rename backup-server-state to dump-server-state #150

Closed
gcolpart wants to merge 518 commits from unstable into rename-backup-server-state
646 changed files with 21634 additions and 6900 deletions

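--- a/.Jenkinsfile
+++ b/.Jenkinsfile
@@ -0,0 +1,64 @@
+pipeline {
+agent { label 'docker' }
+environment {
+ROLES_VERSION = "${env.GIT_COMMIT}"
+}
+stages {
+stage('Anible Lint') {
+agent {
+docker {
+image 'evolix/ansible-lint:latest'
+}
+}
+steps {
+script {
+sh 'for role_dir in ./*/; do HOME=$WORKSPACE_TMP ansible-lint -p $role_dir || : ; done'
+recordIssues(tools: [ansibleLint()])
+}
+}
+}
+stage('Build tagged docker image') {
+when {
+buildingTag()
+}
+steps {
+script {
+def im = docker.build("evolix/ansible-roles:build${env.BUILD_ID}")
+im.inside {
+sh 'echo Test needed'
+}
+def version = TAG_NAME
+def versions = version.split('\\.')
+def major = versions[0]
+def minor = versions[0] + '.' + versions[1]
+def patch = version.trim()
+docker.withRegistry('', 'hub.docker') {
+im.push(major)
+im.push(minor)
+im.push(patch)
+}
+}
+}
+}
+stage('Build latest docker image') {
+when {
+branch 'unstable'
+}
+steps {
+script {
+def im = docker.build("evolix/ansible-roles:build${env.BUILD_ID}")
+im.inside {
+sh 'echo Test needed'
+}
+docker.withRegistry('', 'hub.docker') {
+im.push('latest')
+}
+}
+}
+}
+}
+}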
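Review bot: `def versions = version.split('\\.')` is indexed at `versions[1]` without checking that the tag has at least two dot-separated parts, so a tag such as `v1` aborts the stage with an index error after the image has already been built, and every tag is also pushed under the bare major (e.g. `23`), which per the changelog's year.month scheme floats across a whole year of releases. The lint stage cannot fail the build: `ansible-lint -p $role_dir || :` discards the exit status, so only `recordIssues(tools: [ansibleLint()])` reports findings, and without a `qualityGates` argument there it does not even mark the build unstable. The lint runs in `evolix/ansible-lint:latest`, an unpinned floating tag, inside a job that also holds the `hub.docker` push credential; pinning that image by digest narrows what a compromised upstream tag could do with that credential. Both `im.inside { sh 'echo Test needed' }` blocks are placeholders, so images are pushed with no test at all; I would at least guard the push with a shape check on the tag, `if (versions.size() < 2) { error("tag ${version} is not MAJOR.MINOR[.PATCH]") }`.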


@ -1,36 +0,0 @@
kind: pipeline
name: default
steps:
- name: build tagged docker image
image: plugins/docker
settings:
username:
from_secret: docker_username
password:
from_secret: docker_password
dockerfile: Dockerfile
repo: evolix/ansible-roles
auto_tag: true
environment:
ROLES_VERSION: $DRONE_COMMIT_SHA
when:
event:
- tag
- name: build latest docker image
image: plugins/docker
settings:
username:
from_secret: docker_username
password:
from_secret: docker_password
dockerfile: Dockerfile
repo: evolix/ansible-roles
tags: latest
environment:
ROLES_VERSION: $DRONE_COMMIT_SHA
when:
branch:
- unstable

.gitignore vendored

@ -2,3 +2,4 @@
.kateproject.d
.vagrant/
*.swp
.vscode

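--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -0,0 +1,8 @@
+{
+"files.associations": {
+"*.yml": "ansible",
+"*.yaml": "ansible"
+},
+"yaml.format.enable": false,
+"ansible.python.interpreterPath": "/bin/python"
+}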


@ -8,28 +8,376 @@ The **major** part of the version is the year
The **minor** part changes is the month
The **patch** part changes is incremented if multiple releases happen the same month
## [Unreleased]
### Added
* userlogrotate: rotate also php.log.
* nagios-nrpe: add a NRPE check-local command with completion.
* policy_pam: New role allowing to manage password policy with pam_pwquality & pam_pwhistory
* docker-host: added var for user namespace setting
* dovecot: fix old_stats plugin for Dovecot 2.3.
* dovecot: add Munin plugins dovecot1 and dovecot_stats (patched)
* fail2ban: add default variable fail2ban_dbpurgeage_default
### Changed
* evocheck: upstream release 22.03.1
* evolinux-base: backup-server-state release 22.03.3
* evolinux-base: Add non-free repos & install non-free firmware on dedicated hardware
* generate-ldif: Add services check for bkctld
* minifirewall: upstream release 22.03.3 and use includes directory
* openvpn: use a subnet topology instead of the net30 default topology
* all: change syntax "force: [yes,no]" → "force: [true,false]"
* all: change syntax "become: [yes,no]" → "become: [true,false]"
* elasticsearch: improve networking configuration
* evolinux-users: remove Stretch references in tasks that also apply to next Debian versions
* minifirewall: upstream release 23.07
* minifirewall: update nrpe script to check active configuration
* mysql: improve shell syntax for mysql_skip script
* pbbouncer: minor fixes
* varnish: Allow the systemd template to be overriden with a template outside of the role
* postfix (packmail or when postfix_slow_transport_include is True): change `minimal_backoff_time` from 2h to 15m (see HowtoPostfix)
* postfix (packmail) : optimize Amavis integration
### Fixed
* Repair keepalived role
* generate-ldif: Correct generated entries for php-fpm in containers
* elasticsearch: comment the Xlog:gc line instead of changing it completely
* nagios-nrpe: remount /usr **after** installing the packages
* packweb-apache,nagios-nrpe: add missing task and config for PHP 8.2 container
* potsfix: add missing `localhost.$mydomain` to mydestination
### Removed
* dovecot: remove Munin plugin dovecot (not working)
### Security
## [23.04] 2023-04-23
### Added
* graylog: new role
* lxc-php: add support for PHP 8.2 container
### Changed
* Use FQCN (Fully Qualified Collection Name)
* apt: with Debian 12, backports are installed but disabled by default
* openvpn: updated the README file
* pgbouncer: add handler to restart the service
### Fixed
* generate-ldif: Support for Debian 12
## [23.03.1] 2023-03-16
### Added
* pgbouncer: new role
### Changed
* apt: deb822 migration python script is looked relative to shell script
* listupgrade: remove old typo version of the cron task
* minifirewall: support protocols in numeric form
## [23.03] 2023-03-16
### Added
* apache: add task to enable mailgraph on default vhost and index.html
* apt: add move-apt-keyrings script/tasks
* apt: add tools to migrate sources to deb822 format
* fail2ban: add "Internal login failure" to Dovecot filter
* lxc: copy `/etc/profile.d/evolinux.sh` from host into container
* nagios-nrpe: add tasks/files for a wrapper
* nagios-nrpe: Print pool config path in check_phpfpm_multi output
* php: add `php_version` variable when sury is activated for each Debian version
* php: add a way to choose which version to install using sury repository
* postfix: Add task to enable mailgraph on packmail
* postgresql: configure max_connections
* userlogrotate: create dedicated role, separated from packweb-apache
* varnish: add `varnish_update_config` variable to disable configuration update
### Changed
* Use systemd module instead of command
* Removed all `warn: False` args in command, shell and other modules as it's been deprecated and will give a hard fail in ansible-core 2.14.0.
* apt: Use pub.evolix.org instead of pub.evolix.net
* bind: refactor role
* elasticsearch: Disable garabge collector logging (JDK >= 9)
* evolinux-users: Update sudoers template to remove commands allowed without password
* listupgrade: upstream release 23.03.3
* kvmstats: use virsh domstats | awk to get guests informations
* nagios-nrpe : Rewrite `check_vrrpd` for a better check (check `rp_filter`, `vrrpd` and `uvrrpd` compatible, use arguments, …)
* openvpn: Change `check_openvpn` destination file to comply with recent EvoBSD change
* postfix: come back to default value of `notify_classes` for pack mails.
* userlogrotate: set rotate date format in right order (YYYY-MM-DD)!
* webapps/nextcloud : Change default data directory to be outside web root
* webapps/nextcloud : Small enhancement on the vhost template to lock out data dir
* yarn: update apt key
### Fixed
* Proper jinja spacing
* clamav: set `MaxConnectionQueueLength` to its default value (200), custom (15) was way too small and caused recurring failures in Postfix.
* docker-host: fix type in `daemon.json` and remove host configuration that is already in the systemd service by default
* evolinux-base: ensure dbus is started and enabled (not by default in the case of an offline netinst)
* haproxy: fix missing admin ACL in stats module access permissions
* openvpn: fix the client cipher configuration to match the server cipher configuration
* php: fix error introduced in #33503e4538 (`False` evaluated as a String instead of Boolean)
* php: install using Sury repositories on Bullseye
* postfix (packmail only): disable `concurrency_failed_cohort_limit` for destination smtp-amavis to prevent the suspension of this destination when Amavis fails to answer. Indeed, we configure the suspension delay quite long in `minimal_backoff_time` (2h) and `maximal_backoff_time` (6h) to reduce the risk of ban from external SMTPs.
* postfix: avoid Amavis transport to be considered dead when restarted.
* postfix: remove unused `aliases_scope=sub` from virtual_aliases.cf (it generated warnings)
* userlogrotate: fix bug introduced in commit 2e54944a246 (rotated files were not zipped)
* userlogrotate: skip zipping if .gz log already exists (prevents interactive question)
### Removed
* evolinux-base: subversion is not installed anymore
## [22.12] 2022-12-14
### Added
* all: add signed-by option for additional APT sources
* all: preliminary work to support Debian 12
* all: use proper keyrings directory for APT version
* evolinux-base: replace regular kernel by cloud kernel on virtual servers
* lxc-php: set php-fpm umask to `007`
* nagios-nrpe: `check_ceph_*`
* nagios-nrpe: `check_haproxy_stats` supports DRAIN status
* packweb-apache: enable `log_forensic` module
* rabbitmq: add link in default page
* varnish: create special tmp directory for syntax validation
* postfix: add localhost.$mydomain to mydestination
### Changed
* certbot: auto-detect HAPEE version in renewal hook
* evocheck: install script according to Debian version
* evolinux-base: `utils.yml` can be excluded
* evolinux-todo: execute tasks only for Debian distribution (because this task is a dependency for others roles used on different distributions)
* evolinux-user: add sudoers privilege for check `php_fpm81`
* evomaintenance: allow missing API endpoint if APi is disabled
* java: use default JRE package when version is not specified
* keepalived: change exit code (_warning_ if running but not on expected state ; _critical_ if not running)
* listupgrade: better detection for PostgreSQL
* listupgrade: sort/uniq of packages/services lists in email template
* lxc-solr: detect the real partition options
* lxc-solr: download URL according to Solr Version
* lxc-solr: set homedir and port at install
* minifirewall: whitelist deb.freexian.com
* openvpn: shellpki upstream release 22.12.2
* openvpn: specifies that the mail for expirations is for OpenVPN
* packweb-apache: manual dependencies resolution
* redis: some values should be quoted
* redis: variable to disable transparent hugepage (default: do nothing)
* squid: whitelist `deb.freexian.com`
* varnish: better package facts usage with check mode and tags
* varnish: systemd override depends on Varnish version instead of Debian version
### Fixed
* evolinux-user: Fix sudoers privilege for check `php_fpm80`
* nagios-nrpe: Fix check opendkim for recent change in listening port
* openvpn: Fix mode of shellpki script
* proftpd: Fix format of public key files controlled by Ansible
* proftpd: Fix mode of public key directory and files (they have to be accessible by `proftpd:nobody`)
* varnish: fix missing state, that blocked the task
### Removed
* openvpn: Deleted the task fixing the CRL rights since it has been fixed in upstream
## [22.09] 2022-09-19
### Added
* evolinux_users: create only users who have a certain value for the `create` key (default: `always`).
* php: install php-xml with recent PHP versions
* vrrp: add an `ip.yml` task file to help create VRRP addresses
* webapps/nextcloud: Add compatibility with apache2, and apache2 mod_php.
* memcached: NRPE check for multi-instance setup
* munin: Add ipmi_ plugins on dedicated hardware
* proftpd: Add options to override configs (and add a warning if file was overriden)
* proftpd: Allow user auth with ssh keys
### Changed
* evocheck: upstream release 22.09
* evolinux-base: update-evobackup-canary upstream release 22.06
* generate-ldif: Support any MariaDB version
* minifirewall: use handlers to restart minifirewall
* openvpn: automate the initialization of the CA and the creation of the server certificate ; use openssl_dhparam module instead of a command
* generate-ldif: support any version of MariaDB (instead of only 10.0, 10.1 and 10.3)
* openvpn: Run OpenVPN with the \_openvpn user and group instead of nobody which is originally for NFS
* nagios-nrpe: Upgrade check_mongo
### Fixed
* fail2ban: fix dovecot-evolix regex syntax
* haproxy: make it so that munin doesn't break if there is a non default `haproxy_stats_path`
* mysql: Add missing Munin conf for Debian 11
* redis: config directory must be owned by the user that runs the service (to be able to write tmp config files in it)
* varnish: make `-j <jail_config>` the first argument on jessie/stretch as it has to be the first argument there.
* webapps/nextcloud: Add missing dependencies for imagick
### Removed
* evocheck: remove failure if deprecated variable is used
* webapps/nextcloud: Drop support for Nginx
## [22.07.1] 2022-07-28
### Changed
* evocheck: upstream release 22.07
* evomaintenance: upstream release 22.07
* mongodb: replace version_compare() with version()
* nagios-nrpe: check_disk1 returns only alerts
* nagios-nrpe: use regexp to exclude paths/devices in check_disk1
## [22.07] 2022-07-08
### Added
* fail2ban: Ensure apply dbpurgeage from stretch and buster
## [22.07] 2022-07-06
### Added
* evolinux-base: session timeout is configurable (default: 36000 seconds = 10 hours)
* haproxy: add haproxy_allow_ip_nonlocal_bind to set sysctl value (optional)
* kvm-host: fix depreciation of "drbd-overview" by "drbdadm status" in add-vm.sh
* openvpn: configure logrotate
### Changed
* openvpn: minimal rights on /etc/shellpki/ and crl.pem
### Fixed
* evolinux-base: Update PermitRootLogin task to work on Debian 11
* evolinux-user: Update PermitRootLogin task to work on Debian 11
* minifirewall: docker mode is configurable
## [22.06.3] 2022-06-17
### Changed
* evolinux-base: blacklist and do not install megaclisas-status package on incompatible servers
## [22.06.2] 2022-06-10
### Added
* postgresql: add variable to configure binding addresses (default: 127.0.0.1)
### Changed
* evocheck: upstream release 22.06.2
* fail2ban: Give the possibility to override jail.local (with fail2ban_override_jaillocal)
* fail2ban: If jail.local was overriden, add a warning
* fail2ban: Allow to tune some jail settings (maxretry, bantime, findtime) with ansible
* fail2ban: Allow to tune the default action with ansible
* fail2ban: Change default action to ban only (instead of ban + mail with whois report)
* fail2ban: Configure recidive jail (off by default) + extend dbpurgeage
* redis: binding is possible on multiple interfaces (breaking change)
### Fixed
* Enforce String notation for mode
* postgresql: fix nested loop for Munin plugins
* postgresql: Fix task order when using pgdg repo
* postgresql: Install the right pg version
## [22.06.1] 2022-06-06
### Changed
* evocheck: upstream release 22.06.1
* minifirewall: upstream release 22.06
* mysql: evomariabackup release 22.06.1
* mysql: reorganize evomariabackup to use mtree instead of our own dir-check
## [22.06] 2022-06-03
### Added
* certbot: add hapee (HAProxy Enterprise Edition) deploy hook
* evolinux-base: add dir-check script
* evolinux-base: add update-evobackup-canary script
* mysql: add post-backup-hook to evomariabackup
* mysql: use dir-check inside evomariabackup
### Changed
* docker: Allow "live-restore" to be toggled with docker_conf_live_restore
* evocheck: upstream release 22.06
* evolinux-base: Replacement of variable `evolinux_packages_hardware` by `ansible_virtualization_role == "host"` automatize host type detection and avoids installing smartd & other on VM.
* minifirewall: tail template follows symlinks
* mysql: add "set crypt_use_gpgme=no" Mutt option, for mysqltuner
### Fixed
* Role `postfix`: Add missing `localhost.localdomain localhost` to `mydestination` variable which caused undelivered of some local mails.
## [22.05.1] 2022-05-12
### Added
* docker : Introduce new default settings + allow to change the docker data directory
* docker : Introduce new variables to tweak daemon settings
### Changed
* evocheck: upstream release 22.05
### Removed
* docker : Removed Debian Jessie support
## [22.05] 2022-05-10
### Added
* etc-git: use "ansible-commit" to efficiently commit all available repositories (including /etc inside LXC) from Ansible
* minifirewall: compatibility with "legacy" version of minifirewall
* minifirewall: configure proxy/backup/sysctl values
* munin: Add possibility to install local plugins, and install dhcp_pool plugin
* nagios-nrpe: Add a check dhcp_pool
* redis: Activate overcommit sysctl
* redis: Add log2mail user to redis group
### Changed
* dump-server-state: upstream release 22.04.3
* evocheck: upstream release 22.04.1
* evolinux-base: Add non-free repos & install non-free firmware on dedicated hardware
* evolinux-base: rename backup-server-state to dump-server-state
* generate-ldif: Add services check for bkctld
* minifirewall: restore "force-restart" and fix "restart-if-needed"
* minifirewall: tail template follows symlinks
* minifirewall: upstream release 22.05
* opendkim : add generate opendkim-genkey in sha256 and key 4096
* openvpn: use a local copy of files instead of cloning an external git repository
* openvpn: use a subnet topology instead of the net30 default topology
* tomcat: Tomcat 9 by default with Debian 11
* vrrpd: Store sysctl values in specific file
### Fixed
* etc-git : Remount /usr in rw for git gc in in /usr/share/scripts/
* etc-git: Make evocommit fully compatible with OpenBSD
* generate-ldif: Correct generated entries for php-fpm in containers
* keepalived: repair broken role
* minifirewall: fix `failed_when` condition on restart
* postfix: Do not send mails through milters a second time after amavis (in packmail)
* redis: Remount /usr with RW before adding nagios plugin
## [22.03] 2022-03-02
### Added
@ -52,8 +400,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
* lxc: Fail if /var is nosuid
* openvpn: make it compatible with OpenBSD and add some improvements
## [22.01.3] 2022-01-31
### Changed
@ -267,6 +613,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
### Added
* bookworm-detect: transitional role to help dealing with unreleased bookworm version
* dovecot: Update munin plugin & configure it
* dovecot: vmail uid/gid are configurable
* evoacme: variable to disable Debian version check (default: False)


@ -0,0 +1,2 @@
#!/bin/bash
find /var/lib/amavis/virusmails/ -type f -mtime +30 -delete
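Review bot: The quarantine path and the 30-day retention are hard-coded in a file that the tasks in this PR copy verbatim, so a host that needs to keep quarantined samples longer (for instance while an incident is being analysed) has to fork the script; the same role already deploys its configuration through `ansible.builtin.template`, so a template driven by a default such as `amavis_virusmails_retention_days: 30` would follow the existing pattern. `-mtime +30` matches files last modified more than 30 full 24-hour periods ago, which is easy to misread as "30 days", so a comment would help: `# purge quarantined mails untouched for more than 30 full days (-mtime +30 is strictly greater than 30)`. A single `find` needs no `set -e`/`set -u`, but `-xdev` would keep the purge from descending into anything that happens to be mounted under the quarantine directory.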


@ -1,5 +1,5 @@
---
- name: restart amavis
service:
ansible.builtin.service:
name: amavis
state: restarted


@ -1,6 +1,6 @@
---
- name: install Amavis
apt:
ansible.builtin.apt:
name:
- postgrey
- amavisd-new
@ -9,10 +9,19 @@
- amavis
- name: configure Amavis
template:
ansible.builtin.template:
src: amavis.conf.j2
dest: /etc/amavis/conf.d/49-evolinux-defaults
mode: "0644"
notify: restart amavis
tags:
- amavis
- name: Install purge custom cron
ansible.builtin.copy:
src: amavis_purge_virusmails
dest: /etc/cron.daily/amavis_purge_virusmails
mode: "0755"
tags:
- amavis
- amavis_purge_cron
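Review bot: The new "Install purge custom cron" task sets `mode: "0755"` but no `owner`/`group`, so the ownership of a script that cron executes as root is whatever the connecting account and `become` setup happen to produce; I would add `owner: root` and `group: root` next to `mode: "0755"` so the state is enforced on every run rather than inherited. `/etc/cron.daily` entries are executed by `run-parts`, which silently skips names containing characters outside letters, digits, `_` and `-`; `amavis_purge_virusmails` passes, but a one-line comment on the task stating that constraint would keep a future rename from disabling the purge without any error.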


@ -9,16 +9,16 @@
aws_region: ca-central-1
tasks:
- include_role:
- ansible.builtin.include_role:
name: evolix/amazon-ec2
tasks_from: setup.yml
- include_role:
- ansible.builtin.include_role:
name: evolix/amazon-ec2
tasks_from: create-instance.yml
- name: Install Evolinux
hosts: launched-instances
become: yes
become: true
vars_files:
- 'vars/secrets.yml'
@ -51,7 +51,7 @@
- mysql
post_tasks:
- include_role:
- ansible.builtin.include_role:
name: evolix/etc-git
tasks_from: commit.yml
vars:


@ -1,36 +1,36 @@
---
- name: Launch new instance(s)
ec2:
amazon.aws.ec2:
state: present
aws_access_key: "{{aws_access_key}}"
aws_secret_key: "{{aws_secret_key}}"
region: "{{aws_region}}"
image: "{{ec2_base_ami}}"
instance_type: "{{ec2_instance_type}}"
count: "{{ec2_instance_count}}"
assign_public_ip: "{{ec2_public_ip}}"
group: "{{ec2_security_group.name}}"
key_name: "{{ec2_keyname}}"
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
region: "{{ aws_region }}"
image: "{{ ec2_base_ami }}"
instance_type: "{{ ec2_instance_type }}"
count: "{{ ec2_instance_count }}"
assign_public_ip: "{{ ec2_public_ip }}"
group: "{{ ec2_security_group.name }}"
key_name: "{{ ec2_keyname }}"
wait: yes
register: ec2
- name: Add newly created instance(s) to inventory
add_host:
hostname: "{{item.public_dns_name}}"
ansible.builtin.add_host:
hostname: "{{ item.public_dns_name }}"
groupname: launched-instances
ansible_user: admin
ansible_ssh_common_args: "-o StrictHostKeyChecking=no"
loop: "{{ec2.instances}}"
loop: "{{ ec2.instances }}"
- debug:
msg: "Your newly created instance is reachable at: {{item.public_dns_name}}"
loop: "{{ec2.instances}}"
- ansible.builtin.debug:
msg: "Your newly created instance is reachable at: {{ item.public_dns_name }}"
loop: "{{ ec2.instances }}"
- name: Wait for SSH to come up on all instances (give up after 2m)
wait_for:
ansible.builtin.wait_for:
state: started
host: "{{item.public_dns_name}}"
host: "{{ item.public_dns_name }}"
port: 22
timeout: 120
loop: "{{ec2.instances}}"
loop: "{{ ec2.instances }}"
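Review bot: `ansible_ssh_common_args: "-o StrictHostKeyChecking=no"` on the `add_host` task disables host-key verification for instances that the following play then configures as root via `become`, so an attacker positioned between the controller and the fresh instance on first connect is accepted silently; a new EC2 instance typically prints its SSH host-key fingerprints in its console output, so they can be fetched (e.g. with `aws ec2 get-console-output`) and seeded into `known_hosts` before the `wait_for` task, or at minimum `-o StrictHostKeyChecking=accept-new` should be used so that later connections pin what was first seen. `wait: yes` is still in the YAML-1.1 boolean form that the rest of this PR normalises to `true`. The `amazon.aws.ec2` module is, as far as I recall, deprecated in favour of `amazon.aws.ec2_instance` and removed from recent releases of the collection, so the FQCN change alone may not keep this task working — worth confirming against the installed collection version. `aws_access_key`/`aws_secret_key` are still passed as explicit module arguments; relying on the environment or an AWS profile keeps them out of task args shown at higher verbosity.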


@ -1,5 +1,5 @@
---
- name: Remove admin user
user:
ansible.builtin.user:
name: admin
state: absent


@ -1,7 +1,7 @@
---
- name: Create default security group
ec2_group:
amazon.aws.ec2_group:
name: "{{ ec2_security_group.name }}"
state: present
aws_access_key: "{{ aws_access_key }}"
@ -12,7 +12,7 @@
rules_egress: "{{ ec2_security_group.rules_egress }}"
- name: Create key pair
ec2_key:
amazon.aws.ec2_key:
name: "{{ ec2_keyname }}"
state: present
aws_access_key: "{{ aws_access_key }}"


@ -1,15 +1,15 @@
---
- name: restart apache
service:
ansible.builtin.service:
name: apache2
state: restarted
- name: reload apache
service:
ansible.builtin.service:
name: apache2
state: reloaded
- name: restart munin-node
service:
ansible.builtin.service:
name: munin-node
state: restarted


@ -1,21 +1,21 @@
---
- name: Init ipaddr_whitelist.conf file
copy:
ansible.builtin.copy:
src: ipaddr_whitelist.conf
dest: /etc/apache2/ipaddr_whitelist.conf
owner: root
group: root
mode: "0640"
force: no
force: false
tags:
- apache
- name: Load IP whitelist task
include: ip_whitelist.yml
ansible.builtin.import_tasks: ip_whitelist.yml
- name: include private IP whitelist for server-status
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/apache2/mods-available/status.conf
line: " include /etc/apache2/ipaddr_whitelist.conf"
insertafter: 'SetHandler server-status'
@ -24,19 +24,19 @@
- apache
- name: Copy private_htpasswd
copy:
ansible.builtin.copy:
src: private_htpasswd
dest: /etc/apache2/private_htpasswd
owner: root
group: root
mode: "0640"
force: no
force: false
notify: reload apache
tags:
- apache
- name: add user:pwd to private htpasswd
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/apache2/private_htpasswd
line: "{{ item }}"
state: present
@ -46,7 +46,7 @@
- apache
- name: remove user:pwd from private htpasswd
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/apache2/private_htpasswd
line: "{{ item }}"
state: absent
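Review bot: The "add user:pwd to private htpasswd" task uses `ansible.builtin.lineinfile` with `state: present` and no `regexp`, so when a user's hash changes the new `user:hash` line is appended while the old one stays in `/etc/apache2/private_htpasswd`, and since Apache's file authenticator takes the first matching entry (as far as I recall) the previous password keeps working; the loop this task iterates is outside the hunk, but assuming each `item` is a `user:hash` string, `regexp: "^{{ item.split(':')[0] }}:"` on that task makes the update replace the existing entry instead. The "remove user:pwd from private htpasswd" task has the same shape and likewise only removes a line that matches the supplied hash exactly, so it needs the same `regexp` to actually revoke a user. The file is created `root:root` with `mode: "0640"`; if Apache's worker processes read it at request time rather than root at startup, that is unreadable for `www-data` — worth confirming against the vhost that references it.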


@ -1,7 +1,7 @@
---
- name: add IP addresses to private IP whitelist
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/apache2/ipaddr_whitelist.conf
line: "Require ip {{ item }}"
state: present
@ -12,7 +12,7 @@
- ips
- name: remove IP addresses from private IP whitelist
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/apache2/ipaddr_whitelist.conf
line: "Require ip {{ item }}"
state: absent


@ -1,19 +1,19 @@
---
- name: log2mail is installed
apt:
ansible.builtin.apt:
name: log2mail
state: present
tags:
- apache
- name: Add log2mail config for Apache segfaults
template:
ansible.builtin.template:
src: log2mail-apache.j2
dest: "/etc/log2mail/config/apache"
owner: log2mail
group: adm
mode: "0644"
force: no
force: false
tags:
- apache


@ -1,7 +1,7 @@
---
- name: packages are installed (Debian 9 or later)
apt:
ansible.builtin.apt:
name:
- apache2
- libapache2-mod-evasive
@ -14,7 +14,7 @@
when: ansible_distribution_major_version is version('9', '>=')
- name: itk package is installed if required (Debian 9 or later)
apt:
ansible.builtin.apt:
name:
- libapache2-mpm-itk
state: present
@ -26,7 +26,7 @@
- apache_mpm == "itk"
- name: packages are installed (jessie)
apt:
ansible.builtin.apt:
name:
- apache2-mpm-itk
- libapache2-mod-evasive
@ -39,7 +39,7 @@
when: ansible_distribution_release == "jessie"
- name: basic modules are enabled
apache2_module:
community.general.apache2_module:
name: '{{ item }}'
state: present
loop:
@ -55,7 +55,7 @@
- apache
- name: basic modules are enabled
apache2_module:
community.general.apache2_module:
name: '{{ item }}'
state: present
loop:
@ -67,31 +67,31 @@
- name: Copy Apache defaults config file
copy:
ansible.builtin.copy:
src: evolinux-defaults.conf
dest: "/etc/apache2/conf-available/z-evolinux-defaults.conf"
owner: root
group: root
mode: "0640"
force: yes
force: true
notify: reload apache
tags:
- apache
- name: Copy Apache custom config file
copy:
ansible.builtin.copy:
src: evolinux-custom.conf
dest: "/etc/apache2/conf-available/zzz-evolinux-custom.conf"
owner: root
group: root
mode: "0640"
force: no
force: false
notify: reload apache
tags:
- apache
- name: disable status.conf
file:
ansible.builtin.file:
dest: /etc/apache2/mods-enabled/status.conf
state: absent
notify: reload apache
@ -99,7 +99,8 @@
- apache
- name: Ensure Apache config files are enabled
command: "a2enconf {{ item }}"
ansible.builtin.command:
cmd: "a2enconf {{ item }}"
register: command_result
changed_when: "'Enabling' in command_result.stderr"
loop:
@ -109,37 +110,38 @@
tags:
- apache
- include: auth.yml
- ansible.builtin.include: auth.yml
tags:
- apache
- name: default vhost is installed
template:
ansible.builtin.template:
src: evolinux-default.conf.j2
dest: /etc/apache2/sites-available/000-evolinux-default.conf
mode: "0640"
force: no
force: false
notify: reload apache
tags:
- apache
- name: default vhost is enabled
file:
ansible.builtin.file:
src: /etc/apache2/sites-available/000-evolinux-default.conf
dest: /etc/apache2/sites-enabled/000-default.conf
state: link
force: yes
force: true
notify: reload apache
when: apache_evolinux_default_enabled | bool
tags:
- apache
- include: server_status.yml
- ansible.builtin.include: server_status.yml
tags:
- apache
- name: is umask already present?
command: "grep -E '^umask ' /etc/apache2/envvars"
ansible.builtin.command:
cmd: "grep -E '^umask ' /etc/apache2/envvars"
failed_when: False
changed_when: False
register: envvar_grep_umask
@ -148,7 +150,7 @@
- apache
- name: Add a mark in envvars for umask
blockinfile:
ansible.builtin.blockinfile:
dest: /etc/apache2/envvars
marker: "## {mark} ANSIBLE MANAGED BLOCK"
block: |
@ -159,13 +161,13 @@
tags:
- apache
- include_role:
- ansible.builtin.include_role:
name: evolix/remount-usr
tags:
- apache
- name: /usr/share/scripts exists
file:
ansible.builtin.file:
dest: /usr/share/scripts
mode: "0700"
owner: root
@ -175,16 +177,16 @@
- apache
- name: "Install save_apache_status.sh"
copy:
ansible.builtin.copy:
src: save_apache_status.sh
dest: /usr/share/scripts/save_apache_status.sh
mode: "0755"
force: no
force: false
tags:
- apache
- name: "logrotate: {{ apache_logrotate_frequency }}"
replace:
ansible.builtin.replace:
dest: /etc/logrotate.d/apache2
regexp: "(daily|weekly|monthly)"
replace: "{{ apache_logrotate_frequency }}"
@ -192,19 +194,19 @@
- apache
- name: "logrotate: rotate {{ apache_logrotate_rotate }}"
replace:
ansible.builtin.replace:
dest: /etc/logrotate.d/apache2
regexp: '^(\s+rotate) \d+$'
replace: '\1 {{ apache_logrotate_rotate }}'
tags:
- apache
- include: log2mail.yml
- ansible.builtin.include: log2mail.yml
when: apache_log2mail_include
tags:
- apache
- include: munin.yml
- ansible.builtin.include: munin.yml
when: apache_munin_include | bool
tags:
- apache
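Review bot: The four `ansible.builtin.include:` statements (`auth.yml`, `server_status.yml`, `log2mail.yml`, `munin.yml`) only received the FQCN prefix, while the same PR rewrites `include: ip_whitelist.yml` in auth.yml to `ansible.builtin.import_tasks`; `include` has been deprecated for task files for several releases and, as far as I recall, is removed in ansible-core 2.16, so this file would stop parsing there. `ansible.builtin.import_tasks:` is the direct replacement for the two unconditional ones, and either `import_tasks` (the `when` is pushed down to every contained task) or `ansible.builtin.include_tasks:` for the two guarded by `when: apache_log2mail_include` / `when: apache_munin_include | bool`. `failed_when: False` and `changed_when: False` under "is umask already present?" keep the capitalised booleans the rest of the PR normalises to `false`. The `a2enconf` task decides `changed_when` on `command_result.stderr`, whereas munin.yml in this same PR checks the sibling `a2enmod` on `stdout`; which stream these scripts print "Enabling …" to is worth verifying, and the chosen one deserves a comment such as `# a2enconf reports "Enabling conf …" on this stream; anything else means it was already enabled`.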


@ -1,7 +1,7 @@
---
- name: "Install munin-node and core plugins packages"
apt:
ansible.builtin.apt:
name:
- munin-node
- munin-plugins-core
@ -11,7 +11,7 @@
- munin
- name: "Enable Munin plugins"
file:
ansible.builtin.file:
src: "/usr/share/munin/plugins/{{ item }}"
dest: "/etc/munin/plugins/{{ item }}"
state: link
@ -25,7 +25,7 @@
- munin
- name: "Install fcgi packages for Munin graphs"
apt:
ansible.builtin.apt:
name:
- libapache2-mod-fcgid
- libcgi-fast-perl
@ -36,7 +36,8 @@
- munin
- name: "Enable libapache2-mod-fcgid"
command: a2enmod fcgid
ansible.builtin.command:
cmd: a2enmod fcgid
register: cmd_enable_fcgid
changed_when: "'Module fcgid already enabled' not in cmd_enable_fcgid.stdout"
notify: restart apache
@ -45,7 +46,7 @@
- munin
- name: "Apache has access to /var/log/munin/"
file:
ansible.builtin.file:
path: /var/log/munin/
group: www-data
tags:


@ -1,7 +1,7 @@
---
- name: server status dirname exists
file:
ansible.builtin.file:
dest: "{{ apache_serverstatus_suffix_file | dirname }}"
mode: "0700"
owner: root
@ -9,62 +9,71 @@
state: directory
- name: set apache serverstatus suffix if provided
copy:
ansible.builtin.copy:
dest: "{{ apache_serverstatus_suffix_file }}"
# The last character "\u000A" is a line feed (LF), it's better to keep it
content: "{{ apache_serverstatus_suffix }}\u000A"
force: yes
force: true
when: apache_serverstatus_suffix | length > 0
- name: generate random string for server-status suffix
shell: "apg -a 1 -M N -n 1 > {{ apache_serverstatus_suffix_file }}"
ansible.builtin.shell:
cmd: "apg -a 1 -M N -n 1 > {{ apache_serverstatus_suffix_file }}"
args:
creates: "{{ apache_serverstatus_suffix_file }}"
- name: read apache server status suffix
command: "tail -n 1 {{ apache_serverstatus_suffix_file }}"
ansible.builtin.command:
cmd: "tail -n 1 {{ apache_serverstatus_suffix_file }}"
changed_when: False
check_mode: no
register: new_apache_serverstatus_suffix
- name: overwrite apache_serverstatus_suffix
set_fact:
ansible.builtin.set_fact:
apache_serverstatus_suffix: "{{ new_apache_serverstatus_suffix.stdout }}"
- debug:
- ansible.builtin.debug:
var: apache_serverstatus_suffix
verbosity: 1
- name: replace server-status suffix in default site index
replace:
ansible.builtin.replace:
dest: /var/www/index.html
regexp: '__SERVERSTATUS_SUFFIX__'
replace: "{{ apache_serverstatus_suffix }}"
- name: add server-status suffix in default site index if missing
replace:
ansible.builtin.replace:
dest: /var/www/index.html
regexp: '"/server-status-?"'
replace: '"/server-status-{{ apache_serverstatus_suffix }}"'
- name: add server-status suffix in default VHost
replace:
ansible.builtin.replace:
dest: /etc/apache2/sites-available/000-evolinux-default.conf
regexp: '<Location /server-status-?>'
replace: '<Location /server-status-{{ apache_serverstatus_suffix }}>'
notify: reload apache
- name: Munin configuration has a section for apache
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/munin/plugin-conf.d/munin-node
line: "[apache_*]"
create: no
- name: apache-status URL is configured for Munin
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/munin/plugin-conf.d/munin-node
line: "env.url http://{{ apache_serverstatus_host }}/server-status-{{ apache_serverstatus_suffix }}?auto"
regexp: 'env.url http://[^\\/]+/server-status'
insertafter: "[apache_*]"
create: no
notify: restart munin-node
- name: add mailgraph URL in index.html
ansible.builtin.lineinfile:
dest: /var/www/index.html
state: present
line: ' <li><a href="/mailgraph">Stats Mail</a></li>'
insertbefore: "</ul>"
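Review bot: `apg -a 1 -M N -n 1` generates a digits-only suffix for the `/server-status-…` URL, which at apg's default length (8–10 characters, if I recall) leaves on the order of 10^8–10^10 candidates — thin for a secret that, on hosts where `ipaddr_whitelist.conf` is broad, is all that stands between a remote client and the scoreboard; `apg -a 1 -M NCL -m 16 -x 16 -n 1` keeps the same one-shot generation with far more entropy, and because of the `creates:` guard existing hosts keep their current suffix, so the change is not disruptive. `check_mode: no` on "read apache server status suffix" is still in the YAML-1.1 boolean form the rest of this PR converts to `false`. The suffix is then templated straight into `/var/www/index.html` by the two `replace` tasks, so anyone who can read the default index learns it; that is pre-existing, but a comment on the first `replace` task stating that the suffix is deliberately linked from the index page and that `ipaddr_whitelist.conf` is the real control would make the threat model explicit.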


@ -35,6 +35,15 @@
Include /etc/apache2/ipaddr_whitelist.conf
</Directory>
# Mailgraph configuration
Alias /mailgraph /usr/share/mailgraph
<Directory /usr/share/mailgraph>
DirectoryIndex mailgraph.cgi
Require all granted
Options +FollowSymLinks +ExecCGI
AddHandler cgi-script .cgi
</Directory>
CustomLog /var/log/apache2/access.log vhost_combined
ErrorLog /var/log/apache2/error.log
LogLevel warn
@ -118,6 +127,15 @@
Include /etc/apache2/ipaddr_whitelist.conf
</Location>
# Mailgraph configuration
Alias /mailgraph /usr/share/mailgraph
<Directory /usr/share/mailgraph>
DirectoryIndex mailgraph.cgi
Require all granted
Options +FollowSymLinks +ExecCGI
AddHandler cgi-script .cgi
</Directory>
# BEGIN phpMyAdmin section
# END phpMyAdmin section
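Review bot: Both new `<Directory /usr/share/mailgraph>` blocks use `Require all granted`, which makes the mailgraph CGI reachable by anyone who can reach the vhost, whereas the `/server-status-…` `<Location>` just above each block is restricted with `Include /etc/apache2/ipaddr_whitelist.conf`; mailgraph exposes the host's mail volume and rejection statistics, and a CGI is also a larger attack surface than a static page, so the same `Include /etc/apache2/ipaddr_whitelist.conf` (or `Require valid-user` against the private htpasswd this role manages) should replace `Require all granted` in both blocks. `Options +FollowSymLinks +ExecCGI` enables `FollowSymLinks` although nothing in the block needs it; `+ExecCGI` alone, with the `AddHandler cgi-script .cgi`, is sufficient. The identical block appears twice in the file with no explanation; a one-line `# mailgraph statistics (presumably one block per vhost — confirm)` on each would save the next reader a diff.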


@ -8,6 +8,8 @@ apt_upgrade: False
apt_install_basics: True
apt_basics_components: "main"
# With Debian 12+ and the deb822 format of source files
# backports are always installed but enabled according to `apt_install_backports`
apt_install_backports: False
apt_backports_components: "main"
@ -25,3 +27,5 @@ apt_check_hold_cron_hour: "*/4"
apt_check_hold_cron_weekday: "*"
apt_check_hold_cron_day: "*"
apt_check_hold_cron_month: "*"
apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"


@ -0,0 +1,3 @@
Package: *
Pin: release a=bookworm-backports
Pin-Priority: 50

apt/files/deb822-migration.py Executable file

@ -0,0 +1,152 @@
#!/bin/env python3
import re
import sys
import os
import select
import apt
import apt_pkg
# Order matters !
destinations = {
"debian-security": "security.sources",
".*-backports": "backports.sources",
".debian.org": "system.sources",
"mirror.evolix.org": "system.sources",
"pub.evolix.net": "evolix_public_old.sources",
"pub.evolix.org": "evolix_public.sources",
"artifacts.elastic.co": "elastic.sources",
"download.docker.com": "docker.sources",
"downloads.linux.hpe.com": "hp.sources",
"pkg.jenkins-ci.org": "jenkins.sources",
"packages.sury.org": "sury.sources",
"repo.mongodb.org": "mongodb.sources",
"apt.newrelic.com": "newrelic.sources",
"deb.nodesource.com": "nodesource.sources",
"dl.yarnpkg.com": "yarn.sources",
"apt.postgresql.org": "postgresql.sources",
"packages.microsoft.com/repos/vscode": "microsoft-vscode.sources",
"packages.microsoft.com/repos/ms-teams": "microsoft-teams.sources",
"updates.signal.org": "signal.sources",
"downloads.1password.com/linux/debian": "1password.sources",
"download.virtualbox.org": "virtualbox.sources"
}
sources_parts = apt_pkg.config.find_dir('Dir::Etc::sourceparts')
def split_options(raw):
table = str.maketrans({
"[": None,
"]": None
})
options = raw.translate(table).split(' ')
return options
def auto_destination(uri):
basename = uri
basename = re.sub('\[[^\]]+\]', '', basename)
basename = re.sub('\w+://', '', basename)
basename = '_'.join(re.sub('[^a-zA-Z0-9]', ' ', basename).split())
return '%s.sources' % basename
def destination(matches):
for search_str in destinations.keys():
search_pattern = re.compile(f'{search_str}(/|\s|$)')
if re.search(search_pattern, matches['uri']) or re.search(search_pattern, matches["suite"]):
return destinations[search_str]
# fallback if nothing matches
return auto_destination(matches['uri'])
def prepare_sources(lines):
sources = {}
pattern = re.compile('^(?: *(?P<type>deb|deb-src)) +(?P<options>\[.+\] ?)*(?P<uri>\w+:\/\/\S+) +(?P<suite>\S+)(?: +(?P<components>.*))?$')
for line in lines:
matches = re.match(pattern, line)
if matches is not None:
dest = destination(matches)
options = {}
if matches.group('options'):
for option in split_options(matches['options']):
if "=" in option:
key, value = option.split("=")
options[key] = value
if dest in sources:
sources[dest]["Types"].add(matches["type"])
sources[dest]["URIs"] = matches["uri"]
sources[dest]["Suites"].add(matches["suite"])
sources[dest]["Components"].update(matches["components"].split(' '))
else:
source = {
"Types": {matches['type']},
"URIs": matches['uri'],
"Enabled": "yes",
}
if matches.group('suite'):
source["Suites"] = set(matches['suite'].split(' '))
if matches.group('components'):
source["Components"] = set(matches['components'].split(' '))
if "arch" in options:
if "Architectures" in source:
source["Architectures"].append(options["arch"])
else:
source["Architectures"] = {options["arch"]}
if "signed-by" in options:
if "Signed-by" in source:
source["Signed-by"].append(options["signed-by"])
else:
source["Signed-by"] = {options["signed-by"]}
if "lang" in options:
if "Languages" in source:
source["Languages"].append(options["lang"])
else:
source["Languages"] = {options["lang"]}
if "target" in options:
if "Targets" in source:
source["Targets"].append(options["target"])
else:
source["Targets"] = {options["target"]}
sources[dest] = source
return sources
def save_sources(sources, output_dir):
# print(output_dir)
# print(sources)
for dest, source in sources.items():
source_path = output_dir + dest
with open(source_path, 'w') as file:
for key, value in source.items():
if isinstance(value, str):
file.write("{}: {}\n".format(key, value))
else:
file.write("{}: {}\n".format(key, ' '.join(value)))
def main():
if select.select([sys.stdin, ], [], [], 0.0)[0]:
sources = prepare_sources(sys.stdin)
# elif len(sys.argv) > 1:
# sources = prepare_sources([sys.argv[1]])
else:
print("You must provide source lines to stdin", file=sys.stderr)
sys.exit(1)
output_dir = apt_pkg.config.find_dir('Dir::Etc::sourceparts')
save_sources(sources, output_dir)
if __name__ == "__main__":
main()
sys.exit(0)
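Review bot: In `prepare_sources`, the branch taken when `dest` is already known (`if dest in sources:`) calls `matches["components"].split(' ')` without the `None` guard the `else` branch has, so a second line for the same destination that carries no components — the `deb http://pub.evolix.net/ {{ ansible_distribution_release }}/` form the old evolix_public.list.j2 wrote — raises `AttributeError`, and that branch also drops the line's `arch`/`signed-by` options, so a merged stanza can lose the `Signed-by:` one of its one-line sources had. The `if "Architectures" in source:` / `.append(...)` branches in the `else` path are unreachable on a freshly built dict and would fail anyway, because the fields are sets. The rewrite below shares one option-merging step between both branches; lines that do not match `pattern` are still silently skipped and the wrapper then renames the file as successfully migrated, so exiting non-zero (or at least warning on stderr) for an unmatched non-empty line would be worth adding too. `#!/bin/env python3` also relies on a merged `/usr`; `#!/usr/bin/env python3` is the portable form.
```python
def add_option(source, field, value):
    # multi-valued deb822 fields are kept as sets; never .append() on them
    source.setdefault(field, set()).add(value)

def prepare_sources(lines):
    sources = {}
    # … unchanged: pattern, per-line match, dest and options parsing …
            if dest in sources:
                source = sources[dest]
                source["Types"].add(matches["type"])
                source["URIs"] = matches["uri"]
                source["Suites"].add(matches["suite"])
                if matches.group('components'):
                    source.setdefault("Components", set()).update(matches['components'].split(' '))
            else:
                source = {
                    "Types": {matches['type']},
                    "URIs": matches['uri'],
                    "Enabled": "yes",
                    "Suites": set(matches['suite'].split(' ')),
                }
                if matches.group('components'):
                    source["Components"] = set(matches['components'].split(' '))
                sources[dest] = source
            # options from every line for this destination, not only the first
            for option, field in (("arch", "Architectures"), ("signed-by", "Signed-by"),
                                  ("lang", "Languages"), ("target", "Targets")):
                if option in options:
                    add_option(source, field, options[option])
    return sources
```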

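--- a/apt/files/deb822-migration.sh
+++ b/apt/files/deb822-migration.sh
@@ -0,0 +1,49 @@
+#!/bin/sh
+deb822_migrate_script=$(command -v deb822-migration.py)
+if [ -z "${deb822_migrate_script}" ]; then
+deb822_migrate_script="$(dirname "$0")/deb822-migration.py"
+fi
+if [ ! -x "${deb822_migrate_script}" ]; then
+>&2 echo "ERROR: '${deb822_migrate_script}' not found or not executable"
+exit 1
+fi
+sources_from_file() {
+grep --extended-regexp "^\s*(deb|deb-src) " $1
+}
+rc=0
+count=0
+if [ -f /etc/apt/sources.list ]; then
+sources_from_file /etc/apt/sources.list | ${deb822_migrate_script}
+python_rc=$?
+if [ ${python_rc} -eq 0 ]; then
+mv /etc/apt/sources.list /etc/apt/sources.list.bak
+echo "OK: /etc/apt/sources.list"
+count=$(( count + 1 ))
+else
+>&2 echo "ERROR: failed migration for /etc/apt/sources.list"
+rc=1
+fi
+fi
+for file in $(find /etc/apt/sources.list.d -mindepth 1 -maxdepth 1 -type f -name '*.list'); do
+sources_from_file "${file}" | ${deb822_migrate_script}
+python_rc=$?
+if [ ${python_rc} -eq 0 ]; then
+mv "${file}" "${file}.bak"
+echo "OK: ${file}"
+count=$(( count + 1 ))
+else
+>&2 echo "ERROR: failed migration for ${file}"
+rc=1
+fi
+done
+echo "${count} file(s) migrated"
+exit ${rc}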
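Review bot: A file is renamed to `.bak` whenever the Python script exits 0, but that script silently skips every line its regexp does not match (a `cdrom:` entry, for instance, has no `scheme://` URI), so such a source disappears from the host while the script prints `OK:`; the wrapper should treat a mismatch between lines fed in and sources written as a failure, or the Python side should exit non-zero on unmatched lines, before the `mv` is allowed. `sources_from_file` also passes `$1` unquoted and the `for file in $(find ...)` loop word-splits its output, so a `.list` name containing whitespace is mishandled; `grep --extended-regexp "^\s*(deb|deb-src) " "$1"` and a `while read -r file` loop over `find ... -print` avoid that. The `.bak` files are left in `/etc/apt/sources.list.d`, which apt ignores by extension, but a line saying so in the final summary would spare the next operator a check.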


@ -0,0 +1,32 @@
#!/bin/sh
# Move apt repository key from /etc/apt/trusted.gpg.d/ to /etc/apt/keyrings/ and add "signed-by" tag in source list
#
# Example: move-apt-keyrings.sh http://repo.mongodb.org/apt/debian mongodb-server-[0-9\\.]+.asc
repository_pattern=$1
key=$2
found_files=$(grep --files-with-matches --recursive --extended-regexp "${repository_pattern}" "/etc/apt/sources.list.d/*.list")
old_key_file="/etc/apt/trusted.gpg.d/${key}"
new_key_file="/etc/apt/keyrings/${key}"
for file in ${found_files}; do
if ! grep --quiet "signed-by" "${file}"; then
signed_by="signed-by=${new_key_file}"
if grep --quiet "deb(-src)? \[" "${file}"; then
sed -i "s@deb\(-src\)\? \[\([^]]\+\)\]@deb\1 [\2 ${signed_by}]@" "${file}"
else
sed -i "s@deb\(-src\)\? @deb\1 [${signed_by}] @" "${file}"
fi
fi
done
if [ -f "${old_key_file}" ] && [ ! -f "${new_key_file}" ]; then
mv "${old_key_file}" "${new_key_file}"
fi
if [ -f "${new_key_file}" ]; then
chmod 644 "${new_key_file}"
chown root: "${new_key_file}"
fi
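Review bot: The `grep --files-with-matches --recursive ...` call quotes its glob, so it searches a literal path named `/etc/apt/sources.list.d/*.list`, which does not exist; `found_files` is therefore always empty, no `signed-by` is ever written, and because the key is still moved out of `/etc/apt/trusted.gpg.d` the repository is left with no trusted key at all (apt fails closed, but every `apt update` then errors). Use the unquoted glob, `grep --files-with-matches --extended-regexp "${repository_pattern}" /etc/apt/sources.list.d/*.list`, and drop `--recursive`. The later `grep --quiet "deb(-src)? \["` is a basic regexp in which `(`, `)` and `?` are literal, so it never matches and a line that already has `[...]` options gets a second bracket group prepended, which apt's one-line parser does not accept; `grep --quiet --extended-regexp "deb(-src)? \["` fixes it. `key` is also used as a literal file name in the `-f` tests and `mv`, so the regexp-style value shown in the header example and passed by the caller for MongoDB never matches a real keyring.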

apt/files/pub_evolix.asc Normal file

@ -0,0 +1,87 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBGOsRdcBEADDPJ8Tsqr5Z4crmQlNQM32hfufe7gTUrXo0cAL8clt92y1QX3N
YyMv0Re4+Ugo7JZd4jsF2Q1twJMxsX5rA12xDnHHcZRSc/E0DIYvPnfLzEHkwseN
OK4f9lI+xo06k+B3KQQKMeI/RjVaN6AiSply9ZGaZVeGGqd4es4PsU1VQMTWdclV
Bn54HBWUnL5dPStPMnNkt0bMQYIqc5733Yby3qMiUKcql2bl9TYBw8SaJXvClsLw
ERqit6FjljUOEeWtB4WZFpjhc/aqcxGcUTPHRrNTlNF0HCvk8JicEu4/lr99pwy7
7z6SRql++WGMSG06E4MBtUt+wWAmDDHNj3fdZPnoCaDFp7vxy/FEARB2aygTtu11
mLk4XOKheqU/WibWxoXRzyUCuclJ247Fh+YPxkYVG1dnDwpWGbYuRmzUapGLv4ma
dnKsQN0KhXzUqkSoybBgV208dGOP7BqdY6TVnyU0v/7XDeUqFEwnllRKMSYLilV3
huTifiCFTK45HACM/x2yckx8dyAuYg6cJaAR1yn1iaTexoyYPG9ZFifvMB6ranEm
vkmQq1e8/7xiNSQsh5F3Ybl5hh4GVLwsR6esfZsHG0Ve+CitsmcZgWnr0JJ2PZOk
+XHxMwo7Gb0/KVH9XGeoXk+eiNNW/kdcgBMkGkU3nWooVHDm7Dy54I5CzQARAQAB
tC9Fdm9saXggUHVibGljIFJlcG9zaXRvcnkgPGVxdWlwZStwdWJAZXZvbGl4LmZy
PokCVAQTAQoAPhYhBP+vfRvzUK1F+rMpCUaPWta4YwY9BQJjrEXXAhsDBQkHhM4A
BQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEEaPWta4YwY9V6oP/iYfZceiA1Sy
x9t/7CL3EReuvpdZtZYf2KklBfxEFtzkERV/KKMMpf8mKoGD6BA+ryUc7b4a8npq
yvKbSKDHGZW6gAbq8hneW71vRuNfPNqtfO98JbJO694nqX9sIYU2xQn0UIh0G6N7
D2bOcaicn8AgV/8cQZfgN9yRM4VhCoWZwhLqgROUqMYfDn3szamfkPcFiw10ToVt
c2PIFdqj2soKO9OrF5Ct/pztSGy1f+orDFiJ0AtRlqqRk9z18VB893qspfyd6y9N
q7IrQbYsiP+D8DcXYWZA1KURsI4LVQwsudNXokvGkYdnZitVgXI2lIaY7odDou5F
btZsCIEa45m7Vmvu0Wvtu/90EFbu9iwbOVrNpC7lLnfJpDObVXMiY1r0rQVuweEZ
ZbBcv1NUa3R0SPsPLPKf7L6dCx8gCpZjDVJLsgBeeSEV7XFQiYDbl8THasNTKCOa
C6v4h00mg0H6GhZvGMx+lcx8TzW6l3XXRoptHl4vkdE5usLFjy8/JWG3yJ7e2W3D
jVbPQ0UKJAnkGn1t+UJB1GP9O4annks0nPfcomjZzaDweIL8zSLPy5R9DGNgYLjp
5h/baLoNAOkaKssZrusq/P+BM2tdr3i/N6TK+dbrffz3hNgzSFFYVg51DspV7XWo
JKGqhqCgQpkms+NPJiKr4NDs6DdXn0IKuQINBGOsRdcBEAC9i5qcrYLTfeGrWPo3
Zok3jikNk181HC3HR7Wu8a5whCe/88GgJDY00sU2zZEF9hN/4Vtqq9FICVXUcs+F
5j+Gcb/sqAgwXuwk8LKuhbtR2cnz6I0GCsqNPuj+5uM7MXQlVWeIN5Z6zA/Jw++o
aENZHO6cnuep2KDNPUZzjmTHAa4+qXRL5cRXEOmMB1vtA8mm/43c7wicJ7MrZpba
mqzmiQPsQ2qfmCABfx8BwBgXCVON4sgtzCa+rYOPScsDtv0pv6uG+h/GJp4MdKBp
g3BfShQEAmOwwy3Pt2vo9Rw2s0uJJ9AM2O6tJ3x93YkUP5qj3Etr/eTcgVUiVvSs
h2Rrz2FLen3GMAcqUUDPViCy9nEWRAo7iWQgAKgr8WjeGerOmtsYPyjIQE47eX5M
Gomx0LVCGigYfkSAFIYzm5I+depmn1qTUyizfklvPr0bA/8Cs4zbqx6Pf6Rk5wvb
sJ4envk3dzQRNTH1Vt7Yoktyx1+VX0HFVEaPTQ3JlFORaHYwQQ97LaOZ0VmztE0A
5+CIFFdqp/0H7zGPol+LsPgqnzZZEQ2XFYPOy7/gB17zI2eWNWPAQmOdrUM/v12A
etnLEthZyALcjjBpJEVIHFnuaabYp+mdotycjDkBNSh+P+8H/UsMSrNVhheKQLB8
smzwFcSrAcnQbtiCjFWANTWyKQARAQABiQI8BBgBCgAmFiEE/699G/NQrUX6sykJ
Ro9a1rhjBj0FAmOsRdcCGwwFCQeEzgAACgkQRo9a1rhjBj0FZw//fNhJdx55ACvX
mpa8wz6eZOvzhr5GWSW5/Qie9nRjInPPI3bJ/jU0S/4ENqFBD9RSvY5F+0xCU67F
V2R3a3FFcB81HLIcUrkN0GH6fLcex0Js+grq/U117e2umdfGMKQG0UFJ+XonhtlT
foBcBjXPFr2NUaJB2SPo/RPQ3U+N3wMSm0ZbB/Xvxi5qMEb971dfObvsXTkQZvn7
b0TvccfHhyzs2IM8pZO3PamTwA5e16/2QqisRX4CeL0a/q3Yxfw4R8RPCrz/l0k5
FPdbdXaQuk5s+CiV+Nse7yFGoEoSlLpJM2BpueBsIg92joyOstZRm+tuCb5QefWI
7yFPfJU6xG1CMDqIGjXNU1tzSIoReGUBCNrE9UgzBQPPVD0jNM1WdW6HWSVR7jBb
+dvAeJNzQjJYlvKLQ383mAiVcwmCWBUp+R/kBPlLMGEpLlspti5fkmEc8xvtCaHc
fCLVWd0r2lUFUz+W53r8IXaRcxLtFinz7SHZPrlhaVwErdtlo+5X3kq39Mc4KCmF
bevT+qxlgzHXof+WGTYoc9IHkhDrvZ/TWeAUnBPvVn88dsBRtOC9f5wSCK4r9SfR
Dnf0lAsLWMpNtt812W8sA82RGXRUBwonZKa7YoGNKSa2vPJcUgmpIiHNtoLWpNa+
7pYGN7bV51zyQ1ERaLU5TBC9sPE70p25Ag0EY6xJaQEQAKsxFCb4Vxe8VuUEAKp/
RSRNGX/v9KqXVwbnf3kTYq9FMoplZBeqj4LQ22BqRzZ74ywoyfvHHtvkAtCbmrlc
8iLQEmicLug3Ibk97qm1lvvHnK9fqFOWh+Tx/omlaiSzEfAFbLEjNcplmq1ooqmX
fkI9zcefLZHtUFx6Clw3rwp79d/V5XJDM+2jwB47HfIhrW6jEubUuaXIHNR/GSSd
gTYuw55g9K97LhONX6ZvSBhjp4pOeUUbtFuG1fRkjPiObsB54fJ2R32yfm4jV53/
YgG/Ih/o97tKV+ishQIrr85SB3XiLFlGhQuu/0a/+/vfGVTbJOzrQrE+OCWt9Xm1
4b91MiVSSzXy6TGzPvpNXYR2PQZzVwvz7UctCikaE4gGB0lSH0LemDD0LZIZUwBL
1G9mlwFTkMYK0+iMyHFOKeAlUnSSpO6hFYr4GHOxAMGTjHqqEJZ3lBi9SBPc7AEK
3NcEp4etuiLOeaSBtqmUs+y7g8yMTrnyWPVxa0l5q4OUitbb2qvWYbaD3O22xYyj
9BlqzpG9uO6/d8HefDK8XMNCHlmwFoJj3HJlHJg7oN029vYsXEwBIhFyolAPzIvB
jpLKcebq9DJSObs1nHjAyVUpL4ZzRmujFcJYDYSixiqaWc/1aGTgUZQ/JDXcODiC
LgFu1vLTRf6hwKSb/vnZP5OtABEBAAGJBHIEGAEKACYWIQT/r30b81CtRfqzKQlG
j1rWuGMGPQUCY6xJaQIbAgUJA8JnAAJACRBGj1rWuGMGPcF0IAQZAQoAHRYhBA7H
BbTwXPF0hLMgRYefxhvnjx3ABQJjrElpAAoJEIefxhvnjx3ANpUQAIFLkLcx2z3M
jV0SgoAYertib9T/OOy/rsfeQjE6DFk6IArrHolZPA9g/PpTPuRwK165n5xw483q
BMyssUT9IK7SZxt0gbKpvZ0HFSCwSp5wdSJZymwB4AOcgRBU5rwC/9fFxYihgIym
Ig7TH9aWW4hDbEuGJDrKbhK+DpIL7lK3A5WUZk9ltGOpCcFctV3YnVgbMIwX5gO6
lZ5Zi6NHJEB3HauVZJ59NIPJ/f0xe5GMte/LXckyijs9ei4WOFOjstiW64EWkOBH
El0tj+LUxLznCP2szdXjkDN1P6/NDrY1Nid6/ECOfkh4xO/VHhkdSRAlhdP9FHiV
sy3KUUoPH5B805z1MyOI7UYUD/8CK0juIXcbw7isbVUmLf/VV8jEDmq3WWDj8YZp
IStn2AvQeo3VWGWUfkf3v7UthKandIUTIGc5isD+i6KvzzbggyyZWNtvb3/1wMrz
DUKGlFi/IjMhhElJ0oF3YGsBwz2V2UKP7pPIYo+f5zthc7SbmO9yxAQebEOc3prM
G/Br8JOZ90w1dy6CeIYxkM4YEhhG1K8CzD3ZTTI7vh8mwRc92A6HI2NFyxeYJCr0
IsUcFQpCyXMtcLRN75DGLIjIKdYrYJuwSiUgcH5FtgkuxMYfJEX9UX8rV7HAxUvs
UdIyHLl7k+khGlZa0/W6uCioFNiygnBEp7oP/iSj4Q2Xh5yKI6Jjw/IsfRcsiaac
lHc7uF0caYGMkqRNHiX17d5EtaidTbiqQii1W9slSPXmUuUcKfD1xUfLng7TbZVm
AdEbpHCT+q037cGCYFpHPMvw3OYhhGzYeh3+1oN9t3ZvyGlvAhkrtssDQB+gxX8r
adCpihziFLjm+6IvCLYHEh3gILVFbbhdYDDUduFFjf/snlJW7j8OVc7Cxa7FbPdf
SHLT9VESzf7oiwkP5/ijGmHiEQoJd9EWYkGGz+LZAXemBwe5ZnPPWVZvDEQRMe8v
2V8pa37vyReaK//O8xxGg3NzGTn9otwVr/4Ti9OxrSzmDWpd967oZ42IZSeSY2bz
kOaV8z4C8AIgIA7vWOS83Hncbrgf2nMCXmRjf0KTMm1P7Z0BQDWpxK9lP0nRpVAg
2T3/OjJ9KcAsTz02NFC3/kOUz//NcfDP747HsQB0sltIty140B7CfcWk0a0eKSad
OxGUehskjyKhO6v3dYF+8oR9p98Q8/Rh8r7evYy2mfhgJd7a9Cchn7612Y6k1SLf
nmPGYu3s0lf/k6GoHLfXXQIJDgWeua4ZBr6cgpGONLSvWBeCVaqnk8nhbNIiSBHk
jnrcX8xAtoPLgqg0+yi7rZ3NAauZcQE6UaNB+xjJxDOIpgVLUWtFyAG4MDeIh6GH
oA9QflpnDubMnCve
=ZCml
-----END PGP PUBLIC KEY BLOCK-----

apt/files/pub_evolix.gpg Normal file



@ -0,0 +1,28 @@
---
- name: Backports deb822 sources list is installed
ansible.builtin.template:
src: '{{ ansible_distribution_release }}_backports.sources.j2'
dest: /etc/apt/sources.list.d/backports.sources
force: true
mode: "0640"
register: apt_backports_sources
tags:
- apt
- name: Backports configuration
ansible.builtin.copy:
src: '{{ ansible_distribution_release }}_backports_preferences'
dest: /etc/apt/preferences.d/0-backports-defaults
force: true
mode: "0640"
register: apt_backports_config
tags:
- apt
- name: Apt update
ansible.builtin.apt:
update_cache: yes
when: apt_backports_sources is changed or apt_backports_config is changed
tags:
- apt
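Review bot: `update_cache: yes` in the `Apt update` task mixes a YAML 1.1 truthy spelling with the `force: true` form used two tasks above in the same file; `update_cache: true` keeps the file uniform and avoids yamllint/ansible-lint `truthy` warnings. The same `yes` spelling appears in the `Apt update` tasks of backports.oneline.yml, basics.deb822.yml, basics.oneline.yml, evolix_public.deb822.yml, evolix_public.oneline.yml and main.yml, so it is worth fixing across the role in one go.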


@ -0,0 +1,45 @@
---
- name: No backports config in default sources.list
ansible.builtin.lineinfile:
dest: /etc/apt/sources.list
regexp: "backports"
state: absent
tags:
- apt
- name: Backports sources list is installed
ansible.builtin.template:
src: '{{ ansible_distribution_release }}_backports.list.j2'
dest: /etc/apt/sources.list.d/backports.list
force: true
mode: "0640"
register: apt_backports_list
tags:
- apt
- name: Backports configuration
ansible.builtin.copy:
src: '{{ ansible_distribution_release }}_backports_preferences'
dest: /etc/apt/preferences.d/0-backports-defaults
force: true
mode: "0640"
register: apt_backports_config
tags:
- apt
- name: Archived backport are accepted (jessie)
ansible.builtin.lineinfile:
dest: '/etc/apt/apt.conf.d/99no-check-valid-until'
line: 'Acquire::Check-Valid-Until no;'
create: yes
state: present
tags:
- apt
when: ansible_distribution_release == "jessie"
- name: Apt update
ansible.builtin.apt:
update_cache: yes
tags:
- apt
when: apt_backports_list is changed or apt_backports_config is changed
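Review bot: The `Archived backport are accepted (jessie)` task writes `Acquire::Check-Valid-Until no;` into `/etc/apt/apt.conf.d/`, which turns off Release-file expiry checking for every repository on the host, not only the archived backports pocket; a stale or replayed mirror of any other source then goes unnoticed. The narrower form is the per-source option on the jessie backports template line, `deb [check-valid-until=no] http://archive.debian.org/debian jessie-backports ...`, with the `99no-check-valid-until` file set `state: absent`. The task is carried over from the old backports.yml, so this is a pre-existing choice the commit merely relocates.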


@ -1,45 +1,13 @@
---
- name: No backports config in default sources.list
lineinfile:
dest: /etc/apt/sources.list
regexp: "backports"
state: absent
tags:
- apt
- name: Backports sources list is installed
template:
src: '{{ ansible_distribution_release }}_backports.list.j2'
dest: /etc/apt/sources.list.d/backports.list
force: yes
mode: "0640"
register: apt_backports_list
tags:
- apt
# Backward compatibility task file
- name: Backports configuration
copy:
src: '{{ ansible_distribution_release }}_backports_preferences'
dest: /etc/apt/preferences.d/0-backports-defaults
force: yes
mode: "0640"
register: apt_backports_config
tags:
- apt
- name: Install backports repositories (Debian <12)
ansible.builtin.import_tasks: backports.oneline.yml
when:
- ansible_distribution_major_version is version('12', '<')
- name: Archived backport are accepted (jessie)
lineinfile:
dest: '/etc/apt/apt.conf.d/99no-check-valid-until'
line: 'Acquire::Check-Valid-Until no;'
create: yes
state: present
when: ansible_distribution_release == "jessie"
tags:
- apt
- name: Apt update
apt:
update_cache: yes
when: apt_backports_list is changed or apt_backports_config is changed
tags:
- apt
- name: Install backports repositories (Debian >=12)
ansible.builtin.import_tasks: backports.deb822.yml
when:
- ansible_distribution_major_version is version('12', '>=')


@ -0,0 +1,45 @@
---
- name: Change basics repositories
ansible.builtin.template:
src: "{{ ansible_distribution_release }}_basics.sources.j2"
dest: /etc/apt/sources.list.d/system.sources
mode: "0644"
force: true
register: apt_basic_sources
tags:
- apt
- name: Change security repositories
ansible.builtin.template:
src: "{{ ansible_distribution_release }}_security.sources.j2"
dest: /etc/apt/sources.list.d/security.sources
mode: "0644"
force: true
register: apt_security_sources
tags:
- apt
- name: Find one-line APT sources
ansible.builtin.find:
paths: /etc/apt
patterns: '*.list'
register: list_files
- name: Disable one-line-formatted sources
ansible.builtin.command:
cmd: "mv --verbose {{ item.path }} {{ item.path }}.bak"
environment:
LC_ALL: C
loop: "{{ list_files.files }}"
register: rename_cmd
changed_when: "'renamed' in rename_cmd.stdout"
tags:
- apt
- name: Apt update
ansible.builtin.apt:
update_cache: yes
tags:
- apt
when: apt_basic_list is changed or apt_security_sources is changed
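Review bot: The final `when` refers to `apt_basic_list`, but this file registers the basics template result as `apt_basic_sources`; nothing defines `apt_basic_list` on the Debian 12 path, so the `is changed` test fails on an undefined variable and the `Apt update` task errors out. It should read `when: apt_basic_sources is changed or apt_security_sources is changed`. The `Find one-line APT sources` task has no `recurse`, so only `/etc/apt/sources.list` itself is renamed — fine if `sources.list.d/*.list` is left to the separate migration tasks, but worth a comment — and it is the one task in the file without the `apt` tag.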


@ -0,0 +1,18 @@
---
- name: Change basics repositories
ansible.builtin.template:
src: "{{ ansible_distribution_release }}_basics.list.j2"
dest: /etc/apt/sources.list
mode: "0644"
force: true
register: apt_basic_list
tags:
- apt
- name: Apt update
ansible.builtin.apt:
update_cache: yes
tags:
- apt
when: apt_basic_list is changed


@ -1,33 +1,13 @@
---
- name: Change basics repositories
template:
src: "{{ ansible_distribution_release }}_basics.list.j2"
dest: /etc/apt/sources.list
mode: "0644"
force: yes
register: apt_basic_list
tags:
- apt
# Backward compatibility task file
- name: Clean GANDI sources.list.d/debian-security.list
file:
path: '{{ item }}'
state: absent
loop:
- /etc/apt/sources.list.d/debian-security.list
- /etc/apt/sources.list.d/debian-jessie.list
- /etc/apt/sources.list.d/debian-stretch.list
- /etc/apt/sources.list.d/debian-buster.list
- /etc/apt/sources.list.d/debian-bullseye.list
- /etc/apt/sources.list.d/debian-update.list
when: apt_clean_gandi_sourceslist | bool
tags:
- apt
- name: Install basics repositories (Debian <12)
ansible.builtin.import_tasks: basics.oneline.yml
when:
- ansible_distribution_major_version is version('12', '<')
- name: Apt update
apt:
update_cache: yes
when: apt_basic_list is changed
tags:
- apt
- name: Install basics repositories (Debian >=12)
ansible.builtin.import_tasks: basics.deb822.yml
when:
- ansible_distribution_major_version is version('12', '>=')


@ -1,7 +1,7 @@
---
- name: Evolinux config for APT
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/apt/apt.conf.d/z-evolinux.conf
line: "{{ item.line }}"
regexp: "{{ item.regexp }}"
@ -12,12 +12,12 @@
- { line: "APT::Install-Recommends \"false\";", regexp: 'APT::Install-Recommends' }
- { line: "APT::Install-Suggests \"false\";", regexp: 'APT::Install-Suggests' }
- { line: "APT::Periodic::Enable \"0\";", regexp: 'APT::Periodic::Enable' }
when: apt_evolinux_config | bool
tags:
- apt
when: apt_evolinux_config | bool
- name: DPkg invoke hooks
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/apt/apt.conf.d/z-evolinux.conf
line: "{{ item }}"
create: yes
@ -28,14 +28,14 @@
- "DPkg::Pre-Invoke { \"df /usr | grep -q /usr && mount -oremount,rw /usr || true\"; };"
- "DPkg::Post-Invoke { \"df /tmp | grep -q /tmp && mount -oremount /tmp || true\"; };"
- "DPkg::Post-Invoke { \"df /usr | grep -q /usr && mount -oremount /usr || true\"; };"
when: apt_hooks | bool
tags:
- apt
when: apt_hooks | bool
- name: Remove Aptitude
apt:
ansible.builtin.apt:
name: aptitude
state: absent
when: apt_remove_aptitude | bool
tags:
- apt
when: apt_remove_aptitude | bool


@ -0,0 +1,45 @@
---
- name: Look for legacy apt keyring
ansible.builtin.stat:
path: /etc/apt/trusted.gpg
register: _trusted_gpg_keyring
tags:
- apt
- name: Evolix embedded GPG key is absent
ansible.builtin.apt_key:
id: "B8612B5D"
keyring: /etc/apt/trusted.gpg
state: absent
tags:
- apt
when: _trusted_gpg_keyring.stat.exists
- name: Add Evolix GPG key
ansible.builtin.copy:
src: pub_evolix.asc
dest: "{{ apt_keyring_dir }}/pub_evolix.asc"
force: true
mode: "0644"
owner: root
group: root
tags:
- apt
- name: Evolix public list is installed
ansible.builtin.template:
src: evolix_public.sources.j2
dest: /etc/apt/sources.list.d/evolix_public.sources
force: true
mode: "0640"
register: apt_evolix_public
tags:
- apt
- name: Apt update
ansible.builtin.apt:
update_cache: yes
tags:
- apt
when: apt_evolix_public is changed


@ -0,0 +1,45 @@
---
- name: Look for legacy apt keyring
ansible.builtin.stat:
path: /etc/apt/trusted.gpg
register: _trusted_gpg_keyring
tags:
- apt
- name: Evolix embedded GPG key is absent
ansible.builtin.apt_key:
id: "B8612B5D"
keyring: /etc/apt/trusted.gpg
state: absent
tags:
- apt
when: _trusted_gpg_keyring.stat.exists
- name: Add Evolix GPG key
ansible.builtin.copy:
src: pub_evolix.asc
dest: "{{ apt_keyring_dir }}/pub_evolix.asc"
force: true
mode: "0644"
owner: root
group: root
tags:
- apt
- name: Evolix public list is installed
ansible.builtin.template:
src: evolix_public.list.j2
dest: /etc/apt/sources.list.d/evolix_public.list
force: true
mode: "0640"
register: apt_evolix_public
tags:
- apt
- name: Apt update
ansible.builtin.apt:
update_cache: yes
tags:
- apt
when: apt_evolix_public is changed


@ -1,45 +1,13 @@
---
- name: Look for legacy apt keyring
stat:
path: /etc/apt/trusted.gpg
register: _trusted_gpg_keyring
tags:
- apt
# Backward compatibility task file
- name: Evolix embedded GPG key is absent
apt_key:
id: "B8612B5D"
keyring: /etc/apt/trusted.gpg
state: absent
when: _trusted_gpg_keyring.stat.exists
tags:
- apt
- name: Install Evolix Public repositories (Debian <12)
ansible.builtin.import_tasks: evolix_public.oneline.yml
when:
- ansible_distribution_major_version is version('12', '<')
- name: Add Evolix GPG key
copy:
src: reg.asc
dest: /etc/apt/trusted.gpg.d/reg.asc
force: yes
mode: "0644"
owner: root
group: root
tags:
- apt
- name: Evolix public list is installed
template:
src: evolix_public.list.j2
dest: /etc/apt/sources.list.d/evolix_public.list
force: yes
mode: "0640"
register: apt_evolix_public
tags:
- apt
- name: Apt update
apt:
update_cache: yes
when: apt_evolix_public is changed
tags:
- apt
- name: Install Evolix Public repositories (Debian >=12)
ansible.builtin.import_tasks: evolix_public.deb822.yml
when:
- ansible_distribution_major_version is version('12', '>=')


@ -1,8 +1,11 @@
---
- ansible.builtin.include_role:
name: evolix/remount-usr
- name: "hold packages (apt)"
shell: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) || apt-mark hold {{ item }})"
args:
ansible.builtin.shell:
cmd: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) || apt-mark hold {{ item }})"
executable: /bin/bash
check_mode: no
register: apt_mark
@ -15,7 +18,7 @@
- apt
- name: "/etc/evolinux is present"
file:
ansible.builtin.file:
dest: /etc/evolinux
mode: "0700"
state: directory
@ -23,7 +26,7 @@
- apt
- name: "hold packages (config)"
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/evolinux/apt_hold_packages.cf
line: "{{ item }}"
create: True
@ -33,8 +36,8 @@
- apt
- name: "unhold packages (apt)"
shell: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) && apt-mark unhold {{ item }})"
args:
ansible.builtin.shell:
cmd: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) && apt-mark unhold {{ item }})"
executable: /bin/bash
check_mode: no
register: apt_mark
@ -45,7 +48,7 @@
- apt
- name: "unhold packages (config)"
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/evolinux/apt_hold_packages.cf
line: "{{ item }}"
create: True
@ -55,7 +58,7 @@
- apt
- name: /usr/share/scripts exists
file:
ansible.builtin.file:
dest: /usr/share/scripts
mode: "0700"
owner: root
@ -65,25 +68,26 @@
- apt
- name: Check scripts is installed
copy:
ansible.builtin.copy:
src: check_held_packages.sh
dest: /usr/share/scripts/check_held_packages.sh
force: yes
force: true
mode: "0755"
tags:
- apt
- name: Check if Cron is installed
shell: "dpkg --list 'cron' 2>/dev/null | grep -q -E '^(i|h)i'"
ansible.builtin.shell:
cmd: "dpkg --list 'cron' 2>/dev/null | grep -q -E '^(i|h)i'"
register: is_cron
changed_when: false
failed_when: false
changed_when: False
failed_when: False
check_mode: no
tags:
- apt
- name: Check for held packages (script)
cron:
ansible.builtin.cron:
cron_file: apt-hold-packages
name: check_held_packages
job: "/usr/share/scripts/check_held_packages.sh"
@ -94,6 +98,6 @@
day: "{{ apt_check_hold_cron_day }}"
month: "{{ apt_check_hold_cron_month }}"
state: "present"
when: is_cron.rc == 0
tags:
- apt
when: is_cron.rc == 0
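Review bot: Both `apt-mark` commands interpolate `{{ item }}` unquoted into a bash command line and test it with `grep --quiet {{ item }}`, a regexp substring match: a held `libfoo-dev` satisfies the check for `foo`, so `foo` itself is never put on hold, and a package name containing shell or regexp metacharacters is mis-parsed. `grep --quiet --line-regexp --fixed-strings {{ item | quote }}` makes the `showhold` check exact, and `{{ item | quote }}` for the `dpkg -l` and `apt-mark` arguments keeps the word boundaries intact; the `unhold packages (apt)` task needs the same treatment. The command strings pre-date this change — the commit only moves them under `cmd:` — so this can be a follow-up.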


@ -1,52 +1,116 @@
---
- name: "Compatibility check"
fail:
msg: only compatible with Debian >= 8
when:
- ansible_distribution != "Debian" or ansible_distribution_major_version is version('8', '<')
ansible.builtin.assert:
that:
- ansible_distribution == "Debian"
- ansible_distribution_major_version is version('8', '>=')
msg: Only compatible with Debian >= 8
tags:
- apt
- name: "apt-transport-https is installed for https repositories (before Buster)"
ansible.builtin.apt:
name:
- apt-transport-https
tags:
- apt
when: ansible_distribution_major_version is version('10', '<')
- name: "certificates are installed for https repositories"
ansible.builtin.apt:
name:
- ca-certificates
tags:
- apt
- name: Custom configuration
include: config.yml
ansible.builtin.import_tasks: config.yml
when: apt_config | bool
tags:
- apt
- name: Install basics repositories
include: basics.yml
when: apt_install_basics | bool
- name: Install basics repositories (Debian <12)
ansible.builtin.import_tasks: basics.oneline.yml
tags:
- apt
when:
- apt_install_basics | bool
- ansible_distribution_major_version is version('12', '<')
- name: Install APT Backports repository
include: backports.yml
when: apt_install_backports | bool
- name: Install basics repositories (Debian >=12)
ansible.builtin.import_tasks: basics.deb822.yml
tags:
- apt
when:
- apt_install_basics | bool
- ansible_distribution_major_version is version('12', '>=')
- name: Install Evolix Public APT repository
include: evolix_public.yml
when: apt_install_evolix_public | bool
- name: Install backports repositories (Debian <12)
ansible.builtin.import_tasks: backports.oneline.yml
tags:
- apt
when:
- apt_install_backports | bool
- ansible_distribution_major_version is version('12', '<')
# With Debian 12+ and the deb822 format of source files
# backports are always installed but enabled according to `apt_install_backports`
- name: Install backports repositories (Debian >=12)
ansible.builtin.import_tasks: backports.deb822.yml
tags:
- apt
when:
- ansible_distribution_major_version is version('12', '>=')
- name: Install Evolix Public repositories (Debian <12)
ansible.builtin.import_tasks: evolix_public.oneline.yml
tags:
- apt
when:
- apt_install_evolix_public | bool
- ansible_distribution_major_version is version('12', '<')
- name: Install Evolix Public repositories (Debian >=12)
ansible.builtin.import_tasks: evolix_public.deb822.yml
tags:
- apt
when:
- apt_install_evolix_public | bool
- ansible_distribution_major_version is version('12', '>=')
- name: Clean GANDI sources
ansible.builtin.file:
path: '{{ item }}'
state: absent
loop:
- /etc/apt/sources.list.d/debian-security.list
- /etc/apt/sources.list.d/debian-jessie.list
- /etc/apt/sources.list.d/debian-stretch.list
- /etc/apt/sources.list.d/debian-buster.list
- /etc/apt/sources.list.d/debian-bullseye.list
- /etc/apt/sources.list.d/debian-update.list
tags:
- apt
when: apt_clean_gandi_sourceslist | bool
- name: Install check for packages marked hold
include: hold_packages.yml
ansible.builtin.import_tasks: hold_packages.yml
when: apt_install_hold_packages | bool
tags:
- apt
- name: Updating APT cache
apt:
ansible.builtin.apt:
update_cache: yes
changed_when: False
tags:
- apt
- name: Upgrading system
apt:
ansible.builtin.apt:
upgrade: dist
when: apt_upgrade | bool
tags:
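Review bot: Neither `migrate-to-deb822.yml` nor `move-apt-keyrings.yml`, both added in this commit, is imported here, so unless they are meant to be invoked with `tasks_from`, a Debian 12 host that still has one-line `.list` files under `sources.list.d` keeps using them untouched while `basics.deb822.yml` renames only `/etc/apt/sources.list`. If `tasks_from` is the intended entry point, a comment at the top of each of those files (or a line in the role README) stating that they are one-shot migrations run on demand would prevent someone from wiring them into every run. The hunk ends inside the `Upgrading system` task, whose `tags:` list continues outside this view.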


@ -0,0 +1,32 @@
---
- ansible.builtin.include_role:
name: evolix/remount-usr
- name: /usr/share/scripts exists
ansible.builtin.file:
dest: /usr/share/scripts
mode: "0700"
owner: root
group: root
state: directory
tags:
- apt
- name: Migration scripts are installed
ansible.builtin.copy:
src: "{{ item }}"
dest: "/usr/share/scripts/{{ item }}"
force: true
mode: "0755"
loop:
- deb822-migration.py
- deb822-migration.sh
tags:
- apt
- name: Exec migration script
ansible.builtin.command:
cmd: /usr/share/scripts/deb822-migration.sh
ignore_errors: yes
tags:
- apt
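Review bot: `ignore_errors: yes` on `Exec migration script` hides the non-zero exit the script returns when a sources file could not be converted, and without `changed_when` the task reports changed on every run even when nothing was migrated. Registering the result and keying on the script's own summary line covers both: `register: _deb822_migration` and `changed_when: "'0 file(s) migrated' not in _deb822_migration.stdout"`, with `ignore_errors` removed. A failed conversion then surfaces as a task failure instead of leaving the host with a half-migrated sources set and a green play.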


@ -0,0 +1,53 @@
---
- name: New APT keyrings directory is present
ansible.builtin.file:
path: /etc/apt/keyrings
state: directory
mode: "0755"
owner: root
group: root
- ansible.builtin.include_role:
name: evolix/remount-usr
- name: /usr/share/scripts exists
ansible.builtin.file:
dest: /usr/share/scripts
mode: "0700"
owner: root
group: root
state: directory
tags:
- apt
- name: migration script is present
ansible.builtin.copy:
src: move-apt-keyrings.sh
dest: /usr/share/scripts/move-apt-keyrings.sh
mode: "0755"
owner: root
group: root
- name: Move repository signing key
ansible.builtin.command:
cmd: "/usr/share/scripts/move-apt-keyrings.sh \"{{ item.repository_pattern }}\" \"{{ item.key }}\""
loop:
- { repository_pattern: "http://pub.evolix.net/", key: "reg.asc" }
- { repository_pattern: "http://pub.evolix.org/evolix", key: "pub_evolix.asc" }
- { repository_pattern: "https://pub.evolix.org/evolix", key: "pub_evolix.asc" }
- { repository_pattern: "https://artifacts.elastic.co/packages/[^/]+/apt", key: "elastics.asc" }
- { repository_pattern: "https://download.docker.com/linux/debian", key: "docker-debian.asc" }
- { repository_pattern: "https://downloads.linux.hpe.com/SDR/repo/mcp", key: "hpePublicKey2048_key1.asc" }
- { repository_pattern: "http://pkg.jenkins-ci.org/debian-stable", key: "jenkins.asc" }
- { repository_pattern: "https://packages.sury.org/php/", key: "sury.gpg" }
- { repository_pattern: "http://repo.mongodb.org/apt/debian", key: "mongodb-server-[0-9\\.]+.asc" }
- { repository_pattern: "http://apt.newrelic.com/debian/", key: "newrelic.asc" }
- { repository_pattern: "https://deb.nodesource.com/", key: "nodesource.asc" }
- { repository_pattern: "https://dl.yarnpkg.com/debian/", key: "yarn.asc" }
- { repository_pattern: "http://apt.postgresql.org/pub/repos/apt/", key: "postgresql.asc" }
register: _cmd
- name: Debug command
ansible.builtin.debug:
var: _cmd
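Review bot: The MongoDB entry passes `mongodb-server-[0-9\\.]+.asc` as `key`, but move-apt-keyrings.sh uses `${key}` as a literal file name in its `-f` tests and `mv`, so the pattern never matches a real file and the `signed-by=` written into the source list would point at a keyring that does not exist; either list the concrete file name(s) here or let the script expand a glob for the key. The loop registers `_cmd` only to print it with `debug` and has no `changed_when`, so every run reports a change and dumps the full command output; the `Debug command` task reads as a development leftover. None of these tasks carry the `apt` tag the rest of the role uses.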


@ -0,0 +1,7 @@
# {{ ansible_managed }}
Types: deb
URIs: http://mirror.evolix.org/debian
Suites: bullseye-backports
Components: {{ apt_backports_components | mandatory }}
Enabled: {{ apt_install_backports | bool | ternary('yes', 'no') }}
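Review bot: `Suites: bullseye-backports` looks like a copy-paste leftover if this is the bookworm template, which its position next to the other `bookworm_*.sources.j2` files and the `Pin: release a=bookworm-backports` preference added alongside both suggest: the pin would then never match the suite actually configured, and a Debian 12 host would pull backports from the bullseye pocket. The line should read `Suites: bookworm-backports`. The file name is not visible in this view, so please confirm which release the template belongs to.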


@ -0,0 +1,7 @@
# {{ ansible_managed }}
Types: deb
URIs: http://mirror.evolix.org/debian
Suites: bookworm bookworm-updates
Components: {{ apt_basics_components | mandatory }}
Enabled: yes


@ -0,0 +1,7 @@
# {{ ansible_managed }}
Types: deb
URIs: https://security.debian.org/debian-security
Suites: bookworm-security
Components: {{ apt_basics_components | mandatory }}
Enabled: yes


@ -2,4 +2,4 @@
deb http://mirror.evolix.org/debian bullseye {{ apt_basics_components | mandatory }}
deb http://mirror.evolix.org/debian/ bullseye-updates {{ apt_basics_components | mandatory }}
deb https://deb.debian.org/debian-security bullseye-security {{ apt_basics_components | mandatory }}
deb http://security.debian.org/debian-security bullseye-security {{ apt_basics_components | mandatory }}
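Review bot: The security line moves from `https://deb.debian.org/debian-security` to `http://security.debian.org/debian-security`, a transport downgrade for the pocket that carries the security fixes. Signature verification still protects package integrity, but plain HTTP lets anyone on the path see which updates a host fetches and therefore which fixes it was missing; if the switch is motivated by proxy caching or mirror availability, a short comment in the template or the commit message would record that, otherwise `https://security.debian.org/debian-security`, the scheme the new bookworm_security.sources.j2 uses, keeps the two releases consistent.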


@ -1,3 +1,3 @@
# {{ ansible_managed }}
deb http://pub.evolix.net/ {{ ansible_distribution_release }}/
deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix {{ ansible_distribution_release }} main
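Review bot: The `signed-by=` option only scopes a key when the keyring lives outside apt's globally trusted locations, and on Debian < 12 — the only branch that renders this template — `apt_keyring_dir` resolves to `/etc/apt/trusted.gpg.d`, where `pub_evolix.asc` is trusted for every repository regardless of the option. If the intent is to pin the Evolix key to this source, evolix_public.oneline.yml would need to copy it under `/etc/apt/keyrings` (apt accepts any absolute path in `signed-by`) and this line reference that path; otherwise the option is harmless but documents a restriction that is not in force, which a comment in the template should say.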


@ -0,0 +1,8 @@
# {{ ansible_managed }}
Types:deb
URIs: http://pub.evolix.org/evolix
Suites: {{ ansible_distribution_release }}
Components: main
Signed-by: {{ apt_keyring_dir }}/pub_evolix.asc
Enabled: yes
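Review bot: `Types:deb` lacks the space after the colon that every other field in this template and in the sibling `.sources.j2` templates has; apt's control-file parser most likely tolerates it, but `Types: deb` keeps the generated files uniform and avoids tripping a stricter reader or a diff-based check.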


@ -1,3 +1,3 @@
# {{ ansible_managed }}
deb http://mirror.evolix.org/debian stretch-backports {{ apt_backports_components | mandatory }}
deb http://archive.debian.org/debian stretch-backports {{ apt_backports_components | mandatory }}
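Review bot: Release files on archive.debian.org are generally past their `Valid-Until` date, so pointing stretch-backports there makes `apt update` fail with a validity error unless expiry checking is relaxed, and the only such relaxation in this role (`Acquire::Check-Valid-Until no;` in backports.oneline.yml) is limited to jessie. The per-source form keeps the exception scoped to this one line: `deb [check-valid-until=no] http://archive.debian.org/debian stretch-backports {{ apt_backports_components | mandatory }}`.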


@ -8,4 +8,5 @@ bind_systemd_service_path: /etc/systemd/system/bind9.service
bind_statistics_file: /var/run/named.stats
bind_log_file: /var/log/bind.log
bind_query_file: /var/log/bind_queries.log
bind_query_file_enabled: False
bind_cache_dir: /var/cache/bind


@ -1,19 +1,21 @@
---
- name: reload systemd
command: systemctl daemon-reload
ansible.builtin.systemd:
daemon-reload: yes
- name: restart apparmor
service:
ansible.builtin.systemd:
name: apparmor
state: restarted
- name: restart bind
service:
ansible.builtin.systemd:
name: bind9
state: restarted
- name: restart munin-node
service:
ansible.builtin.systemd:
name: munin-node
state: restarted
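Review bot: `daemon-reload: yes` under `ansible.builtin.systemd` in the `reload systemd` handler is not a parameter of that module; the option is spelled `daemon_reload` (the certbot handlers in this same PR use the correct form), so this handler fails with an unsupported-parameter error the first time it is notified. Change it to `daemon_reload: true`. The same misspelling appears in the docker handlers file of this PR.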


@ -0,0 +1,11 @@
---
- name: Set bind configuration for authoritative server
ansible.builtin.template:
src: named.conf.options_authoritative.j2
dest: /etc/bind/named.conf.options
owner: bind
group: bind
mode: "0644"
force: true
notify: restart bind
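Review bot: The template writes `/etc/bind/named.conf.options` with `owner: bind`, `group: bind` and `mode: "0644"`, which makes the daemon's own configuration writable by the account named runs as; a compromised named could then rewrite its options (recursion, allow-transfer, logging paths) and have the change survive restarts. named only needs to read the file, so `owner: root`, `group: bind`, `mode: "0640"` keeps it readable by the service while leaving ownership with root. The recursive counterpart added in this PR has the same ownership and would want the same change.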


@ -1,75 +1,60 @@
# Until chroot-bind.sh is migrated to ansible, we hardcode the chroot paths.
- name: set chroot variables
set_fact:
bind_log_file: /var/log/bind.log
bind_query_file: /var/log/bind_queries.log
bind_cache_dir: /var/cache/bind
bind_statistics_file: /var/run/named.stats
bind_chroot_path: /var/chroot-bind
ansible.builtin.set_fact:
bind_log_file: /var/log/bind.log
bind_query_file: /var/log/bind_queries.log
bind_cache_dir: /var/cache/bind
bind_statistics_file: /var/run/named.stats
bind_chroot_path: /var/chroot-bind
when: bind_chroot_set | bool
- name: Check AppArmor
ansible.builtin.shell:
cmd: systemctl is-active apparmor || systemctl is-enabled apparmor
failed_when: False
changed_when: False
check_mode: no
register: check_apparmor
- name: configure apparmor
template:
ansible.builtin.template:
src: apparmor.usr.sbin.named.j2
dest: /etc/apparmor.d/usr.sbin.named
owner: root
group: root
mode: '0644'
force: yes
mode: "0644"
force: true
notify: restart apparmor
when: check_apparmor.rc == 0
- name: package are installed
apt:
ansible.builtin.apt:
name:
- bind9
- dnstop
state: present
- name: Set bind configuration for recursive server
template:
src: named.conf.options_recursive.j2
dest: /etc/bind/named.conf.options
owner: bind
group: bind
mode: "0644"
force: yes
notify: restart bind
when: bind_recursive_server | bool
- name: enable zones.rfc1918 for recursive server
lineinfile:
dest: /etc/bind/named.conf.local
line: 'include "/etc/bind/zones.rfc1918";'
regexp: "zones.rfc1918"
notify: restart bind
when: bind_recursive_server | bool
- name: Set bind configuration for authoritative server
template:
src: named.conf.options_authoritative.j2
dest: /etc/bind/named.conf.options
owner: bind
group: bind
mode: "0644"
force: yes
notify: restart bind
- ansible.builtin.include: authoritative.yml
when: bind_authoritative_server | bool
- name: Create systemd service
template:
src: bind9.service.j2
- ansible.builtin.include: recursive.yml
when: bind_recursive_server | bool
- name: Create systemd service for Debian 8 (Jessie)
ansible.builtin.template:
src: bind9.service.jessie.j2
dest: "{{ bind_systemd_service_path }}"
owner: root
group: root
mode: "0644"
force: yes
force: true
notify:
- reload systemd
- restart bind
- reload systemd
- restart bind
when: ansible_distribution_release == "jessie"
- name: "touch {{ bind_log_file }} if non chroot"
file:
ansible.builtin.file:
path: "{{ bind_log_file }}"
owner: bind
group: adm
@ -78,7 +63,7 @@
when: not (bind_chroot_set | bool)
- name: "touch {{ bind_query_file }} if non chroot"
file:
ansible.builtin.file:
path: "{{ bind_query_file }}"
owner: bind
group: adm
@ -87,29 +72,30 @@
when: not (bind_chroot_set | bool)
- name: send chroot-bind.sh in /root
copy:
ansible.builtin.copy:
src: chroot-bind.sh
dest: /root/chroot-bind.sh
mode: "0700"
owner: root
force: yes
force: true
backup: yes
when: bind_chroot_set | bool
- name: exec chroot-bind.sh
command: "/root/chroot-bind.sh"
ansible.builtin.command:
cmd: "/root/chroot-bind.sh"
register: chrootbind_run
changed_when: False
when: bind_chroot_set | bool
- debug:
- ansible.builtin.debug:
var: chrootbind_run.stdout_lines
when:
- bind_chroot_set | bool
- chrootbind_run.stdout | length > 0
- name: Modify OPTIONS in /etc/default/bind9 for chroot
replace:
ansible.builtin.replace:
dest: /etc/default/bind9
regexp: '^OPTIONS=.*'
replace: 'OPTIONS="-u bind -t {{ bind_chroot_path }}"'
@ -117,13 +103,13 @@
when: bind_chroot_set | bool
- name: logrotate for bind
template:
ansible.builtin.template:
src: logrotate_bind.j2
dest: /etc/logrotate.d/bind9
owner: root
group: root
mode: "0644"
force: yes
force: true
notify: restart bind
- include: munin.yml
- ansible.builtin.include: munin.yml
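Review bot: The chroot task `Modify OPTIONS in /etc/default/bind9` still targets `dest: /etc/default/bind9` while the role now supports Debian 12, and on recent Debian releases the bind9 package reads its options from `/etc/default/named`; `ansible.builtin.replace` fails when the path does not exist, so `bind_chroot_set: true` on a bookworm host would most likely abort here. Consider `dest: "{{ (ansible_distribution_major_version is version('10', '>=')) | ternary('/etc/default/named', '/etc/default/bind9') }}"` or a `stat` guard, after confirming the path on each supported release (this comes from memory of the package, not from the hunk). Separately, `backup: yes` on the chroot-bind.sh copy is the one boolean in this file not converted to `true`.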


@ -1,7 +1,7 @@
---
- name: is Munin present ?
stat:
ansible.builtin.stat:
path: /etc/munin/plugin-conf.d/munin-node
check_mode: no
register: munin_node_plugins_config
@ -10,7 +10,7 @@
- munin
- name: Enable munin plugins for authoritative server
file:
ansible.builtin.file:
src: "/usr/share/munin/plugins/{{ item }}"
dest: "/etc/munin/plugins/{{ item }}"
state: link
@ -18,39 +18,39 @@
- bind9
- bind9_rndc
notify: restart munin-node
when:
- bind_authoritative_server
- munin_node_plugins_config.stat.exists
tags:
- bind
- munin
when:
- bind_authoritative_server | bool
- munin_node_plugins_config.stat.exists
- name: Enable munin plugins for recursive server
file:
ansible.builtin.file:
src: "/usr/share/munin/plugins/{{ item }}"
dest: "/etc/munin/plugins/{{ item }}"
state: link
loop:
- bind9
- bind9_rndc
notify: restart munin-node
when:
- bind_recursive_server
- munin_node_plugins_config.stat.exists
tags:
- bind
- munin
when:
- bind_recursive_server | bool
- bind_query_file_enabled | bool
- munin_node_plugins_config.stat.exists
- name: Add munin plugin configuration
template:
ansible.builtin.template:
src: munin-env_bind9.j2
dest: /etc/munin/plugin-conf.d/bind9
owner: root
group: root
mode: "0644"
force: yes
force: true
notify: restart munin-node
when: munin_node_plugins_config.stat.exists
tags:
- bind
- munin
when: munin_node_plugins_config.stat.exists
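Review bot: The authoritative task still links the `bind9` plugin regardless of `bind_query_file_enabled`, while the recursive task now requires it; the munin-env template in this PR only emits `env.logfile` when query logging is enabled, so an authoritative server with logging off gets the `bind9` plugin installed with no log file to read. Either add `- bind_query_file_enabled | bool` to the authoritative `when:` as well, or split the loop so that only `bind9_rndc` is linked when the query log is disabled (that plugin appears to work from `env.querystats`, if I read the env template correctly).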

19
bind/tasks/recursive.yml Normal file

@ -0,0 +1,19 @@
---
- name: Set bind configuration for recursive server
ansible.builtin.template:
src: named.conf.options_recursive.j2
dest: /etc/bind/named.conf.options
owner: bind
group: bind
mode: "0644"
force: true
notify: restart bind
- name: enable zones.rfc1918 for recursive server
ansible.builtin.lineinfile:
dest: /etc/bind/named.conf.local
line: 'include "/etc/bind/zones.rfc1918";'
regexp: "zones.rfc1918"
notify: restart bind
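Review bot: This file writes `/etc/bind/named.conf.options` from `named.conf.options_recursive.j2`, and main.yml in this PR includes authoritative.yml first and recursive.yml second, each guarded only by its own flag; a host with both `bind_authoritative_server` and `bind_recursive_server` set to true therefore gets the authoritative options silently overwritten by the recursive ones, plus a redundant double restart. An `ansible.builtin.assert` in main.yml with `that: not (bind_authoritative_server | bool and bind_recursive_server | bool)` would make the two modes explicitly exclusive, or a comment should state which one wins.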


@ -56,7 +56,9 @@
# some people like to put logs in /var/log/named/ instead of having
# syslog do the heavy lifting.
{{ bind_log_file }} rw,
{% if bind_query_file_enabled | bool %}
{{ bind_query_file }} rw,
{% endif %}
# gssapi
/var/lib/sss/pubconf/krb5.include.d/** r,


@ -1,7 +1,7 @@
{% if bind_chroot_set %}
{{ bind_chroot_path }}{{bind_log_file}} {
{% if bind_chroot_set | bool %}
{{ bind_chroot_path }}{{ bind_log_file }} {
{% else %}
{{bind_log_file}} {
{{ bind_log_file }} {
{% endif %}
weekly
missingok


@ -1,9 +1,17 @@
[bind*]
user root
env.logfile {% if bind_chroot_set %}{{ bind_chroot_path }}{% endif %}{{ bind_query_file }}
{% if bind_query_file_enabled | bool %}
{% if bind_chroot_set | bool %}
env.logfile {{ bind_chroot_path }}{{ bind_query_file }}
{% else %}
env.logfile {{ bind_query_file }}
{% endif %}
{% endif %}
{% if bind_authoritative_server %}
env.querystats {% if bind_chroot_set %}{{ bind_chroot_path }}{% endif %}{{ bind_statistics_file }}
{% endif %}
env.MUNIN_PLUGSTATE /var/lib/munin
timeout 120
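Review bot: `{% if bind_authoritative_server %}` on the querystats line is the one condition in this template left without `| bool`, while the query-log conditions just above it were changed to use it; a value passed as the string `"False"` from inventory or `-e` is truthy here and would still emit `env.querystats`. `{% if bind_authoritative_server | bool %}` keeps the template consistent with the rest of the change and with the task files.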


@ -1,7 +1,7 @@
acl "foo" {
::ffff:192.0.2.21; 192.0.2.21;
2001:db8::21;
};
// acl "foo" {
// ::ffff:192.0.2.21; 192.0.2.21;
// 2001:db8::21;
// };
options {
directory "{{ bind_cache_dir }}";
@ -20,16 +20,20 @@ options {
logging {
category default { default_file; };
{% if bind_query_file_enabled | bool %}
category queries { query_logging; };
{% endif %}
channel default_file {
file "{{ bind_log_file }}";
severity info;
};
{% if bind_query_file_enabled | bool %}
channel query_logging {
file "{{ bind_query_file }}" versions 2 size 128M;
print-category yes;
print-severity yes;
print-time yes;
};
{% endif %}
};


@ -9,16 +9,20 @@ options {
logging {
category default { default_file; };
{% if bind_query_file_enabled | bool %}
category queries { query_logging; };
{% endif %}
channel default_file {
file "{{ bind_log_file }}";
severity info;
};
{% if bind_query_file_enabled | bool %}
channel query_logging {
file "{{ bind_query_file }}" versions 2 size 128M;
print-category yes;
print-severity yes;
print-time yes;
};
{% endif %}
};


@ -0,0 +1,11 @@
---
- ansible.builtin.debug:
var: ansible_lsb
# Force facts until Debian 12 is released because Ansible is dumb
- ansible.builtin.set_fact:
ansible_distribution_major_version: 12
ansible_distribution: "Debian"
ansible_distribution_release: "bookworm"
when: "'bookworm' in ansible_lsb.codename or 'bookworm' in ansible_lsb.description"
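Review bot: The `when:` on the set_fact dereferences `ansible_lsb.codename` and `ansible_lsb.description`; on a host without `lsb-release` installed `ansible_lsb` is an empty dict, and the condition then raises an undefined-attribute error instead of evaluating to false. `when: "'bookworm' in ansible_lsb.codename | default('') or 'bookworm' in ansible_lsb.description | default('')"` degrades gracefully. The `ansible.builtin.debug` task above it prints the whole `ansible_lsb` dict on every run and looks like a leftover; adding `verbosity: 1` keeps normal runs quiet.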


@ -1,7 +1,7 @@
---
# Force facts until Debian 11 is released because Ansible is dumb
- set_fact:
- ansible.builtin.set_fact:
ansible_distribution_major_version: 11
ansible_distribution: "Debian"
ansible_distribution_release: "bullseye"


@ -0,0 +1,94 @@
#!/bin/sh
error() {
>&2 echo "${PROGNAME}: $1"
exit 1
}
debug() {
if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
>&2 echo "${PROGNAME}: $1"
fi
}
daemon_found_and_running() {
readonly hapee_main_pid=$(ps -u root u | grep hapee-lb | grep -v grep | awk '{print $2}')
if [ -n "${hapee_main_pid}" ] && [ -d "/proc/${hapee_main_pid}" ] ; then
readonly hapee_bin=$(readlink "/proc/${hapee_main_pid}/exe")
readonly hapee_config_file=$(cat "/proc/${hapee_main_pid}/cmdline" | tr "\0" " " | grep --only-matching --extended-regexp -- "-f \S+" | awk '{print $2}')
readonly hapee_pid_file=$(cat "/proc/${hapee_main_pid}/cmdline" | tr "\0" " " | grep --only-matching --extended-regexp -- "-p \S+" | awk '{print $2}')
readonly hapee_service_name="$(basename -s .pid "${hapee_pid_file}").service"
kill -0 "${hapee_main_pid}" && test -n "${hapee_bin}" && test -f "${hapee_config_file}" && systemctl -q is-active "${hapee_service_name}"
else
return 1
fi
}
found_renewed_lineage() {
test -f "${RENEWED_LINEAGE}/fullchain.pem" && test -f "${RENEWED_LINEAGE}/privkey.pem"
}
config_check() {
${hapee_bin} -c -f "${hapee_config_file}" > /dev/null 2>&1
}
concat_files() {
# shellcheck disable=SC2174
mkdir --mode=700 --parents "${hapee_cert_dir}"
chown root: "${hapee_cert_dir}"
debug "Concatenating certificate files to ${hapee_cert_file}"
cat "${RENEWED_LINEAGE}/fullchain.pem" "${RENEWED_LINEAGE}/privkey.pem" > "${hapee_cert_file}"
chmod 600 "${hapee_cert_file}"
chown root: "${hapee_cert_file}"
}
cert_and_key_mismatch() {
hapee_cert_md5=$(openssl x509 -noout -modulus -in "${hapee_cert_file}" | openssl md5)
hapee_key_md5=$(openssl rsa -noout -modulus -in "${hapee_cert_file}" | openssl md5)
test "${hapee_cert_md5}" != "${hapee_key_md5}"
}
detect_hapee_cert_dir() {
# get last field or line wich defines the crt directory
config_cert_dir=$(grep -r -o -E -h '^\s*bind .* crt /etc/\S+' "${hapee_config_file}" | head -1 | awk '{ print $(NF)}')
if [ -n "${config_cert_dir}" ]; then
debug "Cert directory is configured with ${config_cert_dir}"
echo "${config_cert_dir}"
else
error "Cert directory not found."
fi
}
main() {
if [ -z "${RENEWED_LINEAGE}" ]; then
error "This script must be called only by certbot!"
fi
if daemon_found_and_running; then
readonly hapee_cert_dir=$(detect_hapee_cert_dir)
if found_renewed_lineage; then
hapee_cert_file="${hapee_cert_dir}/$(basename "${RENEWED_LINEAGE}").pem"
failed_cert_file="/root/$(basename "${RENEWED_LINEAGE}").failed.pem"
concat_files
if cert_and_key_mismatch; then
mv "${hapee_cert_file}" "${failed_cert_file}"
error "Key and cert don't match, we moved the file to ${failed_cert_file} for inspection"
fi
if config_check; then
debug "HAPEE detected... reloading"
systemctl reload "${hapee_service_name}"
else
error "HAPEE config is broken, you must fix it !"
fi
else
error "Couldn't find ${RENEWED_LINEAGE}/fullchain.pem or ${RENEWED_LINEAGE}/privkey.pem"
fi
else
debug "HAPEE is not running or missing. Skip."
fi
}
readonly PROGNAME=$(basename "$0")
readonly VERBOSE=${VERBOSE:-"0"}
readonly QUIET=${QUIET:-"0"}
main
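Review bot: `cert_and_key_mismatch` derives the key side with `openssl rsa -noout -modulus`, which only parses RSA keys; for an ECDSA lineage (the default key type in recent certbot releases, if I recall correctly) the two commands produce different output, the function reports a mismatch, and the freshly written bundle is moved to `/root/*.failed.pem` on every renewal. Comparing the public keys instead works for both key types, as in the rewrite below. Separately, `concat_files` writes the private key with the caller's umask before the `chmod 600`; a `umask 077` at the top of that function closes the brief window where the bundle may be group- or world-readable.

```shell
cert_and_key_mismatch() {
    # Compare the certificate's public key with the one derived from the
    # private key; works for RSA and EC keys, unlike `openssl rsa -modulus`.
    hapee_cert_pub=$(openssl x509 -noout -pubkey -in "${hapee_cert_file}" | openssl sha256)
    hapee_key_pub=$(openssl pkey -pubout -in "${hapee_cert_file}" 2>/dev/null | openssl sha256)
    test "${hapee_cert_pub}" != "${hapee_key_pub}"
}
# … unchanged: detect_hapee_cert_dir, main …
```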


@ -28,10 +28,6 @@ main() {
if [ -z "${RENEWED_LINEAGE}" ]; then
error "Missing RENEWED_LINEAGE environment variable (usually provided by certbot)."
fi
if [ -z "${servers}" ]; then
debug "Empty server list, skip."
exit 0
fi
if found_renewed_lineage; then
RENEWED_DOMAINS=${RENEWED_DOMAINS:-$(domain_from_cert)}


@ -1,23 +1,24 @@
---
- name: reload nginx
service:
ansible.builtin.systemd:
name: nginx
state: reloaded
- name: reload apache
service:
ansible.builtin.systemd:
name: apache2
state: reloaded
- name: reload haproxy
service:
ansible.builtin.systemd:
name: haproxy
state: reloaded
- name: systemd daemon-reload
systemd:
ansible.builtin.systemd:
daemon_reload: yes
- name: install letsencrypt-auto
command: /usr/local/bin/letsencrypt-auto --noninteractive --install-only --no-self-upgrade
ansible.builtin.command:
cmd: /usr/local/bin/letsencrypt-auto --noninteractive --install-only --no-self-upgrade


@ -1,51 +1,52 @@
---
- name: Certbot work directory is present
file:
ansible.builtin.file:
dest: "{{ certbot_work_dir }}"
state: directory
mode: "0755"
- name: Check if Nginx is installed
stat:
ansible.builtin.stat:
path: /etc/nginx
register: is_nginx
- name: ACME challenge for Nginx is installed
template:
ansible.builtin.template:
src: acme-challenge/nginx.conf.j2
dest: /etc/nginx/snippets/letsencrypt.conf
force: yes
force: true
notify: reload nginx
when: is_nginx.stat.exists
- name: Check if Apache is installed
stat:
ansible.builtin.stat:
path: /usr/sbin/apachectl
register: is_apache
- name: ACME challenge for Apache
block:
- name: ACME challenge for Apache is installed
template:
ansible.builtin.template:
src: acme-challenge/apache.conf.j2
dest: /etc/apache2/conf-available/letsencrypt.conf
force: yes
force: true
notify: reload apache
- name: ACME challenge for Apache is enabled
command: "a2enconf letsencrypt"
ansible.builtin.command:
cmd: "a2enconf letsencrypt"
register: command_result
changed_when: "'Enabling' in command_result.stderr"
notify: reload apache
when: is_apache.stat.exists
- name: Check if HAProxy is installed
stat:
ansible.builtin.stat:
path: /etc/haproxy
register: is_haproxy
- name: ACME challenge for HAProxy is installed
debug:
ansible.builtin.debug:
msg: "ACME challenge configuration for HAProxy must be configured manually"
when: is_haproxy.stat.exists


@ -1,41 +1,42 @@
---
- name: certbot package is removed
apt:
ansible.builtin.apt:
name: certbot
state: absent
- include_role:
- ansible.builtin.include_role:
name: evolix/remount-usr
# copied and customized from https://raw.githubusercontent.com/certbot/certbot/v1.14.0/letsencrypt-auto
- name: Let's Encrypt script is present
copy:
ansible.builtin.copy:
src: letsencrypt-auto
dest: /usr/local/bin/letsencrypt-auto
mode: '0755'
owner: root
group: root
force: yes
force: true
notify: install letsencrypt-auto
- name: Check certbot script
stat:
ansible.builtin.stat:
path: /usr/local/bin/certbot
register: certbot_path
- name: Rename certbot script if present
command: "mv /usr/local/bin/certbot /usr/local/bin/certbot.bak"
ansible.builtin.command:
cmd: "mv /usr/local/bin/certbot /usr/local/bin/certbot.bak"
when: certbot_path.stat.exists
- name: Let's Encrypt script is symlinked as certbot
file:
ansible.builtin.file:
src: "/usr/local/bin/letsencrypt-auto"
dest: "/usr/local/bin/certbot"
state: link
- name: systemd artefacts are absent
file:
ansible.builtin.file:
dest: "{{ item }}"
state: absent
loop:
@ -45,14 +46,14 @@
notify: systemd daemon-reload
- name: custom crontab is present
copy:
ansible.builtin.copy:
src: cron_jessie
dest: /etc/cron.d/certbot
force: yes
force: true
when: certbot_custom_crontab | bool
- name: disable self-upgrade
ini_file:
community.general.ini_file:
dest: "/etc/letsencrypt/cli.ini"
section: null
option: "no-self-upgrade"


@ -1,6 +1,6 @@
---
- name: certbot package is installed
apt:
ansible.builtin.apt:
name: certbot
state: latest


@ -1,28 +1,28 @@
---
- name: "System compatibility checks"
assert:
ansible.builtin.assert:
that:
- ansible_distribution == "Debian"
- ansible_distribution_major_version is version('8', '>=')
msg: only compatible with Debian 9+
- name: Install legacy script on Debian 8
include: install-legacy.yml
ansible.builtin.include: install-legacy.yml
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version is version('9', '<')
- name: Install package on Debian 9+
include: install-package.yml
ansible.builtin.include: install-package.yml
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version is version('9', '>=')
- include: acme-challenge.yml
- ansible.builtin.include: acme-challenge.yml
- name: Deploy hooks are present
copy:
ansible.builtin.copy:
src: hooks/deploy/
dest: /etc/letsencrypt/renewal-hooks/deploy/
mode: "0700"
@ -30,7 +30,7 @@
group: root
- name: Manual deploy hook is present
copy:
ansible.builtin.copy:
src: hooks/manual-deploy.sh
dest: /etc/letsencrypt/renewal-hooks/manual-deploy.sh
mode: "0700"
@ -38,7 +38,7 @@
group: root
- name: "sync_remote is configured with servers"
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/letsencrypt/renewal-hooks/deploy/sync_remote.cf
regexp: "^servers="
line: "servers=\"{{ certbot_hooks_sync_remote_servers | join(' ') }}\""
@ -46,14 +46,15 @@
# begining of backward compatibility tasks
- name: Move deploy/commit-etc.sh to deploy/z-commit-etc.sh if present
command: "mv /etc/letsencrypt/renewal-hooks/deploy/commit-etc.sh /etc/letsencrypt/renewal-hooks/deploy/z-commit-etc.sh"
ansible.builtin.command:
cmd: "mv /etc/letsencrypt/renewal-hooks/deploy/commit-etc.sh /etc/letsencrypt/renewal-hooks/deploy/z-commit-etc.sh"
args:
removes: /etc/letsencrypt/renewal-hooks/deploy/commit-etc.sh
creates: /etc/letsencrypt/renewal-hooks/deploy/z-commit-etc.sh
# end of backward compatibility tasks
- name: "certbot lock is ignored by Git"
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/.gitignore
line: letsencrypt/.certbot.lock
create: yes
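Review bot: The compatibility assert checks `ansible_distribution_major_version is version('8', '>=')` but its message says `only compatible with Debian 9+`, and the very next task installs a legacy script specifically for Debian 8, so the message is wrong whichever way the check fails. `msg: only compatible with Debian 8+` matches both the condition and the install-legacy branch. While here, `create: yes` on the last task is the one boolean in this file not converted to `true`.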


@ -1,5 +1,5 @@
---
- name: restart clamav
service:
ansible.builtin.service:
name: clamav-daemon
state: restarted


@ -1,6 +1,6 @@
---
- name: configure clamav-daemon
debconf:
ansible.builtin.debconf:
name: clamav-daemon
question: "{{ item.key }}"
value: "{{ item.value }}"
@ -13,7 +13,7 @@
- { key: 'clamav-daemon/StreamMaxLength', type: 'string', value: '25' }
- { key: 'clamav-daemon/ReadTimeout', type: 'string', value: '180' }
- { key: 'clamav-daemon/StatsEnabled', type: 'boolean', value: 'false' }
- { key: 'clamav-daemon/MaxConnectionQueueLength', type: 'string', value: '15' }
- { key: 'clamav-daemon/MaxConnectionQueueLength', type: 'string', value: '200' }
- { key: 'clamav-daemon/LogRotate', type: 'boolean', value: 'true' }
- { key: 'clamav-daemon/AllowAllMatchScan', type: 'boolean', value: 'true' }
- { key: 'clamav-daemon/ScanOnAccess', type: 'boolean', value: 'false' }
@ -52,7 +52,7 @@
- clamav
- name: configure clamav-freshclam
debconf:
ansible.builtin.debconf:
name: clamav-freshclam
question: "{{ item.key }}"
value: "{{ item.value }}"
@ -73,7 +73,7 @@
- clamav
- name: install ClamAV
apt:
ansible.builtin.apt:
name:
- clamav-daemon
- clamav
@ -92,7 +92,7 @@
- clamav
- name: add clamav user to amavis group
user:
ansible.builtin.user:
name: clamav
groups: amavis
append: True
@ -100,7 +100,7 @@
- clamav
- name: allow supplementary groups
replace:
ansible.builtin.replace:
dest: /etc/clamav/clamd.conf
regexp: 'AllowSupplementaryGroups false'
replace: 'AllowSupplementaryGroups true'


@ -1,5 +1,5 @@
---
- name: restart dhcp
service:
ansible.builtin.service:
name: isc-dhcp-server
state: restarted


@ -1,4 +1,4 @@
- name: ensure packages are installed
apt:
ansible.builtin.apt:
name: isc-dhcp-server
state: present


@ -1,17 +1,35 @@
---
# If docher_home sets to /home/, the partition should be mounted with exec
# option.
docker_home: /srv/docker
docker_tmpdir: "{{docker_home}}/tmp"
# If docher_home sets to /home/, the partition should be mounted with exec option.
docker_home: /var/lib/docker
docker_tmpdir: "{{ docker_home }}/tmp"
docker_remote_access_enabled: True
# Chose to use iptables instead of docker-proxy userland process
docker_conf_use_iptables: False
# Disable the possibility for containers processes to gain new privileges
docker_conf_no_newprivileges: False
# Toggle live restore (need to be disabled in swarm mode)
docker_conf_live_restore: True
# Toggle user namespace
docker_conf_user_namespace: True
# Disable all default network connectivity
docker_conf_disable_default_networking: False
# Remote access
docker_remote_access_enabled: False
docker_daemon_port: 2376
docker_daemon_listening_ip: 0.0.0.0
docker_tls_enabled: True
docker_tls_path: "{{docker_home}}/tls"
# TLS
docker_tls_enabled: False
docker_tls_path: "{{ docker_home }}/tls"
docker_tls_ca: ca/ca.pem
docker_tls_ca_key: ca/ca-key.pem
docker_tls_cert: server/cert.pem
docker_tls_key: server/key.pem
docker_tls_csr: server/server.csr
apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
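Review bot: `docker_remote_access_enabled: False` and `docker_tls_enabled: False` are independent defaults, so an operator who only flips the first one gets the daemon listening on `tcp://0.0.0.0:2376` with no TLS and no client authentication, which is unauthenticated root on the host; 2376 is conventionally the TLS port, which makes that combination even more surprising. Either tie the defaults together, `docker_tls_enabled: "{{ docker_remote_access_enabled }}"`, or add an `ansible.builtin.assert` in tasks that refuses `docker_remote_access_enabled and not docker_tls_enabled`. `docker_conf_no_newprivileges: False` also leaves setuid escalation inside containers possible by default; if that is deliberate, a sentence in the README saying why would help. The comment on the first line still reads `docher_home`.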


@ -1,3 +0,0 @@
Package: python-docker
Pin: release a=jessie-backports
Pin-Priority: 999


@ -1,9 +1,10 @@
---
- name: reload systemd
command: systemctl daemon-reload
ansible.builtin.systemd:
daemon-reload: yes
- name: restart docker
service:
ansible.builtin.systemd:
name: docker
state: restarted
enabled: yes
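Review bot: `daemon-reload: yes` in the `reload systemd` handler is not a valid option of `ansible.builtin.systemd`; the parameter is `daemon_reload`, so notifying this handler fails with an unsupported-parameter error. Use `daemon_reload: true`. The `restart docker` handler also sets `enabled: yes`, which makes enabling the unit a silent side effect of a restart; if that is intended a short comment would help, otherwise it belongs with the install tasks.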


@ -1,23 +0,0 @@
---
- include_role:
name: evolix/apt
tasks_from: backports.yml
tags:
- packages
- name: Prefer python-docker package from jessie-backports
copy:
src: docker_preferences
dest: /etc/apt/preferences.d/999-docker
force: yes
mode: "0640"
register: docker_apt_preferences
tags:
- packages
- name: update apt
apt:
update_cache: yes
when: docker_apt_preferences is changed
tags:
- packages


@ -1,7 +1,7 @@
# This role installs the docker daemon
---
- name: Remove older docker packages
apt:
ansible.builtin.apt:
name:
- docker
- docker-engine
@ -9,81 +9,83 @@
state: absent
- name: Install source requirements
apt:
ansible.builtin.apt:
name:
- apt-transport-https
- ca-certificates
- gnupg2
state: present
update_cache: yes
- name: Add Docker repository
apt_repository:
repo: 'deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable'
- name: Install apt-transport-https (Debian <10)
ansible.builtin.apt:
name:
- apt-transport-https
state: present
update_cache: no
filename: docker.list
- include: jessie_backports.yml
when: ansible_distribution_release == 'jessie'
when: ansible_distribution_major_version is version('10', '<')
- name: Add Docker's official GPG key
copy:
ansible.builtin.copy:
src: docker-debian.asc
dest: /etc/apt/trusted.gpg.d/docker-debian.asc
force: yes
dest: "{{ apt_keyring_dir }}/docker-debian.asc"
force: true
mode: "0644"
owner: root
group: root
- name: Add Docker repository (Debian <12)
ansible.builtin.apt_repository:
repo: 'deb [signed-by={{ apt_keyring_dir }}/docker-debian.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable'
filename: docker
state: present
update_cache: yes
when: ansible_distribution_major_version is version('12', '<')
- name: Add Docker repository (Debian >=12)
ansible.builtin.template:
src: docker.sources.j2
dest: /etc/apt/sources.list.d/docker.sources
state: present
register: docker_sources
when: ansible_distribution_major_version is version('12', '>=')
- name: Update APT cache
ansible.builtin.apt:
update_cache: yes
when: docker_sources is changed
- name: Install Docker
apt:
ansible.builtin.apt:
name:
- docker-ce
- docker-ce-cli
- containerd.io
update_cache: yes
- name: python-docker is installed
apt:
ansible.builtin.apt:
name: python-docker
state: present
when: ansible_python_version is version('3', '<')
- name: python3-docker is installed
apt:
ansible.builtin.apt:
name: python3-docker
state: present
when: ansible_python_version is version('3', '>=')
- name: Copy Docker daemon configuration file
template:
ansible.builtin.template:
src: daemon.json.j2
dest: /etc/docker/daemon.json
notify: restart docker
- name: Create override directory for docker unit
file:
name: /etc/systemd/system/docker.service.d/
state: directory
mode: "0755"
- name: Remove options in ExecStart from docker unit
copy:
src: docker.conf
dest: /etc/systemd/system/docker.service.d/
mode: "0644"
notify: reload systemd
- name: Creating Docker tmp directory
file:
ansible.builtin.file:
path: "{{ docker_tmpdir }}"
state: directory
mode: "0644"
owner: root
- name: Creating Docker TLS directory
file:
ansible.builtin.file:
path: "{{ docker_tls_path }}"
state: directory
mode: "0644"
@ -91,7 +93,7 @@
when: docker_tls_enabled | bool
- name: Copy shellpki utility to Docker TLS directory
template:
ansible.builtin.template:
src: "{{ item }}.j2"
dest: "{{ docker_tls_path }}/{{ item }}"
mode: "0744"
@ -101,12 +103,13 @@
when: docker_tls_enabled | bool
- name: Check if certs are already created
stat:
ansible.builtin.stat:
path: "{{ docker_tls_path }}/certs"
register: tls_certs_stat
- name: Creating a CA, server key
command: "{{ docker_tls_path }}/shellpki.sh init"
ansible.builtin.command:
cmd: "{{ docker_tls_path }}/shellpki.sh init"
when:
- docker_tls_enabled | bool
- not tls_certs_stat.stat.isdir
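Review bot: The new `Add Docker repository (Debian >=12)` task passes `state: present` to `ansible.builtin.template`, which has no such parameter, so the play aborts on every bookworm host with an unsupported-parameter error; drop that line, the module always writes the file. Second, the systemd drop-in that cleared `ExecStart` is removed here, and daemon.json now sets `hosts` whenever `docker_remote_access_enabled` is true; if the packaged docker.service still passes `-H fd://` on the command line, dockerd refuses to start because `hosts` is given both as a flag and in the config file, so either keep the override or document that remote access requires it. Lastly, the tmp and TLS directories are created with `mode: "0644"`, a directory mode without the execute bit that not even the owner can traverse; `"0700"` is the usual choice for a directory that holds a CA key.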


@ -1,16 +1,32 @@
{
"debug": false
{% if docker_tls_enabled %}
,
"tls": true,
"tlscert": "{{ docker_tls_path }}/{{ docker_tls_cert }}",
"tlscacert": "{{ docker_tls_path }}/{{ docker_tls_ca }}",
"tlskey": "{{ docker_tls_path }}/{{ docker_tls_key }}"
{% endif %}
,
{% if docker_remote_access_enabled %}
"hosts": ["tcp://{{ docker_daemon_listening_ip }}:{{ docker_daemon_port }}", "fd://"]
{% else %}
"hosts": ["fd://"]
{% endif %}
{# Docker data-dir (default to /var/lib/docker) #}
,"data-root": "{{ docker_home }}"
{# Keep containers running while docker daemon downtime #}
,"live-restore": {{ docker_conf_live_restore | to_json }}
{% if docker_conf_user_namespace %}
{# Turn on user namespace remaping #}
,"userns-remap": "default"
{% endif %}
{% if docker_conf_use_iptables %}
{# Use iptables instead of docker-proxy #}
,"userland-proxy": false
,"iptables": true
{% endif %}
{# Disable the possibility for containers processes to gain new privileges #}
,"no-new-privileges": {{ docker_conf_no_newprivileges | to_json }}
{% if docker_conf_disable_default_networking %}
{# Disable all default network connectivity #}
,"bridge": "none"
,"icc": false
{% endif %}
{% if docker_tls_enabled %}
,"tls": true
,"tlscert": "{{ docker_tls_path }}/{{ docker_tls_cert }}"
,"tlscacert": "{{ docker_tls_path }}/{{ docker_tls_ca }}"
,"tlskey": "{{ docker_tls_path }}/{{ docker_tls_key }}"
{% endif %}
{% if docker_remote_access_enabled %}
,"hosts": ["tcp://{{ docker_daemon_listening_ip }}:{{ docker_daemon_port }}", "fd://"]
{% endif %}
}
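Review bot: The TLS block sets `"tls": true` and a `tlscacert` but never `"tlsverify": true`; for dockerd, `tls` on its own only encrypts the socket, and client certificates are neither required nor checked unless `tlsverify` is set, so with remote access enabled the CA this role deploys buys nothing and any client that can reach port 2376 gets the full API. Add `,"tlsverify": true` next to `"tls": true`. It would also be safer to emit `"hosts"` only when TLS is enabled as well, or at least not to default `docker_daemon_listening_ip` to `0.0.0.0`, since the listener is world-facing out of the box.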


@ -0,0 +1,8 @@
# {{ ansible_managed }}
Types: deb
URIs: https://download.docker.com/linux/debian
Suites: {{ ansible_distribution_release }}
Components: stable
Signed-by: {{ apt_keyring_dir }}/docker-debian.asc
Enabled: yes


@ -2,6 +2,8 @@
Installation and basic configuration of dovecot
Do not use this role to update Dovecot 2.2 to 2.3.
## Tasks
Minimal configuration is in `tasks/main.yml`
@ -9,3 +11,14 @@ Minimal configuration is in `tasks/main.yml`
## Available variables
The full list of variables (with default values) can be found in `defaults/main.yml`.
## Munin plugins
### dovecot_stats_
Note : This is an Evolix patched version.
This plugin can be installed only when installin a server, because it needs Dovevcot plugin stats (Dovecot 2.2) or old_stats (Dovecot 2.3), which previously were not activated by default.
To skip this plugin installation, use "--skip-tags dovecot_stats_".


@ -1,2 +0,0 @@
[dovecot]
group adm


@ -1,128 +0,0 @@
#! /bin/bash
#
# Munin Plugin
# to count logins to your dovecot mailserver
#
# Created by Dominik Schulz <lkml@ds.gauner.org>
# http://developer.gauner.org/munin/
# Contributions by:
# - Stephane Enten <tuf@delyth.net>
# - Steve Schnepp <steve.schnepp@pwkf.org>
# - pcy <pcy@ulyssis.org> (make 'Connected Users' DERIVE, check existence of logfile in autoconf)
#
# Parameters understood:
#
# config (required)
# autoconf (optional - used by munin-config)
#
# Config variables:
#
# logfile - Where to find the syslog file
#
# Add the following line to a file in /etc/munin/plugin-conf.d:
# env.logfile /var/log/your/logfile.log
#
# Magic markers (optional - used by munin-config and installation scripts):
#
#%# family=auto
#%# capabilities=autoconf
######################
# Configuration
######################
EXPR_BIN=/usr/bin/expr
LOGFILE=${logfile:-/var/log/mail.log}
######################
if [ "$1" = "autoconf" ]; then
[ -f "$LOGFILE" ] && echo yes || echo "no (logfile $LOGFILE not found)"
exit 0
fi
if [ "$1" = "config" ]; then
echo 'graph_title Dovecot Logins'
echo 'graph_category mail'
echo 'graph_args --base 1000 -l 0'
echo 'graph_vlabel Login Counters'
for t in Total TLS SSL IMAP POP3
do
field=$(echo $t | tr '[:upper:]' '[:lower:]')
echo "login_$field.label $t Logins"
echo "login_$field.type DERIVE"
echo "login_$field.min 0"
done
echo 'connected.label Connected Users'
echo "connected.type DERIVE"
exit 0
fi
######################
# Total Logins
######################
echo -en "login_total.value "
VALUE=$(egrep -c '[dovecot]?.*Login' $LOGFILE)
if [ ! -z "$VALUE" ]; then
echo "$VALUE"
else
echo "0"
fi
echo -n
######################
# Connected Users
######################
DISCONNECTS=$(egrep -c '[dovecot]?.*Disconnected' $LOGFILE)
CONNECTS=$(egrep -c '[dovecot]?.*Login' $LOGFILE)
VALUE=$($EXPR_BIN $CONNECTS - $DISCONNECTS)
if [ -z "$VALUE" ] || [ "$VALUE" -lt 0 ]; then
VALUE=0
fi
echo -en "connected.value "
echo $VALUE
echo -n
######################
# TLS Logins
######################
echo -en "login_tls.value "
VALUE=$(egrep -c '[dovecot]?.*Login.*TLS' $LOGFILE)
if [ ! -z "$VALUE" ]; then
echo "$VALUE"
else
echo "0"
fi
echo -n
######################
# SSL Logins
######################
echo -en "login_ssl.value "
VALUE=$(egrep -c '[dovecot]?.*Login.*SSL' $LOGFILE)
if [ ! -z "$VALUE" ]; then
echo "$VALUE"
else
echo "0"
fi
echo -n
######################
# IMAP Logins
######################
echo -en "login_imap.value "
VALUE=$(egrep -c '[dovecot]?.*imap.*Login' $LOGFILE)
if [ ! -z "$VALUE" ]; then
echo "$VALUE"
else
echo "0"
fi
echo -n
######################
# POP3 Logins
######################
echo -en "login_pop3.value "
VALUE=$(egrep -c '[dovecot]?.*pop3.*Login' $LOGFILE)
if [ ! -z "$VALUE" ]; then
echo "$VALUE"
else
echo "0"
fi
echo -n


@ -0,0 +1,242 @@
#!/usr/bin/perl
#%# family=auto
#%# capabilities=autoconf
use Munin::Plugin;
$pos = undef;
$connected = 0;
$connectedimap = 0;
$connectedpop3 = 0;
$connections = 0;
$connectionsimap = 0;
$connectionspop3 = 0;
$login = 0;
$pop3login = 0;
$imaplogin = 0;
$tls = 0;
$ssl = 0;
$aborted = 0;
($dirname = $0) =~ s/[^\/]+$//;
$dovelogfile = 0 ;
$logfile = $ENV{'LOGFILE'} || '/var/log/mail.log';
if ( $logfile =~ /dovecot/ ) {
$dovelogfile = 1 ;
}
# Use an overridden $PATH for all external programs if needed
$DOVEADM = "doveadm";
if ( $ARGV[0] and $ARGV[0] eq "autoconf" ) {
if (! -x $DOVEADM) {
print "no (no doveadm)\n";
exit(0);
}
if (! -f $logfile) {
print "no (logfile $logfile does not exist)\n";
exit(0);
}
if (-r "$logfile") {
print "yes\n";
exit 0;
} else {
print "no (logfile not readable)\n";
}
exit 0;
}
if (-f "$logfile.0") {
$rotlogfile = $logfile . ".0";
} elsif (-f "$logfile.1") {
$rotlogfile = $logfile . ".1";
} elsif (-f "$logfile.01") {
$rotlogfile = $logfile . ".01";
} else {
$rotlogfile = $logfile . ".0";
}
if ( $ARGV[0] and $ARGV[0] eq "config" ) {
print "multigraph dovecot_connections\n";
print "graph_title Dovecot connections\n";
print "graph_args --base 1000 -l 0 --no-gridfit --slope-mode\n";
print "graph_vlabel connections\n";
print "graph_category mail\n";
print "connections.label Connections open\n";
print "connections.type GAUGE\n";
print "connections.draw LINE1\n";
print "connections.min 0\n";
print "connectionsimap.label IMAP\n";
print "connectionsimap.type GAUGE\n";
print "connectionsimap.draw AREA\n";
print "connectionsimap.min 0\n";
print "connectionspop3.label POP3\n";
print "connectionspop3.type GAUGE\n";
print "connectionspop3.draw STACK\n";
print "connectionspop3.min 0\n";
print "multigraph dovecot_connected\n";
print "graph_title Dovecot connected users\n";
print "graph_args --base 1000 -l 0 --no-gridfit --slope-mode\n";
print "graph_vlabel connections\n";
print "graph_category mail\n";
print "connected.label Connected users\n";
print "connected.type GAUGE\n";
print "connected.draw LINE1\n";
print "connected.min 0\n";
print "connectedimap.label IMAP\n";
print "connectedimap.type GAUGE\n";
print "connectedimap.draw AREA\n";
print "connectedimap.min 0\n";
print "connectedpop3.label POP3\n";
print "connectedpop3.type GAUGE\n";
print "connectedpop3.draw STACK\n";
print "connectedpop3.min 0\n";
print "multigraph dovecot_logins\n";
print "graph_title Dovecot logins\n";
print "graph_args --base 1000 -l 0 --no-gridfit --slope-mode\n";
print "graph_vlabel logins/5 minute\n";
print "graph_category mail\n";
print "login.label Logins\n";
print "login.type GAUGE\n";
print "login.draw LINE1\n";
print "login.min 0\n";
print "imaplogin.label IMAP logins\n";
print "imaplogin.type GAUGE\n";
print "imaplogin.draw LINE1\n";
print "imaplogin.min 0\n";
print "pop3login.label POP3 logins\n";
print "pop3login.type GAUGE\n";
print "pop3login.draw LINE1\n";
print "pop3login.min 0\n";
print "tls.label TLS\n";
print "tls.type GAUGE\n";
print "tls.draw LINE1\n";
print "tls.min 0\n";
print "ssl.label SSL\n";
print "ssl.type GAUGE\n";
print "ssl.draw LINE1\n";
print "ssl.min 0\n";
print "aborted.label Aborted logins\n";
print "aborted.type GAUGE\n";
print "aborted.draw LINE1\n";
print "aborted.min 0\n";
exit 0;
}
if (! -f $logfile and ! -f $rotlogfile) {
print "multigraph dovecot_connections\n";
print "connections.value U";
print "connectionsimap.value U";
print "connectionspop3.value U";
print "multigraph dovecot_connected\n";
print "connected.value U\n";
print "connectedimap.value U\n";
print "connectedpop3.value U\n";
print "multigraph dovecot_logins\n";
print "login.value U\n";
print "pop3login.value U\n";
print "imaplogin.value U\n";
print "tls.value U\n";
print "ssl.value U\n";
print "aborted.value U\n";
exit 0;
}
# dit kan beter maar twee calls zijn toch nodig also we niet zelf aggegreren
# suggestie: doveadm who -1 | awk '{print $1" "$2" "$4}' | sort | uniq -c
$connectedimap = `$DOVEADM -f flow who | grep imap | wc -l`;
$connectedpop3 = `$DOVEADM -f flow who | grep pop3 | wc -l`;
$connectionsimap = `$DOVEADM -f flow who -1 | grep imap | wc -l`;
$connectionspop3 = `$DOVEADM -f flow who -1 | grep pop3 | wc -l`;
#trim
$connectedimap =~ s/\s+$//;
$connectedpop3 =~ s/\s+$//;
$connectionsimap =~ s/\s+$//;
$connectionspop3 =~ s/\s+$//;
$connected = $connectedimap + $connectedpop3;
$connections = $connectionsimap + $connectionspop3;
my ($pos) = restore_state();
$startsize = (stat $logfile)[7];
if (!defined $pos) {
# Initial run.
$pos = $startsize;
}
if ($startsize < $pos) {
# Log rotated
parseDovecotfile ($rotlogfile, $pos, (stat $rotlogfile)[7]);
$pos = 0;
}
parseDovecotfile ($logfile, $pos, $startsize);
$pos = $startsize;
save_state($pos);
print "multigraph dovecot_connections\n";
print "connections.value $connections\n";
print "connectionsimap.value $connectionsimap\n";
print "connectionspop3.value $connectionspop3\n";
print "multigraph dovecot_connected\n";
print "connected.value $connected\n";
print "connectedimap.value $connectedimap\n";
print "connectedpop3.value $connectedpop3\n";
print "multigraph dovecot_logins\n";
print "login.value $login\n";
print "pop3login.value $pop3login\n";
print "imaplogin.value $imaplogin\n";
print "tls.value $tls\n";
print "ssl.value $ssl\n";
print "aborted.value $aborted\n";
sub parseDovecotfile {
my ($fname, $start, $stop) = @_;
open (logf, $fname) or exit 3;
seek (logf, $start, 0) or exit 2;
while (tell (logf) < $stop) {
my $line =<logf>;
chomp ($line);
if ( $dovelogfile == 0 and $line !~ m/dovecot/) { next; }
else {
if ($line =~ m/Aborted/) {
$aborted++;
} elsif ($line =~ m/Login:/) {
$login++;
if ( $line =~ m/TLS/) {
$tls++;
} elsif ($line =~ m/SSL/) {
$ssl++;
}
if ( $line =~ m/pop3-login:/) {
$pop3login++;
} elsif ($line =~ m/imap-login:/) {
$imaplogin++;
}
}
}
}
close(logf);
}
# vim:syntax=perl
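Review bot: The three `print "connections.value U";` lines in the no-logfile branch (right after `multigraph dovecot_connections`) lack the trailing `\n` that every other value line in this file has, so the three fields come out on one line and munin cannot parse them; change them to `print "connections.value U\n";`, `print "connectionsimap.value U\n";` and `print "connectionspop3.value U\n";`. The autoconf check `if (! -x $DOVEADM)` tests a bare `doveadm` relative to the current directory rather than searching PATH, so autoconf will presumably always answer "no (no doveadm)" even when doveadm is installed; set `$DOVEADM` to an absolute path or resolve it through PATH first. `open (logf, $fname)` is the two-argument form with a bareword handle on a path taken from `$ENV{'LOGFILE'}`; the three-argument `open(my $logf, '<', $fname)` states the mode explicitly instead of letting a mode prefix in the value decide it. Since munin.yml says this file is copied unchanged from munin-monitoring/contrib, the fixes are worth carrying upstream too.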


@ -0,0 +1,158 @@
#!/bin/bash
: <<=cut
=head1 NAME
dovecot_stats_ - Munin plugin to display statistics for the dovecot mail server
=head1 CONFIGURATION
This plugin must be run with permissions to run "doveadm". That usually means root, but to test, run the following as any user:
doveadm who
If you get a permission denied message, check the permissions on the socket mentioned in the error line.
=head1 MAGIC MARKERS
#%# family=contrib
#%# capability=autoconf suggest
=head1 AUTHOR
Paul Saunders <darac+munin@darac.org.uk>
=cut
. $MUNIN_LIBDIR/plugins/plugin.sh
is_multigraph
if [[ "$1" == "autoconf" ]]; then
if [[ -x /usr/bin/doveadm ]]; then
echo yes
else
echo no
fi
exit 0
fi
# Dovecot 2.3 changes the stas format, but we can still access the older version with "doveadm oldstats".
dovecot_version=$(/usr/sbin/dovecot --version | awk '{print $1}')
verlte() {
[ "$1" = "$2" ] && return 1 || [ "$2" = "`echo -e "$1\n$2" | sort -V | head -n1`" ]
}
verlt() {
[ "$1" = "$2" ] && return 1 || verlte $2 $1
}
# The stats command is "stats" unless the version is NOT less than 2.3, in which case it's "oldstats".
stats_command="stats"
verlt $dovecot_version 2.3 || stats_command="oldstats"
if [[ "$1" == "suggest" ]]; then
doveadm $stats_command dump domain|awk 'NR!=1 {print $1}'
exit 0
fi
domain=$(basename $0)
domain=${domain#dovecot_stats_}
if [[ -z $domain ]]; then
exit 1
fi
if [[ "$1" == "config" ]]; then
cat <<EOF
multigraph dovecot_cpu_${domain//\./_}
graph_title Dovecot CPU Usage for $domain
graph_vlabel Seconds
graph_category mail
user_cpu.label User CPU
user_cpu.type DERIVE
user_cpu.min 0
user_cpu.cdef user_cpu,1000000,/
sys_cpu.label System CPU
sys_cpu.type DERIVE
sys_cpu.min 0
sys_cpu.cdef sys_cpu,1000000,/
multigraph dovecot_system_${domain//\./_}
graph_title Dovecot System Usage for $domain
graph_category mail
min_faults.label Minor page faults
min_faults.type DERIVE
min_faults.min 0
maj_faults.label Major page faults
maj_faults.type DERIVE
maj_faults.min 0
vol_cs.label Voluntary context switches
vol_cs.type DERIVE
vol_cs.min 0
invol_cs.label Involuntary context switches
invol_cs.type DERIVE
invol_cs.min 0
read_count.label read() syscalls
read_count.type DERIVE
read_count.min 0
write_count.label write() syscalls
write_count.type DERIVE
write_count.min 0
multigraph dovecot_mail_${domain//\./_}
graph_title Dovecot Mail Access for $domain
graph_category mail
num_logins.label Logins
num_logins.type DERIVE
num_logins.min 0
num_cmds.label Commands
num_cmds.type DERIVE
num_cmds.min 0
mail_lookup_path.label Path Lookups
mail_lookup_path.type DERIVE
mail_lookup_path.min 0
mail_lookup_attr.label Attr lookups
mail_lookup_attr.type DERIVE
mail_lookup_attr.min 0
mail_read_count.label Messages read
mail_read_count.type DERIVE
mail_read_count.min 0
mail_cache_hits.label Cache hits
mail_cache_hits.type DERIVE
mail_cache_hits.min 0
EOF
exit 0
fi
# Added by Will
if [ "${domain}" = "global" ]; then
args="global"
else
args="domain domain=$domain"
fi
# Fetch data
# Gawk script cadged from http://awk.info/?JanisP
doveadm $stats_command dump $args | gawk -F\\t -v cols="user_cpu sys_cpu min_faults maj_faults vol_cs invol_cs read_count write_count num_logins num_cmds mail_lookup_path mail_lookup_attr mail_read_count mail_cache_hits " -v domain=${domain//\./_} '
BEGIN {
n=split(cols,col," ")
for (i=1; i<=n; i++) s[col[i]]=i
}
NR==1 {
for (f=1;f<=NF; f++)
if ($f in s) c[s[$f]]=f
next
}
{ for (f=1; f<=n; f++) {
if (col[f] == "user_cpu") printf ("\nmultigraph dovecot_cpu_%s\n", domain)
if (col[f] == "min_faults") printf ("\nmultigraph dovecot_system_%s\n", domain)
if (col[f] == "num_logins") printf ("\nmultigraph dovecot_mail_%s\n", domain)
if (col[f] == "user_cpu" || col[f] == "sys_cpu")
printf("%s.value %d\n",col[f],$c[f] * 1000000)
else
printf("%s.value %d\n",col[f],$c[f])
}
}
'
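Review bot: `verlte` as written returns true when `$1` is greater than `$2` (it tests whether `$2` sorts first and rejects equality), and `verlt` only yields the intended "less than" because it swaps its arguments before calling it, so anyone reusing `verlte` on its own gets the inverse answer. One honestly named helper is clearer: `version_lt() { [ "$1" != "$2" ] && [ "$(printf '%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]; }` followed by `version_lt "$dovecot_version" 2.3 || stats_command="oldstats"`. `dovecot_version` comes from a hard-coded `/usr/sbin/dovecot --version` with no failure handling, while autoconf checks `/usr/bin/doveadm` and the data path calls a bare `doveadm`; if the binary is absent the variable is empty and the comparison silently selects `stats`. `$domain` (derived from the symlink name via `basename $0`), `$args` and `$MUNIN_LIBDIR` are expanded unquoted; quoting `"$domain"` and passing the dump arguments as separate words (`domain "domain=$domain"`) keeps an unexpected character in a plugin link name from being word-split into extra doveadm arguments.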


@ -1,16 +1,20 @@
---
- name: restart dovecot
service:
ansible.builtin.service:
name: dovecot
state: restarted
- name: reload dovecot
service:
ansible.builtin.service:
name: dovecot
state: reloaded
- name: restart log2mail
service:
ansible.builtin.service:
name: log2mail
state: restarted
- name: restart munin-node
ansible.builtin.systemd:
name: munin-node
state: restarted
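Review bot: The new `restart munin-node` handler uses `ansible.builtin.systemd` while the three handlers above it in the same file use `ansible.builtin.service`; no systemd-only option is used here, so `ansible.builtin.service:` keeps the file consistent and does not tie the role to systemd hosts. The drbd role's handler for the same service, further down in this PR, already uses `ansible.builtin.service`.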


@ -1,5 +1,5 @@
- name: ensure packages are installed
apt:
ansible.builtin.apt:
name:
- dovecot-ldap
- dovecot-imapd
@ -11,12 +11,12 @@
- dovecot
- name: Generate 4096 bits Diffie-Hellman parameters (may take several minutes)
openssl_dhparam:
community.crypto.openssl_dhparam:
path: /etc/ssl/dhparams.pem
size: 4096
- name: disable pam auth
replace:
ansible.builtin.replace:
dest: /etc/dovecot/conf.d/10-auth.conf
regexp: "[^#]!include auth-system.conf.ext"
replace: "#!include auth-system.conf.ext"
@ -24,7 +24,7 @@
- dovecot
- name: update ldap auth
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/dovecot/dovecot-ldap.conf.ext
line: "{{ item.key }} = {{ item.value }}"
regexp: "^#*{{ item.key }}"
@ -43,7 +43,7 @@
- dovecot
- name: create vmail group
group:
ansible.builtin.group:
name: vmail
gid: "{{ dovecot_vmail_gid }}"
system: True
@ -51,7 +51,7 @@
- dovecot
- name: create vmail user
user:
ansible.builtin.user:
name: vmail
group: vmail
uid: "{{ dovecot_vmail_uid }}"
@ -61,7 +61,7 @@
- dovecot
- name: deploy evolix config
template:
ansible.builtin.template:
src: z-evolinux-defaults.conf.j2
dest: /etc/dovecot/conf.d/z-evolinux-defaults.conf
mode: "0644"
@ -70,7 +70,7 @@
- dovecot
- name: deploy file for custom configuration
template:
ansible.builtin.template:
src: zzz-evolinux-custom.conf.j2
dest: /etc/dovecot/conf.d/zzz-evolinux-custom.conf
mode: "0644"
@ -78,18 +78,18 @@
tags:
- dovecot
- include: munin.yml
- ansible.builtin.include: munin.yml
tags:
- dovecot
- dovecot
- name: log2mail is installed
apt:
ansible.builtin.apt:
name: log2mail
state: present
tags: dovecot
- name: dovecot is configured in log2mail
blockinfile:
ansible.builtin.blockinfile:
path: /etc/log2mail/config/mail.conf
create: true
owner: log2mail


@ -1,23 +1,84 @@
---
- name: is Munin present ?
stat:
ansible.builtin.stat:
path: /etc/munin/plugin-conf.d/munin-node
check_mode: no
register: munin_node_plugins_config
- name: Munin plugins are present and configured
block:
- name: Install munin plugin
copy:
src: munin_plugin
dest: /etc/munin/plugins/dovecot
- name: Disable dovecot plugin
ansible.builtin.file:
path: /etc/munin/plugins/dovecot
state: absent
- name: Remove dovecot plugin conf
ansible.builtin.file:
path: /etc/munin/plugin-conf.d/dovecot
state: absent
- name: "Remount /usr if needed"
ansible.builtin.include_role:
name: remount-usr
- name: Ensures /usr/local/lib/munin/plugins/ dir exists
ansible.builtin.file:
path: "/usr/local/lib/munin/plugins/"
state: directory
mode: "0755"
- name: Install munin config
copy:
src: munin_config
dest: /etc/munin/plugin-conf.d/dovecot
mode: "0644"
- name: Install dovecot1 plugin
# Original from https://github.com/munin-monitoring/contrib/blob/master/plugins/dovecot/dovecot1
ansible.builtin.copy:
src: munin_plugin_dovecot1
dest: /usr/local/lib/munin/plugins/dovecot1
mode: "0755"
- name: Install dovecot_stats_ plugin
# Modified from https://github.com/munin-monitoring/contrib/blob/master/plugins/dovecot/dovecot_stats_
ansible.builtin.copy:
src: munin_plugin_dovecot_stats_
dest: /usr/local/lib/munin/plugins/dovecot_stats_
mode: "0755"
tags: dovecot_stats_
- name: Sections dovecot1 and dovecot_stats_ are in /etc/munin/plugin-conf.d/zzz-evolinux
ansible.builtin.lineinfile:
path: /etc/munin/plugin-conf.d/zzz-evolinux
regex: '\[{{ item }}\]'
line: '[{{ item }}]'
create: yes
mode: '0644'
loop: ['dovecot1', 'dovecot_stats_*']
notify: restart munin-node
- name: User root is set for plugins in /etc/munin/plugin-conf.d/zzz-evolinux
ansible.builtin.lineinfile:
path: /etc/munin/plugin-conf.d/zzz-evolinux
regex: '^[[:blank:]]*user root[[:blank:]]*$'
insertafter: '\[{{ item }}\]'
line: 'user root'
create: yes
mode: '0644'
loop: ['dovecot1', 'dovecot_stats_*']
notify: restart munin-node
- name: Enable dovecot1 plugin
ansible.builtin.file:
src: "/usr/local/lib/munin/plugins/dovecot1"
dest: "/etc/munin/plugins/dovecot1"
state: link
when: not ansible_check_mode
- name: Enable wildcard dovecot_stats_ plugin for all domains
ansible.builtin.file:
src: "/usr/local/lib/munin/plugins/dovecot_stats_"
dest: "/etc/munin/plugins/dovecot_stats_global"
state: link
when: not ansible_check_mode
tags: dovecot_stats_
when: munin_node_plugins_config.stat.exists
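Review bot: In `regex: '\[{{ item }}\]'` the `*` of the loop item `dovecot_stats_*` is a quantifier on the preceding `_`, so the pattern matches `[dovecot_stats]` or `[dovecot_stats_]` but never the literal `[dovecot_stats_*]` line the task writes, and the `insertafter: '\[{{ item }}\]'` of the next task has the same problem, so its `user root` lands at end of file instead of under that section. The second task's `regex: '^[[:blank:]]*user root[[:blank:]]*$'` is not scoped to a section either, so once any `user root` line exists in zzz-evolinux the task considers it present and the other section never gets one; `dovecot_stats_` shells out to `doveadm`, so it would then run without the privileges this file is meant to grant it. Escaping the item (`regex: '\[{{ item | regex_escape }}\]'`) fixes the match, but the two tasks are simpler and reliably idempotent as one `blockinfile` per section with a per-item marker, as below. `create: yes` and `mode: '0644'` should follow the `true` / `"0644"` form used elsewhere in this file.
```yaml
- name: Sections dovecot1 and dovecot_stats_ are in /etc/munin/plugin-conf.d/zzz-evolinux
  ansible.builtin.blockinfile:
    path: /etc/munin/plugin-conf.d/zzz-evolinux
    marker: "# {mark} ANSIBLE MANAGED BLOCK {{ item }}"
    block: |
      [{{ item }}]
      user root
    create: true
    mode: "0644"
  loop: ['dovecot1', 'dovecot_stats_*']
  notify: restart munin-node
```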


@ -1,5 +1,8 @@
# {{ ansible_managed }}
# Plugins list (must be before filters {} that modify it)
mail_plugins = $mail_plugins old_stats
# Autorise les mécanismes PLAIN/LOGIN même sans SSL/TLS
disable_plaintext_auth = no
auth_mechanisms = plain login
@ -36,14 +39,26 @@ service login {
mail_max_userip_connections = 42
# Configuration pour stats dovecot
service stats {
unix_listener stats-reader {
protocol imap {
mail_plugins = $mail_plugins imap_old_stats
}
plugin {
old_stats_refresh = 30 secs
old_stats_track_cmds = yes
}
service old-stats {
fifo_listener old-stats-mail {
user = vmail
group = vmail
mode = 0660
}
unix_listener old-stats-reader {
user = vmail
group = vmail
mode = 0660
}
unix_listener stats-writer {
unix_listener old-stats-writer {
user = vmail
group = vmail
mode = 0660
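Review bot: The `service old-stats` block, the `old_stats` / `imap_old_stats` plugins and the `old_stats_*` settings added here exist only from Dovecot 2.3 on; a host still running a 2.2 release would likely fail to start dovecot on the unknown plugin or service, whereas the `dovecot_stats_` munin plugin added in this PR does handle both versions. If hosts older than 2.3 are still in scope for this role, wrap these additions in a Jinja condition on the Dovecot version (the template's surrounding context is outside the hunk, so I cannot tell whether one already exists). A one-line comment above `service old-stats` giving the reason the legacy stats service is enabled (`# old-stats feeds the dovecot_stats_ Munin plugin (Dovecot >= 2.3)`) would spare the next reader the cross-reference.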


@ -1,5 +1,5 @@
---
- name: restart munin-node
service:
ansible.builtin.service:
name: munin-node
state: restarted


@ -1,6 +1,6 @@
---
- include: packages.yml
- ansible.builtin.include: packages.yml
- include: munin.yml
- ansible.builtin.include: munin.yml
- include: nagios.yml
- ansible.builtin.include: nagios.yml


@ -1,7 +1,7 @@
---
- name: Check if Munin plugins exists
stat:
ansible.builtin.stat:
path: /etc/munin/plugins/
register: munin_plugins_dir
check_mode: no
@ -10,7 +10,7 @@
# https://raw.githubusercontent.com/munin-monitoring/contrib/master/plugins/drbd/drbd
- name: Get Munin plugin
copy:
ansible.builtin.copy:
src: munin/drbd-plugin
dest: /etc/munin/plugins/drbd
mode: "0755"
@ -20,7 +20,7 @@
- drbd
- name: Copy Munin plugin conf
copy:
ansible.builtin.copy:
src: munin/drbd-config
dest: /etc/munin/plugin-conf.d/drbd
mode: "0644"


@ -1,21 +1,21 @@
---
- name: Check if Nagios is installed
stat:
ansible.builtin.stat:
path: /usr/local/lib/nagios/plugins/
register: nagios_plugins_dir
check_mode: no
tags:
- drbd
- include_role:
- ansible.builtin.include_role:
name: evolix/remount-usr
tags:
- drbd
# https://exchange.nagios.org/components/com_mtree/attachment.php?link_id=3367&cf_id=30
- name: Install Nagios plugin
copy:
ansible.builtin.copy:
src: "nagios/check_drbd"
dest: "/usr/local/lib/nagios/plugins/check_drbd"
mode: "0755"


@ -1,5 +1,5 @@
- name: Install dependency
apt:
ansible.builtin.apt:
name:
- drbd-utils
- lvm2
@ -7,7 +7,7 @@
- drbd
- name: Enable drbd.service
service:
ansible.builtin.service:
name: drbd
enabled: yes
tags:


@ -5,10 +5,20 @@ elasticsearch_cluster_name: Null
elasticsearch_cluster_members: Null
elasticsearch_minimum_master_nodes: Null
elasticsearch_node_name: "${HOSTNAME}"
elasticsearch_network_host:
- "_local_"
# https://www.elastic.co/guide/en/elasticsearch/reference/8.7/modules-network.html
elasticsearch_network_host: "_local_"
elasticsearch_network_publish_host: Null
elasticsearch_network_port: Null
elasticsearch_http_host: Null
elasticsearch_http_publish_host: Null
elasticsearch_http_port: Null
elasticsearch_transport_host: Null
elasticsearch_transport_publish_host: Null
elasticsearch_transport_port: Null
elasticsearch_discovery_seed_hosts: Null
elasticsearch_cluster_initial_master_nodes: Null
elasticsearch_custom_datadir: Null
@ -29,3 +39,5 @@ elasticsearch_plugin_head_clone_dir: "{{ elasticsearch_plugin_head_home }}/www"
elasticsearch_plugin_head_tmp_dir: "{{ elasticsearch_plugin_head_home }}/tmp"
elasticsearch_additional_scripts_dir: /usr/share/scripts
apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
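Review bot: `elasticsearch_network_host` changes type from a one-element list to the scalar `"_local_"`; inventories or group_vars that still set it as a list will presumably render as a Python-style list in `elasticsearch.yml` (`network.host: ['_local_']`), which works as YAML flow syntax but no longer matches what the default documents, so the change deserves a line in the role's changelog or README. The new keys use `Null` like the existing ones; `null` (lowercase) is the form yamllint expects, and touching the file for the new keys is a good moment to settle on it. A one-line comment on `apt_keyring_dir` (`# Debian 12+: keys under /etc/apt/keyrings referenced by signed-by; older releases: trusted.gpg.d`) would explain the version switch to the next reader.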


@ -1,7 +1,7 @@
---
- name: restart elasticsearch
systemd:
ansible.builtin.systemd:
daemon_reload: yes
name: elasticsearch
state: restarted


@ -1,11 +1,11 @@
---
- include_role:
- ansible.builtin.include_role:
name: evolix/remount-usr
when: elasticsearch_additional_scripts_dir is search ("/usr")
when: elasticsearch_additional_scripts_dir is search("/usr")
- name: "{{ elasticsearch_additional_scripts_dir }} exists"
file:
ansible.builtin.file:
dest: "{{ elasticsearch_additional_scripts_dir }}"
mode: "0700"
owner: root
@ -13,10 +13,10 @@
state: directory
- name: Plugins upgrade script is installed
copy:
ansible.builtin.copy:
src: upgrade_elasticsearch_plugins.sh
dest: "{{ elasticsearch_additional_scripts_dir }}/upgrade_elasticsearch_plugins.sh"
mode: "0755"
owner: "root"
group: "root"
force: yes
force: true


@ -0,0 +1,36 @@
---
- name: APT https transport is enabled (Debian <10)
ansible.builtin.apt:
name: apt-transport-https
state: present
when: ansible_distribution_major_version is version('10', '<')
- name: Elastic GPG key is installed
ansible.builtin.copy:
src: elastic.asc
dest: "{{ apt_keyring_dir }}/elastic.asc"
force: true
mode: "0644"
owner: root
group: root
- name: Add Elastic repository (Debian <12)
ansible.builtin.apt_repository:
repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
filename: elastic
state: present
update_cache: yes
when: ansible_distribution_major_version is version('12', '<')
- name: Add Elastic repository (Debian >=12)
ansible.builtin.template:
src: elastic.sources.j2
dest: /etc/apt/sources.list.d/elastic.sources
state: present
register: elastic_sources
when: ansible_distribution_major_version is version('12', '>=')
- name: Update APT cache
ansible.builtin.apt:
update_cache: yes
when: elastic_sources is changed
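Review bot: `ansible.builtin.template` has no `state` parameter, so the `state: present` under "Add Elastic repository (Debian >=12)" makes that task fail with an invalid-options error on Debian 12 and later; drop that line. The template `elastic.sources.j2` is not in view, so I cannot confirm it carries `Signed-By: {{ apt_keyring_dir }}/elastic.asc` to match the `signed-by=` used for older releases; without it apt on Debian 12 would presumably look in trusted.gpg.d, where this PR no longer places the key, and reject the repository. `update_cache: yes` should be `true` to match `force: true` above and the ansible-lint stage this PR adds. A file-level comment stating why two repository tasks exist (deb822 `.sources` files are used from Debian 12 on, `apt_repository` before) would also help.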


@ -1,7 +1,8 @@
---
- name: Read maximum map count
command: "sysctl -n vm.max_map_count"
ansible.builtin.command:
cmd: "sysctl -n vm.max_map_count"
register: max_map_count
failed_when: False
changed_when: False
@ -9,16 +10,16 @@
- config
- name: Maximum map count check
sysctl:
ansible.posix.sysctl:
name: vm.max_map_count
value: 262144
value: "262144"
sysctl_file: /etc/sysctl.d/elasticsearch.conf
when: max_map_count | int < 262144
tags:
- config
- name: bootstrap.memory_lock
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml
line: "bootstrap.memory_lock: true"
regexp: "^bootstrap.memory_lock:"
@ -27,12 +28,12 @@
- config
- name: Create a system config directory for systemd overrides
file:
ansible.builtin.file:
path: /etc/systemd/system/elasticsearch.service.d
state: directory
- name: Override memory config in systemd unit
ini_file:
community.general.ini_file:
dest: /etc/systemd/system/elasticsearch.service.d/elasticsearch.conf
section: Service
option: "LimitMEMLOCK"
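Review bot: `when: max_map_count | int < 262144` compares the whole registered result of the command task rather than its output; Jinja's `int` filter falls back to its default of 0 on a dict, so the condition is always true and the sysctl task runs unconditionally, which would also lower a host an operator had deliberately set above 262144. The check should read the command output: `when: max_map_count.stdout | int < 262144` (an empty stdout from a failed command, tolerated by `failed_when: False`, still converts to 0 and triggers the write, which is the safe direction). The quoted `value: "262144"` is right for the sysctl module, which takes the value as a string.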


@ -1,7 +1,7 @@
---
- name: Configure cluster name
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml
line: "cluster.name: {{ elasticsearch_cluster_name }}"
regexp: "^cluster.name:"
@ -11,7 +11,7 @@
- config
- name: Configure node name
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml
line: "node.name: {{ elasticsearch_node_name }}"
regexp: "^node.name:"
@ -20,9 +20,9 @@
- config
- name: Configure network host
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml
line: "network.host: {{ elasticsearch_network_host }}"
line: "network.host: {{ elasticsearch_network_host }}"
regexp: "^network.host:"
insertafter: "^# *network.host:"
when: elasticsearch_network_host | default("", True) | length > 0
@ -30,36 +30,97 @@
- config
- name: Configure network publish_host
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml
line: "network.publish_host: {{ elasticsearch_network_publish_host }}"
line: "network.publish_host: {{ elasticsearch_network_publish_host }}"
regexp: "^network.publish_host:"
insertafter: "^network.host:"
when: elasticsearch_network_publish_host | default("", True) | length > 0
tags:
- config
- name: Configure http publish_host
lineinfile:
- name: Configure network port
ansible.builtin.lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml
line: "http.publish_host: {{ elasticsearch_http_publish_host }}"
line: "network.port: {{ elasticsearch_network_port }}"
regexp: "^network.port:"
insertafter: "^network.host:"
when: elasticsearch_network_port | default("", True) | length > 0
tags:
- config
- name: Configure http host
ansible.builtin.lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml
line: "http.host: {{ elasticsearch_http_host }}"
regexp: "^http.host:"
insertafter: "^# *http.host:"
when: elasticsearch_http_host | default("", True) | length > 0
tags:
- config
- name: Configure http publish_host
ansible.builtin.lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml
line: "http.publish_host: {{ elasticsearch_http_publish_host }}"
regexp: "^http.publish_host:"
insertafter: "^http.port:"
when: elasticsearch_http_publish_host | default("", True) | length > 0
tags:
- config
- name: Configure http port
ansible.builtin.lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml
line: "http.port: {{ elasticsearch_http_port }}"
regexp: "^http.port:"
insertafter: "^http.host:"
when: elasticsearch_http_port | default("", True) | length > 0
tags:
- config
- name: Configure transport host
ansible.builtin.lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml
line: "transport.host: {{ elasticsearch_transport_host }}"
regexp: "^transport.host:"
insertafter: "^# *transport.host:"
when: elasticsearch_transport_host | default("", True) | length > 0
tags:
- config
- name: Configure transport publish_host
ansible.builtin.lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml
line: "transport.publish_host: {{ elasticsearch_transport_publish_host }}"
regexp: "^transport.publish_host:"
insertafter: "^transport.host:"
when: elasticsearch_transport_publish_host | default("", True) | length > 0
tags:
- config
- name: Configure transport port
ansible.builtin.lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml
line: "transport.port: {{ elasticsearch_transport_port }}"
regexp: "^transport.port:"
insertafter: "^transport.host:"
when: elasticsearch_transport_port | default("", True) | length > 0
tags:
- config
- name: Configure discovery seed hosts
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml
line: "discovery.seed_hosts: {{ elasticsearch_discovery_seed_hosts | to_yaml(default_flow_style=True) }}"
regexp: "^discovery.seed_hosts:"
insertafter: "^# *discovery.seed_hosts:"
when: elasticsearch_discovery_seed_hosts | default([], True) | length > 0
tags:
- config
- name: Configure empty discovery seed hosts
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml
regexp: "^discovery.seed_hosts:"
state: absent
@ -68,7 +129,7 @@
- config
- name: Configure initial master nodes
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml
line: "cluster.initial_master_nodes: {{ elasticsearch_cluster_initial_master_nodes | to_yaml(default_flow_style=True) }}"
regexp: "^cluster.initial_master_nodes:"
@ -77,7 +138,7 @@
- config
- name: Configure empty initial master nodes
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml
regexp: "^cluster.initial_master_nodes:"
state: absent
@ -86,7 +147,7 @@
- config
- name: Configure RESTART_ON_UPGRADE
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/default/elasticsearch
line: "RESTART_ON_UPGRADE={{ elasticsearch_restart_on_upgrade | bool | ternary('true','false') }}"
regexp: "^RESTART_ON_UPGRADE="
@ -95,31 +156,39 @@
- config
- name: JVM Heap size (min) is set
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/elasticsearch/jvm.options.d/evolinux.options
regexp: "^-Xms"
line: "-Xms{{ elasticsearch_jvm_xms }}"
create: yes
owner: root
group: elasticsearch
mode: 0640
mode: "0640"
tags:
- config
- name: JVM Heap size (max) is set
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/elasticsearch/jvm.options.d/evolinux.options
regexp: "^-Xmx"
line: "-Xmx{{ elasticsearch_jvm_xmx }}"
create: yes
owner: root
group: elasticsearch
mode: 0640
mode: "0640"
tags:
- config
- name: Disable garbage collector logs
ansible.builtin.replace:
dest: /etc/elasticsearch/jvm.options
regexp: '^([^#]*-Xlog:gc.+)'
replace: '#\1'
tags:
- config
- name: Configure cluster members
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml
line: "discovery.zen.ping.unicast.hosts: {{ elasticsearch_cluster_members }}"
regexp: "^discovery.zen.ping.unicast.hosts:"
@ -129,7 +198,7 @@
- config
- name: Configure minimum master nodes
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml
line: "discovery.zen.minimum_master_nodes: {{ elasticsearch_minimum_master_nodes }}"
regexp: "^discovery.zen.minimum_master_nodes:"
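Review bot: "Configure http publish_host" anchors with `insertafter: "^http.port:"`, but the `http.port` line is written by the task that runs after it, so on a first run the publish_host line falls through to end of file; move "Configure http port" above it or anchor on `insertafter: "^http.host:"` like the network and transport tasks do. The transport tasks are fine in that respect since both anchor on `^transport.host:`, which is written just before them. The nine near-identical `lineinfile` tasks for network/http/transport could be one task looping over `{key, value, insertafter}` entries with a per-item `when: item.value | default('', True) | length > 0`, keeping the key regexps and the anchoring order in one place. In the "Disable garbage collector logs" task a short comment giving the reason GC logging is turned off would record the intent for whoever later wonders why jvm.options differs from the package default.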
