From 87327636979817d1f59429392c3c405684b58a7e Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Tue, 5 Dec 2023 11:50:24 +0100 Subject: [PATCH 01/22] webapps/evoadmin-mail: package can now installed via public.evolix.org/evolix repo starting from Bookworm --- CHANGELOG.md | 1 + webapps/evoadmin-mail/tasks/main.yml | 17 +++++++++++++++++ 2 files changed, 18 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b9152395..a229af4f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * nagios-nrpe: add check_sentinel for monitoring Redis Sentinel * webapps/nextcloud: Added var nextcloud_user_uid to enforce uid for nextcloud user * etc-git: add /var/chroot-bind/etc/bind repo +* webapps/evoadmin-mail: package can now installed via public.evolix.org/evolix repo starting from Bookworm ### Changed diff --git a/webapps/evoadmin-mail/tasks/main.yml b/webapps/evoadmin-mail/tasks/main.yml index a1018eca..1b2c9356 100644 --- a/webapps/evoadmin-mail/tasks/main.yml +++ b/webapps/evoadmin-mail/tasks/main.yml @@ -4,10 +4,27 @@ ansible.builtin.include_role: name: evolix/remount-usr +- name: Get evoadmin-mail package + ansible.builtin.get_url: + url: https://pub.evolix.org/evolix/pool/main/e/evoadmin-mail/evoadmin-mail_1.0.9-1_all.deb + dest: /tmp/evoadmin-mail.deb + when: ansible_distribution_major_version is version('12', '<') + tags: + - evoadmin-mail + - name: Install evoadmin-mail package ansible.builtin.apt: deb: /tmp/evoadmin-mail.deb state: present + when: ansible_distribution_major_version is version('12', '<') + tags: + - evoadmin-mail + +- name: Install evoadmin-mail package + ansible.builtin.apt: + name: evoadmin-mail + state: present + when: ansible_distribution_major_version is version('12', '>=') tags: - evoadmin-mail -- 2.39.2 From df05c9550be816da93338bd9fd6f5603d80cd857 Mon Sep 17 00:00:00 2001 
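Review bot: The added `get_url` task writes the package to the fixed path `/tmp/evoadmin-mail.deb` with no `checksum`, and the `apt: deb:` task that follows installs whatever file sits at that path as root. Because `get_url` skips the download when `dest` already exists (its `force` default), a file already present in that world-writable location would be installed unverified. Pin the artifact with `checksum: "sha256:<digest of evoadmin-mail_1.0.9-1_all.deb>"` and prefer a `dest` that only root can write. The two install tasks also share the name `Install evoadmin-mail package`; adding the Debian range to each name would make run output unambiguous.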
From: Alexis Ben Miloud--Josselin Date: Thu, 7 Dec 2023 09:34:04 +0100 Subject: [PATCH 02/22] webapps/nextcloud: Ajouter volume dans fstab --- webapps/nextcloud/tasks/user.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webapps/nextcloud/tasks/user.yml b/webapps/nextcloud/tasks/user.yml index c0ce5172..0d999479 100644 --- a/webapps/nextcloud/tasks/user.yml +++ b/webapps/nextcloud/tasks/user.yml @@ -46,4 +46,4 @@ src: "{{ nextcloud_data_uuid }}" fstype: ext4 opts: defaults,noexec,nosuid,nodev,relatime,lazytime - state: present + state: mounted -- 2.39.2 From 2bc83052b8565877cfac2ef7eddd52fa6c826bfd Mon Sep 17 00:00:00 2001 From: Alexis Ben Miloud--Josselin Date: Thu, 7 Dec 2023 09:42:34 +0100 Subject: [PATCH 03/22] webapps/nextcloud: Set owner and mode once mounted --- webapps/nextcloud/tasks/user.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/webapps/nextcloud/tasks/user.yml b/webapps/nextcloud/tasks/user.yml index 0d999479..a9682914 100644 --- a/webapps/nextcloud/tasks/user.yml +++ b/webapps/nextcloud/tasks/user.yml @@ -47,3 +47,10 @@ fstype: ext4 opts: defaults,noexec,nosuid,nodev,relatime,lazytime state: mounted + +- name: Set volume's root permissions and ownership + ansible.builtin.file: + path: "{{ nextcloud_data }}" + owner: "{{ nextcloud_user }}" + group: "{{ nextcloud_user }}" + mode: "0700" -- 2.39.2 From 646049ad2ff62b502edf1ec84650f80423165dd0 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Thu, 7 Dec 2023 10:03:28 +0100 Subject: [PATCH 04/22] dovecot: Munin plugin conf path is now /etc/munin/plugin-conf.d/zzz-dovecot (instead of z-evolinux-dovecot) --- CHANGELOG.md | 1 + dovecot/tasks/munin.yml | 9 +++++++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a229af4f..9cbf8485 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -35,6 +35,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * nagios: rename var `nagios_nrpe_process_processes` into `nagios_nrpe_processes` and check systemd-timesyncd instead of ntpd in Debian 12 * proftpd: in SFTP vhost, enable SSH keys login, enable ed25549 host key for Debian >= 11 * vrrpd: variable to force update the switch script (default: false) +* dovecot: Munin plugin conf path is now `/etc/munin/plugin-conf.d/zzz-dovecot` (instead of `z-evolinux-dovecot`) ### Fixed diff --git a/dovecot/tasks/munin.yml b/dovecot/tasks/munin.yml index 7227e991..8d0df9db 100644 --- a/dovecot/tasks/munin.yml +++ b/dovecot/tasks/munin.yml @@ -14,11 +14,16 @@ path: /etc/munin/plugins/dovecot state: absent - - name: Remove dovecot plugin conf + - name: Remove old dovecot plugin conf ansible.builtin.file: path: /etc/munin/plugin-conf.d/dovecot state: absent + - name: Remove old dovecot plugin conf + ansible.builtin.file: + path: /etc/munin/plugin-conf.d/z-evolinux-dovecot + state: absent + - name: "Remount /usr if needed" ansible.builtin.include_role: name: remount-usr @@ -47,7 +52,7 @@ - name: Copy Munin config ansible.builtin.copy: src: z-evolinux-dovecot.conf - dest: /etc/munin/plugin-conf.d/z-evolinux-dovecot + dest: /etc/munin/plugin-conf.d/zzz-dovecot mode: '0644' notify: restart munin-node -- 2.39.2 From 63973fc2b7d5b42fbbbdef212353ca0eebf04230 Mon Sep 17 00:00:00 2001 From: Alexis Ben Miloud--Josselin Date: Thu, 7 Dec 2023 10:18:09 +0100 Subject: [PATCH 05/22] webapps/nextcloud: Add condition for config tasks And update CHANGELOG --- CHANGELOG.md | 3 +++ webapps/nextcloud/defaults/main.yml | 2 ++ webapps/nextcloud/tasks/main.yml | 1 + 3 files changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9cbf8485..6136e02c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -19,6 +19,8 @@ The **patch** part changes is incremented if multiple releases happen the same m * webapps/nextcloud: Added var nextcloud_user_uid to enforce uid for nextcloud user * etc-git: add /var/chroot-bind/etc/bind repo * webapps/evoadmin-mail: package can now installed via public.evolix.org/evolix repo starting from Bookworm +* webapps/nextcloud: Set ownership and permissions of data directory +* webapps/nextcloud: Add condition for config tasks ### Changed @@ -36,6 +38,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * proftpd: in SFTP vhost, enable SSH keys login, enable ed25549 host key for Debian >= 11 * vrrpd: variable to force update the switch script (default: false) * dovecot: Munin plugin conf path is now `/etc/munin/plugin-conf.d/zzz-dovecot` (instead of `z-evolinux-dovecot`) +* webapps/nextcloud: Add Ceph volume to fstab ### Fixed diff --git a/webapps/nextcloud/defaults/main.yml b/webapps/nextcloud/defaults/main.yml index 72ce812d..ca42901e 100644 --- a/webapps/nextcloud/defaults/main.yml +++ b/webapps/nextcloud/defaults/main.yml @@ -17,3 +17,5 @@ nextcloud_db_name: "{{ nextcloud_instance_name }}" nextcloud_admin_login: "admin" nextcloud_admin_password: "" + +nextcloud_do_config: True diff --git a/webapps/nextcloud/tasks/main.yml b/webapps/nextcloud/tasks/main.yml index 02304334..5329646e 100644 --- a/webapps/nextcloud/tasks/main.yml +++ b/webapps/nextcloud/tasks/main.yml @@ -54,3 +54,4 @@ - ansible.builtin.include: mysql-user.yml - ansible.builtin.include: config.yml + when: nextcloud_do_config -- 2.39.2 From f023d7093ed775fa2e8672a84d5e2f6612858618 Mon Sep 17 00:00:00 2001 From: Tom David--Broglio Date: Thu, 7 Dec 2023 11:02:04 +0100 Subject: [PATCH 06/22] fix Add Ceph volume to fstab : missing UUID= in src --- CHANGELOG.md | 2 +- webapps/nextcloud/tasks/user.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6136e02c..6d0bb0b5 100644 
--- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -57,7 +57,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * certbot: fix hook for dovecot when more than one certificate is used (eg. different certificates for POP3 and IMAP) * evolinux-base: start to install linux-image-cloud-amd64 with Buster * apt: use archive.debian.org with Stretch - +* webapps/nextcloud: fix Add Ceph volume to fstab : missing UUID= in src ### Removed diff --git a/webapps/nextcloud/tasks/user.yml b/webapps/nextcloud/tasks/user.yml index a9682914..020fce90 100644 --- a/webapps/nextcloud/tasks/user.yml +++ b/webapps/nextcloud/tasks/user.yml @@ -43,7 +43,7 @@ - name: Mount up Ceph volume by UUID ansible.posix.mount: path: "{{ nextcloud_data }}" - src: "{{ nextcloud_data_uuid }}" + src: "UUID={{ nextcloud_data_uuid }}" fstype: ext4 opts: defaults,noexec,nosuid,nodev,relatime,lazytime state: mounted -- 2.39.2 From 958d78c0d0a86d597599f3f5a9d1a40d90a9624d Mon Sep 17 00:00:00 2001 
From: Ludovic Poujol Date: Fri, 8 Dec 2023 16:13:41 +0100 Subject: [PATCH 07/22] Unbound: Big update & enhancements * Move configuration generated to /etc/unbound/unbound.conf.d/evolinux.conf so we don't override default config file * Make use of root hints provided by dns-root-data instead of downloading them * Add configuration to ensure that configuration reload work out of the box on Debian11 and old * Add required configuration in Unbound and munin to allow tge plugin to work * Make ansible-lint a bit more happy --- CHANGELOG.md | 5 ++ unbound/defaults/main.yml | 14 +++-- unbound/files/munin-plugin.conf | 5 ++ unbound/handlers/main.yml | 12 +++- unbound/tasks/main.yml | 75 +++++++++++++++++------ unbound/templates/evolinux-reload.conf.j2 | 7 +++ unbound/templates/evolinux.conf.j2 | 53 ++++++++++++++++ unbound/templates/unbound.conf.j2 | 45 -------------- 8 files changed, 144 insertions(+), 72 deletions(-) create mode 100644 unbound/files/munin-plugin.conf create mode 100644 unbound/templates/evolinux-reload.conf.j2 create mode 100644 unbound/templates/evolinux.conf.j2 delete mode 100644 unbound/templates/unbound.conf.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index 6d0bb0b5..8ec16853 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -38,6 +38,11 @@ The **patch** part changes is incremented if multiple releases happen the same m * proftpd: in SFTP vhost, enable SSH keys login, enable ed25549 host key for Debian >= 11 * vrrpd: variable to force update the switch script (default: false) * dovecot: Munin plugin conf path is now `/etc/munin/plugin-conf.d/zzz-dovecot` (instead of `z-evolinux-dovecot`) +* unbound: Big cleanup +* unbound: Use root hints provided by debian package dns-root-data instead of downloading them +* unbound: Move generated config file to `/etc/unbound/unbound.conf.d/evolinux.conf` +* unbound: Add config file to allow configuration reload on Debian 11 and lower +* unbound: Add munin configuration & setup plugin * webapps/nextcloud: Add Ceph volume to fstab ### Fixed diff --git a/unbound/defaults/main.yml b/unbound/defaults/main.yml index 86f51822..0d7807c1 100644 --- a/unbound/defaults/main.yml +++ b/unbound/defaults/main.yml @@ -1,9 +1,11 @@ --- + unbound_interfaces: -- '127.0.0.1' -- '::1' + - '127.0.0.1' + - '::1' + unbound_acls: -- '0.0.0.0/0 refuse' -- '127.0.0.0/8 allow_snoop' -- '::0/0 refuse' -- '::1 allow_snoop' + - '0.0.0.0/0 refuse' + - '127.0.0.0/8 allow_snoop' + - '::0/0 refuse' + - '::1 allow_snoop' diff --git a/unbound/files/munin-plugin.conf b/unbound/files/munin-plugin.conf new file mode 100644 index 00000000..cf008d48 --- /dev/null +++ b/unbound/files/munin-plugin.conf @@ -0,0 +1,5 @@ +[unbound*] +user root +env.statefile /tmp/munin-unbound-state +env.unbound_conf /etc/unbound/unbound.conf +env.unbound_control /usr/sbin/unbound-control diff --git a/unbound/handlers/main.yml b/unbound/handlers/main.yml index 7c801751..fdb9a629 100644 --- a/unbound/handlers/main.yml +++ b/unbound/handlers/main.yml 
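Review bot: `env.statefile /tmp/munin-unbound-state` together with `user root` has a root-run plugin keeping its state under a predictable name in a world-writable directory. Assuming the plugin creates or rewrites that file, any local account can pre-create or symlink the path first; kernel symlink protections reduce that risk but do not remove it. Point the state file at a directory only root can write, e.g. `env.statefile <munin plugin-state dir>/munin-unbound-state`.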
@@ -1,5 +1,15 @@ --- -- name: reload unbound +- name: Restart unbound + ansible.builtin.service: + name: unbound + state: restarted + +- name: Reload unbound ansible.builtin.service: name: unbound state: reloaded + +- name: Restart munin-node + ansible.builtin.service: + name: munin-node + state: restarted diff --git a/unbound/tasks/main.yml b/unbound/tasks/main.yml index 976c6386..6be337d3 100644 --- a/unbound/tasks/main.yml +++ b/unbound/tasks/main.yml 
@@ -1,38 +1,73 @@ --- - name: Install Unbound package ansible.builtin.apt: - name: unbound + name: + - unbound + - unbound-anchor + - dns-root-data state: present - when: ansible_distribution == "Debian" tags: - - unbound - -- name: Retrieve list of root DNS servers - ansible.builtin.get_url: - url: https://www.internic.net/domain/named.cache - dest: /etc/unbound/root.hints - force: true - mode: "0644" - notify: reload unbound - tags: - - unbound + - unbound - name: Copy Unbound config ansible.builtin.template: - src: unbound.conf.j2 - dest: /etc/unbound/unbound.conf + src: evolinux.conf.j2 + dest: /etc/unbound/unbound.conf.d/evolinux.conf owner: root group: root mode: "0644" - when: ansible_distribution == "Debian" - notify: reload unbound + notify: Reload unbound tags: - - unbound + - unbound + +- name: Copy Unbound config for reloading (Debian 11 and older) + ansible.builtin.template: + src: evolinux-reload.conf.j2 + dest: /etc/unbound/unbound.conf.d/evolinux-reload.conf + owner: root + group: root + mode: "0644" + when: + - ansible_distribution_major_version is version('11', '<=') + notify: Restart unbound + tags: + - unbound + +- name: Copy munin plugin config + ansible.builtin.copy: + src: munin-plugin.conf + dest: /etc/munin/plugin-conf.d/unbound + owner: root + group: root + mode: "0644" + tags: + - unbound + +- name: Enable unbound munin plugin + ansible.builtin.file: + src: /usr/share/munin/plugins/unbound_munin_ + dest: "/etc/munin/plugins/unbound_munin_{{ plugin_name }}" + state: link + loop: + - hits + - queue + - memory + - by_type + - by_class + - by_opcode + - by_rcode + - by_flags + - histogram + loop_control: + loop_var: plugin_name + notify: Restart munin-node + tags: + - unbound - name: Starting and enabling Unbound ansible.builtin.service: name: unbound - enabled: yes + enabled: true state: started tags: - - unbound + - unbound 
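Review bot: `Copy munin plugin config` has no `notify: Restart munin-node`, so a later change to `/etc/munin/plugin-conf.d/unbound` is not picked up until something else restarts munin-node; only the symlink task notifies the handler. Both Munin tasks also run unconditionally and nothing in this hunk installs munin-node or creates `/etc/munin`, so the role presumably fails on hosts without Munin; a guard or a documented dependency on the Munin role would help. The removed `when: ansible_distribution == "Debian"` is not replaced, although the new reload task compares `ansible_distribution_major_version` with '11', which is only meaningful on Debian.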
diff --git a/unbound/templates/evolinux-reload.conf.j2 b/unbound/templates/evolinux-reload.conf.j2 new file mode 100644 index 00000000..f2f395ae --- /dev/null +++ b/unbound/templates/evolinux-reload.conf.j2 @@ -0,0 +1,7 @@ +# {{ ansible_managed }} + +remote-control: + control-enable: yes + # by default the control interface is is 127.0.0.1 and ::1 and port 8953 + # it is possible to use a unix socket too + control-interface: /run/unbound.ctl diff --git a/unbound/templates/evolinux.conf.j2 b/unbound/templates/evolinux.conf.j2 new file mode 100644 index 00000000..339dfe45 --- /dev/null +++ b/unbound/templates/evolinux.conf.j2 
@@ -0,0 +1,53 @@ +server: + #interface: X.X.X.X + #interface: 127.0.0.1@5353 # listen on alternative port +{% for interface in unbound_interfaces %} + interface: {{ interface }} +{% endfor %} + +{% for acl in unbound_acls %} + access-control: {{ acl }} +{% endfor %} + + hide-identity: yes + hide-version: yes + + root-hints: "/usr/share/dns/root.hints" + + # Uncomment to enable DNSSEC validation. + #auto-trust-anchor-file: "/etc/unbound/root.key" + + # Enable extended stats for munin plugin + extended-statistics: yes + statistics-cumulative: no + statistics-interval: 0 + + + # Serve zones authoritatively from Unbound to resolver clients. + # Not for external service. + + #local-zone: "local." static + #local-data: "mycomputer.local. IN A 192.0.2.51" + #local-zone: "2.0.192.in-addr.arpa." static + #local-data-ptr: "192.0.2.51 mycomputer.local + # UDP EDNS reassembly buffer advertised to peers. Default 4096. + # May need lowering on broken networks with fragmentation/MTU issues, + # particularly if validating DNSSEC. + + #edns-buffer-size: 1480 + # Use TCP for "forward-zone" requests. Useful if you are making + # DNS requests over an SSH port forwarding. + #tcp-upstream: yes + + +# Use an upstream forwarder (recursive resolver) for specific zones. +# Example addresses given below are public resolvers valid as of 2014/03. +# +#forward-zone: +# name: "." # use for ALL queries +# forward-addr: 74.82.42.42 # he.net +# forward-addr: 2001:470:20::2 # he.net v6 +# forward-addr: 8.8.8.8 # google.com +# forward-addr: 2001:4860:4860::8888 # google.com v6 +# forward-addr: 208.67.222.222 # opendns.com +# forward-first: yes # try direct if forwarder fails diff --git a/unbound/templates/unbound.conf.j2 b/unbound/templates/unbound.conf.j2 deleted file mode 100644 index a97e725d..00000000 --- a/unbound/templates/unbound.conf.j2 +++ /dev/null 
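Review bot: The DNSSEC block is stale for the new layout: it still reads `# Uncomment to enable DNSSEC validation.` with `/etc/unbound/root.key`, although this file is now a drop-in beside the packaged configuration and the role installs `unbound-anchor`. Whether validation is active therefore depends on the distribution's own `unbound.conf.d` files, which this patch does not show. State the expected result in the comment so an operator does not add a second, conflicting trust anchor, e.g. `# DNSSEC trust anchor: left to the packaged unbound.conf.d drop-in (verify it is present)`. The commented example `#local-data-ptr: "192.0.2.51 mycomputer.local` is also missing its closing quote and would break the configuration if uncommented as written.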
@@ -1,45 +0,0 @@ -server: - #interface: X.X.X.X - #interface: 127.0.0.1@5353 # listen on alternative port -{% for interface in unbound_interfaces %} - interface: {{ interface }} -{% endfor %} - #do-ip6: no - -{% for acl in unbound_acls %} - access-control: {{ acl }} -{% endfor %} - - hide-identity: yes - hide-version: yes - - root-hints: "/etc/unbound/root.hints" - # Uncomment to enable DNSSEC validation. - #auto-trust-anchor-file: "/etc/unbound/root.key" - # Serve zones authoritatively from Unbound to resolver clients. - # Not for external service. - - #local-zone: "local." static - #local-data: "mycomputer.local. IN A 192.0.2.51" - #local-zone: "2.0.192.in-addr.arpa." static - #local-data-ptr: "192.0.2.51 mycomputer.local - # UDP EDNS reassembly buffer advertised to peers. Default 4096. - # May need lowering on broken networks with fragmentation/MTU issues, - # particularly if validating DNSSEC. - - #edns-buffer-size: 1480 - # Use TCP for "forward-zone" requests. Useful if you are making - # DNS requests over an SSH port forwarding. - #tcp-upstream: yes - -# Use an upstream forwarder (recursive resolver) for specific zones. -# Example addresses given below are public resolvers valid as of 2014/03. -# -#forward-zone: -# name: "." # use for ALL queries -# forward-addr: 74.82.42.42 # he.net -# forward-addr: 2001:470:20::2 # he.net v6 -# forward-addr: 8.8.8.8 # google.com -# forward-addr: 2001:4860:4860::8888 # google.com v6 -# forward-addr: 208.67.222.222 # opendns.com -# forward-first: yes # try direct if forwarder fails -- 2.39.2 From 709464d5e2334908d15a60f8ca2c9bcee75829dd Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 9 Dec 2023 10:00:30 +0100 Subject: [PATCH 08/22] apt: fix Jessie repository --- apt/templates/jessie_basics.list.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apt/templates/jessie_basics.list.j2 b/apt/templates/jessie_basics.list.j2 index fad381f8..a3b4aea8 100644 --- a/apt/templates/jessie_basics.list.j2 
+++ b/apt/templates/jessie_basics.list.j2 @@ -1,4 +1,4 @@ # {{ ansible_managed }} -deb http://archive.org/debian jessie {{ apt_basics_components | mandatory }} +deb http://archive.debian.org/debian jessie {{ apt_basics_components | mandatory }} deb http://archive.debian.org/debian-security jessie/updates {{ apt_basics_components | mandatory }} -- 2.39.2 From 28f478defe00ba6d7ce5101a49e7d094f0b781e7 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Fri, 8 Dec 2023 10:11:45 +0100 Subject: [PATCH 09/22] remount-usr: do not try to remount /usr RW if /usr is not a mounted partition --- CHANGELOG.md | 1 + remount-usr/tasks/main.yml | 19 +++++++++++++++---- 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8ec16853..082430c4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -21,6 +21,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * webapps/evoadmin-mail: package can now installed via public.evolix.org/evolix repo starting from Bookworm * webapps/nextcloud: Set ownership and permissions of data directory * webapps/nextcloud: Add condition for config tasks +* remount-usr: do not try to remount /usr RW if /usr is not a mounted partition ### Changed diff --git a/remount-usr/tasks/main.yml b/remount-usr/tasks/main.yml index eb5c0109..18dfe6ce 100644 --- a/remount-usr/tasks/main.yml +++ b/remount-usr/tasks/main.yml 
@@ -1,17 +1,28 @@ --- # findmnt returns 0 on hit, 1 on miss # If the return code is higher than 1, it's a blocking failure + +- name: "check if /usr is a mountpoint" + ansible.builtin.shell: "findmnt -n /usr &> /dev/null" + register: usr_mount_exists + failed_when: False + check_mode: False + changed_when: False + - name: "check if /usr is a read-only partition" ansible.builtin.command: cmd: 'findmnt /usr --noheadings --options ro' + register: usr_partition + when: usr_mount_exists.rc == 0 changed_when: False failed_when: usr_partition.rc > 1 - check_mode: no - register: usr_partition + check_mode: False - name: "mount /usr in rw" ansible.builtin.command: cmd: 'mount -o remount,rw /usr' - changed_when: False - when: usr_partition.rc == 0 + when: + - usr_mount_exists.rc == 0 + - usr_partition.rc == 0 notify: remount usr + changed_when: False -- 2.39.2 From bc03fd5bf062352f4da8bd7506f89ae9bfa6faba Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 9 Dec 2023 12:28:17 +0100 Subject: [PATCH 10/22] squid: config directory seems to have changed from /etc/squid3 to /etc/squid in Debian 8 --- CHANGELOG.md | 11 ++++++----- squid/README.md | 2 +- squid/tasks/main.yml | 6 +++--- squid/templates/squid.conf.j2 | 2 +- 4 files changed, 11 insertions(+), 10 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 082430c4..ffb0902f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -29,6 +29,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * apache : fix goaway pattern for bad bots * apache : rename MaxRequestsPerChild to MaxConnectionsPerChild (new name) * bind: Update role for Buster, Bullseye and Bookworm support +* dovecot: Munin plugin conf path is now `/etc/munin/plugin-conf.d/zzz-dovecot` (instead of `z-evolinux-dovecot`) * evocheck: upstream release 23.11.1 * evolinux-base: dump-server-state upstream release 23.11 * evolinux-base: use separate default config file for rsyslog 
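Review bot: `findmnt -n /usr &> /dev/null` relies on the bash-only `&>` operator, but `ansible.builtin.shell` runs `/bin/sh` by default; under a POSIX shell such as dash the line parses as `findmnt -n /usr &` followed by an empty redirection, so `usr_mount_exists.rc` is 0 whether or not /usr is a mountpoint. The new guard is then always true and the decision silently falls back to the second `findmnt`. Use `ansible.builtin.command: findmnt -n /usr` (output is captured, no redirection needed) or the portable `> /dev/null 2>&1`. `failed_when: False` also hides return codes above 1, which the comment at the top of the file calls a blocking failure; `failed_when: usr_mount_exists.rc > 1` would keep that behaviour.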
@@ -37,13 +38,13 @@ The **patch** part changes is incremented if multiple releases happen the same m * lxc: init /etc git repository in lxc container * nagios: rename var `nagios_nrpe_process_processes` into `nagios_nrpe_processes` and check systemd-timesyncd instead of ntpd in Debian 12 * proftpd: in SFTP vhost, enable SSH keys login, enable ed25549 host key for Debian >= 11 -* vrrpd: variable to force update the switch script (default: false) -* dovecot: Munin plugin conf path is now `/etc/munin/plugin-conf.d/zzz-dovecot` (instead of `z-evolinux-dovecot`) -* unbound: Big cleanup -* unbound: Use root hints provided by debian package dns-root-data instead of downloading them -* unbound: Move generated config file to `/etc/unbound/unbound.conf.d/evolinux.conf` +* squid: config directory seems to have changed from /etc/squid3 to /etc/squid in Debian 8 * unbound: Add config file to allow configuration reload on Debian 11 and lower * unbound: Add munin configuration & setup plugin +* unbound: Big cleanup +* unbound: Move generated config file to `/etc/unbound/unbound.conf.d/evolinux.conf` +* unbound: Use root hints provided by debian package dns-root-data instead of downloading them +* vrrpd: variable to force update the switch script (default: false) * webapps/nextcloud: Add Ceph volume to fstab ### Fixed diff --git a/squid/README.md b/squid/README.md index 8811a91f..aba25b4d 100644 --- a/squid/README.md +++ b/squid/README.md @@ -6,7 +6,7 @@ Installation and configuration of Squid Everything is in the `tasks/main.yml` file. -A blank file is created at `/etc/squid3/whitelist-custom.conf` to add addresses in the whitelist. +A blank file is created at `/etc/squid/whitelist-custom.conf` to add addresses in the whitelist. ## Available variables diff --git a/squid/tasks/main.yml b/squid/tasks/main.yml index 2f0e94aa..965be04b 100644 --- a/squid/tasks/main.yml +++ b/squid/tasks/main.yml 
@@ -38,14 +38,14 @@ - name: "squid.conf is present (jessie)" ansible.builtin.template: src: squid.conf.j2 - dest: /etc/squid3/squid.conf + dest: /etc/squid/squid.conf notify: "restart squid3" when: ansible_distribution_release == "jessie" - name: "evolix whitelist is present (jessie)" ansible.builtin.copy: src: whitelist-evolinux.conf - dest: /etc/squid3/whitelist.conf + dest: /etc/squid/whitelist.conf force: false notify: "reload squid3" when: ansible_distribution_release == "jessie" @@ -135,7 +135,7 @@ - name: add some URL in whitelist (Debian 8) ansible.builtin.lineinfile: insertafter: EOF - dest: /etc/squid3/whitelist.conf + dest: /etc/squid/whitelist.conf line: "{{ item }}" state: present loop: '{{ squid_whitelist_items }}' diff --git a/squid/templates/squid.conf.j2 b/squid/templates/squid.conf.j2 index 108a3bc1..4c89a777 100644 --- a/squid/templates/squid.conf.j2 +++ b/squid/templates/squid.conf.j2 @@ -8,7 +8,7 @@ acl localhost src 127.0.0.0/32 acl INTERNE src {{ squid_address }}/32 127.0.0.0/8 acl Safe_ports port 80 # http acl SSL_ports port 443 563 -acl WHITELIST url_regex "/etc/squid3/whitelist.conf" +acl WHITELIST url_regex "/etc/squid/whitelist.conf" http_access deny !WHITELIST http_access allow INTERNE http_access deny all -- 2.39.2 From 782b3264f3fb720fcb4453cc263b4250c7fac4e4 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 9 Dec 2023 13:52:08 +0100 Subject: [PATCH 11/22] mysql: use a boolean for read-only --- mysql/defaults/main.yml | 2 +- mysql/templates/evolinux-custom.cnf.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/mysql/defaults/main.yml b/mysql/defaults/main.yml index af43f495..871dd599 100644 --- a/mysql/defaults/main.yml +++ b/mysql/defaults/main.yml @@ -59,5 +59,5 @@ mysql_binlog_format: mixed mysql_server_id: null mysql_bind_address: null mysql_repl_password: '' -mysql_read_only: 0 +mysql_read_only: False 
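Review bot: The jessie-only tasks now write to `/etc/squid/…` but still notify `restart squid3` and `reload squid3`, and the commit subject itself says the directory only "seems" to have changed. If the jessie package is still squid3, `/etc/squid` is presumably not the directory the daemon reads, and nothing in these hunks creates it; since `squid.conf.j2` enforces `http_access deny !WHITELIST` from `/etc/squid/whitelist.conf`, a wrong path means the proxy either fails to start or runs without the intended allow-list. Confirm the path on a Debian 8 host, or derive it from a per-release variable (for example a hypothetical `squid_conf_dir`) so tasks, template and handlers cannot drift apart. The tasks before and after these hunks are not visible here.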
diff --git a/mysql/templates/evolinux-custom.cnf.j2 b/mysql/templates/evolinux-custom.cnf.j2 index 119943a1..cc66df94 100644 --- a/mysql/templates/evolinux-custom.cnf.j2 +++ b/mysql/templates/evolinux-custom.cnf.j2 @@ -38,7 +38,7 @@ lower_case_table_names = {{ mysql_lower_case_table_names }} {% if mysql_innodb_log_file_size %} innodb_log_file_size = {{ mysql_innodb_log_file_size }} {% endif %} -read_only = {{ mysql_read_only }} +read_only = {{ mysql_read_only | bool | ternary('1','0') }} {% if mysql_performance_schema %} performance_schema = ON performance-schema-instrument='stage/%=ON' -- 2.39.2 From 4bfcf4a508da2d61fd40155284ee148426fd41d3 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 11 Dec 2023 14:04:55 +0100 Subject: [PATCH 12/22] apt: use the GPG version of the key for Debian 8-9 --- CHANGELOG.md | 1 + apt/tasks/evolix_public.deb822.yml | 8 +++++++- apt/tasks/evolix_public.oneline.yml | 20 ++++++++++++++++++-- apt/templates/evolix_public.list.j2 | 2 +- 4 files changed, 27 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ffb0902f..040082d7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -28,6 +28,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * add-vm.sh: allow VM name max length > 20 * apache : fix goaway pattern for bad bots * apache : rename MaxRequestsPerChild to MaxConnectionsPerChild (new name) +* apt: use the GPG version of the key for Debian 8-9 * bind: Update role for Buster, Bullseye and Bookworm support * dovecot: Munin plugin conf path is now `/etc/munin/plugin-conf.d/zzz-dovecot` (instead of `z-evolinux-dovecot`) * evocheck: upstream release 23.11.1 diff --git a/apt/tasks/evolix_public.deb822.yml b/apt/tasks/evolix_public.deb822.yml index 0a91dddf..0e6639c3 100644 --- a/apt/tasks/evolix_public.deb822.yml +++ b/apt/tasks/evolix_public.deb822.yml 
@@ -24,10 +24,16 @@ owner: root group: root +- name: Set Evolix GPG key format to ASC + set_fact: + apt_evolix_public_key: "{{ apt_keyring_dir }}/pub_evolix.asc" + tags: + - apt + - name: Add Evolix GPG key ansible.builtin.copy: src: pub_evolix.asc - dest: "{{ apt_keyring_dir }}/pub_evolix.asc" + dest: "{{ apt_evolix_public_key }}" force: true mode: "0644" owner: root diff --git a/apt/tasks/evolix_public.oneline.yml b/apt/tasks/evolix_public.oneline.yml index 9501e595..165a7b93 100644 --- a/apt/tasks/evolix_public.oneline.yml +++ b/apt/tasks/evolix_public.oneline.yml @@ -24,10 +24,26 @@ owner: root group: root +- name: Set Evolix GPG key format to GPG (Debian < 9) + set_fact: + apt_evolix_public_key: "pub_evolix.gpg" + when: + - ansible_distribution_major_version is version('9', '<') + tags: + - apt + +- name: Set Evolix GPG key format to ASC (Debian >= 9) + set_fact: + apt_evolix_public_key: "pub_evolix.asc" + when: + - ansible_distribution_major_version is version('9', '>=') + tags: + - apt + - name: Add Evolix GPG key ansible.builtin.copy: - src: pub_evolix.asc - dest: "{{ apt_keyring_dir }}/pub_evolix.asc" + src: "{{ apt_evolix_public_key }}" + dest: "{{ apt_keyring_dir }}/{{ apt_evolix_public_key }}" force: true mode: "0644" owner: root diff --git a/apt/templates/evolix_public.list.j2 b/apt/templates/evolix_public.list.j2 index e00899e7..7ed18708 100644 --- a/apt/templates/evolix_public.list.j2 +++ b/apt/templates/evolix_public.list.j2 @@ -1,3 +1,3 @@ # {{ ansible_managed }} -deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix {{ ansible_distribution_release }} main +deb [signed-by={{ apt_keyring_dir }}/{{ apt_evolix_public_key }}] http://pub.evolix.org/evolix {{ ansible_distribution_release }} main -- 2.39.2 From 95fa1e01b67aa69250a052fae017dd5e8a44e78d Mon Sep 17 00:00:00 2001 
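Review bot: `apt_evolix_public_key` means two different things after this change: in `evolix_public.deb822.yml` it is a full path (`{{ apt_keyring_dir }}/pub_evolix.asc`), while `evolix_public.oneline.yml` sets a bare file name that `evolix_public.list.j2` prefixes with `{{ apt_keyring_dir }}/`. A later consumer that picks the wrong convention produces a `signed-by` path that does not exist, which breaks signature verification for the repository. Use one convention (for example file name only, `apt_evolix_public_key: "pub_evolix.asc"`) and write `ansible.builtin.set_fact` like the surrounding tasks. The subject and changelog say the binary key is used for Debian 8-9, but the condition `version('9', '<')` selects it for Debian 8 only; align the wording or the condition.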
From: Jeremy Lecour Date: Mon, 11 Dec 2023 14:06:10 +0100 Subject: [PATCH 13/22] apt: add task file to install ELTS repository (default: False) --- CHANGELOG.md | 1 + apt/defaults/main.yml | 3 +- apt/files/freexian-archive-extended-lts.gpg | Bin 0 -> 1176 bytes apt/tasks/extended-lts.oneline.yml.yml | 37 ++++++++++++++++++++ apt/tasks/main.yml | 10 +++++- apt/templates/jessie_extended-lts.list.j2 | 4 +++ apt/templates/stretch_extended-lts.list.j2 | 4 +++ 7 files changed, 57 insertions(+), 2 deletions(-) create mode 100644 apt/files/freexian-archive-extended-lts.gpg create mode 100644 apt/tasks/extended-lts.oneline.yml.yml create mode 100644 apt/templates/jessie_extended-lts.list.j2 create mode 100644 apt/templates/stretch_extended-lts.list.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index 040082d7..98682d9c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added * Preliminary work for php83 +* apt: add task file to install ELTS repository (default: False) * lxc-php: Allow one to install php83 on Bookworm container * nagios-nrpe: add check_sentinel for monitoring Redis Sentinel * webapps/nextcloud: Added var nextcloud_user_uid to enforce uid for nextcloud user diff --git a/apt/defaults/main.yml b/apt/defaults/main.yml index 3720d893..772a8fb9 100644 --- a/apt/defaults/main.yml +++ b/apt/defaults/main.yml @@ -14,6 +14,7 @@ apt_install_backports: False apt_backports_components: "main" apt_install_evolix_public: True +apt_install_extended_lts: False apt_clean_gandi_sourceslist: False 
@@ -28,4 +29,4 @@ apt_check_hold_cron_weekday: "*" apt_check_hold_cron_day: "*" apt_check_hold_cron_month: "*" -apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" diff --git a/apt/files/freexian-archive-extended-lts.gpg b/apt/files/freexian-archive-extended-lts.gpg new file mode 100644 index 0000000000000000000000000000000000000000..819c10ff58554f8c923fbb5547b91033560220c0 GIT binary patch literal 1176 zcmV;J1ZVr10u2OP3>k+35CE!*la@dGSZvSDM8iRcInG1)P{N=(7x?10JSiF{TjyF* zFAc}dYTJ`V+M7ayLf+6i@+jA%ECWj>C8yGZ+mBWK0?b}8!#>P=;K#ZAFO$=p+=TcF zW=;Ht4Bjm|zRHR^K4En3i-iQ%tt*F^W%*%3W?zD!8VklE58+9^Tu7s zw)gj&Js}nWDE>vjUXR`B0p*FuvlOEpOQ14Ok~HV`sjB*UVvvh)QxF9kC^zQiSCw~# z+m$j0EzQFz(?uoImN!zqt#o-0_v0>C+fuyI^WMNdU+HLT8w}zu*fb>?0I7e+%BJb# ziF9-va~rCRwa3MiF*E=ShNvMe7QnYdc6=@h@Fej1rR$Ord?|(dGMx~51fXoI>G1zL zjIdu#sFLmFG+ro7WeSv#ZGpGU__Dk%gV@sP_jUL&cj=Cu7%Uw^Wp2tMINGLiW}ho} zy^-0Ybo@tYDin=mM}9Al!BhAJoHL;@nIk^9aAFYLL8R-NdGQ5r-`*Xx57z|~Yo-s` z4(HON9Ld$}g#=xf*wxIn8l%B5Z&QhsVd^xx6bT3jFQ`t&Oq3m1Nwf93e1g%ke2z@; zBVF1Z`8$GP-UR>=0RRECFGYBCWo~3;WFSmbQy@}haBp*IbZ>HbAUtzLGf za%E+BX<=?IV{dIfi2_sv69EVSJ^~v91q%rX2Lc8a2nh-c0t6NU0|5da0Rk6*79j+y zS$t1#Gl0EIE9=6ba}d*M1zlPN0%DsoJp~C7=>N6=3JDOPa}d*M1zlSHx)1=Sqq_^% z{^3z{pn8(R(G*1}I^7SxxB;rzrg9!F^RQLctKT5nFL6XebR-^i=d$`>Y>!T6 z*Zb)vOxWYF4K&2Ib?EvTd8E9SAj3<8pXnP9QF_2K{vZe}ZLsbJov+lN6NFr!Tu+Db zAuxc|+O2ByA@Iy<aEH7)nm=7P^Nw$m&L^B(--*Gg ztwF#Ik3?);3h+nmze3L#G+9aPqxT6LcQ0gyuYyaEWD>|6bHrGPvg*ast`y>Oa{rIa q@dG0}9Dw33F^}f!O`7ygKR7;u{v-iCt~UQnD=$vejsPKruP6Bwc_o(s literal 0 HcmV?d00001 diff --git a/apt/tasks/extended-lts.oneline.yml.yml b/apt/tasks/extended-lts.oneline.yml.yml new file mode 100644 index 00000000..09974684 --- /dev/null +++ b/apt/tasks/extended-lts.oneline.yml.yml 
@@ -0,0 +1,37 @@ +--- + +- name: "Ensure {{ apt_keyring_dir }} directory exists" + file: + path: "{{ apt_keyring_dir }}" + state: directory + mode: "755" + owner: root + group: root + +- name: Add Evolix GPG key + ansible.builtin.copy: + src: "freexian-archive-extended-lts.gpg" + dest: "{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg" + force: true + mode: "0644" + owner: root + group: root + tags: + - apt + +- name: ELTS list is installed + ansible.builtin.template: + src: "{{ ansible_distribution_release }}_extended-lts.list.j2" + dest: /etc/apt/sources.list.d/extended-lts.list + force: true + mode: "0640" + register: apt_extended_lts + tags: + - apt + +- name: Apt update + ansible.builtin.apt: + update_cache: yes + tags: + - apt + when: apt_extended_lts is changed diff --git a/apt/tasks/main.yml b/apt/tasks/main.yml index 4d357f8b..c20abe54 100644 --- a/apt/tasks/main.yml +++ b/apt/tasks/main.yml @@ -80,6 +80,14 @@ - apt_install_evolix_public | bool - ansible_distribution_major_version is version('12', '>=') +- name: Install Extended-LTS repositories (Debian < 10) + ansible.builtin.import_tasks: extended-lts.oneline.yml.yml + tags: + - apt + when: + - apt_install_extended_lts | bool + - ansible_distribution_major_version is version('10', '<') + - name: Clean GANDI sources ansible.builtin.file: path: '{{ item }}' @@ -126,4 +134,4 @@ upgrade: dist when: apt_upgrade | bool tags: - - apt \ No newline at end of file + - apt diff --git a/apt/templates/jessie_extended-lts.list.j2 b/apt/templates/jessie_extended-lts.list.j2 new file mode 100644 index 00000000..c20be4e7 --- /dev/null +++ b/apt/templates/jessie_extended-lts.list.j2 @@ -0,0 +1,4 @@ +# {{ ansible_managed }} + +deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts jessie main +deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts jessie-lts main 
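Review bot: The second task in the new `extended-lts.oneline.yml.yml` is named `Add Evolix GPG key`, but it copies `freexian-archive-extended-lts.gpg`, so run logs and audits attribute a third-party trust anchor to the wrong owner. `- name: Add Freexian ELTS archive key` would match what is installed. The first task uses the short `file:` module name and has no `tags: apt`, unlike the three tasks after it, and `update_cache: yes` would be more consistent as `update_cache: true` next to the `force: true` lines. The list file is written with `mode: "0640"` and no `owner`/`group`, so unprivileged users probably cannot read it. If that is deliberate it deserves a one-line comment; otherwise `mode: "0644"` would match the key file.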
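Review bot: The `signed-by` option on both `deb` lines of `jessie_extended-lts.list.j2` does not confine this key on the releases that use the template. The task file is imported only for Debian < 10, where `apt_keyring_dir` resolves to `/etc/apt/trusted.gpg.d`, and apt trusts keys in that directory for every configured source. The mirror is reached over plain `http://`, so the signature is the only integrity control; it would be safer to keep the key in a directory apt does not scan for global trust and point `signed-by` there. It is also worth confirming that the apt version shipped with jessie honours `signed-by` and accepts the quoted path. The same applies to `stretch_extended-lts.list.j2`.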
diff --git a/apt/templates/stretch_extended-lts.list.j2 b/apt/templates/stretch_extended-lts.list.j2 new file mode 100644 index 00000000..374e571e --- /dev/null +++ b/apt/templates/stretch_extended-lts.list.j2 @@ -0,0 +1,4 @@ +# {{ ansible_managed }} + +deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts stretch main +deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts stretch-lts main -- 2.39.2 From a47970f1ba5acedd60a766bd0cf28791a62cd561 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 11 Dec 2023 14:07:15 +0100 Subject: [PATCH 14/22] apt: Disable archive repository for Debian 8 --- CHANGELOG.md | 3 ++- apt/templates/jessie_basics.list.j2 | 5 +++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 98682d9c..b0b4705a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -29,7 +29,8 @@ The **patch** part changes is incremented if multiple releases happen the same m * add-vm.sh: allow VM name max length > 20 * apache : fix goaway pattern for bad bots * apache : rename MaxRequestsPerChild to MaxConnectionsPerChild (new name) -* apt: use the GPG version of the key for Debian 8-9 +* apt: Disable archive repository for Debian 8 +* apt: Use the GPG version of the key for Debian 8-9 * bind: Update role for Buster, Bullseye and Bookworm support * dovecot: Munin plugin conf path is now `/etc/munin/plugin-conf.d/zzz-dovecot` (instead of `z-evolinux-dovecot`) * evocheck: upstream release 23.11.1 diff --git a/apt/templates/jessie_basics.list.j2 b/apt/templates/jessie_basics.list.j2 index a3b4aea8..7d72bfbd 100644 --- a/apt/templates/jessie_basics.list.j2 +++ b/apt/templates/jessie_basics.list.j2 
@@ -1,4 +1,5 @@ # {{ ansible_managed }} -deb http://archive.debian.org/debian jessie {{ apt_basics_components | mandatory }} -deb http://archive.debian.org/debian-security jessie/updates {{ apt_basics_components | mandatory }} +### Those repositories are unusable. Move to ELTS (manually). +# deb http://archive.debian.org/debian jessie {{ apt_basics_components | mandatory }} +# deb http://archive.debian.org/debian-security jessie/updates {{ apt_basics_components | mandatory }} -- 2.39.2 From 87d8387e52bb65c304efb883b539187c3bb4e3da Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 11 Dec 2023 18:19:38 +0100 Subject: [PATCH 15/22] apache: use backward compatible Redirect directive --- CHANGELOG.md | 1 + apache/files/evolinux-defaults.conf | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b0b4705a..a9cfb29e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -29,6 +29,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * add-vm.sh: allow VM name max length > 20 * apache : fix goaway pattern for bad bots * apache : rename MaxRequestsPerChild to MaxConnectionsPerChild (new name) +* apache: use backward compatible Redirect directive * apt: Disable archive repository for Debian 8 * apt: Use the GPG version of the key for Debian 8-9 * bind: Update role for Buster, Bullseye and Bookworm support diff --git a/apache/files/evolinux-defaults.conf b/apache/files/evolinux-defaults.conf index 73b7f136..c05f77f2 100644 --- a/apache/files/evolinux-defaults.conf +++ b/apache/files/evolinux-defaults.conf @@ -48,17 +48,17 @@ MaxKeepAliveRequests 10 # We don't want to let the client know a file exist on the server, # so we return 404 "Not found" instead of 403 "Forbidden". - Redirect 404 + Redirect 404 "-" # File names starting with - Redirect 404 + Redirect 404 "-" # File names ending with - Redirect 404 + Redirect 404 "-" -- 2.39.2 
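Review bot: The two commented-out `deb` lines in `jessie_basics.list.j2` still contain `{{ apt_basics_components | mandatory }}`. Jinja evaluates that inside a `#` line too, so rendering still fails when the variable is unset even though the output is only a comment. Plain text or a `{# … #}` block would avoid that. With `apt_install_extended_lts` defaulting to `False` elsewhere in this series, a jessie host rendered from this template appears to end up with no base package source, and so no security updates, until someone acts on the word "manually". The comment could name the switch instead, for example `### archive.debian.org is disabled for jessie; set apt_install_extended_lts to true to install the ELTS source.`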
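Review bot: The three `Redirect 404 "-"` lines in `evolinux-defaults.conf` have no comment saying what the `"-"` argument is for; the existing comment only explains the choice of 404 over 403. Judging by the commit subject it is a placeholder for Apache releases that reject `Redirect` without a second argument, and a line such as `# "-" is a placeholder argument required by older Apache releases` would record that. These rules are what hides the matched files from clients, so it is worth checking on both the oldest and the newest supported Apache that a matching request still returns 404 after the change. The enclosing container directives are not visible in this hunk.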
From 55598841b27ee69a2bfc84b2069db84e86264da0 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 11 Dec 2023 18:21:57 +0100 Subject: [PATCH 16/22] mysql: disable performance schema for Debian 8 --- CHANGELOG.md | 1 + mysql/tasks/config_jessie.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a9cfb29e..fbf6fb9f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -40,6 +40,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * kvmstats: use .capacity instead of .physical for disk size * log2mail: move custom config in separate file * lxc: init /etc git repository in lxc container +* mysql: disable performance schema for Debian 8 * nagios: rename var `nagios_nrpe_process_processes` into `nagios_nrpe_processes` and check systemd-timesyncd instead of ntpd in Debian 12 * proftpd: in SFTP vhost, enable SSH keys login, enable ed25549 host key for Debian >= 11 * squid: config directory seems to have changed from /etc/squid3 to /etc/squid in Debian 8 diff --git a/mysql/tasks/config_jessie.yml b/mysql/tasks/config_jessie.yml index 3d8c494d..364ee175 100644 --- a/mysql/tasks/config_jessie.yml +++ b/mysql/tasks/config_jessie.yml @@ -2,6 +2,7 @@ - ansible.builtin.set_fact: mysql_config_directory: /etc/mysql/conf.d + mysql_performance_schema: False - name: "Copy MySQL defaults config file (jessie)" ansible.builtin.copy: -- 2.39.2 From c00913c85205e3d35cc682fea9c66da4594d9bbf Mon Sep 17 00:00:00 2001 From: David Prevot Date: Mon, 11 Dec 2023 11:05:06 +0100 Subject: [PATCH 17/22] spamassin: Use spamd starting with Bookworm --- spamassasin/handlers/main.yml | 5 +++++ spamassasin/tasks/main.yml | 32 ++++++++++++++++++++++++++++++++ 2 files changed, 37 insertions(+) diff --git a/spamassasin/handlers/main.yml b/spamassasin/handlers/main.yml index 78597a37..7dbc9c7f 100644 --- a/spamassasin/handlers/main.yml +++ b/spamassasin/handlers/main.yml 
@@ -3,3 +3,8 @@ ansible.builtin.service: name: spamassassin state: restarted + +- name: restart spamd + ansible.builtin.service: + name: spamd + state: restarted diff --git a/spamassasin/tasks/main.yml b/spamassasin/tasks/main.yml index 9f2889ca..fbcd6e5c 100644 --- a/spamassasin/tasks/main.yml +++ b/spamassasin/tasks/main.yml @@ -4,6 +4,16 @@ name: - spamassassin state: present + when: ansible_distribution_major_version is version('12', '<') + tags: + - spamassassin + +- name: install spamd + ansible.builtin.apt: + name: + - spamd + state: present + when: ansible_distribution_major_version is version('12', '>=') tags: - spamassassin @@ -13,6 +23,17 @@ dest: /etc/spamassassin/local_evolix.cf mode: "0644" notify: restart spamassassin + when: ansible_distribution_major_version is version('12', '<') + tags: + - spamassassin + +- name: configure spamd + ansible.builtin.copy: + src: spamassassin.cf + dest: /etc/spamassassin/local_evolix.cf + mode: "0644" + notify: restart spamd + when: ansible_distribution_major_version is version('12', '>=') tags: - spamassassin @@ -22,6 +43,7 @@ regexp: 'ENABLED=0' replace: 'ENABLED=1' notify: restart spamassassin + when: ansible_distribution_major_version is version('12', '<') tags: - spamassassin @@ -97,5 +119,15 @@ name: spamassassin state: started enabled: True + when: ansible_distribution_major_version is version('12', '<') + tags: + - spamassassin + +- name: ensure spamd is started and enabled + ansible.builtin.systemd: + name: spamd + state: started + enabled: True + when: ansible_distribution_major_version is version('12', '>=') tags: - spamassassin -- 2.39.2 From cb3afb871344f381f504283bf9df56a4559a62ca Mon Sep 17 00:00:00 2001 From: David Prevot Date: Tue, 12 Dec 2023 17:11:45 +0100 Subject: [PATCH 18/22] bind: allow bullseye and bookworm --- bind/meta/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/bind/meta/main.yml b/bind/meta/main.yml index 6cf180b1..533f4335 100644 --- a/bind/meta/main.yml 
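Review bot: The hunks in `spamassasin/tasks/main.yml` duplicate the install, configure and "started and enabled" tasks, with only the package or service name and the `when:` test differing. A later change to `local_evolix.cf` or its mode therefore has to be made twice and can drift between releases. A single fact set once from the version test would let each task stay single (the variable name here is only a suggestion): `name: "{{ spamassassin_service }}"` together with `notify: "restart {{ spamassassin_service }}"`. The `ENABLED=0` replacement is now limited to Debian < 12 with no comment explaining why Bookworm needs no equivalent; a short why-comment on that task would help.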
+++ b/bind/meta/main.yml @@ -14,6 +14,8 @@ galaxy_info: - jessie - stretch - buster + - bullseye + - bookworm galaxy_tags: [] # Be sure to remove the '[]' above if you add dependencies -- 2.39.2 From 23099e40cb0c7bbcacbcd09a99cc4478aaf54155 Mon Sep 17 00:00:00 2001 From: Mathieu Trossevin Date: Thu, 14 Dec 2023 16:59:55 +0100 Subject: [PATCH 19/22] fix(minifirewall): Properly detect old minifirewall versions --- CHANGELOG.md | 1 + minifirewall/files/check_minifirewall | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fbf6fb9f..9ab720e6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -23,6 +23,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * webapps/nextcloud: Set ownership and permissions of data directory * webapps/nextcloud: Add condition for config tasks * remount-usr: do not try to remount /usr RW if /usr is not a mounted partition +* minifirewall: Fix nagios check for old versions of minifirewall ### Changed diff --git a/minifirewall/files/check_minifirewall b/minifirewall/files/check_minifirewall index fc034de4..565a912d 100644 --- a/minifirewall/files/check_minifirewall +++ b/minifirewall/files/check_minifirewall @@ -87,7 +87,7 @@ main() { append_details "configuration is up-to-date" summary_ok "minifirewall is started and configuration is up-to-date" else - if echo "${check_result}" | grep --quiet --regexp 'usage'; then + if echo "${check_result}" | grep --ignore-case --quiet --regexp 'usage'; then append_details "minifirewall is too old to check active configuration" else case "${check_rc}" in -- 2.39.2 From 13b4e761623599a8243ffc52c67e627985dfab29 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Tue, 5 Dec 2023 11:50:24 +0100 Subject: [PATCH 20/22] webapps/evoadmin-mail: package can now installed via public.evolix.org/evolix repo starting from Bookworm --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) 
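Review bot: The added `--ignore-case` in `check_minifirewall` widens an already loose match. `grep … --regexp 'usage'` hits that word anywhere in `${check_result}`, so any failure output that happens to contain "usage" is reported as "minifirewall is too old to check active configuration" and never reaches the `case "${check_rc}"` branch. In a firewall monitoring check that can mask a real failure. Anchoring on the usage line would narrow it, e.g. `grep --ignore-case --quiet --regexp '^usage:'`, assuming old versions print the line in that form. `main()` begins and ends outside this hunk, so the status finally returned for this branch is not visible here.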
diff --git a/CHANGELOG.md b/CHANGELOG.md index 9ab720e6..c9baa8e1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -24,6 +24,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * webapps/nextcloud: Add condition for config tasks * remount-usr: do not try to remount /usr RW if /usr is not a mounted partition * minifirewall: Fix nagios check for old versions of minifirewall +* webapps/evoadmin-mail: package can now installed via public.evolix.org/evolix repo starting from Bookworm ### Changed -- 2.39.2 From a6ac5c3052b1ec4db5739f1686ba9aeadd0978d4 Mon Sep 17 00:00:00 2001 From: Alexis Ben Miloud--Josselin Date: Thu, 7 Dec 2023 10:18:09 +0100 Subject: [PATCH 21/22] webapps/nextcloud: Add condition for config tasks And update CHANGELOG --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c9baa8e1..e4ce869b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -25,6 +25,8 @@ The **patch** part changes is incremented if multiple releases happen the same m * remount-usr: do not try to remount /usr RW if /usr is not a mounted partition * minifirewall: Fix nagios check for old versions of minifirewall * webapps/evoadmin-mail: package can now installed via public.evolix.org/evolix repo starting from Bookworm +* webapps/nextcloud: Set ownership and permissions of data directory +* webapps/nextcloud: Add condition for config tasks ### Changed @@ -52,6 +54,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * unbound: Move generated config file to `/etc/unbound/unbound.conf.d/evolinux.conf` * unbound: Use root hints provided by debian package dns-root-data instead of downloading them * vrrpd: variable to force update the switch script (default: false) +* dovecot: Munin plugin conf path is now `/etc/munin/plugin-conf.d/zzz-dovecot` (instead of `z-evolinux-dovecot`) * webapps/nextcloud: Add Ceph volume to fstab ### Fixed -- 2.39.2 
From 318290b10c754c4b7e5ecc8127098fde5d7613ac Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Fri, 8 Dec 2023 10:11:45 +0100 Subject: [PATCH 22/22] remount-usr: do not try to remount /usr RW if /usr is not a mounted partition --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index e4ce869b..58cc82d8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -27,6 +27,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * webapps/evoadmin-mail: package can now installed via public.evolix.org/evolix repo starting from Bookworm * webapps/nextcloud: Set ownership and permissions of data directory * webapps/nextcloud: Add condition for config tasks +* remount-usr: do not try to remount /usr RW if /usr is not a mounted partition ### Changed -- 2.39.2