CHANGELOG.md

@@ -14,26 +14,49 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ### Added
 
 * Preliminary work for php83
+* apt: add task file to install ELTS repository (default: False)
 * lxc-php: Allow one to install php83 on Bookworm container
 * nagios-nrpe: add check_sentinel for monitoring Redis Sentinel
 * webapps/nextcloud: Added var nextcloud_user_uid to enforce uid for nextcloud user
 * etc-git: add /var/chroot-bind/etc/bind repo
+* webapps/evoadmin-mail: package can now installed via public.evolix.org/evolix repo starting from Bookworm
+* webapps/nextcloud: Set ownership and permissions of data directory
+* webapps/nextcloud: Add condition for config tasks
+* remount-usr: do not try to remount /usr RW if /usr is not a mounted partition
+* minifirewall: Fix nagios check for old versions of minifirewall
+* webapps/evoadmin-mail: package can now installed via public.evolix.org/evolix repo starting from Bookworm
+* webapps/nextcloud: Set ownership and permissions of data directory
+* webapps/nextcloud: Add condition for config tasks
+* remount-usr: do not try to remount /usr RW if /usr is not a mounted partition
 
 ### Changed
 
 * add-vm.sh: allow VM name max length > 20
 * apache : fix goaway pattern for bad bots 
 * apache : rename MaxRequestsPerChild to MaxConnectionsPerChild (new name)
+* apache: use backward compatible Redirect directive
+* apt: Disable archive repository for Debian 8
+* apt: Use the GPG version of the key for Debian 8-9
 * bind: Update role for Buster, Bullseye and Bookworm support
+* dovecot: Munin plugin conf path is now `/etc/munin/plugin-conf.d/zzz-dovecot` (instead of `z-evolinux-dovecot`)
 * evocheck: upstream release 23.11.1
 * evolinux-base: dump-server-state upstream release 23.11
 * evolinux-base: use separate default config file for rsyslog
 * kvmstats: use .capacity instead of .physical for disk size
 * log2mail: move custom config in separate file
 * lxc: init /etc git repository in lxc container
+* mysql: disable performance schema for Debian 8
 * nagios: rename var `nagios_nrpe_process_processes` into `nagios_nrpe_processes` and check systemd-timesyncd instead of ntpd in Debian 12
 * proftpd: in SFTP vhost, enable SSH keys login, enable ed25549 host key for Debian >= 11
+* squid: config directory seems to have changed from /etc/squid3 to /etc/squid in Debian 8
+* unbound: Add config file to allow configuration reload on Debian 11 and lower
+* unbound: Add munin configuration & setup plugin
+* unbound: Big cleanup
+* unbound: Move generated config file to `/etc/unbound/unbound.conf.d/evolinux.conf`
+* unbound: Use root hints provided by debian package dns-root-data instead of downloading them
 * vrrpd: variable to force update the switch script (default: false)
+* dovecot: Munin plugin conf path is now `/etc/munin/plugin-conf.d/zzz-dovecot` (instead of `z-evolinux-dovecot`)
+* webapps/nextcloud: Add Ceph volume to fstab
 
 ### Fixed
 
@@ -52,7 +75,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * certbot: fix hook for dovecot when more than one certificate is used (eg. different certificates for POP3 and IMAP)
 * evolinux-base: start to install linux-image-cloud-amd64 with Buster
 * apt: use archive.debian.org with Stretch
-
+* webapps/nextcloud: fix Add Ceph volume to fstab : missing UUID= in src
 
 ### Removed
 

apache/files/evolinux-defaults.conf

@@ -48,17 +48,17 @@ MaxKeepAliveRequests 10
 <DirectoryMatch "/\.git">
     # We don't want to let the client know a file exist on the server,
     # so we return 404 "Not found" instead of 403 "Forbidden".
-    Redirect 404
+    Redirect 404 "-"
 </DirectoryMatch>
 
 # File names starting with
 <FilesMatch "^\.(git|env)">
-    Redirect 404
+    Redirect 404 "-"
 </FilesMatch>
 
 # File names ending with
 <FilesMatch "\.(inc|bak)$">
-    Redirect 404
+    Redirect 404 "-"
 </FilesMatch>
 
 <LocationMatch "^/evolinux_fpm_status-.*">

apt/defaults/main.yml

@@ -14,6 +14,7 @@ apt_install_backports: False
 apt_backports_components: "main"
 
 apt_install_evolix_public: True
+apt_install_extended_lts: False
 
 apt_clean_gandi_sourceslist: False
 
@@ -28,4 +29,4 @@ apt_check_hold_cron_weekday: "*"
 apt_check_hold_cron_day: "*"
 apt_check_hold_cron_month: "*"
 
-apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
+apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"

apt/tasks/evolix_public.deb822.yml

@@ -24,10 +24,16 @@
     owner: root
     group: root
 
+- name: Set Evolix GPG key format to ASC
+  set_fact:
+    apt_evolix_public_key: "{{ apt_keyring_dir }}/pub_evolix.asc"
+  tags:
+    - apt
+
 - name: Add Evolix GPG key
   ansible.builtin.copy:
     src: pub_evolix.asc
-    dest: "{{ apt_keyring_dir }}/pub_evolix.asc"
+    dest: "{{ apt_evolix_public_key }}"
     force: true
     mode: "0644"
     owner: root

apt/tasks/evolix_public.oneline.yml

@@ -24,10 +24,26 @@
     owner: root
     group: root
 
+- name: Set Evolix GPG key format to GPG (Debian < 9)
+  set_fact:
+    apt_evolix_public_key: "pub_evolix.gpg"
+  when:
+    - ansible_distribution_major_version is version('9', '<')
+  tags:
+    - apt
+
+- name: Set Evolix GPG key format to ASC (Debian >= 9)
+  set_fact:
+    apt_evolix_public_key: "pub_evolix.asc"
+  when:
+    - ansible_distribution_major_version is version('9', '>=')
+  tags:
+    - apt
+
 - name: Add Evolix GPG key
   ansible.builtin.copy:
-    src: pub_evolix.asc
-    dest: "{{ apt_keyring_dir }}/pub_evolix.asc"
+    src: "{{ apt_evolix_public_key }}"
+    dest: "{{ apt_keyring_dir }}/{{ apt_evolix_public_key }}"
     force: true
     mode: "0644"
     owner: root

apt/tasks/extended-lts.oneline.yml.yml

@@ -0,0 +1,37 @@
+---
+
+- name: "Ensure {{ apt_keyring_dir }} directory exists"
+  file:
+    path: "{{ apt_keyring_dir }}"
+    state: directory
+    mode: "755"
+    owner: root
+    group: root
+
+- name: Add Evolix GPG key
+  ansible.builtin.copy:
+    src: "freexian-archive-extended-lts.gpg"
+    dest: "{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"
+    force: true
+    mode: "0644"
+    owner: root
+    group: root
+  tags:
+    - apt
+
+- name: ELTS list is installed
+  ansible.builtin.template:
+    src: "{{ ansible_distribution_release }}_extended-lts.list.j2"
+    dest: /etc/apt/sources.list.d/extended-lts.list
+    force: true
+    mode: "0640"
+  register: apt_extended_lts
+  tags:
+    - apt
+
+- name: Apt update
+  ansible.builtin.apt:
+    update_cache: yes
+  tags:
+    - apt
+  when: apt_extended_lts is changed

apt/tasks/main.yml

@@ -80,6 +80,14 @@
     - apt_install_evolix_public | bool
     - ansible_distribution_major_version is version('12', '>=')
 
+- name: Install Extended-LTS repositories (Debian < 10)
+  ansible.builtin.import_tasks: extended-lts.oneline.yml.yml
+  tags:
+    - apt
+  when:
+    - apt_install_extended_lts | bool
+    - ansible_distribution_major_version is version('10', '<')
+
 - name: Clean GANDI sources
   ansible.builtin.file:
     path: '{{ item }}'
@@ -126,4 +134,4 @@
     upgrade: dist
   when: apt_upgrade | bool
   tags:
-    - apt
+    - apt

apt/templates/evolix_public.list.j2

@@ -1,3 +1,3 @@
 # {{ ansible_managed }}
 
-deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix {{ ansible_distribution_release }} main
+deb [signed-by={{ apt_keyring_dir }}/{{ apt_evolix_public_key }}] http://pub.evolix.org/evolix {{ ansible_distribution_release }} main

apt/templates/jessie_basics.list.j2

@@ -1,4 +1,5 @@
 # {{ ansible_managed }}
 
-deb http://archive.org/debian jessie {{ apt_basics_components | mandatory }}
-deb http://archive.debian.org/debian-security jessie/updates {{ apt_basics_components | mandatory }}
+### Those repositories are unusable. Move to ELTS (manually).
+# deb http://archive.debian.org/debian jessie {{ apt_basics_components | mandatory }}
+# deb http://archive.debian.org/debian-security jessie/updates {{ apt_basics_components | mandatory }}

apt/templates/jessie_extended-lts.list.j2

@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+
+deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts jessie main
+deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts jessie-lts main

apt/templates/stretch_extended-lts.list.j2

@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+
+deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts stretch main
+deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts stretch-lts main

bind/meta/main.yml

@@ -14,6 +14,8 @@ galaxy_info:
         - jessie
         - stretch
         - buster
+        - bullseye
+        - bookworm
 
   galaxy_tags: []
     # Be sure to remove the '[]' above if you add dependencies

dovecot/tasks/munin.yml

@@ -14,11 +14,16 @@
         path: /etc/munin/plugins/dovecot
         state: absent
 
-    - name: Remove dovecot plugin conf
+    - name: Remove old dovecot plugin conf
       ansible.builtin.file:
         path: /etc/munin/plugin-conf.d/dovecot
         state: absent
 
+    - name: Remove old dovecot plugin conf
+      ansible.builtin.file:
+        path: /etc/munin/plugin-conf.d/z-evolinux-dovecot
+        state: absent
+
     - name: "Remount /usr if needed"
       ansible.builtin.include_role:
         name: remount-usr
@@ -47,7 +52,7 @@
     - name: Copy Munin config
       ansible.builtin.copy:
         src: z-evolinux-dovecot.conf
-        dest: /etc/munin/plugin-conf.d/z-evolinux-dovecot
+        dest: /etc/munin/plugin-conf.d/zzz-dovecot
         mode: '0644'
       notify: restart munin-node
 

minifirewall/files/check_minifirewall

@@ -87,7 +87,7 @@ main() {
           append_details "configuration is up-to-date"
           summary_ok "minifirewall is started and configuration is up-to-date"
         else
-          if echo "${check_result}" | grep --quiet --regexp 'usage'; then
+          if echo "${check_result}" | grep --ignore-case --quiet --regexp 'usage'; then
             append_details "minifirewall is too old to check active configuration"
           else
             case "${check_rc}" in

mysql/defaults/main.yml

@@ -59,5 +59,5 @@ mysql_binlog_format: mixed
 mysql_server_id: null
 mysql_bind_address: null
 mysql_repl_password: ''
-mysql_read_only: 0
+mysql_read_only: False
 

mysql/tasks/config_jessie.yml

@@ -2,6 +2,7 @@
 
 - ansible.builtin.set_fact:
     mysql_config_directory: /etc/mysql/conf.d
+    mysql_performance_schema: False
 
 - name: "Copy MySQL defaults config file (jessie)"
   ansible.builtin.copy:

mysql/templates/evolinux-custom.cnf.j2

@@ -38,7 +38,7 @@ lower_case_table_names = {{ mysql_lower_case_table_names }}
 {% if mysql_innodb_log_file_size %}
 innodb_log_file_size = {{ mysql_innodb_log_file_size }}
 {% endif %}
-read_only = {{ mysql_read_only }}
+read_only = {{ mysql_read_only | bool | ternary('1','0') }}
 {% if mysql_performance_schema %}
 performance_schema = ON
 performance-schema-instrument='stage/%=ON'

remount-usr/tasks/main.yml

@@ -1,17 +1,28 @@
 ---
 # findmnt returns 0 on hit, 1 on miss
 # If the return code is higher than 1, it's a blocking failure
+
+- name: "check if /usr is a mountpoint"
+  ansible.builtin.shell: "findmnt -n /usr &> /dev/null"
+  register: usr_mount_exists
+  failed_when: False
+  check_mode: False
+  changed_when: False
+
 - name: "check if /usr is a read-only partition"
   ansible.builtin.command:
     cmd: 'findmnt /usr --noheadings --options ro'
+  register: usr_partition
+  when: usr_mount_exists.rc == 0
   changed_when: False
   failed_when: usr_partition.rc > 1
-  check_mode: no
-  register: usr_partition
+  check_mode: False
 
 - name: "mount /usr in rw"
   ansible.builtin.command:
     cmd: 'mount -o remount,rw /usr'
-  changed_when: False
-  when: usr_partition.rc == 0
+  when:
+    - usr_mount_exists.rc == 0
+    - usr_partition.rc == 0
   notify: remount usr
+  changed_when: False

spamassasin/handlers/main.yml

@@ -3,3 +3,8 @@
   ansible.builtin.service:
     name: spamassassin
     state: restarted
+
+- name: restart spamd
+  ansible.builtin.service:
+    name: spamd
+    state: restarted

spamassasin/tasks/main.yml

@@ -4,6 +4,16 @@
     name:
       - spamassassin
     state: present
+  when: ansible_distribution_major_version is version('12', '<')
+  tags:
+    - spamassassin
+
+- name: install spamd
+  ansible.builtin.apt:
+    name:
+      - spamd
+    state: present
+  when: ansible_distribution_major_version is version('12', '>=')
   tags:
     - spamassassin
 
@@ -13,6 +23,17 @@
     dest: /etc/spamassassin/local_evolix.cf
     mode: "0644"
   notify: restart spamassassin
+  when: ansible_distribution_major_version is version('12', '<')
+  tags:
+    - spamassassin
+
+- name: configure spamd
+  ansible.builtin.copy:
+    src: spamassassin.cf
+    dest: /etc/spamassassin/local_evolix.cf
+    mode: "0644"
+  notify: restart spamd
+  when: ansible_distribution_major_version is version('12', '>=')
   tags:
     - spamassassin
 
@@ -22,6 +43,7 @@
     regexp: 'ENABLED=0'
     replace: 'ENABLED=1'
   notify: restart spamassassin
+  when: ansible_distribution_major_version is version('12', '<')
   tags:
     - spamassassin
 
@@ -97,5 +119,15 @@
     name: spamassassin
     state: started
     enabled: True
+  when: ansible_distribution_major_version is version('12', '<')
+  tags:
+    - spamassassin
+
+- name: ensure spamd is started and enabled
+  ansible.builtin.systemd:
+    name: spamd
+    state: started
+    enabled: True
+  when: ansible_distribution_major_version is version('12', '>=')
   tags:
     - spamassassin

squid/README.md

@@ -6,7 +6,7 @@ Installation and configuration of Squid
 
 Everything is in the `tasks/main.yml` file.
 
-A blank file is created at `/etc/squid3/whitelist-custom.conf` to add addresses in the whitelist.
+A blank file is created at `/etc/squid/whitelist-custom.conf` to add addresses in the whitelist.
 
 ## Available variables
 

squid/tasks/main.yml

@@ -38,14 +38,14 @@
 - name: "squid.conf is present (jessie)"
   ansible.builtin.template:
     src: squid.conf.j2
-    dest: /etc/squid3/squid.conf
+    dest: /etc/squid/squid.conf
   notify: "restart squid3"
   when: ansible_distribution_release == "jessie"
 
 - name: "evolix whitelist is present (jessie)"
   ansible.builtin.copy:
     src: whitelist-evolinux.conf
-    dest: /etc/squid3/whitelist.conf
+    dest: /etc/squid/whitelist.conf
     force: false
   notify: "reload squid3"
   when: ansible_distribution_release == "jessie"
@@ -135,7 +135,7 @@
 - name: add some URL in whitelist (Debian 8)
   ansible.builtin.lineinfile:
     insertafter: EOF
-    dest: /etc/squid3/whitelist.conf
+    dest: /etc/squid/whitelist.conf
     line: "{{ item }}"
     state: present
   loop: '{{ squid_whitelist_items }}'

squid/templates/squid.conf.j2

@@ -8,7 +8,7 @@ acl localhost src 127.0.0.0/32
 acl INTERNE src {{ squid_address }}/32 127.0.0.0/8
 acl Safe_ports port 80          # http
 acl SSL_ports port 443 563
-acl WHITELIST url_regex "/etc/squid3/whitelist.conf"
+acl WHITELIST url_regex "/etc/squid/whitelist.conf"
 http_access deny !WHITELIST
 http_access allow INTERNE
 http_access deny all

unbound/defaults/main.yml

@@ -1,9 +1,11 @@
 ---
+
 unbound_interfaces:
-- '127.0.0.1'
-- '::1'
+  - '127.0.0.1'
+  - '::1'
+
 unbound_acls:
-- '0.0.0.0/0 refuse'
-- '127.0.0.0/8 allow_snoop'
-- '::0/0 refuse'
-- '::1 allow_snoop'
+  - '0.0.0.0/0 refuse'
+  - '127.0.0.0/8 allow_snoop'
+  - '::0/0 refuse'
+  - '::1 allow_snoop'

unbound/files/munin-plugin.conf

@@ -0,0 +1,5 @@
+[unbound*]
+user root
+env.statefile /tmp/munin-unbound-state
+env.unbound_conf /etc/unbound/unbound.conf
+env.unbound_control /usr/sbin/unbound-control

unbound/handlers/main.yml

@@ -1,5 +1,15 @@
 ---
-- name: reload unbound
+- name: Restart unbound
+  ansible.builtin.service:
+    name: unbound
+    state: restarted
+
+- name: Reload unbound
   ansible.builtin.service:
     name: unbound
     state: reloaded
+
+- name: Restart munin-node
+  ansible.builtin.service:
+    name: munin-node
+    state: restarted

unbound/tasks/main.yml

@@ -1,38 +1,73 @@
 ---
 - name: Install Unbound package
   ansible.builtin.apt:
-    name: unbound
+    name:
+      - unbound
+      - unbound-anchor
+      - dns-root-data
     state: present
-  when: ansible_distribution == "Debian"
   tags:
-  - unbound
-
-- name: Retrieve list of root DNS servers
-  ansible.builtin.get_url:
-    url: https://www.internic.net/domain/named.cache
-    dest: /etc/unbound/root.hints
-    force: true
-    mode: "0644"
-  notify: reload unbound
-  tags:
-  - unbound
+    - unbound
 
 - name: Copy Unbound config
   ansible.builtin.template:
-    src: unbound.conf.j2
-    dest: /etc/unbound/unbound.conf
+    src: evolinux.conf.j2
+    dest: /etc/unbound/unbound.conf.d/evolinux.conf
     owner: root
     group: root
     mode: "0644"
-  when: ansible_distribution == "Debian"
-  notify: reload unbound
+  notify: Reload unbound
   tags:
-  - unbound
+    - unbound
+
+- name: Copy Unbound config for reloading (Debian 11 and older)
+  ansible.builtin.template:
+    src: evolinux-reload.conf.j2
+    dest: /etc/unbound/unbound.conf.d/evolinux-reload.conf
+    owner: root
+    group: root
+    mode: "0644"
+  when:
+    - ansible_distribution_major_version is version('11', '<=')
+  notify: Restart unbound
+  tags:
+    - unbound
+
+- name: Copy munin plugin config
+  ansible.builtin.copy:
+    src: munin-plugin.conf
+    dest: /etc/munin/plugin-conf.d/unbound
+    owner: root
+    group: root
+    mode: "0644"
+  tags:
+    - unbound
+
+- name: Enable unbound munin plugin
+  ansible.builtin.file:
+    src: /usr/share/munin/plugins/unbound_munin_
+    dest: "/etc/munin/plugins/unbound_munin_{{ plugin_name }}"
+    state: link
+  loop:
+    - hits
+    - queue
+    - memory
+    - by_type
+    - by_class
+    - by_opcode
+    - by_rcode
+    - by_flags
+    - histogram
+  loop_control:
+    loop_var: plugin_name
+  notify: Restart munin-node
+  tags:
+    - unbound
 
 - name: Starting and enabling Unbound
   ansible.builtin.service:
     name: unbound
-    enabled: yes
+    enabled: true
     state: started
   tags:
-  - unbound
+    - unbound

unbound/templates/evolinux-reload.conf.j2

@@ -0,0 +1,7 @@
+# {{ ansible_managed }}
+
+remote-control:
+  control-enable: yes
+  # by default the control interface is is 127.0.0.1 and ::1 and port 8953
+  # it is possible to use a unix socket too
+  control-interface: /run/unbound.ctl

unbound/templates/evolinux.conf.j2

@@ -0,0 +1,53 @@
+server:
+    #interface: X.X.X.X
+    #interface: 127.0.0.1@5353      # listen on alternative port
+{% for interface in unbound_interfaces %}
+    interface: {{ interface }}
+{% endfor %}
+
+{% for acl in unbound_acls %}
+    access-control: {{ acl }}
+{% endfor %}
+
+    hide-identity: yes
+    hide-version: yes
+
+    root-hints: "/usr/share/dns/root.hints"
+
+    # Uncomment to enable DNSSEC validation.
+    #auto-trust-anchor-file: "/etc/unbound/root.key"
+
+    # Enable extended stats for munin plugin
+    extended-statistics: yes
+    statistics-cumulative: no
+    statistics-interval: 0
+
+
+    # Serve zones authoritatively from Unbound to resolver clients.
+    # Not for external service.
+
+    #local-zone: "local." static
+    #local-data: "mycomputer.local. IN A 192.0.2.51"
+    #local-zone: "2.0.192.in-addr.arpa." static
+    #local-data-ptr: "192.0.2.51 mycomputer.local
+    # UDP EDNS reassembly buffer advertised to peers. Default 4096.
+    # May need lowering on broken networks with fragmentation/MTU issues,
+    # particularly if validating DNSSEC.
+
+    #edns-buffer-size: 1480
+    # Use TCP for "forward-zone" requests. Useful if you are making
+    # DNS requests over an SSH port forwarding.
+    #tcp-upstream: yes
+
+
+# Use an upstream forwarder (recursive resolver) for specific zones.
+# Example addresses given below are public resolvers valid as of 2014/03.
+#
+#forward-zone:
+#       name: "."                               # use for ALL queries
+#       forward-addr: 74.82.42.42               # he.net
+#       forward-addr: 2001:470:20::2            # he.net v6
+#       forward-addr: 8.8.8.8                   # google.com
+#       forward-addr: 2001:4860:4860::8888      # google.com v6
+#       forward-addr: 208.67.222.222            # opendns.com
+#       forward-first: yes                      # try direct if forwarder fails

unbound/templates/unbound.conf.j2

@@ -1,45 +0,0 @@
-server:
-	#interface: X.X.X.X
-	#interface: 127.0.0.1@5353      # listen on alternative port
-{% for interface in unbound_interfaces %}
-	interface: {{ interface }}
-{% endfor %}
-	#do-ip6: no
-
-{% for acl in unbound_acls %}
-	access-control: {{ acl }}
-{% endfor %}
-
-	hide-identity: yes
-	hide-version: yes
-
-	root-hints: "/etc/unbound/root.hints"
-	# Uncomment to enable DNSSEC validation.
-	#auto-trust-anchor-file: "/etc/unbound/root.key"
-	# Serve zones authoritatively from Unbound to resolver clients.
-	# Not for external service.
-
-	#local-zone: "local." static
-	#local-data: "mycomputer.local. IN A 192.0.2.51"
-	#local-zone: "2.0.192.in-addr.arpa." static
-	#local-data-ptr: "192.0.2.51 mycomputer.local
-	# UDP EDNS reassembly buffer advertised to peers. Default 4096.
-	# May need lowering on broken networks with fragmentation/MTU issues,
-	# particularly if validating DNSSEC.
-
-	#edns-buffer-size: 1480
-	# Use TCP for "forward-zone" requests. Useful if you are making
-	# DNS requests over an SSH port forwarding.
-	#tcp-upstream: yes
-
-# Use an upstream forwarder (recursive resolver) for specific zones.
-# Example addresses given below are public resolvers valid as of 2014/03.
-#
-#forward-zone:
-#       name: "."                               # use for ALL queries
-#       forward-addr: 74.82.42.42               # he.net
-#       forward-addr: 2001:470:20::2            # he.net v6
-#       forward-addr: 8.8.8.8                   # google.com
-#       forward-addr: 2001:4860:4860::8888      # google.com v6
-#       forward-addr: 208.67.222.222            # opendns.com
-#       forward-first: yes                      # try direct if forwarder fails

webapps/evoadmin-mail/tasks/main.yml

@@ -4,10 +4,27 @@
   ansible.builtin.include_role:
     name: evolix/remount-usr
 
+- name: Get evoadmin-mail package
+  ansible.builtin.get_url:
+    url: https://pub.evolix.org/evolix/pool/main/e/evoadmin-mail/evoadmin-mail_1.0.9-1_all.deb
+    dest: /tmp/evoadmin-mail.deb
+  when: ansible_distribution_major_version is version('12', '<')
+  tags:
+    - evoadmin-mail
+
 - name: Install evoadmin-mail package
   ansible.builtin.apt:
     deb: /tmp/evoadmin-mail.deb
     state: present
+  when: ansible_distribution_major_version is version('12', '<')
+  tags:
+    - evoadmin-mail
+
+- name: Install evoadmin-mail package
+  ansible.builtin.apt:
+    name: evoadmin-mail
+    state: present
+  when: ansible_distribution_major_version is version('12', '>=')
   tags:
     - evoadmin-mail
 

webapps/nextcloud/defaults/main.yml

@@ -17,3 +17,5 @@ nextcloud_db_name: "{{ nextcloud_instance_name }}"
 
 nextcloud_admin_login: "admin"
 nextcloud_admin_password: ""
+
+nextcloud_do_config: True

webapps/nextcloud/tasks/main.yml

@@ -54,3 +54,4 @@
 - ansible.builtin.include: mysql-user.yml
 
 - ansible.builtin.include: config.yml
+  when: nextcloud_do_config

webapps/nextcloud/tasks/user.yml

@@ -43,7 +43,14 @@
 - name: Mount up Ceph volume by UUID
   ansible.posix.mount:
     path: "{{ nextcloud_data }}"
-    src: "{{ nextcloud_data_uuid }}"
+    src: "UUID={{ nextcloud_data_uuid }}"
     fstype: ext4
     opts: defaults,noexec,nosuid,nodev,relatime,lazytime
-    state: present
+    state: mounted
+
+- name: Set volume's root permissions and ownership
+  ansible.builtin.file:
+    path: "{{ nextcloud_data }}"
+    owner: "{{ nextcloud_user }}"
+    group: "{{ nextcloud_user }}"
+    mode: "0700"