release 22.07.1 #160

jlecour merged 21 commits from unstable into stable 2022-07-28 13:51:58 +02:00
19 changed files with 193 additions and 22 deletions

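--- a/.Jenkinsfile
+++ b/.Jenkinsfile
@@ -0,0 +1,50 @@
+pipeline {
+agent { label 'docker' }
+environment {
+ROLES_VERSION = "${env.GIT_COMMIT}"
+}
+stages {
+stage('Build tagged docker image') {
+when {
+buildingTag()
+}
+steps {
+script {
+def im = docker.build("evolix/ansible-roles:build${env.BUILD_ID}")
+im.inside {
+sh 'echo Test needed'
+}
+def version = TAG_NAME
+def versions = version.split('\\.')
+def major = versions[0]
+def minor = versions[0] + '.' + versions[1]
+def patch = version.trim()
+/* No crendentials yet
+im.push(major)
+im.push(minor)
+im.push(patch)
+*/
+}
+}
+}
+stage('Build latest docker image') {
+when {
+branch 'unstable'
+}
+steps {
+script {
+def im = docker.build("evolix/ansible-roles:build${env.BUILD_ID}")
+im.inside {
+sh 'echo Test needed'
+}
+/* No crendentials yet
+im.push('latest')
+*/
+}
+}
+}
+}
+}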
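Review bot: In the tagged-build stage, `def minor = versions[0] + '.' + versions[1]` throws an ArrayIndexOutOfBoundsException for a tag without a dot (e.g. `v23`), and only after the image has already been built; guard it first with `if (versions.length < 2) { error("tag ${version} is not MAJOR.MINOR[.PATCH]") }`. Both stages only run `sh 'echo Test needed'` inside the image, so nothing is verified before the (currently commented-out) `im.push` calls; an `ansible-playbook --syntax-check` or `ansible-lint` run in that `inside` block would make the gate meaningful once pushes are enabled. The comment `No crendentials yet` should read `credentials`.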


@ -20,6 +20,22 @@ The **patch** part changes is incremented if multiple releases happen the same m
### Security
## [22.07.1] 2022-07-28
### Changed
* evocheck: upstream release 22.07
* evomaintenance: upstream release 22.07
* mongodb: replace version_compare() with version()
* nagios-nrpe: check_disk1 returns only alerts
* nagios-nrpe: use regexp to exclude paths/devices in check_disk1
## [22.07] 2022-07-08
### Added
* fail2ban: Ensure apply dbpurgeage from stretch and buster
## [22.07] 2022-07-06
### Added


@ -4,7 +4,7 @@
# Script to verify compliance of a Debian/OpenBSD server
# powered by Evolix
VERSION="22.06.2"
VERSION="22.07"
readonly VERSION
# base functions
@ -610,6 +610,14 @@ check_evobackup() {
evobackup_found=$(find /etc/cron* -name '*evobackup*' | wc -l)
test "$evobackup_found" -gt 0 || failed "IS_EVOBACKUP" "missing evobackup cron"
}
# Vérification de la mise en place de la purge pour fail2ban
check_purge_fail2ban() {
if is_debian_stretch || is_debian_buster; then
if is_installed fail2ban; then
test -f /etc/cron.daily/fail2ban_dbpurge || failed "IS_FAIL2BAN_PURGE" "missing script fail2ban_dbpurge cron"
fi
fi
}
# Vérification de l'exclusion des montages (NFS) dans les sauvegardes
check_evobackup_exclude_mount() {
excludes_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.evobackup_exclude_mount.XXXXX")
@ -742,7 +750,7 @@ check_backupuptodate() {
backup_dir="/home/backup"
if [ -d "${backup_dir}" ]; then
if [ -n "$(ls -A ${backup_dir})" ]; then
find "${backup_dir}" -type f -maxdepth 1 | while read -r file; do
find "${backup_dir}" -maxdepth 1 -type f | while read -r file; do
limit=$(date +"%s" -d "now - 2 day")
updated_at=$(stat -c "%Y" "$file")
@ -970,7 +978,7 @@ check_mongo_backup() {
# You could change the default path in /etc/evocheck.cf
MONGO_BACKUP_PATH=${MONGO_BACKUP_PATH:-"/home/backup/mongodump"}
if [ -d "$MONGO_BACKUP_PATH" ]; then
for file in "${MONGO_BACKUP_PATH}"/*/*.{json,bson}.*; do
for file in "${MONGO_BACKUP_PATH}"/*/*.{json,bson}*; do
# Skip indexes file.
if ! [[ "$file" =~ indexes ]]; then
limit=$(date +"%s" -d "now - 2 day")
@ -1227,8 +1235,8 @@ check_sshpermitrootno() {
# -T doesn't require the additional -C.
sshd_args=
fi
# XXX: We want parameter expension here
if ! (sshd -T $sshd_args | grep -q 'permitrootlogin no'); then
# shellcheck disable=SC2086
if ! (sshd -T ${sshd_args} | grep -q 'permitrootlogin no'); then
failed "IS_SSHPERMITROOTNO" "PermitRoot should be set to no"
fi
}
@ -1810,6 +1818,7 @@ while :; do
IS_UPTIME=0
IS_MELTDOWN_SPECTRE=0
IS_CHECK_VERSIONS=0
IS_NETWORKING_SERVICE=0
;;
-v|--verbose)
VERBOSE=1
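Review bot: check_purge_fail2ban only tests that `/etc/cron.daily/fail2ban_dbpurge` exists; run-parts silently skips a non-executable file, so a script installed with the wrong mode passes the check while never running. Using `test -x /etc/cron.daily/fail2ban_dbpurge || failed "IS_FAIL2BAN_PURGE" "missing or non-executable script fail2ban_dbpurge cron"` catches that case, and the stretch/buster gate matches the fail2ban role's new `Fix dbpurgeage` task in this release. The other hunks in this file (find argument order, sshd parameter expansion, the new IS_NETWORKING_SERVICE default) look fine as written.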


@ -7,7 +7,7 @@
# Copyright 2007-2022 Evolix <info@evolix.fr>, Gregory Colpart <reg@evolix.fr>,
# Jérémy Lecour <jlecour@evolix.fr> and others.
VERSION="22.01"
VERSION="22.07"
show_version() {
cat <<END
@ -47,6 +47,7 @@ Options
--no-evocheck disable evocheck execution
--auto use "auto" mode
--no-auto use "manual" mode (default)
--autosysadmin author change as autosysadmin
-v, --verbose increase verbosity
-n, --dry-run actions are not executed
--help print this message and exit
@ -97,13 +98,22 @@ get_who() {
}
get_begin_date() {
printf "%s %s" "$(date "+%Y")" "$(get_who | cut -d" " -f3,4,5)"
# XXX A begin date isn't applicable when used in autosysadmin, so we
# use the same date as the end date.
if is_autosysadmin; then
get_end_date
else
printf "%s %s" "$(date "+%Y")" "$(get_who | cut -d" " -f3,4,5)"
fi
}
get_ip() {
ip=$(get_who | cut -d" " -f6 | sed -e "s/^(// ; s/)$//")
[ -z "${ip}" ] && ip="unknown (no tty)"
[ "${ip}" = ":0" ] && ip="localhost"
if is_autosysadmin || [ "${ip}" = ":0" ]; then
ip="localhost"
elif [ -z "${ip}" ]; then
ip="unknown (no tty)"
fi
echo "${ip}"
}
@ -116,6 +126,14 @@ get_now() {
date +"%Y-%m-%dT%H:%M:%S%z"
}
get_user() {
if is_autosysadmin; then
echo autosysadmin
else
logname
fi
}
get_complete_hostname() {
REAL_HOSTNAME=$(get_fqdn)
if [ "${HOSTNAME}" = "${REAL_HOSTNAME}" ]; then
@ -174,6 +192,10 @@ print_session_data() {
printf "Message : %s\n" "${MESSAGE}"
}
is_autosysadmin() {
test "${AUTOSYSADMIN}" -eq 1
}
is_repository_readonly() {
if [ "$(get_system)" = "OpenBSD" ]; then
partition=$(stat -f '%Sd' $1)
@ -382,6 +404,7 @@ AUTO=${AUTO:-"0"}
EVOCHECK=${EVOCHECK:-"0"}
GIT_STATUS_MAX_LINES=${GIT_STATUS_MAX_LINES:-20}
API_ENDPOINT=${API_ENDPOINT:-""}
AUTOSYSADMIN=${AUTOSYSADMIN:-0}
# initialize variables
MESSAGE=""
@ -497,7 +520,7 @@ HOSTNAME_TEXT=$(get_complete_hostname)
IP=$(get_ip)
BEGIN_DATE=$(get_begin_date)
END_DATE=$(get_end_date)
USER=$(logname)
USER=$(get_user)
PATH=${PATH}:/usr/sbin
@ -536,6 +559,11 @@ EVOCHECK_BIN="/usr/share/scripts/evocheck.sh"
GIT_REPOSITORIES="/etc /etc/bind /usr/share/scripts"
# Add /etc directories from lxc containers if they are git directories
if [ -d /var/lib/lxc ]; then
GIT_REPOSITORIES="${GIT_REPOSITORIES} $(find /var/lib/lxc/ -maxdepth 3 -name 'etc' | tr '\n' ' ' | sed 's/[[:space:]]\+$//')"
fi
# initialize variable
GIT_STATUSES=""
# git statuses
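Review bot: The comment on the new lxc block says container `/etc` directories are added "if they are git directories", but `find /var/lib/lxc/ -maxdepth 3 -name 'etc'` adds every match whether or not it holds a repository, and it also matches non-directory entries named `etc`. Either reword the comment or make it true with `find /var/lib/lxc/ -mindepth 3 -maxdepth 3 -type d -name etc -exec test -d '{}/.git' \; -print`; what a non-git path does downstream depends on the git-status code outside this hunk, so the mismatch may only be cosmetic. The `--autosysadmin` option is documented in the usage text and read through `AUTOSYSADMIN`, but the option-parsing case for it is not in this diff, so its presence there is assumed.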


@ -0,0 +1,19 @@
- name: Sqlite needed
ansible.builtin.apt:
name:
- sqlite3
state: present
- name: Register bantime from default config from package
shell: "grep -R -E 'dbpurgeage[[:blank:]]*=[[:blank:]]*[0-9]+' /etc/fail2ban/fail2ban.conf |awk '{print $3}'|head -n1"
register: default_dbpurgeage
changed_when: false
check_mode: false
- name: Add crontab
template:
src: fail2ban_dbpurge.j2
dest: /etc/cron.daily/fail2ban_dbpurge
mode: 0700
owner: root
group: root
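Review bot: The `Register bantime from default config` pipeline is fragile: the regexp also matches a commented-out `# dbpurgeage = ...` line, and `awk '{print $3}'` prints nothing when the key is written without blanks (`dbpurgeage=86400`, which the regexp allows), so the template then renders `date('now', '-')` and the purge silently deletes nothing. A single sed anchored on the start of the line that captures the value is more robust: `sed -n -E 's/^[[:blank:]]*dbpurgeage[[:blank:]]*=[[:blank:]]*([0-9]+[a-z]?).*/\1/p' /etc/fail2ban/fail2ban.conf | head -n1`. The `-R` is unnecessary on a single file, and the task name should say `dbpurgeage` rather than `bantime`, since that is what it reads. When `fail2ban_recidive_bantime` is not set, a `failed_when: default_dbpurgeage.stdout | length == 0` would make an unexpected conf format fail the play instead of installing a no-op cron.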


@ -103,4 +103,11 @@
mode: "0644"
notify: restart fail2ban
when:
- fail2ban_recidive
- fail2ban_recidive
- name: Fix dbpurgeage for stretch and buster
include: fix-dbpurgeage.yml
when:
- ansible_distribution_release == "stretch" or ansible_distribution_release == "buster"
tags:
- fail2ban
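Review bot: The new `Fix dbpurgeage for stretch and buster` task uses the long-deprecated bare `include:` while the file it includes already uses `ansible.builtin.apt`, so the role targets a collection-aware Ansible; use `ansible.builtin.include_tasks: fix-dbpurgeage.yml` (bare `include` has been removed in recent ansible-core). The condition reads better as `ansible_distribution_release in ["stretch", "buster"]`. Note that `include_tasks` does not propagate `tags` to the included tasks the way static `include` did, so when switching, add `apply: { tags: [fail2ban] }` or the included tasks are skipped under `--tags fail2ban`.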


@ -0,0 +1,3 @@
#!/bin/sh
# Juin 2022 : #64088
/usr/bin/sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "DELETE FROM bans WHERE date('now', '-{{ fail2ban_recidive_bantime | default(default_dbpurgeage.stdout) }}') > datetime(timeofban, 'unixepoch'); VACUUM;"
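Review bot: The SQLite `date()` modifier in the DELETE needs a unit: a bare number (`'-86400'`) or fail2ban's own abbreviation (`'-1d'`, the form recent fail2ban.conf files ship) is not a valid modifier, `date()` returns NULL, and `NULL > datetime(...)` makes the statement delete nothing, so this cron may run as a silent no-op — check the rendered line against the installed `/etc/fail2ban/fail2ban.conf`. The script should also exit early when the database file does not exist, because the sqlite3 CLI creates an empty file at that path and then errors on the missing `bans` table, sending cron mail daily on hosts where fail2ban has not run yet. A rewrite that normalises the value to seconds and appends the unit is sketched below; which suffixes `fail2ban_recidive_bantime` can carry in this role is not visible here.

```shell
#!/bin/sh
# Juin 2022 : #64088
DB=/var/lib/fail2ban/fail2ban.sqlite3
# sqlite3 would create an empty database (and fail on the missing table) if fail2ban never ran
test -s "$DB" || exit 0
# fail2ban accepts "86400" or "1d"-style values; SQLite date() modifiers need an explicit unit
AGE='{{ fail2ban_recidive_bantime | default(default_dbpurgeage.stdout) }}'
case "$AGE" in
    *w) AGE=$(( ${AGE%w} * 604800 )) ;;
    *d) AGE=$(( ${AGE%d} * 86400 )) ;;
    *h) AGE=$(( ${AGE%h} * 3600 )) ;;
    *m) AGE=$(( ${AGE%m} * 60 )) ;;
    *s) AGE=${AGE%s} ;;
esac
/usr/bin/sqlite3 "$DB" "DELETE FROM bans WHERE date('now', '-${AGE} seconds') > datetime(timeofban, 'unixepoch'); VACUUM;"
```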


@ -1,4 +1,6 @@
---
- hosts: test-kitchen
- hosts: all
become: yes
# gather_facts: no
roles:
- role: fail2ban


@ -488,8 +488,8 @@ EOT
fi
# Dovecot
if is_pkg_installed dovecot-common; then
dovecot_version=$(get_pkg_version dovecot-common)
if is_pkg_installed dovecot-core; then
dovecot_version=$(get_pkg_version dovecot-core)
fi
if [ -n "${dovecot_version}" ]; then
cat <<EOT >> "${ldif_file}"


@ -4,7 +4,7 @@
msg: Not compatible with Debian 11 (Bullseye)
when:
- ansible_distribution_release == "bullseye"
- mongodb_version is version_compare('5.0', '<=')
- mongodb_version is version('5.0', '<=')
- name: MongoDB embedded GPG key is absent


@ -9,7 +9,7 @@ allowed_hosts={{ nagios_nrpe_allowed_hosts | join(',') }}
# System checks
command[check_load]=/usr/lib/nagios/plugins/check_load --percpu --warning=0.7,0.6,0.5 --critical=0.9,0.8,0.7
command[check_swap]=/usr/lib/nagios/plugins/check_swap -a -w 30% -c 20%
command[check_disk1]=/usr/lib/nagios/plugins/check_disk -x /lib/init/rw -x /dev -x /dev/shm -x /sys/kernel/debug/tracing -w 10% -c 3% -W 10% -K 3% -C -w 5% -c 2% -W 5% -K 2% -p /home
command[check_disk1]=/usr/lib/nagios/plugins/check_disk -e -w 10% -c 3% -W 10% -K 3% -C -w 5% -c 2% -W 5% -K 2% -p /home -x /lib/init/rw -x /dev -x /dev/shm -x /run -I '^/run/' -I '^/sys/'
command[check_zombie_procs]=sudo /usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z
command[check_total_procs]=sudo /usr/lib/nagios/plugins/check_procs -w 400 -c 600
command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10


@ -5,7 +5,6 @@ HOMEPREFIX="/home"
rotate () {
mv $1 $1.$DATE
gzip $1.$DATE
touch $1
chown $2 $1
chmod g+r $1
@ -36,5 +35,21 @@ fi;
test -x /usr/sbin/nginx && invoke-rc.d nginx rotate >/dev/null 2>&1
# Zipping is done after web server reload, so that the file descriptor is released.
# Else, an error is raised (gzip file size changed while zipping)
# and logs written during the zipping process might be lost.
for log in access.log access-*.log error.log; do
for i in `ls -1 -d $HOMEPREFIX/*/log/$log 2>/dev/null | grep -v \.bak\.`; do
gzip $i
done
done
for log in production.log delayed_job.log development.log test.log; do
for i in `ls -1 -d $HOMEPREFIX/*/www/{,current/}log/$log 2>/dev/null | grep -v \.bak\.`; do
gzip $i
done
done
# we want exit 0
true
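Review bot: The new gzip loops compress the wrong file: rotate() (first hunk) moves the log to `$1.$DATE` and then `touch`es a fresh `$1`, so after the reload `gzip $HOMEPREFIX/*/log/access.log` compresses the newly created, now-open log and removes it, the web server keeps writing to an unlinked inode until the next reload, and the rotated `.$DATE` file stays uncompressed; the loops should iterate over `for log in access.log.$DATE access-*.log.$DATE error.log.$DATE; do` and `for log in production.log.$DATE delayed_job.log.$DATE development.log.$DATE test.log.$DATE; do`. This assumes the rotate calls earlier in the file (outside the hunk) use the same `$HOMEPREFIX/*/log/$log` paths, which the removed `gzip $1.$DATE` line suggests. Iterating over the glob directly (`for i in $HOMEPREFIX/*/log/$log.$DATE; do [ -f "$i" ] || continue; gzip "$i"; done`) would also avoid parsing `ls` output, and the `{,current/}` brace expansion in the rails loop only works if the interpreter is bash rather than dash, which the shebang (outside the hunk) decides.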


@ -0,0 +1,16 @@
---
- name: "Cherche l'emplacement de userlogrotate"
ansible.builtin.find:
path: /etc
patterns: userlogrotate
register: find_logrotate
- name: "Met-à-jour userlogrotate"
ansible.builtin.copy:
src: userlogrotate
dest: "{{ item }}"
mode: "0755"
loop: "{{ find_logrotate.files }}"
when: find_logrotate.files | length>0
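Review bot: `dest: "{{ item }}"` in the copy task renders the whole `find` result dictionary, not a path — each element of `find_logrotate.files` is a dict, so this needs `dest: "{{ item.path }}"`. `ansible.builtin.find` does not recurse by default, so with `path: /etc` it only matches a file directly in `/etc`; if the script lives in `/etc/cron.daily` or `/etc/cron.weekly`, add `recurse: yes` (and `file_type: file`) or list those directories explicitly. The `when: find_logrotate.files | length>0` guard is redundant with a loop over an empty list and can be dropped.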


@ -1,4 +1,4 @@
Package: php* libapache2-mod-php* libpcre2* libzip4*
Package: php* libapache2-mod-php* libpcre2* libzip4* libgd*
Pin: origin packages.sury.org
Pin-Priority: 999


@ -40,3 +40,4 @@
- php-ssh2
- composer
- libphp-phpmailer
when: ansible_distribution_release != "bullseye"


@ -412,8 +412,8 @@ smtpd_sasl_path = private/auth-client
# Amavis and OpenDKIM
content_filter = smtp-amavis:[127.0.0.1]:10024
smtpd_milters = inet:[127.0.0.1]:54321
non_smtpd_milters = inet:[127.0.0.1]:54321
smtpd_milters = inet:[127.0.0.1]:8891
non_smtpd_milters = inet:[127.0.0.1]:8891
{% if postfix_slow_transport_include == True %}
# Slow transports configuration
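Review bot: The milter port moves from 54321 to 8891 in both `smtpd_milters` and `non_smtpd_milters`, but nothing in this template ties it to the OpenDKIM listener; if the opendkim role still binds 54321 on a host that receives this template, Postfix's default `milter_default_action = tempfail` defers every message. Keeping the port in one variable used by both roles, e.g. `smtpd_milters = inet:[127.0.0.1]:{{ opendkim_port | default(8891) }}`, or confirming the opendkim role changed in the same release, removes that coupling risk.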


@ -1,4 +1,9 @@
---
- name: Remount /usr RW
include_role:
name: evolix/remount-usr
- name: Install evoadmin-mail package
apt:
deb: /tmp/evoadmin-mail.deb
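Review bot: The `Install evoadmin-mail package` task installs `/tmp/evoadmin-mail.deb`, a predictable path in a world-writable directory; staging the package under a root-owned location such as `deb: /root/evoadmin-mail.deb` (with the matching copy task, which is outside this hunk) avoids any question of what a local user could place or race there before apt runs as root. The new `include_role: evolix/remount-usr` has no visible counterpart that remounts `/usr` read-only afterwards; if that role does not do so via a handler, a cleanup step or a comment explaining why `/usr` is left writable is worth adding. The task body continues past the hunk.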


@ -9,7 +9,7 @@
ServerName {{ roundcube_host }}
# Repertoire principal
DocumentRoot /var/lib/roundcube/
DocumentRoot /var/lib/roundcube/public_html
# Return 503 if imapproxy doesn't run
<If "! -f '/run/imapproxy.pid'">


@ -10,7 +10,7 @@ server {
access_log /var/log/nginx/.{{ roundcube_host }}.access.log;
error_log /var/log/nginx/.{{ roundcube_host }}.error.log;
root /var/lib/roundcube/;
root /var/lib/roundcube/public_html;
index index.php;
location / {