webapps/evoadmin-mail: package can now installed via public.evolix.org/evolix repo starting from Bookworm #172
25
CHANGELOG.md
25
CHANGELOG.md
|
@ -14,26 +14,49 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
### Added
|
||||
|
||||
* Preliminary work for php83
|
||||
* apt: add task file to install ELTS repository (default: False)
|
||||
* lxc-php: Allow one to install php83 on Bookworm container
|
||||
* nagios-nrpe: add check_sentinel for monitoring Redis Sentinel
|
||||
* webapps/nextcloud: Added var nextcloud_user_uid to enforce uid for nextcloud user
|
||||
* etc-git: add /var/chroot-bind/etc/bind repo
|
||||
* webapps/evoadmin-mail: package can now installed via public.evolix.org/evolix repo starting from Bookworm
|
||||
* webapps/nextcloud: Set ownership and permissions of data directory
|
||||
* webapps/nextcloud: Add condition for config tasks
|
||||
* remount-usr: do not try to remount /usr RW if /usr is not a mounted partition
|
||||
* minifirewall: Fix nagios check for old versions of minifirewall
|
||||
* webapps/evoadmin-mail: package can now installed via public.evolix.org/evolix repo starting from Bookworm
|
||||
* webapps/nextcloud: Set ownership and permissions of data directory
|
||||
* webapps/nextcloud: Add condition for config tasks
|
||||
* remount-usr: do not try to remount /usr RW if /usr is not a mounted partition
|
||||
|
||||
### Changed
|
||||
|
||||
* add-vm.sh: allow VM name max length > 20
|
||||
* apache : fix goaway pattern for bad bots
|
||||
* apache : rename MaxRequestsPerChild to MaxConnectionsPerChild (new name)
|
||||
* apache: use backward compatible Redirect directive
|
||||
* apt: Disable archive repository for Debian 8
|
||||
* apt: Use the GPG version of the key for Debian 8-9
|
||||
* bind: Update role for Buster, Bullseye and Bookworm support
|
||||
* dovecot: Munin plugin conf path is now `/etc/munin/plugin-conf.d/zzz-dovecot` (instead of `z-evolinux-dovecot`)
|
||||
* evocheck: upstream release 23.11.1
|
||||
* evolinux-base: dump-server-state upstream release 23.11
|
||||
* evolinux-base: use separate default config file for rsyslog
|
||||
* kvmstats: use .capacity instead of .physical for disk size
|
||||
* log2mail: move custom config in separate file
|
||||
* lxc: init /etc git repository in lxc container
|
||||
* mysql: disable performance schema for Debian 8
|
||||
* nagios: rename var `nagios_nrpe_process_processes` into `nagios_nrpe_processes` and check systemd-timesyncd instead of ntpd in Debian 12
|
||||
* proftpd: in SFTP vhost, enable SSH keys login, enable ed25549 host key for Debian >= 11
|
||||
* squid: config directory seems to have changed from /etc/squid3 to /etc/squid in Debian 8
|
||||
* unbound: Add config file to allow configuration reload on Debian 11 and lower
|
||||
* unbound: Add munin configuration & setup plugin
|
||||
* unbound: Big cleanup
|
||||
* unbound: Move generated config file to `/etc/unbound/unbound.conf.d/evolinux.conf`
|
||||
* unbound: Use root hints provided by debian package dns-root-data instead of downloading them
|
||||
* vrrpd: variable to force update the switch script (default: false)
|
||||
* dovecot: Munin plugin conf path is now `/etc/munin/plugin-conf.d/zzz-dovecot` (instead of `z-evolinux-dovecot`)
|
||||
* webapps/nextcloud: Add Ceph volume to fstab
|
||||
|
||||
### Fixed
|
||||
|
||||
|
@ -52,7 +75,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
* certbot: fix hook for dovecot when more than one certificate is used (eg. different certificates for POP3 and IMAP)
|
||||
* evolinux-base: start to install linux-image-cloud-amd64 with Buster
|
||||
* apt: use archive.debian.org with Stretch
|
||||
|
||||
* webapps/nextcloud: fix Add Ceph volume to fstab : missing UUID= in src
|
||||
|
||||
### Removed
|
||||
|
||||
|
|
|
@ -48,17 +48,17 @@ MaxKeepAliveRequests 10
|
|||
<DirectoryMatch "/\.git">
|
||||
# We don't want to let the client know a file exist on the server,
|
||||
# so we return 404 "Not found" instead of 403 "Forbidden".
|
||||
Redirect 404
|
||||
Redirect 404 "-"
|
||||
</DirectoryMatch>
|
||||
|
||||
# File names starting with
|
||||
<FilesMatch "^\.(git|env)">
|
||||
Redirect 404
|
||||
Redirect 404 "-"
|
||||
</FilesMatch>
|
||||
|
||||
# File names ending with
|
||||
<FilesMatch "\.(inc|bak)$">
|
||||
Redirect 404
|
||||
Redirect 404 "-"
|
||||
</FilesMatch>
|
||||
|
||||
<LocationMatch "^/evolinux_fpm_status-.*">
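Review bot: The reason for the literal `"-"` in the three new `Redirect 404 "-"` lines is not self-evident from the config; the changelog calls the form backward compatible, so a comment above the first occurrence naming the Apache version that rejects the bare `Redirect 404` would stop the next maintainer from "simplifying" it back, e.g. `# "-" keeps the directive valid on Apache versions that still require a URL-path argument`. I have not verified what `-` is taken to mean as a URL-path on those versions, so please confirm the wording against the Apache release actually deployed before committing the comment.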
|
||||
|
|
|
@ -14,6 +14,7 @@ apt_install_backports: False
|
|||
apt_backports_components: "main"
|
||||
|
||||
apt_install_evolix_public: True
|
||||
apt_install_extended_lts: False
|
||||
|
||||
apt_clean_gandi_sourceslist: False
|
||||
|
||||
|
@ -28,4 +29,4 @@ apt_check_hold_cron_weekday: "*"
|
|||
apt_check_hold_cron_day: "*"
|
||||
apt_check_hold_cron_month: "*"
|
||||
|
||||
apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
|
||||
apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
|
||||
|
|
BIN
apt/files/freexian-archive-extended-lts.gpg
Normal file
BIN
apt/files/freexian-archive-extended-lts.gpg
Normal file
Binary file not shown.
|
@ -24,10 +24,16 @@
|
|||
owner: root
|
||||
group: root
|
||||
|
||||
- name: Set Evolix GPG key format to ASC
|
||||
set_fact:
|
||||
apt_evolix_public_key: "{{ apt_keyring_dir }}/pub_evolix.asc"
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: Add Evolix GPG key
|
||||
ansible.builtin.copy:
|
||||
src: pub_evolix.asc
|
||||
dest: "{{ apt_keyring_dir }}/pub_evolix.asc"
|
||||
dest: "{{ apt_evolix_public_key }}"
|
||||
force: true
|
||||
mode: "0644"
|
||||
owner: root
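Review bot: The same fact `apt_evolix_public_key` is given two different shapes in this commit: here it is set to a full path (`{{ apt_keyring_dir }}/pub_evolix.asc`), while the second `evolix_public` tasks hunk below sets it to a bare filename (`pub_evolix.gpg` / `pub_evolix.asc`) and `evolix_public.list.j2` then renders `signed-by={{ apt_keyring_dir }}/{{ apt_evolix_public_key }}`. If the full-path variant is ever in scope when that template is rendered, the `signed-by=` path is doubled and apt rejects the repository as unsigned; I cannot see from the diff which template each task file pairs with, so either use two fact names (`apt_evolix_public_key_file` vs `apt_evolix_public_key_path`) or keep the fact a bare filename everywhere and build the path at the point of use. The Debian < 9 branch copies `src: pub_evolix.gpg` from the role's files, but the only binary added by this commit is `freexian-archive-extended-lts.gpg`; confirm `files/pub_evolix.gpg` already exists.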
|
||||
|
|
|
@ -24,10 +24,26 @@
|
|||
owner: root
|
||||
group: root
|
||||
|
||||
- name: Set Evolix GPG key format to GPG (Debian < 9)
|
||||
set_fact:
|
||||
apt_evolix_public_key: "pub_evolix.gpg"
|
||||
when:
|
||||
- ansible_distribution_major_version is version('9', '<')
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: Set Evolix GPG key format to ASC (Debian >= 9)
|
||||
set_fact:
|
||||
apt_evolix_public_key: "pub_evolix.asc"
|
||||
when:
|
||||
- ansible_distribution_major_version is version('9', '>=')
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: Add Evolix GPG key
|
||||
ansible.builtin.copy:
|
||||
src: pub_evolix.asc
|
||||
dest: "{{ apt_keyring_dir }}/pub_evolix.asc"
|
||||
src: "{{ apt_evolix_public_key }}"
|
||||
dest: "{{ apt_keyring_dir }}/{{ apt_evolix_public_key }}"
|
||||
force: true
|
||||
mode: "0644"
|
||||
owner: root
|
||||
|
|
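--- a/apt/tasks/extended-lts.oneline.yml.yml
+++ b/apt/tasks/extended-lts.oneline.yml.yml
@@ -0,0 +1,37 @@
+---
+
+- name: "Ensure {{ apt_keyring_dir }} directory exists"
+file:
+path: "{{ apt_keyring_dir }}"
+state: directory
+mode: "755"
+owner: root
+group: root
+
+- name: Add Evolix GPG key
+ansible.builtin.copy:
+src: "freexian-archive-extended-lts.gpg"
+dest: "{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"
+force: true
+mode: "0644"
+owner: root
+group: root
+tags:
+- apt
+
+- name: ELTS list is installed
+ansible.builtin.template:
+src: "{{ ansible_distribution_release }}_extended-lts.list.j2"
+dest: /etc/apt/sources.list.d/extended-lts.list
+force: true
+mode: "0640"
+register: apt_extended_lts
+tags:
+- apt
+
+- name: Apt update
+ansible.builtin.apt:
+update_cache: yes
+tags:
+- apt
+when: apt_extended_lts is changed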
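Review bot: The Freexian key is copied into `{{ apt_keyring_dir }}`, which per the defaults hunk above resolves to `/etc/apt/trusted.gpg.d` on Debian < 12, and `apt/tasks/main.yml` only imports this file on Debian < 10; on every host it runs on, the key therefore lands in the globally trusted keyring and the `signed-by=` scoping written into the two ELTS list templates is moot, since a key in `trusted.gpg.d` can sign any configured source. Dropping it into a directory that is only referenced via `signed-by` (e.g. `/usr/share/keyrings`, or `/etc/apt/keyrings` as already used for Bookworm) limits it to the ELTS repository, assuming the apt on jessie/stretch honours `signed-by` at all — that is worth confirming, since I believe the option postdates jessie's apt. The second task is named `Add Evolix GPG key` but installs the Freexian ELTS key; `Add Freexian ELTS GPG key` avoids confusion with the task of the same name in `evolix_public`. Minor: `mode: "755"` and `update_cache: yes` differ from the `"0644"` / `true` style used elsewhere in the role.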
|
@ -80,6 +80,14 @@
|
|||
- apt_install_evolix_public | bool
|
||||
- ansible_distribution_major_version is version('12', '>=')
|
||||
|
||||
- name: Install Extended-LTS repositories (Debian < 10)
|
||||
ansible.builtin.import_tasks: extended-lts.oneline.yml.yml
|
||||
tags:
|
||||
- apt
|
||||
when:
|
||||
- apt_install_extended_lts | bool
|
||||
- ansible_distribution_major_version is version('10', '<')
|
||||
|
||||
- name: Clean GANDI sources
|
||||
ansible.builtin.file:
|
||||
path: '{{ item }}'
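Review bot: The imported file name `extended-lts.oneline.yml.yml` carries a doubled extension; presumably `extended-lts.oneline.yml` was intended, and since the new file is created under the doubled name both would need renaming together. The `when` admits any Debian < 10, but the task file's `src: "{{ ansible_distribution_release }}_extended-lts.list.j2"` only has jessie and stretch templates, so any other release would fail with an opaque missing-template error; adding `- ansible_distribution_release in ['jessie', 'stretch']` to the condition makes the supported set explicit.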
|
||||
|
@ -126,4 +134,4 @@
|
|||
upgrade: dist
|
||||
when: apt_upgrade | bool
|
||||
tags:
|
||||
- apt
|
||||
- apt
|
||||
|
|
|
@ -1,3 +1,3 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix {{ ansible_distribution_release }} main
|
||||
deb [signed-by={{ apt_keyring_dir }}/{{ apt_evolix_public_key }}] http://pub.evolix.org/evolix {{ ansible_distribution_release }} main
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
deb http://archive.org/debian jessie {{ apt_basics_components | mandatory }}
|
||||
deb http://archive.debian.org/debian-security jessie/updates {{ apt_basics_components | mandatory }}
|
||||
### Those repositories are unusable. Move to ELTS (manually).
|
||||
# deb http://archive.debian.org/debian jessie {{ apt_basics_components | mandatory }}
|
||||
# deb http://archive.debian.org/debian-security jessie/updates {{ apt_basics_components | mandatory }}
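Review bot: The `### Those repositories are unusable. Move to ELTS (manually).` comment now sits next to an automated option added by this same commit, and pointing the operator at it saves a search: `### Those repositories are unusable. Set apt_install_extended_lts: true to get ELTS (see tasks/extended-lts.oneline.yml.yml).` With both `deb` lines commented, the jessie template renders only the managed header, which is presumably the intent but deserves one more comment line saying so.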
|
||||
|
|
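--- a/apt/templates/jessie_extended-lts.list.j2
+++ b/apt/templates/jessie_extended-lts.list.j2
@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+
+deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts jessie main
+deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts jessie-lts main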
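Review bot: The `signed-by` value is written inside double quotes (`signed-by="…"`) here and in `stretch_extended-lts.list.j2`, while `evolix_public.list.j2` in this same commit writes it bare; I am not certain apt's one-line sources parser strips those quotes, and if it does not the keyring lookup fails and the repository is treated as unsigned, so verify on a jessie host and align the two templates on one style. Whether jessie's apt recognises the `signed-by` option at all is worth confirming at the same time.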
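--- a/apt/templates/stretch_extended-lts.list.j2
+++ b/apt/templates/stretch_extended-lts.list.j2
@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+
+deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts stretch main
+deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts stretch-lts main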
|
@ -14,6 +14,8 @@ galaxy_info:
|
|||
- jessie
|
||||
- stretch
|
||||
- buster
|
||||
- bullseye
|
||||
- bookworm
|
||||
|
||||
galaxy_tags: []
|
||||
# Be sure to remove the '[]' above if you add dependencies
|
||||
|
|
|
@ -14,11 +14,16 @@
|
|||
path: /etc/munin/plugins/dovecot
|
||||
state: absent
|
||||
|
||||
- name: Remove dovecot plugin conf
|
||||
- name: Remove old dovecot plugin conf
|
||||
ansible.builtin.file:
|
||||
path: /etc/munin/plugin-conf.d/dovecot
|
||||
state: absent
|
||||
|
||||
- name: Remove old dovecot plugin conf
|
||||
ansible.builtin.file:
|
||||
path: /etc/munin/plugin-conf.d/z-evolinux-dovecot
|
||||
state: absent
|
||||
|
||||
- name: "Remount /usr if needed"
|
||||
ansible.builtin.include_role:
|
||||
name: remount-usr
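Review bot: After this hunk two tasks carry the identical name `Remove old dovecot plugin conf` (the renamed one removing `/etc/munin/plugin-conf.d/dovecot` and the new one removing `z-evolinux-dovecot`), which makes play output and `--start-at-task` ambiguous; name them by the file they remove, e.g. `Remove old dovecot plugin conf (dovecot)` and `Remove old dovecot plugin conf (z-evolinux-dovecot)`. Neither removal notifies `restart munin-node` while the copy to `zzz-dovecot` in the second hunk does, so on a host where the copy already happened in an earlier run, deleting the stale `z-evolinux-dovecot` changes the effective plugin config without a restart; adding `notify: restart munin-node` to the new removal task closes that gap.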
|
||||
|
@ -47,7 +52,7 @@
|
|||
- name: Copy Munin config
|
||||
ansible.builtin.copy:
|
||||
src: z-evolinux-dovecot.conf
|
||||
dest: /etc/munin/plugin-conf.d/z-evolinux-dovecot
|
||||
dest: /etc/munin/plugin-conf.d/zzz-dovecot
|
||||
mode: '0644'
|
||||
notify: restart munin-node
|
||||
|
||||
|
|
|
@ -87,7 +87,7 @@ main() {
|
|||
append_details "configuration is up-to-date"
|
||||
summary_ok "minifirewall is started and configuration is up-to-date"
|
||||
else
|
||||
if echo "${check_result}" | grep --quiet --regexp 'usage'; then
|
||||
if echo "${check_result}" | grep --ignore-case --quiet --regexp 'usage'; then
|
||||
append_details "minifirewall is too old to check active configuration"
|
||||
else
|
||||
case "${check_rc}" in
|
||||
|
|
|
@ -59,5 +59,5 @@ mysql_binlog_format: mixed
|
|||
mysql_server_id: null
|
||||
mysql_bind_address: null
|
||||
mysql_repl_password: ''
|
||||
mysql_read_only: 0
|
||||
mysql_read_only: False
|
||||
|
||||
|
|
|
@ -2,6 +2,7 @@
|
|||
|
||||
- ansible.builtin.set_fact:
|
||||
mysql_config_directory: /etc/mysql/conf.d
|
||||
mysql_performance_schema: False
|
||||
|
||||
- name: "Copy MySQL defaults config file (jessie)"
|
||||
ansible.builtin.copy:
|
||||
|
|
|
@ -38,7 +38,7 @@ lower_case_table_names = {{ mysql_lower_case_table_names }}
|
|||
{% if mysql_innodb_log_file_size %}
|
||||
innodb_log_file_size = {{ mysql_innodb_log_file_size }}
|
||||
{% endif %}
|
||||
read_only = {{ mysql_read_only }}
|
||||
read_only = {{ mysql_read_only | bool | ternary('1','0') }}
|
||||
{% if mysql_performance_schema %}
|
||||
performance_schema = ON
|
||||
performance-schema-instrument='stage/%=ON'
|
||||
|
|
|
@ -1,17 +1,28 @@
|
|||
---
|
||||
# findmnt returns 0 on hit, 1 on miss
|
||||
# If the return code is higher than 1, it's a blocking failure
|
||||
|
||||
- name: "check if /usr is a mountpoint"
|
||||
ansible.builtin.shell: "findmnt -n /usr &> /dev/null"
|
||||
register: usr_mount_exists
|
||||
failed_when: False
|
||||
check_mode: False
|
||||
changed_when: False
|
||||
|
||||
- name: "check if /usr is a read-only partition"
|
||||
ansible.builtin.command:
|
||||
cmd: 'findmnt /usr --noheadings --options ro'
|
||||
register: usr_partition
|
||||
when: usr_mount_exists.rc == 0
|
||||
changed_when: False
|
||||
failed_when: usr_partition.rc > 1
|
||||
check_mode: no
|
||||
register: usr_partition
|
||||
check_mode: False
|
||||
|
||||
- name: "mount /usr in rw"
|
||||
ansible.builtin.command:
|
||||
cmd: 'mount -o remount,rw /usr'
|
||||
changed_when: False
|
||||
when: usr_partition.rc == 0
|
||||
when:
|
||||
- usr_mount_exists.rc == 0
|
||||
- usr_partition.rc == 0
|
||||
notify: remount usr
|
||||
changed_when: False
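Review bot: `ansible.builtin.shell: "findmnt -n /usr &> /dev/null"` runs under `/bin/sh`, which on Debian is dash, and dash parses `&>` as `&` (run findmnt in the background) followed by a bare `> /dev/null`; `usr_mount_exists.rc` is then the exit status of that empty redirection, i.e. 0 whether or not `/usr` is a mountpoint, so the new guard never skips anything and the `failed_when: False` never fires. Since the output is discarded anyway, the task needs no shell: `ansible.builtin.command: findmnt -n /usr` with the same `register`/`failed_when`/`changed_when`/`check_mode` lines does the job; if a redirect is really wanted, the portable spelling is `> /dev/null 2>&1`. The `when` list on "mount /usr in rw" is fine as written because Ansible stops at the first false condition, so `usr_partition.rc` is not evaluated when the first check was skipped.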
|
||||
|
|
|
@ -3,3 +3,8 @@
|
|||
ansible.builtin.service:
|
||||
name: spamassassin
|
||||
state: restarted
|
||||
|
||||
- name: restart spamd
|
||||
ansible.builtin.service:
|
||||
name: spamd
|
||||
state: restarted
|
||||
|
|
|
@ -4,6 +4,16 @@
|
|||
name:
|
||||
- spamassassin
|
||||
state: present
|
||||
when: ansible_distribution_major_version is version('12', '<')
|
||||
tags:
|
||||
- spamassassin
|
||||
|
||||
- name: install spamd
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- spamd
|
||||
state: present
|
||||
when: ansible_distribution_major_version is version('12', '>=')
|
||||
tags:
|
||||
- spamassassin
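Review bot: The spamd tasks added here and in the configure/enable/service hunks further down are line-for-line copies of the spamassassin ones, differing only in the package/service name and the inverted `when`; keeping the two sets in step is the maintenance risk. One fact such as `spamassassin_service: "{{ (ansible_distribution_major_version is version('12', '>=')) | ternary('spamd', 'spamassassin') }}"` would let a single task per step use `name: "{{ spamassassin_service }}"` and `notify: "restart {{ spamassassin_service }}"` (notify is templated and both handlers exist), with only the `ENABLED=1` replace keeping its Debian < 12 guard. The handlers use `ansible.builtin.service` while the new enable task uses `ansible.builtin.systemd`; pick one module for the role.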
|
||||
|
||||
|
@ -13,6 +23,17 @@
|
|||
dest: /etc/spamassassin/local_evolix.cf
|
||||
mode: "0644"
|
||||
notify: restart spamassassin
|
||||
when: ansible_distribution_major_version is version('12', '<')
|
||||
tags:
|
||||
- spamassassin
|
||||
|
||||
- name: configure spamd
|
||||
ansible.builtin.copy:
|
||||
src: spamassassin.cf
|
||||
dest: /etc/spamassassin/local_evolix.cf
|
||||
mode: "0644"
|
||||
notify: restart spamd
|
||||
when: ansible_distribution_major_version is version('12', '>=')
|
||||
tags:
|
||||
- spamassassin
|
||||
|
||||
|
@ -22,6 +43,7 @@
|
|||
regexp: 'ENABLED=0'
|
||||
replace: 'ENABLED=1'
|
||||
notify: restart spamassassin
|
||||
when: ansible_distribution_major_version is version('12', '<')
|
||||
tags:
|
||||
- spamassassin
|
||||
|
||||
|
@ -97,5 +119,15 @@
|
|||
name: spamassassin
|
||||
state: started
|
||||
enabled: True
|
||||
when: ansible_distribution_major_version is version('12', '<')
|
||||
tags:
|
||||
- spamassassin
|
||||
|
||||
- name: ensure spamd is started and enabled
|
||||
ansible.builtin.systemd:
|
||||
name: spamd
|
||||
state: started
|
||||
enabled: True
|
||||
when: ansible_distribution_major_version is version('12', '>=')
|
||||
tags:
|
||||
- spamassassin
|
||||
|
|
|
@ -6,7 +6,7 @@ Installation and configuration of Squid
|
|||
|
||||
Everything is in the `tasks/main.yml` file.
|
||||
|
||||
A blank file is created at `/etc/squid3/whitelist-custom.conf` to add addresses in the whitelist.
|
||||
A blank file is created at `/etc/squid/whitelist-custom.conf` to add addresses in the whitelist.
|
||||
|
||||
## Available variables
|
||||
|
||||
|
|
|
@ -38,14 +38,14 @@
|
|||
- name: "squid.conf is present (jessie)"
|
||||
ansible.builtin.template:
|
||||
src: squid.conf.j2
|
||||
dest: /etc/squid3/squid.conf
|
||||
dest: /etc/squid/squid.conf
|
||||
notify: "restart squid3"
|
||||
when: ansible_distribution_release == "jessie"
|
||||
|
||||
- name: "evolix whitelist is present (jessie)"
|
||||
ansible.builtin.copy:
|
||||
src: whitelist-evolinux.conf
|
||||
dest: /etc/squid3/whitelist.conf
|
||||
dest: /etc/squid/whitelist.conf
|
||||
force: false
|
||||
notify: "reload squid3"
|
||||
when: ansible_distribution_release == "jessie"
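Review bot: The jessie tasks now write to `/etc/squid/…` but still notify `restart squid3` / `reload squid3` and keep their `(jessie)` names, and the changelog entry for this change says the directory "seems" to have moved, which reads as though the service name on Debian 8 was not checked at the same time. Confirm on a jessie host whether the unit is `squid` or `squid3`; if it is `squid`, the handlers restart a unit that does not exist and the new config is never picked up. The same path change recurs in the whitelist hunk and in `squid.conf.j2` below, so whatever is decided should be applied to all three.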
|
||||
|
@ -135,7 +135,7 @@
|
|||
- name: add some URL in whitelist (Debian 8)
|
||||
ansible.builtin.lineinfile:
|
||||
insertafter: EOF
|
||||
dest: /etc/squid3/whitelist.conf
|
||||
dest: /etc/squid/whitelist.conf
|
||||
line: "{{ item }}"
|
||||
state: present
|
||||
loop: '{{ squid_whitelist_items }}'
|
||||
|
|
|
@ -8,7 +8,7 @@ acl localhost src 127.0.0.0/32
|
|||
acl INTERNE src {{ squid_address }}/32 127.0.0.0/8
|
||||
acl Safe_ports port 80 # http
|
||||
acl SSL_ports port 443 563
|
||||
acl WHITELIST url_regex "/etc/squid3/whitelist.conf"
|
||||
acl WHITELIST url_regex "/etc/squid/whitelist.conf"
|
||||
http_access deny !WHITELIST
|
||||
http_access allow INTERNE
|
||||
http_access deny all
|
||||
|
|
|
@ -1,9 +1,11 @@
|
|||
---
|
||||
|
||||
unbound_interfaces:
|
||||
- '127.0.0.1'
|
||||
- '::1'
|
||||
- '127.0.0.1'
|
||||
- '::1'
|
||||
|
||||
unbound_acls:
|
||||
- '0.0.0.0/0 refuse'
|
||||
- '127.0.0.0/8 allow_snoop'
|
||||
- '::0/0 refuse'
|
||||
- '::1 allow_snoop'
|
||||
- '0.0.0.0/0 refuse'
|
||||
- '127.0.0.0/8 allow_snoop'
|
||||
- '::0/0 refuse'
|
||||
- '::1 allow_snoop'
|
||||
|
|
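--- a/unbound/files/munin-plugin.conf
+++ b/unbound/files/munin-plugin.conf
@@ -0,0 +1,5 @@
+[unbound*]
+user root
+env.statefile /tmp/munin-unbound-state
+env.unbound_conf /etc/unbound/unbound.conf
+env.unbound_control /usr/sbin/unbound-control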
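Review bot: `env.statefile /tmp/munin-unbound-state` has a plugin that runs as root (`user root`) write to a fixed, predictable path in a world-writable directory, which is the classic symlink/TOCTOU exposure: any local user can pre-create that name. Point it at a directory only the plugin's user can write, such as munin's plugin-state directory (`/var/lib/munin-node/plugin-state/` on Debian — confirm on the targets), e.g. `env.statefile /var/lib/munin-node/plugin-state/unbound-state`. `user root` is presumably needed only to reach the `unbound-control` socket; a one-line comment saying so would tell the next reader whether a less privileged user is an option.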
|
@ -1,5 +1,15 @@
|
|||
---
|
||||
- name: reload unbound
|
||||
- name: Restart unbound
|
||||
ansible.builtin.service:
|
||||
name: unbound
|
||||
state: restarted
|
||||
|
||||
- name: Reload unbound
|
||||
ansible.builtin.service:
|
||||
name: unbound
|
||||
state: reloaded
|
||||
|
||||
- name: Restart munin-node
|
||||
ansible.builtin.service:
|
||||
name: munin-node
|
||||
state: restarted
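Review bot: Renaming the handler from `reload unbound` to `Reload unbound` changes its identity — `notify` matching is exact and case-sensitive — so any task outside this commit that still uses `notify: reload unbound` will fail at parse time with an unknown-handler error. The tasks hunk of this role is updated, but other roles or playbooks notifying it are not visible here; adding `listen: reload unbound` to the new `Reload unbound` handler keeps the old name working as an alias while the rename settles.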
|
||||
|
|
|
@ -1,38 +1,73 @@
|
|||
---
|
||||
- name: Install Unbound package
|
||||
ansible.builtin.apt:
|
||||
name: unbound
|
||||
name:
|
||||
- unbound
|
||||
- unbound-anchor
|
||||
- dns-root-data
|
||||
state: present
|
||||
when: ansible_distribution == "Debian"
|
||||
tags:
|
||||
- unbound
|
||||
|
||||
- name: Retrieve list of root DNS servers
|
||||
ansible.builtin.get_url:
|
||||
url: https://www.internic.net/domain/named.cache
|
||||
dest: /etc/unbound/root.hints
|
||||
force: true
|
||||
mode: "0644"
|
||||
notify: reload unbound
|
||||
tags:
|
||||
- unbound
|
||||
- unbound
|
||||
|
||||
- name: Copy Unbound config
|
||||
ansible.builtin.template:
|
||||
src: unbound.conf.j2
|
||||
dest: /etc/unbound/unbound.conf
|
||||
src: evolinux.conf.j2
|
||||
dest: /etc/unbound/unbound.conf.d/evolinux.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
when: ansible_distribution == "Debian"
|
||||
notify: reload unbound
|
||||
notify: Reload unbound
|
||||
tags:
|
||||
- unbound
|
||||
- unbound
|
||||
|
||||
- name: Copy Unbound config for reloading (Debian 11 and older)
|
||||
ansible.builtin.template:
|
||||
src: evolinux-reload.conf.j2
|
||||
dest: /etc/unbound/unbound.conf.d/evolinux-reload.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
when:
|
||||
- ansible_distribution_major_version is version('11', '<=')
|
||||
notify: Restart unbound
|
||||
tags:
|
||||
- unbound
|
||||
|
||||
- name: Copy munin plugin config
|
||||
ansible.builtin.copy:
|
||||
src: munin-plugin.conf
|
||||
dest: /etc/munin/plugin-conf.d/unbound
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
tags:
|
||||
- unbound
|
||||
|
||||
- name: Enable unbound munin plugin
|
||||
ansible.builtin.file:
|
||||
src: /usr/share/munin/plugins/unbound_munin_
|
||||
dest: "/etc/munin/plugins/unbound_munin_{{ plugin_name }}"
|
||||
state: link
|
||||
loop:
|
||||
- hits
|
||||
- queue
|
||||
- memory
|
||||
- by_type
|
||||
- by_class
|
||||
- by_opcode
|
||||
- by_rcode
|
||||
- by_flags
|
||||
- histogram
|
||||
loop_control:
|
||||
loop_var: plugin_name
|
||||
notify: Restart munin-node
|
||||
tags:
|
||||
- unbound
|
||||
|
||||
- name: Starting and enabling Unbound
|
||||
ansible.builtin.service:
|
||||
name: unbound
|
||||
enabled: yes
|
||||
enabled: true
|
||||
state: started
|
||||
tags:
|
||||
- unbound
|
||||
- unbound
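Review bot: The new drop-in `/etc/unbound/unbound.conf.d/evolinux.conf` is only read if `/etc/unbound/unbound.conf` includes that directory; the file this role used to template there (the deleted `unbound.conf.j2` at the end of this commit) contains no `include:` directive and is no longer managed, so hosts provisioned with the previous role version keep the old full config — `root-hints: "/etc/unbound/root.hints"` and all — and silently ignore everything this hunk installs. A task that restores the package's `unbound.conf` on such hosts, or at least asserts the include line is present (`ansible.builtin.lineinfile` with `line: 'include: "/etc/unbound/unbound.conf.d/*.conf"'` — check the exact directive the target release's package ships), would cover upgrades, and the old `/etc/unbound/root.hints` could be removed at the same time. Two smaller points: the munin plugin tasks run unconditionally and assume `/etc/munin/plugins` exists, and the reload-config task lacks the `ansible_distribution == "Debian"` guard the neighbouring tasks carry.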
|
||||
|
|
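--- a/unbound/templates/evolinux-reload.conf.j2
+++ b/unbound/templates/evolinux-reload.conf.j2
@@ -0,0 +1,7 @@
+# {{ ansible_managed }}
+
+remote-control:
+control-enable: yes
+# by default the control interface is is 127.0.0.1 and ::1 and port 8953
+# it is possible to use a unix socket too
+control-interface: /run/unbound.ctl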
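--- a/unbound/templates/evolinux.conf.j2
+++ b/unbound/templates/evolinux.conf.j2
@@ -0,0 +1,53 @@
+server:
+#interface: X.X.X.X
+#interface: 127.0.0.1@5353 # listen on alternative port
+{% for interface in unbound_interfaces %}
+interface: {{ interface }}
+{% endfor %}
+
+{% for acl in unbound_acls %}
+access-control: {{ acl }}
+{% endfor %}
+
+hide-identity: yes
+hide-version: yes
+
+root-hints: "/usr/share/dns/root.hints"
+
+# Uncomment to enable DNSSEC validation.
+#auto-trust-anchor-file: "/etc/unbound/root.key"
+
+# Enable extended stats for munin plugin
+extended-statistics: yes
+statistics-cumulative: no
+statistics-interval: 0
+
+
+# Serve zones authoritatively from Unbound to resolver clients.
+# Not for external service.
+
+#local-zone: "local." static
+#local-data: "mycomputer.local. IN A 192.0.2.51"
+#local-zone: "2.0.192.in-addr.arpa." static
+#local-data-ptr: "192.0.2.51 mycomputer.local
+# UDP EDNS reassembly buffer advertised to peers. Default 4096.
+# May need lowering on broken networks with fragmentation/MTU issues,
+# particularly if validating DNSSEC.
+
+#edns-buffer-size: 1480
+# Use TCP for "forward-zone" requests. Useful if you are making
+# DNS requests over an SSH port forwarding.
+#tcp-upstream: yes
+
+
+# Use an upstream forwarder (recursive resolver) for specific zones.
+# Example addresses given below are public resolvers valid as of 2014/03.
+#
+#forward-zone:
+# name: "." # use for ALL queries
+# forward-addr: 74.82.42.42 # he.net
+# forward-addr: 2001:470:20::2 # he.net v6
+# forward-addr: 8.8.8.8 # google.com
+# forward-addr: 2001:4860:4860::8888 # google.com v6
+# forward-addr: 208.67.222.222 # opendns.com
+# forward-first: yes # try direct if forwarder fails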
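Review bot: `#auto-trust-anchor-file` stays commented out, so nothing in this template turns on DNSSEC validation even though the tasks hunk now installs `unbound-anchor`; whether validation is active therefore depends entirely on the Debian package's own drop-in being present and included, which this role neither checks nor documents. A comment stating that expectation would keep the security posture explicit, e.g. `# DNSSEC validation is left to the Debian package's own unbound.conf.d drop-in; enable the line below only if that drop-in is absent.` The `#local-data-ptr: "192.0.2.51 mycomputer.local` example is missing its closing quote (carried over from the old template) and is worth fixing while the file is rewritten.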
|
@ -1,45 +0,0 @@
|
|||
server:
|
||||
#interface: X.X.X.X
|
||||
#interface: 127.0.0.1@5353 # listen on alternative port
|
||||
{% for interface in unbound_interfaces %}
|
||||
interface: {{ interface }}
|
||||
{% endfor %}
|
||||
#do-ip6: no
|
||||
|
||||
{% for acl in unbound_acls %}
|
||||
access-control: {{ acl }}
|
||||
{% endfor %}
|
||||
|
||||
hide-identity: yes
|
||||
hide-version: yes
|
||||
|
||||
root-hints: "/etc/unbound/root.hints"
|
||||
# Uncomment to enable DNSSEC validation.
|
||||
#auto-trust-anchor-file: "/etc/unbound/root.key"
|
||||
# Serve zones authoritatively from Unbound to resolver clients.
|
||||
# Not for external service.
|
||||
|
||||
#local-zone: "local." static
|
||||
#local-data: "mycomputer.local. IN A 192.0.2.51"
|
||||
#local-zone: "2.0.192.in-addr.arpa." static
|
||||
#local-data-ptr: "192.0.2.51 mycomputer.local
|
||||
# UDP EDNS reassembly buffer advertised to peers. Default 4096.
|
||||
# May need lowering on broken networks with fragmentation/MTU issues,
|
||||
# particularly if validating DNSSEC.
|
||||
|
||||
#edns-buffer-size: 1480
|
||||
# Use TCP for "forward-zone" requests. Useful if you are making
|
||||
# DNS requests over an SSH port forwarding.
|
||||
#tcp-upstream: yes
|
||||
|
||||
# Use an upstream forwarder (recursive resolver) for specific zones.
|
||||
# Example addresses given below are public resolvers valid as of 2014/03.
|
||||
#
|
||||
#forward-zone:
|
||||
# name: "." # use for ALL queries
|
||||
# forward-addr: 74.82.42.42 # he.net
|
||||
# forward-addr: 2001:470:20::2 # he.net v6
|
||||
# forward-addr: 8.8.8.8 # google.com
|
||||
# forward-addr: 2001:4860:4860::8888 # google.com v6
|
||||
# forward-addr: 208.67.222.222 # opendns.com
|
||||
# forward-first: yes # try direct if forwarder fails
|
|
@ -4,10 +4,27 @@
|
|||
ansible.builtin.include_role:
|
||||
name: evolix/remount-usr
|
||||
|
||||
- name: Get evoadmin-mail package
|
||||
ansible.builtin.get_url:
|
||||
url: https://pub.evolix.org/evolix/pool/main/e/evoadmin-mail/evoadmin-mail_1.0.9-1_all.deb
|
||||
dest: /tmp/evoadmin-mail.deb
|
||||
when: ansible_distribution_major_version is version('12', '<')
|
||||
tags:
|
||||
- evoadmin-mail
|
||||
|
||||
- name: Install evoadmin-mail package
|
||||
ansible.builtin.apt:
|
||||
deb: /tmp/evoadmin-mail.deb
|
||||
state: present
|
||||
when: ansible_distribution_major_version is version('12', '<')
|
||||
tags:
|
||||
- evoadmin-mail
|
||||
|
||||
- name: Install evoadmin-mail package
|
||||
ansible.builtin.apt:
|
||||
name: evoadmin-mail
|
||||
state: present
|
||||
when: ansible_distribution_major_version is version('12', '>=')
|
||||
tags:
|
||||
- evoadmin-mail
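Review bot: Whether or not these lines predate the commit, the Debian < 12 path downloads `evoadmin-mail_1.0.9-1_all.deb` to the fixed world-writable location `/tmp/evoadmin-mail.deb` and installs it as root with no `checksum:` on the `get_url`; `apt` with `deb:` does not check a signature for a local file, so TLS to pub.evolix.org is the only integrity check and a local user can pre-place or swap the file in `/tmp` between the two tasks. Add `checksum: "sha256:<EXPECTED_SHA256_PLACEHOLDER>"` to the `get_url`, download into a root-only location (`ansible.builtin.tempfile` or `/root/`), and remove the file after the install. The two tasks both named `Install evoadmin-mail package` should get distinct names, e.g. `Install evoadmin-mail package from local .deb (Debian < 12)` and `Install evoadmin-mail package from repository (Debian >= 12)`.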
|
||||
|
||||
|
|
|
@ -17,3 +17,5 @@ nextcloud_db_name: "{{ nextcloud_instance_name }}"
|
|||
|
||||
nextcloud_admin_login: "admin"
|
||||
nextcloud_admin_password: ""
|
||||
|
||||
nextcloud_do_config: True
|
||||
|
|
|
@ -54,3 +54,4 @@
|
|||
- ansible.builtin.include: mysql-user.yml
|
||||
|
||||
- ansible.builtin.include: config.yml
|
||||
when: nextcloud_do_config
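Review bot: `when: nextcloud_do_config` is evaluated as a raw Jinja truth value, so a string such as `"false"` arriving from inventory or `-e` is truthy and still runs `config.yml`; the rest of this commit casts such switches (`apt_install_extended_lts | bool` in `apt/tasks/main.yml`). Use `when: nextcloud_do_config | bool` for the same behaviour here.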
|
||||
|
|
|
@ -43,7 +43,14 @@
|
|||
- name: Mount up Ceph volume by UUID
|
||||
ansible.posix.mount:
|
||||
path: "{{ nextcloud_data }}"
|
||||
src: "{{ nextcloud_data_uuid }}"
|
||||
src: "UUID={{ nextcloud_data_uuid }}"
|
||||
fstype: ext4
|
||||
opts: defaults,noexec,nosuid,nodev,relatime,lazytime
|
||||
state: present
|
||||
state: mounted
|
||||
|
||||
- name: Set volume's root permissions and ownership
|
||||
ansible.builtin.file:
|
||||
path: "{{ nextcloud_data }}"
|
||||
owner: "{{ nextcloud_user }}"
|
||||
group: "{{ nextcloud_user }}"
|
||||
mode: "0700"
|
||||
|
|