webapps/evoadmin-mail: package can now be installed via public.evolix.org/evolix repo starting from Bookworm #172
25
CHANGELOG.md
|
@ -14,26 +14,49 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
### Added
|
### Added
|
||||||
|
|
||||||
* Preliminary work for php83
|
* Preliminary work for php83
|
||||||
|
* apt: add task file to install ELTS repository (default: False)
|
||||||
* lxc-php: Allow one to install php83 on Bookworm container
|
* lxc-php: Allow one to install php83 on Bookworm container
|
||||||
* nagios-nrpe: add check_sentinel for monitoring Redis Sentinel
|
* nagios-nrpe: add check_sentinel for monitoring Redis Sentinel
|
||||||
* webapps/nextcloud: Added var nextcloud_user_uid to enforce uid for nextcloud user
|
* webapps/nextcloud: Added var nextcloud_user_uid to enforce uid for nextcloud user
|
||||||
* etc-git: add /var/chroot-bind/etc/bind repo
|
* etc-git: add /var/chroot-bind/etc/bind repo
|
||||||
|
* webapps/evoadmin-mail: package can now installed via public.evolix.org/evolix repo starting from Bookworm
|
||||||
|
* webapps/nextcloud: Set ownership and permissions of data directory
|
||||||
|
* webapps/nextcloud: Add condition for config tasks
|
||||||
|
* remount-usr: do not try to remount /usr RW if /usr is not a mounted partition
|
||||||
|
* minifirewall: Fix nagios check for old versions of minifirewall
|
||||||
|
* webapps/evoadmin-mail: package can now installed via public.evolix.org/evolix repo starting from Bookworm
|
||||||
|
* webapps/nextcloud: Set ownership and permissions of data directory
|
||||||
|
* webapps/nextcloud: Add condition for config tasks
|
||||||
|
* remount-usr: do not try to remount /usr RW if /usr is not a mounted partition
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
|
||||||
* add-vm.sh: allow VM name max length > 20
|
* add-vm.sh: allow VM name max length > 20
|
||||||
* apache : fix goaway pattern for bad bots
|
* apache : fix goaway pattern for bad bots
|
||||||
* apache : rename MaxRequestsPerChild to MaxConnectionsPerChild (new name)
|
* apache : rename MaxRequestsPerChild to MaxConnectionsPerChild (new name)
|
||||||
|
* apache: use backward compatible Redirect directive
|
||||||
|
* apt: Disable archive repository for Debian 8
|
||||||
|
* apt: Use the GPG version of the key for Debian 8-9
|
||||||
* bind: Update role for Buster, Bullseye and Bookworm support
|
* bind: Update role for Buster, Bullseye and Bookworm support
|
||||||
|
* dovecot: Munin plugin conf path is now `/etc/munin/plugin-conf.d/zzz-dovecot` (instead of `z-evolinux-dovecot`)
|
||||||
* evocheck: upstream release 23.11.1
|
* evocheck: upstream release 23.11.1
|
||||||
* evolinux-base: dump-server-state upstream release 23.11
|
* evolinux-base: dump-server-state upstream release 23.11
|
||||||
* evolinux-base: use separate default config file for rsyslog
|
* evolinux-base: use separate default config file for rsyslog
|
||||||
* kvmstats: use .capacity instead of .physical for disk size
|
* kvmstats: use .capacity instead of .physical for disk size
|
||||||
* log2mail: move custom config in separate file
|
* log2mail: move custom config in separate file
|
||||||
* lxc: init /etc git repository in lxc container
|
* lxc: init /etc git repository in lxc container
|
||||||
|
* mysql: disable performance schema for Debian 8
|
||||||
* nagios: rename var `nagios_nrpe_process_processes` into `nagios_nrpe_processes` and check systemd-timesyncd instead of ntpd in Debian 12
|
* nagios: rename var `nagios_nrpe_process_processes` into `nagios_nrpe_processes` and check systemd-timesyncd instead of ntpd in Debian 12
|
||||||
* proftpd: in SFTP vhost, enable SSH keys login, enable ed25549 host key for Debian >= 11
|
* proftpd: in SFTP vhost, enable SSH keys login, enable ed25549 host key for Debian >= 11
|
||||||
|
* squid: config directory seems to have changed from /etc/squid3 to /etc/squid in Debian 8
|
||||||
|
* unbound: Add config file to allow configuration reload on Debian 11 and lower
|
||||||
|
* unbound: Add munin configuration & setup plugin
|
||||||
|
* unbound: Big cleanup
|
||||||
|
* unbound: Move generated config file to `/etc/unbound/unbound.conf.d/evolinux.conf`
|
||||||
|
* unbound: Use root hints provided by debian package dns-root-data instead of downloading them
|
||||||
* vrrpd: variable to force update the switch script (default: false)
|
* vrrpd: variable to force update the switch script (default: false)
|
||||||
|
* dovecot: Munin plugin conf path is now `/etc/munin/plugin-conf.d/zzz-dovecot` (instead of `z-evolinux-dovecot`)
|
||||||
|
* webapps/nextcloud: Add Ceph volume to fstab
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
|
|
||||||
|
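Review bot: the Added section of this hunk inserts the same four entries twice (webapps/evoadmin-mail, webapps/nextcloud: Set ownership and permissions of data directory, webapps/nextcloud: Add condition for config tasks, remount-usr), and the Changed section lists the dovecot Munin plugin path entry twice; drop the second copies. In the new lines themselves: "package can now installed" is missing "be"; the entry names public.evolix.org while every template and task in this diff uses pub.evolix.org, so one of the two is wrong; and "minifirewall: Fix nagios check for old versions of minifirewall" is a fix and belongs under Fixed rather than Added. Visible in the unchanged context, "ed25549" in the proftpd entry should read ed25519.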
@ -52,7 +75,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
* certbot: fix hook for dovecot when more than one certificate is used (eg. different certificates for POP3 and IMAP)
|
* certbot: fix hook for dovecot when more than one certificate is used (eg. different certificates for POP3 and IMAP)
|
||||||
* evolinux-base: start to install linux-image-cloud-amd64 with Buster
|
* evolinux-base: start to install linux-image-cloud-amd64 with Buster
|
||||||
* apt: use archive.debian.org with Stretch
|
* apt: use archive.debian.org with Stretch
|
||||||
|
* webapps/nextcloud: fix Add Ceph volume to fstab : missing UUID= in src
|
||||||
|
|
||||||
### Removed
|
### Removed
|
||||||
|
|
||||||
|
|
|
@ -48,17 +48,17 @@ MaxKeepAliveRequests 10
|
||||||
<DirectoryMatch "/\.git">
|
<DirectoryMatch "/\.git">
|
||||||
# We don't want to let the client know a file exist on the server,
|
# We don't want to let the client know a file exist on the server,
|
||||||
# so we return 404 "Not found" instead of 403 "Forbidden".
|
# so we return 404 "Not found" instead of 403 "Forbidden".
|
||||||
Redirect 404
|
Redirect 404 "-"
|
||||||
</DirectoryMatch>
|
</DirectoryMatch>
|
||||||
|
|
||||||
# File names starting with
|
# File names starting with
|
||||||
<FilesMatch "^\.(git|env)">
|
<FilesMatch "^\.(git|env)">
|
||||||
Redirect 404
|
Redirect 404 "-"
|
||||||
</FilesMatch>
|
</FilesMatch>
|
||||||
|
|
||||||
# File names ending with
|
# File names ending with
|
||||||
<FilesMatch "\.(inc|bak)$">
|
<FilesMatch "\.(inc|bak)$">
|
||||||
Redirect 404
|
Redirect 404 "-"
|
||||||
</FilesMatch>
|
</FilesMatch>
|
||||||
|
|
||||||
<LocationMatch "^/evolinux_fpm_status-.*">
|
<LocationMatch "^/evolinux_fpm_status-.*">
|
||||||
|
|
|
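Review bot: the changelog calls `Redirect 404 "-"` the backward-compatible form, but nothing in the diff records which Apache version rejects the bare `Redirect 404`; extend the comment above the directive (it currently explains only why 404 is returned instead of 403) with that detail so the next person does not "simplify" it back, and run `apachectl configtest` on the oldest and newest supported Debian before merging, since this snippet is repeated in three containers and a syntax error in any of them takes the whole vhost down.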
@ -14,6 +14,7 @@ apt_install_backports: False
|
||||||
apt_backports_components: "main"
|
apt_backports_components: "main"
|
||||||
|
|
||||||
apt_install_evolix_public: True
|
apt_install_evolix_public: True
|
||||||
|
apt_install_extended_lts: False
|
||||||
|
|
||||||
apt_clean_gandi_sourceslist: False
|
apt_clean_gandi_sourceslist: False
|
||||||
|
|
||||||
|
@ -28,4 +29,4 @@ apt_check_hold_cron_weekday: "*"
|
||||||
apt_check_hold_cron_day: "*"
|
apt_check_hold_cron_day: "*"
|
||||||
apt_check_hold_cron_month: "*"
|
apt_check_hold_cron_month: "*"
|
||||||
|
|
||||||
apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
|
apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
|
||||||
|
|
BIN
apt/files/freexian-archive-extended-lts.gpg
Normal file
Binary file not shown.
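Review bot: the keyring freexian-archive-extended-lts.gpg is committed as an opaque binary with no record of where it was obtained or what its fingerprint is, so a reviewer cannot tell whether it is the genuine Freexian ELTS signing key; add the fingerprint and the source URL to the commit message or to a README note next to the new `apt_install_extended_lts` variable, and consider committing the ASCII-armored form, which is diffable and lets future key rotations be reviewed.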
|
@ -24,10 +24,16 @@
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
|
|
||||||
|
- name: Set Evolix GPG key format to ASC
|
||||||
|
set_fact:
|
||||||
|
apt_evolix_public_key: "{{ apt_keyring_dir }}/pub_evolix.asc"
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
- name: Add Evolix GPG key
|
- name: Add Evolix GPG key
|
||||||
ansible.builtin.copy:
|
ansible.builtin.copy:
|
||||||
src: pub_evolix.asc
|
src: pub_evolix.asc
|
||||||
dest: "{{ apt_keyring_dir }}/pub_evolix.asc"
|
dest: "{{ apt_evolix_public_key }}"
|
||||||
force: true
|
force: true
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
owner: root
|
owner: root
|
||||||
|
|
|
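Review bot: `apt_evolix_public_key` is set here to a full path (`{{ apt_keyring_dir }}/pub_evolix.asc`), while the other evolix_public task file in this diff sets it to a bare filename and the evolix_public.list.j2 template builds `signed-by={{ apt_keyring_dir }}/{{ apt_evolix_public_key }}`; with the full-path value that template produces a doubled directory in the signed-by path and apt will not find the key on any host that uses this task file together with that template. Pick one convention (the bare filename is the simpler one, since `dest` and the template both already prefix `apt_keyring_dir`) and use it in both task files.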
@ -24,10 +24,26 @@
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
|
|
||||||
|
- name: Set Evolix GPG key format to GPG (Debian < 9)
|
||||||
|
set_fact:
|
||||||
|
apt_evolix_public_key: "pub_evolix.gpg"
|
||||||
|
when:
|
||||||
|
- ansible_distribution_major_version is version('9', '<')
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
|
- name: Set Evolix GPG key format to ASC (Debian >= 9)
|
||||||
|
set_fact:
|
||||||
|
apt_evolix_public_key: "pub_evolix.asc"
|
||||||
|
when:
|
||||||
|
- ansible_distribution_major_version is version('9', '>=')
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
- name: Add Evolix GPG key
|
- name: Add Evolix GPG key
|
||||||
ansible.builtin.copy:
|
ansible.builtin.copy:
|
||||||
src: pub_evolix.asc
|
src: "{{ apt_evolix_public_key }}"
|
||||||
dest: "{{ apt_keyring_dir }}/pub_evolix.asc"
|
dest: "{{ apt_keyring_dir }}/{{ apt_evolix_public_key }}"
|
||||||
force: true
|
force: true
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
owner: root
|
owner: root
|
||||||
|
|
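Review bot: `src: "{{ apt_evolix_public_key }}"` now expects a `pub_evolix.gpg` file under files/ for Debian < 9, but this diff only adds freexian-archive-extended-lts.gpg; confirm pub_evolix.gpg already exists in the role, otherwise the copy task fails on every Jessie host. The two set_fact tasks with opposite `when` conditions could be a single task, e.g. `apt_evolix_public_key: "{{ (ansible_distribution_major_version is version('9', '<')) | ternary('pub_evolix.gpg', 'pub_evolix.asc') }}"`, which also removes the risk of the two conditions drifting apart.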
37
apt/tasks/extended-lts.oneline.yml.yml
Normal file
|
@ -0,0 +1,37 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: "Ensure {{ apt_keyring_dir }} directory exists"
|
||||||
|
file:
|
||||||
|
path: "{{ apt_keyring_dir }}"
|
||||||
|
state: directory
|
||||||
|
mode: "755"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
|
||||||
|
- name: Add Evolix GPG key
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: "freexian-archive-extended-lts.gpg"
|
||||||
|
dest: "{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"
|
||||||
|
force: true
|
||||||
|
mode: "0644"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
|
- name: ELTS list is installed
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: "{{ ansible_distribution_release }}_extended-lts.list.j2"
|
||||||
|
dest: /etc/apt/sources.list.d/extended-lts.list
|
||||||
|
force: true
|
||||||
|
mode: "0640"
|
||||||
|
register: apt_extended_lts
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
|
- name: Apt update
|
||||||
|
ansible.builtin.apt:
|
||||||
|
update_cache: yes
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
when: apt_extended_lts is changed
|
|
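Review bot: the new file name `extended-lts.oneline.yml.yml` has a doubled extension, and main.yml imports it with the same typo, so rename it now before it spreads. Inside the file, the task that copies the Freexian key is named "Add Evolix GPG key" (copy-paste from the evolix_public tasks; it should say Freexian ELTS), `file:` is the only non-FQCN module in this diff (`ansible.builtin.file` everywhere else), and `mode: "755"` lacks the leading zero used in every other mode in this diff (`"0755"`). The "Apt update" task is tagged apt but conditioned on `apt_extended_lts is changed`, which is fine as long as the import keeps its `when` list; worth a comment, since an unconditional `update_cache: yes` is what people usually expect here.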
@ -80,6 +80,14 @@
|
||||||
- apt_install_evolix_public | bool
|
- apt_install_evolix_public | bool
|
||||||
- ansible_distribution_major_version is version('12', '>=')
|
- ansible_distribution_major_version is version('12', '>=')
|
||||||
|
|
||||||
|
- name: Install Extended-LTS repositories (Debian < 10)
|
||||||
|
ansible.builtin.import_tasks: extended-lts.oneline.yml.yml
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
when:
|
||||||
|
- apt_install_extended_lts | bool
|
||||||
|
- ansible_distribution_major_version is version('10', '<')
|
||||||
|
|
||||||
- name: Clean GANDI sources
|
- name: Clean GANDI sources
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: '{{ item }}'
|
path: '{{ item }}'
|
||||||
|
@ -126,4 +134,4 @@
|
||||||
upgrade: dist
|
upgrade: dist
|
||||||
when: apt_upgrade | bool
|
when: apt_upgrade | bool
|
||||||
tags:
|
tags:
|
||||||
- apt
|
- apt
|
||||||
|
|
|
@ -1,3 +1,3 @@
|
||||||
# {{ ansible_managed }}
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix {{ ansible_distribution_release }} main
|
deb [signed-by={{ apt_keyring_dir }}/{{ apt_evolix_public_key }}] http://pub.evolix.org/evolix {{ ansible_distribution_release }} main
|
||||||
|
|
|
@ -1,4 +1,5 @@
|
||||||
# {{ ansible_managed }}
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
deb http://archive.org/debian jessie {{ apt_basics_components | mandatory }}
|
### Those repositories are unusable. Move to ELTS (manually).
|
||||||
deb http://archive.debian.org/debian-security jessie/updates {{ apt_basics_components | mandatory }}
|
# deb http://archive.debian.org/debian jessie {{ apt_basics_components | mandatory }}
|
||||||
|
# deb http://archive.debian.org/debian-security jessie/updates {{ apt_basics_components | mandatory }}
|
||||||
|
|
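Review bot: after this change the jessie sources template contains no active `deb` line at all, and `apt_install_extended_lts` defaults to False, so a Jessie host that is not explicitly switched to ELTS ends up with an empty sources list while the later `upgrade: dist` task still runs; either turn the "Move to ELTS (manually)" comment into an explicit `ansible.builtin.fail` or `debug` warning when `apt_install_extended_lts` is false on Debian 8, or keep the archive.debian.org lines active until ELTS is enabled. The removed line also carried `http://archive.org/debian` (wrong host), which means Jessie hosts were already getting a broken entry; that is worth a word in the changelog.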
4
apt/templates/jessie_extended-lts.list.j2
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
|
deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts jessie main
|
||||||
|
deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts jessie-lts main
|
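Review bot: the quoted value `signed-by="..."` differs from the unquoted form written by evolix_public.list.j2 in this same diff; pick one (the unquoted form is what sources.list(5) shows) after checking that the apt versions shipped with Jessie and Stretch accept the quotes, since a rejected option line disables the whole repository. Also keep in mind what `signed-by` does and does not do here: with `apt_keyring_dir` resolving to /etc/apt/trusted.gpg.d on Debian < 12 (defaults/main.yml in this diff), the Freexian key is trusted for every repository on those hosts anyway, so `signed-by` only scopes it on newer apt; a comment saying so prevents a false sense of isolation. Both ELTS templates use http://; index and package integrity still come from the signature, but https avoids exposing which packages each host fetches.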
4
apt/templates/stretch_extended-lts.list.j2
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
|
deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts stretch main
|
||||||
|
deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts stretch-lts main
|
|
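Review bot: this file is identical to jessie_extended-lts.list.j2 except for the release name, and the task that selects it already derives the name from `ansible_distribution_release`; a single `extended-lts.list.j2` writing `{{ ansible_distribution_release }} main` and `{{ ansible_distribution_release }}-lts main` would remove the duplication and make adding the next ELTS release a change to the `when` condition only.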
@ -14,6 +14,8 @@ galaxy_info:
|
||||||
- jessie
|
- jessie
|
||||||
- stretch
|
- stretch
|
||||||
- buster
|
- buster
|
||||||
|
- bullseye
|
||||||
|
- bookworm
|
||||||
|
|
||||||
galaxy_tags: []
|
galaxy_tags: []
|
||||||
# Be sure to remove the '[]' above if you add dependencies
|
# Be sure to remove the '[]' above if you add dependencies
|
||||||
|
|
|
@ -14,11 +14,16 @@
|
||||||
path: /etc/munin/plugins/dovecot
|
path: /etc/munin/plugins/dovecot
|
||||||
state: absent
|
state: absent
|
||||||
|
|
||||||
- name: Remove dovecot plugin conf
|
- name: Remove old dovecot plugin conf
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: /etc/munin/plugin-conf.d/dovecot
|
path: /etc/munin/plugin-conf.d/dovecot
|
||||||
state: absent
|
state: absent
|
||||||
|
|
||||||
|
- name: Remove old dovecot plugin conf
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: /etc/munin/plugin-conf.d/z-evolinux-dovecot
|
||||||
|
state: absent
|
||||||
|
|
||||||
- name: "Remount /usr if needed"
|
- name: "Remount /usr if needed"
|
||||||
ansible.builtin.include_role:
|
ansible.builtin.include_role:
|
||||||
name: remount-usr
|
name: remount-usr
|
||||||
|
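Review bot: after this hunk two consecutive tasks carry the same name "Remove old dovecot plugin conf" (one for /etc/munin/plugin-conf.d/dovecot, one for z-evolinux-dovecot), which makes play output and `--start-at-task` ambiguous; give them distinct names, or fold them into one task that loops over the two paths with `state: absent`.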
@ -47,7 +52,7 @@
|
||||||
- name: Copy Munin config
|
- name: Copy Munin config
|
||||||
ansible.builtin.copy:
|
ansible.builtin.copy:
|
||||||
src: z-evolinux-dovecot.conf
|
src: z-evolinux-dovecot.conf
|
||||||
dest: /etc/munin/plugin-conf.d/z-evolinux-dovecot
|
dest: /etc/munin/plugin-conf.d/zzz-dovecot
|
||||||
mode: '0644'
|
mode: '0644'
|
||||||
notify: restart munin-node
|
notify: restart munin-node
|
||||||
|
|
||||||
|
|
|
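Review bot: the destination is renamed to zzz-dovecot but `src: z-evolinux-dovecot.conf` keeps the old name; rename the source file as well, and add a comment explaining why the config has to sort last in plugin-conf.d (the zzz prefix implies an ordering requirement that nothing in the diff documents).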
@ -87,7 +87,7 @@ main() {
|
||||||
append_details "configuration is up-to-date"
|
append_details "configuration is up-to-date"
|
||||||
summary_ok "minifirewall is started and configuration is up-to-date"
|
summary_ok "minifirewall is started and configuration is up-to-date"
|
||||||
else
|
else
|
||||||
if echo "${check_result}" | grep --quiet --regexp 'usage'; then
|
if echo "${check_result}" | grep --ignore-case --quiet --regexp 'usage'; then
|
||||||
append_details "minifirewall is too old to check active configuration"
|
append_details "minifirewall is too old to check active configuration"
|
||||||
else
|
else
|
||||||
case "${check_rc}" in
|
case "${check_rc}" in
|
||||||
|
|
|
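Review bot: `grep --ignore-case --quiet --regexp 'usage'` now matches the word anywhere in `check_result`, so any future minifirewall output that happens to contain "usage" (a line about memory usage, say) would be classified as "too old" instead of falling through to the `case "${check_rc}"` handling; anchor the pattern to the usage banner, e.g. `--regexp '^[Uu]sage'`, and record in the changelog which minifirewall versions print it, since the check's old-version detection now depends on that exact text.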
@ -59,5 +59,5 @@ mysql_binlog_format: mixed
|
||||||
mysql_server_id: null
|
mysql_server_id: null
|
||||||
mysql_bind_address: null
|
mysql_bind_address: null
|
||||||
mysql_repl_password: ''
|
mysql_repl_password: ''
|
||||||
mysql_read_only: 0
|
mysql_read_only: False
|
||||||
|
|
||||||
|
|
|
@ -2,6 +2,7 @@
|
||||||
|
|
||||||
- ansible.builtin.set_fact:
|
- ansible.builtin.set_fact:
|
||||||
mysql_config_directory: /etc/mysql/conf.d
|
mysql_config_directory: /etc/mysql/conf.d
|
||||||
|
mysql_performance_schema: False
|
||||||
|
|
||||||
- name: "Copy MySQL defaults config file (jessie)"
|
- name: "Copy MySQL defaults config file (jessie)"
|
||||||
ansible.builtin.copy:
|
ansible.builtin.copy:
|
||||||
|
|
|
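Review bot: `set_fact` has higher precedence than inventory, group_vars and role defaults, so `mysql_performance_schema: False` set here cannot be overridden by an operator who wants the performance schema on Debian 8; if that is intended, say so in the changelog ("mysql: disable performance schema for Debian 8" reads like a default, not a hard override), otherwise guard it with `when: mysql_performance_schema is not defined` or move it to a vars file that the inventory can still override.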
@ -38,7 +38,7 @@ lower_case_table_names = {{ mysql_lower_case_table_names }}
|
||||||
{% if mysql_innodb_log_file_size %}
|
{% if mysql_innodb_log_file_size %}
|
||||||
innodb_log_file_size = {{ mysql_innodb_log_file_size }}
|
innodb_log_file_size = {{ mysql_innodb_log_file_size }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
read_only = {{ mysql_read_only }}
|
read_only = {{ mysql_read_only | bool | ternary('1','0') }}
|
||||||
{% if mysql_performance_schema %}
|
{% if mysql_performance_schema %}
|
||||||
performance_schema = ON
|
performance_schema = ON
|
||||||
performance-schema-instrument='stage/%=ON'
|
performance-schema-instrument='stage/%=ON'
|
||||||
|
|
|
@ -1,17 +1,28 @@
|
||||||
---
|
---
|
||||||
# findmnt returns 0 on hit, 1 on miss
|
# findmnt returns 0 on hit, 1 on miss
|
||||||
# If the return code is higher than 1, it's a blocking failure
|
# If the return code is higher than 1, it's a blocking failure
|
||||||
|
|
||||||
|
- name: "check if /usr is a mountpoint"
|
||||||
|
ansible.builtin.shell: "findmnt -n /usr &> /dev/null"
|
||||||
|
register: usr_mount_exists
|
||||||
|
failed_when: False
|
||||||
|
check_mode: False
|
||||||
|
changed_when: False
|
||||||
|
|
||||||
- name: "check if /usr is a read-only partition"
|
- name: "check if /usr is a read-only partition"
|
||||||
ansible.builtin.command:
|
ansible.builtin.command:
|
||||||
cmd: 'findmnt /usr --noheadings --options ro'
|
cmd: 'findmnt /usr --noheadings --options ro'
|
||||||
|
register: usr_partition
|
||||||
|
when: usr_mount_exists.rc == 0
|
||||||
changed_when: False
|
changed_when: False
|
||||||
failed_when: usr_partition.rc > 1
|
failed_when: usr_partition.rc > 1
|
||||||
check_mode: no
|
check_mode: False
|
||||||
register: usr_partition
|
|
||||||
|
|
||||||
- name: "mount /usr in rw"
|
- name: "mount /usr in rw"
|
||||||
ansible.builtin.command:
|
ansible.builtin.command:
|
||||||
cmd: 'mount -o remount,rw /usr'
|
cmd: 'mount -o remount,rw /usr'
|
||||||
changed_when: False
|
when:
|
||||||
when: usr_partition.rc == 0
|
- usr_mount_exists.rc == 0
|
||||||
|
- usr_partition.rc == 0
|
||||||
notify: remount usr
|
notify: remount usr
|
||||||
|
changed_when: False
|
||||||
|
|
|
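Review bot: `findmnt -n /usr &> /dev/null` is a bash-ism; `ansible.builtin.shell` runs under /bin/sh, which is dash on Debian, and dash parses `&>` as "run findmnt in the background, then redirect an empty command", so `usr_mount_exists.rc` is always 0 and the new mountpoint check never skips anything. Use the command module, which also matches the rc comment at the top of the file: `ansible.builtin.command: findmnt -n /usr` with `failed_when: usr_mount_exists.rc > 1`, `changed_when: False` and `check_mode: False`. With that fixed, the `when:` list on the remount task is correct as written, because Ansible evaluates the conditions in order and stops at the first false one, so `usr_partition.rc` is never touched when the second task was skipped.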
@ -3,3 +3,8 @@
|
||||||
ansible.builtin.service:
|
ansible.builtin.service:
|
||||||
name: spamassassin
|
name: spamassassin
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
||||||
|
- name: restart spamd
|
||||||
|
ansible.builtin.service:
|
||||||
|
name: spamd
|
||||||
|
state: restarted
|
||||||
|
|
|
@ -4,6 +4,16 @@
|
||||||
name:
|
name:
|
||||||
- spamassassin
|
- spamassassin
|
||||||
state: present
|
state: present
|
||||||
|
when: ansible_distribution_major_version is version('12', '<')
|
||||||
|
tags:
|
||||||
|
- spamassassin
|
||||||
|
|
||||||
|
- name: install spamd
|
||||||
|
ansible.builtin.apt:
|
||||||
|
name:
|
||||||
|
- spamd
|
||||||
|
state: present
|
||||||
|
when: ansible_distribution_major_version is version('12', '>=')
|
||||||
tags:
|
tags:
|
||||||
- spamassassin
|
- spamassassin
|
||||||
|
|
||||||
|
@ -13,6 +23,17 @@
|
||||||
dest: /etc/spamassassin/local_evolix.cf
|
dest: /etc/spamassassin/local_evolix.cf
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
notify: restart spamassassin
|
notify: restart spamassassin
|
||||||
|
when: ansible_distribution_major_version is version('12', '<')
|
||||||
|
tags:
|
||||||
|
- spamassassin
|
||||||
|
|
||||||
|
- name: configure spamd
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: spamassassin.cf
|
||||||
|
dest: /etc/spamassassin/local_evolix.cf
|
||||||
|
mode: "0644"
|
||||||
|
notify: restart spamd
|
||||||
|
when: ansible_distribution_major_version is version('12', '>=')
|
||||||
tags:
|
tags:
|
||||||
- spamassassin
|
- spamassassin
|
||||||
|
|
||||||
|
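Review bot: the Debian 12 split duplicates every task in this file (install in the previous hunk, configure here, enable and start below) with only the package/service name and the handler differing, and the two "configure" tasks both manage /etc/spamassassin/local_evolix.cf; a single fact such as `spam_service: "{{ (ansible_distribution_major_version is version('12', '>=')) | ternary('spamd', 'spamassassin') }}"` would let each task exist once with `name: "{{ spam_service }}"` and `notify: "restart {{ spam_service }}"`, and remove the version comparison that is now repeated in every `when:`.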
@ -22,6 +43,7 @@
|
||||||
regexp: 'ENABLED=0'
|
regexp: 'ENABLED=0'
|
||||||
replace: 'ENABLED=1'
|
replace: 'ENABLED=1'
|
||||||
notify: restart spamassassin
|
notify: restart spamassassin
|
||||||
|
when: ansible_distribution_major_version is version('12', '<')
|
||||||
tags:
|
tags:
|
||||||
- spamassassin
|
- spamassassin
|
||||||
|
|
||||||
|
@ -97,5 +119,15 @@
|
||||||
name: spamassassin
|
name: spamassassin
|
||||||
state: started
|
state: started
|
||||||
enabled: True
|
enabled: True
|
||||||
|
when: ansible_distribution_major_version is version('12', '<')
|
||||||
|
tags:
|
||||||
|
- spamassassin
|
||||||
|
|
||||||
|
- name: ensure spamd is started and enabled
|
||||||
|
ansible.builtin.systemd:
|
||||||
|
name: spamd
|
||||||
|
state: started
|
||||||
|
enabled: True
|
||||||
|
when: ansible_distribution_major_version is version('12', '>=')
|
||||||
tags:
|
tags:
|
||||||
- spamassassin
|
- spamassassin
|
||||||
|
|
|
@ -6,7 +6,7 @@ Installation and configuration of Squid
|
||||||
|
|
||||||
Everything is in the `tasks/main.yml` file.
|
Everything is in the `tasks/main.yml` file.
|
||||||
|
|
||||||
A blank file is created at `/etc/squid3/whitelist-custom.conf` to add addresses in the whitelist.
|
A blank file is created at `/etc/squid/whitelist-custom.conf` to add addresses in the whitelist.
|
||||||
|
|
||||||
## Available variables
|
## Available variables
|
||||||
|
|
||||||
|
|
|
@ -38,14 +38,14 @@
|
||||||
- name: "squid.conf is present (jessie)"
|
- name: "squid.conf is present (jessie)"
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: squid.conf.j2
|
src: squid.conf.j2
|
||||||
dest: /etc/squid3/squid.conf
|
dest: /etc/squid/squid.conf
|
||||||
notify: "restart squid3"
|
notify: "restart squid3"
|
||||||
when: ansible_distribution_release == "jessie"
|
when: ansible_distribution_release == "jessie"
|
||||||
|
|
||||||
- name: "evolix whitelist is present (jessie)"
|
- name: "evolix whitelist is present (jessie)"
|
||||||
ansible.builtin.copy:
|
ansible.builtin.copy:
|
||||||
src: whitelist-evolinux.conf
|
src: whitelist-evolinux.conf
|
||||||
dest: /etc/squid3/whitelist.conf
|
dest: /etc/squid/whitelist.conf
|
||||||
force: false
|
force: false
|
||||||
notify: "reload squid3"
|
notify: "reload squid3"
|
||||||
when: ansible_distribution_release == "jessie"
|
when: ansible_distribution_release == "jessie"
|
||||||
|
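Review bot: the tasks are still named "(jessie)" and notify "restart squid3"/"reload squid3" while their paths move to /etc/squid/, and the changelog entry says the directory "seems to have changed" on Debian 8, which is not a verified claim. Before merging, check on a Jessie host which directory the installed package actually owns (`dpkg -L squid3 | grep '^/etc/'`): writing squid.conf into a directory the daemon does not read leaves the old configuration silently active, which for a whitelist proxy means the deployed allow-list is not the one in force. If /etc/squid is confirmed, rename the handlers too so the squid3 name does not survive only there.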
@ -135,7 +135,7 @@
|
||||||
- name: add some URL in whitelist (Debian 8)
|
- name: add some URL in whitelist (Debian 8)
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
insertafter: EOF
|
insertafter: EOF
|
||||||
dest: /etc/squid3/whitelist.conf
|
dest: /etc/squid/whitelist.conf
|
||||||
line: "{{ item }}"
|
line: "{{ item }}"
|
||||||
state: present
|
state: present
|
||||||
loop: '{{ squid_whitelist_items }}'
|
loop: '{{ squid_whitelist_items }}'
|
||||||
|
|
|
@ -8,7 +8,7 @@ acl localhost src 127.0.0.0/32
|
||||||
acl INTERNE src {{ squid_address }}/32 127.0.0.0/8
|
acl INTERNE src {{ squid_address }}/32 127.0.0.0/8
|
||||||
acl Safe_ports port 80 # http
|
acl Safe_ports port 80 # http
|
||||||
acl SSL_ports port 443 563
|
acl SSL_ports port 443 563
|
||||||
acl WHITELIST url_regex "/etc/squid3/whitelist.conf"
|
acl WHITELIST url_regex "/etc/squid/whitelist.conf"
|
||||||
http_access deny !WHITELIST
|
http_access deny !WHITELIST
|
||||||
http_access allow INTERNE
|
http_access allow INTERNE
|
||||||
http_access deny all
|
http_access deny all
|
||||||
|
|
|
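Review bot: unrelated to the path change but visible in the context, `acl localhost src 127.0.0.0/32` matches only the address 127.0.0.0, not 127.0.0.1; if the acl is meant to match loopback it should be 127.0.0.1/32 (INTERNE already covers 127.0.0.0/8). The WHITELIST path in this template must stay in step with the `dest` in tasks/main.yml; a single `squid_config_dir` variable used by both would stop them drifting, and would have made this change a one-line edit.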
@ -1,9 +1,11 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
unbound_interfaces:
|
unbound_interfaces:
|
||||||
- '127.0.0.1'
|
- '127.0.0.1'
|
||||||
- '::1'
|
- '::1'
|
||||||
|
|
||||||
unbound_acls:
|
unbound_acls:
|
||||||
- '0.0.0.0/0 refuse'
|
- '0.0.0.0/0 refuse'
|
||||||
- '127.0.0.0/8 allow_snoop'
|
- '127.0.0.0/8 allow_snoop'
|
||||||
- '::0/0 refuse'
|
- '::0/0 refuse'
|
||||||
- '::1 allow_snoop'
|
- '::1 allow_snoop'
|
||||||
|
|
5
unbound/files/munin-plugin.conf
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
[unbound*]
|
||||||
|
user root
|
||||||
|
env.statefile /tmp/munin-unbound-state
|
||||||
|
env.unbound_conf /etc/unbound/unbound.conf
|
||||||
|
env.unbound_control /usr/sbin/unbound-control
|
|
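Review bot: `user root` combined with `env.statefile /tmp/munin-unbound-state` means a root-owned process writes to a predictable path in a world-writable directory, the classic symlink/pre-created-file problem; point statefile at munin's per-plugin state directory (`/var/lib/munin-node/plugin-state/`, exported to plugins as MUNIN_PLSTATE) or at another root-only directory. Also check whether the plugin needs root at all now that the control channel is a unix socket (`/run/unbound.ctl` in evolinux-reload.conf.j2): if the socket is readable by a dedicated user, the plugin can run unprivileged.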
@ -1,5 +1,15 @@
|
||||||
---
|
---
|
||||||
- name: reload unbound
|
- name: Restart unbound
|
||||||
|
ansible.builtin.service:
|
||||||
|
name: unbound
|
||||||
|
state: restarted
|
||||||
|
|
||||||
|
- name: Reload unbound
|
||||||
ansible.builtin.service:
|
ansible.builtin.service:
|
||||||
name: unbound
|
name: unbound
|
||||||
state: reloaded
|
state: reloaded
|
||||||
|
|
||||||
|
- name: Restart munin-node
|
||||||
|
ansible.builtin.service:
|
||||||
|
name: munin-node
|
||||||
|
state: restarted
|
||||||
|
|
|
@ -1,38 +1,73 @@
|
||||||
---
|
---
|
||||||
- name: Install Unbound package
|
- name: Install Unbound package
|
||||||
ansible.builtin.apt:
|
ansible.builtin.apt:
|
||||||
name: unbound
|
name:
|
||||||
|
- unbound
|
||||||
|
- unbound-anchor
|
||||||
|
- dns-root-data
|
||||||
state: present
|
state: present
|
||||||
when: ansible_distribution == "Debian"
|
|
||||||
tags:
|
tags:
|
||||||
- unbound
|
- unbound
|
||||||
|
|
||||||
- name: Retrieve list of root DNS servers
|
|
||||||
ansible.builtin.get_url:
|
|
||||||
url: https://www.internic.net/domain/named.cache
|
|
||||||
dest: /etc/unbound/root.hints
|
|
||||||
force: true
|
|
||||||
mode: "0644"
|
|
||||||
notify: reload unbound
|
|
||||||
tags:
|
|
||||||
- unbound
|
|
||||||
|
|
||||||
- name: Copy Unbound config
|
- name: Copy Unbound config
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: unbound.conf.j2
|
src: evolinux.conf.j2
|
||||||
dest: /etc/unbound/unbound.conf
|
dest: /etc/unbound/unbound.conf.d/evolinux.conf
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
when: ansible_distribution == "Debian"
|
notify: Reload unbound
|
||||||
notify: reload unbound
|
|
||||||
tags:
|
tags:
|
||||||
- unbound
|
- unbound
|
||||||
|
|
||||||
|
- name: Copy Unbound config for reloading (Debian 11 and older)
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: evolinux-reload.conf.j2
|
||||||
|
dest: /etc/unbound/unbound.conf.d/evolinux-reload.conf
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0644"
|
||||||
|
when:
|
||||||
|
- ansible_distribution_major_version is version('11', '<=')
|
||||||
|
notify: Restart unbound
|
||||||
|
tags:
|
||||||
|
- unbound
|
||||||
|
|
||||||
|
- name: Copy munin plugin config
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: munin-plugin.conf
|
||||||
|
dest: /etc/munin/plugin-conf.d/unbound
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0644"
|
||||||
|
tags:
|
||||||
|
- unbound
|
||||||
|
|
||||||
|
- name: Enable unbound munin plugin
|
||||||
|
ansible.builtin.file:
|
||||||
|
src: /usr/share/munin/plugins/unbound_munin_
|
||||||
|
dest: "/etc/munin/plugins/unbound_munin_{{ plugin_name }}"
|
||||||
|
state: link
|
||||||
|
loop:
|
||||||
|
- hits
|
||||||
|
- queue
|
||||||
|
- memory
|
||||||
|
- by_type
|
||||||
|
- by_class
|
||||||
|
- by_opcode
|
||||||
|
- by_rcode
|
||||||
|
- by_flags
|
||||||
|
- histogram
|
||||||
|
loop_control:
|
||||||
|
loop_var: plugin_name
|
||||||
|
notify: Restart munin-node
|
||||||
|
tags:
|
||||||
|
- unbound
|
||||||
|
|
||||||
- name: Starting and enabling Unbound
|
- name: Starting and enabling Unbound
|
||||||
ansible.builtin.service:
|
ansible.builtin.service:
|
||||||
name: unbound
|
name: unbound
|
||||||
enabled: yes
|
enabled: true
|
||||||
state: started
|
state: started
|
||||||
tags:
|
tags:
|
||||||
- unbound
|
- unbound
|
||||||
|
|
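Review bot: moving the managed config from /etc/unbound/unbound.conf to unbound.conf.d/evolinux.conf has no migration step: on a host previously managed by this role, the old templated unbound.conf (with its own `server:` block and `root-hints: "/etc/unbound/root.hints"`) stays in place, and nothing guarantees it still contains the include directive for unbound.conf.d/*.conf from the packaged file, so the new evolinux.conf may never be read and the stale /etc/unbound/root.hints is never removed. Add a task that restores the packaged unbound.conf (or asserts the include is present) and deletes root.hints. Two smaller points: "Copy munin plugin config" and "Enable unbound munin plugin" assume /etc/munin/plugin-conf.d and /etc/munin/plugins exist, so the role now fails on hosts without munin-node unless those tasks are guarded; and the dropped `when: ansible_distribution == "Debian"` guard is not mentioned in the "unbound: Big cleanup" changelog entry.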
7
unbound/templates/evolinux-reload.conf.j2
Normal file
|
@ -0,0 +1,7 @@
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
|
remote-control:
|
||||||
|
control-enable: yes
|
||||||
|
# by default the control interface is is 127.0.0.1 and ::1 and port 8953
|
||||||
|
# it is possible to use a unix socket too
|
||||||
|
control-interface: /run/unbound.ctl
|
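Review bot: the comment reads "the control interface is is 127.0.0.1" (doubled "is"). More importantly, nothing records why this drop-in is only installed on Debian <= 11; a one-line comment in the template stating the reason (presumably that the Debian 12 package already enables remote-control) would stop someone extending the `when` later. Enabling remote-control on a unix socket is the right choice over the TCP default; it keeps the control channel off the network and means the `Reload unbound` handler cannot be reached from anything but local processes.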
53
unbound/templates/evolinux.conf.j2
Normal file
|
@ -0,0 +1,53 @@
|
||||||
|
server:
|
||||||
|
#interface: X.X.X.X
|
||||||
|
#interface: 127.0.0.1@5353 # listen on alternative port
|
||||||
|
{% for interface in unbound_interfaces %}
|
||||||
|
interface: {{ interface }}
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
|
{% for acl in unbound_acls %}
|
||||||
|
access-control: {{ acl }}
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
|
hide-identity: yes
|
||||||
|
hide-version: yes
|
||||||
|
|
||||||
|
root-hints: "/usr/share/dns/root.hints"
|
||||||
|
|
||||||
|
# Uncomment to enable DNSSEC validation.
|
||||||
|
#auto-trust-anchor-file: "/etc/unbound/root.key"
|
||||||
|
|
||||||
|
# Enable extended stats for munin plugin
|
||||||
|
extended-statistics: yes
|
||||||
|
statistics-cumulative: no
|
||||||
|
statistics-interval: 0
|
||||||
|
|
||||||
|
|
||||||
|
# Serve zones authoritatively from Unbound to resolver clients.
|
||||||
|
# Not for external service.
|
||||||
|
|
||||||
|
#local-zone: "local." static
|
||||||
|
#local-data: "mycomputer.local. IN A 192.0.2.51"
|
||||||
|
#local-zone: "2.0.192.in-addr.arpa." static
|
||||||
|
#local-data-ptr: "192.0.2.51 mycomputer.local
|
||||||
|
# UDP EDNS reassembly buffer advertised to peers. Default 4096.
|
||||||
|
# May need lowering on broken networks with fragmentation/MTU issues,
|
||||||
|
# particularly if validating DNSSEC.
|
||||||
|
|
||||||
|
#edns-buffer-size: 1480
|
||||||
|
# Use TCP for "forward-zone" requests. Useful if you are making
|
||||||
|
# DNS requests over an SSH port forwarding.
|
||||||
|
#tcp-upstream: yes
|
||||||
|
|
||||||
|
|
||||||
|
# Use an upstream forwarder (recursive resolver) for specific zones.
|
||||||
|
# Example addresses given below are public resolvers valid as of 2014/03.
|
||||||
|
#
|
||||||
|
#forward-zone:
|
||||||
|
# name: "." # use for ALL queries
|
||||||
|
# forward-addr: 74.82.42.42 # he.net
|
||||||
|
# forward-addr: 2001:470:20::2 # he.net v6
|
||||||
|
# forward-addr: 8.8.8.8 # google.com
|
||||||
|
# forward-addr: 2001:4860:4860::8888 # google.com v6
|
||||||
|
# forward-addr: 208.67.222.222 # opendns.com
|
||||||
|
# forward-first: yes # try direct if forwarder fails
|
|
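Review bot: the new template carries over the stale parts of the file it replaces: the `#local-data-ptr: "192.0.2.51 mycomputer.local` example is missing its closing quote, the forwarder examples are labelled "valid as of 2014/03", and "Uncomment to enable DNSSEC validation" is misleading now that the role installs unbound-anchor and dns-root-data; check whether the packaged drop-in already sets `auto-trust-anchor-file`, and if so change the comment to say validation is already on and this line must not be uncommented a second time. Trimming the commented examples to what the role actually supports is simpler than maintaining them. Keeping `hide-identity`/`hide-version` and the refuse-by-default ACLs from defaults/main.yml is the right baseline.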
@ -1,45 +0,0 @@
|
||||||
server:
|
|
||||||
#interface: X.X.X.X
|
|
||||||
#interface: 127.0.0.1@5353 # listen on alternative port
|
|
||||||
{% for interface in unbound_interfaces %}
|
|
||||||
interface: {{ interface }}
|
|
||||||
{% endfor %}
|
|
||||||
#do-ip6: no
|
|
||||||
|
|
||||||
{% for acl in unbound_acls %}
|
|
||||||
access-control: {{ acl }}
|
|
||||||
{% endfor %}
|
|
||||||
|
|
||||||
hide-identity: yes
|
|
||||||
hide-version: yes
|
|
||||||
|
|
||||||
root-hints: "/etc/unbound/root.hints"
|
|
||||||
# Uncomment to enable DNSSEC validation.
|
|
||||||
#auto-trust-anchor-file: "/etc/unbound/root.key"
|
|
||||||
# Serve zones authoritatively from Unbound to resolver clients.
|
|
||||||
# Not for external service.
|
|
||||||
|
|
||||||
#local-zone: "local." static
|
|
||||||
#local-data: "mycomputer.local. IN A 192.0.2.51"
|
|
||||||
#local-zone: "2.0.192.in-addr.arpa." static
|
|
||||||
#local-data-ptr: "192.0.2.51 mycomputer.local
|
|
||||||
# UDP EDNS reassembly buffer advertised to peers. Default 4096.
|
|
||||||
# May need lowering on broken networks with fragmentation/MTU issues,
|
|
||||||
# particularly if validating DNSSEC.
|
|
||||||
|
|
||||||
#edns-buffer-size: 1480
|
|
||||||
# Use TCP for "forward-zone" requests. Useful if you are making
|
|
||||||
# DNS requests over an SSH port forwarding.
|
|
||||||
#tcp-upstream: yes
|
|
||||||
|
|
||||||
# Use an upstream forwarder (recursive resolver) for specific zones.
|
|
||||||
# Example addresses given below are public resolvers valid as of 2014/03.
|
|
||||||
#
|
|
||||||
#forward-zone:
|
|
||||||
# name: "." # use for ALL queries
|
|
||||||
# forward-addr: 74.82.42.42 # he.net
|
|
||||||
# forward-addr: 2001:470:20::2 # he.net v6
|
|
||||||
# forward-addr: 8.8.8.8 # google.com
|
|
||||||
# forward-addr: 2001:4860:4860::8888 # google.com v6
|
|
||||||
# forward-addr: 208.67.222.222 # opendns.com
|
|
||||||
# forward-first: yes # try direct if forwarder fails
|
|
|
@ -4,10 +4,27 @@
|
||||||
ansible.builtin.include_role:
|
ansible.builtin.include_role:
|
||||||
name: evolix/remount-usr
|
name: evolix/remount-usr
|
||||||
|
|
||||||
|
- name: Get evoadmin-mail package
|
||||||
|
ansible.builtin.get_url:
|
||||||
|
url: https://pub.evolix.org/evolix/pool/main/e/evoadmin-mail/evoadmin-mail_1.0.9-1_all.deb
|
||||||
|
dest: /tmp/evoadmin-mail.deb
|
||||||
|
when: ansible_distribution_major_version is version('12', '<')
|
||||||
|
tags:
|
||||||
|
- evoadmin-mail
|
||||||
|
|
||||||
- name: Install evoadmin-mail package
|
- name: Install evoadmin-mail package
|
||||||
ansible.builtin.apt:
|
ansible.builtin.apt:
|
||||||
deb: /tmp/evoadmin-mail.deb
|
deb: /tmp/evoadmin-mail.deb
|
||||||
state: present
|
state: present
|
||||||
|
when: ansible_distribution_major_version is version('12', '<')
|
||||||
|
tags:
|
||||||
|
- evoadmin-mail
|
||||||
|
|
||||||
|
- name: Install evoadmin-mail package
|
||||||
|
ansible.builtin.apt:
|
||||||
|
name: evoadmin-mail
|
||||||
|
state: present
|
||||||
|
when: ansible_distribution_major_version is version('12', '>=')
|
||||||
tags:
|
tags:
|
||||||
- evoadmin-mail
|
- evoadmin-mail
|
||||||
|
|
||||||
|
|
|
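Review bot: the Debian < 12 path downloads a .deb over HTTPS and installs it with no integrity check; `ansible.builtin.get_url` accepts `checksum: sha256:<digest>`, and pinning the digest of evoadmin-mail_1.0.9-1_all.deb here turns transport-only trust into something a reviewer can verify. `/tmp/evoadmin-mail.deb` is also a fixed, world-writable-directory path; download to a root-owned directory or use `ansible.builtin.tempfile`. Two tasks now share the name "Install evoadmin-mail package"; give the second one a distinguishing suffix such as "(from Evolix repository)". Finally, the >= 12 branch depends on the apt role having configured the Evolix repository (`apt_install_evolix_public` in this diff); an `ansible.builtin.assert` on that variable or a meta dependency would make the coupling explicit instead of surfacing as an apt "package not found" failure.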
@ -17,3 +17,5 @@ nextcloud_db_name: "{{ nextcloud_instance_name }}"
|
||||||
|
|
||||||
nextcloud_admin_login: "admin"
|
nextcloud_admin_login: "admin"
|
||||||
nextcloud_admin_password: ""
|
nextcloud_admin_password: ""
|
||||||
|
|
||||||
|
nextcloud_do_config: True
|
||||||
|
|
|
@ -54,3 +54,4 @@
|
||||||
- ansible.builtin.include: mysql-user.yml
|
- ansible.builtin.include: mysql-user.yml
|
||||||
|
|
||||||
- ansible.builtin.include: config.yml
|
- ansible.builtin.include: config.yml
|
||||||
|
when: nextcloud_do_config
|
||||||
|
|
|
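Review bot: `when: nextcloud_do_config` should be `when: nextcloud_do_config | bool` so that a value passed from the inventory or via `-e nextcloud_do_config=false` (which arrives as the string "false", truthy in Jinja) does not run the config tasks anyway; the rest of this diff uses `| bool` consistently (apt_install_evolix_public, apt_install_extended_lts, apt_upgrade).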
@ -43,7 +43,14 @@
|
||||||
- name: Mount up Ceph volume by UUID
|
- name: Mount up Ceph volume by UUID
|
||||||
ansible.posix.mount:
|
ansible.posix.mount:
|
||||||
path: "{{ nextcloud_data }}"
|
path: "{{ nextcloud_data }}"
|
||||||
src: "{{ nextcloud_data_uuid }}"
|
src: "UUID={{ nextcloud_data_uuid }}"
|
||||||
fstype: ext4
|
fstype: ext4
|
||||||
opts: defaults,noexec,nosuid,nodev,relatime,lazytime
|
opts: defaults,noexec,nosuid,nodev,relatime,lazytime
|
||||||
state: present
|
state: mounted
|
||||||
|
|
||||||
|
- name: Set volume's root permissions and ownership
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: "{{ nextcloud_data }}"
|
||||||
|
owner: "{{ nextcloud_user }}"
|
||||||
|
group: "{{ nextcloud_user }}"
|
||||||
|
mode: "0700"
|
||||||
|
|
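Review bot: two behaviour changes are bundled with the `UUID=` fix: `state: present` → `state: mounted` means the volume is now mounted during the run instead of only being written to fstab, and the new `mode: "0700"` on the data directory root means only `nextcloud_user` can traverse it, so the PHP-FPM pool serving Nextcloud must run as that user or the application loses access to its data directory. State both in the changelog entry ("Set ownership and permissions of data directory"), and condition the permissions task on the mount task (or on `nextcloud_data_uuid` being defined) so it does not chmod the underlying directory of the root filesystem when no volume is mounted.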