - notify: reload nginx - tags: - - nextcloud - - - name: Generate ssl config - shell: - cmd: "/usr/local/sbin/vhost-domains {{ nextcloud_instance_name }} | /usr/local/sbin/make-csr {{ nextcloud_instance_name }}" - creates: "/etc/nginx/ssl/{{ nextcloud_instance_name }}.conf" - - - name: Copy PHP-FPM pool - template: - src: php-fpm.conf.j2 - dest: "/etc/php/7.3/fpm/pool.d/{{ nextcloud_instance_name }}.conf" - mode: "0640" - notify: reload php-fpm - tags: - - nextcloud - when: nextcloud_webserver == 'nginx' diff --git a/webapps/nextcloud/templates/nginx.conf.j2 b/webapps/nextcloud/templates/nginx.conf.j2 deleted file mode 100644 index c2b7b7e3..00000000 --- a/webapps/nextcloud/templates/nginx.conf.j2 +++ /dev/null 
@@ -1,134 +0,0 @@ -upstream php-handler-{{ nextcloud_instance_name }} { - server unix:/var/run/php/php-fpm-{{ nextcloud_instance_name }}.sock; -} - -server { - listen 80; - listen [::]:80; - listen 443 ssl http2; - listen [::]:443 ssl http2; - - server_name {{ nextcloud_domains | join(' ') }}; - - access_log {{ nextcloud_home }}/log/access.log; - error_log {{ nextcloud_home }}/log/error.log; - - include /etc/nginx/snippets/letsencrypt.conf; - include /etc/nginx/ssl/{{ nextcloud_instance_name }}.conf; - - add_header Referrer-Policy "no-referrer" always; - add_header X-Content-Type-Options "nosniff" always; - add_header X-Download-Options "noopen" always; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-Permitted-Cross-Domain-Policies "none" always; - add_header X-Robots-Tag "none" always; - add_header X-XSS-Protection "1; mode=block" always; - - # Remove X-Powered-By, which is an information leak - fastcgi_hide_header X-Powered-By; - - root {{ nextcloud_webroot }}; - - location = /robots.txt { - allow all; - log_not_found off; - access_log off; - } - - # Make a regex exception for `/.well-known` so that clients can still - # access it despite the existence of the regex rule - # `location ~ /(\.|autotest|...)` which would otherwise handle requests - # for `/.well-known`. 
- location ^~ /.well-known { - # The following 6 rules are borrowed from `.htaccess` - - location = /.well-known/carddav { return 301 /remote.php/dav/; } - location = /.well-known/caldav { return 301 /remote.php/dav/; } - # Anything else is dynamically handled by Nextcloud - location ^~ /.well-known { return 301 /index.php$uri; } - location ~ ^/.well-known/acme-challenge/* { allow all; } - - try_files $uri $uri/ =404; - } - - # set max upload size - client_max_body_size 512M; - fastcgi_buffers 64 4K; - - # Enable gzip but do not remove ETag headers - gzip on; - gzip_vary on; - gzip_comp_level 4; - gzip_min_length 256; - gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; - gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; - - - location / { - rewrite ^ /index.php; - } - - location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ { - deny all; - } - location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) { - deny all; - } - - - location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy)\.php(?:$|\/) { - fastcgi_split_path_info ^(.+?\.php)(\/.*|)$; - set $path_info $fastcgi_path_info; - try_files $fastcgi_script_name =404; - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param PATH_INFO $path_info; - fastcgi_param HTTPS on; - # Avoid sending the security headers twice - fastcgi_param modHeadersAvailable true; - # Enable pretty urls - fastcgi_param front_controller_active true; - 
fastcgi_pass php-handler-{{ nextcloud_instance_name }}; - fastcgi_intercept_errors on; - fastcgi_request_buffering off; - } - - location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) { - try_files $uri/ =404; - index index.php; - } - - # Adding the cache control header for js, css and map files - # Make sure it is BELOW the PHP block - location ~ \.(?:css|js|woff2?|svg|gif|map)$ { - try_files $uri /index.php$request_uri; - add_header Cache-Control "public, max-age=15778463"; - # Add headers to serve security related headers (It is intended to - # have those duplicated to the ones above) - # Before enabling Strict-Transport-Security headers please read into - # this topic first. - #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; - # - # WARNING: Only add the preload option once you read about - # the consequences in https://hstspreload.org/. This option - # will add the domain to a hardcoded list that is shipped - # in all major browsers and getting removed from this list - # could take several months. - add_header Referrer-Policy "no-referrer" always; - add_header X-Content-Type-Options "nosniff" always; - add_header X-Download-Options "noopen" always; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-Permitted-Cross-Domain-Policies "none" always; - add_header X-Robots-Tag "none" always; - add_header X-XSS-Protection "1; mode=block" always; - - # Optional: Don't log access to assets - access_log off; - } - - location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$ { - try_files $uri /index.php$request_uri; - # Optional: Don't log access to other assets - access_log off; - } -} diff --git a/webapps/nextcloud/templates/php-fpm.conf.j2 b/webapps/nextcloud/templates/php-fpm.conf.j2 deleted file mode 100644 index 1b4c7861..00000000 --- a/webapps/nextcloud/templates/php-fpm.conf.j2 +++ /dev/null 
@@ -1,17 +0,0 @@ -[{{ nextcloud_instance_name }}] -user = {{ nextcloud_user }} -group = {{ nextcloud_user }} -listen = /run/php/php-fpm-{{ nextcloud_instance_name }}.sock -listen.owner = {{ nextcloud_user }} -listen.group = {{ nextcloud_user }} - -pm = ondemand -pm.max_children = 50 -pm.process_idle_timeout = 120s -pm.status_path = /fpm_status - -env[HOSTNAME] = $HOSTNAME -env[PATH] = /usr/local/bin:/usr/bin:/bin -env[TMP] = {{ nextcloud_home }}/tmp -env[TMPDIR] = {{ nextcloud_home }}/tmp -env[TEMP] = {{ nextcloud_home }}/tmp -- 2.39.2 From a03a338af94a406dbbd7b414d39fc83c2863effc Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Thu, 1 Sep 2022 12:02:23 +0200 Subject: [PATCH 193/497] webapps/nextcloud: Use var nextcloud_user for unix group instead of instance_name to prevent mixup --- webapps/nextcloud/tasks/user.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/webapps/nextcloud/tasks/user.yml b/webapps/nextcloud/tasks/user.yml index e89fe41a..dfe3a9cb 100644 --- a/webapps/nextcloud/tasks/user.yml +++ b/webapps/nextcloud/tasks/user.yml @@ -1,7 +1,7 @@ --- - name: Create Nextcloud group group: - name: "{{ nextcloud_instance_name | mandatory }}" + name: "{{ nextcloud_user | mandatory }}" state: present tags: - nextcloud @@ -9,7 +9,7 @@ - name: Create Nextcloud user user: name: "{{ nextcloud_user | mandatory }}" - group: "{{ nextcloud_user }}" + group: "{{ nextcloud_user | mandatory }}" home: "{{ nextcloud_home | mandatory }}" shell: '/bin/bash' create_home: True -- 2.39.2 From 2656b5fc519633472d63b11f9b99737eded49bf0 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Thu, 1 Sep 2022 12:38:10 +0200 Subject: [PATCH 194/497] webapp/nextcloud: Change default folder mode to 0700 (+ better tasks name for user/group creation) --- webapps/nextcloud/tasks/user.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/webapps/nextcloud/tasks/user.yml b/webapps/nextcloud/tasks/user.yml index dfe3a9cb..4df6737d 100644 
--- a/webapps/nextcloud/tasks/user.yml +++ b/webapps/nextcloud/tasks/user.yml @@ -1,12 +1,12 @@ --- -- name: Create Nextcloud group +- name: Create {{ nextcloud_user }} unix group group: name: "{{ nextcloud_user | mandatory }}" state: present tags: - nextcloud -- name: Create Nextcloud user +- name: Create {{ nextcloud_user | mandatory }} unix user user: name: "{{ nextcloud_user | mandatory }}" group: "{{ nextcloud_user | mandatory }}" @@ -28,7 +28,7 @@ file: dest: "{{ item }}" state: directory - mode: "0770" + mode: "0700" owner: "{{ nextcloud_user }}" group: "{{ nextcloud_user }}" loop: -- 2.39.2 From 1ad3e0de37fa948a7bf8378eaf6d4f309f098c50 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Thu, 1 Sep 2022 12:38:46 +0200 Subject: [PATCH 195/497] webapp/nextcloud: Dont add www-data to the application group --- webapps/nextcloud/tasks/user.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/webapps/nextcloud/tasks/user.yml b/webapps/nextcloud/tasks/user.yml index 4df6737d..8fa3fee1 100644 --- a/webapps/nextcloud/tasks/user.yml +++ b/webapps/nextcloud/tasks/user.yml @@ -18,12 +18,6 @@ tags: - nextcloud -- name: Add the user 'www-data' to Nextcloud group - user: - name: www-data - groups: "{{ nextcloud_user | mandatory }}" - append: yes - - name: Create top-level directories file: dest: "{{ item }}" -- 2.39.2 From d5e34d0a7776569e4cd43e0aa2984ec23084b8f7 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Thu, 1 Sep 2022 12:40:36 +0200 Subject: [PATCH 196/497] webapp/nextcloud: Multiple changes in vhost - Have only one domain as ServerName (otherwise you get an invalid apache config - Add all other domains as ServerAlias - Remove auto redirect vers ServerName - Correct indentation --- webapps/nextcloud/templates/apache.conf.j2 | 30 ++++++++++------------ 1 file changed, 14 insertions(+), 16 deletions(-) diff --git a/webapps/nextcloud/templates/apache.conf.j2 b/webapps/nextcloud/templates/apache.conf.j2 index 20a4d2eb..6844933d 100644 
--- a/webapps/nextcloud/templates/apache.conf.j2 +++ b/webapps/nextcloud/templates/apache.conf.j2 @@ -1,5 +1,9 @@ - ServerName {{ nextcloud_domains | join(' ') }} + ServerName {{ nextcloud_domains[0] }} + + {% for domain_alias in nextcloud_domains[1:] %} + ServerAlias {{ domain_alias }} + {% endfor %} DocumentRoot {{ nextcloud_webroot }}/ @@ -13,22 +17,16 @@ - # user - group (thanks to sesse@debian.org) - AssignUserID {{ nextcloud_instance_name }} {{ nextcloud_instance_name }} + # user - group (thanks to sesse@debian.org) + AssignUserID {{ nextcloud_user }} {{ nextcloud_user }} - # LOG - CustomLog /var/log/apache2/access.log vhost_combined - CustomLog /home/{{ nextcloud_instance_name }}/log/access.log combined - ErrorLog /home/{{ nextcloud_instance_name }}/log/error.log + # LOG + CustomLog /var/log/apache2/access.log vhost_combined + CustomLog /home/{{ nextcloud_instance_name }}/log/access.log combined + ErrorLog /home/{{ nextcloud_instance_name }}/log/error.log - # REWRITE - UseCanonicalName On - RewriteEngine On - RewriteCond %{HTTP_HOST} !^{{ nextcloud_domains | join(' ') }}$ - RewriteRule ^/(.*) http://%{SERVER_NAME}/$1 [L,R] - - # PHP - php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f {{ nextcloud_instance_name }}" - php_admin_value open_basedir "/usr/share/php:/home/{{ nextcloud_instance_name }}:/tmp" + # PHP + php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f {{ nextcloud_user }}" + php_admin_value open_basedir "/usr/share/php:{{ nextcloud_home }}:/tmp" \ No newline at end of file -- 2.39.2 From 5c7a7fe768e6139ae42cce142bd89cb64460412d Mon Sep 17 00:00:00 2001 
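Review bot: The new `php_admin_value open_basedir "/usr/share/php:{{ nextcloud_home }}:/tmp"` keeps the shared, world-writable `/tmp` inside the instance's PHP sandbox, whereas the php-fpm pool removed in the previous commit pinned `TMP`/`TMPDIR`/`TEMP` to `{{ nextcloud_home }}/tmp`; with mod_php the equivalent is `php_admin_value sys_temp_dir "{{ nextcloud_home }}/tmp"` and `php_admin_value upload_tmp_dir "{{ nextcloud_home }}/tmp"`, after which `/tmp` can be dropped from open_basedir (assuming that directory is among those created by user.yml, whose loop items are not in view). Dropping the `RewriteCond %{HTTP_HOST}` redirect also means nothing in the vhost canonicalises the Host header any more, so Nextcloud's own `trusted_domains` setting is presumably the only guard left; a one-line comment saying so next to the `ServerAlias` loop would save the next operator a search. `ServerName {{ nextcloud_domains[0] }}` raises an opaque index error when the list is empty; `{{ (nextcloud_domains | mandatory)[0] }}` gives the same clear failure the other templates use.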
From: Ludovic Poujol Date: Thu, 1 Sep 2022 12:43:56 +0200 Subject: [PATCH 197/497] webapp/nextlcloud: Reorganize tasks files - Apache : Split system/vhost stuff - MySQL : Rename task file to follow same convention as apache --- webapps/nextcloud/tasks/apache-system.yml | 30 ++++++++++++ webapps/nextcloud/tasks/apache-vhost.yml | 23 +++++++++ webapps/nextcloud/tasks/main.yml | 10 ++-- .../tasks/{mysql.yml => mysql-user.yml} | 0 webapps/nextcloud/tasks/vhost-apache.yml | 48 ------------------- .../{apache.conf.j2 => apache-vhost.conf.j2} | 0 6 files changed, 59 insertions(+), 52 deletions(-) create mode 100644 webapps/nextcloud/tasks/apache-system.yml create mode 100644 webapps/nextcloud/tasks/apache-vhost.yml rename webapps/nextcloud/tasks/{mysql.yml => mysql-user.yml} (100%) delete mode 100644 webapps/nextcloud/tasks/vhost-apache.yml rename webapps/nextcloud/templates/{apache.conf.j2 => apache-vhost.conf.j2} (100%) diff --git a/webapps/nextcloud/tasks/apache-system.yml b/webapps/nextcloud/tasks/apache-system.yml new file mode 100644 index 00000000..38b85906 --- /dev/null +++ b/webapps/nextcloud/tasks/apache-system.yml @@ -0,0 +1,30 @@ +--- + +- name: Enable apache2 php configuration + copy: + src: "zzz-apache2-evolinux-custom.ini" + dest: "/etc/php/7.4/apache2/conf.d/zzz-evolinux-custom.ini" + mode: "0644" + owner: root + group: root + force: yes + notify: reload apache + tags: + - nextcloud + +- name: Enable cli php configuration + copy: + src: "zzz-cli-evolinux-custom.ini" + dest: "/etc/php/7.4/cli/conf.d/zzz-evolinux-custom.ini" + mode: "0644" + owner: root + group: root + force: yes + notify: reload apache + tags: + - nextcloud + +# - name: Generate ssl config +# shell: +# cmd: "/usr/local/sbin/vhost-domains {{ nextcloud_instance_name }} | /usr/local/sbin/make-csr {{ nextcloud_instance_name }}" +# creates: "/etc/nginx/ssl/{{ nextcloud_instance_name }}.conf" \ No newline at end of file 
diff --git a/webapps/nextcloud/tasks/apache-vhost.yml b/webapps/nextcloud/tasks/apache-vhost.yml new file mode 100644 index 00000000..e3f213ca --- /dev/null +++ b/webapps/nextcloud/tasks/apache-vhost.yml @@ -0,0 +1,23 @@ +--- +- name: Copy Apache vhost + template: + src: apache-vhost.conf.j2 + dest: "/etc/apache2/sites-available/{{ nextcloud_instance_name }}.conf" + mode: "0640" + notify: reload apache + tags: + - nextcloud + +- name: Enable Apache vhost + file: + src: "/etc/apache2/sites-available/{{ nextcloud_instance_name }}.conf" + dest: "/etc/apache2/sites-enabled/{{ nextcloud_instance_name }}.conf" + state: link + notify: reload apache + tags: + - nextcloud + +# - name: Generate ssl config +# shell: +# cmd: "/usr/local/sbin/vhost-domains {{ nextcloud_instance_name }} | /usr/local/sbin/make-csr {{ nextcloud_instance_name }}" +# creates: "/etc/nginx/ssl/{{ nextcloud_instance_name }}.conf" \ No newline at end of file diff --git a/webapps/nextcloud/tasks/main.yml b/webapps/nextcloud/tasks/main.yml index f11d62fa..2823f8f5 100644 --- a/webapps/nextcloud/tasks/main.yml +++ b/webapps/nextcloud/tasks/main.yml @@ -21,7 +21,7 @@ tags: - nextcloud -# dependency for mysql_user and mysql_db +# dependency for mysql_user and mysql_db - python2 - name: python modules is installed (Ansible dependency) apt: name: @@ -32,7 +32,7 @@ - nextcloud when: ansible_python_version is version('3', '<') -# dependency for mysql_user and mysql_db +# dependency for mysql_user and mysql_db - python3 - name: python3 modules is installed (Ansible dependency) apt: name: @@ -43,12 +43,14 @@ - nextcloud when: ansible_python_version is version('3', '>=') +- include: apache-system.yml + - include: user.yml - include: archive.yml -- include: vhost-apache.yml +- include: apache-vhost.yml -- include: mysql.yml +- include: mysql-user.yml - include: config.yml 
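Review bot: The commented "Generate ssl config" task carried into apache-vhost.yml still guards on `creates: "/etc/nginx/ssl/{{ nextcloud_instance_name }}.conf"`, a path that can never reflect the state of an Apache vhost, and the same dead block is duplicated at the end of apache-system.yml; either delete it or point the `creates:` at the Apache/certbot path the role actually uses, and keep only one copy. In main.yml the new `- include: apache-system.yml` / `- include: apache-vhost.yml` lines use the deprecated bare `include:` form; `import_tasks:` (static) matches the tag-based invocation the role relies on. The `template:` task sets `mode: "0640"` without an explicit `owner: root` / `group: root`, so the vhost file's readability by the www-data group depends on whatever the play's become user happens to be.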
diff --git a/webapps/nextcloud/tasks/mysql.yml b/webapps/nextcloud/tasks/mysql-user.yml similarity index 100% rename from webapps/nextcloud/tasks/mysql.yml rename to webapps/nextcloud/tasks/mysql-user.yml diff --git a/webapps/nextcloud/tasks/vhost-apache.yml b/webapps/nextcloud/tasks/vhost-apache.yml deleted file mode 100644 index b710b07a..00000000 --- a/webapps/nextcloud/tasks/vhost-apache.yml +++ /dev/null @@ -1,48 +0,0 @@ ---- -- block: - - name: Copy Apache vhost - template: - src: apache.conf.j2 - dest: "/etc/apache2/sites-available/{{ nextcloud_instance_name }}.conf" - mode: "0640" - notify: reload apache - tags: - - nextcloud - - - name: Enable Apache vhost - file: - src: "/etc/apache2/sites-available/{{ nextcloud_instance_name }}.conf" - dest: "/etc/apache2/sites-enabled/{{ nextcloud_instance_name }}.conf" - state: link - notify: reload apache - tags: - - nextcloud - - - name: Enable apache2 php configuration - copy: - src: "zzz-apache2-evolinux-custom.ini" - dest: "/etc/php/7.4/apache2/conf.d/zzz-evolinux-custom.ini" - mode: "0644" - owner: root - group: root - force: yes - notify: reload apache - tags: - - nextcloud - - - name: Enable cli php configuration - copy: - src: "zzz-cli-evolinux-custom.ini" - dest: "/etc/php/7.4/cli/conf.d/zzz-evolinux-custom.ini" - mode: "0644" - owner: root - group: root - force: yes - notify: reload apache - tags: - - nextcloud - - # - name: Generate ssl config - # shell: - # cmd: "/usr/local/sbin/vhost-domains {{ nextcloud_instance_name }} | /usr/local/sbin/make-csr {{ nextcloud_instance_name }}" - # creates: "/etc/nginx/ssl/{{ nextcloud_instance_name }}.conf" \ No newline at end of file diff --git a/webapps/nextcloud/templates/apache.conf.j2 b/webapps/nextcloud/templates/apache-vhost.conf.j2 similarity index 100% rename from webapps/nextcloud/templates/apache.conf.j2 rename to webapps/nextcloud/templates/apache-vhost.conf.j2 -- 2.39.2 From 4bb2edae696aa7d228490a6dbbda5d9d44092b24 Mon Sep 17 00:00:00 2001 
From: Ludovic Poujol Date: Thu, 1 Sep 2022 12:44:21 +0200 Subject: [PATCH 198/497] webapp/nextcloud: Use latest version of branch 24 --- webapps/nextcloud/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/webapps/nextcloud/defaults/main.yml b/webapps/nextcloud/defaults/main.yml index 574727de..5c586620 100644 --- a/webapps/nextcloud/defaults/main.yml +++ b/webapps/nextcloud/defaults/main.yml @@ -1,6 +1,6 @@ --- -nextcloud_version: "21.0.0" -nextcloud_archive_name: "nextcloud-{{ nextcloud_version }}.tar.bz2" +nextcloud_version: "latest-24" +nextcloud_archive_name: "{{ nextcloud_version }}.tar.bz2" nextcloud_releases_baseurl: "https://download.nextcloud.com/server/releases/" nextcloud_instance_name: "nextcloud" -- 2.39.2 From 16e0f923ef34dac850bf4ffe37c205f008879c3f Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Thu, 1 Sep 2022 14:58:35 +0200 Subject: [PATCH 199/497] check_domains: Fix script and check --- inspect-domains/files/inspect-domains.py | 8 ++++---- nagios-nrpe/files/plugins/check_domains | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/inspect-domains/files/inspect-domains.py b/inspect-domains/files/inspect-domains.py index 35f7e410..e1120994 100755 --- a/inspect-domains/files/inspect-domains.py +++ b/inspect-domains/files/inspect-domains.py @@ -220,14 +220,14 @@ def main(argv): print('Domains not specified, looking for all domains (default).') args.all_domains = True - doms = [] + doms = {} if args.all_domains: - doms.extend(list_apache_domains()) + doms.update(list_apache_domains()) else: if args.apache_domains: - doms.extend(list_apache_domains()) + doms.update(list_apache_domains()) if args.nginx_domains: print("Option --nginx-domains not supported yet.") if args.haproxy_domains: 
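Review bot: The informational `print('Domains not specified, looking for all domains (default).')` at the top of this hunk writes to stdout, and with the output style now switched on `args.output_style == 'nrpe'` (selected further down, outside this hunk) that line would be consumed by NRPE as the plugin's status text whenever no domain flag is given; route it to stderr, `print('Domains not specified, looking for all domains (default).', file=sys.stderr)`, assuming `sys` is already imported at module level. The move from `doms.extend(...)` to `doms.update(...)` also silently overwrites the vhost-info list of a domain returned by more than one source, which does not matter while only Apache is supported but will once Nginx lands. `main()` starts and ends outside this hunk.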
@@ -243,7 +243,7 @@ def main(argv): timeout_domains, none_domains, outside_ips, ok_domains = run_check_domains(doms.keys()) - if args.check: + if args.output_style == 'nrpe': output_check_mode(timeout_domains, none_domains, outside_ips, ok_domains) else: diff --git a/nagios-nrpe/files/plugins/check_domains b/nagios-nrpe/files/plugins/check_domains index 23f48022..78db2914 100755 --- a/nagios-nrpe/files/plugins/check_domains +++ b/nagios-nrpe/files/plugins/check_domains @@ -1,4 +1,4 @@ -#!/usr/bin/bash +#!/bin/bash # # Check domains using script inspect-domains. # -- 2.39.2 From 1f52700b47587dfde4b84d21f51a2948478d5527 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Thu, 1 Sep 2022 15:32:56 +0200 Subject: [PATCH 200/497] memcached: NRPE check for multi-instance setup Also some cleanup & split of tasks between single and multi instance Note: Munin part seems still broken at the time --- CHANGELOG.md | 1 + memcached/files/check_memcached_instances.sh | 82 ++++++++++++++++++++ memcached/tasks/instance-default.yml | 17 ++++ memcached/tasks/instance-multi.yml | 41 ++++++++++ memcached/tasks/main.yml | 68 ++-------------- memcached/tasks/munin.yml | 2 +- memcached/tasks/nrpe.yml | 29 +++++-- 7 files changed, 171 insertions(+), 69 deletions(-) create mode 100644 memcached/files/check_memcached_instances.sh create mode 100644 memcached/tasks/instance-default.yml create mode 100644 memcached/tasks/instance-multi.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 4a56dbdb..1b6ead1b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * vrrp: add an `ip.yml` task file to help create VRRP addresses * webapps/nextcloud: Add compatibility with apache2, and apache2 mod_php. * inspect-domains: Add role +* memcached: NRPE check for multi-instance setup ### Changed 
diff --git a/memcached/files/check_memcached_instances.sh b/memcached/files/check_memcached_instances.sh new file mode 100644 index 00000000..9e468670 --- /dev/null +++ b/memcached/files/check_memcached_instances.sh 
@@ -0,0 +1,82 @@
+#!/bin/sh
+
+# {{ ansible_managed }}
+
+set -u
+
+return=0
+nb_crit=0
+nb_warn=0
+nb_ok=0
+nb_unchk=0
+output=""
+
+vendored_check=/usr/local/lib/nagios/plugins/check_memcached.pl
+
+if [ -x $vendored_check ]; then
+ check_bin=$vendored_check
+else
+ echo "UNCHK - can't find check_memcached"
+ exit 3
+fi
+
+check_server() {
+ name=$1
+ conf_file=$2
+
+ host=$(config_var "-l" "${conf_file}")
+ port=$(config_var "-p" "${conf_file}")
+
+ cmd="${check_bin} -H ${host} -p ${port}"
+
+ result=$($cmd)
+ ret="${?}"
+ if [ "${ret}" -ge 2 ]; then
+ nb_crit=$((nb_crit + 1))
+ printf -v output "%s%s\n" "${output}" "${result}"
+ [ "${return}" -le 2 ] && return=2
+ elif [ "${ret}" -ge 1 ]; then
+ nb_warn=$((nb_warn + 1))
+ printf -v output "%s%s\n" "${output}" "${result}"
+ [ "${return}" -le 1 ] && return=1
+ else
+ nb_ok=$((nb_ok + 1))
+ printf -v output "%s%s\n" "${output}" "${result}"
+ [ "${return}" -le 0 ] && return=0
+ fi
+}
+config_var() {
+ variable=$1
+ file=$2
+ test -f "${file}" && grep -E "^${variable}\s+.+$" "${file}" | awk '{ print $2 }' | sed -e "s/^[\"']//" -e "s/[\"']$//"
+}
+
+# default instance
+if systemctl is-enabled -q memcached; then
+ check_server "default" "/etc/memcached.conf"
+fi
+
+# additional instances
+conf_files=$(ls -1 /etc/memcached_*.conf 2> /dev/null)
+for conf_file in ${conf_files}; do
+ name=$(basename "${conf_file}" | sed '{s|memcached_||;s|\.conf||}')
+ if systemctl is-enabled -q "memcached@${name}.service"; then
+ check_server "${name}" "${conf_file}"
+ else
+ nb_unchk=$((nb_unchk + 1))
+ output="${output}UNCHK - ${name} (unit is disabled or missing)\n"
+ fi
+done
+
+[ "${return}" -ge 0 ] && header="OK"
+[ "${return}" -ge 1 ] && header="WARNING"
+[ "${return}" -ge 2 ] && header="CRITICAL"
+
+printf "%s - %s UNCHK / %s CRIT / %s WARN / %s OK\n\n" "${header}" "${nb_unchk}" "${nb_crit}" "${nb_warn}" "${nb_ok}"
+
+printf "%s" "${output}" | grep -E "CRITICAL"
+printf "%s" "${output}" | grep -E "WARNING"
+printf "%s"
"${output}" | grep -E "OK" +printf "%s" "${output}" | grep -E "UNCHK" + +exit "${return}" diff --git a/memcached/tasks/instance-default.yml b/memcached/tasks/instance-default.yml new file mode 100644 index 00000000..635b3576 --- /dev/null +++ b/memcached/tasks/instance-default.yml @@ -0,0 +1,17 @@ + +- name: Memcached is configured. + template: + src: memcached.conf.j2 + dest: /etc/memcached.conf + mode: "0644" + notify: restart memcached + tags: + - memcached + +- name: Memcached is running and enabled on boot. + service: + name: memcached + enabled: yes + state: started + tags: + - memcached diff --git a/memcached/tasks/instance-multi.yml b/memcached/tasks/instance-multi.yml new file mode 100644 index 00000000..61568a5d --- /dev/null +++ b/memcached/tasks/instance-multi.yml @@ -0,0 +1,41 @@ +--- + +- name: Add systemd unit template + copy: + src: memcached@.service + dest: /etc/systemd/system/memcached@.service + tags: + - memcached + +- name: Disable default memcached systemd unit + systemd: + name: memcached + enabled: false + state: stopped + tags: + - memcached + +- name: Make sure memcached.conf is absent + file: + path: /etc/memcached.conf + state: absent + tags: + - memcached + +- name: "Create a configuration file for instance ({{ memcached_instance_name }})" + template: + src: memcached.conf.j2 + dest: /etc/memcached_{{ memcached_instance_name }}.conf + mode: "0644" + tags: + - memcached + +- name: "Enable and start the memcached instance ({{ memcached_instance_name }})" + systemd: + name: memcached@{{ memcached_instance_name }} + enabled: yes + state: started + daemon_reload: yes + masked: no + tags: + - memcached diff --git a/memcached/tasks/main.yml b/memcached/tasks/main.yml index 0159f8d6..86d0aa40 100644 --- a/memcached/tasks/main.yml +++ b/memcached/tasks/main.yml 
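Review bot: The UNCHK branch appends a literal backslash-n, because `\n` inside a double-quoted assignment is not an escape, while every other entry is built with `printf -v output "%s%s\n"`, so disabled instances end up glued onto one line and the final `grep -E "UNCHK"` prints them as a single run; use the same builder, `printf -v output "%sUNCHK - %s (unit is disabled or missing)\n" "${output}" "${name}"`. `config_var` returns an empty string when a config file omits `-l` or `-p` (memcached then falls back to its built-in defaults), which leaves `check_server` running `check_memcached.pl -H  -p` and reporting that as a CRITICAL; defaulting with `host=${host:-127.0.0.1}` and `port=${port:-11211}` after the two lookups matches what the daemon actually binds. Parsing `ls -1 /etc/memcached_*.conf` can be replaced by iterating the glob directly, which also survives odd characters in file names.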
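Review bot: The per-instance "Create a configuration file" task in instance-multi.yml has no `notify`, so a change to `/etc/memcached_{{ memcached_instance_name }}.conf` is written but never applied to the running `memcached@{{ memcached_instance_name }}` unit, whereas the default-instance task keeps `notify: restart memcached`; add `notify: restart memcached instance` and a matching handler for the templated unit (the role's handlers are not in view, so that handler may still need to be written). The systemd unit template copy also omits `mode`/`owner`/`group`, which the rest of this role sets explicitly on every file it drops.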
@@ -1,73 +1,15 @@ -- name: ensure packages are installed +- name: Ensure memcached is installed apt: name: memcached state: present tags: - memcached -- name: Memcached is configured. - template: - src: memcached.conf.j2 - dest: /etc/memcached.conf - mode: "0644" - notify: restart memcached - tags: - - memcached - when: memcached_instance_name | length == 0 +- include: instance-default.yml + when: memcached_instance_name is undefined -- name: Memcached is running and enabled on boot. - service: - name: memcached - enabled: yes - state: started - tags: - - memcached - when: memcached_instance_name | length == 0 - -- name: Add systemd template - copy: - src: memcached@.service - dest: /etc/systemd/system/memcached@.service - tags: - - memcached - when: memcached_instance_name | length > 0 - -- name: Delete default memcached systemd configuration file - systemd: - name: memcached - enabled: false - state: stopped - tags: - - memcached - when: memcached_instance_name | length > 0 - -- name: Make sure memcached.conf is absent - file: - path: /etc/memcached.conf - state: absent - tags: - - memcached - when: memcached_instance_name | length > 0 - -- name: Create a configuration file - template: - src: memcached.conf.j2 - dest: /etc/memcached_{{ memcached_instance_name }}.conf - mode: "0644" - tags: - - memcached - when: memcached_instance_name | length > 0 - -- name: Enable and start the memcached instance - systemd: - name: memcached@{{ memcached_instance_name }} - enabled: yes - state: started - daemon_reload: yes - masked: no - tags: - - memcached - when: memcached_instance_name | length > 0 +- include: instance-multi.yml + when: memcached_instance_name is defined - include: munin.yml diff --git a/memcached/tasks/munin.yml b/memcached/tasks/munin.yml index 6e2f6d6f..f97962c4 100644 --- a/memcached/tasks/munin.yml +++ b/memcached/tasks/munin.yml 
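Review bot: Switching the selector from `memcached_instance_name | length == 0` to `memcached_instance_name is undefined` changes semantics if the role's defaults declare the variable as an empty string, which the removed condition strongly suggests (defaults/main.yml is not in view); in that case `is undefined` is never true, instance-default.yml is skipped, and instance-multi.yml runs with an empty name, producing `/etc/memcached_.conf` and a `memcached@.service` instance while the default unit is stopped and disabled. Safer to accept both spellings: `when: memcached_instance_name is undefined or memcached_instance_name | length == 0` for the default path and the negation for the multi-instance path; the same condition is reused in munin.yml and nrpe.yml below.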
@@ -2,7 +2,7 @@ - name: Choose packages (Oracle) set_fact: multi: "multi_" - when: memcached_instance_name | length > 0 + when: memcached_instance_name is defined - name: is Munin present ? stat: diff --git a/memcached/tasks/nrpe.yml b/memcached/tasks/nrpe.yml index 21070aec..ff0fc8b3 100644 --- a/memcached/tasks/nrpe.yml +++ b/memcached/tasks/nrpe.yml @@ -1,6 +1,4 @@ --- -- include_role: - name: evolix/remount-usr - name: Is nrpe present ? stat: @@ -10,7 +8,12 @@ - block: - name: Install dependencies apt: - name: libcache-memcached-perl + name: + - libcache-memcached-perl + - libmemcached11 + + - include_role: + name: evolix/remount-usr - name: Copy Nagios check for memcached copy: @@ -18,13 +21,29 @@ dest: /usr/local/lib/nagios/plugins/ mode: "0755" - # TODO: install a "multi-instances" check if the memcached_instance_name variable is not null + - name: install check_memcached_instances + copy: + src: check_memcached_instances.sh + dest: /usr/local/lib/nagios/plugins/check_memcached_instances + force: yes + mode: "0755" + owner: root + group: root - - name: Add NRPE check + - name: Add NRPE check (single instance) lineinfile: name: /etc/nagios/nrpe.d/evolix.cfg regexp: '^command\[check_memcached\]=' line: 'command[check_memcached]=/usr/local/lib/nagios/plugins/check_memcached.pl -H 127.0.0.1 -p {{ memcached_port }}' notify: restart nagios-nrpe-server + when: memcached_instance_name is undefined + + - name: Add NRPE check (multi instance) + lineinfile: + name: /etc/nagios/nrpe.d/evolix.cfg + regexp: '^command\[check_memcached\]=' + line: 'command[check_memcached]=/usr/local/lib/nagios/plugins/check_memcached_instances' + notify: restart nagios-nrpe-server + when: memcached_instance_name is defined when: nrpe_evolix_config.stat.exists -- 2.39.2 From 0ec14fa2eb652fc8dac4149bacbeeb1a642f864c Mon Sep 17 00:00:00 2001 
From: Ludovic Poujol Date: Thu, 1 Sep 2022 15:48:15 +0200 Subject: [PATCH 201/497] memcached: multi instance check requires bash instead of sh --- memcached/files/check_memcached_instances.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memcached/files/check_memcached_instances.sh b/memcached/files/check_memcached_instances.sh index 9e468670..e97352f7 100644 --- a/memcached/files/check_memcached_instances.sh +++ b/memcached/files/check_memcached_instances.sh @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # {{ ansible_managed }} -- 2.39.2 From 4f0553c057eb7655ba96486d5f16a1567087ae3d Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Fri, 2 Sep 2022 10:18:48 +0200 Subject: [PATCH 202/497] webapp/nextcloud: use ini_file for php settings to not destror our zzz-evolinux-custom.ini --- .../files/zzz-apache2-evolinux-custom.ini | 20 ------- .../files/zzz-cli-evolinux-custom.ini | 4 -- webapps/nextcloud/tasks/apache-system.yml | 55 ++++++++++--------- 3 files changed, 29 insertions(+), 50 deletions(-) delete mode 100644 webapps/nextcloud/files/zzz-apache2-evolinux-custom.ini delete mode 100644 webapps/nextcloud/files/zzz-cli-evolinux-custom.ini diff --git a/webapps/nextcloud/files/zzz-apache2-evolinux-custom.ini b/webapps/nextcloud/files/zzz-apache2-evolinux-custom.ini deleted file mode 100644 index 361628c2..00000000 --- a/webapps/nextcloud/files/zzz-apache2-evolinux-custom.ini +++ /dev/null @@ -1,20 +0,0 @@ -; Put customized values here. -allow_url_fopen = On -disable_functions = exec,shell-exec,system,passthru,popen -disable_functions = -user_ini.filename = ".user.ini" -max_execution_time = 300 - -memory_limit = 512M - -opcache.enable=1 -opcache.enable_cli=1 -opcache.interned_strings_buffer=24 -opcache.max_accelerated_files=60000 -opcache.memory_consumption=512 -opcache.save_comments=1 -opcache.revalidate_freq=1 - - -upload_max_filesize = 2G -post_max_size = 2G \ No newline at end of file 
diff --git a/webapps/nextcloud/files/zzz-cli-evolinux-custom.ini b/webapps/nextcloud/files/zzz-cli-evolinux-custom.ini deleted file mode 100644 index f6785459..00000000 --- a/webapps/nextcloud/files/zzz-cli-evolinux-custom.ini +++ /dev/null @@ -1,4 +0,0 @@ -; Put customized values here. -; default_charset = "ISO-8859-1" -allow_url_fopen = On -apc.enable_cli=1 \ No newline at end of file diff --git a/webapps/nextcloud/tasks/apache-system.yml b/webapps/nextcloud/tasks/apache-system.yml index 38b85906..490d2f8d 100644 --- a/webapps/nextcloud/tasks/apache-system.yml +++ b/webapps/nextcloud/tasks/apache-system.yml 
@@ -1,30 +1,33 @@ --- -- name: Enable apache2 php configuration - copy: - src: "zzz-apache2-evolinux-custom.ini" - dest: "/etc/php/7.4/apache2/conf.d/zzz-evolinux-custom.ini" - mode: "0644" - owner: root - group: root - force: yes - notify: reload apache - tags: - - nextcloud +- name: "Get PHP Version" + shell: 'php -v | grep "PHP [0-9]." | sed -E "s/PHP ([0-9]\.[0-9]).*/\1/g;"' + register: shell_php + check_mode: no -- name: Enable cli php configuration - copy: - src: "zzz-cli-evolinux-custom.ini" - dest: "/etc/php/7.4/cli/conf.d/zzz-evolinux-custom.ini" - mode: "0644" - owner: root - group: root - force: yes - notify: reload apache - tags: - - nextcloud +- name: "Set variables" + set_fact: + php_version: "{{ shell_php.stdout }}" -# - name: Generate ssl config -# shell: -# cmd: "/usr/local/sbin/vhost-domains {{ nextcloud_instance_name }} | /usr/local/sbin/make-csr {{ nextcloud_instance_name }}" -# creates: "/etc/nginx/ssl/{{ nextcloud_instance_name }}.conf" \ No newline at end of file +- name: Apply specific PHP settings (apache) + ini_file: + path: "/etc/php/{{ php_version }}/apache2/conf.d/zzz-evolinux-custom.ini" + section: '' + option: "{{ item.option }}" + value: "{{ item.value }}" + notify: reload apache + with_items: + - {option: 'allow_url_fopen', value: 'On'} + - {option: 'disable_functions', value: ''} + - {option: 'max_execution_time', value: '300'} + - {option: 'memory_limit', value: '512M'} + +- name: Apply specific PHP settings (cli) + ini_file: + path: "/etc/php/{{ php_version }}/cli/conf.d/zzz-evolinux-custom.ini" + section: '' + option: "{{ item.option }}" + value: "{{ item.value }}" + with_items: + - {option: 'allow_url_fopen', value: 'On'} + - {option: 'apc.enable_cli', value: 'On'} -- 2.39.2 From 18b450b8c3fbce34b68b6cdc54758a2dd76498f8 Mon Sep 17 00:00:00 2001 
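Review bot: `{option: 'disable_functions', value: ''}` clears the PHP function blacklist in `/etc/php/{{ php_version }}/apache2/conf.d/zzz-evolinux-custom.ini`, and because that `conf.d` file is SAPI-wide every mod_php vhost on the host, not just Nextcloud, regains `exec`/`system`/`passthru`/`popen` (the deleted ini shows the same override was already in place, so the behaviour is not new, but the commit is the moment to decide it). With mod_php and ITK the scope can be limited to this vhost with `php_admin_value disable_functions ""` in apache-vhost.conf.j2 and the global entry dropped, or at minimum a comment above the list naming which Nextcloud feature needs which function. The "Get PHP Version" `shell:` task reports changed on every run; add `changed_when: false` next to `check_mode: no`.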
From: Ludovic Poujol Date: Fri, 2 Sep 2022 10:25:22 +0200 Subject: [PATCH 203/497] webapp/nextcloud: Updates on vhost - Add comments for SSL settinfs - Remove userlog --- .../nextcloud/templates/apache-vhost.conf.j2 | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/webapps/nextcloud/templates/apache-vhost.conf.j2 b/webapps/nextcloud/templates/apache-vhost.conf.j2 index 6844933d..ff9f621c 100644 --- a/webapps/nextcloud/templates/apache-vhost.conf.j2 +++ b/webapps/nextcloud/templates/apache-vhost.conf.j2 @@ -1,10 +1,14 @@ - + ServerName {{ nextcloud_domains[0] }} {% for domain_alias in nextcloud_domains[1:] %} ServerAlias {{ domain_alias }} {% endfor %} + # SSLEngine on + # SSLCertificateFile /etc/letsencrypt/live/{{ nextcloud_instance_name }}/fullchain.pem + # SSLCertificateKeyFile /etc/letsencrypt/live/{{ nextcloud_instance_name }}/privkey.pem + DocumentRoot {{ nextcloud_webroot }}/ @@ -17,16 +21,21 @@ - # user - group (thanks to sesse@debian.org) + # SSL Redirect + # RewriteEngine On + # RewriteCond %{HTTPS} !=on + # RewriteCond %{HTTP:X-Forwarded-Proto} !=https + # RewriteRule ^ https://%{HTTP:Host}%{REQUEST_URI} [L,R=permanent] + + # ITK AssignUserID {{ nextcloud_user }} {{ nextcloud_user }} # LOG CustomLog /var/log/apache2/access.log vhost_combined - CustomLog /home/{{ nextcloud_instance_name }}/log/access.log combined - ErrorLog /home/{{ nextcloud_instance_name }}/log/error.log + ErrorLog /var/log/apache2/error.log # PHP php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f {{ nextcloud_user }}" php_admin_value open_basedir "/usr/share/php:{{ nextcloud_home }}:/tmp" - + \ No newline at end of file -- 2.39.2 From 6fa89e69a50d2bc86ace33d7e173dfa69331660b Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Fri, 2 Sep 2022 15:48:05 +0200 Subject: [PATCH 204/497] Update changelog --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1b6ead1b..5042ef48 100644 
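Review bot: The commented SSL redirect that operators are expected to uncomment trusts client-supplied headers twice: `RewriteCond %{HTTP:X-Forwarded-Proto} !=https` lets any client skip the HTTPS redirect by sending `X-Forwarded-Proto: https` unless a trusted proxy in front strips that header, and `RewriteRule ^ https://%{HTTP:Host}%{REQUEST_URI}` builds the redirect target from the Host header, which an earlier commit stopped canonicalising when it removed `UseCanonicalName On`. Prefer `RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,R=permanent]` and keep the X-Forwarded-Proto condition only behind a reverse proxy, with a comment saying so. Moving `ErrorLog` to the shared `/var/log/apache2/error.log` while the vhost runs under ITK as `{{ nextcloud_user }}` is fine for Apache, which opens logs as root, but it removes the per-instance error log the previous revision had, which is worth a line in the commit message.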
--- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -25,6 +25,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * generate-ldif: Support any MariaDB version * openvpn: automate the initialization of the CA and the creation of the server certificate ; use openssl_dhparam module instead of a command * nagios-nrpe: Add check_domains +* generate-ldif: support any version of MariaDB (instead of only 10.0, 10.1 and 10.3) ### Fixed @@ -32,6 +33,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * varnish: make `-j ` the first argument on jessie/stretch as it has to be the first argument there. * redis: config directory must be owned by the user that runs the service (to be able to write tmp config files in it) * webapps/nextcloud: Add missing dependencies for imagick +* mysql: Add missing Munin conf for Debian 11 ### Removed -- 2.39.2 From c28ded807d3f61df561ad1c02a3fdd350fcb50e6 Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Mon, 5 Sep 2022 11:42:49 +0200 Subject: [PATCH 205/497] Fix command for generate password with mkpasswd --- proftpd/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proftpd/README.md b/proftpd/README.md index dae8abef..6e96e05a 100644 --- a/proftpd/README.md +++ b/proftpd/README.md @@ -41,5 +41,5 @@ proftpd_accounts: For generate the sha512 version of yours password : ~~~ -echo "test" | mkpasswd --method=sha-512 - +printf "test" | mkpasswd --stdin --method=sha-512 ~~~ -- 2.39.2 From 7e979132f798109f9ced5796b5cc94631816282a Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Mon, 5 Sep 2022 18:50:07 +0200 Subject: [PATCH 206/497] inspect-domains : add Nginx support --- inspect-domains/files/inspect-domains.py | 99 +++++++++++++++++++----- 1 file changed, 79 insertions(+), 20 deletions(-) diff --git a/inspect-domains/files/inspect-domains.py b/inspect-domains/files/inspect-domains.py index e1120994..8512b04c 100755 --- a/inspect-domains/files/inspect-domains.py 
+++ b/inspect-domains/files/inspect-domains.py @@ -17,6 +17,7 @@ import subprocess import threading import time import argparse +import json #import importlib.machinery #list_domains = importlib.machinery.SourceFileLoader('list_domains.py', list_domains_path).load_module() @@ -40,7 +41,7 @@ def get_my_ips(): stdout, stderr = execute('hostname -I') if not stdout: return [] - return stdout[0].strip().split() + return stdout[0].strip(' \t').split() def dig(domain): @@ -48,6 +49,12 @@ def dig(domain): stdout, stderr = execute('dig +short {}'.format(domain)) return stdout + +def strip_comments(string): + """Return string with any # comment removed.""" + return string.split('#')[0] + + def list_apache_domains(): """Return a dict containing : - key: Apache domain (from command "apache2ctl -D DUMP_VHOSTS"). @@ -56,24 +63,24 @@ def list_apache_domains(): domains = {} try: - stdout, stderr = execute("apache2ctl -D DUMP_VHOSTS") + stdout, stderr = execute('apache2ctl -D DUMP_VHOSTS') except: - # Apache is not on the server + # Apache is not present on the server return domains - vhost_infos = "" + vhost_infos = '' for line in stdout: - dom = "" - words = line.strip().split() + dom = '' + words = line.strip(' \t').split() - if "namevhost" in line and len(words) >= 5: + if 'namevhost' in line and len(words) >= 5: # line format: port namevhost (:) - dom = words[3] - vhost_infos = "apache:" + words[4].strip('()') + dom = words[3].strip() + vhost_infos = 'apache:' + words[4].strip('()') - elif "alias" in line and len(words) >= 2: + elif 'alias' in line and len(words) >= 2: # line format: alias - dom = words[1] # vhost_infos defined in previous lines + dom = words[1].strip() # vhost_infos defined in previous lines if dom: if dom not in domains: 
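Review bot: The bare `except:` around `execute('apache2ctl -D DUMP_VHOSTS')` treats every failure as "Apache is not present on the server" and returns an empty dict, so a broken Apache configuration or a missing binary on PATH makes the check report no domains instead of an error (whether `execute` raises at all depends on its implementation, which is outside this hunk); narrow it to the not-installed case, e.g. `except FileNotFoundError:`, and let anything else propagate or at least print to stderr. The `.strip()` added on `words[3]` and `words[1]` is a no-op since `split()` already yields whitespace-free tokens. The `list_apache_domains` signature is above this hunk.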
@@ -84,6 +91,54 @@ def list_apache_domains(): return domains +def list_nginx_domains(): + """Return a dict containing : + - key: Nginx domain (from command "nginx -T"). + - value: a list of strings "nginx::" + """ + domains = {} + + try: + stdout, stderr = execute('nginx -T') + except: + # Nginx is not present on the server + return domains + + line_number = 1 + config_file_path = '' + + for line in stdout: + if '# configuration file' in line: + # line format : # configuration file : + words = line.strip(' \t;').split() + config_file_path = words[3].strip(' :') + continue + + if 'server_name ' in line: + # TODO: améliorer le if (cas tabulation) + # line format : server_name [ Date: Tue, 6 Sep 2022 11:26:19 +0200 Subject: [PATCH 207/497] openvpn: Run OpenVPN with the \_openvpn user and group instead of nobody which is originally for NFS --- CHANGELOG.md | 1 + openvpn/tasks/debian.yml | 8 ++++++++ openvpn/templates/server.conf.j2 | 4 ++-- 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5042ef48..4dcaa63d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -26,6 +26,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * openvpn: automate the initialization of the CA and the creation of the server certificate ; use openssl_dhparam module instead of a command * nagios-nrpe: Add check_domains * generate-ldif: support any version of MariaDB (instead of only 10.0, 10.1 and 10.3) +* openvpn: Run OpenVPN with the \_openvpn user and group instead of nobody which is originally for NFS ### Fixed diff --git a/openvpn/tasks/debian.yml b/openvpn/tasks/debian.yml index d6b03ac9..55ca2f8e 100644 --- a/openvpn/tasks/debian.yml +++ b/openvpn/tasks/debian.yml @@ -12,6 +12,14 @@ - client - server +- name: Create the _openvpn user + user: + name: _openvpn + system: yes + create_home: no + home: "/nonexistent" + shell: "/usr/sbin/nologin" + - name: Create the shellpki user user: name: shellpki 
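Review bot: The `Create the _openvpn user` task never declares an `_openvpn` group, yet the server.conf.j2 hunk that follows writes `group _openvpn`; this relies on useradd creating a same-named primary group for a system account, which is the Debian default but is not stated anywhere in the role. Add a `group` task for `_openvpn` with `system: yes` before the user task and set `group: _openvpn` on the user, so a missing group fails at provisioning time rather than when OpenVPN tries to drop privileges. Dropping to an unprivileged user only survives a restart or SIGUSR1 if `persist-key` and `persist-tun` are set; the rest of server.conf.j2 is not visible here, so confirm they are present.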
diff --git a/openvpn/templates/server.conf.j2 b/openvpn/templates/server.conf.j2 index 23ce3e2b..a41b9b22 100644 --- a/openvpn/templates/server.conf.j2 +++ b/openvpn/templates/server.conf.j2 @@ -1,5 +1,5 @@ -user nobody -group nogroup +user _openvpn +group _openvpn local {{ ansible_default_ipv4.address }} port 1194 -- 2.39.2 From 3c1ec588fd3a5ec9e99bbda3b96545c47ab5fcfb Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 9 Sep 2022 16:09:45 +0200 Subject: [PATCH 208/497] minifirewall: use handlers to restart minifirewall --- CHANGELOG.md | 1 + minifirewall/handlers/main.yml | 16 ++++++++++ minifirewall/tasks/config.legacy.yml | 16 ++++------ minifirewall/tasks/config.yml | 8 ++--- minifirewall/tasks/main.yml | 45 ++++++++++++++++++---------- minifirewall/tasks/tail.legacy.yml | 36 ++++++++++++++-------- minifirewall/tasks/tail.yml | 36 ++++++++++++++-------- 7 files changed, 103 insertions(+), 55 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4dcaa63d..c36e3de0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -23,6 +23,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * evocheck: upstream release 22.08.1 * generate-ldif: Support any MariaDB version +* minifirewall: use handlers to restart minifirewall * openvpn: automate the initialization of the CA and the creation of the server certificate ; use openssl_dhparam module instead of a command * nagios-nrpe: Add check_domains * generate-ldif: support any version of MariaDB (instead of only 10.0, 10.1 and 10.3) diff --git a/minifirewall/handlers/main.yml b/minifirewall/handlers/main.yml index 5ba1926c..3c541de5 100644 --- a/minifirewall/handlers/main.yml +++ b/minifirewall/handlers/main.yml 
@@ -4,3 +4,19 @@ service: name: nagios-nrpe-server state: restarted + +- name: restart minifirewall (modern) + command: /etc/init.d/minifirewall restart + register: minifirewall_init_restart + failed_when: "'minifirewall failed' in minifirewall_init_restart.stdout" + +- name: restart minifirewall (legacy) + command: /etc/init.d/minifirewall restart + register: minifirewall_init_restart + failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout" + +- name: restart minifirewall (noop) + meta: noop + register: minifirewall_init_restart + failed_when: False + changed_when: False \ No newline at end of file diff --git a/minifirewall/tasks/config.legacy.yml b/minifirewall/tasks/config.legacy.yml index 8a7f5990..a151e76c 100644 --- a/minifirewall/tasks/config.legacy.yml +++ b/minifirewall/tasks/config.legacy.yml @@ -197,21 +197,15 @@ path: "{{ minifirewall_main_file }}" register: minifirewall_after -- name: restart minifirewall - command: /etc/init.d/minifirewall restart - register: minifirewall_init_restart - failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout" +- name: Schedule minifirewall restart (legacy) + command: /bin/true + notify: "restart minifirewall (legacy)" when: + - minifirewall_install_mode == 'legacy' - minifirewall_restart_if_needed | bool - minifirewall_is_running.rc == 0 - - minifirewall_before.stat.checksum != minifirewall_after.stat.checksum + - minifirewall_before.stat.checksum != minifirewall_after.stat.checksum or minifirewall_upgrade_script is changed or minifirewall_upgrade_config is changed -- name: restart minifirewall (noop) - meta: noop - register: minifirewall_init_restart - failed_when: False - changed_when: False - when: not (minifirewall_restart_if_needed | bool) - debug: var: minifirewall_init_restart diff --git a/minifirewall/tasks/config.yml b/minifirewall/tasks/config.yml index c11b83e8..b0a1d7a6 100644 --- a/minifirewall/tasks/config.yml 
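Review bot: With the restart moved into handlers, the `debug: var: minifirewall_init_restart` that config.legacy.yml still runs right after `Schedule minifirewall restart (legacy)` reads a variable that is only registered when the handler executes at the end of the play, so it will print as undefined; the same stale debug remains in config.yml, tail.legacy.yml and tail.yml. Either drop those debug tasks or add `- meta: flush_handlers` after each schedule task if the immediate restart was intended. A deferred handler also does not run when a later task in the play fails, which leaves a modified firewall config on disk that is not the active ruleset; if that drift is not acceptable, set `force_handlers: true` on the play or flush explicitly. The `register` and `failed_when` keys on the `meta: noop` handler appear to have no effect on a meta task and can be removed.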
+++ b/minifirewall/tasks/config.yml @@ -282,11 +282,11 @@ path: "/etc/default/minifirewall" register: minifirewall_after -- name: restart minifirewall - command: /etc/init.d/minifirewall restart - register: minifirewall_init_restart - failed_when: "'minifirewall failed' in minifirewall_init_restart.stdout" +- name: Schedule minifirewall restart (modern) + command: /bin/true + notify: "restart minifirewall (modern)" when: + - minifirewall_install_mode != 'legacy' - minifirewall_restart_if_needed | bool - minifirewall_is_running.rc == 0 - minifirewall_before.stat.checksum != minifirewall_after.stat.checksum or minifirewall_upgrade_script is changed or minifirewall_upgrade_config is changed diff --git a/minifirewall/tasks/main.yml b/minifirewall/tasks/main.yml index 483f8715..bc56b7dc 100644 --- a/minifirewall/tasks/main.yml +++ b/minifirewall/tasks/main.yml @@ -1,9 +1,5 @@ --- -- name: Compose minifirewall_restart_handler_name variable - set_fact: - minifirewall_restart_handler_name: "{{ minifirewall_restart_if_needed | bool | ternary('restart minifirewall', 'restart minifirewall (noop)') }}" - # Legacy or modern mode? ############################################## - name: Check minifirewall 
@@ -39,6 +35,25 @@ var: minifirewall_install_mode verbosity: 1 +- name: 'Set minifirewall_restart_handler_name to "noop"' + set_fact: + minifirewall_restart_handler_name: "restart minifirewall (noop)" + when: not (minifirewall_restart_if_needed | bool) + +- name: 'Set minifirewall_restart_handler_name to "legacy"' + set_fact: + minifirewall_restart_handler_name: "restart minifirewall (legacy)" + when: + - minifirewall_restart_if_needed | bool + - minifirewall_install_mode == 'legacy' + +- name: 'Set minifirewall_restart_handler_name to "modern"' + set_fact: + minifirewall_restart_handler_name: "restart minifirewall (modern)" + when: + - minifirewall_restart_if_needed | bool + - minifirewall_install_mode != 'legacy' + ####################################################################### - name: Fail if minifirewall_main_file is defined (legacy mode) @@ -106,18 +121,16 @@ var: minifirewall_restart_force | bool verbosity: 1 -- name: Force restart minifirewall (modern mode) - command: /etc/init.d/minifirewall restart - register: minifirewall_init_restart - failed_when: "'minifirewall failed' in minifirewall_init_restart.stdout" - when: - - minifirewall_install_mode != 'legacy' - - minifirewall_restart_force | bool - -- name: Force restart minifirewall (legacy mode) - command: /etc/init.d/minifirewall restart - register: minifirewall_init_restart - failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout" +- name: Force restart minifirewall (legacy) + command: /bin/true + notify: "restart minifirewall (legacy)" when: - minifirewall_install_mode == 'legacy' + - minifirewall_restart_force | bool + +- name: Force restart minifirewall (modern) + command: /bin/true + notify: "restart minifirewall (modern)" + when: + - minifirewall_install_mode != 'legacy' - minifirewall_restart_force | bool \ No newline at end of file 
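Review bot: The three `Set minifirewall_restart_handler_name …` set_fact tasks compute a handler name, but nothing in this patch notifies `{{ minifirewall_restart_handler_name }}`: every schedule and force task hardcodes `restart minifirewall (legacy)` or `(modern)` and re-checks `minifirewall_restart_if_needed` itself. Unless another file in the role still consumes the fact, the three tasks and the `(noop)` handler are dead code; alternatively replace the hardcoded `notify:` lines with `notify: "{{ minifirewall_restart_handler_name }}"` so the `when` conditions are not duplicated across five tasks. In the `Force restart …` hunk, `command: /bin/true` fires the notify only because a command task always reports changed; a comment such as `# /bin/true always reports changed, which is what fires the notify` would make that intent explicit.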
diff --git a/minifirewall/tasks/tail.legacy.yml b/minifirewall/tasks/tail.legacy.yml index 7a13eefa..dc7fbdc9 100644 --- a/minifirewall/tasks/tail.legacy.yml +++ b/minifirewall/tasks/tail.legacy.yml @@ -1,4 +1,22 @@ --- + +- name: Stat minifirewall config file (before) + stat: + path: "/etc/default/minifirewall" + register: minifirewall_before + +- name: Check if minifirewall is running + shell: + cmd: /sbin/iptables -L -n | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$" + changed_when: False + failed_when: False + check_mode: no + register: minifirewall_is_running + +- debug: + var: minifirewall_is_running + verbosity: 1 + - name: Add some rules at the end of minifirewall file template: src: "{{ item }}" @@ -30,20 +48,14 @@ var: minifirewall_tail_source verbosity: 1 -- name: restart minifirewall - command: /etc/init.d/minifirewall restart - register: minifirewall_init_restart - failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout" +- name: Schedule minifirewall restart (legacy) + command: /bin/true + notify: "restart minifirewall (legacy)" when: - - minifirewall_tail_template is changed + - minifirewall_install_mode == 'legacy' - minifirewall_restart_if_needed | bool - -- name: restart minifirewall (noop) - meta: noop - register: minifirewall_init_restart - failed_when: False - changed_when: False - when: not (minifirewall_restart_if_needed | bool) + - minifirewall_is_running.rc == 0 + - minifirewall_tail_template is changed - debug: var: minifirewall_init_restart diff --git a/minifirewall/tasks/tail.yml b/minifirewall/tasks/tail.yml index 1d708fa4..73d60d9c 100644 --- a/minifirewall/tasks/tail.yml +++ b/minifirewall/tasks/tail.yml 
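Review bot: The new `Stat minifirewall config file (before)` task in tail.legacy.yml registers `minifirewall_before`, but nothing in the file compares it; the schedule condition only checks `minifirewall_tail_template is changed`, so the stat is dead, and in legacy mode the path should presumably be `{{ minifirewall_main_file }}` as in config.legacy.yml rather than the hardcoded `/etc/default/minifirewall`. The same unused stat and the identical iptables `shell` probe are duplicated in tail.yml on the next line; a shared included task file would keep the running-check in one place. If the stat is meant to stay, add the matching `minifirewall_after` stat and checksum comparison, otherwise remove it.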
@@ -1,4 +1,22 @@ --- + +- name: Stat minifirewall config file (before) + stat: + path: "/etc/default/minifirewall" + register: minifirewall_before + +- name: Check if minifirewall is running + shell: + cmd: /sbin/iptables -L -n | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$" + changed_when: False + failed_when: False + check_mode: no + register: minifirewall_is_running + +- debug: + var: minifirewall_is_running + verbosity: 1 + - name: Add some rules at the end of minifirewall file template: src: "{{ item }}" @@ -18,20 +36,14 @@ var: minifirewall_tail_template verbosity: 1 -- name: restart minifirewall - command: /etc/init.d/minifirewall restart - register: minifirewall_init_restart - failed_when: "'minifirewall failed' in minifirewall_init_restart.stdout" +- name: Schedule minifirewall restart (modern) + command: /bin/true + notify: "restart minifirewall (modern)" when: - - minifirewall_tail_template is changed + - minifirewall_install_mode != 'legacy' - minifirewall_restart_if_needed | bool - -- name: restart minifirewall (noop) - meta: noop - register: minifirewall_init_restart - failed_when: False - changed_when: False - when: not (minifirewall_restart_if_needed | bool) + - minifirewall_is_running.rc == 0 + - minifirewall_tail_template is changed - debug: var: minifirewall_init_restart -- 2.39.2 From 28276b5d6f739367d1c6cb4bd12f7d596665160b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 12 Sep 2022 13:54:57 +0200 Subject: [PATCH 209/497] evolinux-base: update-evobackup-canary upstream release 22.06 --- CHANGELOG.md | 1 + ...ackup-canary.sh => update-evobackup-canary} | 6 +++--- evolinux-base/tasks/utils.yml | 18 +++++++++--------- 3 files changed, 13 insertions(+), 12 deletions(-) rename evolinux-base/files/{update-evobackup-canary.sh => update-evobackup-canary} (95%) diff --git a/CHANGELOG.md b/CHANGELOG.md index c36e3de0..340bfb99 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -22,6 +22,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed * evocheck: upstream release 22.08.1 +* evolinux-base: update-evobackup-canary upstream release 22.06 * generate-ldif: Support any MariaDB version * minifirewall: use handlers to restart minifirewall * openvpn: automate the initialization of the CA and the creation of the server certificate ; use openssl_dhparam module instead of a command diff --git a/evolinux-base/files/update-evobackup-canary.sh b/evolinux-base/files/update-evobackup-canary similarity index 95% rename from evolinux-base/files/update-evobackup-canary.sh rename to evolinux-base/files/update-evobackup-canary index 20fc1a57..868c3be6 100644 --- a/evolinux-base/files/update-evobackup-canary.sh +++ b/evolinux-base/files/update-evobackup-canary @@ -3,7 +3,7 @@ PROGNAME="update-evobackup-canary" REPOSITORY="https://gitea.evolix.org/evolix/evobackup" -VERSION="22.05" +VERSION="22.06" readonly VERSION # base functions @@ -44,8 +44,8 @@ main() { if [ -z "${canary_file:-}" ]; then canary_file="/zzz_evobackup_canary" fi - # This option is supported since (at least) Debian 8 - date=$(date --iso-8601=seconds) + # This option is supported both on OpenBSD which does not use GNU date and on Debian + date=$(date "+%FT%T%z") printf "%s %s\n" "${date}" "${who}" >> "${canary_file}" } diff --git a/evolinux-base/tasks/utils.yml b/evolinux-base/tasks/utils.yml index 8236bd92..2fd4b0c1 100644 --- a/evolinux-base/tasks/utils.yml +++ b/evolinux-base/tasks/utils.yml @@ -17,7 +17,7 @@ - name: update-evobackup-canary script is present copy: - src: "update-evobackup-canary.sh" + src: update-evobackup-canary dest: /usr/local/bin/update-evobackup-canary force: True owner: root 
@@ -30,11 +30,11 @@ path: /usr/local/sbin/update-evobackup-canary state: absent -- name: dir-check script is present - copy: - src: "dir-check.sh" - dest: /usr/local/bin/dir-check - force: True - owner: root - group: root - mode: "0755" \ No newline at end of file +# - name: dir-check script is present +# copy: +# src: "dir-check.sh" +# dest: /usr/local/bin/dir-check +# force: True +# owner: root +# group: root +# mode: "0755" \ No newline at end of file -- 2.39.2 From 7c4a169fb8e276db0f3d8ff532609d82b192aabe Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Tue, 13 Sep 2022 16:26:10 +0200 Subject: [PATCH 210/497] proftpd: Add options to override configs --- CHANGELOG.md | 1 + proftpd/defaults/main.yml | 3 +++ proftpd/tasks/main.yml | 6 +++--- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 340bfb99..7064c1fb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * webapps/nextcloud: Add compatibility with apache2, and apache2 mod_php. * inspect-domains: Add role * memcached: NRPE check for multi-instance setup +* proftpd: Add options to override configs ### Changed diff --git a/proftpd/defaults/main.yml b/proftpd/defaults/main.yml index 80edecd2..1f8cf006 100644 --- a/proftpd/defaults/main.yml +++ b/proftpd/defaults/main.yml @@ -3,12 +3,15 @@ proftpd_hostname: "{{ ansible_hostname }}" proftpd_fqdn: "{{ ansible_fqdn }}" proftpd_default_address: [] proftpd_ftp_enable: True +proftpd_ftp_override: False proftpd_port: 21 proftpd_ftps_enable: False +proftpd_ftps_override: False proftpd_ftps_port: 990 proftpd_ftps_cert: "/etc/ssl/certs/ssl-cert-snakeoil.pem" proftpd_ftps_key: "/etc/ssl/private/ssl-cert-snakeoil.key" proftpd_sftp_enable: False +proftpd_sftp_override: False proftpd_sftp_port: 22222 proftpd_accounts: [] proftpd_accounts_final: [] diff --git a/proftpd/tasks/main.yml b/proftpd/tasks/main.yml index 457887a1..ddb3faee 100644 
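Review bot: Commenting out `dir-check script is present` stops installing `/usr/local/bin/dir-check` on new hosts but leaves the copy already deployed on existing hosts, unlike the preceding hunk, which explicitly removes the old `/usr/local/sbin/update-evobackup-canary`. If the script is being retired, replace the commented block with a `file:` task for `/usr/local/bin/dir-check` with `state: absent` so the fleet converges; if it is only temporarily disabled, a comment stating why (and until when) belongs above the block rather than a silent comment-out.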
--- a/proftpd/tasks/main.yml +++ b/proftpd/tasks/main.yml @@ -20,7 +20,7 @@ src: evolinux.conf.j2 dest: /etc/proftpd/conf.d/z-evolinux.conf mode: "0644" - force: no + force: "{{ proftpd_ftp_override }}" notify: restart proftpd when: proftpd_ftp_enable | bool tags: @@ -31,7 +31,7 @@ src: ftps.conf.j2 dest: /etc/proftpd/conf.d/ftps.conf mode: "0644" - force: no + force: "{{ proftpd_ftps_override }}" notify: restart proftpd when: proftpd_ftps_enable | bool tags: @@ -42,7 +42,7 @@ src: sftp.conf.j2 dest: /etc/proftpd/conf.d/sftp.conf mode: "0644" - force: no + force: "{{ proftpd_sftp_override }}" notify: restart proftpd when: proftpd_sftp_enable | bool tags: -- 2.39.2 From 9631476a06cc5d3cc91c76731be4bef07dd8d06e Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Tue, 13 Sep 2022 16:29:59 +0200 Subject: [PATCH 211/497] proftpd: Allow user auth with ssh keys --- CHANGELOG.md | 1 + proftpd/defaults/main.yml | 1 + proftpd/tasks/accounts.yml | 15 +++++++++++++++ proftpd/tasks/main.yml | 14 ++++++++++++++ proftpd/templates/sftp.conf.j2 | 8 +++++++- 5 files changed, 38 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7064c1fb..dce6bf3a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,6 +19,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * inspect-domains: Add role * memcached: NRPE check for multi-instance setup * proftpd: Add options to override configs +* proftpd: Allow user auth with ssh keys ### Changed diff --git a/proftpd/defaults/main.yml b/proftpd/defaults/main.yml index 1f8cf006..25d60d5b 100644 --- a/proftpd/defaults/main.yml +++ b/proftpd/defaults/main.yml @@ -12,6 +12,7 @@ proftpd_ftps_cert: "/etc/ssl/certs/ssl-cert-snakeoil.pem" proftpd_ftps_key: "/etc/ssl/private/ssl-cert-snakeoil.key" proftpd_sftp_enable: False proftpd_sftp_override: False +proftpd_sftp_use_publickeys: False proftpd_sftp_port: 22222 proftpd_accounts: [] proftpd_accounts_final: [] 
diff --git a/proftpd/tasks/accounts.yml b/proftpd/tasks/accounts.yml index 756e0ff0..0ff57272 100644 --- a/proftpd/tasks/accounts.yml +++ b/proftpd/tasks/accounts.yml @@ -60,3 +60,18 @@ when: proftpd_sftp_enable | bool tags: - proftpd + +- name: Allow keys for SFTP account + blockinfile: + dest: "/etc/proftpd/sftp.authorized_keys/{{ item.name }}" + state: present + block: "{{ item.sshkeys }}" + create: yes + mode: 0600 + loop: "{{ proftpd_accounts_final }}" + notify: restart proftpd + when: + - proftpd_sftp_enable | bool + - proftpd_sftp_use_publickeys | bool + tags: + - proftpd diff --git a/proftpd/tasks/main.yml b/proftpd/tasks/main.yml index ddb3faee..9ddb6273 100644 --- a/proftpd/tasks/main.yml +++ b/proftpd/tasks/main.yml @@ -48,6 +48,20 @@ tags: - proftpd +- name: SFTP key folder exists if needed + file: + path: /etc/proftpd/sftp.authorized_keys/ + state: directory + mode: "0700" + owner: root + group: root + notify: restart proftpd + when: + - proftpd_sftp_enable | bool + - proftpd_sftp_use_publickeys | bool + tags: + - proftpd + - name: mod_tls_memcache is disabled replace: dest: /etc/proftpd/modules.conf diff --git a/proftpd/templates/sftp.conf.j2 b/proftpd/templates/sftp.conf.j2 index 432e9ba8..f54746f8 100644 --- a/proftpd/templates/sftp.conf.j2 +++ b/proftpd/templates/sftp.conf.j2 @@ -13,8 +13,14 @@ SFTPLog /var/log/proftpd/sftp.log TransferLog /var/log/proftpd/xferlog - + +{% if proftpd_sftp_use_publickeys %} + SFTPAuthMethods publickey password + SFTPAuthorizedUserKeys file:/etc/proftpd/sftp.authorized_keys/%u +{% else %} SFTPAuthMethods password +{% endif %} + SFTPHostKey /etc/ssh/ssh_host_ecdsa_key SFTPHostKey /etc/ssh/ssh_host_rsa_key -- 2.39.2 From cd46dd8320fb50d61781748bf786c285d059050b Mon Sep 17 00:00:00 2001 
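Review bot: `Allow keys for SFTP account` iterates over every entry of `proftpd_accounts_final` and reads `item.sshkeys` unconditionally, so an account defined without an `sshkeys` field fails the task with an undefined attribute as soon as `proftpd_sftp_use_publickeys` is on; add `- item.sshkeys is defined` to the `when` list or use `block: "{{ item.sshkeys | default('') }}"`. If `sshkeys` may be a list, join it with newlines before handing it to blockinfile, otherwise the Python list representation is written to the keys file. In the sftp.conf.j2 hunk, `SFTPAuthMethods publickey password` keeps password authentication enabled for every account even once keys are configured; if the point of key auth is to retire passwords, expose the method list as a variable rather than hardcoding both.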
From: Ludovic Poujol Date: Tue, 13 Sep 2022 16:31:03 +0200 Subject: [PATCH 212/497] proftpd: Add a warning if config file was overriden --- CHANGELOG.md | 2 +- proftpd/templates/evolinux.conf.j2 | 4 ++++ proftpd/templates/ftps.conf.j2 | 4 ++++ proftpd/templates/sftp.conf.j2 | 4 ++++ 4 files changed, 13 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index dce6bf3a..be884139 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,7 +18,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * webapps/nextcloud: Add compatibility with apache2, and apache2 mod_php. * inspect-domains: Add role * memcached: NRPE check for multi-instance setup -* proftpd: Add options to override configs +* proftpd: Add options to override configs (and add a warning if file was overriden) * proftpd: Allow user auth with ssh keys ### Changed diff --git a/proftpd/templates/evolinux.conf.j2 b/proftpd/templates/evolinux.conf.j2 index 08484714..8ad06927 100644 --- a/proftpd/templates/evolinux.conf.j2 +++ b/proftpd/templates/evolinux.conf.j2 @@ -1,5 +1,9 @@ # Evolix's specific configuration +{% if proftpd_ftp_override %} +# WARNING : **Probably** ansible managed +{% endif %} + LoadModule mod_ident.c diff --git a/proftpd/templates/ftps.conf.j2 b/proftpd/templates/ftps.conf.j2 index 2db74b37..f9826989 100644 --- a/proftpd/templates/ftps.conf.j2 +++ b/proftpd/templates/ftps.conf.j2 @@ -1,3 +1,7 @@ +{% if proftpd_ftps_override %} +# WARNING : **Probably** ansible managed +{% endif %} + LoadModule mod_tls.c diff --git a/proftpd/templates/sftp.conf.j2 b/proftpd/templates/sftp.conf.j2 index f54746f8..457f638b 100644 --- a/proftpd/templates/sftp.conf.j2 +++ b/proftpd/templates/sftp.conf.j2 @@ -1,3 +1,7 @@ +{% if proftpd_sftp_override %} +# WARNING : **Probably** ansible managed +{% endif %} + LoadModule mod_tls.c -- 2.39.2 From 41e908da5c6e0304707cc82f88be8730ec522a4c Mon Sep 17 00:00:00 2001 
From: William Hirigoyen Date: Wed, 14 Sep 2022 10:44:12 +0200 Subject: [PATCH 213/497] inspect-domains: Renamme inspect-domains to domains --- .../files/inspect-domains.py => domains/files/domains.py | 0 {inspect-domains => domains}/tasks/main.yml | 2 +- nagios-nrpe/files/plugins/check_domains | 8 ++++---- nagios-nrpe/tasks/configure_check_domains.yml | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) rename inspect-domains/files/inspect-domains.py => domains/files/domains.py (100%) rename {inspect-domains => domains}/tasks/main.yml (74%) diff --git a/inspect-domains/files/inspect-domains.py b/domains/files/domains.py similarity index 100% rename from inspect-domains/files/inspect-domains.py rename to domains/files/domains.py diff --git a/inspect-domains/tasks/main.yml b/domains/tasks/main.yml similarity index 74% rename from inspect-domains/tasks/main.yml rename to domains/tasks/main.yml index f5d915fe..388f75ee 100644 --- a/inspect-domains/tasks/main.yml +++ b/domains/tasks/main.yml @@ -1,7 +1,7 @@ - name: Copy inspect-domains script to local sbin ansible.builtin.copy: src: inspect-domains.py - dest: /usr/local/sbin/inspect-domains + dest: /usr/local/sbin/domains mode: '0700' diff --git a/nagios-nrpe/files/plugins/check_domains b/nagios-nrpe/files/plugins/check_domains index 78db2914..98068a0b 100755 --- a/nagios-nrpe/files/plugins/check_domains +++ b/nagios-nrpe/files/plugins/check_domains @@ -1,14 +1,14 @@ #!/bin/bash # -# Check domains using script inspect-domains. +# Check domains using script domains. # # Written by Will # -if ! command -v inspect-domains >/dev/null; then - echo 'UNKNOWN - Missing dependency inspect-domains.' +if ! command -v domains >/dev/null; then + echo 'UNKNOWN - Missing dependency domains.' exit 3 fi -inspect-domains -o nrpe -a check-dns +domains -o nrpe -a check-dns diff --git a/nagios-nrpe/tasks/configure_check_domains.yml b/nagios-nrpe/tasks/configure_check_domains.yml index 0d81b652..2d5dd2fd 100644 
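Review bot: After the rename, check_domains resolves its dependency with `command -v domains`, but domains/tasks/main.yml installs the script to `/usr/local/sbin/domains` with mode `0700`; an NRPE plugin normally runs as the nagios user, for which that path is neither on PATH nor executable, so the check would answer UNKNOWN on every host unless the nrpe command definition wraps it in sudo (not visible here). Either call the script by its absolute path and document the sudo requirement, or install it with `mode: '0755'` if it holds nothing sensitive. `domains` is also a very generic name for a command on PATH, and the task name `Copy inspect-domains script to local sbin` was left unchanged by the rename.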
--- a/nagios-nrpe/tasks/configure_check_domains.yml +++ b/nagios-nrpe/tasks/configure_check_domains.yml @@ -1,6 +1,6 @@ - name: Install check_domains dependency include_role: - name: inspect-domains + name: domains - name: Configure check_domains in /etc/nagios/nrpe.d/evolix.cfg ansible.builtin.lineinfile: -- 2.39.2 From 25cedd2be9ba234972ee3286e39fb9e89c87a114 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Wed, 14 Sep 2022 10:47:52 +0200 Subject: [PATCH 214/497] domains: fix rename inspect-domains to domains --- domains/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/domains/tasks/main.yml b/domains/tasks/main.yml index 388f75ee..f2a1ddb3 100644 --- a/domains/tasks/main.yml +++ b/domains/tasks/main.yml @@ -1,6 +1,6 @@ - name: Copy inspect-domains script to local sbin ansible.builtin.copy: - src: inspect-domains.py + src: domains.py dest: /usr/local/sbin/domains mode: '0700' -- 2.39.2 From d8a2dccf36d5e20c8f0da17d381bce4a043f90f0 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 14 Sep 2022 10:55:00 +0200 Subject: [PATCH 215/497] evocheck: upstream release 22.09 --- CHANGELOG.md | 2 +- evocheck/files/evocheck.sh | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index be884139..2e46e8c9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -23,7 +23,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed -* evocheck: upstream release 22.08.1 +* evocheck: upstream release 22.09 * evolinux-base: update-evobackup-canary upstream release 22.06 * generate-ldif: Support any MariaDB version * minifirewall: use handlers to restart minifirewall diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index 2771c904..7c01da51 100644 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh 
@@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="22.08.1" +VERSION="22.09" readonly VERSION # base functions @@ -1527,6 +1527,8 @@ main() { main_output_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.main.XXXXX") files_to_cleanup="${files_to_cleanup} ${main_output_file}" + MINIFW_FILE=$(minifirewall_file) + test "${IS_TMP_1777:=1}" = 1 && check_tmp_1777 test "${IS_ROOT_0700:=1}" = 1 && check_root_0700 test "${IS_USRSHARESCRIPTS:=1}" = 1 && check_usrsharescripts -- 2.39.2 From 6ce30048180eb68d8da73c941405aaaaa4cb94e6 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Wed, 14 Sep 2022 11:03:49 +0200 Subject: [PATCH 216/497] domains: improve CLI user interface (messages, option names...). --- domains/files/domains.py | 32 ++++++++++++++++++++++---------- 1 file changed, 22 insertions(+), 10 deletions(-) diff --git a/domains/files/domains.py b/domains/files/domains.py index 8512b04c..23dd28ee 100755 --- a/domains/files/domains.py +++ b/domains/files/domains.py @@ -236,7 +236,7 @@ def output_check_mode(timeout_domains, none_domains, outside_ips, ok_domains): sys.exit(1) if n_warnings else sys.exit(0) -def output_friendly_mode(doms, timeout_domains, none_domains, outside_ips): +def output_human_mode(doms, timeout_domains, none_domains, outside_ips): if timeout_domains or none_domains or outside_ips: if timeout_domains: print('\nTimeouts:') for d in timeout_domains: 
@@ -256,23 +256,23 @@ def output_friendly_mode(doms, timeout_domains, none_domains, outside_ips): def main(argv): parser = argparse.ArgumentParser() parser.add_argument('action', metavar='ACTION', help='Values: check-dns, list') - parser.add_argument('-o', '--output-style', help='Values: stdout (default), nrpe') + parser.add_argument('-o', '--output-style', help='Values: json (default for action list), human (default for action check-dns), nrpe') parser.add_argument('-a', '--all-domains', action='store_true', help='Include all domains (default).') parser.add_argument('-ap', '--apache-domains', action='store_true', help='Include Apache domains.') parser.add_argument('-ng', '--nginx-domains', action='store_true', help='Include Nginx domains.') - parser.add_argument('-ha', '--haproxy-domains', action='store_true', help='Include HaProxy domains.') + parser.add_argument('-ha', '--haproxy-domains', action='store_true', help='Include HaProxy domains (not supported yet).') args = parser.parse_args() if args.action not in ['check-dns', 'list']: if args.output_style == 'nrpe': - print('UNKNOWN - unkown {} action, use -h option for help.'.format(args.action)) + print('UNKNOWN - unknown {} action, use -h option for help.'.format(args.action)) sys.exit(3) else: - print('Unkown {} action, use -h option for help.'.format(args.action)) + print('Unknown {} action, use -h option for help.'.format(args.action)) sys.exit(1) if not (args.all_domains or args.apache_domains or args.nginx_domains or args.haproxy_domains): - print('Domains scope not specified, looking for all domains (default).') + print('Domains scope not specified, looking for all domains.') args.all_domains = True doms = {} @@ -292,7 +292,7 @@ def main(argv): if args.output_style == 'nrpe': print('UNKNOWN - No domain found on this server.') sys.exit(3) - else: + else: # == 'json' or 'human' print('No domain found on this server.') sys.exit(1) 
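Review bot: `--output-style` is still declared without `choices`, so its default is `None` and any typo falls through to the `else` branches; in the `list` branch of the next hunk (-302) running `domains list` with no `-o` therefore prints `Option --output-style human not implemented yet … fallback` before the JSON, which breaks any caller parsing stdout. Declare it as `parser.add_argument('-o', '--output-style', choices=['json', 'human', 'nrpe'], help=...)` and resolve the per-action default right after `parse_args()`, e.g. `if args.output_style is None: args.output_style = 'json' if args.action == 'list' else 'human'`, so every branch compares against a known value. main() continues past the end of this hunk.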
@@ -302,11 +302,23 @@ def main(argv): if args.output_style == 'nrpe': output_check_mode(timeout_domains, none_domains, outside_ips, ok_domains) - else: - output_friendly_mode(doms, timeout_domains, none_domains, outside_ips) + elif args.output_style == 'json': + print('Option --output-style json not implemented yet for action check-dns.') + + else: # args.output_style == 'human' + output_human_mode(doms, timeout_domains, none_domains, outside_ips) elif args.action == 'list': - print(json.dumps(doms, sort_keys=True, indent=4)) + + if args.output_style == 'nrpe': + print('Action list is not for --output-style nrpe.') + + elif args.output_style == 'json': + print(json.dumps(doms, sort_keys=True, indent=4)) + + else: + print('Option --output-style human not implemented yet for action list, fallback to --output-style json.') + print(json.dumps(doms, sort_keys=True, indent=4)) if __name__ == '__main__': -- 2.39.2 From e0ba847e9cead9b40d80d28fe93a81c14acb2855 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Wed, 14 Sep 2022 12:19:55 +0200 Subject: [PATCH 217/497] nagios-nrpe: upgrade check_mongo --- nagios-nrpe/files/plugins/check_mongodb | 653 ++++++++++++++++-------- 1 file changed, 436 insertions(+), 217 deletions(-) mode change 100755 => 100644 nagios-nrpe/files/plugins/check_mongodb diff --git a/nagios-nrpe/files/plugins/check_mongodb b/nagios-nrpe/files/plugins/check_mongodb old mode 100755 new mode 100644 index bc6278ac..cce3a76d --- a/nagios-nrpe/files/plugins/check_mongodb +++ b/nagios-nrpe/files/plugins/check_mongodb 
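Review bot: In the `list` branch, `Action list is not for --output-style nrpe.` is printed without an NRPE status prefix and the function then returns normally, so the process exits 0 and Nagios records OK for a misused check. Mirror the unknown-action handling earlier in main(): `print('UNKNOWN - Action list is not for --output-style nrpe.')` followed by `sys.exit(3)`. The `check-dns`/`json` branch likewise prints a not-implemented message and then exits 0 as if it had succeeded; a non-zero exit is appropriate there too.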
@@ -17,24 +17,29 @@ # - Dag Stockstad # - @Andor on github # - Steven Richards - Captainkrtek on github -# - Max Vernimmen +# - Max Vernimmen - @mvernimmen-CG / @mvernimmen on github +# - Kris Nova - @kris@nivenly.com github.com/kris-nova +# - Jan Kantert - firstname@lastname.net # # USAGE # # See the README.md # +from __future__ import print_function +from __future__ import division import sys import time import optparse -import textwrap import re import os +import numbers +import socket try: import pymongo -except ImportError, e: - print e +except ImportError as e: + print(e) sys.exit(2) # As of pymongo v 1.9 the SON API is part of the BSON package, therefore attempt @@ -78,37 +83,35 @@ def performance_data(perf_data, params): def numeric_type(param): - if ((type(param) == float or type(param) == int or param == None)): - return True - return False + return param is None or isinstance(param, numbers.Real) def check_levels(param, warning, critical, message, ok=[]): if (numeric_type(critical) and numeric_type(warning)): if param >= critical: - print "CRITICAL - " + message + print("CRITICAL - " + message) sys.exit(2) elif param >= warning: - print "WARNING - " + message + print("WARNING - " + message) sys.exit(1) else: - print "OK - " + message + print("OK - " + message) sys.exit(0) else: if param in critical: - print "CRITICAL - " + message + print("CRITICAL - " + message) sys.exit(2) if param in warning: - print "WARNING - " + message + print("WARNING - " + message) sys.exit(1) if param in ok: - print "OK - " + message + print("OK - " + message) sys.exit(0) # unexpected param value - print "CRITICAL - Unexpected value : %d" % param + "; " + message + print("CRITICAL - Unexpected value : %d" % param + "; " + message) return 2 
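Review bot: The commit header records `mode change 100755 => 100644` for nagios-nrpe/files/plugins/check_mongodb, so this upgrade drops the plugin's executable bit in the repository; unless the task that deploys the plugins sets `mode` explicitly (not visible here), NRPE will report the check as not executable. Restore it with `chmod +x` before committing, or confirm the deploying task forces 0755. In the `check_levels` hunk the non-numeric path still formats the unexpected value with `%d`, which raises TypeError when `param` is a string coming from a list-valued threshold; `'CRITICAL - Unexpected value : %s' % param` reports instead of crashing. The `-p/--pass` option in the following hunk keeps the MongoDB password on the command line, where it is visible in the process list; that is upstream behaviour, but the role documentation should steer the NRPE command definition toward a dedicated low-privilege monitoring user.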
@@ -120,21 +123,32 @@ def get_server_status(con): data = con.admin.command(son.SON([('serverStatus', 1)])) return data +def split_host_port(string): + if not string.rsplit(':', 1)[-1].isdigit(): + return (string, None) + string = string.rsplit(':', 1) + host = string[0] # 1st index is always host + port = int(string[1]) + return (host, port) + def main(argv): p = optparse.OptionParser(conflict_handler="resolve", description="This Nagios plugin checks the health of mongodb.") p.add_option('-H', '--host', action='store', type='string', dest='host', default='127.0.0.1', help='The hostname you want to connect to') - p.add_option('-P', '--port', action='store', type='int', dest='port', default=27017, help='The port mongodb is runnung on') + p.add_option('-h', '--host-to-check', action='store', type='string', dest='host_to_check', default=None, help='The hostname you want to check (if this is different from the host you are connecting)') + p.add_option('--rdns-lookup', action='store_true', dest='rdns_lookup', default=False, help='RDNS(PTR) lookup on given host/host-to-check, to convert ip-address to fqdn') + p.add_option('-P', '--port', action='store', type='int', dest='port', default=27017, help='The port mongodb is running on') + p.add_option('--port-to-check', action='store', type='int', dest='port_to_check', default=None, help='The port you want to check (if this is different from the port you are connecting)') p.add_option('-u', '--user', action='store', type='string', dest='user', default=None, help='The username you want to login as') p.add_option('-p', '--pass', action='store', type='string', dest='passwd', default=None, help='The password you want to use for that user') - p.add_option('-W', '--warning', action='store', dest='warning', default=None, help='The warning threshold we want to set') - p.add_option('-C', '--critical', action='store', dest='critical', default=None, help='The critical threshold we want to set') + p.add_option('-W', '--warning', 
action='store', dest='warning', default=None, help='The warning threshold you want to set') + p.add_option('-C', '--critical', action='store', dest='critical', default=None, help='The critical threshold you want to set') p.add_option('-A', '--action', action='store', type='choice', dest='action', default='connect', help='The action you want to take', choices=['connect', 'connections', 'replication_lag', 'replication_lag_percent', 'replset_state', 'memory', 'memory_mapped', 'lock', - 'flushing', 'last_flush_time', 'index_miss_ratio', 'databases', 'collections', 'database_size', 'database_indexes', 'collection_indexes', 'collection_size', - 'queues', 'oplog', 'journal_commits_in_wl', 'write_data_files', 'journaled', 'opcounters', 'current_lock', 'replica_primary', 'page_faults', - 'asserts', 'queries_per_second', 'page_faults', 'chunks_balance', 'connect_primary', 'collection_state', 'row_count', 'replset_quorum']) + 'flushing', 'last_flush_time', 'index_miss_ratio', 'databases', 'collections', 'database_size', 'database_indexes', 'collection_documents', 'collection_indexes', 'collection_size', + 'collection_storageSize', 'queues', 'oplog', 'journal_commits_in_wl', 'write_data_files', 'journaled', 'opcounters', 'current_lock', 'replica_primary', + 'page_faults', 'asserts', 'queries_per_second', 'page_faults', 'chunks_balance', 'connect_primary', 'collection_state', 'row_count', 'replset_quorum']) p.add_option('--max-lag', action='store_true', dest='max_lag', default=False, help='Get max replication lag (for replication_lag action only)') p.add_option('--mapped-memory', action='store_true', dest='mapped_memory', default=False, help='Get mapped memory instead of resident (if resident memory can not be read)') p.add_option('-D', '--perf-data', action='store_true', dest='perf_data', default=False, help='Enable output of Nagios performance data') 
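Review bot: `split_host_port` mis-parses a bare IPv6 literal such as `::1`: `rsplit(':', 1)[-1]` is `'1'`, so it returns host `':'` and port `1`; only bracketed forms survive. Guard it, e.g. `if string.count(':') > 1 and not string.startswith('['): return (string, None)` before the split. Separately, `-h` is rebound to `--host-to-check`; with `conflict_handler="resolve"` optparse silently drops the built-in `-h` help alias, so `check_mongodb -h` now means a host rather than help — document this in the usage text or pick another short flag. The `main` body continues past the hunk.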
@@ -145,12 +159,28 @@ def main(argv): p.add_option('-q', '--querytype', action='store', dest='query_type', default='query', help='The query type to check [query|insert|update|delete|getmore|command] from queries_per_second') p.add_option('-c', '--collection', action='store', dest='collection', default='admin', help='Specify the collection to check') p.add_option('-T', '--time', action='store', type='int', dest='sample_time', default=1, help='Time used to sample number of pages faults') + p.add_option('-M', '--mongoversion', action='store', type='choice', dest='mongo_version', default='2', help='The MongoDB version you are talking with, either 2 or 3', + choices=['2','3']) + p.add_option('-a', '--authdb', action='store', type='string', dest='authdb', default='admin', help='The database you want to authenticate against') + p.add_option('--insecure', action='store_true', dest='insecure', default=False, help="Don't verify SSL/TLS certificates") + p.add_option('--ssl-ca-cert-file', action='store', type='string', dest='ssl_ca_cert_file', default=None, help='Path to Certificate Authority file for SSL') + p.add_option('-f', '--ssl-cert-file', action='store', type='string', dest='cert_file', default=None, help='Path to PEM encoded key and cert for client authentication') + p.add_option('-m','--auth-mechanism', action='store', type='choice', dest='auth_mechanism', default=None, help='Auth mechanism used for auth with mongodb', + choices=['MONGODB-X509','SCRAM-SHA-256','SCRAM-SHA-1']) + p.add_option('--disable_retry_writes', dest='retry_writes_disabled', default=False, action='callback', callback=optional_arg(True), help='Disable retryWrites feature') options, arguments = p.parse_args() host = options.host + host_to_check = options.host_to_check if options.host_to_check else options.host + rdns_lookup = options.rdns_lookup + if (rdns_lookup): + host_to_check = socket.getnameinfo((host_to_check, 0), 0)[0] port = options.port + port_to_check = options.port_to_check if 
options.port_to_check else options.port user = options.user passwd = options.passwd + authdb = options.authdb + query_type = options.query_type collection = options.collection sample_time = options.sample_time @@ -164,9 +194,15 @@ def main(argv): action = options.action perf_data = options.perf_data max_lag = options.max_lag + mongo_version = options.mongo_version database = options.database ssl = options.ssl replicaset = options.replicaset + insecure = options.insecure + ssl_ca_cert_file = options.ssl_ca_cert_file + cert_file = options.cert_file + auth_mechanism = options.auth_mechanism + retry_writes_disabled = options.retry_writes_disabled if action == 'replica_primary' and replicaset is None: return "replicaset must be passed in when using replica_primary check" 
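Review bot: `socket.getnameinfo((host_to_check, 0), 0)` in the `rdns_lookup` branch is not guarded, so an unresolvable address escapes `main` as a `socket.gaierror` traceback with exit status 1, which Nagios reads as WARNING with no status text. Wrap it: `try: host_to_check = socket.getnameinfo((host_to_check, 0), 0)[0]` / `except socket.gaierror as e: print("UNKNOWN - rDNS lookup of %s failed: %s" % (host_to_check, e)); return 3`. `--disable_retry_writes` also references `optional_arg`, which is not among the visible imports or definitions — presumably defined elsewhere in the file, confirm. The `main` body continues past the hunk.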
@@ -177,31 +213,35 @@ def main(argv): # moving the login up here and passing in the connection # start = time.time() - err, con = mongo_connect(host, port, ssl, user, passwd, replicaset) + err, con = mongo_connect(host, port, ssl, user, passwd, replicaset, authdb, insecure, ssl_ca_cert_file, cert_file, auth_mechanism, retry_writes_disabled=retry_writes_disabled) + if err != 0: + return err + + # Autodetect mongo-version and force pymongo to let us know if it can connect or not. + err, mongo_version = check_version(con) if err != 0: return err conn_time = time.time() - start - conn_time = round(conn_time, 0) if action == "connections": return check_connections(con, warning, critical, perf_data) elif action == "replication_lag": - return check_rep_lag(con, host, port, warning, critical, False, perf_data, max_lag, user, passwd) + return check_rep_lag(con, host_to_check, port_to_check, rdns_lookup, warning, critical, False, perf_data, max_lag, ssl, user, passwd, replicaset, authdb, insecure, ssl_ca_cert_file, cert_file, auth_mechanism, retry_writes_disabled=retry_writes_disabled) elif action == "replication_lag_percent": - return check_rep_lag(con, host, port, warning, critical, True, perf_data, max_lag, user, passwd) + return check_rep_lag(con, host_to_check, port_to_check, rdns_lookup, warning, critical, True, perf_data, max_lag, ssl, user, passwd, replicaset, authdb, insecure, ssl_ca_cert_file, cert_file, auth_mechanism, retry_writes_disabled=retry_writes_disabled) elif action == "replset_state": return check_replset_state(con, perf_data, warning, critical) elif action == "memory": - return check_memory(con, warning, critical, perf_data, options.mapped_memory) + return check_memory(con, warning, critical, perf_data, options.mapped_memory, host) elif action == "memory_mapped": return check_memory_mapped(con, warning, critical, perf_data) elif action == "queues": return check_queues(con, warning, critical, perf_data) elif action == "lock": - return check_lock(con, 
warning, critical, perf_data) + return check_lock(con, warning, critical, perf_data, mongo_version) elif action == "current_lock": - return check_current_lock(con, host, warning, critical, perf_data) + return check_current_lock(con, host, port, warning, critical, perf_data) elif action == "flushing": return check_flushing(con, warning, critical, True, perf_data) elif action == "last_flush_time": 
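Review bot: `err, mongo_version = check_version(con)` unconditionally overwrites the `mongo_version` taken from `-M/--mongoversion`, so that option has no effect; as an optparse choice it is also stored as the string `'2'`/`'3'`, which would never satisfy `mongo_version == 2` in `check_lock` anyway. Either remove the option and its help text, or make it an override with `default=None` and only autodetect when absent: `mongo_version = int(options.mongo_version) if options.mongo_version else None` then `if mongo_version is None: err, mongo_version = check_version(con)`. The remainder of `main` lies outside the hunk.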
@@ -223,22 +263,26 @@ def main(argv): return check_database_size(con, database, warning, critical, perf_data) elif action == "database_indexes": return check_database_indexes(con, database, warning, critical, perf_data) + elif action == "collection_documents": + return check_collection_documents(con, database, collection, warning, critical, perf_data) elif action == "collection_indexes": return check_collection_indexes(con, database, collection, warning, critical, perf_data) elif action == "collection_size": return check_collection_size(con, database, collection, warning, critical, perf_data) + elif action == "collection_storageSize": + return check_collection_storageSize(con, database, collection, warning, critical, perf_data) elif action == "journaled": return check_journaled(con, warning, critical, perf_data) elif action == "write_data_files": return check_write_to_datafiles(con, warning, critical, perf_data) elif action == "opcounters": - return check_opcounters(con, host, warning, critical, perf_data) + return check_opcounters(con, host, port, warning, critical, perf_data) elif action == "asserts": - return check_asserts(con, host, warning, critical, perf_data) + return check_asserts(con, host, port, warning, critical, perf_data) elif action == "replica_primary": - return check_replica_primary(con, host, warning, critical, perf_data, replicaset) + return check_replica_primary(con, host, warning, critical, perf_data, replicaset, mongo_version) elif action == "queries_per_second": - return check_queries_per_second(con, query_type, warning, critical, perf_data) + return check_queries_per_second(con, query_type, warning, critical, perf_data, mongo_version) elif action == "page_faults": check_page_faults(con, sample_time, warning, critical, perf_data) elif action == "chunks_balance": 
@@ -255,30 +299,73 @@ def main(argv): return check_connect(host, port, warning, critical, perf_data, user, passwd, conn_time) -def mongo_connect(host=None, port=None, ssl=False, user=None, passwd=None, replica=None): +def mongo_connect(host=None, port=None, ssl=False, user=None, passwd=None, replica=None, authdb="admin", insecure=False, ssl_ca_cert_file=None, ssl_cert=None, auth_mechanism=None, retry_writes_disabled=False): + from pymongo.errors import ConnectionFailure + from pymongo.errors import PyMongoError + import ssl as SSL + + con_args = dict() + + if ssl: + if insecure: + con_args['ssl_cert_reqs'] = SSL.CERT_NONE + else: + con_args['ssl_cert_reqs'] = SSL.CERT_REQUIRED + con_args['ssl'] = ssl + if ssl_ca_cert_file: + con_args['ssl_ca_certs'] = ssl_ca_cert_file + if ssl_cert: + con_args['ssl_certfile'] = ssl_cert + + if retry_writes_disabled: + con_args['retryWrites'] = False + try: # ssl connection for pymongo > 2.3 if pymongo.version >= "2.3": if replica is None: - con = pymongo.MongoClient(host, port) + con = pymongo.MongoClient(host, port, **con_args) else: - con = pymongo.Connection(host, port, read_preference=pymongo.ReadPreference.SECONDARY, ssl=ssl, replicaSet=replica, network_timeout=10) + con = pymongo.MongoClient(host, port, read_preference=pymongo.ReadPreference.SECONDARY, replicaSet=replica, **con_args) else: if replica is None: con = pymongo.Connection(host, port, slave_okay=True, network_timeout=10) else: con = pymongo.Connection(host, port, slave_okay=True, network_timeout=10) - #con = pymongo.Connection(host, port, slave_okay=True, replicaSet=replica, network_timeout=10) + + # we must authenticate the connection, otherwise we won't be able to perform certain operations + if ssl_cert and ssl_ca_cert_file and user and auth_mechanism == 'SCRAM-SHA-256': + con.the_database.authenticate(user, mechanism='SCRAM-SHA-256') + elif ssl_cert and ssl_ca_cert_file and user and auth_mechanism == 'SCRAM-SHA-1': + con.the_database.authenticate(user, 
mechanism='SCRAM-SHA-1') + elif ssl_cert and ssl_ca_cert_file and user and auth_mechanism == 'MONGODB-X509': + con.the_database.authenticate(user, mechanism='MONGODB-X509') + + try: + result = con.admin.command("ismaster") + except ConnectionFailure: + print("CRITICAL - Connection to Mongo server on %s:%s has failed" % (host, port) ) + sys.exit(2) + + if 'arbiterOnly' in result and result['arbiterOnly'] == True: + print("OK - State: 7 (Arbiter on port %s)" % (port)) + sys.exit(0) if user and passwd: - db = con["admin"] - if not db.authenticate(user, passwd): + db = con[authdb] + try: + db.authenticate(user, password=passwd) + except PyMongoError: sys.exit("Username/Password incorrect") - except Exception, e: + + # Ping to check that the server is responding. + con.admin.command("ping") + + except Exception as e: if isinstance(e, pymongo.errors.AutoReconnect) and str(e).find(" is an arbiter") != -1: # We got a pymongo AutoReconnect exception that tells us we connected to an Arbiter Server # This means: Arbiter is reachable and can answer requests/votes - this is all we need to know from an arbiter - print "OK - State: 7 (Arbiter)" + print("OK - State: 7 (Arbiter)") sys.exit(0) return exit_with_general_critical(e), None return 0, con @@ -288,7 +375,7 @@ def exit_with_general_warning(e): if isinstance(e, SystemExit): return e else: - print "WARNING - General MongoDB warning:", e + print("WARNING - General MongoDB warning:", e) return 1 
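Review bot: The three `auth_mechanism` branches call `con.the_database.authenticate(user, mechanism=...)`; pymongo resolves an unknown attribute on a client as a database of that literal name, so this authenticates against a database called `the_database` rather than `authdb`, and the two SCRAM branches pass no password at all. Use the configured database and credentials, e.g. `con[authdb].authenticate(user, password=passwd, mechanism=auth_mechanism)` for the SCRAM cases and the X.509 user's database for `MONGODB-X509`. A few lines later `sys.exit("Username/Password incorrect")` writes to stderr and exits 1, which Nagios reads as WARNING with an empty status line; print `CRITICAL - Username/Password incorrect` to stdout and `sys.exit(2)`. With `--insecure`, `ssl_cert_reqs = SSL.CERT_NONE` disables peer verification entirely, which is the intended opt-in but should be stated in that option's help text.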
@@ -296,19 +383,27 @@ def exit_with_general_critical(e): if isinstance(e, SystemExit): return e else: - print "CRITICAL - General MongoDB Error:", e + print("CRITICAL - General MongoDB Error:", e) return 2 def set_read_preference(db): - if pymongo.version >= "2.1": + if pymongo.version >= "2.2": + pymongo.read_preferences.Secondary + else: db.read_preference = pymongo.ReadPreference.SECONDARY +def check_version(con): + try: + server_info = con.server_info() + except Exception as e: + return exit_with_general_critical(e), None + return 0, int(server_info['version'].split('.')[0].strip()) def check_connect(host, port, warning, critical, perf_data, user, passwd, conn_time): warning = warning or 3 critical = critical or 6 - message = "Connection took %i seconds" % conn_time + message = "Connection took %.3f seconds" % conn_time message += performance_data(perf_data, [(conn_time, "connection_time", warning, critical)]) return check_levels(conn_time, warning, critical, message) @@ -330,13 +425,17 @@ def check_connections(con, warning, critical, perf_data): (available, "available_connections")]) return check_levels(used_percent, warning, critical, message) - except Exception, e: + except Exception as e: return exit_with_general_critical(e) -def check_rep_lag(con, host, port, warning, critical, percent, perf_data, max_lag, user, passwd): +def check_rep_lag(con, host, port, rdns_lookup, warning, critical, percent, perf_data, max_lag, ssl=False, user=None, passwd=None, replicaset=None, authdb="admin", insecure=None, ssl_ca_cert_file=None, cert_file=None, auth_mechanism=None, retry_writes_disabled=False): # Get mongo to tell us replica set member name when connecting locally if "127.0.0.1" == host: + if not "me" in list(con.admin.command("ismaster","1").keys()): + print("UNKNOWN - This is not replicated MongoDB") + return 3 + host = con.admin.command("ismaster","1")["me"].split(':')[0] if percent: 
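Review bot: In `set_read_preference`, the new `pymongo.read_preferences.Secondary` line is a bare attribute access with no effect, so for `pymongo.version >= "2.2"` the function now does nothing and `db.read_preference` is only assigned on older drivers; every `set_read_preference(con.admin)` call in the file is therefore a no-op on a current pymongo. If secondary reads are still wanted, set `read_preference=pymongo.ReadPreference.SECONDARY` on the client in `mongo_connect` and delete the dead branch. Note also that `pymongo.version >= "2.2"` is a string comparison (`"10.0" < "2.2"`).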
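Review bot: In the `"127.0.0.1" == host` branch of `check_rep_lag`, `con.admin.command("ismaster","1")` is issued twice; issue it once and reuse the result: `ismaster = con.admin.command("ismaster", "1")` / `if "me" not in ismaster: print("UNKNOWN - This is not replicated MongoDB"); return 3` / `host = ismaster["me"].split(':')[0]`. The new signature also defaults `insecure=None` where `mongo_connect` uses `insecure=False`; keep them consistent. `check_rep_lag` continues beyond this hunk.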
@@ -348,16 +447,15 @@ def check_rep_lag(con, host, port, warning, critical, percent, perf_data, max_la rs_status = {} slaveDelays = {} try: - set_read_preference(con.admin) + #set_read_preference(con.admin) # Get replica set status try: rs_status = con.admin.command("replSetGetStatus") - except pymongo.errors.OperationFailure, e: - if e.code == None and str(e).find('failed: not running with --replSet"'): - print "OK - Not running with replSet" - return 0 - + except pymongo.errors.OperationFailure as e: + if ((e.code == None and str(e).find('failed: not running with --replSet"')) or (e.code == 76 and str(e).find('not running with --replSet"'))): + print("UNKNOWN - Not running with replSet") + return 3 serverVersion = tuple(con.server_info()['version'].split('.')) if serverVersion >= tuple("2.0.0".split(".")): # 
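Review bot: `str(e).find('not running with --replSet"')` is truthy when the text is absent (it returns -1), so the new `e.code == 76` clause classifies every `OperationFailure` with code 76 as "not running with replSet", and the pre-existing `e.code == None` clause matches any code-less failure the same way. Use membership instead: `if (e.code is None or e.code == 76) and 'not running with --replSet"' in str(e):`. The identical condition is duplicated in the `check_replset_state` hunk at L353–L354 and needs the same fix there (or a shared helper). The `try` block of `check_rep_lag` continues past this hunk.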
@@ -377,24 +475,32 @@ def check_rep_lag(con, host, port, warning, critical, percent, perf_data, max_la for member in rs_status["members"]: if member["stateStr"] == "PRIMARY": primary_node = member - if member["name"].split(':')[0] == host and int(member["name"].split(':')[1]) == port: + + # if rdns_lookup is true then lookup both values back to their rdns value so we can compare hostname vs fqdn + if rdns_lookup: + member_host, member_port = split_host_port(member.get('name')) + member_host = "{0}:{1}".format(socket.getnameinfo((member_host, 0), 0)[0], member_port) + if member_host == "{0}:{1}".format(socket.getnameinfo((host, 0), 0)[0], port): + host_node = member + # Exact match + elif member.get('name') == "{0}:{1}".format(host, port): host_node = member # Check if we're in the middle of an election and don't have a primary if primary_node is None: - print "WARNING - No primary defined. In an election?" + print("WARNING - No primary defined. In an election?") return 1 # Check if we failed to find the current host # below should never happen if host_node is None: - print "CRITICAL - Unable to find host '" + host + "' in replica set." + print("CRITICAL - Unable to find host '" + host + "' in replica set.") return 2 # Is the specified host the primary? if host_node["stateStr"] == "PRIMARY": if max_lag == False: - print "OK - This is the primary." + print("OK - This is the primary.") return 0 else: #get the maximal replication lag 
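Review bot: When `rdns_lookup` is set, the exact-match `elif member.get('name') == "{0}:{1}".format(host, port)` is never evaluated, because it is the else-branch of `if rdns_lookup:`, so a member whose PTR result does not match cannot fall back to the literal name. `socket.getnameinfo((host, 0), 0)` is also recomputed inside the `for member` loop for every member, and a lookup failure surfaces as a generic CRITICAL through the outer `except Exception`. Compute the target once above the loop and make the comparison an `or`: `target = "{0}:{1}".format(socket.getnameinfo((host, 0), 0)[0], port) if rdns_lookup else None`, then `if member.get('name') == "{0}:{1}".format(host, port) or (rdns_lookup and member_host == target): host_node = member`. The surrounding function extends beyond the hunk.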
@@ -407,7 +513,7 @@ def check_rep_lag(con, host, port, warning, critical, percent, perf_data, max_la data = data + member['name'] + " lag=%d;" % replicationLag maximal_lag = max(maximal_lag, replicationLag) if percent: - err, con = mongo_connect(primary_node['name'].split(':')[0], int(primary_node['name'].split(':')[1]), False, user, passwd) + err, con = mongo_connect(split_host_port(primary_node['name'])[0], int(split_host_port(primary_node['name'])[1]), ssl, user, passwd, replicaset, authdb, insecure, ssl_ca_cert_file, cert_file, auth_mechanism, retry_writes_disabled=retry_writes_disabled) if err != 0: return err primary_timediff = replication_get_time_diff(con) @@ -419,8 +525,8 @@ def check_rep_lag(con, host, port, warning, critical, percent, perf_data, max_la message += performance_data(perf_data, [(maximal_lag, "replication_lag", warning, critical)]) return check_levels(maximal_lag, warning, critical, message) elif host_node["stateStr"] == "ARBITER": - print "OK - This is an arbiter" - return 0 + print("UNKNOWN - This is an arbiter") + return 3 # Find the difference in optime between current node and PRIMARY @@ -439,7 +545,7 @@ def check_rep_lag(con, host, port, warning, critical, percent, perf_data, max_la lag = float(optime_lag.seconds + optime_lag.days * 24 * 3600) if percent: - err, con = mongo_connect(primary_node['name'].split(':')[0], int(primary_node['name'].split(':')[1]), False, user, passwd) + err, con = mongo_connect(split_host_port(primary_node['name'])[0], int(split_host_port(primary_node['name'])[1]), ssl, user, passwd, replicaset, authdb, insecure, ssl_ca_cert_file, cert_file, auth_mechanism, retry_writes_disabled=retry_writes_disabled) if err != 0: return err primary_timediff = replication_get_time_diff(con) 
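Review bot: `int(split_host_port(primary_node['name'])[1])` raises `TypeError` when `split_host_port` returns `None` for the port (a member name with no numeric suffix); the helper already returns an `int`, so the wrapper is redundant and the `None` case should be handled explicitly, e.g. `p_host, p_port = split_host_port(primary_node['name'])` then `p_port = p_port or 27017`. The same long `mongo_connect(...)` call is repeated in both hunks here and again at L347; a small `_connect_to_primary(primary_node, ...)` helper would carry the argument list once. The reconnect also rebinds `con` without closing the original client. `check_rep_lag` continues outside these hunks.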
@@ -471,19 +577,19 @@ def check_rep_lag(con, host, port, warning, critical, percent, perf_data, max_la # Check if we're in the middle of an election and don't have a primary if primary_node is None: - print "WARNING - No primary defined. In an election?" + print("WARNING - No primary defined. In an election?") sys.exit(1) # Is the specified host the primary? if host_node["stateStr"] == "PRIMARY": - print "OK - This is the primary." + print("OK - This is the primary.") sys.exit(0) # Find the difference in optime between current node and PRIMARY optime_lag = abs(primary_node[1] - host_node["optimeDate"]) lag = optime_lag.seconds if percent: - err, con = mongo_connect(primary_node['name'].split(':')[0], int(primary_node['name'].split(':')[1])) + err, con = mongo_connect(split_host_port(primary_node['name'])[0], int(split_host_port(primary_node['name'])[1]), ssl, user, passwd, replicaset, authdb, insecure, ssl_ca_cert_file, cert_file, auth_mechanism, retry_writes_disabled=retry_writes_disabled) if err != 0: return err primary_timediff = replication_get_time_diff(con) 
@@ -495,26 +601,34 @@ def check_rep_lag(con, host, port, warning, critical, percent, perf_data, max_la message += performance_data(perf_data, [(lag, "replication_lag", warning, critical)]) return check_levels(lag, warning, critical, message) - except Exception, e: + except Exception as e: return exit_with_general_critical(e) - -def check_memory(con, warning, critical, perf_data, mapped_memory): - # - # These thresholds are basically meaningless, and must be customized to your system's ram - # - - # Get the total system merory and calculate based on that how much memory used by Mongodb is ok or not. +# +# Check the memory usage of mongo. Alerting on this may be hard to get right +# because it'll try to get as much memory as it can. And that's probably +# a good thing. +# +def check_memory(con, warning, critical, perf_data, mapped_memory, host): + # Get the total system memory of this system (This is totally bogus if you + # are running this command remotely) and calculate based on that how much + # memory used by Mongodb is ok or not. meminfo = open('/proc/meminfo').read() matched = re.search(r'^MemTotal:\s+(\d+)', meminfo) - if matched: + if matched: mem_total_kB = int(matched.groups()[0]) - # Old way - #critical = critical or 16 - # The new way. if using >80% then warn, if >90% then critical level - warning = warning or (mem_total_kB * 0.8) / 1024.0 / 1024.0 - critical = critical or (mem_total_kB * 0.9) / 1024.0 / 1024.0 + if host != "127.0.0.1" and not warning: + # Running remotely and value was not set by user, use hardcoded value + warning = 12 + else: + # running locally or user provided value + warning = warning or (mem_total_kB * 0.8) / 1024.0 / 1024.0 + + if host != "127.0.0.1" and not critical: + critical = 16 + else: + critical = critical or (mem_total_kB * 0.9) / 1024.0 / 1024.0 # debugging #print "mem total: {0}kb, warn: {1}GB, crit: {2}GB".format(mem_total_kB,warning, critical) 
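Review bot: The remote fallback thresholds (`warning = 12`, `critical = 16`) are assigned only inside `if matched:`, so when `/proc/meminfo` is absent or unparsable — the case the new comment itself calls "totally bogus" for a remote host — both thresholds stay `None` and `check_levels` later compares the resident size against `None`. Move the `host != "127.0.0.1"` logic outside the `if matched:` block so the hard-coded values apply whenever the local figure is unavailable, and close the handle: `with open('/proc/meminfo') as f: meminfo = f.read()`. Note `host != "127.0.0.1"` treats `-H localhost` or the machine's own address as remote. `check_memory` continues past this hunk.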
@@ -522,7 +636,7 @@ def check_memory(con, warning, critical, perf_data, mapped_memory):
 try:
 data = get_server_status(con)
 if not data['mem']['supported'] and not mapped_memory:
- print "OK - Platform not supported for memory info"
+ print("OK - Platform not supported for memory info")
 return 0
 #
 # convert to gigs
@@ -559,7 +673,7 @@ def check_memory(con, warning, critical, perf_data, mapped_memory):
 else:
 return check_levels(mem_resident, warning, critical, message)
 
- except Exception, e:
+ except Exception as e:
 return exit_with_general_critical(e)
 
 
@@ -572,7 +686,7 @@ def check_memory_mapped(con, warning, critical, perf_data):
 try:
 data = get_server_status(con)
 if not data['mem']['supported']:
- print "OK - Platform not supported for memory info"
+ print("OK - Platform not supported for memory info")
 return 0
 #
 # convert to gigs
@@ -589,38 +703,45 @@ def check_memory_mapped(con, warning, critical, perf_data): message += " %.2fGB mappedWithJournal" % mem_mapped_journal except: mem_mapped_journal = 0 - message += performance_data(perf_data, [("%.2f" % mem_mapped, "memory_mapped"), ("%.2f" % mem_mapped_journal, "mappedWithJournal")]) + message += performance_data(perf_data, [("%.2f" % mem_mapped, "memory_mapped", warning, critical), ("%.2f" % mem_mapped_journal, "mappedWithJournal")]) if not mem_mapped == -1: return check_levels(mem_mapped, warning, critical, message) else: - print "OK - Server does not provide mem.mapped info" + print("OK - Server does not provide mem.mapped info") return 0 - except Exception, e: + except Exception as e: return exit_with_general_critical(e) -def check_lock(con, warning, critical, perf_data): +# +# Return the percentage of the time there was a global Lock +# +def check_lock(con, warning, critical, perf_data, mongo_version): warning = warning or 10 critical = critical or 30 - try: - data = get_server_status(con) - # - # calculate percentage - # - lockTime = data['globalLock']['lockTime'] - totalTime = data['globalLock']['totalTime'] - if lockTime > totalTime: - lock_percentage = 0.00 - else: - lock_percentage = float(lockTime) / float(totalTime) * 100 - message = "Lock Percentage: %.2f%%" % lock_percentage - message += performance_data(perf_data, [("%.2f" % lock_percentage, "lock_percentage", warning, critical)]) - return check_levels(lock_percentage, warning, critical, message) - - except Exception, e: - return exit_with_general_critical(e) + if mongo_version == 2: + try: + data = get_server_status(con) + lockTime = data['globalLock']['lockTime'] + totalTime = data['globalLock']['totalTime'] + # + # calculate percentage + # + if lockTime > totalTime: + lock_percentage = 0.00 + else: + lock_percentage = float(lockTime) / float(totalTime) * 100 + message = "Lock Percentage: %.2f%%" % lock_percentage + message += performance_data(perf_data, [("%.2f" % 
lock_percentage, "lock_percentage", warning, critical)]) + return check_levels(lock_percentage, warning, critical, message) + except Exception as e: + print("Couldn't get globalLock lockTime info from mongo, are you sure you're not using version 3? See the -M option.") + return exit_with_general_critical(e) + else: + print("OK - MongoDB version 3 doesn't report on global locks") + return 0 def check_flushing(con, warning, critical, avg, perf_data): @@ -632,19 +753,24 @@ def check_flushing(con, warning, critical, avg, perf_data): critical = critical or 15000 try: data = get_server_status(con) - if avg: - flush_time = float(data['backgroundFlushing']['average_ms']) - stat_type = "Average" - else: - flush_time = float(data['backgroundFlushing']['last_ms']) - stat_type = "Last" + try: + data['backgroundFlushing'] + if avg: + flush_time = float(data['backgroundFlushing']['average_ms']) + stat_type = "Average" + else: + flush_time = float(data['backgroundFlushing']['last_ms']) + stat_type = "Last" - message = "%s Flush Time: %.2fms" % (stat_type, flush_time) - message += performance_data(perf_data, [("%.2fms" % flush_time, "%s_flush_time" % stat_type.lower(), warning, critical)]) + message = "%s Flush Time: %.2fms" % (stat_type, flush_time) + message += performance_data(perf_data, [("%.2fms" % flush_time, "%s_flush_time" % stat_type.lower(), warning, critical)]) - return check_levels(flush_time, warning, critical, message) + return check_levels(flush_time, warning, critical, message) + except Exception: + print("OK - flushing stats not available for this storage engine") + return 0 - except Exception, e: + except Exception as e: return exit_with_general_critical(e) @@ -655,6 +781,7 @@ def index_miss_ratio(con, warning, critical, perf_data): data = get_server_status(con) try: + data['indexCounters'] serverVersion = tuple(con.server_info()['version'].split('.')) if serverVersion >= tuple("2.4.0".split(".")): miss_ratio = float(data['indexCounters']['missRatio']) 
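Review bot: In `check_lock`, the `except Exception` branch prints a hint line before `exit_with_general_critical(e)` prints the `CRITICAL - ...` line, so the first stdout line — the one Nagios shows as the status — is the hint rather than the status; fold the hint into one message, e.g. `print("CRITICAL - Couldn't get globalLock info (not version 2? see -M): %s" % e); return 2`. The `else` branch also reports "MongoDB version 3" for every version other than 2, including 4 and later; use `"OK - MongoDB %s doesn't report on global locks" % mongo_version`.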
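Review bot: In `check_flushing`, the bare expression `data['backgroundFlushing']` is used as an existence probe, and the surrounding `except Exception` then also swallows any unrelated error (a bad `float()` conversion, a `check_levels` failure) as "OK - flushing stats not available"; `index_miss_ratio` at L351–L352 uses the same `data['indexCounters']` probe. Test membership explicitly instead: `if 'backgroundFlushing' not in data: print("OK - flushing stats not available for this storage engine"); return 0`, and let the remaining code run outside that guard so real errors still reach `exit_with_general_critical`.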
@@ -662,19 +789,24 @@ def index_miss_ratio(con, warning, critical, perf_data): miss_ratio = float(data['indexCounters']['btree']['missRatio']) except KeyError: not_supported_msg = "not supported on this platform" - if data['indexCounters'].has_key('note'): - print "OK - MongoDB says: " + not_supported_msg + try: + data['indexCounters'] + if 'note' in data['indexCounters']: + print("OK - MongoDB says: " + not_supported_msg) + return 0 + else: + print("WARNING - Can't get counter from MongoDB") + return 1 + except Exception: + print("OK - MongoDB says: " + not_supported_msg) return 0 - else: - print "WARNING - Can't get counter from MongoDB" - return 1 message = "Miss Ratio: %.2f" % miss_ratio message += performance_data(perf_data, [("%.2f" % miss_ratio, "index_miss_ratio", warning, critical)]) return check_levels(miss_ratio, warning, critical, message) - except Exception, e: + except Exception as e: return exit_with_general_critical(e) def check_replset_quorum(con, perf_data): @@ -698,7 +830,7 @@ def check_replset_quorum(con, perf_data): message = "Cluster is not quorate and cannot operate" return check_levels(state, warning, critical, message) - except Exception, e: + except Exception as e: return exit_with_general_critical(e) 
@@ -713,44 +845,63 @@ def check_replset_state(con, perf_data, warning="", critical=""): except: critical = [8, 4, -1] - ok = range(-1, 8) # should include the range of all posiible values + ok = list(range(-1, 8)) # should include the range of all posiible values try: + worst_state = -2 + message = "" try: try: set_read_preference(con.admin) data = con.admin.command(pymongo.son_manipulator.SON([('replSetGetStatus', 1)])) except: data = con.admin.command(son.SON([('replSetGetStatus', 1)])) - state = int(data['myState']) - except pymongo.errors.OperationFailure, e: - if e.code == None and str(e).find('failed: not running with --replSet"'): - state = -1 + members = data['members'] + my_state = int(data['myState']) + worst_state = my_state + for member in members: + their_state = int(member['state']) + message += " %s: %i (%s)" % (member['name'], their_state, state_text(their_state)) + if state_is_worse(their_state, worst_state, warning, critical): + worst_state = their_state + message += performance_data(perf_data, [(my_state, "state")]) - if state == 8: - message = "State: %i (Down)" % state - elif state == 4: - message = "State: %i (Fatal error)" % state - elif state == 0: - message = "State: %i (Starting up, phase1)" % state - elif state == 3: - message = "State: %i (Recovering)" % state - elif state == 5: - message = "State: %i (Starting up, phase2)" % state - elif state == 1: - message = "State: %i (Primary)" % state - elif state == 2: - message = "State: %i (Secondary)" % state - elif state == 7: - message = "State: %i (Arbiter)" % state - elif state == -1: - message = "Not running with replSet" - else: - message = "State: %i (Unknown state)" % state - message += performance_data(perf_data, [(state, "state")]) - return check_levels(state, warning, critical, message, ok) - except Exception, e: + except pymongo.errors.OperationFailure as e: + if ((e.code == None and str(e).find('failed: not running with --replSet"')) or (e.code == 76 and str(e).find('not running 
with --replSet"'))): + worst_state = -1 + + return check_levels(worst_state, warning, critical, message, ok) + except Exception as e: return exit_with_general_critical(e) +def state_is_worse(state, worst_state, warning, critical): + if worst_state in critical: + return False + if worst_state in warning: + return state in critical + return (state in warning) or (state in critical) + +def state_text(state): + if state == 8: + return "Down" + elif state == 4: + return "Fatal error" + elif state == 0: + return "Starting up, phase1" + elif state == 3: + return "Recovering" + elif state == 5: + return "Starting up, phase2" + elif state == 1: + return "Primary" + elif state == 2: + return "Secondary" + elif state == 7: + return "Arbiter" + elif state == -1: + return "Not running with replSet" + else: + return "Unknown state" + def check_databases(con, warning, critical, perf_data=None): try: @@ -764,7 +915,7 @@ def check_databases(con, warning, critical, perf_data=None): message = "Number of DBs: %.0f" % count message += performance_data(perf_data, [(count, "databases", warning, critical, message)]) return check_levels(count, warning, critical, message) - except Exception, e: + except Exception as e: return exit_with_general_critical(e) @@ -786,7 +937,7 @@ def check_collections(con, warning, critical, perf_data=None): message += performance_data(perf_data, [(count, "collections", warning, critical, message)]) return check_levels(count, warning, critical, message) - except Exception, e: + except Exception as e: return exit_with_general_critical(e) 
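Review bot: In `check_replset_state`, an `OperationFailure` whose code and message do not match the replSet test is silently swallowed: `worst_state` keeps its `-2` sentinel and `message` stays empty, so the plugin prints `CRITICAL - Unexpected value : -2; ` with no trace of the real error. Add `else: return exit_with_general_critical(e)` after the `worst_state = -1` assignment so the cause is reported (the membership-vs-`find` problem in that condition is described at L344). `state_text` would also read better as a module-level dict lookup, `STATE_TEXT.get(state, "Unknown state")`.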
@@ -823,21 +974,21 @@ def check_database_size(con, database, warning, critical, perf_data): try: set_read_preference(con.admin) data = con[database].command('dbstats') - storage_size = data['storageSize'] / 1024 / 1024 + storage_size = data['storageSize'] // 1024 // 1024 if perf_data: perfdata += " | database_size=%i;%i;%i" % (storage_size, warning, critical) #perfdata += " database=%s" %(database) if storage_size >= critical: - print "CRITICAL - Database size: %.0f MB, Database: %s%s" % (storage_size, database, perfdata) + print("CRITICAL - Database size: %.0f MB, Database: %s%s" % (storage_size, database, perfdata)) return 2 elif storage_size >= warning: - print "WARNING - Database size: %.0f MB, Database: %s%s" % (storage_size, database, perfdata) + print("WARNING - Database size: %.0f MB, Database: %s%s" % (storage_size, database, perfdata)) return 1 else: - print "OK - Database size: %.0f MB, Database: %s%s" % (storage_size, database, perfdata) + print("OK - Database size: %.0f MB, Database: %s%s" % (storage_size, database, perfdata)) return 0 - except Exception, e: + except Exception as e: return exit_with_general_critical(e) 
@@ -851,20 +1002,42 @@ def check_database_indexes(con, database, warning, critical, perf_data): try: set_read_preference(con.admin) data = con[database].command('dbstats') - index_size = data['indexSize'] / 1024 / 1024 + index_size = data['indexSize'] / 1024 // 1024 if perf_data: perfdata += " | database_indexes=%i;%i;%i" % (index_size, warning, critical) if index_size >= critical: - print "CRITICAL - %s indexSize: %.0f MB %s" % (database, index_size, perfdata) + print("CRITICAL - %s indexSize: %.0f MB %s" % (database, index_size, perfdata)) return 2 elif index_size >= warning: - print "WARNING - %s indexSize: %.0f MB %s" % (database, index_size, perfdata) + print("WARNING - %s indexSize: %.0f MB %s" % (database, index_size, perfdata)) return 1 else: - print "OK - %s indexSize: %.0f MB %s" % (database, index_size, perfdata) + print("OK - %s indexSize: %.0f MB %s" % (database, index_size, perfdata)) return 0 - except Exception, e: + except Exception as e: + return exit_with_general_critical(e) + + +def check_collection_documents(con, database, collection, warning, critical, perf_data): + perfdata = "" + try: + set_read_preference(con.admin) + data = con[database].command('collstats', collection) + documents = data['count'] + if perf_data: + perfdata += " | collection_documents=%i;%i;%i" % (documents, warning, critical) + + if documents >= critical: + print("CRITICAL - %s.%s documents: %s %s" % (database, collection, documents, perfdata)) + return 2 + elif documents >= warning: + print("WARNING - %s.%s documents: %s %s" % (database, collection, documents, perfdata)) + return 1 + else: + print("OK - %s.%s documents: %s %s" % (database, collection, documents, perfdata)) + return 0 + except Exception as e: return exit_with_general_critical(e) 
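Review bot: `index_size = data['indexSize'] / 1024 // 1024` mixes true and floor division, producing a float truncated at the MiB step, while check_database_size in the previous hunk uses `// 1024 // 1024` and check_collection_storageSize later in this patch uses `/ 1024 / 1024`; the three conversions disagree for no visible reason, so pick one form, e.g. `index_size = data['indexSize'] // 1024 // 1024`. The new check_collection_documents also applies no defaults to `warning`/`critical`, unlike `warning = warning or 100` in check_collection_storageSize, so if thresholds arrive as None the `%i` formatting and `documents >= critical` raise TypeError on Python 3 and the broad except turns it into an unexplained CRITICAL. Either add defaults consistent with the sibling checks or validate the thresholds before use.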
@@ -883,15 +1056,15 @@ def check_collection_indexes(con, database, collection, warning, critical, perf_ perfdata += " | collection_indexes=%i;%i;%i" % (total_index_size, warning, critical) if total_index_size >= critical: - print "CRITICAL - %s.%s totalIndexSize: %.0f MB %s" % (database, collection, total_index_size, perfdata) + print("CRITICAL - %s.%s totalIndexSize: %.0f MB %s" % (database, collection, total_index_size, perfdata)) return 2 elif total_index_size >= warning: - print "WARNING - %s.%s totalIndexSize: %.0f MB %s" % (database, collection, total_index_size, perfdata) + print("WARNING - %s.%s totalIndexSize: %.0f MB %s" % (database, collection, total_index_size, perfdata)) return 1 else: - print "OK - %s.%s totalIndexSize: %.0f MB %s" % (database, collection, total_index_size, perfdata) + print("OK - %s.%s totalIndexSize: %.0f MB %s" % (database, collection, total_index_size, perfdata)) return 0 - except Exception, e: + except Exception as e: return exit_with_general_critical(e) @@ -908,7 +1081,7 @@ def check_queues(con, warning, critical, perf_data): message += performance_data(perf_data, [(total_queues, "total_queues", warning, critical), (readers_queues, "readers_queues"), (writers_queues, "writers_queues")]) return check_levels(total_queues, warning, critical, message) - except Exception, e: + except Exception as e: return exit_with_general_critical(e) def check_collection_size(con, database, collection, warning, critical, perf_data): 
@@ -923,18 +1096,43 @@ def check_collection_size(con, database, collection, warning, critical, perf_dat perfdata += " | collection_size=%i;%i;%i" % (size, warning, critical) if size >= critical: - print "CRITICAL - %s.%s size: %.0f MB %s" % (database, collection, size, perfdata) + print("CRITICAL - %s.%s size: %.0f MB %s" % (database, collection, size, perfdata)) return 2 elif size >= warning: - print "WARNING - %s.%s size: %.0f MB %s" % (database, collection, size, perfdata) + print("WARNING - %s.%s size: %.0f MB %s" % (database, collection, size, perfdata)) return 1 else: - print "OK - %s.%s size: %.0f MB %s" % (database, collection, size, perfdata) + print("OK - %s.%s size: %.0f MB %s" % (database, collection, size, perfdata)) return 0 - except Exception, e: + except Exception as e: return exit_with_general_critical(e) -def check_queries_per_second(con, query_type, warning, critical, perf_data): + +def check_collection_storageSize(con, database, collection, warning, critical, perf_data): + warning = warning or 100 + critical = critical or 1000 + perfdata = "" + try: + set_read_preference(con.admin) + data = con[database].command('collstats', collection) + storageSize = data['storageSize'] / 1024 / 1024 + if perf_data: + perfdata += " | collection_storageSize=%i;%i;%i" % (storageSize, warning, critical) + + if storageSize >= critical: + print("CRITICAL - %s.%s storageSize: %.0f MB %s" % (database, collection, storageSize, perfdata)) + return 2 + elif storageSize >= warning: + print("WARNING - %s.%s storageSize: %.0f MB %s" % (database, collection, storageSize, perfdata)) + return 1 + else: + print("OK - %s.%s storageSize: %.0f MB %s" % (database, collection, storageSize, perfdata)) + return 0 + except Exception as e: + return exit_with_general_critical(e) + + +def check_queries_per_second(con, query_type, warning, critical, perf_data, mongo_version): warning = warning or 250 critical = critical or 500 
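Review bot: The new check_collection_storageSize and its local `storageSize` use camelCase while every neighbouring check is snake_case (check_collection_size, total_index_size, index_size); `check_collection_storage_size` / `storage_size` would match the file. `warning = warning or 100` also treats an explicit threshold of 0 as "not given"; `if warning is None: warning = 100` keeps 0 usable. check_queries_per_second gains a required trailing `mongo_version` parameter here, so every call site must change in the same commit; those call sites are outside this hunk.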
@@ -955,10 +1153,17 @@ def check_queries_per_second(con, query_type, warning, critical, perf_data): diff_query = num - last_count['data'][query_type]['count'] diff_ts = ts - last_count['data'][query_type]['ts'] + if diff_ts == 0: + message = "diff_query = " + str(diff_query) + " diff_ts = " + str(diff_ts) + return check_levels(0, warning, critical, message) + query_per_sec = float(diff_query) / float(diff_ts) # update the count now - db.nagios_check.update({u'_id': last_count['_id']}, {'$set': {"data.%s" % query_type: {'count': num, 'ts': int(time.time())}}}) + if mongo_version == 2: + db.nagios_check.update({u'_id': last_count['_id']}, {'$set': {"data.%s" % query_type: {'count': num, 'ts': int(time.time())}}}) + else: + db.nagios_check.update_one({u'_id': last_count['_id']}, {'$set': {"data.%s" % query_type: {'count': num, 'ts': int(time.time())}}}) message = "Queries / Sec: %f" % query_per_sec message += performance_data(perf_data, [(query_per_sec, "%s_per_sec" % query_type, warning, critical, message)]) 
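Review bot: The `mongo_version == 2` branches repeat the same filter and `$set` document, differing only in `update` versus `update_one`, and the same pair appears again in the next hunk (the first-run `else` path) followed by an `insert`/`insert_one` pair. A small helper keeps the document in one place so the version switch and the counter layout cannot drift apart between the three copies. The rest of check_queries_per_second, including how `db` and `last_count` are obtained, is outside this hunk.
```python
def _save_query_count(db, last_count, query_type, num, mongo_version):
    # Single definition of the counter document; only the driver method differs per version.
    query_filter = {u'_id': last_count['_id']}
    update = {'$set': {"data.%s" % query_type: {'count': num, 'ts': int(time.time())}}}
    if mongo_version == 2:
        db.nagios_check.update(query_filter, update)
    else:
        db.nagios_check.update_one(query_filter, update)

# … unchanged: diff_query / diff_ts computation and the diff_ts == 0 guard …
            query_per_sec = float(diff_query) / float(diff_ts)
            # update the count now
            _save_query_count(db, last_count, query_type, num, mongo_version)
```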
@@ -967,17 +1172,24 @@ def check_queries_per_second(con, query_type, warning, critical, perf_data): # since it is the first run insert it query_per_sec = 0 message = "First run of check.. no data" - db.nagios_check.update({u'_id': last_count['_id']}, {'$set': {"data.%s" % query_type: {'count': num, 'ts': int(time.time())}}}) + if mongo_version == 2: + db.nagios_check.update({u'_id': last_count['_id']}, {'$set': {"data.%s" % query_type: {'count': num, 'ts': int(time.time())}}}) + else: + db.nagios_check.update_one({u'_id': last_count['_id']}, {'$set': {"data.%s" % query_type: {'count': num, 'ts': int(time.time())}}}) + except TypeError: # # since it is the first run insert it query_per_sec = 0 message = "First run of check.. no data" - db.nagios_check.insert({'check': 'query_counts', 'data': {query_type: {'count': num, 'ts': int(time.time())}}}) + if mongo_version == 2: + db.nagios_check.insert({'check': 'query_counts', 'data': {query_type: {'count': num, 'ts': int(time.time())}}}) + else: + db.nagios_check.insert_one({'check': 'query_counts', 'data': {query_type: {'count': num, 'ts': int(time.time())}}}) return check_levels(query_per_sec, warning, critical, message) - except Exception, e: + except Exception as e: return exit_with_general_critical(e) @@ -1024,7 +1236,7 @@ def check_oplog(con, warning, critical, perf_data): message += performance_data(perf_data, [("%.2f" % hours_in_oplog, 'oplog_time', warning, critical), ("%.2f " % approx_level, 'oplog_time_100_percent_used')]) return check_levels(-approx_level, -warning, -critical, message) - except Exception, e: + except Exception as e: return exit_with_general_critical(e) 
@@ -1042,7 +1254,7 @@ Under very high write situations it is normal for this value to be nonzero. """ message += performance_data(perf_data, [(j_commits_in_wl, "j_commits_in_wl", warning, critical)]) return check_levels(j_commits_in_wl, warning, critical, message) - except Exception, e: + except Exception as e: return exit_with_general_critical(e) @@ -1058,7 +1270,7 @@ def check_journaled(con, warning, critical, perf_data): message += performance_data(perf_data, [("%.2f" % journaled, "journaled", warning, critical)]) return check_levels(journaled, warning, critical, message) - except Exception, e: + except Exception as e: return exit_with_general_critical(e) @@ -1075,11 +1287,11 @@ than the amount physically written to disk.""" message += performance_data(perf_data, [("%.2f" % writes, "write_to_data_files", warning, critical)]) return check_levels(writes, warning, critical, message) - except Exception, e: + except Exception as e: return exit_with_general_critical(e) -def get_opcounters(data, opcounters_name, host): +def get_opcounters(data, opcounters_name, host, port): try: insert = data[opcounters_name]['insert'] query = data[opcounters_name]['query'] 
@@ -1087,21 +1299,21 @@ def get_opcounters(data, opcounters_name, host): delete = data[opcounters_name]['delete'] getmore = data[opcounters_name]['getmore'] command = data[opcounters_name]['command'] - except KeyError, e: + except KeyError as e: return 0, [0] * 100 total_commands = insert + query + update + delete + getmore + command new_vals = [total_commands, insert, query, update, delete, getmore, command] - return maintain_delta(new_vals, host, opcounters_name) + return maintain_delta(new_vals, host, port, opcounters_name) -def check_opcounters(con, host, warning, critical, perf_data): +def check_opcounters(con, host, port, warning, critical, perf_data): """ A function to get all opcounters delta per minute. In case of a replication - gets the opcounters+opcountersRepl""" warning = warning or 10000 critical = critical or 15000 data = get_server_status(con) - err1, delta_opcounters = get_opcounters(data, 'opcounters', host) - err2, delta_opcounters_repl = get_opcounters(data, 'opcountersRepl', host) + err1, delta_opcounters = get_opcounters(data, 'opcounters', host, port) + err2, delta_opcounters_repl = get_opcounters(data, 'opcountersRepl', host, port) if err1 == 0 and err2 == 0: delta = [(x + y) for x, y in zip(delta_opcounters, delta_opcounters_repl)] delta[0] = delta_opcounters[0] # only the time delta shouldn't be summarized 
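Review bot: `except KeyError as e:` in get_opcounters binds `e` and never uses it; write `except KeyError:`. That branch also returns `0` as the error flag together with a zero-filled list, and check_opcounters below treats `err1 == 0 and err2 == 0` as success, so a server status lacking one of the opcounter sections is summed in as all-zero deltas rather than surfaced as a read problem; if that fallback is deliberate, a one-line comment on the `return 0, [0] * 100` line would make the intent clear. The remainder of check_opcounters continues in the next hunk.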
@@ -1109,14 +1321,14 @@ def check_opcounters(con, host, warning, critical, perf_data): message = "Test succeeded , old values missing" message = "Opcounters: total=%d,insert=%d,query=%d,update=%d,delete=%d,getmore=%d,command=%d" % tuple(per_minute_delta) message += performance_data(perf_data, ([(per_minute_delta[0], "total", warning, critical), (per_minute_delta[1], "insert"), - (per_minute_delta[2], "query"), (per_minute_delta[3], "update"), (per_minute_delta[5], "delete"), + (per_minute_delta[2], "query"), (per_minute_delta[3], "update"), (per_minute_delta[4], "delete"), (per_minute_delta[5], "getmore"), (per_minute_delta[6], "command")])) return check_levels(per_minute_delta[0], warning, critical, message) else: return exit_with_general_critical("problem reading data from temp file") -def check_current_lock(con, host, warning, critical, perf_data): +def check_current_lock(con, host, port, warning, critical, perf_data): """ A function to get current lock percentage and not a global one, as check_lock function does""" warning = warning or 10 critical = critical or 30 @@ -1125,7 +1337,7 @@ def check_current_lock(con, host, warning, critical, perf_data): lockTime = float(data['globalLock']['lockTime']) totalTime = float(data['globalLock']['totalTime']) - err, delta = maintain_delta([totalTime, lockTime], host, "locktime") + err, delta = maintain_delta([totalTime, lockTime], host, port, "locktime") if err == 0: lock_percentage = delta[2] / delta[1] * 100 # lockTime/totalTime*100 message = "Current Lock Percentage: %.2f%%" % lock_percentage @@ -1135,7 +1347,7 @@ def check_current_lock(con, host, warning, critical, perf_data): return exit_with_general_warning("problem reading data from temp file") -def check_page_faults(con, host, warning, critical, perf_data): +def check_page_faults(con, host, port, warning, critical, perf_data): """ A function to get page_faults per second from the system""" warning = warning or 10 critical = critical or 30 
@@ -1147,7 +1359,7 @@ def check_page_faults(con, host, warning, critical, perf_data): # page_faults unsupported on the underlaying system return exit_with_general_critical("page_faults unsupported on the underlaying system") - err, delta = maintain_delta([page_faults], host, "page_faults") + err, delta = maintain_delta([page_faults], host, port, "page_faults") if err == 0: page_faults_ps = delta[1] / delta[0] message = "Page faults : %.2f ps" % page_faults_ps @@ -1157,7 +1369,7 @@ def check_page_faults(con, host, warning, critical, perf_data): return exit_with_general_warning("problem reading data from temp file") -def check_asserts(con, host, warning, critical, perf_data): +def check_asserts(con, host, port, warning, critical, perf_data): """ A function to get asserts from the system""" warning = warning or 1 critical = critical or 10 @@ -1172,7 +1384,7 @@ def check_asserts(con, host, warning, critical, perf_data): user = asserts['user'] rollovers = asserts['rollovers'] - err, delta = maintain_delta([regular, warning_asserts, msg, user, rollovers], host, "asserts") + err, delta = maintain_delta([regular, warning_asserts, msg, user, rollovers], host, port, "asserts") if err == 0: if delta[5] != 0: @@ -1206,7 +1418,7 @@ def get_stored_primary_server_name(db): return stored_primary_server -def check_replica_primary(con, host, warning, critical, perf_data, replicaset): +def check_replica_primary(con, host, warning, critical, perf_data, replicaset, mongo_version): """ A function to check if the primary server of a replica set has changed """ if warning is None and critical is None: warning = 1 
@@ -1229,7 +1441,10 @@ def check_replica_primary(con, host, warning, critical, perf_data, replicaset): saved_primary = "None" if current_primary != saved_primary: last_primary_server_record = {"server": current_primary} - db.last_primary_server.update({"_id": "last_primary"}, {"$set": last_primary_server_record}, upsert=True, safe=True) + if mongo_version == 2: + db.last_primary_server.update({"_id": "last_primary"}, {"$set": last_primary_server_record}, upsert=True) + else: + db.last_primary_server.update_one({"_id": "last_primary"}, {"$set": last_primary_server_record}, upsert=True) message = "Primary server has changed from %s to %s" % (saved_primary, current_primary) primary_status = 1 return check_levels(primary_status, warning, critical, message) @@ -1251,9 +1466,9 @@ def check_page_faults(con, sample_time, warning, critical, perf_data): try: #on linux servers only - page_faults = (int(data2['extra_info']['page_faults']) - int(data1['extra_info']['page_faults'])) / sample_time + page_faults = (int(data2['extra_info']['page_faults']) - int(data1['extra_info']['page_faults'])) // sample_time except KeyError: - print "WARNING - Can't get extra_info.page_faults counter from MongoDB" + print("WARNING - Can't get extra_info.page_faults counter from MongoDB") sys.exit(1) message = "Page Faults: %i" % (page_faults) @@ -1261,7 +1476,7 @@ def check_page_faults(con, sample_time, warning, critical, perf_data): message += performance_data(perf_data, [(page_faults, "page_faults", warning, critical)]) check_levels(page_faults, warning, critical, message) - except Exception, e: + except Exception as e: exit_with_general_critical(e) 
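Review bot: The second hunk's header line `def check_page_faults(con, sample_time, warning, critical, perf_data)` defines a function with the same name as `check_page_faults(con, host, port, warning, critical, perf_data)` edited in the previous hunk; Python keeps only the later definition, so the port-aware variant built on maintain_delta is dead code, and a call passing `(con, host, port, ...)` binds host to `sample_time` and port to `warning`. The patch updates both bodies without resolving the clash; rename the sampling variant (e.g. `check_page_faults_sampled`) or remove the unused one, and confirm which signature the dispatcher calls. Both function headers and the dispatcher are outside the changed lines of this hunk.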
@@ -1277,35 +1492,35 @@ def chunks_balance(con, database, collection, warning, critical): shards = col.distinct("shard") except: - print "WARNING - Can't get chunks infos from MongoDB" + print("WARNING - Can't get chunks infos from MongoDB") sys.exit(1) if nscount == 0: - print "WARNING - Namespace %s is not sharded" % (nsfilter) + print("WARNING - Namespace %s is not sharded" % (nsfilter)) sys.exit(1) - avgchunksnb = nscount / len(shards) - warningnb = avgchunksnb * warning / 100 - criticalnb = avgchunksnb * critical / 100 + avgchunksnb = nscount // len(shards) + warningnb = avgchunksnb * warning // 100 + criticalnb = avgchunksnb * critical // 100 for shard in shards: delta = abs(avgchunksnb - col.find({"ns": nsfilter, "shard": shard}).count()) message = "Namespace: %s, Shard name: %s, Chunk delta: %i" % (nsfilter, shard, delta) if delta >= criticalnb and delta > 0: - print "CRITICAL - Chunks not well balanced " + message + print("CRITICAL - Chunks not well balanced " + message) sys.exit(2) elif delta >= warningnb and delta > 0: - print "WARNING - Chunks not well balanced " + message + print("WARNING - Chunks not well balanced " + message) sys.exit(1) - print "OK - Chunks well balanced across shards" + print("OK - Chunks well balanced across shards") sys.exit(0) - except Exception, e: + except Exception as e: exit_with_general_critical(e) - print "OK - Chunks well balanced across shards" + print("OK - Chunks well balanced across shards") sys.exit(0) @@ -1321,7 +1536,7 @@ def check_connect_primary(con, warning, critical, perf_data): data = con.admin.command(son.SON([('isMaster', 1)])) if data['ismaster'] == True: - print "OK - This server is primary" + print("OK - This server is primary") return 0 phost = data['primary'].split(':')[0] 
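Review bot: In chunks_balance, `except Exception as e: exit_with_general_critical(e)` is followed by `print("OK - Chunks well balanced across shards")` and `sys.exit(0)`. Every other check in this patch uses `return exit_with_general_critical(e)`, which suggests the helper returns a status rather than exiting; if so, an exception here prints a CRITICAL line, then an OK line, and exits 0, hiding the failure from the scheduler. Replace the call with `sys.exit(exit_with_general_critical(e))` and drop the trailing print/exit pair, which the try block never reaches because it exits on every path. `col.find({...}).count()` also depends on Cursor.count(), which PyMongo 4 removed; given the driver-version branching introduced elsewhere in this patch, `col.count_documents({"ns": nsfilter, "shard": shard})` keeps this check working on newer drivers.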
@@ -1339,17 +1554,17 @@ def check_connect_primary(con, warning, critical, perf_data): return check_levels(pconn_time, warning, critical, message) - except Exception, e: + except Exception as e: return exit_with_general_critical(e) def check_collection_state(con, database, collection): try: con[database][collection].find_one() - print "OK - Collection %s.%s is reachable " % (database, collection) + print("OK - Collection %s.%s is reachable " % (database, collection)) return 0 - except Exception, e: + except Exception as e: return exit_with_general_critical(e) @@ -1361,14 +1576,18 @@ def check_row_count(con, database, collection, warning, critical, perf_data): return check_levels(count, warning, critical, message) - except Exception, e: + except Exception as e: return exit_with_general_critical(e) -def build_file_name(host, action): +def build_file_name(host, port, action): #done this way so it will work when run independently and from shell module_name = re.match('(.*//*)*(.*)\..*', __file__).group(2) - return "/tmp/" + module_name + "_data/" + host + "-" + action + ".data" + + if (port == 27017): + return "/tmp/" + module_name + "_data/" + host + "-" + action + ".data" + else: + return "/tmp/" + module_name + "_data/" + host + "-" + str(port) + "-" + action + ".data" def ensure_dir(f): @@ -1381,7 +1600,7 @@ def write_values(file_name, string): f = None try: f = open(file_name, 'w') - except IOError, e: + except IOError as e: #try creating if (e.errno == 2): ensure_dir(file_name) @@ -1400,11 +1619,11 @@ def read_values(file_name): data = f.read() f.close() return 0, data - except IOError, e: + except IOError as e: if (e.errno == 2): #no previous data return 1, '' - except Exception, e: + except Exception as e: return 2, None 
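Review bot: build_file_name now derives the delta-state path as `/tmp/<module>_data/<host>[-<port>]-<action>.data`, a predictable name in a world-writable directory; write_values opens it with `'w'` and maintain_delta in the next hunk reads its contents back into the rate computations, so a file or symlink pre-placed there by another local account can redirect the write or taint the counters behind check_opcounters and check_current_lock. A directory owned by the monitoring user with mode 0700 (for example under /var/lib) removes that exposure, and ensure_dir, whose body is not in view, is the natural place to enforce owner and mode. Separately, `'(.*//*)*(.*)\..*'` is not a raw string, so `\.` is an invalid escape that Python 3 reports as a DeprecationWarning; write it as `r'(.*//*)*(.*)\..*'`.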
@@ -1420,8 +1639,8 @@ def calc_delta(old, new): return 0, delta -def maintain_delta(new_vals, host, action): - file_name = build_file_name(host, action) +def maintain_delta(new_vals, host, port, action): + file_name = build_file_name(host, port, action) err, data = read_values(file_name) old_vals = data.split(';') new_vals = [str(int(time.time()))] + new_vals @@ -1442,8 +1661,8 @@ def replication_get_time_diff(con): col = 'oplog.$main' firstc = local[col].find().sort("$natural", 1).limit(1) lastc = local[col].find().sort("$natural", -1).limit(1) - first = firstc.next() - last = lastc.next() + first = next(firstc) + last = next(lastc) tfirst = first["ts"] tlast = last["ts"] delta = tlast.time - tfirst.time -- 2.39.2 From 55f694f051221b75e606532315acfc2ea9dce2e8 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Wed, 14 Sep 2022 12:21:13 +0200 Subject: [PATCH 218/497] Update CHANGELOG --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2e46e8c9..32c1bc6b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -31,6 +31,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * nagios-nrpe: Add check_domains * generate-ldif: support any version of MariaDB (instead of only 10.0, 10.1 and 10.3) * openvpn: Run OpenVPN with the \_openvpn user and group instead of nobody which is originally for NFS +* nagios-nrpe: Upgrade check_mongo ### Fixed -- 2.39.2 From 6f04a4155783dd54461904d7d592170b8ca9cfdf Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 15 Sep 2022 09:48:34 +0200 Subject: [PATCH 219/497] fail2ban: fix dovecot-evolix regex syntax --- CHANGELOG.md | 7 ++++--- fail2ban/files/dovecot-evolix.conf | 6 +++--- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 32c1bc6b..009f5625 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
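Review bot: `old_vals = data.split(';')` in maintain_delta runs before `err` is examined, and read_values in the previous hunk returns `2, None` on any non-ENOENT failure, so that path raises AttributeError on `None.split` instead of producing the "problem reading data from temp file" warning the callers emit for a non-zero err. Guard it: `old_vals = data.split(';') if data else []`. The rest of maintain_delta, including how err is acted on, lies outside this hunk.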
@@ -35,11 +35,12 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Fixed +* fail2ban: fix dovecot-evolix regex syntax * haproxy: make it so that munin doesn't break if there is a non default `haproxy_stats_path` -* varnish: make `-j ` the first argument on jessie/stretch as it has to be the first argument there. -* redis: config directory must be owned by the user that runs the service (to be able to write tmp config files in it) -* webapps/nextcloud: Add missing dependencies for imagick * mysql: Add missing Munin conf for Debian 11 +* redis: config directory must be owned by the user that runs the service (to be able to write tmp config files in it) +* varnish: make `-j ` the first argument on jessie/stretch as it has to be the first argument there. +* webapps/nextcloud: Add missing dependencies for imagick ### Removed diff --git a/fail2ban/files/dovecot-evolix.conf b/fail2ban/files/dovecot-evolix.conf index 5ca484af..e1ef1a3f 100644 --- a/fail2ban/files/dovecot-evolix.conf +++ b/fail2ban/files/dovecot-evolix.conf @@ -1,3 +1,3 @@ -[Definition] -failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P\S*),.* -ignoreregex = +[Definition] +failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=,.* +ignoreregex = -- 2.39.2 From 0964865c4cb5d6297582ffd6bc970adca3b28639 Mon Sep 17 00:00:00 2001 
From: William Hirigoyen
Date: Thu, 15 Sep 2022 10:14:45 +0200
Subject: [PATCH 220/497] domains: integrate role into evolinux-base
---
{domains => evolinux-base}/files/domains.py | 0
domains/tasks/main.yml => evolinux-base/tasks/domains.yml | 0
2 files changed, 0 insertions(+), 0 deletions(-)
rename {domains => evolinux-base}/files/domains.py (100%)
rename domains/tasks/main.yml => evolinux-base/tasks/domains.yml (100%)
diff --git a/domains/files/domains.py b/evolinux-base/files/domains.py
similarity index 100%
rename from domains/files/domains.py
rename to evolinux-base/files/domains.py
diff --git a/domains/tasks/main.yml b/evolinux-base/tasks/domains.yml
similarity index 100%
rename from domains/tasks/main.yml
rename to evolinux-base/tasks/domains.yml
-- 
2.39.2
From c310482ba6d3e948d963bb8c3cf7355291e1debc Mon Sep 17 00:00:00 2001
From: William Hirigoyen
Date: Thu, 15 Sep 2022 10:25:06 +0200
Subject: [PATCH 221/497] domains: revert commits moved to dev branch domains
---
CHANGELOG.md | 2 -
evolinux-base/files/domains.py | 325 ------------------
evolinux-base/tasks/domains.yml | 8 -
nagios-nrpe/README.md | 6 -
nagios-nrpe/files/plugins/check_domains | 14 -
nagios-nrpe/tasks/configure_check_domains.yml | 25 --
nagios-nrpe/tasks/main.yml | 1 -
nagios-nrpe/templates/evolix.cfg.j2 | 1 -
8 files changed, 382 deletions(-)
delete mode 100755 evolinux-base/files/domains.py
delete mode 100644 evolinux-base/tasks/domains.yml
delete mode 100755 nagios-nrpe/files/plugins/check_domains
delete mode 100644 nagios-nrpe/tasks/configure_check_domains.yml
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 009f5625..067a2bf2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,7 +16,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * php: install php-xml with recent PHP versions
 * vrrp: add an `ip.yml` task file to help create VRRP addresses
 * webapps/nextcloud: Add compatibility with apache2, and apache2 mod_php.
-* inspect-domains: Add role
 * memcached: NRPE check for multi-instance setup
 * proftpd: Add options to override configs (and add a warning if file was overriden)
 * proftpd: Allow user auth with ssh keys
@@ -28,7 +27,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * generate-ldif: Support any MariaDB version
 * minifirewall: use handlers to restart minifirewall
 * openvpn: automate the initialization of the CA and the creation of the server certificate ; use openssl_dhparam module instead of a command
-* nagios-nrpe: Add check_domains
 * generate-ldif: support any version of MariaDB (instead of only 10.0, 10.1 and 10.3)
 * openvpn: Run OpenVPN with the \_openvpn user and group instead of nobody which is originally for NFS
 * nagios-nrpe: Upgrade check_mongo
diff --git a/evolinux-base/files/domains.py b/evolinux-base/files/domains.py
deleted file mode 100755
index 23dd28ee..00000000
--- a/evolinux-base/files/domains.py
+++ /dev/null
@@ -1,325 +0,0 @@ -#!/usr/bin/python3 -# -# Vérifie si les domaines listés dans les configurations de Apache, -# Nginx et Haproxy pointent bien sur le serveur. -# -# Développé par Will -# - -list_domains_path = '/usr/local/sbin/list_domains.py' -excludes_path = '/etc/nagios/domains_exclude.list' -includes_path = '/etc/nagios/domains_include.list' - -import os -import sys -import re -import subprocess -import threading -import time -import argparse -import json - -#import importlib.machinery -#list_domains = importlib.machinery.SourceFileLoader('list_domains.py', list_domains_path).load_module() - - -def execute(cmd): - """Execute Bash command cmd. - Return stdout and stderr as arrays of UTF-8 strings.""" - - proc = subprocess.Popen(cmd.split(), stdout=subprocess.PIPE, stderr=subprocess.PIPE) - stdout, stderr = proc.communicate() - - stdout_lines = stdout.decode('utf-8').splitlines() - stderr_lines = stderr.decode('utf-8').splitlines() - - return stdout_lines, stderr_lines - - -def get_my_ips(): - """Return localhost IPs.""" - stdout, stderr = execute('hostname -I') - if not stdout: - return [] - return stdout[0].strip(' \t').split() - - -def dig(domain): - """Return dig +short result on domain as a list.""" - stdout, stderr = execute('dig +short {}'.format(domain)) - return stdout - - -def strip_comments(string): - """Return string with any # comment removed.""" - return string.split('#')[0] - - -def list_apache_domains(): - """Return a dict containing : - - key: Apache domain (from command "apache2ctl -D DUMP_VHOSTS"). 
- - value: a list of strings "apache::" - """ - domains = {} - - try: - stdout, stderr = execute('apache2ctl -D DUMP_VHOSTS') - except: - # Apache is not present on the server - return domains - - vhost_infos = '' - for line in stdout: - dom = '' - words = line.strip(' \t').split() - - if 'namevhost' in line and len(words) >= 5: - # line format: port namevhost (:) - dom = words[3].strip() - vhost_infos = 'apache:' + words[4].strip('()') - - elif 'alias' in line and len(words) >= 2: - # line format: alias - dom = words[1].strip() # vhost_infos defined in previous lines - - if dom: - if dom not in domains: - domains[dom] = [] - if vhost_infos not in domains[dom]: - domains[dom].append(vhost_infos) - - return domains - - -def list_nginx_domains(): - """Return a dict containing : - - key: Nginx domain (from command "nginx -T"). - - value: a list of strings "nginx::" - """ - domains = {} - - try: - stdout, stderr = execute('nginx -T') - except: - # Nginx is not present on the server - return domains - - line_number = 1 - config_file_path = '' - - for line in stdout: - if '# configuration file' in line: - # line format : # configuration file : - words = line.strip(' \t;').split() - config_file_path = words[3].strip(' :') - continue - - if 'server_name ' in line: - # TODO: améliorer le if (cas tabulation) - # line format : server_name [ secs to DNS servers to answer in jobs threads - time.sleep(timeout) - - timeout_domains = [] - none_domains = [] - outside_ips = {} - ok_domains = [] - - for j in jobs: - if j.is_alive(): - timeout_domains.append(j.domain) - continue - - if not j.ips: - none_domains.append(j.domain) - continue - - is_outside = False - for ip in j.ips: - if ip not in my_ips: - is_outside = True - break - if is_outside: - outside_ips[j.domain] = j.ips - else: - ok_domains.append(j.domain) - - return timeout_domains, none_domains, outside_ips, ok_domains - - -def output_check_mode(timeout_domains, none_domains, outside_ips, ok_domains): - """Output result for 
check mode. - For now, consider everyting as warnings to avoid too much alerts. - """ - - n_ok = len(ok_domains) - n_warnings = len(timeout_domains) + len(none_domains) + len(outside_ips) - - msg = 'WARNING' if n_warnings else 'OK' - - print('{} - 0 UNK / 0 CRIT / {} WARN / {} OK \n'.format(msg, n_warnings, n_ok)) - - if timeout_domains or none_domains or outside_ips: - for d in timeout_domains: - print('WARNING - timeout resolving {}'.format(d)) - for d in none_domains: - print('WARNING - no resolution for {}'.format(d)) - for d in outside_ips: - print('WARNING - {} pointing elsewhere ({})'.format(d, ' '.join(outside_ips[d]))) - - sys.exit(1) if n_warnings else sys.exit(0) - - -def output_human_mode(doms, timeout_domains, none_domains, outside_ips): - if timeout_domains or none_domains or outside_ips: - if timeout_domains: print('\nTimeouts:') - for d in timeout_domains: - print('\t{} {}'.format(d, ' '.join(doms[d]))) - if none_domains: print('\nNo resolution:') - for d in none_domains: - print('\t{} {}'.format(d, ' '.join(doms[d]))) - if outside_ips: print('\nPointing elsewhere:') - for d in outside_ips: - print('\t{} {} -> [{}]'.format(d, ' '.join(doms[d]), ' '.join(outside_ips[d]))) - - sys.exit(1) - - print('Domains resolve to right IPs !') - - -def main(argv): - parser = argparse.ArgumentParser() - parser.add_argument('action', metavar='ACTION', help='Values: check-dns, list') - parser.add_argument('-o', '--output-style', help='Values: json (default for action list), human (default for action check-dns), nrpe') - parser.add_argument('-a', '--all-domains', action='store_true', help='Include all domains (default).') - parser.add_argument('-ap', '--apache-domains', action='store_true', help='Include Apache domains.') - parser.add_argument('-ng', '--nginx-domains', action='store_true', help='Include Nginx domains.') - parser.add_argument('-ha', '--haproxy-domains', action='store_true', help='Include HaProxy domains (not supported yet).') - args = 
parser.parse_args() - - if args.action not in ['check-dns', 'list']: - if args.output_style == 'nrpe': - print('UNKNOWN - unknown {} action, use -h option for help.'.format(args.action)) - sys.exit(3) - else: - print('Unknown {} action, use -h option for help.'.format(args.action)) - sys.exit(1) - - if not (args.all_domains or args.apache_domains or args.nginx_domains or args.haproxy_domains): - print('Domains scope not specified, looking for all domains.') - args.all_domains = True - - doms = {} - - if args.all_domains: - doms.update(list_apache_domains()) - - else: - if args.apache_domains: - doms.update(list_apache_domains()) - if args.nginx_domains: - doms.update(list_nginx_domains()) - if args.haproxy_domains: - print('Option --haproxy-domains not supported yet.') - - if not doms: - if args.output_style == 'nrpe': - print('UNKNOWN - No domain found on this server.') - sys.exit(3) - else: # == 'json' or 'human' - print('No domain found on this server.') - sys.exit(1) - - if args.action == 'check-dns': - timeout_domains, none_domains, outside_ips, ok_domains = run_check_domains(doms.keys()) - - if args.output_style == 'nrpe': - output_check_mode(timeout_domains, none_domains, outside_ips, ok_domains) - - elif args.output_style == 'json': - print('Option --output-style json not implemented yet for action check-dns.') - - else: # args.output_style == 'human' - output_human_mode(doms, timeout_domains, none_domains, outside_ips) - - elif args.action == 'list': - - if args.output_style == 'nrpe': - print('Action list is not for --output-style nrpe.') - - elif args.output_style == 'json': - print(json.dumps(doms, sort_keys=True, indent=4)) - - else: - print('Option --output-style human not implemented yet for action list, fallback to --output-style json.') - print(json.dumps(doms, sort_keys=True, indent=4)) - - -if __name__ == '__main__': - main(sys.argv[1:]) 
diff --git a/evolinux-base/tasks/domains.yml b/evolinux-base/tasks/domains.yml deleted file mode 100644 index f2a1ddb3..00000000 --- a/evolinux-base/tasks/domains.yml +++ /dev/null @@ -1,8 +0,0 @@ -- name: Copy inspect-domains script to local sbin - ansible.builtin.copy: - src: domains.py - dest: /usr/local/sbin/domains - mode: '0700' - - - diff --git a/nagios-nrpe/README.md b/nagios-nrpe/README.md index c52cab05..6d72920e 100644 --- a/nagios-nrpe/README.md +++ b/nagios-nrpe/README.md @@ -12,9 +12,3 @@ Everything is in the `tasks/main.yml` file. * `nagios_nrpe_force_update_allowed_hosts` : force update list of allowed hosts (default: `False`) The full list of variables (with default values) can be found in `defaults/main.yml`. - -## Available tags - -* `nagios-nrpe` : install Nagios and plugins (idempotent) -* `nagios-plugins` : install only plugins (idempotent) - diff --git a/nagios-nrpe/files/plugins/check_domains b/nagios-nrpe/files/plugins/check_domains deleted file mode 100755 index 98068a0b..00000000 --- a/nagios-nrpe/files/plugins/check_domains +++ /dev/null @@ -1,14 +0,0 @@ -#!/bin/bash -# -# Check domains using script domains. -# -# Written by Will -# - -if ! command -v domains >/dev/null; then - echo 'UNKNOWN - Missing dependency domains.' - exit 3 -fi - -domains -o nrpe -a check-dns - diff --git a/nagios-nrpe/tasks/configure_check_domains.yml b/nagios-nrpe/tasks/configure_check_domains.yml deleted file mode 100644 index 2d5dd2fd..00000000 --- a/nagios-nrpe/tasks/configure_check_domains.yml +++ /dev/null 
@@ -1,25 +0,0 @@ -- name: Install check_domains dependency - include_role: - name: domains - -- name: Configure check_domains in /etc/nagios/nrpe.d/evolix.cfg - ansible.builtin.lineinfile: - path: /etc/nagios/nrpe.d/evolix.cfg - regexp: '^command\[check_domains\]=' - line: command[check_domains]=sudo {{ nagios_plugins_directory }}/check_domains - notify: restart nagios-nrpe-server - -- name: Is evolinux sudoers installed? - ansible.builtin.stat: - path: /etc/sudoers.d/evolinux - register: sudoers_evolinux - -- name: Allow nagios user to execute check_domains without sudo password - ansible.builtin.lineinfile: - path: /etc/sudoers.d/evolinux - regexp: 'check_domains' - line: 'nagios ALL = NOPASSWD: {{ nagios_plugins_directory }}/check_domains' - insertafter: '^nagios' - validate: "visudo -cf %s" - when: sudoers_evolinux.stat.exists - diff --git a/nagios-nrpe/tasks/main.yml b/nagios-nrpe/tasks/main.yml index 28ab11a9..77770020 100644 --- a/nagios-nrpe/tasks/main.yml +++ b/nagios-nrpe/tasks/main.yml @@ -22,7 +22,6 @@ - ansible_distribution == "Debian" - ansible_distribution_major_version is version('10', '>=') tags: - - nagios-nrpe - nagios-plugins - name: custom configuration is present diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2 index 7546f2bc..ae0e0abd 100644 --- a/nagios-nrpe/templates/evolix.cfg.j2 +++ b/nagios-nrpe/templates/evolix.cfg.j2 
@@ -47,7 +47,6 @@ command[check_proxy]=/usr/lib/nagios/plugins/check_http -H {{ nagios_nrpe_check_ command[check_redis]=/usr/lib/nagios/plugins/check_tcp -p 6379 command[check_clamd]=/usr/lib/nagios/plugins/check_clamd -H /var/run/clamav/clamd.ctl -v command[check_clamav_db]=/usr/lib/nagios/plugins/check_file_age -w 86400 -c 172800 -f /var/lib/clamav/evolix.ndb -command[check_domains]=sudo {{ nagios_plugins_directory }}/check_domains command[check_ssl]=/usr/lib/nagios/plugins/check_http -f follow -I 127.0.0.1 -S -p 443 -H ssl.evolix.net -C 15,5 command[check_ssl_local]={{ nagios_plugins_directory }}/check_ssl_local command[check_elasticsearch]=/usr/lib/nagios/plugins/check_http -I 127.0.0.1 -u /_cat/health?h=st -p 9200 -r 'red' --invert-regex -- 2.39.2 From a5402350775abd2f0f6bd31eb9aa509d3085d1c9 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Thu, 15 Sep 2022 11:45:24 +0200 Subject: [PATCH 222/497] munin: Add ipmi_ plugins on dedicated hardware --- CHANGELOG.md | 2 ++ munin/tasks/main.yml | 25 +++++++++++++++++++++---- 2 files changed, 23 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 067a2bf2..e76f05ac 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,9 +17,11 @@ The **patch** part changes is incremented if multiple releases happen the same m * vrrp: add an `ip.yml` task file to help create VRRP addresses * webapps/nextcloud: Add compatibility with apache2, and apache2 mod_php. * memcached: NRPE check for multi-instance setup +* munin: Add ipmi_ plugins on dedicated hardware * proftpd: Add options to override configs (and add a warning if file was overriden) * proftpd: Allow user auth with ssh keys + ### Changed * evocheck: upstream release 22.09 diff --git a/munin/tasks/main.yml b/munin/tasks/main.yml index 4720fbe5..a4ea9a49 100644 --- a/munin/tasks/main.yml +++ b/munin/tasks/main.yml 
@@ -1,12 +1,13 @@ --- -- name: Ensure that Munin is installed +- name: Ensure that Munin (and useful dependencies) is installed apt: name: - munin - munin-node - munin-plugins-core - munin-plugins-extra + - gawk state: present tags: - munin @@ -79,16 +80,32 @@ tags: - munin -- name: Enable sensors plugin unless VM detected +- name: Enable sensors_ plugin on dedicated hardware file: src: /usr/share/munin/plugins/sensors_ - dest: /etc/munin/plugins/sensors_temp + dest: "/etc/munin/plugins/sensors_{{ item }}" state: link - when: ansible_virtualization_role != "guest" + with_items: + - fan + - temp + when: ansible_virtualization_role == "host" notify: restart munin-node tags: - munin +- name: Enable ipmi_ plugin on dedicated hardware + file: + src: /usr/share/munin/plugins/ipmi_ + dest: "/etc/munin/plugins/ipmi_{{ item }}" + state: link + when: ansible_virtualization_role == "host" + notify: restart munin-node + with_items: + - fans + - temp + - power + - volts + - name: adjustments for grsec kernel blockinfile: dest: /etc/munin/plugin-conf.d/munin-node -- 2.39.2 From 8089d90bd16e444afe490d2eac2f88ca6195e66c Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 19 Sep 2022 17:06:25 +0200 Subject: [PATCH 223/497] Release 22.09 --- CHANGELOG.md | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e76f05ac..71f7be80 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,18 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added +### Changed + +### Fixed + +### Removed + +### Security + +## [22.09] 2022-09-19 + +### Added + * evolinux_users: create only users who have a certain value for the `create` key (default: `always`). * php: install php-xml with recent PHP versions * vrrp: add an `ip.yml` task file to help create VRRP addresses 
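Review bot: The new `Enable ipmi_ plugin on dedicated hardware` task has no `tags:` block, unlike the `sensors_` task directly above it and the apt task in the first hunk, so a `--tags munin` run will skip it; add `tags:` / `- munin` after `notify:`. The narrowed guard `when: ansible_virtualization_role == "host"` (previously `!= "guest"`) deserves a second look: Ansible reports the role as `NA` rather than `host` on physical machines where it detects no hypervisor capability, so those servers would now get neither plugin — if that is not intended, `when: ansible_virtualization_role != "guest"` keeps the former scope. If the ipmi_ plugin needs ipmitool (or freeipmi) at run time, that package belongs next to `gawk` in the first hunk's apt list.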
@@ -47,8 +59,6 @@ The **patch** part changes is incremented if multiple releases happen the same m * evocheck: remove failure if deprecated variable is used * webapps/nextcloud: Drop support for Nginx -### Security - ## [22.07.1] 2022-07-28 ### Changed -- 2.39.2 From 26f9d171a404b3d7dfcd9ea69b9df3a78c22284d Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 26 Sep 2022 23:46:29 +0200 Subject: [PATCH 224/497] lxc-solr: detect the real partition options --- CHANGELOG.md | 2 ++ lxc/tasks/main.yml | 16 ++++++++++++---- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 71f7be80..50ad3561 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* lxc-solr: detect the real partition options + ### Fixed ### Removed diff --git a/lxc/tasks/main.yml b/lxc/tasks/main.yml index 70f5dc2b..3ec586bd 100644 --- a/lxc/tasks/main.yml +++ b/lxc/tasks/main.yml @@ -43,11 +43,19 @@ - lxc_unprivilegied_containers | bool - root_subuids.rc != 0 -- name: Check if /var has not mount options or nosuid or nodev or noexec - shell: findmnt | grep -E "/var[^/]" | grep -e nodev -e noexec -e nosuid - register: check_var +- name: Get filesystem options + command: findmnt --noheadings --target /var/lib/lxc --output OPTIONS changed_when: false - failed_when: "check_var.rc == 0" + check_mode: no + register: check_fs_options + +- name: Check if options are correct + assert: + that: + - "'nodev' not in check_fs_options.stdout" + - "'noexec' not in check_fs_options.stdout" + - "'nosuid' not in check_fs_options.stdout" + msg: "LXC directory is in a filesystem with incompatible options" - name: Create containers include: create-container.yml -- 2.39.2 From 46deb04005449da75081ec18dfc22e84d7ad7530 Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour Date: Mon, 26 Sep 2022 23:47:55 +0200 Subject: [PATCH 225/497] lxc-solr: choose java package and download URL according to Solr Version --- CHANGELOG.md | 1 + lxc-solr/tasks/solr.yml | 28 ++++++++++++++++++++++------ 2 files changed, 23 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 50ad3561..09044345 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* lxc-solr: choose java package and download URL according to Solr Version * lxc-solr: detect the real partition options ### Fixed diff --git a/lxc-solr/tasks/solr.yml b/lxc-solr/tasks/solr.yml index 4cf521ae..3a4baa1f 100644 --- a/lxc-solr/tasks/solr.yml +++ b/lxc-solr/tasks/solr.yml 
@@ -1,16 +1,31 @@ --- -- name: Install openjdk-8-jre-headless and lsof packages - command: "lxc-attach -n {{name}} -- apt-get install -y openjdk-8-jre-headless lsof" + +- name: "Set values for Solr < 9.0.0" + set_fact: + java_package: openjdk-8-jre-headless + tarball_url: https://archive.apache.org/dist/lucene/solr/{{ solr_version }}/solr-{{ solr_version }}.tgz + tarball_path: /var/lib/lxc/{{ name }}/rootfs/root/solr-{{ solr_version }}.tgz + when: "solr_version is version('9.0.0', '<')" + +- name: "Set values for Solr >= 9.0.0" + set_fact: + java_package: openjdk-11-jre-headless + tarball_url: https://archive.apache.org/dist/solr/solr/{{ solr_version }}/solr-{{ solr_version }}.tgz + tarball_path: /var/lib/lxc/{{ name }}/rootfs/root/solr-{{ solr_version }}.tgz + when: "solr_version is version('9.0.0', '>=')" + +- name: Install java and lsof packages + command: "lxc-attach -n {{ name }} -- apt-get install -y {{ java_package }} lsof" - name: "Download Solr {{ solr_version }}" get_url: - url: "https://archive.apache.org/dist/lucene/solr/{{ solr_version }}/solr-{{ solr_version }}.tgz" - dest: "/var/lib/lxc/{{ name }}/rootfs/root/solr-{{ solr_version }}.tgz" + url: "{{ tarball_url }}" + dest: "{{ tarball_path }}" mode: '0644' - name: "Extract solr-{{ solr_version }}.tgz" unarchive: - src: /var/lib/lxc/{{ name }}/rootfs/root/solr-{{ solr_version }}.tgz + src: "{{ tarball_path }}" dest: /var/lib/lxc/{{ name }}/rootfs/root/ remote_src: yes @@ -36,7 +51,8 @@ - name: "Set Solr port to {{ solr_port }}" lineinfile: dest: /var/lib/lxc/{{ name }}/rootfs/etc/default/solr.in.sh - line: "SOLR_PORT={{ solr_port }}" + line: "SOLR_PORT=\"{{ solr_port }}\"" + regexp: "^SOLR_PORT=" - name: "Start Solr" command: "lxc-attach -n {{name}} -- /etc/init.d/solr start" -- 2.39.2 From d52ab34f4f0159229f22d555f23e550ca8c599fa Mon Sep 17 00:00:00 2001 
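Review bot: `get_url` fetches a tarball whose `install_solr_service.sh` is executed later in this file, but the download is still unverified: `get_url` accepts a `checksum:` argument and Apache publishes a `.sha512` next to each archive, so `checksum: "sha512:{{ tarball_url }}.sha512"` would pin what gets executed (confirm the file name and format on archive.apache.org for both the `lucene/solr` and `solr/solr` trees). `tarball_path` is identical in both `set_fact` branches and does not depend on the version test, so it can be set once outside the two `when:` guarded tasks. The `Install java and lsof packages` command has no `changed_when`, so it reports a change on every run; `changed_when: false` or parsing the apt-get output would keep the play idempotent.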
From: Jeremy Lecour Date: Mon, 26 Sep 2022 23:48:05 +0200 Subject: [PATCH 226/497] * lxc-solr : add comments --- lxc-solr/defaults/main.yml | 4 ++++ lxc/defaults/main.yml | 2 ++ 2 files changed, 6 insertions(+) diff --git a/lxc-solr/defaults/main.yml b/lxc-solr/defaults/main.yml index ad2a3e23..18144daa 100644 --- a/lxc-solr/defaults/main.yml +++ b/lxc-solr/defaults/main.yml @@ -14,5 +14,9 @@ # release: stretch # solr_version: 8.4.1 # solr_port: 8985 +# - name: solr9 +# release: bullseye +# solr_version: 9.0.0 +# solr_port: 8985 lxc_containers: [] diff --git a/lxc/defaults/main.yml b/lxc/defaults/main.yml index e7e1c1ff..d17e78a0 100644 --- a/lxc/defaults/main.yml +++ b/lxc/defaults/main.yml @@ -15,4 +15,6 @@ lxc_mount_part: "/home" # release: jessie # - name: php70 # release: stretch +# - name: php81 +# release: bullseye lxc_containers: [] -- 2.39.2 From 6aeaab078dbca907af509e7ea96ac739ff9d8614 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 27 Sep 2022 07:47:26 +0200 Subject: [PATCH 227/497] lxc-solr: set homedir and port at install --- CHANGELOG.md | 1 + lxc-solr/tasks/main.yml | 6 +++++- lxc-solr/tasks/solr.yml | 30 ++++++++---------------------- 3 files changed, 14 insertions(+), 23 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 09044345..289ec68c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * lxc-solr: choose java package and download URL according to Solr Version * lxc-solr: detect the real partition options +* lxc-solr: set homedir and port at install ### Fixed diff --git a/lxc-solr/tasks/main.yml b/lxc-solr/tasks/main.yml index d629bbf6..bc279a04 100644 --- a/lxc-solr/tasks/main.yml +++ b/lxc-solr/tasks/main.yml 
@@ -10,5 +10,9 @@ mode: '0755' loop: "{{ lxc_containers }}" -- include: "solr.yml name={{item.name}} solr_version={{item.solr_version}} solr_port={{item.solr_port}}" +- include: solr.yml + args: + name: "{{ item.name }}" + solr_version: "{{ item.solr_version }}" + solr_port: "{{ item.solr_port }}" loop: "{{ lxc_containers }}" diff --git a/lxc-solr/tasks/solr.yml b/lxc-solr/tasks/solr.yml index 3a4baa1f..8ded722e 100644 --- a/lxc-solr/tasks/solr.yml +++ b/lxc-solr/tasks/solr.yml @@ -5,6 +5,8 @@ java_package: openjdk-8-jre-headless tarball_url: https://archive.apache.org/dist/lucene/solr/{{ solr_version }}/solr-{{ solr_version }}.tgz tarball_path: /var/lib/lxc/{{ name }}/rootfs/root/solr-{{ solr_version }}.tgz + start_command: "/etc/init.d/solr start" + stop_command: "/etc/init.d/solr stop" when: "solr_version is version('9.0.0', '<')" - name: "Set values for Solr >= 9.0.0" @@ -12,6 +14,8 @@ java_package: openjdk-11-jre-headless tarball_url: https://archive.apache.org/dist/solr/solr/{{ solr_version }}/solr-{{ solr_version }}.tgz tarball_path: /var/lib/lxc/{{ name }}/rootfs/root/solr-{{ solr_version }}.tgz + start_command: "systemctl start solr" + stop_command: "systemctl stop solr" when: "solr_version is version('9.0.0', '>=')" - name: Install java and lsof packages 
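Review bot: `start_command` and `stop_command` are set in both `set_fact` branches, yet nothing in this commit reads them: the `Stop Solr` and `Start Solr` tasks are deleted in the following hunk and the remaining tasks only reference `tarball_url` and `tarball_path`. Unless another task file consumes them, they are dead facts and should be dropped, or the start/stop tasks kept as `command: "lxc-attach -n {{ name }} -- {{ stop_command }}"` / `{{ start_command }}`. In the first hunk, `include: solr.yml` now passes values through `args:`; `vars:` is the documented keyword for handing variables to an include, so I would confirm `args:` behaves identically on the Ansible version in use or switch to `vars:`.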
@@ -29,30 +33,12 @@ dest: /var/lib/lxc/{{ name }}/rootfs/root/ remote_src: yes -- name: "Install Solr {{ solr_version }}" - command: "lxc-attach -n {{name}} -- /root/solr-{{ solr_version }}/bin/install_solr_service.sh /root/solr-{{ solr_version }}.tgz" - -- name: "Stop Solr" - command: "lxc-attach -n {{name}} -- /etc/init.d/solr stop" - ignore_errors: True - - name: "Make sure /home/solr exists" file: - path: /home/solr + path: /home/solr/{{ name }} + recurse: yes state: directory mode: '0755' -- name: "Move Solr data directory to /home/solr/{{name}}" - command: "lxc-attach -n {{name}} -- mv /var/solr /home/solr/{{name}}" - -- name: "Create a symbolic link to /home/solr/{{name}}" - command: "lxc-attach -n {{name}} -- ln -s /home/solr/{{name}} /var/solr" - -- name: "Set Solr port to {{ solr_port }}" - lineinfile: - dest: /var/lib/lxc/{{ name }}/rootfs/etc/default/solr.in.sh - line: "SOLR_PORT=\"{{ solr_port }}\"" - regexp: "^SOLR_PORT=" - -- name: "Start Solr" - command: "lxc-attach -n {{name}} -- /etc/init.d/solr start" +- name: "Install Solr {{ solr_version }}" + command: "lxc-attach -n {{name}} -- /root/solr-{{ solr_version }}/bin/install_solr_service.sh /root/solr-{{ solr_version }}.tgz -d /home/solr/{{name}} -p {{ solr_port }}" -- 2.39.2 From 792d1170ab128ef8d6c53641abf8c36ed81a8f7f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 30 Sep 2022 11:38:53 +0200 Subject: [PATCH 228/497] java: use default JRE when version is not specified --- CHANGELOG.md | 1 + java/defaults/main.yml | 2 +- java/tasks/openjdk.yml | 17 +++++++++++++++-- 3 files changed, 17 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 289ec68c..ae69cce3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
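Review bot: `recurse: yes` on the `Make sure /home/solr exists` task does not create parent directories — `state: directory` already does that — it recursively applies `mode: '0755'` to everything already under `/home/solr/{{ name }}` on the managed host, so each re-run marks every existing Solr data file readable and executable by all users. Drop `recurse: yes` and keep `state: directory` with `mode: '0755'` for the directory itself. The `Install Solr` command also runs unconditionally on every play; a `creates:` pointing at a file the installer writes (for example the solr.in.sh under the container rootfs, to be confirmed) would make it idempotent now that it receives `-d` and `-p`.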
@@ -14,6 +14,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* java: use default JRE package when version is not specified * lxc-solr: choose java package and download URL according to Solr Version * lxc-solr: detect the real partition options * lxc-solr: set homedir and port at install diff --git a/java/defaults/main.yml b/java/defaults/main.yml index 89f5cdac..b28fd4a5 100644 --- a/java/defaults/main.yml +++ b/java/defaults/main.yml @@ -1,4 +1,4 @@ --- java_alternative: 'openjdk' -java_version: 8 +java_version: Null java_default_alternative: True diff --git a/java/tasks/openjdk.yml b/java/tasks/openjdk.yml index b41db0a7..4af3cec1 100644 --- a/java/tasks/openjdk.yml +++ b/java/tasks/openjdk.yml @@ -13,7 +13,17 @@ tags: - java -- name: Install openjdk package +- name: Install default openjdk package + apt: + name: "default-jre-headless" + default_release: "{{ java_apt_release }}" + state: present + tags: + - java + - packages + when: java_version is none + +- name: Install specific openjdk package apt: name: "openjdk-{{ java_version}}-jre-headless" default_release: "{{ java_apt_release }}" @@ -21,11 +31,14 @@ tags: - java - packages + when: java_version is not none - name: This openjdk version is the default alternative alternatives: name: java path: "{{ java_bin_path[java_version] }}" - when: java_default_alternative | bool tags: - java + when: + - java_default_alternative | bool + - java_version is not none -- 2.39.2 From c6fb24f7d871eb32644bb6dc1be12e5b7ffec8b1 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 30 Sep 2022 11:39:50 +0200 Subject: [PATCH 229/497] lxc-solr: use default JRE package --- CHANGELOG.md | 2 +- lxc-solr/tasks/solr.yml | 4 +--- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ae69cce3..8520f9ba 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -15,7 +15,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed * java: use default JRE package when version is not specified -* lxc-solr: choose java package and download URL according to Solr Version +* lxc-solr: download URL according to Solr Version * lxc-solr: detect the real partition options * lxc-solr: set homedir and port at install diff --git a/lxc-solr/tasks/solr.yml b/lxc-solr/tasks/solr.yml index 8ded722e..9e37bf44 100644 --- a/lxc-solr/tasks/solr.yml +++ b/lxc-solr/tasks/solr.yml @@ -2,7 +2,6 @@ - name: "Set values for Solr < 9.0.0" set_fact: - java_package: openjdk-8-jre-headless tarball_url: https://archive.apache.org/dist/lucene/solr/{{ solr_version }}/solr-{{ solr_version }}.tgz tarball_path: /var/lib/lxc/{{ name }}/rootfs/root/solr-{{ solr_version }}.tgz start_command: "/etc/init.d/solr start" @@ -11,7 +10,6 @@ - name: "Set values for Solr >= 9.0.0" set_fact: - java_package: openjdk-11-jre-headless tarball_url: https://archive.apache.org/dist/solr/solr/{{ solr_version }}/solr-{{ solr_version }}.tgz tarball_path: /var/lib/lxc/{{ name }}/rootfs/root/solr-{{ solr_version }}.tgz start_command: "systemctl start solr" @@ -19,7 +17,7 @@ when: "solr_version is version('9.0.0', '>=')" - name: Install java and lsof packages - command: "lxc-attach -n {{ name }} -- apt-get install -y {{ java_package }} lsof" + command: "lxc-attach -n {{ name }} -- apt-get install -y default-jre-headless lsof" - name: "Download Solr {{ solr_version }}" get_url: -- 2.39.2 From 8e1b682ccc6838345b02237fd09eff00b33f6e46 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 3 Oct 2022 18:53:19 +0200 Subject: [PATCH 230/497] squid: whitelist deb.freexian.com --- CHANGELOG.md | 1 + squid/files/evolinux-whitelist-defaults.conf | 1 + squid/files/whitelist-evolinux.conf | 1 + 3 files changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8520f9ba..7f628094 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -18,6 +18,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * lxc-solr: download URL according to Solr Version * lxc-solr: detect the real partition options * lxc-solr: set homedir and port at install +* squid: whitelist deb.freexian.com ### Fixed diff --git a/squid/files/evolinux-whitelist-defaults.conf b/squid/files/evolinux-whitelist-defaults.conf index fe9c0fb4..433b9ef8 100644 --- a/squid/files/evolinux-whitelist-defaults.conf +++ b/squid/files/evolinux-whitelist-defaults.conf @@ -11,6 +11,7 @@ ^repo\.mysql\.com$ ^deb\.nodesource\.com$ ^dl\.yarnpkg\.com$ +^deb\.freexian\.com$ # Let's Encrypt .+\.letsencrypt.org$ diff --git a/squid/files/whitelist-evolinux.conf b/squid/files/whitelist-evolinux.conf index 41b81221..c445e835 100644 --- a/squid/files/whitelist-evolinux.conf +++ b/squid/files/whitelist-evolinux.conf @@ -10,6 +10,7 @@ http://spamassassin.apache.org/.* http://.*sa-update.* http://pear.php.net/.* http://repo.mysql.com/.* +http://deb.freexian.com/.* # Let's Encrypt http://.*.letsencrypt.org/.* -- 2.39.2 From 15d77568812e05c99575c62fa9d70a954bc00903 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 3 Oct 2022 18:54:29 +0200 Subject: [PATCH 231/497] minifirewall: whitelist deb.freexian.com --- CHANGELOG.md | 1 + minifirewall/files/minifirewall.legacy.conf | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7f628094..cab57c5d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * lxc-solr: download URL according to Solr Version * lxc-solr: detect the real partition options * lxc-solr: set homedir and port at install +* minifirewall: whitelist deb.freexian.com * squid: whitelist deb.freexian.com ### Fixed diff --git a/minifirewall/files/minifirewall.legacy.conf b/minifirewall/files/minifirewall.legacy.conf index 47be78bf..b63ad7d8 100644 
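Review bot: The new `http://deb.freexian.com/.*` entry follows the file's existing style, but unlike the `^deb\.freexian\.com$` line added to evolinux-whitelist-defaults.conf in the same commit it leaves the dots unescaped and the start unanchored, so if this file is consumed as a `url_regex` ACL it also matches `debXfreexianXcom` and any URL that merely embeds that substring. `^http://deb\.freexian\.com/.*` is the tighter equivalent. The neighbouring entries share the looseness, but they are outside this change.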
--- a/minifirewall/files/minifirewall.legacy.conf +++ b/minifirewall/files/minifirewall.legacy.conf @@ -55,7 +55,7 @@ DNSSERVEURS='0.0.0.0/0' # HTTP authorizations # (you can use DNS names but set cron to reload minifirewall regularly) # (if you have HTTP proxy, set 0.0.0.0/0) -# HTTPSITES='security.debian.org pub.evolix.net security-cdn.debian.org mirror.evolix.org backports.debian.org hwraid.le-vert.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org ocsp.int-x3.letsencrypt.org' +# HTTPSITES='security.debian.org pub.evolix.net security-cdn.debian.org mirror.evolix.org backports.debian.org hwraid.le-vert.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org ocsp.int-x3.letsencrypt.org deb.freexian.com' HTTPSITES='0.0.0.0/0' # HTTPS authorizations -- 2.39.2 From 8114f7c89bef424aaeba68695f9487c068e5ca2c Mon Sep 17 00:00:00 2001 From: David Prevot Date: Tue, 4 Oct 2022 15:49:00 +0200 Subject: [PATCH 232/497] mongodb: Allow to install version 5.0 on Bullseye --- mongodb/tasks/main_bullseye.yml | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/mongodb/tasks/main_bullseye.yml b/mongodb/tasks/main_bullseye.yml index 78459863..f97016ec 100644 --- a/mongodb/tasks/main_bullseye.yml +++ b/mongodb/tasks/main_bullseye.yml @@ -4,8 +4,12 @@ msg: Not compatible with Debian 11 (Bullseye) when: - ansible_distribution_release == "bullseye" - - mongodb_version is version('5.0', '<=') + - mongodb_version is version('5.0', '<') +- name: Look for legacy apt keyring + stat: + path: /etc/apt/trusted.gpg + register: _trusted_gpg_keyring - name: MongoDB embedded GPG key is absent apt_key: 
@@ -25,7 +29,7 @@ - name: enable APT sources list apt_repository: - repo: "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/{{mongodb_version}} main" + repo: "deb http://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{mongodb_version}} main" state: present filename: "mongodb-org-{{mongodb_version}}" update_cache: yes @@ -46,19 +50,19 @@ - name: install dependency for monitoring apt: - name: python-pymongo + name: python3-pymongo state: present - name: Custom configuration template: - src: mongodb_buster.conf.j2 + src: mongodb_bullseye.conf.j2 dest: "/etc/mongod.conf" force: "{{ mongodb_force_config | bool | ternary('yes', 'no') }}" notify: restart mongod - name: Configure logrotate template: - src: logrotate_buster.j2 + src: logrotate_bullseye.j2 dest: /etc/logrotate.d/mongodb force: yes backup: no -- 2.39.2 From 4f9d6868e0db982e0e706bbe8f3afd78fd8e60ca Mon Sep 17 00:00:00 2001 From: Mathieu Trossevin Date: Fri, 7 Oct 2022 14:16:32 +0200 Subject: [PATCH 233/497] evolinux-user: sudoers privileges for check php\fpm80 and 81 --- CHANGELOG.md | 3 +++ evolinux-users/templates/sudoers_stretch.j2 | 3 ++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cab57c5d..dd4d1a33 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* evolinux-user: Add sudoers privilege for chck php\_fpm81 * java: use default JRE package when version is not specified * lxc-solr: download URL according to Solr Version * lxc-solr: detect the real partition options @@ -23,6 +24,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Fixed +* evolinux-user: Fix sudoers privilege for chck php\_fpm80 + ### Removed ### Security diff --git a/evolinux-users/templates/sudoers_stretch.j2 b/evolinux-users/templates/sudoers_stretch.j2 index 4a522e1b..8211f121 100644 --- a/evolinux-users/templates/sudoers_stretch.j2 
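Review bot: The `repo:` line keeps a plain `http://` APT source (`deb http://repo.mongodb.org/apt/debian bullseye/...`), so package integrity rests solely on the `apt_key` material handled earlier in the file and the index fetch is observable and alterable on the path. MongoDB serves the same repository over TLS, and apt on bullseye has the HTTPS transport built in, so `repo: "deb https://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{mongodb_version}} main"` costs nothing. Since this hunk already changes the suite from buster to bullseye, it is the natural place to make that switch.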
+++ b/evolinux-users/templates/sudoers_stretch.j2
@@ -12,7 +12,8 @@ nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi
 nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php70/rootfs/etc/php/7.0/fpm/pool.d/
 nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php73/rootfs/etc/php/7.3/fpm/pool.d/
 nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php74/rootfs/etc/php/7.4/fpm/pool.d/
-nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php74/rootfs/etc/php/8.0/fpm/pool.d/
+nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php80/rootfs/etc/php/8.0/fpm/pool.d/
+nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php81/rootfs/etc/php/8.1/fpm/pool.d/
 nagios ALL = NOPASSWD: /usr/sbin/megaclisas-status --nagios
 nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_ipmi_sensor
 nagios ALL = NOPASSWD: /sbin/dmsetup status --noflush
-- 2.39.2
From 2d16aeb41e9ec31288afbef25d75a49f7f78110d Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Tue, 11 Oct 2022 13:37:21 +0200
Subject: [PATCH 234/497] evolinux-base: utils.yml can be excluded
---
 CHANGELOG.md | 1 +
 evolinux-base/defaults/main.yml | 3 +++
 evolinux-base/tasks/main.yml | 5 +----
 evolinux-base/tasks/utils.yml | 13 ++++++++++++-
 4 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index dd4d1a33..613439ab 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 
 ### Changed
 
+* evolinux-base: utils.yml can be excluded
 * evolinux-user: Add sudoers privilege for chck php\_fpm81
 * java: use default JRE package when version is not specified
 * lxc-solr: download URL according to Solr Version
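Review bot: The php74/8.0 mismatch this hunk corrects is exactly the copy-paste error a hard-coded list invites: every line repeats the container name and the PHP version as two independent strings, and sudoers matches arguments literally, so one wrong token silently denies the check. Since this is a Jinja template, a loop over a single version list — `{% for v in ['7.0', '7.3', '7.4', '8.0', '8.1'] %}` / `nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php{{ v | replace('.', '') }}/rootfs/etc/php/{{ v }}/fpm/pool.d/` / `{% endfor %}` — derives both parts from one value and cannot drift again; a role variable for that list would also let hosts without some containers omit the corresponding rules.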
diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index ee307015..80db9d3b 100644 --- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml @@ -224,3 +224,6 @@ evolinux_cron_checkhpraid_frequency: daily # Motd evolinux_motd_include: True + +# Utils +evolinux_utils_include: True \ No newline at end of file diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml index dba5e97b..ecbfe069 100644 --- a/evolinux-base/tasks/main.yml +++ b/evolinux-base/tasks/main.yml @@ -102,6 +102,7 @@ when: evolinux_motd_include | bool - include: utils.yml + when: evolinux_utils_include | bool - name: Munin include_role: @@ -132,7 +133,3 @@ include_role: name: evolix/generate-ldif when: evolinux_generateldif_include | bool - -- include: top.yml - -- include: htop.yml diff --git a/evolinux-base/tasks/utils.yml b/evolinux-base/tasks/utils.yml index 2fd4b0c1..c8aa58e8 100644 --- a/evolinux-base/tasks/utils.yml +++ b/evolinux-base/tasks/utils.yml @@ -37,4 +37,15 @@ # force: True # owner: root # group: root -# mode: "0755" \ No newline at end of file +# mode: "0755" + +- name: Deploy htop configuration + copy: + src: htoprc + dest: /etc/htoprc + mode: "0644" + +- name: Deploy top configuration file + file: + path: /etc/topdefaultrc + state: absent -- 2.39.2 From 05e782c6f81dc5bad83f014b1c0b8e0bdda22f0d Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 11 Oct 2022 17:58:27 +0200 Subject: [PATCH 235/497] evolinux-base: remove deprecated tasks files --- evolinux-base/tasks/htop.yml | 6 ------ evolinux-base/tasks/top.yml | 5 ----- 2 files changed, 11 deletions(-) delete mode 100644 evolinux-base/tasks/htop.yml delete mode 100644 evolinux-base/tasks/top.yml diff --git a/evolinux-base/tasks/htop.yml b/evolinux-base/tasks/htop.yml deleted file mode 100644 index eeb59beb..00000000 --- a/evolinux-base/tasks/htop.yml +++ /dev/null 
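Review bot: In utils.yml the task named `Deploy top configuration file` does the opposite of what its name says — it is `file:` with `state: absent` and removes `/etc/topdefaultrc` — so rename it to something like `Remove legacy top configuration file` so play output is not misleading. The two tasks duplicate the bodies of the `top.yml` and `htop.yml` files whose includes main.yml drops here; if those files are not deleted in the same series they become dead code. In the defaults hunk, `evolinux_utils_include: True` is appended without a trailing newline (`\ No newline at end of file`), the very issue this utils.yml hunk fixes for its own last line.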
@@ -1,6 +0,0 @@ ---- -- name: Deploy htop configuration - copy: - src: htoprc - dest: /etc/htoprc - mode: "0644" diff --git a/evolinux-base/tasks/top.yml b/evolinux-base/tasks/top.yml deleted file mode 100644 index 367791e7..00000000 --- a/evolinux-base/tasks/top.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: Deploy top configuration file - file: - path: /etc/topdefaultrc - state: absent -- 2.39.2 From 6be2ff3b48da4a7ad7f42de3470d0ab453ecb3dd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Dubois?= Date: Mon, 17 Oct 2022 11:37:58 +0200 Subject: [PATCH 236/497] evolinux-todo: execute tasks only for Debian distribution (because this task is a dependency for others roles used on different distributions) --- CHANGELOG.md | 1 + evolinux-todo/tasks/main.yml | 2 ++ 2 files changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 613439ab..2260ee81 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -22,6 +22,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * lxc-solr: set homedir and port at install * minifirewall: whitelist deb.freexian.com * squid: whitelist deb.freexian.com +* evolinux-todo: execute tasks only for Debian distribution (because this task is a dependency for others roles used on different distributions) ### Fixed diff --git a/evolinux-todo/tasks/main.yml b/evolinux-todo/tasks/main.yml index bd098c72..8b5fa6b7 100644 --- a/evolinux-todo/tasks/main.yml +++ b/evolinux-todo/tasks/main.yml @@ -5,6 +5,7 @@ dest: /etc/evolinux mode: "0700" state: directory + when: ansible_distribution == "Debian" - name: /etc/evolinux/todo.txt is present copy: @@ -12,3 +13,4 @@ dest: /etc/evolinux/todo.txt mode: "0640" force: no + when: ansible_distribution == "Debian" -- 2.39.2 From f71075d4efae66d9677b6685ef6ca9e9f74f5ae6 Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour Date: Wed, 19 Oct 2022 16:32:36 +0200 Subject: [PATCH 237/497] evolinux-base: replace regular kernel by cloud kernel on virtual servers --- CHANGELOG.md | 2 ++ evolinux-base/defaults/main.yml | 1 + evolinux-base/tasks/kernel.yml | 18 ++++++++++++++++++ 3 files changed, 21 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2260ee81..714e161e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added +* evolinux-base: replace regular kernel by cloud kernel on virtual servers + ### Changed * evolinux-base: utils.yml can be excluded diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index 80db9d3b..d75a23bf 100644 --- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml @@ -48,6 +48,7 @@ evolinux_internal_fqdn: "{{ evolinux_internal_hostname }}.{{ evolinux_intern evolinux_kernel_include: True +evolinux_kernel_cloud_auto: True evolinux_kernel_reboot_after_panic: True evolinux_kernel_disable_tcp_timestamps: True evolinux_kernel_customize_swappiness: True diff --git a/evolinux-base/tasks/kernel.yml b/evolinux-base/tasks/kernel.yml index 6ddeb57f..62569b08 100644 --- a/evolinux-base/tasks/kernel.yml +++ b/evolinux-base/tasks/kernel.yml @@ -1,5 +1,23 @@ --- +- name: "Use Cloud kernel on virtual servers" + apt: + name: "linux-image-cloud-amd64" + state: present + when: + - ansible_machine == "x86_64" + - ansible_virtualization_role == "guest" + - evolinux_kernel_cloud_auto | bool + +- name: "Remove non-Cloud kernel on virtual servers" + apt: + name: "linux-image-amd64" + state: absent + when: + - ansible_machine == "x86_64" + - ansible_virtualization_role == "guest" + - evolinux_kernel_cloud_auto | bool + - name: Reboot after panic sysctl: name: "{{ item.name }}" -- 2.39.2 From ed4fdce58cdcd1682ef973448e3715c91b7599c0 Mon Sep 17 00:00:00 2001 
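Review bot: Removing `linux-image-amd64` with `state: absent` only drops the metapackage; the versioned kernel currently running stays installed and booted until a reboot, and nothing in this hunk records that a reboot is pending (no `register:`/`notify:`, no entry in the evolinux todo), so a VM can keep running the regular kernel indefinitely while no longer tracking its updates. Registering the result of the first apt task and notifying a reboot-required handler would close that gap. With `evolinux_kernel_cloud_auto: True` as the default, this kernel swap also applies to every existing virtual server on its next run of the role, which is a larger behaviour change than a default usually carries; an opt-in default of `False`, or at least a CHANGELOG warning, would be safer. `ansible_virtualization_role == "guest"` is also true inside LXC/Docker guests, where installing a kernel is pointless — worth checking whether `ansible_virtualization_type` should be restricted as well.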
From: Jeremy Lecour Date: Wed, 19 Oct 2022 16:33:22 +0200 Subject: [PATCH 238/497] clean duplicate --- certbot/files/hooks/deploy/sync_remote.sh | 4 ---- 1 file changed, 4 deletions(-) diff --git a/certbot/files/hooks/deploy/sync_remote.sh b/certbot/files/hooks/deploy/sync_remote.sh index 7fc3ecf4..bbbe6f5f 100644 --- a/certbot/files/hooks/deploy/sync_remote.sh +++ b/certbot/files/hooks/deploy/sync_remote.sh @@ -28,10 +28,6 @@ main() { if [ -z "${RENEWED_LINEAGE}" ]; then error "Missing RENEWED_LINEAGE environment variable (usually provided by certbot)." fi - if [ -z "${servers}" ]; then - debug "Empty server list, skip." - exit 0 - fi if found_renewed_lineage; then RENEWED_DOMAINS=${RENEWED_DOMAINS:-$(domain_from_cert)} -- 2.39.2 From fc52fbf4bcc78115440b783889379b71ff516f99 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 20 Oct 2022 14:36:47 +0200 Subject: [PATCH 239/497] redis: some values should be quoted When Redis overwrites its own config, it uses quoted string values, so it's better to do the same to avoid changes. --- CHANGELOG.md | 5 +++-- redis/templates/redis.conf.j2 | 14 +++++++------- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 714e161e..da7c4dbc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -17,14 +17,15 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed * evolinux-base: utils.yml can be excluded +* evolinux-todo: execute tasks only for Debian distribution (because this task is a dependency for others roles used on different distributions) * evolinux-user: Add sudoers privilege for chck php\_fpm81 * java: use default JRE package when version is not specified -* lxc-solr: download URL according to Solr Version * lxc-solr: detect the real partition options +* lxc-solr: download URL according to Solr Version * lxc-solr: set homedir and port at install * minifirewall: whitelist deb.freexian.com +* redis: some values should be quoted * squid: whitelist deb.freexian.com -* evolinux-todo: execute tasks only for Debian distribution (because this task is a dependency for others roles used on different distributions) ### Fixed diff --git a/redis/templates/redis.conf.j2 b/redis/templates/redis.conf.j2 index 720f724f..4afced22 100644 --- a/redis/templates/redis.conf.j2 +++ b/redis/templates/redis.conf.j2 @@ -1,24 +1,24 @@ daemonize yes -pidfile {{ redis_pid_dir }}/redis-server.pid +pidfile "{{ redis_pid_dir }}/redis-server.pid" port {{ redis_port }} bind {{ redis_bind_interfaces | join(' ') }} {% if redis_socket_enabled %} -unixsocket {{ redis_socket_dir }}/redis.sock +unixsocket "{{ redis_socket_dir }}/redis.sock" unixsocketperm {{ redis_socket_perms }} {% endif %} {% if redis_password %} -requirepass {{ redis_password }} +requirepass "{{ redis_password }}" {% endif %} {% if redis_password_master %} -masterauth {{ redis_password_master }} +masterauth "{{ redis_password_master }}" {% endif %} timeout {{ redis_timeout }} loglevel {{ redis_log_level }} -logfile {{ redis_log_dir }}/redis-server.log +logfile "{{ redis_log_dir }}/redis-server.log" # To enable logging to the system logger, just set 'syslog-enabled' to yes, # and optionally update the other syslog parameters to suit your needs. 
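Review bot: Quoting `requirepass "{{ redis_password }}"` and `masterauth "{{ redis_password_master }}"` changes which characters are dangerous in the secret: Redis parses double-quoted config values with backslash escapes, so a password containing `"` or `\` now yields a truncated or different password at load time, where previously only whitespace was a problem. Because this is the authentication secret, an early `assert` in the role that neither `"` nor `\` appears in `redis_password` and `redis_password_master` would turn a silently wrong credential into a clear failure; escaping those two characters in the template is the alternative. The path values quoted in this hunk and the next carry the same caveat with much lower likelihood.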
@@ -33,8 +33,8 @@ save {{ save }} {% endfor %} rdbcompression {{ redis_rdbcompression | bool | ternary('yes','no') }} -dbfilename {{ redis_data_file }} -dir {{ redis_data_dir }} +dbfilename "{{ redis_data_file }}" +dir "{{ redis_data_dir }}" {% if redis_installed_version is version('3.2', '>=') %} protected-mode {{ redis_protected_mode | bool | ternary('yes','no') }} -- 2.39.2 From 554c086b798755eeaec213cf4db05af178d39fa3 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 20 Oct 2022 14:38:12 +0200 Subject: [PATCH 240/497] redis: variable to disable transparent hugepage (default: do nothing) --- CHANGELOG.md | 1 + redis/defaults/main.yml | 4 ++++ redis/handlers/main.yml | 5 +++++ redis/tasks/main.yml | 24 ++++++++++++++---------- redis/tasks/thp.yml | 34 ++++++++++++++++++++++++++++++++++ 5 files changed, 58 insertions(+), 10 deletions(-) create mode 100644 redis/tasks/thp.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index da7c4dbc..a7435530 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -25,6 +25,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * lxc-solr: set homedir and port at install * minifirewall: whitelist deb.freexian.com * redis: some values should be quoted +* redis: variable to disable transparent hugepage (default: do nothing) * squid: whitelist deb.freexian.com ### Fixed diff --git a/redis/defaults/main.yml b/redis/defaults/main.yml index 1a86c95c..b5547597 100644 --- a/redis/defaults/main.yml +++ b/redis/defaults/main.yml @@ -61,5 +61,9 @@ redis_sentinel_install: False redis_default_server_disabled: False +# Set to Null to leave as is +# Set to "always", "madvise" or "never" for custom value +redis_sysctl_transparent_hugepage_enabled: Null + general_alert_email: "root@localhost" log2mail_alert_email: Null diff --git a/redis/handlers/main.yml b/redis/handlers/main.yml index d85dcbf8..6d870b39 100644 --- a/redis/handlers/main.yml +++ b/redis/handlers/main.yml 
@@ -23,3 +23,8 @@ service: name: log2mail state: restarted + +- name: restart sysfsutils + service: + name: sysfsutils + state: restarted diff --git a/redis/tasks/main.yml b/redis/tasks/main.yml index 871ab3eb..d9a57bb2 100644 --- a/redis/tasks/main.yml +++ b/redis/tasks/main.yml @@ -3,7 +3,19 @@ - set_fact: redis_restart_handler_name: "{{ redis_restart_if_needed | bool | ternary('restart redis', 'restart redis (noop)') }}" -- name: Redis is installed. +- name: Linux kernel overcommit memory setting is enabled + sysctl: + name: "vm.overcommit_memory" + value: "1" + sysctl_file: "/etc/sysctl.d/evolinux-redis.conf" + state: present + reload: yes + +- name: Customize Kernel Transparent Huge Page + include: thp.yml + when: redis_sysctl_transparent_hugepage_enabled is not none + +- name: Redis is installed apt: name: - redis-server @@ -13,7 +25,7 @@ - redis - packages -- name: Redis Sentinel is installed. +- name: Redis Sentinel is installed apt: name: "redis-sentinel" state: present @@ -22,14 +34,6 @@ - packages when: redis_sentinel_install | bool -- name: Linux kernel overcommit memory setting is enabled - sysctl: - name: "vm.overcommit_memory" - value: "1" - sysctl_file: "/etc/sysctl.d/evolinux-redis.conf" - state: present - reload: yes - - name: Get Redis version shell: "redis-server -v | grep -Eo '(v=\\S+)' | cut -d'=' -f 2 | grep -E '^([0-9]|\\.)+$'" changed_when: false diff --git a/redis/tasks/thp.yml b/redis/tasks/thp.yml new file mode 100644 index 00000000..7a0dce27 --- /dev/null +++ b/redis/tasks/thp.yml 
@@ -0,0 +1,34 @@ +--- + +- name: sysfsutils is installed + apt: + name: + - sysfsutils + state: present + tags: + - redis + - packages + - kernel + +- name: Check possible values for THP + assert: + that: redis_sysctl_transparent_hugepage_enabled is in ['always', 'madvise', 'never'] + msg: "redis_sysctl_transparent_hugepage_enabled has incorrect value : '{{ redis_sysctl_transparent_hugepage_enabled }}' not in ['always', 'madvise', 'never']" + tags: + - redis + - kernel + +- name: "Set THP to {{ redis_sysctl_transparent_hugepage_enabled }} at boot" + lineinfile: + path: /etc/sysfs.conf + line: kernel/mm/transparent_hugepage/enabled = {{ redis_sysctl_transparent_hugepage_enabled }} + regexp: "kernel/mm/transparent_hugepage/enabled" + tags: + - redis + - kernel + +- name: "Set THP to {{ redis_sysctl_transparent_hugepage_enabled }} for this boot" + shell: "echo '{{ redis_sysctl_transparent_hugepage_enabled }}' >> /sys/kernel/mm/transparent_hugepage/enabled" + tags: + - redis + - kernel \ No newline at end of file -- 2.39.2 From 857b3e0e450e9b93f1152169c8bc37cf525eb34b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 20 Oct 2022 15:46:04 +0200 Subject: [PATCH 241/497] nagios-nrpe: check_haproxy_stats supports DRAIN status --- CHANGELOG.md | 2 +- nagios-nrpe/files/plugins/check_haproxy_stats | 14 +++++++++++--- nagios-nrpe/templates/evolix.cfg.j2 | 2 +- 3 files changed, 13 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a7435530..7f4fc18f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,7 +13,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added * evolinux-base: replace regular kernel by cloud kernel on virtual servers - +* nagios-nrpe: check_haproxy_stats supports DRAIN status ### Changed * evolinux-base: utils.yml can be excluded diff --git a/nagios-nrpe/files/plugins/check_haproxy_stats b/nagios-nrpe/files/plugins/check_haproxy_stats index fc51938f..d08c4103 100755 
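Review bot: The last task in `thp.yml` writes to `/sys/kernel/mm/transparent_hugepage/enabled` on every run with no `changed_when`, so the role always reports a change and re-applies the value unconditionally; the `>>` append also reads as a mistake even though sysfs accepts it. Reading the current setting first and writing only when the bracketed active value differs makes the task idempotent, as shown below. The `assert` on allowed values sits after the `apt` task, so an invalid value still installs sysfsutils before failing and the shell interpolation is only guarded by a check that runs later; moving the assert to the top of the file is cheaper and clearer. The `lineinfile` regexp `kernel/mm/transparent_hugepage/enabled` is unanchored, `^kernel/mm/transparent_hugepage/enabled\s*=` is safer.
```yaml
# … unchanged: sysfsutils install, value assert, lineinfile for /etc/sysfs.conf …

- name: "Read current THP setting"
  command: cat /sys/kernel/mm/transparent_hugepage/enabled
  register: thp_current
  changed_when: false
  check_mode: false
  tags:
    - redis
    - kernel

- name: "Set THP to {{ redis_sysctl_transparent_hugepage_enabled }} for this boot"
  shell: "echo '{{ redis_sysctl_transparent_hugepage_enabled }}' > /sys/kernel/mm/transparent_hugepage/enabled"
  # the kernel marks the active value in brackets, e.g. "always madvise [never]"
  when: "('[' ~ redis_sysctl_transparent_hugepage_enabled ~ ']') not in thp_current.stdout"
  tags:
    - redis
    - kernel
```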
--- a/nagios-nrpe/files/plugins/check_haproxy_stats +++ b/nagios-nrpe/files/plugins/check_haproxy_stats @@ -5,6 +5,7 @@ # Copyright (C) 2012, Giacomo Montagner # 2015, Yann Fertat, Romain Dessort, Jeff Palmer, # Christophe Drevet-Droguet +# 2022, Jérémy Lecour # # This program is free software; you can redistribute it and/or modify it # under the same terms as Perl 5.10.1. @@ -15,7 +16,7 @@ # warranty of merchantability or fitness for a particular purpose. # -our $VERSION = "1.2.0"; +our $VERSION = "1.3.1"; open(STDERR, ">&STDOUT"); @@ -29,6 +30,8 @@ open(STDERR, ">&STDOUT"); # 1.1.0 - support for HTTP interface # 1.1.1 - drop perl 5.10 requirement # 1.2.0 - add an option for ignore NOLB +# 1.3.0 - add an option for ignore DRAIN +# 1.3.1 - support DRAIN/MAINT when set by agent use strict; use warnings; @@ -64,6 +67,8 @@ DESCRIPTION Assume servers in MAINT state to be ok. -n, --ignore-nolb Assume servers in NOLB state to be ok. + --ignore-drain + Assume servers in DRAIN state to be ok. -p, --proxy Check only named proxies, not every one. Use comma to separate proxies in list. @@ -132,6 +137,7 @@ my $pass = ''; my $dump; my $ignore_maint; my $ignore_nolb; +my $ignore_drain; my $proxy; my $no_proxy; my $help; @@ -143,7 +149,8 @@ GetOptions ( "d|dump" => \$dump, "h|help" => \$help, "m|ignore-maint" => \$ignore_maint, - "n|ignore-nolb" => \$ignore_nolb, + "n|ignore-nolb" => \$ignore_nolb, + "ignore-drain" => \$ignore_drain, "p|proxy=s" => \$proxy, "P|no-proxy=s" => \$no_proxy, "s|sock|socket=s" => \$sock, 
@@ -267,8 +274,9 @@ foreach (@hastats) { # Check of servers } else { if ($data[$status] ne 'UP') { - next if ($ignore_maint && $data[$status] eq 'MAINT'); + next if ($ignore_maint && ($data[$status] eq 'MAINT' || $data[$status] eq 'MAINT (agent)')); next if ($ignore_nolb && $data[$status] eq 'NOLB'); + next if ($ignore_drain && ($data[$status] eq 'DRAIN' || $data[$status] eq 'DRAIN (agent)')); next if $data[$status] eq 'no check'; # Ignore server if no check is configured to be run next if $data[$svname] eq 'sock-1'; $exitcode = 2; diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2 index ae0e0abd..dc6d09db 100644 --- a/nagios-nrpe/templates/evolix.cfg.j2 +++ b/nagios-nrpe/templates/evolix.cfg.j2 @@ -72,7 +72,7 @@ command[check_mongodb_connect]={{ nagios_plugins_directory }}/check_mongodb -H l command[check_glusterfs]={{ nagios_plugins_directory }}/check_glusterfs -v all -n 0 command[check_supervisord_status]={{ nagios_plugins_directory }}/check_supervisord command[check_varnish]={{ nagios_plugins_directory }}/check_varnish_health -i 127.0.0.1 -p 6082 -s /etc/varnish/secret -w 2 -c 4 -command[check_haproxy]=sudo {{ nagios_plugins_directory }}/check_haproxy_stats -s /run/haproxy/admin.sock -w 80 -c 90 --ignore-maint --ignore-nolb +command[check_haproxy]=sudo {{ nagios_plugins_directory }}/check_haproxy_stats -s /run/haproxy/admin.sock -w 80 -c 90 --ignore-maint --ignore-nolb --ignore-drain command[check_minifirewall]=sudo {{ nagios_plugins_directory }}/check_minifirewall command[check_redis_instances]={{ nagios_plugins_directory }}/check_redis_instances command[check_hpraid]={{ nagios_plugins_directory }}/check_hpraid -- 2.39.2 From 2692ac5661b8ababcfb85d5ba16ae2a6cdaf73b1 Mon Sep 17 00:00:00 2001 
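Review bot: The three `next if` lines now compare `$data[$status]` against a growing list of literal states, and HAProxy reports further variants of the same families (`MAINT (via …)` for tracked servers and `MAINT (resolution)`, if I recall the stats output correctly) that this exact-match list still treats as DOWN and alerts on. Matching the family by prefix, `next if ($ignore_maint && $data[$status] =~ m{\A MAINT \b}xms);` and `next if ($ignore_drain && $data[$status] =~ m{\A DRAIN \b}xms);`, covers the agent-set and tracked-server variants alike and keeps each intent on one line. The enclosing `foreach (@hastats)` loop starts outside this hunk.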
From: "William Hirigoyen (Evolix)" Date: Thu, 16 Jun 2022 17:58:34 +0200 Subject: [PATCH 242/497] Ajoute l'umask 0007 au service php-fpm --- lxc-php/defaults/main.yml | 10 ++++++++++ lxc-php/handlers/main.yml | 11 +++++++++++ lxc-php/tasks/main.yml | 2 ++ lxc-php/tasks/umask.yml | 31 +++++++++++++++++++++++++++++++ 4 files changed, 54 insertions(+) create mode 100644 lxc-php/tasks/umask.yml diff --git a/lxc-php/defaults/main.yml b/lxc-php/defaults/main.yml index 415d1c9e..5567c4d0 100644 --- a/lxc-php/defaults/main.yml +++ b/lxc-php/defaults/main.yml @@ -21,3 +21,13 @@ lxc_php_container_releases: php74: "bullseye" php80: "bullseye" php81: "bullseye" + +lxc_php_services: + php56: 'php5-fpm.service' + php70: 'php7.0-fpm.service' + php73: 'php7.3-fpm.service' + php74: 'php7.4-fpm.service' + php80: 'php8.0-fpm.service' + php81: 'php8.1-fpm.service' + + diff --git a/lxc-php/handlers/main.yml b/lxc-php/handlers/main.yml index a757a2d0..eb52e86d 100644 --- a/lxc-php/handlers/main.yml +++ b/lxc-php/handlers/main.yml @@ -1,4 +1,10 @@ --- + +- name: Reload PHP-FPM + lxc_container: + name: "{{ lxc_php_version }}" + container_command: "systemctl reload {{ lxc_php_services[lxc_php_version] }}" + - name: Reload php81-fpm lxc_container: name: "{{ lxc_php_version }}" @@ -34,6 +40,11 @@ name: "{{ lxc_php_version }}" container_command: "systemctl restart opensmtpd" +- name: Daemon reload + lxc_container: + name: "{{ lxc_php_version }}" + container_command: "systemctl daemon-reload" + - name: Restart container lxc_container: name: "{{ lxc_php_version }}" diff --git a/lxc-php/tasks/main.yml b/lxc-php/tasks/main.yml index c6d85fbe..4471a709 100644 --- a/lxc-php/tasks/main.yml +++ b/lxc-php/tasks/main.yml @@ -27,4 +27,6 @@ - include: "php81.yml" when: lxc_php_version == "php81" +- include: "umask.yml" + - include: "misc.yml" diff --git a/lxc-php/tasks/umask.yml b/lxc-php/tasks/umask.yml new file mode 100644 index 00000000..5fca081a --- /dev/null +++ b/lxc-php/tasks/umask.yml 
@@ -0,0 +1,31 @@ +# Ajoute UMask=0007 à l'unité systemd PHP-FPM du conteneur LXC +# dans /etc/systemd/system/phpX.X-fpm.service.d/evolinux.conf +--- + +- name: "Définis le chemin du système de fichiers du conteneur LXC." + set_fact: + lxc_rootfs_path: "/var/lib/lxc/{{ lxc_php_version }}/rootfs" + +- name: "Crée des répertoires (si absents) pour surcharger la config des services PHP dans les conteneurs LXC." + ansible.builtin.file: + path: "{{ lxc_rootfs_path }}/etc/systemd/system/{{ lxc_php_services[lxc_php_version] }}.d" + register: systemd_path + state: directory + +- name: "[Service] est présent dans la surchage des services PHP-FPM des conteneurs LXC." + ansible.builtin.lineinfile: + path: "{{ systemd_path.path }}/evolinux.conf" + regex: "\\[Service\\]" + line: "[Service]" + create: yes + +- name: "UMask=0007 est présent dans la surchage des services PHP-FPM des conteneurs LXC." + ansible.builtin.lineinfile: + path: "{{ systemd_path.path }}/evolinux.conf" + regex: "^UMask=" + line: "UMask=0007" + insertafter: "\\[Service\\]" + notify: + - "Daemon reload" + - "Reload PHP-FPM" + -- 2.39.2 From 18fb89234c9f8bc0996d1f61164dca205ca2f5fb Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Wed, 26 Oct 2022 15:23:46 +0200 Subject: [PATCH 243/497] lxc-php: restart container instead of reload after php-fpm unit's umask change. --- lxc-php/handlers/main.yml | 5 +++++ lxc-php/tasks/umask.yml | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/lxc-php/handlers/main.yml b/lxc-php/handlers/main.yml index eb52e86d..0beaa055 100644 --- a/lxc-php/handlers/main.yml +++ b/lxc-php/handlers/main.yml @@ -5,6 +5,11 @@ name: "{{ lxc_php_version }}" container_command: "systemctl reload {{ lxc_php_services[lxc_php_version] }}" +- name: Restart PHP-FPM + lxc_container: + name: "{{ lxc_php_version }}" + container_command: "systemctl restart {{ lxc_php_services[lxc_php_version] }}" + - name: Reload php81-fpm lxc_container: name: "{{ lxc_php_version }}" 
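Review bot: The `notify` list at the end of `umask.yml` relies on `Daemon reload` running before `Reload PHP-FPM`, but Ansible runs handlers in the order they are defined in `handlers/main.yml`, not in notify order, and in this patch `Reload PHP-FPM` is defined at the top of that file while `Daemon reload` sits near the bottom; on first application the service handler therefore acts on the unit definition systemd already has and the new `UMask=0007` is not in effect until something restarts the service after a daemon-reload. Defining `Daemon reload` above the PHP-FPM handlers, or folding it into the same `container_command` (`systemctl daemon-reload && systemctl restart {{ lxc_php_services[lxc_php_version] }}`), fixes the order; the next commit switches reload to restart, which is needed because `UMask=` applies at process start, but keeps the same definition order. Task names and the header comment are in French while the rest of the role is in English, e.g. `- name: "Create directories (if missing) to override the PHP-FPM unit of the LXC container."` would match the surrounding style.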
diff --git a/lxc-php/tasks/umask.yml b/lxc-php/tasks/umask.yml index 5fca081a..8d43fdcd 100644 --- a/lxc-php/tasks/umask.yml +++ b/lxc-php/tasks/umask.yml @@ -27,5 +27,5 @@ insertafter: "\\[Service\\]" notify: - "Daemon reload" - - "Reload PHP-FPM" + - "Restart PHP-FPM" -- 2.39.2 From 912cec5a7851aee393a5756f46c8be6d465a2e00 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Wed, 26 Oct 2022 15:25:22 +0200 Subject: [PATCH 244/497] lxc-php: update changelog. --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7f4fc18f..704d9494 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,8 @@ The **patch** part changes is incremented if multiple releases happen the same m * evolinux-base: replace regular kernel by cloud kernel on virtual servers * nagios-nrpe: check_haproxy_stats supports DRAIN status +* lxc-php: set php-fpm umask to 007 + ### Changed * evolinux-base: utils.yml can be excluded -- 2.39.2 From b1138c07eef190e522db6d2a0b300033b3a8c61e Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Wed, 2 Nov 2022 11:10:56 +0100 Subject: [PATCH 245/497] lxc-php: Fix register instruction in wrong order and indentation --- lxc-php/tasks/umask.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lxc-php/tasks/umask.yml b/lxc-php/tasks/umask.yml index 8d43fdcd..4a2fde5d 100644 --- a/lxc-php/tasks/umask.yml +++ b/lxc-php/tasks/umask.yml @@ -9,8 +9,8 @@ - name: "Crée des répertoires (si absents) pour surcharger la config des services PHP dans les conteneurs LXC." ansible.builtin.file: path: "{{ lxc_rootfs_path }}/etc/systemd/system/{{ lxc_php_services[lxc_php_version] }}.d" - register: systemd_path state: directory + register: systemd_path - name: "[Service] est présent dans la surchage des services PHP-FPM des conteneurs LXC." ansible.builtin.lineinfile: -- 2.39.2 From 4d259d3c04a8a6cf272c56e62e9d3b3f6dc4125b Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour Date: Wed, 2 Nov 2022 13:29:58 +0100 Subject: [PATCH 246/497] varnish: systemd override depends on Varnish Use Varnish version instead of Debian version to choose systemd override template, to make it forward compatible --- CHANGELOG.md | 3 +- varnish/tasks/main.yml | 55 ++++++++++++++----- ...nf.jessie.j2 => override.conf.varnish4.j2} | 0 ...nf.buster.j2 => override.conf.varnish6.j2} | 0 varnish/templates/override.conf.varnish7.j2 | 18 ++++++ 5 files changed, 60 insertions(+), 16 deletions(-) rename varnish/templates/{varnish.conf.jessie.j2 => override.conf.varnish4.j2} (100%) rename varnish/templates/{varnish.conf.buster.j2 => override.conf.varnish6.j2} (100%) create mode 100644 varnish/templates/override.conf.varnish7.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index 704d9494..dfece0b1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -29,10 +29,11 @@ The **patch** part changes is incremented if multiple releases happen the same m * redis: some values should be quoted * redis: variable to disable transparent hugepage (default: do nothing) * squid: whitelist deb.freexian.com +* varnish: systemd override depends on Varnish version instead of Debian version ### Fixed -* evolinux-user: Fix sudoers privilege for chck php\_fpm80 +* evolinux-user: Fix sudoers privilege for check php\_fpm80 ### Removed diff --git a/varnish/tasks/main.yml b/varnish/tasks/main.yml index 75268841..be518130 100644 --- a/varnish/tasks/main.yml +++ b/varnish/tasks/main.yml @@ -6,6 +6,17 @@ tags: - varnish +- name: Fetch packages + package_facts: + manager: auto + tags: + - varnish + +- set_fact: + varnish_package_facts: ansible_facts.packages['varnish'] | first + tags: + - varnish + - name: Remove default varnish configuration files file: path: "{{ item }}" 
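Review bot: `varnish_package_facts: ansible_facts.packages['varnish'] | first` in the new `set_fact` task is a plain YAML string, not a Jinja expression, so the fact is set to the literal text `ansible_facts.packages['varnish'] | first` and the `varnish_package_facts['version']` comparisons added later in this commit operate on a string; it should read `varnish_package_facts: "{{ ansible_facts.packages['varnish'] | first }}"`. The tag fix two commits later in this series does not touch that line; disregard if a later commit outside this view corrects it. `package_facts` with `manager: auto` presumably also depends on the Python apt bindings being present on the target, worth confirming for minimal images.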
@@ -19,7 +30,7 @@ - varnish - config -- name: Copy Custom Varnish ExecReload script (Debian <10) +- name: Copy Custom Varnish ExecReload script (Debian < 10) template: src: "reload-vcl.sh.j2" dest: "/etc/varnish/reload-vcl.sh" 
@@ -38,27 +49,41 @@ tags: - varnish -- name: Override Varnish systemd unit (Stretch and before) - template: - src: varnish.conf.jessie.j2 - dest: /etc/systemd/system/varnish.service.d/evolinux.conf - force: yes - when: ansible_distribution_major_version is version('10', '<') +- name: Rename legacy systemd override + command: mv /etc/systemd/system/varnish.service.d/evolinux.conf /etc/systemd/system/varnish.service.d/override.conf + args: + removes: /etc/systemd/system/varnish.service.d/evolinux.conf + creates: /etc/systemd/system/varnish.service.d/override.conf notify: - reload systemd - - restart varnish tags: - varnish - - config - - update-config -# TODO: verify if it's still necessary for Debian 11 -- name: Override Varnish systemd unit (Buster and later) +- name: Varnish systemd override template (Varnish 4 and 5) + set_fact: + varnish_systemd_override_template: override.conf.varnish4.j2 + when: + - varnish_package_facts['version'] is version('4', '>=') + - varnish_package_facts['version'] is version('6', '<') + +- name: Varnish systemd override template (Varnish 6) + set_fact: + varnish_systemd_override_template: override.conf.varnish6.j2 + when: + - varnish_package_facts['version'] is version('6', '>=') + - varnish_package_facts['version'] is version('7', '<') + +- name: Varnish systemd override template (Varnish 7 and later) + set_fact: + varnish_systemd_override_template: override.conf.varnish7.j2 + when: + - varnish_package_facts['version'] is version('7', '>=') + +- name: Override Varnish systemd unit template: - src: varnish.conf.buster.j2 - dest: /etc/systemd/system/varnish.service.d/evolinux.conf + src: "{{ varnish_systemd_override_template }}" + dest: /etc/systemd/system/varnish.service.d/override.conf force: yes - when: ansible_distribution_major_version is version('10', '>=') notify: - reload systemd - restart varnish 
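Review bot: When `varnish_package_facts['version']` is below 4 none of the three `set_fact` tasks runs, and `Override Varnish systemd unit` then fails on an undefined `varnish_systemd_override_template`, an error that names the variable rather than the unsupported version. A guard before the template task, `- name: Varnish version is supported` with `assert: that: varnish_package_facts['version'] is version('4', '>=')`, makes the failure self-explanatory. The `mv` task's `creates` means an existing `override.conf` leaves `evolinux.conf` in place, so both drop-ins stay active for systemd; the follow-up commit in this series replaces the move with a removal, which resolves that.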
diff --git a/varnish/templates/varnish.conf.jessie.j2 b/varnish/templates/override.conf.varnish4.j2 similarity index 100% rename from varnish/templates/varnish.conf.jessie.j2 rename to varnish/templates/override.conf.varnish4.j2 diff --git a/varnish/templates/varnish.conf.buster.j2 b/varnish/templates/override.conf.varnish6.j2 similarity index 100% rename from varnish/templates/varnish.conf.buster.j2 rename to varnish/templates/override.conf.varnish6.j2 diff --git a/varnish/templates/override.conf.varnish7.j2 b/varnish/templates/override.conf.varnish7.j2 new file mode 100644 index 00000000..14a0b315 --- /dev/null +++ b/varnish/templates/override.conf.varnish7.j2 @@ -0,0 +1,18 @@ +# {{ ansible_managed }} + +[Service] +ExecStart= +ExecStart=/usr/sbin/varnishd \ + -j {{ varnish_jail }} \ + {{ varnish_addresses | map('regex_replace', '^(.*)$', '-a \\1') | list | join(' ') }} \ + -P %t/%N/varnishd.pid \ + -T {{ varnish_management_address }} \ + -f {{ varnish_config_file }} \ + -S {{ varnish_secret_file }} \ + -s {{ varnish_storage }} \ + -p feature=+http2 \ + -p thread_pools={{ varnish_thread_pools }} \ + -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} \ + -p thread_pool_min={{ varnish_thread_pool_min }} \ + -p thread_pool_max={{ varnish_thread_pool_max }} \ + {{ varnish_additional_options }} -- 2.39.2 From c9ccda227795073e466a077532ae4d3cc72168ab Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 2 Nov 2022 19:45:15 +0100 Subject: [PATCH 247/497] varnish: create special tmp directory for syntax validation --- CHANGELOG.md | 1 + varnish/tasks/main.yml | 11 +++++++++++ 2 files changed, 12 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index dfece0b1..4546d4da 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -15,6 +15,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * evolinux-base: replace regular kernel by cloud kernel on virtual servers * nagios-nrpe: check_haproxy_stats supports DRAIN status * lxc-php: set php-fpm umask to 007 +* varnish: create special tmp directory for syntax validation ### Changed diff --git a/varnish/tasks/main.yml b/varnish/tasks/main.yml index be518130..286d49dd 100644 --- a/varnish/tasks/main.yml +++ b/varnish/tasks/main.yml @@ -151,4 +151,15 @@ - config - update-config +# To validate the configuration, we must use a tmp directory that is mounted as exec +# We usually use /vat/tmp-cache then validate the syntax with this command: +# sudo -u vcache TMPDIR=/var/tmp-vcache varnishd -Cf /etc/varnish/default.vcl > /dev/null +- name: Special tmp directory + file: + path: "{{ varnish_tmp_dir }}" + state: directory + owner: vcache + group: varnish + mode: "0750" + - include: munin.yml -- 2.39.2 From 7f3f7b3e04cd00f5635712bafff635371ec285a0 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 2 Nov 2022 22:30:09 +0100 Subject: [PATCH 248/497] varnish: fix tags and variables --- varnish/defaults/main.yml | 2 ++ varnish/tasks/main.yml | 22 +++++++++++++++++----- 2 files changed, 19 insertions(+), 5 deletions(-) diff --git a/varnish/defaults/main.yml b/varnish/defaults/main.yml index 2de75a15..acc9b114 100644 --- a/varnish/defaults/main.yml +++ b/varnish/defaults/main.yml @@ -18,3 +18,5 @@ varnish_additional_options: "" varnish_config_file: /etc/varnish/default.vcl varnish_secret_file: /etc/varnish/secret + +varnish_tmp_dir: /var/tmp-vcache \ No newline at end of file diff --git a/varnish/tasks/main.yml b/varnish/tasks/main.yml index 286d49dd..67fe2d6e 100644 --- a/varnish/tasks/main.yml +++ b/varnish/tasks/main.yml 
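Review bot: The comment above `Special tmp directory` has the path wrong (`/vat/tmp-cache` versus the `/var/tmp-vcache` used in the example command and in `varnish_tmp_dir` added by the next commit), which sends a reader to the wrong directory, and "mounted as exec" describes a requirement on the parent mount rather than something the task does. Suggested wording: `# varnishd compiles the VCL into a shared object under TMPDIR, so it needs a directory on a mount without noexec (the default /tmp often has it).` followed by `# Validate with: sudo -u vcache TMPDIR=/var/tmp-vcache varnishd -Cf /etc/varnish/default.vcl > /dev/null`. `varnish_tmp_dir` is not defined in this commit; the following one adds it.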
@@ -48,16 +48,16 @@ state: directory tags: - varnish + - config -- name: Rename legacy systemd override - command: mv /etc/systemd/system/varnish.service.d/evolinux.conf /etc/systemd/system/varnish.service.d/override.conf - args: - removes: /etc/systemd/system/varnish.service.d/evolinux.conf - creates: /etc/systemd/system/varnish.service.d/override.conf +- name: Remove legacy systemd override + file: + dest: /etc/systemd/system/varnish.service.d/evolinux.conf notify: - reload systemd tags: - varnish + - config - name: Varnish systemd override template (Varnish 4 and 5) set_fact: @@ -65,6 +65,10 @@ when: - varnish_package_facts['version'] is version('4', '>=') - varnish_package_facts['version'] is version('6', '<') + tags: + - varnish + - config + - update-config - name: Varnish systemd override template (Varnish 6) set_fact: @@ -72,12 +76,20 @@ when: - varnish_package_facts['version'] is version('6', '>=') - varnish_package_facts['version'] is version('7', '<') + tags: + - varnish + - config + - update-config - name: Varnish systemd override template (Varnish 7 and later) set_fact: varnish_systemd_override_template: override.conf.varnish7.j2 when: - varnish_package_facts['version'] is version('7', '>=') + tags: + - varnish + - config + - update-config - name: Override Varnish systemd unit template: -- 2.39.2 From f531460f49b662c35d0db82a67c775cdc53f6ccd Mon Sep 17 00:00:00 2001 
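Review bot: The `Remove legacy systemd override` task has no `state: absent`, so `file` uses its default `state: file`, which never deletes anything and fails when `/etc/systemd/system/varnish.service.d/evolinux.conf` is missing, i.e. on every host that never had the legacy drop-in; the task needs `state: absent` (and `path:` is the conventional key, `dest:` is only an alias). Without it the old `evolinux.conf` keeps being applied next to the new `override.conf`, so the `ExecStart` the role believes it sets may not be the one in effect. Disregard if a later commit outside this view adds the missing state.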
From: Jeremy Lecour Date: Wed, 2 Nov 2022 23:15:17 +0100 Subject: [PATCH 249/497] Use proper keyrings directory for APT version MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Debian 9 → 11 : /etc/apt/trusted.gpg.d Debian 12 : /etc/apt/keyrings --- CHANGELOG.md | 1 + apt/defaults/main.yml | 2 ++ apt/tasks/evolix_public.yml | 2 +- docker-host/defaults/main.yml | 2 ++ docker-host/tasks/main.yml | 2 +- elasticsearch/defaults/main.yml | 2 ++ elasticsearch/tasks/packages.yml | 2 +- evolinux-base/defaults/main.yml | 2 ++ evolinux-base/tasks/hardware.yml | 4 ++-- filebeat/defaults/main.yml | 2 ++ filebeat/tasks/main.yml | 2 +- fluentd/defaults/main.yml | 2 ++ fluentd/tasks/main.yml | 4 ++-- jenkins/defaults/main.yml | 3 +++ jenkins/tasks/main.yml | 2 +- kibana/defaults/main.yml | 2 ++ kibana/tasks/main.yml | 2 +- logstash/defaults/main.yml | 4 +++- logstash/tasks/main.yml | 2 +- lxc-php/defaults/main.yml | 2 +- lxc-php/tasks/php80.yml | 4 ++-- lxc-php/tasks/php81.yml | 4 ++-- metricbeat/defaults/main.yml | 2 ++ metricbeat/tasks/main.yml | 2 +- mongodb/defaults/main.yml | 4 +++- mongodb/tasks/main_bullseye.yml | 2 +- mongodb/tasks/main_buster.yml | 2 +- newrelic/defaults/main.yml | 2 ++ newrelic/tasks/sources.yml | 2 +- nodejs/defaults/main.yml | 2 ++ nodejs/tasks/main.yml | 2 +- nodejs/tasks/yarn.yml | 2 +- percona/defaults/main.yml | 2 ++ percona/tasks/main.yml | 2 +- php/defaults/main.yml | 2 ++ php/tasks/sury_pre.yml | 2 +- postgresql/defaults/main.yml | 2 ++ postgresql/tasks/pgdg-repo.yml | 2 +- 38 files changed, 61 insertions(+), 27 deletions(-) create mode 100644 jenkins/defaults/main.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 4546d4da..0a9a7496 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -12,6 +12,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added +* Use proper keyrings directory for APT version * evolinux-base: replace regular kernel by cloud kernel on virtual servers * nagios-nrpe: check_haproxy_stats supports DRAIN status * lxc-php: set php-fpm umask to 007 diff --git a/apt/defaults/main.yml b/apt/defaults/main.yml index e5093c6e..681f1d14 100644 --- a/apt/defaults/main.yml +++ b/apt/defaults/main.yml @@ -25,3 +25,5 @@ apt_check_hold_cron_hour: "*/4" apt_check_hold_cron_weekday: "*" apt_check_hold_cron_day: "*" apt_check_hold_cron_month: "*" + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/apt/tasks/evolix_public.yml b/apt/tasks/evolix_public.yml index 8352e666..21062a32 100644 --- a/apt/tasks/evolix_public.yml +++ b/apt/tasks/evolix_public.yml @@ -19,7 +19,7 @@ - name: Add Evolix GPG key copy: src: reg.asc - dest: /etc/apt/trusted.gpg.d/reg.asc + dest: "{{ apt_keyring_dir }}/reg.asc" force: yes mode: "0644" owner: root diff --git a/docker-host/defaults/main.yml b/docker-host/defaults/main.yml index 3f713930..44496203 100644 --- a/docker-host/defaults/main.yml +++ b/docker-host/defaults/main.yml @@ -28,3 +28,5 @@ docker_tls_ca_key: ca/ca-key.pem docker_tls_cert: server/cert.pem docker_tls_key: server/key.pem docker_tls_csr: server/server.csr + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/docker-host/tasks/main.yml b/docker-host/tasks/main.yml index b430de6f..861a352d 100644 --- a/docker-host/tasks/main.yml +++ b/docker-host/tasks/main.yml 
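Review bot: Moving the key to `{{ apt_keyring_dir }}/reg.asc` in `evolix_public.yml` places it in `/etc/apt/keyrings` on Debian 12, where apt does not pick keys up automatically; only a `signed-by=` option on the matching sources entry makes them trusted, so on Debian 12 the repository will fail signature verification unless the sources task (outside this hunk) is also updated, e.g. `deb [signed-by={{ apt_keyring_dir }}/reg.asc] …`. The same applies to the docker, elastic, HPE, HWRaid, filebeat and jenkins key tasks in this patch; only the fluentd `apt_repository` receives `signed-by`. On Debian 9–11 the keys stay in `/etc/apt/trusted.gpg.d`, where they remain trusted for every repository, which is the broader trust this commit is moving away from; adding `signed-by` to every sources entry works in both directories and removes that difference. The `apt_keyring_dir` expression is also copied verbatim into seven `defaults/main.yml` files; a single shared definition would be easier to keep in sync.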
@@ -19,7 +19,7 @@ - name: Add Docker's official GPG key copy: src: docker-debian.asc - dest: /etc/apt/trusted.gpg.d/docker-debian.asc + dest: "{{ apt_keyring_dir }}/docker-debian.asc" force: yes mode: "0644" owner: root diff --git a/elasticsearch/defaults/main.yml b/elasticsearch/defaults/main.yml index 2b891953..98b1a646 100644 --- a/elasticsearch/defaults/main.yml +++ b/elasticsearch/defaults/main.yml @@ -29,3 +29,5 @@ elasticsearch_plugin_head_clone_dir: "{{ elasticsearch_plugin_head_home }}/www" elasticsearch_plugin_head_tmp_dir: "{{ elasticsearch_plugin_head_home }}/tmp" elasticsearch_additional_scripts_dir: /usr/share/scripts + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/elasticsearch/tasks/packages.yml b/elasticsearch/tasks/packages.yml index 826fee1e..5070d554 100644 --- a/elasticsearch/tasks/packages.yml +++ b/elasticsearch/tasks/packages.yml @@ -29,7 +29,7 @@ - name: Elastic GPG key is installed copy: src: elastic.asc - dest: /etc/apt/trusted.gpg.d/elastic.asc + dest: "{{ apt_keyring_dir }}/elastic.asc" force: yes mode: "0644" owner: root diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index d75a23bf..497a3d2b 100644 --- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml @@ -21,6 +21,8 @@ evolinux_apt_public_sources: True evolinux_apt_upgrade: True evolinux_apt_remove_aptitude: True +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" + # etc-evolinux evolinux_etcevolinux_include: True diff --git a/evolinux-base/tasks/hardware.yml b/evolinux-base/tasks/hardware.yml index fefb8177..9762825b 100644 --- a/evolinux-base/tasks/hardware.yml +++ b/evolinux-base/tasks/hardware.yml 
@@ -81,7 +81,7 @@ - name: HPE GPG key is installed copy: src: hpePublicKey2048_key1.asc - dest: /etc/apt/trusted.gpg.d/hpePublicKey2048_key1.asc + dest: "{{ apt_keyring_dir }}/hpePublicKey2048_key1.asc" force: yes mode: "0644" owner: root @@ -208,7 +208,7 @@ - name: HWRaid GPG key is installed copy: src: hwraid.le-vert.net.asc - dest: /etc/apt/trusted.gpg.d/hwraid.le-vert.net.asc + dest: "{{ apt_keyring_dir }}/hwraid.le-vert.net.asc" force: yes mode: "0644" owner: root diff --git a/filebeat/defaults/main.yml b/filebeat/defaults/main.yml index deed1508..6538aab5 100644 --- a/filebeat/defaults/main.yml +++ b/filebeat/defaults/main.yml @@ -22,3 +22,5 @@ filebeat_use_config_template: False filebeat_update_config: True filebeat_force_config: True filebeat_upgrade_package: False + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/filebeat/tasks/main.yml b/filebeat/tasks/main.yml index dd326cc8..d312a3fb 100644 --- a/filebeat/tasks/main.yml +++ b/filebeat/tasks/main.yml @@ -29,7 +29,7 @@ - name: Elastic GPG key is installed copy: src: elastic.asc - dest: /etc/apt/trusted.gpg.d/elastic.asc + dest: "{{ apt_keyring_dir }}/elastic.asc" force: yes mode: "0644" owner: root diff --git a/fluentd/defaults/main.yml b/fluentd/defaults/main.yml index 86475f51..18d9b0c7 100644 --- a/fluentd/defaults/main.yml +++ b/fluentd/defaults/main.yml @@ -10,3 +10,5 @@ fluentd_host_port: fluentd_flush_interval: fluentd_heartbeat_type: + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/fluentd/tasks/main.yml b/fluentd/tasks/main.yml index 282accf2..9248db97 100644 --- a/fluentd/tasks/main.yml +++ b/fluentd/tasks/main.yml 
@@ -21,7 +21,7 @@ - name: Add Fluentd GPG key copy: src: fluentd.asc - dest: /etc/apt/trusted.gpg.d/fluentd.asc + dest: "{{ apt_keyring_dir }}/fluentd.asc" force: yes mode: "0644" owner: root @@ -32,7 +32,7 @@ - name: Fluentd sources list is available apt_repository: - repo: "deb http://packages.treasuredata.com/3/debian/{{ ansible_distribution_release }}/ {{ ansible_distribution_release }} contrib" + repo: "deb [signed-by={{ apt_keyring_dir }}/fluentd.asc] http://packages.treasuredata.com/3/debian/{{ ansible_distribution_release }}/ {{ ansible_distribution_release }} contrib" filename: treasuredata update_cache: yes state: present diff --git a/jenkins/defaults/main.yml b/jenkins/defaults/main.yml new file mode 100644 index 00000000..bf1296d7 --- /dev/null +++ b/jenkins/defaults/main.yml @@ -0,0 +1,3 @@ +--- + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/jenkins/tasks/main.yml b/jenkins/tasks/main.yml index 8ed3d38c..54f1987e 100644 --- a/jenkins/tasks/main.yml +++ b/jenkins/tasks/main.yml @@ -20,7 +20,7 @@ - name: Add Jenkins GPG key copy: src: jenkins.asc - dest: /etc/apt/trusted.gpg.d/jenkins.asc + dest: "{{ apt_keyring_dir }}/jenkins.asc" force: yes mode: "0644" owner: root diff --git a/kibana/defaults/main.yml b/kibana/defaults/main.yml index 7107398c..900e579c 100644 --- a/kibana/defaults/main.yml +++ b/kibana/defaults/main.yml @@ -9,3 +9,5 @@ kibana_proxy_nginx: False kibana_proxy_domain: "kibana.{{ ansible_fqdn }}" kibana_proxy_ssl_cert: "/etc/ssl/certs/{{ ansible_fqdn }}.crt" kibana_proxy_ssl_key: "/etc/ssl/private/{{ ansible_fqdn }}.key" + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/kibana/tasks/main.yml b/kibana/tasks/main.yml index d0694094..1978e90e 100644 --- a/kibana/tasks/main.yml 
+++ b/kibana/tasks/main.yml @@ -29,7 +29,7 @@ - name: Elastic GPG key is installed copy: src: elastic.asc - dest: /etc/apt/trusted.gpg.d/elastic.asc + dest: "{{ apt_keyring_dir }}/elastic.asc" force: yes mode: "0644" owner: root diff --git a/logstash/defaults/main.yml b/logstash/defaults/main.yml index 7cc40e49..b42fc347 100644 --- a/logstash/defaults/main.yml +++ b/logstash/defaults/main.yml @@ -7,4 +7,6 @@ logstash_log_rotate_days: 365 logstash_custom_tmpdir: Null logstash_default_tmpdir: /var/lib/logstash/tmp logstash_log_syslog_enabled: True -logstash_config_force: True \ No newline at end of file +logstash_config_force: True + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/logstash/tasks/main.yml b/logstash/tasks/main.yml index 856ceba1..ccb2a1bc 100644 --- a/logstash/tasks/main.yml +++ b/logstash/tasks/main.yml @@ -29,7 +29,7 @@ - name: Elastic GPG key is installed copy: src: elastic.asc - dest: /etc/apt/trusted.gpg.d/elastic.asc + dest: "{{ apt_keyring_dir }}/elastic.asc" force: yes mode: "0644" owner: root diff --git a/lxc-php/defaults/main.yml b/lxc-php/defaults/main.yml index 5567c4d0..9b501b6c 100644 --- a/lxc-php/defaults/main.yml +++ b/lxc-php/defaults/main.yml @@ -30,4 +30,4 @@ lxc_php_services: php80: 'php8.0-fpm.service' php81: 'php8.1-fpm.service' - +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/lxc-php/tasks/php80.yml b/lxc-php/tasks/php80.yml index 47039fe7..a6539bff 100644 --- a/lxc-php/tasks/php80.yml +++ b/lxc-php/tasks/php80.yml 
@@ -25,7 +25,7 @@ - name: copy pub.evolix.net GPG key copy: src: reg.asc - dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/trusted.gpg.d/reg.asc + dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/reg.asc mode: "0644" owner: root group: root @@ -33,7 +33,7 @@ - name: copy packages.sury.org GPG Key copy: src: sury.gpg - dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/trusted.gpg.d/sury.gpg + dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/sury.gpg mode: "0644" owner: root group: root diff --git a/lxc-php/tasks/php81.yml b/lxc-php/tasks/php81.yml index 8883cbcc..057f15fc 100644 --- a/lxc-php/tasks/php81.yml +++ b/lxc-php/tasks/php81.yml @@ -25,7 +25,7 @@ - name: copy pub.evolix.net GPG key copy: src: reg.asc - dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/trusted.gpg.d/reg.asc + dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/reg.asc mode: "0644" owner: root group: root @@ -33,7 +33,7 @@ - name: copy packages.sury.org GPG Key copy: src: sury.gpg - dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/trusted.gpg.d/sury.gpg + dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/sury.gpg mode: "0644" owner: root group: root diff --git a/metricbeat/defaults/main.yml b/metricbeat/defaults/main.yml index 780a4ffd..f6eb2a3e 100644 --- a/metricbeat/defaults/main.yml +++ b/metricbeat/defaults/main.yml @@ -28,3 +28,5 @@ metricbeat_tags: Null # metricbeat_fields: # - "env: staging" metricbeat_fields: Null + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/metricbeat/tasks/main.yml b/metricbeat/tasks/main.yml index 8a009f7f..9f432ffe 100644 --- a/metricbeat/tasks/main.yml +++ b/metricbeat/tasks/main.yml 
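Review bot: In the php80/php81 hunks the destination `/var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/...` selects the keyring directory from the host's `ansible_distribution_major_version`, but the file is read by apt inside the container, whose release is fixed independently of the host (the container sources in these same files are pinned to bullseye, see L424). On a Debian 12 host this copies the key to `rootfs/etc/apt/keyrings`, which a bullseye rootfs presumably does not have, and the `copy` module does not create missing parent directories, so the task fails; if the directory is created by hand the container's apt still ignores it until its sources carry a `signed-by=` pointing at the same path — the same host/container mismatch affects the `signed-by={{ apt_keyring_dir }}/...` entries added at L424. Either derive the directory from the container's target release (for example a role-local variable such as `lxc_php_apt_keyring_dir` computed from the container release rather than from host facts) or add a `file: state: directory` task for that path before the copy.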
@@ -29,7 +29,7 @@ - name: Elastic GPG key is installed copy: src: elastic.asc - dest: /etc/apt/trusted.gpg.d/elastic.asc + dest: "{{ apt_keyring_dir }}/elastic.asc" force: yes mode: "0644" owner: root diff --git a/mongodb/defaults/main.yml b/mongodb/defaults/main.yml index c118f588..667d68d5 100644 --- a/mongodb/defaults/main.yml +++ b/mongodb/defaults/main.yml @@ -7,4 +7,6 @@ mongodb_bind: 127.0.0.1 # otherwise it can disable important settings, like authorization :/ mongodb_force_config: False -mongodb_version: 4.4 \ No newline at end of file +mongodb_version: 4.4 + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/mongodb/tasks/main_bullseye.yml b/mongodb/tasks/main_bullseye.yml index f97016ec..2a9a1c3a 100644 --- a/mongodb/tasks/main_bullseye.yml +++ b/mongodb/tasks/main_bullseye.yml @@ -21,7 +21,7 @@ - name: Add MongoDB GPG key copy: src: "server-{{mongodb_version}}.asc" - dest: "/etc/apt/trusted.gpg.d/mongodb-server-{{mongodb_version}}.asc" + dest: "{{ apt_keyring_dir }}/mongodb-server-{{mongodb_version}}.asc" force: yes mode: "0644" owner: root diff --git a/mongodb/tasks/main_buster.yml b/mongodb/tasks/main_buster.yml index cf5ce2ae..8de5e447 100644 --- a/mongodb/tasks/main_buster.yml +++ b/mongodb/tasks/main_buster.yml @@ -15,7 +15,7 @@ - name: Add MongoDB GPG key copy: src: "server-{{mongodb_version}}.asc" - dest: "/etc/apt/trusted.gpg.d/mongodb-server-{{mongodb_version}}.asc" + dest: "{{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc" force: yes mode: "0644" owner: root diff --git a/newrelic/defaults/main.yml b/newrelic/defaults/main.yml index cddbcb0b..3205e53b 100644 --- a/newrelic/defaults/main.yml +++ b/newrelic/defaults/main.yml 
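Review bot: The new `dest` line in the main_buster.yml hunk spells the variable `{{ mongodb_version }}` while the main_bullseye.yml hunk just above keeps `{{mongodb_version}}`, as do the `src:` lines in both files; the rendered path is identical, but mixing the two spellings in one change makes searching for the variable unreliable. Pick one form — `{{ mongodb_version }}` matches the `{{ apt_keyring_dir }}` spelling introduced by this commit — and apply it to both files.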
@@ -5,3 +5,5 @@ newrelic_php: False newrelic_license: "" newrelic_appname: "" + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/newrelic/tasks/sources.yml b/newrelic/tasks/sources.yml index c27de24d..bd674f11 100644 --- a/newrelic/tasks/sources.yml +++ b/newrelic/tasks/sources.yml @@ -15,7 +15,7 @@ - name: Add NewRelic GPG key copy: src: newrelic.asc - dest: /etc/apt/trusted.gpg.d/newrelic.asc + dest: "{{ apt_keyring_dir }}/newrelic.asc" force: yes mode: "0644" owner: root diff --git a/nodejs/defaults/main.yml b/nodejs/defaults/main.yml index 8f36de49..a8adbb47 100644 --- a/nodejs/defaults/main.yml +++ b/nodejs/defaults/main.yml @@ -4,3 +4,5 @@ nodejs_apt_version: 'node_16.x' nodejs_install_yarn: False + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/nodejs/tasks/main.yml b/nodejs/tasks/main.yml index 5ab49e70..d127f44f 100644 --- a/nodejs/tasks/main.yml +++ b/nodejs/tasks/main.yml @@ -32,7 +32,7 @@ - name: NodeJS GPG key is installed copy: src: nodesource.asc - dest: /etc/apt/trusted.gpg.d/nodesource.asc + dest: "{{ apt_keyring_dir }}/nodesource.asc" mode: "0644" owner: root group: root diff --git a/nodejs/tasks/yarn.yml b/nodejs/tasks/yarn.yml index e3dfe1da..6e38f019 100644 --- a/nodejs/tasks/yarn.yml +++ b/nodejs/tasks/yarn.yml @@ -25,7 +25,7 @@ - name: Yarn GPG key is installed copy: src: yarn.asc - dest: /etc/apt/trusted.gpg.d/yarn.asc + dest: "{{ apt_keyring_dir }}/yarn.asc" mode: "0644" owner: root group: root diff --git a/percona/defaults/main.yml b/percona/defaults/main.yml index 46a86904..316eccc9 100644 --- a/percona/defaults/main.yml +++ b/percona/defaults/main.yml 
@@ -2,3 +2,5 @@ percona__install_xtrabackup: True percona__xtrabackup_package_name: percona-xtrabackup-24 + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/percona/tasks/main.yml b/percona/tasks/main.yml index 27544252..6dc319ff 100644 --- a/percona/tasks/main.yml +++ b/percona/tasks/main.yml @@ -18,7 +18,7 @@ - name: Add Percona GPG key copy: src: percona.asc - dest: /etc/apt/trusted.gpg.d/percona.asc + dest: "{{ apt_keyring_dir }}/percona.asc" force: yes mode: "0644" owner: root diff --git a/php/defaults/main.yml b/php/defaults/main.yml index 19040baf..2e633d0f 100644 --- a/php/defaults/main.yml +++ b/php/defaults/main.yml @@ -8,3 +8,5 @@ php_symfony_requirements: False php_modules_mysqlnd: False php_fpm_remove_default_pool: False + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/php/tasks/sury_pre.yml b/php/tasks/sury_pre.yml index 13dcc4ec..b528268a 100644 --- a/php/tasks/sury_pre.yml +++ b/php/tasks/sury_pre.yml @@ -3,7 +3,7 @@ - name: Setup deb.sury.org repository - Add GPG key copy: src: sury.gpg - dest: /etc/apt/trusted.gpg.d/sury.gpg + dest: "{{ apt_keyring_dir }}/sury.gpg" mode: "0644" owner: root group: root diff --git a/postgresql/defaults/main.yml b/postgresql/defaults/main.yml index dcdffb05..ffc3007c 100644 --- a/postgresql/defaults/main.yml +++ b/postgresql/defaults/main.yml @@ -20,3 +20,5 @@ locales_default: fr_FR.UTF-8 # PostGIS postgresql_install_postgis: False + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/postgresql/tasks/pgdg-repo.yml b/postgresql/tasks/pgdg-repo.yml index 38f21079..b6315f37 100644 --- a/postgresql/tasks/pgdg-repo.yml 
+++ b/postgresql/tasks/pgdg-repo.yml @@ -23,7 +23,7 @@ - name: Add PGDG GPG key copy: src: postgresql.asc - dest: /etc/apt/trusted.gpg.d/postgresql.asc + dest: "{{ apt_keyring_dir }}/postgresql.asc" force: yes mode: "0644" owner: root -- 2.39.2 From 28540247f080097d7201fd63d751033d03cad937 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 2 Nov 2022 23:17:08 +0100 Subject: [PATCH 250/497] Add signed-by option for additional APT sources --- CHANGELOG.md | 3 ++- apt/templates/evolix_public.list.j2 | 2 +- docker-host/tasks/main.yml | 2 +- elasticsearch/tasks/packages.yml | 2 +- evolinux-base/tasks/hardware.yml | 4 ++-- filebeat/tasks/main.yml | 2 +- jenkins/tasks/main.yml | 2 +- kibana/tasks/main.yml | 2 +- logstash/tasks/main.yml | 2 +- lxc-php/tasks/php80.yml | 4 ++-- lxc-php/tasks/php81.yml | 4 ++-- metricbeat/tasks/main.yml | 2 +- mongodb/tasks/main_bullseye.yml | 2 +- mongodb/tasks/main_buster.yml | 2 +- newrelic/tasks/sources.yml | 2 +- nodejs/tasks/main.yml | 2 +- nodejs/tasks/yarn.yml | 2 +- php/tasks/sury_pre.yml | 2 +- postgresql/tasks/pgdg-repo.yml | 2 +- 19 files changed, 23 insertions(+), 22 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0a9a7496..be0903af 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,7 +12,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added -* Use proper keyrings directory for APT version +* all: Use proper keyrings directory for APT version +* all: Add signed-by option for additional APT sources * evolinux-base: replace regular kernel by cloud kernel on virtual servers * nagios-nrpe: check_haproxy_stats supports DRAIN status * lxc-php: set php-fpm umask to 007 diff --git a/apt/templates/evolix_public.list.j2 b/apt/templates/evolix_public.list.j2 index 06de99c0..be7b45e8 100644 --- a/apt/templates/evolix_public.list.j2 +++ b/apt/templates/evolix_public.list.j2 
@@ -1,3 +1,3 @@ # {{ ansible_managed }} -deb http://pub.evolix.net/ {{ ansible_distribution_release }}/ +deb [signed-by={{ apt_keyring_dir }}/reg.asc] http://pub.evolix.net/ {{ ansible_distribution_release }}/ diff --git a/docker-host/tasks/main.yml b/docker-host/tasks/main.yml index 861a352d..1262dd03 100644 --- a/docker-host/tasks/main.yml +++ b/docker-host/tasks/main.yml @@ -27,7 +27,7 @@ - name: Add Docker repository apt_repository: - repo: 'deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable' + repo: 'deb [arch=amd64 signed-by={{ apt_keyring_dir }}/docker-debian.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable' state: present filename: docker.list diff --git a/elasticsearch/tasks/packages.yml b/elasticsearch/tasks/packages.yml index 5070d554..bb5b99da 100644 --- a/elasticsearch/tasks/packages.yml +++ b/elasticsearch/tasks/packages.yml @@ -40,7 +40,7 @@ - name: Elastic sources list is available apt_repository: - repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" + repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" filename: elastic state: present update_cache: yes diff --git a/evolinux-base/tasks/hardware.yml b/evolinux-base/tasks/hardware.yml index 9762825b..146cf455 100644 --- a/evolinux-base/tasks/hardware.yml +++ b/evolinux-base/tasks/hardware.yml @@ -91,7 +91,7 @@ - name: Add HPE repository apt_repository: - repo: 'deb https://downloads.linux.hpe.com/SDR/repo/mcp {{ ansible_distribution_release }}/current non-free' + repo: 'deb [signed-by={{ apt_keyring_dir }}/hpePublicKey2048_key1.asc] https://downloads.linux.hpe.com/SDR/repo/mcp {{ ansible_distribution_release }}/current non-free' state: present tags: - packages 
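Review bot: `evolix_public.list.j2` now references `apt_keyring_dir`, but this commit's diffstat (L421) touches nothing under apt/defaults and the previous commit added that default only to other roles, so rendering this template will fail on an undefined variable unless the apt role already defines it elsewhere or is always run after a role that does — worth confirming, and adding the same default to apt/defaults/main.yml if not. Separately, `signed-by=` pointing at an ASCII-armored `.asc` file needs an apt that understands both the option and armored keyrings (Debian 9 onward, as far as I know); since other roles on this page still carry jessie branches, a one-line comment such as `{# signed-by requires apt >= 1.4 (Debian 9+) #}` or a version guard in the task that renders this template would make the constraint visible instead of surfacing as an `apt update` failure.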
@@ -219,7 +219,7 @@ - name: Add HW tool repository apt_repository: - repo: 'deb http://hwraid.le-vert.net/debian {{ ansible_distribution_release }} main' + repo: 'deb [signed-by={{ apt_keyring_dir }}/hwraid.le-vert.net.asc] http://hwraid.le-vert.net/debian {{ ansible_distribution_release }} main' state: present tags: - packages diff --git a/filebeat/tasks/main.yml b/filebeat/tasks/main.yml index d312a3fb..cde924b1 100644 --- a/filebeat/tasks/main.yml +++ b/filebeat/tasks/main.yml @@ -40,7 +40,7 @@ - name: Elastic sources list is available apt_repository: - repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" + repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" filename: elastic state: present update_cache: yes diff --git a/jenkins/tasks/main.yml b/jenkins/tasks/main.yml index 54f1987e..4346ef1e 100644 --- a/jenkins/tasks/main.yml +++ b/jenkins/tasks/main.yml @@ -28,7 +28,7 @@ - name: Add jenkins APT repository apt_repository: - repo: deb http://pkg.jenkins-ci.org/debian-stable binary/ + repo: deb [signed-by={{ apt_keyring_dir }}/jenkins.asc] http://pkg.jenkins-ci.org/debian-stable binary/ filename: jenkins update_cache: yes diff --git a/kibana/tasks/main.yml b/kibana/tasks/main.yml index 1978e90e..5e9b0016 100644 --- a/kibana/tasks/main.yml +++ b/kibana/tasks/main.yml @@ -40,7 +40,7 @@ - name: Elastic sources list is available apt_repository: - repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" + repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" filename: elastic state: present update_cache: yes diff --git a/logstash/tasks/main.yml b/logstash/tasks/main.yml index ccb2a1bc..9ead6db2 100644 --- a/logstash/tasks/main.yml +++ b/logstash/tasks/main.yml 
@@ -40,7 +40,7 @@ - name: Elastic sources list is available apt_repository: - repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" + repo: "deb [signed-by={{ apt_keyring_dir }}/.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" filename: elastic state: present update_cache: yes diff --git a/lxc-php/tasks/php80.yml b/lxc-php/tasks/php80.yml index a6539bff..b0ff90fe 100644 --- a/lxc-php/tasks/php80.yml +++ b/lxc-php/tasks/php80.yml @@ -19,8 +19,8 @@ create: yes mode: "0644" loop: - - "deb https://packages.sury.org/php/ bullseye main" - - "deb http://pub.evolix.net/ bullseye-php80/" + - "deb [signed-by={{ apt_keyring_dir }}/sury.gpg] https://packages.sury.org/php/ bullseye main" + - "deb [signed-by={{ apt_keyring_dir }}/reg.asc] http://pub.evolix.net/ bullseye-php80/" - name: copy pub.evolix.net GPG key copy: diff --git a/lxc-php/tasks/php81.yml b/lxc-php/tasks/php81.yml index 057f15fc..91dc38e1 100644 --- a/lxc-php/tasks/php81.yml +++ b/lxc-php/tasks/php81.yml @@ -19,8 +19,8 @@ create: yes mode: "0644" loop: - - "deb https://packages.sury.org/php/ bullseye main" - - "deb http://pub.evolix.net/ bullseye-php81/" + - "deb [signed-by={{ apt_keyring_dir }}/sury.gpg] https://packages.sury.org/php/ bullseye main" + - "deb [signed-by={{ apt_keyring_dir }}/reg.asc] http://pub.evolix.net/ bullseye-php81/" - name: copy pub.evolix.net GPG key copy: diff --git a/metricbeat/tasks/main.yml b/metricbeat/tasks/main.yml index 9f432ffe..021b4ae2 100644 --- a/metricbeat/tasks/main.yml +++ b/metricbeat/tasks/main.yml 
@@ -40,7 +40,7 @@ - name: Elastic sources list is available apt_repository: - repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" + repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" filename: elastic state: present update_cache: yes diff --git a/mongodb/tasks/main_bullseye.yml b/mongodb/tasks/main_bullseye.yml index 2a9a1c3a..4c654ae6 100644 --- a/mongodb/tasks/main_bullseye.yml +++ b/mongodb/tasks/main_bullseye.yml @@ -29,7 +29,7 @@ - name: enable APT sources list apt_repository: - repo: "deb http://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{mongodb_version}} main" + repo: "deb [signed-by={{ apt_keyring_dir }}/mongodb-server-{{mongodb_version}}.asc] http://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{mongodb_version}} main" state: present filename: "mongodb-org-{{mongodb_version}}" update_cache: yes diff --git a/mongodb/tasks/main_buster.yml b/mongodb/tasks/main_buster.yml index 8de5e447..d2d96a3f 100644 --- a/mongodb/tasks/main_buster.yml +++ b/mongodb/tasks/main_buster.yml @@ -23,7 +23,7 @@ - name: enable APT sources list apt_repository: - repo: "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/{{mongodb_version}} main" + repo: "deb [signed-by={{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc] http://repo.mongodb.org/apt/debian buster/mongodb-org/{{ mongodb_version }} main" state: present filename: "mongodb-org-{{mongodb_version}}" update_cache: yes diff --git a/newrelic/tasks/sources.yml b/newrelic/tasks/sources.yml index bd674f11..ad3545ae 100644 --- a/newrelic/tasks/sources.yml +++ b/newrelic/tasks/sources.yml 
@@ -23,7 +23,7 @@ - name: Install NewRelic repository apt_repository: - repo: "deb http://apt.newrelic.com/debian/ newrelic non-free" + repo: "deb [signed-by={{ apt_keyring_dir }}/newrelic.asc] http://apt.newrelic.com/debian/ newrelic non-free" state: present filename: newrelic update_cache: yes diff --git a/nodejs/tasks/main.yml b/nodejs/tasks/main.yml index d127f44f..cdd733f2 100644 --- a/nodejs/tasks/main.yml +++ b/nodejs/tasks/main.yml @@ -43,7 +43,7 @@ - name: NodeJS sources list ({{ nodejs_apt_version }}) is available apt_repository: - repo: "deb https://deb.nodesource.com/{{ nodejs_apt_version }} {{ ansible_distribution_release }} main" + repo: "deb [signed-by={{ apt_keyring_dir }}/nodesource.asc] https://deb.nodesource.com/{{ nodejs_apt_version }} {{ ansible_distribution_release }} main" filename: nodesource update_cache: yes state: present diff --git a/nodejs/tasks/yarn.yml b/nodejs/tasks/yarn.yml index 6e38f019..f4f2dc37 100644 --- a/nodejs/tasks/yarn.yml +++ b/nodejs/tasks/yarn.yml @@ -37,7 +37,7 @@ - name: Yarn sources list is available apt_repository: - repo: "deb https://dl.yarnpkg.com/debian/ stable main" + repo: "deb [signed-by={{ apt_keyring_dir }}/yarn.asc] https://dl.yarnpkg.com/debian/ stable main" filename: yarn update_cache: yes state: present diff --git a/php/tasks/sury_pre.yml b/php/tasks/sury_pre.yml index b528268a..eca1d4d6 100644 --- a/php/tasks/sury_pre.yml +++ b/php/tasks/sury_pre.yml @@ -20,7 +20,7 @@ - name: Setup deb.sury.org repository - Add source list apt_repository: - repo: "deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main" + repo: "deb [signed-by={{ apt_keyring_dir }}/sury.gpg] https://packages.sury.org/php/ {{ ansible_distribution_release }} main" filename: sury state: present diff --git a/postgresql/tasks/pgdg-repo.yml b/postgresql/tasks/pgdg-repo.yml index b6315f37..69374502 100644 --- a/postgresql/tasks/pgdg-repo.yml +++ b/postgresql/tasks/pgdg-repo.yml 
@@ -31,7 +31,7 @@ - name: Add PGDG repository apt_repository: - repo: "deb http://apt.postgresql.org/pub/repos/apt/ {{ansible_distribution_release}}-pgdg main" + repo: "deb [signed-by={{ apt_keyring_dir }}/postgresql.asc] http://apt.postgresql.org/pub/repos/apt/ {{ansible_distribution_release}}-pgdg main" update_cache: yes - name: Add APT preference file -- 2.39.2 From 573a6e1d97bb526b9285a4071d66e73b4c938972 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 3 Nov 2022 14:39:35 +0100 Subject: [PATCH 251/497] logstash: fix elastic signature --- logstash/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/logstash/tasks/main.yml b/logstash/tasks/main.yml index 9ead6db2..6b46ce69 100644 --- a/logstash/tasks/main.yml +++ b/logstash/tasks/main.yml @@ -40,7 +40,7 @@ - name: Elastic sources list is available apt_repository: - repo: "deb [signed-by={{ apt_keyring_dir }}/.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" + repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" filename: elastic state: present update_cache: yes -- 2.39.2 From a1bf300d54c5335af64073d8e89c6d7c53d014b3 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 5 Nov 2022 21:15:21 +0100 Subject: [PATCH 252/497] bookworm-detect: transitional role to help dealing with unreleased bookworm version --- CHANGELOG.md | 1 + bookworm-detect/tasks/main.yml | 11 +++++++++++ 2 files changed, 12 insertions(+) create mode 100644 bookworm-detect/tasks/main.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 4546d4da..8b8f1bce 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -463,6 +463,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added +* bookworm-detect: transitional role to help dealing with unreleased bookworm version * dovecot: Update munin plugin & configure it * dovecot: vmail uid/gid are configurable * evoacme: variable to disable Debian version check (default: False) diff --git a/bookworm-detect/tasks/main.yml b/bookworm-detect/tasks/main.yml new file mode 100644 index 00000000..47dfd623 --- /dev/null +++ b/bookworm-detect/tasks/main.yml @@ -0,0 +1,11 @@ +--- + +- debug: + var: ansible_lsb + +# Force facts until Debian 12 is released because Ansible is dumb +- set_fact: + ansible_distribution_major_version: 12 + ansible_distribution: "Debian" + ansible_distribution_release: "bookworm" + when: "ansible_lsb.codename == 'bookworm'" \ No newline at end of file -- 2.39.2 From b36d4c4766bd106d45ad7348ae44854444a079a5 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 6 Nov 2022 15:20:31 +0100 Subject: [PATCH 253/497] various fixes for Debian 12 --- CHANGELOG.md | 1 + apt/templates/bookworm_basics.list.j2 | 5 ++ mysql/tasks/main.yml | 36 ++++---- mysql/tasks/utils.yml | 15 +++- php/tasks/main.yml | 15 ++-- php/tasks/main_bookworm.yml | 108 ++++++++++++++++++++++++ postgresql/tasks/packages_bookworm.yml | 16 ++++ rabbitmq/tasks/nrpe.yml | 2 +- webapps/evoadmin-web/tasks/packages.yml | 8 ++ webapps/evoadmin-web/tasks/web.yml | 15 +++- 10 files changed, 190 insertions(+), 31 deletions(-) create mode 100644 apt/templates/bookworm_basics.list.j2 create mode 100644 php/tasks/main_bookworm.yml create mode 100644 postgresql/tasks/packages_bookworm.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 1bdfb87d..006d7a11 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
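Review bot: `when: "ansible_lsb.codename == 'bookworm'"` dereferences `codename` unconditionally, so on a host without lsb-release installed (`ansible_lsb` is then empty) the task errors out instead of being skipped; use `when: ansible_lsb.codename is defined and ansible_lsb.codename == 'bookworm'`. The overridden `ansible_distribution_major_version: 12` is an integer whereas the gathered fact is a string, so any `== "12"` string comparison elsewhere would not match it — quote it as `"12"` like the other two overridden facts. The leading `debug: var: ansible_lsb` task prints on every run and reads like leftover diagnostics; if it is meant to stay, a `verbosity:` setting would keep it out of normal output.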
@@ -14,6 +14,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * all: Use proper keyrings directory for APT version * all: Add signed-by option for additional APT sources +* all: preliminary work to support Debian 12 * evolinux-base: replace regular kernel by cloud kernel on virtual servers * nagios-nrpe: check_haproxy_stats supports DRAIN status * lxc-php: set php-fpm umask to 007 diff --git a/apt/templates/bookworm_basics.list.j2 b/apt/templates/bookworm_basics.list.j2 new file mode 100644 index 00000000..1c6bc15b --- /dev/null +++ b/apt/templates/bookworm_basics.list.j2 @@ -0,0 +1,5 @@ +# {{ ansible_managed }} + +deb http://mirror.evolix.org/debian bookworm {{ apt_basics_components | mandatory }} +deb http://mirror.evolix.org/debian/ bookworm-updates {{ apt_basics_components | mandatory }} +deb http://security.debian.org/debian-security bookworm-security {{ apt_basics_components | mandatory }} diff --git a/mysql/tasks/main.yml b/mysql/tasks/main.yml index a7c38808..70a972f3 100644 --- a/mysql/tasks/main.yml +++ b/mysql/tasks/main.yml 
@@ -4,44 +4,44 @@ set_fact: mysql_restart_handler_name: "{{ mysql_restart_if_needed | bool | ternary('restart mysql', 'restart mysql (noop)') }}" -- include: packages_stretch.yml +- include_tasks: packages_stretch.yml when: ansible_distribution_major_version is version('9', '>=') -- include: packages_jessie.yml +- include_tasks: packages_jessie.yml when: ansible_distribution_release == "jessie" -## There is nothing to do with users on Debian 11 - yet we need a /root/.my.cnf for compatibility -- include: users_bullseye.yml - when: ansible_distribution_release == "bullseye" +## There is nothing to do with users on Debian 11+ - yet we need a /root/.my.cnf for compatibility +- include_tasks: users_bullseye.yml + when: ansible_distribution_major_version is version('11', '>=') -- include: users_buster.yml +- include_tasks: users_buster.yml when: ansible_distribution_release == "buster" -- include: users_stretch.yml +- include_tasks: users_stretch.yml when: ansible_distribution_release == "stretch" -- include: users_jessie.yml +- include_tasks: users_jessie.yml when: ansible_distribution_release == "jessie" -- include: config_stretch.yml +- include_tasks: config_stretch.yml when: ansible_distribution_major_version is version('9', '>=') -- include: config_jessie.yml +- include_tasks: config_jessie.yml when: ansible_distribution_release == "jessie" -- include: replication.yml +- include_tasks: replication.yml when: mysql_replication | bool -- include: datadir.yml +- include_tasks: datadir.yml -- include: logdir.yml +- include_tasks: logdir.yml -- include: tmpdir.yml +- include_tasks: tmpdir.yml -- include: nrpe.yml +- include_tasks: nrpe.yml -- include: munin.yml +- include_tasks: munin.yml -- include: log2mail.yml +- include_tasks: log2mail.yml -- include: utils.yml +- include_tasks: utils.yml diff --git a/mysql/tasks/utils.yml b/mysql/tasks/utils.yml index e55b6361..1ac8f2df 100644 --- a/mysql/tasks/utils.yml +++ b/mysql/tasks/utils.yml 
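Review bot: Replacing every `include` with `include_tasks` changes behaviour, not just spelling: `include_tasks` is evaluated at runtime, so tags given on the include line (none are visible in this hunk, but callers may rely on `--tags` selecting the included tasks) are no longer inherited by the included tasks unless wrapped in `apply:`, and the included tasks also stop appearing in `--list-tasks`. If tag-based runs are used with this role, `import_tasks` preserves the previous static behaviour for the unconditional includes (datadir, logdir, tmpdir, nrpe, munin, log2mail, utils), while the `when:`-guarded ones can stay dynamic. Naming aside, `packages_stretch.yml` and `config_stretch.yml` now cover Debian 9 through 12, which the file names no longer convey; a short comment above those two includes would help the next reader.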
@@ -17,7 +17,7 @@ # mytop -- name: "Install mytop (Debian 9)" +- name: "Install mytop (Debian 8)" apt: name: mytop state: present @@ -43,14 +43,23 @@ - libterm-readkey-perl when: ansible_distribution_release == "buster" -- name: "Install dependencies for mytop (Debian 11 or later)" +- name: "Install dependencies for mytop (Debian 11)" apt: name: - mariadb-client-10.5 - libconfig-inifiles-perl - libterm-readkey-perl - libdbd-mariadb-perl - when: ansible_distribution_major_version is version('11', '>=') + when: ansible_distribution_release == "bullseye" + +- name: "Install dependencies for mytop (Debian 12 or later)" + apt: + name: + - mariadb-client-10.6 + - libconfig-inifiles-perl + - libterm-readkey-perl + - libdbd-mariadb-perl + when: ansible_distribution_major_version is version('12', '=') - name: Read debian-sys-maint password (Debian < 11) shell: 'cat /etc/mysql/debian.cnf | grep -m1 "password = .*" | cut -d" " -f3' diff --git a/php/tasks/main.yml b/php/tasks/main.yml index 86bde74f..180712b2 100644 --- a/php/tasks/main.yml +++ b/php/tasks/main.yml @@ -4,17 +4,20 @@ that: - ansible_distribution == "Debian" - ansible_distribution_major_version is version('8', '>=') - - ansible_distribution_major_version is version('11', '<=') - msg: This is only compatible with Debian 8 → 11 + - ansible_distribution_major_version is version('12', '<=') + msg: This is only compatible with Debian 8 → 12 -- include: main_jessie.yml +- include_tasks: main_jessie.yml when: ansible_distribution_release == "jessie" -- include: main_stretch.yml +- include_tasks: main_stretch.yml when: ansible_distribution_release == "stretch" -- include: main_buster.yml +- include_tasks: main_buster.yml when: ansible_distribution_release == "buster" -- include: main_bullseye.yml +- include_tasks: main_bullseye.yml when: ansible_distribution_release == "bullseye" + +- include_tasks: main_bookworm.yml + when: ansible_distribution_release == "bookworm" 
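Review bot: The new task named "Install dependencies for mytop (Debian 12 or later)" is guarded by `ansible_distribution_major_version is version('12', '=')`, which matches exactly 12, so the name and the condition disagree and a Debian 13 host would get no mytop dependencies at all; either use `version('12', '>=')` as the neighbouring tasks do or rename the task to "(Debian 12)". The pinned `mariadb-client-10.6` also looks speculative for an unreleased bookworm — at release Debian 12 ships MariaDB 10.11 under unversioned package names as far as I know, so this will presumably need revisiting. The renamed "Install mytop (Debian 8)" task's condition lies outside the hunk, so I cannot confirm the new name matches it.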
diff --git a/php/tasks/main_bookworm.yml b/php/tasks/main_bookworm.yml new file mode 100644 index 00000000..4dcde767 --- /dev/null +++ b/php/tasks/main_bookworm.yml 
@@ -0,0 +1,108 @@ +--- + +- name: "Set php version to 8.1 (Debian 12)" + set_fact: + php_version: "8.1" + +- name: "Set php config directories (Debian 12)" + set_fact: + php_cli_conf_dir: "/etc/php/{{ php_version }}/cli/conf.d" + php_apache_conf_dir: "/etc/php/{{ php_version }}/apache2/conf.d" + php_fpm_conf_dir: "/etc/php/{{ php_version }}/fpm/conf.d" + php_fpm_pool_dir: "/etc/php/{{ php_version }}/fpm/pool.d" + +- name: "Set php config files (Debian 12)" + set_fact: + php_cli_defaults_ini_file: "{{ php_cli_conf_dir }}/z-evolinux-defaults.ini" + php_cli_custom_ini_file: "{{ php_cli_conf_dir }}/zzz-evolinux-custom.ini" + php_apache_defaults_ini_file: "{{ php_apache_conf_dir }}/z-evolinux-defaults.ini" + php_apache_custom_ini_file: "{{ php_apache_conf_dir }}/zzz-evolinux-custom.ini" + php_fpm_defaults_ini_file: "{{ php_fpm_conf_dir }}/z-evolinux-defaults.ini" + php_fpm_custom_ini_file: "{{ php_fpm_conf_dir }}/zzz-evolinux-custom.ini" + php_fpm_debian_default_pool_file: "{{ php_fpm_pool_dir}}/www.conf" + php_fpm_default_pool_file: "{{ php_fpm_pool_dir}}/www-evolinux-defaults.conf" + php_fpm_default_pool_custom_file: "{{ php_fpm_pool_dir}}/www-evolinux-zcustom.conf" + php_fpm_default_pool_socket: "/var/run/php/php{{ php_version }}-fpm.sock" + php_fpm_service_name: "php{{ php_version }}-fpm" + +# Packages + +- name: "Set package list (Debian 12)" + set_fact: + php_stretch_packages: + - php-cli + - php-gd + - php-intl + - php-imap + - php-ldap + - php-mysql + # php-mcrypt is no longer packaged for PHP 7.2 + - php-pgsql + - php-sqlite3 + - php-curl + - php-ssh2 + - php-xml + - php-zip + - composer + - libphp-phpmailer + +- include: sury_pre.yml + when: php_sury_enable + +- name: "Install PHP packages (Debian 12)" + apt: + name: '{{ php_stretch_packages }}' + state: present + +- name: "Install mod_php packages (Debian 12)" + apt: + name: + - libapache2-mod-php + - php + state: present + when: php_apache_enable + +- name: "Install PHP FPM packages (Debian 12)" + apt: + 
name: + - php-fpm + - php + state: present + when: php_fpm_enable + +# Configuration + +- name: "Enforce permissions on PHP directory (Debian 12)" + file: + dest: "{{ item }}" + mode: "0755" + with_items: + - /etc/php + - /etc/php/{{ php_version }} + +- include: config_cli.yml +- name: "Enforce permissions on PHP cli directory (Debian 12)" + file: + dest: /etc/php/{{ php_version }}/cli + mode: "0755" + +- include: config_fpm.yml + when: php_fpm_enable + +- name: "Enforce permissions on PHP fpm directory (Debian 12)" + file: + dest: /etc/php/{{ php_version }}/fpm + mode: "0755" + when: php_fpm_enable + +- include: config_apache.yml + when: php_apache_enable + +- name: "Enforce permissions on PHP apache2 directory (Debian 12)" + file: + dest: /etc/php/{{ php_version }}/apache2 + mode: "0755" + when: php_apache_enable + +- include: sury_post.yml + when: php_sury_enable diff --git a/postgresql/tasks/packages_bookworm.yml b/postgresql/tasks/packages_bookworm.yml new file mode 100644 index 00000000..2a78b967 --- /dev/null +++ b/postgresql/tasks/packages_bookworm.yml @@ -0,0 +1,16 @@ +--- + +- name: "Set variables (Debian 12)" + set_fact: + postgresql_version: '15' + when: postgresql_version is none or postgresql_version | length == 0 + +- include: pgdg-repo.yml + when: postgresql_version != '15' + +- name: Install postgresql package + apt: + name: + - "postgresql-{{postgresql_version}}" + - pgtop + - libdbd-pg-perl diff --git a/rabbitmq/tasks/nrpe.yml b/rabbitmq/tasks/nrpe.yml index ba6b8d47..b2f2a3a8 100644 --- a/rabbitmq/tasks/nrpe.yml +++ b/rabbitmq/tasks/nrpe.yml @@ -34,7 +34,7 @@ group: root mode: "0755" force: yes - when: ansible_distribution_major_version is version('11', '==') + when: ansible_distribution_major_version is version('11', '>=') - name: check_rabbitmq is available for NRPE lineinfile: diff --git a/webapps/evoadmin-web/tasks/packages.yml b/webapps/evoadmin-web/tasks/packages.yml index e78f6c7b..1d0af87a 100644 
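Review bot: The five `- include: …` lines in this new file (sury_pre.yml, config_cli.yml, config_fpm.yml, config_apache.yml, sury_post.yml) use the bare `include` keyword that the php/tasks/main.yml hunk of this same patch replaces with `include_tasks`; `include` is deprecated, so write `- include_tasks: config_cli.yml` and so on here as well. The package-list fact is still named `php_stretch_packages` and still carries the stretch-era comment `# php-mcrypt is no longer packaged for PHP 7.2`; rename it (e.g. `php_bookworm_packages`, updating the `name: '{{ php_stretch_packages }}'` reference) and drop the stale comment. `php_version: "8.1"` is hard-coded and is also assumed by the evoadmin-web hunk later in this patch; Debian 12 was released with PHP 8.2, so this value needs re-checking before the bookworm path is used in anger.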
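Review bot: `- include: pgdg-repo.yml` uses the deprecated bare `include` keyword while the php main.yml hunk in this patch already moves to `include_tasks`; write `- include_tasks: pgdg-repo.yml`. The `set_fact` guard `when: postgresql_version is none or postgresql_version | length == 0` fails with an undefined-variable error if `postgresql_version` is not defined at all rather than None or empty — presumably a role default defines it, but that is not visible here, and `postgresql_version is not defined or postgresql_version is none or …` would be safer. The apt task also omits `state: present`; the default is the same, but the sibling tasks in this patch spell it out.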
--- a/webapps/evoadmin-web/tasks/packages.yml +++ b/webapps/evoadmin-web/tasks/packages.yml @@ -17,6 +17,14 @@ - 'http://mirror.evolix.org/debian/pool/main/p/php-log/php-log_1.12.9-2_all.deb' when: ansible_distribution_major_version is version('10', '=') +- name: Install PHP packages from sid (Debian 12) + apt: + deb: '{{ item }}' + state: present + loop: + - 'http://mirror.evolix.org/debian/pool/main/p/php-log/php-log_1.13.2-1_all.deb' + when: ansible_distribution_major_version is version('12', '=') + - name: Install PHP packages apt: name: diff --git a/webapps/evoadmin-web/tasks/web.yml b/webapps/evoadmin-web/tasks/web.yml index 9778da4e..ea4019a3 100644 --- a/webapps/evoadmin-web/tasks/web.yml +++ b/webapps/evoadmin-web/tasks/web.yml @@ -16,7 +16,7 @@ option: "disable_functions" value: "shell-exec,system,passthru,putenv,popen" notify: reload apache2 - when: ansible_distribution_major_version is version('9', '=') + when: ansible_distribution_release == "stretch" - name: "Set custom values for PHP config (Debian 10)" ini_file: @@ -25,7 +25,7 @@ option: "disable_functions" value: "shell-exec,system,passthru,putenv,popen" notify: reload apache2 - when: ansible_distribution_major_version is version('10', '=') + when: ansible_distribution_release == "buster" - name: "Set custom values for PHP config (Debian 11)" ini_file: @@ -34,7 +34,16 @@ option: "disable_functions" value: "shell-exec,system,passthru,putenv,popen" notify: reload apache2 - when: ansible_distribution_major_version is version('11', '=') + when: ansible_distribution_release == "bullseye" + +- name: "Set custom values for PHP config (Debian 11)" + ini_file: + dest: /etc/php/8.1/apache2/conf.d/zzz-evolinux-custom.ini + section: PHP + option: "disable_functions" + value: "shell-exec,system,passthru,putenv,popen" + notify: reload apache2 + when: ansible_distribution_release == "bookworm" - name: Install evoadmin VHost template: -- 2.39.2 From 1fae737ac4ff0291c002395cfca4f2d9f7e85ba8 Mon Sep 17 00:00:00 2001 
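Review bot: The new Debian 12 task installs `php-log_1.13.2-1_all.deb` straight from a plain-`http://` URL via `apt: deb:`, which hands the file to dpkg with no signature or checksum verification, so an on-path attacker or a compromised mirror can substitute an arbitrary package that is then installed as root. The Debian 10 task above has the same shape, but the new task should not repeat it: fetch the file with `get_url` (over HTTPS if mirror.evolix.org serves it), pin a `checksum:`, and point `apt: deb:` at the local copy. The sha256 must come from a trusted copy of the package; it cannot be derived from this diff.
```yaml
- name: Download php-log package (Debian 12)
  get_url:
    url: 'https://mirror.evolix.org/debian/pool/main/p/php-log/php-log_1.13.2-1_all.deb'
    dest: /root/php-log_1.13.2-1_all.deb
    checksum: 'sha256:<digest taken from a trusted copy>'
  when: ansible_distribution_major_version is version('12', '=')

- name: Install php-log package (Debian 12)
  apt:
    deb: /root/php-log_1.13.2-1_all.deb
    state: present
  when: ansible_distribution_major_version is version('12', '=')
```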
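Review bot: The task added for bookworm is named "Set custom values for PHP config (Debian 11)", a copy of the bullseye task's name; it should read `- name: "Set custom values for PHP config (Debian 12)"`. More importantly, the value it writes into `disable_functions`, `shell-exec,system,passthru,putenv,popen`, spells the PHP function `shell_exec` with a hyphen; PHP matches `disable_functions` entries by exact function name, so `shell_exec()` stays callable from evoadmin's PHP. The same typo is in the three older tasks, but this hunk adds a fourth copy, so at least the new line should be `value: "shell_exec,system,passthru,putenv,popen"`. The list deliberately leaves `exec` and `proc_open` out — presumably evoadmin relies on one of them — so I would only fix the spelling here rather than widen the list.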
From: Jeremy Lecour
Date: Sun, 6 Nov 2022 15:21:00 +0100
Subject: [PATCH 254/497] Use bullseye suite even for bookworm
---
 apt/templates/evolix_public.list.j2 | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/apt/templates/evolix_public.list.j2 b/apt/templates/evolix_public.list.j2
index be7b45e8..e0bc0de7 100644
--- a/apt/templates/evolix_public.list.j2
+++ b/apt/templates/evolix_public.list.j2
@@ -1,3 +1,7 @@
 # {{ ansible_managed }}
+{% if ansible_distribution_release == "bookworm" %}
+deb [signed-by={{ apt_keyring_dir }}/reg.asc] http://pub.evolix.net/ bullseye/
+{% else %}
 deb [signed-by={{ apt_keyring_dir }}/reg.asc] http://pub.evolix.net/ {{ ansible_distribution_release }}/
+{% endif %}
\ No newline at end of file
-- 2.39.2
From 4050dbea7ae12f1e5c5f394505b489756df965ad Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Sun, 6 Nov 2022 15:24:12 +0100
Subject: [PATCH 255/497] packweb-apache: enable log_forensic module
---
 CHANGELOG.md | 3 ++-
 packweb-apache/tasks/apache.yml | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 006d7a11..fdcbe65e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,8 +16,9 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * all: Add signed-by option for additional APT sources
 * all: preliminary work to support Debian 12
 * evolinux-base: replace regular kernel by cloud kernel on virtual servers
-* nagios-nrpe: check_haproxy_stats supports DRAIN status
 * lxc-php: set php-fpm umask to 007
+* nagios-nrpe: check_haproxy_stats supports DRAIN status
+* packweb-apache: enable log_forensic module
 * varnish: create special tmp directory for syntax validation
 ### Changed
diff --git a/packweb-apache/tasks/apache.yml b/packweb-apache/tasks/apache.yml
index 57b360ce..96c11e3a 100644
--- a/packweb-apache/tasks/apache.yml
+++ b/packweb-apache/tasks/apache.yml
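Review bot: The bookworm branch silently pins `http://pub.evolix.net/ bullseye/` with nothing saying why, and a reader of the rendered sources.list in six months will take the bullseye suite on a bookworm host for a mistake; add a Jinja comment above the `{% if %}`, e.g. `{# pub.evolix.net has no bookworm suite yet: use the bullseye packages until it exists, then drop this branch #}`. Keeping `signed-by={{ apt_keyring_dir }}/reg.asc` on both branches is what makes the plain-`http://` transport acceptable here, so do not lose it when the branch is removed. The template still ends without a newline after `{% endif %}` (`\ No newline at end of file`); add one so a later append does not join onto the tag.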
@@ -33,6 +33,7 @@
 - include
 - negotiation
 - alias
+ - log_forensic
 - name: Copy Apache settings for modules
 copy:
-- 2.39.2
From faeb92230b679151cf0474756f19db63064191a9 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Sun, 6 Nov 2022 15:24:54 +0100
Subject: [PATCH 256/497] packweb-apache: manual dependencies resolution
---
 CHANGELOG.md | 1 +
 packweb-apache/meta/main.yml | 17 +-----
 packweb-apache/tasks/dependencies.yml | 80 +++++++++++++++++++++++++++
 packweb-apache/tasks/main.yml | 3 +
 4 files changed, 86 insertions(+), 15 deletions(-)
 create mode 100644 packweb-apache/tasks/dependencies.yml
diff --git a/CHANGELOG.md b/CHANGELOG.md
index fdcbe65e..b9642581 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -31,6 +31,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * lxc-solr: download URL according to Solr Version
 * lxc-solr: set homedir and port at install
 * minifirewall: whitelist deb.freexian.com
+* packweb-apache: manual dependencies resolution
 * redis: some values should be quoted
 * redis: variable to disable transparent hugepage (default: do nothing)
 * squid: whitelist deb.freexian.com
diff --git a/packweb-apache/meta/main.yml b/packweb-apache/meta/main.yml
index bbf086ce..47d29159 100644
--- a/packweb-apache/meta/main.yml
+++ b/packweb-apache/meta/main.yml
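Review bot: Adding `log_forensic` to the enabled-modules list turns on mod_log_forensic, which writes every request's complete header set — including `Cookie` and `Authorization` values — to the forensic log in cleartext, so that log becomes a store of live session tokens and basic-auth credentials. The hunk only enables the module; the `ForensicLog` path, its file mode and its rotation are set elsewhere and are not in this patch, so please confirm the log is readable by root/adm only and is rotated, and confirm the directive is actually present in the copied module settings. A one-line warning at the list entry would help the next maintainer: `- log_forensic  # logs full request headers (cookies, Authorization): keep the forensic log restricted`.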
@@ -26,18 +26,5 @@ galaxy_info: allow_duplicates: true -dependencies: - - { role: evolix/apache } - - { role: evolix/php, php_apache_enable: True, when: packweb_apache_modphp } - - { role: evolix/php, php_fpm_enable: True, when: packweb_apache_fpm } - - { role: evolix/squid, squid_localproxy_enable: True } - - { role: evolix/mysql, when: packweb_mysql_variant == "debian" } - - { role: evolix/mysql-oracle, when: packweb_mysql_variant == "oracle" } - - { role: evolix/lxc-php, lxc_php_version: php56, lxc_php_create_mysql_link: True, when: "'php56' in packweb_multiphp_versions" } - - { role: evolix/lxc-php, lxc_php_version: php70, lxc_php_create_mysql_link: True, when: "'php70' in packweb_multiphp_versions" } - - { role: evolix/lxc-php, lxc_php_version: php73, lxc_php_create_mysql_link: True, when: "'php73' in packweb_multiphp_versions" } - - { role: evolix/lxc-php, lxc_php_version: php74, lxc_php_create_mysql_link: True, when: "'php74' in packweb_multiphp_versions" } - - { role: evolix/lxc-php, lxc_php_version: php80, lxc_php_create_mysql_link: True, when: "'php80' in packweb_multiphp_versions" } - - { role: evolix/lxc-php, lxc_php_version: php81, lxc_php_create_mysql_link: True, when: "'php81' in packweb_multiphp_versions" } - - { role: evolix/webapps/evoadmin-web, evoadmin_enable_vhost: "{{ packweb_enable_evoadmin_vhost }}", evoadmin_multiphp_versions: "{{ packweb_multiphp_versions }}" } - - { role: evolix/evoacme } +dependencies: [] + diff --git a/packweb-apache/tasks/dependencies.yml b/packweb-apache/tasks/dependencies.yml new file mode 100644 index 00000000..0182654c --- /dev/null +++ b/packweb-apache/tasks/dependencies.yml 
@@ -0,0 +1,80 @@ +--- + +- import_role: + name: evolix/apache + +- import_role: + name: evolix/php + vars: + php_apache_enable: True + when: packweb_apache_modphp + +- import_role: + name: evolix/php + vars: + php_fpm_enable: True + when: packweb_apache_fpm + +- import_role: + name: evolix/squid + vars: + squid_localproxy_enable: True + +- import_role: + name: evolix/mysql + when: packweb_mysql_variant == "debian" + +- import_role: + name: evolix/mysql-oracle + when: packweb_mysql_variant == "oracle" + +- import_role: + name: evolix/lxc-php + vars: + lxc_php_version: php56 + lxc_php_create_mysql_link: True + when: "'php56' in packweb_multiphp_versions" + +- import_role: + name: evolix/lxc-php + vars: + lxc_php_version: php70 + lxc_php_create_mysql_link: True + when: "'php70' in packweb_multiphp_versions" + +- import_role: + name: evolix/lxc-php + vars: + lxc_php_version: php73 + lxc_php_create_mysql_link: True + when: "'php73' in packweb_multiphp_versions" + +- import_role: + name: evolix/lxc-php + vars: + lxc_php_version: php74 + lxc_php_create_mysql_link: True + when: "'php74' in packweb_multiphp_versions" + +- import_role: + name: evolix/lxc-php + vars: + lxc_php_version: php80 + lxc_php_create_mysql_link: True + when: "'php80' in packweb_multiphp_versions" + +- import_role: + name: evolix/lxc-php + vars: + lxc_php_version: php81 + lxc_php_create_mysql_link: True + when: "'php81' in packweb_multiphp_versions" + +- import_role: + name: evolix/webapps/evoadmin-web + vars: + evoadmin_enable_vhost: "{{ packweb_enable_evoadmin_vhost }}" + evoadmin_multiphp_versions: "{{ packweb_multiphp_versions }}" + +- import_role: + name: evolix/evoacme \ No newline at end of file diff --git a/packweb-apache/tasks/main.yml b/packweb-apache/tasks/main.yml index 5e2f9e92..ff3cd9a7 100644 --- a/packweb-apache/tasks/main.yml +++ b/packweb-apache/tasks/main.yml 
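Review bot: This new file has no header comment explaining why the dependency chain now lives here instead of in meta/main.yml, and the commit message says only "manual dependencies resolution"; add two lines at the top stating the reason (presumably to control ordering and per-role conditions that meta dependencies cannot express — confirm), since a future maintainer will otherwise be tempted to move them back. `allow_duplicates: true` is left behind in meta/main.yml with an empty `dependencies: []`, so it now applies to nothing and can go with the next cleanup. The last line `name: evolix/evoacme` also lacks a trailing newline (`\ No newline at end of file`).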
@@ -1,5 +1,8 @@ --- +- name: Dependencies are satisfied + include_tasks: dependencies.yml + - fail: msg: only compatible with Debian >= 8 when: -- 2.39.2 From 9d120ee95818b2e9abfbff1bbd1e05ebf5d7ed1a Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 6 Nov 2022 15:27:49 +0100 Subject: [PATCH 257/497] php: add restart handler for php8.1-fpm --- php/handlers/main.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/php/handlers/main.yml b/php/handlers/main.yml index 973c0069..079a14d5 100644 --- a/php/handlers/main.yml +++ b/php/handlers/main.yml @@ -19,3 +19,8 @@ service: name: php7.4-fpm state: restarted + +- name: restart php8.1-fpm + service: + name: php8.1-fpm + state: restarted -- 2.39.2 From 83138f0a0ba58049c58d0ccd8937bdab2ae3901e Mon Sep 17 00:00:00 2001 From: Mathieu Trossevin Date: Wed, 9 Nov 2022 17:05:54 +0100 Subject: [PATCH 258/497] nagios-nrpe: Correct port for check_opendkim --- CHANGELOG.md | 1 + nagios-nrpe/templates/evolix.cfg.j2 | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8b8f1bce..2f490d12 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -35,6 +35,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Fixed * evolinux-user: Fix sudoers privilege for check php\_fpm80 +* nagios-nrpe: Fix check opendkim for recent change in listening port ### Removed diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2 index dc6d09db..263fde10 100644 --- a/nagios-nrpe/templates/evolix.cfg.j2 +++ b/nagios-nrpe/templates/evolix.cfg.j2 
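Review bot: The new `include_tasks: dependencies.yml` task is placed before the `- fail: msg: only compatible with Debian >= 8` guard, so apache, php, mysql, squid, the lxc-php containers and evoacme are all run on a host before this role has checked that it is a supported Debian at all. The old meta-based dependencies ran before the role's tasks too, so this is not a regression, but now that the order is spelled out in this file the compatibility check should come first: move the include below the `fail` task (whose `when:` continues outside the hunk). As far as I can tell the `import_role` entries inside the dynamically included file are resolved when the include runs, so the reorder has no other effect.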
@@ -51,7 +51,7 @@ command[check_ssl]=/usr/lib/nagios/plugins/check_http -f follow -I 127.0.0.1 -S
 command[check_ssl_local]={{ nagios_plugins_directory }}/check_ssl_local
 command[check_elasticsearch]=/usr/lib/nagios/plugins/check_http -I 127.0.0.1 -u /_cat/health?h=st -p 9200 -r 'red' --invert-regex
 command[check_memcached]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 11211
-command[check_opendkim]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 54321
+command[check_opendkim]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 8891
 command[check_bkctld_setup]=sudo /usr/sbin/bkctld check-setup
 command[check_bkctld_jails]=sudo /usr/sbin/bkctld check-jails
 # "check_bkctld" is here as backward compatibility, but is replaced by "check_bkctld_jails"
-- 2.39.2
From b797a5059a3202c8a0079103adfa6db9d11651b4 Mon Sep 17 00:00:00 2001
From: Alexis Ben Miloud--Josselin Date: Tue, 15 Nov 2022 11:06:47 +0100 Subject: [PATCH 259/497] nagios-nrpe: add ceph checks --- nagios-nrpe/files/plugins/check_ceph_df | 232 +++++++++++++++++++ nagios-nrpe/files/plugins/check_ceph_health | 200 ++++++++++++++++ nagios-nrpe/files/plugins/check_ceph_mds | 188 +++++++++++++++ nagios-nrpe/files/plugins/check_ceph_mgr | 188 +++++++++++++++ nagios-nrpe/files/plugins/check_ceph_mon | 163 +++++++++++++ nagios-nrpe/files/plugins/check_ceph_osd | 154 ++++++++++++ nagios-nrpe/files/plugins/check_ceph_osd_db | 152 ++++++++++++ nagios-nrpe/files/plugins/check_ceph_osd_df | 153 ++++++++++++ nagios-nrpe/files/plugins/check_ceph_rgw | 118 ++++++++++ nagios-nrpe/files/plugins/check_ceph_rgw_api | 116 ++++++++++ 10 files changed, 1664 insertions(+) create mode 100755 nagios-nrpe/files/plugins/check_ceph_df create mode 100755 nagios-nrpe/files/plugins/check_ceph_health create mode 100755 nagios-nrpe/files/plugins/check_ceph_mds create mode 100755 nagios-nrpe/files/plugins/check_ceph_mgr create mode 100755 nagios-nrpe/files/plugins/check_ceph_mon create mode 100755 nagios-nrpe/files/plugins/check_ceph_osd create mode 100755 nagios-nrpe/files/plugins/check_ceph_osd_db create mode 100755 nagios-nrpe/files/plugins/check_ceph_osd_df create mode 100755 nagios-nrpe/files/plugins/check_ceph_rgw create mode 100755 nagios-nrpe/files/plugins/check_ceph_rgw_api diff --git a/nagios-nrpe/files/plugins/check_ceph_df b/nagios-nrpe/files/plugins/check_ceph_df new file mode 100755 index 00000000..0f798aa1 --- /dev/null +++ b/nagios-nrpe/files/plugins/check_ceph_df 
@@ -0,0 +1,232 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +# +# Copyright (c) 2013 SWITCH http://www.switch.ch +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +from __future__ import print_function +import argparse +import os +import subprocess +import sys + +__version__ = '1.7.1' + +# default ceph values +CEPH_COMMAND = '/usr/bin/ceph' + +# nagios exit code +STATUS_OK = 0 +STATUS_WARNING = 1 +STATUS_ERROR = 2 +STATUS_UNKNOWN = 3 + +def main(): + + # parse args + parser = argparse.ArgumentParser(description="'ceph df' nagios plugin.") + parser.add_argument('-e','--exe', help='ceph executable [%s]' % CEPH_COMMAND) + parser.add_argument('-c','--conf', help='alternative ceph conf file') + parser.add_argument('-m','--monaddress', help='ceph monitor address[:port]') + parser.add_argument('-i','--id', help='ceph client id') + parser.add_argument('-n','--name', help='ceph client name') + parser.add_argument('-k','--keyring', help='ceph client keyring file') + parser.add_argument('-p','--pool', help='ceph pool name') + parser.add_argument('-d','--detail', help="show pool details on warn and critical", action='store_true') + parser.add_argument('-W','--warn', help="warn above this percent RAW USED", type=float) + parser.add_argument('-C','--critical', help="critical alert above this percent RAW USED", type=float) + parser.add_argument('-V','--version', help='show version and exit', action='store_true') + args = parser.parse_args() + + # validate args + ceph_exec = 
args.exe if args.exe else CEPH_COMMAND + if not os.path.exists(ceph_exec): + print("ERROR: ceph executable '%s' doesn't exist" % ceph_exec) + return STATUS_UNKNOWN + + if args.version: + print('version %s' % __version__) + return STATUS_OK + + if args.conf and not os.path.exists(args.conf): + print("ERROR: ceph conf file '%s' doesn't exist" % args.conf) + return STATUS_UNKNOWN + + if args.keyring and not os.path.exists(args.keyring): + print("ERROR: keyring file '%s' doesn't exist" % args.keyring) + return STATUS_UNKNOWN + + if not args.warn or not args.critical or args.warn > args.critical: + print("ERROR: warn and critical level must be set and critical must be greater than warn") + return STATUS_UNKNOWN + + # build command + ceph_df = [ceph_exec] + if args.monaddress: + ceph_df.append('-m') + ceph_df.append(args.monaddress) + if args.conf: + ceph_df.append('-c') + ceph_df.append(args.conf) + if args.id: + ceph_df.append('--id') + ceph_df.append(args.id) + if args.name: + ceph_df.append('--name') + ceph_df.append(args.name) + if args.keyring: + ceph_df.append('--keyring') + ceph_df.append(args.keyring) + ceph_df.append('df') + + #print ceph_df + + # exec command + p = subprocess.Popen(ceph_df,stdout=subprocess.PIPE,stderr=subprocess.PIPE) + output, err = p.communicate() + + # parse output + # print "DEBUG: output:", output + # print "DEBUG: err:", err + if output: + output = output.decode('utf-8') + # parse output + # if detail switch was not set only show global values and compare to warning and critical + # otherwise show space for pools too + result=output.splitlines() + # values for GLOBAL are in 3rd line of output + globalline = result[2] + globalvals = globalline.split() + # Luminous vs Minic output (27.3TiB vs 27.3 TiB) + if len(globalvals) == 7: + gv = [] + gv.append("{}{}".format(globalvals[0], globalvals[1])) + gv.append("{}{}".format(globalvals[2], globalvals[3])) + gv.append("{}{}".format(globalvals[4], globalvals[5])) + gv.append(globalvals[6]) + 
globalvals = gv + #print "XXX: globalvals: {} {}".format(len(globalvals), globalvals) + # Nautilus output + if len(globalvals) == 10: + gv = [] + gv.append("{}{}".format(globalvals[1], globalvals[2])) + gv.append("{}{}".format(globalvals[3], globalvals[4])) + gv.append("{}{}".format(globalvals[5], globalvals[6])) + gv.append(globalvals[9]) + globalvals = gv + #print "XXX: globalvals: {} {}".format(len(globalvals), globalvals) + + # prepare pool values + # pool output starts in line 4 with the bare word POOLS: followed by the output + poollines = result[3:] + + if args.pool: + for line in poollines: + if args.pool in line: + poolvals = line.split() + # Luminous vs Minic output (27.3TiB vs 27.3 TiB) + if len(poolvals) == 8: + pv = [] + pv.append(poolvals[0]) # NAME + pv.append(poolvals[1]) # ID + pv.append("{}{}".format(poolvals[2], poolvals[3])) # USED 27.3 TiB + pv.append(poolvals[4]) # %USED + pv.append("{}{}".format(poolvals[5], poolvals[6])) # MAX AVAIL 27.3 TiB + # pv.append(poolvals[7]) # OBJECTS + poolvals = pv + #print "XXX: poolvals: {} {}".format(len(poolvals), poolvals) + # Nautilus output + if len(poolvals) == 10: + pv = [] + pv.append(poolvals[0]) # NAME + pv.append(poolvals[1]) # ID + pv.append("{}{}".format(poolvals[2], poolvals[3])) # USED 27.3 TiB + pv.append(poolvals[7]) # %USED + pv.append("{}{}".format(poolvals[8], poolvals[9])) # MAX AVAIL 27.3 TiB + # pv.append(poolvals[7]) # OBJECTS, not used + poolvals = pv + #print "XXX: poolvals: {} {}".format(len(poolvals), poolvals) + # Octopus >= v15.2.8 (pgs added to ceph-df) + if len(poolvals) == 11: + pv = [] + pv.append(poolvals[0]) # NAME + pv.append(poolvals[1]) # ID + #pv.append(poolvals[2]) # PGS, not used + pv.append("{}{}".format(poolvals[3], poolvals[4])) # USED 27.3 TiB + pv.append(poolvals[8]) # %USED + pv.append("{}{}".format(poolvals[9], poolvals[10])) # MAX AVAIL 27.3 TiB + # pv.append(poolvals[7]) # OBJECTS, not used + poolvals = pv + #print "XXX: poolvals: {} {}".format(len(poolvals), 
poolvals) + + + pool_used = poolvals[2] + pool_usage_percent = float(poolvals[3]) + pool_available_space = poolvals[4] + # pool_objects = float(poolvals[5]) # not used + + if pool_usage_percent > args.critical: + print('CRITICAL: %s%% usage in Pool \'%s\' is above %s%% (%s used) | Usage=%s%%;%s;%s;;' % (pool_usage_percent, args.pool, args.critical, pool_used, pool_usage_percent, args.warn, args.critical)) + return STATUS_ERROR + if pool_usage_percent > args.warn: + print('WARNING: %s%% usage in Pool \'%s\' is above %s%% (%s used) | Usage=%s%%;%s;%s;;' % (pool_usage_percent, args.pool, args.warn, pool_used, pool_usage_percent, args.warn, args.critical)) + return STATUS_WARNING + else: + print('%s%% usage in Pool \'%s\' | Usage=%s%%;%s;%s;;' % (pool_usage_percent, args.pool, pool_usage_percent, args.warn, args.critical)) + return STATUS_OK + else: + # print 'DEBUG:', globalvals + # finally 4th element contains percentual value + # print 'DEBUG USAGE:', globalvals[3] + global_usage_percent = float(globalvals[3]) + global_available_space = globalvals[1] + global_total_space = globalvals[0] + # print 'DEBUG WARNLEVEL:', args.warn + # print 'DEBUG CRITICALLEVEL:', args.critical + if global_usage_percent > args.critical: + if args.detail: + poollines.insert(0, '\n') + poolout = '\n '.join(poollines) + else: + poolout = '' + print('CRITICAL: global RAW usage of %s%% is above %s%% (%s of %s free)%s | Usage=%s%%;%s;%s;;' % (global_usage_percent, args.critical, global_available_space, global_total_space, poolout, global_usage_percent, args.warn, args.critical)) + return STATUS_ERROR + elif global_usage_percent > args.warn: + if args.detail: + poollines.insert(0, '\n') + poolout = '\n '.join(poollines) + else: + poolout = '' + print('WARNING: global RAW usage of %s%% is above %s%% (%s of %s free)%s | Usage=%s%%;%s;%s;;' % (global_usage_percent, args.warn, global_available_space, global_total_space, poolout, global_usage_percent, args.warn, args.critical)) + return 
STATUS_WARNING + else: + print('RAW usage %s%% | Usage=%s%%;%s;%s;;' % (global_usage_percent, global_usage_percent, args.warn, args.critical)) + return STATUS_OK + + #for + elif err: + # read only first line of error + one_line = err.split('\n')[0] + if '-1 ' in one_line: + idx = one_line.rfind('-1 ') + print('ERROR: %s: %s' % (ceph_exec, one_line[idx+len('-1 '):])) + else: + print(one_line) + + return STATUS_UNKNOWN + + +if __name__ == "__main__": + sys.exit(main()) diff --git a/nagios-nrpe/files/plugins/check_ceph_health b/nagios-nrpe/files/plugins/check_ceph_health new file mode 100755 index 00000000..ede44914 --- /dev/null +++ b/nagios-nrpe/files/plugins/check_ceph_health 
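Review bot: In the `elif err:` branch at the end of `main()`, `err.split('\n')` is applied to the raw bytes returned by `p.communicate()`; `output` is decoded with `output.decode('utf-8')` further up but `err` never is, so under Python 3 a ceph error — the very case this branch exists for — raises `TypeError` and the plugin dies with a traceback instead of returning STATUS_UNKNOWN. Decode at the top of the branch: `one_line = err.decode('utf-8', 'replace').split('\n')[0]`. The shebang `#!/usr/bin/env python` also needs a `python` binary, which Debian 11/12 only provide through the python-is-python3 package; `#!/usr/bin/env python3` avoids that dependency and matches the `from __future__ import print_function` intent. `globalline = result[2]` is also unguarded, so an unexpectedly short `ceph df` output (newer releases changed the layout) gives an IndexError rather than UNKNOWN; wrapping the parse in a `try/except (IndexError, ValueError)` that prints a message and returns STATUS_UNKNOWN would keep the check honest.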
@@ -0,0 +1,200 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +# +# Copyright (c) 2013-2016 SWITCH http://www.switch.ch +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +from __future__ import print_function +import argparse +import os +import subprocess +import sys +import re +import json + +__version__ = '1.7.0' + +# default ceph values +CEPH_ADM_COMMAND = '/usr/sbin/cephadm' +CEPH_COMMAND = '/usr/bin/ceph' + +# nagios exit code +STATUS_OK = 0 +STATUS_WARNING = 1 +STATUS_ERROR = 2 +STATUS_UNKNOWN = 3 + + +def main(): + + # parse args + parser = argparse.ArgumentParser(description="'ceph health' nagios plugin.") + parser.add_argument('-e','--exe', help='ceph executable [%s]' % CEPH_COMMAND) + parser.add_argument('-A','--admexe', help='cephadm executable [%s]' % CEPH_ADM_COMMAND) + parser.add_argument('--cluster', help='ceph cluster name') + parser.add_argument('-c','--conf', help='alternative ceph conf file') + parser.add_argument('-m','--monaddress', help='ceph monitor address[:port]') + parser.add_argument('-i','--id', help='ceph client id') + parser.add_argument('-n','--name', help='ceph client name') + parser.add_argument('-k','--keyring', help='ceph client keyring file') + parser.add_argument('--check', help='regexp of which check(s) to check (luminous+) ' + "Can be inverted, e.g. 
'^((?!(PG_DEGRADED|OBJECT_MISPLACED)$).)*$'") + parser.add_argument('-w','--whitelist', help='whitelist regexp for ceph health warnings') + parser.add_argument('-d','--detail', help="exec 'ceph health detail'", action='store_true') + parser.add_argument('-V','--version', help='show version and exit', action='store_true') + parser.add_argument('-a','--cephadm', help='uses cephadm to execute the command', action='store_true') + parser.add_argument('-s','--skip-muted', help='skip muted checks', action='store_true') + args = parser.parse_args() + + # validate args + cephadm_exec = args.admexe if args.admexe else CEPH_ADM_COMMAND + ceph_exec = args.exe if args.exe else CEPH_COMMAND + + if args.cephadm: + if not os.path.exists(cephadm_exec): + print("ERROR: cephadm executable '%s' doesn't exist" % cephadm_exec) + return STATUS_UNKNOWN + else: + if not os.path.exists(ceph_exec): + print("ERROR: ceph executable '%s' doesn't exist" % ceph_exec) + return STATUS_UNKNOWN + + if args.version: + print('version %s' % __version__) + return STATUS_OK + + if args.conf and not os.path.exists(args.conf): + print("ERROR: ceph conf file '%s' doesn't exist" % args.conf) + return STATUS_UNKNOWN + + if args.keyring and not os.path.exists(args.keyring): + print("ERROR: keyring file '%s' doesn't exist" % args.keyring) + return STATUS_UNKNOWN + + # build command + ceph_health = [ceph_exec] + + if args.cephadm: + # Prepend the command with the cephadm binary and the shell command + ceph_health = [cephadm_exec, 'shell'] + ceph_health + + if args.monaddress: + ceph_health.append('-m') + ceph_health.append(args.monaddress) + if args.cluster: + ceph_health.append('--cluster') + ceph_health.append(args.cluster) + if args.conf: + ceph_health.append('-c') + ceph_health.append(args.conf) + if args.id: + ceph_health.append('--id') + ceph_health.append(args.id) + if args.name: + ceph_health.append('--name') + ceph_health.append(args.name) + if args.keyring: + ceph_health.append('--keyring') + 
ceph_health.append(args.keyring) + ceph_health.append('health') + if args.detail: + ceph_health.append('detail') + + ceph_health.append('--format') + ceph_health.append('json') + #print(ceph_health) + + # exec command + p = subprocess.Popen(ceph_health,stdout=subprocess.PIPE,stderr=subprocess.PIPE) + output, err = p.communicate() + try: + output = json.loads(output) + except ValueError: + output = dict() + + # parse output + # print "output:", output + #print "err:", err + if output: + ret = STATUS_OK + msg = "" + extended = [] + if 'checks' in output: + #luminous + for check,status in output['checks'].items(): + # skip check if not selected + if args.check and not re.search(args.check, check): + continue + + if args.skip_muted and ('muted' in status and status['muted']): + continue + + check_detail = "%s( %s )" % (check, status['summary']['message']) + + if status["severity"] == "HEALTH_ERR": + extended.append(msg) + msg = "CRITICAL: %s" % check_detail + ret = STATUS_ERROR + continue + + if args.whitelist and re.search(args.whitelist,status['summary']['message']): + continue + + check_msg = "WARNING: %s" % check_detail + if not msg: + msg = check_msg + ret = STATUS_WARNING + else: + extended.append(check_msg) + else: + #pre-luminous + for status in output["summary"]: + if status != "HEALTH_OK": + if status == "HEALTH_ERROR": + msg = "CRITICAL: %s" % status['summary'] + ret = STATUS_ERROR + continue + + if args.whitelist and re.search(args.whitelist,status['summary']): + continue + + if not msg: + msg = "WARNING: %s" % status['summary'] + ret = STATUS_WARNING + else: + extended.append("WARNING: %s" % status['summary']) + + if msg: + print(msg) + else: + print("HEALTH OK") + if extended: print('\n'.join(extended)) + return ret + + + elif err: + # read only first line of error + one_line = err.split('\n')[0] + if '-1 ' in one_line: + idx = one_line.rfind('-1 ') + print('ERROR: %s: %s' % (ceph_exec, one_line[idx+len('-1 '):])) + else: + print(one_line) + + return 
STATUS_UNKNOWN + + +if __name__ == "__main__": + sys.exit(main()) diff --git a/nagios-nrpe/files/plugins/check_ceph_mds b/nagios-nrpe/files/plugins/check_ceph_mds new file mode 100755 index 00000000..4e654c05 --- /dev/null +++ b/nagios-nrpe/files/plugins/check_ceph_mds 
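Review bot: As in check_ceph_df, the `elif err:` branch calls `err.split('\n')` on the undecoded bytes from `p.communicate()` and raises `TypeError` under Python 3 exactly when ceph reports an error, so the check never returns STATUS_UNKNOWN cleanly; use `one_line = err.decode('utf-8', 'replace').split('\n')[0]`. The `--cephadm` path prepends `cephadm shell`, which needs root to reach the cluster containers, so the NRPE command for this plugin will need a sudoers entry that is not part of this patch; the same applies if `/usr/bin/ceph` is run with the admin keyring. In the pre-luminous branch each `status` taken from `output["summary"]` is compared with the strings "HEALTH_OK"/"HEALTH_ERROR" and then subscripted as `status['summary']`, so the `== "HEALTH_ERROR"` comparison can never match a dict item and every condition there is reported as WARNING; that branch looks untested and could be fixed to compare `status.get('severity')` or dropped if no pre-luminous clusters remain.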
@@ -0,0 +1,188 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +# +# Copyright (c) 2013 Catalyst IT http://www.catalyst.net.nz +# Copyright (c) 2015 SWITCH http://www.switch.ch +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +from __future__ import print_function +import argparse +import socket +import os +import re +import subprocess +import sys +import json + +__version__ = '1.6.0' + +# default ceph values +CEPH_EXEC = '/usr/bin/ceph' +CEPH_COMMAND = 'mds stat -f json' + +# nagios exit code +STATUS_OK = 0 +STATUS_WARNING = 1 +STATUS_ERROR = 2 +STATUS_UNKNOWN = 3 + +def main(): + # parse args + parser = argparse.ArgumentParser(description="'ceph mds stat' nagios plugin.") + parser.add_argument('-e','--exe', help='ceph executable [%s]' % CEPH_EXEC) + parser.add_argument('-c','--conf', help='alternative ceph conf file') + parser.add_argument('-m','--monaddress', help='ceph monitor to use for queries (address[:port])') + parser.add_argument('-i','--id', help='ceph client id') + parser.add_argument('-k','--keyring', help='ceph client keyring file') + parser.add_argument('-V','--version', help='show version and exit', action='store_true') + parser.add_argument('-n','--name', help='mds daemon name', required=True) + parser.add_argument('-f','--filesystem', help='mds filesystem name', required=True) + args = parser.parse_args() + + if args.version: + print('version %s' % __version__) + return STATUS_OK + + # validate args + ceph_exec = args.exe if args.exe else 
CEPH_EXEC + if not os.path.exists(ceph_exec): + print("MDS ERROR: ceph executable '%s' doesn't exist" % ceph_exec) + return STATUS_UNKNOWN + + if args.conf and not os.path.exists(args.conf): + print("MDS ERROR: ceph conf file '%s' doesn't exist" % args.conf) + return STATUS_UNKNOWN + + if args.keyring and not os.path.exists(args.keyring): + print("MDS ERROR: keyring file '%s' doesn't exist" % args.keyring) + return STATUS_UNKNOWN + + # build command + ceph_cmd = [ceph_exec] + if args.monaddress: + ceph_cmd.append('-m') + ceph_cmd.append(args.monaddress) + if args.conf: + ceph_cmd.append('-c') + ceph_cmd.append(args.conf) + if args.id: + ceph_cmd.append('--id') + ceph_cmd.append(args.id) + if args.keyring: + ceph_cmd.append('--keyring') + ceph_cmd.append(args.keyring) + ceph_cmd.extend(CEPH_COMMAND.split(' ')) + + # exec command + p = subprocess.Popen(ceph_cmd,stdout=subprocess.PIPE,stderr=subprocess.PIPE) + output, err = p.communicate() + + if p.returncode != 0 or not output: + print("MDS ERROR: %s" % err) + return STATUS_ERROR + + # load json output and parse + mds_stat = None + try: + mds_stat = json.loads(output) + except Exception as e: + print("MDS ERROR: could not parse '%s' output: %s: %s" % (CEPH_COMMAND,output,e)) + return STATUS_UNKNOWN + + return check_target_mds(mds_stat, args.filesystem, args.name) + +def check_target_mds(mds_stat, fs_name, name): + # find mds from standby list + standby_mdss = _get_standby_mds(mds_stat) + for mds in standby_mdss: + if mds.get_name() == name: + print("MDS OK: %s" % (mds)) + return STATUS_OK + + # find mds from active list + active_mdss = _get_active_mds(mds_stat, fs_name) + + if active_mdss: + for mds in active_mdss: + if mds.get_name() != name: + continue + # target mds in active list + print("MDS %s: %s" % ("WARN" if mds.is_laggy() else "OK", mds)) + return STATUS_WARNING if mds.is_laggy() else STATUS_OK + + # mds not found + print("MDS ERROR: MDS '%s' is not found (offline?)" % (name)) + return STATUS_ERROR + else: 
+ # fs not found in map, perhaps user input error + print("MDS ERROR: FS '%s' is not found in fsmap" % (fs_name)) + return STATUS_ERROR + +def _get_standby_mds(mds_stat): + mds_array = [] + for mds in mds_stat['fsmap']['standbys']: + name = mds['name'] + state = mds['state'] + laggy_since = mds['laggy_since'] if 'laggy_since' in mds else None + mds_array.append(MDS(name, state)) + + return mds_array + +def _get_active_mds(mds_stat, fs_name): + mds_fs = mds_stat['fsmap']['filesystems'] + + # find filesystem in stat + for i in range(len(mds_fs)): + mdsmap = mds_fs[i]['mdsmap'] + if mdsmap['fs_name'] != fs_name: + continue + # put mds to array + mds_array = [] + infos = mds_stat['fsmap']['filesystems'][i]['mdsmap']['info'] + for gid in infos: + name = infos[gid]['name'] + state = infos[gid]['state'] + laggy_since = infos[gid]['laggy_since'] if 'laggy_since' in infos[gid] else None + mds_array.append(MDS(name, state, laggy_since)) + + return mds_array + + # no fs found + return None + +class MDS(object): + def __init__(self, name, state, laggy_since=None): + self.name = name + self.state = state + self.laggy_since = laggy_since + + def get_name(self): + return self.name + + def get_state(self): + return self.state + + def is_laggy(self): + return self.laggy_since is not None + + def __str__(self): + msg = "MDS '%s' is %s" % (self.name, self.state) + if self.laggy_since is not None: + msg += " (laggy or crashed)" + return msg + +# main +if __name__ == "__main__": + sys.exit(main()) diff --git a/nagios-nrpe/files/plugins/check_ceph_mgr b/nagios-nrpe/files/plugins/check_ceph_mgr new file mode 100755 index 00000000..019e4a3f --- /dev/null +++ b/nagios-nrpe/files/plugins/check_ceph_mgr 
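Review bot: `_get_standby_mds` reads `laggy_since` from each standby entry but then constructs `MDS(name, state)` without it, so a laggy standby is always reported as `MDS OK` and `is_laggy()` can never be true on that path; the constructor already accepts the value, so the line should be `mds_array.append(MDS(name, state, laggy_since))`. `socket` and `re` are imported but never used in this file. All of the plugins added in this commit (check_ceph_mds, check_ceph_mgr, check_ceph_mon, check_ceph_osd, check_ceph_osd_db, check_ceph_osd_df, check_ceph_rgw) use `#!/usr/bin/env python`; on Debian releases that ship only `python3` that interpreter name does not exist, so the shebang should presumably be `#!/usr/bin/env python3` — the code already uses `print_function` and `except ... as e`, so it is written to run under 3. `-e/--exe` is executed as given after only an `os.path.exists` check, which is normal for a local plugin, but if NRPE argument passing is enabled the command definitions should pin the executable rather than forward that option from the remote side.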
@@ -0,0 +1,188 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +# +# Copyright (c) 2018 SWITCH http://www.switch.ch +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +from __future__ import print_function +import argparse +import os +import subprocess +import sys +import json + +__version__ = '1.0.0' + +# default ceph values +CEPH_EXEC = '/usr/bin/ceph' +CEPH_COMMAND = 'mgr dump -f json' + +CEPH_MGR_DUMP_EXAMPLE = ''' +$ ceph --version +ceph version 12.2.7 (3ec878d1e53e1aeb47a9f619c49d9e7c0aa384d5) luminous (stable) +$ ceph mgr dump -f json|jq . 
+{ + "epoch": 165, + "active_gid": 248001409, + "active_name": "zhdk0013", + "active_addr": "10.10.10.9:6800/810408", + "available": true, + "standbys": [ + { + "gid": 247991934, + "name": "zhdk0009", + "available_modules": [ + "balancer", + "dashboard", + "influx", + "localpool", + "prometheus", + "restful", + "selftest", + "status", + "zabbix" + ] + }, + { + "gid": 248011196, + "name": "zhdk0025", + "available_modules": [ + "balancer", + "dashboard", + "influx", + "localpool", + "prometheus", + "restful", + "selftest", + "status", + "zabbix" + ] + } + ], + "modules": [ + "balancer", + "restful", + "status" + ], + "available_modules": [ + "balancer", + "dashboard", + "influx", + "localpool", + "prometheus", + "restful", + "selftest", + "status", + "zabbix" + ], + "services": {} +} +''' + +# nagios exit code +STATUS_OK = 0 +STATUS_WARNING = 1 +STATUS_ERROR = 2 +STATUS_UNKNOWN = 3 + + +def main(): + # parse args + parser = argparse.ArgumentParser(description="'ceph mgr dump' nagios plugin.") + parser.add_argument('-e', '--exe', help='ceph executable [%s]' % CEPH_EXEC) + parser.add_argument('-c', '--conf', help='alternative ceph conf file') + parser.add_argument('-m', '--monaddress', help='ceph monitor to use for queries (address[:port])') + parser.add_argument('-i', '--id', help='ceph client id') + parser.add_argument('-n', '--name', help='ceph client name') + parser.add_argument('-k', '--keyring', help='ceph client keyring file') + parser.add_argument('-V', '--version', help='show version and exit', action='store_true') + args = parser.parse_args() + + if args.version: + print("version {}".format(__version__)) + return STATUS_OK + + # validate args + ceph_exec = args.exe if args.exe else CEPH_EXEC + if not os.path.exists(ceph_exec): + print("MGR ERROR: ceph executable '{}' doesn't exist".format(ceph_exec)) + return STATUS_UNKNOWN + + if args.conf and not os.path.exists(args.conf): + print("MGR ERROR: ceph conf file '{}' doesn't exist".format(args.conf)) + return 
STATUS_UNKNOWN + + if args.keyring and not os.path.exists(args.keyring): + print("MGR ERROR: keyring file '{}' doesn't exist".format(args.keyring)) + return STATUS_UNKNOWN + + # build command + ceph_cmd = [ceph_exec] + if args.monaddress: + ceph_cmd.append('-m') + ceph_cmd.append(args.monaddress) + if args.conf: + ceph_cmd.append('-c') + ceph_cmd.append(args.conf) + if args.id: + ceph_cmd.append('--id') + ceph_cmd.append(args.id) + if args.name: + ceph_cmd.append('--name') + ceph_cmd.append(args.name) + if args.keyring: + ceph_cmd.append('--keyring') + ceph_cmd.append(args.keyring) + ceph_cmd.extend(CEPH_COMMAND.split(' ')) + + # exec command + p = subprocess.Popen(ceph_cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + output, err = p.communicate() + + if p.returncode != 0 or not output: + print("MGR ERROR: {}".format(err)) + return STATUS_UNKNOWN + + # load json output and parse + mgr_dump = None + try: + mgr_dump = json.loads(output) + except Exception as e: + print("MGR ERROR: could not parse '{}' output: {}: {}".format(ceph_cmd, output, e)) + return STATUS_UNKNOWN + + # check active + if 'active_name' not in mgr_dump: + print("MGR CRITICAL: not active mgr found") + print("JSON: {}".format(json.dumps(mgr_dump))) + return STATUS_ERROR + + active_mgr_name = mgr_dump['active_name'] + # check standby + standby_mgr_names = [] + for standby_mgr in mgr_dump['standbys']: + standby_mgr_names.append(standby_mgr['name']) + + if len(standby_mgr_names) <= 0: + print("MGR WARN: active: {} but no standbys".format(active_mgr_name)) + return STATUS_WARNING + else: + print("MGR OK: active: {}, standbys: {}".format(active_mgr_name, + ", ".join(standby_mgr_names))) + return STATUS_OK + +# main +if __name__ == "__main__": + sys.exit(main()) diff --git a/nagios-nrpe/files/plugins/check_ceph_mon b/nagios-nrpe/files/plugins/check_ceph_mon new file mode 100755 index 00000000..db417676 --- /dev/null +++ b/nagios-nrpe/files/plugins/check_ceph_mon 
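Review bot: The active-manager test `if 'active_name' not in mgr_dump` only checks key presence, so a dump where the key exists with an empty value would be reported as `MGR OK: active: `; the example dump kept in the file also carries an `available` flag that looks like the intended signal, so a safer test is `if not mgr_dump.get('active_name') or not mgr_dump.get('available', True):`, to be confirmed against the `mgr dump` schema of the Ceph releases in use. Under Python 3, `output` and `err` from `communicate()` are bytes, so `print("MGR ERROR: {}".format(err))` prints `b'...'`; decoding once after `communicate()` (`err = err.decode('utf8', 'replace')`) fixes both error messages, and the same applies to check_ceph_mds and check_ceph_mon, which print `err` with `%s`. The failed-parse message prints the whole `ceph_cmd` list, which includes the keyring path given on the command line; printing `CEPH_COMMAND` as the sibling plugins do keeps that out of the Nagios status text.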
@@ -0,0 +1,163 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +# +# Copyright (c) 2013 Catalyst IT http://www.catalyst.net.nz +# Copyright (c) 2015 SWITCH http://www.switch.ch +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +from __future__ import print_function +import argparse +import socket +import os +import re +import subprocess +import sys +import json + +__version__ = '1.5.0' + +# default ceph values +CEPH_EXEC = '/usr/bin/ceph' +CEPH_COMMAND = 'quorum_status' + +# nagios exit code +STATUS_OK = 0 +STATUS_WARNING = 1 +STATUS_ERROR = 2 +STATUS_UNKNOWN = 3 + +## +# ceph quorum_status output example +## +ceph_quorum_status_output_example = '''{ + "quorum_leader_name" : "s0001", + "monmap" : { + "mons" : [ + { + "name" : "s0001", + "addr" : "[2001:620:5ca1:8000::1001]:6789/0", + "rank" : 0 + }, + { + "name" : "s0003", + "addr" : "[2001:620:5ca1:8000::1003]:6789/0", + "rank" : 1 + } + ], + "created" : "2014-12-15 08:28:35.153650", + "epoch" : 2, + "modified" : "2014-12-15 08:28:40.371878", + "fsid" : "22348d2b-b69d-46cc-9a79-ca93cd6bae84" + }, + "quorum_names" : [ + "s0001", + "s0003" + ], + "quorum" : [ + 0, + 1 + ], + "election_epoch" : 24 +}''' + +def main(): + + # parse args + parser = argparse.ArgumentParser(description="'ceph quorum_status' nagios plugin.") + parser.add_argument('-e','--exe', help='ceph executable [%s]' % CEPH_EXEC) + parser.add_argument('-c','--conf', help='alternative ceph conf file') + parser.add_argument('-m','--monaddress', 
help='ceph monitor to use for queries (address[:port])') + parser.add_argument('-i','--id', help='ceph client id') + parser.add_argument('-k','--keyring', help='ceph client keyring file') + parser.add_argument('-V','--version', help='show version and exit', action='store_true') + parser.add_argument('-I','--monid', help='mon ID to be checked for availability') + args = parser.parse_args() + + if args.version: + print('version %s' % __version__) + return STATUS_OK + + # validate args + ceph_exec = args.exe if args.exe else CEPH_EXEC + if not os.path.exists(ceph_exec): + print("MON ERROR: ceph executable '%s' doesn't exist" % ceph_exec) + return STATUS_UNKNOWN + + if args.conf and not os.path.exists(args.conf): + print("MON ERROR: ceph conf file '%s' doesn't exist" % args.conf) + return STATUS_UNKNOWN + + if args.keyring and not os.path.exists(args.keyring): + print("MON ERROR: keyring file '%s' doesn't exist" % args.keyring) + return STATUS_UNKNOWN + + if not args.monid: + print("MON ERROR: no MON ID given, use -I/--monid parameter") + return STATUS_UNKNOWN + + # build command + ceph_cmd = [ceph_exec] + if args.monaddress: + ceph_cmd.append('-m') + ceph_cmd.append(args.monaddress) + if args.conf: + ceph_cmd.append('-c') + ceph_cmd.append(args.conf) + if args.id: + ceph_cmd.append('--id') + ceph_cmd.append(args.id) + if args.keyring: + ceph_cmd.append('--keyring') + ceph_cmd.append(args.keyring) + ceph_cmd.append(CEPH_COMMAND) + + # exec command + p = subprocess.Popen(ceph_cmd,stdout=subprocess.PIPE,stderr=subprocess.PIPE) + output, err = p.communicate() + + if p.returncode != 0 or not output: + print("MON ERROR: %s" % err) + return STATUS_ERROR + + # load json output and parse + quorum_status = False + try: + quorum_status = json.loads(output) + except Exception as e: + print("MON ERROR: could not parse '%s' output: %s: %s" % (CEPH_COMMAND,output,e)) + return STATUS_UNKNOWN + + #print "XXX: quorum_status['quorum_names']:", quorum_status['quorum_names'] + + # do our 
checks + is_monitor = False + for mon in quorum_status['monmap']['mons']: + if mon['name'] == args.monid: + is_monitor = True + if not is_monitor: + print("MON WARN: mon '%s' is not in monmap: %s" % (args.monid,quorum_status['monmap']['mons'])) + return STATUS_WARNING + + in_quorum = args.monid in quorum_status['quorum_names'] + if in_quorum: + print("MON OK") + return STATUS_OK + else: + print("MON WARN: no MON '%s' found in quorum" % args.monid) + return STATUS_WARNING + +# main +if __name__ == "__main__": + sys.exit(main()) diff --git a/nagios-nrpe/files/plugins/check_ceph_osd b/nagios-nrpe/files/plugins/check_ceph_osd new file mode 100755 index 00000000..88a37488 --- /dev/null +++ b/nagios-nrpe/files/plugins/check_ceph_osd 
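Review bot: The monmap membership loop at the top of the check section is a flag-and-loop form that can be one expression, `is_monitor = any(mon['name'] == args.monid for mon in quorum_status['monmap']['mons'])`, which also makes the intent obvious. `quorum_status = False` before `json.loads` is a placeholder that is never read as a boolean; `None` states the intent. `socket` and `re` are imported but unused in this file. The `MON WARN` message for a mon missing from the monmap dumps the entire `mons` list, addresses included, into the status line; listing only the names (`[m['name'] for m in quorum_status['monmap']['mons']]`) is enough for the operator and keeps the line short.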
@@ -0,0 +1,154 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +# +# Copyright (c) 2013 Catalyst IT http://www.catalyst.net.nz +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# 1.5.2 (2019-06-16) Martin Seener: fixed regex to work with Ceph Nautilus (14.2.x) + +from __future__ import print_function +import argparse +import os +import re +import subprocess +import sys +import socket + +__version__ = '1.5.2' + +# default ceph values +CEPH_COMMAND = '/usr/bin/ceph' + +# nagios exit code +STATUS_OK = 0 +STATUS_WARNING = 1 +STATUS_ERROR = 2 +STATUS_UNKNOWN = 3 + +def main(): + + # parse args + parser = argparse.ArgumentParser(description="'ceph osd' nagios plugin.") + parser.add_argument('-e','--exe', help='ceph executable [%s]' % CEPH_COMMAND) + parser.add_argument('-c','--conf', help='alternative ceph conf file') + parser.add_argument('-m','--monaddress', help='ceph monitor address[:port]') + parser.add_argument('-i','--id', help='ceph client id') + parser.add_argument('-k','--keyring', help='ceph client keyring file') + parser.add_argument('-V','--version', help='show version and exit', action='store_true') + parser.add_argument('-H','--host', help='osd host', required=True) + parser.add_argument('-I','--osdid', help='osd id', required=False) + parser.add_argument('-C','--crit', help='Number of failed OSDs to trigger critical (default=2)',type=int,default=2, required=False) + parser.add_argument('-o','--out', help='check osds that are set OUT', default=False, 
action='store_true', required=False) + args = parser.parse_args() + + # validate args + ceph_exec = args.exe if args.exe else CEPH_COMMAND + if not os.path.exists(ceph_exec): + print("OSD ERROR: ceph executable '%s' doesn't exist" % ceph_exec) + return STATUS_UNKNOWN + + if args.version: + print('version %s' % __version__) + return STATUS_OK + + if args.conf and not os.path.exists(args.conf): + print("OSD ERROR: ceph conf file '%s' doesn't exist" % args.conf) + return STATUS_UNKNOWN + + if args.keyring and not os.path.exists(args.keyring): + print("OSD ERROR: keyring file '%s' doesn't exist" % args.keyring) + return STATUS_UNKNOWN + + if not args.osdid: + args.osdid = '[^ ]*' + + if not args.host: + print("OSD ERROR: no OSD hostname given") + return STATUS_UNKNOWN + + try: + addrinfo = socket.getaddrinfo(args.host, None, 0, socket.SOCK_STREAM) + args.host = addrinfo[0][-1][0] + if addrinfo[0][0] == socket.AF_INET6: + args.host = "[%s]" % args.host + except: + print('OSD ERROR: could not resolve %s' % args.host) + return STATUS_UNKNOWN + + + # build command + ceph_cmd = [ceph_exec] + if args.monaddress: + ceph_cmd.append('-m') + ceph_cmd.append(args.monaddress) + if args.conf: + ceph_cmd.append('-c') + ceph_cmd.append(args.conf) + if args.id: + ceph_cmd.append('--id') + ceph_cmd.append(args.id) + if args.keyring: + ceph_cmd.append('--keyring') + ceph_cmd.append(args.keyring) + ceph_cmd.append('osd') + ceph_cmd.append('dump') + + # exec command + p = subprocess.Popen(ceph_cmd,stdout=subprocess.PIPE,stderr=subprocess.PIPE) + output, err = p.communicate() + output = output.decode('utf8') + + if err or not output: + print("OSD ERROR: %s" % err) + return STATUS_ERROR + + # escape IPv4 host address + osd_host = args.host.replace('.', '\.') + # escape IPv6 host address + osd_host = osd_host.replace('[', '\[') + osd_host = osd_host.replace(']', '\]') + up = re.findall(r"^(osd\.%s) up.*%s:" % (args.osdid, osd_host), output, re.MULTILINE) + if args.out: + down = 
re.findall(r"^(osd\.%s) down.*%s:" % (args.osdid, osd_host), output, re.MULTILINE) + down_in = re.findall(r"^(osd\.%s) down[ ]+in.*%s:" % (args.osdid, osd_host), output, re.MULTILINE) + down_out = re.findall(r"^(osd\.%s) down[ ]+out.*%s:" % (args.osdid, osd_host), output, re.MULTILINE) + else: + down = re.findall(r"^(osd\.%s) down[ ]+in.*%s:" % (args.osdid, osd_host), output, re.MULTILINE) + down_in = down + down_out = re.findall(r"^(osd\.%s) down[ ]+out.*%s:" % (args.osdid, osd_host), output, re.MULTILINE) + + if down: + print("OSD %s: Down OSD%s on %s: %s" % ('CRITICAL' if len(down)>=args.crit else 'WARNING' ,'s' if len(down)>1 else '', args.host, " ".join(down))) + print("Up OSDs: " + " ".join(up)) + print("Down+In OSDs: " + " ".join(down_in)) + print("Down+Out OSDs: " + " ".join(down_out)) + print("| 'osd_up'=%d 'osd_down_in'=%d;;%d 'osd_down_out'=%d;;%d" % (len(up), len(down_in), args.crit, len(down_out), args.crit)) + if len(down)>=args.crit: + return STATUS_ERROR + else: + return STATUS_WARNING + + if up: + print("OSD OK") + print("Up OSDs: " + " ".join(up)) + print("Down+In OSDs: " + " ".join(down_in)) + print("Down+Out OSDs: " + " ".join(down_out)) + print("| 'osd_up'=%d 'osd_down_in'=%d;;%d 'osd_down_out'=%d;;%d" % (len(up), len(down_in), args.crit, len(down_out), args.crit)) + return STATUS_OK + + print("OSD WARN: no OSD.%s found on host %s" % (args.osdid, args.host)) + return STATUS_WARNING + +if __name__ == "__main__": + sys.exit(main()) diff --git a/nagios-nrpe/files/plugins/check_ceph_osd_db b/nagios-nrpe/files/plugins/check_ceph_osd_db new file mode 100755 index 00000000..6a01836b --- /dev/null +++ b/nagios-nrpe/files/plugins/check_ceph_osd_db 
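Review bot: The success test `if err or not output:` after `communicate()` treats anything on stderr as a failure, so a ceph client that prints a warning on stderr while still returning the osd dump makes this check go CRITICAL; the sibling plugins in this commit (check_ceph_mds, check_ceph_mon, check_ceph_mgr) test `p.returncode != 0 or not output` instead, and check_ceph_osd_db has the same `if err` test. The three host-escaping lines (`args.host.replace('.', '\.')` and the two bracket replaces) put `\.`, `\[`, `\]` in non-raw strings, which Python 3 flags as invalid escape sequences; `osd_host = re.escape(args.host)` replaces all three and covers every regex metacharacter. The bare `except:` around `getaddrinfo` also swallows KeyboardInterrupt and SystemExit; `except Exception:` as check_ceph_osd_db does is the narrower form. The `--version` branch sits after the executable existence check, so `-V` fails on a host without ceph installed; moving it directly after `parse_args()` matches check_ceph_mds and check_ceph_mon.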
@@ -0,0 +1,152 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +# +# Copyright (c) 2020 Binero AB https://binero.com +# Copyright (c) 2013 Catalyst IT http://www.catalyst.net.nz +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import argparse +import os +import re +import subprocess +import sys +import socket +import json + + +CEPH_COMMAND = '/usr/bin/ceph' + +STATUS_OK = 0 +STATUS_CRITICAL = 2 +STATUS_UNKNOWN = 3 + + +def main(): + parser = argparse.ArgumentParser(description="'ceph osd' nagios plugin.") + + parser.add_argument('-e','--exe', help='ceph executable [%s]' % CEPH_COMMAND) + parser.add_argument('-c','--conf', help='alternative ceph conf file') + parser.add_argument('-m','--monaddress', help='ceph monitor address[:port]') + parser.add_argument('-i','--id', help='ceph client id') + parser.add_argument('-k','--keyring', help='ceph client keyring file') + parser.add_argument('-H','--host', help='osd host', required=True) + parser.add_argument('-C','--critical', help='critical threshold', default=60) + + args = parser.parse_args() + + ceph_exec = args.exe if args.exe else CEPH_COMMAND + if not os.path.exists(ceph_exec): + print("UNKNOWN: ceph executable '%s' doesn't exist" % ceph_exec) + return STATUS_UNKNOWN + + if args.conf and not os.path.exists(args.conf): + print("UNKNOWN: ceph conf file '%s' doesn't exist" % args.conf) + return STATUS_UNKNOWN + + if args.keyring and not os.path.exists(args.keyring): + print("UNKNOWN: keyring file '%s' doesn't exist" 
% args.keyring) + return STATUS_UNKNOWN + + if not args.host: + print("UNKNOWN: no OSD hostname given") + return STATUS_UNKNOWN + + try: + addrinfo = socket.getaddrinfo(args.host, None, 0, socket.SOCK_STREAM) + args.host = addrinfo[0][-1][0] + if addrinfo[0][0] == socket.AF_INET6: + args.host = "[%s]" % args.host + except Exception: + print('UNKNOWN: could not resolve %s' % args.host) + return STATUS_UNKNOWN + + ceph_cmd = [ceph_exec] + if args.monaddress: + ceph_cmd.append('-m') + ceph_cmd.append(args.monaddress) + if args.conf: + ceph_cmd.append('-c') + ceph_cmd.append(args.conf) + if args.id: + ceph_cmd.append('--id') + ceph_cmd.append(args.id) + if args.keyring: + ceph_cmd.append('--keyring') + ceph_cmd.append(args.keyring) + + ceph_cmd.append('osd') + ceph_cmd.append('dump') + + p = subprocess.Popen(ceph_cmd,stdout=subprocess.PIPE,stderr=subprocess.PIPE) + output, err = p.communicate() + + if err or not output: + print("CRITICAL: %s" % err) + return STATUS_CRITICAL + + # escape IPv4 host address + osd_host = args.host.replace('.', '\.') + # escape IPv6 host address + osd_host = osd_host.replace('[', '\[') + osd_host = osd_host.replace(']', '\]') + + osds_up = re.findall(r"^(osd\.[^ ]*) up.*%s:" % (osd_host), output, re.MULTILINE) + + final_status = STATUS_OK + lines = [] + + for osd in osds_up: + daemon_ceph_cmd = [ceph_exec, '--format', 'json'] + daemon_ceph_cmd.append('daemon') + daemon_ceph_cmd.append(osd) + daemon_ceph_cmd.append('perf') + daemon_ceph_cmd.append('dump') + + p = subprocess.Popen(daemon_ceph_cmd,stdout=subprocess.PIPE,stderr=subprocess.PIPE) + output, err = p.communicate() + + if err or not output: + print("CRITICAL: %s" % err) + return STATUS_CRITICAL + + try: + data = json.loads(output) + except Exception: + print("CRITICAL: failed to load json") + return STATUS_CRITICAL + + bluefs = data.get('bluefs', None) + + if not bluefs: + continue + + db_total_bytes = bluefs.get('db_total_bytes') + db_used_bytes = bluefs.get('db_used_bytes') + perc 
= (float(db_used_bytes) / float(db_total_bytes) * 100) + + if perc >= args.critical and final_status == STATUS_OK: + final_status = STATUS_CRITICAL + + lines.append("%s=%.2f%%" % (osd, perc)) + + if final_status == STATUS_OK: + print("OK: %s" % (' '.join(lines))) + else: + print("CRITICAL: %s" % (' '.join(lines))) + + return final_status + + +if __name__ == "__main__": + sys.exit(main()) diff --git a/nagios-nrpe/files/plugins/check_ceph_osd_df b/nagios-nrpe/files/plugins/check_ceph_osd_df new file mode 100755 index 00000000..fb1c2806 --- /dev/null +++ b/nagios-nrpe/files/plugins/check_ceph_osd_df 
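Review bot: `-C/--critical` is declared with `default=60` but no `type=`, so a threshold given on the command line arrives as a string and `perc >= args.critical` compares float with str — a TypeError under Python 3, and under Python 2 a comparison that is silently always false, so the check never goes critical; the fix is `parser.add_argument('-C','--critical', help='critical threshold', type=float, default=60)`. `perc = (float(db_used_bytes) / float(db_total_bytes) * 100)` has no guard for `db_total_bytes` being 0 or either key being absent (`bluefs.get` returns None), which raises ZeroDivisionError/TypeError and exits with a traceback instead of a Nagios status; `if not db_total_bytes: continue` before the division keeps the plugin within its contract. The `if err or not output:` success test shares the stderr issue raised on check_ceph_osd.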
@@ -0,0 +1,153 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +# +# check_ceph_osd_df - Check OSD DF output +# Copyright (c) 2020 noris network AG https://www.noris.de +# +# This plugin will not output perfdata as there is likely a lot of output +# which should be gathered using other tools. +# +# Parts based on code from check_ceph_df which is +# Copyright (c) 2013 SWITCH http://www.switch.ch +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +from __future__ import print_function +import argparse +import os +import subprocess +import sys +import json +from operator import itemgetter + +# Semver +__version__ = '1.0.0' + +# default ceph values +CEPH_COMMAND = '/usr/bin/ceph' + +# nagios exit code +STATUS_OK = 0 +STATUS_WARNING = 1 +STATUS_ERROR = 2 +STATUS_UNKNOWN = 3 + +def main(): + + # parse args + parser = argparse.ArgumentParser(description="'ceph osd df' nagios plugin.") + parser.add_argument('-e','--exe', help='ceph executable [%s]' % CEPH_COMMAND) + parser.add_argument('-c','--conf', help='alternative ceph conf file') + parser.add_argument('-m','--monaddress', help='ceph monitor address[:port]') + parser.add_argument('-i','--id', help='ceph client id') + parser.add_argument('-n','--name', help='ceph client name') + parser.add_argument('-k','--keyring', help='ceph client keyring file') + parser.add_argument('-W','--warn', help="warn above this percent USED", type=float) + parser.add_argument('-C','--critical', help="critical alert above this percent USED", 
type=float) + parser.add_argument('-V','--version', help='show version and exit', action='store_true') + args = parser.parse_args() + + # validate args + ceph_exec = args.exe if args.exe else CEPH_COMMAND + if not os.path.exists(ceph_exec): + print("ERROR: ceph executable '%s' doesn't exist" % ceph_exec) + return STATUS_UNKNOWN + + if args.version: + print('version %s' % __version__) + return STATUS_OK + + if args.conf and not os.path.exists(args.conf): + print("ERROR: ceph conf file '%s' doesn't exist" % args.conf) + return STATUS_UNKNOWN + + if args.keyring and not os.path.exists(args.keyring): + print("ERROR: keyring file '%s' doesn't exist" % args.keyring) + return STATUS_UNKNOWN + + if not args.warn or not args.critical or args.warn > args.critical: + print("ERROR: warn and critical level must be set and critical must be greater than warn") + return STATUS_UNKNOWN + + # build command + ceph_osd_df = [ceph_exec] + if args.monaddress: + ceph_osd_df.append('-m') + ceph_osd_df.append(args.monaddress) + if args.conf: + ceph_osd_df.append('-c') + ceph_osd_df.append(args.conf) + if args.id: + ceph_osd_df.append('--id') + ceph_osd_df.append(args.id) + if args.name: + ceph_osd_df.append('--name') + ceph_osd_df.append(args.name) + if args.keyring: + ceph_osd_df.append('--keyring') + ceph_osd_df.append(args.keyring) + ceph_osd_df.append('osd') + ceph_osd_df.append('df') + ceph_osd_df.append('--format=json') + + # exec command + p = subprocess.Popen(ceph_osd_df,stdout=subprocess.PIPE,stderr=subprocess.PIPE) + output, err = p.communicate() + + # parse output + # print "DEBUG: output:", output + # print "DEBUG: err:", err + if output: + # parse output + try: + result = json.loads(output) + check_return_value = STATUS_OK + nodes_sorted = sorted(result["nodes"], key=itemgetter('utilization','id')) + + warn_crit_osds = [] + + for node in reversed(nodes_sorted): + if node["utilization"] >= args.warn and check_return_value is not STATUS_ERROR: + check_return_value = 
STATUS_WARNING + warn_crit_osds.append("{}={:04.2f}".format(node["name"], node["utilization"])) + + if node["utilization"] >= args.critical: + check_return_value = STATUS_ERROR + warn_crit_osds.append("{}={:04.2f}".format(node["name"], node["utilization"])) + + if check_return_value == STATUS_OK: + print("OK: All OSDs within limits") + return STATUS_OK + elif check_return_value == STATUS_WARNING: + print("WARNING: OSD usage above warn threshold: {:.4054}".format(", ".join(warn_crit_osds))) + return STATUS_WARNING + elif check_return_value == STATUS_ERROR: + print("CRITICAL: OSD usage above critical or warn threshold: {:.4041}".format(", ".join(warn_crit_osds))) + return STATUS_ERROR + except: + print("ERROR: {}".format(sys.exc_info()[0])) + return STATUS_UNKNOWN + elif err: + # read only first line of error + one_line = err.split('\n')[0] + if '-1 ' in one_line: + idx = one_line.rfind('-1 ') + print('ERROR: %s: %s' % (ceph_exec, one_line[idx+len('-1 '):])) + else: + print(one_line) + + return STATUS_UNKNOWN + +if __name__ == "__main__": + sys.exit(main()) diff --git a/nagios-nrpe/files/plugins/check_ceph_rgw b/nagios-nrpe/files/plugins/check_ceph_rgw new file mode 100755 index 00000000..39773f79 --- /dev/null +++ b/nagios-nrpe/files/plugins/check_ceph_rgw 
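Review bot: The threshold loop over `reversed(nodes_sorted)` records the first OSD above the critical threshold twice (once in the warn branch, since `check_return_value` is still OK at that point, and again in the critical branch) and, once `check_return_value` is `STATUS_ERROR`, drops every OSD that is above warn but below critical, although the CRITICAL message claims to list OSDs "above critical or warn threshold". Restructuring so each OSD is classified once and appended once, as sketched below, fixes both, and `!=` should replace the `is not` identity test on ints. The bare `except:` reports only `sys.exc_info()[0]` (the exception type), which hides the `KeyError`/`ValueError` detail an operator needs; `except Exception as e:` with `e` in the message is enough. The `{:.4054}` / `{:.4041}` format specs truncate the joined OSD list at that many characters with no marker — if the intent is to bound the status line, a comment should say so, otherwise the precision should go.
```python
            for node in reversed(nodes_sorted):
                if node["utilization"] >= args.critical:
                    check_return_value = STATUS_ERROR
                elif node["utilization"] >= args.warn:
                    if check_return_value != STATUS_ERROR:
                        check_return_value = STATUS_WARNING
                else:
                    continue
                warn_crit_osds.append("{}={:04.2f}".format(node["name"], node["utilization"]))
            # … unchanged: status output and return …
```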
@@ -0,0 +1,118 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +# +# Copyright (c) 2014 Catalyst IT http://www.catalyst.net.nz +# Copyright (c) 2015 SWITCH http://www.switch.ch +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +from __future__ import print_function +import argparse +import os +import re +import subprocess +import sys +import json + +__version__ = '1.5.1' + +# default ceph values +RGW_COMMAND = '/usr/bin/radosgw-admin' + +# nagios exit code +STATUS_OK = 0 +STATUS_WARNING = 1 +STATUS_ERROR = 2 +STATUS_UNKNOWN = 3 + +def main(): + + # parse args + parser = argparse.ArgumentParser(description="'radosgw-admin bucket stats' nagios plugin.") + parser.add_argument('-d','--detail', help='output perf data for all buckets', action='store_true') + parser.add_argument('-B','--byte', help='output perf data in Byte instead of KB', action='store_true') + parser.add_argument('-e','--exe', help='radosgw-admin executable [%s]' % RGW_COMMAND) + parser.add_argument('-c','--conf', help='alternative ceph conf file') + parser.add_argument('-i','--id', help='ceph client id') + parser.add_argument('-n','--name', help='ceph client name (type.id)') + parser.add_argument('-V','--version', help='show version and exit', action='store_true') + args = parser.parse_args() + + # validate args + rgw_exec = args.exe if args.exe else RGW_COMMAND + if not os.path.exists(rgw_exec): + print("RGW ERROR: radosgw-admin executable '%s' doesn't exist" % rgw_exec) + return STATUS_UNKNOWN + + 
if args.version: + print('version %s' % __version__) + return STATUS_OK + + if args.conf and not os.path.exists(args.conf): + print("RGW ERROR: ceph conf file '%s' doesn't exist" % args.conf) + return STATUS_UNKNOWN + + # build command + rgw_cmd = [rgw_exec] + if args.conf: + rgw_cmd.append('-c') + rgw_cmd.append(args.conf) + if args.id: + rgw_cmd.append('--id') + rgw_cmd.append(args.id) + if args.name: + rgw_cmd.append('-n') + rgw_cmd.append(args.name) + rgw_cmd.append('bucket') + rgw_cmd.append('stats') + + # exec command + p = subprocess.Popen(rgw_cmd,stdout=subprocess.PIPE,stderr=subprocess.PIPE) + output, err = p.communicate() + + if p.returncode != 0 or not output: + print("RGW ERROR: %s :: %s" % (output, err)) + return STATUS_ERROR + + bucket_stats = json.loads(output) + #print bucket_stats + + buckets = [] + for i in bucket_stats: + if type(i) is dict: + bucket_name = i['bucket'] + usage_dict = i['usage'] + if usage_dict and 'rgw.main' in usage_dict: + bucket_usage_kb = usage_dict['rgw.main']['size_kb_actual'] + else: + bucket_usage_kb = 0 + buckets.append((bucket_name, bucket_usage_kb)) + buckets_total_kb = sum([b[1] for b in buckets]) + + if args.byte: + status = "RGW OK: {} buckets, {} KB total | /={}B ".format(len(buckets),buckets_total_kb,buckets_total_kb*1024) + else: + status = "RGW OK: {} buckets, {} KB total | /={}KB ".format(len(buckets),buckets_total_kb,buckets_total_kb) + #print buckets + if buckets and args.detail: + if args.byte: + status = status + " ".join(["{}={}B".format(b[0],b[1]*1024) for b in buckets]) + else: + status = status + " ".join(["{}={}KB".format(b[0],b[1]) for b in buckets]) + + print(status) + return STATUS_OK + +if __name__ == "__main__": + sys.exit(main()) diff --git a/nagios-nrpe/files/plugins/check_ceph_rgw_api b/nagios-nrpe/files/plugins/check_ceph_rgw_api new file mode 100755 index 00000000..1235f98d --- /dev/null +++ b/nagios-nrpe/files/plugins/check_ceph_rgw_api 
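Review bot: `bucket_stats = json.loads(output)` in the middle of the new file is not guarded, so any non-JSON on stdout (a warning line mixed into the output, or a truncated document) ends in an uncaught ValueError: the interpreter exits with status 1, which NRPE reports as WARNING typically with no usable plugin output, while the traceback goes to stderr where NRPE does not forward it. The sibling check_ceph_osd_df plugin earlier in this patch wraps its parsing and returns STATUS_UNKNOWN, and this plugin should do the same; the `i['bucket']` / `i['usage']` lookups in the loop below it assume the documented shape of `radosgw-admin bucket stats` output and deserve the same treatment. A smaller portability point: `#!/usr/bin/env python` only resolves on hosts that still provide an unversioned `python`; the file already imports `print_function`, so `python3` would be the safer interpreter line.
```python
    # … unchanged: returncode / empty-output check …
    try:
        bucket_stats = json.loads(output)
    except ValueError as e:
        print("RGW ERROR: cannot parse 'bucket stats' output: %s" % e)
        return STATUS_UNKNOWN
    # … unchanged: per-bucket loop and status line …
```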
@@ -0,0 +1,116 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +# +# Copyright (c) 2014 Catalyst IT http://www.catalyst.net.nz +# Copyright (c) 2015 SWITCH http://www.switch.ch +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import print_function +import requests +import warnings +import json +import argparse +import sys +from awsauth import S3Auth + +__version__ = '1.7.2' + +# nagios exit code +STATUS_OK = 0 +STATUS_WARNING = 1 +STATUS_CRITICAL = 2 +STATUS_UNKNOWN = 3 + +def main(): + + # parse args + parser = argparse.ArgumentParser(description="'radosgw api bucket stats' nagios plugin.") + parser.add_argument('-H', '--host', help="Server URL for the radosgw api (example: http://objects.dreamhost.com/)", required=True) + parser.add_argument('-k', '--insecure', help="Allow insecure server connections when using SSL", action="store_false") + parser.add_argument('-e', '--admin_entry', help="The entry point for an admin request URL [default is '%(default)s']", default="admin") + parser.add_argument('-a', '--access_key', help="S3 access key", required=True) + parser.add_argument('-s', '--secret_key', help="S3 secret key", required=True) + parser.add_argument('-d', '--detail', help="output perf data for all buckets", action="store_true") + parser.add_argument('-b', '--byte', help="output perf data in Byte instead of KB", action="store_true") + parser.add_argument('-v', '--version', help='show version and exit', action="store_true") + args = 
parser.parse_args() + + if args.version: + print("version {0}".format(__version__)) + return STATUS_OK + + # helpers for default schema + if not args.host.startswith("http"): + args.host = "http://{0}".format(args.host) + # and for request_uri + if not args.host.endswith("/"): + args.host = "{0}/".format(args.host) + + url = "{0}{1}/bucket?format=json&stats=True".format(args.host, + args.admin_entry) + + try: + # Inversion of condition, when '--insecure' is defined we disable + # requests warning about certificate hostname mismatch. + if not args.insecure: + warnings.filterwarnings('ignore', message='Unverified HTTPS request') + + response = requests.get(url, verify=args.insecure, + auth=S3Auth(args.access_key, args.secret_key, + args.host)) + + if response.status_code == requests.codes.ok: + bucket_stats = response.json() + else: + # no usage caps or wrong admin entry + print("RGW ERROR [{0}]: {1}".format(response.status_code, + response.content.decode('utf-8'))) + return STATUS_WARNING + +# DNS, connection errors, etc + except requests.exceptions.RequestException as e: + print("RGW ERROR: {0}".format(e)) + return STATUS_UNKNOWN + + #print(bucket_stats) + buckets = [] + for i in bucket_stats: + if type(i) is dict: + bucket_name = i['bucket'] + usage_dict = i['usage'] + if usage_dict and 'rgw.main' in usage_dict: + bucket_usage_kb = usage_dict['rgw.main']['size_kb_actual'] + else: + bucket_usage_kb = 0 + buckets.append((bucket_name, bucket_usage_kb)) + buckets_total_kb = sum([b[1] for b in buckets]) + + status = "RGW OK: {0} buckets, {1} KB total | /={2}{3} " + + if args.byte: + status = status.format(len(buckets), buckets_total_kb, buckets_total_kb*1024, "B") + else: + status = status.format(len(buckets), buckets_total_kb, buckets_total_kb, "KB") + #print(buckets) + if buckets and args.detail: + if args.byte: + status = status + " ".join(["{}={}B".format(b[0], b[1]*1024) for b in buckets]) + else: + status = status + " ".join(["{}={}KB".format(b[0], b[1]) for b in 
buckets]) + + print(status) + return STATUS_OK + +if __name__ == "__main__": + sys.exit(main()) -- 2.39.2 From 396afa0a75254b4847839ea98b8eb4a716139c3b Mon Sep 17 00:00:00 2001 From: Alexis Ben Miloud--Josselin Date: Tue, 15 Nov 2022 11:08:01 +0100 Subject: [PATCH 260/497] nagios-nrpe: add ceph checks to changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2f490d12..81a9ea7b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * nagios-nrpe: check_haproxy_stats supports DRAIN status * lxc-php: set php-fpm umask to 007 * varnish: create special tmp directory for syntax validation +* nagios-nrpe: check_ceph_* ### Changed -- 2.39.2 From d289c769703c88aa67f862b4eaac609e95a92b3a Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 21 Nov 2022 14:15:49 +0100 Subject: [PATCH 261/497] varnish: fix package facts --- varnish/tasks/main.yml | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/varnish/tasks/main.yml b/varnish/tasks/main.yml index 67fe2d6e..663b6461 100644 --- a/varnish/tasks/main.yml +++ b/varnish/tasks/main.yml @@ -9,13 +9,27 @@ - name: Fetch packages package_facts: manager: auto + check_mode: no tags: - varnish + - config + - update-config - set_fact: - varnish_package_facts: ansible_facts.packages['varnish'] | first + varnish_package_facts: "{{ ansible_facts.packages['varnish'] | first }}" + check_mode: no tags: - varnish + - config + - update-config + +# - debug: +# var: varnish_package_facts +# check_mode: no +# tags: +# - varnish +# - config +# - update-config - name: Remove default varnish configuration files file: @@ -53,6 +67,7 @@ - name: Remove legacy systemd override file: dest: /etc/systemd/system/varnish.service.d/evolinux.conf + state: absent notify: - reload systemd tags: -- 2.39.2 From ecd9d1543fce0a7fff46ed55600ac66fbc23671c Mon Sep 17 00:00:00 2001 
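Review bot: `-s/--secret_key` takes the S3 secret on the command line, so for the lifetime of each check it is readable by every local user through `ps` or `/proc/<pid>/cmdline`, and it is also stored in clear in the NRPE command definition. Reading the secret from a root-only file (or an environment variable set by the caller) and keeping only the access key on argv is the usual way to avoid this in a plugin that runs every few minutes; documenting the exposure in the `--secret_key` help text would be the minimum. Separately, depending on the installed requests version `response.json()` may raise a plain ValueError on a non-JSON body, which the `except requests.exceptions.RequestException` clause does not catch, so the plugin would exit 1 (WARNING) instead of STATUS_UNKNOWN. Finally, the `store_false` action for `-k/--insecure` makes `args.insecure` mean "verify"; the inline comment explains it, but giving the option `dest='verify'` would make the `verify=args.insecure` line read naturally.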
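Review bot: In the `set_fact` of the first varnish hunk, `"{{ ansible_facts.packages['varnish'] | first }}"` fails with an undefined-variable error when the varnish package is not installed on the host, and with `check_mode: no` that failure now also happens during `--check` runs; the previous value was a literal string (no braces), so this failure mode is new, and whether an install task precedes line 9 is outside the hunk. A guard such as `when: "'varnish' in ansible_facts.packages"` on the `set_fact` (and on whatever later consumes `varnish_package_facts`) keeps the role usable on a fresh host. The same lines appear again in the next commit, "varnish: better package facts usage with check mode and tags", so the fix applies there too. The commented-out `debug` task is dead code in the task file; either drop it or make it a real task gated by a role variable.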
From: Jeremy Lecour Date: Mon, 21 Nov 2022 15:46:46 +0100 Subject: [PATCH 262/497] varnish: better package facts usage with check mode and tags --- CHANGELOG.md | 1 + varnish/tasks/main.yml | 16 +++++++++++++++- 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 81a9ea7b..dac275af 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -31,6 +31,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * redis: some values should be quoted * redis: variable to disable transparent hugepage (default: do nothing) * squid: whitelist deb.freexian.com +* varnish: better package facts usage with check mode and tags * varnish: systemd override depends on Varnish version instead of Debian version ### Fixed diff --git a/varnish/tasks/main.yml b/varnish/tasks/main.yml index 67fe2d6e..f2545264 100644 --- a/varnish/tasks/main.yml +++ b/varnish/tasks/main.yml @@ -9,13 +9,27 @@ - name: Fetch packages package_facts: manager: auto + check_mode: no tags: - varnish + - config + - update-config - set_fact: - varnish_package_facts: ansible_facts.packages['varnish'] | first + varnish_package_facts: "{{ ansible_facts.packages['varnish'] | first }}" + check_mode: no tags: - varnish + - config + - update-config + +# - debug: +# var: varnish_package_facts +# check_mode: no +# tags: +# - varnish +# - config +# - update-config - name: Remove default varnish configuration files file: -- 2.39.2 From 171ece7bbad0b2ff2a160e1c00e36cc6e01fc3b8 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Thu, 24 Nov 2022 11:13:12 +0100 Subject: [PATCH 263/497] MongoDB: Dimiss apt-key use (#58271) and allow to choose mongodb_version on Jessie --- mongodb/tasks/main_jessie.yml | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/mongodb/tasks/main_jessie.yml b/mongodb/tasks/main_jessie.yml index db69c7c7..8c13e0e4 100644 --- a/mongodb/tasks/main_jessie.yml +++ b/mongodb/tasks/main_jessie.yml 
@@ -1,15 +1,31 @@ --- -- name: MongoDB public GPG Key +- name: Look for legacy apt keyring + stat: + path: /etc/apt/trusted.gpg + register: _trusted_gpg_keyring + +- name: MongoDB embedded GPG key is absent apt_key: - # url: https://www.mongodb.org/static/pgp/server-3.4.asc - data: "{{ lookup('file', 'server-3.4.asc') }}" + id: "B8612B5D" + keyring: /etc/apt/trusted.gpg + state: absent + when: _trusted_gpg_keyring.stat.exists + +- name: Add MongoDB GPG key + copy: + src: "server-{{mongodb_version}}.asc" + dest: "/etc/apt/trusted.gpg.d/mongodb-server-{{mongodb_version}}.asc" + force: yes + mode: "0644" + owner: root + group: root - name: enable APT sources list apt_repository: - repo: deb http://repo.mongodb.org/apt/debian jessie/mongodb-org/3.4 main + repo: "deb http://repo.mongodb.org/apt/debian jessie/mongodb-org/{{mongodb_version}} main" state: present - filename: mongodb + filename: "mongodb-org-{{mongodb_version}}" update_cache: yes - name: Install packages -- 2.39.2 From 057224fb38a1d73ba69b4da86c75cf9e83bced71 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Fri, 25 Nov 2022 15:56:19 +0100 Subject: [PATCH 264/497] Skip task in check_mode --- lxc-php/tasks/umask.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/lxc-php/tasks/umask.yml b/lxc-php/tasks/umask.yml index 4a2fde5d..170851ab 100644 --- a/lxc-php/tasks/umask.yml +++ b/lxc-php/tasks/umask.yml @@ -25,6 +25,7 @@ regex: "^UMask=" line: "UMask=0007" insertafter: "\\[Service\\]" + when: not ansible_check_mode notify: - "Daemon reload" - "Restart PHP-FPM" -- 2.39.2 From 665177556ed9acd69f038e4fb71d6f39f893a991 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 26 Nov 2022 19:09:05 +0100 Subject: [PATCH 265/497] evomaintenance: allow missing API endpoint if APi is disabled --- CHANGELOG.md | 1 + evomaintenance/tasks/config.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index dac275af..47673655 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
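Review bot: The new `Add MongoDB GPG key` task copies an ASCII-armored `.asc` file into `/etc/apt/trusted.gpg.d/`, and if I recall correctly the apt shipped with jessie (1.0.x) only loads binary `.gpg` keyrings from that directory, so the key would be silently ignored and `apt-get update` would report the MongoDB source as unsigned (NO_PUBKEY); this task file is jessie-specific, so the apt version matters and this is worth verifying on a jessie host rather than trusting my memory. If confirmed, ship a dearmored `.gpg` file or dearmor on the host (`gpg --dearmor`) before placing it. Independently of that, anything in `trusted.gpg.d` is trusted for every configured apt source, not just MongoDB's; where the apt version allows it, the tighter form is the one the docker-host role in this series uses, a key kept outside `trusted.gpg.d` and referenced with `[signed-by=…]` in the `deb` line. The short key id `B8612B5D` used for removal is acceptable for a local keyring, but recording the full fingerprint in a comment would make the intent unambiguous.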
@@ -23,6 +23,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * evolinux-base: utils.yml can be excluded * evolinux-todo: execute tasks only for Debian distribution (because this task is a dependency for others roles used on different distributions) * evolinux-user: Add sudoers privilege for chck php\_fpm81 +* evomaintenance: allow missing API endpoint if APi is disabled * java: use default JRE package when version is not specified * lxc-solr: detect the real partition options * lxc-solr: download URL according to Solr Version diff --git a/evomaintenance/tasks/config.yml b/evomaintenance/tasks/config.yml index 097e9770..99339874 100644 --- a/evomaintenance/tasks/config.yml +++ b/evomaintenance/tasks/config.yml @@ -5,6 +5,7 @@ - evomaintenance_api_endpoint is not none - evomaintenance_api_key is not none msg: evomaintenance api variables must be set + when: evomaintenance_hook_api | bool - name: Configuration is installed template: -- 2.39.2 From 54dca82838d2d2d04bec5b13e100c219af15a020 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 26 Nov 2022 19:10:21 +0100 Subject: [PATCH 266/497] varnish: fix missing state, that blocked the task --- CHANGELOG.md | 1 + varnish/tasks/main.yml | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 47673655..e2b758ef 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -39,6 +39,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * evolinux-user: Fix sudoers privilege for check php\_fpm80 * nagios-nrpe: Fix check opendkim for recent change in listening port +* varnish: fix missing state, that blocked the task ### Removed diff --git a/varnish/tasks/main.yml b/varnish/tasks/main.yml index f2545264..43399f0d 100644 --- a/varnish/tasks/main.yml +++ b/varnish/tasks/main.yml 
@@ -66,7 +66,8 @@ - name: Remove legacy systemd override file: - dest: /etc/systemd/system/varnish.service.d/evolinux.conf + path: /etc/systemd/system/varnish.service.d/evolinux.conf + state: absent notify: - reload systemd tags: -- 2.39.2 From 4156142c856aa6cc90d7c77671b1118c9cf2a76b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 27 Nov 2022 18:07:30 +0100 Subject: [PATCH 267/497] docker: no need to specify the architecture We use only adm64 servers (for now) --- docker-host/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-host/tasks/main.yml b/docker-host/tasks/main.yml index 1262dd03..c60763d8 100644 --- a/docker-host/tasks/main.yml +++ b/docker-host/tasks/main.yml @@ -27,7 +27,7 @@ - name: Add Docker repository apt_repository: - repo: 'deb [arch=amd64 signed-by={{ apt_keyring_dir }}/docker-debian.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable' + repo: 'deb [signed-by={{ apt_keyring_dir }}/docker-debian.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable' state: present filename: docker.list -- 2.39.2 From c96f28e47b6c6e48f77009bdd66d21bd007cf876 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 27 Nov 2022 22:14:39 +0100 Subject: [PATCH 268/497] evocheck: install script according to Debian version --- CHANGELOG.md | 1 + evocheck/files/evocheck.jessie.sh | 1307 +++++++++++++++++++++++++++++ evocheck/files/evocheck.sh | 570 ++++--------- evocheck/files/evocheck.wheezy.sh | 1252 +++++++++++++++++++++++++++ evocheck/tasks/install.yml | 17 +- 5 files changed, 2749 insertions(+), 398 deletions(-) create mode 100755 evocheck/files/evocheck.jessie.sh create mode 100755 evocheck/files/evocheck.wheezy.sh diff --git a/CHANGELOG.md b/CHANGELOG.md index f0d8879a..6fa86d5d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
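Review bot: Dropping `arch=amd64` from the `deb` line in the docker-host hunk widens the source to every dpkg architecture enabled on the host, so on a server with a foreign architecture added (for example i386 for a legacy package) `apt-get update` will also try to fetch that architecture's index from the Docker repository on every run. If the goal is only to stop hard-coding amd64, the restriction can stay and be derived: register the output of `dpkg --print-architecture` in a preceding task and use `arch={{ dpkg_arch.stdout }}` in the line (`dpkg_arch` being a constructed name for that registered result). As written the change is otherwise fine, and the `signed-by=` option keeps the repository pinned to its own key.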
@@ -24,6 +24,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* evocheck: install script according to Debian version * evolinux-base: utils.yml can be excluded * evolinux-todo: execute tasks only for Debian distribution (because this task is a dependency for others roles used on different distributions) * evolinux-user: Add sudoers privilege for chck php\_fpm81 diff --git a/evocheck/files/evocheck.jessie.sh b/evocheck/files/evocheck.jessie.sh new file mode 100755 index 00000000..a5a32a5a --- /dev/null +++ b/evocheck/files/evocheck.jessie.sh 
@@ -0,0 +1,1307 @@ +#!/bin/bash + +# EvoCheck +# Script to verify compliance of a Linux (Debian) server +# powered by Evolix + +VERSION="22.11" +readonly VERSION + +# base functions + +show_version() { + cat <, + Romain Dessort , + Benoit Série , + Gregory Colpart , + Jérémy Lecour , + Tristan Pilat , + Victor Laborie , + Alexis Ben Miloud--Josselin , + and others. + +evocheck comes with ABSOLUTELY NO WARRANTY. This is free software, +and you are welcome to redistribute it under certain conditions. +See the GNU General Public License v3.0 for details. +END +} +show_help() { + cat <&2 + echo "This version is built for Debian 8 only." >&2 + exit + fi + + DEBIAN_RELEASE="jessie" + fi +} + +is_pack_web(){ + test -e /usr/share/scripts/web-add.sh || test -e /usr/share/scripts/evoadmin/web-add.sh +} +is_pack_samba(){ + test -e /usr/share/scripts/add.pl +} +is_installed(){ + for pkg in "$@"; do + dpkg -l "$pkg" 2> /dev/null | grep -q -E '^(i|h)i' || return 1 + done +} + +# logging + +failed() { + check_name=$1 + shift + check_comments=$* + + RC=1 + if [ "${QUIET}" != 1 ]; then + if [ -n "${check_comments}" ] && [ "${VERBOSE}" = 1 ]; then + printf "%s FAILED! %s\n" "${check_name}" "${check_comments}" >> "${main_output_file}" + else + printf "%s FAILED!\n" "${check_name}" >> "${main_output_file}" + fi + fi +} + +# check functions + +check_lsbrelease(){ + if [ -x "${LSB_RELEASE_BIN}" ]; then + ## only the major version matters + lhs=$(${LSB_RELEASE_BIN} --release --short | cut -d "." -f 1) + rhs=$(cut -d "." -f 1 < /etc/debian_version) + test "$lhs" = "$rhs" || failed "IS_LSBRELEASE" "release is not consistent between lsb_release (${lhs}) and /etc/debian_version (${rhs})" + else + failed "IS_LSBRELEASE" "lsb_release is missing or not executable" + fi +} + +# Verifying check_mailq in Nagios NRPE config file. 
(Option "-M postfix" need to be set if the MTA is Postfix) +check_nrpepostfix() { + if is_installed postfix; then + { test -e /etc/nagios/nrpe.cfg \ + && grep -qr "^command.*check_mailq -M postfix" /etc/nagios/nrpe.*; + } || failed "IS_NRPEPOSTFIX" "NRPE \"check_mailq\" for postfix is missing" + fi +} +# Check if mod-security config file is present +check_customsudoers() { + grep -E -qr "umask=0077" /etc/sudoers* || failed "IS_CUSTOMSUDOERS" "missing umask=0077 in sudoers file" +} +check_vartmpfs() { + FINDMNT_BIN=$(command -v findmnt) + if [ -x "${FINDMNT_BIN}" ]; then + ${FINDMNT_BIN} /var/tmp --type tmpfs --noheadings > /dev/null || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs" + else + df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs" + fi +} +check_serveurbase() { + is_installed serveur-base || failed "IS_SERVEURBASE" "serveur-base package is not installed" +} +check_logrotateconf() { + test -e /etc/logrotate.d/zsyslog || failed "IS_LOGROTATECONF" "missing zsyslog in logrotate.d" +} +check_syslogconf() { + grep -q "^# Syslog for Pack Evolix serveur" /etc/*syslog.conf \ + || failed "IS_SYSLOGCONF" "syslog evolix config file missing" +} +check_debiansecurity() { + # Look for enabled "Debian-Security" sources from the "Debian" origin + apt-cache policy | grep "\bl=Debian-Security\b" | grep "\bo=Debian\b" | grep --quiet "\bc=main\b" + test $? 
-eq 0 || failed "IS_DEBIANSECURITY" "missing Debian-Security repository" +} +check_aptitude() { + test -e /usr/bin/aptitude && failed "IS_APTITUDE" "aptitude may not be installed on Debian >=8" +} +check_aptgetbak() { + test -e /usr/bin/apt-get.bak && failed "IS_APTGETBAK" "prohibit the installation of apt-get.bak with dpkg-divert(1)" +} +check_usrro() { + grep /usr /etc/fstab | grep -qE "\bro\b" || failed "IS_USRRO" "missing ro directive on fstab for /usr" +} +check_tmpnoexec() { + FINDMNT_BIN=$(command -v findmnt) + if [ -x "${FINDMNT_BIN}" ]; then + options=$(${FINDMNT_BIN} --noheadings --first-only --output OPTIONS /tmp) + echo "${options}" | grep -qE "\bnoexec\b" || failed "IS_TMPNOEXEC" "/tmp is not mounted with 'noexec'" + else + mount | grep "on /tmp" | grep -qE "\bnoexec\b" || failed "IS_TMPNOEXEC" "/tmp is not mounted with 'noexec' (WARNING: findmnt(8) is not found)" + fi +} +check_mountfstab() { + # Test if lsblk available, if not skip this test... + LSBLK_BIN=$(command -v lsblk) + if test -x "${LSBLK_BIN}"; then + for mountPoint in $(${LSBLK_BIN} -o MOUNTPOINT -l -n | grep '/'); do + grep -Eq "$mountPoint\W" /etc/fstab \ + || failed "IS_MOUNT_FSTAB" "partition(s) detected mounted but no presence in fstab" + done + fi +} +check_listchangesconf() { + if [ -e "/etc/apt/listchanges.conf" ]; then + lines=$(grep -cE "(which=both|confirm=1)" /etc/apt/listchanges.conf) + if [ "$lines" != 2 ]; then + failed "IS_LISTCHANGESCONF" "apt-listchanges config is incorrect" + fi + else + failed "IS_LISTCHANGESCONF" "apt-listchanges config is missing" + fi +} +check_customcrontab() { + found_lines=$(grep -c -E "^(17 \*|25 6|47 6|52 6)" /etc/crontab) + test "$found_lines" = 4 && failed "IS_CUSTOMCRONTAB" "missing custom field in crontab" +} +check_sshallowusers() { + grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d \ + || failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config" +} +check_diskperf() { + 
perfFile="/root/disk-perf.txt" + test -e $perfFile || failed "IS_DISKPERF" "missing ${perfFile}" +} +check_tmoutprofile() { + grep -sq "TMOUT=" /etc/profile /etc/profile.d/evolinux.sh || failed "IS_TMOUTPROFILE" "TMOUT is not set" +} +check_alert5boot() { + if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then + grep -q "^date" /etc/rc2.d/S*alert5 || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script" + elif [ -n "$(find /etc/init.d/ -name 'alert5')" ]; then + grep -q "^date" /etc/init.d/alert5 || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 int script" + else + failed "IS_ALERT5BOOT" "alert5 init script is missing" + fi +} +check_alert5minifw() { + if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then + grep -q "^/etc/init.d/minifirewall" /etc/rc2.d/S*alert5 \ + || failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 init script" + elif [ -n "$(find /etc/init.d/ -name 'alert5')" ]; then + grep -q "^/etc/init.d/minifirewall" /etc/init.d/alert5 \ + || failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 init script" + else + failed "IS_ALERT5MINIFW" "alert5 init script is missing" + fi +} +check_minifw() { + /sbin/iptables -L -n | grep -q -E "^ACCEPT\s*all\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" \ + || failed "IS_MINIFW" "minifirewall seems not started" +} +check_nrpeperms() { + if [ -d /etc/nagios ]; then + nagiosDir="/etc/nagios" + actual=$(stat --format "%a" $nagiosDir) + expected="750" + test "$expected" = "$actual" || failed "IS_NRPEPERMS" "${nagiosDir} must be ${expected}" + fi +} +check_minifwperms() { + if [ -f "/etc/default/minifirewall" ]; then + actual=$(stat --format "%a" "/etc/default/minifirewall") + expected="600" + test "$expected" = "$actual" || failed "IS_MINIFWPERMS" "/etc/default/minifirewall must be ${expected}" + fi +} +check_nrpedisks() { + NRPEDISKS=$(grep command.check_disk /etc/nagios/nrpe.cfg | grep "^command.check_disk[0-9]" | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | 
tail -1) + DFDISKS=$(df -Pl | grep -c -E -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)") + test "$NRPEDISKS" = "$DFDISKS" || failed "IS_NRPEDISKS" "there must be $DFDISKS check_disk in nrpe.cfg" +} +check_nrpepid() { + { test -e /etc/nagios/nrpe.cfg \ + && grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg; + } || failed "IS_NRPEPID" "missing or wrong pid_file directive in nrpe.cfg" +} +check_grsecprocs() { + if uname -a | grep -q grsec; then + { grep -q "^command.check_total_procs..sudo" /etc/nagios/nrpe.cfg \ + && grep -A1 "^\[processes\]" /etc/munin/plugin-conf.d/munin-node | grep -q "^user root"; + } || failed "IS_GRSECPROCS" "missing munin's plugin processes directive for grsec" + fi +} +check_apachemunin() { + if test -e /etc/apache2/apache2.conf; then + pattern="/server-status-[[:alnum:]]{4,}" + { grep -r -q -s -E "^env.url.*${pattern}" /etc/munin/plugin-conf.d \ + && { grep -q -s -E "${pattern}" /etc/apache2/apache2.conf \ + || grep -q -s -E "${pattern}" /etc/apache2/mods-enabled/status.conf; + }; + } || failed "IS_APACHEMUNIN" "server status is not properly configured" + fi +} +# Verification mytop + Munin si MySQL +check_mysqlutils() { + MYSQL_ADMIN=${MYSQL_ADMIN:-mysqladmin} + if is_installed mysql-server; then + # You can configure MYSQL_ADMIN in evocheck.cf + if ! grep -qs "^user *= *${MYSQL_ADMIN}" /root/.my.cnf; then + failed "IS_MYSQLUTILS" "${MYSQL_ADMIN} missing in /root/.my.cnf" + fi + if ! test -x /usr/bin/mytop; then + if ! test -x /usr/local/bin/mytop; then + failed "IS_MYSQLUTILS" "mytop binary missing" + fi + fi + if ! 
grep -qs '^user *=' /root/.mytop; then + failed "IS_MYSQLUTILS" "credentials missing in /root/.mytop" + fi + fi +} +# Verification de la configuration du raid soft (mdadm) +check_raidsoft() { + if test -e /proc/mdstat && grep -q md /proc/mdstat; then + { grep -q "^AUTOCHECK=true" /etc/default/mdadm \ + && grep -q "^START_DAEMON=true" /etc/default/mdadm \ + && grep -qv "^MAILADDR ___MAIL___" /etc/mdadm/mdadm.conf; + } || failed "IS_RAIDSOFT" "missing or wrong config for mdadm" + fi +} +# Verification du LogFormat de AWStats +check_awstatslogformat() { + if is_installed apache2 awstats; then + awstatsFile="/etc/awstats/awstats.conf.local" + grep -qE '^LogFormat=1' $awstatsFile \ + || failed "IS_AWSTATSLOGFORMAT" "missing or wrong LogFormat directive in $awstatsFile" + fi +} +# Verification de la présence de la config logrotate pour Munin +check_muninlogrotate() { + { test -e /etc/logrotate.d/munin-node \ + && test -e /etc/logrotate.d/munin; + } || failed "IS_MUNINLOGROTATE" "missing lorotate file for munin" +} +# Verification de l'activation de Squid dans le cas d'un pack mail +check_squid() { + squidconffile="/etc/squid*/squid.conf" + if is_pack_web && (is_installed squid || is_installed squid3); then + host=$(hostname -i) + # shellcheck disable=SC2086 + http_port=$(grep -E "^http_port\s+[0-9]+" $squidconffile | awk '{ print $2 }') + { grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" "/etc/default/minifirewall" \ + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d $host -j ACCEPT" "/etc/default/minifirewall" \ + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" "/etc/default/minifirewall" \ + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* $http_port" "/etc/default/minifirewall"; + } || grep -qE "^PROXY='?on'?" 
"/etc/default/minifirewall" \ + || failed "IS_SQUID" "missing squid rules in minifirewall" + fi +} +check_evomaintenance_fw() { + if [ -f "/etc/default/minifirewall" ]; then + hook_db=$(grep -E '^\s*HOOK_DB' /etc/evomaintenance.cf | tr -d ' ' | cut -d= -f2) + rulesNumber=$(grep -c "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s .* -m state --state ESTABLISHED,RELATED -j ACCEPT" "/etc/default/minifirewall") + if [ "$hook_db" = "1" ] && [ "$rulesNumber" -lt 2 ]; then + failed "IS_EVOMAINTENANCE_FW" "HOOK_DB is enabled but missing evomaintenance rules in minifirewall" + fi + fi +} +# Verification de la conf et de l'activation de mod-deflate +check_moddeflate() { + f=/etc/apache2/mods-enabled/deflate.conf + if is_installed apache2.2; then + { test -e $f && grep -q "AddOutputFilterByType DEFLATE text/html text/plain text/xml" $f \ + && grep -q "AddOutputFilterByType DEFLATE text/css" $f \ + && grep -q "AddOutputFilterByType DEFLATE application/x-javascript application/javascript" $f; + } || failed "IS_MODDEFLATE" "missing AddOutputFilterByType directive for apache mod deflate" + fi +} +# Verification de la conf log2mail +check_log2mailrunning() { + if is_pack_web && is_installed log2mail; then + pgrep log2mail >/dev/null || failed "IS_LOG2MAILRUNNING" "log2mail is not running" + fi +} +check_log2mailapache() { + conf=/etc/log2mail/config/default + if is_pack_web && is_installed log2mail; then + grep -s -q "^file = /var/log/apache2/error.log" $conf \ + || failed "IS_LOG2MAILAPACHE" "missing log2mail directive for apache" + fi +} +check_log2mailmysql() { + if is_pack_web && is_installed log2mail; then + grep -s -q "^file = /var/log/syslog" /etc/log2mail/config/{default,mysql,mysql.conf} \ + || failed "IS_LOG2MAILMYSQL" "missing log2mail directive for mysql" + fi +} +check_log2mailsquid() { + if is_pack_web && is_installed log2mail; then + grep -s -q "^file = /var/log/squid.*/access.log" /etc/log2mail/config/* \ + || failed "IS_LOG2MAILSQUID" "missing 
log2mail directive for squid" + fi +} +# Verification si bind est chroote +check_bindchroot() { + if is_installed bind9; then + if netstat -utpln | grep "/named" | grep :53 | grep -qvE "(127.0.0.1|::1)"; then + if grep -q '^OPTIONS=".*-t' /etc/default/bind9 && grep -q '^OPTIONS=".*-u' /etc/default/bind9; then + md5_original=$(md5sum /usr/sbin/named | cut -f 1 -d ' ') + md5_chrooted=$(md5sum /var/chroot-bind/usr/sbin/named | cut -f 1 -d ' ') + if [ "$md5_original" != "$md5_chrooted" ]; then + failed "IS_BINDCHROOT" "the chrooted bind binary is different than the original binary" + fi + else + failed "IS_BINDCHROOT" "bind process is not chrooted" + fi + fi + fi +} +# /etc/network/interfaces should be present, we don't manage systemd-network yet +check_network_interfaces() { + if ! test -f /etc/network/interfaces; then + IS_AUTOIF=0 + IS_INTERFACESGW=0 + failed "IS_NETWORK_INTERFACES" "systemd network configuration is not supported yet" + fi +} +# Verify if all if are in auto +check_autoif() { + interfaces=$(/sbin/ifconfig -s | tail -n +2 | grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap|vrrp)" | cut -d " " -f 1 |tr "\n" " ") + for interface in $interfaces; do + if grep -Rq "^iface $interface" /etc/network/interfaces* && ! 
grep -Rq "^auto $interface" /etc/network/interfaces*; then + failed "IS_AUTOIF" "Network interface \`${interface}' is statically defined but not set to auto" + test "${VERBOSE}" = 1 || break + fi + done +} +# Network conf verification +check_interfacesgw() { + number=$(grep -Ec "^[^#]*gateway [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" /etc/network/interfaces) + test "$number" -gt 1 && failed "IS_INTERFACESGW" "there is more than 1 IPv4 gateway" + number=$(grep -Ec "^[^#]*gateway [0-9a-fA-F]+:" /etc/network/interfaces) + test "$number" -gt 1 && failed "IS_INTERFACESGW" "there is more than 1 IPv6 gateway" +} +# Verification de la mise en place d'evobackup +check_evobackup() { + evobackup_found=$(find /etc/cron* -name '*evobackup*' | wc -l) + test "$evobackup_found" -gt 0 || failed "IS_EVOBACKUP" "missing evobackup cron" +} +# Vérification de l'exclusion des montages (NFS) dans les sauvegardes +check_evobackup_exclude_mount() { + excludes_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.evobackup_exclude_mount.XXXXX") + files_to_cleanup="${files_to_cleanup} ${excludes_file}" + + # shellcheck disable=SC2044 + for evobackup_file in $(find /etc/cron* -name '*evobackup*' | grep -v -E ".disabled$"); do + # if the file seems to be a backup script, with an Rsync invocation + if grep -q "^\s*rsync" "${evobackup_file}"; then + # If rsync is not limited by "one-file-system" + # then we verify that every mount is excluded + if ! 
grep -q -- "^\s*--one-file-system" "${evobackup_file}"; then + grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}" + not_excluded=$(findmnt --type nfs,nfs4,fuse.sshfs, -o target --noheadings | grep -v -f "${excludes_file}") + for mount in ${not_excluded}; do + failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script" + done + fi + fi + done +} +# Verification de la presence du userlogrotate +check_userlogrotate() { + if is_pack_web; then + test -x /etc/cron.weekly/userlogrotate || failed "IS_USERLOGROTATE" "missing userlogrotate cron" + fi +} +# Verification de la syntaxe de la conf d'Apache +check_apachectl() { + if is_installed apache2; then + /usr/sbin/apache2ctl configtest 2>&1 | grep -q "^Syntax OK$" \ + || failed "IS_APACHECTL" "apache errors detected, run a configtest" + fi +} +# Check if there is regular files in Apache sites-enabled. +check_apachesymlink() { + if is_installed apache2; then + apacheFind=$(find /etc/apache2/sites-enabled ! -type l -type f -print) + nbApacheFind=$(wc -m <<< "$apacheFind") + if [[ $nbApacheFind -gt 1 ]]; then + if [[ $VERBOSE == 1 ]]; then + while read -r line; do + failed "IS_APACHESYMLINK" "Not a symlink: $line" + done <<< "$apacheFind" + else + failed "IS_APACHESYMLINK" + fi + fi + fi +} +# Check if there is real IP addresses in Allow/Deny directives (no trailing space, inline comments or so). +check_apacheipinallow() { + # Note: Replace "exit 1" by "print" in Perl code to debug it. + if is_installed apache2; then + grep -IrE "^[^#] *(Allow|Deny) from" /etc/apache2/ \ + | grep -iv "from all" \ + | grep -iv "env=" \ + | perl -ne 'exit 1 unless (/from( [\da-f:.\/]+)+$/i)' \ + || failed "IS_APACHEIPINALLOW" "bad (Allow|Deny) directives in apache" + fi +} +# Check if default Apache configuration file for munin is absent (or empty or commented). 
+check_muninapacheconf() { + muninconf="/etc/apache2/conf-available/munin.conf" + if is_installed apache2; then + test -e $muninconf && grep -vEq "^( |\t)*#" "$muninconf" \ + && failed "IS_MUNINAPACHECONF" "default munin configuration may be commented or disabled" + fi +} +# Check if default Apache configuration file for phpMyAdmin is absent (or empty or commented). +check_phpmyadminapacheconf() { + phpmyadminconf0="/etc/apache2/conf-available/phpmyadmin.conf" + phpmyadminconf1="/etc/apache2/conf-enabled/phpmyadmin.conf" + if is_installed apache2; then + test -e $phpmyadminconf0 && grep -vEq "^( |\t)*#" "$phpmyadminconf0" \ + && failed "IS_PHPMYADMINAPACHECONF" "default phpmyadmin configuration ($phpmyadminconf0) may be commented or disabled" + test -e $phpmyadminconf1 && grep -vEq "^( |\t)*#" "$phpmyadminconf1" \ + && failed "IS_PHPMYADMINAPACHECONF" "default phpmyadmin configuration ($phpmyadminconf1) may be commented or disabled" + fi +} +# Verification si le système doit redémarrer suite màj kernel. +check_kerneluptodate() { + if is_installed linux-image*; then + # shellcheck disable=SC2012 + kernel_installed_at=$(date -d "$(ls --full-time -lcrt /boot | tail -n1 | awk '{print $6}')" +%s) + last_reboot_at=$(($(date +%s) - $(cut -f1 -d '.' /proc/uptime))) + if [ "$kernel_installed_at" -gt "$last_reboot_at" ]; then + failed "IS_KERNELUPTODATE" "machine is running an outdated kernel, reboot advised" + fi + fi +} +# Check if the server is running for more than a year. +check_uptime() { + if is_installed linux-image*; then + limit=$(date -d "now - 2 year" +%s) + last_reboot_at=$(($(date +%s) - $(cut -f1 -d '.' /proc/uptime))) + if [ "$limit" -gt "$last_reboot_at" ]; then + failed "IS_UPTIME" "machine has an uptime of more than 2 years, reboot on new kernel advised" + fi + fi +} +# Check if munin-node running and RRD files are up to date. +check_muninrunning() { + if ! 
pgrep munin-node >/dev/null; then + failed "IS_MUNINRUNNING" "Munin is not running" + elif [ -d "/var/lib/munin/" ] && [ -d "/var/cache/munin/" ]; then + limit=$(date +"%s" -d "now - 10 minutes") + + if [ -n "$(find /var/lib/munin/ -name '*load-g.rrd')" ]; then + updated_at=$(stat -c "%Y" /var/lib/munin/*/*load-g.rrd |sort |tail -1) + [ "$limit" -gt "$updated_at" ] && failed "IS_MUNINRUNNING" "Munin load RRD has not been updated in the last 10 minutes" + else + failed "IS_MUNINRUNNING" "Munin is not installed properly (load RRD not found)" + fi + + if [ -n "$(find /var/cache/munin/www/ -name 'load-day.png')" ]; then + updated_at=$(stat -c "%Y" /var/cache/munin/www/*/*/load-day.png |sort |tail -1) + grep -sq "^graph_strategy cron" /etc/munin/munin.conf && [ "$limit" -gt "$updated_at" ] && failed "IS_MUNINRUNNING" "Munin load PNG has not been updated in the last 10 minutes" + else + failed "IS_MUNINRUNNING" "Munin is not installed properly (load PNG not found)" + fi + else + failed "IS_MUNINRUNNING" "Munin is not installed properly (main directories are missing)" + fi +} +# Check if files in /home/backup/ are up-to-date +check_backupuptodate() { + backup_dir="/home/backup" + if [ -d "${backup_dir}" ]; then + if [ -n "$(ls -A ${backup_dir})" ]; then + find "${backup_dir}" -maxdepth 1 -type f | while read -r file; do + limit=$(date +"%s" -d "now - 2 day") + updated_at=$(stat -c "%Y" "$file") + + if [ "$limit" -gt "$updated_at" ]; then + failed "IS_BACKUPUPTODATE" "$file has not been backed up" + test "${VERBOSE}" = 1 || break; + fi + done + else + failed "IS_BACKUPUPTODATE" "${backup_dir}/ is empty" + fi + else + failed "IS_BACKUPUPTODATE" "${backup_dir}/ is missing" + fi +} +check_etcgit() { + export GIT_DIR="/etc/.git" GIT_WORK_TREE="/etc" + git rev-parse --is-inside-work-tree > /dev/null 2>&1 \ + || failed "IS_ETCGIT" "/etc is not a git repository" +} +# Check if /etc/.git/ has read/write permissions for root only. 
+check_gitperms() { + GIT_DIR="/etc/.git" + if test -d $GIT_DIR; then + expected="700" + actual=$(stat -c "%a" $GIT_DIR) + [ "$expected" = "$actual" ] || failed "IS_GITPERMS" "$GIT_DIR must be $expected" + fi +} +# Check if no package has been upgraded since $limit. +check_notupgraded() { + last_upgrade=0 + upgraded=false + for log in /var/log/dpkg.log*; do + if zgrep -qsm1 upgrade "$log"; then + # There is at least one upgrade + upgraded=true + break + fi + done + if $upgraded; then + last_upgrade=$(date +%s -d "$(zgrep -h upgrade /var/log/dpkg.log* | sort -n | tail -1 | cut -f1 -d ' ')") + fi + if grep -qs '^mailto="listupgrade-todo@' /etc/evolinux/listupgrade.cnf \ + || grep -qs -E '^[[:digit:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[^\*]' /etc/cron.d/listupgrade; then + # Manual upgrade process + limit=$(date +%s -d "now - 180 days") + else + # Regular process + limit=$(date +%s -d "now - 90 days") + fi + install_date=0 + if [ -d /var/log/installer ]; then + install_date=$(stat -c %Z /var/log/installer) + fi + # Check install_date if the system never received an upgrade + if [ "$last_upgrade" -eq 0 ]; then + [ "$install_date" -lt "$limit" ] && failed "IS_NOTUPGRADED" "The system has never been updated" + else + [ "$last_upgrade" -lt "$limit" ] && failed "IS_NOTUPGRADED" "The system hasn't been updated for too long" + fi +} +# Check if reserved blocks for root is at least 5% on every mounted partitions. +check_tune2fs_m5() { + min=5 + parts=$(grep -E "ext(3|4)" /proc/mounts | cut -d ' ' -f1 | tr -s '\n' ' ') + FINDMNT_BIN=$(command -v findmnt) + for part in $parts; do + blockCount=$(dumpe2fs -h "$part" 2>/dev/null | grep -e "Block count:" | grep -Eo "[0-9]+") + # If buggy partition, skip it. 
+ if [ -z "$blockCount" ]; then + continue + fi + reservedBlockCount=$(dumpe2fs -h "$part" 2>/dev/null | grep -e "Reserved block count:" | grep -Eo "[0-9]+") + # Use awk to have a rounded percentage + # python is slow, bash is unable and bc rounds weirdly + percentage=$(awk "BEGIN { pc=100*${reservedBlockCount}/${blockCount}; i=int(pc); print (pc-i<0.5)?i:i+1 }") + + if [ "$percentage" -lt "${min}" ]; then + if [ -x "${FINDMNT_BIN}" ]; then + mount=$(${FINDMNT_BIN} --noheadings --first-only --output TARGET "${part}") + else + mount="unknown mount point" + fi + failed "IS_TUNE2FS_M5" "Partition ${part} (${mount}) has less than ${min}% reserved blocks (${percentage}%)" + fi + done +} +check_broadcomfirmware() { + LSPCI_BIN=$(command -v lspci) + if [ -x "${LSPCI_BIN}" ]; then + if ${LSPCI_BIN} | grep -q 'NetXtreme II'; then + { is_installed firmware-bnx2 \ + && grep -q "^deb http://mirror.evolix.org/debian.* non-free" /etc/apt/sources.list; + } || failed "IS_BROADCOMFIRMWARE" "missing non-free repository" + fi + else + failed "IS_BROADCOMFIRMWARE" "lspci not found in ${PATH}" + fi +} +check_hardwareraidtool() { + LSPCI_BIN=$(command -v lspci) + if [ -x "${LSPCI_BIN}" ]; then + if ${LSPCI_BIN} | grep -q 'MegaRAID'; then + # shellcheck disable=SC2015 + is_installed megacli && { is_installed megaclisas-status || is_installed megaraidsas-status; } \ + || failed "IS_HARDWARERAIDTOOL" "Mega tools not found" + fi + if ${LSPCI_BIN} | grep -q 'Hewlett-Packard Company Smart Array'; then + is_installed cciss-vol-status || failed "IS_HARDWARERAIDTOOL" "cciss-vol-status not installed" + fi + else + failed "IS_HARDWARERAIDTOOL" "lspci not found in ${PATH}" + fi +} +check_listupgrade() { + test -f /etc/cron.d/listupgrade \ + || failed "IS_LISTUPGRADE" "missing listupgrade cron" + test -x /usr/share/scripts/listupgrade.sh \ + || failed "IS_LISTUPGRADE" "missing listupgrade script or not executable" +} +check_sql_backup() { + if (is_installed "mysql-server" || is_installed 
"mariadb-server"); then + # You could change the default path in /etc/evocheck.cf + SQL_BACKUP_PATH=${SQL_BACKUP_PATH:-"/home/backup/mysql.bak.gz"} + for backup_path in ${SQL_BACKUP_PATH}; do + if [ ! -f "${backup_path}" ]; then + failed "IS_SQL_BACKUP" "MySQL dump is missing (${backup_path})" + test "${VERBOSE}" = 1 || break + fi + done + fi +} +check_postgres_backup() { + if is_installed "postgresql-9*" || is_installed "postgresql-1*"; then + # If you use something like barman, you should disable this check + # You could change the default path in /etc/evocheck.cf + POSTGRES_BACKUP_PATH=${POSTGRES_BACKUP_PATH:-"/home/backup/pg.dump.bak*"} + for backup_path in ${POSTGRES_BACKUP_PATH}; do + if [ ! -f "${backup_path}" ]; then + failed "IS_POSTGRES_BACKUP" "PostgreSQL dump is missing (${backup_path})" + test "${VERBOSE}" = 1 || break + fi + done + fi +} +check_mongo_backup() { + if is_installed "mongodb-org-server"; then + # You could change the default path in /etc/evocheck.cf + MONGO_BACKUP_PATH=${MONGO_BACKUP_PATH:-"/home/backup/mongodump"} + if [ -d "$MONGO_BACKUP_PATH" ]; then + for file in "${MONGO_BACKUP_PATH}"/*/*.{json,bson}*; do + # Skip indexes file. + if ! 
[[ "$file" =~ indexes ]]; then + limit=$(date +"%s" -d "now - 2 day") + updated_at=$(stat -c "%Y" "$file") + if [ -f "$file" ] && [ "$limit" -gt "$updated_at" ]; then + failed "IS_MONGO_BACKUP" "MongoDB hasn't been dumped for more than 2 days" + break + fi + fi + done + else + failed "IS_MONGO_BACKUP" "MongoDB dump directory is missing (${MONGO_BACKUP_PATH})" + fi + fi +} +check_ldap_backup() { + if is_installed slapd; then + # You could change the default path in /etc/evocheck.cf + LDAP_BACKUP_PATH=${LDAP_BACKUP_PATH:-"/home/backup/ldap.bak"} + test -f "$LDAP_BACKUP_PATH" || failed "IS_LDAP_BACKUP" "LDAP dump is missing (${LDAP_BACKUP_PATH})" + fi +} +check_redis_backup() { + if is_installed redis-server; then + # You could change the default path in /etc/evocheck.cf + # REDIS_BACKUP_PATH may contain space-separated paths, example: + # REDIS_BACKUP_PATH='/home/backup/redis-instance1/dump.rdb /home/backup/redis-instance2/dump.rdb' + REDIS_BACKUP_PATH=${REDIS_BACKUP_PATH:-"/home/backup/redis/dump.rdb"} + for file in ${REDIS_BACKUP_PATH}; do + test -f "${file}" || failed "IS_REDIS_BACKUP" "Redis dump is missing (${file})" + done + fi +} +check_elastic_backup() { + if is_installed elasticsearch; then + # You could change the default path in /etc/evocheck.cf + ELASTIC_BACKUP_PATH=${ELASTIC_BACKUP_PATH:-"/home/backup-elasticsearch"} + test -d "$ELASTIC_BACKUP_PATH" || failed "IS_ELASTIC_BACKUP" "Elastic snapshot is missing (${ELASTIC_BACKUP_PATH})" + fi +} +check_duplicate_fs_label() { + # Do it only if thereis blkid binary + BLKID_BIN=$(command -v blkid) + if [ -n "$BLKID_BIN" ]; then + tmpFile=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.duplicate_fs_label.XXXXX") + files_to_cleanup="${files_to_cleanup} ${tmpFile}" + + parts=$($BLKID_BIN -c /dev/null | grep -ve raid_member -e EFI_SYSPART | grep -Eo ' LABEL=".*"' | cut -d'"' -f2) + for part in $parts; do + echo "$part" >> "$tmpFile" + done + tmpOutput=$(sort < "$tmpFile" | uniq -d) + # If there is no duplicate, uniq 
will have no output + # So, if $tmpOutput is not null, there is a duplicate + if [ -n "$tmpOutput" ]; then + # shellcheck disable=SC2086 + labels=$(echo -n $tmpOutput | tr '\n' ' ') + failed "IS_DUPLICATE_FS_LABEL" "Duplicate labels: $labels" + fi + else + failed "IS_DUPLICATE_FS_LABEL" "blkid not found in ${PATH}" + fi +} +check_evolix_user() { + grep -q -E "^evolix:" /etc/passwd \ + && failed "IS_EVOLIX_USER" "evolix user should be deleted, used only for install" +} +check_evoacme_cron() { + if [ -f "/usr/local/sbin/evoacme" ]; then + # Old cron file, should be deleted + test -f /etc/cron.daily/certbot && failed "IS_EVOACME_CRON" "certbot cron is incompatible with evoacme" + # evoacme cron file should be present + test -f /etc/cron.daily/evoacme || failed "IS_EVOACME_CRON" "evoacme cron is missing" + fi +} +check_evoacme_livelinks() { + EVOACME_BIN=$(command -v evoacme) + if [ -x "$EVOACME_BIN" ]; then + # Sometimes evoacme is installed but no certificates has been generated + numberOfLinks=$(find /etc/letsencrypt/ -type l | wc -l) + if [ "$numberOfLinks" -gt 0 ]; then + for live in /etc/letsencrypt/*/live; do + actualLink=$(readlink -f "$live") + actualVersion=$(basename "$actualLink") + + certDir=$(dirname "$live") + certName=$(basename "$certDir") + # shellcheck disable=SC2012 + lastCertDir=$(ls -ds "${certDir}"/[0-9]* | tail -1) + lastVersion=$(basename "$lastCertDir") + + if [[ "$lastVersion" != "$actualVersion" ]]; then + failed "IS_EVOACME_LIVELINKS" "Certificate \`$certName' hasn't been updated" + test "${VERBOSE}" = 1 || break + fi + done + fi + fi +} +check_apache_confenabled() { + # Starting from Jessie and Apache 2.4, /etc/apache2/conf.d/ + # must be replaced by conf-available/ and config files symlinked + # to conf-enabled/ + if [ -f /etc/apache2/apache2.conf ]; then + test -d /etc/apache2/conf.d/ \ + && failed "IS_APACHE_CONFENABLED" "apache's conf.d directory must not exists" + grep -q 'Include conf.d' /etc/apache2/apache2.conf \ + && failed 
"IS_APACHE_CONFENABLED" "apache2.conf must not Include conf.d" + fi +} +check_meltdown_spectre() { + # For Jessie this is quite complicated to verify and we need to use kernel config file + if grep -q "BOOT_IMAGE=" /proc/cmdline; then + kernelPath=$(grep -Eo 'BOOT_IMAGE=[^ ]+' /proc/cmdline | cut -d= -f2) + kernelVer=${kernelPath##*/vmlinuz-} + kernelConfig="config-${kernelVer}" + # Sometimes autodetection of kernel config file fail, so we test if the file really exists. + if [ -f "/boot/${kernelConfig}" ]; then + grep -Eq '^CONFIG_PAGE_TABLE_ISOLATION=y' "/boot/$kernelConfig" \ + || failed "IS_MELTDOWN_SPECTRE" \ + "PAGE_TABLE_ISOLATION must be enabled in kernel, outdated kernel?" + grep -Eq '^CONFIG_RETPOLINE=y' "/boot/$kernelConfig" \ + || failed "IS_MELTDOWN_SPECTRE" \ + "RETPOLINE must be enabled in kernel, outdated kernel?" + fi + fi +} +check_old_home_dir() { + homeDir=${homeDir:-/home} + for dir in "$homeDir"/*; do + statResult=$(stat -c "%n has owner %u resolved as %U" "$dir" \ + | grep -Eve '.bak' -e '\.[0-9]{2}-[0-9]{2}-[0-9]{4}' \ + | grep "UNKNOWN") + # There is at least one dir matching + if [[ -n "$statResult" ]]; then + failed "IS_OLD_HOME_DIR" "$statResult" + test "${VERBOSE}" = 1 || break + fi + done +} +check_tmp_1777() { + actual=$(stat --format "%a" /tmp) + expected="1777" + test "$expected" = "$actual" || failed "IS_TMP_1777" "/tmp must be $expected" +} +check_root_0700() { + actual=$(stat --format "%a" /root) + expected="700" + test "$expected" = "$actual" || failed "IS_ROOT_0700" "/root must be $expected" +} +check_usrsharescripts() { + actual=$(stat --format "%a" /usr/share/scripts) + expected="700" + test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS" "/usr/share/scripts must be $expected" +} +check_sshpermitrootno() { + sshd_args="-C addr=,user=,host=,laddr=,lport=0" + # shellcheck disable=SC2086 + if ! 
(sshd -T ${sshd_args} 2> /dev/null | grep -qi 'permitrootlogin no'); then + failed "IS_SSHPERMITROOTNO" "PermitRoot should be set to no" + fi +} +check_evomaintenanceusers() { + if [ -f /etc/sudoers.d/evolinux ]; then + sudoers="/etc/sudoers.d/evolinux" + else + sudoers="/etc/sudoers" + fi + # combine users from User_Alias and sudo group + users=$({ grep "^User_Alias *ADMIN" $sudoers | cut -d= -f2 | tr -d " "; grep "^sudo" /etc/group | cut -d: -f 4; } | tr "," "\n" | sort -u) + for user in $users; do + user_home=$(getent passwd "$user" | cut -d: -f6) + if [ -n "$user_home" ] && [ -d "$user_home" ]; then + if ! grep -qs "^trap.*sudo.*evomaintenance.sh" "${user_home}"/.*profile; then + failed "IS_EVOMAINTENANCEUSERS" "${user} doesn't have an evomaintenance trap" + test "${VERBOSE}" = 1 || break + fi + fi + done +} +check_evomaintenanceconf() { + f=/etc/evomaintenance.cf + if [ -e "$f" ]; then + perms=$(stat -c "%a" $f) + test "$perms" = "600" || failed "IS_EVOMAINTENANCECONF" "Wrong permissions on \`$f' ($perms instead of 600)" + + { grep "^export PGPASSWORD" $f | grep -qv "your-passwd" \ + && grep "^PGDB" $f | grep -qv "your-db" \ + && grep "^PGTABLE" $f | grep -qv "your-table" \ + && grep "^PGHOST" $f | grep -qv "your-pg-host" \ + && grep "^FROM" $f | grep -qv "jdoe@example.com" \ + && grep "^FULLFROM" $f | grep -qv "John Doe " \ + && grep "^URGENCYFROM" $f | grep -qv "mama.doe@example.com" \ + && grep "^URGENCYTEL" $f | grep -qv "06.00.00.00.00" \ + && grep "^REALM" $f | grep -qv "example.com" + } || failed "IS_EVOMAINTENANCECONF" "evomaintenance is not correctly configured" + else + failed "IS_EVOMAINTENANCECONF" "Configuration file \`$f' is missing" + fi +} +check_privatekeyworldreadable() { + # a simple globbing fails if directory is empty + if [ -n "$(ls -A /etc/ssl/private/)" ]; then + for f in /etc/ssl/private/*; do + perms=$(stat -L -c "%a" "$f") + if [ "${perms: -1}" != 0 ]; then + failed "IS_PRIVKEYWOLRDREADABLE" "$f is world-readable" + test "${VERBOSE}" 
= 1 || break + fi + done + fi +} +check_evobackup_incs() { + if is_installed bkctld; then + bkctld_cron_file=${bkctld_cron_file:-/etc/cron.d/bkctld} + if [ -f "${bkctld_cron_file}" ]; then + root_crontab=$(grep -v "^#" "${bkctld_cron_file}") + echo "${root_crontab}" | grep -q "bkctld inc" || failed "IS_EVOBACKUP_INCS" "\`bkctld inc' is missing in ${bkctld_cron_file}" + echo "${root_crontab}" | grep -qE "(check-incs.sh|bkctld check-incs)" || failed "IS_EVOBACKUP_INCS" "\`check-incs.sh' is missing in ${bkctld_cron_file}" + else + failed "IS_EVOBACKUP_INCS" "Crontab \`${bkctld_cron_file}' is missing" + fi + fi +} + +check_osprober() { + if is_installed os-prober qemu-kvm; then + failed "IS_OSPROBER" \ + "Removal of os-prober package is recommended as it can cause serious issue on KVM server" + fi +} + +check_jessie_backports() { + jessieBackports=$(grep -hs "jessie-backports" /etc/apt/sources.list /etc/apt/sources.list.d/*) + if test -n "$jessieBackports"; then + if ! grep -q "archive.debian.org" <<< "$jessieBackports"; then + failed "IS_JESSIE_BACKPORTS" "You must use deb http://archive.debian.org/debian/ jessie-backports main" + fi + fi +} + +check_apt_valid_until() { + aptvalidFile="/etc/apt/apt.conf.d/99no-check-valid-until" + aptvalidText="Acquire::Check-Valid-Until no;" + if grep -qs "archive.debian.org" /etc/apt/sources.list /etc/apt/sources.list.d/*; then + if ! grep -qs "$aptvalidText" /etc/apt/apt.conf.d/*; then + failed "IS_APT_VALID_UNTIL" \ + "As you use archive.mirror.org you need ${aptvalidFile}: ${aptvalidText}" + fi + fi +} + +check_chrooted_binary_uptodate() { + # list of processes to check + process_list="sshd" + for process_name in ${process_list}; do + # what is the binary path? + original_bin=$(command -v "${process_name}") + for pid in $(pgrep ${process_name}); do + process_bin=$(realpath "/proc/${pid}/exe") + # Is the process chrooted? 
+ real_root=$(realpath "/proc/${pid}/root") + if [ "${real_root}" != "/" ]; then + chrooted_md5=$(md5sum "${process_bin}" | cut -f 1 -d ' ') + original_md5=$(md5sum "${original_bin}" | cut -f 1 -d ' ') + # compare md5 checksums + if [ "$original_md5" != "$chrooted_md5" ]; then + failed "IS_CHROOTED_BINARY_UPTODATE" "${process_bin} (${pid}) is different than ${original_bin}." + test "${VERBOSE}" = 1 || break + fi + fi + done + done +} +check_nginx_letsencrypt_uptodate() { + if [ -d /etc/nginx ]; then + snippets=$(find /etc/nginx -type f -name "letsencrypt.conf") + if [ -n "${snippets}" ]; then + while read -r snippet; do + if ! grep -qE "^\s*alias\s+/.+/\.well-known/acme-challenge" "${snippet}"; then + failed "IS_NGINX_LETSENCRYPT_UPTODATE" "Nginx snippet ${snippet} is not compatible with Nginx on Debian 8." + fi + done <<< "${snippets}" + fi + fi +} + +check_lxc_container_resolv_conf() { + if is_installed lxc; then + container_list=$(lxc-ls) + current_resolvers=$(grep nameserver /etc/resolv.conf | sed 's/nameserver//g' ) + + for container in $container_list; do + if [ -f "/var/lib/lxc/${container}/rootfs/etc/resolv.conf" ]; then + + while read -r resolver; do + if ! 
grep -qE "^nameserver\s+${resolver}" "/var/lib/lxc/${container}/rootfs/etc/resolv.conf"; then + failed "IS_LXC_CONTAINER_RESOLV_CONF" "resolv.conf miss-match beween host and container : missing nameserver ${resolver} in container ${container} resolv.conf" + fi + done <<< "${current_resolvers}" + + else + failed "IS_LXC_CONTAINER_RESOLV_CONF" "resolv.conf missing in container ${container}" + fi + done + fi +} +download_versions() { + local file + file=${1:-} + + ## The file is supposed to list programs : each on a line, then its latest version number + ## Examples: + # evoacme 21.06 + # evomaintenance 0.6.4 + + versions_url="https://upgrades.evolix.org/versions-${DEBIAN_RELEASE}" + + # fetch timeout, in seconds + timeout=10 + + if command -v curl > /dev/null; then + curl --max-time ${timeout} --fail --silent --output "${versions_file}" "${versions_url}" + elif command -v wget > /dev/null; then + wget --timeout=${timeout} --quiet "${versions_url}" -O "${versions_file}" + elif command -v GET; then + GET -t ${timeout}s "${versions_url}" > "${versions_file}" + else + failed "IS_CHECK_VERSIONS" "failed to find curl, wget or GET" + fi + test "$?" 
-eq 0 || failed "IS_CHECK_VERSIONS" "failed to download ${versions_url} to ${versions_file}" +} +get_command() { + local program + program=${1:-} + + case "${program}" in + ## Special cases where the program name is different than the command name + evocheck) echo "${0}" ;; + evomaintenance) command -v "evomaintenance.sh" ;; + listupgrade) command -v "evolistupgrade.sh" ;; + old-kernel-autoremoval) command -v "old-kernel-autoremoval.sh" ;; + mysql-queries-killer) command -v "mysql-queries-killer.sh" ;; + minifirewall) echo "/etc/init.d/minifirewall" ;; + + ## General case, where the program name is the same as the command name + *) command -v "${program}" ;; + esac +} +get_version() { + local program + local command + program=${1:-} + command=${2:-} + + case "${program}" in + ## Special case if `command --version => 'command` is not the standard way to get the version + # my_command) + # /path/to/my_command --get-version + # ;; + + add-vm) + grep '^VERSION=' "${command}" | head -1 | cut -d '=' -f 2 + ;; + minifirewall) + ${command} version | head -1 | cut -d ' ' -f 3 + ;; + ## Let's try the --version flag before falling back to grep for the constant + kvmstats) + if ${command} --version > /dev/null 2> /dev/null; then + ${command} --version 2> /dev/null | head -1 | cut -d ' ' -f 3 + else + grep '^VERSION=' "${command}" | head -1 | cut -d '=' -f 2 + fi + ;; + + ## General case to get the version + *) ${command} --version 2> /dev/null | head -1 | cut -d ' ' -f 3 ;; + esac +} +check_version() { + local program + local expected_version + program=${1:-} + expected_version=${2:-} + + command=$(get_command "${program}") + if [ -n "${command}" ]; then + # shellcheck disable=SC2086 + actual_version=$(get_version "${program}" "${command}") + # printf "program:%s expected:%s actual:%s\n" "${program}" "${expected_version}" "${actual_version}" + if [ -z "${actual_version}" ]; then + failed "IS_CHECK_VERSIONS" "failed to lookup actual version of ${program}" + elif dpkg 
--compare-versions "${actual_version}" lt "${expected_version}"; then + failed "IS_CHECK_VERSIONS" "${program} version ${actual_version} is older than expected version ${expected_version}" + elif dpkg --compare-versions "${actual_version}" gt "${expected_version}"; then + failed "IS_CHECK_VERSIONS" "${program} version ${actual_version} is newer than expected version ${expected_version}, you should update your index." + else + : # Version check OK + fi + fi +} +add_to_path() { + local new_path + new_path=${1:-} + + echo "$PATH" | grep -qF "${new_path}" || export PATH="${PATH}:${new_path}" +} +check_versions() { + versions_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.versions.XXXXX") + files_to_cleanup="${files_to_cleanup} ${versions_file}" + + download_versions "${versions_file}" + add_to_path "/usr/share/scripts" + + grep -v '^ *#' < "${versions_file}" | while IFS= read -r line; do + local program + local version + program=$(echo "${line}" | cut -d ' ' -f 1) + version=$(echo "${line}" | cut -d ' ' -f 2) + + if [ -n "${program}" ]; then + if [ -n "${version}" ]; then + check_version "${program}" "${version}" + else + failed "IS_CHECK_VERSIONS" "failed to lookup expected version for ${program}" + fi + fi + done +} + +main() { + # Default return code : 0 = no error + RC=0 + # Detect operating system name, version and release + detect_os + + main_output_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.main.XXXXX") + files_to_cleanup="${files_to_cleanup} ${main_output_file}" + + test "${IS_TMP_1777:=1}" = 1 && check_tmp_1777 + test "${IS_ROOT_0700:=1}" = 1 && check_root_0700 + test "${IS_USRSHARESCRIPTS:=1}" = 1 && check_usrsharescripts + test "${IS_SSHPERMITROOTNO:=1}" = 1 && check_sshpermitrootno + test "${IS_EVOMAINTENANCEUSERS:=1}" = 1 && check_evomaintenanceusers + # Verification de la configuration d'evomaintenance + test "${IS_EVOMAINTENANCECONF:=1}" = 1 && check_evomaintenanceconf + test "${IS_PRIVKEYWOLRDREADABLE:=1}" = 1 && 
check_privatekeyworldreadable + + test "${IS_LSBRELEASE:=1}" = 1 && check_lsbrelease + test "${IS_NRPEPOSTFIX:=1}" = 1 && check_nrpepostfix + test "${IS_CUSTOMSUDOERS:=1}" = 1 && check_customsudoers + test "${IS_VARTMPFS:=1}" = 1 && check_vartmpfs + test "${IS_SERVEURBASE:=1}" = 1 && check_serveurbase + test "${IS_LOGROTATECONF:=1}" = 1 && check_logrotateconf + test "${IS_SYSLOGCONF:=1}" = 1 && check_syslogconf + test "${IS_DEBIANSECURITY:=1}" = 1 && check_debiansecurity + test "${IS_APTITUDE:=1}" = 1 && check_aptitude + test "${IS_APTGETBAK:=1}" = 1 && check_aptgetbak + test "${IS_USRRO:=1}" = 1 && check_usrro + test "${IS_TMPNOEXEC:=1}" = 1 && check_tmpnoexec + test "${IS_MOUNT_FSTAB:=1}" = 1 && check_mountfstab + test "${IS_LISTCHANGESCONF:=1}" = 1 && check_listchangesconf + test "${IS_CUSTOMCRONTAB:=1}" = 1 && check_customcrontab + test "${IS_SSHALLOWUSERS:=1}" = 1 && check_sshallowusers + test "${IS_DISKPERF:=0}" = 1 && check_diskperf + test "${IS_TMOUTPROFILE:=1}" = 1 && check_tmoutprofile + test "${IS_ALERT5BOOT:=1}" = 1 && check_alert5boot + test "${IS_ALERT5MINIFW:=1}" = 1 && check_alert5minifw + test "${IS_ALERT5MINIFW:=1}" = 1 && test "${IS_MINIFW:=1}" = 1 && check_minifw + test "${IS_NRPEPERMS:=1}" = 1 && check_nrpeperms + test "${IS_MINIFWPERMS:=1}" = 1 && check_minifwperms + test "${IS_NRPEDISKS:=0}" = 1 && check_nrpedisks + test "${IS_NRPEPID:=1}" = 1 && check_nrpepid + test "${IS_GRSECPROCS:=1}" = 1 && check_grsecprocs + test "${IS_APACHEMUNIN:=1}" = 1 && check_apachemunin + test "${IS_MYSQLUTILS:=1}" = 1 && check_mysqlutils + test "${IS_RAIDSOFT:=1}" = 1 && check_raidsoft + test "${IS_AWSTATSLOGFORMAT:=1}" = 1 && check_awstatslogformat + test "${IS_MUNINLOGROTATE:=1}" = 1 && check_muninlogrotate + test "${IS_SQUID:=1}" = 1 && check_squid + test "${IS_EVOMAINTENANCE_FW:=1}" = 1 && check_evomaintenance_fw + test "${IS_MODDEFLATE:=1}" = 1 && check_moddeflate + test "${IS_LOG2MAILRUNNING:=1}" = 1 && check_log2mailrunning + test 
"${IS_LOG2MAILAPACHE:=1}" = 1 && check_log2mailapache + test "${IS_LOG2MAILMYSQL:=1}" = 1 && check_log2mailmysql + test "${IS_LOG2MAILSQUID:=1}" = 1 && check_log2mailsquid + test "${IS_BINDCHROOT:=1}" = 1 && check_bindchroot + test "${IS_NETWORK_INTERFACES:=1}" = 1 && check_network_interfaces + test "${IS_AUTOIF:=1}" = 1 && check_autoif + test "${IS_INTERFACESGW:=1}" = 1 && check_interfacesgw + test "${IS_EVOBACKUP:=1}" = 1 && check_evobackup + test "${IS_EVOBACKUP_EXCLUDE_MOUNT:=1}" = 1 && check_evobackup_exclude_mount + test "${IS_USERLOGROTATE:=1}" = 1 && check_userlogrotate + test "${IS_APACHECTL:=1}" = 1 && check_apachectl + test "${IS_APACHESYMLINK:=1}" = 1 && check_apachesymlink + test "${IS_APACHEIPINALLOW:=1}" = 1 && check_apacheipinallow + test "${IS_MUNINAPACHECONF:=1}" = 1 && check_muninapacheconf + test "${IS_PHPMYADMINAPACHECONF:=1}" = 1 && check_phpmyadminapacheconf + test "${IS_KERNELUPTODATE:=1}" = 1 && check_kerneluptodate + test "${IS_UPTIME:=1}" = 1 && check_uptime + test "${IS_MUNINRUNNING:=1}" = 1 && check_muninrunning + test "${IS_BACKUPUPTODATE:=1}" = 1 && check_backupuptodate + test "${IS_ETCGIT:=1}" = 1 && check_etcgit + test "${IS_GITPERMS:=1}" = 1 && check_gitperms + test "${IS_NOTUPGRADED:=1}" = 1 && check_notupgraded + test "${IS_TUNE2FS_M5:=1}" = 1 && check_tune2fs_m5 + test "${IS_BROADCOMFIRMWARE:=1}" = 1 && check_broadcomfirmware + test "${IS_HARDWARERAIDTOOL:=1}" = 1 && check_hardwareraidtool + test "${IS_LISTUPGRADE:=1}" = 1 && check_listupgrade + test "${IS_SQL_BACKUP:=1}" = 1 && check_sql_backup + test "${IS_POSTGRES_BACKUP:=1}" = 1 && check_postgres_backup + test "${IS_MONGO_BACKUP:=1}" = 1 && check_mongo_backup + test "${IS_LDAP_BACKUP:=1}" = 1 && check_ldap_backup + test "${IS_REDIS_BACKUP:=1}" = 1 && check_redis_backup + test "${IS_ELASTIC_BACKUP:=1}" = 1 && check_elastic_backup + test "${IS_DUPLICATE_FS_LABEL:=1}" = 1 && check_duplicate_fs_label + test "${IS_EVOLIX_USER:=1}" = 1 && check_evolix_user + test 
"${IS_EVOACME_CRON:=1}" = 1 && check_evoacme_cron + test "${IS_EVOACME_LIVELINKS:=1}" = 1 && check_evoacme_livelinks + test "${IS_APACHE_CONFENABLED:=1}" = 1 && check_apache_confenabled + test "${IS_MELTDOWN_SPECTRE:=1}" = 1 && check_meltdown_spectre + test "${IS_OLD_HOME_DIR:=0}" = 1 && check_old_home_dir + test "${IS_EVOBACKUP_INCS:=1}" = 1 && check_evobackup_incs + test "${IS_OSPROBER:=1}" = 1 && check_osprober + test "${IS_JESSIE_BACKPORTS:=1}" = 1 && check_jessie_backports + test "${IS_APT_VALID_UNTIL:=1}" = 1 && check_apt_valid_until + test "${IS_CHROOTED_BINARY_UPTODATE:=1}" = 1 && check_chrooted_binary_uptodate + test "${IS_NGINX_LETSENCRYPT_UPTODATE:=1}" = 1 && check_nginx_letsencrypt_uptodate + test "${IS_LXC_CONTAINER_RESOLV_CONF:=1}" = 1 && check_lxc_container_resolv_conf + test "${IS_CHECK_VERSIONS:=1}" = 1 && check_versions + + if [ -f "${main_output_file}" ]; then + lines_found=$(wc -l < "${main_output_file}") + # shellcheck disable=SC2086 + if [ ${lines_found} -gt 0 ]; then + + cat "${main_output_file}" 2>&1 + fi + fi + + exit ${RC} +} +cleanup_temp_files() { + # shellcheck disable=SC2086 + rm -f ${files_to_cleanup} +} + +PROGNAME=$(basename "$0") +# shellcheck disable=SC2034 +readonly PROGNAME + +# shellcheck disable=SC2124 +ARGS=$@ +readonly ARGS + +# Disable LANG* +export LANG=C +export LANGUAGE=C + +files_to_cleanup="" +# shellcheck disable=SC2064 +trap cleanup_temp_files 0 + +# Source configuration file +# shellcheck disable=SC1091 +test -f /etc/evocheck.cf && . /etc/evocheck.cf + +# Parse options +# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a +while :; do + case $1 in + -h|-\?|--help) + show_help + exit 0 + ;; + --version) + show_version + exit 0 + ;; + --cron) + IS_KERNELUPTODATE=0 + IS_UPTIME=0 + IS_MELTDOWN_SPECTRE=0 + IS_CHECK_VERSIONS=0 + IS_NETWORKING_SERVICE=0 + ;; + -v|--verbose) + VERBOSE=1 + ;; + -q|--quiet) + QUIET=1 + VERBOSE=0 + ;; + --) + # End of all options. 
+ shift + break + ;; + -?*|[[:alnum:]]*) + # ignore unknown options + if [ "${QUIET}" != 1 ]; then + printf 'WARN: Unknown option (ignored): %s\n' "$1" >&2 + fi + ;; + *) + # Default case: If no more options then break out of the loop. + break + ;; + esac + + shift +done + +# shellcheck disable=SC2086 +main ${ARGS} diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index 7c01da51..c5cd8fbd 100644 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="22.09" +VERSION="22.11" readonly VERSION # base functions @@ -52,16 +52,19 @@ detect_os() { LSB_RELEASE_BIN=$(command -v lsb_release) if [ -e /etc/debian_version ]; then - DEBIAN_VERSION=$(cut -d "." -f 1 < /etc/debian_version) + DEBIAN_MAIN_VERSION=$(cut -d "." -f 1 < /etc/debian_version) + + if [ "${DEBIAN_MAIN_VERSION}" -lt "9" ]; then + echo "Debian ${DEBIAN_MAIN_VERSION} is incompatible with this version of evocheck." >&2 + echo "This version is built for Debian 9 and later." >&2 + exit + fi + if [ -x "${LSB_RELEASE_BIN}" ]; then DEBIAN_RELEASE=$(${LSB_RELEASE_BIN} --codename --short) else - case ${DEBIAN_VERSION} in - 5) DEBIAN_RELEASE="lenny";; - 6) DEBIAN_RELEASE="squeeze";; - 7) DEBIAN_RELEASE="wheezy";; - 8) DEBIAN_RELEASE="jessie";; - 9) DEBIAN_RELEASE="stretch";; + case ${DEBIAN_MAIN_VERSION} in + 9) DEBIAN_RELEASE="stretch";; 10) DEBIAN_RELEASE="buster";; 11) DEBIAN_RELEASE="bullseye";; 12) DEBIAN_RELEASE="bookworm";; @@ -70,21 +73,6 @@ detect_os() { fi } -is_debian() { - test -n "${DEBIAN_RELEASE}" -} -is_debian_lenny() { - test "${DEBIAN_RELEASE}" = "lenny" -} -is_debian_squeeze() { - test "${DEBIAN_RELEASE}" = "squeeze" -} -is_debian_wheezy() { - test "${DEBIAN_RELEASE}" = "wheezy" -} -is_debian_jessie() { - test "${DEBIAN_RELEASE}" = "jessie" -} is_debian_stretch() { test "${DEBIAN_RELEASE}" = "stretch" } 
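Review bot: The bare `exit` after the two incompatibility messages in detect_os terminates with status 0, so a cron job or monitoring wrapper running evocheck on a pre-Debian 9 host records a successful run although no check was executed; it should be `exit 1` (or a dedicated non-zero code) so the refusal is visible to callers. The numeric test `[ "${DEBIAN_MAIN_VERSION}" -lt "9" ]` presumably also misbehaves on testing/sid hosts, where /etc/debian_version holds a codename such as `bookworm/sid` rather than a number, so `cut` yields a non-numeric string and `[` reports an error instead of a decision; guarding with `case "${DEBIAN_MAIN_VERSION}" in *[!0-9]*) ... ;; esac` before the comparison would keep the outcome deterministic. detect_os starts before this hunk and its closing brace is in the next one.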
@@ -97,12 +85,6 @@ is_debian_bullseye() { is_debian_bookworm() { test "${DEBIAN_RELEASE}" = "bookworm" } -debian_release() { - printf "%s" "${DEBIAN_RELEASE}" -} -debian_version() { - printf "%s" "${DEBIAN_VERSION}" -} is_pack_web(){ test -e /usr/share/scripts/web-add.sh || test -e /usr/share/scripts/evoadmin/web-add.sh @@ -115,16 +97,6 @@ is_installed(){ dpkg -l "$pkg" 2> /dev/null | grep -q -E '^(i|h)i' || return 1 done } -minifirewall_file() { - case ${DEBIAN_RELEASE} in - lenny) echo "/etc/firewall.rc" ;; - squeeze) echo "/etc/firewall.rc" ;; - wheezy) echo "/etc/firewall.rc" ;; - jessie) echo "/etc/default/minifirewall" ;; - stretch) echo "/etc/default/minifirewall" ;; - *) echo "/etc/default/minifirewall" ;; - esac -} # logging 
@@ -156,54 +128,18 @@ check_lsbrelease(){ fi } check_dpkgwarning() { - if is_debian_squeeze; then - if [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ]; then - count=$(grep -c -E -i "(Pre-Invoke ..echo Are you sure to have rw on|Post-Invoke ..echo Dont forget to mount -o remount)" /etc/apt/apt.conf) - test "$count" = 2 || failed "IS_DPKGWARNING" "Pre/Post-Invoke are missing." - fi - elif is_debian_wheezy; then - if [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ]; then - test -e /etc/apt/apt.conf.d/80evolinux \ - || failed "IS_DPKGWARNING" "/etc/apt/apt.conf.d/80evolinux is missing" - test -e /etc/apt/apt.conf \ - && failed "IS_DPKGWARNING" "/etc/apt/apt.conf is missing" - fi - elif is_debian_stretch || is_debian_buster || is_debian_bullseye; then - test -e /etc/apt/apt.conf.d/z-evolinux.conf \ - || failed "IS_DPKGWARNING" "/etc/apt/apt.conf.d/z-evolinux.conf is missing" - fi -} -check_umasksudoers(){ - if is_debian_squeeze; then - grep -q "^Defaults.*umask=0077" /etc/sudoers \ - || failed "IS_UMASKSUDOERS" "sudoers must set umask to 0077" - fi + test -e /etc/apt/apt.conf.d/z-evolinux.conf \ + || failed "IS_DPKGWARNING" "/etc/apt/apt.conf.d/z-evolinux.conf is missing" } # Verifying check_mailq in Nagios NRPE config file. 
(Option "-M postfix" need to be set if the MTA is Postfix) check_nrpepostfix() { if is_installed postfix; then - if is_debian_squeeze; then - grep -q "^command.*check_mailq -M postfix" /etc/nagios/nrpe.cfg \ - || failed "IS_NRPEPOSTFIX" "NRPE \"check_mailq\" for postfix is missing" - else - { test -e /etc/nagios/nrpe.cfg \ - && grep -qr "^command.*check_mailq -M postfix" /etc/nagios/nrpe.*; - } || failed "IS_NRPEPOSTFIX" "NRPE \"check_mailq\" for postfix is missing" - fi + { test -e /etc/nagios/nrpe.cfg \ + && grep -qr "^command.*check_mailq -M postfix" /etc/nagios/nrpe.*; + } || failed "IS_NRPEPOSTFIX" "NRPE \"check_mailq\" for postfix is missing" fi } # Check if mod-security config file is present -check_modsecurity() { - if is_debian_squeeze; then - if is_installed libapache-mod-security; then - test -e /etc/apache2/conf.d/mod-security2.conf || failed "IS_MODSECURITY" "missing configuration file" - fi - elif is_debian_wheezy; then - if is_installed libapache2-modsecurity; then - test -e /etc/apache2/conf.d/mod-security2.conf || failed "IS_MODSECURITY" "missing configuration file" - fi - fi -} check_customsudoers() { grep -E -qr "umask=0077" /etc/sudoers* || failed "IS_CUSTOMSUDOERS" "missing umask=0077 in sudoers file" } 
@@ -226,46 +162,15 @@ check_syslogconf() { || failed "IS_SYSLOGCONF" "syslog evolix config file missing" } check_debiansecurity() { - if is_debian_bullseye; then - # https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.html#security-archive - # https://www.debian.org/security/ - pattern="^deb ?(\[.*\])? ?http://security\.debian\.org/debian-security/? bullseye-security main" - elif is_debian_buster; then - pattern="^deb ?(\[.*\])? ?http://security\.debian\.org/debian-security/? buster/updates main" - elif is_debian_stretch; then - pattern="^deb ?(\[.*\])? ?http://security\.debian\.org/debian-security/? stretch/updates main" - else - pattern="^deb.*security" - fi - - source_file="/etc/apt/sources.list" - grep -qE "${pattern}" "${source_file}" || failed "IS_DEBIANSECURITY" "missing debian security repository" -} -check_aptitudeonly() { - if is_debian_squeeze || is_debian_wheezy; then - test -e /usr/bin/apt-get && failed "IS_APTITUDEONLY" \ - "only aptitude may be enabled on Debian <=7, apt-get should be disabled" - fi + # Look for enabled "Debian-Security" sources from the "Debian" origin + apt-cache policy | grep "\bl=Debian-Security\b" | grep "\bo=Debian\b" | grep --quiet "\bc=main\b" + test $? 
-eq 0 || failed "IS_DEBIANSECURITY" "missing Debian-Security repository" } check_aptitude() { - if is_debian_jessie || is_debian_stretch || is_debian_buster || is_debian_bullseye; then - test -e /usr/bin/aptitude && failed "IS_APTITUDE" "aptitude may not be installed on Debian >=8" - fi + test -e /usr/bin/aptitude && failed "IS_APTITUDE" "aptitude may not be installed on Debian >=8" } check_aptgetbak() { - if is_debian_jessie || is_debian_stretch || is_debian_buster || is_debian_bullseye; then - test -e /usr/bin/apt-get.bak && failed "IS_APTGETBAK" "prohibit the installation of apt-get.bak with dpkg-divert(1)" - fi -} -check_apticron() { - status="OK" - test -e /etc/cron.d/apticron || status="fail" - test -e /etc/cron.daily/apticron && status="fail" - test "$status" = "fail" || test -e /usr/bin/apt-get.bak || status="fail" - - if is_debian_squeeze || is_debian_wheezy; then - test "$status" = "fail" && failed "IS_APTICRON" "apticron must be in cron.d not cron.daily" - fi + test -e /usr/bin/apt-get.bak && failed "IS_APTGETBAK" "prohibit the installation of apt-get.bak with dpkg-divert(1)" } check_usrro() { grep /usr /etc/fstab | grep -qE "\bro\b" || failed "IS_USRRO" "missing ro directive on fstab for /usr" @@ -290,19 +195,8 @@ check_mountfstab() { fi } check_listchangesconf() { - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - if is_installed apt-listchanges; then - failed "IS_LISTCHANGESCONF" "apt-listchanges must not be installed on Debian >=9" - fi - else - if [ -e "/etc/apt/listchanges.conf" ]; then - lines=$(grep -cE "(which=both|confirm=1)" /etc/apt/listchanges.conf) - if [ "$lines" != 2 ]; then - failed "IS_LISTCHANGESCONF" "apt-listchanges config is incorrect" - fi - else - failed "IS_LISTCHANGESCONF" "apt-listchanges config is missing" - fi + if is_installed apt-listchanges; then + failed "IS_LISTCHANGESCONF" "apt-listchanges must not be installed on Debian >=9" fi } check_customcrontab() { 
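Review bot: The rewritten check_debiansecurity accepts any enabled source labelled Debian-Security, so a security entry left over from a previous release (the old codename after a dist-upgrade) still satisfies IS_DEBIANSECURITY although the running release receives no security updates from it. Adding the codename to the pipeline ties the check to the current release, e.g. `... | grep "\bl=Debian-Security\b" | grep "\bn=${DEBIAN_RELEASE}\b" | grep --quiet "\bc=main\b"`; the exact `n=` value apt prints for the stretch/buster `/updates` suites should be confirmed before relying on it. The `test $? -eq 0 ||` step is redundant: `|| failed "IS_DEBIANSECURITY" "missing Debian-Security repository"` can be chained directly onto the last grep.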
@@ -321,14 +215,7 @@ check_tmoutprofile() { grep -sq "TMOUT=" /etc/profile /etc/profile.d/evolinux.sh || failed "IS_TMOUTPROFILE" "TMOUT is not set" } check_alert5boot() { - if is_debian_buster || is_debian_bullseye; then - grep -qs "^date" /usr/share/scripts/alert5.sh || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script" - if [ -f /etc/systemd/system/alert5.service ]; then - systemctl is-enabled alert5.service -q || failed "IS_ALERT5BOOT" "alert5 unit is not enabled" - else - failed "IS_ALERT5BOOT" "alert5 unit file is missing" - fi - else + if is_debian_stretch; then if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then grep -q "^date" /etc/rc2.d/S*alert5 || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script" elif [ -n "$(find /etc/init.d/ -name 'alert5')" ]; then @@ -336,13 +223,17 @@ check_alert5boot() { else failed "IS_ALERT5BOOT" "alert5 init script is missing" fi + else + grep -qs "^date" /usr/share/scripts/alert5.sh || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script" + if [ -f /etc/systemd/system/alert5.service ]; then + systemctl is-enabled alert5.service -q || failed "IS_ALERT5BOOT" "alert5 unit is not enabled" + else + failed "IS_ALERT5BOOT" "alert5 unit file is missing" + fi fi } check_alert5minifw() { - if is_debian_buster || is_debian_bullseye; then - grep -qs "^/etc/init.d/minifirewall" /usr/share/scripts/alert5.sh \ - || failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 script or script is missing" - else + if is_debian_stretch; then if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then grep -q "^/etc/init.d/minifirewall" /etc/rc2.d/S*alert5 \ || failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 init script" 
@@ -352,6 +243,9 @@ check_alert5minifw() { else failed "IS_ALERT5MINIFW" "alert5 init script is missing" fi + else + grep -qs "^/etc/init.d/minifirewall" /usr/share/scripts/alert5.sh \ + || failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 script or script is missing" fi } check_minifw() { @@ -360,8 +254,8 @@ check_minifw() { } check_minifw_includes() { if is_debian_bullseye; then - if grep -q -e '/sbin/iptables' -e '/sbin/ip6tables' "${MINIFW_FILE}"; then - failed "IS_MINIFWINCLUDES" "minifirewall has direct iptables invocations in ${MINIFW_FILE} that should go in /etc/minifirewall.d/" + if grep -q -e '/sbin/iptables' -e '/sbin/ip6tables' "/etc/default/minifirewall"; then + failed "IS_MINIFWINCLUDES" "minifirewall has direct iptables invocations in /etc/default/minifirewall that should go in /etc/minifirewall.d/" fi fi } @@ -374,10 +268,10 @@ check_nrpeperms() { fi } check_minifwperms() { - if [ -f "$MINIFW_FILE" ]; then - actual=$(stat --format "%a" "$MINIFW_FILE") + if [ -f "/etc/default/minifirewall" ]; then + actual=$(stat --format "%a" "/etc/default/minifirewall") expected="600" - test "$expected" = "$actual" || failed "IS_MINIFWPERMS" "${MINIFW_FILE} must be ${expected}" + test "$expected" = "$actual" || failed "IS_MINIFWPERMS" "/etc/default/minifirewall must be ${expected}" fi } check_nrpedisks() { @@ -390,7 +284,7 @@ check_nrpepid() { { test -e /etc/nagios/nrpe.cfg \ && grep -q "^pid_file=/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg; } || failed "IS_NRPEPID" "missing or wrong pid_file directive in nrpe.cfg" - elif ! is_debian_squeeze; then + else { test -e /etc/nagios/nrpe.cfg \ && grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg; } || failed "IS_NRPEPID" "missing or wrong pid_file directive in nrpe.cfg" 
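Review bot: check_minifw_includes still runs only under `if is_debian_bullseye; then`, so now that detect_os maps Debian 12 to bookworm and `is_debian_bookworm` exists, bookworm hosts get no check for direct iptables calls in /etc/default/minifirewall; if the rule applies to bullseye and later, `if is_debian_bullseye || is_debian_bookworm; then` is the intended guard. Separately, the literal `/etc/default/minifirewall` that replaces `$MINIFW_FILE` is now repeated in this hunk, in check_minifwperms below it, and later in check_squid and check_evomaintenance_fw; a single top-level `readonly MINIFW_FILE="/etc/default/minifirewall"` would keep the path in one place and the failure messages consistent.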
@@ -405,20 +299,11 @@ check_grsecprocs() { } check_apachemunin() { if test -e /etc/apache2/apache2.conf; then - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - { test -h /etc/apache2/mods-enabled/status.load \ - && test -h /etc/munin/plugins/apache_accesses \ - && test -h /etc/munin/plugins/apache_processes \ - && test -h /etc/munin/plugins/apache_volume; - } || failed "IS_APACHEMUNIN" "missing munin plugins for Apache" - else - pattern="/server-status-[[:alnum:]]{4,}" - { grep -r -q -s -E "^env.url.*${pattern}" /etc/munin/plugin-conf.d \ - && { grep -q -s -E "${pattern}" /etc/apache2/apache2.conf \ - || grep -q -s -E "${pattern}" /etc/apache2/mods-enabled/status.conf; - }; - } || failed "IS_APACHEMUNIN" "server status is not properly configured" - fi + { test -h /etc/apache2/mods-enabled/status.load \ + && test -h /etc/munin/plugins/apache_accesses \ + && test -h /etc/munin/plugins/apache_processes \ + && test -h /etc/munin/plugins/apache_volume; + } || failed "IS_APACHEMUNIN" "missing munin plugins for Apache" fi } # Verification mytop + Munin si MySQL @@ -426,7 +311,7 @@ check_mysqlutils() { MYSQL_ADMIN=${MYSQL_ADMIN:-mysqladmin} if is_installed mysql-server; then # With Debian 11 and later, root can connect to MariaDB with the socket - if is_debian_wheezy || is_debian_jessie || is_debian_stretch || is_debian_buster; then + if is_debian_stretch || is_debian_buster; then # You can configure MYSQL_ADMIN in evocheck.cf if ! grep -qs "^user *= *${MYSQL_ADMIN}" /root/.my.cnf; then failed "IS_MYSQLUTILS" "${MYSQL_ADMIN} missing in /root/.my.cnf" 
@@ -467,27 +352,23 @@ check_muninlogrotate() { } # Verification de l'activation de Squid dans le cas d'un pack mail check_squid() { - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - squidconffile="/etc/squid/evolinux-custom.conf" - else - squidconffile="/etc/squid*/squid.conf" - fi + squidconffile="/etc/squid/evolinux-custom.conf" if is_pack_web && (is_installed squid || is_installed squid3); then host=$(hostname -i) # shellcheck disable=SC2086 http_port=$(grep -E "^http_port\s+[0-9]+" $squidconffile | awk '{ print $2 }') - { grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" "$MINIFW_FILE" \ - && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d $host -j ACCEPT" "$MINIFW_FILE" \ - && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" "$MINIFW_FILE" \ - && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* $http_port" "$MINIFW_FILE"; - } || grep -qE "^PROXY='?on'?" "$MINIFW_FILE" \ + { grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" "/etc/default/minifirewall" \ + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d $host -j ACCEPT" "/etc/default/minifirewall" \ + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" "/etc/default/minifirewall" \ + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* $http_port" "/etc/default/minifirewall"; + } || grep -qE "^PROXY='?on'?" 
"/etc/default/minifirewall" \ || failed "IS_SQUID" "missing squid rules in minifirewall" fi } check_evomaintenance_fw() { - if [ -f "$MINIFW_FILE" ]; then + if [ -f "/etc/default/minifirewall" ]; then hook_db=$(grep -E '^\s*HOOK_DB' /etc/evomaintenance.cf | tr -d ' ' | cut -d= -f2) - rulesNumber=$(grep -c "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s .* -m state --state ESTABLISHED,RELATED -j ACCEPT" "$MINIFW_FILE") + rulesNumber=$(grep -c "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s .* -m state --state ESTABLISHED,RELATED -j ACCEPT" "/etc/default/minifirewall") if [ "$hook_db" = "1" ] && [ "$rulesNumber" -lt 2 ]; then failed "IS_EVOMAINTENANCE_FW" "HOOK_DB is enabled but missing evomaintenance rules in minifirewall" fi @@ -510,11 +391,7 @@ check_log2mailrunning() { fi } check_log2mailapache() { - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - conf=/etc/log2mail/config/apache - else - conf=/etc/log2mail/config/default - fi + conf=/etc/log2mail/config/Apache if is_pack_web && is_installed log2mail; then grep -s -q "^file = /var/log/apache2/error.log" $conf \ || failed "IS_LOG2MAILAPACHE" "missing log2mail directive for apache" @@ -548,17 +425,6 @@ check_bindchroot() { fi fi } -# Verification de la présence du depot volatile -check_repvolatile() { - if is_debian_lenny; then - grep -qE "^deb http://volatile.debian.org/debian-volatile" /etc/apt/sources.list \ - || failed "IS_REPVOLATILE" "missing debian-volatile repository" - fi - if is_debian_squeeze; then - grep -qE "^deb.*squeeze-updates" /etc/apt/sources.list \ - || failed "IS_REPVOLATILE" "missing squeeze-updates repository" - fi -} # /etc/network/interfaces should be present, we don't manage systemd-network yet check_network_interfaces() { if ! test -f /etc/network/interfaces; then 
@@ -569,11 +435,7 @@ check_network_interfaces() { } # Verify if all if are in auto check_autoif() { - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap|vrrp|lxcbr|wg)" | cut -d " " -f 2 | tr -d : | cut -d@ -f1 | tr "\n" " ") - else - interfaces=$(/sbin/ifconfig -s | tail -n +2 | grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap|vrrp)" | cut -d " " -f 1 |tr "\n" " ") - fi + interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap|vrrp|lxcbr|wg)" | cut -d " " -f 2 | tr -d : | cut -d@ -f1 | tr "\n" " ") for interface in $interfaces; do if grep -Rq "^iface $interface" /etc/network/interfaces* && ! grep -Rq "^auto $interface" /etc/network/interfaces*; then failed "IS_AUTOIF" "Network interface \`${interface}' is statically defined but not set to auto" @@ -590,11 +452,9 @@ check_interfacesgw() { } # Verification de l’état du service networking check_networking_service() { - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - if systemctl is-enabled networking.service > /dev/null; then - if ! systemctl is-active networking.service > /dev/null; then - failed "IS_NETWORKING_SERVICE" "networking.service is not active" - fi + if systemctl is-enabled networking.service > /dev/null; then + if ! systemctl is-active networking.service > /dev/null; then + failed "IS_NETWORKING_SERVICE" "networking.service is not active" fi fi } 
@@ -674,23 +534,21 @@ check_apacheipinallow() { } # Check if default Apache configuration file for munin is absent (or empty or commented). check_muninapacheconf() { - if is_debian_squeeze || is_debian_wheezy; then - muninconf="/etc/apache2/conf.d/munin" - else - muninconf="/etc/apache2/conf-available/munin.conf" - fi + muninconf="/etc/apache2/conf-available/munin.conf" if is_installed apache2; then test -e $muninconf && grep -vEq "^( |\t)*#" "$muninconf" \ && failed "IS_MUNINAPACHECONF" "default munin configuration may be commented or disabled" fi } -# Verification de la priorité du package samba si les backports sont utilisés -check_sambainpriority() { - if is_debian_lenny && is_pack_samba; then - if grep -qrE "^[^#].*backport" /etc/apt/sources.list{,.d}; then - priority=$(grep -E -A2 "^Package:.*samba" /etc/apt/preferences | grep -A1 "^Pin: release a=lenny-backports" | grep "^Pin-Priority:" | cut -f2 -d" ") - test "$priority" -gt 500 || failed "IS_SAMBAPINPRIORITY" "bad pinning priority for samba" - fi +# Check if default Apache configuration file for phpMyAdmin is absent (or empty or commented). +check_phpmyadminapacheconf() { + phpmyadminconf0="/etc/apache2/conf-available/phpmyadmin.conf" + phpmyadminconf1="/etc/apache2/conf-enabled/phpmyadmin.conf" + if is_installed apache2; then + test -e $phpmyadminconf0 && grep -vEq "^( |\t)*#" "$phpmyadminconf0" \ + && failed "IS_PHPMYADMINAPACHECONF" "default phpmyadmin configuration ($phpmyadminconf0) may be commented or disabled" + test -e $phpmyadminconf1 && grep -vEq "^( |\t)*#" "$phpmyadminconf1" \ + && failed "IS_PHPMYADMINAPACHECONF" "default phpmyadmin configuration ($phpmyadminconf1) may be commented or disabled" fi } # Verification si le système doit redémarrer suite màj kernel. 
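Review bot: check_phpmyadminapacheconf's `grep -vEq "^( |\t)*#"` selects every line that is not a comment, and a blank line is not a comment, so a file that is fully commented out but ends with an empty line still triggers IS_PHPMYADMINAPACHECONF. Matching blank lines as well, `grep -vEq "^[[:space:]]*(#|$)"`, makes the test agree with the "absent (or empty or commented)" wording in the comment; check_muninapacheconf in the same hunk carries the same pattern. Quoting `"$phpmyadminconf0"` and `"$phpmyadminconf1"` in the `test -e` calls would also match their quoted use on the grep side.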
@@ -833,60 +691,48 @@ check_tune2fs_m5() { done } check_evolinuxsudogroup() { - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - if grep -q "^evolinux-sudo:" /etc/group; then - if [ -f /etc/sudoers.d/evolinux ]; then - grep -qE '^%evolinux-sudo +ALL ?= ?\(ALL:ALL\) ALL' /etc/sudoers.d/evolinux \ - || failed "IS_EVOLINUXSUDOGROUP" "missing evolinux-sudo directive in sudoers file" - fi + if grep -q "^evolinux-sudo:" /etc/group; then + if [ -f /etc/sudoers.d/evolinux ]; then + grep -qE '^%evolinux-sudo +ALL ?= ?\(ALL:ALL\) ALL' /etc/sudoers.d/evolinux \ + || failed "IS_EVOLINUXSUDOGROUP" "missing evolinux-sudo directive in sudoers file" fi fi } check_userinadmgroup() { - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - users=$(grep "^evolinux-sudo:" /etc/group | awk -F: '{print $4}' | tr ',' ' ') - for user in $users; do - if ! groups "$user" | grep -q adm; then - failed "IS_USERINADMGROUP" "User $user doesn't belong to \`adm' group" - test "${VERBOSE}" = 1 || break - fi - done - fi + users=$(grep "^evolinux-sudo:" /etc/group | awk -F: '{print $4}' | tr ',' ' ') + for user in $users; do + if ! 
groups "$user" | grep -q adm; then + failed "IS_USERINADMGROUP" "User $user doesn't belong to \`adm' group" + test "${VERBOSE}" = 1 || break + fi + done } check_apache2evolinuxconf() { - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - if is_installed apache2; then - { test -L /etc/apache2/conf-enabled/z-evolinux-defaults.conf \ - && test -L /etc/apache2/conf-enabled/zzz-evolinux-custom.conf \ - && test -f /etc/apache2/ipaddr_whitelist.conf; - } || failed "IS_APACHE2EVOLINUXCONF" "missing custom evolinux apache config" - fi + if is_installed apache2; then + { test -L /etc/apache2/conf-enabled/z-evolinux-defaults.conf \ + && test -L /etc/apache2/conf-enabled/zzz-evolinux-custom.conf \ + && test -f /etc/apache2/ipaddr_whitelist.conf; + } || failed "IS_APACHE2EVOLINUXCONF" "missing custom evolinux apache config" fi } check_backportsconf() { - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - grep -qsE "^[^#].*backports" /etc/apt/sources.list \ - && failed "IS_BACKPORTSCONF" "backports can't be in main sources list" - if grep -qsE "^[^#].*backports" /etc/apt/sources.list.d/*.list; then - grep -qsE "^[^#].*backports" /etc/apt/preferences.d/* \ - || failed "IS_BACKPORTSCONF" "backports must have preferences" - fi + grep -qsE "^[^#].*backports" /etc/apt/sources.list \ + && failed "IS_BACKPORTSCONF" "backports can't be in main sources list" + if grep -qsE "^[^#].*backports" /etc/apt/sources.list.d/*.list; then + grep -qsE "^[^#].*backports" /etc/apt/preferences.d/* \ + || failed "IS_BACKPORTSCONF" "backports must have preferences" fi } check_bind9munin() { - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - if is_installed bind9; then - { test -L /etc/munin/plugins/bind9 \ - && test -e /etc/munin/plugin-conf.d/bind9; - } || failed "IS_BIND9MUNIN" "missing bind plugin for munin" - fi + if is_installed bind9; then + { test -L /etc/munin/plugins/bind9 \ + && test -e /etc/munin/plugin-conf.d/bind9; + } || failed 
"IS_BIND9MUNIN" "missing bind plugin for munin" fi } check_bind9logrotate() { - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - if is_installed bind9; then - test -e /etc/logrotate.d/bind9 || failed "IS_BIND9LOGROTATE" "missing bind logrotate file" - fi + if is_installed bind9; then + test -e /etc/logrotate.d/bind9 || failed "IS_BIND9LOGROTATE" "missing bind logrotate file" fi } check_broadcomfirmware() { @@ -917,14 +763,12 @@ check_hardwareraidtool() { fi } check_log2mailsystemdunit() { - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - systemctl -q is-active log2mail.service \ - || failed "IS_LOG2MAILSYSTEMDUNIT" "log2mail unit not running" - test -f /etc/systemd/system/log2mail.service \ - || failed "IS_LOG2MAILSYSTEMDUNIT" "missing log2mail unit file" - test -f /etc/init.d/log2mail \ - && failed "IS_LOG2MAILSYSTEMDUNIT" "/etc/init.d/log2mail may be deleted (use systemd unit)" - fi + systemctl -q is-active log2mail.service \ + || failed "IS_LOG2MAILSYSTEMDUNIT" "log2mail unit not running" + test -f /etc/systemd/system/log2mail.service \ + || failed "IS_LOG2MAILSYSTEMDUNIT" "missing log2mail unit file" + test -f /etc/init.d/log2mail \ + && failed "IS_LOG2MAILSYSTEMDUNIT" "/etc/init.d/log2mail may be deleted (use systemd unit)" } check_listupgrade() { test -f /etc/cron.d/listupgrade \ 
@@ -933,13 +777,11 @@ check_listupgrade() { || failed "IS_LISTUPGRADE" "missing listupgrade script or not executable" } check_mariadbevolinuxconf() { - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - if is_installed mariadb-server; then - { test -f /etc/mysql/mariadb.conf.d/z-evolinux-defaults.cnf \ - && test -f /etc/mysql/mariadb.conf.d/zzz-evolinux-custom.cnf; - } || failed "IS_MARIADBEVOLINUXCONF" "missing mariadb custom config" + if is_installed mariadb-server; then + { test -f /etc/mysql/mariadb.conf.d/z-evolinux-defaults.cnf \ + && test -f /etc/mysql/mariadb.conf.d/zzz-evolinux-custom.cnf; + } || failed "IS_MARIADBEVOLINUXCONF" "missing mariadb custom config" fi - fi } check_sql_backup() { if (is_installed "mysql-server" || is_installed "mariadb-server"); then @@ -997,8 +839,12 @@ check_ldap_backup() { check_redis_backup() { if is_installed redis-server; then # You could change the default path in /etc/evocheck.cf - REDIS_BACKUP_PATH=${REDIS_BACKUP_PATH:-"/home/backup/dump.rdb"} - test -f "$REDIS_BACKUP_PATH" || failed "IS_REDIS_BACKUP" "Redis dump is missing (${REDIS_BACKUP_PATH})" + # REDIS_BACKUP_PATH may contain space-separated paths, example: + # REDIS_BACKUP_PATH='/home/backup/redis-instance1/dump.rdb /home/backup/redis-instance2/dump.rdb' + REDIS_BACKUP_PATH=${REDIS_BACKUP_PATH:-"/home/backup/redis/dump.rdb"} + for file in ${REDIS_BACKUP_PATH}; do + test -f "${file}" || failed "IS_REDIS_BACKUP" "Redis dump is missing (${file})" + done fi } check_elastic_backup() { 
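Review bot: The default for REDIS_BACKUP_PATH changes here from `/home/backup/dump.rdb` to `/home/backup/redis/dump.rdb`, so hosts that relied on the old default and do not set the variable in /etc/evocheck.cf will start failing IS_REDIS_BACKUP after this upgrade; that deserves a line in the comment and in the changelog, e.g. `# Default changed in 22.11 from /home/backup/dump.rdb; set REDIS_BACKUP_PATH in /etc/evocheck.cf to override`. The space-separated list also means a dump path containing a space cannot be expressed, which the comment could state explicitly.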
@@ -1020,73 +866,63 @@ check_mariadbsystemdunit() { fi } check_mysqlmunin() { - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - if is_installed mariadb-server; then - for file in mysql_bytes mysql_queries mysql_slowqueries \ - mysql_threads mysql_connections mysql_files_tables \ - mysql_innodb_bpool mysql_innodb_bpool_act mysql_innodb_io \ - mysql_innodb_log mysql_innodb_rows mysql_innodb_semaphores \ - mysql_myisam_indexes mysql_qcache mysql_qcache_mem \ - mysql_sorts mysql_tmp_tables; do + if is_installed mariadb-server; then + for file in mysql_bytes mysql_queries mysql_slowqueries \ + mysql_threads mysql_connections mysql_files_tables \ + mysql_innodb_bpool mysql_innodb_bpool_act mysql_innodb_io \ + mysql_innodb_log mysql_innodb_rows mysql_innodb_semaphores \ + mysql_myisam_indexes mysql_qcache mysql_qcache_mem \ + mysql_sorts mysql_tmp_tables; do - if [[ ! -L /etc/munin/plugins/$file ]]; then - failed "IS_MYSQLMUNIN" "missing munin plugin '$file'" - test "${VERBOSE}" = 1 || break - fi - done - munin-run mysql_commands 2> /dev/null > /dev/null - test $? -eq 0 || failed "IS_MYSQLMUNIN" "Munin plugin mysql_commands returned an error" - fi + if [[ ! -L /etc/munin/plugins/$file ]]; then + failed "IS_MYSQLMUNIN" "missing munin plugin '$file'" + test "${VERBOSE}" = 1 || break + fi + done + munin-run mysql_commands 2> /dev/null > /dev/null + test $? -eq 0 || failed "IS_MYSQLMUNIN" "Munin plugin mysql_commands returned an error" fi } check_mysqlnrpe() { - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - if is_installed mariadb-server; then - nagios_file=~nagios/.my.cnf - if ! 
test -f ${nagios_file}; then - failed "IS_MYSQLNRPE" "${nagios_file} is missing" - elif [ "$(stat -c %U ${nagios_file})" != "nagios" ] \ - || [ "$(stat -c %a ${nagios_file})" != "600" ]; then - failed "IS_MYSQLNRPE" "${nagios_file} has wrong permissions" - else - grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql" /etc/nagios/nrpe.d/evolix.cfg \ - || failed "IS_MYSQLNRPE" "check_mysql is missing" - fi + if is_installed mariadb-server; then + nagios_file=~nagios/.my.cnf + if ! test -f ${nagios_file}; then + failed "IS_MYSQLNRPE" "${nagios_file} is missing" + elif [ "$(stat -c %U ${nagios_file})" != "nagios" ] \ + || [ "$(stat -c %a ${nagios_file})" != "600" ]; then + failed "IS_MYSQLNRPE" "${nagios_file} has wrong permissions" + else + grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql" /etc/nagios/nrpe.d/evolix.cfg \ + || failed "IS_MYSQLNRPE" "check_mysql is missing" + fi fi - fi } check_phpevolinuxconf() { - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - is_debian_stretch && phpVersion="7.0" - is_debian_buster && phpVersion="7.3" - is_debian_bullseye && phpVersion="7.4" - if is_installed php; then - { test -f /etc/php/${phpVersion}/cli/conf.d/z-evolinux-defaults.ini \ - && test -f /etc/php/${phpVersion}/cli/conf.d/zzz-evolinux-custom.ini - } || failed "IS_PHPEVOLINUXCONF" "missing php evolinux config" - fi + is_debian_stretch && phpVersion="7.0" + is_debian_buster && phpVersion="7.3" + is_debian_bullseye && phpVersion="7.4" + if is_installed php; then + { test -f /etc/php/${phpVersion}/cli/conf.d/z-evolinux-defaults.ini \ + && test -f /etc/php/${phpVersion}/cli/conf.d/zzz-evolinux-custom.ini + } || failed "IS_PHPEVOLINUXCONF" "missing php evolinux config" fi } check_squidlogrotate() { - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - if is_installed squid; then - grep -q -e monthly -e daily /etc/logrotate.d/squid \ - || failed "IS_SQUIDLOGROTATE" "missing squid logrotate file" - fi 
+ if is_installed squid; then + grep -q -e monthly -e daily /etc/logrotate.d/squid \ + || failed "IS_SQUIDLOGROTATE" "missing squid logrotate file" fi } check_squidevolinuxconf() { - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - if is_installed squid; then - { grep -qs "^CONFIG=/etc/squid/evolinux-defaults.conf$" /etc/default/squid \ - && test -f /etc/squid/evolinux-defaults.conf \ - && test -f /etc/squid/evolinux-whitelist-defaults.conf \ - && test -f /etc/squid/evolinux-whitelist-custom.conf \ - && test -f /etc/squid/evolinux-acl.conf \ - && test -f /etc/squid/evolinux-httpaccess.conf \ - && test -f /etc/squid/evolinux-custom.conf; - } || failed "IS_SQUIDEVOLINUXCONF" "missing squid evolinux config" - fi + if is_installed squid; then + { grep -qs "^CONFIG=/etc/squid/evolinux-defaults.conf$" /etc/default/squid \ + && test -f /etc/squid/evolinux-defaults.conf \ + && test -f /etc/squid/evolinux-whitelist-defaults.conf \ + && test -f /etc/squid/evolinux-whitelist-custom.conf \ + && test -f /etc/squid/evolinux-acl.conf \ + && test -f /etc/squid/evolinux-httpaccess.conf \ + && test -f /etc/squid/evolinux-custom.conf; + } || failed "IS_SQUIDEVOLINUXCONF" "missing squid evolinux config" fi } check_duplicate_fs_label() { 
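Review bot: check_phpevolinuxconf only maps stretch, buster and bullseye to a phpVersion, so on bookworm (now recognised by detect_os) `${phpVersion}` is empty, the test looks at `/etc/php//cli/conf.d/...`, and every bookworm host with php installed reports "missing php evolinux config". Add a bookworm line, `is_debian_bookworm && phpVersion="8.2"`, and report the unmapped case as such rather than as a missing file: `test -n "${phpVersion}" || { failed "IS_PHPEVOLINUXCONF" "unknown php version for ${DEBIAN_RELEASE}"; return; }`. check_mysqlmunin in the same hunk uses bash `[[ ]]` while the rest of the file uses POSIX `test`; worth confirming against the script's interpreter line, which is not visible here.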
@@ -1152,41 +988,20 @@ check_apache_confenabled() { # Starting from Jessie and Apache 2.4, /etc/apache2/conf.d/ # must be replaced by conf-available/ and config files symlinked # to conf-enabled/ - if is_debian_jessie || is_debian_stretch || is_debian_buster || is_debian_bullseye; then - if [ -f /etc/apache2/apache2.conf ]; then - test -d /etc/apache2/conf.d/ \ - && failed "IS_APACHE_CONFENABLED" "apache's conf.d directory must not exists" - grep -q 'Include conf.d' /etc/apache2/apache2.conf \ - && failed "IS_APACHE_CONFENABLED" "apache2.conf must not Include conf.d" - fi + if [ -f /etc/apache2/apache2.conf ]; then + test -d /etc/apache2/conf.d/ \ + && failed "IS_APACHE_CONFENABLED" "apache's conf.d directory must not exists" + grep -q 'Include conf.d' /etc/apache2/apache2.conf \ + && failed "IS_APACHE_CONFENABLED" "apache2.conf must not Include conf.d" fi } check_meltdown_spectre() { - # For Stretch, detection is easy as the kernel use # /sys/devices/system/cpu/vulnerabilities/ - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - for vuln in meltdown spectre_v1 spectre_v2; do - test -f "/sys/devices/system/cpu/vulnerabilities/$vuln" \ - || failed "IS_MELTDOWN_SPECTRE" "vulnerable to $vuln" - test "${VERBOSE}" = 1 || break - done - # For Jessie this is quite complicated to verify and we need to use kernel config file - elif is_debian_jessie; then - if grep -q "BOOT_IMAGE=" /proc/cmdline; then - kernelPath=$(grep -Eo 'BOOT_IMAGE=[^ ]+' /proc/cmdline | cut -d= -f2) - kernelVer=${kernelPath##*/vmlinuz-} - kernelConfig="config-${kernelVer}" - # Sometimes autodetection of kernel config file fail, so we test if the file really exists. - if [ -f "/boot/${kernelConfig}" ]; then - grep -Eq '^CONFIG_PAGE_TABLE_ISOLATION=y' "/boot/$kernelConfig" \ - || failed "IS_MELTDOWN_SPECTRE" \ - "PAGE_TABLE_ISOLATION must be enabled in kernel, outdated kernel?" 
- grep -Eq '^CONFIG_RETPOLINE=y' "/boot/$kernelConfig" \ - || failed "IS_MELTDOWN_SPECTRE" \ - "RETPOLINE must be enabled in kernel, outdated kernel?" - fi - fi - fi + for vuln in meltdown spectre_v1 spectre_v2; do + test -f "/sys/devices/system/cpu/vulnerabilities/$vuln" \ + || failed "IS_MELTDOWN_SPECTRE" "vulnerable to $vuln" + test "${VERBOSE}" = 1 || break + done } check_old_home_dir() { homeDir=${homeDir:-/home} @@ -1218,7 +1033,7 @@ check_usrsharescripts() { } check_sshpermitrootno() { sshd_args="-C addr=,user=,host=,laddr=,lport=0" - if is_debian_jessie || is_debian_stretch; then + if is_debian_stretch; then # Noop, we'll use the default $sshd_args : elif is_debian_buster; then @@ -1234,17 +1049,7 @@ check_sshpermitrootno() { fi } check_evomaintenanceusers() { - if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - users=$(getent group evolinux-sudo | cut -d':' -f4 | tr ',' ' ') - else - if [ -f /etc/sudoers.d/evolinux ]; then - sudoers="/etc/sudoers.d/evolinux" - else - sudoers="/etc/sudoers" - fi - # combine users from User_Alias and sudo group - users=$({ grep "^User_Alias *ADMIN" $sudoers | cut -d= -f2 | tr -d " "; grep "^sudo" /etc/group | cut -d: -f 4; } | tr "," "\n" | sort -u) - fi + users=$(getent group evolinux-sudo | cut -d':' -f4 | tr ',' ' ') for user in $users; do user_home=$(getent passwd "$user" | cut -d: -f6) if [ -n "$user_home" ] && [ -d "$user_home" ]; then @@ -1307,17 +1112,6 @@ check_osprober() { fi } -check_jessie_backports() { - if is_debian_jessie; then - jessieBackports=$(grep -hs "jessie-backports" /etc/apt/sources.list /etc/apt/sources.list.d/*) - if test -n "$jessieBackports"; then - if ! grep -q "archive.debian.org" <<< "$jessieBackports"; then - failed "IS_JESSIE_BACKPORTS" "You must use deb http://archive.debian.org/debian/ jessie-backports main" - fi - fi - fi -} - check_apt_valid_until() { aptvalidFile="/etc/apt/apt.conf.d/99no-check-valid-until" aptvalidText="Acquire::Check-Valid-Until no;" 
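Review bot: check_meltdown_spectre still only tests that `/sys/devices/system/cpu/vulnerabilities/$vuln` exists, and that file is present on every kernel that knows about the issue whatever its mitigation state, so a kernel reporting "Vulnerable" passes while only a kernel too old to expose the file is flagged. Reading the file after the existence test closes that gap: `grep -qi '^vulnerable' "/sys/devices/system/cpu/vulnerabilities/$vuln" && failed "IS_MELTDOWN_SPECTRE" "no mitigation for $vuln"`. The surviving comment `# /sys/devices/system/cpu/vulnerabilities/` lost its first half in the removal and now reads as a fragment; `# The kernel exposes per-issue mitigation status under /sys/devices/system/cpu/vulnerabilities/` says what is left.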
@@ -1356,14 +1150,8 @@ check_nginx_letsencrypt_uptodate() {
 snippets=$(find /etc/nginx -type f -name "letsencrypt.conf")
 if [ -n "${snippets}" ]; then
 while read -r snippet; do
- if is_debian_jessie; then
- if ! grep -qE "^\s*alias\s+/.+/\.well-known/acme-challenge" "${snippet}"; then
- failed "IS_NGINX_LETSENCRYPT_UPTODATE" "Nginx snippet ${snippet} is not compatible with Nginx on Debian 8."
- fi
- else
- if grep -qE "^\s*alias\s+/.+/\.well-known/acme-challenge" "${snippet}"; then
- failed "IS_NGINX_LETSENCRYPT_UPTODATE" "Nginx snippet ${snippet} is not compatible with Nginx on Debian 9+."
- fi
+ if grep -qE "^\s*alias\s+/.+/\.well-known/acme-challenge" "${snippet}"; then
+ failed "IS_NGINX_LETSENCRYPT_UPTODATE" "Nginx snippet ${snippet} is not compatible with Nginx on Debian 9+."
 fi
 done <<< "${snippets}"
 fi
@@ -1399,11 +1187,7 @@ download_versions() {
 # evoacme 21.06
 # evomaintenance 0.6.4
 
- if is_debian; then
- versions_url="https://upgrades.evolix.org/versions-${DEBIAN_RELEASE}"
- else
- failed "IS_CHECK_VERSIONS" "error determining os release"
- fi
+ versions_url="https://upgrades.evolix.org/versions-${DEBIAN_RELEASE}"
 
 # fetch timeout, in seconds
 timeout=10
@@ -1527,8 +1311,6 @@ main() {
 main_output_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.main.XXXXX")
 files_to_cleanup="${files_to_cleanup} ${main_output_file}"
 
- MINIFW_FILE=$(minifirewall_file)
-
 test "${IS_TMP_1777:=1}" = 1 && check_tmp_1777
 test "${IS_ROOT_0700:=1}" = 1 && check_root_0700
 test "${IS_USRSHARESCRIPTS:=1}" = 1 && check_usrsharescripts
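Review bot: With the `is_debian` guard gone from download_versions, `versions_url` is built unconditionally, so an empty `DEBIAN_RELEASE` (release detection failed) produces `https://upgrades.evolix.org/versions-` and whatever the server returns for that path is then treated as the versions list, whereas the old branch reported an explicit IS_CHECK_VERSIONS failure. A one-line guard keeps that diagnostic without restoring the removed branch: `test -n "${DEBIAN_RELEASE}" || failed "IS_CHECK_VERSIONS" "error determining os release"`. The rest of download_versions, including the fetch and the parsing of the response, is outside the hunk, so I cannot see whether an empty release is caught later.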
@@ -1540,19 +1322,15 @@ main() {
 
 test "${IS_LSBRELEASE:=1}" = 1 && check_lsbrelease
 test "${IS_DPKGWARNING:=1}" = 1 && check_dpkgwarning
- test "${IS_UMASKSUDOERS:=1}" = 1 && check_umasksudoers
 test "${IS_NRPEPOSTFIX:=1}" = 1 && check_nrpepostfix
- test "${IS_MODSECURITY:=1}" = 1 && check_modsecurity
 test "${IS_CUSTOMSUDOERS:=1}" = 1 && check_customsudoers
 test "${IS_VARTMPFS:=1}" = 1 && check_vartmpfs
 test "${IS_SERVEURBASE:=1}" = 1 && check_serveurbase
 test "${IS_LOGROTATECONF:=1}" = 1 && check_logrotateconf
 test "${IS_SYSLOGCONF:=1}" = 1 && check_syslogconf
 test "${IS_DEBIANSECURITY:=1}" = 1 && check_debiansecurity
- test "${IS_APTITUDEONLY:=1}" = 1 && check_aptitudeonly
 test "${IS_APTITUDE:=1}" = 1 && check_aptitude
 test "${IS_APTGETBAK:=1}" = 1 && check_aptgetbak
- test "${IS_APTICRON:=0}" = 1 && check_apticron
 test "${IS_USRRO:=1}" = 1 && check_usrro
 test "${IS_TMPNOEXEC:=1}" = 1 && check_tmpnoexec
 test "${IS_MOUNT_FSTAB:=1}" = 1 && check_mountfstab
@@ -1584,7 +1362,6 @@ main() {
 test "${IS_LOG2MAILMYSQL:=1}" = 1 && check_log2mailmysql
 test "${IS_LOG2MAILSQUID:=1}" = 1 && check_log2mailsquid
 test "${IS_BINDCHROOT:=1}" = 1 && check_bindchroot
- test "${IS_REPVOLATILE:=1}" = 1 && check_repvolatile
 test "${IS_NETWORK_INTERFACES:=1}" = 1 && check_network_interfaces
 test "${IS_AUTOIF:=1}" = 1 && check_autoif
 test "${IS_INTERFACESGW:=1}" = 1 && check_interfacesgw
@@ -1596,7 +1373,7 @@ main() {
 test "${IS_APACHESYMLINK:=1}" = 1 && check_apachesymlink
 test "${IS_APACHEIPINALLOW:=1}" = 1 && check_apacheipinallow
 test "${IS_MUNINAPACHECONF:=1}" = 1 && check_muninapacheconf
- test "${IS_SAMBAPINPRIORITY:=1}" = 1 && check_sambainpriority
+ test "${IS_PHPMYADMINAPACHECONF:=1}" = 1 && check_phpmyadminapacheconf
 test "${IS_KERNELUPTODATE:=1}" = 1 && check_kerneluptodate
 test "${IS_UPTIME:=1}" = 1 && check_uptime
 test "${IS_MUNINRUNNING:=1}" = 1 && check_muninrunning
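Review bot: The new `test "${IS_PHPMYADMINAPACHECONF:=1}" = 1 && check_phpmyadminapacheconf` line enables that check by default, yet none of the visible hunks of this file add a `check_phpmyadminapacheconf` function (the only definition in view is in the separate evocheck.wheezy.sh file); if it is not defined elsewhere in this file, every run of main will emit a `command not found` for it, so this is worth confirming against the full file. The removed `IS_SAMBAPINPRIORITY` line also means that an `IS_SAMBAPINPRIORITY=…` setting left in an existing evocheck.cf now silently does nothing, which a comment in the config template or a changelog entry would make visible to operators. main's body continues outside the hunk.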
@@ -1637,7 +1414,6 @@ main() {
 test "${IS_OLD_HOME_DIR:=0}" = 1 && check_old_home_dir
 test "${IS_EVOBACKUP_INCS:=1}" = 1 && check_evobackup_incs
 test "${IS_OSPROBER:=1}" = 1 && check_osprober
- test "${IS_JESSIE_BACKPORTS:=1}" = 1 && check_jessie_backports
 test "${IS_APT_VALID_UNTIL:=1}" = 1 && check_apt_valid_until
 test "${IS_CHROOTED_BINARY_UPTODATE:=1}" = 1 && check_chrooted_binary_uptodate
 test "${IS_NGINX_LETSENCRYPT_UPTODATE:=1}" = 1 && check_nginx_letsencrypt_uptodate
diff --git a/evocheck/files/evocheck.wheezy.sh b/evocheck/files/evocheck.wheezy.sh
new file mode 100755
index 00000000..cd41cb50
--- /dev/null
+++ b/evocheck/files/evocheck.wheezy.sh
@@ -0,0 +1,1252 @@ +#!/bin/bash + +# EvoCheck +# Script to verify compliance of a Linux (Debian) server +# powered by Evolix + +VERSION="22.11" +readonly VERSION + +# base functions + +show_version() { + cat <, + Romain Dessort , + Benoit Série , + Gregory Colpart , + Jérémy Lecour , + Tristan Pilat , + Victor Laborie , + Alexis Ben Miloud--Josselin , + and others. + +evocheck comes with ABSOLUTELY NO WARRANTY. This is free software, +and you are welcome to redistribute it under certain conditions. +See the GNU General Public License v3.0 for details. +END +} +show_help() { + cat <&2 + echo "This version is built for Debian 7 only." >&2 + exit + fi + + if [ -x "${LSB_RELEASE_BIN}" ]; then + DEBIAN_RELEASE=$(${LSB_RELEASE_BIN} --codename --short) + else + case ${DEBIAN_MAIN_VERSION} in + 5) DEBIAN_RELEASE="lenny";; + 6) DEBIAN_RELEASE="squeeze";; + 7) DEBIAN_RELEASE="wheezy";; + esac + fi + fi +} + +is_debian_lenny() { + test "${DEBIAN_RELEASE}" = "lenny" +} +is_debian_squeeze() { + test "${DEBIAN_RELEASE}" = "squeeze" +} +is_debian_wheezy() { + test "${DEBIAN_RELEASE}" = "wheezy" +} + +is_pack_web(){ + test -e /usr/share/scripts/web-add.sh || test -e /usr/share/scripts/evoadmin/web-add.sh +} +is_pack_samba(){ + test -e /usr/share/scripts/add.pl +} +is_installed(){ + for pkg in "$@"; do + dpkg -l "$pkg" 2> /dev/null | grep -q -E '^(i|h)i' || return 1 + done +} + +# logging + +failed() { + check_name=$1 + shift + check_comments=$* + + RC=1 + if [ "${QUIET}" != 1 ]; then + if [ -n "${check_comments}" ] && [ "${VERBOSE}" = 1 ]; then + printf "%s FAILED! %s\n" "${check_name}" "${check_comments}" >> "${main_output_file}" + else + printf "%s FAILED!\n" "${check_name}" >> "${main_output_file}" + fi + fi +} + +# check functions + +check_lsbrelease(){ + if [ -x "${LSB_RELEASE_BIN}" ]; then + ## only the major version matters + lhs=$(${LSB_RELEASE_BIN} --release --short | cut -d "." -f 1) + rhs=$(cut -d "." 
-f 1 < /etc/debian_version) + test "$lhs" = "$rhs" || failed "IS_LSBRELEASE" "release is not consistent between lsb_release (${lhs}) and /etc/debian_version (${rhs})" + else + failed "IS_LSBRELEASE" "lsb_release is missing or not executable" + fi +} +check_dpkgwarning() { + if [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ]; then + test -e /etc/apt/apt.conf.d/80evolinux \ + || failed "IS_DPKGWARNING" "/etc/apt/apt.conf.d/80evolinux is missing" + test -e /etc/apt/apt.conf \ + && failed "IS_DPKGWARNING" "/etc/apt/apt.conf is missing" + fi +} +# Verifying check_mailq in Nagios NRPE config file. (Option "-M postfix" need to be set if the MTA is Postfix) +check_nrpepostfix() { + if is_installed postfix; then + { test -e /etc/nagios/nrpe.cfg \ + && grep -qr "^command.*check_mailq -M postfix" /etc/nagios/nrpe.*; + } || failed "IS_NRPEPOSTFIX" "NRPE \"check_mailq\" for postfix is missing" + fi +} +# Check if mod-security config file is present +check_modsecurity() { + if is_installed libapache2-modsecurity; then + test -e /etc/apache2/conf.d/mod-security2.conf || failed "IS_MODSECURITY" "missing configuration file" + fi +} +check_customsudoers() { + grep -E -qr "umask=0077" /etc/sudoers* || failed "IS_CUSTOMSUDOERS" "missing umask=0077 in sudoers file" +} +check_vartmpfs() { + FINDMNT_BIN=$(command -v findmnt) + if [ -x "${FINDMNT_BIN}" ]; then + ${FINDMNT_BIN} /var/tmp --type tmpfs --noheadings > /dev/null || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs" + else + df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs" + fi +} +check_serveurbase() { + is_installed serveur-base || failed "IS_SERVEURBASE" "serveur-base package is not installed" +} +check_logrotateconf() { + test -e /etc/logrotate.d/zsyslog || failed "IS_LOGROTATECONF" "missing zsyslog in logrotate.d" +} +check_syslogconf() { + grep -q "^# Syslog for Pack Evolix serveur" /etc/*syslog.conf \ + || failed "IS_SYSLOGCONF" "syslog evolix config file missing" +} +check_debiansecurity() { + # 
Look for enabled "Debian-Security" sources from the "Debian" origin + apt-cache policy | grep "\bl=Debian-Security\b" | grep "\bo=Debian\b" | grep --quiet "\bc=main\b" + test $? -eq 0 || failed "IS_DEBIANSECURITY" "missing Debian-Security repository" +} +check_aptitudeonly() { + test -e /usr/bin/apt-get && failed "IS_APTITUDEONLY" \ + "only aptitude may be enabled on Debian <=7, apt-get should be disabled" +} + +check_apticron() { + status="OK" + test -e /etc/cron.d/apticron || status="fail" + test -e /etc/cron.daily/apticron && status="fail" + test "$status" = "fail" || test -e /usr/bin/apt-get.bak || status="fail" + + test "$status" = "fail" && failed "IS_APTICRON" "apticron must be in cron.d not cron.daily" +} +check_usrro() { + grep /usr /etc/fstab | grep -qE "\bro\b" || failed "IS_USRRO" "missing ro directive on fstab for /usr" +} +check_tmpnoexec() { + FINDMNT_BIN=$(command -v findmnt) + if [ -x "${FINDMNT_BIN}" ]; then + options=$(${FINDMNT_BIN} --noheadings --first-only --output OPTIONS /tmp) + echo "${options}" | grep -qE "\bnoexec\b" || failed "IS_TMPNOEXEC" "/tmp is not mounted with 'noexec'" + else + mount | grep "on /tmp" | grep -qE "\bnoexec\b" || failed "IS_TMPNOEXEC" "/tmp is not mounted with 'noexec' (WARNING: findmnt(8) is not found)" + fi +} +check_mountfstab() { + # Test if lsblk available, if not skip this test... 
+ LSBLK_BIN=$(command -v lsblk) + if test -x "${LSBLK_BIN}"; then + for mountPoint in $(${LSBLK_BIN} -o MOUNTPOINT -l -n | grep '/'); do + grep -Eq "$mountPoint\W" /etc/fstab \ + || failed "IS_MOUNT_FSTAB" "partition(s) detected mounted but no presence in fstab" + done + fi +} +check_listchangesconf() { + if [ -e "/etc/apt/listchanges.conf" ]; then + lines=$(grep -cE "(which=both|confirm=1)" /etc/apt/listchanges.conf) + if [ "$lines" != 2 ]; then + failed "IS_LISTCHANGESCONF" "apt-listchanges config is incorrect" + fi + else + failed "IS_LISTCHANGESCONF" "apt-listchanges config is missing" + fi +} +check_customcrontab() { + found_lines=$(grep -c -E "^(17 \*|25 6|47 6|52 6)" /etc/crontab) + test "$found_lines" = 4 && failed "IS_CUSTOMCRONTAB" "missing custom field in crontab" +} +check_sshallowusers() { + grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d \ + || failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config" +} +check_diskperf() { + perfFile="/root/disk-perf.txt" + test -e $perfFile || failed "IS_DISKPERF" "missing ${perfFile}" +} +check_tmoutprofile() { + grep -sq "TMOUT=" /etc/profile /etc/profile.d/evolinux.sh || failed "IS_TMOUTPROFILE" "TMOUT is not set" +} +check_alert5boot() { + if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then + grep -q "^date" /etc/rc2.d/S*alert5 || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script" + elif [ -n "$(find /etc/init.d/ -name 'alert5')" ]; then + grep -q "^date" /etc/init.d/alert5 || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 int script" + else + failed "IS_ALERT5BOOT" "alert5 init script is missing" + fi +} +check_alert5minifw() { + if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then + grep -q "^/etc/init.d/minifirewall" /etc/rc2.d/S*alert5 \ + || failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 init script" + elif [ -n "$(find /etc/init.d/ -name 'alert5')" ]; then + grep -q "^/etc/init.d/minifirewall" 
/etc/init.d/alert5 \ + || failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 init script" + else + failed "IS_ALERT5MINIFW" "alert5 init script is missing" + fi +} +check_minifw() { + /sbin/iptables -L -n | grep -q -E "^ACCEPT\s*all\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" \ + || failed "IS_MINIFW" "minifirewall seems not started" +} +check_nrpeperms() { + if [ -d /etc/nagios ]; then + nagiosDir="/etc/nagios" + actual=$(stat --format "%a" $nagiosDir) + expected="750" + test "$expected" = "$actual" || failed "IS_NRPEPERMS" "${nagiosDir} must be ${expected}" + fi +} +check_minifwperms() { + if [ -f "/etc/firewall.rc" ]; then + actual=$(stat --format "%a" "/etc/firewall.rc") + expected="600" + test "$expected" = "$actual" || failed "IS_MINIFWPERMS" "/etc/firewall.rc must be ${expected}" + fi +} +check_nrpedisks() { + NRPEDISKS=$(grep command.check_disk /etc/nagios/nrpe.cfg | grep "^command.check_disk[0-9]" | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1) + DFDISKS=$(df -Pl | grep -c -E -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)") + test "$NRPEDISKS" = "$DFDISKS" || failed "IS_NRPEDISKS" "there must be $DFDISKS check_disk in nrpe.cfg" +} +check_nrpepid() { + { test -e /etc/nagios/nrpe.cfg \ + && grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg; + } || failed "IS_NRPEPID" "missing or wrong pid_file directive in nrpe.cfg" +} +check_grsecprocs() { + if uname -a | grep -q grsec; then + { grep -q "^command.check_total_procs..sudo" /etc/nagios/nrpe.cfg \ + && grep -A1 "^\[processes\]" /etc/munin/plugin-conf.d/munin-node | grep -q "^user root"; + } || failed "IS_GRSECPROCS" "missing munin's plugin processes directive for grsec" + fi +} +check_apachemunin() { + if test -e /etc/apache2/apache2.conf; then + pattern="/server-status-[[:alnum:]]{4,}" + { grep -r -q -s -E "^env.url.*${pattern}" /etc/munin/plugin-conf.d \ + && { grep -q -s -E "${pattern}" /etc/apache2/apache2.conf \ + || grep -q -s -E "${pattern}" 
/etc/apache2/mods-enabled/status.conf; + }; + } || failed "IS_APACHEMUNIN" "server status is not properly configured" + fi +} +# Verification mytop + Munin si MySQL +check_mysqlutils() { + MYSQL_ADMIN=${MYSQL_ADMIN:-mysqladmin} + if is_installed mysql-server; then + # You can configure MYSQL_ADMIN in evocheck.cf + if ! grep -qs "^user *= *${MYSQL_ADMIN}" /root/.my.cnf; then + failed "IS_MYSQLUTILS" "${MYSQL_ADMIN} missing in /root/.my.cnf" + fi + if ! test -x /usr/bin/mytop; then + if ! test -x /usr/local/bin/mytop; then + failed "IS_MYSQLUTILS" "mytop binary missing" + fi + fi + if ! grep -qs '^user *=' /root/.mytop; then + failed "IS_MYSQLUTILS" "credentials missing in /root/.mytop" + fi + fi +} +# Verification de la configuration du raid soft (mdadm) +check_raidsoft() { + if test -e /proc/mdstat && grep -q md /proc/mdstat; then + { grep -q "^AUTOCHECK=true" /etc/default/mdadm \ + && grep -q "^START_DAEMON=true" /etc/default/mdadm \ + && grep -qv "^MAILADDR ___MAIL___" /etc/mdadm/mdadm.conf; + } || failed "IS_RAIDSOFT" "missing or wrong config for mdadm" + fi +} +# Verification du LogFormat de AWStats +check_awstatslogformat() { + if is_installed apache2 awstats; then + awstatsFile="/etc/awstats/awstats.conf.local" + grep -qE '^LogFormat=1' $awstatsFile \ + || failed "IS_AWSTATSLOGFORMAT" "missing or wrong LogFormat directive in $awstatsFile" + fi +} +# Verification de la présence de la config logrotate pour Munin +check_muninlogrotate() { + { test -e /etc/logrotate.d/munin-node \ + && test -e /etc/logrotate.d/munin; + } || failed "IS_MUNINLOGROTATE" "missing lorotate file for munin" +} +# Verification de l'activation de Squid dans le cas d'un pack mail +check_squid() { + squidconffile="/etc/squid*/squid.conf" + if is_pack_web && (is_installed squid || is_installed squid3); then + host=$(hostname -i) + # shellcheck disable=SC2086 + http_port=$(grep -E "^http_port\s+[0-9]+" $squidconffile | awk '{ print $2 }') + { grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp 
--dport 80 -m owner --uid-owner proxy -j ACCEPT" "/etc/firewall.rc" \ + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d $host -j ACCEPT" "/etc/firewall.rc" \ + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" "/etc/firewall.rc" \ + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* $http_port" "/etc/firewall.rc"; + } || grep -qE "^PROXY='?on'?" "/etc/firewall.rc" \ + || failed "IS_SQUID" "missing squid rules in minifirewall" + fi +} +check_evomaintenance_fw() { + if [ -f "/etc/firewall.rc" ]; then + hook_db=$(grep -E '^\s*HOOK_DB' /etc/evomaintenance.cf | tr -d ' ' | cut -d= -f2) + rulesNumber=$(grep -c "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s .* -m state --state ESTABLISHED,RELATED -j ACCEPT" "/etc/firewall.rc") + if [ "$hook_db" = "1" ] && [ "$rulesNumber" -lt 2 ]; then + failed "IS_EVOMAINTENANCE_FW" "HOOK_DB is enabled but missing evomaintenance rules in minifirewall" + fi + fi +} +# Verification de la conf et de l'activation de mod-deflate +check_moddeflate() { + f=/etc/apache2/mods-enabled/deflate.conf + if is_installed apache2.2; then + { test -e $f && grep -q "AddOutputFilterByType DEFLATE text/html text/plain text/xml" $f \ + && grep -q "AddOutputFilterByType DEFLATE text/css" $f \ + && grep -q "AddOutputFilterByType DEFLATE application/x-javascript application/javascript" $f; + } || failed "IS_MODDEFLATE" "missing AddOutputFilterByType directive for apache mod deflate" + fi +} +# Verification de la conf log2mail +check_log2mailrunning() { + if is_pack_web && is_installed log2mail; then + pgrep log2mail >/dev/null || failed "IS_LOG2MAILRUNNING" "log2mail is not running" + fi +} +check_log2mailapache() { + conf=/etc/log2mail/config/default + if is_pack_web && is_installed log2mail; then + grep -s -q "^file = /var/log/apache2/error.log" $conf \ + || failed "IS_LOG2MAILAPACHE" "missing log2mail directive for apache" + fi +} 
+check_log2mailmysql() { + if is_pack_web && is_installed log2mail; then + grep -s -q "^file = /var/log/syslog" /etc/log2mail/config/{default,mysql,mysql.conf} \ + || failed "IS_LOG2MAILMYSQL" "missing log2mail directive for mysql" + fi +} +check_log2mailsquid() { + if is_pack_web && is_installed log2mail; then + grep -s -q "^file = /var/log/squid.*/access.log" /etc/log2mail/config/* \ + || failed "IS_LOG2MAILSQUID" "missing log2mail directive for squid" + fi +} +# Verification si bind est chroote +check_bindchroot() { + if is_installed bind9; then + if netstat -utpln | grep "/named" | grep :53 | grep -qvE "(127.0.0.1|::1)"; then + if grep -q '^OPTIONS=".*-t' /etc/default/bind9 && grep -q '^OPTIONS=".*-u' /etc/default/bind9; then + md5_original=$(md5sum /usr/sbin/named | cut -f 1 -d ' ') + md5_chrooted=$(md5sum /var/chroot-bind/usr/sbin/named | cut -f 1 -d ' ') + if [ "$md5_original" != "$md5_chrooted" ]; then + failed "IS_BINDCHROOT" "the chrooted bind binary is different than the original binary" + fi + else + failed "IS_BINDCHROOT" "bind process is not chrooted" + fi + fi + fi +} +# /etc/network/interfaces should be present, we don't manage systemd-network yet +check_network_interfaces() { + if ! test -f /etc/network/interfaces; then + IS_AUTOIF=0 + IS_INTERFACESGW=0 + failed "IS_NETWORK_INTERFACES" "systemd network configuration is not supported yet" + fi +} +# Verify if all if are in auto +check_autoif() { + interfaces=$(/sbin/ifconfig -s | tail -n +2 | grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap|vrrp)" | cut -d " " -f 1 |tr "\n" " ") + for interface in $interfaces; do + if grep -Rq "^iface $interface" /etc/network/interfaces* && ! 
grep -Rq "^auto $interface" /etc/network/interfaces*; then + failed "IS_AUTOIF" "Network interface \`${interface}' is statically defined but not set to auto" + test "${VERBOSE}" = 1 || break + fi + done +} +# Network conf verification +check_interfacesgw() { + number=$(grep -Ec "^[^#]*gateway [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" /etc/network/interfaces) + test "$number" -gt 1 && failed "IS_INTERFACESGW" "there is more than 1 IPv4 gateway" + number=$(grep -Ec "^[^#]*gateway [0-9a-fA-F]+:" /etc/network/interfaces) + test "$number" -gt 1 && failed "IS_INTERFACESGW" "there is more than 1 IPv6 gateway" +} +# Verification de la mise en place d'evobackup +check_evobackup() { + evobackup_found=$(find /etc/cron* -name '*evobackup*' | wc -l) + test "$evobackup_found" -gt 0 || failed "IS_EVOBACKUP" "missing evobackup cron" +} +# Vérification de l'exclusion des montages (NFS) dans les sauvegardes +check_evobackup_exclude_mount() { + excludes_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.evobackup_exclude_mount.XXXXX") + files_to_cleanup="${files_to_cleanup} ${excludes_file}" + + # shellcheck disable=SC2044 + for evobackup_file in $(find /etc/cron* -name '*evobackup*' | grep -v -E ".disabled$"); do + # if the file seems to be a backup script, with an Rsync invocation + if grep -q "^\s*rsync" "${evobackup_file}"; then + # If rsync is not limited by "one-file-system" + # then we verify that every mount is excluded + if ! 
grep -q -- "^\s*--one-file-system" "${evobackup_file}"; then + grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}" + not_excluded=$(findmnt --type nfs,nfs4,fuse.sshfs, -o target --noheadings | grep -v -f "${excludes_file}") + for mount in ${not_excluded}; do + failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script" + done + fi + fi + done +} +# Verification de la presence du userlogrotate +check_userlogrotate() { + if is_pack_web; then + test -x /etc/cron.weekly/userlogrotate || failed "IS_USERLOGROTATE" "missing userlogrotate cron" + fi +} +# Verification de la syntaxe de la conf d'Apache +check_apachectl() { + if is_installed apache2; then + /usr/sbin/apache2ctl configtest 2>&1 | grep -q "^Syntax OK$" \ + || failed "IS_APACHECTL" "apache errors detected, run a configtest" + fi +} +# Check if there is regular files in Apache sites-enabled. +check_apachesymlink() { + if is_installed apache2; then + apacheFind=$(find /etc/apache2/sites-enabled ! -type l -type f -print) + nbApacheFind=$(wc -m <<< "$apacheFind") + if [[ $nbApacheFind -gt 1 ]]; then + if [[ $VERBOSE == 1 ]]; then + while read -r line; do + failed "IS_APACHESYMLINK" "Not a symlink: $line" + done <<< "$apacheFind" + else + failed "IS_APACHESYMLINK" + fi + fi + fi +} +# Check if there is real IP addresses in Allow/Deny directives (no trailing space, inline comments or so). +check_apacheipinallow() { + # Note: Replace "exit 1" by "print" in Perl code to debug it. + if is_installed apache2; then + grep -IrE "^[^#] *(Allow|Deny) from" /etc/apache2/ \ + | grep -iv "from all" \ + | grep -iv "env=" \ + | perl -ne 'exit 1 unless (/from( [\da-f:.\/]+)+$/i)' \ + || failed "IS_APACHEIPINALLOW" "bad (Allow|Deny) directives in apache" + fi +} +# Check if default Apache configuration file for munin is absent (or empty or commented). 
+check_muninapacheconf() { + muninconf="/etc/apache2/conf.d/munin" + if is_installed apache2; then + test -e $muninconf && grep -vEq "^( |\t)*#" "$muninconf" \ + && failed "IS_MUNINAPACHECONF" "default munin configuration may be commented or disabled" + fi +} +# Check if default Apache configuration file for phpMyAdmin is absent (or empty or commented). +check_phpmyadminapacheconf() { + phpmyadminconf0="/etc/apache2/conf-available/phpmyadmin.conf" + phpmyadminconf1="/etc/apache2/conf-enabled/phpmyadmin.conf" + if is_installed apache2; then + test -e $phpmyadminconf0 && grep -vEq "^( |\t)*#" "$phpmyadminconf0" \ + && failed "IS_PHPMYADMINAPACHECONF" "default phpmyadmin configuration ($phpmyadminconf0) may be commented or disabled" + test -e $phpmyadminconf1 && grep -vEq "^( |\t)*#" "$phpmyadminconf1" \ + && failed "IS_PHPMYADMINAPACHECONF" "default phpmyadmin configuration ($phpmyadminconf1) may be commented or disabled" + fi +} +# Verification si le système doit redémarrer suite màj kernel. +check_kerneluptodate() { + if is_installed linux-image*; then + # shellcheck disable=SC2012 + kernel_installed_at=$(date -d "$(ls --full-time -lcrt /boot | tail -n1 | awk '{print $6}')" +%s) + last_reboot_at=$(($(date +%s) - $(cut -f1 -d '.' /proc/uptime))) + if [ "$kernel_installed_at" -gt "$last_reboot_at" ]; then + failed "IS_KERNELUPTODATE" "machine is running an outdated kernel, reboot advised" + fi + fi +} +# Check if the server is running for more than a year. +check_uptime() { + if is_installed linux-image*; then + limit=$(date -d "now - 2 year" +%s) + last_reboot_at=$(($(date +%s) - $(cut -f1 -d '.' /proc/uptime))) + if [ "$limit" -gt "$last_reboot_at" ]; then + failed "IS_UPTIME" "machine has an uptime of more than 2 years, reboot on new kernel advised" + fi + fi +} +# Check if munin-node running and RRD files are up to date. +check_muninrunning() { + if ! 
pgrep munin-node >/dev/null; then + failed "IS_MUNINRUNNING" "Munin is not running" + elif [ -d "/var/lib/munin/" ] && [ -d "/var/cache/munin/" ]; then + limit=$(date +"%s" -d "now - 10 minutes") + + if [ -n "$(find /var/lib/munin/ -name '*load-g.rrd')" ]; then + updated_at=$(stat -c "%Y" /var/lib/munin/*/*load-g.rrd |sort |tail -1) + [ "$limit" -gt "$updated_at" ] && failed "IS_MUNINRUNNING" "Munin load RRD has not been updated in the last 10 minutes" + else + failed "IS_MUNINRUNNING" "Munin is not installed properly (load RRD not found)" + fi + + if [ -n "$(find /var/cache/munin/www/ -name 'load-day.png')" ]; then + updated_at=$(stat -c "%Y" /var/cache/munin/www/*/*/load-day.png |sort |tail -1) + grep -sq "^graph_strategy cron" /etc/munin/munin.conf && [ "$limit" -gt "$updated_at" ] && failed "IS_MUNINRUNNING" "Munin load PNG has not been updated in the last 10 minutes" + else + failed "IS_MUNINRUNNING" "Munin is not installed properly (load PNG not found)" + fi + else + failed "IS_MUNINRUNNING" "Munin is not installed properly (main directories are missing)" + fi +} +# Check if files in /home/backup/ are up-to-date +check_backupuptodate() { + backup_dir="/home/backup" + if [ -d "${backup_dir}" ]; then + if [ -n "$(ls -A ${backup_dir})" ]; then + find "${backup_dir}" -maxdepth 1 -type f | while read -r file; do + limit=$(date +"%s" -d "now - 2 day") + updated_at=$(stat -c "%Y" "$file") + + if [ "$limit" -gt "$updated_at" ]; then + failed "IS_BACKUPUPTODATE" "$file has not been backed up" + test "${VERBOSE}" = 1 || break; + fi + done + else + failed "IS_BACKUPUPTODATE" "${backup_dir}/ is empty" + fi + else + failed "IS_BACKUPUPTODATE" "${backup_dir}/ is missing" + fi +} +check_etcgit() { + export GIT_DIR="/etc/.git" GIT_WORK_TREE="/etc" + git rev-parse --is-inside-work-tree > /dev/null 2>&1 \ + || failed "IS_ETCGIT" "/etc is not a git repository" +} +# Check if /etc/.git/ has read/write permissions for root only. 
+check_gitperms() { + GIT_DIR="/etc/.git" + if test -d $GIT_DIR; then + expected="700" + actual=$(stat -c "%a" $GIT_DIR) + [ "$expected" = "$actual" ] || failed "IS_GITPERMS" "$GIT_DIR must be $expected" + fi +} +# Check if no package has been upgraded since $limit. +check_notupgraded() { + last_upgrade=0 + upgraded=false + for log in /var/log/dpkg.log*; do + if zgrep -qsm1 upgrade "$log"; then + # There is at least one upgrade + upgraded=true + break + fi + done + if $upgraded; then + last_upgrade=$(date +%s -d "$(zgrep -h upgrade /var/log/dpkg.log* | sort -n | tail -1 | cut -f1 -d ' ')") + fi + if grep -qs '^mailto="listupgrade-todo@' /etc/evolinux/listupgrade.cnf \ + || grep -qs -E '^[[:digit:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[^\*]' /etc/cron.d/listupgrade; then + # Manual upgrade process + limit=$(date +%s -d "now - 180 days") + else + # Regular process + limit=$(date +%s -d "now - 90 days") + fi + install_date=0 + if [ -d /var/log/installer ]; then + install_date=$(stat -c %Z /var/log/installer) + fi + # Check install_date if the system never received an upgrade + if [ "$last_upgrade" -eq 0 ]; then + [ "$install_date" -lt "$limit" ] && failed "IS_NOTUPGRADED" "The system has never been updated" + else + [ "$last_upgrade" -lt "$limit" ] && failed "IS_NOTUPGRADED" "The system hasn't been updated for too long" + fi +} +# Check if reserved blocks for root is at least 5% on every mounted partitions. +check_tune2fs_m5() { + min=5 + parts=$(grep -E "ext(3|4)" /proc/mounts | cut -d ' ' -f1 | tr -s '\n' ' ') + FINDMNT_BIN=$(command -v findmnt) + for part in $parts; do + blockCount=$(dumpe2fs -h "$part" 2>/dev/null | grep -e "Block count:" | grep -Eo "[0-9]+") + # If buggy partition, skip it. 
+ if [ -z "$blockCount" ]; then + continue + fi + reservedBlockCount=$(dumpe2fs -h "$part" 2>/dev/null | grep -e "Reserved block count:" | grep -Eo "[0-9]+") + # Use awk to have a rounded percentage + # python is slow, bash is unable and bc rounds weirdly + percentage=$(awk "BEGIN { pc=100*${reservedBlockCount}/${blockCount}; i=int(pc); print (pc-i<0.5)?i:i+1 }") + + if [ "$percentage" -lt "${min}" ]; then + if [ -x "${FINDMNT_BIN}" ]; then + mount=$(${FINDMNT_BIN} --noheadings --first-only --output TARGET "${part}") + else + mount="unknown mount point" + fi + failed "IS_TUNE2FS_M5" "Partition ${part} (${mount}) has less than ${min}% reserved blocks (${percentage}%)" + fi + done +} + +check_broadcomfirmware() { + LSPCI_BIN=$(command -v lspci) + if [ -x "${LSPCI_BIN}" ]; then + if ${LSPCI_BIN} | grep -q 'NetXtreme II'; then + { is_installed firmware-bnx2 \ + && grep -q "^deb http://mirror.evolix.org/debian.* non-free" /etc/apt/sources.list; + } || failed "IS_BROADCOMFIRMWARE" "missing non-free repository" + fi + else + failed "IS_BROADCOMFIRMWARE" "lspci not found in ${PATH}" + fi +} +check_hardwareraidtool() { + LSPCI_BIN=$(command -v lspci) + if [ -x "${LSPCI_BIN}" ]; then + if ${LSPCI_BIN} | grep -q 'MegaRAID'; then + # shellcheck disable=SC2015 + is_installed megacli && { is_installed megaclisas-status || is_installed megaraidsas-status; } \ + || failed "IS_HARDWARERAIDTOOL" "Mega tools not found" + fi + if ${LSPCI_BIN} | grep -q 'Hewlett-Packard Company Smart Array'; then + is_installed cciss-vol-status || failed "IS_HARDWARERAIDTOOL" "cciss-vol-status not installed" + fi + else + failed "IS_HARDWARERAIDTOOL" "lspci not found in ${PATH}" + fi +} +check_sql_backup() { + if (is_installed "mysql-server" || is_installed "mariadb-server"); then + # You could change the default path in /etc/evocheck.cf + SQL_BACKUP_PATH=${SQL_BACKUP_PATH:-"/home/backup/mysql.bak.gz"} + for backup_path in ${SQL_BACKUP_PATH}; do + if [ ! 
-f "${backup_path}" ]; then + failed "IS_SQL_BACKUP" "MySQL dump is missing (${backup_path})" + test "${VERBOSE}" = 1 || break + fi + done + fi +} +check_postgres_backup() { + if is_installed "postgresql-9*" || is_installed "postgresql-1*"; then + # If you use something like barman, you should disable this check + # You could change the default path in /etc/evocheck.cf + POSTGRES_BACKUP_PATH=${POSTGRES_BACKUP_PATH:-"/home/backup/pg.dump.bak*"} + for backup_path in ${POSTGRES_BACKUP_PATH}; do + if [ ! -f "${backup_path}" ]; then + failed "IS_POSTGRES_BACKUP" "PostgreSQL dump is missing (${backup_path})" + test "${VERBOSE}" = 1 || break + fi + done + fi +} +check_mongo_backup() { + if is_installed "mongodb-org-server"; then + # You could change the default path in /etc/evocheck.cf + MONGO_BACKUP_PATH=${MONGO_BACKUP_PATH:-"/home/backup/mongodump"} + if [ -d "$MONGO_BACKUP_PATH" ]; then + for file in "${MONGO_BACKUP_PATH}"/*/*.{json,bson}*; do + # Skip indexes file. + if ! [[ "$file" =~ indexes ]]; then + limit=$(date +"%s" -d "now - 2 day") + updated_at=$(stat -c "%Y" "$file") + if [ -f "$file" ] && [ "$limit" -gt "$updated_at" ]; then + failed "IS_MONGO_BACKUP" "MongoDB hasn't been dumped for more than 2 days" + break + fi + fi + done + else + failed "IS_MONGO_BACKUP" "MongoDB dump directory is missing (${MONGO_BACKUP_PATH})" + fi + fi +} +check_ldap_backup() { + if is_installed slapd; then + # You could change the default path in /etc/evocheck.cf + LDAP_BACKUP_PATH=${LDAP_BACKUP_PATH:-"/home/backup/ldap.bak"} + test -f "$LDAP_BACKUP_PATH" || failed "IS_LDAP_BACKUP" "LDAP dump is missing (${LDAP_BACKUP_PATH})" + fi +} +check_redis_backup() { + if is_installed redis-server; then + # You could change the default path in /etc/evocheck.cf + # REDIS_BACKUP_PATH may contain space-separated paths, example: + # REDIS_BACKUP_PATH='/home/backup/redis-instance1/dump.rdb /home/backup/redis-instance2/dump.rdb' + 
REDIS_BACKUP_PATH=${REDIS_BACKUP_PATH:-"/home/backup/redis/dump.rdb"} + for file in ${REDIS_BACKUP_PATH}; do + test -f "${file}" || failed "IS_REDIS_BACKUP" "Redis dump is missing (${file})" + done + fi +} +check_elastic_backup() { + if is_installed elasticsearch; then + # You could change the default path in /etc/evocheck.cf + ELASTIC_BACKUP_PATH=${ELASTIC_BACKUP_PATH:-"/home/backup-elasticsearch"} + test -d "$ELASTIC_BACKUP_PATH" || failed "IS_ELASTIC_BACKUP" "Elastic snapshot is missing (${ELASTIC_BACKUP_PATH})" + fi +} +check_duplicate_fs_label() { + # Do it only if thereis blkid binary + BLKID_BIN=$(command -v blkid) + if [ -n "$BLKID_BIN" ]; then + tmpFile=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.duplicate_fs_label.XXXXX") + files_to_cleanup="${files_to_cleanup} ${tmpFile}" + + parts=$($BLKID_BIN -c /dev/null | grep -ve raid_member -e EFI_SYSPART | grep -Eo ' LABEL=".*"' | cut -d'"' -f2) + for part in $parts; do + echo "$part" >> "$tmpFile" + done + tmpOutput=$(sort < "$tmpFile" | uniq -d) + # If there is no duplicate, uniq will have no output + # So, if $tmpOutput is not null, there is a duplicate + if [ -n "$tmpOutput" ]; then + # shellcheck disable=SC2086 + labels=$(echo -n $tmpOutput | tr '\n' ' ') + failed "IS_DUPLICATE_FS_LABEL" "Duplicate labels: $labels" + fi + else + failed "IS_DUPLICATE_FS_LABEL" "blkid not found in ${PATH}" + fi +} +check_evolix_user() { + grep -q -E "^evolix:" /etc/passwd \ + && failed "IS_EVOLIX_USER" "evolix user should be deleted, used only for install" +} +check_old_home_dir() { + homeDir=${homeDir:-/home} + for dir in "$homeDir"/*; do + statResult=$(stat -c "%n has owner %u resolved as %U" "$dir" \ + | grep -Eve '.bak' -e '\.[0-9]{2}-[0-9]{2}-[0-9]{4}' \ + | grep "UNKNOWN") + # There is at least one dir matching + if [[ -n "$statResult" ]]; then + failed "IS_OLD_HOME_DIR" "$statResult" + test "${VERBOSE}" = 1 || break + fi + done +} +check_tmp_1777() { + actual=$(stat --format "%a" /tmp) + expected="1777" + test 
"$expected" = "$actual" || failed "IS_TMP_1777" "/tmp must be $expected" +} +check_root_0700() { + actual=$(stat --format "%a" /root) + expected="700" + test "$expected" = "$actual" || failed "IS_ROOT_0700" "/root must be $expected" +} +check_usrsharescripts() { + actual=$(stat --format "%a" /usr/share/scripts) + expected="700" + test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS" "/usr/share/scripts must be $expected" +} +check_sshpermitrootno() { + # shellcheck disable=SC2086 + if ! (sshd -T 2> /dev/null | grep -qi 'permitrootlogin no'); then + failed "IS_SSHPERMITROOTNO" "PermitRoot should be set to no" + fi +} +check_evomaintenanceusers() { + if [ -f /etc/sudoers.d/evolinux ]; then + sudoers="/etc/sudoers.d/evolinux" + else + sudoers="/etc/sudoers" + fi + # combine users from User_Alias and sudo group + users=$({ grep "^User_Alias *ADMIN" $sudoers | cut -d= -f2 | tr -d " "; grep "^sudo" /etc/group | cut -d: -f 4; } | tr "," "\n" | sort -u) + + for user in $users; do + user_home=$(getent passwd "$user" | cut -d: -f6) + if [ -n "$user_home" ] && [ -d "$user_home" ]; then + if ! 
grep -qs "^trap.*sudo.*evomaintenance.sh" "${user_home}"/.*profile; then + failed "IS_EVOMAINTENANCEUSERS" "${user} doesn't have an evomaintenance trap" + test "${VERBOSE}" = 1 || break + fi + fi + done +} +check_evomaintenanceconf() { + f=/etc/evomaintenance.cf + if [ -e "$f" ]; then + perms=$(stat -c "%a" $f) + test "$perms" = "600" || failed "IS_EVOMAINTENANCECONF" "Wrong permissions on \`$f' ($perms instead of 600)" + + { grep "^export PGPASSWORD" $f | grep -qv "your-passwd" \ + && grep "^PGDB" $f | grep -qv "your-db" \ + && grep "^PGTABLE" $f | grep -qv "your-table" \ + && grep "^PGHOST" $f | grep -qv "your-pg-host" \ + && grep "^FROM" $f | grep -qv "jdoe@example.com" \ + && grep "^FULLFROM" $f | grep -qv "John Doe " \ + && grep "^URGENCYFROM" $f | grep -qv "mama.doe@example.com" \ + && grep "^URGENCYTEL" $f | grep -qv "06.00.00.00.00" \ + && grep "^REALM" $f | grep -qv "example.com" + } || failed "IS_EVOMAINTENANCECONF" "evomaintenance is not correctly configured" + else + failed "IS_EVOMAINTENANCECONF" "Configuration file \`$f' is missing" + fi +} +check_privatekeyworldreadable() { + # a simple globbing fails if directory is empty + if [ -n "$(ls -A /etc/ssl/private/)" ]; then + for f in /etc/ssl/private/*; do + perms=$(stat -L -c "%a" "$f") + if [ "${perms: -1}" != 0 ]; then + failed "IS_PRIVKEYWOLRDREADABLE" "$f is world-readable" + test "${VERBOSE}" = 1 || break + fi + done + fi +} +check_evobackup_incs() { + if is_installed bkctld; then + bkctld_cron_file=${bkctld_cron_file:-/etc/cron.d/bkctld} + if [ -f "${bkctld_cron_file}" ]; then + root_crontab=$(grep -v "^#" "${bkctld_cron_file}") + echo "${root_crontab}" | grep -q "bkctld inc" || failed "IS_EVOBACKUP_INCS" "\`bkctld inc' is missing in ${bkctld_cron_file}" + echo "${root_crontab}" | grep -qE "(check-incs.sh|bkctld check-incs)" || failed "IS_EVOBACKUP_INCS" "\`check-incs.sh' is missing in ${bkctld_cron_file}" + else + failed "IS_EVOBACKUP_INCS" "Crontab \`${bkctld_cron_file}' is missing" + fi + fi +} 
+ +check_osprober() { + if is_installed os-prober qemu-kvm; then + failed "IS_OSPROBER" \ + "Removal of os-prober package is recommended as it can cause serious issue on KVM server" + fi +} + +check_apt_valid_until() { + aptvalidFile="/etc/apt/apt.conf.d/99no-check-valid-until" + aptvalidText="Acquire::Check-Valid-Until no;" + if grep -qs "archive.debian.org" /etc/apt/sources.list /etc/apt/sources.list.d/*; then + if ! grep -qs "$aptvalidText" /etc/apt/apt.conf.d/*; then + failed "IS_APT_VALID_UNTIL" \ + "As you use archive.mirror.org you need ${aptvalidFile}: ${aptvalidText}" + fi + fi +} + +check_chrooted_binary_uptodate() { + # list of processes to check + process_list="sshd" + for process_name in ${process_list}; do + # what is the binary path? + original_bin=$(command -v "${process_name}") + for pid in $(pgrep ${process_name}); do + process_bin=$(realpath "/proc/${pid}/exe") + # Is the process chrooted? + real_root=$(realpath "/proc/${pid}/root") + if [ "${real_root}" != "/" ]; then + chrooted_md5=$(md5sum "${process_bin}" | cut -f 1 -d ' ') + original_md5=$(md5sum "${original_bin}" | cut -f 1 -d ' ') + # compare md5 checksums + if [ "$original_md5" != "$chrooted_md5" ]; then + failed "IS_CHROOTED_BINARY_UPTODATE" "${process_bin} (${pid}) is different than ${original_bin}." + test "${VERBOSE}" = 1 || break + fi + fi + done + done +} + +check_lxc_container_resolv_conf() { + if is_installed lxc; then + container_list=$(lxc-ls) + current_resolvers=$(grep nameserver /etc/resolv.conf | sed 's/nameserver//g' ) + + for container in $container_list; do + if [ -f "/var/lib/lxc/${container}/rootfs/etc/resolv.conf" ]; then + + while read -r resolver; do + if ! 
grep -qE "^nameserver\s+${resolver}" "/var/lib/lxc/${container}/rootfs/etc/resolv.conf"; then + failed "IS_LXC_CONTAINER_RESOLV_CONF" "resolv.conf miss-match beween host and container : missing nameserver ${resolver} in container ${container} resolv.conf" + fi + done <<< "${current_resolvers}" + + else + failed "IS_LXC_CONTAINER_RESOLV_CONF" "resolv.conf missing in container ${container}" + fi + done + fi +} +download_versions() { + local file + file=${1:-} + + ## The file is supposed to list programs : each on a line, then its latest version number + ## Examples: + # evoacme 21.06 + # evomaintenance 0.6.4 + + versions_url="https://upgrades.evolix.org/versions-${DEBIAN_RELEASE}" + + # fetch timeout, in seconds + timeout=10 + + if command -v curl > /dev/null; then + curl --max-time ${timeout} --fail --silent --output "${versions_file}" "${versions_url}" + elif command -v wget > /dev/null; then + wget --timeout=${timeout} --quiet "${versions_url}" -O "${versions_file}" + elif command -v GET; then + GET -t ${timeout}s "${versions_url}" > "${versions_file}" + else + failed "IS_CHECK_VERSIONS" "failed to find curl, wget or GET" + fi + test "$?" 
-eq 0 || failed "IS_CHECK_VERSIONS" "failed to download ${versions_url} to ${versions_file}" +} +get_command() { + local program + program=${1:-} + + case "${program}" in + ## Special cases where the program name is different than the command name + evocheck) echo "${0}" ;; + evomaintenance) command -v "evomaintenance.sh" ;; + listupgrade) command -v "evolistupgrade.sh" ;; + old-kernel-autoremoval) command -v "old-kernel-autoremoval.sh" ;; + mysql-queries-killer) command -v "mysql-queries-killer.sh" ;; + minifirewall) echo "/etc/init.d/minifirewall" ;; + + ## General case, where the program name is the same as the command name + *) command -v "${program}" ;; + esac +} +get_version() { + local program + local command + program=${1:-} + command=${2:-} + + case "${program}" in + ## Special case if `command --version => 'command` is not the standard way to get the version + # my_command) + # /path/to/my_command --get-version + # ;; + + add-vm) + grep '^VERSION=' "${command}" | head -1 | cut -d '=' -f 2 + ;; + minifirewall) + ${command} version | head -1 | cut -d ' ' -f 3 + ;; + ## Let's try the --version flag before falling back to grep for the constant + kvmstats) + if ${command} --version > /dev/null 2> /dev/null; then + ${command} --version 2> /dev/null | head -1 | cut -d ' ' -f 3 + else + grep '^VERSION=' "${command}" | head -1 | cut -d '=' -f 2 + fi + ;; + + ## General case to get the version + *) ${command} --version 2> /dev/null | head -1 | cut -d ' ' -f 3 ;; + esac +} +check_version() { + local program + local expected_version + program=${1:-} + expected_version=${2:-} + + command=$(get_command "${program}") + if [ -n "${command}" ]; then + # shellcheck disable=SC2086 + actual_version=$(get_version "${program}" "${command}") + # printf "program:%s expected:%s actual:%s\n" "${program}" "${expected_version}" "${actual_version}" + if [ -z "${actual_version}" ]; then + failed "IS_CHECK_VERSIONS" "failed to lookup actual version of ${program}" + elif dpkg 
--compare-versions "${actual_version}" lt "${expected_version}"; then + failed "IS_CHECK_VERSIONS" "${program} version ${actual_version} is older than expected version ${expected_version}" + elif dpkg --compare-versions "${actual_version}" gt "${expected_version}"; then + failed "IS_CHECK_VERSIONS" "${program} version ${actual_version} is newer than expected version ${expected_version}, you should update your index." + else + : # Version check OK + fi + fi +} +add_to_path() { + local new_path + new_path=${1:-} + + echo "$PATH" | grep -qF "${new_path}" || export PATH="${PATH}:${new_path}" +} +check_versions() { + versions_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.versions.XXXXX") + files_to_cleanup="${files_to_cleanup} ${versions_file}" + + download_versions "${versions_file}" + add_to_path "/usr/share/scripts" + + grep -v '^ *#' < "${versions_file}" | while IFS= read -r line; do + local program + local version + program=$(echo "${line}" | cut -d ' ' -f 1) + version=$(echo "${line}" | cut -d ' ' -f 2) + + if [ -n "${program}" ]; then + if [ -n "${version}" ]; then + check_version "${program}" "${version}" + else + failed "IS_CHECK_VERSIONS" "failed to lookup expected version for ${program}" + fi + fi + done +} + +main() { + # Default return code : 0 = no error + RC=0 + # Detect operating system name, version and release + detect_os + + main_output_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.main.XXXXX") + files_to_cleanup="${files_to_cleanup} ${main_output_file}" + + test "${IS_TMP_1777:=1}" = 1 && check_tmp_1777 + test "${IS_ROOT_0700:=1}" = 1 && check_root_0700 + test "${IS_USRSHARESCRIPTS:=1}" = 1 && check_usrsharescripts + test "${IS_SSHPERMITROOTNO:=1}" = 1 && check_sshpermitrootno + test "${IS_EVOMAINTENANCEUSERS:=1}" = 1 && check_evomaintenanceusers + # Verification de la configuration d'evomaintenance + test "${IS_EVOMAINTENANCECONF:=1}" = 1 && check_evomaintenanceconf + test "${IS_PRIVKEYWOLRDREADABLE:=1}" = 1 && 
check_privatekeyworldreadable + + test "${IS_LSBRELEASE:=1}" = 1 && check_lsbrelease + test "${IS_DPKGWARNING:=1}" = 1 && check_dpkgwarning + test "${IS_NRPEPOSTFIX:=1}" = 1 && check_nrpepostfix + test "${IS_MODSECURITY:=1}" = 1 && check_modsecurity + test "${IS_CUSTOMSUDOERS:=1}" = 1 && check_customsudoers + test "${IS_VARTMPFS:=1}" = 1 && check_vartmpfs + test "${IS_SERVEURBASE:=1}" = 1 && check_serveurbase + test "${IS_LOGROTATECONF:=1}" = 1 && check_logrotateconf + test "${IS_SYSLOGCONF:=1}" = 1 && check_syslogconf + test "${IS_DEBIANSECURITY:=1}" = 1 && check_debiansecurity + test "${IS_APTITUDEONLY:=1}" = 1 && check_aptitudeonly + test "${IS_APTICRON:=0}" = 1 && check_apticron + test "${IS_USRRO:=1}" = 1 && check_usrro + test "${IS_TMPNOEXEC:=1}" = 1 && check_tmpnoexec + test "${IS_MOUNT_FSTAB:=1}" = 1 && check_mountfstab + test "${IS_LISTCHANGESCONF:=1}" = 1 && check_listchangesconf + test "${IS_CUSTOMCRONTAB:=1}" = 1 && check_customcrontab + test "${IS_SSHALLOWUSERS:=1}" = 1 && check_sshallowusers + test "${IS_DISKPERF:=0}" = 1 && check_diskperf + test "${IS_TMOUTPROFILE:=1}" = 1 && check_tmoutprofile + test "${IS_ALERT5BOOT:=1}" = 1 && check_alert5boot + test "${IS_ALERT5MINIFW:=1}" = 1 && check_alert5minifw + test "${IS_ALERT5MINIFW:=1}" = 1 && test "${IS_MINIFW:=1}" = 1 && check_minifw + test "${IS_NRPEPERMS:=1}" = 1 && check_nrpeperms + test "${IS_MINIFWPERMS:=1}" = 1 && check_minifwperms + test "${IS_NRPEDISKS:=0}" = 1 && check_nrpedisks + test "${IS_NRPEPID:=1}" = 1 && check_nrpepid + test "${IS_GRSECPROCS:=1}" = 1 && check_grsecprocs + test "${IS_APACHEMUNIN:=1}" = 1 && check_apachemunin + test "${IS_MYSQLUTILS:=1}" = 1 && check_mysqlutils + test "${IS_RAIDSOFT:=1}" = 1 && check_raidsoft + test "${IS_AWSTATSLOGFORMAT:=1}" = 1 && check_awstatslogformat + test "${IS_MUNINLOGROTATE:=1}" = 1 && check_muninlogrotate + test "${IS_SQUID:=1}" = 1 && check_squid + test "${IS_EVOMAINTENANCE_FW:=1}" = 1 && check_evomaintenance_fw + test "${IS_MODDEFLATE:=1}" = 
1 && check_moddeflate + test "${IS_LOG2MAILRUNNING:=1}" = 1 && check_log2mailrunning + test "${IS_LOG2MAILAPACHE:=1}" = 1 && check_log2mailapache + test "${IS_LOG2MAILMYSQL:=1}" = 1 && check_log2mailmysql + test "${IS_LOG2MAILSQUID:=1}" = 1 && check_log2mailsquid + test "${IS_BINDCHROOT:=1}" = 1 && check_bindchroot + test "${IS_NETWORK_INTERFACES:=1}" = 1 && check_network_interfaces + test "${IS_AUTOIF:=1}" = 1 && check_autoif + test "${IS_INTERFACESGW:=1}" = 1 && check_interfacesgw + test "${IS_EVOBACKUP:=1}" = 1 && check_evobackup + test "${IS_EVOBACKUP_EXCLUDE_MOUNT:=1}" = 1 && check_evobackup_exclude_mount + test "${IS_USERLOGROTATE:=1}" = 1 && check_userlogrotate + test "${IS_APACHECTL:=1}" = 1 && check_apachectl + test "${IS_APACHESYMLINK:=1}" = 1 && check_apachesymlink + test "${IS_APACHEIPINALLOW:=1}" = 1 && check_apacheipinallow + test "${IS_MUNINAPACHECONF:=1}" = 1 && check_muninapacheconf + test "${IS_PHPMYADMINAPACHECONF:=1}" = 1 && check_phpmyadminapacheconf + test "${IS_KERNELUPTODATE:=1}" = 1 && check_kerneluptodate + test "${IS_UPTIME:=1}" = 1 && check_uptime + test "${IS_MUNINRUNNING:=1}" = 1 && check_muninrunning + test "${IS_BACKUPUPTODATE:=1}" = 1 && check_backupuptodate + test "${IS_ETCGIT:=1}" = 1 && check_etcgit + test "${IS_GITPERMS:=1}" = 1 && check_gitperms + test "${IS_NOTUPGRADED:=1}" = 1 && check_notupgraded + test "${IS_TUNE2FS_M5:=1}" = 1 && check_tune2fs_m5 + test "${IS_BROADCOMFIRMWARE:=1}" = 1 && check_broadcomfirmware + test "${IS_HARDWARERAIDTOOL:=1}" = 1 && check_hardwareraidtool + test "${IS_SQL_BACKUP:=1}" = 1 && check_sql_backup + test "${IS_POSTGRES_BACKUP:=1}" = 1 && check_postgres_backup + test "${IS_MONGO_BACKUP:=1}" = 1 && check_mongo_backup + test "${IS_LDAP_BACKUP:=1}" = 1 && check_ldap_backup + test "${IS_REDIS_BACKUP:=1}" = 1 && check_redis_backup + test "${IS_ELASTIC_BACKUP:=1}" = 1 && check_elastic_backup + test "${IS_DUPLICATE_FS_LABEL:=1}" = 1 && check_duplicate_fs_label + test "${IS_EVOLIX_USER:=1}" = 1 && 
check_evolix_user + test "${IS_OLD_HOME_DIR:=0}" = 1 && check_old_home_dir + test "${IS_EVOBACKUP_INCS:=1}" = 1 && check_evobackup_incs + test "${IS_OSPROBER:=1}" = 1 && check_osprober + test "${IS_APT_VALID_UNTIL:=1}" = 1 && check_apt_valid_until + test "${IS_CHROOTED_BINARY_UPTODATE:=1}" = 1 && check_chrooted_binary_uptodate + test "${IS_CHECK_VERSIONS:=1}" = 1 && check_versions + + if [ -f "${main_output_file}" ]; then + lines_found=$(wc -l < "${main_output_file}") + # shellcheck disable=SC2086 + if [ ${lines_found} -gt 0 ]; then + + cat "${main_output_file}" 2>&1 + fi + fi + + exit ${RC} +} +cleanup_temp_files() { + # shellcheck disable=SC2086 + rm -f ${files_to_cleanup} +} + +PROGNAME=$(basename "$0") +# shellcheck disable=SC2034 +readonly PROGNAME + +# shellcheck disable=SC2124 +ARGS=$@ +readonly ARGS + +# Disable LANG* +export LANG=C +export LANGUAGE=C + +files_to_cleanup="" +# shellcheck disable=SC2064 +trap cleanup_temp_files 0 + +# Source configuration file +# shellcheck disable=SC1091 +test -f /etc/evocheck.cf && . /etc/evocheck.cf + +# Parse options +# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a +while :; do + case $1 in + -h|-\?|--help) + show_help + exit 0 + ;; + --version) + show_version + exit 0 + ;; + --cron) + IS_KERNELUPTODATE=0 + IS_UPTIME=0 + IS_MELTDOWN_SPECTRE=0 + IS_CHECK_VERSIONS=0 + IS_NETWORKING_SERVICE=0 + ;; + -v|--verbose) + VERBOSE=1 + ;; + -q|--quiet) + QUIET=1 + VERBOSE=0 + ;; + --) + # End of all options. + shift + break + ;; + -?*|[[:alnum:]]*) + # ignore unknown options + if [ "${QUIET}" != 1 ]; then + printf 'WARN: Unknown option (ignored): %s\n' "$1" >&2 + fi + ;; + *) + # Default case: If no more options then break out of the loop. + break + ;; + esac + + shift +done + +# shellcheck disable=SC2086 +main ${ARGS} diff --git a/evocheck/tasks/install.yml b/evocheck/tasks/install.yml index 7d4a0e6a..c996542e 100644 --- a/evocheck/tasks/install.yml +++ b/evocheck/tasks/install.yml 
@@ -15,9 +15,24 @@ tags: - evocheck +- name: Script for Debian 7 and earlier + set_fact: + evocheck_script_src: evocheck.wheezy.sh + when: ansible_distribution_major_version is version('7', '<=') + +- name: Script for Debian 8 + set_fact: + evocheck_script_src: evocheck.jessie.sh + when: ansible_distribution_major_version is version('8', '=') + +- name: Script for Debian 9 and later + set_fact: + evocheck_script_src: evocheck.sh + when: ansible_distribution_major_version is version('9', '>=') + - name: Copy evocheck.sh copy: - src: evocheck.sh + src: "{{ evocheck_script_src }}" dest: "{{ evocheck_bin_dir }}/evocheck.sh" mode: "0700" owner: root -- 2.39.2 From cd2c1931b154cfe7730e3867e9d28b66f815c9a3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Dubois?= Date: Mon, 28 Nov 2022 17:16:28 +0100 Subject: [PATCH 269/497] keepalived: change exit code (warning if runnin but not on expected state ; critical if not running) --- CHANGELOG.md | 1 + keepalived/files/check_keepalived | 27 +++++++++++++++------------ 2 files changed, 16 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6fa86d5d..e24bbd8e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -40,6 +40,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * squid: whitelist deb.freexian.com * varnish: better package facts usage with check mode and tags * varnish: systemd override depends on Varnish version instead of Debian version +* keepalived: change exit code (warning if runnin but not on expected state ; critical if not running) ### Fixed diff --git a/keepalived/files/check_keepalived b/keepalived/files/check_keepalived index e518e99e..a457551d 100644 --- a/keepalived/files/check_keepalived +++ b/keepalived/files/check_keepalived 
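Review bot: `evocheck_script_src` is only ever set by the three guarded `set_fact` tasks, so if none of the `when` clauses matches (an undefined or non-numeric `ansible_distribution_major_version`, as a testing/sid host may report) the `copy` task fails on an undefined variable instead of saying which Debian release it could not map. Give the variable a fallback where it is consumed, `src: "{{ evocheck_script_src | default('evocheck.sh') }}"`, or add an explicit `assert` that one of the three facts was set. The three `version()` comparisons are otherwise mutually exclusive and cover every integer release.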
@@ -18,35 +18,38 @@ MASTER='true' # checking if there are alive keepalived processes so we can trust the content of the notify 'state' file KEEPALIVENUM=`ps uax|grep '/usr/sbin/keepalived'|grep -v grep|wc -l|tr -d "\n"` -if [ $KEEPALIVENUM -gt 0 ]; then +if [ ${KEEPALIVENUM} -gt 0 ]; then KEEPALIVESTATE=`cat /var/run/keepalive.state` - if [ "$MASTER" == "true" ]; then + if [ "${MASTER}" == "true" ]; then - if [[ $KEEPALIVESTATE == *"MASTER"* ]];then - echo $KEEPALIVESTATE + if [[ ${KEEPALIVESTATE} == *"MASTER"* ]];then + echo "OK - ${KEEPALIVESTATE}" exit 0 fi - if [[ $KEEPALIVESTATE == *"BACKUP"* ]];then - echo $KEEPALIVESTATE - exit 2 + if [[ ${KEEPALIVESTATE} == *"BACKUP"* ]];then + echo "WARNING - ${KEEPALIVESTATE}" + exit 1 fi else - if [[ $KEEPALIVESTATE == *"BACKUP"* ]];then - echo $KEEPALIVESTATE + if [[ ${KEEPALIVESTATE} == *"BACKUP"* ]];then + echo "OK - ${KEEPALIVESTATE}" exit 0 fi - if [[ $KEEPALIVESTATE == *"MASTER"* ]];then - echo $KEEPALIVESTATE - exit 2 + if [[ ${KEEPALIVESTATE} == *"MASTER"* ]];then + echo "WARNING - ${KEEPALIVESTATE}" + exit 1 fi fi +else + echo "CRITICAL - keepalived is not running" + exit 2 fi echo "Keepalived is in UNKNOWN state" -- 2.39.2 From cca072425b9f035afa4fd028e5233921d1c34db0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Dubois?= Date: Thu, 1 Dec 2022 16:55:28 +0100 Subject: [PATCH 270/497] openvpn: shellpki upstream release 22.12 --- CHANGELOG.md | 1 + openvpn/files/shellpki/cert-expirations.sh | 136 ++++++++++++++++++--- openvpn/files/shellpki/openssl.cnf | 2 + openvpn/files/shellpki/shellpki | 29 +++-- 4 files changed, 137 insertions(+), 31 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e24bbd8e..089f1346 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
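Review bot: The new CRITICAL branch still depends on `ps uax|grep '/usr/sbin/keepalived'|grep -v grep|wc -l`, which counts any process whose command line merely contains that path (a `less` on a log, an editor, a second copy of this check), so a stopped daemon can be reported as running; `KEEPALIVENUM=$(pgrep -c -x keepalived)` counts only the daemon itself. The read of the state file is also unchecked: if `/var/run/keepalive.state` is missing, `cat` prints to stderr, `KEEPALIVESTATE` is empty and the check falls through to the trailing UNKNOWN message — better `KEEPALIVESTATE=$(cat /var/run/keepalive.state 2>/dev/null) || { echo "UNKNOWN - cannot read /var/run/keepalive.state"; exit 3; }`. The exit status after the final `echo "Keepalived is in UNKNOWN state"` is outside the hunk; it should be 3 so the monitoring side does not treat that path as OK.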
@@ -41,6 +41,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * varnish: better package facts usage with check mode and tags * varnish: systemd override depends on Varnish version instead of Debian version * keepalived: change exit code (warning if runnin but not on expected state ; critical if not running) +* openvpn: shellpki upstream release 22.12 ### Fixed diff --git a/openvpn/files/shellpki/cert-expirations.sh b/openvpn/files/shellpki/cert-expirations.sh index 9e27dcc7..dbb25357 100644 --- a/openvpn/files/shellpki/cert-expirations.sh +++ b/openvpn/files/shellpki/cert-expirations.sh @@ -1,26 +1,124 @@ #!/bin/sh -carp=$(/sbin/ifconfig carp0 2>/dev/null | grep 'status' | cut -d' ' -f2) +VERSION="22.12" -if [ "$carp" = "backup" ]; then - exit 0 -fi +show_version() { + cat <, + Jérémy Lecour , + Jérémy Dubois + and others. -echo "CA certificate:" -openssl x509 -enddate -noout -in /etc/shellpki/cacert.pem \ - | cut -d '=' -f 2 \ - | sed -e "s/^\(.*\)\ \(20..\).*/- \2 \1/" +cert-expirations.sh comes with ABSOLUTELY NO WARRANTY. This is free software, +and you are welcome to redistribute it under certain conditions. +See the MIT Licence for details. +END +} -echo "" +show_usage() { + cat </dev/null | grep 'status' | cut -d' ' -f2) + + if [ "$carp" = "backup" ]; then + exit 0 + fi + fi + + cacert_path="/etc/openvpn/ssl/ca/cacert.pem" + index_path="/etc/openvpn/ssl/ca/index.txt" + somedays="3456000" # 40 days currently + expired_certs="" + expiring_soon_certs="" + still_valid_certs="" + + case "$1" in + version|--version) + show_version + exit 0 + ;; + + help|--help) + show_usage + exit 0 + ;; + + "") + echo "Warning : all times are in UTC !" + echo "" + check_ca_expiration + echo "" + check_certs_expiration + ;; + + *) + show_usage >&2 + exit 1 + ;; + esac +} + +main "$@" diff --git a/openvpn/files/shellpki/openssl.cnf b/openvpn/files/shellpki/openssl.cnf index 2c87f10d..5e1e3c83 100644 --- a/openvpn/files/shellpki/openssl.cnf 
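Review bot: In `main()` the CARP check runs before the `case "$1"` dispatch, so on a CARP backup node `cert-expirations.sh --help` or `--version` exits 0 with no output, and an unknown argument exits 0 instead of 1. The early `exit 0` on `[ "$carp" = "backup" ]` belongs inside the `"")` arm, after the `help`/`version` arms have had their chance. The hard-coded `cacert_path="/etc/openvpn/ssl/ca/cacert.pem"` also replaces the previous `/etc/shellpki/cacert.pem`; a `[ -r "${cacert_path}" ] || { echo "CA certificate not found: ${cacert_path}" >&2; exit 1; }` before the dispatch would make a host still using the old layout fail loudly. What `check_ca_expiration` does on a missing file is not visible here, as the heredoc bodies and both `check_*` functions are garbled in this rendering.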
+++ b/openvpn/files/shellpki/openssl.cnf @@ -1,3 +1,5 @@ +# VERSION="22.04" + [ ca ] default_ca = CA_default diff --git a/openvpn/files/shellpki/shellpki b/openvpn/files/shellpki/shellpki index 5d139866..5e7169c9 100755 --- a/openvpn/files/shellpki/shellpki +++ b/openvpn/files/shellpki/shellpki @@ -5,7 +5,7 @@ set -u -VERSION="22.04" +VERSION="22.12" show_version() { cat </dev/null 2>&1 } get_real_path() { # --canonicalize is supported on Linux - # -f is supported on Linux and OpenBSD + # -f is supported on Linux and OpenBSD readlink -f -- "${1}" } @@ -227,6 +227,7 @@ init() { [ -d "${CA_DIR}" ] || mkdir -m 0750 "${CA_DIR}" [ -d "${CRT_DIR}" ] || mkdir -m 0750 "${CRT_DIR}" [ -f "${INDEX_FILE}" ] || touch "${INDEX_FILE}" + [ -f "${INDEX_FILE}.attr" ] || touch "${INDEX_FILE}.attr" [ -f "${CRL}" ] || touch "${CRL}" [ -f "${SERIAL}" ] || echo "01" > "${SERIAL}" @@ -278,17 +279,18 @@ init() { passout_arg="" if [ -n "${CA_PASSWORD:-}" ]; then - passout_arg="-passout pass:${CA_PASSWORD}" + passout_arg="-pass pass:${CA_PASSWORD}" elif [ "${non_interactive}" -eq 1 ]; then error "In non-interactive mode, you must pass CA_PASSWORD as environment variable." fi if [ ! -f "${CA_KEY}" ]; then - "${OPENSSL_BIN}" genrsa \ + "${OPENSSL_BIN}" genpkey \ + -algorithm RSA \ -out "${CA_KEY}" \ ${passout_arg} \ -aes256 \ - "${CA_KEY_LENGTH}" \ + -pkeyopt "rsa_keygen_bits:${CA_KEY_LENGTH}" \ >/dev/null 2>&1 # shellcheck disable=SC2181 if [ "$?" -ne 0 ]; then @@ -355,9 +357,10 @@ ocsp() { port=$(echo "${ocsp_uri}" | cut -d':' -f2) if [ ! -f "${OCSP_KEY}" ]; then - "${OPENSSL_BIN}" genrsa \ + "${OPENSSL_BIN}" genpkey \ + -algorithm RSA \ -out "${OCSP_KEY}" \ - "${KEY_LENGTH}" \ + -pkeyopt "rsa_keygen_bits:${KEY_LENGTH}" \ >/dev/null 2>&1 # shellcheck disable=SC2181 if [ "$?" -ne 0 ]; then 
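Review bot: `passout_arg="-pass pass:${CA_PASSWORD}"` puts the CA passphrase on openssl's command line, where every local user can read it from `ps` or `/proc/<pid>/cmdline` for as long as key generation runs. The value already comes from the environment (the `elif` branch requires `CA_PASSWORD` as an environment variable), so `passout_arg="-pass env:CA_PASSWORD"` lets openssl read it itself and nothing sensitive appears in argv; it also removes the word-splitting hazard of the unquoted `${passout_arg}` for passphrases containing spaces. The `create()` hunk of this same patch adds `chmod 600` to the client key it generates, but the CA key written here gets no equivalent and is left to the caller's umask; the rest of `init()` is outside this hunk.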
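Review bot: The OCSP responder key generated here is unencrypted and its permissions are never tightened, unlike the `create()` hunk later in this patch which follows `genpkey` with `chmod 600`; on the success path add `chmod 600 "${OCSP_KEY}"` or, better, run the `genpkey` inside `( umask 077; ... )` so the file is never readable by others even briefly. Whether `ocsp()` sets permissions further down is not visible, as the function continues past the end of the hunk.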
@@ -680,17 +683,19 @@ create() {
 # generate private key
 pass_args=""
 if [ -n "${password_file:-}" ]; then
- pass_args="-aes256 -passout file:${password_file}"
+ pass_args="-aes256 -pass file:${password_file}"
 elif [ -n "${PASSWORD:-}" ]; then
- pass_args="-aes256 -passout pass:${PASSWORD}"
+ pass_args="-aes256 -pass pass:${PASSWORD}"
 fi
- "${OPENSSL_BIN}" genrsa \
+ "${OPENSSL_BIN}" genpkey \
+ -algorithm RSA \
 -out "${key_file}" \
 ${pass_args} \
- "${KEY_LENGTH}" \
+ -pkeyopt "rsa_keygen_bits:${KEY_LENGTH}" \
 >/dev/null 2>&1
 # shellcheck disable=SC2181
 if [ "$?" -eq 0 ]; then
+ chmod 600 "${key_file}"
 echo "The KEY file is available at \`${key_file}'"
 else
 error "Error generating the private key"
-- 2.39.2
From a1bad43b252b0326dff91917a299533760fc52e7 Mon Sep 17 00:00:00 2001
From: David Prevot
Date: Fri, 2 Dec 2022 15:17:42 +0100
Subject: [PATCH 271/497] Drop unsigned repository when adding a signed one
---
 docker-host/tasks/main.yml | 6 ++++++
 elasticsearch/tasks/packages.yml | 10 ++++++++++
 evolinux-base/tasks/hardware.yml | 14 ++++++++++++++
 filebeat/tasks/main.yml | 10 ++++++++++
 fluentd/tasks/main.yml | 10 ++++++++++
 jenkins/tasks/main.yml | 7 +++++++
 kibana/tasks/main.yml | 10 ++++++++++
 logstash/tasks/main.yml | 10 ++++++++++
 metricbeat/tasks/main.yml | 10 ++++++++++
 mongodb/tasks/main_bullseye.yml | 9 ++++++++-
 mongodb/tasks/main_buster.yml | 9 ++++++++-
 mongodb/tasks/main_jessie.yml | 9 ++++++++-
 newrelic/tasks/sources.yml | 7 +++++++
 nodejs/tasks/main.yml | 11 +++++++++++
 nodejs/tasks/yarn.yml | 12 ++++++++++++
 php/tasks/sury_pre.yml | 6 ++++++
 postgresql/tasks/pgdg-repo.yml | 6 ++++++
 17 files changed, 153 insertions(+), 3 deletions(-)
diff --git a/docker-host/tasks/main.yml b/docker-host/tasks/main.yml
index c60763d8..b73fde0b 100644
--- a/docker-host/tasks/main.yml
+++ b/docker-host/tasks/main.yml
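Review bot: `chmod 600 "${key_file}"` is applied only after `genpkey` has finished writing, so with a permissive umask the private key sits readable by other users for the duration of key generation; wrapping the call as `( umask 077; "${OPENSSL_BIN}" genpkey ... ) >/dev/null 2>&1` creates the file as 0600 from the start and still leaves `$?` holding openssl's status for the check that follows. `pass_args="-aes256 -pass pass:${PASSWORD}"` also exposes the passphrase in openssl's argv to every local user via `ps`; since `PASSWORD` already comes from the environment, `-pass env:PASSWORD` avoids that and no longer breaks on passphrases containing spaces, which the unquoted `${pass_args}` expansion would split. The `file:${password_file}` form has neither problem.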
@@ -31,6 +31,12 @@ state: present filename: docker.list +- name: Drop unsigned Docker repository + apt_repository: + repo: 'deb https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable' + state: absent + filename: docker.list + - name: Install Docker apt: name: diff --git a/elasticsearch/tasks/packages.yml b/elasticsearch/tasks/packages.yml index bb5b99da..097d85e5 100644 --- a/elasticsearch/tasks/packages.yml +++ b/elasticsearch/tasks/packages.yml @@ -48,6 +48,16 @@ - elasticsearch - packages +- name: Unsigned Elastic sources list is not available + apt_repository: + repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" + filename: elastic + state: absent + update_cache: yes + tags: + - elasticsearch + - packages + - name: Elasticsearch is installed apt: name: elasticsearch diff --git a/evolinux-base/tasks/hardware.yml b/evolinux-base/tasks/hardware.yml index 146cf455..7ebecc82 100644 --- a/evolinux-base/tasks/hardware.yml +++ b/evolinux-base/tasks/hardware.yml @@ -96,6 +96,13 @@ tags: - packages + - name: Remove unsigned HPE repository + apt_repository: + repo: 'deb https://downloads.linux.hpe.com/SDR/repo/mcp {{ ansible_distribution_release }}/current non-free' + state: absent + tags: + - packages + - name: Install HPE Smart Storage Administrator (ssacli) apt: name: ssacli @@ -224,6 +231,13 @@ tags: - packages + - name: Remove unsigned HW tool repository + apt_repository: + repo: 'deb http://hwraid.le-vert.net/debian {{ ansible_distribution_release }} main' + state: absent + tags: + - packages + - name: Install packages for DELL/LSI hardware apt: name: diff --git a/filebeat/tasks/main.yml b/filebeat/tasks/main.yml index cde924b1..fa24a893 100644 --- a/filebeat/tasks/main.yml +++ b/filebeat/tasks/main.yml 
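Review bot: `apt_repository` with `state: absent` only drops a line that matches the given repo string exactly, so this removal leaves any other spelling of the old entry in place — Docker's documented line is `deb [arch=amd64] https://download.docker.com/linux/debian ... stable`, and if an earlier version of this role or a manual install wrote that form, the `signed-by` line and the old line will coexist in `docker.list` after this play. Worth checking what the previous role version wrote; a `lineinfile` task with `regexp: '^deb (?!\[signed-by).*download\.docker\.com'` and `state: absent` would remove every variant lacking a `signed-by` option. The same observation applies to the other roles touched by this commit.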
@@ -48,6 +48,16 @@ - filebeat - packages +- name: Unsigned Elastic sources list is not available + apt_repository: + repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" + filename: elastic + state: absent + update_cache: yes + tags: + - filebeat + - packages + - name: Filebeat is installed apt: name: filebeat diff --git a/fluentd/tasks/main.yml b/fluentd/tasks/main.yml index 9248db97..09f93082 100644 --- a/fluentd/tasks/main.yml +++ b/fluentd/tasks/main.yml @@ -40,6 +40,16 @@ - packages - fluentd +- name: Unsigned Fluentd sources list is not available + apt_repository: + repo: "deb http://packages.treasuredata.com/3/debian/{{ ansible_distribution_release }}/ {{ ansible_distribution_release }} contrib" + filename: treasuredata + update_cache: yes + state: absent + tags: + - packages + - fluentd + - name: Fluentd is installed. apt: name: td-agent diff --git a/jenkins/tasks/main.yml b/jenkins/tasks/main.yml index 4346ef1e..956892f4 100644 --- a/jenkins/tasks/main.yml +++ b/jenkins/tasks/main.yml @@ -32,6 +32,13 @@ filename: jenkins update_cache: yes +- name: Remove unsigned jenkins APT repository + apt_repository: + repo: deb http://pkg.jenkins-ci.org/debian-stable binary/ + filename: jenkins + update_cache: yes + state: absent + - name: Install Jenkins apt: name: jenkins diff --git a/kibana/tasks/main.yml b/kibana/tasks/main.yml index 5e9b0016..e6377dde 100644 --- a/kibana/tasks/main.yml +++ b/kibana/tasks/main.yml @@ -48,6 +48,16 @@ - kibana - packages +- name: Unsigned Elastic sources list is not available + apt_repository: + repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" + filename: elastic + state: absent + update_cache: yes + tags: + - kibana + - packages + - name: Kibana is installed apt: name: kibana diff --git a/logstash/tasks/main.yml b/logstash/tasks/main.yml index 6b46ce69..d1f4b2da 100644 --- a/logstash/tasks/main.yml 
+++ b/logstash/tasks/main.yml @@ -48,6 +48,16 @@ - logstash - packages +- name: Unsigned Elastic sources list is not available + apt_repository: + repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" + filename: elastic + state: absent + update_cache: yes + tags: + - logstash + - packages + - name: Logstash is installed apt: name: logstash diff --git a/metricbeat/tasks/main.yml b/metricbeat/tasks/main.yml index 021b4ae2..71d65022 100644 --- a/metricbeat/tasks/main.yml +++ b/metricbeat/tasks/main.yml @@ -48,6 +48,16 @@ - metricbeat - packages +- name: Elastic sources list is available + apt_repository: + repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" + filename: elastic + state: absent + update_cache: yes + tags: + - metricbeat + - packages + - name: Metricbeat is installed apt: name: metricbeat diff --git a/mongodb/tasks/main_bullseye.yml b/mongodb/tasks/main_bullseye.yml index 4c654ae6..cd8bb15f 100644 --- a/mongodb/tasks/main_bullseye.yml +++ b/mongodb/tasks/main_bullseye.yml @@ -27,13 +27,20 @@ owner: root group: root -- name: enable APT sources list +- name: Enable APT sources list apt_repository: repo: "deb [signed-by={{ apt_keyring_dir }}/mongodb-server-{{mongodb_version}}.asc] http://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{mongodb_version}} main" state: present filename: "mongodb-org-{{mongodb_version}}" update_cache: yes +- name: Disable unsigned APT sources list + apt_repository: + repo: "deb http://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{mongodb_version}} main" + state: absent + filename: "mongodb-org-{{mongodb_version}}" + update_cache: yes + - name: Install packages apt: name: mongodb-org diff --git a/mongodb/tasks/main_buster.yml b/mongodb/tasks/main_buster.yml index d2d96a3f..5d2024c8 100644 --- a/mongodb/tasks/main_buster.yml +++ b/mongodb/tasks/main_buster.yml 
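Review bot: The task name `Elastic sources list is available` says the opposite of what the task does (`state: absent`), and every sibling role in this commit (elasticsearch, filebeat, kibana, logstash) names the same task `Unsigned Elastic sources list is not available`. Rename it so a `changed` in the play output is not read as the repository being added: `- name: Unsigned Elastic sources list is not available`.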
@@ -21,13 +21,20 @@ owner: root group: root -- name: enable APT sources list +- name: Enable APT sources list apt_repository: repo: "deb [signed-by={{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc] http://repo.mongodb.org/apt/debian buster/mongodb-org/{{ mongodb_version }} main" state: present filename: "mongodb-org-{{mongodb_version}}" update_cache: yes +- name: Disable unsigned APT sources list + apt_repository: + repo: "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/{{ mongodb_version }} main" + state: absent + filename: "mongodb-org-{{mongodb_version}}" + update_cache: yes + - name: Install packages apt: name: mongodb-org diff --git a/mongodb/tasks/main_jessie.yml b/mongodb/tasks/main_jessie.yml index 8c13e0e4..7fdb3df5 100644 --- a/mongodb/tasks/main_jessie.yml +++ b/mongodb/tasks/main_jessie.yml @@ -21,13 +21,20 @@ owner: root group: root -- name: enable APT sources list +- name: Enable APT sources list apt_repository: repo: "deb http://repo.mongodb.org/apt/debian jessie/mongodb-org/{{mongodb_version}} main" state: present filename: "mongodb-org-{{mongodb_version}}" update_cache: yes +- name: Disable APT sources list + apt_repository: + repo: "deb http://repo.mongodb.org/apt/debian jessie/mongodb-org/{{mongodb_version}} main" + state: absent + filename: "mongodb-org-{{mongodb_version}}" + update_cache: yes + - name: Install packages apt: name: mongodb-org diff --git a/newrelic/tasks/sources.yml b/newrelic/tasks/sources.yml index ad3545ae..cda58a85 100644 --- a/newrelic/tasks/sources.yml +++ b/newrelic/tasks/sources.yml @@ -27,3 +27,10 @@ state: present filename: newrelic update_cache: yes + +- name: Desinstall unsigned NewRelic repository + apt_repository: + repo: "deb http://apt.newrelic.com/debian/ newrelic non-free" + state: absent + filename: newrelic + update_cache: yes diff --git a/nodejs/tasks/main.yml b/nodejs/tasks/main.yml index cdd733f2..1bd6d38f 100644 --- a/nodejs/tasks/main.yml +++ b/nodejs/tasks/main.yml 
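Review bot: On jessie the new `Disable APT sources list` task removes exactly the line the preceding `Enable APT sources list` task just wrote — same `deb http://repo.mongodb.org/apt/debian jessie/mongodb-org/{{mongodb_version}} main`, same `filename` — so the repository is added, removed, the cache is refreshed again through `update_cache: yes`, and `Install packages` then runs with no MongoDB source at all. The bullseye and buster files do not have this problem because their enable task uses the `[signed-by=...]` form, which this file lacks; either drop the removal task here or first convert the enable task to a `signed-by` line as done for buster.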
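Review bot: `Desinstall` in the task name is not an English word and breaks the wording used by the other removal tasks in this commit; `- name: Remove unsigned NewRelic repository` matches the HPE and Jenkins tasks and reads correctly in the play log.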
@@ -52,6 +52,17 @@ - packages - nodejs +- name: Unsigned NodeJS sources list ({{ nodejs_apt_version }}) is not available + apt_repository: + repo: "deb https://deb.nodesource.com/{{ nodejs_apt_version }} {{ ansible_distribution_release }} main" + filename: nodesource + update_cache: yes + state: absent + tags: + - system + - packages + - nodejs + - name: NodeJS is installed apt: name: nodejs diff --git a/nodejs/tasks/yarn.yml b/nodejs/tasks/yarn.yml index f4f2dc37..5d585c42 100644 --- a/nodejs/tasks/yarn.yml +++ b/nodejs/tasks/yarn.yml @@ -47,6 +47,18 @@ - nodejs - yarn +- name: Unsigned Yarn sources list is not available + apt_repository: + repo: "deb https://dl.yarnpkg.com/debian/ stable main" + filename: yarn + update_cache: yes + state: absent + tags: + - system + - packages + - nodejs + - yarn + - name: Yarn is installed apt: name: yarn diff --git a/php/tasks/sury_pre.yml b/php/tasks/sury_pre.yml index eca1d4d6..a1dcbb0e 100644 --- a/php/tasks/sury_pre.yml +++ b/php/tasks/sury_pre.yml @@ -24,6 +24,12 @@ filename: sury state: present +- name: Setup deb.sury.org repository - Remove unsigned source list + apt_repository: + repo: "deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main" + filename: sury + state: absent + - name: "Override package list for Sury (Debian 9 or later)" set_fact: php_stretch_packages: diff --git a/postgresql/tasks/pgdg-repo.yml b/postgresql/tasks/pgdg-repo.yml index 69374502..f03ae52f 100644 --- a/postgresql/tasks/pgdg-repo.yml +++ b/postgresql/tasks/pgdg-repo.yml @@ -34,6 +34,12 @@ repo: "deb [signed-by={{ apt_keyring_dir }}/postgresql.asc] http://apt.postgresql.org/pub/repos/apt/ {{ansible_distribution_release}}-pgdg main" update_cache: yes +- name: Remove unsigned PGDG repository + apt_repository: + repo: "deb http://apt.postgresql.org/pub/repos/apt/ {{ansible_distribution_release}}-pgdg main" + update_cache: yes + state: absent + - name: Add APT preference file template: src: postgresql.pref.j2 -- 2.39.2 
From fafff25c202095e7d140fb70ba6c4c7461bb1c05 Mon Sep 17 00:00:00 2001 
From: David Prevot Date: Thu, 1 Dec 2022 18:18:25 +0100 Subject: [PATCH 272/497] =?UTF-8?q?Add=20=E2=80=9Cwhen:=20not=20ansible=5F?= =?UTF-8?q?check=5Fmode=E2=80=9D=20to=20allow=20more=20--check?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- apache/handlers/main.yml | 3 +++ apache/tasks/auth.yml | 3 +++ apache/tasks/ip_whitelist.yml | 1 + apache/tasks/log2mail.yml | 1 + apache/tasks/main.yml | 6 ++++++ apache/tasks/munin.yml | 3 +++ apache/tasks/server_status.yml | 7 +++++++ etc-git/tasks/main.yml | 5 ++++- etc-git/tasks/repositories.yml | 2 +- etc-git/tasks/repository.yml | 4 +++- evoacme/handlers/main.yml | 5 +++++ evocheck/tasks/exec.yml | 4 +++- evolinux-base/tasks/default_www.yml | 1 + evolinux-base/tasks/hardware.yml | 8 +++++++- evolinux-base/tasks/log2mail.yml | 2 ++ evolinux-base/tasks/packages.yml | 4 +++- evolinux-base/tasks/postfix.yml | 14 +++++++++++--- evolinux-users/tasks/user.yml | 2 ++ haproxy/handlers/main.yml | 3 +++ haproxy/tasks/main.yml | 2 ++ lxc-php/tasks/php74.yml | 1 + lxc-php/tasks/php80.yml | 1 + lxc-php/tasks/php81.yml | 1 + lxc/tasks/create-container.yml | 6 ++++++ lxc/tasks/main.yml | 2 ++ minifirewall/tasks/config.yml | 22 ++++++++++++++++++---- munin/handlers/main.yml | 4 +++- munin/tasks/main.yml | 4 ++++ mysql/tasks/datadir.yml | 1 + mysql/tasks/logdir.yml | 1 + mysql/tasks/packages_jessie.yml | 1 + mysql/tasks/packages_stretch.yml | 3 ++- mysql/tasks/utils.yml | 3 ++- nagios-nrpe/handlers/main.yml | 2 ++ ntpd/tasks/main.yml | 1 + packweb-apache/tasks/apache.yml | 6 +++++- packweb-apache/tasks/awstats.yml | 4 ++++ packweb-apache/tasks/main.yml | 3 +++ packweb-apache/tasks/multiphp.yml | 1 + packweb-apache/tasks/phpmyadmin.yml | 5 +++++ php/handlers/main.yml | 5 +++++ php/tasks/config_cli.yml | 2 ++ php/tasks/main_bookworm.yml | 4 ++++ php/tasks/main_bullseye.yml | 4 ++++ php/tasks/main_buster.yml | 4 ++++ php/tasks/main_jessie.yml | 4 ++++ php/tasks/main_stretch.yml | 4 ++++ 
php/tasks/sury_post.yml | 3 +++ proftpd/handlers/main.yml | 1 + proftpd/tasks/main.yml | 2 ++ squid/handlers/main.yml | 7 +++++++ squid/tasks/main.yml | 1 + webapps/evoadmin-web/tasks/ftp.yml | 1 + webapps/evoadmin-web/tasks/main.yml | 5 ++++- webapps/evoadmin-web/tasks/ssl.yml | 1 + webapps/evoadmin-web/tasks/user.yml | 8 ++++++-- 56 files changed, 188 insertions(+), 20 deletions(-) diff --git a/apache/handlers/main.yml b/apache/handlers/main.yml index 96daa368..931e9c94 100644 --- a/apache/handlers/main.yml +++ b/apache/handlers/main.yml @@ -3,13 +3,16 @@ service: name: apache2 state: restarted + when: not ansible_check_mode - name: reload apache service: name: apache2 state: reloaded + when: not ansible_check_mode - name: restart munin-node service: name: munin-node state: restarted + when: not ansible_check_mode diff --git a/apache/tasks/auth.yml b/apache/tasks/auth.yml index fd01517c..bebd39e9 100644 --- a/apache/tasks/auth.yml +++ b/apache/tasks/auth.yml @@ -22,6 +22,7 @@ state: present tags: - apache + when: not ansible_check_mode - name: Copy private_htpasswd copy: @@ -44,6 +45,7 @@ notify: reload apache tags: - apache + when: not ansible_check_mode - name: remove user:pwd from private htpasswd lineinfile: @@ -54,3 +56,4 @@ notify: reload apache tags: - apache + when: not ansible_check_mode diff --git a/apache/tasks/ip_whitelist.yml b/apache/tasks/ip_whitelist.yml index 18f4a681..a40d6075 100644 --- a/apache/tasks/ip_whitelist.yml +++ b/apache/tasks/ip_whitelist.yml @@ -10,6 +10,7 @@ tags: - apache - ips + when: not ansible_check_mode - name: remove IP addresses from private IP whitelist lineinfile: diff --git a/apache/tasks/log2mail.yml b/apache/tasks/log2mail.yml index 3b0650b7..daf59db9 100644 --- a/apache/tasks/log2mail.yml +++ b/apache/tasks/log2mail.yml @@ -6,6 +6,7 @@ state: present tags: - apache + when: not ansible_check_mode - name: Add log2mail config for Apache segfaults template: 
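Review bot: Guarding the three `service:` handlers with `when: not ansible_check_mode` is unnecessary and hides information: the `service` module supports check mode and reports the restart or reload it would perform, so after this change a `--check` run no longer shows that Apache or munin-node would be restarted. If some handler in this role genuinely fails under `--check`, the fix belongs on that handler (or `check_mode: no` on a probe task), not on the service handlers; I would drop the three added `when:` lines here. The same consideration applies to the `apache2_module` and `lineinfile` tasks in the auth.yml hunks below, which also support check mode.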
diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index 1a028205..f6763278 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -53,6 +53,7 @@ notify: reload apache tags: - apache + when: not ansible_check_mode - name: basic modules are enabled apache2_module: @@ -64,6 +65,7 @@ when: apache_mpm == "prefork" or apache_mpm == "itk" tags: - apache + when: not ansible_check_mode - name: Copy Apache defaults config file @@ -133,6 +135,7 @@ when: apache_evolinux_default_enabled | bool tags: - apache + when: not ansible_check_mode - include: server_status.yml tags: @@ -158,6 +161,7 @@ when: envvar_grep_umask.rc != 0 tags: - apache + when: not ansible_check_mode - include_role: name: evolix/remount-usr @@ -190,6 +194,7 @@ replace: "{{ apache_logrotate_frequency }}" tags: - apache + when: not ansible_check_mode - name: "logrotate: rotate {{ apache_logrotate_rotate }}" replace: @@ -198,6 +203,7 @@ replace: '\1 {{ apache_logrotate_rotate }}' tags: - apache + when: not ansible_check_mode - include: log2mail.yml when: apache_log2mail_include diff --git a/apache/tasks/munin.yml b/apache/tasks/munin.yml index fe07a5cf..b9602511 100644 --- a/apache/tasks/munin.yml +++ b/apache/tasks/munin.yml @@ -23,6 +23,7 @@ tags: - apache - munin + when: not ansible_check_mode - name: "Install fcgi packages for Munin graphs" apt: @@ -43,6 +44,7 @@ tags: - apache - munin + when: not ansible_check_mode - name: "Apache has access to /var/log/munin/" file: @@ -51,3 +53,4 @@ tags: - apache - munin + when: not ansible_check_mode diff --git a/apache/tasks/server_status.yml b/apache/tasks/server_status.yml index efd2b00e..fa54090f 100644 --- a/apache/tasks/server_status.yml +++ b/apache/tasks/server_status.yml 
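Review bot: Three hunks in apache/tasks/main.yml add a second `when:` key to a task that already has one (`@@ -64`: `when: apache_mpm == "prefork" or apache_mpm == "itk"`, `@@ -133`: `when: apache_evolinux_default_enabled | bool`, `@@ -158`: `when: envvar_grep_umask.rc != 0`). A YAML mapping cannot hold two `when` keys; Ansible's loader prints a duplicate-key warning and keeps only the last definition, so the original condition is silently dropped: the MPM-specific modules get enabled regardless of `apache_mpm` and the default site is installed even when `apache_evolinux_default_enabled` is false. Merge the conditions into a list as packages.yml does in this same patch: `when:` / `  - apache_mpm == "prefork" or apache_mpm == "itk"` / `  - not ansible_check_mode`. For the umask task put `not ansible_check_mode` first, as the evocheck hunk does, since list conditions are evaluated in order and `envvar_grep_umask` may be unset in a dry run.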
@@ -26,10 +26,12 @@ changed_when: False check_mode: no register: new_apache_serverstatus_suffix + when: not ansible_check_mode - name: overwrite apache_serverstatus_suffix set_fact: apache_serverstatus_suffix: "{{ new_apache_serverstatus_suffix.stdout }}" + when: not ansible_check_mode - debug: var: apache_serverstatus_suffix @@ -40,12 +42,14 @@ dest: /var/www/index.html regexp: '__SERVERSTATUS_SUFFIX__' replace: "{{ apache_serverstatus_suffix }}" + when: not ansible_check_mode - name: add server-status suffix in default site index if missing replace: dest: /var/www/index.html regexp: '"/server-status-?"' replace: '"/server-status-{{ apache_serverstatus_suffix }}"' + when: not ansible_check_mode - name: add server-status suffix in default VHost replace: @@ -53,12 +57,14 @@ regexp: '' replace: '' notify: reload apache + when: not ansible_check_mode - name: Munin configuration has a section for apache lineinfile: dest: /etc/munin/plugin-conf.d/munin-node line: "[apache_*]" create: no + when: not ansible_check_mode - name: apache-status URL is configured for Munin lineinfile: @@ -68,3 +74,4 @@ insertafter: "[apache_*]" create: no notify: restart munin-node + when: not ansible_check_mode diff --git a/etc-git/tasks/main.yml b/etc-git/tasks/main.yml index f71ba552..e29d249f 100644 --- a/etc-git/tasks/main.yml +++ b/etc-git/tasks/main.yml @@ -8,6 +8,7 @@ - etc-git when: - ansible_distribution == "Debian" + - not ansible_check_mode - name: Install and configure utilities include: utils.yml @@ -18,4 +19,6 @@ include: repositories.yml tags: - etc-git - when: etc_git_config_repositories | bool \ No newline at end of file + when: + - etc_git_config_repositories | bool + - not ansible_check_mode diff --git a/etc-git/tasks/repositories.yml b/etc-git/tasks/repositories.yml index 71ff0665..27bba9c3 100644 --- a/etc-git/tasks/repositories.yml +++ b/etc-git/tasks/repositories.yml 
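Review bot: In `@@ -26` the probe task carries `check_mode: no` precisely so that it runs during `--check`, and the new `when: not ansible_check_mode` on the same task now skips it, so the `check_mode: no` line is dead and `new_apache_serverstatus_suffix` is never registered in a dry run. That only stays coherent because the `set_fact` is skipped as well; the replace and lineinfile tasks that follow then work with whatever `apache_serverstatus_suffix` already holds, so a check run reports different changes than a real run would make. Either drop the guard on the probe and the `set_fact` (both are safe in check mode) or remove `check_mode: no`; keeping both is contradictory. The same pairing appears in lxc/tasks/create-container.yml and packweb-apache/tasks/phpmyadmin.yml further down in this patch.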
@@ -34,4 +34,4 @@ - _usr_share_scripts.stat.isdir - ansible_distribution_major_version is version('10', '>=') tags: - - etc-git \ No newline at end of file + - etc-git diff --git a/etc-git/tasks/repository.yml b/etc-git/tasks/repository.yml index 80987da2..b1619c03 100644 --- a/etc-git/tasks/repository.yml +++ b/etc-git/tasks/repository.yml @@ -22,6 +22,7 @@ value: "root@{{ ansible_fqdn | default('localhost') }}" tags: - etc-git + when: not ansible_check_mode - name: "{{ repository_path }}/.git is restricted to root" file: @@ -49,6 +50,7 @@ loop: "{{ gitignore_items | default([]) }}" tags: - etc-git + when: not ansible_check_mode - name: "does {{ repository_path }}/ have any commit?" command: "git log" @@ -70,4 +72,4 @@ register: git_commit when: git_log.rc != 0 or (git_init is defined and git_init is changed) tags: - - etc-git \ No newline at end of file + - etc-git diff --git a/evoacme/handlers/main.yml b/evoacme/handlers/main.yml index 1ea11783..fb817eb7 100644 --- a/evoacme/handlers/main.yml +++ b/evoacme/handlers/main.yml @@ -1,14 +1,17 @@ - name: newaliases command: newaliases + when: not ansible_check_mode - name: Test Apache conf command: apache2ctl -t notify: "Reload Apache conf" + when: not ansible_check_mode - name: reload apache2 service: name: apache2 state: reloaded + when: not ansible_check_mode - name: apt update apt: @@ -18,8 +21,10 @@ service: name: squid3 state: reloaded + when: not ansible_check_mode - name: reload squid service: name: squid state: reloaded + when: not ansible_check_mode diff --git a/evocheck/tasks/exec.yml b/evocheck/tasks/exec.yml index 306cf019..1338a97b 100644 --- a/evocheck/tasks/exec.yml +++ b/evocheck/tasks/exec.yml @@ -10,6 +10,8 @@ - debug: var: evocheck_run.stdout_lines - when: evocheck_run.stdout | length > 0 + when: + - not ansible_check_mode + - evocheck_run.stdout | length > 0 tags: - evocheck-exec diff --git a/evolinux-base/tasks/default_www.yml b/evolinux-base/tasks/default_www.yml index 84580b54..4d8905b5 100644 
--- a/evolinux-base/tasks/default_www.yml +++ b/evolinux-base/tasks/default_www.yml @@ -38,6 +38,7 @@ owner: root group: ssl-cert mode: "0640" + when: not ansible_check_mode - name: Create certificate for default site command: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ ansible_fqdn }}.csr -signkey /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/certs/{{ ansible_fqdn }}.crt diff --git a/evolinux-base/tasks/hardware.yml b/evolinux-base/tasks/hardware.yml index 7ebecc82..d8a966d8 100644 --- a/evolinux-base/tasks/hardware.yml +++ b/evolinux-base/tasks/hardware.yml @@ -43,7 +43,9 @@ state: present tags: - packages - when: ansible_virtualization_role == "host" + when: + - ansible_virtualization_role == "host" + - not ansible_check_mode ## RAID # Dell and others: MegaRAID SAS @@ -108,6 +110,7 @@ name: ssacli tags: - packages + when: not ansible_check_mode when: - "'Hewlett-Packard Company Smart Array' in raidmodel.stdout" - "'Adaptec Smart Storage PQI' in raidmodel.stdout" @@ -134,6 +137,7 @@ state: present tags: - packages + when: not ansible_check_mode - name: cciss-vol-statusd init script is present (HP gen <10) template: @@ -246,6 +250,7 @@ allow_unauthenticated: yes tags: - packages + when: not ansible_check_mode - name: Configure packages for DELL/LSI hardware template: @@ -263,6 +268,7 @@ tags: - packages - config + when: not ansible_check_mode when: - "'MegaRAID' in raidmodel.stdout" - evolinux_packages_hardware_raid | bool diff --git a/evolinux-base/tasks/log2mail.yml b/evolinux-base/tasks/log2mail.yml index 35ce19cf..25937b3e 100644 --- a/evolinux-base/tasks/log2mail.yml +++ b/evolinux-base/tasks/log2mail.yml @@ -16,6 +16,7 @@ daemon-reload: yes state: started enabled: yes + when: not ansible_check_mode - name: log2mail config is present blockinfile: @@ -32,4 +33,5 @@ notify: restart log2mail tags: - log2mail + when: not ansible_check_mode 
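Review bot: In `@@ -108` and `@@ -263` the added `when: not ansible_check_mode` sits directly above an existing list-form `when:` of the same task, which makes two `when` keys in one mapping; Ansible's loader warns about the duplicate and keeps the last one, so here the new guard is simply discarded while the warning is printed on every run. Append `  - not ansible_check_mode` to the existing `when:` list of each task instead of adding a new key. Separately, the task guarded in `@@ -246` installs with `allow_unauthenticated: yes` (an existing line); a one-line comment naming the vendor repository that lacks a usable signing key would help the next reader judge whether that signature bypass is still needed.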
diff --git a/evolinux-base/tasks/packages.yml b/evolinux-base/tasks/packages.yml index b4a1d666..ad72ed55 100644 --- a/evolinux-base/tasks/packages.yml +++ b/evolinux-base/tasks/packages.yml @@ -89,7 +89,9 @@ apt: name: serveur-base allow_unauthenticated: yes - when: evolinux_packages_serveur_base | bool + when: + - evolinux_packages_serveur_base | bool + - not ansible_check_mode - name: Install/Update packages for Stretch and later apt: diff --git a/evolinux-base/tasks/postfix.yml b/evolinux-base/tasks/postfix.yml index 6a46548b..53017d1f 100644 --- a/evolinux-base/tasks/postfix.yml +++ b/evolinux-base/tasks/postfix.yml @@ -20,6 +20,7 @@ notify: reload postfix tags: - postfix + when: not ansible_check_mode - name: configure postfix mynetworks lineinfile: @@ -30,6 +31,7 @@ notify: reload postfix tags: - postfix + when: not ansible_check_mode - name: fetch users list shell: "set -o pipefail && getent passwd | cut -d':' -f 1 | grep -v root" @@ -48,7 +50,9 @@ line: "{{ item }}: root" loop: "{{ non_root_users_list.stdout_lines }}" notify: newaliases - when: evolinux_postfix_users_alias_root | bool + when: + - evolinux_postfix_users_alias_root | bool + - not ansible_check_mode tags: - postfix @@ -65,7 +69,9 @@ - error - bounce notify: newaliases - when: evolinux_postfix_mailer_alias_root | bool + when: + - evolinux_postfix_mailer_alias_root | bool + - not ansible_check_mode tags: - postfix @@ -75,7 +81,9 @@ regexp: "^root:" line: "root: {{ postfix_alias_email or general_alert_email | mandatory }}" notify: newaliases - when: evolinux_postfix_root_alias | bool + when: + - evolinux_postfix_root_alias | bool + - not ansible_check_mode tags: - postfix diff --git a/evolinux-users/tasks/user.yml b/evolinux-users/tasks/user.yml index 0f8bd480..50af1812 100644 --- a/evolinux-users/tasks/user.yml +++ b/evolinux-users/tasks/user.yml 
@@ -161,6 +161,7 @@ insertafter: EOF line: 'trap "sudo /usr/share/scripts/evomaintenance.sh" 0' when: grep_profile_evomaintenance.rc != 0 + when: not ansible_check_mode # SSH keys @@ -192,5 +193,6 @@ when: - user.ssh_keys is defined - user.ssh_keys | length > 0 + - not ansible_check_mode - meta: flush_handlers diff --git a/haproxy/handlers/main.yml b/haproxy/handlers/main.yml index 9cf3b9cb..24378067 100644 --- a/haproxy/handlers/main.yml +++ b/haproxy/handlers/main.yml @@ -3,13 +3,16 @@ service: name: haproxy state: reloaded + when: not ansible_check_mode - name: restart haproxy service: name: haproxy state: restarted + when: not ansible_check_mode - name: restart munin-node service: name: munin-node state: restarted + when: not ansible_check_mode diff --git a/haproxy/tasks/main.yml b/haproxy/tasks/main.yml index d38e83af..62664415 100644 --- a/haproxy/tasks/main.yml +++ b/haproxy/tasks/main.yml @@ -123,6 +123,7 @@ tags: - haproxy - logrotate + when: not ansible_check_mode - name: Rotate logs with nodelaycompress lineinfile: @@ -133,6 +134,7 @@ tags: - haproxy - logrotate + when: not ansible_check_mode - name: Set net.ipv4.ip_nonlocal_bind sysctl: diff --git a/lxc-php/tasks/php74.yml b/lxc-php/tasks/php74.yml index 64677009..85211747 100644 --- a/lxc-php/tasks/php74.yml +++ b/lxc-php/tasks/php74.yml @@ -10,6 +10,7 @@ dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/sources.list" regexp: 'bullseye/updates' replace: 'bullseye-security' + when: not ansible_check_mode - name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" template: diff --git a/lxc-php/tasks/php80.yml b/lxc-php/tasks/php80.yml index b0ff90fe..98b2c4d8 100644 --- a/lxc-php/tasks/php80.yml +++ b/lxc-php/tasks/php80.yml @@ -10,6 +10,7 @@ dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/sources.list" regexp: 'bullseye/updates' replace: 'bullseye-security' + when: not ansible_check_mode - name: "{{ lxc_php_version }} - Add sury repo" lineinfile: 
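Review bot: In `@@ -161` the task already has `when: grep_profile_evomaintenance.rc != 0`, and the added `when: not ansible_check_mode` is a second key in the same mapping; Ansible keeps the last definition, so the grep condition is lost and the `trap "sudo /usr/share/scripts/evomaintenance.sh" 0` line is managed on every run, with a duplicate-key warning each time. Write it as one list with the check-mode clause first, because `grep_profile_evomaintenance` may be unset in a dry run: `when:` / `  - not ansible_check_mode` / `  - grep_profile_evomaintenance.rc != 0`. The `@@ -192` hunk just below does this correctly.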
diff --git a/lxc-php/tasks/php81.yml b/lxc-php/tasks/php81.yml index 91dc38e1..6ca43148 100644 --- a/lxc-php/tasks/php81.yml +++ b/lxc-php/tasks/php81.yml @@ -10,6 +10,7 @@ dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/sources.list" regexp: 'bullseye/updates' replace: 'bullseye-security' + when: not ansible_check_mode - name: "{{ lxc_php_version }} - Add sury repo" lineinfile: diff --git a/lxc/tasks/create-container.yml b/lxc/tasks/create-container.yml index ad4f35d6..b841bb67 100644 --- a/lxc/tasks/create-container.yml +++ b/lxc/tasks/create-container.yml @@ -4,6 +4,7 @@ changed_when: false check_mode: no register: container_exists + when: not ansible_check_mode - name: "Create container {{ name }}" lxc_container: @@ -13,6 +14,7 @@ state: stopped template_options: "--arch amd64 --release {{ release }}" when: container_exists.stdout_lines | length == 0 + when: not ansible_check_mode - name: "Disable network configuration inside container {{ name }}" replace: @@ -20,12 +22,14 @@ regexp: "^#CONFIGURE_INTERFACES=yes" replace: CONFIGURE_INTERFACES=no when: lxc_network_type == "none" + when: not ansible_check_mode - name: "Disable interface shut down on halt inside container {{ name }} (Jessie container)" lineinfile: name: "/var/lib/lxc/{{ name }}/rootfs/etc/default/halt" line: "NETDOWN=no" when: lxc_network_type == "none" and release == "jessie" + when: not ansible_check_mode - name: "Make the container {{ name }} poweroff on SIGPWR sent by lxc-stop (Jessie container)" file: @@ -44,6 +48,7 @@ lineinfile: name: "/var/lib/lxc/{{ name }}/rootfs/etc/hosts" line: "127.0.0.1 {{ name }}" + when: not ansible_check_mode - name: "Fix permission on /dev for container {{ name }}" lineinfile: @@ -51,6 +56,7 @@ line: "chmod 755 /dev" insertbefore: "^exit 0$" when: release == 'jessie' + when: not ansible_check_mode - name: "Ensure that {{ name }} container is running" lxc_container: diff --git a/lxc/tasks/main.yml b/lxc/tasks/main.yml index 3ec586bd..6f9f0875 100644 
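Review bot: Four hunks in lxc/tasks/create-container.yml add `when: not ansible_check_mode` under a task that already has a `when:` (`container_exists.stdout_lines | length == 0`, `lxc_network_type == "none"`, `lxc_network_type == "none" and release == "jessie"`, `release == 'jessie'`); with duplicate keys Ansible keeps the last one, so those conditions are dropped: `CONFIGURE_INTERFACES=no` is written into every container regardless of `lxc_network_type`, and `chmod 755 /dev` is inserted into the startup file of non-Jessie containers as well. Merge each pair into a list with `not ansible_check_mode` first, so `container_exists` is not dereferenced when its probe was skipped. Also, the probe in the first hunk has `check_mode: no` and now a guard that skips it in check mode; one of the two should go.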
--- a/lxc/tasks/main.yml +++ b/lxc/tasks/main.yml @@ -48,6 +48,7 @@ changed_when: false check_mode: no register: check_fs_options + when: not ansible_check_mode - name: Check if options are correct assert: @@ -56,6 +57,7 @@ - "'noexec' not in check_fs_options.stdout" - "'nosuid' not in check_fs_options.stdout" msg: "LXC directory is in a filesystem with incompatible options" + when: not ansible_check_mode - name: Create containers include: create-container.yml diff --git a/minifirewall/tasks/config.yml b/minifirewall/tasks/config.yml index b0a1d7a6..ae38ff4d 100644 --- a/minifirewall/tasks/config.yml +++ b/minifirewall/tasks/config.yml @@ -30,6 +30,7 @@ line: "# BEGIN ANSIBLE MANAGED BLOCK FOR IPS" insertbefore: '^# Main interface' create: no + when: not ansible_check_mode - name: End marker for IP addresses lineinfile: @@ -37,6 +38,7 @@ create: no line: "# END ANSIBLE MANAGED BLOCK FOR IPS" insertafter: '^PRIVILEGIEDIPS=' + when: not ansible_check_mode - name: Verify that at least 1 trusted IP is provided assert: @@ -84,6 +86,7 @@ PRIVILEGIEDIPS='{{ minifirewall_privilegied_ips | join(' ') }}' create: no register: minifirewall_config_ips + when: not ansible_check_mode - name: Begin marker for ports lineinfile: @@ -91,6 +94,7 @@ line: "# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS" insertbefore: '^# Protected services' create: no + when: not ansible_check_mode - name: End marker for ports lineinfile: @@ -98,6 +102,7 @@ line: "# END ANSIBLE MANAGED BLOCK FOR PORTS" insertafter: '^SERVICESUDP3=' create: no + when: not ansible_check_mode - name: Configure ports blockinfile: @@ -122,6 +127,7 @@ SERVICESUDP3='{{ minifirewall_private_ports_udp | join(' ') }}' create: no register: minifirewall_config_ports + when: not ansible_check_mode - name: Configure DNSSERVEURS lineinfile: 
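Review bot: The `Check if options are correct` assert verifies that the LXC directory is not on a `noexec`/`nosuid` filesystem, and together with its `check_mode: no` probe it was one of the checks that still worked in a dry run; adding `when: not ansible_check_mode` to both now makes `--check` pass silently on a host where the real run would stop. `assert` runs fine in check mode and the probe is already forced to run by `check_mode: no`, so `check_fs_options` cannot be undefined here; I would drop both added `when:` lines.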
@@ -193,7 +199,9 @@ line: "PROXY='{{ minifirewall_proxy }}'" regexp: "PROXY=('|\").*('|\")" create: no - when: minifirewall_proxy is not none + when: + - minifirewall_proxy is not none + - not ansible_check_mode - name: Configure PROXYPORT lineinfile: @@ -201,7 +209,9 @@ line: "PROXYPORT='{{ minifirewall_proxyport }}'" regexp: "PROXYPORT=('|\").*('|\")" create: no - when: minifirewall_proxyport is not none + when: + - minifirewall_proxyport is not none + - not ansible_check_mode # Warning: keep double quotes for the value, # since we often reference a shell variable that needs to be interpolated @@ -211,7 +221,9 @@ line: "PROXYBYPASS=\"{{ minifirewall_proxybypass | join(' ') }}\"" regexp: "PROXYBYPASS=('|\").*('|\")" create: no - when: minifirewall_proxybypass is not none + when: + - minifirewall_proxyport is not none + - not ansible_check_mode - name: Configure BACKUPSERVERS lineinfile: @@ -219,7 +231,9 @@ line: "BACKUPSERVERS='{{ minifirewall_backupservers | join(' ') }}'" regexp: "BACKUPSERVERS=('|\").*('|\")" create: no - when: minifirewall_backupservers is not none + when: + - minifirewall_backupservers is not none + - not ansible_check_mode - name: Configure SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS lineinfile: diff --git a/munin/handlers/main.yml b/munin/handlers/main.yml index 8654181d..6dcd127d 100644 --- a/munin/handlers/main.yml +++ b/munin/handlers/main.yml @@ -4,12 +4,14 @@ service: name: munin-node state: restarted + when: not ansible_check_mode - name: restart munin_node service: name: munin_node state: restarted + when: not ansible_check_mode - name: systemd daemon-reload systemd: - daemon_reload: yes \ No newline at end of file + daemon_reload: yes diff --git a/munin/tasks/main.yml b/munin/tasks/main.yml index a4ea9a49..f4aab7c6 100644 --- a/munin/tasks/main.yml +++ b/munin/tasks/main.yml @@ -33,6 +33,7 @@ notify: restart munin-node when: not ansible_hostname == "localdomain" + when: not ansible_check_mode tags: - munin 
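Review bot: In `@@ -211` the condition for `Configure PROXYBYPASS` was rewritten as `minifirewall_proxyport is not none` instead of the original `minifirewall_proxybypass is not none`, so the task now keys on the wrong variable: with `minifirewall_proxyport` set but `minifirewall_proxybypass` left at `None`, `minifirewall_proxybypass | join(' ')` is applied to `None` and the play fails, and with a bypass list set but no port the entry is never written. Restore the original name: `when:` / `  - minifirewall_proxybypass is not none` / `  - not ansible_check_mode`. PROXYBYPASS presumably lists destinations that skip the outbound proxy, so a silently missing value changes the egress policy of the firewall; worth a regression run on a host with a proxy configured.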
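Review bot: The task in `@@ -33` of munin/tasks/main.yml already has `when: not ansible_hostname == "localdomain"`, and the added `when: not ansible_check_mode` becomes a duplicate key that Ansible resolves by keeping the last one, so the hostname check is dropped and a warning is printed on each run. Use a list: `when:` / `  - not ansible_hostname == "localdomain"` / `  - not ansible_check_mode`. Since this task only notifies `restart munin-node` and the `service` handler supports check mode, the guard is probably not needed at all.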
@@ -79,6 +80,7 @@ notify: restart munin-node tags: - munin + when: not ansible_check_mode - name: Enable sensors_ plugin on dedicated hardware file: @@ -92,6 +94,7 @@ notify: restart munin-node tags: - munin + when: not ansible_check_mode - name: Enable ipmi_ plugin on dedicated hardware file: @@ -105,6 +108,7 @@ - temp - power - volts + when: not ansible_check_mode - name: adjustments for grsec kernel blockinfile: diff --git a/mysql/tasks/datadir.yml b/mysql/tasks/datadir.yml index c375f5d5..da4af342 100644 --- a/mysql/tasks/datadir.yml +++ b/mysql/tasks/datadir.yml @@ -43,3 +43,4 @@ - mysql_custom_datadir | length > 0 - mysql_custom_datadir != mysql_current_real_datadir_test.stdout - not mysql_custom_datadir_test.stat.exists + - not ansible_check_mode diff --git a/mysql/tasks/logdir.yml b/mysql/tasks/logdir.yml index bd6ecab2..1779667a 100644 --- a/mysql/tasks/logdir.yml +++ b/mysql/tasks/logdir.yml @@ -43,3 +43,4 @@ - mysql_custom_logdir | length > 0 - mysql_custom_logdir != mysql_current_real_logdir_test.stdout - not mysql_custom_logdir_test.stat.exists + - not ansible_check_mode diff --git a/mysql/tasks/packages_jessie.yml b/mysql/tasks/packages_jessie.yml index 652eace7..99c89d8a 100644 --- a/mysql/tasks/packages_jessie.yml +++ b/mysql/tasks/packages_jessie.yml @@ -42,6 +42,7 @@ tags: - mysql - services + when: not ansible_check_mode - name: apg package is installed apt: diff --git a/mysql/tasks/packages_stretch.yml b/mysql/tasks/packages_stretch.yml index 880f5050..34e4d2b6 100644 --- a/mysql/tasks/packages_stretch.yml +++ b/mysql/tasks/packages_stretch.yml @@ -28,6 +28,7 @@ tags: - mysql - services + when: not ansible_check_mode - name: apg package is installed apt: @@ -57,4 +58,4 @@ tags: - mysql - packages - when: ansible_python_version is version('3', '>=') \ No newline at end of file + when: ansible_python_version is version('3', '>=') diff --git a/mysql/tasks/utils.yml b/mysql/tasks/utils.yml index 1ac8f2df..9ae7fd15 100644 --- a/mysql/tasks/utils.yml 
+++ b/mysql/tasks/utils.yml @@ -156,6 +156,7 @@ dest: /etc/cron.{{ mysql_cron_optimize_frequency | mandatory }}/mysql-optimize.sh state: link when: mysql_cron_optimize | bool + when: not ansible_check_mode tags: - mysql @@ -248,4 +249,4 @@ mode: "0755" force: no tags: - - mysql \ No newline at end of file + - mysql diff --git a/nagios-nrpe/handlers/main.yml b/nagios-nrpe/handlers/main.yml index 25ab29ad..de27314f 100644 --- a/nagios-nrpe/handlers/main.yml +++ b/nagios-nrpe/handlers/main.yml @@ -4,8 +4,10 @@ service: name: nagios-nrpe-server state: restarted + when: not ansible_check_mode - name: restart nrpe service: name: nrpe state: restarted + when: not ansible_check_mode diff --git a/ntpd/tasks/main.yml b/ntpd/tasks/main.yml index 2d66d765..ae4a97c5 100644 --- a/ntpd/tasks/main.yml +++ b/ntpd/tasks/main.yml @@ -21,3 +21,4 @@ notify: restart ntp tags: - ntp + when: not ansible_check_mode diff --git a/packweb-apache/tasks/apache.yml b/packweb-apache/tasks/apache.yml index 96c11e3a..c2efd93f 100644 --- a/packweb-apache/tasks/apache.yml +++ b/packweb-apache/tasks/apache.yml @@ -14,7 +14,9 @@ block: | # Used for Evoadmin-web export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin - when: envvar_grep_path.rc != 0 + when: + - envvar_grep_path.rc != 0 + - not ansible_check_mode - name: Additional packages are installed apt: @@ -34,6 +36,7 @@ - negotiation - alias - log_forensic + when: not ansible_check_mode - name: Copy Apache settings for modules copy: @@ -60,3 +63,4 @@ loop: - evolinux-evasive - evolinux-modsec + when: not ansible_check_mode diff --git a/packweb-apache/tasks/awstats.yml b/packweb-apache/tasks/awstats.yml index 5ea0fa57..a423aaf8 100644 --- a/packweb-apache/tasks/awstats.yml +++ b/packweb-apache/tasks/awstats.yml @@ -22,6 +22,7 @@ AllowFullYearView=3 ErrorMessages="An error occured. Contact your Administrator" mode: "0644" + when: not ansible_check_mode - name: Create conf-available/awstats-icon.conf file copy: 
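Review bot: In `@@ -156` the `mysql-optimize.sh` symlink task now has two `when` keys, `mysql_cron_optimize | bool` and `not ansible_check_mode`; Ansible keeps only the last one, so the cron link is created even on hosts where `mysql_cron_optimize` is false and the scheduled job starts appearing where it was deliberately disabled. Combine them: `when:` / `  - mysql_cron_optimize | bool` / `  - not ansible_check_mode`.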
@@ -39,6 +40,7 @@ register: command_result changed_when: "'Enabling' in command_result.stderr" notify: reload apache + when: not ansible_check_mode - name: Create awstats cron lineinfile: @@ -46,6 +48,7 @@ create: yes regexp: '-config=awstats' line: "10 */6 * * * root umask 033; [ -x /usr/lib/cgi-bin/awstats.pl -a -f /etc/awstats/awstats.conf -a -r /var/log/apache2/access.log ] && /usr/lib/cgi-bin/awstats.pl -config=awstats -update >/dev/null" + when: not ansible_check_mode - name: Comment default awstat cron's tasks lineinfile: @@ -54,3 +57,4 @@ line: '#\1' backrefs: yes state: present + when: not ansible_check_mode diff --git a/packweb-apache/tasks/main.yml b/packweb-apache/tasks/main.yml index ff3cd9a7..58b2047c 100644 --- a/packweb-apache/tasks/main.yml +++ b/packweb-apache/tasks/main.yml @@ -26,6 +26,7 @@ dest: /var/www/index.html line: '
  • Infos PHP
  • ' regexp: "Infos PHP" + when: not ansible_check_mode - name: install opcache.php copy: @@ -38,6 +39,7 @@ dest: /var/www/index.html line: '
  • Infos OpCache PHP
  • ' regexp: "Infos OpCache PHP" + when: not ansible_check_mode - name: Add elements to user account template file: @@ -64,6 +66,7 @@ loop: - access.log - error.log + when: not ansible_check_mode - name: "Install userlogrotate (jessie)" copy: diff --git a/packweb-apache/tasks/multiphp.yml b/packweb-apache/tasks/multiphp.yml index 8a7c9613..80a6f34a 100644 --- a/packweb-apache/tasks/multiphp.yml +++ b/packweb-apache/tasks/multiphp.yml @@ -5,6 +5,7 @@ state: present name: proxy_fcgi notify: restart apache2 + when: not ansible_check_mode - include_role: name: remount-usr diff --git a/packweb-apache/tasks/phpmyadmin.yml b/packweb-apache/tasks/phpmyadmin.yml index f83b0a5d..9e894786 100644 --- a/packweb-apache/tasks/phpmyadmin.yml +++ b/packweb-apache/tasks/phpmyadmin.yml @@ -65,10 +65,12 @@ changed_when: False check_mode: no register: new_packweb_phpmyadmin_suffix + when: not ansible_check_mode - name: overwrite packweb_phpmyadmin_suffix set_fact: packweb_phpmyadmin_suffix: "{{ new_packweb_phpmyadmin_suffix.stdout }}" + when: not ansible_check_mode - debug: var: packweb_phpmyadmin_suffix @@ -86,15 +88,18 @@ Require all denied Include /etc/apache2/ipaddr_whitelist.conf + when: not ansible_check_mode - name: enable phpmyadmin link in default site index replace: dest: /var/www/index.html regexp: '' replace: '
  • Accès PhpMyAdmin
  • ' + when: not ansible_check_mode - name: replace phpmyadmin suffix in default site index replace: dest: /var/www/index.html regexp: '__PHPMYADMIN_SUFFIX__' replace: "{{ packweb_phpmyadmin_suffix }}" + when: not ansible_check_mode diff --git a/php/handlers/main.yml b/php/handlers/main.yml index 079a14d5..75fe86ba 100644 --- a/php/handlers/main.yml +++ b/php/handlers/main.yml @@ -4,23 +4,28 @@ service: name: php5-fpm state: restarted + when: not ansible_check_mode - name: restart php7.0-fpm service: name: php7.0-fpm state: restarted + when: not ansible_check_mode - name: restart php7.3-fpm service: name: php7.3-fpm state: restarted + when: not ansible_check_mode - name: restart php7.4-fpm service: name: php7.4-fpm state: restarted + when: not ansible_check_mode - name: restart php8.1-fpm service: name: php8.1-fpm state: restarted + when: not ansible_check_mode diff --git a/php/tasks/config_cli.yml b/php/tasks/config_cli.yml index d327690a..19030c0c 100644 --- a/php/tasks/config_cli.yml +++ b/php/tasks/config_cli.yml @@ -25,6 +25,7 @@ file: dest: "{{ php_cli_custom_ini_file }}" mode: "0644" + when: not ansible_check_mode - name: "Set custom values for PHP to enable Symfony" ini_file: @@ -36,3 +37,4 @@ loop: - { option: "date.timezone", value: "Europe/Paris" } when: php_symfony_requirements | bool + when: not ansible_check_mode diff --git a/php/tasks/main_bookworm.yml b/php/tasks/main_bookworm.yml index 4dcde767..b9dd9ac2 100644 --- a/php/tasks/main_bookworm.yml +++ b/php/tasks/main_bookworm.yml @@ -79,12 +79,14 @@ with_items: - /etc/php - /etc/php/{{ php_version }} + when: not ansible_check_mode - include: config_cli.yml - name: "Enforce permissions on PHP cli directory (Debian 12)" file: dest: /etc/php/{{ php_version }}/cli mode: "0755" + when: not ansible_check_mode - include: config_fpm.yml when: php_fpm_enable 
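Review bot: In php/tasks/config_cli.yml `@@ -36` the added `when: not ansible_check_mode` sits beneath the existing `when: php_symfony_requirements | bool`, creating a duplicate key that Ansible resolves to the last value; the Symfony gate is therefore lost and `date.timezone = Europe/Paris` is written into the PHP CLI ini on every host. Merge into `when:` / `  - php_symfony_requirements | bool` / `  - not ansible_check_mode`. The first hunk of that file (`@@ -25`) is fine since the task had no prior condition.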
@@ -94,6 +96,7 @@ dest: /etc/php/{{ php_version }}/fpm mode: "0755" when: php_fpm_enable + when: not ansible_check_mode - include: config_apache.yml when: php_apache_enable @@ -103,6 +106,7 @@ dest: /etc/php/{{ php_version }}/apache2 mode: "0755" when: php_apache_enable + when: not ansible_check_mode - include: sury_post.yml when: php_sury_enable diff --git a/php/tasks/main_bullseye.yml b/php/tasks/main_bullseye.yml index 403a7b76..7d2d7e11 100644 --- a/php/tasks/main_bullseye.yml +++ b/php/tasks/main_bullseye.yml @@ -68,12 +68,14 @@ with_items: - /etc/php - /etc/php/7.4 + when: not ansible_check_mode - include: config_cli.yml - name: "Enforce permissions on PHP cli directory (Debian 11)" file: dest: /etc/php/7.4/cli mode: "0755" + when: not ansible_check_mode - include: config_fpm.yml when: php_fpm_enable @@ -83,6 +85,7 @@ dest: /etc/php/7.4/fpm mode: "0755" when: php_fpm_enable + when: not ansible_check_mode - include: config_apache.yml when: php_apache_enable @@ -92,6 +95,7 @@ dest: /etc/php/7.4/apache2 mode: "0755" when: php_apache_enable + when: not ansible_check_mode - include: sury_post.yml when: php_sury_enable diff --git a/php/tasks/main_buster.yml b/php/tasks/main_buster.yml index 2fc4293e..ff27e410 100644 --- a/php/tasks/main_buster.yml +++ b/php/tasks/main_buster.yml @@ -68,12 +68,14 @@ loop: - /etc/php - /etc/php/7.3 + when: not ansible_check_mode - include: config_cli.yml - name: "Enforce permissions on PHP cli directory (Debian 10)" file: dest: /etc/php/7.3/cli mode: "0755" + when: not ansible_check_mode - include: config_fpm.yml when: php_fpm_enable | bool @@ -83,6 +85,7 @@ dest: /etc/php/7.3/fpm mode: "0755" when: php_fpm_enable | bool + when: not ansible_check_mode - include: config_apache.yml when: php_apache_enable | bool @@ -92,6 +95,7 @@ dest: /etc/php/7.3/apache2 mode: "0755" when: php_apache_enable | bool + when: not ansible_check_mode - include: sury_post.yml when: php_sury_enable | bool 
diff --git a/php/tasks/main_jessie.yml b/php/tasks/main_jessie.yml index 75105166..1082dcf5 100644 --- a/php/tasks/main_jessie.yml +++ b/php/tasks/main_jessie.yml @@ -56,6 +56,7 @@ file: dest: /etc/php5 mode: "0755" + when: not ansible_check_mode - include: config_cli.yml @@ -63,6 +64,7 @@ file: dest: /etc/php5/cli mode: "0755" + when: not ansible_check_mode - include: config_fpm.yml when: php_fpm_enable | bool @@ -72,6 +74,7 @@ dest: /etc/php5/fpm mode: "0755" when: php_fpm_enable | bool + when: not ansible_check_mode - include: config_apache.yml when: php_apache_enable | bool @@ -81,3 +84,4 @@ dest: /etc/php5/apache2 mode: "0755" when: php_apache_enable | bool + when: not ansible_check_mode diff --git a/php/tasks/main_stretch.yml b/php/tasks/main_stretch.yml index 698621ac..6188877c 100644 --- a/php/tasks/main_stretch.yml +++ b/php/tasks/main_stretch.yml @@ -68,6 +68,7 @@ loop: - /etc/php - /etc/php/7.0 + when: not ansible_check_mode - include: config_cli.yml @@ -75,6 +76,7 @@ file: dest: /etc/php/7.0/cli mode: "0755" + when: not ansible_check_mode - include: config_fpm.yml when: php_fpm_enable | bool @@ -84,6 +86,7 @@ dest: /etc/php/7.0/fpm mode: "0755" when: php_fpm_enable | bool + when: not ansible_check_mode - include: config_apache.yml when: php_apache_enable | bool @@ -93,6 +96,7 @@ dest: /etc/php/7.0/apache2 mode: "0755" when: php_apache_enable | bool + when: not ansible_check_mode - include: sury_post.yml when: php_sury_enable | bool diff --git a/php/tasks/sury_post.yml b/php/tasks/sury_post.yml index 4e706889..14ffabab 100644 --- a/php/tasks/sury_post.yml +++ b/php/tasks/sury_post.yml @@ -14,6 +14,7 @@ file: dest: /etc/php/7.4/cli mode: "0755" + when: not ansible_check_mode - name: Symlink Evolix Apache config files from 7.4 to 7.0 file: @@ -31,6 +32,7 @@ dest: /etc/php/7.4/apache2 mode: "0755" when: php_apache_enable | bool + when: not ansible_check_mode - name: Symlink Evolix FPM config files from 7.4 to 7.0 file: 
@@ -50,3 +52,4 @@ dest: /etc/php/7.4/fpm mode: "0755" when: php_fpm_enable | bool + when: not ansible_check_mode diff --git a/proftpd/handlers/main.yml b/proftpd/handlers/main.yml index 0914d289..bffa7ede 100644 --- a/proftpd/handlers/main.yml +++ b/proftpd/handlers/main.yml @@ -3,3 +3,4 @@ service: name: proftpd state: restarted + when: not ansible_check_mode diff --git a/proftpd/tasks/main.yml b/proftpd/tasks/main.yml index 9ddb6273..d4fe03f4 100644 --- a/proftpd/tasks/main.yml +++ b/proftpd/tasks/main.yml @@ -70,6 +70,7 @@ notify: restart proftpd tags: - proftpd + when: not ansible_check_mode - name: Put empty vpasswd file if missing copy: @@ -92,6 +93,7 @@ notify: restart proftpd tags: - proftpd + when: not ansible_check_mode - include: accounts.yml when: proftpd_accounts | length > 0 diff --git a/squid/handlers/main.yml b/squid/handlers/main.yml index 4f5329b9..675a9dbd 100644 --- a/squid/handlers/main.yml +++ b/squid/handlers/main.yml @@ -3,31 +3,38 @@ service: name: munin-node state: restarted + when: not ansible_check_mode - name: restart squid service: name: squid state: restarted + when: not ansible_check_mode - name: reload squid service: name: squid state: reloaded + when: not ansible_check_mode - name: restart squid3 service: name: squid3 state: restarted + when: not ansible_check_mode - name: reload squid3 service: name: squid3 state: reloaded + when: not ansible_check_mode - name: restart log2mail service: name: log2mail state: restarted + when: not ansible_check_mode - name: restart minifirewall command: /etc/init.d/minifirewall restart + when: not ansible_check_mode diff --git a/squid/tasks/main.yml b/squid/tasks/main.yml index 4a3cab4d..540e56d9 100644 --- a/squid/tasks/main.yml +++ b/squid/tasks/main.yml @@ -121,6 +121,7 @@ when: - squid_localproxy_enable | bool - ansible_distribution_major_version is version('9', '>=') + - not ansible_check_mode - name: "evolinux custom overrides (Debian 9 or later)" copy: 
diff --git a/webapps/evoadmin-web/tasks/ftp.yml b/webapps/evoadmin-web/tasks/ftp.yml index 98f275ff..074b38fb 100644 --- a/webapps/evoadmin-web/tasks/ftp.yml +++ b/webapps/evoadmin-web/tasks/ftp.yml @@ -10,3 +10,4 @@ remote_src: False src: ftp/evolinux.conf.diff dest: /etc/proftpd/conf.d/z-evolinux.conf + when: not ansible_check_mode diff --git a/webapps/evoadmin-web/tasks/main.yml b/webapps/evoadmin-web/tasks/main.yml index 1acb2aa5..d9589548 100644 --- a/webapps/evoadmin-web/tasks/main.yml +++ b/webapps/evoadmin-web/tasks/main.yml @@ -3,7 +3,9 @@ - name: "Ensure that evoadmin_contact_email is defined" fail: msg: Please configure var evoadmin_contact_email - when: evoadmin_contact_email is none or evoadmin_contact_email | length == 0 + when: + - evoadmin_contact_email is none or evoadmin_contact_email | length == 0 + - not ansible_check_mode - include: packages.yml @@ -23,3 +25,4 @@ marker: "" block: |
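Review bot: Gating the `fail` guard on `evoadmin_contact_email` with `not ansible_check_mode` removes the validation exactly when it is most useful: `fail` has no side effects and already runs in check mode, so a dry run now proceeds silently with an unset contact address instead of reporting the misconfiguration. Keep the single original condition, `when: evoadmin_contact_email is none or evoadmin_contact_email | length == 0`, and reserve the check-mode guard for tasks that genuinely cannot run without real system state.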
  • Interface admin web (EvoAdmin-web)
  • + when: not ansible_check_mode diff --git a/webapps/evoadmin-web/tasks/ssl.yml b/webapps/evoadmin-web/tasks/ssl.yml index 6bdf1421..eb7a31cd 100644 --- a/webapps/evoadmin-web/tasks/ssl.yml +++ b/webapps/evoadmin-web/tasks/ssl.yml @@ -17,6 +17,7 @@ owner: root group: ssl-cert mode: "0640" + when: not ansible_check_mode - name: Create certificate for default site command: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ evoadmin_host }}.csr -signkey /etc/ssl/private/{{ evoadmin_host }}.key -out /etc/ssl/certs/{{ evoadmin_host }}.crt diff --git a/webapps/evoadmin-web/tasks/user.yml b/webapps/evoadmin-web/tasks/user.yml index bbad1b8f..fa61b830 100644 --- a/webapps/evoadmin-web/tasks/user.yml +++ b/webapps/evoadmin-web/tasks/user.yml @@ -54,7 +54,9 @@ dest: "{{ evoadmin_document_root }}" version: jessie update: False - when: ansible_distribution_release == "jessie" + when: + - ansible_distribution_release == "jessie" + - not ansible_check_mode - name: "Clone evoadmin repository (Debian 9 or later)" git: @@ -62,7 +64,9 @@ dest: "{{ evoadmin_document_root }}" version: master update: False - when: ansible_distribution_major_version is version('9', '>=') + when: + - ansible_distribution_major_version is version('9', '>=') + - not ansible_check_mode - name: Change ownership on git repository file: -- 2.39.2 From 5e63340aa9aea99989b27a88025853c447b5de35 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Dubois?= Date: Fri, 2 Dec 2022 18:05:56 +0100 Subject: [PATCH 273/497] openvpn: shellpki upstream release 22.12.1 --- openvpn/files/shellpki/cert-expirations.sh | 26 ++++++++++++---------- 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/openvpn/files/shellpki/cert-expirations.sh b/openvpn/files/shellpki/cert-expirations.sh index dbb25357..b0cfc09a 100644 --- a/openvpn/files/shellpki/cert-expirations.sh +++ b/openvpn/files/shellpki/cert-expirations.sh 
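Review bot: The task ending in `owner: root`, `group: ssl-cert`, `mode: "0640"` — presumably the one managing `/etc/ssl/private/{{ evoadmin_host }}.key`, given the `-signkey` path in the next task — is now skipped entirely in check mode, so a dry run no longer reports whether the private key's ownership and mode would be corrected. Modules such as `file` and `copy` support check mode natively and only report the change, so `when: not ansible_check_mode` buys nothing here and hides permission drift on key material. Drop the added `when` on this task; if the file may not exist yet during a dry run, `ignore_errors: "{{ ansible_check_mode }}"` keeps the report without aborting. The task's name and module line are above the hunk.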
@@ -1,6 +1,6 @@ #!/bin/sh -VERSION="22.12" +VERSION="22.12.1" show_version() { cat </dev/null | grep 'status' | cut -d' ' -f2) + + if [ "$carp" = "backup" ]; then + exit 0 + fi + fi +} + check_ca_expiration() { echo "CA certificate:" openssl x509 -enddate -noout -in ${cacert_path} \ @@ -79,17 +89,8 @@ check_certs_expiration() { main() { SYSTEM=$(uname | tr '[:upper:]' '[:lower:]') - - if [ "${SYSTEM}" = "openbsd" ]; then - carp=$(/sbin/ifconfig carp0 2>/dev/null | grep 'status' | cut -d' ' -f2) - - if [ "$carp" = "backup" ]; then - exit 0 - fi - fi - - cacert_path="/etc/openvpn/ssl/ca/cacert.pem" - index_path="/etc/openvpn/ssl/ca/index.txt" + cacert_path="/etc/shellpki/cacert.pem" + index_path="/etc/shellpki/index.txt" somedays="3456000" # 40 days currently expired_certs="" expiring_soon_certs="" @@ -107,6 +108,7 @@ main() { ;; "") + check_carp_state echo "Warning : all times are in UTC !" echo "" check_ca_expiration -- 2.39.2 From 6cc3e03864965c5d2805bd3c4e47853ebdccb88f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Dubois?= Date: Mon, 5 Dec 2022 09:50:29 +0100 Subject: [PATCH 274/497] openvpn: specifies that the mail for expirations is for OpenVPN --- CHANGELOG.md | 1 + openvpn/tasks/debian.yml | 2 +- openvpn/tasks/openbsd.yml | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 089f1346..e69a5b72 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -42,6 +42,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * varnish: systemd override depends on Varnish version instead of Debian version * keepalived: change exit code (warning if runnin but not on expected state ; critical if not running) * openvpn: shellpki upstream release 22.12 +* openvpn: specifies that the mail for expirations is for OpenVPN ### Fixed diff --git a/openvpn/tasks/debian.yml b/openvpn/tasks/debian.yml index 55ca2f8e..9c809cfd 100644 --- a/openvpn/tasks/debian.yml +++ b/openvpn/tasks/debian.yml 
@@ -261,7 +261,7 @@ cron: name: "OpenVPN certificates expiration" special_time: monthly - job: '/usr/share/scripts/cert-expirations.sh | mail -E -s "PKI VPN {{ ansible_hostname }} : recapitulatif expirations" {{ client_email }}' + job: '/usr/share/scripts/cert-expirations.sh | mail -E -s "PKI OpenVPN {{ ansible_hostname }} : recapitulatif expirations" {{ client_email }}' - name: Generate the CA password set_fact: diff --git a/openvpn/tasks/openbsd.yml b/openvpn/tasks/openbsd.yml index f5d9e4ff..7dc75b83 100644 --- a/openvpn/tasks/openbsd.yml +++ b/openvpn/tasks/openbsd.yml @@ -189,7 +189,7 @@ cron: name: "OpenVPN certificates expiration" special_time: monthly - job: '/usr/share/scripts/cert-expirations.sh | mail -E -s "PKI VPN {{ ansible_hostname }} : recapitulatif expirations" {{ client_email }}' + job: '/usr/share/scripts/cert-expirations.sh | mail -E -s "PKI OpenVPN {{ ansible_hostname }} : recapitulatif expirations" {{ client_email }}' - name: Generate the CA password set_fact: -- 2.39.2 From 22f30b59f2ba8e18addee08737ade01f1d8d7097 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 5 Dec 2022 14:22:08 +0100 Subject: [PATCH 275/497] certbot: auto-detect HAPEE version in renewal hook --- CHANGELOG.md | 1 + certbot/files/hooks/deploy/hapee.sh | 23 ++++++++++++----------- 2 files changed, 13 insertions(+), 11 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e69a5b72..a4c3b3f6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -24,6 +24,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* certbot: auto-detect HAPEE version in renewal hook * evocheck: install script according to Debian version * evolinux-base: utils.yml can be excluded * evolinux-todo: execute tasks only for Debian distribution (because this task is a dependency for others roles used on different distributions) diff --git a/certbot/files/hooks/deploy/hapee.sh b/certbot/files/hooks/deploy/hapee.sh index a8acdea9..89b04452 100644 
--- a/certbot/files/hooks/deploy/hapee.sh +++ b/certbot/files/hooks/deploy/hapee.sh @@ -10,7 +10,17 @@ debug() { fi } daemon_found_and_running() { - test -n "$(pidof hapee-lb)" && test -n "${hapee_bin}" + readonly hapee_main_pid=$(ps -u root u | grep hapee-lb | grep -v grep | awk '{print $2}') + if [ -n "${hapee_main_pid}" ] && [ -d "/proc/${hapee_main_pid}" ] ; then + readonly hapee_bin=$(readlink "/proc/${hapee_main_pid}/exe") + readonly hapee_config_file=$(cat "/proc/${hapee_main_pid}/cmdline" | tr "\0" " " | grep --only-matching --extended-regexp -- "-f \S+" | awk '{print $2}') + readonly hapee_pid_file=$(cat "/proc/${hapee_main_pid}/cmdline" | tr "\0" " " | grep --only-matching --extended-regexp -- "-p \S+" | awk '{print $2}') + readonly hapee_service_name="$(basename -s .pid "${hapee_pid_file}").service" + + kill -0 "${hapee_main_pid}" && test -n "${hapee_bin}" && test -f "${hapee_config_file}" && systemctl -q is-active "${hapee_service_name}" + else + return 1 + fi } found_renewed_lineage() { test -f "${RENEWED_LINEAGE}/fullchain.pem" && test -f "${RENEWED_LINEAGE}/privkey.pem" @@ -40,12 +50,6 @@ detect_hapee_cert_dir() { if [ -n "${config_cert_dir}" ]; then debug "Cert directory is configured with ${config_cert_dir}" echo "${config_cert_dir}" - elif [ -d "/etc/haproxy/ssl" ]; then - debug "No configured cert directory found, but /etc/haproxy/ssl exists" - echo "/etc/haproxy/ssl" - elif [ -d "/etc/ssl/haproxy" ]; then - debug "No configured cert directory found, but /etc/ssl/haproxy exists" - echo "/etc/ssl/haproxy" else error "Cert directory not found." fi @@ -56,7 +60,6 @@ main() { fi if daemon_found_and_running; then - readonly hapee_config_file="/etc/hapee-2.4/hapee-lb.cfg" readonly hapee_cert_dir=$(detect_hapee_cert_dir) if found_renewed_lineage; then 
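Review bot: `ps -u root u | grep hapee-lb | grep -v grep` selects by substring of the full command line, so any root process mentioning `hapee-lb` (an editor open on `hapee-lb.cfg`, a second instance) turns `hapee_main_pid` into a multi-line value; `[ -d "/proc/${hapee_main_pid}" ]` then fails and the hook quietly skips the deployment, or, with a single wrong match, `hapee_config_file` and `hapee_service_name` are derived from the wrong process. Match on the executable name instead, e.g. `hapee_main_pid=$(pgrep -o -x -u root hapee-lb)`, or read `MainPID` from the unit with `systemctl show`. Note also that `readonly` inside a `sh` function is global, so `daemon_found_and_running` cannot be called twice in one run; fine while `main` calls it once, but worth a comment.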
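Review bot: `readonly hapee_cert_dir=$(detect_hapee_cert_dir)` runs the detection in a subshell, so the `error "Cert directory not found."` branch that replaced the `/etc/haproxy/ssl` and `/etc/ssl/haproxy` fallbacks can at most end that subshell (whether `error` exits at all is not visible here); `main` then continues with an empty `hapee_cert_dir`, and whatever later copies `fullchain.pem`/`privkey.pem` into `"${hapee_cert_dir}/…"` would presumably write the private key to a path relative to `/`. Add an explicit guard after the assignment: `if [ -z "${hapee_cert_dir}" ]; then error "Cert directory not found."; exit 1; fi`. The rest of `main` continues past the hunk.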
@@ -72,7 +75,7 @@ main() { if config_check; then debug "HAPEE detected... reloading" - systemctl reload hapee-2.4-lb.service + systemctl reload "${hapee_service_name}" else error "HAPEE config is broken, you must fix it !" fi @@ -88,6 +91,4 @@ readonly PROGNAME=$(basename "$0") readonly VERBOSE=${VERBOSE:-"0"} readonly QUIET=${QUIET:-"0"} -readonly hapee_bin="/opt/hapee-2.4/sbin/hapee-lb" - main -- 2.39.2 From 982112bd64f11ac411543b29bec90148662dfbfb Mon Sep 17 00:00:00 2001 From: Alexis Ben Miloud--Josselin Date: Wed, 7 Dec 2022 15:46:40 +0100 Subject: [PATCH 276/497] rabbitmq: add link in default page --- CHANGELOG.md | 1 + rabbitmq/tasks/main.yml | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a4c3b3f6..a82c636a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -21,6 +21,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * nagios-nrpe: check_haproxy_stats supports DRAIN status * packweb-apache: enable log_forensic module * varnish: create special tmp directory for syntax validation +* rabbitmq: add link in default page ### Changed diff --git a/rabbitmq/tasks/main.yml b/rabbitmq/tasks/main.yml index c8e49407..a3438adc 100644 --- a/rabbitmq/tasks/main.yml +++ b/rabbitmq/tasks/main.yml @@ -47,3 +47,9 @@ - include: munin.yml when: etc_munin_directory.stat.exists + +- name: entry for RabbitMQ in web page is present + lineinfile: + dest: /var/www/index.html + insertbefore: '' + line: '
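Review bot: `systemctl reload "${hapee_service_name}"` now targets a unit name derived in `daemon_found_and_running` from the pid-file basename (`basename -s .pid` plus `.service`), whereas the previous target was the fixed `hapee-2.4-lb.service`; if the pid file is not named after the unit, the `systemctl -q is-active` check upstream fails closed and the renewed certificate is never deployed, with nothing logged. Emit a `debug`/`error` line naming the computed service when that detection fails, so an expiring certificate is not the first symptom. `main` starts outside this hunk.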
  • RabbitMQ
  • ' -- 2.39.2 From 3c2369a3a291916bcf232de78db6001f79ac0a35 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 7 Dec 2022 21:04:33 +0100 Subject: [PATCH 277/497] listupgrade: better detection for PostgreSQL --- CHANGELOG.md | 1 + listupgrade/files/listupgrade.sh | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a82c636a..521fb2a8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -32,6 +32,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * evolinux-user: Add sudoers privilege for chck php\_fpm81 * evomaintenance: allow missing API endpoint if APi is disabled * java: use default JRE package when version is not specified +* listupgrade: better detection for PostgreSQL * lxc-solr: detect the real partition options * lxc-solr: download URL according to Solr Version * lxc-solr: set homedir and port at install diff --git a/listupgrade/files/listupgrade.sh b/listupgrade/files/listupgrade.sh index 74a673aa..df19b173 100644 --- a/listupgrade/files/listupgrade.sh +++ b/listupgrade/files/listupgrade.sh @@ -240,7 +240,7 @@ main() { echo "MySQL" >>"${servicesToRestart}" elif echo "${pkg}" | grep -q "^mariadb-server"; then echo "MariaDB" >>"${servicesToRestart}" - elif echo "${pkg}" | grep -qE "^postgresql-[[:digit:]]+\.[[:digit:]]+$"; then + elif echo "${pkg}" | grep -qE "^postgresql-[[:digit:]]+(\.[[:digit:]]+)?$"; then echo "PostgreSQL" >>"${servicesToRestart}" elif echo "${pkg}" | grep -qE "^tomcat[[:digit:]]+$"; then echo "Tomcat" >>"${servicesToRestart}" -- 2.39.2 From ce361c6819c510f39a36de754856f596e9ba74f0 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 7 Dec 2022 21:05:12 +0100 Subject: [PATCH 278/497] listupgrade: sort/uniq of packages/services lists in email template --- CHANGELOG.md | 1 + listupgrade/files/listupgrade.sh | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 521fb2a8..8b6e6388 100644 
--- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -33,6 +33,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * evomaintenance: allow missing API endpoint if APi is disabled * java: use default JRE package when version is not specified * listupgrade: better detection for PostgreSQL +* listupgrade: sort/uniq of packages/services lists in email template * lxc-solr: detect the real partition options * lxc-solr: download URL according to Solr Version * lxc-solr: set homedir and port at install diff --git a/listupgrade/files/listupgrade.sh b/listupgrade/files/listupgrade.sh index df19b173..3e1baa39 100644 --- a/listupgrade/files/listupgrade.sh +++ b/listupgrade/files/listupgrade.sh @@ -100,15 +100,15 @@ semaine prochaine. Voici la listes de packages qui seront mis à jour : -$(cat "${packages}") +$(cat "${packages}" | sort | uniq) Liste des packages dont la mise-à-jour a été manuellement suspendue : -$(cat "${packagesHold}") +$(cat "${packagesHold}" | sort | uniq) Liste des services qui seront redémarrés : -$(cat "${servicesToRestart}") +$(cat "${servicesToRestart}" | sort | uniq) N'hésitez pas à nous faire toute remarque sur ce créneau d'intervention le plus tôt possible. -- 2.39.2 From e4158005089825f4d5a4fee43295eba35c758cec Mon Sep 17 00:00:00 2001 From: Bruno Tatu Date: Thu, 8 Dec 2022 17:17:32 +0100 Subject: [PATCH 279/497] Run if there are enough place --- fail2ban/templates/fail2ban_dbpurge.j2 | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/fail2ban/templates/fail2ban_dbpurge.j2 b/fail2ban/templates/fail2ban_dbpurge.j2 index 1611bcbd..528c44bb 100644 --- a/fail2ban/templates/fail2ban_dbpurge.j2 +++ b/fail2ban/templates/fail2ban_dbpurge.j2 
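Review bot: `$(cat "${packages}" | sort | uniq)` spawns three processes where one suffices; `$(sort -u "${packages}")` is the idiomatic form and yields the same text, and the same applies to `${packagesHold}` and `${servicesToRestart}`. These substitutions sit inside what appears to be the heredoc building the e-mail body, so nothing else changes.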
@@ -1,3 +1,11 @@ #!/bin/sh -# Juin 2022 : #64088 -/usr/bin/sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "DELETE FROM bans WHERE date('now', '-{{ fail2ban_recidive_bantime | default(default_dbpurgeage.stdout) }}') > datetime(timeofban, 'unixepoch'); VACUUM;" +# Juin - Decembre 2022 : #64088 +# Purge pour Stretch et Buster + +place_dispo=$( df -h /var/lib/fail2ban/fail2ban.sqlite3 --output="avail" -h --block-size=1 |tail -n1 ) +place_pris=$( echo "$(stat --format %s /var/lib/fail2ban/fail2ban.sqlite3 ) * 2" |bc ) + +if [ $place_pris -lt $place_dispo ] +then + /usr/bin/ionice -c3 /usr/bin/sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "DELETE FROM bans WHERE datetime('now', '-{{ fail2ban_recidive_bantime | default(default_dbpurgeage.stdout) }} second') > datetime(timeofban, 'unixepoch'); VACUUM;" +fi -- 2.39.2 From 101c2828469c608d503d1db3fa2ec20d1085a388 Mon Sep 17 00:00:00 2001 From: Mathieu Trossevin Date: Thu, 8 Dec 2022 17:32:53 +0100 Subject: [PATCH 280/497] proftpd: Fix format of public key files controlled by ansible The comments used by ansible's blockinfile module break the format expected by proftpd for public ssh keys, making them unusable. Replace with a template, we will just have to accept that we need to use ansible for all changes to these file. --- CHANGELOG.md | 1 + proftpd/tasks/accounts.yml | 10 +++++----- proftpd/templates/authorized_keys.j2 | 3 +++ 3 files changed, 9 insertions(+), 5 deletions(-) create mode 100644 proftpd/templates/authorized_keys.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index 8b6e6388..af42fcb4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -53,6 +53,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * evolinux-user: Fix sudoers privilege for check php\_fpm80 * nagios-nrpe: Fix check opendkim for recent change in listening port * varnish: fix missing state, that blocked the task +* proftpd: Fix format of public key files controlled by ansible ### Removed 
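Review bot: The free-space probe `df -h … --output="avail" -h --block-size=1` mixes `-h` (human-readable suffixes) with `--block-size=1`; GNU df appears to let the last option win so bytes are printed today, but a reordering would yield values like `12G` and `[ $place_pris -lt $place_dispo ]` would abort with an integer-expression error, silently skipping the purge. Drop both `-h` flags, use shell arithmetic instead of `bc` (one dependency fewer in a cron script) and quote the operands: `place_dispo=$( df --output=avail --block-size=1 /var/lib/fail2ban/fail2ban.sqlite3 | tail -n1 )`, `place_pris=$(( $(stat --format %s /var/lib/fail2ban/fail2ban.sqlite3) * 2 ))`, `if [ "${place_pris}" -lt "${place_dispo}" ]`. The sqlite3 call also ignores its exit status, so a `database is locked` error while fail2ban holds the file goes unnoticed.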
diff --git a/proftpd/tasks/accounts.yml b/proftpd/tasks/accounts.yml index 0ff57272..833cc1c1 100644 --- a/proftpd/tasks/accounts.yml +++ b/proftpd/tasks/accounts.yml @@ -62,13 +62,13 @@ - proftpd - name: Allow keys for SFTP account - blockinfile: - dest: "/etc/proftpd/sftp.authorized_keys/{{ item.name }}" - state: present - block: "{{ item.sshkeys }}" - create: yes + template: + dest: "/etc/proftpd/sftp.authorized_keys/{{ _proftpd_account.name }}" + src: authorized_keys.j2 mode: 0600 loop: "{{ proftpd_accounts_final }}" + loop_control: + loop_var: _proftpd_account notify: restart proftpd when: - proftpd_sftp_enable | bool diff --git a/proftpd/templates/authorized_keys.j2 b/proftpd/templates/authorized_keys.j2 new file mode 100644 index 00000000..620e50f9 --- /dev/null +++ b/proftpd/templates/authorized_keys.j2 @@ -0,0 +1,3 @@ +{%- for key in _proftpd_account.sshkeys %} +{{ key }} +{%- endfor %} -- 2.39.2 From bc1facd1ba89b381c612b7500d3127f6bdbe7bee Mon Sep 17 00:00:00 2001 From: Mathieu Trossevin Date: Fri, 9 Dec 2022 10:19:51 +0100 Subject: [PATCH 281/497] proftpd: Fix mode of public key files and directory --- CHANGELOG.md | 1 + proftpd/tasks/accounts.yml | 2 +- proftpd/tasks/main.yml | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index af42fcb4..fa4175fb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -54,6 +54,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * nagios-nrpe: Fix check opendkim for recent change in listening port * varnish: fix missing state, that blocked the task * proftpd: Fix format of public key files controlled by ansible +* proftpd: Fix mode of public key directory and files (they have to be accessible by proftpd:nobody) ### Removed diff --git a/proftpd/tasks/accounts.yml b/proftpd/tasks/accounts.yml index 833cc1c1..4db814ef 100644 --- a/proftpd/tasks/accounts.yml +++ b/proftpd/tasks/accounts.yml 
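Review bot: The new `template` task pins only `mode: 0600`; unlike the `sftp.authorized_keys/` directory task in `main.yml` (`owner: root`, `group: root`), the key files inherit owner and group from whatever account Ansible runs as, so their ownership is not fixed the way the directory's is. Add `owner: root` and `group: root` next to `mode`, matching the directory task, so the files controlling SFTP authentication are not writable by anyone but root. Note also that the template is no longer additive: anything placed in these files outside Ansible is overwritten on the next run, as the commit message accepts.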
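Review bot: `{%- for key in _proftpd_account.sshkeys %}` assumes `sshkeys` is a list, but the `blockinfile` task it replaces passed the same value to `block:` as a string; an inventory that still defines `sshkeys` as a multi-line string is iterated character by character and yields a key file of single characters, locking the account out with no error. Guard the type, e.g. `{%- for key in ([_proftpd_account.sshkeys] if _proftpd_account.sshkeys is string else _proftpd_account.sshkeys) %}`, or validate it in `accounts.yml`. Separately, with Ansible's default `trim_blocks: yes` the newline after the `for` tag is dropped and the `{%-` on `endfor` strips the one after `{{ key }}`, so consecutive keys are written back to back unless each value already ends with its own newline (true for YAML block scalars, not for plain strings); a plain `{% endfor %}` emits the separator regardless of input format. Given how strictly mod_sftp rejected the blockinfile markers, the rendered file should be checked against an actual RFC 4716 key file.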
@@ -65,7 +65,7 @@ template: dest: "/etc/proftpd/sftp.authorized_keys/{{ _proftpd_account.name }}" src: authorized_keys.j2 - mode: 0600 + mode: 0644 loop: "{{ proftpd_accounts_final }}" loop_control: loop_var: _proftpd_account diff --git a/proftpd/tasks/main.yml b/proftpd/tasks/main.yml index d4fe03f4..f29fbd81 100644 --- a/proftpd/tasks/main.yml +++ b/proftpd/tasks/main.yml @@ -52,7 +52,7 @@ file: path: /etc/proftpd/sftp.authorized_keys/ state: directory - mode: "0700" + mode: "0755" owner: root group: root notify: restart proftpd -- 2.39.2 From 4e7a46c9c3ada50015f5ba326a78ffbf5e324848 Mon Sep 17 00:00:00 2001 From: Bruno Tatu Date: Mon, 12 Dec 2022 11:02:31 +0100 Subject: [PATCH 282/497] Run VACUUM where there are enough space and always delete old IPs --- fail2ban/templates/fail2ban_dbpurge.j2 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/fail2ban/templates/fail2ban_dbpurge.j2 b/fail2ban/templates/fail2ban_dbpurge.j2 index 528c44bb..3de092a3 100644 --- a/fail2ban/templates/fail2ban_dbpurge.j2 +++ b/fail2ban/templates/fail2ban_dbpurge.j2 @@ -2,10 +2,12 @@ # Juin - Decembre 2022 : #64088 # Purge pour Stretch et Buster +/usr/bin/ionice -c3 /usr/bin/sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "DELETE FROM bans WHERE datetime('now', '-{{ bantime.stdout }} second') > datetime(timeofban, 'unixepoch');" + place_dispo=$( df -h /var/lib/fail2ban/fail2ban.sqlite3 --output="avail" -h --block-size=1 |tail -n1 ) place_pris=$( echo "$(stat --format %s /var/lib/fail2ban/fail2ban.sqlite3 ) * 2" |bc ) if [ $place_pris -lt $place_dispo ] then - /usr/bin/ionice -c3 /usr/bin/sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "DELETE FROM bans WHERE datetime('now', '-{{ fail2ban_recidive_bantime | default(default_dbpurgeage.stdout) }} second') > datetime(timeofban, 'unixepoch'); VACUUM;" + /usr/bin/ionice -c3 /usr/bin/sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "VACUUM;" fi -- 2.39.2 From ce5e4b12c68b378628f94b7aacabdec76da0b59a Mon Sep 17 00:00:00 2001 
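Review bot: Neither sqlite3 invocation checks its exit status, so when fail2ban holds the database and sqlite3 reports `database is locked`, nothing reaches cron mail and the bans table keeps growing unnoticed; append `|| echo "fail2ban: db purge failed" >&2` to the DELETE line (and to the VACUUM) or start the script with `set -e`. The DELETE now interpolates `{{ bantime.stdout }}` where the previous line used `fail2ban_recidive_bantime | default(default_dbpurgeage.stdout)`, dropping the inventory override; presumably `bantime` is a registered result elsewhere in the role, and a comment naming the task that sets it would help. The space check guarding the VACUUM still mixes `-h` with `--block-size=1` in `df`, which only works because the last option wins.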
From: David Prevot Date: Mon, 12 Dec 2022 11:53:55 +0100 Subject: [PATCH 283/497] Apache: Drop duplicate when keys --- apache/tasks/main.yml | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index f6763278..acbde71c 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -62,10 +62,11 @@ loop: - cgi notify: reload apache - when: apache_mpm == "prefork" or apache_mpm == "itk" + when: + - apache_mpm == "prefork" or apache_mpm == "itk" + - not ansible_check_mode tags: - apache - when: not ansible_check_mode - name: Copy Apache defaults config file @@ -132,10 +133,11 @@ state: link force: yes notify: reload apache - when: apache_evolinux_default_enabled | bool + when: + - apache_evolinux_default_enabled | bool + - not ansible_check_mode tags: - apache - when: not ansible_check_mode - include: server_status.yml tags: @@ -158,10 +160,11 @@ ## Set umask for writing by Apache user. ## Set rights on files and directories written by Apache umask 007 - when: envvar_grep_umask.rc != 0 + when: + - envvar_grep_umask.rc != 0 + - not ansible_check_mode tags: - apache - when: not ansible_check_mode - include_role: name: evolix/remount-usr -- 2.39.2 From b02400fd846dd53e9c26a1bb464790cad74dff13 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Mon, 12 Dec 2022 12:36:29 +0100 Subject: [PATCH 284/497] php: (partial) fix duplicate when --- php/tasks/main_bullseye.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/php/tasks/main_bullseye.yml b/php/tasks/main_bullseye.yml index 7d2d7e11..9b1fdf33 100644 --- a/php/tasks/main_bullseye.yml +++ b/php/tasks/main_bullseye.yml @@ -84,8 +84,9 @@ file: dest: /etc/php/7.4/fpm mode: "0755" - when: php_fpm_enable - when: not ansible_check_mode + when: + - php_fpm_enable + - not ansible_check_mode - include: config_apache.yml when: php_apache_enable 
@@ -94,8 +95,9 @@ file: dest: /etc/php/7.4/apache2 mode: "0755" - when: php_apache_enable - when: not ansible_check_mode + when: + - php_apache_enable + - not ansible_check_mode - include: sury_post.yml when: php_sury_enable -- 2.39.2 From d4f58b9395096039e6cb14419cf4ca9ff15ff319 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Mon, 12 Dec 2022 14:29:07 +0100 Subject: [PATCH 285/497] Drop duplicate when keys introduced in fafff25c202095e7d140fb70ba6c4c7461bb1c05 --- evolinux-users/tasks/user.yml | 5 +++-- lxc/tasks/create-container.yml | 20 ++++++++++++-------- munin/tasks/main.yml | 5 +++-- mysql/tasks/utils.yml | 5 +++-- php/tasks/config_cli.yml | 5 +++-- php/tasks/main_bookworm.yml | 10 ++++++---- php/tasks/main_buster.yml | 10 ++++++---- php/tasks/main_jessie.yml | 10 ++++++---- php/tasks/main_stretch.yml | 10 ++++++---- php/tasks/sury_post.yml | 10 ++++++---- 10 files changed, 54 insertions(+), 36 deletions(-) diff --git a/evolinux-users/tasks/user.yml b/evolinux-users/tasks/user.yml index 50af1812..d6bcde9b 100644 --- a/evolinux-users/tasks/user.yml +++ b/evolinux-users/tasks/user.yml @@ -160,8 +160,9 @@ dest: '/home/{{ user.name }}/.profile' insertafter: EOF line: 'trap "sudo /usr/share/scripts/evomaintenance.sh" 0' - when: grep_profile_evomaintenance.rc != 0 - when: not ansible_check_mode + when: + - grep_profile_evomaintenance.rc != 0 + - not ansible_check_mode # SSH keys diff --git a/lxc/tasks/create-container.yml b/lxc/tasks/create-container.yml index b841bb67..24e009f9 100644 --- a/lxc/tasks/create-container.yml +++ b/lxc/tasks/create-container.yml 
@@ -13,23 +13,26 @@ template: debian state: stopped template_options: "--arch amd64 --release {{ release }}" - when: container_exists.stdout_lines | length == 0 - when: not ansible_check_mode + when: + - container_exists.stdout_lines | length == 0 + - not ansible_check_mode - name: "Disable network configuration inside container {{ name }}" replace: name: "/var/lib/lxc/{{ name }}/rootfs/etc/default/networking" regexp: "^#CONFIGURE_INTERFACES=yes" replace: CONFIGURE_INTERFACES=no - when: lxc_network_type == "none" - when: not ansible_check_mode + when: + - lxc_network_type == "none" + - not ansible_check_mode - name: "Disable interface shut down on halt inside container {{ name }} (Jessie container)" lineinfile: name: "/var/lib/lxc/{{ name }}/rootfs/etc/default/halt" line: "NETDOWN=no" - when: lxc_network_type == "none" and release == "jessie" - when: not ansible_check_mode + when: + - lxc_network_type == "none" and release == "jessie" + - not ansible_check_mode - name: "Make the container {{ name }} poweroff on SIGPWR sent by lxc-stop (Jessie container)" file: @@ -55,8 +58,9 @@ name: "/var/lib/lxc/{{ name }}/rootfs/etc/rc.local" line: "chmod 755 /dev" insertbefore: "^exit 0$" - when: release == 'jessie' - when: not ansible_check_mode + when: + - release == 'jessie' + - not ansible_check_mode - name: "Ensure that {{ name }} container is running" lxc_container: diff --git a/munin/tasks/main.yml b/munin/tasks/main.yml index f4aab7c6..93f50e07 100644 --- a/munin/tasks/main.yml +++ b/munin/tasks/main.yml @@ -32,8 +32,9 @@ removes: /var/lib/munin/localdomain notify: restart munin-node - when: not ansible_hostname == "localdomain" - when: not ansible_check_mode + when: + - not ansible_hostname == "localdomain" + - not ansible_check_mode tags: - munin diff --git a/mysql/tasks/utils.yml b/mysql/tasks/utils.yml index 9ae7fd15..e3fe76da 100644 --- a/mysql/tasks/utils.yml +++ b/mysql/tasks/utils.yml 
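Review bot: In the "Disable interface shut down on halt" task the first list item still carries a compound condition, `lxc_network_type == "none" and release == "jessie"`; now that `when` is a list (implicit AND), split it into `- lxc_network_type == "none"`, `- release == "jessie"`, `- not ansible_check_mode` for consistency with the other tasks fixed in this hunk.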
@@ -155,8 +155,9 @@ src: "{{ _mysql_scripts_dir }}/mysql-optimize.sh" dest: /etc/cron.{{ mysql_cron_optimize_frequency | mandatory }}/mysql-optimize.sh state: link - when: mysql_cron_optimize | bool - when: not ansible_check_mode + when: + - mysql_cron_optimize | bool + - not ansible_check_mode tags: - mysql diff --git a/php/tasks/config_cli.yml b/php/tasks/config_cli.yml index 19030c0c..e4fac4a7 100644 --- a/php/tasks/config_cli.yml +++ b/php/tasks/config_cli.yml @@ -36,5 +36,6 @@ mode: "0644" loop: - { option: "date.timezone", value: "Europe/Paris" } - when: php_symfony_requirements | bool - when: not ansible_check_mode + when: + - php_symfony_requirements | bool + - not ansible_check_mode diff --git a/php/tasks/main_bookworm.yml b/php/tasks/main_bookworm.yml index b9dd9ac2..49c91719 100644 --- a/php/tasks/main_bookworm.yml +++ b/php/tasks/main_bookworm.yml @@ -95,8 +95,9 @@ file: dest: /etc/php/{{ php_version }}/fpm mode: "0755" - when: php_fpm_enable - when: not ansible_check_mode + when: + - php_fpm_enable + - not ansible_check_mode - include: config_apache.yml when: php_apache_enable @@ -105,8 +106,9 @@ file: dest: /etc/php/{{ php_version }}/apache2 mode: "0755" - when: php_apache_enable - when: not ansible_check_mode + when: + - php_apache_enable + - not ansible_check_mode - include: sury_post.yml when: php_sury_enable diff --git a/php/tasks/main_buster.yml b/php/tasks/main_buster.yml index ff27e410..eff2dc8f 100644 --- a/php/tasks/main_buster.yml +++ b/php/tasks/main_buster.yml @@ -84,8 +84,9 @@ file: dest: /etc/php/7.3/fpm mode: "0755" - when: php_fpm_enable | bool - when: not ansible_check_mode + when: + - php_fpm_enable | bool + - not ansible_check_mode - include: config_apache.yml when: php_apache_enable | bool @@ -94,8 +95,9 @@ file: dest: /etc/php/7.3/apache2 mode: "0755" - when: php_apache_enable | bool - when: not ansible_check_mode + when: + - php_apache_enable | bool + - not ansible_check_mode - include: sury_post.yml when: php_sury_enable | bool 
diff --git a/php/tasks/main_jessie.yml b/php/tasks/main_jessie.yml index 1082dcf5..a5aecdb7 100644 --- a/php/tasks/main_jessie.yml +++ b/php/tasks/main_jessie.yml @@ -73,8 +73,9 @@ file: dest: /etc/php5/fpm mode: "0755" - when: php_fpm_enable | bool - when: not ansible_check_mode + when: + - php_fpm_enable | bool + - not ansible_check_mode - include: config_apache.yml when: php_apache_enable | bool @@ -83,5 +84,6 @@ file: dest: /etc/php5/apache2 mode: "0755" - when: php_apache_enable | bool - when: not ansible_check_mode + when: + - php_apache_enable | bool + - not ansible_check_mode diff --git a/php/tasks/main_stretch.yml b/php/tasks/main_stretch.yml index 6188877c..6934fa6a 100644 --- a/php/tasks/main_stretch.yml +++ b/php/tasks/main_stretch.yml @@ -85,8 +85,9 @@ file: dest: /etc/php/7.0/fpm mode: "0755" - when: php_fpm_enable | bool - when: not ansible_check_mode + when: + - php_fpm_enable | bool + - not ansible_check_mode - include: config_apache.yml when: php_apache_enable | bool @@ -95,8 +96,9 @@ file: dest: /etc/php/7.0/apache2 mode: "0755" - when: php_apache_enable | bool - when: not ansible_check_mode + when: + - php_apache_enable | bool + - not ansible_check_mode - include: sury_post.yml when: php_sury_enable | bool diff --git a/php/tasks/sury_post.yml b/php/tasks/sury_post.yml index 14ffabab..6855214b 100644 --- a/php/tasks/sury_post.yml +++ b/php/tasks/sury_post.yml @@ -31,8 +31,9 @@ file: dest: /etc/php/7.4/apache2 mode: "0755" - when: php_apache_enable | bool - when: not ansible_check_mode + when: + - php_apache_enable | bool + - not ansible_check_mode - name: Symlink Evolix FPM config files from 7.4 to 7.0 file: @@ -51,5 +52,6 @@ file: dest: /etc/php/7.4/fpm mode: "0755" - when: php_fpm_enable | bool - when: not ansible_check_mode + when: + - php_fpm_enable | bool + - not ansible_check_mode -- 2.39.2 From 0722b84341984d8a1bfb2bc6ce330c20b49e16b1 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Dubois?= Date: Tue, 13 Dec 2022 17:49:21 +0100 Subject: [PATCH 286/497] openvpn: shellpki upstream release 22.12.2 --- CHANGELOG.md | 2 +- openvpn/files/shellpki/openssl.cnf | 4 ++-- openvpn/files/shellpki/shellpki | 10 ++++++---- 3 files changed, 9 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fa4175fb..034d7a6c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -45,7 +45,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * varnish: better package facts usage with check mode and tags * varnish: systemd override depends on Varnish version instead of Debian version * keepalived: change exit code (warning if runnin but not on expected state ; critical if not running) -* openvpn: shellpki upstream release 22.12 +* openvpn: shellpki upstream release 22.12.2 * openvpn: specifies that the mail for expirations is for OpenVPN ### Fixed diff --git a/openvpn/files/shellpki/openssl.cnf b/openvpn/files/shellpki/openssl.cnf index 5e1e3c83..48ab9bd5 100644 --- a/openvpn/files/shellpki/openssl.cnf +++ b/openvpn/files/shellpki/openssl.cnf @@ -1,4 +1,4 @@ -# VERSION="22.04" +# VERSION="22.12.2" [ ca ] default_ca = CA_default @@ -14,7 +14,7 @@ crl = $dir/crl.pem private_key = $dir/cakey.key RANDFILE = $dir/.rand default_days = 365 -default_crl_days= 365 +default_crl_days= 730 default_md = sha256 preserve = no policy = policy_match diff --git a/openvpn/files/shellpki/shellpki b/openvpn/files/shellpki/shellpki index 5e7169c9..ac1d263d 100755 --- a/openvpn/files/shellpki/shellpki +++ b/openvpn/files/shellpki/shellpki 
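Review bot: `default_crl_days` goes from 365 to 730 with no comment in openssl.cnf and no CHANGELOG line beyond the version bump, so the reason for a two-year CRL is lost. The longer lifetime mostly buys slack before nextUpdate — once a CRL expires, OpenVPN's crl-verify rejects every client, not just revoked ones — but a CRL that nobody regenerates also stays trusted twice as long, so whatever refreshes it (the revoke path or a cron job, neither visible here) must keep running well inside that window. A comment above the setting, e.g. `# 730 days: avoid a full outage if CRL regeneration is missed; revocations still require a fresh CRL`, would record the trade-off. As far as this hunk shows, CRLs already issued keep their old nextUpdate until they are regenerated.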
@@ -5,7 +5,7 @@ set -u -VERSION="22.12" +VERSION="22.12.2" show_version() { cat < Date: Tue, 13 Dec 2022 17:53:59 +0100 Subject: [PATCH 287/497] openvpn: Deleted the task fixing the CRL rights since it has been fixed in upstream --- CHANGELOG.md | 2 ++ openvpn/tasks/debian.yml | 10 ---------- openvpn/tasks/openbsd.yml | 10 ---------- 3 files changed, 2 insertions(+), 20 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 034d7a6c..72f793e6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -58,6 +58,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Removed +* openvpn: Deleted the task fixing the CRL rights since it has been fixed in upstream + ### Security ## [22.09] 2022-09-19 diff --git a/openvpn/tasks/debian.yml b/openvpn/tasks/debian.yml index 9c809cfd..463df8e9 100644 --- a/openvpn/tasks/debian.yml +++ b/openvpn/tasks/debian.yml @@ -77,16 +77,6 @@ - include_role: name: evolix/remount-usr -- name: Fix CRL rights in shellpki command - lineinfile: - dest: "/usr/local/sbin/shellpki" - regexp: '{{ item.regexp }}' - insertafter: "{{ item.insertafter }}" - line: "{{ item.line }}" - with_items: - - { regexp: '^ chmod 604 /etc/shellpki/crl.pem$', line: " chmod 604 /etc/shellpki/crl.pem", insertafter: '^ chmod 640 "\${CACERT}"$' } - - { regexp: '^ chmod 751 /etc/shellpki/$', line: " chmod 751 /etc/shellpki/", insertafter: '^ chmod 604 /etc/shellpki/crl.pem$' } - - name: Deploy OpenVPN server config template: src: "server.conf.j2" diff --git a/openvpn/tasks/openbsd.yml b/openvpn/tasks/openbsd.yml index 7dc75b83..a594e12d 100644 --- a/openvpn/tasks/openbsd.yml +++ b/openvpn/tasks/openbsd.yml 
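Review bot: Removing the 'Fix CRL rights in shellpki command' task makes the role depend on the upstream script itself applying `chmod 604 /etc/shellpki/crl.pem` and `chmod 751 /etc/shellpki/`, but nothing on this page shows shellpki 22.12.2 doing so (the script hunk in the previous commit is truncated), so that should be confirmed before merging; openvpn/tasks/openbsd.yml drops the same task. If the upstream script does not set those modes, an OpenVPN daemon running as an unprivileged user would presumably lose read access to the CRL the first time it is regenerated, and an unreadable CRL fails verification for every client, not only the revoked one. A comment on the copy item that deploys the script, e.g. `# crl.pem/dir modes are set by shellpki >= 22.12.2; no local fix-up needed`, would record the dependency.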
@@ -60,16 +60,6 @@ path: /etc/shellpki/dh2048.pem size: 2048 -- name: Fix CRL rights in shellpki command - lineinfile: - dest: "/usr/local/sbin/shellpki" - regexp: '{{ item.regexp }}' - insertafter: "{{ item.insertafter }}" - line: "{{ item.line }}" - with_items: - - { regexp: '^ chmod 604 /etc/shellpki/crl.pem$', line: " chmod 604 /etc/shellpki/crl.pem", insertafter: '^ chmod 640 "\${CACERT}"$' } - - { regexp: '^ chmod 751 /etc/shellpki/$', line: " chmod 751 /etc/shellpki/", insertafter: '^ chmod 604 /etc/shellpki/crl.pem$' } - - name: Deploy OpenVPN server config template: src: "server.conf.j2" -- 2.39.2 From 91b40ce72f659f7e7c91a30984f39184f7cc0f69 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Dubois?= Date: Tue, 13 Dec 2022 19:37:54 +0100 Subject: [PATCH 288/497] openvpn: Fix mode of shellpki script --- CHANGELOG.md | 1 + openvpn/tasks/debian.yml | 2 +- openvpn/tasks/openbsd.yml | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 72f793e6..1ca523a4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -55,6 +55,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * varnish: fix missing state, that blocked the task * proftpd: Fix format of public key files controlled by ansible * proftpd: Fix mode of public key directory and files (they have to be accessible by proftpd:nobody) +* openvpn: Fix mode of shellpki script ### Removed diff --git a/openvpn/tasks/debian.yml b/openvpn/tasks/debian.yml index 463df8e9..b0201f0c 100644 --- a/openvpn/tasks/debian.yml +++ b/openvpn/tasks/debian.yml 
@@ -48,7 +48,7 @@ group: "{{ item.group }}" with_items: - { source: "openssl.cnf", destination: "/etc/shellpki/openssl.cnf", mode: "0640", owner: "shellpki", group: "shellpki" } - - { source: "shellpki", destination: "/usr/local/sbin/shellpki", mode: "0755", owner: "root", group: "root" } + - { source: "shellpki", destination: "/usr/local/sbin/shellpki", mode: "0750", owner: "root", group: "root" } - name: Add sudo rights lineinfile: diff --git a/openvpn/tasks/openbsd.yml b/openvpn/tasks/openbsd.yml index a594e12d..b0e629be 100644 --- a/openvpn/tasks/openbsd.yml +++ b/openvpn/tasks/openbsd.yml @@ -38,7 +38,7 @@ group: "{{ item.group }}" with_items: - { source: "openssl.cnf", destination: "/etc/shellpki/openssl.cnf", mode: "0640", owner: "_shellpki", group: "_shellpki" } - - { source: "shellpki", destination: "/usr/local/sbin/shellpki", mode: "0755", owner: "root", group: "wheel" } + - { source: "shellpki", destination: "/usr/local/sbin/shellpki", mode: "0750", owner: "root", group: "wheel" } - name: Add sudo rights lineinfile: -- 2.39.2 From 1728eaee68118ac67477ae01c5c09486aa36b2f2 Mon Sep 17 00:00:00 2001 
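Review bot: With `mode: "0750"` and owner root (group root on Debian, wheel on OpenBSD) nobody in the shellpki group can run `/usr/local/sbin/shellpki` directly any more, so the 'Add sudo rights' task just below the hunk becomes the only supported entry point; the same change is made in openvpn/tasks/openbsd.yml. That is a sensible tightening, but neither the copy item nor the CHANGELOG line ('Fix mode of shellpki script') says so — a comment such as `# 0750: shellpki is only run through sudo (see 'Add sudo rights' below)` would make the intent clear. Because the sudo rule is now load-bearing, it is worth checking that it grants the exact path rather than a wildcard, which is not visible from this hunk.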
From: Jeremy Lecour Date: Wed, 14 Dec 2022 07:38:04 +0100 Subject: [PATCH 289/497] =?UTF-8?q?Revert=20"Add=20=E2=80=9Cwhen:=20not=20?= =?UTF-8?q?ansible=5Fcheck=5Fmode=E2=80=9D=20to=20allow=20more=20--check"?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This reverts commit fafff25c202095e7d140fb70ba6c4c7461bb1c05. This reverts commit e64471c5a8084f95a8e6f955d3fa918c55b8e846. --- apache/handlers/main.yml | 3 --- apache/tasks/auth.yml | 3 --- apache/tasks/ip_whitelist.yml | 1 - apache/tasks/log2mail.yml | 1 - apache/tasks/main.yml | 18 ++++++------------ apache/tasks/munin.yml | 3 --- apache/tasks/server_status.yml | 7 ------- etc-git/tasks/main.yml | 5 +---- etc-git/tasks/repositories.yml | 2 +- etc-git/tasks/repository.yml | 4 +--- evoacme/handlers/main.yml | 5 ----- evocheck/tasks/exec.yml | 4 +--- evolinux-base/tasks/default_www.yml | 1 - evolinux-base/tasks/hardware.yml | 8 +------- evolinux-base/tasks/log2mail.yml | 2 -- evolinux-base/tasks/packages.yml | 4 +--- evolinux-base/tasks/postfix.yml | 14 +++----------- evolinux-users/tasks/user.yml | 5 +---- haproxy/handlers/main.yml | 3 --- haproxy/tasks/main.yml | 2 -- lxc-php/tasks/php74.yml | 1 - lxc-php/tasks/php80.yml | 1 - lxc-php/tasks/php81.yml | 1 - lxc/tasks/create-container.yml | 18 ++++-------------- lxc/tasks/main.yml | 2 -- minifirewall/tasks/config.yml | 22 ++++------------------ munin/handlers/main.yml | 4 +--- munin/tasks/main.yml | 7 +------ mysql/tasks/datadir.yml | 1 - mysql/tasks/logdir.yml | 1 - mysql/tasks/packages_jessie.yml | 1 - mysql/tasks/packages_stretch.yml | 3 +-- mysql/tasks/utils.yml | 6 ++---- nagios-nrpe/handlers/main.yml | 2 -- ntpd/tasks/main.yml | 1 - packweb-apache/tasks/apache.yml | 6 +----- packweb-apache/tasks/awstats.yml | 4 ---- packweb-apache/tasks/main.yml | 3 --- packweb-apache/tasks/multiphp.yml | 1 - packweb-apache/tasks/phpmyadmin.yml | 5 ----- php/handlers/main.yml | 5 ----- php/tasks/config_cli.yml | 5 +---- 
php/tasks/main_bookworm.yml | 10 ++-------- php/tasks/main_bullseye.yml | 10 ++-------- php/tasks/main_buster.yml | 10 ++-------- php/tasks/main_jessie.yml | 10 ++-------- php/tasks/main_stretch.yml | 10 ++-------- php/tasks/sury_post.yml | 9 ++------- proftpd/handlers/main.yml | 1 - proftpd/tasks/main.yml | 2 -- squid/handlers/main.yml | 7 ------- squid/tasks/main.yml | 1 - webapps/evoadmin-web/tasks/ftp.yml | 1 - webapps/evoadmin-web/tasks/main.yml | 5 +---- webapps/evoadmin-web/tasks/ssl.yml | 1 - webapps/evoadmin-web/tasks/user.yml | 8 ++------ 56 files changed, 46 insertions(+), 234 deletions(-) diff --git a/apache/handlers/main.yml b/apache/handlers/main.yml index 931e9c94..96daa368 100644 --- a/apache/handlers/main.yml +++ b/apache/handlers/main.yml @@ -3,16 +3,13 @@ service: name: apache2 state: restarted - when: not ansible_check_mode - name: reload apache service: name: apache2 state: reloaded - when: not ansible_check_mode - name: restart munin-node service: name: munin-node state: restarted - when: not ansible_check_mode diff --git a/apache/tasks/auth.yml b/apache/tasks/auth.yml index bebd39e9..fd01517c 100644 --- a/apache/tasks/auth.yml +++ b/apache/tasks/auth.yml @@ -22,7 +22,6 @@ state: present tags: - apache - when: not ansible_check_mode - name: Copy private_htpasswd copy: @@ -45,7 +44,6 @@ notify: reload apache tags: - apache - when: not ansible_check_mode - name: remove user:pwd from private htpasswd lineinfile: @@ -56,4 +54,3 @@ notify: reload apache tags: - apache - when: not ansible_check_mode diff --git a/apache/tasks/ip_whitelist.yml b/apache/tasks/ip_whitelist.yml index a40d6075..18f4a681 100644 --- a/apache/tasks/ip_whitelist.yml +++ b/apache/tasks/ip_whitelist.yml @@ -10,7 +10,6 @@ tags: - apache - ips - when: not ansible_check_mode - name: remove IP addresses from private IP whitelist lineinfile: diff --git a/apache/tasks/log2mail.yml b/apache/tasks/log2mail.yml index daf59db9..3b0650b7 100644 --- a/apache/tasks/log2mail.yml 
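Review bot: The message of this revert names the two reverted commits but not why the `when: not ansible_check_mode` guards are being abandoned, and unlike the other commits in this series the diffstat has no CHANGELOG.md entry. Dropping the guards on these handlers is fine in itself — `service` supports check mode natively, so the guard only hid the handlers from --check runs — but a sentence in the commit body stating the rationale (for instance that tasks which really cannot run in check mode should use `check_mode: no` instead, if that is the intent) would help anyone bisecting check-mode behaviour later.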
+++ b/apache/tasks/log2mail.yml @@ -6,7 +6,6 @@ state: present tags: - apache - when: not ansible_check_mode - name: Add log2mail config for Apache segfaults template: diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index acbde71c..39c8db24 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -53,7 +53,6 @@ notify: reload apache tags: - apache - when: not ansible_check_mode - name: basic modules are enabled apache2_module: @@ -62,11 +61,10 @@ loop: - cgi notify: reload apache - when: - - apache_mpm == "prefork" or apache_mpm == "itk" - - not ansible_check_mode + when: apache_mpm == "prefork" or apache_mpm == "itk" tags: - apache + when: not ansible_check_mode - name: Copy Apache defaults config file @@ -133,11 +131,10 @@ state: link force: yes notify: reload apache - when: - - apache_evolinux_default_enabled | bool - - not ansible_check_mode + when: apache_evolinux_default_enabled | bool tags: - apache + when: not ansible_check_mode - include: server_status.yml tags: @@ -160,11 +157,10 @@ ## Set umask for writing by Apache user. ## Set rights on files and directories written by Apache umask 007 - when: - - envvar_grep_umask.rc != 0 - - not ansible_check_mode + when: envvar_grep_umask.rc != 0 tags: - apache + when: not ansible_check_mode - include_role: name: evolix/remount-usr @@ -197,7 +193,6 @@ replace: "{{ apache_logrotate_frequency }}" tags: - apache - when: not ansible_check_mode - name: "logrotate: rotate {{ apache_logrotate_rotate }}" replace: @@ -206,7 +201,6 @@ replace: '\1 {{ apache_logrotate_rotate }}' tags: - apache - when: not ansible_check_mode - include: log2mail.yml when: apache_log2mail_include diff --git a/apache/tasks/munin.yml b/apache/tasks/munin.yml index b9602511..fe07a5cf 100644 --- a/apache/tasks/munin.yml +++ b/apache/tasks/munin.yml @@ -23,7 +23,6 @@ tags: - apache - munin - when: not ansible_check_mode - name: "Install fcgi packages for Munin graphs" apt: 
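Review bot: The `@@ -62,11 +61,10 @@`, `@@ -133,11 +131,10 @@` and `@@ -160,11 +157,10 @@` hunks leave each task with two `when:` keys on the new side: the real condition (`apache_mpm == "prefork" or apache_mpm == "itk"`, `apache_evolinux_default_enabled | bool`, `envvar_grep_umask.rc != 0`) before `tags:` and `when: not ansible_check_mode` after it. Ansible's YAML loader does not reject duplicate keys — the last one wins, with at most a warning on newer releases — so the MPM, default-site and umask conditions are silently replaced and the cgi module, the default vhost symlink and the umask block get applied unconditionally. The fix is to delete the trailing `when: not ansible_check_mode` line in each of the three tasks, which is what evolinux-base/tasks/hardware.yml in this same revert does for its `ssacli` task and what d4f58b93 had done elsewhere.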
@@ -44,7 +43,6 @@ tags: - apache - munin - when: not ansible_check_mode - name: "Apache has access to /var/log/munin/" file: @@ -53,4 +51,3 @@ tags: - apache - munin - when: not ansible_check_mode diff --git a/apache/tasks/server_status.yml b/apache/tasks/server_status.yml index fa54090f..efd2b00e 100644 --- a/apache/tasks/server_status.yml +++ b/apache/tasks/server_status.yml @@ -26,12 +26,10 @@ changed_when: False check_mode: no register: new_apache_serverstatus_suffix - when: not ansible_check_mode - name: overwrite apache_serverstatus_suffix set_fact: apache_serverstatus_suffix: "{{ new_apache_serverstatus_suffix.stdout }}" - when: not ansible_check_mode - debug: var: apache_serverstatus_suffix @@ -42,14 +40,12 @@ dest: /var/www/index.html regexp: '__SERVERSTATUS_SUFFIX__' replace: "{{ apache_serverstatus_suffix }}" - when: not ansible_check_mode - name: add server-status suffix in default site index if missing replace: dest: /var/www/index.html regexp: '"/server-status-?"' replace: '"/server-status-{{ apache_serverstatus_suffix }}"' - when: not ansible_check_mode - name: add server-status suffix in default VHost replace: @@ -57,14 +53,12 @@ regexp: '' replace: '' notify: reload apache - when: not ansible_check_mode - name: Munin configuration has a section for apache lineinfile: dest: /etc/munin/plugin-conf.d/munin-node line: "[apache_*]" create: no - when: not ansible_check_mode - name: apache-status URL is configured for Munin lineinfile: @@ -74,4 +68,3 @@ insertafter: "[apache_*]" create: no notify: restart munin-node - when: not ansible_check_mode diff --git a/etc-git/tasks/main.yml b/etc-git/tasks/main.yml index e29d249f..f71ba552 100644 --- a/etc-git/tasks/main.yml +++ b/etc-git/tasks/main.yml @@ -8,7 +8,6 @@ - etc-git when: - ansible_distribution == "Debian" - - not ansible_check_mode - name: Install and configure utilities include: utils.yml 
@@ -19,6 +18,4 @@ include: repositories.yml tags: - etc-git - when: - - etc_git_config_repositories | bool - - not ansible_check_mode + when: etc_git_config_repositories | bool \ No newline at end of file diff --git a/etc-git/tasks/repositories.yml b/etc-git/tasks/repositories.yml index 27bba9c3..71ff0665 100644 --- a/etc-git/tasks/repositories.yml +++ b/etc-git/tasks/repositories.yml @@ -34,4 +34,4 @@ - _usr_share_scripts.stat.isdir - ansible_distribution_major_version is version('10', '>=') tags: - - etc-git + - etc-git \ No newline at end of file diff --git a/etc-git/tasks/repository.yml b/etc-git/tasks/repository.yml index b1619c03..80987da2 100644 --- a/etc-git/tasks/repository.yml +++ b/etc-git/tasks/repository.yml @@ -22,7 +22,6 @@ value: "root@{{ ansible_fqdn | default('localhost') }}" tags: - etc-git - when: not ansible_check_mode - name: "{{ repository_path }}/.git is restricted to root" file: @@ -50,7 +49,6 @@ loop: "{{ gitignore_items | default([]) }}" tags: - etc-git - when: not ansible_check_mode - name: "does {{ repository_path }}/ have any commit?" command: "git log" @@ -72,4 +70,4 @@ register: git_commit when: git_log.rc != 0 or (git_init is defined and git_init is changed) tags: - - etc-git + - etc-git \ No newline at end of file diff --git a/evoacme/handlers/main.yml b/evoacme/handlers/main.yml index fb817eb7..1ea11783 100644 --- a/evoacme/handlers/main.yml +++ b/evoacme/handlers/main.yml @@ -1,17 +1,14 @@ - name: newaliases command: newaliases - when: not ansible_check_mode - name: Test Apache conf command: apache2ctl -t notify: "Reload Apache conf" - when: not ansible_check_mode - name: reload apache2 service: name: apache2 state: reloaded - when: not ansible_check_mode - name: apt update apt: @@ -21,10 +18,8 @@ service: name: squid3 state: reloaded - when: not ansible_check_mode - name: reload squid service: name: squid state: reloaded - when: not ansible_check_mode 
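Review bot: The new side of this hunk ends with `\ No newline at end of file`, and the revert does the same to etc-git/tasks/repositories.yml, etc-git/tasks/repository.yml, munin/handlers/main.yml, mysql/tasks/packages_stretch.yml and mysql/tasks/utils.yml, all of which had a trailing newline before. Ansible does not care, but it is an editor artefact that will resurface as noise in every future diff of those files and some linters flag it; restore the final newline in each before merging.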
diff --git a/evocheck/tasks/exec.yml b/evocheck/tasks/exec.yml index 1338a97b..306cf019 100644 --- a/evocheck/tasks/exec.yml +++ b/evocheck/tasks/exec.yml @@ -10,8 +10,6 @@ - debug: var: evocheck_run.stdout_lines - when: - - not ansible_check_mode - - evocheck_run.stdout | length > 0 + when: evocheck_run.stdout | length > 0 tags: - evocheck-exec diff --git a/evolinux-base/tasks/default_www.yml b/evolinux-base/tasks/default_www.yml index 4d8905b5..84580b54 100644 --- a/evolinux-base/tasks/default_www.yml +++ b/evolinux-base/tasks/default_www.yml @@ -38,7 +38,6 @@ owner: root group: ssl-cert mode: "0640" - when: not ansible_check_mode - name: Create certificate for default site command: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ ansible_fqdn }}.csr -signkey /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/certs/{{ ansible_fqdn }}.crt diff --git a/evolinux-base/tasks/hardware.yml b/evolinux-base/tasks/hardware.yml index d8a966d8..7ebecc82 100644 --- a/evolinux-base/tasks/hardware.yml +++ b/evolinux-base/tasks/hardware.yml @@ -43,9 +43,7 @@ state: present tags: - packages - when: - - ansible_virtualization_role == "host" - - not ansible_check_mode + when: ansible_virtualization_role == "host" ## RAID # Dell and others: MegaRAID SAS @@ -110,7 +108,6 @@ name: ssacli tags: - packages - when: not ansible_check_mode when: - "'Hewlett-Packard Company Smart Array' in raidmodel.stdout" - "'Adaptec Smart Storage PQI' in raidmodel.stdout" @@ -137,7 +134,6 @@ state: present tags: - packages - when: not ansible_check_mode - name: cciss-vol-statusd init script is present (HP gen <10) template: @@ -250,7 +246,6 @@ allow_unauthenticated: yes tags: - packages - when: not ansible_check_mode - name: Configure packages for DELL/LSI hardware template: @@ -268,7 +263,6 @@ tags: - packages - config - when: not ansible_check_mode when: - "'MegaRAID' in raidmodel.stdout" - evolinux_packages_hardware_raid | bool 
diff --git a/evolinux-base/tasks/log2mail.yml b/evolinux-base/tasks/log2mail.yml index 25937b3e..35ce19cf 100644 --- a/evolinux-base/tasks/log2mail.yml +++ b/evolinux-base/tasks/log2mail.yml @@ -16,7 +16,6 @@ daemon-reload: yes state: started enabled: yes - when: not ansible_check_mode - name: log2mail config is present blockinfile: @@ -33,5 +32,4 @@ notify: restart log2mail tags: - log2mail - when: not ansible_check_mode diff --git a/evolinux-base/tasks/packages.yml b/evolinux-base/tasks/packages.yml index ad72ed55..b4a1d666 100644 --- a/evolinux-base/tasks/packages.yml +++ b/evolinux-base/tasks/packages.yml @@ -89,9 +89,7 @@ apt: name: serveur-base allow_unauthenticated: yes - when: - - evolinux_packages_serveur_base | bool - - not ansible_check_mode + when: evolinux_packages_serveur_base | bool - name: Install/Update packages for Stretch and later apt: diff --git a/evolinux-base/tasks/postfix.yml b/evolinux-base/tasks/postfix.yml index 53017d1f..6a46548b 100644 --- a/evolinux-base/tasks/postfix.yml +++ b/evolinux-base/tasks/postfix.yml @@ -20,7 +20,6 @@ notify: reload postfix tags: - postfix - when: not ansible_check_mode - name: configure postfix mynetworks lineinfile: @@ -31,7 +30,6 @@ notify: reload postfix tags: - postfix - when: not ansible_check_mode - name: fetch users list shell: "set -o pipefail && getent passwd | cut -d':' -f 1 | grep -v root" @@ -50,9 +48,7 @@ line: "{{ item }}: root" loop: "{{ non_root_users_list.stdout_lines }}" notify: newaliases - when: - - evolinux_postfix_users_alias_root | bool - - not ansible_check_mode + when: evolinux_postfix_users_alias_root | bool tags: - postfix @@ -69,9 +65,7 @@ - error - bounce notify: newaliases - when: - - evolinux_postfix_mailer_alias_root | bool - - not ansible_check_mode + when: evolinux_postfix_mailer_alias_root | bool tags: - postfix 
@@ -81,9 +75,7 @@ regexp: "^root:" line: "root: {{ postfix_alias_email or general_alert_email | mandatory }}" notify: newaliases - when: - - evolinux_postfix_root_alias | bool - - not ansible_check_mode + when: evolinux_postfix_root_alias | bool tags: - postfix diff --git a/evolinux-users/tasks/user.yml b/evolinux-users/tasks/user.yml index d6bcde9b..0f8bd480 100644 --- a/evolinux-users/tasks/user.yml +++ b/evolinux-users/tasks/user.yml @@ -160,9 +160,7 @@ dest: '/home/{{ user.name }}/.profile' insertafter: EOF line: 'trap "sudo /usr/share/scripts/evomaintenance.sh" 0' - when: - - grep_profile_evomaintenance.rc != 0 - - not ansible_check_mode + when: grep_profile_evomaintenance.rc != 0 # SSH keys @@ -194,6 +192,5 @@ when: - user.ssh_keys is defined - user.ssh_keys | length > 0 - - not ansible_check_mode - meta: flush_handlers diff --git a/haproxy/handlers/main.yml b/haproxy/handlers/main.yml index 24378067..9cf3b9cb 100644 --- a/haproxy/handlers/main.yml +++ b/haproxy/handlers/main.yml @@ -3,16 +3,13 @@ service: name: haproxy state: reloaded - when: not ansible_check_mode - name: restart haproxy service: name: haproxy state: restarted - when: not ansible_check_mode - name: restart munin-node service: name: munin-node state: restarted - when: not ansible_check_mode diff --git a/haproxy/tasks/main.yml b/haproxy/tasks/main.yml index 62664415..d38e83af 100644 --- a/haproxy/tasks/main.yml +++ b/haproxy/tasks/main.yml @@ -123,7 +123,6 @@ tags: - haproxy - logrotate - when: not ansible_check_mode - name: Rotate logs with nodelaycompress lineinfile: @@ -134,7 +133,6 @@ tags: - haproxy - logrotate - when: not ansible_check_mode - name: Set net.ipv4.ip_nonlocal_bind sysctl: diff --git a/lxc-php/tasks/php74.yml b/lxc-php/tasks/php74.yml index 85211747..64677009 100644 --- a/lxc-php/tasks/php74.yml +++ b/lxc-php/tasks/php74.yml 
@@ -10,7 +10,6 @@ dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/sources.list" regexp: 'bullseye/updates' replace: 'bullseye-security' - when: not ansible_check_mode - name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" template: diff --git a/lxc-php/tasks/php80.yml b/lxc-php/tasks/php80.yml index 98b2c4d8..b0ff90fe 100644 --- a/lxc-php/tasks/php80.yml +++ b/lxc-php/tasks/php80.yml @@ -10,7 +10,6 @@ dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/sources.list" regexp: 'bullseye/updates' replace: 'bullseye-security' - when: not ansible_check_mode - name: "{{ lxc_php_version }} - Add sury repo" lineinfile: diff --git a/lxc-php/tasks/php81.yml b/lxc-php/tasks/php81.yml index 6ca43148..91dc38e1 100644 --- a/lxc-php/tasks/php81.yml +++ b/lxc-php/tasks/php81.yml @@ -10,7 +10,6 @@ dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/sources.list" regexp: 'bullseye/updates' replace: 'bullseye-security' - when: not ansible_check_mode - name: "{{ lxc_php_version }} - Add sury repo" lineinfile: diff --git a/lxc/tasks/create-container.yml b/lxc/tasks/create-container.yml index 24e009f9..ad4f35d6 100644 --- a/lxc/tasks/create-container.yml +++ b/lxc/tasks/create-container.yml @@ -4,7 +4,6 @@ changed_when: false check_mode: no register: container_exists - when: not ansible_check_mode - name: "Create container {{ name }}" lxc_container: 
@@ -13,26 +12,20 @@ template: debian state: stopped template_options: "--arch amd64 --release {{ release }}" - when: - - container_exists.stdout_lines | length == 0 - - not ansible_check_mode + when: container_exists.stdout_lines | length == 0 - name: "Disable network configuration inside container {{ name }}" replace: name: "/var/lib/lxc/{{ name }}/rootfs/etc/default/networking" regexp: "^#CONFIGURE_INTERFACES=yes" replace: CONFIGURE_INTERFACES=no - when: - - lxc_network_type == "none" - - not ansible_check_mode + when: lxc_network_type == "none" - name: "Disable interface shut down on halt inside container {{ name }} (Jessie container)" lineinfile: name: "/var/lib/lxc/{{ name }}/rootfs/etc/default/halt" line: "NETDOWN=no" - when: - - lxc_network_type == "none" and release == "jessie" - - not ansible_check_mode + when: lxc_network_type == "none" and release == "jessie" - name: "Make the container {{ name }} poweroff on SIGPWR sent by lxc-stop (Jessie container)" file: @@ -51,16 +44,13 @@ lineinfile: name: "/var/lib/lxc/{{ name }}/rootfs/etc/hosts" line: "127.0.0.1 {{ name }}" - when: not ansible_check_mode - name: "Fix permission on /dev for container {{ name }}" lineinfile: name: "/var/lib/lxc/{{ name }}/rootfs/etc/rc.local" line: "chmod 755 /dev" insertbefore: "^exit 0$" - when: - - release == 'jessie' - - not ansible_check_mode + when: release == 'jessie' - name: "Ensure that {{ name }} container is running" lxc_container: diff --git a/lxc/tasks/main.yml b/lxc/tasks/main.yml index 6f9f0875..3ec586bd 100644 --- a/lxc/tasks/main.yml +++ b/lxc/tasks/main.yml @@ -48,7 +48,6 @@ changed_when: false check_mode: no register: check_fs_options - when: not ansible_check_mode - name: Check if options are correct assert: 
@@ -57,7 +56,6 @@ - "'noexec' not in check_fs_options.stdout" - "'nosuid' not in check_fs_options.stdout" msg: "LXC directory is in a filesystem with incompatible options" - when: not ansible_check_mode - name: Create containers include: create-container.yml diff --git a/minifirewall/tasks/config.yml b/minifirewall/tasks/config.yml index ae38ff4d..b0a1d7a6 100644 --- a/minifirewall/tasks/config.yml +++ b/minifirewall/tasks/config.yml @@ -30,7 +30,6 @@ line: "# BEGIN ANSIBLE MANAGED BLOCK FOR IPS" insertbefore: '^# Main interface' create: no - when: not ansible_check_mode - name: End marker for IP addresses lineinfile: @@ -38,7 +37,6 @@ create: no line: "# END ANSIBLE MANAGED BLOCK FOR IPS" insertafter: '^PRIVILEGIEDIPS=' - when: not ansible_check_mode - name: Verify that at least 1 trusted IP is provided assert: @@ -86,7 +84,6 @@ PRIVILEGIEDIPS='{{ minifirewall_privilegied_ips | join(' ') }}' create: no register: minifirewall_config_ips - when: not ansible_check_mode - name: Begin marker for ports lineinfile: @@ -94,7 +91,6 @@ line: "# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS" insertbefore: '^# Protected services' create: no - when: not ansible_check_mode - name: End marker for ports lineinfile: @@ -102,7 +98,6 @@ line: "# END ANSIBLE MANAGED BLOCK FOR PORTS" insertafter: '^SERVICESUDP3=' create: no - when: not ansible_check_mode - name: Configure ports blockinfile: @@ -127,7 +122,6 @@ SERVICESUDP3='{{ minifirewall_private_ports_udp | join(' ') }}' create: no register: minifirewall_config_ports - when: not ansible_check_mode - name: Configure DNSSERVEURS lineinfile: @@ -199,9 +193,7 @@ line: "PROXY='{{ minifirewall_proxy }}'" regexp: "PROXY=('|\").*('|\")" create: no - when: - - minifirewall_proxy is not none - - not ansible_check_mode + when: minifirewall_proxy is not none - name: Configure PROXYPORT lineinfile: 
@@ -209,9 +201,7 @@ line: "PROXYPORT='{{ minifirewall_proxyport }}'" regexp: "PROXYPORT=('|\").*('|\")" create: no - when: - - minifirewall_proxyport is not none - - not ansible_check_mode + when: minifirewall_proxyport is not none # Warning: keep double quotes for the value, # since we often reference a shell variable that needs to be interpolated @@ -221,9 +211,7 @@ line: "PROXYBYPASS=\"{{ minifirewall_proxybypass | join(' ') }}\"" regexp: "PROXYBYPASS=('|\").*('|\")" create: no - when: - - minifirewall_proxyport is not none - - not ansible_check_mode + when: minifirewall_proxybypass is not none - name: Configure BACKUPSERVERS lineinfile: @@ -231,9 +219,7 @@ line: "BACKUPSERVERS='{{ minifirewall_backupservers | join(' ') }}'" regexp: "BACKUPSERVERS=('|\").*('|\")" create: no - when: - - minifirewall_backupservers is not none - - not ansible_check_mode + when: minifirewall_backupservers is not none - name: Configure SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS lineinfile: diff --git a/munin/handlers/main.yml b/munin/handlers/main.yml index 6dcd127d..8654181d 100644 --- a/munin/handlers/main.yml +++ b/munin/handlers/main.yml @@ -4,14 +4,12 @@ service: name: munin-node state: restarted - when: not ansible_check_mode - name: restart munin_node service: name: munin_node state: restarted - when: not ansible_check_mode - name: systemd daemon-reload systemd: - daemon_reload: yes + daemon_reload: yes \ No newline at end of file diff --git a/munin/tasks/main.yml b/munin/tasks/main.yml index 93f50e07..a4ea9a49 100644 --- a/munin/tasks/main.yml +++ b/munin/tasks/main.yml @@ -32,9 +32,7 @@ removes: /var/lib/munin/localdomain notify: restart munin-node - when: - - not ansible_hostname == "localdomain" - - not ansible_check_mode + when: not ansible_hostname == "localdomain" tags: - munin @@ -81,7 +79,6 @@ notify: restart munin-node tags: - munin - when: not ansible_check_mode - name: Enable sensors_ plugin on dedicated hardware file: 
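Review bot: In the `@@ -221,9 +211,7 @@` hunk the 'Configure PROXYBYPASS' guard changes from `minifirewall_proxyport is not none` to `minifirewall_proxybypass is not none`, a functional change that goes beyond a revert and is not mentioned in the commit message. The new variable is presumably the right one — the task writes `minifirewall_proxybypass | join(' ')` on the line above, and the old guard let that join run on a None value whenever only the port was set — so it is a real fix that deserves its own line in the commit message or CHANGELOG. The neighbouring PROXYPORT and BACKUPSERVERS hunks are straight reverts.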
@@ -95,7 +92,6 @@ notify: restart munin-node tags: - munin - when: not ansible_check_mode - name: Enable ipmi_ plugin on dedicated hardware file: @@ -109,7 +105,6 @@ - temp - power - volts - when: not ansible_check_mode - name: adjustments for grsec kernel blockinfile: diff --git a/mysql/tasks/datadir.yml b/mysql/tasks/datadir.yml index da4af342..c375f5d5 100644 --- a/mysql/tasks/datadir.yml +++ b/mysql/tasks/datadir.yml @@ -43,4 +43,3 @@ - mysql_custom_datadir | length > 0 - mysql_custom_datadir != mysql_current_real_datadir_test.stdout - not mysql_custom_datadir_test.stat.exists - - not ansible_check_mode diff --git a/mysql/tasks/logdir.yml b/mysql/tasks/logdir.yml index 1779667a..bd6ecab2 100644 --- a/mysql/tasks/logdir.yml +++ b/mysql/tasks/logdir.yml @@ -43,4 +43,3 @@ - mysql_custom_logdir | length > 0 - mysql_custom_logdir != mysql_current_real_logdir_test.stdout - not mysql_custom_logdir_test.stat.exists - - not ansible_check_mode diff --git a/mysql/tasks/packages_jessie.yml b/mysql/tasks/packages_jessie.yml index 99c89d8a..652eace7 100644 --- a/mysql/tasks/packages_jessie.yml +++ b/mysql/tasks/packages_jessie.yml @@ -42,7 +42,6 @@ tags: - mysql - services - when: not ansible_check_mode - name: apg package is installed apt: diff --git a/mysql/tasks/packages_stretch.yml b/mysql/tasks/packages_stretch.yml index 34e4d2b6..880f5050 100644 --- a/mysql/tasks/packages_stretch.yml +++ b/mysql/tasks/packages_stretch.yml @@ -28,7 +28,6 @@ tags: - mysql - services - when: not ansible_check_mode - name: apg package is installed apt: @@ -58,4 +57,4 @@ tags: - mysql - packages - when: ansible_python_version is version('3', '>=') + when: ansible_python_version is version('3', '>=') \ No newline at end of file diff --git a/mysql/tasks/utils.yml b/mysql/tasks/utils.yml index e3fe76da..1ac8f2df 100644 --- a/mysql/tasks/utils.yml +++ b/mysql/tasks/utils.yml 
@@ -155,9 +155,7 @@ src: "{{ _mysql_scripts_dir }}/mysql-optimize.sh" dest: /etc/cron.{{ mysql_cron_optimize_frequency | mandatory }}/mysql-optimize.sh state: link - when: - - mysql_cron_optimize | bool - - not ansible_check_mode + when: mysql_cron_optimize | bool tags: - mysql @@ -250,4 +248,4 @@ mode: "0755" force: no tags: - - mysql + - mysql \ No newline at end of file diff --git a/nagios-nrpe/handlers/main.yml b/nagios-nrpe/handlers/main.yml index de27314f..25ab29ad 100644 --- a/nagios-nrpe/handlers/main.yml +++ b/nagios-nrpe/handlers/main.yml @@ -4,10 +4,8 @@ service: name: nagios-nrpe-server state: restarted - when: not ansible_check_mode - name: restart nrpe service: name: nrpe state: restarted - when: not ansible_check_mode diff --git a/ntpd/tasks/main.yml b/ntpd/tasks/main.yml index ae4a97c5..2d66d765 100644 --- a/ntpd/tasks/main.yml +++ b/ntpd/tasks/main.yml @@ -21,4 +21,3 @@ notify: restart ntp tags: - ntp - when: not ansible_check_mode diff --git a/packweb-apache/tasks/apache.yml b/packweb-apache/tasks/apache.yml index c2efd93f..96c11e3a 100644 --- a/packweb-apache/tasks/apache.yml +++ b/packweb-apache/tasks/apache.yml @@ -14,9 +14,7 @@ block: | # Used for Evoadmin-web export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin - when: - - envvar_grep_path.rc != 0 - - not ansible_check_mode + when: envvar_grep_path.rc != 0 - name: Additional packages are installed apt: @@ -36,7 +34,6 @@ - negotiation - alias - log_forensic - when: not ansible_check_mode - name: Copy Apache settings for modules copy: @@ -63,4 +60,3 @@ loop: - evolinux-evasive - evolinux-modsec - when: not ansible_check_mode diff --git a/packweb-apache/tasks/awstats.yml b/packweb-apache/tasks/awstats.yml index a423aaf8..5ea0fa57 100644 --- a/packweb-apache/tasks/awstats.yml +++ b/packweb-apache/tasks/awstats.yml 
@@ -22,7 +22,6 @@ AllowFullYearView=3 ErrorMessages="An error occured. Contact your Administrator" mode: "0644" - when: not ansible_check_mode - name: Create conf-available/awstats-icon.conf file copy: @@ -40,7 +39,6 @@ register: command_result changed_when: "'Enabling' in command_result.stderr" notify: reload apache - when: not ansible_check_mode - name: Create awstats cron lineinfile: @@ -48,7 +46,6 @@ create: yes regexp: '-config=awstats' line: "10 */6 * * * root umask 033; [ -x /usr/lib/cgi-bin/awstats.pl -a -f /etc/awstats/awstats.conf -a -r /var/log/apache2/access.log ] && /usr/lib/cgi-bin/awstats.pl -config=awstats -update >/dev/null" - when: not ansible_check_mode - name: Comment default awstat cron's tasks lineinfile: @@ -57,4 +54,3 @@ line: '#\1' backrefs: yes state: present - when: not ansible_check_mode diff --git a/packweb-apache/tasks/main.yml b/packweb-apache/tasks/main.yml index 58b2047c..ff3cd9a7 100644 --- a/packweb-apache/tasks/main.yml +++ b/packweb-apache/tasks/main.yml @@ -26,7 +26,6 @@ dest: /var/www/index.html line: '
  • Infos PHP
  • ' regexp: "Infos PHP" - when: not ansible_check_mode - name: install opcache.php copy: @@ -39,7 +38,6 @@ dest: /var/www/index.html line: '
  • Infos OpCache PHP
  • ' regexp: "Infos OpCache PHP" - when: not ansible_check_mode - name: Add elements to user account template file: @@ -66,7 +64,6 @@ loop: - access.log - error.log - when: not ansible_check_mode - name: "Install userlogrotate (jessie)" copy: diff --git a/packweb-apache/tasks/multiphp.yml b/packweb-apache/tasks/multiphp.yml index 80a6f34a..8a7c9613 100644 --- a/packweb-apache/tasks/multiphp.yml +++ b/packweb-apache/tasks/multiphp.yml @@ -5,7 +5,6 @@ state: present name: proxy_fcgi notify: restart apache2 - when: not ansible_check_mode - include_role: name: remount-usr diff --git a/packweb-apache/tasks/phpmyadmin.yml b/packweb-apache/tasks/phpmyadmin.yml index 9e894786..f83b0a5d 100644 --- a/packweb-apache/tasks/phpmyadmin.yml +++ b/packweb-apache/tasks/phpmyadmin.yml @@ -65,12 +65,10 @@ changed_when: False check_mode: no register: new_packweb_phpmyadmin_suffix - when: not ansible_check_mode - name: overwrite packweb_phpmyadmin_suffix set_fact: packweb_phpmyadmin_suffix: "{{ new_packweb_phpmyadmin_suffix.stdout }}" - when: not ansible_check_mode - debug: var: packweb_phpmyadmin_suffix @@ -88,18 +86,15 @@ Require all denied Include /etc/apache2/ipaddr_whitelist.conf - when: not ansible_check_mode - name: enable phpmyadmin link in default site index replace: dest: /var/www/index.html regexp: '' replace: '
  • Accès PhpMyAdmin
  • ' - when: not ansible_check_mode - name: replace phpmyadmin suffix in default site index replace: dest: /var/www/index.html regexp: '__PHPMYADMIN_SUFFIX__' replace: "{{ packweb_phpmyadmin_suffix }}" - when: not ansible_check_mode diff --git a/php/handlers/main.yml b/php/handlers/main.yml index 75fe86ba..079a14d5 100644 --- a/php/handlers/main.yml +++ b/php/handlers/main.yml @@ -4,28 +4,23 @@ service: name: php5-fpm state: restarted - when: not ansible_check_mode - name: restart php7.0-fpm service: name: php7.0-fpm state: restarted - when: not ansible_check_mode - name: restart php7.3-fpm service: name: php7.3-fpm state: restarted - when: not ansible_check_mode - name: restart php7.4-fpm service: name: php7.4-fpm state: restarted - when: not ansible_check_mode - name: restart php8.1-fpm service: name: php8.1-fpm state: restarted - when: not ansible_check_mode diff --git a/php/tasks/config_cli.yml b/php/tasks/config_cli.yml index e4fac4a7..d327690a 100644 --- a/php/tasks/config_cli.yml +++ b/php/tasks/config_cli.yml @@ -25,7 +25,6 @@ file: dest: "{{ php_cli_custom_ini_file }}" mode: "0644" - when: not ansible_check_mode - name: "Set custom values for PHP to enable Symfony" ini_file: @@ -36,6 +35,4 @@ mode: "0644" loop: - { option: "date.timezone", value: "Europe/Paris" } - when: - - php_symfony_requirements | bool - - not ansible_check_mode + when: php_symfony_requirements | bool diff --git a/php/tasks/main_bookworm.yml b/php/tasks/main_bookworm.yml index 49c91719..4dcde767 100644 --- a/php/tasks/main_bookworm.yml +++ b/php/tasks/main_bookworm.yml @@ -79,14 +79,12 @@ with_items: - /etc/php - /etc/php/{{ php_version }} - when: not ansible_check_mode - include: config_cli.yml - name: "Enforce permissions on PHP cli directory (Debian 12)" file: dest: /etc/php/{{ php_version }}/cli mode: "0755" - when: not ansible_check_mode - include: config_fpm.yml when: php_fpm_enable 
@@ -95,9 +93,7 @@ file: dest: /etc/php/{{ php_version }}/fpm mode: "0755" - when: - - php_fpm_enable - - not ansible_check_mode + when: php_fpm_enable - include: config_apache.yml when: php_apache_enable @@ -106,9 +102,7 @@ file: dest: /etc/php/{{ php_version }}/apache2 mode: "0755" - when: - - php_apache_enable - - not ansible_check_mode + when: php_apache_enable - include: sury_post.yml when: php_sury_enable diff --git a/php/tasks/main_bullseye.yml b/php/tasks/main_bullseye.yml index 9b1fdf33..403a7b76 100644 --- a/php/tasks/main_bullseye.yml +++ b/php/tasks/main_bullseye.yml @@ -68,14 +68,12 @@ with_items: - /etc/php - /etc/php/7.4 - when: not ansible_check_mode - include: config_cli.yml - name: "Enforce permissions on PHP cli directory (Debian 11)" file: dest: /etc/php/7.4/cli mode: "0755" - when: not ansible_check_mode - include: config_fpm.yml when: php_fpm_enable @@ -84,9 +82,7 @@ file: dest: /etc/php/7.4/fpm mode: "0755" - when: - - php_fpm_enable - - not ansible_check_mode + when: php_fpm_enable - include: config_apache.yml when: php_apache_enable @@ -95,9 +91,7 @@ file: dest: /etc/php/7.4/apache2 mode: "0755" - when: - - php_apache_enable - - not ansible_check_mode + when: php_apache_enable - include: sury_post.yml when: php_sury_enable diff --git a/php/tasks/main_buster.yml b/php/tasks/main_buster.yml index eff2dc8f..2fc4293e 100644 --- a/php/tasks/main_buster.yml +++ b/php/tasks/main_buster.yml @@ -68,14 +68,12 @@ loop: - /etc/php - /etc/php/7.3 - when: not ansible_check_mode - include: config_cli.yml - name: "Enforce permissions on PHP cli directory (Debian 10)" file: dest: /etc/php/7.3/cli mode: "0755" - when: not ansible_check_mode - include: config_fpm.yml when: php_fpm_enable | bool @@ -84,9 +82,7 @@ file: dest: /etc/php/7.3/fpm mode: "0755" - when: - - php_fpm_enable | bool - - not ansible_check_mode + when: php_fpm_enable | bool - include: config_apache.yml when: php_apache_enable | bool 
@@ -95,9 +91,7 @@ file: dest: /etc/php/7.3/apache2 mode: "0755" - when: - - php_apache_enable | bool - - not ansible_check_mode + when: php_apache_enable | bool - include: sury_post.yml when: php_sury_enable | bool diff --git a/php/tasks/main_jessie.yml b/php/tasks/main_jessie.yml index a5aecdb7..75105166 100644 --- a/php/tasks/main_jessie.yml +++ b/php/tasks/main_jessie.yml @@ -56,7 +56,6 @@ file: dest: /etc/php5 mode: "0755" - when: not ansible_check_mode - include: config_cli.yml @@ -64,7 +63,6 @@ file: dest: /etc/php5/cli mode: "0755" - when: not ansible_check_mode - include: config_fpm.yml when: php_fpm_enable | bool @@ -73,9 +71,7 @@ file: dest: /etc/php5/fpm mode: "0755" - when: - - php_fpm_enable | bool - - not ansible_check_mode + when: php_fpm_enable | bool - include: config_apache.yml when: php_apache_enable | bool @@ -84,6 +80,4 @@ file: dest: /etc/php5/apache2 mode: "0755" - when: - - php_apache_enable | bool - - not ansible_check_mode + when: php_apache_enable | bool diff --git a/php/tasks/main_stretch.yml b/php/tasks/main_stretch.yml index 6934fa6a..698621ac 100644 --- a/php/tasks/main_stretch.yml +++ b/php/tasks/main_stretch.yml @@ -68,7 +68,6 @@ loop: - /etc/php - /etc/php/7.0 - when: not ansible_check_mode - include: config_cli.yml @@ -76,7 +75,6 @@ file: dest: /etc/php/7.0/cli mode: "0755" - when: not ansible_check_mode - include: config_fpm.yml when: php_fpm_enable | bool @@ -85,9 +83,7 @@ file: dest: /etc/php/7.0/fpm mode: "0755" - when: - - php_fpm_enable | bool - - not ansible_check_mode + when: php_fpm_enable | bool - include: config_apache.yml when: php_apache_enable | bool @@ -96,9 +92,7 @@ file: dest: /etc/php/7.0/apache2 mode: "0755" - when: - - php_apache_enable | bool - - not ansible_check_mode + when: php_apache_enable | bool - include: sury_post.yml when: php_sury_enable | bool diff --git a/php/tasks/sury_post.yml b/php/tasks/sury_post.yml index 6855214b..4e706889 100644 --- a/php/tasks/sury_post.yml +++ b/php/tasks/sury_post.yml 
@@ -14,7 +14,6 @@ file: dest: /etc/php/7.4/cli mode: "0755" - when: not ansible_check_mode - name: Symlink Evolix Apache config files from 7.4 to 7.0 file: @@ -31,9 +30,7 @@ file: dest: /etc/php/7.4/apache2 mode: "0755" - when: - - php_apache_enable | bool - - not ansible_check_mode + when: php_apache_enable | bool - name: Symlink Evolix FPM config files from 7.4 to 7.0 file: @@ -52,6 +49,4 @@ file: dest: /etc/php/7.4/fpm mode: "0755" - when: - - php_fpm_enable | bool - - not ansible_check_mode + when: php_fpm_enable | bool diff --git a/proftpd/handlers/main.yml b/proftpd/handlers/main.yml index bffa7ede..0914d289 100644 --- a/proftpd/handlers/main.yml +++ b/proftpd/handlers/main.yml @@ -3,4 +3,3 @@ service: name: proftpd state: restarted - when: not ansible_check_mode diff --git a/proftpd/tasks/main.yml b/proftpd/tasks/main.yml index f29fbd81..f45958a9 100644 --- a/proftpd/tasks/main.yml +++ b/proftpd/tasks/main.yml @@ -70,7 +70,6 @@ notify: restart proftpd tags: - proftpd - when: not ansible_check_mode - name: Put empty vpasswd file if missing copy: @@ -93,7 +92,6 @@ notify: restart proftpd tags: - proftpd - when: not ansible_check_mode - include: accounts.yml when: proftpd_accounts | length > 0 diff --git a/squid/handlers/main.yml b/squid/handlers/main.yml index 675a9dbd..4f5329b9 100644 --- a/squid/handlers/main.yml +++ b/squid/handlers/main.yml 
@@ -3,38 +3,31 @@ service: name: munin-node state: restarted - when: not ansible_check_mode - name: restart squid service: name: squid state: restarted - when: not ansible_check_mode - name: reload squid service: name: squid state: reloaded - when: not ansible_check_mode - name: restart squid3 service: name: squid3 state: restarted - when: not ansible_check_mode - name: reload squid3 service: name: squid3 state: reloaded - when: not ansible_check_mode - name: restart log2mail service: name: log2mail state: restarted - when: not ansible_check_mode - name: restart minifirewall command: /etc/init.d/minifirewall restart - when: not ansible_check_mode diff --git a/squid/tasks/main.yml b/squid/tasks/main.yml index 540e56d9..4a3cab4d 100644 --- a/squid/tasks/main.yml +++ b/squid/tasks/main.yml @@ -121,7 +121,6 @@ when: - squid_localproxy_enable | bool - ansible_distribution_major_version is version('9', '>=') - - not ansible_check_mode - name: "evolinux custom overrides (Debian 9 or later)" copy: diff --git a/webapps/evoadmin-web/tasks/ftp.yml b/webapps/evoadmin-web/tasks/ftp.yml index 074b38fb..98f275ff 100644 --- a/webapps/evoadmin-web/tasks/ftp.yml +++ b/webapps/evoadmin-web/tasks/ftp.yml @@ -10,4 +10,3 @@ remote_src: False src: ftp/evolinux.conf.diff dest: /etc/proftpd/conf.d/z-evolinux.conf - when: not ansible_check_mode diff --git a/webapps/evoadmin-web/tasks/main.yml b/webapps/evoadmin-web/tasks/main.yml index d9589548..1acb2aa5 100644 --- a/webapps/evoadmin-web/tasks/main.yml +++ b/webapps/evoadmin-web/tasks/main.yml @@ -3,9 +3,7 @@ - name: "Ensure that evoadmin_contact_email is defined" fail: msg: Please configure var evoadmin_contact_email - when: - - evoadmin_contact_email is none or evoadmin_contact_email | length == 0 - - not ansible_check_mode + when: evoadmin_contact_email is none or evoadmin_contact_email | length == 0 - include: packages.yml @@ -25,4 +23,3 @@ marker: "" block: |
  • Interface admin web (EvoAdmin-web)
  • - when: not ansible_check_mode diff --git a/webapps/evoadmin-web/tasks/ssl.yml b/webapps/evoadmin-web/tasks/ssl.yml index eb7a31cd..6bdf1421 100644 --- a/webapps/evoadmin-web/tasks/ssl.yml +++ b/webapps/evoadmin-web/tasks/ssl.yml @@ -17,7 +17,6 @@ owner: root group: ssl-cert mode: "0640" - when: not ansible_check_mode - name: Create certificate for default site command: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ evoadmin_host }}.csr -signkey /etc/ssl/private/{{ evoadmin_host }}.key -out /etc/ssl/certs/{{ evoadmin_host }}.crt diff --git a/webapps/evoadmin-web/tasks/user.yml b/webapps/evoadmin-web/tasks/user.yml index fa61b830..bbad1b8f 100644 --- a/webapps/evoadmin-web/tasks/user.yml +++ b/webapps/evoadmin-web/tasks/user.yml @@ -54,9 +54,7 @@ dest: "{{ evoadmin_document_root }}" version: jessie update: False - when: - - ansible_distribution_release == "jessie" - - not ansible_check_mode + when: ansible_distribution_release == "jessie" - name: "Clone evoadmin repository (Debian 9 or later)" git: @@ -64,9 +62,7 @@ dest: "{{ evoadmin_document_root }}" version: master update: False - when: - - ansible_distribution_major_version is version('9', '>=') - - not ansible_check_mode + when: ansible_distribution_major_version is version('9', '>=') - name: Change ownership on git repository file: -- 2.39.2 From 34fefa12122de3a093d1df92b7455147e996b4ba Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 14 Dec 2022 07:46:12 +0100 Subject: [PATCH 290/497] typos --- CHANGELOG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1ca523a4..e8a249ad 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -29,7 +29,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * evocheck: install script according to Debian version * evolinux-base: utils.yml can be excluded * evolinux-todo: execute tasks only for Debian distribution (because this task is a dependency for others roles used on different distributions) -* evolinux-user: Add sudoers privilege for chck php\_fpm81 +* evolinux-user: Add sudoers privilege for check php\_fpm81 * evomaintenance: allow missing API endpoint if APi is disabled * java: use default JRE package when version is not specified * listupgrade: better detection for PostgreSQL @@ -44,7 +44,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * squid: whitelist deb.freexian.com * varnish: better package facts usage with check mode and tags * varnish: systemd override depends on Varnish version instead of Debian version -* keepalived: change exit code (warning if runnin but not on expected state ; critical if not running) +* keepalived: change exit code (warning if running but not on expected state ; critical if not running) * openvpn: shellpki upstream release 22.12.2 * openvpn: specifies that the mail for expirations is for OpenVPN -- 2.39.2 From 1acd2f63db44e7832604eb81dbd5219def28211c Mon Sep 17 00:00:00 2001 From: Bruno Tatu Date: Wed, 14 Dec 2022 09:50:16 +0100 Subject: [PATCH 291/497] =?UTF-8?q?on=20enl=C3=A8ve=20bc?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- fail2ban/templates/fail2ban_dbpurge.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fail2ban/templates/fail2ban_dbpurge.j2 b/fail2ban/templates/fail2ban_dbpurge.j2 index 3de092a3..ee984438 100644 --- a/fail2ban/templates/fail2ban_dbpurge.j2 +++ b/fail2ban/templates/fail2ban_dbpurge.j2 
@@ -5,7 +5,7 @@ /usr/bin/ionice -c3 /usr/bin/sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "DELETE FROM bans WHERE datetime('now', '-{{ bantime.stdout }} second') > datetime(timeofban, 'unixepoch');" place_dispo=$( df -h /var/lib/fail2ban/fail2ban.sqlite3 --output="avail" -h --block-size=1 |tail -n1 ) -place_pris=$( echo "$(stat --format %s /var/lib/fail2ban/fail2ban.sqlite3 ) * 2" |bc ) +place_pris=$( echo $(("$(stat --format %s /var/lib/fail2ban/fail2ban.sqlite3 ) * 2" )) ) if [ $place_pris -lt $place_dispo ] then -- 2.39.2 From ac85efe8aa9dc02bb1baaaba6b9499fc335d0049 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Wed, 14 Dec 2022 11:01:03 +0100 Subject: [PATCH 292/497] vrrpd: Small fix to work in check mode --- vrrpd/tasks/ip.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/vrrpd/tasks/ip.yml b/vrrpd/tasks/ip.yml index 59594395..273c882e 100644 --- a/vrrpd/tasks/ip.yml +++ b/vrrpd/tasks/ip.yml @@ -17,4 +17,6 @@ daemon_reload: yes enabled: yes state: "{{ vrrp_address.state }}" - when: vrrp_systemd_unit is changed \ No newline at end of file + when: + - vrrp_systemd_unit is changed + - not ansible_check_mode \ No newline at end of file -- 2.39.2 From 21ab9b1e68bb0dfff2848b88bd7ff65879843c24 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 14 Dec 2022 11:30:35 +0100 Subject: [PATCH 293/497] Revert ce5e4b12c68b378628f94b7aacabdec76da0b59a --- apache/tasks/main.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index 39c8db24..1a028205 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -64,7 +64,6 @@ when: apache_mpm == "prefork" or apache_mpm == "itk" tags: - apache - when: not ansible_check_mode - name: Copy Apache defaults config file @@ -134,7 +133,6 @@ when: apache_evolinux_default_enabled | bool tags: - apache - when: not ansible_check_mode - include: server_status.yml tags: 
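Review bot: The replacement line `place_pris=$( echo $(("$(stat --format %s /var/lib/fail2ban/fail2ban.sqlite3 ) * 2" )) )` puts a double-quoted string inside `$(( ))`; bash tolerates that, but a POSIX `sh` such as dash may reject a quoted string as an arithmetic primary, and the template's interpreter line is outside this hunk so I cannot tell which shell runs it. Neither the quotes nor the `echo` are needed: `place_pris=$(( $(stat --format %s /var/lib/fail2ban/fail2ban.sqlite3) * 2 ))` is equivalent and portable. Separately, if `stat` fails `place_pris` is empty and the unquoted `[ $place_pris -lt $place_dispo ]` that follows errors out instead of taking a defined branch; quoting both operands at least makes the failure explicit.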
@@ -160,7 +158,6 @@ when: envvar_grep_umask.rc != 0 tags: - apache - when: not ansible_check_mode - include_role: name: evolix/remount-usr -- 2.39.2 From 240ccee12b37b6e7f85ad32cd128d8929319caf1 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 14 Dec 2022 11:37:38 +0100 Subject: [PATCH 294/497] Release 22.12 --- CHANGELOG.md | 47 +++++++++++++++++++++++++++++------------------ 1 file changed, 29 insertions(+), 18 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e8a249ad..1de94487 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -12,56 +12,67 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added -* all: Use proper keyrings directory for APT version -* all: Add signed-by option for additional APT sources +### Changed + +### Fixed + +### Removed + +### Security + +## [22.12] 2022-12-14 + +### Added + +* all: add signed-by option for additional APT sources * all: preliminary work to support Debian 12 +* all: use proper keyrings directory for APT version * evolinux-base: replace regular kernel by cloud kernel on virtual servers -* lxc-php: set php-fpm umask to 007 -* nagios-nrpe: check_ceph_* -* nagios-nrpe: check_haproxy_stats supports DRAIN status -* packweb-apache: enable log_forensic module -* varnish: create special tmp directory for syntax validation +* lxc-php: set php-fpm umask to `007` +* nagios-nrpe: `check_ceph_*` +* nagios-nrpe: `check_haproxy_stats` supports DRAIN status +* packweb-apache: enable `log_forensic` module * rabbitmq: add link in default page +* varnish: create special tmp directory for syntax validation ### Changed * certbot: auto-detect HAPEE version in renewal hook * evocheck: install script according to Debian version -* evolinux-base: utils.yml can be excluded +* evolinux-base: `utils.yml` can be excluded * evolinux-todo: execute tasks only for Debian distribution (because this task is a dependency for others roles used on different distributions) -* evolinux-user: Add sudoers privilege for check php\_fpm81 +* evolinux-user: add sudoers privilege for check `php_fpm81` * evomaintenance: allow missing API endpoint if APi is disabled * java: use default JRE package when version is not specified +* keepalived: change exit code (_warning_ if running but not on expected state ; _critical_ if not running) * listupgrade: better detection for PostgreSQL * listupgrade: sort/uniq of packages/services lists in email template * lxc-solr: detect the real partition options * lxc-solr: download URL according to Solr Version * lxc-solr: 
set homedir and port at install * minifirewall: whitelist deb.freexian.com +* openvpn: shellpki upstream release 22.12.2 +* openvpn: specifies that the mail for expirations is for OpenVPN * packweb-apache: manual dependencies resolution * redis: some values should be quoted * redis: variable to disable transparent hugepage (default: do nothing) -* squid: whitelist deb.freexian.com +* squid: whitelist `deb.freexian.com` * varnish: better package facts usage with check mode and tags * varnish: systemd override depends on Varnish version instead of Debian version -* keepalived: change exit code (warning if running but not on expected state ; critical if not running) -* openvpn: shellpki upstream release 22.12.2 -* openvpn: specifies that the mail for expirations is for OpenVPN ### Fixed -* evolinux-user: Fix sudoers privilege for check php\_fpm80 +* evolinux-user: Fix sudoers privilege for check `php_fpm80` * nagios-nrpe: Fix check opendkim for recent change in listening port -* varnish: fix missing state, that blocked the task -* proftpd: Fix format of public key files controlled by ansible -* proftpd: Fix mode of public key directory and files (they have to be accessible by proftpd:nobody) * openvpn: Fix mode of shellpki script +* proftpd: Fix format of public key files controlled by Ansible +* proftpd: Fix mode of public key directory and files (they have to be accessible by `proftpd:nobody`) +* varnish: fix missing state, that blocked the task ### Removed * openvpn: Deleted the task fixing the CRL rights since it has been fixed in upstream -### Security ## [22.09] 2022-09-19 -- 2.39.2 From 0622e9ff1ee8f719e910600198c9b9557deff5db Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour Date: Wed, 14 Dec 2022 11:47:53 +0100 Subject: [PATCH 295/497] fix non-breaking spaces --- CHANGELOG.md | 2 +- evomaintenance/templates/evomaintenance.j2 | 2 +- fail2ban/templates/jail.local.j2 | 6 +++--- lxc-php/tasks/umask.yml | 10 +++++----- packweb-apache/tasks/update_userlogrotate.yml | 2 +- tomcat-instance/defaults/main.yml | 2 +- 6 files changed, 12 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1de94487..8f5e0e0c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -205,7 +205,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * minifirewall: tail template follows symlinks * mysql: add "set crypt_use_gpgme=no" Mutt option, for mysqltuner -### Fixed +### Fixed * Role `postfix`: Add missing `localhost.localdomain localhost` to `mydestination` variable which caused undelivered of some local mails. diff --git a/evomaintenance/templates/evomaintenance.j2 b/evomaintenance/templates/evomaintenance.j2 index 006d1c09..4a068fe6 100644 --- a/evomaintenance/templates/evomaintenance.j2 +++ b/evomaintenance/templates/evomaintenance.j2 @@ -11,7 +11,7 @@ FULLFROM="{{ evomaintenance_full_from }}" URGENCYFROM={{ evomaintenance_urgency_from }} URGENCYTEL="{{ evomaintenance_urgency_tel }}" REALM="{{ evomaintenance_realm }}" -API_ENDPOINT={{ evomaintenance_api_endpoint }} +API_ENDPOINT={{ evomaintenance_api_endpoint }} API_KEY={{ evomaintenance_api_key }} HOOK_API={{ evomaintenance_hook_api | bool | ternary('1','0') }} diff --git a/fail2ban/templates/jail.local.j2 b/fail2ban/templates/jail.local.j2 index 19c4f35b..3738ee33 100644 --- a/fail2ban/templates/jail.local.j2 +++ b/fail2ban/templates/jail.local.j2 @@ -38,7 +38,7 @@ bantime = {{ fail2ban_recidive_bantime }} # Evolix custom jails [wordpress-hard] -enabled = {{ fail2ban_wordpress_hard }} +enabled = {{ fail2ban_wordpress_hard }} port = http, https filter = wordpress-hard logpath = /var/log/auth.log 
@@ -47,7 +47,7 @@ findtime = {{ fail2ban_wordpress_hard_findtime }} bantime = {{ fail2ban_wordpress_hard_bantime }} [wordpress-soft] -enabled = {{ fail2ban_wordpress_soft }} +enabled = {{ fail2ban_wordpress_soft }} port = http, https filter = wordpress-soft logpath = /var/log/auth.log @@ -56,7 +56,7 @@ findtime = {{ fail2ban_wordpress_soft_findtime }} bantime = {{ fail2ban_wordpress_soft_bantime }} [roundcube] -enabled = {{ fail2ban_roundcube }} +enabled = {{ fail2ban_roundcube }} port = http, https filter = roundcube logpath = /var/lib/roundcube/logs/errors diff --git a/lxc-php/tasks/umask.yml b/lxc-php/tasks/umask.yml index 170851ab..8dc9039a 100644 --- a/lxc-php/tasks/umask.yml +++ b/lxc-php/tasks/umask.yml 
@@ -1,27 +1,27 @@ # Ajoute UMask=0007 à l'unité systemd PHP-FPM du conteneur LXC -# dans /etc/systemd/system/phpX.X-fpm.service.d/evolinux.conf +# dans /etc/systemd/system/phpX.X-fpm.service.d/evolinux.conf --- - name: "Définis le chemin du système de fichiers du conteneur LXC." set_fact: - lxc_rootfs_path: "/var/lib/lxc/{{ lxc_php_version }}/rootfs" + lxc_rootfs_path: "/var/lib/lxc/{{ lxc_php_version }}/rootfs" - name: "Crée des répertoires (si absents) pour surcharger la config des services PHP dans les conteneurs LXC." ansible.builtin.file: - path: "{{ lxc_rootfs_path }}/etc/systemd/system/{{ lxc_php_services[lxc_php_version] }}.d" + path: "{{ lxc_rootfs_path }}/etc/systemd/system/{{ lxc_php_services[lxc_php_version] }}.d" state: directory register: systemd_path - name: "[Service] est présent dans la surchage des services PHP-FPM des conteneurs LXC." ansible.builtin.lineinfile: - path: "{{ systemd_path.path }}/evolinux.conf" + path: "{{ systemd_path.path }}/evolinux.conf" regex: "\\[Service\\]" line: "[Service]" create: yes - name: "UMask=0007 est présent dans la surchage des services PHP-FPM des conteneurs LXC." ansible.builtin.lineinfile: - path: "{{ systemd_path.path }}/evolinux.conf" + path: "{{ systemd_path.path }}/evolinux.conf" regex: "^UMask=" line: "UMask=0007" insertafter: "\\[Service\\]" diff --git a/packweb-apache/tasks/update_userlogrotate.yml b/packweb-apache/tasks/update_userlogrotate.yml index a94080b0..1e8a6d85 100644 --- a/packweb-apache/tasks/update_userlogrotate.yml +++ b/packweb-apache/tasks/update_userlogrotate.yml @@ -9,7 +9,7 @@ - name: "Met-à-jour userlogrotate" ansible.builtin.copy: src: userlogrotate - dest: "{{ item }}" + dest: "{{ item }}" mode: "0755" loop: "{{ find_logrotate.files }}" when: find_logrotate.files | length>0 diff --git a/tomcat-instance/defaults/main.yml b/tomcat-instance/defaults/main.yml index 6a2ec877..92e68738 100644 --- a/tomcat-instance/defaults/main.yml +++ b/tomcat-instance/defaults/main.yml 
@@ -1,5 +1,5 @@ --- tomcat_instance_java_path: '/usr/lib/jvm/java-7-openjdk-amd64' tomcat_instance_root: '/srv/tomcat' -tomcat_instance_shutdown: "{{ tomcat_instance_port | int + 1 }}" +tomcat_instance_shutdown: "{{ tomcat_instance_port | int + 1 }}" tomcat_instance_mps: 256 -- 2.39.2 From 6aac8933b86d2ce4b60d5c75f24b00e07490ecae Mon Sep 17 00:00:00 2001 From: Bruno Tatu Date: Wed, 14 Dec 2022 17:53:10 +0100 Subject: [PATCH 296/497] Support dbpurgeage if is a number or a string --- fail2ban/tasks/fix-dbpurgeage.yml | 12 +++++++++++- fail2ban/templates/fail2ban_dbpurge.j2 | 2 +- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/fail2ban/tasks/fix-dbpurgeage.yml b/fail2ban/tasks/fix-dbpurgeage.yml index 67819a3f..64d67806 100644 --- a/fail2ban/tasks/fix-dbpurgeage.yml +++ b/fail2ban/tasks/fix-dbpurgeage.yml @@ -6,10 +6,20 @@ - name: Register bantime from default config from package shell: "grep -R -E 'dbpurgeage[[:blank:]]*=[[:blank:]]*[0-9]+' /etc/fail2ban/fail2ban.conf |awk '{print $3}'|head -n1" - register: default_dbpurgeage + register: dbpurgeage changed_when: false check_mode: false + - name: + set_fact: + dbpurgeage_default : "{{ dbpurgeage.stdout }}" + when: dbpurgeage.stdout | regex_search("^\\d+\w+$") + + - name: + set_fact: + dbpurgeage_default : "{{ dbpurgeage.stdout }} second" + when: dbpurgeage.stdout | regex_search("^\\d+$") + - name: Add crontab template: src: fail2ban_dbpurge.j2 diff --git a/fail2ban/templates/fail2ban_dbpurge.j2 b/fail2ban/templates/fail2ban_dbpurge.j2 index ee984438..8b6d9612 100644 --- a/fail2ban/templates/fail2ban_dbpurge.j2 +++ b/fail2ban/templates/fail2ban_dbpurge.j2 
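Review bot: The two new `set_fact` tasks in fail2ban/tasks/fix-dbpurgeage.yml have empty `- name:` entries and an extra space in `dbpurgeage_default :`; give them names such as `Normalize dbpurgeage with unit` / `Normalize numeric dbpurgeage to seconds` and write the key as `dbpurgeage_default:`. The escaping is also inconsistent, `"^\\d+\w+$"` versus `"^\\d+$"`: both work only because Jinja leaves unknown escapes untouched, so use `\\w` consistently, and since `\w` also matches digits a purely numeric value satisfies both conditions and relies on task order for the second assignment to win; `regex_search("^\\d+[a-zA-Z]+$")` makes the two cases exclusive. If neither regex matches (for example an empty `dbpurgeage.stdout`), `dbpurgeage_default` is never set and the template task that follows fails on an undefined variable, so a final `fail:` or a default is needed. Note that the first branch passes the value verbatim into the SQLite `datetime('now', '-{{ dbpurgeage_default }}')` modifier in the template hunk on the next line; I cannot confirm from here whether fail2ban's unit spelling is one SQLite accepts, so that path is worth testing with the packaged default.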
@@ -2,7 +2,7 @@ # Juin - Decembre 2022 : #64088 # Purge pour Stretch et Buster -/usr/bin/ionice -c3 /usr/bin/sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "DELETE FROM bans WHERE datetime('now', '-{{ bantime.stdout }} second') > datetime(timeofban, 'unixepoch');" +/usr/bin/ionice -c3 /usr/bin/sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "DELETE FROM bans WHERE datetime('now', '-{{ dbpurgeage_default }}') > datetime(timeofban, 'unixepoch');" place_dispo=$( df -h /var/lib/fail2ban/fail2ban.sqlite3 --output="avail" -h --block-size=1 |tail -n1 ) place_pris=$( echo $(("$(stat --format %s /var/lib/fail2ban/fail2ban.sqlite3 ) * 2" )) ) -- 2.39.2 From 55a64845ce811d1e050bc606b9a8648ae2819713 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Thu, 15 Dec 2022 11:43:13 +0100 Subject: [PATCH 297/497] postfix: add localhost. to mydestination --- CHANGELOG.md | 1 + postfix/templates/evolinux_main.cf.j2 | 2 +- postfix/templates/packmail_main.cf.j2 | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8f5e0e0c..2edbe41a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -34,6 +34,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * packweb-apache: enable `log_forensic` module * rabbitmq: add link in default page * varnish: create special tmp directory for syntax validation +* postfix: add localhost.$mydomain to mydestination ### Changed diff --git a/postfix/templates/evolinux_main.cf.j2 b/postfix/templates/evolinux_main.cf.j2 index 0c871546..5d298f1d 100644 --- a/postfix/templates/evolinux_main.cf.j2 +++ b/postfix/templates/evolinux_main.cf.j2 @@ -5,7 +5,7 @@ myhostname = {{ postfix_hostname }} alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases myorigin = $myhostname -mydestination = $myhostname localhost.localdomain localhost +mydestination = $myhostname localhost localhost.localdomain localhost.$mydomain relayhost = mynetworks = 127.0.0.0/8 mailbox_size_limit = 0 
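Review bot: The new DELETE hands `'-{{ dbpurgeage_default }}'` straight to SQLite's `datetime()` as a modifier, and SQLite only understands spelled-out units (`NNN seconds`, `NNN days`, …); if `fail2ban.conf` uses fail2ban's own shorthand such as `1d` or `24h`, the modifier is invalid, `datetime()` returns NULL, the comparison is never true and the purge silently removes nothing — the very condition this cron job exists to prevent. The value should be normalised to an SQLite unit where the fact is set in `fix-dbpurgeage.yml`, or the template should refuse to render for a suffix it does not recognise, rather than failing open at runtime. On the positive side the fact is only ever a digit/word match from the grep, so no unvalidated content reaches the SQL string; a comment above the line saying so, `# dbpurgeage_default is regex-validated in fix-dbpurgeage.yml before it reaches this query`, would help the next reader.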
diff --git a/postfix/templates/packmail_main.cf.j2 b/postfix/templates/packmail_main.cf.j2 index 82b94afa..b8d4ef38 100644 --- a/postfix/templates/packmail_main.cf.j2 +++ b/postfix/templates/packmail_main.cf.j2 @@ -74,7 +74,7 @@ myhostname = {{ ansible_fqdn }} # Liste des noms de domaine (ou IP) consideres comme local #par defaut, = $myhostname, localhost.$mydomain, localhost -mydestination = $myhostname localhost.localdomain localhost +mydestination = $myhostname localhost localhost.localdomain localhost.$mydomain # Indique le domaine apparaissant dans le courrier envoye #par defaut, = $myhostname -- 2.39.2 From ab3e648f184c62f2d0af37830d3c06e2cd6b465d Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Thu, 15 Dec 2022 14:47:04 +0100 Subject: [PATCH 298/497] Add variable for fix logging --- postgresql/templates/postgresql.conf.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/postgresql/templates/postgresql.conf.j2 b/postgresql/templates/postgresql.conf.j2 index 9adce0b4..48551f4d 100644 --- a/postgresql/templates/postgresql.conf.j2 +++ b/postgresql/templates/postgresql.conf.j2 @@ -20,6 +20,8 @@ log_checkpoints = on log_lock_waits = on log_temp_files = 5MB log_autovacuum_min_duration = 1s +log_line_prefix = '%t [%p]: user=%u,db=%d,app=%a,client=%h ' +lc_messages = 'C' # Locales lc_monetary = 'fr_FR.UTF-8' -- 2.39.2 From 2493219270dc9108b1756c29a381672bd6be7c67 Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Fri, 16 Dec 2022 16:18:33 +0100 Subject: [PATCH 299/497] Add mysql_skip.sh --- mysql/files/mysql_skip.sh | 47 +++++++++++++++++++++++++++ mysql/tasks/main.yml | 2 ++ mysql/tasks/mysql_skip.yml | 44 +++++++++++++++++++++++++ mysql/templates/mysql_skip.conf.j2 | 1 + mysql/templates/mysql_skip.systemd.j2 | 16 +++++++++ 5 files changed, 110 insertions(+) create mode 100644 mysql/files/mysql_skip.sh create mode 100644 mysql/tasks/mysql_skip.yml create mode 100644 mysql/templates/mysql_skip.conf.j2 create mode 100644 mysql/templates/mysql_skip.systemd.j2 
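Review bot: Both new settings are hard-coded even though the commit title mentions a variable; `log_line_prefix` in particular is a site-wide convention that log parsers depend on, so exposing them as role defaults (`postgresql_log_line_prefix`, `postgresql_lc_messages`) carrying these values would let a host override them without forking the template. The chosen prefix `'%t [%p]: user=%u,db=%d,app=%a,client=%h '` is the one pgBadger documents, and `lc_messages = 'C'` keeps server messages in English for the same parsers; that intent deserves a comment above the lines, e.g. `# Prefix and message locale expected by log parsers (pgBadger)`. The CHANGELOG is not updated for this change while the neighbouring commits do so.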
diff --git a/mysql/files/mysql_skip.sh b/mysql/files/mysql_skip.sh new file mode 100644 index 00000000..95bc28f7 --- /dev/null +++ b/mysql/files/mysql_skip.sh @@ -0,0 +1,47 @@ +#!/bin/sh + +# File containing error messages to skip (one per line). +error_messages="/etc/mysql_skip.conf" + +# Sleep interval between 2 check. +sleep_interval="1" + +# Exit when Seconds_Behind_Master reached 0. +exit_when_uptodate="false" + +# Options to pass to mysql. +#mysql_opt="-P 3307" + +# File to log skipped queries to (leave empty for no logs). +log_file="/var/log/mysql_skip.log" + +mysql_skip_error() { + error="$1" + + error="$(date --iso-8601=seconds) Skiping: $error" + printf "Skipping: $error\n" + mysql $mysql_opt -e 'SET GLOBAL SQL_SLAVE_SKIP_COUNTER=1; START SLAVE;' + + [ -n "$log_file" ] && echo "$error" >>"$log_file" +} + +while true; do + slave_status="$(mysql $mysql_opt -e 'SHOW SLAVE STATUS\G')" + seconds_behind_master=$(echo "$slave_status" |grep 'Seconds_Behind_Master: ' |awk -F ' ' '{print $2}') + last_SQL_error="$(echo "$slave_status" |grep 'Last_SQL_Error: ' |sed 's/^.\+Last_SQL_Error: //')" + + if [ "$seconds_behind_master" = "0" ]; then + #printf 'Replication is up to date!\n' + if [ "$exit_when_uptodate" = "true" ]; then + exit 0 + fi + + elif [ -z "$last_SQL_error" ]; then + sleep $sleep_interval + + elif echo "$last_SQL_error" |grep -q -f $error_messages; then + mysql_skip_error "$last_SQL_error" + + fi + sleep 1 +done diff --git a/mysql/tasks/main.yml b/mysql/tasks/main.yml index 70a972f3..95cde4a1 100644 --- a/mysql/tasks/main.yml +++ b/mysql/tasks/main.yml @@ -45,3 +45,5 @@ - include_tasks: log2mail.yml - include_tasks: utils.yml + +- include_tasks: mysql_skip.yml diff --git a/mysql/tasks/mysql_skip.yml b/mysql/tasks/mysql_skip.yml new file mode 100644 index 00000000..bd4d5ff6 --- /dev/null +++ b/mysql/tasks/mysql_skip.yml 
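Review bot: The match in the main loop, `grep -q -f $error_messages`, reads every line of `/etc/mysql_skip.conf` as a regular expression, and a blank line is an empty pattern that matches anything, so a single stray empty line — or the shipped template's comment line, which is read as a pattern too — makes the script skip every replication error it sees; comment and blank lines must be stripped before matching and an empty pattern set must match nothing. In `mysql_skip_error`, `printf "Skipping: $error\n"` uses server-supplied error text as the printf format string (a `%` in the message corrupts the output), prefixes the message twice, and misspells "Skiping"; use a literal format with `%s`. `sleep_interval` is only honoured on the no-error branch while the unconditional `sleep 1` at the bottom runs every iteration, so the knob does not do what its comment says. Since each skip changes replication state with no way back, the log line is the only audit trail; making `log_file` mandatory rather than optional is worth considering. The rewritten lines below address the first two points.
```sh
mysql_skip_error() {
    error="$1"

    # Server-supplied text is data: keep the printf format string literal.
    error="$(date --iso-8601=seconds) Skipping: $error"
    printf '%s\n' "$error"
    mysql $mysql_opt -e 'SET GLOBAL SQL_SLAVE_SKIP_COUNTER=1; START SLAVE;'

    [ -n "$log_file" ] && printf '%s\n' "$error" >>"$log_file"
}

while true; do
    # … unchanged: slave_status / seconds_behind_master / last_SQL_error …

    # Drop comment and blank lines: an empty pattern would make grep match every error.
    patterns="$(sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' "$error_messages")"

    # … unchanged: up-to-date and no-error branches …

    elif [ -n "$patterns" ] && printf '%s\n' "$last_SQL_error" | grep -q -e "$patterns"; then
        mysql_skip_error "$last_SQL_error"

    # … unchanged: fi / sleep / done …
```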
@@ -0,0 +1,44 @@ +--- + +- name: "Copy script mysql_skip.sh into /usr/local/bin/" + copy: + src: mysql_skip.sh + dest: "/usr/local/bin/mysql_skip.sh" + owner: root + group: root + mode: "0700" + force: yes + tags: + - mysql_skip + +- name: "Copy config file for mysql_skip.sh" + template: + src: mysql_skip.conf.j2 + dest: "/etc/mysql_skip.conf" + owner: root + group: root + mode: "0600" + tags: + - mysql_skip + +- name: "Create log file for mysql_skip.sh" + file: + path: "/var/log/mysql_skip.log" + state: touch + owner: root + group: adm + mode: "0640" + tags: + - mysql_skip + +- name: "Copy mysql_skip.sh systemd unit" + template: + src: mysql_skip.systemd.j2 + dest: /etc/systemd/system/mysql_skip.service + force: yes + +- name: "Start or stop systemd unit" + systemd: + name: mysql_skip + daemon_reload: yes + state: "{{ mysql_skip_enabled | bool | ternary('started', 'stopped') }}" \ No newline at end of file diff --git a/mysql/templates/mysql_skip.conf.j2 b/mysql/templates/mysql_skip.conf.j2 new file mode 100644 index 00000000..3c8ef5fc --- /dev/null +++ b/mysql/templates/mysql_skip.conf.j2 @@ -0,0 +1 @@ +## Put your matched patern here ## diff --git a/mysql/templates/mysql_skip.systemd.j2 b/mysql/templates/mysql_skip.systemd.j2 new file mode 100644 index 00000000..afe44700 --- /dev/null +++ b/mysql/templates/mysql_skip.systemd.j2 @@ -0,0 +1,16 @@ +[Unit] +Description=Script for skip define mysql replication errors + +[Service] +ExecStart=/usr/local/bin/mysql_skip.sh +Type=simple +User=root +Group=root +PIDFile=/run/mysql_skip.pid +ExecStop=/bin/kill -- $MAINPID +KillMode=process +Restart=on-failure +RestartSec=5s + +[Install] +WantedBy=multi-user.target -- 2.39.2 From 506e7ff3a3695a835700f6625283e19f9dc6e365 Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Fri, 16 Dec 2022 16:25:46 +0100 Subject: [PATCH 300/497] Add mysql_skip_enabled in main --- mysql/defaults/main.yml | 2 ++ 1 file changed, 2 insertions(+) 
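Review bot: The final task evaluates `mysql_skip_enabled`, but nothing in this commit defines it (the default only arrives with PATCH 300 in `mysql/defaults/main.yml`), so between the two commits the mysql role fails with an undefined variable on every host that has not set it; the default belongs in the commit that adds the include to `main.yml`. The unit is only ever `started`/`stopped` and never enabled, so `mysql_skip` does not come back after a reboot — add `enabled: "{{ mysql_skip_enabled | bool }}"` beside `state:`. Unlike the three tasks above it, the systemd-unit `template:` task sets no `owner`/`group`/`mode` and carries no `mysql_skip` tag, so a run with `--tags mysql_skip` refreshes the script but not its unit. The one-line `mysql_skip.conf.j2` ("patern") is consumed by the script as a grep pattern file, so a human-readable comment is not a safe default content for it.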
diff --git a/mysql/defaults/main.yml b/mysql/defaults/main.yml index 80f526c6..59f46667 100644 --- a/mysql/defaults/main.yml +++ b/mysql/defaults/main.yml @@ -50,6 +50,8 @@ mysql_restart_if_needed: True mysql_performance_schema: True +mysql_skip_enabled: false + # replication variables: mysql_replication: false mysql_log_bin: null -- 2.39.2 From a6cfc0159bda08efa51effe84f0c2718768d436e Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Fri, 16 Dec 2022 16:31:43 +0100 Subject: [PATCH 301/497] Add logrotate for mysql_skip log file --- mysql/tasks/mysql_skip.yml | 10 ++++++++++ mysql/templates/mysql_skip.logrotate.j2 | 10 ++++++++++ 2 files changed, 20 insertions(+) create mode 100644 mysql/templates/mysql_skip.logrotate.j2 diff --git a/mysql/tasks/mysql_skip.yml b/mysql/tasks/mysql_skip.yml index bd4d5ff6..12d70057 100644 --- a/mysql/tasks/mysql_skip.yml +++ b/mysql/tasks/mysql_skip.yml @@ -31,6 +31,16 @@ tags: - mysql_skip +- name: "Copy logrotate file for mysql_skip.sh" + template: + src: mysql_skip.logrotate.j2 + dest: "/etc/logrotate.d/mysql_skip" + owner: root + group: root + mode: "0600" + tags: + - mysql_skip + - name: "Copy mysql_skip.sh systemd unit" template: src: mysql_skip.systemd.j2 diff --git a/mysql/templates/mysql_skip.logrotate.j2 b/mysql/templates/mysql_skip.logrotate.j2 new file mode 100644 index 00000000..4a75b3ea --- /dev/null +++ b/mysql/templates/mysql_skip.logrotate.j2 @@ -0,0 +1,10 @@ +/var/log/mysql_skip.log { + missingok + notifempty + monthly + rotate 12 + compress + create 640 root adm + dateext + dateformat -%Y%m%d%H +} \ No newline at end of file -- 2.39.2 From d8238d04c2795b51cf3acb215c5cf0ee92a45cc1 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Mon, 19 Dec 2022 17:02:10 +0100 Subject: [PATCH 302/497] evolinux-base: ensure dbus enabled and started --- evolinux-base/tasks/hostname.yml | 6 ++++++ 1 file changed, 6 insertions(+) 
diff --git a/evolinux-base/tasks/hostname.yml b/evolinux-base/tasks/hostname.yml index 2b9cfa93..2dd1ccae 100644 --- a/evolinux-base/tasks/hostname.yml +++ b/evolinux-base/tasks/hostname.yml @@ -4,6 +4,12 @@ name: dbus state: present +- name: dbus is enabled and started + service: + name: dbus + state: enabled + enabled: true + - name: Set hostname "{{ evolinux_hostname }}" hostname: name: "{{ evolinux_hostname }}" -- 2.39.2 From 144c723e8715cdcfeafb643edf2a795b837c8d2a Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Mon, 19 Dec 2022 17:04:42 +0100 Subject: [PATCH 303/497] Revert "evolinux-base: ensure dbus enabled and started" This reverts commit d8238d04c2795b51cf3acb215c5cf0ee92a45cc1. --- evolinux-base/tasks/hostname.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/evolinux-base/tasks/hostname.yml b/evolinux-base/tasks/hostname.yml index 2dd1ccae..2b9cfa93 100644 --- a/evolinux-base/tasks/hostname.yml +++ b/evolinux-base/tasks/hostname.yml @@ -4,12 +4,6 @@ name: dbus state: present -- name: dbus is enabled and started - service: - name: dbus - state: enabled - enabled: true - - name: Set hostname "{{ evolinux_hostname }}" hostname: name: "{{ evolinux_hostname }}" -- 2.39.2 From 7005344a5b4e5cd9ebb212ee7206a11490e20b24 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Mon, 19 Dec 2022 17:05:45 +0100 Subject: [PATCH 304/497] evolinux-base: ensure dbus enabled and started --- CHANGELOG.md | 2 ++ evolinux-base/tasks/hostname.yml | 6 ++++++ 2 files changed, 8 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2edbe41a..dca61a6c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Fixed +* evolinux-base: ensure dbus is started and enabled (not by default in the case of an offline netinst) + ### Removed ### Security diff --git a/evolinux-base/tasks/hostname.yml b/evolinux-base/tasks/hostname.yml index 2b9cfa93..ec3f99d1 100644 
--- a/evolinux-base/tasks/hostname.yml +++ b/evolinux-base/tasks/hostname.yml @@ -4,6 +4,12 @@ name: dbus state: present +- name: dbus is enabled and started + service: + name: dbus + state: started + enabled: true + - name: Set hostname "{{ evolinux_hostname }}" hostname: name: "{{ evolinux_hostname }}" -- 2.39.2 From 1c6fdbf85ab8646bb317be52dd76ddd0fdcc1e6f Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Thu, 22 Dec 2022 11:31:28 -0500 Subject: [PATCH 305/497] Remove warning ignores as they are depreciated Will cause a hard fail in ansible 2.14, so better get rid of them now. There is no alternative, but the ansible warnings for those modules are not hard failures anyways. --- CHANGELOG.md | 1 + etc-git/tasks/repository.yml | 3 --- evolinux-base/handlers/main.yml | 4 ---- kibana/tasks/main.yml | 2 -- nginx/tasks/munin_vhost.yml | 4 ---- rbenv/tasks/main.yml | 8 -------- remount-usr/handlers/main.yml | 4 +--- webapps/evoadmin-web/tasks/user.yml | 2 -- 8 files changed, 2 insertions(+), 26 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index dca61a6c..975f00dc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added ### Changed +* Removed all "warn: False" args in command, shell and other modules as it's been depreciated and will give a hard fail in ansible-core 2.14.0. ### Fixed diff --git a/etc-git/tasks/repository.yml b/etc-git/tasks/repository.yml index 80987da2..dbf66cda 100644 --- a/etc-git/tasks/repository.yml +++ b/etc-git/tasks/repository.yml @@ -9,7 +9,6 @@ args: chdir: "{{ repository_path }}" creates: "{{ repository_path }}/.git/" - warn: no register: git_init tags: - etc-git @@ -54,7 +53,6 @@ command: "git log" args: chdir: "{{ repository_path }}" - warn: no changed_when: False failed_when: False register: git_log 
@@ -66,7 +64,6 @@ shell: "git add -A . && git commit -m \"Initial commit via Ansible\"" args: chdir: "{{ repository_path }}" - warn: no register: git_commit when: git_log.rc != 0 or (git_init is defined and git_init is changed) tags: diff --git a/evolinux-base/handlers/main.yml b/evolinux-base/handlers/main.yml index 7331a245..388bf051 100644 --- a/evolinux-base/handlers/main.yml +++ b/evolinux-base/handlers/main.yml @@ -23,13 +23,9 @@ - name: remount /home command: mount -o remount /home - args: - warn: no - name: remount /var command: mount -o remount /var - args: - warn: no - name: restart nginx diff --git a/kibana/tasks/main.yml b/kibana/tasks/main.yml index e6377dde..341bfd13 100644 --- a/kibana/tasks/main.yml +++ b/kibana/tasks/main.yml @@ -126,8 +126,6 @@ # - name: Get mount options for /usr partition # shell: "mount | grep 'on /usr type'" -# args: -# warn: no # register: mount # changed_when: False # failed_when: False diff --git a/nginx/tasks/munin_vhost.yml b/nginx/tasks/munin_vhost.yml index ff9f8423..5aa137c9 100644 --- a/nginx/tasks/munin_vhost.yml +++ b/nginx/tasks/munin_vhost.yml @@ -18,15 +18,11 @@ shell: "chown --verbose www-data:munin /var/log/munin/munin-cgi-*" register: command_result changed_when: "'changed' in command_result.stdout" - args: - warn: no - name: Mode for munin-cgi is set to 660 shell: "chmod --verbose 660 /var/log/munin/munin-cgi-*" register: command_result changed_when: "'changed' in command_result.stdout" - args: - warn: no - name: Systemd unit for Munin-fcgi is installed copy: diff --git a/rbenv/tasks/main.yml b/rbenv/tasks/main.yml index de366e78..8294cfdc 100644 --- a/rbenv/tasks/main.yml +++ b/rbenv/tasks/main.yml @@ -88,8 +88,6 @@ - name: "is Ruby {{ rbenv_ruby_version }} available for {{ username }} ?" shell: /bin/bash -lc "rbenv versions | grep {{ rbenv_ruby_version }}" - args: - warn: no failed_when: False changed_when: False check_mode: False 
@@ -101,8 +99,6 @@ - name: "Ruby {{ rbenv_ruby_version }} is available for {{ username }} (be patient... could be long)" shell: /bin/bash -lc "TMPDIR=~/tmp rbenv install {{ rbenv_ruby_version }}" - args: - warn: no when: ruby_installed.rc != 0 become_user: "{{ username }}" become: yes @@ -111,8 +107,6 @@ - name: "is Ruby {{ rbenv_ruby_version }} selected for {{ username }} ?" shell: /bin/bash -lc "rbenv version | cut -d ' ' -f 1 | grep -Fx '{{ rbenv_ruby_version }}'" - args: - warn: no register: ruby_selected changed_when: False failed_when: False @@ -124,8 +118,6 @@ - name: "select Ruby {{ rbenv_ruby_version }} for {{ username }}" shell: /bin/bash -lc "rbenv global {{ rbenv_ruby_version }} && rbenv rehash" - args: - warn: no when: ruby_selected.rc != 0 become_user: "{{ username }}" become: yes diff --git a/remount-usr/handlers/main.yml b/remount-usr/handlers/main.yml index 5f197e78..f13f3ed6 100644 --- a/remount-usr/handlers/main.yml +++ b/remount-usr/handlers/main.yml @@ -1,6 +1,4 @@ --- - name: remount usr command: "mount -o remount /usr" - failed_when: false - args: - warn: no + failed_when: false \ No newline at end of file diff --git a/webapps/evoadmin-web/tasks/user.yml b/webapps/evoadmin-web/tasks/user.yml index bbad1b8f..f26bc57b 100644 --- a/webapps/evoadmin-web/tasks/user.yml +++ b/webapps/evoadmin-web/tasks/user.yml @@ -100,8 +100,6 @@ register: command_result changed_when: "'changed' in command_result.stdout" # failed_when: False - args: - warn: False - name: Add evoadmin sudoers file template: -- 2.39.2 From 5611bb73a288836951eaf861f547091cead63f2a Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Thu, 22 Dec 2022 11:31:28 -0500 Subject: [PATCH 306/497] Remove warning ignores as they are depreciated Will cause a hard fail in ansible 2.14, so better get rid of them now. There is no alternative, but the ansible warnings for those modules are not hard failures anyways. --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index 975f00dc..e64cb4c9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed * Removed all "warn: False" args in command, shell and other modules as it's been depreciated and will give a hard fail in ansible-core 2.14.0. +* Removed all "warn: False" args in command, shell and other modules as it's been depreciated and will give a hard fail in ansible-core 2.14.0. + ### Fixed * evolinux-base: ensure dbus is started and enabled (not by default in the case of an offline netinst) -- 2.39.2 From 0e6c2567e2764fa98dbe7a5566a47722b1c7fabe Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Thu, 22 Dec 2022 11:35:52 -0500 Subject: [PATCH 307/497] Fix presentation error in changelog markdown --- CHANGELOG.md | 1 - 1 file changed, 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e64cb4c9..3edf0dac 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,7 +13,6 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added ### Changed -* Removed all "warn: False" args in command, shell and other modules as it's been depreciated and will give a hard fail in ansible-core 2.14.0. * Removed all "warn: False" args in command, shell and other modules as it's been depreciated and will give a hard fail in ansible-core 2.14.0. -- 2.39.2 From 8ca237c5f74e0c2eabd88bd363388dd586964a98 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Tue, 27 Dec 2022 14:47:55 +0100 Subject: [PATCH 308/497] fail2ban: Fix indent in tasks/fix-dbpurgeage.yml --- fail2ban/tasks/fix-dbpurgeage.yml | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/fail2ban/tasks/fix-dbpurgeage.yml b/fail2ban/tasks/fix-dbpurgeage.yml index 64d67806..1246e601 100644 --- a/fail2ban/tasks/fix-dbpurgeage.yml +++ b/fail2ban/tasks/fix-dbpurgeage.yml @@ -1,3 +1,4 @@ +--- - name: Sqlite needed ansible.builtin.apt: name: 
@@ -10,15 +11,15 @@ changed_when: false check_mode: false - - name: - set_fact: - dbpurgeage_default : "{{ dbpurgeage.stdout }}" - when: dbpurgeage.stdout | regex_search("^\\d+\w+$") +- name: + set_fact: + dbpurgeage_default : "{{ dbpurgeage.stdout }}" + when: dbpurgeage.stdout | regex_search("^\\d+\w+$") - - name: - set_fact: - dbpurgeage_default : "{{ dbpurgeage.stdout }} second" - when: dbpurgeage.stdout | regex_search("^\\d+$") +- name: + set_fact: + dbpurgeage_default : "{{ dbpurgeage.stdout }} second" + when: dbpurgeage.stdout | regex_search("^\\d+$") - name: Add crontab template: -- 2.39.2 From be8c69b4b8219a74b6f794ca1f7cc360930d3b9f Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Tue, 27 Dec 2022 16:19:00 +0100 Subject: [PATCH 309/497] .Jenkinsfile > Add some ansible lint --- .Jenkinsfile | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/.Jenkinsfile b/.Jenkinsfile index 3f591b98..49fc9915 100644 --- a/.Jenkinsfile +++ b/.Jenkinsfile @@ -6,6 +6,20 @@ pipeline { } stages { + stage('Anible Lint') { + agent { + docker { + image 'evolix/ansible-lint:latest' + } + } + steps { + script { + sh 'for role_dir in ./*/; do HOME=$WORKSPACE_TMP ansible-lint -p $role_dir >> lint.txt || : ; done' + recordIssues(tools: [ansibleLint(pattern: 'lint.txt')]) + } + } + } + stage('Build tagged docker image') { when { buildingTag() -- 2.39.2 From 1c66a1a5f37813f6591c72748dde939fa5a138e6 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Tue, 27 Dec 2022 18:16:52 +0100 Subject: [PATCH 310/497] Jenkinsfile > Use workspace tmp dir --- .Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.Jenkinsfile b/.Jenkinsfile index 49fc9915..3f436cda 100644 --- a/.Jenkinsfile +++ b/.Jenkinsfile 
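Review bot: The new stage runs lint in `evolix/ansible-lint:latest`; a floating tag means results change whenever that image is rebuilt and the pipeline cannot be tied to a known linter version — pin a version tag (or a digest, `image 'evolix/ansible-lint@sha256:<digest>'`) and bump it deliberately. Inside the loop `|| :` turns every non-zero exit of `ansible-lint`, including the binary being missing, into success, so only `recordIssues` thresholds and never the exit status can gate the build; if that is intentional a comment saying so belongs on the `sh` line. `stage('Anible Lint')` misspells Ansible, and `$role_dir` should be quoted, `ansible-lint -p "$role_dir"`.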
@@ -14,7 +14,7 @@ pipeline { } steps { script { - sh 'for role_dir in ./*/; do HOME=$WORKSPACE_TMP ansible-lint -p $role_dir >> lint.txt || : ; done' + sh 'for role_dir in ./*/; do HOME=$WORKSPACE_TMP ansible-lint -p $role_dir >> $WORKSPACE_TMP/lint.txt || : ; done' recordIssues(tools: [ansibleLint(pattern: 'lint.txt')]) } } -- 2.39.2 From 0654fb8cedd85cc3b54ebf6317e82fa316100526 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Tue, 27 Dec 2022 18:43:37 +0100 Subject: [PATCH 311/497] Jenkinsfile > Creating a temp file to collect lint result is not required --- .Jenkinsfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.Jenkinsfile b/.Jenkinsfile index 3f436cda..d10526b2 100644 --- a/.Jenkinsfile +++ b/.Jenkinsfile @@ -14,8 +14,8 @@ pipeline { } steps { script { - sh 'for role_dir in ./*/; do HOME=$WORKSPACE_TMP ansible-lint -p $role_dir >> $WORKSPACE_TMP/lint.txt || : ; done' - recordIssues(tools: [ansibleLint(pattern: 'lint.txt')]) + sh 'for role_dir in ./*/; do HOME=$WORKSPACE_TMP ansible-lint -p $role_dir || : ; done' + recordIssues(tools: [ansibleLint()]) } } } -- 2.39.2 From 8eae5bba63e2d6eba85e35e73d36bac374c1e718 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 28 Dec 2022 09:02:17 +0100 Subject: [PATCH 312/497] Use systemd module instead of command --- CHANGELOG.md | 3 ++- bind/handlers/main.yml | 4 +++- docker-host/handlers/main.yml | 3 ++- logstash/handlers/main.yml | 3 ++- postgresql/handlers/main.yml | 3 ++- varnish/handlers/main.yml | 3 ++- 6 files changed, 13 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3edf0dac..9396143e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -14,7 +14,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed -* Removed all "warn: False" args in command, shell and other modules as it's been depreciated and will give a hard fail in ansible-core 2.14.0. +* Use systemd module instead of command +* Removed all "warn: False" args in command, shell and other modules as it's been deprecated and will give a hard fail in ansible-core 2.14.0. ### Fixed diff --git a/bind/handlers/main.yml b/bind/handlers/main.yml index 8bb61a21..15b9d046 100644 --- a/bind/handlers/main.yml +++ b/bind/handlers/main.yml @@ -1,6 +1,8 @@ --- - name: reload systemd - command: systemctl daemon-reload + systemd: + daemon-reload: yes + - name: restart apparmor service: diff --git a/docker-host/handlers/main.yml b/docker-host/handlers/main.yml index 8b484b49..c21a84ef 100644 --- a/docker-host/handlers/main.yml +++ b/docker-host/handlers/main.yml @@ -1,6 +1,7 @@ --- - name: reload systemd - command: systemctl daemon-reload + systemd: + daemon-reload: yes - name: restart docker service: diff --git a/logstash/handlers/main.yml b/logstash/handlers/main.yml index d21d4de3..82021675 100644 --- a/logstash/handlers/main.yml +++ b/logstash/handlers/main.yml @@ -7,4 +7,5 @@ daemon_reload: yes - name: reload systemd - command: systemctl daemon-reload \ No newline at end of file + systemd: + daemon-reload: yes \ No newline at end of file diff --git a/postgresql/handlers/main.yml b/postgresql/handlers/main.yml index 5275b6a1..15a773dd 100644 --- a/postgresql/handlers/main.yml +++ b/postgresql/handlers/main.yml @@ -16,7 +16,8 @@ daemon_reload: yes - name: reload systemd - command: systemctl daemon-reload + systemd: + daemon-reload: yes - name: Restart minifirewall command: /etc/init.d/minifirewall restart diff --git a/varnish/handlers/main.yml b/varnish/handlers/main.yml index 7f9fd3ff..6e47bc10 100644 --- a/varnish/handlers/main.yml +++ b/varnish/handlers/main.yml 
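Review bot: The new handlers spell the parameter `daemon-reload:` with a hyphen; the systemd module's documented parameter is `daemon_reload` (the hyphenated spelling is, as far as I know, only accepted as an alias), and the handlers immediately above in `logstash/handlers/main.yml`, `postgresql/handlers/main.yml` and `varnish/handlers/main.yml` already write `daemon_reload: yes`, so these files now mix both spellings. Use `daemon_reload: yes` in all five handlers (bind, docker-host, logstash, postgresql here and the varnish hunk that follows). The bind hunk also appears to leave two blank lines before `restart apparmor`, and the logstash file still ends without a trailing newline, both of which ansible-lint/yamllint will report.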
@@ -12,7 +12,8 @@ daemon_reload: yes - name: reload systemd - command: systemctl daemon-reload + systemd: + daemon-reload: yes - name: restart munin-node service: -- 2.39.2 From 7a0e0d81d6e7a2bd6bf5378814558e2e36a034bc Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 28 Dec 2022 09:03:37 +0100 Subject: [PATCH 313/497] Proper jinja spacing --- CHANGELOG.md | 1 + amazon-ec2/tasks/create-instance.yml | 30 +++++++++++----------- bind/templates/logrotate_bind.j2 | 4 +-- docker-host/defaults/main.yml | 4 +-- elasticsearch/tasks/additional_scripts.yml | 2 +- etc-git/tasks/repository.yml | 2 +- evoacme/templates/evoacme.conf.j2 | 12 ++++----- evocheck/tasks/install.yml | 2 +- fail2ban/tasks/main.yml | 2 +- fail2ban/templates/jail.local.j2 | 2 +- java/tasks/openjdk.yml | 2 +- kvm-host/tasks/tools.yml | 2 +- lxc-php/tasks/main.yml | 2 +- lxc-php/templates/mailname.j2 | 2 +- lxc-solr/tasks/solr.yml | 2 +- mongodb/tasks/main_bullseye.yml | 12 ++++----- mongodb/tasks/main_buster.yml | 6 ++--- mongodb/tasks/main_jessie.yml | 12 ++++----- mysql-oracle/tasks/utils.yml | 8 +++--- mysql/tasks/utils.yml | 8 +++--- mysql/templates/replication.cnf.j2 | 2 +- nagios-nrpe/tasks/main.yml | 2 +- php/tasks/main_bookworm.yml | 6 ++--- postgresql/tasks/config.yml | 6 ++--- postgresql/tasks/munin.yml | 8 +++--- postgresql/tasks/nrpe.yml | 2 +- postgresql/tasks/packages_bookworm.yml | 2 +- postgresql/tasks/packages_bullseye.yml | 2 +- postgresql/tasks/packages_buster.yml | 2 +- postgresql/tasks/packages_jessie.yml | 4 +-- postgresql/tasks/packages_stretch.yml | 2 +- postgresql/tasks/pgdg-repo.yml | 4 +-- postgresql/templates/postgresql.pref.j2 | 4 +-- varnish/tasks/main.yml | 4 +-- varnish/tasks/munin.yml | 2 +- webapps/evoadmin-web/tasks/user.yml | 2 +- 36 files changed, 86 insertions(+), 85 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9396143e..1f1a6b64 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -19,6 +19,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Fixed +* Proper jinja spacing * evolinux-base: ensure dbus is started and enabled (not by default in the case of an offline netinst) ### Removed diff --git a/amazon-ec2/tasks/create-instance.yml b/amazon-ec2/tasks/create-instance.yml index a3f84b1a..86e8f803 100644 --- a/amazon-ec2/tasks/create-instance.yml +++ b/amazon-ec2/tasks/create-instance.yml @@ -3,34 +3,34 @@ - name: Launch new instance(s) ec2: state: present - aws_access_key: "{{aws_access_key}}" - aws_secret_key: "{{aws_secret_key}}" - region: "{{aws_region}}" - image: "{{ec2_base_ami}}" - instance_type: "{{ec2_instance_type}}" - count: "{{ec2_instance_count}}" - assign_public_ip: "{{ec2_public_ip}}" - group: "{{ec2_security_group.name}}" - key_name: "{{ec2_keyname}}" + aws_access_key: "{{ aws_access_key }}" + aws_secret_key: "{{ aws_secret_key }}" + region: "{{ aws_region }}" + image: "{{ ec2_base_ami }}" + instance_type: "{{ ec2_instance_type }}" + count: "{{ ec2_instance_count }}" + assign_public_ip: "{{ ec2_public_ip }}" + group: "{{ ec2_security_group.name }}" + key_name: "{{ ec2_keyname }}" wait: yes register: ec2 - name: Add newly created instance(s) to inventory add_host: - hostname: "{{item.public_dns_name}}" + hostname: "{{ item.public_dns_name }}" groupname: launched-instances ansible_user: admin ansible_ssh_common_args: "-o StrictHostKeyChecking=no" - loop: "{{ec2.instances}}" + loop: "{{ ec2.instances }}" - debug: - msg: "Your newly created instance is reachable at: {{item.public_dns_name}}" - loop: "{{ec2.instances}}" + msg: "Your newly created instance is reachable at: {{ item.public_dns_name }}" + loop: "{{ ec2.instances }}" - name: Wait for SSH to come up on all instances (give up after 2m) wait_for: state: started - host: "{{item.public_dns_name}}" + host: "{{ item.public_dns_name }}" port: 22 timeout: 120 - loop: "{{ec2.instances}}" + loop: "{{ ec2.instances }}" 
diff --git a/bind/templates/logrotate_bind.j2 b/bind/templates/logrotate_bind.j2 index 3fe1589e..27877958 100644 --- a/bind/templates/logrotate_bind.j2 +++ b/bind/templates/logrotate_bind.j2 @@ -1,7 +1,7 @@ {% if bind_chroot_set %} -{{ bind_chroot_path }}{{bind_log_file}} { +{{ bind_chroot_path }}{{ bind_log_file }} { {% else %} -{{bind_log_file}} { +{{ bind_log_file }} { {% endif %} weekly missingok diff --git a/docker-host/defaults/main.yml b/docker-host/defaults/main.yml index 44496203..e4988e99 100644 --- a/docker-host/defaults/main.yml +++ b/docker-host/defaults/main.yml @@ -1,7 +1,7 @@ --- # If docher_home sets to /home/, the partition should be mounted with exec option. docker_home: /var/lib/docker -docker_tmpdir: "{{docker_home}}/tmp" +docker_tmpdir: "{{ docker_home }}/tmp" # Chose to use iptables instead of docker-proxy userland process docker_conf_use_iptables: False @@ -22,7 +22,7 @@ docker_daemon_listening_ip: 0.0.0.0 # TLS docker_tls_enabled: False -docker_tls_path: "{{docker_home}}/tls" +docker_tls_path: "{{ docker_home }}/tls" docker_tls_ca: ca/ca.pem docker_tls_ca_key: ca/ca-key.pem docker_tls_cert: server/cert.pem diff --git a/elasticsearch/tasks/additional_scripts.yml b/elasticsearch/tasks/additional_scripts.yml index 19e43535..e8373ef8 100644 --- a/elasticsearch/tasks/additional_scripts.yml +++ b/elasticsearch/tasks/additional_scripts.yml @@ -2,7 +2,7 @@ - include_role: name: evolix/remount-usr - when: elasticsearch_additional_scripts_dir is search ("/usr") + when: elasticsearch_additional_scripts_dir is search("/usr") - name: "{{ elasticsearch_additional_scripts_dir }} exists" file: diff --git a/etc-git/tasks/repository.yml b/etc-git/tasks/repository.yml index dbf66cda..7ebfc773 100644 --- a/etc-git/tasks/repository.yml +++ b/etc-git/tasks/repository.yml 
@@ -2,7 +2,7 @@ - include_role: name: evolix/remount-usr - when: repository_path is search ("/usr") + when: repository_path is search("/usr") - name: "{{ repository_path }} is versioned with git" command: "git init ." diff --git a/evoacme/templates/evoacme.conf.j2 b/evoacme/templates/evoacme.conf.j2 index 27405f56..c2718763 100644 --- a/evoacme/templates/evoacme.conf.j2 +++ b/evoacme/templates/evoacme.conf.j2 @@ -1,9 +1,9 @@ ### File generated by Ansible ### -SSL_KEY_DIR=${SSL_KEY_DIR:-{{ evoacme_ssl_key_dir }}} -ACME_DIR=${ACME_DIR:-{{ evoacme_acme_dir }}} -CSR_DIR=${CSR_DIR:-{{ evoacme_csr_dir }}} -CRT_DIR=${CRT_DIR:-{{ evoacme_crt_dir }}} +SSL_KEY_DIR=${SSL_KEY_DIR:-{{ evoacme_ssl_key_dir } }} +ACME_DIR=${ACME_DIR:-{{ evoacme_acme_dir } }} +CSR_DIR=${CSR_DIR:-{{ evoacme_csr_dir } }} +CRT_DIR=${CRT_DIR:-{{ evoacme_crt_dir } }} HOOKS_DIR=${HOOKS_DIR:-"{{ evoacme_hooks_dir }}"} -LOG_DIR=${LOG_DIR:-{{ evoacme_log_dir }}} -SSL_MINDAY=${SSL_MINDAY:-{{ evoacme_ssl_minday }}} +LOG_DIR=${LOG_DIR:-{{ evoacme_log_dir } }} +SSL_MINDAY=${SSL_MINDAY:-{{ evoacme_ssl_minday } }} diff --git a/evocheck/tasks/install.yml b/evocheck/tasks/install.yml index c996542e..8abd7d57 100644 --- a/evocheck/tasks/install.yml +++ b/evocheck/tasks/install.yml @@ -1,7 +1,7 @@ --- - include_role: name: evolix/remount-usr - when: evocheck_bin_dir is search ("/usr") + when: evocheck_bin_dir is search("/usr") tags: - evocheck diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml index 08478112..b9c2d109 100644 --- a/fail2ban/tasks/main.yml +++ b/fail2ban/tasks/main.yml @@ -97,7 +97,7 @@ marker: "# ANSIBLE MANAGED" block: | [DEFAULT] - dbpurgeage = {{ fail2ban_recidive_bantime}} + dbpurgeage = {{ fail2ban_recidive_bantime }} insertafter: EOF create: yes mode: "0644" diff --git a/fail2ban/templates/jail.local.j2 b/fail2ban/templates/jail.local.j2 index 3738ee33..6713c92e 100644 --- a/fail2ban/templates/jail.local.j2 +++ b/fail2ban/templates/jail.local.j2 
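Review bot: The six rewritten lines now read `{{ evoacme_ssl_key_dir } }}`: the spacing pass took the shell `${VAR:-...}` closing brace for part of the Jinja delimiter, so the Jinja expression contains a stray `}` and the template should fail to render with a Jinja syntax error, breaking evoacme deployment; the original `{{ evoacme_ssl_key_dir }}}` was correct. Rather than going back to the ambiguous triple brace, quote the value as the untouched `HOOKS_DIR` line already does, `SSL_KEY_DIR=${SSL_KEY_DIR:-"{{ evoacme_ssl_key_dir }}"}`, and apply the same to ACME_DIR, CSR_DIR, CRT_DIR, LOG_DIR and SSL_MINDAY. A comment at the top of the template noting that the trailing `}` belongs to the shell default expansion would stop the next formatting pass from repeating this.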
@@ -16,7 +16,7 @@ destemail = {{ fail2ban_alert_email or general_alert_email | mandatory }} # ACTIONS banaction = iptables-multiport -action = %({{fail2ban_default_action}})s +action = %({{ fail2ban_default_action }})s [sshd] diff --git a/java/tasks/openjdk.yml b/java/tasks/openjdk.yml index 4af3cec1..13135d9c 100644 --- a/java/tasks/openjdk.yml +++ b/java/tasks/openjdk.yml @@ -25,7 +25,7 @@ - name: Install specific openjdk package apt: - name: "openjdk-{{ java_version}}-jre-headless" + name: "openjdk-{{ java_version }}-jre-headless" default_release: "{{ java_apt_release }}" state: present tags: diff --git a/kvm-host/tasks/tools.yml b/kvm-host/tasks/tools.yml index 83845a31..1e114bb7 100644 --- a/kvm-host/tasks/tools.yml +++ b/kvm-host/tasks/tools.yml @@ -8,7 +8,7 @@ - include_role: name: remount-usr - when: kvm_scripts_dir is search ("/usr") + when: kvm_scripts_dir is search("/usr") - name: add-vm script is present copy: diff --git a/lxc-php/tasks/main.yml b/lxc-php/tasks/main.yml index 4471a709..d967287d 100644 --- a/lxc-php/tasks/main.yml +++ b/lxc-php/tasks/main.yml @@ -4,7 +4,7 @@ msg: Please configure var lxc_php_version when: lxc_php_version is none -- name: "Update APT cache in container {{lxc_php_version}}" +- name: "Update APT cache in container {{ lxc_php_version }}" lxc_container: name: "{{ lxc_php_version }}" container_command: "apt-get update" diff --git a/lxc-php/templates/mailname.j2 b/lxc-php/templates/mailname.j2 index e374dd45..ff7139b8 100644 --- a/lxc-php/templates/mailname.j2 +++ b/lxc-php/templates/mailname.j2 @@ -1 +1 @@ -{{ansible_fqdn}} +{{ ansible_fqdn }} diff --git a/lxc-solr/tasks/solr.yml b/lxc-solr/tasks/solr.yml index 9e37bf44..a2f0c373 100644 --- a/lxc-solr/tasks/solr.yml +++ b/lxc-solr/tasks/solr.yml 
@@ -39,4 +39,4 @@ mode: '0755' - name: "Install Solr {{ solr_version }}" - command: "lxc-attach -n {{name}} -- /root/solr-{{ solr_version }}/bin/install_solr_service.sh /root/solr-{{ solr_version }}.tgz -d /home/solr/{{name}} -p {{ solr_port }}" + command: "lxc-attach -n {{ name }} -- /root/solr-{{ solr_version }}/bin/install_solr_service.sh /root/solr-{{ solr_version }}.tgz -d /home/solr/{{ name }} -p {{ solr_port }}" diff --git a/mongodb/tasks/main_bullseye.yml b/mongodb/tasks/main_bullseye.yml index cd8bb15f..baaf155f 100644 --- a/mongodb/tasks/main_bullseye.yml +++ b/mongodb/tasks/main_bullseye.yml @@ -20,8 +20,8 @@ - name: Add MongoDB GPG key copy: - src: "server-{{mongodb_version}}.asc" - dest: "{{ apt_keyring_dir }}/mongodb-server-{{mongodb_version}}.asc" + src: "server-{{ mongodb_version }}.asc" + dest: "{{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc" force: yes mode: "0644" owner: root @@ -29,16 +29,16 @@ - name: Enable APT sources list apt_repository: - repo: "deb [signed-by={{ apt_keyring_dir }}/mongodb-server-{{mongodb_version}}.asc] http://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{mongodb_version}} main" + repo: "deb [signed-by={{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc] http://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{ mongodb_version }} main" state: present - filename: "mongodb-org-{{mongodb_version}}" + filename: "mongodb-org-{{ mongodb_version }}" update_cache: yes - name: Disable unsigned APT sources list apt_repository: - repo: "deb http://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{mongodb_version}} main" + repo: "deb http://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{ mongodb_version }} main" state: absent - filename: "mongodb-org-{{mongodb_version}}" + filename: "mongodb-org-{{ mongodb_version }}" update_cache: yes - name: Install packages diff --git a/mongodb/tasks/main_buster.yml b/mongodb/tasks/main_buster.yml index 5d2024c8..44baabc9 100644 
--- a/mongodb/tasks/main_buster.yml +++ b/mongodb/tasks/main_buster.yml @@ -14,7 +14,7 @@ - name: Add MongoDB GPG key copy: - src: "server-{{mongodb_version}}.asc" + src: "server-{{ mongodb_version }}.asc" dest: "{{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc" force: yes mode: "0644" @@ -25,14 +25,14 @@ apt_repository: repo: "deb [signed-by={{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc] http://repo.mongodb.org/apt/debian buster/mongodb-org/{{ mongodb_version }} main" state: present - filename: "mongodb-org-{{mongodb_version}}" + filename: "mongodb-org-{{ mongodb_version }}" update_cache: yes - name: Disable unsigned APT sources list apt_repository: repo: "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/{{ mongodb_version }} main" state: absent - filename: "mongodb-org-{{mongodb_version}}" + filename: "mongodb-org-{{ mongodb_version }}" update_cache: yes - name: Install packages diff --git a/mongodb/tasks/main_jessie.yml b/mongodb/tasks/main_jessie.yml index 7fdb3df5..bc239393 100644 --- a/mongodb/tasks/main_jessie.yml +++ b/mongodb/tasks/main_jessie.yml @@ -14,8 +14,8 @@ - name: Add MongoDB GPG key copy: - src: "server-{{mongodb_version}}.asc" - dest: "/etc/apt/trusted.gpg.d/mongodb-server-{{mongodb_version}}.asc" + src: "server-{{ mongodb_version }}.asc" + dest: "/etc/apt/trusted.gpg.d/mongodb-server-{{ mongodb_version }}.asc" force: yes mode: "0644" owner: root 
@@ -23,16 +23,16 @@ - name: Enable APT sources list apt_repository: - repo: "deb http://repo.mongodb.org/apt/debian jessie/mongodb-org/{{mongodb_version}} main" + repo: "deb http://repo.mongodb.org/apt/debian jessie/mongodb-org/{{ mongodb_version }} main" state: present - filename: "mongodb-org-{{mongodb_version}}" + filename: "mongodb-org-{{ mongodb_version }}" update_cache: yes - name: Disable APT sources list apt_repository: - repo: "deb http://repo.mongodb.org/apt/debian jessie/mongodb-org/{{mongodb_version}} main" + repo: "deb http://repo.mongodb.org/apt/debian jessie/mongodb-org/{{ mongodb_version }} main" state: absent - filename: "mongodb-org-{{mongodb_version}}" + filename: "mongodb-org-{{ mongodb_version }}" update_cache: yes - name: Install packages diff --git a/mysql-oracle/tasks/utils.yml b/mysql-oracle/tasks/utils.yml index e0520cee..82b0ddbe 100644 --- a/mysql-oracle/tasks/utils.yml +++ b/mysql-oracle/tasks/utils.yml @@ -5,7 +5,7 @@ - include_role: name: evolix/remount-usr - when: _mysql_scripts_dir is search ("/usr") + when: _mysql_scripts_dir is search("/usr") - name: Scripts directory exists file: @@ -106,7 +106,7 @@ name: evolix/remount-usr tags: - mysql - when: _mysql_scripts_dir is search ("/usr") + when: _mysql_scripts_dir is search("/usr") - name: mysqltuner is installed # copy: @@ -132,7 +132,7 @@ name: evolix/remount-usr tags: - mysql - when: _mysql_scripts_dir is search ("/usr") + when: _mysql_scripts_dir is search("/usr") - name: mysql-optimize.sh is installed copy: @@ -203,7 +203,7 @@ - include_role: name: evolix/remount-usr - when: _mysql_scripts_dir is search ("/usr") + when: _mysql_scripts_dir is search("/usr") - name: Install my-add.sh copy: diff --git a/mysql/tasks/utils.yml b/mysql/tasks/utils.yml index 1ac8f2df..8adbb1be 100644 --- a/mysql/tasks/utils.yml +++ b/mysql/tasks/utils.yml 
@@ -5,7 +5,7 @@ - include_role: name: evolix/remount-usr - when: _mysql_scripts_dir is search ("/usr") + when: _mysql_scripts_dir is search("/usr") - name: Ensure scripts directory exists file: @@ -96,7 +96,7 @@ - include_role: name: evolix/remount-usr - when: _mysql_scripts_dir is search ("/usr") + when: _mysql_scripts_dir is search("/usr") - name: Install mysqltuner # copy: @@ -132,7 +132,7 @@ - include_role: name: evolix/remount-usr - when: _mysql_scripts_dir is search ("/usr") + when: _mysql_scripts_dir is search("/usr") - name: Optimize script for MySQL copy: @@ -196,7 +196,7 @@ - include_role: name: evolix/remount-usr - when: _mysql_scripts_dir is search ("/usr") + when: _mysql_scripts_dir is search("/usr") - name: Install my-add.sh copy: diff --git a/mysql/templates/replication.cnf.j2 b/mysql/templates/replication.cnf.j2 index 030f2470..460f0833 100644 --- a/mysql/templates/replication.cnf.j2 +++ b/mysql/templates/replication.cnf.j2 @@ -1,4 +1,4 @@ -# {{ansible_managed}} +# {{ ansible_managed }} [mysqld] {% if mysql_log_bin %} diff --git a/nagios-nrpe/tasks/main.yml b/nagios-nrpe/tasks/main.yml index 77770020..7ccc6718 100644 --- a/nagios-nrpe/tasks/main.yml +++ b/nagios-nrpe/tasks/main.yml @@ -58,7 +58,7 @@ - include_role: name: evolix/remount-usr - when: nagios_plugins_directory is search ("/usr") + when: nagios_plugins_directory is search("/usr") tags: - nagios-nrpe - nagios-plugins diff --git a/php/tasks/main_bookworm.yml b/php/tasks/main_bookworm.yml index 4dcde767..74329046 100644 --- a/php/tasks/main_bookworm.yml +++ b/php/tasks/main_bookworm.yml 
@@ -19,9 +19,9 @@ php_apache_custom_ini_file: "{{ php_apache_conf_dir }}/zzz-evolinux-custom.ini" php_fpm_defaults_ini_file: "{{ php_fpm_conf_dir }}/z-evolinux-defaults.ini" php_fpm_custom_ini_file: "{{ php_fpm_conf_dir }}/zzz-evolinux-custom.ini" - php_fpm_debian_default_pool_file: "{{ php_fpm_pool_dir}}/www.conf" - php_fpm_default_pool_file: "{{ php_fpm_pool_dir}}/www-evolinux-defaults.conf" - php_fpm_default_pool_custom_file: "{{ php_fpm_pool_dir}}/www-evolinux-zcustom.conf" + php_fpm_debian_default_pool_file: "{{ php_fpm_pool_dir }}/www.conf" + php_fpm_default_pool_file: "{{ php_fpm_pool_dir }}/www-evolinux-defaults.conf" + php_fpm_default_pool_custom_file: "{{ php_fpm_pool_dir }}/www-evolinux-zcustom.conf" php_fpm_default_pool_socket: "/var/run/php/php{{ php_version }}-fpm.sock" php_fpm_service_name: "php{{ php_version }}-fpm" diff --git a/postgresql/tasks/config.yml b/postgresql/tasks/config.yml index f29026df..966f0930 100644 --- a/postgresql/tasks/config.yml +++ b/postgresql/tasks/config.yml @@ -17,13 +17,13 @@ - name: Allow conf.d/*.conf files to be included in PostgreSQL configuration lineinfile: - name: "/etc/postgresql/{{postgresql_version}}/main/postgresql.conf" + name: "/etc/postgresql/{{ postgresql_version }}/main/postgresql.conf" line: include_dir = 'conf.d' notify: restart postgresql - name: Create conf.d directory file: - name: "/etc/postgresql/{{postgresql_version}}/main/conf.d/" + name: "/etc/postgresql/{{ postgresql_version }}/main/conf.d/" state: directory owner: postgres group: postgres @@ -32,7 +32,7 @@ - name: Copy PostgreSQL config file template: src: postgresql.conf.j2 - dest: "/etc/postgresql/{{postgresql_version}}/main/conf.d/zz-evolinux.conf" + dest: "/etc/postgresql/{{ postgresql_version }}/main/conf.d/zz-evolinux.conf" owner: postgres group: postgres mode: "0644" diff --git a/postgresql/tasks/munin.yml b/postgresql/tasks/munin.yml index 227304c8..feb0b678 100644 --- a/postgresql/tasks/munin.yml +++ b/postgresql/tasks/munin.yml 
@@ -12,8 +12,8 @@ - name: Add Munin plugins for PostgreSQL file: state: link - src: '/usr/share/munin/plugins/{{item}}' - dest: '/etc/munin/plugins/{{item}}' + src: '/usr/share/munin/plugins/{{ item }}' + dest: '/etc/munin/plugins/{{ item }}' loop: - postgres_bgwriter - postgres_checkpoints @@ -26,8 +26,8 @@ - name: Add Munin plugins for PostgreSQL (for specific databases) file: state: link - src: '/usr/share/munin/plugins/{{item[0]}}' - dest: '/etc/munin/plugins/{{item[0]}}{{item[1]}}' + src: '/usr/share/munin/plugins/{{ item[0] }}' + dest: '/etc/munin/plugins/{{ item[0] }}{{ item[1] }}' loop: "{{ _plugins | product(_databases) | list }}" vars: _plugins: diff --git a/postgresql/tasks/nrpe.yml b/postgresql/tasks/nrpe.yml index 4aea2d81..833ab1ea 100644 --- a/postgresql/tasks/nrpe.yml +++ b/postgresql/tasks/nrpe.yml @@ -42,7 +42,7 @@ lineinfile: name: /etc/nagios/nrpe.d/evolix.cfg regexp: '^command\[check_pgsql\]=' - line: 'command[check_pgsql]=/usr/lib/nagios/plugins/check_pgsql -H localhost -l nrpe -p "{{postgresql_nrpe_password.stdout}}"' + line: 'command[check_pgsql]=/usr/lib/nagios/plugins/check_pgsql -H localhost -l nrpe -p "{{ postgresql_nrpe_password.stdout }}"' notify: restart nagios-nrpe-server when: postgresql_create_nrpe_user is changed when: nrpe_evolix_config.stat.exists diff --git a/postgresql/tasks/packages_bookworm.yml b/postgresql/tasks/packages_bookworm.yml index 2a78b967..fb09497f 100644 --- a/postgresql/tasks/packages_bookworm.yml +++ b/postgresql/tasks/packages_bookworm.yml @@ -11,6 +11,6 @@ - name: Install postgresql package apt: name: - - "postgresql-{{postgresql_version}}" + - "postgresql-{{ postgresql_version }}" - pgtop - libdbd-pg-perl diff --git a/postgresql/tasks/packages_bullseye.yml b/postgresql/tasks/packages_bullseye.yml index 1b4cb0ac..5ed62d9a 100644 --- a/postgresql/tasks/packages_bullseye.yml +++ b/postgresql/tasks/packages_bullseye.yml 
@@ -11,6 +11,6 @@ - name: Install postgresql package apt: name: - - "postgresql-{{postgresql_version}}" + - "postgresql-{{ postgresql_version }}" - pgtop - libdbd-pg-perl diff --git a/postgresql/tasks/packages_buster.yml b/postgresql/tasks/packages_buster.yml index 815e741d..7ecf11be 100644 --- a/postgresql/tasks/packages_buster.yml +++ b/postgresql/tasks/packages_buster.yml @@ -11,6 +11,6 @@ - name: Install postgresql package apt: name: - - "postgresql-{{postgresql_version}}" + - "postgresql-{{ postgresql_version }}" - pgtop - libdbd-pg-perl diff --git a/postgresql/tasks/packages_jessie.yml b/postgresql/tasks/packages_jessie.yml index b9f9b31b..60bb2247 100644 --- a/postgresql/tasks/packages_jessie.yml +++ b/postgresql/tasks/packages_jessie.yml @@ -10,8 +10,8 @@ - name: Install postgresql package apt: - name: '{{item}}' + name: '{{ item }}' loop: - - "postgresql-{{postgresql_version}}" + - "postgresql-{{ postgresql_version }}" - ptop - libdbd-pg-perl diff --git a/postgresql/tasks/packages_stretch.yml b/postgresql/tasks/packages_stretch.yml index a43c313b..45b8840c 100644 --- a/postgresql/tasks/packages_stretch.yml +++ b/postgresql/tasks/packages_stretch.yml @@ -11,6 +11,6 @@ - name: Install postgresql package apt: name: - - "postgresql-{{postgresql_version}}" + - "postgresql-{{ postgresql_version }}" - ptop - libdbd-pg-perl diff --git a/postgresql/tasks/pgdg-repo.yml b/postgresql/tasks/pgdg-repo.yml index f03ae52f..ef467f97 100644 --- a/postgresql/tasks/pgdg-repo.yml +++ b/postgresql/tasks/pgdg-repo.yml 
@@ -31,12 +31,12 @@ - name: Add PGDG repository apt_repository: - repo: "deb [signed-by={{ apt_keyring_dir }}/postgresql.asc] http://apt.postgresql.org/pub/repos/apt/ {{ansible_distribution_release}}-pgdg main" + repo: "deb [signed-by={{ apt_keyring_dir }}/postgresql.asc] http://apt.postgresql.org/pub/repos/apt/ {{ ansible_distribution_release }}-pgdg main" update_cache: yes - name: Remove unsigned PGDG repository apt_repository: - repo: "deb http://apt.postgresql.org/pub/repos/apt/ {{ansible_distribution_release}}-pgdg main" + repo: "deb http://apt.postgresql.org/pub/repos/apt/ {{ ansible_distribution_release }}-pgdg main" update_cache: yes state: absent diff --git a/postgresql/templates/postgresql.pref.j2 b/postgresql/templates/postgresql.pref.j2 index 74196cf6..5d252e05 100644 --- a/postgresql/templates/postgresql.pref.j2 +++ b/postgresql/templates/postgresql.pref.j2 @@ -1,3 +1,3 @@ -Package: postgresql-{{postgresql_version}} postgresql-client-common postgresql-common libpq5 ptop -Pin: release a={{ansible_distribution_release}}-pgdg +Package: postgresql-{{ postgresql_version }} postgresql-client-common postgresql-common libpq5 ptop +Pin: release a={{ ansible_distribution_release }}-pgdg Pin-Priority: 999 diff --git a/varnish/tasks/main.yml b/varnish/tasks/main.yml index 43399f0d..7af86b72 100644 --- a/varnish/tasks/main.yml +++ b/varnish/tasks/main.yml @@ -122,8 +122,8 @@ - name: Patch logrotate conf replace: name: /etc/logrotate.d/varnish - regexp: '^(\s+)(/usr/sbin/invoke-rc.d {{item}}.*)' - replace: '\1systemctl -q is-active {{item}} && \2' + regexp: '^(\s+)(/usr/sbin/invoke-rc.d {{ item }}.*)' + replace: '\1systemctl -q is-active {{ item }} && \2' loop: - varnishlog - varnishncsa diff --git a/varnish/tasks/munin.yml b/varnish/tasks/munin.yml index 1ccf5f88..77637a98 100644 --- a/varnish/tasks/munin.yml +++ b/varnish/tasks/munin.yml 
@@ -33,7 +33,7 @@ - name: Enable varnish5 munin plugin file: src: /usr/local/share/munin/plugins/varnish5_ - dest: "/etc/munin/plugins/varnish5_{{item}}" + dest: "/etc/munin/plugins/varnish5_{{ item }}" state: link loop: - memory_usage diff --git a/webapps/evoadmin-web/tasks/user.yml b/webapps/evoadmin-web/tasks/user.yml index f26bc57b..0d453e9a 100644 --- a/webapps/evoadmin-web/tasks/user.yml +++ b/webapps/evoadmin-web/tasks/user.yml @@ -80,7 +80,7 @@ - include_role: name: evolix/remount-usr - when: evoadmin_scripts_dir is search ("/usr") + when: evoadmin_scripts_dir is search("/usr") - name: "Create {{ evoadmin_scripts_dir }}" file: -- 2.39.2 From 1a034af94435a0353f456eb485771e83bcf68b42 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Fri, 30 Dec 2022 10:45:09 +0100 Subject: [PATCH 314/497] nagios-nrpe: Print pool config path in check_phpfpm_multi output --- nagios-nrpe/files/plugins/check_phpfpm_multi | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/nagios-nrpe/files/plugins/check_phpfpm_multi b/nagios-nrpe/files/plugins/check_phpfpm_multi index 865c31d3..b02fc7e2 100644 --- a/nagios-nrpe/files/plugins/check_phpfpm_multi +++ b/nagios-nrpe/files/plugins/check_phpfpm_multi @@ -56,20 +56,20 @@ for pool_file in $POOL_FILES; do if [ "${ret}" -ge 2 ]; then nb_crit=$((nb_crit + 1)) - output="${output}${result}\n" [ "${return}" -le 2 ] && return=2 elif [ "${ret}" -ge 1 ]; then nb_warn=$((nb_warn + 1)) - output="${output}${result}\n" [ "${return}" -le 1 ] && return=1 else nb_ok=$((nb_ok + 1)) - output="${output}$(echo "$result" | cut -d '|' -f1)\n" [ "${return}" -le 0 ] && return=0 fi + result_status=$(echo ${result} | awk -F' - ' '{ print $1}') + result_content=$(echo ${result} | awk -F' - ' '{ print $2}') + output="${output}${result_status} - ${pool_file} - ${result_content}\n" -done; +done [ "${return}" -ge 0 ] && header="OK" -- 2.39.2 From 84014017166739d07b52dadf2283a87bc2650c90 Mon Sep 17 00:00:00 2001 
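Review bot: The three lines added inside the check_phpfpm_multi loop pass `${result}` to `echo` unquoted, so a `*` or `?` in a check's output is glob-expanded against the current directory and a leading `-n`/`-e` is swallowed by `echo`, and the awk `$2` silently drops anything after a second ` - ` separator. Plain parameter expansion does the same split with no subshell and no re-parsing: `result_status="${result%% - *}"` and `result_content="${result#* - }"`. The removed OK branch also stripped perfdata with `cut -d '|' -f1`, whereas the unified output line now keeps the full text for OK pools; that looks like an output change the commit message does not mention, so worth confirming it is intended. The enclosing `for pool_file` loop starts before the hunk.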
From: William Hirigoyen Date: Fri, 30 Dec 2022 10:46:24 +0100 Subject: [PATCH 315/497] Update CHANGELOG --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1f1a6b64..29868078 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added +* nagios-nrpe: Print pool config path in check_phpfpm_multi output + ### Changed * Use systemd module instead of command -- 2.39.2 From 48e3ced983c0e25ea2f342ed5e9c62c6eeabaa00 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Mon, 2 Jan 2023 17:27:25 +0100 Subject: [PATCH 316/497] elasticsearch : use logrotate for garbage collector logs --- CHANGELOG.md | 1 + elasticsearch/tasks/configuration.yml | 12 ++++++++++++ elasticsearch/tasks/logs.yml | 9 +++++++++ elasticsearch/templates/logrotate.j2 | 12 ++++++++++++ elasticsearch/templates/rotate_elasticsearch_logs.j2 | 3 +-- 5 files changed, 35 insertions(+), 2 deletions(-) create mode 100644 elasticsearch/templates/logrotate.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index 29868078..8f9491d0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -23,6 +23,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * Proper jinja spacing * evolinux-base: ensure dbus is started and enabled (not by default in the case of an offline netinst) +* elasticsearch : use logrotate for garbage collector logs instead of breaking compression cron ### Removed diff --git a/elasticsearch/tasks/configuration.yml b/elasticsearch/tasks/configuration.yml index 99c311c2..c4a5916a 100644 --- a/elasticsearch/tasks/configuration.yml +++ b/elasticsearch/tasks/configuration.yml 
@@ -118,6 +118,18 @@ tags: - config +- name: Garbage collector logs rotation by the JVM is disabled + lineinfile: + dest: /etc/elasticsearch/jvm.options.d/evolinux.options + regexp: "^-Xlog:gc" + line: "-Xlog:gc*,gc+age=trace,safepoint:file=/var/log/elasticsearch/gc.log:utctime,pid,tags:filecount=0" + create: yes + owner: root + group: elasticsearch + mode: "0640" + tags: + - config + - name: Configure cluster members lineinfile: dest: /etc/elasticsearch/elasticsearch.yml diff --git a/elasticsearch/tasks/logs.yml b/elasticsearch/tasks/logs.yml index 01829dc9..018a0201 100644 --- a/elasticsearch/tasks/logs.yml +++ b/elasticsearch/tasks/logs.yml @@ -17,3 +17,12 @@ group: root mode: "0750" when: is_cron_installed.rc == 0 + +- name: "Setup logrotate for JVM garbage collector" + template: + src: logrotate.j2 + dest: /etc/logrotate/elasticsearch + owner: root + group: root + mode: "0750" + when: is_cron_installed.rc == 0 diff --git a/elasticsearch/templates/logrotate.j2 b/elasticsearch/templates/logrotate.j2 new file mode 100644 index 00000000..1e78ddec --- /dev/null +++ b/elasticsearch/templates/logrotate.j2 @@ -0,0 +1,12 @@ +/var/log/elasticsearch/gc.log { + su elasticsearch elasticsearch + daily + rotate {{ elasticsearch_log_rotate_days }} + compress + nodelaycompress + missingok + copytruncate + dateext + dateformat .%Y-%m-%d +} + diff --git a/elasticsearch/templates/rotate_elasticsearch_logs.j2 b/elasticsearch/templates/rotate_elasticsearch_logs.j2 index 849a9ca1..981ca433 100644 --- a/elasticsearch/templates/rotate_elasticsearch_logs.j2 +++ b/elasticsearch/templates/rotate_elasticsearch_logs.j2 
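Review bot: The new task in logs.yml writes the template to `/etc/logrotate/elasticsearch`, but logrotate's drop-in directory is `/etc/logrotate.d/` (the varnish role patched earlier on this page uses `/etc/logrotate.d/varnish`), so the gc.log rotation would never be picked up. `mode: "0750"` also looks wrong for a logrotate snippet: I believe logrotate skips config files whose mode is not 0644/0444 with a "bad file mode" message, so `dest: /etc/logrotate.d/elasticsearch` and `mode: "0644"` are what I would expect here. The `when: is_cron_installed.rc == 0` guard is copied from the cron task above it, but logrotate can also be driven by a systemd timer, so confirm that coupling is intended.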
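Review bot: `rotate {{ elasticsearch_log_rotate_days }}` in the new logrotate.j2 has no `| mandatory` filter, unlike `MAX_AGE={{ elasticsearch_log_rotate_days | mandatory }}` in rotate_elasticsearch_logs.j2 touched by the same commit, so an unset variable renders as `rotate ` with no count, which logrotate will most likely refuse at run time instead of the play failing early; `rotate {{ elasticsearch_log_rotate_days | mandatory }}` keeps the two consistent. Since the JVM is now started with `filecount=0` in the configuration.yml hunk, `copytruncate` is the correct choice here, and a one-line comment such as `{# JVM rotation is disabled in jvm.options.d, logrotate owns gc.log #}` would stop a future reader from removing it.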
@@ -8,7 +8,6 @@ MAX_AGE={{ elasticsearch_log_rotate_days | mandatory }} # Compress logs find ${LOG_DIR} -type f -user ${USER} -name "*.log.????-??-??" -exec gzip --best {} \; find ${LOG_DIR} -type f -user ${USER} -name "*-????-??-??.log" -exec gzip --best {} \; -find ${LOG_DIR} -type f -user ${USER} -name "*.log.??" -not -name "*.gz" -exec gzip --best {} \; # Delete old logs -find ${LOG_DIR} -type f -user ${USER} -name "*gz" -ctime +${MAX_AGE} -delete \ No newline at end of file +find ${LOG_DIR} -type f -user ${USER} -name "*gz" -ctime +${MAX_AGE} -delete -- 2.39.2 From 6c4243f3e1d6fa7bfcb7e25377e611df9a011176 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Tue, 3 Jan 2023 10:56:19 +0100 Subject: [PATCH 317/497] postgresql: logrotate with dateext and right permissions --- postgresql/files/logrotate_postgresql | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/postgresql/files/logrotate_postgresql b/postgresql/files/logrotate_postgresql index a9306aa3..1cb786a1 100644 --- a/postgresql/files/logrotate_postgresql +++ b/postgresql/files/logrotate_postgresql @@ -1,11 +1,10 @@ /var/log/postgresql/*.log { + su postgres adm daily rotate 10 copytruncate nodelaycompress compress - notifempty missingok - su root root + dateext } - -- 2.39.2 From 4cdf3bb07489006cb953aa704cca8ac8a5fd6512 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Wed, 4 Jan 2023 10:22:43 +0100 Subject: [PATCH 318/497] postgresql: fix regression introduced in 6c4243f3e in logrotate group --- postgresql/files/logrotate_postgresql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/postgresql/files/logrotate_postgresql b/postgresql/files/logrotate_postgresql index 1cb786a1..656e2991 100644 --- a/postgresql/files/logrotate_postgresql +++ b/postgresql/files/logrotate_postgresql @@ -1,5 +1,5 @@ /var/log/postgresql/*.log { - su postgres adm + su postgres postgres daily rotate 10 copytruncate -- 2.39.2 
From 90ba88e1571cb8f45a60708d129f4d9d8e04aaf2 Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Thu, 5 Jan 2023 15:06:30 -0500 Subject: [PATCH 319/497] Forgot to remove one of the warn: no occurences --- remount-usr/tasks/main.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/remount-usr/tasks/main.yml b/remount-usr/tasks/main.yml index 1bfedc64..e4cf9d36 100644 --- a/remount-usr/tasks/main.yml +++ b/remount-usr/tasks/main.yml @@ -10,8 +10,6 @@ - name: "mount /usr in rw" command: 'mount -o remount,rw /usr' - args: - warn: no changed_when: False when: usr_partition.rc == 0 notify: remount usr -- 2.39.2 From dbef71d791f1a6f7f8fdf6452f83e28d8cf71c6c Mon Sep 17 00:00:00 2001 From: David Prevot Date: Fri, 6 Jan 2023 09:54:51 +0100 Subject: [PATCH 320/497] Drop trailing whitespaces --- docker-host/defaults/main.yml | 2 +- dovecot/tasks/main.yml | 2 +- etc-git/tasks/main.yml | 2 +- etc-git/tasks/utils.yml | 2 +- evolinux-users/tasks/main.yml | 2 +- lxc-php/tasks/umask.yml | 2 +- memcached/tasks/nrpe.yml | 2 +- mongodb/tasks/main_bullseye.yml | 2 +- munin/tasks/main.yml | 2 +- mysql/tasks/mysql_skip.yml | 2 +- nginx/tasks/main.yml | 2 +- openvpn/tasks/debian.yml | 2 +- openvpn/tasks/openbsd.yml | 2 +- postgresql/tasks/packages_bookworm.yml | 2 +- postgresql/tasks/packages_bullseye.yml | 2 +- proftpd/tasks/accounts.yml | 2 +- proftpd/tasks/main.yml | 2 +- squid/tasks/main.yml | 2 +- vrrpd/tasks/ip.yml | 2 +- 19 files changed, 19 insertions(+), 19 deletions(-) diff --git a/docker-host/defaults/main.yml b/docker-host/defaults/main.yml index e4988e99..42c9cecc 100644 --- a/docker-host/defaults/main.yml +++ b/docker-host/defaults/main.yml @@ -20,7 +20,7 @@ docker_remote_access_enabled: False docker_daemon_port: 2376 docker_daemon_listening_ip: 0.0.0.0 -# TLS +# TLS docker_tls_enabled: False docker_tls_path: "{{ docker_home }}/tls" docker_tls_ca: ca/ca.pem diff --git a/dovecot/tasks/main.yml b/dovecot/tasks/main.yml index c9de6045..dddd951c 100644 
--- a/dovecot/tasks/main.yml +++ b/dovecot/tasks/main.yml @@ -87,7 +87,7 @@ name: log2mail state: present tags: dovecot - + - name: dovecot is configured in log2mail blockinfile: path: /etc/log2mail/config/mail.conf diff --git a/etc-git/tasks/main.yml b/etc-git/tasks/main.yml index f71ba552..ac28e1e7 100644 --- a/etc-git/tasks/main.yml +++ b/etc-git/tasks/main.yml @@ -6,7 +6,7 @@ state: present tags: - etc-git - when: + when: - ansible_distribution == "Debian" - name: Install and configure utilities diff --git a/etc-git/tasks/utils.yml b/etc-git/tasks/utils.yml index cd060de1..831f62a6 100644 --- a/etc-git/tasks/utils.yml +++ b/etc-git/tasks/utils.yml @@ -51,7 +51,7 @@ register: is_cron_installed - block: - - name: Legacy cron jobs for /etc/.git status are absent + - name: Legacy cron jobs for /etc/.git status are absent file: dest: "{{ item }}" state: absent diff --git a/evolinux-users/tasks/main.yml b/evolinux-users/tasks/main.yml index d105aefe..1e9cc5a3 100644 --- a/evolinux-users/tasks/main.yml +++ b/evolinux-users/tasks/main.yml @@ -16,7 +16,7 @@ vars: user: "{{ item.value }}" loop: "{{ evolinux_users | dict2items }}" - when: + when: - user.create == evolinux_users_create - evolinux_users | length > 0 diff --git a/lxc-php/tasks/umask.yml b/lxc-php/tasks/umask.yml index 8dc9039a..4460d587 100644 --- a/lxc-php/tasks/umask.yml +++ b/lxc-php/tasks/umask.yml @@ -11,7 +11,7 @@ path: "{{ lxc_rootfs_path }}/etc/systemd/system/{{ lxc_php_services[lxc_php_version] }}.d" state: directory register: systemd_path - + - name: "[Service] est présent dans la surchage des services PHP-FPM des conteneurs LXC." ansible.builtin.lineinfile: path: "{{ systemd_path.path }}/evolinux.conf" diff --git a/memcached/tasks/nrpe.yml b/memcached/tasks/nrpe.yml index ff0fc8b3..9fe28942 100644 --- a/memcached/tasks/nrpe.yml +++ b/memcached/tasks/nrpe.yml @@ -8,7 +8,7 @@ - block: - name: Install dependencies apt: - name: + name: - libcache-memcached-perl - libmemcached11 
diff --git a/mongodb/tasks/main_bullseye.yml b/mongodb/tasks/main_bullseye.yml index baaf155f..c17642ea 100644 --- a/mongodb/tasks/main_bullseye.yml +++ b/mongodb/tasks/main_bullseye.yml @@ -3,7 +3,7 @@ - fail: msg: Not compatible with Debian 11 (Bullseye) when: - - ansible_distribution_release == "bullseye" + - ansible_distribution_release == "bullseye" - mongodb_version is version('5.0', '<') - name: Look for legacy apt keyring diff --git a/munin/tasks/main.yml b/munin/tasks/main.yml index a4ea9a49..6d3098dd 100644 --- a/munin/tasks/main.yml +++ b/munin/tasks/main.yml @@ -85,7 +85,7 @@ src: /usr/share/munin/plugins/sensors_ dest: "/etc/munin/plugins/sensors_{{ item }}" state: link - with_items: + with_items: - fan - temp when: ansible_virtualization_role == "host" diff --git a/mysql/tasks/mysql_skip.yml b/mysql/tasks/mysql_skip.yml index 12d70057..65d1c13f 100644 --- a/mysql/tasks/mysql_skip.yml +++ b/mysql/tasks/mysql_skip.yml @@ -46,7 +46,7 @@ src: mysql_skip.systemd.j2 dest: /etc/systemd/system/mysql_skip.service force: yes - + - name: "Start or stop systemd unit" systemd: name: mysql_skip diff --git a/nginx/tasks/main.yml b/nginx/tasks/main.yml index b3f1c313..e7abc1b5 100644 --- a/nginx/tasks/main.yml +++ b/nginx/tasks/main.yml @@ -66,7 +66,7 @@ - name: Include IP address whitelist task include: ip_whitelist.yml -- name: Copy evolinux_server_custom +- name: Copy evolinux_server_custom copy: src: nginx/snippets/evolinux_server_custom dest: /etc/nginx/snippets/evolinux_server_custom diff --git a/openvpn/tasks/debian.yml b/openvpn/tasks/debian.yml index b0201f0c..2fa0a647 100644 --- a/openvpn/tasks/debian.yml +++ b/openvpn/tasks/debian.yml @@ -290,6 +290,6 @@ The "push" parameter may be needed to push a route to the client, so that the client can access that route through OpenVPN. Take note of the generated CA password and store it in your password manager : {{ ca_pwd }} - + Press enter to exit when it's done. 
diff --git a/openvpn/tasks/openbsd.yml b/openvpn/tasks/openbsd.yml index b0e629be..ef16044e 100644 --- a/openvpn/tasks/openbsd.yml +++ b/openvpn/tasks/openbsd.yml @@ -218,6 +218,6 @@ The "push" parameter may be needed to push a route to the client, so that the client can access that route through OpenVPN. Take note of the generated CA password and store it in your password manager : {{ ca_pwd }} - + Press enter to exit when it's done. diff --git a/postgresql/tasks/packages_bookworm.yml b/postgresql/tasks/packages_bookworm.yml index fb09497f..8db31b9b 100644 --- a/postgresql/tasks/packages_bookworm.yml +++ b/postgresql/tasks/packages_bookworm.yml @@ -1,5 +1,5 @@ --- - + - name: "Set variables (Debian 12)" set_fact: postgresql_version: '15' diff --git a/postgresql/tasks/packages_bullseye.yml b/postgresql/tasks/packages_bullseye.yml index 5ed62d9a..e825b799 100644 --- a/postgresql/tasks/packages_bullseye.yml +++ b/postgresql/tasks/packages_bullseye.yml @@ -1,5 +1,5 @@ --- - + - name: "Set variables (Debian 11)" set_fact: postgresql_version: '13' diff --git a/proftpd/tasks/accounts.yml b/proftpd/tasks/accounts.yml index 4db814ef..b5cc5e85 100644 --- a/proftpd/tasks/accounts.yml +++ b/proftpd/tasks/accounts.yml @@ -70,7 +70,7 @@ loop_control: loop_var: _proftpd_account notify: restart proftpd - when: + when: - proftpd_sftp_enable | bool - proftpd_sftp_use_publickeys | bool tags: diff --git a/proftpd/tasks/main.yml b/proftpd/tasks/main.yml index f45958a9..3afc69cb 100644 --- a/proftpd/tasks/main.yml +++ b/proftpd/tasks/main.yml @@ -56,7 +56,7 @@ owner: root group: root notify: restart proftpd - when: + when: - proftpd_sftp_enable | bool - proftpd_sftp_use_publickeys | bool tags: diff --git a/squid/tasks/main.yml b/squid/tasks/main.yml index 4a3cab4d..5cb60ea9 100644 --- a/squid/tasks/main.yml +++ b/squid/tasks/main.yml @@ -24,7 +24,7 @@ - name: Fetch packages package_facts: - manager: auto + manager: auto - debug: var: ansible_facts.packages[squid_daemon_name] 
diff --git a/vrrpd/tasks/ip.yml b/vrrpd/tasks/ip.yml index 273c882e..e58595a2 100644 --- a/vrrpd/tasks/ip.yml +++ b/vrrpd/tasks/ip.yml @@ -17,6 +17,6 @@ daemon_reload: yes enabled: yes state: "{{ vrrp_address.state }}" - when: + when: - vrrp_systemd_unit is changed - not ansible_check_mode \ No newline at end of file -- 2.39.2 From e5cae4ba781a46e7a48ea9d88545cf57a1d0823e Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Mon, 9 Jan 2023 14:10:47 -0500 Subject: [PATCH 321/497] Fix evoacme jinja syntax problem This problem was introduced by commit 7a0e0d81d6e7a2bd6bf5378814558e2e36a034bc It made ansible crash when parsing the template. --- evoacme/templates/evoacme.conf.j2 | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/evoacme/templates/evoacme.conf.j2 b/evoacme/templates/evoacme.conf.j2 index c2718763..eae3ff45 100644 --- a/evoacme/templates/evoacme.conf.j2 +++ b/evoacme/templates/evoacme.conf.j2 @@ -1,9 +1,9 @@ ### File generated by Ansible ### -SSL_KEY_DIR=${SSL_KEY_DIR:-{{ evoacme_ssl_key_dir } }} -ACME_DIR=${ACME_DIR:-{{ evoacme_acme_dir } }} -CSR_DIR=${CSR_DIR:-{{ evoacme_csr_dir } }} -CRT_DIR=${CRT_DIR:-{{ evoacme_crt_dir } }} +SSL_KEY_DIR=${SSL_KEY_DIR:-{{ evoacme_ssl_key_dir }} } +ACME_DIR=${ACME_DIR:-{{ evoacme_acme_dir }} } +CSR_DIR=${CSR_DIR:-{{ evoacme_csr_dir }} } +CRT_DIR=${CRT_DIR:-{{ evoacme_crt_dir }} } HOOKS_DIR=${HOOKS_DIR:-"{{ evoacme_hooks_dir }}"} -LOG_DIR=${LOG_DIR:-{{ evoacme_log_dir } }} -SSL_MINDAY=${SSL_MINDAY:-{{ evoacme_ssl_minday } }} +LOG_DIR=${LOG_DIR:-{{ evoacme_log_dir }} } +SSL_MINDAY=${SSL_MINDAY:-{{ evoacme_ssl_minday }} } -- 2.39.2 From 08db5a5140f39a591f50a63d87faf027afeebba6 Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Tue, 10 Jan 2023 11:26:57 -0500 Subject: [PATCH 322/497] Fix problems with docker-host daemon.json config --- CHANGELOG.md | 1 + docker-host/templates/daemon.json.j2 | 4 +--- 2 files changed, 2 insertions(+), 3 deletions(-) 
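Review bot: The rewritten evoacme.conf.j2 lines move the space inside the shell default word, so `${SSL_KEY_DIR:-{{ evoacme_ssl_key_dir }} }` expands to the configured path followed by a trailing space whenever the variable is unset, because `${VAR:-word }` keeps every character up to the closing brace; the same applies to ACME_DIR, CSR_DIR, CRT_DIR, LOG_DIR and SSL_MINDAY. The `HOOKS_DIR` line in the same hunk already shows the safe form, which also avoids the `}}}` Jinja problem this commit fixes: `SSL_KEY_DIR=${SSL_KEY_DIR:-"{{ evoacme_ssl_key_dir }}"}`. As these are the directories the ACME scripts read keys from and write certificates to, a path with a trailing space would most likely make them operate on a location that does not exist.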
diff --git a/CHANGELOG.md b/CHANGELOG.md index 8f9491d0..fba9fb49 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -24,6 +24,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * Proper jinja spacing * evolinux-base: ensure dbus is started and enabled (not by default in the case of an offline netinst) * elasticsearch : use logrotate for garbage collector logs instead of breaking compression cron +* docker-host: fix type in daemon.json and remove host configuration that is already in the systemd service by default ### Removed diff --git a/docker-host/templates/daemon.json.j2 b/docker-host/templates/daemon.json.j2 index 08dcb1b2..f144d543 100644 --- a/docker-host/templates/daemon.json.j2 +++ b/docker-host/templates/daemon.json.j2 @@ -5,7 +5,7 @@ "data-root": "{{ docker_home }}", {# Keep containers running while docker daemon downtime #} - "live-restore": {{ docker_conf_live_restore | to_json }},, + "live-restore": {{ docker_conf_live_restore | to_json }}, {# Turn on user namespace remaping #} "userns-remap": "default", @@ -34,7 +34,5 @@ {% if docker_remote_access_enabled %} "hosts": ["tcp://{{ docker_daemon_listening_ip }}:{{ docker_daemon_port }}", "fd://"] - {% else %} - "hosts": ["fd://"] {% endif %} } -- 2.39.2 From 0413f93852e38e15d4a96d781400049a3f41a481 Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Tue, 10 Jan 2023 15:16:30 -0500 Subject: [PATCH 323/497] Fix problems with docker-host daemon.json config Docker is very strict with it's json format and doesnt seem to allow any surprise new lines or extra commas after the last option before the closing }. Since this is a dynamically constructed file, we dont know what the last option will be. By putting the commas at the start of the line and removing all newspace, we remove the problem, at the expense of a less readable jinja template. --- docker-host/templates/daemon.json.j2 | 52 ++++++++++++---------------- 1 file changed, 22 insertions(+), 30 deletions(-) 
diff --git a/docker-host/templates/daemon.json.j2 b/docker-host/templates/daemon.json.j2 index f144d543..a044234b 100644 --- a/docker-host/templates/daemon.json.j2 +++ b/docker-host/templates/daemon.json.j2 
@@ -1,38 +1,30 @@ { - "debug": false, - + "debug": false {# Docker data-dir (default to /var/lib/docker) #} - "data-root": "{{ docker_home }}", - + ,"data-root": "{{ docker_home }}" {# Keep containers running while docker daemon downtime #} - "live-restore": {{ docker_conf_live_restore | to_json }}, - + ,"live-restore": {{ docker_conf_live_restore | to_json }} {# Turn on user namespace remaping #} - "userns-remap": "default", - - {% if docker_conf_use_iptables %} + ,"userns-remap": "default" +{% if docker_conf_use_iptables %} {# Use iptables instead of docker-proxy #} - "userland-proxy": false, - "iptables": true, - {% endif %} - + ,"userland-proxy": false + ,"iptables": true +{% endif %} {# Disable the possibility for containers processes to gain new privileges #} - "no-new-privileges": {{ docker_conf_no_newprivileges | to_json }}, - - {% if docker_conf_disable_default_networking %} + ,"no-new-privileges": {{ docker_conf_no_newprivileges | to_json }} +{% if docker_conf_disable_default_networking %} {# Disable all default network connectivity #} - "bridge": "none", - "icc": false, - {% endif %} - - {% if docker_tls_enabled %} - "tls": true, - "tlscert": "{{ docker_tls_path }}/{{ docker_tls_cert }}", - "tlscacert": "{{ docker_tls_path }}/{{ docker_tls_ca }}", - "tlskey": "{{ docker_tls_path }}/{{ docker_tls_key }}", - {% endif %} - - {% if docker_remote_access_enabled %} - "hosts": ["tcp://{{ docker_daemon_listening_ip }}:{{ docker_daemon_port }}", "fd://"] - {% endif %} + ,"bridge": "none" + ,"icc": false +{% endif %} +{% if docker_tls_enabled %} + ,"tls": true + ,"tlscert": "{{ docker_tls_path }}/{{ docker_tls_cert }}" + ,"tlscacert": "{{ docker_tls_path }}/{{ docker_tls_ca }}" + ,"tlskey": "{{ docker_tls_path }}/{{ docker_tls_key }}" +{% endif %} +{% if docker_remote_access_enabled %} + ,"hosts": ["tcp://{{ docker_daemon_listening_ip }}:{{ docker_daemon_port }}", "fd://"] +{% endif %} } -- 2.39.2 
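Review bot: The TLS block sets `,"tls": true` with a `tlscacert` but never `,"tlsverify": true`, and as far as I can tell from dockerd's options that means the daemon presents a certificate without requiring one from clients, so with `docker_remote_access_enabled` the TCP listener on `docker_daemon_listening_ip` is an unauthenticated, root-equivalent API; add `,"tlsverify": true` next to `,"tls": true` or document why client certificates are deliberately not required. Nothing in the template stops `docker_remote_access_enabled` from being true while `docker_tls_enabled` is false, which renders a plaintext API socket — that combination deserves an `assert` task in the role. Also worth a comment near the `hosts` line: when `hosts` is set in daemon.json and the packaged systemd unit still passes `-H fd://` on the command line, dockerd refuses to start with a "specified both as a flag and in the configuration file" error, so remote access presumably relies on a unit drop-in that I can't see here.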
From 417734eed2376555dae492f920e8b126b55bb51b Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Wed, 11 Jan 2023 16:14:46 +0100 Subject: [PATCH 324/497] haproxy: fix missing admin ACL in stats module access permissions --- CHANGELOG.md | 1 + haproxy/templates/haproxy.default.cfg.j2 | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fba9fb49..7e03b8bf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -25,6 +25,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * evolinux-base: ensure dbus is started and enabled (not by default in the case of an offline netinst) * elasticsearch : use logrotate for garbage collector logs instead of breaking compression cron * docker-host: fix type in daemon.json and remove host configuration that is already in the systemd service by default +* haproxy: fix missing admin ACL in stats module access permissions ### Removed diff --git a/haproxy/templates/haproxy.default.cfg.j2 b/haproxy/templates/haproxy.default.cfg.j2 index e33d111a..0f13e54d 100644 --- a/haproxy/templates/haproxy.default.cfg.j2 +++ b/haproxy/templates/haproxy.default.cfg.j2 @@ -63,7 +63,7 @@ listen stats acl stats_users http_auth(stats_users) stats http-request auth realm "HAProxy admin" if !stats_access_ips !stats_users {% else %} - stats http-request deny if !stats_access_ips + stats http-request deny if !stats_access_ips !stats_admin_ips {% endif %} http-request set-log-level silent -- 2.39.2 From 68017d8db96803cb2464a4ca73432edaaa7c81b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Dubois?= Date: Thu, 12 Jan 2023 14:22:40 +0100 Subject: [PATCH 325/497] openvpn: fix the client cipher configuration to match the server cipher configuration --- CHANGELOG.md | 1 + openvpn/templates/ovpn.conf.j2 | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7e03b8bf..01240c44 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
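Review bot: Only the `{% else %}` branch gains `!stats_admin_ips`; the `stats http-request auth realm "HAProxy admin" if !stats_access_ips !stats_users` context line two lines above still omits it, so when stats users are configured an address that is only in the admin ACL is still challenged for a password (I can't see where `stats_admin_ips` is declared, so this may be intended). If admin IPs are meant to bypass authentication consistently, change that line to `stats http-request auth realm "HAProxy admin" if !stats_access_ips !stats_admin_ips !stats_users`. A short comment such as `# deny unless the client is in the access or admin IP ACL` would also help, since the implicit AND between two negated ACLs reads as an OR at first glance. The `listen stats` section begins before the hunk.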
@@ -26,6 +26,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * elasticsearch : use logrotate for garbage collector logs instead of breaking compression cron * docker-host: fix type in daemon.json and remove host configuration that is already in the systemd service by default * haproxy: fix missing admin ACL in stats module access permissions +* openvpn: fix the client cipher configuration to match the server cipher configuration ### Removed diff --git a/openvpn/templates/ovpn.conf.j2 b/openvpn/templates/ovpn.conf.j2 index d1b3c214..f65d43fd 100644 --- a/openvpn/templates/ovpn.conf.j2 +++ b/openvpn/templates/ovpn.conf.j2 @@ -9,5 +9,5 @@ nobind persist-key persist-tun -cipher AES-256-CBC +cipher AES-256-GCM -- 2.39.2 From dcc378776c920f9fdec32ca046ce74bbe14854c7 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Fri, 13 Jan 2023 11:04:32 +0100 Subject: [PATCH 326/497] webapp/nextcloud : Change default data directory to be outside web root --- CHANGELOG.md | 1 + webapps/nextcloud/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 01240c44..6da60c0c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * Use systemd module instead of command * Removed all "warn: False" args in command, shell and other modules as it's been deprecated and will give a hard fail in ansible-core 2.14.0. +* webapp/nextcloud : Change default data directory to be outside web root ### Fixed diff --git a/webapps/nextcloud/defaults/main.yml b/webapps/nextcloud/defaults/main.yml index 5c586620..c6e0a316 100644 --- a/webapps/nextcloud/defaults/main.yml +++ b/webapps/nextcloud/defaults/main.yml 
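Review bot: Hard-coding `cipher AES-256-GCM` in the client profile matches the server per the commit message, but on OpenVPN 2.5+ `cipher` is deprecated in favour of `data-ciphers`, and 2.4+ peers negotiate the cipher anyway; I can't see the server template or the OpenVPN versions the role targets, so take this as a hedged suggestion. If 2.5+ clients are the norm, `data-ciphers AES-256-GCM` plus `data-ciphers-fallback AES-256-GCM` is the forward-compatible form, with `cipher` kept only for pre-2.4 clients. Profiles already generated with `cipher AES-256-CBC` will stop connecting if the server no longer accepts CBC, which is worth a line in the CHANGELOG entry.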
@@ -9,7 +9,7 @@ nextcloud_domains: [] nextcloud_home: "/home/{{ nextcloud_user }}" nextcloud_webroot: "{{ nextcloud_home }}/nextcloud" -nextcloud_data: "{{ nextcloud_webroot }}/data" +nextcloud_data: "{{ nextcloud_home }}/data" nextcloud_db_user: "{{ nextcloud_user }}" nextcloud_db_name: "{{ nextcloud_instance_name }}" -- 2.39.2 From c27551939d65f118f851bc2c59b995fed2706b66 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Fri, 13 Jan 2023 11:05:55 +0100 Subject: [PATCH 327/497] webapps/nextcloud : Small enhancement on the vhost template to lock out data dir --- CHANGELOG.md | 3 ++- webapps/nextcloud/templates/apache-vhost.conf.j2 | 11 +++++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6da60c0c..b9d77908 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,7 +18,8 @@ The **patch** part changes is incremented if multiple releases happen the same m * Use systemd module instead of command * Removed all "warn: False" args in command, shell and other modules as it's been deprecated and will give a hard fail in ansible-core 2.14.0. -* webapp/nextcloud : Change default data directory to be outside web root +* webapps/nextcloud : Change default data directory to be outside web root +* webapps/nextcloud : Small enhancement on the vhost template to lock out data dir ### Fixed diff --git a/webapps/nextcloud/templates/apache-vhost.conf.j2 b/webapps/nextcloud/templates/apache-vhost.conf.j2 index ff9f621c..556fa4cb 100644 --- a/webapps/nextcloud/templates/apache-vhost.conf.j2 +++ b/webapps/nextcloud/templates/apache-vhost.conf.j2 @@ -5,9 +5,11 @@ ServerAlias {{ domain_alias }} {% endfor %} + # SSL # SSLEngine on # SSLCertificateFile /etc/letsencrypt/live/{{ nextcloud_instance_name }}/fullchain.pem # SSLCertificateKeyFile /etc/letsencrypt/live/{{ nextcloud_instance_name }}/privkey.pem + # Header always set Strict-Transport-Security "max-age=15552000" DocumentRoot {{ nextcloud_webroot }}/ 
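Review bot: Changing the default of `nextcloud_data` from `"{{ nextcloud_webroot }}/data"` to `"{{ nextcloud_home }}/data"` silently moves the data directory for every inventory that never set the variable explicitly; depending on how the role consumes it on re-runs (whether it rewrites `datadirectory` in config.php, which is not visible here), an existing instance could be pointed at an empty directory while its files stay in the web root. Moving the data directory out of the web root is the right default for new installs, but the CHANGELOG entry should flag it as a behaviour change for existing hosts and state that operators must either move the directory or pin `nextcloud_data` to the old path. A comment above the variable, `# Kept outside the web root so Apache can never serve user files; existing installs must migrate or override this`, would capture the reasoning for the next reader.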
@@ -21,6 +23,15 @@ + + Require all denied + AllowOverride None + + + Dav off + + + # SSL Redirect # RewriteEngine On # RewriteCond %{HTTPS} !=on -- 2.39.2 From 0cb751591ac115da41e3f058b723df6b95af420d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Dubois?= Date: Tue, 17 Jan 2023 11:11:33 +0100 Subject: [PATCH 328/497] =?UTF-8?q?nagios-nrpe=20:=20Rewrite=20check=5Fvrr?= =?UTF-8?q?pd=20for=20a=20better=20check=20(check=20rp=5Ffilter,=20vrrpd?= =?UTF-8?q?=20and=20uvrrpd=20compatible,=20use=20arguments,=20=E2=80=A6)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- CHANGELOG.md | 1 + nagios-nrpe/files/plugins/check_vrrpd | 254 ++++++++++++++++++-------- 2 files changed, 176 insertions(+), 79 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b9d77908..d601b50d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -20,6 +20,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * Removed all "warn: False" args in command, shell and other modules as it's been deprecated and will give a hard fail in ansible-core 2.14.0. * webapps/nextcloud : Change default data directory to be outside web root * webapps/nextcloud : Small enhancement on the vhost template to lock out data dir +* nagios-nrpe : Rewrite check_vrrpd for a better check (check rp_filter, vrrpd and uvrrpd compatible, use arguments, …) ### Fixed diff --git a/nagios-nrpe/files/plugins/check_vrrpd b/nagios-nrpe/files/plugins/check_vrrpd index 9390aa6e..5cd50027 100755 --- a/nagios-nrpe/files/plugins/check_vrrpd +++ b/nagios-nrpe/files/plugins/check_vrrpd 
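Review bot: The `Directory` container lines around the new `Require all denied` / `AllowOverride None` / `Dav off` block are not visible in this rendering (presumably stripped as angle-bracket tags), so I can't confirm which path they target; assuming it is `{{ nextcloud_data }}`, a one-line comment stating the intent would help, e.g. `# Never serve the data directory, even if nextcloud_data is overridden back into the webroot`. If the old `{{ nextcloud_webroot }}/data` location is not also covered, hosts that keep the previous default lose nothing, but hosts that moved would be protected only by Nextcloud's own .htaccess, which `AllowOverride None` disables. The enclosing `VirtualHost` container starts and ends outside the hunk.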
@@ -1,94 +1,190 @@ #!/bin/bash +# shellcheck disable=SC2207,SC2009,SC2076 -# README -# -# Variable to adjust : is_master and vrrpd_processes. -# vrrpd_processes is the number of vrrpd processes that should run on the server. -# is_master defines whether the vrrpd group should be master (1) or backup (0). -# -# If some instances have to be master and some other have to be backup, -# then the value of is_master is 2 and the states has to be precised in arguments. -# e.g. : ./check_vrrpd master backup master -# The order is defined by the output order of `ps auwx | grep vrrp` +usage() { +cat << EOL + Usage : -RC=0 -IFS=' -' + $0 --master X,Y --backup Z -is_master=2 # 1 if master ; 0 if backup ; 2 if mixed master and backup, in this case, it has to be precised in arguments -vrrpd_processes=3 # number of vrrpd processes that should be running -is_vrrpd_running=$(sudo /usr/lib/nagios//plugins/check_procs -C vrrpd -c $vrrpd_processes:$vrrpd_processes) -rc_is_vrrpd_running=$? -IP_vrrpd=($(for i in $(ps auwx | grep vrrpd | grep -v grep | grep -v check); do echo $i | awk '{print $--NF}'; done)) -INT_vrrpd=($(for i in $(ps auwx | grep vrrpd | grep -v grep | grep -v check); do echo $i | awk '{print $13}'; done)) -ID_vrrpd=($(for i in $(ps auwx | grep vrrpd | grep -v grep | grep -v check); do echo $i | awk '{print $19}'; done)) + -m|--master ID_MASTER # VRRP ID that should be master, separated by a comma "," + -b|--backup ID_BACKUP # VRRP ID that should be backup, separated by a comma "," + [--vrrpd] # Check for vrrpd daemon (default) + [--uvrrpd] # Check for uvrrpd daemon +EOL +} -if [[ $rc_is_vrrpd_running -ne 0 ]]; then - echo $is_vrrpd_running instead of $vrrpd_processes +unset ID_master +unset ID_backup +vrrpd_option="unset" +uvrrpd_option="unset" +unset critical_output +critical_state="unset" +unset warning_output +warning_state="unset" +unset ok_output +ok_state="unset" +exit_code=0 +used_daemon="vrrpd" +IFS=" +" + +# If no argument then show usage +if [ "$#" -eq 0 ]; 
then + usage exit 2 fi -for i in $(seq 0 $((${#ID_vrrpd[*]}-1))); do - ifconfig vrrp_${ID_vrrpd[$i]}_${INT_vrrpd[$i]} >/dev/null 2>&1 - # If has interface - if [[ $? -eq 0 ]]; then - # If has to be master : OK - if [[ $is_master -eq 1 ]]; then - echo OK - ${IP_vrrpd[$i]} exists and is master - # If has to be backup : KO - elif [[ $is_master -eq 0 ]]; then - echo CRITICAL - ${IP_vrrpd[$i]} exists whereas it should be backup - RC=2 - # We retrieve the state it should be from args - elif [[ $is_master -eq 2 ]]; then - arg=$(($i+1)) - state=${!arg} - # If has to be master : OK - if [[ $state = master ]]; then - echo OK - ${IP_vrrpd[$i]} exists and is master - # If has to be backup : KO - elif [[ $state = backup ]]; then - echo CRITICAL - ${IP_vrrpd[$i]} exists whereas it should be backup - RC=2 +while :; do + case $1 in + -h|-\?|--help) # Call a "usage" function to display a synopsis, then exit. + usage + exit + ;; + -m|--master) # Takes an option argument, ensuring it has been specified. + if [ -n "$2" ]; then + ID_master=($(echo "$2" | tr "," "\n")) # Make an array with values separated by "," + shift else - echo "CRITICAL - The arguments have to be master or backup. Exiting" + printf 'ERROR: "--master" requires a non-empty option argument.\n' >&2 exit 2 fi - # Unknown - else - RC=3 - fi - # If hasn't interface - elif [[ $? 
-ne 0 ]]; then - # If has to be master : KO - if [[ $is_master -eq 1 ]]; then - echo CRITICAL - ${IP_vrrpd[$i]} does not exist whereas it should be master - RC=2 - # If has to be backup : OK - elif [[ $is_master -eq 0 ]]; then - echo OK - ${IP_vrrpd[$i]} is backup - # We retrieve the state it should be from args - elif [[ $is_master -eq 2 ]]; then - arg=$(($i+1)) - state=${!arg} - # If has to be master : KO - if [[ $state = master ]]; then - echo CRITICAL - ${IP_vrrpd[$i]} does not exist whereas it should be master - RC=2 - # If has to be backup : OK - elif [[ $state = backup ]]; then - echo OK - ${IP_vrrpd[$i]} is backup + ;; + -b|--backup) # Takes an option argument, ensuring it has been specified. + if [ -n "$2" ]; then + ID_backup=($(echo "$2" | tr "," "\n")) # Make an array with values separated by "," + shift else - echo "CRITICAL - The arguments have to be master or backup. Exiting" + printf 'ERROR: "--backup" requires a non-empty option argument.\n' >&2 exit 2 fi - # Unknown - else - RC=3 - fi - # Unknown - else - RC=3 - fi + ;; + --vrrpd) + used_daemon="vrrpd" + vrrpd_option="set" + ;; + --uvrrpd) + used_daemon="uvrrpd" + uvrrpd_option="set" + ;; + -?*) + printf 'WARNING: Unknown option (ignored): %s\n' "$1" >&2 + ;; + *) # Default case: If no more options then break out of the loop. 
+ break + esac + shift done -exit $RC + +# Make sure that each given ID is given once only +all_ID=("${ID_master[@]}" "${ID_backup[@]}") +uniqueNum=$(printf '%s\n' "${all_ID[@]}"|awk '!($0 in seen){seen[$0];c++} END {print c}') +if [ "$uniqueNum" != ${#all_ID[@]} ]; then + echo "ERROR : At least one VRRP ID is given multiple times" + exit 2 +fi + +# Make sure --vrrpd and --uvrrpd are not both set +if [ $vrrpd_option = "set" ] && [ $uvrrpd_option = "set" ]; then + echo "ERROR : You cannot set both parameters --vrrpd and --uvrrpd" + exit 2 +fi + +# Make sure no sysclt parameter "rp_filter" is set to 1 +if grep -q 1 /proc/sys/net/ipv4/conf/*/rp_filter; then + critical_output="${critical_output}CRITICAL - rp_filter is set to 1 at least for one interface\n" + critical_state="set" +fi + +vrrpd_processes_number=$((${#ID_master[@]}+${#ID_backup[@]})) # Number of vrrpd processes that should be running = length of arrays ID_master + ID_backup +regex_ipv4="((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])" +regex_ipv6="(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))" +vrrpd_processes=$(ps auwx | grep "$used_daemon" | grep -v -e grep -e check) +ID_running_vrrpd=($(for i in ${vrrpd_processes}; do echo "$i" | grep -Eo -- "-v [0-9]+" | awk '{print $2}'; done)) + +# Check the number of running vrrpd processes in comparison to the number of 
ID given +if ! sudo /usr/lib/nagios/plugins/check_procs -C "$used_daemon" -c $vrrpd_processes_number:$vrrpd_processes_number >/dev/null; then + critical_output="${critical_output}CRITICAL : $vrrpd_processes_number VRRP ID are given but $(ps auwx | grep "$used_daemon" | grep -v -e grep -e check -c) $used_daemon processes are running\n" + if pgrep uvrrp >/dev/null && [ $uvrrpd_option = "unset" ]; then + critical_output="${critical_output}It seems that uvrrpd is running. Use parameter --uvrrpd\n" + fi + critical_state="set" +fi + +IFS=" " + +# For each ID_master, make sure a process exist +if [ ${#ID_master[@]} -ne 0 ]; then + for i in "${ID_master[@]}"; do + # If array contains the current ID, then a process exist, and we have to make sure the corresponding interface exists + if [[ " ${ID_running_vrrpd[*]} " =~ " $i " ]]; then + vrrpd_current_proccess=$(echo "$vrrpd_processes" | grep -E -- "-v $i") + INT_current_vrrpd=$(echo "$vrrpd_current_proccess" | grep -Eo -- "-i \S+" | awk '{print $2}') + IP_current_vrrpd=$(echo "$vrrpd_current_proccess" | grep -Eo "${regex_ipv4}|${regex_ipv6}") + if [ "$used_daemon" = "vrrpd" ]; then + int_name="vrrp_${i}_${INT_current_vrrpd}" + elif [ "$used_daemon" = "uvrrpd" ]; then + int_name="${INT_current_vrrpd}_${i}" + fi + if /sbin/ifconfig "$int_name" 2> /dev/null | grep -q "$IP_current_vrrpd"; then + ok_output="${ok_output}OK - ID $i has a process and $IP_current_vrrpd is master\n" + ok_state="set" + else + warning_output="${warning_output}WARNING - The IP $IP_current_vrrpd for ID $i is backup while it should be master\n" + warning_state="set" + fi + else + critical_output="${critical_output}CRITICAL - No process is running for VRRP ID $i\n" + critical_state="set" + fi + done +fi + +# For each ID_backup, make sure a process exist +if [ ${#ID_backup[@]} -ne 0 ]; then + for i in "${ID_backup[@]}"; do + # If array contains the current ID, then a process exist, and we have to make sure the corresponding interface does not exist + if [[ " 
${ID_running_vrrpd[*]} " =~ " $i " ]]; then + vrrpd_current_proccess=$(echo "$vrrpd_processes" | grep -E -- "-v $i") + INT_current_vrrpd=$(echo "$vrrpd_current_proccess" | grep -Eo -- "-i \S+" | awk '{print $2}') + IP_current_vrrpd=$(echo "$vrrpd_current_proccess" | grep -Eo "${regex_ipv4}|${regex_ipv6}") + if [ "$used_daemon" = "vrrpd" ]; then + int_name="vrrp_${i}_${INT_current_vrrpd}" + elif [ "$used_daemon" = "uvrrpd" ]; then + int_name="${INT_current_vrrpd}_${i}" + fi + if ! /sbin/ifconfig "$int_name" 2> /dev/null | grep -q "$IP_current_vrrpd"; then + ok_output="${ok_output}OK - ID $i has a process and $IP_current_vrrpd is backup\n" + ok_state="set" + else + warning_output="${warning_output}WARNING - The IP $IP_current_vrrpd for ID $i is master while it should be backup\n" + warning_state="set" + fi + else + critical_output="${critical_output}CRITICAL - No process is running for VRRP ID $i\n" + critical_state="set" + fi + done +fi + +# Make $exit_code the highest set +if [ "$critical_state" = "set" ]; then + exit_code=2 +elif [ "$warning_state" = "set" ]; then + exit_code=1 +elif [ "$ok_state" = "set" ]; then + exit_code=0 +fi + +# Echo most critical output first, least last +if [ -n "$critical_output" ]; then + echo -e "$critical_output" | grep -v "^$" +fi +if [ -n "$warning_output" ]; then + echo -e "$warning_output" | grep -v "^$" +fi +if [ -n "$ok_output" ]; then + echo -e "$ok_output" | grep -v "^$" +fi + +exit $exit_code -- 2.39.2 From 8d16f17354b4e7a11b1127b94a32fe9be9517617 Mon Sep 17 00:00:00 2001 
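Review bot: The VRRP IDs taken from `--master`/`--backup` are never validated before being used as regular expressions in `grep -E -- "-v $i"`, so `17` also matches a process started with `-v 170`, and an ID containing regex metacharacters matches arbitrary processes; validate in the `-m|--master` and `-b|--backup` cases with `[[ "$2" =~ ^[0-9]+(,[0-9]+)*$ ]] || { printf 'ERROR: IDs must be comma-separated integers\n' >&2; exit 2; }` and match with `grep -Ew -- "-v $i"` so the ID is delimited on both sides. The process list is built with `ps auwx | grep "$used_daemon"`, which for `vrrpd` also matches `uvrrpd` command lines, so the count printed in the CRITICAL message can disagree with `check_procs -C "$used_daemon"`; `pgrep -a -x "$used_daemon"` would keep the two consistent. When neither `--master` nor `--backup` is given, `printf '%s\n'` on the empty array emits one empty line, so `uniqueNum` is 1 against an array length of 0 and the script reports "VRRP ID is given multiple times" instead of saying that at least one ID is required.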
From: William Hirigoyen Date: Wed, 18 Jan 2023 10:29:41 +0100 Subject: [PATCH 329/497] * clamav: set `MaxConnectionQueueLength` to its default value (200), custom (15) was way too small and caused recurrent connections fail in Postfix. * postfix (packmail only): disable `concurrency_failed_cohort_limit` for destination smtp-amavis to prevent the suspension of this destination when Amavis fails to answer. Indeed, we configure the suspension delay quite long in `minimal_backoff_time` (2h) and `maximal_backoff_time` (6h) to reduce the risk of ban from external SMTPs. --- CHANGELOG.md | 2 ++ clamav/tasks/main.yml | 2 +- postfix/templates/packmail_main.cf.j2 | 1 + 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d601b50d..60118ebe 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -30,6 +30,8 @@ The **patch** part changes is incremented if multiple releases happen the same m * docker-host: fix type in daemon.json and remove host configuration that is already in the systemd service by default * haproxy: fix missing admin ACL in stats module access permissions * openvpn: fix the client cipher configuration to match the server cipher configuration +* clamav: set `MaxConnectionQueueLength` to its default value (200), custom (15) was way too small and caused recurrent connections fail in Postfix. +* postfix (packmail only): disable `concurrency_failed_cohort_limit` for destination smtp-amavis to prevent the suspension of this destination when Amavis fails to answer. Indeed, we configure the suspension delay quite long in `minimal_backoff_time` (2h) and `maximal_backoff_time` (6h) to reduce the risk of ban from external SMTPs. ### Removed diff --git a/clamav/tasks/main.yml b/clamav/tasks/main.yml index 6d1da3eb..f74efae5 100644 --- a/clamav/tasks/main.yml +++ b/clamav/tasks/main.yml 
@@ -13,7 +13,7 @@ - { key: 'clamav-daemon/StreamMaxLength', type: 'string', value: '25' } - { key: 'clamav-daemon/ReadTimeout', type: 'string', value: '180' } - { key: 'clamav-daemon/StatsEnabled', type: 'boolean', value: 'false' } - - { key: 'clamav-daemon/MaxConnectionQueueLength', type: 'string', value: '15' } + - { key: 'clamav-daemon/MaxConnectionQueueLength', type: 'string', value: '200' } - { key: 'clamav-daemon/LogRotate', type: 'boolean', value: 'true' } - { key: 'clamav-daemon/AllowAllMatchScan', type: 'boolean', value: 'true' } - { key: 'clamav-daemon/ScanOnAccess', type: 'boolean', value: 'false' } diff --git a/postfix/templates/packmail_main.cf.j2 b/postfix/templates/packmail_main.cf.j2 index b8d4ef38..d8fd0604 100644 --- a/postfix/templates/packmail_main.cf.j2 +++ b/postfix/templates/packmail_main.cf.j2 @@ -412,6 +412,7 @@ smtpd_sasl_path = private/auth-client # Amavis and OpenDKIM content_filter = smtp-amavis:[127.0.0.1]:10024 +smtp-amavis_destination_concurrency_failed_cohort_limit = 0 smtpd_milters = inet:[127.0.0.1]:8891 non_smtpd_milters = inet:[127.0.0.1]:8891 -- 2.39.2 From 6864f61343c7d62f0be7eef29df362cdc7bd31e6 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Wed, 18 Jan 2023 16:49:28 +0100 Subject: [PATCH 330/497] keepalived: Make sure state file is readable The file is created 600 on Bullseye otherwise --- keepalived/files/notify.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/keepalived/files/notify.sh b/keepalived/files/notify.sh index b99c0489..7844a341 100644 --- a/keepalived/files/notify.sh +++ b/keepalived/files/notify.sh @@ -1,2 +1,3 @@ #!/bin/bash echo $1 $2 is in $3 state > /var/run/keepalive.state +chmod og+r /var/run/keepalive.state -- 2.39.2 From 5120249e5987c1440c0eb6a13d6aaa9bb65cc4ed Mon Sep 17 00:00:00 2001 
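Review bot: The added `chmod og+r` in notify.sh leaves a window in which the file exists as 0600 (the commit message says that is how it is created on Bullseye), and the `echo $1 $2 is in $3 state` it follows still has all three keepalived-supplied arguments unquoted, so a value with spaces or glob characters is split or expanded before being written. Setting `umask 022` at the top of the script creates the file readable from the start without a second syscall, and quoting gives `echo "$1 $2 is in $3 state" > /var/run/keepalive.state`. A comment naming the consumer of `/var/run/keepalive.state` (presumably a NRPE check, not visible here) would also explain why the file must be world-readable.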
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Dubois?=
Date: Wed, 18 Jan 2023 17:44:03 +0100
Subject: [PATCH 331/497] nagios-nrpe : fix check_vrrpd grep "17" was able to grep "170"
---
nagios-nrpe/files/plugins/check_vrrpd | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/nagios-nrpe/files/plugins/check_vrrpd b/nagios-nrpe/files/plugins/check_vrrpd
index 5cd50027..a82c379b 100755
--- a/nagios-nrpe/files/plugins/check_vrrpd
+++ b/nagios-nrpe/files/plugins/check_vrrpd
@@ -118,7 +118,7 @@ if [ ${#ID_master[@]} -ne 0 ]; then
for i in "${ID_master[@]}"; do
# If array contains the current ID, then a process exist, and we have to make sure the corresponding interface exists
if [[ " ${ID_running_vrrpd[*]} " =~ " $i " ]]; then
- vrrpd_current_proccess=$(echo "$vrrpd_processes" | grep -E -- "-v $i")
+ vrrpd_current_proccess=$(echo "$vrrpd_processes" | grep -E -- "-v $i ")
INT_current_vrrpd=$(echo "$vrrpd_current_proccess" | grep -Eo -- "-i \S+" | awk '{print $2}')
IP_current_vrrpd=$(echo "$vrrpd_current_proccess" | grep -Eo "${regex_ipv4}|${regex_ipv6}")
if [ "$used_daemon" = "vrrpd" ]; then
@@ -145,7 +145,7 @@ if [ ${#ID_backup[@]} -ne 0 ]; then
for i in "${ID_backup[@]}"; do
# If array contains the current ID, then a process exist, and we have to make sure the corresponding interface does not exist
if [[ " ${ID_running_vrrpd[*]} " =~ " $i " ]]; then
- vrrpd_current_proccess=$(echo "$vrrpd_processes" | grep -E -- "-v $i")
+ vrrpd_current_proccess=$(echo "$vrrpd_processes" | grep -E -- "-v $i ")
INT_current_vrrpd=$(echo "$vrrpd_current_proccess" | grep -Eo -- "-i \S+" | awk '{print $2}')
IP_current_vrrpd=$(echo "$vrrpd_current_proccess" | grep -Eo "${regex_ipv4}|${regex_ipv6}")
if [ "$used_daemon" = "vrrpd" ]; then
--
2.39.2
From 31e90abe572c440e3800802ed7cad414d5e490d8 Mon Sep 17 00:00:00 2001
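Review bot: The trailing space in `grep -E -- "-v $i "` only fixes the `17`/`170` prefix match when something follows the ID on the command line; for a process whose `-v $i` is the last argument, `ps auwx` prints no trailing space, the grep returns nothing, and the empty interface/IP then triggers a false "is backup while it should be master" (or the reverse) warning. Word matching, `grep -Ew -- "-v $i"`, delimits the ID on both sides without depending on what follows it; both changed lines, in the `ID_master` and `ID_backup` loops, would use it. The two `for` loops continue past the end of their hunks.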
From: William Hirigoyen
Date: Mon, 23 Jan 2023 10:33:07 +0100
Subject: [PATCH 332/497] fail2ban: add 'Internal login failure' to Dovecot filter
---
CHANGELOG.md | 1 +
fail2ban/files/dovecot-evolix.conf | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 60118ebe..c9d203ae 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
### Added
* nagios-nrpe: Print pool config path in check_phpfpm_multi output
+* fail2ban: add "Internal login failure" to Dovecot filter
### Changed
diff --git a/fail2ban/files/dovecot-evolix.conf b/fail2ban/files/dovecot-evolix.conf
index e1ef1a3f..5c18fb9f 100644
--- a/fail2ban/files/dovecot-evolix.conf
+++ b/fail2ban/files/dovecot-evolix.conf
@@ -1,3 +1,3 @@
[Definition]
-failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=,.*
+failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Internal login failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=,.*
ignoreregex =
--
2.39.2
From 13f45785994fb1a71273f7bc1d6ea2e642759c4b Mon Sep 17 00:00:00 2001
From: William Hirigoyen
Date: Mon, 23 Jan 2023 15:01:57 +0100
Subject: [PATCH 333/497] postfix: Do not notify errors of classes policy, protocol in of main.cf
---
CHANGELOG.md | 1 +
postfix/templates/packmail_main.cf.j2 | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c9d203ae..f4e6d441 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
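Review bot: As far as I know Dovecot logs "Internal login failure" when the authentication backend itself errs (passdb/userdb lookup failures), not when a client presents bad credentials, so if the host placeholder after `rip=` (not visible in this rendering, presumably stripped) is what gets banned, an outage of the auth backend would make fail2ban ban every legitimate client that tries to log in during it. If the goal is to catch brute-force attempts that provoke backend errors, consider a dedicated jail with a higher `maxretry` for this pattern, or at least record the trade-off in the filter: `# "Internal login failure" also fires on auth-backend outages; keep maxretry generous`.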
@@ -22,6 +22,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
* webapps/nextcloud : Change default data directory to be outside web root
* webapps/nextcloud : Small enhancement on the vhost template to lock out data dir
* nagios-nrpe : Rewrite check_vrrpd for a better check (check rp_filter, vrrpd and uvrrpd compatible, use arguments, …)
+* postfix: Do not notify errors of classes policy, protocol in `notify_classes` of main.cf.
### Fixed
diff --git a/postfix/templates/packmail_main.cf.j2 b/postfix/templates/packmail_main.cf.j2
index d8fd0604..e81d333b 100644
--- a/postfix/templates/packmail_main.cf.j2
+++ b/postfix/templates/packmail_main.cf.j2
@@ -294,7 +294,7 @@ slow_destination_concurrency_failed_cohort_limit = 100
# bounce : envoie les entetes de tous les message renvoyes
# 2bounce : envoie les entetes de tous les messages renvoyes non delivres
#par defaut, = resource, software
-notify_classes = resource, software, bounce, 2bounce, delay, policy, protocol
+notify_classes = resource, software, bounce, 2bounce, delay
# A qui les reporter ?
#Pour delay
--
2.39.2
From e0c143d9cfe2d6b77e196524414306bd8363cc22 Mon Sep 17 00:00:00 2001
From: William Hirigoyen
Date: Mon, 23 Jan 2023 15:35:47 +0100
Subject: [PATCH 334/497] postfix: come back to default value of for pack mails
---
CHANGELOG.md | 2 +-
postfix/templates/packmail_main.cf.j2 | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f4e6d441..adaf8ea0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,7 +22,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * webapps/nextcloud : Change default data directory to be outside web root * webapps/nextcloud : Small enhancement on the vhost template to lock out data dir * nagios-nrpe : Rewrite check_vrrpd for a better check (check rp_filter, vrrpd and uvrrpd compatible, use arguments, …) -* postfix: Do not notify errors of classes policy, protocol in `notify_classes` of main.cf. +* postfix: come back to default value of `notify_classes` for pack mails. ### Fixed diff --git a/postfix/templates/packmail_main.cf.j2 b/postfix/templates/packmail_main.cf.j2 index e81d333b..df45da05 100644 --- a/postfix/templates/packmail_main.cf.j2 +++ b/postfix/templates/packmail_main.cf.j2 @@ -294,7 +294,7 @@ slow_destination_concurrency_failed_cohort_limit = 100 # bounce : envoie les entetes de tous les message renvoyes # 2bounce : envoie les entetes de tous les messages renvoyes non delivres #par defaut, = resource, software -notify_classes = resource, software, bounce, 2bounce, delay +#notify_classes = resource, software # A qui les reporter ? #Pour delay -- 2.39.2 From 8244bd46153dec235bf00b090ded4f86735050d7 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 30 Jan 2023 12:05:43 +0100 Subject: [PATCH 335/497] nagios-nrpe: add tasks/files for a wrapper --- CHANGELOG.md | 1 + nagios-nrpe/files/alerts_switch | 83 ++++++++++++ nagios-nrpe/files/alerts_wrapper | 217 +++++++++++++++++++++++++++++++ nagios-nrpe/files/check_async | 4 +- nagios-nrpe/tasks/main.yml | 2 + nagios-nrpe/tasks/wrapper.yml | 35 +++++ 6 files changed, 340 insertions(+), 2 deletions(-) create mode 100644 nagios-nrpe/files/alerts_switch create mode 100644 nagios-nrpe/files/alerts_wrapper create mode 100644 nagios-nrpe/tasks/wrapper.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index adaf8ea0..a443fcf7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -13,6 +13,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added * nagios-nrpe: Print pool config path in check_phpfpm_multi output +* nagios-nrpe: add tasks/files for a wrapper * fail2ban: add "Internal login failure" to Dovecot filter ### Changed diff --git a/nagios-nrpe/files/alerts_switch b/nagios-nrpe/files/alerts_switch new file mode 100644 index 00000000..3c5a1417 --- /dev/null +++ b/nagios-nrpe/files/alerts_switch @@ -0,0 +1,83 @@ +#!/bin/bash + +# https://forge.evolix.org/projects/evolix-private/repository +# +# You should not alter this file. +# If you need to, create and customize a copy. + +set -e + +readonly PROGNAME=$(basename $0) +readonly PROGDIR=$(readlink -m $(dirname $0)) +readonly ARGS="$@" + +usage() { + echo "$PROGNAME action prefix" +} + +disable_alerts () { + disabled_file="$1_disabled" + enabled_file="$1_enabled" + + if [ -e "${enabled_file}" ]; then + mv "${enabled_file}" "${disabled_file}" + else + touch "${disabled_file}" + chmod 0644 "${disabled_file}" + fi +} + +enable_alerts () { + disabled_file="$1_disabled" + enabled_file="$1_enabled" + + if [ -e "${disabled_file}" ]; then + mv "${disabled_file}" "${enabled_file}" + else + touch "${enabled_file}" + chmod 0644 "${enabled_file}" + fi +} + +now () { + date --iso-8601=seconds +} + +log_disable () { + echo "$(now) - alerts disabled by $(logname || echo unknown)" >> $1 +} + +log_enable () { + echo "$(now) - alerts enabled by $(logname || echo unknown)" >> $1 +} + +main () { + local action=$1 + local prefix=$2 + + local base_dir="/var/lib/misc" + mkdir -p "${base_dir}" + + local file_path="${base_dir}/${prefix}_alerts" + local log_file="/var/log/${prefix}_alerts.log" + + case "$action" in + enable) + enable_alerts ${file_path} + log_enable ${log_file} + ;; + disable) + disable_alerts ${file_path} + log_disable ${log_file} + ;; + help) + usage + ;; + *) + >&2 echo "Unknown action '$action'" + exit 1 + ;; + esac +} + +main $ARGS 
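Review bot: `prefix` (the second argument) is interpolated unvalidated into `/var/lib/misc/${prefix}_alerts` and `/var/log/${prefix}_alerts.log`, and the script then does `touch`, `mv`, `chmod 0644` and `>>` on those paths; since check_async in this same commit invokes it as `sudo /usr/local/bin/alerts_switch enable "${check_name}"`, any sudoers rule that lets the monitoring user pass arbitrary arguments turns a prefix such as `../../etc/x` into root-level file creation and log appends outside the intended directories. I would reject anything but a plain token right after `local prefix=$2`: `[[ "${prefix}" =~ ^[A-Za-z0-9_-]+$ ]] || { >&2 echo "Invalid prefix '${prefix}'"; exit 1; }`. The `$1` in `log_disable`/`log_enable` (`>> $1`) and the `${file_path}` arguments are also unquoted, and `readonly ARGS="$@"` followed by `main $ARGS` re-splits the arguments on whitespace, so an action or prefix containing spaces is silently mangled; `main "$@"` avoids that. Whether a matching sudoers entry exists is not visible in this series, so the traversal risk is inferred from the check_async call.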
diff --git a/nagios-nrpe/files/alerts_wrapper b/nagios-nrpe/files/alerts_wrapper new file mode 100644 index 00000000..d4524fdd --- /dev/null +++ b/nagios-nrpe/files/alerts_wrapper 
@@ -0,0 +1,217 @@ +#!/bin/bash + +# https://forge.evolix.org/projects/evolix-private/repository +# +# You should not alter this file. +# If you need to, create and customize a copy. + +VERSION="21.04" +readonly VERSION + +# base functions + +show_version() { + cat <, + Jérémy Lecour + and others. + +alerts_wrapper comes with ABSOLUTELY NO WARRANTY.This is free software, +and you are welcome to redistribute it under certain conditions. +See the GNU General Public License v3.0 for details. +END +} +show_help() { + cat < "${check_stdout}" + check_rc=$? + readonly check_rc + + delay=0 + + if [ -e "${alerts_disabled_file}" ]; then + delay=$(delay_from_alerts_disabled_file) + + if [ "${delay}" -le "0" ]; then + enable_check + fi + fi + + if [ -e "${alerts_disabled_file}" ]; then + formatted_last_change=$(date --date "@$(stat -c %Z "${alerts_disabled_file}")" +'%c') + readonly formatted_last_change + + echo "ALERTS DISABLED for ${check_name} (since ${formatted_last_change}, delay: ${delay} sec) - $(cat "${check_stdout}")" + if [ ${check_rc} = 0 ]; then + # Nagios OK + exit 0 + else + # Nagios WARNING + exit 1 + fi + else + cat "${check_stdout}" + exit ${check_rc} + fi +} + +# Default: 1 day before re-enabling the check +wrapper_limit_default="1d" +readonly wrapper_limit_default + +if [[ "${1}" =~ -.* ]]; then + # parse options + # based on https://gist.github.com/deshion/10d3cb5f88a21671e17a + while :; do + case $1 in + -h|-\?|--help) + show_help + exit 0 + ;; + -V|--version) + show_version + exit 0 + ;; + + --limit) + # with value separated by space + if [ -n "$2" ]; then + wrapper_limit=$2 + shift + else + printf 'ERROR: "--limit" requires a non-empty option argument.\n' >&2 + exit 1 + fi + ;; + --limit=?*) + # with value speparated by = + wrapper_limit=${1#*=} + ;; + --limit=) + # without value + printf 'ERROR: "--limit" requires a non-empty option argument.\n' >&2 + exit 1 + ;; + + --name) + # with value separated by space + if [ -n "$2" ]; then + check_name=$2 + 
shift + else + printf 'ERROR: "--name" requires a non-empty option argument.\n' >&2 + exit 1 + fi + ;; + --name=?*) + # with value speparated by = + check_name=${1#*=} + ;; + --name=) + # without value + printf 'ERROR: "--name" requires a non-empty option argument.\n' >&2 + exit 1 + ;; + + --) + # End of all options. + shift + break + ;; + -?*) + # ignore unknown options + printf 'WARN: Unknown option : %s\n' "$1" >&2 + exit 1 + ;; + *) + # Default case: If no more options then break out of the loop. + break + ;; + esac + + shift + done + # The rest is the command + check_command="$*" +else + # no option is passed (backward compatibility with previous version) + # treat the first argument as check_name and the rest as the command + check_name="${1}" + shift + check_command="$*" +fi + +# Default values or errors +if [ -z "${wrapper_limit}" ]; then + wrapper_limit="${wrapper_limit_default}" +fi +if [ -z "${check_name}" ]; then + printf 'ERROR: You must specify a check name, with --name.\n' >&2 + exit 1 +fi +if [ -z "${check_command}" ]; then + printf 'ERROR: You must specify a command to execute.\n' >&2 + exit 1 +fi + +readonly check_name +readonly check_command +readonly wrapper_limit +alerts_disabled_file="/var/lib/misc/${check_name}_alerts_disabled" +readonly alerts_disabled_file + +check_file="/var/lib/misc/${check_name}_alerts_disabled" +readonly check_file + +check_stdout=$(mktemp --tmpdir=/tmp "${check_name}_stdout.XXXX") +readonly check_stdout + +# shellcheck disable=SC2064 +trap "rm ${check_stdout}" EXIT + +main diff --git a/nagios-nrpe/files/check_async b/nagios-nrpe/files/check_async index 5ff8ad24..2a54f920 100644 --- a/nagios-nrpe/files/check_async +++ b/nagios-nrpe/files/check_async 
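Review bot: `check_name` comes straight from `--name`/the first positional argument and is spliced into `/var/lib/misc/${check_name}_alerts_disabled` and the `mktemp` template without any validation, so a name containing `/` or `..` makes the wrapper read and delete files outside `/var/lib/misc` and `/tmp`; right after the `-z "${check_name}"` check I would add `[[ "${check_name}" =~ ^[A-Za-z0-9_-]+$ ]] || { printf 'ERROR: invalid check name (use only [A-Za-z0-9_-]).\n' >&2; exit 1; }`. The `-?*` branch is commented `# ignore unknown options` but actually prints a warning and does `exit 1`, so either the comment or the behaviour should change. `check_file` is assigned the same path as `alerts_disabled_file` and, in the part of the hunk that survived rendering, is never referenced, so it looks redundant (the middle of this new file is garbled in the listing, so I cannot confirm how the command is executed or where `wrapper_limit` is consumed). The `trap "rm ${check_stdout}" EXIT` expansion is also left unquoted with SC2064 disabled rather than written as `trap 'rm -f "${check_stdout}"' EXIT`.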
@@ -59,9 +59,9 @@ delay_from_check_file() { enable_check() { if [ "$(id -u)" -eq "0" ] ; then - /usr/share/scripts/alerts_switch enable "${check_name}" + /usr/local/bin/alerts_switch enable "${check_name}" else - sudo /usr/share/scripts/alerts_switch enable "${check_name}" + sudo /usr/local/bin/alerts_switch enable "${check_name}" fi } diff --git a/nagios-nrpe/tasks/main.yml b/nagios-nrpe/tasks/main.yml index 7ccc6718..5a77c4ee 100644 --- a/nagios-nrpe/tasks/main.yml +++ b/nagios-nrpe/tasks/main.yml @@ -83,3 +83,5 @@ notify: restart nagios-nrpe-server tags: - nagios-nrpe + +- include_tasks: wrapper.yml \ No newline at end of file diff --git a/nagios-nrpe/tasks/wrapper.yml b/nagios-nrpe/tasks/wrapper.yml new file mode 100644 index 00000000..99cd50f3 --- /dev/null +++ b/nagios-nrpe/tasks/wrapper.yml @@ -0,0 +1,35 @@ +--- + + +- name: "Remount /usr if needed" + include_role: + name: remount-usr + +- name: alerts_switch is at the right place + command: "mv /usr/share/scripts/alerts_switch /usr/local/bin/alerts_switch" + args: + creates: /usr/local/bin/alerts_switch + +- name: "copy alerts_switch" + copy: + src: alerts_switch + dest: /usr/local/bin/alerts_switch + owner: root + group: root + mode: "0750" + force: yes + +- name: "symlink for backward compatibility" + file: + src: /usr/local/bin/alerts_switch + dest: /usr/share/scripts/alerts_switch + state: link + +- name: "copy alerts_wrapper" + copy: + src: alerts_wrapper + dest: "{{ nagios_plugins_directory }}/alerts_wrapper" + owner: root + group: staff + mode: "0755" + force: yes \ No newline at end of file -- 2.39.2 From f354f16cd60f4a8ad411ba5b6b0f0f75a33d4f1f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Dubois?= Date: Tue, 31 Jan 2023 11:13:08 +0100 Subject: [PATCH 336/497] openvpn: Change check_openvpn destination file to comply with recent EvoBSD change --- CHANGELOG.md | 1 + openvpn/tasks/openbsd.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) 
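Review bot: None of the five tasks in the new wrapper.yml carry `tags: [nagios-nrpe]` like the surrounding tasks in main.yml do, and the `include_tasks: wrapper.yml` added to main.yml is untagged too, so a run with `--tags nagios-nrpe` (the way the rest of this role is selected) will skip the whole wrapper installation without any error; adding `tags: - nagios-nrpe` to each task (or to the include with `apply: { tags: [nagios-nrpe] }`) fixes that. Installing alerts_switch as `root:root 0750` means the NRPE user can only reach it through the `sudo /usr/local/bin/alerts_switch …` path that check_async now uses, and no sudoers rule for that new path appears anywhere in this series (the evolinux-users sudoers templates changed later in this file still only list check_procs/check_minifirewall), so on a fresh host enable_check will presumably fail with a sudo prompt unless that rule exists elsewhere. The `mv` task also runs unconditionally here and errors when `/usr/share/scripts/alerts_switch` is absent; a later commit in this series adds the `stat` guard, so that part is already handled.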
diff --git a/CHANGELOG.md b/CHANGELOG.md index a443fcf7..4e5bcd54 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -24,6 +24,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * webapps/nextcloud : Small enhancement on the vhost template to lock out data dir * nagios-nrpe : Rewrite check_vrrpd for a better check (check rp_filter, vrrpd and uvrrpd compatible, use arguments, …) * postfix: come back to default value of `notify_classes` for pack mails. +* openvpn: Change check_openvpn destination file to comply with recent EvoBSD change ### Fixed diff --git a/openvpn/tasks/openbsd.yml b/openvpn/tasks/openbsd.yml index ef16044e..e33923e1 100644 --- a/openvpn/tasks/openbsd.yml +++ b/openvpn/tasks/openbsd.yml @@ -132,7 +132,7 @@ - name: Configure NRPE OpenVPN check lineinfile: - dest: "/etc/nrpe.d/zzz_evolix.cfg" + dest: "/etc/nrpe.d/evolix.cfg" regexp: '^command\[check_openvpn\]=' line: "command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn.pl -H 127.0.0.1 -p 1195 -P {{ management_pwd }}" create: yes -- 2.39.2 From b1a602bf75abe66bd09eb8228aec64e4c627aa1d Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Tue, 31 Jan 2023 17:52:55 +0100 Subject: [PATCH 337/497] Add php5.6 with Sury on Debian 10 --- php/README.md | 2 ++ php/files/sury.preferences | 2 +- php/handlers/main.yml | 5 ++++ php/tasks/main_buster.yml | 50 +++++++++++++++++++++++--------------- php/tasks/sury_pre.yml | 24 +++++++++--------- 5 files changed, 51 insertions(+), 32 deletions(-) diff --git a/php/README.md b/php/README.md index e0a194ac..e2190a3c 100644 --- a/php/README.md +++ b/php/README.md @@ -6,6 +6,8 @@ Installation and basic configuration of PHP Minimal configuration is in `tasks/main.yml` +Set variable `php_version` in your playbook. + ## Available variables The full list of variables (with default values) can be found in `defaults/main.yml`. diff --git a/php/files/sury.preferences b/php/files/sury.preferences index 15aa9c16..adcc5918 100644 
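Review bot: Moving the `dest` of this lineinfile to `/etc/nrpe.d/evolix.cfg` leaves the previous `/etc/nrpe.d/zzz_evolix.cfg` in place on hosts already configured, so the old `command[check_openvpn]=… -P {{ management_pwd }}` line (which embeds the OpenVPN management password) stays on disk and, if nrpe still includes that directory, both definitions are loaded; I would add a preceding task that removes the old key from the legacy file, e.g. `- name: Remove legacy check_openvpn definition` / `lineinfile: { dest: /etc/nrpe.d/zzz_evolix.cfg, regexp: '^command\[check_openvpn\]=', state: absent }` guarded by a `stat`. Because of `create: yes` with no `owner`/`group`/`mode`, the new file containing that password is created with the default umask-derived permissions; setting `mode: "0640"` (owner root, group the nrpe daemon's group on EvoBSD) would keep it out of reach of other local users. Note also that passing the password via `-P` makes it visible in `ps` output to every local user each time the check runs — that is pre-existing, but worth a comment or a move to a credentials file if the plugin supports one.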
--- a/php/files/sury.preferences +++ b/php/files/sury.preferences @@ -1,4 +1,4 @@ -Package: php* libapache2-mod-php* libpcre2* libzip4* libgd* +Package: php* libapache2-mod-php* libpcre2* libzip4* libgd* libpcre3* Pin: origin packages.sury.org Pin-Priority: 999 diff --git a/php/handlers/main.yml b/php/handlers/main.yml index 079a14d5..0b372db7 100644 --- a/php/handlers/main.yml +++ b/php/handlers/main.yml @@ -5,6 +5,11 @@ name: php5-fpm state: restarted +- name: restart php5.6-fpm + service: + name: php5.6-fpm + state: restarted + - name: restart php7.0-fpm service: name: php7.0-fpm diff --git a/php/tasks/main_buster.yml b/php/tasks/main_buster.yml index 2fc4293e..0b8468ad 100644 --- a/php/tasks/main_buster.yml +++ b/php/tasks/main_buster.yml 
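Review bot: Adding `libpcre3*` to the packages pinned at priority 999 to `packages.sury.org` means the system-wide PCRE library used by grep, nginx, Apache and many others will be taken from the third-party repository and will track Sury's rebuild cadence rather than Debian's security updates; with priority 999 a Debian security release of libpcre3 is no longer selected unless Sury publishes a newer version. A comment in the preferences file stating why that pin is needed (presumably an ABI requirement of the Sury PHP builds — worth confirming) would help the next maintainer understand the blast radius, and the changelog has no entry for this change. The new `restart php5.6-fpm` handler is only a nit: PHP 5.6 has had no upstream security fixes since 2018, so a one-line comment in the handler or README that this version is installed for legacy compatibility only would set expectations.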
@@ -1,18 +1,27 @@ --- +- name: "Set php version to 7.3 if Sury repo is not enabled" + set_fact: + php_version: "7.3" + when: + - php_sury_enable == 'False' + - php_version != '7.3' + + - name: "Set variables (Debian 10)" set_fact: - php_cli_defaults_ini_file: /etc/php/7.3/cli/conf.d/z-evolinux-defaults.ini - php_cli_custom_ini_file: /etc/php/7.3/cli/conf.d/zzz-evolinux-custom.ini - php_apache_defaults_ini_file: /etc/php/7.3/apache2/conf.d/z-evolinux-defaults.ini - php_apache_custom_ini_file: /etc/php/7.3/apache2/conf.d/zzz-evolinux-custom.ini - php_fpm_defaults_ini_file: /etc/php/7.3/fpm/conf.d/z-evolinux-defaults.ini - php_fpm_custom_ini_file: /etc/php/7.3/fpm/conf.d/zzz-evolinux-custom.ini - php_fpm_debian_default_pool_file: /etc/php/7.3/fpm/pool.d/www.conf - php_fpm_default_pool_file: /etc/php/7.3/fpm/pool.d/www-evolinux-defaults.conf - php_fpm_default_pool_custom_file: /etc/php/7.3/fpm/pool.d/www-evolinux-zcustom.conf - php_fpm_default_pool_socket: /var/run/php/php7.3-fpm.sock - php_fpm_service_name: php7.3-fpm + #php_version: "{{ '7.3' if php_sury_enable == 'False' }}" + php_cli_defaults_ini_file: /etc/php/{{ php_version }}/cli/conf.d/zvolinux-defaults.ini + php_cli_custom_ini_file: /etc/php/{{ php_version }}/cli/conf.d/zzz-evolinux-custom.ini + php_apache_defaults_ini_file: /etc/php/{{ php_version }}/apache2/conf.d/z-evolinux-defaults.ini + php_apache_custom_ini_file: /etc/php/{{ php_version }}/apache2/conf.d/zzz-evolinux-custom.ini + php_fpm_defaults_ini_file: /etc/php/{{ php_version }}/fpm/conf.d/z-evolinux-defaults.ini + php_fpm_custom_ini_file: /etc/php/{{ php_version }}/fpm/conf.d/zzz-evolinux-custom.ini + php_fpm_debian_default_pool_file: /etc/php/{{ php_version }}/fpm/pool.d/www.conf + php_fpm_default_pool_file: /etc/php/{{ php_version }}/fpm/pool.d/www-evolinux-defaults.conf + php_fpm_default_pool_custom_file: /etc/php/{{ php_version }}/fpm/pool.d/www-evolinux-zcustom.conf + php_fpm_default_pool_socket: /var/run/php/php{{ php_version }}-fpm.sock + 
php_fpm_service_name: php{{ php_version }}-fpm # Packages @@ -38,6 +47,9 @@ - include: sury_pre.yml when: php_sury_enable | bool +- debug: + var: php_stretch_packages + - name: "Install PHP packages (Debian 10)" apt: name: '{{ php_stretch_packages }}' @@ -54,8 +66,8 @@ - name: "Install PHP FPM packages (Debian 10)" apt: name: - - php-fpm - - php + - php{{ php_version }}-fpm + - php{{ php_version }} state: present when: php_fpm_enable | bool @@ -67,12 +79,12 @@ mode: "0755" loop: - /etc/php - - /etc/php/7.3 + - /etc/php/{{ php_version }} - include: config_cli.yml - name: "Enforce permissions on PHP cli directory (Debian 10)" file: - dest: /etc/php/7.3/cli + dest: /etc/php/{{ php_version }}/cli mode: "0755" - include: config_fpm.yml @@ -80,7 +92,7 @@ - name: "Enforce permissions on PHP fpm directory (Debian 10)" file: - dest: /etc/php/7.3/fpm + dest: /etc/php/{{ php_version }}/fpm mode: "0755" when: php_fpm_enable | bool @@ -89,9 +101,9 @@ - name: "Enforce permissions on PHP apache2 directory (Debian 10)" file: - dest: /etc/php/7.3/apache2 + dest: /etc/php/{{ php_version }}/apache2 mode: "0755" when: php_apache_enable | bool -- include: sury_post.yml - when: php_sury_enable | bool +#- include: sury_post.yml +# when: php_sury_enable | bool diff --git a/php/tasks/sury_pre.yml b/php/tasks/sury_pre.yml index a1dcbb0e..cb0fc075 100644 --- a/php/tasks/sury_pre.yml +++ b/php/tasks/sury_pre.yml 
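Review bot: `php_cli_defaults_ini_file` now points at `/etc/php/{{ php_version }}/cli/conf.d/zvolinux-defaults.ini`, which dropped the `-e` of `z-evolinux-defaults.ini` that the old value and every other `*_defaults_ini_file` here use, so the CLI defaults will land in a differently named file and the evocheck `check_phpevolinuxconf` test later in this series (which looks for `z-evolinux-defaults.ini`) will report it missing; the line should read `php_cli_defaults_ini_file: /etc/php/{{ php_version }}/cli/conf.d/z-evolinux-defaults.ini`. The new "Set php version to 7.3" task compares `php_sury_enable == 'False'` as a string while the rest of the file evaluates `php_sury_enable | bool`, so a real boolean `false` (or `no`) in inventory never triggers the fallback and `php_version` stays undefined; `when: - not (php_sury_enable | bool)` matches the other conditions. The `sury_post.yml` include is commented out rather than removed or explained, which leaves a dead reference in the file.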
@@ -33,17 +33,17 @@ - name: "Override package list for Sury (Debian 9 or later)" set_fact: php_stretch_packages: - - php-cli - - php-gd - - php-intl - - php-imap - - php-ldap - - php-mysql + - php{{ php_version }}-cli + - php{{ php_version }}-gd + - php{{ php_version }}-intl + - php{{ php_version }}-imap + - php{{ php_version }}-ldap + - php{{ php_version }}-mysql # php-mcrypt is no longer packaged for PHP 7.2 - - php-pgsql - - php-gettext - - php-curl - - php-ssh2 - - composer - - libphp-phpmailer + - php{{ php_version }}-pgsql + - php{{ php_version }}-gettext + - php{{ php_version }}-curl + - php{{ php_version }}-ssh2 +# - composer +# - libphp-phpmailer when: ansible_distribution_release != "bullseye" -- 2.39.2 From 70be09342b626d2300a2cb57f626868f02988c19 Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Tue, 31 Jan 2023 17:54:12 +0100 Subject: [PATCH 338/497] Remove task debug --- php/tasks/main_buster.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/php/tasks/main_buster.yml b/php/tasks/main_buster.yml index 0b8468ad..b7722716 100644 --- a/php/tasks/main_buster.yml +++ b/php/tasks/main_buster.yml @@ -10,7 +10,6 @@ - name: "Set variables (Debian 10)" set_fact: - #php_version: "{{ '7.3' if php_sury_enable == 'False' }}" php_cli_defaults_ini_file: /etc/php/{{ php_version }}/cli/conf.d/zvolinux-defaults.ini php_cli_custom_ini_file: /etc/php/{{ php_version }}/cli/conf.d/zzz-evolinux-custom.ini php_apache_defaults_ini_file: /etc/php/{{ php_version }}/apache2/conf.d/z-evolinux-defaults.ini @@ -47,9 +46,6 @@ - include: sury_pre.yml when: php_sury_enable | bool -- debug: - var: php_stretch_packages - - name: "Install PHP packages (Debian 10)" apt: name: '{{ php_stretch_packages }}' -- 2.39.2 From d3765ada569b8adb65c599a550be7a23aa677ef4 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 1 Feb 2023 11:27:16 +0100 Subject: [PATCH 339/497] nagios-nrpe: old wrapper might be missing --- nagios-nrpe/tasks/wrapper.yml | 7 +++++++ 1 file changed, 7 insertions(+) 
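Review bot: Commenting out `composer` and `libphp-phpmailer` quietly removes two packages the Sury path previously installed, with no changelog entry, so hosts re-run with this role will keep the old packages but new ones will not get them; if they are intentionally dropped, delete the lines and note it in the CHANGELOG, otherwise keep them unversioned since they are not PHP-version-specific. I do not believe a `php{{ php_version }}-gettext` package exists in either Debian or the Sury packaging (the gettext extension is part of `phpX.Y-common`), so this apt task is likely to fail with "Unable to locate package" — please confirm against the repository and drop or unversion that entry. The `when: ansible_distribution_release != "bullseye"` condition on a task named "Debian 9 or later" is also worth a one-line comment explaining why bullseye is excluded.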
diff --git a/nagios-nrpe/tasks/wrapper.yml b/nagios-nrpe/tasks/wrapper.yml index 99cd50f3..f49c7509 100644 --- a/nagios-nrpe/tasks/wrapper.yml +++ b/nagios-nrpe/tasks/wrapper.yml @@ -5,10 +5,16 @@ include_role: name: remount-usr +- name: check if old script is present + stat: + path: /usr/share/scripts/alerts_switch + register: old_alerts_switch + - name: alerts_switch is at the right place command: "mv /usr/share/scripts/alerts_switch /usr/local/bin/alerts_switch" args: creates: /usr/local/bin/alerts_switch + when: old_alerts_switch.stat.exists - name: "copy alerts_switch" copy: @@ -24,6 +30,7 @@ src: /usr/local/bin/alerts_switch dest: /usr/share/scripts/alerts_switch state: link + when: old_alerts_switch.stat.exists - name: "copy alerts_wrapper" copy: -- 2.39.2 From 3f0eecc0569efafd0a842df9296c793f2c2b5b5a Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 1 Feb 2023 11:27:40 +0100 Subject: [PATCH 340/497] minifirewall: upstream release 23.02 --- minifirewall/files/minifirewall | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/minifirewall/files/minifirewall b/minifirewall/files/minifirewall index 4beeaf7d..3922e889 100755 --- a/minifirewall/files/minifirewall +++ b/minifirewall/files/minifirewall @@ -29,7 +29,7 @@ # Description: Firewall designed for standalone server ### END INIT INFO -VERSION="22.06" +VERSION="23.02" NAME="minifirewall" # shellcheck disable=SC2034 @@ -147,6 +147,9 @@ fi # } ## Beware that commands executed from included files are not modified by this trick. +remove_colors() { + sed -r 's/\x1B\[(;?[0-9]{1,3})+[mGK]//g' +} syslog_info() { if [ -x "${LOGGER_BIN}" ]; then ${LOGGER_BIN} -t "${NAME}" -p daemon.info "$1" 
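Review bot: The new `remove_colors` regex `\x1B\[(;?[0-9]{1,3})+[mGK]` requires at least one numeric parameter, so a bare reset sequence `ESC[m` (valid and emitted by some tools as the short form of `ESC[0m`) would survive into the state files and still produce spurious diffs; if the script's own `RESET` is `\e[0m` this is moot, but `sed -r 's/\x1B\[[0-9;]*[mGK]//g'` covers both forms at no cost. A short comment above the function saying it is applied to the state snapshots so that `diff` compares rules rather than terminal escapes would document the why; the callers are in the following hunks. The wrapper.yml hunk in the same line only adds the `stat` guard and needs no further change.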
@@ -268,9 +271,9 @@ check_unpersisted_state() { elif [ -z "${diff_bin}" ]; then printf "${YELLOW}skip state comparison (Can't find diff command)${RESET}\n" >&2 else - # store current state + # store current state (without colors) mkdir -p "$(dirname "${STATE_FILE_CURRENT}")" - status_without_numbers > "${STATE_FILE_CURRENT}" + status_without_numbers | remove_colors > "${STATE_FILE_CURRENT}" # clean previous diff file rm -f "${STATE_FILE_DIFF}" @@ -310,9 +313,9 @@ report_state_changes() { check_unpersisted_state fi - # Then reset the known state + # Then reset the known state (without colors) mkdir -p "$(dirname "${STATE_FILE_LATEST}")" - status_without_numbers > "${STATE_FILE_LATEST}" + status_without_numbers | remove_colors > "${STATE_FILE_LATEST}" # But if there is a previous known state # let's compare with the new known state @@ -920,8 +923,9 @@ stop() { printf "${BLUE}flushing all rules and accepting everything${RESET}\n" + # Save previous state (without colors) mkdir -p "$(dirname "${STATE_FILE_PREVIOUS}")" - status_without_numbers > "${STATE_FILE_PREVIOUS}" + status_without_numbers | remove_colors > "${STATE_FILE_PREVIOUS}" # Delete all rules ${IPT} -F INPUT -- 2.39.2 From 49e92d20b0ed40a79f1fb97a6c3a5c3cf6813dd0 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Wed, 1 Feb 2023 15:23:51 +0100 Subject: [PATCH 341/497] evolinux-users: Update sudoers template to remove commands allowed without password --- CHANGELOG.md | 1 + evolinux-users/templates/sudoers_jessie.j2 | 2 +- evolinux-users/templates/sudoers_stretch.j2 | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4e5bcd54..3515f60d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
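Review bot: Turning `status_without_numbers > file` into `status_without_numbers | remove_colors > file` in all three places means the pipeline's exit status is now sed's, so a failure of `status_without_numbers` (e.g. iptables not runnable) silently writes an empty or partial state file that later gets compared as the "known" state; unless `set -o pipefail` is set at the top of the script (not visible here), I would either enable it or check `${PIPESTATUS[0]}` after each of these lines. In `stop()` in particular the previous state is what an operator would use to understand what was flushed, so a truncated snapshot is worse than none. The enclosing functions start outside these hunks.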
@@ -25,6 +25,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * nagios-nrpe : Rewrite check_vrrpd for a better check (check rp_filter, vrrpd and uvrrpd compatible, use arguments, …) * postfix: come back to default value of `notify_classes` for pack mails. * openvpn: Change check_openvpn destination file to comply with recent EvoBSD change +* evolinux-users: Update sudoers template to remove commands allowed without password ### Fixed diff --git a/evolinux-users/templates/sudoers_jessie.j2 b/evolinux-users/templates/sudoers_jessie.j2 index c0703c49..6bc3e57b 100644 --- a/evolinux-users/templates/sudoers_jessie.j2 +++ b/evolinux-users/templates/sudoers_jessie.j2 @@ -1,6 +1,6 @@ Defaults umask=0077 -Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts/listupgrade.sh, /usr/bin/apt, /bin/mount +Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts/listupgrade.sh User_Alias ADMINS = {{ user.name }} nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs diff --git a/evolinux-users/templates/sudoers_stretch.j2 b/evolinux-users/templates/sudoers_stretch.j2 index 8211f121..287483d9 100644 --- a/evolinux-users/templates/sudoers_stretch.j2 +++ b/evolinux-users/templates/sudoers_stretch.j2 @@ -1,6 +1,6 @@ Defaults umask=0077 -Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts/listupgrade.sh, /usr/bin/apt, /bin/mount +Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts/listupgrade.sh nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall -- 2.39.2 From 7ba743072ac1a8e53d3a78500b49b62b07089eda Mon Sep 17 00:00:00 2001 
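Review bot: Dropping `/usr/bin/apt` and `/bin/mount` from `Cmnd_Alias MAINT` is the right direction, but anything that currently relies on passwordless `sudo apt`/`sudo mount` through that alias (cron jobs, listupgrade.sh's own calls, or operators' habits) will now prompt or fail, and the changelog entry says nothing about that migration; a sentence in the CHANGELOG naming the removed commands would help. The alias still grants two shell scripts under `/usr/share/scripts/`, so the rule is only as strong as the ownership and mode of those files — worth a comment in the template such as `# MAINT scripts must stay root-owned and non-writable by others`. How the alias is actually used (NOPASSWD or not) is outside this hunk, so the impact above is inferred from the commit title.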
From: William Hirigoyen Date: Fri, 10 Feb 2023 11:46:23 +0100 Subject: [PATCH 342/497] evocheck: upstream release 22.12 --- evocheck/files/evocheck.jessie.sh | 2 +- evocheck/files/evocheck.sh | 112 +++++++++++++++++++++++------- evocheck/files/evocheck.wheezy.sh | 2 +- 3 files changed, 87 insertions(+), 29 deletions(-) mode change 100644 => 100755 evocheck/files/evocheck.sh diff --git a/evocheck/files/evocheck.jessie.sh b/evocheck/files/evocheck.jessie.sh index a5a32a5a..02ec4bbb 100755 --- a/evocheck/files/evocheck.jessie.sh +++ b/evocheck/files/evocheck.jessie.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="22.11" +VERSION="22.12" readonly VERSION # base functions diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh old mode 100644 new mode 100755 index c5cd8fbd..9299edd3 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="22.11" +VERSION="22.12" readonly VERSION # base functions @@ -131,6 +131,13 @@ check_dpkgwarning() { test -e /etc/apt/apt.conf.d/z-evolinux.conf \ || failed "IS_DPKGWARNING" "/etc/apt/apt.conf.d/z-evolinux.conf is missing" } +# Check if localhost, localhost.localdomain and localhost.$mydomain are set in Postfix mydestination option. +check_localhost_in_postfix_mydestination() { + # shellcheck disable=SC2016 + if ! grep mydestination /etc/postfix/main.cf | grep --extended-regexp 'localhost[^\\.]' | grep 'localhost.localdomain' | grep 'localhost.$mydomain'; then + failed "IS_LOCALHOST_IN_POSTFIX_MYDESTINATION" "'localhost' and/or 'localhost.localdomain' and/or 'localhost.\$mydomain' are missing in Postfix mydestination option. Consider adding then." + fi +} # Verifying check_mailq in Nagios NRPE config file. (Option "-M postfix" need to be set if the MTA is Postfix) check_nrpepostfix() { if is_installed postfix; then 
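Review bot: The grep chain in the new `check_localhost_in_postfix_mydestination` is never silenced, so every matching `mydestination` line is printed to stdout on each run, and `grep mydestination /etc/postfix/main.cf` also matches commented-out lines (`#mydestination = …`), which can make the check pass against a value Postfix does not use; the pattern `localhost[^\\.]` additionally requires a character after `localhost`, so a list ending in `…, localhost` is reported as missing. Reading the effective value with `postconf -h mydestination` and testing each host with `grep -Eq '(^|[[:space:],])localhost([[:space:],]|$)'` (and the escaped forms for `localhost\.localdomain` and `localhost\.\$mydomain`) removes all three problems. The failure message also says "Consider adding then" where "them" is meant.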
@@ -391,7 +398,7 @@ check_log2mailrunning() { fi } check_log2mailapache() { - conf=/etc/log2mail/config/Apache + conf=/etc/log2mail/config/apache if is_pack_web && is_installed log2mail; then grep -s -q "^file = /var/log/apache2/error.log" $conf \ || failed "IS_LOG2MAILAPACHE" "missing log2mail directive for apache" @@ -463,18 +470,26 @@ check_evobackup() { evobackup_found=$(find /etc/cron* -name '*evobackup*' | wc -l) test "$evobackup_found" -gt 0 || failed "IS_EVOBACKUP" "missing evobackup cron" } -# Vérification de la mise en place de la purge pour fail2ban -check_purge_fail2ban() { +# Vérification de la mise en place d'un cron de purge de la base SQLite de Fail2ban +check_fail2ban_purge() { if is_debian_stretch || is_debian_buster; then if is_installed fail2ban; then test -f /etc/cron.daily/fail2ban_dbpurge || failed "IS_FAIL2BAN_PURGE" "missing script fail2ban_dbpurge cron" fi fi } +# Vérification qu'il ne reste pas des jails nommées ssh non renommées en sshd +check_ssh_fail2ban_jail_renamed() { + if is_installed fail2ban && [ -f /etc/fail2ban/jail.local ]; then + if grep --quiet --fixed-strings "[ssh]" /etc/fail2ban/jail.local; then + failed "IS_SSH_FAIL2BAN_JAIL_RENAMED" "Jail ssh must be renamed sshd in fail2ban >= 0.9." + fi + fi +} # Vérification de l'exclusion des montages (NFS) dans les sauvegardes check_evobackup_exclude_mount() { - excludes_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.evobackup_exclude_mount.XXXXX") - files_to_cleanup="${files_to_cleanup} ${excludes_file}" + excludes_file=$(mktemp --tmpdir "evocheck.evobackup_exclude_mount.XXXXX") + files_to_cleanup+=("${excludes_file}") # shellcheck disable=SC2044 for evobackup_file in $(find /etc/cron* -name '*evobackup*' | grep -v -E ".disabled$"); do 
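Review bot: `check_ssh_fail2ban_jail_renamed` only inspects `/etc/fail2ban/jail.local`, but fail2ban also reads `/etc/fail2ban/jail.d/*.conf` and `jail.conf`, so an old `[ssh]` section in a drop-in file is not caught; `grep -qsF "[ssh]" /etc/fail2ban/jail.local /etc/fail2ban/jail.d/*.conf` covers the common layouts. Changing the log2mail path from `config/Apache` to `config/apache` in `check_log2mailapache` changes which file is examined on a case-sensitive filesystem; if existing hosts carry the capitalised name, the check will start reporting a missing directive, so this deserves a line in the changelog or a fallback to whichever of the two exists. The `mktemp --tmpdir` form without an explicit value honours `$TMPDIR` just as the old form did, so that part is fine.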
@@ -643,7 +658,7 @@ check_notupgraded() { fi done if $upgraded; then - last_upgrade=$(date +%s -d "$(zgrep -h upgrade /var/log/dpkg.log* | sort -n | tail -1 | cut -f1 -d ' ')") + last_upgrade=$(date +%s -d "$(zgrep --no-filename --no-messages upgrade /var/log/dpkg.log* | sort -n | tail -1 | cut -f1 -d ' ')") fi if grep -qs '^mailto="listupgrade-todo@' /etc/evolinux/listupgrade.cnf \ || grep -qs -E '^[[:digit:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[^\*]' /etc/cron.d/listupgrade; then @@ -841,10 +856,17 @@ check_redis_backup() { # You could change the default path in /etc/evocheck.cf # REDIS_BACKUP_PATH may contain space-separated paths, example: # REDIS_BACKUP_PATH='/home/backup/redis-instance1/dump.rdb /home/backup/redis-instance2/dump.rdb' - REDIS_BACKUP_PATH=${REDIS_BACKUP_PATH:-"/home/backup/redis/dump.rdb"} - for file in ${REDIS_BACKUP_PATH}; do - test -f "${file}" || failed "IS_REDIS_BACKUP" "Redis dump is missing (${file})" - done + # Old default path: /home/backup/dump.rdb + # New default path: /home/backup/redis/dump.rdb + if [ -z "${REDIS_BACKUP_PATH}" ]; then + if ! [ -f "/home/backup/dump.rdb" ] && ! [ -f "/home/backup/redis/dump.rdb" ]; then + failed "IS_REDIS_BACKUP" "Redis dump is missing (/home/backup/dump.rdb or /home/backup/redis/dump.rdb)." + fi + else + for file in ${REDIS_BACKUP_PATH}; do + test -f "${file}" || failed "IS_REDIS_BACKUP" "Redis dump ${file} is missing." + done + fi fi } check_elastic_backup() { 
@@ -895,15 +917,15 @@ check_mysqlnrpe() { grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql" /etc/nagios/nrpe.d/evolix.cfg \ || failed "IS_MYSQLNRPE" "check_mysql is missing" fi - fi + fi } check_phpevolinuxconf() { is_debian_stretch && phpVersion="7.0" is_debian_buster && phpVersion="7.3" is_debian_bullseye && phpVersion="7.4" if is_installed php; then - { test -f /etc/php/${phpVersion}/cli/conf.d/z-evolinux-defaults.ini \ - && test -f /etc/php/${phpVersion}/cli/conf.d/zzz-evolinux-custom.ini + { test -f "/etc/php/${phpVersion}/cli/conf.d/z-evolinux-defaults.ini" \ + && test -f "/etc/php/${phpVersion}/cli/conf.d/zzz-evolinux-custom.ini" } || failed "IS_PHPEVOLINUXCONF" "missing php evolinux config" fi } @@ -929,8 +951,8 @@ check_duplicate_fs_label() { # Do it only if thereis blkid binary BLKID_BIN=$(command -v blkid) if [ -n "$BLKID_BIN" ]; then - tmpFile=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.duplicate_fs_label.XXXXX") - files_to_cleanup="${files_to_cleanup} ${tmpFile}" + tmpFile=$(mktemp --tmpdir "evocheck.duplicate_fs_label.XXXXX") + files_to_cleanup+=("${tmpFile}") parts=$($BLKID_BIN -c /dev/null | grep -ve raid_member -e EFI_SYSPART | grep -Eo ' LABEL=".*"' | cut -d'"' -f2) for part in $parts; do 
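Review bot: Quoting the paths in `check_phpevolinuxconf` is good, but `phpVersion` is only assigned for stretch, buster and bullseye, so on any other release (or when none of the `is_debian_*` helpers match) the test silently probes `/etc/php//cli/conf.d/…` and reports a false IS_PHPEVOLINUXCONF whenever php is installed; a guard such as `[ -n "${phpVersion}" ] || return 0` with a comment, or deriving the version from the installed `/etc/php/*/` directory, would avoid that. The hard-coded mapping also diverges from the php role earlier in this series, which now installs Sury versions on buster under `/etc/php/{{ php_version }}`, so those hosts will fail this check even when correctly configured. The `fi` re-indentation in `check_mysqlnrpe` is cosmetic only.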
@@ -1097,8 +1119,8 @@ check_evobackup_incs() { bkctld_cron_file=${bkctld_cron_file:-/etc/cron.d/bkctld} if [ -f "${bkctld_cron_file}" ]; then root_crontab=$(grep -v "^#" "${bkctld_cron_file}") - echo "${root_crontab}" | grep -q "bkctld inc" || failed "IS_EVOBACKUP_INCS" "\`bkctld inc' is missing in ${bkctld_cron_file}" - echo "${root_crontab}" | grep -qE "(check-incs.sh|bkctld check-incs)" || failed "IS_EVOBACKUP_INCS" "\`check-incs.sh' is missing in ${bkctld_cron_file}" + echo "${root_crontab}" | grep -q "bkctld inc" || failed "IS_EVOBACKUP_INCS" "'bkctld inc' is missing in ${bkctld_cron_file}" + echo "${root_crontab}" | grep -qE "(check-incs.sh|bkctld check-incs)" || failed "IS_EVOBACKUP_INCS" "'check-incs.sh' is missing in ${bkctld_cron_file}" else failed "IS_EVOBACKUP_INCS" "Crontab \`${bkctld_cron_file}' is missing" fi @@ -1129,7 +1151,7 @@ check_chrooted_binary_uptodate() { for process_name in ${process_list}; do # what is the binary path? original_bin=$(command -v "${process_name}") - for pid in $(pgrep ${process_name}); do + for pid in $(pgrep "${process_name}"); do process_bin=$(realpath "/proc/${pid}/exe") # Is the process chrooted? real_root=$(realpath "/proc/${pid}/root") @@ -1157,7 +1179,6 @@ check_nginx_letsencrypt_uptodate() { fi fi } - check_lxc_container_resolv_conf() { if is_installed lxc; then container_list=$(lxc-ls) 
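Review bot: `pgrep "${process_name}"` matches the name as a regular expression anywhere in the process name, so `check_chrooted_binary_uptodate` can pick up unrelated processes (e.g. `pgrep ssh` matching `sshd`, or a name that is a prefix of another daemon) and then compare the wrong binary; `pgrep -x "${process_name}"` limits it to exact matches. The quoting added here is correct and should stay. The loop's enclosing function begins outside this hunk.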
@@ -1178,6 +1199,38 @@ check_lxc_container_resolv_conf() { done fi } +# Check that there are containers if lxc is installed. +check_no_lxc_container() { + if is_installed lxc; then + containers_count=$(lxc-ls | wc -l) + if [ "$containers_count" -eq 0 ]; then + failed "IS_NO_LXC_CONTAINER" "LXC is installed but have no container. Consider removing it." + fi + fi +} +# Check that in LXC containers, phpXX-fpm services have UMask set to 0007. +check_lxc_php_fpm_service_umask_set() { + if is_installed lxc; then + php_containers_list=$(lxc-ls --filter php) + missing_umask="" + for container in $php_containers_list; do + # Translate container name in service name + if [ "$container" = "php56" ]; then + service="php5-fpm" + else + service="${container:0:4}.${container:4}-fpm" + fi + umask=$(lxc-attach --name "${container}" -- systemctl show -p UMask "$service" | cut -d "=" -f2) + if ! [ "$umask" != "0007" ]; then + missing_umask="${missing_umask} ${container}" + fi + done + if [ -n "${missing_umask}" ]; then + failed "IS_LXC_PHP_FPM_SERVICE_UMASK_SET" "UMask is not set to 0007 in PHP-FPM services of theses containers : ${missing_umask}." + fi + fi +} + download_versions() { local file file=${1:-} @@ -1280,8 +1333,8 @@ add_to_path() { echo "$PATH" | grep -qF "${new_path}" || export PATH="${PATH}:${new_path}" } check_versions() { - versions_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.versions.XXXXX") - files_to_cleanup="${files_to_cleanup} ${versions_file}" + versions_file=$(mktemp --tmpdir "evocheck.versions.XXXXX") + files_to_cleanup+=("${versions_file}") download_versions "${versions_file}" add_to_path "/usr/share/scripts" 
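Review bot: The condition in `check_lxc_php_fpm_service_umask_set` is inverted: `if ! [ "$umask" != "0007" ]` is true exactly when the UMask is 0007, so the containers that are correctly configured are the ones reported and a wrong UMask is never flagged; it should be `if [ "$umask" != "0007" ]; then`. `containers_count=$(lxc-ls | wc -l)` in `check_no_lxc_container` depends on lxc-ls printing one name per line when its output is not a terminal, which is how I recall it behaving but is worth a comment; `lxc-ls -1` makes it explicit. The failure message also has "theses containers" for "these containers", and a brief header comment on why 0007 is required (presumably to keep pool sockets/files group-readable only) would help the next reader.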
@@ -1308,8 +1361,8 @@ main() { # Detect operating system name, version and release detect_os - main_output_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.main.XXXXX") - files_to_cleanup="${files_to_cleanup} ${main_output_file}" + main_output_file=$(mktemp --tmpdir "evocheck.main.XXXXX") + files_to_cleanup+=("${main_output_file}") test "${IS_TMP_1777:=1}" = 1 && check_tmp_1777 test "${IS_ROOT_0700:=1}" = 1 && check_root_0700 @@ -1322,6 +1375,7 @@ main() { test "${IS_LSBRELEASE:=1}" = 1 && check_lsbrelease test "${IS_DPKGWARNING:=1}" = 1 && check_dpkgwarning + test "${IS_LOCALHOST_IN_POSTFIX_MYDESTINATION:=1}" = 1 && check_localhost_in_postfix_mydestination test "${IS_NRPEPOSTFIX:=1}" = 1 && check_nrpepostfix test "${IS_CUSTOMSUDOERS:=1}" = 1 && check_customsudoers test "${IS_VARTMPFS:=1}" = 1 && check_vartmpfs @@ -1367,6 +1421,8 @@ main() { test "${IS_INTERFACESGW:=1}" = 1 && check_interfacesgw test "${IS_NETWORKING_SERVICE:=1}" = 1 && check_networking_service test "${IS_EVOBACKUP:=1}" = 1 && check_evobackup + test "${IS_PURGE_FAIL2BAN:=1}" = 1 && check_fail2ban_purge + test "${IS_SSH_FAIL2BAN_JAIL_RENAMED:=1}" = 1 && check_ssh_fail2ban_jail_renamed test "${IS_EVOBACKUP_EXCLUDE_MOUNT:=1}" = 1 && check_evobackup_exclude_mount test "${IS_USERLOGROTATE:=1}" = 1 && check_userlogrotate test "${IS_APACHECTL:=1}" = 1 && check_apachectl @@ -1418,6 +1474,8 @@ main() { test "${IS_CHROOTED_BINARY_UPTODATE:=1}" = 1 && check_chrooted_binary_uptodate test "${IS_NGINX_LETSENCRYPT_UPTODATE:=1}" = 1 && check_nginx_letsencrypt_uptodate test "${IS_LXC_CONTAINER_RESOLV_CONF:=1}" = 1 && check_lxc_container_resolv_conf + test "${IS_NO_LXC_CONTAINER:=1}" = 1 && check_no_lxc_container + test "${IS_LXC_PHP_FPM_SERVICE_UMASK_SET:=1}" = 1 && check_lxc_php_fpm_service_umask_set test "${IS_CHECK_VERSIONS:=1}" = 1 && check_versions if [ -f "${main_output_file}" ]; then 
@@ -1432,8 +1490,8 @@ main() { exit ${RC} } cleanup_temp_files() { - # shellcheck disable=SC2086 - rm -f ${files_to_cleanup} + # shellcheck disable=SC2086,SC2317 + rm -f ${files_to_cleanup[@]} } PROGNAME=$(basename "$0") @@ -1448,7 +1506,7 @@ readonly ARGS export LANG=C export LANGUAGE=C -files_to_cleanup="" +declare -a files_to_cleanup # shellcheck disable=SC2064 trap cleanup_temp_files 0 diff --git a/evocheck/files/evocheck.wheezy.sh b/evocheck/files/evocheck.wheezy.sh index cd41cb50..1b91675c 100755 --- a/evocheck/files/evocheck.wheezy.sh +++ b/evocheck/files/evocheck.wheezy.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="22.11" +VERSION="22.12" readonly VERSION # base functions -- 2.39.2 From 32f0561e72ec8e8022298910ae68efd377c2ba6c Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Fri, 10 Feb 2023 12:32:39 +0100 Subject: [PATCH 343/497] evocheck: upstream release 23.02 --- evocheck/files/evocheck.jessie.sh | 2 +- evocheck/files/evocheck.sh | 2 +- evocheck/files/evocheck.wheezy.sh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/evocheck/files/evocheck.jessie.sh b/evocheck/files/evocheck.jessie.sh index 02ec4bbb..d6cd62e1 100755 --- a/evocheck/files/evocheck.jessie.sh +++ b/evocheck/files/evocheck.jessie.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="22.12" +VERSION="23.02" readonly VERSION # base functions diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index 9299edd3..32cf0098 100755 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="22.12" +VERSION="23.02" readonly VERSION # base functions diff --git a/evocheck/files/evocheck.wheezy.sh b/evocheck/files/evocheck.wheezy.sh index 1b91675c..4b0dcf3d 100755 --- a/evocheck/files/evocheck.wheezy.sh +++ b/evocheck/files/evocheck.wheezy.sh 
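Review bot: `rm -f ${files_to_cleanup[@]}` in cleanup_temp_files still expands the array unquoted, so a temp path containing whitespace or glob characters (TMPDIR is honoured by `mktemp --tmpdir`) is word-split or globbed before rm sees it; the quoted form `rm -f "${files_to_cleanup[@]}"` is the point of moving to an array and makes the SC2086 suppression unnecessary, leaving only SC2317 for the trap handler. After `declare -a files_to_cleanup` the array is empty until the first mktemp, so on an early exit `rm -f` receives no operand, which GNU rm tolerates with -f but which is not guaranteed portable; a guard such as `[ "${#files_to_cleanup[@]}" -gt 0 ] && rm -f "${files_to_cleanup[@]}"` avoids relying on it. The `declare` and `trap` lines in the second hunk are complete, but the surrounding top-level script continues outside this hunk.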
@@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="22.12" +VERSION="23.02" readonly VERSION # base functions -- 2.39.2 From 33503e4538a3de0644e3cac51c2abe579bdd8699 Mon Sep 17 00:00:00 2001 From: Alexis Ben Miloud--Josselin Date: Mon, 13 Feb 2023 10:09:37 +0100 Subject: [PATCH 344/497] php: Add sury support on Debian 11 --- php/files/reg.asc | 920 ++++++++++++++++++++++++++++++++++++ php/tasks/main_bullseye.yml | 46 +- php/tasks/sury_pre.yml | 17 +- 3 files changed, 962 insertions(+), 21 deletions(-) create mode 100644 php/files/reg.asc diff --git a/php/files/reg.asc b/php/files/reg.asc new file mode 100644 index 00000000..3fadeb07 --- /dev/null +++ b/php/files/reg.asc 
@@ -0,0 +1,920 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: SKS 1.1.6 +Comment: Hostname: keyserver.ubuntu.com + +mQINBEoHZ5kBEAC680PjynWTcP3ZtVfWWL6zQAcD8JoC+c5MbnpFScqtBc2MdlVZu6zED+B5 +sw2SSLf1EZlfbTPc3GcWTwdiXj2GQKzjMra1MZKUnVOD/uMVkj0ZTszUQziW01O9sWPhxbMu +Qr7OD04jQ7TjtBBEJD+yf0HJsDVC7TCbpcNNtmhXByXqw7bgo0rzxeOB3hL88I7AcC7ve5iR +xwXoXJYs1hgJMPmZXJmhKb0a3pVk075yMsXnxlOqM7XBk++zodDR03Ym21GLFOu+3DLTX9aC +aU/AjXb/udtEBAHv+iVxZChzka/KkYMY+KX8A7niE/UN2PIfhWDTmLLcTyBAOuis6cUqDm2a +w0IbXh359dfBbgV4/QLoafcM841W47Menp9tb0Qz1uHYwV6jjDEmbpGgEJRGIqd143j/zGBP +xffmtPq1zn/QFVBQNltLiMyclAR1Yb4fksDkt8JGmvI+FwaHdx3dn1VU0hbdYR/5CHtsxN4V +P/juUOrjbagp5zBBXLlVIVceGoD0mNkNWPyZh8C3SHg2Y+Q7t+cz4xysQN5BUHL4DX6nEIJA +u0cZdBtr8dtkJToYlhSFaLFwZh/XmOgOndSNmeJz4ll29Xc3V2/hCQlllHXux5E79rRNRKK/ +rSydUzYir755udPWw18+6mPUzT6NDaVDDAwSOLOn99OUJt6bBQARAQABtB9HcmVnb3J5IENv +bHBhcnQgPHJlZ0Bldm9saXguY2E+iQI3BBMBCAAhBQJWEagEAhsDBQsJCAcDBRUKCQgLBRYC +AwEAAh4BAheAAAoJEESXUni4YStdYDAQAKuwOHT+wDS6vL6Xqp/59eKLaB02lTQuTDFq55K4 +dK9TNYOTmPoxvgeJigT3pHHfKQFS/wwigkOfv8VebBZAcjY03N+Joau1Vi+Er2VNR5Pt0jAf +ApwZqe+8NMAfefculZvO0g91g2lcqJoMUIaUemAqOD/CoAMMXGQSNlX4BLsI7dbvkLLjbPSa +wEODAMvuSLilI38dj7wBC30IAOQkOdkB34I/eL/sGruOxYSK7UFJfNU1aD2oQhTkYEQ5cgNK +vE325fOx7m/sZ5aAlNvtZ3jS4ym45feT9xrbG2qHTbJiVAhdtfHMXGOU6/0UHJ3+YHHdzZhu +0NCWinu18nDVeDWLmkqkZd77QtTpC/zw5s3+t8lpyqUAF+bN80ZHbB47bFphIupmWGDP2ihM +NBWBwwFZb7ry27mLyyXKVOFWrYZPrdlNheEjUP7x0GzEO0kuxYO4fyTic5lu594hxwt/LWV1 +s48SV95dXqpQIRroV8ePZoJxlD4hXh1x23AgkWgG+SS3perIGypmouOdl9CQ3yAYSCfcTKw2 +dOWOxGubseyBWw3EDlWKZLkrqbBGxfBz8XJ92iCJ27rRhtpd6XEbqhRfPR9TGTliIfaruTLp +MPrKZh74Hs7LAhHo0nkwcOoE/iYHhQpNXHMnj0hqMcwzzf6MlSrgJ/VPgQ721d5nTwrjtCBH +cmVnb3J5IENvbHBhcnQgPHJlZ0BkZWJpYW4ub3JnPohGBBARAgAGBQJMa+/FAAoJENXKmwTy +xCO8ggsAnAzhqo1IQ+3qwCWD9ifx4niyPiAFAKCo1ou0sB38EuQXnWCyp1ajblx37ohGBBAR +AgAGBQJQn+UPAAoJEHDzXiRtUx5z2B0An3U1rm/gCkoWtAcsC/IYQ2hMVaMDAJ9ddV8IywsM +vnKJ35rfg1PLT4KNFohGBBARCAAGBQJKB3HmAAoJEDIXXA3BAnoOiOgAn2tHyIuAGEY2ctJC 
+yM+C7hmyMNMKAJ9asA/uRkG4wiJwEP8DCnNB7Obfq4hGBBARCAAGBQJMXHEgAAoJEOFVF/Ir +CSDAnq0An2xcCMh6H6vIT9rmbxHgGbc8VfTEAKCopbM+QMAGQvOROMfqWJhiCB0fHIhGBBAR +CAAGBQJMXT8rAAoJENTl7azAFD0tTz4AmwaE8zBHaUWbUnsYwWXqxavmf8BCAKC1hL9GKk60 +yXTEW1W1QUm8jIYILIhGBBARCAAGBQJMXzSgAAoJEPmF40AK/HR2eqoAni/Hvg2M4e4vrju5 +wPT+dONsA9/vAKC1X1c4YL1XiJ0fXpT02U13r9e8AIhGBBARCAAGBQJMZ0yhAAoJEJ94+Dzo +xDRhLFYAnihJShfS/zRoG7iTNhgwqyLxGqczAJ0WIP7yfVZbP1N5oe6LwhQsZ1BdVohGBBAR +CgAGBQJMXlHCAAoJENoZYjcCOz9Pjd8AoMdNUjbpkScdndClI4EqT7tn6PI/AJ9Luiw8fIEs +iD5yM8NOkdykX1LPyYkBHAQTAQgABgUCSttnewAKCRAtDVq4fCU9UlJJCACTQKre8pA3ud/V +esa7/TmJI1S1cVWj8FlS/gatvLJndd90i50p9uGm1yA4g8iwMnGdcIWCuRfBlhjUnUJnTX4B +QdnUU6HCv9RQ/OlJ99k7vNhswtgoEGQWq1mH1opSviZ3xhMwFTiXISQ12i4TiGSiUfbXItzq +yxOf/gtjAMGrfnNB4MUYPrHL/lSMs24evYFR5DgOKDwVE3vVY2Wf2ytWKZJQNvKcm7sxIxKq +W3OlW4wzG2IMxMSTl6SHYOqIhRGS9xAj9hpIfD5XzZjl/iHmMZMcuRA1LPxQjqdZ5CeF391P +p6vEobkSyX0LyDvqcvy//VHn0l8cRuyEmgrTpdmTiQGcBBABCAAGBQJMdo7oAAoJECI64FW9 +lOFUIpkMAJ/obi1HblArRgKmxiCIMD2/nTcj/ML3tL9HfZ8bpWZ6YJIUsFRcmHCVWaOaCBMJ +omiICZbcot3v7/1p0D/AE57i0IFPZpXXu4utC8B70JjWaMJT22kVi3hvhrChxlZYNZlkXr8G +mKhGJpzEfVlg3hp26jbj3jEEGmjJlii7uuSrV1VJjyZaDfTNbgXMbUL/3sISsKODINCLlgCG +iVqa6Xc8bIo54zQ1Rx30Ijn/6ElFvBMSdZPu4wQ9hKrJGhrqY9FZ/U0xfaawEzxbmdZKDxVO +Xdd/qD3lNAi8Jg6m6qQO9/A4c/Ln80ll8St6MrfLwJ58QRWawTQcl8wSTxouC/ag85VwW1lX +FfnulWVjqRAY41gVY2SaBb78A8pwuwy+ixBWGqAyGRVjahNj/uznD3kwQh1DUwjyDe9lV0TV +5IpQy4YfXjkukwt8kVvQUL/p9w3/gmPZ2lXBuEgMT/NKZWKszgp/JZ45qDUD8hgPlK9bICRm +iQ1KjcAV3mh6dYLwJ4kBnAQTAQIABgUCUipIgwAKCRDvc+baWDa4Gqa8C/9aWvMONUnoDGjS +H6gIsnJn0pGQ4zx/SU+Bt8MG0SPbtv8Zu1twofiX7xSV8p7/RmESaQyjbzOD9mMvXwl5mF2N +q8IbDhvJmEcCCgVolhM1g1YtF8uM/Az74tNLmI8gsIiX/Er8045jMANp+UozOLvrzx9NpVBj +InDRhXt5ZF4YeMdB44cZL2OH8juSbpZAPFAi3Lm39gSMj3eUiUavT6r0Ok7AC3qMiaTvvtb1 +VU5vl/CcevaFE0DfZQ3+1iXsshnUu6ql2NvFPSn0tR1S8Ekk8NfItbAGComC4BF71MXxY9Af +RW21ROLzRR5Szm93E5DirjTC+vfxQYwEmemn9v8KWxMlmFTu08GbBhi54bBb0iuaRc9lf5E2 +dixJqLU4JVUPxjOk6tFvQHtZQRj7e5fu/lusZ++WKXnZsH0AiRekbN/j1Qh65aDi17w0ebXX 
+lsKc1kqryHNTq4PBrhrKbNBa+tlFDcmn3yUReIxfcZ1Bm3N6PxNiQSxx9Wf6LL/1rPuJAhwE +EAECAAYFAkxccZ8ACgkQ8aab5CnA/+7HvQ//dhkVGegUq2TyePOTWBxK7EyLVEZEBr2HXa+y +Xqg2i8Fdou5smHNEd0q8dz9oMBEWcZtRYmGKzinGcmxzArdmVyXV4fEkUab9zfL8g6dGxo+N +wqoHt9DteuJEURwakSJ7oDW+DlfzxMJ924sg5cuUtqcnZwy73a58Y5fkPaZVf+/HrkadZT3f +7fM8pb7JgJSRhgmdi3MfbUQcDgbZ604MifdEVIbXX56ex/9OuthbQ3lp6jHsvHcXPG5qt9th +RXkztoyKcArSimHcOFrLqWAQsF8u8PIYNaTKyJO8uRDYjMGcJQv6B8HqV2eiLCZtIEdcoWev +Y/oeflGDh0PbGpswAiQzoSxjvVdPgPUTqNnsl/eWvup4govByKV4y8dxgyM5a68a2N2t4ki2 +TwVu8LpCRzuiin0EvgkM4jKSFU/KPiZemdLq31D6o0dQorx+Im31XWv/H8XoI2jGbNeMVWHq +5WumzPhTfgFVajQEc94Te29vea9OV+mlgIDuTzqLD2Je5G6BDqu5EmTlO5sPDJAwM1c2ckJb +fHjtUih3Vw2B339NqF+aneOX9MH4blAlX2V5vuz0xtmEcd7Dy6wKjzmX1Tcec4VjDDgtCoH7 +vWzCeQmlWLzf1tF9keUvRn7eUktyAqozvNdE4fs6+3igdFKoI1RHNkFO45AuFe1goN+uDFOJ +AhwEEAECAAYFAkxgK4sACgkQHnWacmqf3XRTUBAAtb4DXxkzn14Qo9JME9KfZ3QA1ZfoNffR +PgxHkLX3q/KzGvbQYQc86kh6b/19aV1ahcUBrpABOkV/0k6tASrs9N6V6KBcIQbJwRETyWU6 +G/rG47h+4fWIMew5XwCzUzvqAD5GDp2XfivDQuVt1Ta2WcEAmKVYNlHYowpnEqxvLNSSbXuX +Afe+OK4XxaFr7i4zr8zS6S7NRigAdENCt2Mr4slo0ldnRn6uQ57ixfs23g8LO4/89zW+GxKG +PPUQbo9epE4hCewTAyWwrpVz9NxrodvDL6D1W7kY6caiOd5tArNKpwF/GCH/vsGPU3NsFISI ++P8GJUwtmM/47xgcteHthx2yC0HUArTV0w4+PnAaelpxzAyqd3KxLLUNJ3vjv3xpwV3eGWSG +zd3UZ4AYTJmSlbgzuJzQIwwyxHsA7ypUUsbdrsoQaTkACUOsHO1l/oT4P+z3/tWPuXqUmO+D +Ly/pBiCRrV7c4cHMzud/dKBXuAK/gS7VD4Is+K8/srdEJTrPB88zleiLOdffymHtCAmZPn93 +bvPXUcJk1PiNQYRwQIuIjHJbbZL8rxqVo4NCmi2HwjqMaow4GLEPSEdqEu83LpSU0Ts0BJvF +/6UTUEs04zDjSXpAGrPhWoom2jxUllAJq5Aek+f662dZpxVLxzMHWrLly7Fb1WPLbCrWhqIl +k+SJAhwEEAECAAYFAkxgNzgACgkQ14hMRxjhj0QJqg/+LKFGM1orBnYv+DZeVGbcPrBJVkeK +nAVgX+HpIo9uY7F6rRMZU8BHmxqM66k/tPwwrVzrgrLScK6spQTUjxKbjGkktT+LPVdFdB9F +2QdEYCwX1AB+0InLVtrXF/yFFTqlxxgLCRamRziO6w/1QDFMsDdNbIgxErjMb7d0MqRFNlvR +fO/ElovAPWlf+4zA0xiCRVbV3tbNl1/ILh41C8gc1VoTYdmUP7W3F6xCpy4MirSkY8LLDcax +wF9blsfc+gj8mW5yegBZnEoZchasl1thZ7Jt05tMkcEFTVYMfeReo/5Ww/dEpSfhjhryq5MH +0sSBT/1YGwbdgBRVzmocrWtQJ9i22MY3RboKNeAFs/wx9L38z570rOdemtfuXzKmI8jlcfQI 
+BIrE0p1zHE0OzgdfAI/uiJMZ3dRZJXsr8iVWuER97QqYZZkgDMaSHxvuKcNKQol9AbnDWbpl +q0J7CBo5si41rXpUIb/18FydC3k2KzjkCAaZs7VUCguWU/YKVw68kfrksJB0gIGqh66wYda9 +dpJVmjVNTR5bWbo8//ZHQXFfGccWoRImEZ7dD4xKTl1B1ihmgad0H7Bynd0IiORVs5zbdbIE +FCwnMjjB5nr4teU0wq20H8CaR36Rw38KgRrcJdSrJVDrmg+A4PPsW3aA1K3oCvREoR2+p322 +8j2c0pyJAhwEEAECAAYFAkxljxgACgkQE8C1Zno4sLCijQ//VodIvktCD/rmvxmbby+tjTFp +yNPRgiIdLyXU0Wfoi0TqzLsATfOluWVpJqSqIQ36g0wYc9T8BemqcBepDhj5e9NpYe4oq5kF +IxIJHzH5jHSM32vPVxJU4PzYcZzAMEVWCEBx0CHgW2cYc/Sq+YNq8Y/c69R8WNjse0qOZP7g +zTInr4JqL181TVvGHt9Ak4KNakxEVLXGIXVSV9QDDGCpYMkfpEy7pwvtV68DFVj2nHHetzCp +3gYi90nsVvk3t8iowNUTlKkxnj4dZ2lFMJfZBBeNev31JLkhyqExUoBzZMDmW+c58nye8Ode +hXnvZ9nc0pe2Z6XWLuraYDqNDKGMWsOTG8gCPVrZL5BtHr4Qh5uuAwT44PzkdPCdw9NaHw1n +0s47Uuailgg+ZuZgFXxNcRD5A93Ovl6/skln7KyTr+kJ6BsDcdWzcXpgQ62/3ayxgaOEZlKE +VLJsngKhcjlINiIXc6t0AVZhAlgLrLAvi1G19ISqNPNBRGUWeCYjC++RCaC7i/vAFWIQOTLA +NfCtzwhF+kopF2tmmt0ubapaH2CycmWLr0EIvPUIJ7GAW6tkjjv8tfkn2VtT59+gE1WmwR4q +55XkJ8zbX9tJx62w84zkQA6nMnbBQ9nfWY1eThRk5IOXKElyk8cNIZlqIPPH8RVP/Ng9Pjj4 ++vSOAjkT8LyJAhwEEAECAAYFAkxmx/gACgkQHAH0Q8nJPFo1uw/+Nu1AJqt6ifpA/EaWoDnU +9hSYcpVq3mGivwEE08U5/2trXl5fcAe8qvdPB8JIYRROTLSUIsTkERftzxMzsCIb+iMj7bKx +5Ip18GSmTOcJU32hin/l/DZlDxB9/bo8LqCurbpEDeZ84zV//F6AqMc0mUyxhdVA/y8gEp6x +YNnVHU+AmIxzHkE4n+Rrc6JdGUODOL4iZcewBl2IKcYzRzcELIFMzjnSNbA/uxKE9g1kTa0F +QUTTpy/y5f36ykfWWdrz9OZFR81/UlZ//gv+sr1UHs6uMs0QayF2QJW4iF0KX4IQWCcbSRyn +iHuOzpmJuTFu0KNmU2cfRFLgyer80glsqicj0MwI9shdtpp2+ulfi2itC/gGM00cynt2WP3d +arrohFDOwCuAVWjp5dtENk8LNCK2aYEXlHiW10kaGi9k67AVfrV55p8WVTWcpT9oQ76wafnp +jUb6XPou4DM0Z5ItJqvDQv8823b5BCnMeyG61x9qCTMhGMEzDLFFkXalViQtIjsS0tzF+S1I +B+dVVvCC0tMnPWoyyqYNqtC0rIS0I+89uQuDD/4jAf6hL7sKLUzdLs8NByjQoV9nIaXEHzp7 +jBlgAZgx2SX+eK8wF/Lo4d0a0jddX8PRZEjkx0HOhaYcW59tui/ZXr2UDwlTTuyfsSpo35K0 ++VdJ+mtz8gHZ2lCJAhwEEAECAAYFAkx25QoACgkQryKDqnbirHtS6w//Xt2HPPu9r9Lp4Z7C +U1EtWEDzBHZoiYrX8GBjfx7XJqX0kJWAXTHoN9HtGDwCil2bTb3WwopNrFUShR2yEs2Tbo8I +j1n4veQxx5japTb9b3gwh/8lRRPCfF++jn9q6927D+0jJde7hx3G/o0OoJP2H04kEM5wrzup 
+1nOkH/L5+bFerw4eYir+hl0oVfrnK40RKSnzy+6sD+FCFwLipOofDX+qVp1VguzwkfAwLTSD +PVxsjfvxKdRCj49RbI0Q1svMu8iS0Hu+i6e+pPVgvy2Bh9iPQiPNaGG9IeHy5mnq9T8yxKd3 +KY0mj6ipuHm3c1HPJln5bFlt1K6mrysbZtxafo+O6XeIUoRNqKi9eyA9udgIdHPuMAypsYFq +M1Pn7TLdSnRCyuhG0UFlr/nx3VVH7PLOerxMCZf7ApfcWA/s/iBG2DLpeB698UKOSfogcbWO +JW7Dteg4ZCL9zLxRiTZHLsMHnW/aZAAwoh/zV2Kpd6qbrZSyqgn3Pys8kwiFnnf9aWdqXmls +oNswHZeh3JvMOgs2QyY9X/+Bz3k1vf4a2aU2gINvL55aRmtgd3VDvWVk41WcRAvOfBPCC9TL +0UKbIBT+/rxuse6UiS/lVRNngvOpuUBmd0Zo/PiXxsxq+aKX6FQzZs0HsqAR/Ov7bmbh7Z+c +WwE0ZEogPivsD97qv2aJAhwEEAECAAYFAlVxpVAACgkQ2oKDDjzMOjq1exAAo41+8W0VSibl +OmQWDesxI8T+Qlw1v3Luf1CexMx9UsEktH5yP+guCeVpADMupSeKis8q0ayOgqXim6gyRjHS +1HklDGwUnhUyfDu5VNqy7BOrbUKq32TOqudwtq5PEyohof89/hR0UwfC18hBkumW7NfCmEY+ +kUkvlAVzVwbSAm1bjkFu3DLD3RKN4d4UG3kFc4tqY0BweC85UvJaFFnY362RLCBV4gTjXVgl +UIHXpDSt863NBTtbNJUTIf1tt5sFqknZh2N5UzgtkTz6t4N47+k0VZfxuk/f9MmuDEHAEBBp +lj4X+ofPXbxbr2iaAZjT/LjU76tYq7thkbU2NRB6RtDv+Tqfib5z5ecwNEKIgQ6BelCh7pRI +wnMYhx3wj2aeY28vJ9vE76NizPWiZpYzD3MHyWfN+kIuSDRZPBhSNLnfA5uUuBQNjS1Ad+QR +Xo6CtWZ1cE/7Xv6DCKmk0ThbGrvwkHKJGrpJeaaf8lP0fo0L9cIipqx3NSSKHGe+B7zhQZO0 +QBlTfXRlErjuZ/j+V8MTZqsmlhdVi+hElTioj24MQJiXfB956RuOM+g4P9v2QT5RRD0C4XaS ++KSC3eejZGYEeJAmB0uRztsRntyryw2LF6WxcSyEg0pY+/SLFxMfRIPlcAxMM0SB7HSAFZ5V +nQJHc7bBkNpw179YqexsIKaJAhwEEAEIAAYFAkxccTMACgkQ8RQITAhhERF8zQ//R2Bls2xP +vxotETrAPF5MOjDqlK6aeOnSyI7shiWWXL+7ds52SWsmD7IL+7XW0t+fwvfEVOb+qNWIiVaS +Yg4nvZQnTkCqTnDxTzdxipEaiK0MC0bXmAikBQjZ0iiveOMYOeRx2PWuUOHrymcvJ+atlkq6 +pk/mycZGpVitnO9crTb17SLsm71k5aV2u7EBCEUcbakmrx1mDvBoi/tSns5y9YEPTc6JcKtz +VqbyiSAY5dZSaLc8IW9Aqn533kPyIwYXnbxd8cPFDxDLhIeBmZnVTLURE3517RXZu1ngZEFh +pSoT3w0Xg0cgh7eJ4Vmo8MnW3p33+dSHbWRlgrNZcB0PBWZrByS/iS1b9REgFTyU4UeI7lH5 +zLgPdxPKBvCNObRhKg/dAmqSDq5EHYgWxn50p3TCfhrDrkoD+3seeee+mNARjLP4EDyBF4/k +57SqT7ytj9TWQoQuGAodQqNXwMKNcldz4FRZ3rMFrUpJj3uD9x2tlT/3bCVKQ1QcPSzKcEcq +zq9AZzjH7cVEbgpKI5zBJlejWB6aGvHLIhYZb4EYuO03OgEDDj9AUvIBFBxKdRvCzeTZOCTM +/8oAgSSVmFewEI4E0yNxvZu7wjSV5LI0AiyhwnCWlfYM9Hgxbai3cv2osIK2p5GXbaRykhwc 
+jc4lPrIsEE3At2UzlzO4TTI202GJAhwEEAEIAAYFAkxdPzMACgkQhy9wLE1uJahHJA//a9iV +wDsx+OxFu8+vPEXmJCKt1o17+PyhskIvNSXlVPvpYIpqNKUJQXpqBkiNASrCOQSHrQtw6p28 +9i011TMqmMZsUkjqk/Y3Yzx+SPT6KUfny7qQzGW2DpHL1qILDFMywzvt9djzWT6hmH5LCLSB +3aWMHIwPDvtvylzHPIN2XIABSBxnHgeEi+2ZZoLZE7HlQbwsAU7Xguj0K1DHe+urOBYvU0rq +ceqiJhnY8b71bwQRhFqVhoFkW/IPp7dujQxeJVvHZQLLNkB4RMqG+kR2Ku04U1Fxbh7oc0vr +e8EAYdMfutU3ZRWZ4D8Ltr+q/hxy6dm/bHrpFu6NIxox6KrR8zewcoGDQKI9BlQn8mrIof0W +YWNUusb//Vbz58iOh3POcjs7VkD7aPo9R/TaruBIWv77kbjszlQaKKHWV4aIVS9EXW0cPpeF +OQUaq91aAxB8Tw0Clx1TfVc/QZJB7/l6k8deXgo/+4JCU/BBmsplR6mG5mhY1Iq5PnuutU+W ++sHQRYSiq0EKdwmAaq3AIz7D+rWafv83Ea1cZaMph23ChqVX/e+YVI7rxxYCY1bubd7TtYWb +VG2W8ufTwemZBxWFq8HXc9d+Qm3LHV20Qxp5fAoYr6O67XYgQicIFW7f0lJ54igqH67wFjOf +zOTHfWK0izIeLVtp8xmj7hbFrXXd46+JAhwEEAEIAAYFAkxdRNoACgkQU5RHndNSTFGQ7Q// +YTQ8KFH7n9MYRpb83fTRfkyreyQyTdbcBsQw7R8Tksx/qbidiZZfI2cILweIqsumN2bF+ibQ +VYx/PpKEStaW1VQI5Crx/kSRmBaOlipbbfO+A3sbp98hpKMmaIxvV7IhN9qKhjcQR0YGXcam +5oVVwjIb2n89nqiS0qnGIUSTLzK5IR8Chob6tpnD3jQAnxE96wyhADedhCVMf799HSoQiiAH +TUarSv/HMIws34LRgZ2voFXADq+CE1Q2rBEapwrcDSkEQEZ79LImeuS/S1Be2ritRO+TFLzc +982LuHBxUa4MlcwWtWaQQ6PW/c5J7QJz0RiqaaL0DZxCw/Cr2e3MIfTCdK0zPg4A9BrNsQkR +/zYmePPTejvbsYpsWbpOknwZNqoYRc4cEaukAtdhZhFUDfL7jfh5HppCIM6EN3ovmTsRhauv +LeAI3J7JqrPp2yLDbL43U+1ejsD22+l2rmJQcQpRsdD8KlJX8bD3J0fCRhhIFNABjMmy3e4T +bij7ZM3ovNZLCgjHmNa5ASMyS3l/T2Rqu9rh/pZbPWS2hPTlmYTStpb2T+Ax/anpXSW3ZiAW +fHGOSjNrl9+LFqCdjyzvk/u2kbgd9VtjjFfpPS8xS1dGk7iIHHQQ1GZXc8s2WB9XkGGpD/j3 +8bvLJG9EXtqVWwJLo6t/PMOgnHK9dneq4I+JAhwEEAEIAAYFAkxfI2cACgkQeo9J6LY0gL4z +KQ//YgbbsU+C4e9A4L+b9lOTh4ICrmYg0jD86oBtjTsomMO+UP3T+mVH/meHWTzr+6ib1vsu +Nz85E5OWHeHL1Mzj60gbZSn/PMcfL++kKVCMhJs/HN6z4t/hY+GkafkeZgglnqItkZGK85ME +SmpoecuYsExEj9fQaNjHuCOrp3c+B0PJ3PSQ3qTknsOnUwkOgAhgeni1RusUqckryre1pPrb +Oy9RrTroHGsbvzfbYEYS8IVoaMP1AJj6o1kb6vomTmWlh7r5UM5iZRcFrKK3qjQaTYr9f8vf +vpJZ0GlWT6T4szOmekTnYuZJGOumkLScn66qSihvxXXlurPP0XzVObz7YrZ+GEDNJxXwPJpw +fpYZHsuSXv9Pu8S1wjbvL1xq8WEjwd9q4kgch6r5SD4+syLydwLHiBXTc5dfVO5Xs6KzWtXE 
+MNsFBrDO3pgHtWvS2V6peL/yG7RJJztzZUc/IYZWuEJIU76rzU4YK/SC2Vse9lVA3I4s0knw +5TCFvZHTV9KIjqT95xOgdlZKmQc0uXSPNrVfoi28JOfcAGnSnRX52KFt6yBrhCBCWuVTZTgk +hKSIktI9PPC/C3xyLwxJjz1jPwEomhtnNx9B04W17G5c8nW1yCjxPxY4Q9LCYpMYXGB2Nena +YydDbgfA6ua1exRQ+ZkWpnHqsmCLL7B0C/7oTOeJAhwEEAEIAAYFAkxfNK8ACgkQ0V0xOIIA +QXMoXhAAs79q+JHo7ulKZvKDkh+OVOXrSh5eKGUmuqK4RJuxrHmthUFkNTsyNBEZc2+QWw4B +8q8ka0x2/1eIDqwsKwHOfcQdyMepGiKnGWm58vL5CeoV/pZW/Yzrs6Q13o6/mm02bcxiVlqs +ZGFiRaueY2QJ66viPY0TJPlK3CavKKgZQ4xQtfQ/MDg8sdEnu3G/1PWyyHfMVsq7fG6MXCdY +TisgHAEyQJXgpCnk1YIuwxZQPKbMhcjiGbkKBMeQi9uZDiDUtY6s6S5MZGsG5v0KTuoBt2Kw +XHbTgkFT9wKaQnK4rfMjGtZFuwiZw8MPsFgz2QAR+1s4mIkCbLPPl+jwL+F4UkEUJvpKWcPI +AHnDe2q82vOc5ToWfm/C1cSf7cuLi2hGuSKw8JHuJ4hBF5NaMhmsrBOxjS9BC1OrutNvjoa/ +bBihJxX6pyz6Fhd3wnjtF8f+H2pxu9/9M6bv6lkHZDQxfnt2+muwsRncx/wU5JJcxzxUzcLl +wctSMFHmNU2egx6Kw+vPgPdkthrOZjkLQZZj9DZxHK2j2ENAm4jVF2Z6cUHHm5tVTsR7XF5t +CeFRNPUlhoEz4zdJiN2qflMY0pm9MjBpF44O8usWrEpUiPN53bIOpbPM08zYZ+BBGPOgxZbh +6Y68YUAq9XfVn9okE73HeyLLS/bpBj1QSe6QapV7sg+JAhwEEAEIAAYFAkxh7k8ACgkQcDc8 +8SkNuc7NWg/+It0T/mHuye7+PG1kQbutyVw69/C7yyZkoICrcQQ+Oh81Ba+DENSKrPVkmt2o +U3HR1bL+QbFDjUa+hnLHXh4N9hlREDbsaYdYz3xLbXeGOPDt0QrLn3mdZ2cZrZwLjcqsu+bz +5sRZMbKKTXqKkMQaDcJa2CU60aEoH9d+QJkIhOHiqkNvVyrKbiMoGnJoKDppwG1e3+Ri/oXA +6Sx3cWwmdVrNlwNAKraTFlw5Xh0RUQ5NJstxX56PN7tMm+PEnY94bPTJHiyzG1obm2Ona7sg ++P3DIvqMFIkldhNz/DdeCjSN4qrB2u71tC7xwAneqqLpPuYhpMpFtD/JX2lOhoOvo43n+atM +jqIU7xhZ2W0L7n64Ym31+wqqz6NEx+aVp+OgYVJPH6MA6jel3/KFhHoWpdnLJIL3XLq3Op4U +tCio5JfouHfuHVdslmKlH/6rO8SFY4VZGF+RZURMze0I6b3HN3WQb9Qv78hg0ZrI4E7JIbhc +oQQDIXgASS575vjK63/WRuMDxEpLEUflESKBsG02GJWe6knx5lACdIyD/8kZ6MIV9mE31Nqd +zVKv+i7BBomu+ci/4B4LXn5LcPphmGPAvL1aabC7D/9lxLPA5Ur6LHDU08LA7S3j5Z7Iob4m +KbS7pKaBdYPLm+kfAlw88bDnPioZwkWSggD5/6iwEN2XseeJAhwEEAEIAAYFAkxh9TkACgkQ +dzH8zGPk4neH6A/+PTNKtYOQmFxM+1QJEqK8+4ZOyeIB74wHGI0VyFWRb6Bt6K7OIYAfp8Vr +F4kH3DYPqRYWZLyG8Krkff3HUwdgBdrsRRQKN5Q1YwpwpofCcdDY9l3fmlUNx4MQN4Cx9uBT +XY1OGTOMHHCog2eIOIkc3sT4xZ/zIcgFKM245lXl+fLvbJId8jZjYFwefNerUX1bucNoaloC 
+drmbUN2OItXISlczLhSZlXcOyxU2Q1DICK4EksZy0y6XRnYA4/7JK209AS5jIZb6UvV4kMGU +y0/CBTW9fJx1jZthN4bLxHMSVFHvG8oqRPmr7bO6KyvnxeGY/0bd30nA0hoVyDtKuIAuBYXL +nrnjHogjF5sl4LCXLNDmIqbYoXMCAuYrlGaGsLzqGqjPX22yb+5B3zYCB17nCP4/l84auAJL +6/EOrkOjTRPWIqsRO+dK8QENfp2zYfWmr0G7xBQPdeDvyFHbY6LO+PwzVfzESGranmiliTDq +fGUGT/F6F3eBhKb392zDllJgfeKLt8V00vqaY8jqXS4AB6ze7XkcEXKsshN2atVsstUmjLKZ +iSO73irt1X/Cg6SrKkjDgUhwTmOxywkHBYjsot2NSYcrdkYEfK3nPpesB19dgJYzPn0Mborc +vJ3ixf5c2mjT1GHIdrp6XEjqLs2zu8dKLDiTJPSV/Q1H1nEasMKJAhwEEAEIAAYFAkxi3k8A +CgkQd8b7Q+PTCCRE8A/+OY2000flzIxhqxc23BzEOXWxwZ+tH2r0UQTq8kwZiSsva+NIjN5G +bx3MMcT4IyGF3VaxKZRJDPGcK3ByJS8HnCv58OE2iF9sUT2BZJEIfgniHgDA6iLyyQDmM9N6 +9UVoYYqIWff6Ve+4gPYebafy3UAgUJLHdrknfhE2fseE3jEtdsn9AizP7hc46xPkeuaAD474 +4jtM8h0zVk36l3gdRwFZEWMsxATskct3hLjKv4R/EFdEgIo8x7hK0uxvc6JyyguOznrwAgP4 +0LgXv+Ci2BWrf0awhOyuDJ+BiViKtEuzcqgwPR4GgOKkvzti8jkPNAvjCEIHTpWJwkIZ+SNW +aaIZVfbZdSTMf3tfVkUJ8tLImtfHwJ9b+BPxpiP1DENZtxmbOsKPKeH1SIGO2BUt/Y+i0KYM +rJmhQiL4k62PIRRhMKuYjQ5sasa9oyAACxg6nJMJoeJalJtcE0ZynCwdCFIkhYLXVPAgHCUo +/c5Wq20YMW0sqerdf/oLwTHe8Gyru8JfcRS1mLBuTPWQUGIt2h37WMysv4hCHT29N98w6zJL +jIGHH6Sd8PBw+WBxg6rpeGH8VVuLfHerB6XEMxoQM7FVAefDUCrHzWUrNHgSl5qG14HQ+46y +xxegb5XNGM+ku721W/t7YsA15ASgZi8ehaQ7iSl56TGu8vQCTaDqPmqJAhwEEAEIAAYFAkxn +Ti8ACgkQs0ZPiWqhWUgz+BAArOWNP1VqUSh1LpZ2mgjMLCW8cPChtEKI4/RHUElI9r6BVMGR +/35Ww1HMcayD+H7WZDXXiBqG/yPJJtmMfBW0xWH3dbo1pEn8IUZd6mWSlbhzxRkVr6AFhDKo +4T6QVQQ6nwJg9aBveBAXGnsr9/PieQNsp9IyACxZCvjoEh+2TV6xE4r0WaPKGLai5qPuvzSN +2efP1Fl6gtmoxgI0yiLDyMlQZPi+/jXC7qcae74qYFUqih1hAq3EaCfiUNCVCulAEYnzhu+Y +qJorF+Xl3vV/i/NT09k7GwvxLy1waPAi93yekg/QwkJMSrvehxXJlPdkUXUKCsgE9o+1CztW +iIK37utWFTnkApQaKUyHJA8T++ReyRXDCEq3Mu82ZMQDzsWRhJuWmX7/5MAw/1H6yG0HLxC8 +sGH64oduKWZIlWwjkox0pUrA/ZkEDaznUxUK0ay0exYtcPJ9uUcmXsFvxCe0SOGwarNKbEjs +FkZ/lelB2LZprKk/10BqRg3AzPEix8IK9hRRM5jXK1ZDEYRGYw/c9VoQPf7eMpF52zAZ45h8 +UjL/q6oAg3egW+ddbsEEXzsAgpcfNKhN/edoUKhQd5d2h0S8IpmPMrwvqrRaRSlOrqMhbqro +GQhFOV4+fO6zwkV0P6Y9QSIKibjZDS+QUZPXCLfpKRSYVQlkFwGVeVUcZzqJAhwEEAEIAAYF 
+Akxsv4oACgkQ5E+AFtNjD4l5ohAAtgotU7QYfbvY/6b2DKShrm0guTeROOi1imRMfMD5Nvy4 +CazA7qm07G9Jxo/yFYHMaXXeG02vx0pSb6Gbx9Z/jtwrOALmtIUAajTFmcC1Koshn1KAlqtV +FriWzwAz/jYIK8BL8Db3LCgGP0SSyIaD86x3VXm4JE04AJeAtFUikQwBU6iNA8Mue0rmdIgz +vQ2Fg7qk11Nafx4xT7XU/K4BAy8U+6Ai4F8VPxdh94zc+Z5qVd5lRZ9fYsdzztYoc8xtOzjJ +YzDACo6j6covoSD56gQi9htJzraPtKaWu+gz4P0ijZ/naX/hsXlOnZ7IQzaByetVgXoU2Hg5 +D6UN7YCrQ75TB+Q7Mh702dvihXCr2smUkBOBnEqKoxrLqLtrDYPLw7ELuM+bRzZb2nfBYzh7 +/o5hEG3NO1rXIQ21cYvfPSggkI1fq8kOsWbd9uIXR4iHycohZ9DsSW4iQ7+IwVu1Giypf/R2 +Fpz+cL6aGI5DKFRBuz5ucjyhJrl9wes8v1hsTDNAPSbOyd3I4PHa3N4gxWbFvV6TZfSwHKm2 +fot2bglB+n9otZaPBVnHdsntQsRnS6K7Ptft/EZ1zJvWJcOnAjZEtj62mbrP2bQ48r+wkWy0 +LbOoQZ20auH/YaqOO8ZdA3QGpvK2GCfYB6JzD3bQomsQWMlaAkx1wfFQUBQ5xtOJAhwEEAEI +AAYFAkxvKsUACgkQfFas/pR4l9iqyQ//el6hebIh5S7ekU/6R/msFAmuluGh03OAMYa+JwUm +YqXR6iGf0Ftw7XgYJt2NiY5ZtaOULtZe3zOslFio4KRAwjKgEOzSzEDc0wFtZnj0/LlSTk9c +zrrymcJQCAgKKV4WTffgiPpzDM1ajaHxY0WQfYJng/5pVxWb6QXjtB5mupf4T1Yv2blWAKpK +Fw67Fz/iN4DlWil21vx3FgpAHY+7JVB/129BnbdHtbzP2CiQxZ9PoQt40bhrinI4cHyPHcHk +EPKBD6GnyuyIoPGYRsILp76rH9vWQJWtY71DQwlB9+w/JTVP3TRinXJ0BSBvFGNcP4hqY5b+ +8tKmSBPJM0umER6Q16HosZtI+8rY+4yvaHjtEIqau/AdBnCW/EBeG1YyjDOQAQzVdOR84PLf +Nyz+eqeZI17fZtokRjTg41J2b1+F0GbUOTQueqzlTK3spWYrPgDe54luHoYmgVqlsj71Zv7F +cWEf7L9RdcA7sqCQXpDggcOTRDVg+eR6eCLGJetBfq4fsX0ae10TRh/pGut8Vu6NTcFGw5c8 +vt74h+WFIXPknpBeKl1HcKUXTLJxQP5CDrZF/HzUaLYI1SaKv1jVm36gV2YZvuZQyim4vBgg +V1/9K1EMgUW7GRnQoOpQP6zxFWnpPXPY3TDvdleaqeET3xET75mGgD0WIUreBaKjp+CJAhwE +EAEIAAYFAkxv+OAACgkQnQteWx7sjw4tUw/9FgAffwwit35JdS4S0LQqmkmGXlMvfZEkfezj +GH6ITG/YWri9QE0ktGJqyCbP9tnL3WCno8bs90tmrQyagjbp7EsADz8L36vbYrOU72mNHaeL +qbJcCoztUSWAe9aPJ4ESwTXbXCkl8xE0fm1zTF0MLq3T40Qqw67oMTBygYqhb8zeY43bKOzZ +f0fBLqFE8+LTZDEk00Ucc72M+W+J87rdiHUuJDFdAZbuAvBGT9p1YNkcqaRWSmgRddJ9nBTD +a/Qe9IBnAXBblouKiVvSTGpcyAyGKJ9cPtaviCLRXk17rGli43AymorBdGPpliZmMtrInMm4 +FAhSoU3nwB6b8oI5gMh46Dze05PYkVVZylO4Vo2AILUkeo6tagy3t+BEFAmonnpluJKZkfcY +/FvvoaT8oej2U13tXStA0FXMOJd9fGLruJ+yZnAFPrVHZWA3ziyO/u9iprB7ZjqrT1OM1Nob 
+ZP7NwGxdqED3AYJAb3H97s4dMGAJO3WzGgHOfuZEMsH0/vIc3nWAkj9jsFcDxJ8uTVM6uy2R +oIfBM3/XspyZvm2MBTuEJvwhXW7JTnxsUEpZ7aJQVJLT9Z8PPj7rPLJCkDQsdwBw+e0heTl+ +BspMqppnKw0mXmrRfnqGGxgLtlIRn8bNEp4K3AVuNP2iWp9rMSVPg0qLGSFgEH1DtoN2DsiJ +AhwEEAEIAAYFAlWS7hEACgkQ66DGxxwAJW8VIhAAtBkHOqKPOA4A5MKAzWSIYAfX6FiUfFaI +Edwqm5ZmxHItPQk+Ze8VN8jUEzzArrvGOZnctSZy7dMgT4WY+CNy3FUtg4WbmuvflcvCHlSr +ontSVeFjxL8qhkBgUzaxqohesB899mszzDyaM0GMD7FKt4UisOV4K9VqhXKHBhcKi0foQKgx ++VMD35N4+SqgSUF4+td913DNxdxvF5BKICwp9edYv6NpP/u9DMqG3lceVCy+rR3VEGTsFGNa +HpJI0Sny797FR3w4k18wKQGaGwUtdMz6GcmhnDxgiV2V1StLloK6wbAVA4YY3BfE4l7XmJZS +bStlL54h9tffDi0Dj1oJkSKXMdnI8FdpQEvGTGP9ARUz7MCxwiRzcJfOpfxATt3793o6fMLU +2dOzrCCl+09bgG5+wls8nda2RB2RE1EHksoaNyz4OGpq9seYGe0qhNLN+lvIJsv1BaZNdD0s +CaF+xbUGCoYQgvOh3DCiZbg+Ao138YEQw9eKE+Xifi8M36IeBTdq7S1OcRCwaDMmVchLFT5X +AHmFeO3L3zCO1C95WmNsFg04+4avHqgOp5MolLSrOEvKTnFW1Ebv2BJizs45d28VAI/JhgPx +T0w69M9Jpybd+Cbg93fHTXclLAPyQWXzhlfDPmKhukhSsG5JXIt0gyBUsq6lUygyWZcewBwa +uy2JAhwEEAEKAAYFAkxdthEACgkQXTKNCCqqsUB3ZA//S25k6cAkZpIddDahnJxDIon8VWhe +JzGmOMfb+hMbQ0y7xeCKRdNBa5yw3LKttLugofqcrGV3V6lmE9jWz5hK2we+ZAdCo/wXUWuL +FJQW8WKY7hmDBwxROJ4jgC0LTgeRZhYEvhKpCH/rtSQuymstcTJd+5jkEE2FU1AOsoAOsaPx +1DAb+uqSv2VefP/TG4sZ2vg0fdEuJd1+SiuTTLLEAnsG2yQT9brcXDvXPOckawFAM1KOwk7S +fkYekg0iSA4Ii9RlXOhpxNcW/zZf3WuS/wrCCVYoY6OgH/+rp8LkBG7hdeAfRsMjozqtBYUE +JwPSvLfRnG76neTa0DSi1bigpOMvHDIeATuS/hR7UdmTkSMwZ8AvQBOaSRHobjQwjfDY7WYM +kvErANQkevWiWA4WshsS/MpEKxiUe6SGlLVeJZfX1dy6Jmh1WzswqoQ9eXQXX8zBltPAfKFs +KRmf+OpHT94qYZsMhqAXOd51joUtCBmqeuzvdp9KM+R8cmuoPVqmZ8ZMdMbD2dQUap5yVxw5 +yO3CfGMXGPGfvA/8fOav/3MwWXUL5Zqv/ZhdjpP/ZNEB4txLJk1rIg4kjKrZxz2PggbMcCGQ +0uf3SBZa6qXPVT0KbMjzvRKao473eNX2OPqk+K2hIYuZTVhAcKKuvN8qQu+o003Kzw1SWlLj +1zrwaX+JAhwEEAEKAAYFAkxeUcQACgkQORS1MvTfvpmBNg//eJFnqXakbedse6wPpmk56CxU +47abeG6ZCu/0FTwhwnagYfGXUKGTCepVjI/wLpevVeoXDbYmrUOT9zxqIL2Xssp/wz3Qb+HX +deft/drFmb4XMrdUGwi+N1nhvPCXjWOtyUrzuYXnpCz8e0vjSfn6RpJ6qdgTs3Psyca9kPPo +1Zgx29sumQMx7b0hcmRbSxNOmm/vGCpJKb43sHsYN2ESMCNzazQtpbt/HZ/xA/HqJCfEiKJm 
+GUQ5rboqvhpruhbUFnuLIpGRvLJqE3kRm2iq1XfnfjXqUVbX2aHxNXcNKa601Yla3HGisEAB +ILGvCRa12hrmh43EPpwLCnTOIB3Sejndl+8waKd0smV7Ox0oT1nSo5MHl/VtVLJzPnCX+EfB +bzOepXJ5HRRsX5sHOTPHjJTOUuQvzfKen5nAu6iKsQnawpwQvIN1C7/OtEhqDAjWFr+eqG49 +bqN9a+EKu53bnXqM46N0/kRWXJAsHKfllki9e0bRKV5rIH0grsCN8P8qq5003cp/owAyySX+ +Pu9jFs9Hw4nGmEkuZPYXkjg3wTYClaPjrmbKfWXgVl2BjW+N7xU1yJZaAJSpd8vqGtLK4qz4 +wk0CrGr59EHPeAE9fAxNg+oonDQ7YcuDnHkVY7LNpIGXQkChrv1YgBzzAN6CFBI8GgG3C5Gv +bYCj+NsHFyaJAhwEEAEKAAYFAkxlr5QACgkQMiR/u0CtH6b0ZA//atTqqwPfQWupcXoA/doN +nXnBZDHUePFkCBan7YHitR0kPBVPP10dRfyd9ShKs25+DgAFTr2JKKk4ofc8ib+2SB4rTPIf +gvc1h3GgtI7CXzuwKdcHojmOYXQQsLaxcQDNqEJqS6oGh1oHd8DQJTn/OiARVUvxi6LkioOp +eE0KAkUOfZfnROz5E7ox2ImvMNvhy6VcD6q2q4E4nuWXaSVw13/MqZ8lGHRhytdrVLvVndSK +U9EP79Tm+nIRwgqeJ0CttcSESoKLngTAvHSwVpiMcO9rLfWqYZB6FmhEjCyPl7hV1e9jXf80 +PLDihKscVEroxww4nflbIFOPsKP12vXuQs7cQr3BFE9yCowLz0X961WM2V4Cc6o6txY1MzU7 +FY7mFrwIy9b/WNLBXJUB+dpnKzmY38ECLJQ+gTxahgumxaNe0wQclIrkrnGLszOrIgLyVAL6 +/qD2qUywoNb3WWOHg6fOabKfTF3zBdzSYPNRXbhWNxt05EXARXRwYR/mkwpAdT3TUgbGlOcU +hNAqmtzEvT/Q/Cu0nPvwXnJ1Foix6S+zrFAM8gs6zeUc8Q3k0EQvi8m54jILnt5QqYFSGM40 +FLgryKBF9hjwcPN1Hu1Qij8Z3H9MllV6Df36YSgKN1XpG3Jy9ktJcHvQPgHYVmXNsmQlmQxE +ei/ZYehdgLeU0Q+JAhwEEAEKAAYFAkxsD/QACgkQeFPaTUmIGtMxgw//TrRErKK8vl8VnvHO +8TK8KAMFi/GaRM0RKze4nJp72CGSrY5/bg2jAlS0hEKmSirlbLD8+U5/wWa5SrQT36AcyXYm +I3weWgzNSvbCS3N1WnefhlUhkaC1PRMX3AI7EqwyTUX7o8Q8A/HVTgbgHnIKxO1y1EhcfY1I +WEvA1wTR29928n63dmy03rKB2cJvQupGd/xRPXBx55h79NlLOJOadlYsUrk3B+RWBZHsn7xp +wWXn+38fwuIFs7DJye3Eh1ceDootTd6wlI7Km8Nh0+bCCVbeInxp3THavrz1ohGhQ8O6AmPx +wX7TN2EakX5mrwePFgHasLpgciOVRpDsaoQPF7taQg+d7knrrgbD9Xf6JkDl9/sxnlZ//t72 +eQR3X+CGQFmfhl5rw+h28FkPxrFO+n6nk6opm1z1n8FFjQnTzFxp2taqVs3s58ondUiPWb2p +E8HOHQX9b4iYY5x6hrZehkSwoJOlwGssiJZSa9eCWs+yvJoJOG8yHunh48o91gY7kaqxGT9o +K+2MzW/uwh7ztZ/ElJj4Vg4XTOqHgSDmUKZjA6e8Z1xuXoVT7D7axP0NvgIj1jjeCD1ncQsf +Ay6tynZm/+Mz/PLwfe9uYGt5ZncwY9aKZRr8a9sUnaaIjeq7ywugKfQyxr1v4sjcQqELKfsM +NLrvOMjw2eLg+3UC9p6JAiIEEAEKAAwFAkxi3T4FgwlmAYAACgkQzNLtlNIXOemGQhAAo5Zp 
+Oa83tEIyfPOcj7HkQPTutAs8H+kgxzPMLYFhXSYKLPMsoH1TGMFC1JH6PjrzRdk6g7jmoUEK +2F6EL5QpFFKFNVWahRWY49F67jryslVdeZKvFMEY0qjqsJ9nEBIZW8wJ/7BNvYmZxBlWq7PU +0SKbbGNVexMagwctygY+mdnknS6vI3aom/yFByVcVXIdF52GJiAWA9nIx/poKS0ecCd4UuZr +eQd+d+x/z4Bww5E62k2mB9d+VDik1kjzL7bXfPV3+bWoyBmfl9zEYgNnQ3ICurKztkRmu1/k +1+68wHfU/0MR/1nJ9DkEfBi9Z7T3shtCiU+993wSHPeKgurkQwn+wzkthCNRNs3kOwee5Whs +/zD/dyZgH+lrJDHmW6C8zaa/K6Om9+AacXLId1xjQpmmkO83Tkf9qQvtC/UlocllGxHo3hAJ +dfxONF/jwY6Zs8NvRWPuswTEQOLCLeww5AhVfapOLBhcG7xZEye6VLArPNq4OsD2b8NyCd39 +GxtBdxR6/8OQbGoEmrYf7aGS+ga6oygj/+ut1M6w4YkQCbLd+OjL2ZUG85tALP/1KdCp1pTg +YW/TmF0BeT7ICa/MmZeYyO0DUKqvsbH7Dyk0aiYgu+Gm3ob6JNC7MGadUkWIyjLUHkPNmnXV +rGT4KAkRtX+cQl/R+rR+ewB6RErUtCmJAjcEEwEIACECGwMCHgECF4AFAkoHaOQFCwkIBwMF +FQoJCAsFFgIDAQAACgkQRJdSeLhhK13PHBAAiyiTX8GMp3CgLyIiieHJnBIQS5fxBICbsSrO +j8OHWnNAVwkiRbtXZQ2g4D4NvyGBuPN2hskjuGOj7aCsqpE4Ln23RfBTAI3fF3JgMGwkqWh3 +9a7Sjnw8DwxqaHB3zfs2AvPnolSUNyzc45VslNsE2j359UmvwZAGpqN0A1GfobFMWjmt3QoD +q58C8EyFOWx/Mzcl0qUrvGRbQjQ8najAYugpBjdRZ0MzGfro/pmoETJnTgrZimHNXvDtSTmZ +HTVYYbxj/99Iw5DeYschcK0yvbPFXGo12ndRrEs270LpOMmBpdBaW8bCj2uzATQLZbuaM/je +py3bzEFcCHUMkF+ekIf9zp6IUkSc2B3kkbQmVJKxOeiKWzCXvuu6pU1nRqrG/565CRkwWWol +p4TvlktQgHSZ6CoIxzDnYRE0eiGpsLxA10nE9VrUCjME5a+AYLQxj7ztDdDfb5r9Lq+1/bUN +gtiiQ0fbaNVXXe14+daezFw0sCGB14MWSPQz62rkG6piKB4ZMilRijiicWg/k/Rvlbi+QzH3 +PGhqaVOV0JpCTfh3rolf54x3JN3bdlW8wcev0DLPJOAuhv8nXoBBdilH999RH0lGv1NzbAIy +7goaG+XOe/fmxiZwhUQhmTdfFnXEtR8UL9/7+dv9nfVY+kIZIdSN+Sa5+pGs7bik8dfi1xy0 +IkdyZWdvcnkgQ29scGFydCA8cmVnQGdjb2xwYXJ0LmNvbT6IRgQQEQIABgUCTGvvxQAKCRDV +ypsE8sQjvNDlAKC18LdtboThQEnkx1lTvZZSZfApWgCfdj0UAdJxB9OLNqm3L8ukPYl8DW6I +RgQQEQIABgUCUJ/lDwAKCRBw814kbVMecylQAKCzW0oYdLbYjN2+VkMFlr9WWoeWugCfTyfX +Czqy8U9NJX0KMsEsVBmwB7yIRgQQEQgABgUCSgdx3wAKCRAyF1wNwQJ6DvPzAKCBblkNp8NA +k+lQwKAeqyjGAr+kawCfXlAQCvjXpRb6fYYu9X0S4r3gdfiIRgQQEQgABgUCTFxxIAAKCRDh +VRfyKwkgwGBWAKCXP+R5VvROrrh366WPoeX552dN6QCbB8aK562QKVhd4OGwbqhHAJzpE7KI +RgQQEQgABgUCTF0/KwAKCRDU5e2swBQ9LSl6AKCpl0Sd/zaVE+rXCmCg9lF4Z/DyJACfVE+x 
+FXdayyRPKh6cy6g1x+KeMQCIRgQQEQgABgUCTF80oAAKCRD5heNACvx0dlAxAJ9JA62AWyTp +1xpVLyxGchSp7G1I3ACeIJGHywtqpfbJfG6YiFjt2C5uVVeIRgQQEQgABgUCTGdMoQAKCRCf +ePg86MQ0YfqTAJ9hOim0VRfs5+pf6rsMNStUWZXksACeODXRe1BY90f2o28VOFpxoDQMhZmI +RgQQEQoABgUCTF5RwgAKCRDaGWI3Ajs/T8IZAKDCaii1ecrI+HP8NT7zero94/RE5QCdH9zl +k7ui4NR8EuEegYPvqFw7cI+JARwEEwEIAAYFAkrbZ3sACgkQLQ1auHwlPVLxQgf/Y5PQaqBd +FXEs9QkD2Ei7WaD1AZkGwpICpVmV1kA724sJ0uXgLavd1E9NtjhMVKWYwdjEl2556oZL2i/H +XfRz+VgRcysjLM/ICcGDxy6OygziguJRpwBWk0xMowNgWFGIDvTt+Hlc7f5UnBrSE4hGmWHQ +9Vxc4qFiADKL5IuiLssYgJY31xkwSyWcEnUe8WolOb4BOX7SLuuTIO6u/Ud+Zh+N3o2amWBn +3l/OBfi2lM/TTrjFEiJ0KOfyutiGV6a6/SkfGKBzhgdzWj4M8vIMthxFAapU++3WXF7qNQAX +f50EN2TKXKHgmidfpWFqmbPhIkEaoheUYYOCaiaXY/IKgIkBnAQQAQgABgUCTHaO6AAKCRAi +OuBVvZThVI98DACKydotmw0GE4sNu7CHhGMZJqvSu2MSMK7IyjoShr/JU9PO9yXEB6TQpfLw +E5b9bso87SouahOJV+bYvBaLx7JTT0awNSMRxlGnf4il8F0FOcl3RgXpgv14YxXxs8KJHLV4 +GhHRwVxzJu8hdNltsTJ7JjJQS3kUYjBpIfJlyp4yNvZvUeRQJWTs1l31CkPwU6fXP6pxCP7s +loh/zL1zVGY2q0GrTkFlrCJIxceiPNll44Rl4PrIMTmBQHVipToRinsrFbyD5QTAjiorVol2 +il078fK2IeavCxtRUR6jTiHx4/IWqt+kPycq11EK4bFMKQIAJeF0aBoAX4fWOoSPIFWI/Nz4 +m+EecHCk5frctfxNV6VAB5Lf4XwjEho9HFZwqmSQ9snMi3zrEZnhnrCJ1/Gs/ALt9vu0Z6d2 +ZoLFgxW2hdOyaXrE54rMKillYoTLZ5d8+uTQVoN8XFz5SliSNb1tu1//i8U9Y1tpSUUTD87G +SuNV6q49gYSeDqZ54EZEiHeJAZwEEwECAAYFAlIqSIMACgkQ73Pm2lg2uBpHzAv/dOSlPdQx +6o4MrM1lB6imRf4KPTmjkIwnO4N5iFrsZch+BNJ64PdGukhuAi1EXY7LBJlXRO9BPxdJI6IF +R91ELvM5VzNzZDdwZVPDV8wJwkpBTQTgNJXCjETePf6adpQ1ORMm6Kg40WIH67BLBN993Bfz +dQbskas89BxmEdqaz1eGDaBTHO2N39jOG4vTNouatsTsUlDxCxNW/razg0uLgMPpL8dJpZ0B +4cCi7z/+r+OYrV2DQlJo6Cc/vieROA2ElFa3p9unYRcuY4Mcn6Hl4gA3QnuQDsn00GPDTqBG +OEvhjcrHghhB0WzxAu+lc6te4vOTS0OCVTWMNU/ROaG7x8vQSFqaNWxEigkVlRDofxsyGQw7 +CxNS1mwsYAc2kbA84N4OxMZ4sHkLnheoVjUYaXz3JmLMnlA0AerkZVQRfzm/+rlEwLW79G1G +tsVaRP0WmG9/nNZXAr2wfD8menJAIV1lB/pCSkNlHmEM4uGFAb1lA/EENQS8sz8NvvdvLNYs +iQIcBBABAgAGBQJMXHGfAAoJEPGmm+QpwP/ujggP/1V5FTQ8rwB8uw4u7Zg5EEta/aM4E8Pb +idUJ8KDr6p5Zad+hGWCPKT3nloPbN3iaYXblmxDuAYhHl1neH96tWYU6vygmiR2Xo53y06tY 
+EKQbdIF3+pfOCSFh9NnFlAqw72cMWsL0VqSoZL+SgY4IojwupFWPNIJbB0JaOSW21kFf6/U1 +juAbtat4J8+l4j8mNgWCUeHBENN78lYD506VIuuJRlsWiUBhH0unzY33A1BoJwyXo0TmL3wd +0g2JIGT5sJmpeMkMlKminVjZCcY7AzoTS60QrCj2FCGBtfbUOH9OQvBojWOPz7ALmKj/aOl7 +3UtGnvlscJPeilteNQFWEib1e85ufAG0Ry1AEDtR0GsdARJhqiG6jRn3v0lBxfG2dVWbHrFq +a5FkUm73c9r+xjDC5NquWhd4GHyG3IgVPMvkw8sciL33o9A/XhNdjQiZmpok77nswvbuNOEX +diQVnHcylh7bNaoXR6+3R8FVA/TThpW2EjxIg9TwAPfJFKWV0SWfyJSOZLFOiEYDEqBI190j +3WSJNV+p0+lN8CDu8jFHxehsTGOAALCSQq0mZTKJJh0GH7d2YD5BV9isUvsfne52GLx/xmoJ ++cKJfszaWq2FoMhIPD/tnVYA/LPodylTRC6/8C0WIMR0eAaF+ByCoU7aEMWJDEJfX2MoyQHa +fBV8iQIcBBABAgAGBQJMYCuLAAoJEB51mnJqn910WK8QAOJQVb/ihBQC0IsBpJwKyOH5B/XI +jwE6BeErvO0rnmcYTr57AXwKNYxOvtIV8uS8gFzfaZJM4YHsF5BNToT3l2UIrWGK+O5nUL7S +UM32plf7QPI/NSfyCtBxKWfXgbFQ8X/oNdwq7HMzCtRqZDoYv5btUajFsTP8gykqXqH9Ry4G +hCFmnP0UNUWwTq4D2/bImt+iOOw4C7MXyROQ8aZd69aUsAln340L7rXz/yGTGvabdLXKuVDE +QJtiZ1m/bewAw3A7zw3mKtMAA8Em8EJuTfmFvVQEpBBdacjwIn+ZpSzuY11arLIWNp78Yegp +mFsuCANZDr/V33Xxo2Bb+4cbuOzSlXw+mOx1WYo1Fkj5Ga2IGkTbijqByIPwnCB03T/3nG/u +hde1SS9YGGNL17Z2qDOlNtufKsbfPJf9xtiEN1vJ2cbOEDD+WbC2nvJQju4t4WaX06Kyok6b +HPqupuGSOaa9VMYk6TzPAOG9hzcD8SBjO6S59z/qtGNqKZOcTWpeXWI/4qdvWtAPmafB4fVt +2XS+vOwn1c4gNQFK+nCatlYywfuKxoQqGC+i/ld8wuniugtOjX4XbK2HzvuKMuCo0z6x/7Nx +pOJAOf1jgWuQWruIt5VEULh56mhglEV1vL93aCUxOE7kKAcas7Ojbve/EQruWlFbzxJW6VgE +1ncxHX5yiQIcBBABAgAGBQJMYDc4AAoJENeITEcY4Y9ExdYQANMHDBB1HSdVXEmkfVjMgW5O +BF0AphUt1r9ptI6NvzcuJ5lFTIXHDa263UBRpHb65EgaHYqKC5LKLSXmUoKXcTU9fBLWFRYG +N11qVpdoO1WSD7R7U7ZDbix76ujLCfOtPlqrh0TzHEzE3U22X3hxL+rHjDbvrLQuEhKbVYaB +WaY1THCJjB4SA4YcWOXUNNA1i+baXlDw2XKqZrEriv+zARTxlF1GzpXBoh9ymH9TsyPg1dg9 +BbzzGy6r99LMMHmt/kB8BrOX6BfnzeLwSmg4VZ/aUWSAKK2cxbvmQFA5HkuFJ2sUc2VXmuPR +DRY+vurz9PHMF5WZI8ait4/2m+W4zvsYZdgOPPkGr63+DVKssczpZWSq4zX5Ykmd9e+bsCUn +E9jAI0iH4P4SKyFt1IkRWMAaUxQjN2v5/CIyydaavQGKM7AB0CjZL2835LwqiboOmptxzuWJ +5HJM5JSqr1HMHP8vokNKcbrU0taV9IuTuBjPl198TR1vxPhHYcACIt6TP4wr1ApAsax3yoDd +T/KrmCaczIeX6BmFFqXjDM/azhpQKIyFGgbDzrRAQ/CatG8Vy1baA5uJIsmiLxc7imwtUf5r 
+uJOlXSi72uQd9eBx55mlt+zNHbrxULPYBIL4zOe3g1SXb0leZsvPjVAWcj21AgH2QJx1IoV0 +POwfFLEVCjTxiQIcBBABAgAGBQJMZY8YAAoJEBPAtWZ6OLCw8NEQALA9UfSTm/Zqc2pJn+nN +q4sfhPUhYlTUxE1D49FzF4GmUHDYzMlU8VVZub5LahrITDINOIidmf49wXc3BcjcEKCUjND2 +aL/0JMtyMMORH+3g/Vz8HvktL3EnOiTw+Z9p1GNbEROI195VIWwNRjU/EYv78ErcrQ99MzJu +O5yz+Qibp6JUSIzMGVTAiGIPzdJvnbd9JQXfg+fhanWKIIzj0dqNmH7tqYuld0K1nD/5cf5j +o8Gc2L8GQgIStjUF5OwkElnO45iSYz4rgw2PfHVQBX8GsLBGRhKcxUK9psNBHIP0eWUk7sTG +4/cbLgkQow+u0ryitmu+IJ/Q79NUiRNrw6a0rf2FUY3Nh/AbVqLVdQChKrxGtDQuJtpwh+uV +RYTmc1rPmyPbsWj6xmgfvkLgX14E+5EPx8H1wyRsRpBPEW+Wb397I5eEt+gCEjfjrCprD/xX +eNSRMdOT9NVG1HJ3wmeTEddkpbDNhtY09ydMzS1O3auJReh0L7ZRn8gPmnXk4EPamDNzY8N2 +OVByXKEPhb3bHD9RCHEaSe02BDcR1nbpbVAX3onquvK4ejZMuZIXXktbBcnqHz+zbRGRyoQO +Jsgh6bv3qun3fer12w22PJ8Q8ifhAmcS+Lhadvq4hskVprr5tRmvxHRKPgZF0ZqGOmqvikyV +YhFvZabdkKACAYCZiQIcBBABAgAGBQJMZsf4AAoJEBwB9EPJyTxaJbQP/1OgrWHtcJ39T7gf +wh+3lbFvmcQ4ggc45PfnM7jM+OZbkPZOMnTmXgDXIz+0SKbPUVH86XPbeZAXHXavtIFvqbPC +yC284oQeG0gzwS5yxygry5jj0fZmw2W0MfSQWEuUkj4HBkqEhgXGmbsYhCbbN6+O8XvBvIvY +EIYO5a7wSzi/21NPuG3hcGMFV2yzr6p2FtvXfO5biWGcf0yvkj0YeBzaCwdty4F+1qGAIHcH +oPhXCEggJKZtOYVZmsHz6/6RYghmRaSoGoG7Jj9+6udgZCycn6EKPVTE+p3tMiHxJzviEFRD +Ov6iNBC55cFhSbMplkW7fH/M6rkW/e6+1zhxP1K11gwNTtoMJelrePLRpf/w12lNJl9jhe6h +fw07mluEogjhXLVOQWSFjz3Y1Tfb0ez53ev/ooucvk9XT/svl2UM/K6RqyWYl1A8KCp5OgW5 +nXzRZ6fc4Ht9OY0sxMNLTLZ3enwrVa857n2VrnOgRTe8bFqNSMcR39QMAD6h9qmJR7cNbFKn +IyQQiOtKCDFbZ7wyMroepw8wNLXPlvtMvS2zSBmMC/gJsdZVHK0u3O1Rpp1Jhq/qsve7D/fE +NhHih8FBKPH1YXUOILdR0zDkyBUdXHBUpZlcRovaznkigKX6LL7f2SbXZo/jO0L1FHDhYQs7 +kl7OmWIXh8XW4m0ocB3IiQIcBBABAgAGBQJMduUKAAoJEK8ig6p24qx7z1gP/3wRRaEX7n5p +oZUnpEcNy3ZRQPAfVAAX07aBSnTuHzuphX0smAfJu5fqEuYP1XzBUV/WSxuQ6nGtFoVSLEpg +W3EX+KgLUGEv7Y4NI9LUNd47CNcZ3Fo26hQ1ur66c0asuLjseHbHl1aYwRgOarMy3X8JO1b8 +x3z9edPan11kBIeLpjlBnnScZVB9EB2ezptxaXvyvyq/+SAfRMnGKKO6qx5vG9uK2g7GOPJk +dzS5LGeguixNjh7pN1ewiSHO/AqPyywVGYiYB9dnVWT0RwCZMXs3YmytZHfc58EpmKDoI19W +MFA4Hsdgwp9ucXJMfZZ1Xw0i02fJQKs911aw0dF/hVjHSOQfVAiNvBFn8u5l4hgFG3JkZ6Yl 
+rktrC6HThK3mo+KUNlynB70xSLXwxIHYkQUTxGr0HqZgRQJL03pPqk2Y+Lx4ndu4g0YwnInv +1arb5Yfg/y4IJ6GDY6W6gvPP4wUrxue1w6BwqRwO0rD0vRMJtJqzoIRNCE8aqtQP96OmH5iy +xAQo39Mvz5cntzaNMV9LOm7RgSaBvt/hLwxfhG2KX6Fca8hAXo0Q9dg5FbHSyLxF0mSZTRpO +NPFzMz5zc2yUpjW3Holt9+5n9pzi8EUVwfNnFzijagzbL9bwuyc37M9wnPp5x2wLx3MF2o/3 +fNzpyo5Lh+IH7efZcG4XnUsYiQIcBBABAgAGBQJVcaVQAAoJENqCgw48zDo65e0P/2RDhlCL +zEUuut3KmGhBmPbiTX7CnpwFhatNFIb+C1EJ2giPmmrwn0O25ED8dJFC0GhZrwNatuRzSefI +yc75hGrTr/BFqRLAOD4xfMqOE5U4+z0frVTyuxB9Gdr31EmZ9miykKnfzcz1YY4MpQtzQOWj +SiYFgjofwcpI+b5MjnqG3T8q1PzONnvvx7BrXt0lRNqL5MyByaV51CPbENyhWeJMu5tX3hAR +rsuWoBP3kw6Df/ij5I71EfO4vD8C8F6AKWt8mBjyOfIpDmHkxNU0HYrmOnxzqXGqHTu+II83 +vgJOurjZ7TnqEe9jB4XMNF7w6+SPL6u3bNfzH0KPpEjzBV7jQKFUhllkRbcf2PeLnmzex3+U +pEJjS5HLOkJt3B8wyANnZB358921snsv4LVJmgx1aVpeYWNo8vRgzKRMZT5Qk3ckXmuzHN3O +FGKwLJnHmnha6rXG0ShlYjNY2wJjfmwaed4wU9k7T73tFbzoWJ1NXP37iQuEnOINVbNCQdfK +cvL/82Q3LcpiapN1E/QYdfYjNju9NVpnSFICDEEYOfvodDlxbEQegZdd8zVHayYQJuc62sUd +zPvMYLvQTq+x5tk1vJD+VSJ1sAbVZ3gzAANyMyYQ4670RK9H8z4ygxa09lAunkcJ3cUHRFat +JyRM/u5NYxmCxxL5l0/UqOJg775tiQIcBBABCAAGBQJMXHEzAAoJEPEUCEwIYRERgesP/1xd +2SPeYmC5X4OpUDsbqQoe79ojCbmd+2CoFHm+GM0WbtJHFi3BEJcVW//QNQJRSE5dKXCHtIDb +jDhzlTKYT4q0f0p25mWMJFOXqb8sNiorXXdDz7k7GwrRZFsi/XlyiIrCwVHwLpyDGkY5IPBz +p5JMXuxViM/TYn9BIX58rP7eVwAcazSBIs+QpAvUi4pfxNdPhrHh3Pczllxg6DamsEPBZsjM +fz7pJxiddkJgAlDpIa8C3ZX4HdMnoPZhMh3JHxry4CIceMC8BOuX4c3GyXuFkKTMJSlRViKG +57WyN7eQe17UZni23QLifLYD7V1r4cY7cWj1s/qsGtLsvtuVL2brOvHeHVEE7s6dWpQea6lo +jLtlWjNXvb7WQ6XNFqpal5x7MG95QbBKWGHfifhVt7WrDSW6kbouXYYEgRhSZBkPPjSZXTEv +54YkBVwCsb9fykKLOTy+wyJ5Ttj1kxtrMWsaofhDYOo9OtywwKL4AnfBMhE3NcrZ5Yf5MHHx +NK/A95j9p8/HY1dKSHNDRub7PMM73Xp0fc/6cCyl9sTM9SFymKvvcMFChRcy1ZF9kVkXP3w4 +ZzoJz2YSTK4zIRY/Qqc+Z+BhX/rRuhwiILuCH9hXhhvBx9rKBxxKcTw1Gl5hZ8nP2CGXNkAV +qSXL/0H8hschAtxw203KMvqbpSq7bYkniQIcBBABCAAGBQJMXT8zAAoJEIcvcCxNbiWo+oQP +/2mKGGHKVA63SdyOkyAaz+mV2y9jIw+0hf2D6eoQ/OJ2l6vQqc4atQ9NsMBH5SKo+kPLhfof +NcO6axy4ngb27YK1czUS0oyF+Vv618k+1WePw4Kh4afVZGrGsHBiv8DcKbeAoEn3gVORu5UY 
+ElINIsW9ZIuIypyFXhV/zf30zR8MOd1uuJjif4ac7V+n+O0GpBgzCkKZoCdO7NJ3QH7RmpJ/ +TYAug0UMY9YvU1P2ffTvZuHxdY8adJGnieFnsLrO7yYHlva6Y2T47m0QwM6BXe673hj45H7s +rZpbvNIEyRiXpucEm7YBCboiA8vBTjXOo8D27Aa5MoZUHF+znB9gRKWKUnkCyCT409yo8qJI +5uSm5LWOa3Dsje3jlzfQh0BVLbq2f/g/kgm06Sb8jWzLYHUvA/+K774sOQu2gSG0FkV8BQJc +M9RMdImzIMpNpV9JYOWZCzVbTe2ZzzZuNXQJFG7reuZ8SoB8JyrLEqNbfzJ4G+pNbXZbrSA3 +ybMgkaIvt5xDujQSwH/we/V3W296WHmVbU1U1W6lfW43KbOXriCrLl/j6qiy9ln/gkVc/Amx +Mh2RC5bKOCTRJ2TgPms2+a4tSpOrqapcpa0OnZJJTG/sifz9/3eDGPTKoVkN1fYZqTp+0s8m +NohYO6YMJsuqkYNr7UAHOTE1p8nhrq4RQlaIiQIcBBABCAAGBQJMXUTaAAoJEFOUR53TUkxR +rf4P/jp1G3yjSGwglzqEbvu4rzO6LrC8ZqnxOSWjKd8xN/CIje6naB5P3gRFLphJaDUgnlpx +nQYODkDZlMPsSmUY6+GrM+XDPIEnw2Yp2Vb6OVTSeDzgpjgNsdKptNGR2ENFpC5ReAKEKAUy +7bLcraD04IV35hnuHNevjq86VO+Dev/SQ2NJf0NrOuC3iW2YA5SEXcJYGp1vXAZjRUprOnxK +n/e04kTTA4b3cKzoEo/bQqk7C+7fLG1vHziDDPszsZ09G7eAhnhZmFVTk/jvBxJ9ra56Bo8l +ArknJ7A/LHvGe2SEd9MVcoKIHGpM3IPhJldZiXNeyz/HuUA+xKAY2Ox+p0vDlKUAF/koME7u +2wwx4ncMnRdbVOGNGDJTJhJGWk3VIUsicbQQ8M+wKnkJmLNI0ZGWdoNADdIR/xSIhL8bUaVu +PC8amQwK3VD7iNRcbNnIw0+Xbzev892lbBvav1Y/V6G9lBeS4KrLu1s5h+cmCq84RlW3xCzY +B3yZhWUeojvuplyNKPApJwkjWXGC1LK6VldZzYksXMb+9JxtoE6A/9F++NKqEmDilKl15YFV +Dy/beTjoSK1+6T6RrTKOPt6kFu2460PTa9KOqjpQ60hxOn/YpyAeEK/MtRuBjAT+wBCIX+NY +UIxHNX3mcl35l6Gb1nYtL4CxBG4h557CGM4s65IJiQIcBBABCAAGBQJMXyNnAAoJEHqPSei2 +NIC+Za4P+gLihkZlHwFEM0pNSR9GoL6OsaEnsUebefwcLSrX10Ee+5mpODki11Sf1flIWJ7J +I+2Gj7U2NtFFXBvzNCUDN30Xb+QJBSU+pgJERtXThl8hKYuot79wg7FclsIo9P/NEQ60/tji +2iSQ/w12NIApczn6FmX/xVaKafJyf/QRnI0mxQvd5w7JEoeIKvaUVjt5Zz9fUhTiM/9kDCv7 +E4a+PuVP7nyQdSCoduhFYQwLf+727mxtdLjK5OHXl1jYx5tcFdTyumZpB7bG/R6U2wb55kxd +iAltk4U+59p7NG7JSu5Lnexq+p5/281vVH33PrIINuZUhmpPovFNeDz6lFqEICQvaiS2STte +/BY6yBwIDx/1nUhiBF3yUU1TOQrtQUfRjox4QRj1g8YpGspsUXagBltN04l4tev6Hw8tCn7A +/f/RkdQ/7U6N24ZP3BdBx1R9nKvksE+C+v5QwlqpufU8Zaj1YpmPBn/yfSzSCvd9cE8pa4zO +KujACMEsPh0c/BDoiWsmxKLTzOoeKGwl15x6x1Y1yTKOLD0wXXvEM0TVF3x3RJgvpdnvonN6 +c7URWq31zKcISwLOKCK1c0UK7hyD8zFISiPChiUUdGicZ1Jo0me+xp7R9b2QQnwVj4kO94gY 
+maw/3ouaDqOrU80N5pVC5vC8XSp/iGAY8wR0fc0qsPY6iQIcBBABCAAGBQJMXzSvAAoJENFd +MTiCAEFz+XAQAJo4XauT6qsxxS3i4ADlzeesoE5g+QPzg5mpVP8NA+kEXqLuvW7ZZjDzMClh +bpnhT9L6lgMdKOzODa8PzMMe8lMlQtGQsfby9Jy7c15wFwO3YLr0OesnS0gGMV0cxpu7XVmZ +ROPqOn1eVk25eaZHO3dHrc4ve2OMP3ZG+df3+kwQpiMgrl5x+9UHOWfqEtyT590yzofK3FCj +qHZwMUt2pYeCksErljI2hmrKDqp1zVcjE7OoQwc6M14i2HvhYwAtvEJTuqyIjFZL/XzGS4La +2q43fiLlAJalwlvIBEtRH7E5qWJEiS8gs47+Qcwigw16RhVp0FxhD7kT1vHrCoqwMFh5ULQB +fEYVQVbfVaXU9vL61LOvPfnE7QVCMnREwzCyYlD+FonI/LK1pqbzXgEJjh48rXEVuzic1G3Z +zipxiAbJNattO5aWuQjlEQv1ykWGIwh5Fa+LEQ6Idcxi32CsD7FFCYI4dg9GpZwM0NjJYrYN +sN+Nl8/o96LBGzCsminV+M+jXyGN7S08DoEyuuoAwmiY/48lAQJQChMH+M0M/UthALdcTooe +epFC3AiHiIaKUouRyqo60vNbAixbv1olxZpu12KlgCAg/ra9VcYjvt48msQTtmDQLz8/aY2L +eoFLm4L4NMqIQ5Dxywqen1MTKkk6GIx+7pAJH5Z3izmQJEYpiQIcBBABCAAGBQJMYe5MAAoJ +EHA3PPEpDbnOyQgQAJcCcEi6GZBjFHjNE3N2iLVUMItWSEdx93NabuJi7FpuhorwaJphZiYY +3ehgSa4t0/gNzkRkscCmbzjAr/auQsS+iSpINgCKUJ+dwOO7t03owH7ARXb4gmWY58poL+J5 +ZgkqDok7ZtW09G+OenTaAccIpmb1IaGHDASwZ74EuH5M2P3iP42h7Q7Slhxer1GVloLD4SPs +8W/3Rslwh+/ccYfweNC3gLvU1q50bj6kvO6OWemcI1NAWtxEDTGjsS+BsXBPlYQRF3tqtoQF +Ht3xUKlGjHBO0DYymOMAlQzXfW7uqUYenrOXmOV048rqZxRtSdQwlXUHyaGIuyCRWqzzqYip +ArtquhHSSKedxe5wltdqeB9G/D/zwHR1fz4VFkECxRp0rWnnOnWJEp6+uxYPiIV/36qB7X9d +NFxlt0Vu3vZZiXgo9RMLjdQdYuBBJrshlwKkOlYPDzpYjHWmXJjKUIhDTqD5Kr2CTw3TrRyu +mHevt0nbqlnzoHd935ZssJdbYGDC+F9aUfcyzwJN+CH34zKz5gtteGP48DewptBF61Dyl0Pa +rHthrkwMqdZBA6cHE4lGpvrGh3GXASqf/rtAHwLM4brOhtH/LYYjvO81wThRmtjyjmSsokSl +0p496fHxPDuGr7kbBDMtdfVdty8zJ8IaWI11wTYExu/6VgY9dlhuiQIcBBABCAAGBQJMYfU5 +AAoJEHcx/Mxj5OJ3X+MQAIdfUJP5Pmxv6T+yNRYSZ44Kx6cJJVvPtWkV+h5gx2sY/uTAS4/y +oiBrtnxilEr1D3MbWyElI6jZPlDXxl/Jx42kEEur5BkVOFmAmAJYRork7qCds2RAWGnhqlNH +vuMIz1/PfJlcB2hS5qo+JZLxTFk4ltOTUT6W8ENacKzcpzWGeQvqG/dY8H8FL2hnvNLiGITY +XZY6hWGvW5Ti5xzIBXj7QN1C3WZAmxTOt9C/t6PHHktfC+MNGN9zQEBAn9MLkE80oSwEX38q +/ukX1RpXCUTZmxIbXOaLc6deaTcxjJbBOX+YE1dSXrg3KxhXg1IUsMVBhQx96p+yhTUwznfE +F3pZQiWZhVP9/qGa56tR6pejRM8nfgZaLNcT7nVibIk/7Js+fXRYp5nWUKf3f0BoymQss9MU 
+cQLFs2Dm/l6iX1gFUgqoiOVIAX8DRc7MfJ+UTlHBOMGDKVok9nVsZegQYe6P/C88vfFlI1Qy +fV4KAdAb4YwD2HatpcjDcX5TRX49mD+pmK0bx4+L3toRG6W3OPvTcsaubE9peNfjwS5L6CF/ +M0Fq6IhIUobcDRjmUNtiXk77WmI0ZM1RiaaknHHCHXGQgS+QPd82Htox2ndOwP0ScgbqlL4D +LT3ZJqRJVWgnWK/n2BrctT63KFAZa68Epm4v0GZtTjpJpL1DYnUd/J6OiQIcBBABCAAGBQJM +Yt5PAAoJEHfG+0Pj0wgkbVQP/1NGXS+oar0Y3GuQZ+HwYq4t7Sh8CbCIZlei01oDcC95Fl65 +HtTZJcd8RTPCkTilZV4orC+gHppLVGi2GQdSJ6C4whlnliwDtgU6uJ9uuP6EKTsGh1jAoTlq +eSDx1n8/F4JG6A1xVOekZ8NzTIfpfdFlAYANe+z674ZrRPi6tL5euQ9/iJpi//bZJMVvmttM +2QJ+XxNn/CrGKGZbA1PjBYYol3s7DjZLhR3IhgK/rvmVCo+0waZzPqI0CD/axU2OXT8B4lIG +WvDcccX/8p1tzIjlXNNsDV804c+VtUVX3jZMISmVMWLfkShhnUEhfwi5CUNtctL1SPlqwvbK +q3bxZjol/OFu2KbW1IjhZ2dJ2e1hQ1V8jUjSYQ4xdDDwzS/Z6EWWn7cLycAR8xF4CQd92hCx +o5AIgkQGG1R6iraztY5H/fdhXjzySby6q9Zvfa+rw0GkXpJzffKwrjZu27+QCqvNGX/3b1f2 +s0eZ3EkFam9cMD3df8PCPU7Wt/IN8Sxv7JQqkb6StQF3NjI/lnFLcb7qf4dhZItGZBbkWfwj +M2PMEIbCl66bi8XqviJUUskn2XWfhaodv13VyXGeGzVEw4+N4auDM1w3WZ5SnSXWrFazIXCw +IBWYFSyHlKawy+Rd3I9ueYyA7PqgwdczNxTwILXhB0+pBd0Z9FMxjL85C1N7iQIcBBABCAAG +BQJMZ04vAAoJELNGT4lqoVlI9tEP/0yGcqKoQuNUIsuMasD3zVuh5j77i4wo/FCqQvMQIlzd +PWl+gC9W0xDA7vILOcqZEErIi4PPGwqpQYGUgh9KynP4HQau+43qe2BrvdauFCIJPsmuwfER +OwrgdSkKyvdXA08WG77v0a1V+u6nsnmbXg5/xZZdwCAKt+kILPVemxeIy+f1AAHj2zLnDGfy +0JE1jN4w+JZrhdWtsYXWMnfRFQQqPbnVqi5BkFDeRalBn0R4mLTCCOZn/fGodA7EdmRL1dLN +X9FbnfD8AWMDEPMDZ/h8HdK7dD16XxW7i5o6ZbVvftyf/yaF+bhtOyTHabkdSlMJXHzl5mnW +mH8NVlTTQt05SJ86NhOjr98dhSvcQOxFT/fVajDcXAQbdKnylAWHEjnejGgt9QwpM99l/Mp4 +8j2rLgqfexF54y53km5ssTub3QJ19FG0FPLvRB5fnXfzOvn8iDhcC5V7dA7q08afUjaLDTVG +6byCHe8TR9weCaCrV7vvGHzmEEPRNzu02C86SXGZw05eRMWFKJL0AG1avj6k24hsnatuoUke +6IA5zcx81GbkqPDiOiiYJOEZFY1Eokm6MhIQ30HwUO0TQ93TdNgD0pJdAiElPyhs6csf6/Jr +ijOSajEDcEOuKzqYnrmY2AmDgfyOrjoW44ADKOcRTnnhAF26ljBzwqa4xguz9HEUiQIcBBAB +CAAGBQJMbL+KAAoJEORPgBbTYw+Jb74QAIQ2ADLJSvn+c5MBWYwc2NcFrRHIc0JXwmn+wzG+ +QLeFDGO9SV//LM9L0XIIbsFFn71Rv+/KqyFLn9SyeGdJakuL/AMC4qF1m6bCzwSMdoZeYBwK +2r3bgPU4xW94O8zKOfRF9kwxP+QK2adfR1y7j3X70rICZYAua2ugkZcIDkN549PBze+2LYnR 
+3CIhyOV6nYTArKhYuaDiNnS822l8VThOgk/Dmdof0+ExQfl7Nc2oAk7wljhmLX7nMonNZcDI +ct+fDsVS856UYg3aJR8EuDCAayZHZvo24/bKPwroxl26+tEEfsqks7epWZZRGY0lH+IY2qoP +oFhHPodpAw+faiafD5/06Vo3SzH2i/btYQEwwCCA21cRLwpv9432Ia4ekvjPQ2E3fjBWGyNs +UA49MYhtllX/8jk6LE+AIU43PFit6ZB2BzVBunsy/LH4ZLxdi5sLTA1f0dO9jNkqf3xGbRIp +PVXtQ6t/9PUXAy1evqWBQgRNHVScKL6pjuoLurSIenQCbcNQo1iNLB9DuenAHNUBP6Ny3cby +hqMpazBoCIb4HqtdeUBmzdDZ3okIdjXQaxsHZhDsLNQM1ggj9mu0vJWSkXfdXpew2Z/J3Cco +lOuTcTqfGi5kdoDHPLvFDEYyrGKiHTV6P7TxoIxml4A0rY6gHFYlF1b5SXmUiCt+cKMgiQIc +BBABCAAGBQJMbyrFAAoJEHxWrP6UeJfYj6EP/0SlRe8esTX01wSot7D9mZfjK/yvpA3g2YQi +3U86Nb2vvLvJAamLzV+Ka5GL34lPASAIgwfilQyVhmAsyTOQ1sIU+rPav4olOoUTBaORlzL6 +1AmhtI5N0HpjgnIDLmtKF5F/kRxm7JmcgnHgiKoSZCzZH2tomVVIGA9/aSDznr4N/uJZ0yWT +6MxKbmS3udM8WAgKxNN8IB2Z/xVDJ2dXMt0a4IgHNAn7wgfaizOiOKaJ77c4c/LNRiyhomA3 +VgHDBTP+WgDwEcJupo6RiXWyvd1yDTEsHCApieODSIlniWUePiuwjBPNNKwH0/yRo1fkK6cY +kqbCD8Dk10p7HUr1+BEGW2fns45mpwJH9PvbJ7e7VldPs7AKmEKC0HHKZ9BNa3AJiujwnaUj +EYt6hq+/DRUQp6iqTPDAKE1bNTA4JD55zd1gGthsGHKfTSAydT/kdvxWH8fK6F0vOssQy7iD +o+8VVoVpbl3qJ1MtvbJTxum4ElFhPYaG4Oh/JPK1vhWVXva9T1PX6sGskdC9DPgDLStCweq3 +RqzAhjPvcqgpx39mZGU/SQzwVUFN7aqASNl0ZFUMmnZ/4aNNYXY9yEAvx8GetdZm8s+0gw4O +zecerDlVf6xykodTT9sK3qiiRF53P5A8HlgyXoewut6MyKGEwhItfUshFSp7MMMJcycl+I8Y +iQIcBBABCAAGBQJMb/jgAAoJEJ0LXlse7I8OrucP/jRV886elnIly0yuYX3ALXDPgGKFwbRZ +GWC1qjf3ESdrqjC+On7jMLnT3/A4l03F23bpHEAOnTl5Ounb1PrhDnvo7msJUH1ZdtqsoT16 +sAPbq14Rsg4+n7f72KYKwcQaNVkgizg/W6a8VJDOxQQgkrZh3Lp90O8krIp6MDgd+XKEQRjV +HxyhzpHHyqAaY+/nhRY3VXATZ/5K4+pdyRt0aWlpvftYTvX/iZnGBrsfjgYkBZnix/+PfFtF +A2p0AXfiFfFuU3BlE/kG35gGDgbYf9SouHuYeR6TLgEMOekxeqPacbTTpM051Mq4tewfFQHM +raLLSMCucl+duu7kyDRXfwZ+zoQ7I74UT9gRkI/jSYecRKAoSYnoewDo2bNMEsnYjFwyf+Zt +MEV3glEDcE7FXgm20YYjFb7uMQIVbiuXnFho9RQFyu6z67cfIcJzEn1pttMdV0vmMfi872Cr +BKGHxYu4gP1a+yQWx6N4Xgm1eJVdAdzhmkX7mH5C2GKLPIWzwT+onyi3qCCUWp4NL+2QescH +IVkc8daU0AH4IGp0A83dpRDb91vYWFImVW2brurAsBwNtKRhpd6yG+ufE8+9PBzQ+hZD4+C0 +jyR/T5HAsuMQNSfcDDEi70E6wRLEd/KYp0YePkoAKES5CB3n46XS+WESddBXfeK0OZpAbXye 
+45lyiQIcBBABCAAGBQJVku4RAAoJEOugxsccACVvHtQP/1218tsrXF0nLofFs9edddWw4NLo +ZYc3HvELTHfyq4/41ERGOQoevO5/3tMzSyAG5C2lmKOz8SDHjAwkLmbqiYI2EbwYxLg1lTzw +1jZGpjzBfKm+dll3SWroKiyesv/iPrExc6fJ1mxLWtP6G7R4m6ibmz46uywwreT6WvhKRKzs +IPQdf84W13y2ItpFe9n2U3/Sy50brOnqAiLj/zIP5PIaaHzrqUIevdINFgyIWee2s7tTDcNm +zV8TV6+cMs4jT8nqguNy0lBGjMsSm4BviQRZJON7h/v3/yf67TctHMWJxeD62STnXS6wjEIk +TTYSNSEZGvMw6Ti3lVB4nlx7WW8wLX9X5/1QdPc9jZyVpsh8QzqUtp+jDo6dfXPBYfUlwm1v +Q84BVfcknpMkVMDLX9EMS8M2HLWBGCOEa2/n88ocUnjX2ZL5C2MGlK1TTyxSWCA8D9beVpKa +PdYP8JfUiZpC5nLKKBvyEGJhUa2dOY6jdbPRZX+V2TWMIwGWq03kSv4VBHdErK+HUXXcFvue +OdQBEOcN4H78RPd20CNTEIE4bsxgT+riXcjUDDrfIH4EQsA4oh1Z5fXpE47y3ZMMJuWfRzrg +es5QTKNFKDfLsDwPvgyJV3iLbJeKp3G/Te+scm3UDYi9dCB0eu1MiKM6SIxrJIGzl068Xndh +QNLOTpCjiQIcBBABCgAGBQJMXbYRAAoJEF0yjQgqqrFAvAsQALNsAqgOJrnudiKERxnGU8dD +YlxWPADlESd/DfsoEFkyd87GXVzfOE3ZaGKW66PB/D8eEfiT3wWVNpmAfIoHePXkPsA7NSyD +CORROlpxXE9zFaiRYMzY3EdCsvSjSn2F3K7pymCC5yuYFXTW1J6x+CS8YCEautV5h6oIsGsD +4zqXyHLWM6Htm1J1Rk0vW9tJqtfO39CFD/McuOUC6QMNLeBlWri8VDFmdGixOmLNAtBoZkPv +i7AE3BFa4utWcLLjm5gMDsPW2xag21LAwX+xiZ/G0xkDfwKM6w01KcIp03wVzWBwtaUApsmu +6fsH6gFPFuqrAKadAJY/L/U0A5QI8Lw8joq152skYYwzwC0INYTw+gst4IJDWPtjd5sK80Q9 +NJpnqLJv91KAn5+Ya/i+K3jjFQLwII8x1rX+B+hxsbofh95VdfPJW7W2ZMFAc5kpiN6Vmw6O +X5i0x407cMV2TslvGI5L0aQ1T9mnMipqMnQNX9sMjCUSRNVa1DTYPr4ANkPy4ssXxenRN6Y6 +J1Y2KORYgm93FfUpQaUUHOPzBT8PlfuTn1rNZpIABEl7RB2qpsJIWytQjZ8U/9epUiiChMXk +1zmB8izRWAoX9NtLM7KttiFht1nRYgB+8Q9/Ta5mros/htAW4slcFzNwEqFFEYNpgdtfh+S5 +50o9SeOpmQQqiQIcBBABCgAGBQJMXlHEAAoJEDkUtTL0376Zk/AP/2NHH69E18cRAOuET57I +oRZmJqa+a+cIdmXFIhWlxUtQfEBdXwSDDcCNVZCWWabiHieSEahXSbCQIpjsjfTLHVVmBBCY +a1XFHixF3tnR8auN/KONFQ5tl5IViAw0tYBX1zbx3FqZf/XMqzOr/twpKrbI2VaslvjPpu1E +sZ7KiXnqjWU1Dp9ydwK7sdb34V6w/N/uonaulFq6IZ4GzQzIaF7/SkOwm9am9TKON/OmE9HL +hz4kGimtnvztfaGQANF/YxBdjXEvtUp76y8QwXrxOD8f7EFQmascGPIJqgR9KLYp1Tsw6EFJ +eKpDGJjzevkBN8eeIDLOWfcG+qlhNHHtnbfXnv9Ojr8b1idvSsdqvwFBAjw2svZAK5f0wkrx +KU3U5/hTIz89EQuT0o/oJWBj67ONQYHyh4CYMZi3oTiqFWQH10utKi4kGnM8jaDA2No4q4xk 
+n6L99QIU+RClkamJVBQdmzoSYpjiFoAlXDIhwQGt+QmhbizZLp6NqxXJOOHJ8ictRpRlzHOq +ERlLNkmaaf4YTyBeEIH+GYad/xiqDQqm5NQHFBira2dZskxKC3SND1e5sTd0nYIur09wbJG+ +z72oKoiPMCf4Lzawpi83Yz3Swks8hZ32fbObhuiAmfXqEfDlhbf6Hz9NqTxE57faXm8pWrRy +o1QgHe7WNpM8vth/iQIcBBABCgAGBQJMZa+UAAoJEDIkf7tArR+mQ54P/j192Qx1SS9xW+Ao +2V6IdWidRtV25Pkt4LckZAIJHfVEvjpM8z1uuY34YacjFeZWtfI3mpM9JUQ2Zx854oSX9z0S +iQ0u5XnPNBavYZ+DKgGygOyDQdNdjvdzR13IT3RIu+OAnAFkBfwS2r8i2rrWpeZxltPR1Uc8 +J0ZtJ+DLgdbtWZxCGIl5eupdbf03oNQ0GHP/h4W9Ls2kvJOzILQx24+9tCZBIi6ZuHjlawhV +uZwTvhuc9HNhl5knHeyOZCFfBcNTWFnxuHIzYq0AU/12+WYuZ+SLll7+yA1yHpP7tQrz6oSY +rQGLzsBq0/kONM4WYmhMQVtgxuxjZV7DK8+1f1YlbKCGrk/R4lZ2JklJ2+qI2WMiiW4BdZ3o +CkEi8z5Z2vISsbTe9LujYnEbiTyCiEZlrz5bkavOgMP8T/0NlA0GSUt1Jo4hkLG9eWUfYgq/ +7N9vMQd0ihpUVKciJyqaSixVZVX2OdUW0nCh2ftwOzfvjhBG3GydQDb6Q8tdiOeLL4kB/zpO +VfZu3UydE7CAtqzvNj9DRR6hfyuELHULoxkP7DHCJIx2k4ZZwgUmLHYIyni8ITsRUnapzqwO +Gy4wmQM9ZGvI1vFXINsV8FUKg55scO7baXwizGX6UQ4jwvCBkt7i/1lYhY5udn8vmQ0cRf9Z +HjKhTYfZ05hp1dAc9Z7piQIcBBABCgAGBQJMbA/0AAoJEHhT2k1JiBrTtIEP+wRhrJcz3w7K +y8F8xF7+ihU9k/lvDjqZLlYKuX6kJsTupTygmC7bNVw4uBfGzlujY5kroa375kGK0Q6Uh4PT +ffiySDUmKj4ap29rlLT3JzFuu5CIH2jskPEAYhqgaf1NZUKAcIncDtVGZWi5J/Gi8faVyRnn +tE86gVvHzlgsDoz4WLE/Wer/LUkotK66I9sn6t877lm948GIrJ0pknNHB1bCcR6YhNRS6fI5 +n9W3bkHBBs+ilCd1GlWKl+a/NmBnr3yMKEYrM8hdh8RVJlHW1puyLruumoxolSToGvhAIPV5 +E8D8dc92Pa5N0tELtw4a1Ao9zl4X980QQ9XPqp19LdgrN4ipqxgaxlVywzSq1fObqtSd5IYo +NuLz3PvoFeoDyP0degy+4PxXX+hERcpe224No/Oo6cPvyxblgftFpMlRVuxLJx79m2B0db/A +lIEN4RAa6mO77ZcJnAeInD6ZWnHw+bVPTbGnsz/9L8EJA/SjILpBcG9UO9pqUYu+aL80AgDF +FoWlq/Oy5YOjTIBBMcE9iN4V7RV0S7ygA7xXQ8JEon3lrgVNRQ3tyrqclXKw90ehPS8ntYJe +8rr7M7hw9SGC/UwLlZctG0BO/Le1aoRI7U6NTnfKgdhfn2UAPX7tgSAX/xgZDcuF3T8KeTwH +/GYjjUzgeoKuZMtfMjXtEOfxiQIiBBABCgAMBQJMYt0+BYMJZgGAAAoJEMzS7ZTSFznpEuUP +/ih8u8cHaYsnA0vQnfXUB3NDtKpwPA39yTh12Em2QWP9ezw9CizD9VRBmR3kksbxvFI7lNHF +bBR26jzHvz5wh0OFAoL0QpnwqO6YVDYAnDbwU+9Gyk9zFz5WAiTaj1AFMA2Y6tfq9M6eYOG8 +7eNVVdRI6NOwmjO5cO1NNFO6fo4zxa93VLX8CS+4Xgt+qYnJc6bZDbwUPdmfSr0UgRVVbZAO 
+CGE4f2tSeLQwEOkO44XB1rgRilyGu9dRShgxLQoauAXzsQvqMzaNwjal2bz+yunhj14Q81xk +xJZ96I0w7IzMPmu5tjyPa/1Bhn+f8cHkqQQKcu4Bf2OEtANNU6M98reiS/K4cHEj0ChdFiHX +l2z4WxSsihbC3megEX96l9A2uVgJK0VsSPQQkGKzVsJkEAsld8tC4XK4OzukpXB184h68huy +TL1jdJkYcZoBQ/3Lo6Z7TJ5ZvnUhdpuvQdRfmBYK1AuRuNuhmPDYV2/qqmFOYBrpUY2/qv0k +xOYUduergCG6cI8zFK+KWn3S3sfxVt/032qe7oa9/VsloGBRwiaLl7MAwzHJfUgZCMIcfJgx +6sQRhrvZbwWg64UyG+xFuocSqTRkcCU2fezMZHhLA6B6CZgk0sY/VBQLBBOy4bmtb54AslmW +f39NNnD/VzkSqURypo3aDKn/f/v9+JNBfcCJiQI3BBMBCAAhAhsDAh4BAheABQJKB2jkBQsJ +CAcDBRUKCQgLBRYCAwEAAAoJEESXUni4YStd9mcP/AtRNozdY/n06hAVJCnI2W0U0/BknKBd +z8SXGItd3Mb++tWs8tMvZw40hB3C6oQJu9CdZ4tzZtf1jSUxoAJjGTGOiz0pooeINAuN0xRa +eLzUPyQNJpd1/CsZPFgtn4FeUa/T9WwHxZn/XzDBPd+N3uKzM63ZRpKU2lkSvSrh7fvqP13A +h8Zq/quMgOsCbQR6Dp1swJIm0s9gPfN4mEVXeknXnd2vRGrblJYL3u8V7cfjUjnCUlFmB7U5 +TiROYZYeP3OIuDsAqv8+xweBswWxCxX0LYsuRHRxmLKWEYHAV6e0czRSJYKQdV90+URoOZin +Qdeo24cWK6caJEavAHFnDcKP5aMCrCtp9hM9EB1J5/w0zOEXLotwhD3cWVDv1k2s0w9wkNZp +PJKRdXL9f0en47MpqJqR9/8U9X9j8t8tTUbo9PcUcf3YB4hvmEBauBHrCBNslMx58uPYOFjV +YqbwHUzhTKHhUGVHbCkQrUOjD0z3sjKlzXFqO8Ba3sDAP+hs9+g3YUQX+A403rYJoI/b4Bvy +eZ4ryKanz4/zhskMDdSBZ/UvduPm+gHEyq8Xtj/jxRDX0EqLvkphDdUgZqnmanx3FkkH9EOx +fUxnqpdwJvAj6k3diWEuei7pSbTBlqi80fLRUm43135UP6AryHtUnraBSsaGskH4pznmwUfW +Kh5WtChHcmVnb3J5IENvbHBhcnQgKEV2b2xpeCkgPHJlZ0Bldm9saXguZnI+iEYEEBECAAYF +Akxr78UACgkQ1cqbBPLEI7xL7ACghnGFWacQR2ySOwHGcuP3y2NepV8AoLz9sWYoqYd0SL5T +192WWkJWAboKiEYEEBECAAYFAlCf5Q8ACgkQcPNeJG1THnOB7QCghdTeFj/8kaopb1WjUCof +BrrhzNQAnjYiGUchyKzDS++2vV4VPwxvMZZIiEYEEBEIAAYFAkoHceYACgkQMhdcDcECeg7B +0gCfXpPTRYvu8+YGBrnl3ryzbBrYCiIAnRMek3cGNpJrDT76nPCVkp9J7zqjiEYEEBEIAAYF +AkxccSAACgkQ4VUX8isJIMAYjQCfRZD7k69DKbhcMYOYWt5paHpg6SMAoIPdjQhnId+yPSTL +h05O6LtJU7XOiEYEEBEIAAYFAkxdPysACgkQ1OXtrMAUPS2JYACeP1vgz920Qbq9CMig1p7V +9Bve+7sAn0FIeNCiAGp7owWq6mZX4BOD0o/IiEYEEBEIAAYFAkxfNKAACgkQ+YXjQAr8dHYl +2QCfa1lGYuTcxswPc6nqR8P9G1KoS5gAoNsq+dtZCJmYMIflfGNOxlzLUsNziEYEEBEIAAYF +AkxnTKEACgkQn3j4POjENGFPMQCeNYzQIXlYtcurpdjQru//evWc084AnA4MQEEKUkVvRLOl 
+PvkCi847vss1iEYEEBEKAAYFAkxeUcIACgkQ2hliNwI7P0846ACgm2JlzfNk5w49MB4cGDwy +Aodz+MQAnjanm/JlttRZCU+zLaxHxEj4JovdiQEcBBMBCAAGBQJK22d7AAoJEC0NWrh8JT1S +LqwIAKQmrdBXWS2UmANTYLBfDuytJJm+mHj1YSJ8ro92xzst6WBmqxMwQ2EscOv7S0rI/LGr +8PfXBnpp7Mf3zhwEXeUts0ZUt/Vy6s8UAVPTGPSQlj/Ya8u0mFfXkdGsLMgMdds9Cz8fLbZr +SycslmVmLtK4S+rhjQhJ0vXt2sL5VJ3HRznCpmSP5+ZQOlH/PenHLmV0kC9KcOsrxgvV6Rls +HIZ7oiATogYm/kuwXwQ+0qQAMsTY3AGwE0yuMXvDuDUnGdUBzaZJJZ/wodDFYlDxTJb9NOh5 +P7PDBQghiR0LrnU+Y4b4Oh6ne61EyGRhP5ULvZ8RZsvDCO27gjNxRH1nJkmJAZwEEAEIAAYF +Akx2jugACgkQIjrgVb2U4VSOeAwAsBhm8cj/o2YZPP0gFdUCUyr6ecydoD1d0ER8wwvOci64 +bA6Xeu+i8LtcAHKowj0h1uVye9SXK7FpfyPlD3j6hbikG5CKXSwwEfEOUHmBIdY+UarL2Att +791yM3hADK/LjKObU/hEFs+b50xsug4pbYGbnDgitj4AG7mrqLLReCAV708jbizQyxizDl2w +/aXbgRvjjVczuxFeFYGlkIFv+da3NoeYCV1oH7Wcg2vrBb+TrxgIbAMW4V36v+fIPaTsderL +QQTv86Rq5Uv+FvZaoA1y7rXMpDbD8OJ1DdRv5BeDAGOAWUFYj+XDDdpfKt91zOlzfr74hikP +1NWx0NEyG09wxvkV/6P1zjbv8NVedwhDBs6QQsco/oYx25Pqsin+x0mnc1NiDpR+9Oe7c4ha +6JzzN3ufllxydLpK4D1RC/ITKhNhIrG26qSEtk9K6zM4QQbD/Ngh/hztcHMObLYv4MIz/Uus +K+CoJDI9kPAISK7zKTHfGTbM4O+gST0gqcFSiQGcBBMBAgAGBQJSKkiDAAoJEO9z5tpYNrga +fAoL/0E2pxy8oF9vH2d87G/tYfJB1sndWixltZtLYJMZ6HVAwYBsq6ju02893SllpZ6xp99x +xAss+xeJF8PlpH5nauQOn07IyUNTytxa6kJ/xHcIuVEVFEBU5SUaXStqfugM/EE/V8pbW5di +oIILQx52NKli/JhrBWlW4/1k8moyuCkZqYsdwwp2QgLrJhcTNB1nWx4DBgonAL7GOGy7s2DP +6zoQT2rDmlMY+Y0GrYkt6dwwed0y8mP/6c1ayLP/5E7ZlJK7Lj/3WFxYXeOOP3rU2xm+Brym +u1ND4gGC9P+p3rlEBJ/loSruk9bbviULqiO5s7dB4Xzr2joED4u0suutYtSPnuY1fNV0DGxG +qgYvhwxcuOHVD3zBMuAfYoGSRQNsMrpzBnfytP2pF2CcS9L7maaTBxyKF7UbpqdvDDh74i+A +/J2O0TmMuraSX6r/szqCS8B5UdetjxWHpaEViIy4TiFBMIzkhhJIn4nngn8lHniRT6ex+TWp +dM/vkeO5f9ea24kCHAQQAQIABgUCTFxxnwAKCRDxppvkKcD/7nyjD/wIQDebpZRkWpthmHaP +NtpU8vn2WWtxigo4D/crBIrhWCvJGqm9P9n33AXpGGc3T6VEJGyq4lxdwBP/K5FC8a3hgCXr +dXAA+V5knfURy8kya5FBGK34YtrGXBcNv77I9GdGdum+tooYNnNJERueRkBLA4aIImB/W3NL +eL1f8vWVi4vys8Utpj8+5pg5GLstbpmzewtc2LQFstMDeCjBsrDiuZZrsp3fO6zKnizg0SOS +jTkSdXwvCma9j4mlmU2Ry9QJf3EBqyDwhe5Rcrl8TopaP75wOKD3r5npo+e95Wjvxy06PjjK 
+1ntAYLMuEODWiKAhQ31YYYg8v0yMvBRFLfFmtgmSoFcIiGJw7azkxJefqIhQr6SWUF2G3keQ +iD3qNjrriIqxdJQqj1XZjbwwHMKlvtvokf0xCWltpqzgW9YBcKwqr80Sp5Z2M5wjeB9TWhSu +uoG44r8dtz7GEVllGwGd+hRYbyhdaEjdgFjZtJ/T2n5ESYQ5h3V3vjJbbxVZ3fOE4ksVNEkR +5cv/h1x631SuU/287bb/ObGieYIbaIxpaQPedcPuX1+hHbLCrtZ9FAx1COzhIJbXG/2mS+2b +hTUyax9RQ4n01fgsU/C6FPeGqfyrrfijS2XKQAGsigRGm7rIjENjXM2fGqNsWGEPt9v3YoAl +vVv216XE3sCRMz4Ua4kCHAQQAQIABgUCTGAriwAKCRAedZpyap/ddM2HEADRXZZx9vRiIKFC +taquk6DZB15B+CTJSe+rhtiiRiSH8GZcifbF2ARqZF00OctbKkbBNycNV8FuxRiaZZSZN1fu +ZckgOKwMK83Llj0tHd+BTrjmOiZqrZ20l9j4CMfvoTQZLOqxbf0XKpfkx+WEf8HaJ59+2GDy +CvqYrzYW4oQLdc1wwQ1mI/6XcP5YyTPaOai7WzrRhL0ClYj6/kKrcyzUm3G91SuC/AXPGs5n +8QVINq1hidCyEjuRO29Pi9YjOIRA0YSmWwmF1Jq0CAWDlSeWZf6oZZq232UM4OnDosjp58pj +ldIf8YS8TcNLjFZUSq3ilfIJgTLZIfMj0H+YZyBRvHL8071X6xmqcQXmZb2xGOJHu/Zn1qrq +BjN7HIOrohVvVqccR5rbmQp2m763vqGCPL8nxZszGvH7v5PFCTdrfa8tlqiugadUvYW+SCn7 +RI1QMijJJjrlWolD6ZJLSiA21a9B/y8XmUluedCQ+RiJLzYBVSZhHI4j6EdavCKbTZfeUZEW +PiYbpjltZ5oOjoTzI/C7GKn/btPdY298tHPIRPJP2P4Ybi0Xzx1tsZIApFEn/uHxzxndigef +Q0EtTz/ikmVN3CAPo2i9dj1urBixB2QuoESumF2hjUHs9rZDtug6CuskojI0GAb2wPNf/U6x +ugU3APwb6c8O+66de8wHNYkCHAQQAQIABgUCTGA3OAAKCRDXiExHGOGPRLxnEADsBFKXFFK9 +8wUfiWk8b5ov+XJRvYhrOQZz7fX0iIxUaZCLaSIViyOD8RYFXr9KKuhGc7pcEvU71ccRdmN3 +SoHz+RQDrCJlRgBosEAY5hfIuqtuCEF/njo1cNSR7kjkYc5PKXpbHL2G+15X8aOBdsd/Wa0W +E6vLxMerhS5ILRbRs30W/VzcNnlb/3dhHSvJPVF9FGBeZuOahY1edZKU7xu8k+udND6lV1Xy +j25Ty0mb1WfQ6ORuqLhXPbfIycqLD2sNmpFBNVlRkRejEhJU9IiOrqkgECPjqKUMo9cnCCt1 +rVO0EZYvJGD75wl1PySqbQus1MMLep6FJsqvnUpEh/HzS6+Q3/2AL3a9JLITDm2h0TkCeX6q +o7b27aoe+J4cjiApF5E643OduBA6Ox2iauEr1t5d1J8ewFWx929EQYHnLgHtBx0CzZGUAZqU +NJEqLwfgxZaN86Kdw1xP6qKCuCdkhrsLt7gsACvSpkIEEhVxoAHqJleWF4MqozwfpsEO9BSg +L071pyc0Czw0XJlNNq2sn/GomNRvXLbYeSpqzsLdOAYxsG2l7aNRHVb81ml/OEvIuxHZE4Ae +cjxfsvnONarc5jWIA7iFgk3sLaTVejP4Y8cbn4rXn+98QwseRPBMHRPx84W0Rx+YUXQSAvVG +2GboFMP1PvnEEv0Qqq6JsdMmZYkCHAQQAQIABgUCTGWPGAAKCRATwLVmejiwsLktD/9ALTT3 +VOyGLPKCdTYn+kXo/R4x1+VpRdoLLkUnxKBzfTVqtHg6X9GAqMn4b8PIgIh+9ULPiK9OLV5k 
+bdko3T/cbP+Cl2iqSbVZoKuYpf/xd49oIdiJm/omruVotTDbz5vOHwxzmrSRcxXNzKrnmptr +f48dZjoDdrirUJNDlPE7yvM0IvBSwPv5R+t7gcti0/ZZFWDSEQ1fphx5q5fD47+t2Oqeyq9s +oIC1uO9xnzB7tTmQ4m1Up0mwRsf/r0JdTkcT2Q1PNOttWUY4aDncF+d8wCraPW7715C7iP/U +saAW2h+MwAVC3yMT6iu1dcufRJsgFg0iEd7G4Uxp4IcCfwSLWD1mh4NEXZ8Tis4hTnfpbICs +Go7qPAFDdPhWRw7ZGs/aLV0+E6hu0t5hE2CWaOCS7hfx8Z9W1heEuMBqDXZeSEfkiA6/sNHW +ocgNXiDXVMdyHm53xlswdbSDxDT6CPcdvzHsyNP9/pYd6+CFgTBAw60XqLrjYPr3tyTHBWgt +vFS0tmSq2h6zMht+yMu0WCoZgw4iTYKtwoE+8RE0aaqwxUcNw1w5h8TTFY0b0NyfD16pHX94 +TruaZnlnpNWZtHgYEqtobMH6SKyOsy0G+BJ/XM3jLKczi1U5osqH0yBRCWxVk0uUAOT7Y8fi +wkUSNQl8wnUbDoRSOtwCn1AQ0LRgOokCHAQQAQIABgUCTGbH+AAKCRAcAfRDyck8Wux1D/4y +7uso609rTdbQTInHqA2XUshIOCgsk9aW9Vphgs4hY0VEhhfRyajEa6RrjdYs68BuWUWO8qs8 +PKe3LhgTDv2ZmSBMdXEowYVY0CvvHhyHHZwdMl+6vRZX1uI3SHf3TKqT0eci7gNNvYnCbdMO +nXiBCM8nYUbbPOzSBKFEq3CE7EhNOvSMZwTu6pnOdH0qiVUvqNTx/hEo9qg+brPrPcLho7Yp +cGu/Kuqp30r2b/HVv4U5X5mOy/OebqzCAb8WEdWoY9V9sDo0bf4or5DZaY/JB6tozg7bQ4Zv +CTwyu4x9D1SqnySE9/wsu9xSlhni8e43o9ujv3jxABpbbOPqt00wA43wSoCbdfv4mWLsbGk4 +byKR3eWEh1XcUwRfaPk08fh0ssskKBk8C4sUMIk5oTiT+VU7IZ50gh8+XgMxrwdMcWAQH/Qs +VtsYhDGA0UTw7C1Qp8mCmeqLVw9RA11d/S47UgYlXBQiv+3LXuYfmz/sALy/ktIpz/tp5CtY +PeP3CPuFMTlKpVScL7+DbeW4pwwR3pkm1QAVaG/lb3Dqc4QpYcucetSyfdof1E7ZQtCRTR+L +BXBHkfqQT4xnqYOU8ULraaLaUGOd3y17rlYUXlHijhNtytzSbn+GPDnbteQYqZPx16IS1H/6 +buaSwB5ZRHBbfsF9O8JP9+ldLkbjaodxpIkCHAQQAQIABgUCTHblCgAKCRCvIoOqduKse+8L +EACKRmLci/pI12k8kF81SrF1TEZG4Mlqtij0vFQNTvaLJW9PSX5xE9ln/WcsLwUPf0ciV7bF +M92bdaPiiEDOzpC3MFEV8Kx/cBGPdGNx42SHbOrxzbriIt+OCFxylsqlElW+Wbo8chPtXWzi +/G39v1a/xHVxzBg4uUPFRL6zOOZ12M+l+TCijja4EKgctCb63t+x82GCW8UspmTTaEn8UT5F +STK+qp4+cQeIYBRBcHAGKyfzKJ6Chbv3MlNq+zhmg3b8NYLTKWOgpP4th1v44EeO/R8Oibnt +KJ9hqQF7a58hb2JLuoEmXXBJVk552hKD5UjKm1DrfZAapUTbWvVv9L5IdozaDph+GZzpXQ4C +Mxlwil3JVEe9sWPoT35iApFSgoWbDNYGW8M/CRiyLzYtCqcAzExJbU9KnKOV9kbebiZ8J7CZ +gxot5en0OaXrc/ALPHjYKrNmZEQ+B7dlUcN7KzFMEJHPC5Jb9xsV3Jje6T17lA+W4skejqPC +ZB1mi9D6SHTN0MYajeRLasFq7F1Vytd0H09MLkQ3i2lymE50Su7cOsMk1+KjA63C0JmMquMp 
+4rvuBt6Sh3qVaXDTPEUV5ZT5by7z6KCb4iYg7AB3IsCTsP9njUCZh19YE8IKxd4y1XXD+ymW +FwxcQs8Fak4HdGfmXLf7G55wI1E4GHFEwWMJ1YkCHAQQAQIABgUCVXGlUAAKCRDagoMOPMw6 +OpY6D/9xPI7IEHZCcGdZV1C5JH93KmiqARv45K0p36nAxmGH16mpFYtTOuK9oJ3ZSAZtbGp2 +oppbQX5AZHhRUvHcjwv33ME0RduosJqeMA8GT/xZKfXNGvQpn/ZG/pDyDLbL0LyEngRR1R+E +JCPNAna+op7ULQSQ/gf/HSwPI6ImnirMwXFAGOBSW0s29z0ilC/BYRlr4xt5uGwWugYnyhJK +/SSwrGBaDxB7hakk2LTeVOe18etFCno07VPoI8pUtNLBiLmySM2aK2Muy4NR+jZjU9x6oDoB +tTq40fkFln64nK82hqFoJP6kDPkzdQx5NaRiH4PAr1DOydHyXofs0MghS0UKlCZR6rkyAR2k +9r+b9+KUDEQYrHXXDqhpeCunQv9LGzTi9GmaCatNHJTwTmVk1+oydWiruYLQCQHETCzQrK2Y +FEonJnwJO8XremTXw+V3jyKZLee311I+ggQmtI5StRF7fFh7OGzdJXBVw5hI1VlISketFvAz +rllAI8Txt59l45NFNkZDZlJlJeadffen6GOXsWr5q5JfS9XlfLbGlzlrcZCG0uxGfKoYaUJM +0SNa5rvWO04pEK6AjBufkinWJBIJ1l9bz1uSkDY8g2tQWvdZrqGgih2DAXDhv+lu96U62fn6 +k+UtKx1D2Y6JI+KEdeGffuVp+4SnydvYIAH4GgSaN4kCHAQQAQgABgUCTFxxMwAKCRDxFAhM +CGEREQw7EADTPt7E7JjfPg5B5r8xEQwvWnQ09/dE9xie4ohfzCOfGVpvTquyG3xKrbw9SKhh +akS8HPLGgBvvodqvZOqPGP6eZKfAAZmlER5fAEtw42deAGhL074S4XOeuPmRPnYlzPZW8cy8 +HhcmjbuwXbhC7SJs1KtQ+sHZ6ihtTqXoqjsC1ArMOuA0Lsw9d4IOT5sXILtqnk92ynkX420i +yAiRU5RXlASnBNg5fAmMGZbW2/EGrHtfE+zzpqX0N38qKmBnE7kRgPM8OGYxYGpUl8x+M1zz +KY8BLhJx+gwCzI4L22uKwqv8dz3kzdWD1RBUUKJycCDzwrR+RI+xO9cQzaU/HOykH3HoRfIG +TmaewYDxl2vsVeHVDbGdZOmhVRzLqQIS259eRjQe6ZjdMiRJe15j+udFF/iVMgSgq93vWWNF +WB9Q7dKRZyPHjBuFuL9YP1VmxiNELX/BkQlDXcnlXHvK+KSFuEgV8RgQenmFtHy64YBC0MoS +ka4NtWkPl9EimPn3iAHNLBCfqqs83TaG9Fl8+V9se/B//AcsNoM0/3vBU/L/5F0PppPVO6fk +ELDY2V11zy7L5KcLJWm8f4YwOKCdyDYPYVTpl7xGM+30n5h3xto8Mz6f5NWVZbfxfErLU5iK +aeDdSebdqns+FUXmZYUlWJGCXEnY1aAzy/9MpRSz+mtXAokCHAQQAQgABgUCTF0/MwAKCRCH +L3AsTW4lqMf4D/9oxFxZbLh/kRIjys0wNgeiq0oBLh+KgN83Rf+vc74A2q2T9/XiopuEtk0T +ywbz3Xw9KlidyGr9Rrbl6O6aWpy0csxUOWvprE7jaTwjqZxqISNCcsPFbsWQieJ1bVv6upjE +j/wrTRh4IEC/P+K1OU0lWblbeDDEv2K8aj2uiO8g5Ckp9X8Y47Lh9VMPvSOPN6aFyX0s1DDV +fweQtoYGQOmteY/pFDP+K+FV8iBw/wjEVEWflqWUCIOAWBT4w2sJ49KDdi3RGmFk6PSp/JsU +SLGrwUU3YnRiVh2vsK0X5nukWk41jm/1XdvPzEEpMK/RYiSAzGXKvs+UUWFi8g7AHQNfJOl0 
+hmB8LYFV7mQOLdbNIVTRB/ImbexKtuLDxU35CIxrJFvg7Ry3ulIZgDgFZEM0D/xu+2tBd28X +GjppOjqp2W6Zwnn4uwqBXMrggtNRVSeGASTDs8WPdwR3PxYKxx237f8J/aC3o2k08q8KbjmR +QVRLlOo1huZxmXpn+SUUKUJ0dqrrQHIEyzGtS/VSRRI+Kj4wiThPOS6zmc/vFaLjl5T69sOA +LS5TJqoGZz7j+GDK2MINkWWNM61SNyzomtdQc2PIICR7TP9zJbOvad1QDfT7kyM1JuhpvV/6 +7XIP/oxk6OfgMT7yHTF6rh+G8UUNt/ZBCYAipcFByCKDwNB5sIkCHAQQAQgABgUCTF1E2gAK +CRBTlEed01JMUcebD/9aEHlc3TtXSGHF/gxVl0zsi3mFM/wibd2n/2Zv2gRrL0Su7BunKEMc +l+7SECKbDzWC3LYucKhjgVuPHSgGakk3ANiXiDw4qFqiYil1Prf/MK8F6RWye00IIG7yZamG ++1kLA5ft7sjO/emappGvW7bicXqgoEsazImSi9ekfYhLFKHn64IR4UjynHibKjoXA+EatPnN +pT+IHnBRRHRq2uaU8ycQoxiwUT8WMPyjlIg7NT+IIYqQm7DRjSTsUoTwhdaMlH7YCbi/dX0y +SlfG0LF/5fdg+MV0h/hPqy6gq2oRouILZlfEGtvv0vBmqagmPP+m4KJ/6/Ikf5ysMtC/NlN7 +exkyj4M8Nl1U07ijha5CQCvn6DyQmy7xT/rmbJ0i1zjZauFmPf1ZaqennMkz2ndC0glSAYIh +d76mDDWGjvszrYpbO7KdJJeiO0LkoSW7fKxgabNm6x5MaPVhcynmjlC8BFbn8xuZQst13Pit +VmFtIDX+SJVFQCK0Ypuw0NhkXx4sRqkBukASSwCRrDxPPWqlg9/Ji9uKjInS7M/y3RDZqwJK +UZqLw2pdlzdAStExWfA3YAX6lI7IrpHMuoPUt+aKNyO6XBLMOGmAGo6LUP8vOvwfkFI72nWL +IgHSbB7MzHLFcMxyb4CvGjpZQzu3VDt7sDIweT4ZqWMuMIxreik+M4kCHAQQAQgABgUCTF8j +ZwAKCRB6j0notjSAvpDND/4nzSbiS1pMCum5H8dhR6odBPIRanEa8fLaltUQCfwG+CXBfuH0 +nguvR07j3oMWLZJ0YqZIfGWy+FRMAqFjkY9Wm35ddEO4fm5O7j662mJn32S7ouAWvMXeZa7i +uhz7pe5o5hxoN9dzr/jD0qNIUwWzCl8C1KC6Gm2Szhnzr4jMM6fxol3i1TIjzqcRACqIFM9k +rJdpHe18XEE0Ao/cNC4bPdPFEqFdDi+zoYXNrHqyCl0FqnWOkq9IVa6Sizy/8+ncgLt7mxpR +CeA6v/N4w55AGlxfS284QzDWUDzAoMzMibhnqoY/3p9xup1tMtOZe+2R6/AOfSa7nB3BSGDi +g3INNT37Xh3OiwYtiGoAPGnBvMdVQYeLd0ySC1cTls+HsXuhfediraNnzRRgioi+r7Ew29Dj +H4O0gWhunw0gqn5NO/0sqQyN5cW70iIjhJlXA2pJYXSLvONRzQ9GmvhYIq+UA89UmriycCBd +u12zi0NfEY85B8qqzFP1c0EJrHclHNm4SuSh/cXFlejRbIiSejp9uCHXQqELSRWzxRWOSy9T +4iARC/twBSE+rJYfCrTMLKZznBzz+FgY/NU91w+teGbKanrKLKjRJtlXanm5kMSVXpmeTnc4 +x46OO8QjHGto4hyaILX+H0+jYcTFZXV1wXPqgevaGLL5fZ2EwfdURZOMI4kCHAQQAQgABgUC +TF80rwAKCRDRXTE4ggBBc1JWD/9xj+Vpx8DaFRrmDwND90I7bFDux0MrxxGZ1NJc0WhF03+t +1rqP5aoqgXTx6UxMHTTQXRk6dNKpqRdWCiacxd9LUpUIFj8QrSE6zwWweW+5e1lCa4cIC69y 
+AHRN7LwdWV/s8dTbBWxPuCspDXrb3wPNmNaouw76T2Ny5Qwt13PnkaHmoNGIDju8yOpVhcAM +mRIeAHgJn5X3WkMPi9dGfKr94Vv+K1dAKzl1VQ2DHUcS8dVUTqugYcaq1NXeZ8ipacQtTy6o +4+aiY1iBJDvKdH1MxJGsS2EvcXT14r5YzOz+KTwIExlrKK98+3XI/u1L3VkUHqY9rILN03Q+ +cKxX/3dV3j9YDu3mUNL9at+cZ4FjZG/rJ0B/7frBxf9fy+7RnqKHsrr5H7jFK+mZlqyAWqLn +Lxi1kW9tliiEZ5RgqLsYQk/nvvA/hr01rAI/todTvFHV7RIByNQVrp8zBbpmSUhyGaycc3q0 +aNStTXoy6dFS5WLAirq5o0W2zKRbWF6RAZLCwYAz8BAvKfbdDNAjTeXQ1X6kEYxEmsOJL3UQ +UYLUHm8Ko8pPeaFLjMfRNZYVdQhpyLQbKxEDWwmzuAxODTHPa+bWmD2QRP6g/be8ff43L+zW +Ti+1bglSk5xCncsGp5ydPfxYhAQiizIySbmVGV0u+hVPSB+vGJTelgw8p0PMeokCHAQQAQgA +BgUCTGHuTwAKCRBwNzzxKQ25zl+FD/0TkiEx7eq83NaPbkxw4fQGgIfV+ZQHHZPHZxQmWQe5 +Nw+o6jBv4spK4iTQOgfcyZQ9vcNoxDyvFXTPxD1SA9VhJKY/pvZYgFk4chfIAwqsuLhL2B4x +fL7XRU044MIy12YG24mQ6wq4Yp4CLX0J7XTkqF4o5gZ53W2lZ8IBhGee13vY658Ie7OmSwXd +HZwLABOIck59PBOnDQmbIWHw2nO8esxPuCG7A1vJ9oX71PRYGe53310L/vqRWliGwgINI+Lc +ghnn/GIxdBNAQzvn1vrBtLvZB50Ck5WxRZdRyAh29i8IQKVt43X3CeXatFqPke30n1hudgXN +f5zu7aJAHA3TvIghig9L9uZtHUMIZzxSovTF75ACmxfqiCXxS2pxqzJacDpahog4rJ/AZbsG +3787vyhM2zjCiSZIrA2GE53M4M3TQpV8gKAZy54Gdjy2S8FcOiFARFGXVu/l6j3vf2dDrTdI +Hlr+Ta/f2eKfKhyCLT5ShZwem9O10mpDfP/Lznb4kPKygCjT24t/UdY21mvVKwAiXDtkeeSI +LhXVj+I4ddyx4xf5mrH7khCxwDiYKr/sPmzFUg6gHHPsxIMoV/8+DA/VU+x/r2thuSH2rdKp +IuPcN1fLI3R/Buy2Pv3KGHzzOHQyHv2UbfGK5ijKY/lF5Y3RWYynInUcjQLbx9g+V4kCHAQQ +AQgABgUCTGH1OQAKCRB3MfzMY+Tid/cSD/0XD2h3/YcPxSfN1Wc+CRkbtw/14V3lgDOa83Q1 +Gr6GySQZMeZ9NeBIeC03fvlfmQl4EwFebqGR7jsuRRVZ03P9I9fKoPXJhlx/hpbavP8mkAAd +Ye/ziA5xjzIi6j7GIpID9ULMvAW9nwPtL6p0ritjvkfx7EOJ1D30ID5Gn0BzyhgPUKiqLsR9 +zdP11Z4u85ja1cgkVXMl6IEMflMJ/qUonGX51sEGvAC9OfbshoASv9g1cohRJe0MAVG0arWj +KkxekFXTaChVOSuzfavExtlW2eCHy2IH4LVRT2VlOiPA+dyRZuhjBMaRr9raeYnNtB+7SLWu +XeRgMcAiwWdvKSJRIS1H1sVAlP02APy67wBeHEcMrURx0NzAZaw/7XeyPAt7+S00LJNp6qNQ +fnecBTF5LZkfKGIentqjKKN0Ns20lyMuo5TGb2mZSdhlYRixsY/z95STNhsGe3SNzgdSpbG1 +2eB8j+uaoLj9Gjd4UF0uAhfS/xqDXF3MONZX+IjKbGnVx1MMwg/ECPjtfRu0nzm2o3jpYQgU +XlnM/kAjGDcHgWsWyWdKVeMB+bXOwGPl6wDmcAkaj2GoUJP2B2bDnd6QHmtBQSD0jiRmqoXb 
+ARisPDuTJ7VywYSND/zTkYfBpXh9YLikxYS+Vl+NtLuvILXsyOt9FV5pxNOoWKVbj3X03okC +HAQQAQgABgUCTGdOLwAKCRCzRk+JaqFZSNlnEADIAMz9GZZwdKchx9VqWzsHKetF7ASrZuv0 +5DSzfPH9lxJQZskWDRnLLtTzpSkrMDqueu7bgKE5XIoRcPgIfKoBI/iJBZPQaoxN9aRyxrNa +HM/F3AF2H0hc3fqUyi5+s58C5/El8Bc8oq1ePKGrOWFAFoNTYIvQJ3CNbXfw3tm56TGVKKws +SMiH+9xk2fIBj1m8mSpAwZKo6CMjlVU3Mz3h7DNiEa0yCiESl3USCIBO1dmIRs08DNn+MZyE +oeXSXM+eJtw+GpWGwDflnwOlKDlDj42y4K6pH6BubyfXe9ylb5DI19TV1X3wtvsqyhE+nPuT +4V6j8Bli1YKm/KhwjkXw7KggkStS+6TMlT6EF9f7JiLbDjAqhCZ0eBvgCm/p0/TNL0lBwrf5 +90vD8QpXfnxAprdGR8O9ZEyviUqpw4JRnlRiH7TMBHVDiNCJ0eX53oyFd/TuDSTcvfyp3i2J +GO38NQfoO0u880bpRbCiBsLcZfEAByaXp2hV/9oPEvBP+95GwbnMAR8PlmL8EDzygDElweDc +F11FvcD6pgKQdXPubxeM6vJgcrFEozzW0mLZxXLUlv0n64YUMy/7JVoETPIEFJqAKwsMvaJy +OHJH7ycbs2dTeWNT3KDigSM49VE8ERd7XzyncZUbRk3ZkhGgRAE0Fe1prHPDx86PClBV76hm +hIkCHAQQAQgABgUCTGy/igAKCRDkT4AW02MPibaTD/442P0Qwf27NHs5RV+n/M2CKeG4sZmB +epDU0XjnqjTZJYYcMtKvVJ3EPvB8qh3Y69d+pCy92pE9x+4TXj+59pSYxSaZFacW+3s1884K +BQYe4256NjbVnxQEIStYtS4wRL1xjYBoNnPu1hq+vj+zArQ1pCWjCcM9Wzpl2tUPu7Lat7Os +qB7HnDvgDB/HUbNgpni6EmfrWN3YlbGthnBXfGvAf3nyPwuM++GKs7a7R/6+it/dnPdke3Tb +/aJKAC8YXlUSo4mEqpuBzz4Sk+5wBv+xS0h2GF4z+mnwsMY7ChqlyX1eLqfx+WWdO7V5CuPM +sHMp0WxsCw4x8NPhzBzEPFlYSvYlS2z5M/RMie0g5JuXvs/ajDHZItZYJoVbeRAIVZ5q3ru4 +jR2tuSLQNo8qoqll+u7qA01zeEh3heov+FZXqoe8I1z7XOS6i7ZP745+zdbyRhi2beqEQ6XB +7ub3jSSOUPM+x+LKxXC7bbhKLlAat5256wZnTTKRVNEUuoCFPtUR8FwzwRXl9AOl1Ekmqdfq +M1F9TKYq3dPATHCxw/vV1QrCaIbqdJBAtf7ZLHH9B0sAZ8kudVPQeB+Ghr4KYaSPyX8Vstx6 +tl+qTyuVlkWd26OZo1mFUc9kPej7cjiXtf/XOp2mI73piU4bfTAOBHAopiNiKe25M/75bGso +bAWSh4kCHAQQAQgABgUCTG8qxQAKCRB8Vqz+lHiX2Nc0EACkkjvmLuJz2Wp9Lq0fvdjBhGCp +95dZFpvcBFJfX0rzifUEmbWRp9fiU9P2SJaCy392PL0gEhEi4P7Aos1rRfyXjGhxcy+TYSUA +HaP/jQF59XED6t2ElW8+NnZNQ3NE1NnZ2ivcig09GdxvfV/Ivi3dAjYXslsd0um4pVCEEBlc +lWw9lWRfm1V9/Zmz+/83CNuc6yVGmch9lckcq/1zxqcBE38WyP/cR6nvvuiC4NY9W6e3LobD +eLkagJqFtsThM06Hy2mI3pDsC33nu0Za1tOV1ihJCUTxArZBDqUYWBN7C7hfx6/+IO+as+2Z +hi8bav8mjY9j7chXREqnmJq5uTXGyI0LDuTABn+Sfr8861zPeev56GhS3/gBIsvhEik+Hym1 
+1qnvlFhICo6Gq8qtXiJ9KQE+XI/bWZgFuflJdDLWT7V+DUw5+Rdqo3Qay0vHvsto+EMQLCiL +8qLdw3eE5/lVOn9vHPccypGq5saMyS2hdS7yF8x+laj9xfIwMyp3CKTJ892K/NOh+dEhAo4J +ZNw5tHCviE2KVRxDWNjjBOcrpONkp8o/OPe5bxCXVnV5F9oZqHCfWtXc+MTlI4dkk2dPRB3P +JNUnKbSgX4x63th/m6oAB1JJ5DE1iT+fdDre4zBpSI3ILCxegWL4ve+hLHUWS/ubfkJtlO5z +4w4wiLmfPokCHAQQAQgABgUCTG/44AAKCRCdC15bHuyPDso6EADTyj6fKEvSzHFo4caqYOVX +d5kZir9ss0hzplt/csBDosMdW+wO+wxzt7jXXtfPlA0OGoFqCVEtxUGQG4qYHSbCKPd9PEHS +ruWlcqNFAqRBi6k0phM8GeKbE0+B1u0qiyEvuG8IuP+1DlXla3yG4yEUWqprBMjl46OnTd7u +ZKS24zOqnS4Hx9fId3s7bW1JwrVmodbx2rdHDyZKXqCpwXFJsVWe3cbh/h2lXYalDKzwbdcm +rgDZUJp75YxlxerMiTG9Xc/4e+XOs30DKGy2cHAMitswtjXm7ZKZ8yL5pmbmDeP99XASwByB +7Mm6KuvQSA+8ByLmkvu9XBrRq5WUG9Cx3m0Shxy7e74w5/u4LJkqrmr1wdw+gZIvWG3UuTWR +kqJw6rEoiv8WTjJSWE5rTFVaN6YH2OuOFsTWNaUH1bc01HpEKivhk3ZiOOg2Bhxbt7i7oYJc +Y+UHCbC3PwwktM3wEnANz9UMoIFxn/2OHdIWl09t50iaDErTmtgbfkENDdsXEcLA7qs+8vpr +8qY+M7ycCuRat7Vu2dqopwpkhRpKtddoMNYZ5/51vFcSuz9BdCk+y+q06Ri494UPVFJsHTvn +gjtEcxsJopZn4pddzk8g2z69BBWRv31c8xiV5X5QTf9zmRUFD06pux6dn1CUI4zoul5kW0ah +LwQysmqgG40apYkCHAQQAQgABgUCVZLuEQAKCRDroMbHHAAlb97dEAC8oQamwtIj/SWT2PJS +Kl3bdPdQaYI8+9ZL9xXLYyhOl8aduFVMlJ7rqkWSdwg/AGnp8nh/pQiaGsnRweqFoSte3poC +QkNmRR3pgsZ1qqWMxqVrE37R51MSGRBEZq50diQ0sG63tzX7GSnsHXyxDjVfR4J0/ohZzyXn +UubBB8X/C72E8CaxrFAzyrLY0zqJBMzub+b2zg5Ac0V+GK45Iz4duftmvnWf6d9aOvXsPqe9 +/BPbix8l8lCWUjfAPh0sSskI48mIi+jK6rm7+JmsF+9zIoVxlnnlFcmDxMGtapUl73BzpCKI +tbplOogAKpA9/2pcSvf2JO26cjQm2gN7BHGfApB4qYFHb90fmSt7XUQEwxyCbsQyhS7Tb6bN +wI8mTqajGoRZydB8WZVjRgsnnCHa9ecY3Hs1IrTMKM3gl7Kmm1tzbtAK+NMSH0mxPG3dmTbv +NIkjOcgGTYo4r9Qt4Q6rV0zfm43dZs7AP6nECRYyMggEoHHBDh1PaPUjoUsJ4Q/b0R8yvNNC +8defastUYtUkepBJ90FzlIJeMLf/1t/1cYX0or5wfp7DPAGxTx3+5EtyKC2Vk3JltR5QkLaj +blZ2PIq8TTtdDprXJuOtucF33p3SwXRjA59DrxEofOf1B2cAcxvb42QgZ0ToJmfeTz9TfGDS +adTRh+oqbbjogv0A8okCHAQQAQoABgUCTF22EQAKCRBdMo0IKqqxQBAND/sHFnas21+PsxN5 +Uo2Gr6ieI6NqP2347xT3ZAugQFDhobNJkdXexShpW/PAAxN8/JdndFtuF3nNCy6gSt9c+eLx +uZ1srzyE9nZeXne59TDI4+ubXhuu/oXIfj0n2j7m53st6+RI5JJ3SuI9kJTOhIYA+7AHBpZp 
+XUu+m8sS+Jhyy3h7tqJw4IrwwOfW9/WEwhp3Yb2zDoEBe2Na5whcjFRtCJkJub4YwL3L/D5G +w31dFnTFQV9C8BNmyPfoHiTWRQovejmORLdNOzaHKy9a0c4fF6C92j4s9wR3KM/eaVJxM5bD +NvP78usX8LQY5A6C/3+e7kRo1gzDoDhgYii3gDm5hItXXU0V6sTcFWWVSPGwrm+628G3VWmm +1b57mxWn6+7Yzw01R/CyqEzovFG+M1BZrJn2JqJ8Y4pM7T0oRpi0/Ee9Dqiw4+v5I8wKCTag +713ZLx2IdMQxIsMnmBq/819ZqjKkYpAbgteov/foku+Y8RvymE+afjxcE+aYQpYOyMPNRMRp +Dq6CKkVErPNpI758Eav7UqUi5KyfMQ6tMh09F+mKBZvAVE7AGIbrQWhHlTCOYdSRA7uFtgSX +TUQlMSsj/2xkorXaPoFqShOr1hiWIG78zduIGT5FxSG06j8h7j2h6W7nCj0rYaOzDNOBM9yt +3il8eu9SeAgl2cEosRL/4IkCHAQQAQoABgUCTF5RxAAKCRA5FLUy9N++mdKJD/9Lclk6nEQu +xlcgA/0ugEKmWn5JsNnq8ZUl78nZP6fKY0syx9v4bMA+ICQrokfwY4o6dMxcj2Us6JUp/FBV +Z5lo2T2iPE+ucxobFslNdpZtzOQGOsOJ0N7qirafFXJ7ACtydbnCUaPfzkPYwwplHFqT+yQH +k4RxBysHWw9a9YoBMl9KFjIwZ7Q8v0x4ywySwfRAKEzFp+ESP+hDwhlOqTBKFL1/P54lmbhG +JHDCNbwxGLIjiAeCjomyoxpg5YdSZVyWttmsy1rxMV+ndERK5vELfZYqdlhL0quVPzd1L+g0 +m2iA4QdeGfqrCxex7olq1su60PFrMee2wFzH8YEYY70nCi6/JRTb/Vk0wNqgyNjKY434EzHn +liuyhFvsTkQy+ciegx1lQixRxJfVnyz1BkHNDd37qL9lbzPwVqLhhh7jkjW8koPbExQGjVcH +St2HCGDcAxyOJK9sG5a2GxPn1K/SzHXWwhVCSQN7sJSkpNmRNgjpJdOTnEtsfRC7keUEG853 +cKtWtqJw38/ye6RbXXHM9y4oiLkSWLneGH3sQFtbmdtjubLQNXE7rfuUHarwCnVHV5FaeAn9 +FNBoo9MCAZL1cuxe7CR/awAuH/JAkuZOanj2jFwvqeyfNgsB/LIlHIBTLPwVXDOZ3E7+KUMJ +lQ45DOfhGPOSzv3QTL4gP6lcvIkCHAQQAQoABgUCTGWvlAAKCRAyJH+7QK0fpgPsD/9gJRwY +37FXgq6tqiUO+q8H1m+VQ4y64cKNA/SMOGxV04h7o5tC3B9D/ZghAyfQ71Li88PIk8n7PAV0 +Wnbv+V/9kawa7C7Bfq4OJOGzMU0Y0JPd6LnupBtq+jtE9H1TLneCiBu05bjeLSQde438Or9w +SV0sLwqKncwqRJY8iIjz9O44X+6+6p4CqdMYmsZV9nGM+cES6uytQ/sB/mh5PutZahslWurz +ouec1uqTY4uuGNwOz+MJvYUNPyajcgtpH8JNQ0phlUvV+nAOJuiNXBHw8MbxNzTdLfsdtdpy +zRH6NAMN3QHrtEGAQ8XgFnCtu6BEPpgOQIB1pMw9OiRMhkcu9uCNCY5p9NMhL1tEx92DkSyW +lmFIF/h1Ohd4yaxnn9jwTVxxhdAxqK0rIORy+sHUSuc5LrtItNe+AnTvQeY7MRgZwJuCCohQ +L3OLXULZajB98g6cZQJmNmtdUeqMY/QymIOH8IoY3SCOws4h4QZSSVxNczo2Ag5R5QKSpBA6 +jjsFo/VHUX0wB/KbJTb1Hl2vtID20kR7MfzACFTI9AEbwvG6CX7oWsnciom7bHEiyHWR4Olp +tlpQk2RQ4T3RG8r9kDgJuX6KmDH6uI9CdYTuBxQgIfpEm+tfSki3LVfnOKgkRDqAJciBv+ua 
+qeW7KSjNDpBC4u8pn9tyX8RhpYUP7IkCHAQQAQoABgUCTGwP9AAKCRB4U9pNSYga09OUD/9X +xTiFFzcuev5k8MtYx7+T30Z549gFnOx6GdFgCK7GzW7ZjnofKt8e0NIQmzzCf0g1vxdulqeZ +7Oh8iFrxpPZyOKJoO2BDKS9VnYEANQf+quUJPTdyhGqdMSDQGbSEqjLF3oNp/+jdIIMjuo3Q +nShdK/BJPcluN7AoOFLQ3QH4Q5fEbtwc+bEJL9TfFqAhUhcY3TYnqWtsMRW3tkrgCvcp0Bo7 +LMSJB6jH4Dx5q60Am4V1Zz7C9wxtZeZP+P0h0YYWCbOmQWhzT2aCRYDrp1o3SsuatHm/bPkv +rliBzslW8i5Hh3gv5Atn/P5bhMaXtJiGepkat/MGw1hP8BYaSb/mmy9XbdMlfDijcsAF2+w6 +w1b782oCGXgz2ISqPLsFYWccS4GOAwSytep22iwsWpIx2JNNndg4GVfgBxx3QIhci7EVN5Pv +/586PwxTetIZmQ+FNNHcAzqBzi3oe6J8o7HlMEHjG6Dps/D2clTNHtD0vSk5ECfhSC3W8OAD +VSuB8NxZVfI2UfnyCsdjyDLUu06fMR4gNW+zlSHI1FJBSVuU8CCQOtMPJ5fHPq3hEc0DFyLx +8fPE02n8It0wm5RrdUkgOjiVK2n251SyAwSM6zATCFOIt6zdZWx6T/HrJw5wzI+wgsZHibVt +i0vOA0GsAXzobE5yyhhWTnhqJgW2vKNHjYkCIgQQAQoADAUCTGLdPgWDCWYBgAAKCRDM0u2U +0hc56aYKD/4gPLkcER4nlKdsMN5x4MuUjBbv/+Hab1+hSDxEiA0Ya2Lt3J64y03fz7J1RzIB +djH2QGhdvuZtEohiad44DUdLNGJ98q7PPll2KPeuuth+bDa3P4h8ynVbCJRSmIkSVCRG90eE +AibHWOgTNOmn48Rwq5zMEgwNvmgsX7ZRm7Mwggt24LIK93iBMqH7WqS1CujF+WqQygpk671e +GUIWSUc/iBmaHZ/yoElL5cSBSPHm+ePyQsPSN7ooaWfodXXTADpQN4d5Tl1WzwZT8G5cRVLP +4CZ4sqbzJ9EKWFMlohcf3ibT4r8H5ij8btgq0TvNcoMvCbO2P94KChQWxQSwJRftJ9/GPPo1 +7zK7pXGK1QMZNMYhvbYSdcbxG/AsmC4qJb4NVdrrxBiEye41+M+nQiT7g2GbbJ9gBCv8k7lH +iw3B+KfNoAkQ2v2CaVMrguQuzxCs8Zpl7iKuFG+d3SGqnn8rRrRPE5AOlSk6bOr22jLyGsns +URt6Mvh5QyVrk0G/6YW/5IMIVNuS/i12m6ireKvpPBkUIkNlS938vNqZ4LnsZ/+gBlZqmY8H +sZEt6Wfq7efDBw8z1FLRW58xOqCY0vh4tteFJkcY1LgzK5GUddIHfYcO/Y6p/3/Vq1/ao4VJ +Jq+HSIsqrdW1nF3EDSbwyy96uAdxuhfZLxSgRugCKyyOk4kCNwQTAQgAIQIbAwIeAQIXgAUC +Sgdo4AULCQgHAwUVCgkICwUWAgMBAAAKCRBEl1J4uGErXaQAD/9wcX8JM24NI9mCjnHOGOuV +eo/1Z9sefzYvhlbbTWvJsEdt5eaL0FRl+kErHtwNyEqvOTAmt860GrpekjkFYQObCsmDOiEy +i+vJBScub9YK6TJSOQJ7f7zyIwzHgvilktujiS+/YDqd1IEyxD3QxQ9PTdjcQX/Z7enfBeei +sBFfgRwbH32p5EtdwovrmBYtgyXUqp+lSg9kG3vvdj0bt/Fkq7Es1eEW8Sp9QqaBpo2fuzNS +rojYfZu68coreRIV/nhuA7/ehjiVXlvzi3su+0ybJwGZXLXaM7kxXoYm5i8NDxp4p+7laXe2 +J6HUuIQM5ea4NuPu9BKIpKGxqNXQE+n4tmX3lp6QwXuZShwOXjSFsKxXvipKI4sAkxPfrPFa 
+xzz/EDqUf9lzCBZ5nl6+OLv+GyTz6Meq1NGIX1N7u6XBPtdCujVbKzXd5PbEk0Y00skLFcQ4 +9FwAwDFw1XIPljQ6WttsQlV6k0yoVJZc6HHovnV1zGDviSyUdegDX9uKBmgGG8ApliPLvZ6r +haU4yHykFHBMPfwBNBwrmthTShdPS7xh4bz5xYlay9wm2CzIVB6muK8PIyTrRfouuFivJuYA +zoEcPBbubalC3OCocLl2xv+Qb5G7cz2hTDx9JZXUD18IeG2A2mcLeGp1zTc1qz/7h9qa0TLe +fWpC75exhIgXVrkCDQRKB2tdARAAqsQbw2Qd1WfbJr9U1KRdwTKm2OsDODftgNv0zmfaiYCN +iOKEsrsJdtonmaisMi+Z+5/wrf3Q0bV54qmwOMTlCVvqnpxwbVik8VVGWgUcLJYYK5Lkn0dz +rtZs6AaT/sbFewir8q6m3ADbq9hTXxt9uUfe5Z/D4sdbhgbWtQa/DeJwWZr6VeyCHcY8BhR0 +FXYmYDZ0c1rmbZZBt+vIF4UNTNU4x6me9va6QPW0nWTEjae9ExGSPwm1B4hQd63Nop6E2Vqu +ahdJqKVRYYmD/IqVXOxAhFRA/w9vqF95aV2BB/ZrF0FTA8iCEbFy3oNrZfq8KlJRCtcUH2qf +igMndOt8P65omM1DQhlvterVgm2PCb1GmwLEbMi+HtLntziFozYGLTlAMcUJt7Pyu/iinzx6 +Sc4U108dmNTJLxqSZtvJFaRyHml9x7oP2gWjpuyVgo1KuEXKq2Z96S+sxE/YtPyB/cBpazZ+ ++o/i7PLhxKa1RTIA8NgkDelWeNalvYzjNkB+tXeH0UnxtBTC+PW8dyUP8OmmM/2V1Dzcj9Tm +Ky/G04TFQyL1NjvFjzXyIUO5WpdEbSs04h5J3KM6YZJlicqB2aKAUslOi9wUIpKRK+UZBTSj +886jynsu+HA1Ob6tcTSlwtj95RV7nBTiTM6MpPuxTmZ2DR/vLE6c7yE+XgrOx9EAEQEAAYkC +HwQYAQgACQUCSgdrXQIbDAAKCRBEl1J4uGErXVFeD/9Q2vtN0FeOiveLwN4KAFbMLZP97bT/ +sRJkQQUZoawfbINwzGDuFrZSsWipoBLam6BnMH6OfHkUOrCToZROHYagW/nv/WTjBTX8lJt8 +SFhHh4ONPBaxF90z/YrpWlNcs/z/rqu+sm1KgCA9mkheENGOj3t97udZNfA1N4NZu67Lo6HZ +yUUCK+eJtX6BS2HgMGokHuGha/LokTor1lkl52Y3CVfds9YDrJmlSQVhxI/S6/IajLwKFyHd +pMiK/o8q3mYuZ7JKCBOooNnRpa4myUrBetf1p6xZqbhEAALMFJc7/8NXxesqvG7RQJ7VWyYO +5BhgzPutqTUOVZskc3r4cvaB7CT1CsKPdW+af/I8q/C7dhTWWthirPN4DCdcTIlK9ECpba+m +S7MQG/3ta7+/3lT3yyMKlhLkAaUlUNa/VbzUHOlVA1txJk6jcuEzWIzebEtoT/aYJZwNE+jL +CFOC75HTGlxp7/8ngHCXn1rcBS9TQJ7CGX31HhbmNak0LtzhAS4B+fWQLrFfShTREcYD+31z +yLns4jIKY8dehPner0Y8RX31/0eQOknRwRSl6uceu/6liJT23KHYzT3FPGHuK2QH6AHnORGS +g6FmBsbXSzosQOKWE3sO0dzjPIE6DRKwZIJmqQKvHqeAvPsC0U7JBWlKl0eMoIuDjp9qFDKz +BWcdiQ== +=iUyJ +-----END PGP PUBLIC KEY BLOCK----- diff --git a/php/tasks/main_bullseye.yml b/php/tasks/main_bullseye.yml index 403a7b76..73e34483 100644 --- a/php/tasks/main_bullseye.yml +++ b/php/tasks/main_bullseye.yml 
@@ -1,18 +1,25 @@ --- +- name: "Set php version to 7.4 if Sury repo is not enabled" + set_fact: + php_version: "7.4" + when: + - php_sury_enable == 'False' + - php_version != '7.4' + - name: "Set variables (Debian 11)" set_fact: - php_cli_defaults_ini_file: /etc/php/7.4/cli/conf.d/z-evolinux-defaults.ini - php_cli_custom_ini_file: /etc/php/7.4/cli/conf.d/zzz-evolinux-custom.ini - php_apache_defaults_ini_file: /etc/php/7.4/apache2/conf.d/z-evolinux-defaults.ini - php_apache_custom_ini_file: /etc/php/7.4/apache2/conf.d/zzz-evolinux-custom.ini - php_fpm_defaults_ini_file: /etc/php/7.4/fpm/conf.d/z-evolinux-defaults.ini - php_fpm_custom_ini_file: /etc/php/7.4/fpm/conf.d/zzz-evolinux-custom.ini - php_fpm_debian_default_pool_file: /etc/php/7.4/fpm/pool.d/www.conf - php_fpm_default_pool_file: /etc/php/7.4/fpm/pool.d/www-evolinux-defaults.conf - php_fpm_default_pool_custom_file: /etc/php/7.4/fpm/pool.d/www-evolinux-zcustom.conf - php_fpm_default_pool_socket: /var/run/php/php7.4-fpm.sock - php_fpm_service_name: php7.4-fpm + php_cli_defaults_ini_file: /etc/php/{{ php_version }}/cli/conf.d/z-evolinux-defaults.ini + php_cli_custom_ini_file: /etc/php/{{ php_version }}/cli/conf.d/zzz-evolinux-custom.ini + php_apache_defaults_ini_file: /etc/php/{{ php_version }}/apache2/conf.d/z-evolinux-defaults.ini + php_apache_custom_ini_file: /etc/php/{{ php_version }}/apache2/conf.d/zzz-evolinux-custom.ini + php_fpm_defaults_ini_file: /etc/php/{{ php_version }}/fpm/conf.d/z-evolinux-defaults.ini + php_fpm_custom_ini_file: /etc/php/{{ php_version }}/fpm/conf.d/zzz-evolinux-custom.ini + php_fpm_debian_default_pool_file: /etc/php/{{ php_version }}/fpm/pool.d/www.conf + php_fpm_default_pool_file: /etc/php/{{ php_version }}/fpm/pool.d/www-evolinux-defaults.conf + php_fpm_default_pool_custom_file: /etc/php/{{ php_version }}/fpm/pool.d/www-evolinux-zcustom.conf + php_fpm_default_pool_socket: /var/run/php/php{{ php_version }}-fpm.sock + php_fpm_service_name: php{{ php_version }}-fpm # Packages 
@@ -25,7 +32,6 @@ - php-imap - php-ldap - php-mysql - # php-mcrypt is no longer packaged for PHP 7.2 - php-pgsql - php-sqlite3 - php-curl @@ -54,8 +60,8 @@ - name: "Install PHP FPM packages (Debian 11)" apt: name: - - php-fpm - - php + - php{{ php_version }}-fpm + - php{{ php_version }} state: present when: php_fpm_enable @@ -67,12 +73,12 @@ mode: "0755" with_items: - /etc/php - - /etc/php/7.4 + - /etc/php/{{ php_version }} - include: config_cli.yml - name: "Enforce permissions on PHP cli directory (Debian 11)" file: - dest: /etc/php/7.4/cli + dest: /etc/php/{{ php_version }}/cli mode: "0755" - include: config_fpm.yml @@ -80,7 +86,7 @@ - name: "Enforce permissions on PHP fpm directory (Debian 11)" file: - dest: /etc/php/7.4/fpm + dest: /etc/php/{{ php_version }}/fpm mode: "0755" when: php_fpm_enable @@ -89,9 +95,9 @@ - name: "Enforce permissions on PHP apache2 directory (Debian 11)" file: - dest: /etc/php/7.4/apache2 + dest: /etc/php/{{ php_version }}/apache2 mode: "0755" when: php_apache_enable -- include: sury_post.yml - when: php_sury_enable +#- include: sury_post.yml +# when: php_sury_enable diff --git a/php/tasks/sury_pre.yml b/php/tasks/sury_pre.yml index cb0fc075..c94930a6 100644 --- a/php/tasks/sury_pre.yml +++ b/php/tasks/sury_pre.yml @@ -8,6 +8,14 @@ owner: root group: root +- name: copy pub.evolix.net GPG key + copy: + src: reg.asc + dest: "{{ apt_keyring_dir }}/reg.asc" + mode: "0644" + owner: root + group: root + - name: Setup deb.sury.org repository - Install apt-transport-https apt: state: present 
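Review bot: The `sury_post.yml` include at the end of main_bullseye.yml is commented out instead of removed, and nothing records why, so the next reader cannot tell whether the post step is temporarily disabled or obsolete on Debian 11. Commented-out code that still mentions `php_sury_enable` also suggests a post step governs the Sury case when in fact nothing runs. Either delete the two commented lines or replace them with a why-comment such as `# sury_post.yml is intentionally not included on Debian 11: <reason>`, and mention the reason in the CHANGELOG entry for this change.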
@@ -18,6 +26,14 @@ src: sury.preferences dest: /etc/apt/preferences.d/z-sury +- name: Setup pub.evolix.net repository - Add source list + apt_repository: + repo: "deb [signed-by={{ apt_keyring_dir }}/reg.asc] http://pub.evolix.net/ {{ ansible_distribution_release }}-php81/" + filename: evolix-php + state: present + when: + - ansible_distribution_release == "bullseye" + - name: Setup deb.sury.org repository - Add source list apt_repository: repo: "deb [signed-by={{ apt_keyring_dir }}/sury.gpg] https://packages.sury.org/php/ {{ ansible_distribution_release }} main" @@ -46,4 +62,3 @@ - php{{ php_version }}-ssh2 # - composer # - libphp-phpmailer - when: ansible_distribution_release != "bullseye" -- 2.39.2 From 4f5e745310a13f9c9c49550922b2904f3400ec00 Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Mon, 13 Feb 2023 10:27:49 +0100 Subject: [PATCH 345/497] Add handlers pour php8.2 --- php/handlers/main.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/php/handlers/main.yml b/php/handlers/main.yml index 0b372db7..206eab3a 100644 --- a/php/handlers/main.yml +++ b/php/handlers/main.yml @@ -29,3 +29,8 @@ service: name: php8.1-fpm state: restarted + +- name: restart php8.2-fpm + service: + name: php8.2-fpm + state: restarted -- 2.39.2 From d1b2fd81452e4c0a468a7c30b6d5baee3c0e2a17 Mon Sep 17 00:00:00 2001 From: Alexis Ben Miloud--Josselin Date: Tue, 14 Feb 2023 15:49:09 +0100 Subject: [PATCH 346/497] php: Fix sury support on Debian 11 --- php/tasks/sury_pre.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/php/tasks/sury_pre.yml b/php/tasks/sury_pre.yml index c94930a6..3301071d 100644 --- a/php/tasks/sury_pre.yml +++ b/php/tasks/sury_pre.yml @@ -25,6 +25,8 @@ copy: src: sury.preferences dest: /etc/apt/preferences.d/z-sury + when: + - ansible_distribution_release == "bullseye" - name: Setup pub.evolix.net repository - Add source list apt_repository: -- 2.39.2 From 6968128e7c0d5826d21a720dbcc00fee96ef9e71 Mon Sep 17 00:00:00 2001 
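Review bot: The new pub.evolix.net source is fetched over plain `http://` while the deb.sury.org line directly below uses `https://`; `signed-by` authenticates the Release file, but cleartext transport still exposes which packages a host pulls and lets an on-path attacker replay a stale signed index unless the repository publishes `Valid-Until`. If the mirror serves TLS, change the line to `repo: "deb [signed-by={{ apt_keyring_dir }}/reg.asc] https://pub.evolix.net/ {{ ansible_distribution_release }}-php81/"`; if it does not, a comment above the task saying so would stop this being re-raised. The suite is also hard-coded to `-php81` although this series makes `php_version` selectable, so presumably any other `php_version` on bullseye would not find its packages in this source; consider deriving the suite from the variable or asserting `php_version == '8.1'` when this source is added.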
From: Alexis Ben Miloud--Josselin Date: Tue, 14 Feb 2023 16:43:41 +0100 Subject: [PATCH 347/497] php: fix last commit and update changelog --- CHANGELOG.md | 2 ++ php/tasks/sury_pre.yml | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3515f60d..dff99012 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * nagios-nrpe: Print pool config path in check_phpfpm_multi output * nagios-nrpe: add tasks/files for a wrapper * fail2ban: add "Internal login failure" to Dovecot filter +* php: add a way to choose which version to install using sury repository ### Changed @@ -37,6 +38,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * openvpn: fix the client cipher configuration to match the server cipher configuration * clamav: set `MaxConnectionQueueLength` to its default value (200), custom (15) was way too small and caused recurrent connections fail in Postfix. * postfix (packmail only): disable `concurrency_failed_cohort_limit` for destination smtp-amavis to prevent the suspension of this destination when Amavis fails to answer. Indeed, we configure the suspension delay quite long in `minimal_backoff_time` (2h) and `maximal_backoff_time` (6h) to reduce the risk of ban from external SMTPs. +* php: install using sury repositories on bullseye ### Removed diff --git a/php/tasks/sury_pre.yml b/php/tasks/sury_pre.yml index 3301071d..9b8fc684 100644 --- a/php/tasks/sury_pre.yml +++ b/php/tasks/sury_pre.yml @@ -26,7 +26,7 @@ src: sury.preferences dest: /etc/apt/preferences.d/z-sury when: - - ansible_distribution_release == "bullseye" + - ansible_distribution_release != "bullseye" - name: Setup pub.evolix.net repository - Add source list apt_repository: -- 2.39.2 From 21a4f763307a6af7c91f4158f2322058c886dfae Mon Sep 17 00:00:00 2001 
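Review bot: Flipping the condition to `!= "bullseye"` means that on Debian 11 the sury.preferences file (content not shown here) is no longer installed even though both deb.sury.org and pub.evolix.net are added as sources in this same file, so any package either third-party repository publishes with a higher version than Debian's can replace it on the next upgrade; the apt_repository tasks that add those sources are outside this hunk. Third-party PHP repositories are normally pinned so that only the PHP packages are taken from them; keep the preferences task on bullseye, or ship a bullseye-specific preferences file whose `Pin-Priority` is limited to `php*` and the evolix origin. If bullseye is intentionally meant to take everything from these repositories, a comment on the `when:` stating that would save the next reader the question.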
From: Jeremy Lecour Date: Tue, 21 Feb 2023 15:08:02 +0100 Subject: [PATCH 348/497] bind: use systemd module --- CHANGELOG.md | 1 + bind/handlers/main.yml | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index dff99012..e20d3c5f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -21,6 +21,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * Use systemd module instead of command * Removed all "warn: False" args in command, shell and other modules as it's been deprecated and will give a hard fail in ansible-core 2.14.0. +* bind: use systemd module * webapps/nextcloud : Change default data directory to be outside web root * webapps/nextcloud : Small enhancement on the vhost template to lock out data dir * nagios-nrpe : Rewrite check_vrrpd for a better check (check rp_filter, vrrpd and uvrrpd compatible, use arguments, …) diff --git a/bind/handlers/main.yml b/bind/handlers/main.yml index 15b9d046..b426fcd1 100644 --- a/bind/handlers/main.yml +++ b/bind/handlers/main.yml @@ -5,17 +5,17 @@ - name: restart apparmor - service: + systemd: name: apparmor state: restarted - name: restart bind - service: + systemd: name: bind9 state: restarted - name: restart munin-node - service: + systemd: name: munin-node state: restarted -- 2.39.2 From 86a3c78a04c316652f5f862aad14b21b19e25f19 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 21 Feb 2023 15:09:05 +0100 Subject: [PATCH 349/497] yarn: update apt key --- CHANGELOG.md | 9 +-- nodejs/files/yarn.asc | 143 ++++++++++++++++++------------------------ 2 files changed, 65 insertions(+), 87 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e20d3c5f..314401ba 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -22,12 +22,13 @@ The **patch** part changes is incremented if multiple releases happen the same m * Use systemd module instead of command * Removed all "warn: False" args in command, shell and other modules as it's been deprecated and will give a hard fail in ansible-core 2.14.0. * bind: use systemd module +* evolinux-users: Update sudoers template to remove commands allowed without password +* nagios-nrpe : Rewrite check_vrrpd for a better check (check rp_filter, vrrpd and uvrrpd compatible, use arguments, …) +* openvpn: Change check_openvpn destination file to comply with recent EvoBSD change +* postfix: come back to default value of `notify_classes` for pack mails. * webapps/nextcloud : Change default data directory to be outside web root * webapps/nextcloud : Small enhancement on the vhost template to lock out data dir -* nagios-nrpe : Rewrite check_vrrpd for a better check (check rp_filter, vrrpd and uvrrpd compatible, use arguments, …) -* postfix: come back to default value of `notify_classes` for pack mails. -* openvpn: Change check_openvpn destination file to comply with recent EvoBSD change -* evolinux-users: Update sudoers template to remove commands allowed without password +* yarn: update apt key ### Fixed diff --git a/nodejs/files/yarn.asc b/nodejs/files/yarn.asc index e8d9cabb..03d9338a 100644 --- a/nodejs/files/yarn.asc +++ b/nodejs/files/yarn.asc 
@@ -158,86 +158,63 @@ V1L7FROM6fKydeSLJbx17SNjVdQnq1OsyqSO0catAFNptMHBsN+tiCI29gpGegao umV9cnND69aYvyPBgvdtmzPChjSmc6rzW1yXCJDm2qzwm/BcwJNXW5B3EUPxc0qS Wste9fUna0G4l/WMuaIzVkuTgXf1/r9HeQbjtxAztxH0d0VgdHAWPDkUYmztcZ4s d0PWkVa18qSrOvyhI96gCzdvMRLX17m1kPvP5PlPulvqizjDs8BScqeSzGgSbbQV -m5Tx4w2uF4/n3FBnABEBAAGJBEQEGAECAA8FAlwsRBECGwIFCQIKEgACKQkQFkaw -G4blAxDBXSAEGQECAAYFAlwsRBEACgkQI+cWZ4i2Ph6B0g//cPis3v2M6XvAbVoM -3GIMXnsVj1WAHuwA/ja7UfZJ9+kV/PiMLkAbW0fBj0/y0O3Ry12VVQGXhC+Vo4j6 -C8qwFP4OXa6EsxHXuvWMIztBaX1Kav613aXBtxp6tTrud0FFUh4sDc1RREb3tMr6 -y5cvFJgnrdWcX1gsl6ODcgWBGNc6ZX7H7j48hMR6KmNeZocW7p8W+BgDQJqXYwVN -L15qOHzVAh0dWsFLE9gwBTmDCY03x9arxSNDGCXyxt6E77LbNVIoSRlEbkvi6j33 -nEbuERICYl6CltXQCyiVKjheJcLMjbgv5+bLCv2zfeJ/WyOmOGKpHRu+lBV1Gvli -RxUblVlmjWPhYPBZXGyjII16Tqr+ilREcZFW+STccbrVct75JWLbxwlEmix+W1Hw -SRCR+KHx3Cur4ZPMOBlPsFilOOsNa7ROUB56t7zv21Ef3BeeaCd9c4kzNGN8d1ic -EqSXoWWPqgST0LZPtZyqWZVnWrHChVHfrioxhSnw8O3wY1A2GSahiCSvvjvOeEoJ -yU21ZMw6AVyHCh6v42oYadBfGgFwNo5OCMhNxNy/CcUrBSDqyLVTM5QlNsT75Ys7 -kHHnc+Jk+xx4JpiyNCz5LzcPhlwpqnJQcjJdY1hDhK75Ormj/NfCMeZ8g1aVPX4x -Eq8AMyZYhZ5/lmM+13Rdv8ZW6FK7HQ/+IAKzntxOjw0MzCXkksKdmIOZ2bLeOVI8 -aSLaUmoT5CLuoia9g7iFHlYrSY+01riRrAaPtYx0x8onfyVxL9dlW/Fv5+qc1fF5 -FxdhyIgdqgzm82TnXHu/haUxYmUvNrbsmmNl5UTTOf+YQHMccKFdYfZ2rCBtbN2n -iXG1tuz2+k83pozu4mJ1rOOLNAsQoY3yR6OODte1FyOgp7blwDhTIoQb8/UiJ7CM -BI3OPrfoXFAnhYoxeRSAN4UFu9/HIkqfaQgRPCZS1gNerWF6r6yz9AZWUZqjSJss -jBqXCtK9bGbTYBZk+pw3H9Nd0RJ2WJ9qPqmlmUr1wdqct0ChsJx1xAT86QrssicJ -/HFFmF45hlnGkHUBWLaVJt8YkLb/DqOIbVbwyCLQtJ80VQLEeupfmu5QNsTpntRY -NKf8cr00uc8vSYXYFRxa5H5oRT1eoFEEjDDvokNnHXfT+Hya44IjYpzaqvAgeDp6 -sYlOdtWIv/V3s+trxACwTkRN7zw3lLTbT8PK9szK0fYZ5KHG1/AKH+mbZ6qNc/25 -PNbAFRtttLGuEIC3HJ12IAp2JdjioeD2OnWLu4ZeCT2CKKFsleZPrSyCrn3gyZPm -fYvv5h2JbQNO6uweOrZENWX5SU43OBoplbuKJZsMP6p6NahuGnIeJLlv509JYAf/ -HN4ARyvvOpOJBFsEGAEIACYCGwIWIQRy7PRqVrStOckHu7cWRrAbhuUDEAUCYA3F -QQUJB6PoMAIpwV0gBBkBAgAGBQJcLEQRAAoJECPnFmeItj4egdIP/3D4rN79jOl7 -wG1aDNxiDF57FY9VgB7sAP42u1H2SffpFfz4jC5AG1tHwY9P8tDt0ctdlVUBl4Qv 
-laOI+gvKsBT+Dl2uhLMR17r1jCM7QWl9Smr+td2lwbcaerU67ndBRVIeLA3NUURG -97TK+suXLxSYJ63VnF9YLJejg3IFgRjXOmV+x+4+PITEeipjXmaHFu6fFvgYA0Ca -l2MFTS9eajh81QIdHVrBSxPYMAU5gwmNN8fWq8UjQxgl8sbehO+y2zVSKEkZRG5L -4uo995xG7hESAmJegpbV0AsolSo4XiXCzI24L+fmywr9s33if1sjpjhiqR0bvpQV -dRr5YkcVG5VZZo1j4WDwWVxsoyCNek6q/opURHGRVvkk3HG61XLe+SVi28cJRJos -fltR8EkQkfih8dwrq+GTzDgZT7BYpTjrDWu0TlAeere879tRH9wXnmgnfXOJMzRj -fHdYnBKkl6Flj6oEk9C2T7WcqlmVZ1qxwoVR364qMYUp8PDt8GNQNhkmoYgkr747 -znhKCclNtWTMOgFchwoer+NqGGnQXxoBcDaOTgjITcTcvwnFKwUg6si1UzOUJTbE -++WLO5Bx53PiZPsceCaYsjQs+S83D4ZcKapyUHIyXWNYQ4Su+Tq5o/zXwjHmfINW -lT1+MRKvADMmWIWef5ZjPtd0Xb/GVuhSCRAWRrAbhuUDEMTLEACyFHe0SPm4rMMA -E6dyadTJP8wRoI2epQciRqitIhANhmJ244WyqPWV3tDTgH/TaWPV7DerL6d2jOnw -mdfT5JeXkWrGf5Gxwz619UFx/S4VpPOQf4eJb1Z9WaOdQ87A9+BwwO8d+2XROhMm -iAetVo6jhvil0xR5t9HYg/uUSUu+tlHXlwPjdlYHUwUnt8HftoefWLXJj8ADHir1 -slw7jjFR/INE2dWqk6Lx2Ala+3yHN7/vpfOYvY4EyTvIeyLSoVn0fzUrsIv3HQSR -WogO3MykjkiMjNbhdH8CXbEiQ1MiFKsugyi0kY6HOIe3//+cZ4xXlQLsLRnV3xm9 -e/xGOte4M8o05JaUCrcsCmubOnqUIaZmDF9bITHI7bhkxLkvXopoxx4UodiL4PPG -OarAdRD2Y73eI7W6QhqZt8267tsLx4qe0q8/pCr7gX60E9hOSx2NszyS0FPME2CI -4vxVR+GxS8gzp5hFQ8OUaSC9a6eb4YI66bDhkRog0GrMagX3JJI2172blRyp8Fe7 -DAEUOb/xCcaKdv6waT+pqtrOaxDArDVRPVVqDlr1fY0lJis92ycBk4Gs8pAYiMEZ -lGUoh5MouBEPP7HtfZTMlsQm8J5hq3cJ+AxUPSbGTWUCql7hGpT4S97mpyATuLnW -qLZmBgDHhpHEmUQmONKSSpzSjjAS6LkCDQRcN/VvARAAoEHIkyjFDsfoCxA/b2qN -jz+l8OI2WhAMdqxReg7JN9R61qbetj9RYIcWswPSO84c0ioRUk+xJavEFh/6Lg00 -QKwJKPf0kd1Us6SfqklxGczOaWNLyiM7JthFRNMp0qVX6NjLqGoCNO+d/+nNk6s2 -x4rLECj/EROmE3ZQQEo5nBXmPlhXpVem23rGfXEQvXDNqFmvqrP+Befn/+aDpo89 -QIm3sE8G0LfgcajIdSfgLH+NJTvOVAtXXVXJPK39Njr1aBzWTbWhLS2bji7DwP7h -shdh7DE2rS623vlzvkkrms8oKkiRpKATdhQ8CEx+mhTFKCj6GtNqhwttCbf98N9G -piHD0has65YtgQQjk2pLR62rZf6czagRfKbFQzXjl2JxS/bsHVhTkhyJFqgDcHCS -Xe7K8uGTAE2AkakGhGyDJYqGVSl0w5IAU8dqDQMc0IpsVMbFk4nX4GgOwixwrzrg -Ch0jRi+EwUHJYZHBAyzNCkr++D25R0gwNhPMjSKe8Ks6G3hH3XP/ZVlceW/gPfxR -ixUTk/q7s3xPpPhLMREEpKS1aGcmYxEkrkVBDAzNYKdKP1MYwLn4lh4yNFXWlTCl 
-nDyI6UODTHwt8xDddtnT9u+U+xc6OJiYcCOstl+ovS9HmM/Kt9VTEX9cckEEL1IS -+9esQMr4b5X02Y1q9Q2uEucAEQEAAYkEWwQYAQgAJgIbAhYhBHLs9GpWtK05yQe7 -txZGsBuG5QMQBQJgDcVSBQkHmDbjAinBXSAEGQECAAYFAlw39W8ACgkQT3dnk2lH -W6p0eg/+K2JJu1RbTSLJPFYQhLcxX+5d2unkuNLIy3kArtZuB992E2Fw00okPGtu -PdSyk2ygh4DeYnwmabIWChi7LDp+YnqcI4GfMxNG6RsHs+A/77rLBST3BB1sejZp -pmKCQZDSC2pvYaZBpS80UvftCZ9RFdY+kTC22Btn/5ekiQOfIqhUH9CyGWS/YlGc -iomVIVn1hSPN8l4EpBCDtceRaephvzjQIZT3AxOfSlpwJviYjAOkSX4qWyIjC5Ke -5kfEOldUuBN1JGAm45tKlrz/LD/+VOc2IWpbkOIAVSldUgpRyiIJQAZ80trNxrJI -7ncaID8lAa7pBptJiL0KorRjk3c6Y7p830Nwe0J5e5+W1RzN4wlR8+9uuRyP8Mcw -z/Hz2jwMiv38Vk4tAOe4PYNZuDnpjZ28yCpF3UUgvzjarubFAcg2jd8SauCQFlmO -fvT+1qIMSeLmWBOdlzJTUpJRcZqnkEE4WtiMSlxyWVFvUwOmKSGi8CLoGW1Ksh9t -hQ9zKhvVUiVoKn4Z79HXr4pX6rnp+mweJ2dEZtlqD7HxjVTlCHn9fzClt/Nt0h72 -1fJbS587AC/ZMgg5GV+GKu6Mij0sPAowUJVCIwN9uK/GHICZEAoMSngP8xzKnhU5 -FD38vwBvsqbKxTtICrv2NuwnQ0WBBQ58w5mv2RCMr2W6iegSKIAJEBZGsBuG5QMQ -U8oQAMjiPEOFmgRcuhvhlzXT53d/1b8sfG4MV9c45xKE65L+kPoSGzvNWYumB2Kw -Qzf8tWu+6PmOljj1Ofyilqm3bblOasHWgDGPTSOcBaVhl8nZrS3o2fzZy7aQKYE3 -gQBZ6+jzhHQzrnQURpR+s/mdSO3+Gs+6kBmh9dkIQ8U1cfaAbZgy17BipPZkpwjr -ltTcDyJniQyEm7L6yV6MWt2TiFUA5IvyH+hTSKrLHnR7+lYDEo28wV8f8UcLrUpQ -joiCOWZeNCubaIxHHoGtCE+zkhSsuW9lGSX0rzQlmx1vclrYwyMKhlpDOqy8kzdI -Ws7VF3vCXRi6fWSA7apRtQQ7PbuZOOyYTaEkEuJ5CfWhFGy3eikiXilPk05ECZd3 -/uMB1dmPFKT+MbUDCA/b8amfkNTLg+RFNX+5isMLkrJ+8k13ueTp/PToGMIkYsbR -+HRm0HmrdqGFPl7o+0xXUT4wGbQD8QfK81lzH1QQhsu+12OsFt+jQC3IDYiXOUBk -zgkwMlt8C0vU0i/EElpqx/0n19iHv7XvPn5q0MdNBS5pW+DOho0D+z+NM9MWpYUu -ymC/28jo8Olju+9DZuZwEUEbptmltcA8UQ5r4FHx4m3sfCmCs1QUeb8TPNL0x8OA -XnADXbxMgGYTNX7YvdUw3a8M73stqnN9M8lUXln7ulOCee2z -=IgpF ------END PGP PUBLIC KEY BLOCK----- +m5Tx4w2uF4/n3FBnABEBAAGJBFsEGAEIACYCGwIWIQRy7PRqVrStOckHu7cWRrAb +huUDEAUCY897hAUJDUbR8wIpwV0gBBkBAgAGBQJcLEQRAAoJECPnFmeItj4egdIP +/3D4rN79jOl7wG1aDNxiDF57FY9VgB7sAP42u1H2SffpFfz4jC5AG1tHwY9P8tDt +0ctdlVUBl4QvlaOI+gvKsBT+Dl2uhLMR17r1jCM7QWl9Smr+td2lwbcaerU67ndB 
+RVIeLA3NUURG97TK+suXLxSYJ63VnF9YLJejg3IFgRjXOmV+x+4+PITEeipjXmaH +Fu6fFvgYA0Cal2MFTS9eajh81QIdHVrBSxPYMAU5gwmNN8fWq8UjQxgl8sbehO+y +2zVSKEkZRG5L4uo995xG7hESAmJegpbV0AsolSo4XiXCzI24L+fmywr9s33if1sj +pjhiqR0bvpQVdRr5YkcVG5VZZo1j4WDwWVxsoyCNek6q/opURHGRVvkk3HG61XLe ++SVi28cJRJosfltR8EkQkfih8dwrq+GTzDgZT7BYpTjrDWu0TlAeere879tRH9wX +nmgnfXOJMzRjfHdYnBKkl6Flj6oEk9C2T7WcqlmVZ1qxwoVR364qMYUp8PDt8GNQ +NhkmoYgkr747znhKCclNtWTMOgFchwoer+NqGGnQXxoBcDaOTgjITcTcvwnFKwUg +6si1UzOUJTbE++WLO5Bx53PiZPsceCaYsjQs+S83D4ZcKapyUHIyXWNYQ4Su+Tq5 +o/zXwjHmfINWlT1+MRKvADMmWIWef5ZjPtd0Xb/GVuhSCRAWRrAbhuUDEHSxD/9M +5il+6iZDsLMFQvsZJjRWnquPxRXBfyA3aiLJXsmMwWfSdEjS3JKq2hrOKVT3FgkN +CHBxhPREIPEhlE7EsGmdYvvzceYeM8LuK4DVMIjjpsIlxyS+h3iQNamoITbwuZyc +Hgv9FGVOElrtntqPY6BZWBdK1ZVAT3Q4hf1+o2UZ6o5gcmu6rR5wlgsqdGc5XCev +YVaJ7qQXvLhU0gzWyJ1p//d4DQUqrXW9+1bFg/gwPFn+ZBoO40/IovwoIdo1xX4p +KgH47aXFRHB53LhNtve422XDEuQnBTwNucvxAA91TmFt1BDVy1VCEwlDaKMS4Tuw +xrBEBKwsuBqelJPEcDzzt+yvc3jPoVrNrC5zLpAF3VPCUCkf21tbqYroFy/UfQls +O26iJhfPxoLEGtuCYt+DrpnR/1DteKqtett+Z1nJ9JEZAxk8QjdcpdMa5kBtC1hd +vb9f8ySSxv91RtzmyehIc7TBogwK+mydWMskTmNAl4ecGepfghPfA5JDW0NUm/Vv +/DAylze+BXzXPBeMXDAsHOcf4A8QVht9jX5a03QpPcFcXUYFjtItrjeDyzlSBp3K +8B9ECMy2+ke0U0jupNWlFxxzR15e+rEi450ilL/wKm7Va5VhQuNlXToIZJdQg/3e +n2jb+0Wye2SNCdPjF8663z+VwaZDVaDXqnT72wEJv7kCDQRcN/VvARAAoEHIkyjF +DsfoCxA/b2qNjz+l8OI2WhAMdqxReg7JN9R61qbetj9RYIcWswPSO84c0ioRUk+x +JavEFh/6Lg00QKwJKPf0kd1Us6SfqklxGczOaWNLyiM7JthFRNMp0qVX6NjLqGoC +NO+d/+nNk6s2x4rLECj/EROmE3ZQQEo5nBXmPlhXpVem23rGfXEQvXDNqFmvqrP+ +Befn/+aDpo89QIm3sE8G0LfgcajIdSfgLH+NJTvOVAtXXVXJPK39Njr1aBzWTbWh +LS2bji7DwP7hshdh7DE2rS623vlzvkkrms8oKkiRpKATdhQ8CEx+mhTFKCj6GtNq +hwttCbf98N9GpiHD0has65YtgQQjk2pLR62rZf6czagRfKbFQzXjl2JxS/bsHVhT +khyJFqgDcHCSXe7K8uGTAE2AkakGhGyDJYqGVSl0w5IAU8dqDQMc0IpsVMbFk4nX +4GgOwixwrzrgCh0jRi+EwUHJYZHBAyzNCkr++D25R0gwNhPMjSKe8Ks6G3hH3XP/ +ZVlceW/gPfxRixUTk/q7s3xPpPhLMREEpKS1aGcmYxEkrkVBDAzNYKdKP1MYwLn4 +lh4yNFXWlTClnDyI6UODTHwt8xDddtnT9u+U+xc6OJiYcCOstl+ovS9HmM/Kt9VT 
+EX9cckEEL1IS+9esQMr4b5X02Y1q9Q2uEucAEQEAAYkEWwQYAQgAJgIbAhYhBHLs +9GpWtK05yQe7txZGsBuG5QMQBQJjz3uOBQkNOyCfAinBXSAEGQECAAYFAlw39W8A +CgkQT3dnk2lHW6p0eg/+K2JJu1RbTSLJPFYQhLcxX+5d2unkuNLIy3kArtZuB992 +E2Fw00okPGtuPdSyk2ygh4DeYnwmabIWChi7LDp+YnqcI4GfMxNG6RsHs+A/77rL +BST3BB1sejZppmKCQZDSC2pvYaZBpS80UvftCZ9RFdY+kTC22Btn/5ekiQOfIqhU +H9CyGWS/YlGciomVIVn1hSPN8l4EpBCDtceRaephvzjQIZT3AxOfSlpwJviYjAOk +SX4qWyIjC5Ke5kfEOldUuBN1JGAm45tKlrz/LD/+VOc2IWpbkOIAVSldUgpRyiIJ +QAZ80trNxrJI7ncaID8lAa7pBptJiL0KorRjk3c6Y7p830Nwe0J5e5+W1RzN4wlR +8+9uuRyP8Mcwz/Hz2jwMiv38Vk4tAOe4PYNZuDnpjZ28yCpF3UUgvzjarubFAcg2 +jd8SauCQFlmOfvT+1qIMSeLmWBOdlzJTUpJRcZqnkEE4WtiMSlxyWVFvUwOmKSGi +8CLoGW1Ksh9thQ9zKhvVUiVoKn4Z79HXr4pX6rnp+mweJ2dEZtlqD7HxjVTlCHn9 +fzClt/Nt0h721fJbS587AC/ZMgg5GV+GKu6Mij0sPAowUJVCIwN9uK/GHICZEAoM +SngP8xzKnhU5FD38vwBvsqbKxTtICrv2NuwnQ0WBBQ58w5mv2RCMr2W6iegSKIAJ +EBZGsBuG5QMQ0SIQAMFN0FlUSP5TiKrTFMj79TcCLDeAvk8+h7nNj/dlgDpRl4kp +r+XO/a0VTwK8XVszNA43FDuT0WORPG73LYlgJi5gdLeWoXaEnW1f+ZyR2uc8/UNu +8nwv2dPLefLbhrWpkQbcriOt5FHL61Z8CqYa67vm2Lkr1yD+y3XFAuB2j3hbB1pF +xmc3wvkY+ZMA3fMb+ZbAlV9ylNn4MWzK2Z1hzC0G33Ym6z8SbqljvTn0ABS8BI0g +cJaPtSV7+rq+a/YOCBudSY1qBLCHGvpkByispqKjguS/95+37zcqEbTCTX9S5XmS +lsKFY08+6rq7yu8ptLkbg/RuXLzAvn6g56zFQlPeR+BIrKeCbWRu9hx4kSS6uN22 +MgYgv7l9ohNTzRxnugHnnerdyElDge50AQeFR43bdHEhvyumPLjaJ2WbSHtxRkLw +HcXOlx6lL/i2DJeLMaCshITV6TfvubVYG8djMUogWiXK0T74oocPSs00HDNs7OPy +9W44ZAFknGvoaTOEYxNgSI84yUf2304IhP+U9pYcRnJwJM4pOzcXZxPibrQf2Ex9 +XZXRkb9jkfYMvs0XBnCTUnSl5WVVlNHo2oUC2/mwuc321M6ucf7uDwN6FdPQVlJh +1qXVLvbNiyYug0lvwXsyfwu6IX+wl+kAP5NrRYuX8H+L0eauTGrRsld7OZ3H +=e4wy +-----END PGP PUBLIC KEY BLOCK----- \ No newline at end of file -- 2.39.2 From cd8a8122885d3b06ad40b38e4e25bc6d87de1d01 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Tue, 21 Feb 2023 15:14:00 +0100 Subject: [PATCH 350/497] bind: fix fail in check mode --- CHANGELOG.md | 1 + bind/handlers/main.yml | 1 + bind/tasks/main.yml | 4 +++- 3 files changed, 5 insertions(+), 1 deletion(-) 
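Review bot: The replaced tail of yarn.asc carries new self-signatures, but neither the commit message nor the file records the key fingerprint or where the updated key was fetched from, so a reviewer cannot distinguish a legitimate expiry extension from a swapped key without re-downloading it. Add the fingerprint and the source URL to the commit message or to a comment next to the task that installs this file (not part of this diff), and confirm the fingerprint matches the primary key already present in the unchanged part of the file. The file now also ends without a trailing newline (`\ No newline at end of file`), which apt tolerates but which will make the next key refresh a noisier diff.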
diff --git a/CHANGELOG.md b/CHANGELOG.md index 314401ba..7d8d1c6c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -41,6 +41,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * clamav: set `MaxConnectionQueueLength` to its default value (200), custom (15) was way too small and caused recurrent connections fail in Postfix. * postfix (packmail only): disable `concurrency_failed_cohort_limit` for destination smtp-amavis to prevent the suspension of this destination when Amavis fails to answer. Indeed, we configure the suspension delay quite long in `minimal_backoff_time` (2h) and `maximal_backoff_time` (6h) to reduce the risk of ban from external SMTPs. * php: install using sury repositories on bullseye +* bind: fix fail in check mode ### Removed diff --git a/bind/handlers/main.yml b/bind/handlers/main.yml index b426fcd1..49854b91 100644 --- a/bind/handlers/main.yml +++ b/bind/handlers/main.yml @@ -13,6 +13,7 @@ systemd: name: bind9 state: restarted + when: not ansible_check_mode - name: restart munin-node systemd: diff --git a/bind/tasks/main.yml b/bind/tasks/main.yml index d1348cd2..ac278651 100644 --- a/bind/tasks/main.yml +++ b/bind/tasks/main.yml @@ -42,7 +42,9 @@ line: 'include "/etc/bind/zones.rfc1918";' regexp: "zones.rfc1918" notify: restart bind - when: bind_recursive_server | bool + when: + - bind_recursive_server | bool + - not ansible_check_mode - name: Set bind configuration for authoritative server template: -- 2.39.2 From ae5c829373daf3d1d45fad1f724f1aa3cd17eabc Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Tue, 21 Feb 2023 17:47:23 +0100 Subject: [PATCH 351/497] php: Fix missing variable error introduced in b1a602bf7 --- php/tasks/main_bookworm.yml | 7 +++++-- php/tasks/main_bullseye.yml | 2 +- php/tasks/main_buster.yml | 10 ++++++---- 3 files changed, 12 insertions(+), 7 deletions(-) diff --git a/php/tasks/main_bookworm.yml b/php/tasks/main_bookworm.yml index 74329046..8982f8f5 100644 
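Review bot: Adding `not ansible_check_mode` to the zones.rfc1918 `lineinfile` task makes `--check` runs silently skip a real configuration change instead of reporting it, and `lineinfile` supports check mode natively, so the task itself does not need the guard. If the failure being worked around was the bind9 restart on a host where the package is not yet installed, the handler-side `when: not ansible_check_mode` in bind/handlers/main.yml already covers it and the task can go back to `when: bind_recursive_server | bool`. If the task failed because `/etc/bind/named.conf.local` does not yet exist on a fresh host in check mode, a comment stating that would be better than a guard that hides the dependency.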
--- a/php/tasks/main_bookworm.yml +++ b/php/tasks/main_bookworm.yml @@ -1,8 +1,11 @@ --- -- name: "Set php version to 8.1 (Debian 12)" +- name: "Set php version to 8.2(Debian 12)" set_fact: - php_version: "8.1" + php_version: "8.2" + when: + - php_sury_enable == false + check_mode: no - name: "Set php config directories (Debian 12)" set_fact: diff --git a/php/tasks/main_bullseye.yml b/php/tasks/main_bullseye.yml index 73e34483..d577ea5b 100644 --- a/php/tasks/main_bullseye.yml +++ b/php/tasks/main_bullseye.yml @@ -5,7 +5,7 @@ php_version: "7.4" when: - php_sury_enable == 'False' - - php_version != '7.4' + check_mode: no - name: "Set variables (Debian 11)" set_fact: diff --git a/php/tasks/main_buster.yml b/php/tasks/main_buster.yml index b7722716..24673378 100644 --- a/php/tasks/main_buster.yml +++ b/php/tasks/main_buster.yml @@ -1,12 +1,14 @@ --- +- debug: + msg: "{{ php_sury_enable }}" + - name: "Set php version to 7.3 if Sury repo is not enabled" set_fact: php_version: "7.3" - when: - - php_sury_enable == 'False' - - php_version != '7.3' - + when: + - php_sury_enable == false + check_mode: no - name: "Set variables (Debian 10)" set_fact: -- 2.39.2 From 2c1db6a2224bfabf0890146aa7e814961996bba8 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Tue, 21 Feb 2023 17:55:46 +0100 Subject: [PATCH 352/497] userlogrotate: create role separated from packweb-apache --- CHANGELOG.md | 1 + packweb-apache/tasks/main.yml | 16 ++------- packweb-apache/tasks/update_userlogrotate.yml | 16 --------- .../files/userlogrotate | 0 .../files/userlogrotate_jessie | 0 userlogrotate/tasks/main.yml | 34 +++++++++++++++++++ 6 files changed, 38 insertions(+), 29 deletions(-) delete mode 100644 packweb-apache/tasks/update_userlogrotate.yml rename {packweb-apache => userlogrotate}/files/userlogrotate (100%) rename {packweb-apache => userlogrotate}/files/userlogrotate_jessie (100%) create mode 100644 userlogrotate/tasks/main.yml 
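Review bot: The three distribution files now test `php_sury_enable` inconsistently: main_bookworm.yml and main_buster.yml compare against the boolean `false`, while main_bullseye.yml keeps the string comparison `php_sury_enable == 'False'`; in Jinja a boolean `false` never equals the string `'False'`, so depending on how the variable is set, one of the two forms silently skips defaulting `php_version` and the later `/etc/php/{{ php_version }}` paths fail. Use one normalized form in all three files, `when: not (php_sury_enable | bool)`, which accepts `false`, `"False"`, `"no"` and `0`. The `- debug: msg: "{{ php_sury_enable }}"` task added at the top of main_buster.yml looks like a debugging leftover and should be removed, and the task name `Set php version to 8.2(Debian 12)` is missing a space.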
diff --git a/CHANGELOG.md b/CHANGELOG.md index 7d8d1c6c..ae6a202c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * nagios-nrpe: add tasks/files for a wrapper * fail2ban: add "Internal login failure" to Dovecot filter * php: add a way to choose which version to install using sury repository +* userlogrotate: create role separated from packweb-apache ### Changed diff --git a/packweb-apache/tasks/main.yml b/packweb-apache/tasks/main.yml index ff3cd9a7..c0a44935 100644 --- a/packweb-apache/tasks/main.yml +++ b/packweb-apache/tasks/main.yml @@ -65,19 +65,8 @@ - access.log - error.log -- name: "Install userlogrotate (jessie)" - copy: - src: userlogrotate_jessie - dest: /etc/cron.weekly/userlogrotate - mode: "0755" - when: ansible_distribution_release == "jessie" - -- name: "Install userlogrotate (Debian 9 or later)" - copy: - src: userlogrotate - dest: /etc/cron.weekly/userlogrotate - mode: "0755" - when: ansible_distribution_major_version is version('9', '>=') +- include_role: + name: userlogrotate - name: Force DIR_MODE to 0750 in /etc/adduser.conf lineinfile: @@ -102,3 +91,4 @@ - include: multiphp.yml when: packweb_multiphp_versions | length > 0 + diff --git a/packweb-apache/tasks/update_userlogrotate.yml b/packweb-apache/tasks/update_userlogrotate.yml deleted file mode 100644 index 1e8a6d85..00000000 --- a/packweb-apache/tasks/update_userlogrotate.yml +++ /dev/null @@ -1,16 +0,0 @@ ---- - -- name: "Cherche l'emplacement de userlogrotate" - ansible.builtin.find: - path: /etc - patterns: userlogrotate - register: find_logrotate - -- name: "Met-à-jour userlogrotate" - ansible.builtin.copy: - src: userlogrotate - dest: "{{ item }}" - mode: "0755" - loop: "{{ find_logrotate.files }}" - when: find_logrotate.files | length>0 - 
diff --git a/packweb-apache/files/userlogrotate b/userlogrotate/files/userlogrotate similarity index 100% rename from packweb-apache/files/userlogrotate rename to userlogrotate/files/userlogrotate diff --git a/packweb-apache/files/userlogrotate_jessie b/userlogrotate/files/userlogrotate_jessie similarity index 100% rename from packweb-apache/files/userlogrotate_jessie rename to userlogrotate/files/userlogrotate_jessie diff --git a/userlogrotate/tasks/main.yml b/userlogrotate/tasks/main.yml new file mode 100644 index 00000000..2642186c --- /dev/null +++ b/userlogrotate/tasks/main.yml @@ -0,0 +1,34 @@ +--- +- name: "Is userlogrotate present ?" + ansible.builtin.find: + paths: ["/etc/cron.weekly", "/etc/cron.daily"] + patterns: ["userlogrotate"] + register: find_logrotate + check_mode: no + +- name: "Update userlogrotate" + ansible.builtin.copy: + src: userlogrotate + dest: "{{ item.path }}" + mode: "0755" + loop: "{{ find_logrotate.files }}" + when: find_logrotate.files | length>0 + +- name: "Install userlogrotate (jessie)" + copy: + src: userlogrotate_jessie + dest: /etc/cron.weekly/userlogrotate + mode: "0755" + when: + - ansible_distribution_release == "jessie" + - find_logrotate.files | length==0 + +- name: "Install userlogrotate (Debian 9 or later)" + copy: + src: userlogrotate + dest: /etc/cron.weekly/userlogrotate + mode: "0755" + when: + - ansible_distribution_major_version is version('9', '>=') + - find_logrotate.files | length==0 + -- 2.39.2 From 8cbe8371472faee7a8c56a30ccefef915575c2af Mon Sep 17 00:00:00 2001 
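Review bot: The `Update userlogrotate` task copies `src: userlogrotate` onto whatever `find` located, including on Debian 8 hosts, whereas the install tasks below still distinguish `userlogrotate_jessie`; an existing jessie installation is therefore silently replaced by the Debian 9+ script on the next run. Select the source the same way in both places, e.g. `src: "{{ 'userlogrotate_jessie' if ansible_distribution_release == 'jessie' else 'userlogrotate' }}"`, or add the jessie condition to the update task. The `when: find_logrotate.files | length>0` on a task that already loops over that list is redundant since an empty loop runs nothing, and because scripts in /etc/cron.weekly run as root, setting `owner: root` and `group: root` explicitly on the three copy tasks would make the intended ownership visible rather than implied.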
From: Jeremy Lecour Date: Tue, 21 Feb 2023 18:30:09 +0100 Subject: [PATCH 353/497] bind: refactor role * queries log can be enabled or disabled * split tasks * check if AppArmor is present * don't install Munin plugin whose data file is not present * remove example ACL in authoritative configuration --- CHANGELOG.md | 3 +- bind/defaults/main.yml | 1 + bind/handlers/main.yml | 1 - bind/tasks/authoritative.yml | 11 ++++ bind/tasks/main.yml | 50 ++++++------------- bind/tasks/munin.yml | 6 +-- bind/tasks/recursive.yml | 19 +++++++ bind/templates/apparmor.usr.sbin.named.j2 | 2 + ...nd9.service.j2 => bind9.service.jessie.j2} | 0 bind/templates/logrotate_bind.j2 | 2 +- bind/templates/munin-env_bind9.j2 | 10 +++- .../named.conf.options_authoritative.j2 | 12 +++-- .../templates/named.conf.options_recursive.j2 | 4 ++ 13 files changed, 75 insertions(+), 46 deletions(-) create mode 100644 bind/tasks/authoritative.yml create mode 100644 bind/tasks/recursive.yml rename bind/templates/{bind9.service.j2 => bind9.service.jessie.j2} (100%) diff --git a/CHANGELOG.md b/CHANGELOG.md index ae6a202c..dc445fee 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -22,7 +22,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * Use systemd module instead of command * Removed all "warn: False" args in command, shell and other modules as it's been deprecated and will give a hard fail in ansible-core 2.14.0. -* bind: use systemd module +* bind: refactor role * evolinux-users: Update sudoers template to remove commands allowed without password * nagios-nrpe : Rewrite check_vrrpd for a better check (check rp_filter, vrrpd and uvrrpd compatible, use arguments, …) * openvpn: Change check_openvpn destination file to comply with recent EvoBSD change 
@@ -42,7 +42,6 @@ The **patch** part changes is incremented if multiple releases happen the same m * clamav: set `MaxConnectionQueueLength` to its default value (200), custom (15) was way too small and caused recurrent connections fail in Postfix. * postfix (packmail only): disable `concurrency_failed_cohort_limit` for destination smtp-amavis to prevent the suspension of this destination when Amavis fails to answer. Indeed, we configure the suspension delay quite long in `minimal_backoff_time` (2h) and `maximal_backoff_time` (6h) to reduce the risk of ban from external SMTPs. * php: install using sury repositories on bullseye -* bind: fix fail in check mode ### Removed diff --git a/bind/defaults/main.yml b/bind/defaults/main.yml index 99b33e13..c34490f8 100644 --- a/bind/defaults/main.yml +++ b/bind/defaults/main.yml @@ -8,4 +8,5 @@ bind_systemd_service_path: /etc/systemd/system/bind9.service bind_statistics_file: /var/run/named.stats bind_log_file: /var/log/bind.log bind_query_file: /var/log/bind_queries.log +bind_query_file_enabled: False bind_cache_dir: /var/cache/bind diff --git a/bind/handlers/main.yml b/bind/handlers/main.yml index 49854b91..b426fcd1 100644 --- a/bind/handlers/main.yml +++ b/bind/handlers/main.yml @@ -13,7 +13,6 @@ systemd: name: bind9 state: restarted - when: not ansible_check_mode - name: restart munin-node systemd: diff --git a/bind/tasks/authoritative.yml b/bind/tasks/authoritative.yml new file mode 100644 index 00000000..52992fa1 --- /dev/null +++ b/bind/tasks/authoritative.yml @@ -0,0 +1,11 @@ +--- + +- name: Set bind configuration for authoritative server + template: + src: named.conf.options_authoritative.j2 + dest: /etc/bind/named.conf.options + owner: bind + group: bind + mode: "0644" + force: yes + notify: restart bind \ No newline at end of file diff --git a/bind/tasks/main.yml b/bind/tasks/main.yml index ac278651..b62017e6 100644 --- a/bind/tasks/main.yml +++ b/bind/tasks/main.yml 
@@ -8,6 +8,13 @@ bind_chroot_path: /var/chroot-bind when: bind_chroot_set | bool +- name: Check AppArmor + shell: systemctl is-active apparmor || systemctl is-enabled apparmor + failed_when: False + changed_when: False + check_mode: no + register: check_apparmor + - name: configure apparmor template: src: apparmor.usr.sbin.named.j2 @@ -17,6 +24,7 @@ mode: '0644' force: yes notify: restart apparmor + when: check_apparmor.rc == 0 - name: package are installed apt: @@ -25,49 +33,23 @@ - dnstop state: present -- name: Set bind configuration for recursive server - template: - src: named.conf.options_recursive.j2 - dest: /etc/bind/named.conf.options - owner: bind - group: bind - mode: "0644" - force: yes - notify: restart bind - when: bind_recursive_server | bool - -- name: enable zones.rfc1918 for recursive server - lineinfile: - dest: /etc/bind/named.conf.local - line: 'include "/etc/bind/zones.rfc1918";' - regexp: "zones.rfc1918" - notify: restart bind - when: - - bind_recursive_server | bool - - not ansible_check_mode - -- name: Set bind configuration for authoritative server - template: - src: named.conf.options_authoritative.j2 - dest: /etc/bind/named.conf.options - owner: bind - group: bind - mode: "0644" - force: yes - notify: restart bind +- include: authoritative.yml when: bind_authoritative_server | bool -- name: Create systemd service +- include: recursive.yml + when: bind_recursive_server | bool + +- name: Create systemd service for Debian 8 (Jessie) template: - src: bind9.service.j2 + src: bind9.service.jessie.j2 dest: "{{ bind_systemd_service_path }}" owner: root group: root mode: "0644" force: yes notify: - - reload systemd - - restart bind + - reload systemd + - restart bind when: ansible_distribution_release == "jessie" - name: "touch {{ bind_log_file }} if non chroot" diff --git a/bind/tasks/munin.yml b/bind/tasks/munin.yml index f97ddf85..7bedfd2c 100644 --- a/bind/tasks/munin.yml +++ b/bind/tasks/munin.yml 
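Review bot: Replacing the two inline template tasks with `include: authoritative.yml` followed by `include: recursive.yml` reverses which configuration wins when both `bind_authoritative_server` and `bind_recursive_server` are true: both files write `/etc/bind/named.conf.options`, and the recursive one now runs last, whereas before the authoritative template was applied last. If the two modes are meant to be exclusive, say so with an `assert` before the includes instead of relying on task order, since an authoritative server silently receiving the recursive options is the kind of drift that ends as an open resolver. Bare `include` has also been deprecated since Ansible 2.4 and is scheduled for removal (ansible-core 2.16); `import_tasks:` gives the same static behaviour.
```yaml
- name: Check that the server is either authoritative or recursive
  assert:
    that: not (bind_authoritative_server | bool and bind_recursive_server | bool)
    fail_msg: "bind_authoritative_server and bind_recursive_server are mutually exclusive"

- import_tasks: authoritative.yml
  when: bind_authoritative_server | bool

# … unchanged: recursive include, jessie systemd service …
```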
@@ -19,7 +19,7 @@ - bind9_rndc notify: restart munin-node when: - - bind_authoritative_server + - bind_authoritative_server | bool - munin_node_plugins_config.stat.exists tags: - bind @@ -32,10 +32,10 @@ state: link loop: - bind9 - - bind9_rndc notify: restart munin-node when: - - bind_recursive_server + - bind_recursive_server | bool + - bind_query_file_enabled | bool - munin_node_plugins_config.stat.exists tags: - bind diff --git a/bind/tasks/recursive.yml b/bind/tasks/recursive.yml new file mode 100644 index 00000000..ddbeafbf --- /dev/null +++ b/bind/tasks/recursive.yml @@ -0,0 +1,19 @@ +--- + + +- name: Set bind configuration for recursive server + template: + src: named.conf.options_recursive.j2 + dest: /etc/bind/named.conf.options + owner: bind + group: bind + mode: "0644" + force: yes + notify: restart bind + +- name: enable zones.rfc1918 for recursive server + lineinfile: + dest: /etc/bind/named.conf.local + line: 'include "/etc/bind/zones.rfc1918";' + regexp: "zones.rfc1918" + notify: restart bind diff --git a/bind/templates/apparmor.usr.sbin.named.j2 b/bind/templates/apparmor.usr.sbin.named.j2 index 9a554437..1f61f325 100644 --- a/bind/templates/apparmor.usr.sbin.named.j2 +++ b/bind/templates/apparmor.usr.sbin.named.j2 @@ -56,7 +56,9 @@ # some people like to put logs in /var/log/named/ instead of having # syslog do the heavy lifting. {{ bind_log_file }} rw, + {% if bind_query_file_enabled | bool %} {{ bind_query_file }} rw, + {% endif %} # gssapi /var/lib/sss/pubconf/krb5.include.d/** r, diff --git a/bind/templates/bind9.service.j2 b/bind/templates/bind9.service.jessie.j2 similarity index 100% rename from bind/templates/bind9.service.j2 rename to bind/templates/bind9.service.jessie.j2 diff --git a/bind/templates/logrotate_bind.j2 b/bind/templates/logrotate_bind.j2 index 27877958..c7ec3c30 100644 --- a/bind/templates/logrotate_bind.j2 +++ b/bind/templates/logrotate_bind.j2 
@@ -1,4 +1,4 @@ -{% if bind_chroot_set %} +{% if bind_chroot_set | bool %} {{ bind_chroot_path }}{{ bind_log_file }} { {% else %} {{ bind_log_file }} { diff --git a/bind/templates/munin-env_bind9.j2 b/bind/templates/munin-env_bind9.j2 index de88b27a..2af70548 100644 --- a/bind/templates/munin-env_bind9.j2 +++ b/bind/templates/munin-env_bind9.j2 @@ -1,9 +1,17 @@ [bind*] user root -env.logfile {% if bind_chroot_set %}{{ bind_chroot_path }}{% endif %}{{ bind_query_file }} +{% if bind_query_file_enabled | bool %} +{% if bind_chroot_set | bool %} +env.logfile {{ bind_chroot_path }}{{ bind_query_file }} +{% else %} +env.logfile {{ bind_query_file }} +{% endif %} +{% endif %} + {% if bind_authoritative_server %} env.querystats {% if bind_chroot_set %}{{ bind_chroot_path }}{% endif %}{{ bind_statistics_file }} {% endif %} + env.MUNIN_PLUGSTATE /var/lib/munin timeout 120 diff --git a/bind/templates/named.conf.options_authoritative.j2 b/bind/templates/named.conf.options_authoritative.j2 index 8f48cbb5..4b6065b6 100644 --- a/bind/templates/named.conf.options_authoritative.j2 +++ b/bind/templates/named.conf.options_authoritative.j2 @@ -1,7 +1,7 @@ -acl "foo" { - ::ffff:192.0.2.21; 192.0.2.21; - 2001:db8::21; -}; +// acl "foo" { +// ::ffff:192.0.2.21; 192.0.2.21; +// 2001:db8::21; +// }; options { directory "{{ bind_cache_dir }}"; @@ -20,16 +20,20 @@ options { logging { category default { default_file; }; +{% if bind_query_file_enabled | bool %} category queries { query_logging; }; +{% endif %} channel default_file { file "{{ bind_log_file }}"; severity info; }; +{% if bind_query_file_enabled | bool %} channel query_logging { file "{{ bind_query_file }}" versions 2 size 128M; print-category yes; print-severity yes; print-time yes; }; +{% endif %} }; diff --git a/bind/templates/named.conf.options_recursive.j2 b/bind/templates/named.conf.options_recursive.j2 index 27246d13..931ac71d 100644 --- a/bind/templates/named.conf.options_recursive.j2 
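Review bot: In `munin-env_bind9.j2` the new `{% if bind_query_file_enabled | bool %}` and `{% if bind_chroot_set | bool %}` tests are added while the untouched `{% if bind_authoritative_server %}` and the inner `{% if bind_chroot_set %}` on the querystats line keep the bare form; the same commit converts `logrotate_bind.j2` to `| bool`, so the template is now inconsistent with itself. A value such as the string `"False"` is truthy in Jinja without the filter, so the querystats line would still be emitted when the variable is set from a string source. Apply `| bool` to the two remaining tests.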
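Review bot: The commit message says the example ACL is removed, but in `named.conf.options_authoritative.j2` the `acl "foo"` block is only commented out with `//`, leaving dead example addresses (192.0.2.21, 2001:db8::21) at the top of every rendered configuration. Delete the four lines rather than keeping a commented placeholder; if a hint is wanted, a single `// define ACLs here if needed, see the bind documentation` line is enough.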
+++ b/bind/templates/named.conf.options_recursive.j2 @@ -9,16 +9,20 @@ options { logging { category default { default_file; }; +{% if bind_query_file_enabled | bool %} category queries { query_logging; }; +{% endif %} channel default_file { file "{{ bind_log_file }}"; severity info; }; +{% if bind_query_file_enabled | bool %} channel query_logging { file "{{ bind_query_file }}" versions 2 size 128M; print-category yes; print-severity yes; print-time yes; }; +{% endif %} }; -- 2.39.2 From 8ec159c4449b99a58999fd5f04b1e0e9ac3d1bc4 Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Fri, 24 Feb 2023 15:41:39 +0100 Subject: [PATCH 354/497] Add task in postfix for packmail and index.hml + vhost directive for mailgraph --- apache/tasks/server_status.yml | 7 +++++++ apache/templates/evolinux-default.conf.j2 | 18 ++++++++++++++++++ postfix/tasks/packmail.yml | 14 ++++++++++++++ 3 files changed, 39 insertions(+) diff --git a/apache/tasks/server_status.yml b/apache/tasks/server_status.yml index efd2b00e..38daf285 100644 --- a/apache/tasks/server_status.yml +++ b/apache/tasks/server_status.yml @@ -68,3 +68,10 @@ insertafter: "[apache_*]" create: no notify: restart munin-node + +- name: add mailgraph URL in index.html + lineinfile: + dest: /var/www/index.html + state: present + line: '
  • Stats Mail
  • ' + insertbefore: "" diff --git a/apache/templates/evolinux-default.conf.j2 b/apache/templates/evolinux-default.conf.j2 index 68cdcf84..effa55c6 100644 --- a/apache/templates/evolinux-default.conf.j2 +++ b/apache/templates/evolinux-default.conf.j2 @@ -35,6 +35,15 @@ Include /etc/apache2/ipaddr_whitelist.conf + # Mailgraph configuration + Alias /mailgraph /usr/share/mailgraph + + DirectoryIndex mailgraph.cgi + Require all granted + Options +FollowSymLinks +ExecCGI + AddHandler cgi-script .cgi + + CustomLog /var/log/apache2/access.log vhost_combined ErrorLog /var/log/apache2/error.log LogLevel warn @@ -118,6 +127,15 @@ Include /etc/apache2/ipaddr_whitelist.conf
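Review bot: The new `/mailgraph` block grants `Require all granted`, so the mailgraph CGI and its mail-volume graphs become readable by anyone, while the enclosing vhost restricts its other status pages through `Include /etc/apache2/ipaddr_whitelist.conf` (visible in the hunk context). Mail traffic statistics are operational information and should get the same restriction; replace `Require all granted` with `Include /etc/apache2/ipaddr_whitelist.conf` (or an explicit `Require ip` list). The `<Directory>` container lines appear to have been stripped in this rendering, so the exact scope of the block cannot be confirmed here.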
    + # Mailgraph configuration + Alias /mailgraph /usr/share/mailgraph + + DirectoryIndex mailgraph.cgi + Require all granted + Options +FollowSymLinks +ExecCGI + AddHandler cgi-script .cgi + + # BEGIN phpMyAdmin section # END phpMyAdmin section diff --git a/postfix/tasks/packmail.yml b/postfix/tasks/packmail.yml index 90d424b2..869113b0 100644 --- a/postfix/tasks/packmail.yml +++ b/postfix/tasks/packmail.yml @@ -10,6 +10,20 @@ tags: - postfix +- name: make /var/lib/mailgraph accessible by www-data + file: + path: "/var/lib/mailgraph" + state: directory + owner: www-data + group: www-data + mode: '0755' + +- name: make sure a service Mailgraph is running + systemd: + name: mailgraph.service + state: started + enabled: true + - name: create packmail main.cf template: src: packmail_main.cf.j2 -- 2.39.2 From 68d34c85284c37a2f3b5fa779ef5af37fcd79064 Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Fri, 24 Feb 2023 15:46:00 +0100 Subject: [PATCH 355/497] Add changelog for add feature in postfix / apache and php --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index dc445fee..b0d7a4db 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,9 @@ The **patch** part changes is incremented if multiple releases happen the same m * fail2ban: add "Internal login failure" to Dovecot filter * php: add a way to choose which version to install using sury repository * userlogrotate: create role separated from packweb-apache +* postfix: Add task for enable mailgraph on packmail +* apache: add tash for enable mailgraph on default vhost and index.html +* php: add variables php_version when sury is activated for each Debian version ### Changed -- 2.39.2 From 431ffd59917b2976271fccc12d06dc9311abc157 Mon Sep 17 00:00:00 2001 
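Review bot: `make /var/lib/mailgraph accessible by www-data` chowns the RRD directory to `www-data:www-data`, which gives the web server user write access to the data the mailgraph daemon collects; with `mode: '0755'` the CGI only needs read access, which the `o+rx` bits already provide regardless of owner. Keep the owner as root (or as the user the daemon runs as, to be confirmed) and only set the mode, unless mailgraph.cgi is known to write into that directory. The two new tasks also lack the `tags: - postfix` carried by the neighbouring tasks, so `--tags postfix` runs would skip them.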
From: Jeremy Lecour Date: Sun, 26 Feb 2023 00:10:00 +0100 Subject: [PATCH 356/497] evolinux-base: subversion is not installed anymore --- CHANGELOG.md | 2 ++ evolinux-base/tasks/packages.yml | 1 - 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b0d7a4db..e6f1831d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -48,6 +48,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Removed +* evolinux-base: subversion is not installed anymore + ### Security ## [22.12] 2022-12-14 diff --git a/evolinux-base/tasks/packages.yml b/evolinux-base/tasks/packages.yml index b4a1d666..4c2249e3 100644 --- a/evolinux-base/tasks/packages.yml +++ b/evolinux-base/tasks/packages.yml @@ -55,7 +55,6 @@ - mutt - tree - git - - subversion - rsync - bc - pinentry-curses -- 2.39.2 From b2c215eef06896ed2e090cdf0510265611a6f74f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 26 Feb 2023 21:32:51 +0100 Subject: [PATCH 357/497] formatting --- bind/tasks/main.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/bind/tasks/main.yml b/bind/tasks/main.yml index b62017e6..9b053b6c 100644 --- a/bind/tasks/main.yml +++ b/bind/tasks/main.yml @@ -1,11 +1,11 @@ # Until chroot-bind.sh is migrated to ansible, we hardcode the chroot paths. - name: set chroot variables set_fact: - bind_log_file: /var/log/bind.log - bind_query_file: /var/log/bind_queries.log - bind_cache_dir: /var/cache/bind - bind_statistics_file: /var/run/named.stats - bind_chroot_path: /var/chroot-bind + bind_log_file: /var/log/bind.log + bind_query_file: /var/log/bind_queries.log + bind_cache_dir: /var/cache/bind + bind_statistics_file: /var/run/named.stats + bind_chroot_path: /var/chroot-bind when: bind_chroot_set | bool - name: Check AppArmor @@ -21,7 +21,7 @@ dest: /etc/apparmor.d/usr.sbin.named owner: root group: root - mode: '0644' + mode: "0644" force: yes notify: restart apparmor when: check_apparmor.rc == 0 -- 2.39.2 
From 17946f7280b5600b0c5b8c44b0aa436f591bb96b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 27 Feb 2023 13:58:01 +0100 Subject: [PATCH 358/497] apt: add move-apt-keyrings script/tasks --- CHANGELOG.md | 1 + apt/files/move-apt-keyrings.sh | 32 ++++++++++++++++++++++++++++++ apt/tasks/move-apt-keyring.yml | 36 ++++++++++++++++++++++++++++++++++ 3 files changed, 69 insertions(+) create mode 100644 apt/files/move-apt-keyrings.sh create mode 100644 apt/tasks/move-apt-keyring.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index e6f1831d..024c0c50 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added +* apt: add move-apt-keyrings script/tasks * nagios-nrpe: Print pool config path in check_phpfpm_multi output * nagios-nrpe: add tasks/files for a wrapper * fail2ban: add "Internal login failure" to Dovecot filter diff --git a/apt/files/move-apt-keyrings.sh b/apt/files/move-apt-keyrings.sh new file mode 100644 index 00000000..3283c4ee --- /dev/null +++ b/apt/files/move-apt-keyrings.sh 
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+# Move apt repository key from /etc/apt/trusted.gpg.d/ to /etc/apt/keyrings/ and add "signed-by" tag in source list
+#
+# Example: move-apt-keyrings.sh http://repo.mongodb.org/apt/debian mongodb-server-[0-9\\.]+.asc
+
+repository_pattern=$1
+key=$2
+
+found_files=$(grep --files-with-matches --recursive --extended-regexp "${repository_pattern}" "/etc/apt/sources.list.d/")
+
+old_key_file="/etc/apt/trusted.gpg.d/${key}"
+new_key_file="/etc/apt/keyrings/${key}"
+
+for file in ${found_files}; do
+ if ! grep --quiet "signed-by" "${file}"; then
+ signed_by="signed-by=${new_key_file}"
+ if grep --quiet "deb(-src)? \[" "${file}"; then
+ sed -i "s@deb\(-src\)\? \[\([^]]\+\)\]@deb\1 [\2 ${signed_by}]@" "${file}"
+ else
+ sed -i "s@deb\(-src\)\? @deb\1 [${signed_by}] @" "${file}"
+ fi
+ fi
+done
+
+if [ -f "${old_key_file}" ] && [ ! -f "${new_key_file}" ]; then
+ mv "${old_key_file}" "${new_key_file}"
+fi
+if [ -f "${new_key_file}" ]; then
+ chmod 644 "${new_key_file}"
+ chown root: "${new_key_file}"
+fi
diff --git a/apt/tasks/move-apt-keyring.yml b/apt/tasks/move-apt-keyring.yml new file mode 100644
index 00000000..cf74c53e
--- /dev/null
+++ b/apt/tasks/move-apt-keyring.yml
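Review bot: `grep --quiet "deb(-src)? \["` is a basic regular expression, in which `(`, `)` and `?` are literal, so it only matches the text `deb(-src)? [` and never a real `deb [arch=amd64] …` entry; such lines fall into the `else` branch and end up with two option brackets (`deb [signed-by=…] [arch=amd64] …`), which apt is unlikely to parse. Add `--extended-regexp` to that grep. Separately, the source lists are rewritten before the key is moved and regardless of whether `${new_key_file}` exists, so a `key` that is really a pattern (the `mongodb-server-[0-9\\.]+.asc` example from the header is used as a literal path here) leaves the repository pointing at a keyring that is not there; move the key first and stop when it is missing.
```sh
# … unchanged: argument handling, found_files, old_key_file/new_key_file …

# Move the key first, and refuse to touch the source lists if no keyring ends up at the new path
if [ -f "${old_key_file}" ] && [ ! -f "${new_key_file}" ]; then
    mv "${old_key_file}" "${new_key_file}"
fi
if [ ! -f "${new_key_file}" ]; then
    echo "${new_key_file} not found, source lists left untouched" >&2
    exit 1
fi
chmod 644 "${new_key_file}"
chown root: "${new_key_file}"

# … unchanged: loop adding signed-by to ${found_files}, with `grep --quiet --extended-regexp "deb(-src)? \["` …
```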
@@ -0,0 +1,36 @@
+---
+- name: New APT keyrings directory is present
+ file:
+ path: /etc/apt/keyrings
+ state: directory
+ mode: "0755"
+ owner: root
+ group: root
+
+- name: migration script is present
+ copy:
+ src: move-apt-keyrings.sh
+ dest: /root/move-apt-keyrings.sh
+ mode: "0755"
+ owner: root
+ group: root
+
+- name: Move repository signing key
+ command: "/root/move-apt-keyrings.sh \"{{ item.repository_pattern }}\" \"{{ item.key }}\""
+ loop:
+ - { repository_pattern: "http://pub.evolix.net/", key: "reg.asc" }
+ - { repository_pattern: "https://artifacts.elastic.co/packages/[^/]+/apt", key: "elastics.asc" }
+ - { repository_pattern: "https://download.docker.com/linux/debian", key: "docker-debian.asc" }
+ - { repository_pattern: "https://downloads.linux.hpe.com/SDR/repo/mcp", key: "hpePublicKey2048_key1.asc" }
+ - { repository_pattern: "http://pkg.jenkins-ci.org/debian-stable", key: "jenkins.asc" }
+ - { repository_pattern: "https://packages.sury.org/php/", key: "sury.gpg" }
+ - { repository_pattern: "http://repo.mongodb.org/apt/debian", key: "mongodb-server-[0-9\\.]+.asc" }
+ - { repository_pattern: "http://apt.newrelic.com/debian/", key: "newrelic.asc" }
+ - { repository_pattern: "https://deb.nodesource.com/", key: "nodesource.asc" }
+ - { repository_pattern: "https://dl.yarnpkg.com/debian/", key: "yarn.asc" }
+ - { repository_pattern: "http://apt.postgresql.org/pub/repos/apt/", key: "postgresql.asc" }
+ register: _cmd
+
+- name: Debug command
+ debug:
+ var: _cmd
-- 2.39.2 From c99e71fc6cc7be8e94476e4c2000c8010f4a9116 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 27 Feb 2023 13:58:25 +0100 Subject: [PATCH 359/497] Add vscode settings --- .vscode/settings.json | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 .vscode/settings.json
diff --git a/.vscode/settings.json b/.vscode/settings.json new file mode 100644
index 00000000..ce271884
--- /dev/null
+++ b/.vscode/settings.json
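Review bot: `Move repository signing key` runs a `command` with no `changed_when` or `creates`, so every play reports eleven changed items even when nothing is migrated, and the unconditional `Debug command` then dumps the full result for every host. Have the script print a marker line only when it moves a key or edits a file, test for it in `changed_when`, and give the debug task `verbosity: 1` so the dump only appears on request. The `mongodb-server-[0-9\\.]+.asc` entry is a regular expression while the script uses `key` as a literal file name, so that entry can never find a key to move.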
@@ -0,0 +1,7 @@ +{ + "files.associations": { + "*.yml": "ansible", + "*.yaml": "ansible" + }, + "yaml.format.enable": false +} \ No newline at end of file -- 2.39.2 From 1d701b060e3f6e58cd938e59c90f88e0027533f6 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Mon, 27 Feb 2023 17:33:13 +0100 Subject: [PATCH 360/497] apt: Use pub.evolix.org instead of pub.evolix.net --- CHANGELOG.md | 1 + apt/files/pub_evolix.asc | 87 +++++++++++++++++++++++++++++ apt/tasks/evolix_public.yml | 4 +- apt/tasks/hold_packages.yml | 3 + apt/tasks/move-apt-keyring.yml | 1 + apt/templates/evolix_public.list.j2 | 6 +- 6 files changed, 97 insertions(+), 5 deletions(-) create mode 100644 apt/files/pub_evolix.asc diff --git a/CHANGELOG.md b/CHANGELOG.md index 024c0c50..ca6f8701 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -34,6 +34,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * webapps/nextcloud : Change default data directory to be outside web root * webapps/nextcloud : Small enhancement on the vhost template to lock out data dir * yarn: update apt key +* apt: Use pub.evolix.org instead of pub.evolix.net' ### Fixed diff --git a/apt/files/pub_evolix.asc b/apt/files/pub_evolix.asc new file mode 100644 index 00000000..4a21bdfe --- /dev/null +++ b/apt/files/pub_evolix.asc 
@@ -0,0 +1,87 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBGOsRdcBEADDPJ8Tsqr5Z4crmQlNQM32hfufe7gTUrXo0cAL8clt92y1QX3N +YyMv0Re4+Ugo7JZd4jsF2Q1twJMxsX5rA12xDnHHcZRSc/E0DIYvPnfLzEHkwseN +OK4f9lI+xo06k+B3KQQKMeI/RjVaN6AiSply9ZGaZVeGGqd4es4PsU1VQMTWdclV +Bn54HBWUnL5dPStPMnNkt0bMQYIqc5733Yby3qMiUKcql2bl9TYBw8SaJXvClsLw +ERqit6FjljUOEeWtB4WZFpjhc/aqcxGcUTPHRrNTlNF0HCvk8JicEu4/lr99pwy7 +7z6SRql++WGMSG06E4MBtUt+wWAmDDHNj3fdZPnoCaDFp7vxy/FEARB2aygTtu11 +mLk4XOKheqU/WibWxoXRzyUCuclJ247Fh+YPxkYVG1dnDwpWGbYuRmzUapGLv4ma +dnKsQN0KhXzUqkSoybBgV208dGOP7BqdY6TVnyU0v/7XDeUqFEwnllRKMSYLilV3 +huTifiCFTK45HACM/x2yckx8dyAuYg6cJaAR1yn1iaTexoyYPG9ZFifvMB6ranEm +vkmQq1e8/7xiNSQsh5F3Ybl5hh4GVLwsR6esfZsHG0Ve+CitsmcZgWnr0JJ2PZOk ++XHxMwo7Gb0/KVH9XGeoXk+eiNNW/kdcgBMkGkU3nWooVHDm7Dy54I5CzQARAQAB +tC9Fdm9saXggUHVibGljIFJlcG9zaXRvcnkgPGVxdWlwZStwdWJAZXZvbGl4LmZy +PokCVAQTAQoAPhYhBP+vfRvzUK1F+rMpCUaPWta4YwY9BQJjrEXXAhsDBQkHhM4A +BQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEEaPWta4YwY9V6oP/iYfZceiA1Sy +x9t/7CL3EReuvpdZtZYf2KklBfxEFtzkERV/KKMMpf8mKoGD6BA+ryUc7b4a8npq +yvKbSKDHGZW6gAbq8hneW71vRuNfPNqtfO98JbJO694nqX9sIYU2xQn0UIh0G6N7 +D2bOcaicn8AgV/8cQZfgN9yRM4VhCoWZwhLqgROUqMYfDn3szamfkPcFiw10ToVt +c2PIFdqj2soKO9OrF5Ct/pztSGy1f+orDFiJ0AtRlqqRk9z18VB893qspfyd6y9N +q7IrQbYsiP+D8DcXYWZA1KURsI4LVQwsudNXokvGkYdnZitVgXI2lIaY7odDou5F +btZsCIEa45m7Vmvu0Wvtu/90EFbu9iwbOVrNpC7lLnfJpDObVXMiY1r0rQVuweEZ +ZbBcv1NUa3R0SPsPLPKf7L6dCx8gCpZjDVJLsgBeeSEV7XFQiYDbl8THasNTKCOa +C6v4h00mg0H6GhZvGMx+lcx8TzW6l3XXRoptHl4vkdE5usLFjy8/JWG3yJ7e2W3D +jVbPQ0UKJAnkGn1t+UJB1GP9O4annks0nPfcomjZzaDweIL8zSLPy5R9DGNgYLjp +5h/baLoNAOkaKssZrusq/P+BM2tdr3i/N6TK+dbrffz3hNgzSFFYVg51DspV7XWo +JKGqhqCgQpkms+NPJiKr4NDs6DdXn0IKuQINBGOsRdcBEAC9i5qcrYLTfeGrWPo3 +Zok3jikNk181HC3HR7Wu8a5whCe/88GgJDY00sU2zZEF9hN/4Vtqq9FICVXUcs+F +5j+Gcb/sqAgwXuwk8LKuhbtR2cnz6I0GCsqNPuj+5uM7MXQlVWeIN5Z6zA/Jw++o +aENZHO6cnuep2KDNPUZzjmTHAa4+qXRL5cRXEOmMB1vtA8mm/43c7wicJ7MrZpba +mqzmiQPsQ2qfmCABfx8BwBgXCVON4sgtzCa+rYOPScsDtv0pv6uG+h/GJp4MdKBp 
+g3BfShQEAmOwwy3Pt2vo9Rw2s0uJJ9AM2O6tJ3x93YkUP5qj3Etr/eTcgVUiVvSs +h2Rrz2FLen3GMAcqUUDPViCy9nEWRAo7iWQgAKgr8WjeGerOmtsYPyjIQE47eX5M +Gomx0LVCGigYfkSAFIYzm5I+depmn1qTUyizfklvPr0bA/8Cs4zbqx6Pf6Rk5wvb +sJ4envk3dzQRNTH1Vt7Yoktyx1+VX0HFVEaPTQ3JlFORaHYwQQ97LaOZ0VmztE0A +5+CIFFdqp/0H7zGPol+LsPgqnzZZEQ2XFYPOy7/gB17zI2eWNWPAQmOdrUM/v12A +etnLEthZyALcjjBpJEVIHFnuaabYp+mdotycjDkBNSh+P+8H/UsMSrNVhheKQLB8 +smzwFcSrAcnQbtiCjFWANTWyKQARAQABiQI8BBgBCgAmFiEE/699G/NQrUX6sykJ +Ro9a1rhjBj0FAmOsRdcCGwwFCQeEzgAACgkQRo9a1rhjBj0FZw//fNhJdx55ACvX +mpa8wz6eZOvzhr5GWSW5/Qie9nRjInPPI3bJ/jU0S/4ENqFBD9RSvY5F+0xCU67F +V2R3a3FFcB81HLIcUrkN0GH6fLcex0Js+grq/U117e2umdfGMKQG0UFJ+XonhtlT +foBcBjXPFr2NUaJB2SPo/RPQ3U+N3wMSm0ZbB/Xvxi5qMEb971dfObvsXTkQZvn7 +b0TvccfHhyzs2IM8pZO3PamTwA5e16/2QqisRX4CeL0a/q3Yxfw4R8RPCrz/l0k5 +FPdbdXaQuk5s+CiV+Nse7yFGoEoSlLpJM2BpueBsIg92joyOstZRm+tuCb5QefWI +7yFPfJU6xG1CMDqIGjXNU1tzSIoReGUBCNrE9UgzBQPPVD0jNM1WdW6HWSVR7jBb ++dvAeJNzQjJYlvKLQ383mAiVcwmCWBUp+R/kBPlLMGEpLlspti5fkmEc8xvtCaHc +fCLVWd0r2lUFUz+W53r8IXaRcxLtFinz7SHZPrlhaVwErdtlo+5X3kq39Mc4KCmF +bevT+qxlgzHXof+WGTYoc9IHkhDrvZ/TWeAUnBPvVn88dsBRtOC9f5wSCK4r9SfR +Dnf0lAsLWMpNtt812W8sA82RGXRUBwonZKa7YoGNKSa2vPJcUgmpIiHNtoLWpNa+ +7pYGN7bV51zyQ1ERaLU5TBC9sPE70p25Ag0EY6xJaQEQAKsxFCb4Vxe8VuUEAKp/ +RSRNGX/v9KqXVwbnf3kTYq9FMoplZBeqj4LQ22BqRzZ74ywoyfvHHtvkAtCbmrlc +8iLQEmicLug3Ibk97qm1lvvHnK9fqFOWh+Tx/omlaiSzEfAFbLEjNcplmq1ooqmX +fkI9zcefLZHtUFx6Clw3rwp79d/V5XJDM+2jwB47HfIhrW6jEubUuaXIHNR/GSSd +gTYuw55g9K97LhONX6ZvSBhjp4pOeUUbtFuG1fRkjPiObsB54fJ2R32yfm4jV53/ +YgG/Ih/o97tKV+ishQIrr85SB3XiLFlGhQuu/0a/+/vfGVTbJOzrQrE+OCWt9Xm1 +4b91MiVSSzXy6TGzPvpNXYR2PQZzVwvz7UctCikaE4gGB0lSH0LemDD0LZIZUwBL +1G9mlwFTkMYK0+iMyHFOKeAlUnSSpO6hFYr4GHOxAMGTjHqqEJZ3lBi9SBPc7AEK +3NcEp4etuiLOeaSBtqmUs+y7g8yMTrnyWPVxa0l5q4OUitbb2qvWYbaD3O22xYyj +9BlqzpG9uO6/d8HefDK8XMNCHlmwFoJj3HJlHJg7oN029vYsXEwBIhFyolAPzIvB +jpLKcebq9DJSObs1nHjAyVUpL4ZzRmujFcJYDYSixiqaWc/1aGTgUZQ/JDXcODiC +LgFu1vLTRf6hwKSb/vnZP5OtABEBAAGJBHIEGAEKACYWIQT/r30b81CtRfqzKQlG 
+j1rWuGMGPQUCY6xJaQIbAgUJA8JnAAJACRBGj1rWuGMGPcF0IAQZAQoAHRYhBA7H +BbTwXPF0hLMgRYefxhvnjx3ABQJjrElpAAoJEIefxhvnjx3ANpUQAIFLkLcx2z3M +jV0SgoAYertib9T/OOy/rsfeQjE6DFk6IArrHolZPA9g/PpTPuRwK165n5xw483q +BMyssUT9IK7SZxt0gbKpvZ0HFSCwSp5wdSJZymwB4AOcgRBU5rwC/9fFxYihgIym +Ig7TH9aWW4hDbEuGJDrKbhK+DpIL7lK3A5WUZk9ltGOpCcFctV3YnVgbMIwX5gO6 +lZ5Zi6NHJEB3HauVZJ59NIPJ/f0xe5GMte/LXckyijs9ei4WOFOjstiW64EWkOBH +El0tj+LUxLznCP2szdXjkDN1P6/NDrY1Nid6/ECOfkh4xO/VHhkdSRAlhdP9FHiV +sy3KUUoPH5B805z1MyOI7UYUD/8CK0juIXcbw7isbVUmLf/VV8jEDmq3WWDj8YZp +IStn2AvQeo3VWGWUfkf3v7UthKandIUTIGc5isD+i6KvzzbggyyZWNtvb3/1wMrz +DUKGlFi/IjMhhElJ0oF3YGsBwz2V2UKP7pPIYo+f5zthc7SbmO9yxAQebEOc3prM +G/Br8JOZ90w1dy6CeIYxkM4YEhhG1K8CzD3ZTTI7vh8mwRc92A6HI2NFyxeYJCr0 +IsUcFQpCyXMtcLRN75DGLIjIKdYrYJuwSiUgcH5FtgkuxMYfJEX9UX8rV7HAxUvs +UdIyHLl7k+khGlZa0/W6uCioFNiygnBEp7oP/iSj4Q2Xh5yKI6Jjw/IsfRcsiaac +lHc7uF0caYGMkqRNHiX17d5EtaidTbiqQii1W9slSPXmUuUcKfD1xUfLng7TbZVm +AdEbpHCT+q037cGCYFpHPMvw3OYhhGzYeh3+1oN9t3ZvyGlvAhkrtssDQB+gxX8r +adCpihziFLjm+6IvCLYHEh3gILVFbbhdYDDUduFFjf/snlJW7j8OVc7Cxa7FbPdf +SHLT9VESzf7oiwkP5/ijGmHiEQoJd9EWYkGGz+LZAXemBwe5ZnPPWVZvDEQRMe8v +2V8pa37vyReaK//O8xxGg3NzGTn9otwVr/4Ti9OxrSzmDWpd967oZ42IZSeSY2bz +kOaV8z4C8AIgIA7vWOS83Hncbrgf2nMCXmRjf0KTMm1P7Z0BQDWpxK9lP0nRpVAg +2T3/OjJ9KcAsTz02NFC3/kOUz//NcfDP747HsQB0sltIty140B7CfcWk0a0eKSad +OxGUehskjyKhO6v3dYF+8oR9p98Q8/Rh8r7evYy2mfhgJd7a9Cchn7612Y6k1SLf +nmPGYu3s0lf/k6GoHLfXXQIJDgWeua4ZBr6cgpGONLSvWBeCVaqnk8nhbNIiSBHk +jnrcX8xAtoPLgqg0+yi7rZ3NAauZcQE6UaNB+xjJxDOIpgVLUWtFyAG4MDeIh6GH +oA9QflpnDubMnCve +=ZCml +-----END PGP PUBLIC KEY BLOCK----- diff --git a/apt/tasks/evolix_public.yml b/apt/tasks/evolix_public.yml index 21062a32..8c4d5216 100644 --- a/apt/tasks/evolix_public.yml +++ b/apt/tasks/evolix_public.yml @@ -18,8 +18,8 @@ - name: Add Evolix GPG key copy: - src: reg.asc - dest: "{{ apt_keyring_dir }}/reg.asc" + src: pub_evolix.asc + dest: "{{ apt_keyring_dir }}/pub_evolix.asc" force: yes mode: "0644" owner: root 
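Review bot: `pub_evolix.asc` introduces a new APT trust anchor, but neither the commit message nor the `Add Evolix GPG key` task records the key's fingerprint, so a reviewer cannot check the blob out of band against what Evolix publishes. Add it as a comment above the task, e.g. `# fingerprint: <value printed by gpg --show-keys apt/files/pub_evolix.asc>`, and mention it in the changelog entry. The old `reg.asc` keyring is no longer deployed, yet nothing visible removes it from `{{ apt_keyring_dir }}` on existing hosts; the `evolix_public.yml` hunk appears to be cut at the end of this chunk, so a removal task may exist outside the visible part.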
diff --git a/apt/tasks/hold_packages.yml b/apt/tasks/hold_packages.yml index 691f3763..1db3429e 100644 --- a/apt/tasks/hold_packages.yml +++ b/apt/tasks/hold_packages.yml @@ -1,5 +1,8 @@ --- +- include_role: + name: evolix/remount-usr + - name: "hold packages (apt)" shell: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) || apt-mark hold {{ item }})" args: diff --git a/apt/tasks/move-apt-keyring.yml b/apt/tasks/move-apt-keyring.yml index cf74c53e..5fd8e162 100644 --- a/apt/tasks/move-apt-keyring.yml +++ b/apt/tasks/move-apt-keyring.yml @@ -19,6 +19,7 @@ command: "/root/move-apt-keyrings.sh \"{{ item.repository_pattern }}\" \"{{ item.key }}\"" loop: - { repository_pattern: "http://pub.evolix.net/", key: "reg.asc" } + - { repository_pattern: "http://pub.evolix.org/evolix", key: "pub_evolix.asc" } - { repository_pattern: "https://artifacts.elastic.co/packages/[^/]+/apt", key: "elastics.asc" } - { repository_pattern: "https://download.docker.com/linux/debian", key: "docker-debian.asc" } - { repository_pattern: "https://downloads.linux.hpe.com/SDR/repo/mcp", key: "hpePublicKey2048_key1.asc" } diff --git a/apt/templates/evolix_public.list.j2 b/apt/templates/evolix_public.list.j2 index e0bc0de7..278b9378 100644 --- a/apt/templates/evolix_public.list.j2 +++ b/apt/templates/evolix_public.list.j2 @@ -1,7 +1,7 @@ # {{ ansible_managed }} {% if ansible_distribution_release == "bookworm" %} -deb [signed-by={{ apt_keyring_dir }}/reg.asc] http://pub.evolix.net/ bullseye/ +deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix bullseye main {% else %} -deb [signed-by={{ apt_keyring_dir }}/reg.asc] http://pub.evolix.net/ {{ ansible_distribution_release }}/ -{% endif %} \ No newline at end of file +deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix {{ ansible_distribution_release }} main +{% endif %} -- 2.39.2 
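Review bot: The new `include_role: evolix/remount-usr` at the top of `hold_packages.yml` has no comment explaining why `/usr` must be writable for `apt-mark hold`, whose state lives under `/var/lib/apt`, so the next reader is likely to remove it as unnecessary. Add a one-line comment with the actual reason, e.g. `# apt-mark needs a writable /usr on read-only hosts — confirm which path it touches`, or drop the include if it turns out not to be needed.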
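Review bot: `evolix_public.list.j2` now points at `http://pub.evolix.org/evolix`, still over plain HTTP; `signed-by` protects package integrity, but the index fetch stays observable and replayable within the `Valid-Until` window, and since the URL is being changed anyway this is the moment to switch to `https://` if the mirror serves it (to be confirmed). The bookworm branch also keeps deploying the `bullseye main` suite, which predates this change but deserves a comment such as `{# no bookworm suite published yet, fall back to bullseye #}` so it is not mistaken for a typo.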
From d366683acc7e69c698d2ec4832d56462403d9270 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 28 Feb 2023 10:12:35 +0100 Subject: [PATCH 361/497] bind: jinja syntax --- bind/templates/apparmor.usr.sbin.named.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bind/templates/apparmor.usr.sbin.named.j2 b/bind/templates/apparmor.usr.sbin.named.j2 index 1f61f325..d9f0be04 100644 --- a/bind/templates/apparmor.usr.sbin.named.j2 +++ b/bind/templates/apparmor.usr.sbin.named.j2 @@ -56,9 +56,9 @@ # some people like to put logs in /var/log/named/ instead of having # syslog do the heavy lifting. {{ bind_log_file }} rw, - {% if bind_query_file_enabled | bool %} +{% if bind_query_file_enabled | bool %} {{ bind_query_file }} rw, - {% endif %} +{% endif %} # gssapi /var/lib/sss/pubconf/krb5.include.d/** r, -- 2.39.2 From e896459d060e6489b84e1470de41b4e2a2ce8bdc Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Tue, 28 Feb 2023 15:24:01 +0100 Subject: [PATCH 362/497] varnish: add variable varnish_update_config to disable configuration update --- CHANGELOG.md | 1 + varnish/defaults/main.yml | 1 + varnish/tasks/main.yml | 1 + 3 files changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ca6f8701..62732fdd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -21,6 +21,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * postfix: Add task for enable mailgraph on packmail * apache: add tash for enable mailgraph on default vhost and index.html * php: add variables php_version when sury is activated for each Debian version +* varnish: add variable varnish_update_config to disable configuration update ### Changed diff --git a/varnish/defaults/main.yml b/varnish/defaults/main.yml index acc9b114..ec8a251e 100644 --- a/varnish/defaults/main.yml +++ b/varnish/defaults/main.yml 
@@ -17,6 +17,7 @@ varnish_jail: "unix,user=vcache" varnish_additional_options: "" varnish_config_file: /etc/varnish/default.vcl +varnish_update_config: True varnish_secret_file: /etc/varnish/secret varnish_tmp_dir: /var/tmp-vcache \ No newline at end of file diff --git a/varnish/tasks/main.yml b/varnish/tasks/main.yml index 7af86b72..cca302bb 100644 --- a/varnish/tasks/main.yml +++ b/varnish/tasks/main.yml @@ -137,6 +137,7 @@ dest: "{{ varnish_config_file }}" mode: "0644" force: yes + when: "{{ varnish_update_config }}" loop: "{{ query('first_found', templates) }}" vars: templates: -- 2.39.2 From 19e6d01a3408acada9e54ea9e070e6966fc0a287 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Wed, 1 Mar 2023 09:58:24 +0100 Subject: [PATCH 363/497] evocheck: upstream release 23.03 --- evocheck/files/evocheck.cf | 2 -- evocheck/files/evocheck.jessie.sh | 2 +- evocheck/files/evocheck.sh | 60 ++++++++++++++++++++++++++----- evocheck/files/evocheck.wheezy.sh | 2 +- 4 files changed, 53 insertions(+), 13 deletions(-) diff --git a/evocheck/files/evocheck.cf b/evocheck/files/evocheck.cf index 9eca204e..983363f9 100644 --- a/evocheck/files/evocheck.cf +++ b/evocheck/files/evocheck.cf @@ -1,5 +1,3 @@ -# Managed by Ansible -# # Configuration for evocheck # Use this file to change configuration values defined in evocheck.sh # Ex : IS_TMP_1777=0 diff --git a/evocheck/files/evocheck.jessie.sh b/evocheck/files/evocheck.jessie.sh index d6cd62e1..10334a30 100755 --- a/evocheck/files/evocheck.jessie.sh +++ b/evocheck/files/evocheck.jessie.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="23.02" +VERSION="<23.03>" readonly VERSION # base functions diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index 32cf0098..03f41fcf 100755 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh 
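Review bot: `when: "{{ varnish_update_config }}"` on the template task wraps the condition in Jinja delimiters, which Ansible warns about on every run (conditionals are already templated) and which recent ansible-core releases are moving toward rejecting; it only works here because the rendered string is templated a second time. Write it as `when: varnish_update_config | bool`, matching the `| bool` convention used elsewhere in this series. The task name is outside the hunk.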
@@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="23.02" +VERSION="<23.03>" readonly VERSION # base functions @@ -100,6 +100,17 @@ is_installed(){ # logging +log() { + date=$(/bin/date +"${DATE_FORMAT}") + if [ "${1}" != '' ]; then + printf "[%s] %s: %s\\n" "$date" "${PROGNAME}" "${1}" >> "${LOGFILE}" + else + while read line; do + printf "[%s] %s: %s\\n" "$date" "${PROGNAME}" "${line}" >> "${LOGFILE}" + done < /dev/stdin + fi +} + failed() { check_name=$1 shift @@ -113,6 +124,9 @@ failed() { printf "%s FAILED!\n" "${check_name}" >> "${main_output_file}" fi fi + + # Always log verbose + log "${check_name} FAILED! ${check_comments}" } # check functions @@ -134,7 +148,7 @@ check_dpkgwarning() { # Check if localhost, localhost.localdomain and localhost.$mydomain are set in Postfix mydestination option. check_localhost_in_postfix_mydestination() { # shellcheck disable=SC2016 - if ! grep mydestination /etc/postfix/main.cf | grep --extended-regexp 'localhost[^\\.]' | grep 'localhost.localdomain' | grep 'localhost.$mydomain'; then + if ! grep mydestination /etc/postfix/main.cf | grep --quiet --extended-regexp '(localhost[^\\.]|localhost.localdomain|localhost.$mydomain)'; then failed "IS_LOCALHOST_IN_POSTFIX_MYDESTINATION" "'localhost' and/or 'localhost.localdomain' and/or 'localhost.\$mydomain' are missing in Postfix mydestination option. Consider adding then." fi } @@ -1221,7 +1235,7 @@ check_lxc_php_fpm_service_umask_set() { service="${container:0:4}.${container:4}-fpm" fi umask=$(lxc-attach --name "${container}" -- systemctl show -p UMask "$service" | cut -d "=" -f2) - if ! [ "$umask" != "0007" ]; then + if [ "$umask" != "0007" ]; then missing_umask="${missing_umask} ${container}" fi done @@ -1489,9 +1503,12 @@ main() { exit ${RC} } -cleanup_temp_files() { +cleanup() { + # Cleanup tmp files # shellcheck disable=SC2086,SC2317 rm -f ${files_to_cleanup[@]} + + log "$PROGNAME exit." } PROGNAME=$(basename "$0") 
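Review bot: In the new `log()` function the `while read line` loop has no `-r` and no `IFS=`, so backslashes in piped configuration lines are interpreted and surrounding whitespace is trimmed before they reach the log; use `while IFS= read -r line; do`. `date` is assigned as a global inside the function and would shadow any later variable of that name; the script already relies on bash (`declare -a`), so `local date` is available. `/var/log/evocheck.log` is appended to on every run with no size bound, so a logrotate snippet (outside this hunk) is worth adding.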
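Review bot: The rewritten `check_localhost_in_postfix_mydestination` turns a conjunction into a disjunction: the old pipeline required `localhost`, `localhost.localdomain` and `localhost.$mydomain` all to be present, while the new alternation `(localhost[^\\.]|localhost.localdomain|localhost.$mydomain)` passes as soon as any one of them matches, so the check no longer detects the missing entries its failure message describes. Keep the three tests but make them quiet, for example by grepping the mydestination line once and testing each value against it.
```sh
check_localhost_in_postfix_mydestination() {
    mydestination=$(grep mydestination /etc/postfix/main.cf)
    # shellcheck disable=SC2016
    if ! { printf '%s\n' "${mydestination}" | grep --quiet --extended-regexp 'localhost[^\\.]' \
        && printf '%s\n' "${mydestination}" | grep --quiet 'localhost.localdomain' \
        && printf '%s\n' "${mydestination}" | grep --quiet 'localhost.$mydomain'; }; then
        # … unchanged: failed "IS_LOCALHOST_IN_POSTFIX_MYDESTINATION" … …
    fi
}
```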
@@ -1502,17 +1519,23 @@ readonly PROGNAME ARGS=$@ readonly ARGS +LOGFILE="/var/log/evocheck.log" +readonly LOGFILE + +CONFIGFILE="/etc/evocheck.cf" +readonly CONFIGFILE + +DATE_FORMAT="%Y-%m-%d %H:%M:%S" +# shellcheck disable=SC2034 +readonly DATEFORMAT + # Disable LANG* export LANG=C export LANGUAGE=C -declare -a files_to_cleanup -# shellcheck disable=SC2064 -trap cleanup_temp_files 0 - # Source configuration file # shellcheck disable=SC1091 -test -f /etc/evocheck.cf && . /etc/evocheck.cf +test -f "${CONFIGFILE}" && . "${CONFIGFILE}" # Parse options # based on https://gist.github.com/deshion/10d3cb5f88a21671e17a @@ -1560,5 +1583,24 @@ while :; do shift done +# Keep this after "show_version(); exit 0" which is called by check_versions +# to avoid logging exit twice. +declare -a files_to_cleanup +files_to_cleanup="" +# shellcheck disable=SC2064 +trap cleanup EXIT INT TERM + +log '-----------------------------------------------' +log "Running $PROGNAME $VERSION..." + +# Log config file content +if [ -f "${CONFIGFILE}" ]; then + log "Runtime configuration (${CONFIGFILE}):" + sed -e '/^[[:blank:]]*#/d; s/#.*//; /^[[:blank:]]*$/d' "${CONFIGFILE}" | log +fi + # shellcheck disable=SC2086 main ${ARGS} + +log "End of $PROGNAME execution." + diff --git a/evocheck/files/evocheck.wheezy.sh b/evocheck/files/evocheck.wheezy.sh index 4b0dcf3d..cc76f613 100755 --- a/evocheck/files/evocheck.wheezy.sh +++ b/evocheck/files/evocheck.wheezy.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="23.02" +VERSION="<23.03>" readonly VERSION # base functions -- 2.39.2 From e3e589d13242532d4f18e092e1c35f23addace63 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Wed, 1 Mar 2023 10:08:57 +0100 Subject: [PATCH 364/497] evocheck: upstream release 23.03.01 --- evocheck/files/evocheck.jessie.sh | 2 +- evocheck/files/evocheck.sh | 2 +- evocheck/files/evocheck.wheezy.sh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) 
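Review bot: `readonly DATEFORMAT` in the new constants block marks a variable that does not exist, while `DATE_FORMAT`, the one `log()` reads, stays writable; the `# shellcheck disable=SC2034` above it hides exactly the warning that would have caught this. It should read `readonly DATE_FORMAT`, after which the shellcheck disable can go.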
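Review bot: `trap cleanup EXIT INT TERM` replaces the previous EXIT-only trap, but `cleanup` does not exit, so on INT/TERM bash runs it and then continues the script, and runs it again from the EXIT trap: the temp files are removed while `main` may still use them and "exit." is logged twice. Either keep `trap cleanup EXIT` only, or make the signal case terminate: `trap 'cleanup; exit 130' INT TERM`. Also `files_to_cleanup=""` right after `declare -a files_to_cleanup` stores an empty string in element 0 instead of leaving the array empty; `files_to_cleanup=()` is what was meant.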
diff --git a/evocheck/files/evocheck.jessie.sh b/evocheck/files/evocheck.jessie.sh index 10334a30..5d1a186e 100755 --- a/evocheck/files/evocheck.jessie.sh +++ b/evocheck/files/evocheck.jessie.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="<23.03>" +VERSION="23.03.01" readonly VERSION # base functions diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index 03f41fcf..647192cc 100755 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="<23.03>" +VERSION="23.03.01" readonly VERSION # base functions diff --git a/evocheck/files/evocheck.wheezy.sh b/evocheck/files/evocheck.wheezy.sh index cc76f613..cd038268 100755 --- a/evocheck/files/evocheck.wheezy.sh +++ b/evocheck/files/evocheck.wheezy.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="<23.03>" +VERSION="23.03.01" readonly VERSION # base functions -- 2.39.2 From d9c5563fd61fb9b48ac8fed7e4c28929b51c6ed9 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Wed, 1 Mar 2023 14:35:51 +0100 Subject: [PATCH 365/497] postfix: remove unused "aliases_scope=sub" from virtual_aliases.cf (it generated warnings) --- CHANGELOG.md | 1 + postfix/templates/virtual_aliases.cf.j2 | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 62732fdd..5d500223 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -48,6 +48,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * clamav: set `MaxConnectionQueueLength` to its default value (200), custom (15) was way too small and caused recurrent connections fail in Postfix. * postfix (packmail only): disable `concurrency_failed_cohort_limit` for destination smtp-amavis to prevent the suspension of this destination when Amavis fails to answer. Indeed, we configure the suspension delay quite long in `minimal_backoff_time` (2h) and `maximal_backoff_time` (6h) to reduce the risk of ban from external SMTPs. * php: install using sury repositories on bullseye +* postfix: remove unused "aliases_scope=sub" from virtual_aliases.cf (it generated warnings) ### Removed diff --git a/postfix/templates/virtual_aliases.cf.j2 b/postfix/templates/virtual_aliases.cf.j2 index 1a6e5f9c..97f4baf3 100644 --- a/postfix/templates/virtual_aliases.cf.j2 +++ b/postfix/templates/virtual_aliases.cf.j2 @@ -2,4 +2,3 @@ search_base = {{ ldap_suffix }} query_filter = (&(mailacceptinggeneralid=%u@%d)(isActive=TRUE)) result_attribute = maildrop version = 3 -aliases_scope = sub -- 2.39.2 From cc7c2a7d4ecace0e0fb217c59b9fdb590bd4785d Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Wed, 1 Mar 2023 17:22:36 +0100 Subject: [PATCH 366/497] userlogrotate: fix bug introduced in commit 2e54944a246 (rotated files were not zipped) --- CHANGELOG.md | 1 + userlogrotate/files/userlogrotate | 4 ++-- userlogrotate/files/userlogrotate_jessie | 19 ++++++++++++++++++- 3 files changed, 21 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5d500223..9bf75f8d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -49,6 +49,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * postfix (packmail only): disable `concurrency_failed_cohort_limit` for destination smtp-amavis to prevent the suspension of this destination when Amavis fails to answer. Indeed, we configure the suspension delay quite long in `minimal_backoff_time` (2h) and `maximal_backoff_time` (6h) to reduce the risk of ban from external SMTPs. * php: install using sury repositories on bullseye * postfix: remove unused "aliases_scope=sub" from virtual_aliases.cf (it generated warnings) +* userlogrotate: fix bug introduced in commit 2e54944a246 (rotated files were not zipped) ### Removed diff --git a/userlogrotate/files/userlogrotate b/userlogrotate/files/userlogrotate index 7ed42668..2c9d6c8b 100644 --- a/userlogrotate/files/userlogrotate +++ b/userlogrotate/files/userlogrotate @@ -39,13 +39,13 @@ test -x /usr/sbin/nginx && invoke-rc.d nginx rotate >/dev/null 2>&1 # Else, an error is raised (gzip file size changed while zipping) # and logs written during the zipping process might be lost. -for log in access.log access-*.log error.log; do +for log in access.log*[!\.gz] access-*.log*[!\.gz] error.log*[!\.gz]; do for i in `ls -1 -d $HOMEPREFIX/*/log/$log 2>/dev/null | grep -v \.bak\.`; do gzip $i done done -for log in production.log delayed_job.log development.log test.log; do +for log in production.log*[!\.gz] delayed_job.log*[!\.gz] development.log*[!\.gz] test.log*[!\.gz]; do for i in `ls -1 -d $HOMEPREFIX/*/www/{,current/}log/$log 2>/dev/null | grep -v \.bak\.`; do gzip $i done diff --git a/userlogrotate/files/userlogrotate_jessie b/userlogrotate/files/userlogrotate_jessie index 339101a9..b13d7465 100644 --- a/userlogrotate/files/userlogrotate_jessie +++ b/userlogrotate/files/userlogrotate_jessie @@ -5,7 +5,6 @@ HOMEPREFIX="/home" rotate () { mv $1 $1.$DATE - gzip $1.$DATE touch $1 chown $2 $1 chmod g+r $1 
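Review bot: The new globs such as `access.log*[!\.gz]` in userlogrotate read as "not ending in .gz", but a bracket expression matches a single character, so the pattern only skips names whose last character is `.`, `g` or `z`; it works here because rotated names end in a date digit, and that assumption deserves a comment, or a `grep -v '\.gz$'` on the `ls` output to make the intent explicit. The `for i in $(ls …)` loop also word-splits and re-globs each entry, and the entries come from user-writable `$HOMEPREFIX/*/log` directories, so a name containing whitespace reaches `gzip` as several arguments; iterating the glob directly (`for i in $HOMEPREFIX/*/log/$log; do [ -e "$i" ] || continue; …`) with a `case "$i" in *.bak.*) continue;; esac` filter avoids that. The same loops are added to userlogrotate_jessie in the next hunk.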
@@ -36,3 +35,21 @@ for log in production.log delayed_job.log development.log test.log; do done apache2ctl restart > /dev/null + +# Zipping is done after web server reload, so that the file descriptor is released. +# Else, an error is raised (gzip file size changed while zipping) +# and logs written during the zipping process might be lost. + +for log in access.log*[!\.gz] access-*.log*[!\.gz] error.log*[!\.gz]; do + for i in `ls -1 -d $HOMEPREFIX/*/log/$log 2>/dev/null | grep -v \.bak\.`; do + gzip $i + done +done + +for log in production.log*[!\.gz] delayed_job.log*[!\.gz] development.log*[!\.gz] test.log*[!\.gz]; do + for i in `ls -1 -d $HOMEPREFIX/*/www/{,current/}log/$log 2>/dev/null | grep -v \.bak\.`; do + gzip $i + done +done + + -- 2.39.2 From 7ec58bf1441da08929d07b1203dccaabb28aded7 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Wed, 1 Mar 2023 17:50:58 +0100 Subject: [PATCH 367/497] userlogrotate: skip zipping if .gz log already exists (prevents interactive question) --- CHANGELOG.md | 1 + userlogrotate/files/userlogrotate | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9bf75f8d..68995591 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -50,6 +50,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * php: install using sury repositories on bullseye * postfix: remove unused "aliases_scope=sub" from virtual_aliases.cf (it generated warnings) * userlogrotate: fix bug introduced in commit 2e54944a246 (rotated files were not zipped) +* userlogrotate: skip zipping if .gz log already exists (prevents interactive question) ### Removed diff --git a/userlogrotate/files/userlogrotate b/userlogrotate/files/userlogrotate index 2c9d6c8b..b91051fd 100644 --- a/userlogrotate/files/userlogrotate +++ b/userlogrotate/files/userlogrotate 
@@ -41,13 +41,13 @@ test -x /usr/sbin/nginx && invoke-rc.d nginx rotate >/dev/null 2>&1 for log in access.log*[!\.gz] access-*.log*[!\.gz] error.log*[!\.gz]; do for i in `ls -1 -d $HOMEPREFIX/*/log/$log 2>/dev/null | grep -v \.bak\.`; do - gzip $i + test -f "$i" || gzip "$i" done done for log in production.log*[!\.gz] delayed_job.log*[!\.gz] development.log*[!\.gz] test.log*[!\.gz]; do for i in `ls -1 -d $HOMEPREFIX/*/www/{,current/}log/$log 2>/dev/null | grep -v \.bak\.`; do - gzip $i + test -f "$i" || gzip "$i" done done -- 2.39.2 From 4d3f92df236c4610fff3c67f9255ca92c0b53cc6 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Thu, 2 Mar 2023 17:50:17 +0100 Subject: [PATCH 368/497] postfix: avoid Amavis transport to be considered dead when restarted. --- CHANGELOG.md | 1 + postfix/templates/packmail_main.cf.j2 | 2 ++ 2 files changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 68995591..3c3fdcdf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -51,6 +51,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * postfix: remove unused "aliases_scope=sub" from virtual_aliases.cf (it generated warnings) * userlogrotate: fix bug introduced in commit 2e54944a246 (rotated files were not zipped) * userlogrotate: skip zipping if .gz log already exists (prevents interactive question) +* postfix: avoid Amavis transport to be considered dead when restarted. ### Removed diff --git a/postfix/templates/packmail_main.cf.j2 b/postfix/templates/packmail_main.cf.j2 index df45da05..b803389e 100644 --- a/postfix/templates/packmail_main.cf.j2 +++ b/postfix/templates/packmail_main.cf.j2 @@ -415,6 +415,7 @@ content_filter = smtp-amavis:[127.0.0.1]:10024 smtp-amavis_destination_concurrency_failed_cohort_limit = 0 smtpd_milters = inet:[127.0.0.1]:8891 non_smtpd_milters = inet:[127.0.0.1]:8891 +smtp-amavis_destination_concurrency_failed_cohort_limit = 0 {% if postfix_slow_transport_include == True %} # Slow transports configuration 
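Review bot: The added `smtp-amavis_destination_concurrency_failed_cohort_limit = 0` in packmail_main.cf.j2 duplicates the identical setting three lines above in this hunk's context, so the rendered main.cf does not change and postconf will warn about the overridden earlier entry. If the earlier line was not taking effect, the cause is more likely the transport name in master.cf not matching the `smtp-amavis_` prefix than the line's position; otherwise the new line can be dropped.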
@@ -431,3 +432,4 @@ slow_destination_concurrency_failed_cohort_limit = 100 slow_destination_recipient_limit = 25 transport_maps = hash:$config_directory/transport {% endif %} + -- 2.39.2 From af569f8c26014ff4e83f6ba7ad3b5dab1786dff4 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Fri, 3 Mar 2023 14:39:16 +0100 Subject: [PATCH 369/497] userlogrotate: set rotate date format in right order (YYYY-MM-DD)! --- CHANGELOG.md | 1 + userlogrotate/files/userlogrotate | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3c3fdcdf..cf777e17 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -36,6 +36,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * webapps/nextcloud : Small enhancement on the vhost template to lock out data dir * yarn: update apt key * apt: Use pub.evolix.org instead of pub.evolix.net' +* userlogrotate: set rotate date format in right order (YYYY-MM-DD)! ### Fixed diff --git a/userlogrotate/files/userlogrotate b/userlogrotate/files/userlogrotate index b91051fd..a801c5ad 100644 --- a/userlogrotate/files/userlogrotate +++ b/userlogrotate/files/userlogrotate @@ -1,6 +1,6 @@ #!/bin/bash -DATE=`/bin/date +"%d-%m-%Y"` +DATE=`/bin/date +"%Y-%m-%d"` HOMEPREFIX="/home" rotate () { -- 2.39.2 From 4759ed645c52c0860c3f7fe9d89f653081a54aaa Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Wed, 8 Mar 2023 11:09:36 +0100 Subject: [PATCH 370/497] lxc: copy /etc/profile.d/evolinux.sh from host into container (P10001) --- CHANGELOG.md | 1 + lxc/tasks/create-container.yml | 12 ++++++++++++ 2 files changed, 13 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index cf777e17..90c2edc3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -22,6 +22,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * apache: add tash for enable mailgraph on default vhost and index.html * php: add variables php_version when sury is activated for each Debian version * varnish: add variable varnish_update_config to disable configuration update +* lxc: copy /etc/profile.d/evolinux.sh from host into container ### Changed diff --git a/lxc/tasks/create-container.yml b/lxc/tasks/create-container.yml index ad4f35d6..eb4ecd3b 100644 --- a/lxc/tasks/create-container.yml +++ b/lxc/tasks/create-container.yml @@ -56,3 +56,15 @@ lxc_container: name: "{{ name }}" state: started + +- name: "Ensure /etc/profile.d exists in container" + ansible.builtin.file: + path: "/var/lib/lxc/{{ name }}/rootfs/etc/profile.d" + mode: '0755' + state: directory + +- name: "Copy host /etc/profile.d/evolinux into container" + ansible.builtin.copy: + src: "/etc/profile.d/evolinux.sh" + remote_src: true + dest: "/var/lib/lxc/{{ name }}/rootfs/etc/profile.d/evolinux.sh" -- 2.39.2 From 8b26f2f491eb5a5c9f0b21fea9451ea3f0c9bfad Mon Sep 17 00:00:00 2001 From: Alexis Ben Miloud--Josselin Date: Fri, 10 Mar 2023 10:06:43 +0100 Subject: [PATCH 371/497] =?UTF-8?q?kvmstats:=20d=C3=A9sobfusquer=20convers?= =?UTF-8?q?ion=20vers=20html?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- kvm-host/files/kvmstats.sh | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/kvm-host/files/kvmstats.sh b/kvm-host/files/kvmstats.sh index 0dcfb4e8..852e77d4 100755 --- a/kvm-host/files/kvmstats.sh +++ b/kvm-host/files/kvmstats.sh @@ -72,7 +72,19 @@ main() { column -t ;; 'html') - awk 'BEGIN{print "\n"}{printf "";for(i=1;i<=NF;i++)printf "", $i;print ""}END{print "
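Review bot: The new "Copy host /etc/profile.d/evolinux into container" task sets neither `mode` nor `owner`, so the file written into the container rootfs gets whatever the copy module derives from the umask, unlike the directory task just above it which pins `0755`; add `mode: '0644'` (and `owner: root`, `group: root` if host root is the intended owner, which for an unprivileged container's id mapping is worth confirming). The task also fails the whole container creation when the host has no /etc/profile.d/evolinux.sh; a `stat` on the source with a `when:` on its result keeps the role usable on such hosts.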
    %s
    \n"}' + awk ' +BEGIN { + print "\n" +} +{ + printf "" + for(i = 1; i <= NF; i++) + printf "", $i + print "" +} +END { + print "
    %s
    \n" +}' ;; 'csv') tr ' ' ',' -- 2.39.2 From 058753bcfead78f7a29b73029ccf9764b6b06f42 Mon Sep 17 00:00:00 2001 From: Alexis Ben Miloud--Josselin Date: Fri, 10 Mar 2023 10:07:00 +0100 Subject: [PATCH 372/497] =?UTF-8?q?kvmstats:=20Utiliser=20domstats=20pour?= =?UTF-8?q?=20r=C3=A9cup=C3=A9rer=20infos?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Remplacer les multiples commandes virsh par une seule commande virsh domstats. La sortie est filtrée par une commande awk. Certains hyperviseurs ne savent pas lister les informations d’un volume RBD (Ceph) avec domblkinfo. Il semble que domstats fonctionne mieux pour ça et peut donner toutes les informations de toute façon. --- kvm-host/files/kvmstats.sh | 47 +++++++++++++++++++++++--------------- 1 file changed, 28 insertions(+), 19 deletions(-) diff --git a/kvm-host/files/kvmstats.sh b/kvm-host/files/kvmstats.sh index 852e77d4..0258b322 100755 --- a/kvm-host/files/kvmstats.sh +++ b/kvm-host/files/kvmstats.sh 
@@ -42,25 +42,34 @@ error () { main() { for VM in $(virsh list --name --all | sed '/^$/d' | sort) do - echo "$VM" - - # cpu - virsh vcpucount --current "$VM" - - # mem - # libvirt stores memory in KiB, POW must be lowered by 1 - virsh dommemstat "$VM" 2>/dev/null | awk 'BEGIN{ret=1}$1~/^actual$/{print $2 / '$((POW / 1024))';ret=0}END{exit ret}' || - virsh dumpxml "$VM" | awk -F'[<>]' '$2~/^memory unit/{print $3/'$((POW / 1024))'}' - - # disk - for BLK in $(virsh domblklist "$VM" | sed '1,2d;/-$/d;/^$/d' | awk '{print $1}') - do - virsh domblkinfo "$VM" "$BLK" 2>/dev/null - done | awk '/Physical:/ { size += $2 } END { print int(size / '${POW}') }' - - # state - virsh domstate "$VM" | grep -q '^running$' && echo yes || echo no - done | xargs -n5 | { + printf '%s ' "${VM}" + virsh domstats "${VM}" | awk ' +BEGIN { + FS = "=" +} +/vcpu\.current/ { + vcpu = $2 +} +/balloon\.current/ { + mem = $2 +} +/balloon\.maximum/ { + if (!mem) + mem = $2 +} +/block\.[0-9]+\.physical/ { + disksize += $2 +} +/state\.state/ { + if ($2 == 1) + running = "yes" + else + running = "no" +} +END { + print vcpu, mem / 1024 ^ 2, disksize / 1024 ^ 3, running +}' + done | { echo vm vcpu ram disk running awk '{ print } /yes$/ { vcpu += $2; ram += $3; disk += $4; running++ } END { print "TOTAL(running)", vcpu, ram, disk, running }' test "$SHOW_AVAIL" && { -- 2.39.2 From fc95f57711e9d8db81a9406e994e52a66487269a Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Thu, 9 Mar 2023 16:33:01 +0100 Subject: [PATCH 373/497] elasticsearch: Disable GC rotation for JDK 8 --- CHANGELOG.md | 1 + elasticsearch/tasks/configuration.yml | 16 ++++++++++++++-- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 90c2edc3..70fc3f4a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
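Review bot: The new awk block divides by the literals `1024 ^ 2` and `1024 ^ 3`, while the removed code scaled memory and disk with `$POW`; unless `POW` is no longer settable (its definition is outside the hunk), the unit the script let the user choose is now silently ignored and the `ram`/`disk` columns are always in the same unit. Passing it in with `awk -v pow="$POW" '…'` and using `mem / (pow / 1024)` and `disksize / pow` restores the previous behaviour. For a domain that is not running, `virsh domstats` may not emit `vcpu.current` or `balloon.*` at all, in which case `print vcpu, …` emits an empty first field and the row has one column fewer than the header; initialising `vcpu = 0; mem = 0` in `BEGIN` keeps the table aligned.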
@@ -54,6 +54,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * userlogrotate: fix bug introduced in commit 2e54944a246 (rotated files were not zipped) * userlogrotate: skip zipping if .gz log already exists (prevents interactive question) * postfix: avoid Amavis transport to be considered dead when restarted. +* elasticsearch: Disable GC rotation for JDK 8 (priorly done only for >= 9) ### Removed diff --git a/elasticsearch/tasks/configuration.yml b/elasticsearch/tasks/configuration.yml index c4a5916a..77e90b09 100644 --- a/elasticsearch/tasks/configuration.yml +++ b/elasticsearch/tasks/configuration.yml @@ -118,11 +118,23 @@ tags: - config -- name: Garbage collector logs rotation by the JVM is disabled +- name: Garbage collector logs rotation by the JVM is disabled (JDK >= 9) lineinfile: dest: /etc/elasticsearch/jvm.options.d/evolinux.options regexp: "^-Xlog:gc" - line: "-Xlog:gc*,gc+age=trace,safepoint:file=/var/log/elasticsearch/gc.log:utctime,pid,tags:filecount=0" + line: "9-:-Xlog:gc*,gc+age=trace,safepoint:file=/var/log/elasticsearch/gc.log:utctime,pid,tags:filecount=0" + create: yes + owner: root + group: elasticsearch + mode: "0640" + tags: + - config + +- name: Garbage collector logs rotation by the JVM is disabled (JDK == 8) + lineinfile: + dest: /etc/elasticsearch/jvm.options.d/evolinux.options + regexp: "^-Xlog:gc" + line: "8:-XX:GCLogFileSize=0" create: yes owner: root group: elasticsearch -- 2.39.2 From 3f353ad072210baefd9e69c0b323b85833e77c51 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Fri, 10 Mar 2023 10:29:55 +0100 Subject: [PATCH 374/497] elasticsearch: disable GC logging --- CHANGELOG.md | 3 +-- elasticsearch/tasks/configuration.yml | 21 ++++----------------- elasticsearch/tasks/logs.yml | 8 -------- elasticsearch/templates/logrotate.j2 | 12 ------------ 4 files changed, 5 insertions(+), 39 deletions(-) delete mode 100644 elasticsearch/templates/logrotate.j2 
diff --git a/CHANGELOG.md b/CHANGELOG.md index 70fc3f4a..7bd46d2d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -38,12 +38,12 @@ The **patch** part changes is incremented if multiple releases happen the same m * yarn: update apt key * apt: Use pub.evolix.org instead of pub.evolix.net' * userlogrotate: set rotate date format in right order (YYYY-MM-DD)! +* elasticsearch: Disable garabge collector logging (JDK >= 9) ### Fixed * Proper jinja spacing * evolinux-base: ensure dbus is started and enabled (not by default in the case of an offline netinst) -* elasticsearch : use logrotate for garbage collector logs instead of breaking compression cron * docker-host: fix type in daemon.json and remove host configuration that is already in the systemd service by default * haproxy: fix missing admin ACL in stats module access permissions * openvpn: fix the client cipher configuration to match the server cipher configuration @@ -54,7 +54,6 @@ The **patch** part changes is incremented if multiple releases happen the same m * userlogrotate: fix bug introduced in commit 2e54944a246 (rotated files were not zipped) * userlogrotate: skip zipping if .gz log already exists (prevents interactive question) * postfix: avoid Amavis transport to be considered dead when restarted. -* elasticsearch: Disable GC rotation for JDK 8 (priorly done only for >= 9) ### Removed diff --git a/elasticsearch/tasks/configuration.yml b/elasticsearch/tasks/configuration.yml index 77e90b09..7324f610 100644 --- a/elasticsearch/tasks/configuration.yml +++ b/elasticsearch/tasks/configuration.yml 
@@ -118,24 +118,11 @@ tags: - config -- name: Garbage collector logs rotation by the JVM is disabled (JDK >= 9) +- name: Disable garbage collector logs (JDK >= 9) lineinfile: - dest: /etc/elasticsearch/jvm.options.d/evolinux.options - regexp: "^-Xlog:gc" - line: "9-:-Xlog:gc*,gc+age=trace,safepoint:file=/var/log/elasticsearch/gc.log:utctime,pid,tags:filecount=0" - create: yes - owner: root - group: elasticsearch - mode: "0640" - tags: - - config - -- name: Garbage collector logs rotation by the JVM is disabled (JDK == 8) - lineinfile: - dest: /etc/elasticsearch/jvm.options.d/evolinux.options - regexp: "^-Xlog:gc" - line: "8:-XX:GCLogFileSize=0" - create: yes + dest: /etc/elasticsearch/jvm.options + regexp: "Xlog:gc" + line: "#9-:-Xlog:gc*,gc+age=trace,safepoint:file=/opt/my-app/gc.log:utctime,pid,tags:filecount=32,filesize=64m" owner: root group: elasticsearch mode: "0640" diff --git a/elasticsearch/tasks/logs.yml b/elasticsearch/tasks/logs.yml index 018a0201..8c5977a4 100644 --- a/elasticsearch/tasks/logs.yml +++ b/elasticsearch/tasks/logs.yml @@ -18,11 +18,3 @@ mode: "0750" when: is_cron_installed.rc == 0 -- name: "Setup logrotate for JVM garbage collector" - template: - src: logrotate.j2 - dest: /etc/logrotate/elasticsearch - owner: root - group: root - mode: "0750" - when: is_cron_installed.rc == 0 diff --git a/elasticsearch/templates/logrotate.j2 b/elasticsearch/templates/logrotate.j2 deleted file mode 100644 index 1e78ddec..00000000 --- a/elasticsearch/templates/logrotate.j2 +++ /dev/null @@ -1,12 +0,0 @@ -/var/log/elasticsearch/gc.log { - su elasticsearch elasticsearch - daily - rotate {{ elasticsearch_log_rotate_days }} - compress - nodelaycompress - missingok - copytruncate - dateext - dateformat .%Y-%m-%d -} - -- 2.39.2 From d64193287d656b24100bee1d2b4a3bca40d83b43 Mon Sep 17 00:00:00 2001 
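Review bot: The rewritten "Disable garbage collector logs (JDK >= 9)" task now edits `/etc/elasticsearch/jvm.options`, the package-owned conffile, instead of the `jvm.options.d/evolinux.options` drop-in the role used before; package upgrades will then prompt about or overwrite the modified file, whereas a drop-in that overrides the setting (e.g. a `9-:-Xlog:disable` line) survives them. The replacement `line` also carries `file=/opt/my-app/gc.log`, which looks like the example path from the Elasticsearch documentation rather than anything this role deploys — inert while commented out, but misleading to the next reader; keeping the stock path or dropping the file part would avoid that.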
From: Jeremy Lecour Date: Thu, 9 Mar 2023 14:37:42 +0100 Subject: [PATCH 375/497] postgresql: configure max_connections --- CHANGELOG.md | 1 + postgresql/defaults/main.yml | 1 + postgresql/templates/postgresql.conf.j2 | 3 +++ 3 files changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7bd46d2d..75912dbb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,6 +19,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * php: add a way to choose which version to install using sury repository * userlogrotate: create role separated from packweb-apache * postfix: Add task for enable mailgraph on packmail +* postgresql: configure max_connections * apache: add tash for enable mailgraph on default vhost and index.html * php: add variables php_version when sury is activated for each Debian version * varnish: add variable varnish_update_config to disable configuration update diff --git a/postgresql/defaults/main.yml b/postgresql/defaults/main.yml index ffc3007c..634ea4f1 100644 --- a/postgresql/defaults/main.yml +++ b/postgresql/defaults/main.yml @@ -7,6 +7,7 @@ postgresql_shared_buffers: "{{ (ansible_memtotal_mb * 0.25) | int }}MB" postgresql_work_mem: 8MB postgresql_random_page_cost: 1.5 postgresql_effective_cache_size: "{{ (ansible_memtotal_mb * 0.5) | int }}MB" +postgresql_max_connections: None # Binding postgresql_listen_addresses: diff --git a/postgresql/templates/postgresql.conf.j2 b/postgresql/templates/postgresql.conf.j2 index 48551f4d..2f39937f 100644 --- a/postgresql/templates/postgresql.conf.j2 +++ b/postgresql/templates/postgresql.conf.j2 @@ -9,6 +9,9 @@ checkpoint_segments = 30 {% else %} max_wal_size = 15GB {% endif %} +{% if postgresql_max_connections and postgresql_max_connections | int > 0 %} +max_connections = {{ postgresql_max_connections }} +{% endif %} checkpoint_completion_target = 0.9 random_page_cost = {{ postgresql_random_page_cost }} -- 2.39.2 
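Review bot: `postgresql_max_connections: None` in postgresql/defaults/main.yml is the YAML string "None", not a null: the template's guard only skips the setting because `"None" | int` falls back to 0, and any other template or `when:` that tests the variable directly will see it as set. Use a real null (`postgresql_max_connections: null`) so `{% if postgresql_max_connections and postgresql_max_connections | int > 0 %}` tests what it appears to test; the `| int > 0` half then still rejects junk strings cleanly.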
From b57fd16ee6b8fff7478a45c315d610ac130de137 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 12 Mar 2023 10:34:03 +0100 Subject: [PATCH 376/497] listupgrade: upstream release 23.03 --- CHANGELOG.md | 1 + listupgrade/files/listupgrade.sh | 23 +++++++++++++++++------ 2 files changed, 18 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 75912dbb..94b9d45e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -31,6 +31,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * Removed all "warn: False" args in command, shell and other modules as it's been deprecated and will give a hard fail in ansible-core 2.14.0. * bind: refactor role * evolinux-users: Update sudoers template to remove commands allowed without password +* listupgrade: upstream release 23.03 * nagios-nrpe : Rewrite check_vrrpd for a better check (check rp_filter, vrrpd and uvrrpd compatible, use arguments, …) * openvpn: Change check_openvpn destination file to comply with recent EvoBSD change * postfix: come back to default value of `notify_classes` for pack mails. diff --git a/listupgrade/files/listupgrade.sh b/listupgrade/files/listupgrade.sh index 3e1baa39..b3d281ec 100644 --- a/listupgrade/files/listupgrade.sh +++ b/listupgrade/files/listupgrade.sh @@ -9,13 +9,13 @@ # - 60 : current release is not in the $r_releases list # - 70 : at least an upgradable package is not in the $r_packages list -VERSION="21.06.3" +VERSION="23.03" show_version() { cat <, +Copyright 2018-2023 Evolix , Gregory Colpart , Romain Dessort , Ludovic Poujol , @@ -84,6 +84,7 @@ Subject: Prochain creneau pour mise a jour de votre serveur ${hostname} X-Debian-Release: ${local_release} X-Packages: ${packagesParsable} X-Date: ${date} +X-Listupgrade-Version: ${VERSION} Bonjour, 
@@ -100,15 +101,15 @@ semaine prochaine. Voici la listes de packages qui seront mis à jour : -$(cat "${packages}" | sort | uniq) +$(cat "${packages}") Liste des packages dont la mise-à-jour a été manuellement suspendue : -$(cat "${packagesHold}" | sort | uniq) +$(cat "${packagesHold}") Liste des services qui seront redémarrés : -$(cat "${servicesToRestart}" | sort | uniq) +$(cat "${servicesToRestart}") N'hésitez pas à nous faire toute remarque sur ce créneau d'intervention le plus tôt possible. @@ -181,6 +182,16 @@ main() { fi local_release=$(cut -f 1 -d . >"${servicesToRestart}" elif echo "${pkg}" | grep -q "^mariadb-server"; then echo "MariaDB" >>"${servicesToRestart}" - elif echo "${pkg}" | grep -qE "^postgresql-[[:digit:]]+(\.[[:digit:]]+)?$"; then + elif echo "${pkg}" | grep -qE "^postgresql-[[:digit:]]+\.[[:digit:]]+$"; then echo "PostgreSQL" >>"${servicesToRestart}" elif echo "${pkg}" | grep -qE "^tomcat[[:digit:]]+$"; then echo "Tomcat" >>"${servicesToRestart}" -- 2.39.2 From b4a63d3d55c8d737090d564adb28dc5a623daf00 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 12 Mar 2023 11:12:52 +0100 Subject: [PATCH 377/497] listupgrade: upstream release 23.03.1 --- CHANGELOG.md | 2 +- listupgrade/files/listupgrade.sh | 26 +++++++++++++++++++------- 2 files changed, 20 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 94b9d45e..23b98520 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
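Review bot: The changed line `grep -qE "^postgresql-[[:digit:]]+\.[[:digit:]]+$"` drops the optional minor-version group, so it only matches the pre-10 naming (`postgresql-9.6`) and no longer recognises current Debian packages such as `postgresql-13` or `postgresql-15`; PostgreSQL then disappears from the "services qui seront redémarrés" list on those hosts. If the removal was not deliberate, the previous `^postgresql-[[:digit:]]+(\.[[:digit:]]+)?$` should be kept. The enclosing `main` starts outside this hunk and part of the hunk text appears garbled in this rendering, so the exact context is worth rechecking in the file.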
@@ -31,7 +31,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * Removed all "warn: False" args in command, shell and other modules as it's been deprecated and will give a hard fail in ansible-core 2.14.0. * bind: refactor role * evolinux-users: Update sudoers template to remove commands allowed without password -* listupgrade: upstream release 23.03 +* listupgrade: upstream release 23.03.1 * nagios-nrpe : Rewrite check_vrrpd for a better check (check rp_filter, vrrpd and uvrrpd compatible, use arguments, …) * openvpn: Change check_openvpn destination file to comply with recent EvoBSD change * postfix: come back to default value of `notify_classes` for pack mails. diff --git a/listupgrade/files/listupgrade.sh b/listupgrade/files/listupgrade.sh index b3d281ec..b98d28ed 100644 --- a/listupgrade/files/listupgrade.sh +++ b/listupgrade/files/listupgrade.sh @@ -9,7 +9,7 @@ # - 60 : current release is not in the $r_releases list # - 70 : at least an upgradable package is not in the $r_packages list -VERSION="23.03" +VERSION="23.03.1" show_version() { cat < Date: Mon, 13 Mar 2023 10:15:01 +0100 Subject: [PATCH 378/497] userlogrotate: Corriger condition compression --- userlogrotate/files/userlogrotate | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/userlogrotate/files/userlogrotate b/userlogrotate/files/userlogrotate index a801c5ad..94430e6e 100644 --- a/userlogrotate/files/userlogrotate +++ b/userlogrotate/files/userlogrotate 
@@ -41,13 +41,17 @@ test -x /usr/sbin/nginx && invoke-rc.d nginx rotate >/dev/null 2>&1 for log in access.log*[!\.gz] access-*.log*[!\.gz] error.log*[!\.gz]; do for i in `ls -1 -d $HOMEPREFIX/*/log/$log 2>/dev/null | grep -v \.bak\.`; do - test -f "$i" || gzip "$i" + if test -f "$i"; then + gzip "$i" + fi done done for log in production.log*[!\.gz] delayed_job.log*[!\.gz] development.log*[!\.gz] test.log*[!\.gz]; do for i in `ls -1 -d $HOMEPREFIX/*/www/{,current/}log/$log 2>/dev/null | grep -v \.bak\.`; do - test -f "$i" || gzip "$i" + if test -f "$i"; then + gzip "$i" + fi done done -- 2.39.2 From b0d0a7422a3b7e3662ec8e7343737e643ded5965 Mon Sep 17 00:00:00 2001 From: Alexis Ben Miloud--Josselin Date: Mon, 13 Mar 2023 10:21:42 +0100 Subject: [PATCH 379/497] =?UTF-8?q?userlogrotate:=20Remplacer=20=C2=AB``?= =?UTF-8?q?=C2=BB=20par=20=C2=AB$()=C2=BB?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- userlogrotate/files/userlogrotate | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/userlogrotate/files/userlogrotate b/userlogrotate/files/userlogrotate index 94430e6e..6d480f91 100644 --- a/userlogrotate/files/userlogrotate +++ b/userlogrotate/files/userlogrotate @@ -1,6 +1,6 @@ #!/bin/bash -DATE=`/bin/date +"%Y-%m-%d"` +DATE="$(/bin/date +"%Y-%m-%d")" HOMEPREFIX="/home" rotate () { 
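Review bot: `if test -f "$i"; then gzip "$i"; fi` is a no-op guard, since every `$i` comes from the `ls` listing one line above and therefore exists; the check described by the previous commit's message — skip when the `.gz` is already there — is still missing, and `gzip` on a name whose `.gz` exists either prompts on a tty or exits non-zero with "already exists; not overwritten". The condition should look at the archive: `if test -f "$i" && ! test -e "$i.gz"; then`. The same guard is added to userlogrotate_jessie in commit 380 at the end of this series.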
@@ -11,20 +11,20 @@ rotate () { } user_for() { - homedir=`echo $1 | sed "s#\($HOMEPREFIX/\([^/]\+\)\).*#\1#"` + homedir="$(echo $1 | sed "s#\($HOMEPREFIX/\([^/]\+\)\).*#\1#")" stat -L -c '%G' $homedir } for log in access.log access-*.log error.log; do - for i in `ls -1 -d $HOMEPREFIX/*/log/$log 2>/dev/null | grep -v \.bak\.`; do - USER=`user_for $i` + for i in $(ls -1 -d $HOMEPREFIX/*/log/$log 2>/dev/null | grep -v \.bak\.); do + USER="$(user_for $i)" rotate $i root:$USER done done for log in production.log delayed_job.log development.log test.log; do - for i in `ls -1 -d $HOMEPREFIX/*/www/{,current/}log/$log 2>/dev/null | grep -v \.bak\.`; do - USER=`user_for $i` + for i in $(ls -1 -d $HOMEPREFIX/*/www/{,current/}log/$log 2>/dev/null | grep -v \.bak\.); do + USER="$(user_for $i)" rotate $i $USER:$USER done done @@ -40,7 +40,7 @@ test -x /usr/sbin/nginx && invoke-rc.d nginx rotate >/dev/null 2>&1 # and logs written during the zipping process might be lost. for log in access.log*[!\.gz] access-*.log*[!\.gz] error.log*[!\.gz]; do - for i in `ls -1 -d $HOMEPREFIX/*/log/$log 2>/dev/null | grep -v \.bak\.`; do + for i in $(ls -1 -d $HOMEPREFIX/*/log/$log 2>/dev/null | grep -v \.bak\.); do if test -f "$i"; then gzip "$i" fi @@ -48,7 +48,7 @@ for log in access.log*[!\.gz] access-*.log*[!\.gz] error.log*[!\.gz]; do done for log in production.log*[!\.gz] delayed_job.log*[!\.gz] development.log*[!\.gz] test.log*[!\.gz]; do - for i in `ls -1 -d $HOMEPREFIX/*/www/{,current/}log/$log 2>/dev/null | grep -v \.bak\.`; do + for i in $(ls -1 -d $HOMEPREFIX/*/www/{,current/}log/$log 2>/dev/null | grep -v \.bak\.); do if test -f "$i"; then gzip "$i" fi -- 2.39.2 From 03cd4758111d9d48a140d3bfadf2a5fa32290760 Mon Sep 17 00:00:00 2001 From: Alexis Ben Miloud--Josselin Date: Mon, 13 Mar 2023 10:22:53 +0100 Subject: [PATCH 380/497] userlogrotate_jessie: Corriger condition compression --- userlogrotate/files/userlogrotate_jessie | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) 
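Review bot: `USER="$(user_for $i)"` in both rotation loops stores a group name (`stat -L -c '%G'`) in `USER`, the conventional login-name variable, which misleads readers of `rotate $i root:$USER` and, if `USER` is exported in the calling environment, changes what child processes see; a local name such as `log_group` says what it holds. In `user_for`, `$1` and `$homedir` are still unquoted after the `$()` change, so the quoting is only half done: `homedir="$(echo "$1" | sed …)"` and `stat -L -c '%G' "$homedir"`. The `rotate` function this feeds starts outside the hunk.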
diff --git a/userlogrotate/files/userlogrotate_jessie b/userlogrotate/files/userlogrotate_jessie index b13d7465..347736fc 100644 --- a/userlogrotate/files/userlogrotate_jessie +++ b/userlogrotate/files/userlogrotate_jessie @@ -42,13 +42,17 @@ apache2ctl restart > /dev/null for log in access.log*[!\.gz] access-*.log*[!\.gz] error.log*[!\.gz]; do for i in `ls -1 -d $HOMEPREFIX/*/log/$log 2>/dev/null | grep -v \.bak\.`; do - gzip $i + if test -f "$i"; then + gzip "$i" + fi done done for log in production.log*[!\.gz] delayed_job.log*[!\.gz] development.log*[!\.gz] test.log*[!\.gz]; do for i in `ls -1 -d $HOMEPREFIX/*/www/{,current/}log/$log 2>/dev/null | grep -v \.bak\.`; do - gzip $i + if test -f "$i"; then + gzip "$i" + fi done done -- 2.39.2 From 12a0d8d57ecdf72e87e4b73e7bca6ef025500719 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Mon, 13 Mar 2023 11:18:29 +0100 Subject: [PATCH 381/497] Use HTTP for our new repository --- apt/tasks/move-apt-keyring.yml | 1 + apt/templates/evolix_public.list.j2 | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/apt/tasks/move-apt-keyring.yml b/apt/tasks/move-apt-keyring.yml index 5fd8e162..ade3d190 100644 --- a/apt/tasks/move-apt-keyring.yml +++ b/apt/tasks/move-apt-keyring.yml @@ -20,6 +20,7 @@ loop: - { repository_pattern: "http://pub.evolix.net/", key: "reg.asc" } - { repository_pattern: "http://pub.evolix.org/evolix", key: "pub_evolix.asc" } + - { repository_pattern: "https://pub.evolix.org/evolix", key: "pub_evolix.asc" } - { repository_pattern: "https://artifacts.elastic.co/packages/[^/]+/apt", key: "elastics.asc" } - { repository_pattern: "https://download.docker.com/linux/debian", key: "docker-debian.asc" } - { repository_pattern: "https://downloads.linux.hpe.com/SDR/repo/mcp", key: "hpePublicKey2048_key1.asc" } diff --git a/apt/templates/evolix_public.list.j2 b/apt/templates/evolix_public.list.j2 index 278b9378..c0ea0eee 100644 --- a/apt/templates/evolix_public.list.j2 
+++ b/apt/templates/evolix_public.list.j2 @@ -1,7 +1,7 @@ # {{ ansible_managed }} {% if ansible_distribution_release == "bookworm" %} -deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix bullseye main +deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] https://pub.evolix.org/evolix bullseye main {% else %} -deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix {{ ansible_distribution_release }} main +deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] https://pub.evolix.org/evolix {{ ansible_distribution_release }} main {% endif %} -- 2.39.2 From 015a1bfec7d4144e86468d6361db56d28fdd840b Mon Sep 17 00:00:00 2001 From: David Prevot Date: Mon, 13 Mar 2023 11:57:44 +0100 Subject: [PATCH 382/497] Revert "Use HTTPS for our new repository" It errors out if ca-certificates is not yet installed This reverts commit 12a0d8d57ecdf72e87e4b73e7bca6ef025500719. --- apt/templates/evolix_public.list.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apt/templates/evolix_public.list.j2 b/apt/templates/evolix_public.list.j2 index c0ea0eee..278b9378 100644 --- a/apt/templates/evolix_public.list.j2 +++ b/apt/templates/evolix_public.list.j2 @@ -1,7 +1,7 @@ # {{ ansible_managed }} {% if ansible_distribution_release == "bookworm" %} -deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] https://pub.evolix.org/evolix bullseye main +deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix bullseye main {% else %} -deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] https://pub.evolix.org/evolix {{ ansible_distribution_release }} main +deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix {{ ansible_distribution_release }} main {% endif %} -- 2.39.2 From 419071f470cac1f36e6ea5076855974760e610b1 Mon Sep 17 00:00:00 2001 
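Review bot: The reason `http://` is kept lives only in the commit message (HTTPS fails before `ca-certificates` is installed), so the next reader of the template will be tempted to flip it back; a comment next to the value, where the file already carries `# {{ ansible_managed }}`, would prevent that: `# http:// on purpose: https:// breaks before ca-certificates is installed; integrity relies on the signed-by keyring`. Recording it in the template also makes explicit that the transport is plaintext and the only integrity guarantee is the `pub_evolix.asc` signature check.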
From: William Hirigoyen Date: Mon, 13 Mar 2023 15:09:41 +0100 Subject: [PATCH 383/497] php: fix error introduced in 33503e4538 (False evaluated as a string instead of boolean) --- CHANGELOG.md | 1 + php/tasks/main_bullseye.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 23b98520..baafd147 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -52,6 +52,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * clamav: set `MaxConnectionQueueLength` to its default value (200), custom (15) was way too small and caused recurrent connections fail in Postfix. * postfix (packmail only): disable `concurrency_failed_cohort_limit` for destination smtp-amavis to prevent the suspension of this destination when Amavis fails to answer. Indeed, we configure the suspension delay quite long in `minimal_backoff_time` (2h) and `maximal_backoff_time` (6h) to reduce the risk of ban from external SMTPs. * php: install using sury repositories on bullseye +* php: fix error introduced in 33503e4538 (False evaluated as a string instead of boolean) * postfix: remove unused "aliases_scope=sub" from virtual_aliases.cf (it generated warnings) * userlogrotate: fix bug introduced in commit 2e54944a246 (rotated files were not zipped) * userlogrotate: skip zipping if .gz log already exists (prevents interactive question) diff --git a/php/tasks/main_bullseye.yml b/php/tasks/main_bullseye.yml index d577ea5b..4cb185b7 100644 --- a/php/tasks/main_bullseye.yml +++ b/php/tasks/main_bullseye.yml @@ -4,7 +4,7 @@ set_fact: php_version: "7.4" when: - - php_sury_enable == 'False' + - php_sury_enable == False check_mode: no - name: "Set variables (Debian 11)" -- 2.39.2 From c7940dc8c1b888017123731d0bba383fc77513cc Mon Sep 17 00:00:00 2001 From: David Prevot Date: Mon, 13 Mar 2023 15:12:37 +0100 Subject: [PATCH 384/497] CHANGELOG: tfix --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
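Review bot: `php_sury_enable == False` in the `when:` list only matches a genuine boolean; if the variable arrives as a string from inventory or `-e php_sury_enable=false`, the comparison is false and `php_version: "7.4"` is never set. The rest of the repository normalises such flags with the `bool` filter (for example `minifirewall_force_upgrade_script | bool` in the minifirewall tasks), so the consistent form is `- not (php_sury_enable | bool)`. Where `php_sury_enable` is defaulted is not visible here, so whether the string case occurs in practice is inferred.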
diff --git a/CHANGELOG.md b/CHANGELOG.md index baafd147..a105829b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -38,7 +38,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * webapps/nextcloud : Change default data directory to be outside web root * webapps/nextcloud : Small enhancement on the vhost template to lock out data dir * yarn: update apt key -* apt: Use pub.evolix.org instead of pub.evolix.net' +* apt: Use pub.evolix.org instead of pub.evolix.net * userlogrotate: set rotate date format in right order (YYYY-MM-DD)! * elasticsearch: Disable garabge collector logging (JDK >= 9) -- 2.39.2 From cc3fb051b00cc1161f2258fcc261c723ebbf1771 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Mon, 13 Mar 2023 16:34:59 +0100 Subject: [PATCH 385/497] Use our new repository for PHP --- lxc-php/tasks/php80.yml | 6 +++--- lxc-php/tasks/php81.yml | 6 +++--- php/tasks/sury_pre.yml | 10 +++++----- 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/lxc-php/tasks/php80.yml b/lxc-php/tasks/php80.yml index b0ff90fe..4e5ac498 100644 --- a/lxc-php/tasks/php80.yml +++ b/lxc-php/tasks/php80.yml @@ -20,12 +20,12 @@ mode: "0644" loop: - "deb [signed-by={{ apt_keyring_dir }}/sury.gpg] https://packages.sury.org/php/ bullseye main" - - "deb [signed-by={{ apt_keyring_dir }}/reg.asc] http://pub.evolix.net/ bullseye-php80/" + - "deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix bullseye-php80 main" - name: copy pub.evolix.net GPG key copy: - src: reg.asc - dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/reg.asc + src: pub_evolix.asc + dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/pub_evolix.asc mode: "0644" owner: root group: root diff --git a/lxc-php/tasks/php81.yml b/lxc-php/tasks/php81.yml index 91dc38e1..677fe14d 100644 --- a/lxc-php/tasks/php81.yml +++ b/lxc-php/tasks/php81.yml 
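Review bot: The task is still named `copy pub.evolix.net GPG key` although its `src` and `dest` now refer to `pub_evolix.asc` from pub.evolix.org; rename it `- name: copy pub.evolix.org GPG key`, as the `php/tasks/sury_pre.yml` hunk of this same commit already does. The `lxc-php/tasks/php81.yml` hunk carries the identical stale name. The previous `reg.asc` left under the container's keyring directory is no longer referenced by any `signed-by`, so it is inert, but a `file: state: absent` task for it would keep the keyring directory to the keys actually in use — whether anything else still relies on it is not visible here.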
@@ -20,12 +20,12 @@ mode: "0644" loop: - "deb [signed-by={{ apt_keyring_dir }}/sury.gpg] https://packages.sury.org/php/ bullseye main" - - "deb [signed-by={{ apt_keyring_dir }}/reg.asc] http://pub.evolix.net/ bullseye-php81/" + - "deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix bullseye-php81 main" - name: copy pub.evolix.net GPG key copy: - src: reg.asc - dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/reg.asc + src: pub_evolix.asc + dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/pub_evolix.asc mode: "0644" owner: root group: root diff --git a/php/tasks/sury_pre.yml b/php/tasks/sury_pre.yml index 9b8fc684..0d146555 100644 --- a/php/tasks/sury_pre.yml +++ b/php/tasks/sury_pre.yml @@ -8,10 +8,10 @@ owner: root group: root -- name: copy pub.evolix.net GPG key +- name: copy pub.evolix.org GPG key copy: - src: reg.asc - dest: "{{ apt_keyring_dir }}/reg.asc" + src: pub_evolix.asc + dest: "{{ apt_keyring_dir }}/pub_evolix.asc" mode: "0644" owner: root group: root @@ -28,9 +28,9 @@ when: - ansible_distribution_release != "bullseye" -- name: Setup pub.evolix.net repository - Add source list +- name: Setup pub.evolix.org repository - Add source list apt_repository: - repo: "deb [signed-by={{ apt_keyring_dir }}/reg.asc] http://pub.evolix.net/ {{ ansible_distribution_release }}-php81/" + repo: "deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix {{ ansible_distribution_release }}-php81 main" filename: evolix-php state: present when: -- 2.39.2 From a9ce436b3c501132c31f515a4b7944a9bc752e97 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Mon, 13 Mar 2023 17:25:29 +0100 Subject: [PATCH 386/497] listupgrade: tfix --- listupgrade/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/listupgrade/tasks/main.yml b/listupgrade/tasks/main.yml index fc02dfeb..2e38ef03 100644 --- a/listupgrade/tasks/main.yml +++ b/listupgrade/tasks/main.yml 
@@ -47,7 +47,7 @@ - name: Enable listupgrade cron cron: - name: "lisupgrade.sh" + name: "listupgrade.sh" cron_file: "listupgrade" user: root job: "/usr/share/scripts/listupgrade.sh --cron {{ listupgrade_cron_force | bool | ternary('--force','') }}" -- 2.39.2 From d6959c928749fc504b7c2d29149960708878f576 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Tue, 14 Mar 2023 13:28:36 +0100 Subject: [PATCH 387/497] Revert "Use bullseye suite even for bookworm" bookworm suite has been enabled on our new repository. This reverts commit 1fae737ac4ff0291c002395cfca4f2d9f7e85ba8. --- apt/templates/evolix_public.list.j2 | 4 ---- 1 file changed, 4 deletions(-) diff --git a/apt/templates/evolix_public.list.j2 b/apt/templates/evolix_public.list.j2 index 278b9378..e00899e7 100644 --- a/apt/templates/evolix_public.list.j2 +++ b/apt/templates/evolix_public.list.j2 @@ -1,7 +1,3 @@ # {{ ansible_managed }} -{% if ansible_distribution_release == "bookworm" %} -deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix bullseye main -{% else %} deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix {{ ansible_distribution_release }} main -{% endif %} -- 2.39.2 From 96a2bbecddc42544c1fcb90c2f6f3a90b9b9803c Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 15 Mar 2023 22:49:02 +0100 Subject: [PATCH 388/497] apt: move-apt-keyrings moved in /usr/share/scripts --- apt/files/move-apt-keyrings.sh | 2 +- apt/tasks/move-apt-keyring.yml | 18 ++++++++++++++++-- 2 files changed, 17 insertions(+), 3 deletions(-) diff --git a/apt/files/move-apt-keyrings.sh b/apt/files/move-apt-keyrings.sh index 3283c4ee..2d266412 100644 --- a/apt/files/move-apt-keyrings.sh +++ b/apt/files/move-apt-keyrings.sh 
@@ -7,7 +7,7 @@ repository_pattern=$1 key=$2 -found_files=$(grep --files-with-matches --recursive --extended-regexp "${repository_pattern}" "/etc/apt/sources.list.d/") +found_files=$(grep --files-with-matches --recursive --extended-regexp "${repository_pattern}" "/etc/apt/sources.list.d/*.list") old_key_file="/etc/apt/trusted.gpg.d/${key}" new_key_file="/etc/apt/keyrings/${key}" diff --git a/apt/tasks/move-apt-keyring.yml b/apt/tasks/move-apt-keyring.yml index ade3d190..4214d2d6 100644 --- a/apt/tasks/move-apt-keyring.yml +++ b/apt/tasks/move-apt-keyring.yml @@ -1,4 +1,5 @@ --- + - name: New APT keyrings directory is present file: path: /etc/apt/keyrings @@ -7,16 +8,29 @@ owner: root group: root +- include_role: + name: evolix/remount-usr + +- name: /usr/share/scripts exists + file: + dest: /usr/share/scripts + mode: "0700" + owner: root + group: root + state: directory + tags: + - apt + - name: migration script is present copy: src: move-apt-keyrings.sh - dest: /root/move-apt-keyrings.sh + dest: /usr/share/scripts/move-apt-keyrings.sh mode: "0755" owner: root group: root - name: Move repository signing key - command: "/root/move-apt-keyrings.sh \"{{ item.repository_pattern }}\" \"{{ item.key }}\"" + command: "/usr/share/scripts/move-apt-keyrings.sh \"{{ item.repository_pattern }}\" \"{{ item.key }}\"" loop: - { repository_pattern: "http://pub.evolix.net/", key: "reg.asc" } - { repository_pattern: "http://pub.evolix.org/evolix", key: "pub_evolix.asc" } -- 2.39.2 From fa1935e46cc291879a2fc4faac0841b3800effad Mon Sep 17 00:00:00 2001 
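Review bot: The new `"/etc/apt/sources.list.d/*.list"` argument is double-quoted, so the `*` is not expanded and grep is handed a literal path that does not exist; `found_files` ends up empty with a "No such file or directory" on stderr and no key is ever moved. Since `--recursive` is already given, restrict by name instead of by glob: `found_files=$(grep --files-with-matches --recursive --include='*.list' --extended-regexp "${repository_pattern}" /etc/apt/sources.list.d/)`. `${repository_pattern}` is interpreted as an extended regex, so the dots in the patterns passed from the playbook match any character; harmless for these fixed values, but worth a one-line comment above the assignment.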
From: Jeremy Lecour Date: Wed, 15 Mar 2023 22:50:00 +0100 Subject: [PATCH 389/497] apt: add tools to migrate sources to deb822 format --- CHANGELOG.md | 1 + apt/files/deb822-migration.py | 96 +++++++++++++++++++++++++++++++++ apt/files/deb822-migration.sh | 48 +++++++++++++++++ apt/tasks/migrate-to-deb822.yml | 31 +++++++++++ 4 files changed, 176 insertions(+) create mode 100644 apt/files/deb822-migration.py create mode 100644 apt/files/deb822-migration.sh create mode 100644 apt/tasks/migrate-to-deb822.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index a105829b..6a0fac26 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added * apt: add move-apt-keyrings script/tasks +* apt: add tools to migrate sources to deb822 format * nagios-nrpe: Print pool config path in check_phpfpm_multi output * nagios-nrpe: add tasks/files for a wrapper * fail2ban: add "Internal login failure" to Dovecot filter diff --git a/apt/files/deb822-migration.py b/apt/files/deb822-migration.py new file mode 100644 index 00000000..10ee47ae --- /dev/null +++ b/apt/files/deb822-migration.py 
@@ -0,0 +1,96 @@ +#!/bin/env python3 + +import re +import sys +import os + +if len(sys.argv) > 1: + src_file = sys.argv[1] +else: + print("You must provide a source file as first argument", file=sys.stderr) + sys.exit(1) + +if not os.access(src_file, os.R_OK): + print(src_file, "is not readable", file=sys.stderr) + sys.exit(2) + +pattern = re.compile('^(?Pdeb|deb-src) +(?P\[.+\] ?)*(?P\w+:\/\/\S+) +(?P\S+)(?: +(?P.*))?$') + +sources = {} + +def split_options(raw): + table = str.maketrans({ + "[": None, + "]": None + }) + options = raw.translate(table).split(' ') + + return options + +with open(src_file,'r') as file: + for line in file: + matches = re.match(pattern, line) + if matches is not None: + # print(matches.groupdict()) + uri = matches['uri'] + + options = {} + if matches.group('options'): + for option in split_options(matches['options']): + if "=" in option: + key, value = option.split("=") + options[key] = value + + if uri in sources: + sources[uri]["Types"].add(matches["type"]) + sources[uri]["URIs"] = matches["uri"] + sources[uri]["Suites"].add(matches["suite"]) + sources[uri]["Components"].update(matches["components"].split(' ')) + else: + source = { + "Types": {matches['type']}, + "URIs": matches['uri'], + "Enabled": "yes", + } + + if matches.group('suite'): + source["Suites"] = set(matches['suite'].split(' ')) + + if matches.group('components'): + source["Components"] = set(matches['components'].split(' ')) + + if "arch" in options: + if "Architectures" in source: + source["Architectures"].append(options["arch"]) + else: + source["Architectures"] = {options["arch"]} + + if "signed-by" in options: + if "Signed-by" in source: + source["Signed-by"].append(options["signed-by"]) + else: + source["Signed-by"] = {options["signed-by"]} + + if "lang" in options: + if "Languages" in source: + source["Languages"].append(options["lang"]) + else: + source["Languages"] = {options["lang"]} + + if "target" in options: + if "Targets" in source: + 
source["Targets"].append(options["target"]) + else: + source["Targets"] = {options["target"]} + + sources[uri] = source + +for i, (uri, source) in enumerate(sources.items()): + if i > 0: + print("") + for key, value in source.items(): + if isinstance(value, str): + print("{}: {}".format(key, value) ) + else: + print("{}: {}".format(key, ' '.join(value)) ) + i += 1 \ No newline at end of file diff --git a/apt/files/deb822-migration.sh b/apt/files/deb822-migration.sh new file mode 100644 index 00000000..cffa2f95 --- /dev/null +++ b/apt/files/deb822-migration.sh @@ -0,0 +1,48 @@ +#!/bin/sh + +deb822_migrate_script=$(command -v deb822-migration.py) + +if [ -z "${deb822_migrate_script}" ]; then + deb822_migrate_script="./deb822-migration.py" +fi +if [ ! -x "${deb822_migrate_script}" ]; then + >&2 echo "ERROR: '${deb822_migrate_script}' not found or not executable" + exit 1 +fi + +dest_dir="/etc/apt/sources.list.d" +rc=0 + +migrate_file() { + legacy_file=$1 + deb822_file=$2 + + if [ -f "${legacy_file}" ]; then + if [ -f "${deb822_file}" ]; then + >&2 echo "ERROR: '${deb822_file}' already exists" + rc=2 + else + ${deb822_migrate_script} "${legacy_file}" > "${deb822_file}" + if [ $? -eq 0 ] && [ -f "${deb822_file}" ]; then + mv "${legacy_file}" "${legacy_file}.bak" + echo "Migrated ${legacy_file} to ${deb822_file} and renamed to ${legacy_file}.bak" + else + >&2 echo "ERROR: failed to convert '${legacy_file}' to '${deb822_file}'" + rc=2 + fi + fi + else + >&2 echo "ERROR: '${legacy_file}' not found" + rc=2 + fi +} + +migrate_file "/etc/apt/sources.list" "${dest_dir}/system.sources" + +# shellcheck disable=SC2044 +for legacy_file in $(find /etc/apt/sources.list.d -mindepth 1 -maxdepth 1 -type f -name '*.list'); do + deb822_file=$(basename "${legacy_file}" .list) + migrate_file "${legacy_file}" "${dest_dir}/${deb822_file}.sources" +done + +exit ${rc} \ No newline at end of file 
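Review bot: In the `if uri in sources:` branch the second and later lines for a URI are merged without the `None` guards the first-seen branch has: `matches["components"].split(' ')` raises `TypeError` for a flat repository line with no components (the `bullseye-php80/` style used by the older evolix sources this script is meant to migrate), `sources[uri]["Components"]` raises `KeyError` when the first line had none, and the `[arch=…]`, `signed-by`, `lang` and `target` options of the repeated line are dropped silently. `key, value = option.split("=")` also fails with `ValueError` on an option value containing `=`; `split("=", 1)` is the safe form. The `.append(...)` calls in the first-seen branch operate on sets and are unreachable, since `source` is freshly built there; one option-to-field mapping shared by both branches removes them. The shebang `#!/bin/env python3` only works where `/bin/env` exists; `#!/usr/bin/env python3` is the portable spelling.
```python
# … unchanged: imports, argument checks, regex, split_options …
OPTION_FIELDS = {
    "arch": "Architectures",
    "signed-by": "Signed-by",
    "lang": "Languages",
    "target": "Targets",
}
# … unchanged: file loop, uri/options extraction (with option.split("=", 1)) …
            if uri in sources:
                existing = sources[uri]
                existing["Types"].add(matches["type"])
                existing.setdefault("Suites", set()).update(matches["suite"].split(' '))
                if matches.group('components'):
                    existing.setdefault("Components", set()).update(matches["components"].split(' '))
                for opt, field in OPTION_FIELDS.items():
                    if opt in options:
                        existing.setdefault(field, set()).add(options[opt])
            else:
                # … unchanged: Types/URIs/Enabled/Suites/Components …
                for opt, field in OPTION_FIELDS.items():
                    if opt in options:
                        source[field] = {options[opt]}
                sources[uri] = source
```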
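Review bot: `command -v deb822-migration.py` only succeeds when the helper is on `PATH`, and the fallback `./deb822-migration.py` is relative to the caller's working directory, not to the script; invoked as `/usr/share/scripts/deb822-migration.sh` by the accompanying task it exits 1 before doing anything unless `/usr/share/scripts` happens to be on `PATH`. Locating the helper next to the script is the robust form: `deb822_migrate_script="$(dirname "$0")/deb822-migration.py"`. In `migrate_file`, the redirection `> "${deb822_file}"` creates the `.sources` file before the converter runs, so a failed conversion leaves a truncated file in `/etc/apt/sources.list.d` for apt to parse on its next run; add `rm -f "${deb822_file}"` in the failure branch (the `[ -f "${deb822_file}" ]` test after `$?` is always true for the same reason).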
diff --git a/apt/tasks/migrate-to-deb822.yml b/apt/tasks/migrate-to-deb822.yml new file mode 100644 index 00000000..642bcb4f --- /dev/null +++ b/apt/tasks/migrate-to-deb822.yml @@ -0,0 +1,31 @@ +--- +- include_role: + name: evolix/remount-usr + +- name: /usr/share/scripts exists + file: + dest: /usr/share/scripts + mode: "0700" + owner: root + group: root + state: directory + tags: + - apt + +- name: Migration scripts are installed + copy: + src: "{{ item }}" + dest: "/usr/share/scripts/{{ item }}" + force: yes + mode: "0755" + loop: + - deb822-migration.py + - deb822-migration.sh + tags: + - apt + +- name: Exec migration script + command: /usr/share/scripts/deb822-migration.sh + ignore_errors: yes + tags: + - apt \ No newline at end of file -- 2.39.2 From dc6b340081943cc583ae63a5ba75d83730282fe2 Mon Sep 17 00:00:00 2001 From: Alexis Ben Miloud--Josselin Date: Thu, 16 Mar 2023 14:21:21 +0100 Subject: [PATCH 390/497] changelog: ajouter changements sur kvmstats --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6a0fac26..8f2d9288 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -42,6 +42,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * apt: Use pub.evolix.org instead of pub.evolix.net * userlogrotate: set rotate date format in right order (YYYY-MM-DD)! * elasticsearch: Disable garabge collector logging (JDK >= 9) +* kvmstats: use virsh domstats | awk to get guests informations ### Fixed -- 2.39.2 From 8d698ec6cb673bd8f1bb7fc6c82e5499b34441d1 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 16 Mar 2023 14:06:44 +0100 Subject: [PATCH 391/497] CHANGELOG cleanup --- CHANGELOG.md | 41 ++++++++++++++++++++--------------------- 1 file changed, 20 insertions(+), 21 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8f2d9288..ea2c0922 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
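Review bot: `ignore_errors: yes` on the `Exec migration script` task discards the exit code the script uses to report a failed or partial conversion, so the play continues with possibly broken apt sources; the task also re-runs and reports "changed" on every play. If the migration is meant to run once, make it conditional on its own result and let real failures surface: `args:` / `creates: /etc/apt/sources.list.d/system.sources` in place of `ignore_errors: yes`. If the case being ignored is the exit code 2 an already-migrated host returns, `register` the result and use `failed_when: deb822_migration.rc not in [0, 2]` instead — the script's return codes are only visible in the previous hunk, so this part is inferred.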
@@ -12,53 +12,52 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added +* apache: add task to enable mailgraph on default vhost and index.html * apt: add move-apt-keyrings script/tasks * apt: add tools to migrate sources to deb822 format -* nagios-nrpe: Print pool config path in check_phpfpm_multi output -* nagios-nrpe: add tasks/files for a wrapper * fail2ban: add "Internal login failure" to Dovecot filter +* lxc: copy `/etc/profile.d/evolinux.sh` from host into container +* nagios-nrpe: add tasks/files for a wrapper +* nagios-nrpe: Print pool config path in check_phpfpm_multi output +* php: add `php_version` variable when sury is activated for each Debian version * php: add a way to choose which version to install using sury repository -* userlogrotate: create role separated from packweb-apache -* postfix: Add task for enable mailgraph on packmail +* postfix: Add task to enable mailgraph on packmail * postgresql: configure max_connections -* apache: add tash for enable mailgraph on default vhost and index.html -* php: add variables php_version when sury is activated for each Debian version -* varnish: add variable varnish_update_config to disable configuration update -* lxc: copy /etc/profile.d/evolinux.sh from host into container +* userlogrotate: create dedicated role, separated from packweb-apache +* varnish: add `varnish_update_config` variable to disable configuration update ### Changed * Use systemd module instead of command -* Removed all "warn: False" args in command, shell and other modules as it's been deprecated and will give a hard fail in ansible-core 2.14.0. +* Removed all `warn: False` args in command, shell and other modules as it's been deprecated and will give a hard fail in ansible-core 2.14.0. 
+* apt: Use pub.evolix.org instead of pub.evolix.net * bind: refactor role +* elasticsearch: Disable garabge collector logging (JDK >= 9) * evolinux-users: Update sudoers template to remove commands allowed without password * listupgrade: upstream release 23.03.1 -* nagios-nrpe : Rewrite check_vrrpd for a better check (check rp_filter, vrrpd and uvrrpd compatible, use arguments, …) -* openvpn: Change check_openvpn destination file to comply with recent EvoBSD change +* nagios-nrpe : Rewrite `check_vrrpd` for a better check (check `rp_filter`, `vrrpd` and `uvrrpd` compatible, use arguments, …) +* openvpn: Change `check_openvpn` destination file to comply with recent EvoBSD change * postfix: come back to default value of `notify_classes` for pack mails. +* userlogrotate: set rotate date format in right order (YYYY-MM-DD)! * webapps/nextcloud : Change default data directory to be outside web root * webapps/nextcloud : Small enhancement on the vhost template to lock out data dir * yarn: update apt key -* apt: Use pub.evolix.org instead of pub.evolix.net -* userlogrotate: set rotate date format in right order (YYYY-MM-DD)! -* elasticsearch: Disable garabge collector logging (JDK >= 9) -* kvmstats: use virsh domstats | awk to get guests informations ### Fixed * Proper jinja spacing +* clamav: set `MaxConnectionQueueLength` to its default value (200), custom (15) was way too small and caused recurring failures in Postfix. 
+* docker-host: fix type in `daemon.json` and remove host configuration that is already in the systemd service by default * evolinux-base: ensure dbus is started and enabled (not by default in the case of an offline netinst) -* docker-host: fix type in daemon.json and remove host configuration that is already in the systemd service by default * haproxy: fix missing admin ACL in stats module access permissions * openvpn: fix the client cipher configuration to match the server cipher configuration -* clamav: set `MaxConnectionQueueLength` to its default value (200), custom (15) was way too small and caused recurrent connections fail in Postfix. +* php: fix error introduced in #33503e4538 (`False` evaluated as a String instead of Boolean) +* php: install using Sury repositories on Bullseye * postfix (packmail only): disable `concurrency_failed_cohort_limit` for destination smtp-amavis to prevent the suspension of this destination when Amavis fails to answer. Indeed, we configure the suspension delay quite long in `minimal_backoff_time` (2h) and `maximal_backoff_time` (6h) to reduce the risk of ban from external SMTPs. -* php: install using sury repositories on bullseye -* php: fix error introduced in 33503e4538 (False evaluated as a string instead of boolean) -* postfix: remove unused "aliases_scope=sub" from virtual_aliases.cf (it generated warnings) +* postfix: avoid Amavis transport to be considered dead when restarted. +* postfix: remove unused `aliases_scope=sub` from virtual_aliases.cf (it generated warnings) * userlogrotate: fix bug introduced in commit 2e54944a246 (rotated files were not zipped) * userlogrotate: skip zipping if .gz log already exists (prevents interactive question) -* postfix: avoid Amavis transport to be considered dead when restarted. ### Removed -- 2.39.2 From 50216eb5c76d580b04c5098ef79055a8fa5e874f Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour Date: Thu, 16 Mar 2023 14:27:53 +0100 Subject: [PATCH 392/497] listupgrade: upstream release 23.03.2 --- CHANGELOG.md | 2 +- listupgrade/files/listupgrade.sh | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ea2c0922..b5b09f75 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -34,7 +34,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * bind: refactor role * elasticsearch: Disable garabge collector logging (JDK >= 9) * evolinux-users: Update sudoers template to remove commands allowed without password -* listupgrade: upstream release 23.03.1 +* listupgrade: upstream release 23.03.2 * nagios-nrpe : Rewrite `check_vrrpd` for a better check (check `rp_filter`, `vrrpd` and `uvrrpd` compatible, use arguments, …) * openvpn: Change `check_openvpn` destination file to comply with recent EvoBSD change * postfix: come back to default value of `notify_classes` for pack mails. diff --git a/listupgrade/files/listupgrade.sh b/listupgrade/files/listupgrade.sh index b98d28ed..2b9667d9 100644 --- a/listupgrade/files/listupgrade.sh +++ b/listupgrade/files/listupgrade.sh @@ -9,7 +9,7 @@ # - 60 : current release is not in the $r_releases list # - 70 : at least an upgradable package is not in the $r_packages list -VERSION="23.03.1" +VERSION="23.03.2" show_version() { cat < Date: Thu, 16 Mar 2023 14:31:34 +0100 Subject: [PATCH 393/497] listupgrade: upstream release 23.03.3 --- CHANGELOG.md | 2 +- listupgrade/files/listupgrade.sh | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b5b09f75..5b9e693d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -34,7 +34,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * bind: refactor role * elasticsearch: Disable garabge collector logging (JDK >= 9) * evolinux-users: Update sudoers template to remove commands allowed without password -* listupgrade: upstream release 23.03.2 +* listupgrade: upstream release 23.03.3 * nagios-nrpe : Rewrite `check_vrrpd` for a better check (check `rp_filter`, `vrrpd` and `uvrrpd` compatible, use arguments, …) * openvpn: Change `check_openvpn` destination file to comply with recent EvoBSD change * postfix: come back to default value of `notify_classes` for pack mails. diff --git a/listupgrade/files/listupgrade.sh b/listupgrade/files/listupgrade.sh index 2b9667d9..e6518f43 100644 --- a/listupgrade/files/listupgrade.sh +++ b/listupgrade/files/listupgrade.sh @@ -9,7 +9,7 @@ # - 60 : current release is not in the $r_releases list # - 70 : at least an upgradable package is not in the $r_packages list -VERSION="23.03.2" +VERSION="23.03.3" show_version() { cat <>"${servicesToRestart}" elif echo "${pkg}" | grep -q "^mariadb-server"; then echo "MariaDB" >>"${servicesToRestart}" - elif echo "${pkg}" | grep -qE "^postgresql-[[:digit:]]+\.[[:digit:]]+$"; then + elif echo "${pkg}" | grep -qE "^postgresql-[[:digit:]]+(\.[[:digit:]]+)?$"; then echo "PostgreSQL" >>"${servicesToRestart}" elif echo "${pkg}" | grep -qE "^tomcat[[:digit:]]+$"; then echo "Tomcat" >>"${servicesToRestart}" -- 2.39.2 From 6f96f6b45882dad01e27d95a5679ccbe08ad218f Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour Date: Thu, 16 Mar 2023 14:35:12 +0100 Subject: [PATCH 394/497] Use proper python Boolean --- apt/tasks/hold_packages.yml | 4 +- elasticsearch/tasks/datadir.yml | 2 +- fail2ban/tasks/fix-dbpurgeage.yml | 2 +- filebeat/tasks/main.yml | 4 +- kvm-host/tasks/ssh.yml | 2 +- lxc/tasks/create-container.yml | 2 +- lxc/tasks/main.yml | 6 +-- minifirewall/tasks/main.yml | 63 ++++++++++++++++++++++++----- mysql/defaults/main.yml | 4 +- nameserver/tasks/main.yml | 2 +- newrelic/tasks/php.yml | 2 +- openvpn/tasks/debian.yml | 6 +-- postfix/tasks/packmail.yml | 2 +- postgresql/tests/test.yml | 6 +-- proftpd/tasks/account.yml | 6 +-- proftpd/tasks/accounts_password.yml | 4 +- redis/tasks/main.yml | 2 +- redmine/tasks/mysql.yml | 2 +- redmine/tasks/user.yml | 2 +- remount-usr/handlers/main.yml | 2 +- spamassasin/tasks/main.yml | 2 +- tomcat-instance/tasks/check.yml | 4 +- tomcat-instance/tasks/systemd.yml | 2 +- webapps/wordpress/tasks/main.yml | 12 +++--- 24 files changed, 94 insertions(+), 51 deletions(-) diff --git a/apt/tasks/hold_packages.yml b/apt/tasks/hold_packages.yml index 1db3429e..10f5b358 100644 --- a/apt/tasks/hold_packages.yml +++ b/apt/tasks/hold_packages.yml @@ -79,8 +79,8 @@ - name: Check if Cron is installed shell: "dpkg --list 'cron' 2>/dev/null | grep -q -E '^(i|h)i'" register: is_cron - changed_when: false - failed_when: false + changed_when: False + failed_when: False check_mode: no tags: - apt diff --git a/elasticsearch/tasks/datadir.yml b/elasticsearch/tasks/datadir.yml index c0c20f05..ef91cf1d 100644 --- a/elasticsearch/tasks/datadir.yml +++ b/elasticsearch/tasks/datadir.yml @@ -10,7 +10,7 @@ - name: "read the real datadir" command: readlink -f /var/lib/elasticsearch - changed_when: false + changed_when: False register: elasticsearch_current_real_datadir_test check_mode: no tags: diff --git a/fail2ban/tasks/fix-dbpurgeage.yml b/fail2ban/tasks/fix-dbpurgeage.yml index 1246e601..dbf9c0d9 100644 --- a/fail2ban/tasks/fix-dbpurgeage.yml 
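Review bot: `changed_when: False` and `failed_when: False` replace `false` while `check_mode: no` two lines below keeps a third spelling; all three are booleans to Ansible's YAML loader, so nothing here is more "proper" than before and the result is a mixed style inside one task. Pick one spelling for the whole file — lowercase `true`/`false` is what yamllint's truthy rule accepts by default — or include `check_mode` in the sweep. The same mix remains in the elasticsearch, filebeat, kvm-host and lxc hunks of this commit.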
+++ b/fail2ban/tasks/fix-dbpurgeage.yml @@ -8,7 +8,7 @@ - name: Register bantime from default config from package shell: "grep -R -E 'dbpurgeage[[:blank:]]*=[[:blank:]]*[0-9]+' /etc/fail2ban/fail2ban.conf |awk '{print $3}'|head -n1" register: dbpurgeage - changed_when: false + changed_when: False check_mode: false - name: diff --git a/filebeat/tasks/main.yml b/filebeat/tasks/main.yml index fa24a893..20858669 100644 --- a/filebeat/tasks/main.yml +++ b/filebeat/tasks/main.yml @@ -84,8 +84,8 @@ command: grep logstash-input-beats /usr/share/logstash/Gemfile check_mode: no register: logstash_plugin_installed - failed_when: false - changed_when: false + failed_when: False + changed_when: False when: - filebeat_logstash_plugin | bool - logstash_plugin.stat.exists diff --git a/kvm-host/tasks/ssh.yml b/kvm-host/tasks/ssh.yml index 3c097abc..d954bc06 100644 --- a/kvm-host/tasks/ssh.yml +++ b/kvm-host/tasks/ssh.yml @@ -9,7 +9,7 @@ command: cat /root/.ssh/id_rsa.pub register: ssh_keys check_mode: no - changed_when: false + changed_when: False - name: Print ssh public keys debug: diff --git a/lxc/tasks/create-container.yml b/lxc/tasks/create-container.yml index eb4ecd3b..edeca2ec 100644 --- a/lxc/tasks/create-container.yml +++ b/lxc/tasks/create-container.yml @@ -1,7 +1,7 @@ --- - name: "Check if container {{ name }} exists" command: "lxc-ls {{ name }}" - changed_when: false + changed_when: False check_mode: no register: container_exists diff --git a/lxc/tasks/main.yml b/lxc/tasks/main.yml index 3ec586bd..8236b9f1 100644 --- a/lxc/tasks/main.yml +++ b/lxc/tasks/main.yml @@ -32,8 +32,8 @@ - name: Check if root has subuids command: grep '^root:100000:10000$' /etc/subuid - failed_when: false - changed_when: false + failed_when: False + changed_when: False register: root_subuids when: lxc_unprivilegied_containers | bool 
@@ -45,7 +45,7 @@ - name: Get filesystem options command: findmnt --noheadings --target /var/lib/lxc --output OPTIONS - changed_when: false + changed_when: False check_mode: no register: check_fs_options diff --git a/minifirewall/tasks/main.yml b/minifirewall/tasks/main.yml index bc56b7dc..e0dbcaf0 100644 --- a/minifirewall/tasks/main.yml +++ b/minifirewall/tasks/main.yml @@ -6,6 +6,8 @@ stat: path: /etc/init.d/minifirewall register: _minifirewall_check + tags: + - always # Legacy versions of minifirewall don't define the VERSION variable - name: Look for minifirewall version @@ -14,6 +16,8 @@ changed_when: False check_mode: False register: _minifirewall_version_check + tags: + - always - name: Set install mode to legacy if needed set_fact: @@ -24,21 +28,30 @@ - minifirewall_install_mode != 'modern' - not (minifirewall_force_upgrade_script | bool) - _minifirewall_version_check.rc == 1 # grep didn't find but the file exists + tags: + - always - name: Set install mode to modern if not legacy set_fact: minifirewall_install_mode: modern when: minifirewall_install_mode != 'legacy' + tags: + - always - name: Debug install mode debug: var: minifirewall_install_mode verbosity: 1 + tags: + - always - name: 'Set minifirewall_restart_handler_name to "noop"' set_fact: minifirewall_restart_handler_name: "restart minifirewall (noop)" - when: not (minifirewall_restart_if_needed | bool) + when: + - not (minifirewall_restart_if_needed | bool) + tags: + - always - name: 'Set minifirewall_restart_handler_name to "legacy"' set_fact: @@ -46,6 +59,8 @@ when: - minifirewall_restart_if_needed | bool - minifirewall_install_mode == 'legacy' + tags: + - always - name: 'Set minifirewall_restart_handler_name to "modern"' set_fact: @@ -53,6 +68,8 @@ when: - minifirewall_restart_if_needed | bool - minifirewall_install_mode != 'legacy' + tags: + - always ####################################################################### 
@@ -62,54 +79,74 @@ when: - minifirewall_install_mode != 'legacy' - minifirewall_main_file is defined + tags: + - always - name: Install tasks (modern mode) - include: install.yml + import_tasks: install.yml when: minifirewall_install_mode != 'legacy' - name: Install tasks (legacy mode) - include: install.legacy.yml + import_tasks: install.legacy.yml when: minifirewall_install_mode == 'legacy' - name: Debug minifirewall_update_config debug: var: minifirewall_update_config | bool verbosity: 1 + tags: + - always - name: Config tasks (modern mode) - include: config.yml + include_tasks: config.yml when: - minifirewall_install_mode != 'legacy' - minifirewall_update_config | bool + tags: + - manage - name: Config tasks (legacy mode) - include: config.legacy.yml + include_tasks: config.legacy.yml + args: + apply: + tags: + - manage when: - minifirewall_install_mode == 'legacy' - minifirewall_update_config | bool - name: Utils tasks - include: utils.yml + include_tasks: utils.yml - name: NRPE tasks - include: nrpe.yml + include_tasks: nrpe.yml - name: Activation tasks - include: activate.yml + include_tasks: activate.yml - name: Debug minifirewall_tail_included debug: var: minifirewall_tail_included | bool verbosity: 1 + tags: + - always - name: Tail tasks (modern mode) - include: tail.yml + include_tasks: tail.yml + args: + apply: + tags: + - manage when: - minifirewall_install_mode != 'legacy' - minifirewall_tail_included | bool - name: Tail tasks (legacy mode) - include: tail.legacy.yml + include_tasks: tail.legacy.yml + args: + apply: + tags: + - manage when: - minifirewall_install_mode == 'legacy' - minifirewall_tail_included | bool @@ -120,10 +157,14 @@ debug: var: minifirewall_restart_force | bool verbosity: 1 + tags: + - always - name: Force restart minifirewall (legacy) command: /bin/true notify: "restart minifirewall (legacy)" + tags: + - always when: - minifirewall_install_mode == 'legacy' - minifirewall_restart_force | bool 
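Review bot: The two config includes are tagged in two different and, as far as I can tell, both incomplete ways: `Config tasks (modern mode)` puts `tags: [manage]` on the `include_tasks` task itself, while `Config tasks (legacy mode)` puts it under `args: apply:`; with `include_tasks` the tag on the include only selects the include statement and `apply` only tags the included tasks, so under `--tags manage` the modern branch would run the include but skip the tasks inside config.yml, and the legacy branch would skip the include altogether. Each of the `include_tasks` with `apply` (config.legacy.yml, tail.yml, tail.legacy.yml) should also carry `tags: - manage` on the include task, and the modern config include should gain the `args: apply: tags: - manage` block, e.g. for the modern one `include_tasks: config.yml` / `args: {apply: {tags: [manage]}}` / `tags: [manage]`. `Utils tasks`, `NRPE tasks` and `Activation tasks` become untagged `include_tasks`, so they are silently skipped in any tagged run; add a comment stating that this is intended if it is. This rework also lands under a commit titled "Use proper python Boolean", which will make it hard to find in history.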
@@ -131,6 +172,8 @@ - name: Force restart minifirewall (modern) command: /bin/true notify: "restart minifirewall (modern)" + tags: + - always when: - minifirewall_install_mode != 'legacy' - minifirewall_restart_force | bool \ No newline at end of file diff --git a/mysql/defaults/main.yml b/mysql/defaults/main.yml index 59f46667..af43f495 100644 --- a/mysql/defaults/main.yml +++ b/mysql/defaults/main.yml @@ -50,10 +50,10 @@ mysql_restart_if_needed: True mysql_performance_schema: True -mysql_skip_enabled: false +mysql_skip_enabled: False # replication variables: -mysql_replication: false +mysql_replication: False mysql_log_bin: null mysql_binlog_format: mixed mysql_server_id: null diff --git a/nameserver/tasks/main.yml b/nameserver/tasks/main.yml index 420e65af..83ba2a34 100644 --- a/nameserver/tasks/main.yml +++ b/nameserver/tasks/main.yml @@ -3,7 +3,7 @@ shell: grep nameserver /etc/resolv.conf | awk '{ print $2 }' register: grep_nameserver check_mode: no - changed_when: false + changed_when: False tags: - nameserver diff --git a/newrelic/tasks/php.yml b/newrelic/tasks/php.yml index c41dbac9..3bd4d809 100644 --- a/newrelic/tasks/php.yml +++ b/newrelic/tasks/php.yml @@ -18,7 +18,7 @@ - name: list newrelic config files shell: "find /etc/php* -type f -name newrelic.ini" - changed_when: false + changed_when: False check_mode: no register: find_newrelic_ini diff --git a/openvpn/tasks/debian.yml b/openvpn/tasks/debian.yml index 2fa0a647..bee05d9e 100644 --- a/openvpn/tasks/debian.yml +++ b/openvpn/tasks/debian.yml @@ -89,13 +89,13 @@ stat: path: "/etc/default/minifirewall" check_mode: no - changed_when: false + changed_when: False register: minifirewall_config - name: Retrieve the default interface shell: "grep '^INT=' /etc/default/minifirewall | cut -d\\' -f 2" check_mode: no - changed_when: false + changed_when: False register: minifirewall_int when: minifirewall_config.stat.exists 
@@ -176,7 +176,7 @@ stat: path: "/etc/nagios/nrpe.d/evolix.cfg" check_mode: no - changed_when: false + changed_when: False register: nrpe_evolix_config - name: Install NRPE check dependencies diff --git a/postfix/tasks/packmail.yml b/postfix/tasks/packmail.yml index 869113b0..0407a72b 100644 --- a/postfix/tasks/packmail.yml +++ b/postfix/tasks/packmail.yml @@ -133,6 +133,6 @@ - name: update antispam list command: /usr/share/scripts/spam.sh - changed_when: false + changed_when: False tags: - postfix diff --git a/postgresql/tests/test.yml b/postgresql/tests/test.yml index 438eddee..88714dd1 100644 --- a/postgresql/tests/test.yml +++ b/postgresql/tests/test.yml @@ -6,7 +6,7 @@ apt: name: locales state: present - changed_when: false + changed_when: False - name: Setting default locales lineinfile: @@ -14,7 +14,7 @@ line: "{{ item }}" create: yes state: present - changed_when: false + changed_when: False loop: - "en_US.UTF-8 UTF-8" - "fr_FR ISO-8859-1" @@ -23,7 +23,7 @@ - name: Reconfigure locales command: /usr/sbin/locale-gen - changed_when: false + changed_when: False when: test_locales is changed roles: diff --git a/proftpd/tasks/account.yml b/proftpd/tasks/account.yml index a03fd1f1..cfe82156 100644 --- a/proftpd/tasks/account.yml +++ b/proftpd/tasks/account.yml @@ -1,7 +1,7 @@ --- - name: Check if FTP account exist command: grep "^{{ proftpd_name }}:" /etc/proftpd/vpasswd - failed_when: false + failed_when: False check_mode: no changed_when: check_ftp_account.rc != 0 register: check_ftp_account @@ -36,7 +36,7 @@ register: hashed_ftp_password check_mode: no when: check_ftp_account.rc == 0 - changed_when: false + changed_when: False tags: - proftpd @@ -45,7 +45,7 @@ proftpd_password: "{{ hashed_ftp_password.stdout }}" check_mode: no when: check_ftp_account.rc == 0 - changed_when: false + changed_when: False tags: - proftpd diff --git a/proftpd/tasks/accounts_password.yml b/proftpd/tasks/accounts_password.yml index 01517083..3ae37c88 100644 
--- a/proftpd/tasks/accounts_password.yml +++ b/proftpd/tasks/accounts_password.yml @@ -1,7 +1,7 @@ --- - name: Check if FTP account exist command: grep "^{{ item.name }}:" /etc/proftpd/vpasswd - failed_when: false + failed_when: False check_mode: no changed_when: check_ftp_account.rc != 0 register: check_ftp_account @@ -12,7 +12,7 @@ shell: grep "^{{ item.name }}:" /etc/proftpd/vpasswd | cut -d':' -f2 register: protftpd_cur_password check_mode: no - changed_when: false + changed_when: False - name: Set password for this account set_fact: diff --git a/redis/tasks/main.yml b/redis/tasks/main.yml index d9a57bb2..24315b42 100644 --- a/redis/tasks/main.yml +++ b/redis/tasks/main.yml @@ -36,7 +36,7 @@ - name: Get Redis version shell: "redis-server -v | grep -Eo '(v=\\S+)' | cut -d'=' -f 2 | grep -E '^([0-9]|\\.)+$'" - changed_when: false + changed_when: False check_mode: no register: _redis_installed_version tags: diff --git a/redmine/tasks/mysql.yml b/redmine/tasks/mysql.yml index 6c40a338..5f1f6631 100644 --- a/redmine/tasks/mysql.yml +++ b/redmine/tasks/mysql.yml @@ -4,7 +4,7 @@ register: redmine_get_mysql_password check_mode: no changed_when: False - failed_when: false + failed_when: False tags: - redmine diff --git a/redmine/tasks/user.yml b/redmine/tasks/user.yml index 932e049c..dc959db1 100644 --- a/redmine/tasks/user.yml +++ b/redmine/tasks/user.yml @@ -41,4 +41,4 @@ - name: Enable systemd user mode command: "loginctl enable-linger {{ redmine_user }}" - changed_when: false + changed_when: False diff --git a/remount-usr/handlers/main.yml b/remount-usr/handlers/main.yml index f13f3ed6..854a8883 100644 --- a/remount-usr/handlers/main.yml +++ b/remount-usr/handlers/main.yml @@ -1,4 +1,4 @@ --- - name: remount usr command: "mount -o remount /usr" - failed_when: false \ No newline at end of file + failed_when: False \ No newline at end of file diff --git a/spamassasin/tasks/main.yml b/spamassasin/tasks/main.yml index a7568391..a2cbaf9a 100644 
--- a/spamassasin/tasks/main.yml +++ b/spamassasin/tasks/main.yml @@ -87,7 +87,7 @@ - name: update SpamAssasin's rules command: "/usr/share/scripts/sa-update.sh" - changed_when: false + changed_when: False tags: - spamassassin diff --git a/tomcat-instance/tasks/check.yml b/tomcat-instance/tasks/check.yml index eff9d236..b9426a33 100644 --- a/tomcat-instance/tasks/check.yml +++ b/tomcat-instance/tasks/check.yml @@ -6,7 +6,7 @@ - name: Check use of gid command: id -ng "{{ tomcat_instance_port }}" register: check_port_gid - changed_when: false + changed_when: False failed_when: - check_port_gid | success - check_port_gid.stdout != "{{ tomcat_instance_name }}" @@ -14,7 +14,7 @@ - name: Check use of uid command: id -nu "{{ tomcat_instance_port }}" register: check_port_uid - changed_when: false + changed_when: False failed_when: - check_port_uid | success - check_port_uid.stdout != "{{ tomcat_instance_name }}" diff --git a/tomcat-instance/tasks/systemd.yml b/tomcat-instance/tasks/systemd.yml index 7558bbaa..c3a6a877 100644 --- a/tomcat-instance/tasks/systemd.yml +++ b/tomcat-instance/tasks/systemd.yml @@ -1,7 +1,7 @@ --- - name: Enable systemd user mode command: "loginctl enable-linger {{ tomcat_instance_name }}" - changed_when: false + changed_when: False - name: Set systemd conf var lineinfile: diff --git a/webapps/wordpress/tasks/main.yml b/webapps/wordpress/tasks/main.yml index e1f442c0..32eda170 100644 --- a/webapps/wordpress/tasks/main.yml +++ b/webapps/wordpress/tasks/main.yml @@ -25,7 +25,7 @@ - name: Generate random password command: apg -n1 -m 12 -M LCN register: shell_password - changed_when: false + changed_when: False - name: Read mysql config from .my.cnf set_fact: 
@@ -48,13 +48,13 @@ - name: Configure site shell: '{{ wordpress_wpcli }} core install --url={{ wordpress_host | quote }} --title={{ wordpress_title | quote }} --admin_user=admin --admin_password="{{ admin_pwd | quote }}" --admin_email={{ wordpress_email }} --skip-email' - changed_when: false + changed_when: False - name: Check if Wordpress is up to date shell: '{{ wordpress_wpcli }} core check-update | grep -q Success' register: check_version check_mode: no - failed_when: false + failed_when: False changed_when: check_version.rc == 1 - name: Update Wordpress @@ -65,17 +65,17 @@ - name: Install default plugin shell: '{{ wordpress_wpcli }} plugin is-installed {{ item }} || {{ wordpress_wpcli }} plugin install {{ item }}' - changed_when: false + changed_when: False loop: "{{ wordpress_plugins }}" - name: Update default plugins shell: '{{ wordpress_wpcli }} plugin is-installed {{ item }} && {{ wordpress_wpcli }} plugin update {{ item }}' - changed_when: false + changed_when: False loop: "{{ wordpress_plugins }}" - name: Activate default plugins shell: '{{ wordpress_wpcli }} plugin is-installed {{ item }} && {{ wordpress_wpcli }} plugin activate {{ item }}' - changed_when: false + changed_when: False loop: "{{ wordpress_plugins }}" - name: Send a summary mail -- 2.39.2 From 8df930f016993d0ca64f678f6cb0e9f48e6e2703 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 16 Mar 2023 14:37:51 +0100 Subject: [PATCH 395/497] import changelog line --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5b9e693d..348af53e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -35,6 +35,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * elasticsearch: Disable garabge collector logging (JDK >= 9) * evolinux-users: Update sudoers template to remove commands allowed without password * listupgrade: upstream release 23.03.3 +* kvmstats: use virsh domstats | awk to get guests informations * nagios-nrpe : Rewrite `check_vrrpd` for a better check (check `rp_filter`, `vrrpd` and `uvrrpd` compatible, use arguments, …) * openvpn: Change `check_openvpn` destination file to comply with recent EvoBSD change * postfix: come back to default value of `notify_classes` for pack mails. -- 2.39.2 From 449103f53737710bf4b44cd41bf121daf7e0f12a Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 16 Mar 2023 14:46:42 +0100 Subject: [PATCH 396/497] whitespace --- php/tasks/main_bookworm.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/php/tasks/main_bookworm.yml b/php/tasks/main_bookworm.yml index 8982f8f5..6ad64399 100644 --- a/php/tasks/main_bookworm.yml +++ b/php/tasks/main_bookworm.yml @@ -1,6 +1,6 @@ --- -- name: "Set php version to 8.2(Debian 12)" +- name: "Set php version to 8.2 (Debian 12)" set_fact: php_version: "8.2" when: -- 2.39.2 From 0e81eab6fa05da1e7f7b83af00167d17b8bf8a53 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 16 Mar 2023 14:53:53 +0100 Subject: [PATCH 397/497] =?UTF-8?q?If=20you=20want=20`exit=200`,=20well?= =?UTF-8?q?=E2=80=A6=20run=20`exit=200`=20:D?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- userlogrotate/files/userlogrotate | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/userlogrotate/files/userlogrotate b/userlogrotate/files/userlogrotate index 6d480f91..dfa51738 100644 --- a/userlogrotate/files/userlogrotate +++ b/userlogrotate/files/userlogrotate 
@@ -55,5 +55,4 @@ for log in production.log*[!\.gz] delayed_job.log*[!\.gz] development.log*[!\.gz done done -# we want exit 0 -true +exit 0 \ No newline at end of file -- 2.39.2 From 65ee8c7e458aa41f1f24c4d6cc22f0c064bafad4 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 16 Mar 2023 14:56:39 +0100 Subject: [PATCH 398/497] Release 23.03 --- CHANGELOG.md | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 348af53e..dc0b7cc3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,10 +8,23 @@ The **major** part of the version is the year The **minor** part changes is the month The **patch** part changes is incremented if multiple releases happen the same month + ## [Unreleased] ### Added +### Changed + +### Fixed + +### Removed + +### Security + +## [23.03] 2023-03-16 + +### Added + * apache: add task to enable mailgraph on default vhost and index.html * apt: add move-apt-keyrings script/tasks * apt: add tools to migrate sources to deb822 format @@ -64,7 +77,6 @@ The **patch** part changes is incremented if multiple releases happen the same m * evolinux-base: subversion is not installed anymore -### Security ## [22.12] 2022-12-14 -- 2.39.2 From eae2eed7b06fa77eec36ced64b0700fbcc3eb852 Mon Sep 17 00:00:00 2001 From: Alexis Ben Miloud--Josselin Date: Thu, 16 Mar 2023 17:14:16 +0100 Subject: [PATCH 399/497] Add role for PgBouncer --- CHANGELOG.md | 2 ++ pgbouncer/README.md | 38 ++++++++++++++++++++++++++++ pgbouncer/defaults/main.yml | 7 +++++ pgbouncer/tasks/main.yml | 17 +++++++++++++ pgbouncer/templates/pgbouncer.ini.j2 | 29 +++++++++++++++++++++ pgbouncer/templates/userlist.txt.j2 | 3 +++ 6 files changed, 96 insertions(+) create mode 100644 pgbouncer/README.md create mode 100644 pgbouncer/defaults/main.yml create mode 100644 pgbouncer/tasks/main.yml create mode 100644 pgbouncer/templates/pgbouncer.ini.j2 create mode 100644 pgbouncer/templates/userlist.txt.j2 
diff --git a/CHANGELOG.md b/CHANGELOG.md index dc0b7cc3..36b62cb2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added +* pgbouncer: new role + ### Changed ### Fixed diff --git a/pgbouncer/README.md b/pgbouncer/README.md new file mode 100644 index 00000000..2542f497 --- /dev/null +++ b/pgbouncer/README.md @@ -0,0 +1,38 @@ +# PgBouncer + +Installation and basic configuration of PgBouncer. + +## Tasks + +Everything is in the `tasks/main.yml` file. + +## Available variables + +Main variables are : + +* `pgbouncer_listen_addr`: the listen IP for PgBouncer (default: `127.0.0.1`), +* `pgbouncer_listen_port`: the listen post for PgBouncer (default: `6432`), +* `pgbouncer_databases`: the databases that clients of PgBouncer can connect to, +* `pgbouncer_account_list`: the accounts that clients of PgBouncer can connect to. + +The variable `pgbouncer_databases` must have the `name`, `host` and `port` attributes. The variable can be defined like this: + +``` +pgbouncer_databases: + - { name: "db1", host: "192.168.3.14", port: "5432" } + - { name: "*", host: "192.168.2.71", port: "5432" } +``` + +The variable `pgbouncer_account_list` must have the `name` and `hash` attributes. The variable can be defined like this: + +``` +pgbouncer_account_list: + - { name: "account1", hash: "" } + - { name: "account2", hash: "" } +``` + +The value of `hash` can be obtained by running this command on the PostgreSQL server: `select passwd from pg_shadow where usename='account1';` + +> These accounts must exist on the PostegreSQL server. + +The full list of variables (with default values) can be found in `defaults/main.yml`. diff --git a/pgbouncer/defaults/main.yml b/pgbouncer/defaults/main.yml new file mode 100644 index 00000000..7b246270 --- /dev/null +++ b/pgbouncer/defaults/main.yml 
@@ -0,0 +1,7 @@ +--- +pgbouncer_listen_addr: "127.0.0.1" +pgbouncer_listen_port: "6432" + +pgbouncer_databases: [] + +pgbouncer_account_list: [] diff --git a/pgbouncer/tasks/main.yml b/pgbouncer/tasks/main.yml new file mode 100644 index 00000000..67639044 --- /dev/null +++ b/pgbouncer/tasks/main.yml @@ -0,0 +1,17 @@ +--- +- name: PgBouncer is installed + apt: + name: pgbouncer + state: present +- name: Limit for PgBouncer is set + lineinfile: + path: /etc/default/pgbouncer + line: ulimit -n 65536 +- name: Add config file for PgBouncer + template: + src: pgbouncer.ini.j2 + dest: /etc/pgbouncer/pgbouncer.ini +- name: Populate userlist.txt + template: + src: userlist.txt.j2 + dest: /etc/pgbouncer/userlist.txt diff --git a/pgbouncer/templates/pgbouncer.ini.j2 b/pgbouncer/templates/pgbouncer.ini.j2 new file mode 100644 index 00000000..30d34ccb --- /dev/null +++ b/pgbouncer/templates/pgbouncer.ini.j2 @@ -0,0 +1,29 @@ +[databases] +{% for db in pgbouncer_databases %} +{{ db.name }} = host={{ db.host }} port={{ db.port }} +{% endfor %} + +[pgbouncer] +logfile = /var/log/postgresql/pgbouncer.log +pidfile = /var/run/postgresql/pgbouncer.pid + +listen_addr = {{ pgbouncer_listen_addr }} +listen_port = {{ pgbouncer_listen_port }} +unix_socket_dir = + +auth_type = scram-sha-256 +auth_file = /etc/pgbouncer/userlist.txt + +# La connexion au serveur redevient libre lorsque le client termine une transaction +# Autres valeurs possibles : session (lorsque le client ferme la session), statement (lorsque la requête se termine) +pool_mode = transaction + +# Nombre maximum de connexions entrantes +max_client_conn = 5000 + +# Nombre de connexion maintenues avec le serveur +default_pool_size = 20 + +# Ne pas enregistrer les connexions qui se passent bien +log_connections = 0 +log_disconnections = 0 diff --git a/pgbouncer/templates/userlist.txt.j2 b/pgbouncer/templates/userlist.txt.j2 new file mode 100644 index 00000000..abf316a3 --- /dev/null +++ b/pgbouncer/templates/userlist.txt.j2 
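Review bot: `Populate userlist.txt` writes credential material (the `pg_shadow` password verifiers the README tells the operator to paste into `pgbouncer_account_list`) with `template` but no `owner`, `group` or `mode`, so the file takes the default umask mode and is typically readable by every local account; set `owner`/`group` to the account PgBouncer runs as (postgres on Debian, to be confirmed) and `mode: "0640"` on that task, and the same attributes are reasonable on the `pgbouncer.ini` task. Neither template task notifies a handler and the diffstat adds no handlers file, so a changed `pgbouncer.ini` or `userlist.txt` only takes effect after a manual reload of the service; a `notify: reload pgbouncer` with a matching `service` handler would close that gap. The README could also state that `pgbouncer_account_list` belongs in a vault, since the hashes are equivalent to credentials for the pooler.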
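Review bot: `log_connections = 0` and `log_disconnections = 0` remove the per-connection trail from `/var/log/postgresql/pgbouncer.log`, so client authentication through the pooler leaves no record to correlate during an incident; consider exposing them as role variables defaulting to the upstream value (`1`) or stating the trade-off in the README. The template's comments are in French while the rest of the role is in English; translate them, e.g. `# The server connection is released as soon as the client finishes a transaction` and `# Do not log connections that complete normally`. `unix_socket_dir =` left empty disables the Unix socket, which is presumably intentional but deserves a comment since local clients default to it.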
@@ -0,0 +1,3 @@ +{% for account in pgbouncer_account_list %} +"{{ account.name }}" "{{ account.hash }}" +{% endfor %} -- 2.39.2 From b7dea8d4569c3e7dfcd85ce5114b2a42fb316176 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 16 Mar 2023 21:35:03 +0100 Subject: [PATCH 400/497] minifirewall: support protocols in numeric form --- CHANGELOG.md | 2 ++ minifirewall/files/check_minifirewall | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 36b62cb2..cd14c099 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +minifirewall: support protocols in numeric form + ### Fixed ### Removed diff --git a/minifirewall/files/check_minifirewall b/minifirewall/files/check_minifirewall index e14d73f2..bcf70ff8 100644 --- a/minifirewall/files/check_minifirewall +++ b/minifirewall/files/check_minifirewall @@ -39,7 +39,7 @@ is_minifirewall_started() { if test -x /usr/share/scripts/minifirewall_status; then /usr/share/scripts/minifirewall_status > /dev/null else - /sbin/iptables -L -n | grep -q -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$" + /sbin/iptables -L -n | grep -q -E "^(DROP\s+(udp|17)|ACCEPT\s+(icmp|1)))\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$" fi fi } -- 2.39.2 From be03dfcb086bf00978077a1f6bf05cd9b0b2c466 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 16 Mar 2023 21:36:13 +0100 Subject: [PATCH 401/497] apt: deb822 migration python script is looked relative to shell script --- CHANGELOG.md | 3 ++- apt/files/deb822-migration.sh | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cd14c099..649f90e0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
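Review bot: The new pattern in `is_minifirewall_started` has unbalanced parentheses: `(DROP\s+(udp|17)|ACCEPT\s+(icmp|1)))` closes one group more than it opens, so depending on the grep build the stray `)` is either a pattern error (exit 2) or a literal that never occurs in `iptables -L -n` output; either way the fallback branch can no longer report the firewall as started, which is the opposite of what a monitoring check should fail towards. The same change made to `minifirewall_status` in patch 403 has the balanced form; use it here: `/sbin/iptables -L -n | grep -q -E "^(DROP\s+(udp|17)|ACCEPT\s+(icmp|1))\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"`. The beginning of `is_minifirewall_started` lies outside the hunk.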
@@ -17,7 +17,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed -minifirewall: support protocols in numeric form +* apt: deb822 migration python script is looked relative to shell script +* minifirewall: support protocols in numeric form ### Fixed diff --git a/apt/files/deb822-migration.sh b/apt/files/deb822-migration.sh index cffa2f95..4e4a4dbc 100644 --- a/apt/files/deb822-migration.sh +++ b/apt/files/deb822-migration.sh @@ -3,7 +3,7 @@ deb822_migrate_script=$(command -v deb822-migration.py) if [ -z "${deb822_migrate_script}" ]; then - deb822_migrate_script="./deb822-migration.py" + deb822_migrate_script="$(dirname "$0")/deb822-migration.py" fi if [ ! -x "${deb822_migrate_script}" ]; then >&2 echo "ERROR: '${deb822_migrate_script}' not found or not executable" -- 2.39.2 From 8bfc4c28bc98674d91671dd2bc2b2b6559120419 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 16 Mar 2023 21:36:57 +0100 Subject: [PATCH 402/497] listupgrade: remove old typo version of the cron task --- CHANGELOG.md | 1 + listupgrade/tasks/main.yml | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 649f90e0..4c32947d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed * apt: deb822 migration python script is looked relative to shell script +* listupgrade: remove old typo version of the cron task * minifirewall: support protocols in numeric form ### Fixed diff --git a/listupgrade/tasks/main.yml b/listupgrade/tasks/main.yml index 2e38ef03..42864806 100644 --- a/listupgrade/tasks/main.yml +++ b/listupgrade/tasks/main.yml 
@@ -58,6 +58,12 @@ month: "{{ listupgrade_cron_month }}" state: "{{ listupgrade_cron_enabled | bool | ternary('present','absent') }}" +- name: Remove old lisupgrade typo + cron: + name: "lisupgrade.sh" + cron_file: "listupgrade" + state: absent + - name: old-kernel-autoremoval script is present copy: src: old-kernel-autoremoval.sh -- 2.39.2 From edeb5bcfcf20c134ae4e40f8ee09a4eb7f8a2101 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 16 Mar 2023 22:00:36 +0100 Subject: [PATCH 403/497] minifirewall also fix minifirewall_status --- minifirewall/files/minifirewall_status | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/minifirewall/files/minifirewall_status b/minifirewall/files/minifirewall_status index 7bf09285..2eec3697 100644 --- a/minifirewall/files/minifirewall_status +++ b/minifirewall/files/minifirewall_status @@ -2,7 +2,7 @@ is_started() { /sbin/iptables -L -n \ - | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$" + | grep --quiet --extended-regexp "^(DROP\s+(udp|17)|ACCEPT\s+(icmp|1))\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$" } return_started() { echo "started" -- 2.39.2 From fac45cb64da38ae436188a78690bac0ad5a6e60c Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 16 Mar 2023 22:17:46 +0100 Subject: [PATCH 404/497] Release 23.03.1 --- CHANGELOG.md | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4c32947d..edb6c431 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,18 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added +### Changed + +### Fixed + +### Removed + +### Security + +## [23.03.1] 2023-03-16 + +### Added + * pgbouncer: new role ### Changed 
@@ -21,12 +33,6 @@ The **patch** part changes is incremented if multiple releases happen the same m * listupgrade: remove old typo version of the cron task * minifirewall: support protocols in numeric form -### Fixed - -### Removed - -### Security - ## [23.03] 2023-03-16 ### Added -- 2.39.2 From 4c4a08f15ed4e33110c1ca81dd5c2316980e1ea9 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Fri, 17 Mar 2023 13:55:48 +0100 Subject: [PATCH 405/497] apt: Add binary key for our repository (for Jessie or less) --- apt/files/pub_evolix.gpg | Bin 0 -> 3948 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 apt/files/pub_evolix.gpg 
diff --git a/apt/files/pub_evolix.gpg b/apt/files/pub_evolix.gpg new file mode 100644 index 0000000000000000000000000000000000000000..ab6ab33f1ef06ecda418746a0da090eee50f46b1 GIT binary patch literal 3948 zcmajhWmFT48o+TjdUV$$Mms=iAkyFlh$tNb5+kHzv@|k8y1~&XIZ{ee=@=nM2qG#X z3S*>*2)pll-*eBs-|pAvJkPi1{La4+NJoZjfG-0WNrqHPSz7DPT@#>%)CL;3pYa!^ zkGoim+jr&%X$~j6&OF;SBXCH;8}l4p=elBhdA6UG$ye#T2D4>aB0WfLTj>49{Bn#@ zhw`-O8*0H*)0$gv#!_!K^8GYc8%@2Hy%{V{29o)#j(|N-EQ8!B^gqoka<)KoSBHen zFtiw$X$&s~PMA?dhJe{}F#Wcw(EG9|r%uGQX6$uT$=L_=(MBc2u=;ww%hyu{z|e4! z@Z&dmZw{EaD>}=Oc`$mWuUN|XLiU1BsGoHxCXA8X7^2N2XFdQ7-8v}1Fz>794MbGa z_7K#v5Veu#4k@}`w^-r;?fQ|g?L}y1aOuGxoX&Ts%SNhu4yO)p0~mum#8^7;fd$<+ zZ9bQWJy(AqvNRe$KPwFEp3qxM8%fw^7)7x0ShzBP%(*(G5T1+fnNJ6jih}$bG(Ldh z!x!sr*Gx3qTX?AiAk+7_i;-3DN`>VIu9oS(UT3{4nrC`PMuaBWEEv7@Ig&sAZle;I zB!zgb)&FjIFu#-|Jw~{UX<7U~(|*NhD+j zJ9LMlc_~bLC3LDABA!w5z#sk+!?wC|#klRxWd*5bSDpJE%7K)*`qagZE^SDMCNSFX5fR{JmK|Y>tA^e7cj-GBveq(1}ACy~w zkAEn?inCv!o3As}H_%bT`QJ-YF8*psKvOan0Ek45U4V?(6v16VRg<-Urh_;JLwVcqA0_+qE>9ve;w7jC_`yCGT|9rQ`Iy0F z#;*obI>>K91Z(DRDz0bB#XErF3*RvRh+)a88Reso*u&M9W}J~fr3<(h?}b8+v%Rl; zKM7J^sOQMQUSaUMp6yXTptP1rb2LVIb(z`gr-z2&XJHM`{}k`uFsN^ZYIaB@65|dO zIUHOx7N0XUr_q?vN^~z+ROpXpCb+sl&0_o&a?l0)3ECC=aPK8gsu=Dsg+1mT`|}?7 z9%2Ba`TkD{9;FAkDygqh!4p+-&&*H|(0Rg%f3=&7Bd;P^U zeEgt1B%QH-E6Kx90XDp!VN{_vRlkcpUJ5l#KC1Ot&c&EMSYKAh8$xzpkIVXyK7 zml4Tcybo_=&MUooGm?HoUD%;>ykuk5Ybe!xRvQiyqTb?;@H*GhTtr?fqpM5wYb+8Ezsv^sITlS%=aOjX;t+Ww*}6CiBnny8o;Hq9_GM5uYB zZ3W)PlzgjQDZ{BEP-#wMfJU|20R6AS7L4ChD6R3N6EBFV>jWx{XdBce?|o6jb`t5H zwtHy-KOl+^Fv!V4ZIb$VTyk2Z9~+mhH$~cUDLzn-{>?WkQbHS0<`(B`cZZb>h-@B` zobB}3IRz`U=_iTK(XQ-cMZ+ULB(bU&Rj%uMTyCw$m_f`>8WNm5W*zjyB1WYtuN!I1 zn)A2*^kcsbQciN>C#iuRKHA{=F;le0sV+9IaZfok@-BB$%Urt_w-{&S?PylC+_NmT zz#lH953)_f+9LIQ)cSZxiNLm$wR+z4s4Ay#G;7Tzyd~#~!SYNnnN#zPl?r|TF}qwl z%@I>Xx&hrpj!EXDAZbm8$C8zW^Hyyy4M@IiCbC+%S6@;RWYR0_o;LrwUaDZlM3>JN zH#0S`N%`Y@@?gr1FJ?sk4>Pp? 
zF!R5hkh?Mv!&mfzc|%E{%SCy;Luw^XyT|B$gq3jjB~{7K03-x8D;P9!1(VmmB2y^W zWLPxrOM_qB)iP-uv2Y6Z@PqsE!N9Fx<8Hb+hu`6yyklCPzd=7P4Fd7_#=_-M=_-nO zO}+ClQS_=wWV8(hY?i$*)u=*qRdDB$W$wfM)Q_ah&k)v>r-V@{cWJ~W!NN|dXU|rN z(dGQY=QhD_Y%D=yZzWFUd3L92ZT2Aj!{w%*S~U&uNMJ}G_Z4zQ?6P{yl!p1;I$f35Kn1Q2C+m~&p~$=SPgZ+b!)g3?mbT9=HT?Rr!98-|`H5(Mst z=iVCj(vrTF$PL4pSfg~4nL?ZaRPTpRb>+xOXH8WF<#FbL-U(L1M*Gs%=WBx@*(fbp z%e77l^d8w5Q`bTSa2>HrRZIQ*c@&Br@4nd_X&W&;YFE0;*w=ih{I>WX zPW0UV%A9%`R*_#89KGgW$w=y=;6esmQG}Dad<%+iQK2l3O>o&{XD5!j^w_yIdv_g$ z$6qAGCN9Q!*S3Ij&x*Qjjv#Z)k1$d@iUQrL`?c+P7h{+vyBd?cgssD?r04EJZA=H` zo-Kl~N#`Q$ql()6NG(;|SgB+t-q0otWTV&wdVKov-B*8YIeg_Huky7c0jzf=^Y&u* z^KtNE6qitOjDplqiTz2_V=0zYyB9vXoXG0rd!cZim)7WaCr&B9(!2*lKOF_>M6^bF z3tAKt9RULnzMZq4I~F?)@jz(Pj4@^4X9+7rJWV4JF>rD5k;`;VXm3}mMeU|A_B6Ep z(?FoCu(3Yu=(|jt+HV8fCqb$dC<~fnypAMDoSP+)f>O_zPivz<`b08|%Y;OK(Z?kp zV3IKkTG&Y$_q!*)DQp~&RkdHvmi&to)k5+*J0+}+F)uiWvrm_0eGdRyUnZ+gz`laa zgjU6L)aJD9^~6o5-0MEFJoWR?3$2gKNnToeU%%wg5x0)-7)hx-;c}nJ?CaVe2!6d0 zF57D}q{VC1%pQwe_jd*tD3^Uu`1w=9<}LujUPF#Ys(TGpiB_Ky=;W2GJ#CS-8J zO#B8Kh483kdt*uWq+;}Xk=5+!Bd1NH9Cabs`puiMQULFzqXqa?`C!$vtMgU$Z0tXr zkoo^#PW0S>JV0`4(l@RoK#l*_$?E`qGOoWQy7reu^kd{N4{Qztp0x496G}&UzNKFq z{5yE`-2MjWKNE#qMv@r)j82&~)#+4Q=GbV?upURBMdHo9fyS{7Ety-iR=4;;ySzzO zDh&32ew(Om`9dFdmtuUs;C_%zH?-WonBlitkz^jS3f#+{_OIWG5|Um|O%U)!|X zt`uAHNT+aYlfKF=v3gpmBcu_0tv=VOBtkxJ;__1Fab`+8Vaj$wHd$FUOp5)cNoDIw z-fj$g#-RF@67cV9B(0@a&v^c^q-(Xc-nX_2}i!-RLdT-Wp%h2s}4 zSwnK$BqxpTFz{uBFJMmP1QYQHRt6#vs=F@`%rn&0;AJKvNqlE9K1}c4X=VTA5bY)a zbzPyE3rl@x>6{a(b2iW}`Q$})Ks*b-t5Wjd)zgZmS%u9wi9*XYAD^hx!O3GfEp(3M z07OpUiJsoum|%Mkz>sS0s#f}b_PAqu={IEu)XQfD1pi?&UQcbzM$t6SfyY61;n`hS zuvBaaS|($LlbI8-*aVzbT{VzZ?&lME&7rzNpCE{YPjM6oT|a@0fZ0G=6DUdFmj;B4 zQHjKH@g=DJv*tU({JxR!4r;04Q9dE~rBM{rqGfPIf6wTxEV%n|_ICkp^9Kv3ue!u) zSXWwOeQ#I4Vz?5j{6v?ZfJqjtKn@*AL~uwXy};xID|gv~-C|O*stkCAPw^YK+iQvq zy6UvV+O5}wbx*gAzkz9 zyIP8i=nV21ck=;qK|7{MHTcR#qM&YbwaMVmtX3HC6ZeQDOmGxIi8IGwL>vmmrF2=b&en9r@^qmEE3r-IZhO|a zc2ESiOMInLP5JyruA0Qvdp36@*E>!Iu3U3~9Rz=uxAD6MQ+ulx97fCj8~xXD>v 
zZ~nO<|EenSmTZLhpu~Mu1$o2HEA5 Date: Fri, 17 Mar 2023 20:05:42 +0100 Subject: [PATCH 406/497] apt: use deb822 format on Debian 12 --- apt/files/deb822-migration.py | 122 +++++++++++++----- apt/files/deb822-migration.sh | 61 ++++----- apt/tasks/backports.deb822.yml | 35 +++++ .../{backports.yml => backports.oneline.yml} | 4 +- apt/tasks/basics.deb822.yml | 28 ++++ apt/tasks/basics.oneline.yml | 18 +++ apt/tasks/basics.yml | 33 ----- apt/tasks/evolix_public.deb822.yml | 45 +++++++ ...x_public.yml => evolix_public.oneline.yml} | 4 +- apt/tasks/hold_packages.yml | 2 +- apt/tasks/main.yml | 90 +++++++++++-- apt/templates/bookworm_backports.sources.j2 | 7 + apt/templates/bookworm_basics.list.j2 | 5 - apt/templates/bookworm_basics.sources.j2 | 9 ++ apt/templates/bookworm_security.sources.j2 | 7 + 15 files changed, 351 insertions(+), 119 deletions(-) mode change 100644 => 100755 apt/files/deb822-migration.py mode change 100644 => 100755 apt/files/deb822-migration.sh create mode 100644 apt/tasks/backports.deb822.yml rename apt/tasks/{backports.yml => backports.oneline.yml} (100%) create mode 100644 apt/tasks/basics.deb822.yml create mode 100644 apt/tasks/basics.oneline.yml delete mode 100644 apt/tasks/basics.yml create mode 100644 apt/tasks/evolix_public.deb822.yml rename apt/tasks/{evolix_public.yml => evolix_public.oneline.yml} (100%) create mode 100644 apt/templates/bookworm_backports.sources.j2 delete mode 100644 apt/templates/bookworm_basics.list.j2 create mode 100644 apt/templates/bookworm_basics.sources.j2 create mode 100644 apt/templates/bookworm_security.sources.j2 diff --git a/apt/files/deb822-migration.py b/apt/files/deb822-migration.py old mode 100644 new mode 100755 index 10ee47ae..a8873923 --- a/apt/files/deb822-migration.py +++ b/apt/files/deb822-migration.py 
@@ -3,20 +3,36 @@ import re import sys import os +import select +import apt +import apt_pkg -if len(sys.argv) > 1: - src_file = sys.argv[1] -else: - print("You must provide a source file as first argument", file=sys.stderr) - sys.exit(1) +# Order matters ! +destinations = { + "debian-security": "security.sources", + ".*-backports": "backports.sources", + ".debian.org": "system.sources", + "mirror.evolix.org": "system.sources", + "pub.evolix.net": "evolix_public_old.sources", + "pub.evolix.org": "evolix_public.sources", + "artifacts.elastic.co": "elastic.sources", + "download.docker.com": "docker.sources", + "downloads.linux.hpe.com": "hp.sources", + "pkg.jenkins-ci.org": "jenkins.sources", + "packages.sury.org": "sury.sources", + "repo.mongodb.org": "mongodb.sources", + "apt.newrelic.com": "newrelic.sources", + "deb.nodesource.com": "nodesource.sources", + "dl.yarnpkg.com": "yarn.sources", + "apt.postgresql.org": "postgresql.sources", + "packages.microsoft.com/repos/vscode": "microsoft-vscode.sources", + "packages.microsoft.com/repos/ms-teams": "microsoft-teams.sources", + "updates.signal.org": "signal.sources", + "downloads.1password.com/linux/debian": "1password.sources", + "download.virtualbox.org": "virtualbox.sources" +} -if not os.access(src_file, os.R_OK): - print(src_file, "is not readable", file=sys.stderr) - sys.exit(2) - -pattern = re.compile('^(?Pdeb|deb-src) +(?P\[.+\] ?)*(?P\w+:\/\/\S+) +(?P\S+)(?: +(?P.*))?$') - -sources = {} +sources_parts = apt_pkg.config.find_dir('Dir::Etc::sourceparts') def split_options(raw): table = str.maketrans({ 
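Review bot: `sources_parts` is assigned from `apt_pkg.config.find_dir('Dir::Etc::sourceparts')` but never read (the `main()` added in the third hunk calls `find_dir` again into `output_dir`), and `import apt` is likewise unused, so both can be dropped. The `destinations` keys read like literal hostnames, yet `destination()` in the next hunk compiles each one as a regular expression, so `.debian.org` also matches any character before `debian`, and the "Order matters !" remark only makes sense once a reader knows the first matching key wins. A comment such as `# Keys are regex fragments matched against the URI and the suite; the first match wins.` would make that explicit, and escaping the dots (e.g. `r"\.debian\.org"`) would make the matches exact.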
@@ -27,25 +43,44 @@ def split_options(raw): return options -with open(src_file,'r') as file: - for line in file: - matches = re.match(pattern, line) - if matches is not None: - # print(matches.groupdict()) - uri = matches['uri'] +def auto_destination(uri): + basename = uri + basename = re.sub('\[[^\]]+\]', '', basename) + basename = re.sub('\w+://', '', basename) + basename = '_'.join(re.sub('[^a-zA-Z0-9]', ' ', basename).split()) + return '%s.sources' % basename + +def destination(matches): + for search_str in destinations.keys(): + search_pattern = re.compile(f'{search_str}(/|\s|$)') + if re.search(search_pattern, matches['uri']) or re.search(search_pattern, matches["suite"]): + return destinations[search_str] + # fallback if nothing matches + return auto_destination(matches['uri']) + +def prepare_sources(lines): + sources = {} + pattern = re.compile('^(?: *(?Pdeb|deb-src)) +(?P\[.+\] ?)*(?P\w+:\/\/\S+) +(?P\S+)(?: +(?P.*))?$') + + for line in lines: + matches = re.match(pattern, line) + + if matches is not None: + dest = destination(matches) options = {} + if matches.group('options'): for option in split_options(matches['options']): if "=" in option: key, value = option.split("=") options[key] = value - if uri in sources: - sources[uri]["Types"].add(matches["type"]) - sources[uri]["URIs"] = matches["uri"] - sources[uri]["Suites"].add(matches["suite"]) - sources[uri]["Components"].update(matches["components"].split(' ')) + if dest in sources: + sources[dest]["Types"].add(matches["type"]) + sources[dest]["URIs"] = matches["uri"] + sources[dest]["Suites"].add(matches["suite"]) + sources[dest]["Components"].update(matches["components"].split(' ')) else: source = { "Types": {matches['type']}, 
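Review bot: `key, value = option.split("=")` in `prepare_sources` raises `ValueError` for any option whose value itself contains `=`; `key, value = option.split("=", 1)` keeps the first separator only. The patterns in `auto_destination`, `destination` and `prepare_sources` are plain string literals containing `\[`, `\w`, `\s` and `\/`, which newer Python versions flag as invalid escape sequences; they should be raw strings, e.g. `re.sub(r'\[[^\]]+\]', '', basename)`. `split_options` begins before this hunk, so only its final `return options` is visible here.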
@@ -83,14 +118,35 @@ with open(src_file,'r') as file: else: source["Targets"] = {options["target"]} - sources[uri] = source + sources[dest] = source + return sources -for i, (uri, source) in enumerate(sources.items()): - if i > 0: - print("") - for key, value in source.items(): - if isinstance(value, str): - print("{}: {}".format(key, value) ) - else: - print("{}: {}".format(key, ' '.join(value)) ) - i += 1 \ No newline at end of file +def save_sources(sources, output_dir): + # print(output_dir) + # print(sources) + for dest, source in sources.items(): + source_path = output_dir + dest + + with open(source_path, 'w') as file: + for key, value in source.items(): + if isinstance(value, str): + file.write("{}: {}\n".format(key, value)) + else: + file.write("{}: {}\n".format(key, ' '.join(value))) + +def main(): + if select.select([sys.stdin, ], [], [], 0.0)[0]: + sources = prepare_sources(sys.stdin) + # elif len(sys.argv) > 1: + # sources = prepare_sources([sys.argv[1]]) + else: + print("You must provide source lines to stdin", file=sys.stderr) + sys.exit(1) + + output_dir = apt_pkg.config.find_dir('Dir::Etc::sourceparts') + save_sources(sources, output_dir) + +if __name__ == "__main__": + main() + +sys.exit(0) \ No newline at end of file diff --git a/apt/files/deb822-migration.sh b/apt/files/deb822-migration.sh old mode 100644 new mode 100755 index 4e4a4dbc..10fb7889 --- a/apt/files/deb822-migration.sh +++ b/apt/files/deb822-migration.sh 
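Review bot: `save_sources` opens every destination with `'w'` and silently replaces whatever is already there, and since `deb822-migration.sh` (next file) runs this script once per legacy file, two `.list` files that map to the same destination (both matching `.debian.org`, for instance) leave only the last one's entries in `system.sources`, after the first file has already been renamed to `.bak`. The previous shell implementation refused to proceed when the target existed; a guard at the top of the loop, `if os.path.exists(source_path): sys.exit("%s already exists" % source_path)`, restores that protection. `select.select([sys.stdin], [], [], 0.0)` on a pipe reports "not ready" whenever the upstream `grep` has not written yet, so the script can exit 1 nondeterministically; `if not sys.stdin.isatty():` is the reliable test for piped input. The module-level `sys.exit(0)` after the `__main__` guard also runs when the file is imported, so it should move inside `main()` or be removed.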
@@ -10,39 +10,40 @@ if [ ! -x "${deb822_migrate_script}" ]; then exit 1 fi -dest_dir="/etc/apt/sources.list.d" -rc=0 - -migrate_file() { - legacy_file=$1 - deb822_file=$2 - - if [ -f "${legacy_file}" ]; then - if [ -f "${deb822_file}" ]; then - >&2 echo "ERROR: '${deb822_file}' already exists" - rc=2 - else - ${deb822_migrate_script} "${legacy_file}" > "${deb822_file}" - if [ $? -eq 0 ] && [ -f "${deb822_file}" ]; then - mv "${legacy_file}" "${legacy_file}.bak" - echo "Migrated ${legacy_file} to ${deb822_file} and renamed to ${legacy_file}.bak" - else - >&2 echo "ERROR: failed to convert '${legacy_file}' to '${deb822_file}'" - rc=2 - fi - fi - else - >&2 echo "ERROR: '${legacy_file}' not found" - rc=2 - fi +sources_from_file() { + grep --extended-regexp "^\s*(deb|deb-src) " $1 } -migrate_file "/etc/apt/sources.list" "${dest_dir}/system.sources" +rc=0 +count=0 -# shellcheck disable=SC2044 -for legacy_file in $(find /etc/apt/sources.list.d -mindepth 1 -maxdepth 1 -type f -name '*.list'); do - deb822_file=$(basename "${legacy_file}" .list) - migrate_file "${legacy_file}" "${dest_dir}/${deb822_file}.sources" +if [ -f /etc/apt/sources.list ]; then + sources_from_file /etc/apt/sources.list | ${deb822_migrate_script} + python_rc=$? + + if [ ${python_rc} -eq 0 ]; then + mv /etc/apt/sources.list /etc/apt/sources.list.bak + echo "OK: /etc/apt/sources.list" + count=$(( count + 1 )) + else + >&2 echo "ERROR: failed migration for /etc/apt/sources.list" + rc=1 + fi +fi + +for file in $(find /etc/apt/sources.list.d -mindepth 1 -maxdepth 1 -type f -name '*.list'); do + sources_from_file "${file}" | ${deb822_migrate_script} + python_rc=$? + + if [ ${python_rc} -eq 0 ]; then + mv "${file}" "${file}.bak" + echo "OK: ${file}" + count=$(( count + 1 )) + else + >&2 echo "ERROR: failed migration for ${file}" + rc=1 + fi done +echo "${count} file(s) migrated" exit ${rc} \ No newline at end of file 
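Review bot: `sources_from_file` passes `$1` to `grep` unquoted and the loop iterates over `$(find ...)`, so any `.list` path containing whitespace is split into fragments; quote the argument, `grep --extended-regexp "^\s*(deb|deb-src) " "$1"`, and iterate with a glob, `for file in /etc/apt/sources.list.d/*.list; do [ -e "${file}" ] || continue`. `python_rc=$?` after the pipeline reflects only the Python script, so a `grep` failure (an unreadable file) is invisible unless `set -o pipefail` is set in the part of the script above this hunk, which is not visible here. The script's preamble and the `deb822_migrate_script` check start outside the hunk.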
diff --git a/apt/tasks/backports.deb822.yml b/apt/tasks/backports.deb822.yml new file mode 100644 index 00000000..8e196cc0 --- /dev/null +++ b/apt/tasks/backports.deb822.yml @@ -0,0 +1,35 @@ +--- +- name: No backports config in default sources.list + lineinfile: + dest: /etc/apt/sources.list.d/ + regexp: "backports" + state: absent + tags: + - apt + +- name: Backports sources list is installed + template: + src: '{{ ansible_distribution_release }}_backports.sources.j2' + dest: /etc/apt/sources.list.d/backports.sources + force: yes + mode: "0640" + register: apt_backports_sources + tags: + - apt + +- name: Backports configuration + copy: + src: '{{ ansible_distribution_release }}_backports_preferences' + dest: /etc/apt/preferences.d/0-backports-defaults + force: yes + mode: "0640" + register: apt_backports_config + tags: + - apt + +- name: Apt update + apt: + update_cache: yes + when: apt_backports_sources is changed or apt_backports_config is changed + tags: + - apt diff --git a/apt/tasks/backports.yml b/apt/tasks/backports.oneline.yml similarity index 100% rename from apt/tasks/backports.yml rename to apt/tasks/backports.oneline.yml index aecf6194..7f6509b0 100644 --- a/apt/tasks/backports.yml +++ b/apt/tasks/backports.oneline.yml @@ -33,13 +33,13 @@ line: 'Acquire::Check-Valid-Until no;' create: yes state: present - when: ansible_distribution_release == "jessie" tags: - apt + when: ansible_distribution_release == "jessie" - name: Apt update apt: update_cache: yes - when: apt_backports_list is changed or apt_backports_config is changed tags: - apt + when: apt_backports_list is changed or apt_backports_config is changed diff --git a/apt/tasks/basics.deb822.yml b/apt/tasks/basics.deb822.yml new file mode 100644 index 00000000..0a342e61 --- /dev/null +++ b/apt/tasks/basics.deb822.yml 
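Review bot: In `backports.deb822.yml`, "No backports config in default sources.list" points `lineinfile` at a directory, `dest: /etc/apt/sources.list.d/`, which the module cannot edit, and the unanchored `regexp: "backports"` would remove any line mentioning that word wherever it was applied; either target the specific legacy file with `ansible.builtin.file` and `state: absent`, or drop the task. The rendered `backports.sources` gets `mode: "0640"` while the sibling `basics.deb822.yml` writes its sources with `"0644"`; the two should agree.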
@@ -0,0 +1,28 @@ +--- + +- name: Change basics repositories + template: + src: "{{ ansible_distribution_release }}_basics.sources.j2" + dest: /etc/apt/sources.list.d/system.sources + mode: "0644" + force: yes + register: apt_basic_sources + tags: + - apt + +- name: Change security repositories + template: + src: "{{ ansible_distribution_release }}_security.sources.j2" + dest: /etc/apt/sources.list.d/security.sources + mode: "0644" + force: yes + register: apt_security_sources + tags: + - apt + +- name: Apt update + apt: + update_cache: yes + tags: + - apt + when: apt_basic_list is changed or apt_security_sources is changed diff --git a/apt/tasks/basics.oneline.yml b/apt/tasks/basics.oneline.yml new file mode 100644 index 00000000..8e0a562c --- /dev/null +++ b/apt/tasks/basics.oneline.yml @@ -0,0 +1,18 @@ +--- + +- name: Change basics repositories + template: + src: "{{ ansible_distribution_release }}_basics.list.j2" + dest: /etc/apt/sources.list + mode: "0644" + force: yes + register: apt_basic_list + tags: + - apt + +- name: Apt update + apt: + update_cache: yes + tags: + - apt + when: apt_basic_list is changed diff --git a/apt/tasks/basics.yml b/apt/tasks/basics.yml deleted file mode 100644 index 33c79129..00000000 --- a/apt/tasks/basics.yml +++ /dev/null 
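Review bot: The closing "Apt update" task in `basics.deb822.yml` tests `apt_basic_list is changed`, but this file registers `apt_basic_sources` (the `_list` name belongs to `basics.oneline.yml`), so under the default undefined-variable handling the condition errors out and the cache is never refreshed on Debian 12. It should read `when: apt_basic_sources is changed or apt_security_sources is changed`.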
@@ -1,33 +0,0 @@ ---- - -- name: Change basics repositories - template: - src: "{{ ansible_distribution_release }}_basics.list.j2" - dest: /etc/apt/sources.list - mode: "0644" - force: yes - register: apt_basic_list - tags: - - apt - -- name: Clean GANDI sources.list.d/debian-security.list - file: - path: '{{ item }}' - state: absent - loop: - - /etc/apt/sources.list.d/debian-security.list - - /etc/apt/sources.list.d/debian-jessie.list - - /etc/apt/sources.list.d/debian-stretch.list - - /etc/apt/sources.list.d/debian-buster.list - - /etc/apt/sources.list.d/debian-bullseye.list - - /etc/apt/sources.list.d/debian-update.list - when: apt_clean_gandi_sourceslist | bool - tags: - - apt - -- name: Apt update - apt: - update_cache: yes - when: apt_basic_list is changed - tags: - - apt diff --git a/apt/tasks/evolix_public.deb822.yml b/apt/tasks/evolix_public.deb822.yml new file mode 100644 index 00000000..a98a9983 --- /dev/null +++ b/apt/tasks/evolix_public.deb822.yml @@ -0,0 +1,45 @@ +--- + +- name: Look for legacy apt keyring + stat: + path: /etc/apt/trusted.gpg + register: _trusted_gpg_keyring + tags: + - apt + +- name: Evolix embedded GPG key is absent + apt_key: + id: "B8612B5D" + keyring: /etc/apt/trusted.gpg + state: absent + tags: + - apt + when: _trusted_gpg_keyring.stat.exists + +- name: Add Evolix GPG key + copy: + src: pub_evolix.asc + dest: "{{ apt_keyring_dir }}/pub_evolix.asc" + force: yes + mode: "0644" + owner: root + group: root + tags: + - apt + +- name: Evolix public list is installed + template: + src: evolix_public.sources.j2 + dest: /etc/apt/sources.list.d/evolix_public.sources + force: yes + mode: "0640" + register: apt_evolix_public + tags: + - apt + +- name: Apt update + apt: + update_cache: yes + tags: + - apt + when: apt_evolix_public is changed 
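Review bot: "Evolix public list is installed" renders `evolix_public.sources.j2`, which is not among the templates this commit creates (the diffstat lists only the `bookworm_*` templates), so the task fails on Debian 12 until that file exists. When it is added it should carry `Signed-by: {{ apt_keyring_dir }}/pub_evolix.asc` so the key copied by "Add Evolix GPG key" is bound to this source rather than relying on the legacy `/etc/apt/trusted.gpg` that the preceding task strips the key from. `apt_key` is deprecated in recent Ansible; since the key is already shipped as a file, the removal task could be replaced by deleting the old keyring entry with a command, but that is a secondary concern.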
diff --git a/apt/tasks/evolix_public.yml b/apt/tasks/evolix_public.oneline.yml similarity index 100% rename from apt/tasks/evolix_public.yml rename to apt/tasks/evolix_public.oneline.yml index 8c4d5216..e3ca833e 100644 --- a/apt/tasks/evolix_public.yml +++ b/apt/tasks/evolix_public.oneline.yml @@ -12,9 +12,9 @@ id: "B8612B5D" keyring: /etc/apt/trusted.gpg state: absent - when: _trusted_gpg_keyring.stat.exists tags: - apt + when: _trusted_gpg_keyring.stat.exists - name: Add Evolix GPG key copy: @@ -40,6 +40,6 @@ - name: Apt update apt: update_cache: yes - when: apt_evolix_public is changed tags: - apt + when: apt_evolix_public is changed diff --git a/apt/tasks/hold_packages.yml b/apt/tasks/hold_packages.yml index 10f5b358..2b3b815f 100644 --- a/apt/tasks/hold_packages.yml +++ b/apt/tasks/hold_packages.yml @@ -97,6 +97,6 @@ day: "{{ apt_check_hold_cron_day }}" month: "{{ apt_check_hold_cron_month }}" state: "present" - when: is_cron.rc == 0 tags: - apt + when: is_cron.rc == 0 diff --git a/apt/tasks/main.yml b/apt/tasks/main.yml index 353dca36..3459b1b5 100644 --- a/apt/tasks/main.yml +++ b/apt/tasks/main.yml @@ -1,10 +1,26 @@ --- - name: "Compatibility check" - fail: - msg: only compatible with Debian >= 8 - when: - - ansible_distribution != "Debian" or ansible_distribution_major_version is version('8', '<') + assert: + that: + - ansible_distribution = "Debian" + - ansible_distribution_major_version is version('8', '>=') + msg: Only compatible with Debian >= 8 + tags: + - apt + +- name: "apt-transport-https is installed for https repositories (before Buster)" + apt: + name: + - apt-transport-https + tags: + - apt + when: ansible_distribution_major_version is version('10', '<') + +- name: "certificates are installed to https repositories" + apt: + name: + - ca-certificates tags: - apt 
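Review bot: In the `main.yml` hunk, the assert condition `ansible_distribution = "Debian"` uses a single `=`, which is not a valid Jinja comparison, so the compatibility check errors on every host instead of asserting; it should be `- ansible_distribution == "Debian"`. The two new package tasks omit `state:`, which defaults to `present`, so they behave as intended; stating it explicitly would match the assert's deliberate style.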
@@ -14,23 +30,71 @@ tags: - apt -- name: Install basics repositories - include: basics.yml - when: apt_install_basics | bool +- name: Install basics repositories (Debian <12) + include: basics.debian-lt-12.yml tags: - apt + when: + - apt_install_basics | bool + - ansible_distribution_major_version is version('12', '<') -- name: Install APT Backports repository - include: backports.yml - when: apt_install_backports | bool +- name: Install basics repositories (Debian >=12) + include: basics.debian-ge-12.yml tags: - apt + when: + - apt_install_basics | bool + - ansible_distribution_major_version is version('12', '>=') -- name: Install Evolix Public APT repository - include: evolix_public.yml - when: apt_install_evolix_public | bool + +- name: Install backports repositories (Debian <12) + include: backports.debian-lt-12.yml tags: - apt + when: + - apt_install_backports | bool + - ansible_distribution_major_version is version('12', '<') + +- name: Install backports repositories (Debian >=12) + include: backports.debian-ge-12.yml + tags: + - apt + when: + - apt_install_backports | bool + - ansible_distribution_major_version is version('12', '>=') + + +- name: Install Evolix Public repositories (Debian <12) + include: evolix_public.debian-lt-12.yml + tags: + - apt + when: + - apt_install_evolix_public | bool + - ansible_distribution_major_version is version('12', '<') + +- name: Install Evolix Public repositories (Debian >=12) + include: evolix_public.debian-ge-12.yml + tags: + - apt + when: + - apt_install_evolix_public | bool + - ansible_distribution_major_version is version('12', '>=') + +- name: Clean GANDI sources + file: + path: '{{ item }}' + state: absent + loop: + - /etc/apt/sources.list.d/debian-security.list + - /etc/apt/sources.list.d/debian-jessie.list + - /etc/apt/sources.list.d/debian-stretch.list + - /etc/apt/sources.list.d/debian-buster.list + - /etc/apt/sources.list.d/debian-bullseye.list + - /etc/apt/sources.list.d/debian-update.list + tags: + - apt + 
when: apt_clean_gandi_sourceslist | bool + - name: Install check for packages marked hold include: hold_packages.yml diff --git a/apt/templates/bookworm_backports.sources.j2 b/apt/templates/bookworm_backports.sources.j2 new file mode 100644 index 00000000..20a505a3 --- /dev/null +++ b/apt/templates/bookworm_backports.sources.j2 @@ -0,0 +1,7 @@ +# {{ ansible_managed }} + +Types: deb +URIs: https://mirror.evolix.org/debian +Suites: bullseye-backports +Components: {{ apt_backports_components | mandatory }} +Enabled: yes diff --git a/apt/templates/bookworm_basics.list.j2 b/apt/templates/bookworm_basics.list.j2 deleted file mode 100644 index 1c6bc15b..00000000 --- a/apt/templates/bookworm_basics.list.j2 +++ /dev/null @@ -1,5 +0,0 @@ -# {{ ansible_managed }} - -deb http://mirror.evolix.org/debian bookworm {{ apt_basics_components | mandatory }} -deb http://mirror.evolix.org/debian/ bookworm-updates {{ apt_basics_components | mandatory }} -deb http://security.debian.org/debian-security bookworm-security {{ apt_basics_components | mandatory }} diff --git a/apt/templates/bookworm_basics.sources.j2 b/apt/templates/bookworm_basics.sources.j2 new file mode 100644 index 00000000..fbc3034a --- /dev/null +++ b/apt/templates/bookworm_basics.sources.j2 @@ -0,0 +1,9 @@ +# {{ ansible_managed }} + +Types: deb +URIs: https://mirror.evolix.org/debian +Suites: bookworm bookworm-updates +Components: {{ apt_basics_components | mandatory }} +Enabled: yes + +deb http://security.debian.org/debian-security bookworm-security {{ apt_basics_components | mandatory }} diff --git a/apt/templates/bookworm_security.sources.j2 b/apt/templates/bookworm_security.sources.j2 new file mode 100644 index 00000000..0b0e4190 --- /dev/null +++ b/apt/templates/bookworm_security.sources.j2 
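Review bot: The Debian >=12 branches write `system.sources` and `backports.sources` into `sources.list.d`, but nothing in this hunk disables a pre-existing one-line `/etc/apt/sources.list` or `sources.list.d/*.list` on an upgraded host, so both formats stay active and apt reports duplicate sources while the suites named in the old file remain in use. The included file names (`basics.debian-lt-12.yml`, `backports.debian-ge-12.yml`, …) do not match the files this commit creates (`basics.oneline.yml`, `basics.deb822.yml`, …), and `include:` is deprecated in favour of `import_tasks:`. "Clean GANDI sources", moved here from `basics.yml`, is no longer gated by `apt_install_basics`; if that is intended, a short comment saying so would help. This hunk starts at the previous line of the page.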
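Review bot: `bookworm_backports.sources.j2` declares `Suites: bullseye-backports`, so a Debian 12 host configured by this template would fetch backports built for bullseye; the line should be `Suites: bookworm-backports`. The same line is still present as context in the later hunk of this file in patch 409, so the mismatch survives the rest of the series shown here.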
@@ -0,0 +1,7 @@ +# {{ ansible_managed }} + +Types: deb +URIs: https://security.debian.org/debian-security +Suites: bookworm-security +Components: {{ apt_basics_components | mandatory }} +Enabled: yes \ No newline at end of file -- 2.39.2 From 9358efedfed30d67df390fd4a224c4a2e3b2b538 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 17 Mar 2023 22:32:11 +0100 Subject: [PATCH 407/497] apt: fix many stupid mistakes --- apt/tasks/basics.deb822.yml | 16 ++++++++++++++++ apt/tasks/config.yml | 6 +++--- apt/tasks/main.yml | 20 ++++++++++---------- apt/templates/bookworm_backports.sources.j2 | 2 +- apt/templates/bookworm_basics.sources.j2 | 6 ++---- apt/templates/evolix_public.sources.j2 | 8 ++++++++ 6 files changed, 40 insertions(+), 18 deletions(-) create mode 100644 apt/templates/evolix_public.sources.j2 diff --git a/apt/tasks/basics.deb822.yml b/apt/tasks/basics.deb822.yml index 0a342e61..b99a8af4 100644 --- a/apt/tasks/basics.deb822.yml +++ b/apt/tasks/basics.deb822.yml @@ -20,6 +20,22 @@ tags: - apt +- name: Find one-line APT sources + ansible.builtin.find: + paths: /etc/apt + patterns: '*.list' + register: list_files + +- name: Disable one-line-formatted sources + command: "mv --verbose {{ item.path }} {{ item.path }}.bak" + environment: + LC_ALL: C + loop: "{{ list_files.files }}" + register: rename_cmd + changed_when: "'renamed' in rename_cmd.stdout" + tags: + - apt + - name: Apt update apt: update_cache: yes diff --git a/apt/tasks/config.yml b/apt/tasks/config.yml index 7befa375..62155623 100644 --- a/apt/tasks/config.yml +++ b/apt/tasks/config.yml @@ -12,9 +12,9 @@ - { line: "APT::Install-Recommends \"false\";", regexp: 'APT::Install-Recommends' } - { line: "APT::Install-Suggests \"false\";", regexp: 'APT::Install-Suggests' } - { line: "APT::Periodic::Enable \"0\";", regexp: 'APT::Periodic::Enable' } - when: apt_evolinux_config | bool tags: - apt + when: apt_evolinux_config | bool - name: DPkg invoke hooks lineinfile: 
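Review bot: In the `basics.deb822.yml` hunk, "Find one-line APT sources" carries no `tags`, while the "Disable one-line-formatted sources" loop that consumes `list_files.files` is tagged `apt`; a run limited with `--tags apt` skips the find and fails on the undefined `list_files`, so the find task needs `tags: - apt` too. The find is also non-recursive on `/etc/apt`, so `/etc/apt/sources.list.d/*.list` files are never renamed and stay active alongside the new deb822 files; add `recurse: yes` or list `/etc/apt/sources.list.d` in `paths`. Quoting the interpolated path, `cmd: mv --verbose "{{ item.path }}" "{{ item.path }}.bak"`, keeps the command's argument splitting correct for paths containing spaces.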
@@ -28,14 +28,14 @@ - "DPkg::Pre-Invoke { \"df /usr | grep -q /usr && mount -oremount,rw /usr || true\"; };" - "DPkg::Post-Invoke { \"df /tmp | grep -q /tmp && mount -oremount /tmp || true\"; };" - "DPkg::Post-Invoke { \"df /usr | grep -q /usr && mount -oremount /usr || true\"; };" - when: apt_hooks | bool tags: - apt + when: apt_hooks | bool - name: Remove Aptitude apt: name: aptitude state: absent - when: apt_remove_aptitude | bool tags: - apt + when: apt_remove_aptitude | bool diff --git a/apt/tasks/main.yml b/apt/tasks/main.yml index 3459b1b5..b72acb63 100644 --- a/apt/tasks/main.yml +++ b/apt/tasks/main.yml @@ -3,7 +3,7 @@ - name: "Compatibility check" assert: that: - - ansible_distribution = "Debian" + - ansible_distribution == "Debian" - ansible_distribution_major_version is version('8', '>=') msg: Only compatible with Debian >= 8 tags: @@ -17,7 +17,7 @@ - apt when: ansible_distribution_major_version is version('10', '<') -- name: "certificates are installed to https repositories" +- name: "certificates are installed for https repositories" apt: name: - ca-certificates @@ -25,13 +25,13 @@ - apt - name: Custom configuration - include: config.yml + import_tasks: config.yml when: apt_config | bool tags: - apt - name: Install basics repositories (Debian <12) - include: basics.debian-lt-12.yml + import_tasks: basics.oneline.yml tags: - apt when: @@ -39,7 +39,7 @@ - ansible_distribution_major_version is version('12', '<') - name: Install basics repositories (Debian >=12) - include: basics.debian-ge-12.yml + import_tasks: basics.deb822.yml tags: - apt when: @@ -48,7 +48,7 @@ - name: Install backports repositories (Debian <12) - include: backports.debian-lt-12.yml + import_tasks: backports.oneline.yml tags: - apt when: @@ -56,7 +56,7 @@ - ansible_distribution_major_version is version('12', '<') - name: Install backports repositories (Debian >=12) - include: backports.debian-ge-12.yml + import_tasks: backports.deb822.yml tags: - apt when: 
@@ -65,7 +65,7 @@ - name: Install Evolix Public repositories (Debian <12) - include: evolix_public.debian-lt-12.yml + import_tasks: evolix_public.oneline.yml tags: - apt when: @@ -73,7 +73,7 @@ - ansible_distribution_major_version is version('12', '<') - name: Install Evolix Public repositories (Debian >=12) - include: evolix_public.debian-ge-12.yml + import_tasks: evolix_public.deb822.yml tags: - apt when: @@ -97,7 +97,7 @@ - name: Install check for packages marked hold - include: hold_packages.yml + import_tasks: hold_packages.yml when: apt_install_hold_packages | bool tags: - apt diff --git a/apt/templates/bookworm_backports.sources.j2 b/apt/templates/bookworm_backports.sources.j2 index 20a505a3..5b1b99d1 100644 --- a/apt/templates/bookworm_backports.sources.j2 +++ b/apt/templates/bookworm_backports.sources.j2 @@ -1,7 +1,7 @@ # {{ ansible_managed }} Types: deb -URIs: https://mirror.evolix.org/debian +URIs: http://mirror.evolix.org/debian Suites: bullseye-backports Components: {{ apt_backports_components | mandatory }} Enabled: yes diff --git a/apt/templates/bookworm_basics.sources.j2 b/apt/templates/bookworm_basics.sources.j2 index fbc3034a..247d7ec3 100644 --- a/apt/templates/bookworm_basics.sources.j2 +++ b/apt/templates/bookworm_basics.sources.j2 @@ -1,9 +1,7 @@ # {{ ansible_managed }} Types: deb -URIs: https://mirror.evolix.org/debian +URIs: http://mirror.evolix.org/debian Suites: bookworm bookworm-updates Components: {{ apt_basics_components | mandatory }} -Enabled: yes - -deb http://security.debian.org/debian-security bookworm-security {{ apt_basics_components | mandatory }} +Enabled: yes \ No newline at end of file diff --git a/apt/templates/evolix_public.sources.j2 b/apt/templates/evolix_public.sources.j2 new file mode 100644 index 00000000..defd1282 --- /dev/null +++ b/apt/templates/evolix_public.sources.j2 
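Review bot: Switching `URIs` from `https://` to `http://mirror.evolix.org/debian` in `bookworm_backports.sources.j2` and, in the following hunk, `bookworm_basics.sources.j2` drops transport encryption; apt's Release signature check still protects package integrity, but the package names and versions a host fetches become visible on the path and a downgrade-by-withholding is easier to mount. If the mirror does serve TLS, keeping `https://` is the safer default; if it does not, a one-line comment in the template stating why would stop the next maintainer from "fixing" it back.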
@@ -0,0 +1,8 @@ +# {{ ansible_managed }} + +Types:deb +URIs: http://pub.evolix.org/evolix +Suites: {{ ansible_distribution_release }} +Components: main +Signed-by: {{ apt_keyring_dir }}/pub_evolix.asc +Enabled: yes -- 2.39.2 From 512b06a51300c2a193f8c5cc9cde0aee71f837e3 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 17 Mar 2023 22:32:31 +0100 Subject: [PATCH 408/497] bookworm-detect: detect also from description --- bookworm-detect/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bookworm-detect/tasks/main.yml b/bookworm-detect/tasks/main.yml index 47dfd623..be11177e 100644 --- a/bookworm-detect/tasks/main.yml +++ b/bookworm-detect/tasks/main.yml @@ -8,4 +8,4 @@ ansible_distribution_major_version: 12 ansible_distribution: "Debian" ansible_distribution_release: "bookworm" - when: "ansible_lsb.codename == 'bookworm'" \ No newline at end of file + when: "'bookworm' in ansible_lsb.codename or 'bookworm' in ansible_lsb.description" \ No newline at end of file -- 2.39.2 From 6f61a0744c82e587248cb4d391217f2b98660906 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 18 Mar 2023 15:38:05 +0100 Subject: [PATCH 409/497] apt: with Debian, 12 backports are installed but disabled by default --- CHANGELOG.md | 2 ++ apt/defaults/main.yml | 2 ++ apt/files/bookworm_backports_preferences | 3 +++ apt/tasks/backports.deb822.yml | 9 +-------- apt/tasks/main.yml | 4 ++-- apt/templates/bookworm_backports.sources.j2 | 2 +- 6 files changed, 11 insertions(+), 11 deletions(-) create mode 100644 apt/files/bookworm_backports_preferences diff --git a/CHANGELOG.md b/CHANGELOG.md index edb6c431..fafbe518 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* apt: with Debian 12, backports are installed but disabled by default + ### Fixed ### Removed diff --git a/apt/defaults/main.yml b/apt/defaults/main.yml index 681f1d14..3720d893 100644 
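Review bot: `Types:deb` in `evolix_public.sources.j2` lacks the space after the colon that every other field uses; apt's deb822 parser accepts it, but `Types: deb` keeps the file consistent. The `Signed-by:` line correctly scopes the Evolix key to this source, which is the right way to avoid the global trusted keyring. In the `bookworm-detect` hunk, `'bookworm' in ansible_lsb.description` presumably also matches descriptions such as "bookworm/sid" on testing images, and both operands are empty when `lsb-release` is not installed; if that matters, `ansible_distribution_release` or `/etc/os-release` would be a sturdier signal.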
--- a/apt/defaults/main.yml +++ b/apt/defaults/main.yml @@ -8,6 +8,8 @@ apt_upgrade: False apt_install_basics: True apt_basics_components: "main" +# With Debian 12+ and the deb822 format of source files +# backports are always installed but enabled according to `apt_install_backports` apt_install_backports: False apt_backports_components: "main" diff --git a/apt/files/bookworm_backports_preferences b/apt/files/bookworm_backports_preferences new file mode 100644 index 00000000..eaf76d52 --- /dev/null +++ b/apt/files/bookworm_backports_preferences @@ -0,0 +1,3 @@ +Package: * +Pin: release a=bookworm-backports +Pin-Priority: 50 diff --git a/apt/tasks/backports.deb822.yml b/apt/tasks/backports.deb822.yml index 8e196cc0..633b9266 100644 --- a/apt/tasks/backports.deb822.yml +++ b/apt/tasks/backports.deb822.yml @@ -1,13 +1,6 @@ --- -- name: No backports config in default sources.list - lineinfile: - dest: /etc/apt/sources.list.d/ - regexp: "backports" - state: absent - tags: - - apt -- name: Backports sources list is installed +- name: Backports deb822 sources list is installed template: src: '{{ ansible_distribution_release }}_backports.sources.j2' dest: /etc/apt/sources.list.d/backports.sources diff --git a/apt/tasks/main.yml b/apt/tasks/main.yml index b72acb63..104756d2 100644 --- a/apt/tasks/main.yml +++ b/apt/tasks/main.yml @@ -46,7 +46,6 @@ - apt_install_basics | bool - ansible_distribution_major_version is version('12', '>=') - - name: Install backports repositories (Debian <12) import_tasks: backports.oneline.yml tags: @@ -55,12 +54,13 @@ - apt_install_backports | bool - ansible_distribution_major_version is version('12', '<') +# With Debian 12+ and the deb822 format of source files +# backports are always installed but enabled according to `apt_install_backports` - name: Install backports repositories (Debian >=12) import_tasks: backports.deb822.yml tags: - apt when: - - apt_install_backports | bool - ansible_distribution_major_version is version('12', '>=') 
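Review bot: `bookworm_backports_preferences` pins `Pin: release a=bookworm-backports`, but the template it is meant to tame still lists `Suites: bullseye-backports` (visible as context in the next hunk), so the priority-50 pin never matches the suite actually configured and the pinned-by-default intent described in the CHANGELOG and `defaults/main.yml` does not hold. Correcting the template suite to `bookworm-backports` makes the pin effective; adding `Pin: release a=bookworm-backports,n=bookworm-backports` would not help until then.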
diff --git a/apt/templates/bookworm_backports.sources.j2 b/apt/templates/bookworm_backports.sources.j2 index 5b1b99d1..31ac2f3b 100644 --- a/apt/templates/bookworm_backports.sources.j2 +++ b/apt/templates/bookworm_backports.sources.j2 @@ -4,4 +4,4 @@ Types: deb URIs: http://mirror.evolix.org/debian Suites: bullseye-backports Components: {{ apt_backports_components | mandatory }} -Enabled: yes +Enabled: {{ apt_install_backports | bool | ternary('yes', 'no') }} -- 2.39.2 From 8f25dfe041af6fe8a7d0cdcbc37a809791aec93b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 18 Mar 2023 18:35:54 +0100 Subject: [PATCH 410/497] evolinux-base: syntax --- evolinux-base/tasks/default_www.yml | 16 ++++--- evolinux-base/tasks/dump-server-state.yml | 4 +- evolinux-base/tasks/etc-evolinux.yml | 2 +- evolinux-base/tasks/fstab.yml | 39 ++++++++-------- evolinux-base/tasks/hostname.yml | 22 ++++----- evolinux-base/tasks/kernel.yml | 18 ++++---- evolinux-base/tasks/log2mail.yml | 8 ++-- evolinux-base/tasks/logs.yml | 19 ++++---- evolinux-base/tasks/main.yml | 38 ++++++++-------- evolinux-base/tasks/motd.yml | 2 +- evolinux-base/tasks/packages.yml | 30 ++++++------- evolinux-base/tasks/postfix.yml | 32 ++++++------- evolinux-base/tasks/provider_online.yml | 6 +-- evolinux-base/tasks/provider_orange_fce.yml | 6 +-- evolinux-base/tasks/provider_vmware.yml | 5 ++- evolinux-base/tasks/root.yml | 34 +++++++------- evolinux-base/tasks/system.yml | 50 ++++++++++----------- evolinux-base/tasks/utils.yml | 19 +++----- 18 files changed, 175 insertions(+), 175 deletions(-) diff --git a/evolinux-base/tasks/default_www.yml b/evolinux-base/tasks/default_www.yml index 84580b54..2d94fe2b 100644 --- a/evolinux-base/tasks/default_www.yml +++ b/evolinux-base/tasks/default_www.yml 
@@ -1,13 +1,13 @@ --- - name: /var/www is present - file: + ansible.builtin.file: path: /var/www state: directory mode: "0755" when: evolinux_default_www_files | bool - name: images are copied - copy: + ansible.builtin.copy: src: default_www/img dest: /var/www/ mode: "0644" @@ -16,7 +16,7 @@ when: evolinux_default_www_files | bool - name: index is copied - template: + ansible.builtin.template: src: default_www/index.html.j2 dest: /var/www/index.html mode: "0644" @@ -28,21 +28,23 @@ - name: Default certificate is present block: - name: Create private key and csr for default site ({{ ansible_fqdn }}) - command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "/CN={{ ansible_fqdn }}" + ansible.builtin.command: + cmd: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "/CN={{ ansible_fqdn }}" args: creates: "/etc/ssl/private/{{ ansible_fqdn }}.key" - name: Adjust rights on private key - file: + ansible.builtin.file: path: /etc/ssl/private/{{ ansible_fqdn }}.key owner: root group: ssl-cert mode: "0640" - name: Create certificate for default site - command: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ ansible_fqdn }}.csr -signkey /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/certs/{{ ansible_fqdn }}.crt + ansible.builtin.command: + cmd: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ ansible_fqdn }}.csr -signkey /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/certs/{{ ansible_fqdn }}.crt args: creates: "/etc/ssl/certs/{{ ansible_fqdn }}.crt" when: evolinux_default_www_ssl_cert | bool -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers diff --git a/evolinux-base/tasks/dump-server-state.yml b/evolinux-base/tasks/dump-server-state.yml index 7d4a55cd..33822377 100644 --- a/evolinux-base/tasks/dump-server-state.yml 
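Review bot: In "Create private key and csr", `openssl req -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key` writes the unencrypted key with whatever umask the play runs under, and only the next task tightens it to `0640`; with a 022 umask the key is group- and world-readable until then, and stays so if the play is interrupted in between (Debian's `/etc/ssl/private` directory permissions presumably limit who can traverse to it, which narrows but does not remove the window). Creating it restrictive from the start, e.g. `ansible.builtin.shell: umask 077 && openssl req ...` with the same `creates:` guard, or a crypto module that accepts `mode`, closes the gap. The `cmd:`/`args: creates:` split is fine but mixing both forms in one task is worth normalising to a single style.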
+++ b/evolinux-base/tasks/dump-server-state.yml @@ -1,5 +1,5 @@ - name: dump-server-state script is present - copy: + ansible.builtin.copy: src: "dump-server-state.sh" dest: /usr/local/sbin/dump-server-state force: True @@ -8,7 +8,7 @@ mode: "0750" - name: symlink backup-server-state to dump-server-state - file: + ansible.builtin.file: src: /usr/local/sbin/dump-server-state dest: /usr/local/sbin/backup-server-state state: link diff --git a/evolinux-base/tasks/etc-evolinux.yml b/evolinux-base/tasks/etc-evolinux.yml index 56b0a976..e8ceb996 100644 --- a/evolinux-base/tasks/etc-evolinux.yml +++ b/evolinux-base/tasks/etc-evolinux.yml @@ -2,7 +2,7 @@ ### This is taken care of by the evolinux-todo role # - name: /etc/evolinux exists -# file: +# ansible.builtin.file: # dest: /etc/evolinux # owner: root # group: root diff --git a/evolinux-base/tasks/fstab.yml b/evolinux-base/tasks/fstab.yml index a3933844..a99ba692 100644 --- a/evolinux-base/tasks/fstab.yml +++ b/evolinux-base/tasks/fstab.yml 
@@ -4,69 +4,70 @@ # TODO: try to use the custom mount_uuid module for a different approach - name: Fetch fstab content - command: "grep -v '^#' /etc/fstab" + ansible.builtin.command: + cmd: "grep -v '^#' /etc/fstab" check_mode: no register: fstab_content failed_when: False changed_when: False - name: /home partition is customized - replace: + ansible.builtin.replace: dest: /etc/fstab regexp: '([^#]\s+/home\s+\S+\s+)([a-z,]+)(\s+)' replace: '\1{{ evolinux_fstab_home_options | mandatory }}\3' notify: remount /home when: - - fstab_content.stdout | regex_search('\s/home\s') - - evolinux_fstab_home | bool + - fstab_content.stdout | regex_search('\s/home\s') + - evolinux_fstab_home | bool - name: /tmp partition is customized - replace: + ansible.builtin.replace: dest: /etc/fstab regexp: '([^#]\s+/tmp\s+\S+\s+)([a-z,]+)(\s+)' replace: '\1{{ evolinux_fstab_tmp_options | mandatory }}\3' when: - - fstab_content.stdout | regex_search('\s/tmp\s') - - evolinux_fstab_tmp | bool + - fstab_content.stdout | regex_search('\s/tmp\s') + - evolinux_fstab_tmp | bool - name: /usr partition is customized - replace: + ansible.builtin.replace: dest: /etc/fstab regexp: '([^#]\s+/usr\s+\S+\s+)([a-z,]+)(\s+)' replace: '\1{{ evolinux_fstab_usr_options | mandatory }}\3' when: - - fstab_content.stdout | regex_search('\s/usr\s') - - evolinux_fstab_usr | bool + - fstab_content.stdout | regex_search('\s/usr\s') + - evolinux_fstab_usr | bool - name: /var partition is customized - replace: + ansible.builtin.replace: dest: /etc/fstab regexp: '([^#]\s+/var\s+\S+\s+)([a-z,]+)(\s+)' replace: '\1{{ evolinux_fstab_var_options | mandatory }}\3' notify: remount /var when: - - fstab_content.stdout | regex_search('\s/var\s') - - evolinux_fstab_var | bool + - fstab_content.stdout | regex_search('\s/var\s') + - evolinux_fstab_var | bool - name: /var/tmp is created - mount: + ansible.posix.mount: src: tmpfs name: /var/tmp fstype: tmpfs opts: "{{ evolinux_fstab_var_tmp_options | mandatory }}" state: mounted when: - 
- evolinux_fstab_var_tmp | bool + - evolinux_fstab_var_tmp | bool - name: /dev/shm is created (Debian 10 and later) - mount: + ansible.posix.mount: src: tmpfs name: /dev/shm fstype: tmpfs opts: "{{ evolinux_fstab_dev_shm_options | mandatory }}" state: mounted when: - - evolinux_fstab_dev_shm | bool - - ansible_distribution_major_version is version('10', '>=') + - evolinux_fstab_dev_shm | bool + - ansible_distribution_major_version is version('10', '>=') -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers diff --git a/evolinux-base/tasks/hostname.yml b/evolinux-base/tasks/hostname.yml index ec3f99d1..b283a51e 100644 --- a/evolinux-base/tasks/hostname.yml +++ b/evolinux-base/tasks/hostname.yml @@ -1,29 +1,29 @@ --- - name: dbus is installed - apt: + ansible.builtin.apt: name: dbus state: present - name: dbus is enabled and started - service: + ansible.builtin.systemd: name: dbus state: started enabled: true - name: Set hostname "{{ evolinux_hostname }}" - hostname: + ansible.builtin.hostname: name: "{{ evolinux_hostname }}" when: evolinux_hostname_hosts | bool - name: Set right localhost line in /etc/hosts - replace: + ansible.builtin.replace: dest: /etc/hosts regexp: '^127.0.0.1(\s+)localhost.*$' replace: '127.0.0.1\1localhost.localdomain localhost' when: evolinux_hostname_hosts | bool - name: Set ip+fqdn+hostname in /etc/hosts - lineinfile: + ansible.builtin.lineinfile: dest: /etc/hosts regexp: '^{{ ansible_default_ipv4.address }}\s+' line: "{{ ansible_default_ipv4.address }} {{ [evolinux_fqdn, evolinux_internal_fqdn] | unique | join(' ') }} {{ [evolinux_hostname, evolinux_internal_hostname] | unique | join(' ') }}" 
@@ -31,14 +31,14 @@ when: evolinux_hostname_hosts | bool - name: 127.0.1.1 is removed - lineinfile: + ansible.builtin.lineinfile: dest: /etc/hosts regexp: '^127.0.1.1\s+' state: absent when: evolinux_hostname_hosts | bool - name: /etc/mailname is up-to-date - copy: + ansible.builtin.copy: dest: /etc/mailname content: "{{ evolinux_fqdn }}\n" force: yes @@ -47,18 +47,18 @@ # Override facts - name: Override ansible_hostname fact - set_fact: + ansible.builtin.set_fact: ansible_hostname: "{{ evolinux_hostname }}" when: ansible_hostname != evolinux_hostname - name: Override ansible_domain fact - set_fact: + ansible.builtin.set_fact: ansible_domain: "{{ evolinux_domain }}" when: ansible_domain != evolinux_domain - name: Override ansible_fqdn fact - set_fact: + ansible.builtin.set_fact: ansible_fqdn: "{{ evolinux_fqdn }}" when: ansible_fqdn != evolinux_fqdn -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers diff --git a/evolinux-base/tasks/kernel.yml b/evolinux-base/tasks/kernel.yml index 62569b08..da3abf57 100644 --- a/evolinux-base/tasks/kernel.yml +++ b/evolinux-base/tasks/kernel.yml @@ -1,7 +1,7 @@ --- - name: "Use Cloud kernel on virtual servers" - apt: + ansible.builtin.apt: name: "linux-image-cloud-amd64" state: present when: @@ -10,7 +10,7 @@ - evolinux_kernel_cloud_auto | bool - name: "Remove non-Cloud kernel on virtual servers" - apt: + ansible.builtin.apt: name: "linux-image-amd64" state: absent when: @@ -19,7 +19,7 @@ - evolinux_kernel_cloud_auto | bool - name: Reboot after panic - sysctl: + ansible.posix.sysctl: name: "{{ item.name }}" value: "{{ item.value }}" sysctl_file: "{{ evolinux_kernel_sysctl_path }}" @@ -31,7 +31,7 @@ when: evolinux_kernel_reboot_after_panic | bool - name: Don't reboot after panic - sysctl: + ansible.posix.sysctl: name: "{{ item }}" sysctl_file: "{{ evolinux_kernel_sysctl_path }}" state: absent 
@@ -42,7 +42,7 @@ when: not evolinux_kernel_reboot_after_panic | bool - name: Disable net.ipv4.tcp_timestamps - sysctl: + ansible.posix.sysctl: name: net.ipv4.tcp_timestamps value: '0' sysctl_file: "{{ evolinux_kernel_sysctl_path }}" @@ -51,7 +51,7 @@ when: evolinux_kernel_disable_tcp_timestamps | bool - name: Customize the swappiness - sysctl: + ansible.posix.sysctl: name: vm.swappiness value: "{{ evolinux_kernel_swappiness }}" sysctl_file: "{{ evolinux_kernel_sysctl_path }}" @@ -60,7 +60,7 @@ when: evolinux_kernel_customize_swappiness | bool - name: Patch for TCP stack vulnerability CVE-2016-5696 - sysctl: + ansible.posix.sysctl: name: net.ipv4.tcp_challenge_ack_limit value: "1073741823" sysctl_file: "{{ evolinux_kernel_sysctl_path }}" @@ -69,7 +69,7 @@ when: evolinux_kernel_cve20165696 | bool - name: Patch for TCP stack vulnerability CVE-2018-5391 (FragmentSmack) - sysctl: + ansible.posix.sysctl: name: "{{ item.name }}" value: "{{ item.value }}" sysctl_file: "{{ evolinux_kernel_sysctl_path }}" @@ -81,4 +81,4 @@ - { name: "net.ipv4.ipfrag_high_thresh", value: "262144" } - { name: "net.ipv6.ip6frag_high_thresh", value: "262144" } -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers diff --git a/evolinux-base/tasks/log2mail.yml b/evolinux-base/tasks/log2mail.yml index 35ce19cf..9a1f3314 100644 --- a/evolinux-base/tasks/log2mail.yml +++ b/evolinux-base/tasks/log2mail.yml @@ -1,24 +1,24 @@ --- - name: Deploy log2mail systemd unit - copy: + ansible.builtin.copy: src: log2mail.service dest: /etc/systemd/system/log2mail.service mode: "0644" - name: Remove log2mail sysvinit service - file: + ansible.builtin.file: path: /etc/init.d/log2mail state: absent - name: Enable and start log2mail service - systemd: + ansible.builtin.systemd: name: log2mail daemon-reload: yes state: started enabled: yes - name: log2mail config is present - blockinfile: + ansible.builtin.blockinfile: dest: /etc/log2mail/config/default owner: log2mail group: adm 
diff --git a/evolinux-base/tasks/logs.yml b/evolinux-base/tasks/logs.yml index 8298486e..a6dd97ad 100644 --- a/evolinux-base/tasks/logs.yml +++ b/evolinux-base/tasks/logs.yml @@ -3,7 +3,7 @@ # TODO: voir comment faire des backups initiaux des fichiers - name: Copy rsyslog.conf - copy: + ansible.builtin.copy: src: logs/rsyslog.conf dest: /etc/rsyslog.conf mode: "0644" @@ -11,7 +11,8 @@ when: evolinux_logs_rsyslog_conf | bool - name: Disable logrotate default conf - command: mv /etc/logrotate.d/rsyslog /etc/logrotate.d/rsyslog.disabled + ansible.builtin.command: + cmd: mv /etc/logrotate.d/rsyslog /etc/logrotate.d/rsyslog.disabled args: removes: /etc/logrotate.d/rsyslog creates: /etc/logrotate.d/rsyslog.disabled @@ -19,33 +20,33 @@ when: evolinux_logs_disable_logrotate_rsyslog | bool - name: Copy many logrotate files - copy: + ansible.builtin.copy: src: logs/logrotate.d/ dest: /etc/logrotate.d/ when: evolinux_logs_logrotate_confs | bool - name: Copy rsyslog logrotate file - template: + ansible.builtin.template: src: logs/zsyslog.j2 dest: /etc/logrotate.d/zsyslog when: evolinux_logs_logrotate_confs | bool - name: Configure logrotate.conf default rotate value - replace: + ansible.builtin.replace: dest: /etc/logrotate.conf regexp: "rotate [0-9]+" replace: "rotate 12" when: evolinux_logs_default_rotate | bool - name: Enable logrotate.conf dateext option - lineinfile: + ansible.builtin.lineinfile: dest: /etc/logrotate.conf line: "dateext" regexp: "^#?\\s*dateext" when: evolinux_logs_default_dateext | bool - name: Enable logrotate.conf dateformat option - lineinfile: + ansible.builtin.lineinfile: dest: /etc/logrotate.conf line: "dateformat {{ evolinux_logrotate_dateformat | mandatory }}" regexp: "^#?\\s*dateformat.*" 
@@ -53,11 +54,11 @@ when: evolinux_logs_default_dateext | bool - name: Disable logrotate.conf dateyesterday option - lineinfile: + ansible.builtin.lineinfile: dest: /etc/logrotate.conf line: "# dateyesterday" regexp: "^\\s*dateyesterday" insertafter: 'dateext' when: evolinux_logs_default_dateext | bool -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml index ecbfe069..29a77524 100644 --- a/evolinux-base/tasks/main.yml +++ b/evolinux-base/tasks/main.yml @@ -14,7 +14,7 @@ apt_install_basics: "{{ evolinux_apt_replace_default_sources }}" apt_install_evolix_public: "{{ evolinux_apt_public_sources }}" apt_upgrade: "{{ evolinux_apt_upgrade }}" - apt_basics_components: "{{ 'main contrib non-free' if ansible_virtualization_role == 'host' else 'main' }}" + apt_basics_components: "{{ ansible_virtualization_role == 'host' | ternary('main contrib non-free', 'main') }}" when: evolinux_apt_include | bool - name: /etc versioning with Git @@ -23,27 +23,27 @@ when: evolinux_etcgit_include | bool - name: /etc/evolinux base - include: etc-evolinux.yml + import_tasks: etc-evolinux.yml when: evolinux_etcevolinux_include | bool - name: Hostname - include: hostname.yml + import_tasks: hostname.yml when: evolinux_hostname_include | bool - name: Kernel tuning - include: kernel.yml + import_tasks: kernel.yml when: evolinux_kernel_include | bool - name: Fstab configuration - include: fstab.yml + import_tasks: fstab.yml when: evolinux_fstab_include | bool - name: Packages - include: packages.yml + import_tasks: packages.yml when: evolinux_packages_include | bool - name: System settings - include: system.yml + import_tasks: system.yml when: evolinux_system_include | bool - name: Minifirewall 
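Review bot: The rewritten `apt_basics_components` value in the `@@ -14,7 +14,7 @@` hunk of evolinux-base/tasks/main.yml no longer yields a component string: in Jinja2 a filter binds tighter than `==`, so `ansible_virtualization_role == 'host' | ternary('main contrib non-free', 'main')` is parsed as `ansible_virtualization_role == ('host' | ternary(...))`, i.e. a comparison against the literal `'main contrib non-free'`, which is `False` on every host. The `if/else` form that is removed was correct; if the ternary style is wanted the comparison needs parentheses: `apt_basics_components: "{{ (ansible_virtualization_role == 'host') | ternary('main contrib non-free', 'main') }}"`. Since this variable is handed to the apt role as the component list for the basic sources, the practical effect is a boolean where a string is expected. The enclosing task (the apt role include) starts before this hunk, so the variable's consumer is not visible here.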
@@ -67,41 +67,43 @@ # when: evolinux_users_include - name: Root user configuration - include: root.yml + import_tasks: root.yml when: evolinux_root_include | bool - name: Postfix - include: postfix.yml + import_tasks: postfix.yml when: evolinux_postfix_include | bool - name: Logs management - include: logs.yml + import_tasks: logs.yml when: evolinux_logs_include | bool - name: Default index page - include: default_www.yml + import_tasks: default_www.yml when: evolinux_default_www_include | bool - name: Hardware drivers and tools - include: hardware.yml - when: evolinux_hardware_include | bool + import_tasks: hardware.yml + when: + - evolinux_hardware_include | bool + - ansible_virtualization_role == "host" - name: Customize for Online.net - include: provider_online.yml + import_tasks: provider_online.yml when: evolinux_provider_online_include | bool - name: Customize for Orange FCE - include: provider_orange_fce.yml + import_tasks: provider_orange_fce.yml when: evolinux_provider_orange_fce_include | bool - name: Override Log2mail service - include: log2mail.yml + import_tasks: log2mail.yml when: evolinux_log2mail_include | bool -- include: motd.yml +- import_tasks: motd.yml when: evolinux_motd_include | bool -- include: utils.yml +- import_tasks: utils.yml when: evolinux_utils_include | bool - name: Munin diff --git a/evolinux-base/tasks/motd.yml b/evolinux-base/tasks/motd.yml index 70079463..0d0b7157 100644 --- a/evolinux-base/tasks/motd.yml +++ b/evolinux-base/tasks/motd.yml @@ -1,6 +1,6 @@ --- - name: Deploy custom motd - template: + ansible.builtin.template: src: "{{ item }}" dest: /etc/motd force: True diff --git a/evolinux-base/tasks/packages.yml b/evolinux-base/tasks/packages.yml index 4c2249e3..f8af347a 100644 --- a/evolinux-base/tasks/packages.yml +++ b/evolinux-base/tasks/packages.yml @@ -1,7 +1,7 @@ --- - name: Install/Update system tools - apt: + ansible.builtin.apt: name: - locales - sudo 
@@ -20,7 +20,7 @@ when: evolinux_packages_system | bool - name: Install/Update diagnostic tools - apt: + ansible.builtin.apt: name: - strace - htop @@ -39,7 +39,7 @@ when: evolinux_packages_diagnostic | bool - name: Install/Update hardware tools - apt: + ansible.builtin.apt: name: - hdparm - smartmontools @@ -47,7 +47,7 @@ when: ansible_virtualization_role == "host" - name: Install/Update common tools - apt: + ansible.builtin.apt: name: - vim - screen @@ -62,21 +62,21 @@ when: evolinux_packages_common | bool - name: Be sure that openntpd package is absent/purged - apt: + ansible.builtin.apt: name: openntpd state: absent purge: True when: evolinux_packages_purge_openntpd | bool - name: the chrony package is absent - apt: + ansible.builtin.apt: name: chrony purge: True state: absent when: evolinux_packages_purge_chrony | bool - name: Be sure locate/mlocate is absent/purged - apt: + ansible.builtin.apt: name: - locate - mlocate @@ -85,20 +85,20 @@ when: evolinux_packages_purge_locate | bool - name: Install/Update serveur-base meta-package - apt: + ansible.builtin.apt: name: serveur-base allow_unauthenticated: yes when: evolinux_packages_serveur_base | bool - name: Install/Update packages for Stretch and later - apt: + ansible.builtin.apt: name: net-tools when: - evolinux_packages_stretch | bool - ansible_distribution_major_version is version('9', '>=') - name: Install/Update packages for Buster and later - apt: + ansible.builtin.apt: name: - spectre-meltdown-checker - binutils @@ -107,14 +107,14 @@ - ansible_distribution_major_version is version('10', '>=') - name: Customize logcheck recipient - lineinfile: + ansible.builtin.lineinfile: dest: /etc/logcheck/logcheck.conf regexp: '^SENDMAILTO=".*"$' line: 'SENDMAILTO="{{ logcheck_alert_email or general_alert_email | mandatory }}"' when: evolinux_packages_logcheck_recipient | bool - name: Deleting rpcbind and nfs-common - apt: + ansible.builtin.apt: name: - rpcbind - nfs-common 
@@ -125,7 +125,7 @@ # TODO: use ini_file when Ansible > 2.1 (no_extra_spaces: yes) - name: Configure Listchanges on Jessie - lineinfile: + ansible.builtin.lineinfile: dest: /etc/apt/listchanges.conf regexp: '^{{ item.option }}\s*=' line: "{{ item.option }}={{ item.value }}" @@ -138,7 +138,7 @@ - ansible_distribution_release == "jessie" - name: apt-listchanges is absent on Stretch and later - apt: + ansible.builtin.apt: name: apt-listchanges state: absent when: @@ -146,4 +146,4 @@ - ansible_distribution_major_version is version('9', '>=') - evolinux_packages_delete_aptlistchanges -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers diff --git a/evolinux-base/tasks/postfix.yml b/evolinux-base/tasks/postfix.yml index 6a46548b..1c5d986c 100644 --- a/evolinux-base/tasks/postfix.yml +++ b/evolinux-base/tasks/postfix.yml @@ -1,18 +1,18 @@ --- - name: Postfix packages are installed - apt: + ansible.builtin.apt: name: - postfix - mailgraph state: present - when: evolinux_postfix_packages | bool tags: - packages - postfix + when: evolinux_postfix_packages | bool - name: configure postfix myhostname - lineinfile: + ansible.builtin.lineinfile: dest: /etc/postfix/main.cf state: present line: "myhostname = {{ evolinux_fqdn }}" @@ -22,7 +22,7 @@ - postfix - name: configure postfix mynetworks - lineinfile: + ansible.builtin.lineinfile: dest: /etc/postfix/main.cf state: present line: "mydestination = {{ [evolinux_fqdn, evolinux_internal_fqdn] | unique | join(' ') }} localhost.localdomain localhost" @@ -32,8 +32,8 @@ - postfix - name: fetch users list - shell: "set -o pipefail && getent passwd | cut -d':' -f 1 | grep -v root" - args: + ansible.builtin.shell: + cmd: "set -o pipefail && getent passwd | cut -d':' -f 1 | grep -v root" executable: /bin/bash check_mode: no register: non_root_users_list 
@@ -42,18 +42,18 @@ - postfix - name: each user is aliased to root - lineinfile: + ansible.builtin.lineinfile: dest: /etc/aliases regexp: "^{{ item }}:.*" line: "{{ item }}: root" loop: "{{ non_root_users_list.stdout_lines }}" notify: newaliases - when: evolinux_postfix_users_alias_root | bool tags: - postfix + when: evolinux_postfix_users_alias_root | bool - name: additional users address aliased to root - lineinfile: + ansible.builtin.lineinfile: dest: /etc/aliases regexp: "^{{ item }}:.*" line: "{{ item }}: root" @@ -65,24 +65,24 @@ - error - bounce notify: newaliases - when: evolinux_postfix_mailer_alias_root | bool tags: - postfix + when: evolinux_postfix_mailer_alias_root | bool - name: root alias is configured - lineinfile: + ansible.builtin.lineinfile: dest: /etc/aliases regexp: "^root:" line: "root: {{ postfix_alias_email or general_alert_email | mandatory }}" notify: newaliases - when: evolinux_postfix_root_alias | bool tags: - postfix + when: evolinux_postfix_root_alias | bool -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers - name: exim4 is absent - apt: + ansible.builtin.apt: name: - exim4 - exim4-base @@ -90,9 +90,9 @@ - exim4-daemon-light purge: yes state: absent - when: evolinux_postfix_purge_exim | bool tags: - packages - postfix + when: evolinux_postfix_purge_exim | bool -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers diff --git a/evolinux-base/tasks/provider_online.yml b/evolinux-base/tasks/provider_online.yml index 8174d15c..5696e504 100644 --- a/evolinux-base/tasks/provider_online.yml +++ b/evolinux-base/tasks/provider_online.yml @@ -1,8 +1,8 @@ -- debug: +- ansible.builtin.debug: msg: "Online DNS servers fails sometimes! Please change them in /etc/resolv.conf." - name: custom NTP server for Online servers - set_fact: + ansible.builtin.set_fact: nagios_nrpe_default_ntp_server: "ntp.online.net" -# - meta: flush_handlers +# - ansible.builtin.meta: flush_handlers 
diff --git a/evolinux-base/tasks/provider_orange_fce.yml b/evolinux-base/tasks/provider_orange_fce.yml index 4b9a26c7..c861ccd1 100644 --- a/evolinux-base/tasks/provider_orange_fce.yml +++ b/evolinux-base/tasks/provider_orange_fce.yml @@ -1,5 +1,5 @@ - name: Customize kernel for Orange FCE - sysctl: + ansible.posix.sysctl: name: "{{ item.name }}" value: "{{ item.value }}" sysctl_file: /etc/sysctl.d/evolinux_fce.conf @@ -10,7 +10,7 @@ - { name: net.ipv4.tcp_keepalive_intvl, value: 60 } - { name: net.ipv6.conf.all.disable_ipv6, value: 1 } -- debug: +- ansible.builtin.debug: msg: "Orange DNS servers suck! Please change them in /etc/resolv.conf." -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers diff --git a/evolinux-base/tasks/provider_vmware.yml b/evolinux-base/tasks/provider_vmware.yml index dbf93d0e..04daa219 100644 --- a/evolinux-base/tasks/provider_vmware.yml +++ b/evolinux-base/tasks/provider_vmware.yml @@ -1,6 +1,7 @@ --- - name: Check if the virtual machine on VMWare Host - shell: "dmidecode | grep -q 'VMware'" + ansible.builtin.shell: + cmd: "dmidecode | grep -q 'VMware'" check_mode: no register: vmware_provider failed_when: False @@ -9,7 +10,7 @@ - packages - name: OpenVM Tools are installed for vmware - apt: + ansible.builtin.apt: state: present name: open-vm-tools tags: diff --git a/evolinux-base/tasks/root.yml b/evolinux-base/tasks/root.yml index 3e3d6add..3b17faf7 100644 --- a/evolinux-base/tasks/root.yml +++ b/evolinux-base/tasks/root.yml @@ -1,14 +1,14 @@ --- - name: chmod 700 /root - file: + ansible.builtin.file: path: /root state: directory mode: "0700" when: evolinux_root_chmod | bool - name: "Customize root's bashrc..." - lineinfile: + ansible.builtin.lineinfile: dest: /root/.bashrc line: "{{ item }}" create: yes 
@@ -24,34 +24,35 @@ ## .bash_history should be append-only - name: Create .bash_history if missing - copy: + ansible.builtin.copy: content: "" dest: "/root/.bash_history" force: no when: evolinux_root_bash_history | bool - name: Set umask in /root/.profile - lineinfile: + ansible.builtin.lineinfile: dest: "/root/.profile" line: "umask 0077" regexp: "umask [0-9]+" when: evolinux_root_umask | bool - name: "/usr/share/scripts is present in root's PATH" - lineinfile: + ansible.builtin.lineinfile: dest: "/root/.profile" line: "PATH=\"${PATH}:/usr/share/scripts\"" when: ansible_distribution_major_version is version('10', '>=') - name: Custom git config for root - copy: + ansible.builtin.copy: src: root/gitconfig dest: "/root/.gitconfig" force: no when: evolinux_root_gitconfig | bool - name: Is .bash_history append-only - shell: lsattr /root/.bash_history | grep -E "^.*a.* " + ansible.builtin.shell: + cmd: lsattr /root/.bash_history | grep -E "^.*a.* " check_mode: no register: bash_history_append_only failed_when: "'Inappropriate ioctl' in bash_history_append_only.stderr" @@ -59,14 +60,15 @@ changed_when: False - name: Set .bash_history append-only - command: chattr +a /root/.bash_history + ansible.builtin.command: + cmd: chattr +a /root/.bash_history when: - - evolinux_root_bash_history_appendonly | bool - - bash_history_append_only.rc != 0 - - "'Inappropriate ioctl' not in bash_history_append_only.stderr" + - evolinux_root_bash_history_appendonly | bool + - bash_history_append_only.rc != 0 + - "'Inappropriate ioctl' not in bash_history_append_only.stderr" - name: Setting vim as selected-editor - lineinfile: + ansible.builtin.lineinfile: dest: /root/.selected_editor regexp: '^SELECTED_EDITOR=' line: "SELECTED_EDITOR=\"/usr/bin/vim.basic\"" @@ -74,7 +76,7 @@ when: evolinux_root_vim_default | bool - name: Setting vim root configuration - lineinfile: + ansible.builtin.lineinfile: dest: /root/.vimrc line: "{{ item }}" create: yes 
@@ -89,7 +91,7 @@ when: evolinux_root_vim_conf | bool - name: disable SSH access for root - replace: + ansible.builtin.replace: dest: /etc/ssh/sshd_config regexp: '^#?PermitRootLogin (yes|without-password|prohibit-password)' replace: "PermitRootLogin no" @@ -99,7 +101,7 @@ ### Disabled : it seems useless and too dangerous for now # - name: remove root from AllowUsers directive -# replace: +# ansible.builtin.replace: # dest: /etc/ssh/sshd_config # regexp: '^(AllowUsers ((?!root(?:@\S+)?).)*)(\sroot(?:@\S+)?|root(?:@\S+)?\s)(.*)$' # replace: '\1\4' @@ -107,4 +109,4 @@ # notify: reload sshd # when: evolinux_root_disable_ssh -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers diff --git a/evolinux-base/tasks/system.yml b/evolinux-base/tasks/system.yml index 5d71e827..c6965e09 100644 --- a/evolinux-base/tasks/system.yml +++ b/evolinux-base/tasks/system.yml @@ -1,14 +1,14 @@ --- - name: /tmp must be world-writable - file: + ansible.builtin.file: path: /tmp state: directory mode: "u=rwx,g=rwx,o=rwxt" when: evolinux_system_chmod_tmp | bool - name: Setting default locales - lineinfile: + ansible.builtin.lineinfile: dest: /etc/locale.gen line: "{{ item }}" create: yes @@ -21,11 +21,12 @@ when: evolinux_system_locales | bool - name: Reconfigure locales - command: /usr/sbin/locale-gen + ansible.builtin.command: + cmd: /usr/sbin/locale-gen when: evolinux_system_locales and default_locales is changed - name: Setting default timezone - timezone: + community.general.timezone: name: "{{ evolinux_system_timezone | mandatory }}" notify: restart cron when: evolinux_system_set_timezone | bool 
@@ -37,20 +38,20 @@ name: evolix/remount-usr - name: Ensure automagic vim conf is disabled - lineinfile: + ansible.builtin.lineinfile: dest: /etc/vim/vimrc regexp: 'let g:skip_defaults_vim =' line: 'let g:skip_defaults_vim = 1' when: evolinux_system_vim_skip_defaults | bool - name: Setting vim as default editor - alternatives: + community.general.alternatives: name: editor path: /usr/bin/vim.basic when: evolinux_system_vim_default_editor | bool - name: Add "umask 027" to /etc/profile.d/evolinux.sh - lineinfile: + ansible.builtin.lineinfile: dest: /etc/profile.d/evolinux.sh line: "umask 027" create: yes @@ -58,7 +59,7 @@ when: evolinux_system_profile | bool - name: Set /etc/adduser.conf DIR_MODE to 0700 - replace: + ansible.builtin.replace: dest: /etc/adduser.conf regexp: "^DIR_MODE=0755$" replace: "DIR_MODE=0700" @@ -67,7 +68,7 @@ # TODO: trouver comment ne pas faire ça sur Xen Dom-U - name: Deactivating login on all tty except tty2 - lineinfile: + ansible.builtin.lineinfile: dest: /etc/securetty line: "tty2" create: yes @@ -75,7 +76,7 @@ when: evolinux_system_restrict_securetty | bool - name: Setting TMOUT to disconnect inactive users - lineinfile: + ansible.builtin.lineinfile: dest: /etc/profile.d/evolinux.sh line: "export TMOUT={{ evolinux_system_timeout }}" regexp: "^export TMOUT=" @@ -86,8 +87,8 @@ #- name: Customizing /etc/fstab - name: Check if cron is installed - shell: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'" - args: + ansible.builtin.shell: + cmd: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'" executable: /bin/bash check_mode: no failed_when: False @@ -95,7 +96,7 @@ register: is_cron_installed - name: Set verbose logging for cron deamon - lineinfile: + ansible.builtin.lineinfile: dest: /etc/default/cron line: "EXTRA_OPTS='-L 15'" create: yes 
@@ -105,7 +106,7 @@ - evolinux_system_cron_verboselog | bool - name: Modify default umask for cron deamon - lineinfile: + ansible.builtin.lineinfile: dest: /etc/default/cron line: "umask 022" create: yes @@ -115,7 +116,7 @@ - evolinux_system_cron_umask | bool - name: Randomize periodic crontabs - replace: + ansible.builtin.replace: dest: /etc/crontab regexp: "{{ item.regexp }}" replace: "{{ item.replace }}" @@ -134,7 +135,7 @@ ## alert5 - name: Install alert5 init script (jessie/stretch) - template: + ansible.builtin.template: src: system/alert5.sysvinit.j2 dest: /etc/init.d/alert5 force: no @@ -144,7 +145,7 @@ - ansible_distribution_release == "jessie" or ansible_distribution_release == "stretch" - name: Enable alert5 init script (jessie/stretch) - service: + ansible.builtin.service: name: alert5 enabled: yes when: @@ -155,7 +156,7 @@ - name: Install alert5 init script (buster and later) - template: + ansible.builtin.template: src: system/alert5.sh.j2 dest: /usr/share/scripts/alert5.sh force: no @@ -165,7 +166,7 @@ - ansible_distribution_major_version is version('10', '>=') - name: Install alert5 service (buster and later) - copy: + ansible.builtin.copy: src: alert5.service dest: /etc/systemd/system/alert5.service force: yes @@ -175,7 +176,7 @@ - ansible_distribution_major_version is version('10', '>=') - name: Enable alert5 init script (buster and later) - systemd: + ansible.builtin.systemd: name: alert5 daemon_reload: yes enabled: yes @@ -188,14 +189,15 @@ ## network interfaces - name: "Is there an \"allow-hotplug\" interface ?" - command: grep allow-hotplug /etc/network/interfaces + ansible.builtin.command: + cmd: grep allow-hotplug /etc/network/interfaces failed_when: False changed_when: False check_mode: no register: grep_hotplug_eni - name: "Network interfaces must be \"auto\" and not \"allow-hotplug\"" - replace: + ansible.builtin.replace: dest: /etc/network/interfaces regexp: "allow-hotplug" replace: "auto" 
@@ -203,6 +205,4 @@ - evolinux_system_eni_auto | bool - grep_hotplug_eni.rc == 0 -## /sbin/deny - -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers diff --git a/evolinux-base/tasks/utils.yml b/evolinux-base/tasks/utils.yml index c8aa58e8..76fbac82 100644 --- a/evolinux-base/tasks/utils.yml +++ b/evolinux-base/tasks/utils.yml @@ -7,7 +7,7 @@ file: dump-server-state.yml - name: "/sbin/deny script is present" - copy: + ansible.builtin.copy: src: deny.sh dest: /sbin/deny mode: "0700" @@ -16,7 +16,7 @@ force: no - name: update-evobackup-canary script is present - copy: + ansible.builtin.copy: src: update-evobackup-canary dest: /usr/local/bin/update-evobackup-canary force: True @@ -26,26 +26,17 @@ # TODO: delete when this has been run once on all our servers - name: update-evobackup-canary is removed from sbin - file: + ansible.builtin.file: path: /usr/local/sbin/update-evobackup-canary state: absent -# - name: dir-check script is present -# copy: -# src: "dir-check.sh" -# dest: /usr/local/bin/dir-check -# force: True -# owner: root -# group: root -# mode: "0755" - - name: Deploy htop configuration - copy: + ansible.builtin.copy: src: htoprc dest: /etc/htoprc mode: "0644" - name: Deploy top configuration file - file: + ansible.builtin.file: path: /etc/topdefaultrc state: absent -- 2.39.2 From 38b106a8f214dde5172d27a06af5569d51ac3da8 Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour Date: Sat, 18 Mar 2023 18:36:50 +0100 Subject: [PATCH 411/497] evolinux-base: reorganize hardware section --- evolinux-base/tasks/hardware.dell.yml | 99 +++++++ evolinux-base/tasks/hardware.hp.yml | 87 +++++++ evolinux-base/tasks/hardware.yml | 245 ++---------------- .../templates/hardware/hp.sources.j2 | 8 + .../hardware/hwraid.le-vert.net.sources.j2 | 8 + 5 files changed, 230 insertions(+), 217 deletions(-) create mode 100644 evolinux-base/tasks/hardware.dell.yml create mode 100644 evolinux-base/tasks/hardware.hp.yml create mode 100644 evolinux-base/templates/hardware/hp.sources.j2 create mode 100644 evolinux-base/templates/hardware/hwraid.le-vert.net.sources.j2 diff --git a/evolinux-base/tasks/hardware.dell.yml b/evolinux-base/tasks/hardware.dell.yml new file mode 100644 index 00000000..409d1e07 --- /dev/null +++ b/evolinux-base/tasks/hardware.dell.yml 
@@ -0,0 +1,99 @@ +--- + +## LSI MegaRAID 12GSAS/PCIe Secure SAS39xx +# This is still incompatible with Debian + +- name: Check if PERC HBA11 device is present + ansible.builtin.shell: "lspci | grep -qE 'MegaRAID.*SAS39xx'" + check_mode: no + register: perc_hba11_search + failed_when: False + changed_when: False + tags: + - packages + +- name: MegaCLI SAS package must not be installed if PERC HBA11 is present + block: + - name: Disable harware RAID tasks + ansible.builtin.set_fact: + evolinux_packages_hardware_raid: False + + - name: blacklist mageclisas-status package + ansible.builtin.blockinfile: + dest: /etc/apt/preferences.d/0-blacklist + create: yes + marker: "## {mark} MEGACLISAS-STATUS BLACKLIST" + block: | + # DO NOT INSTALL THESE PACKAGES ON THIS SERVER + Package: megacli megaclisas-status + Pin: version * + Pin-Priority: -100 + + - name: Remove MegaCLI packages + ansible.builtin.apt: + name: + - megacli + - megaclisas-status + state: absent + when: perc_hba11_search.rc == 0 + +- name: MegaCLI SAS package is present + block: + - name: HWRaid GPG key is installed + ansible.builtin.copy: + src: hwraid.le-vert.net.asc + dest: "{{ apt_keyring_dir }}/hwraid.le-vert.net.asc" + force: yes + mode: "0644" + owner: root + group: root + tags: + - packages + when: ansible_distribution_major_version is version('9', '>=') + + - name: Add HW tool repository (Debian <12) + ansible.builtin.apt_repository: + repo: 'deb [signed-by={{ apt_keyring_dir }}/hwraid.le-vert.net.asc] http://hwraid.le-vert.net/debian {{ ansible_distribution_release }} main' + state: present + tags: + - packages + when: + - ansible_distribution_major_version is version('12', '<') + + - name: Add HW tool repository (Debian >=12) + ansible.builtin.template: + src: hardware/hwraid.le-vert.net.sources.j2 + dest: /etc/apt/sources.list.d/hwraid.le-vert.net.sources + tags: + - packages + when: + - ansible_distribution_major_version is version('12', '>=') + + - name: Install packages for DELL/LSI hardware + 
ansible.builtin.apt: + name: + - megacli + - megaclisas-status + allow_unauthenticated: yes + tags: + - packages + + - name: Configure packages for DELL/LSI hardware + ansible.builtin.template: + src: hardware/megaclisas-statusd.j2 + dest: /etc/default/megaclisas-statusd + mode: "0755" + tags: + - config + + - name: megaclisas-statusd is enabled and started + ansible.builtin.systemd: + name: megaclisas-statusd + enabled: true + state: restarted + tags: + - packages + - config + when: + - "'MegaRAID' in raidmodel.stdout" + diff --git a/evolinux-base/tasks/hardware.hp.yml b/evolinux-base/tasks/hardware.hp.yml new file mode 100644 index 00000000..ea17cae5 --- /dev/null +++ b/evolinux-base/tasks/hardware.hp.yml 
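Review bot: `allow_unauthenticated: yes` on the `Install packages for DELL/LSI hardware` apt task tells apt to install megacli/megaclisas-status even when their signatures cannot be verified, which defeats the `signed-by` keyring configured a few tasks earlier in the same block; dropping the parameter keeps the verification meaningful, and if it exists for the Debian <9 case where no key is copied, a `when` on that condition plus a comment would scope it. The `Configure packages for DELL/LSI hardware` template writes `/etc/default/megaclisas-statusd` with `mode: "0755"`; a sourced defaults file does not need an executable bit and `"0644"` would match the other config files in this series. Both lines are carried over from the old hardware.yml rather than introduced by this commit. Task-name typos worth fixing while the file is new: `Disable harware RAID tasks` → `hardware`, `blacklist mageclisas-status package` → `megaclisas-status`.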
@@ -0,0 +1,87 @@ +--- + +- name: HPE GPG key is installed + ansible.builtin.copy: + src: hpePublicKey2048_key1.asc + dest: "{{ apt_keyring_dir }}/hpePublicKey2048_key1.asc" + force: yes + mode: "0644" + owner: root + group: root + tags: + - packages + +- name: Add HPE repository (Debian <12) + ansible.builtin.apt_repository: + repo: 'deb [signed-by={{ apt_keyring_dir }}/hpePublicKey2048_key1.asc] https://downloads.linux.hpe.com/SDR/repo/mcp {{ ansible_distribution_release }}/current non-free' + state: present + tags: + - packages + when: + - ansible_distribution_major_version is version('12', '<') + +- name: Add HPE repository (Debian >=12) + ansible.builtin.template: + src: hardware/hp.sources.j2 + dest: /etc/apt/sources.list.d/hp.sources + tags: + - packages + when: + - ansible_distribution_major_version is version('12', '>=') + +- name: Install HPE Smart Storage Administrator (ssacli) + ansible.builtin.apt: + name: ssacli + tags: + - packages + +# NOTE: check_hpraid cron use check_hpraid from nagios-nrpe role +# So, if nagios-nrpe role is not installed it will not work +- name: Install and configure check_hpraid cron (HP gen >=10) + block: + - name: check_hpraid cron is present (HP gen >=10) + ansible.builtin.copy: + src: check_hpraid.cron.sh + dest: /etc/cron.{{ evolinux_cron_checkhpraid_frequency | mandatory }}/check_hpraid + mode: "0755" + tags: + - config + when: + - "'Adaptec Smart Storage PQI' in raidmodel.stdout" + +- name: Install and configure cciss-vol-status (HP gen <10) + block: + - name: Install cciss-vol-status (HP gen <10) + ansible.builtin.apt: + name: cciss-vol-status + state: present + tags: + - packages + + - name: cciss-vol-statusd init script is present (HP gen <10) + ansible.builtin.template: + src: hardware/cciss-vol-statusd.j2 + dest: /etc/init.d/cciss-vol-statusd + mode: "0755" + tags: + - packages + + - name: Configure cciss-vol-statusd (HP gen <10) + ansible.builtin.lineinfile: + dest: /etc/default/cciss-vol-statusd + line: 'MAILTO="{{ 
raid_alert_email or general_alert_email | mandatory }}"' + regexp: 'MAILTO=' + create: yes + tags: + - config + + - name: Enable cciss-vol-status in systemd (HP gen <10) + ansible.builtin.systemd: + name: cciss-vol-statusd + enabled: true + state: restarted + tags: + - packages + - config + when: + - "'Hewlett-Packard Company Smart Array' in raidmodel.stdout" diff --git a/evolinux-base/tasks/hardware.yml b/evolinux-base/tasks/hardware.yml index 7ebecc82..d9b0cdcd 100644 --- a/evolinux-base/tasks/hardware.yml +++ b/evolinux-base/tasks/hardware.yml @@ -1,15 +1,24 @@ --- - name: Install pciutils - apt: + ansible.builtin.apt: name: pciutils state: present tags: - packages +- name: firmware-non-free components are installed (Debian 12+) + ansible.builtin.replace: + dest: /etc/apt/sources.list.d/system.sources + regexp: '^(Components: ((?!\bfirmware-non-free\b).)*)$' + replace: '\1 firmware-non-free' + when: + - ansible_distribution_major_version is version('12', '>=') + ## Broadcom NetXtreme II - name: Check if Broadcom NetXtreme II device is present - shell: "lspci | grep -q 'NetXtreme II'" + ansible.builtin.shell: + cmd: "lspci | grep -q 'NetXtreme II'" check_mode: no register: broadcom_netextreme_search failed_when: False 
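Review bot: `state: restarted` on `Enable cciss-vol-status in systemd (HP gen <10)` restarts the daemon on every run of the role, so the play is never idempotent on those hosts. `state: started` on this task, with a `notify` on the two tasks that actually change its configuration (the init-script template and the MAILTO lineinfile) and a matching handler, would only bounce it when something changed. The same pattern is in hardware.dell.yml for `megaclisas-statusd`; both are carried over from the old hardware.yml rather than introduced here.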
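Review bot: The new `firmware-non-free components are installed (Debian 12+)` task adds a component spelled `firmware-non-free` to system.sources, but the archive area Debian 12 introduced is named `non-free-firmware`, so apt will report the component as missing on the next update. Change both the lookahead and the replacement: `regexp: '^(Components: ((?!\bnon-free-firmware\b).)*)$'` and `replace: '\1 non-free-firmware'` (and the task name to match). Unlike the Debian <12 Broadcom task in the next hunk, this one is not gated on the `broadcom_netextreme_search` result and therefore edits the sources of every Debian 12+ host; if that is intended, a one-line comment saying so would save the next reader from wondering.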
@@ -17,23 +26,21 @@ tags: - packages -# TODO: add the "non-free" part to the existing sources -# instead of adding a new source - -- name: Add non-free repo for Broadcom NetXtreme II - include_role: - name: evolix/apt - tasks_from: basics.yml - vars: - apt_basics_components: "main contrib non-free" +- name: Add non-free repo for Broadcom NetXtreme II (Debian <12) + ansible.builtin.replace: + dest: /etc/apt/sources.list + regexp: '^(main ((?!\bnon-free\b).)*)$' + replace: '\1 non-free' tags: - packages - when: broadcom_netextreme_search.rc == 0 + when: + - broadcom_netextreme_search.rc == 0 + - ansible_distribution_major_version is version('12', '<') +## Baremetal servers -## Dedicated hardware - name: Install some additionnals tools when it dedicated hardware - apt: + ansible.builtin.apt: name: - libipc-run-perl - freeipmi @@ -43,14 +50,13 @@ state: present tags: - packages - when: ansible_virtualization_role == "host" ## RAID # Dell and others: MegaRAID SAS # HP gen <10: Hewlett-Packard Company Smart Array # HP gen >=10: Adaptec Smart Storage PQI - name: Detect if RAID is installed - shell: + ansible.builtin.shell: cmd: "lspci -q | grep -e 'RAID bus controller' -e 'Serial Attached SCSI controller'" executable: /bin/bash check_mode: no 
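Review bot: The `regexp` in `Add non-free repo for Broadcom NetXtreme II (Debian <12)` is anchored as `^(main ...)`, but lines in /etc/apt/sources.list start with `deb` or `deb-src`, so the pattern cannot match a normal source line and the task is a silent no-op (it reports ok and never adds `non-free`). Anchor on the source line instead, e.g. `regexp: '^(deb(?:-src)?\s.*\bmain\b((?!\bnon-free\b).)*)$'` with the same `replace: '\1 non-free'`. A `check_mode`-free grep of the file on a Debian 11 test host would confirm the replacement actually lands.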
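Review bot: The `when: ansible_virtualization_role == "host"` line is dropped from `Install some additionnals tools when it dedicated hardware`, so libipc-run-perl, freeipmi and the rest of that list are now installed on virtual machines as well, while the task name and the new `## Baremetal servers` heading still say the opposite. If the condition moved to an enclosing block or to main.yml outside this hunk, a short comment here would prevent the confusion; otherwise it should be restored. The start of the package list is in the previous hunk.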
@@ -60,211 +66,16 @@ tags: - packages -- name: Look for legacy apt keyring - stat: - path: /etc/apt/trusted.gpg - register: _trusted_gpg_keyring - tags: - - packages - -- name: HPE Smart Storage Administrator (ssacli) is present - block: - - name: HPE GPG embedded key is absent - apt_key: - id: "26C2B797" - keyring: /etc/apt/trusted.gpg - state: absent - when: _trusted_gpg_keyring.stat.exists - tags: - - packages - - - name: HPE GPG key is installed - copy: - src: hpePublicKey2048_key1.asc - dest: "{{ apt_keyring_dir }}/hpePublicKey2048_key1.asc" - force: yes - mode: "0644" - owner: root - group: root - tags: - - packages - - - name: Add HPE repository - apt_repository: - repo: 'deb [signed-by={{ apt_keyring_dir }}/hpePublicKey2048_key1.asc] https://downloads.linux.hpe.com/SDR/repo/mcp {{ ansible_distribution_release }}/current non-free' - state: present - tags: - - packages - - - name: Remove unsigned HPE repository - apt_repository: - repo: 'deb https://downloads.linux.hpe.com/SDR/repo/mcp {{ ansible_distribution_release }}/current non-free' - state: absent - tags: - - packages - - - name: Install HPE Smart Storage Administrator (ssacli) - apt: - name: ssacli - tags: - - packages +- name: "HP" + import_tasks: hardware.hp.yml when: - - "'Hewlett-Packard Company Smart Array' in raidmodel.stdout" - - "'Adaptec Smart Storage PQI' in raidmodel.stdout" + - "'Hewlett-Packard Company Smart Array' in raidmodel.stdout or 'Adaptec Smart Storage PQI' in raidmodel.stdout" - evolinux_packages_hardware_raid | bool -# NOTE: check_hpraid cron use check_hpraid from nagios-nrpe role -# So, if nagios-nrpe role is not installed it will not work -- name: Install and configure check_hpraid cron (HP gen >=10) - block: - - name: check_hpraid cron is present (HP gen >=10) - copy: - src: check_hpraid.cron.sh - dest: /etc/cron.{{ evolinux_cron_checkhpraid_frequency | mandatory }}/check_hpraid - mode: "0755" - tags: - - config - when: "'Adaptec Smart Storage PQI' in raidmodel.stdout" - -- 
name: Install and configure cciss-vol-status (HP gen <10) - block: - - name: Install cciss-vol-status (HP gen <10) - apt: - name: cciss-vol-status - state: present - tags: - - packages - - - name: cciss-vol-statusd init script is present (HP gen <10) - template: - src: hardware/cciss-vol-statusd.j2 - dest: /etc/init.d/cciss-vol-statusd - mode: "0755" - tags: - - packages - - - name: Configure cciss-vol-statusd (HP gen <10) - lineinfile: - dest: /etc/default/cciss-vol-statusd - line: 'MAILTO="{{ raid_alert_email or general_alert_email | mandatory }}"' - regexp: 'MAILTO=' - create: yes - tags: - - config - - - name: Enable cciss-vol-status in systemd (HP gen <10) - service: - name: cciss-vol-statusd - enabled: true - state: restarted - tags: - - packages - - config - when: - - "'Hewlett-Packard Company Smart Array' in raidmodel.stdout" - - evolinux_packages_hardware_raid | bool - -## LSI MegaRAID 12GSAS/PCIe Secure SAS39xx -# This is still incompatible with Debian - -- name: Check if PERC HBA11 device is present - shell: "lspci | grep -qE 'MegaRAID.*SAS39xx'" - check_mode: no - register: perc_hba11_search - failed_when: False - changed_when: False - tags: - - packages - -- name: MegaCLI SAS package must not be installed if PERC HBA11 is present - block: - - name: Disable harware RAID tasks - set_fact: - evolinux_packages_hardware_raid: False - - - name: blacklist mageclisas-status package - blockinfile: - dest: /etc/apt/preferences.d/0-blacklist - create: yes - marker: "## {mark} MEGACLISAS-STATUS BLACKLIST" - block: | - # DO NOT INSTALL THESE PACKAGES ON THIS SERVER - Package: megacli megaclisas-status - Pin: version * - Pin-Priority: -100 - - - name: Remove MegaCLI packages - apt: - name: - - megacli - - megaclisas-status - state: absent - when: perc_hba11_search.rc == 0 - -- name: MegaCLI SAS package is present - block: - - name: HWRaid embedded GPG key is absent - apt_key: - id: "23B3D3B4" - keyring: /etc/apt/trusted.gpg - state: absent - tags: - - packages - 
when: _trusted_gpg_keyring.stat.exists - - - name: HWRaid GPG key is installed - copy: - src: hwraid.le-vert.net.asc - dest: "{{ apt_keyring_dir }}/hwraid.le-vert.net.asc" - force: yes - mode: "0644" - owner: root - group: root - tags: - - packages - when: ansible_distribution_major_version is version('9', '>=') - - - name: Add HW tool repository - apt_repository: - repo: 'deb [signed-by={{ apt_keyring_dir }}/hwraid.le-vert.net.asc] http://hwraid.le-vert.net/debian {{ ansible_distribution_release }} main' - state: present - tags: - - packages - - - name: Remove unsigned HW tool repository - apt_repository: - repo: 'deb http://hwraid.le-vert.net/debian {{ ansible_distribution_release }} main' - state: absent - tags: - - packages - - - name: Install packages for DELL/LSI hardware - apt: - name: - - megacli - - megaclisas-status - allow_unauthenticated: yes - tags: - - packages - - - name: Configure packages for DELL/LSI hardware - template: - src: hardware/megaclisas-statusd.j2 - dest: /etc/default/megaclisas-statusd - mode: "0755" - tags: - - config - - - name: Enable DELL/LSI hardware in systemd - service: - name: megaclisas-statusd - enabled: true - state: restarted - tags: - - packages - - config +- name: "Dell" + import_tasks: hardware.dell.yml when: - "'MegaRAID' in raidmodel.stdout" - evolinux_packages_hardware_raid | bool -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers diff --git a/evolinux-base/templates/hardware/hp.sources.j2 b/evolinux-base/templates/hardware/hp.sources.j2 new file mode 100644 index 00000000..04ccbc9d --- /dev/null +++ b/evolinux-base/templates/hardware/hp.sources.j2 @@ -0,0 +1,8 @@ +# {{ ansible_managed }} + +Types: deb +URIs: https://downloads.linux.hpe.com/SDR/repo/mcp +Suites: {{ ansible_distribution_release }}/current +Components: non-free +Signed-by: {{ apt_keyring_dir }}/hpePublicKey2048_key1.asc +Enabled: yes \ No newline at end of file 
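Review bot: The legacy cleanup tasks — `HPE GPG embedded key is absent` and `HWRaid embedded GPG key is absent` (removing ids `26C2B797` and `23B3D3B4` from /etc/apt/trusted.gpg) and the two `Remove unsigned ... repository` tasks — are deleted here and do not reappear in hardware.hp.yml or hardware.dell.yml. Hosts set up by the previous version of the role therefore keep a vendor key in the global trusted.gpg keyring, which apt accepts for every repository rather than only the vendor one, and may keep the unsigned source line next to the signed one. If they were dropped on purpose because every host has already been converged, a comment on the `HP`/`Dell` import tasks saying so would justify it; otherwise carrying them (with the `Look for legacy apt keyring` stat task) into the two new files restores the cleanup.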
diff --git a/evolinux-base/templates/hardware/hwraid.le-vert.net.sources.j2 b/evolinux-base/templates/hardware/hwraid.le-vert.net.sources.j2 new file mode 100644 index 00000000..9d424a5b --- /dev/null +++ b/evolinux-base/templates/hardware/hwraid.le-vert.net.sources.j2 @@ -0,0 +1,8 @@ +# {{ ansible_managed }} + +Types: deb +URIs: http://hwraid.le-vert.net/debian +Suites: {{ ansible_distribution_release }} +Components: main +Signed-by: {{ apt_keyring_dir }}/hwraid.le-vert.net.asc] +Enabled: yes -- 2.39.2 From 958109c3b3d85573bdedf5cef3ebf97a5857cb75 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 18 Mar 2023 18:37:58 +0100 Subject: [PATCH 412/497] evolinux-base: reorganize ssh section --- evolinux-base/tasks/main.yml | 14 ++- evolinux-base/tasks/ssh.included-files.yml | 104 ++++++++++++++++++ .../tasks/{ssh.yml => ssh.single-file.yml} | 22 ++-- 3 files changed, 127 insertions(+), 13 deletions(-) create mode 100644 evolinux-base/tasks/ssh.included-files.yml rename evolinux-base/tasks/{ssh.yml => ssh.single-file.yml} (90%) diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml index 29a77524..b9afc630 100644 --- a/evolinux-base/tasks/main.yml +++ b/evolinux-base/tasks/main.yml @@ -56,9 +56,17 @@ name: evolix/evomaintenance when: evolinux_evomaintenance_include | bool -- name: SSH configuration - include: ssh.yml - when: evolinux_ssh_include | bool +- name: SSH configuration (single file) + import_tasks: ssh.single-file.yml + when: + - ansible_distribution_major_version is version('12', '<') + - evolinux_ssh_include | bool + +- name: SSH configuration (included-files) + import_tasks: ssh.included-files.yml + when: + - ansible_distribution_major_version is version('12', '>=') + - evolinux_ssh_include | bool ### disabled because of a memory leak # - name: Create evolinux users diff --git a/evolinux-base/tasks/ssh.included-files.yml b/evolinux-base/tasks/ssh.included-files.yml new file mode 100644 index 00000000..952b661f --- /dev/null 
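Review bot: `Signed-by: {{ apt_keyring_dir }}/hwraid.le-vert.net.asc]` carries a stray `]` copied from the one-line `[signed-by=...]` syntax, so on Debian >=12 apt looks for a keyring path ending in `]`, does not find it, and the hwraid repository fails signature verification on the next update. The line should read `Signed-by: {{ apt_keyring_dir }}/hwraid.le-vert.net.asc`, matching hp.sources.j2 in the previous hunk. A quick `apt-get update` on a bookworm test host would have caught this; worth adding to the checklist for the other `*.sources.j2` templates this series introduces.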
+++ b/evolinux-base/tasks/ssh.included-files.yml 
@@ -0,0 +1,104 @@ +--- +# This is a copy of ssh.single-file.yml +# It needs to be changed when we move to a included-files configuration + + +- ansible.builtin.debug: + msg: "Warning: empty 'evolinux_ssh_password_auth_addresses' variable, tasks will be skipped!" + when: evolinux_ssh_password_auth_addresses == [] + +# From 'man sshd_config' : +# « If all of the criteria on the Match line are satisfied, the keywords +# on the following lines override those set in the global section of the config +# file, until either another Match line or the end of the file. +# If a keyword appears in multiple Match blocks that are satisfied, +# only the first instance of the keyword is applied. » +# +# We want to allow any user from a list of IP addresses to login with password, +# but users of the "{{ evolinux_internal_group }}" group can't login with password from other IP addresses + +- name: "Security directives for Evolinux (Debian 10 or later)" + ansible.builtin.blockinfile: + dest: /etc/ssh/sshd_config + marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS" + block: | + Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }} + PasswordAuthentication yes + Match Group {{ evolinux_internal_group }} + PasswordAuthentication no + insertafter: EOF + validate: '/usr/sbin/sshd -t -f %s' + notify: reload sshd + when: + - evolinux_ssh_password_auth_addresses != [] + - ansible_distribution_major_version is version('10', '>=') + +- name: Security directives for Evolinux (Jessie/Stretch) + ansible.builtin.blockinfile: + dest: /etc/ssh/sshd_config + marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS" + block: | + Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }} + PasswordAuthentication yes + insertafter: EOF + validate: '/usr/sbin/sshd -t -f %s' + notify: reload sshd + when: + - evolinux_ssh_password_auth_addresses != [] + - ansible_distribution_major_version is version('10', '<') + +# We disable AcceptEnv because it can be a security issue, but also 
because we +# do not want clients to push their environment variables like LANG. +- name: disable AcceptEnv in ssh config + ansible.builtin.replace: + dest: /etc/ssh/sshd_config + regexp: '^AcceptEnv' + replace: "#AcceptEnv" + notify: reload sshd + when: evolinux_ssh_disable_acceptenv | bool + +- name: Set log level to verbose (for Debian >= 9) + ansible.builtin.replace: + dest: /etc/ssh/sshd_config + regexp: '^#?LogLevel [A-Z]+' + replace: "LogLevel VERBOSE" + notify: reload sshd + when: ansible_distribution_major_version is version('9', '>=') + +- name: "Get current user" + ansible.builtin.command: + cmd: logname + changed_when: False + register: logname + check_mode: no + when: evolinux_ssh_allow_current_user | bool + +# we must double-escape caracters, because python +- name: verify AllowUsers directive + ansible.builtin.command: + cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config" + failed_when: False + changed_when: False + register: grep_allowusers_ssh + check_mode: no + when: evolinux_ssh_allow_current_user | bool + +- name: "Add AllowUsers sshd directive for current user" + ansible.builtin.lineinfile: + dest: /etc/ssh/sshd_config + line: "\nAllowUsers {{ logname.stdout }}" + insertafter: 'Subsystem' + validate: '/usr/sbin/sshd -t -f %s' + notify: reload sshd + when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc != 0 + +- name: "Modify AllowUsers sshd directive for current user" + ansible.builtin.replace: + dest: /etc/ssh/sshd_config + regexp: '^(AllowUsers ((?!{{ logname.stdout }}).)*)$' + replace: '\1 {{ logname.stdout }}' + validate: '/usr/sbin/sshd -t -f %s' + notify: reload sshd + when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc == 0 + +- ansible.builtin.meta: flush_handlers diff --git a/evolinux-base/tasks/ssh.yml b/evolinux-base/tasks/ssh.single-file.yml similarity index 90% rename from evolinux-base/tasks/ssh.yml rename to evolinux-base/tasks/ssh.single-file.yml index e063d164..e76d792f 100644 
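Review bot: The `Security directives for Evolinux (Jessie/Stretch)` task and the `Debian >= 9` guard on `Set log level to verbose` are unreachable in this file: main.yml imports ssh.included-files.yml only when `ansible_distribution_major_version is version('12', '>=')`, so the `version('10', '<')` branch can never run and the other version conditions are always true. Since the header comment already says this is a verbatim copy of ssh.single-file.yml awaiting a rework for the Debian 12 layout, dropping the dead branches now would make that rework smaller, and marking the header with `# TODO:` would make the intent greppable. For that rework, keep in mind that Debian 12's sshd_config includes `/etc/ssh/sshd_config.d/*.conf` ahead of its own directives and, as the comment quoted from `man sshd_config` says, the first instance of a keyword wins — so a drop-in file can take precedence over the `Match` blocks and `AllowUsers` lines appended to the end of sshd_config here, and the `validate` calls will not detect that. The `Modify AllowUsers sshd directive for current user` task also interpolates `logname.stdout` into a regexp unescaped; `{{ logname.stdout | regex_escape }}` would be safer should a login name ever contain a metacharacter.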
--- a/evolinux-base/tasks/ssh.yml +++ b/evolinux-base/tasks/ssh.single-file.yml @@ -1,5 +1,5 @@ --- -- debug: +- ansible.builtin.debug: msg: "Warning: empty 'evolinux_ssh_password_auth_addresses' variable, tasks will be skipped!" when: evolinux_ssh_password_auth_addresses == [] @@ -14,7 +14,7 @@ # but users of the "{{ evolinux_internal_group }}" group can't login with password from other IP addresses - name: "Security directives for Evolinux (Debian 10 or later)" - blockinfile: + ansible.builtin.blockinfile: dest: /etc/ssh/sshd_config marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS" block: | @@ -30,7 +30,7 @@ - ansible_distribution_major_version is version('10', '>=') - name: Security directives for Evolinux (Jessie/Stretch) - blockinfile: + ansible.builtin.blockinfile: dest: /etc/ssh/sshd_config marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS" block: | @@ -46,7 +46,7 @@ # We disable AcceptEnv because it can be a security issue, but also because we # do not want clients to push their environment variables like LANG. - name: disable AcceptEnv in ssh config - replace: + ansible.builtin.replace: dest: /etc/ssh/sshd_config regexp: '^AcceptEnv' replace: "#AcceptEnv" @@ -54,7 +54,7 @@ when: evolinux_ssh_disable_acceptenv | bool - name: Set log level to verbose (for Debian >= 9) - replace: + ansible.builtin.replace: dest: /etc/ssh/sshd_config regexp: '^#?LogLevel [A-Z]+' replace: "LogLevel VERBOSE" @@ -62,7 +62,8 @@ when: ansible_distribution_major_version is version('9', '>=') - name: "Get current user" - command: logname + ansible.builtin.command: + cmd: logname changed_when: False register: logname check_mode: no @@ -70,7 +71,8 @@ # we must double-escape caracters, because python - name: verify AllowUsers directive - command: "grep -E '^AllowUsers' /etc/ssh/sshd_config" + ansible.builtin.command: + cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config" failed_when: False changed_when: False register: grep_allowusers_ssh 
@@ -78,7 +80,7 @@ when: evolinux_ssh_allow_current_user | bool - name: "Add AllowUsers sshd directive for current user" - lineinfile: + ansible.builtin.lineinfile: dest: /etc/ssh/sshd_config line: "\nAllowUsers {{ logname.stdout }}" insertafter: 'Subsystem' @@ -87,7 +89,7 @@ when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc != 0 - name: "Modify AllowUsers sshd directive for current user" - replace: + ansible.builtin.replace: dest: /etc/ssh/sshd_config regexp: '^(AllowUsers ((?!{{ logname.stdout }}).)*)$' replace: '\1 {{ logname.stdout }}' @@ -95,4 +97,4 @@ notify: reload sshd when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc == 0 -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers -- 2.39.2 From 5974f12b828197ec1105962c6265103b41c60787 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 18 Mar 2023 18:50:06 +0100 Subject: [PATCH 413/497] evolinux-base: fix conditional precedence --- apt/templates/bookworm_basics.sources.j2 | 2 +- apt/templates/bookworm_security.sources.j2 | 2 +- evolinux-base/tasks/main.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apt/templates/bookworm_basics.sources.j2 b/apt/templates/bookworm_basics.sources.j2 index 247d7ec3..5a0cd3aa 100644 --- a/apt/templates/bookworm_basics.sources.j2 +++ b/apt/templates/bookworm_basics.sources.j2 @@ -4,4 +4,4 @@ Types: deb URIs: http://mirror.evolix.org/debian Suites: bookworm bookworm-updates Components: {{ apt_basics_components | mandatory }} -Enabled: yes \ No newline at end of file +Enabled: yes diff --git a/apt/templates/bookworm_security.sources.j2 b/apt/templates/bookworm_security.sources.j2 index 0b0e4190..56180957 100644 --- a/apt/templates/bookworm_security.sources.j2 +++ b/apt/templates/bookworm_security.sources.j2 @@ -4,4 +4,4 @@ Types: deb URIs: https://security.debian.org/debian-security Suites: bookworm-security Components: {{ apt_basics_components | mandatory }} -Enabled: yes \ No newline at end of file +Enabled: yes 
diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml index b9afc630..35b48830 100644 --- a/evolinux-base/tasks/main.yml +++ b/evolinux-base/tasks/main.yml @@ -14,7 +14,7 @@ apt_install_basics: "{{ evolinux_apt_replace_default_sources }}" apt_install_evolix_public: "{{ evolinux_apt_public_sources }}" apt_upgrade: "{{ evolinux_apt_upgrade }}" - apt_basics_components: "{{ ansible_virtualization_role == 'host' | ternary('main contrib non-free', 'main') }}" + apt_basics_components: "{{ (ansible_virtualization_role == 'host') | ternary('main contrib non-free', 'main') }}" when: evolinux_apt_include | bool - name: /etc versioning with Git -- 2.39.2 From 49d8c99328bab62d87e148b5028391db3288b44e Mon Sep 17 00:00:00 2001 From: David Prevot Date: Mon, 20 Mar 2023 14:56:11 +0100 Subject: [PATCH 414/497] pub_evolix.asc is also needed in lxc-php --- lxc-php/files/pub_evolix.asc | 87 ++++++++++++++++++++++++++++++++++++ 1 file changed, 87 insertions(+) create mode 100644 lxc-php/files/pub_evolix.asc diff --git a/lxc-php/files/pub_evolix.asc b/lxc-php/files/pub_evolix.asc new file mode 100644 index 00000000..4a21bdfe --- /dev/null +++ b/lxc-php/files/pub_evolix.asc 
@@ -0,0 +1,87 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBGOsRdcBEADDPJ8Tsqr5Z4crmQlNQM32hfufe7gTUrXo0cAL8clt92y1QX3N +YyMv0Re4+Ugo7JZd4jsF2Q1twJMxsX5rA12xDnHHcZRSc/E0DIYvPnfLzEHkwseN +OK4f9lI+xo06k+B3KQQKMeI/RjVaN6AiSply9ZGaZVeGGqd4es4PsU1VQMTWdclV +Bn54HBWUnL5dPStPMnNkt0bMQYIqc5733Yby3qMiUKcql2bl9TYBw8SaJXvClsLw +ERqit6FjljUOEeWtB4WZFpjhc/aqcxGcUTPHRrNTlNF0HCvk8JicEu4/lr99pwy7 +7z6SRql++WGMSG06E4MBtUt+wWAmDDHNj3fdZPnoCaDFp7vxy/FEARB2aygTtu11 +mLk4XOKheqU/WibWxoXRzyUCuclJ247Fh+YPxkYVG1dnDwpWGbYuRmzUapGLv4ma +dnKsQN0KhXzUqkSoybBgV208dGOP7BqdY6TVnyU0v/7XDeUqFEwnllRKMSYLilV3 +huTifiCFTK45HACM/x2yckx8dyAuYg6cJaAR1yn1iaTexoyYPG9ZFifvMB6ranEm +vkmQq1e8/7xiNSQsh5F3Ybl5hh4GVLwsR6esfZsHG0Ve+CitsmcZgWnr0JJ2PZOk ++XHxMwo7Gb0/KVH9XGeoXk+eiNNW/kdcgBMkGkU3nWooVHDm7Dy54I5CzQARAQAB +tC9Fdm9saXggUHVibGljIFJlcG9zaXRvcnkgPGVxdWlwZStwdWJAZXZvbGl4LmZy +PokCVAQTAQoAPhYhBP+vfRvzUK1F+rMpCUaPWta4YwY9BQJjrEXXAhsDBQkHhM4A +BQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEEaPWta4YwY9V6oP/iYfZceiA1Sy +x9t/7CL3EReuvpdZtZYf2KklBfxEFtzkERV/KKMMpf8mKoGD6BA+ryUc7b4a8npq +yvKbSKDHGZW6gAbq8hneW71vRuNfPNqtfO98JbJO694nqX9sIYU2xQn0UIh0G6N7 +D2bOcaicn8AgV/8cQZfgN9yRM4VhCoWZwhLqgROUqMYfDn3szamfkPcFiw10ToVt +c2PIFdqj2soKO9OrF5Ct/pztSGy1f+orDFiJ0AtRlqqRk9z18VB893qspfyd6y9N +q7IrQbYsiP+D8DcXYWZA1KURsI4LVQwsudNXokvGkYdnZitVgXI2lIaY7odDou5F +btZsCIEa45m7Vmvu0Wvtu/90EFbu9iwbOVrNpC7lLnfJpDObVXMiY1r0rQVuweEZ +ZbBcv1NUa3R0SPsPLPKf7L6dCx8gCpZjDVJLsgBeeSEV7XFQiYDbl8THasNTKCOa +C6v4h00mg0H6GhZvGMx+lcx8TzW6l3XXRoptHl4vkdE5usLFjy8/JWG3yJ7e2W3D +jVbPQ0UKJAnkGn1t+UJB1GP9O4annks0nPfcomjZzaDweIL8zSLPy5R9DGNgYLjp +5h/baLoNAOkaKssZrusq/P+BM2tdr3i/N6TK+dbrffz3hNgzSFFYVg51DspV7XWo +JKGqhqCgQpkms+NPJiKr4NDs6DdXn0IKuQINBGOsRdcBEAC9i5qcrYLTfeGrWPo3 +Zok3jikNk181HC3HR7Wu8a5whCe/88GgJDY00sU2zZEF9hN/4Vtqq9FICVXUcs+F +5j+Gcb/sqAgwXuwk8LKuhbtR2cnz6I0GCsqNPuj+5uM7MXQlVWeIN5Z6zA/Jw++o +aENZHO6cnuep2KDNPUZzjmTHAa4+qXRL5cRXEOmMB1vtA8mm/43c7wicJ7MrZpba +mqzmiQPsQ2qfmCABfx8BwBgXCVON4sgtzCa+rYOPScsDtv0pv6uG+h/GJp4MdKBp 
+g3BfShQEAmOwwy3Pt2vo9Rw2s0uJJ9AM2O6tJ3x93YkUP5qj3Etr/eTcgVUiVvSs +h2Rrz2FLen3GMAcqUUDPViCy9nEWRAo7iWQgAKgr8WjeGerOmtsYPyjIQE47eX5M +Gomx0LVCGigYfkSAFIYzm5I+depmn1qTUyizfklvPr0bA/8Cs4zbqx6Pf6Rk5wvb +sJ4envk3dzQRNTH1Vt7Yoktyx1+VX0HFVEaPTQ3JlFORaHYwQQ97LaOZ0VmztE0A +5+CIFFdqp/0H7zGPol+LsPgqnzZZEQ2XFYPOy7/gB17zI2eWNWPAQmOdrUM/v12A +etnLEthZyALcjjBpJEVIHFnuaabYp+mdotycjDkBNSh+P+8H/UsMSrNVhheKQLB8 +smzwFcSrAcnQbtiCjFWANTWyKQARAQABiQI8BBgBCgAmFiEE/699G/NQrUX6sykJ +Ro9a1rhjBj0FAmOsRdcCGwwFCQeEzgAACgkQRo9a1rhjBj0FZw//fNhJdx55ACvX +mpa8wz6eZOvzhr5GWSW5/Qie9nRjInPPI3bJ/jU0S/4ENqFBD9RSvY5F+0xCU67F +V2R3a3FFcB81HLIcUrkN0GH6fLcex0Js+grq/U117e2umdfGMKQG0UFJ+XonhtlT +foBcBjXPFr2NUaJB2SPo/RPQ3U+N3wMSm0ZbB/Xvxi5qMEb971dfObvsXTkQZvn7 +b0TvccfHhyzs2IM8pZO3PamTwA5e16/2QqisRX4CeL0a/q3Yxfw4R8RPCrz/l0k5 +FPdbdXaQuk5s+CiV+Nse7yFGoEoSlLpJM2BpueBsIg92joyOstZRm+tuCb5QefWI +7yFPfJU6xG1CMDqIGjXNU1tzSIoReGUBCNrE9UgzBQPPVD0jNM1WdW6HWSVR7jBb ++dvAeJNzQjJYlvKLQ383mAiVcwmCWBUp+R/kBPlLMGEpLlspti5fkmEc8xvtCaHc +fCLVWd0r2lUFUz+W53r8IXaRcxLtFinz7SHZPrlhaVwErdtlo+5X3kq39Mc4KCmF +bevT+qxlgzHXof+WGTYoc9IHkhDrvZ/TWeAUnBPvVn88dsBRtOC9f5wSCK4r9SfR +Dnf0lAsLWMpNtt812W8sA82RGXRUBwonZKa7YoGNKSa2vPJcUgmpIiHNtoLWpNa+ +7pYGN7bV51zyQ1ERaLU5TBC9sPE70p25Ag0EY6xJaQEQAKsxFCb4Vxe8VuUEAKp/ +RSRNGX/v9KqXVwbnf3kTYq9FMoplZBeqj4LQ22BqRzZ74ywoyfvHHtvkAtCbmrlc +8iLQEmicLug3Ibk97qm1lvvHnK9fqFOWh+Tx/omlaiSzEfAFbLEjNcplmq1ooqmX +fkI9zcefLZHtUFx6Clw3rwp79d/V5XJDM+2jwB47HfIhrW6jEubUuaXIHNR/GSSd +gTYuw55g9K97LhONX6ZvSBhjp4pOeUUbtFuG1fRkjPiObsB54fJ2R32yfm4jV53/ +YgG/Ih/o97tKV+ishQIrr85SB3XiLFlGhQuu/0a/+/vfGVTbJOzrQrE+OCWt9Xm1 +4b91MiVSSzXy6TGzPvpNXYR2PQZzVwvz7UctCikaE4gGB0lSH0LemDD0LZIZUwBL +1G9mlwFTkMYK0+iMyHFOKeAlUnSSpO6hFYr4GHOxAMGTjHqqEJZ3lBi9SBPc7AEK +3NcEp4etuiLOeaSBtqmUs+y7g8yMTrnyWPVxa0l5q4OUitbb2qvWYbaD3O22xYyj +9BlqzpG9uO6/d8HefDK8XMNCHlmwFoJj3HJlHJg7oN029vYsXEwBIhFyolAPzIvB +jpLKcebq9DJSObs1nHjAyVUpL4ZzRmujFcJYDYSixiqaWc/1aGTgUZQ/JDXcODiC +LgFu1vLTRf6hwKSb/vnZP5OtABEBAAGJBHIEGAEKACYWIQT/r30b81CtRfqzKQlG 
+j1rWuGMGPQUCY6xJaQIbAgUJA8JnAAJACRBGj1rWuGMGPcF0IAQZAQoAHRYhBA7H +BbTwXPF0hLMgRYefxhvnjx3ABQJjrElpAAoJEIefxhvnjx3ANpUQAIFLkLcx2z3M +jV0SgoAYertib9T/OOy/rsfeQjE6DFk6IArrHolZPA9g/PpTPuRwK165n5xw483q +BMyssUT9IK7SZxt0gbKpvZ0HFSCwSp5wdSJZymwB4AOcgRBU5rwC/9fFxYihgIym +Ig7TH9aWW4hDbEuGJDrKbhK+DpIL7lK3A5WUZk9ltGOpCcFctV3YnVgbMIwX5gO6 +lZ5Zi6NHJEB3HauVZJ59NIPJ/f0xe5GMte/LXckyijs9ei4WOFOjstiW64EWkOBH +El0tj+LUxLznCP2szdXjkDN1P6/NDrY1Nid6/ECOfkh4xO/VHhkdSRAlhdP9FHiV +sy3KUUoPH5B805z1MyOI7UYUD/8CK0juIXcbw7isbVUmLf/VV8jEDmq3WWDj8YZp +IStn2AvQeo3VWGWUfkf3v7UthKandIUTIGc5isD+i6KvzzbggyyZWNtvb3/1wMrz +DUKGlFi/IjMhhElJ0oF3YGsBwz2V2UKP7pPIYo+f5zthc7SbmO9yxAQebEOc3prM +G/Br8JOZ90w1dy6CeIYxkM4YEhhG1K8CzD3ZTTI7vh8mwRc92A6HI2NFyxeYJCr0 +IsUcFQpCyXMtcLRN75DGLIjIKdYrYJuwSiUgcH5FtgkuxMYfJEX9UX8rV7HAxUvs +UdIyHLl7k+khGlZa0/W6uCioFNiygnBEp7oP/iSj4Q2Xh5yKI6Jjw/IsfRcsiaac +lHc7uF0caYGMkqRNHiX17d5EtaidTbiqQii1W9slSPXmUuUcKfD1xUfLng7TbZVm +AdEbpHCT+q037cGCYFpHPMvw3OYhhGzYeh3+1oN9t3ZvyGlvAhkrtssDQB+gxX8r +adCpihziFLjm+6IvCLYHEh3gILVFbbhdYDDUduFFjf/snlJW7j8OVc7Cxa7FbPdf +SHLT9VESzf7oiwkP5/ijGmHiEQoJd9EWYkGGz+LZAXemBwe5ZnPPWVZvDEQRMe8v +2V8pa37vyReaK//O8xxGg3NzGTn9otwVr/4Ti9OxrSzmDWpd967oZ42IZSeSY2bz +kOaV8z4C8AIgIA7vWOS83Hncbrgf2nMCXmRjf0KTMm1P7Z0BQDWpxK9lP0nRpVAg +2T3/OjJ9KcAsTz02NFC3/kOUz//NcfDP747HsQB0sltIty140B7CfcWk0a0eKSad +OxGUehskjyKhO6v3dYF+8oR9p98Q8/Rh8r7evYy2mfhgJd7a9Cchn7612Y6k1SLf +nmPGYu3s0lf/k6GoHLfXXQIJDgWeua4ZBr6cgpGONLSvWBeCVaqnk8nhbNIiSBHk +jnrcX8xAtoPLgqg0+yi7rZ3NAauZcQE6UaNB+xjJxDOIpgVLUWtFyAG4MDeIh6GH +oA9QflpnDubMnCve +=ZCml +-----END PGP PUBLIC KEY BLOCK----- -- 2.39.2 From f1644ed138cb7a98193e4813aca5ff1a90a7c7cd Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 18 Mar 2023 19:52:55 +0100 Subject: [PATCH 415/497] docker: source list for Debian 12 --- docker-host/tasks/main.yml | 24 ++++++++++++++++-------- docker-host/templates/docker.sources.j2 | 8 ++++++++ 2 files changed, 24 insertions(+), 8 deletions(-) create mode 100644 docker-host/templates/docker.sources.j2 
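Review bot: This adds a second copy of the Evolix repository signing key (the commit title says it is "also needed" in lxc-php), so the trust anchor now lives in more than one place in the repository and a future key rotation or revocation has to be applied to every copy. Having lxc-php reference the existing file instead (a shared `files` path or a symlink) would leave a single copy to maintain; failing that, a comment in the lxc-php task that deploys it, naming which copy is canonical, would at least make the duplication visible. Reviewers cannot eyeball an armored key block, so stating the expected key fingerprint in the commit message or in an `Comment:` armor header would let the next person verify that the two copies are in fact identical.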
diff --git a/docker-host/tasks/main.yml b/docker-host/tasks/main.yml index b73fde0b..163ec76c 100644 --- a/docker-host/tasks/main.yml +++ b/docker-host/tasks/main.yml @@ -11,11 +11,17 @@ - name: Install source requirements apt: name: - - apt-transport-https - ca-certificates - gnupg2 state: present +- name: Install apt-transport-https (Debian <10) + apt: + name: + - apt-transport-https + state: present + when: ansible_distribution_major_version is version('10', '<') + - name: Add Docker's official GPG key copy: src: docker-debian.asc @@ -25,17 +31,19 @@ owner: root group: root -- name: Add Docker repository +- name: Add Docker repository (Debian <12) apt_repository: repo: 'deb [signed-by={{ apt_keyring_dir }}/docker-debian.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable' + filename: docker.list state: present - filename: docker.list + when: ansible_distribution_major_version is version('12', '<') -- name: Drop unsigned Docker repository - apt_repository: - repo: 'deb https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable' - state: absent - filename: docker.list +- name: Add Docker repository (Debian >=12) + ansible.builtin.template: + src: docker.sources.j2 + dest: /etc/apt/sources.list.d/docker.sources + state: present + when: ansible_distribution_major_version is version('12', '>=') - name: Install Docker apt: diff --git a/docker-host/templates/docker.sources.j2 b/docker-host/templates/docker.sources.j2 new file mode 100644 index 00000000..5e349774 --- /dev/null +++ b/docker-host/templates/docker.sources.j2 @@ -0,0 +1,8 @@ +# {{ ansible_managed }} + +Types: deb +URIs: https://download.docker.com/linux/debian +Suites: {{ ansible_distribution_release }} +Components: stable +Signed-by: {{ apt_keyring_dir }}/docker-debian.asc +Enabled: yes \ No newline at end of file -- 2.39.2 From 45e8132d0765096e0f97799e2a7bf0f4d06d3cb2 Mon Sep 17 00:00:00 2001 
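Review bot: `Add Docker repository (Debian >=12)` passes `state: present` to `ansible.builtin.template`, which has no `state` parameter, so on Debian 12 hosts this task fails with an unsupported-parameter error before the sources file is written; drop that line (`src`, `dest` and a `mode: "0644"` are all it needs) unless patch 416's rewrite of this file, only partly visible here, already removes it. The `Drop unsigned Docker repository` task is removed rather than kept alongside the signed one, so hosts converged by the older role keep the unsigned `deb https://download.docker.com/...` line next to the new one; if every host has already had it removed, a comment saying so would justify the deletion. On a host upgraded in place from Debian 11 to 12, the `when` added to the `apt_repository` task also leaves the old `docker.list` in place while `docker.sources` is added, so apt sees the repository twice; an explicit `ansible.builtin.file: state: absent` for `/etc/apt/sources.list.d/docker.list` gated on Debian >=12 would keep the two definitions from coexisting.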
From: Jeremy Lecour Date: Sun, 19 Mar 2023 11:44:53 +0100 Subject: [PATCH 416/497] Install deb822 sources on Debian >=12 --- docker-host/tasks/main.yml | 39 ++++++----- elasticsearch/tasks/apt_sources.yml | 36 ++++++++++ elasticsearch/tasks/packages.yml | 70 +++---------------- elasticsearch/templates/elastic.sources.j2 | 8 +++ evolinux-base/tasks/hardware.dell.yml | 10 ++- filebeat/tasks/apt_sources.yml | 36 ++++++++++ filebeat/tasks/main.yml | 65 ++--------------- filebeat/templates/elastic.sources.j2 | 8 +++ .../files/{fluentd.asc => treasuredata.asc} | 0 fluentd/tasks/main.yml | 43 ++++-------- fluentd/templates/treasuredata.sources.j2 | 8 +++ jenkins/tasks/main.yml | 32 ++++----- jenkins/templates/jenkins.sources.j2 | 7 ++ kibana/tasks/apt_sources.yml | 36 ++++++++++ kibana/tasks/main.yml | 66 +++-------------- kibana/templates/elastic.sources.j2 | 8 +++ logstash/tasks/apt_sources.yml | 36 ++++++++++ logstash/tasks/main.yml | 65 ++--------------- logstash/templates/elastic.sources.j2 | 8 +++ metricbeat/tasks/apt_sources.yml | 36 ++++++++++ metricbeat/tasks/main.yml | 65 ++--------------- metricbeat/templates/elastic.sources.j2 | 8 +++ mongodb/tasks/main.yml | 11 +-- mongodb/tasks/main_bullseye.yml | 26 +------ newrelic/tasks/php.yml | 13 ++-- newrelic/tasks/sources.yml | 35 ++++------ newrelic/tasks/sysmond.yml | 4 +- newrelic/templates/newrelic.sources.j2 | 8 +++ nodejs/tasks/main.yml | 55 ++++++--------- nodejs/tasks/yarn.yml | 49 +++++-------- nodejs/templates/nodesource.sources.j2 | 8 +++ nodejs/templates/yarn.sources.j2 | 8 +++ php/tasks/sury_pre.yml | 60 +++++++++------- php/templates/sury.sources.j2 | 8 +++ postgresql/tasks/main.yml | 25 ++++--- postgresql/tasks/packages_bookworm.yml | 6 +- postgresql/tasks/packages_bullseye.yml | 1 + postgresql/tasks/packages_buster.yml | 1 + postgresql/tasks/packages_jessie.yml | 10 +-- postgresql/tasks/packages_stretch.yml | 1 + postgresql/tasks/pgdg-repo.yml | 31 ++++---- postgresql/tasks/postgis.yml | 1 + 
postgresql/templates/postgresql.sources.j2 | 8 +++ 43 files changed, 518 insertions(+), 541 deletions(-) create mode 100644 elasticsearch/tasks/apt_sources.yml create mode 100644 elasticsearch/templates/elastic.sources.j2 create mode 100644 filebeat/tasks/apt_sources.yml create mode 100644 filebeat/templates/elastic.sources.j2 rename fluentd/files/{fluentd.asc => treasuredata.asc} (100%) create mode 100644 fluentd/templates/treasuredata.sources.j2 create mode 100644 jenkins/templates/jenkins.sources.j2 create mode 100644 kibana/tasks/apt_sources.yml create mode 100644 kibana/templates/elastic.sources.j2 create mode 100644 logstash/tasks/apt_sources.yml create mode 100644 logstash/templates/elastic.sources.j2 create mode 100644 metricbeat/tasks/apt_sources.yml create mode 100644 metricbeat/templates/elastic.sources.j2 create mode 100644 newrelic/templates/newrelic.sources.j2 create mode 100644 nodejs/templates/nodesource.sources.j2 create mode 100644 nodejs/templates/yarn.sources.j2 create mode 100644 php/templates/sury.sources.j2 create mode 100644 postgresql/templates/postgresql.sources.j2 diff --git a/docker-host/tasks/main.yml b/docker-host/tasks/main.yml index 163ec76c..db57a6b6 100644 --- a/docker-host/tasks/main.yml +++ b/docker-host/tasks/main.yml @@ -1,7 +1,7 @@ # This role installs the docker daemon --- - name: Remove older docker packages - apt: + ansible.builtin.apt: name: - docker - docker-engine @@ -9,21 +9,21 @@ state: absent - name: Install source requirements - apt: + ansible.builtin.apt: name: - ca-certificates - gnupg2 state: present - name: Install apt-transport-https (Debian <10) - apt: + ansible.builtin.apt: name: - apt-transport-https state: present when: ansible_distribution_major_version is version('10', '<') - name: Add Docker's official GPG key - copy: + ansible.builtin.copy: src: docker-debian.asc dest: "{{ apt_keyring_dir }}/docker-debian.asc" force: yes 
@@ -32,10 +32,11 @@ group: root - name: Add Docker repository (Debian <12) - apt_repository: + ansible.builtin.apt_repository: repo: 'deb [signed-by={{ apt_keyring_dir }}/docker-debian.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable' - filename: docker.list + filename: docker state: present + update_cache: yes when: ansible_distribution_major_version is version('12', '<') - name: Add Docker repository (Debian >=12) @@ -43,43 +44,48 @@ src: docker.sources.j2 dest: /etc/apt/sources.list.d/docker.sources state: present + register: docker_sources when: ansible_distribution_major_version is version('12', '>=') +- name: Update APT cache + ansible.builtin.apt: + update_cache: yes + when: docker_sources is changed + - name: Install Docker - apt: + ansible.builtin.apt: name: - docker-ce - docker-ce-cli - containerd.io - update_cache: yes - name: python-docker is installed - apt: + ansible.builtin.apt: name: python-docker state: present when: ansible_python_version is version('3', '<') - name: python3-docker is installed - apt: + ansible.builtin.apt: name: python3-docker state: present when: ansible_python_version is version('3', '>=') - name: Copy Docker daemon configuration file - template: + ansible.builtin.template: src: daemon.json.j2 dest: /etc/docker/daemon.json notify: restart docker - name: Creating Docker tmp directory - file: + ansible.builtin.file: path: "{{ docker_tmpdir }}" state: directory mode: "0644" owner: root - name: Creating Docker TLS directory - file: + ansible.builtin.file: path: "{{ docker_tls_path }}" state: directory mode: "0644" @@ -87,7 +93,7 @@ when: docker_tls_enabled | bool - name: Copy shellpki utility to Docker TLS directory - template: + ansible.builtin.template: src: "{{ item }}.j2" dest: "{{ docker_tls_path }}/{{ item }}" mode: "0744" 
@@ -97,12 +103,13 @@ when: docker_tls_enabled | bool - name: Check if certs are already created - stat: + ansible.builtin.stat: path: "{{ docker_tls_path }}/certs" register: tls_certs_stat - name: Creating a CA, server key - command: "{{ docker_tls_path }}/shellpki.sh init" + ansible.builtin.command: + cmd: "{{ docker_tls_path }}/shellpki.sh init" when: - docker_tls_enabled | bool - not tls_certs_stat.stat.isdir diff --git a/elasticsearch/tasks/apt_sources.yml b/elasticsearch/tasks/apt_sources.yml new file mode 100644 index 00000000..a0395ffe --- /dev/null +++ b/elasticsearch/tasks/apt_sources.yml @@ -0,0 +1,36 @@ +--- +- name: APT https transport is enabled (Debian <10) + ansible.builtin.apt: + name: apt-transport-https + state: present + when: ansible_distribution_major_version is version('10', '<') + +- name: Elastic GPG key is installed + ansible.builtin.copy: + src: elastic.asc + dest: "{{ apt_keyring_dir }}/elastic.asc" + force: yes + mode: "0644" + owner: root + group: root + +- name: Add Elastic repository (Debian <12) + ansible.builtin.apt_repository: + repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" + filename: elastic + state: present + update_cache: yes + when: ansible_distribution_major_version is version('12', '<') + +- name: Add Elastic repository (Debian >=12) + ansible.builtin.template: + src: elastic.sources.j2 + dest: /etc/apt/sources.list.d/elastic.sources + state: present + register: elastic_sources + when: ansible_distribution_major_version is version('12', '>=') + +- name: Update APT cache + ansible.builtin.apt: + update_cache: yes + when: elastic_sources is changed \ No newline at end of file diff --git a/elasticsearch/tasks/packages.yml b/elasticsearch/tasks/packages.yml index 097d85e5..5188e3cc 100644 --- a/elasticsearch/tasks/packages.yml +++ b/elasticsearch/tasks/packages.yml 
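Review bot: The final 'Update APT cache' task in the new elasticsearch/tasks/apt_sources.yml uses `ansible.builtin.apt`, while the otherwise byte-identical copies added for filebeat, kibana, logstash and metricbeat use the short `apt` name, and all of them end without a trailing newline. Since the four files are the same apart from that spelling, a single shared task file (or at least one consistent module name) would keep future fixes, such as the missing file permissions on the template task, from diverging across roles.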
@@ -1,73 +1,23 @@ --- - -- name: APT https transport is enabled - apt: - name: apt-transport-https - state: present - tags: - - elasticsearch - - packages - -- name: Look for legacy apt keyring - stat: - path: /etc/apt/trusted.gpg - register: _trusted_gpg_keyring - tags: - - elasticsearch - - packages - -- name: Elastic embedded GPG key is absent - apt_key: - id: "D88E42B4" - keyring: /etc/apt/trusted.gpg - state: absent - when: _trusted_gpg_keyring.stat.exists - tags: - - elasticsearch - - packages - -- name: Elastic GPG key is installed - copy: - src: elastic.asc - dest: "{{ apt_keyring_dir }}/elastic.asc" - force: yes - mode: "0644" - owner: root - group: root - tags: - - elasticsearch - - packages - -- name: Elastic sources list is available - apt_repository: - repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" - filename: elastic - state: present - update_cache: yes - tags: - - elasticsearch - - packages - -- name: Unsigned Elastic sources list is not available - apt_repository: - repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" - filename: elastic - state: absent - update_cache: yes - tags: - - elasticsearch - - packages +- name: APT sources + ansible.builtin.import_tasks: apt_sources.yml + args: + apply: + tags: + - elasticsearch + - packages - name: Elasticsearch is installed - apt: + ansible.builtin.apt: name: elasticsearch state: present + update_cache: yes tags: - elasticsearch - packages - name: Elasticsearch service is enabled - service: + ansible.builtin.systemd: name: elasticsearch enabled: yes tags: diff --git a/elasticsearch/templates/elastic.sources.j2 b/elasticsearch/templates/elastic.sources.j2 new file mode 100644 index 00000000..93df736d --- /dev/null +++ b/elasticsearch/templates/elastic.sources.j2 
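Review bot: `apply` is an `include_tasks`-only option, and to my knowledge `import_tasks` rejects it at parse time ("Invalid options for import_tasks: apply"), so the new 'APT sources' task in elasticsearch/tasks/packages.yml cannot load. Imported tasks inherit the tags of the import statement, so the fix is to drop `args`/`apply` and write `- name: APT sources` / `  ansible.builtin.import_tasks: apt_sources.yml` / `  tags: [elasticsearch, packages]`. The same construct is used in filebeat/tasks/main.yml, kibana/tasks/main.yml, logstash/tasks/main.yml and metricbeat/tasks/main.yml. Separately, this hunk drops the 'Elastic embedded GPG key is absent' cleanup and the new apt_sources.yml does not carry it over, so hosts provisioned by earlier role versions keep the Elastic key in /etc/apt/trusted.gpg, where apt trusts it for every repository; keeping that stat/apt_key pair (also dropped in the fluentd, jenkins, mongodb and newrelic hunks) avoids that regression.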
@@ -0,0 +1,8 @@ +# {{ ansible_managed }} + +Types: deb +URIs: https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt +Suites: stable +Components: main +Signed-by: {{ apt_keyring_dir }}/elastic.asc +Enabled: yes \ No newline at end of file diff --git a/evolinux-base/tasks/hardware.dell.yml b/evolinux-base/tasks/hardware.dell.yml index 409d1e07..aa448147 100644 --- a/evolinux-base/tasks/hardware.dell.yml +++ b/evolinux-base/tasks/hardware.dell.yml @@ -55,6 +55,7 @@ ansible.builtin.apt_repository: repo: 'deb [signed-by={{ apt_keyring_dir }}/hwraid.le-vert.net.asc] http://hwraid.le-vert.net/debian {{ ansible_distribution_release }} main' state: present + update_cache: yes tags: - packages when: @@ -66,8 +67,13 @@ dest: /etc/apt/sources.list.d/hwraid.le-vert.net.sources tags: - packages - when: - - ansible_distribution_major_version is version('12', '>=') + register: hwraid_sources + when: ansible_distribution_major_version is version('12', '>=') + + - name: Update APT cache + apt: + update_cache: yes + when: hwraid_sources is changed - name: Install packages for DELL/LSI hardware ansible.builtin.apt: diff --git a/filebeat/tasks/apt_sources.yml b/filebeat/tasks/apt_sources.yml new file mode 100644 index 00000000..d6597c74 --- /dev/null +++ b/filebeat/tasks/apt_sources.yml 
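Review bot: The new 'Update APT cache' task in hardware.dell.yml uses the short `apt` module name while the neighbouring tasks use `ansible.builtin.apt_repository` and `ansible.builtin.apt`; write `ansible.builtin.apt:` for consistency. It also carries no `tags: [packages]`, unlike the two repository tasks around it, so unless the enclosing block (which starts outside the hunk) sets tags, a `--tags packages` run would add the deb822 source but skip the cache refresh.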
@@ -0,0 +1,36 @@ +--- +- name: APT https transport is enabled (Debian <10) + ansible.builtin.apt: + name: apt-transport-https + state: present + when: ansible_distribution_major_version is version('10', '<') + +- name: Elastic GPG key is installed + ansible.builtin.copy: + src: elastic.asc + dest: "{{ apt_keyring_dir }}/elastic.asc" + force: yes + mode: "0644" + owner: root + group: root + +- name: Add Elastic repository (Debian <12) + ansible.builtin.apt_repository: + repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" + filename: elastic + state: present + update_cache: yes + when: ansible_distribution_major_version is version('12', '<') + +- name: Add Elastic repository (Debian >=12) + ansible.builtin.template: + src: elastic.sources.j2 + dest: /etc/apt/sources.list.d/elastic.sources + state: present + register: elastic_sources + when: ansible_distribution_major_version is version('12', '>=') + +- name: Update APT cache + apt: + update_cache: yes + when: elastic_sources is changed \ No newline at end of file diff --git a/filebeat/tasks/main.yml b/filebeat/tasks/main.yml index 20858669..0c20cc6c 100644 --- a/filebeat/tasks/main.yml +++ b/filebeat/tasks/main.yml 
@@ -1,62 +1,11 @@ --- - -- name: APT https transport is enabled - apt: - name: apt-transport-https - state: present - tags: - - filebeat - - packages - -- name: Look for legacy apt keyring - stat: - path: /etc/apt/trusted.gpg - register: _trusted_gpg_keyring - tags: - - filebeat - - packages - -- name: Elastic embedded GPG key is absent - apt_key: - id: "D88E42B4" - keyring: /etc/apt/trusted.gpg - state: absent - when: _trusted_gpg_keyring.stat.exists - tags: - - filebeat - - packages - -- name: Elastic GPG key is installed - copy: - src: elastic.asc - dest: "{{ apt_keyring_dir }}/elastic.asc" - force: yes - mode: "0644" - owner: root - group: root - tags: - - filebeat - - packages - -- name: Elastic sources list is available - apt_repository: - repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" - filename: elastic - state: present - update_cache: yes - tags: - - filebeat - - packages - -- name: Unsigned Elastic sources list is not available - apt_repository: - repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" - filename: elastic - state: absent - update_cache: yes - tags: - - filebeat - - packages +- name: APT sources + import_tasks: apt_sources.yml + args: + apply: + tags: + - filebeat + - packages - name: Filebeat is installed apt: diff --git a/filebeat/templates/elastic.sources.j2 b/filebeat/templates/elastic.sources.j2 new file mode 100644 index 00000000..93df736d --- /dev/null +++ b/filebeat/templates/elastic.sources.j2 @@ -0,0 +1,8 @@ +# {{ ansible_managed }} + +Types: deb +URIs: https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt +Suites: stable +Components: main +Signed-by: {{ apt_keyring_dir }}/elastic.asc +Enabled: yes \ No newline at end of file 
diff --git a/fluentd/files/fluentd.asc b/fluentd/files/treasuredata.asc similarity index 100% rename from fluentd/files/fluentd.asc rename to fluentd/files/treasuredata.asc diff --git a/fluentd/tasks/main.yml b/fluentd/tasks/main.yml index 09f93082..21b432f3 100644 --- a/fluentd/tasks/main.yml +++ b/fluentd/tasks/main.yml @@ -1,27 +1,9 @@ --- -- name: Look for legacy apt keyring - stat: - path: /etc/apt/trusted.gpg - register: _trusted_gpg_keyring - tags: - - packages - - fluentd - -- name: Fluentd embedded GPG key is absent - apt_key: - id: "AB97ACBE" - keyring: /etc/apt/trusted.gpg - state: absent - when: _trusted_gpg_keyring.stat.exists - tags: - - packages - - fluentd - - name: Add Fluentd GPG key copy: - src: fluentd.asc - dest: "{{ apt_keyring_dir }}/fluentd.asc" + src: treasuredata.asc + dest: "{{ apt_keyring_dir }}/treasuredata.asc" force: yes mode: "0644" owner: root 
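Review bot: Renaming the key file to treasuredata.asc leaves the previously installed `{{ apt_keyring_dir }}/fluentd.asc` in place on hosts provisioned by earlier role versions, and nothing in the hunk removes it. If `apt_keyring_dir` resolves to /etc/apt/trusted.gpg.d, that orphaned file stays trusted for every repository rather than only the one referenced by `signed-by`. An `ansible.builtin.file` task with `path: "{{ apt_keyring_dir }}/fluentd.asc"` and `state: absent` next to the new copy task would retire the old path.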
@@ -30,30 +12,31 @@ - packages - fluentd -- name: Fluentd sources list is available +- name: Add Treasuredata repository (Debian <12) apt_repository: - repo: "deb [signed-by={{ apt_keyring_dir }}/fluentd.asc] http://packages.treasuredata.com/3/debian/{{ ansible_distribution_release }}/ {{ ansible_distribution_release }} contrib" - filename: treasuredata - update_cache: yes + repo: "deb [signed-by={{ apt_keyring_dir }}/treasuredata.asc] http://packages.treasuredata.com/3/debian/{{ ansible_distribution_release }}/ {{ ansible_distribution_release }} contrib" + filename: treasuredata.list state: present tags: - packages - fluentd + when: ansible_distribution_major_version is version('12', '<') -- name: Unsigned Fluentd sources list is not available - apt_repository: - repo: "deb http://packages.treasuredata.com/3/debian/{{ ansible_distribution_release }}/ {{ ansible_distribution_release }} contrib" - filename: treasuredata - update_cache: yes - state: absent +- name: Add Treasuredata repository (Debian >=12) + ansible.builtin.template: + src: treasuredata.sources.j2 + dest: /etc/apt/sources.list.d/treasuredata.sources + state: present tags: - packages - fluentd + when: ansible_distribution_major_version is version('12', '>=') - name: Fluentd is installed. apt: name: td-agent state: present + update_cache: yes tags: - fluentd - packages diff --git a/fluentd/templates/treasuredata.sources.j2 b/fluentd/templates/treasuredata.sources.j2 new file mode 100644 index 00000000..38dc3eb7 --- /dev/null +++ b/fluentd/templates/treasuredata.sources.j2 @@ -0,0 +1,8 @@ +# {{ ansible_managed }} + +Types: deb +URIs: http://packages.treasuredata.com/3/debian/{{ ansible_distribution_release }}/ +Suites: {{ ansible_distribution_release }} +Components: contrib +Signed-by: {{ apt_keyring_dir }}/treasuredata.asc +Enabled: yes \ No newline at end of file diff --git a/jenkins/tasks/main.yml b/jenkins/tasks/main.yml index 956892f4..3a855f9c 100644 --- a/jenkins/tasks/main.yml 
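Review bot: `filename: treasuredata.list` is inconsistent with the rest of this commit, which uses extension-less names (`filename: docker`, `filename: elastic`) for apt_repository; if, as I believe, the module appends `.list` itself, this produces treasuredata.list.list next to the file written by earlier runs. Use `filename: treasuredata`. Unlike the other roles, the Debian >=12 template task here is neither registered nor followed by an 'Update APT cache' task; it relies on the `update_cache: yes` added to the install task, which works but diverges from the pattern used elsewhere in the same commit.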
+++ b/jenkins/tasks/main.yml @@ -5,18 +5,6 @@ # http://mirrors.jenkins.io/.* # http://jenkins.mirror.isppower.de/.* -- name: Look for legacy apt keyring - stat: - path: /etc/apt/trusted.gpg - register: _trusted_gpg_keyring - -- name: Jenkins embedded GPG key is absent - apt_key: - id: "D50582E6" - keyring: /etc/apt/trusted.gpg - state: absent - when: _trusted_gpg_keyring.stat.exists - - name: Add Jenkins GPG key copy: src: jenkins.asc @@ -26,22 +14,30 @@ owner: root group: root -- name: Add jenkins APT repository +- name: Add Jenkins APT repository (Debian <12) apt_repository: repo: deb [signed-by={{ apt_keyring_dir }}/jenkins.asc] http://pkg.jenkins-ci.org/debian-stable binary/ filename: jenkins update_cache: yes + when: ansible_distribution_major_version is version('12', '<') -- name: Remove unsigned jenkins APT repository - apt_repository: - repo: deb http://pkg.jenkins-ci.org/debian-stable binary/ - filename: jenkins +- name: Add Jenkins repository (Debian >=12) + ansible.builtin.template: + src: jenkins.sources.j2 + dest: /etc/apt/sources.list.d/jenkins.sources + state: present + register: jenkins_sources + when: ansible_distribution_major_version is version('12', '>=') + +- name: Update APT cache + apt: update_cache: yes - state: absent + when: jenkins_sources is changed - name: Install Jenkins apt: name: jenkins + state: present - name: Change Jenkins port replace: diff --git a/jenkins/templates/jenkins.sources.j2 b/jenkins/templates/jenkins.sources.j2 new file mode 100644 index 00000000..c3578a03 --- /dev/null +++ b/jenkins/templates/jenkins.sources.j2 @@ -0,0 +1,7 @@ +# {{ ansible_managed }} + +Types: deb +URIs: http://pkg.jenkins-ci.org/debian-stable +Suites: binary/ +Signed-by: {{ apt_keyring_dir }}/jenkins.asc +Enabled: yes \ No newline at end of file diff --git a/kibana/tasks/apt_sources.yml b/kibana/tasks/apt_sources.yml new file mode 100644 index 00000000..d6597c74 --- /dev/null +++ b/kibana/tasks/apt_sources.yml 
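Review bot: Both the (Debian <12) `.list` line and the new deb822 template fetch Jenkins over plain `http://pkg.jenkins-ci.org`; `Signed-by` still protects package integrity, but the download is observable in transit and pkg.jenkins-ci.org looks like the legacy hostname, so verify it is still canonical and switch both URIs to https if the host serves TLS. The 'Add Jenkins APT repository (Debian <12)' task also has no explicit `state: present` while its sibling tasks do; the default is the same, but spelling it out keeps the two branches symmetric.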
@@ -0,0 +1,36 @@ +--- +- name: APT https transport is enabled (Debian <10) + ansible.builtin.apt: + name: apt-transport-https + state: present + when: ansible_distribution_major_version is version('10', '<') + +- name: Elastic GPG key is installed + ansible.builtin.copy: + src: elastic.asc + dest: "{{ apt_keyring_dir }}/elastic.asc" + force: yes + mode: "0644" + owner: root + group: root + +- name: Add Elastic repository (Debian <12) + ansible.builtin.apt_repository: + repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" + filename: elastic + state: present + update_cache: yes + when: ansible_distribution_major_version is version('12', '<') + +- name: Add Elastic repository (Debian >=12) + ansible.builtin.template: + src: elastic.sources.j2 + dest: /etc/apt/sources.list.d/elastic.sources + state: present + register: elastic_sources + when: ansible_distribution_major_version is version('12', '>=') + +- name: Update APT cache + apt: + update_cache: yes + when: elastic_sources is changed \ No newline at end of file diff --git a/kibana/tasks/main.yml b/kibana/tasks/main.yml index 341bfd13..176af2d3 100644 --- a/kibana/tasks/main.yml +++ b/kibana/tasks/main.yml 
@@ -1,67 +1,17 @@ --- - -- name: APT https transport is enabled - apt: - name: apt-transport-https - state: present - tags: - - kibana - - packages - -- name: Look for legacy apt keyring - stat: - path: /etc/apt/trusted.gpg - register: _trusted_gpg_keyring - tags: - - kibana - - packages - -- name: Elastic embedded GPG key is absent - apt_key: - id: "D88E42B4" - keyring: /etc/apt/trusted.gpg - state: absent - when: _trusted_gpg_keyring.stat.exists - tags: - - kibana - - packages - -- name: Elastic GPG key is installed - copy: - src: elastic.asc - dest: "{{ apt_keyring_dir }}/elastic.asc" - force: yes - mode: "0644" - owner: root - group: root - tags: - - kibana - - packages - -- name: Elastic sources list is available - apt_repository: - repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" - filename: elastic - state: present - update_cache: yes - tags: - - kibana - - packages - -- name: Unsigned Elastic sources list is not available - apt_repository: - repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" - filename: elastic - state: absent - update_cache: yes - tags: - - kibana - - packages +- name: APT sources + import_tasks: apt_sources.yml + args: + apply: + tags: + - kibana + - packages - name: Kibana is installed apt: name: kibana state: present + update_cache: yes tags: - kibana - packages diff --git a/kibana/templates/elastic.sources.j2 b/kibana/templates/elastic.sources.j2 new file mode 100644 index 00000000..93df736d --- /dev/null +++ b/kibana/templates/elastic.sources.j2 @@ -0,0 +1,8 @@ +# {{ ansible_managed }} + +Types: deb +URIs: https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt +Suites: stable +Components: main +Signed-by: {{ apt_keyring_dir }}/elastic.asc +Enabled: yes \ No newline at end of file 
diff --git a/logstash/tasks/apt_sources.yml b/logstash/tasks/apt_sources.yml new file mode 100644 index 00000000..d6597c74 --- /dev/null +++ b/logstash/tasks/apt_sources.yml @@ -0,0 +1,36 @@ +--- +- name: APT https transport is enabled (Debian <10) + ansible.builtin.apt: + name: apt-transport-https + state: present + when: ansible_distribution_major_version is version('10', '<') + +- name: Elastic GPG key is installed + ansible.builtin.copy: + src: elastic.asc + dest: "{{ apt_keyring_dir }}/elastic.asc" + force: yes + mode: "0644" + owner: root + group: root + +- name: Add Elastic repository (Debian <12) + ansible.builtin.apt_repository: + repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" + filename: elastic + state: present + update_cache: yes + when: ansible_distribution_major_version is version('12', '<') + +- name: Add Elastic repository (Debian >=12) + ansible.builtin.template: + src: elastic.sources.j2 + dest: /etc/apt/sources.list.d/elastic.sources + state: present + register: elastic_sources + when: ansible_distribution_major_version is version('12', '>=') + +- name: Update APT cache + apt: + update_cache: yes + when: elastic_sources is changed \ No newline at end of file diff --git a/logstash/tasks/main.yml b/logstash/tasks/main.yml index d1f4b2da..11b0a0bf 100644 --- a/logstash/tasks/main.yml +++ b/logstash/tasks/main.yml 
@@ -1,62 +1,11 @@ --- - -- name: APT https transport is enabled - apt: - name: apt-transport-https - state: present - tags: - - logstash - - packages - -- name: Look for legacy apt keyring - stat: - path: /etc/apt/trusted.gpg - register: _trusted_gpg_keyring - tags: - - logstash - - packages - -- name: Elastic embedded GPG key is absent - apt_key: - id: "D88E42B4" - keyring: /etc/apt/trusted.gpg - state: absent - when: _trusted_gpg_keyring.stat.exists - tags: - - logstash - - packages - -- name: Elastic GPG key is installed - copy: - src: elastic.asc - dest: "{{ apt_keyring_dir }}/elastic.asc" - force: yes - mode: "0644" - owner: root - group: root - tags: - - logstash - - packages - -- name: Elastic sources list is available - apt_repository: - repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" - filename: elastic - state: present - update_cache: yes - tags: - - logstash - - packages - -- name: Unsigned Elastic sources list is not available - apt_repository: - repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" - filename: elastic - state: absent - update_cache: yes - tags: - - logstash - - packages +- name: APT sources + import_tasks: apt_sources.yml + args: + apply: + tags: + - logstash + - packages - name: Logstash is installed apt: diff --git a/logstash/templates/elastic.sources.j2 b/logstash/templates/elastic.sources.j2 new file mode 100644 index 00000000..93df736d --- /dev/null +++ b/logstash/templates/elastic.sources.j2 @@ -0,0 +1,8 @@ +# {{ ansible_managed }} + +Types: deb +URIs: https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt +Suites: stable +Components: main +Signed-by: {{ apt_keyring_dir }}/elastic.asc +Enabled: yes \ No newline at end of file diff --git a/metricbeat/tasks/apt_sources.yml b/metricbeat/tasks/apt_sources.yml new file mode 100644 index 00000000..d6597c74 
--- /dev/null +++ b/metricbeat/tasks/apt_sources.yml @@ -0,0 +1,36 @@ +--- +- name: APT https transport is enabled (Debian <10) + ansible.builtin.apt: + name: apt-transport-https + state: present + when: ansible_distribution_major_version is version('10', '<') + +- name: Elastic GPG key is installed + ansible.builtin.copy: + src: elastic.asc + dest: "{{ apt_keyring_dir }}/elastic.asc" + force: yes + mode: "0644" + owner: root + group: root + +- name: Add Elastic repository (Debian <12) + ansible.builtin.apt_repository: + repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" + filename: elastic + state: present + update_cache: yes + when: ansible_distribution_major_version is version('12', '<') + +- name: Add Elastic repository (Debian >=12) + ansible.builtin.template: + src: elastic.sources.j2 + dest: /etc/apt/sources.list.d/elastic.sources + state: present + register: elastic_sources + when: ansible_distribution_major_version is version('12', '>=') + +- name: Update APT cache + apt: + update_cache: yes + when: elastic_sources is changed \ No newline at end of file diff --git a/metricbeat/tasks/main.yml b/metricbeat/tasks/main.yml index 71d65022..7fc21d09 100644 --- a/metricbeat/tasks/main.yml +++ b/metricbeat/tasks/main.yml 
@@ -1,62 +1,11 @@ --- - -- name: APT https transport is enabled - apt: - name: apt-transport-https - state: present - tags: - - metricbeat - - packages - -- name: Look for legacy apt keyring - stat: - path: /etc/apt/trusted.gpg - register: _trusted_gpg_keyring - tags: - - metricbeat - - packages - -- name: Elastic embedded GPG key is absent - apt_key: - id: "D88E42B4" - keyring: /etc/apt/trusted.gpg - state: absent - when: _trusted_gpg_keyring.stat.exists - tags: - - metricbeat - - packages - -- name: Elastic GPG key is installed - copy: - src: elastic.asc - dest: "{{ apt_keyring_dir }}/elastic.asc" - force: yes - mode: "0644" - owner: root - group: root - tags: - - metricbeat - - packages - -- name: Elastic sources list is available - apt_repository: - repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" - filename: elastic - state: present - update_cache: yes - tags: - - metricbeat - - packages - -- name: Elastic sources list is available - apt_repository: - repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" - filename: elastic - state: absent - update_cache: yes - tags: - - metricbeat - - packages +- name: APT sources + import_tasks: apt_sources.yml + args: + apply: + tags: + - metricbeat + - packages - name: Metricbeat is installed apt: diff --git a/metricbeat/templates/elastic.sources.j2 b/metricbeat/templates/elastic.sources.j2 new file mode 100644 index 00000000..93df736d --- /dev/null +++ b/metricbeat/templates/elastic.sources.j2 @@ -0,0 +1,8 @@ +# {{ ansible_managed }} + +Types: deb +URIs: https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt +Suites: stable +Components: main +Signed-by: {{ apt_keyring_dir }}/elastic.asc +Enabled: yes \ No newline at end of file diff --git a/mongodb/tasks/main.yml b/mongodb/tasks/main.yml index 3054ccfe..a71651bf 100644 
--- a/mongodb/tasks/main.yml +++ b/mongodb/tasks/main.yml @@ -1,13 +1,14 @@ --- -- include: main_jessie.yml +- ansible.builtin.import_tasks: main_jessie.yml when: ansible_distribution_release == "jessie" -- include: main_stretch.yml +- ansible.builtin.import_tasks: main_stretch.yml when: ansible_distribution_release == "stretch" -- include: main_buster.yml +- ansible.builtin.import_tasks: main_buster.yml when: ansible_distribution_release == "buster" -- include: main_bullseye.yml - when: ansible_distribution_major_version is version('11', '>=') +- ansible.builtin.import_tasks: main_bullseye.yml + when: ansible_distribution_release == "bullseye" + diff --git a/mongodb/tasks/main_bullseye.yml b/mongodb/tasks/main_bullseye.yml index c17642ea..aa20fb97 100644 --- a/mongodb/tasks/main_bullseye.yml +++ b/mongodb/tasks/main_bullseye.yml @@ -1,22 +1,10 @@ --- - fail: - msg: Not compatible with Debian 11 (Bullseye) + msg: MongoDB versions <4.2 are not compatible with Debian 11 (Bullseye) when: - ansible_distribution_release == "bullseye" - - mongodb_version is version('5.0', '<') - -- name: Look for legacy apt keyring - stat: - path: /etc/apt/trusted.gpg - register: _trusted_gpg_keyring - -- name: MongoDB embedded GPG key is absent - apt_key: - id: "B8612B5D" - keyring: /etc/apt/trusted.gpg - state: absent - when: _trusted_gpg_keyring.stat.exists + - mongodb_version is version('5.2', '<') - name: Add MongoDB GPG key copy: 
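Review bot: With the last import now guarded by `ansible_distribution_release == "bullseye"` instead of `version('11', '>=')`, a Debian 12 host matches none of the four branches and the mongodb role silently does nothing, which contradicts the commit title. Either add a bookworm task file or append a guard such as `- ansible.builtin.fail:` / `    msg: "Unsupported Debian release for the mongodb role"` / `  when: ansible_distribution_major_version is version('12', '>=')`. In main_bullseye.yml the new fail message says versions `<4.2` are incompatible while the condition tests `version('5.2', '<')`; the text and the threshold should agree (5.0 was the previous value).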
@@ -27,19 +15,11 @@ owner: root group: root -- name: Enable APT sources list +- name: Add MongoDB repository apt_repository: repo: "deb [signed-by={{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc] http://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{ mongodb_version }} main" state: present filename: "mongodb-org-{{ mongodb_version }}" - update_cache: yes - -- name: Disable unsigned APT sources list - apt_repository: - repo: "deb http://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{ mongodb_version }} main" - state: absent - filename: "mongodb-org-{{ mongodb_version }}" - update_cache: yes - name: Install packages apt: diff --git a/newrelic/tasks/php.yml b/newrelic/tasks/php.yml index 3bd4d809..5afe937d 100644 --- a/newrelic/tasks/php.yml +++ b/newrelic/tasks/php.yml @@ -1,7 +1,7 @@ --- - name: Pre-seed package configuration with app name - debconf: + ansible.builtin.debconf: name: newrelic-php5 question: "newrelic-php5/application-name" value: "{{ newrelic_appname }}" @@ -9,7 +9,7 @@ when: newrelic_appname | length > 0 - name: Pre-seed package configuration with license - debconf: + ansible.builtin.debconf: name: newrelic-php5 question: "newrelic-php5/license-key" value: "{{ newrelic_license }}" 
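Review bot: Removing `update_cache: yes` from the 'Add MongoDB repository' task leaves no cache refresh in this file after the source is added, and no `register`/'Update APT cache' pair was introduced as in the other roles; unless the 'Install packages' task (outside the hunk) sets `update_cache: yes`, the first run installs from a stale index and cannot find mongodb-org. Either restore `update_cache: yes` on the apt_repository task or confirm the install task refreshes the cache.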
@@ -17,26 +17,27 @@ when: newrelic_license | length > 0 - name: list newrelic config files - shell: "find /etc/php* -type f -name newrelic.ini" + ansible.builtin.shell: + cmd: "find /etc/php* -type f -name newrelic.ini" changed_when: False check_mode: no register: find_newrelic_ini - name: Disable AWS detection - lineinfile: + ansible.builtin.lineinfile: dest: "{{ item }}" regexp: '^;?newrelic.daemon.utilization.detect_aws' line: 'newrelic.daemon.utilization.detect_aws = false' loop: "{{ find_newrelic_ini.stdout_lines }}" - name: Disable Docker detection - lineinfile: + ansible.builtin.lineinfile: dest: "{{ item }}" regexp: '^;?newrelic.daemon.utilization.detect_docker' line: 'newrelic.daemon.utilization.detect_docker = false' loop: "{{ find_newrelic_ini.stdout_lines }}" - name: Install package for PHP - apt: + ansible.builtin.apt: name: newrelic-php5 state: present diff --git a/newrelic/tasks/sources.yml b/newrelic/tasks/sources.yml index cda58a85..22473df1 100644 --- a/newrelic/tasks/sources.yml +++ b/newrelic/tasks/sources.yml @@ -1,19 +1,7 @@ --- -- name: Look for legacy apt keyring - stat: - path: /etc/apt/trusted.gpg - register: _trusted_gpg_keyring - -- name: NewRelic embedded GPG key is absent - apt_key: - id: "548C16BF" - keyring: /etc/apt/trusted.gpg - state: absent - when: _trusted_gpg_keyring.stat.exists - - name: Add NewRelic GPG key - copy: + ansible.builtin.copy: src: newrelic.asc dest: "{{ apt_keyring_dir }}/newrelic.asc" force: yes 
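Review bot: The shell `find /etc/php* -type f -name newrelic.ini` could be expressed with `ansible.builtin.find` (`paths: /etc`, `patterns: newrelic.ini`, `recurse: true`) and the two loops changed to `find_newrelic_ini.files | map(attribute='path') | list`, which avoids spawning a shell for a fixed glob; note that this widens the search root from /etc/php* to /etc, so keep the shell form if that matters. If it stays, `changed_when: False` and `check_mode: no` are already the right settings for a read-only probe.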
@@ -21,16 +9,23 @@ owner: root group: root -- name: Install NewRelic repository - apt_repository: +- name: Install NewRelic repository (Debian <12) + ansible.builtin.apt_repository: repo: "deb [signed-by={{ apt_keyring_dir }}/newrelic.asc] http://apt.newrelic.com/debian/ newrelic non-free" state: present filename: newrelic update_cache: yes + when: ansible_distribution_major_version is version('12', '<') -- name: Desinstall unsigned NewRelic repository - apt_repository: - repo: "deb http://apt.newrelic.com/debian/ newrelic non-free" - state: absent - filename: newrelic +- name: Add NewRelic repository (Debian >=12) + ansible.builtin.template: + src: newrelic.sources.j2 + dest: /etc/apt/sources.list.d/newrelic.sources + state: present + register: newrelic_sources + when: ansible_distribution_major_version is version('12', '>=') + +- name: Update APT cache + ansible.builtin.apt: update_cache: yes + when: newrelic_sources is changed \ No newline at end of file diff --git a/newrelic/tasks/sysmond.yml b/newrelic/tasks/sysmond.yml index e5c5bab9..a6f7fdf6 100644 --- a/newrelic/tasks/sysmond.yml +++ b/newrelic/tasks/sysmond.yml @@ -1,11 +1,11 @@ --- - name: Install system monitor daemon - apt: + ansible.builtin.apt: name: newrelic-sysmond - name: Set license key for newrelic-sysmond - replace: + ansible.builtin.replace: dest: /etc/newrelic/nrsysmond.cfg regexp: "license_key=REPLACE_WITH_REAL_KEY" replace: "license_key={{ newrelic_license }}" diff --git a/newrelic/templates/newrelic.sources.j2 b/newrelic/templates/newrelic.sources.j2 new file mode 100644 index 00000000..85145fc0 --- /dev/null +++ b/newrelic/templates/newrelic.sources.j2 @@ -0,0 +1,8 @@ +# {{ ansible_managed }} + +Types: deb +URIs: http://apt.newrelic.com/debian/ +Suites: newrelic +Components: non-free +Signed-by: {{ apt_keyring_dir }}/newrelic.asc +Enabled: yes \ No newline at end of file diff --git a/nodejs/tasks/main.yml b/nodejs/tasks/main.yml index 1bd6d38f..f79f058c 100644 --- a/nodejs/tasks/main.yml 
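Review bot: `state: present` under `ansible.builtin.template` in the "Add NewRelic repository (Debian >=12)" task is not an option of that module, and as far as I can tell it is passed through to the copy module, which rejects unknown parameters; I would therefore expect the Debian >=12 branch to fail with an unsupported-parameter error instead of writing the sources file. Dropping the line leaves the task equivalent, since template always writes its destination. The same line is carried into nodejs/tasks/main.yml, nodejs/tasks/yarn.yml, php/tasks/sury_pre.yml and postgresql/tasks/pgdg-repo.yml in this commit, and fluentd/tasks/main.yml already has it as context.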
+++ b/nodejs/tasks/main.yml @@ -1,36 +1,17 @@ --- -- name: APT https transport is enabled - apt: +- name: APT https transport is enabled (Debian <10) + ansible.builtin.apt: name: apt-transport-https state: present tags: - system - packages - nodejs - -- name: Look for legacy apt keyring - stat: - path: /etc/apt/trusted.gpg - register: _trusted_gpg_keyring - tags: - - system - - packages - - nodejs - -- name: NodeJS embedded GPG key is absent - apt_key: - id: "68576280" - keyring: /etc/apt/trusted.gpg - state: absent - when: _trusted_gpg_keyring.stat.exists - tags: - - system - - packages - - nodejs + when: ansible_distribution_major_version is version('10', '<') - name: NodeJS GPG key is installed - copy: + ansible.builtin.copy: src: nodesource.asc dest: "{{ apt_keyring_dir }}/nodesource.asc" mode: "0644" @@ -41,8 +22,8 @@ - packages - nodejs -- name: NodeJS sources list ({{ nodejs_apt_version }}) is available - apt_repository: +- name: Add NodeJS repository (Debian <12) + ansible.builtin.apt_repository: repo: "deb [signed-by={{ apt_keyring_dir }}/nodesource.asc] https://deb.nodesource.com/{{ nodejs_apt_version }} {{ ansible_distribution_release }} main" filename: nodesource update_cache: yes 
@@ -51,26 +32,32 @@ - system - packages - nodejs + when: ansible_distribution_major_version is version('12', '<') -- name: Unsigned NodeJS sources list ({{ nodejs_apt_version }}) is not available - apt_repository: - repo: "deb https://deb.nodesource.com/{{ nodejs_apt_version }} {{ ansible_distribution_release }} main" - filename: nodesource - update_cache: yes - state: absent +- name: Add NodeJS repository (Debian >=12) + ansible.builtin.template: + src: nodesource.sources.j2 + dest: /etc/apt/sources.list.d/nodesource.sources + state: present + register: nodesource_sources tags: - system - packages - nodejs + when: ansible_distribution_major_version is version('12', '>=') + +- name: Update APT cache + ansible.builtin.apt: + update_cache: yes + when: nodesource_sources is changed - name: NodeJS is installed - apt: + ansible.builtin.apt: name: nodejs state: present - update_cache: yes tags: - packages - nodejs -- include: yarn.yml +- ansible.builtin.import_tasks: yarn.yml when: nodejs_install_yarn | bool diff --git a/nodejs/tasks/yarn.yml b/nodejs/tasks/yarn.yml index 5d585c42..645f8f90 100644 --- a/nodejs/tasks/yarn.yml +++ b/nodejs/tasks/yarn.yml @@ -1,29 +1,7 @@ --- -- name: Look for legacy apt keyring - stat: - path: /etc/apt/trusted.gpg - register: _trusted_gpg_keyring - tags: - - system - - packages - - nodejs - - yarn - -- name: Yarn embedded GPG key is absent - apt_key: - id: "86E50310" - keyring: /etc/apt/trusted.gpg - state: absent - when: _trusted_gpg_keyring.stat.exists - tags: - - system - - packages - - nodejs - - yarn - - name: Yarn GPG key is installed - copy: + ansible.builtin.copy: src: yarn.asc dest: "{{ apt_keyring_dir }}/yarn.asc" mode: "0644" 
@@ -35,32 +13,39 @@ - nodejs - yarn -- name: Yarn sources list is available - apt_repository: +- name: Add Yarn repository (Debian <12) + ansible.builtin.apt_repository: repo: "deb [signed-by={{ apt_keyring_dir }}/yarn.asc] https://dl.yarnpkg.com/debian/ stable main" filename: yarn - update_cache: yes state: present tags: - system - packages - nodejs - yarn + when: ansible_distribution_major_version is version('12', '<') -- name: Unsigned Yarn sources list is not available - apt_repository: - repo: "deb https://dl.yarnpkg.com/debian/ stable main" - filename: yarn +- name: Add Yarn repository (Debian >=12) + ansible.builtin.template: + src: yarn.sources.j2 + dest: /etc/apt/sources.list.d/yarn.sources + state: present update_cache: yes - state: absent + register: yarn_sources tags: - system - packages - nodejs - yarn + when: ansible_distribution_major_version is version('12', '>=') + +- name: Update APT cache + ansible.builtin.apt: + update_cache: yes + when: yarn_sources is changed - name: Yarn is installed - apt: + ansible.builtin.apt: name: yarn state: present tags: diff --git a/nodejs/templates/nodesource.sources.j2 b/nodejs/templates/nodesource.sources.j2 new file mode 100644 index 00000000..02a4653a --- /dev/null +++ b/nodejs/templates/nodesource.sources.j2 @@ -0,0 +1,8 @@ +# {{ ansible_managed }} + +Types: deb +URIs: https://deb.nodesource.com/{{ nodejs_apt_version }} +Suites: {{ ansible_distribution_release }} +Components: main +Signed-by: {{ apt_keyring_dir }}/nodesource.asc +Enabled: yes \ No newline at end of file diff --git a/nodejs/templates/yarn.sources.j2 b/nodejs/templates/yarn.sources.j2 new file mode 100644 index 00000000..cd98bc13 --- /dev/null +++ b/nodejs/templates/yarn.sources.j2 @@ -0,0 +1,8 @@ +# {{ ansible_managed }} + +Types: deb +URIs: https://dl.yarnpkg.com/debian/ +Suites: stable +Components: main +Signed-by: {{ apt_keyring_dir }}/yarn.asc +Enabled: yes 
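Review bot: In the "Add Yarn repository (Debian >=12)" task the untouched context line `update_cache: yes` now sits under `ansible.builtin.template`, which has no such option, so the task would be rejected before the sources file is written. It looks like a leftover from the removed "Unsigned Yarn sources list" apt_repository task; the fix is to delete that line, since the "Update APT cache" task added below already refreshes the index via `yarn_sources is changed`.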
diff --git a/php/tasks/sury_pre.yml b/php/tasks/sury_pre.yml index 0d146555..7f5b6bf4 100644 --- a/php/tasks/sury_pre.yml +++ b/php/tasks/sury_pre.yml @@ -1,12 +1,10 @@ --- -- name: Setup deb.sury.org repository - Add GPG key - copy: - src: sury.gpg - dest: "{{ apt_keyring_dir }}/sury.gpg" - mode: "0644" - owner: root - group: root +- name: Setup deb.sury.org repository - Install apt-transport-https + apt: + name: apt-transport-https + state: present + when: ansible_distribution_major_version is version('10', '<') - name: copy pub.evolix.org GPG key copy: @@ -16,18 +14,6 @@ owner: root group: root -- name: Setup deb.sury.org repository - Install apt-transport-https - apt: - state: present - name: apt-transport-https - -- name: Setup deb.sury.org repository - Add preferences file - copy: - src: sury.preferences - dest: /etc/apt/preferences.d/z-sury - when: - - ansible_distribution_release != "bullseye" - - name: Setup pub.evolix.org repository - Add source list apt_repository: repo: "deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix {{ ansible_distribution_release }}-php81 main" 
@@ -36,17 +22,41 @@ when: - ansible_distribution_release == "bullseye" -- name: Setup deb.sury.org repository - Add source list +- name: Setup deb.sury.org repository - Add preferences file + copy: + src: sury.preferences + dest: /etc/apt/preferences.d/z-sury + when: + - ansible_distribution_release != "bullseye" + +- name: Setup deb.sury.org repository - Add GPG key + copy: + src: sury.gpg + dest: "{{ apt_keyring_dir }}/sury.gpg" + mode: "0644" + owner: root + group: root + +- name: Add Sury repository (Debian <12) apt_repository: repo: "deb [signed-by={{ apt_keyring_dir }}/sury.gpg] https://packages.sury.org/php/ {{ ansible_distribution_release }} main" filename: sury state: present + update_cache: yes + when: ansible_distribution_major_version is version('12', '<') -- name: Setup deb.sury.org repository - Remove unsigned source list - apt_repository: - repo: "deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main" - filename: sury - state: absent +- name: Add Sury repository (Debian >=12) + ansible.builtin.template: + src: sury.sources.j2 + dest: /etc/apt/sources.list.d/sury.sources + state: present + register: sury_sources + when: ansible_distribution_major_version is version('12', '>=') + +- name: Update APT cache + apt: + update_cache: yes + when: sury_sources is changed - name: "Override package list for Sury (Debian 9 or later)" set_fact: diff --git a/php/templates/sury.sources.j2 b/php/templates/sury.sources.j2 new file mode 100644 index 00000000..7d8a95c5 --- /dev/null +++ b/php/templates/sury.sources.j2 @@ -0,0 +1,8 @@ +# {{ ansible_managed }} + +Types: deb +URIs: https://packages.sury.org/php/ +Suites: {{ ansible_distribution_release }} +Components: main +Signed-by: {{ apt_keyring_dir }}/sury.gpg +Enabled: yes \ No newline at end of file diff --git a/postgresql/tasks/main.yml b/postgresql/tasks/main.yml index 1783a763..14d9f9eb 100644 --- a/postgresql/tasks/main.yml +++ b/postgresql/tasks/main.yml 
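Review bot: php/tasks/sury_pre.yml now mixes `ansible.builtin.template` with short module names (`apt:`, `copy:`, `apt_repository:`) in the same file, while the newrelic and nodejs task files in this commit were converted wholesale to `ansible.builtin.*`. Converting the remaining modules here, e.g. `ansible.builtin.apt:` in the new "Update APT cache" task and `ansible.builtin.apt_repository:` in "Add Sury repository (Debian <12)", keeps one convention across the series. The task list continues outside the hunk.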
@@ -1,25 +1,28 @@ --- -- include: locales.yml +- ansible.builtin.import_tasks: locales.yml -- include: packages_jessie.yml +- ansible.builtin.import_tasks: packages_jessie.yml when: ansible_distribution_release == "jessie" -- include: packages_stretch.yml +- ansible.builtin.import_tasks: packages_stretch.yml when: ansible_distribution_release == "stretch" -- include: packages_buster.yml +- ansible.builtin.import_tasks: packages_buster.yml when: ansible_distribution_release == "buster" -- include: packages_bullseye.yml - when: ansible_distribution_major_version is version('11', '>=') +- ansible.builtin.import_tasks: packages_bullseye.yml + when: ansible_distribution_release == "bullseye" -- include: config.yml +- ansible.builtin.import_tasks: packages_bookworm.yml + when: ansible_distribution_release == "bookworm" -- include: nrpe.yml +- ansible.builtin.import_tasks: config.yml -- include: munin.yml +- ansible.builtin.import_tasks: nrpe.yml -- include: logrotate.yml +- ansible.builtin.import_tasks: munin.yml -- include: postgis.yml +- ansible.builtin.import_tasks: logrotate.yml + +- ansible.builtin.import_tasks: postgis.yml when: postgresql_install_postgis | bool diff --git a/postgresql/tasks/packages_bookworm.yml b/postgresql/tasks/packages_bookworm.yml index 8db31b9b..c2088c39 100644 --- a/postgresql/tasks/packages_bookworm.yml +++ b/postgresql/tasks/packages_bookworm.yml @@ -1,15 +1,15 @@ --- - name: "Set variables (Debian 12)" - set_fact: + ansible.builtin.set_fact: postgresql_version: '15' when: postgresql_version is none or postgresql_version | length == 0 -- include: pgdg-repo.yml +- ansible.builtin.import_tasks: pgdg-repo.yml when: postgresql_version != '15' - name: Install postgresql package - apt: + ansible.builtin.apt: name: - "postgresql-{{ postgresql_version }}" - pgtop diff --git a/postgresql/tasks/packages_bullseye.yml b/postgresql/tasks/packages_bullseye.yml index e825b799..bfbac181 100644 --- a/postgresql/tasks/packages_bullseye.yml 
+++ b/postgresql/tasks/packages_bullseye.yml @@ -14,3 +14,4 @@ - "postgresql-{{ postgresql_version }}" - pgtop - libdbd-pg-perl + update_cache: yes diff --git a/postgresql/tasks/packages_buster.yml b/postgresql/tasks/packages_buster.yml index 7ecf11be..3e8851fb 100644 --- a/postgresql/tasks/packages_buster.yml +++ b/postgresql/tasks/packages_buster.yml @@ -14,3 +14,4 @@ - "postgresql-{{ postgresql_version }}" - pgtop - libdbd-pg-perl + update_cache: yes diff --git a/postgresql/tasks/packages_jessie.yml b/postgresql/tasks/packages_jessie.yml index 60bb2247..70b5e181 100644 --- a/postgresql/tasks/packages_jessie.yml +++ b/postgresql/tasks/packages_jessie.yml @@ -10,8 +10,8 @@ - name: Install postgresql package apt: - name: '{{ item }}' - loop: - - "postgresql-{{ postgresql_version }}" - - ptop - - libdbd-pg-perl + name: + - "postgresql-{{ postgresql_version }}" + - ptop + - libdbd-pg-perl + update_cache: yes diff --git a/postgresql/tasks/packages_stretch.yml b/postgresql/tasks/packages_stretch.yml index 45b8840c..97a71952 100644 --- a/postgresql/tasks/packages_stretch.yml +++ b/postgresql/tasks/packages_stretch.yml @@ -14,3 +14,4 @@ - "postgresql-{{ postgresql_version }}" - ptop - libdbd-pg-perl + update_cache: yes diff --git a/postgresql/tasks/pgdg-repo.yml b/postgresql/tasks/pgdg-repo.yml index ef467f97..9db20921 100644 --- a/postgresql/tasks/pgdg-repo.yml +++ b/postgresql/tasks/pgdg-repo.yml @@ -8,18 +8,6 @@ - meta: flush_handlers -- name: Look for legacy apt keyring - stat: - path: /etc/apt/trusted.gpg - register: _trusted_gpg_keyring - -- name: PGDG embedded GPG key is absent - apt_key: - id: "ACCC4CF8" - keyring: /etc/apt/trusted.gpg - state: absent - when: _trusted_gpg_keyring.stat.exists - - name: Add PGDG GPG key copy: src: postgresql.asc 
@@ -29,16 +17,25 @@ owner: root group: root -- name: Add PGDG repository +- name: Add PGDG repository (Debian <12) apt_repository: repo: "deb [signed-by={{ apt_keyring_dir }}/postgresql.asc] http://apt.postgresql.org/pub/repos/apt/ {{ ansible_distribution_release }}-pgdg main" + filename: postgresql update_cache: yes + when: ansible_distribution_major_version is version('12', '<') -- name: Remove unsigned PGDG repository - apt_repository: - repo: "deb http://apt.postgresql.org/pub/repos/apt/ {{ ansible_distribution_release }}-pgdg main" +- name: Add PGDG repository (Debian >=12) + ansible.builtin.template: + src: postgresql.sources.j2 + dest: /etc/apt/sources.list.d/postgresql.sources + state: present + register: postgresql_sources + when: ansible_distribution_major_version is version('12', '>=') + +- name: Update APT cache + ansible.builtin.apt: update_cache: yes - state: absent + when: elastic_sources is changed - name: Add APT preference file template: diff --git a/postgresql/tasks/postgis.yml b/postgresql/tasks/postgis.yml index f2300943..dbd511e9 100644 --- a/postgresql/tasks/postgis.yml +++ b/postgresql/tasks/postgis.yml @@ -5,3 +5,4 @@ - postgis - "postgresql-{{ postgresql_version }}-postgis-2.5" - "postgresql-{{ postgresql_version }}-postgis-2.5-scripts" + update_cache: yes diff --git a/postgresql/templates/postgresql.sources.j2 b/postgresql/templates/postgresql.sources.j2 new file mode 100644 index 00000000..38284d20 --- /dev/null +++ b/postgresql/templates/postgresql.sources.j2 @@ -0,0 +1,8 @@ +# {{ ansible_managed }} + +Types: deb +URIs: http://apt.postgresql.org/pub/repos/apt/ +Suites: {{ ansible_distribution_release }}-pgdg +Components: main +Signed-by: {{ apt_keyring_dir }}/postgresql.asc +Enabled: yes \ No newline at end of file -- 2.39.2 From efd6e8d6b3b9023c5a411a847af37bda76ff47bc Mon Sep 17 00:00:00 2001 
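Review bot: The new "Update APT cache" task tests `elastic_sources is changed`, but the variable registered two tasks above is `postgresql_sources`; `elastic_sources` is never set in this file, so the conditional will fail on an undefined variable on every host, including Debian <12 where the template task is merely skipped. This looks like a copy-paste from the elastic role; the fix is `when: postgresql_sources is changed`.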
From: Jeremy Lecour Date: Sun, 19 Mar 2023 11:45:44 +0100 Subject: [PATCH 417/497] apt: add wrapper tasks files for backward compatibility --- apt/tasks/backports.yml | 13 +++++++++++++ apt/tasks/basics.yml | 13 +++++++++++++ apt/tasks/evolix_public.yml | 13 +++++++++++++ 3 files changed, 39 insertions(+) create mode 100644 apt/tasks/backports.yml create mode 100644 apt/tasks/basics.yml create mode 100644 apt/tasks/evolix_public.yml diff --git a/apt/tasks/backports.yml b/apt/tasks/backports.yml new file mode 100644 index 00000000..205574e5 --- /dev/null +++ b/apt/tasks/backports.yml @@ -0,0 +1,13 @@ +--- + +# Backward compatibility task file + +- name: Install backports repositories (Debian <12) + import_tasks: backports.oneline.yml + when: + - ansible_distribution_major_version is version('12', '<') + +- name: Install backports repositories (Debian >=12) + import_tasks: backports.deb822.yml + when: + - ansible_distribution_major_version is version('12', '>=') \ No newline at end of file diff --git a/apt/tasks/basics.yml b/apt/tasks/basics.yml new file mode 100644 index 00000000..7966c849 --- /dev/null +++ b/apt/tasks/basics.yml @@ -0,0 +1,13 @@ +--- + +# Backward compatibility task file + +- name: Install basics repositories (Debian <12) + import_tasks: basics.oneline.yml + when: + - ansible_distribution_major_version is version('12', '<') + +- name: Install basics repositories (Debian >=12) + import_tasks: basics.deb822.yml + when: + - ansible_distribution_major_version is version('12', '>=') \ No newline at end of file diff --git a/apt/tasks/evolix_public.yml b/apt/tasks/evolix_public.yml new file mode 100644 index 00000000..6d0a2de4 --- /dev/null +++ b/apt/tasks/evolix_public.yml 
@@ -0,0 +1,13 @@ +--- + +# Backward compatibility task file + +- name: Install Evolix Public repositories (Debian <12) + import_tasks: evolix_public.oneline.yml + when: + - ansible_distribution_major_version is version('12', '<') + +- name: Install Evolix Public repositories (Debian >=12) + import_tasks: evolix_public.deb822.yml + when: + - ansible_distribution_major_version is version('12', '>=') \ No newline at end of file -- 2.39.2 From 16aabbe091802d00ee740d66960a693471a1791d Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 19 Mar 2023 11:46:15 +0100 Subject: [PATCH 418/497] fluentd: deb922 sources --- fluentd/tasks/main.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/fluentd/tasks/main.yml b/fluentd/tasks/main.yml index 21b432f3..fa9a0470 100644 --- a/fluentd/tasks/main.yml +++ b/fluentd/tasks/main.yml @@ -15,8 +15,9 @@ - name: Add Treasuredata repository (Debian <12) apt_repository: repo: "deb [signed-by={{ apt_keyring_dir }}/treasuredata.asc] http://packages.treasuredata.com/3/debian/{{ ansible_distribution_release }}/ {{ ansible_distribution_release }} contrib" - filename: treasuredata.list + filename: treasuredata state: present + update_cache: yes tags: - packages - fluentd @@ -27,16 +28,21 @@ src: treasuredata.sources.j2 dest: /etc/apt/sources.list.d/treasuredata.sources state: present + register: treasuredata_sources tags: - packages - fluentd when: ansible_distribution_major_version is version('12', '>=') +- name: Update APT cache + apt: + update_cache: yes + when: treasuredata_sources is changed + - name: Fluentd is installed. apt: name: td-agent state: present - update_cache: yes tags: - fluentd - packages -- 2.39.2 From 09d3f606cd4478e0e036f03c383ce36addda6c01 Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour Date: Sun, 19 Mar 2023 11:47:09 +0100 Subject: [PATCH 419/497] lxc-php: lxc dependency is resolved manually --- lxc-php/meta/main.yml | 6 +----- lxc-php/tasks/main.yml | 8 ++++++++ 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/lxc-php/meta/main.yml b/lxc-php/meta/main.yml index 58c2298c..88d4c6e9 100644 --- a/lxc-php/meta/main.yml +++ b/lxc-php/meta/main.yml @@ -27,8 +27,4 @@ galaxy_info: allow_duplicates: yes -dependencies: - - { role: evolix/lxc, - lxc_containers: [ { name: "{{ lxc_php_version }}", release: "{{ lxc_php_container_releases[lxc_php_version] }}" } ], - when: lxc_php_version is defined - } +dependencies: [] diff --git a/lxc-php/tasks/main.yml b/lxc-php/tasks/main.yml index d967287d..9862e523 100644 --- a/lxc-php/tasks/main.yml +++ b/lxc-php/tasks/main.yml @@ -4,6 +4,14 @@ msg: Please configure var lxc_php_version when: lxc_php_version is none + +- include_role: + name: evolix/lxc + vars: + lxc_containers: + - { name: "{{ lxc_php_version }}", release: "{{ lxc_php_container_releases[lxc_php_version] }}" } + when: lxc_php_version is defined + - name: "Update APT cache in container {{ lxc_php_version }}" lxc_container: name: "{{ lxc_php_version }}" -- 2.39.2 From 1d03e73a62de116490d2e455a4010b6d6bb227d8 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 19 Mar 2023 11:50:58 +0100 Subject: [PATCH 420/497] lxc-php: extract variables --- lxc-php/tasks/mail_opensmtpd.yml | 4 ++-- lxc-php/tasks/mail_ssmtp.yml | 2 +- lxc-php/tasks/main.yml | 4 ++++ lxc-php/tasks/misc.yml | 6 +++--- lxc-php/tasks/php56.yml | 4 ++-- lxc-php/tasks/php70.yml | 4 ++-- lxc-php/tasks/php73.yml | 4 ++-- lxc-php/tasks/php74.yml | 6 +++--- lxc-php/tasks/php80.yml | 23 ++++++++++++++--------- lxc-php/tasks/php81.yml | 22 +++++++++++++--------- lxc-php/tasks/umask.yml | 6 +----- 11 files changed, 47 insertions(+), 38 deletions(-) diff --git a/lxc-php/tasks/mail_opensmtpd.yml b/lxc-php/tasks/mail_opensmtpd.yml index 25dec9ea..02f36728 100644 
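Review bot: The new `include_role` for evolix/lxc is guarded by `when: lxc_php_version is defined`, whereas the fail task a few lines above guards on `lxc_php_version is none`; the two are not the same test (a variable set to null is defined), and as far as I can see by the time this task runs the fail task has already rejected a null value, so the new guard is effectively always true. Aligning it with the existing check, `when: lxc_php_version is not none`, or dropping it, keeps a single notion of "configured" in the file. The task list continues outside the hunk.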
--- a/lxc-php/tasks/mail_opensmtpd.yml +++ b/lxc-php/tasks/mail_opensmtpd.yml @@ -8,7 +8,7 @@ - name: "{{ lxc_php_version }} - Configure opensmtpd (in the container)" template: src: smtpd.conf.j2 - dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/smtpd.conf" + dest: "{{ lxc_rootfs }}/etc/smtpd.conf" mode: "0644" notify: "Restart opensmtpd" when: lxc_php_container_releases[lxc_php_version] in ["jessie", "stretch", "buster"] @@ -17,7 +17,7 @@ - name: "{{ lxc_php_version }} - Configure opensmtpd (in the container)" template: src: smtpd.conf.bullseye.j2 - dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/smtpd.conf" + dest: "{{ lxc_rootfs }}/etc/smtpd.conf" mode: "0644" notify: "Restart opensmtpd" when: not lxc_php_container_releases[lxc_php_version] in ["jessie", "stretch", "buster"] diff --git a/lxc-php/tasks/mail_ssmtp.yml b/lxc-php/tasks/mail_ssmtp.yml index 95055044..f14cfe57 100644 --- a/lxc-php/tasks/mail_ssmtp.yml +++ b/lxc-php/tasks/mail_ssmtp.yml @@ -8,5 +8,5 @@ - name: "{{ lxc_php_version }} - Configure ssmtp" template: src: ssmtp.conf.j2 - dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/ssmtp/ssmtp.conf" + dest: "{{ lxc_rootfs }}/etc/ssmtp/ssmtp.conf" mode: "0644" diff --git a/lxc-php/tasks/main.yml b/lxc-php/tasks/main.yml index 9862e523..bd2ae182 100644 --- a/lxc-php/tasks/main.yml +++ b/lxc-php/tasks/main.yml @@ -12,6 +12,10 @@ - { name: "{{ lxc_php_version }}", release: "{{ lxc_php_container_releases[lxc_php_version] }}" } when: lxc_php_version is defined +- name: set LXC rootfs + ansible.builtin.set_fact: + lxc_rootfs: "/var/lib/lxc/{{ lxc_php_version }}/rootfs" + - name: "Update APT cache in container {{ lxc_php_version }}" lxc_container: name: "{{ lxc_php_version }}" diff --git a/lxc-php/tasks/misc.yml b/lxc-php/tasks/misc.yml index c5aa5245..22598ee0 100644 --- a/lxc-php/tasks/misc.yml +++ b/lxc-php/tasks/misc.yml 
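Review bot: `lxc_rootfs` is now set once in lxc-php/tasks/main.yml and consumed by every other task file of the role (mail_opensmtpd.yml, mail_ssmtp.yml, misc.yml, the php*.yml files and umask.yml, which drops its own `lxc_rootfs_path` fact in this commit), but nothing at the definition says so, and importing any of those files without main.yml would now fail on an undefined variable. I would document the contract next to the fact, e.g. `# Shared by all task files of this role; they assume main.yml has run first.`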
@@ -4,18 +4,18 @@ copy: remote_src: yes src: "/etc/timezone" - dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/timezone" + dest: "{{ lxc_rootfs }}/etc/timezone" - name: "{{ lxc_php_version }} - Ensure container's root directory is 755" file: - path: "/var/lib/lxc/{{ lxc_php_version }}/rootfs" + path: "{{ lxc_rootfs }}" state: directory mode: '0755' - name: "{{ lxc_php_version }} - Configure mailname for the container" copy: content: "{{ evolinux_hostname }}.{{ evolinux_domain }}\n" - dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/mailname" + dest: "{{ lxc_rootfs }}/etc/mailname" notify: "Restart opensmtpd" - name: "{{ lxc_php_version }} - Install misc packages" diff --git a/lxc-php/tasks/php56.yml b/lxc-php/tasks/php56.yml index ece7dc8d..b0f376d8 100644 --- a/lxc-php/tasks/php56.yml +++ b/lxc-php/tasks/php56.yml @@ -12,8 +12,8 @@ mode: "0644" notify: "Reload {{ lxc_php_version }}-fpm" loop: - - "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/php5/fpm/conf.d/z-evolinux-defaults.ini" - - "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/php5/cli/conf.d/z-evolinux-defaults.ini" + - "{{ lxc_rootfs }}/etc/php5/fpm/conf.d/z-evolinux-defaults.ini" + - "{{ lxc_rootfs }}/etc/php5/cli/conf.d/z-evolinux-defaults.ini" loop_control: loop_var: line_item diff --git a/lxc-php/tasks/php70.yml b/lxc-php/tasks/php70.yml index 2291b386..18523846 100644 --- a/lxc-php/tasks/php70.yml +++ b/lxc-php/tasks/php70.yml @@ -12,8 +12,8 @@ mode: "0644" notify: "Reload {{ lxc_php_version }}-fpm" loop: - - "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/php/7.0/fpm/conf.d/z-evolinux-defaults.ini" - - "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/php/7.0/cli/conf.d/z-evolinux-defaults.ini" + - "{{ lxc_rootfs }}/etc/php/7.0/fpm/conf.d/z-evolinux-defaults.ini" + - "{{ lxc_rootfs }}/etc/php/7.0/cli/conf.d/z-evolinux-defaults.ini" loop_control: loop_var: line_item diff --git a/lxc-php/tasks/php73.yml b/lxc-php/tasks/php73.yml index d7fd7937..4bb037e7 100644 --- a/lxc-php/tasks/php73.yml 
+++ b/lxc-php/tasks/php73.yml @@ -12,8 +12,8 @@ mode: "0644" notify: "Reload {{ lxc_php_version }}-fpm" loop: - - "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/php/7.3/fpm/conf.d/z-evolinux-defaults.ini" - - "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/php/7.3/cli/conf.d/z-evolinux-defaults.ini" + - "{{ lxc_rootfs }}/etc/php/7.3/fpm/conf.d/z-evolinux-defaults.ini" + - "{{ lxc_rootfs }}/etc/php/7.3/cli/conf.d/z-evolinux-defaults.ini" loop_control: loop_var: line_item diff --git a/lxc-php/tasks/php74.yml b/lxc-php/tasks/php74.yml index 64677009..65660f92 100644 --- a/lxc-php/tasks/php74.yml +++ b/lxc-php/tasks/php74.yml @@ -7,7 +7,7 @@ - name: "{{ lxc_php_version }} - fix bullseye repository" replace: - dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/sources.list" + dest: "{{ lxc_rootfs }}/etc/apt/sources.list" regexp: 'bullseye/updates' replace: 'bullseye-security' @@ -18,8 +18,8 @@ mode: "0644" notify: "Reload {{ lxc_php_version }}-fpm" loop: - - "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/php/7.4/fpm/conf.d/z-evolinux-defaults.ini" - - "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/php/7.4/cli/conf.d/z-evolinux-defaults.ini" + - "{{ lxc_rootfs }}/etc/php/7.4/fpm/conf.d/z-evolinux-defaults.ini" + - "{{ lxc_rootfs }}/etc/php/7.4/cli/conf.d/z-evolinux-defaults.ini" loop_control: loop_var: line_item diff --git a/lxc-php/tasks/php80.yml b/lxc-php/tasks/php80.yml index 4e5ac498..0e9d29a6 100644 --- a/lxc-php/tasks/php80.yml +++ b/lxc-php/tasks/php80.yml 
@@ -1,31 +1,36 @@ --- +- name: set APT keyring + ansible.builtin.set_fact: + lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d + + - name: "{{ lxc_php_version }} - Install dependency packages" lxc_container: name: "{{ lxc_php_version }}" - container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget apt-transport-https gnupg" + container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg" - name: "{{ lxc_php_version }} - fix bullseye repository" replace: - dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/sources.list" + dest: "{{ lxc_rootfs }}/etc/apt/sources.list" regexp: 'bullseye/updates' replace: 'bullseye-security' - name: "{{ lxc_php_version }} - Add sury repo" lineinfile: - dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/sources.list.d/sury.list" + dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/sury.list" line: "{{ item }}" state: present create: yes mode: "0644" loop: - - "deb [signed-by={{ apt_keyring_dir }}/sury.gpg] https://packages.sury.org/php/ bullseye main" - - "deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix bullseye-php80 main" + - "deb [signed-by={{ lxc_apt_keyring_dir }}/sury.gpg] https://packages.sury.org/php/ bullseye main" + - "deb [signed-by={{ lxc_apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix bullseye-php80 main" - name: copy pub.evolix.net GPG key copy: src: pub_evolix.asc - dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/pub_evolix.asc + dest: "{{ lxc_rootfs }}{{ lxc_apt_keyring_dir }}/pub_evolix.asc" mode: "0644" owner: root group: root @@ -33,7 +38,7 @@ - name: copy packages.sury.org GPG Key copy: src: sury.gpg - dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/sury.gpg + dest: "{{ lxc_rootfs }}{{ lxc_apt_keyring_dir }}/sury.gpg" mode: "0644" owner: root group: root 
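Review bot: `lxc_apt_keyring_dir` is pinned to `/etc/apt/trusted.gpg.d` here (and in php81.yml) instead of reusing the host-derived `apt_keyring_dir`; that is the right call because the keys land in the container's filesystem, and `lxc_php_container_releases` maps php80 to bullseye regardless of the host release, but the reason is not stated and a reader may "fix" it back. I would add `# container-side keyring dir: the container is bullseye even on a bookworm host, so the host's apt_keyring_dir must not be used` under the set_fact. Note also that a key placed in trusted.gpg.d is trusted by the container's apt for every repository, while the sources lines already pin each key via `signed-by`; a dedicated directory such as `/etc/apt/keyrings` (if present in the container) would scope the trust to those lines only.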
@@ -55,8 +60,8 @@ mode: "0644" notify: "Reload {{ lxc_php_version }}-fpm" loop: - - "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/php/8.0/fpm/conf.d/z-evolinux-defaults.ini" - - "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/php/8.0/cli/conf.d/z-evolinux-defaults.ini" + - "{{ lxc_rootfs }}/etc/php/8.0/fpm/conf.d/z-evolinux-defaults.ini" + - "{{ lxc_rootfs }}/etc/php/8.0/cli/conf.d/z-evolinux-defaults.ini" loop_control: loop_var: line_item diff --git a/lxc-php/tasks/php81.yml b/lxc-php/tasks/php81.yml index 677fe14d..966a2880 100644 --- a/lxc-php/tasks/php81.yml +++ b/lxc-php/tasks/php81.yml 
@@ -1,31 +1,35 @@ --- +- name: set APT keyring + ansible.builtin.set_fact: + lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d + - name: "{{ lxc_php_version }} - Install dependency packages" lxc_container: name: "{{ lxc_php_version }}" - container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget apt-transport-https gnupg" + container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg" - name: "{{ lxc_php_version }} - fix bullseye repository" replace: - dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/sources.list" + dest: "{{ lxc_rootfs }}/etc/apt/sources.list" regexp: 'bullseye/updates' replace: 'bullseye-security' - name: "{{ lxc_php_version }} - Add sury repo" lineinfile: - dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/sources.list.d/sury.list" + dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/sury.list" line: "{{ item }}" state: present create: yes mode: "0644" loop: - - "deb [signed-by={{ apt_keyring_dir }}/sury.gpg] https://packages.sury.org/php/ bullseye main" - - "deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix bullseye-php81 main" + - "deb [signed-by={{ lxc_apt_keyring_dir }}/sury.gpg] https://packages.sury.org/php/ bullseye main" + - "deb [signed-by={{ lxc_apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix bullseye-php81 main" - name: copy pub.evolix.net GPG key copy: src: pub_evolix.asc - dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/pub_evolix.asc + dest: "{{ lxc_rootfs }}{{ lxc_apt_keyring_dir }}/pub_evolix.asc" mode: "0644" owner: root group: root @@ -33,7 +37,7 @@ - name: copy packages.sury.org GPG Key copy: src: sury.gpg - dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/sury.gpg + dest: "{{ lxc_rootfs }}{{ lxc_apt_keyring_dir }}/sury.gpg" mode: "0644" owner: root group: root 
@@ -55,8 +59,8 @@ mode: "0644" notify: "Reload {{ lxc_php_version }}-fpm" loop: - - "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/php/8.1/fpm/conf.d/z-evolinux-defaults.ini" - - "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/php/8.1/cli/conf.d/z-evolinux-defaults.ini" + - "{{ lxc_rootfs }}/etc/php/8.1/fpm/conf.d/z-evolinux-defaults.ini" + - "{{ lxc_rootfs }}/etc/php/8.1/cli/conf.d/z-evolinux-defaults.ini" loop_control: loop_var: line_item diff --git a/lxc-php/tasks/umask.yml b/lxc-php/tasks/umask.yml index 4460d587..254fd75e 100644 --- a/lxc-php/tasks/umask.yml +++ b/lxc-php/tasks/umask.yml @@ -2,13 +2,9 @@ # dans /etc/systemd/system/phpX.X-fpm.service.d/evolinux.conf --- -- name: "Définis le chemin du système de fichiers du conteneur LXC." - set_fact: - lxc_rootfs_path: "/var/lib/lxc/{{ lxc_php_version }}/rootfs" - - name: "Crée des répertoires (si absents) pour surcharger la config des services PHP dans les conteneurs LXC." ansible.builtin.file: - path: "{{ lxc_rootfs_path }}/etc/systemd/system/{{ lxc_php_services[lxc_php_version] }}.d" + path: "{{ lxc_rootfs }}/etc/systemd/system/{{ lxc_php_services[lxc_php_version] }}.d" state: directory register: systemd_path -- 2.39.2 From f8f5bec8b5f672ee09d134b41d3cea583c6c9793 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 19 Mar 2023 11:52:09 +0100 Subject: [PATCH 421/497] lxc-php: prepare php82 --- lxc-php/defaults/main.yml | 2 ++ lxc-php/tasks/main.yml | 23 +++++++++++++---------- lxc-php/tasks/php82.yml | 32 ++++++++++++++++++++++++++++++++ 3 files changed, 47 insertions(+), 10 deletions(-) create mode 100644 lxc-php/tasks/php82.yml diff --git a/lxc-php/defaults/main.yml b/lxc-php/defaults/main.yml index 9b501b6c..d27f60f2 100644 --- a/lxc-php/defaults/main.yml +++ b/lxc-php/defaults/main.yml @@ -21,6 +21,7 @@ lxc_php_container_releases: php74: "bullseye" php80: "bullseye" php81: "bullseye" + # php82: "bookworm" lxc_php_services: php56: 'php5-fpm.service' 
@@ -29,5 +30,6 @@ lxc_php_services: php74: 'php7.4-fpm.service' php80: 'php8.0-fpm.service' php81: 'php8.1-fpm.service' + # php82: 'php8.2-fpm.service' apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/lxc-php/tasks/main.yml b/lxc-php/tasks/main.yml index bd2ae182..a1e91431 100644 --- a/lxc-php/tasks/main.yml +++ b/lxc-php/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: "Ensure that lxc_php_version is defined" - fail: + ansible.builtin.fail: msg: Please configure var lxc_php_version when: lxc_php_version is none @@ -17,28 +17,31 @@ lxc_rootfs: "/var/lib/lxc/{{ lxc_php_version }}/rootfs" - name: "Update APT cache in container {{ lxc_php_version }}" - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "apt-get update" -- include: "php56.yml" +- ansible.builtin.import_tasks: "php56.yml" when: lxc_php_version == "php56" -- include: "php70.yml" +- ansible.builtin.import_tasks: "php70.yml" when: lxc_php_version == "php70" -- include: "php73.yml" +- ansible.builtin.import_tasks: "php73.yml" when: lxc_php_version == "php73" -- include: "php74.yml" +- ansible.builtin.import_tasks: "php74.yml" when: lxc_php_version == "php74" -- include: "php80.yml" +- ansible.builtin.import_tasks: "php80.yml" when: lxc_php_version == "php80" -- include: "php81.yml" +- ansible.builtin.import_tasks: "php81.yml" when: lxc_php_version == "php81" -- include: "umask.yml" +# - ansible.builtin.import_tasks: "php82.yml" +# when: lxc_php_version == "php82" -- include: "misc.yml" +- ansible.builtin.import_tasks: "umask.yml" + +- ansible.builtin.import_tasks: "misc.yml" diff --git a/lxc-php/tasks/php82.yml b/lxc-php/tasks/php82.yml new file mode 100644 index 00000000..8ecb1e33 --- /dev/null +++ b/lxc-php/tasks/php82.yml 
@@ -0,0 +1,32 @@ +--- + +- name: set APT keyring + ansible.builtin.set_fact: + lxc_apt_keyring_dir: /etc/apt/keyrings + +- name: "{{ lxc_php_version }} - Install PHP packages" + lxc_container: + name: "{{ lxc_php_version }}" + container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer" + +# TODO : adapt to Bookworm and deb822 format + +- name: "{{ lxc_php_version }} - fix bookworm repository" + replace: + dest: "{{ lxc_rootfs }}/etc/apt/sources.list" + regexp: 'bullseye/updates' + replace: 'bullseye-security' + +- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" + template: + src: z-evolinux-defaults.ini.j2 + dest: "{{ line_item }}" + mode: "0644" + notify: "Reload {{ lxc_php_version }}-fpm" + loop: + - "{{ lxc_rootfs }}/etc/php/8.2/fpm/conf.d/z-evolinux-defaults.ini" + - "{{ lxc_rootfs }}/etc/php/8.2/cli/conf.d/z-evolinux-defaults.ini" + loop_control: + loop_var: line_item + +- include: "mail_opensmtpd.yml" -- 2.39.2 From a0986f034d3760dc7d8bc60a5c65c3604db75fb9 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 19 Mar 2023 11:52:34 +0100 Subject: [PATCH 422/497] mongodb: prepare Debian 12 --- mongodb/tasks/main.yml | 2 + mongodb/tasks/main_bookworm.yml | 103 +++++++++++++++++++++++++++ mongodb/templates/mongodb.sources.j2 | 8 +++ 3 files changed, 113 insertions(+) create mode 100644 mongodb/tasks/main_bookworm.yml create mode 100644 mongodb/templates/mongodb.sources.j2 diff --git a/mongodb/tasks/main.yml b/mongodb/tasks/main.yml index a71651bf..e8bf2cfc 100644 --- a/mongodb/tasks/main.yml +++ b/mongodb/tasks/main.yml @@ -12,3 +12,5 @@ - ansible.builtin.import_tasks: main_bullseye.yml when: ansible_distribution_release == "bullseye" +- ansible.builtin.import_tasks: main_bookworm.yml + when: ansible_distribution_release == "bookworm" 
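Review bot: The `fix bookworm repository` task cannot match anything on a bookworm rootfs: its regexp is still `bullseye/updates`, copied from the bullseye task file, so the task is a silent no-op despite its name; either drop it or keep only the TODO comment until the deb822 rework. The `lxc_apt_keyring_dir` fact set at the top is unused in this file, since no repository or key is added for php82, and `php-zip` appears twice in the package list. The final `- include: "mail_opensmtpd.yml"` uses the deprecated `include` keyword while main.yml in this series switched to `ansible.builtin.import_tasks`; use the same form here. Nothing imports this file yet (main.yml keeps the php82 line commented out), so none of this is reachable at the moment.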
diff --git a/mongodb/tasks/main_bookworm.yml b/mongodb/tasks/main_bookworm.yml new file mode 100644 index 00000000..19bb513b --- /dev/null +++ b/mongodb/tasks/main_bookworm.yml 
@@ -0,0 +1,103 @@ +--- + +- fail: + msg: MongoDB is not compatible with Debian 12 (Bookworm) + when: + - ansible_distribution_release == "bookworm" + +# - fail: +# msg: MongoDB version <5 are not compatible with Debian 12 (Bookworm) +# when: +# - ansible_distribution_release == "bookworm" +# - mongodb_version is version('5.0', '<') + +- name: Add MongoDB repository + ansible.builtin.template: + src: mongodb.sources.j2 + dest: /etc/apt/sources.list.d/mongodb.sources + state: present + register: mongodb_sources + +- name: Update APT cache + ansible.builtin.apt: + update_cache: yes + when: mongodb_sources is changed + +- name: Install packages + ansible.builtin.apt: + name: mongodb-org + state: present + register: _mongodb_install_package + +- name: MongoDB service in enabled and started + systemd: + name: mongod + enabled: yes + state: started + when: _mongodb_install_package is changed + +- name: install dependency for monitoring + apt: + name: python3-pymongo + state: present + +- name: Custom configuration + template: + src: mongodb_bullseye.conf.j2 + dest: "/etc/mongod.conf" + force: "{{ mongodb_force_config | bool | ternary('yes', 'no') }}" + notify: restart mongod + +- name: Configure logrotate + template: + src: logrotate_bullseye.j2 + dest: /etc/logrotate.d/mongodb + force: yes + backup: no + +- include_role: + name: evolix/remount-usr + +- name: Create plugin directory + file: + name: /usr/local/share/munin/ + state: directory + mode: "0755" + +- name: Create plugin directory + file: + name: /usr/local/share/munin/plugins/ + state: directory + mode: "0755" + +- name: Munin plugins are present + copy: + src: "munin/{{ item }}" + dest: '/usr/local/share/munin/plugins/{{ item }}' + force: yes + loop: + - mongo_btree + - mongo_collections + - mongo_conn + - mongo_docs + - mongo_lock + - mongo_mem + - mongo_ops + - mongo_page_faults + notify: restart munin-node + +- name: Enable core Munin plugins + file: + src: '/usr/local/share/munin/plugins/{{ item }}' + dest: 
/etc/munin/plugins/{{ item }} + state: link + loop: + - mongo_btree + - mongo_collections + - mongo_conn + - mongo_docs + - mongo_lock + - mongo_mem + - mongo_ops + - mongo_page_faults + notify: restart munin-node diff --git a/mongodb/templates/mongodb.sources.j2 b/mongodb/templates/mongodb.sources.j2 new file mode 100644 index 00000000..ab55d938 --- /dev/null +++ b/mongodb/templates/mongodb.sources.j2 @@ -0,0 +1,8 @@ +# {{ansible_managed }} + +Types: deb +URIs: http://repo.mongodb.org/apt/debian +Suites: bookworm/mongodb-org/{{ mongodb_version }} +Components: main +Signed-by: {{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc +Enabled: yes \ No newline at end of file -- 2.39.2 From 151e6914a8624739504b3aa4d8aa05fe36386a5e Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 19 Mar 2023 11:52:55 +0100 Subject: [PATCH 423/497] mysql: fixes for Debian 12 --- mysql/tasks/main.yml | 9 +++++++++ mysql/tasks/utils.yml | 4 ++-- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/mysql/tasks/main.yml b/mysql/tasks/main.yml index 95cde4a1..2a24c69f 100644 --- a/mysql/tasks/main.yml +++ b/mysql/tasks/main.yml @@ -4,6 +4,15 @@ set_fact: mysql_restart_handler_name: "{{ mysql_restart_if_needed | bool | ternary('restart mysql', 'restart mysql (noop)') }}" +- name: Default log directory is present + file: + path: /var/log/mysql + owner: mysql + group: adm + mode: "2750" + state: directory + when: ansible_distribution_major_version is version('12', '>=') + - include_tasks: packages_stretch.yml when: ansible_distribution_major_version is version('9', '>=') diff --git a/mysql/tasks/utils.yml b/mysql/tasks/utils.yml index 8adbb1be..306ccd00 100644 --- a/mysql/tasks/utils.yml +++ b/mysql/tasks/utils.yml 
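Review bot: `state: present` under `ansible.builtin.template` in the `Add MongoDB repository` task is not a parameter of that module, so once the unconditional `fail` at the top is lifted the play will stop there with an unsupported-parameter error; replace it with `owner: root`, `group: root`, `mode: "0644"`. The generated sources file declares `Signed-by: {{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc`, but no task in this file deploys that key, so apt will refuse the repository unless the key is provisioned elsewhere (nothing in this series does it). The Munin plugin `copy` task has no `mode:`, which presumably matters since those plugins must be executable; the bullseye task file is not in view to compare, so please check what it does. The `when:` on the leading `fail` duplicates the import condition in main.yml and could be dropped, though it is harmless.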
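Review bot: `URIs: http://repo.mongodb.org/apt/debian` fetches the index and packages over plain HTTP; apt's signature check still protects integrity, but the repository is also served over HTTPS, which keeps the list of fetched packages and versions from a network observer and is a one-character change: `URIs: https://repo.mongodb.org/apt/debian`. The `Suites:` line assumes MongoDB publishes a `bookworm/mongodb-org/<version>` tree for the configured `mongodb_version`, which the `fail` guard in main_bookworm.yml suggests is not yet the case; a comment stating the first version that ships it would help whoever removes the guard.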
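Review bot: The new `Default log directory is present` task sets `owner: mysql` but runs before `include_tasks: packages_stretch.yml` installs the server, so on a Debian 12 host where MariaDB is not yet installed the `mysql` user does not exist and the `file` module fails with a user lookup error. Move the task after the package install include (or after whichever task creates the user), keeping the same `when:`. The `2750` mode with group `adm` presumably mirrors what the Debian package created on earlier releases; a one-line comment saying why the role now has to create the directory itself on Debian 12 would save the next reader a search.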
@@ -55,11 +55,11 @@ - name: "Install dependencies for mytop (Debian 12 or later)" apt: name: - - mariadb-client-10.6 + - mariadb-client - libconfig-inifiles-perl - libterm-readkey-perl - libdbd-mariadb-perl - when: ansible_distribution_major_version is version('12', '=') + when: ansible_distribution_major_version is version('12', '>=') - name: Read debian-sys-maint password (Debian < 11) shell: 'cat /etc/mysql/debian.cnf | grep -m1 "password = .*" | cut -d" " -f3' -- 2.39.2 From 247a89e928898431232fd64a502d68e77a456bcf Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 19 Mar 2023 11:53:14 +0100 Subject: [PATCH 424/497] syntax --- php/tasks/main_buster.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/php/tasks/main_buster.yml b/php/tasks/main_buster.yml index 24673378..58fda84e 100644 --- a/php/tasks/main_buster.yml +++ b/php/tasks/main_buster.yml @@ -1,14 +1,14 @@ --- - debug: - msg: "{{ php_sury_enable }}" + var: php_sury_enable - name: "Set php version to 7.3 if Sury repo is not enabled" set_fact: php_version: "7.3" - when: - - php_sury_enable == false check_mode: no + when: + - not (php_sury_enable | bool) - name: "Set variables (Debian 10)" set_fact: -- 2.39.2 From 1d3866e3f0efec1fee1f67be8d52e16df0bcd5b6 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 19 Mar 2023 11:53:39 +0100 Subject: [PATCH 425/497] packweb-apache: include_role instead of import_role --- packweb-apache/tasks/dependencies.yml | 28 +++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/packweb-apache/tasks/dependencies.yml b/packweb-apache/tasks/dependencies.yml index 0182654c..c22d4e0b 100644 --- a/packweb-apache/tasks/dependencies.yml +++ b/packweb-apache/tasks/dependencies.yml 
@@ -1,80 +1,80 @@ --- -- import_role: +- include_role: name: evolix/apache -- import_role: +- include_role: name: evolix/php vars: php_apache_enable: True when: packweb_apache_modphp -- import_role: +- include_role: name: evolix/php vars: php_fpm_enable: True when: packweb_apache_fpm -- import_role: +- include_role: name: evolix/squid vars: squid_localproxy_enable: True -- import_role: +- include_role: name: evolix/mysql when: packweb_mysql_variant == "debian" -- import_role: +- include_role: name: evolix/mysql-oracle when: packweb_mysql_variant == "oracle" -- import_role: +- include_role: name: evolix/lxc-php vars: lxc_php_version: php56 lxc_php_create_mysql_link: True when: "'php56' in packweb_multiphp_versions" -- import_role: +- include_role: name: evolix/lxc-php vars: lxc_php_version: php70 lxc_php_create_mysql_link: True when: "'php70' in packweb_multiphp_versions" -- import_role: +- include_role: name: evolix/lxc-php vars: lxc_php_version: php73 lxc_php_create_mysql_link: True when: "'php73' in packweb_multiphp_versions" -- import_role: +- include_role: name: evolix/lxc-php vars: lxc_php_version: php74 lxc_php_create_mysql_link: True when: "'php74' in packweb_multiphp_versions" -- import_role: +- include_role: name: evolix/lxc-php vars: lxc_php_version: php80 lxc_php_create_mysql_link: True when: "'php80' in packweb_multiphp_versions" -- import_role: +- include_role: name: evolix/lxc-php vars: lxc_php_version: php81 lxc_php_create_mysql_link: True when: "'php81' in packweb_multiphp_versions" -- import_role: +- include_role: name: evolix/webapps/evoadmin-web vars: evoadmin_enable_vhost: "{{ packweb_enable_evoadmin_vhost }}" evoadmin_multiphp_versions: "{{ packweb_multiphp_versions }}" -- import_role: +- include_role: name: evolix/evoacme \ No newline at end of file -- 2.39.2 From 7a73df6bd75c914f7f90e200c28c57dbbd7661b5 Mon Sep 17 00:00:00 2001 
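Review bot: Switching every `import_role` to `include_role` changes variable scoping in a way the commit message does not mention: an included role's defaults and vars are no longer visible to the tasks that follow in packweb-apache unless the include sets `public: true`, although `set_fact` results still persist. If later packweb tasks (the diffstat lists apache.yml, multiphp.yml and phpmyadmin.yml) read a default such as `php_version` from evolix/php, add `public: true` to those two `evolix/php` includes. The per-version `vars:` (`lxc_php_version`, `lxc_php_create_mysql_link`) are now confined to each include instead of leaking into the rest of the play, which is presumably the motivation and worth a sentence in the message. The file still ends without a trailing newline.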
From: Jeremy Lecour Date: Mon, 20 Mar 2023 21:33:49 +0100 Subject: [PATCH 426/497] Comments on Dell RAID controllers --- evolinux-base/tasks/hardware.dell.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/evolinux-base/tasks/hardware.dell.yml b/evolinux-base/tasks/hardware.dell.yml index aa448147..6e1673a6 100644 --- a/evolinux-base/tasks/hardware.dell.yml +++ b/evolinux-base/tasks/hardware.dell.yml @@ -1,6 +1,9 @@ --- -## LSI MegaRAID 12GSAS/PCIe Secure SAS39xx +## H745: Broadcom / LSI MegaRAID Tri-Mode SAS3516 (rev 01) +# This is OK + +## H750: Broadcom / LSI MegaRAID 12GSAS/PCIe Secure SAS39xx # This is still incompatible with Debian - name: Check if PERC HBA11 device is present -- 2.39.2 From ee21973371462839a455dc109cb34970c4b55def Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour Date: Mon, 20 Mar 2023 23:33:19 +0100 Subject: [PATCH 427/497] Use FQCN Fully Qualified Collection Name --- amavis/handlers/main.yml | 2 +- amavis/tasks/main.yml | 4 +- amazon-ec2/amazon-ec2-evolinux.yml | 6 +- amazon-ec2/tasks/create-instance.yml | 8 +- amazon-ec2/tasks/post-install.yml | 2 +- amazon-ec2/tasks/setup.yml | 4 +- apache/handlers/main.yml | 6 +- apache/tasks/auth.yml | 12 +-- apache/tasks/ip_whitelist.yml | 4 +- apache/tasks/log2mail.yml | 4 +- apache/tasks/main.yml | 46 +++++----- apache/tasks/munin.yml | 11 +-- apache/tasks/server_status.yml | 26 +++--- apt/tasks/backports.deb822.yml | 6 +- apt/tasks/backports.oneline.yml | 10 +-- apt/tasks/backports.yml | 4 +- apt/tasks/basics.deb822.yml | 9 +- apt/tasks/basics.oneline.yml | 4 +- apt/tasks/basics.yml | 4 +- apt/tasks/config.yml | 6 +- apt/tasks/evolix_public.deb822.yml | 10 +-- apt/tasks/evolix_public.oneline.yml | 10 +-- apt/tasks/evolix_public.yml | 4 +- apt/tasks/hold_packages.yml | 25 +++--- apt/tasks/main.yml | 28 +++--- apt/tasks/migrate-to-deb822.yml | 9 +- apt/tasks/move-apt-keyring.yml | 13 +-- bind/handlers/main.yml | 8 +- bind/tasks/authoritative.yml | 2 +- bind/tasks/main.yml | 32 +++---- bind/tasks/munin.yml | 22 ++--- bind/tasks/recursive.yml | 4 +- bookworm-detect/tasks/main.yml | 4 +- bullseye-detect/tasks/main.yml | 2 +- certbot/handlers/main.yml | 11 +-- certbot/tasks/acme-challenge.yml | 17 ++-- certbot/tasks/install-legacy.yml | 19 ++-- certbot/tasks/install-package.yml | 2 +- certbot/tasks/main.yml | 19 ++-- clamav/handlers/main.yml | 2 +- clamav/tasks/main.yml | 10 +-- dhcpd/handlers/main.yml | 2 +- dhcpd/tasks/main.yml | 2 +- docker-host/handlers/main.yml | 4 +- dovecot/handlers/main.yml | 6 +- dovecot/tasks/main.yml | 24 ++--- dovecot/tasks/munin.yml | 6 +- drbd/handlers/main.yml | 2 +- drbd/tasks/main.yml | 6 +- drbd/tasks/munin.yml | 6 +- drbd/tasks/nagios.yml | 6 +- drbd/tasks/packages.yml | 4 +- elasticsearch/handlers/main.yml | 2 +- 
elasticsearch/tasks/additional_scripts.yml | 6 +- elasticsearch/tasks/bootstrap_checks.yml | 11 +-- elasticsearch/tasks/configuration.yml | 30 +++---- elasticsearch/tasks/curator.yml | 6 +- elasticsearch/tasks/datadir.yml | 13 +-- elasticsearch/tasks/logs.yml | 6 +- elasticsearch/tasks/main.yml | 18 ++-- elasticsearch/tasks/plugin_head.yml | 16 ++-- elasticsearch/tasks/tmpdir.yml | 13 +-- etc-git/tasks/commit.yml | 3 +- etc-git/tasks/lxc_commit.yml | 8 +- etc-git/tasks/main.yml | 6 +- etc-git/tasks/repositories.yml | 8 +- etc-git/tasks/repository.yml | 19 ++-- etc-git/tasks/utils.yml | 22 ++--- evoacme/handlers/main.yml | 14 +-- evoacme/tasks/certbot.yml | 14 +-- evoacme/tasks/conf.yml | 6 +- evoacme/tasks/evoacme_hook.yml | 7 +- evoacme/tasks/main.yml | 10 +-- evoacme/tasks/permissions.yml | 8 +- evoacme/tasks/scripts.yml | 12 +-- evobackup-client/handlers/main.yml | 9 +- evobackup-client/tasks/jail.yml | 17 ++-- evobackup-client/tasks/main.yml | 10 +-- evobackup-client/tasks/open_ssh_ports.yml | 4 +- evobackup-client/tasks/ssh_key.yml | 6 +- evobackup-client/tasks/upload_scripts.yml | 2 +- evobackup-client/tasks/verify_ssh.yml | 2 +- evocheck/tasks/cron.yml | 6 +- evocheck/tasks/exec.yml | 5 +- evocheck/tasks/install.yml | 14 +-- evocheck/tasks/main.yml | 4 +- evolinux-base/handlers/main.yml | 38 ++++---- evolinux-base/tasks/etc-evolinux.yml | 2 +- evolinux-base/tasks/hardware.dell.yml | 5 +- evolinux-base/tasks/hardware.yml | 4 +- evolinux-base/tasks/main.yml | 58 ++++++------ evolinux-base/tasks/system.yml | 4 +- evolinux-base/tasks/utils.yml | 4 +- evolinux-todo/tasks/cat.yml | 5 +- evolinux-todo/tasks/main.yml | 4 +- evolinux-users/handlers/main.yml | 5 +- evolinux-users/tasks/main.yml | 10 +-- evolinux-users/tasks/ssh.yml | 26 +++--- evolinux-users/tasks/ssh_allowgroups.yml | 7 +- evolinux-users/tasks/ssh_allowusers.yml | 14 +-- evolinux-users/tasks/sudo.yml | 8 +- evolinux-users/tasks/sudo_jessie.yml | 4 +- evolinux-users/tasks/sudo_stretch_common.yml | 7 
+- evolinux-users/tasks/sudo_stretch_user.yml | 4 +- evolinux-users/tasks/user.yml | 50 ++++++----- evomaintenance/handlers/main.yml | 5 +- evomaintenance/tasks/config.yml | 4 +- .../tasks/install_package_debian.yml | 4 +- .../tasks/install_vendor_debian.yml | 10 +-- evomaintenance/tasks/install_vendor_other.yml | 6 +- evomaintenance/tasks/main.yml | 10 +-- evomaintenance/tasks/minifirewall.yml | 11 +-- evomaintenance/tasks/trap.yml | 8 +- fail2ban/handlers/main.yml | 4 +- fail2ban/tasks/fix-dbpurgeage.yml | 9 +- fail2ban/tasks/ip_whitelist.yml | 4 +- fail2ban/tasks/main.yml | 22 ++--- filebeat/handlers/main.yml | 2 +- filebeat/tasks/apt_sources.yml | 2 +- filebeat/tasks/main.yml | 29 +++--- fluentd/handlers/main.yml | 4 +- fluentd/tasks/main.yml | 14 +-- generate-ldif/tasks/exec.yml | 5 +- generate-ldif/tasks/main.yml | 4 +- haproxy/handlers/main.yml | 6 +- haproxy/tasks/main.yml | 29 +++--- haproxy/tasks/munin.yml | 6 +- haproxy/tasks/packages_backports.yml | 12 +-- java/tasks/main.yml | 4 +- java/tasks/openjdk.yml | 10 +-- java/tasks/oracle.yml | 15 ++-- jenkins/handlers/main.yml | 6 +- jenkins/tasks/main.yml | 10 +-- keepalived/handlers/main.yml | 4 +- keepalived/tasks/main.yml | 12 +-- kibana/handlers/main.yml | 2 +- kibana/tasks/apt_sources.yml | 2 +- kibana/tasks/main.yml | 18 ++-- kibana/tasks/proxy_nginx.yml | 4 +- kvm-host/handlers/main.yml | 2 +- kvm-host/tasks/images.yml | 10 +-- kvm-host/tasks/main.yml | 12 +-- kvm-host/tasks/munin.yml | 12 +-- kvm-host/tasks/packages.yml | 4 +- kvm-host/tasks/ssh.yml | 11 +-- kvm-host/tasks/tools.yml | 18 ++-- ldap/handlers/main.yml | 2 +- ldap/tasks/init.yml | 15 ++-- ldap/tasks/ldapvirc.yml | 21 +++-- ldap/tasks/main.yml | 10 +-- ldap/tasks/nagios.yml | 20 +++-- listupgrade/tasks/main.yml | 18 ++-- logstash/handlers/main.yml | 4 +- logstash/tasks/apt_sources.yml | 2 +- logstash/tasks/logs.yml | 10 +-- logstash/tasks/main.yml | 18 ++-- logstash/tasks/tmpdir.yml | 9 +- lxc-php/handlers/main.yml | 22 ++--- 
lxc-php/tasks/mail_opensmtpd.yml | 6 +- lxc-php/tasks/mail_ssmtp.yml | 4 +- lxc-php/tasks/main.yml | 2 +- lxc-php/tasks/misc.yml | 10 +-- lxc-php/tasks/php56.yml | 6 +- lxc-php/tasks/php70.yml | 6 +- lxc-php/tasks/php73.yml | 6 +- lxc-php/tasks/php74.yml | 8 +- lxc-php/tasks/php80.yml | 18 ++-- lxc-php/tasks/php81.yml | 18 ++-- lxc-php/tasks/php82.yml | 8 +- lxc-solr/tasks/main.yml | 6 +- lxc-solr/tasks/solr.yml | 16 ++-- lxc/tasks/create-container.yml | 19 ++-- lxc/tasks/main.yml | 23 ++--- memcached/handlers/main.yml | 6 +- memcached/tasks/instance-default.yml | 4 +- memcached/tasks/instance-multi.yml | 10 +-- memcached/tasks/main.yml | 10 +-- memcached/tasks/munin.yml | 8 +- memcached/tasks/nrpe.yml | 14 +-- memcached/tasks/phpmemcachedadmin.yml | 6 +- metricbeat/handlers/main.yml | 2 +- metricbeat/tasks/apt_sources.yml | 2 +- metricbeat/tasks/main.yml | 20 ++--- minifirewall/handlers/main.yml | 10 ++- minifirewall/tasks/activate.yml | 8 +- minifirewall/tasks/config.legacy.yml | 54 +++++------ minifirewall/tasks/config.yml | 73 +++++++-------- minifirewall/tasks/install.legacy.yml | 6 +- minifirewall/tasks/install.yml | 10 +-- minifirewall/tasks/main.yml | 49 +++++----- minifirewall/tasks/nrpe.yml | 18 ++-- minifirewall/tasks/tail.legacy.yml | 19 ++-- minifirewall/tasks/tail.yml | 15 ++-- minifirewall/tasks/utils.yml | 6 +- minifirewall/tests/test.yml | 2 +- mongodb/handlers/main.yml | 6 +- mongodb/tasks/main_bookworm.yml | 20 ++--- mongodb/tasks/main_bullseye.yml | 26 +++--- mongodb/tasks/main_buster.yml | 30 +++---- mongodb/tasks/main_jessie.yml | 18 ++-- mongodb/tasks/main_stretch.yml | 13 +-- monit/handlers/main.yml | 4 +- monit/tasks/main.yml | 4 +- munin/handlers/main.yml | 6 +- munin/tasks/main.yml | 27 +++--- mysql-oracle/handlers/main.yml | 13 +-- mysql-oracle/tasks/config.yml | 6 +- mysql-oracle/tasks/datadir.yml | 14 +-- mysql-oracle/tasks/log2mail.yml | 4 +- mysql-oracle/tasks/main.yml | 20 ++--- mysql-oracle/tasks/munin.yml | 8 +- 
mysql-oracle/tasks/nrpe.yml | 11 +-- mysql-oracle/tasks/packages.yml | 32 +++---- mysql-oracle/tasks/tmpdir.yml | 4 +- mysql-oracle/tasks/users.yml | 20 +++-- mysql-oracle/tasks/utils.yml | 49 +++++----- mysql/handlers/main.yml | 10 +-- mysql/tasks/config_jessie.yml | 6 +- mysql/tasks/config_stretch.yml | 12 +-- mysql/tasks/datadir.yml | 14 +-- mysql/tasks/log2mail.yml | 4 +- mysql/tasks/logdir.yml | 14 +-- mysql/tasks/main.yml | 38 ++++---- mysql/tasks/munin.yml | 18 ++-- mysql/tasks/mysql_skip.yml | 12 +-- mysql/tasks/nrpe.yml | 11 +-- mysql/tasks/packages_jessie.yml | 14 +-- mysql/tasks/packages_stretch.yml | 12 +-- mysql/tasks/replication.yml | 12 +-- mysql/tasks/tmpdir.yml | 4 +- mysql/tasks/users_bullseye.yml | 2 +- mysql/tasks/users_buster.yml | 16 ++-- mysql/tasks/users_jessie.yml | 11 +-- mysql/tasks/users_stretch.yml | 16 ++-- mysql/tasks/utils.yml | 61 ++++++------- nagios-nrpe/handlers/main.yml | 4 +- nagios-nrpe/tasks/main.yml | 18 ++-- nagios-nrpe/tasks/wrapper.yml | 13 +-- nameserver/tasks/main.yml | 7 +- networkd-to-ifconfig/tasks/main.yml | 24 ++--- .../tasks/set_facts_from_ansible.yml | 4 +- .../tasks/set_facts_from_systemd.yml | 8 +- newrelic/handlers/main.yml | 8 +- newrelic/tasks/main.yml | 6 +- nginx/handlers/main.yml | 6 +- nginx/tasks/ip_whitelist.yml | 4 +- nginx/tasks/logrotate.yml | 2 +- nginx/tasks/main.yml | 42 ++++----- nginx/tasks/munin_graphs.yml | 4 +- nginx/tasks/munin_vhost.yml | 14 +-- nginx/tasks/packages.yml | 6 +- nginx/tasks/packages_backports.yml | 6 +- nginx/tasks/server_status_read.yml | 14 +-- nginx/tasks/server_status_write.yml | 6 +- ntpd/handlers/main.yml | 2 +- ntpd/tasks/main.yml | 6 +- opendkim/handlers/main.yml | 4 +- opendkim/tasks/main.yml | 18 ++-- openvpn/handlers/main.yml | 7 +- openvpn/tasks/debian.yml | 90 ++++++++++--------- openvpn/tasks/main.yml | 6 +- openvpn/tasks/openbsd.yml | 65 +++++++------- packweb-apache/handlers/main.yml | 4 +- packweb-apache/tasks/apache.yml | 16 ++-- 
packweb-apache/tasks/awstats.yml | 13 +-- packweb-apache/tasks/dependencies.yml | 24 ++--- packweb-apache/tasks/fhs_retrictions.yml | 14 +-- packweb-apache/tasks/main.yml | 37 ++++---- packweb-apache/tasks/multiphp.yml | 8 +- packweb-apache/tasks/phpmyadmin.yml | 35 ++++---- percona/tasks/main.yml | 22 ++--- percona/tasks/xtrabackup.yml | 7 +- pgbouncer/tasks/main.yml | 8 +- php/handlers/main.yml | 14 +-- php/tasks/config_apache.yml | 8 +- php/tasks/config_cli.yml | 8 +- php/tasks/config_fpm.yml | 14 +-- php/tasks/main.yml | 12 +-- php/tasks/main_bookworm.yml | 32 +++---- php/tasks/main_bullseye.yml | 28 +++--- php/tasks/main_buster.yml | 30 +++---- php/tasks/main_jessie.yml | 22 ++--- php/tasks/main_stretch.yml | 28 +++--- php/tasks/sury_post.yml | 12 +-- php/tasks/sury_pre.yml | 16 ++-- postfix/handlers/main.yml | 7 +- postfix/tasks/common.yml | 5 +- postfix/tasks/main.yml | 8 +- postfix/tasks/minimal.yml | 4 +- postfix/tasks/packmail.yml | 30 ++++--- postfix/tasks/slow_transport.yml | 4 +- postgresql/handlers/main.yml | 14 +-- postgresql/tasks/config.yml | 12 +-- postgresql/tasks/locales.yml | 6 +- postgresql/tasks/logrotate.yml | 2 +- postgresql/tasks/munin.yml | 8 +- postgresql/tasks/nrpe.yml | 15 ++-- postgresql/tasks/packages_bullseye.yml | 6 +- postgresql/tasks/packages_buster.yml | 6 +- postgresql/tasks/packages_jessie.yml | 6 +- postgresql/tasks/packages_stretch.yml | 6 +- postgresql/tasks/pgdg-repo.yml | 10 +-- postgresql/tasks/postgis.yml | 2 +- postgresql/tests/test.yml | 7 +- proftpd/handlers/main.yml | 2 +- proftpd/tasks/account.yml | 19 ++-- proftpd/tasks/accounts.yml | 14 +-- proftpd/tasks/accounts_password.yml | 17 ++-- proftpd/tasks/main.yml | 21 ++--- rabbitmq/handlers/main.yml | 6 +- rabbitmq/tasks/main.yml | 18 ++-- rabbitmq/tasks/munin.yml | 10 +-- rabbitmq/tasks/nrpe.yml | 14 +-- rbenv/tasks/main.yml | 26 +++--- redis/handlers/main.yml | 12 +-- redis/tasks/default-log2mail.yml | 4 +- redis/tasks/default-munin.yml | 19 ++-- 
redis/tasks/default-server.yml | 6 +- redis/tasks/instance-log2mail.yml | 2 +- redis/tasks/instance-munin.yml | 14 +-- redis/tasks/instance-server.yml | 32 +++---- redis/tasks/main.yml | 44 ++++----- redis/tasks/nrpe.yml | 22 ++--- redis/tasks/thp.yml | 9 +- redmine/handlers/main.yml | 4 +- redmine/tasks/config.yml | 10 +-- redmine/tasks/main.yml | 8 +- redmine/tasks/mysql.yml | 14 +-- redmine/tasks/nginx.yml | 6 +- redmine/tasks/packages.yml | 6 +- redmine/tasks/release.yml | 33 ++++--- redmine/tasks/source.yml | 16 ++-- redmine/tasks/syslog.yml | 6 +- redmine/tasks/user.yml | 12 +-- remount-usr/handlers/main.yml | 3 +- remount-usr/tasks/main.yml | 6 +- spamassasin/handlers/main.yml | 2 +- spamassasin/tasks/main.yml | 29 +++--- squid/handlers/main.yml | 15 ++-- squid/tasks/log2mail.yml | 6 +- squid/tasks/logrotate_jessie.yml | 5 +- squid/tasks/logrotate_stretch.yml | 5 +- squid/tasks/main.yml | 50 +++++------ squid/tasks/minifirewall.legacy.yml | 10 +-- squid/tasks/minifirewall.yml | 15 ++-- squid/tasks/systemd.yml | 9 +- ssl/handlers/main.yml | 2 +- ssl/tasks/haproxy.yml | 8 +- ssl/tasks/main.yml | 12 +-- supervisord/handlers/main.yml | 2 +- supervisord/tasks/main.yml | 4 +- tomcat-instance/tasks/alias.yml | 4 +- tomcat-instance/tasks/bootstrap.yml | 8 +- tomcat-instance/tasks/check.yml | 8 +- tomcat-instance/tasks/main.yml | 10 +-- tomcat-instance/tasks/systemd.yml | 5 +- tomcat-instance/tasks/user.yml | 25 +++--- tomcat/tasks/main.yml | 4 +- tomcat/tasks/nagios.yml | 8 +- tomcat/tasks/packages.yml | 16 ++-- unbound/handlers/main.yml | 2 +- unbound/tasks/main.yml | 8 +- userlogrotate/tasks/main.yml | 4 +- varnish/handlers/main.yml | 8 +- varnish/tasks/main.yml | 34 +++---- varnish/tasks/munin.yml | 14 +-- vrrpd/tasks/ip.yml | 6 +- vrrpd/tasks/main.yml | 15 ++-- webapps/evoadmin-mail/handlers/main.yml | 6 +- webapps/evoadmin-mail/tasks/apache.yml | 6 +- webapps/evoadmin-mail/tasks/main.yml | 14 +-- webapps/evoadmin-mail/tasks/nginx.yml | 8 +- 
webapps/evoadmin-mail/tasks/ssl.yml | 10 ++- webapps/evoadmin-web/handlers/main.yml | 7 +- webapps/evoadmin-web/tasks/config.yml | 6 +- webapps/evoadmin-web/tasks/ftp.yml | 4 +- webapps/evoadmin-web/tasks/main.yml | 16 ++-- webapps/evoadmin-web/tasks/packages.yml | 12 +-- webapps/evoadmin-web/tasks/ssl.yml | 10 ++- webapps/evoadmin-web/tasks/user.yml | 35 ++++---- webapps/evoadmin-web/tasks/web.yml | 22 ++--- webapps/nextcloud/handlers/main.yml | 6 +- webapps/nextcloud/tasks/apache-system.yml | 9 +- webapps/nextcloud/tasks/apache-vhost.yml | 4 +- webapps/nextcloud/tasks/archive.yml | 9 +- webapps/nextcloud/tasks/config.yml | 23 +++-- webapps/nextcloud/tasks/main.yml | 18 ++-- webapps/nextcloud/tasks/mysql-user.yml | 16 ++-- webapps/nextcloud/tasks/user.yml | 7 +- webapps/roundcube/handlers/main.yml | 6 +- webapps/roundcube/tasks/main.yml | 28 +++--- webapps/wordpress/tasks/main.yml | 39 ++++---- 392 files changed, 2517 insertions(+), 2298 deletions(-) diff --git a/amavis/handlers/main.yml b/amavis/handlers/main.yml index 62049999..6d76108b 100644 --- a/amavis/handlers/main.yml +++ b/amavis/handlers/main.yml @@ -1,5 +1,5 @@ --- - name: restart amavis - service: + ansible.builtin.service: name: amavis state: restarted diff --git a/amavis/tasks/main.yml b/amavis/tasks/main.yml index 1b0932d5..4fa452e5 100644 --- a/amavis/tasks/main.yml +++ b/amavis/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: install Amavis - apt: + ansible.builtin.apt: name: - postgrey - amavisd-new @@ -9,7 +9,7 @@ - amavis - name: configure Amavis - template: + ansible.builtin.template: src: amavis.conf.j2 dest: /etc/amavis/conf.d/49-evolinux-defaults mode: "0644" diff --git a/amazon-ec2/amazon-ec2-evolinux.yml b/amazon-ec2/amazon-ec2-evolinux.yml index d4e125a7..18dcb7a0 100644 --- a/amazon-ec2/amazon-ec2-evolinux.yml +++ b/amazon-ec2/amazon-ec2-evolinux.yml 
@@ -9,10 +9,10 @@ aws_region: ca-central-1 tasks: - - include_role: + - ansible.builtin.include_role: name: evolix/amazon-ec2 tasks_from: setup.yml - - include_role: + - ansible.builtin.include_role: name: evolix/amazon-ec2 tasks_from: create-instance.yml @@ -51,7 +51,7 @@ - mysql post_tasks: - - include_role: + - ansible.builtin.include_role: name: evolix/etc-git tasks_from: commit.yml vars: diff --git a/amazon-ec2/tasks/create-instance.yml b/amazon-ec2/tasks/create-instance.yml index 86e8f803..7dd4ef3f 100644 --- a/amazon-ec2/tasks/create-instance.yml +++ b/amazon-ec2/tasks/create-instance.yml @@ -1,7 +1,7 @@ --- - name: Launch new instance(s) - ec2: + amazon.aws.ec2: state: present aws_access_key: "{{ aws_access_key }}" aws_secret_key: "{{ aws_secret_key }}" @@ -16,19 +16,19 @@ register: ec2 - name: Add newly created instance(s) to inventory - add_host: + ansible.builtin.add_host: hostname: "{{ item.public_dns_name }}" groupname: launched-instances ansible_user: admin ansible_ssh_common_args: "-o StrictHostKeyChecking=no" loop: "{{ ec2.instances }}" -- debug: +- ansible.builtin.debug: msg: "Your newly created instance is reachable at: {{ item.public_dns_name }}" loop: "{{ ec2.instances }}" - name: Wait for SSH to come up on all instances (give up after 2m) - wait_for: + ansible.builtin.wait_for: state: started host: "{{ item.public_dns_name }}" port: 22 diff --git a/amazon-ec2/tasks/post-install.yml b/amazon-ec2/tasks/post-install.yml index 369f4941..80f624a8 100644 --- a/amazon-ec2/tasks/post-install.yml +++ b/amazon-ec2/tasks/post-install.yml @@ -1,5 +1,5 @@ --- - name: Remove admin user - user: + ansible.builtin.user: name: admin state: absent diff --git a/amazon-ec2/tasks/setup.yml b/amazon-ec2/tasks/setup.yml index fe136fa1..d3bc00a5 100644 --- a/amazon-ec2/tasks/setup.yml +++ b/amazon-ec2/tasks/setup.yml 
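Review bot: `amazon.aws.ec2` is, as far as I recall, the module that the amazon.aws collection deprecated and then removed in its 4.0 release in favour of `amazon.aws.ec2_instance`, so the FQCN spelled here may not resolve on a current collection even though the short name did under older Ansible; please confirm against the installed collection version before merging. If a migration is needed, `ec2_instance` also returns an `instances` list whose entries carry `public_dns_name`, so the `add_host` and `wait_for` loops that follow should survive unchanged. The `register: ec2` name would then be misleading but harmless.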
@@ -1,7 +1,7 @@ --- - name: Create default security group - ec2_group: + amazon.aws.ec2_group: name: "{{ ec2_security_group.name }}" state: present aws_access_key: "{{ aws_access_key }}" @@ -12,7 +12,7 @@ rules_egress: "{{ ec2_security_group.rules_egress }}" - name: Create key pair - ec2_key: + amazon.aws.ec2_key: name: "{{ ec2_keyname }}" state: present aws_access_key: "{{ aws_access_key }}" diff --git a/apache/handlers/main.yml b/apache/handlers/main.yml index 96daa368..e8e31627 100644 --- a/apache/handlers/main.yml +++ b/apache/handlers/main.yml @@ -1,15 +1,15 @@ --- - name: restart apache - service: + ansible.builtin.service: name: apache2 state: restarted - name: reload apache - service: + ansible.builtin.service: name: apache2 state: reloaded - name: restart munin-node - service: + ansible.builtin.service: name: munin-node state: restarted diff --git a/apache/tasks/auth.yml b/apache/tasks/auth.yml index fd01517c..2c4d75ff 100644 --- a/apache/tasks/auth.yml +++ b/apache/tasks/auth.yml @@ -1,7 +1,7 @@ --- - name: Init ipaddr_whitelist.conf file - copy: + ansible.builtin.copy: src: ipaddr_whitelist.conf dest: /etc/apache2/ipaddr_whitelist.conf owner: root @@ -12,10 +12,10 @@ - apache - name: Load IP whitelist task - include: ip_whitelist.yml + ansible.builtin.import_tasks: ip_whitelist.yml - name: include private IP whitelist for server-status - lineinfile: + ansible.builtin.lineinfile: dest: /etc/apache2/mods-available/status.conf line: " include /etc/apache2/ipaddr_whitelist.conf" insertafter: 'SetHandler server-status' @@ -24,7 +24,7 @@ - apache - name: Copy private_htpasswd - copy: + ansible.builtin.copy: src: private_htpasswd dest: /etc/apache2/private_htpasswd owner: root @@ -36,7 +36,7 @@ - apache - name: add user:pwd to private htpasswd - lineinfile: + ansible.builtin.lineinfile: dest: /etc/apache2/private_htpasswd line: "{{ item }}" state: present 
@@ -46,7 +46,7 @@ - apache - name: remove user:pwd from private htpasswd - lineinfile: + ansible.builtin.lineinfile: dest: /etc/apache2/private_htpasswd line: "{{ item }}" state: absent diff --git a/apache/tasks/ip_whitelist.yml b/apache/tasks/ip_whitelist.yml index 18f4a681..5060f56e 100644 --- a/apache/tasks/ip_whitelist.yml +++ b/apache/tasks/ip_whitelist.yml @@ -1,7 +1,7 @@ --- - name: add IP addresses to private IP whitelist - lineinfile: + ansible.builtin.lineinfile: dest: /etc/apache2/ipaddr_whitelist.conf line: "Require ip {{ item }}" state: present @@ -12,7 +12,7 @@ - ips - name: remove IP addresses from private IP whitelist - lineinfile: + ansible.builtin.lineinfile: dest: /etc/apache2/ipaddr_whitelist.conf line: "Require ip {{ item }}" state: absent diff --git a/apache/tasks/log2mail.yml b/apache/tasks/log2mail.yml index 3b0650b7..42b18dae 100644 --- a/apache/tasks/log2mail.yml +++ b/apache/tasks/log2mail.yml @@ -1,14 +1,14 @@ --- - name: log2mail is installed - apt: + ansible.builtin.apt: name: log2mail state: present tags: - apache - name: Add log2mail config for Apache segfaults - template: + ansible.builtin.template: src: log2mail-apache.j2 dest: "/etc/log2mail/config/apache" owner: log2mail diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index 1a028205..c1ca9d7b 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: packages are installed (Debian 9 or later) - apt: + ansible.builtin.apt: name: - apache2 - libapache2-mod-evasive @@ -14,7 +14,7 @@ when: ansible_distribution_major_version is version('9', '>=') - name: itk package is installed if required (Debian 9 or later) - apt: + ansible.builtin.apt: name: - libapache2-mpm-itk state: present @@ -26,7 +26,7 @@ - apache_mpm == "itk" - name: packages are installed (jessie) - apt: + ansible.builtin.apt: name: - apache2-mpm-itk - libapache2-mod-evasive 
@@ -39,7 +39,7 @@ when: ansible_distribution_release == "jessie" - name: basic modules are enabled - apache2_module: + community.general.apache2_module: name: '{{ item }}' state: present loop: @@ -55,7 +55,7 @@ - apache - name: basic modules are enabled - apache2_module: + community.general.apache2_module: name: '{{ item }}' state: present loop: @@ -67,7 +67,7 @@ - name: Copy Apache defaults config file - copy: + ansible.builtin.copy: src: evolinux-defaults.conf dest: "/etc/apache2/conf-available/z-evolinux-defaults.conf" owner: root @@ -79,7 +79,7 @@ - apache - name: Copy Apache custom config file - copy: + ansible.builtin.copy: src: evolinux-custom.conf dest: "/etc/apache2/conf-available/zzz-evolinux-custom.conf" owner: root @@ -91,7 +91,7 @@ - apache - name: disable status.conf - file: + ansible.builtin.file: dest: /etc/apache2/mods-enabled/status.conf state: absent notify: reload apache @@ -99,7 +99,8 @@ - apache - name: Ensure Apache config files are enabled - command: "a2enconf {{ item }}" + ansible.builtin.command: + cmd: "a2enconf {{ item }}" register: command_result changed_when: "'Enabling' in command_result.stderr" loop: @@ -109,12 +110,12 @@ tags: - apache -- include: auth.yml +- ansible.builtin.include: auth.yml tags: - apache - name: default vhost is installed - template: + ansible.builtin.template: src: evolinux-default.conf.j2 dest: /etc/apache2/sites-available/000-evolinux-default.conf mode: "0640" @@ -124,7 +125,7 @@ - apache - name: default vhost is enabled - file: + ansible.builtin.file: src: /etc/apache2/sites-available/000-evolinux-default.conf dest: /etc/apache2/sites-enabled/000-default.conf state: link 
@@ -134,12 +135,13 @@ tags: - apache -- include: server_status.yml +- ansible.builtin.include: server_status.yml tags: - apache - name: is umask already present? - command: "grep -E '^umask ' /etc/apache2/envvars" + ansible.builtin.command: + cmd: "grep -E '^umask ' /etc/apache2/envvars" failed_when: False changed_when: False register: envvar_grep_umask @@ -148,7 +150,7 @@ - apache - name: Add a mark in envvars for umask - blockinfile: + ansible.builtin.blockinfile: dest: /etc/apache2/envvars marker: "## {mark} ANSIBLE MANAGED BLOCK" block: | @@ -159,13 +161,13 @@ tags: - apache -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr tags: - apache - name: /usr/share/scripts exists - file: + ansible.builtin.file: dest: /usr/share/scripts mode: "0700" owner: root @@ -175,7 +177,7 @@ - apache - name: "Install save_apache_status.sh" - copy: + ansible.builtin.copy: src: save_apache_status.sh dest: /usr/share/scripts/save_apache_status.sh mode: "0755" @@ -184,7 +186,7 @@ - apache - name: "logrotate: {{ apache_logrotate_frequency }}" - replace: + ansible.builtin.replace: dest: /etc/logrotate.d/apache2 regexp: "(daily|weekly|monthly)" replace: "{{ apache_logrotate_frequency }}" @@ -192,19 +194,19 @@ - apache - name: "logrotate: rotate {{ apache_logrotate_rotate }}" - replace: + ansible.builtin.replace: dest: /etc/logrotate.d/apache2 regexp: '^(\s+rotate) \d+$' replace: '\1 {{ apache_logrotate_rotate }}' tags: - apache -- include: log2mail.yml +- ansible.builtin.include: log2mail.yml when: apache_log2mail_include tags: - apache -- include: munin.yml +- ansible.builtin.include: munin.yml when: apache_munin_include | bool tags: - apache diff --git a/apache/tasks/munin.yml b/apache/tasks/munin.yml index fe07a5cf..af3c1a21 100644 --- a/apache/tasks/munin.yml +++ b/apache/tasks/munin.yml @@ -1,7 +1,7 @@ --- - name: "Install munin-node and core plugins packages" - apt: + ansible.builtin.apt: name: - munin-node - munin-plugins-core 
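Review bot: The file-inclusion tasks in apache/tasks/main.yml are rewritten as `ansible.builtin.include` (`server_status.yml` in this hunk, `log2mail.yml` and `munin.yml` in the `@@ -192,19` hunk, `auth.yml` earlier), but `include` is the deprecated action that, as far as I recall, recent ansible-core releases have removed, whereas apache/tasks/auth.yml in the same patch already turned `include: ip_whitelist.yml` into `ansible.builtin.import_tasks`. For consistency and to keep the role running on current ansible-core, use `ansible.builtin.import_tasks: log2mail.yml` (the `when:` and `tags:` beneath it are applied to each imported task, so the outcome is effectively unchanged) or `ansible.builtin.include_tasks` where dynamic loading is actually wanted. The same `ansible.builtin.include` pattern recurs in bind/tasks/main.yml and certbot/tasks/main.yml later in this patch.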
@@ -11,7 +11,7 @@ - munin - name: "Enable Munin plugins" - file: + ansible.builtin.file: src: "/usr/share/munin/plugins/{{ item }}" dest: "/etc/munin/plugins/{{ item }}" state: link @@ -25,7 +25,7 @@ - munin - name: "Install fcgi packages for Munin graphs" - apt: + ansible.builtin.apt: name: - libapache2-mod-fcgid - libcgi-fast-perl @@ -36,7 +36,8 @@ - munin - name: "Enable libapache2-mod-fcgid" - command: a2enmod fcgid + ansible.builtin.command: + cmd: a2enmod fcgid register: cmd_enable_fcgid changed_when: "'Module fcgid already enabled' not in cmd_enable_fcgid.stdout" notify: restart apache @@ -45,7 +46,7 @@ - munin - name: "Apache has access to /var/log/munin/" - file: + ansible.builtin.file: path: /var/log/munin/ group: www-data tags: diff --git a/apache/tasks/server_status.yml b/apache/tasks/server_status.yml index 38daf285..7b188e51 100644 --- a/apache/tasks/server_status.yml +++ b/apache/tasks/server_status.yml @@ -1,7 +1,7 @@ --- - name: server status dirname exists - file: + ansible.builtin.file: dest: "{{ apache_serverstatus_suffix_file | dirname }}" mode: "0700" owner: root @@ -9,7 +9,7 @@ state: directory - name: set apache serverstatus suffix if provided - copy: + ansible.builtin.copy: dest: "{{ apache_serverstatus_suffix_file }}" # The last character "\u000A" is a line feed (LF), it's better to keep it content: "{{ apache_serverstatus_suffix }}\u000A" 
@@ -17,51 +17,53 @@ when: apache_serverstatus_suffix | length > 0 - name: generate random string for server-status suffix - shell: "apg -a 1 -M N -n 1 > {{ apache_serverstatus_suffix_file }}" + ansible.builtin.shell: + cmd: "apg -a 1 -M N -n 1 > {{ apache_serverstatus_suffix_file }}" args: creates: "{{ apache_serverstatus_suffix_file }}" - name: read apache server status suffix - command: "tail -n 1 {{ apache_serverstatus_suffix_file }}" + ansible.builtin.command: + cmd: "tail -n 1 {{ apache_serverstatus_suffix_file }}" changed_when: False check_mode: no register: new_apache_serverstatus_suffix - name: overwrite apache_serverstatus_suffix - set_fact: + ansible.builtin.set_fact: apache_serverstatus_suffix: "{{ new_apache_serverstatus_suffix.stdout }}" -- debug: +- ansible.builtin.debug: var: apache_serverstatus_suffix verbosity: 1 - name: replace server-status suffix in default site index - replace: + ansible.builtin.replace: dest: /var/www/index.html regexp: '__SERVERSTATUS_SUFFIX__' replace: "{{ apache_serverstatus_suffix }}" - name: add server-status suffix in default site index if missing - replace: + ansible.builtin.replace: dest: /var/www/index.html regexp: '"/server-status-?"' replace: '"/server-status-{{ apache_serverstatus_suffix }}"' - name: add server-status suffix in default VHost - replace: + ansible.builtin.replace: dest: /etc/apache2/sites-available/000-evolinux-default.conf regexp: '' replace: '' notify: reload apache - name: Munin configuration has a section for apache - lineinfile: + ansible.builtin.lineinfile: dest: /etc/munin/plugin-conf.d/munin-node line: "[apache_*]" create: no - name: apache-status URL is configured for Munin - lineinfile: + ansible.builtin.lineinfile: dest: /etc/munin/plugin-conf.d/munin-node line: "env.url http://{{ apache_serverstatus_host }}/server-status-{{ apache_serverstatus_suffix }}?auto" regexp: 'env.url http://[^\\/]+/server-status' 
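Review bot: The `generate random string for server-status suffix` task redirects `apg` output straight into `{{ apache_serverstatus_suffix_file }}` and guards itself with `creates:` on that same file, so if `apg` is missing or fails the shell has already created an empty file, the task fails once, and every later run skips generation and the `tail -n 1` task reads an empty suffix, leaving `/server-status-` reachable without the random part meant to obscure it. Write to a temporary name and rename only on success, e.g. `cmd: "apg -a 1 -M N -n 1 > {{ apache_serverstatus_suffix_file }}.tmp && mv {{ apache_serverstatus_suffix_file }}.tmp {{ apache_serverstatus_suffix_file }}"`, or add an `ansible.builtin.assert` that `new_apache_serverstatus_suffix.stdout | length > 0` before the `set_fact`. The suffix is also written into `/var/www/index.html` by the following `replace` tasks, so it is at best a weak secret and the IP whitelist wired into status.conf in apache/tasks/auth.yml remains the real control.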
@@ -70,7 +72,7 @@ notify: restart munin-node - name: add mailgraph URL in index.html - lineinfile: + ansible.builtin.lineinfile: dest: /var/www/index.html state: present line: '
  • Stats Mail
  • ' diff --git a/apt/tasks/backports.deb822.yml b/apt/tasks/backports.deb822.yml index 633b9266..421e59e6 100644 --- a/apt/tasks/backports.deb822.yml +++ b/apt/tasks/backports.deb822.yml @@ -1,7 +1,7 @@ --- - name: Backports deb822 sources list is installed - template: + ansible.builtin.template: src: '{{ ansible_distribution_release }}_backports.sources.j2' dest: /etc/apt/sources.list.d/backports.sources force: yes @@ -11,7 +11,7 @@ - apt - name: Backports configuration - copy: + ansible.builtin.copy: src: '{{ ansible_distribution_release }}_backports_preferences' dest: /etc/apt/preferences.d/0-backports-defaults force: yes @@ -21,7 +21,7 @@ - apt - name: Apt update - apt: + ansible.builtin.apt: update_cache: yes when: apt_backports_sources is changed or apt_backports_config is changed tags: diff --git a/apt/tasks/backports.oneline.yml b/apt/tasks/backports.oneline.yml index 7f6509b0..9b7118b7 100644 --- a/apt/tasks/backports.oneline.yml +++ b/apt/tasks/backports.oneline.yml @@ -1,6 +1,6 @@ --- - name: No backports config in default sources.list - lineinfile: + ansible.builtin.lineinfile: dest: /etc/apt/sources.list regexp: "backports" state: absent @@ -8,7 +8,7 @@ - apt - name: Backports sources list is installed - template: + ansible.builtin.template: src: '{{ ansible_distribution_release }}_backports.list.j2' dest: /etc/apt/sources.list.d/backports.list force: yes @@ -18,7 +18,7 @@ - apt - name: Backports configuration - copy: + ansible.builtin.copy: src: '{{ ansible_distribution_release }}_backports_preferences' dest: /etc/apt/preferences.d/0-backports-defaults force: yes @@ -28,7 +28,7 @@ - apt - name: Archived backport are accepted (jessie) - lineinfile: + ansible.builtin.lineinfile: dest: '/etc/apt/apt.conf.d/99no-check-valid-until' line: 'Acquire::Check-Valid-Until no;' create: yes @@ -38,7 +38,7 @@ when: ansible_distribution_release == "jessie" - name: Apt update - apt: + ansible.builtin.apt: update_cache: yes tags: - apt 
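Review bot: The `Archived backport are accepted (jessie)` task in apt/tasks/backports.oneline.yml writes `Acquire::Check-Valid-Until no;` to `/etc/apt/apt.conf.d/99no-check-valid-until`, which disables Release-file expiry checking for every repository configured on that host, not only the archived backports it is meant for; a mirror or on-path attacker could then replay a stale, previously valid Release file indefinitely. If the intent is only the archive, scope the exception to that source instead, e.g. `deb [check-valid-until=no] http://archive.debian.org/debian jessie-backports main` in the backports list template, and drop the global apt.conf snippet. The template this would go in (`jessie_backports.list.j2`) is not part of this patch, so I cannot confirm its current contents.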
diff --git a/apt/tasks/backports.yml b/apt/tasks/backports.yml index 205574e5..6ebf65ab 100644 --- a/apt/tasks/backports.yml +++ b/apt/tasks/backports.yml @@ -3,11 +3,11 @@ # Backward compatibility task file - name: Install backports repositories (Debian <12) - import_tasks: backports.oneline.yml + ansible.builtin.import_tasks: backports.oneline.yml when: - ansible_distribution_major_version is version('12', '<') - name: Install backports repositories (Debian >=12) - import_tasks: backports.deb822.yml + ansible.builtin.import_tasks: backports.deb822.yml when: - ansible_distribution_major_version is version('12', '>=') \ No newline at end of file diff --git a/apt/tasks/basics.deb822.yml b/apt/tasks/basics.deb822.yml index b99a8af4..a8663572 100644 --- a/apt/tasks/basics.deb822.yml +++ b/apt/tasks/basics.deb822.yml @@ -1,7 +1,7 @@ --- - name: Change basics repositories - template: + ansible.builtin.template: src: "{{ ansible_distribution_release }}_basics.sources.j2" dest: /etc/apt/sources.list.d/system.sources mode: "0644" @@ -11,7 +11,7 @@ - apt - name: Change security repositories - template: + ansible.builtin.template: src: "{{ ansible_distribution_release }}_security.sources.j2" dest: /etc/apt/sources.list.d/security.sources mode: "0644" @@ -27,7 +27,8 @@ register: list_files - name: Disable one-line-formatted sources - command: "mv --verbose {{ item.path }} {{ item.path }}.bak" + ansible.builtin.command: + cmd: "mv --verbose {{ item.path }} {{ item.path }}.bak" environment: LC_ALL: C loop: "{{ list_files.files }}" @@ -37,7 +38,7 @@ - apt - name: Apt update - apt: + ansible.builtin.apt: update_cache: yes tags: - apt diff --git a/apt/tasks/basics.oneline.yml b/apt/tasks/basics.oneline.yml index 8e0a562c..4d457f0d 100644 --- a/apt/tasks/basics.oneline.yml +++ b/apt/tasks/basics.oneline.yml 
@@ -1,7 +1,7 @@ --- - name: Change basics repositories - template: + ansible.builtin.template: src: "{{ ansible_distribution_release }}_basics.list.j2" dest: /etc/apt/sources.list mode: "0644" @@ -11,7 +11,7 @@ - apt - name: Apt update - apt: + ansible.builtin.apt: update_cache: yes tags: - apt diff --git a/apt/tasks/basics.yml b/apt/tasks/basics.yml index 7966c849..885f33f5 100644 --- a/apt/tasks/basics.yml +++ b/apt/tasks/basics.yml @@ -3,11 +3,11 @@ # Backward compatibility task file - name: Install basics repositories (Debian <12) - import_tasks: basics.oneline.yml + ansible.builtin.import_tasks: basics.oneline.yml when: - ansible_distribution_major_version is version('12', '<') - name: Install basics repositories (Debian >=12) - import_tasks: basics.deb822.yml + ansible.builtin.import_tasks: basics.deb822.yml when: - ansible_distribution_major_version is version('12', '>=') \ No newline at end of file diff --git a/apt/tasks/config.yml b/apt/tasks/config.yml index 62155623..b403ab03 100644 --- a/apt/tasks/config.yml +++ b/apt/tasks/config.yml @@ -1,7 +1,7 @@ --- - name: Evolinux config for APT - lineinfile: + ansible.builtin.lineinfile: dest: /etc/apt/apt.conf.d/z-evolinux.conf line: "{{ item.line }}" regexp: "{{ item.regexp }}" @@ -17,7 +17,7 @@ when: apt_evolinux_config | bool - name: DPkg invoke hooks - lineinfile: + ansible.builtin.lineinfile: dest: /etc/apt/apt.conf.d/z-evolinux.conf line: "{{ item }}" create: yes @@ -33,7 +33,7 @@ when: apt_hooks | bool - name: Remove Aptitude - apt: + ansible.builtin.apt: name: aptitude state: absent tags: diff --git a/apt/tasks/evolix_public.deb822.yml b/apt/tasks/evolix_public.deb822.yml index a98a9983..036645e7 100644 --- a/apt/tasks/evolix_public.deb822.yml +++ b/apt/tasks/evolix_public.deb822.yml 
@@ -1,14 +1,14 @@ --- - name: Look for legacy apt keyring - stat: + ansible.builtin.stat: path: /etc/apt/trusted.gpg register: _trusted_gpg_keyring tags: - apt - name: Evolix embedded GPG key is absent - apt_key: + ansible.builtin.apt_key: id: "B8612B5D" keyring: /etc/apt/trusted.gpg state: absent @@ -17,7 +17,7 @@ when: _trusted_gpg_keyring.stat.exists - name: Add Evolix GPG key - copy: + ansible.builtin.copy: src: pub_evolix.asc dest: "{{ apt_keyring_dir }}/pub_evolix.asc" force: yes @@ -28,7 +28,7 @@ - apt - name: Evolix public list is installed - template: + ansible.builtin.template: src: evolix_public.sources.j2 dest: /etc/apt/sources.list.d/evolix_public.sources force: yes @@ -38,7 +38,7 @@ - apt - name: Apt update - apt: + ansible.builtin.apt: update_cache: yes tags: - apt diff --git a/apt/tasks/evolix_public.oneline.yml b/apt/tasks/evolix_public.oneline.yml index e3ca833e..9c502a33 100644 --- a/apt/tasks/evolix_public.oneline.yml +++ b/apt/tasks/evolix_public.oneline.yml @@ -1,14 +1,14 @@ --- - name: Look for legacy apt keyring - stat: + ansible.builtin.stat: path: /etc/apt/trusted.gpg register: _trusted_gpg_keyring tags: - apt - name: Evolix embedded GPG key is absent - apt_key: + ansible.builtin.apt_key: id: "B8612B5D" keyring: /etc/apt/trusted.gpg state: absent @@ -17,7 +17,7 @@ when: _trusted_gpg_keyring.stat.exists - name: Add Evolix GPG key - copy: + ansible.builtin.copy: src: pub_evolix.asc dest: "{{ apt_keyring_dir }}/pub_evolix.asc" force: yes @@ -28,7 +28,7 @@ - apt - name: Evolix public list is installed - template: + ansible.builtin.template: src: evolix_public.list.j2 dest: /etc/apt/sources.list.d/evolix_public.list force: yes @@ -38,7 +38,7 @@ - apt - name: Apt update - apt: + ansible.builtin.apt: update_cache: yes tags: - apt diff --git a/apt/tasks/evolix_public.yml b/apt/tasks/evolix_public.yml index 6d0a2de4..8795a6a5 100644 --- a/apt/tasks/evolix_public.yml +++ b/apt/tasks/evolix_public.yml 
@@ -3,11 +3,11 @@ # Backward compatibility task file - name: Install Evolix Public repositories (Debian <12) - import_tasks: evolix_public.oneline.yml + ansible.builtin.import_tasks: evolix_public.oneline.yml when: - ansible_distribution_major_version is version('12', '<') - name: Install Evolix Public repositories (Debian >=12) - import_tasks: evolix_public.deb822.yml + ansible.builtin.import_tasks: evolix_public.deb822.yml when: - ansible_distribution_major_version is version('12', '>=') \ No newline at end of file diff --git a/apt/tasks/hold_packages.yml b/apt/tasks/hold_packages.yml index 2b3b815f..26ced4c7 100644 --- a/apt/tasks/hold_packages.yml +++ b/apt/tasks/hold_packages.yml @@ -1,11 +1,11 @@ --- -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: "hold packages (apt)" - shell: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) || apt-mark hold {{ item }})" - args: + ansible.builtin.shell: + cmd: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) || apt-mark hold {{ item }})" executable: /bin/bash check_mode: no register: apt_mark @@ -18,7 +18,7 @@ - apt - name: "/etc/evolinux is present" - file: + ansible.builtin.file: dest: /etc/evolinux mode: "0700" state: directory @@ -26,7 +26,7 @@ - apt - name: "hold packages (config)" - lineinfile: + ansible.builtin.lineinfile: dest: /etc/evolinux/apt_hold_packages.cf line: "{{ item }}" create: True 
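Review bot: In the `hold packages (apt)` task of apt/tasks/hold_packages.yml the guard `apt-mark showhold | grep --quiet {{ item }}` is a substring/regex match, so holding `vim` is silently skipped whenever, say, `vim-common` is already on hold, and a package name containing regex metacharacters is read as a pattern rather than a name. Match whole lines literally and keep the value out of shell parsing: `(apt-mark showhold | grep -qxF -- {{ item | quote }}) || apt-mark hold {{ item | quote }}`; the same applies to the `dpkg -l {{ item }}` call and to the `unhold packages (apt)` task later in the file. The `loop:` supplying `item` is outside this hunk, so I am assuming the values are plain package names from role variables.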
@@ -36,8 +36,8 @@ - apt - name: "unhold packages (apt)" - shell: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) && apt-mark unhold {{ item }})" - args: + ansible.builtin.shell: + cmd: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) && apt-mark unhold {{ item }})" executable: /bin/bash check_mode: no register: apt_mark @@ -48,7 +48,7 @@ - apt - name: "unhold packages (config)" - lineinfile: + ansible.builtin.lineinfile: dest: /etc/evolinux/apt_hold_packages.cf line: "{{ item }}" create: True @@ -58,7 +58,7 @@ - apt - name: /usr/share/scripts exists - file: + ansible.builtin.file: dest: /usr/share/scripts mode: "0700" owner: root @@ -68,7 +68,7 @@ - apt - name: Check scripts is installed - copy: + ansible.builtin.copy: src: check_held_packages.sh dest: /usr/share/scripts/check_held_packages.sh force: yes @@ -77,7 +77,8 @@ - apt - name: Check if Cron is installed - shell: "dpkg --list 'cron' 2>/dev/null | grep -q -E '^(i|h)i'" + ansible.builtin.shell: + cmd: "dpkg --list 'cron' 2>/dev/null | grep -q -E '^(i|h)i'" register: is_cron changed_when: False failed_when: False @@ -86,7 +87,7 @@ - apt - name: Check for held packages (script) - cron: + ansible.builtin.cron: cron_file: apt-hold-packages name: check_held_packages job: "/usr/share/scripts/check_held_packages.sh" diff --git a/apt/tasks/main.yml b/apt/tasks/main.yml index 104756d2..295f42f1 100644 --- a/apt/tasks/main.yml +++ b/apt/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: "Compatibility check" - assert: + ansible.builtin.assert: that: - ansible_distribution == "Debian" - ansible_distribution_major_version is version('8', '>=') @@ -10,7 +10,7 @@ - apt - name: "apt-transport-https is installed for https repositories (before Buster)" - apt: + ansible.builtin.apt: name: - apt-transport-https tags: 
@@ -18,20 +18,20 @@ when: ansible_distribution_major_version is version('10', '<') - name: "certificates are installed for https repositories" - apt: + ansible.builtin.apt: name: - ca-certificates tags: - apt - name: Custom configuration - import_tasks: config.yml + ansible.builtin.import_tasks: config.yml when: apt_config | bool tags: - apt - name: Install basics repositories (Debian <12) - import_tasks: basics.oneline.yml + ansible.builtin.import_tasks: basics.oneline.yml tags: - apt when: @@ -39,7 +39,7 @@ - ansible_distribution_major_version is version('12', '<') - name: Install basics repositories (Debian >=12) - import_tasks: basics.deb822.yml + ansible.builtin.import_tasks: basics.deb822.yml tags: - apt when: @@ -47,7 +47,7 @@ - ansible_distribution_major_version is version('12', '>=') - name: Install backports repositories (Debian <12) - import_tasks: backports.oneline.yml + ansible.builtin.import_tasks: backports.oneline.yml tags: - apt when: @@ -57,7 +57,7 @@ # With Debian 12+ and the deb822 format of source files # backports are always installed but enabled according to `apt_install_backports` - name: Install backports repositories (Debian >=12) - import_tasks: backports.deb822.yml + ansible.builtin.import_tasks: backports.deb822.yml tags: - apt when: @@ -65,7 +65,7 @@ - name: Install Evolix Public repositories (Debian <12) - import_tasks: evolix_public.oneline.yml + ansible.builtin.import_tasks: evolix_public.oneline.yml tags: - apt when: @@ -73,7 +73,7 @@ - ansible_distribution_major_version is version('12', '<') - name: Install Evolix Public repositories (Debian >=12) - import_tasks: evolix_public.deb822.yml + ansible.builtin.import_tasks: evolix_public.deb822.yml tags: - apt when: @@ -81,7 +81,7 @@ - ansible_distribution_major_version is version('12', '>=') - name: Clean GANDI sources - file: + ansible.builtin.file: path: '{{ item }}' state: absent loop: 
@@ -97,20 +97,20 @@ - name: Install check for packages marked hold - import_tasks: hold_packages.yml + ansible.builtin.import_tasks: hold_packages.yml when: apt_install_hold_packages | bool tags: - apt - name: Updating APT cache - apt: + ansible.builtin.apt: update_cache: yes changed_when: False tags: - apt - name: Upgrading system - apt: + ansible.builtin.apt: upgrade: dist when: apt_upgrade | bool tags: diff --git a/apt/tasks/migrate-to-deb822.yml b/apt/tasks/migrate-to-deb822.yml index 642bcb4f..720045bf 100644 --- a/apt/tasks/migrate-to-deb822.yml +++ b/apt/tasks/migrate-to-deb822.yml @@ -1,9 +1,9 @@ --- -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: /usr/share/scripts exists - file: + ansible.builtin.file: dest: /usr/share/scripts mode: "0700" owner: root @@ -13,7 +13,7 @@ - apt - name: Migration scripts are installed - copy: + ansible.builtin.copy: src: "{{ item }}" dest: "/usr/share/scripts/{{ item }}" force: yes @@ -25,7 +25,8 @@ - apt - name: Exec migration script - command: /usr/share/scripts/deb822-migration.sh + ansible.builtin.command: + cmd: /usr/share/scripts/deb822-migration.sh ignore_errors: yes tags: - apt \ No newline at end of file diff --git a/apt/tasks/move-apt-keyring.yml b/apt/tasks/move-apt-keyring.yml index 4214d2d6..5b0cdd9b 100644 --- a/apt/tasks/move-apt-keyring.yml +++ b/apt/tasks/move-apt-keyring.yml @@ -1,18 +1,18 @@ --- - name: New APT keyrings directory is present - file: + ansible.builtin.file: path: /etc/apt/keyrings state: directory mode: "0755" owner: root group: root -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: /usr/share/scripts exists - file: + ansible.builtin.file: dest: /usr/share/scripts mode: "0700" owner: root @@ -22,7 +22,7 @@ - apt - name: migration script is present - copy: + ansible.builtin.copy: src: move-apt-keyrings.sh dest: /usr/share/scripts/move-apt-keyrings.sh mode: "0755" 
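Review bot: The `Exec migration script` task in apt/tasks/migrate-to-deb822.yml runs `/usr/share/scripts/deb822-migration.sh` with `ignore_errors: yes`, so a failed or partial rewrite of the APT sources is reported as a green play and the host can be left with no working package source, or with the old one-line files still active, without anyone noticing. Register the result and surface it instead of discarding it: `register: _deb822_migration` plus a `failed_when:` limited to whatever exit codes the script documents as benign, and at minimum an `ansible.builtin.debug` of `_deb822_migration.stdout_lines` so operators can see what happened. If the script is genuinely expected to fail in some situations, a `failed_when` that names those cases is clearer than a blanket ignore.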
@@ -30,7 +30,8 @@ group: root - name: Move repository signing key - command: "/usr/share/scripts/move-apt-keyrings.sh \"{{ item.repository_pattern }}\" \"{{ item.key }}\"" + ansible.builtin.command: + cmd: "/usr/share/scripts/move-apt-keyrings.sh \"{{ item.repository_pattern }}\" \"{{ item.key }}\"" loop: - { repository_pattern: "http://pub.evolix.net/", key: "reg.asc" } - { repository_pattern: "http://pub.evolix.org/evolix", key: "pub_evolix.asc" } @@ -48,5 +49,5 @@ register: _cmd - name: Debug command - debug: + ansible.builtin.debug: var: _cmd diff --git a/bind/handlers/main.yml b/bind/handlers/main.yml index b426fcd1..5461579d 100644 --- a/bind/handlers/main.yml +++ b/bind/handlers/main.yml @@ -1,21 +1,21 @@ --- - name: reload systemd - systemd: + ansible.builtin.systemd: daemon-reload: yes - name: restart apparmor - systemd: + ansible.builtin.systemd: name: apparmor state: restarted - name: restart bind - systemd: + ansible.builtin.systemd: name: bind9 state: restarted - name: restart munin-node - systemd: + ansible.builtin.systemd: name: munin-node state: restarted diff --git a/bind/tasks/authoritative.yml b/bind/tasks/authoritative.yml index 52992fa1..abfa96d8 100644 --- a/bind/tasks/authoritative.yml +++ b/bind/tasks/authoritative.yml @@ -1,7 +1,7 @@ --- - name: Set bind configuration for authoritative server - template: + ansible.builtin.template: src: named.conf.options_authoritative.j2 dest: /etc/bind/named.conf.options owner: bind diff --git a/bind/tasks/main.yml b/bind/tasks/main.yml index 9b053b6c..67776531 100644 --- a/bind/tasks/main.yml +++ b/bind/tasks/main.yml @@ -1,6 +1,6 @@ # Until chroot-bind.sh is migrated to ansible, we hardcode the chroot paths. - name: set chroot variables - set_fact: + ansible.builtin.set_fact: bind_log_file: /var/log/bind.log bind_query_file: /var/log/bind_queries.log bind_cache_dir: /var/cache/bind 
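Review bot: The `Move repository signing key` task in apt/tasks/move-apt-keyring.yml builds a free-form command string with backslash-escaped quotes around `{{ item.repository_pattern }}` and `{{ item.key }}`; the string is shlex-split by the command module, so a pattern containing quotes or whitespace would break argument boundaries, and the escaping is hard to read. Since the task already moved to the `ansible.builtin.command:` dict form, pass the arguments as a list: `argv: ["/usr/share/scripts/move-apt-keyrings.sh", "{{ item.repository_pattern }}", "{{ item.key }}"]`. The `http://` patterns in the loop are matched against sources rather than fetched, so this is a robustness point rather than a transport-security one.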
@@ -9,14 +9,15 @@ when: bind_chroot_set | bool - name: Check AppArmor - shell: systemctl is-active apparmor || systemctl is-enabled apparmor + ansible.builtin.shell: + cmd: systemctl is-active apparmor || systemctl is-enabled apparmor failed_when: False changed_when: False check_mode: no register: check_apparmor - name: configure apparmor - template: + ansible.builtin.template: src: apparmor.usr.sbin.named.j2 dest: /etc/apparmor.d/usr.sbin.named owner: root @@ -27,20 +28,20 @@ when: check_apparmor.rc == 0 - name: package are installed - apt: + ansible.builtin.apt: name: - bind9 - dnstop state: present -- include: authoritative.yml +- ansible.builtin.include: authoritative.yml when: bind_authoritative_server | bool -- include: recursive.yml +- ansible.builtin.include: recursive.yml when: bind_recursive_server | bool - name: Create systemd service for Debian 8 (Jessie) - template: + ansible.builtin.template: src: bind9.service.jessie.j2 dest: "{{ bind_systemd_service_path }}" owner: root @@ -53,7 +54,7 @@ when: ansible_distribution_release == "jessie" - name: "touch {{ bind_log_file }} if non chroot" - file: + ansible.builtin.file: path: "{{ bind_log_file }}" owner: bind group: adm @@ -62,7 +63,7 @@ when: not (bind_chroot_set | bool) - name: "touch {{ bind_query_file }} if non chroot" - file: + ansible.builtin.file: path: "{{ bind_query_file }}" owner: bind group: adm @@ -71,7 +72,7 @@ when: not (bind_chroot_set | bool) - name: send chroot-bind.sh in /root - copy: + ansible.builtin.copy: src: chroot-bind.sh dest: /root/chroot-bind.sh mode: "0700" 
@@ -81,19 +82,20 @@ when: bind_chroot_set | bool - name: exec chroot-bind.sh - command: "/root/chroot-bind.sh" + ansible.builtin.command: + cmd: "/root/chroot-bind.sh" register: chrootbind_run changed_when: False when: bind_chroot_set | bool -- debug: +- ansible.builtin.debug: var: chrootbind_run.stdout_lines when: - bind_chroot_set | bool - chrootbind_run.stdout | length > 0 - name: Modify OPTIONS in /etc/default/bind9 for chroot - replace: + ansible.builtin.replace: dest: /etc/default/bind9 regexp: '^OPTIONS=.*' replace: 'OPTIONS="-u bind -t {{ bind_chroot_path }}"' @@ -101,7 +103,7 @@ when: bind_chroot_set | bool - name: logrotate for bind - template: + ansible.builtin.template: src: logrotate_bind.j2 dest: /etc/logrotate.d/bind9 owner: root @@ -110,4 +112,4 @@ force: yes notify: restart bind -- include: munin.yml +- ansible.builtin.include: munin.yml diff --git a/bind/tasks/munin.yml b/bind/tasks/munin.yml index 7bedfd2c..4a655533 100644 --- a/bind/tasks/munin.yml +++ b/bind/tasks/munin.yml @@ -1,7 +1,7 @@ --- - name: is Munin present ? - stat: + ansible.builtin.stat: path: /etc/munin/plugin-conf.d/munin-node check_mode: no register: munin_node_plugins_config @@ -10,7 +10,7 @@ - munin - name: Enable munin plugins for authoritative server - file: + ansible.builtin.file: src: "/usr/share/munin/plugins/{{ item }}" dest: "/etc/munin/plugins/{{ item }}" state: link 
@@ -18,31 +18,31 @@ - bind9 - bind9_rndc notify: restart munin-node - when: - - bind_authoritative_server | bool - - munin_node_plugins_config.stat.exists tags: - bind - munin + when: + - bind_authoritative_server | bool + - munin_node_plugins_config.stat.exists - name: Enable munin plugins for recursive server - file: + ansible.builtin.file: src: "/usr/share/munin/plugins/{{ item }}" dest: "/etc/munin/plugins/{{ item }}" state: link loop: - bind9 notify: restart munin-node + tags: + - bind + - munin when: - bind_recursive_server | bool - bind_query_file_enabled | bool - munin_node_plugins_config.stat.exists - tags: - - bind - - munin - name: Add munin plugin configuration - template: + ansible.builtin.template: src: munin-env_bind9.j2 dest: /etc/munin/plugin-conf.d/bind9 owner: root @@ -50,7 +50,7 @@ mode: "0644" force: yes notify: restart munin-node - when: munin_node_plugins_config.stat.exists tags: - bind - munin + when: munin_node_plugins_config.stat.exists diff --git a/bind/tasks/recursive.yml b/bind/tasks/recursive.yml index ddbeafbf..364f1021 100644 --- a/bind/tasks/recursive.yml +++ b/bind/tasks/recursive.yml @@ -2,7 +2,7 @@ - name: Set bind configuration for recursive server - template: + ansible.builtin.template: src: named.conf.options_recursive.j2 dest: /etc/bind/named.conf.options owner: bind @@ -12,7 +12,7 @@ notify: restart bind - name: enable zones.rfc1918 for recursive server - lineinfile: + ansible.builtin.lineinfile: dest: /etc/bind/named.conf.local line: 'include "/etc/bind/zones.rfc1918";' regexp: "zones.rfc1918" diff --git a/bookworm-detect/tasks/main.yml b/bookworm-detect/tasks/main.yml index be11177e..c0c50fdd 100644 --- a/bookworm-detect/tasks/main.yml +++ b/bookworm-detect/tasks/main.yml 
@@ -1,10 +1,10 @@ --- -- debug: +- ansible.builtin.debug: var: ansible_lsb # Force facts until Debian 12 is released because Ansible is dumb -- set_fact: +- ansible.builtin.set_fact: ansible_distribution_major_version: 12 ansible_distribution: "Debian" ansible_distribution_release: "bookworm" diff --git a/bullseye-detect/tasks/main.yml b/bullseye-detect/tasks/main.yml index 6f97db0a..e18d826b 100644 --- a/bullseye-detect/tasks/main.yml +++ b/bullseye-detect/tasks/main.yml @@ -1,7 +1,7 @@ --- # Force facts until Debian 11 is released because Ansible is dumb -- set_fact: +- ansible.builtin.set_fact: ansible_distribution_major_version: 11 ansible_distribution: "Debian" ansible_distribution_release: "bullseye" diff --git a/certbot/handlers/main.yml b/certbot/handlers/main.yml index 4363ed3d..54f114e2 100644 --- a/certbot/handlers/main.yml +++ b/certbot/handlers/main.yml @@ -1,23 +1,24 @@ --- - name: reload nginx - service: + ansible.builtin.systemd: name: nginx state: reloaded - name: reload apache - service: + ansible.builtin.systemd: name: apache2 state: reloaded - name: reload haproxy - service: + ansible.builtin.systemd: name: haproxy state: reloaded - name: systemd daemon-reload - systemd: + ansible.builtin.systemd: daemon_reload: yes - name: install letsencrypt-auto - command: /usr/local/bin/letsencrypt-auto --noninteractive --install-only --no-self-upgrade + ansible.builtin.command: + cmd: /usr/local/bin/letsencrypt-auto --noninteractive --install-only --no-self-upgrade diff --git a/certbot/tasks/acme-challenge.yml b/certbot/tasks/acme-challenge.yml index 56b0c099..29c0267d 100644 --- a/certbot/tasks/acme-challenge.yml +++ b/certbot/tasks/acme-challenge.yml 
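Review bot: In certbot/handlers/main.yml the `reload nginx`, `reload apache` and `reload haproxy` handlers are changed from `service:` to `ansible.builtin.systemd:`, which is a module swap rather than the FQCN rename applied everywhere else in this patch (apache/handlers/main.yml and clamav/handlers/main.yml keep `ansible.builtin.service`). `ansible.builtin.service` already delegates to systemd on systemd hosts, so the swap gains nothing there and only removes the fallback on any non-systemd target the role might still meet. Unless the switch is intentional, keep `ansible.builtin.service:` here for consistency; if it is intentional, it deserves a mention in the commit message.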
@@ -1,18 +1,18 @@ --- - name: Certbot work directory is present - file: + ansible.builtin.file: dest: "{{ certbot_work_dir }}" state: directory mode: "0755" - name: Check if Nginx is installed - stat: + ansible.builtin.stat: path: /etc/nginx register: is_nginx - name: ACME challenge for Nginx is installed - template: + ansible.builtin.template: src: acme-challenge/nginx.conf.j2 dest: /etc/nginx/snippets/letsencrypt.conf force: yes @@ -20,32 +20,33 @@ when: is_nginx.stat.exists - name: Check if Apache is installed - stat: + ansible.builtin.stat: path: /usr/sbin/apachectl register: is_apache - name: ACME challenge for Apache block: - name: ACME challenge for Apache is installed - template: + ansible.builtin.template: src: acme-challenge/apache.conf.j2 dest: /etc/apache2/conf-available/letsencrypt.conf force: yes notify: reload apache - name: ACME challenge for Apache is enabled - command: "a2enconf letsencrypt" + ansible.builtin.command: + cmd: "a2enconf letsencrypt" register: command_result changed_when: "'Enabling' in command_result.stderr" notify: reload apache when: is_apache.stat.exists - name: Check if HAProxy is installed - stat: + ansible.builtin.stat: path: /etc/haproxy register: is_haproxy - name: ACME challenge for HAProxy is installed - debug: + ansible.builtin.debug: msg: "ACME challenge configuration for HAProxy must be configured manually" when: is_haproxy.stat.exists diff --git a/certbot/tasks/install-legacy.yml b/certbot/tasks/install-legacy.yml index 446e557a..3048a4a4 100644 --- a/certbot/tasks/install-legacy.yml +++ b/certbot/tasks/install-legacy.yml 
@@ -1,16 +1,16 @@ --- - name: certbot package is removed - apt: + ansible.builtin.apt: name: certbot state: absent -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr # copied and customized from https://raw.githubusercontent.com/certbot/certbot/v1.14.0/letsencrypt-auto - name: Let's Encrypt script is present - copy: + ansible.builtin.copy: src: letsencrypt-auto dest: /usr/local/bin/letsencrypt-auto mode: '0755' @@ -20,22 +20,23 @@ notify: install letsencrypt-auto - name: Check certbot script - stat: + ansible.builtin.stat: path: /usr/local/bin/certbot register: certbot_path - name: Rename certbot script if present - command: "mv /usr/local/bin/certbot /usr/local/bin/certbot.bak" + ansible.builtin.command: + cmd: "mv /usr/local/bin/certbot /usr/local/bin/certbot.bak" when: certbot_path.stat.exists - name: Let's Encrypt script is symlinked as certbot - file: + ansible.builtin.file: src: "/usr/local/bin/letsencrypt-auto" dest: "/usr/local/bin/certbot" state: link - name: systemd artefacts are absent - file: + ansible.builtin.file: dest: "{{ item }}" state: absent loop: @@ -45,14 +46,14 @@ notify: systemd daemon-reload - name: custom crontab is present - copy: + ansible.builtin.copy: src: cron_jessie dest: /etc/cron.d/certbot force: yes when: certbot_custom_crontab | bool - name: disable self-upgrade - ini_file: + community.general.ini_file: dest: "/etc/letsencrypt/cli.ini" section: null option: "no-self-upgrade" diff --git a/certbot/tasks/install-package.yml b/certbot/tasks/install-package.yml index 06247db4..c12b49e4 100644 --- a/certbot/tasks/install-package.yml +++ b/certbot/tasks/install-package.yml @@ -1,6 +1,6 @@ --- - name: certbot package is installed - apt: + ansible.builtin.apt: name: certbot state: latest diff --git a/certbot/tasks/main.yml b/certbot/tasks/main.yml index cede35a6..3dcb1334 100644 --- a/certbot/tasks/main.yml +++ b/certbot/tasks/main.yml 
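Review bot: The `Rename certbot script if present` task in certbot/tasks/install-legacy.yml moves `/usr/local/bin/certbot` to `certbot.bak` whenever `stat` reports it exists, but on the second run that path is the symlink the next task creates, so each play overwrites the real backup with a symlink and reports a change every time. Skip the move when the path is already the link, `when: certbot_path.stat.exists and not certbot_path.stat.islnk`, or add `args: creates: /usr/local/bin/certbot.bak` so an existing backup is never clobbered. The equivalent move task in certbot/tasks/main.yml later in this patch does carry `removes`/`creates` guards, so this one is the odd one out.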
@@ -1,28 +1,28 @@ --- - name: "System compatibility checks" - assert: + ansible.builtin.assert: that: - ansible_distribution == "Debian" - ansible_distribution_major_version is version('8', '>=') msg: only compatible with Debian 9+ - name: Install legacy script on Debian 8 - include: install-legacy.yml + ansible.builtin.include: install-legacy.yml when: - ansible_distribution == "Debian" - ansible_distribution_major_version is version('9', '<') - name: Install package on Debian 9+ - include: install-package.yml + ansible.builtin.include: install-package.yml when: - ansible_distribution == "Debian" - ansible_distribution_major_version is version('9', '>=') -- include: acme-challenge.yml +- ansible.builtin.include: acme-challenge.yml - name: Deploy hooks are present - copy: + ansible.builtin.copy: src: hooks/deploy/ dest: /etc/letsencrypt/renewal-hooks/deploy/ mode: "0700" @@ -30,7 +30,7 @@ group: root - name: Manual deploy hook is present - copy: + ansible.builtin.copy: src: hooks/manual-deploy.sh dest: /etc/letsencrypt/renewal-hooks/manual-deploy.sh mode: "0700" @@ -38,7 +38,7 @@ group: root - name: "sync_remote is configured with servers" - lineinfile: + ansible.builtin.lineinfile: dest: /etc/letsencrypt/renewal-hooks/deploy/sync_remote.cf regexp: "^servers=" line: "servers=\"{{ certbot_hooks_sync_remote_servers | join(' ') }}\"" 
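Review bot: `ansible.builtin.include: install-legacy.yml` (and the two other includes in this hunk) fully qualifies the legacy `include` action, which ansible-core deprecates in favour of `ansible.builtin.include_tasks` / `ansible.builtin.import_tasks` and drops in 2.16, so the refactor carries a deprecation warning forward instead of retiring it. Since these includes carry `when:` conditions, `ansible.builtin.include_tasks: install-legacy.yml` is the drop-in replacement that keeps the dynamic evaluation the current code relies on. The same `ansible.builtin.include:` rewrite recurs in the dovecot, drbd, elasticsearch, etc-git and evoacme `main.yml` hunks later in this patch, and the commented example in evoacme/tasks/main.yml still shows the short `include:` form.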
@@ -46,14 +46,15 @@ # begining of backward compatibility tasks - name: Move deploy/commit-etc.sh to deploy/z-commit-etc.sh if present - command: "mv /etc/letsencrypt/renewal-hooks/deploy/commit-etc.sh /etc/letsencrypt/renewal-hooks/deploy/z-commit-etc.sh" + ansible.builtin.command: + cmd: "mv /etc/letsencrypt/renewal-hooks/deploy/commit-etc.sh /etc/letsencrypt/renewal-hooks/deploy/z-commit-etc.sh" args: removes: /etc/letsencrypt/renewal-hooks/deploy/commit-etc.sh creates: /etc/letsencrypt/renewal-hooks/deploy/z-commit-etc.sh # end of backward compatibility tasks - name: "certbot lock is ignored by Git" - lineinfile: + ansible.builtin.lineinfile: dest: /etc/.gitignore line: letsencrypt/.certbot.lock create: yes diff --git a/clamav/handlers/main.yml b/clamav/handlers/main.yml index e053f01a..c931807b 100644 --- a/clamav/handlers/main.yml +++ b/clamav/handlers/main.yml @@ -1,5 +1,5 @@ --- - name: restart clamav - service: + ansible.builtin.service: name: clamav-daemon state: restarted diff --git a/clamav/tasks/main.yml b/clamav/tasks/main.yml index f74efae5..7044ddce 100644 --- a/clamav/tasks/main.yml +++ b/clamav/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: configure clamav-daemon - debconf: + ansible.builtin.debconf: name: clamav-daemon question: "{{ item.key }}" value: "{{ item.value }}" @@ -52,7 +52,7 @@ - clamav - name: configure clamav-freshclam - debconf: + ansible.builtin.debconf: name: clamav-freshclam question: "{{ item.key }}" value: "{{ item.value }}" @@ -73,7 +73,7 @@ - clamav - name: install ClamAV - apt: + ansible.builtin.apt: name: - clamav-daemon - clamav @@ -92,7 +92,7 @@ - clamav - name: add clamav user to amavis group - user: + ansible.builtin.user: name: clamav groups: amavis append: True @@ -100,7 +100,7 @@ - clamav - name: allow supplementary groups - replace: + ansible.builtin.replace: dest: /etc/clamav/clamd.conf regexp: 'AllowSupplementaryGroups false' replace: 'AllowSupplementaryGroups true' 
diff --git a/dhcpd/handlers/main.yml b/dhcpd/handlers/main.yml index 09f93269..8cfa9eb0 100644 --- a/dhcpd/handlers/main.yml +++ b/dhcpd/handlers/main.yml @@ -1,5 +1,5 @@ --- - name: restart dhcp - service: + ansible.builtin.service: name: isc-dhcp-server state: restarted diff --git a/dhcpd/tasks/main.yml b/dhcpd/tasks/main.yml index 828a219f..214c5d58 100644 --- a/dhcpd/tasks/main.yml +++ b/dhcpd/tasks/main.yml @@ -1,4 +1,4 @@ - name: ensure packages are installed - apt: + ansible.builtin.apt: name: isc-dhcp-server state: present diff --git a/docker-host/handlers/main.yml b/docker-host/handlers/main.yml index c21a84ef..46d42215 100644 --- a/docker-host/handlers/main.yml +++ b/docker-host/handlers/main.yml @@ -1,10 +1,10 @@ --- - name: reload systemd - systemd: + ansible.builtin.systemd: daemon-reload: yes - name: restart docker - service: + ansible.builtin.systemd: name: docker state: restarted enabled: yes diff --git a/dovecot/handlers/main.yml b/dovecot/handlers/main.yml index 7d40488b..1e6afce7 100644 --- a/dovecot/handlers/main.yml +++ b/dovecot/handlers/main.yml @@ -1,16 +1,16 @@ --- - name: restart dovecot - service: + ansible.builtin.service: name: dovecot state: restarted - name: reload dovecot - service: + ansible.builtin.service: name: dovecot state: reloaded - name: restart log2mail - service: + ansible.builtin.service: name: log2mail state: restarted diff --git a/dovecot/tasks/main.yml b/dovecot/tasks/main.yml index dddd951c..adb81238 100644 --- a/dovecot/tasks/main.yml +++ b/dovecot/tasks/main.yml @@ -1,5 +1,5 @@ - name: ensure packages are installed - apt: + ansible.builtin.apt: name: - dovecot-ldap - dovecot-imapd 
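Review bot: the `restart docker` handler in docker-host/handlers/main.yml changes module, from `service` to `ansible.builtin.systemd`, rather than only gaining a namespace like every other handler in this patch (the `reload systemd` handler just above it keeps its module). On a systemd host the result is equivalent, but a module swap hidden inside a mechanical rename is easy to miss in review and in the CHANGELOG; either keep `ansible.builtin.service:` here for consistency or state the switch explicitly in the commit message.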
@@ -11,12 +11,12 @@ - dovecot - name: Generate 4096 bits Diffie-Hellman parameters (may take several minutes) - openssl_dhparam: + community.crypto.openssl_dhparam: path: /etc/ssl/dhparams.pem size: 4096 - name: disable pam auth - replace: + ansible.builtin.replace: dest: /etc/dovecot/conf.d/10-auth.conf regexp: "[^#]!include auth-system.conf.ext" replace: "#!include auth-system.conf.ext" @@ -24,7 +24,7 @@ - dovecot - name: update ldap auth - lineinfile: + ansible.builtin.lineinfile: dest: /etc/dovecot/dovecot-ldap.conf.ext line: "{{ item.key }} = {{ item.value }}" regexp: "^#*{{ item.key }}" @@ -43,7 +43,7 @@ - dovecot - name: create vmail group - group: + ansible.builtin.group: name: vmail gid: "{{ dovecot_vmail_gid }}" system: True @@ -51,7 +51,7 @@ - dovecot - name: create vmail user - user: + ansible.builtin.user: name: vmail group: vmail uid: "{{ dovecot_vmail_uid }}" @@ -61,7 +61,7 @@ - dovecot - name: deploy evolix config - template: + ansible.builtin.template: src: z-evolinux-defaults.conf.j2 dest: /etc/dovecot/conf.d/z-evolinux-defaults.conf mode: "0644" @@ -70,7 +70,7 @@ - dovecot - name: deploy file for custom configuration - template: + ansible.builtin.template: src: zzz-evolinux-custom.conf.j2 dest: /etc/dovecot/conf.d/zzz-evolinux-custom.conf mode: "0644" @@ -78,18 +78,18 @@ tags: - dovecot -- include: munin.yml +- ansible.builtin.include: munin.yml tags: - - dovecot + - dovecot - name: log2mail is installed - apt: + ansible.builtin.apt: name: log2mail state: present tags: dovecot - name: dovecot is configured in log2mail - blockinfile: + ansible.builtin.blockinfile: path: /etc/log2mail/config/mail.conf create: true owner: log2mail diff --git a/dovecot/tasks/munin.yml b/dovecot/tasks/munin.yml index c6b58d28..8db1456c 100644 --- a/dovecot/tasks/munin.yml +++ b/dovecot/tasks/munin.yml 
@@ -1,7 +1,7 @@ --- - name: is Munin present ? - stat: + ansible.builtin.stat: path: /etc/munin/plugin-conf.d/munin-node check_mode: no register: munin_node_plugins_config @@ -9,13 +9,13 @@ - name: Munin plugins are present and configured block: - name: Install munin plugin - copy: + ansible.builtin.copy: src: munin_plugin dest: /etc/munin/plugins/dovecot mode: "0755" - name: Install munin config - copy: + ansible.builtin.copy: src: munin_config dest: /etc/munin/plugin-conf.d/dovecot mode: "0644" diff --git a/drbd/handlers/main.yml b/drbd/handlers/main.yml index 0b7f394e..5ca5295a 100644 --- a/drbd/handlers/main.yml +++ b/drbd/handlers/main.yml @@ -1,5 +1,5 @@ --- - name: restart munin-node - service: + ansible.builtin.service: name: munin-node state: restarted diff --git a/drbd/tasks/main.yml b/drbd/tasks/main.yml index 6e0eca0a..c7134f27 100644 --- a/drbd/tasks/main.yml +++ b/drbd/tasks/main.yml @@ -1,6 +1,6 @@ --- -- include: packages.yml +- ansible.builtin.include: packages.yml -- include: munin.yml +- ansible.builtin.include: munin.yml -- include: nagios.yml +- ansible.builtin.include: nagios.yml diff --git a/drbd/tasks/munin.yml b/drbd/tasks/munin.yml index 0e297d16..205cfb5f 100644 --- a/drbd/tasks/munin.yml +++ b/drbd/tasks/munin.yml @@ -1,7 +1,7 @@ --- - name: Check if Munin plugins exists - stat: + ansible.builtin.stat: path: /etc/munin/plugins/ register: munin_plugins_dir check_mode: no @@ -10,7 +10,7 @@ # https://raw.githubusercontent.com/munin-monitoring/contrib/master/plugins/drbd/drbd - name: Get Munin plugin - copy: + ansible.builtin.copy: src: munin/drbd-plugin dest: /etc/munin/plugins/drbd mode: "0755" @@ -20,7 +20,7 @@ - drbd - name: Copy Munin plugin conf - copy: + ansible.builtin.copy: src: munin/drbd-config dest: /etc/munin/plugin-conf.d/drbd mode: "0644" diff --git a/drbd/tasks/nagios.yml b/drbd/tasks/nagios.yml index ea436a5b..d62e00d2 100644 --- a/drbd/tasks/nagios.yml +++ b/drbd/tasks/nagios.yml 
@@ -1,21 +1,21 @@ --- - name: Check if Nagios is installed - stat: + ansible.builtin.stat: path: /usr/local/lib/nagios/plugins/ register: nagios_plugins_dir check_mode: no tags: - drbd -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr tags: - drbd # https://exchange.nagios.org/components/com_mtree/attachment.php?link_id=3367&cf_id=30 - name: Install Nagios plugin - copy: + ansible.builtin.copy: src: "nagios/check_drbd" dest: "/usr/local/lib/nagios/plugins/check_drbd" mode: "0755" diff --git a/drbd/tasks/packages.yml b/drbd/tasks/packages.yml index 59b4bb2e..a4f4f373 100644 --- a/drbd/tasks/packages.yml +++ b/drbd/tasks/packages.yml @@ -1,5 +1,5 @@ - name: Install dependency - apt: + ansible.builtin.apt: name: - drbd-utils - lvm2 @@ -7,7 +7,7 @@ - drbd - name: Enable drbd.service - service: + ansible.builtin.service: name: drbd enabled: yes tags: diff --git a/elasticsearch/handlers/main.yml b/elasticsearch/handlers/main.yml index c8a57b70..2531b0b8 100644 --- a/elasticsearch/handlers/main.yml +++ b/elasticsearch/handlers/main.yml @@ -1,7 +1,7 @@ --- - name: restart elasticsearch - systemd: + ansible.builtin.systemd: daemon_reload: yes name: elasticsearch state: restarted diff --git a/elasticsearch/tasks/additional_scripts.yml b/elasticsearch/tasks/additional_scripts.yml index e8373ef8..8dcb0759 100644 --- a/elasticsearch/tasks/additional_scripts.yml +++ b/elasticsearch/tasks/additional_scripts.yml @@ -1,11 +1,11 @@ --- -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr when: elasticsearch_additional_scripts_dir is search("/usr") - name: "{{ elasticsearch_additional_scripts_dir }} exists" - file: + ansible.builtin.file: dest: "{{ elasticsearch_additional_scripts_dir }}" mode: "0700" owner: root 
@@ -13,7 +13,7 @@ state: directory - name: Plugins upgrade script is installed - copy: + ansible.builtin.copy: src: upgrade_elasticsearch_plugins.sh dest: "{{ elasticsearch_additional_scripts_dir }}/upgrade_elasticsearch_plugins.sh" mode: "0755" diff --git a/elasticsearch/tasks/bootstrap_checks.yml b/elasticsearch/tasks/bootstrap_checks.yml index b1f79046..0df9a618 100644 --- a/elasticsearch/tasks/bootstrap_checks.yml +++ b/elasticsearch/tasks/bootstrap_checks.yml @@ -1,7 +1,8 @@ --- - name: Read maximum map count - command: "sysctl -n vm.max_map_count" + ansible.builtin.command: + cmd: "sysctl -n vm.max_map_count" register: max_map_count failed_when: False changed_when: False @@ -9,7 +10,7 @@ - config - name: Maximum map count check - sysctl: + ansible.posix.sysctl: name: vm.max_map_count value: 262144 sysctl_file: /etc/sysctl.d/elasticsearch.conf @@ -18,7 +19,7 @@ - config - name: bootstrap.memory_lock - lineinfile: + ansible.builtin.lineinfile: dest: /etc/elasticsearch/elasticsearch.yml line: "bootstrap.memory_lock: true" regexp: "^bootstrap.memory_lock:" @@ -27,12 +28,12 @@ - config - name: Create a system config directory for systemd overrides - file: + ansible.builtin.file: path: /etc/systemd/system/elasticsearch.service.d state: directory - name: Override memory config in systemd unit - ini_file: + community.general.ini_file: dest: /etc/systemd/system/elasticsearch.service.d/elasticsearch.conf section: Service option: "LimitMEMLOCK" diff --git a/elasticsearch/tasks/configuration.yml b/elasticsearch/tasks/configuration.yml index 7324f610..9c3875b0 100644 --- a/elasticsearch/tasks/configuration.yml +++ b/elasticsearch/tasks/configuration.yml @@ -1,7 +1,7 @@ --- - name: Configure cluster name - lineinfile: + ansible.builtin.lineinfile: dest: /etc/elasticsearch/elasticsearch.yml line: "cluster.name: {{ elasticsearch_cluster_name }}" regexp: "^cluster.name:" 
@@ -11,7 +11,7 @@ - config - name: Configure node name - lineinfile: + ansible.builtin.lineinfile: dest: /etc/elasticsearch/elasticsearch.yml line: "node.name: {{ elasticsearch_node_name }}" regexp: "^node.name:" @@ -20,7 +20,7 @@ - config - name: Configure network host - lineinfile: + ansible.builtin.lineinfile: dest: /etc/elasticsearch/elasticsearch.yml line: "network.host: {{ elasticsearch_network_host }}" regexp: "^network.host:" @@ -30,7 +30,7 @@ - config - name: Configure network publish_host - lineinfile: + ansible.builtin.lineinfile: dest: /etc/elasticsearch/elasticsearch.yml line: "network.publish_host: {{ elasticsearch_network_publish_host }}" regexp: "^network.publish_host:" @@ -40,7 +40,7 @@ - config - name: Configure http publish_host - lineinfile: + ansible.builtin.lineinfile: dest: /etc/elasticsearch/elasticsearch.yml line: "http.publish_host: {{ elasticsearch_http_publish_host }}" regexp: "^http.publish_host:" @@ -50,7 +50,7 @@ - config - name: Configure discovery seed hosts - lineinfile: + ansible.builtin.lineinfile: dest: /etc/elasticsearch/elasticsearch.yml line: "discovery.seed_hosts: {{ elasticsearch_discovery_seed_hosts | to_yaml(default_flow_style=True) }}" regexp: "^discovery.seed_hosts:" @@ -59,7 +59,7 @@ - config - name: Configure empty discovery seed hosts - lineinfile: + ansible.builtin.lineinfile: dest: /etc/elasticsearch/elasticsearch.yml regexp: "^discovery.seed_hosts:" state: absent @@ -68,7 +68,7 @@ - config - name: Configure initial master nodes - lineinfile: + ansible.builtin.lineinfile: dest: /etc/elasticsearch/elasticsearch.yml line: "cluster.initial_master_nodes: {{ elasticsearch_cluster_initial_master_nodes | to_yaml(default_flow_style=True) }}" regexp: "^cluster.initial_master_nodes:" @@ -77,7 +77,7 @@ - config - name: Configure empty initial master nodes - lineinfile: + ansible.builtin.lineinfile: dest: /etc/elasticsearch/elasticsearch.yml regexp: "^cluster.initial_master_nodes:" state: absent 
@@ -86,7 +86,7 @@ - config - name: Configure RESTART_ON_UPGRADE - lineinfile: + ansible.builtin.lineinfile: dest: /etc/default/elasticsearch line: "RESTART_ON_UPGRADE={{ elasticsearch_restart_on_upgrade | bool | ternary('true','false') }}" regexp: "^RESTART_ON_UPGRADE=" @@ -95,7 +95,7 @@ - config - name: JVM Heap size (min) is set - lineinfile: + ansible.builtin.lineinfile: dest: /etc/elasticsearch/jvm.options.d/evolinux.options regexp: "^-Xms" line: "-Xms{{ elasticsearch_jvm_xms }}" @@ -107,7 +107,7 @@ - config - name: JVM Heap size (max) is set - lineinfile: + ansible.builtin.lineinfile: dest: /etc/elasticsearch/jvm.options.d/evolinux.options regexp: "^-Xmx" line: "-Xmx{{ elasticsearch_jvm_xmx }}" @@ -119,7 +119,7 @@ - config - name: Disable garbage collector logs (JDK >= 9) - lineinfile: + ansible.builtin.lineinfile: dest: /etc/elasticsearch/jvm.options regexp: "Xlog:gc" line: "#9-:-Xlog:gc*,gc+age=trace,safepoint:file=/opt/my-app/gc.log:utctime,pid,tags:filecount=32,filesize=64m" @@ -130,7 +130,7 @@ - config - name: Configure cluster members - lineinfile: + ansible.builtin.lineinfile: dest: /etc/elasticsearch/elasticsearch.yml line: "discovery.zen.ping.unicast.hosts: {{ elasticsearch_cluster_members }}" regexp: "^discovery.zen.ping.unicast.hosts:" @@ -140,7 +140,7 @@ - config - name: Configure minimum master nodes - lineinfile: + ansible.builtin.lineinfile: dest: /etc/elasticsearch/elasticsearch.yml line: "discovery.zen.minimum_master_nodes: {{ elasticsearch_minimum_master_nodes }}" regexp: "^discovery.zen.minimum_master_nodes:" diff --git a/elasticsearch/tasks/curator.yml b/elasticsearch/tasks/curator.yml index c7c44259..4cf7c9d5 100644 --- a/elasticsearch/tasks/curator.yml +++ b/elasticsearch/tasks/curator.yml 
@@ -1,11 +1,11 @@ --- - name: Use the correct debian repository - set_fact: + ansible.builtin.set_fact: curator_debian_repository: '{% if ansible_distribution_release == "jessie" %}debian{% else %}debian9{% endif %}' - name: Curator sources list is available - apt_repository: + ansible.builtin.apt_repository: repo: "deb https://packages.elastic.co/curator/5/{{ curator_debian_repository }} stable main" filename: curator update_cache: yes @@ -15,7 +15,7 @@ - packages - name: Curator package is installed - apt: + ansible.builtin.apt: name: elasticsearch-curator state: present tags: diff --git a/elasticsearch/tasks/datadir.yml b/elasticsearch/tasks/datadir.yml index ef91cf1d..c442ae42 100644 --- a/elasticsearch/tasks/datadir.yml +++ b/elasticsearch/tasks/datadir.yml @@ -3,13 +3,13 @@ - name: Set real datadir value when customized block: - name: "Is custom datadir present ?" - stat: + ansible.builtin.stat: path: "{{ elasticsearch_custom_datadir }}" register: elasticsearch_custom_datadir_test check_mode: no - name: "read the real datadir" - command: readlink -f /var/lib/elasticsearch + ansible.builtin.command: readlink -f /var/lib/elasticsearch changed_when: False register: elasticsearch_current_real_datadir_test check_mode: no 
@@ -22,23 +22,24 @@ - name: Datadir is moved to custom path block: - name: elasticsearch is stopped - service: + ansible.builtin.service: name: elasticsearch state: stopped - name: Move elasticsearch datadir to custom datadir - command: mv {{ elasticsearch_current_real_datadir_test.stdout }} {{ elasticsearch_custom_datadir }} + ansible.builtin.command: + cmd: mv {{ elasticsearch_current_real_datadir_test.stdout }} {{ elasticsearch_custom_datadir }} args: creates: "{{ elasticsearch_custom_datadir }}" - name: Symlink {{ elasticsearch_custom_datadir }} to /var/lib/elasticsearch - file: + ansible.builtin.file: src: "{{ elasticsearch_custom_datadir }}" dest: '/var/lib/elasticsearch' state: link - name: elasticsearch is started - service: + ansible.builtin.service: name: elasticsearch state: started tags: diff --git a/elasticsearch/tasks/logs.yml b/elasticsearch/tasks/logs.yml index 8c5977a4..0569ef07 100644 --- a/elasticsearch/tasks/logs.yml +++ b/elasticsearch/tasks/logs.yml @@ -1,8 +1,8 @@ --- - name: Check if cron is installed - shell: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'" - args: + ansible.builtin.shell: + cmd: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'" executable: /bin/bash check_mode: no failed_when: False @@ -10,7 +10,7 @@ register: is_cron_installed - name: "log rotation script" - template: + ansible.builtin.template: src: rotate_elasticsearch_logs.j2 dest: /etc/cron.daily/rotate_elasticsearch_logs owner: root diff --git a/elasticsearch/tasks/main.yml b/elasticsearch/tasks/main.yml index 6f5ccc8c..132089c7 100644 --- a/elasticsearch/tasks/main.yml +++ b/elasticsearch/tasks/main.yml 
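Review bot: `cmd: mv {{ elasticsearch_current_real_datadir_test.stdout }} {{ elasticsearch_custom_datadir }}` in the 'Move elasticsearch datadir' task is still word-split by the command module, so a datadir path containing whitespace or quote characters becomes several arguments and the move silently targets the wrong paths. The list form this patch already uses in etc-git/tasks/lxc_commit.yml avoids that: `argv: ["mv", "{{ elasticsearch_current_real_datadir_test.stdout }}", "{{ elasticsearch_custom_datadir }}"]`, and the `args: creates:` sibling keeps working unchanged. The same interpolated-`cmd:` pattern is rewritten in etc-git/tasks/commit.yml (`--message \"{{ commit_message | mandatory }}\"`) and evoacme/tasks/evoacme_hook.yml (the `find` call embedding `hook_name`), where an operator-supplied value containing a quote would break the split in the same way.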
@@ -1,21 +1,21 @@ --- -- include: packages.yml +- ansible.builtin.include: packages.yml -- include: configuration.yml +- ansible.builtin.include: configuration.yml -- include: bootstrap_checks.yml +- ansible.builtin.include: bootstrap_checks.yml -- include: tmpdir.yml +- ansible.builtin.include: tmpdir.yml -- include: datadir.yml +- ansible.builtin.include: datadir.yml -- include: logs.yml +- ansible.builtin.include: logs.yml -- include: additional_scripts.yml +- ansible.builtin.include: additional_scripts.yml -- include: plugin_head.yml +- ansible.builtin.include: plugin_head.yml when: elasticsearch_plugin_head | bool -- include: curator.yml +- ansible.builtin.include: curator.yml when: elasticsearch_curator | bool diff --git a/elasticsearch/tasks/plugin_head.yml b/elasticsearch/tasks/plugin_head.yml index 2f7cae39..2a98d080 100644 --- a/elasticsearch/tasks/plugin_head.yml +++ b/elasticsearch/tasks/plugin_head.yml @@ -1,7 +1,7 @@ --- - name: "User {{ elasticsearch_plugin_head_owner }} is present" - user: + ansible.builtin.user: name: "{{ elasticsearch_plugin_head_owner }}" home: "{{ elasticsearch_plugin_head_home }}" createhome: yes @@ -11,7 +11,7 @@ - name: Head plugin is installed block: - name: Head repository is checked-out - git: + ansible.builtin.git: repo: "https://github.com/mobz/elasticsearch-head.git" dest: "{{ elasticsearch_plugin_head_clone_dir }}" clone: yes @@ -19,12 +19,12 @@ - packages - name: Create tmpdir - file: + ansible.builtin.file: dest: "{{ elasticsearch_plugin_head_tmp_dir }}" state: directory - name: NPM packages for head are installed - npm: + community.general.npm: path: "{{ elasticsearch_plugin_head_clone_dir }}" tags: - packages @@ -35,7 +35,7 @@ become: yes - name: Elasticsearch HTTP/CORS are enabled - lineinfile: + ansible.builtin.lineinfile: dest: /etc/elasticsearch/elasticsearch.yml line: "http.cors.enabled: true" regexp: "^http.cors.enabled:" 
@@ -46,7 +46,7 @@ - elasticsearch - name: Elasticsearch HTTP/CORS accepts all origins - lineinfile: + ansible.builtin.lineinfile: dest: /etc/elasticsearch/elasticsearch.yml line: "http.cors.allow-origin: \"*\"" regexp: "^http.cors.allow-origin:" @@ -57,7 +57,7 @@ - elasticsearch - name: Install systemd unit - template: + ansible.builtin.template: src: elasticsearch-head.service.j2 dest: /etc/systemd/system/elasticsearch-head.service tags: @@ -65,7 +65,7 @@ - systemd - name: Enable systemd unit - systemd: + ansible.builtin.systemd: name: elasticsearch-head daemon_reload: yes enabled: yes diff --git a/elasticsearch/tasks/tmpdir.yml b/elasticsearch/tasks/tmpdir.yml index 30375af1..e3601fb8 100644 --- a/elasticsearch/tasks/tmpdir.yml +++ b/elasticsearch/tasks/tmpdir.yml @@ -1,7 +1,8 @@ --- - name: Check if /tmp is noexec - shell: "cat /etc/fstab | grep -E \" +/tmp\" | grep noexec" + ansible.builtin.shell: + cmd: "cat /etc/fstab | grep -E \" +/tmp\" | grep noexec" register: fstab_tmp_noexec failed_when: False changed_when: False @@ -9,13 +10,13 @@ - name: Tmpdir is moved to custom path block: - - set_fact: + - ansible.builtin.set_fact: _elasticsearch_custom_tmpdir: "{{ elasticsearch_custom_tmpdir | default(elasticsearch_default_tmpdir, True) | mandatory }}" tags: - elasticsearch - name: "Create {{ _elasticsearch_custom_tmpdir }}" - file: + ansible.builtin.file: path: "{{ _elasticsearch_custom_tmpdir }}" owner: elasticsearch group: elasticsearch @@ -25,7 +26,7 @@ - elasticsearch - name: change JVM tmpdir (< 6.x) - lineinfile: + ansible.builtin.lineinfile: dest: /etc/elasticsearch/jvm.options.d/evolinux.options line: "-Djava.io.tmpdir={{ _elasticsearch_custom_tmpdir }}" regexp: "^-Djava.io.tmpdir=" @@ -40,7 +41,7 @@ when: elastic_stack_version is version('6', '<') - name: check if ES_TMPDIR is available (>= 6.x) - lineinfile: + ansible.builtin.lineinfile: dest: /etc/default/elasticsearch line: "ES_TMPDIR={{ _elasticsearch_custom_tmpdir }}" regexp: "^ES_TMPDIR=" 
@@ -53,7 +54,7 @@ # Note : Should not do any changes as -Djava.io.tmpdir=${ES_TMPDIR} is already here in the default config. - name: change JVM tmpdir (>= 6.x) - lineinfile: + ansible.builtin.lineinfile: dest: /etc/elasticsearch/jvm.options line: "-Djava.io.tmpdir=${ES_TMPDIR}" regexp: "^-Djava.io.tmpdir=" diff --git a/etc-git/tasks/commit.yml b/etc-git/tasks/commit.yml index c92e3c6a..55c02934 100644 --- a/etc-git/tasks/commit.yml +++ b/etc-git/tasks/commit.yml @@ -1,7 +1,8 @@ --- - name: "Execute ansible-commit" - command: "/usr/local/bin/ansible-commit --verbose --message \"{{ commit_message | mandatory }}\"" + ansible.builtin.command: + cmd: "/usr/local/bin/ansible-commit --verbose --message \"{{ commit_message | mandatory }}\"" changed_when: - _ansible_commit.stdout - "'CHANGED:' in _ansible_commit.stdout" diff --git a/etc-git/tasks/lxc_commit.yml b/etc-git/tasks/lxc_commit.yml index 26fc8738..1c3d0d67 100644 --- a/etc-git/tasks/lxc_commit.yml +++ b/etc-git/tasks/lxc_commit.yml @@ -1,15 +1,15 @@ --- - name: "Assert that we have been called with `container` defined" - assert: + ansible.builtin.assert: that: - container is defined - name: "Define path to /etc in {{ container }} container" - set_fact: + ansible.builtin.set_fact: container_etc: "{{ ('/var/lib/lxc', container, 'rootfs/etc') | path_join }}" - name: "Check if /etc is a git repository in {{ container }}" - stat: + ansible.builtin.stat: path: "{{ (container_etc, '.git') | path_join }}" get_attributes: no get_checksum: no @@ -17,7 +17,7 @@ register: "container_etc_git" - name: "Evocommit /etc of {{ container }}" - command: + ansible.builtin.command: argv: - /usr/local/bin/evocommit - '--ansible' diff --git a/etc-git/tasks/main.yml b/etc-git/tasks/main.yml index ac28e1e7..bae705d3 100644 --- a/etc-git/tasks/main.yml +++ b/etc-git/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: Git is installed (Debian) - apt: + ansible.builtin.apt: name: git state: present tags: 
@@ -10,12 +10,12 @@ - ansible_distribution == "Debian" - name: Install and configure utilities - include: utils.yml + ansible.builtin.include: utils.yml tags: - etc-git - name: Configure repositories - include: repositories.yml + ansible.builtin.include: repositories.yml tags: - etc-git when: etc_git_config_repositories | bool \ No newline at end of file diff --git a/etc-git/tasks/repositories.yml b/etc-git/tasks/repositories.yml index 71ff0665..d9d64ad6 100644 --- a/etc-git/tasks/repositories.yml +++ b/etc-git/tasks/repositories.yml @@ -1,6 +1,6 @@ --- -- include: repository.yml +- ansible.builtin.include: repository.yml vars: repository_path: "/etc" gitignore_items: @@ -15,18 +15,18 @@ - etc-git - name: verify /usr/share/scripts presence - stat: + ansible.builtin.stat: path: /usr/share/scripts register: _usr_share_scripts tags: - etc-git -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr when: - _usr_share_scripts.stat.isdir -- include: repository.yml +- ansible.builtin.include: repository.yml vars: repository_path: "/usr/share/scripts" gitignore_items: [] diff --git a/etc-git/tasks/repository.yml b/etc-git/tasks/repository.yml index 7ebfc773..1601a157 100644 --- a/etc-git/tasks/repository.yml +++ b/etc-git/tasks/repository.yml @@ -1,11 +1,12 @@ --- -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr when: repository_path is search("/usr") - name: "{{ repository_path }} is versioned with git" - command: "git init ." + ansible.builtin.command: + cmd: "git init ." args: chdir: "{{ repository_path }}" creates: "{{ repository_path }}/.git/" @@ -14,7 +15,7 @@ - etc-git - name: Git user.email is configured - git_config: + community.general.git_config: name: user.email repo: "{{ repository_path }}" scope: local @@ -23,7 +24,7 @@ - etc-git - name: "{{ repository_path }}/.git is restricted to root" - file: + ansible.builtin.file: path: "{{ repository_path }}/.git" owner: root mode: "0700" 
@@ -32,7 +33,7 @@ - etc-git - name: "{{ repository_path }}/.gitignore is present" - copy: + ansible.builtin.copy: src: gitignore dest: "{{ repository_path }}/.gitignore" owner: root @@ -42,7 +43,7 @@ - etc-git - name: "Some entries MUST be in the {{ repository_path }}/.gitignore file" - lineinfile: + ansible.builtin.lineinfile: dest: "{{ repository_path }}/.gitignore" line: "{{ item }}" loop: "{{ gitignore_items | default([]) }}" @@ -50,7 +51,8 @@ - etc-git - name: "does {{ repository_path }}/ have any commit?" - command: "git log" + ansible.builtin.command: + cmd: "git log" args: chdir: "{{ repository_path }}" changed_when: False @@ -61,7 +63,8 @@ - etc-git - name: initial commit is present? - shell: "git add -A . && git commit -m \"Initial commit via Ansible\"" + ansible.builtin.shell: + cmd: "git add -A . && git commit -m \"Initial commit via Ansible\"" args: chdir: "{{ repository_path }}" register: git_commit diff --git a/etc-git/tasks/utils.yml b/etc-git/tasks/utils.yml index 831f62a6..b54e1c61 100644 --- a/etc-git/tasks/utils.yml +++ b/etc-git/tasks/utils.yml @@ -1,12 +1,12 @@ --- -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr tags: - etc-git - name: "evocommit script is installed" - copy: + ansible.builtin.copy: src: evocommit dest: /usr/local/bin/evocommit mode: "0755" @@ -15,7 +15,7 @@ - etc-git - name: "ansible-commit script is installed" - copy: + ansible.builtin.copy: src: ansible-commit dest: /usr/local/bin/ansible-commit mode: "0755" @@ -24,7 +24,7 @@ - etc-git - name: "etc-git-optimize script is installed" - copy: + ansible.builtin.copy: src: etc-git-optimize dest: /usr/share/scripts/etc-git-optimize mode: "0755" @@ -33,7 +33,7 @@ - etc-git - name: "etc-git-status script is installed" - copy: + ansible.builtin.copy: src: etc-git-status dest: /usr/share/scripts/etc-git-status mode: "0755" 
@@ -42,8 +42,8 @@ - etc-git - name: Check if cron is installed - shell: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'" - args: + ansible.builtin.shell: + cmd: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'" executable: /bin/bash failed_when: False changed_when: False @@ -52,7 +52,7 @@ - block: - name: Legacy cron jobs for /etc/.git status are absent - file: + ansible.builtin.file: dest: "{{ item }}" state: absent loop: @@ -60,7 +60,7 @@ - /etc/cron.d/etc-git-status - name: Cron job for monthly git optimization - cron: + ansible.builtin.cron: name: "Monthly optimization" cron_file: etc-git special_time: "monthly" @@ -68,7 +68,7 @@ job: "/usr/share/scripts/etc-git-optimize" - name: Cron job for hourly git status - cron: + ansible.builtin.cron: name: "Hourly warning for unclean Git repository if nobody is connected" cron_file: etc-git special_time: "hourly" @@ -77,7 +77,7 @@ state: "{{ etc_git_monitor_status | bool | ternary('present','absent') }}" - name: Cron job for daily git status - cron: + ansible.builtin.cron: name: "Daily warning for unclean Git repository" cron_file: etc-git user: root diff --git a/evoacme/handlers/main.yml b/evoacme/handlers/main.yml index 1ea11783..b188bfe7 100644 --- a/evoacme/handlers/main.yml +++ b/evoacme/handlers/main.yml @@ -1,25 +1,27 @@ - name: newaliases - command: newaliases + ansible.builtin.command: + cmd: newaliases - name: Test Apache conf - command: apache2ctl -t + ansible.builtin.command: + cmd: apache2ctl -t notify: "Reload Apache conf" - name: reload apache2 - service: + ansible.builtin.service: name: apache2 state: reloaded - name: apt update - apt: + ansible.builtin.apt: update_cache: yes - name: reload squid3 - service: + ansible.builtin.service: name: squid3 state: reloaded - name: reload squid - service: + ansible.builtin.service: name: squid state: reloaded diff --git a/evoacme/tasks/certbot.yml b/evoacme/tasks/certbot.yml index 26327569..bc844393 100644 
--- a/evoacme/tasks/certbot.yml +++ b/evoacme/tasks/certbot.yml @@ -1,27 +1,29 @@ --- - name: Do no install certbot crontab - set_fact: + ansible.builtin.set_fact: certbot_custom_crontab: False -- include_role: +- ansible.builtin.include_role: name: evolix/certbot -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: Disable /etc/cron.d/certbot - command: mv -f /etc/cron.d/certbot /etc/cron.d/certbot.disabled + ansible.builtin.command: + cmd: mv -f /etc/cron.d/certbot /etc/cron.d/certbot.disabled args: removes: /etc/cron.d/certbot - name: Disable /etc/cron.daily/certbot - command: mv -f /etc/cron.daily/certbot /etc/cron.daily/certbot.disabled + ansible.builtin.command: + cmd: mv -f /etc/cron.daily/certbot /etc/cron.daily/certbot.disabled args: removes: /etc/cron.daily/certbot - name: Install evoacme custom cron - copy: + ansible.builtin.copy: src: evoacme.cron dest: /etc/cron.daily/evoacme mode: "0755" diff --git a/evoacme/tasks/conf.yml b/evoacme/tasks/conf.yml index 402fbdcf..125feb32 100644 --- a/evoacme/tasks/conf.yml +++ b/evoacme/tasks/conf.yml @@ -1,5 +1,5 @@ --- -- ini_file: +- community.general.ini_file: dest: "{{ evoacme_crt_dir }}/openssl.cnf" section: 'req' option: "{{ item.name }}" @@ -11,7 +11,7 @@ - { name: 'prompt', var: 'no' } - name: Update openssl conf - ini_file: + community.general.ini_file: dest: "{{ evoacme_crt_dir }}/openssl.cnf" section: 'req_dn' option: "{{ item.name }}" @@ -25,7 +25,7 @@ - { name: 'emailAddress', var: "{{ evoacme_ssl_email }}" } - name: Copy new evoacme conf - template: + ansible.builtin.template: src: templates/evoacme.conf.j2 dest: /etc/default/evoacme owner: root diff --git a/evoacme/tasks/evoacme_hook.yml b/evoacme/tasks/evoacme_hook.yml index 2951fa00..14963944 100644 --- a/evoacme/tasks/evoacme_hook.yml +++ b/evoacme/tasks/evoacme_hook.yml 
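Review bot: the first task in evoacme/tasks/conf.yml remains anonymous after the rewrite (`- community.general.ini_file:` with no `name:`), so play output and `--start-at-task` can only refer to it by module name, while its sibling 'Update openssl conf' directly below is named. Since the line is being touched anyway, add a `- name: Update openssl conf (req section)` line above `community.general.ini_file:` so both openssl.cnf tasks follow the same style.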
@@ -1,18 +1,19 @@ --- - name: "Create {{ hook_name }} hook directory" - file: + ansible.builtin.file: dest: "{{ evoacme_hooks_dir }}" state: directory - name: "Search for {{ hook_name }} hook" - command: "find {{ evoacme_hooks_dir }} -type f \\( -name '{{ hook_name }}' -o -name '{{ hook_name }}.*' \\)" + ansible.builtin.command: + cmd: "find {{ evoacme_hooks_dir }} -type f \\( -name '{{ hook_name }}' -o -name '{{ hook_name }}.*' \\)" check_mode: no changed_when: False register: _find_hook - name: "Copy {{ hook_name }} hook if missing" - copy: + ansible.builtin.copy: src: "hooks/{{ hook_name }}" dest: "{{ evoacme_hooks_dir }}/{{ hook_name }}" mode: "0750" diff --git a/evoacme/tasks/main.yml b/evoacme/tasks/main.yml index 1cc84c5d..29e3e89f 100644 --- a/evoacme/tasks/main.yml +++ b/evoacme/tasks/main.yml @@ -1,16 +1,16 @@ --- - name: Verify Debian version - assert: + ansible.builtin.assert: that: - ansible_distribution == "Debian" - ansible_distribution_major_version is version('9', '>=') msg: only compatible with Debian >= 9 when: not (evoacme_disable_debian_check | bool) -- include: certbot.yml +- ansible.builtin.include: certbot.yml -- include: permissions.yml +- ansible.builtin.include: permissions.yml # Enable this task if you want to deploy hooks # - include: evoacme_hook.yml @@ -18,6 +18,6 @@ # hook_name: "{{ item }}" # loop: [] -- include: conf.yml +- ansible.builtin.include: conf.yml -- include: scripts.yml +- ansible.builtin.include: scripts.yml diff --git a/evoacme/tasks/permissions.yml b/evoacme/tasks/permissions.yml index 69bcbe12..4d10ff7e 100644 --- a/evoacme/tasks/permissions.yml +++ b/evoacme/tasks/permissions.yml @@ -1,7 +1,7 @@ --- - name: Fix crt directory permissions - file: + ansible.builtin.file: path: "{{ evoacme_crt_dir }}" mode: "0755" owner: root @@ -9,7 +9,7 @@ state: directory - name: "Fix hooks directory permissions" - file: + ansible.builtin.file: path: "{{ evoacme_hooks_dir }}" mode: "0700" owner: root 
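Review bot: `ansible.builtin.include` in evoacme/tasks/main.yml keeps the deprecated `include` action under a fully-qualified name; `include` has long been deprecated in favour of `include_tasks`/`import_tasks` and was removed in ansible-core 2.16, so this spelling will stop parsing on current releases. For these static file lists `- ansible.builtin.import_tasks: certbot.yml` (likewise permissions.yml, conf.yml and scripts.yml) is the drop-in replacement, and `ansible.builtin.include_tasks` is the one to use where a `loop:` is attached. The same conversion is applied to the `include:` lines in evobackup-client/tasks/main.yml, evocheck/tasks/main.yml, evolinux-users/tasks/main.yml, evolinux-users/tasks/ssh.yml and evolinux-users/tasks/sudo.yml, so one fix pattern covers all of them. The commented example `# - include: evoacme_hook.yml` in this hunk was left in the old spelling and will mislead whoever uncomments it.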
@@ -17,7 +17,7 @@ state: directory - name: Fix log directory permissions - file: + ansible.builtin.file: path: "{{ evoacme_log_dir }}" mode: "0755" owner: root @@ -25,7 +25,7 @@ state: directory - name: Fix challenge directory permissions - file: + ansible.builtin.file: path: "{{ evoacme_acme_dir }}" mode: "0755" owner: root diff --git a/evoacme/tasks/scripts.yml b/evoacme/tasks/scripts.yml index 89aacff8..e70e990f 100644 --- a/evoacme/tasks/scripts.yml +++ b/evoacme/tasks/scripts.yml @@ -1,10 +1,10 @@ --- -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: Create CSR dir - file: + ansible.builtin.file: path: "{{ evoacme_csr_dir }}" state: directory owner: root @@ -12,7 +12,7 @@ mode: "0755" - name: Copy make-csr.sh script - copy: + ansible.builtin.copy: src: make-csr.sh dest: /usr/local/sbin/make-csr owner: root @@ -20,7 +20,7 @@ mode: "0755" - name: Copy vhost-domains.sh script - copy: + ansible.builtin.copy: src: vhost-domains.sh dest: /usr/local/sbin/vhost-domains owner: root @@ -28,7 +28,7 @@ mode: "0755" - name: Copy evoacme script - copy: + ansible.builtin.copy: src: evoacme.sh dest: /usr/local/sbin/evoacme owner: root @@ -36,7 +36,7 @@ mode: "0755" - name: Delete scripts in old location - file: + ansible.builtin.file: path: "/usr/local/bin/{{ item }}" state: absent loop: diff --git a/evobackup-client/handlers/main.yml b/evobackup-client/handlers/main.yml index de71f634..f7d98aa9 100644 --- a/evobackup-client/handlers/main.yml +++ b/evobackup-client/handlers/main.yml 
@@ -1,17 +1,20 @@ --- - name: restart minifirewall - command: /etc/init.d/minifirewall restart + ansible.builtin.command: + cmd: /etc/init.d/minifirewall restart register: minifirewall_init_restart failed_when: - "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout" - "'minifirewall started' not in minifirewall_init_restart.stdout" - name: 'created new jail' - command: "bkctld restart {{ evolinux_hostname }}" + ansible.builtin.command: + cmd: "bkctld restart {{ evolinux_hostname }}" delegate_to: "{{ evobackup_client__hosts[0].ip }}" - name: 'jail updated' - command: "bkctld restart {{ evolinux_hostname }}" + ansible.builtin.command: + cmd: "bkctld restart {{ evolinux_hostname }}" # - "bkctld sync {{ evolinux_hostname }}" delegate_to: "{{ evobackup_client__hosts[0].ip }}" when: evobackup_client__hosts | length > 1 diff --git a/evobackup-client/tasks/jail.yml b/evobackup-client/tasks/jail.yml index fbb6080c..5eb0c36e 100644 --- a/evobackup-client/tasks/jail.yml +++ b/evobackup-client/tasks/jail.yml @@ -1,7 +1,8 @@ --- - name: 'create jail' - command: "bkctld init {{ evolinux_hostname }}" + ansible.builtin.command: + cmd: "bkctld init {{ evolinux_hostname }}" args: creates: "/backup/jails/{{ evolinux_hostname }}/" become: true @@ -15,7 +16,8 @@ # temp fix for bkctld 2.x because the ip and key command return 1 # if the jail is not started, see https://gitea.evolix.org/evolix/evobackup/issues/31 - name: 'start jail' - command: "bkctld restart {{ evolinux_hostname }}" + ansible.builtin.command: + cmd: "bkctld restart {{ evolinux_hostname }}" become: true delegate_to: "{{ evobackup_client__hosts[0].ip }}" tags: @@ -23,7 +25,8 @@ - evobackup_client_jail - name: 'add ip to jail' - command: "bkctld ip {{ evolinux_hostname }} {{ ansible_host }}" + ansible.builtin.command: + cmd: "bkctld ip {{ evolinux_hostname }} {{ ansible_host }}" become: true delegate_to: "{{ evobackup_client__hosts[0].ip }}" notify: 'jail updated' 
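Review bot: The `bkctld` handlers in evobackup-client/handlers/main.yml (and the jail tasks in evobackup-client/tasks/jail.yml that follow) now pass the command as a `cmd:` string into which `evolinux_hostname` and `ansible_host` are interpolated; `ansible.builtin.command` does not go through a shell, but it still splits `cmd` with shlex, so a value containing whitespace or quotes changes the argument vector that reaches `bkctld`. Since every one of these tasks is being rewritten anyway, the list form sidesteps that: `ansible.builtin.command:` / `  argv: ["bkctld", "restart", "{{ evolinux_hostname }}"]`. The stray `# - "bkctld sync {{ evolinux_hostname }}"` line inside the `jail updated` handler predates this change but reads like a second list item; a plain `# TODO` comment or removal would be clearer.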
@@ -32,7 +35,8 @@ - evobackup_client_jail - name: 'add key to jail' - command: "bkctld key {{ evolinux_hostname }} /root/{{ evolinux_hostname }}.pub" + ansible.builtin.command: + cmd: "bkctld key {{ evolinux_hostname }} /root/{{ evolinux_hostname }}.pub" become: true delegate_to: "{{ evobackup_client__hosts[0].ip }}" notify: 'jail updated' @@ -41,7 +45,8 @@ - evobackup_client_jail - name: 'get jail port' - command: "bkctld port {{ evolinux_hostname }}" + ansible.builtin.command: + cmd: "bkctld port {{ evolinux_hostname }}" become: true register: bkctld_port delegate_to: "{{ evobackup_client__hosts[0].ip }}" @@ -50,7 +55,7 @@ - evobackup_client_jail - name: 'register jail port' - set_fact: + ansible.builtin.set_fact: evobackup_ssh_port={{ bkctld_port.stdout }} tags: - evobackup_client diff --git a/evobackup-client/tasks/main.yml b/evobackup-client/tasks/main.yml index a2dd4405..4b01a276 100644 --- a/evobackup-client/tasks/main.yml +++ b/evobackup-client/tasks/main.yml @@ -1,26 +1,26 @@ --- -- include: "ssh_key.yml" +- ansible.builtin.include: "ssh_key.yml" tags: - evobackup_client - evobackup_client_backup_ssh_key -- include: "jail.yml" +- ansible.builtin.include: "jail.yml" tags: - evobackup_client - evobackup_client_jail -- include: "upload_scripts.yml" +- ansible.builtin.include: "upload_scripts.yml" tags: - evobackup_client - evobackup_client_backup_scripts -- include: "open_ssh_ports.yml" +- ansible.builtin.include: "open_ssh_ports.yml" tags: - evobackup_client - evobackup_client_backup_firewall -- include: "verify_ssh.yml" +- ansible.builtin.include: "verify_ssh.yml" tags: - evobackup_client - evobackup_client_backup_hosts diff --git a/evobackup-client/tasks/open_ssh_ports.yml b/evobackup-client/tasks/open_ssh_ports.yml index 3d1701ef..837996e4 100644 --- a/evobackup-client/tasks/open_ssh_ports.yml +++ b/evobackup-client/tasks/open_ssh_ports.yml 
@@ -1,7 +1,7 @@ --- - name: Is there a Minifirewall ? - stat: + ansible.builtin.stat: path: /etc/default/minifirewall register: evobackup_client__minifirewall tags: @@ -9,7 +9,7 @@ - evobackup_client_backup_firewall - name: Add backup SSH port in /etc/default/minifirewall - blockinfile: + ansible.builtin.blockinfile: dest: /etc/default/minifirewall marker: "# {mark} {{ item.name }}" block: | diff --git a/evobackup-client/tasks/ssh_key.yml b/evobackup-client/tasks/ssh_key.yml index 6438634e..1b2617f9 100644 --- a/evobackup-client/tasks/ssh_key.yml +++ b/evobackup-client/tasks/ssh_key.yml @@ -1,7 +1,7 @@ --- - name: Create SSH key - user: + ansible.builtin.user: name: root generate_ssh_key: true ssh_key_file: "{{ evobackup_client__root_key_path }}" @@ -12,7 +12,7 @@ - evobackup_client_backup_ssh_key - name: Print SSH key - debug: + ansible.builtin.debug: var: evobackup_client__root_key.ssh_public_key when: evobackup_client__root_key.ssh_public_key is defined tags: @@ -20,7 +20,7 @@ - evobackup_client_backup_ssh_key - name: 'copy ssh public key to backup server' - copy: + ansible.builtin.copy: content: "{{ evobackup_client__root_key.ssh_public_key }}" dest: "/root/{{ evolinux_hostname }}.pub" become: true diff --git a/evobackup-client/tasks/upload_scripts.yml b/evobackup-client/tasks/upload_scripts.yml index 1ef4a74f..1349a72d 100644 --- a/evobackup-client/tasks/upload_scripts.yml +++ b/evobackup-client/tasks/upload_scripts.yml @@ -1,7 +1,7 @@ --- - name: Upload evobackup script - template: + ansible.builtin.template: src: "{{ item }}" dest: "{{ evobackup_client__cron_path }}" force: true diff --git a/evobackup-client/tasks/verify_ssh.yml b/evobackup-client/tasks/verify_ssh.yml index d48fb455..07238f9e 100644 --- a/evobackup-client/tasks/verify_ssh.yml +++ b/evobackup-client/tasks/verify_ssh.yml 
@@ -1,7 +1,7 @@ --- - name: Verify evolix backup servers - known_hosts: + ansible.builtin.known_hosts: path: /root/.ssh/known_hosts name: "[{{ item.name }}]:{{ item.port }}" key: "[{{ item.name }}]:{{ item.port }} {{ item.fingerprint }}" diff --git a/evocheck/tasks/cron.yml b/evocheck/tasks/cron.yml index ecf1e1d0..cfea8ca2 100644 --- a/evocheck/tasks/cron.yml +++ b/evocheck/tasks/cron.yml @@ -1,8 +1,8 @@ --- - name: Check if cron is installed - shell: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'" - args: + ansible.builtin.shell: + cmd: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'" executable: /bin/bash failed_when: False changed_when: False @@ -10,7 +10,7 @@ register: is_cron_installed - name: evocheck crontab is updated - template: + ansible.builtin.template: src: crontab.j2 dest: /etc/cron.d/evocheck mode: "0644" diff --git a/evocheck/tasks/exec.yml b/evocheck/tasks/exec.yml index 306cf019..d5aa9320 100644 --- a/evocheck/tasks/exec.yml +++ b/evocheck/tasks/exec.yml @@ -1,6 +1,7 @@ --- - name: run evocheck - command: "{{ evocheck_bin_dir }}/evocheck.sh" + ansible.builtin.command: + cmd: "{{ evocheck_bin_dir }}/evocheck.sh" register: evocheck_run changed_when: False failed_when: False @@ -8,7 +9,7 @@ tags: - evocheck-exec -- debug: +- ansible.builtin.debug: var: evocheck_run.stdout_lines when: evocheck_run.stdout | length > 0 tags: diff --git a/evocheck/tasks/install.yml b/evocheck/tasks/install.yml index 8abd7d57..b210302b 100644 --- a/evocheck/tasks/install.yml +++ b/evocheck/tasks/install.yml @@ -1,12 +1,12 @@ --- -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr when: evocheck_bin_dir is search("/usr") tags: - evocheck - name: Scripts dir is present - file: + ansible.builtin.file: path: "{{ evocheck_bin_dir }}" state: directory owner: root 
@@ -16,22 +16,22 @@ - evocheck - name: Script for Debian 7 and earlier - set_fact: + ansible.builtin.set_fact: evocheck_script_src: evocheck.wheezy.sh when: ansible_distribution_major_version is version('7', '<=') - name: Script for Debian 8 - set_fact: + ansible.builtin.set_fact: evocheck_script_src: evocheck.jessie.sh when: ansible_distribution_major_version is version('8', '=') - name: Script for Debian 9 and later - set_fact: + ansible.builtin.set_fact: evocheck_script_src: evocheck.sh when: ansible_distribution_major_version is version('9', '>=') - name: Copy evocheck.sh - copy: + ansible.builtin.copy: src: "{{ evocheck_script_src }}" dest: "{{ evocheck_bin_dir }}/evocheck.sh" mode: "0700" @@ -41,7 +41,7 @@ - evocheck - name: Copy evocheck.cf - copy: + ansible.builtin.copy: src: evocheck.cf dest: /etc/evocheck.cf force: no diff --git a/evocheck/tasks/main.yml b/evocheck/tasks/main.yml index 14c6988f..ad47a24e 100644 --- a/evocheck/tasks/main.yml +++ b/evocheck/tasks/main.yml @@ -1,6 +1,6 @@ --- -- include: install.yml +- ansible.builtin.include: install.yml -- include: cron.yml +- ansible.builtin.include: cron.yml when: evocheck_update_crontab | bool diff --git a/evolinux-base/handlers/main.yml b/evolinux-base/handlers/main.yml index 388bf051..1c6df437 100644 --- a/evolinux-base/handlers/main.yml +++ b/evolinux-base/handlers/main.yml 
@@ -1,75 +1,81 @@ --- - name: dpkg-reconfigure-debconf - command: dpkg-reconfigure --frontend noninteractive debconf + ansible.builtin.command: + cmd: dpkg-reconfigure --frontend noninteractive debconf - name: dpkg-reconfigure-locales - command: dpkg-reconfigure --frontend noninteractive locales + ansible.builtin.command: + cmd: dpkg-reconfigure --frontend noninteractive locales - name: dpkg-reconfigure-apt - command: dpkg-reconfigure --frontend noninteractive apt-listchanges + ansible.builtin.command: + cmd: dpkg-reconfigure --frontend noninteractive apt-listchanges # - name: debconf-set-selections # command: debconf-set-selections /root/debconf-preseed - name: apt update - apt: + ansible.builtin.apt: update_cache: yes - name: restart rsyslog - service: + ansible.builtin.service: name: rsyslog state: restarted - name: remount /home - command: mount -o remount /home + ansible.builtin.command: + cmd: mount -o remount /home - name: remount /var - command: mount -o remount /var + ansible.builtin.command: + cmd: mount -o remount /var - name: restart nginx - service: + ansible.builtin.service: name: nginx state: restarted - name: reload nginx - service: + ansible.builtin.service: name: nginx state: reloaded - name: restart apache - service: + ansible.builtin.service: name: apache2 state: restarted - name: reload apache - service: + ansible.builtin.service: name: apache2 state: reloaded - name: restart cron - service: + ansible.builtin.service: name: cron state: restarted - name: newaliases - command: newaliases + ansible.builtin.command: + cmd: newaliases changed_when: False - name: reload sshd - service: + ansible.builtin.service: name: ssh state: reloaded - name: reload postfix - service: + ansible.builtin.service: name: postfix state: reloaded - name: restart log2mail - service: + ansible.builtin.service: name: log2mail state: restarted diff --git a/evolinux-base/tasks/etc-evolinux.yml b/evolinux-base/tasks/etc-evolinux.yml index e8ceb996..5ee3c238 100644 
--- a/evolinux-base/tasks/etc-evolinux.yml +++ b/evolinux-base/tasks/etc-evolinux.yml @@ -9,5 +9,5 @@ # mode: "0700" # state: directory -- include_role: +- ansible.builtin.include_role: name: evolix/evolinux-todo diff --git a/evolinux-base/tasks/hardware.dell.yml b/evolinux-base/tasks/hardware.dell.yml index 6e1673a6..a146ec5c 100644 --- a/evolinux-base/tasks/hardware.dell.yml +++ b/evolinux-base/tasks/hardware.dell.yml @@ -7,7 +7,8 @@ # This is still incompatible with Debian - name: Check if PERC HBA11 device is present - ansible.builtin.shell: "lspci | grep -qE 'MegaRAID.*SAS39xx'" + ansible.builtin.shell: + cmd: "lspci | grep -qE 'MegaRAID.*SAS39xx'" check_mode: no register: perc_hba11_search failed_when: False @@ -74,7 +75,7 @@ when: ansible_distribution_major_version is version('12', '>=') - name: Update APT cache - apt: + ansible.builtin.apt: update_cache: yes when: hwraid_sources is changed diff --git a/evolinux-base/tasks/hardware.yml b/evolinux-base/tasks/hardware.yml index d9b0cdcd..30badf70 100644 --- a/evolinux-base/tasks/hardware.yml +++ b/evolinux-base/tasks/hardware.yml @@ -67,13 +67,13 @@ - packages - name: "HP" - import_tasks: hardware.hp.yml + ansible.builtin.import_tasks: hardware.hp.yml when: - "'Hewlett-Packard Company Smart Array' in raidmodel.stdout or 'Adaptec Smart Storage PQI' in raidmodel.stdout" - evolinux_packages_hardware_raid | bool - name: "Dell" - import_tasks: hardware.dell.yml + ansible.builtin.import_tasks: hardware.dell.yml when: - "'MegaRAID' in raidmodel.stdout" - evolinux_packages_hardware_raid | bool diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml index 35b48830..fc9f5b87 100644 --- a/evolinux-base/tasks/main.yml +++ b/evolinux-base/tasks/main.yml 
@@ -1,14 +1,14 @@ --- - name: "System compatibility checks" - assert: + ansible.builtin.assert: that: - ansible_distribution == "Debian" - ansible_distribution_major_version is version('8', '>=') msg: only compatible with Debian >= 8 - name: Apt configuration - include_role: + ansible.builtin.include_role: name: evolix/apt vars: apt_install_basics: "{{ evolinux_apt_replace_default_sources }}" 
@@ -18,52 +18,52 @@ when: evolinux_apt_include | bool - name: /etc versioning with Git - include_role: + ansible.builtin.include_role: name: evolix/etc-git when: evolinux_etcgit_include | bool - name: /etc/evolinux base - import_tasks: etc-evolinux.yml + ansible.builtin.import_tasks: etc-evolinux.yml when: evolinux_etcevolinux_include | bool - name: Hostname - import_tasks: hostname.yml + ansible.builtin.import_tasks: hostname.yml when: evolinux_hostname_include | bool - name: Kernel tuning - import_tasks: kernel.yml + ansible.builtin.import_tasks: kernel.yml when: evolinux_kernel_include | bool - name: Fstab configuration - import_tasks: fstab.yml + ansible.builtin.import_tasks: fstab.yml when: evolinux_fstab_include | bool - name: Packages - import_tasks: packages.yml + ansible.builtin.import_tasks: packages.yml when: evolinux_packages_include | bool - name: System settings - import_tasks: system.yml + ansible.builtin.import_tasks: system.yml when: evolinux_system_include | bool - name: Minifirewall - include_role: + ansible.builtin.include_role: name: evolix/minifirewall when: evolinux_minifirewall_include | bool - name: Evomaintenance - include_role: + ansible.builtin.include_role: name: evolix/evomaintenance when: evolinux_evomaintenance_include | bool - name: SSH configuration (single file) - import_tasks: ssh.single-file.yml + ansible.builtin.import_tasks: ssh.single-file.yml when: - ansible_distribution_major_version is version('12', '<') - evolinux_ssh_include | bool - name: SSH configuration (included-files) - import_tasks: ssh.included-files.yml + ansible.builtin.import_tasks: ssh.included-files.yml when: - ansible_distribution_major_version is version('12', '>=') - evolinux_ssh_include | bool 
@@ -75,71 +75,71 @@ # when: evolinux_users_include - name: Root user configuration - import_tasks: root.yml + ansible.builtin.import_tasks: root.yml when: evolinux_root_include | bool - name: Postfix - import_tasks: postfix.yml + ansible.builtin.import_tasks: postfix.yml when: evolinux_postfix_include | bool - name: Logs management - import_tasks: logs.yml + ansible.builtin.import_tasks: logs.yml when: evolinux_logs_include | bool - name: Default index page - import_tasks: default_www.yml + ansible.builtin.import_tasks: default_www.yml when: evolinux_default_www_include | bool - name: Hardware drivers and tools - import_tasks: hardware.yml + ansible.builtin.import_tasks: hardware.yml when: - evolinux_hardware_include | bool - ansible_virtualization_role == "host" - name: Customize for Online.net - import_tasks: provider_online.yml + ansible.builtin.import_tasks: provider_online.yml when: evolinux_provider_online_include | bool - name: Customize for Orange FCE - import_tasks: provider_orange_fce.yml + ansible.builtin.import_tasks: provider_orange_fce.yml when: evolinux_provider_orange_fce_include | bool - name: Override Log2mail service - import_tasks: log2mail.yml + ansible.builtin.import_tasks: log2mail.yml when: evolinux_log2mail_include | bool -- import_tasks: motd.yml +- ansible.builtin.import_tasks: motd.yml when: evolinux_motd_include | bool -- import_tasks: utils.yml +- ansible.builtin.import_tasks: utils.yml when: evolinux_utils_include | bool - name: Munin - include_role: + ansible.builtin.include_role: name: evolix/munin when: evolinux_munin_include | bool - name: Nagios/NRPE - include_role: + ansible.builtin.include_role: name: evolix/nagios-nrpe when: evolinux_nagios_nrpe_include | bool - name: fail2ban - include_role: + ansible.builtin.include_role: name: evolix/fail2ban when: evolinux_fail2ban_include | bool - name: Evocheck - include_role: + ansible.builtin.include_role: name: evolix/evocheck when: evolinux_evocheck_include | bool - name: Listupgrade 
- include_role: + ansible.builtin.include_role: name: evolix/listupgrade when: evolinux_listupgrade_include | bool - name: Generate ldif script - include_role: + ansible.builtin.include_role: name: evolix/generate-ldif when: evolinux_generateldif_include | bool diff --git a/evolinux-base/tasks/system.yml b/evolinux-base/tasks/system.yml index c6965e09..ecad62d9 100644 --- a/evolinux-base/tasks/system.yml +++ b/evolinux-base/tasks/system.yml @@ -34,7 +34,7 @@ # TODO : find a way to force the console-data configuration # non-interactively (like tzdata ↑) -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: Ensure automagic vim conf is disabled @@ -129,7 +129,7 @@ - is_cron_installed.rc == 0 - evolinux_system_cron_random | bool -- include_role: +- ansible.builtin.include_role: name: evolix/ntpd ## alert5 diff --git a/evolinux-base/tasks/utils.yml b/evolinux-base/tasks/utils.yml index 76fbac82..a97be579 100644 --- a/evolinux-base/tasks/utils.yml +++ b/evolinux-base/tasks/utils.yml @@ -1,9 +1,9 @@ --- -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr -- include_tasks: +- ansible.builtin.include_tasks: file: dump-server-state.yml - name: "/sbin/deny script is present" diff --git a/evolinux-todo/tasks/cat.yml b/evolinux-todo/tasks/cat.yml index 58e3ba4c..e1d4faf8 100644 --- a/evolinux-todo/tasks/cat.yml +++ b/evolinux-todo/tasks/cat.yml @@ -1,13 +1,14 @@ --- - name: cat /etc/evolinux/todo.txt - command: "cat /etc/evolinux/todo.txt" + ansible.builtin.command: + cmd: "cat /etc/evolinux/todo.txt" register: evolinux_todo changed_when: False failed_when: False check_mode: no - name: "Content of /etc/evolinux/todo.txt" - debug: + ansible.builtin.debug: var: evolinux_todo.stdout_lines when: evolinux_todo.stdout | length > 0 diff --git a/evolinux-todo/tasks/main.yml b/evolinux-todo/tasks/main.yml index 8b5fa6b7..0cf5628c 100644 --- a/evolinux-todo/tasks/main.yml +++ b/evolinux-todo/tasks/main.yml 
@@ -1,14 +1,14 @@ --- - name: /etc/evolinux is present - file: + ansible.builtin.file: dest: /etc/evolinux mode: "0700" state: directory when: ansible_distribution == "Debian" - name: /etc/evolinux/todo.txt is present - copy: + ansible.builtin.copy: src: todo.defaults.txt dest: /etc/evolinux/todo.txt mode: "0640" diff --git a/evolinux-users/handlers/main.yml b/evolinux-users/handlers/main.yml index a94909a5..039ab7c2 100644 --- a/evolinux-users/handlers/main.yml +++ b/evolinux-users/handlers/main.yml @@ -1,9 +1,10 @@ --- - name: reload sshd - service: + ansible.builtin.service: name: sshd state: reloaded - name: newaliases - command: newaliases + ansible.builtin.command: + cmd: newaliases changed_when: False diff --git a/evolinux-users/tasks/main.yml b/evolinux-users/tasks/main.yml index 1e9cc5a3..f0fd703a 100644 --- a/evolinux-users/tasks/main.yml +++ b/evolinux-users/tasks/main.yml @@ -1,18 +1,18 @@ --- - name: "System compatibility checks" - assert: + ansible.builtin.assert: that: - ansible_distribution == "Debian" - ansible_distribution_major_version is version('8', '>=') msg: only compatible with Debian >= 8 -- debug: +- ansible.builtin.debug: msg: "Warning: empty 'evolinux_users' variable, tasks will be skipped!" when: evolinux_users | length == 0 - name: Create user accounts - include: user.yml + ansible.builtin.include: user.yml vars: user: "{{ item.value }}" loop: "{{ evolinux_users | dict2items }}" @@ -21,8 +21,8 @@ - evolinux_users | length > 0 - name: Configure sudo - include: sudo.yml + ansible.builtin.include: sudo.yml - name: Configure SSH - include: ssh.yml + ansible.builtin.include: ssh.yml when: evolinux_users | length > 0 diff --git a/evolinux-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml index 25a08297..9110911f 100644 --- a/evolinux-users/tasks/ssh.yml +++ b/evolinux-users/tasks/ssh.yml 
@@ -1,51 +1,53 @@ --- - name: verify AllowGroups directive - command: "grep -E '^AllowGroups' /etc/ssh/sshd_config" + ansible.builtin.command: + cmd: "grep -E '^AllowGroups' /etc/ssh/sshd_config" changed_when: False failed_when: False check_mode: no register: grep_allowgroups_ssh -- debug: +- ansible.builtin.debug: var: grep_allowgroups_ssh verbosity: 1 - name: verify AllowUsers directive - command: "grep -E '^AllowUsers' /etc/ssh/sshd_config" + ansible.builtin.command: + cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config" changed_when: False failed_when: False check_mode: no register: grep_allowusers_ssh -- debug: +- ansible.builtin.debug: var: grep_allowusers_ssh verbosity: 1 -- assert: +- ansible.builtin.assert: that: "not (grep_allowusers_ssh.rc == 0 and grep_allowgroups_ssh.rc == 0)" msg: "We can't deal with AllowUsers and AllowGroups at the same time" -- set_fact: +- ansible.builtin.set_fact: # If "AllowGroups is present" or "AllowUsers is absent and Debian 10+", ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0 and (ansible_distribution_major_version is version('10', '>='))) }}" # If "AllowGroups is absent" and "AllowUsers is absent or Debian <10" ssh_allowusers: "{{ (grep_allowusers_ssh.rc == 0) or (grep_allowgroups_ssh.rc != 0 and (ansible_distribution_major_version is version('10', '<'))) }}" -- debug: +- ansible.builtin.debug: var: ssh_allowgroups verbosity: 1 -- debug: +- ansible.builtin.debug: var: ssh_allowusers verbosity: 1 -- include: ssh_allowgroups.yml +- ansible.builtin.include: ssh_allowgroups.yml when: - ssh_allowgroups - not ssh_allowusers -- include: ssh_allowusers.yml +- ansible.builtin.include: ssh_allowusers.yml vars: user: "{{ item.value }}" loop: "{{ evolinux_users | dict2items }}" 
@@ -55,11 +57,11 @@ - not ssh_allowgroups - name: disable root login - replace: + ansible.builtin.replace: dest: /etc/ssh/sshd_config regexp: '^#PermitRootLogin (yes|without-password|prohibit-password)' replace: "PermitRootLogin no" notify: reload sshd when: evolinux_root_disable_ssh | bool -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers diff --git a/evolinux-users/tasks/ssh_allowgroups.yml b/evolinux-users/tasks/ssh_allowgroups.yml index a4e4ee54..2dac1f80 100644 --- a/evolinux-users/tasks/ssh_allowgroups.yml +++ b/evolinux-users/tasks/ssh_allowgroups.yml @@ -3,14 +3,15 @@ # this check must be repeated for each user # even if it's been done before - name: verify AllowGroups directive - command: "grep -E '^AllowGroups' /etc/ssh/sshd_config" + ansible.builtin.command: + cmd: "grep -E '^AllowGroups' /etc/ssh/sshd_config" changed_when: False failed_when: False check_mode: no register: grep_allowgroups_ssh - name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'" - lineinfile: + ansible.builtin.lineinfile: dest: /etc/ssh/sshd_config line: "\nAllowGroups {{ evolinux_ssh_group }}" insertafter: 'Subsystem' @@ -19,7 +20,7 @@ when: grep_allowgroups_ssh.rc != 0 - name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive" - replace: + ansible.builtin.replace: dest: /etc/ssh/sshd_config regexp: '^(AllowGroups ((?!\b{{ evolinux_ssh_group }}\b).)*)$' replace: '\1 {{ evolinux_ssh_group }}' diff --git a/evolinux-users/tasks/ssh_allowusers.yml b/evolinux-users/tasks/ssh_allowusers.yml index 1aa31f3c..00827a46 100644 --- a/evolinux-users/tasks/ssh_allowusers.yml +++ b/evolinux-users/tasks/ssh_allowusers.yml 
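Review bot: The `disable root login` task in evolinux-users/tasks/ssh.yml only rewrites a commented-out `#PermitRootLogin ...` line, so an sshd_config that already carries an explicit `PermitRootLogin yes` or `PermitRootLogin without-password` is left untouched even when `evolinux_root_disable_ssh` is set; the module rename keeps that gap. Making the leading `#` optional, `regexp: '^#?PermitRootLogin (yes|without-password|prohibit-password)'`, covers both forms, and switching to `ansible.builtin.lineinfile` with `regexp: '^#?PermitRootLogin'` and `line: "PermitRootLogin no"` would additionally add the directive when it is absent. The preceding tasks of this file are in the previous hunk.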
@@ -3,14 +3,15 @@ # this check must be repeated for each user # even if it's been done before - name: verify AllowUsers directive - command: "grep -E '^AllowUsers' /etc/ssh/sshd_config" + ansible.builtin.command: + cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config" changed_when: False failed_when: False check_mode: no register: grep_allowusers_ssh - name: "Add AllowUsers sshd directive with '{{ user.name }}'" - lineinfile: + ansible.builtin.lineinfile: dest: /etc/ssh/sshd_config line: "\nAllowUsers {{ user.name }}" insertafter: 'Subsystem' @@ -19,7 +20,7 @@ when: grep_allowusers_ssh.rc != 0 - name: "Append '{{ user.name }}' to AllowUsers sshd directive" - replace: + ansible.builtin.replace: dest: /etc/ssh/sshd_config regexp: '^(AllowUsers ((?!\b{{ user.name }}\b).)*)$' replace: '\1 {{ user.name }}' @@ -28,14 +29,15 @@ when: grep_allowusers_ssh.rc == 0 - name: "verify Match User directive" - command: "grep -E '^Match User' /etc/ssh/sshd_config" + ansible.builtin.command: + cmd: "grep -E '^Match User' /etc/ssh/sshd_config" changed_when: False failed_when: False check_mode: no register: grep_matchuser_ssh - name: "Add Match User sshd directive with '{{ user.name }}'" - lineinfile: + ansible.builtin.lineinfile: dest: /etc/ssh/sshd_config line: "\nMatch User {{ user.name }}\n PasswordAuthentication no" insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS" @@ -44,7 +46,7 @@ when: grep_matchuser_ssh.rc != 0 - name: "Append '{{ user.name }}' to Match User's sshd directive" - replace: + ansible.builtin.replace: dest: /etc/ssh/sshd_config regexp: '^(Match User ((?!{{ user.name }}).)*)$' replace: '\1,{{ user.name }}' diff --git a/evolinux-users/tasks/sudo.yml b/evolinux-users/tasks/sudo.yml index 769e7a4e..85149147 100644 --- a/evolinux-users/tasks/sudo.yml +++ b/evolinux-users/tasks/sudo.yml @@ -1,6 +1,6 @@ --- -- include: sudo_jessie.yml +- ansible.builtin.include: sudo_jessie.yml vars: user: "{{ item.value }}" loop: "{{ evolinux_users | dict2items }}" 
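Review bot: In evolinux-users/tasks/ssh_allowusers.yml the `Append '{{ user.name }}' to Match User's sshd directive` regexp `'^(Match User ((?!{{ user.name }}).)*)$'` has no word boundaries around the name, unlike the AllowUsers regexp a few tasks earlier, so an existing `Match User foobar` line makes the lookahead fail for user `foo` and `foo` is never appended. `regexp: '^(Match User ((?!\b{{ user.name | regex_escape }}\b).)*)$'` fixes that and also stops the raw interpolation of a name into a pattern; the same `regex_escape` would suit the AllowUsers/AllowGroups regexps in this file and in ssh_allowgroups.yml, and the `User_Alias` one in sudo_jessie.yml. This predates the commit, but since it rewrites these tasks' module lines it is a natural place to correct it.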
@@ -11,9 +11,9 @@ - block: - - include: sudo_stretch_common.yml + - ansible.builtin.include: sudo_stretch_common.yml - - include: sudo_stretch_user.yml + - ansible.builtin.include: sudo_stretch_user.yml vars: user: "{{ item.value }}" loop: "{{ evolinux_users | dict2items }}" @@ -24,4 +24,4 @@ - ansible_distribution_major_version is defined - ansible_distribution_major_version is version('9', '>=') -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers diff --git a/evolinux-users/tasks/sudo_jessie.yml b/evolinux-users/tasks/sudo_jessie.yml index d3f70198..6400a8ee 100644 --- a/evolinux-users/tasks/sudo_jessie.yml +++ b/evolinux-users/tasks/sudo_jessie.yml @@ -1,7 +1,7 @@ --- - name: "Verify Evolinux sudoers file presence (jessie)" - template: + ansible.builtin.template: src: sudoers_jessie.j2 dest: /etc/sudoers.d/evolinux force: no @@ -10,7 +10,7 @@ register: copy_sudoers_evolinux - name: "Add user in sudoers file for '{{ user.name }}' (jessie)" - replace: + ansible.builtin.replace: dest: /etc/sudoers.d/evolinux regexp: '^(User_Alias\s+ADMINS\s+=((?!{{ user.name }}).)*)$' replace: '\1,{{ user.name }}' diff --git a/evolinux-users/tasks/sudo_stretch_common.yml b/evolinux-users/tasks/sudo_stretch_common.yml index fb8f9ac7..ba7fb50b 100644 --- a/evolinux-users/tasks/sudo_stretch_common.yml +++ b/evolinux-users/tasks/sudo_stretch_common.yml @@ -1,7 +1,7 @@ --- - name: "/etc/sudoers.d presence and permissions" - file: + ansible.builtin.file: path: /etc/sudoers.d owner: root group: root @@ -9,7 +9,7 @@ state: directory - name: "Verify 'evolinux' sudoers file presence (Debian 9 or later)" - template: + ansible.builtin.template: src: sudoers_stretch.j2 dest: /etc/sudoers.d/evolinux force: no @@ -18,6 +18,7 @@ register: copy_sudoers_evolinux - name: "Create '{{ evolinux_sudo_group }}' group (Debian 9 or later)" - group: + + ansible.builtin.group: name: "{{ evolinux_sudo_group }}" system: yes 
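Review bot: In evolinux-users/tasks/sudo_stretch_common.yml the `Create '{{ evolinux_sudo_group }}' group` task gains an empty line between `- name:` and `ansible.builtin.group:`; YAML accepts it, but it breaks the one-task-one-block layout used everywhere else in this diff and looks like an editing slip from the search-and-replace. The same stray blank line appears three more times in evolinux-users/tasks/user.yml (the `evolinux_ssh_group`, `evolinux_internal_group` and secondary-groups `group` tasks). Dropping those four blank lines keeps the files uniform.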
diff --git a/evolinux-users/tasks/sudo_stretch_user.yml b/evolinux-users/tasks/sudo_stretch_user.yml index 97f1f77d..40830535 100644 --- a/evolinux-users/tasks/sudo_stretch_user.yml +++ b/evolinux-users/tasks/sudo_stretch_user.yml @@ -1,13 +1,13 @@ --- - name: "Add user to '{{ evolinux_sudo_group }}' group (Debian 9 or later)" - user: + ansible.builtin.user: name: '{{ user.name }}' groups: "{{ evolinux_sudo_group }}" append: yes - name: "Add user to 'adm' group (Debian 9 or later)" - user: + ansible.builtin.user: name: '{{ user.name }}' groups: "adm" append: yes diff --git a/evolinux-users/tasks/user.yml b/evolinux-users/tasks/user.yml index 0f8bd480..5bba2e0e 100644 --- a/evolinux-users/tasks/user.yml +++ b/evolinux-users/tasks/user.yml @@ -2,23 +2,25 @@ # Unix account -- fail: +- ansible.builtin.fail: msg: "You must provide a value for the 'user.name ' variable." when: (user.name is not defined) or (user.name | length == 0) -- fail: +- ansible.builtin.fail: msg: "You must provide a value for the 'user.uid ' variable." when: (user.uid is not defined) or (user.uid | string | length == 0) - name: "Test if '{{ user.name }}' exists" - command: 'id -u "{{ user.name }}"' + ansible.builtin.command: + cmd: 'id -u "{{ user.name }}"' register: get_id_from_login failed_when: False changed_when: False check_mode: no - name: "Test if uid '{{ user.uid }}' exists" - command: 'id -un -- "{{ user.uid }}"' + ansible.builtin.command: + cmd: 'id -un -- "{{ user.uid }}"' register: get_login_from_id failed_when: False changed_when: False @@ -28,7 +30,7 @@ # the uid already exists # and the user associated with this uid is not the desired user - name: "Fail if uid already exists for another user" - fail: + ansible.builtin.fail: msg: "Uid '{{ user.uid }}' is already used by '{{ get_login_from_id.stdout }}'. You must change uid for '{{ user.name }}'" when: - get_login_from_id.rc == 0 
@@ -38,7 +40,7 @@ # the user doesn't already exist and the uid isn't already used # or the user exists with the defined uid - name: "Unix account for '{{ user.name }}' is present (with uid '{{ user.uid }}')" - user: + ansible.builtin.user: state: present uid: '{{ user.uid }}' name: '{{ user.name }}' @@ -53,7 +55,7 @@ # the user doesn't already exist but the defined uid is already used # or another user already exists with a the same uid - name: "Unix account for '{{ user.name }}' is present (with random uid)" - user: + ansible.builtin.user: state: present name: '{{ user.name }}' comment: '{{ user.fullname }}' @@ -64,12 +66,12 @@ - (get_id_from_login.rc != 0 and get_login_from_id.rc == 0) or (get_id_from_login.rc == 0 and get_login_from_id.stdout != user.name) - name: Is /etc/aliases present? - stat: + ansible.builtin.stat: path: /etc/aliases register: etc_aliases - name: Set mail alias - lineinfile: + ansible.builtin.lineinfile: state: present dest: /etc/aliases line: '{{ user.name }}: root' @@ -82,13 +84,14 @@ ## Group for SSH authorizations - name: "Unix group '{{ evolinux_ssh_group }}' is present (Debian 10 or later)" - group: + + ansible.builtin.group: name: "{{ evolinux_ssh_group }}" state: present when: ansible_distribution_major_version is version('10', '>=') - name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_ssh_group }}' (Debian 10 or later)" - user: + ansible.builtin.user: name: '{{ user.name }}' groups: "{{ evolinux_ssh_group }}" append: yes @@ -97,7 +100,8 @@ ## Optional group for all evolinux users - name: "Unix group '{{ evolinux_internal_group }}' is present (Debian 9 or later)" - group: + + ansible.builtin.group: name: "{{ evolinux_internal_group }}" state: present when: 
@@ -106,7 +110,7 @@ - ansible_distribution_major_version is version('9', '>=') - name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_internal_group }}' (Debian 9 or later)" - user: + ansible.builtin.user: name: '{{ user.name }}' groups: "{{ evolinux_internal_group }}" append: yes @@ -118,7 +122,8 @@ ## Optional secondary groups, defined per user - name: "Secondary Unix groups are present" - group: + + ansible.builtin.group: name: "{{ group }}" loop: "{{ user.groups }}" loop_control: @@ -128,7 +133,7 @@ - user.groups | length > 0 - name: "Unix user '{{ user.name }}' belongs to secondary groups" - user: + ansible.builtin.user: name: '{{ user.name }}' groups: "{{ user.groups | join(',') }}" append: yes @@ -139,7 +144,7 @@ # Permissions on home directory - name: "Home directory for '{{ user.name }}' is not accessible by group and other users" - file: + ansible.builtin.file: name: '/home/{{ user.name }}' mode: "0700" state: directory @@ -147,7 +152,8 @@ # Evomaintenance - name: Search profile for presence of evomaintenance - command: 'grep -q "trap.*sudo.*evomaintenance.sh" /home/{{ user.name }}/.profile' + ansible.builtin.command: + cmd: 'grep -q "trap.*sudo.*evomaintenance.sh" /home/{{ user.name }}/.profile' changed_when: False failed_when: False check_mode: no @@ -155,7 +161,7 @@ ## Don't add the trap if it is present or commented - name: "User '{{ user.name }}' has its shell trap for evomaintenance" - lineinfile: + ansible.builtin.lineinfile: state: present dest: '/home/{{ user.name }}/.profile' insertafter: EOF @@ -165,7 +171,7 @@ # SSH keys - name: "SSH directory for '{{ user.name }}' is present" - file: + ansible.builtin.file: dest: '/home/{{ user.name }}/.ssh/' state: directory mode: "0700" @@ -173,7 +179,7 @@ group: '{{ user.name }}' - name: "SSH public key for '{{ user.name }}' is present" - authorized_key: + ansible.posix.authorized_key: user: "{{ user.name }}" key: "{{ user.ssh_key }}" state: present 
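Review bot: `ansible.posix.authorized_key` in the user.yml hunk `@@ -173,7 +179,7 @@` makes the role depend on the ansible.posix collection, which ansible-core does not ship, and I do not see a requirements.yml or meta/runtime.yml change in this part of the diff declaring it. The same applies to `ansible.posix.sysctl` (haproxy/tasks/main.yml), `community.general.ini_file` (fail2ban/tasks/ip_whitelist.yml) and `community.general.alternatives` (java/tasks/openjdk.yml and java/tasks/oracle.yml). If the collections are not pinned elsewhere in the repository, a `collections:` list in a requirements.yml naming `ansible.posix` and `community.general`, plus a README note on the minimum ansible-core version, would make the new names resolvable on a fresh controller.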
@@ -182,7 +188,7 @@ - user.ssh_key | length > 0 - name: "SSH public keys for '{{ user.name }}' are present" - authorized_key: + ansible.posix.authorized_key: user: "{{ user.name }}" key: "{{ ssk_key }}" state: present @@ -193,4 +199,4 @@ - user.ssh_keys is defined - user.ssh_keys | length > 0 -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers diff --git a/evomaintenance/handlers/main.yml b/evomaintenance/handlers/main.yml index 37c9af95..63cfcd86 100644 --- a/evomaintenance/handlers/main.yml +++ b/evomaintenance/handlers/main.yml @@ -1,14 +1,15 @@ --- - name: restart minifirewall - command: /etc/init.d/minifirewall restart + ansible.builtin.command: + cmd: /etc/init.d/minifirewall restart register: minifirewall_init_restart failed_when: - "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout" - "'minifirewall started' not in minifirewall_init_restart.stdout" - name: restart minifirewall (noop) - meta: noop + ansible.builtin.meta: noop register: minifirewall_init_restart failed_when: False changed_when: False diff --git a/evomaintenance/tasks/config.yml b/evomaintenance/tasks/config.yml index 99339874..d3e7a1b7 100644 --- a/evomaintenance/tasks/config.yml +++ b/evomaintenance/tasks/config.yml @@ -1,6 +1,6 @@ --- -- assert: +- ansible.builtin.assert: that: - evomaintenance_api_endpoint is not none - evomaintenance_api_key is not none @@ -8,7 +8,7 @@ when: evomaintenance_hook_api | bool - name: Configuration is installed - template: + ansible.builtin.template: src: evomaintenance.j2 dest: /etc/evomaintenance.cf owner: root diff --git a/evomaintenance/tasks/install_package_debian.yml b/evomaintenance/tasks/install_package_debian.yml index ce9d90e7..f4a16d00 100644 --- a/evomaintenance/tasks/install_package_debian.yml +++ b/evomaintenance/tasks/install_package_debian.yml 
@@ -1,14 +1,14 @@ --- - name: Evolix public repositry is installed - include_role: + ansible.builtin.include_role: name: evolix/apt tasks_from: evolix_public.yml tags: - evomaintenance - name: Package is installed - apt: + ansible.builtin.apt: name: evomaintenance allow_unauthenticated: yes tags: diff --git a/evomaintenance/tasks/install_vendor_debian.yml b/evomaintenance/tasks/install_vendor_debian.yml index 99448e3c..c8fb6183 100644 --- a/evomaintenance/tasks/install_vendor_debian.yml +++ b/evomaintenance/tasks/install_vendor_debian.yml @@ -1,7 +1,7 @@ --- - name: Dependencies are installed - apt: + ansible.builtin.apt: name: - sudo - curl @@ -10,7 +10,7 @@ - evomaintenance - name: PG dependencies are installed - apt: + ansible.builtin.apt: name: - postgresql-client state: present @@ -18,13 +18,13 @@ tags: - evomaintenance -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr tags: - evomaintenance - name: /usr/share/scripts exists - file: + ansible.builtin.file: dest: /usr/share/scripts mode: "0700" owner: root @@ -34,7 +34,7 @@ - evomaintenance - name: Evomaintenance script and template are installed - copy: + ansible.builtin.copy: src: "{{ item.src }}" dest: "{{ item.dest }}" owner: root diff --git a/evomaintenance/tasks/install_vendor_other.yml b/evomaintenance/tasks/install_vendor_other.yml index a28eeab3..ece9aae2 100644 --- a/evomaintenance/tasks/install_vendor_other.yml +++ b/evomaintenance/tasks/install_vendor_other.yml @@ -1,12 +1,12 @@ --- -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr tags: - evomaintenance - name: /usr/share/scripts exists - file: + ansible.builtin.file: dest: /usr/share/scripts mode: "0700" owner: root @@ -16,7 +16,7 @@ - evomaintenance - name: Evomaintenance script and template are installed - copy: + ansible.builtin.copy: src: "{{ item.src }}" dest: "{{ item.dest }}" owner: root 
diff --git a/evomaintenance/tasks/main.yml b/evomaintenance/tasks/main.yml index 1f4a6f55..88a41900 100644 --- a/evomaintenance/tasks/main.yml +++ b/evomaintenance/tasks/main.yml @@ -1,24 +1,24 @@ --- -- include: install_package_debian.yml +- ansible.builtin.include: install_package_debian.yml when: - not (evomaintenance_install_vendor | bool) - ansible_distribution == "Debian" -- include: install_vendor_debian.yml +- ansible.builtin.include: install_vendor_debian.yml when: - evomaintenance_install_vendor | bool - ansible_distribution == "Debian" -- include: install_vendor_other.yml +- ansible.builtin.include: install_vendor_other.yml when: - evomaintenance_install_vendor | bool - ansible_distribution != "Debian" -- include: config.yml +- ansible.builtin.include: config.yml -- include: minifirewall.yml +- ansible.builtin.include: minifirewall.yml when: - evomaintenance_hook_db | bool - ansible_distribution == "Debian" diff --git a/evomaintenance/tasks/minifirewall.yml b/evomaintenance/tasks/minifirewall.yml index 98dad15b..8b02a83b 100644 --- a/evomaintenance/tasks/minifirewall.yml +++ b/evomaintenance/tasks/minifirewall.yml @@ -1,17 +1,17 @@ --- -- set_fact: +- ansible.builtin.set_fact: minifirewall_restart_handler_name: "{{ minifirewall_restart_if_needed | bool | ternary('restart minifirewall', 'restart minifirewall (noop)') }}" - name: Is minifirewall installed? - stat: + ansible.builtin.stat: path: /etc/default/minifirewall register: minifirewall_default_file tags: - evomaintenance - name: minifirewall section for evomaintenance - lineinfile: + ansible.builtin.lineinfile: dest: /etc/default/minifirewall line: "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s {{ item }} -m state --state ESTABLISHED,RELATED -j ACCEPT" insertafter: "^# EvoMaintenance" 
@@ -22,7 +22,7 @@ - evomaintenance - name: remove minifirewall example rule for the proxy - lineinfile: + ansible.builtin.lineinfile: dest: /etc/default/minifirewall regexp: '^#.*(--sport 5432).*(-s X\.X\.X\.X)' state: absent @@ -32,7 +32,8 @@ - evomaintenance - name: Force restart minifirewall - command: /bin/true + ansible.builtin.command: + cmd: /bin/true notify: restart minifirewall when: minifirewall_restart_force | bool tags: diff --git a/evomaintenance/tasks/trap.yml b/evomaintenance/tasks/trap.yml index 0c3b70e0..004a6513 100644 --- a/evomaintenance/tasks/trap.yml +++ b/evomaintenance/tasks/trap.yml @@ -1,5 +1,5 @@ - name: is {{ home }}/.bash_profile present? - stat: + ansible.builtin.stat: path: "{{ home }}/.bash_profile" check_mode: no register: bash_profile @@ -7,7 +7,7 @@ - evomaintenance - name: install shell trap in {{ home }}/.bash_profile - lineinfile: + ansible.builtin.lineinfile: dest: "{{ home }}/.bash_profile" line: "trap \"sudo /usr/share/scripts/evomaintenance.sh\" 0" insertafter: EOF @@ -17,7 +17,7 @@ - evomaintenance - name: is {{ home }}/.profile present? - stat: + ansible.builtin.stat: path: "{{ home }}/.profile" check_mode: no register: profile @@ -26,7 +26,7 @@ - evomaintenance - name: install shell trap in {{ home }}/.profile - lineinfile: + ansible.builtin.lineinfile: dest: "{{ home }}/.profile" line: "trap \"sudo /usr/share/scripts/evomaintenance.sh\" 0" insertafter: EOF diff --git a/fail2ban/handlers/main.yml b/fail2ban/handlers/main.yml index 85f32698..49db2f25 100644 --- a/fail2ban/handlers/main.yml +++ b/fail2ban/handlers/main.yml @@ -1,10 +1,10 @@ --- - name: restart fail2ban - service: + ansible.builtin.service: name: fail2ban state: restarted - name: restart munin-node - service: + ansible.builtin.service: name: munin-node state: restarted diff --git a/fail2ban/tasks/fix-dbpurgeage.yml b/fail2ban/tasks/fix-dbpurgeage.yml index dbf9c0d9..6fa86c91 100644 --- a/fail2ban/tasks/fix-dbpurgeage.yml 
+++ b/fail2ban/tasks/fix-dbpurgeage.yml @@ -6,23 +6,24 @@ state: present - name: Register bantime from default config from package - shell: "grep -R -E 'dbpurgeage[[:blank:]]*=[[:blank:]]*[0-9]+' /etc/fail2ban/fail2ban.conf |awk '{print $3}'|head -n1" + ansible.builtin.shell: + cmd: "grep -R -E 'dbpurgeage[[:blank:]]*=[[:blank:]]*[0-9]+' /etc/fail2ban/fail2ban.conf |awk '{print $3}'|head -n1" register: dbpurgeage changed_when: False check_mode: false - name: - set_fact: + ansible.builtin.set_fact: dbpurgeage_default : "{{ dbpurgeage.stdout }}" when: dbpurgeage.stdout | regex_search("^\\d+\w+$") - name: - set_fact: + ansible.builtin.set_fact: dbpurgeage_default : "{{ dbpurgeage.stdout }} second" when: dbpurgeage.stdout | regex_search("^\\d+$") - name: Add crontab - template: + ansible.builtin.template: src: fail2ban_dbpurge.j2 dest: /etc/cron.daily/fail2ban_dbpurge mode: 0700 diff --git a/fail2ban/tasks/ip_whitelist.yml b/fail2ban/tasks/ip_whitelist.yml index f899e618..02cdb3c9 100644 --- a/fail2ban/tasks/ip_whitelist.yml +++ b/fail2ban/tasks/ip_whitelist.yml @@ -1,10 +1,10 @@ --- -- set_fact: +- ansible.builtin.set_fact: fail2ban_ignore_ips: "{{ ['127.0.0.1/8'] | union(fail2ban_default_ignore_ips) | union(fail2ban_additional_ignore_ips) | unique }}" - name: Update ignoreips lists - ini_file: + community.general.ini_file: dest: /etc/fail2ban/jail.local section: "DEFAULT" option: "ignoreip" diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml index b9c2d109..1629a02a 100644 --- a/fail2ban/tasks/main.yml +++ b/fail2ban/tasks/main.yml @@ -3,7 +3,7 @@ # or we risk being jailed by fail2ban - name: Prepare fail2ban hierarchy - file: + ansible.builtin.file: path: "{{ item }}" state: directory owner: root 
@@ -16,13 +16,13 @@ tags: - fail2ban -- set_fact: +- ansible.builtin.set_fact: fail2ban_ignore_ips: "{{ ['127.0.0.1/8'] | union(fail2ban_default_ignore_ips) | union(fail2ban_additional_ignore_ips) | unique }}" tags: - fail2ban - name: local jail is installed - template: + ansible.builtin.template: src: jail.local.j2 dest: /etc/fail2ban/jail.local mode: "0644" @@ -32,13 +32,13 @@ - fail2ban - name: Include ignoredips update task - include: ip_whitelist.yml + ansible.builtin.include: ip_whitelist.yml when: fail2ban_force_update_ignore_ips | bool tags: - fail2ban - name: custom filters are installed - copy: + ansible.builtin.copy: src: "{{ item }}" dest: /etc/fail2ban/filter.d/ mode: "0644" @@ -53,7 +53,7 @@ - fail2ban - name: package fail2ban is installed - apt: + ansible.builtin.apt: name: fail2ban state: present tags: @@ -61,7 +61,7 @@ - packages - name: is Munin present ? - stat: + ansible.builtin.stat: path: /etc/munin/plugins check_mode: no register: etc_munin_plugins @@ -70,7 +70,7 @@ - munin - name: is fail2ban Munin plugin available ? - stat: + ansible.builtin.stat: path: /usr/share/munin/plugins/fail2ban check_mode: no register: fail2ban_munin_plugin @@ -79,7 +79,7 @@ - munin - name: Enable Munin plugins - file: + ansible.builtin.file: src: "/usr/share/munin/plugins/fail2ban" dest: "/etc/munin/plugins/fail2ban" state: link @@ -92,7 +92,7 @@ - munin - name: "Extend dbpurgeage if recidive jail is enabled" - blockinfile: + ansible.builtin.blockinfile: dest: /etc/fail2ban/fail2ban.d/recidive_dbpurgeage marker: "# ANSIBLE MANAGED" block: | @@ -106,7 +106,7 @@ - fail2ban_recidive - name: Fix dbpurgeage for stretch and buster - include: fix-dbpurgeage.yml + ansible.builtin.include: fix-dbpurgeage.yml when: - ansible_distribution_release == "stretch" or ansible_distribution_release == "buster" tags: diff --git a/filebeat/handlers/main.yml b/filebeat/handlers/main.yml index 3ad08a63..8456ee33 100644 --- a/filebeat/handlers/main.yml +++ b/filebeat/handlers/main.yml 
@@ -1,7 +1,7 @@ --- - name: restart filebeat - systemd: + ansible.builtin.systemd: name: filebeat state: restarted when: not ansible_check_mode diff --git a/filebeat/tasks/apt_sources.yml b/filebeat/tasks/apt_sources.yml index d6597c74..a0395ffe 100644 --- a/filebeat/tasks/apt_sources.yml +++ b/filebeat/tasks/apt_sources.yml @@ -31,6 +31,6 @@ when: ansible_distribution_major_version is version('12', '>=') - name: Update APT cache - apt: + ansible.builtin.apt: update_cache: yes when: elastic_sources is changed \ No newline at end of file diff --git a/filebeat/tasks/main.yml b/filebeat/tasks/main.yml index 0c20cc6c..86dd617b 100644 --- a/filebeat/tasks/main.yml +++ b/filebeat/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: APT sources - import_tasks: apt_sources.yml + ansible.builtin.import_tasks: apt_sources.yml args: apply: tags: @@ -8,7 +8,7 @@ - packages - name: Filebeat is installed - apt: + ansible.builtin.apt: name: filebeat state: "{% if filebeat_upgrade_package %}latest{% else %}present{% endif %}" notify: restart filebeat @@ -17,20 +17,21 @@ - packages - name: Filebeat service is enabled - systemd: + ansible.builtin.systemd: name: filebeat enabled: yes notify: restart filebeat when: not ansible_check_mode - name: is logstash-plugin available? - stat: + ansible.builtin.stat: path: /usr/share/logstash/bin/logstash-plugin check_mode: no register: logstash_plugin - name: is logstash-input-beats installed? - command: grep logstash-input-beats /usr/share/logstash/Gemfile + ansible.builtin.command: + cmd: grep logstash-input-beats /usr/share/logstash/Gemfile check_mode: no register: logstash_plugin_installed failed_when: False 
@@ -41,11 +42,11 @@ - name: Logstash plugin is installed block: - - include_role: + - ansible.builtin.include_role: name: evolix/remount-usr - name: logstash-plugin install logstash-input-beats - command: /usr/share/logstash/bin/logstash-plugin install logstash-input-beats + ansible.builtin.command: /usr/share/logstash/bin/logstash-plugin install logstash-input-beats when: - filebeat_logstash_plugin | bool - logstash_plugin.stat.exists @@ -54,7 +55,7 @@ # When we don't use a config template (default) - block: - name: cloud_metadata processor is disabled - replace: + ansible.builtin.replace: dest: /etc/filebeat/filebeat.yml regexp: '^(\s+)(- add_cloud_metadata:)' replace: '\1# \2' @@ -62,7 +63,7 @@ when: not (filebeat_processors_cloud_metadata | bool) - name: cloud_metadata processor is disabled - lineinfile: + ansible.builtin.lineinfile: dest: /etc/filebeat/filebeat.yml line: " - add_cloud_metadata: ~" insert_after: '^processors:' @@ -70,7 +71,7 @@ when: filebeat_processors_cloud_metadata | bool - name: Filebeat knows where to find Elasticsearch - lineinfile: + ansible.builtin.lineinfile: dest: /etc/filebeat/filebeat.yml regexp: '^ hosts: .*' line: " hosts: [\"{{ filebeat_elasticsearch_hosts | join('\", \"') }}\"]" @@ -79,7 +80,7 @@ when: filebeat_elasticsearch_hosts | length > 0 - name: Filebeat protocol for Elasticsearch - lineinfile: + ansible.builtin.lineinfile: dest: /etc/filebeat/filebeat.yml regexp: '^ #?protocol: .*' line: " protocol: \"{{ filebeat_elasticsearch_protocol }}\"" @@ -88,7 +89,7 @@ when: filebeat_elasticsearch_protocol == "http" or filebeat_elasticsearch_protocol == "https" - name: Filebeat auth/username for Elasticsearch are configured - lineinfile: + ansible.builtin.lineinfile: dest: /etc/filebeat/filebeat.yml regexp: '{{ item.regexp }}' line: '{{ item.line }}' 
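Review bot: `ansible.builtin.command: /usr/share/logstash/bin/logstash-plugin install logstash-input-beats` in the `@@ -41,11 +42,11 @@` hunk keeps the free-form argument while every other `command` conversion in this commit moves the command string under `cmd:`. For consistency it should read `ansible.builtin.command:` followed by `cmd: /usr/share/logstash/bin/logstash-plugin install logstash-input-beats`. The surrounding `block:` continues past the hunk.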
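Review bot: In the `@@ -62,7 +63,7 @@` hunk the second `cloud_metadata processor is disabled` task passes `insert_after: '^processors:'` to `ansible.builtin.lineinfile`, but the module's parameter is `insertafter`; with `insert_after` the task fails with an unsupported-parameter error as soon as `filebeat_processors_cloud_metadata` is true. The fix is the one-line rename `insertafter: '^processors:'`. The commit only renames the module here, so the pre-existing mistake is carried over; the task body continues below the hunk.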
@@ -105,7 +106,7 @@ - not ansible_check_mode - name: Filebeat api_key for Elasticsearch are configured - lineinfile: + ansible.builtin.lineinfile: dest: /etc/filebeat/filebeat.yml regexp: '^ #?api_key: .*' line: ' api_key: "{{ filebeat_elasticsearch_auth_api_key }}"' @@ -116,7 +117,7 @@ # When we use a config template - block: - name: Configuration is up-to-date - template: + ansible.builtin.template: src: "{{ item }}" dest: /etc/filebeat/filebeat.yml force: "{{ filebeat_force_config }}" diff --git a/fluentd/handlers/main.yml b/fluentd/handlers/main.yml index 2468cef3..e87c76ab 100644 --- a/fluentd/handlers/main.yml +++ b/fluentd/handlers/main.yml @@ -1,10 +1,10 @@ --- - name: restart fluentd - systemd: + ansible.builtin.systemd: name: td-agent state: restarted - name: restart nagios-nrpe-server - service: + ansible.builtin.service: name: nagios-nrpe-server state: restarted diff --git a/fluentd/tasks/main.yml b/fluentd/tasks/main.yml index fa9a0470..b6f262c1 100644 --- a/fluentd/tasks/main.yml +++ b/fluentd/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: Add Fluentd GPG key - copy: + ansible.builtin.copy: src: treasuredata.asc dest: "{{ apt_keyring_dir }}/treasuredata.asc" force: yes @@ -13,7 +13,7 @@ - fluentd - name: Add Treasuredata repository (Debian <12) - apt_repository: + ansible.builtin.apt_repository: repo: "deb [signed-by={{ apt_keyring_dir }}/treasuredata.asc] http://packages.treasuredata.com/3/debian/{{ ansible_distribution_release }}/ {{ ansible_distribution_release }} contrib" filename: treasuredata state: present @@ -35,12 +35,12 @@ when: ansible_distribution_major_version is version('12', '>=') - name: Update APT cache - apt: + ansible.builtin.apt: update_cache: yes when: treasuredata_sources is changed - name: Fluentd is installed. - apt: + ansible.builtin.apt: name: td-agent state: present tags: 
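Review bot: The `Filebeat api_key for Elasticsearch are configured` task in hunk `@@ -105,7 +106,7 @@` writes `filebeat_elasticsearch_auth_api_key` into filebeat.yml through `ansible.builtin.lineinfile` and, within the visible lines, does not set `no_log: true`, so the key is printed in `--diff` and verbose output and lands in the controller log. Unless it is set in the lines past the hunk, add `no_log: true` to the task. The `auth/username` task in the `@@ -88,7 +89,7 @@` hunk loops over `item.line` values that presumably include the password and should get the same treatment.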
@@ -48,7 +48,7 @@ - packages - name: Fluentd is configured. - template: + ansible.builtin.template: src: td-agent.conf.j2 dest: "{{ fluentd_conf_path }}" mode: "0644" @@ -57,7 +57,7 @@ - fluentd - name: Fluentd is running and enabled on boot. - systemd: + ansible.builtin.systemd: name: td-agent enabled: yes state: started @@ -65,7 +65,7 @@ - fluentd - name: NRPE check is configured - lineinfile: + ansible.builtin.lineinfile: path: /etc/nagios/nrpe.d/evolix.cfg line: 'command[check_fluentd]=/usr/lib/nagios/plugins/check_tcp -p {{ fluentd_port }}' notify: "restart nagios-nrpe-server" diff --git a/generate-ldif/tasks/exec.yml b/generate-ldif/tasks/exec.yml index 213560a5..0c25758a 100644 --- a/generate-ldif/tasks/exec.yml +++ b/generate-ldif/tasks/exec.yml @@ -1,6 +1,7 @@ --- - name: run generateldif - command: '{{ general_scripts_dir }}/generateldif.sh' + ansible.builtin.command: + cmd: '{{ general_scripts_dir }}/generateldif.sh' register: generateldif_run changed_when: False failed_when: False @@ -8,7 +9,7 @@ tags: - generateldif-exec -- debug: +- ansible.builtin.debug: var: generateldif_run.stdout_lines verbosity: 1 tags: diff --git a/generate-ldif/tasks/main.yml b/generate-ldif/tasks/main.yml index 019f5a83..29acb2fc 100644 --- a/generate-ldif/tasks/main.yml +++ b/generate-ldif/tasks/main.yml @@ -1,10 +1,10 @@ --- -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr when: general_scripts_dir is search("/usr") - name: "copy generateldif.sh" - template: + ansible.builtin.template: src: templates/generateldif.sh.j2 dest: '{{ general_scripts_dir }}/generateldif.sh' owner: root diff --git a/haproxy/handlers/main.yml b/haproxy/handlers/main.yml index 9cf3b9cb..a20031f1 100644 --- a/haproxy/handlers/main.yml +++ b/haproxy/handlers/main.yml 
@@ -1,15 +1,15 @@ --- - name: reload haproxy - service: + ansible.builtin.service: name: haproxy state: reloaded - name: restart haproxy - service: + ansible.builtin.service: name: haproxy state: restarted - name: restart munin-node - service: + ansible.builtin.service: name: munin-node state: restarted diff --git a/haproxy/tasks/main.yml b/haproxy/tasks/main.yml index d38e83af..12fdd224 100644 --- a/haproxy/tasks/main.yml +++ b/haproxy/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: ssl-cert package is installed - apt: + ansible.builtin.apt: name: ssl-cert state: present tags: @@ -8,7 +8,7 @@ - packages - name: HAProxy SSL directory is present - file: + ansible.builtin.file: path: /etc/haproxy/ssl owner: root group: root @@ -19,7 +19,8 @@ - ssl - name: Self-signed certificate is present in HAProxy ssl directory - shell: "cat /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key > /etc/haproxy/ssl/ssl-cert-snakeoil.pem" + ansible.builtin.shell: + cmd: "cat /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key > /etc/haproxy/ssl/ssl-cert-snakeoil.pem" args: creates: /etc/haproxy/ssl/ssl-cert-snakeoil.pem notify: reload haproxy @@ -28,7 +29,7 @@ - ssl - name: HAProxy stats_access_ips are present - blockinfile: + ansible.builtin.blockinfile: dest: /etc/haproxy/stats_access_ips create: yes block: | @@ -42,7 +43,7 @@ - update-config - name: HAProxy stats_admin_ips are present - blockinfile: + ansible.builtin.blockinfile: dest: /etc/haproxy/stats_admin_ips create: yes block: | @@ -56,7 +57,7 @@ - update-config - name: HAProxy maintenance_ips are present - blockinfile: + ansible.builtin.blockinfile: dest: /etc/haproxy/maintenance_ips create: yes block: | @@ -70,7 +71,7 @@ - update-config - name: HAProxy deny_ips are present - blockinfile: + ansible.builtin.blockinfile: dest: /etc/haproxy/deny_ips create: yes block: | 
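Review bot: The `Self-signed certificate is present in HAProxy ssl directory` task (hunk `@@ -19,7 +19,8 @@`) concatenates the snakeoil private key into /etc/haproxy/ssl/ssl-cert-snakeoil.pem through a shell redirection, so the mode of the resulting file depends on the umask of the Ansible process rather than on anything the task controls. Since the output holds key material, either prefix the command with a umask, `cmd: "umask 077 && cat /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key > /etc/haproxy/ssl/ssl-cert-snakeoil.pem"`, or follow it with an `ansible.builtin.file` task setting `mode: "0600"` on the combined file. Because of the `creates:` guard, an already-existing over-permissive file is never corrected without that follow-up task.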
@@ -83,11 +84,11 @@ - config - update-config -- include: packages_backports.yml +- ansible.builtin.include: packages_backports.yml when: haproxy_backports | bool - name: Install HAProxy package - apt: + ansible.builtin.apt: name: haproxy state: present tags: @@ -95,7 +96,7 @@ - packages - name: Copy HAProxy configuration - template: + ansible.builtin.template: src: "{{ item }}" dest: /etc/haproxy/haproxy.cfg force: "{{ haproxy_force_config }}" @@ -115,7 +116,7 @@ - update-config - name: Rotate logs with dateext - lineinfile: + ansible.builtin.lineinfile: dest: /etc/logrotate.d/haproxy line: ' dateext' regexp: '^\s*#*\s*(no)?dateext' @@ -125,7 +126,7 @@ - logrotate - name: Rotate logs with nodelaycompress - lineinfile: + ansible.builtin.lineinfile: dest: /etc/logrotate.d/haproxy line: ' nodelaycompress' regexp: '^\s*#*\s*(no)?delaycompress' @@ -135,7 +136,7 @@ - logrotate - name: Set net.ipv4.ip_nonlocal_bind - sysctl: + ansible.posix.sysctl: name: net.ipv4.ip_nonlocal_bind value: "{{ haproxy_allow_ip_nonlocal_bind | ternary('1','0') }}" sysctl_file: "{{ evolinux_kernel_sysctl_path | default('/etc/sysctl.d/evolinux.conf') }}" @@ -147,4 +148,4 @@ - haproxy_allow_ip_nonlocal_bind is defined - haproxy_allow_ip_nonlocal_bind is not none -- include: munin.yml +- ansible.builtin.include: munin.yml diff --git a/haproxy/tasks/munin.yml b/haproxy/tasks/munin.yml index 1f65dbe3..e2f2302d 100644 --- a/haproxy/tasks/munin.yml +++ b/haproxy/tasks/munin.yml @@ -1,6 +1,6 @@ --- - name: Install Munin plugin and dependencies - apt: + ansible.builtin.apt: name: - munin-plugins-extra - liblwp-useragent-determined-perl @@ -9,7 +9,7 @@ - haproxy - name: Enable Munin Haproxy plugins - file: + ansible.builtin.file: src: /usr/share/munin/plugins/haproxy_ng dest: /etc/munin/plugins/haproxy_ng force: yes @@ -19,7 +19,7 @@ - haproxy - name: Copy Munin Haproxy config - template: + ansible.builtin.template: src: munin.conf.j2 dest: /etc/munin/plugin-conf.d/haproxy mode: "0644" 
diff --git a/haproxy/tasks/packages_backports.yml b/haproxy/tasks/packages_backports.yml index eab4fbca..5832c4d4 100644 --- a/haproxy/tasks/packages_backports.yml +++ b/haproxy/tasks/packages_backports.yml @@ -1,26 +1,26 @@ --- -- include_role: +- ansible.builtin.include_role: name: evolix/apt tasks_from: backports.yml tags: - haproxy - packages -- set_fact: +- ansible.builtin.set_fact: haproxy_backports_packages: "{{ haproxy_backports_packages_stretch }}" when: ansible_distribution_release == 'stretch' -- set_fact: +- ansible.builtin.set_fact: haproxy_backports_packages: "{{ haproxy_backports_packages_buster }}" when: ansible_distribution_release == 'buster' -- set_fact: +- ansible.builtin.set_fact: haproxy_backports_packages: "{{ haproxy_backports_packages_bullseye }}" when: ansible_distribution_release == 'bullseye' - name: Prefer HAProxy package from backports - template: + ansible.builtin.template: src: haproxy_apt_preferences.j2 dest: /etc/apt/preferences.d/999-haproxy force: yes @@ -31,7 +31,7 @@ - packages - name: update apt - apt: + ansible.builtin.apt: update_cache: yes when: haproxy_apt_preferences is changed tags: diff --git a/java/tasks/main.yml b/java/tasks/main.yml index f899bf1c..d07ce5eb 100644 --- a/java/tasks/main.yml +++ b/java/tasks/main.yml @@ -3,8 +3,8 @@ # msg: "This role support only java 8 for now !" # when: java_version != 8 -- include: openjdk.yml +- ansible.builtin.include: openjdk.yml when: java_alternative == 'openjdk' -- include: oracle.yml +- ansible.builtin.include: oracle.yml when: java_alternative == 'oracle' diff --git a/java/tasks/openjdk.yml b/java/tasks/openjdk.yml index 13135d9c..e0d947db 100644 --- a/java/tasks/openjdk.yml +++ b/java/tasks/openjdk.yml 
@@ -1,12 +1,12 @@ --- - name: Decide which Debian release to use - set_fact: + ansible.builtin.set_fact: java_apt_release: '{% if ansible_distribution_release == "jessie" %}jessie-backports{% else %}{{ ansible_distribution_release }}{% endif %}' tags: - java - name: Install jessie-backports - include_role: + ansible.builtin.include_role: name: evolix/apt tasks_from: backports.yml when: ansible_distribution_release == "jessie" @@ -14,7 +14,7 @@ - java - name: Install default openjdk package - apt: + ansible.builtin.apt: name: "default-jre-headless" default_release: "{{ java_apt_release }}" state: present @@ -24,7 +24,7 @@ when: java_version is none - name: Install specific openjdk package - apt: + ansible.builtin.apt: name: "openjdk-{{ java_version }}-jre-headless" default_release: "{{ java_apt_release }}" state: present @@ -34,7 +34,7 @@ when: java_version is not none - name: This openjdk version is the default alternative - alternatives: + community.general.alternatives: name: java path: "{{ java_bin_path[java_version] }}" tags: diff --git a/java/tasks/oracle.yml b/java/tasks/oracle.yml index 0b057695..75d181d3 100644 --- a/java/tasks/oracle.yml +++ b/java/tasks/oracle.yml @@ -1,6 +1,6 @@ --- - name: Install dependencies for build java package - apt: + ansible.builtin.apt: name: - java-package - build-essential @@ -9,7 +9,7 @@ - java - name: Create jvm dir - file: + ansible.builtin.file: path: "{{ item }}" state: directory mode: "0777" @@ -21,7 +21,7 @@ - java - name: Get Oracle jre archive - get_url: + ansible.builtin.get_url: url: 'https://download.oracle.com/otn-pub/java/jdk/8u192-b12/750e1c8617c5452694857ad95c3ee230/server-jre-8u192-linux-x64.tar.gz' dest: '/srv/java-package/src/' checksum: 'sha256:3d811a5ec65dc6fc261f488757bae86ecfe285a79992363b016f60cdb4dbe7e6' 
@@ -31,7 +31,8 @@ - java - name: Make Debian package from Oracle JDK archive - shell: "yes | TMPDIR=/srv/java-package/tmp make-jpkg /srv/java-package/src/server-jre-8u192-linux-x64.tar.gz" + ansible.builtin.shell: + cmd: "yes | TMPDIR=/srv/java-package/tmp make-jpkg /srv/java-package/src/server-jre-8u192-linux-x64.tar.gz" args: chdir: /srv/java-package creates: /srv/java-package/oracle-java8-server-jre_8u192_amd64.deb @@ -39,17 +40,17 @@ tags: - java -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: Install java package - apt: + ansible.builtin.apt: deb: /srv/java-package/oracle-java8-server-jre_8u192_amd64.deb tags: - java - name: This openjdk version is the default alternative - alternatives: + community.general.alternatives: name: java path: "/usr/lib/jvm/oracle-java{{ java_version }}-server-jre-amd64/bin/java" when: java_default_alternative | bool diff --git a/jenkins/handlers/main.yml b/jenkins/handlers/main.yml index b7d269cf..a38d1b47 100644 --- a/jenkins/handlers/main.yml +++ b/jenkins/handlers/main.yml @@ -1,15 +1,15 @@ --- - name: reload squid - service: + ansible.builtin.service: name: squid state: reloaded - name: reload squid3 - service: + ansible.builtin.service: name: squid3 state: reloaded - name: Restart Jenkins - service: + ansible.builtin.service: name: jenkins state: restarted diff --git a/jenkins/tasks/main.yml b/jenkins/tasks/main.yml index 3a855f9c..1e6b777b 100644 --- a/jenkins/tasks/main.yml +++ b/jenkins/tasks/main.yml @@ -6,7 +6,7 @@ # http://jenkins.mirror.isppower.de/.* - name: Add Jenkins GPG key - copy: + ansible.builtin.copy: src: jenkins.asc dest: "{{ apt_keyring_dir }}/jenkins.asc" force: yes @@ -15,7 +15,7 @@ group: root - name: Add Jenkins APT repository (Debian <12) - apt_repository: + ansible.builtin.apt_repository: repo: deb [signed-by={{ apt_keyring_dir }}/jenkins.asc] http://pkg.jenkins-ci.org/debian-stable binary/ filename: jenkins update_cache: yes 
@@ -30,17 +30,17 @@ when: ansible_distribution_major_version is version('12', '>=') - name: Update APT cache - apt: + ansible.builtin.apt: update_cache: yes when: jenkins_sources is changed - name: Install Jenkins - apt: + ansible.builtin.apt: name: jenkins state: present - name: Change Jenkins port - replace: + ansible.builtin.replace: name: /etc/default/jenkins regexp: "^HTTP_PORT=.*$" replace: "HTTP_PORT=8081" diff --git a/keepalived/handlers/main.yml b/keepalived/handlers/main.yml index 252fe515..7c9235d2 100644 --- a/keepalived/handlers/main.yml +++ b/keepalived/handlers/main.yml @@ -1,10 +1,10 @@ --- - name: restart keepalived - systemd: + ansible.builtin.systemd: name: keepalived state: restarted - name: restart nagios-nrpe-server - service: + ansible.builtin.service: name: nagios-nrpe-server state: restarted diff --git a/keepalived/tasks/main.yml b/keepalived/tasks/main.yml index b98ff1ae..3ab0f8be 100644 --- a/keepalived/tasks/main.yml +++ b/keepalived/tasks/main.yml @@ -1,14 +1,14 @@ --- - name: install Keepalived service - apt: + ansible.builtin.apt: pkg: keepalived state: present tags: - keepalived - name: Add notify.sh script for NRPE check - file: + ansible.builtin.file: src: notify.sh dest: /etc/keepalived/notify.sh mode: "0755" @@ -21,7 +21,7 @@ - nrpe - name: check_keepalived is installed - file: + ansible.builtin.file: src: check_keepalived dest: /usr/local/lib/nagios/plugins/check_keepalived mode: "0755" @@ -33,7 +33,7 @@ - nrpe - name: Use check_keepalived for NRPE - lineinfile: + ansible.builtin.lineinfile: dest: /etc/nagios/nrpe.d/evolix.cfg regexp: 'command\[check_keepalived\]' replace: 'command[check_keepalived]=/usr/local/lib/nagios/plugins/check_keepalived' @@ -43,7 +43,7 @@ - nrpe - name: generate Keepalived configuration - template: + ansible.builtin.template: src: keepalived.conf.j2 dest: /etc/keepalived/keepalived.conf mode: "0644" 
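Review bot: In the keepalived/tasks/main.yml hunk `@@ -1,14 +1,14 @@` the task `Add notify.sh script for NRPE check` uses `ansible.builtin.file` with `src: notify.sh` and `dest: /etc/keepalived/notify.sh`; `file` never copies content and only honours `src` for `state: link` or `state: hard`, and a link to the relative path `notify.sh` inside /etc/keepalived would point at itself. Unless a `state:` past the hunk makes this intentional, the module should be `ansible.builtin.copy` (or `ansible.builtin.template`), which takes the same `src`, `dest` and `mode: "0755"`. The `check_keepalived is installed` task in hunk `@@ -21,7 +21,7 @@` has the same shape with `src: check_keepalived`. Both tasks continue below their hunks.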
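Review bot: The `Use check_keepalived for NRPE` task in hunk `@@ -33,7 +33,7 @@` gives `ansible.builtin.lineinfile` a `replace:` key, which that module does not have — its content parameter is `line` — so the task fails with an unsupported-parameter error, and with the default `state: present` lineinfile also requires `line`. Change it to `line: 'command[check_keepalived]=/usr/local/lib/nagios/plugins/check_keepalived'` while keeping `regexp:` so an existing entry is rewritten in place, or switch the module to `ansible.builtin.replace` if a regex substitution was intended. The task may continue below the hunk.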
@@ -52,7 +52,7 @@ - keepalived - name: enable and restart Keepalived service - systemd: + ansible.builtin.systemd: name: keepalived daemon_reload: yes state: started diff --git a/kibana/handlers/main.yml b/kibana/handlers/main.yml index cbccd8e0..90467e19 100644 --- a/kibana/handlers/main.yml +++ b/kibana/handlers/main.yml @@ -1,6 +1,6 @@ --- - name: restart kibana - systemd: + ansible.builtin.systemd: name: kibana state: restarted diff --git a/kibana/tasks/apt_sources.yml b/kibana/tasks/apt_sources.yml index d6597c74..a0395ffe 100644 --- a/kibana/tasks/apt_sources.yml +++ b/kibana/tasks/apt_sources.yml @@ -31,6 +31,6 @@ when: ansible_distribution_major_version is version('12', '>=') - name: Update APT cache - apt: + ansible.builtin.apt: update_cache: yes when: elastic_sources is changed \ No newline at end of file diff --git a/kibana/tasks/main.yml b/kibana/tasks/main.yml index 176af2d3..bcfb852a 100644 --- a/kibana/tasks/main.yml +++ b/kibana/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: APT sources - import_tasks: apt_sources.yml + ansible.builtin.import_tasks: apt_sources.yml args: apply: tags: @@ -8,7 +8,7 @@ - packages - name: Kibana is installed - apt: + ansible.builtin.apt: name: kibana state: present update_cache: yes @@ -17,7 +17,7 @@ - packages - name: kibana server host configuration - lineinfile: + ansible.builtin.lineinfile: dest: /etc/kibana/kibana.yml line: "server.host: \"{{ kibana_server_host }}\"" regexp: '^server.host:' @@ -27,7 +27,7 @@ - kibana - name: kibana server basepath configuration - lineinfile: + ansible.builtin.lineinfile: dest: /etc/kibana/kibana.yml line: "server.basePath: \"{{ kibana_server_basepath }}\"" regexp: '^server.basePath:' @@ -37,7 +37,7 @@ - kibana - name: kibana log destination is present - file: + ansible.builtin.file: dest: /var/log/kibana owner: kibana group: kibana 
@@ -47,7 +47,7 @@ - kibana - name: kibana log messages go to custom file - lineinfile: + ansible.builtin.lineinfile: dest: /etc/kibana/kibana.yml line: "logging.dest: \"/var/log/kibana/kibana.log\"" regexp: '^logging.dest:' @@ -57,7 +57,7 @@ - kibana - name: Kibana service is enabled and started - systemd: + ansible.builtin.systemd: name: kibana enabled: yes state: started @@ -65,7 +65,7 @@ - kibana - name: Logrotate configuration is enabled - copy: + ansible.builtin.copy: src: logrotate dest: /etc/logrotate.d/kibana mode: "0644" @@ -94,7 +94,7 @@ # - optimize # - data -- include: proxy_nginx.yml +- ansible.builtin.include: proxy_nginx.yml when: kibana_proxy_nginx | bool tags: - kibana diff --git a/kibana/tasks/proxy_nginx.yml b/kibana/tasks/proxy_nginx.yml index 5849fdd6..7b680284 100644 --- a/kibana/tasks/proxy_nginx.yml +++ b/kibana/tasks/proxy_nginx.yml @@ -1,13 +1,13 @@ --- - name: Example proxy for Kibana with Nginx (with SSL) - template: + ansible.builtin.template: src: nginx_proxy_kibana_ssl.j2 dest: /etc/nginx/sites-available/kibana_ssl.conf force: no - name: Example proxy for Kibana with Nginx (without SSL) - template: + ansible.builtin.template: src: nginx_proxy_kibana_nossl.j2 dest: /etc/nginx/sites-available/kibana_nossl.conf force: no diff --git a/kvm-host/handlers/main.yml b/kvm-host/handlers/main.yml index 0b7f394e..5ca5295a 100644 --- a/kvm-host/handlers/main.yml +++ b/kvm-host/handlers/main.yml @@ -1,5 +1,5 @@ --- - name: restart munin-node - service: + ansible.builtin.service: name: munin-node state: restarted diff --git a/kvm-host/tasks/images.yml b/kvm-host/tasks/images.yml index b9ec57a8..9e8a7670 100644 --- a/kvm-host/tasks/images.yml +++ b/kvm-host/tasks/images.yml 
@@ -3,13 +3,13 @@ - name: Set images path when customized block: - name: "Is {{ kvm_custom_libvirt_images_path }} present ?" - stat: + ansible.builtin.stat: path: "{{ kvm_custom_libvirt_images_path }}" check_mode: no register: kvm_custom_libvirt_images_path_test - name: "read the real datadir" - command: readlink -f /var/lib/libvirt/images + ansible.builtin.command: readlink -f /var/lib/libvirt/images changed_when: False check_mode: no register: kvm_libvirt_images_current_real_path_test @@ -18,19 +18,19 @@ - name: Images directory is moved to custom path block: - name: "Move libvirt images to {{ kvm_custom_libvirt_images_path }}" - command: mv /var/lib/libvirt/images {{ kvm_custom_libvirt_images_path }} + ansible.builtin.command: mv /var/lib/libvirt/images {{ kvm_custom_libvirt_images_path }} args: creates: "{{ kvm_custom_libvirt_images_path }}" - name: Fix owner/group/permissions - file: + ansible.builtin.file: path: "{{ kvm_custom_libvirt_images_path }}" owner: root group: libvirt mode: "02775" - name: "Symlink {{ kvm_custom_libvirt_images_path }} to /var/lib/libvirt/images" - file: + ansible.builtin.file: src: "{{ kvm_custom_libvirt_images_path }}" dest: '/var/lib/libvirt/images' state: link diff --git a/kvm-host/tasks/main.yml b/kvm-host/tasks/main.yml index a2f6953c..c6004b7b 100644 --- a/kvm-host/tasks/main.yml +++ b/kvm-host/tasks/main.yml @@ -1,16 +1,16 @@ --- -- include_role: +- ansible.builtin.include_role: name: evolix/drbd when: kvm_install_drbd ## TODO: check why it's disabled -- include: ssh.yml +- ansible.builtin.include: ssh.yml -- include: packages.yml +- ansible.builtin.include: packages.yml -- include: munin.yml +- ansible.builtin.include: munin.yml -- include: images.yml +- ansible.builtin.include: images.yml -- include: tools.yml +- ansible.builtin.include: tools.yml diff --git a/kvm-host/tasks/munin.yml b/kvm-host/tasks/munin.yml index d16bcfd9..45edc8d6 100644 --- a/kvm-host/tasks/munin.yml +++ b/kvm-host/tasks/munin.yml 
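Review bot: `kvm_custom_libvirt_images_path` is interpolated unquoted into `ansible.builtin.command: mv /var/lib/libvirt/images {{ kvm_custom_libvirt_images_path }}`, so a value containing whitespace is split into extra arguments and `mv` relocates the images directory somewhere other than intended. The variable is inventory-controlled, so the risk is operator error rather than injection, but the fix is one filter: `ansible.builtin.command: mv /var/lib/libvirt/images {{ kvm_custom_libvirt_images_path | quote }}`. The `creates:` guard under `args:` is a plain YAML string and is unaffected.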
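Review bot: kvm-host/tasks/main.yml now spells the task includes as `ansible.builtin.include:`, but `include` has been deprecated since Ansible 2.4 and is removed in ansible-core 2.16, so the FQCN form will start failing outright on a current controller. Each of these lines should become `ansible.builtin.import_tasks: ssh.yml` (static, matching what `include` did for files without loops/conditions) or `ansible.builtin.include_tasks:` where dynamic behaviour is wanted. The same `ansible.builtin.include` appears in the kibana, ldap, logstash, lxc-php and lxc-solr hunks of this commit.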
@@ -1,22 +1,22 @@ --- -- include_role: +- ansible.builtin.include_role: name: remount-usr - name: Create local munin directory - file: + ansible.builtin.file: name: /usr/local/share/munin/ state: directory mode: "0755" - name: Create plugin directory - file: + ansible.builtin.file: name: /usr/local/share/munin/plugins/ state: directory mode: "0755" - name: Get Munin plugins - get_url: + ansible.builtin.get_url: url: "https://raw.githubusercontent.com/munin-monitoring/contrib/master/plugins/libvirt/{{ item }}" dest: "/usr/local/share/munin/plugins/" mode: "0755" @@ -28,7 +28,7 @@ notify: restart munin-node - name: Enable Munin plugins - file: + ansible.builtin.file: src: "/usr/local/share/munin/plugins/{{ plugin_name }}" dest: "/etc/munin/plugins/{{ plugin_name }}" state: link @@ -42,7 +42,7 @@ notify: restart munin-node - name: Copy Munin plugins conf - copy: + ansible.builtin.copy: src: files/munin-plugins dest: "/etc/munin/plugin-conf.d/kvm" mode: "0644" diff --git a/kvm-host/tasks/packages.yml b/kvm-host/tasks/packages.yml index 1b58b324..12e7897e 100644 --- a/kvm-host/tasks/packages.yml +++ b/kvm-host/tasks/packages.yml @@ -1,7 +1,7 @@ --- - name: Install packages for kvm/libvirt - apt: + ansible.builtin.apt: name: - qemu-kvm - netcat-openbsd @@ -14,7 +14,7 @@ state: present - name: Install packages for kvmstats - apt: + ansible.builtin.apt: name: - dialog - html-xml-utils diff --git a/kvm-host/tasks/ssh.yml b/kvm-host/tasks/ssh.yml index d954bc06..9ce09eb7 100644 --- a/kvm-host/tasks/ssh.yml +++ b/kvm-host/tasks/ssh.yml @@ -1,18 +1,19 @@ --- - name: Generate root ssh_key - user: + ansible.builtin.user: name: root generate_ssh_key: yes ssh_key_bits: 2048 - name: Fetch ssh public keys - command: cat /root/.ssh/id_rsa.pub + ansible.builtin.command: + cmd: cat /root/.ssh/id_rsa.pub register: ssh_keys check_mode: no changed_when: False - name: Print ssh public keys - debug: + ansible.builtin.debug: msg: "{{ ssh_keys.stdout }}" #- name: Autorize other kvm ssh key 
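Review bot: `Get Munin plugins` downloads executables from `https://raw.githubusercontent.com/munin-monitoring/contrib/master/plugins/libvirt/{{ item }}` and installs them `0755` with no `checksum:`, so whatever sits at the tip of `master` at run time (or whatever a compromised upstream/CDN serves) becomes code executed by munin-node on every KVM host. Pin and verify: replace `master` in the URL with a fixed commit hash and add `checksum: "sha256:{{ item.sha256 }}"` with per-plugin digests, or vendor the scripts into the role's `files/` and deploy them with `ansible.builtin.copy`. The `loop` items and `notify` are outside the hunk, so the item shape would need adjusting there.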
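Review bot: `Generate root ssh_key` still produces an RSA key with `ssh_key_bits: 2048`, and the next task reads `/root/.ssh/id_rsa.pub`; the FQCN pass left the key type untouched. For new hosts an Ed25519 key is the better default on any OpenSSH since 6.5: `ssh_key_type: ed25519` on the `ansible.builtin.user` task and `cmd: cat /root/.ssh/id_ed25519.pub` in the fetch task. Existing hosts would keep their RSA key, and the authorized_keys sync commented out below the hunk would have to accept both names, so this is a role-level decision rather than a drop-in change.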
@@ -28,7 +29,7 @@ # when: item[1] != inventory_hostname - name: Crontab for sync libvirt xml file - cron: + ansible.builtin.cron: name: "sync libvirt xml on {{ kvm_pair }}" state: present special_time: "hourly" @@ -42,7 +43,7 @@ tags: crontab - name: Crontab for sync list of running vm - cron: + ansible.builtin.cron: name: "sync list of libvirt running vm on {{ kvm_pair }}" state: present special_time: "daily" diff --git a/kvm-host/tasks/tools.yml b/kvm-host/tasks/tools.yml index 1e114bb7..7931f541 100644 --- a/kvm-host/tasks/tools.yml +++ b/kvm-host/tasks/tools.yml @@ -1,17 +1,17 @@ --- - name: remove old package - apt: + ansible.builtin.apt: name: kvm-tools purge: yes state: absent -- include_role: +- ansible.builtin.include_role: name: remount-usr when: kvm_scripts_dir is search("/usr") - name: add-vm script is present - copy: + ansible.builtin.copy: src: add-vm.sh dest: "{{ kvm_scripts_dir }}/add-vm" mode: "0700" @@ -20,7 +20,7 @@ force: yes - name: migrate-vm script is present - copy: + ansible.builtin.copy: src: migrate-vm.sh dest: "{{ kvm_scripts_dir }}/migrate-vm" mode: "0700" @@ -29,7 +29,7 @@ force: yes - name: kvmstats script is present - copy: + ansible.builtin.copy: src: kvmstats.sh dest: "{{ kvm_scripts_dir }}/kvmstats" mode: "0700" @@ -38,7 +38,7 @@ force: yes - name: kvmstats cron is present - template: + ansible.builtin.template: src: kvmstats.cron.j2 dest: "/etc/cron.hourly/kvmstats" mode: "0755" @@ -46,7 +46,7 @@ group: root - name: entry for kvmstats in web page is present - lineinfile: + ansible.builtin.lineinfile: dest: /var/www/index.html insertbefore: '' line: '
  • kvmstats
  • ' @@ -55,13 +55,13 @@ # backward compatibility - name: remove old migrate-vm script - file: + ansible.builtin.file: path: /usr/share/scripts/migrate-vm state: absent when: "'/usr/share/scripts' not in kvm_scripts_dir" - name: remove old kvmstats script - file: + ansible.builtin.file: path: /usr/share/scripts/kvmstats state: absent when: "'/usr/share/scripts' not in kvm_scripts_dir" \ No newline at end of file diff --git a/ldap/handlers/main.yml b/ldap/handlers/main.yml index 2105f4b5..5735515b 100644 --- a/ldap/handlers/main.yml +++ b/ldap/handlers/main.yml @@ -1,5 +1,5 @@ --- - name: restart slapd - service: + ansible.builtin.service: name: slapd state: restarted diff --git a/ldap/tasks/init.yml b/ldap/tasks/init.yml index 16be0842..0ab85f18 100644 --- a/ldap/tasks/init.yml +++ b/ldap/tasks/init.yml @@ -1,32 +1,35 @@ --- - name: upload ldap initial config - template: + ansible.builtin.template: src: config_ldapvi.j2 dest: /root/evolinux_ldap_config.ldapvi mode: "0640" - name: upload ldap initial entries - template: + ansible.builtin.template: src: first-entries.ldif.j2 dest: /root/evolinux_ldap_first-entries.ldif mode: "0640" - name: inject config - command: ldapvi -Y EXTERNAL -h ldapi:// --ldapmodify /root/evolinux_ldap_config.ldapvi + ansible.builtin.command: + cmd: ldapvi -Y EXTERNAL -h ldapi:// --ldapmodify /root/evolinux_ldap_config.ldapvi environment: TERM: xterm - name: inject first entries - command: slapadd -l /root/evolinux_ldap_first-entries.ldif + ansible.builtin.command: + cmd: slapadd -l /root/evolinux_ldap_first-entries.ldif - name: upload custom schema - copy: + ansible.builtin.copy: src: "{{ ldap_schema }}" dest: "/root/{{ ldap_schema }}" mode: "0640" when: ldap_schema is defined - name: inject custom schema - command: "ldapadd -Y EXTERNAL -H ldapi:/// -f /root/{{ ldap_schema }}" + ansible.builtin.command: + cmd: "ldapadd -Y EXTERNAL -H ldapi:/// -f /root/{{ ldap_schema }}" when: ldap_schema is defined \ No newline at end of file 
diff --git a/ldap/tasks/ldapvirc.yml b/ldap/tasks/ldapvirc.yml index f44249d6..568ad60a 100644 --- a/ldap/tasks/ldapvirc.yml +++ b/ldap/tasks/ldapvirc.yml @@ -1,13 +1,13 @@ --- - name: "Is /root/.ldapvirc present ?" - stat: + ansible.builtin.stat: path: /root/.ldapvirc check_mode: no register: root_ldapvirc_path - name: Warning when ldapvirc file is present and ldap_admin_password is given - debug: + ansible.builtin.debug: msg: "WARNING: an LDAP admin password is given, but an ldapvirc file already exists. It will not be updated." when: - ldap_admin_password | length > 0 @@ -15,13 +15,14 @@ # Generate ldap password if none is given and ldapvirc is absent - name: apg package is installed - apt: + ansible.builtin.apt: name: apg state: present when: not root_ldapvirc_path.stat.exists - name: create a password for cn=admin - command: "apg -n 1 -m 16 -M lcN" + ansible.builtin.command: + cmd: "apg -n 1 -m 16 -M lcN" register: new_ldap_admin_password changed_when: False when: @@ -30,20 +31,21 @@ # Use the generated password or the one found in the file - name: overwrite ldap_admin_password - set_fact: + ansible.builtin.set_fact: ldap_admin_password: "{{ new_ldap_admin_password.stdout }}" when: - ldap_admin_password | length == 0 - not root_ldapvirc_path.stat.exists - name: hash password for cn=admin - command: "slappasswd -s {{ ldap_admin_password }}" + ansible.builtin.command: + cmd: "slappasswd -s {{ ldap_admin_password }}" register: ldap_admin_password_ssha changed_when: False when: not root_ldapvirc_path.stat.exists - name: create ldapvirc config - template: + ansible.builtin.template: src: ldapvirc.j2 dest: /root/.ldapvirc mode: "0640" 
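Review bot: `hash password for cn=admin` runs `slappasswd -s {{ ldap_admin_password }}`, putting the clear-text admin password on the command line where any local user can read it from `ps`/`/proc/*/cmdline`, and the task has no `no_log: true`, so the value is also printed in verbose Ansible output and shipped to any log collector. `slappasswd -T <file>` hashes the contents of a file, so a safer shape is to write the secret with `ansible.builtin.copy` (`mode: "0600"`, `no_log: true`) and run `cmd: slappasswd -T /root/.ldap_admin_pw` against it, then remove the file. At minimum, `no_log: true` belongs on this task and on the `create a password for cn=admin` and `overwrite ldap_admin_password` tasks, all of which carry the same value in their results.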
@@ -51,12 +53,13 @@ # Read ldap password when none is given and ldapvirc is present - name: read ldap admin password from ldapvirc file - shell: "grep -E '^password: .+$' /root/.ldapvirc | awk '{print $2}'" + ansible.builtin.shell: + cmd: "grep -E '^password: .+$' /root/.ldapvirc | awk '{print $2}'" changed_when: False check_mode: no register: new_ldap_admin_password # Use the password found in the file - name: overwrite ldap_admin_password - set_fact: + ansible.builtin.set_fact: ldap_admin_password: "{{ new_ldap_admin_password.stdout }}" diff --git a/ldap/tasks/main.yml b/ldap/tasks/main.yml index 9bfb6517..ca89b997 100644 --- a/ldap/tasks/main.yml +++ b/ldap/tasks/main.yml @@ -1,5 +1,5 @@ - name: LDAP packages are installed - apt: + ansible.builtin.apt: name: - slapd - ldap-utils @@ -9,18 +9,18 @@ update_cache: yes - name: change slapd listen ip:port - lineinfile: + ansible.builtin.lineinfile: dest: /etc/default/slapd regexp: 'SLAPD_SERVICES=.*' line: "SLAPD_SERVICES=\"{{ ldap_listen }}\"" notify: restart slapd - name: ldapvirc file - include: ldapvirc.yml + ansible.builtin.include: ldapvirc.yml - name: nagios config file for LDAP - include: nagios.yml + ansible.builtin.include: nagios.yml - name: initialize database - include: init.yml + ansible.builtin.include: init.yml when: not root_ldapvirc_path.stat.exists \ No newline at end of file diff --git a/ldap/tasks/nagios.yml b/ldap/tasks/nagios.yml index 0c92f7b3..58120baa 100644 --- a/ldap/tasks/nagios.yml +++ b/ldap/tasks/nagios.yml @@ -1,13 +1,13 @@ --- - name: "Is /etc/nagios/monitoring-plugins.ini present ?" - stat: + ansible.builtin.stat: path: /etc/nagios/monitoring-plugins.ini check_mode: no register: nagios_monitoring_plugins_path - name: Warning when nagios config is present and ldap_nagios_password is given - debug: + ansible.builtin.debug: msg: "WARNING: an LDAP nagios password is given, but a nagios config already exists. It will not be updated." when: - ldap_nagios_password | length > 0 
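Review bot: `read ldap admin password from ldapvirc file` extracts the secret with `grep -E '^password: .+$' /root/.ldapvirc | awk '{print $2}'`, so an operator-supplied password containing a space is silently truncated to its first word before being written back into `ldap_admin_password` (the apg-generated values cannot contain spaces, so this only bites user-provided ones). The task also registers the clear-text password without `no_log: true`, and the following `set_fact` echoes it again. I would use `cmd: "sed -n 's/^password: //p' /root/.ldapvirc"` to keep the whole value and add `no_log: true` to both tasks.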
@@ -15,7 +15,7 @@ # Generate ldap password if none is given and nagios config is absent - name: apg package is installed - apt: + ansible.builtin.apt: name: apg state: present when: @@ -23,7 +23,8 @@ - not nagios_monitoring_plugins_path.stat.exists - name: create a password for cn=admin - command: "apg -n 1 -m 16 -M lcN" + ansible.builtin.command: + cmd: "apg -n 1 -m 16 -M lcN" register: new_ldap_nagios_password changed_when: False when: @@ -32,14 +33,14 @@ # Use the generated password or the one found in the file - name: overwrite ldap_nagios_password (from apg) - set_fact: + ansible.builtin.set_fact: ldap_nagios_password: "{{ new_ldap_nagios_password.stdout }}" when: - ldap_nagios_password | length == 0 - not nagios_monitoring_plugins_path.stat.exists - name: set params for NRPE check - ini_file: + community.general.ini_file: dest: /etc/nagios/monitoring-plugins.ini owner: root group: nagios @@ -57,7 +58,7 @@ # Read ldap password when none is given and nagios config is present # We can't parse a remote file, so we have to fetch it first - name: Fetch /etc/nagios/monitoring-plugins.ini - fetch: + ansible.builtin.fetch: src: /etc/nagios/monitoring-plugins.ini dest: /tmp/{{ inventory_hostname }}/ flat: yes @@ -65,10 +66,11 @@ # Then web can parse it with the 'ini' lookup # and set the variable - name: overwrite ldap_nagios_password (from file) - set_fact: + ansible.builtin.set_fact: ldap_nagios_password: "{{ lookup('ini', 'pass section=check_ldap file=/tmp/{{ inventory_hostname }}/monitoring-plugins.ini') }}" - name: hash password for cn=nagios - command: "slappasswd -s {{ ldap_nagios_password }}" + ansible.builtin.command: + cmd: "slappasswd -s {{ ldap_nagios_password }}" register: ldap_nagios_password_ssha changed_when: False \ No newline at end of file diff --git a/listupgrade/tasks/main.yml b/listupgrade/tasks/main.yml index 42864806..cc5b99aa 100644 --- a/listupgrade/tasks/main.yml +++ b/listupgrade/tasks/main.yml 
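Review bot: `Fetch /etc/nagios/monitoring-plugins.ini` copies a file containing the LDAP nagios password onto the controller at `/tmp/{{ inventory_hostname }}/`, a world-readable shared directory that outlives the play, so on a shared control host every local user can read the credential afterwards. Parsing on the target avoids the round trip entirely: `ansible.builtin.slurp` the file and derive the value with `b64decode` and `regex_search` in the `set_fact` that follows. If the fetch is kept, it should land in a private per-run directory created `0700` and be deleted once `ldap_nagios_password` is set, and the consuming `set_fact` in the next hunk needs `no_log: true`.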
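Review bot: `hash password for cn=nagios` passes the clear-text password as an argument, `slappasswd -s {{ ldap_nagios_password }}`, exposing it to every local user through the process list and, without `no_log: true`, to Ansible output and logs. Feed it from a `0600` file with `slappasswd -T`, or at least add `no_log: true` here and on both `overwrite ldap_nagios_password` tasks and the apg task that generate or carry the value. Separately, the apg task in the `@@ -23,7` hunk above is still named `create a password for cn=admin`, a copy-paste from ldapvirc.yml that should read `cn=nagios`.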
@@ -1,10 +1,10 @@ --- -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: Scripts dir is present - file: + ansible.builtin.file: path: "/usr/share/scripts" state: directory owner: root @@ -12,7 +12,7 @@ mode: "0700" - name: Copy listupgrade script - copy: + ansible.builtin.copy: src: listupgrade.sh dest: "/usr/share/scripts/listupgrade.sh" mode: "0700" @@ -21,7 +21,7 @@ force: yes - name: Create /etc/evolinux - file: + ansible.builtin.file: path: /etc/evolinux state: directory owner: root @@ -29,7 +29,7 @@ mode: "0700" - name: Copy listupgrade config - template: + ansible.builtin.template: src: listupgrade.cnf.j2 dest: /etc/evolinux/listupgrade.cnf mode: "0600" @@ -38,7 +38,7 @@ force: no - name: Cron.d is present - file: + ansible.builtin.file: path: "/etc/cron.d" state: directory mode: "0755" @@ -46,7 +46,7 @@ group: root - name: Enable listupgrade cron - cron: + ansible.builtin.cron: name: "listupgrade.sh" cron_file: "listupgrade" user: root @@ -59,13 +59,13 @@ state: "{{ listupgrade_cron_enabled | bool | ternary('present','absent') }}" - name: Remove old lisupgrade typo - cron: + ansible.builtin.cron: name: "lisupgrade.sh" cron_file: "listupgrade" state: absent - name: old-kernel-autoremoval script is present - copy: + ansible.builtin.copy: src: old-kernel-autoremoval.sh dest: /usr/share/scripts/old-kernel-autoremoval.sh mode: "0755" diff --git a/logstash/handlers/main.yml b/logstash/handlers/main.yml index 82021675..b38c949e 100644 --- a/logstash/handlers/main.yml +++ b/logstash/handlers/main.yml @@ -1,11 +1,11 @@ --- - name: restart logstash - systemd: + ansible.builtin.systemd: name: logstash state: restarted daemon_reload: yes - name: reload systemd - systemd: + ansible.builtin.systemd: daemon-reload: yes \ No newline at end of file diff --git a/logstash/tasks/apt_sources.yml b/logstash/tasks/apt_sources.yml index d6597c74..a0395ffe 100644 --- a/logstash/tasks/apt_sources.yml +++ b/logstash/tasks/apt_sources.yml 
@@ -31,6 +31,6 @@ when: ansible_distribution_major_version is version('12', '>=') - name: Update APT cache - apt: + ansible.builtin.apt: update_cache: yes when: elastic_sources is changed \ No newline at end of file diff --git a/logstash/tasks/logs.yml b/logstash/tasks/logs.yml index b09ebaf2..8262ce29 100644 --- a/logstash/tasks/logs.yml +++ b/logstash/tasks/logs.yml @@ -1,7 +1,7 @@ --- - name: Check if cron is installed - shell: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'" - args: + ansible.builtin.shell: + cmd: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'" executable: /bin/bash check_mode: no failed_when: False @@ -9,7 +9,7 @@ register: is_cron_installed - name: "log rotation script" - template: + ansible.builtin.template: src: rotate_logstash_logs.j2 dest: /etc/cron.daily/rotate_logstash_logs owner: root @@ -18,12 +18,12 @@ when: is_cron_installed.rc == 0 - name: "Create a system config directory for systemd overrides" - file: + ansible.builtin.file: path: /etc/systemd/system/logstash.service.d state: directory - name: "disable syslog" - ini_file: + community.general.ini_file: path: /etc/systemd/system/logstash.service.d/override.conf section: Service option: "{{ item.option }}" diff --git a/logstash/tasks/main.yml b/logstash/tasks/main.yml index 11b0a0bf..4f3b8da7 100644 --- a/logstash/tasks/main.yml +++ b/logstash/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: APT sources - import_tasks: apt_sources.yml + ansible.builtin.import_tasks: apt_sources.yml args: apply: tags: @@ -8,7 +8,7 @@ - packages - name: Logstash is installed - apt: + ansible.builtin.apt: name: logstash state: present tags: @@ -16,14 +16,14 @@ - packages - name: Logstash service is enabled - systemd: + ansible.builtin.systemd: name: logstash enabled: yes tags: - logstash - name: JVM Heap size (min) is set - lineinfile: + ansible.builtin.lineinfile: dest: /etc/logstash/jvm.options regexp: "^-Xms" line: "-Xms{{ logstash_jvm_xms }}" 
@@ -32,7 +32,7 @@ - config - name: JVM Heap size (max) is set - lineinfile: + ansible.builtin.lineinfile: dest: /etc/logstash/jvm.options regexp: "^-Xmx" line: "-Xmx{{ logstash_jvm_xmx }}" @@ -41,7 +41,7 @@ - config - name: Add a configuration - template: + ansible.builtin.template: src: "{{ item }}" dest: /etc/logstash/conf.d/logstash.conf owner: logstash @@ -60,10 +60,10 @@ - logstash - config -- debug: +- ansible.builtin.debug: var: logstash_template verbosity: 1 -- include: logs.yml +- ansible.builtin.include: logs.yml -- include: tmpdir.yml +- ansible.builtin.include: tmpdir.yml diff --git a/logstash/tasks/tmpdir.yml b/logstash/tasks/tmpdir.yml index e41b1205..ab054d34 100644 --- a/logstash/tasks/tmpdir.yml +++ b/logstash/tasks/tmpdir.yml @@ -1,18 +1,19 @@ --- - name: Check if /tmp is noexec - shell: "cat /etc/fstab | grep -E \" +/tmp\" | grep noexec" + ansible.builtin.shell: + cmd: "cat /etc/fstab | grep -E \" +/tmp\" | grep noexec" register: fstab_tmp_noexec failed_when: False changed_when: False check_mode: no - block: - - set_fact: + - ansible.builtin.set_fact: _logstash_custom_tmpdir: "{{ logstash_custom_tmpdir | default(logstash_default_tmpdir, True) | mandatory }}" - name: "Create {{ _logstash_custom_tmpdir }}" - file: + ansible.builtin.file: path: "{{ _logstash_custom_tmpdir }}" owner: logstash group: logstash @@ -22,7 +23,7 @@ - logstash - name: change JVM tmpdir - lineinfile: + ansible.builtin.lineinfile: dest: /etc/logstash/jvm.options line: "-Djava.io.tmpdir={{ _logstash_custom_tmpdir }}" regexp: "^-Djava.io.tmpdir=" diff --git a/lxc-php/handlers/main.yml b/lxc-php/handlers/main.yml index 0beaa055..1a2d7a6e 100644 --- a/lxc-php/handlers/main.yml +++ b/lxc-php/handlers/main.yml 
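Review bot: `Check if /tmp is noexec` decides from `cat /etc/fstab | grep -E " +/tmp" | grep noexec`, i.e. from the declared mount rather than the live one: a `/tmp` mounted by a systemd `tmp.mount` unit, or an fstab entry that is not currently mounted, yields the wrong answer and Logstash's JVM either keeps a tmpdir it cannot execute from or gets a custom one it did not need. `cmd: findmnt -no OPTIONS --target /tmp | grep -qw noexec` reflects the real mount (and drops the `cat |` pipeline), or the `ansible_mounts` fact can be filtered without a shell at all. The `block` consuming `fstab_tmp_noexec` continues past the end of the hunk, so its `when:` is not visible here.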
@@ -1,57 +1,57 @@ --- - name: Reload PHP-FPM - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "systemctl reload {{ lxc_php_services[lxc_php_version] }}" - name: Restart PHP-FPM - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "systemctl restart {{ lxc_php_services[lxc_php_version] }}" - name: Reload php81-fpm - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "systemctl reload php8.1-fpm" - name: Reload php80-fpm - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "systemctl reload php8.0-fpm" - name: Reload php74-fpm - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "systemctl reload php7.4-fpm" - name: Reload php73-fpm - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "systemctl reload php7.3-fpm" - name: Reload php70-fpm - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "systemctl reload php7.0-fpm" - name: Reload php56-fpm - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "systemctl reload php5-fpm" - name: Restart opensmtpd - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "systemctl restart opensmtpd" - name: Daemon reload - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "systemctl daemon-reload" - name: Restart container - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" state: restarted diff --git a/lxc-php/tasks/mail_opensmtpd.yml b/lxc-php/tasks/mail_opensmtpd.yml index 02f36728..35d0e75b 100644 --- a/lxc-php/tasks/mail_opensmtpd.yml +++ b/lxc-php/tasks/mail_opensmtpd.yml 
@@ -1,12 +1,12 @@ --- - name: "{{ lxc_php_version }} - Install opensmtpd" - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "DEBIAN_FRONTEND=noninteractive apt install --no-install-recommends -y opensmtpd" - name: "{{ lxc_php_version }} - Configure opensmtpd (in the container)" - template: + ansible.builtin.template: src: smtpd.conf.j2 dest: "{{ lxc_rootfs }}/etc/smtpd.conf" mode: "0644" @@ -15,7 +15,7 @@ - name: "{{ lxc_php_version }} - Configure opensmtpd (in the container)" - template: + ansible.builtin.template: src: smtpd.conf.bullseye.j2 dest: "{{ lxc_rootfs }}/etc/smtpd.conf" mode: "0644" diff --git a/lxc-php/tasks/mail_ssmtp.yml b/lxc-php/tasks/mail_ssmtp.yml index f14cfe57..b57d5d77 100644 --- a/lxc-php/tasks/mail_ssmtp.yml +++ b/lxc-php/tasks/mail_ssmtp.yml @@ -1,12 +1,12 @@ --- - name: "{{ lxc_php_version }} - Install ssmtp" - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "DEBIAN_FRONTEND=noninteractive apt install --no-install-recommends -y ssmtp " - name: "{{ lxc_php_version }} - Configure ssmtp" - template: + ansible.builtin.template: src: ssmtp.conf.j2 dest: "{{ lxc_rootfs }}/etc/ssmtp/ssmtp.conf" mode: "0644" diff --git a/lxc-php/tasks/main.yml b/lxc-php/tasks/main.yml index a1e91431..c3d58eba 100644 --- a/lxc-php/tasks/main.yml +++ b/lxc-php/tasks/main.yml @@ -5,7 +5,7 @@ when: lxc_php_version is none -- include_role: +- ansible.builtin.include_role: name: evolix/lxc vars: lxc_containers: diff --git a/lxc-php/tasks/misc.yml b/lxc-php/tasks/misc.yml index 22598ee0..248aa8e2 100644 --- a/lxc-php/tasks/misc.yml +++ b/lxc-php/tasks/misc.yml 
@@ -1,30 +1,30 @@ --- - name: "{{ lxc_php_version }} - Configure timezone for the container" - copy: + ansible.builtin.copy: remote_src: yes src: "/etc/timezone" dest: "{{ lxc_rootfs }}/etc/timezone" - name: "{{ lxc_php_version }} - Ensure container's root directory is 755" - file: + ansible.builtin.file: path: "{{ lxc_rootfs }}" state: directory mode: '0755' - name: "{{ lxc_php_version }} - Configure mailname for the container" - copy: + ansible.builtin.copy: content: "{{ evolinux_hostname }}.{{ evolinux_domain }}\n" dest: "{{ lxc_rootfs }}/etc/mailname" notify: "Restart opensmtpd" - name: "{{ lxc_php_version }} - Install misc packages" - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y cron logrotate git zip unzip" - name: "{{ lxc_php_version }} - Add MySQL socket to container default mounts" - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_config: - "lxc.mount.entry = /run/mysqld {{ php_conf_mysql_socket_dir | replace('/', '', 1) }} none bind,create=dir 0 0" diff --git a/lxc-php/tasks/php56.yml b/lxc-php/tasks/php56.yml index b0f376d8..d210d80b 100644 --- a/lxc-php/tasks/php56.yml +++ b/lxc-php/tasks/php56.yml @@ -1,12 +1,12 @@ --- - name: "{{ lxc_php_version }} - Install PHP packages" - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php5-fpm php5-cli php5-gd php5-imap php5-ldap php5-mcrypt php5-mysql php5-pgsql php5-sqlite php-gettext php5-intl php5-curl php5-ssh2 libphp-phpmailer" - name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" - template: + ansible.builtin.template: src: z-evolinux-defaults.ini.j2 dest: "{{ line_item }}" mode: "0644" @@ -17,4 +17,4 @@ loop_control: loop_var: line_item -- include: "mail_ssmtp.yml" +- ansible.builtin.include: "mail_ssmtp.yml" 
diff --git a/lxc-php/tasks/php70.yml b/lxc-php/tasks/php70.yml index 18523846..52c96883 100644 --- a/lxc-php/tasks/php70.yml +++ b/lxc-php/tasks/php70.yml @@ -1,12 +1,12 @@ --- - name: "{{ lxc_php_version }} - Install PHP packages" - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mcrypt php-mysql php-pgsql php-sqlite3 php-gettext php-curl php-ssh2 php-zip php-mbstring composer libphp-phpmailer" - name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" - template: + ansible.builtin.template: src: z-evolinux-defaults.ini.j2 dest: "{{ line_item }}" mode: "0644" @@ -17,4 +17,4 @@ loop_control: loop_var: line_item -- include: "mail_opensmtpd.yml" +- ansible.builtin.include: "mail_opensmtpd.yml" diff --git a/lxc-php/tasks/php73.yml b/lxc-php/tasks/php73.yml index 4bb037e7..ade67b97 100644 --- a/lxc-php/tasks/php73.yml +++ b/lxc-php/tasks/php73.yml @@ -1,12 +1,12 @@ --- - name: "{{ lxc_php_version }} - Install PHP packages" - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-gettext php-curl php-ssh2 php-zip php-mbstring php-zip composer libphp-phpmailer" - name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" - template: + ansible.builtin.template: src: z-evolinux-defaults.ini.j2 dest: "{{ line_item }}" mode: "0644" @@ -17,4 +17,4 @@ loop_control: loop_var: line_item -- include: "mail_opensmtpd.yml" +- ansible.builtin.include: "mail_opensmtpd.yml" diff --git a/lxc-php/tasks/php74.yml b/lxc-php/tasks/php74.yml index 65660f92..f1dd021a 100644 --- a/lxc-php/tasks/php74.yml +++ b/lxc-php/tasks/php74.yml 
@@ -1,18 +1,18 @@ --- - name: "{{ lxc_php_version }} - Install PHP packages" - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer" - name: "{{ lxc_php_version }} - fix bullseye repository" - replace: + ansible.builtin.replace: dest: "{{ lxc_rootfs }}/etc/apt/sources.list" regexp: 'bullseye/updates' replace: 'bullseye-security' - name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" - template: + ansible.builtin.template: src: z-evolinux-defaults.ini.j2 dest: "{{ line_item }}" mode: "0644" @@ -23,4 +23,4 @@ loop_control: loop_var: line_item -- include: "mail_opensmtpd.yml" +- ansible.builtin.include: "mail_opensmtpd.yml" diff --git a/lxc-php/tasks/php80.yml b/lxc-php/tasks/php80.yml index 0e9d29a6..043c0174 100644 --- a/lxc-php/tasks/php80.yml +++ b/lxc-php/tasks/php80.yml @@ -6,18 +6,18 @@ - name: "{{ lxc_php_version }} - Install dependency packages" - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg" - name: "{{ lxc_php_version }} - fix bullseye repository" - replace: + ansible.builtin.replace: dest: "{{ lxc_rootfs }}/etc/apt/sources.list" regexp: 'bullseye/updates' replace: 'bullseye-security' - name: "{{ lxc_php_version }} - Add sury repo" - lineinfile: + ansible.builtin.lineinfile: dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/sury.list" line: "{{ item }}" state: present @@ -28,7 +28,7 @@ - "deb [signed-by={{ lxc_apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix bullseye-php80 main" - name: copy pub.evolix.net GPG key - copy: + ansible.builtin.copy: src: pub_evolix.asc dest: "{{ lxc_rootfs }}{{ lxc_apt_keyring_dir }}/pub_evolix.asc" mode: "0644" 
@@ -36,7 +36,7 @@ group: root - name: copy packages.sury.org GPG Key - copy: + ansible.builtin.copy: src: sury.gpg dest: "{{ lxc_rootfs }}{{ lxc_apt_keyring_dir }}/sury.gpg" mode: "0644" @@ -44,17 +44,17 @@ group: root - name: "{{ lxc_php_version }} - Update APT cache" - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "DEBIAN_FRONTEND=noninteractive apt update" - name: "{{ lxc_php_version }} - Install PHP packages" - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer" - name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" - template: + ansible.builtin.template: src: z-evolinux-defaults.ini.j2 dest: "{{ line_item }}" mode: "0644" @@ -65,4 +65,4 @@ loop_control: loop_var: line_item -- include: "mail_opensmtpd.yml" +- ansible.builtin.include: "mail_opensmtpd.yml" diff --git a/lxc-php/tasks/php81.yml b/lxc-php/tasks/php81.yml index 966a2880..a1e9c71b 100644 --- a/lxc-php/tasks/php81.yml +++ b/lxc-php/tasks/php81.yml @@ -5,18 +5,18 @@ lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d - name: "{{ lxc_php_version }} - Install dependency packages" - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg" - name: "{{ lxc_php_version }} - fix bullseye repository" - replace: + ansible.builtin.replace: dest: "{{ lxc_rootfs }}/etc/apt/sources.list" regexp: 'bullseye/updates' replace: 'bullseye-security' - name: "{{ lxc_php_version }} - Add sury repo" - lineinfile: + ansible.builtin.lineinfile: dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/sury.list" line: "{{ item }}" state: present 
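Review bot: php81.yml sets `lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d`, and the following hunks copy the packages.sury.org and pub.evolix.org keys there, so both keys become trusted for every APT source in the container; the `signed-by=` options on the `sury.list` lines then add no isolation, and a third-party key can vouch for packages that claim to come from the Debian archive. php82.yml already uses `lxc_apt_keyring_dir: /etc/apt/keyrings`, and `signed-by` accepts any path on bullseye too, so I would use the same value here (`lxc_apt_keyring_dir: /etc/apt/keyrings`, creating the directory `0755` first since it does not exist by default before Debian 12) and in php80.yml. The variable is set in the lines just above the hunk, which are otherwise not visible here.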
@@ -27,7 +27,7 @@ - "deb [signed-by={{ lxc_apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix bullseye-php81 main" - name: copy pub.evolix.net GPG key - copy: + ansible.builtin.copy: src: pub_evolix.asc dest: "{{ lxc_rootfs }}{{ lxc_apt_keyring_dir }}/pub_evolix.asc" mode: "0644" @@ -35,7 +35,7 @@ group: root - name: copy packages.sury.org GPG Key - copy: + ansible.builtin.copy: src: sury.gpg dest: "{{ lxc_rootfs }}{{ lxc_apt_keyring_dir }}/sury.gpg" mode: "0644" @@ -43,17 +43,17 @@ group: root - name: "{{ lxc_php_version }} - Update APT cache" - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "DEBIAN_FRONTEND=noninteractive apt update" - name: "{{ lxc_php_version }} - Install PHP packages" - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer" - name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" - template: + ansible.builtin.template: src: z-evolinux-defaults.ini.j2 dest: "{{ line_item }}" mode: "0644" @@ -64,4 +64,4 @@ loop_control: loop_var: line_item -- include: "mail_opensmtpd.yml" +- ansible.builtin.include: "mail_opensmtpd.yml" diff --git a/lxc-php/tasks/php82.yml b/lxc-php/tasks/php82.yml index 8ecb1e33..a83207c8 100644 --- a/lxc-php/tasks/php82.yml +++ b/lxc-php/tasks/php82.yml 
@@ -5,20 +5,20 @@ lxc_apt_keyring_dir: /etc/apt/keyrings - name: "{{ lxc_php_version }} - Install PHP packages" - lxc_container: + community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer" # TODO : adapt to Bookworm and deb822 format - name: "{{ lxc_php_version }} - fix bookworm repository" - replace: + ansible.builtin.replace: dest: "{{ lxc_rootfs }}/etc/apt/sources.list" regexp: 'bullseye/updates' replace: 'bullseye-security' - name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" - template: + ansible.builtin.template: src: z-evolinux-defaults.ini.j2 dest: "{{ line_item }}" mode: "0644" @@ -29,4 +29,4 @@ loop_control: loop_var: line_item -- include: "mail_opensmtpd.yml" +- ansible.builtin.include: "mail_opensmtpd.yml" diff --git a/lxc-solr/tasks/main.yml b/lxc-solr/tasks/main.yml index bc279a04..fdfd1208 100644 --- a/lxc-solr/tasks/main.yml +++ b/lxc-solr/tasks/main.yml @@ -1,16 +1,16 @@ --- - name: LXC configuration - include_role: + ansible.builtin.include_role: name: evolix/lxc - name: Ensure containers root directory is 755 - file: + ansible.builtin.file: path: "/var/lib/lxc/{{ item.name }}/rootfs" state: directory mode: '0755' loop: "{{ lxc_containers }}" -- include: solr.yml +- ansible.builtin.include: solr.yml args: name: "{{ item.name }}" solr_version: "{{ item.solr_version }}" diff --git a/lxc-solr/tasks/solr.yml b/lxc-solr/tasks/solr.yml index a2f0c373..7eafb696 100644 --- a/lxc-solr/tasks/solr.yml +++ b/lxc-solr/tasks/solr.yml 
@@ -1,7 +1,7 @@ --- - name: "Set values for Solr < 9.0.0" - set_fact: + ansible.builtin.set_fact: tarball_url: https://archive.apache.org/dist/lucene/solr/{{ solr_version }}/solr-{{ solr_version }}.tgz tarball_path: /var/lib/lxc/{{ name }}/rootfs/root/solr-{{ solr_version }}.tgz start_command: "/etc/init.d/solr start" @@ -9,7 +9,7 @@ when: "solr_version is version('9.0.0', '<')" - name: "Set values for Solr >= 9.0.0" - set_fact: + ansible.builtin.set_fact: tarball_url: https://archive.apache.org/dist/solr/solr/{{ solr_version }}/solr-{{ solr_version }}.tgz tarball_path: /var/lib/lxc/{{ name }}/rootfs/root/solr-{{ solr_version }}.tgz start_command: "systemctl start solr" @@ -17,26 +17,28 @@ when: "solr_version is version('9.0.0', '>=')" - name: Install java and lsof packages - command: "lxc-attach -n {{ name }} -- apt-get install -y default-jre-headless lsof" + ansible.builtin.command: + cmd: "lxc-attach -n {{ name }} -- apt-get install -y default-jre-headless lsof" - name: "Download Solr {{ solr_version }}" - get_url: + ansible.builtin.get_url: url: "{{ tarball_url }}" dest: "{{ tarball_path }}" mode: '0644' - name: "Extract solr-{{ solr_version }}.tgz" - unarchive: + ansible.builtin.unarchive: src: "{{ tarball_path }}" dest: /var/lib/lxc/{{ name }}/rootfs/root/ remote_src: yes - name: "Make sure /home/solr exists" - file: + ansible.builtin.file: path: /home/solr/{{ name }} recurse: yes state: directory mode: '0755' - name: "Install Solr {{ solr_version }}" - command: "lxc-attach -n {{ name }} -- /root/solr-{{ solr_version }}/bin/install_solr_service.sh /root/solr-{{ solr_version }}.tgz -d /home/solr/{{ name }} -p {{ solr_port }}" + ansible.builtin.command: + cmd: "lxc-attach -n {{ name }} -- /root/solr-{{ solr_version }}/bin/install_solr_service.sh /root/solr-{{ solr_version }}.tgz -d /home/solr/{{ name }} -p {{ solr_port }}" diff --git a/lxc/tasks/create-container.yml b/lxc/tasks/create-container.yml index edeca2ec..3b70cdde 100644 
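Review bot: `ansible.builtin.get_url` in the `@@ -17,26 +17,28 @@` hunk fetches the Solr tarball with no `checksum:`, and the `ansible.builtin.command` that follows runs `install_solr_service.sh` out of that archive inside the container (as root, presumably), so a tampered or truncated download is executed unverified. Add a pinned digest next to the url, e.g. `checksum: "sha512:{{ solr_tarball_sha512 }}"`, with the value defined alongside `tarball_url` in the two `set_fact` tasks above (the variable name is a placeholder — use the project's convention). Separately, the two `lxc-attach … apt-get install` and `install_solr_service.sh` command tasks set no `changed_when`, so every run reports a change.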
--- a/lxc/tasks/create-container.yml +++ b/lxc/tasks/create-container.yml @@ -1,12 +1,13 @@ --- - name: "Check if container {{ name }} exists" - command: "lxc-ls {{ name }}" + ansible.builtin.command: + cmd: "lxc-ls {{ name }}" changed_when: False check_mode: no register: container_exists - name: "Create container {{ name }}" - lxc_container: + community.general.lxc_container: name: "{{ name }}" container_log: true template: debian 
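Review bot: `cmd: "lxc-ls {{ name }}"` in the `@@ -1,12 +1,13 @@` hunk passes the container name as lxc-ls's positional filter, which as far as I know is a regular expression, so for a name that is a prefix of an existing container (`web` while `web2` exists) `container_exists.stdout_lines` is non-empty and the `when: container_exists.stdout_lines | length == 0` guard at the top of the next hunk skips creation. Listing every container and testing exact membership avoids the false positive: `cmd: "lxc-ls -1"` here and `when: name not in container_exists.stdout_lines` on the create task.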
@@ -15,45 +16,45 @@ when: container_exists.stdout_lines | length == 0 - name: "Disable network configuration inside container {{ name }}" - replace: + ansible.builtin.replace: name: "/var/lib/lxc/{{ name }}/rootfs/etc/default/networking" regexp: "^#CONFIGURE_INTERFACES=yes" replace: CONFIGURE_INTERFACES=no when: lxc_network_type == "none" - name: "Disable interface shut down on halt inside container {{ name }} (Jessie container)" - lineinfile: + ansible.builtin.lineinfile: name: "/var/lib/lxc/{{ name }}/rootfs/etc/default/halt" line: "NETDOWN=no" when: lxc_network_type == "none" and release == "jessie" - name: "Make the container {{ name }} poweroff on SIGPWR sent by lxc-stop (Jessie container)" - file: + ansible.builtin.file: src: /lib/systemd/system/poweroff.target dest: "/var/lib/lxc/{{ name }}/rootfs/etc/systemd/system/sigpwr.target" state: link when: release == 'jessie' - name: "Configure the DNS resolvers in the container {{ name }}" - copy: + ansible.builtin.copy: remote_src: yes src: /etc/resolv.conf dest: "/var/lib/lxc/{{ name }}/rootfs/etc/" - name: "Add hostname in /etc/hosts for container {{ name }}" - lineinfile: + ansible.builtin.lineinfile: name: "/var/lib/lxc/{{ name }}/rootfs/etc/hosts" line: "127.0.0.1 {{ name }}" - name: "Fix permission on /dev for container {{ name }}" - lineinfile: + ansible.builtin.lineinfile: name: "/var/lib/lxc/{{ name }}/rootfs/etc/rc.local" line: "chmod 755 /dev" insertbefore: "^exit 0$" when: release == 'jessie' - name: "Ensure that {{ name }} container is running" - lxc_container: + community.general.lxc_container: name: "{{ name }}" state: started diff --git a/lxc/tasks/main.yml b/lxc/tasks/main.yml index 8236b9f1..d0f9f144 100644 --- a/lxc/tasks/main.yml +++ b/lxc/tasks/main.yml 
@@ -1,56 +1,59 @@ --- - name: Install lxc tools - apt: + ansible.builtin.apt: name: - lxc - debootstrap - xz-utils - name: python-lxc is installed (Debian <= 10) - apt: + ansible.builtin.apt: name: python-lxc state: present when: ansible_python_version is version('3', '<') - name: python3-lxc is installed (Debian >= 10) - apt: + ansible.builtin.apt: name: python3-lxc state: present when: ansible_python_version is version('3', '>=') - name: Install additional packages (Debian >= 10) - apt: + ansible.builtin.apt: name: - apparmor - lxc-templates when: ansible_distribution_major_version is version('10', '>=') - name: Copy LXC default containers configuration - template: + ansible.builtin.template: src: default.conf dest: /etc/lxc/ - name: Check if root has subuids - command: grep '^root:100000:10000$' /etc/subuid + ansible.builtin.command: + cmd: grep '^root:100000:10000$' /etc/subuid failed_when: False changed_when: False register: root_subuids when: lxc_unprivilegied_containers | bool - name: Add subuid and subgid ranges to root - command: usermod -v 100000-199999 -w 100000-109999 root + ansible.builtin.command: + cmd: usermod -v 100000-199999 -w 100000-109999 root when: - lxc_unprivilegied_containers | bool - root_subuids.rc != 0 - name: Get filesystem options - command: findmnt --noheadings --target /var/lib/lxc --output OPTIONS + ansible.builtin.command: + cmd: findmnt --noheadings --target /var/lib/lxc --output OPTIONS changed_when: False check_mode: no register: check_fs_options - name: Check if options are correct - assert: + ansible.builtin.assert: that: - "'nodev' not in check_fs_options.stdout" - "'noexec' not in check_fs_options.stdout" @@ -58,7 +61,7 @@ msg: "LXC directory is in a filesystem with incompatible options" - name: Create containers - include: create-container.yml + ansible.builtin.include: create-container.yml vars: name: "{{ item.name }}" release: "{{ item.release }}" 
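Review bot: In the `@@ -1,56 +1,59 @@` hunk, `cmd: grep '^root:100000:10000$' /etc/subuid` looks for a range of 10000 ids, but the following `usermod -v 100000-199999 -w 100000-109999 root` registers 100000 subuids, so after the first run /etc/subuid should contain `root:100000:100000` and the check never matches; with `lxc_unprivilegied_containers` enabled the usermod task would then be attempted on every play. If I read the ranges right, the pattern was copied from the subgid count (`-w` covers 10000 ids, but that lands in /etc/subgid), and the fix is `cmd: grep '^root:100000:100000$' /etc/subuid`. Since `failed_when: False` is set on the grep, nothing in the current play surfaces this mismatch.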
diff --git a/memcached/handlers/main.yml b/memcached/handlers/main.yml index 136c39d7..20dbe61e 100644 --- a/memcached/handlers/main.yml +++ b/memcached/handlers/main.yml @@ -1,15 +1,15 @@ --- - name: restart memcached - service: + ansible.builtin.service: name: memcached state: restarted - name: restart munin-node - service: + ansible.builtin.service: name: munin-node state: restarted - name: restart nagios-nrpe-server - service: + ansible.builtin.service: name: nagios-nrpe-server state: restarted diff --git a/memcached/tasks/instance-default.yml b/memcached/tasks/instance-default.yml index 635b3576..8a0630a4 100644 --- a/memcached/tasks/instance-default.yml +++ b/memcached/tasks/instance-default.yml @@ -1,6 +1,6 @@ - name: Memcached is configured. - template: + ansible.builtin.template: src: memcached.conf.j2 dest: /etc/memcached.conf mode: "0644" @@ -9,7 +9,7 @@ - memcached - name: Memcached is running and enabled on boot. - service: + ansible.builtin.service: name: memcached enabled: yes state: started diff --git a/memcached/tasks/instance-multi.yml b/memcached/tasks/instance-multi.yml index 61568a5d..873b0b15 100644 --- a/memcached/tasks/instance-multi.yml +++ b/memcached/tasks/instance-multi.yml @@ -1,14 +1,14 @@ --- - name: Add systemd unit template - copy: + ansible.builtin.copy: src: memcached@.service dest: /etc/systemd/system/memcached@.service tags: - memcached - name: Disable default memcached systemd unit - systemd: + ansible.builtin.systemd: name: memcached enabled: false state: stopped @@ -16,14 +16,14 @@ - memcached - name: Make sure memcached.conf is absent - file: + ansible.builtin.file: path: /etc/memcached.conf state: absent tags: - memcached - name: "Create a configuration file for instance ({{ memcached_instance_name }})" - template: + ansible.builtin.template: src: memcached.conf.j2 dest: /etc/memcached_{{ memcached_instance_name }}.conf mode: "0644" 
@@ -31,7 +31,7 @@ - memcached - name: "Enable and start the memcached instance ({{ memcached_instance_name }})" - systemd: + ansible.builtin.systemd: name: memcached@{{ memcached_instance_name }} enabled: yes state: started diff --git a/memcached/tasks/main.yml b/memcached/tasks/main.yml index 86d0aa40..96060d4a 100644 --- a/memcached/tasks/main.yml +++ b/memcached/tasks/main.yml @@ -1,16 +1,16 @@ - name: Ensure memcached is installed - apt: + ansible.builtin.apt: name: memcached state: present tags: - memcached -- include: instance-default.yml +- ansible.builtin.include: instance-default.yml when: memcached_instance_name is undefined -- include: instance-multi.yml +- ansible.builtin.include: instance-multi.yml when: memcached_instance_name is defined -- include: munin.yml +- ansible.builtin.include: munin.yml -- include: nrpe.yml +- ansible.builtin.include: nrpe.yml diff --git a/memcached/tasks/munin.yml b/memcached/tasks/munin.yml index f97962c4..b25b9275 100644 --- a/memcached/tasks/munin.yml +++ b/memcached/tasks/munin.yml @@ -1,11 +1,11 @@ --- - name: Choose packages (Oracle) - set_fact: + ansible.builtin.set_fact: multi: "multi_" when: memcached_instance_name is defined - name: is Munin present ? - stat: + ansible.builtin.stat: path: /etc/munin/plugin-conf.d/munin-node check_mode: no register: munin_node_plugins_config @@ -15,14 +15,14 @@ - block: - name: Install munin-plugins-extra and libcache-memcached-perl for Munin - apt: + ansible.builtin.apt: name: - 'munin-plugins-extra' - 'libcache-memcached-perl' state: present - name: Enable core Munin plugins - file: + ansible.builtin.file: src: '/usr/share/munin/plugins/memcached_' dest: /etc/munin/plugins/{{ multi }}{{ item }} state: link diff --git a/memcached/tasks/nrpe.yml b/memcached/tasks/nrpe.yml index 9fe28942..a01cf1e7 100644 --- a/memcached/tasks/nrpe.yml +++ b/memcached/tasks/nrpe.yml 
@@ -1,28 +1,28 @@ --- - name: Is nrpe present ? - stat: + ansible.builtin.stat: path: /etc/nagios/nrpe.d/evolix.cfg register: nrpe_evolix_config - block: - name: Install dependencies - apt: + ansible.builtin.apt: name: - libcache-memcached-perl - libmemcached11 - - include_role: + - ansible.builtin.include_role: name: evolix/remount-usr - name: Copy Nagios check for memcached - copy: + ansible.builtin.copy: src: check_memcached.pl dest: /usr/local/lib/nagios/plugins/ mode: "0755" - name: install check_memcached_instances - copy: + ansible.builtin.copy: src: check_memcached_instances.sh dest: /usr/local/lib/nagios/plugins/check_memcached_instances force: yes @@ -31,7 +31,7 @@ group: root - name: Add NRPE check (single instance) - lineinfile: + ansible.builtin.lineinfile: name: /etc/nagios/nrpe.d/evolix.cfg regexp: '^command\[check_memcached\]=' line: 'command[check_memcached]=/usr/local/lib/nagios/plugins/check_memcached.pl -H 127.0.0.1 -p {{ memcached_port }}' @@ -39,7 +39,7 @@ when: memcached_instance_name is undefined - name: Add NRPE check (multi instance) - lineinfile: + ansible.builtin.lineinfile: name: /etc/nagios/nrpe.d/evolix.cfg regexp: '^command\[check_memcached\]=' line: 'command[check_memcached]=/usr/local/lib/nagios/plugins/check_memcached_instances' diff --git a/memcached/tasks/phpmemcachedadmin.yml b/memcached/tasks/phpmemcachedadmin.yml index 0a8e4417..1e49ae9e 100644 --- a/memcached/tasks/phpmemcachedadmin.yml +++ b/memcached/tasks/phpmemcachedadmin.yml @@ -1,6 +1,6 @@ --- - name: Create phpMemcachedAdmin root dir - file: + ansible.builtin.file: path: /var/www/phpmemcachedadmin/ state: directory mode: "0755" @@ -8,7 +8,7 @@ - memcached - name: Install phpMemcachedAdmin - unarchive: + ansible.builtin.unarchive: src: 'https://github.com/elijaa/phpmemcachedadmin/archive/1.3.0.tar.gz' dest: /var/www/phpmemcachedadmin/ remote_src: True 
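Review bot: `ansible.builtin.unarchive` with `remote_src: True` in the `@@ -8,7 +8,7 @@` hunk of memcached/tasks/phpmemcachedadmin.yml downloads a tarball from GitHub and unpacks it straight into the web root with no integrity check — `unarchive` has no checksum option, so the URL is trusted blindly. Splitting the step into a `get_url` download with a pinned digest followed by a local `unarchive` gives the same result with verification; the task name and tags stay as they are, and the remaining unarchive options after `remote_src` are outside the hunk. The archive path and digest below are placeholders to fill in.

```yaml
- name: Download phpMemcachedAdmin
  ansible.builtin.get_url:
    url: 'https://github.com/elijaa/phpmemcachedadmin/archive/1.3.0.tar.gz'
    dest: /root/phpmemcachedadmin-1.3.0.tar.gz    # constructed path, adjust to project convention
    checksum: "sha256:<EXPECTED_SHA256_OF_1.3.0_TARBALL>"
    mode: "0644"
  tags:
    - memcached

- name: Install phpMemcachedAdmin
  ansible.builtin.unarchive:
    src: /root/phpmemcachedadmin-1.3.0.tar.gz
    dest: /var/www/phpmemcachedadmin/
    remote_src: True
    # … unchanged: remaining unarchive options and tags …
```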
@@ -18,7 +18,7 @@ - memcached - name: Copy phpMemcachedAdmin config - template: + ansible.builtin.template: src: Memcache.php.j2 dest: /var/www/phpmemcachedadmin/Config/Memcache.php mode: "0755" diff --git a/metricbeat/handlers/main.yml b/metricbeat/handlers/main.yml index cd83ab5d..949eac26 100644 --- a/metricbeat/handlers/main.yml +++ b/metricbeat/handlers/main.yml @@ -1,6 +1,6 @@ --- - name: restart metricbeat - systemd: + ansible.builtin.systemd: name: metricbeat state: restarted diff --git a/metricbeat/tasks/apt_sources.yml b/metricbeat/tasks/apt_sources.yml index d6597c74..a0395ffe 100644 --- a/metricbeat/tasks/apt_sources.yml +++ b/metricbeat/tasks/apt_sources.yml @@ -31,6 +31,6 @@ when: ansible_distribution_major_version is version('12', '>=') - name: Update APT cache - apt: + ansible.builtin.apt: update_cache: yes when: elastic_sources is changed \ No newline at end of file diff --git a/metricbeat/tasks/main.yml b/metricbeat/tasks/main.yml index 7fc21d09..16cc4865 100644 --- a/metricbeat/tasks/main.yml +++ b/metricbeat/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: APT sources - import_tasks: apt_sources.yml + ansible.builtin.import_tasks: apt_sources.yml args: apply: tags: @@ -8,7 +8,7 @@ - packages - name: Metricbeat is installed - apt: + ansible.builtin.apt: name: metricbeat state: "{% if metribeat_upgrade_package %}latest{% else %}present{% endif %}" notify: restart metricbeat @@ -17,7 +17,7 @@ - packages - name: Metricbeat service is enabled - systemd: + ansible.builtin.systemd: name: metricbeat enabled: yes notify: restart metricbeat @@ -25,7 +25,7 @@ # When we don't use a config template (default) - block: - name: Metricbeat knows where to find Elasticsearch - lineinfile: + ansible.builtin.lineinfile: dest: /etc/metricbeat/metricbeat.yml regexp: '^ hosts: .*' line: " hosts: [\"{{ metricbeat_elasticsearch_hosts | join('\", \"') }}\"]" 
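Review bot: `mode: "0755"` on the `ansible.builtin.template` task in the `@@ -18,7 +18,7 @@` hunk of memcached/tasks/phpmemcachedadmin.yml makes the generated Config/Memcache.php executable, which a file only read by the PHP interpreter never needs. `mode: "0644"` is the least privilege that works and matches what the other templated config files in this commit use (memcached.conf.j2 in instance-default.yml, for instance). The rest of that task is outside the hunk.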
@@ -34,7 +34,7 @@ when: metricbeat_elasticsearch_hosts | length > 0 - name: Metricbeat protocol for Elasticsearch - lineinfile: + ansible.builtin.lineinfile: dest: /etc/metricbeat/metricbeat.yml regexp: '^ #?protocol: .*' line: " protocol: \"{{ metricbeat_elasticsearch_protocol }}\"" @@ -43,7 +43,7 @@ when: metricbeat_elasticsearch_protocol == "http" or metricbeat_elasticsearch_protocol == "https" - name: Metricbeat auth/username for Elasticsearch are configured - lineinfile: + ansible.builtin.lineinfile: dest: /etc/metricbeat/metricbeat.yml regexp: '{{ item.regexp }}' line: '{{ item.line }}' @@ -57,7 +57,7 @@ - metricbeat_elasticsearch_auth_password | length > 0 - name: Metricbeat api_key for Elasticsearch are configured - lineinfile: + ansible.builtin.lineinfile: dest: /etc/metricbeat/metricbeat.yml regexp: '^ #?api_key: .*' line: ' api_key: "{{ metricbeat_elasticsearch_auth_api_key }}"' @@ -66,7 +66,7 @@ when: metricbeat_elasticsearch_auth_api_key | length > 0 - name: disable cloud_metadata - replace: + ansible.builtin.replace: dest: /etc/metricbeat/metricbeat.yml regexp: '^(\s+)(- add_cloud_metadata:)' replace: '\1# \2' @@ -74,7 +74,7 @@ when: not (metricbeat_processors_cloud_metadata | bool) - name: cloud_metadata processor is disabled - lineinfile: + ansible.builtin.lineinfile: dest: /etc/metricbeat/metricbeat.yml line: " - add_cloud_metadata: ~" insert_after: '^processors:' @@ -85,7 +85,7 @@ # When we use a config template - block: - name: Configuration is up-to-date - template: + ansible.builtin.template: src: "{{ item }}" dest: /etc/metricbeat/metricbeat.yml force: "{{ metricbeat_force_config }}" diff --git a/minifirewall/handlers/main.yml b/minifirewall/handlers/main.yml index 3c541de5..bcc6081b 100644 --- a/minifirewall/handlers/main.yml +++ b/minifirewall/handlers/main.yml 
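Review bot: The `ansible.builtin.lineinfile` tasks in hunks `@@ -43,7 +43,7 @@` and `@@ -57,7 +57,7 @@` write `metricbeat_elasticsearch_auth_password` and `metricbeat_elasticsearch_auth_api_key` into /etc/metricbeat/metricbeat.yml, but neither task sets `no_log`, so the secret appears in task output and in `--diff` mode, and from there in any CI log or run archive. Add `no_log: true` to both tasks; the loop items of the first are outside the hunk, but `no_log` on the task covers every iteration.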
@@ -1,22 +1,24 @@ --- - name: restart nagios-nrpe-server - service: + ansible.builtin.service: name: nagios-nrpe-server state: restarted - name: restart minifirewall (modern) - command: /etc/init.d/minifirewall restart + ansible.builtin.command: + cmd: /etc/init.d/minifirewall restart register: minifirewall_init_restart failed_when: "'minifirewall failed' in minifirewall_init_restart.stdout" - name: restart minifirewall (legacy) - command: /etc/init.d/minifirewall restart + ansible.builtin.command: + cmd: /etc/init.d/minifirewall restart register: minifirewall_init_restart failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout" - name: restart minifirewall (noop) - meta: noop + ansible.builtin.meta: noop register: minifirewall_init_restart failed_when: False changed_when: False \ No newline at end of file diff --git a/minifirewall/tasks/activate.yml b/minifirewall/tasks/activate.yml index e971407b..57a2ea26 100644 --- a/minifirewall/tasks/activate.yml +++ b/minifirewall/tasks/activate.yml @@ -1,12 +1,12 @@ --- - name: check if /etc/init.d/alert5 exists - stat: + ansible.builtin.stat: path: /etc/init.d/alert5 register: initd_alert5 - name: Uncomment minifirewall start line - replace: + ansible.builtin.replace: dest: /etc/init.d/alert5 regexp: '^#/etc/init.d/minifirewall start' replace: '/etc/init.d/minifirewall start' @@ -15,12 +15,12 @@ - minifirewall_autostart | bool - name: check if /usr/share/scripts/alert5 exists - stat: + ansible.builtin.stat: path: /usr/share/scripts/alert5.sh register: usr_share_scripts_alert5 - name: Uncomment minifirewall start line - replace: + ansible.builtin.replace: dest: /usr/share/scripts/alert5.sh regexp: '^#/etc/init.d/minifirewall start' replace: '/etc/init.d/minifirewall start' diff --git a/minifirewall/tasks/config.legacy.yml b/minifirewall/tasks/config.legacy.yml index a151e76c..c14e76c4 100644 --- a/minifirewall/tasks/config.legacy.yml +++ b/minifirewall/tasks/config.legacy.yml 
@@ -1,53 +1,54 @@ --- -- debug: +- ansible.builtin.debug: var: minifirewall_trusted_ips verbosity: 1 -- debug: +- ansible.builtin.debug: var: minifirewall_privilegied_ips verbosity: 1 - name: Stat minifirewall config file (before) - stat: + ansible.builtin.stat: path: "{{ minifirewall_main_file }}" register: minifirewall_before - name: Check if minifirewall is running - shell: /sbin/iptables -L -n | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$" + ansible.builtin.shell: + cmd: /sbin/iptables -L -n | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$" changed_when: False failed_when: False check_mode: no register: minifirewall_is_running -- debug: +- ansible.builtin.debug: var: minifirewall_is_running verbosity: 1 - name: Begin marker for IP addresses - lineinfile: + ansible.builtin.lineinfile: dest: "{{ minifirewall_main_file }}" line: "# BEGIN ANSIBLE MANAGED BLOCK FOR IPS" insertbefore: '^# Main interface' create: no - name: End marker for IP addresses - lineinfile: + ansible.builtin.lineinfile: dest: "{{ minifirewall_main_file }}" create: no line: "# END ANSIBLE MANAGED BLOCK FOR IPS" insertafter: '^PRIVILEGIEDIPS=' - name: Verify that at least 1 trusted IP is provided - assert: + ansible.builtin.assert: that: minifirewall_trusted_ips | length > 0 msg: You must provide at least 1 trusted IP -- debug: +- ansible.builtin.debug: msg: "Warning: minifirewall_trusted_ips='0.0.0.0/0', the firewall is useless!" when: minifirewall_trusted_ips == ["0.0.0.0/0"] - name: Configure IP addresses - blockinfile: + ansible.builtin.blockinfile: dest: "{{ minifirewall_main_file }}" marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS" block: | 
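Review bot: `when: minifirewall_trusted_ips == ["0.0.0.0/0"]` on the warning `ansible.builtin.debug` in the `@@ -1,53 +1,54 @@` hunk fires only when the list is exactly that single entry, so a `0.0.0.0/0` slipped in next to real addresses passes silently although the resulting TRUSTEDIPS is just as open. The non-legacy config.yml in this same commit already uses the membership form, and the legacy file should match it: `when: "'0.0.0.0/0' in minifirewall_trusted_ips"`. The `ansible.builtin.assert` just above only checks that the list is non-empty, so it does not catch this case either.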
@@ -77,21 +78,21 @@ register: minifirewall_config_ips - name: Begin marker for ports - lineinfile: + ansible.builtin.lineinfile: dest: "{{ minifirewall_main_file }}" line: "# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS" insertbefore: '^# Protected services' create: no - name: End marker for ports - lineinfile: + ansible.builtin.lineinfile: dest: "{{ minifirewall_main_file }}" line: "# END ANSIBLE MANAGED BLOCK FOR PORTS" insertafter: '^SERVICESUDP3=' create: no - name: Configure ports - blockinfile: + ansible.builtin.blockinfile: dest: "{{ minifirewall_main_file }}" marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS" block: | @@ -115,7 +116,7 @@ register: minifirewall_config_ports - name: Configure DNSSERVEURS - lineinfile: + ansible.builtin.lineinfile: dest: "{{ minifirewall_main_file }}" line: "DNSSERVEURS='{{ minifirewall_dns_servers | join(' ') }}'" regexp: "DNSSERVEURS='.*'" @@ -123,7 +124,7 @@ when: minifirewall_dns_servers is not none - name: Configure HTTPSITES - lineinfile: + ansible.builtin.lineinfile: dest: "{{ minifirewall_main_file }}" line: "HTTPSITES='{{ minifirewall_http_sites | join(' ') }}'" regexp: "HTTPSITES='.*'" @@ -131,7 +132,7 @@ when: minifirewall_http_sites is not none - name: Configure HTTPSSITES - lineinfile: + ansible.builtin.lineinfile: dest: "{{ minifirewall_main_file }}" line: "HTTPSSITES='{{ minifirewall_https_sites | join(' ') }}'" regexp: "HTTPSSITES='.*'" @@ -139,7 +140,7 @@ when: minifirewall_https_sites is not none - name: Configure FTPSITES - lineinfile: + ansible.builtin.lineinfile: dest: "{{ minifirewall_main_file }}" line: "FTPSITES='{{ minifirewall_ftp_sites | join(' ') }}'" regexp: "FTPSITES='.*'" @@ -147,7 +148,7 @@ when: minifirewall_ftp_sites is not none - name: Configure SSHOK - lineinfile: + ansible.builtin.lineinfile: dest: "{{ minifirewall_main_file }}" line: "SSHOK='{{ minifirewall_ssh_ok | join(' ') }}'" regexp: "SSHOK='.*'" 
@@ -155,7 +156,7 @@ when: minifirewall_ssh_ok is not none - name: Configure SMTPOK - lineinfile: + ansible.builtin.lineinfile: dest: "{{ minifirewall_main_file }}" line: "SMTPOK='{{ minifirewall_smtp_ok | join(' ') }}'" regexp: "SMTPOK='.*'" @@ -163,7 +164,7 @@ when: minifirewall_smtp_ok is not none - name: Configure SMTPSECUREOK - lineinfile: + ansible.builtin.lineinfile: dest: "{{ minifirewall_main_file }}" line: "SMTPSECUREOK='{{ minifirewall_smtp_secure_ok | join(' ') }}'" regexp: "SMTPSECUREOK='.*'" @@ -171,7 +172,7 @@ when: minifirewall_smtp_secure_ok is not none - name: Configure NTPOK - lineinfile: + ansible.builtin.lineinfile: dest: "{{ minifirewall_main_file }}" line: "NTPOK='{{ minifirewall_ntp_ok | join(' ') }}'" regexp: "NTPOK='.*'" @@ -179,26 +180,27 @@ when: minifirewall_ntp_ok is not none - name: evomaintenance - lineinfile: + ansible.builtin.lineinfile: dest: "{{ minifirewall_main_file }}" line: "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s {{ item }} -m state --state ESTABLISHED,RELATED -j ACCEPT" insertafter: "^# EvoMaintenance" loop: "{{ evomaintenance_hosts }}" - name: remove minifirewall example rule for the evomaintenance - lineinfile: + ansible.builtin.lineinfile: dest: "{{ minifirewall_main_file }}" regexp: '^#.*(--sport 5432).*(-s X\.X\.X\.X)' state: absent when: evomaintenance_hosts | length > 0 - name: Stat minifirewall config file (after) - stat: + ansible.builtin.stat: path: "{{ minifirewall_main_file }}" register: minifirewall_after - name: Schedule minifirewall restart (legacy) - command: /bin/true + ansible.builtin.command: + cmd: /bin/true notify: "restart minifirewall (legacy)" when: - minifirewall_install_mode == 'legacy' @@ -207,6 +209,6 @@ - minifirewall_before.stat.checksum != minifirewall_after.stat.checksum or minifirewall_upgrade_script is changed or minifirewall_upgrade_config is changed -- debug: +- ansible.builtin.debug: var: minifirewall_init_restart verbosity: 2 
diff --git a/minifirewall/tasks/config.yml b/minifirewall/tasks/config.yml index b0a1d7a6..2d4da100 100644 --- a/minifirewall/tasks/config.yml +++ b/minifirewall/tasks/config.yml @@ -1,58 +1,58 @@ --- -- debug: +- ansible.builtin.debug: var: minifirewall_trusted_ips verbosity: 1 -- debug: +- ansible.builtin.debug: var: minifirewall_privilegied_ips verbosity: 1 - name: Stat minifirewall config file (before) - stat: + ansible.builtin.stat: path: "/etc/default/minifirewall" register: minifirewall_before - name: Check if minifirewall is running - shell: + ansible.builtin.shell: cmd: /sbin/iptables -L -n | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$" changed_when: False failed_when: False check_mode: no register: minifirewall_is_running -- debug: +- ansible.builtin.debug: var: minifirewall_is_running verbosity: 1 - name: Begin marker for IP addresses - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "# BEGIN ANSIBLE MANAGED BLOCK FOR IPS" insertbefore: '^# Main interface' create: no - name: End marker for IP addresses - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" create: no line: "# END ANSIBLE MANAGED BLOCK FOR IPS" insertafter: '^PRIVILEGIEDIPS=' - name: Verify that at least 1 trusted IP is provided - assert: + ansible.builtin.assert: that: minifirewall_trusted_ips | length > 0 msg: You must provide at least 1 trusted IP -- debug: +- ansible.builtin.debug: msg: "Warning: minifirewall_trusted_ips contains '0.0.0.0/0', the firewall is useless on IPv4!" when: "'0.0.0.0/0' in minifirewall_trusted_ips" -- debug: +- ansible.builtin.debug: msg: "Warning: minifirewall_trusted_ips contains '::/0', the firewall is useless on IPv6!" when: "'::/0' in minifirewall_trusted_ips" - name: Configure IP addresses - blockinfile: + ansible.builtin.blockinfile: dest: "/etc/default/minifirewall" marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS" block: | 
@@ -86,21 +86,21 @@ register: minifirewall_config_ips - name: Begin marker for ports - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS" insertbefore: '^# Protected services' create: no - name: End marker for ports - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "# END ANSIBLE MANAGED BLOCK FOR PORTS" insertafter: '^SERVICESUDP3=' create: no - name: Configure ports - blockinfile: + ansible.builtin.blockinfile: dest: "/etc/default/minifirewall" marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS" block: | @@ -124,7 +124,7 @@ register: minifirewall_config_ports - name: Configure DNSSERVEURS - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "DNSSERVEURS='{{ minifirewall_dns_servers | join(' ') }}'" regexp: "DNSSERVEURS=('|\").*('|\")" @@ -132,7 +132,7 @@ when: minifirewall_dns_servers is not none - name: Configure HTTPSITES - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "HTTPSITES='{{ minifirewall_http_sites | join(' ') }}'" regexp: "HTTPSITES=('|\").*('|\")" @@ -140,7 +140,7 @@ when: minifirewall_http_sites is not none - name: Configure HTTPSSITES - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "HTTPSSITES='{{ minifirewall_https_sites | join(' ') }}'" regexp: "HTTPSSITES=('|\").*('|\")" @@ -148,7 +148,7 @@ when: minifirewall_https_sites is not none - name: Configure FTPSITES - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "FTPSITES='{{ minifirewall_ftp_sites | join(' ') }}'" regexp: "FTPSITES=('|\").*('|\")" @@ -156,7 +156,7 @@ when: minifirewall_ftp_sites is not none - name: Configure SSHOK - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "SSHOK='{{ minifirewall_ssh_ok | join(' ') }}'" regexp: "SSHOK=('|\").*('|\")" 
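Review bot: The `regexp:` values in the `ansible.builtin.lineinfile` tasks of hunks `@@ -124,7 +124,7 @@` through `@@ -156,7 +156,7 @@` (`"DNSSERVEURS=('|\").*('|\")"` and its siblings) are unanchored, and lineinfile uses search semantics and rewrites the last matching line, so a commented example such as `#DNSSERVEURS='…'` placed after the real assignment would be the line edited while the live value stays put — plausible in a shell-style defaults file, though I cannot see /etc/default/minifirewall from here. Prefixing each pattern with `^`, e.g. `regexp: "^DNSSERVEURS=('|\").*('|\")"`, pins the edit to the real assignment. The same applies to the PROXY*/SYSCTL_* tasks in the following hunks and to the legacy variants in config.legacy.yml.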
@@ -164,7 +164,7 @@ when: minifirewall_ssh_ok is not none - name: Configure SMTPOK - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "SMTPOK='{{ minifirewall_smtp_ok | join(' ') }}'" regexp: "SMTPOK=('|\").*('|\")" @@ -172,7 +172,7 @@ when: minifirewall_smtp_ok is not none - name: Configure SMTPSECUREOK - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "SMTPSECUREOK='{{ minifirewall_smtp_secure_ok | join(' ') }}'" regexp: "SMTPSECUREOK=('|\").*('|\")" @@ -180,7 +180,7 @@ when: minifirewall_smtp_secure_ok is not none - name: Configure NTPOK - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "NTPOK='{{ minifirewall_ntp_ok | join(' ') }}'" regexp: "NTPOK=('|\").*('|\")" @@ -188,7 +188,7 @@ when: minifirewall_ntp_ok is not none - name: Configure PROXY - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "PROXY='{{ minifirewall_proxy }}'" regexp: "PROXY=('|\").*('|\")" @@ -196,7 +196,7 @@ when: minifirewall_proxy is not none - name: Configure PROXYPORT - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "PROXYPORT='{{ minifirewall_proxyport }}'" regexp: "PROXYPORT=('|\").*('|\")" @@ -206,7 +206,7 @@ # Warning: keep double quotes for the value, # since we often reference a shell variable that needs to be interpolated - name: Configure PROXYBYPASS - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "PROXYBYPASS=\"{{ minifirewall_proxybypass | join(' ') }}\"" regexp: "PROXYBYPASS=('|\").*('|\")" @@ -214,7 +214,7 @@ when: minifirewall_proxybypass is not none - name: Configure BACKUPSERVERS - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "BACKUPSERVERS='{{ minifirewall_backupservers | join(' ') }}'" regexp: "BACKUPSERVERS=('|\").*('|\")" 
@@ -222,7 +222,7 @@ when: minifirewall_backupservers is not none - name: Configure SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS='{{ minifirewall_sysctl_icmp_echo_ignore_broadcasts }}'" regexp: "SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS=('|\").*('|\")" @@ -230,7 +230,7 @@ when: minifirewall_sysctl_icmp_echo_ignore_broadcasts is not none - name: Configure SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES='{{ minifirewall_sysctl_icmp_ignore_bogus_error_responses }}'" regexp: "SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES=('|\").*('|\")" @@ -238,7 +238,7 @@ when: minifirewall_sysctl_icmp_ignore_bogus_error_responses is not none - name: Configure SYSCTL_ACCEPT_SOURCE_ROUTE - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "SYSCTL_ACCEPT_SOURCE_ROUTE='{{ minifirewall_sysctl_accept_source_route }}'" regexp: "SYSCTL_ACCEPT_SOURCE_ROUTE=('|\").*('|\")" @@ -246,7 +246,7 @@ when: minifirewall_sysctl_accept_source_route is not none - name: Configure SYSCTL_TCP_SYNCOOKIES - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "SYSCTL_TCP_SYNCOOKIES='{{ minifirewall_sysctl_tcp_syncookies }}'" regexp: "SYSCTL_TCP_SYNCOOKIES=('|\").*('|\")" @@ -254,7 +254,7 @@ when: minifirewall_sysctl_tcp_syncookies is not none - name: Configure SYSCTL_ICMP_REDIRECTS - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "SYSCTL_ICMP_REDIRECTS='{{ minifirewall_sysctl_icmp_redirects }}'" regexp: "SYSCTL_ICMP_REDIRECTS=('|\").*('|\")" 
@@ -262,7 +262,7 @@ when: minifirewall_sysctl_icmp_redirects is not none - name: Configure SYSCTL_RP_FILTER - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "SYSCTL_RP_FILTER='{{ minifirewall_sysctl_rp_filter }}'" regexp: "SYSCTL_RP_FILTER=('|\").*('|\")" @@ -270,7 +270,7 @@ when: minifirewall_sysctl_rp_filter is not none - name: Configure SYSCTL_LOG_MARTIANS - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "SYSCTL_LOG_MARTIANS='{{ minifirewall_sysctl_log_martians }}'" regexp: "SYSCTL_LOG_MARTIANS=('|\").*('|\")" @@ -278,12 +278,13 @@ when: minifirewall_sysctl_log_martians is not none - name: Stat minifirewall config file (after) - stat: + ansible.builtin.stat: path: "/etc/default/minifirewall" register: minifirewall_after - name: Schedule minifirewall restart (modern) - command: /bin/true + ansible.builtin.command: + cmd: /bin/true notify: "restart minifirewall (modern)" when: - minifirewall_install_mode != 'legacy' @@ -291,6 +292,6 @@ - minifirewall_is_running.rc == 0 - minifirewall_before.stat.checksum != minifirewall_after.stat.checksum or minifirewall_upgrade_script is changed or minifirewall_upgrade_config is changed -- debug: +- ansible.builtin.debug: var: minifirewall_init_restart verbosity: 2 diff --git a/minifirewall/tasks/install.legacy.yml b/minifirewall/tasks/install.legacy.yml index 323426b5..7d03efff 100644 --- a/minifirewall/tasks/install.legacy.yml +++ b/minifirewall/tasks/install.legacy.yml @@ -1,12 +1,12 @@ --- - name: dependencies are satisfied - apt: + ansible.builtin.apt: name: iptables state: present - name: init script is copied - template: + ansible.builtin.template: src: minifirewall.legacy.j2 dest: /etc/init.d/minifirewall force: "{{ minifirewall_force_upgrade_script | default('no') }}" 
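Review bot: The "Schedule minifirewall restart (modern)" task still runs `/bin/true` purely to fire a handler, and since `ansible.builtin.command` is skipped under `--check` the notification is silently lost in check mode; while the task is being rewritten to the `cmd:` form, `ansible.builtin.debug: { msg: "schedule minifirewall restart" }` with `changed_when: true` and the same `notify:`/`when:` keys would raise the handler without spawning a remote process and behave identically in check mode. The same idiom is preserved in the "Force restart minifirewall (legacy/modern)" tasks of minifirewall/tasks/main.yml and in the "Schedule minifirewall restart" tasks of tail.legacy.yml and tail.yml. The task's `when:` list continues past the end of the hunk.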
@@ -15,7 +15,7 @@ group: root - name: configuration is copied - copy: + ansible.builtin.copy: src: minifirewall.legacy.conf dest: "{{ minifirewall_main_file }}" force: "{{ minifirewall_force_upgrade_config | default('no') }}" diff --git a/minifirewall/tasks/install.yml b/minifirewall/tasks/install.yml index daac6f81..1a507d31 100644 --- a/minifirewall/tasks/install.yml +++ b/minifirewall/tasks/install.yml @@ -1,12 +1,12 @@ --- - name: dependencies are satisfied - apt: + ansible.builtin.apt: name: iptables state: present - name: init script is copied - copy: + ansible.builtin.copy: src: minifirewall dest: /etc/init.d/minifirewall force: "{{ minifirewall_force_upgrade_script | default('no') }}" @@ -16,7 +16,7 @@ register: minifirewall_upgrade_script - name: configuration is copied - copy: + ansible.builtin.copy: src: minifirewall.conf dest: "/etc/default/minifirewall" force: "{{ minifirewall_force_upgrade_config | default('no') }}" @@ -26,7 +26,7 @@ register: minifirewall_upgrade_config - name: includes directory is present - file: + ansible.builtin.file: path: /etc/minifirewall.d/ state: directory owner: root @@ -34,7 +34,7 @@ mode: "0700" - name: examples for includes are present - copy: + ansible.builtin.copy: src: "minifirewall.d/" dest: "/etc/minifirewall.d/" force: "no" diff --git a/minifirewall/tasks/main.yml b/minifirewall/tasks/main.yml index e0dbcaf0..5457d60c 100644 --- a/minifirewall/tasks/main.yml +++ b/minifirewall/tasks/main.yml @@ -3,7 +3,7 @@ # Legacy or modern mode? ############################################## - name: Check minifirewall - stat: + ansible.builtin.stat: path: /etc/init.d/minifirewall register: _minifirewall_check tags: 
@@ -11,7 +11,8 @@ # Legacy versions of minifirewall don't define the VERSION variable - name: Look for minifirewall version - shell: "grep -E '^\\s*VERSION=' /etc/init.d/minifirewall" + ansible.builtin.shell: + cmd: "grep -E '^\\s*VERSION=' /etc/init.d/minifirewall" failed_when: False changed_when: False check_mode: False @@ -20,7 +21,7 @@ - always - name: Set install mode to legacy if needed - set_fact: + ansible.builtin.set_fact: minifirewall_install_mode: legacy minifirewall_main_file: "{{ minifirewall_legacy_main_file }}" minifirewall_tail_file: "{{ minifirewall_legacy_tail_file }}" @@ -32,21 +33,21 @@ - always - name: Set install mode to modern if not legacy - set_fact: + ansible.builtin.set_fact: minifirewall_install_mode: modern when: minifirewall_install_mode != 'legacy' tags: - always - name: Debug install mode - debug: + ansible.builtin.debug: var: minifirewall_install_mode verbosity: 1 tags: - always - name: 'Set minifirewall_restart_handler_name to "noop"' - set_fact: + ansible.builtin.set_fact: minifirewall_restart_handler_name: "restart minifirewall (noop)" when: - not (minifirewall_restart_if_needed | bool) @@ -54,7 +55,7 @@ - always - name: 'Set minifirewall_restart_handler_name to "legacy"' - set_fact: + ansible.builtin.set_fact: minifirewall_restart_handler_name: "restart minifirewall (legacy)" when: - minifirewall_restart_if_needed | bool @@ -63,7 +64,7 @@ - always - name: 'Set minifirewall_restart_handler_name to "modern"' - set_fact: + ansible.builtin.set_fact: minifirewall_restart_handler_name: "restart minifirewall (modern)" when: - minifirewall_restart_if_needed | bool @@ -74,7 +75,7 @@ ####################################################################### - name: Fail if minifirewall_main_file is defined (legacy mode) - fail: + ansible.builtin.fail: msg: "Variable minifirewall_main_file is deprecated and not configurable anymore." when: - minifirewall_install_mode != 'legacy' 
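Review bot: "Look for minifirewall version" keeps `ansible.builtin.shell` although the grep invocation uses no pipe, redirection or expansion, so `ansible.builtin.command:` with the same `cmd: "grep -E '^\\s*VERSION=' /etc/init.d/minifirewall"` would run it without a shell; the module's own argument splitting handles the single quotes. A shell is warranted for the `iptables ... | grep` pipelines in tail.yml, but here it only widens the surface for any future interpolation into the command string. The task's `failed_when`/`changed_when` keys are visible, while its tags continue past the hunk.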
@@ -83,22 +84,22 @@ - always - name: Install tasks (modern mode) - import_tasks: install.yml + ansible.builtin.import_tasks: install.yml when: minifirewall_install_mode != 'legacy' - name: Install tasks (legacy mode) - import_tasks: install.legacy.yml + ansible.builtin.import_tasks: install.legacy.yml when: minifirewall_install_mode == 'legacy' - name: Debug minifirewall_update_config - debug: + ansible.builtin.debug: var: minifirewall_update_config | bool verbosity: 1 tags: - always - name: Config tasks (modern mode) - include_tasks: config.yml + ansible.builtin.include_tasks: config.yml when: - minifirewall_install_mode != 'legacy' - minifirewall_update_config | bool @@ -106,7 +107,7 @@ - manage - name: Config tasks (legacy mode) - include_tasks: config.legacy.yml + ansible.builtin.include_tasks: config.legacy.yml args: apply: tags: @@ -116,23 +117,23 @@ - minifirewall_update_config | bool - name: Utils tasks - include_tasks: utils.yml + ansible.builtin.include_tasks: utils.yml - name: NRPE tasks - include_tasks: nrpe.yml + ansible.builtin.include_tasks: nrpe.yml - name: Activation tasks - include_tasks: activate.yml + ansible.builtin.include_tasks: activate.yml - name: Debug minifirewall_tail_included - debug: + ansible.builtin.debug: var: minifirewall_tail_included | bool verbosity: 1 tags: - always - name: Tail tasks (modern mode) - include_tasks: tail.yml + ansible.builtin.include_tasks: tail.yml args: apply: tags: @@ -142,7 +143,7 @@ - minifirewall_tail_included | bool - name: Tail tasks (legacy mode) - include_tasks: tail.legacy.yml + ansible.builtin.include_tasks: tail.legacy.yml args: apply: tags: @@ -154,14 +155,15 @@ # Restart? - name: Debug minifirewall_restart_force - debug: + ansible.builtin.debug: var: minifirewall_restart_force | bool verbosity: 1 tags: - always - name: Force restart minifirewall (legacy) - command: /bin/true + ansible.builtin.command: + cmd: /bin/true notify: "restart minifirewall (legacy)" tags: - always 
@@ -170,7 +172,8 @@ - minifirewall_restart_force | bool - name: Force restart minifirewall (modern) - command: /bin/true + ansible.builtin.command: + cmd: /bin/true notify: "restart minifirewall (modern)" tags: - always diff --git a/minifirewall/tasks/nrpe.yml b/minifirewall/tasks/nrpe.yml index 2e9674f7..691dd454 100644 --- a/minifirewall/tasks/nrpe.yml +++ b/minifirewall/tasks/nrpe.yml @@ -1,10 +1,10 @@ --- -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: /usr/share/scripts exists - file: + ansible.builtin.file: dest: /usr/share/scripts mode: "0700" owner: root @@ -12,7 +12,7 @@ state: directory - name: minifirewall_status is installed - copy: + ansible.builtin.copy: src: minifirewall_status dest: /usr/share/scripts/minifirewall_status force: "{{ minifirewall_force_update_nrpe_scripts | bool }}" @@ -21,7 +21,7 @@ group: root - name: /usr/local/lib/nagios/plugins/ exists - file: + ansible.builtin.file: dest: "{{ nagios_plugins_directory }}" mode: "02755" owner: root @@ -29,7 +29,7 @@ state: directory - name: check_minifirewall is installed - copy: + ansible.builtin.copy: src: check_minifirewall dest: "{{ nagios_plugins_directory }}/check_minifirewall" force: "{{ minifirewall_force_update_nrpe_scripts | bool }}" @@ -38,12 +38,12 @@ group: staff - name: Is NRPE installed? - stat: + ansible.builtin.stat: path: /etc/nagios/nrpe.d/evolix.cfg register: nrpe_evolix_cfg - name: check_minifirewall is available for NRPE - lineinfile: + ansible.builtin.lineinfile: dest: /etc/nagios/nrpe.d/evolix.cfg regexp: 'command\[check_minifirewall\]' line: 'command[check_minifirewall]=sudo {{ nagios_plugins_directory }}/check_minifirewall' 
@@ -51,12 +51,12 @@ when: nrpe_evolix_cfg.stat.exists - name: Is evolinux sudoers installed? - stat: + ansible.builtin.stat: path: /etc/sudoers.d/evolinux register: sudoers_evolinux - name: sudo without password for nagios - lineinfile: + ansible.builtin.lineinfile: dest: /etc/sudoers.d/evolinux regexp: 'check_minifirewall' line: 'nagios ALL = NOPASSWD: {{ nagios_plugins_directory }}/check_minifirewall' diff --git a/minifirewall/tasks/tail.legacy.yml b/minifirewall/tasks/tail.legacy.yml index dc7fbdc9..d78d2090 100644 --- a/minifirewall/tasks/tail.legacy.yml +++ b/minifirewall/tasks/tail.legacy.yml @@ -1,24 +1,24 @@ --- - name: Stat minifirewall config file (before) - stat: + ansible.builtin.stat: path: "/etc/default/minifirewall" register: minifirewall_before - name: Check if minifirewall is running - shell: + ansible.builtin.shell: cmd: /sbin/iptables -L -n | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$" changed_when: False failed_when: False check_mode: no register: minifirewall_is_running -- debug: +- ansible.builtin.debug: var: minifirewall_is_running verbosity: 1 - name: Add some rules at the end of minifirewall file - template: + ansible.builtin.template: src: "{{ item }}" dest: "{{ minifirewall_tail_file }}" force: "{{ minifirewall_tail_force | bool }}" 
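Review bot: "sudo without password for nagios" edits `/etc/sudoers.d/evolinux` with `ansible.builtin.lineinfile` but has no `validate:` step, so a malformed line is written as-is and can break sudo for every account on the host; add `validate: '/usr/sbin/visudo -cf %s'` to the task. `regexp: 'check_minifirewall'` is also unanchored and would match any line mentioning the plugin (a comment, or a rule for a different user), so `regexp: '^nagios\s.*check_minifirewall'` pins the replacement to the intended rule. Any trailing keys of the task (a `when:` on `sudoers_evolinux`, presumably) lie past the end of the hunk.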
@@ -32,24 +32,25 @@ - "templates/minifirewall.default.tail.j2" register: minifirewall_tail_template -- debug: +- ansible.builtin.debug: var: minifirewall_tail_template verbosity: 1 - name: source minifirewall.tail at the end of the main file - blockinfile: + ansible.builtin.blockinfile: dest: "{{ minifirewall_main_file }}" marker: "# {mark} ANSIBLE MANAGED EXTERNAL RULES" block: ". {{ minifirewall_tail_file }}" insertbefore: EOF register: minifirewall_tail_source -- debug: +- ansible.builtin.debug: var: minifirewall_tail_source verbosity: 1 - name: Schedule minifirewall restart (legacy) - command: /bin/true + ansible.builtin.command: + cmd: /bin/true notify: "restart minifirewall (legacy)" when: - minifirewall_install_mode == 'legacy' @@ -57,6 +58,6 @@ - minifirewall_is_running.rc == 0 - minifirewall_tail_template is changed -- debug: +- ansible.builtin.debug: var: minifirewall_init_restart verbosity: 1 diff --git a/minifirewall/tasks/tail.yml b/minifirewall/tasks/tail.yml index 73d60d9c..a3911f4a 100644 --- a/minifirewall/tasks/tail.yml +++ b/minifirewall/tasks/tail.yml @@ -1,24 +1,24 @@ --- - name: Stat minifirewall config file (before) - stat: + ansible.builtin.stat: path: "/etc/default/minifirewall" register: minifirewall_before - name: Check if minifirewall is running - shell: + ansible.builtin.shell: cmd: /sbin/iptables -L -n | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$" changed_when: False failed_when: False check_mode: no register: minifirewall_is_running -- debug: +- ansible.builtin.debug: var: minifirewall_is_running verbosity: 1 - name: Add some rules at the end of minifirewall file - template: + ansible.builtin.template: src: "{{ item }}" dest: "{{ minifirewall_tail_file }}" force: "{{ minifirewall_tail_force | bool }}" 
@@ -32,12 +32,13 @@ - "templates/minifirewall.default.tail.j2" register: minifirewall_tail_template -- debug: +- ansible.builtin.debug: var: minifirewall_tail_template verbosity: 1 - name: Schedule minifirewall restart (modern) - command: /bin/true + ansible.builtin.command: + cmd: /bin/true notify: "restart minifirewall (modern)" when: - minifirewall_install_mode != 'legacy' @@ -45,6 +46,6 @@ - minifirewall_is_running.rc == 0 - minifirewall_tail_template is changed -- debug: +- ansible.builtin.debug: var: minifirewall_init_restart verbosity: 1 diff --git a/minifirewall/tasks/utils.yml b/minifirewall/tasks/utils.yml index 775bdd95..14ea7aac 100644 --- a/minifirewall/tasks/utils.yml +++ b/minifirewall/tasks/utils.yml @@ -1,10 +1,10 @@ --- -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: /usr/share/scripts exists - file: + ansible.builtin.file: dest: /usr/share/scripts mode: "0700" owner: root @@ -12,7 +12,7 @@ state: directory - name: blacklist-countries.sh is copied - copy: + ansible.builtin.copy: src: blacklist-countries.sh dest: /usr/share/scripts/blacklist-countries.sh force: "no" diff --git a/minifirewall/tests/test.yml b/minifirewall/tests/test.yml index 43dd567f..a7168a68 100644 --- a/minifirewall/tests/test.yml +++ b/minifirewall/tests/test.yml @@ -3,7 +3,7 @@ vars: - minifirewall_trusted_ips: ["{{ ansible_default_ipv4.address }}/24"] pre_tasks: - - apt: + - ansible.builtin.apt: name: git roles: - role: minifirewall diff --git a/mongodb/handlers/main.yml b/mongodb/handlers/main.yml index 15f70437..7b793cdf 100644 --- a/mongodb/handlers/main.yml +++ b/mongodb/handlers/main.yml @@ -1,16 +1,16 @@ --- # handlers file for mongodb - name: restart mongod - service: + ansible.builtin.service: name: mongod state: restarted - name: restart mongodb - service: + ansible.builtin.service: name: mongodb state: restarted - name: restart munin-node - systemd: + ansible.builtin.systemd: name: munin-node state: restarted 
diff --git a/mongodb/tasks/main_bookworm.yml b/mongodb/tasks/main_bookworm.yml index 19bb513b..8261dcb2 100644 --- a/mongodb/tasks/main_bookworm.yml +++ b/mongodb/tasks/main_bookworm.yml @@ -1,6 +1,6 @@ --- -- fail: +- ansible.builtin.fail: msg: MongoDB is not compatible with Debian 12 (Bookworm) when: - ansible_distribution_release == "bookworm" @@ -30,48 +30,48 @@ register: _mongodb_install_package - name: MongoDB service in enabled and started - systemd: + ansible.builtin.systemd: name: mongod enabled: yes state: started when: _mongodb_install_package is changed - name: install dependency for monitoring - apt: + ansible.builtin.apt: name: python3-pymongo state: present - name: Custom configuration - template: + ansible.builtin.template: src: mongodb_bullseye.conf.j2 dest: "/etc/mongod.conf" force: "{{ mongodb_force_config | bool | ternary('yes', 'no') }}" notify: restart mongod - name: Configure logrotate - template: + ansible.builtin.template: src: logrotate_bullseye.j2 dest: /etc/logrotate.d/mongodb force: yes backup: no -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: Create plugin directory - file: + ansible.builtin.file: name: /usr/local/share/munin/ state: directory mode: "0755" - name: Create plugin directory - file: + ansible.builtin.file: name: /usr/local/share/munin/plugins/ state: directory mode: "0755" - name: Munin plugins are present - copy: + ansible.builtin.copy: src: "munin/{{ item }}" dest: '/usr/local/share/munin/plugins/{{ item }}' force: yes @@ -87,7 +87,7 @@ notify: restart munin-node - name: Enable core Munin plugins - file: + ansible.builtin.file: src: '/usr/local/share/munin/plugins/{{ item }}' dest: /etc/munin/plugins/{{ item }} state: link diff --git a/mongodb/tasks/main_bullseye.yml b/mongodb/tasks/main_bullseye.yml index aa20fb97..4a02ee9b 100644 --- a/mongodb/tasks/main_bullseye.yml +++ b/mongodb/tasks/main_bullseye.yml 
@@ -1,13 +1,13 @@ --- -- fail: +- ansible.builtin.fail: msg: MongoDB versions <4.2 are not compatible with Debian 11 (Bullseye) when: - ansible_distribution_release == "bullseye" - mongodb_version is version('5.2', '<') - name: Add MongoDB GPG key - copy: + ansible.builtin.copy: src: "server-{{ mongodb_version }}.asc" dest: "{{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc" force: yes 
@@ -16,61 +16,61 @@ group: root - name: Add MongoDB repository - apt_repository: + ansible.builtin.apt_repository: repo: "deb [signed-by={{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc] http://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{ mongodb_version }} main" state: present filename: "mongodb-org-{{ mongodb_version }}" - name: Install packages - apt: + ansible.builtin.apt: name: mongodb-org update_cache: yes state: present register: _mongodb_install_package - name: MongoDB service in enabled and started - systemd: + ansible.builtin.systemd: name: mongod enabled: yes state: started when: _mongodb_install_package is changed - name: install dependency for monitoring - apt: + ansible.builtin.apt: name: python3-pymongo state: present - name: Custom configuration - template: + ansible.builtin.template: src: mongodb_bullseye.conf.j2 dest: "/etc/mongod.conf" force: "{{ mongodb_force_config | bool | ternary('yes', 'no') }}" notify: restart mongod - name: Configure logrotate - template: + ansible.builtin.template: src: logrotate_bullseye.j2 dest: /etc/logrotate.d/mongodb force: yes backup: no -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: Create plugin directory - file: + ansible.builtin.file: name: /usr/local/share/munin/ state: directory mode: "0755" - name: Create plugin directory - file: + ansible.builtin.file: name: /usr/local/share/munin/plugins/ state: directory mode: "0755" - name: Munin plugins are present - copy: + ansible.builtin.copy: src: "munin/{{ item }}" dest: '/usr/local/share/munin/plugins/{{ item }}' force: yes @@ -86,7 +86,7 @@ notify: restart munin-node - name: Enable core Munin plugins - file: + ansible.builtin.file: src: '/usr/local/share/munin/plugins/{{ item }}' dest: /etc/munin/plugins/{{ item }} state: link diff --git a/mongodb/tasks/main_buster.yml b/mongodb/tasks/main_buster.yml index 44baabc9..415a5a3f 100644 --- a/mongodb/tasks/main_buster.yml +++ b/mongodb/tasks/main_buster.yml 
@@ -1,19 +1,19 @@ --- - name: Look for legacy apt keyring - stat: + ansible.builtin.stat: path: /etc/apt/trusted.gpg register: _trusted_gpg_keyring - name: MongoDB embedded GPG key is absent - apt_key: + ansible.builtin.apt_key: id: "B8612B5D" keyring: /etc/apt/trusted.gpg state: absent when: _trusted_gpg_keyring.stat.exists - name: Add MongoDB GPG key - copy: + ansible.builtin.copy: src: "server-{{ mongodb_version }}.asc" dest: "{{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc" force: yes 
@@ -22,69 +22,69 @@ group: root - name: Enable APT sources list - apt_repository: + ansible.builtin.apt_repository: repo: "deb [signed-by={{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc] http://repo.mongodb.org/apt/debian buster/mongodb-org/{{ mongodb_version }} main" state: present filename: "mongodb-org-{{ mongodb_version }}" update_cache: yes - name: Disable unsigned APT sources list - apt_repository: + ansible.builtin.apt_repository: repo: "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/{{ mongodb_version }} main" state: absent filename: "mongodb-org-{{ mongodb_version }}" update_cache: yes - name: Install packages - apt: + ansible.builtin.apt: name: mongodb-org update_cache: yes state: present register: _mongodb_install_package - name: MongoDB service in enabled and started - systemd: + ansible.builtin.systemd: name: mongod enabled: yes state: started when: _mongodb_install_package is changed - name: install dependency for monitoring - apt: + ansible.builtin.apt: name: python-pymongo state: present - name: Custom configuration - template: + ansible.builtin.template: src: mongodb_buster.conf.j2 dest: "/etc/mongod.conf" force: "{{ mongodb_force_config | bool | ternary('yes', 'no') }}" notify: restart mongod - name: Configure logrotate - template: + ansible.builtin.template: src: logrotate_buster.j2 dest: /etc/logrotate.d/mongodb force: yes backup: no -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: Create plugin directory - file: + ansible.builtin.file: name: /usr/local/share/munin/ state: directory mode: "0755" - name: Create plugin directory - file: + ansible.builtin.file: name: /usr/local/share/munin/plugins/ state: directory mode: "0755" - name: Munin plugins are present - copy: + ansible.builtin.copy: src: "munin/{{ item }}" dest: '/usr/local/share/munin/plugins/{{ item }}' force: yes 
@@ -100,7 +100,7 @@ notify: restart munin-node - name: Enable core Munin plugins - file: + ansible.builtin.file: src: '/usr/local/share/munin/plugins/{{ item }}' dest: /etc/munin/plugins/{{ item }} state: link diff --git a/mongodb/tasks/main_jessie.yml b/mongodb/tasks/main_jessie.yml index bc239393..61d57f85 100644 --- a/mongodb/tasks/main_jessie.yml +++ b/mongodb/tasks/main_jessie.yml @@ -1,19 +1,19 @@ --- - name: Look for legacy apt keyring - stat: + ansible.builtin.stat: path: /etc/apt/trusted.gpg register: _trusted_gpg_keyring - name: MongoDB embedded GPG key is absent - apt_key: + ansible.builtin.apt_key: id: "B8612B5D" keyring: /etc/apt/trusted.gpg state: absent when: _trusted_gpg_keyring.stat.exists - name: Add MongoDB GPG key - copy: + ansible.builtin.copy: src: "server-{{ mongodb_version }}.asc" dest: "/etc/apt/trusted.gpg.d/mongodb-server-{{ mongodb_version }}.asc" force: yes 
@@ -22,39 +22,39 @@ group: root - name: Enable APT sources list - apt_repository: + ansible.builtin.apt_repository: repo: "deb http://repo.mongodb.org/apt/debian jessie/mongodb-org/{{ mongodb_version }} main" state: present filename: "mongodb-org-{{ mongodb_version }}" update_cache: yes - name: Disable APT sources list - apt_repository: + ansible.builtin.apt_repository: repo: "deb http://repo.mongodb.org/apt/debian jessie/mongodb-org/{{ mongodb_version }} main" state: absent filename: "mongodb-org-{{ mongodb_version }}" update_cache: yes - name: Install packages - apt: + ansible.builtin.apt: name: mongodb-org allow_unauthenticated: yes state: present - name: install dependency for monitoring - apt: + ansible.builtin.apt: name: python-pymongo state: present - name: Custom configuration - template: + ansible.builtin.template: src: mongod_jessie.conf.j2 dest: "/etc/mongod.conf" force: "{{ mongodb_force_config | bool | ternary('yes', 'no') }}" notify: restart mongod - name: Configure logrotate - template: + ansible.builtin.template: src: logrotate_jessie.j2 dest: /etc/logrotate.d/mongodb force: yes diff --git a/mongodb/tasks/main_stretch.yml b/mongodb/tasks/main_stretch.yml index fe44e259..0dc33fcf 100644 --- a/mongodb/tasks/main_stretch.yml +++ b/mongodb/tasks/main_stretch.yml 
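Review bot: As printed in the hunk, "Enable APT sources list" and "Disable APT sources list" use the identical `repo:` string with `state: present` followed by `state: absent`, so the second task removes the entry the first one just added; the buster variant distinguishes the two by the `signed-by=` option, which is what this file appears to be missing. "Install packages" then sets `allow_unauthenticated: yes`, which turns off signature verification for `mongodb-org` even though the preceding hunk places the vendor key in `/etc/apt/trusted.gpg.d/`; with the key installed the option should be dropped, or a comment should state why verification cannot be enforced on jessie. The FQCN change itself is fine; the task list continues past the end of the hunk.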
@@ -1,38 +1,39 @@ --- - name: Install packages - apt: + ansible.builtin.apt: name: - mongodb - mongo-tools state: present - name: install dependency for monitoring - apt: + ansible.builtin.apt: name: python-pymongo state: present - name: Custom configuration - template: + ansible.builtin.template: src: mongodb_stretch.conf.j2 dest: "/etc/mongodb.conf" force: "{{ mongodb_force_config | bool | ternary('yes', 'no') }}" notify: restart mongodb - name: enable service - service: + ansible.builtin.service: name: mongodb enabled: yes - name: Configure logrotate - template: + ansible.builtin.template: src: logrotate_stretch.j2 dest: /etc/logrotate.d/mongodb-server force: yes backup: no - name: disable previous logrotate - command: mv /etc/logrotate.d/mongodb /etc/logrotate.d/mongodb.disabled + ansible.builtin.command: + cmd: mv /etc/logrotate.d/mongodb /etc/logrotate.d/mongodb.disabled args: removes: /etc/logrotate.d/mongodb creates: /etc/logrotate.d/mongodb.disabled diff --git a/monit/handlers/main.yml b/monit/handlers/main.yml index d7900061..51beff76 100644 --- a/monit/handlers/main.yml +++ b/monit/handlers/main.yml @@ -1,11 +1,11 @@ --- - name: reload monit - service: + ansible.builtin.service: name: monit state: reloaded - name: restart monit - service: + ansible.builtin.service: name: monit state: restarted diff --git a/monit/tasks/main.yml b/monit/tasks/main.yml index fcdd0b4c..49e4c99b 100644 --- a/monit/tasks/main.yml +++ b/monit/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: monit is installed - apt: + ansible.builtin.apt: name: monit state: present tags: @@ -9,7 +9,7 @@ - packages - name: custom config is installed - template: + ansible.builtin.template: src: evolinux-defaults.conf.j2 dest: /etc/monit/conf.d/z-evolinux-defaults.conf mode: "0640" diff --git a/munin/handlers/main.yml b/munin/handlers/main.yml index 8654181d..76782bf8 100644 --- a/munin/handlers/main.yml +++ b/munin/handlers/main.yml 
@@ -1,15 +1,15 @@ --- - name: restart munin-node - service: + ansible.builtin.service: name: munin-node state: restarted - name: restart munin_node - service: + ansible.builtin.service: name: munin_node state: restarted - name: systemd daemon-reload - systemd: + ansible.builtin.systemd: daemon_reload: yes \ No newline at end of file diff --git a/munin/tasks/main.yml b/munin/tasks/main.yml index 6d3098dd..53aad7d0 100644 --- a/munin/tasks/main.yml +++ b/munin/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: Ensure that Munin (and useful dependencies) is installed - apt: + ansible.builtin.apt: name: - munin - munin-node @@ -14,19 +14,20 @@ - packages - name: Ensure /usr is still writable - include_role: + ansible.builtin.include_role: name: evolix/remount-usr - block: - name: Replace localdomain in Munin config - replace: + ansible.builtin.replace: dest: /etc/munin/munin.conf regexp: 'localhost.localdomain' replace: '{{ ansible_fqdn }}' notify: restart munin-node - name: Rename the localdomain data dir - shell: "mv /var/lib/munin/localdomain /var/lib/munin/{{ ansible_domain }} && rename \"s/localhost.localdomain/{{ ansible_fqdn }}/\" /var/lib/munin/{{ ansible_domain }}/*" + ansible.builtin.shell: + cmd: "mv /var/lib/munin/localdomain /var/lib/munin/{{ ansible_domain }} && rename \"s/localhost.localdomain/{{ ansible_fqdn }}/\" /var/lib/munin/{{ ansible_domain }}/*" args: creates: /var/lib/munin/{{ ansible_domain }} removes: /var/lib/munin/localdomain @@ -36,11 +37,11 @@ tags: - munin -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: Install some Munin plugins (disabled) - copy: + ansible.builtin.copy: src: 'plugins/{{ item }}' dest: '/usr/share/munin/plugins/{{ item }}' loop: @@ -49,7 +50,7 @@ - munin - name: Ensure some Munin plugins are disabled - file: + ansible.builtin.file: path: '/etc/munin/plugins/{{ item }}' state: absent loop: 
@@ -65,7 +66,7 @@ - munin - name: Ensure some Munin plugins are enabled - file: + ansible.builtin.file: src: "/usr/share/munin/plugins/{{ item }}" dest: "/etc/munin/plugins/{{ item }}" state: link @@ -81,7 +82,7 @@ - munin - name: Enable sensors_ plugin on dedicated hardware - file: + ansible.builtin.file: src: /usr/share/munin/plugins/sensors_ dest: "/etc/munin/plugins/sensors_{{ item }}" state: link @@ -94,7 +95,7 @@ - munin - name: Enable ipmi_ plugin on dedicated hardware - file: + ansible.builtin.file: src: /usr/share/munin/plugins/ipmi_ dest: "/etc/munin/plugins/ipmi_{{ item }}" state: link @@ -107,7 +108,7 @@ - volts - name: adjustments for grsec kernel - blockinfile: + ansible.builtin.blockinfile: dest: /etc/munin/plugin-conf.d/munin-node marker: "# {mark} ANSIBLE MANAGED GRSECURITY CUSTOMIZATIONS" block: | @@ -123,13 +124,13 @@ when: ansible_kernel is search("-grs-") - name: Create override directory for munin-node unit - file: + ansible.builtin.file: name: /etc/systemd/system/munin-node.service.d/ state: directory mode: "0755" - name: Override is present for protected home - ini_file: + community.general.ini_file: dest: "/etc/systemd/system/munin-node.service.d/override.conf" section: "Service" option: "ProtectHome" diff --git a/mysql-oracle/handlers/main.yml b/mysql-oracle/handlers/main.yml index c89d562a..eef49ef5 100644 --- a/mysql-oracle/handlers/main.yml +++ b/mysql-oracle/handlers/main.yml 
@@ -1,28 +1,29 @@ --- - name: restart munin-node - service: + ansible.builtin.service: name: munin-node state: restarted - name: restart nagios-nrpe-server - service: + ansible.builtin.service: name: nagios-nrpe-server state: restarted - name: restart mysql - service: + ansible.builtin.service: name: mysql state: restarted - name: restart mysql (noop) - meta: noop + ansible.builtin.meta: noop failed_when: False changed_when: False - name: reload systemd - systemd: + ansible.builtin.systemd: name: mysql daemon_reload: yes - name: Restart minifirewall - command: /etc/init.d/minifirewall restart + ansible.builtin.command: + cmd: /etc/init.d/minifirewall restart diff --git a/mysql-oracle/tasks/config.yml b/mysql-oracle/tasks/config.yml index 16590a59..ff42ed20 100644 --- a/mysql-oracle/tasks/config.yml +++ b/mysql-oracle/tasks/config.yml @@ -1,10 +1,10 @@ --- -- set_fact: +- ansible.builtin.set_fact: mysql_config_directory: "/etc/mysql/mysql.conf.d" - name: "Copy MySQL defaults config file" - copy: + ansible.builtin.copy: src: evolinux-defaults.cnf dest: "{{ mysql_config_directory }}/z-evolinux-defaults.cnf" owner: root @@ -15,7 +15,7 @@ - mysql - name: "Copy MySQL custom config file" - template: + ansible.builtin.template: src: evolinux-custom.cnf.j2 dest: "{{ mysql_config_directory }}/zzz-evolinux-custom.cnf" owner: root diff --git a/mysql-oracle/tasks/datadir.yml b/mysql-oracle/tasks/datadir.yml index c375f5d5..d28d6440 100644 --- a/mysql-oracle/tasks/datadir.yml +++ b/mysql-oracle/tasks/datadir.yml @@ -2,13 +2,14 @@ - block: - name: "Is {{ mysql_custom_datadir }} present ?" - stat: + ansible.builtin.stat: path: "{{ mysql_custom_datadir }}" check_mode: no register: mysql_custom_datadir_test - name: "read the real datadir" - command: readlink -f /var/lib/mysql + ansible.builtin.command: + cmd: readlink -f /var/lib/mysql changed_when: False check_mode: no register: mysql_current_real_datadir_test 
@@ -18,23 +19,24 @@ - block: - name: MySQL is stopped - service: + ansible.builtin.service: name: mysql state: stopped - name: Move MySQL datadir to {{ mysql_custom_datadir }} - command: mv {{ mysql_current_real_datadir_test.stdout }} {{ mysql_custom_datadir }} + ansible.builtin.command: + cmd: mv {{ mysql_current_real_datadir_test.stdout }} {{ mysql_custom_datadir }} args: creates: "{{ mysql_custom_datadir }}" - name: Symlink {{ mysql_custom_datadir }} to /var/lib/mysql - file: + ansible.builtin.file: src: "{{ mysql_custom_datadir }}" dest: '/var/lib/mysql' state: link - name: MySQL is started - service: + ansible.builtin.service: name: mysql state: started tags: diff --git a/mysql-oracle/tasks/log2mail.yml b/mysql-oracle/tasks/log2mail.yml index 568b6649..4eee01c8 100644 --- a/mysql-oracle/tasks/log2mail.yml +++ b/mysql-oracle/tasks/log2mail.yml @@ -1,7 +1,7 @@ --- - name: Is log2mail present ? - stat: + ansible.builtin.stat: path: /etc/log2mail/config check_mode: no register: log2mail_config_dir @@ -10,7 +10,7 @@ - log2mail - name: Copy log2mail config - template: + ansible.builtin.template: src: log2mail.j2 dest: /etc/log2mail/config/mysql.conf owner: log2mail diff --git a/mysql-oracle/tasks/main.yml b/mysql-oracle/tasks/main.yml index 2e2f09bf..1e928681 100644 --- a/mysql-oracle/tasks/main.yml +++ b/mysql-oracle/tasks/main.yml 
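Review bot: The `mv` task in this hunk still interpolates both paths unquoted into `cmd:`, so a datadir path containing whitespace would be word-split by the command module even though the commit already reworked this line into the dict form. Since the task is being touched anyway, the `argv` form avoids any shell-style splitting and lets `creates` sit directly under the module. The same pattern is in the matching hunks of mysql/tasks/datadir.yml and mysql/tasks/logdir.yml.
```yaml
- name: Move MySQL datadir to {{ mysql_custom_datadir }}
  ansible.builtin.command:
    argv:
      - mv
      - "{{ mysql_current_real_datadir_test.stdout }}"
      - "{{ mysql_custom_datadir }}"
    creates: "{{ mysql_custom_datadir }}"
# … unchanged: symlink and "MySQL is started" tasks …
```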
@@ -1,22 +1,22 @@ --- -- set_fact: +- ansible.builtin.set_fact: mysql_restart_handler_name: "{{ mysql_restart_if_needed | bool | ternary('restart mysql', 'restart mysql (noop)') }}" -- include: packages.yml +- ansible.builtin.include: packages.yml -- include: users.yml +- ansible.builtin.include: users.yml -- include: config.yml +- ansible.builtin.include: config.yml -- include: datadir.yml +- ansible.builtin.include: datadir.yml -- include: tmpdir.yml +- ansible.builtin.include: tmpdir.yml -- include: nrpe.yml +- ansible.builtin.include: nrpe.yml -- include: munin.yml +- ansible.builtin.include: munin.yml -- include: log2mail.yml +- ansible.builtin.include: log2mail.yml -- include: utils.yml +- ansible.builtin.include: utils.yml diff --git a/mysql-oracle/tasks/munin.yml b/mysql-oracle/tasks/munin.yml index b9e633b0..bed33556 100644 --- a/mysql-oracle/tasks/munin.yml +++ b/mysql-oracle/tasks/munin.yml @@ -1,7 +1,7 @@ --- - name: is Munin present ? - stat: + ansible.builtin.stat: path: /etc/munin/plugin-conf.d/munin-node check_mode: no register: munin_node_plugins_config @@ -11,14 +11,14 @@ - block: - name: Install perl libraries for Munin - apt: + ansible.builtin.apt: name: - libdbd-mysql-perl - libcache-cache-perl state: present - name: Enable core Munin plugins - file: + ansible.builtin.file: src: '/usr/share/munin/plugins/{{ item }}' dest: /etc/munin/plugins/{{ item }} state: link @@ -30,7 +30,7 @@ notify: restart munin-node - name: Enable contributed Munin plugins - file: + ansible.builtin.file: src: /usr/share/munin/plugins/mysql_ dest: '/etc/munin/plugins/mysql_{{ item }}' state: link diff --git a/mysql-oracle/tasks/nrpe.yml b/mysql-oracle/tasks/nrpe.yml index c3457699..cce8e4b7 100644 --- a/mysql-oracle/tasks/nrpe.yml +++ b/mysql-oracle/tasks/nrpe.yml @@ -1,7 +1,7 @@ --- - name: is NRPE present ? - stat: + ansible.builtin.stat: path: /etc/nagios/nrpe.d/evolix.cfg check_mode: no register: nrpe_evolix_config 
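Review bot: Rewriting `include:` as `ansible.builtin.include:` keeps the deprecated `include` action, which has been slated for removal from ansible-core for some time, so the FQCN migration will still produce deprecation warnings on this file. The mysql role in this same commit already uses `include_tasks`, so the nine lines here should follow suit, e.g. `- ansible.builtin.include_tasks: packages.yml`. If any of these includes relies on the old dynamic/static hybrid behaviour of `include`, that would be worth a comment, but nothing in the hunk suggests it.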
@@ -10,7 +10,7 @@ - nrpe - name: NRPE user exists for MySQL ? - stat: + ansible.builtin.stat: path: ~nagios/.my.cnf check_mode: no register: nrpe_my_cnf @@ -20,13 +20,14 @@ - block: - name: Create a password for NRPE - command: "apg -n 1 -m 16 -M lcN" + ansible.builtin.command: + cmd: "apg -n 1 -m 16 -M lcN" register: mysql_nrpe_password check_mode: no changed_when: False - name: Create nrpe user - mysql_user: + community.mysql.mysql_user: name: nrpe password: '{{ mysql_nrpe_password.stdout }}' priv: "*.*:REPLICATION CLIENT" @@ -36,7 +37,7 @@ register: create_nrpe_user - name: Store credentials in nagios home - ini_file: + community.general.ini_file: dest: "~nagios/.my.cnf" owner: nagios group: nagios diff --git a/mysql-oracle/tasks/packages.yml b/mysql-oracle/tasks/packages.yml index 5bf8848e..7ceadd89 100644 --- a/mysql-oracle/tasks/packages.yml +++ b/mysql-oracle/tasks/packages.yml 
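Review bot: The "Create a password for NRPE" task registers the `apg` output as `mysql_nrpe_password`, and a registered command result (including `stdout`, i.e. the clear-text password) is printed in verbose runs and on later failures unless the task carries `no_log: true`; nothing in the hunk sets it. Adding `no_log: true` to the command task closes that; the following `community.mysql.mysql_user` task appears to be covered by the module's own masking of `password`, but that is an inference about the module, not visible here. The same `apg` + `register` pattern without a visible `no_log` appears in mysql-oracle/tasks/users.yml, mysql/tasks/nrpe.yml, mysql/tasks/users_buster.yml, mysql/tasks/users_jessie.yml and mysql/tasks/users_stretch.yml. If the generating host does not need `apg`, the controller-side `ansible.builtin.password` lookup would also remove the dependency on the `apg` package.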
@@ -1,43 +1,43 @@ --- -- set_fact: +- ansible.builtin.set_fact: mysql_apt_config_package: mysql-apt-config_0.8.9-1_all.deb - name: Set default MySQL version to 5.7 - debconf: + ansible.builtin.debconf: name: mysql-apt-config question: mysql-apt-config/enable-repo value: mysql-5.7 vtype: select - name: MySQL APT config package is available - copy: + ansible.builtin.copy: src: "{{ mysql_apt_config_package }}" dest: "/root/{{ mysql_apt_config_package }}" -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: MySQL APT config package is installed - apt: + ansible.builtin.apt: deb: "/root/{{ mysql_apt_config_package }}" state: present register: mysql_apt_config_deb - name: Open firewall for MySQL.com repository - replace: + ansible.builtin.replace: name: /etc/default/minifirewall regexp: "^(HTTPSITES='((?!(repo\\.mysql\\.com|0\\.0\\.0\\.0)).)*)'$" replace: "\\1 repo.mysql.com'" notify: Restart minifirewall -- meta: flush_handlers +- ansible.builtin.meta: flush_handlers -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: /usr/share/mysql exists - file: + ansible.builtin.file: dest: /usr/share/mysql/ mode: "0755" owner: root @@ -45,7 +45,7 @@ state: directory - name: mysql-systemd-start scripts is installed - copy: + ansible.builtin.copy: src: debian/mysql-systemd-start dest: /usr/share/mysql/mysql-systemd-start mode: "0755" @@ -54,7 +54,7 @@ force: yes - name: systemd unit is installed - copy: + ansible.builtin.copy: src: debian/mysql-server-5.7.mysql.service dest: /etc/systemd/system/mysql.service mode: "0644" @@ -64,12 +64,12 @@ register: mysql_systemd_unit - name: APT cache is up-to-date - apt: + ansible.builtin.apt: update_cache: yes when: mysql_apt_config_deb is changed - name: Install MySQL packages - apt: + ansible.builtin.apt: name: - mysql-server - mysql-client 
@@ -80,7 +80,7 @@ - packages - name: Install MySQL dev packages - apt: + ansible.builtin.apt: name: libmysqlclient20 update_cache: yes state: present @@ -90,7 +90,7 @@ when: mysql_install_libclient | bool - name: MySQL is started - systemd: + ansible.builtin.systemd: name: mysql daemon_reload: yes state: started @@ -99,7 +99,7 @@ - services - name: apg package is installed - apt: + ansible.builtin.apt: name: apg state: present tags: diff --git a/mysql-oracle/tasks/tmpdir.yml b/mysql-oracle/tasks/tmpdir.yml index 790a9f2e..d293ea82 100644 --- a/mysql-oracle/tasks/tmpdir.yml +++ b/mysql-oracle/tasks/tmpdir.yml @@ -2,7 +2,7 @@ - block: - name: "Create {{ mysql_custom_tmpdir }}" - file: + ansible.builtin.file: path: "{{ mysql_custom_tmpdir }}" owner: mysql group: mysql @@ -12,7 +12,7 @@ - mysql - name: Configure tmpdir - ini_file: + community.general.ini_file: dest: "{{ mysql_config_directory }}/zzz-evolinux-custom.cnf" section: mysqld option: tmpdir diff --git a/mysql-oracle/tasks/users.yml b/mysql-oracle/tasks/users.yml index d0c444e5..62923f27 100644 --- a/mysql-oracle/tasks/users.yml +++ b/mysql-oracle/tasks/users.yml @@ -1,7 +1,7 @@ --- - name: Python2 dependencies for Ansible are installed - apt: + ansible.builtin.apt: name: - python-mysqldb - python-pymysql @@ -11,7 +11,7 @@ when: ansible_python_version is version('3', '<') - name: Python3 dependencies for Ansible are installed - apt: + ansible.builtin.apt: name: - python3-mysqldb - python3-pymysql @@ -21,14 +21,15 @@ when: ansible_python_version is version('3', '>=') - name: create a password for mysqladmin - command: "apg -n 1 -m 16 -M lcN" + ansible.builtin.command: + cmd: "apg -n 1 -m 16 -M lcN" register: mysql_admin_password changed_when: False tags: - mysql - name: there is a mysqladmin user - mysql_user: + community.mysql.mysql_user: name: mysqladmin password: '{{ mysql_admin_password.stdout }}' priv: "*.*:ALL,GRANT" 
@@ -41,7 +42,7 @@ - mysql - name: mysqladmin is the default user - ini_file: + community.general.ini_file: dest: /root/.my.cnf mode: "0600" section: client @@ -57,14 +58,15 @@ - name: create a password for debian-sys-maint - command: "apg -n 1 -m 16 -M lcN" + ansible.builtin.command: + cmd: "apg -n 1 -m 16 -M lcN" register: mysql_debian_password changed_when: False tags: - mysql - name: there is a debian-sys-maint user - mysql_user: + community.mysql.mysql_user: name: debian-sys-maint password: '{{ mysql_debian_password.stdout }}' priv: "*.*:ALL,GRANT" @@ -76,7 +78,7 @@ - mysql - name: store debian-sys-maint user credentials - ini_file: + community.general.ini_file: dest: /etc/mysql/debian.cnf mode: "0600" section: "{{ item[0] }}" @@ -94,7 +96,7 @@ - mysql - name: remove root user - mysql_user: + community.mysql.mysql_user: name: root host_all: yes config_file: "/root/.my.cnf" diff --git a/mysql-oracle/tasks/utils.yml b/mysql-oracle/tasks/utils.yml index 82b0ddbe..cbcc9e37 100644 --- a/mysql-oracle/tasks/utils.yml +++ b/mysql-oracle/tasks/utils.yml @@ -1,14 +1,14 @@ --- -- set_fact: +- ansible.builtin.set_fact: _mysql_scripts_dir: "{{ mysql_scripts_dir | default(general_scripts_dir, True) | mandatory }}" -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr when: _mysql_scripts_dir is search("/usr") - name: Scripts directory exists - file: + ansible.builtin.file: dest: "{{ _mysql_scripts_dir }}" mode: "0700" state: directory @@ -18,7 +18,7 @@ # mytop - name: "mytop is installed (Debian 9)" - apt: + ansible.builtin.apt: name: mytop state: present tags: @@ -33,7 +33,7 @@ # when: ansible_distribution_major_version is version('9', '>=') - name: "mytop dependencies are installed (Buster)" - apt: + ansible.builtin.apt: name: - libconfig-inifiles-perl - libdbd-mysql-perl 
@@ -47,7 +47,7 @@ when: ansible_distribution_release == "stretch" - name: "Install dependencies for mytop (Debian 10)" - apt: + ansible.builtin.apt: name: - mariadb-client-10.3 - libconfig-inifiles-perl @@ -55,21 +55,21 @@ when: ansible_distribution_release == "buster" - name: "Install dependencies for mytop (Debian 11 or later)" - apt: + ansible.builtin.apt: name: - mariadb-client-10.5 - libconfig-inifiles-perl - libterm-readkey-perl when: ansible_distribution_major_version is version('11', '>=') -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr tags: - mytop - mysql - name: "mytop is installed (Debian 9 or later)" - copy: + ansible.builtin.copy: src: mytop dest: /usr/local/bin/mytop mode: "0755" @@ -82,7 +82,8 @@ when: ansible_distribution_major_version is version('9', '>=') - name: Read debian-sys-maint password - shell: 'cat /etc/mysql/debian.cnf | grep -m1 "password = .*" | cut -d" " -f3' + ansible.builtin.shell: + cmd: 'cat /etc/mysql/debian.cnf | grep -m1 "password = .*" | cut -d" " -f3' register: mysql_debian_password changed_when: False check_mode: no @@ -91,7 +92,7 @@ - mysql - name: mytop configuration is copied - template: + ansible.builtin.template: src: mytop-config.j2 dest: /root/.mytop mode: "0600" @@ -102,7 +103,7 @@ # mysqltuner -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr tags: - mysql @@ -113,7 +114,7 @@ # src: mysqltuner.pl # dest: "{{ _mysql_scripts_dir }}/mysqltuner.pl" # mode: "0700" - apt: + ansible.builtin.apt: name: mysqltuner state: present tags: @@ -121,21 +122,21 @@ - mysqltuner - name: aha is installed - apt: + ansible.builtin.apt: name: aha tags: - mysql # automatic optimizations -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr tags: - mysql when: _mysql_scripts_dir is search("/usr") - name: mysql-optimize.sh is installed - copy: + ansible.builtin.copy: src: mysql-optimize.sh dest: "{{ _mysql_scripts_dir }}/mysql-optimize.sh" mode: "0700" 
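Review bot: The "Read debian-sys-maint password" task now runs the `cat | grep | cut` pipeline through `ansible.builtin.shell` and registers the extracted password as `mysql_debian_password` without a visible `no_log`, so the clear-text value lands in verbose output and in failure diagnostics; add `no_log: true` to the task unless a line outside the hunk already sets it. The pipeline itself is read-only, but `grep -m1 "password = .*"` silently yields an empty string if the file uses a different spacing around `=`, and a `failed_when: mysql_debian_password.stdout | length == 0` would make that visible instead of templating an empty credential into `/root/.mytop`. The identical task in mysql/tasks/utils.yml ("Read debian-sys-maint password (Debian < 11)") has the same gap.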
@@ -143,7 +144,7 @@ - mysql - name: "Cron dir for optimize is present" - file: + ansible.builtin.file: path: "/etc/cron.{{ mysql_cron_optimize_frequency | mandatory }}" state: directory mode: "0755" @@ -153,7 +154,7 @@ - mysql - name: "Enable cron to optimize MySQL" - file: + ansible.builtin.file: src: "{{ _mysql_scripts_dir }}/mysql-optimize.sh" dest: /etc/cron.{{ mysql_cron_optimize_frequency | mandatory }}/mysql-optimize.sh state: link @@ -162,7 +163,7 @@ - mysql - name: "Disable cron to optimize MySQL" - file: + ansible.builtin.file: dest: /etc/cron.{{ mysql_cron_optimize_frequency | mandatory }}/mysql-optimize.sh state: absent when: not (mysql_cron_optimize | bool) @@ -170,7 +171,7 @@ - mysql - name: "Cron dir for mysqltuner is present" - file: + ansible.builtin.file: path: "/etc/cron.{{ mysql_cron_mysqltuner_frequency | mandatory }}" state: directory mode: "0755" @@ -181,7 +182,7 @@ - mysqltuner - name: "Enable mysqltuner in cron" - copy: + ansible.builtin.copy: src: mysqltuner.cron.sh dest: /etc/cron.{{ mysql_cron_mysqltuner_frequency | mandatory }}/mysqltuner.sh mode: "0755" @@ -191,7 +192,7 @@ - mysqltuner - name: "Disable mysqltuner in cron" - file: + ansible.builtin.file: dest: /etc/cron.{{ mysql_cron_mysqltuner_frequency | mandatory }}/mysqltuner.sh state: absent when: not (mysql_cron_mysqltuner | bool) @@ -201,12 +202,12 @@ # my-add.sh -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr when: _mysql_scripts_dir is search("/usr") - name: Install my-add.sh - copy: + ansible.builtin.copy: src: my-add.sh dest: "{{ _mysql_scripts_dir }}/my-add.sh" mode: "0700" diff --git a/mysql/handlers/main.yml b/mysql/handlers/main.yml index 80afafe5..01ffeccd 100644 --- a/mysql/handlers/main.yml +++ b/mysql/handlers/main.yml 
@@ -1,25 +1,25 @@ --- - name: restart munin-node - service: + ansible.builtin.service: name: munin-node state: restarted - name: restart mysql - service: + ansible.builtin.service: name: mysql state: restarted - name: restart mysql (noop) - meta: noop + ansible.builtin.meta: noop failed_when: False changed_when: False - name: reload systemd - systemd: + ansible.builtin.systemd: name: mysql daemon_reload: yes - name: 'restart xinetd' - service: + ansible.builtin.service: name: 'xinetd' state: 'restarted' diff --git a/mysql/tasks/config_jessie.yml b/mysql/tasks/config_jessie.yml index a5dd4d77..174fc56a 100644 --- a/mysql/tasks/config_jessie.yml +++ b/mysql/tasks/config_jessie.yml @@ -1,10 +1,10 @@ --- -- set_fact: +- ansible.builtin.set_fact: mysql_config_directory: /etc/mysql/conf.d - name: "Copy MySQL defaults config file (jessie)" - copy: + ansible.builtin.copy: src: evolinux-defaults.cnf dest: "{{ mysql_config_directory }}/{{ mysql_evolinux_defaults_file }}" owner: root @@ -15,7 +15,7 @@ - mysql - name: "Copy MySQL custom config file (jessie)" - template: + ansible.builtin.template: src: evolinux-custom.cnf.j2 dest: "{{ mysql_config_directory }}/{{ mysql_evolinux_custom_file }}" owner: root diff --git a/mysql/tasks/config_stretch.yml b/mysql/tasks/config_stretch.yml index cfbeedfe..dcf4e9e7 100644 --- a/mysql/tasks/config_stretch.yml +++ b/mysql/tasks/config_stretch.yml @@ -1,10 +1,10 @@ --- -- set_fact: +- ansible.builtin.set_fact: mysql_config_directory: /etc/mysql/mariadb.conf.d - name: "Copy MySQL defaults config file (Debian 9 or later)" - copy: + ansible.builtin.copy: src: evolinux-defaults.cnf dest: "{{ mysql_config_directory }}/{{ mysql_evolinux_defaults_file }}" owner: root @@ -15,7 +15,7 @@ - mysql - name: "Copy MySQL custom config file (Debian 9 or later)" - template: + ansible.builtin.template: src: evolinux-custom.cnf.j2 dest: "{{ mysql_config_directory }}/{{ mysql_evolinux_custom_file }}" owner: root 
@@ -26,19 +26,19 @@ - mysql - name: "Create a system config directory for systemd overrides (Debian 9 or later)" - file: + ansible.builtin.file: path: /etc/systemd/system/mariadb.service.d state: directory - name: "Override MariaDB systemd unit (Debian 9 or later)" - template: + ansible.builtin.template: src: mariadb.systemd.j2 dest: /etc/systemd/system/mariadb.service.d/evolinux.conf force: yes register: mariadb_systemd_override - name: reload systemd and restart MariaDB - systemd: + ansible.builtin.systemd: name: mysql daemon_reload: yes notify: "{{ mysql_restart_handler_name }}" diff --git a/mysql/tasks/datadir.yml b/mysql/tasks/datadir.yml index c375f5d5..d28d6440 100644 --- a/mysql/tasks/datadir.yml +++ b/mysql/tasks/datadir.yml @@ -2,13 +2,14 @@ - block: - name: "Is {{ mysql_custom_datadir }} present ?" - stat: + ansible.builtin.stat: path: "{{ mysql_custom_datadir }}" check_mode: no register: mysql_custom_datadir_test - name: "read the real datadir" - command: readlink -f /var/lib/mysql + ansible.builtin.command: + cmd: readlink -f /var/lib/mysql changed_when: False check_mode: no register: mysql_current_real_datadir_test @@ -18,23 +19,24 @@ - block: - name: MySQL is stopped - service: + ansible.builtin.service: name: mysql state: stopped - name: Move MySQL datadir to {{ mysql_custom_datadir }} - command: mv {{ mysql_current_real_datadir_test.stdout }} {{ mysql_custom_datadir }} + ansible.builtin.command: + cmd: mv {{ mysql_current_real_datadir_test.stdout }} {{ mysql_custom_datadir }} args: creates: "{{ mysql_custom_datadir }}" - name: Symlink {{ mysql_custom_datadir }} to /var/lib/mysql - file: + ansible.builtin.file: src: "{{ mysql_custom_datadir }}" dest: '/var/lib/mysql' state: link - name: MySQL is started - service: + ansible.builtin.service: name: mysql state: started tags: diff --git a/mysql/tasks/log2mail.yml b/mysql/tasks/log2mail.yml index 568b6649..4eee01c8 100644 --- a/mysql/tasks/log2mail.yml +++ b/mysql/tasks/log2mail.yml 
@@ -1,7 +1,7 @@ --- - name: Is log2mail present ? - stat: + ansible.builtin.stat: path: /etc/log2mail/config check_mode: no register: log2mail_config_dir @@ -10,7 +10,7 @@ - log2mail - name: Copy log2mail config - template: + ansible.builtin.template: src: log2mail.j2 dest: /etc/log2mail/config/mysql.conf owner: log2mail diff --git a/mysql/tasks/logdir.yml b/mysql/tasks/logdir.yml index bd6ecab2..10d2f70e 100644 --- a/mysql/tasks/logdir.yml +++ b/mysql/tasks/logdir.yml @@ -2,13 +2,14 @@ - block: - name: "Is {{ mysql_custom_logdir }} present ?" - stat: + ansible.builtin.stat: path: "{{ mysql_custom_logdir }}" check_mode: no register: mysql_custom_logdir_test - name: "read the real logdir" - command: readlink -f /var/log/mysql + ansible.builtin.command: + cmd: readlink -f /var/log/mysql changed_when: False check_mode: no register: mysql_current_real_logdir_test @@ -18,23 +19,24 @@ - block: - name: MySQL is stopped - service: + ansible.builtin.service: name: mysql state: stopped - name: Move MySQL logdir to {{ mysql_custom_logdir }} - command: mv {{ mysql_current_real_logdir_test.stdout }} {{ mysql_custom_logdir }} + ansible.builtin.command: + cmd: mv {{ mysql_current_real_logdir_test.stdout }} {{ mysql_custom_logdir }} args: creates: "{{ mysql_custom_logdir }}" - name: Symlink {{ mysql_custom_logdir }} to /var/log/mysql - file: + ansible.builtin.file: src: "{{ mysql_custom_logdir }}" dest: '/var/log/mysql' state: link - name: MySQL is started - service: + ansible.builtin.service: name: mysql state: started tags: diff --git a/mysql/tasks/main.yml b/mysql/tasks/main.yml index 2a24c69f..cc32bff4 100644 --- a/mysql/tasks/main.yml +++ b/mysql/tasks/main.yml 
@@ -1,11 +1,11 @@ --- - name: Set if MySQL should be restart (if needed) or not at all - set_fact: + ansible.builtin.set_fact: mysql_restart_handler_name: "{{ mysql_restart_if_needed | bool | ternary('restart mysql', 'restart mysql (noop)') }}" - name: Default log directory is present - file: + ansible.builtin.file: path: /var/log/mysql owner: mysql group: adm 
@@ -13,46 +13,46 @@ state: directory when: ansible_distribution_major_version is version('12', '>=') -- include_tasks: packages_stretch.yml +- ansible.builtin.include_tasks: packages_stretch.yml when: ansible_distribution_major_version is version('9', '>=') -- include_tasks: packages_jessie.yml +- ansible.builtin.include_tasks: packages_jessie.yml when: ansible_distribution_release == "jessie" ## There is nothing to do with users on Debian 11+ - yet we need a /root/.my.cnf for compatibility -- include_tasks: users_bullseye.yml +- ansible.builtin.include_tasks: users_bullseye.yml when: ansible_distribution_major_version is version('11', '>=') -- include_tasks: users_buster.yml +- ansible.builtin.include_tasks: users_buster.yml when: ansible_distribution_release == "buster" -- include_tasks: users_stretch.yml +- ansible.builtin.include_tasks: users_stretch.yml when: ansible_distribution_release == "stretch" -- include_tasks: users_jessie.yml +- ansible.builtin.include_tasks: users_jessie.yml when: ansible_distribution_release == "jessie" -- include_tasks: config_stretch.yml +- ansible.builtin.include_tasks: config_stretch.yml when: ansible_distribution_major_version is version('9', '>=') -- include_tasks: config_jessie.yml +- ansible.builtin.include_tasks: config_jessie.yml when: ansible_distribution_release == "jessie" -- include_tasks: replication.yml +- ansible.builtin.include_tasks: replication.yml when: mysql_replication | bool -- include_tasks: datadir.yml +- ansible.builtin.include_tasks: datadir.yml -- include_tasks: logdir.yml +- ansible.builtin.include_tasks: logdir.yml -- include_tasks: tmpdir.yml +- ansible.builtin.include_tasks: tmpdir.yml -- include_tasks: nrpe.yml +- ansible.builtin.include_tasks: nrpe.yml -- include_tasks: munin.yml +- ansible.builtin.include_tasks: munin.yml -- include_tasks: log2mail.yml +- ansible.builtin.include_tasks: log2mail.yml -- include_tasks: utils.yml +- ansible.builtin.include_tasks: utils.yml -- include_tasks: 
mysql_skip.yml +- ansible.builtin.include_tasks: mysql_skip.yml diff --git a/mysql/tasks/munin.yml b/mysql/tasks/munin.yml index 7d67065f..9b4e9617 100644 --- a/mysql/tasks/munin.yml +++ b/mysql/tasks/munin.yml @@ -1,7 +1,7 @@ --- - name: is Munin present ? - stat: + ansible.builtin.stat: path: /etc/munin/plugin-conf.d/munin-node check_mode: no register: munin_node_plugins_config @@ -11,7 +11,7 @@ - block: - name: "Install perl libraries for Munin (Debian < 11)" - apt: + ansible.builtin.apt: name: - libdbd-mysql-perl - libcache-cache-perl @@ -19,14 +19,14 @@ when: ansible_distribution_major_version is version('11', '<') - name: "Install perl libraries for Munin (Debian >= 11)" - apt: + ansible.builtin.apt: name: - libcache-cache-perl - libdbd-mariadb-perl when: ansible_distribution_major_version is version('11', '>=') - name: Enable core Munin plugins - file: + ansible.builtin.file: src: '/usr/share/munin/plugins/{{ item }}' dest: /etc/munin/plugins/{{ item }} state: link @@ -38,7 +38,7 @@ notify: restart munin-node - name: Enable contributed Munin plugins - file: + ansible.builtin.file: src: /usr/share/munin/plugins/mysql_ dest: '/etc/munin/plugins/mysql_{{ item }}' state: link @@ -67,7 +67,7 @@ notify: restart munin-node - name: verify Munin configuration for mysql < Debian 11 - replace: + ansible.builtin.replace: dest: /etc/munin/plugin-conf.d/munin-node after: '\[mysql\*\]' regexp: '^env.mysqluser (.+)$' @@ -76,7 +76,7 @@ when: ansible_distribution_major_version is version_compare('11', '<') - name: set Munin env.mysqluser option for mysql >= Debian 11 - replace: + ansible.builtin.replace: dest: /etc/munin/plugin-conf.d/munin-node after: '\[mysql\*\]' regexp: '^env.mysqluser (.+)$' @@ -85,7 +85,7 @@ when: ansible_distribution_major_version is version_compare('11', '>=') - name: set Munin env.mysqlopts option for mysql >= Debian 11 - replace: + ansible.builtin.replace: dest: /etc/munin/plugin-conf.d/munin-node after: '\[mysql\*\]' regexp: '^env.mysqlopts (.+)$' 
@@ -94,7 +94,7 @@ when: ansible_distribution_major_version is version_compare('11', '>=') - name: set Munin env.mysqlconnection option for mysql >= Debian 11 - replace: + ansible.builtin.replace: dest: /etc/munin/plugin-conf.d/munin-node after: '\[mysql\*\]' regexp: '^env.mysqlconnection (.+)$' diff --git a/mysql/tasks/mysql_skip.yml b/mysql/tasks/mysql_skip.yml index 65d1c13f..2455641a 100644 --- a/mysql/tasks/mysql_skip.yml +++ b/mysql/tasks/mysql_skip.yml @@ -1,7 +1,7 @@ --- - name: "Copy script mysql_skip.sh into /usr/local/bin/" - copy: + ansible.builtin.copy: src: mysql_skip.sh dest: "/usr/local/bin/mysql_skip.sh" owner: root @@ -12,7 +12,7 @@ - mysql_skip - name: "Copy config file for mysql_skip.sh" - template: + ansible.builtin.template: src: mysql_skip.conf.j2 dest: "/etc/mysql_skip.conf" owner: root @@ -22,7 +22,7 @@ - mysql_skip - name: "Create log file for mysql_skip.sh" - file: + ansible.builtin.file: path: "/var/log/mysql_skip.log" state: touch owner: root @@ -32,7 +32,7 @@ - mysql_skip - name: "Copy logrotate file for mysql_skip.sh" - template: + ansible.builtin.template: src: mysql_skip.logrotate.j2 dest: "/etc/logrotate.d/mysql_skip" owner: root @@ -42,13 +42,13 @@ - mysql_skip - name: "Copy mysql_skip.sh systemd unit" - template: + ansible.builtin.template: src: mysql_skip.systemd.j2 dest: /etc/systemd/system/mysql_skip.service force: yes - name: "Start or stop systemd unit" - systemd: + ansible.builtin.systemd: name: mysql_skip daemon_reload: yes state: "{{ mysql_skip_enabled | bool | ternary('started', 'stopped') }}" \ No newline at end of file diff --git a/mysql/tasks/nrpe.yml b/mysql/tasks/nrpe.yml index c3457699..cce8e4b7 100644 --- a/mysql/tasks/nrpe.yml +++ b/mysql/tasks/nrpe.yml @@ -1,7 +1,7 @@ --- - name: is NRPE present ? - stat: + ansible.builtin.stat: path: /etc/nagios/nrpe.d/evolix.cfg check_mode: no register: nrpe_evolix_config 
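Review bot: The "Create log file for mysql_skip.sh" task in mysql/tasks/mysql_skip.yml uses `state: touch`, which updates the timestamps and therefore reports `changed` on every run, so the role is not idempotent for that task and any notify attached to it would fire each time. Adding `modification_time: preserve` and `access_time: preserve` under the module keeps the create-if-missing behaviour while leaving an existing file untouched. The task's remaining parameters (group, mode) are outside the hunk.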
@@ -10,7 +10,7 @@ - nrpe - name: NRPE user exists for MySQL ? - stat: + ansible.builtin.stat: path: ~nagios/.my.cnf check_mode: no register: nrpe_my_cnf @@ -20,13 +20,14 @@ - block: - name: Create a password for NRPE - command: "apg -n 1 -m 16 -M lcN" + ansible.builtin.command: + cmd: "apg -n 1 -m 16 -M lcN" register: mysql_nrpe_password check_mode: no changed_when: False - name: Create nrpe user - mysql_user: + community.mysql.mysql_user: name: nrpe password: '{{ mysql_nrpe_password.stdout }}' priv: "*.*:REPLICATION CLIENT" @@ -36,7 +37,7 @@ register: create_nrpe_user - name: Store credentials in nagios home - ini_file: + community.general.ini_file: dest: "~nagios/.my.cnf" owner: nagios group: nagios diff --git a/mysql/tasks/packages_jessie.yml b/mysql/tasks/packages_jessie.yml index 652eace7..942c1006 100644 --- a/mysql/tasks/packages_jessie.yml +++ b/mysql/tasks/packages_jessie.yml @@ -1,7 +1,7 @@ --- - name: Choose packages (Oracle) - set_fact: + ansible.builtin.set_fact: mysql_packages: "{{ mysql_packages_oracle }}" when: mysql_variant == "oracle" tags: @@ -9,7 +9,7 @@ - packages - name: Choose packages (MariaDB) - set_fact: + ansible.builtin.set_fact: mysql_packages: "{{ mysql_packages_mariadb }}" when: mysql_variant == "mariadb" tags: @@ -17,7 +17,7 @@ - packages - name: Install MySQL packages - apt: + ansible.builtin.apt: name: "{{ mysql_packages }}" update_cache: yes state: present @@ -26,7 +26,7 @@ - packages - name: Install MySQL dev packages - apt: + ansible.builtin.apt: name: libmysqlclient-dev update_cache: yes state: present @@ -36,7 +36,7 @@ when: mysql_install_libclient | bool - name: MySQL is started - service: + ansible.builtin.service: name: mysql state: started tags: @@ -44,7 +44,7 @@ - services - name: apg package is installed - apt: + ansible.builtin.apt: name: apg state: present tags: @@ -52,7 +52,7 @@ - packages - name: Python dependencies for Ansible are installed - apt: + ansible.builtin.apt: name: python-mysqldb state: present tags: 
diff --git a/mysql/tasks/packages_stretch.yml b/mysql/tasks/packages_stretch.yml index 880f5050..8853a13c 100644 --- a/mysql/tasks/packages_stretch.yml +++ b/mysql/tasks/packages_stretch.yml @@ -1,7 +1,7 @@ --- - name: Install MySQL packages - apt: + ansible.builtin.apt: name: - mariadb-server - mariadb-client @@ -12,7 +12,7 @@ - packages - name: Install MySQL dev packages - apt: + ansible.builtin.apt: name: default-libmysqlclient-dev update_cache: yes state: present @@ -22,7 +22,7 @@ when: mysql_install_libclient | bool - name: MySQL is started - service: + ansible.builtin.service: name: mysql state: started tags: @@ -30,7 +30,7 @@ - services - name: apg package is installed - apt: + ansible.builtin.apt: name: apg state: present tags: @@ -38,7 +38,7 @@ - packages - name: Python2 dependencies for Ansible are installed - apt: + ansible.builtin.apt: name: - python-mysqldb - python-pymysql @@ -49,7 +49,7 @@ when: ansible_python_version is version('3', '<') - name: Python3 dependencies for Ansible are installed - apt: + ansible.builtin.apt: name: - python3-mysqldb - python3-pymysql diff --git a/mysql/tasks/replication.yml b/mysql/tasks/replication.yml index f447d099..4ca491da 100644 --- a/mysql/tasks/replication.yml +++ b/mysql/tasks/replication.yml @@ -1,14 +1,14 @@ --- - name: 'Copy MySQL configuration for replication' - template: + ansible.builtin.template: src: 'replication.cnf.j2' dest: "{{ mysql_config_directory }}/zzzz-replication.cnf" mode: "0644" notify: 'restart mysql' - name: 'Create repl user' - mysql_user: + community.mysql.mysql_user: name: 'repl' host: '%' encrypted: true 
@@ -20,22 +20,22 @@ when: mysql_repl_password | length > 0 - name: 'Install xinetd' - apt: + ansible.builtin.apt: name: 'xinetd' - name: 'Add xinetd configuration for MySQL HAProxy check' - copy: + ansible.builtin.copy: src: 'xinetd/mysqlchk' dest: '/etc/xinetd.d/' mode: '0644' notify: 'restart xinetd' # /!\ Warning, this is a temporary hack -- include_role: +- ansible.builtin.include_role: name: remount-usr - name: 'Copy mysqlchk script' - copy: + ansible.builtin.copy: src: 'xinetd/mysqlchk.sh' dest: '/usr/share/scripts/' mode: '0755' diff --git a/mysql/tasks/tmpdir.yml b/mysql/tasks/tmpdir.yml index 79a3ac5e..ecd9e279 100644 --- a/mysql/tasks/tmpdir.yml +++ b/mysql/tasks/tmpdir.yml @@ -2,7 +2,7 @@ - block: - name: "Create {{ mysql_custom_tmpdir }}" - file: + ansible.builtin.file: path: "{{ mysql_custom_tmpdir }}" owner: mysql group: mysql @@ -12,7 +12,7 @@ - mysql - name: Configure tmpdir - ini_file: + community.general.ini_file: dest: "{{ mysql_config_directory }}/{{ mysql_evolinux_custom_file }}" section: mysqld option: tmpdir diff --git a/mysql/tasks/users_bullseye.yml b/mysql/tasks/users_bullseye.yml index 1bdc9084..d2b6c04d 100644 --- a/mysql/tasks/users_bullseye.yml +++ b/mysql/tasks/users_bullseye.yml @@ -1,7 +1,7 @@ --- - name: Populate the .my.cnf of root with default user - ini_file: + community.general.ini_file: dest: /root/.my.cnf mode: "0600" section: client diff --git a/mysql/tasks/users_buster.yml b/mysql/tasks/users_buster.yml index dc7cec85..490a7ccc 100644 --- a/mysql/tasks/users_buster.yml +++ b/mysql/tasks/users_buster.yml @@ -1,7 +1,8 @@ --- - name: create a password for mysqladmin - command: "apg -n 1 -m 16 -M lcN" + ansible.builtin.command: + cmd: "apg -n 1 -m 16 -M lcN" register: mysql_admin_password changed_when: False check_mode: False @@ -9,7 +10,7 @@ - mysql - name: there is a mysqladmin user - mysql_user: + community.mysql.mysql_user: name: mysqladmin password: '{{ mysql_admin_password.stdout }}' priv: "*.*:ALL,GRANT" 
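Review bot: The `include_role` in mysql/tasks/replication.yml references the role as `name: remount-usr`, whereas every other hunk in this commit references it as `evolix/remount-usr`; unless both names resolve in the role search path, this one will fail at runtime, so it should read `name: evolix/remount-usr` for consistency. The preceding `# /!\ Warning, this is a temporary hack` comment would be more useful if it said why the remount is needed here (the copy into `/usr/share/scripts/` on a read-only `/usr`, presumably) and when it can be dropped.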
@@ -21,7 +22,7 @@ - mysql - name: mysqladmin is the default user - ini_file: + community.general.ini_file: dest: /root/.my.cnf mode: "0600" section: client @@ -36,7 +37,8 @@ - mysql - name: create a password for debian-sys-maint - command: "apg -n 1 -m 16 -M lcN" + ansible.builtin.command: + cmd: "apg -n 1 -m 16 -M lcN" register: mysql_debian_password changed_when: False check_mode: False @@ -44,7 +46,7 @@ - mysql - name: there is a debian-sys-maint user - mysql_user: + community.mysql.mysql_user: name: debian-sys-maint password: '{{ mysql_debian_password.stdout }}' priv: "*.*:ALL,GRANT" @@ -56,7 +58,7 @@ - mysql - name: store debian-sys-maint user credentials - ini_file: + community.general.ini_file: dest: /etc/mysql/debian.cnf mode: "0600" section: "{{ item[0] }}" @@ -74,7 +76,7 @@ - mysql - name: root user is absent - mysql_user: + community.mysql.mysql_user: name: root host_all: yes config_file: "/root/.my.cnf" diff --git a/mysql/tasks/users_jessie.yml b/mysql/tasks/users_jessie.yml index e2b066b1..1bde42c9 100644 --- a/mysql/tasks/users_jessie.yml +++ b/mysql/tasks/users_jessie.yml @@ -1,12 +1,13 @@ --- - name: "Abort if MariaDB on Debian 8" - fail: + ansible.builtin.fail: msg: "We can't create other users with 'debian-sys-maint' on Debian 8 with MariaDB.\nWe must give it the GRANT privilege before continuing." when: mysql_variant == "mariadb" - name: create a password for mysqladmin - command: "apg -n 1 -m 16 -M lcN" + ansible.builtin.command: + cmd: "apg -n 1 -m 16 -M lcN" register: mysql_admin_password changed_when: False check_mode: no @@ -14,7 +15,7 @@ - mysql - name: there is a mysqladmin user - mysql_user: + community.mysql.mysql_user: name: mysqladmin password: '{{ mysql_admin_password.stdout }}' priv: "*.*:ALL,GRANT" @@ -26,7 +27,7 @@ - mysql - name: mysqladmin is the default user - ini_file: + community.general.ini_file: dest: /root/.my.cnf mode: "0600" section: client 
@@ -41,7 +42,7 @@ - mysql - name: root user is absent - mysql_user: + community.mysql.mysql_user: name: root host_all: yes config_file: "/root/.my.cnf" diff --git a/mysql/tasks/users_stretch.yml b/mysql/tasks/users_stretch.yml index dc7cec85..490a7ccc 100644 --- a/mysql/tasks/users_stretch.yml +++ b/mysql/tasks/users_stretch.yml @@ -1,7 +1,8 @@ --- - name: create a password for mysqladmin - command: "apg -n 1 -m 16 -M lcN" + ansible.builtin.command: + cmd: "apg -n 1 -m 16 -M lcN" register: mysql_admin_password changed_when: False check_mode: False @@ -9,7 +10,7 @@ - mysql - name: there is a mysqladmin user - mysql_user: + community.mysql.mysql_user: name: mysqladmin password: '{{ mysql_admin_password.stdout }}' priv: "*.*:ALL,GRANT" @@ -21,7 +22,7 @@ - mysql - name: mysqladmin is the default user - ini_file: + community.general.ini_file: dest: /root/.my.cnf mode: "0600" section: client @@ -36,7 +37,8 @@ - mysql - name: create a password for debian-sys-maint - command: "apg -n 1 -m 16 -M lcN" + ansible.builtin.command: + cmd: "apg -n 1 -m 16 -M lcN" register: mysql_debian_password changed_when: False check_mode: False @@ -44,7 +46,7 @@ - mysql - name: there is a debian-sys-maint user - mysql_user: + community.mysql.mysql_user: name: debian-sys-maint password: '{{ mysql_debian_password.stdout }}' priv: "*.*:ALL,GRANT" @@ -56,7 +58,7 @@ - mysql - name: store debian-sys-maint user credentials - ini_file: + community.general.ini_file: dest: /etc/mysql/debian.cnf mode: "0600" section: "{{ item[0] }}" @@ -74,7 +76,7 @@ - mysql - name: root user is absent - mysql_user: + community.mysql.mysql_user: name: root host_all: yes config_file: "/root/.my.cnf" diff --git a/mysql/tasks/utils.yml b/mysql/tasks/utils.yml index 306ccd00..f8005ee2 100644 --- a/mysql/tasks/utils.yml +++ b/mysql/tasks/utils.yml 
@@ -1,14 +1,14 @@ --- -- set_fact: +- ansible.builtin.set_fact: _mysql_scripts_dir: "{{ mysql_scripts_dir | default(general_scripts_dir, True) | mandatory }}" -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr when: _mysql_scripts_dir is search("/usr") - name: Ensure scripts directory exists - file: + ansible.builtin.file: dest: "{{ _mysql_scripts_dir }}" mode: "0700" state: directory @@ -18,7 +18,7 @@ # mytop - name: "Install mytop (Debian 8)" - apt: + ansible.builtin.apt: name: mytop state: present tags: @@ -28,7 +28,7 @@ when: ansible_distribution_release == "jessie" - name: "Install dependencies for mytop (Debian 9)" - apt: + ansible.builtin.apt: name: - mariadb-client-10.1 - libconfig-inifiles-perl @@ -36,7 +36,7 @@ when: ansible_distribution_release == "stretch" - name: "Install dependencies for mytop (Debian 10)" - apt: + ansible.builtin.apt: name: - mariadb-client-10.3 - libconfig-inifiles-perl @@ -44,7 +44,7 @@ when: ansible_distribution_release == "buster" - name: "Install dependencies for mytop (Debian 11)" - apt: + ansible.builtin.apt: name: - mariadb-client-10.5 - libconfig-inifiles-perl @@ -53,7 +53,7 @@ when: ansible_distribution_release == "bullseye" - name: "Install dependencies for mytop (Debian 12 or later)" - apt: + ansible.builtin.apt: name: - mariadb-client - libconfig-inifiles-perl @@ -62,7 +62,8 @@ when: ansible_distribution_major_version is version('12', '>=') - name: Read debian-sys-maint password (Debian < 11) - shell: 'cat /etc/mysql/debian.cnf | grep -m1 "password = .*" | cut -d" " -f3' + ansible.builtin.shell: + cmd: 'cat /etc/mysql/debian.cnf | grep -m1 "password = .*" | cut -d" " -f3' register: mysql_debian_password changed_when: False check_mode: no @@ -71,7 +72,7 @@ when: ansible_distribution_major_version is version('11', '<') - name: Configure mytop (Debian < 11) - template: + ansible.builtin.template: src: mytop.j2 dest: /root/.mytop mode: "0600" 
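Review bot: The `Read debian-sys-maint password (Debian < 11)` task in the utils.yml hunk registers the plaintext password from `/etc/mysql/debian.cnf` into `mysql_debian_password` without `no_log`, so the secret ends up in verbose output and in any result-logging callback; the task's trailing lines are outside the hunk, but no `no_log` is visible. Add `no_log: True` next to `register:`. The `cat | grep | cut` pipeline could also be a single `cmd: grep -m1 -oP '^password\s*=\s*\K\S+' /etc/mysql/debian.cnf`, which drops the useless `cat` and the assumption that the value is always the third space-separated field.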
@@ -82,7 +83,7 @@ when: ansible_distribution_major_version is version('11', '<') - name: Configure mytop (Debian >= 11) - template: + ansible.builtin.template: src: mytop.bullseye.j2 dest: /root/.mytop mode: "0600" @@ -94,7 +95,7 @@ # mysqltuner -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr when: _mysql_scripts_dir is search("/usr") @@ -103,7 +104,7 @@ # src: mysqltuner.pl # dest: "{{ _mysql_scripts_dir }}/mysqltuner.pl" # mode: "0700" - apt: + ansible.builtin.apt: name: mysqltuner state: present tags: @@ -111,7 +112,7 @@ - mysqltuner - name: Install aha - apt: + ansible.builtin.apt: name: aha tags: - mysql @@ -119,7 +120,7 @@ # Percona Toolkit - name: "Install percona-toolkit (Debian 9 or later)" - apt: + ansible.builtin.apt: name: percona-toolkit state: present tags: @@ -130,12 +131,12 @@ # automatic optimizations -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr when: _mysql_scripts_dir is search("/usr") - name: Optimize script for MySQL - copy: + ansible.builtin.copy: src: mysql-optimize.sh dest: "{{ _mysql_scripts_dir }}/mysql-optimize.sh" mode: "0700" @@ -143,7 +144,7 @@ - mysql - name: "Cron dir for optimize is present" - file: + ansible.builtin.file: path: "/etc/cron.{{ mysql_cron_optimize_frequency | mandatory }}" state: directory mode: "0755" @@ -151,7 +152,7 @@ group: root - name: "Enable cron to optimize MySQL" - file: + ansible.builtin.file: src: "{{ _mysql_scripts_dir }}/mysql-optimize.sh" dest: /etc/cron.{{ mysql_cron_optimize_frequency | mandatory }}/mysql-optimize.sh state: link @@ -160,7 +161,7 @@ - mysql - name: "Disable cron to optimize MySQL" - file: + ansible.builtin.file: dest: /etc/cron.{{ mysql_cron_optimize_frequency | mandatory }}/mysql-optimize.sh state: absent when: not (mysql_cron_optimize | bool) 
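Review bot: The symlink created by `Enable cron to optimize MySQL` is named `mysql-optimize.sh` inside `/etc/cron.{{ mysql_cron_optimize_frequency }}`, and Debian's stock `run-parts` (what /etc/crontab uses for the cron.daily/weekly/monthly directories) skips file names containing a dot unless invoked with `--lsbsysinit` or `--regex`, so the job would presumably never fire; the same applies to the `mysqltuner.sh` copy a few hunks later. Drop the extension on the cron side, e.g. `dest: /etc/cron.{{ mysql_cron_optimize_frequency | mandatory }}/mysql-optimize`, and change the matching `Disable cron to optimize MySQL` task to remove the same name. If these directories are driven by something other than stock run-parts on these hosts, this does not apply.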
@@ -168,7 +169,7 @@ - mysql - name: "Cron dir for mysqltuner is present" - file: + ansible.builtin.file: path: "/etc/cron.{{ mysql_cron_mysqltuner_frequency | mandatory }}" state: directory mode: "0755" @@ -176,7 +177,7 @@ group: root - name: "Enable mysqltuner in cron" - copy: + ansible.builtin.copy: src: mysqltuner.cron.sh dest: /etc/cron.{{ mysql_cron_mysqltuner_frequency | mandatory }}/mysqltuner.sh mode: "0755" @@ -185,7 +186,7 @@ - mysql - name: "Disable mysqltuner in cron" - file: + ansible.builtin.file: dest: /etc/cron.{{ mysql_cron_mysqltuner_frequency | mandatory }}/mysqltuner.sh state: absent when: not (mysql_cron_mysqltuner | bool) @@ -194,12 +195,12 @@ # my-add.sh -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr when: _mysql_scripts_dir is search("/usr") - name: Install my-add.sh - copy: + ansible.builtin.copy: src: my-add.sh dest: "{{ _mysql_scripts_dir }}/my-add.sh" mode: "0700" @@ -208,14 +209,14 @@ - mysql - name: Install apg - apt: + ansible.builtin.apt: name: apg tags: - mysql - packages - name: "Install save_mysql_processlist.sh" - copy: + ansible.builtin.copy: src: save_mysql_processlist.sh dest: "{{ _mysql_scripts_dir }}/save_mysql_processlist.sh" mode: "0755" @@ -224,7 +225,7 @@ - mysql - name: "Install mysql_connections" - copy: + ansible.builtin.copy: src: mysql_connections.sh dest: "{{ _mysql_scripts_dir }}/mysql_connections" mode: "0755" @@ -233,7 +234,7 @@ - mysql - name: "Install mysql-queries-killer.sh" - copy: + ansible.builtin.copy: src: mysql-queries-killer.sh dest: "{{ _mysql_scripts_dir }}/mysql-queries-killer.sh" mode: "0755" @@ -242,7 +243,7 @@ - mysql - name: "Install evomariabackup" - copy: + ansible.builtin.copy: src: evomariabackup.sh dest: "{{ _mysql_scripts_dir }}/evomariabackup" mode: "0755" diff --git a/nagios-nrpe/handlers/main.yml b/nagios-nrpe/handlers/main.yml index 25ab29ad..b4b24b09 100644 --- a/nagios-nrpe/handlers/main.yml +++ b/nagios-nrpe/handlers/main.yml 
@@ -1,11 +1,11 @@ --- - name: restart nagios-nrpe-server - service: + ansible.builtin.service: name: nagios-nrpe-server state: restarted - name: restart nrpe - service: + ansible.builtin.service: name: nrpe state: restarted diff --git a/nagios-nrpe/tasks/main.yml b/nagios-nrpe/tasks/main.yml index 5a77c4ee..c05cf85a 100644 --- a/nagios-nrpe/tasks/main.yml +++ b/nagios-nrpe/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: base nrpe & plugins packages are installed - apt: + ansible.builtin.apt: name: - nagios-nrpe-server - monitoring-plugins @@ -14,7 +14,7 @@ - name: custom plugin dependencies packages are installed - apt: + ansible.builtin.apt: name: - libfcgi-client-perl state: present @@ -25,7 +25,7 @@ - nagios-plugins - name: custom configuration is present - template: + ansible.builtin.template: src: evolix.cfg.j2 dest: /etc/nagios/nrpe.d/evolix.cfg group: nagios @@ -36,7 +36,7 @@ - nagios-nrpe - name: update allowed_hosts lists - lineinfile: + ansible.builtin.lineinfile: dest: /etc/nagios/nrpe.d/evolix.cfg line: "allowed_hosts={{ nagios_nrpe_allowed_hosts | join(',') }}" regexp: '^allowed_hosts=' @@ -47,7 +47,7 @@ - nagios-nrpe - name: Nagios config is secured - file: + ansible.builtin.file: dest: /etc/nagios/ mode: "0750" group: nagios @@ -56,7 +56,7 @@ tags: - nagios-nrpe -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr when: nagios_plugins_directory is search("/usr") tags: @@ -64,7 +64,7 @@ - nagios-plugins - name: Nagios plugins are installed - copy: + ansible.builtin.copy: src: plugins/ dest: "{{ nagios_plugins_directory }}/" mode: "0755" @@ -74,7 +74,7 @@ - nagios-plugins - name: Nagios lib is secured - file: + ansible.builtin.file: dest: /usr/local/lib/nagios/ mode: "0755" group: nagios @@ -84,4 +84,4 @@ tags: - nagios-nrpe -- include_tasks: wrapper.yml \ No newline at end of file +- ansible.builtin.include_tasks: wrapper.yml \ No newline at end of file 
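Review bot: `update allowed_hosts lists` writes `allowed_hosts={{ nagios_nrpe_allowed_hosts | join(',') }}` unconditionally, so an empty or undefined list yields a bare `allowed_hosts=` line, and depending on the NRPE version that either denies every monitoring host or falls back to accepting any client; neither matches what the `Nagios config is secured` task a few lines later is trying to achieve. Guard it with an assertion before the lineinfile, e.g. `- ansible.builtin.assert:` / `that: nagios_nrpe_allowed_hosts | length > 0` / `fail_msg: "nagios_nrpe_allowed_hosts must list at least one monitoring host"`. Any `when:` on this task would sit past the lines shown, so I cannot rule one out.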
diff --git a/nagios-nrpe/tasks/wrapper.yml b/nagios-nrpe/tasks/wrapper.yml index f49c7509..add493fd 100644 --- a/nagios-nrpe/tasks/wrapper.yml +++ b/nagios-nrpe/tasks/wrapper.yml @@ -2,22 +2,23 @@ - name: "Remount /usr if needed" - include_role: + ansible.builtin.include_role: name: remount-usr - name: check if old script is present - stat: + ansible.builtin.stat: path: /usr/share/scripts/alerts_switch register: old_alerts_switch - name: alerts_switch is at the right place - command: "mv /usr/share/scripts/alerts_switch /usr/local/bin/alerts_switch" + ansible.builtin.command: + cmd: "mv /usr/share/scripts/alerts_switch /usr/local/bin/alerts_switch" args: creates: /usr/local/bin/alerts_switch when: old_alerts_switch.stat.exists - name: "copy alerts_switch" - copy: + ansible.builtin.copy: src: alerts_switch dest: /usr/local/bin/alerts_switch owner: root @@ -26,14 +27,14 @@ force: yes - name: "symlink for backward compatibility" - file: + ansible.builtin.file: src: /usr/local/bin/alerts_switch dest: /usr/share/scripts/alerts_switch state: link when: old_alerts_switch.stat.exists - name: "copy alerts_wrapper" - copy: + ansible.builtin.copy: src: alerts_wrapper dest: "{{ nagios_plugins_directory }}/alerts_wrapper" owner: root diff --git a/nameserver/tasks/main.yml b/nameserver/tasks/main.yml index 83ba2a34..16b06bbd 100644 --- a/nameserver/tasks/main.yml +++ b/nameserver/tasks/main.yml @@ -1,6 +1,7 @@ --- - name: Get actual nameserver - shell: grep nameserver /etc/resolv.conf | awk '{ print $2 }' + ansible.builtin.shell: + cmd: grep nameserver /etc/resolv.conf | awk '{ print $2 }' register: grep_nameserver check_mode: no changed_when: False @@ -8,7 +9,7 @@ - nameserver - name: Set nameserver - lineinfile: + ansible.builtin.lineinfile: dest: /etc/resolv.conf line: "nameserver {{ item }}" state: present 
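Review bot: `Set nameserver` and `Unset others nameserver` edit `/etc/resolv.conf` in place, but on hosts where that file is a symlink maintained by resolvconf or systemd-resolved the edit is either lost at the next regeneration or lands in the generator's runtime file, and the `grep nameserver` in `Get actual nameserver` then reports values the role did not set. Check the file first, e.g. `- ansible.builtin.stat: path: /etc/resolv.conf` registered as `resolv_conf`, then fail or skip `when: resolv_conf.stat.islnk`, or configure the servers through the managing tool instead. I cannot see from the hunk whether the role already guards for this elsewhere.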
@@ -17,7 +18,7 @@ - nameserver - name: Unset others nameserver - lineinfile: + ansible.builtin.lineinfile: dest: /etc/resolv.conf line: "nameserver {{ item }}" state: absent diff --git a/networkd-to-ifconfig/tasks/main.yml b/networkd-to-ifconfig/tasks/main.yml index d1ac0ac4..ff192645 100644 --- a/networkd-to-ifconfig/tasks/main.yml +++ b/networkd-to-ifconfig/tasks/main.yml @@ -1,11 +1,11 @@ --- - name: Check state of /etc/network/interfaces - stat: + ansible.builtin.stat: path: /etc/network/interfaces register: interfaces_file -- debug: +- ansible.builtin.debug: msg: A /etc/network/interfaces file already exists, nothing is done. when: - interfaces_file.stat.exists @@ -13,29 +13,29 @@ - block: - name: "Look for systemd network config" - stat: + ansible.builtin.stat: path: /etc/systemd/network/50-default.network register: systemd_network_file - name: Set interface name - set_fact: + ansible.builtin.set_fact: eni_interface_name: "{{ ansible_default_ipv4.interface }}" - - include: set_facts_from_systemd.yml + - ansible.builtin.include: set_facts_from_systemd.yml when: systemd_network_file.stat.exists - - include: set_facts_from_ansible.yml + - ansible.builtin.include: set_facts_from_ansible.yml when: not systemd_network_file.stat.exists - name: Check config (IPv4) - assert: + ansible.builtin.assert: that: - eni_ipv4_address | ipv4 - eni_ipv4_gateway | ipv4 msg: "IPv4 configuration is invalid" - name: Check config (IPV6) - assert: + ansible.builtin.assert: that: - eni_ipv6_address | ipv6 - eni_ipv6_gateway | ipv6 @@ -43,7 +43,7 @@ when: (eni_ipv6_address | length > 0) or (eni_ipv6_gateway | length > 0) - name: "A new /etc/network/interfaces is generated" - template: + ansible.builtin.template: src: interfaces.j2 dest: /etc/network/interfaces mode: "0644" 
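Review bot: Alongside the FQCN migration, `- ansible.builtin.include: set_facts_from_systemd.yml` (and the sibling `set_facts_from_ansible.yml` include) keeps the legacy `include` action, which is deprecated in favour of `include_tasks`/`import_tasks` and has been dropped from recent ansible-core releases, so the role will start failing at the next controller upgrade; the same pattern appears in the newrelic and nginx task files in this commit. Replace these with `- ansible.builtin.include_tasks: set_facts_from_systemd.yml`. The `ipv4`/`ipv6` filters used by the two `assert` tasks are not builtin either — they come from the `ansible.netcommon`/`ansible.utils` collections and need `netaddr` on the controller — so for a consistent migration they should be written as `ansible.utils.ipv4` / `ansible.utils.ipv6`, matching whichever collection version the project pins.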
@@ -51,18 +51,18 @@ group: root - name: "Systemd 'networkd' unit is stopped and disabled" - systemd: + ansible.builtin.systemd: name: systemd-networkd.service enabled: False state: stopped - name: "Systemd 'networking' unit is restarted (it often results in error)" - systemd: + ansible.builtin.systemd: name: networking enabled: True state: restarted ignore_errors: True - - debug: + - ansible.builtin.debug: msg: You should verify your configuration, then reboot the server. when: (force_update_eni_file | bool) or (not interfaces_file.stat.exists) diff --git a/networkd-to-ifconfig/tasks/set_facts_from_ansible.yml b/networkd-to-ifconfig/tasks/set_facts_from_ansible.yml index 5f6f4011..b358801d 100644 --- a/networkd-to-ifconfig/tasks/set_facts_from_ansible.yml +++ b/networkd-to-ifconfig/tasks/set_facts_from_ansible.yml @@ -1,13 +1,13 @@ --- - name: Prepare variables (IPv4) - set_fact: + ansible.builtin.set_fact: eni_ipv4_address: "{{ ansible_default_ipv4.address | ipv4 }}" eni_ipv4_gateway: "{{ ansible_default_ipv4.gateway | ipv4 }}" when: ansible_default_ipv4 | length > 0 - name: Prepare variables (IPv6) - set_fact: + ansible.builtin.set_fact: eni_ipv6_address: "{{ ansible_default_ipv6.address | ipv6 | first }}" eni_ipv6_gateway: "{{ ansible_default_ipv6.gateway | ipv6 | first }}" when: ansible_default_ipv6 | length > 0 diff --git a/networkd-to-ifconfig/tasks/set_facts_from_systemd.yml b/networkd-to-ifconfig/tasks/set_facts_from_systemd.yml index d21012fd..66dc648c 100644 --- a/networkd-to-ifconfig/tasks/set_facts_from_systemd.yml +++ b/networkd-to-ifconfig/tasks/set_facts_from_systemd.yml 
@@ -1,17 +1,19 @@ --- - name: "Parse addresses" - shell: "grep Address= /etc/systemd/network/50-default.network | cut -d'=' -f2" + ansible.builtin.shell: + cmd: "grep Address= /etc/systemd/network/50-default.network | cut -d'=' -f2" register: network_address_grep check_mode: no - name: "Parse gateways" - shell: "grep Gateway= /etc/systemd/network/50-default.network | cut -d'=' -f2" + ansible.builtin.shell: + cmd: "grep Gateway= /etc/systemd/network/50-default.network | cut -d'=' -f2" register: network_gateway_grep check_mode: no - name: Prepare variables - set_fact: + ansible.builtin.set_fact: eni_ipv4_address: "{{ network_address_grep.stdout_lines | ipv4 | first }}" eni_ipv4_gateway: "{{ network_gateway_grep.stdout_lines | ipv4 | first }}" eni_ipv6_address: "{{ network_address_grep.stdout_lines | ipv6 | first }}" diff --git a/newrelic/handlers/main.yml b/newrelic/handlers/main.yml index 4ad78be9..ffa52956 100644 --- a/newrelic/handlers/main.yml +++ b/newrelic/handlers/main.yml @@ -1,20 +1,20 @@ --- - name: reload squid3 - service: + ansible.builtin.service: name: squid3 state: reloaded - name: reload squid - service: + ansible.builtin.service: name: squid state: reloaded - name: apt update - apt: + ansible.builtin.apt: update_cache: yes - name: restart newrelic-sysmond - systemd: + ansible.builtin.systemd: name: newrelic-sysmond state: restarted diff --git a/newrelic/tasks/main.yml b/newrelic/tasks/main.yml index a4e8f2b3..e2c49021 100644 --- a/newrelic/tasks/main.yml +++ b/newrelic/tasks/main.yml @@ -1,9 +1,9 @@ --- -- include: sources.yml +- ansible.builtin.include: sources.yml -- include: php.yml +- ansible.builtin.include: php.yml when: newrelic_php | bool -- include: sysmond.yml +- ansible.builtin.include: sysmond.yml when: newrelic_sysmond | bool diff --git a/nginx/handlers/main.yml b/nginx/handlers/main.yml index 494d40f4..bdd5f477 100644 --- a/nginx/handlers/main.yml +++ b/nginx/handlers/main.yml 
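Review bot: The two `ansible.builtin.shell` greps in set_facts_from_systemd.yml (`Parse addresses`, `Parse gateways`) carry `check_mode: no` but no `changed_when: False`, so every run reports them as changed although they only read a file; the equivalent read-only shell tasks elsewhere in this commit (nameserver `Get actual nameserver`, openvpn `Retrieve the default interface`) do set `changed_when: False`. Add `changed_when: False` to both tasks for consistency and so check-mode runs stay clean.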
@@ -1,15 +1,15 @@ --- - name: restart nginx - service: + ansible.builtin.service: name: nginx state: restarted - name: reload nginx - service: + ansible.builtin.service: name: nginx state: reloaded - name: restart munin - service: + ansible.builtin.service: name: munin-node state: restarted diff --git a/nginx/tasks/ip_whitelist.yml b/nginx/tasks/ip_whitelist.yml index 2667d1d3..fc4fd2d2 100644 --- a/nginx/tasks/ip_whitelist.yml +++ b/nginx/tasks/ip_whitelist.yml @@ -1,7 +1,7 @@ --- - name: add IP addresses to private IP whitelist - lineinfile: + ansible.builtin.lineinfile: dest: /etc/nginx/snippets/ipaddr_whitelist line: "allow {{ item }};" state: present @@ -12,7 +12,7 @@ - ips - name: remove IP addresses from private IP whitelist - lineinfile: + ansible.builtin.lineinfile: dest: /etc/nginx/snippets/ipaddr_whitelist line: "allow {{ item }};" state: absent diff --git a/nginx/tasks/logrotate.yml b/nginx/tasks/logrotate.yml index c987c2f7..d475e419 100644 --- a/nginx/tasks/logrotate.yml +++ b/nginx/tasks/logrotate.yml @@ -1,7 +1,7 @@ --- - name: Logrotate is configured for Nginx - copy: + ansible.builtin.copy: src: logrotate_nginx dest: /etc/logrotate.d/nginx force: no diff --git a/nginx/tasks/main.yml b/nginx/tasks/main.yml index e7abc1b5..aec36bec 100644 --- a/nginx/tasks/main.yml +++ b/nginx/tasks/main.yml @@ -1,16 +1,16 @@ --- -- debug: +- ansible.builtin.debug: msg: "Nginx minimal mode has been removed, falling back to normal mode." when: not nginx_minimal | bool -- debug: +- ansible.builtin.debug: msg: "Nginx minimal mode has been set, using minimal mode." when: nginx_minimal | bool -- include: packages.yml +- ansible.builtin.include: packages.yml -- include: server_status_read.yml +- ansible.builtin.include: server_status_read.yml tags: - nginx 
@@ -18,7 +18,7 @@ # without touching the main file - name: customize worker_connections - lineinfile: + ansible.builtin.lineinfile: dest: /etc/nginx/nginx.conf regexp: '^(\s*worker_connections)\s+.+;' line: ' worker_connections 1024;' @@ -27,7 +27,7 @@ - nginx - name: use epoll - lineinfile: + ansible.builtin.lineinfile: dest: /etc/nginx/nginx.conf regexp: '^(\s*use)\s+.+;' line: ' use epoll;' @@ -36,7 +36,7 @@ - nginx - name: Install Nginx http configuration - copy: + ansible.builtin.copy: src: nginx/evolinux-defaults.conf dest: /etc/nginx/conf.d/z-evolinux-defaults.conf mode: "0640" @@ -50,7 +50,7 @@ # and not too loose for private_htpasswd - name: Copy ipaddr_whitelist - copy: + ansible.builtin.copy: src: nginx/snippets/ipaddr_whitelist dest: /etc/nginx/snippets/ipaddr_whitelist owner: www-data @@ -64,10 +64,10 @@ - ips - name: Include IP address whitelist task - include: ip_whitelist.yml + ansible.builtin.include: ip_whitelist.yml - name: Copy evolinux_server_custom - copy: + ansible.builtin.copy: src: nginx/snippets/evolinux_server_custom dest: /etc/nginx/snippets/evolinux_server_custom owner: www-data @@ -81,7 +81,7 @@ - ips - name: Copy private_htpasswd - copy: + ansible.builtin.copy: src: nginx/snippets/private_htpasswd dest: /etc/nginx/snippets/private_htpasswd owner: www-data @@ -94,7 +94,7 @@ - nginx - name: add user:pwd to private htpasswd - lineinfile: + ansible.builtin.lineinfile: dest: /etc/nginx/snippets/private_htpasswd line: "{{ item }}" state: present @@ -104,7 +104,7 @@ - nginx - name: remove user:pwd from private htpasswd - lineinfile: + ansible.builtin.lineinfile: dest: /etc/nginx/snippets/private_htpasswd line: "{{ item }}" state: absent @@ -114,7 +114,7 @@ - nginx - name: nginx vhost is installed - template: + ansible.builtin.template: src: "{{ nginx_default_template_regular }}" dest: /etc/nginx/sites-available/evolinux-default.conf mode: "0640" 
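Review bot: `Copy ipaddr_whitelist` and `Copy private_htpasswd` install the access-control snippets under `/etc/nginx/snippets/` with `owner: www-data`, i.e. owned by the same unprivileged account the nginx workers (and typically php-fpm pools) run as, so a compromised web application could rewrite its own IP whitelist or htpasswd. nginx parses its configuration as root in the master process, so these files do not need to be writable, or even owned, by www-data; `owner: root`, `group: www-data`, `mode: "0640"` is sufficient unless a tool on the host deliberately writes them as www-data. The `group:`/`mode:` lines of these two tasks fall outside the hunks shown, so I cannot confirm the current modes.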
@@ -124,7 +124,7 @@ - nginx - name: default vhost is enabled - file: + ansible.builtin.file: src: /etc/nginx/sites-available/evolinux-default.conf dest: /etc/nginx/sites-enabled/default state: link @@ -134,12 +134,12 @@ tags: - nginx -- include: server_status_write.yml +- ansible.builtin.include: server_status_write.yml tags: - nginx - name: Verify that the service is enabled and started - service: + ansible.builtin.service: name: nginx enabled: yes state: started @@ -147,7 +147,7 @@ - nginx - name: Check if Munin is installed - stat: + ansible.builtin.stat: path: /etc/munin/plugin-conf.d/munin-node check_mode: no register: stat_munin_node @@ -155,16 +155,16 @@ - nginx - munin -- include: munin_vhost.yml +- ansible.builtin.include: munin_vhost.yml when: stat_munin_node.stat.exists tags: - nginx - munin -- include: munin_graphs.yml +- ansible.builtin.include: munin_graphs.yml when: stat_munin_node.stat.exists tags: - nginx - munin -- include: logrotate.yml +- ansible.builtin.include: logrotate.yml diff --git a/nginx/tasks/munin_graphs.yml b/nginx/tasks/munin_graphs.yml index 5958c856..f2a6e4b5 100644 --- a/nginx/tasks/munin_graphs.yml +++ b/nginx/tasks/munin_graphs.yml @@ -1,14 +1,14 @@ --- - name: Munin config for Nginx is present - template: + ansible.builtin.template: src: munin/evolinux.nginx dest: /etc/munin/plugin-conf.d/ mode: "0644" notify: restart munin - name: Munin plugins for Nginx are installed - file: + ansible.builtin.file: src: '/usr/share/munin/plugins/{{ item }}' dest: '/etc/munin/plugins/{{ item }}' state: link diff --git a/nginx/tasks/munin_vhost.yml b/nginx/tasks/munin_vhost.yml index 5aa137c9..98cc8672 100644 --- a/nginx/tasks/munin_vhost.yml +++ b/nginx/tasks/munin_vhost.yml 
@@ -1,13 +1,13 @@ --- - name: Add munin to hosts - lineinfile: + ansible.builtin.lineinfile: dest: /etc/hosts regexp: 'munin$' line: '127.0.0.1 munin' insertafter: EOF - name: Packages for Munin CGI are installed - apt: + ansible.builtin.apt: name: - liblwp-useragent-determined-perl - libcgi-fast-perl @@ -15,22 +15,24 @@ state: present - name: Owner for munin-cgi is set to www-data:munin - shell: "chown --verbose www-data:munin /var/log/munin/munin-cgi-*" + ansible.builtin.shell: + cmd: "chown --verbose www-data:munin /var/log/munin/munin-cgi-*" register: command_result changed_when: "'changed' in command_result.stdout" - name: Mode for munin-cgi is set to 660 - shell: "chmod --verbose 660 /var/log/munin/munin-cgi-*" + ansible.builtin.shell: + cmd: "chmod --verbose 660 /var/log/munin/munin-cgi-*" register: command_result changed_when: "'changed' in command_result.stdout" - name: Systemd unit for Munin-fcgi is installed - copy: + ansible.builtin.copy: src: systemd/spawn-fcgi-munin-graph.service dest: /etc/systemd/system/spawn-fcgi-munin-graph.service - name: Systemd unit for Munin-fcgi is started - systemd: + ansible.builtin.systemd: name: spawn-fcgi-munin-graph daemon_reload: yes enabled: yes diff --git a/nginx/tasks/packages.yml b/nginx/tasks/packages.yml index f2c0596f..fd9febcf 100644 --- a/nginx/tasks/packages.yml +++ b/nginx/tasks/packages.yml @@ -1,16 +1,16 @@ -- set_fact: +- ansible.builtin.set_fact: nginx_default_package_name: nginx-light when: nginx_minimal | bool -- include: packages_backports.yml +- ansible.builtin.include: packages_backports.yml when: nginx_backports | bool # TODO: install "nginx" + only necessary modules, instead of "nginx-full" - name: Nginx is installed - apt: + ansible.builtin.apt: name: "{{ nginx_package_name | default(nginx_default_package_name) }}" state: present tags: diff --git a/nginx/tasks/packages_backports.yml b/nginx/tasks/packages_backports.yml index 820d8713..aac2304d 100644 --- a/nginx/tasks/packages_backports.yml 
+++ b/nginx/tasks/packages_backports.yml @@ -1,7 +1,7 @@ --- - name: Backports repository is configured - include_role: + ansible.builtin.include_role: name: evolix/apt tasks_from: backports.yml tags: @@ -9,7 +9,7 @@ - packages - name: Prefer Nginx packages from backports - template: + ansible.builtin.template: src: apt/nginx_preferences dest: /etc/apt/preferences.d/999-nginx force: yes @@ -20,7 +20,7 @@ - packages - name: APT cache is updated - apt: + ansible.builtin.apt: update_cache: yes when: nginx_apt_preferences is changed tags: diff --git a/nginx/tasks/server_status_read.yml b/nginx/tasks/server_status_read.yml index 652bc154..e97d898a 100644 --- a/nginx/tasks/server_status_read.yml +++ b/nginx/tasks/server_status_read.yml @@ -1,7 +1,7 @@ --- - name: "server status dirname exists '{{ nginx_serverstatus_suffix_file | dirname }}'" - file: + ansible.builtin.file: dest: "{{ nginx_serverstatus_suffix_file | dirname }}" mode: "0700" owner: root @@ -9,7 +9,7 @@ state: directory - name: set nginx serverstatus suffix if provided - copy: + ansible.builtin.copy: dest: "{{ nginx_serverstatus_suffix_file }}" # The last character "\u000A" is a line feed (LF), it's better to keep it content: "{{ nginx_serverstatus_suffix }}\u000A" 
@@ -17,20 +17,22 @@ when: nginx_serverstatus_suffix | length > 0 - name: generate random string for server-status suffix - shell: "apg -a 1 -M N -n 1 > {{ nginx_serverstatus_suffix_file }}" + ansible.builtin.shell: + cmd: "apg -a 1 -M N -n 1 > {{ nginx_serverstatus_suffix_file }}" args: creates: "{{ nginx_serverstatus_suffix_file }}" - name: read nginx server status suffix - command: "tail -n 1 {{ nginx_serverstatus_suffix_file }}" + ansible.builtin.command: + cmd: "tail -n 1 {{ nginx_serverstatus_suffix_file }}" changed_when: False check_mode: no register: new_nginx_serverstatus_suffix - name: overwrite nginx_serverstatus_suffix - set_fact: + ansible.builtin.set_fact: nginx_serverstatus_suffix: "{{ new_nginx_serverstatus_suffix.stdout }}" -- debug: +- ansible.builtin.debug: var: nginx_serverstatus_suffix verbosity: 1 diff --git a/nginx/tasks/server_status_write.yml b/nginx/tasks/server_status_write.yml index beb56c67..dbed56cb 100644 --- a/nginx/tasks/server_status_write.yml +++ b/nginx/tasks/server_status_write.yml @@ -1,19 +1,19 @@ --- - name: replace server-status suffix in default site index - replace: + ansible.builtin.replace: dest: /var/www/index.html regexp: '__SERVERSTATUS_SUFFIX__' replace: "{{ nginx_serverstatus_suffix }}" - name: add server-status suffix in default site index if missing - replace: + ansible.builtin.replace: dest: /var/www/index.html regexp: '"/server-status-?"' replace: '"/server-status-{{ nginx_serverstatus_suffix }}"' - name: add server-status suffix in default VHost - replace: + ansible.builtin.replace: dest: /etc/nginx/sites-available/evolinux-default.conf regexp: 'location /server-status-? {' replace: 'location /server-status-{{ nginx_serverstatus_suffix }} {' diff --git a/ntpd/handlers/main.yml b/ntpd/handlers/main.yml index 333d30de..70b41926 100644 --- a/ntpd/handlers/main.yml +++ b/ntpd/handlers/main.yml @@ -1,5 +1,5 @@ --- - name: restart ntp - service: + ansible.builtin.service: name: ntp state: restarted 
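Review bot: `generate random string for server-status suffix` runs `apg -a 1 -M N -n 1`, which, if I read apg's mode flags right, yields a digits-only string of apg's default 8–10 characters, i.e. only about 27–33 bits of guessing space for a token whose whole purpose is to hide `/server-status-<suffix>` from unauthenticated clients. Use a longer mixed-alphabet token, e.g. `cmd: "apg -a 1 -M NCL -m 24 -x 24 -n 1 > {{ nginx_serverstatus_suffix_file }}"`, and consider `no_log: True` on `read nginx server status suffix`, since the registered stdout (and the `debug` of `nginx_serverstatus_suffix` at verbosity 1) otherwise lands in run output.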
diff --git a/ntpd/tasks/main.yml b/ntpd/tasks/main.yml index 2d66d765..ac5f8288 100644 --- a/ntpd/tasks/main.yml +++ b/ntpd/tasks/main.yml @@ -1,20 +1,20 @@ --- - name: Remove openntpd package - apt: + ansible.builtin.apt: name: openntpd state: absent tags: - ntp - name: Install ntp package - apt: + ansible.builtin.apt: name: ntp state: present tags: - ntp - name: Copy ntp config - template: + ansible.builtin.template: src: ntp.conf.j2 dest: /etc/ntp.conf mode: "0644" diff --git a/opendkim/handlers/main.yml b/opendkim/handlers/main.yml index ccf166a8..3cc7b05f 100644 --- a/opendkim/handlers/main.yml +++ b/opendkim/handlers/main.yml @@ -1,10 +1,10 @@ --- - name: reload opendkim - systemd: + ansible.builtin.systemd: name: opendkim state: reloaded - name: restart opendkim - systemd: + ansible.builtin.systemd: name: opendkim state: restarted diff --git a/opendkim/tasks/main.yml b/opendkim/tasks/main.yml index 94aa3dfd..1c7a416a 100644 --- a/opendkim/tasks/main.yml +++ b/opendkim/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: install OpenDKIM - apt: + ansible.builtin.apt: name: - opendkim - opendkim-tools @@ -11,7 +11,7 @@ - opendkim - name: Add user opendkim in ssl-cert group - user: + ansible.builtin.user: name: opendkim groups: ssl-cert state: present @@ -20,7 +20,7 @@ - opendkim - name: add 127.0.0.1 to TrustedHosts - lineinfile: + ansible.builtin.lineinfile: dest: '/etc/opendkim/TrustedHosts' line: '127.0.0.1' create: True @@ -32,7 +32,7 @@ - opendkim - name: create config files - file: + ansible.builtin.file: name: "/etc/opendkim/{{ item }}" state: touch owner: opendkim @@ -46,7 +46,7 @@ - opendkim - name: copy OpenDKIM config - copy: + ansible.builtin.copy: src: opendkim.conf dest: /etc/opendkim.conf mode: "0644" @@ -57,7 +57,7 @@ - name: Set folder permissions to 0750 - file: + ansible.builtin.file: path: "/etc/opendkim/" owner: opendkim group: opendkim 
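Review bot: `Add user opendkim in ssl-cert group` sets `groups: ssl-cert` on the opendkim account, and without `append: yes` the `user` module replaces the account's supplementary groups with exactly that list, so any other group the package or a later role gave opendkim is silently removed on each run. The hunk ends at `state: present`; if no `append: yes` follows on the next line, add it: `groups: ssl-cert` / `append: yes`.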
@@ -67,18 +67,18 @@ - opendkim - name: ensure opendkim is started and enabled - systemd: + ansible.builtin.systemd: name: opendkim state: started enabled: True tags: - opendkim -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: deploy opendkim-add.sh script - copy: + ansible.builtin.copy: src: opendkim-add.sh dest: /usr/share/scripts/opendkim-add.sh mode: "0750" diff --git a/openvpn/handlers/main.yml b/openvpn/handlers/main.yml index 44b0de93..cc74ea52 100644 --- a/openvpn/handlers/main.yml +++ b/openvpn/handlers/main.yml @@ -1,14 +1,15 @@ --- - name: restart nagios-nrpe-server - service: + ansible.builtin.service: name: nagios-nrpe-server state: restarted - name: restart nrpe - service: + ansible.builtin.service: name: nrpe state: restarted - name: reload packetfilter - command: pfctl -f /etc/pf.conf + ansible.builtin.command: + cmd: pfctl -f /etc/pf.conf diff --git a/openvpn/tasks/debian.yml b/openvpn/tasks/debian.yml index bee05d9e..9810a472 100644 --- a/openvpn/tasks/debian.yml +++ b/openvpn/tasks/debian.yml @@ -1,11 +1,11 @@ --- - name: Install OpenVPN - apt: + ansible.builtin.apt: name: openvpn - name: Delete unwanted OpenVPN folders - file: + ansible.builtin.file: state: absent dest: "/etc/openvpn/{{ item }}" with_items: @@ -13,7 +13,7 @@ - server - name: Create the _openvpn user - user: + ansible.builtin.user: name: _openvpn system: yes create_home: no @@ -21,7 +21,7 @@ shell: "/usr/sbin/nologin" - name: Create the shellpki user - user: + ansible.builtin.user: name: shellpki system: yes create_home: no @@ -29,18 +29,18 @@ shell: "/usr/sbin/nologin" - name: Create /etc/shellpki - file: + ansible.builtin.file: dest: "/etc/shellpki" mode: "0755" owner: shellpki group: shellpki state: directory -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: Copy shellpki files - copy: + ansible.builtin.copy: src: "shellpki/{{ item.source }}" dest: "{{ item.destination }}" mode: "{{ item.mode }}" 
@@ -51,7 +51,7 @@ - { source: "shellpki", destination: "/usr/local/sbin/shellpki", mode: "0750", owner: "root", group: "root" } - name: Add sudo rights - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/sudoers.d/shellpki" regexp: '/usr/local/sbin/shellpki' line: "%shellpki ALL = (root) /usr/local/sbin/shellpki" @@ -62,7 +62,7 @@ validate: 'visudo -cf %s' - name: Deploy OpenVPN client config template - template: + ansible.builtin.template: src: "ovpn.conf.j2" dest: "/etc/shellpki/ovpn.conf" mode: "0600" @@ -70,15 +70,15 @@ group: shellpki - name: Generate dhparam - openssl_dhparam: + community.crypto.openssl_dhparam: path: /etc/shellpki/dh2048.pem size: 2048 -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: Deploy OpenVPN server config - template: + ansible.builtin.template: src: "server.conf.j2" dest: "/etc/openvpn/server.conf" mode: "0600" @@ -86,21 +86,22 @@ group: root - name: Is minifirewall installed ? - stat: + ansible.builtin.stat: path: "/etc/default/minifirewall" check_mode: no changed_when: False register: minifirewall_config - name: Retrieve the default interface - shell: "grep '^INT=' /etc/default/minifirewall | cut -d\\' -f 2" + ansible.builtin.shell: + cmd: "grep '^INT=' /etc/default/minifirewall | cut -d\\' -f 2" check_mode: no changed_when: False register: minifirewall_int when: minifirewall_config.stat.exists - name: Add minifirewall rule in config file - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "{{ item }}" with_items: @@ -109,7 +110,7 @@ when: minifirewall_config.stat.exists - name: Activate minifirewall rule - iptables: + ansible.builtin.iptables: table: nat chain: POSTROUTING source: "{{ openvpn_lan }}/{{ openvpn_netmask_cidr }}" 
@@ -118,7 +119,7 @@ when: minifirewall_config.stat.exists - name: Add 1194/udp OpenVPN port to public services in minifirewall - replace: + ansible.builtin.replace: dest: "/etc/default/minifirewall" regexp: "^SERVICESUDP1='(.*)?'$" replace: "SERVICESUDP1='\\1 1194'" @@ -126,7 +127,7 @@ when: minifirewall_config.stat.exists - name: Activate minifirewall rule for IPv4 - iptables: + ansible.builtin.iptables: chain: INPUT protocol: udp destination_port: "1194" @@ -135,7 +136,7 @@ when: minifirewall_config.stat.exists - name: Activate minifirewall rule for IPv6 - iptables: + ansible.builtin.iptables: chain: INPUT protocol: udp destination_port: "1194" @@ -144,23 +145,23 @@ when: minifirewall_config.stat.exists - name: Enable forwarding - sysctl: + ansible.posix.sysctl: name: net.ipv4.ip_forward value: "1" sysctl_file: "/etc/sysctl.d/openvpn.conf" - name: Configure logrotate for OpenVPN - copy: + ansible.builtin.copy: src: logrotate_openvpn dest: /etc/logrotate.d/openvpn force: no - name: Generate a password for the management interface - set_fact: + ansible.builtin.set_fact: management_pwd: "{{ lookup('password', '/dev/null length=15 chars=ascii_letters,digits') }}" - name: Set the management password - copy: + ansible.builtin.copy: dest: "/etc/openvpn/management-pwd" content: "{{ management_pwd }}" mode: "0600" 
@@ -168,27 +169,27 @@ group: root - name: Enable openvpn service - systemd: + ansible.builtin.systemd: name: "openvpn@server.service" enabled: yes - name: Is NRPE installed ? - stat: + ansible.builtin.stat: path: "/etc/nagios/nrpe.d/evolix.cfg" check_mode: no changed_when: False register: nrpe_evolix_config - name: Install NRPE check dependencies - apt: + ansible.builtin.apt: name: libnet-telnet-perl when: nrpe_evolix_config.stat.exists -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: Install OpenVPN NRPE check - copy: + ansible.builtin.copy: src: "files/check_openvpn_debian.pl" dest: "/usr/local/lib/nagios/plugins/check_openvpn" mode: "0755" @@ -197,18 +198,18 @@ when: nrpe_evolix_config.stat.exists - name: Configure NRPE OpenVPN check - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/nagios/nrpe.d/evolix.cfg" regexp: '^command\[check_openvpn\]=' line: "command[check_openvpn]=/usr/local/lib/nagios/plugins/check_openvpn -H 127.0.0.1 -p 1195 -P {{ management_pwd }}" notify: restart nagios-nrpe-server when: nrpe_evolix_config.stat.exists -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: Install OpenVPN certificates NRPE check - copy: + ansible.builtin.copy: src: "files/check_openvpn_certificates.sh" dest: "/usr/local/lib/nagios/plugins/check_openvpn_certificates.sh" mode: "0755" @@ -217,7 +218,7 @@ when: nrpe_evolix_config.stat.exists - name: Add sudo rights for NRPE check - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/sudoers.d/openvpn" regexp: 'check_openvpn_certificates.sh' line: "nagios ALL=NOPASSWD: /usr/local/lib/nagios/plugins/check_openvpn_certificates.sh" 
@@ -229,18 +230,18 @@ when: nrpe_evolix_config.stat.exists - name: Configure NRPE certificates check - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/nagios/nrpe.d/evolix.cfg" regexp: '^command\[check_openvpn_certificates\]=' line: "command[check_openvpn_certificates]=sudo /usr/local/lib/nagios/plugins/check_openvpn_certificates.sh" notify: restart nagios-nrpe-server when: nrpe_evolix_config.stat.exists -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: Copy script to check expirations - copy: + ansible.builtin.copy: src: "shellpki/cert-expirations.sh" dest: "/usr/share/scripts/cert-expirations.sh" mode: "0700" 
@@ -248,42 +249,45 @@ group: root - name: Install cron to warn about certificates expiration - cron: + ansible.builtin.cron: name: "OpenVPN certificates expiration" special_time: monthly job: '/usr/share/scripts/cert-expirations.sh | mail -E -s "PKI OpenVPN {{ ansible_hostname }} : recapitulatif expirations" {{ client_email }}' - name: Generate the CA password - set_fact: + ansible.builtin.set_fact: ca_pwd: "{{ lookup('password', '/dev/null length=25 chars=ascii_letters,digits') }}" check_mode: no changed_when: no - name: Initialization of the CA - shell: 'CA_PASSWORD="{{ ca_pwd }}" shellpki init --non-interactive {{ ansible_fqdn }}' + ansible.builtin.shell: + cmd: 'CA_PASSWORD="{{ ca_pwd }}" shellpki init --non-interactive {{ ansible_fqdn }}' - name: Creation of the server's certificate - shell: 'CA_PASSWORD="{{ ca_pwd }}" shellpki create --days 3650 --non-interactive {{ ansible_fqdn }}' + ansible.builtin.shell: + cmd: 'CA_PASSWORD="{{ ca_pwd }}" shellpki create --days 3650 --non-interactive {{ ansible_fqdn }}' - name: Get the server key - shell: 'ls -tr /etc/shellpki/private/ | tail -1' + ansible.builtin.shell: + cmd: 'ls -tr /etc/shellpki/private/ | tail -1' register: ca_key check_mode: no changed_when: no - name: Configure the server key - replace: + ansible.builtin.replace: path: /etc/openvpn/server.conf regexp: 'key /etc/shellpki/private/TO_COMPLETE' replace: 'key /etc/shellpki/private/{{ ca_key.stdout }}' - name: Restart OpenVPN - systemd: + ansible.builtin.systemd: name: "openvpn@server.service" state: restarted - name: Warn the user about manual checks - pause: + ansible.builtin.pause: prompt: | /!\ WARNING /!\ You must check and adjust if necessary the configuration file "/etc/openvpn/server.conf", and then restart the OpenVPN service with "systemctl restart openvpn@server.service". diff --git a/openvpn/tasks/main.yml b/openvpn/tasks/main.yml index 1e20772a..26a04ee7 100644 --- a/openvpn/tasks/main.yml +++ b/openvpn/tasks/main.yml 
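Review bot: In `Initialization of the CA` and `Creation of the server's certificate`, `ca_pwd` is interpolated straight into `cmd:`, so the CA password is part of the rendered task arguments and ends up in verbose play output, callback and log plugins, and in the remote shell's argument list while `shellpki` runs; the move to `ansible.builtin.shell`/`cmd:` keeps this as it was. At minimum add `no_log: true` to these two tasks and to `Generate the CA password` so the value never reaches the controller's output or logs, and prefer `environment: { CA_PASSWORD: "{{ ca_pwd }}" }` over the inline assignment so the secret is not embedded in the command string itself. The identical pattern is in openvpn/tasks/openbsd.yml (`@@ -176,42 +176,45 @@`) and should get the same treatment.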
@@ -1,15 +1,15 @@ --- - name: System compatibility checks - assert: + ansible.builtin.assert: that: "ansible_distribution == 'Debian' or ansible_distribution == 'OpenBSD'" msg: "Only compatible with Debian and OpenBSD" - name: Include Debian version - include: debian.yml + ansible.builtin.include: debian.yml when: ansible_distribution == "Debian" - name: Include OpenBSD version - include: openbsd.yml + ansible.builtin.include: openbsd.yml when: ansible_distribution == "OpenBSD" diff --git a/openvpn/tasks/openbsd.yml b/openvpn/tasks/openbsd.yml index e33923e1..28781880 100644 --- a/openvpn/tasks/openbsd.yml +++ b/openvpn/tasks/openbsd.yml @@ -1,12 +1,12 @@ --- - name: Install OpenVPN - openbsd_pkg: + community.general.openbsd_pkg: name: openvpn-- when: ansible_distribution == 'OpenBSD' - name: Create /etc/openvpn - file: + ansible.builtin.file: dest: "/etc/openvpn" state: directory owner: root @@ -14,7 +14,7 @@ mode: "0755" - name: Create the shellpki user - user: + ansible.builtin.user: name: _shellpki system: yes create_home: no @@ -22,7 +22,7 @@ shell: "/sbin/nologin" - name: Create /etc/shellpki - file: + ansible.builtin.file: dest: "/etc/shellpki" state: directory owner: _shellpki @@ -30,7 +30,7 @@ mode: "0755" - name: Copy shellpki files - copy: + ansible.builtin.copy: src: "shellpki/{{ item.source }}" dest: "{{ item.destination }}" mode: "{{ item.mode }}" @@ -41,14 +41,14 @@ - { source: "shellpki", destination: "/usr/local/sbin/shellpki", mode: "0750", owner: "root", group: "wheel" } - name: Add sudo rights - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/sudoers" regexp: '/usr/local/sbin/shellpki' line: "%_shellpki ALL = (root) /usr/local/sbin/shellpki" validate: 'visudo -cf %s' - name: Deploy OpenVPN client config template - template: + ansible.builtin.template: src: "ovpn.conf.j2" dest: "/etc/shellpki/ovpn.conf" mode: "0640" 
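Review bot: `ansible.builtin.include` in `Include Debian version` and `Include OpenBSD version` is the deprecated `include` action under its FQCN; it is slated for removal (ansible-core 2.16 no longer ships it), so qualifying the name does not make these tasks future-proof. Convert them to `ansible.builtin.include_tasks: debian.yml` and `ansible.builtin.include_tasks: openbsd.yml`, which keep the per-task `when:` semantics, matching what php/tasks/main.yml already does. The same `include` → `ansible.builtin.include` rewrite appears in packweb-apache/tasks/main.yml (apache.yml, phpmyadmin.yml, awstats.yml, fhs_retrictions.yml, multiphp.yml) and percona/tasks/main.yml (xtrabackup.yml).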
@@ -56,12 +56,12 @@ group: _shellpki - name: Generate dhparam - openssl_dhparam: + community.crypto.openssl_dhparam: path: /etc/shellpki/dh2048.pem size: 2048 - name: Deploy OpenVPN server config - template: + ansible.builtin.template: src: "server.conf.j2" dest: "/etc/openvpn/server.conf" mode: "0600" @@ -69,7 +69,7 @@ group: wheel - name: Configure PacketFilter - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/pf.conf" line: "{{ item }}" validate: 'pfctl -nf %s' @@ -79,7 +79,7 @@ - "pass in quick on $ext_if proto udp from any to self port 1194" - name: Create a cron to rotate the logs - cron: + ansible.builtin.cron: name: "OpenVPN logs rotation" weekday: "6" hour: "4" @@ -87,11 +87,11 @@ job: "cp /var/log/openvpn.log /var/log/openvpn.log.$(date +\\%F) && echo \"$(date +\\%F' '\\%R) - logfile turned over via cron\" > /var/log/openvpn.log && gzip /var/log/openvpn.log.$(date +\\%F) && find /var/log/ -type f -name \"openvpn.log.*\" -mtime +365 -exec rm {} \\+" - name: Generate a password for the management interface - set_fact: + ansible.builtin.set_fact: management_pwd: "{{ lookup('password', '/dev/null length=15 chars=ascii_letters,digits') }}" - name: Set the management password - copy: + ansible.builtin.copy: dest: "/etc/openvpn/management-pwd" content: "{{ management_pwd }}" mode: "0600" 
@@ -99,30 +99,30 @@ group: wheel - name: Enable openvpn service - service: + ansible.builtin.service: name: openvpn enabled: yes - name: Set openvpn flags - lineinfile: + ansible.builtin.lineinfile: dest: /etc/rc.conf.local regexp: "^openvpn_flags=" line: "openvpn_flags=--daemon --config /etc/openvpn/server.conf" create: yes - name: Is NRPE installed ? - stat: + ansible.builtin.stat: path: "/etc/nrpe.d/evolix.cfg" check_mode: no register: nrpe_evolix_config - name: Install NRPE check dependencies - openbsd_pkg: + community.general.openbsd_pkg: name: p5-Net-Telnet when: nrpe_evolix_config.stat.exists - name: Install OpenVPN NRPE check - copy: + ansible.builtin.copy: src: "files/check_openvpn_openbsd.pl" dest: "/usr/local/libexec/nagios/plugins/check_openvpn.pl" mode: "0755" @@ -131,7 +131,7 @@ when: nrpe_evolix_config.stat.exists - name: Configure NRPE OpenVPN check - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/nrpe.d/evolix.cfg" regexp: '^command\[check_openvpn\]=' line: "command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn.pl -H 127.0.0.1 -p 1195 -P {{ management_pwd }}" @@ -143,7 +143,7 @@ when: nrpe_evolix_config.stat.exists - name: Install OpenVPN certificates NRPE check - copy: + ansible.builtin.copy: src: "files/check_openvpn_certificates.sh" dest: "/usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh" mode: "0755" @@ -152,7 +152,7 @@ when: nrpe_evolix_config.stat.exists - name: Add doas rights for NRPE check - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/doas.conf" regexp: 'check_openvpn_certificates.sh' line: "permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh" 
@@ -160,7 +160,7 @@ when: nrpe_evolix_config.stat.exists - name: Configure NRPE certificates check - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/nrpe.d/evolix.cfg" regexp: '^command\[check_openvpn_certificates\]=' line: "command[check_openvpn_certificates]=doas /usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh" @@ -168,7 +168,7 @@ when: nrpe_evolix_config.stat.exists - name: Copy script to check expirations - copy: + ansible.builtin.copy: src: "shellpki/cert-expirations.sh" dest: "/usr/share/scripts/cert-expirations.sh" mode: "0700" 
@@ -176,42 +176,45 @@ group: wheel - name: Install cron to warn about certificates expiration - cron: + ansible.builtin.cron: name: "OpenVPN certificates expiration" special_time: monthly job: '/usr/share/scripts/cert-expirations.sh | mail -E -s "PKI OpenVPN {{ ansible_hostname }} : recapitulatif expirations" {{ client_email }}' - name: Generate the CA password - set_fact: + ansible.builtin.set_fact: ca_pwd: "{{ lookup('password', '/dev/null length=25 chars=ascii_letters,digits') }}" check_mode: no changed_when: no - name: Initialization of the CA - shell: 'CA_PASSWORD="{{ ca_pwd }}" shellpki init --non-interactive {{ ansible_fqdn }}' + ansible.builtin.shell: + cmd: 'CA_PASSWORD="{{ ca_pwd }}" shellpki init --non-interactive {{ ansible_fqdn }}' - name: Creation of the server's certificate - shell: 'CA_PASSWORD="{{ ca_pwd }}" shellpki create --days 3650 --non-interactive {{ ansible_fqdn }}' + ansible.builtin.shell: + cmd: 'CA_PASSWORD="{{ ca_pwd }}" shellpki create --days 3650 --non-interactive {{ ansible_fqdn }}' - name: Get the server key - shell: 'ls -tr /etc/shellpki/private/ | tail -1' + ansible.builtin.shell: + cmd: 'ls -tr /etc/shellpki/private/ | tail -1' register: ca_key check_mode: no changed_when: no - name: Configure the server key - replace: + ansible.builtin.replace: path: /etc/openvpn/server.conf regexp: 'key /etc/shellpki/private/TO_COMPLETE' replace: 'key /etc/shellpki/private/{{ ca_key.stdout }}' - name: Restart OpenVPN - service: + ansible.builtin.service: name: openvpn state: restarted - name: Warn the user about manual checks - pause: + ansible.builtin.pause: prompt: | /!\ WARNING /!\ You must check and adjust if necessary the configuration file "/etc/openvpn/server.conf", and then restart the OpenVPN service with "rcctl restart openvpn". diff --git a/packweb-apache/handlers/main.yml b/packweb-apache/handlers/main.yml index af4d94d2..f9170bc9 100644 --- a/packweb-apache/handlers/main.yml +++ b/packweb-apache/handlers/main.yml 
@@ -1,10 +1,10 @@ --- - name: restart apache - service: + ansible.builtin.service: name: apache2 state: restarted - name: reload apache - service: + ansible.builtin.service: name: apache2 state: reloaded diff --git a/packweb-apache/tasks/apache.yml b/packweb-apache/tasks/apache.yml index 96c11e3a..434e75d0 100644 --- a/packweb-apache/tasks/apache.yml +++ b/packweb-apache/tasks/apache.yml @@ -1,14 +1,15 @@ --- - name: Check if Apache envvars have a PATH - command: "grep -E '^export PATH ' /etc/apache2/envvars" + ansible.builtin.command: + cmd: "grep -E '^export PATH ' /etc/apache2/envvars" failed_when: False changed_when: False register: envvar_grep_path check_mode: no - name: Add a PATH envvar for Apache - blockinfile: + ansible.builtin.blockinfile: dest: /etc/apache2/envvars marker: "## {mark} ANSIBLE MANAGED BLOCK FOR PATH" block: | @@ -17,7 +18,7 @@ when: envvar_grep_path.rc != 0 - name: Additional packages are installed - apt: + ansible.builtin.apt: name: - libapache2-mod-security2 - modsecurity-crs @@ -25,7 +26,7 @@ state: present - name: Additional modules are enabled - apache2_module: + community.general.apache2_module: name: '{{ item }}' state: present loop: @@ -36,7 +37,7 @@ - log_forensic - name: Copy Apache settings for modules - copy: + ansible.builtin.copy: src: "evolinux-modsec.conf" dest: "/etc/apache2/conf-available/evolinux-modsec.conf" owner: root @@ -45,7 +46,7 @@ force: no - name: Copy Apache settings for modules - template: + ansible.builtin.template: src: "evolinux-evasive.conf.j2" dest: "/etc/apache2/conf-available/evolinux-evasive.conf" owner: root @@ -54,7 +55,8 @@ force: no - name: Ensure Apache modules configs are enabled - command: "a2enconf {{ item }}" + ansible.builtin.command: + cmd: "a2enconf {{ item }}" register: command_result changed_when: "'Enabling' in command_result.stderr" loop: diff --git a/packweb-apache/tasks/awstats.yml b/packweb-apache/tasks/awstats.yml index 5ea0fa57..08c94381 100644 
--- a/packweb-apache/tasks/awstats.yml +++ b/packweb-apache/tasks/awstats.yml @@ -1,11 +1,11 @@ --- - name: Install awstats - apt: + ansible.builtin.apt: name: awstats state: present - name: Configure awstats - blockinfile: + ansible.builtin.blockinfile: dest: /etc/awstats/awstats.conf.local marker: "## {mark} ANSIBLE MANAGED BLOCK FOR PACKWEB" block: | @@ -24,7 +24,7 @@ mode: "0644" - name: Create conf-available/awstats-icon.conf file - copy: + ansible.builtin.copy: dest: /etc/apache2/conf-available/awstats-icon.conf content: | Alias /awstats-icon/ /usr/share/awstats/icon/ @@ -35,20 +35,21 @@ mode: "0644" - name: Enable apache awstats-icon configuration - command: "a2enconf awstats-icon" + ansible.builtin.command: + cmd: "a2enconf awstats-icon" register: command_result changed_when: "'Enabling' in command_result.stderr" notify: reload apache - name: Create awstats cron - lineinfile: + ansible.builtin.lineinfile: dest: /etc/cron.d/awstats create: yes regexp: '-config=awstats' line: "10 */6 * * * root umask 033; [ -x /usr/lib/cgi-bin/awstats.pl -a -f /etc/awstats/awstats.conf -a -r /var/log/apache2/access.log ] && /usr/lib/cgi-bin/awstats.pl -config=awstats -update >/dev/null" - name: Comment default awstat cron's tasks - lineinfile: + ansible.builtin.lineinfile: dest: /etc/cron.d/awstats regexp: "(?i)^([^#]*update\\.sh.*)" line: '#\1' diff --git a/packweb-apache/tasks/dependencies.yml b/packweb-apache/tasks/dependencies.yml index c22d4e0b..cd0efd40 100644 --- a/packweb-apache/tasks/dependencies.yml +++ b/packweb-apache/tasks/dependencies.yml 
@@ -1,21 +1,21 @@ --- -- include_role: +- ansible.builtin.include_role: name: evolix/apache -- include_role: +- ansible.builtin.include_role: name: evolix/php vars: php_apache_enable: True when: packweb_apache_modphp -- include_role: +- ansible.builtin.include_role: name: evolix/php vars: php_fpm_enable: True when: packweb_apache_fpm -- include_role: +- ansible.builtin.include_role: name: evolix/squid vars: squid_localproxy_enable: True @@ -24,53 +24,53 @@ name: evolix/mysql when: packweb_mysql_variant == "debian" -- include_role: +- ansible.builtin.include_role: name: evolix/mysql-oracle when: packweb_mysql_variant == "oracle" -- include_role: +- ansible.builtin.include_role: name: evolix/lxc-php vars: lxc_php_version: php56 lxc_php_create_mysql_link: True when: "'php56' in packweb_multiphp_versions" -- include_role: +- ansible.builtin.include_role: name: evolix/lxc-php vars: lxc_php_version: php70 lxc_php_create_mysql_link: True when: "'php70' in packweb_multiphp_versions" -- include_role: +- ansible.builtin.include_role: name: evolix/lxc-php vars: lxc_php_version: php73 lxc_php_create_mysql_link: True when: "'php73' in packweb_multiphp_versions" -- include_role: +- ansible.builtin.include_role: name: evolix/lxc-php vars: lxc_php_version: php74 lxc_php_create_mysql_link: True when: "'php74' in packweb_multiphp_versions" -- include_role: +- ansible.builtin.include_role: name: evolix/lxc-php vars: lxc_php_version: php80 lxc_php_create_mysql_link: True when: "'php80' in packweb_multiphp_versions" -- include_role: +- ansible.builtin.include_role: name: evolix/lxc-php vars: lxc_php_version: php81 lxc_php_create_mysql_link: True when: "'php81' in packweb_multiphp_versions" -- include_role: +- ansible.builtin.include_role: name: evolix/webapps/evoadmin-web vars: evoadmin_enable_vhost: "{{ packweb_enable_evoadmin_vhost }}" diff --git a/packweb-apache/tasks/fhs_retrictions.yml b/packweb-apache/tasks/fhs_retrictions.yml index 7fa41478..6cb486d6 100644 
--- a/packweb-apache/tasks/fhs_retrictions.yml +++ b/packweb-apache/tasks/fhs_retrictions.yml @@ -1,7 +1,8 @@ --- - name: Remove read permission on some folders (/, /etc, ...) - shell: "test -d {{ item }} && chmod --verbose o-r {{ item }}" + ansible.builtin.shell: + cmd: "test -d {{ item }} && chmod --verbose o-r {{ item }}" register: command_result changed_when: "'changed' in command_result.stdout" failed_when: False @@ -25,7 +26,8 @@ - /etc/default - name: Set 750 permission on some folders (/var/log/apt, /var/log/munin, ...) - shell: "test -d {{ item }} && chmod --verbose 750 {{ item }}" + ansible.builtin.shell: + cmd: "test -d {{ item }} && chmod --verbose 750 {{ item }}" register: command_result changed_when: "'changed' in command_result.stdout" failed_when: False @@ -41,13 +43,14 @@ - /var/log/installer - name: Change group to www-data for /etc/phpmyadmin/ - file: + ansible.builtin.file: dest: /etc/phpmyadmin/ group: www-data state: directory - name: Set u-s permission on some binaries (/bin/ping, /usr/bin/mtr, ...) - shell: "test -f {{ item }} && chmod --verbose u-s {{ item }}" + ansible.builtin.shell: + cmd: "test -f {{ item }} && chmod --verbose u-s {{ item }}" register: command_result changed_when: "'changed' in command_result.stdout" failed_when: False @@ -59,7 +62,8 @@ - /usr/bin/mtr - name: Set 640 permission on some files (/var/log/evolix.log, ...) - shell: "test -f {{ item }} && chmod --verbose 640 {{ item }}" + ansible.builtin.shell: + cmd: "test -f {{ item }} && chmod --verbose 640 {{ item }}" register: command_result changed_when: "'changed' in command_result.stdout" failed_when: False diff --git a/packweb-apache/tasks/main.yml b/packweb-apache/tasks/main.yml index c0a44935..7843a642 100644 --- a/packweb-apache/tasks/main.yml +++ b/packweb-apache/tasks/main.yml 
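Review bot: The four `ansible.builtin.shell` tasks decide change status with `changed_when: "'changed' in command_result.stdout"`, which matches the English wording of `chmod --verbose`; on a host with a non-English locale the permission change is applied but reported as unchanged, and `failed_when: False` hides any real error on top of that. Pin the locale on these tasks with `environment: { LC_ALL: C }` so the match is reliable, or replace the shell with `ansible.builtin.file` and a symbolic `mode: o-r` / numeric mode, which is idempotent and reports changes itself (a `stat` pre-check would then stand in for the `test -d`/`test -f` guard). The item lists of these tasks continue outside the hunks.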
@@ -1,46 +1,46 @@ --- - name: Dependencies are satisfied - include_tasks: dependencies.yml + ansible.builtin.include_tasks: dependencies.yml -- fail: +- ansible.builtin.fail: msg: only compatible with Debian >= 8 when: - ansible_distribution != "Debian" or ansible_distribution_major_version is version('8', '<') - name: Additional packages are installed - apt: + ansible.builtin.apt: name: - zip - unzip state: present - name: install info.php - copy: + ansible.builtin.copy: src: info.php dest: /var/www/info.php mode: "0644" - name: enable info.php link in default site index - lineinfile: + ansible.builtin.lineinfile: dest: /var/www/index.html line: '
  • Infos PHP
  • ' regexp: "Infos PHP" - name: install opcache.php - copy: + ansible.builtin.copy: src: opcache.php dest: /var/www/opcache.php mode: "0644" - name: enable opcache.php link in default site index - lineinfile: + ansible.builtin.lineinfile: dest: /var/www/index.html line: '
  • Infos OpCache PHP
  • ' regexp: "Infos OpCache PHP" - name: Add elements to user account template - file: + ansible.builtin.file: path: "/etc/skel/{{ item.path }}" state: "{{ item.state }}" mode: "{{ item.mode }}" @@ -50,7 +50,8 @@ - { path: www, mode: "0750", state: directory } - name: Apache log file (templates) are present - command: "touch /etc/skel/log/{{ item }}" + ansible.builtin.command: + cmd: "touch /etc/skel/log/{{ item }}" args: creates: "/etc/skel/log/{{ item }}" loop: @@ -58,37 +59,37 @@ - error.log - name: Apache log file (templates) have the proper permissions - file: + ansible.builtin.file: dest: "/etc/skel/log/{{ item }}" mode: "0644" loop: - access.log - error.log -- include_role: +- ansible.builtin.include_role: name: userlogrotate - name: Force DIR_MODE to 0750 in /etc/adduser.conf - lineinfile: + ansible.builtin.lineinfile: dest: /etc/adduser.conf regexp: '^DIR_MODE=' line: 'DIR_MODE=0750' -- include: apache.yml +- ansible.builtin.include: apache.yml -- include: phpmyadmin.yml +- ansible.builtin.include: phpmyadmin.yml -- include: awstats.yml +- ansible.builtin.include: awstats.yml -- include: fhs_retrictions.yml +- ansible.builtin.include: fhs_retrictions.yml when: packweb_fhs_retrictions | bool - name: Periodically cache ftp directory sizes for ftpadmin.sh - cron: + ansible.builtin.cron: name: "ProFTPd directory size caching" special_time: daily job: "/usr/share/scripts/evoadmin/stats.sh" -- include: multiphp.yml +- ansible.builtin.include: multiphp.yml when: packweb_multiphp_versions | length > 0 diff --git a/packweb-apache/tasks/multiphp.yml b/packweb-apache/tasks/multiphp.yml index 8a7c9613..b6719374 100644 --- a/packweb-apache/tasks/multiphp.yml +++ b/packweb-apache/tasks/multiphp.yml 
@@ -1,16 +1,16 @@ --- - name: Enable proxy_fcgi - apache2_module: + community.general.apache2_module: state: present name: proxy_fcgi notify: restart apache2 -- include_role: +- ansible.builtin.include_role: name: remount-usr - name: Copy phpContainer script - copy: + ansible.builtin.copy: src: phpContainer dest: /usr/local/bin/phpContainer mode: "0755" @@ -27,7 +27,7 @@ # line: "alias php='sudo /usr/local/bin/phpContainer'" - name: Add multiphp sudoers file - copy: + ansible.builtin.copy: src: multiphp-sudoers dest: /etc/sudoers.d/multiphp mode: "0600" diff --git a/packweb-apache/tasks/phpmyadmin.yml b/packweb-apache/tasks/phpmyadmin.yml index f83b0a5d..11832300 100644 --- a/packweb-apache/tasks/phpmyadmin.yml +++ b/packweb-apache/tasks/phpmyadmin.yml @@ -1,18 +1,18 @@ --- - name: Install apg - apt: + ansible.builtin.apt: name: apg # On Debian 10, we need to install the package from buster-backports - name: Enable backports (Debian 10) - include_role: + ansible.builtin.include_role: name: evolix/apt tasks_from: backports.yml when: ansible_distribution_major_version is version('10', '=') - name: Prefer phpMyAdmin package from backports (Debian 10) - template: + ansible.builtin.template: src: phpmyadmin_apt_preferences.j2 dest: /etc/apt/preferences.d/999-phpmyadmin force: yes 
@@ -20,27 +20,28 @@ when: ansible_distribution_major_version is version('10', '=') - name: Install phpmyadmin - apt: + ansible.builtin.apt: name: phpmyadmin update_cache: yes - name: Check if phpmyadmin default configuration is present - stat: + ansible.builtin.stat: path: /etc/apache2/conf-enabled/phpmyadmin.conf register: pma_default_config -- debug: +- ansible.builtin.debug: var: pma_default_config verbosity: 1 - name: Disable phpmyadmin default configuration - command: "a2disconf phpmyadmin" + ansible.builtin.command: + cmd: "a2disconf phpmyadmin" register: command_result changed_when: "'Disabling' in command_result.stderr" when: pma_default_config.stat.exists - name: "phpmyadmin suffix dirname '{{ packweb_phpmyadmin_suffix_file | dirname }}' exists" - file: + ansible.builtin.file: dest: "{{ packweb_phpmyadmin_suffix_file | dirname }}" mode: "0700" owner: root @@ -48,7 +49,7 @@ state: directory - name: set phpmyadmin suffix if provided - copy: + ansible.builtin.copy: dest: "{{ packweb_phpmyadmin_suffix_file }}" # The last character "\u000A" is a line feed (LF), it's better to keep it content: "{{ packweb_phpmyadmin_suffix }}\u000A" 
@@ -56,26 +57,28 @@ when: packweb_phpmyadmin_suffix | length > 0 - name: generate random string for phpmyadmin suffix - shell: "apg -a 1 -M N -n 1 > {{ packweb_phpmyadmin_suffix_file }}" + ansible.builtin.shell: + cmd: "apg -a 1 -M N -n 1 > {{ packweb_phpmyadmin_suffix_file }}" args: creates: "{{ packweb_phpmyadmin_suffix_file }}" - name: read phpmyadmin suffix - command: "tail -n 1 {{ packweb_phpmyadmin_suffix_file }}" + ansible.builtin.command: + cmd: "tail -n 1 {{ packweb_phpmyadmin_suffix_file }}" changed_when: False check_mode: no register: new_packweb_phpmyadmin_suffix - name: overwrite packweb_phpmyadmin_suffix - set_fact: + ansible.builtin.set_fact: packweb_phpmyadmin_suffix: "{{ new_packweb_phpmyadmin_suffix.stdout }}" -- debug: +- ansible.builtin.debug: var: packweb_phpmyadmin_suffix verbosity: 1 - name: enable phpMyAdmin config - blockinfile: + ansible.builtin.blockinfile: dest: /etc/apache2/sites-available/000-evolinux-default.conf marker: "# {mark} phpMyAdmin section" block: | @@ -88,13 +91,13 @@ - name: enable phpmyadmin link in default site index - replace: + ansible.builtin.replace: dest: /var/www/index.html regexp: '' replace: '
  • Accès PhpMyAdmin
  • ' - name: replace phpmyadmin suffix in default site index - replace: + ansible.builtin.replace: dest: /var/www/index.html regexp: '__PHPMYADMIN_SUFFIX__' replace: "{{ packweb_phpmyadmin_suffix }}" diff --git a/percona/tasks/main.yml b/percona/tasks/main.yml index 6dc319ff..32637df7 100644 --- a/percona/tasks/main.yml +++ b/percona/tasks/main.yml @@ -1,22 +1,22 @@ --- -- set_fact: +- ansible.builtin.set_fact: percona__apt_config_package_file: "percona-release_latest.{{ ansible_distribution_release }}_all.deb" - name: Look for legacy apt keyring - stat: + ansible.builtin.stat: path: /etc/apt/trusted.gpg register: _trusted_gpg_keyring - name: Percona embedded GPG key is absent - apt_key: + ansible.builtin.apt_key: id: "8507EFA5" keyring: /etc/apt/trusted.gpg state: absent when: _trusted_gpg_keyring.stat.exists - name: Add Percona GPG key - copy: + ansible.builtin.copy: src: percona.asc dest: "{{ apt_keyring_dir }}/percona.asc" force: yes @@ -25,8 +25,8 @@ group: root - name: Check if percona-release is installed - shell: "set -o pipefail && dpkg -l percona-release 2>/dev/null | grep -q -E '^(i|h)i'" - args: + ansible.builtin.shell: + cmd: "set -o pipefail && dpkg -l percona-release 2>/dev/null | grep -q -E '^(i|h)i'" executable: /bin/bash check_mode: no failed_when: False @@ -34,7 +34,7 @@ register: percona__apt_config_package_installed - name: Percona APT config package is available - copy: + ansible.builtin.copy: src: "{{ percona__apt_config_package_file }}" dest: "/root/{{ percona__apt_config_package_file }}" when: not (percona__apt_config_package_installed | bool) 
@@ -43,23 +43,23 @@ # name: evolix/remount-usr - name: Percona APT config package is installed from deb file - apt: + ansible.builtin.apt: deb: "/root/{{ percona__apt_config_package_file }}" state: present register: percona__apt_config_deb when: not (percona__apt_config_package_installed | bool) - name: Percona APT config package is installed from repository - apt: + ansible.builtin.apt: name: percona-release state: latest register: percona__apt_config_deb when: percona__apt_config_package_installed | bool - name: APT cache is up-to-date - apt: + ansible.builtin.apt: update_cache: yes when: percona__apt_config_deb is changed -- include: xtrabackup.yml +- ansible.builtin.include: xtrabackup.yml when: percona__install_xtrabackup | bool diff --git a/percona/tasks/xtrabackup.yml b/percona/tasks/xtrabackup.yml index 7d4e29d1..6a68fbff 100644 --- a/percona/tasks/xtrabackup.yml +++ b/percona/tasks/xtrabackup.yml @@ -1,16 +1,17 @@ --- - name: Percona Tools is enabled - command: percona-release enable tools release + ansible.builtin.command: + cmd: percona-release enable tools release # changed_when: # register: percona__release_enable_tools - name: APT cache is up-to-date - apt: + ansible.builtin.apt: update_cache: yes # when: percona__release_enable_tools is changed - name: Percona XtraBackup package is installed - apt: + ansible.builtin.apt: name: "{{ percona__xtrabackup_package_name }}" state: present diff --git a/pgbouncer/tasks/main.yml b/pgbouncer/tasks/main.yml index 67639044..fefef4e1 100644 --- a/pgbouncer/tasks/main.yml +++ b/pgbouncer/tasks/main.yml 
@@ -1,17 +1,17 @@ --- - name: PgBouncer is installed - apt: + ansible.builtin.apt: name: pgbouncer state: present - name: Limit for PgBouncer is set - lineinfile: + ansible.builtin.lineinfile: path: /etc/default/pgbouncer line: ulimit -n 65536 - name: Add config file for PgBouncer - template: + ansible.builtin.template: src: pgbouncer.ini.j2 dest: /etc/pgbouncer/pgbouncer.ini - name: Populate userlist.txt - template: + ansible.builtin.template: src: userlist.txt.j2 dest: /etc/pgbouncer/userlist.txt diff --git a/php/handlers/main.yml b/php/handlers/main.yml index 206eab3a..b333fe9b 100644 --- a/php/handlers/main.yml +++ b/php/handlers/main.yml @@ -1,36 +1,36 @@ --- - name: restart php5-fpm - service: + ansible.builtin.service: name: php5-fpm state: restarted - name: restart php5.6-fpm - service: + ansible.builtin.service: name: php5.6-fpm state: restarted - name: restart php7.0-fpm - service: + ansible.builtin.service: name: php7.0-fpm state: restarted - name: restart php7.3-fpm - service: + ansible.builtin.service: name: php7.3-fpm state: restarted - name: restart php7.4-fpm - service: + ansible.builtin.service: name: php7.4-fpm state: restarted - name: restart php8.1-fpm - service: + ansible.builtin.service: name: php8.1-fpm state: restarted - name: restart php8.2-fpm - service: + ansible.builtin.service: name: php8.2-fpm state: restarted diff --git a/php/tasks/config_apache.yml b/php/tasks/config_apache.yml index 795678fd..4ddc8448 100644 --- a/php/tasks/config_apache.yml +++ b/php/tasks/config_apache.yml @@ -1,7 +1,7 @@ --- - name: Set default values for PHP - ini_file: + community.general.ini_file: dest: "{{ php_apache_defaults_ini_file }}" section: PHP option: "{{ item.option }}" @@ -19,7 +19,7 @@ - { option: "opcache.max_accelerated_files", value: "8000" } - name: Disable PHP functions - ini_file: + community.general.ini_file: dest: "{{ php_apache_defaults_ini_file }}" section: PHP option: disable_functions 
@@ -27,7 +27,7 @@ mode: "0644" - name: Custom php.ini - copy: + ansible.builtin.copy: dest: "{{ php_apache_custom_ini_file }}" content: | ; Put customized values here. @@ -36,7 +36,7 @@ force: no - name: "Set custom values for PHP to enable Symfony" - ini_file: + community.general.ini_file: dest: "{{ php_apache_custom_ini_file }}" section: PHP option: "{{ item.option }}" diff --git a/php/tasks/config_cli.yml b/php/tasks/config_cli.yml index d327690a..506a1077 100644 --- a/php/tasks/config_cli.yml +++ b/php/tasks/config_cli.yml @@ -1,6 +1,6 @@ --- - name: "Set default php.ini values for CLI" - ini_file: + community.general.ini_file: dest: "{{ php_cli_defaults_ini_file }}" section: PHP option: "{{ item.option }}" @@ -13,7 +13,7 @@ - { option: "disable_functions", value: "" } - name: Custom php.ini for CLI - copy: + ansible.builtin.copy: dest: "{{ php_cli_custom_ini_file }}" content: | ; Put customized values here. @@ -22,12 +22,12 @@ # This task is not merged with the above copy # because "force: no" prevents any fix after the fact - name: "Permissions for custom php.ini for CLI" - file: + ansible.builtin.file: dest: "{{ php_cli_custom_ini_file }}" mode: "0644" - name: "Set custom values for PHP to enable Symfony" - ini_file: + community.general.ini_file: dest: "{{ php_cli_custom_ini_file }}" section: PHP option: "{{ item.option }}" diff --git a/php/tasks/config_fpm.yml b/php/tasks/config_fpm.yml index ad543f19..9fc1cc33 100644 --- a/php/tasks/config_fpm.yml +++ b/php/tasks/config_fpm.yml @@ -1,7 +1,7 @@ --- - name: Set default php.ini values for FPM - ini_file: + community.general.ini_file: dest: "{{ php_fpm_defaults_ini_file }}" section: PHP option: "{{ item.option }}" @@ -20,7 +20,7 @@ notify: "restart {{ php_fpm_service_name }}" - name: Disable PHP functions for FPM - ini_file: + community.general.ini_file: dest: "{{ php_fpm_defaults_ini_file }}" section: PHP option: disable_functions 
@@ -28,7 +28,7 @@
notify: "restart {{ php_fpm_service_name }}"
- name: Custom php.ini for FPM
- copy:
+ ansible.builtin.copy:
dest: "{{ php_fpm_custom_ini_file }}"
content: |
; Put customized values here.
@@ -36,7 +36,7 @@
notify: "restart {{ php_fpm_service_name }}"
- name: Set default PHP FPM values
- ini_file:
+ community.general.ini_file:
dest: "{{ php_fpm_default_pool_file }}"
section: www
option: "{{ item.option }}"
@@ -60,7 +60,7 @@
when: ansible_distribution_major_version is version('9', '>=')
- name: Custom PHP FPM values
- copy:
+ ansible.builtin.copy:
dest: "{{ php_fpm_default_pool_custom_file }}"
content: |
; Put customized values here.
@@ -70,7 +70,7 @@
notify: "restart {{ php_fpm_service_name }}"
- name: "Set custom values for PHP to enable Symfony"
- ini_file:
+ community.general.ini_file:
dest: "{{ php_cli_custom_ini_file }}"
section: PHP
option: "{{ item.option }}"
@@ -82,7 +82,7 @@
when: php_symfony_requirements | bool
- name: Delete debian default pool
- file:
+ ansible.builtin.file:
path: "{{ php_fpm_debian_default_pool_file | mandatory }}"
state: absent
notify: "restart {{ php_fpm_service_name }}"
diff --git a/php/tasks/main.yml b/php/tasks/main.yml
index 180712b2..f9144832 100644
--- a/php/tasks/main.yml
+++ b/php/tasks/main.yml
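Review bot: In config_fpm.yml the "Set custom values for PHP to enable Symfony" task writes to `dest: "{{ php_cli_custom_ini_file }}"`, while every other task in this file targets an FPM file; this looks like a copy of the CLI task, so the Symfony overrides would presumably land in the CLI ini and never reach FPM. If unintended, the line should read `dest: "{{ php_fpm_custom_ini_file }}"` and the task should notify `restart {{ php_fpm_service_name }}` like its neighbours (its tail is outside the hunk, so I cannot see whether it does). The `dest` line is context, so this is a pre-existing issue the FQCN migration carries over rather than something the commit introduces.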
@@ -1,23 +1,23 @@
---
-- assert:
+- ansible.builtin.assert:
that:
- ansible_distribution == "Debian"
- ansible_distribution_major_version is version('8', '>=')
- ansible_distribution_major_version is version('12', '<=')
msg: This is only compatible with Debian 8 → 12
-- include_tasks: main_jessie.yml
+- ansible.builtin.include_tasks: main_jessie.yml
when: ansible_distribution_release == "jessie"
-- include_tasks: main_stretch.yml
+- ansible.builtin.include_tasks: main_stretch.yml
when: ansible_distribution_release == "stretch"
-- include_tasks: main_buster.yml
+- ansible.builtin.include_tasks: main_buster.yml
when: ansible_distribution_release == "buster"
-- include_tasks: main_bullseye.yml
+- ansible.builtin.include_tasks: main_bullseye.yml
when: ansible_distribution_release == "bullseye"
-- include_tasks: main_bookworm.yml
+- ansible.builtin.include_tasks: main_bookworm.yml
when: ansible_distribution_release == "bookworm"
diff --git a/php/tasks/main_bookworm.yml b/php/tasks/main_bookworm.yml
index 6ad64399..d4dd381f 100644
--- a/php/tasks/main_bookworm.yml
+++ b/php/tasks/main_bookworm.yml
@@ -1,21 +1,21 @@
---
- name: "Set php version to 8.2 (Debian 12)"
- set_fact:
+ ansible.builtin.set_fact:
php_version: "8.2"
when:
- php_sury_enable == false
check_mode: no
- name: "Set php config directories (Debian 12)"
- set_fact:
+ ansible.builtin.set_fact:
php_cli_conf_dir: "/etc/php/{{ php_version }}/cli/conf.d"
php_apache_conf_dir: "/etc/php/{{ php_version }}/apache2/conf.d"
php_fpm_conf_dir: "/etc/php/{{ php_version }}/fpm/conf.d"
php_fpm_pool_dir: "/etc/php/{{ php_version }}/fpm/pool.d"
- name: "Set php config files (Debian 12)"
- set_fact:
+ ansible.builtin.set_fact:
php_cli_defaults_ini_file: "{{ php_cli_conf_dir }}/z-evolinux-defaults.ini"
php_cli_custom_ini_file: "{{ php_cli_conf_dir }}/zzz-evolinux-custom.ini"
php_apache_defaults_ini_file: "{{ php_apache_conf_dir }}/z-evolinux-defaults.ini"
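Review bot: The condition `- php_sury_enable == false` in main_bookworm.yml compares against a Jinja boolean, so a value that arrives as a string (`"false"` from an inventory file or `--extra-vars`) never matches and `php_version` is left unset when Sury is disabled; main_buster.yml already uses the robust form `- not (php_sury_enable | bool)`. main_bullseye.yml has the same pattern as `== False`, and both files also use bare `when: php_sury_enable`, `when: php_fpm_enable` and `when: php_apache_enable` on their includes and permission tasks where the buster, stretch and jessie files apply `| bool`. Normalising these to the `| bool` form would make the five per-release files behave the same way for the same inventory.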
@@ -31,7 +31,7 @@
# Packages
- name: "Set package list (Debian 12)"
- set_fact:
+ ansible.builtin.set_fact:
php_stretch_packages:
- php-cli
- php-gd
@@ -49,16 +49,16 @@
- composer
- libphp-phpmailer
-- include: sury_pre.yml
+- ansible.builtin.include: sury_pre.yml
when: php_sury_enable
- name: "Install PHP packages (Debian 12)"
- apt:
+ ansible.builtin.apt:
name: '{{ php_stretch_packages }}'
state: present
- name: "Install mod_php packages (Debian 12)"
- apt:
+ ansible.builtin.apt:
name:
- libapache2-mod-php
- php
@@ -66,7 +66,7 @@
when: php_apache_enable
- name: "Install PHP FPM packages (Debian 12)"
- apt:
+ ansible.builtin.apt:
name:
- php-fpm
- php
@@ -76,36 +76,36 @@
# Configuration
- name: "Enforce permissions on PHP directory (Debian 12)"
- file:
+ ansible.builtin.file:
dest: "{{ item }}"
mode: "0755"
with_items:
- /etc/php
- /etc/php/{{ php_version }}
-- include: config_cli.yml
+- ansible.builtin.include: config_cli.yml
- name: "Enforce permissions on PHP cli directory (Debian 12)"
- file:
+ ansible.builtin.file:
dest: /etc/php/{{ php_version }}/cli
mode: "0755"
-- include: config_fpm.yml
+- ansible.builtin.include: config_fpm.yml
when: php_fpm_enable
- name: "Enforce permissions on PHP fpm directory (Debian 12)"
- file:
+ ansible.builtin.file:
dest: /etc/php/{{ php_version }}/fpm
mode: "0755"
when: php_fpm_enable
-- include: config_apache.yml
+- ansible.builtin.include: config_apache.yml
when: php_apache_enable
- name: "Enforce permissions on PHP apache2 directory (Debian 12)"
- file:
+ ansible.builtin.file:
dest: /etc/php/{{ php_version }}/apache2
mode: "0755"
when: php_apache_enable
-- include: sury_post.yml
+- ansible.builtin.include: sury_post.yml
when: php_sury_enable
diff --git a/php/tasks/main_bullseye.yml b/php/tasks/main_bullseye.yml
index 4cb185b7..b12740a7 100644
--- a/php/tasks/main_bullseye.yml
+++ b/php/tasks/main_bullseye.yml
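Review bot: `- ansible.builtin.include: sury_pre.yml` keeps the deprecated `include` action under its FQCN rather than moving to `ansible.builtin.include_tasks`, which php/tasks/main.yml in this same commit already uses; `include` is deprecated and has been removed from recent ansible-core releases, so this part of the migration will need redoing. The same pattern appears in main_bullseye.yml, main_buster.yml, main_jessie.yml, main_stretch.yml, postfix/tasks/main.yml, the postgresql packages_*.yml files and proftpd/tasks/accounts.yml. One caveat when switching: `include_tasks` is dynamic, so tags set on the include itself (as on the proftpd accounts include with `tags: - proftpd`) no longer propagate to the included tasks unless `apply:` or `import_tasks` is used.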
@@ -1,14 +1,14 @@
---
- name: "Set php version to 7.4 if Sury repo is not enabled"
- set_fact:
+ ansible.builtin.set_fact:
php_version: "7.4"
when:
- php_sury_enable == False
check_mode: no
- name: "Set variables (Debian 11)"
- set_fact:
+ ansible.builtin.set_fact:
php_cli_defaults_ini_file: /etc/php/{{ php_version }}/cli/conf.d/z-evolinux-defaults.ini
php_cli_custom_ini_file: /etc/php/{{ php_version }}/cli/conf.d/zzz-evolinux-custom.ini
php_apache_defaults_ini_file: /etc/php/{{ php_version }}/apache2/conf.d/z-evolinux-defaults.ini
@@ -24,7 +24,7 @@
# Packages
- name: "Set package list (Debian 11)"
- set_fact:
+ ansible.builtin.set_fact:
php_stretch_packages:
- php-cli
- php-gd
@@ -41,16 +41,16 @@
- composer
- libphp-phpmailer
-- include: sury_pre.yml
+- ansible.builtin.include: sury_pre.yml
when: php_sury_enable
- name: "Install PHP packages (Debian 11)"
- apt:
+ ansible.builtin.apt:
name: '{{ php_stretch_packages }}'
state: present
- name: "Install mod_php packages (Debian 11)"
- apt:
+ ansible.builtin.apt:
name:
- libapache2-mod-php
- php
@@ -58,7 +58,7 @@
when: php_apache_enable
- name: "Install PHP FPM packages (Debian 11)"
- apt:
+ ansible.builtin.apt:
name:
- php{{ php_version }}-fpm
- php{{ php_version }}
@@ -68,33 +68,33 @@
# Configuration
- name: "Enforce permissions on PHP directory (Debian 11)"
- file:
+ ansible.builtin.file:
dest: "{{ item }}"
mode: "0755"
with_items:
- /etc/php
- /etc/php/{{ php_version }}
-- include: config_cli.yml
+- ansible.builtin.include: config_cli.yml
- name: "Enforce permissions on PHP cli directory (Debian 11)"
- file:
+ ansible.builtin.file:
dest: /etc/php/{{ php_version }}/cli
mode: "0755"
-- include: config_fpm.yml
+- ansible.builtin.include: config_fpm.yml
when: php_fpm_enable
- name: "Enforce permissions on PHP fpm directory (Debian 11)"
- file:
+ ansible.builtin.file:
dest: /etc/php/{{ php_version }}/fpm
mode: "0755"
when: php_fpm_enable
-- include: config_apache.yml
+- ansible.builtin.include: config_apache.yml
when: php_apache_enable
- name: "Enforce permissions on PHP apache2 directory (Debian 11)"
- file:
+ ansible.builtin.file:
dest: /etc/php/{{ php_version }}/apache2
mode: "0755"
when: php_apache_enable
diff --git a/php/tasks/main_buster.yml b/php/tasks/main_buster.yml
index 58fda84e..588d21d5 100644
--- a/php/tasks/main_buster.yml
+++ b/php/tasks/main_buster.yml
@@ -1,17 +1,17 @@
---
-- debug:
+- ansible.builtin.debug:
var: php_sury_enable
- name: "Set php version to 7.3 if Sury repo is not enabled"
- set_fact:
+ ansible.builtin.set_fact:
php_version: "7.3"
check_mode: no
when:
- not (php_sury_enable | bool)
- name: "Set variables (Debian 10)"
- set_fact:
+ ansible.builtin.set_fact:
php_cli_defaults_ini_file: /etc/php/{{ php_version }}/cli/conf.d/zvolinux-defaults.ini
php_cli_custom_ini_file: /etc/php/{{ php_version }}/cli/conf.d/zzz-evolinux-custom.ini
php_apache_defaults_ini_file: /etc/php/{{ php_version }}/apache2/conf.d/z-evolinux-defaults.ini
@@ -27,7 +27,7 @@
# Packages
- name: "Set package list (Debian 10)"
- set_fact:
+ ansible.builtin.set_fact:
php_stretch_packages:
- php-cli
- php-gd
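Review bot: In main_buster.yml the CLI defaults path is `/etc/php/{{ php_version }}/cli/conf.d/zvolinux-defaults.ini`, whereas the bullseye, stretch and jessie files and the bookworm variables all use `z-evolinux-defaults.ini`; this looks like a typo rather than a deliberate name. On Debian 10 the defaults would then be written to a differently-named file than on every other release, which is confusing for anyone auditing the conf.d directory. If hosts already carry the misspelt file, correcting the variable needs a companion task that removes the old name; the line is context here, so the commit does not touch it.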
@@ -45,16 +45,16 @@
- composer
- libphp-phpmailer
-- include: sury_pre.yml
+- ansible.builtin.include: sury_pre.yml
when: php_sury_enable | bool
- name: "Install PHP packages (Debian 10)"
- apt:
+ ansible.builtin.apt:
name: '{{ php_stretch_packages }}'
state: present
- name: "Install mod_php packages (Debian 10)"
- apt:
+ ansible.builtin.apt:
name:
- libapache2-mod-php
- php
@@ -62,7 +62,7 @@
when: php_apache_enable | bool
- name: "Install PHP FPM packages (Debian 10)"
- apt:
+ ansible.builtin.apt:
name:
- php{{ php_version }}-fpm
- php{{ php_version }}
@@ -72,33 +72,33 @@
# Configuration
- name: "Enforce permissions on PHP directory (Debian 10)"
- file:
+ ansible.builtin.file:
dest: "{{ item }}"
mode: "0755"
loop:
- /etc/php
- /etc/php/{{ php_version }}
-- include: config_cli.yml
+- ansible.builtin.include: config_cli.yml
- name: "Enforce permissions on PHP cli directory (Debian 10)"
- file:
+ ansible.builtin.file:
dest: /etc/php/{{ php_version }}/cli
mode: "0755"
-- include: config_fpm.yml
+- ansible.builtin.include: config_fpm.yml
when: php_fpm_enable | bool
- name: "Enforce permissions on PHP fpm directory (Debian 10)"
- file:
+ ansible.builtin.file:
dest: /etc/php/{{ php_version }}/fpm
mode: "0755"
when: php_fpm_enable | bool
-- include: config_apache.yml
+- ansible.builtin.include: config_apache.yml
when: php_apache_enable | bool
- name: "Enforce permissions on PHP apache2 directory (Debian 10)"
- file:
+ ansible.builtin.file:
dest: /etc/php/{{ php_version }}/apache2
mode: "0755"
when: php_apache_enable | bool
diff --git a/php/tasks/main_jessie.yml b/php/tasks/main_jessie.yml
index 75105166..fc517533 100644
--- a/php/tasks/main_jessie.yml
+++ b/php/tasks/main_jessie.yml
@@ -1,7 +1,7 @@
---
- name: "Set variables (Debian 8)"
- set_fact:
+ ansible.builtin.set_fact:
php_cli_defaults_ini_file: /etc/php5/cli/conf.d/z-evolinux-defaults.ini
php_cli_custom_ini_file: /etc/php5/cli/conf.d/zzz-evolinux-custom.ini
php_apache_defaults_ini_file: /etc/php5/apache2/conf.d/z-evolinux-defaults.ini
@@ -17,7 +17,7 @@
# Packages
- name: "Install PHP packages (Debian 8)"
- apt:
+ ansible.builtin.apt:
name:
- php5-cli
- php5-gd
@@ -35,7 +35,7 @@
state: present
- name: "Install mod_php packages (Debian 8)"
- apt:
+ ansible.builtin.apt:
name:
- libapache2-mod-php5
- php5
@@ -43,7 +43,7 @@
when: php_apache_enable | bool
- name: "Install PHP FPM packages (Debian 8)"
- apt:
+ ansible.builtin.apt:
name:
- php5-fpm
- php5
@@ -53,31 +53,31 @@
# Configuration
- name: Enforce permissions on PHP directory (Debian 8)
- file:
+ ansible.builtin.file:
dest: /etc/php5
mode: "0755"
-- include: config_cli.yml
+- ansible.builtin.include: config_cli.yml
- name: Enforce permissions on PHP cli directory (Debian 8)
- file:
+ ansible.builtin.file:
dest: /etc/php5/cli
mode: "0755"
-- include: config_fpm.yml
+- ansible.builtin.include: config_fpm.yml
when: php_fpm_enable | bool
- name: Enforce permissions on PHP fpm directory (Debian 8)
- file:
+ ansible.builtin.file:
dest: /etc/php5/fpm
mode: "0755"
when: php_fpm_enable | bool
-- include: config_apache.yml
+- ansible.builtin.include: config_apache.yml
when: php_apache_enable | bool
- name: Enforce permissions on PHP apache2 directory (Debian 8)
- file:
+ ansible.builtin.file:
dest: /etc/php5/apache2
mode: "0755"
when: php_apache_enable | bool
diff --git a/php/tasks/main_stretch.yml b/php/tasks/main_stretch.yml
index 698621ac..25f264b7 100644
--- a/php/tasks/main_stretch.yml
+++ b/php/tasks/main_stretch.yml
@@ -1,7 +1,7 @@
---
- name: "Set variables (Debian 9)"
- set_fact:
+ ansible.builtin.set_fact:
php_cli_defaults_ini_file: /etc/php/7.0/cli/conf.d/z-evolinux-defaults.ini
php_cli_custom_ini_file: /etc/php/7.0/cli/conf.d/zzz-evolinux-custom.ini
php_apache_defaults_ini_file: /etc/php/7.0/apache2/conf.d/z-evolinux-defaults.ini
@@ -17,7 +17,7 @@
# Packages
- name: "Set package list (Debian 9)"
- set_fact:
+ ansible.builtin.set_fact:
php_stretch_packages:
- php-cli
- php-gd
@@ -35,16 +35,16 @@
- composer
- libphp-phpmailer
-- include: sury_pre.yml
+- ansible.builtin.include: sury_pre.yml
when: php_sury_enable | bool
- name: "Install PHP packages (Debian 9)"
- apt:
+ ansible.builtin.apt:
name: '{{ php_stretch_packages }}'
state: present
- name: "Install mod_php packages (Debian 9)"
- apt:
+ ansible.builtin.apt:
name:
- libapache2-mod-php
- php
@@ -52,7 +52,7 @@
when: php_apache_enable | bool
- name: "Install PHP FPM packages (Debian 9)"
- apt:
+ ansible.builtin.apt:
name:
- php-fpm
- php
@@ -62,37 +62,37 @@
# Configuration
- name: "Enforce permissions on PHP directory (Debian 9)"
- file:
+ ansible.builtin.file:
dest: "{{ item }}"
mode: "0755"
loop:
- /etc/php
- /etc/php/7.0
-- include: config_cli.yml
+- ansible.builtin.include: config_cli.yml
- name: "Enforce permissions on PHP cli directory (Debian 9)"
- file:
+ ansible.builtin.file:
dest: /etc/php/7.0/cli
mode: "0755"
-- include: config_fpm.yml
+- ansible.builtin.include: config_fpm.yml
when: php_fpm_enable | bool
- name: "Enforce permissions on PHP fpm directory (Debian 9)"
- file:
+ ansible.builtin.file:
dest: /etc/php/7.0/fpm
mode: "0755"
when: php_fpm_enable | bool
-- include: config_apache.yml
+- ansible.builtin.include: config_apache.yml
when: php_apache_enable | bool
- name: "Enforce permissions on PHP apache2 directory (Debian 9)"
- file:
+ ansible.builtin.file:
dest: /etc/php/7.0/apache2
mode: "0755"
when: php_apache_enable | bool
-- include: sury_post.yml
+- ansible.builtin.include: sury_post.yml
when: php_sury_enable | bool
diff --git a/php/tasks/sury_post.yml b/php/tasks/sury_post.yml
index 4e706889..ef4d3c7e 100644
--- a/php/tasks/sury_post.yml
+++ b/php/tasks/sury_post.yml
@@ -1,7 +1,7 @@
---
- name: Symlink Evolix CLI config files from 7.4 to 7.0
- file:
+ ansible.builtin.file:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
force: yes
@@ -11,12 +11,12 @@
- { src: "{{ php_cli_custom_ini_file }}", dest: "/etc/php/7.4/cli/conf.d/zzz-evolinux-custom.ini" }
- name: Enforce permissions on PHP 7.4/cli directory
- file:
+ ansible.builtin.file:
dest: /etc/php/7.4/cli
mode: "0755"
- name: Symlink Evolix Apache config files from 7.4 to 7.0
- file:
+ ansible.builtin.file:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
force: yes
@@ -27,13 +27,13 @@
when: php_apache_enable | bool
- name: Enforce permissions on PHP 7.4/cli directory
- file:
+ ansible.builtin.file:
dest: /etc/php/7.4/apache2
mode: "0755"
when: php_apache_enable | bool
- name: Symlink Evolix FPM config files from 7.4 to 7.0
- file:
+ ansible.builtin.file:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
force: yes
@@ -46,7 +46,7 @@
when: php_fpm_enable | bool
- name: Enforce permissions on PHP 7.4/cli directory
- file:
+ ansible.builtin.file:
dest: /etc/php/7.4/fpm
mode: "0755"
when: php_fpm_enable | bool
diff --git a/php/tasks/sury_pre.yml b/php/tasks/sury_pre.yml
index 7f5b6bf4..1f04b661 100644
--- a/php/tasks/sury_pre.yml
+++ b/php/tasks/sury_pre.yml
@@ -1,13 +1,13 @@
---
- name: Setup deb.sury.org repository - Install apt-transport-https
- apt:
+ ansible.builtin.apt:
name: apt-transport-https
state: present
when: ansible_distribution_major_version is version('10', '<')
- name: copy pub.evolix.org GPG key
- copy:
+ ansible.builtin.copy:
src: pub_evolix.asc
dest: "{{ apt_keyring_dir }}/pub_evolix.asc"
mode: "0644"
@@ -15,7 +15,7 @@
group: root
- name: Setup pub.evolix.org repository - Add source list
- apt_repository:
+ ansible.builtin.apt_repository:
repo: "deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix {{ ansible_distribution_release }}-php81 main"
filename: evolix-php
state: present
@@ -23,14 +23,14 @@
- ansible_distribution_release == "bullseye"
- name: Setup deb.sury.org repository - Add preferences file
- copy:
+ ansible.builtin.copy:
src: sury.preferences
dest: /etc/apt/preferences.d/z-sury
when:
- ansible_distribution_release != "bullseye"
- name: Setup deb.sury.org repository - Add GPG key
- copy:
+ ansible.builtin.copy:
src: sury.gpg
dest: "{{ apt_keyring_dir }}/sury.gpg"
mode: "0644"
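Review bot: Both permission tasks in these sury_post.yml hunks are named "Enforce permissions on PHP 7.4/cli directory" while they act on `/etc/php/7.4/apache2` and `/etc/php/7.4/fpm`, so play output cannot distinguish the three permission tasks in this file. Rename them to `- name: Enforce permissions on PHP 7.4/apache2 directory` and `- name: Enforce permissions on PHP 7.4/fpm directory`.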
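Review bot: The pub.evolix.org source is added over plain `http://pub.evolix.org/evolix` while the Sury source in the next hunk uses `https://`; the `signed-by` keyring still authenticates the packages, so this is about transport confidentiality and downgrade resistance rather than package integrity. If the mirror serves TLS, `repo: "deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] https://pub.evolix.org/evolix {{ ansible_distribution_release }}-php81 main"` aligns the two. postgresql/tasks/pgdg-repo.yml in this commit adds `http://apt.postgresql.org/pub/repos/apt/` the same way.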
@@ -38,7 +38,7 @@
group: root
- name: Add Sury repository (Debian <12)
- apt_repository:
+ ansible.builtin.apt_repository:
repo: "deb [signed-by={{ apt_keyring_dir }}/sury.gpg] https://packages.sury.org/php/ {{ ansible_distribution_release }} main"
filename: sury
state: present
@@ -54,12 +54,12 @@
when: ansible_distribution_major_version is version('12', '>=')
- name: Update APT cache
- apt:
+ ansible.builtin.apt:
update_cache: yes
when: sury_sources is changed
- name: "Override package list for Sury (Debian 9 or later)"
- set_fact:
+ ansible.builtin.set_fact:
php_stretch_packages:
- php{{ php_version }}-cli
- php{{ php_version }}-gd
diff --git a/postfix/handlers/main.yml b/postfix/handlers/main.yml
index 6c2e879b..d8cef9f7 100644
--- a/postfix/handlers/main.yml
+++ b/postfix/handlers/main.yml
@@ -1,13 +1,14 @@
---
- name: restart postfix
- service:
+ ansible.builtin.service:
name: postfix
state: restarted
- name: reload postfix
- service:
+ ansible.builtin.service:
name: postfix
state: reloaded
- name: postmap transport
- command: postmap /etc/postfix/transport
+ ansible.builtin.command:
+ cmd: postmap /etc/postfix/transport
diff --git a/postfix/tasks/common.yml b/postfix/tasks/common.yml
index bcd5ed79..29e6dd07 100644
--- a/postfix/tasks/common.yml
+++ b/postfix/tasks/common.yml
@@ -1,7 +1,8 @@
---
- name: check if main.cf is default
- shell: 'grep -v -E "^(myhostname|mydestination|mailbox_command)" /etc/postfix/main.cf | md5sum -'
+ ansible.builtin.shell:
+ cmd: 'grep -v -E "^(myhostname|mydestination|mailbox_command)" /etc/postfix/main.cf | md5sum -'
changed_when: False
check_mode: no
register: default_main_cf
@@ -9,7 +10,7 @@
- postfix
- name: add lines in /etc/.gitignore
- lineinfile:
+ ansible.builtin.lineinfile:
dest: /etc/.gitignore
line: '{{ item }}'
state: present
diff --git a/postfix/tasks/main.yml b/postfix/tasks/main.yml
index d8caf2b2..4ef2858a 100644
--- a/postfix/tasks/main.yml
+++ b/postfix/tasks/main.yml
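Review bot: The `grep ... | md5sum -` pipeline in postfix/tasks/common.yml runs without `set -o pipefail`, so if `/etc/postfix/main.cf` is missing or unreadable the grep failure is masked, the task still succeeds and `default_main_cf.stdout` holds the checksum of empty input rather than an error. packmail.yml in this same commit already uses the safer form `cmd: "set -o pipefail && ..."` together with `executable: /bin/bash`; the same two lines would make this task fail loudly instead. The `md5sum` here is only a change fingerprint for the config file, not a security control, so the algorithm choice itself is fine.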
@@ -1,12 +1,12 @@
---
-- include: common.yml
+- ansible.builtin.include: common.yml
-- include: minimal.yml
+- ansible.builtin.include: minimal.yml
when: not (postfix_packmail | bool)
-- include: packmail.yml
+- ansible.builtin.include: packmail.yml
when: postfix_packmail | bool
-- include: slow_transport.yml
+- ansible.builtin.include: slow_transport.yml
when: postfix_slow_transport_include | bool
diff --git a/postfix/tasks/minimal.yml b/postfix/tasks/minimal.yml
index 970b9dcb..f8ea1b0b 100644
--- a/postfix/tasks/minimal.yml
+++ b/postfix/tasks/minimal.yml
@@ -1,13 +1,13 @@
---
- name: ensure packages are installed
- apt:
+ ansible.builtin.apt:
name: postfix
state: present
tags:
- postfix
- name: create minimal main.cf
- template:
+ ansible.builtin.template:
src: evolinux_main.cf.j2
dest: /etc/postfix/main.cf
owner: root
diff --git a/postfix/tasks/packmail.yml b/postfix/tasks/packmail.yml
index 0407a72b..170dbd35 100644
--- a/postfix/tasks/packmail.yml
+++ b/postfix/tasks/packmail.yml
@@ -1,6 +1,6 @@
---
- name: ensure packages are installed
- apt:
+ ansible.builtin.apt:
name:
- postfix
- postfix-ldap
@@ -11,7 +11,7 @@
- postfix
- name: make /var/lib/mailgraph accessible by www-data
- file:
+ ansible.builtin.file:
path: "/var/lib/mailgraph"
state: directory
owner: www-data
@@ -19,13 +19,13 @@
mode: '0755'
- name: make sure a service Mailgraph is running
- systemd:
+ ansible.builtin.systemd:
name: mailgraph.service
state: started
enabled: true
- name: create packmail main.cf
- template:
+ ansible.builtin.template:
src: packmail_main.cf.j2
dest: /etc/postfix/main.cf
owner: root
@@ -38,7 +38,7 @@
- postfix
- name: deploy packmail master.cf
- template:
+ ansible.builtin.template:
src: packmail_master.cf.j2
dest: /etc/postfix/master.cf
mode: "0644"
@@ -47,7 +47,7 @@
- postfix
- name: copy default filter files
- copy:
+ ansible.builtin.copy:
src: filter
dest: "/etc/postfix/{{ item }}"
force: no
@@ -68,7 +68,8 @@
- postfix
- name: postmap filter files
- command: "postmap /etc/postfix/{{ item }}"
+ ansible.builtin.command:
+ cmd: "postmap /etc/postfix/{{ item }}"
loop:
- virtual
- client.access
@@ -86,7 +87,7 @@
- postfix
- name: deploy ldap postfix config
- template:
+ ansible.builtin.template:
src: "{{ item }}.j2"
dest: "/etc/postfix/{{ item }}"
mode: "0644"
@@ -98,13 +99,13 @@
tags:
- postfix
-- include_role:
+- ansible.builtin.include_role:
name: evolix/remount-usr
tags:
- postfix
- name: copy spam.sh script
- copy:
+ ansible.builtin.copy:
src: spam.sh
dest: /usr/share/scripts/spam.sh
mode: "0700"
@@ -112,8 +113,8 @@
- postfix
- name: Check if cron is installed
- shell: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'"
- args:
+ ansible.builtin.shell:
+ cmd: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'"
executable: /bin/bash
check_mode: no
failed_when: False
@@ -121,7 +122,7 @@
register: is_cron_installed
- name: enable spam.sh cron
- lineinfile:
+ ansible.builtin.lineinfile:
dest: /etc/cron.d/spam
line: "42 * * * * root /usr/share/scripts/spam.sh"
create: yes
@@ -132,7 +133,8 @@
- postfix
- name: update antispam list
- command: /usr/share/scripts/spam.sh
+ ansible.builtin.command:
+ cmd: /usr/share/scripts/spam.sh
changed_when: False
tags:
- postfix
diff --git a/postfix/tasks/slow_transport.yml b/postfix/tasks/slow_transport.yml
index 2f1867ae..6e42ef1d 100644
--- a/postfix/tasks/slow_transport.yml
+++ b/postfix/tasks/slow_transport.yml
@@ -1,6 +1,6 @@
---
- name: slow transport is defined in master.cf
- lineinfile:
+ ansible.builtin.lineinfile:
dest: /etc/postfix/master.cf
regexp: "^slow "
line: "slow unix - - n - - smtp"
@@ -9,7 +9,7 @@
- postfix
- name: list of providers for slow transport
- lineinfile:
+ ansible.builtin.lineinfile:
dest: /etc/postfix/transport
line: "{{ item }}"
create: yes
diff --git a/postgresql/handlers/main.yml b/postgresql/handlers/main.yml
index 15a773dd..0cb017d4 100644
--- a/postgresql/handlers/main.yml
+++ b/postgresql/handlers/main.yml
@@ -1,26 +1,28 @@
---
- name: restart munin-node
- service:
+ ansible.builtin.service:
name: munin-node
state: restarted
- name: restart nagios-nrpe-server
- service:
+ ansible.builtin.service:
name: nagios-nrpe-server
state: restarted
- name: restart postgresql
- systemd:
+ ansible.builtin.systemd:
name: postgresql
state: restarted
daemon_reload: yes
- name: reload systemd
- systemd:
+ ansible.builtin.systemd:
daemon-reload: yes
- name: Restart minifirewall
- command: /etc/init.d/minifirewall restart
+ ansible.builtin.command:
+ cmd: /etc/init.d/minifirewall restart
- name: reconfigure locales
- command: dpkg-reconfigure -f noninteractive locales
+ ansible.builtin.command:
+ cmd: dpkg-reconfigure -f noninteractive locales
diff --git a/postgresql/tasks/config.yml b/postgresql/tasks/config.yml
index 966f0930..87091b8f 100644
--- a/postgresql/tasks/config.yml
+++ b/postgresql/tasks/config.yml
@@ -1,12 +1,12 @@
---
- name: Ensure /etc/systemd/system/postgresql.service.d exists
- file:
+ ansible.builtin.file:
path: /etc/systemd/system/postgresql@.service.d
state: directory
recurse: true
- name: Override PostgreSQL systemd unit
- copy:
+ ansible.builtin.copy:
src: postgresql.service.override.conf
dest: /etc/systemd/system/postgresql@.service.d/override.conf
force: yes
@@ -16,13 +16,13 @@
- restart postgresql
- name: Allow conf.d/*.conf files to be included in PostgreSQL configuration
- lineinfile:
+ ansible.builtin.lineinfile:
name: "/etc/postgresql/{{ postgresql_version }}/main/postgresql.conf"
line: include_dir = 'conf.d'
notify: restart postgresql
- name: Create conf.d directory
- file:
+ ansible.builtin.file:
name: "/etc/postgresql/{{ postgresql_version }}/main/conf.d/"
state: directory
owner: postgres
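Review bot: In postgresql/tasks/config.yml the task name says `/etc/systemd/system/postgresql.service.d` but the path it creates is `/etc/systemd/system/postgresql@.service.d`, the drop-in directory of the template unit; an operator reading play output would look in the wrong place. Align the name with the path: `- name: Ensure /etc/systemd/system/postgresql@.service.d exists`.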
@@ -30,7 +30,7 @@
mode: "0755"
- name: Copy PostgreSQL config file
- template:
+ ansible.builtin.template:
src: postgresql.conf.j2
dest: "/etc/postgresql/{{ postgresql_version }}/main/conf.d/zz-evolinux.conf"
owner: postgres
@@ -38,4 +38,4 @@
mode: "0644"
notify: restart postgresql
-- meta: flush_handlers
+- ansible.builtin.meta: flush_handlers
diff --git a/postgresql/tasks/locales.yml b/postgresql/tasks/locales.yml
index 8cf70989..30d21001 100644
--- a/postgresql/tasks/locales.yml
+++ b/postgresql/tasks/locales.yml
@@ -1,9 +1,9 @@
---
-- include_role:
+- ansible.builtin.include_role:
name: evolix/remount-usr
- name: select locales to be generated
- locale_gen:
+ community.general.locale_gen:
name: "{{ item }}"
state: present
loop:
@@ -12,7 +12,7 @@
notify: reconfigure locales
- name: set default locale
- lineinfile:
+ ansible.builtin.lineinfile:
dest: "/etc/default/locale"
regexp: "^LANG="
line: "LANG={{ locales_default }}"
diff --git a/postgresql/tasks/logrotate.yml b/postgresql/tasks/logrotate.yml
index f67f407a..55adc5bd 100644
--- a/postgresql/tasks/logrotate.yml
+++ b/postgresql/tasks/logrotate.yml
@@ -1,6 +1,6 @@
---
- name: logrotate configuration
- copy:
+ ansible.builtin.copy:
src: logrotate_postgresql
dest: /etc/logrotate.d/postgresql-common
force: no
diff --git a/postgresql/tasks/munin.yml b/postgresql/tasks/munin.yml
index feb0b678..f826a639 100644
--- a/postgresql/tasks/munin.yml
+++ b/postgresql/tasks/munin.yml
@@ -1,16 +1,16 @@
---
- name: Are Munin plugins present in /etc ?
- stat:
+ ansible.builtin.stat:
path: /etc/munin/plugins
register: etc_munin_plugins
- name: Are Munin plugins present in /usr/share ?
- stat:
+ ansible.builtin.stat:
path: /usr/share/munin/plugins
register: usr_share_munin_plugins
- name: Add Munin plugins for PostgreSQL
- file:
+ ansible.builtin.file:
state: link
src: '/usr/share/munin/plugins/{{ item }}'
dest: '/etc/munin/plugins/{{ item }}'
@@ -24,7 +24,7 @@
when: etc_munin_plugins.stat.exists and usr_share_munin_plugins.stat.exists
- name: Add Munin plugins for PostgreSQL (for specific databases)
- file:
+ ansible.builtin.file:
state: link
src: '/usr/share/munin/plugins/{{ item[0] }}'
dest: '/etc/munin/plugins/{{ item[0] }}{{ item[1] }}'
diff --git a/postgresql/tasks/nrpe.yml b/postgresql/tasks/nrpe.yml
index 833ab1ea..a4d1ef49 100644
--- a/postgresql/tasks/nrpe.yml
+++ b/postgresql/tasks/nrpe.yml
@@ -1,28 +1,29 @@
---
- name: apg package is installed
- apt:
+ ansible.builtin.apt:
name: apg
state: present
- name: Generate random password for nrpe user
- command: apg -n1 -m 12 -M SCNL
+ ansible.builtin.command:
+ cmd: apg -n1 -m 12 -M SCNL
register: postgresql_nrpe_password
changed_when: False
- name: python-psycopg2 is installed (Ansible dependency)
- apt:
+ ansible.builtin.apt:
name: python-psycopg2
state: present
when: ansible_python_version is version('3', '<')
- name: python3-psycopg2 is installed (Ansible dependency)
- apt:
+ ansible.builtin.apt:
name: python3-psycopg2
state: present
when: ansible_python_version is version('3', '>=')
- name: Is nrpe present ?
- stat:
+ ansible.builtin.stat:
path: /etc/nagios/nrpe.d/evolix.cfg
register: nrpe_evolix_config
@@ -30,7 +31,7 @@
- name: Create nrpe user
become: yes
become_user: postgres
- postgresql_user:
+ community.postgresql.postgresql_user:
name: nrpe
password: '{{ postgresql_nrpe_password.stdout }}'
encrypted: yes
@@ -39,7 +40,7 @@
when: nrpe_evolix_config.stat.exists
- name: Add NRPE check
- lineinfile:
+ ansible.builtin.lineinfile:
name: /etc/nagios/nrpe.d/evolix.cfg
regexp: '^command\[check_pgsql\]='
line: 'command[check_pgsql]=/usr/lib/nagios/plugins/check_pgsql -H localhost -l nrpe -p "{{ postgresql_nrpe_password.stdout }}"'
diff --git a/postgresql/tasks/packages_bullseye.yml b/postgresql/tasks/packages_bullseye.yml
index bfbac181..4f42119b 100644
--- a/postgresql/tasks/packages_bullseye.yml
+++ b/postgresql/tasks/packages_bullseye.yml
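Review bot: `postgresql_nrpe_password.stdout` is a plaintext credential that flows from the `apg` task into `community.postgresql.postgresql_user` and into the `lineinfile` line for `evolix.cfg`, and none of the three tasks sets `no_log: true`, so the password appears in verbose output, in `--diff` output of the lineinfile task and in any callback or log aggregation. Add `no_log: true` to those three tasks in nrpe.yml. Separately, the `apg` task runs unconditionally with `changed_when: False`, so each play appears to mint a fresh password and rewrite both the database role and the NRPE command; if that is not intended, generating only when the check line is absent (or taking the password from a vaulted variable) would make the role idempotent.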
@@ -1,15 +1,15 @@
---
- name: "Set variables (Debian 11)"
- set_fact:
+ ansible.builtin.set_fact:
postgresql_version: '13'
when: postgresql_version is none or postgresql_version | length == 0
-- include: pgdg-repo.yml
+- ansible.builtin.include: pgdg-repo.yml
when: postgresql_version != '13'
- name: Install postgresql package
- apt:
+ ansible.builtin.apt:
name:
- "postgresql-{{ postgresql_version }}"
- pgtop
diff --git a/postgresql/tasks/packages_buster.yml b/postgresql/tasks/packages_buster.yml
index 3e8851fb..f35182ba 100644
--- a/postgresql/tasks/packages_buster.yml
+++ b/postgresql/tasks/packages_buster.yml
@@ -1,15 +1,15 @@
---
- name: "Set variables (Debian 10)"
- set_fact:
+ ansible.builtin.set_fact:
postgresql_version: '11'
when: postgresql_version is none or postgresql_version | length == 0
-- include: pgdg-repo.yml
+- ansible.builtin.include: pgdg-repo.yml
when: postgresql_version != '11'
- name: Install postgresql package
- apt:
+ ansible.builtin.apt:
name:
- "postgresql-{{ postgresql_version }}"
- pgtop
diff --git a/postgresql/tasks/packages_jessie.yml b/postgresql/tasks/packages_jessie.yml
index 70b5e181..632ddacb 100644
--- a/postgresql/tasks/packages_jessie.yml
+++ b/postgresql/tasks/packages_jessie.yml
@@ -1,15 +1,15 @@
---
- name: "Set variables (Debian 8)"
- set_fact:
+ ansible.builtin.set_fact:
postgresql_version: '9.4'
when: postgresql_version is none or postgresql_version | length == 0
-- include: pgdg-repo.yml
+- ansible.builtin.include: pgdg-repo.yml
when: postgresql_version != '9.4'
- name: Install postgresql package
- apt:
+ ansible.builtin.apt:
name:
- "postgresql-{{ postgresql_version }}"
- ptop
diff --git a/postgresql/tasks/packages_stretch.yml b/postgresql/tasks/packages_stretch.yml
index 97a71952..494fce3f 100644
--- a/postgresql/tasks/packages_stretch.yml
+++ b/postgresql/tasks/packages_stretch.yml
@@ -1,15 +1,15 @@
---
- name: "Set variables (Debian 9)"
- set_fact:
+ ansible.builtin.set_fact:
postgresql_version: '9.6'
when: postgresql_version is none or postgresql_version | length == 0
-- include: pgdg-repo.yml
+- ansible.builtin.include: pgdg-repo.yml
when: postgresql_version != '9.6'
- name: Install postgresql package
- apt:
+ ansible.builtin.apt:
name:
- "postgresql-{{ postgresql_version }}"
- ptop
diff --git a/postgresql/tasks/pgdg-repo.yml b/postgresql/tasks/pgdg-repo.yml
index 9db20921..e9f25307 100644
--- a/postgresql/tasks/pgdg-repo.yml
+++ b/postgresql/tasks/pgdg-repo.yml
@@ -1,15 +1,15 @@
---
- name: Open firewall for PGDG repository
- replace:
+ ansible.builtin.replace:
name: /etc/default/minifirewall
regexp: "^(HTTPSITES='((?!apt\\.postgresql\\.org|0\\.0\\.0\\.0).)*)'$"
replace: "\\1 apt.postgresql.org'"
notify: Restart minifirewall
-- meta: flush_handlers
+- ansible.builtin.meta: flush_handlers
- name: Add PGDG GPG key
- copy:
+ ansible.builtin.copy:
src: postgresql.asc
dest: "{{ apt_keyring_dir }}/postgresql.asc"
force: yes
@@ -18,7 +18,7 @@
group: root
- name: Add PGDG repository (Debian <12)
- apt_repository:
+ ansible.builtin.apt_repository:
repo: "deb [signed-by={{ apt_keyring_dir }}/postgresql.asc] http://apt.postgresql.org/pub/repos/apt/ {{ ansible_distribution_release }}-pgdg main"
filename: postgresql
update_cache: yes
@@ -38,7 +38,7 @@
when: elastic_sources is changed
- name: Add APT preference file
- template:
+ ansible.builtin.template:
src: postgresql.pref.j2
dest: /etc/apt/preferences.d/postgresql.pref
mode: "0644"
diff --git a/postgresql/tasks/postgis.yml b/postgresql/tasks/postgis.yml
index dbd511e9..ea50fc61 100644
--- a/postgresql/tasks/postgis.yml
+++ b/postgresql/tasks/postgis.yml
@@ -1,6 +1,6 @@
---
- name: Install PostGIS extention
- apt:
+ ansible.builtin.apt:
name:
- postgis
- "postgresql-{{ postgresql_version }}-postgis-2.5"
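Review bot: `when: elastic_sources is changed` in pgdg-repo.yml gates a task on a variable that, going by its name, belongs to an elastic role rather than to this PostgreSQL file, which looks like a copy-paste leftover; the `apt_repository` task above is the natural source of that result, but its `register:` line is outside the hunk so I cannot confirm what name it uses. If the registered name is different, the condition should reference it, and if `elastic_sources` is undefined on a host this condition presumably errors rather than skipping. The line is context here, untouched by the FQCN migration.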
diff --git a/postgresql/tests/test.yml b/postgresql/tests/test.yml
index 88714dd1..5472e972 100644
--- a/postgresql/tests/test.yml
+++ b/postgresql/tests/test.yml
@@ -3,13 +3,13 @@
pre_tasks:
- name: Install locales
- apt:
+ ansible.builtin.apt:
name: locales
state: present
changed_when: False
- name: Setting default locales
- lineinfile:
+ ansible.builtin.lineinfile:
dest: /etc/locale.gen
line: "{{ item }}"
create: yes
@@ -22,7 +22,8 @@
register: test_locales
- name: Reconfigure locales
- command: /usr/sbin/locale-gen
+ ansible.builtin.command:
+ cmd: /usr/sbin/locale-gen
changed_when: False
when: test_locales is changed
diff --git a/proftpd/handlers/main.yml b/proftpd/handlers/main.yml
index 0914d289..2b320f4a 100644
--- a/proftpd/handlers/main.yml
+++ b/proftpd/handlers/main.yml
@@ -1,5 +1,5 @@
---
- name: restart proftpd
- service:
+ ansible.builtin.service:
name: proftpd
state: restarted
diff --git a/proftpd/tasks/account.yml b/proftpd/tasks/account.yml
index cfe82156..4ad009e2 100644
--- a/proftpd/tasks/account.yml
+++ b/proftpd/tasks/account.yml
@@ -1,6 +1,7 @@
---
- name: Check if FTP account exist
- command: grep "^{{ proftpd_name }}:" /etc/proftpd/vpasswd
+ ansible.builtin.command:
+ cmd: grep "^{{ proftpd_name }}:" /etc/proftpd/vpasswd
failed_when: False
check_mode: no
changed_when: check_ftp_account.rc != 0
@@ -9,7 +10,8 @@
- proftpd
- name: Generate FTP password
- command: apg -n1
+ ansible.builtin.command:
+ cmd: apg -n1
register: ftp_password
check_mode: no
when: check_ftp_account.rc != 0
@@ -17,14 +19,14 @@
- proftpd
- name: Print generated password
- debug:
+ ansible.builtin.debug:
msg: "{{ ftp_password.stdout }}"
when: check_ftp_account.rc != 0
tags:
- proftpd
- name: Hash generated FTP password
- set_fact:
+ ansible.builtin.set_fact:
proftpd_password: "{{ ftp_password.stdout | password_hash('sha512') }}"
check_mode: no
when: check_ftp_account.rc != 0
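Review bot: `cmd: grep "^{{ proftpd_name }}:" /etc/proftpd/vpasswd` in account.yml is still split into arguments by the command module after templating, so an account name containing whitespace or a double quote changes the argument vector rather than the grep pattern (no shell is involved here, so this is a robustness issue rather than an injection path). The list form keeps the templated value as one argument: `argv: ["grep", "^{{ proftpd_name }}:", "/etc/proftpd/vpasswd"]`. accounts_password.yml in this commit has the same `cmd:` line with `item.name`.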
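Review bot: The `apg -n1` task in account.yml registers the plaintext FTP password in `ftp_password` without `no_log: true`, so it is echoed in verbose output and callbacks even before the deliberate "Print generated password" debug task shows it to the operator. Adding `no_log: true` to the generate task and to the `set_fact` that hashes it keeps the secret out of logs while the explicit debug still prints it on purpose.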
@@ -32,7 +34,8 @@ - proftpd - name: Get current FTP password - shell: grep "^{{ proftpd_name }}:" /etc/proftpd/vpasswd | cut -d':' -f2 + ansible.builtin.shell: + cmd: grep "^{{ proftpd_name }}:" /etc/proftpd/vpasswd | cut -d':' -f2 register: hashed_ftp_password check_mode: no when: check_ftp_account.rc == 0 @@ -41,7 +44,7 @@ - proftpd - name: Get current FTP password - set_fact: + ansible.builtin.set_fact: proftpd_password: "{{ hashed_ftp_password.stdout }}" check_mode: no when: check_ftp_account.rc == 0 @@ -50,7 +53,7 @@ - proftpd - name: Create FTP account - lineinfile: + ansible.builtin.lineinfile: dest: /etc/proftpd/vpasswd state: present create: yes @@ -61,7 +64,7 @@ - proftpd - name: Allow FTP account - lineinfile: + ansible.builtin.lineinfile: dest: /etc/proftpd/conf.d/z-evolinux.conf state: present line: " AllowUser {{ proftpd_name }}" diff --git a/proftpd/tasks/accounts.yml b/proftpd/tasks/accounts.yml index b5cc5e85..99b036c9 100644 --- a/proftpd/tasks/accounts.yml +++ b/proftpd/tasks/accounts.yml @@ -1,11 +1,11 @@ --- -- include: accounts_password.yml +- ansible.builtin.include: accounts_password.yml when: item.password is undefined loop: "{{ proftpd_accounts }}" tags: - proftpd -- set_fact: +- ansible.builtin.set_fact: proftpd_accounts_final: "{{ proftpd_accounts_final + [ item ] }}" when: item.password is defined loop: "{{ proftpd_accounts }}" @@ -13,7 +13,7 @@ - proftpd - name: Create FTP account - lineinfile: + ansible.builtin.lineinfile: dest: /etc/proftpd/vpasswd state: present create: yes @@ -26,7 +26,7 @@ - proftpd - name: Allow FTP account (FTP) - lineinfile: + ansible.builtin.lineinfile: dest: /etc/proftpd/conf.d/z-evolinux.conf state: present line: "\tAllowUser {{ item.name }}" @@ -38,7 +38,7 @@ - proftpd - name: Allow FTP account (FTPS) - lineinfile: + ansible.builtin.lineinfile: dest: /etc/proftpd/conf.d/ftps.conf state: present line: "\tAllowUser {{ item.name }}" 
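Review bot: `cmd: grep "^{{ proftpd_name }}:" /etc/proftpd/vpasswd | cut -d':' -f2` runs under `ansible.builtin.shell`, so any shell metacharacter in `proftpd_name` becomes part of the command line rather than part of the grep pattern, and nothing in the hunk shows the variable being validated. Passing the pattern through the `quote` filter, `cmd: grep {{ ('^' ~ proftpd_name ~ ':') | quote }} /etc/proftpd/vpasswd | cut -d':' -f2`, keeps it a single argument whatever it contains. proftpd/tasks/accounts_password.yml has the same construction with `item.name`. The sibling `ansible.builtin.command` grep above is not affected, because `command` does not go through a shell.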
@@ -50,7 +50,7 @@ - proftpd - name: Allow FTP account (SFTP) - lineinfile: + ansible.builtin.lineinfile: dest: /etc/proftpd/conf.d/sftp.conf state: present line: "\tAllowUser {{ item.name }}" @@ -62,7 +62,7 @@ - proftpd - name: Allow keys for SFTP account - template: + ansible.builtin.template: dest: "/etc/proftpd/sftp.authorized_keys/{{ _proftpd_account.name }}" src: authorized_keys.j2 mode: 0644 diff --git a/proftpd/tasks/accounts_password.yml b/proftpd/tasks/accounts_password.yml index 3ae37c88..0b986f39 100644 --- a/proftpd/tasks/accounts_password.yml +++ b/proftpd/tasks/accounts_password.yml @@ -1,6 +1,7 @@ --- - name: Check if FTP account exist - command: grep "^{{ item.name }}:" /etc/proftpd/vpasswd + ansible.builtin.command: + cmd: grep "^{{ item.name }}:" /etc/proftpd/vpasswd failed_when: False check_mode: no changed_when: check_ftp_account.rc != 0 @@ -9,13 +10,14 @@ - block: - name: Get current FTP password - shell: grep "^{{ item.name }}:" /etc/proftpd/vpasswd | cut -d':' -f2 + ansible.builtin.shell: + cmd: grep "^{{ item.name }}:" /etc/proftpd/vpasswd | cut -d':' -f2 register: protftpd_cur_password check_mode: no changed_when: False - name: Set password for this account - set_fact: + ansible.builtin.set_fact: protftpd_password: "{{ protftpd_cur_password.stdout }}" when: check_ftp_account.rc == 0 
@@ -23,20 +25,21 @@ - block: - name: Generate FTP password - command: "apg -n 1 -m 16 -M lcN" + ansible.builtin.command: + cmd: "apg -n 1 -m 16 -M lcN" register: proftpd_apg_password check_mode: no - name: Print generated password - debug: + ansible.builtin.debug: msg: "{{ proftpd_apg_password.stdout }}" - name: Hash generated password - set_fact: + ansible.builtin.set_fact: protftpd_password: "{{ proftpd_apg_password.stdout | password_hash('sha512') }}" when: check_ftp_account.rc != 0 - name: Update proftpd_accounts with password - set_fact: + ansible.builtin.set_fact: proftpd_accounts_final: "{{ proftpd_accounts_final + [ item | combine({ 'password': protftpd_password }) ] }}" diff --git a/proftpd/tasks/main.yml b/proftpd/tasks/main.yml index 3afc69cb..ce292ad5 100644 --- a/proftpd/tasks/main.yml +++ b/proftpd/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: package is installed - apt: + ansible.builtin.apt: name: proftpd-basic state: present tags: @@ -8,7 +8,8 @@ - packages - name: ftpusers groupe exists - group: + + ansible.builtin.group: name: ftpusers state: present notify: restart proftpd @@ -16,7 +17,7 @@ - proftpd - name: FTP jail is installed - template: + ansible.builtin.template: src: evolinux.conf.j2 dest: /etc/proftpd/conf.d/z-evolinux.conf mode: "0644" @@ -27,7 +28,7 @@ - proftpd - name: FTPS jail is installed - template: + ansible.builtin.template: src: ftps.conf.j2 dest: /etc/proftpd/conf.d/ftps.conf mode: "0644" @@ -38,7 +39,7 @@ - proftpd - name: SFTP jail is installed - template: + ansible.builtin.template: src: sftp.conf.j2 dest: /etc/proftpd/conf.d/sftp.conf mode: "0644" @@ -49,7 +50,7 @@ - proftpd - name: SFTP key folder exists if needed - file: + ansible.builtin.file: path: /etc/proftpd/sftp.authorized_keys/ state: directory mode: "0755" 
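Review bot: An empty line has been introduced in proftpd/tasks/main.yml between `- name: ftpusers groupe exists` and `ansible.builtin.group:`, which YAML tolerates but which visually detaches the module from its task and is inconsistent with every other task in this series. The same stray blank line appears in redis/tasks/instance-server.yml under `- name: "Instance '{{ redis_instance_name }}' group is present"`. Dropping it in both places restores the usual `name:` followed directly by the module key.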
@@ -63,7 +64,7 @@ - proftpd - name: mod_tls_memcache is disabled - replace: + ansible.builtin.replace: dest: /etc/proftpd/modules.conf regexp: '^LoadModule mod_tls_memcache.c' replace: '#LoadModule mod_tls_memcache.c' @@ -72,7 +73,7 @@ - proftpd - name: Put empty vpasswd file if missing - copy: + ansible.builtin.copy: src: vpasswd dest: /etc/proftpd/vpasswd force: no @@ -84,7 +85,7 @@ # So, readonly when opened with vim. # Then readable by group. - name: Enforce permissions on password file - file: + ansible.builtin.file: path: /etc/proftpd/vpasswd mode: "0440" owner: root @@ -93,5 +94,5 @@ tags: - proftpd -- include: accounts.yml +- ansible.builtin.include: accounts.yml when: proftpd_accounts | length > 0 diff --git a/rabbitmq/handlers/main.yml b/rabbitmq/handlers/main.yml index 9f73baa6..ecd03471 100644 --- a/rabbitmq/handlers/main.yml +++ b/rabbitmq/handlers/main.yml @@ -1,15 +1,15 @@ --- - name: restart rabbitmq - service: + ansible.builtin.service: name: rabbitmq-server state: restarted - name: restart nagios-nrpe-server - service: + ansible.builtin.service: name: nagios-nrpe-server state: restarted - name: restart munin-node - service: + ansible.builtin.service: name: munin-node state: restarted diff --git a/rabbitmq/tasks/main.yml b/rabbitmq/tasks/main.yml index a3438adc..f485bc1f 100644 --- a/rabbitmq/tasks/main.yml +++ b/rabbitmq/tasks/main.yml @@ -1,10 +1,10 @@ - name: Install packages - apt: + ansible.builtin.apt: name: rabbitmq-server state: present - name: Create rabbitmq-env.conf - copy: + ansible.builtin.copy: src: evolinux-rabbitmq-env.conf dest: /etc/rabbitmq/rabbitmq-env.conf owner: rabbitmq @@ -13,7 +13,7 @@ force: no - name: Create rabbitmq.config - copy: + ansible.builtin.copy: src: evolinux-rabbitmq.config dest: /etc/rabbitmq/rabbitmq.config owner: rabbitmq 
@@ -22,34 +22,34 @@ force: no - name: Adjust ulimit - lineinfile: + ansible.builtin.lineinfile: dest: /etc/default/rabbitmq-server line: ulimit -n 2048 - name: is NRPE present ? - stat: + ansible.builtin.stat: path: /etc/nagios/nrpe.d/evolix.cfg check_mode: no register: nrpe_evolix_config tags: - nrpe -- include: nrpe.yml +- ansible.builtin.include: nrpe.yml when: nrpe_evolix_config.stat.exists - name: is Munin present ? - stat: + ansible.builtin.stat: path: /etc/munin check_mode: no register: etc_munin_directory tags: - nrpe -- include: munin.yml +- ansible.builtin.include: munin.yml when: etc_munin_directory.stat.exists - name: entry for RabbitMQ in web page is present - lineinfile: + ansible.builtin.lineinfile: dest: /var/www/index.html insertbefore: '' line: '
  • RabbitMQ
  • ' diff --git a/rabbitmq/tasks/munin.yml b/rabbitmq/tasks/munin.yml index cb872391..63ad5a15 100644 --- a/rabbitmq/tasks/munin.yml +++ b/rabbitmq/tasks/munin.yml @@ -1,13 +1,13 @@ --- -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr tags: - rabbitmq - munin - name: Create local munin directory - file: + ansible.builtin.file: name: /usr/local/share/munin/ state: directory mode: "0755" @@ -16,7 +16,7 @@ - munin - name: Create local plugins directory - file: + ansible.builtin.file: name: /usr/local/share/munin/plugins/ state: directory mode: "0755" @@ -25,7 +25,7 @@ - munin - name: Copy rabbitmq_connections munin plugin - copy: + ansible.builtin.copy: src: rabbitmq_connections dest: /usr/local/share/munin/plugins/rabbitmq_connections mode: "0755" @@ -35,7 +35,7 @@ - munin - name: Enable rabbitmq_connections munin plugin - file: + ansible.builtin.file: src: /usr/local/share/munin/plugins/rabbitmq_connections dest: "/etc/munin/plugins/rabbitmq_connections" state: link diff --git a/rabbitmq/tasks/nrpe.yml b/rabbitmq/tasks/nrpe.yml index b2f2a3a8..f491a68c 100644 --- a/rabbitmq/tasks/nrpe.yml +++ b/rabbitmq/tasks/nrpe.yml @@ -1,23 +1,23 @@ --- - name: python-requests is installed (check_rabbitmq dependency) - apt: + ansible.builtin.apt: name: python-requests state: present when: ansible_python_version is version('3', '<') - name: python3-requests is installed (check_rabbitmq dependency) - apt: + ansible.builtin.apt: name: python3-requests state: present when: ansible_python_version is version('3', '>=') -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr # https://raw.githubusercontent.com/CaptPhunkosis/check_rabbitmq/master/check_rabbitmq - name: check_rabbitmq is installed - copy: + ansible.builtin.copy: src: check_rabbitmq dest: /usr/local/lib/nagios/plugins/check_rabbitmq owner: root 
@@ -27,7 +27,7 @@ when: ansible_distribution_major_version is version('11', '<=') - name: check_rabbitmq (Python 3 version) is installed - copy: + ansible.builtin.copy: src: check_rabbitmq.python3 dest: /usr/local/lib/nagios/plugins/check_rabbitmq owner: root @@ -37,14 +37,14 @@ when: ansible_distribution_major_version is version('11', '>=') - name: check_rabbitmq is available for NRPE - lineinfile: + ansible.builtin.lineinfile: dest: /etc/nagios/nrpe.d/evolix.cfg regexp: 'command\[check_rab_connection_count\]' line: 'command[check_rab_connection_count]=sudo /usr/local/lib/nagios/plugins/check_rabbitmq -a connection_count -C {{ rabbitmq_connections_critical }} -W {{ rabbitmq_connections_warning }}' notify: restart nagios-nrpe-server - name: sudo without password for nagios - lineinfile: + ansible.builtin.lineinfile: dest: /etc/sudoers.d/evolinux regexp: 'check_rabbitmq' line: 'nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_rabbitmq' diff --git a/rbenv/tasks/main.yml b/rbenv/tasks/main.yml index 8294cfdc..4362c5db 100644 --- a/rbenv/tasks/main.yml +++ b/rbenv/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: "Rbenv dependencies are installed" - apt: + ansible.builtin.apt: name: - build-essential - git @@ -19,7 +19,7 @@ - packages - name: "gemrc for {{ username }}" - copy: + ansible.builtin.copy: src: gemrc dest: "~{{ username }}/.gemrc" owner: '{{ username }}' @@ -28,7 +28,7 @@ - rbenv - name: "Rbenv repository is checked out for {{ username }}" - git: + ansible.builtin.git: repo: '{{ rbenv_repo }}' dest: '{{ rbenv_root }}' version: '{{ rbenv_version }}' @@ -40,7 +40,7 @@ - rbenv - name: "default gems are installed for {{ username }}" - lineinfile: + ansible.builtin.lineinfile: dest: '{{ rbenv_root }}/default-gems' line: "{{ item }}" owner: '{{ username }}' @@ -53,7 +53,7 @@ - rbenv - name: "plugins directory for {{ username }}" - file: + ansible.builtin.file: path: '{{ rbenv_root }}/plugins' state: directory become_user: "{{ username }}" 
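Review bot: The `sudo without password for nagios` task in rabbitmq/tasks/nrpe.yml edits /etc/sudoers.d/evolinux with `ansible.builtin.lineinfile` and no `validate:`; a syntax error in that file disables sudo for every user on the host, and the module only catches it if asked. `validate: '/usr/sbin/visudo -cf %s'` makes lineinfile write the file only when visudo accepts it. The three `sudo without password for nagios` tasks in redis/tasks/nrpe.yml would benefit from the same line.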
@@ -62,7 +62,7 @@ - rbenv - name: "plugins are installed for {{ username }}" - git: + ansible.builtin.git: repo: '{{ item.repo }}' dest: '{{ rbenv_root }}/plugins/{{ item.name }}' version: '{{ item.version }}' @@ -75,7 +75,7 @@ - rbenv - name: "Rbenv is initialized in profile for {{ username }}" - blockinfile: + ansible.builtin.blockinfile: dest: '~{{ username }}/.profile' marker: "# {mark} ANSIBLE MANAGED RBENV INIT" block: | @@ -87,7 +87,8 @@ - rbenv - name: "is Ruby {{ rbenv_ruby_version }} available for {{ username }} ?" - shell: /bin/bash -lc "rbenv versions | grep {{ rbenv_ruby_version }}" + ansible.builtin.shell: + cmd: /bin/bash -lc "rbenv versions | grep {{ rbenv_ruby_version }}" failed_when: False changed_when: False check_mode: False @@ -98,7 +99,8 @@ - rbenv - name: "Ruby {{ rbenv_ruby_version }} is available for {{ username }} (be patient... could be long)" - shell: /bin/bash -lc "TMPDIR=~/tmp rbenv install {{ rbenv_ruby_version }}" + ansible.builtin.shell: + cmd: /bin/bash -lc "TMPDIR=~/tmp rbenv install {{ rbenv_ruby_version }}" when: ruby_installed.rc != 0 become_user: "{{ username }}" become: yes @@ -106,7 +108,8 @@ - rbenv - name: "is Ruby {{ rbenv_ruby_version }} selected for {{ username }} ?" - shell: /bin/bash -lc "rbenv version | cut -d ' ' -f 1 | grep -Fx '{{ rbenv_ruby_version }}'" + ansible.builtin.shell: + cmd: /bin/bash -lc "rbenv version | cut -d ' ' -f 1 | grep -Fx '{{ rbenv_ruby_version }}'" register: ruby_selected changed_when: False failed_when: False @@ -117,7 +120,8 @@ - rbenv - name: "select Ruby {{ rbenv_ruby_version }} for {{ username }}" - shell: /bin/bash -lc "rbenv global {{ rbenv_ruby_version }} && rbenv rehash" + ansible.builtin.shell: + cmd: /bin/bash -lc "rbenv global {{ rbenv_ruby_version }} && rbenv rehash" when: ruby_selected.rc != 0 become_user: "{{ username }}" become: yes diff --git a/redis/handlers/main.yml b/redis/handlers/main.yml index 6d870b39..73a7a09d 100644 --- a/redis/handlers/main.yml 
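Review bot: `cmd: /bin/bash -lc "rbenv versions | grep {{ rbenv_ruby_version }}"` tests availability with an unanchored, unescaped grep, so `rbenv_ruby_version: 2.7` is also satisfied by an installed 2.7.1 or 12.7.0 and the install task keyed on `ruby_installed.rc` is skipped; the later `is Ruby … selected` check already uses `grep -Fx` for exactly this reason. `cmd: /bin/bash -lc "rbenv versions --bare | grep -Fx '{{ rbenv_ruby_version }}'"` compares whole version names. Where `ruby_installed` is registered lies outside this hunk.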
+++ b/redis/handlers/main.yml @@ -1,30 +1,30 @@ --- - name: restart redis - systemd: + ansible.builtin.systemd: name: "{{ redis_systemd_name }}" state: restarted - name: restart redis (noop) - meta: noop + ansible.builtin.meta: noop failed_when: False changed_when: False - name: restart munin-node - service: + ansible.builtin.service: name: munin-node state: restarted - name: restart nagios-nrpe-server - service: + ansible.builtin.service: name: nagios-nrpe-server state: restarted - name: restart log2mail - service: + ansible.builtin.service: name: log2mail state: restarted - name: restart sysfsutils - service: + ansible.builtin.service: name: sysfsutils state: restarted diff --git a/redis/tasks/default-log2mail.yml b/redis/tasks/default-log2mail.yml index 3c50cab7..55466e16 100644 --- a/redis/tasks/default-log2mail.yml +++ b/redis/tasks/default-log2mail.yml @@ -1,7 +1,7 @@ --- - name: log2mail config is present - blockinfile: + ansible.builtin.blockinfile: dest: /etc/log2mail/config/redis.conf owner: log2mail group: adm @@ -19,7 +19,7 @@ - log2mail - name: log2mail user is in redis group - user: + ansible.builtin.user: name: log2mail groups: redis append: yes diff --git a/redis/tasks/default-munin.yml b/redis/tasks/default-munin.yml index 1c9ab759..44c45011 100644 --- a/redis/tasks/default-munin.yml +++ b/redis/tasks/default-munin.yml @@ -1,18 +1,18 @@ --- - name: Install munin check dependencies - apt: + ansible.builtin.apt: name: libswitch-perl state: present tags: - redis -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr tags: - redis - name: Create plugin directory - file: + ansible.builtin.file: name: /usr/local/share/munin/ state: directory mode: "0755" @@ -20,7 +20,7 @@ - redis - name: Create plugin directory - file: + ansible.builtin.file: name: /usr/local/share/munin/plugins/ state: directory mode: "0755" 
@@ -28,7 +28,7 @@ - redis - name: Copy redis munin plugin - copy: + ansible.builtin.copy: src: munin_redis dest: /usr/local/share/munin/plugins/redis_ mode: "0755" @@ -37,7 +37,7 @@ - redis - name: Enable redis munin plugin - file: + ansible.builtin.file: src: /usr/local/share/munin/plugins/redis_ dest: "/etc/munin/plugins/redis_{{ plugin_name }}" state: link @@ -56,14 +56,15 @@ - redis - name: Count redis condif blocks in munin-node configuration - command: grep -c "\[redis_" /etc/munin/plugin-conf.d/munin-node + ansible.builtin.command: + cmd: grep -c "\[redis_" /etc/munin/plugin-conf.d/munin-node register: munin_redis_blocs_in_config failed_when: False changed_when: False check_mode: no - name: Add redis password for munin (if no more than 1 config block) - ini_file: + community.general.ini_file: dest: /etc/munin/plugin-conf.d/munin-node section: 'redis_*' option: env.password @@ -77,7 +78,7 @@ - name: Warn if multiple instance in munin-plugins configuration - debug: + ansible.builtin.debug: msg: "WARNING - It seems you have multiple redis sections in your munin-node configuration - Munin config NOT changed" when: - redis_password is not none diff --git a/redis/tasks/default-server.yml b/redis/tasks/default-server.yml index 10b4d382..89a664e6 100644 --- a/redis/tasks/default-server.yml +++ b/redis/tasks/default-server.yml @@ -1,7 +1,7 @@ --- - name: Redis is configured. - template: + ansible.builtin.template: src: redis.conf.j2 dest: "{{ redis_conf_dir }}/redis.conf" mode: "0640" @@ -12,7 +12,7 @@ - redis - name: Config directory permissions are set - file: + ansible.builtin.file: dest: "{{ redis_conf_dir }}" mode: "0750" owner: redis @@ -21,7 +21,7 @@ - redis - name: Redis is running and enabled on boot. - systemd: + ansible.builtin.systemd: name: "{{ redis_systemd_name }}" enabled: yes state: started diff --git a/redis/tasks/instance-log2mail.yml b/redis/tasks/instance-log2mail.yml index a20e1a0a..c57e5745 100644 --- a/redis/tasks/instance-log2mail.yml 
+++ b/redis/tasks/instance-log2mail.yml @@ -1,7 +1,7 @@ --- - name: log2mail config is present - blockinfile: + ansible.builtin.blockinfile: dest: /etc/log2mail/config/redis.conf owner: log2mail group: adm diff --git a/redis/tasks/instance-munin.yml b/redis/tasks/instance-munin.yml index 72865e98..3d2274e7 100644 --- a/redis/tasks/instance-munin.yml +++ b/redis/tasks/instance-munin.yml @@ -1,18 +1,18 @@ --- - name: Install munin check dependencies - apt: + ansible.builtin.apt: name: libswitch-perl state: present tags: - redis -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr tags: - redis - name: Create plugin directory - file: + ansible.builtin.file: name: /usr/local/share/munin/ state: directory mode: "0755" @@ -20,7 +20,7 @@ - redis - name: Create plugin directory - file: + ansible.builtin.file: name: /usr/local/share/munin/plugins/ state: directory mode: "0755" @@ -28,7 +28,7 @@ - redis - name: Copy redis munin plugin - copy: + ansible.builtin.copy: src: munin_redis dest: /usr/local/share/munin/plugins/redis_ mode: "0755" @@ -37,7 +37,7 @@ - redis - name: Enable redis munin plugin - file: + ansible.builtin.file: src: /usr/local/share/munin/plugins/redis_ dest: "/etc/munin/plugins/{{ redis_instance_name }}_redis_{{ plugin_name }}" state: link @@ -56,7 +56,7 @@ - redis - name: Configure redis plugin for munin - template: + ansible.builtin.template: src: templates/munin-plugin-instances.conf.j2 dest: '/etc/munin/plugin-conf.d/evolinux.redis_{{ redis_instance_name }}' mode: "0740" diff --git a/redis/tasks/instance-server.yml b/redis/tasks/instance-server.yml index 3f70733e..42dc1876 100644 --- a/redis/tasks/instance-server.yml +++ b/redis/tasks/instance-server.yml 
@@ -1,14 +1,15 @@ --- - name: Verify Redis port - assert: + ansible.builtin.assert: that: - redis_port | int != 6379 msg: "If you want to use port 6379, use the default instance, not a named instance." when: not (redis_force_instance_port | bool) - name: "Instance '{{ redis_instance_name }}' group is present" - group: + + ansible.builtin.group: name: "redis-{{ redis_instance_name }}" state: present system: True @@ -16,7 +17,7 @@ - redis - name: "Instance '{{ redis_instance_name }}' user is present" - user: + ansible.builtin.user: name: "redis-{{ redis_instance_name }}" group: "redis-{{ redis_instance_name }}" state: present @@ -26,7 +27,7 @@ - redis - name: "Instance '{{ redis_instance_name }}' config directory is present" - file: + ansible.builtin.file: dest: "{{ redis_conf_dir }}" mode: "0750" owner: "redis-{{ redis_instance_name }}" @@ -37,7 +38,7 @@ - redis - name: "Instance '{{ redis_instance_name }}' config hooks directories are present" - file: + ansible.builtin.file: dest: "{{ _dir }}" mode: "0750" owner: "redis-{{ redis_instance_name }}" @@ -58,7 +59,8 @@ - redis - name: "Instance '{{ redis_instance_name }}' hooks examples are present" - command: "cp -a /etc/redis/{{ _dir }}/00_example {{ redis_conf_dir }}/{{ _dir }}" + ansible.builtin.command: + cmd: "cp -a /etc/redis/{{ _dir }}/00_example {{ redis_conf_dir }}/{{ _dir }}" args: creates: "{{ redis_conf_dir }}/{{ _dir }}/00_example" loop: @@ -75,7 +77,7 @@ - redis - name: "Instance '{{ redis_instance_name }}' socket/pid directories are present" - file: + ansible.builtin.file: dest: "{{ _dir }}" mode: "0755" owner: "redis-{{ redis_instance_name }}" @@ -91,7 +93,7 @@ - redis - name: "Instance '{{ redis_instance_name }}' data/log directories are present" - file: + ansible.builtin.file: dest: "{{ _dir }}" mode: "0751" owner: "redis-{{ redis_instance_name }}" 
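Review bot: In the `hooks examples are present` task, `cmd:` is now a parameter of `ansible.builtin.command` while `creates:` stays under `args:`; both forms work, but splitting the module's own parameters across two places makes the idempotence guard easy to miss when reading the task. Placing `creates: "{{ redis_conf_dir }}/{{ _dir }}/00_example"` directly under `cmd:` at the same level keeps the guard next to the command it protects. The `loop:` of this task continues outside the hunk.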
@@ -107,7 +109,7 @@ - redis - name: "Instance '{{ redis_instance_name }}' log file are present" - file: + ansible.builtin.file: path: "{{ redis_log_dir }}/redis-server.log" mode: "660" owner: "redis-{{ redis_instance_name }}" @@ -118,7 +120,7 @@ - name: "Instance '{{ redis_instance_name }}' configuration file is present" - template: + ansible.builtin.template: src: redis.conf.j2 dest: "{{ redis_conf_dir }}/redis.conf" mode: "0640" @@ -129,7 +131,7 @@ - redis - name: Systemd template for redis instances is installed (Debian 8) - template: + ansible.builtin.template: src: 'redis-server@jessie.service.j2' dest: '/etc/systemd/system/redis-server@.service' mode: "0644" @@ -142,7 +144,7 @@ - redis - name: Systemd template for redis instances is installed (Debian 9) - template: + ansible.builtin.template: src: 'redis-server@stretch.service.j2' dest: '/etc/systemd/system/redis-server@.service' mode: "0644" @@ -155,7 +157,7 @@ - redis - name: Systemd template for redis instances is installed (Debian 10 or later) - template: + ansible.builtin.template: src: 'redis-server@buster.service.j2' dest: '/etc/systemd/system/redis-server@.service' mode: "0644" @@ -168,7 +170,7 @@ - redis - name: "Instance '{{ redis_instance_name }}' systemd unit is enabled and started" - systemd: + ansible.builtin.systemd: name: "{{ redis_systemd_name }}" enabled: yes state: started @@ -177,7 +179,7 @@ - redis - name: Redis SysVinit script is stopped and disabled - service: + ansible.builtin.service: name: "redis-server" enabled: no state: stopped diff --git a/redis/tasks/main.yml b/redis/tasks/main.yml index 24315b42..1077811b 100644 --- a/redis/tasks/main.yml +++ b/redis/tasks/main.yml 
@@ -1,10 +1,10 @@ --- -- set_fact: +- ansible.builtin.set_fact: redis_restart_handler_name: "{{ redis_restart_if_needed | bool | ternary('restart redis', 'restart redis (noop)') }}" - name: Linux kernel overcommit memory setting is enabled - sysctl: + ansible.posix.sysctl: name: "vm.overcommit_memory" value: "1" sysctl_file: "/etc/sysctl.d/evolinux-redis.conf" @@ -12,11 +12,11 @@ reload: yes - name: Customize Kernel Transparent Huge Page - include: thp.yml + ansible.builtin.include: thp.yml when: redis_sysctl_transparent_hugepage_enabled is not none - name: Redis is installed - apt: + ansible.builtin.apt: name: - redis-server - redis-tools @@ -26,7 +26,7 @@ - packages - name: Redis Sentinel is installed - apt: + ansible.builtin.apt: name: "redis-sentinel" state: present tags: @@ -35,21 +35,22 @@ when: redis_sentinel_install | bool - name: Get Redis version - shell: "redis-server -v | grep -Eo '(v=\\S+)' | cut -d'=' -f 2 | grep -E '^([0-9]|\\.)+$'" + ansible.builtin.shell: + cmd: "redis-server -v | grep -Eo '(v=\\S+)' | cut -d'=' -f 2 | grep -E '^([0-9]|\\.)+$'" changed_when: False check_mode: no register: _redis_installed_version tags: - redis -- set_fact: +- ansible.builtin.set_fact: redis_installed_version: "{{ _redis_installed_version.stdout }}" check_mode: no tags: - redis - name: set variables for default mode - set_fact: + ansible.builtin.set_fact: redis_conf_dir: "{{ redis_conf_dir_prefix }}" redis_socket_dir: "{{ redis_socket_dir_prefix }}" redis_pid_dir: "{{ redis_pid_dir_prefix }}" @@ -58,7 +59,7 @@ when: redis_instance_name is not defined - name: set variables for instance mode - set_fact: + ansible.builtin.set_fact: redis_systemd_name: "redis-server@{{ redis_instance_name }}" redis_conf_dir: "{{ redis_conf_dir_prefix }}-{{ redis_instance_name }}" redis_socket_dir: "{{ redis_socket_dir_prefix }}-{{ redis_instance_name }}" 
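Review bot: `ansible.posix.sysctl` (and `community.general.ini_file`, `community.mysql.mysql_db` and `community.mysql.mysql_user` elsewhere in this series) are collection modules, so the roles now only run where those collections are installed, and nothing in the hunks shows a `requirements.yml` or README entry declaring them. If one is not added elsewhere in the commit, a `collections/requirements.yml` listing `ansible.posix`, `community.general` and `community.mysql` would let `ansible-galaxy collection install -r` pull them in.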
@@ -68,7 +69,7 @@ when: redis_instance_name is defined - name: Fail if redis_bind_interface is set - fail: + ansible.builtin.fail: msg: "Please change 'redis_bind_interface' (String) to 'redis_bind_interfaces' (List)" when: - redis_bind_interface is defined @@ -76,15 +77,15 @@ - redis_bind_interface | length > 0 - name: configure Redis for default mode - include: default-server.yml + ansible.builtin.include: default-server.yml when: redis_instance_name is not defined - name: configure Redis for instance mode - include: instance-server.yml + ansible.builtin.include: instance-server.yml when: redis_instance_name is defined - name: Is Munin installed - stat: + ansible.builtin.stat: path: /etc/munin/plugins register: _munin_installed tags: @@ -92,7 +93,7 @@ - munin - name: configure Munin for default mode - include: default-munin.yml + ansible.builtin.include: default-munin.yml when: - _munin_installed.stat.exists - _munin_installed.stat.isdir @@ -102,7 +103,7 @@ - munin - name: configure Munin for instance mode - include: instance-munin.yml + ansible.builtin.include: instance-munin.yml when: - _munin_installed.stat.exists - _munin_installed.stat.isdir @@ -112,7 +113,7 @@ - munin - name: Is log2mail installed - stat: + ansible.builtin.stat: path: /etc/log2mail/config register: _log2mail_installed tags: @@ -120,7 +121,7 @@ - log2mail - name: configure log2mail for default mode - include: default-log2mail.yml + ansible.builtin.include: default-log2mail.yml when: - _log2mail_installed.stat.exists - _log2mail_installed.stat.isdir @@ -130,7 +131,7 @@ - log2mail - name: configure log2mail for instance mode - include: instance-log2mail.yml + ansible.builtin.include: instance-log2mail.yml when: - _log2mail_installed.stat.exists - _log2mail_installed.stat.isdir @@ -140,7 +141,7 @@ - log2mail - name: is NRPE present ? - stat: + ansible.builtin.stat: path: /etc/nagios/nrpe.d/evolix.cfg check_mode: no register: nrpe_evolix_config 
@@ -148,13 +149,14 @@ - redis - nrpe -- include: nrpe.yml +- ansible.builtin.include: nrpe.yml when: nrpe_evolix_config.stat.exists tags: - redis - nrpe - name: Force restart redis - command: /bin/true + ansible.builtin.command: + cmd: /bin/true notify: restart redis when: redis_restart_force | bool diff --git a/redis/tasks/nrpe.yml b/redis/tasks/nrpe.yml index b42e2da2..61400b99 100644 --- a/redis/tasks/nrpe.yml +++ b/redis/tasks/nrpe.yml @@ -1,7 +1,7 @@ --- - name: Install perl lib-redis (needed by check_redis) - apt: + ansible.builtin.apt: name: libredis-perl state: present tags: @@ -9,7 +9,7 @@ - nrpe - name: install check_redis on Jessie - copy: + ansible.builtin.copy: src: check_redis.pl dest: /usr/local/lib/nagios/plugins/check_redis force: yes @@ -24,7 +24,7 @@ - nrpe - name: set the path of check_redis on Jessie - set_fact: + ansible.builtin.set_fact: redis_check_redis_path: /usr/local/lib/nagios/plugins/check_redis when: - ansible_distribution == "Debian" @@ -34,7 +34,7 @@ - nrpe - name: set the path of check_redis on Stretch and later - set_fact: + ansible.builtin.set_fact: redis_check_redis_path: /usr/lib/nagios/plugins/check_redis when: - ansible_distribution == "Debian" @@ -44,7 +44,7 @@ - nrpe - name: sudo without password for nagios - lineinfile: + ansible.builtin.lineinfile: dest: /etc/sudoers.d/evolinux regexp: 'check_redis$' line: 'nagios ALL = NOPASSWD: {{ redis_check_redis_path }}' @@ -57,7 +57,7 @@ - nrpe - name: Use check_redis for NRPE - replace: + ansible.builtin.replace: dest: /etc/nagios/nrpe.d/evolix.cfg regexp: '^command\[check_redis\]=.+' replace: 'command[check_redis]=sudo {{ redis_check_redis_path }} -H {{ redis_bind_interfaces | first }} -p {{ redis_port }}' @@ -68,7 +68,7 @@ - nrpe - name: sudo without password for nagios - lineinfile: + ansible.builtin.lineinfile: dest: /etc/sudoers.d/evolinux regexp: 'check_redis$' line: 'nagios ALL = NOPASSWD: {{ redis_check_redis_path }}' 
@@ -80,11 +80,11 @@ - nrpe - name: "Remount /usr with RW for 'install check_redis instance'" - include_role: + ansible.builtin.include_role: name: evolix/remount-usr - name: install check_redis_instances - copy: + ansible.builtin.copy: src: check_redis_instances.sh dest: /usr/local/lib/nagios/plugins/check_redis_instances force: yes @@ -96,7 +96,7 @@ - nrpe - name: Use check_redis_instances for NRPE - replace: + ansible.builtin.replace: dest: /etc/nagios/nrpe.d/evolix.cfg regexp: '^command\[check_redis\]=.+' replace: 'command[check_redis]=sudo /usr/local/lib/nagios/plugins/check_redis_instances' @@ -107,7 +107,7 @@ - nrpe - name: sudo without password for nagios - lineinfile: + ansible.builtin.lineinfile: dest: /etc/sudoers.d/evolinux regexp: 'check_redis_instances$' line: 'nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_redis_instances' diff --git a/redis/tasks/thp.yml b/redis/tasks/thp.yml index 7a0dce27..7a215788 100644 --- a/redis/tasks/thp.yml +++ b/redis/tasks/thp.yml @@ -1,7 +1,7 @@ --- - name: sysfsutils is installed - apt: + ansible.builtin.apt: name: - sysfsutils state: present @@ -11,7 +11,7 @@ - kernel - name: Check possible values for THP - assert: + ansible.builtin.assert: that: redis_sysctl_transparent_hugepage_enabled is in ['always', 'madvise', 'never'] msg: "redis_sysctl_transparent_hugepage_enabled has incorrect value : '{{ redis_sysctl_transparent_hugepage_enabled }}' not in ['always', 'madvise', 'never']" tags: @@ -19,7 +19,7 @@ - kernel - name: "Set THP to {{ redis_sysctl_transparent_hugepage_enabled }} at boot" - lineinfile: + ansible.builtin.lineinfile: path: /etc/sysfs.conf line: kernel/mm/transparent_hugepage/enabled = {{ redis_sysctl_transparent_hugepage_enabled }} regexp: "kernel/mm/transparent_hugepage/enabled" 
@@ -28,7 +28,8 @@ - kernel - name: "Set THP to {{ redis_sysctl_transparent_hugepage_enabled }} for this boot" - shell: "echo '{{ redis_sysctl_transparent_hugepage_enabled }}' >> /sys/kernel/mm/transparent_hugepage/enabled" + ansible.builtin.shell: + cmd: "echo '{{ redis_sysctl_transparent_hugepage_enabled }}' >> /sys/kernel/mm/transparent_hugepage/enabled" tags: - redis - kernel \ No newline at end of file diff --git a/redmine/handlers/main.yml b/redmine/handlers/main.yml index 3759afc4..595d83f4 100644 --- a/redmine/handlers/main.yml +++ b/redmine/handlers/main.yml @@ -1,10 +1,10 @@ --- - name: restart rsyslog - service: + ansible.builtin.service: name: rsyslog state: restarted - name: reload nginc - service: + ansible.builtin.service: name: nginx state: reloaded diff --git a/redmine/tasks/config.yml b/redmine/tasks/config.yml index e45bcea5..282f20f6 100644 --- a/redmine/tasks/config.yml +++ b/redmine/tasks/config.yml @@ -1,6 +1,6 @@ --- - name: Create systemd config dir - file: + ansible.builtin.file: state: directory dest: "/home/{{ redmine_user }}/{{ item }}" mode: "0750" @@ -14,7 +14,7 @@ - redmine - name: Deploy systemd unit - copy: + ansible.builtin.copy: src: puma.service dest: "/home/{{ redmine_user }}/.config/systemd/user/puma.service" mode: "0644" @@ -24,7 +24,7 @@ - redmine - name: Set user .profile - copy: + ansible.builtin.copy: src: profile dest: "/home/{{ redmine_user }}/.profile" owner: "{{ redmine_user }}" @@ -34,7 +34,7 @@ - redmine - name: Create config directory - file: + ansible.builtin.file: path: "/home/{{ redmine_user }}/config" state: directory owner: "{{ redmine_user }}" @@ -44,7 +44,7 @@ - redmine - name: Copy configurations file - template: + ansible.builtin.template: src: "{{ item }}.j2" dest: "/home/{{ redmine_user }}/config/{{ item }}" owner: "{{ redmine_user }}" diff --git a/redmine/tasks/main.yml b/redmine/tasks/main.yml index eb5c5915..41acd751 100644 --- a/redmine/tasks/main.yml +++ b/redmine/tasks/main.yml 
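Review bot: `cmd: "echo '{{ redis_sysctl_transparent_hugepage_enabled }}' >> /sys/kernel/mm/transparent_hugepage/enabled"` interpolates a variable into `ansible.builtin.shell`; that is acceptable here only because the `Check possible values for THP` assert earlier in the file restricts it to `always`, `madvise` or `never`, which is worth recording next to the task, e.g. `# safe to interpolate into a shell: the assert above limits the value to always/madvise/never`. The task also has no `changed_when`, so it reports a change on every run, and `>>` on a sysfs attribute behaves like `>` but reads as if it appended. The file still ends without a trailing newline.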
@@ -1,8 +1,8 @@ --- -- include: packages.yml -- include: syslog.yml -- include: user.yml -- include_role: +- ansible.builtin.include: packages.yml +- ansible.builtin.include: syslog.yml +- ansible.builtin.include: user.yml +- ansible.builtin.include_role: name: evolix/rbenv vars: - username: "{{ redmine_user }}" diff --git a/redmine/tasks/mysql.yml b/redmine/tasks/mysql.yml index 5f1f6631..6cf3ef36 100644 --- a/redmine/tasks/mysql.yml +++ b/redmine/tasks/mysql.yml @@ -1,6 +1,7 @@ --- - name: Get actual Mysql password - shell: "grep password /home/{{ redmine_user }}/.my.cnf | awk '{ print $3 }'" + ansible.builtin.shell: + cmd: "grep password /home/{{ redmine_user }}/.my.cnf | awk '{ print $3 }'" register: redmine_get_mysql_password check_mode: no changed_when: False @@ -9,7 +10,8 @@ - redmine - name: Generate Mysql password - shell: perl -e 'print map{("a".."z","A".."Z",0..9)[int(rand(62))]}(1..16)' + ansible.builtin.shell: + cmd: perl -e 'print map{("a".."z","A".."Z",0..9)[int(rand(62))]}(1..16)' register: redmine_generate_mysql_password check_mode: no changed_when: False @@ -18,13 +20,13 @@ - redmine - name: Set Mysql password - set_fact: + ansible.builtin.set_fact: redmine_db_pass: "{{ redmine_generate_mysql_password.stdout | default(redmine_get_mysql_password.stdout) }}" tags: - redmine - name: Create Mysql database - mysql_db: + community.mysql.mysql_db: name: "{{ redmine_db_name }}" config_file: "/root/.my.cnf" state: present @@ -34,7 +36,7 @@ - redmine - name: Store credentials in my.cnf - ini_file: + community.general.ini_file: dest: "/home/{{ redmine_user }}/.my.cnf" owner: "{{ redmine_user }}" group: "{{ redmine_user }}" @@ -51,7 +53,7 @@ - redmine - name: Create Mysql user - mysql_user: + community.mysql.mysql_user: name: "{{ redmine_db_username }}" password: '{{ redmine_db_pass }}' priv: "{{ redmine_user }}.*:ALL" diff --git a/redmine/tasks/nginx.yml b/redmine/tasks/nginx.yml index 1ea1f40a..3ceebb0e 100644 --- a/redmine/tasks/nginx.yml 
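Review bot: The `Generate Mysql password` task produces the database password with perl's `rand()`, which is not a cryptographic generator, and registers the result in `redmine_generate_mysql_password` without `no_log: true`, so the new credential is printed in verbose task output and can land in controller logs. Prefer a CSPRNG-backed source and mark the task secret, e.g. replace the `cmd:` with `openssl rand -base64 12` (or use the `ansible.builtin.password` lookup instead of a shell task) and add `no_log: true`. The preceding `Get actual Mysql password` task registers the existing password from .my.cnf in the same way and should carry `no_log: true` as well; the hunks end before any `when:`/`tags:` so I cannot see whether either already has it.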
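Review bot: The `Create Mysql user` task grants `priv: "{{ redmine_user }}.*:ALL"` while the database created a few tasks earlier is `name: "{{ redmine_db_name }}"`; if those two variables are not always equal, the grant targets a database other than the one Redmine uses and the application user either cannot reach its schema or gets rights on an unrelated one. Unless the role's defaults force `redmine_db_name == redmine_user` (not visible here), the grant should be `priv: "{{ redmine_db_name }}.*:ALL"`. The hunk ends at the `priv:` line, so I cannot see whether `host:` is restricted to localhost; if it is not, it should be.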
+++ b/redmine/tasks/nginx.yml @@ -1,6 +1,6 @@ --- - name: Add www-data to Redmine group - user: + ansible.builtin.user: name: www-data groups: "{{ redmine_user }}" append: True @@ -9,7 +9,7 @@ - nginx - name: Copy nginx vhost - template: + ansible.builtin.template: src: nginx.conf.j2 dest: "/etc/nginx/sites-available/{{ redmine_user }}.conf" mode: "0644" @@ -19,7 +19,7 @@ - nginx - name: Enable nginx vhost - file: + ansible.builtin.file: src: "/etc/nginx/sites-available/{{ redmine_user }}.conf" dest: "/etc/nginx/sites-enabled/{{ redmine_user }}.conf" state: link diff --git a/redmine/tasks/packages.yml b/redmine/tasks/packages.yml index 294ef693..9d6978a7 100644 --- a/redmine/tasks/packages.yml +++ b/redmine/tasks/packages.yml @@ -1,6 +1,6 @@ --- - name: Install dependency - apt: + ansible.builtin.apt: name: - libpam-systemd - imagemagick @@ -20,7 +20,7 @@ # dependency for mysql_user and mysql_db - name: python modules is installed (Ansible dependency) - apt: + ansible.builtin.apt: name: - python-mysqldb - python-pymysql @@ -31,7 +31,7 @@ # dependency for mysql_user and mysql_db - name: python3 modules is installed (Ansible dependency) - apt: + ansible.builtin.apt: name: - python3-mysqldb - python3-pymysql diff --git a/redmine/tasks/release.yml b/redmine/tasks/release.yml index 548132fc..4f1430a5 100644 --- a/redmine/tasks/release.yml +++ b/redmine/tasks/release.yml @@ -1,6 +1,7 @@ --- - name: Get id of user - command: "id -u {{ redmine_user }}" + ansible.builtin.command: + cmd: "id -u {{ redmine_user }}" register: redmine_command_user_id changed_when: False check_mode: False @@ -8,7 +9,7 @@ - redmine - name: Define user environment - set_fact: + ansible.builtin.set_fact: user_env: XDG_RUNTIME_DIR: "/run/user/{{ redmine_command_user_id.stdout }}" RAILS_ENV: production @@ -16,7 +17,7 @@ - redmine - name: Stop puma service - systemd: + ansible.builtin.systemd: name: puma daemon_reload: yes state: stopped 
@@ -27,7 +28,7 @@ - redmine - name: Create mysqldump directory - file: + ansible.builtin.file: path: "/home/{{ redmine_user }}/mysqldump" state: directory owner: "{{ redmine_user }}" @@ -37,7 +38,7 @@ - redmine - name: Dump mysql database - mysql_db: + community.mysql.mysql_db: state: dump config_file: "/home/{{ redmine_user }}/.my.cnf" name: "{{ redmine_db_name }}" @@ -46,7 +47,7 @@ - redmine - name: Change www link - file: + ansible.builtin.file: state: link src: "/home/{{ redmine_user }}/releases/{{ redmine_version }}" dest: "/home/{{ redmine_user }}/www" @@ -56,7 +57,8 @@ - redmine - name: Update Gemfile.lock - command: "~/.rbenv/bin/rbenv exec bundle lock" + ansible.builtin.command: + cmd: "~/.rbenv/bin/rbenv exec bundle lock" args: chdir: "/home/{{ redmine_user }}/www" become_user: "{{ redmine_user }}" @@ -65,7 +67,8 @@ - redmine - name: Update local gems with bundle - command: "~/.rbenv/bin/rbenv exec bundle install --deployment" + ansible.builtin.command: + cmd: "~/.rbenv/bin/rbenv exec bundle install --deployment" args: chdir: "/home/{{ redmine_user }}/www" become_user: "{{ redmine_user }}" @@ -74,7 +77,8 @@ - redmine - name: Generate secret token - command: "~/.rbenv/bin/rbenv exec bundle exec rake -q generate_secret_token" + ansible.builtin.command: + cmd: "~/.rbenv/bin/rbenv exec bundle exec rake -q generate_secret_token" args: chdir: "/home/{{ redmine_user }}/www" creates: "/home/{{ redmine_user }}/www/config/initializers/secret_token.rb" @@ -84,7 +88,8 @@ - redmine - name: Migrate database with rake - command: "~/.rbenv/bin/rbenv exec bundle exec rake -q db:migrate" + ansible.builtin.command: + cmd: "~/.rbenv/bin/rbenv exec bundle exec rake -q db:migrate" args: chdir: "/home/{{ redmine_user }}/www/" become_user: "{{ redmine_user }}" 
@@ -93,7 +98,8 @@ - redmine - name: Populate Mysql database - command: "~/.rbenv/bin/rbenv exec bundle exec rake -q redmine:load_default_data REDMINE_LANG=fr" + ansible.builtin.command: + cmd: "~/.rbenv/bin/rbenv exec bundle exec rake -q redmine:load_default_data REDMINE_LANG=fr" args: chdir: "/home/{{ redmine_user }}/www/" become_user: "{{ redmine_user }}" @@ -103,7 +109,8 @@ - redmine - name: Migrate plugins - command: "~/.rbenv/bin/rbenv exec bundle exec rake -q redmine:plugins:migrate" + ansible.builtin.command: + cmd: "~/.rbenv/bin/rbenv exec bundle exec rake -q redmine:plugins:migrate" args: chdir: "/home/{{ redmine_user }}/www/" become_user: "{{ redmine_user }}" @@ -112,7 +119,7 @@ - redmine - name: Start puma service - systemd: + ansible.builtin.systemd: name: puma daemon_reload: yes state: started diff --git a/redmine/tasks/source.yml b/redmine/tasks/source.yml index 7893a5ad..980d2c13 100644 --- a/redmine/tasks/source.yml +++ b/redmine/tasks/source.yml @@ -1,6 +1,6 @@ --- - name: Create releases directory - file: + ansible.builtin.file: path: "/home/{{ redmine_user }}/{{ item }}" state: directory owner: "{{ redmine_user }}" @@ -13,7 +13,7 @@ - redmine - name: Download Redmine archive - unarchive: + ansible.builtin.unarchive: src: "https://redmine.org/releases/redmine-{{ redmine_version }}.tar.gz" dest: "/home/{{ redmine_user }}/releases/{{ redmine_version }}" remote_src: True @@ -24,7 +24,7 @@ - redmine - name: Link config files - file: + ansible.builtin.file: state: link src: "/home/{{ redmine_user }}/config/{{ item }}" dest: "/home/{{ redmine_user }}/releases/{{ redmine_version }}/config/{{ item }}" @@ -38,7 +38,7 @@ - redmine - name: Copy/Update plugin from archive - unarchive: + ansible.builtin.unarchive: src: "{{ item.zip }}" dest: "/home/{{ redmine_user }}/releases/{{ redmine_version }}/plugins/" remote_src: yes 
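Review bot: The `Download Redmine archive` task fetches `https://redmine.org/releases/redmine-{{ redmine_version }}.tar.gz` with `unarchive` + `remote_src: True` and extracts it straight into the release directory without any integrity check, so the deployed application is whatever the server (or anything able to answer for it) returns; TLS protects the transport but not against a compromised or redirected download. `unarchive` has no checksum option, so split the step into a `get_url` with `checksum:` followed by a local `unarchive`, with the expected digest kept alongside `redmine_version` in the role variables. The plugin and theme `unarchive` tasks later in this file pull `{{ item.zip }}` the same way and would benefit from the same pattern.

```yaml
- name: Download Redmine archive
  ansible.builtin.get_url:
    url: "https://redmine.org/releases/redmine-{{ redmine_version }}.tar.gz"
    dest: "/home/{{ redmine_user }}/releases/redmine-{{ redmine_version }}.tar.gz"
    checksum: "sha256:{{ redmine_archive_sha256 }}"
  # … unchanged: owner/group and tags …

- name: Extract Redmine archive
  ansible.builtin.unarchive:
    src: "/home/{{ redmine_user }}/releases/redmine-{{ redmine_version }}.tar.gz"
    dest: "/home/{{ redmine_user }}/releases/{{ redmine_version }}"
    remote_src: True
  # … unchanged: extra_opts/owner/tags from the original task …
```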
@@ -51,7 +51,7 @@ - redmine - name: Copy/Update plugin from git repository - git: + ansible.builtin.git: repo: "{{ item.git }}" dest: "/home/{{ redmine_user }}/releases/{{ redmine_version }}/plugins/{{ item.git | basename | splitext | first }}" version: "{{ item.tree | default('master') }}" @@ -63,7 +63,7 @@ - redmine - name: Copy/Update theme from archive - unarchive: + ansible.builtin.unarchive: src: "{{ item.zip }}" dest: "/home/{{ redmine_user }}/releases/{{ redmine_version }}/public/themes" remote_src: yes @@ -76,7 +76,7 @@ - redmine - name: Copy/Update theme from git repository - git: + ansible.builtin.git: repo: "{{ item.git }}" dest: "/home/{{ redmine_user }}/releases/{{ redmine_version }}/public/themes/{{ item.git | basename | splitext | first }}" version: "{{ item.tree | default('master') }}" @@ -88,7 +88,7 @@ - redmine - name: Deploy custom Gemfile - template: + ansible.builtin.template: src: Gemfile.local.j2 dest: "/home/{{ redmine_user }}/releases/{{ redmine_version }}/Gemfile.local" owner: "{{ redmine_user }}" diff --git a/redmine/tasks/syslog.yml b/redmine/tasks/syslog.yml index b53e2660..14be7827 100644 --- a/redmine/tasks/syslog.yml +++ b/redmine/tasks/syslog.yml @@ -1,6 +1,6 @@ --- - name: Create log directory - file: + ansible.builtin.file: state: directory dest: /var/log/redmine owner: root @@ -10,7 +10,7 @@ - redmine - name: Copy syslog configuration - copy: + ansible.builtin.copy: src: syslog.conf dest: /etc/rsyslog.d/redmine.conf mode: "0644" @@ -19,7 +19,7 @@ - redmine - name: Copy logrotate configuration - copy: + ansible.builtin.copy: src: logrotate dest: /etc/logrotate.d/redmine mode: "0644" diff --git a/redmine/tasks/user.yml b/redmine/tasks/user.yml index dc959db1..db9cbd1a 100644 --- a/redmine/tasks/user.yml +++ b/redmine/tasks/user.yml 
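Review bot: The `Copy/Update plugin from git repository` task checks out `version: "{{ item.tree | default('master') }}"`, so a plugin entry without an explicit `tree` tracks a moving branch and every run can pull unreviewed upstream changes into a production Redmine; the same default is used for themes in the next hunk. A plugin list should pin a tag or commit, so either make `tree` mandatory (`version: "{{ item.tree }}"` and an `assert` that each item defines it) or at least document the risk with `# default('master') tracks a moving branch — pin item.tree to a tag or commit for production`. Note also that repositories whose default branch is `main` will fail with this default.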
@@ -1,13 +1,14 @@ --- - name: Create redmine group - group: + + ansible.builtin.group: name: "{{ redmine_user }}" state: present tags: - redmine - name: Create redmine user - user: + ansible.builtin.user: name: "{{ redmine_user }}" state: present group: "{{ redmine_user }}" @@ -18,7 +19,7 @@ - redmine - name: Add redmine user to Redis group - user: + ansible.builtin.user: name: "{{ redmine_user }}" groups: "redis-{{ redmine_user }}" append: True @@ -27,7 +28,7 @@ - redmine - name: Create required directory - file: + ansible.builtin.file: path: "{{ item }}" state: directory owner: "{{ redmine_user }}" @@ -40,5 +41,6 @@ - redmine - name: Enable systemd user mode - command: "loginctl enable-linger {{ redmine_user }}" + ansible.builtin.command: + cmd: "loginctl enable-linger {{ redmine_user }}" changed_when: False diff --git a/remount-usr/handlers/main.yml b/remount-usr/handlers/main.yml index 854a8883..ea22acee 100644 --- a/remount-usr/handlers/main.yml +++ b/remount-usr/handlers/main.yml @@ -1,4 +1,5 @@ --- - name: remount usr - command: "mount -o remount /usr" + ansible.builtin.command: + cmd: "mount -o remount /usr" failed_when: False \ No newline at end of file diff --git a/remount-usr/tasks/main.yml b/remount-usr/tasks/main.yml index e4cf9d36..eb5c0109 100644 --- a/remount-usr/tasks/main.yml +++ b/remount-usr/tasks/main.yml @@ -2,14 +2,16 @@ # findmnt returns 0 on hit, 1 on miss # If the return code is higher than 1, it's a blocking failure - name: "check if /usr is a read-only partition" - command: 'findmnt /usr --noheadings --options ro' + ansible.builtin.command: + cmd: 'findmnt /usr --noheadings --options ro' changed_when: False failed_when: usr_partition.rc > 1 check_mode: no register: usr_partition - name: "mount /usr in rw" - command: 'mount -o remount,rw /usr' + ansible.builtin.command: + cmd: 'mount -o remount,rw /usr' changed_when: False when: usr_partition.rc == 0 notify: remount usr 
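Review bot: The `remount usr` handler runs `mount -o remount /usr` with `failed_when: False`, so if the remount back to the fstab options fails (for example because /usr is busy), /usr silently stays read-write for the rest of the host's uptime and nothing in the play output says so. The remount also only restores read-only if fstab lists `ro` for /usr; the handler has no way to tell. At minimum document the intent and make the outcome visible, e.g. register the result and add `# best-effort: remounts /usr with its fstab options (expected ro); a failure leaves /usr writable` above it, or replace the blanket `failed_when: False` with a check on the registered rc so a real failure is reported.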
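Review bot: The `mount /usr in rw` task sets `changed_when: False` and relies on `notify: remount usr` to put /usr back to read-only, but Ansible only notifies handlers from tasks that report a change, so with this setting the handler is never triggered and /usr is left writable after every role that includes remount-usr (unless something else notifies the same handler, which is not visible here). The task genuinely changes the mount when it runs, so drop the `changed_when: False` line or make it `changed_when: True`; the `when: usr_partition.rc == 0` already keeps it from running when /usr is not read-only. A short comment would help future readers: `# must report changed so the "remount usr" handler fires at the end of the play`.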
diff --git a/spamassasin/handlers/main.yml b/spamassasin/handlers/main.yml index 7479d736..78597a37 100644 --- a/spamassasin/handlers/main.yml +++ b/spamassasin/handlers/main.yml @@ -1,5 +1,5 @@ --- - name: restart spamassassin - service: + ansible.builtin.service: name: spamassassin state: restarted diff --git a/spamassasin/tasks/main.yml b/spamassasin/tasks/main.yml index a2cbaf9a..9f2889ca 100644 --- a/spamassasin/tasks/main.yml +++ b/spamassasin/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: install SpamAssasin - apt: + ansible.builtin.apt: name: - spamassassin state: present @@ -8,7 +8,7 @@ - spamassassin - name: configure SpamAssasin - copy: + ansible.builtin.copy: src: spamassassin.cf dest: /etc/spamassassin/local_evolix.cf mode: "0644" @@ -17,7 +17,7 @@ - spamassassin - name: enable SpamAssasin - replace: + ansible.builtin.replace: dest: /etc/default/spamassassin regexp: 'ENABLED=0' replace: 'ENABLED=1' @@ -26,7 +26,7 @@ - spamassassin - name: add amavis user to debian-spamd group - user: + ansible.builtin.user: name: amavis groups: debian-spamd append: yes @@ -34,31 +34,31 @@ - spamassassin - name: fix right on /var/lib/spamassassin - file: + ansible.builtin.file: dest: /var/lib/spamassassin state: directory mode: "0750" tags: - spamassassin -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr tags: - spamassassin - name: Check evomaintenance config - stat: + ansible.builtin.stat: path: /etc/evomaintenance.cf register: _evomaintenance_config - name: Verify sa-update dependency - assert: + ansible.builtin.assert: that: - _evomaintenance_config.stat.exists msg: sa-update.sh needs /etc/evomaintenance.cf - name: copy sa-update.sh script - copy: + ansible.builtin.copy: src: sa-update.sh dest: /usr/share/scripts/sa-update.sh mode: "0750" 
@@ -66,8 +66,8 @@ - spamassassin - name: Check if cron is installed - shell: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'" - args: + ansible.builtin.shell: + cmd: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'" executable: /bin/bash check_mode: no failed_when: False @@ -75,7 +75,7 @@ register: is_cron_installed - name: enable sa-update.sh cron - lineinfile: + ansible.builtin.lineinfile: dest: /etc/cron.d/sa-update line: "42 6 5 1,4,7,10 * root /usr/share/scripts/sa-update.sh" create: yes @@ -86,13 +86,14 @@ - spamassassin - name: update SpamAssasin's rules - command: "/usr/share/scripts/sa-update.sh" + ansible.builtin.command: + cmd: "/usr/share/scripts/sa-update.sh" changed_when: False tags: - spamassassin - name: ensure SpamAssasin is started and enabled - systemd: + ansible.builtin.systemd: name: spamassassin state: started enabled: True diff --git a/squid/handlers/main.yml b/squid/handlers/main.yml index 4f5329b9..149d4827 100644 --- a/squid/handlers/main.yml +++ b/squid/handlers/main.yml @@ -1,33 +1,34 @@ --- - name: restart munin-node - service: + ansible.builtin.service: name: munin-node state: restarted - name: restart squid - service: + ansible.builtin.service: name: squid state: restarted - name: reload squid - service: + ansible.builtin.service: name: squid state: reloaded - name: restart squid3 - service: + ansible.builtin.service: name: squid3 state: restarted - name: reload squid3 - service: + ansible.builtin.service: name: squid3 state: reloaded - name: restart log2mail - service: + ansible.builtin.service: name: log2mail state: restarted - name: restart minifirewall - command: /etc/init.d/minifirewall restart + ansible.builtin.command: + cmd: /etc/init.d/minifirewall restart diff --git a/squid/tasks/log2mail.yml b/squid/tasks/log2mail.yml index 5454dc10..1d36eb09 100644 --- a/squid/tasks/log2mail.yml +++ b/squid/tasks/log2mail.yml 
@@ -1,14 +1,14 @@ --- - name: is log2mail installed? - stat: + ansible.builtin.stat: path: /etc/log2mail/config/ check_mode: no register: log2mail_config - block: - name: log2mail proxy config is present - template: + ansible.builtin.template: src: log2mail.j2 dest: /etc/log2mail/config/squid.conf mode: "0640" @@ -17,7 +17,7 @@ notify: restart log2mail - name: log2mail user is in proxy group - user: + ansible.builtin.user: name: log2mail groups: proxy append: yes diff --git a/squid/tasks/logrotate_jessie.yml b/squid/tasks/logrotate_jessie.yml index 010d13cc..345cd053 100644 --- a/squid/tasks/logrotate_jessie.yml +++ b/squid/tasks/logrotate_jessie.yml @@ -11,7 +11,8 @@ # is the one provided by the package. - name: check if logrotate file is default - shell: 'printf "43994674706b672ae5018f592beccf2e /etc/logrotate.d/{{ squid_daemon_name }}" | md5sum --check' + ansible.builtin.shell: + cmd: 'printf "43994674706b672ae5018f592beccf2e /etc/logrotate.d/{{ squid_daemon_name }}" | md5sum --check' changed_when: False failed_when: False check_mode: no @@ -20,7 +21,7 @@ - squid - name: logrotate configuration - template: + ansible.builtin.template: src: logrotate_jessie.j2 dest: /etc/logrotate.d/{{ squid_daemon_name }} force: yes diff --git a/squid/tasks/logrotate_stretch.yml b/squid/tasks/logrotate_stretch.yml index 579c228c..df264068 100644 --- a/squid/tasks/logrotate_stretch.yml +++ b/squid/tasks/logrotate_stretch.yml @@ -11,7 +11,8 @@ # is the one provided by the package. - name: check if logrotate file is default - shell: 'printf "c210feea019412adac8a5d5dcba427af /etc/logrotate.d/{{ squid_daemon_name }}" | md5sum --check' + ansible.builtin.shell: + cmd: 'printf "c210feea019412adac8a5d5dcba427af /etc/logrotate.d/{{ squid_daemon_name }}" | md5sum --check' changed_when: False failed_when: False check_mode: no 
@@ -20,7 +21,7 @@ - squid - name: logrotate configuration - template: + ansible.builtin.template: src: logrotate_stretch.j2 dest: /etc/logrotate.d/{{ squid_daemon_name }} force: yes diff --git a/squid/tasks/main.yml b/squid/tasks/main.yml index 5cb60ea9..0a200188 100644 --- a/squid/tasks/main.yml +++ b/squid/tasks/main.yml @@ -1,49 +1,49 @@ --- -- fail: +- ansible.builtin.fail: msg: only compatible with Debian >= 8 when: - ansible_distribution != "Debian" or ansible_distribution_major_version is version('8', '<') - name: "Set squid name (jessie)" - set_fact: + ansible.builtin.set_fact: squid_daemon_name: squid3 when: ansible_distribution_release == "jessie" - name: "Set squid name (Debian 9 or later)" - set_fact: + ansible.builtin.set_fact: squid_daemon_name: squid when: ansible_distribution_major_version is version('9', '>=') - name: "Install Squid packages" - apt: + ansible.builtin.apt: name: - "{{ squid_daemon_name }}" - squidclient state: present - name: Fetch packages - package_facts: + ansible.builtin.package_facts: manager: auto -- debug: +- ansible.builtin.debug: var: ansible_facts.packages[squid_daemon_name] - name: "Set alternative config file (Debian 9 or later)" - copy: + ansible.builtin.copy: src: default_squid dest: /etc/default/squid when: ansible_distribution_major_version is version('9', '>=') - name: "squid.conf is present (jessie)" - template: + ansible.builtin.template: src: squid.conf.j2 dest: /etc/squid3/squid.conf notify: "restart squid3" when: ansible_distribution_release == "jessie" - name: "evolix whitelist is present (jessie)" - copy: + ansible.builtin.copy: src: whitelist-evolinux.conf dest: /etc/squid3/whitelist.conf force: no 
@@ -51,21 +51,21 @@ when: ansible_distribution_release == "jessie" - name: "evolinux defaults squid file (Debian 9 or later)" - copy: + ansible.builtin.copy: src: evolinux-defaults.conf dest: /etc/squid/evolinux-defaults.conf notify: "restart squid" when: ansible_distribution_major_version is version('9', '>=') - name: "evolinux defaults whitelist (Debian 9 or later)" - copy: + ansible.builtin.copy: src: evolinux-whitelist-defaults.conf dest: /etc/squid/evolinux-whitelist-defaults.conf notify: "reload squid" when: ansible_distribution_major_version is version('9', '>=') - name: "evolinux custom whitelist (Debian 9 or later)" - copy: + ansible.builtin.copy: dest: /etc/squid/evolinux-whitelist-custom.conf content: | # Put customized values here. @@ -73,7 +73,7 @@ when: ansible_distribution_major_version is version('9', '>=') - name: "evolinux acl for local proxy (Debian 9 or later)" - template: + ansible.builtin.template: src: evolinux-acl.conf.j2 dest: /etc/squid/evolinux-acl.conf force: no @@ -83,7 +83,7 @@ - ansible_distribution_major_version is version('9', '>=') - name: "evolinux custom acl (Debian 9 or later)" - copy: + ansible.builtin.copy: dest: /etc/squid/evolinux-acl.conf content: | # Put customized values here. @@ -93,7 +93,7 @@ - ansible_distribution_major_version is version('9', '>=') - name: "evolinux http_access for local proxy (Debian 9 or later)" - copy: + ansible.builtin.copy: src: evolinux-httpaccess.conf dest: /etc/squid/evolinux-httpaccess.conf force: no @@ -103,7 +103,7 @@ - ansible_distribution_major_version is version('9', '>=') - name: "evolinux custom http_access (Debian 9 or later)" - copy: + ansible.builtin.copy: dest: /etc/squid/evolinux-httpaccess.conf content: | # Put customized values here. 
@@ -113,7 +113,7 @@ - ansible_distribution_major_version is version('9', '>=') - name: "evolinux overrides for local proxy (Debian 9 or later)" - template: + ansible.builtin.template: src: evolinux-custom.conf.j2 dest: /etc/squid/evolinux-custom.conf force: no @@ -123,7 +123,7 @@ - ansible_distribution_major_version is version('9', '>=') - name: "evolinux custom overrides (Debian 9 or later)" - copy: + ansible.builtin.copy: dest: /etc/squid/evolinux-custom.conf content: | # Put customized values here. @@ -133,7 +133,7 @@ - ansible_distribution_major_version is version('9', '>=') - name: add some URL in whitelist (Debian 8) - lineinfile: + ansible.builtin.lineinfile: insertafter: EOF dest: /etc/squid3/whitelist.conf line: "{{ item }}" @@ -143,7 +143,7 @@ when: ansible_distribution_major_version == '8' - name: add some URL in whitelist (Debian 9 or later) - lineinfile: + ansible.builtin.lineinfile: insertafter: EOF dest: /etc/squid/evolinux-whitelist-custom.conf line: "{{ item }}" @@ -152,15 +152,15 @@ notify: "reload squid" when: ansible_distribution_major_version is version('9', '>=') -- include: systemd.yml +- ansible.builtin.include: systemd.yml when: ansible_distribution_major_version is version('10', '>=') -- include: logrotate_jessie.yml +- ansible.builtin.include: logrotate_jessie.yml when: ansible_distribution_release == "jessie" -- include: logrotate_stretch.yml +- ansible.builtin.include: logrotate_stretch.yml when: ansible_distribution_major_version is version('9', '>=') -- include: minifirewall.yml +- ansible.builtin.include: minifirewall.yml -- include: log2mail.yml +- ansible.builtin.include: log2mail.yml diff --git a/squid/tasks/minifirewall.legacy.yml b/squid/tasks/minifirewall.legacy.yml index f7e78ee5..18ee45aa 100644 --- a/squid/tasks/minifirewall.legacy.yml +++ b/squid/tasks/minifirewall.legacy.yml 
@@ -1,20 +1,20 @@ --- - name: Check if Minifirewall is present - stat: + ansible.builtin.stat: path: "/etc/default/minifirewall" check_mode: no register: minifirewall_test - block: - name: HTTPSITES list is commented in minifirewall - replace: + ansible.builtin.replace: dest: "/etc/default/minifirewall" regexp: "^(HTTPSITES='[^0-9])" replace: '#\1' notify: restart minifirewall - name: all HTTPSITES are authorized in minifirewall - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "HTTPSITES='0.0.0.0/0'" regexp: "HTTPSITES='.*'" @@ -22,7 +22,7 @@ notify: restart minifirewall - name: add iptables rules for the proxy - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" regexp: "^#? *{{ item }}" line: "{{ item }}" @@ -35,7 +35,7 @@ notify: restart minifirewall - name: remove minifirewall example rule for the proxy - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" regexp: '^#.*(-t nat).*(-d X\.X\.X\.X)' state: absent diff --git a/squid/tasks/minifirewall.yml b/squid/tasks/minifirewall.yml index 5abdf9df..7cece087 100644 --- a/squid/tasks/minifirewall.yml +++ b/squid/tasks/minifirewall.yml @@ -1,20 +1,20 @@ --- - name: Check if Minifirewall is present - stat: + ansible.builtin.stat: path: "/etc/default/minifirewall" check_mode: no register: minifirewall_test - block: - name: HTTPSITES list is commented in minifirewall - replace: + ansible.builtin.replace: dest: "/etc/default/minifirewall" regexp: "^(HTTPSITES='[^0-9])" replace: '#\1' notify: restart minifirewall - name: all HTTPSITES are authorized in minifirewall - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "HTTPSITES='0.0.0.0/0'" regexp: "HTTPSITES='.*'" 
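Review bot: In squid/tasks/minifirewall.yml the block unconditionally sets `HTTPSITES='0.0.0.0/0'`, which opens outbound HTTP to every destination in the host firewall, before the proxy configuration that is supposed to compensate for it (the legacy NAT rule or `PROXY='on'`) is applied by the later tasks in this file; if those later tasks are skipped or fail, the host ends up with unrestricted egress and no filtering proxy. The intent seems to be "squid does the filtering, so the firewall can allow all", but that is not written anywhere in the file. Add a comment above the lineinfile such as `# egress HTTP is allowed for all destinations only because traffic is redirected through squid below; keep these tasks together`, and consider ordering the wide-open rule after the proxy redirect has been written. The `replace` and `lineinfile` edits to /etc/default/minifirewall also have no `validate:`, so a broken file is only discovered when the `restart minifirewall` handler runs.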
@@ -23,14 +23,15 @@ # The PROXY variable means that minifirewall is "modern" - name: Look for PROXY variable - shell: "grep -E '^\\s*PROXY=' /etc/default/minifirewall" + ansible.builtin.shell: + cmd: "grep -E '^\\s*PROXY=' /etc/default/minifirewall" failed_when: False changed_when: False check_mode: False register: _minifirewall_proxy_var_check - name: Set proxy configuration for minifirewall (legacy mode) - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" regexp: "^#? *{{ item }}" line: "{{ item }}" @@ -44,7 +45,7 @@ when: _minifirewall_proxy_var_check.rc == 1 - name: remove minifirewall example rule for the proxy (legacy mode) - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" regexp: '^#.*(-t nat).*(-d X\.X\.X\.X)' state: absent @@ -52,7 +53,7 @@ when: _minifirewall_proxy_var_check.rc == 1 - name: Set proxy configuration for minifirewall (modern mode) - replace: + ansible.builtin.replace: dest: "/etc/default/minifirewall" replace: "PROXY='on'" regexp: "PROXY='.*'" diff --git a/squid/tasks/systemd.yml b/squid/tasks/systemd.yml index c84e52d6..7e262f23 100644 --- a/squid/tasks/systemd.yml +++ b/squid/tasks/systemd.yml @@ -1,14 +1,15 @@ --- - name: Look for existing systemd unit - command: systemctl -q is-active squid.service + ansible.builtin.command: + cmd: systemctl -q is-active squid.service changed_when: False failed_when: False check_mode: no register: _squid_systemd_active - name: Squid systemd overrides directory exists - file: + ansible.builtin.file: dest: /etc/systemd/system/squid.service.d/ state: directory owner: root @@ -16,7 +17,7 @@ mode: "0755" - name: "Squid systemd unit service is present" - template: + ansible.builtin.template: src: systemd-override.conf.j2 dest: /etc/systemd/system/squid.service.d/override.conf mode: "0644" 
@@ -24,7 +25,7 @@ register: _squid_systemd_override - name: "Systemd daemon is reloaded and Squid restarted" - systemd: + ansible.builtin.systemd: name: squid state: restarted daemon_reload: yes diff --git a/ssl/handlers/main.yml b/ssl/handlers/main.yml index 3393e45a..d4dcb52a 100644 --- a/ssl/handlers/main.yml +++ b/ssl/handlers/main.yml @@ -1,5 +1,5 @@ --- - name: reload haproxy - service: + ansible.builtin.service: name: haproxy state: reloaded diff --git a/ssl/tasks/haproxy.yml b/ssl/tasks/haproxy.yml index 2ba30ac9..878524f3 100644 --- a/ssl/tasks/haproxy.yml +++ b/ssl/tasks/haproxy.yml @@ -1,6 +1,6 @@ --- - name: Concatenate SSL certificate, key and dhparam - set_fact: + ansible.builtin.set_fact: ssl_cat: "{{ ssl_cat | default() }}{{ lookup('file', item) }}\n" with_fileglob: - "ssl/{{ ssl_cert }}.pem" @@ -10,7 +10,7 @@ - ssl - name: Create haproxy ssl directory - file: + ansible.builtin.file: dest: /etc/haproxy/ssl state: directory mode: "0700" @@ -18,7 +18,7 @@ - ssl - name: Copy concatenated certificate and key - copy: + ansible.builtin.copy: content: "{{ ssl_cat }}" dest: "/etc/haproxy/ssl/{{ ssl_cert }}.pem" mode: "0600" @@ -27,7 +27,7 @@ - ssl - name: Reset ssl_cat variable - set_fact: + ansible.builtin.set_fact: ssl_cat: "" tags: - ssl diff --git a/ssl/tasks/main.yml b/ssl/tasks/main.yml index 3ec71115..01398dec 100644 --- a/ssl/tasks/main.yml +++ b/ssl/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: Copy SSL certificate - copy: + ansible.builtin.copy: src: "ssl/{{ ssl_cert }}.pem" dest: "/etc/ssl/certs/{{ ssl_cert }}.pem" mode: "0644" @@ -9,7 +9,7 @@ - ssl - name: Copy SSL key - copy: + ansible.builtin.copy: src: "ssl/{{ ssl_cert }}.key" dest: "/etc/ssl/private/{{ ssl_cert }}.key" mode: "0640" @@ -20,7 +20,7 @@ - ssl - name: Copy SSL dhparam - copy: + ansible.builtin.copy: src: "ssl/{{ ssl_cert }}.dhp" dest: "/etc/ssl/certs/{{ ssl_cert }}.dhp" mode: "0644" 
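Review bot: The `Copy concatenated certificate and key` task in ssl/tasks/haproxy.yml writes the private key via `content: "{{ ssl_cat }}"` and has no `no_log: true`, so a run with `--diff` or `-v` prints the key material to the controller's output and logs, even though the file itself is correctly created with `mode: "0600"`. The preceding `set_fact` that builds `ssl_cat` from the `.pem`/`.key`/`.dhp` files has the same problem and additionally leaves the key in hostvars for the rest of the play (and in the fact cache if one is enabled). Add `no_log: true` to both tasks, and keep the `Reset ssl_cat variable` task that follows so the key does not outlive the role.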
@@ -29,8 +29,8 @@ - ssl - name: Check if Haproxy is installed - shell: "set -o pipefail && dpkg -l haproxy 2>/dev/null | grep -q -E '^(i|h)i'" - args: + ansible.builtin.shell: + cmd: "set -o pipefail && dpkg -l haproxy 2>/dev/null | grep -q -E '^(i|h)i'" executable: /bin/bash register: haproxy_check check_mode: no @@ -39,5 +39,5 @@ tags: - ssl -- include: haproxy.yml +- ansible.builtin.include: haproxy.yml when: haproxy_check.rc == 0 diff --git a/supervisord/handlers/main.yml b/supervisord/handlers/main.yml index be10ba0a..dde2339d 100644 --- a/supervisord/handlers/main.yml +++ b/supervisord/handlers/main.yml @@ -1,5 +1,5 @@ --- - name: restart supervisor - service: + ansible.builtin.service: name: supervisor state: restarted diff --git a/supervisord/tasks/main.yml b/supervisord/tasks/main.yml index b35bd03f..7b61ccbb 100644 --- a/supervisord/tasks/main.yml +++ b/supervisord/tasks/main.yml @@ -1,12 +1,12 @@ --- - name: Install Supervisor - apt: + ansible.builtin.apt: name: supervisor tags: - supervisord - name: Add http configuration for Supervisor - copy: + ansible.builtin.copy: src: http.conf dest: /etc/supervisor/conf.d/ mode: "0644" diff --git a/tomcat-instance/tasks/alias.yml b/tomcat-instance/tasks/alias.yml index 99ae1910..b61b27e5 100644 --- a/tomcat-instance/tasks/alias.yml +++ b/tomcat-instance/tasks/alias.yml @@ -1,6 +1,6 @@ --- - name: Create bin dir for alias - file: + ansible.builtin.file: path: "{{ tomcat_instance_root }}/{{ tomcat_instance_name }}/bin" state: directory mode: "0770" @@ -8,7 +8,7 @@ group: "{{ tomcat_instance_name }}" - name: Copy alias script for systemctl --user - template: + ansible.builtin.template: src: "{{ item }}" dest: "{{ tomcat_instance_root }}/{{ tomcat_instance_name }}/bin/" mode: "0770" diff --git a/tomcat-instance/tasks/bootstrap.yml b/tomcat-instance/tasks/bootstrap.yml index 001088b1..818ddceb 100644 --- a/tomcat-instance/tasks/bootstrap.yml +++ b/tomcat-instance/tasks/bootstrap.yml 
@@ -1,6 +1,6 @@ --- - name: Create tomcat dirs - file: + ansible.builtin.file: path: "{{ tomcat_instance_root }}/{{ tomcat_instance_name }}/{{ item }}" state: directory mode: "u=rwx,g=rwxs,o=" @@ -15,7 +15,7 @@ - 'lib' - name: Templating of env file - template: + ansible.builtin.template: src: 'templates/env.j2' dest: "{{ tomcat_instance_root }}/{{ tomcat_instance_name }}/conf/env" mode: "0660" @@ -24,7 +24,7 @@ force: no - name: Templating of server.xml file - template: + ansible.builtin.template: src: 'templates/server.xml-tomcat{{ tomcat_version }}.j2' dest: "{{ tomcat_instance_root }}/{{ tomcat_instance_name }}/conf/server.xml" mode: "0660" @@ -33,7 +33,7 @@ force: no - name: Copy config file - copy: + ansible.builtin.copy: src: "{{ item }}" dest: "{{ tomcat_instance_root }}/{{ tomcat_instance_name }}/conf/{{ item | basename }}" mode: "0660" diff --git a/tomcat-instance/tasks/check.yml b/tomcat-instance/tasks/check.yml index b9426a33..3273b802 100644 --- a/tomcat-instance/tasks/check.yml +++ b/tomcat-instance/tasks/check.yml @@ -1,10 +1,11 @@ --- - name: Check tomcat_instance_name - debug: + ansible.builtin.debug: msg: "{{ tomcat_instance_name }}" - name: Check use of gid - command: id -ng "{{ tomcat_instance_port }}" + ansible.builtin.command: + cmd: id -ng "{{ tomcat_instance_port }}" register: check_port_gid changed_when: False failed_when: @@ -12,7 +13,8 @@ - check_port_gid.stdout != "{{ tomcat_instance_name }}" - name: Check use of uid - command: id -nu "{{ tomcat_instance_port }}" + ansible.builtin.command: + cmd: id -nu "{{ tomcat_instance_port }}" register: check_port_uid changed_when: False failed_when: diff --git a/tomcat-instance/tasks/main.yml b/tomcat-instance/tasks/main.yml index 1da21794..70baa536 100644 --- a/tomcat-instance/tasks/main.yml +++ b/tomcat-instance/tasks/main.yml 
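Review bot: The `Check use of gid` task in tomcat-instance/tasks/check.yml compares with Jinja delimiters inside a conditional, `check_port_gid.stdout != "{{ tomcat_instance_name }}"`, which Ansible warns about because `failed_when` is already evaluated as a Jinja expression; the sibling file tomcat-instance/tasks/user.yml in this same patch writes the equivalent test as `get_login_from_id.stdout != tomcat_instance_name`. Use the plain form here too: `- check_port_gid.stdout != tomcat_instance_name`, and the same for the uid check in the following hunk. The `failed_when:` list continues past the end of the first hunk, so the first condition is not visible to me.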
@@ -1,6 +1,6 @@ --- -- include: check.yml -- include: user.yml -- include: systemd.yml -- include: alias.yml -- include: bootstrap.yml +- ansible.builtin.include: check.yml +- ansible.builtin.include: user.yml +- ansible.builtin.include: systemd.yml +- ansible.builtin.include: alias.yml +- ansible.builtin.include: bootstrap.yml diff --git a/tomcat-instance/tasks/systemd.yml b/tomcat-instance/tasks/systemd.yml index c3a6a877..87c64ae6 100644 --- a/tomcat-instance/tasks/systemd.yml +++ b/tomcat-instance/tasks/systemd.yml @@ -1,10 +1,11 @@ --- - name: Enable systemd user mode - command: "loginctl enable-linger {{ tomcat_instance_name }}" + ansible.builtin.command: + cmd: "loginctl enable-linger {{ tomcat_instance_name }}" changed_when: False - name: Set systemd conf var - lineinfile: + ansible.builtin.lineinfile: dest: "{{ tomcat_instance_root }}/{{ tomcat_instance_name }}/.profile" state: present owner: "{{ tomcat_instance_name }}" diff --git a/tomcat-instance/tasks/user.yml b/tomcat-instance/tasks/user.yml index d4fc8521..e24870e6 100644 --- a/tomcat-instance/tasks/user.yml +++ b/tomcat-instance/tasks/user.yml 
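Review bot: tomcat-instance/tasks/main.yml now spells out `ansible.builtin.include`, but `include` is deprecated in ansible-core and slated for removal, so this FQCN pass cements a module that will eventually break the role. For a flat list of task files with no loops or per-include conditionals, `ansible.builtin.import_tasks: check.yml` (and so on for the other four lines) is the static drop-in; `ansible.builtin.include_tasks` is the dynamic alternative where a `when:` or `loop:` must apply to the include itself. The same substitution applies to the `include:` lines in the redmine, squid, ssl and tomcat main.yml files touched by this patch.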
@@ -1,31 +1,33 @@ --- -- fail: +- ansible.builtin.fail: msg: "You must provide a value for the 'tomcat_instance_port' variable." when: tomcat_instance_port is not defined or tomcat_instance_port | length == 0 - name: "Test if uid '{{ tomcat_instance_port }}' exists" - command: 'id -un -- "{{ tomcat_instance_port }}"' + ansible.builtin.command: + cmd: 'id -un -- "{{ tomcat_instance_port }}"' register: get_login_from_id failed_when: False changed_when: False check_mode: no - name: "Fail if uid already exists for another user" - fail: + ansible.builtin.fail: msg: "Uid '{{ tomcat_instance_port }}' is already used by '{{ get_login_from_id.stdout }}'. You must change uid for '{{ tomcat_instance_name }}'" when: - get_login_from_id.rc == 0 - get_login_from_id.stdout != tomcat_instance_name - name: Create group instance - group: + + ansible.builtin.group: name: "{{ tomcat_instance_name }}" gid: "{{ tomcat_instance_port }}" - name: Create user instance - user: + ansible.builtin.user: name: "{{ tomcat_instance_name }}" group: "{{ tomcat_instance_name }}" uid: "{{ tomcat_instance_port }}" @@ -34,7 +36,7 @@ createhome: no - name: Create home dir - file: + ansible.builtin.file: path: "{{ tomcat_instance_root }}/{{ tomcat_instance_name }}" state: directory owner: "{{ tomcat_instance_name }}" @@ -42,12 +44,12 @@ mode: "u=rwx,g=rwxs,o=" - name: Is /etc/aliases present? - stat: + ansible.builtin.stat: path: /etc/aliases register: etc_aliases - name: Set mail alias for user - lineinfile: + ansible.builtin.lineinfile: dest: '/etc/aliases' state: present line: "{{ tomcat_instance_name }}: {{ tomcat_instance_mail }}" @@ -56,11 +58,12 @@ register: tomcat_instance_mail_alias - name: Run newaliases - command: newaliases + ansible.builtin.command: + cmd: newaliases when: tomcat_instance_mail_alias is changed - name: Enable sudo right - lineinfile: + ansible.builtin.lineinfile: dest: '/etc/sudoers.d/tomcat' state: present mode: "0440" 
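Review bot: The `Create group instance` task gains a stray blank line between `- name: Create group instance` and the new `ansible.builtin.group:` key (the lone `+` line in this hunk); it parses, but it splits a single task mapping and no other task in the file is written that way. Drop the empty `+` line; webapps/evoadmin-web/tasks/user.yml (`Create www-evoadmin group`) has the same stray line.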
@@ -69,7 +72,7 @@ validate: 'visudo -cf %s' - name: Enable sudo right for deploy user - lineinfile: + ansible.builtin.lineinfile: dest: '/etc/sudoers.d/tomcat' state: present mode: "0440" diff --git a/tomcat/tasks/main.yml b/tomcat/tasks/main.yml index 545c0813..2cc62d0a 100644 --- a/tomcat/tasks/main.yml +++ b/tomcat/tasks/main.yml @@ -1,4 +1,4 @@ --- -- include: packages.yml +- ansible.builtin.include: packages.yml -- include: nagios.yml +- ansible.builtin.include: nagios.yml diff --git a/tomcat/tasks/nagios.yml b/tomcat/tasks/nagios.yml index 1eb297cf..d51b4375 100644 --- a/tomcat/tasks/nagios.yml +++ b/tomcat/tasks/nagios.yml @@ -1,19 +1,19 @@ --- - name: Intall monitorings plugins - apt: + ansible.builtin.apt: name: monitoring-plugins state: present -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr - name: Create Nagios plugins dir - file: + ansible.builtin.file: path: /usr/local/lib/nagios/plugins state: directory - name: Copy Tomcat instance check - template: + ansible.builtin.template: src: check_tomcat_instance.sh.j2 dest: /usr/local/lib/nagios/plugins/check_tomcat_instance.sh mode: "0755" diff --git a/tomcat/tasks/packages.yml b/tomcat/tasks/packages.yml index f1b968cc..a4b25661 100644 --- a/tomcat/tasks/packages.yml +++ b/tomcat/tasks/packages.yml 
@@ -1,35 +1,35 @@ --- - name: Set Tomcat version to 7 on Debian 8 if missing - set_fact: + ansible.builtin.set_fact: tomcat_version: 7 when: - ansible_distribution_release == "jessie" - tomcat_version is not defined - name: Set Tomcat version to 8 on Debian 9 if missing - set_fact: + ansible.builtin.set_fact: tomcat_version: 8 when: - ansible_distribution_release == "stretch" - tomcat_version is not defined - name: Set Tomcat version to 9 on Debian 10 if missing - set_fact: + ansible.builtin.set_fact: tomcat_version: 9 when: - ansible_distribution_release == "buster" - tomcat_version is not defined - name: Set Tomcat version to 9 on Debian 11 if missing - set_fact: + ansible.builtin.set_fact: tomcat_version: 9 when: - ansible_distribution_release == "bullseye" - tomcat_version is not defined - name: Install packages - apt: + ansible.builtin.apt: name: - "tomcat{{ tomcat_version }}" - "tomcat{{ tomcat_version }}-user" @@ -37,7 +37,7 @@ state: present - name: Create tomcat root dir - file: + ansible.builtin.file: path: "{{ tomcat_instance_root }}" state: directory owner: "{{ tomcat_root_dir_owner | default('root') }}" @@ -45,13 +45,13 @@ mode: "0755" - name: Copy systemd unit - template: + ansible.builtin.template: src: 'tomcat.service.j2' dest: "/etc/systemd/user/tomcat.service" mode: "0755" - name: Disable default tomcat service - service: + ansible.builtin.service: name: "tomcat{{ tomcat_version }}" state: stopped enabled: false diff --git a/unbound/handlers/main.yml b/unbound/handlers/main.yml index 05a3ff40..7c801751 100644 --- a/unbound/handlers/main.yml +++ b/unbound/handlers/main.yml @@ -1,5 +1,5 @@ --- - name: reload unbound - service: + ansible.builtin.service: name: unbound state: reloaded diff --git a/unbound/tasks/main.yml b/unbound/tasks/main.yml index ea7e9060..6e76eb3b 100644 --- a/unbound/tasks/main.yml +++ b/unbound/tasks/main.yml 
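Review bot: The `Copy systemd unit` task in the `@@ -45,13 +45,13 @@` hunk of tomcat/tasks/packages.yml still writes `/etc/systemd/user/tomcat.service` with `mode: "0755"`; a unit file needs no execute bits and systemd logs a "is marked executable" warning for such files. Use `mode: "0644"`; the template module key is the only part of the task the commit touches, so this is a one-line add-on.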
@@ -1,6 +1,6 @@ --- - name: Install Unbound package - apt: + ansible.builtin.apt: name: unbound state: present when: ansible_distribution == "Debian" @@ -8,7 +8,7 @@ - unbound - name: Retrieve list of root DNS servers - get_url: + ansible.builtin.get_url: url: https://www.internic.net/domain/named.cache dest: /etc/unbound/root.hints force: yes @@ -18,7 +18,7 @@ - unbound - name: Copy Unbound config - template: + ansible.builtin.template: src: unbound.conf.j2 dest: /etc/unbound/unbound.conf owner: root @@ -30,7 +30,7 @@ - unbound - name: Starting and enabling Unbound - service: + ansible.builtin.service: name: unbound enabled: yes state: started diff --git a/userlogrotate/tasks/main.yml b/userlogrotate/tasks/main.yml index 2642186c..4f9c5fc7 100644 --- a/userlogrotate/tasks/main.yml +++ b/userlogrotate/tasks/main.yml @@ -15,7 +15,7 @@ when: find_logrotate.files | length>0 - name: "Install userlogrotate (jessie)" - copy: + ansible.builtin.copy: src: userlogrotate_jessie dest: /etc/cron.weekly/userlogrotate mode: "0755" @@ -24,7 +24,7 @@ - find_logrotate.files | length==0 - name: "Install userlogrotate (Debian 9 or later)" - copy: + ansible.builtin.copy: src: userlogrotate dest: /etc/cron.weekly/userlogrotate mode: "0755" diff --git a/varnish/handlers/main.yml b/varnish/handlers/main.yml index 6e47bc10..96b9fb5a 100644 --- a/varnish/handlers/main.yml +++ b/varnish/handlers/main.yml @@ -1,21 +1,21 @@ --- - name: reload varnish - systemd: + ansible.builtin.systemd: name: varnish state: reloaded daemon_reload: yes - name: restart varnish - systemd: + ansible.builtin.systemd: name: varnish state: restarted daemon_reload: yes - name: reload systemd - systemd: + ansible.builtin.systemd: daemon-reload: yes - name: restart munin-node - service: + ansible.builtin.service: name: munin-node state: restarted diff --git a/varnish/tasks/main.yml b/varnish/tasks/main.yml index cca302bb..b06ab5a2 100644 --- a/varnish/tasks/main.yml +++ b/varnish/tasks/main.yml 
@@ -1,13 +1,13 @@ --- - name: Install Varnish - apt: + ansible.builtin.apt: name: varnish state: present tags: - varnish - name: Fetch packages - package_facts: + ansible.builtin.package_facts: manager: auto check_mode: no tags: @@ -15,7 +15,7 @@ - config - update-config -- set_fact: +- ansible.builtin.set_fact: varnish_package_facts: "{{ ansible_facts.packages['varnish'] | first }}" check_mode: no tags: @@ -32,7 +32,7 @@ # - update-config - name: Remove default varnish configuration files - file: + ansible.builtin.file: path: "{{ item }}" state: absent loop: @@ -45,7 +45,7 @@ - config - name: Copy Custom Varnish ExecReload script (Debian < 10) - template: + ansible.builtin.template: src: "reload-vcl.sh.j2" dest: "/etc/varnish/reload-vcl.sh" mode: "0700" @@ -57,7 +57,7 @@ - varnish - name: Create a system config directory for systemd overrides - file: + ansible.builtin.file: path: /etc/systemd/system/varnish.service.d state: directory tags: @@ -65,7 +65,7 @@ - config - name: Remove legacy systemd override - file: + ansible.builtin.file: path: /etc/systemd/system/varnish.service.d/evolinux.conf state: absent notify: @@ -75,7 +75,7 @@ - config - name: Varnish systemd override template (Varnish 4 and 5) - set_fact: + ansible.builtin.set_fact: varnish_systemd_override_template: override.conf.varnish4.j2 when: - varnish_package_facts['version'] is version('4', '>=') @@ -86,7 +86,7 @@ - update-config - name: Varnish systemd override template (Varnish 6) - set_fact: + ansible.builtin.set_fact: varnish_systemd_override_template: override.conf.varnish6.j2 when: - varnish_package_facts['version'] is version('6', '>=') @@ -97,7 +97,7 @@ - update-config - name: Varnish systemd override template (Varnish 7 and later) - set_fact: + ansible.builtin.set_fact: varnish_systemd_override_template: override.conf.varnish7.j2 when: - varnish_package_facts['version'] is version('7', '>=') 
@@ -107,7 +107,7 @@ - update-config - name: Override Varnish systemd unit - template: + ansible.builtin.template: src: "{{ varnish_systemd_override_template }}" dest: /etc/systemd/system/varnish.service.d/override.conf force: yes @@ -120,7 +120,7 @@ - update-config - name: Patch logrotate conf - replace: + ansible.builtin.replace: name: /etc/logrotate.d/varnish regexp: '^(\s+)(/usr/sbin/invoke-rc.d {{ item }}.*)' replace: '\1systemctl -q is-active {{ item }} && \2' @@ -132,7 +132,7 @@ - logrotate - name: Copy Varnish configuration - template: + ansible.builtin.template: src: "{{ item }}" dest: "{{ varnish_config_file }}" mode: "0644" @@ -156,7 +156,7 @@ - update-config - name: Create Varnish config dir - file: + ansible.builtin.file: path: /etc/varnish/conf.d state: directory mode: "0755" @@ -166,7 +166,7 @@ - update-config - name: Copy included Varnish config - template: + ansible.builtin.template: src: "{{ item }}" dest: /etc/varnish/conf.d/ force: yes @@ -183,11 +183,11 @@ # We usually use /vat/tmp-cache then validate the syntax with this command: # sudo -u vcache TMPDIR=/var/tmp-vcache varnishd -Cf /etc/varnish/default.vcl > /dev/null - name: Special tmp directory - file: + ansible.builtin.file: path: "{{ varnish_tmp_dir }}" state: directory owner: vcache group: varnish mode: "0750" -- include: munin.yml +- ansible.builtin.include: munin.yml diff --git a/varnish/tasks/munin.yml b/varnish/tasks/munin.yml index 77637a98..3b329d46 100644 --- a/varnish/tasks/munin.yml +++ b/varnish/tasks/munin.yml 
@@ -1,29 +1,29 @@ --- - name: Install dependencies - apt: + ansible.builtin.apt: name: libxml-parser-perl tags: varnish -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr tags: varnish - name: Create plugin directory - file: + ansible.builtin.file: name: /usr/local/share/munin/ state: directory mode: "0755" tags: varnish - name: Create plugin directory - file: + ansible.builtin.file: name: /usr/local/share/munin/plugins/ state: directory mode: "0755" tags: varnish - name: Copy varnish5 munin plugin - copy: + ansible.builtin.copy: src: munin/varnish5_ dest: /usr/local/share/munin/plugins/ mode: "0755" @@ -31,7 +31,7 @@ tags: varnish - name: Enable varnish5 munin plugin - file: + ansible.builtin.file: src: /usr/local/share/munin/plugins/varnish5_ dest: "/etc/munin/plugins/varnish5_{{ item }}" state: link @@ -51,7 +51,7 @@ tags: varnish - name: Copy varnish5 munin plugin config - copy: + ansible.builtin.copy: src: munin/varnish5.conf dest: /etc/munin/plugin-conf.d/varnish5 mode: "0644" diff --git a/vrrpd/tasks/ip.yml b/vrrpd/tasks/ip.yml index e58595a2..87a05092 100644 --- a/vrrpd/tasks/ip.yml +++ b/vrrpd/tasks/ip.yml @@ -1,18 +1,18 @@ --- - name: set unit name - set_fact: + ansible.builtin.set_fact: vrrp_systemd_unit_name: "vrrp-{{ vrrp_address.id }}.service" - name: add systemd unit - template: + ansible.builtin.template: src: vrrp.service.j2 dest: "/etc/systemd/system/{{ vrrp_systemd_unit_name }}" force: yes register: vrrp_systemd_unit - name: enable and start systemd unit - systemd: + ansible.builtin.systemd: name: "{{ vrrp_systemd_unit_name }}" daemon_reload: yes enabled: yes diff --git a/vrrpd/tasks/main.yml b/vrrpd/tasks/main.yml index 44ebe65a..605fb0fd 100644 --- a/vrrpd/tasks/main.yml +++ b/vrrpd/tasks/main.yml 
@@ -1,13 +1,13 @@ --- - name: Install Evolix public repositry - include_role: + ansible.builtin.include_role: name: evolix/apt tasks_from: evolix_public.yml tags: - vrrpd - name: Install vrrpd packages - apt: + ansible.builtin.apt: name: vrrpd=1.0-2.evolix allow_unauthenticated: yes state: present @@ -15,7 +15,7 @@ - vrrpd - name: Adjust sysctl config (except rp_filter) - sysctl: + ansible.posix.sysctl: name: "{{ item.name }}" value: "{{ item.value }}" sysctl_file: /etc/sysctl.d/vrrpd.conf @@ -29,14 +29,15 @@ - vrrpd - name: look if rp_filter is managed by minifirewall - command: grep "SYSCTL_RP_FILTER=" /etc/default/minifirewall + ansible.builtin.command: + cmd: grep "SYSCTL_RP_FILTER=" /etc/default/minifirewall failed_when: False changed_when: False check_mode: no register: grep_sysctl_rp_filter_minifirewall - name: Configure SYSCTL_RP_FILTER in minifirewall - lineinfile: + ansible.builtin.lineinfile: dest: "/etc/default/minifirewall" line: "SYSCTL_RP_FILTER='0'" regexp: "SYSCTL_RP_FILTER=('|\").*('|\")" @@ -44,7 +45,7 @@ when: grep_sysctl_rp_filter_minifirewall.rc == 0 - name: Adjust sysctl config (only rp_filter) - sysctl: + ansible.posix.sysctl: name: "{{ item.name }}" value: "{{ item.value }}" sysctl_file: /etc/sysctl.d/vrrpd.conf @@ -58,7 +59,7 @@ - vrrpd - name: Create VRRP address - include: ip.yml + ansible.builtin.include: ip.yml loop: "{{ vrrp_addresses }}" loop_control: loop_var: "vrrp_address" \ No newline at end of file diff --git a/webapps/evoadmin-mail/handlers/main.yml b/webapps/evoadmin-mail/handlers/main.yml index beb030e2..a8638ea5 100644 --- a/webapps/evoadmin-mail/handlers/main.yml +++ b/webapps/evoadmin-mail/handlers/main.yml @@ -1,15 +1,15 @@ --- - name: reload apache2 - service: + ansible.builtin.service: name: apache2 state: reloaded - name: reload nginx - service: + ansible.builtin.service: name: nginx state: reloaded - name: reload php-fpm - service: + ansible.builtin.service: name: php7.0-fpm state: reloaded 
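Review bot: `allow_unauthenticated: yes` on the `Install vrrpd packages` task in the first vrrpd/tasks/main.yml hunk disables APT's signature check for `vrrpd=1.0-2.evolix`, so the installed package is not tied to any repository key. The preceding task sets up the Evolix public repository via `evolix/apt` (`evolix_public.yml`), which presumably installs its signing key; if so the flag is unnecessary and should be dropped, and if the package really is unsigned that deserves a comment on the task saying why. webapps/evoadmin-web/tasks/packages.yml (`php5-pam`, `allow_unauthenticated: True`) has the same flag.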
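Review bot: The switch from `sysctl` to `ansible.posix.sysctl` in the `@@ -15,7 +15,7 @@` and `@@ -44,7 +45,7 @@` hunks makes this role depend on the `ansible.posix` collection, which unlike `ansible.builtin` is not part of `ansible-core`; the same applies to `ansible.posix.patch` in webapps/evoadmin-web/tasks/ftp.yml and `community.general.ini_file` in webapps/evoadmin-mail/tasks/main.yml, webapps/evoadmin-web/tasks/web.yml and webapps/nextcloud/tasks/apache-system.yml. If the repository does not already declare them, add a `requirements.yml` with a `collections:` list naming `ansible.posix` and `community.general`, so `ansible-galaxy collection install -r requirements.yml` provides what a bare `ansible-core` controller lacks.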
diff --git a/webapps/evoadmin-mail/tasks/apache.yml b/webapps/evoadmin-mail/tasks/apache.yml index f975c5f9..26c2b53b 100644 --- a/webapps/evoadmin-mail/tasks/apache.yml +++ b/webapps/evoadmin-mail/tasks/apache.yml @@ -1,6 +1,6 @@ --- - name: Install evoadminmail VHost - template: + ansible.builtin.template: src: apache_evoadminmail.conf.j2 dest: /etc/apache2/sites-available/evoadminmail.conf notify: reload apache2 @@ -8,7 +8,7 @@ - evoadmin-mail - name: Enable evoadminmail vhost - file: + ansible.builtin.file: src: "/etc/apache2/sites-available/evoadminmail.conf" dest: "/etc/apache2/sites-enabled/evoadminmail.conf" state: link @@ -18,7 +18,7 @@ - evoadmin-mail - name: Disable evoadminmail vhost - file: + ansible.builtin.file: dest: "/etc/apache2/sites-enabled/evoadminmail.conf" state: absent notify: reload apache2 diff --git a/webapps/evoadmin-mail/tasks/main.yml b/webapps/evoadmin-mail/tasks/main.yml index 88f2dbb6..a1018eca 100644 --- a/webapps/evoadmin-mail/tasks/main.yml +++ b/webapps/evoadmin-mail/tasks/main.yml @@ -1,18 +1,18 @@ --- - name: Remount /usr RW - include_role: + ansible.builtin.include_role: name: evolix/remount-usr - name: Install evoadmin-mail package - apt: + ansible.builtin.apt: deb: /tmp/evoadmin-mail.deb state: present tags: - evoadmin-mail - name: Configure contact mail - ini_file: + community.general.ini_file: dest: /etc/evoadmin-mail/config.ini section: global option: mail @@ -20,16 +20,16 @@ tags: - evoadmin-mail -- include: ssl.yml +- ansible.builtin.include: ssl.yml -- include: apache.yml +- ansible.builtin.include: apache.yml when: evoadminmail_webserver == "apache" -- include: nginx.yml +- ansible.builtin.include: nginx.yml when: evoadminmail_webserver == "nginx" - name: enable evoadmin-mail link in default site index - lineinfile: + ansible.builtin.lineinfile: dest: /var/www/index.html state: present regexp: "EvoAdmin-mail" 
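Review bot: `Install evoadmin-mail package` in the webapps/evoadmin-mail/tasks/main.yml hunk installs `/tmp/evoadmin-mail.deb`, a file in a world-writable directory whose provenance is not visible in this diff; anything that can write to /tmp on the target before this task runs can swap the package that `apt` then installs. Stage the .deb in a root-owned directory (e.g. `/root/<staging-dir>/evoadmin-mail.deb`) and, if it is fetched with `get_url`, pin it with `checksum: "sha256:<expected-hash>"`, or verify it with `ansible.builtin.stat` (`checksum_algorithm: sha256`) against a known digest before the `apt` step.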
diff --git a/webapps/evoadmin-mail/tasks/nginx.yml b/webapps/evoadmin-mail/tasks/nginx.yml index 2cb490e8..9b527009 100644 --- a/webapps/evoadmin-mail/tasks/nginx.yml +++ b/webapps/evoadmin-mail/tasks/nginx.yml @@ -1,6 +1,6 @@ --- - name: Copy php-fpm evoadmin-mail pool - copy: + ansible.builtin.copy: src: pool.evoadmin-mail.conf dest: /etc/php/7.0/fpm/pool.d/evoadmin-mail.conf notify: reload php-fpm @@ -8,7 +8,7 @@ - evoadmin-mail - name: Install evoadminmail VHost - template: + ansible.builtin.template: src: nginx_evoadminmail.conf.j2 dest: /etc/nginx/sites-available/evoadminmail.conf notify: reload nginx @@ -16,7 +16,7 @@ - evoadmin-mail - name: Active evoadminmail VHost - file: + ansible.builtin.file: src: "/etc/nginx/sites-available/evoadminmail.conf" dest: "/etc/nginx/sites-enabled/evoadminmail.conf" state: link @@ -26,7 +26,7 @@ - evoadmin-mail - name: Disable evoadminmail vhost - file: + ansible.builtin.file: dest: "/etc/nginx/sites-enabled/evoadminmail.conf" state: absent notify: reload nginx diff --git a/webapps/evoadmin-mail/tasks/ssl.yml b/webapps/evoadmin-mail/tasks/ssl.yml index b6f47127..9d9c9896 100644 --- a/webapps/evoadmin-mail/tasks/ssl.yml +++ b/webapps/evoadmin-mail/tasks/ssl.yml 
@@ -1,20 +1,21 @@ --- - name: ssl-cert package is installed - apt: + ansible.builtin.apt: name: ssl-cert state: present tags: - evoadmin-mail - name: Create private key and csr for default site ({{ ansible_fqdn }}) - command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ evoadminmail_host }}.key -out /etc/ssl/{{ evoadminmail_host }}.csr -batch -subj "/CN={{ evoadminmail_host }}" + ansible.builtin.command: + cmd: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ evoadminmail_host }}.key -out /etc/ssl/{{ evoadminmail_host }}.csr -batch -subj "/CN={{ evoadminmail_host }}" args: creates: "/etc/ssl/private/{{ evoadminmail_host }}.key" tags: - evoadmin-mail - name: Adjust rights on private key - file: + ansible.builtin.file: dest: /etc/ssl/private/{{ evoadminmail_host }}.key owner: root group: ssl-cert @@ -23,7 +24,8 @@ - evoadmin-mail - name: Create certificate for default site - command: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ evoadminmail_host }}.csr -signkey /etc/ssl/private/{{ evoadminmail_host }}.key -out /etc/ssl/certs/{{ evoadminmail_host }}.crt + ansible.builtin.command: + cmd: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ evoadminmail_host }}.csr -signkey /etc/ssl/private/{{ evoadminmail_host }}.key -out /etc/ssl/certs/{{ evoadminmail_host }}.crt args: creates: "/etc/ssl/certs/{{ evoadminmail_host }}.crt" tags: diff --git a/webapps/evoadmin-web/handlers/main.yml b/webapps/evoadmin-web/handlers/main.yml index 669b0553..2c49ce24 100644 --- a/webapps/evoadmin-web/handlers/main.yml +++ b/webapps/evoadmin-web/handlers/main.yml @@ -1,14 +1,15 @@ --- - name: reload apache2 - service: + ansible.builtin.service: name: apache2 state: reloaded - name: restart apache2 - service: + ansible.builtin.service: name: apache2 state: restarted - name: newaliases - command: newaliases + ansible.builtin.command: + cmd: newaliases 
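Review bot: The two `openssl` tasks in the webapps/evoadmin-mail/tasks/ssl.yml hunks keep the whole command as one long `cmd:` string, which `ansible.builtin.command` re-splits with shlex; that is why `-subj "/CN={{ evoadminmail_host }}"` needs its inner quotes, and any whitespace in `evoadminmail_host` would silently become extra arguments. Since the commit already rewrites these lines into the structured form, an `argv:` list with one item per flag and value (`- openssl`, `- req`, `- -newkey`, `- rsa:2048`, …, `- "/CN={{ evoadminmail_host }}"`) would remove both the quoting and the splitting concern. webapps/evoadmin-web/tasks/ssl.yml has the same two commands built around `evoadmin_host`.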
diff --git a/webapps/evoadmin-web/tasks/config.yml b/webapps/evoadmin-web/tasks/config.yml index 1053360c..8c3dc801 100644 --- a/webapps/evoadmin-web/tasks/config.yml +++ b/webapps/evoadmin-web/tasks/config.yml @@ -1,13 +1,13 @@ --- - name: "Create /etc/evolinux" - file: + ansible.builtin.file: dest: "/etc/evolinux" recurse: True state: directory - name: Configure web-add config file - template: + ansible.builtin.template: src: "{{ item }}" dest: /etc/evolinux/web-add.conf force: "{{ evoadmin_add_conf_force }}" @@ -21,7 +21,7 @@ register: evoadmin_add_conf_template - name: Configure web-add template file for mail - template: + ansible.builtin.template: src: "{{ item }}" dest: "{{ evoadmin_scripts_dir }}/web-mail.tpl" force: "{{ evoadmin_mail_tpl_force }}" diff --git a/webapps/evoadmin-web/tasks/ftp.yml b/webapps/evoadmin-web/tasks/ftp.yml index 98f275ff..8c400e68 100644 --- a/webapps/evoadmin-web/tasks/ftp.yml +++ b/webapps/evoadmin-web/tasks/ftp.yml @@ -1,12 +1,12 @@ --- - name: patch must be installed - apt: + ansible.builtin.apt: name: patch state: present - name: Patch ProFTPd config file - patch: + ansible.posix.patch: remote_src: False src: ftp/evolinux.conf.diff dest: /etc/proftpd/conf.d/z-evolinux.conf diff --git a/webapps/evoadmin-web/tasks/main.yml b/webapps/evoadmin-web/tasks/main.yml index 1acb2aa5..19253bf5 100644 --- a/webapps/evoadmin-web/tasks/main.yml +++ b/webapps/evoadmin-web/tasks/main.yml 
@@ -1,24 +1,24 @@ --- - name: "Ensure that evoadmin_contact_email is defined" - fail: + ansible.builtin.fail: msg: Please configure var evoadmin_contact_email when: evoadmin_contact_email is none or evoadmin_contact_email | length == 0 -- include: packages.yml +- ansible.builtin.include: packages.yml -- include: user.yml +- ansible.builtin.include: user.yml -- include: config.yml +- ansible.builtin.include: config.yml -- include: ssl.yml +- ansible.builtin.include: ssl.yml -- include: web.yml +- ansible.builtin.include: web.yml -- include: ftp.yml +- ansible.builtin.include: ftp.yml - name: enable evoadmin-web link in default site index - blockinfile: + ansible.builtin.blockinfile: dest: /var/www/index.html marker: "" block: | diff --git a/webapps/evoadmin-web/tasks/packages.yml b/webapps/evoadmin-web/tasks/packages.yml index 1d0af87a..d44ca731 100644 --- a/webapps/evoadmin-web/tasks/packages.yml +++ b/webapps/evoadmin-web/tasks/packages.yml @@ -1,16 +1,16 @@ --- -- include_role: +- ansible.builtin.include_role: name: evolix/apt tasks_from: evolix_public.yml # /!\ Warning, this is a temporary hack -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr # /!\ Warning, this is a temporary hack - name: Install PHP packages from sid (Debian 10) - apt: + ansible.builtin.apt: deb: '{{ item }}' state: present loop: @@ -18,7 +18,7 @@ when: ansible_distribution_major_version is version('10', '=') - name: Install PHP packages from sid (Debian 12) - apt: + ansible.builtin.apt: deb: '{{ item }}' state: present loop: @@ -26,14 +26,14 @@ when: ansible_distribution_major_version is version('12', '=') - name: Install PHP packages - apt: + ansible.builtin.apt: name: - php-pear - php-log state: present - name: Install PHP5 packages (jessie) - apt: + ansible.builtin.apt: name: php5-pam state: present allow_unauthenticated: True diff --git a/webapps/evoadmin-web/tasks/ssl.yml b/webapps/evoadmin-web/tasks/ssl.yml index 6bdf1421..04fed56c 100644 
--- a/webapps/evoadmin-web/tasks/ssl.yml +++ b/webapps/evoadmin-web/tasks/ssl.yml @@ -2,23 +2,25 @@ - name: ssl-cert package is installed - apt: + ansible.builtin.apt: name: ssl-cert state: present - name: Create private key and csr for default site ({{ ansible_fqdn }}) - command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ evoadmin_host }}.key -out /etc/ssl/{{ evoadmin_host }}.csr -batch -subj "/CN={{ evoadmin_host }}" + ansible.builtin.command: + cmd: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ evoadmin_host }}.key -out /etc/ssl/{{ evoadmin_host }}.csr -batch -subj "/CN={{ evoadmin_host }}" args: creates: "/etc/ssl/private/{{ evoadmin_host }}.key" - name: Adjust rights on private key - file: + ansible.builtin.file: path: /etc/ssl/private/{{ evoadmin_host }}.key owner: root group: ssl-cert mode: "0640" - name: Create certificate for default site - command: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ evoadmin_host }}.csr -signkey /etc/ssl/private/{{ evoadmin_host }}.key -out /etc/ssl/certs/{{ evoadmin_host }}.crt + ansible.builtin.command: + cmd: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ evoadmin_host }}.csr -signkey /etc/ssl/private/{{ evoadmin_host }}.key -out /etc/ssl/certs/{{ evoadmin_host }}.crt args: creates: "/etc/ssl/certs/{{ evoadmin_host }}.crt" diff --git a/webapps/evoadmin-web/tasks/user.yml b/webapps/evoadmin-web/tasks/user.yml index 0d453e9a..96c29803 100644 --- a/webapps/evoadmin-web/tasks/user.yml +++ b/webapps/evoadmin-web/tasks/user.yml @@ -1,7 +1,7 @@ --- - name: Create evoadmin account - user: + ansible.builtin.user: name: evoadmin comment: "Evoadmin Web Account" home: "{{ evoadmin_home_dir }}" 
@@ -9,30 +9,31 @@ system: yes - name: Create www-evoadmin group - group: + + ansible.builtin.group: name: www-evoadmin state: present - name: "Create www-evoadmin and add to group shadow (jessie)" - user: + ansible.builtin.user: name: www-evoadmin groups: shadow append: True when: ansible_distribution_release == "jessie" - name: "Create www-evoadmin (Debian 9 or later)" - user: + ansible.builtin.user: name: www-evoadmin system: yes when: ansible_distribution_major_version is version('9', '>=') - name: Is /etc/aliases present? - stat: + ansible.builtin.stat: path: /etc/aliases register: etc_aliases - name: Set evoadmin aliases - lineinfile: + ansible.builtin.lineinfile: dest: /etc/aliases line: "{{ item.line }}" regexp: "{{ item.regexp }}" @@ -44,12 +45,12 @@ when: etc_aliases.stat.exists - name: Git is needed to clone the evoadmin repository - apt: + ansible.builtin.apt: name: git state: present - name: "Clone evoadmin repository (jessie)" - git: + ansible.builtin.git: repo: https://forge.evolix.org/evoadmin-web.git dest: "{{ evoadmin_document_root }}" version: jessie @@ -57,7 +58,7 @@ when: ansible_distribution_release == "jessie" - name: "Clone evoadmin repository (Debian 9 or later)" - git: + ansible.builtin.git: repo: https://forge.evolix.org/evoadmin-web.git dest: "{{ evoadmin_document_root }}" version: master 
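Review bot: The `Clone evoadmin repository (Debian 9 or later)` task in the `@@ -57,7 +58,7 @@` hunk tracks `version: master`, so every run pulls whatever that branch currently points at into `{{ evoadmin_document_root }}`, from which the role later copies scripts into `evoadmin_scripts_dir` and next to which it installs a sudoers file; a pushed or hijacked commit therefore lands on every managed host on the next run. Pin `version:` to a release tag or a full commit id (`version: "<release-tag-or-commit>"`) and bump it deliberately. The jessie task is pinned to a branch as well, but it targets an end-of-life release.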
@@ -65,44 +66,46 @@ when: ansible_distribution_major_version is version('9', '>=') - name: Change ownership on git repository - file: + ansible.builtin.file: dest: "{{ evoadmin_document_root }}" owner: "{{ evoadmin_username }}" group: "{{ evoadmin_username }}" recurse: True - name: Create evoadmin log directory - file: + ansible.builtin.file: name: "{{ evoadmin_log_dir }}" owner: "{{ evoadmin_username }}" group: "{{ evoadmin_username }}" state: directory -- include_role: +- ansible.builtin.include_role: name: evolix/remount-usr when: evoadmin_scripts_dir is search("/usr") - name: "Create {{ evoadmin_scripts_dir }}" - file: + ansible.builtin.file: dest: "{{ evoadmin_scripts_dir }}" # recurse: True mode: "0700" state: directory - name: Install scripts like web-add.sh - shell: "cp {{ evoadmin_document_root }}/scripts/* {{ evoadmin_scripts_dir }}/" + ansible.builtin.shell: + cmd: "cp {{ evoadmin_document_root }}/scripts/* {{ evoadmin_scripts_dir }}/" args: creates: "{{ evoadmin_scripts_dir }}/web-add.sh" # we use a shell command to have a "changed" that really reflects the result. - name: Fix permissions - command: "chmod -R --verbose u=rwX,g=rX,o= {{ evoadmin_document_root }}" + ansible.builtin.command: + cmd: "chmod -R --verbose u=rwX,g=rX,o= {{ evoadmin_document_root }}" register: command_result changed_when: "'changed' in command_result.stdout" # failed_when: False - name: Add evoadmin sudoers file - template: + ansible.builtin.template: src: "{{ item }}" dest: /etc/sudoers.d/evoadmin mode: "0600" diff --git a/webapps/evoadmin-web/tasks/web.yml b/webapps/evoadmin-web/tasks/web.yml index ea4019a3..fc266462 100644 --- a/webapps/evoadmin-web/tasks/web.yml +++ b/webapps/evoadmin-web/tasks/web.yml @@ -1,7 +1,7 @@ --- - name: "Set custom values for PHP config (jessie)" - ini_file: + community.general.ini_file: dest: /etc/php5/apache2/conf.d/zzz-evolinux-custom.ini section: PHP option: "disable_functions" 
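Review bot: `Install scripts like web-add.sh` now reads `ansible.builtin.shell: cmd: "cp {{ evoadmin_document_root }}/scripts/* {{ evoadmin_scripts_dir }}/"`, where both paths are interpolated unquoted into a shell line; `shell` is presumably kept for the `*` glob, but the variables should still go through the `quote` filter so a path containing whitespace or shell metacharacters cannot alter the command. Write it as `cmd: "cp {{ evoadmin_document_root | quote }}/scripts/* {{ evoadmin_scripts_dir | quote }}/"`; the glob stays outside the quotes and still expands. The `Fix permissions` task in the same hunk is already an `ansible.builtin.command`, so it needs no change.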
@@ -10,7 +10,7 @@ when: ansible_distribution_release == "jessie" - name: "Set custom values for PHP config (Debian 9)" - ini_file: + community.general.ini_file: dest: /etc/php/7.0/apache2/conf.d/zzz-evolinux-custom.ini section: PHP option: "disable_functions" @@ -19,7 +19,7 @@ when: ansible_distribution_release == "stretch" - name: "Set custom values for PHP config (Debian 10)" - ini_file: + community.general.ini_file: dest: /etc/php/7.3/apache2/conf.d/zzz-evolinux-custom.ini section: PHP option: "disable_functions" @@ -28,7 +28,7 @@ when: ansible_distribution_release == "buster" - name: "Set custom values for PHP config (Debian 11)" - ini_file: + community.general.ini_file: dest: /etc/php/7.4/apache2/conf.d/zzz-evolinux-custom.ini section: PHP option: "disable_functions" @@ -37,7 +37,7 @@ when: ansible_distribution_release == "bullseye" - name: "Set custom values for PHP config (Debian 11)" - ini_file: + community.general.ini_file: dest: /etc/php/8.1/apache2/conf.d/zzz-evolinux-custom.ini section: PHP option: "disable_functions" @@ -46,7 +46,7 @@ when: ansible_distribution_release == "bookworm" - name: Install evoadmin VHost - template: + ansible.builtin.template: src: "{{ item }}" dest: /etc/apache2/sites-available/evoadmin.conf force: "{{ evoadmin_force_vhost }}" 
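Review bot: The task touched by the `@@ -37,7 +37,7 @@` hunk is still titled `Set custom values for PHP config (Debian 11)` although it writes `/etc/php/8.1/...` and the next hunk shows its `when:` is `ansible_distribution_release == "bookworm"`, so two tasks in the file now share the "(Debian 11)" name and the Debian 12 one is mislabelled. Rename it `- name: "Set custom values for PHP config (Debian 12)"`. Debian 12 packages PHP 8.2, so the `8.1` path component is also worth re-checking against a bookworm host.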
@@ -61,21 +61,23 @@ notify: reload apache2 - name: Enable evoadmin vhost - command: "a2ensite evoadmin.conf" + ansible.builtin.command: + cmd: "a2ensite evoadmin.conf" register: cmd_a2ensite changed_when: "'Enabling site' in cmd_a2ensite.stdout" notify: reload apache2 when: evoadmin_enable_vhost | bool - name: Disable evoadmin vhost - command: "a2dissite evoadmin.conf" + ansible.builtin.command: + cmd: "a2dissite evoadmin.conf" register: cmd_a2dissite changed_when: "'Disabling site' in cmd_a2dissite.stdout" notify: reload apache2 when: not (evoadmin_enable_vhost | bool) - name: Copy htpasswd for evoadmin - template: + ansible.builtin.template: src: "{{ item }}" dest: "/var/www/.ansible_evoadmin_htpasswd" mode: "0644" @@ -93,7 +95,7 @@ when: evoadmin_htpasswd | bool - name: Copy config file for evoadmin - template: + ansible.builtin.template: src: "{{ item }}" dest: "{{ evoadmin_document_root }}/conf/config.local.php" mode: "0640" diff --git a/webapps/nextcloud/handlers/main.yml b/webapps/nextcloud/handlers/main.yml index 46b3b014..6997c361 100644 --- a/webapps/nextcloud/handlers/main.yml +++ b/webapps/nextcloud/handlers/main.yml @@ -1,15 +1,15 @@ --- - name: reload php-fpm - service: + ansible.builtin.service: name: php7.3-fpm state: reloaded - name: reload nginx - service: + ansible.builtin.service: name: nginx state: reloaded - name: reload apache - service: + ansible.builtin.service: name: apache2 state: reloaded \ No newline at end of file diff --git a/webapps/nextcloud/tasks/apache-system.yml b/webapps/nextcloud/tasks/apache-system.yml index 490d2f8d..bbea82a4 100644 --- a/webapps/nextcloud/tasks/apache-system.yml +++ b/webapps/nextcloud/tasks/apache-system.yml 
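Review bot: `Copy htpasswd for evoadmin` in the `@@ -61,21 +61,23 @@` hunk writes `/var/www/.ansible_evoadmin_htpasswd` with `mode: "0644"`, leaving the password hashes readable by every local account although only the web server needs to read the file. Use `mode: "0640"` with `owner: root` and the web server's group (presumably `www-data` on Debian; confirm against the vhost template), and check that `/var/www` itself is not a served DocumentRoot so the file is never exposed over HTTP. The remainder of the task (owner/group/loop) is outside the hunk.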
@@ -1,16 +1,17 @@ --- - name: "Get PHP Version" - shell: 'php -v | grep "PHP [0-9]." | sed -E "s/PHP ([0-9]\.[0-9]).*/\1/g;"' + ansible.builtin.shell: + cmd: 'php -v | grep "PHP [0-9]." | sed -E "s/PHP ([0-9]\.[0-9]).*/\1/g;"' register: shell_php check_mode: no - name: "Set variables" - set_fact: + ansible.builtin.set_fact: php_version: "{{ shell_php.stdout }}" - name: Apply specific PHP settings (apache) - ini_file: + community.general.ini_file: path: "/etc/php/{{ php_version }}/apache2/conf.d/zzz-evolinux-custom.ini" section: '' option: "{{ item.option }}" @@ -23,7 +24,7 @@ - {option: 'memory_limit', value: '512M'} - name: Apply specific PHP settings (cli) - ini_file: + community.general.ini_file: path: "/etc/php/{{ php_version }}/cli/conf.d/zzz-evolinux-custom.ini" section: '' option: "{{ item.option }}" diff --git a/webapps/nextcloud/tasks/apache-vhost.yml b/webapps/nextcloud/tasks/apache-vhost.yml index e3f213ca..36e5b989 100644 --- a/webapps/nextcloud/tasks/apache-vhost.yml +++ b/webapps/nextcloud/tasks/apache-vhost.yml @@ -1,6 +1,6 @@ --- - name: Copy Apache vhost - template: + ansible.builtin.template: src: apache-vhost.conf.j2 dest: "/etc/apache2/sites-available/{{ nextcloud_instance_name }}.conf" mode: "0640" @@ -9,7 +9,7 @@ - nextcloud - name: Enable Apache vhost - file: + ansible.builtin.file: src: "/etc/apache2/sites-available/{{ nextcloud_instance_name }}.conf" dest: "/etc/apache2/sites-enabled/{{ nextcloud_instance_name }}.conf" state: link diff --git a/webapps/nextcloud/tasks/archive.yml b/webapps/nextcloud/tasks/archive.yml index d59bd582..47defe79 100644 --- a/webapps/nextcloud/tasks/archive.yml +++ b/webapps/nextcloud/tasks/archive.yml @@ -1,7 +1,7 @@ --- - name: Retrieve Nextcloud archive - get_url: + ansible.builtin.get_url: url: "{{ nextcloud_releases_baseurl }}{{ nextcloud_archive_name }}" dest: "{{ nextcloud_home }}/{{ nextcloud_archive_name }}" force: no 
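Review bot: `Get PHP Version` in the first hunk of webapps/nextcloud/tasks/apache-system.yml runs a `php | grep | sed` pipeline whose exit status is sed's, so a missing `php` binary or a banner not matching `PHP [0-9].` leaves `shell_php.stdout` empty without failing, and the `ini_file` tasks that follow then write under `/etc/php//apache2/conf.d/…`; the task also reports "changed" on every run. Add `changed_when: false` and `failed_when: shell_php.stdout | length == 0` next to the existing `register: shell_php`.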
@@ -9,7 +9,7 @@ - nextcloud - name: Retrieve Nextcloud sha256 checksum - get_url: + ansible.builtin.get_url: url: "{{ nextcloud_releases_baseurl }}{{ nextcloud_archive_name }}.sha256" dest: "{{ nextcloud_home }}/{{ nextcloud_archive_name }}.sha256" force: no @@ -17,7 +17,8 @@ - nextcloud - name: Verify Nextcloud sha256 checksum - command: "sha256sum -c {{ nextcloud_archive_name }}.sha256" + ansible.builtin.command: + cmd: "sha256sum -c {{ nextcloud_archive_name }}.sha256" changed_when: "False" args: chdir: "{{ nextcloud_home }}" @@ -25,7 +26,7 @@ - nextcloud - name: Extract Nextcloud archive - unarchive: + ansible.builtin.unarchive: src: "{{ nextcloud_home }}/{{ nextcloud_archive_name }}" dest: "{{ nextcloud_home }}" creates: "{{ nextcloud_home }}/nextcloud" diff --git a/webapps/nextcloud/tasks/config.yml b/webapps/nextcloud/tasks/config.yml index 85142726..2cc8cd7e 100644 --- a/webapps/nextcloud/tasks/config.yml +++ b/webapps/nextcloud/tasks/config.yml @@ -2,15 +2,16 @@ - block: - name: Generate admin password - command: 'apg -n 1 -m 16 -M lcN' + ansible.builtin.command: + cmd: 'apg -n 1 -m 16 -M lcN' register: nextcloud_admin_password_apg check_mode: no changed_when: False - - debug: + - ansible.builtin.debug: var: nextcloud_admin_password_apg - - set_fact: + - ansible.builtin.set_fact: nextcloud_admin_password: "{{ nextcloud_admin_password_apg.stdout }}" tags: @@ -18,7 +19,8 @@ when: nextcloud_admin_password | length == 0 - name: Get Nextcloud Status - shell: "php ./occ status --output json | grep -v 'Nextcloud is not installed'" + ansible.builtin.shell: + cmd: "php ./occ status --output json | grep -v 'Nextcloud is not installed'" args: chdir: "{{ nextcloud_webroot }}" become_user: "{{ nextcloud_user }}" 
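Review bot: In the `config.yml` hunk, the freshly generated admin password is printed in clear text by `ansible.builtin.debug: var: nextcloud_admin_password_apg`, unconditionally, so it lands in console output, CI logs and any callback plugin; the `Generate admin password` task and the following `set_fact` also carry no `no_log`. Add `no_log: true` to the `apg` command task and to the `set_fact`, and either drop the debug or gate it with `verbosity: 1` as `mysql-user.yml` does for `nextcloud_db_pass`. Note that `no_log` on the generating task does not redact a registered variable that a later `debug` prints, so the debug itself needs `no_log: true` or removal. The block's `tags`/`when` lie outside this hunk.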
@@ -28,7 +30,8 @@ - nextcloud - name: Install Nextcloud - command: "php ./occ maintenance:install --database mysql --database-name {{ nextcloud_db_name | mandatory }} --database-user {{ nextcloud_db_user | mandatory }} --database-pass {{ nextcloud_db_pass | mandatory }} --admin-user {{ nextcloud_admin_login | mandatory }} --admin-pass {{ nextcloud_admin_password | mandatory }} --data-dir {{ nextcloud_data | mandatory }}" + ansible.builtin.command: + cmd: "php ./occ maintenance:install --database mysql --database-name {{ nextcloud_db_name | mandatory }} --database-user {{ nextcloud_db_user | mandatory }} --database-pass {{ nextcloud_db_pass | mandatory }} --admin-user {{ nextcloud_admin_login | mandatory }} --admin-pass {{ nextcloud_admin_password | mandatory }} --data-dir {{ nextcloud_data | mandatory }}" args: chdir: "{{ nextcloud_webroot }}" creates: "{{ nextcloud_home }}/config/config.php" @@ -38,7 +41,7 @@ - nextcloud - name: Configure Nextcloud Mysql password - replace: + ansible.builtin.replace: dest: "{{ nextcloud_home }}/nextcloud/config/config.php" regexp: "'dbpassword' => '([^']*)'," replace: "'dbpassword' => '{{ nextcloud_db_pass }}'," @@ -46,7 +49,7 @@ - nextcloud - name: Configure Nextcloud cron - cron: + ansible.builtin.cron: name: 'Nextcloud' minute: "*/5" job: "php -f {{ nextcloud_webroot }}/cron.php" @@ -55,7 +58,8 @@ - nextcloud - name: Erase previously trusted domains config - command: "php ./occ config:system:set trusted_domains" + ansible.builtin.command: + cmd: "php ./occ config:system:set trusted_domains" args: chdir: "{{ nextcloud_webroot }}" become_user: "{{ nextcloud_user }}" @@ -63,7 +67,8 @@ - nextcloud - name: Configure trusted domains - command: "php ./occ config:system:set trusted_domains {{ item.0 }} --value {{ item.1 }}" + ansible.builtin.command: + cmd: "php ./occ config:system:set trusted_domains {{ item.0 }} --value {{ item.1 }}" args: chdir: "{{ nextcloud_webroot }}" with_indexed_items: 
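Review bot: `Install Nextcloud` puts `nextcloud_db_pass` and `nextcloud_admin_password` on the `occ maintenance:install` command line, so both secrets are visible in the host's process list while it runs and are echoed in Ansible output (the full `cmd` is printed on failure and with `-v`), and the task has no `no_log`. Add `no_log: true` here and on the `Configure Nextcloud Mysql password` replace task in the next hunk, which interpolates the same password, and consider the `argv:` list form of `ansible.builtin.command` instead of one `cmd` string so that a password containing spaces or quotes is passed as a single argument rather than re-split by the module. Separately, `creates: "{{ nextcloud_home }}/config/config.php"` does not match the `{{ nextcloud_home }}/nextcloud/config/config.php` path that the replace task edits; if `nextcloud_webroot` is `{{ nextcloud_home }}/nextcloud`, this `creates` never fires and only the `when` guard outside this hunk prevents a re-install attempt — worth confirming.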
diff --git a/webapps/nextcloud/tasks/main.yml b/webapps/nextcloud/tasks/main.yml index 2823f8f5..02304334 100644 --- a/webapps/nextcloud/tasks/main.yml +++ b/webapps/nextcloud/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: Install dependencies - apt: + ansible.builtin.apt: state: present name: - bzip2 @@ -23,7 +23,7 @@ # dependency for mysql_user and mysql_db - python2 - name: python modules is installed (Ansible dependency) - apt: + ansible.builtin.apt: name: - python-mysqldb - python-pymysql @@ -34,7 +34,7 @@ # dependency for mysql_user and mysql_db - python3 - name: python3 modules is installed (Ansible dependency) - apt: + ansible.builtin.apt: name: - python3-mysqldb - python3-pymysql @@ -43,14 +43,14 @@ - nextcloud when: ansible_python_version is version('3', '>=') -- include: apache-system.yml +- ansible.builtin.include: apache-system.yml -- include: user.yml +- ansible.builtin.include: user.yml -- include: archive.yml +- ansible.builtin.include: archive.yml -- include: apache-vhost.yml +- ansible.builtin.include: apache-vhost.yml -- include: mysql-user.yml +- ansible.builtin.include: mysql-user.yml -- include: config.yml +- ansible.builtin.include: config.yml diff --git a/webapps/nextcloud/tasks/mysql-user.yml b/webapps/nextcloud/tasks/mysql-user.yml index a12a80f4..82c3acb3 100644 --- a/webapps/nextcloud/tasks/mysql-user.yml +++ b/webapps/nextcloud/tasks/mysql-user.yml @@ -1,6 +1,7 @@ --- - name: Get actual Mysql password - shell: "grep password {{ nextcloud_home }}/.my.cnf | awk '{ print $3 }'" + ansible.builtin.shell: + cmd: "grep password {{ nextcloud_home }}/.my.cnf | awk '{ print $3 }'" register: nextcloud_db_pass_grep check_mode: no changed_when: False @@ -9,7 +10,8 @@ - nextcloud - name: Generate Mysql password - command: 'apg -n 1 -m 16 -M lcN' + ansible.builtin.command: + cmd: 'apg -n 1 -m 16 -M lcN' register: nextcloud_db_pass_apg check_mode: no changed_when: False 
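Review bot: `ansible.builtin.include` is the deprecated generic include (deprecated since 2.4, removed in ansible-core 2.16), so fully qualifying it in the `@@ -43,14 +43,14 @@` hunk of `main.yml` only postpones the breakage; the six lines should become `- ansible.builtin.import_tasks: apache-system.yml` and so on for the other five files. None of these six inclusions use a loop or a condition, so the static `import_tasks` is the closest equivalent and keeps `--list-tasks` output intact; `include_tasks` is the dynamic alternative if that is ever needed.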
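Review bot: In `mysql-user.yml`, `Get actual Mysql password` registers the DB password read out of `.my.cnf` into `nextcloud_db_pass_grep` with no `no_log`, so the secret is shown in task output on every run; `Generate Mysql password` in the next hunk registers the generated one the same way, and the `Set Mysql password` and `debug` tasks in the following hunk of this file carry it further. Add `no_log: true` to both shell/command tasks and to the `set_fact`, and drop or `no_log` the debug (its `verbosity: 1` still prints the password under `-v`). `grep password` also matches any line containing that word (a commented-out entry, for instance) and `awk '{ print $3 }'` assumes `password = value` spacing; `ansible.builtin.slurp` plus a `regex_search` on the decoded content would be stricter and avoids the extra shell.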
@@ -17,17 +19,17 @@ - nextcloud - name: Set Mysql password - set_fact: + ansible.builtin.set_fact: nextcloud_db_pass: "{{ nextcloud_db_pass_grep.stdout | default(nextcloud_db_pass_apg.stdout, True) }}" tags: - nextcloud -- debug: +- ansible.builtin.debug: var: nextcloud_db_pass verbosity: 1 - name: Create Mysql database - mysql_db: + community.mysql.mysql_db: name: "{{ nextcloud_db_name }}" config_file: "/root/.my.cnf" state: present @@ -35,7 +37,7 @@ - nextcloud - name: Create Mysql user - mysql_user: + community.mysql.mysql_user: name: "{{ nextcloud_db_user }}" password: '{{ nextcloud_db_pass }}' priv: "{{ nextcloud_db_name }}.*:ALL" @@ -46,7 +48,7 @@ - nextcloud - name: Store credentials in my.cnf - ini_file: + community.general.ini_file: dest: "{{ nextcloud_home }}/.my.cnf" owner: "{{ nextcloud_user }}" group: "{{ nextcloud_user }}" diff --git a/webapps/nextcloud/tasks/user.yml b/webapps/nextcloud/tasks/user.yml index 8fa3fee1..01cc037c 100644 --- a/webapps/nextcloud/tasks/user.yml +++ b/webapps/nextcloud/tasks/user.yml @@ -1,13 +1,14 @@ --- - name: Create {{ nextcloud_user }} unix group - group: + + ansible.builtin.group: name: "{{ nextcloud_user | mandatory }}" state: present tags: - nextcloud - name: Create {{ nextcloud_user | mandatory }} unix user - user: + ansible.builtin.user: name: "{{ nextcloud_user | mandatory }}" group: "{{ nextcloud_user | mandatory }}" home: "{{ nextcloud_home | mandatory }}" @@ -19,7 +20,7 @@ - nextcloud - name: Create top-level directories - file: + ansible.builtin.file: dest: "{{ item }}" state: directory mode: "0700" diff --git a/webapps/roundcube/handlers/main.yml b/webapps/roundcube/handlers/main.yml index 98b530d9..f16ba8d6 100644 --- a/webapps/roundcube/handlers/main.yml +++ b/webapps/roundcube/handlers/main.yml 
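Review bot: In the `user.yml` hunk, the `Create {{ nextcloud_user }} unix group` task gains an empty `+` line between `- name:` and `ansible.builtin.group:`; it is valid YAML but reads like an editing slip and differs from every other task rewritten in this commit. Remove the blank line so the task stays a compact mapping.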
@@ -1,15 +1,15 @@ --- - name: restart imapproxy - systemd: + ansible.builtin.systemd: name: imapproxy state: restarted - name: reload apache2 - service: + ansible.builtin.service: name: apache2 state: reloaded - name: reload nginx - service: + ansible.builtin.service: name: nginx state: reloaded diff --git a/webapps/roundcube/tasks/main.yml b/webapps/roundcube/tasks/main.yml index 08fe73d1..17422246 100644 --- a/webapps/roundcube/tasks/main.yml +++ b/webapps/roundcube/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: configure roundcube-core - debconf: + ansible.builtin.debconf: name: roundcube-core question: "{{ item.key }}" value: "{{ item.value }}" @@ -12,7 +12,7 @@ - roundcube - name: install Roundcube - apt: + ansible.builtin.apt: name: - imapproxy - roundcube @@ -25,7 +25,7 @@ - roundcube - name: configure imapproxy imap host - lineinfile: + ansible.builtin.lineinfile: dest: /etc/imapproxy.conf regexp: "^server_hostname" line: "server_hostname {{ roundcube_imap_host }}" @@ -34,7 +34,7 @@ - roundcube - name: configure imapproxy imap port - lineinfile: + ansible.builtin.lineinfile: dest: /etc/imapproxy.conf regexp: "^server_port" line: "server_port {{ roundcube_imap_port }}" @@ -43,7 +43,7 @@ - roundcube - name: enable and start imapproxy - service: + ansible.builtin.service: name: imapproxy state: started enabled: True @@ -51,7 +51,7 @@ - roundcube - name: configure roundcube imap host - lineinfile: + ansible.builtin.lineinfile: dest: /etc/roundcube/config.inc.php regexp: "\\$config\\['default_host'\\]" line: "$config['default_host'] = array('127.0.0.1');" @@ -59,7 +59,7 @@ - roundcube - name: configure roudcube imap port - lineinfile: + ansible.builtin.lineinfile: dest: /etc/roundcube/config.inc.php regexp: "\\$config\\['default_port'\\]" insertafter: "\\$config\\['default_host'\\]" 
@@ -68,7 +68,7 @@ - roundcube - name: configure managesieve plugin - copy: + ansible.builtin.copy: src: /usr/share/roundcube/plugins/managesieve/config.inc.php.dist dest: /etc/roundcube/plugins/managesieve/config.inc.php mode: "0644" @@ -77,7 +77,7 @@ - roundcube - name: enable default plugins - replace: + ansible.builtin.replace: dest: /etc/roundcube/config.inc.php regexp: "^\\$config\\['plugins'\\] = array\\($" replace: "$config['plugins'] = array('zipdownload','managesieve'" @@ -85,7 +85,7 @@ - roundcube - name: deploy apache roundcube vhost - template: + ansible.builtin.template: src: apache2.conf.j2 dest: /etc/apache2/sites-available/roundcube.conf mode: "0640" @@ -95,7 +95,7 @@ - roundcube - name: enable apache roundcube vhost - file: + ansible.builtin.file: src: /etc/apache2/sites-available/roundcube.conf dest: /etc/apache2/sites-enabled/roundcube.conf state: link @@ -105,14 +105,14 @@ - roundcube - name: deploy Nginx roundcube vhost - template: + ansible.builtin.template: src: nginx.conf.j2 dest: /etc/nginx/sites-available/roundcube.conf when: roundcube_webserver == "nginx" notify: reload nginx - name: enable Nginx roundcube vhost - file: + ansible.builtin.file: src: "/etc/nginx/sites-available/roundcube.conf" dest: "/etc/nginx/sites-enabled/roundcube.conf" state: link @@ -120,7 +120,7 @@ notify: reload nginx - name: enable roundcube link in default site index - lineinfile: + ansible.builtin.lineinfile: dest: /var/www/index.html state: present regexp: "Webmail" diff --git a/webapps/wordpress/tasks/main.yml b/webapps/wordpress/tasks/main.yml index 32eda170..3ef832a8 100644 --- a/webapps/wordpress/tasks/main.yml +++ b/webapps/wordpress/tasks/main.yml 
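Review bot: `deploy Nginx roundcube vhost` sets no `mode:`, so the file is created with whatever the remote umask yields, while the Apache counterpart in the `@@ -85,7 +85,7 @@` hunk explicitly uses `mode: "0640"`; add `mode: "0640"` under `dest: /etc/nginx/sites-available/roundcube.conf` for consistency and so the vhost is not world-readable by default.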
@@ -1,34 +1,36 @@ --- - name: Create bin dir - file: + ansible.builtin.file: state: directory dest: "{{ ansible_env.HOME }}/bin" mode: "0750" - name: Download wp-cli - get_url: + ansible.builtin.get_url: url: "https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar" dest: "{{ ansible_env.HOME }}/bin/wp-cli.phar" mode: "0750" - name: Download Wordpress - shell: '{{ wordpress_wpcli }} core download --locale=fr_FR --version={{ wordpress_version }}' + ansible.builtin.shell: + cmd: '{{ wordpress_wpcli }} core download --locale=fr_FR --version={{ wordpress_version }}' args: creates: "{{ ansible_env.HOME }}/www/index.php" - name: Retrieve .my.cnf - fetch: + ansible.builtin.fetch: src: "{{ ansible_env.HOME }}/.my.cnf" dest: "/tmp/wordpress-{{ ansible_user }}.cnf" flat: yes - name: Generate random password - command: apg -n1 -m 12 -M LCN + ansible.builtin.command: + cmd: apg -n1 -m 12 -M LCN register: shell_password changed_when: False - name: Read mysql config from .my.cnf - set_fact: + ansible.builtin.set_fact: db_host: "{{ lookup('ini', 'host section=client file=/tmp/wordpress-{{ ansible_user }}.cnf default=127.0.0.1') }}" db_user: "{{ lookup('ini', 'user section=client file=/tmp/wordpress-{{ ansible_user }}.cnf default={{ ansible_user }}') }}" db_pwd: "{{ lookup('ini', 'password section=client file=/tmp/wordpress-{{ ansible_user }}.cnf') }}" 
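Review bot: `Download wp-cli` fetches an executable `.phar` from the moving `gh-pages` branch with no `checksum:`, so whatever is at that URL at run time is executed by every later `{{ wordpress_wpcli }}` task; pin the digest with `ansible.builtin.get_url`'s `checksum:` (wp-cli publishes a `.sha512` next to each phar build) and prefer a versioned release URL over `gh-pages`. `Retrieve .my.cnf` then copies the site's DB credentials to `/tmp/wordpress-{{ ansible_user }}.cnf` on the controller, a predictable name in a shared directory with no `mode`, and `Generate random password` and `Read mysql config from .my.cnf` register and `set_fact` `db_pwd` and `admin_pwd` without `no_log`, so both secrets appear in the play output. An `ansible.builtin.tempfile` created with `delegate_to: localhost`, or an `ansible.builtin.slurp` of `.my.cnf` parsed on the controller, would avoid the on-disk copy, and `no_log: true` belongs on those three tasks.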
@@ -36,50 +38,57 @@ admin_pwd: "{{ shell_password.stdout }}" - name: Remove local .my.cnf - file: + ansible.builtin.file: path: "/tmp/wordpress-{{ ansible_user }}.cnf" state: absent delegate_to: localhost - name: Configure Wordpress (wp-config.php) - shell: '{{ wordpress_wpcli }} core config --dbhost={{ db_host }} --dbuser={{ db_user }} --dbpass={{ db_pwd }} --dbname={{ db_name }}' + ansible.builtin.shell: + cmd: '{{ wordpress_wpcli }} core config --dbhost={{ db_host }} --dbuser={{ db_user }} --dbpass={{ db_pwd }} --dbname={{ db_name }}' args: creates: "{{ ansible_env.HOME }}/www/wp-config.php" - name: Configure site - shell: '{{ wordpress_wpcli }} core install --url={{ wordpress_host | quote }} --title={{ wordpress_title | quote }} --admin_user=admin --admin_password="{{ admin_pwd | quote }}" --admin_email={{ wordpress_email }} --skip-email' + ansible.builtin.shell: + cmd: '{{ wordpress_wpcli }} core install --url={{ wordpress_host | quote }} --title={{ wordpress_title | quote }} --admin_user=admin --admin_password="{{ admin_pwd | quote }}" --admin_email={{ wordpress_email }} --skip-email' changed_when: False - name: Check if Wordpress is up to date - shell: '{{ wordpress_wpcli }} core check-update | grep -q Success' + ansible.builtin.shell: + cmd: '{{ wordpress_wpcli }} core check-update | grep -q Success' register: check_version check_mode: no failed_when: False changed_when: check_version.rc == 1 - name: Update Wordpress - shell: '{{ wordpress_wpcli }} core update --version={{ wordpress_version }}' + ansible.builtin.shell: + cmd: '{{ wordpress_wpcli }} core update --version={{ wordpress_version }}' args: removes: "{{ ansible_env.HOME }}/www/index.php" when: check_version.rc == 1 - name: Install default plugin - shell: '{{ wordpress_wpcli }} plugin is-installed {{ item }} || {{ wordpress_wpcli }} plugin install {{ item }}' + ansible.builtin.shell: + cmd: '{{ wordpress_wpcli }} plugin is-installed {{ item }} || {{ wordpress_wpcli }} plugin install {{ item }}' 
changed_when: False loop: "{{ wordpress_plugins }}" - name: Update default plugins - shell: '{{ wordpress_wpcli }} plugin is-installed {{ item }} && {{ wordpress_wpcli }} plugin update {{ item }}' + ansible.builtin.shell: + cmd: '{{ wordpress_wpcli }} plugin is-installed {{ item }} && {{ wordpress_wpcli }} plugin update {{ item }}' changed_when: False loop: "{{ wordpress_plugins }}" - name: Activate default plugins - shell: '{{ wordpress_wpcli }} plugin is-installed {{ item }} && {{ wordpress_wpcli }} plugin activate {{ item }}' + ansible.builtin.shell: + cmd: '{{ wordpress_wpcli }} plugin is-installed {{ item }} && {{ wordpress_wpcli }} plugin activate {{ item }}' changed_when: False loop: "{{ wordpress_plugins }}" - name: Send a summary mail - mail: + community.general.mail: host: 'localhost' port: 25 to: "{{ wordpress_email }}" -- 2.39.2 From 70c93310f9ea26ad0f1be3471f056dc958fade52 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 20 Mar 2023 23:48:40 +0100 Subject: [PATCH 428/497] Fix ansible-lint violations --- lxc-php/meta/main.yml | 2 +- mongodb/tasks/main_bookworm.yml | 2 +- php/tasks/main_bookworm.yml | 3 +-- php/tasks/main_bullseye.yml | 3 +-- php/tasks/main_buster.yml | 3 +-- postfix/meta/main.yml | 10 +++++----- postfix/tasks/packmail.yml | 2 +- varnish/tasks/main.yml | 2 +- webapps/nextcloud/tasks/config.yml | 2 +- 9 files changed, 13 insertions(+), 16 deletions(-) diff --git a/lxc-php/meta/main.yml b/lxc-php/meta/main.yml index 88d4c6e9..f0f9bb70 100644 --- a/lxc-php/meta/main.yml +++ b/lxc-php/meta/main.yml @@ -27,4 +27,4 @@ galaxy_info: allow_duplicates: yes -dependencies: [] +dependencies: [] diff --git a/mongodb/tasks/main_bookworm.yml b/mongodb/tasks/main_bookworm.yml index 8261dcb2..ef64f00c 100644 --- a/mongodb/tasks/main_bookworm.yml +++ b/mongodb/tasks/main_bookworm.yml 
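Review bot: In `Configure Wordpress (wp-config.php)` the value `--dbpass={{ db_pwd }}` is interpolated into an `ansible.builtin.shell` command without the `| quote` filter that the neighbouring `Configure site` task applies to its arguments, so a database password containing a shell metacharacter breaks the command or runs something else; use `--dbpass={{ db_pwd | quote }}` and add `no_log: true` to both tasks, since the DB and admin passwords are otherwise printed with the command. In `Configure site`, `--admin_password="{{ admin_pwd | quote }}"` wraps an already shell-quoted value in double quotes; as far as I can tell this works for the alphanumeric output of `apg -M LCN` only because `quote` adds nothing for safe characters, and it would embed literal single quotes in the password for other inputs, so drop the surrounding double quotes. The plugin install/update/activate tasks further down also pass `{{ item }}` through the shell unquoted; `{{ item | quote }}` is cheap insurance even with a trusted `wordpress_plugins` list.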
@@ -11,7 +11,7 @@ # - ansible_distribution_release == "bookworm" # - mongodb_version is version('5.0', '<') -- name: Add MongoDB repository +- name: Add MongoDB repository ansible.builtin.template: src: mongodb.sources.j2 dest: /etc/apt/sources.list.d/mongodb.sources diff --git a/php/tasks/main_bookworm.yml b/php/tasks/main_bookworm.yml index d4dd381f..68de60d6 100644 --- a/php/tasks/main_bookworm.yml +++ b/php/tasks/main_bookworm.yml @@ -3,8 +3,7 @@ - name: "Set php version to 8.2 (Debian 12)" ansible.builtin.set_fact: php_version: "8.2" - when: - - php_sury_enable == false + when: not (php_sury_enable | bool) check_mode: no - name: "Set php config directories (Debian 12)" diff --git a/php/tasks/main_bullseye.yml b/php/tasks/main_bullseye.yml index b12740a7..f8232c45 100644 --- a/php/tasks/main_bullseye.yml +++ b/php/tasks/main_bullseye.yml @@ -3,8 +3,7 @@ - name: "Set php version to 7.4 if Sury repo is not enabled" ansible.builtin.set_fact: php_version: "7.4" - when: - - php_sury_enable == False + when: not (php_sury_enable | bool) check_mode: no - name: "Set variables (Debian 11)" diff --git a/php/tasks/main_buster.yml b/php/tasks/main_buster.yml index 588d21d5..6a5f1d1a 100644 --- a/php/tasks/main_buster.yml +++ b/php/tasks/main_buster.yml @@ -7,8 +7,7 @@ ansible.builtin.set_fact: php_version: "7.3" check_mode: no - when: - - not (php_sury_enable | bool) + when: not (php_sury_enable | bool) - name: "Set variables (Debian 10)" ansible.builtin.set_fact: diff --git a/postfix/meta/main.yml b/postfix/meta/main.yml index 188769a2..b39e6795 100644 --- a/postfix/meta/main.yml +++ b/postfix/meta/main.yml 
@@ -25,8 +25,8 @@ galaxy_info: # alphanumeric characters. Maximum 20 tags per role. dependencies: - - { role: evolix/ldap, ldap_schema: 'cn4evolix.ldif', when: postfix_packmail == True } - - { role: evolix/spamassasin, when: postfix_packmail == True } - - { role: evolix/clamav, when: postfix_packmail == True } - - { role: evolix/opendkim, when: postfix_packmail == True } - - { role: evolix/dovecot, when: postfix_packmail == True } + - { role: evolix/ldap, ldap_schema: 'cn4evolix.ldif', when: postfix_packmail | bool } + - { role: evolix/spamassasin, when: postfix_packmail | bool } + - { role: evolix/clamav, when: postfix_packmail | bool } + - { role: evolix/opendkim, when: postfix_packmail | bool } + - { role: evolix/dovecot, when: postfix_packmail | bool } diff --git a/postfix/tasks/packmail.yml b/postfix/tasks/packmail.yml index 170dbd35..be0b075e 100644 --- a/postfix/tasks/packmail.yml +++ b/postfix/tasks/packmail.yml @@ -21,7 +21,7 @@ - name: make sure a service Mailgraph is running ansible.builtin.systemd: name: mailgraph.service - state: started + state: started enabled: true - name: create packmail main.cf diff --git a/varnish/tasks/main.yml b/varnish/tasks/main.yml index b06ab5a2..6cdb92db 100644 --- a/varnish/tasks/main.yml +++ b/varnish/tasks/main.yml @@ -137,7 +137,7 @@ dest: "{{ varnish_config_file }}" mode: "0644" force: yes - when: "{{ varnish_update_config }}" + when: varnish_update_config | bool loop: "{{ query('first_found', templates) }}" vars: templates: diff --git a/webapps/nextcloud/tasks/config.yml b/webapps/nextcloud/tasks/config.yml index 2cc8cd7e..93b9b925 100644 --- a/webapps/nextcloud/tasks/config.yml +++ b/webapps/nextcloud/tasks/config.yml @@ -36,7 +36,7 @@ chdir: "{{ nextcloud_webroot }}" creates: "{{ nextcloud_home }}/config/config.php" become_user: "{{ nextcloud_user }}" - when: (nc_status.stdout | from_json).installed == false + when: not ((nc_status.stdout | from_json).installed | bool) tags: - nextcloud -- 2.39.2 
From 939b2358a3019e1af6d336acc9519b149488d899 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Dubois?= Date: Wed, 22 Mar 2023 15:21:58 +0100 Subject: [PATCH 429/497] openvpn: updated the README file --- CHANGELOG.md | 1 + openvpn/README.md | 28 ++++++++++++++++++++-------- 2 files changed, 21 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fafbe518..ea1a712f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed * apt: with Debian 12, backports are installed but disabled by default +* openvpn: updated the README file ### Fixed diff --git a/openvpn/README.md b/openvpn/README.md index ddaffcce..79ed6246 100644 --- a/openvpn/README.md +++ b/openvpn/README.md 
@@ -5,17 +5,27 @@ Install and configure OpenVPN, based on [our HowtoOpenVPN wiki](https://wiki.evo ## Tasks Everything is in the `tasks/main.yml` file. -Some manual actions are requested at the end of the playbook, to do before finishing the playbook. -Here is a copy of what is requested : +Here is what this role does : -* You have to manually create the CA on the server with `shellpki init server.example.com`. The command will ask you to create a password, and will ask you again to give the same one several times. -* You have to manually generate the CRL on the server with `openssl ca -gencrl -keyfile /etc/shellpki/cakey.key -cert /etc/shellpki/cacert.pem -out /etc/shellpki/crl.pem -config /etc/shellpki/openssl.cnf`. The previously created password will be asked. -* You have to manually create the server's certificate with `shellpki create server.example.com`. -* You have to adjust the config file `/etc/openvpn/server.conf` for the following parameters : `local` (to check), `cert` (to check), `key` (to add), `server` (to check), `push` (to complete if needed). -* Finally, you can (re)start the OpenVPN service with `systemctl restart openvpn@server.service` on Debian, or `rcctl restart openvpn` on OpenBSD. +* Installs and configures OpenVPN +* Installs and configures shellpki +* Authorizes users in shellpki group to use shellpki with sudo +* Configures NAT if minifirewall exists, for Debian only +* Allows connexion to UDP/1194 port publicly in minifirewall if it exists or in PacketFilter for OpenBSD +* Enables IPv4 forwarding with sysctl +* Configures NRPE to check OpenVPN +* Adds a cron to warn about certificates expiration +* Inits the CA and create the server's certificate -Then, you can use `shellpki` to generate client certificates. +NAT allows servers reached through OpenVPN to be reached by the public IP of the OpenVPN server. The public IP of the OpenVPN server must therefore be allowed on the end servers. 
+ +Some manual actions are requested at the end of the playbook, to do before finishing the playbook : + +* You must check and adjust if necessary the configuration file "/etc/openvpn/server.conf", and then restart the OpenVPN service with "rcctl restart openvpn". +* You must take note of the generated CA password and store it in your password manager. + +Finally, you can use `shellpki` to generate client certificates. ## Variables @@ -23,6 +33,8 @@ Then, you can use `shellpki` to generate client certificates. * `openvpn_netmask`: netmask of the network to use for OpenVPN * `openvpn_netmask_cidr`: automatically generated prefix length of the netmask, in CIDR notation +By default, if the server IP is 192.0.2.42, then OpenVPN LAN will be 10.2.42.0/24 (last 2 digit of main IP of server set as 2nd and 3rd digit of OpenVPN LAN). + ## Dependencies * Files in `files/shellpki/*` are gotten from the upstream [shellpki](https://gitea.evolix.org/evolix/shellpki) and must be updated when the upstream is. -- 2.39.2 From 47e35f77d2159109aae4634d079127f91daa0ce1 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Mon, 27 Mar 2023 10:16:57 +0200 Subject: [PATCH 430/497] evoacme: Fix syntax that introduced extra ending space --- evoacme/templates/evoacme.conf.j2 | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/evoacme/templates/evoacme.conf.j2 b/evoacme/templates/evoacme.conf.j2 index eae3ff45..a42e0782 100644 --- a/evoacme/templates/evoacme.conf.j2 +++ b/evoacme/templates/evoacme.conf.j2 
@@ -1,9 +1,9 @@ ### File generated by Ansible ### -SSL_KEY_DIR=${SSL_KEY_DIR:-{{ evoacme_ssl_key_dir }} } -ACME_DIR=${ACME_DIR:-{{ evoacme_acme_dir }} } -CSR_DIR=${CSR_DIR:-{{ evoacme_csr_dir }} } -CRT_DIR=${CRT_DIR:-{{ evoacme_crt_dir }} } +SSL_KEY_DIR=${SSL_KEY_DIR:-"{{ evoacme_ssl_key_dir }}"} +ACME_DIR=${ACME_DIR:-"{{ evoacme_acme_dir }}"} +CSR_DIR=${CSR_DIR:-"{{ evoacme_csr_dir }}"} +CRT_DIR=${CRT_DIR:-"{{ evoacme_crt_dir }}"} HOOKS_DIR=${HOOKS_DIR:-"{{ evoacme_hooks_dir }}"} -LOG_DIR=${LOG_DIR:-{{ evoacme_log_dir }} } -SSL_MINDAY=${SSL_MINDAY:-{{ evoacme_ssl_minday }} } +LOG_DIR=${LOG_DIR:-"{{ evoacme_log_dir }}"} +SSL_MINDAY=${SSL_MINDAY:-"{{ evoacme_ssl_minday }}"} -- 2.39.2 From 09f951de181ade87fceaf8409836d99a84cb1c66 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Mon, 27 Mar 2023 11:21:25 +0200 Subject: [PATCH 431/497] listupgrade: No removal (especially of the just installed cron_file) needed --- listupgrade/tasks/main.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/listupgrade/tasks/main.yml b/listupgrade/tasks/main.yml index cc5b99aa..f51c0f09 100644 --- a/listupgrade/tasks/main.yml +++ b/listupgrade/tasks/main.yml @@ -58,12 +58,6 @@ month: "{{ listupgrade_cron_month }}" state: "{{ listupgrade_cron_enabled | bool | ternary('present','absent') }}" -- name: Remove old lisupgrade typo - ansible.builtin.cron: - name: "lisupgrade.sh" - cron_file: "listupgrade" - state: absent - - name: old-kernel-autoremoval script is present ansible.builtin.copy: src: old-kernel-autoremoval.sh -- 2.39.2 From 0ed1fb9f0a45955e6dd42777f15e3f66b1f806b9 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Mon, 27 Mar 2023 16:13:11 +0200 Subject: [PATCH 432/497] evolinux-base: add wrapper task file for backward compatibility --- evolinux-base/tasks/ssh.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 evolinux-base/tasks/ssh.yml 
diff --git a/evolinux-base/tasks/ssh.yml b/evolinux-base/tasks/ssh.yml new file mode 100644 index 00000000..2e15ec83 --- /dev/null +++ b/evolinux-base/tasks/ssh.yml @@ -0,0 +1,13 @@ +--- + +# Backward compatibility task file + +- name: SSH configuration (Debian <12) + ansible.builtin.import_tasks: ssh.single-file.yml + when: + - ansible_distribution_major_version is version('12', '<') + +- name: SSH configuration (Debian >=12) + ansible.builtin.import_tasks: ssh.included-files.yml + when: + - ansible_distribution_major_version is version('12', '>=') -- 2.39.2 From 004c85b0ff23a64fe2a36d53322f246a1be38c2c Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 27 Mar 2023 23:35:04 +0200 Subject: [PATCH 433/497] typo --- minifirewall/files/minifirewall.conf | 2 +- minifirewall/files/minifirewall.d/zzz-custom | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/minifirewall/files/minifirewall.conf b/minifirewall/files/minifirewall.conf index 1cd73d7f..95043310 100644 --- a/minifirewall/files/minifirewall.conf +++ b/minifirewall/files/minifirewall.conf @@ -102,7 +102,7 @@ BACKUPSERVERS='' # # Within included files, you can use those helper functions : # * is_ipv6_enabled: returns true if IPv6 is enabled, or false -# * is_docker_enabled: returns true if Docker mode is eabled, or false +# * is_docker_enabled: returns true if Docker mode is enabled, or false # * is_proxy_enabled: returns true if Proxy mode is enabled , or false diff --git a/minifirewall/files/minifirewall.d/zzz-custom b/minifirewall/files/minifirewall.d/zzz-custom index 7ac24f06..fa0f5374 100644 --- a/minifirewall/files/minifirewall.d/zzz-custom +++ b/minifirewall/files/minifirewall.d/zzz-custom 
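Review bot: The header comment `# Backward compatibility task file` in the new `ssh.yml` does not say what it is compatible with; since the commit message calls it a wrapper, make that explicit so nobody removes it later, e.g. `# Backward-compatibility wrapper: kept so existing playbooks that import ssh.yml keep working; dispatches to the per-Debian-version task files below.` The two `when:` lists each hold a single condition, so `when: ansible_distribution_major_version is version('12', '<')` on one line reads the same and matches what the lint fixes earlier in this series converged on.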
@@ -7,5 +7,5 @@ # # Within included files, you can use those helper functions : # * is_ipv6_enabled: returns true if IPv6 is enabled, or false -# * is_docker_enabled: returns true if Docker mode is eabled, or false +# * is_docker_enabled: returns true if Docker mode is enabled, or false # * is_proxy_enabled: returns true if Proxy mode is enabled , or false -- 2.39.2 From 78c70c1d05e46c09a8d19419a4f5b2b6bd870c30 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 27 Mar 2023 23:36:26 +0200 Subject: [PATCH 434/497] mysql: create log directory for stretch and later --- mysql/tasks/main.yml | 12 +++--------- mysql/tasks/packages_stretch.yml | 29 +++++++++++++++++++++-------- 2 files changed, 24 insertions(+), 17 deletions(-) diff --git a/mysql/tasks/main.yml b/mysql/tasks/main.yml index cc32bff4..73493588 100644 --- a/mysql/tasks/main.yml +++ b/mysql/tasks/main.yml @@ -4,21 +4,13 @@ ansible.builtin.set_fact: mysql_restart_handler_name: "{{ mysql_restart_if_needed | bool | ternary('restart mysql', 'restart mysql (noop)') }}" -- name: Default log directory is present - ansible.builtin.file: - path: /var/log/mysql - owner: mysql - group: adm - mode: "2750" - state: directory - when: ansible_distribution_major_version is version('12', '>=') - - ansible.builtin.include_tasks: packages_stretch.yml when: ansible_distribution_major_version is version('9', '>=') - ansible.builtin.include_tasks: packages_jessie.yml when: ansible_distribution_release == "jessie" + ## There is nothing to do with users on Debian 11+ - yet we need a /root/.my.cnf for compatibility - ansible.builtin.include_tasks: users_bullseye.yml when: ansible_distribution_major_version is version('11', '>=') 
@@ -32,12 +24,14 @@ - ansible.builtin.include_tasks: users_jessie.yml when: ansible_distribution_release == "jessie" + - ansible.builtin.include_tasks: config_stretch.yml when: ansible_distribution_major_version is version('9', '>=') - ansible.builtin.include_tasks: config_jessie.yml when: ansible_distribution_release == "jessie" + - ansible.builtin.include_tasks: replication.yml when: mysql_replication | bool diff --git a/mysql/tasks/packages_stretch.yml b/mysql/tasks/packages_stretch.yml index 8853a13c..acd98d2e 100644 --- a/mysql/tasks/packages_stretch.yml +++ b/mysql/tasks/packages_stretch.yml @@ -8,8 +8,21 @@ update_cache: yes state: present tags: - - mysql - - packages + - mysql + - packages + +- name: Default log directory is present + ansible.builtin.file: + path: /var/log/mysql + owner: mysql + group: adm + mode: "2750" + state: directory + notify: restart mysql + tags: + - mysql + - packages + when: ansible_distribution_major_version is version('12', '>=') - name: Install MySQL dev packages ansible.builtin.apt: @@ -17,8 +30,8 @@ update_cache: yes state: present tags: - - mysql - - packages + - mysql + - packages when: mysql_install_libclient | bool - name: MySQL is started @@ -26,16 +39,16 @@ name: mysql state: started tags: - - mysql - - services + - mysql + - services - name: apg package is installed ansible.builtin.apt: name: apg state: present tags: - - mysql - - packages + - mysql + - packages - name: Python2 dependencies for Ansible are installed ansible.builtin.apt: -- 2.39.2 From a999ac20da540f2de3fd912a3f0d6b2053e65925 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 27 Mar 2023 23:36:35 +0200 Subject: [PATCH 435/497] fqcn --- tomcat-instance/tasks/check.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tomcat-instance/tasks/check.yml b/tomcat-instance/tasks/check.yml index 3273b802..e172d5c3 100644 --- a/tomcat-instance/tasks/check.yml +++ b/tomcat-instance/tasks/check.yml 
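Review bot: The moved `Default log directory is present` task in `packages_stretch.yml` now notifies `restart mysql` directly, while `mysql/tasks/main.yml` in the previous hunk computes `mysql_restart_handler_name` precisely so that restarts can be turned into a no-op through `mysql_restart_if_needed`; creating or re-chmoding `/var/log/mysql` would therefore restart MySQL even when the operator asked for no restarts. Use `notify: "{{ mysql_restart_handler_name }}"` here, which is presumably what the role's other notifying tasks do (they are outside these hunks, so worth confirming). The three other hunks of this file only re-indent `tags`.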
@@ -22,4 +22,5 @@ - check_port_uid.stdout != "{{ tomcat_instance_name }}" #- name: Check use of http port -# command: grep ' Date: Wed, 29 Mar 2023 11:41:26 +0200 Subject: [PATCH 436/497] generate-ldif: Support for Debian 12 The script required few changes to adapt to the new output of lscpu & usage of lspci lscpu - Multiple Vendor ID fields (CPU & Bios) > We keep the first one tied to the CPU info - No more CPU Speed displayed for virtual machines. We guess the CPU Speed with the CPU Name (Thanks intel puting it in the CPU Name). But that's not going to work with AMD CPUs. An alternative would be to have a peek at /proc/cpu lspci - Remove the "0x" prefix as it seems invalid with lscpi version on Debian 12. On older debian, vendor/device id are accepted with or without the "0x" prefix --- CHANGELOG.md | 2 ++ generate-ldif/templates/generateldif.sh.j2 | 24 +++++++++++----------- 2 files changed, 14 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ea1a712f..65fc4ab1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -20,6 +20,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Fixed +* generate-ldif: Support for Debian 12 + ### Removed ### Security diff --git a/generate-ldif/templates/generateldif.sh.j2 b/generate-ldif/templates/generateldif.sh.j2 index 229c1443..e306f075 100755 --- a/generate-ldif/templates/generateldif.sh.j2 +++ b/generate-ldif/templates/generateldif.sh.j2 
@@ -40,27 +40,27 @@ if [ "$type" = "kvm" ]; then HardwareMark="KVM" HardwareModel="Virtual Machine" - cpuMark=$(lscpu | grep Vendor | tr -s '\t' ' ' | cut -d' ' -f3) - cpuModel="Virtual $(lscpu | grep "Model name" | tr -s '\t' ' ' | cut -d' ' -f3-), $(nproc) vCPU" - cpuFreq="$(lscpu | grep "CPU MHz" | tr -s '\t' ' ' | cut -d' ' -f3-)MHz" + cpuMark=$(lscpu | grep "Vendor ID:" | head -n1 | tr -s '\t' ' ' | cut -d' ' -f3) + cpuModel="Virtual $(lscpu | grep "Model name" | head -n1 | tr -s '\t' ' ' | cut -d' ' -f3-), $(nproc) vCPU" + cpuFreq="$(lscpu | grep "GHz" | head -n1 | tr -s '\t' ' ' | cut -d'@' -f2 | tr -d ' ')" elif [ "$type" = "vmware" ]; then ComputerType="VM" HardwareMark="VMWare" HardwareModel="Virtual Machine" - cpuMark=$(lscpu | grep Vendor | tr -s '\t' ' ' | cut -d' ' -f3) - cpuModel="Virtual $(lscpu | grep "Model name" | tr -s '\t' ' ' | cut -d' ' -f3-), $(nproc) vCPU" - cpuFreq="$(lscpu | grep "CPU MHz" | tr -s '\t' ' ' | cut -d' ' -f3-)MHz" + cpuMark=$(lscpu | grep "Vendor ID:" | head -n1 | tr -s '\t' ' ' | cut -d' ' -f3) + cpuModel="Virtual $(lscpu | grep "Model name" | head -n1 | tr -s '\t' ' ' | cut -d' ' -f3-), $(nproc) vCPU" + cpuFreq="$(lscpu | grep "GHz" | head -n1 | tr -s '\t' ' ' | cut -d'@' -f2 | tr -d ' ')" elif [ "$type" = "virtualbox" ]; then ComputerType="VM" HardwareMark="VirtualBox" HardwareModel="Virtual Machine" - cpuMark=$(lscpu | grep Vendor | tr -s '\t' ' ' | cut -d' ' -f3) - cpuModel="Virtual $(lscpu | grep "Model name" | tr -s '\t' ' ' | cut -d' ' -f3-), $(nproc) vCPU" - cpuFreq="$(lscpu | grep "CPU MHz" | tr -s '\t' ' ' | cut -d' ' -f3-)MHz" + cpuMark=$(lscpu | grep "Vendor ID:" | head -n1 | tr -s '\t' ' ' | cut -d' ' -f3) + cpuModel="Virtual $(lscpu | grep "Model name" | head -n1 | tr -s '\t' ' ' | cut -d' ' -f3-), $(nproc) vCPU" + cpuFreq="$(lscpu | grep "GHz" | head -n1 | tr -s '\t' ' ' | cut -d'@' -f2 | tr -d ' ')" else ComputerType="Baremetal" HardwareModel=$(dmidecode -s system-product-name | grep -v '^#') 
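Review bot: `cpuFreq` is now cut out of the model-name string (`grep "GHz" | ... | cut -d'@' -f2`), so it is silently empty for any CPU whose name carries no `@ N.NNGHz` suffix — the commit message itself notes AMD — and its format changed from the old `<value>MHz` form to whatever follows the `@`, which consumers of the LDIF attribute may not expect. Grepping the `Model name` line instead of any line containing `GHz` is more precise, e.g. `cpuFreq="$(lscpu | grep "Model name" | head -n1 | grep -oE '[0-9.]+ ?GHz' | tr -d ' ')"`, and a fallback to the `cpu MHz` field of `/proc/cpuinfo` when that yields nothing would cover the AMD case (not verified here, so treat it as a suggestion). The three `cpuMark`/`cpuModel`/`cpuFreq` lines are repeated byte-for-byte in the kvm, vmware and virtualbox branches; a single helper function would have made this a one-place change. The `if`/`elif` chain continues past the hunk.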
@@ -307,10 +307,10 @@ for net in $(ls /sys/class/net); do hw=$(cat ${path}/address) # In some cases some devices does not have a vendor or device, skip it test -f ${path}/device/vendor || continue - vendor_id=$(cat ${path}/device/vendor) + vendor_id=$(cat ${path}/device/vendor | sed -E 's/^0x//g') test -f ${path}/device/device || continue - dev_id=$(cat ${path}/device/device) - [ "${dev_id}" = "0x0001" ] && dev_id="0x1000" + dev_id=$(cat ${path}/device/device | sed -E 's/^0x//g') + [ "${dev_id}" = "0001" ] && dev_id="1000" dev=$(lspci -d "${vendor_id}:${dev_id}" -vm) vendor=$(echo "${dev}" | grep -E "^Vendor" | cut -d':' -f2 | xargs) model=$(echo "${dev}" | grep -E "^Vendor" -A1 | grep -E "^Device" | cut -d':' -f2 | xargs) -- 2.39.2 From d37f6c0e3fd7ccddd1b4f7a889714f862a9d40e5 Mon Sep 17 00:00:00 2001 From: Alexis Ben Miloud--Josselin Date: Thu, 30 Mar 2023 13:19:13 +0200 Subject: [PATCH 437/497] PgBouncer: add handler (restart) --- CHANGELOG.md | 1 + pgbouncer/handlers/main.yml | 5 +++++ pgbouncer/tasks/main.yml | 3 +++ 3 files changed, 9 insertions(+) create mode 100644 pgbouncer/handlers/main.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 65fc4ab1..51ce155e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * apt: with Debian 12, backports are installed but disabled by default * openvpn: updated the README file +* pgbouncer: add handler to restart the service ### Fixed diff --git a/pgbouncer/handlers/main.yml b/pgbouncer/handlers/main.yml new file mode 100644 index 00000000..f539a226 --- /dev/null +++ b/pgbouncer/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Restart PgBouncer + ansible.builtin.systemd: + name: pgbouncer.service + state: restarted diff --git a/pgbouncer/tasks/main.yml b/pgbouncer/tasks/main.yml index fefef4e1..1d76931f 100644 --- a/pgbouncer/tasks/main.yml +++ b/pgbouncer/tasks/main.yml 
@@ -7,11 +7,14 @@ ansible.builtin.lineinfile: path: /etc/default/pgbouncer line: ulimit -n 65536 + notify: Restart PgBouncer - name: Add config file for PgBouncer ansible.builtin.template: src: pgbouncer.ini.j2 dest: /etc/pgbouncer/pgbouncer.ini + notify: Restart PgBouncer - name: Populate userlist.txt ansible.builtin.template: src: userlist.txt.j2 dest: /etc/pgbouncer/userlist.txt + notify: Restart PgBouncer -- 2.39.2 From ce247dba5668806bdb4000977bccb32726d0b287 Mon Sep 17 00:00:00 2001 From: Alexis Ben Miloud--Josselin Date: Thu, 30 Mar 2023 17:58:30 +0200 Subject: [PATCH 438/497] Add role for Graylog --- CHANGELOG.md | 2 + graylog/README.md | 18 +++++++ graylog/defaults/main.yml | 5 ++ graylog/tasks/main.yml | 100 ++++++++++++++++++++++++++++++++++++++ 4 files changed, 125 insertions(+) create mode 100644 graylog/README.md create mode 100644 graylog/defaults/main.yml create mode 100644 graylog/tasks/main.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 51ce155e..0a307be6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added +* graylog: new role + ### Changed * apt: with Debian 12, backports are installed but disabled by default diff --git a/graylog/README.md b/graylog/README.md new file mode 100644 index 00000000..1ad4e712 --- /dev/null +++ b/graylog/README.md @@ -0,0 +1,18 @@ +# Graylog + +Installation and basic configuration of Graylog. + +## Tasks + +Everything is in the `tasks/main.yml` file. + +## Available variables + +Main variables are : + +* `graylog_version`: the Graylog version to install (default: `5.0`), +* `graylog_listen_ip`: the listen IP for Graylog (default: `"127.0.0.1"`), +* `graylog_listen_port`: the listen port for Graylog (default: `9000`), +* `graylog_custom_datadir`: the Graylog data directory (default: `""`, the empty string). + +The full list of variables (with default values) can be found in `defaults/main.yml`. 
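Review bot: All three tasks now notify `Restart PgBouncer`, but only the `ulimit` line in `/etc/default/pgbouncer` needs a full restart; `pgbouncer.ini` and `userlist.txt` are re-read on SIGHUP, so every config or user change now drops all pooled client connections where a second handler with `state: reloaded` (e.g. `notify: Reload PgBouncer`) would not — confirm the packaged unit provides `ExecReload` before switching. The handler added in `pgbouncer/handlers/main.yml` (`ansible.builtin.systemd`, `state: restarted`) is right for the ulimit case. While touching `Populate userlist.txt`: it writes credential material with the template module's default permissions (whatever the umask yields, commonly 0644); `owner: postgres`, `group: postgres`, `mode: "0640"` on that task keeps it from being world-readable.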
diff --git a/graylog/defaults/main.yml b/graylog/defaults/main.yml new file mode 100644 index 00000000..26ed02ea --- /dev/null +++ b/graylog/defaults/main.yml @@ -0,0 +1,5 @@ +--- +graylog_version: "5.0" +graylog_listen_ip: "127.0.0.1" +graylog_listen_port: 9000 +graylog_custom_datadir: "" diff --git a/graylog/tasks/main.yml b/graylog/tasks/main.yml new file mode 100644 index 00000000..66e1b5c3 --- /dev/null +++ b/graylog/tasks/main.yml 
@@ -0,0 +1,100 @@ +--- + +- name: Dependencies are installed + ansible.builtin.apt: + name: + - apt-transport-https + - openjdk-11-jre-headless + - uuid-runtime + - pwgen + - dirmngr + - gnupg + - wget + update_cache: yes + +- name: Elasticsearch is configured + ansible.builtin.lineinfile: + dest: '/etc/elasticsearch/elasticsearch.yml' + line: 'action.auto_create_index: false' + register: es_config + +- name: Elasticsearch is restarted + ansible.builtin.systemd: + name: elasticsearch + state: restarted + when: es_config is changed + +- name: Graylog repository is installed + ansible.builtin.apt: + deb: 'https://packages.graylog2.org/repo/packages/graylog-{{ graylog_version }}-repository_latest.deb' + +- name: Graylog is installed + ansible.builtin.apt: + name: + - graylog-server + update_cache: yes + +- name: Graylog password_secret is set + ansible.builtin.replace: + dest: '/etc/graylog/server/server.conf' + regexp: '^(password_secret =)$' + replace: '\1 {{ lookup("ansible.builtin.password", "/dev/null chars=ascii_lowercase,digits length=96") }}' + +- name: Graylog root_password_sha2 is set + ansible.builtin.replace: + dest: '/etc/graylog/server/server.conf' + regexp: '^(root_password_sha2 =)$' + replace: '\1 {{ graylog_root_password_sha2 }}' + when: graylog_root_password_sha2 is defined + +- name: Graylog http_bind_address is set + ansible.builtin.lineinfile: + dest: '/etc/graylog/server/server.conf' + line: 'http_bind_address = {{ graylog_listen_ip }}:{{ graylog_listen_port }}' + +- block: + - name: "Is {{ graylog_custom_datadir }} present ?" 
+ ansible.builtin.stat: + path: "{{ graylog_custom_datadir }}" + check_mode: no + register: graylog_custom_datadir_test + + - name: "read the real datadir" + ansible.builtin.command: + cmd: readlink -f /var/lib/graylog-server + changed_when: False + check_mode: no + register: graylog_current_real_datadir_test + when: graylog_custom_datadir is defined and graylog_custom_datadir | length > 0 + +- block: + - name: Graylog is stopped + ansible.builtin.service: + name: graylog-server + state: stopped + + - name: Move Graylog datadir to {{ graylog_custom_datadir }} + ansible.builtin.command: + cmd: mv {{ graylog_current_real_datadir_test.stdout }} {{ graylog_custom_datadir }} + args: + creates: "{{ graylog_custom_datadir }}" + + - name: Symlink {{ graylog_custom_datadir }} to /var/lib/graylog-server + ansible.builtin.file: + src: "{{ graylog_custom_datadir }}" + dest: '/var/lib/graylog-server' + state: link + when: + - graylog_custom_datadir | length > 0 + - graylog_custom_datadir != graylog_current_real_datadir_test.stdout + - not graylog_custom_datadir_test.stat.exists + +- name: Graylog is started + ansible.builtin.service: + name: graylog-server + state: started + +- name: Graylog is enabled + ansible.builtin.service: + name: graylog-server + enabled: yes -- 2.39.2 From c157450a2c9bc43af6ec089cb5e8508a2b26216a Mon Sep 17 00:00:00 2001 
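Review bot: `Graylog password_secret is set` writes a freshly generated secret into `server.conf` through `ansible.builtin.replace` without `no_log: true`, so the secret (and `graylog_root_password_sha2` in the next task) lands in the play output, `--diff` output and any callback or log collector; add `no_log: true` to both tasks. `Graylog repository is installed` feeds `apt: deb:` a URL ending in `_latest.deb`, which apt installs without any signature check and which the pinned `graylog_version` does not actually fix to a specific file, so fetching it with `ansible.builtin.get_url` plus a `checksum:` before installing would give an integrity anchor beyond TLS alone. The `http_bind_address` task uses `lineinfile` with `line:` but no `regexp:`, so a later change of `graylog_listen_ip`/`graylog_listen_port` appends a second `http_bind_address` line instead of replacing the first; `regexp: '^#?http_bind_address ='` fixes that. In the datadir block, `{{ graylog_current_real_datadir_test.stdout }}` and `{{ graylog_custom_datadir }}` inside `cmd:` should be quoted so a path containing whitespace is passed as one argument.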
From: Eric Morino Date: Mon, 27 Mar 2023 12:02:22 +0200 Subject: [PATCH 439/497] =?UTF-8?q?d=C3=A9but=20creation=20r=C3=B4le=20pat?= =?UTF-8?q?roni?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- patroni/README.md | 4 ++ patroni/defaults/main.yml | 20 +++++++++ patroni/meta/main.yml | 31 +++++++++++++ patroni/tasks/backports.yml | 27 ++++++++++++ patroni/tasks/config.yml | 18 ++++++++ patroni/tasks/main.yml | 6 +++ patroni/tasks/packages.yml | 8 ++++ patroni/templates/patroni.conf.j2 | 73 +++++++++++++++++++++++++++++++ patroni/templates/patroni.pref.j2 | 3 ++ 9 files changed, 190 insertions(+) create mode 100644 patroni/README.md create mode 100644 patroni/defaults/main.yml create mode 100644 patroni/meta/main.yml create mode 100644 patroni/tasks/backports.yml create mode 100644 patroni/tasks/config.yml create mode 100644 patroni/tasks/main.yml create mode 100644 patroni/tasks/packages.yml create mode 100644 patroni/templates/patroni.conf.j2 create mode 100644 patroni/templates/patroni.pref.j2 diff --git a/patroni/README.md b/patroni/README.md new file mode 100644 index 00000000..e3999617 --- /dev/null +++ b/patroni/README.md @@ -0,0 +1,4 @@ +# Patroni + +Installation and basic configuration of Patroni. + diff --git a/patroni/defaults/main.yml b/patroni/defaults/main.yml new file mode 100644 index 00000000..5ceee3ba --- /dev/null +++ b/patroni/defaults/main.yml @@ -0,0 +1,20 @@ +--- + +# Install Patroni from backport Evolix +patroni_backport: false + +# Define variable for Patroni + +cluster_name: "mycluster" +patroni_restapi_listen: "127.0.0.1" +patroni_port: "8008" +postgresql_hosts_cluster: [] +postgresql_host: 127.0.0.1 +postgresql_version: '' +postgresql_replication_user: 'repl' +postgresql_superuser: 'admin' + +# Define variable for etcd +etcd_hosts: [] +etcd_port: "2379" + diff --git a/patroni/meta/main.yml b/patroni/meta/main.yml new file mode 100644 index 00000000..dffff81a --- /dev/null 
+++ b/patroni/meta/main.yml @@ -0,0 +1,31 @@ +galaxy_info: + company: Evolix + description: Installation and basic configuration of Patroni + + issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues + + license: GPLv2 + + min_ansible_version: "2.7" + + platforms: + - name: Debian + versions: + - buster + - bullseye + - bookworm + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is + # a keyword that describes and categorizes the role. + # Users find roles by searching for tags. Be sure to + # remove the '[]' above if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of + # alphanumeric characters. Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. + # Be sure to remove the '[]' above if you add dependencies + # to this list. + diff --git a/patroni/tasks/backports.yml b/patroni/tasks/backports.yml new file mode 100644 index 00000000..43e76f22 --- /dev/null +++ b/patroni/tasks/backports.yml @@ -0,0 +1,27 @@ +--- + +- name: Add Evolix GPG key + ansible.builtin.copy: + src: pub_evolix.asc + dest: "{{ apt_keyring_dir }}/pub_evolix.asc" + force: yes + mode: "0644" + owner: root + group: root + +- name: Add Evolix backports repository + ansible.builtin.apt_repository: + repo: "deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix {{ ansible_distribution_release }}-backports main" + filename: backports.list + state: present + +- name: Update APT cache + ansible.builtin.apt: + update_cache: yes + +- name: Add APT preference file + ansible.builtin.template: + src: patroni.pref.j2 + dest: /etc/apt/preferences.d/patroni.pref + mode: "0644" + diff --git a/patroni/tasks/config.yml b/patroni/tasks/config.yml new file mode 100644 index 00000000..54a19c0e --- /dev/null +++ b/patroni/tasks/config.yml 
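Review bot: `Add Evolix GPG key` copies `src: pub_evolix.asc`, but this commit creates no `patroni/files/` entry (see its diffstat), so the role fails at that task until the key is added — it only arrives in patch 440. Both key-related tasks also depend on `{{ apt_keyring_dir }}`, which the `patroni/defaults/main.yml` created in this same commit does not define, so the role cannot run standalone; add a default for `apt_keyring_dir` in `defaults/main.yml` (using the same path the project's other roles use) or document the dependency in the README. The separate `Update APT cache` task duplicates what `ansible.builtin.apt_repository` already does with its default `update_cache: yes`.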
@@ -0,0 +1,18 @@ +--- + +- name: Create a password for PostgreSQL repl user + command: "apg -a 0 -m 16" + register: postgresql_replication_password + +- name: Create a password for PostgreSQL superuser user + command: "apg -a 0 -m 16" + register: postgresql_superuser_password + +- name: Create Patroni config file + ansible.builtin.template: + src: patroni.conf.j2 + dest: /etc/patroni/config-{{ cluster_name }}.yml + owner: root + group: root + mode: "0644" + diff --git a/patroni/tasks/main.yml b/patroni/tasks/main.yml new file mode 100644 index 00000000..05f82a89 --- /dev/null +++ b/patroni/tasks/main.yml @@ -0,0 +1,6 @@ +--- + +- ansible.builtin.import_tasks: packages.yml + +- ansible.builtin.import_tasks: backports.yml + when: patroni_backport: | bool diff --git a/patroni/tasks/packages.yml b/patroni/tasks/packages.yml new file mode 100644 index 00000000..198dcb7b --- /dev/null +++ b/patroni/tasks/packages.yml @@ -0,0 +1,8 @@ +--- + +- name: Install patroni package + ansible.builtin.apt: + name: + - patroni + update_cache: yes + diff --git a/patroni/templates/patroni.conf.j2 b/patroni/templates/patroni.conf.j2 new file mode 100644 index 00000000..c88c96fb --- /dev/null +++ b/patroni/templates/patroni.conf.j2 
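Review bot: `Create Patroni config file` renders `patroni.conf.j2`, which embeds the PostgreSQL superuser and replication passwords, to `/etc/patroni/config-{{ cluster_name }}.yml` as `root:root` with `mode: "0644"`, i.e. world-readable database credentials; the unit added in patch 446 runs Patroni as `postgres`, so `owner: postgres`, `group: postgres`, `mode: "0600"` is the fitting combination. The two `apg` tasks register the passwords as plain task results without `no_log: true`, so they show up in verbose output and logs. They also produce new values on every play (`command` with no `creates`/`changed_when`), so each run rewrites the config with passwords that no longer match what the cluster was bootstrapped with — source them from vault variables or a persisted `ansible.builtin.password` lookup instead of regenerating. Note that `patroni/tasks/main.yml` in this commit never imports `config.yml`, so these tasks do not run at all until patch 440 adds the import.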
@@ -0,0 +1,73 @@ +scope: {{ cluster_name }} +name: {{ cluster_name }} + +restapi: + listen: {{ patroni_restapi_listen }}:{{ patroni_port }} + connect_address: {{ patroni_restapi_listen }}:{{ patroni_port }} + +etcd: + hosts: + - {{ etcd_hosts }}:{{ etcd_port }} + - {{ etcd_hosts }}:{{ etcd_port }} + - {{ etcd_hosts }}:{{ etcd_port }} + +bootstrap: + dcs: + ttl: 30 + loop_wait: 10 + retry_timeout: 10 + maximum_lag_on_failover: 1048576 + postgresql: + use_pg_rewind: true + use_slots: true + parameters: + wal_level: replica + hot_standby: "on" + wal_keep_segment: 8 + max_wal_senders: 5 + max_relication_slots: 5 + checkpoint_timeout: 30 + + initdb: + - encoding: UTF8 + - data-checksums + + pg_hba: + - host replication repl 127.0.0.1/32 md5 + - host replication repl {{ postgresql_hosts_cluster }}/0 md5 + - host replication repl {{ postgresql_hosts_cluster }}/0 md5 + - host replication repl {{ postgresql_hosts_cluster }}/0 md5 + - host all all 0.0.0.0/0 md5 + + users: + {{ postgresql_superuser }}: + password: {{ postgresql_superuser_password }} + options: + - createrole + - createdb + {{ postgresql_replication_user }}: + password: {{ postgresql_replication_password }} + options: + - replication + +postgresql: + listen: {{ postgresql_host }}:{{ postgresql_port }} + connect_address: {{ postgresql_host }}:{{ postgresql_port }} + bin_dir: /usr/lib/postgresql/{{ postgresql_version }}/bin/ + data_dir: /home/{{ cluster_name }} + pgpass: /tmp/{{ cluster_name }}-pgpass + authentication: + replication: + username: {{ postgresql_replication_user }} + password: {{ postgresql_replication_password }} + superuser: + username: {{ postgresql_superuser }} + password: {{ postgresql_superuser_password }} + parameters: + unix_socket_directories: '/tmp' + +tags: + nofailover: false + noloadbalance: false + clonefrom: false + nosync: false diff --git a/patroni/templates/patroni.pref.j2 b/patroni/templates/patroni.pref.j2 new file mode 100644 index 00000000..6e6dd081 --- /dev/null 
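Review bot: The bootstrap `pg_hba` ends with `- host all all 0.0.0.0/0 md5`, admitting every database and role from any address, and the replication entries use a `/0` mask (`{{ postgresql_hosts_cluster }}/0`) that matches every address regardless of the host written before it — so the per-host lines add no restriction; use `/32` on the replication rules, narrow the catch-all to the cluster and application networks, and prefer `scram-sha-256` over `md5`. The rewrite of this block in patch 440 (hunk `@@ -34,35 +34,35 @@`) loops over `groups['patroni']` but keeps the `/0`. Two parameter names are not PostgreSQL GUCs as spelled — `max_relication_slots` (`max_replication_slots`) and `wal_keep_segment` (`wal_keep_segments` up to PG 12, `wal_keep_size` from 13) — so they are either rejected at startup or dropped by Patroni, and the `etcd.hosts` list repeats the identical `{{ etcd_hosts }}:{{ etcd_port }}` entry three times (reworked in 440). `postgresql_port` is referenced but absent from this commit's `defaults/main.yml` (only `patroni_port` exists), so rendering fails unless the inventory supplies it. `pgpass: /tmp/{{ cluster_name }}-pgpass` and `unix_socket_directories: '/tmp'` place a credential file and the server socket in a world-writable directory; a postgres-owned directory such as the one the Debian packages use for sockets would be the safer default.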
+++ b/patroni/templates/patroni.pref.j2 @@ -0,0 +1,3 @@ +Package: patroni +Pin: release a={{ ansible_distribution_release }}-backports +Pin-Priority: 999 -- 2.39.2 From 7d75ed1a968cf13fdb68da6c640903eedd00a938 Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Thu, 30 Mar 2023 18:23:46 +0200 Subject: [PATCH 440/497] Add key GPG evolix, and fix some bugs --- patroni/files/pub_evolix.asc | 87 +++++++++++++++++++++++++++++++ patroni/tasks/config.yml | 4 +- patroni/tasks/main.yml | 7 +-- patroni/templates/patroni.conf.j2 | 32 ++++++------ 4 files changed, 109 insertions(+), 21 deletions(-) create mode 100644 patroni/files/pub_evolix.asc diff --git a/patroni/files/pub_evolix.asc b/patroni/files/pub_evolix.asc new file mode 100644 index 00000000..4a21bdfe --- /dev/null +++ b/patroni/files/pub_evolix.asc 
@@ -0,0 +1,87 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBGOsRdcBEADDPJ8Tsqr5Z4crmQlNQM32hfufe7gTUrXo0cAL8clt92y1QX3N +YyMv0Re4+Ugo7JZd4jsF2Q1twJMxsX5rA12xDnHHcZRSc/E0DIYvPnfLzEHkwseN +OK4f9lI+xo06k+B3KQQKMeI/RjVaN6AiSply9ZGaZVeGGqd4es4PsU1VQMTWdclV +Bn54HBWUnL5dPStPMnNkt0bMQYIqc5733Yby3qMiUKcql2bl9TYBw8SaJXvClsLw +ERqit6FjljUOEeWtB4WZFpjhc/aqcxGcUTPHRrNTlNF0HCvk8JicEu4/lr99pwy7 +7z6SRql++WGMSG06E4MBtUt+wWAmDDHNj3fdZPnoCaDFp7vxy/FEARB2aygTtu11 +mLk4XOKheqU/WibWxoXRzyUCuclJ247Fh+YPxkYVG1dnDwpWGbYuRmzUapGLv4ma +dnKsQN0KhXzUqkSoybBgV208dGOP7BqdY6TVnyU0v/7XDeUqFEwnllRKMSYLilV3 +huTifiCFTK45HACM/x2yckx8dyAuYg6cJaAR1yn1iaTexoyYPG9ZFifvMB6ranEm +vkmQq1e8/7xiNSQsh5F3Ybl5hh4GVLwsR6esfZsHG0Ve+CitsmcZgWnr0JJ2PZOk ++XHxMwo7Gb0/KVH9XGeoXk+eiNNW/kdcgBMkGkU3nWooVHDm7Dy54I5CzQARAQAB +tC9Fdm9saXggUHVibGljIFJlcG9zaXRvcnkgPGVxdWlwZStwdWJAZXZvbGl4LmZy +PokCVAQTAQoAPhYhBP+vfRvzUK1F+rMpCUaPWta4YwY9BQJjrEXXAhsDBQkHhM4A +BQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEEaPWta4YwY9V6oP/iYfZceiA1Sy +x9t/7CL3EReuvpdZtZYf2KklBfxEFtzkERV/KKMMpf8mKoGD6BA+ryUc7b4a8npq +yvKbSKDHGZW6gAbq8hneW71vRuNfPNqtfO98JbJO694nqX9sIYU2xQn0UIh0G6N7 +D2bOcaicn8AgV/8cQZfgN9yRM4VhCoWZwhLqgROUqMYfDn3szamfkPcFiw10ToVt +c2PIFdqj2soKO9OrF5Ct/pztSGy1f+orDFiJ0AtRlqqRk9z18VB893qspfyd6y9N +q7IrQbYsiP+D8DcXYWZA1KURsI4LVQwsudNXokvGkYdnZitVgXI2lIaY7odDou5F +btZsCIEa45m7Vmvu0Wvtu/90EFbu9iwbOVrNpC7lLnfJpDObVXMiY1r0rQVuweEZ +ZbBcv1NUa3R0SPsPLPKf7L6dCx8gCpZjDVJLsgBeeSEV7XFQiYDbl8THasNTKCOa +C6v4h00mg0H6GhZvGMx+lcx8TzW6l3XXRoptHl4vkdE5usLFjy8/JWG3yJ7e2W3D +jVbPQ0UKJAnkGn1t+UJB1GP9O4annks0nPfcomjZzaDweIL8zSLPy5R9DGNgYLjp +5h/baLoNAOkaKssZrusq/P+BM2tdr3i/N6TK+dbrffz3hNgzSFFYVg51DspV7XWo +JKGqhqCgQpkms+NPJiKr4NDs6DdXn0IKuQINBGOsRdcBEAC9i5qcrYLTfeGrWPo3 +Zok3jikNk181HC3HR7Wu8a5whCe/88GgJDY00sU2zZEF9hN/4Vtqq9FICVXUcs+F +5j+Gcb/sqAgwXuwk8LKuhbtR2cnz6I0GCsqNPuj+5uM7MXQlVWeIN5Z6zA/Jw++o +aENZHO6cnuep2KDNPUZzjmTHAa4+qXRL5cRXEOmMB1vtA8mm/43c7wicJ7MrZpba +mqzmiQPsQ2qfmCABfx8BwBgXCVON4sgtzCa+rYOPScsDtv0pv6uG+h/GJp4MdKBp 
+g3BfShQEAmOwwy3Pt2vo9Rw2s0uJJ9AM2O6tJ3x93YkUP5qj3Etr/eTcgVUiVvSs +h2Rrz2FLen3GMAcqUUDPViCy9nEWRAo7iWQgAKgr8WjeGerOmtsYPyjIQE47eX5M +Gomx0LVCGigYfkSAFIYzm5I+depmn1qTUyizfklvPr0bA/8Cs4zbqx6Pf6Rk5wvb +sJ4envk3dzQRNTH1Vt7Yoktyx1+VX0HFVEaPTQ3JlFORaHYwQQ97LaOZ0VmztE0A +5+CIFFdqp/0H7zGPol+LsPgqnzZZEQ2XFYPOy7/gB17zI2eWNWPAQmOdrUM/v12A +etnLEthZyALcjjBpJEVIHFnuaabYp+mdotycjDkBNSh+P+8H/UsMSrNVhheKQLB8 +smzwFcSrAcnQbtiCjFWANTWyKQARAQABiQI8BBgBCgAmFiEE/699G/NQrUX6sykJ +Ro9a1rhjBj0FAmOsRdcCGwwFCQeEzgAACgkQRo9a1rhjBj0FZw//fNhJdx55ACvX +mpa8wz6eZOvzhr5GWSW5/Qie9nRjInPPI3bJ/jU0S/4ENqFBD9RSvY5F+0xCU67F +V2R3a3FFcB81HLIcUrkN0GH6fLcex0Js+grq/U117e2umdfGMKQG0UFJ+XonhtlT +foBcBjXPFr2NUaJB2SPo/RPQ3U+N3wMSm0ZbB/Xvxi5qMEb971dfObvsXTkQZvn7 +b0TvccfHhyzs2IM8pZO3PamTwA5e16/2QqisRX4CeL0a/q3Yxfw4R8RPCrz/l0k5 +FPdbdXaQuk5s+CiV+Nse7yFGoEoSlLpJM2BpueBsIg92joyOstZRm+tuCb5QefWI +7yFPfJU6xG1CMDqIGjXNU1tzSIoReGUBCNrE9UgzBQPPVD0jNM1WdW6HWSVR7jBb ++dvAeJNzQjJYlvKLQ383mAiVcwmCWBUp+R/kBPlLMGEpLlspti5fkmEc8xvtCaHc +fCLVWd0r2lUFUz+W53r8IXaRcxLtFinz7SHZPrlhaVwErdtlo+5X3kq39Mc4KCmF +bevT+qxlgzHXof+WGTYoc9IHkhDrvZ/TWeAUnBPvVn88dsBRtOC9f5wSCK4r9SfR +Dnf0lAsLWMpNtt812W8sA82RGXRUBwonZKa7YoGNKSa2vPJcUgmpIiHNtoLWpNa+ +7pYGN7bV51zyQ1ERaLU5TBC9sPE70p25Ag0EY6xJaQEQAKsxFCb4Vxe8VuUEAKp/ +RSRNGX/v9KqXVwbnf3kTYq9FMoplZBeqj4LQ22BqRzZ74ywoyfvHHtvkAtCbmrlc +8iLQEmicLug3Ibk97qm1lvvHnK9fqFOWh+Tx/omlaiSzEfAFbLEjNcplmq1ooqmX +fkI9zcefLZHtUFx6Clw3rwp79d/V5XJDM+2jwB47HfIhrW6jEubUuaXIHNR/GSSd +gTYuw55g9K97LhONX6ZvSBhjp4pOeUUbtFuG1fRkjPiObsB54fJ2R32yfm4jV53/ +YgG/Ih/o97tKV+ishQIrr85SB3XiLFlGhQuu/0a/+/vfGVTbJOzrQrE+OCWt9Xm1 +4b91MiVSSzXy6TGzPvpNXYR2PQZzVwvz7UctCikaE4gGB0lSH0LemDD0LZIZUwBL +1G9mlwFTkMYK0+iMyHFOKeAlUnSSpO6hFYr4GHOxAMGTjHqqEJZ3lBi9SBPc7AEK +3NcEp4etuiLOeaSBtqmUs+y7g8yMTrnyWPVxa0l5q4OUitbb2qvWYbaD3O22xYyj +9BlqzpG9uO6/d8HefDK8XMNCHlmwFoJj3HJlHJg7oN029vYsXEwBIhFyolAPzIvB +jpLKcebq9DJSObs1nHjAyVUpL4ZzRmujFcJYDYSixiqaWc/1aGTgUZQ/JDXcODiC +LgFu1vLTRf6hwKSb/vnZP5OtABEBAAGJBHIEGAEKACYWIQT/r30b81CtRfqzKQlG 
+j1rWuGMGPQUCY6xJaQIbAgUJA8JnAAJACRBGj1rWuGMGPcF0IAQZAQoAHRYhBA7H +BbTwXPF0hLMgRYefxhvnjx3ABQJjrElpAAoJEIefxhvnjx3ANpUQAIFLkLcx2z3M +jV0SgoAYertib9T/OOy/rsfeQjE6DFk6IArrHolZPA9g/PpTPuRwK165n5xw483q +BMyssUT9IK7SZxt0gbKpvZ0HFSCwSp5wdSJZymwB4AOcgRBU5rwC/9fFxYihgIym +Ig7TH9aWW4hDbEuGJDrKbhK+DpIL7lK3A5WUZk9ltGOpCcFctV3YnVgbMIwX5gO6 +lZ5Zi6NHJEB3HauVZJ59NIPJ/f0xe5GMte/LXckyijs9ei4WOFOjstiW64EWkOBH +El0tj+LUxLznCP2szdXjkDN1P6/NDrY1Nid6/ECOfkh4xO/VHhkdSRAlhdP9FHiV +sy3KUUoPH5B805z1MyOI7UYUD/8CK0juIXcbw7isbVUmLf/VV8jEDmq3WWDj8YZp +IStn2AvQeo3VWGWUfkf3v7UthKandIUTIGc5isD+i6KvzzbggyyZWNtvb3/1wMrz +DUKGlFi/IjMhhElJ0oF3YGsBwz2V2UKP7pPIYo+f5zthc7SbmO9yxAQebEOc3prM +G/Br8JOZ90w1dy6CeIYxkM4YEhhG1K8CzD3ZTTI7vh8mwRc92A6HI2NFyxeYJCr0 +IsUcFQpCyXMtcLRN75DGLIjIKdYrYJuwSiUgcH5FtgkuxMYfJEX9UX8rV7HAxUvs +UdIyHLl7k+khGlZa0/W6uCioFNiygnBEp7oP/iSj4Q2Xh5yKI6Jjw/IsfRcsiaac +lHc7uF0caYGMkqRNHiX17d5EtaidTbiqQii1W9slSPXmUuUcKfD1xUfLng7TbZVm +AdEbpHCT+q037cGCYFpHPMvw3OYhhGzYeh3+1oN9t3ZvyGlvAhkrtssDQB+gxX8r +adCpihziFLjm+6IvCLYHEh3gILVFbbhdYDDUduFFjf/snlJW7j8OVc7Cxa7FbPdf +SHLT9VESzf7oiwkP5/ijGmHiEQoJd9EWYkGGz+LZAXemBwe5ZnPPWVZvDEQRMe8v +2V8pa37vyReaK//O8xxGg3NzGTn9otwVr/4Ti9OxrSzmDWpd967oZ42IZSeSY2bz +kOaV8z4C8AIgIA7vWOS83Hncbrgf2nMCXmRjf0KTMm1P7Z0BQDWpxK9lP0nRpVAg +2T3/OjJ9KcAsTz02NFC3/kOUz//NcfDP747HsQB0sltIty140B7CfcWk0a0eKSad +OxGUehskjyKhO6v3dYF+8oR9p98Q8/Rh8r7evYy2mfhgJd7a9Cchn7612Y6k1SLf +nmPGYu3s0lf/k6GoHLfXXQIJDgWeua4ZBr6cgpGONLSvWBeCVaqnk8nhbNIiSBHk +jnrcX8xAtoPLgqg0+yi7rZ3NAauZcQE6UaNB+xjJxDOIpgVLUWtFyAG4MDeIh6GH +oA9QflpnDubMnCve +=ZCml +-----END PGP PUBLIC KEY BLOCK----- diff --git a/patroni/tasks/config.yml b/patroni/tasks/config.yml index 54a19c0e..f48959b9 100644 --- a/patroni/tasks/config.yml +++ b/patroni/tasks/config.yml 
@@ -1,11 +1,11 @@ --- - name: Create a password for PostgreSQL repl user - command: "apg -a 0 -m 16" + command: "apg -M LCN -n1 -m 16" register: postgresql_replication_password - name: Create a password for PostgreSQL superuser user - command: "apg -a 0 -m 16" + command: "apg -M LCN -n1 -m 16" register: postgresql_superuser_password - name: Create Patroni config file diff --git a/patroni/tasks/main.yml b/patroni/tasks/main.yml index 05f82a89..36b4eb41 100644 --- a/patroni/tasks/main.yml +++ b/patroni/tasks/main.yml @@ -1,6 +1,7 @@ --- -- ansible.builtin.import_tasks: packages.yml - - ansible.builtin.import_tasks: backports.yml - when: patroni_backport: | bool + when: patroni_backport | bool + +- ansible.builtin.import_tasks: packages.yml +- ansible.builtin.import_tasks: config.yml diff --git a/patroni/templates/patroni.conf.j2 b/patroni/templates/patroni.conf.j2 index c88c96fb..c4eae345 100644 --- a/patroni/templates/patroni.conf.j2 +++ b/patroni/templates/patroni.conf.j2 @@ -1,15 +1,15 @@ scope: {{ cluster_name }} -name: {{ cluster_name }} +name: {{ cluster_name_host }} restapi: - listen: {{ patroni_restapi_listen }}:{{ patroni_port }} - connect_address: {{ patroni_restapi_listen }}:{{ patroni_port }} + listen: {{ patroni_restapi_listen }}:{{ patroni_restapi_port }} + connect_address: {{ patroni_restapi_listen }}:{{ patroni_restapi_port }} etcd: hosts: - - {{ etcd_hosts }}:{{ etcd_port }} - - {{ etcd_hosts }}:{{ etcd_port }} - - {{ etcd_hosts }}:{{ etcd_port }} +{% for server in groups['etcd'] %} + - {{ hostvars[server]['etcd_host'] }}:{{ etcd_client_port }} +{% endfor %} bootstrap: dcs: 
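Review bot: The rewritten header references `cluster_name_host`, `patroni_restapi_port` and `etcd_client_port`, plus `hostvars[server]['etcd_host']` for every member of `groups['etcd']`, none of which exist in `patroni/defaults/main.yml` (which still defines `patroni_port` and `etcd_port`), so the template fails on an undefined variable unless the inventory supplies them; either rename the defaults to match (`patroni_restapi_port: "8008"`, `etcd_client_port: "2379"`) or add the new names alongside the old ones. Requiring an `etcd` inventory group and a per-host `etcd_host` variable is a contract that belongs in the README, which currently only says "Installation and basic configuration of Patroni". In the same patch, `patroni/tasks/config.yml` switches to `apg -M LCN -n1 -m 16`, a better alphabet, but the `command` tasks still have no `creates`/`changed_when` guard and therefore regenerate both passwords on every run.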
@@ -34,35 +34,35 @@ bootstrap: pg_hba: - host replication repl 127.0.0.1/32 md5 - - host replication repl {{ postgresql_hosts_cluster }}/0 md5 - - host replication repl {{ postgresql_hosts_cluster }}/0 md5 - - host replication repl {{ postgresql_hosts_cluster }}/0 md5 +{% for server in groups['patroni'] %} + - host replication repl {{ hostvars[server]['postgresql_hosts_cluster'] }}/0 md5 +{% endfor %} - host all all 0.0.0.0/0 md5 users: {{ postgresql_superuser }}: - password: {{ postgresql_superuser_password }} + password: {{ postgresql_superuser_password.stdout }} options: - createrole - createdb {{ postgresql_replication_user }}: - password: {{ postgresql_replication_password }} + password: {{ postgresql_replication_password.stdout }} options: - replication postgresql: listen: {{ postgresql_host }}:{{ postgresql_port }} connect_address: {{ postgresql_host }}:{{ postgresql_port }} - bin_dir: /usr/lib/postgresql/{{ postgresql_version }}/bin/ - data_dir: /home/{{ cluster_name }} - pgpass: /tmp/{{ cluster_name }}-pgpass + bin_dir: /var/lib/postgresql/{{ postgresql_version }}/bin/ + data_dir: /home/{{ cluster_name_host }} + pgpass: /tmp/{{ cluster_name_host }}-pgpass authentication: replication: username: {{ postgresql_replication_user }} - password: {{ postgresql_replication_password }} + password: {{ postgresql_replication_password.stdout }} superuser: username: {{ postgresql_superuser }} - password: {{ postgresql_superuser_password }} + password: {{ postgresql_superuser_password.stdout }} parameters: unix_socket_directories: '/tmp' -- 2.39.2 From 8ec5c79ca1028dbae749d15e7f25f88eb669cc6b Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Mon, 3 Apr 2023 14:45:17 +0200 Subject: [PATCH 441/497] Add new role Patroni in CHANGELOG --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0a307be6..4afd0a00 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
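Review bot: The passwords are now read from `postgresql_superuser_password.stdout` and `postgresql_replication_password.stdout`, i.e. from `command` results recomputed on every play, so each run renders a config whose `bootstrap.users` and `postgresql.authentication` passwords differ from the previous run's; after the first bootstrap the values in the file would no longer match what is stored in the cluster and Patroni's own `authentication` block would stop being able to connect. `changed_when`/`creates` guards cannot fix this because the value itself must be stable — take both from vault variables or a persisted `ansible.builtin.password` lookup. The `host replication repl ...` lines also hard-code `repl` while the `users:` block uses `{{ postgresql_replication_user }}`; use the variable in `pg_hba` too so the two cannot drift.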
@@ -14,6 +14,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added * graylog: new role +* Patroni: new role for install Patroni cluster ### Changed -- 2.39.2 From b7723cfe69f4c471c0b70823dce11eaacd53d175 Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Mon, 3 Apr 2023 17:21:14 +0200 Subject: [PATCH 442/497] fix bin_dir variable --- patroni/templates/patroni.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/patroni/templates/patroni.conf.j2 b/patroni/templates/patroni.conf.j2 index c4eae345..d60272a8 100644 --- a/patroni/templates/patroni.conf.j2 +++ b/patroni/templates/patroni.conf.j2 @@ -53,7 +53,7 @@ bootstrap: postgresql: listen: {{ postgresql_host }}:{{ postgresql_port }} connect_address: {{ postgresql_host }}:{{ postgresql_port }} - bin_dir: /var/lib/postgresql/{{ postgresql_version }}/bin/ + bin_dir: /usr/lib/postgresql/{{ postgresql_version }}/bin/ data_dir: /home/{{ cluster_name_host }} pgpass: /tmp/{{ cluster_name_host }}-pgpass authentication: -- 2.39.2 From 23b26fa239340230ae07b9cb8c50cc364fda24d5 Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Mon, 3 Apr 2023 17:33:12 +0200 Subject: [PATCH 443/497] changement variable postgresql_hosts --- patroni/defaults/main.yml | 3 ++- patroni/templates/patroni.conf.j2 | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/patroni/defaults/main.yml b/patroni/defaults/main.yml index 5ceee3ba..85ead1b1 100644 --- a/patroni/defaults/main.yml +++ b/patroni/defaults/main.yml @@ -9,7 +9,8 @@ cluster_name: "mycluster" patroni_restapi_listen: "127.0.0.1" patroni_port: "8008" postgresql_hosts_cluster: [] -postgresql_host: 127.0.0.1 +postgresql_listen_ips: 127.0.0.1 +postgresql_connect_ip: 127.0.0.1 postgresql_version: '' postgresql_replication_user: 'repl' postgresql_superuser: 'admin' diff --git a/patroni/templates/patroni.conf.j2 b/patroni/templates/patroni.conf.j2 index d60272a8..2dc23a28 100644 --- a/patroni/templates/patroni.conf.j2 
+++ b/patroni/templates/patroni.conf.j2 @@ -51,8 +51,8 @@ bootstrap: - replication postgresql: - listen: {{ postgresql_host }}:{{ postgresql_port }} - connect_address: {{ postgresql_host }}:{{ postgresql_port }} + listen: {{ postgresql_listen_ips }}:{{ postgresql_port }} + connect_address: {{ postgresql_connect_ip }}:{{ postgresql_port }} bin_dir: /usr/lib/postgresql/{{ postgresql_version }}/bin/ data_dir: /home/{{ cluster_name_host }} pgpass: /tmp/{{ cluster_name_host }}-pgpass -- 2.39.2 From 956e644ac458bc12c9a5b8fb656d440dc93ac6f8 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Fri, 7 Apr 2023 11:00:13 +0200 Subject: [PATCH 444/497] evocheck: upstream release 23.04 --- evocheck/files/evocheck.jessie.sh | 2 +- evocheck/files/evocheck.sh | 16 +++++++++++----- evocheck/files/evocheck.wheezy.sh | 2 +- 3 files changed, 13 insertions(+), 7 deletions(-) diff --git a/evocheck/files/evocheck.jessie.sh b/evocheck/files/evocheck.jessie.sh index 5d1a186e..6fb3d3d7 100755 --- a/evocheck/files/evocheck.jessie.sh +++ b/evocheck/files/evocheck.jessie.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="23.03.01" +VERSION="23.04" readonly VERSION # base functions diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index 647192cc..d907a54f 100755 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="23.03.01" +VERSION="23.04" readonly VERSION # base functions 
@@ -146,10 +146,16 @@ check_dpkgwarning() { || failed "IS_DPKGWARNING" "/etc/apt/apt.conf.d/z-evolinux.conf is missing" } # Check if localhost, localhost.localdomain and localhost.$mydomain are set in Postfix mydestination option. -check_localhost_in_postfix_mydestination() { +check_postfix_mydestination() { # shellcheck disable=SC2016 - if ! grep mydestination /etc/postfix/main.cf | grep --quiet --extended-regexp '(localhost[^\\.]|localhost.localdomain|localhost.$mydomain)'; then - failed "IS_LOCALHOST_IN_POSTFIX_MYDESTINATION" "'localhost' and/or 'localhost.localdomain' and/or 'localhost.\$mydomain' are missing in Postfix mydestination option. Consider adding then." + if ! grep mydestination /etc/postfix/main.cf | grep --quiet -E 'localhost([[:blank:]]|$)'; then + failed "IS_POSTFIX_MYDESTINATION" "'localhost' s missing in Postfix mydestination option." + fi + if ! grep mydestination /etc/postfix/main.cf | grep --quiet -E 'localhost.localdomain'; then + failed "IS_POSTFIX_MYDESTINATION" "'localhost.localdomain' is missing in Postfix mydestination option." + fi + if ! grep mydestination /etc/postfix/main.cf | grep --quiet -E 'localhost.$mydomain'; then + failed "IS_POSTFIX_MYDESTINATION" "'localhost.\$mydomain' is missing in Postfix mydestination option." fi } # Verifying check_mailq in Nagios NRPE config file. (Option "-M postfix" need to be set if the MTA is Postfix) @@ -1389,7 +1395,7 @@ main() { test "${IS_LSBRELEASE:=1}" = 1 && check_lsbrelease test "${IS_DPKGWARNING:=1}" = 1 && check_dpkgwarning - test "${IS_LOCALHOST_IN_POSTFIX_MYDESTINATION:=1}" = 1 && check_localhost_in_postfix_mydestination + test "${IS_POSTFIX_MYDESTINATION:=1}" = 1 && check_postfix_mydestination test "${IS_NRPEPOSTFIX:=1}" = 1 && check_nrpepostfix test "${IS_CUSTOMSUDOERS:=1}" = 1 && check_customsudoers test "${IS_VARTMPFS:=1}" = 1 && check_vartmpfs diff --git a/evocheck/files/evocheck.wheezy.sh b/evocheck/files/evocheck.wheezy.sh index cd038268..b9ac86e6 100755 
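Review bot: `grep mydestination /etc/postfix/main.cf` matches commented-out lines (`#mydestination = ...`) and any line merely containing the word, and it misses continuation lines (Postfix lets a value continue on following lines that start with whitespace), so all three checks can both false-pass and false-fail; `postconf -h mydestination` returns the effective, fully joined value and is the safer input, e.g. `mydestination=$(postconf -h mydestination 2>/dev/null)` computed once and tested three times. The first message reads `'localhost' s missing` — the "i" of "is" is missing — and the same text is still present in the 23.04.01 hunk (`@@ -151,10 +151,10 @@`) below.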
--- a/evocheck/files/evocheck.wheezy.sh +++ b/evocheck/files/evocheck.wheezy.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="23.03.01" +VERSION="23.04" readonly VERSION # base functions -- 2.39.2 From 0c2e06de33df24ce776304eeecf756ea22724959 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Fri, 7 Apr 2023 11:53:30 +0200 Subject: [PATCH 445/497] evocheck: upstream release 23.04.01 --- evocheck/files/evocheck.jessie.sh | 2 +- evocheck/files/evocheck.sh | 6 +++--- evocheck/files/evocheck.wheezy.sh | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/evocheck/files/evocheck.jessie.sh b/evocheck/files/evocheck.jessie.sh index 6fb3d3d7..05b5f8d1 100755 --- a/evocheck/files/evocheck.jessie.sh +++ b/evocheck/files/evocheck.jessie.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="23.04" +VERSION="23.04.01" readonly VERSION # base functions diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index d907a54f..52441988 100755 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="23.04" +VERSION="23.04.01" readonly VERSION # base functions 
@@ -151,10 +151,10 @@ check_postfix_mydestination() { if ! grep mydestination /etc/postfix/main.cf | grep --quiet -E 'localhost([[:blank:]]|$)'; then failed "IS_POSTFIX_MYDESTINATION" "'localhost' s missing in Postfix mydestination option." fi - if ! grep mydestination /etc/postfix/main.cf | grep --quiet -E 'localhost.localdomain'; then + if ! grep mydestination /etc/postfix/main.cf | grep --quiet 'localhost\.localdomain'; then failed "IS_POSTFIX_MYDESTINATION" "'localhost.localdomain' is missing in Postfix mydestination option." fi - if ! grep mydestination /etc/postfix/main.cf | grep --quiet -E 'localhost.$mydomain'; then + if ! grep mydestination /etc/postfix/main.cf | grep --quiet 'localhost\.\$mydomain'; then failed "IS_POSTFIX_MYDESTINATION" "'localhost.\$mydomain' is missing in Postfix mydestination option." fi } diff --git a/evocheck/files/evocheck.wheezy.sh b/evocheck/files/evocheck.wheezy.sh index b9ac86e6..461540b3 100755 --- a/evocheck/files/evocheck.wheezy.sh +++ b/evocheck/files/evocheck.wheezy.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="23.04" +VERSION="23.04.01" readonly VERSION # base functions -- 2.39.2 From 602bb22984e13be8fc89e3c1fbc2cacd49422fc4 Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Thu, 13 Apr 2023 09:55:35 +0200 Subject: [PATCH 446/497] Add template systemd for patroni --- patroni/tasks/config.yml | 8 ++++++++ patroni/templates/patroni.service.j2 | 17 +++++++++++++++++ 2 files changed, 25 insertions(+) create mode 100644 patroni/templates/patroni.service.j2 diff --git a/patroni/tasks/config.yml b/patroni/tasks/config.yml index f48959b9..4d44e285 100644 --- a/patroni/tasks/config.yml +++ b/patroni/tasks/config.yml @@ -16,3 +16,11 @@ group: root mode: "0644" +- mane: Create Systemd Unit for Patroni + ansible.builtin.template: + src: patroni.service.j2 + dest: /etc/systemd/system/patroni.service + owner: root + group: root + mode: "0644" + 
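Review bot: All three tests grep the raw `/etc/postfix/main.cf`, so they report every entry missing when `mydestination` is simply not set — in which case Postfix falls back to its built-in default, which already contains `localhost` and `localhost.$mydomain` — and they are satisfied by a commented-out `#mydestination` line. Reading the effective value once with `mydestination=$(postconf -h mydestination 2>/dev/null)` and matching the three patterns against `$mydestination` (or `postconf -xh` if the expanded `$mydomain` form is wanted) avoids both problems and three reads of the file. The first test, unchanged at the top of the hunk, still reads `'localhost' s missing`. The function begins above the hunk.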
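Review bot: The added task uses `mane:` where `name:` is intended, so Ansible rejects it as an invalid task attribute next to the `ansible.builtin.template` action and the play fails before the unit file is written; the line should be `- name: Create Systemd Unit for Patroni`. The task also drops a new unit into `/etc/systemd/system/` without a `notify` or a `daemon_reload`, so systemd will not see it until something else reloads the manager.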
diff --git a/patroni/templates/patroni.service.j2 b/patroni/templates/patroni.service.j2 new file mode 100644 index 00000000..6f9e1521 --- /dev/null +++ b/patroni/templates/patroni.service.j2 @@ -0,0 +1,17 @@ +[Unit] +Description=Runners to orchestrate a high-availability PostgreSQL +After=syslog.target network.target + +[Service] +Type=simple + +User=postgres +Group=postgres + +ExecStart=/usr/bin/patroni /etc/patroni/config-{{ cluster_name }}.yml +KillMode=process +TimeoutSec=30 +Restart=no + +[Install] +WantedBy=multi-user.targ -- 2.39.2 From e8c7d2c3e367ed0bb555ea08818f206fcd87070d Mon Sep 17 00:00:00 2001 From: Brice Waegeneire Date: Mon, 20 Mar 2023 18:00:22 +0100 Subject: [PATCH 447/497] lxc-php: add support for PHP 8.2 container --- CHANGELOG.md | 1 + evolinux-users/templates/sudoers_stretch.j2 | 1 + lxc-php/defaults/main.yml | 6 +-- lxc-php/handlers/main.yml | 5 ++ lxc-php/tasks/main.yml | 4 +- lxc-php/tasks/php82.yml | 53 +++++++++++++++++---- 6 files changed, 56 insertions(+), 14 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4afd0a00..1528a40d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * graylog: new role * Patroni: new role for install Patroni cluster +* lxc-php: add support for PHP 8.2 container ### Changed diff --git a/evolinux-users/templates/sudoers_stretch.j2 b/evolinux-users/templates/sudoers_stretch.j2 index 287483d9..29a22da7 100644 --- a/evolinux-users/templates/sudoers_stretch.j2 +++ b/evolinux-users/templates/sudoers_stretch.j2 
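Review bot: `WantedBy=multi-user.targ` is truncated — it must be `multi-user.target`, otherwise `systemctl enable patroni` links the unit under a target that does not exist and Patroni never starts at boot. `After=syslog.target` names a target modern systemd no longer provides; `network.target` alone is enough, or `network-online.target` if Patroni must reach etcd immediately at start. `Restart=no` for the process that orchestrates PostgreSQL failover deserves a one-line comment in the unit explaining that a crashed Patroni intentionally leaves the node unmanaged, since readers will otherwise assume it is an oversight.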
@@ -14,6 +14,7 @@ nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php74/rootfs/etc/php/7.4/fpm/pool.d/ nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php80/rootfs/etc/php/8.0/fpm/pool.d/ nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php81/rootfs/etc/php/8.1/fpm/pool.d/ +nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php82/rootfs/etc/php/8.2/fpm/pool.d/ nagios ALL = NOPASSWD: /usr/sbin/megaclisas-status --nagios nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_ipmi_sensor nagios ALL = NOPASSWD: /sbin/dmsetup status --noflush diff --git a/lxc-php/defaults/main.yml b/lxc-php/defaults/main.yml index d27f60f2..17af05cf 100644 --- a/lxc-php/defaults/main.yml +++ b/lxc-php/defaults/main.yml @@ -21,7 +21,7 @@ lxc_php_container_releases: php74: "bullseye" php80: "bullseye" php81: "bullseye" - # php82: "bookworm" + php82: "bullseye" lxc_php_services: php56: 'php5-fpm.service' @@ -30,6 +30,6 @@ lxc_php_services: php74: 'php7.4-fpm.service' php80: 'php8.0-fpm.service' php81: 'php8.1-fpm.service' - # php82: 'php8.2-fpm.service' + php82: 'php8.2-fpm.service' -apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" diff --git a/lxc-php/handlers/main.yml b/lxc-php/handlers/main.yml index 1a2d7a6e..b703933b 100644 --- a/lxc-php/handlers/main.yml +++ b/lxc-php/handlers/main.yml 
@@ -10,6 +10,11 @@ name: "{{ lxc_php_version }}" container_command: "systemctl restart {{ lxc_php_services[lxc_php_version] }}" +- name: Reload php82-fpm + community.general.lxc_container: + name: "{{ lxc_php_version }}" + container_command: "systemctl reload php8.2-fpm" + - name: Reload php81-fpm community.general.lxc_container: name: "{{ lxc_php_version }}" diff --git a/lxc-php/tasks/main.yml b/lxc-php/tasks/main.yml index c3d58eba..035bfe15 100644 --- a/lxc-php/tasks/main.yml +++ b/lxc-php/tasks/main.yml @@ -39,8 +39,8 @@ - ansible.builtin.import_tasks: "php81.yml" when: lxc_php_version == "php81" -# - ansible.builtin.import_tasks: "php82.yml" -# when: lxc_php_version == "php82" +- ansible.builtin.import_tasks: "php82.yml" + when: lxc_php_version == "php82" - ansible.builtin.import_tasks: "umask.yml" diff --git a/lxc-php/tasks/php82.yml b/lxc-php/tasks/php82.yml index a83207c8..1fb81851 100644 --- a/lxc-php/tasks/php82.yml +++ b/lxc-php/tasks/php82.yml 
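Review bot: The new `Reload php82-fpm` handler hard-codes `php8.2-fpm` in `container_command`, while the handler visible in the context just above derives the unit name from `lxc_php_services[lxc_php_version]`, a map this same commit extends with a `php82` entry; `container_command: "systemctl reload {{ lxc_php_services[lxc_php_version] }}"` keeps the service name in one place. The existing `Reload php81-fpm` handler below it appears to follow the hard-coded form as well, so this is a consistency point rather than a defect.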
@@ -2,21 +2,56 @@ - name: set APT keyring ansible.builtin.set_fact: - lxc_apt_keyring_dir: /etc/apt/keyrings + lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d + +- name: "{{ lxc_php_version }} - Install dependency packages" + community.general.lxc_container: + name: "{{ lxc_php_version }}" + container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget apt-transport-https gnupg" + +- name: "{{ lxc_php_version }} - fix bullseye repository" + ansible.builtin.replace: + dest: "{{ lxc_rootfs }}/etc/apt/sources.list" + regexp: 'bullseye/updates' + replace: 'bullseye-security' + +- name: "{{ lxc_php_version }} - Add sury repo" + ansible.builtin.lineinfile: + dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/sury.list" + line: "{{ item }}" + state: present + create: yes + mode: "0644" + loop: + - "deb [signed-by={{ apt_keyring_dir }}/sury.gpg] https://packages.sury.org/php/ bullseye main" + - "deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix bullseye-php82 main" + +- name: copy pub.evolix.net GPG key + ansible.builtin.copy: + src: pub_evolix.asc + dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/pub_evolix.asc + mode: "0644" + owner: root + group: root + +- name: copy packages.sury.org GPG Key + ansible.builtin.copy: + src: sury.gpg + dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/sury.gpg + mode: "0644" + owner: root + group: root + +- name: "{{ lxc_php_version }} - Update APT cache" + community.general.lxc_container: + name: "{{ lxc_php_version }}" + container_command: "DEBIAN_FRONTEND=noninteractive apt update" - name: "{{ lxc_php_version }} - Install PHP packages" community.general.lxc_container: name: "{{ lxc_php_version }}" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer" -# TODO : adapt to Bookworm and deb822 format - -- 
name: "{{ lxc_php_version }} - fix bookworm repository" - ansible.builtin.replace: - dest: "{{ lxc_rootfs }}/etc/apt/sources.list" - regexp: 'bullseye/updates' - replace: 'bullseye-security' - - name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" ansible.builtin.template: src: z-evolinux-defaults.ini.j2 -- 2.39.2 From 42e98791d95409963d57a20f83ff459a170d4744 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 23 Apr 2023 10:29:50 +0200 Subject: [PATCH 448/497] Extract patroni role into its own branch for now --- CHANGELOG.md | 1 - patroni/README.md | 4 -- patroni/defaults/main.yml | 21 ------- patroni/files/pub_evolix.asc | 87 ---------------------------- patroni/meta/main.yml | 31 ---------- patroni/tasks/backports.yml | 27 --------- patroni/tasks/config.yml | 26 --------- patroni/tasks/main.yml | 7 --- patroni/tasks/packages.yml | 8 --- patroni/templates/patroni.conf.j2 | 73 ----------------------- patroni/templates/patroni.pref.j2 | 3 - patroni/templates/patroni.service.j2 | 17 ------ 12 files changed, 305 deletions(-) delete mode 100644 patroni/README.md delete mode 100644 patroni/defaults/main.yml delete mode 100644 patroni/files/pub_evolix.asc delete mode 100644 patroni/meta/main.yml delete mode 100644 patroni/tasks/backports.yml delete mode 100644 patroni/tasks/config.yml delete mode 100644 patroni/tasks/main.yml delete mode 100644 patroni/tasks/packages.yml delete mode 100644 patroni/templates/patroni.conf.j2 delete mode 100644 patroni/templates/patroni.pref.j2 delete mode 100644 patroni/templates/patroni.service.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index 1528a40d..4cb6a43d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,7 +14,6 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added * graylog: new role -* Patroni: new role for install Patroni cluster * lxc-php: add support for PHP 8.2 container ### Changed 
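Review bot: The `set APT keyring` task now stores `/etc/apt/trusted.gpg.d` in `lxc_apt_keyring_dir`, but nothing in the added tasks reads it: the `signed-by=` paths in `sury.list` and the `dest:` of both key copies use `{{ apt_keyring_dir }}`, which the role's defaults (changed in this same commit) derive from the host's Debian major version, so on a Debian 12 host the keys for this bullseye container are addressed under `rootfs/etc/apt/keyrings`, a directory bullseye's apt does not create by default and which, as far as I recall, `ansible.builtin.copy` fails on rather than creating; either use `lxc_apt_keyring_dir` in those three places or drop the fact. The two copy tasks also hard-code `/var/lib/lxc/{{ lxc_php_version }}/rootfs` where the neighbouring tasks in the hunk use `{{ lxc_rootfs }}`. The Evolix repository line is plain `http://`; `signed-by` still authenticates the packages, but since `apt-transport-https` is installed just above, `https://` would cost nothing if the mirror serves it.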
diff --git a/patroni/README.md b/patroni/README.md deleted file mode 100644 index e3999617..00000000 --- a/patroni/README.md +++ /dev/null @@ -1,4 +0,0 @@ -# Patroni - -Installation and basic configuration of Patroni. - diff --git a/patroni/defaults/main.yml b/patroni/defaults/main.yml deleted file mode 100644 index 85ead1b1..00000000 --- a/patroni/defaults/main.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- - -# Install Patroni from backport Evolix -patroni_backport: false - -# Define variable for Patroni - -cluster_name: "mycluster" -patroni_restapi_listen: "127.0.0.1" -patroni_port: "8008" -postgresql_hosts_cluster: [] -postgresql_listen_ips: 127.0.0.1 -postgresql_connect_ip: 127.0.0.1 -postgresql_version: '' -postgresql_replication_user: 'repl' -postgresql_superuser: 'admin' - -# Define variable for etcd -etcd_hosts: [] -etcd_port: "2379" - diff --git a/patroni/files/pub_evolix.asc b/patroni/files/pub_evolix.asc deleted file mode 100644 index 4a21bdfe..00000000 --- a/patroni/files/pub_evolix.asc +++ /dev/null 
@@ -1,87 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -mQINBGOsRdcBEADDPJ8Tsqr5Z4crmQlNQM32hfufe7gTUrXo0cAL8clt92y1QX3N -YyMv0Re4+Ugo7JZd4jsF2Q1twJMxsX5rA12xDnHHcZRSc/E0DIYvPnfLzEHkwseN -OK4f9lI+xo06k+B3KQQKMeI/RjVaN6AiSply9ZGaZVeGGqd4es4PsU1VQMTWdclV -Bn54HBWUnL5dPStPMnNkt0bMQYIqc5733Yby3qMiUKcql2bl9TYBw8SaJXvClsLw -ERqit6FjljUOEeWtB4WZFpjhc/aqcxGcUTPHRrNTlNF0HCvk8JicEu4/lr99pwy7 -7z6SRql++WGMSG06E4MBtUt+wWAmDDHNj3fdZPnoCaDFp7vxy/FEARB2aygTtu11 -mLk4XOKheqU/WibWxoXRzyUCuclJ247Fh+YPxkYVG1dnDwpWGbYuRmzUapGLv4ma -dnKsQN0KhXzUqkSoybBgV208dGOP7BqdY6TVnyU0v/7XDeUqFEwnllRKMSYLilV3 -huTifiCFTK45HACM/x2yckx8dyAuYg6cJaAR1yn1iaTexoyYPG9ZFifvMB6ranEm -vkmQq1e8/7xiNSQsh5F3Ybl5hh4GVLwsR6esfZsHG0Ve+CitsmcZgWnr0JJ2PZOk -+XHxMwo7Gb0/KVH9XGeoXk+eiNNW/kdcgBMkGkU3nWooVHDm7Dy54I5CzQARAQAB -tC9Fdm9saXggUHVibGljIFJlcG9zaXRvcnkgPGVxdWlwZStwdWJAZXZvbGl4LmZy -PokCVAQTAQoAPhYhBP+vfRvzUK1F+rMpCUaPWta4YwY9BQJjrEXXAhsDBQkHhM4A -BQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEEaPWta4YwY9V6oP/iYfZceiA1Sy -x9t/7CL3EReuvpdZtZYf2KklBfxEFtzkERV/KKMMpf8mKoGD6BA+ryUc7b4a8npq -yvKbSKDHGZW6gAbq8hneW71vRuNfPNqtfO98JbJO694nqX9sIYU2xQn0UIh0G6N7 -D2bOcaicn8AgV/8cQZfgN9yRM4VhCoWZwhLqgROUqMYfDn3szamfkPcFiw10ToVt -c2PIFdqj2soKO9OrF5Ct/pztSGy1f+orDFiJ0AtRlqqRk9z18VB893qspfyd6y9N -q7IrQbYsiP+D8DcXYWZA1KURsI4LVQwsudNXokvGkYdnZitVgXI2lIaY7odDou5F -btZsCIEa45m7Vmvu0Wvtu/90EFbu9iwbOVrNpC7lLnfJpDObVXMiY1r0rQVuweEZ -ZbBcv1NUa3R0SPsPLPKf7L6dCx8gCpZjDVJLsgBeeSEV7XFQiYDbl8THasNTKCOa -C6v4h00mg0H6GhZvGMx+lcx8TzW6l3XXRoptHl4vkdE5usLFjy8/JWG3yJ7e2W3D -jVbPQ0UKJAnkGn1t+UJB1GP9O4annks0nPfcomjZzaDweIL8zSLPy5R9DGNgYLjp -5h/baLoNAOkaKssZrusq/P+BM2tdr3i/N6TK+dbrffz3hNgzSFFYVg51DspV7XWo -JKGqhqCgQpkms+NPJiKr4NDs6DdXn0IKuQINBGOsRdcBEAC9i5qcrYLTfeGrWPo3 -Zok3jikNk181HC3HR7Wu8a5whCe/88GgJDY00sU2zZEF9hN/4Vtqq9FICVXUcs+F -5j+Gcb/sqAgwXuwk8LKuhbtR2cnz6I0GCsqNPuj+5uM7MXQlVWeIN5Z6zA/Jw++o -aENZHO6cnuep2KDNPUZzjmTHAa4+qXRL5cRXEOmMB1vtA8mm/43c7wicJ7MrZpba -mqzmiQPsQ2qfmCABfx8BwBgXCVON4sgtzCa+rYOPScsDtv0pv6uG+h/GJp4MdKBp 
-g3BfShQEAmOwwy3Pt2vo9Rw2s0uJJ9AM2O6tJ3x93YkUP5qj3Etr/eTcgVUiVvSs -h2Rrz2FLen3GMAcqUUDPViCy9nEWRAo7iWQgAKgr8WjeGerOmtsYPyjIQE47eX5M -Gomx0LVCGigYfkSAFIYzm5I+depmn1qTUyizfklvPr0bA/8Cs4zbqx6Pf6Rk5wvb -sJ4envk3dzQRNTH1Vt7Yoktyx1+VX0HFVEaPTQ3JlFORaHYwQQ97LaOZ0VmztE0A -5+CIFFdqp/0H7zGPol+LsPgqnzZZEQ2XFYPOy7/gB17zI2eWNWPAQmOdrUM/v12A -etnLEthZyALcjjBpJEVIHFnuaabYp+mdotycjDkBNSh+P+8H/UsMSrNVhheKQLB8 -smzwFcSrAcnQbtiCjFWANTWyKQARAQABiQI8BBgBCgAmFiEE/699G/NQrUX6sykJ -Ro9a1rhjBj0FAmOsRdcCGwwFCQeEzgAACgkQRo9a1rhjBj0FZw//fNhJdx55ACvX -mpa8wz6eZOvzhr5GWSW5/Qie9nRjInPPI3bJ/jU0S/4ENqFBD9RSvY5F+0xCU67F -V2R3a3FFcB81HLIcUrkN0GH6fLcex0Js+grq/U117e2umdfGMKQG0UFJ+XonhtlT -foBcBjXPFr2NUaJB2SPo/RPQ3U+N3wMSm0ZbB/Xvxi5qMEb971dfObvsXTkQZvn7 -b0TvccfHhyzs2IM8pZO3PamTwA5e16/2QqisRX4CeL0a/q3Yxfw4R8RPCrz/l0k5 -FPdbdXaQuk5s+CiV+Nse7yFGoEoSlLpJM2BpueBsIg92joyOstZRm+tuCb5QefWI -7yFPfJU6xG1CMDqIGjXNU1tzSIoReGUBCNrE9UgzBQPPVD0jNM1WdW6HWSVR7jBb -+dvAeJNzQjJYlvKLQ383mAiVcwmCWBUp+R/kBPlLMGEpLlspti5fkmEc8xvtCaHc -fCLVWd0r2lUFUz+W53r8IXaRcxLtFinz7SHZPrlhaVwErdtlo+5X3kq39Mc4KCmF -bevT+qxlgzHXof+WGTYoc9IHkhDrvZ/TWeAUnBPvVn88dsBRtOC9f5wSCK4r9SfR -Dnf0lAsLWMpNtt812W8sA82RGXRUBwonZKa7YoGNKSa2vPJcUgmpIiHNtoLWpNa+ -7pYGN7bV51zyQ1ERaLU5TBC9sPE70p25Ag0EY6xJaQEQAKsxFCb4Vxe8VuUEAKp/ -RSRNGX/v9KqXVwbnf3kTYq9FMoplZBeqj4LQ22BqRzZ74ywoyfvHHtvkAtCbmrlc -8iLQEmicLug3Ibk97qm1lvvHnK9fqFOWh+Tx/omlaiSzEfAFbLEjNcplmq1ooqmX -fkI9zcefLZHtUFx6Clw3rwp79d/V5XJDM+2jwB47HfIhrW6jEubUuaXIHNR/GSSd -gTYuw55g9K97LhONX6ZvSBhjp4pOeUUbtFuG1fRkjPiObsB54fJ2R32yfm4jV53/ -YgG/Ih/o97tKV+ishQIrr85SB3XiLFlGhQuu/0a/+/vfGVTbJOzrQrE+OCWt9Xm1 -4b91MiVSSzXy6TGzPvpNXYR2PQZzVwvz7UctCikaE4gGB0lSH0LemDD0LZIZUwBL -1G9mlwFTkMYK0+iMyHFOKeAlUnSSpO6hFYr4GHOxAMGTjHqqEJZ3lBi9SBPc7AEK -3NcEp4etuiLOeaSBtqmUs+y7g8yMTrnyWPVxa0l5q4OUitbb2qvWYbaD3O22xYyj -9BlqzpG9uO6/d8HefDK8XMNCHlmwFoJj3HJlHJg7oN029vYsXEwBIhFyolAPzIvB -jpLKcebq9DJSObs1nHjAyVUpL4ZzRmujFcJYDYSixiqaWc/1aGTgUZQ/JDXcODiC -LgFu1vLTRf6hwKSb/vnZP5OtABEBAAGJBHIEGAEKACYWIQT/r30b81CtRfqzKQlG 
-j1rWuGMGPQUCY6xJaQIbAgUJA8JnAAJACRBGj1rWuGMGPcF0IAQZAQoAHRYhBA7H -BbTwXPF0hLMgRYefxhvnjx3ABQJjrElpAAoJEIefxhvnjx3ANpUQAIFLkLcx2z3M -jV0SgoAYertib9T/OOy/rsfeQjE6DFk6IArrHolZPA9g/PpTPuRwK165n5xw483q -BMyssUT9IK7SZxt0gbKpvZ0HFSCwSp5wdSJZymwB4AOcgRBU5rwC/9fFxYihgIym -Ig7TH9aWW4hDbEuGJDrKbhK+DpIL7lK3A5WUZk9ltGOpCcFctV3YnVgbMIwX5gO6 -lZ5Zi6NHJEB3HauVZJ59NIPJ/f0xe5GMte/LXckyijs9ei4WOFOjstiW64EWkOBH -El0tj+LUxLznCP2szdXjkDN1P6/NDrY1Nid6/ECOfkh4xO/VHhkdSRAlhdP9FHiV -sy3KUUoPH5B805z1MyOI7UYUD/8CK0juIXcbw7isbVUmLf/VV8jEDmq3WWDj8YZp -IStn2AvQeo3VWGWUfkf3v7UthKandIUTIGc5isD+i6KvzzbggyyZWNtvb3/1wMrz -DUKGlFi/IjMhhElJ0oF3YGsBwz2V2UKP7pPIYo+f5zthc7SbmO9yxAQebEOc3prM -G/Br8JOZ90w1dy6CeIYxkM4YEhhG1K8CzD3ZTTI7vh8mwRc92A6HI2NFyxeYJCr0 -IsUcFQpCyXMtcLRN75DGLIjIKdYrYJuwSiUgcH5FtgkuxMYfJEX9UX8rV7HAxUvs -UdIyHLl7k+khGlZa0/W6uCioFNiygnBEp7oP/iSj4Q2Xh5yKI6Jjw/IsfRcsiaac -lHc7uF0caYGMkqRNHiX17d5EtaidTbiqQii1W9slSPXmUuUcKfD1xUfLng7TbZVm -AdEbpHCT+q037cGCYFpHPMvw3OYhhGzYeh3+1oN9t3ZvyGlvAhkrtssDQB+gxX8r -adCpihziFLjm+6IvCLYHEh3gILVFbbhdYDDUduFFjf/snlJW7j8OVc7Cxa7FbPdf -SHLT9VESzf7oiwkP5/ijGmHiEQoJd9EWYkGGz+LZAXemBwe5ZnPPWVZvDEQRMe8v -2V8pa37vyReaK//O8xxGg3NzGTn9otwVr/4Ti9OxrSzmDWpd967oZ42IZSeSY2bz -kOaV8z4C8AIgIA7vWOS83Hncbrgf2nMCXmRjf0KTMm1P7Z0BQDWpxK9lP0nRpVAg -2T3/OjJ9KcAsTz02NFC3/kOUz//NcfDP747HsQB0sltIty140B7CfcWk0a0eKSad -OxGUehskjyKhO6v3dYF+8oR9p98Q8/Rh8r7evYy2mfhgJd7a9Cchn7612Y6k1SLf -nmPGYu3s0lf/k6GoHLfXXQIJDgWeua4ZBr6cgpGONLSvWBeCVaqnk8nhbNIiSBHk -jnrcX8xAtoPLgqg0+yi7rZ3NAauZcQE6UaNB+xjJxDOIpgVLUWtFyAG4MDeIh6GH -oA9QflpnDubMnCve -=ZCml ------END PGP PUBLIC KEY BLOCK----- diff --git a/patroni/meta/main.yml b/patroni/meta/main.yml deleted file mode 100644 index dffff81a..00000000 --- a/patroni/meta/main.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -galaxy_info: - company: Evolix - description: Installation and basic configuration of Patroni - - issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues - - license: GPLv2 - - min_ansible_version: "2.7" - - platforms: - - name: Debian - versions: - - buster - - bullseye - - bookworm - - galaxy_tags: [] - # List tags for your role here, one per line. A tag is - # a keyword that describes and categorizes the role. - # Users find roles by searching for tags. Be sure to - # remove the '[]' above if you add tags to this list. - # - # NOTE: A tag is limited to a single word comprised of - # alphanumeric characters. Maximum 20 tags per role. - -dependencies: [] - # List your role dependencies here, one per line. - # Be sure to remove the '[]' above if you add dependencies - # to this list. - diff --git a/patroni/tasks/backports.yml b/patroni/tasks/backports.yml deleted file mode 100644 index 43e76f22..00000000 --- a/patroni/tasks/backports.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- - -- name: Add Evolix GPG key - ansible.builtin.copy: - src: pub_evolix.asc - dest: "{{ apt_keyring_dir }}/pub_evolix.asc" - force: yes - mode: "0644" - owner: root - group: root - -- name: Add Evolix backports repository - ansible.builtin.apt_repository: - repo: "deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix {{ ansible_distribution_release }}-backports main" - filename: backports.list - state: present - -- name: Update APT cache - ansible.builtin.apt: - update_cache: yes - -- name: Add APT preference file - ansible.builtin.template: - src: patroni.pref.j2 - dest: /etc/apt/preferences.d/patroni.pref - mode: "0644" - diff --git a/patroni/tasks/config.yml b/patroni/tasks/config.yml deleted file mode 100644 index 4d44e285..00000000 --- a/patroni/tasks/config.yml +++ /dev/null 
@@ -1,26 +0,0 @@ ---- - -- name: Create a password for PostgreSQL repl user - command: "apg -M LCN -n1 -m 16" - register: postgresql_replication_password - -- name: Create a password for PostgreSQL superuser user - command: "apg -M LCN -n1 -m 16" - register: postgresql_superuser_password - -- name: Create Patroni config file - ansible.builtin.template: - src: patroni.conf.j2 - dest: /etc/patroni/config-{{ cluster_name }}.yml - owner: root - group: root - mode: "0644" - -- mane: Create Systemd Unit for Patroni - ansible.builtin.template: - src: patroni.service.j2 - dest: /etc/systemd/system/patroni.service - owner: root - group: root - mode: "0644" - diff --git a/patroni/tasks/main.yml b/patroni/tasks/main.yml deleted file mode 100644 index 36b4eb41..00000000 --- a/patroni/tasks/main.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- ansible.builtin.import_tasks: backports.yml - when: patroni_backport | bool - -- ansible.builtin.import_tasks: packages.yml -- ansible.builtin.import_tasks: config.yml diff --git a/patroni/tasks/packages.yml b/patroni/tasks/packages.yml deleted file mode 100644 index 198dcb7b..00000000 --- a/patroni/tasks/packages.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- - -- name: Install patroni package - ansible.builtin.apt: - name: - - patroni - update_cache: yes - diff --git a/patroni/templates/patroni.conf.j2 b/patroni/templates/patroni.conf.j2 deleted file mode 100644 index 2dc23a28..00000000 --- a/patroni/templates/patroni.conf.j2 +++ /dev/null 
@@ -1,73 +0,0 @@ -scope: {{ cluster_name }} -name: {{ cluster_name_host }} - -restapi: - listen: {{ patroni_restapi_listen }}:{{ patroni_restapi_port }} - connect_address: {{ patroni_restapi_listen }}:{{ patroni_restapi_port }} - -etcd: - hosts: -{% for server in groups['etcd'] %} - - {{ hostvars[server]['etcd_host'] }}:{{ etcd_client_port }} -{% endfor %} - -bootstrap: - dcs: - ttl: 30 - loop_wait: 10 - retry_timeout: 10 - maximum_lag_on_failover: 1048576 - postgresql: - use_pg_rewind: true - use_slots: true - parameters: - wal_level: replica - hot_standby: "on" - wal_keep_segment: 8 - max_wal_senders: 5 - max_relication_slots: 5 - checkpoint_timeout: 30 - - initdb: - - encoding: UTF8 - - data-checksums - - pg_hba: - - host replication repl 127.0.0.1/32 md5 -{% for server in groups['patroni'] %} - - host replication repl {{ hostvars[server]['postgresql_hosts_cluster'] }}/0 md5 -{% endfor %} - - host all all 0.0.0.0/0 md5 - - users: - {{ postgresql_superuser }}: - password: {{ postgresql_superuser_password.stdout }} - options: - - createrole - - createdb - {{ postgresql_replication_user }}: - password: {{ postgresql_replication_password.stdout }} - options: - - replication - -postgresql: - listen: {{ postgresql_listen_ips }}:{{ postgresql_port }} - connect_address: {{ postgresql_connect_ip }}:{{ postgresql_port }} - bin_dir: /usr/lib/postgresql/{{ postgresql_version }}/bin/ - data_dir: /home/{{ cluster_name_host }} - pgpass: /tmp/{{ cluster_name_host }}-pgpass - authentication: - replication: - username: {{ postgresql_replication_user }} - password: {{ postgresql_replication_password.stdout }} - superuser: - username: {{ postgresql_superuser }} - password: {{ postgresql_superuser_password.stdout }} - parameters: - unix_socket_directories: '/tmp' - -tags: - nofailover: false - noloadbalance: false - clonefrom: false - nosync: false diff --git a/patroni/templates/patroni.pref.j2 b/patroni/templates/patroni.pref.j2 deleted file mode 100644 index 6e6dd081..00000000 
--- a/patroni/templates/patroni.pref.j2 +++ /dev/null @@ -1,3 +0,0 @@ -Package: patroni -Pin: release a={{ ansible_distribution_release }}-backports -Pin-Priority: 999 diff --git a/patroni/templates/patroni.service.j2 b/patroni/templates/patroni.service.j2 deleted file mode 100644 index 6f9e1521..00000000 --- a/patroni/templates/patroni.service.j2 +++ /dev/null @@ -1,17 +0,0 @@ -[Unit] -Description=Runners to orchestrate a high-availability PostgreSQL -After=syslog.target network.target - -[Service] -Type=simple - -User=postgres -Group=postgres - -ExecStart=/usr/bin/patroni /etc/patroni/config-{{ cluster_name }}.yml -KillMode=process -TimeoutSec=30 -Restart=no - -[Install] -WantedBy=multi-user.targ -- 2.39.2 From 6cd72cf9f44f3051435d6e0355afac27f6363674 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 23 Apr 2023 10:48:39 +0200 Subject: [PATCH 449/497] Release 23.04 --- CHANGELOG.md | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4cb6a43d..0db8d343 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,11 +13,24 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added +### Changed + +### Fixed + +### Removed + +### Security + +## [23.04] 2023-04-23 + +### Added + * graylog: new role * lxc-php: add support for PHP 8.2 container ### Changed +* Use FQCN (Fully Qualified Collection Name) * apt: with Debian 12, backports are installed but disabled by default * openvpn: updated the README file * pgbouncer: add handler to restart the service @@ -26,10 +39,6 @@ The **patch** part changes is incremented if multiple releases happen the same m * generate-ldif: Support for Debian 12 -### Removed - -### Security - ## [23.03.1] 2023-03-16 ### Added -- 2.39.2 From 8f4bcccbc39873af6f8f44735450f136a881af53 Mon Sep 17 00:00:00 2001 
From: William Hirigoyen Date: Wed, 26 Apr 2023 17:43:26 +0200 Subject: [PATCH 450/497] packweb-apache,nagios-nrpe: add missing task and config fo PHP 8.2 container --- nagios-nrpe/templates/evolix.cfg.j2 | 1 + packweb-apache/tasks/dependencies.yml | 9 ++++++++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2 index 263fde10..c0f97ea7 100644 --- a/nagios-nrpe/templates/evolix.cfg.j2 +++ b/nagios-nrpe/templates/evolix.cfg.j2 @@ -83,6 +83,7 @@ command[check_php-fpm73]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi command[check_php-fpm74]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php74/rootfs/etc/php/7.4/fpm/pool.d/ command[check_php-fpm80]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php80/rootfs/etc/php/8.0/fpm/pool.d/ command[check_php-fpm81]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php81/rootfs/etc/php/8.1/fpm/pool.d/ +command[check_php-fpm82]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php82/rootfs/etc/php/8.2/fpm/pool.d/ command[check_ipmi_sensors]=sudo /usr/lib/nagios/plugins/check_ipmi_sensor command[check_raid_status]=/usr/lib/nagios/plugins/check_raid command[check_dhcp_pool]={{ nagios_plugins_directory }}/check_dhcp_pool diff --git a/packweb-apache/tasks/dependencies.yml b/packweb-apache/tasks/dependencies.yml index cd0efd40..bf29b849 100644 --- a/packweb-apache/tasks/dependencies.yml +++ b/packweb-apache/tasks/dependencies.yml @@ -70,6 +70,13 @@ lxc_php_create_mysql_link: True when: "'php81' in packweb_multiphp_versions" +- ansible.builtin.include_role: + name: evolix/lxc-php + vars: + lxc_php_version: php82 + lxc_php_create_mysql_link: True + when: "'php82' in packweb_multiphp_versions" + - ansible.builtin.include_role: name: evolix/webapps/evoadmin-web vars: 
@@ -77,4 +84,4 @@ evoadmin_multiphp_versions: "{{ packweb_multiphp_versions }}" - include_role: - name: evolix/evoacme \ No newline at end of file + name: evolix/evoacme -- 2.39.2 From 5c60fad29c27a5d850db00793a8df456fccfda1c Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Wed, 26 Apr 2023 18:10:45 +0200 Subject: [PATCH 451/497] evolinux-users: remove Stretch references in tasks that also apply to next Debian versions. --- CHANGELOG.md | 2 ++ evolinux-users/tasks/sudo.yml | 4 ++-- .../tasks/{sudo_stretch_common.yml => sudo_common.yml} | 2 +- evolinux-users/tasks/{sudo_stretch_user.yml => sudo_user.yml} | 0 evolinux-users/templates/{sudoers_stretch.j2 => sudoers.j2} | 0 5 files changed, 5 insertions(+), 3 deletions(-) rename evolinux-users/tasks/{sudo_stretch_common.yml => sudo_common.yml} (95%) rename evolinux-users/tasks/{sudo_stretch_user.yml => sudo_user.yml} (100%) rename evolinux-users/templates/{sudoers_stretch.j2 => sudoers.j2} (100%) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0db8d343..afc09df4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,8 +14,10 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added ### Changed +* evolinux-users: remove Stretch references in tasks that also apply to next Debian versions. ### Fixed +* packweb-apache,nagios-nrpe: add missing task and config fo PHP 8.2 container ### Removed diff --git a/evolinux-users/tasks/sudo.yml b/evolinux-users/tasks/sudo.yml index 85149147..b3089aab 100644 --- a/evolinux-users/tasks/sudo.yml +++ b/evolinux-users/tasks/sudo.yml @@ -11,9 +11,9 @@ - block: - - ansible.builtin.include: sudo_stretch_common.yml + - ansible.builtin.include: sudo_common.yml - - ansible.builtin.include: sudo_stretch_user.yml + - ansible.builtin.include: sudo_user.yml vars: user: "{{ item.value }}" loop: "{{ evolinux_users | dict2items }}" 
diff --git a/evolinux-users/tasks/sudo_stretch_common.yml b/evolinux-users/tasks/sudo_common.yml similarity index 95% rename from evolinux-users/tasks/sudo_stretch_common.yml rename to evolinux-users/tasks/sudo_common.yml index ba7fb50b..0560f997 100644 --- a/evolinux-users/tasks/sudo_stretch_common.yml +++ b/evolinux-users/tasks/sudo_common.yml @@ -10,7 +10,7 @@ - name: "Verify 'evolinux' sudoers file presence (Debian 9 or later)" ansible.builtin.template: - src: sudoers_stretch.j2 + src: sudoers.j2 dest: /etc/sudoers.d/evolinux force: no mode: "0440" diff --git a/evolinux-users/tasks/sudo_stretch_user.yml b/evolinux-users/tasks/sudo_user.yml similarity index 100% rename from evolinux-users/tasks/sudo_stretch_user.yml rename to evolinux-users/tasks/sudo_user.yml diff --git a/evolinux-users/templates/sudoers_stretch.j2 b/evolinux-users/templates/sudoers.j2 similarity index 100% rename from evolinux-users/templates/sudoers_stretch.j2 rename to evolinux-users/templates/sudoers.j2 -- 2.39.2 From 9821fc8f785c09b8ac29e5c1df1a3bf8fc594e8f Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Thu, 27 Apr 2023 10:52:32 +0200 Subject: [PATCH 452/497] userlogrotate: rotate also php.log --- CHANGELOG.md | 1 + userlogrotate/files/userlogrotate | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index afc09df4..14ecfebb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ## [Unreleased] ### Added +* userlogrotate: rotate also php.log. ### Changed * evolinux-users: remove Stretch references in tasks that also apply to next Debian versions. diff --git a/userlogrotate/files/userlogrotate b/userlogrotate/files/userlogrotate index dfa51738..ce8cc28a 100644 --- a/userlogrotate/files/userlogrotate +++ b/userlogrotate/files/userlogrotate 
@@ -15,7 +15,7 @@ user_for() { stat -L -c '%G' $homedir } -for log in access.log access-*.log error.log; do +for log in access.log access-*.log error.log php.log; do for i in $(ls -1 -d $HOMEPREFIX/*/log/$log 2>/dev/null | grep -v \.bak\.); do USER="$(user_for $i)" rotate $i root:$USER @@ -55,4 +55,4 @@ for log in production.log*[!\.gz] delayed_job.log*[!\.gz] development.log*[!\.gz done done -exit 0 \ No newline at end of file +exit 0 -- 2.39.2 From db0b5ab3db2ff94a9d4b7b21ee18ee51fe0068db Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Tue, 2 May 2023 14:20:39 +0200 Subject: [PATCH 453/497] postfix: add missing localhost.$mydomain to mydestination --- CHANGELOG.md | 3 ++- evolinux-base/tasks/postfix.yml | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 14ecfebb..27288389 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,7 +18,8 @@ The **patch** part changes is incremented if multiple releases happen the same m * evolinux-users: remove Stretch references in tasks that also apply to next Debian versions. ### Fixed -* packweb-apache,nagios-nrpe: add missing task and config fo PHP 8.2 container +* packweb-apache,nagios-nrpe: add missing task and config for PHP 8.2 container +* potsfix: add missing `localhost.$mydomain` to mydestination ### Removed diff --git a/evolinux-base/tasks/postfix.yml b/evolinux-base/tasks/postfix.yml index 1c5d986c..d9dba3e2 100644 --- a/evolinux-base/tasks/postfix.yml +++ b/evolinux-base/tasks/postfix.yml @@ -25,7 +25,7 @@ ansible.builtin.lineinfile: dest: /etc/postfix/main.cf state: present - line: "mydestination = {{ [evolinux_fqdn, evolinux_internal_fqdn] | unique | join(' ') }} localhost.localdomain localhost" + line: "mydestination = {{ [evolinux_fqdn, evolinux_internal_fqdn] | unique | join(' ') }} localhost.localdomain localhost localhost.$mydomain" regexp: '^mydestination' notify: reload postfix tags: -- 2.39.2 
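Review bot: The loop that `php.log` is added to discovers files with `$(ls -1 -d $HOMEPREFIX/*/log/$log | grep -v \.bak\.)` and then passes `$i` unquoted to `user_for` and `rotate`, so any path containing whitespace is word-split into several arguments before it reaches `rotate`, which runs as root on files under user-controlled home directories; the unquoted `\.bak\.` also reaches grep as `.bak.`, where each `.` matches any character. A plain glob with quoting removes the `ls` parsing and the splitting; the `user_for` function above the hunk has the same unquoted `$homedir`.

```shell
for log in access.log access-*.log error.log php.log; do
    for i in "$HOMEPREFIX"/*/log/$log; do
        [ -e "$i" ] || continue
        case "$i" in *.bak.*) continue ;; esac
        USER="$(user_for "$i")"
        rotate "$i" "root:$USER"
    done
done
# … unchanged: rails log loop and exit 0 …
```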
From d3345d28668922f0bb82bd0ed304922364f58b71 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 9 May 2023 09:31:03 +0200 Subject: [PATCH 454/497] apt: move stretch backports to archive.d.o --- apt/templates/stretch_backports.list.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apt/templates/stretch_backports.list.j2 b/apt/templates/stretch_backports.list.j2 index 4f69547d..ffd6f98f 100644 --- a/apt/templates/stretch_backports.list.j2 +++ b/apt/templates/stretch_backports.list.j2 @@ -1,3 +1,3 @@ # {{ ansible_managed }} -deb http://mirror.evolix.org/debian stretch-backports {{ apt_backports_components | mandatory }} +deb http://archive.debian.org/debian stretch-backports {{ apt_backports_components | mandatory }} -- 2.39.2 From ad2d96d890cc9f29058105ff947f600b8101b0bf Mon Sep 17 00:00:00 2001 From: David Prevot Date: Thu, 11 May 2023 17:51:55 +0200 Subject: [PATCH 455/497] tfix s/import/include/ --- filebeat/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/filebeat/tasks/main.yml b/filebeat/tasks/main.yml index 86dd617b..9714183d 100644 --- a/filebeat/tasks/main.yml +++ b/filebeat/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: APT sources - ansible.builtin.import_tasks: apt_sources.yml + ansible.builtin.include_tasks: apt_sources.yml args: apply: tags: -- 2.39.2 From 6ab34517b6aac32b3e9a2451ea7b1977481d8001 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Fri, 12 May 2023 12:35:49 +0200 Subject: [PATCH 456/497] nagios-nrpe: add a NRPE check-local command with completion --- CHANGELOG.md | 1 + nagios-nrpe/files/check-local | 12 ++++++++++++ nagios-nrpe/files/check-local_completion | 13 +++++++++++++ nagios-nrpe/tasks/check-local.yml | 24 ++++++++++++++++++++++++ nagios-nrpe/tasks/main.yml | 5 ++++- 5 files changed, 54 insertions(+), 1 deletion(-) create mode 100755 nagios-nrpe/files/check-local create mode 100644 nagios-nrpe/files/check-local_completion create mode 100644 nagios-nrpe/tasks/check-local.yml 
diff --git a/CHANGELOG.md b/CHANGELOG.md index 27288389..ef47af93 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added * userlogrotate: rotate also php.log. +* nagios-nrpe: add a NRPE check-local command with completion. ### Changed * evolinux-users: remove Stretch references in tasks that also apply to next Debian versions. diff --git a/nagios-nrpe/files/check-local b/nagios-nrpe/files/check-local new file mode 100755 index 00000000..4d96c639 --- /dev/null +++ b/nagios-nrpe/files/check-local @@ -0,0 +1,12 @@ +#!/usr/bin/bash + +if ! test -f /usr/lib/nagios/plugins/check_nrpe; then + echo '/usr/lib/nagios/plugins/check_nrpe is missing, please install nagios-nrpe-plugin package.' + exit 1 +fi + + + +/usr/lib/nagios/plugins/check_nrpe -H 127.0.0.1 -c check_$1 + + diff --git a/nagios-nrpe/files/check-local_completion b/nagios-nrpe/files/check-local_completion new file mode 100644 index 00000000..040d60d4 --- /dev/null +++ b/nagios-nrpe/files/check-local_completion @@ -0,0 +1,13 @@ +#!/usr/bin/env bash + +_check_local_dynamic_completion() { + local cur; + cur=${COMP_WORDS[COMP_CWORD]}; + check_list=$(grep 'check_' /etc/nagios/nrpe.d/evolix.cfg | grep -vE '^[[:blank:]]*#' | awk -F'[\[\]=_]' '{print $3}') + COMPREPLY=(); + COMPREPLY=( $( compgen -W '$(grep check_ /etc/nagios/nrpe.d/evolix.cfg | grep -vE "^[[:blank:]]*#" | awk -F"[\[\]=_]" "{print \$3}")' -- $cur ) ); +} + +complete -F _check_local_dynamic_completion check-local + + diff --git a/nagios-nrpe/tasks/check-local.yml b/nagios-nrpe/tasks/check-local.yml new file mode 100644 index 00000000..6718da3f --- /dev/null +++ b/nagios-nrpe/tasks/check-local.yml 
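Review bot: `check-local` performs no argument validation, so with no argument it still runs `check_nrpe ... -c check_` and reports NRPE's error instead of a usage message; add `if [ -z "$1" ]; then echo "Usage: check-local <check-name>" >&2; exit 1; fi` before the call. The shebang `#!/usr/bin/bash` only resolves on merged-/usr systems, which the task file's "Debian >= 10" guard does not guarantee for upgraded hosts, while the companion completion file uses `#!/usr/bin/env bash`; `#!/bin/bash` works on every Debian release. The unquoted `$1` is fixed by the next commit in this series.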
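Review bot: In `_check_local_dynamic_completion` the `awk -F'[\[\]=_]' '{print $3}'` field split treats `_` as a separator, so check names that contain an underscore are truncated — `check_raid_status` and `check_ipmi_sensors`, both present in the `evolix.cfg.j2` shown earlier in this series, complete as `raid` and `ipmi`. The `check_list` variable is assigned (as a global, it lacks `local`) and never read because `compgen -W` re-runs the same pipeline, `COMPREPLY=()` is set twice, and `$cur` is unquoted. Extracting everything between `command[check_` and `]` with `sed` fixes the truncation and lets one pipeline feed `compgen`.

```shell
_check_local_dynamic_completion() {
    local cur check_list
    cur=${COMP_WORDS[COMP_CWORD]}
    # keep the whole name between "command[check_" and "]" so names with "_" survive
    check_list=$(sed -n 's/^[[:blank:]]*command\[check_\([^]]*\)\].*/\1/p' /etc/nagios/nrpe.d/evolix.cfg)
    COMPREPLY=( $(compgen -W "$check_list" -- "$cur") )
}
# … unchanged: complete -F registration …
```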
@@ -0,0 +1,24 @@ +--- +# Install check-local utilitary +# This task is for Debian >= 10 only! + +- name: Package nagios-nrpe-plugin is intalled + ansible.builtin.apt: + name: nagios-nrpe-plugin + when: ansible_distribution_major_version is version('10', '>=') + +- name: Utilitary check-local is installed + ansible.builtin.copy: + src: check-local + dest: /usr/local/bin/check-local + mode: "0755" + when: ansible_distribution_major_version is version('10', '>=') + +- name: Completion for utilitary check-local is installed + ansible.builtin.copy: + src: check-local_completion + dest: /etc/bash_completion.d/check-local + mode: "0755" + when: ansible_distribution_major_version is version('10', '>=') + + diff --git a/nagios-nrpe/tasks/main.yml b/nagios-nrpe/tasks/main.yml index c05cf85a..607335e1 100644 --- a/nagios-nrpe/tasks/main.yml +++ b/nagios-nrpe/tasks/main.yml @@ -84,4 +84,7 @@ tags: - nagios-nrpe -- ansible.builtin.include_tasks: wrapper.yml \ No newline at end of file +- ansible.builtin.include_tasks: wrapper.yml + +- ansible.builtin.include_tasks: check-local.yml + when: ansible_distribution_major_version is version('10', '>=') -- 2.39.2 From 3d8ae87368210f449dd1b576c3bdfd3c047c45da Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Fri, 12 May 2023 12:38:40 +0200 Subject: [PATCH 457/497] nagios-nrpe: add double quotes to input var in check-local --- nagios-nrpe/files/check-local | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nagios-nrpe/files/check-local b/nagios-nrpe/files/check-local index 4d96c639..73db2c66 100755 --- a/nagios-nrpe/files/check-local +++ b/nagios-nrpe/files/check-local @@ -7,6 +7,6 @@ fi -/usr/lib/nagios/plugins/check_nrpe -H 127.0.0.1 -c check_$1 +/usr/lib/nagios/plugins/check_nrpe -H 127.0.0.1 -c "check_$1" -- 2.39.2 From f79d8456d6250ec2a5e21e68f15e0d5b1a8907f7 Mon Sep 17 00:00:00 2001 
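Review bot: The completion file is installed into `/etc/bash_completion.d/` with `mode: "0755"`, but it is sourced by bash-completion rather than executed, so `mode: "0644"` is the least-privilege choice (only the `check-local` script in `/usr/local/bin` needs `0755`). The three `when: ansible_distribution_major_version is version('10', '>=')` conditions repeat the guard that `main.yml` already puts on the `include_tasks` line in the same commit, so the guard can live in one place; keeping it only in `main.yml` matches how `wrapper.yml` is included. Task names `Package nagios-nrpe-plugin is intalled` and `Utilitary check-local is installed` read better as `Package nagios-nrpe-plugin is installed` and `Utility check-local is installed`.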
From: Jeremy Lecour Date: Fri, 12 May 2023 18:14:19 +0200 Subject: [PATCH 458/497] elasticsearch: improve networking configuration --- CHANGELOG.md | 2 + elasticsearch/defaults/main.yml | 14 +++++- elasticsearch/tasks/configuration.yml | 67 +++++++++++++++++++++++++-- 3 files changed, 78 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ef47af93..1397fdbb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,8 @@ The **patch** part changes is incremented if multiple releases happen the same m * nagios-nrpe: add a NRPE check-local command with completion. ### Changed + +* elasticsearch: improve networking configuration * evolinux-users: remove Stretch references in tasks that also apply to next Debian versions. ### Fixed diff --git a/elasticsearch/defaults/main.yml b/elasticsearch/defaults/main.yml index 98b1a646..ba5d6728 100644 --- a/elasticsearch/defaults/main.yml +++ b/elasticsearch/defaults/main.yml @@ -5,10 +5,20 @@ elasticsearch_cluster_name: Null elasticsearch_cluster_members: Null elasticsearch_minimum_master_nodes: Null elasticsearch_node_name: "${HOSTNAME}" -elasticsearch_network_host: - - "_local_" + +# https://www.elastic.co/guide/en/elasticsearch/reference/8.7/modules-network.html +elasticsearch_network_host: "_local_" elasticsearch_network_publish_host: Null +elasticsearch_network_port: Null + +elasticsearch_http_host: Null elasticsearch_http_publish_host: Null +elasticsearch_http_port: Null + +elasticsearch_transport_host: Null +elasticsearch_transport_publish_host: Null +elasticsearch_transport_port: Null + elasticsearch_discovery_seed_hosts: Null elasticsearch_cluster_initial_master_nodes: Null elasticsearch_custom_datadir: Null diff --git a/elasticsearch/tasks/configuration.yml b/elasticsearch/tasks/configuration.yml index 9c3875b0..0b601aff 100644 --- a/elasticsearch/tasks/configuration.yml +++ b/elasticsearch/tasks/configuration.yml 
@@ -22,7 +22,7 @@ - name: Configure network host ansible.builtin.lineinfile: dest: /etc/elasticsearch/elasticsearch.yml - line: "network.host: {{ elasticsearch_network_host }}" + line: "network.host: {{ elasticsearch_network_host }}" regexp: "^network.host:" insertafter: "^# *network.host:" when: elasticsearch_network_host | default("", True) | length > 0 
@@ -32,28 +32,89 @@ - name: Configure network publish_host ansible.builtin.lineinfile: dest: /etc/elasticsearch/elasticsearch.yml - line: "network.publish_host: {{ elasticsearch_network_publish_host }}" + line: "network.publish_host: {{ elasticsearch_network_publish_host }}" regexp: "^network.publish_host:" insertafter: "^network.host:" when: elasticsearch_network_publish_host | default("", True) | length > 0 tags: - config +- name: Configure network port + ansible.builtin.lineinfile: + dest: /etc/elasticsearch/elasticsearch.yml + line: "network.port: {{ elasticsearch_network_port }}" + regexp: "^network.port:" + insertafter: "^network.host:" + when: elasticsearch_network_port | default("", True) | length > 0 + tags: + - config + +- name: Configure http host + ansible.builtin.lineinfile: + dest: /etc/elasticsearch/elasticsearch.yml + line: "http.host: {{ elasticsearch_http_host }}" + regexp: "^http.host:" + insertafter: "^# *http.host:" + when: elasticsearch_http_host | default("", True) | length > 0 + tags: + - config + - name: Configure http publish_host ansible.builtin.lineinfile: dest: /etc/elasticsearch/elasticsearch.yml - line: "http.publish_host: {{ elasticsearch_http_publish_host }}" + line: "http.publish_host: {{ elasticsearch_http_publish_host }}" regexp: "^http.publish_host:" insertafter: "^http.port:" when: elasticsearch_http_publish_host | default("", True) | length > 0 tags: - config +- name: Configure http port + ansible.builtin.lineinfile: + dest: /etc/elasticsearch/elasticsearch.yml + line: "http.port: {{ elasticsearch_http_port }}" + regexp: "^http.port:" + insertafter: "^http.host:" + when: elasticsearch_http_port | default("", True) | length > 0 + tags: + - config + +- name: Configure transport host + ansible.builtin.lineinfile: + dest: /etc/elasticsearch/elasticsearch.yml + line: "transport.host: {{ elasticsearch_transport_host }}" + regexp: "^transport.host:" + insertafter: "^# *transport.host:" + when: elasticsearch_transport_host | 
default("", True) | length > 0 + tags: + - config + +- name: Configure transport publish_host + ansible.builtin.lineinfile: + dest: /etc/elasticsearch/elasticsearch.yml + line: "transport.publish_host: {{ elasticsearch_transport_publish_host }}" + regexp: "^transport.publish_host:" + insertafter: "^transport.host:" + when: elasticsearch_transport_publish_host | default("", True) | length > 0 + tags: + - config + +- name: Configure transport port + ansible.builtin.lineinfile: + dest: /etc/elasticsearch/elasticsearch.yml + line: "transport.port: {{ elasticsearch_transport_port }}" + regexp: "^transport.port:" + insertafter: "^transport.host:" + when: elasticsearch_transport_port | default("", True) | length > 0 + tags: + - config + - name: Configure discovery seed hosts ansible.builtin.lineinfile: dest: /etc/elasticsearch/elasticsearch.yml line: "discovery.seed_hosts: {{ elasticsearch_discovery_seed_hosts | to_yaml(default_flow_style=True) }}" regexp: "^discovery.seed_hosts:" + insertafter: "^# *discovery.seed_hosts:" when: elasticsearch_discovery_seed_hosts | default([], True) | length > 0 tags: - config -- 2.39.2 From 7660444c9a8a9070b82647f7b3b2212d4026a251 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 12 May 2023 18:14:25 +0200 Subject: [PATCH 459/497] fix syntax --- elasticsearch/tasks/packages.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/elasticsearch/tasks/packages.yml b/elasticsearch/tasks/packages.yml index 5188e3cc..2d5ca6b8 100644 --- a/elasticsearch/tasks/packages.yml +++ b/elasticsearch/tasks/packages.yml @@ -1,6 +1,7 @@ --- + - name: APT sources - ansible.builtin.import_tasks: apt_sources.yml + ansible.builtin.include_tasks: apt_sources.yml args: apply: tags: -- 2.39.2 From 5ef4d91f1cd6efb9a3f10dd2b0c96eba1633e14e Mon Sep 17 00:00:00 2001 
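Review bot: The `when:` guards on `Configure network port`, `Configure http port` and `Configure transport port` apply `length` directly to the variable, which raises `object of type 'int' has no len()` as soon as a port is set as a YAML integer (`9200`) rather than a quoted string, and `defaults/main.yml` does not say which form is expected. Casting first, `when: elasticsearch_network_port | default("", True) | string | length > 0`, or testing `is not none`, keeps both spellings working; the same change applies to the two other port tasks in this hunk. I am inferring the failure from how Jinja's `length` filter behaves on integers, so a run with an integer port would confirm it.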
From: William Hirigoyen Date: Tue, 16 May 2023 18:04:03 +0200 Subject: [PATCH 460/497] =?UTF-8?q?mysql:=20add=20missing=20notify=20to=20?= =?UTF-8?q?restart=20MySQL=C2=A0after=20setting=20config?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- mysql/tasks/config_stretch.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/mysql/tasks/config_stretch.yml b/mysql/tasks/config_stretch.yml index dcf4e9e7..cda4867c 100644 --- a/mysql/tasks/config_stretch.yml +++ b/mysql/tasks/config_stretch.yml @@ -11,6 +11,7 @@ group: root mode: "0644" force: yes + notify: "{{ mysql_restart_handler_name }}" tags: - mysql @@ -22,6 +23,7 @@ group: root mode: "0644" force: "{{ mysql_force_custom_config }}" + notify: "{{ mysql_restart_handler_name }}" tags: - mysql -- 2.39.2 From 7b667d165078a1cc566315a92ce2d0c1b11b2c54 Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Fri, 19 May 2023 16:21:41 +0200 Subject: [PATCH 461/497] Add task for mount nextcloud_data volume --- webapps/nextcloud/tasks/user.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/webapps/nextcloud/tasks/user.yml b/webapps/nextcloud/tasks/user.yml index 01cc037c..fdc5b7a6 100644 --- a/webapps/nextcloud/tasks/user.yml +++ b/webapps/nextcloud/tasks/user.yml @@ -32,3 +32,11 @@ - "{{ nextcloud_home }}/data" tags: - nextcloud + +- name: Mount up Ceph volume by UUID + ansible.posix.mount: + path: "{{ nextcloud_data }}" + src: "{{ nextcloud_data_uuid }}" + fstype: ext4 + opts: defaults,noexec,nosuid,nodev,relatime,lazytime + state: present -- 2.39.2 From 8706a35705e13bdab2a318c615ebdb9c4d1b0195 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 22 May 2023 14:16:14 +0200 Subject: [PATCH 462/497] mysql: improve shell syntax for mysql_skip script --- CHANGELOG.md | 5 ++++- mysql/files/mysql_skip.sh | 21 ++++++++++----------- 2 files changed, 14 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1397fdbb..6673906a 100644 --- a/CHANGELOG.md 
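Review bot: `Mount up Ceph volume by UUID` uses `state: present`, which only writes the fstab entry and mounts nothing, so the task name promises more than the module does; either `state: mounted` or a name such as `fstab entry for the Ceph data volume` would match the behaviour. `src: "{{ nextcloud_data_uuid }}"` is passed through as-is, so the variable must already carry the `UUID=` prefix for the fstab line to be valid — worth either a `UUID={{ nextcloud_data_uuid }}` in the task or a comment saying the prefix is expected. Neither `nextcloud_data` nor `nextcloud_data_uuid` is visible in the role's defaults in this change, and this is the only task in the file without `tags: - nextcloud`. The `noexec,nosuid,nodev` options are the right hardening for a user-data volume and should stay.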
+++ b/CHANGELOG.md
@@ -12,15 +12,18 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ## [Unreleased]
 
 ### Added
+
 * userlogrotate: rotate also php.log.
 * nagios-nrpe: add a NRPE check-local command with completion.
 
 ### Changed
 
 * elasticsearch: improve networking configuration
-* evolinux-users: remove Stretch references in tasks that also apply to next Debian versions.
+* evolinux-users: remove Stretch references in tasks that also apply to next Debian versions
+* mysql: improve shell syntax for mysql_skip script
 
 ### Fixed
+
 * packweb-apache,nagios-nrpe: add missing task and config for PHP 8.2 container
 * potsfix: add missing `localhost.$mydomain` to mydestination
 
diff --git a/mysql/files/mysql_skip.sh b/mysql/files/mysql_skip.sh
index 95bc28f7..ca72a9fc 100644
--- a/mysql/files/mysql_skip.sh
+++ b/mysql/files/mysql_skip.sh
@@ -18,29 +18,28 @@ log_file="/var/log/mysql_skip.log" mysql_skip_error() { error="$1" - error="$(date --iso-8601=seconds) Skiping: $error" - printf "Skipping: $error\n" - mysql $mysql_opt -e 'SET GLOBAL SQL_SLAVE_SKIP_COUNTER=1; START SLAVE;' + mysql ${mysql_opt} -e 'SET GLOBAL SQL_SLAVE_SKIP_COUNTER=1; START SLAVE;' - [ -n "$log_file" ] && echo "$error" >>"$log_file" + printf 'Skipping: %s\n' "$error" + [ -n "$log_file" ] && printf '%s Skipping: %s\n' "$(date --iso-8601=seconds)" "$error" >>"$log_file" } while true; do - slave_status="$(mysql $mysql_opt -e 'SHOW SLAVE STATUS\G')" - seconds_behind_master=$(echo "$slave_status" |grep 'Seconds_Behind_Master: ' |awk -F ' ' '{print $2}') - last_SQL_error="$(echo "$slave_status" |grep 'Last_SQL_Error: ' |sed 's/^.\+Last_SQL_Error: //')" + slave_status="$(mysql ${mysql_opt} -e 'SHOW SLAVE STATUS\G')" + seconds_behind_master=$(echo "${slave_status}" |grep 'Seconds_Behind_Master: ' |awk -F ' ' '{print $2}') + last_SQL_error="$(echo "${slave_status}" |grep 'Last_SQL_Error: ' |sed 's/^.\+Last_SQL_Error: //')" - if [ "$seconds_behind_master" = "0" ]; then + if [ "${seconds_behind_master}" = "0" ]; then #printf 'Replication is up to date!\n' - if [ "$exit_when_uptodate" = "true" ]; then + if [ "${exit_when_uptodate}" = "true" ]; then exit 0 fi elif [ -z "$last_SQL_error" ]; then - sleep $sleep_interval + sleep ${sleep_interval} elif echo "$last_SQL_error" |grep -q -f $error_messages; then - mysql_skip_error "$last_SQL_error" + mysql_skip_error "${last_SQL_error}" fi sleep 1 -- 2.39.2 From 91bcd2a6050936916b57fab632220c723c6b44b6 Mon Sep 17 00:00:00 2001 
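Review bot: `grep -q -f $error_messages` in the final `elif` is still unquoted and unbraced while every other expansion in this hunk was converted to `"${var}"`, so the commit's own consistency goal is not quite met; `grep -q -f "${error_messages}"` finishes the job. `${mysql_opt}` is evidently left unquoted so that several options split into words — a comment such as `# unquoted on purpose: mysql_opt may hold several options` would stop the next reader from "fixing" it, and a bash array would make the intent explicit if the script runs under bash. Note also that `mysql_skip_error` now issues `SET GLOBAL SQL_SLAVE_SKIP_COUNTER=1; START SLAVE;` before writing the log line, so a failing `mysql` call leaves no trace in `log_file`; logging first, or checking the exit status, preserves the audit trail of every skipped replication error. The enclosing `while` loop ends outside the hunk.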
From: Ludovic Poujol
Date: Thu, 25 May 2023 11:43:53 +0200
Subject: [PATCH 463/497] policy_pam: New role allowing to manage password policy with pam_pwquality & pam_pwhistory

---
 CHANGELOG.md | 1 +
 policy_pam/defaults/main.yml | 32 +++++++++++++
 policy_pam/meta/main.yml | 25 ++++++++++
 policy_pam/tasks/main.yml | 88 ++++++++++++++++++++++++++++++++++++
 4 files changed, 146 insertions(+)
 create mode 100644 policy_pam/defaults/main.yml
 create mode 100644 policy_pam/meta/main.yml
 create mode 100644 policy_pam/tasks/main.yml

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6673906a..2664ba03 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,6 +15,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 
 * userlogrotate: rotate also php.log.
 * nagios-nrpe: add a NRPE check-local command with completion.
+* policy_pam: New role allowing to manage password policy with pam_pwquality & pam_pwhistory
 
 ### Changed
 
diff --git a/policy_pam/defaults/main.yml b/policy_pam/defaults/main.yml
new file mode 100644
index 00000000..5a2f79d2
--- /dev/null
+++ b/policy_pam/defaults/main.yml
@@ -0,0 +1,32 @@
+---
+
+# PAM -- pam_pwquality
+# Ensure password meet a given quality/complexity requirement
+policy_pam_pwquality: true
+
+# Configuration settings for pam_pwquality
+# For more in depth info, see man pam_pwquality(8)
+
+# Minimum password lengh/credit
+policy_pam_pwquality_minlen: 4
+
+# Credits values for char types
+# Value : Interger N with :
+# N >= 0 - Maximum credit given for each char type in the password
+# N < 0 - Minimum number of chars of given type in the password
+# digit chars
+policy_pam_pwquality_dcredit: 0
+# uppercase chars
+policy_pam_pwquality_ucredit: 0
+# lowercase chars
+policy_pam_pwquality_lcredit: 0
+# other chars
+policy_pam_pwquality_ocredit: 0
+
+
+# PAM -- pam_pwhistory
+# Prevent old password re-use
+policy_pam_pwhistory: true
+
+# How many old passwords to retain
+policy_pam_pwhistory_length: 5
\ No newline at end of file
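Review bot: `policy_pam_pwquality_minlen: 4` is below what `pam_pwquality` accepts — its documentation states that `minlen` cannot be set lower than 6, and the library default is 8 — so the shipped default is either clamped or rejected at runtime, and either way it advertises a weaker policy than the module will enforce; a default of 8 or more, with a comment that 6 is the floor, would be honest. The four credit values default to 0, which disables the length-credit mechanism and turns `minlen` into a plain character count — worth one sentence in the comment, since the `N >= 0` wording above suggests a positive credit is granted. Typos in the comments: `lengh` → `length`, `Interger` → `Integer`. I am relying on the pwquality.conf(5) documentation for the floor value, so check it against the libpam-pwquality version on the targeted Debian release.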
diff --git a/policy_pam/meta/main.yml b/policy_pam/meta/main.yml new file mode 100644 index 00000000..85198ada --- /dev/null +++ b/policy_pam/meta/main.yml @@ -0,0 +1,25 @@ +--- +galaxy_info: + author: Evolix + company: Evolix + description: Add repositories to APT sources list. + + issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues + + license: GPLv2 + + min_ansible_version: "2.10" + + platforms: + - name: Debian + versions: + - bullseye + + galaxy_tags: [] + # Be sure to remove the '[]' above if you add dependencies + # to this list. + +dependencies: [] + # List your role dependencies here, one per line. + # Be sure to remove the '[]' above if you add dependencies + # to this list. diff --git a/policy_pam/tasks/main.yml b/policy_pam/tasks/main.yml new file mode 100644 index 00000000..e5c7bb9a --- /dev/null +++ b/policy_pam/tasks/main.yml 
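Review bot: `description: Add repositories to APT sources list.` is copied from the apt role and does not describe this one; `description: Manage password policy with pam_pwquality and pam_pwhistory.` matches the commit subject. `platforms` lists only `bullseye`, which is consistent with the `yescrypt` hash the tasks write into `common-password`, so that restriction is real and deserves a line in the CHANGELOG entry or a README rather than being implied by `meta/main.yml` alone.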
@@ -0,0 +1,88 @@ +--- +# +# -password [success=1 default=ignore] pam_unix.so obscure yescrypt +# +password requisite pam_pwquality.so retry=3 +# +password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt + + + +# PAM -- pam_pwquality + +- name: libpam-pwquality is installed + apt: + state: present + name: + - libpam-pwquality + - cracklib-runtime + when: policy_pam_pwquality + +- name: Enable pam_pwquality + ansible.builtin.lineinfile: + dest: /etc/pam.d/common-password + regexp: '^password\s+requisite\s+pam_pwquality.so' + line: "password requisite pam_pwquality.so retry=3" + insertafter: '(the "Primary" block)' + when: policy_pam_pwquality + +- name: Disable pam_pwquality + ansible.builtin.lineinfile: + dest: /etc/pam.d/common-password + regexp: '^password\s+requisite\s+pam_pwquality.so' + state: absent + when: policy_pam_pwquality is false + +- name: Configure pam_pwquality + replace: + dest: /etc/security/pwquality.conf + regexp: "^#? ?{{ item.name }} = .*" + replace: "{{ item.name }} = {{ item.value }}" + with_items: + - { name: minlen, value: "{{ policy_pam_pwquality_minlen }}" } + - { name: dcredit, value: "{{ policy_pam_pwquality_dcredit }}" } + - { name: ucredit, value: "{{ policy_pam_pwquality_ucredit }}" } + - { name: lcredit, value: "{{ policy_pam_pwquality_lcredit }}" } + - { name: ocredit, value: "{{ policy_pam_pwquality_ocredit }}" } + when: policy_pam_pwquality + + + +# PAM -- pam_pwhistory + +- name: Enable pam_pwhistory + ansible.builtin.lineinfile: + dest: /etc/pam.d/common-password + regexp: '^password\s+required\s+pam_pwhistory.so' + line: "password required pam_pwhistory.so remember={{ policy_pam_pwhistory_length }} {{ 'use_authtok' if policy_pam_pwquality}}" + insertbefore: 'pam_unix.so' + when: policy_pam_pwhistory + +# LATER : Enforce a password min age +# - name: Change PASS_MIN_DAYS +# replace: +# dest: /etc/login.defs +# replace: "PASS_MIN_DAYS 7" +# regexp: '^PASS_MIN_DAYS.*' + +- name: Disable 
pam_pwhistory + ansible.builtin.lineinfile: + dest: /etc/pam.d/common-password + regexp: '^password\s+required\s+pam_pwhistory.so' + state: absent + when: policy_pam_pwhistory is false + + + +# PAM -- pam_unix +- name: Update pam_unix if previous modules were enabled + ansible.builtin.lineinfile: + dest: /etc/pam.d/common-password + regexp: 'pam_unix.so obscure' + line: "password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt" + when: policy_pam_pwhistory or policy_pam_pwquality + +- name: Update pam_unix if previous modules are all disabled + ansible.builtin.lineinfile: + dest: /etc/pam.d/common-password + regexp: 'pam_unix.so obscure' + line: "password [success=1 default=ignore] pam_unix.so obscure yescrypt" + when: policy_pam_pwhistory is false and policy_pam_pwquality is false \ No newline at end of file -- 2.39.2 From 5563b4f8f2212a5be20dc343fd3a6f4744bcbac8 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Thu, 25 May 2023 16:01:04 +0200 Subject: [PATCH 464/497] nagios-nrpe: improve check-local output and fix completion in Debian 10 --- nagios-nrpe/files/check-local | 8 ++++++-- nagios-nrpe/files/check-local_completion | 3 +-- nagios-nrpe/tasks/check-local.yml | 3 +++ 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/nagios-nrpe/files/check-local b/nagios-nrpe/files/check-local index 73db2c66..8b045cb0 100755 --- a/nagios-nrpe/files/check-local +++ b/nagios-nrpe/files/check-local @@ -1,12 +1,16 @@ -#!/usr/bin/bash +#!/usr/bin/env bash if ! test -f /usr/lib/nagios/plugins/check_nrpe; then echo '/usr/lib/nagios/plugins/check_nrpe is missing, please install nagios-nrpe-plugin package.' exit 1 fi +if [ -r /etc/nagios/nrpe.d/evolix.cfg ]; then + command=$(grep "check_$1" /etc/nagios/nrpe.d/evolix.cfg | tail -n1 | cut -d'=' -f2-) + printf "Command:\n $command\n" +fi - +printf "NRPE daemon output:" /usr/lib/nagios/plugins/check_nrpe -H 127.0.0.1 -c "check_$1" 
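Review bot: `Update pam_unix if previous modules were enabled` and its counterpart replace the whole `pam_unix.so` line with a fixed string ending in `yescrypt`, so on a host whose `common-password` carried `sha512`, `rounds=` or any other option, the hash scheme and options are silently swapped for what this role hardcodes — on Debian 10 that changes the algorithm, and on every host it discards local settings. Debian generates `/etc/pam.d/common-password` with `pam-auth-update`, which as I understand it stops managing a file it detects as locally modified, so a `/usr/share/pam-configs/` profile is the supported way to add `pam_pwquality`/`pam_pwhistory`; if direct editing is kept, narrow the regexp to the options actually being added and state in the header comment that `pam-auth-update` will no longer manage the file. The `when: policy_pam_pwquality is false` / `is false and … is false` conditions only match a literal boolean, so a value arriving as the string `"false"` (extra-vars, some inventories) disables nothing; `when: not policy_pam_pwquality` covers both spellings. `apt:` and `replace:` should be `ansible.builtin.apt:` and `ansible.builtin.replace:` like the other tasks in the file.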
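Review bot: `grep "check_$1" /etc/nagios/nrpe.d/evolix.cfg | tail -n1` treats `$1` as a regular expression and matches anywhere on the line, so `check-local disk` can print the definition of `check_disk1` or `check_disk_inodes` (whichever comes last) instead of `check_disk`, and an argument such as `.` matches every line. Matching the key verbatim, `command=$(grep -F "command[check_$1]=" /etc/nagios/nrpe.d/evolix.cfg | tail -n1 | cut -d'=' -f2-)`, shows exactly the command NRPE will run; the `command[check_…]=` key format is the one the completion script already parses with awk. Showing the command text is fine here — the caller can already read the file — but the `-r` test should probably also drive a message when the file is absent, since the script otherwise prints nothing before the daemon output.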
diff --git a/nagios-nrpe/files/check-local_completion b/nagios-nrpe/files/check-local_completion index 040d60d4..174ae061 100644 --- a/nagios-nrpe/files/check-local_completion +++ b/nagios-nrpe/files/check-local_completion @@ -3,9 +3,8 @@ _check_local_dynamic_completion() { local cur; cur=${COMP_WORDS[COMP_CWORD]}; - check_list=$(grep 'check_' /etc/nagios/nrpe.d/evolix.cfg | grep -vE '^[[:blank:]]*#' | awk -F'[\[\]=_]' '{print $3}') COMPREPLY=(); - COMPREPLY=( $( compgen -W '$(grep check_ /etc/nagios/nrpe.d/evolix.cfg | grep -vE "^[[:blank:]]*#" | awk -F"[\[\]=_]" "{print \$3}")' -- $cur ) ); + COMPREPLY=( $( compgen -W '$(grep check_ /etc/nagios/nrpe.d/evolix.cfg | grep -vE "^[[:blank:]]*#" | awk -F"[\\\[\\\]=_]" "{print \$3}")' -- $cur ) ); } complete -F _check_local_dynamic_completion check-local diff --git a/nagios-nrpe/tasks/check-local.yml b/nagios-nrpe/tasks/check-local.yml index 6718da3f..d2adbcd1 100644 --- a/nagios-nrpe/tasks/check-local.yml +++ b/nagios-nrpe/tasks/check-local.yml @@ -1,6 +1,9 @@ --- # Install check-local utilitary # This task is for Debian >= 10 only! +- name: "Remount /usr if needed" + ansible.builtin.include_role: + name: remount-usr - name: Package nagios-nrpe-plugin is intalled ansible.builtin.apt: -- 2.39.2 From 9ff615f19a3240a80c48c9d4ad2fdd1012624ec0 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Thu, 25 May 2023 16:02:27 +0200 Subject: [PATCH 465/497] nagios-nrpe: switch to echo (printf problem with % chars) --- nagios-nrpe/files/check-local | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/nagios-nrpe/files/check-local b/nagios-nrpe/files/check-local index 8b045cb0..98c2f142 100755 --- a/nagios-nrpe/files/check-local +++ b/nagios-nrpe/files/check-local 
@@ -7,10 +7,11 @@ fi if [ -r /etc/nagios/nrpe.d/evolix.cfg ]; then command=$(grep "check_$1" /etc/nagios/nrpe.d/evolix.cfg | tail -n1 | cut -d'=' -f2-) - printf "Command:\n $command\n" + echo "Command:" + echo " $command" fi -printf "NRPE daemon output:" +echo "NRPE daemon output:" /usr/lib/nagios/plugins/check_nrpe -H 127.0.0.1 -c "check_$1" -- 2.39.2 From 3e00632a41894c15f8c89b627a6fb4f0b5ca1956 Mon Sep 17 00:00:00 2001 From: emorino Date: Mon, 29 May 2023 10:51:36 +0200 Subject: [PATCH 466/497] Add include to /etc/opendkim-evolix.conf on default configuration file, cf. #68552 --- opendkim/files/opendkim-evolix.conf | 17 +++++++++++++++++ opendkim/tasks/main.yml | 14 ++++++++++++-- 2 files changed, 29 insertions(+), 2 deletions(-) create mode 100644 opendkim/files/opendkim-evolix.conf diff --git a/opendkim/files/opendkim-evolix.conf b/opendkim/files/opendkim-evolix.conf new file mode 100644 index 00000000..ed80dc8b --- /dev/null +++ b/opendkim/files/opendkim-evolix.conf @@ -0,0 +1,17 @@ +UserID opendkim:opendkim +Socket inet:8891@127.0.0.1 +PidFile /var/run/opendkim/opendkim.pid +OversignHeaders From +TrustAnchorFile /usr/share/dns/root.key +Selector default +Canonicalization relaxed/relaxed +InternalHosts refile:/etc/opendkim/TrustedHosts +KeyTable refile:/etc/opendkim/KeyTable +LogResults Yes +LogWhy Yes +Mode sv +SigningTable refile:/etc/opendkim/SigningTable +Syslog Yes +SyslogSuccess Yes +TemporaryDirectory /var/tmp +UMask 007 diff --git a/opendkim/tasks/main.yml b/opendkim/tasks/main.yml index 1c7a416a..96a521b5 100644 --- a/opendkim/tasks/main.yml +++ b/opendkim/tasks/main.yml 
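Review bot: Switching to `echo " $command"` sidesteps the `%` problem but trades it for another — bash's `echo` interprets a value beginning with `-n`, `-e` or `-E` as an option — and the underlying cause was that `$command` was placed inside the format string. Keeping `printf` with the data as an argument, `printf 'Command:\n %s\n' "$command"`, handles `%`, backslashes and leading dashes alike; `echo "NRPE daemon output:"` is fine as it is, since it adds the newline the old `printf` lacked.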
@@ -45,10 +45,20 @@ tags: - opendkim +- name: Add Include in opendkim.conf + ansible.builtin.lineinfile: + dest: /etc/opendkim.conf + line: 'Include /etc/opendkim-evolix.conf' + state: present + create: no + mode: "0644" + tags: + - opendkim + - name: copy OpenDKIM config ansible.builtin.copy: - src: opendkim.conf - dest: /etc/opendkim.conf + src: opendkim-evolix.conf + dest: /etc/opendkim-evolix.conf mode: "0644" force: yes notify: restart opendkim -- 2.39.2 From 6837df5a9e45cfa981c1152bcb13adc650f8f17f Mon Sep 17 00:00:00 2001 From: emorino Date: Mon, 29 May 2023 10:53:02 +0200 Subject: [PATCH 467/497] Delete old configuration file --- opendkim/files/opendkim.conf | 17 ----------------- 1 file changed, 17 deletions(-) delete mode 100644 opendkim/files/opendkim.conf diff --git a/opendkim/files/opendkim.conf b/opendkim/files/opendkim.conf deleted file mode 100644 index ed80dc8b..00000000 --- a/opendkim/files/opendkim.conf +++ /dev/null @@ -1,17 +0,0 @@ -UserID opendkim:opendkim -Socket inet:8891@127.0.0.1 -PidFile /var/run/opendkim/opendkim.pid -OversignHeaders From -TrustAnchorFile /usr/share/dns/root.key -Selector default -Canonicalization relaxed/relaxed -InternalHosts refile:/etc/opendkim/TrustedHosts -KeyTable refile:/etc/opendkim/KeyTable -LogResults Yes -LogWhy Yes -Mode sv -SigningTable refile:/etc/opendkim/SigningTable -Syslog Yes -SyslogSuccess Yes -TemporaryDirectory /var/tmp -UMask 007 -- 2.39.2 From 1ae40e768601b7a5c2b52f1a66c7db558b7aaa6c Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 31 May 2023 11:27:32 +0200 Subject: [PATCH 468/497] nagios-nrpe: remount /usr **after** installing the packages --- CHANGELOG.md | 1 + nagios-nrpe/tasks/check-local.yml | 7 ++++--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2664ba03..3df84a35 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
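Review bot: `Add Include in opendkim.conf` carries no `notify: restart opendkim`, so on a host where `/etc/opendkim-evolix.conf` already exists and only the `Include` line is added, the daemon keeps running with the packaged settings until something else restarts it; `notify: restart opendkim` on that task, matching the copy task below, closes the gap. Because the `Include` is appended after the distribution's own directives, the values in `opendkim-evolix.conf` (`Socket inet:8891@127.0.0.1`, `UserID`, `UMask 007`) are meant to override the packaged ones — I believe OpenDKIM takes the last definition of a directive, but that is worth confirming and recording in a comment next to the task, since a `Socket` left on the packaged local socket would not match a Postfix milter setting pointing at `127.0.0.1:8891`.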
@@ -25,6 +25,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Fixed +* nagios-nrpe: remount /usr **after** installing the packages * packweb-apache,nagios-nrpe: add missing task and config for PHP 8.2 container * potsfix: add missing `localhost.$mydomain` to mydestination diff --git a/nagios-nrpe/tasks/check-local.yml b/nagios-nrpe/tasks/check-local.yml index d2adbcd1..e62b7642 100644 --- a/nagios-nrpe/tasks/check-local.yml +++ b/nagios-nrpe/tasks/check-local.yml @@ -1,15 +1,16 @@ --- # Install check-local utilitary # This task is for Debian >= 10 only! -- name: "Remount /usr if needed" - ansible.builtin.include_role: - name: remount-usr - name: Package nagios-nrpe-plugin is intalled ansible.builtin.apt: name: nagios-nrpe-plugin when: ansible_distribution_major_version is version('10', '>=') +- name: "Remount /usr if needed" + ansible.builtin.include_role: + name: remount-usr + - name: Utilitary check-local is installed ansible.builtin.copy: src: check-local -- 2.39.2 From 81e1d1b0c1e953170f52f6413c041581e6f01e9e Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Wed, 31 May 2023 15:50:20 +0200 Subject: [PATCH 469/497] Add variable pgbouncer_auth_type and add README --- pgbouncer/README.md | 1 + pgbouncer/defaults/main.yml | 2 ++ pgbouncer/templates/pgbouncer.ini.j2 | 4 ++-- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/pgbouncer/README.md b/pgbouncer/README.md index 2542f497..bf1914fc 100644 --- a/pgbouncer/README.md +++ b/pgbouncer/README.md 
@@ -14,6 +14,7 @@ Main variables are : * `pgbouncer_listen_port`: the listen post for PgBouncer (default: `6432`), * `pgbouncer_databases`: the databases that clients of PgBouncer can connect to, * `pgbouncer_account_list`: the accounts that clients of PgBouncer can connect to. +* `pgbouncer_auth_type`: the variable `auth_type` define by default to `scram-sha-256`, if you installed PgBouncer on PostgreSQL version inferior to 14, set this variable to `md5`. The variable `pgbouncer_databases` must have the `name`, `host` and `port` attributes. The variable can be defined like this: diff --git a/pgbouncer/defaults/main.yml b/pgbouncer/defaults/main.yml index 7b246270..4290afa5 100644 --- a/pgbouncer/defaults/main.yml +++ b/pgbouncer/defaults/main.yml @@ -2,6 +2,8 @@ pgbouncer_listen_addr: "127.0.0.1" pgbouncer_listen_port: "6432" +pgbouncer_auth_type: "scram-sha-256" + pgbouncer_databases: [] pgbouncer_account_list: [] diff --git a/pgbouncer/templates/pgbouncer.ini.j2 b/pgbouncer/templates/pgbouncer.ini.j2 index 30d34ccb..3bed0c5b 100644 --- a/pgbouncer/templates/pgbouncer.ini.j2 +++ b/pgbouncer/templates/pgbouncer.ini.j2 @@ -11,7 +11,7 @@ listen_addr = {{ pgbouncer_listen_addr }} listen_port = {{ pgbouncer_listen_port }} unix_socket_dir = -auth_type = scram-sha-256 +auth_type = {{ pgbouncer_auth_type }} auth_file = /etc/pgbouncer/userlist.txt # La connexion au serveur redevient libre lorsque le client termine une transaction @@ -26,4 +26,4 @@ default_pool_size = 20 # Ne pas enregistrer les connexions qui se passent bien log_connections = 0 -log_disconnections = 0 +log_disconnections = 0 \ No newline at end of file -- 2.39.2 From 9f87049ee4691db3af4ba31eee266e1273c3bb76 Mon Sep 17 00:00:00 2001 
From: Eric Morino Date: Wed, 31 May 2023 17:09:42 +0200 Subject: [PATCH 470/497] add variables for admin_users and stats_users to access on the pgbouncer console --- pgbouncer/README.md | 14 ++++++++++++++ pgbouncer/defaults/main.yml | 6 +++++- pgbouncer/tasks/main.yml | 3 +++ pgbouncer/templates/pgbouncer.ini.j2 | 3 +++ 4 files changed, 25 insertions(+), 1 deletion(-) diff --git a/pgbouncer/README.md b/pgbouncer/README.md index bf1914fc..fe8c0493 100644 --- a/pgbouncer/README.md +++ b/pgbouncer/README.md @@ -36,4 +36,18 @@ The value of `hash` can be obtained by running this command on the PostgreSQL se > These accounts must exist on the PostegreSQL server. +The variables `pgbouncer_admin_users` and `pgbouncer_stats_users` list the SQL user can be access on pgbouncer console. This variables can be defines like this : + +``` +pgbouncer_admin_users: + - account1 + - account2 +``` + +``` +pgbouncer_stats_users: + - account1 + - account2 +``` + The full list of variables (with default values) can be found in `defaults/main.yml`. diff --git a/pgbouncer/defaults/main.yml b/pgbouncer/defaults/main.yml index 4290afa5..5b5d293f 100644 --- a/pgbouncer/defaults/main.yml +++ b/pgbouncer/defaults/main.yml @@ -6,4 +6,8 @@ pgbouncer_auth_type: "scram-sha-256" pgbouncer_databases: [] -pgbouncer_account_list: [] +pgbouncer_admin_users: [] + +pgbouncer_stats_users: [] + +pgbouncer_account_list: [] \ No newline at end of file diff --git a/pgbouncer/tasks/main.yml b/pgbouncer/tasks/main.yml index 1d76931f..f52383a2 100644 --- a/pgbouncer/tasks/main.yml +++ b/pgbouncer/tasks/main.yml 
@@ -3,16 +3,19 @@ ansible.builtin.apt: name: pgbouncer state: present + - name: Limit for PgBouncer is set ansible.builtin.lineinfile: path: /etc/default/pgbouncer line: ulimit -n 65536 notify: Restart PgBouncer + - name: Add config file for PgBouncer ansible.builtin.template: src: pgbouncer.ini.j2 dest: /etc/pgbouncer/pgbouncer.ini notify: Restart PgBouncer + - name: Populate userlist.txt ansible.builtin.template: src: userlist.txt.j2 diff --git a/pgbouncer/templates/pgbouncer.ini.j2 b/pgbouncer/templates/pgbouncer.ini.j2 index 3bed0c5b..11eac58c 100644 --- a/pgbouncer/templates/pgbouncer.ini.j2 +++ b/pgbouncer/templates/pgbouncer.ini.j2 @@ -14,6 +14,9 @@ unix_socket_dir = auth_type = {{ pgbouncer_auth_type }} auth_file = /etc/pgbouncer/userlist.txt +admin_users = {{ pgbouncer_admin_users | join(",") }} +stats_users = {{ pgbouncer_stats_users | join(",") }} + # La connexion au serveur redevient libre lorsque le client termine une transaction # Autres valeurs possibles : session (lorsque le client ferme la session), statement (lorsque la requête se termine) pool_mode = transaction -- 2.39.2 From 2c079755e984558ae93d94f1617a2120471eebb7 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 31 May 2023 17:25:08 +0200 Subject: [PATCH 471/497] elasticsearch: comment the Xlog:gc line instead of changing it completely --- CHANGELOG.md | 1 + elasticsearch/tasks/configuration.yml | 11 ++++------- 2 files changed, 5 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3df84a35..788c871f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -25,6 +25,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Fixed +* elasticsearch: comment the Xlog:gc line instead of changing it completely * nagios-nrpe: remount /usr **after** installing the packages * packweb-apache,nagios-nrpe: add missing task and config for PHP 8.2 container * potsfix: add missing `localhost.$mydomain` to mydestination 
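Review bot: `admin_users` grants the listed accounts the PgBouncer console commands (`PAUSE`, `KILL`, `SHUTDOWN`, …), yet nothing ties the two new lists to `pgbouncer_account_list`, so a name listed here but absent from `userlist.txt` cannot authenticate, and neither the template nor the README text added in this commit says which privileges the lists confer. A comment in `defaults/main.yml`, `# Users must also be present in pgbouncer_account_list; admin_users can PAUSE/KILL/SHUTDOWN the pooler`, documents the blast radius, and keeping `pgbouncer_admin_users` empty by default (as it is) is the right choice. I am relying on PgBouncer's documented behaviour that console logins authenticate through `auth_file`; confirm against the deployed version.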
diff --git a/elasticsearch/tasks/configuration.yml b/elasticsearch/tasks/configuration.yml index 0b601aff..223eff90 100644 --- a/elasticsearch/tasks/configuration.yml +++ b/elasticsearch/tasks/configuration.yml @@ -179,14 +179,11 @@ tags: - config -- name: Disable garbage collector logs (JDK >= 9) - ansible.builtin.lineinfile: +- name: Disable garbage collector logs + ansible.builtin.replace: dest: /etc/elasticsearch/jvm.options - regexp: "Xlog:gc" - line: "#9-:-Xlog:gc*,gc+age=trace,safepoint:file=/opt/my-app/gc.log:utctime,pid,tags:filecount=32,filesize=64m" - owner: root - group: elasticsearch - mode: "0640" + regexp: '^([^#]*-Xlog:gc.+)' + replace: '#\1' tags: - config -- 2.39.2 From 502715101103b8a52f70394456037cea3bc17e56 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 31 May 2023 17:25:24 +0200 Subject: [PATCH 472/497] elasticsearch: use an Integer --- elasticsearch/tasks/bootstrap_checks.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/elasticsearch/tasks/bootstrap_checks.yml b/elasticsearch/tasks/bootstrap_checks.yml index 0df9a618..3626bd17 100644 --- a/elasticsearch/tasks/bootstrap_checks.yml +++ b/elasticsearch/tasks/bootstrap_checks.yml @@ -12,7 +12,7 @@ - name: Maximum map count check ansible.posix.sysctl: name: vm.max_map_count - value: 262144 + value: "262144" sysctl_file: /etc/sysctl.d/elasticsearch.conf when: max_map_count | int < 262144 tags: -- 2.39.2 From 318991fe424220e7a606013b58770f7a42434bd1 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 1 Jun 2023 09:43:20 +0200 Subject: [PATCH 473/497] pbbouncer: minor fixes --- CHANGELOG.md | 1 + pgbouncer/README.md | 8 ++++++-- pgbouncer/defaults/main.yml | 7 ++++++- pgbouncer/tasks/main.yml | 7 ++++--- pgbouncer/templates/pgbouncer.ini.j2 | 2 +- 5 files changed, 18 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 788c871f..0887de1e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -22,6 +22,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * elasticsearch: improve networking configuration * evolinux-users: remove Stretch references in tasks that also apply to next Debian versions * mysql: improve shell syntax for mysql_skip script +* pbbouncer: minor fixes ### Fixed diff --git a/pgbouncer/README.md b/pgbouncer/README.md index fe8c0493..94cdeccf 100644 --- a/pgbouncer/README.md +++ b/pgbouncer/README.md @@ -32,9 +32,13 @@ pgbouncer_account_list: - { name: "account2", hash: "" } ``` -The value of `hash` can be obtained by running this command on the PostgreSQL server: `select passwd from pg_shadow where usename='account1';` +The value of `hash` can be obtained by running this command on the PostgreSQL server: -> These accounts must exist on the PostegreSQL server. +``` +select passwd from pg_shadow where usename='account1'; +``` + +> These accounts must exist on the PostgreSQL server. The variables `pgbouncer_admin_users` and `pgbouncer_stats_users` list the SQL user can be access on pgbouncer console. This variables can be defines like this : diff --git a/pgbouncer/defaults/main.yml b/pgbouncer/defaults/main.yml index 5b5d293f..211e6a5d 100644 --- a/pgbouncer/defaults/main.yml +++ b/pgbouncer/defaults/main.yml @@ -1,13 +1,18 @@ --- -pgbouncer_listen_addr: "127.0.0.1" +pgbouncer_listen_addr: + - "127.0.0.1" pgbouncer_listen_port: "6432" +# For PostgreSQL version < 14, use "md5" +# For PostgreSQL version >= 14, use "scram-sha-256" pgbouncer_auth_type: "scram-sha-256" +# Each entry must have "name", "host" and "port" keys pgbouncer_databases: [] pgbouncer_admin_users: [] pgbouncer_stats_users: [] +# Each entry must have "name" and "hash" keys pgbouncer_account_list: [] \ No newline at end of file diff --git a/pgbouncer/tasks/main.yml b/pgbouncer/tasks/main.yml index f52383a2..0463899d 100644 --- a/pgbouncer/tasks/main.yml +++ b/pgbouncer/tasks/main.yml 
@@ -7,17 +7,18 @@ - name: Limit for PgBouncer is set ansible.builtin.lineinfile: path: /etc/default/pgbouncer + regexp: "ulimit -n" line: ulimit -n 65536 - notify: Restart PgBouncer + notify: restart pgbouncer - name: Add config file for PgBouncer ansible.builtin.template: src: pgbouncer.ini.j2 dest: /etc/pgbouncer/pgbouncer.ini - notify: Restart PgBouncer + notify: restart pgbouncer - name: Populate userlist.txt ansible.builtin.template: src: userlist.txt.j2 dest: /etc/pgbouncer/userlist.txt - notify: Restart PgBouncer + notify: restart pgbouncer diff --git a/pgbouncer/templates/pgbouncer.ini.j2 b/pgbouncer/templates/pgbouncer.ini.j2 index 11eac58c..b2d89e47 100644 --- a/pgbouncer/templates/pgbouncer.ini.j2 +++ b/pgbouncer/templates/pgbouncer.ini.j2 @@ -7,7 +7,7 @@ logfile = /var/log/postgresql/pgbouncer.log pidfile = /var/run/postgresql/pgbouncer.pid -listen_addr = {{ pgbouncer_listen_addr }} +listen_addr = {{ pgbouncer_listen_addr | join(',') }} listen_port = {{ pgbouncer_listen_port }} unix_socket_dir = -- 2.39.2 From 060018be2607de372b5ef53bd5c514006b2a1312 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 1 Jun 2023 09:43:43 +0200 Subject: [PATCH 474/497] vscode: ansible/yaml formatter --- .vscode/settings.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.vscode/settings.json b/.vscode/settings.json index ce271884..799fe466 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -3,5 +3,6 @@ "*.yml": "ansible", "*.yaml": "ansible" }, - "yaml.format.enable": false + "yaml.format.enable": false, + "ansible.python.interpreterPath": "/bin/python" } \ No newline at end of file -- 2.39.2 From e00af3aafb9bfade644fc12ac37f905fab788c5f Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Fri, 2 Jun 2023 09:47:20 +0200 Subject: [PATCH 475/497] nagios-nrpe: allow check-local for Debian < 10 --- nagios-nrpe/tasks/check-local.yml | 4 ---- nagios-nrpe/tasks/main.yml | 1 - 2 files changed, 5 deletions(-) 
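Review bot: The three `notify: restart pgbouncer` lines now point at a handler name that this commit does not introduce — the diffstat lists no `pgbouncer/handlers/main.yml` — so until the handler is renamed, the first changed task makes Ansible stop with an unknown-handler error. Either keep `notify: Restart PgBouncer` here or ship the handler rename in the same commit. The added `regexp: "ulimit -n"` fixes idempotency of the `lineinfile` task but is unanchored, so it also matches a commented-out `# ulimit -n ...` line and would rewrite that instead of adding an active one; `regexp: '^ulimit -n'` avoids this.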
diff --git a/nagios-nrpe/tasks/check-local.yml b/nagios-nrpe/tasks/check-local.yml index e62b7642..1b696292 100644 --- a/nagios-nrpe/tasks/check-local.yml +++ b/nagios-nrpe/tasks/check-local.yml @@ -1,11 +1,9 @@ --- # Install check-local utilitary -# This task is for Debian >= 10 only! - name: Package nagios-nrpe-plugin is intalled ansible.builtin.apt: name: nagios-nrpe-plugin - when: ansible_distribution_major_version is version('10', '>=') - name: "Remount /usr if needed" ansible.builtin.include_role: @@ -16,13 +14,11 @@ src: check-local dest: /usr/local/bin/check-local mode: "0755" - when: ansible_distribution_major_version is version('10', '>=') - name: Completion for utilitary check-local is installed ansible.builtin.copy: src: check-local_completion dest: /etc/bash_completion.d/check-local mode: "0755" - when: ansible_distribution_major_version is version('10', '>=') diff --git a/nagios-nrpe/tasks/main.yml b/nagios-nrpe/tasks/main.yml index 607335e1..f78f9fbf 100644 --- a/nagios-nrpe/tasks/main.yml +++ b/nagios-nrpe/tasks/main.yml @@ -87,4 +87,3 @@ - ansible.builtin.include_tasks: wrapper.yml - ansible.builtin.include_tasks: check-local.yml - when: ansible_distribution_major_version is version('10', '>=') -- 2.39.2 From 5c095dc862c5e0b25ed6d2a5201941e96210773d Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Mon, 5 Jun 2023 10:27:22 +0200 Subject: [PATCH 476/497] policy_pam : Enforce password min days to prevent circumvention of pwhistory --- policy_pam/defaults/main.yml | 7 ++++++- policy_pam/tasks/main.yml | 13 ++++++------- 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/policy_pam/defaults/main.yml b/policy_pam/defaults/main.yml index 5a2f79d2..867a3fa5 100644 --- a/policy_pam/defaults/main.yml +++ b/policy_pam/defaults/main.yml 
@@ -29,4 +29,9 @@ policy_pam_pwquality_ocredit: 0 policy_pam_pwhistory: true # How many old passwords to retain -policy_pam_pwhistory_length: 5 \ No newline at end of file +policy_pam_pwhistory_length: 5 + +# How (days) old the password should be before allowing user to change it's password +# It is to prevent circumvention of pam_pwhistory +# Set to 0 to disable +policy_pam_password_min_days: 0 \ No newline at end of file diff --git a/policy_pam/tasks/main.yml b/policy_pam/tasks/main.yml index e5c7bb9a..e238e22e 100644 --- a/policy_pam/tasks/main.yml +++ b/policy_pam/tasks/main.yml @@ -56,13 +56,6 @@ insertbefore: 'pam_unix.so' when: policy_pam_pwhistory -# LATER : Enforce a password min age -# - name: Change PASS_MIN_DAYS -# replace: -# dest: /etc/login.defs -# replace: "PASS_MIN_DAYS 7" -# regexp: '^PASS_MIN_DAYS.*' - - name: Disable pam_pwhistory ansible.builtin.lineinfile: dest: /etc/pam.d/common-password @@ -70,6 +63,12 @@ state: absent when: policy_pam_pwhistory is false +# Enforce password minimal age to prevent pam_pwhistory to be circumvented by multiples password changes +- name: Change PASS_MIN_DAYS + replace: + dest: /etc/login.defs + replace: 'PASS_MIN_DAYS\g<1>{{ policy_pam_password_min_days }}' + regexp: '^PASS_MIN_DAYS(\s+).*' # PAM -- pam_unix -- 2.39.2 From b234fdaea97eb67b3fc10eb6b0b633b96d19c9ec Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Mon, 5 Jun 2023 10:33:34 +0200 Subject: [PATCH 477/497] pam_policy : Ensure it's only executed on Debian 11+ systems --- policy_pam/tasks/main.yml | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/policy_pam/tasks/main.yml b/policy_pam/tasks/main.yml index e238e22e..26587d26 100644 --- a/policy_pam/tasks/main.yml +++ b/policy_pam/tasks/main.yml 
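Review bot: The new `Change PASS_MIN_DAYS` task uses `replace`, which is silent when `/etc/login.defs` has no active `PASS_MIN_DAYS` line (absent or commented out), so the minimum age this commit is meant to enforce can be skipped without any failure; `ansible.builtin.lineinfile` with `regexp: '^#?\s*PASS_MIN_DAYS\s'` and `line: 'PASS_MIN_DAYS {{ policy_pam_password_min_days }}'` both uncomments and creates the setting. The task also runs unconditionally, so with the default of `0` it rewrites the line to `PASS_MIN_DAYS 0`; if "disable" in the defaults comment means "leave login.defs alone", add `when: policy_pam_password_min_days | int > 0`. The module should be `ansible.builtin.replace` to match the FQCN style of the neighbouring tasks. The defaults comment could read `# Minimum age (in days) of a password before the user may change it again; prevents pam_pwhistory from being circumvented by rapid successive changes. 0 means no minimum.`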
@@ -1,8 +1,13 @@ --- -# -# -password [success=1 default=ignore] pam_unix.so obscure yescrypt -# +password requisite pam_pwquality.so retry=3 -# +password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt + +# System compatibility check. yescrypt only works on Debian 11+ +# So we ensure that this role isn't executed on older systems +- name: "System compatibility check" + assert: + that: + - ansible_distribution == "Debian" + - ansible_distribution_major_version is version_compare('11', '>=') + msg: pam_policy is only compatible with Debian >= 11 -- 2.39.2 From 24d7fe5def802826db10797927bc798913792629 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Mon, 5 Jun 2023 11:33:08 +0200 Subject: [PATCH 478/497] pam_policy: Default settings : disabled --- policy_pam/defaults/main.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/policy_pam/defaults/main.yml b/policy_pam/defaults/main.yml index 867a3fa5..fb8075ac 100644 --- a/policy_pam/defaults/main.yml +++ b/policy_pam/defaults/main.yml 
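Review bot: `version_compare` in the new assert is the legacy name of the `version` test; `ansible_distribution_major_version is version('11', '>=')` is the form the other roles on this page (nagios-nrpe, varnish) already use. The bare `assert:` should be `ansible.builtin.assert:` like the surrounding tasks, and the `msg` names `pam_policy` while the role is `policy_pam`, which will confuse whoever reads the failure. The removed header comments were the only place documenting the resulting `pam_unix.so` lines; consider keeping that as a comment next to the check.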
@@ -2,31 +2,31 @@ # PAM -- pam_pwquality # Ensure password meet a given quality/complexity requirement -policy_pam_pwquality: true +policy_pam_pwquality: false # Configuration settings for pam_pwquality # For more in depth info, see man pam_pwquality(8) # Minimum password lengh/credit -policy_pam_pwquality_minlen: 4 +policy_pam_pwquality_minlen: 16 # Credits values for char types # Value : Interger N with : # N >= 0 - Maximum credit given for each char type in the password # N < 0 - Minimum number of chars of given type in the password # digit chars -policy_pam_pwquality_dcredit: 0 +policy_pam_pwquality_dcredit: -1 # uppercase chars policy_pam_pwquality_ucredit: 0 # lowercase chars -policy_pam_pwquality_lcredit: 0 +policy_pam_pwquality_lcredit: -1 # other chars -policy_pam_pwquality_ocredit: 0 +policy_pam_pwquality_ocredit: -1 # PAM -- pam_pwhistory # Prevent old password re-use -policy_pam_pwhistory: true +policy_pam_pwhistory: false # How many old passwords to retain policy_pam_pwhistory_length: 5 -- 2.39.2 From 1ec212f514c35f61d85b722c6eb0c8c74a0c4f12 Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Mon, 5 Jun 2023 14:28:06 +0200 Subject: [PATCH 479/497] rename handler --- pgbouncer/handlers/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pgbouncer/handlers/main.yml b/pgbouncer/handlers/main.yml index f539a226..9ce44055 100644 --- a/pgbouncer/handlers/main.yml +++ b/pgbouncer/handlers/main.yml @@ -1,5 +1,5 @@ --- -- name: Restart PgBouncer +- name: restart pgbouncer ansible.builtin.systemd: name: pgbouncer.service state: restarted -- 2.39.2 From 9a5b5a39a93f383e727138a76fedaf4ecf6a025f Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Mon, 12 Jun 2023 11:35:53 +0200 Subject: [PATCH 480/497] policy_pam > Add support for Debian 10/9 --- policy_pam/meta/main.yml | 2 ++ policy_pam/tasks/main.yml | 32 ++++++++++++++++++++++---------- 2 files changed, 24 insertions(+), 10 deletions(-) 
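Review bot: With the new defaults `dcredit`, `lcredit` and `ocredit` become `-1` (at least one character of each class) while `ucredit` stays at `0` (no uppercase requirement); if that asymmetry is intentional a one-line comment should say so, otherwise `-1` for consistency. Since `policy_pam_pwquality` and `policy_pam_pwhistory` now both default to `false`, applying the role with defaults leaves the password policy untouched, which a comment near the top should state, e.g. `# Both modules are disabled by default; set policy_pam_pwquality / policy_pam_pwhistory to true to enforce the settings below.` The context lines still carry the typos `lengh` and `Interger`, worth fixing in a follow-up.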
diff --git a/policy_pam/meta/main.yml b/policy_pam/meta/main.yml index 85198ada..5da132b9 100644 --- a/policy_pam/meta/main.yml +++ b/policy_pam/meta/main.yml @@ -14,6 +14,8 @@ galaxy_info: - name: Debian versions: - bullseye + - buster + - stretch galaxy_tags: [] # Be sure to remove the '[]' above if you add dependencies diff --git a/policy_pam/tasks/main.yml b/policy_pam/tasks/main.yml index 26587d26..a2746011 100644 --- a/policy_pam/tasks/main.yml +++ b/policy_pam/tasks/main.yml @@ -1,20 +1,32 @@ --- -# System compatibility check. yescrypt only works on Debian 11+ -# So we ensure that this role isn't executed on older systems +# System compatibility check. +# Untested on old (Jessie & older) Debian versions - name: "System compatibility check" - assert: + ansible.builtin.assert: that: - ansible_distribution == "Debian" - - ansible_distribution_major_version is version_compare('11', '>=') - msg: pam_policy is only compatible with Debian >= 11 + - ansible_distribution_major_version is version_compare('9', '>=') + msg: pam_policy is only compatible with Debian >= 9 +# yescrypt, Debian 11 default hashing alg isn't present on Debian 10 and lower +- name: "Set hashing alg (sha512 - Debian <= 10)" + ansible.builtin.set_fact: + pam_policy_hashing_alg: 'sha512' + when: + ansible_distribution_major_version is version_compare('10', '<=') + +- name: "Set hashing alg (yescrypt - Debian >= 11 )" + ansible.builtin.set_fact: + pam_policy_hashing_alg: 'yescrypt' + when: + ansible_distribution_major_version is version_compare('11', '>=') # PAM -- pam_pwquality - name: libpam-pwquality is installed - apt: + ansible.builtin.apt: state: present name: - libpam-pwquality @@ -37,7 +49,7 @@ when: policy_pam_pwquality is false - name: Configure pam_pwquality - replace: + ansible.builtin.replace: dest: /etc/security/pwquality.conf regexp: "^#? ?{{ item.name }} = .*" replace: "{{ item.name }} = {{ item.value }}" 
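Review bot: The two `set_fact` tasks could be one, since the `<= 10` and `>= 11` conditions are complementary: `pam_policy_hashing_alg: "{{ (ansible_distribution_major_version is version('11', '>=')) | ternary('yescrypt', 'sha512') }}"`. `version_compare` in the assert and in both `when` clauses is the legacy alias of the `version` test. The fact name `pam_policy_hashing_alg` does not follow the `policy_pam_` prefix used by every other variable of this role, which makes it hard to find from the defaults. A comment on the fallback branch tying it to the new Debian 9 floor would help, e.g. `# yescrypt is unavailable in pam_unix before Debian 11; fall back to sha512 on Debian 9 and 10`.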
@@ -70,7 +82,7 @@ # Enforce password minimal age to prevent pam_pwhistory to be circumvented by multiples password changes - name: Change PASS_MIN_DAYS - replace: + ansible.builtin.replace: dest: /etc/login.defs replace: 'PASS_MIN_DAYS\g<1>{{ policy_pam_password_min_days }}' regexp: '^PASS_MIN_DAYS(\s+).*' @@ -81,12 +93,12 @@ ansible.builtin.lineinfile: dest: /etc/pam.d/common-password regexp: 'pam_unix.so obscure' - line: "password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt" + line: "password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass {{ pam_policy_hashing_alg }}" when: policy_pam_pwhistory or policy_pam_pwquality - name: Update pam_unix if previous modules are all disabled ansible.builtin.lineinfile: dest: /etc/pam.d/common-password regexp: 'pam_unix.so obscure' - line: "password [success=1 default=ignore] pam_unix.so obscure yescrypt" + line: "password [success=1 default=ignore] pam_unix.so obscure {{ pam_policy_hashing_alg }}" when: policy_pam_pwhistory is false and policy_pam_pwquality is false \ No newline at end of file -- 2.39.2 From 1c60b02e7748f6f9fdf3e1bd2191579a352e9ef9 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 15 Jun 2023 15:26:07 +0200 Subject: [PATCH 481/497] .gitignore .vscode directory --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 102ea9f6..080ae1f8 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,4 @@ .kateproject.d .vagrant/ *.swp +.vscode \ No newline at end of file -- 2.39.2 From 19787152d8d1d49703cedbe3f16ca9effe69a5d5 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Thu, 15 Jun 2023 17:19:13 +0200 Subject: [PATCH 482/497] postfix: remove duplicate directive --- postfix/templates/packmail_main.cf.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/postfix/templates/packmail_main.cf.j2 b/postfix/templates/packmail_main.cf.j2 index b803389e..28c57631 100644 --- a/postfix/templates/packmail_main.cf.j2 
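Review bot: Both `Update pam_unix` tasks match on `regexp: 'pam_unix.so obscure'`, which is unanchored and also matches a commented-out `#password ... pam_unix.so obscure` line; `lineinfile` would then rewrite the comment instead of the active entry, and the unescaped `.` in `pam_unix.so` is a small wildcard. `regexp: '^password\s.*pam_unix\.so obscure'` pins the active line. The two tasks differ only in whether `use_authtok try_first_pass` is kept and could be one task choosing that fragment with `ternary` on `policy_pam_pwhistory or policy_pam_pwquality`; the first task's `- name` line is above the hunk.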
+++ b/postfix/templates/packmail_main.cf.j2 @@ -412,7 +412,6 @@ smtpd_sasl_path = private/auth-client # Amavis and OpenDKIM content_filter = smtp-amavis:[127.0.0.1]:10024 -smtp-amavis_destination_concurrency_failed_cohort_limit = 0 smtpd_milters = inet:[127.0.0.1]:8891 non_smtpd_milters = inet:[127.0.0.1]:8891 smtp-amavis_destination_concurrency_failed_cohort_limit = 0 -- 2.39.2 From 2e73bf09f7fa12c6809ed4bdacc9cad48e656d56 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Thu, 15 Jun 2023 16:37:18 +0200 Subject: [PATCH 483/497] amavis: Workaround https://bugs.debian.org/569150 --- amavis/files/amavis_purge_virusmails | 2 ++ amavis/tasks/main.yml | 9 +++++++++ 2 files changed, 11 insertions(+) create mode 100644 amavis/files/amavis_purge_virusmails diff --git a/amavis/files/amavis_purge_virusmails b/amavis/files/amavis_purge_virusmails new file mode 100644 index 00000000..ba7ef51a --- /dev/null +++ b/amavis/files/amavis_purge_virusmails @@ -0,0 +1,2 @@ +#!/bin/bash +find /var/lib/amavis/virusmails/ -type f -mtime +30 -delete diff --git a/amavis/tasks/main.yml b/amavis/tasks/main.yml index 4fa452e5..da46721e 100644 --- a/amavis/tasks/main.yml +++ b/amavis/tasks/main.yml @@ -16,3 +16,12 @@ notify: restart amavis tags: - amavis + +- name: Install purge custom cron + ansible.builtin.copy: + src: amavis_purge_virusmails + dest: /etc/cron.daily/amavis_purge_virusmails + mode: "0755" + tags: + - amavis + - amavis_purge_cron -- 2.39.2 From aec5406043af57dcc9efeb0fa5c929865218ba2f Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Mon, 19 Jun 2023 16:09:40 +0200 Subject: [PATCH 484/497] varnish: Allow the systemd template to be overriden with a template outside of the role --- CHANGELOG.md | 1 + varnish/defaults/main.yml | 6 ++++-- varnish/tasks/main.yml | 3 +++ 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0887de1e..a274dbb3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
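Review bot: The new `amavis_purge_virusmails` cron script runs `find` on a fixed path with no guard, so on a host where `/var/lib/amavis/virusmails/` is absent (or amavis is removed later) cron.daily mails a `find: No such file or directory` error every day; `[ -d /var/lib/amavis/virusmails ] || exit 0` before the `find` avoids that. The 30-day retention is hard-coded and undocumented — a header comment such as `# Purge quarantined mails older than 30 days (workaround for Debian bug #569150)` ties it to the commit's rationale. Adding `-xdev` to the `find` keeps the purge from descending into another filesystem mounted under the quarantine directory.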
@@ -23,6 +23,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * evolinux-users: remove Stretch references in tasks that also apply to next Debian versions * mysql: improve shell syntax for mysql_skip script * pbbouncer: minor fixes +* varnish: Allow the systemd template to be overriden with a template outside of the role ### Fixed diff --git a/varnish/defaults/main.yml b/varnish/defaults/main.yml index ec8a251e..560e241f 100644 --- a/varnish/defaults/main.yml +++ b/varnish/defaults/main.yml @@ -16,8 +16,10 @@ varnish_thread_pool_max: 5000 varnish_jail: "unix,user=vcache" varnish_additional_options: "" +varnish_systemd_override_template: Null + varnish_config_file: /etc/varnish/default.vcl -varnish_update_config: True +varnish_update_config: true varnish_secret_file: /etc/varnish/secret -varnish_tmp_dir: /var/tmp-vcache \ No newline at end of file +varnish_tmp_dir: /var/tmp-vcache diff --git a/varnish/tasks/main.yml b/varnish/tasks/main.yml index 6cdb92db..585688b9 100644 --- a/varnish/tasks/main.yml +++ b/varnish/tasks/main.yml @@ -80,6 +80,7 @@ when: - varnish_package_facts['version'] is version('4', '>=') - varnish_package_facts['version'] is version('6', '<') + - varnish_systemd_override_template | length == 0 tags: - varnish - config @@ -91,6 +92,7 @@ when: - varnish_package_facts['version'] is version('6', '>=') - varnish_package_facts['version'] is version('7', '<') + - varnish_systemd_override_template | length == 0 tags: - varnish - config @@ -101,6 +103,7 @@ varnish_systemd_override_template: override.conf.varnish7.j2 when: - varnish_package_facts['version'] is version('7', '>=') + - varnish_systemd_override_template | length == 0 tags: - varnish - config -- 2.39.2 From 64c1da40b0682404394d85559770060f09df10f6 Mon Sep 17 00:00:00 2001 
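Review bot: The new default `varnish_systemd_override_template: Null` loads as a null value, and the `varnish_systemd_override_template | length == 0` conditions added in the three `varnish/tasks/main.yml` hunks apply Jinja's `length` filter to it; `length` on a null raises a templating type error rather than evaluating false, so with the default unchanged the version-selection tasks would fail on every host (worth confirming on the target ansible-core version). Either default to an empty string, `varnish_systemd_override_template: ""`, or test `varnish_systemd_override_template is none or varnish_systemd_override_template | length == 0`. A comment in the defaults, `# Set to a template path outside the role to replace the version-specific override.conf templates`, would document the new hook.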
From: William Hirigoyen Date: Wed, 21 Jun 2023 16:14:35 +0200 Subject: [PATCH 485/497] =?UTF-8?q?nagios-nrpe:=20corrige=20les=20cas=20o?= =?UTF-8?q?=C3=B9=20un=20check=20est=20d=C3=A9fini=20plusieurs=20fois=20ou?= =?UTF-8?q?=20comment=C3=A9?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- nagios-nrpe/files/check-local | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nagios-nrpe/files/check-local b/nagios-nrpe/files/check-local index 98c2f142..40587425 100755 --- a/nagios-nrpe/files/check-local +++ b/nagios-nrpe/files/check-local @@ -6,7 +6,7 @@ if ! test -f /usr/lib/nagios/plugins/check_nrpe; then fi if [ -r /etc/nagios/nrpe.d/evolix.cfg ]; then - command=$(grep "check_$1" /etc/nagios/nrpe.d/evolix.cfg | tail -n1 | cut -d'=' -f2-) + command=$(grep "check_$1" /etc/nagios/nrpe.d/evolix.cfg | grep -v '^[[:blank:]]*#' | tail -n1 | cut -d'=' -f2-) echo "Command:" echo " $command" fi -- 2.39.2 From 42ad894d454ec002560f0c7afbce1dafa0422bf0 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Fri, 23 Jun 2023 11:26:35 +0200 Subject: [PATCH 486/497] dovecot: new Munin plugins, fix old_stats config --- CHANGELOG.md | 4 + dovecot/README.md | 13 + dovecot/files/munin_config | 2 - dovecot/files/munin_plugin | 128 --------- dovecot/files/munin_plugin_dovecot1 | 242 ++++++++++++++++++ dovecot/files/munin_plugin_dovecot_stats_ | 158 ++++++++++++ dovecot/handlers/main.yml | 4 + dovecot/tasks/munin.yml | 75 +++++- dovecot/templates/z-evolinux-defaults.conf.j2 | 21 +- 9 files changed, 506 insertions(+), 141 deletions(-) delete mode 100644 dovecot/files/munin_config delete mode 100755 dovecot/files/munin_plugin create mode 100644 dovecot/files/munin_plugin_dovecot1 create mode 100644 dovecot/files/munin_plugin_dovecot_stats_ diff --git a/CHANGELOG.md b/CHANGELOG.md index a274dbb3..5a1dda59 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
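Review bot: `grep "check_$1"` is still an unanchored substring match, so `check-local disk` also picks up `check_disk_all` or any command whose name merely contains `check_disk`, and `$1` is interpreted as a regular expression; the added `grep -v` only fixes the commented-line case. Matching the NRPE definition exactly is more robust: `command=$(grep -F "command[check_$1]=" /etc/nagios/nrpe.d/evolix.cfg | grep -v '^[[:blank:]]*#' | tail -n1 | cut -d'=' -f2-)`. From this hunk it is not visible whether `$1` is validated earlier; the surrounding `if` is in the hunk but the rest of the script is not.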
@@ -16,6 +16,8 @@ The **patch** part changes is incremented if multiple releases happen the same m * userlogrotate: rotate also php.log. * nagios-nrpe: add a NRPE check-local command with completion. * policy_pam: New role allowing to manage password policy with pam_pwquality & pam_pwhistory +* dovecot: fix old_stats plugin for Dovecot 2.3. +* dovecot: add Munin plugins dovecot1 and dovecot_stats (patched) ### Changed @@ -34,6 +36,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Removed +* dovecot: remove Munin plugin dovecot (not working) + ### Security ## [23.04] 2023-04-23 diff --git a/dovecot/README.md b/dovecot/README.md index 736b95dc..8652006f 100644 --- a/dovecot/README.md +++ b/dovecot/README.md @@ -2,6 +2,8 @@ Installation and basic configuration of dovecot +Do not use this role to update Dovecot 2.2 to 2.3. + ## Tasks Minimal configuration is in `tasks/main.yml` @@ -9,3 +11,14 @@ Minimal configuration is in `tasks/main.yml` ## Available variables The full list of variables (with default values) can be found in `defaults/main.yml`. + +## Munin plugins + +### dovecot_stats_ + +Note : This is an Evolix patched version. + +This plugin can be installed only when installin a server, because it needs Dovevcot plugin stats (Dovecot 2.2) or old_stats (Dovecot 2.3), which previously were not activated by default. + +To skip this plugin installation, use "--skip-tags dovecot_stats_". + diff --git a/dovecot/files/munin_config b/dovecot/files/munin_config deleted file mode 100644 index 1a0553d8..00000000 --- a/dovecot/files/munin_config +++ /dev/null @@ -1,2 +0,0 @@ -[dovecot] -group adm diff --git a/dovecot/files/munin_plugin b/dovecot/files/munin_plugin deleted file mode 100755 index f12c2b04..00000000 --- a/dovecot/files/munin_plugin +++ /dev/null 
@@ -1,128 +0,0 @@ -#! /bin/bash -# -# Munin Plugin -# to count logins to your dovecot mailserver -# -# Created by Dominik Schulz -# http://developer.gauner.org/munin/ -# Contributions by: -# - Stephane Enten -# - Steve Schnepp -# - pcy (make 'Connected Users' DERIVE, check existence of logfile in autoconf) -# -# Parameters understood: -# -# config (required) -# autoconf (optional - used by munin-config) -# -# Config variables: -# -# logfile - Where to find the syslog file -# -# Add the following line to a file in /etc/munin/plugin-conf.d: -# env.logfile /var/log/your/logfile.log -# -# Magic markers (optional - used by munin-config and installation scripts): -# -#%# family=auto -#%# capabilities=autoconf - -###################### -# Configuration -###################### -EXPR_BIN=/usr/bin/expr -LOGFILE=${logfile:-/var/log/mail.log} -###################### - -if [ "$1" = "autoconf" ]; then - [ -f "$LOGFILE" ] && echo yes || echo "no (logfile $LOGFILE not found)" - exit 0 -fi - -if [ "$1" = "config" ]; then - echo 'graph_title Dovecot Logins' - echo 'graph_category mail' - echo 'graph_args --base 1000 -l 0' - echo 'graph_vlabel Login Counters' - - for t in Total TLS SSL IMAP POP3 - do - field=$(echo $t | tr '[:upper:]' '[:lower:]') - echo "login_$field.label $t Logins" - echo "login_$field.type DERIVE" - echo "login_$field.min 0" - done - - echo 'connected.label Connected Users' - echo "connected.type DERIVE" - - exit 0 -fi - -###################### -# Total Logins -###################### -echo -en "login_total.value " -VALUE=$(egrep -c '[dovecot]?.*Login' $LOGFILE) -if [ ! 
-z "$VALUE" ]; then - echo "$VALUE" -else - echo "0" -fi -echo -n -###################### -# Connected Users -###################### -DISCONNECTS=$(egrep -c '[dovecot]?.*Disconnected' $LOGFILE) -CONNECTS=$(egrep -c '[dovecot]?.*Login' $LOGFILE) -VALUE=$($EXPR_BIN $CONNECTS - $DISCONNECTS) -if [ -z "$VALUE" ] || [ "$VALUE" -lt 0 ]; then - VALUE=0 -fi -echo -en "connected.value " -echo $VALUE -echo -n -###################### -# TLS Logins -###################### -echo -en "login_tls.value " -VALUE=$(egrep -c '[dovecot]?.*Login.*TLS' $LOGFILE) -if [ ! -z "$VALUE" ]; then - echo "$VALUE" -else - echo "0" -fi -echo -n -###################### -# SSL Logins -###################### -echo -en "login_ssl.value " -VALUE=$(egrep -c '[dovecot]?.*Login.*SSL' $LOGFILE) -if [ ! -z "$VALUE" ]; then - echo "$VALUE" -else - echo "0" -fi -echo -n -###################### -# IMAP Logins -###################### -echo -en "login_imap.value " -VALUE=$(egrep -c '[dovecot]?.*imap.*Login' $LOGFILE) -if [ ! -z "$VALUE" ]; then - echo "$VALUE" -else - echo "0" -fi -echo -n -###################### -# POP3 Logins -###################### -echo -en "login_pop3.value " -VALUE=$(egrep -c '[dovecot]?.*pop3.*Login' $LOGFILE) -if [ ! -z "$VALUE" ]; then - echo "$VALUE" -else - echo "0" -fi -echo -n diff --git a/dovecot/files/munin_plugin_dovecot1 b/dovecot/files/munin_plugin_dovecot1 new file mode 100644 index 00000000..83f4d897 --- /dev/null +++ b/dovecot/files/munin_plugin_dovecot1 
@@ -0,0 +1,242 @@ +#!/usr/bin/perl + +#%# family=auto +#%# capabilities=autoconf + +use Munin::Plugin; + +$pos = undef; +$connected = 0; +$connectedimap = 0; +$connectedpop3 = 0; +$connections = 0; +$connectionsimap = 0; +$connectionspop3 = 0; +$login = 0; +$pop3login = 0; +$imaplogin = 0; +$tls = 0; +$ssl = 0; +$aborted = 0; + +($dirname = $0) =~ s/[^\/]+$//; + +$dovelogfile = 0 ; + +$logfile = $ENV{'LOGFILE'} || '/var/log/mail.log'; + +if ( $logfile =~ /dovecot/ ) { + $dovelogfile = 1 ; +} + +# Use an overridden $PATH for all external programs if needed +$DOVEADM = "doveadm"; + +if ( $ARGV[0] and $ARGV[0] eq "autoconf" ) { + + if (! -x $DOVEADM) { + print "no (no doveadm)\n"; + exit(0); + } + + if (! -f $logfile) { + print "no (logfile $logfile does not exist)\n"; + exit(0); + } + + if (-r "$logfile") { + print "yes\n"; + exit 0; + } else { + print "no (logfile not readable)\n"; + } + exit 0; +} + +if (-f "$logfile.0") { + $rotlogfile = $logfile . ".0"; +} elsif (-f "$logfile.1") { + $rotlogfile = $logfile . ".1"; +} elsif (-f "$logfile.01") { + $rotlogfile = $logfile . ".01"; +} else { + $rotlogfile = $logfile . 
".0"; +} + +if ( $ARGV[0] and $ARGV[0] eq "config" ) { + print "multigraph dovecot_connections\n"; + print "graph_title Dovecot connections\n"; + print "graph_args --base 1000 -l 0 --no-gridfit --slope-mode\n"; + print "graph_vlabel connections\n"; + print "graph_category mail\n"; + print "connections.label Connections open\n"; + print "connections.type GAUGE\n"; + print "connections.draw LINE1\n"; + print "connections.min 0\n"; + print "connectionsimap.label IMAP\n"; + print "connectionsimap.type GAUGE\n"; + print "connectionsimap.draw AREA\n"; + print "connectionsimap.min 0\n"; + print "connectionspop3.label POP3\n"; + print "connectionspop3.type GAUGE\n"; + print "connectionspop3.draw STACK\n"; + print "connectionspop3.min 0\n"; + + print "multigraph dovecot_connected\n"; + print "graph_title Dovecot connected users\n"; + print "graph_args --base 1000 -l 0 --no-gridfit --slope-mode\n"; + print "graph_vlabel connections\n"; + print "graph_category mail\n"; + print "connected.label Connected users\n"; + print "connected.type GAUGE\n"; + print "connected.draw LINE1\n"; + print "connected.min 0\n"; + print "connectedimap.label IMAP\n"; + print "connectedimap.type GAUGE\n"; + print "connectedimap.draw AREA\n"; + print "connectedimap.min 0\n"; + print "connectedpop3.label POP3\n"; + print "connectedpop3.type GAUGE\n"; + print "connectedpop3.draw STACK\n"; + print "connectedpop3.min 0\n"; + + print "multigraph dovecot_logins\n"; + print "graph_title Dovecot logins\n"; + print "graph_args --base 1000 -l 0 --no-gridfit --slope-mode\n"; + print "graph_vlabel logins/5 minute\n"; + print "graph_category mail\n"; + print "login.label Logins\n"; + print "login.type GAUGE\n"; + print "login.draw LINE1\n"; + print "login.min 0\n"; + print "imaplogin.label IMAP logins\n"; + print "imaplogin.type GAUGE\n"; + print "imaplogin.draw LINE1\n"; + print "imaplogin.min 0\n"; + print "pop3login.label POP3 logins\n"; + print "pop3login.type GAUGE\n"; + print "pop3login.draw LINE1\n"; + 
print "pop3login.min 0\n"; + print "tls.label TLS\n"; + print "tls.type GAUGE\n"; + print "tls.draw LINE1\n"; + print "tls.min 0\n"; + print "ssl.label SSL\n"; + print "ssl.type GAUGE\n"; + print "ssl.draw LINE1\n"; + print "ssl.min 0\n"; + print "aborted.label Aborted logins\n"; + print "aborted.type GAUGE\n"; + print "aborted.draw LINE1\n"; + print "aborted.min 0\n"; + exit 0; +} + +if (! -f $logfile and ! -f $rotlogfile) { + print "multigraph dovecot_connections\n"; + print "connections.value U"; + print "connectionsimap.value U"; + print "connectionspop3.value U"; + print "multigraph dovecot_connected\n"; + print "connected.value U\n"; + print "connectedimap.value U\n"; + print "connectedpop3.value U\n"; + print "multigraph dovecot_logins\n"; + print "login.value U\n"; + print "pop3login.value U\n"; + print "imaplogin.value U\n"; + print "tls.value U\n"; + print "ssl.value U\n"; + print "aborted.value U\n"; + + exit 0; +} + +# dit kan beter maar twee calls zijn toch nodig also we niet zelf aggegreren +# suggestie: doveadm who -1 | awk '{print $1" "$2" "$4}' | sort | uniq -c +$connectedimap = `$DOVEADM -f flow who | grep imap | wc -l`; +$connectedpop3 = `$DOVEADM -f flow who | grep pop3 | wc -l`; +$connectionsimap = `$DOVEADM -f flow who -1 | grep imap | wc -l`; +$connectionspop3 = `$DOVEADM -f flow who -1 | grep pop3 | wc -l`; + +#trim +$connectedimap =~ s/\s+$//; +$connectedpop3 =~ s/\s+$//; +$connectionsimap =~ s/\s+$//; +$connectionspop3 =~ s/\s+$//; + +$connected = $connectedimap + $connectedpop3; +$connections = $connectionsimap + $connectionspop3; + +my ($pos) = restore_state(); + +$startsize = (stat $logfile)[7]; + +if (!defined $pos) { + # Initial run. 
+ $pos = $startsize; +} + +if ($startsize < $pos) { + # Log rotated + parseDovecotfile ($rotlogfile, $pos, (stat $rotlogfile)[7]); + $pos = 0; +} + +parseDovecotfile ($logfile, $pos, $startsize); +$pos = $startsize; + +save_state($pos); + +print "multigraph dovecot_connections\n"; +print "connections.value $connections\n"; +print "connectionsimap.value $connectionsimap\n"; +print "connectionspop3.value $connectionspop3\n"; +print "multigraph dovecot_connected\n"; +print "connected.value $connected\n"; +print "connectedimap.value $connectedimap\n"; +print "connectedpop3.value $connectedpop3\n"; +print "multigraph dovecot_logins\n"; +print "login.value $login\n"; +print "pop3login.value $pop3login\n"; +print "imaplogin.value $imaplogin\n"; +print "tls.value $tls\n"; +print "ssl.value $ssl\n"; +print "aborted.value $aborted\n"; + + +sub parseDovecotfile { + my ($fname, $start, $stop) = @_; + open (logf, $fname) or exit 3; + seek (logf, $start, 0) or exit 2; + + while (tell (logf) < $stop) { + my $line =; + chomp ($line); + + if ( $dovelogfile == 0 and $line !~ m/dovecot/) { next; } + else { + if ($line =~ m/Aborted/) { + $aborted++; + + } elsif ($line =~ m/Login:/) { + $login++; + + if ( $line =~ m/TLS/) { + $tls++; + } elsif ($line =~ m/SSL/) { + $ssl++; + } + + if ( $line =~ m/pop3-login:/) { + $pop3login++; + } elsif ($line =~ m/imap-login:/) { + $imaplogin++; + } + } + } + } + close(logf); +} + +# vim:syntax=perl diff --git a/dovecot/files/munin_plugin_dovecot_stats_ b/dovecot/files/munin_plugin_dovecot_stats_ new file mode 100644 index 00000000..6daf9bae --- /dev/null +++ b/dovecot/files/munin_plugin_dovecot_stats_ 
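Review bot: In the `autoconf` branch `$DOVEADM` is the bare name `"doveadm"` and `-x $DOVEADM` tests a relative path, so autoconf answers `no (no doveadm)` unless the plugin happens to run from a directory containing that binary; set `$DOVEADM = "/usr/bin/doveadm"` (the path the companion `dovecot_stats_` plugin's autoconf checks) or resolve it through `$PATH`. `parseDovecotfile` opens the log with a two-argument `open (logf, $fname)` on a bareword handle while the filename comes from `$ENV{'LOGFILE'}`; `open (my $logf, '<', $fname) or exit 3;` is the safe form, and the readline this rendering shows as `my $line =;` has presumably lost its `<logf>` in extraction. The script runs without `use strict; use warnings;`, and `my ($pos) = restore_state();` shadows the file-scoped `$pos` assigned at the top. The three `connections*.value U` prints in the missing-log branch lack the `\n` every other value line has, so Munin would read them as a single line.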
@@ -0,0 +1,158 @@ +#!/bin/bash +: <<=cut + +=head1 NAME + +dovecot_stats_ - Munin plugin to display statistics for the dovecot mail server + +=head1 CONFIGURATION + +This plugin must be run with permissions to run "doveadm". That usually means root, but to test, run the following as any user: + + doveadm who + +If you get a permission denied message, check the permissions on the socket mentioned in the error line. + +=head1 MAGIC MARKERS + + #%# family=contrib + #%# capability=autoconf suggest + +=head1 AUTHOR + +Paul Saunders + +=cut + +. $MUNIN_LIBDIR/plugins/plugin.sh +is_multigraph + +if [[ "$1" == "autoconf" ]]; then + if [[ -x /usr/bin/doveadm ]]; then + echo yes + else + echo no + fi + exit 0 +fi + +# Dovecot 2.3 changes the stas format, but we can still access the older version with "doveadm oldstats". +dovecot_version=$(/usr/sbin/dovecot --version | awk '{print $1}') + +verlte() { + [ "$1" = "$2" ] && return 1 || [ "$2" = "`echo -e "$1\n$2" | sort -V | head -n1`" ] +} + +verlt() { + [ "$1" = "$2" ] && return 1 || verlte $2 $1 +} + +# The stats command is "stats" unless the version is NOT less than 2.3, in which case it's "oldstats". +stats_command="stats" +verlt $dovecot_version 2.3 || stats_command="oldstats" + + +if [[ "$1" == "suggest" ]]; then + doveadm $stats_command dump domain|awk 'NR!=1 {print $1}' + exit 0 +fi + +domain=$(basename $0) +domain=${domain#dovecot_stats_} + +if [[ -z $domain ]]; then + exit 1 +fi + +if [[ "$1" == "config" ]]; then + cat < Date: Fri, 23 Jun 2023 15:10:02 +0200 Subject: [PATCH 487/497] Drop useless spaces --- apt/tasks/migrate-to-deb822.yml | 6 +++--- listupgrade/tasks/main.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/apt/tasks/migrate-to-deb822.yml b/apt/tasks/migrate-to-deb822.yml index 720045bf..60ee0f2c 100644 --- a/apt/tasks/migrate-to-deb822.yml +++ b/apt/tasks/migrate-to-deb822.yml 
@@ -14,8 +14,8 @@ - name: Migration scripts are installed ansible.builtin.copy: - src: "{{ item }}" - dest: "/usr/share/scripts/{{ item }}" + src: "{{ item }}" + dest: "/usr/share/scripts/{{ item }}" force: yes mode: "0755" loop: @@ -29,4 +29,4 @@ cmd: /usr/share/scripts/deb822-migration.sh ignore_errors: yes tags: - - apt \ No newline at end of file + - apt diff --git a/listupgrade/tasks/main.yml b/listupgrade/tasks/main.yml index f51c0f09..e3f308ef 100644 --- a/listupgrade/tasks/main.yml +++ b/listupgrade/tasks/main.yml @@ -50,7 +50,7 @@ name: "listupgrade.sh" cron_file: "listupgrade" user: root - job: "/usr/share/scripts/listupgrade.sh --cron {{ listupgrade_cron_force | bool | ternary('--force','') }}" + job: "/usr/share/scripts/listupgrade.sh --cron{{ listupgrade_cron_force | bool | ternary(' --force','') }}" minute: "{{ listupgrade_cron_minute }}" hour: "{{ listupgrade_cron_hour }}" weekday: "{{ listupgrade_cron_weekday }}" -- 2.39.2 From def4d545381ce72e4b21b38a0b72a808e310ba55 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Tue, 27 Jun 2023 17:09:19 +0200 Subject: [PATCH 488/497] dovecot: fix taks for check mode (minor) --- dovecot/tasks/munin.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/dovecot/tasks/munin.yml b/dovecot/tasks/munin.yml index dd53d35f..d223f1e0 100644 --- a/dovecot/tasks/munin.yml +++ b/dovecot/tasks/munin.yml @@ -60,6 +60,8 @@ regex: '^[[:blank:]]*user root[[:blank:]]*$' insertafter: '\[{{ item }}\]' line: 'user root' + create: yes + mode: '0644' loop: ['dovecot1', 'dovecot_stats_*'] notify: restart munin-node -- 2.39.2 From 00fe225a3ce0164effde8b5a14147bb6310119ee Mon Sep 17 00:00:00 2001 
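Review bot: In the dovecot/tasks/munin.yml hunk, adding `create: yes` to a `lineinfile` whose only placement rule is `insertafter: '\[{{ item }}\]'` means that when the target file is absent Ansible creates it containing just `user root`, with no `[{{ item }}]` header for `insertafter` to anchor on, so the directive is written outside any plugin section and munin-node is unlikely to attribute it to `dovecot1` or `dovecot_stats_*`. If an earlier task in this file writes the section header, it presumably needs the same `create: yes` so that both tasks behave consistently in check mode; otherwise a single `ansible.builtin.copy` with `content: "[{{ item }}]\nuser root\n"` and `mode: '0644'` would produce the intended file regardless of whether it already exists. The task's name and `path`/`dest` are outside the hunk, so the exact target file is inferred from the visible keys.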
From: Jeremy Lecour Date: Wed, 28 Jun 2023 13:22:59 +0200 Subject: [PATCH 489/497] =?UTF-8?q?force:=20[yes,no]=20=E2=86=92=20force?= =?UTF-8?q?=20[true,false]?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- CHANGELOG.md | 1 + apache/tasks/auth.yml | 4 ++-- apache/tasks/log2mail.yml | 2 +- apache/tasks/main.yml | 10 +++++----- apache/tasks/server_status.yml | 2 +- apt/tasks/backports.deb822.yml | 4 ++-- apt/tasks/backports.oneline.yml | 4 ++-- apt/tasks/basics.deb822.yml | 4 ++-- apt/tasks/basics.oneline.yml | 2 +- apt/tasks/evolix_public.deb822.yml | 4 ++-- apt/tasks/evolix_public.oneline.yml | 4 ++-- apt/tasks/hold_packages.yml | 2 +- apt/tasks/migrate-to-deb822.yml | 2 +- bind/tasks/authoritative.yml | 2 +- bind/tasks/main.yml | 8 ++++---- bind/tasks/munin.yml | 2 +- bind/tasks/recursive.yml | 2 +- certbot/tasks/acme-challenge.yml | 4 ++-- certbot/tasks/install-legacy.yml | 4 ++-- docker-host/tasks/main.yml | 2 +- elasticsearch/tasks/additional_scripts.yml | 2 +- elasticsearch/tasks/apt_sources.yml | 2 +- etc-git/tasks/repository.yml | 2 +- etc-git/tasks/utils.yml | 8 ++++---- evocheck/tasks/cron.yml | 2 +- evocheck/tasks/install.yml | 4 ++-- evolinux-base/tasks/default_www.yml | 2 +- evolinux-base/tasks/dump-server-state.yml | 2 +- evolinux-base/tasks/hardware.dell.yml | 2 +- evolinux-base/tasks/hardware.hp.yml | 2 +- evolinux-base/tasks/hostname.yml | 2 +- evolinux-base/tasks/root.yml | 4 ++-- evolinux-base/tasks/system.yml | 6 +++--- evolinux-base/tasks/utils.yml | 2 +- evolinux-todo/tasks/main.yml | 2 +- evolinux-users/tasks/sudo_common.yml | 2 +- evolinux-users/tasks/sudo_jessie.yml | 2 +- evomaintenance/tasks/install_vendor_debian.yml | 2 +- evomaintenance/tasks/install_vendor_other.yml | 2 +- filebeat/tasks/apt_sources.yml | 2 +- fluentd/tasks/main.yml | 2 +- haproxy/tasks/munin.yml | 2 +- haproxy/tasks/packages_backports.yml | 2 +- jenkins/tasks/main.yml | 2 +- keepalived/tasks/main.yml | 4 ++-- 
kibana/tasks/apt_sources.yml | 2 +- kibana/tasks/proxy_nginx.yml | 4 ++-- kvm-host/tasks/munin.yml | 4 ++-- kvm-host/tasks/tools.yml | 6 +++--- listupgrade/tasks/main.yml | 4 ++-- logstash/tasks/apt_sources.yml | 2 +- memcached/tasks/nrpe.yml | 2 +- metricbeat/tasks/apt_sources.yml | 2 +- mongodb/tasks/main_bookworm.yml | 4 ++-- mongodb/tasks/main_bullseye.yml | 6 +++--- mongodb/tasks/main_buster.yml | 6 +++--- mongodb/tasks/main_jessie.yml | 4 ++-- mongodb/tasks/main_stretch.yml | 2 +- monit/tasks/main.yml | 2 +- mysql-oracle/tasks/config.yml | 4 ++-- mysql-oracle/tasks/packages.yml | 4 ++-- mysql-oracle/tasks/utils.yml | 4 ++-- mysql/tasks/config_jessie.yml | 2 +- mysql/tasks/config_stretch.yml | 4 ++-- mysql/tasks/mysql_skip.yml | 4 ++-- mysql/tasks/utils.yml | 12 ++++++------ nagios-nrpe/tasks/main.yml | 2 +- nagios-nrpe/tasks/wrapper.yml | 4 ++-- newrelic/tasks/sources.yml | 2 +- nginx/tasks/logrotate.yml | 2 +- nginx/tasks/main.yml | 10 +++++----- nginx/tasks/packages_backports.yml | 2 +- nginx/tasks/server_status_read.yml | 2 +- opendkim/tasks/main.yml | 4 ++-- openvpn/tasks/debian.yml | 2 +- packweb-apache/tasks/apache.yml | 4 ++-- packweb-apache/tasks/awstats.yml | 2 +- packweb-apache/tasks/phpmyadmin.yml | 4 ++-- percona/tasks/main.yml | 2 +- php/tasks/config_apache.yml | 2 +- php/tasks/config_cli.yml | 4 ++-- php/tasks/config_fpm.yml | 4 ++-- php/tasks/sury_post.yml | 6 +++--- postfix/tasks/minimal.yml | 2 +- postfix/tasks/packmail.yml | 4 ++-- postgresql/tasks/config.yml | 2 +- postgresql/tasks/logrotate.yml | 2 +- postgresql/tasks/pgdg-repo.yml | 2 +- proftpd/tasks/main.yml | 2 +- rabbitmq/tasks/main.yml | 4 ++-- rabbitmq/tasks/nrpe.yml | 4 ++-- rbenv/tasks/main.yml | 4 ++-- redis/tasks/nrpe.yml | 4 ++-- squid/tasks/logrotate_jessie.yml | 2 +- squid/tasks/logrotate_stretch.yml | 2 +- squid/tasks/main.yml | 16 ++++++++-------- squid/tasks/systemd.yml | 2 +- supervisord/tasks/main.yml | 2 +- tomcat-instance/tasks/bootstrap.yml | 6 +++--- 
unbound/tasks/main.yml | 2 +- varnish/tasks/main.yml | 12 ++++++------ vrrpd/tasks/ip.yml | 2 +- webapps/nextcloud/tasks/archive.yml | 4 ++-- 103 files changed, 179 insertions(+), 178 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5a1dda59..16d1312e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -21,6 +21,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* all: change syntax "force: [yes,no]" → "force [true,false]" * elasticsearch: improve networking configuration * evolinux-users: remove Stretch references in tasks that also apply to next Debian versions * mysql: improve shell syntax for mysql_skip script diff --git a/apache/tasks/auth.yml b/apache/tasks/auth.yml index 2c4d75ff..596c63e9 100644 --- a/apache/tasks/auth.yml +++ b/apache/tasks/auth.yml @@ -7,7 +7,7 @@ owner: root group: root mode: "0640" - force: no + force: false tags: - apache @@ -30,7 +30,7 @@ owner: root group: root mode: "0640" - force: no + force: false notify: reload apache tags: - apache diff --git a/apache/tasks/log2mail.yml b/apache/tasks/log2mail.yml index 42b18dae..f0f1853d 100644 --- a/apache/tasks/log2mail.yml +++ b/apache/tasks/log2mail.yml @@ -14,6 +14,6 @@ owner: log2mail group: adm mode: "0644" - force: no + force: false tags: - apache diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index c1ca9d7b..78dabc61 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -73,7 +73,7 @@ owner: root group: root mode: "0640" - force: yes + force: true notify: reload apache tags: - apache @@ -85,7 +85,7 @@ owner: root group: root mode: "0640" - force: no + force: false notify: reload apache tags: - apache @@ -119,7 +119,7 @@ src: evolinux-default.conf.j2 dest: /etc/apache2/sites-available/000-evolinux-default.conf mode: "0640" - force: no + force: false notify: reload apache tags: - apache 
@@ -129,7 +129,7 @@ src: /etc/apache2/sites-available/000-evolinux-default.conf dest: /etc/apache2/sites-enabled/000-default.conf state: link - force: yes + force: true notify: reload apache when: apache_evolinux_default_enabled | bool tags: @@ -181,7 +181,7 @@ src: save_apache_status.sh dest: /usr/share/scripts/save_apache_status.sh mode: "0755" - force: no + force: false tags: - apache diff --git a/apache/tasks/server_status.yml b/apache/tasks/server_status.yml index 7b188e51..271a8739 100644 --- a/apache/tasks/server_status.yml +++ b/apache/tasks/server_status.yml @@ -13,7 +13,7 @@ dest: "{{ apache_serverstatus_suffix_file }}" # The last character "\u000A" is a line feed (LF), it's better to keep it content: "{{ apache_serverstatus_suffix }}\u000A" - force: yes + force: true when: apache_serverstatus_suffix | length > 0 - name: generate random string for server-status suffix diff --git a/apt/tasks/backports.deb822.yml b/apt/tasks/backports.deb822.yml index 421e59e6..0382892d 100644 --- a/apt/tasks/backports.deb822.yml +++ b/apt/tasks/backports.deb822.yml @@ -4,7 +4,7 @@ ansible.builtin.template: src: '{{ ansible_distribution_release }}_backports.sources.j2' dest: /etc/apt/sources.list.d/backports.sources - force: yes + force: true mode: "0640" register: apt_backports_sources tags: @@ -14,7 +14,7 @@ ansible.builtin.copy: src: '{{ ansible_distribution_release }}_backports_preferences' dest: /etc/apt/preferences.d/0-backports-defaults - force: yes + force: true mode: "0640" register: apt_backports_config tags: diff --git a/apt/tasks/backports.oneline.yml b/apt/tasks/backports.oneline.yml index 9b7118b7..11de5c52 100644 --- a/apt/tasks/backports.oneline.yml +++ b/apt/tasks/backports.oneline.yml @@ -11,7 +11,7 @@ ansible.builtin.template: src: '{{ ansible_distribution_release }}_backports.list.j2' dest: /etc/apt/sources.list.d/backports.list - force: yes + force: true mode: "0640" register: apt_backports_list tags: 
@@ -21,7 +21,7 @@ ansible.builtin.copy: src: '{{ ansible_distribution_release }}_backports_preferences' dest: /etc/apt/preferences.d/0-backports-defaults - force: yes + force: true mode: "0640" register: apt_backports_config tags: diff --git a/apt/tasks/basics.deb822.yml b/apt/tasks/basics.deb822.yml index a8663572..617e6c92 100644 --- a/apt/tasks/basics.deb822.yml +++ b/apt/tasks/basics.deb822.yml @@ -5,7 +5,7 @@ src: "{{ ansible_distribution_release }}_basics.sources.j2" dest: /etc/apt/sources.list.d/system.sources mode: "0644" - force: yes + force: true register: apt_basic_sources tags: - apt @@ -15,7 +15,7 @@ src: "{{ ansible_distribution_release }}_security.sources.j2" dest: /etc/apt/sources.list.d/security.sources mode: "0644" - force: yes + force: true register: apt_security_sources tags: - apt diff --git a/apt/tasks/basics.oneline.yml b/apt/tasks/basics.oneline.yml index 4d457f0d..f949a0b2 100644 --- a/apt/tasks/basics.oneline.yml +++ b/apt/tasks/basics.oneline.yml @@ -5,7 +5,7 @@ src: "{{ ansible_distribution_release }}_basics.list.j2" dest: /etc/apt/sources.list mode: "0644" - force: yes + force: true register: apt_basic_list tags: - apt diff --git a/apt/tasks/evolix_public.deb822.yml b/apt/tasks/evolix_public.deb822.yml index 036645e7..84d193b3 100644 --- a/apt/tasks/evolix_public.deb822.yml +++ b/apt/tasks/evolix_public.deb822.yml @@ -20,7 +20,7 @@ ansible.builtin.copy: src: pub_evolix.asc dest: "{{ apt_keyring_dir }}/pub_evolix.asc" - force: yes + force: true mode: "0644" owner: root group: root @@ -31,7 +31,7 @@ ansible.builtin.template: src: evolix_public.sources.j2 dest: /etc/apt/sources.list.d/evolix_public.sources - force: yes + force: true mode: "0640" register: apt_evolix_public tags: diff --git a/apt/tasks/evolix_public.oneline.yml b/apt/tasks/evolix_public.oneline.yml index 9c502a33..deff0b7d 100644 --- a/apt/tasks/evolix_public.oneline.yml +++ b/apt/tasks/evolix_public.oneline.yml 
@@ -20,7 +20,7 @@ ansible.builtin.copy: src: pub_evolix.asc dest: "{{ apt_keyring_dir }}/pub_evolix.asc" - force: yes + force: true mode: "0644" owner: root group: root @@ -31,7 +31,7 @@ ansible.builtin.template: src: evolix_public.list.j2 dest: /etc/apt/sources.list.d/evolix_public.list - force: yes + force: true mode: "0640" register: apt_evolix_public tags: diff --git a/apt/tasks/hold_packages.yml b/apt/tasks/hold_packages.yml index 26ced4c7..e92b7b44 100644 --- a/apt/tasks/hold_packages.yml +++ b/apt/tasks/hold_packages.yml @@ -71,7 +71,7 @@ ansible.builtin.copy: src: check_held_packages.sh dest: /usr/share/scripts/check_held_packages.sh - force: yes + force: true mode: "0755" tags: - apt diff --git a/apt/tasks/migrate-to-deb822.yml b/apt/tasks/migrate-to-deb822.yml index 60ee0f2c..18aa1580 100644 --- a/apt/tasks/migrate-to-deb822.yml +++ b/apt/tasks/migrate-to-deb822.yml @@ -16,7 +16,7 @@ ansible.builtin.copy: src: "{{ item }}" dest: "/usr/share/scripts/{{ item }}" - force: yes + force: true mode: "0755" loop: - deb822-migration.py diff --git a/bind/tasks/authoritative.yml b/bind/tasks/authoritative.yml index abfa96d8..7fbd827d 100644 --- a/bind/tasks/authoritative.yml +++ b/bind/tasks/authoritative.yml @@ -7,5 +7,5 @@ owner: bind group: bind mode: "0644" - force: yes + force: true notify: restart bind \ No newline at end of file diff --git a/bind/tasks/main.yml b/bind/tasks/main.yml index 67776531..1e20eee2 100644 --- a/bind/tasks/main.yml +++ b/bind/tasks/main.yml @@ -23,7 +23,7 @@ owner: root group: root mode: "0644" - force: yes + force: true notify: restart apparmor when: check_apparmor.rc == 0 @@ -47,7 +47,7 @@ owner: root group: root mode: "0644" - force: yes + force: true notify: - reload systemd - restart bind @@ -77,7 +77,7 @@ dest: /root/chroot-bind.sh mode: "0700" owner: root - force: yes + force: true backup: yes when: bind_chroot_set | bool 
@@ -109,7 +109,7 @@ owner: root group: root mode: "0644" - force: yes + force: true notify: restart bind - ansible.builtin.include: munin.yml diff --git a/bind/tasks/munin.yml b/bind/tasks/munin.yml index 4a655533..fee99750 100644 --- a/bind/tasks/munin.yml +++ b/bind/tasks/munin.yml @@ -48,7 +48,7 @@ owner: root group: root mode: "0644" - force: yes + force: true notify: restart munin-node tags: - bind diff --git a/bind/tasks/recursive.yml b/bind/tasks/recursive.yml index 364f1021..887f206e 100644 --- a/bind/tasks/recursive.yml +++ b/bind/tasks/recursive.yml @@ -8,7 +8,7 @@ owner: bind group: bind mode: "0644" - force: yes + force: true notify: restart bind - name: enable zones.rfc1918 for recursive server diff --git a/certbot/tasks/acme-challenge.yml b/certbot/tasks/acme-challenge.yml index 29c0267d..acd93fe0 100644 --- a/certbot/tasks/acme-challenge.yml +++ b/certbot/tasks/acme-challenge.yml @@ -15,7 +15,7 @@ ansible.builtin.template: src: acme-challenge/nginx.conf.j2 dest: /etc/nginx/snippets/letsencrypt.conf - force: yes + force: true notify: reload nginx when: is_nginx.stat.exists @@ -30,7 +30,7 @@ ansible.builtin.template: src: acme-challenge/apache.conf.j2 dest: /etc/apache2/conf-available/letsencrypt.conf - force: yes + force: true notify: reload apache - name: ACME challenge for Apache is enabled diff --git a/certbot/tasks/install-legacy.yml b/certbot/tasks/install-legacy.yml index 3048a4a4..157c8dc1 100644 --- a/certbot/tasks/install-legacy.yml +++ b/certbot/tasks/install-legacy.yml @@ -16,7 +16,7 @@ mode: '0755' owner: root group: root - force: yes + force: true notify: install letsencrypt-auto - name: Check certbot script @@ -49,7 +49,7 @@ ansible.builtin.copy: src: cron_jessie dest: /etc/cron.d/certbot - force: yes + force: true when: certbot_custom_crontab | bool - name: disable self-upgrade diff --git a/docker-host/tasks/main.yml b/docker-host/tasks/main.yml index db57a6b6..f4175297 100644 --- a/docker-host/tasks/main.yml 
+++ b/docker-host/tasks/main.yml @@ -26,7 +26,7 @@ ansible.builtin.copy: src: docker-debian.asc dest: "{{ apt_keyring_dir }}/docker-debian.asc" - force: yes + force: true mode: "0644" owner: root group: root diff --git a/elasticsearch/tasks/additional_scripts.yml b/elasticsearch/tasks/additional_scripts.yml index 8dcb0759..abda3090 100644 --- a/elasticsearch/tasks/additional_scripts.yml +++ b/elasticsearch/tasks/additional_scripts.yml @@ -19,4 +19,4 @@ mode: "0755" owner: "root" group: "root" - force: yes + force: true diff --git a/elasticsearch/tasks/apt_sources.yml b/elasticsearch/tasks/apt_sources.yml index a0395ffe..e525ba4b 100644 --- a/elasticsearch/tasks/apt_sources.yml +++ b/elasticsearch/tasks/apt_sources.yml @@ -9,7 +9,7 @@ ansible.builtin.copy: src: elastic.asc dest: "{{ apt_keyring_dir }}/elastic.asc" - force: yes + force: true mode: "0644" owner: root group: root diff --git a/etc-git/tasks/repository.yml b/etc-git/tasks/repository.yml index 1601a157..426eab41 100644 --- a/etc-git/tasks/repository.yml +++ b/etc-git/tasks/repository.yml @@ -38,7 +38,7 @@ dest: "{{ repository_path }}/.gitignore" owner: root mode: "0600" - force: no + force: false tags: - etc-git diff --git a/etc-git/tasks/utils.yml b/etc-git/tasks/utils.yml index b54e1c61..e33589b3 100644 --- a/etc-git/tasks/utils.yml +++ b/etc-git/tasks/utils.yml @@ -10,7 +10,7 @@ src: evocommit dest: /usr/local/bin/evocommit mode: "0755" - force: yes + force: true tags: - etc-git @@ -19,7 +19,7 @@ src: ansible-commit dest: /usr/local/bin/ansible-commit mode: "0755" - force: yes + force: true tags: - etc-git @@ -28,7 +28,7 @@ src: etc-git-optimize dest: /usr/share/scripts/etc-git-optimize mode: "0755" - force: yes + force: true tags: - etc-git @@ -37,7 +37,7 @@ src: etc-git-status dest: /usr/share/scripts/etc-git-status mode: "0755" - force: yes + force: true tags: - etc-git diff --git a/evocheck/tasks/cron.yml b/evocheck/tasks/cron.yml index cfea8ca2..4e9c249e 100644 --- a/evocheck/tasks/cron.yml 
+++ b/evocheck/tasks/cron.yml @@ -16,5 +16,5 @@ mode: "0644" owner: root group: root - force: yes + force: true when: is_cron_installed.rc == 0 diff --git a/evocheck/tasks/install.yml b/evocheck/tasks/install.yml index b210302b..d1c1daf0 100644 --- a/evocheck/tasks/install.yml +++ b/evocheck/tasks/install.yml @@ -36,7 +36,7 @@ dest: "{{ evocheck_bin_dir }}/evocheck.sh" mode: "0700" owner: root - force: yes + force: true tags: - evocheck @@ -44,6 +44,6 @@ ansible.builtin.copy: src: evocheck.cf dest: /etc/evocheck.cf - force: no + force: false tags: - evocheck diff --git a/evolinux-base/tasks/default_www.yml b/evolinux-base/tasks/default_www.yml index 2d94fe2b..673ac397 100644 --- a/evolinux-base/tasks/default_www.yml +++ b/evolinux-base/tasks/default_www.yml @@ -20,7 +20,7 @@ src: default_www/index.html.j2 dest: /var/www/index.html mode: "0644" - force: no + force: false when: evolinux_default_www_files | bool # SSL cert diff --git a/evolinux-base/tasks/dump-server-state.yml b/evolinux-base/tasks/dump-server-state.yml index 33822377..65ff2f45 100644 --- a/evolinux-base/tasks/dump-server-state.yml +++ b/evolinux-base/tasks/dump-server-state.yml @@ -12,4 +12,4 @@ src: /usr/local/sbin/dump-server-state dest: /usr/local/sbin/backup-server-state state: link - force: yes + force: true diff --git a/evolinux-base/tasks/hardware.dell.yml b/evolinux-base/tasks/hardware.dell.yml index a146ec5c..532b3f58 100644 --- a/evolinux-base/tasks/hardware.dell.yml +++ b/evolinux-base/tasks/hardware.dell.yml @@ -47,7 +47,7 @@ ansible.builtin.copy: src: hwraid.le-vert.net.asc dest: "{{ apt_keyring_dir }}/hwraid.le-vert.net.asc" - force: yes + force: true mode: "0644" owner: root group: root diff --git a/evolinux-base/tasks/hardware.hp.yml b/evolinux-base/tasks/hardware.hp.yml index ea17cae5..a22eeb70 100644 --- a/evolinux-base/tasks/hardware.hp.yml +++ b/evolinux-base/tasks/hardware.hp.yml 
@@ -4,7 +4,7 @@ ansible.builtin.copy: src: hpePublicKey2048_key1.asc dest: "{{ apt_keyring_dir }}/hpePublicKey2048_key1.asc" - force: yes + force: true mode: "0644" owner: root group: root diff --git a/evolinux-base/tasks/hostname.yml b/evolinux-base/tasks/hostname.yml index b283a51e..a361ee44 100644 --- a/evolinux-base/tasks/hostname.yml +++ b/evolinux-base/tasks/hostname.yml @@ -41,7 +41,7 @@ ansible.builtin.copy: dest: /etc/mailname content: "{{ evolinux_fqdn }}\n" - force: yes + force: true when: evolinux_hostname_mailname | bool # Override facts diff --git a/evolinux-base/tasks/root.yml b/evolinux-base/tasks/root.yml index 3b17faf7..98cd3b3d 100644 --- a/evolinux-base/tasks/root.yml +++ b/evolinux-base/tasks/root.yml @@ -27,7 +27,7 @@ ansible.builtin.copy: content: "" dest: "/root/.bash_history" - force: no + force: false when: evolinux_root_bash_history | bool - name: Set umask in /root/.profile @@ -47,7 +47,7 @@ ansible.builtin.copy: src: root/gitconfig dest: "/root/.gitconfig" - force: no + force: false when: evolinux_root_gitconfig | bool - name: Is .bash_history append-only diff --git a/evolinux-base/tasks/system.yml b/evolinux-base/tasks/system.yml index ecad62d9..8f3d7b03 100644 --- a/evolinux-base/tasks/system.yml +++ b/evolinux-base/tasks/system.yml @@ -138,7 +138,7 @@ ansible.builtin.template: src: system/alert5.sysvinit.j2 dest: /etc/init.d/alert5 - force: no + force: false mode: "0755" when: - evolinux_system_alert5_init | bool @@ -159,7 +159,7 @@ ansible.builtin.template: src: system/alert5.sh.j2 dest: /usr/share/scripts/alert5.sh - force: no + force: false mode: "0755" when: - evolinux_system_alert5_init | bool @@ -169,7 +169,7 @@ ansible.builtin.copy: src: alert5.service dest: /etc/systemd/system/alert5.service - force: yes + force: true mode: "0644" when: - evolinux_system_alert5_init | bool diff --git a/evolinux-base/tasks/utils.yml b/evolinux-base/tasks/utils.yml index a97be579..a1c4d646 100644 --- a/evolinux-base/tasks/utils.yml 
+++ b/evolinux-base/tasks/utils.yml @@ -13,7 +13,7 @@ mode: "0700" owner: root group: root - force: no + force: false - name: update-evobackup-canary script is present ansible.builtin.copy: diff --git a/evolinux-todo/tasks/main.yml b/evolinux-todo/tasks/main.yml index 0cf5628c..9b0d9c80 100644 --- a/evolinux-todo/tasks/main.yml +++ b/evolinux-todo/tasks/main.yml @@ -12,5 +12,5 @@ src: todo.defaults.txt dest: /etc/evolinux/todo.txt mode: "0640" - force: no + force: false when: ansible_distribution == "Debian" diff --git a/evolinux-users/tasks/sudo_common.yml b/evolinux-users/tasks/sudo_common.yml index 0560f997..0f463756 100644 --- a/evolinux-users/tasks/sudo_common.yml +++ b/evolinux-users/tasks/sudo_common.yml @@ -12,7 +12,7 @@ ansible.builtin.template: src: sudoers.j2 dest: /etc/sudoers.d/evolinux - force: no + force: false mode: "0440" validate: '/usr/sbin/visudo -cf %s' register: copy_sudoers_evolinux diff --git a/evolinux-users/tasks/sudo_jessie.yml b/evolinux-users/tasks/sudo_jessie.yml index 6400a8ee..2cc50500 100644 --- a/evolinux-users/tasks/sudo_jessie.yml +++ b/evolinux-users/tasks/sudo_jessie.yml @@ -4,7 +4,7 @@ ansible.builtin.template: src: sudoers_jessie.j2 dest: /etc/sudoers.d/evolinux - force: no + force: false mode: "0440" validate: '/usr/sbin/visudo -cf %s' register: copy_sudoers_evolinux diff --git a/evomaintenance/tasks/install_vendor_debian.yml b/evomaintenance/tasks/install_vendor_debian.yml index c8fb6183..7241081c 100644 --- a/evomaintenance/tasks/install_vendor_debian.yml +++ b/evomaintenance/tasks/install_vendor_debian.yml @@ -40,7 +40,7 @@ owner: root group: root mode: "{{ item.mode }}" - force: yes + force: true backup: yes loop: - { src: 'evomaintenance.sh', dest: '/usr/share/scripts/', mode: '0700' } diff --git a/evomaintenance/tasks/install_vendor_other.yml b/evomaintenance/tasks/install_vendor_other.yml index ece9aae2..32387b39 100644 --- a/evomaintenance/tasks/install_vendor_other.yml 
+++ b/evomaintenance/tasks/install_vendor_other.yml @@ -22,7 +22,7 @@ owner: root group: root mode: "{{ item.mode }}" - force: yes + force: true backup: yes loop: - { src: 'evomaintenance.sh', dest: '/usr/share/scripts/', mode: '0700' } diff --git a/filebeat/tasks/apt_sources.yml b/filebeat/tasks/apt_sources.yml index a0395ffe..e525ba4b 100644 --- a/filebeat/tasks/apt_sources.yml +++ b/filebeat/tasks/apt_sources.yml @@ -9,7 +9,7 @@ ansible.builtin.copy: src: elastic.asc dest: "{{ apt_keyring_dir }}/elastic.asc" - force: yes + force: true mode: "0644" owner: root group: root diff --git a/fluentd/tasks/main.yml b/fluentd/tasks/main.yml index b6f262c1..9f350bf4 100644 --- a/fluentd/tasks/main.yml +++ b/fluentd/tasks/main.yml @@ -4,7 +4,7 @@ ansible.builtin.copy: src: treasuredata.asc dest: "{{ apt_keyring_dir }}/treasuredata.asc" - force: yes + force: true mode: "0644" owner: root group: root diff --git a/haproxy/tasks/munin.yml b/haproxy/tasks/munin.yml index e2f2302d..f7a35e56 100644 --- a/haproxy/tasks/munin.yml +++ b/haproxy/tasks/munin.yml @@ -12,7 +12,7 @@ ansible.builtin.file: src: /usr/share/munin/plugins/haproxy_ng dest: /etc/munin/plugins/haproxy_ng - force: yes + force: true state: link notify: restart munin-node tags: diff --git a/haproxy/tasks/packages_backports.yml b/haproxy/tasks/packages_backports.yml index 5832c4d4..2a5a855c 100644 --- a/haproxy/tasks/packages_backports.yml +++ b/haproxy/tasks/packages_backports.yml @@ -23,7 +23,7 @@ ansible.builtin.template: src: haproxy_apt_preferences.j2 dest: /etc/apt/preferences.d/999-haproxy - force: yes + force: true mode: "0640" register: haproxy_apt_preferences tags: diff --git a/jenkins/tasks/main.yml b/jenkins/tasks/main.yml index 1e6b777b..835d3a3e 100644 --- a/jenkins/tasks/main.yml +++ b/jenkins/tasks/main.yml @@ -9,7 +9,7 @@ ansible.builtin.copy: src: jenkins.asc dest: "{{ apt_keyring_dir }}/jenkins.asc" - force: yes + force: true mode: "0644" owner: root group: root 
diff --git a/keepalived/tasks/main.yml b/keepalived/tasks/main.yml index 3ab0f8be..30f9557a 100644 --- a/keepalived/tasks/main.yml +++ b/keepalived/tasks/main.yml @@ -14,7 +14,7 @@ mode: "0755" owner: root group: root - force: yes + force: true notify: restart keepalived tags: - keepalived @@ -27,7 +27,7 @@ mode: "0755" owner: root group: root - force: yes + force: true tags: - keepalived - nrpe diff --git a/kibana/tasks/apt_sources.yml b/kibana/tasks/apt_sources.yml index a0395ffe..e525ba4b 100644 --- a/kibana/tasks/apt_sources.yml +++ b/kibana/tasks/apt_sources.yml @@ -9,7 +9,7 @@ ansible.builtin.copy: src: elastic.asc dest: "{{ apt_keyring_dir }}/elastic.asc" - force: yes + force: true mode: "0644" owner: root group: root diff --git a/kibana/tasks/proxy_nginx.yml b/kibana/tasks/proxy_nginx.yml index 7b680284..e3b672b8 100644 --- a/kibana/tasks/proxy_nginx.yml +++ b/kibana/tasks/proxy_nginx.yml @@ -4,13 +4,13 @@ ansible.builtin.template: src: nginx_proxy_kibana_ssl.j2 dest: /etc/nginx/sites-available/kibana_ssl.conf - force: no + force: false - name: Example proxy for Kibana with Nginx (without SSL) ansible.builtin.template: src: nginx_proxy_kibana_nossl.j2 dest: /etc/nginx/sites-available/kibana_nossl.conf - force: no + force: false # - name: Kibana host in Nginx is enabled # file: diff --git a/kvm-host/tasks/munin.yml b/kvm-host/tasks/munin.yml index 45edc8d6..8cd45cb5 100644 --- a/kvm-host/tasks/munin.yml +++ b/kvm-host/tasks/munin.yml @@ -20,7 +20,7 @@ url: "https://raw.githubusercontent.com/munin-monitoring/contrib/master/plugins/libvirt/{{ item }}" dest: "/usr/local/share/munin/plugins/" mode: "0755" - force: no + force: false loop: - kvm_cpu - kvm_io @@ -32,7 +32,7 @@ src: "/usr/local/share/munin/plugins/{{ plugin_name }}" dest: "/etc/munin/plugins/{{ plugin_name }}" state: link - force: yes + force: true loop: - kvm_cpu - kvm_io diff --git a/kvm-host/tasks/tools.yml b/kvm-host/tasks/tools.yml index 7931f541..fccf9307 100644 --- a/kvm-host/tasks/tools.yml 
+++ b/kvm-host/tasks/tools.yml @@ -17,7 +17,7 @@ mode: "0700" owner: root group: root - force: yes + force: true - name: migrate-vm script is present ansible.builtin.copy: @@ -26,7 +26,7 @@ mode: "0700" owner: root group: root - force: yes + force: true - name: kvmstats script is present ansible.builtin.copy: @@ -35,7 +35,7 @@ mode: "0700" owner: root group: root - force: yes + force: true - name: kvmstats cron is present ansible.builtin.template: diff --git a/listupgrade/tasks/main.yml b/listupgrade/tasks/main.yml index e3f308ef..dec4881d 100644 --- a/listupgrade/tasks/main.yml +++ b/listupgrade/tasks/main.yml @@ -18,7 +18,7 @@ mode: "0700" owner: root group: root - force: yes + force: true - name: Create /etc/evolinux ansible.builtin.file: @@ -35,7 +35,7 @@ mode: "0600" owner: root group: root - force: no + force: false - name: Cron.d is present ansible.builtin.file: diff --git a/logstash/tasks/apt_sources.yml b/logstash/tasks/apt_sources.yml index a0395ffe..e525ba4b 100644 --- a/logstash/tasks/apt_sources.yml +++ b/logstash/tasks/apt_sources.yml @@ -9,7 +9,7 @@ ansible.builtin.copy: src: elastic.asc dest: "{{ apt_keyring_dir }}/elastic.asc" - force: yes + force: true mode: "0644" owner: root group: root diff --git a/memcached/tasks/nrpe.yml b/memcached/tasks/nrpe.yml index a01cf1e7..aba43da6 100644 --- a/memcached/tasks/nrpe.yml +++ b/memcached/tasks/nrpe.yml @@ -25,7 +25,7 @@ ansible.builtin.copy: src: check_memcached_instances.sh dest: /usr/local/lib/nagios/plugins/check_memcached_instances - force: yes + force: true mode: "0755" owner: root group: root diff --git a/metricbeat/tasks/apt_sources.yml b/metricbeat/tasks/apt_sources.yml index a0395ffe..e525ba4b 100644 --- a/metricbeat/tasks/apt_sources.yml +++ b/metricbeat/tasks/apt_sources.yml @@ -9,7 +9,7 @@ ansible.builtin.copy: src: elastic.asc dest: "{{ apt_keyring_dir }}/elastic.asc" - force: yes + force: true mode: "0644" owner: root group: root 
diff --git a/mongodb/tasks/main_bookworm.yml b/mongodb/tasks/main_bookworm.yml index ef64f00c..93989230 100644 --- a/mongodb/tasks/main_bookworm.yml +++ b/mongodb/tasks/main_bookworm.yml @@ -52,7 +52,7 @@ ansible.builtin.template: src: logrotate_bullseye.j2 dest: /etc/logrotate.d/mongodb - force: yes + force: true backup: no - ansible.builtin.include_role: @@ -74,7 +74,7 @@ ansible.builtin.copy: src: "munin/{{ item }}" dest: '/usr/local/share/munin/plugins/{{ item }}' - force: yes + force: true loop: - mongo_btree - mongo_collections diff --git a/mongodb/tasks/main_bullseye.yml b/mongodb/tasks/main_bullseye.yml index 4a02ee9b..0cfebf20 100644 --- a/mongodb/tasks/main_bullseye.yml +++ b/mongodb/tasks/main_bullseye.yml @@ -10,7 +10,7 @@ ansible.builtin.copy: src: "server-{{ mongodb_version }}.asc" dest: "{{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc" - force: yes + force: true mode: "0644" owner: root group: root @@ -51,7 +51,7 @@ ansible.builtin.template: src: logrotate_bullseye.j2 dest: /etc/logrotate.d/mongodb - force: yes + force: true backup: no - ansible.builtin.include_role: @@ -73,7 +73,7 @@ ansible.builtin.copy: src: "munin/{{ item }}" dest: '/usr/local/share/munin/plugins/{{ item }}' - force: yes + force: true loop: - mongo_btree - mongo_collections diff --git a/mongodb/tasks/main_buster.yml b/mongodb/tasks/main_buster.yml index 415a5a3f..7d47ed25 100644 --- a/mongodb/tasks/main_buster.yml +++ b/mongodb/tasks/main_buster.yml @@ -16,7 +16,7 @@ ansible.builtin.copy: src: "server-{{ mongodb_version }}.asc" dest: "{{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc" - force: yes + force: true mode: "0644" owner: root group: root @@ -65,7 +65,7 @@ ansible.builtin.template: src: logrotate_buster.j2 dest: /etc/logrotate.d/mongodb - force: yes + force: true backup: no - ansible.builtin.include_role: 
@@ -87,7 +87,7 @@ ansible.builtin.copy: src: "munin/{{ item }}" dest: '/usr/local/share/munin/plugins/{{ item }}' - force: yes + force: true loop: - mongo_btree - mongo_collections diff --git a/mongodb/tasks/main_jessie.yml b/mongodb/tasks/main_jessie.yml index 61d57f85..50767d68 100644 --- a/mongodb/tasks/main_jessie.yml +++ b/mongodb/tasks/main_jessie.yml @@ -16,7 +16,7 @@ ansible.builtin.copy: src: "server-{{ mongodb_version }}.asc" dest: "/etc/apt/trusted.gpg.d/mongodb-server-{{ mongodb_version }}.asc" - force: yes + force: true mode: "0644" owner: root group: root @@ -57,5 +57,5 @@ ansible.builtin.template: src: logrotate_jessie.j2 dest: /etc/logrotate.d/mongodb - force: yes + force: true backup: no diff --git a/mongodb/tasks/main_stretch.yml b/mongodb/tasks/main_stretch.yml index 0dc33fcf..5b9a84c0 100644 --- a/mongodb/tasks/main_stretch.yml +++ b/mongodb/tasks/main_stretch.yml @@ -28,7 +28,7 @@ ansible.builtin.template: src: logrotate_stretch.j2 dest: /etc/logrotate.d/mongodb-server - force: yes + force: true backup: no - name: disable previous logrotate diff --git a/monit/tasks/main.yml b/monit/tasks/main.yml index 49e4c99b..65deb5f9 100644 --- a/monit/tasks/main.yml +++ b/monit/tasks/main.yml @@ -13,7 +13,7 @@ src: evolinux-defaults.conf.j2 dest: /etc/monit/conf.d/z-evolinux-defaults.conf mode: "0640" - force: yes + force: true notify: restart monit tags: - monit diff --git a/mysql-oracle/tasks/config.yml b/mysql-oracle/tasks/config.yml index ff42ed20..0a3370ab 100644 --- a/mysql-oracle/tasks/config.yml +++ b/mysql-oracle/tasks/config.yml @@ -10,7 +10,7 @@ owner: root group: root mode: "0644" - force: yes + force: true tags: - mysql @@ -21,6 +21,6 @@ owner: root group: root mode: "0644" - force: no + force: false tags: - mysql diff --git a/mysql-oracle/tasks/packages.yml b/mysql-oracle/tasks/packages.yml index 7ceadd89..ede629f5 100644 --- a/mysql-oracle/tasks/packages.yml +++ b/mysql-oracle/tasks/packages.yml 
@@ -51,7 +51,7 @@ mode: "0755" owner: root group: root - force: yes + force: true - name: systemd unit is installed ansible.builtin.copy: @@ -60,7 +60,7 @@ mode: "0644" owner: root group: root - force: yes + force: true register: mysql_systemd_unit - name: APT cache is up-to-date diff --git a/mysql-oracle/tasks/utils.yml b/mysql-oracle/tasks/utils.yml index cbcc9e37..2504eaa2 100644 --- a/mysql-oracle/tasks/utils.yml +++ b/mysql-oracle/tasks/utils.yml @@ -75,7 +75,7 @@ mode: "0755" owner: root group: staff - force: yes + force: true tags: - mytop - mysql @@ -96,7 +96,7 @@ src: mytop-config.j2 dest: /root/.mytop mode: "0600" - force: yes + force: true tags: - mytop - mysql diff --git a/mysql/tasks/config_jessie.yml b/mysql/tasks/config_jessie.yml index 174fc56a..3d8c494d 100644 --- a/mysql/tasks/config_jessie.yml +++ b/mysql/tasks/config_jessie.yml @@ -10,7 +10,7 @@ owner: root group: root mode: "0644" - force: yes + force: true tags: - mysql diff --git a/mysql/tasks/config_stretch.yml b/mysql/tasks/config_stretch.yml index cda4867c..57346fb5 100644 --- a/mysql/tasks/config_stretch.yml +++ b/mysql/tasks/config_stretch.yml @@ -10,7 +10,7 @@ owner: root group: root mode: "0644" - force: yes + force: true notify: "{{ mysql_restart_handler_name }}" tags: - mysql @@ -36,7 +36,7 @@ ansible.builtin.template: src: mariadb.systemd.j2 dest: /etc/systemd/system/mariadb.service.d/evolinux.conf - force: yes + force: true register: mariadb_systemd_override - name: reload systemd and restart MariaDB diff --git a/mysql/tasks/mysql_skip.yml b/mysql/tasks/mysql_skip.yml index 2455641a..e98567a7 100644 --- a/mysql/tasks/mysql_skip.yml +++ b/mysql/tasks/mysql_skip.yml @@ -7,7 +7,7 @@ owner: root group: root mode: "0700" - force: yes + force: true tags: - mysql_skip @@ -45,7 +45,7 @@ ansible.builtin.template: src: mysql_skip.systemd.j2 dest: /etc/systemd/system/mysql_skip.service - force: yes + force: true - name: "Start or stop systemd unit" ansible.builtin.systemd: 
diff --git a/mysql/tasks/utils.yml b/mysql/tasks/utils.yml index f8005ee2..9d81514a 100644 --- a/mysql/tasks/utils.yml +++ b/mysql/tasks/utils.yml @@ -76,7 +76,7 @@ src: mytop.j2 dest: /root/.mytop mode: "0600" - force: yes + force: true tags: - mytop - mysql @@ -87,7 +87,7 @@ src: mytop.bullseye.j2 dest: /root/.mytop mode: "0600" - force: yes + force: true tags: - mytop - mysql @@ -220,7 +220,7 @@ src: save_mysql_processlist.sh dest: "{{ _mysql_scripts_dir }}/save_mysql_processlist.sh" mode: "0755" - force: no + force: false tags: - mysql @@ -229,7 +229,7 @@ src: mysql_connections.sh dest: "{{ _mysql_scripts_dir }}/mysql_connections" mode: "0755" - force: no + force: false tags: - mysql @@ -238,7 +238,7 @@ src: mysql-queries-killer.sh dest: "{{ _mysql_scripts_dir }}/mysql-queries-killer.sh" mode: "0755" - force: no + force: false tags: - mysql @@ -247,6 +247,6 @@ src: evomariabackup.sh dest: "{{ _mysql_scripts_dir }}/evomariabackup" mode: "0755" - force: no + force: false tags: - mysql \ No newline at end of file diff --git a/nagios-nrpe/tasks/main.yml b/nagios-nrpe/tasks/main.yml index f78f9fbf..aa36f9c9 100644 --- a/nagios-nrpe/tasks/main.yml +++ b/nagios-nrpe/tasks/main.yml @@ -30,7 +30,7 @@ dest: /etc/nagios/nrpe.d/evolix.cfg group: nagios mode: "0640" - force: no + force: false notify: restart nagios-nrpe-server tags: - nagios-nrpe diff --git a/nagios-nrpe/tasks/wrapper.yml b/nagios-nrpe/tasks/wrapper.yml index add493fd..4eb98350 100644 --- a/nagios-nrpe/tasks/wrapper.yml +++ b/nagios-nrpe/tasks/wrapper.yml @@ -24,7 +24,7 @@ owner: root group: root mode: "0750" - force: yes + force: true - name: "symlink for backward compatibility" ansible.builtin.file: @@ -40,4 +40,4 @@ owner: root group: staff mode: "0755" - force: yes \ No newline at end of file + force: true \ No newline at end of file diff --git a/newrelic/tasks/sources.yml b/newrelic/tasks/sources.yml index 22473df1..3f745db9 100644 --- a/newrelic/tasks/sources.yml +++ b/newrelic/tasks/sources.yml 
@@ -4,7 +4,7 @@ ansible.builtin.copy: src: newrelic.asc dest: "{{ apt_keyring_dir }}/newrelic.asc" - force: yes + force: true mode: "0644" owner: root group: root diff --git a/nginx/tasks/logrotate.yml b/nginx/tasks/logrotate.yml index d475e419..9081ef41 100644 --- a/nginx/tasks/logrotate.yml +++ b/nginx/tasks/logrotate.yml @@ -4,7 +4,7 @@ ansible.builtin.copy: src: logrotate_nginx dest: /etc/logrotate.d/nginx - force: no + force: false tags: - nginx - logrotate diff --git a/nginx/tasks/main.yml b/nginx/tasks/main.yml index aec36bec..1284a6a1 100644 --- a/nginx/tasks/main.yml +++ b/nginx/tasks/main.yml @@ -40,7 +40,7 @@ src: nginx/evolinux-defaults.conf dest: /etc/nginx/conf.d/z-evolinux-defaults.conf mode: "0640" - # force: yes + # force: true notify: reload nginx tags: - nginx @@ -57,7 +57,7 @@ group: www-data directory_mode: "0640" mode: "0640" - force: no + force: false notify: reload nginx tags: - nginx @@ -74,7 +74,7 @@ group: www-data directory_mode: "0640" mode: "0640" - force: no + force: false notify: reload nginx tags: - nginx @@ -88,7 +88,7 @@ group: www-data directory_mode: "0640" mode: "0640" - force: no + force: false notify: reload nginx tags: - nginx @@ -128,7 +128,7 @@ src: /etc/nginx/sites-available/evolinux-default.conf dest: /etc/nginx/sites-enabled/default state: link - force: yes + force: true notify: reload nginx when: nginx_evolinux_default_enabled | bool tags: diff --git a/nginx/tasks/packages_backports.yml b/nginx/tasks/packages_backports.yml index aac2304d..88402bb9 100644 --- a/nginx/tasks/packages_backports.yml +++ b/nginx/tasks/packages_backports.yml @@ -12,7 +12,7 @@ ansible.builtin.template: src: apt/nginx_preferences dest: /etc/apt/preferences.d/999-nginx - force: yes + force: true mode: "0640" register: nginx_apt_preferences tags: diff --git a/nginx/tasks/server_status_read.yml b/nginx/tasks/server_status_read.yml index e97d898a..d6cecbe3 100644 --- a/nginx/tasks/server_status_read.yml +++ b/nginx/tasks/server_status_read.yml 
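Review bot: `directory_mode: "0640"` in the nginx/tasks/main.yml hunks at `@@ -57`, `@@ -74` and `@@ -88` creates any new directory without the execute bit, so the `www-data` group named on the same task cannot traverse it to reach the files inside. `directory_mode` only applies to directories the copy module has to create, so this is probably masked on hosts where the destination already exists, but it will bite on a fresh install; `directory_mode: "0750"` is the directory counterpart of the `0640` file mode used on the same line. The task's `name`/`src`/`dest` lines sit above the hunk, so I cannot see which directory is copied — please confirm it is a recursive directory copy before changing.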
@@ -13,7 +13,7 @@ dest: "{{ nginx_serverstatus_suffix_file }}" # The last character "\u000A" is a line feed (LF), it's better to keep it content: "{{ nginx_serverstatus_suffix }}\u000A" - force: yes + force: true when: nginx_serverstatus_suffix | length > 0 - name: generate random string for server-status suffix diff --git a/opendkim/tasks/main.yml b/opendkim/tasks/main.yml index 96a521b5..a9c1bf49 100644 --- a/opendkim/tasks/main.yml +++ b/opendkim/tasks/main.yml @@ -60,7 +60,7 @@ src: opendkim-evolix.conf dest: /etc/opendkim-evolix.conf mode: "0644" - force: yes + force: true notify: restart opendkim tags: - opendkim @@ -72,7 +72,7 @@ owner: opendkim group: opendkim mode: "0750" - force: yes + force: true tags: - opendkim diff --git a/openvpn/tasks/debian.yml b/openvpn/tasks/debian.yml index 9810a472..173299b4 100644 --- a/openvpn/tasks/debian.yml +++ b/openvpn/tasks/debian.yml @@ -154,7 +154,7 @@ ansible.builtin.copy: src: logrotate_openvpn dest: /etc/logrotate.d/openvpn - force: no + force: false - name: Generate a password for the management interface ansible.builtin.set_fact: diff --git a/packweb-apache/tasks/apache.yml b/packweb-apache/tasks/apache.yml index 434e75d0..b7e05f71 100644 --- a/packweb-apache/tasks/apache.yml +++ b/packweb-apache/tasks/apache.yml @@ -43,7 +43,7 @@ owner: root group: root mode: "0644" - force: no + force: false - name: Copy Apache settings for modules ansible.builtin.template: @@ -52,7 +52,7 @@ owner: root group: root mode: "0644" - force: no + force: false - name: Ensure Apache modules configs are enabled ansible.builtin.command: diff --git a/packweb-apache/tasks/awstats.yml b/packweb-apache/tasks/awstats.yml index 08c94381..f6e8b309 100644 --- a/packweb-apache/tasks/awstats.yml +++ b/packweb-apache/tasks/awstats.yml @@ -31,7 +31,7 @@ Require all granted - force: no + force: false mode: "0644" - name: Enable apache awstats-icon configuration 
diff --git a/packweb-apache/tasks/phpmyadmin.yml b/packweb-apache/tasks/phpmyadmin.yml index 11832300..abb1c552 100644 --- a/packweb-apache/tasks/phpmyadmin.yml +++ b/packweb-apache/tasks/phpmyadmin.yml @@ -15,7 +15,7 @@ ansible.builtin.template: src: phpmyadmin_apt_preferences.j2 dest: /etc/apt/preferences.d/999-phpmyadmin - force: yes + force: true mode: "0644" when: ansible_distribution_major_version is version('10', '=') @@ -53,7 +53,7 @@ dest: "{{ packweb_phpmyadmin_suffix_file }}" # The last character "\u000A" is a line feed (LF), it's better to keep it content: "{{ packweb_phpmyadmin_suffix }}\u000A" - force: yes + force: true when: packweb_phpmyadmin_suffix | length > 0 - name: generate random string for phpmyadmin suffix diff --git a/percona/tasks/main.yml b/percona/tasks/main.yml index 32637df7..069956d0 100644 --- a/percona/tasks/main.yml +++ b/percona/tasks/main.yml @@ -19,7 +19,7 @@ ansible.builtin.copy: src: percona.asc dest: "{{ apt_keyring_dir }}/percona.asc" - force: yes + force: true mode: "0644" owner: root group: root diff --git a/php/tasks/config_apache.yml b/php/tasks/config_apache.yml index 4ddc8448..addab08c 100644 --- a/php/tasks/config_apache.yml +++ b/php/tasks/config_apache.yml @@ -33,7 +33,7 @@ ; Put customized values here. ; default_charset = "ISO-8859-1" mode: "0644" - force: no + force: false - name: "Set custom values for PHP to enable Symfony" community.general.ini_file: diff --git a/php/tasks/config_cli.yml b/php/tasks/config_cli.yml index 506a1077..e7084d9b 100644 --- a/php/tasks/config_cli.yml +++ b/php/tasks/config_cli.yml @@ -17,10 +17,10 @@ dest: "{{ php_cli_custom_ini_file }}" content: | ; Put customized values here. - force: no + force: false # This task is not merged with the above copy -# because "force: no" prevents any fix after the fact +# because "force: false" prevents any fix after the fact - name: "Permissions for custom php.ini for CLI" ansible.builtin.file: dest: "{{ php_cli_custom_ini_file }}" 
diff --git a/php/tasks/config_fpm.yml b/php/tasks/config_fpm.yml index 9fc1cc33..836559bf 100644 --- a/php/tasks/config_fpm.yml +++ b/php/tasks/config_fpm.yml @@ -32,7 +32,7 @@ dest: "{{ php_fpm_custom_ini_file }}" content: | ; Put customized values here. - force: no + force: false notify: "restart {{ php_fpm_service_name }}" - name: Set default PHP FPM values @@ -66,7 +66,7 @@ ; Put customized values here. ; default_charset = "ISO-8859-1" mode: "0644" - force: no + force: false notify: "restart {{ php_fpm_service_name }}" - name: "Set custom values for PHP to enable Symfony" diff --git a/php/tasks/sury_post.yml b/php/tasks/sury_post.yml index ef4d3c7e..d529ec53 100644 --- a/php/tasks/sury_post.yml +++ b/php/tasks/sury_post.yml @@ -4,7 +4,7 @@ ansible.builtin.file: src: "{{ item.src }}" dest: "{{ item.dest }}" - force: yes + force: true state: link loop: - { src: "{{ php_cli_defaults_ini_file }}", dest: "/etc/php/7.4/cli/conf.d/z-evolinux-defaults.ini" } @@ -19,7 +19,7 @@ ansible.builtin.file: src: "{{ item.src }}" dest: "{{ item.dest }}" - force: yes + force: true state: link loop: - { src: "{{ php_apache_defaults_ini_file }}", dest: "/etc/php/7.4/apache2/conf.d/z-evolinux-defaults.ini" } @@ -36,7 +36,7 @@ ansible.builtin.file: src: "{{ item.src }}" dest: "{{ item.dest }}" - force: yes + force: true state: link loop: - { src: "{{ php_fpm_defaults_ini_file }}", dest: "/etc/php/7.4/fpm/conf.d/z-evolinux-defaults.ini" } diff --git a/postfix/tasks/minimal.yml b/postfix/tasks/minimal.yml index f8ea1b0b..36327b3e 100644 --- a/postfix/tasks/minimal.yml +++ b/postfix/tasks/minimal.yml @@ -13,7 +13,7 @@ owner: root group: root mode: "0644" - force: yes + force: true notify: restart postfix when: (postfix_force_main_cf | bool) or (postfix_maincf_md5_jessie in default_main_cf.stdout) or (postfix_maincf_md5_stretch in default_main_cf.stdout) tags: diff --git a/postfix/tasks/packmail.yml b/postfix/tasks/packmail.yml index be0b075e..f5ccf66d 100644 
--- a/postfix/tasks/packmail.yml +++ b/postfix/tasks/packmail.yml @@ -31,7 +31,7 @@ owner: root group: root mode: "0644" - force: yes + force: true notify: restart postfix when: (postfix_force_main_cf | bool) or (postfix_maincf_md5_jessie in default_main_cf.stdout) or (postfix_maincf_md5_stretch in default_main_cf.stdout) tags: @@ -50,7 +50,7 @@ ansible.builtin.copy: src: filter dest: "/etc/postfix/{{ item }}" - force: no + force: false loop: - virtual - client.access diff --git a/postgresql/tasks/config.yml b/postgresql/tasks/config.yml index 87091b8f..2f735df0 100644 --- a/postgresql/tasks/config.yml +++ b/postgresql/tasks/config.yml @@ -9,7 +9,7 @@ ansible.builtin.copy: src: postgresql.service.override.conf dest: /etc/systemd/system/postgresql@.service.d/override.conf - force: yes + force: true mode: "0644" notify: - reload systemd diff --git a/postgresql/tasks/logrotate.yml b/postgresql/tasks/logrotate.yml index 55adc5bd..dbe66bb8 100644 --- a/postgresql/tasks/logrotate.yml +++ b/postgresql/tasks/logrotate.yml @@ -3,4 +3,4 @@ ansible.builtin.copy: src: logrotate_postgresql dest: /etc/logrotate.d/postgresql-common - force: no + force: false diff --git a/postgresql/tasks/pgdg-repo.yml b/postgresql/tasks/pgdg-repo.yml index e9f25307..b988618a 100644 --- a/postgresql/tasks/pgdg-repo.yml +++ b/postgresql/tasks/pgdg-repo.yml @@ -12,7 +12,7 @@ ansible.builtin.copy: src: postgresql.asc dest: "{{ apt_keyring_dir }}/postgresql.asc" - force: yes + force: true mode: "0644" owner: root group: root diff --git a/proftpd/tasks/main.yml b/proftpd/tasks/main.yml index ce292ad5..26dcfb85 100644 --- a/proftpd/tasks/main.yml +++ b/proftpd/tasks/main.yml @@ -76,7 +76,7 @@ ansible.builtin.copy: src: vpasswd dest: /etc/proftpd/vpasswd - force: no + force: false notify: restart proftpd tags: - proftpd diff --git a/rabbitmq/tasks/main.yml b/rabbitmq/tasks/main.yml index f485bc1f..d78c70fd 100644 --- a/rabbitmq/tasks/main.yml +++ b/rabbitmq/tasks/main.yml 
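Review bot: The `vpasswd` copy in proftpd/tasks/main.yml (`@@ -76`) sets neither `owner`, `group` nor `mode`, so a freshly created `/etc/proftpd/vpasswd` — the virtual users' password-hash file — gets whatever the default umask yields, typically a world-readable `0644`. Adding `owner: root`, `group: root` and `mode: "0600"` to the copy only fixes new installs, because with `force: false` the copy module stops when the destination exists and does not revisit its attributes; the php role in this same series (php/tasks/config_cli.yml) documents exactly that limitation and uses a separate `ansible.builtin.file` task for permissions, which I would mirror here. This assumes proftpd still opens the file as root before dropping privileges — confirm against the proftpd configuration in this role, which is outside the hunk.
```yaml
# … unchanged: copy of vpasswd with force: false …
- name: vpasswd is only readable by root
  ansible.builtin.file:
    path: /etc/proftpd/vpasswd
    owner: root
    group: root
    mode: "0600"
  tags:
    - proftpd
```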
@@ -10,7 +10,7 @@ owner: rabbitmq group: rabbitmq mode: "0600" - force: no + force: false - name: Create rabbitmq.config ansible.builtin.copy: @@ -19,7 +19,7 @@ owner: rabbitmq group: rabbitmq mode: "0600" - force: no + force: false - name: Adjust ulimit ansible.builtin.lineinfile: diff --git a/rabbitmq/tasks/nrpe.yml b/rabbitmq/tasks/nrpe.yml index f491a68c..d181b07c 100644 --- a/rabbitmq/tasks/nrpe.yml +++ b/rabbitmq/tasks/nrpe.yml @@ -23,7 +23,7 @@ owner: root group: root mode: "0755" - force: yes + force: true when: ansible_distribution_major_version is version('11', '<=') - name: check_rabbitmq (Python 3 version) is installed @@ -33,7 +33,7 @@ owner: root group: root mode: "0755" - force: yes + force: true when: ansible_distribution_major_version is version('11', '>=') - name: check_rabbitmq is available for NRPE diff --git a/rbenv/tasks/main.yml b/rbenv/tasks/main.yml index 4362c5db..000eb163 100644 --- a/rbenv/tasks/main.yml +++ b/rbenv/tasks/main.yml @@ -33,7 +33,7 @@ dest: '{{ rbenv_root }}' version: '{{ rbenv_version }}' accept_hostkey: yes - force: yes + force: true become_user: "{{ username }}" become: yes tags: @@ -67,7 +67,7 @@ dest: '{{ rbenv_root }}/plugins/{{ item.name }}' version: '{{ item.version }}' accept_hostkey: yes - force: yes + force: true loop: "{{ rbenv_plugins }}" become_user: "{{ username }}" become: yes diff --git a/redis/tasks/nrpe.yml b/redis/tasks/nrpe.yml index 61400b99..a786c78f 100644 --- a/redis/tasks/nrpe.yml +++ b/redis/tasks/nrpe.yml @@ -12,7 +12,7 @@ ansible.builtin.copy: src: check_redis.pl dest: /usr/local/lib/nagios/plugins/check_redis - force: yes + force: true mode: "0755" owner: root group: root @@ -87,7 +87,7 @@ ansible.builtin.copy: src: check_redis_instances.sh dest: /usr/local/lib/nagios/plugins/check_redis_instances - force: yes + force: true mode: "0755" owner: root group: root diff --git a/squid/tasks/logrotate_jessie.yml b/squid/tasks/logrotate_jessie.yml index 345cd053..a0cfdff1 100644 
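Review bot: Both rbenv/tasks/main.yml hunks (`@@ -33` and `@@ -67`) keep `accept_hostkey: yes` next to the newly spelled `force: true`, so if the `repo:` above the hunk is an SSH URL the clone trusts whatever host key is presented on first contact and the origin of the Ruby toolchain is never authenticated; `force: true` then resets the working copy to that remote on every run. I would seed the key with `ansible.builtin.known_hosts` first and set `accept_hostkey: false`, and pin `rbenv_version` / `item.version` to a tag or commit rather than a branch so the checkout is reproducible. The `repo:` line is outside the hunk, so this may be moot for an HTTPS URL; either way `accept_hostkey: yes` should become `true`/`false` for consistency with this commit (the later `become:` commit on this page leaves it as `yes` as well).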
--- a/squid/tasks/logrotate_jessie.yml +++ b/squid/tasks/logrotate_jessie.yml @@ -24,7 +24,7 @@ ansible.builtin.template: src: logrotate_jessie.j2 dest: /etc/logrotate.d/{{ squid_daemon_name }} - force: yes + force: true when: squid_logrotate_md5.rc == 0 tags: - squid diff --git a/squid/tasks/logrotate_stretch.yml b/squid/tasks/logrotate_stretch.yml index df264068..965256d4 100644 --- a/squid/tasks/logrotate_stretch.yml +++ b/squid/tasks/logrotate_stretch.yml @@ -24,7 +24,7 @@ ansible.builtin.template: src: logrotate_stretch.j2 dest: /etc/logrotate.d/{{ squid_daemon_name }} - force: yes + force: true when: squid_logrotate_md5.rc == 0 tags: - squid diff --git a/squid/tasks/main.yml b/squid/tasks/main.yml index 0a200188..2f0e94aa 100644 --- a/squid/tasks/main.yml +++ b/squid/tasks/main.yml @@ -46,7 +46,7 @@ ansible.builtin.copy: src: whitelist-evolinux.conf dest: /etc/squid3/whitelist.conf - force: no + force: false notify: "reload squid3" when: ansible_distribution_release == "jessie" @@ -69,14 +69,14 @@ dest: /etc/squid/evolinux-whitelist-custom.conf content: | # Put customized values here. - force: no + force: false when: ansible_distribution_major_version is version('9', '>=') - name: "evolinux acl for local proxy (Debian 9 or later)" ansible.builtin.template: src: evolinux-acl.conf.j2 dest: /etc/squid/evolinux-acl.conf - force: no + force: false notify: "reload squid" when: - squid_localproxy_enable | bool @@ -87,7 +87,7 @@ dest: /etc/squid/evolinux-acl.conf content: | # Put customized values here. - force: no + force: false when: - not (squid_localproxy_enable | bool) - ansible_distribution_major_version is version('9', '>=') @@ -96,7 +96,7 @@ ansible.builtin.copy: src: evolinux-httpaccess.conf dest: /etc/squid/evolinux-httpaccess.conf - force: no + force: false notify: "reload squid" when: - squid_localproxy_enable | bool 
@@ -107,7 +107,7 @@ dest: /etc/squid/evolinux-httpaccess.conf content: | # Put customized values here. - force: no + force: false when: - not (squid_localproxy_enable | bool) - ansible_distribution_major_version is version('9', '>=') @@ -116,7 +116,7 @@ ansible.builtin.template: src: evolinux-custom.conf.j2 dest: /etc/squid/evolinux-custom.conf - force: no + force: false notify: "reload squid" when: - squid_localproxy_enable | bool @@ -127,7 +127,7 @@ dest: /etc/squid/evolinux-custom.conf content: | # Put customized values here. - force: no + force: false when: - not (squid_localproxy_enable | bool) - ansible_distribution_major_version is version('9', '>=') diff --git a/squid/tasks/systemd.yml b/squid/tasks/systemd.yml index 7e262f23..da07eb81 100644 --- a/squid/tasks/systemd.yml +++ b/squid/tasks/systemd.yml @@ -21,7 +21,7 @@ src: systemd-override.conf.j2 dest: /etc/systemd/system/squid.service.d/override.conf mode: "0644" - force: yes + force: true register: _squid_systemd_override - name: "Systemd daemon is reloaded and Squid restarted" diff --git a/supervisord/tasks/main.yml b/supervisord/tasks/main.yml index 7b61ccbb..8d30c649 100644 --- a/supervisord/tasks/main.yml +++ b/supervisord/tasks/main.yml @@ -10,7 +10,7 @@ src: http.conf dest: /etc/supervisor/conf.d/ mode: "0644" - force: no + force: false notify: restart supervisor when: supervisord_enable_http | bool tags: diff --git a/tomcat-instance/tasks/bootstrap.yml b/tomcat-instance/tasks/bootstrap.yml index 818ddceb..c53a4a14 100644 --- a/tomcat-instance/tasks/bootstrap.yml +++ b/tomcat-instance/tasks/bootstrap.yml @@ -21,7 +21,7 @@ mode: "0660" owner: "{{ tomcat_instance_name }}" group: "{{ tomcat_instance_name }}" - force: no + force: false - name: Templating of server.xml file ansible.builtin.template: @@ -30,7 +30,7 @@ mode: "0660" owner: "{{ tomcat_instance_name }}" group: "{{ tomcat_instance_name }}" - force: no + force: false - name: Copy config file ansible.builtin.copy: 
@@ -39,6 +39,6 @@ mode: "0660" owner: "{{ tomcat_instance_name }}" group: "{{ tomcat_instance_name }}" - force: no + force: false with_fileglob: - "tomcat{{ tomcat_version }}/*" diff --git a/unbound/tasks/main.yml b/unbound/tasks/main.yml index 6e76eb3b..976c6386 100644 --- a/unbound/tasks/main.yml +++ b/unbound/tasks/main.yml @@ -11,7 +11,7 @@ ansible.builtin.get_url: url: https://www.internic.net/domain/named.cache dest: /etc/unbound/root.hints - force: yes + force: true mode: "0644" notify: reload unbound tags: diff --git a/varnish/tasks/main.yml b/varnish/tasks/main.yml index 585688b9..68f3fc74 100644 --- a/varnish/tasks/main.yml +++ b/varnish/tasks/main.yml @@ -80,7 +80,7 @@ when: - varnish_package_facts['version'] is version('4', '>=') - varnish_package_facts['version'] is version('6', '<') - - varnish_systemd_override_template | length == 0 + - varnish_systemd_override_template is none or varnish_systemd_override_template | length == 0 tags: - varnish - config @@ -92,7 +92,7 @@ when: - varnish_package_facts['version'] is version('6', '>=') - varnish_package_facts['version'] is version('7', '<') - - varnish_systemd_override_template | length == 0 + - varnish_systemd_override_template is none or varnish_systemd_override_template | length == 0 tags: - varnish - config @@ -103,7 +103,7 @@ varnish_systemd_override_template: override.conf.varnish7.j2 when: - varnish_package_facts['version'] is version('7', '>=') - - varnish_systemd_override_template | length == 0 + - varnish_systemd_override_template is none or varnish_systemd_override_template | length == 0 tags: - varnish - config @@ -113,7 +113,7 @@ ansible.builtin.template: src: "{{ varnish_systemd_override_template }}" dest: /etc/systemd/system/varnish.service.d/override.conf - force: yes + force: true notify: - reload systemd - restart varnish 
@@ -139,7 +139,7 @@ src: "{{ item }}" dest: "{{ varnish_config_file }}" mode: "0644" - force: yes + force: true when: varnish_update_config | bool loop: "{{ query('first_found', templates) }}" vars: @@ -172,7 +172,7 @@ ansible.builtin.template: src: "{{ item }}" dest: /etc/varnish/conf.d/ - force: yes + force: true mode: "0644" with_fileglob: - "templates/varnish/conf.d/*.vcl" diff --git a/vrrpd/tasks/ip.yml b/vrrpd/tasks/ip.yml index 87a05092..b46a8954 100644 --- a/vrrpd/tasks/ip.yml +++ b/vrrpd/tasks/ip.yml @@ -8,7 +8,7 @@ ansible.builtin.template: src: vrrp.service.j2 dest: "/etc/systemd/system/{{ vrrp_systemd_unit_name }}" - force: yes + force: true register: vrrp_systemd_unit - name: enable and start systemd unit diff --git a/webapps/nextcloud/tasks/archive.yml b/webapps/nextcloud/tasks/archive.yml index 47defe79..f4e1cf26 100644 --- a/webapps/nextcloud/tasks/archive.yml +++ b/webapps/nextcloud/tasks/archive.yml @@ -4,7 +4,7 @@ ansible.builtin.get_url: url: "{{ nextcloud_releases_baseurl }}{{ nextcloud_archive_name }}" dest: "{{ nextcloud_home }}/{{ nextcloud_archive_name }}" - force: no + force: false tags: - nextcloud @@ -12,7 +12,7 @@ ansible.builtin.get_url: url: "{{ nextcloud_releases_baseurl }}{{ nextcloud_archive_name }}.sha256" dest: "{{ nextcloud_home }}/{{ nextcloud_archive_name }}.sha256" - force: no + force: false tags: - nextcloud -- 2.39.2 From 18f160fb836e800d803abfe5040d70e7a4d07836 Mon Sep 17 00:00:00 2001 From: Bruno TATU Date: Wed, 28 Jun 2023 14:55:16 +0200 Subject: [PATCH 490/497] =?UTF-8?q?valeur=20que=20l'on=20propose=20par=20d?= =?UTF-8?q?=C3=A9faut?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- fail2ban/defaults/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/fail2ban/defaults/main.yml b/fail2ban/defaults/main.yml index 098a550a..bfff9b29 100644 --- a/fail2ban/defaults/main.yml +++ b/fail2ban/defaults/main.yml 
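Review bot: With `force: false` on the first `get_url` in webapps/nextcloud/tasks/archive.yml, an existing `{{ nextcloud_home }}/{{ nextcloud_archive_name }}` is never re-fetched, so a truncated archive left by an interrupted run (or a file someone has swapped in) is silently reused. `get_url` can verify it in place: `checksum: "sha256:{{ nextcloud_releases_baseurl }}{{ nextcloud_archive_name }}.sha256"` makes the module compare the existing file against the published digest and re-download on mismatch, which also covers the case where no later task checks the separately downloaded `.sha256` (none is visible in the hunk). The digest comes from the same `nextcloud_releases_baseurl` as the archive, so it protects against corruption rather than a compromised mirror; Nextcloud also publishes `.asc` signatures if authenticity matters here.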
@@ -45,4 +45,6 @@ fail2ban_wordpress_soft_findtime: "{{ fail2ban_default_findtime }}" fail2ban_roundcube: False fail2ban_roundcube_maxretry: 5 fail2ban_roundcube_bantime: "{{ fail2ban_default_bantime }}" -fail2ban_roundcube_findtime: "{{ fail2ban_default_findtime }}" \ No newline at end of file +fail2ban_roundcube_findtime: "{{ fail2ban_default_findtime }}" + +dbpurgeage_default: "86400 second" -- 2.39.2 From a6bac1f20b641854fb8f99d76273a7739a02365d Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 3 Jul 2023 14:21:22 +0200 Subject: [PATCH 491/497] =?UTF-8?q?change=20syntax=20"become:=20[yes,no]"?= =?UTF-8?q?=20=E2=86=92=20"become:=20[true,false]"?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- CHANGELOG.md | 3 ++- amazon-ec2/amazon-ec2-evolinux.yml | 2 +- elasticsearch/tasks/plugin_head.yml | 2 +- evoacme/tests/vagrant.yml | 2 +- fail2ban/tests/test.yml | 2 +- java/tasks/oracle.yml | 2 +- postgresql/tasks/locales.yml | 2 +- postgresql/tasks/nrpe.yml | 2 +- rbenv/tasks/main.yml | 18 +++++++++--------- redmine/tasks/release.yml | 4 ++-- 10 files changed, 20 insertions(+), 19 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 16d1312e..6dbcaecb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -21,7 +21,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed -* all: change syntax "force: [yes,no]" → "force [true,false]" +* all: change syntax "force: [yes,no]" → "force: [true,false]" +* all: change syntax "become: [yes,no]" → "become: [true,false]" * elasticsearch: improve networking configuration * evolinux-users: remove Stretch references in tasks that also apply to next Debian versions * mysql: improve shell syntax for mysql_skip script diff --git a/amazon-ec2/amazon-ec2-evolinux.yml b/amazon-ec2/amazon-ec2-evolinux.yml index 18dcb7a0..23f1f358 100644 --- a/amazon-ec2/amazon-ec2-evolinux.yml +++ b/amazon-ec2/amazon-ec2-evolinux.yml 
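Review bot: `dbpurgeage_default` is the only variable in fail2ban/defaults/main.yml without the `fail2ban_` prefix (every neighbour, e.g. `fail2ban_roundcube_findtime`, has it), so it can collide with same-named variables from other roles and is hard to trace back to this role; `fail2ban_dbpurgeage: "86400 second"` would follow the file's convention, with the consuming template (outside this hunk) renamed to match. The value also deserves a comment, because fail2ban purges bans older than `dbpurgeage` from its database: if it is shorter than the longest bantime in use, bans are forgotten across restarts, so I would add `# Must be >= the longest bantime, otherwise persistent bans are dropped from the DB on restart` next to it — `fail2ban_default_bantime` is defined above the hunk and its value is not visible here.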
@@ -18,7 +18,7 @@ - name: Install Evolinux hosts: launched-instances - become: yes + become: true vars_files: - 'vars/secrets.yml' diff --git a/elasticsearch/tasks/plugin_head.yml b/elasticsearch/tasks/plugin_head.yml index 2a98d080..24a34643 100644 --- a/elasticsearch/tasks/plugin_head.yml +++ b/elasticsearch/tasks/plugin_head.yml @@ -32,7 +32,7 @@ environment: TMPDIR: "{{ elasticsearch_plugin_head_tmp_dir }}" become_user: "{{ elasticsearch_plugin_head_owner }}" - become: yes + become: true - name: Elasticsearch HTTP/CORS are enabled ansible.builtin.lineinfile: diff --git a/evoacme/tests/vagrant.yml b/evoacme/tests/vagrant.yml index 9eb9077d..83466e63 100644 --- a/evoacme/tests/vagrant.yml +++ b/evoacme/tests/vagrant.yml @@ -1,6 +1,6 @@ - hosts: default gather_facts: yes - become: yes + become: true roles: # - squid diff --git a/fail2ban/tests/test.yml b/fail2ban/tests/test.yml index 59e70a73..687b1a35 100644 --- a/fail2ban/tests/test.yml +++ b/fail2ban/tests/test.yml @@ -1,6 +1,6 @@ --- - hosts: all - become: yes + become: true # gather_facts: no roles: - role: fail2ban diff --git a/java/tasks/oracle.yml b/java/tasks/oracle.yml index 75d181d3..3c4b5b11 100644 --- a/java/tasks/oracle.yml +++ b/java/tasks/oracle.yml @@ -36,7 +36,7 @@ args: chdir: /srv/java-package creates: /srv/java-package/oracle-java8-server-jre_8u192_amd64.deb - become: False + become: false tags: - java diff --git a/postgresql/tasks/locales.yml b/postgresql/tasks/locales.yml index 30d21001..7446b485 100644 --- a/postgresql/tasks/locales.yml +++ b/postgresql/tasks/locales.yml @@ -8,7 +8,7 @@ state: present loop: - "fr_FR.UTF-8" - become: yes + become: true notify: reconfigure locales - name: set default locale diff --git a/postgresql/tasks/nrpe.yml b/postgresql/tasks/nrpe.yml index a4d1ef49..a78c249b 100644 --- a/postgresql/tasks/nrpe.yml +++ b/postgresql/tasks/nrpe.yml 
@@ -29,7 +29,7 @@ - block: - name: Create nrpe user - become: yes + become: true become_user: postgres community.postgresql.postgresql_user: name: nrpe diff --git a/rbenv/tasks/main.yml b/rbenv/tasks/main.yml index 000eb163..ea73a9e6 100644 --- a/rbenv/tasks/main.yml +++ b/rbenv/tasks/main.yml @@ -35,7 +35,7 @@ accept_hostkey: yes force: true become_user: "{{ username }}" - become: yes + become: true tags: - rbenv @@ -48,7 +48,7 @@ create: yes loop: '{{ rbenv_default_gems }}' become_user: "{{ username }}" - become: yes + become: true tags: - rbenv @@ -57,7 +57,7 @@ path: '{{ rbenv_root }}/plugins' state: directory become_user: "{{ username }}" - become: yes + become: true tags: - rbenv @@ -70,7 +70,7 @@ force: true loop: "{{ rbenv_plugins }}" become_user: "{{ username }}" - become: yes + become: true tags: - rbenv @@ -82,7 +82,7 @@ export PATH="{{ rbenv_root }}/bin:$PATH" eval "$(rbenv init -)" become_user: "{{ username }}" - become: yes + become: true tags: - rbenv @@ -94,7 +94,7 @@ check_mode: False register: ruby_installed become_user: "{{ username }}" - become: yes + become: true tags: - rbenv @@ -103,7 +103,7 @@ cmd: /bin/bash -lc "TMPDIR=~/tmp rbenv install {{ rbenv_ruby_version }}" when: ruby_installed.rc != 0 become_user: "{{ username }}" - become: yes + become: true tags: - rbenv @@ -115,7 +115,7 @@ failed_when: False check_mode: False become_user: "{{ username }}" - become: yes + become: true tags: - rbenv @@ -124,6 +124,6 @@ cmd: /bin/bash -lc "rbenv global {{ rbenv_ruby_version }} && rbenv rehash" when: ruby_selected.rc != 0 become_user: "{{ username }}" - become: yes + become: true tags: - rbenv diff --git a/redmine/tasks/release.yml b/redmine/tasks/release.yml index 4f1430a5..5c07e6a0 100644 --- a/redmine/tasks/release.yml +++ b/redmine/tasks/release.yml @@ -62,7 +62,7 @@ args: chdir: "/home/{{ redmine_user }}/www" become_user: "{{ redmine_user }}" - become: yes + become: true tags: - redmine 
@@ -72,7 +72,7 @@ args: chdir: "/home/{{ redmine_user }}/www" become_user: "{{ redmine_user }}" - become: yes + become: true tags: - redmine -- 2.39.2 From e4436d9066b71895ae99629763d0e91d9bbd6fa9 Mon Sep 17 00:00:00 2001 From: Tom David--Broglio Date: Mon, 3 Jul 2023 18:37:15 +0200 Subject: [PATCH 492/497] docker-host: added var for user namespace setting --- CHANGELOG.md | 1 + docker-host/defaults/main.yml | 3 +++ docker-host/templates/daemon.json.j2 | 2 ++ 3 files changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6dbcaecb..fae32929 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * userlogrotate: rotate also php.log. * nagios-nrpe: add a NRPE check-local command with completion. * policy_pam: New role allowing to manage password policy with pam_pwquality & pam_pwhistory +* docker-host: added var for user namespace setting * dovecot: fix old_stats plugin for Dovecot 2.3. * dovecot: add Munin plugins dovecot1 and dovecot_stats (patched) diff --git a/docker-host/defaults/main.yml b/docker-host/defaults/main.yml index 42c9cecc..bc5dc88f 100644 --- a/docker-host/defaults/main.yml +++ b/docker-host/defaults/main.yml @@ -12,6 +12,9 @@ docker_conf_no_newprivileges: False # Toggle live restore (need to be disabled in swarm mode) docker_conf_live_restore: True +# Toggle user namespace +docker_conf_user_namespace: True + # Disable all default network connectivity docker_conf_disable_default_networking: False diff --git a/docker-host/templates/daemon.json.j2 b/docker-host/templates/daemon.json.j2 index a044234b..92d60f8d 100644 --- a/docker-host/templates/daemon.json.j2 +++ b/docker-host/templates/daemon.json.j2 
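Review bot: `docker_conf_user_namespace` in docker-host/defaults/main.yml gets no explanation of what disabling it costs, unlike `docker_conf_live_restore` just above it, which warns about swarm mode. Turning `userns-remap` off means container root maps to host root again, and, as far as I recall, flipping it on a host that already has images and containers makes the daemon use a different subdirectory of `data-root`, so the existing ones vanish from `docker ps` / `docker images` — please confirm before relying on that. I would replace the bare `# Toggle user namespace` with `# Toggle user namespace remapping (container root is no longer host root when enabled).` and `# Changing it on a host with existing containers/images relocates the data-root; migrate them first.`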
@@ -4,8 +4,10 @@ ,"data-root": "{{ docker_home }}" {# Keep containers running while docker daemon downtime #} ,"live-restore": {{ docker_conf_live_restore | to_json }} +{% if docker_conf_user_namespace %} {# Turn on user namespace remaping #} ,"userns-remap": "default" +{% endif %} {% if docker_conf_use_iptables %} {# Use iptables instead of docker-proxy #} ,"userland-proxy": false -- 2.39.2 From 1ecb463104b4e3a9ca4b1138adce755872be67a1 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Tue, 4 Jul 2023 09:44:42 +0200 Subject: [PATCH 493/497] change default minimal_backoff_time (Postfix role) --- CHANGELOG.md | 1 + postfix/templates/evolinux_main.cf.j2 | 2 +- postfix/templates/packmail_main.cf.j2 | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fae32929..e5ab606a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -29,6 +29,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * mysql: improve shell syntax for mysql_skip script * pbbouncer: minor fixes * varnish: Allow the systemd template to be overriden with a template outside of the role +* postfix (packmail or when postfix_slow_transport_include is True): change `minimal_backoff_time` from 2h to 15m (see HowtoPostfix) ### Fixed diff --git a/postfix/templates/evolinux_main.cf.j2 b/postfix/templates/evolinux_main.cf.j2 index 5d298f1d..b9464669 100644 --- a/postfix/templates/evolinux_main.cf.j2 +++ b/postfix/templates/evolinux_main.cf.j2 @@ -24,7 +24,7 @@ smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_una {% if postfix_slow_transport_include == True %} # Slow transports configuration -minimal_backoff_time = 2h +minimal_backoff_time = 15m maximal_backoff_time = 6h maximal_queue_lifetime = 4d queue_run_delay = 100s diff --git a/postfix/templates/packmail_main.cf.j2 b/postfix/templates/packmail_main.cf.j2 index 28c57631..44596d40 100644 --- a/postfix/templates/packmail_main.cf.j2 
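Review bot: `minimal_backoff_time = 15m` is now a hard-coded literal in two templates, here in postfix/templates/evolinux_main.cf.j2 and again in the packmail_main.cf.j2 hunk of the same commit, so the next tuning has to be made twice and the two can silently drift. A role variable with the same default would keep them aligned, e.g. `minimal_backoff_time = {{ postfix_minimal_backoff_time | default('15m') }}` (variable name is a suggestion, define it in the role defaults). The changelog points to "HowtoPostfix" for the rationale but the template keeps none; a one-line comment next to the value, such as `# 15m: retry deferred mail quickly (see HowtoPostfix)`, saves the next reader the lookup.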
+++ b/postfix/templates/packmail_main.cf.j2 @@ -418,7 +418,7 @@ smtp-amavis_destination_concurrency_failed_cohort_limit = 0 {% if postfix_slow_transport_include == True %} # Slow transports configuration -minimal_backoff_time = 2h +minimal_backoff_time = 15m maximal_backoff_time = 6h maximal_queue_lifetime = 4d queue_run_delay = 100s -- 2.39.2 From bb54c9209e9ddf3f111cbe018b21e67dc8013c3a Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Tue, 4 Jul 2023 09:52:47 +0200 Subject: [PATCH 494/497] add options for Amavis integration in Postfix packmail --- CHANGELOG.md | 1 + postfix/templates/packmail_main.cf.j2 | 8 ++++++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e5ab606a..2ce0a0c2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -30,6 +30,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * pbbouncer: minor fixes * varnish: Allow the systemd template to be overriden with a template outside of the role * postfix (packmail or when postfix_slow_transport_include is True): change `minimal_backoff_time` from 2h to 15m (see HowtoPostfix) +* postfix (packmail) : optimize Amavis integration ### Fixed diff --git a/postfix/templates/packmail_main.cf.j2 b/postfix/templates/packmail_main.cf.j2 index 44596d40..0d80cf00 100644 --- a/postfix/templates/packmail_main.cf.j2 +++ b/postfix/templates/packmail_main.cf.j2 
@@ -410,11 +410,15 @@ broken_sasl_auth_clients = yes smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth-client -# Amavis and OpenDKIM +# Amavis content_filter = smtp-amavis:[127.0.0.1]:10024 +smtp-amavis_destination_concurrency_failed_cohort_limit = 0 +smtp-amavis_destination_concurrency_negative_feedback = 0 +smtp-amavis_destination_concurrency_limit = 2 + +# OpenDKIM smtpd_milters = inet:[127.0.0.1]:8891 non_smtpd_milters = inet:[127.0.0.1]:8891 -smtp-amavis_destination_concurrency_failed_cohort_limit = 0 {% if postfix_slow_transport_include == True %} # Slow transports configuration -- 2.39.2 From fb184a0ecf5e4dbb78fd377c983c0fabf5c61dc2 Mon Sep 17 00:00:00 2001 From: Bruno TATU Date: Tue, 4 Jul 2023 15:36:02 +0200 Subject: [PATCH 495/497] Set fail2ban_dbpurgeage_default variable for fail2ban --- CHANGELOG.md | 1 + fail2ban/defaults/main.yml | 2 +- fail2ban/tasks/fix-dbpurgeage.yml | 4 ++-- fail2ban/templates/fail2ban_dbpurge.j2 | 2 +- 4 files changed, 5 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2ce0a0c2..37bdd103 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,6 +19,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * docker-host: added var for user namespace setting * dovecot: fix old_stats plugin for Dovecot 2.3. * dovecot: add Munin plugins dovecot1 and dovecot_stats (patched) +* fail2ban: add default variable fail2ban_dbpurgeage_default ### Changed diff --git a/fail2ban/defaults/main.yml b/fail2ban/defaults/main.yml index bfff9b29..78862cb4 100644 --- a/fail2ban/defaults/main.yml +++ b/fail2ban/defaults/main.yml @@ -47,4 +47,4 @@ fail2ban_roundcube_maxretry: 5 fail2ban_roundcube_bantime: "{{ fail2ban_default_bantime }}" fail2ban_roundcube_findtime: "{{ fail2ban_default_findtime }}" -dbpurgeage_default: "86400 second" +fail2ban_dbpurgeage_default: "86400 second" diff --git a/fail2ban/tasks/fix-dbpurgeage.yml b/fail2ban/tasks/fix-dbpurgeage.yml index 6fa86c91..c24335cd 100644 
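Review bot: `smtp-amavis_destination_concurrency_limit = 2` is coupled to values that are not in this hunk: the process limit of the `smtp-amavis` transport in master.cf and the amavis `$max_servers` setting; if they are tuned independently, mail either queues behind idle amavis workers or is deferred on connection errors, and nothing in the template says so. A comment pinning that coupling would prevent one being changed without the others, e.g. `# Must match the smtp-amavis process limit in master.cf and amavis $max_servers`. Likewise `negative_feedback = 0` together with the moved `failed_cohort_limit = 0` stops Postfix from throttling or marking the local amavis listener dead after a single failure; a short note on the pair would keep a future reader from "fixing" the zeros back to defaults.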
--- a/fail2ban/tasks/fix-dbpurgeage.yml +++ b/fail2ban/tasks/fix-dbpurgeage.yml @@ -14,12 +14,12 @@ - name: ansible.builtin.set_fact: - dbpurgeage_default : "{{ dbpurgeage.stdout }}" + fail2ban_dbpurgeage_default : "{{ dbpurgeage.stdout }}" when: dbpurgeage.stdout | regex_search("^\\d+\w+$") - name: ansible.builtin.set_fact: - dbpurgeage_default : "{{ dbpurgeage.stdout }} second" + fail2ban_dbpurgeage_default : "{{ dbpurgeage.stdout }} second" when: dbpurgeage.stdout | regex_search("^\\d+$") - name: Add crontab diff --git a/fail2ban/templates/fail2ban_dbpurge.j2 b/fail2ban/templates/fail2ban_dbpurge.j2 index 8b6d9612..44c20f4c 100644 --- a/fail2ban/templates/fail2ban_dbpurge.j2 +++ b/fail2ban/templates/fail2ban_dbpurge.j2 @@ -2,7 +2,7 @@ # Juin - Decembre 2022 : #64088 # Purge pour Stretch et Buster -/usr/bin/ionice -c3 /usr/bin/sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "DELETE FROM bans WHERE datetime('now', '-{{ dbpurgeage_default }}') > datetime(timeofban, 'unixepoch');" +/usr/bin/ionice -c3 /usr/bin/sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "DELETE FROM bans WHERE datetime('now', '-{{ fail2ban_dbpurgeage_default }}') > datetime(timeofban, 'unixepoch');" place_dispo=$( df -h /var/lib/fail2ban/fail2ban.sqlite3 --output="avail" -h --block-size=1 |tail -n1 ) place_pris=$( echo $(("$(stat --format %s /var/lib/fail2ban/fail2ban.sqlite3 ) * 2" )) ) -- 2.39.2 From e347b6eca8719234af117783ca68d62e71795d3d Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 4 Jul 2023 17:24:38 +0200 Subject: [PATCH 496/497] minifirewall: upstream release 23.07 --- CHANGELOG.md | 1 + minifirewall/files/minifirewall | 163 +++++++++++++++++++++++++++----- 2 files changed, 142 insertions(+), 22 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 37bdd103..c529c00e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -27,6 +27,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * all: change syntax "become: [yes,no]" → "become: [true,false]" * elasticsearch: improve networking configuration * evolinux-users: remove Stretch references in tasks that also apply to next Debian versions +* minifirewall: upstream release 23.07 * mysql: improve shell syntax for mysql_skip script * pbbouncer: minor fixes * varnish: Allow the systemd template to be overriden with a template outside of the role diff --git a/minifirewall/files/minifirewall b/minifirewall/files/minifirewall index 3922e889..2272a4b0 100755 --- a/minifirewall/files/minifirewall +++ b/minifirewall/files/minifirewall @@ -5,7 +5,7 @@ # It uses netfilter/iptables http://netfilter.org/ designed for recent Linux kernel # See https://gitea.evolix.org/evolix/minifirewall -# Copyright (c) 2007-2022 Evolix +# Copyright (c) 2007-2023 Evolix # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation; either version 3 @@ -29,14 +29,19 @@ # Description: Firewall designed for standalone server ### END INIT INFO -VERSION="23.02" +VERSION="23.07" -NAME="minifirewall" +PROGNAME="minifirewall" # shellcheck disable=SC2034 DESC="Firewall designed for standalone server" set -u +if [ "$(id -u)" -ne "0" ] ; then + echo "${PROGNAME} must be run as root." >&2 + exit 1 +fi + # Variables configuration ######################### @@ -103,6 +108,9 @@ STATE_FILE_CURRENT='/var/run/minifirewall_state_current' STATE_FILE_PREVIOUS='/var/run/minifirewall_state_previous' STATE_FILE_DIFF='/var/run/minifirewall_state_diff' +ACTIVE_CONFIG='/var/run/minifirewall_active_config' +ACTIVE_CONFIG_DIFF="${ACTIVE_CONFIG}.diff" + LOGGER_BIN=$(command -v logger) # No colors by default 
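Review bot: The `id -u` check is placed before any command-line handling, so every invocation by a non-root user now fails with `minifirewall must be run as root.` on stderr and exit 1, including the help/version output this release adds and the `check-active-config` action that the companion check_minifirewall commit calls; the argument dispatch is outside this hunk, so I cannot see whether help is handled earlier. If the intent is to gate only the actions that touch iptables, move the check into the start/stop/reset paths or exempt the read-only actions; otherwise the NRPE command needs a sudo rule, and the caller should capture stderr so the message is not collapsed into an anonymous WARNING. From a monitoring caller's point of view an `exit 3` (UNKNOWN) would also describe a permission problem more accurately than 1.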
@@ -152,12 +160,12 @@ remove_colors() { } syslog_info() { if [ -x "${LOGGER_BIN}" ]; then - ${LOGGER_BIN} -t "${NAME}" -p daemon.info "$1" + ${LOGGER_BIN} -t "${PROGNAME}" -p daemon.info "$1" fi } syslog_error() { if [ -x "${LOGGER_BIN}" ]; then - ${LOGGER_BIN} -t "${NAME}" -p daemon.error "$1" + ${LOGGER_BIN} -t "${PROGNAME}" -p daemon.error "$1" fi } sort_values() { 
@@ -254,14 +262,91 @@ source_configuration() { source_file_or_error "${config_file}" fi } +include_files() { + if [ -d "${includes_dir}" ]; then + find ${includes_dir} -type f -readable -not -name '*.*' | sort -h + else + echo "" + fi +} source_includes() { if [ -d "${includes_dir}" ]; then - include_files=$(find ${includes_dir} -type f -readable -not -name '*.*' | sort -h) - for include_file in ${include_files}; do + for include_file in $(include_files); do source_file_or_error "${include_file}" done fi } +filter_config_file() { + # Remove lines with: + # * empty or only whitespaces + # * comments + grep --extended-regexp --invert-match -e "^(\s*#)" -e "^\s*$" "${1}" +} +save_active_configuration() { + dest_file=${1} + rm -f "${dest_file}" + + echo "# ${config_file}" >> "${dest_file}" + filter_config_file "${config_file}" >> "${dest_file}" + + found_include_files=$(include_files) + if [ -n "${found_include_files}" ]; then + for include_file in ${found_include_files}; do + echo "# ${include_file}" >> "${dest_file}" + filter_config_file "${include_file}" >> "${dest_file}" + done + fi +} +check_active_configuration() { + # NRPE-compatible return codes + # 0: OK + # 1: WARNING + # 2: CRITICAL + # 3: UNKNOWN + rc=0 + + if [ -f "${ACTIVE_CONFIG}" ]; then + cmp_bin=$(command -v cmp) + diff_bin=$(command -v diff) + + if [ -z "${cmp_bin}" ]; then + printf "${YELLOW}WARNING: Skipped active configuration check (Can't find cmp(1) command)${RESET}\n" + rc=1 + elif [ -z "${diff_bin}" ]; then + printf "${YELLOW}WARNING: Skipped active configuration check (Can't find diff(1) command)${RESET}\n" + rc=1 + else + rm -f "${ACTIVE_CONFIG_DIFF}" + + tmp_config_file=$(mktemp --tmpdir=/tmp minifirewall.XXX) + save_active_configuration "${tmp_config_file}" + + cmp_result=$(cmp "${ACTIVE_CONFIG}" "${tmp_config_file}" 2>&1) + cmp_rc=$? 
+ + if [ ${cmp_rc} -eq 0 ]; then + # echo " config has not changed since latest start" + printf "${GREEN}OK: Active configuration is up-to-date.${RESET}\n" + rc=0 + elif [ ${cmp_rc} -eq 1 ]; then + diff -u "${ACTIVE_CONFIG}" "${tmp_config_file}" > "${ACTIVE_CONFIG_DIFF}" + + printf "${RED}CRITICAL: Active configuration is not up-to-date (minifirewall not restarted after config change?), check %s${RESET}\n" "${ACTIVE_CONFIG_DIFF}" + rc=2 + else + printf "${RED}CRITICAL: Error while comparing rules:${RESET}\n" + printf "${cmp_result}\n" + rc=2 + fi + + rm -f "${tmp_config_file}" + fi + else + printf "${YELLOW}WARNING: Skipped active configuration check (missing file ${ACTIVE_CONFIG})${RESET}\n" + rc=1 + fi + exit ${rc} +} check_unpersisted_state() { cmp_bin=$(command -v cmp) diff_bin=$(command -v diff) @@ -279,7 +364,7 @@ check_unpersisted_state() { rm -f "${STATE_FILE_DIFF}" if [ -f "${STATE_FILE_LATEST}" ]; then - cmp_result=$(cmp "${STATE_FILE_LATEST}" "${STATE_FILE_CURRENT}") + cmp_result=$(cmp "${STATE_FILE_LATEST}" "${STATE_FILE_CURRENT}" 2>&1) cmp_rc=$? if [ ${cmp_rc} -eq 0 ]; then @@ -320,7 +405,7 @@ report_state_changes() { # But if there is a previous known state # let's compare with the new known state if [ -f "${STATE_FILE_PREVIOUS}" ]; then - cmp_result=$(cmp "${STATE_FILE_PREVIOUS}" "${STATE_FILE_LATEST}") + cmp_result=$(cmp "${STATE_FILE_PREVIOUS}" "${STATE_FILE_LATEST}" 2>&1) cmp_rc=$? if [ ${cmp_rc} -eq 0 ]; then @@ -339,11 +424,11 @@ report_state_changes() { start() { syslog_info "starting" - printf "${BOLD}${NAME} starting${RESET}\n" + printf "${BOLD}${PROGNAME} starting${RESET}\n" # Stop and warn if error! set -e - trap 'printf "${RED}${NAME} failed : an error occured during startup.${RESET}\n"; syslog_error "failed" ' INT TERM EXIT + trap 'printf "${RED}${PROGNAME} failed : an error occured during startup.${RESET}\n"; syslog_error "failed" ' INT TERM EXIT # sysctl network security settings ################################## 
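Review bot: `save_active_configuration` creates `${dest_file}` with `>>` under the caller's umask, so the comment-stripped copy of the firewall configuration, and later the unified diff written to `${ACTIVE_CONFIG_DIFF}`, land in /var/run with whatever mode the umask yields, typically world-readable, regardless of how restricted `${config_file}` is (its mode is not visible from here). Creating the file with a restricted mode before appending keeps the copy no more exposed than the original: after `rm -f "${dest_file}"` add `( umask 077; : > "${dest_file}" )`, and do the same before the `diff -u ... > "${ACTIVE_CONFIG_DIFF}"` redirection. Separately, `printf "${cmp_result}\n"` uses cmp's output as the format string; `printf "%s\n" "${cmp_result}"` avoids misinterpreting any `%` in it. The commented-out `# echo " config has not changed since latest start"` line looks like a debugging remnant and can be dropped.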
@@ -909,17 +994,20 @@ start() { trap - INT TERM EXIT syslog_info "started" - printf "${GREEN}${BOLD}${NAME} started${RESET}\n" + printf "${GREEN}${BOLD}${PROGNAME} started${RESET}\n" # No need to exit on error anymore set +e + # save active configuration + save_active_configuration "${ACTIVE_CONFIG}" + report_state_changes } stop() { syslog_info "stopping" - printf "${BOLD}${NAME} stopping${RESET}\n" + printf "${BOLD}${PROGNAME} stopping${RESET}\n" printf "${BLUE}flushing all rules and accepting everything${RESET}\n" @@ -1000,10 +1088,10 @@ stop() { ${IPT6} -X NEEDRESTRICT fi - rm -f "${STATE_FILE_LATEST}" "${STATE_FILE_CURRENT}" + rm -f "${STATE_FILE_LATEST}" "${STATE_FILE_CURRENT}" "${ACTIVE_CONFIG}" syslog_info "stopped" - printf "${GREEN}${BOLD}${NAME} stopped${RESET}\n" + printf "${GREEN}${BOLD}${PROGNAME} stopped${RESET}\n" } status() { @@ -1038,7 +1126,7 @@ status_without_numbers() { reset() { syslog_info "resetting" - printf "${BOLD}${NAME} resetting${RESET}\n" + printf "${BOLD}${PROGNAME} resetting${RESET}\n" ${IPT} -Z if is_ipv6_enabled; then @@ -1053,21 +1141,43 @@ reset() { fi syslog_info "reset" - printf "${GREEN}${BOLD}${NAME} reset${RESET}\n" + printf "${GREEN}${BOLD}${PROGNAME} reset${RESET}\n" } show_version() { cat <. +Copyright 2007-2023 Evolix . -${NAME} comes with ABSOLUTELY NO WARRANTY. +${PROGNAME} comes with ABSOLUTELY NO WARRANTY. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License. END } +show_help() { + cat < Date: Tue, 4 Jul 2023 17:25:44 +0200 Subject: [PATCH 497/497] minifirewall: update nrpe script to check active configuration --- CHANGELOG.md | 1 + minifirewall/files/check_minifirewall | 95 +++++++++++++++++++++------ 2 files changed, 77 insertions(+), 19 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c529c00e..0ad148c2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -28,6 +28,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * elasticsearch: improve networking configuration * evolinux-users: remove Stretch references in tasks that also apply to next Debian versions * minifirewall: upstream release 23.07 +* minifirewall: update nrpe script to check active configuration * mysql: improve shell syntax for mysql_skip script * pbbouncer: minor fixes * varnish: Allow the systemd template to be overriden with a template outside of the role diff --git a/minifirewall/files/check_minifirewall b/minifirewall/files/check_minifirewall index bcf70ff8..bfd5bfc7 100644 --- a/minifirewall/files/check_minifirewall +++ b/minifirewall/files/check_minifirewall @@ -1,5 +1,11 @@ #!/bin/sh +set -u + +return=0 +summary="" +details="" + is_alert5_enabled() { # It's not very clear how to reliably detect if a SysVinit script # wrapped in a systemd unit is enabled or not. 
@@ -39,48 +45,99 @@ is_minifirewall_started() { if test -x /usr/share/scripts/minifirewall_status; then /usr/share/scripts/minifirewall_status > /dev/null else - /sbin/iptables -L -n | grep -q -E "^(DROP\s+(udp|17)|ACCEPT\s+(icmp|1)))\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$" + /sbin/iptables -L -n | grep -q -E "^(DROP\s+(udp|17)|ACCEPT\s+(icmp|1))\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$" fi fi } -return_critical() { - echo "CRITICAL: $1" - exit 2 +summary_critical() { + summary="CRITICAL: $1" + [ "${return}" -le 2 ] && return=2 } - -return_warning() { - echo "WARNING: $1" - exit 1 +summary_warning() { + summary="WARNING: $1" + [ "${return}" -le 1 ] && return=1 } - -return_ok() { - echo "OK: $1" - exit 0 +summary_ok() { + summary="OK: $1" + [ "${return}" -le 0 ] && return=0 +} +append_details() { + if [ -z "${details}" ]; then + details="${1}\n" + else + details="${details}$1\n" + fi } main() { if is_alert5_enabled; then - if is_minifirewall_enabled; then + append_details "alert5 is enabled" + + if is_minifirewall_enabled; then + append_details "minifirewall is enabled" + if is_minifirewall_started; then - return_ok "Minifirewall is started." + append_details "minifirewall is started" + + check_result=$(/etc/init.d/minifirewall check-active-config) + check_rc=$? 
+ + if [ ${check_rc} -eq 0 ]; then + append_details "configuration is up-to-date" + summary_ok "minifirewall is started and configuration is up-to-date" + else + if echo "${check_result}" | grep --quiet --regexp 'usage'; then + append_details "minifirewall is too old to check active configuration" + else + case "${check_rc}" in + 1) + summary_warning "minifirewall is started, but unknown configuration state" + ;; + 2) + summary_critical "minifirewall is started, but configuration is outdated" + append_details "configuration is outdated" + ;; + *) + summary_unchk "minifirewall is started, but unknown configuration state" + ;; + esac + append_details "=> run '/etc/init.d/minifirewall check-active-config' for details" + fi + fi else - return_critical "Minifirewall is not started." + summary_critical "minifirewall is stopped, but enabled in alert5 or systemd" fi else + append_details "minifirewall is disabled" + if is_minifirewall_started; then - return_warning "Minifirewall is started, but disabled in alert5 or systemd." + append_details "minifirewall is started" + summary_warning "minifirewall is started, but disabled in alert5 or systemd" else - return_ok "Minifirewall is not started, but disabled in alert5 or systemd." + append_details "minifirewall is stopped" + summary_ok "minifirewall is stopped, but disabled in alert5 or systemd" fi fi else + append_details "alert5 is disabled" + if is_minifirewall_started; then - return_warning "Minifirewall is started, but Alert5 script is not enabled." + append_details "minifirewall is started" + summary_warning "minifirewall is started, but alert5 is disabled" else - return_ok "Minifirewall is not started and Alert5 script is not enabled." 
+ append_details "minifirewall is stopped" + summary_ok "minifirewall is stopped and alert5 is disabled" fi fi + + [ "${return}" -ge 0 ] && header="OK" + [ "${return}" -ge 1 ] && header="WARNING" + [ "${return}" -ge 2 ] && header="CRITICAL" + + printf "%s\n\n%s\n" "${summary}" "${details}" + + exit "${return}" } main -- 2.39.2
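Review bot: `summary_unchk`, called in the `*)` case of the `check_rc` dispatch, is never defined, so that branch fails with "command not found", leaves `summary` empty and `return` at 0, and the plugin prints an empty OK line for an unknown state; the "minifirewall is too old" branch ends the same way because it appends a detail but never calls a `summary_*` function. `details` is assembled with literal `\n` sequences but printed through `%s`, so the whole details block comes out on one line with backslash-n in it, and the three `header=` assignments before the printf are never read. Since the matching minifirewall release refuses to run as non-root with a message on stderr, `check_result=$(/etc/init.d/minifirewall check-active-config 2>&1)` would at least surface that message in the details instead of a bare WARNING. The rewrite below adds a `summary_unknown` helper mapped to NRPE exit 3, uses it in the `*)` case, gives the too-old branch an explicit OK summary (make it `summary_warning` if stale versions should be flagged), drops the dead `header` lines and prints details with `%b`.
```shell
summary_unknown() {
    summary="UNKNOWN: $1"
    # CRITICAL keeps precedence over UNKNOWN
    [ "${return}" -lt 2 ] && return=3
}
# … unchanged: append_details(), main() up to the check-active-config call …
            check_result=$(/etc/init.d/minifirewall check-active-config 2>&1)
            check_rc=$?
# … unchanged: check_rc -eq 0 branch …
                if echo "${check_result}" | grep --quiet --regexp 'usage'; then
                    append_details "minifirewall is too old to check active configuration"
                    summary_ok "minifirewall is started (active configuration check unavailable)"
                else
                    case "${check_rc}" in
# … unchanged: cases 1 and 2 …
                        *)
                            summary_unknown "minifirewall is started, but unknown configuration state"
                            ;;
                    esac
# … unchanged: remaining branches of main() …
    printf "%s\n\n%b" "${summary}" "${details}"

    exit "${return}"
```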