diff --git a/CHANGELOG.md b/CHANGELOG.md
index b9152395..58cc82d8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,26 +14,49 @@ The **patch** part changes is incremented if multiple releases happen the same m
### Added
* Preliminary work for php83
+* apt: add task file to install ELTS repository (default: False)
* lxc-php: Allow one to install php83 on Bookworm container
* nagios-nrpe: add check_sentinel for monitoring Redis Sentinel
* webapps/nextcloud: Added var nextcloud_user_uid to enforce uid for nextcloud user
* etc-git: add /var/chroot-bind/etc/bind repo
+* webapps/evoadmin-mail: package can now installed via public.evolix.org/evolix repo starting from Bookworm
+* webapps/nextcloud: Set ownership and permissions of data directory
+* webapps/nextcloud: Add condition for config tasks
+* remount-usr: do not try to remount /usr RW if /usr is not a mounted partition
+* minifirewall: Fix nagios check for old versions of minifirewall
+* webapps/evoadmin-mail: package can now installed via public.evolix.org/evolix repo starting from Bookworm
+* webapps/nextcloud: Set ownership and permissions of data directory
+* webapps/nextcloud: Add condition for config tasks
+* remount-usr: do not try to remount /usr RW if /usr is not a mounted partition
### Changed
* add-vm.sh: allow VM name max length > 20
* apache : fix goaway pattern for bad bots
* apache : rename MaxRequestsPerChild to MaxConnectionsPerChild (new name)
+* apache: use backward compatible Redirect directive
+* apt: Disable archive repository for Debian 8
+* apt: Use the GPG version of the key for Debian 8-9
* bind: Update role for Buster, Bullseye and Bookworm support
+* dovecot: Munin plugin conf path is now `/etc/munin/plugin-conf.d/zzz-dovecot` (instead of `z-evolinux-dovecot`)
* evocheck: upstream release 23.11.1
* evolinux-base: dump-server-state upstream release 23.11
* evolinux-base: use separate default config file for rsyslog
* kvmstats: use .capacity instead of .physical for disk size
* log2mail: move custom config in separate file
* lxc: init /etc git repository in lxc container
+* mysql: disable performance schema for Debian 8
* nagios: rename var `nagios_nrpe_process_processes` into `nagios_nrpe_processes` and check systemd-timesyncd instead of ntpd in Debian 12
* proftpd: in SFTP vhost, enable SSH keys login, enable ed25549 host key for Debian >= 11
+* squid: config directory seems to have changed from /etc/squid3 to /etc/squid in Debian 8
+* unbound: Add config file to allow configuration reload on Debian 11 and lower
+* unbound: Add munin configuration & setup plugin
+* unbound: Big cleanup
+* unbound: Move generated config file to `/etc/unbound/unbound.conf.d/evolinux.conf`
+* unbound: Use root hints provided by debian package dns-root-data instead of downloading them
* vrrpd: variable to force update the switch script (default: false)
+* dovecot: Munin plugin conf path is now `/etc/munin/plugin-conf.d/zzz-dovecot` (instead of `z-evolinux-dovecot`)
+* webapps/nextcloud: Add Ceph volume to fstab
### Fixed
@@ -52,7 +75,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
* certbot: fix hook for dovecot when more than one certificate is used (eg. different certificates for POP3 and IMAP)
* evolinux-base: start to install linux-image-cloud-amd64 with Buster
* apt: use archive.debian.org with Stretch
-
+* webapps/nextcloud: fix Add Ceph volume to fstab : missing UUID= in src
### Removed
diff --git a/apache/files/evolinux-defaults.conf b/apache/files/evolinux-defaults.conf
index 73b7f136..c05f77f2 100644
--- a/apache/files/evolinux-defaults.conf
+++ b/apache/files/evolinux-defaults.conf
@@ -48,17 +48,17 @@ MaxKeepAliveRequests 10
# We don't want to let the client know a file exist on the server,
# so we return 404 "Not found" instead of 403 "Forbidden".
- Redirect 404
+ Redirect 404 "-"
# File names starting with
- Redirect 404
+ Redirect 404 "-"
# File names ending with
- Redirect 404
+ Redirect 404 "-"
diff --git a/apt/defaults/main.yml b/apt/defaults/main.yml
index 3720d893..772a8fb9 100644
--- a/apt/defaults/main.yml
+++ b/apt/defaults/main.yml
@@ -14,6 +14,7 @@ apt_install_backports: False
apt_backports_components: "main"
apt_install_evolix_public: True
+apt_install_extended_lts: False
apt_clean_gandi_sourceslist: False
@@ -28,4 +29,4 @@ apt_check_hold_cron_weekday: "*"
apt_check_hold_cron_day: "*"
apt_check_hold_cron_month: "*"
-apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
\ No newline at end of file
+apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
diff --git a/apt/files/freexian-archive-extended-lts.gpg b/apt/files/freexian-archive-extended-lts.gpg
new file mode 100644
index 00000000..819c10ff
Binary files /dev/null and b/apt/files/freexian-archive-extended-lts.gpg differ
diff --git a/apt/tasks/evolix_public.deb822.yml b/apt/tasks/evolix_public.deb822.yml
index 0a91dddf..0e6639c3 100644
--- a/apt/tasks/evolix_public.deb822.yml
+++ b/apt/tasks/evolix_public.deb822.yml
@@ -24,10 +24,16 @@
owner: root
group: root
+- name: Set Evolix GPG key format to ASC
+ set_fact:
+ apt_evolix_public_key: "{{ apt_keyring_dir }}/pub_evolix.asc"
+ tags:
+ - apt
+
- name: Add Evolix GPG key
ansible.builtin.copy:
src: pub_evolix.asc
- dest: "{{ apt_keyring_dir }}/pub_evolix.asc"
+ dest: "{{ apt_evolix_public_key }}"
force: true
mode: "0644"
owner: root
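Review bot: `apt_evolix_public_key` is given a different meaning here than in the oneline variant of this commit: the `Set Evolix GPG key format to ASC` task stores the full path `{{ apt_keyring_dir }}/pub_evolix.asc`, while `evolix_public.oneline.yml` stores only the file name and `evolix_public.list.j2` prepends `{{ apt_keyring_dir }}/` to it. The two task files are selected by Debian version in `apt/tasks/main.yml`, so they do not collide on one host today, but a fact that is a path on Debian >= 12 and a basename below is an easy trap for the next consumer of the variable. Storing the basename in both and composing the path at the point of use, `dest: "{{ apt_keyring_dir }}/{{ apt_evolix_public_key }}"` as the oneline file already does, removes the ambiguity (the deb822 sources template that reads the fact is not in this diff and would need the same adjustment). The `Add Evolix GPG key` task continues past the end of the hunk.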
diff --git a/apt/tasks/evolix_public.oneline.yml b/apt/tasks/evolix_public.oneline.yml
index 9501e595..165a7b93 100644
--- a/apt/tasks/evolix_public.oneline.yml
+++ b/apt/tasks/evolix_public.oneline.yml
@@ -24,10 +24,26 @@
owner: root
group: root
+- name: Set Evolix GPG key format to GPG (Debian < 9)
+ set_fact:
+ apt_evolix_public_key: "pub_evolix.gpg"
+ when:
+ - ansible_distribution_major_version is version('9', '<')
+ tags:
+ - apt
+
+- name: Set Evolix GPG key format to ASC (Debian >= 9)
+ set_fact:
+ apt_evolix_public_key: "pub_evolix.asc"
+ when:
+ - ansible_distribution_major_version is version('9', '>=')
+ tags:
+ - apt
+
- name: Add Evolix GPG key
ansible.builtin.copy:
- src: pub_evolix.asc
- dest: "{{ apt_keyring_dir }}/pub_evolix.asc"
+ src: "{{ apt_evolix_public_key }}"
+ dest: "{{ apt_keyring_dir }}/{{ apt_evolix_public_key }}"
force: true
mode: "0644"
owner: root
diff --git a/apt/tasks/extended-lts.oneline.yml.yml b/apt/tasks/extended-lts.oneline.yml.yml
new file mode 100644
index 00000000..09974684
--- /dev/null
+++ b/apt/tasks/extended-lts.oneline.yml.yml
@@ -0,0 +1,37 @@
+---
+
+- name: "Ensure {{ apt_keyring_dir }} directory exists"
+ file:
+ path: "{{ apt_keyring_dir }}"
+ state: directory
+ mode: "755"
+ owner: root
+ group: root
+
+- name: Add Evolix GPG key
+ ansible.builtin.copy:
+ src: "freexian-archive-extended-lts.gpg"
+ dest: "{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"
+ force: true
+ mode: "0644"
+ owner: root
+ group: root
+ tags:
+ - apt
+
+- name: ELTS list is installed
+ ansible.builtin.template:
+ src: "{{ ansible_distribution_release }}_extended-lts.list.j2"
+ dest: /etc/apt/sources.list.d/extended-lts.list
+ force: true
+ mode: "0640"
+ register: apt_extended_lts
+ tags:
+ - apt
+
+- name: Apt update
+ ansible.builtin.apt:
+ update_cache: yes
+ tags:
+ - apt
+ when: apt_extended_lts is changed
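Review bot: The key-copy task in this new file is named `Add Evolix GPG key` but installs the Freexian ELTS keyring, so play output will misreport what was done; rename it, e.g. `- name: Add Freexian ELTS GPG key`. The file itself carries a doubled extension, `extended-lts.oneline.yml.yml`, and `apt/tasks/main.yml` imports it under that name, which looks unintended and is worth fixing in both places before anything else references it. `update_cache: yes` in the `Apt update` task mixes a YAML 1.1 truthy with the `True`/`False` spelling used elsewhere in the role — `update_cache: true`. The `ELTS list is installed` template task sets `mode: "0640"` but no owner/group; stating `owner: root` / `group: root` as the key task does makes the intent explicit rather than relying on the play running as root.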
diff --git a/apt/tasks/main.yml b/apt/tasks/main.yml
index 4d357f8b..c20abe54 100644
--- a/apt/tasks/main.yml
+++ b/apt/tasks/main.yml
@@ -80,6 +80,14 @@
- apt_install_evolix_public | bool
- ansible_distribution_major_version is version('12', '>=')
+- name: Install Extended-LTS repositories (Debian < 10)
+ ansible.builtin.import_tasks: extended-lts.oneline.yml.yml
+ tags:
+ - apt
+ when:
+ - apt_install_extended_lts | bool
+ - ansible_distribution_major_version is version('10', '<')
+
- name: Clean GANDI sources
ansible.builtin.file:
path: '{{ item }}'
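Review bot: The guard on `Install Extended-LTS repositories` admits every release below Debian 10, but the commit adds ELTS list templates only for jessie and stretch, so on any older release the imported `ELTS list is installed` task fails looking up `{{ ansible_distribution_release }}_extended-lts.list.j2`. If only those two releases are supported, say so in the condition, `- ansible_distribution_release in ['jessie', 'stretch']`, which also documents where a template must be added for the next one. A `when` on `import_tasks` is evaluated on each imported task rather than once, so the `Apt update` at the end of the imported file is skipped together with the rest when the flag is off.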
@@ -126,4 +134,4 @@
upgrade: dist
when: apt_upgrade | bool
tags:
- - apt
\ No newline at end of file
+ - apt
diff --git a/apt/templates/evolix_public.list.j2 b/apt/templates/evolix_public.list.j2
index e00899e7..7ed18708 100644
--- a/apt/templates/evolix_public.list.j2
+++ b/apt/templates/evolix_public.list.j2
@@ -1,3 +1,3 @@
# {{ ansible_managed }}
-deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix {{ ansible_distribution_release }} main
+deb [signed-by={{ apt_keyring_dir }}/{{ apt_evolix_public_key }}] http://pub.evolix.org/evolix {{ ansible_distribution_release }} main
diff --git a/apt/templates/jessie_basics.list.j2 b/apt/templates/jessie_basics.list.j2
index fad381f8..7d72bfbd 100644
--- a/apt/templates/jessie_basics.list.j2
+++ b/apt/templates/jessie_basics.list.j2
@@ -1,4 +1,5 @@
# {{ ansible_managed }}
-deb http://archive.org/debian jessie {{ apt_basics_components | mandatory }}
-deb http://archive.debian.org/debian-security jessie/updates {{ apt_basics_components | mandatory }}
+### Those repositories are unusable. Move to ELTS (manually).
+# deb http://archive.debian.org/debian jessie {{ apt_basics_components | mandatory }}
+# deb http://archive.debian.org/debian-security jessie/updates {{ apt_basics_components | mandatory }}
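Review bot: With every `deb` line commented out this template now renders an empty sources file, so a jessie host that keeps the new `apt_install_extended_lts` at its default of False is left without any Debian repository, and the comment tells the operator to move to ELTS "(manually)" although this same commit adds an automated path for it. Point the comment at the switch instead: `### archive.debian.org no longer serves jessie; set apt_install_extended_lts: True to use the ELTS repository instead.` The old `archive.org/debian` host name on the removed line was a typo; the commented replacement fixes it, which is fine to keep as a reference.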
diff --git a/apt/templates/jessie_extended-lts.list.j2 b/apt/templates/jessie_extended-lts.list.j2
new file mode 100644
index 00000000..c20be4e7
--- /dev/null
+++ b/apt/templates/jessie_extended-lts.list.j2
@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+
+deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts jessie main
+deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts jessie-lts main
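Review bot: The `signed-by=` value is written in double quotes, whereas `evolix_public.list.j2` in this same commit writes it bare (`[signed-by={{ apt_keyring_dir }}/...]`); I am not certain apt's one-line sources.list option parser strips quotes from an option value, and if it does not the keyring path is taken literally, quotes included, and the repository fails signature verification. Unless the quoted form has been verified on a jessie or stretch host, use the bare form for consistency: `deb [signed-by={{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg] http://elts.evolix.org/extended-lts jessie main`. The same applies to both lines of `stretch_extended-lts.list.j2`.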
diff --git a/apt/templates/stretch_extended-lts.list.j2 b/apt/templates/stretch_extended-lts.list.j2
new file mode 100644
index 00000000..374e571e
--- /dev/null
+++ b/apt/templates/stretch_extended-lts.list.j2
@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+
+deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts stretch main
+deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts stretch-lts main
diff --git a/bind/meta/main.yml b/bind/meta/main.yml
index 6cf180b1..533f4335 100644
--- a/bind/meta/main.yml
+++ b/bind/meta/main.yml
@@ -14,6 +14,8 @@ galaxy_info:
- jessie
- stretch
- buster
+ - bullseye
+ - bookworm
galaxy_tags: []
# Be sure to remove the '[]' above if you add dependencies
diff --git a/dovecot/tasks/munin.yml b/dovecot/tasks/munin.yml
index 7227e991..8d0df9db 100644
--- a/dovecot/tasks/munin.yml
+++ b/dovecot/tasks/munin.yml
@@ -14,11 +14,16 @@
path: /etc/munin/plugins/dovecot
state: absent
- - name: Remove dovecot plugin conf
+ - name: Remove old dovecot plugin conf
ansible.builtin.file:
path: /etc/munin/plugin-conf.d/dovecot
state: absent
+ - name: Remove old dovecot plugin conf
+ ansible.builtin.file:
+ path: /etc/munin/plugin-conf.d/z-evolinux-dovecot
+ state: absent
+
- name: "Remount /usr if needed"
ansible.builtin.include_role:
name: remount-usr
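Review bot: The two removal tasks are now both named `Remove old dovecot plugin conf` but remove different files (`plugin-conf.d/dovecot` and `plugin-conf.d/z-evolinux-dovecot`); identical names make play output and `--start-at-task` ambiguous. Give each the file it touches, e.g. `- name: Remove old dovecot plugin conf (dovecot)` and `- name: Remove old dovecot plugin conf (z-evolinux-dovecot)`. The block these tasks belong to starts before the hunk, so whatever guards it applies to the new task as well.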
@@ -47,7 +52,7 @@
- name: Copy Munin config
ansible.builtin.copy:
src: z-evolinux-dovecot.conf
- dest: /etc/munin/plugin-conf.d/z-evolinux-dovecot
+ dest: /etc/munin/plugin-conf.d/zzz-dovecot
mode: '0644'
notify: restart munin-node
diff --git a/minifirewall/files/check_minifirewall b/minifirewall/files/check_minifirewall
index fc034de4..565a912d 100644
--- a/minifirewall/files/check_minifirewall
+++ b/minifirewall/files/check_minifirewall
@@ -87,7 +87,7 @@ main() {
append_details "configuration is up-to-date"
summary_ok "minifirewall is started and configuration is up-to-date"
else
- if echo "${check_result}" | grep --quiet --regexp 'usage'; then
+ if echo "${check_result}" | grep --ignore-case --quiet --regexp 'usage'; then
append_details "minifirewall is too old to check active configuration"
else
case "${check_rc}" in
diff --git a/mysql/defaults/main.yml b/mysql/defaults/main.yml
index af43f495..871dd599 100644
--- a/mysql/defaults/main.yml
+++ b/mysql/defaults/main.yml
@@ -59,5 +59,5 @@ mysql_binlog_format: mixed
mysql_server_id: null
mysql_bind_address: null
mysql_repl_password: ''
-mysql_read_only: 0
+mysql_read_only: False
diff --git a/mysql/tasks/config_jessie.yml b/mysql/tasks/config_jessie.yml
index 3d8c494d..364ee175 100644
--- a/mysql/tasks/config_jessie.yml
+++ b/mysql/tasks/config_jessie.yml
@@ -2,6 +2,7 @@
- ansible.builtin.set_fact:
mysql_config_directory: /etc/mysql/conf.d
+ mysql_performance_schema: False
- name: "Copy MySQL defaults config file (jessie)"
ansible.builtin.copy:
diff --git a/mysql/templates/evolinux-custom.cnf.j2 b/mysql/templates/evolinux-custom.cnf.j2
index 119943a1..cc66df94 100644
--- a/mysql/templates/evolinux-custom.cnf.j2
+++ b/mysql/templates/evolinux-custom.cnf.j2
@@ -38,7 +38,7 @@ lower_case_table_names = {{ mysql_lower_case_table_names }}
{% if mysql_innodb_log_file_size %}
innodb_log_file_size = {{ mysql_innodb_log_file_size }}
{% endif %}
-read_only = {{ mysql_read_only }}
+read_only = {{ mysql_read_only | bool | ternary('1','0') }}
{% if mysql_performance_schema %}
performance_schema = ON
performance-schema-instrument='stage/%=ON'
diff --git a/remount-usr/tasks/main.yml b/remount-usr/tasks/main.yml
index eb5c0109..18dfe6ce 100644
--- a/remount-usr/tasks/main.yml
+++ b/remount-usr/tasks/main.yml
@@ -1,17 +1,28 @@
---
# findmnt returns 0 on hit, 1 on miss
# If the return code is higher than 1, it's a blocking failure
+
+- name: "check if /usr is a mountpoint"
+ ansible.builtin.shell: "findmnt -n /usr &> /dev/null"
+ register: usr_mount_exists
+ failed_when: False
+ check_mode: False
+ changed_when: False
+
- name: "check if /usr is a read-only partition"
ansible.builtin.command:
cmd: 'findmnt /usr --noheadings --options ro'
+ register: usr_partition
+ when: usr_mount_exists.rc == 0
changed_when: False
failed_when: usr_partition.rc > 1
- check_mode: no
- register: usr_partition
+ check_mode: False
- name: "mount /usr in rw"
ansible.builtin.command:
cmd: 'mount -o remount,rw /usr'
- changed_when: False
- when: usr_partition.rc == 0
+ when:
+ - usr_mount_exists.rc == 0
+ - usr_partition.rc == 0
notify: remount usr
+ changed_when: False
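Review bot: `findmnt -n /usr &> /dev/null` in the new `check if /usr is a mountpoint` task is a bash-ism, and `ansible.builtin.shell` runs under `/bin/sh` (dash on Debian), where `&>` parses as `findmnt -n /usr &` followed by an empty `> /dev/null` command; the task's `rc` is then that of the redirection, i.e. 0, so `usr_mount_exists.rc == 0` holds whether or not /usr is a mountpoint and the guard this commit adds never triggers. The module captures output anyway, so no redirection is needed: `ansible.builtin.command: "findmnt -n /usr"` with the same `register`/`failed_when`/`check_mode`/`changed_when`. If `shell` is kept, use the POSIX form `> /dev/null 2>&1`.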
diff --git a/spamassasin/handlers/main.yml b/spamassasin/handlers/main.yml
index 78597a37..7dbc9c7f 100644
--- a/spamassasin/handlers/main.yml
+++ b/spamassasin/handlers/main.yml
@@ -3,3 +3,8 @@
ansible.builtin.service:
name: spamassassin
state: restarted
+
+- name: restart spamd
+ ansible.builtin.service:
+ name: spamd
+ state: restarted
diff --git a/spamassasin/tasks/main.yml b/spamassasin/tasks/main.yml
index 9f2889ca..fbcd6e5c 100644
--- a/spamassasin/tasks/main.yml
+++ b/spamassasin/tasks/main.yml
@@ -4,6 +4,16 @@
name:
- spamassassin
state: present
+ when: ansible_distribution_major_version is version('12', '<')
+ tags:
+ - spamassassin
+
+- name: install spamd
+ ansible.builtin.apt:
+ name:
+ - spamd
+ state: present
+ when: ansible_distribution_major_version is version('12', '>=')
tags:
- spamassassin
@@ -13,6 +23,17 @@
dest: /etc/spamassassin/local_evolix.cf
mode: "0644"
notify: restart spamassassin
+ when: ansible_distribution_major_version is version('12', '<')
+ tags:
+ - spamassassin
+
+- name: configure spamd
+ ansible.builtin.copy:
+ src: spamassassin.cf
+ dest: /etc/spamassassin/local_evolix.cf
+ mode: "0644"
+ notify: restart spamd
+ when: ansible_distribution_major_version is version('12', '>=')
tags:
- spamassassin
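Review bot: The `configure spamd` task is a copy of the preceding `configure spamassassin` task except for the handler it notifies, so the same file is now declared twice behind complementary `when` guards and the two copies can drift apart. One task with a computed handler keeps a single source of truth: `notify: "{{ (ansible_distribution_major_version is version('12', '<')) | ternary('restart spamassassin', 'restart spamd') }}"`. The install and service hunks of this file follow the same split, but there the package and unit names differ and separate tasks are easier to read.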
@@ -22,6 +43,7 @@
regexp: 'ENABLED=0'
replace: 'ENABLED=1'
notify: restart spamassassin
+ when: ansible_distribution_major_version is version('12', '<')
tags:
- spamassassin
@@ -97,5 +119,15 @@
name: spamassassin
state: started
enabled: True
+ when: ansible_distribution_major_version is version('12', '<')
+ tags:
+ - spamassassin
+
+- name: ensure spamd is started and enabled
+ ansible.builtin.systemd:
+ name: spamd
+ state: started
+ enabled: True
+ when: ansible_distribution_major_version is version('12', '>=')
tags:
- spamassassin
diff --git a/squid/README.md b/squid/README.md
index 8811a91f..aba25b4d 100644
--- a/squid/README.md
+++ b/squid/README.md
@@ -6,7 +6,7 @@ Installation and configuration of Squid
Everything is in the `tasks/main.yml` file.
-A blank file is created at `/etc/squid3/whitelist-custom.conf` to add addresses in the whitelist.
+A blank file is created at `/etc/squid/whitelist-custom.conf` to add addresses in the whitelist.
## Available variables
diff --git a/squid/tasks/main.yml b/squid/tasks/main.yml
index 2f0e94aa..965be04b 100644
--- a/squid/tasks/main.yml
+++ b/squid/tasks/main.yml
@@ -38,14 +38,14 @@
- name: "squid.conf is present (jessie)"
ansible.builtin.template:
src: squid.conf.j2
- dest: /etc/squid3/squid.conf
+ dest: /etc/squid/squid.conf
notify: "restart squid3"
when: ansible_distribution_release == "jessie"
- name: "evolix whitelist is present (jessie)"
ansible.builtin.copy:
src: whitelist-evolinux.conf
- dest: /etc/squid3/whitelist.conf
+ dest: /etc/squid/whitelist.conf
force: false
notify: "reload squid3"
when: ansible_distribution_release == "jessie"
@@ -135,7 +135,7 @@
- name: add some URL in whitelist (Debian 8)
ansible.builtin.lineinfile:
insertafter: EOF
- dest: /etc/squid3/whitelist.conf
+ dest: /etc/squid/whitelist.conf
line: "{{ item }}"
state: present
loop: '{{ squid_whitelist_items }}'
diff --git a/squid/templates/squid.conf.j2 b/squid/templates/squid.conf.j2
index 108a3bc1..4c89a777 100644
--- a/squid/templates/squid.conf.j2
+++ b/squid/templates/squid.conf.j2
@@ -8,7 +8,7 @@ acl localhost src 127.0.0.0/32
acl INTERNE src {{ squid_address }}/32 127.0.0.0/8
acl Safe_ports port 80 # http
acl SSL_ports port 443 563
-acl WHITELIST url_regex "/etc/squid3/whitelist.conf"
+acl WHITELIST url_regex "/etc/squid/whitelist.conf"
http_access deny !WHITELIST
http_access allow INTERNE
http_access deny all
diff --git a/unbound/defaults/main.yml b/unbound/defaults/main.yml
index 86f51822..0d7807c1 100644
--- a/unbound/defaults/main.yml
+++ b/unbound/defaults/main.yml
@@ -1,9 +1,11 @@
---
+
unbound_interfaces:
-- '127.0.0.1'
-- '::1'
+ - '127.0.0.1'
+ - '::1'
+
unbound_acls:
-- '0.0.0.0/0 refuse'
-- '127.0.0.0/8 allow_snoop'
-- '::0/0 refuse'
-- '::1 allow_snoop'
+ - '0.0.0.0/0 refuse'
+ - '127.0.0.0/8 allow_snoop'
+ - '::0/0 refuse'
+ - '::1 allow_snoop'
diff --git a/unbound/files/munin-plugin.conf b/unbound/files/munin-plugin.conf
new file mode 100644
index 00000000..cf008d48
--- /dev/null
+++ b/unbound/files/munin-plugin.conf
@@ -0,0 +1,5 @@
+[unbound*]
+user root
+env.statefile /tmp/munin-unbound-state
+env.unbound_conf /etc/unbound/unbound.conf
+env.unbound_control /usr/sbin/unbound-control
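Review bot: `[unbound*]` runs the plugins as `user root` and points `env.statefile` at `/tmp/munin-unbound-state`, a predictable name in a world-writable directory; a root process writing a fixed `/tmp` path is the classic symlink-race pattern unless the plugin opens the file safely, which cannot be seen from here. munin-node has a per-plugin state directory meant for this (`/var/lib/munin-node/plugin-state/` on Debian, as far as I know); pointing the state file there, e.g. `env.statefile /var/lib/munin-node/plugin-state/unbound-state`, removes the exposure. Whether the plugin really needs root rather than access to the unbound control socket is worth recording in a comment above the stanza.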
diff --git a/unbound/handlers/main.yml b/unbound/handlers/main.yml
index 7c801751..fdb9a629 100644
--- a/unbound/handlers/main.yml
+++ b/unbound/handlers/main.yml
@@ -1,5 +1,15 @@
---
-- name: reload unbound
+- name: Restart unbound
+ ansible.builtin.service:
+ name: unbound
+ state: restarted
+
+- name: Reload unbound
ansible.builtin.service:
name: unbound
state: reloaded
+
+- name: Restart munin-node
+ ansible.builtin.service:
+ name: munin-node
+ state: restarted
diff --git a/unbound/tasks/main.yml b/unbound/tasks/main.yml
index 976c6386..6be337d3 100644
--- a/unbound/tasks/main.yml
+++ b/unbound/tasks/main.yml
@@ -1,38 +1,73 @@
---
- name: Install Unbound package
ansible.builtin.apt:
- name: unbound
+ name:
+ - unbound
+ - unbound-anchor
+ - dns-root-data
state: present
- when: ansible_distribution == "Debian"
tags:
- - unbound
-
-- name: Retrieve list of root DNS servers
- ansible.builtin.get_url:
- url: https://www.internic.net/domain/named.cache
- dest: /etc/unbound/root.hints
- force: true
- mode: "0644"
- notify: reload unbound
- tags:
- - unbound
+ - unbound
- name: Copy Unbound config
ansible.builtin.template:
- src: unbound.conf.j2
- dest: /etc/unbound/unbound.conf
+ src: evolinux.conf.j2
+ dest: /etc/unbound/unbound.conf.d/evolinux.conf
owner: root
group: root
mode: "0644"
- when: ansible_distribution == "Debian"
- notify: reload unbound
+ notify: Reload unbound
tags:
- - unbound
+ - unbound
+
+- name: Copy Unbound config for reloading (Debian 11 and older)
+ ansible.builtin.template:
+ src: evolinux-reload.conf.j2
+ dest: /etc/unbound/unbound.conf.d/evolinux-reload.conf
+ owner: root
+ group: root
+ mode: "0644"
+ when:
+ - ansible_distribution_major_version is version('11', '<=')
+ notify: Restart unbound
+ tags:
+ - unbound
+
+- name: Copy munin plugin config
+ ansible.builtin.copy:
+ src: munin-plugin.conf
+ dest: /etc/munin/plugin-conf.d/unbound
+ owner: root
+ group: root
+ mode: "0644"
+ tags:
+ - unbound
+
+- name: Enable unbound munin plugin
+ ansible.builtin.file:
+ src: /usr/share/munin/plugins/unbound_munin_
+ dest: "/etc/munin/plugins/unbound_munin_{{ plugin_name }}"
+ state: link
+ loop:
+ - hits
+ - queue
+ - memory
+ - by_type
+ - by_class
+ - by_opcode
+ - by_rcode
+ - by_flags
+ - histogram
+ loop_control:
+ loop_var: plugin_name
+ notify: Restart munin-node
+ tags:
+ - unbound
- name: Starting and enabling Unbound
ansible.builtin.service:
name: unbound
- enabled: yes
+ enabled: true
state: started
tags:
- - unbound
+ - unbound
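Review bot: The `Copy munin plugin config` task writes `/etc/munin/plugin-conf.d/unbound` without a `notify`, so a change to that file alone (state file path, user) is never picked up until something else restarts munin-node; add `notify: Restart munin-node` as the `Enable unbound munin plugin` task below it does. That loop also assumes `/usr/share/munin/plugins/unbound_munin_` exists, and none of the packages in the first task obviously provides it — I believe it ships with a munin plugins package rather than with unbound, so either install it here or note the dependency in a comment to avoid a failing `state: link` on a fresh host.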
diff --git a/unbound/templates/evolinux-reload.conf.j2 b/unbound/templates/evolinux-reload.conf.j2
new file mode 100644
index 00000000..f2f395ae
--- /dev/null
+++ b/unbound/templates/evolinux-reload.conf.j2
@@ -0,0 +1,7 @@
+# {{ ansible_managed }}
+
+remote-control:
+ control-enable: yes
+ # by default the control interface is is 127.0.0.1 and ::1 and port 8953
+ # it is possible to use a unix socket too
+ control-interface: /run/unbound.ctl
diff --git a/unbound/templates/evolinux.conf.j2 b/unbound/templates/evolinux.conf.j2
new file mode 100644
index 00000000..339dfe45
--- /dev/null
+++ b/unbound/templates/evolinux.conf.j2
@@ -0,0 +1,53 @@
+server:
+ #interface: X.X.X.X
+ #interface: 127.0.0.1@5353 # listen on alternative port
+{% for interface in unbound_interfaces %}
+ interface: {{ interface }}
+{% endfor %}
+
+{% for acl in unbound_acls %}
+ access-control: {{ acl }}
+{% endfor %}
+
+ hide-identity: yes
+ hide-version: yes
+
+ root-hints: "/usr/share/dns/root.hints"
+
+ # Uncomment to enable DNSSEC validation.
+ #auto-trust-anchor-file: "/etc/unbound/root.key"
+
+ # Enable extended stats for munin plugin
+ extended-statistics: yes
+ statistics-cumulative: no
+ statistics-interval: 0
+
+
+ # Serve zones authoritatively from Unbound to resolver clients.
+ # Not for external service.
+
+ #local-zone: "local." static
+ #local-data: "mycomputer.local. IN A 192.0.2.51"
+ #local-zone: "2.0.192.in-addr.arpa." static
+ #local-data-ptr: "192.0.2.51 mycomputer.local
+ # UDP EDNS reassembly buffer advertised to peers. Default 4096.
+ # May need lowering on broken networks with fragmentation/MTU issues,
+ # particularly if validating DNSSEC.
+
+ #edns-buffer-size: 1480
+ # Use TCP for "forward-zone" requests. Useful if you are making
+ # DNS requests over an SSH port forwarding.
+ #tcp-upstream: yes
+
+
+# Use an upstream forwarder (recursive resolver) for specific zones.
+# Example addresses given below are public resolvers valid as of 2014/03.
+#
+#forward-zone:
+# name: "." # use for ALL queries
+# forward-addr: 74.82.42.42 # he.net
+# forward-addr: 2001:470:20::2 # he.net v6
+# forward-addr: 8.8.8.8 # google.com
+# forward-addr: 2001:4860:4860::8888 # google.com v6
+# forward-addr: 208.67.222.222 # opendns.com
+# forward-first: yes # try direct if forwarder fails
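Review bot: `auto-trust-anchor-file` stays commented out, so this template by itself does not turn on DNSSEC validation even though the role now installs `unbound-anchor` and `dns-root-data`. On Debian the packaged unbound ships its own drop-in under `/etc/unbound/unbound.conf.d/` that sets the trust anchor, which I believe is what keeps validation on here, but confirm it and then either say so in a comment, `# DNSSEC validation is enabled by the unbound package's own unbound.conf.d drop-in`, or enable it explicitly so the role's config is self-describing. The `forward-zone` example block ("valid as of 2014/03") was carried over from the deleted template and could be dropped rather than kept stale.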
diff --git a/unbound/templates/unbound.conf.j2 b/unbound/templates/unbound.conf.j2
deleted file mode 100644
index a97e725d..00000000
--- a/unbound/templates/unbound.conf.j2
+++ /dev/null
@@ -1,45 +0,0 @@
-server:
- #interface: X.X.X.X
- #interface: 127.0.0.1@5353 # listen on alternative port
-{% for interface in unbound_interfaces %}
- interface: {{ interface }}
-{% endfor %}
- #do-ip6: no
-
-{% for acl in unbound_acls %}
- access-control: {{ acl }}
-{% endfor %}
-
- hide-identity: yes
- hide-version: yes
-
- root-hints: "/etc/unbound/root.hints"
- # Uncomment to enable DNSSEC validation.
- #auto-trust-anchor-file: "/etc/unbound/root.key"
- # Serve zones authoritatively from Unbound to resolver clients.
- # Not for external service.
-
- #local-zone: "local." static
- #local-data: "mycomputer.local. IN A 192.0.2.51"
- #local-zone: "2.0.192.in-addr.arpa." static
- #local-data-ptr: "192.0.2.51 mycomputer.local
- # UDP EDNS reassembly buffer advertised to peers. Default 4096.
- # May need lowering on broken networks with fragmentation/MTU issues,
- # particularly if validating DNSSEC.
-
- #edns-buffer-size: 1480
- # Use TCP for "forward-zone" requests. Useful if you are making
- # DNS requests over an SSH port forwarding.
- #tcp-upstream: yes
-
-# Use an upstream forwarder (recursive resolver) for specific zones.
-# Example addresses given below are public resolvers valid as of 2014/03.
-#
-#forward-zone:
-# name: "." # use for ALL queries
-# forward-addr: 74.82.42.42 # he.net
-# forward-addr: 2001:470:20::2 # he.net v6
-# forward-addr: 8.8.8.8 # google.com
-# forward-addr: 2001:4860:4860::8888 # google.com v6
-# forward-addr: 208.67.222.222 # opendns.com
-# forward-first: yes # try direct if forwarder fails
diff --git a/webapps/evoadmin-mail/tasks/main.yml b/webapps/evoadmin-mail/tasks/main.yml
index a1018eca..1b2c9356 100644
--- a/webapps/evoadmin-mail/tasks/main.yml
+++ b/webapps/evoadmin-mail/tasks/main.yml
@@ -4,10 +4,27 @@
ansible.builtin.include_role:
name: evolix/remount-usr
+- name: Get evoadmin-mail package
+ ansible.builtin.get_url:
+ url: https://pub.evolix.org/evolix/pool/main/e/evoadmin-mail/evoadmin-mail_1.0.9-1_all.deb
+ dest: /tmp/evoadmin-mail.deb
+ when: ansible_distribution_major_version is version('12', '<')
+ tags:
+ - evoadmin-mail
+
- name: Install evoadmin-mail package
ansible.builtin.apt:
deb: /tmp/evoadmin-mail.deb
state: present
+ when: ansible_distribution_major_version is version('12', '<')
+ tags:
+ - evoadmin-mail
+
+- name: Install evoadmin-mail package
+ ansible.builtin.apt:
+ name: evoadmin-mail
+ state: present
+ when: ansible_distribution_major_version is version('12', '>=')
tags:
- evoadmin-mail
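Review bot: The new `Get evoadmin-mail package` task downloads a `.deb` with no `checksum:` parameter, and installing it through `apt` with `deb:` bypasses repository signature checks, so nothing verifies what lands in `/tmp/evoadmin-mail.deb` before it is installed as root; pin it with `checksum: "sha256:<EXPECTED_SHA256>"` (placeholder — fill in from a trusted copy of the package). Both install tasks also share the name `Install evoadmin-mail package`, which makes play output and `--start-at-task` ambiguous; suffix them with `(Debian < 12)` / `(Debian >= 12)`. The fixed drop location in world-writable `/tmp` is also worth moving to a root-owned directory such as one under `/root` or `/var/cache`.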
diff --git a/webapps/nextcloud/defaults/main.yml b/webapps/nextcloud/defaults/main.yml
index 72ce812d..ca42901e 100644
--- a/webapps/nextcloud/defaults/main.yml
+++ b/webapps/nextcloud/defaults/main.yml
@@ -17,3 +17,5 @@ nextcloud_db_name: "{{ nextcloud_instance_name }}"
nextcloud_admin_login: "admin"
nextcloud_admin_password: ""
+
+nextcloud_do_config: True
diff --git a/webapps/nextcloud/tasks/main.yml b/webapps/nextcloud/tasks/main.yml
index 02304334..5329646e 100644
--- a/webapps/nextcloud/tasks/main.yml
+++ b/webapps/nextcloud/tasks/main.yml
@@ -54,3 +54,4 @@
- ansible.builtin.include: mysql-user.yml
- ansible.builtin.include: config.yml
+ when: nextcloud_do_config
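Review bot: `when: nextcloud_do_config` relies on the value being a real boolean; if an operator overrides it from the command line (`-e nextcloud_do_config=false`) the string `false` is non-empty and therefore truthy, so `config.yml` still runs. The rest of this commit filters such flags (`apt_install_extended_lts | bool`), so do the same here: `when: nextcloud_do_config | bool`. `ansible.builtin.include` on these lines is deprecated in ansible-core and `include_tasks` is the drop-in replacement, though that predates this change.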
diff --git a/webapps/nextcloud/tasks/user.yml b/webapps/nextcloud/tasks/user.yml
index c0ce5172..020fce90 100644
--- a/webapps/nextcloud/tasks/user.yml
+++ b/webapps/nextcloud/tasks/user.yml
@@ -43,7 +43,14 @@
- name: Mount up Ceph volume by UUID
ansible.posix.mount:
path: "{{ nextcloud_data }}"
- src: "{{ nextcloud_data_uuid }}"
+ src: "UUID={{ nextcloud_data_uuid }}"
fstype: ext4
opts: defaults,noexec,nosuid,nodev,relatime,lazytime
- state: present
+ state: mounted
+
+- name: Set volume's root permissions and ownership
+ ansible.builtin.file:
+ path: "{{ nextcloud_data }}"
+ owner: "{{ nextcloud_user }}"
+ group: "{{ nextcloud_user }}"
+ mode: "0700"