diff --git a/CHANGELOG.md b/CHANGELOG.md index 98a91bd9..9f662180 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,19 +10,39 @@ The **patch** part changes incrementally at each release. ## [Unreleased] +* Ubuntu 18.04 support + +### Added + +### Changed +* elasticsearch: listen on local interface only by default + +### Fixed +* lxc-php: Don't remove the default pool + +### Security + +## [9.10.1] - 2019-06-21 + +### Changed +* evocheck : update (version 19.06) from upstream + +## [9.10.0] - 2019-06-21 + ### Added * apache: add server status suffix in VHost (and default site) if missing +* apache: add a variable to customize the server-status host * apt: add a script to manage packages with "hold" mark * etc-git: gitignore /etc/letsencrypt/.certbot.lock -* evolinux-base: install "spectre-meltdown-checker" (Debian 10 and later) * evomaintenance: make hooks configurable * nginx: add server status suffix in VHost (and default site) if missing * redmine: enable gzip compression in nginx vhost ### Changed -* evocheck : version 19.04 from upstream +* evocheck : update (unreleased) from upstream * evomaintenance : use the web API instead of PG Insert -* rbenv: update defaults rbenv version to 1.1.2 and ruby version to 2.5.5 +* fluentd: store gpg key locally +* rbenv: update defaults rbenv version to 1.1.2 and ruby version to 2.6.3 * redmine: update default version to 4.0.3 * nagios-nrpe: change required status code for http and https check * redmine: use custom errors-pages in Nginx vhost @@ -39,8 +59,6 @@ The **patch** part changes incrementally at each release. * evolinux-users: Validate sshd config with "-t" instead of "-T" * nagios-nrpe: Replace the dummy packages nagios-plugins-* with monitoring-plugins-* -### Security - ## [9.9.0] - 2019-04-16 ### Added diff --git a/apache/defaults/main.yml b/apache/defaults/main.yml index ffc74b4e..15ff1a53 100644 --- a/apache/defaults/main.yml +++ b/apache/defaults/main.yml 
@@ -19,3 +19,5 @@ apache_munin_include: True general_alert_email: "root@localhost" log2mail_alert_email: Null + +apache_serverstatus_host: 127.0.0.1 diff --git a/apache/tasks/server_status.yml b/apache/tasks/server_status.yml index 6497966b..1d6cd8df 100644 --- a/apache/tasks/server_status.yml +++ b/apache/tasks/server_status.yml @@ -62,7 +62,8 @@ - name: apache-status URL is configured for Munin lineinfile: dest: /etc/munin/plugin-conf.d/munin-node - line: "env.url http://127.0.0.1/server-status-{{ apache_serverstatus_suffix }}?auto" - regexp: "env.url http://127.0.0.1/server-status" + line: "env.url http://{{ apache_serverstatus_host }}/server-status-{{ apache_serverstatus_suffix }}?auto" + regexp: 'env.url http://[^\\/]+/server-status' insertafter: "[apache_*]" create: no + notify: restart munin-node diff --git a/apt/tasks/backports.yml b/apt/tasks/backports.yml index 02e189a3..0bdc82c7 100644 --- a/apt/tasks/backports.yml +++ b/apt/tasks/backports.yml @@ -5,7 +5,7 @@ regexp: "backports" state: absent tags: - - apt + - apt - name: Backports sources list is installed template: @@ -15,7 +15,7 @@ mode: "0640" register: apt_backports_list tags: - - apt + - apt - name: Backports configuration copy: @@ -25,7 +25,7 @@ mode: "0640" register: apt_backports_config tags: - - apt + - apt - name: Archived backport are accepted (jessie) lineinfile: @@ -34,10 +34,12 @@ create: yes state: present when: ansible_lsb.codename == "jessie" + tags: + - apt - name: Apt update apt: update_cache: yes when: apt_backports_list | changed or apt_backports_config | changed tags: - - apt + - apt diff --git a/apt/tasks/basics.yml b/apt/tasks/basics.yml index edd3ea0c..9f792a7f 100644 --- a/apt/tasks/basics.yml +++ b/apt/tasks/basics.yml 
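Review bot: The new `regexp` in the Munin task is single-quoted, so `\\` reaches the regex engine as two backslashes and `[^\\/]+` excludes backslashes as well as slashes; the intent reads as simply `regexp: 'env.url http://[^/]+/server-status'`. The added `notify: restart munin-node` assumes a handler of that name exists in this role, which is not visible here. Since `apache_serverstatus_host` (previous hunk) defaults to the loopback address, it would help to note in `apache/defaults/main.yml` that overriding it with a non-loopback address makes the Munin scrape cross the network and requires the server-status location to restrict clients accordingly, e.g. `# Host Munin scrapes for server-status; keep on loopback unless the vhost restricts access`.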
@@ -8,21 +8,23 @@ force: yes register: apt_basic_list tags: - - apt + - apt - name: Clean GANDI sources.list.d/debian-security.list file: path: '{{ item }}' state: absent with_items: - - /etc/apt/sources.list.d/debian-security.list - - /etc/apt/sources.list.d/debian-stretch.list - - /etc/apt/sources.list.d/debian-update.list + - /etc/apt/sources.list.d/debian-security.list + - /etc/apt/sources.list.d/debian-stretch.list + - /etc/apt/sources.list.d/debian-update.list when: apt_clean_gandi_sourceslist + tags: + - apt - name: Apt update apt: update_cache: yes when: apt_basic_list | changed tags: - - apt + - apt diff --git a/apt/tasks/config.yml b/apt/tasks/config.yml index 264e8dd7..988aac7a 100644 --- a/apt/tasks/config.yml +++ b/apt/tasks/config.yml @@ -9,9 +9,11 @@ state: present mode: "0640" with_items: - - { line: "APT::Install-Recommends \"false\";", regexp: 'APT::Install-Recommends' } - - { line: "APT::Install-Suggests \"false\";", regexp: 'APT::Install-Suggests' } + - { line: "APT::Install-Recommends \"false\";", regexp: 'APT::Install-Recommends' } + - { line: "APT::Install-Suggests \"false\";", regexp: 'APT::Install-Suggests' } when: apt_evolinux_config + tags: + - apt - name: DPkg invoke hooks lineinfile: 
@@ -21,24 +23,32 @@ state: present mode: "0640" with_items: - - "DPkg::Pre-Invoke { \"df /tmp | grep -q /tmp && mount -oremount,exec /tmp || true\"; };" - - "DPkg::Pre-Invoke { \"df /usr | grep -q /usr && mount -oremount,rw /usr || true\"; };" - - "DPkg::Post-Invoke { \"df /tmp | grep -q /tmp && mount -oremount /tmp || true\"; };" - - "DPkg::Post-Invoke { \"df /usr | grep -q /usr && mount -oremount /usr || true\"; };" + - "DPkg::Pre-Invoke { \"df /tmp | grep -q /tmp && mount -oremount,exec /tmp || true\"; };" + - "DPkg::Pre-Invoke { \"df /usr | grep -q /usr && mount -oremount,rw /usr || true\"; };" + - "DPkg::Post-Invoke { \"df /tmp | grep -q /tmp && mount -oremount /tmp || true\"; };" + - "DPkg::Post-Invoke { \"df /usr | grep -q /usr && mount -oremount /usr || true\"; };" when: apt_hooks + tags: + - apt - name: Remove Aptitude apt: name: aptitude state: absent when: apt_remove_aptitude + tags: + - apt - name: Updating APT cache apt: update_cache: yes changed_when: False + tags: + - apt - name: Upgrading system apt: upgrade: dist when: apt_upgrade + tags: + - apt diff --git a/apt/tasks/evolix_public.yml b/apt/tasks/evolix_public.yml index ba0a0da6..ed6f98e2 100644 --- a/apt/tasks/evolix_public.yml +++ b/apt/tasks/evolix_public.yml @@ -12,8 +12,10 @@ apt_key: #url: http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x44975278B8612B5D data: "{{ lookup('file', 'reg.gpg') }}" + tags: + - apt -- name: Evolix public list is installed +- name: Evolix public list is installed (only for Debian) template: src: evolix_public.list.j2 dest: /etc/apt/sources.list.d/evolix_public.list @@ -21,11 +23,12 @@ mode: "0640" register: apt_evolix_public tags: - - apt + - apt + when: ansible_distribution == "Debian" - name: Apt update apt: update_cache: yes when: apt_evolix_public | changed tags: - - apt + - apt diff --git a/apt/tasks/hold_packages.yml b/apt/tasks/hold_packages.yml index 0939335b..b44a1581 100644 --- a/apt/tasks/hold_packages.yml +++ b/apt/tasks/hold_packages.yml 
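Review bot: The apt_key task in hunk @@ -12 of evolix_public.yml still runs on Ubuntu even though the sources list it belongs to is now gated on `ansible_distribution == "Debian"`, so the Evolix signing key lands in Ubuntu's trusted keyring with no repository using it; an apt key is trusted for every configured source, so an unneeded one only widens trust. Add the same guard to the key task, `when: ansible_distribution == "Debian"`, or adjust the task name to say the key is installed everywhere on purpose. In the second hunk `when:` was placed after `tags:` while the other tasks in this role put it before; minor, but worth keeping consistent.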
@@ -5,6 +5,8 @@ register: apt_mark changed_when: "'{{ item }} set on hold.' in apt_mark.stdout" with_items: "{{ apt_hold_packages }}" + tags: + - apt - name: "hold packages (config)" lineinfile: @@ -13,12 +15,16 @@ create: True state: present with_items: "{{ apt_hold_packages }}" + tags: + - apt - name: "unhold packages (apt)" shell: "(apt-mark showhold | grep --quiet {{ item }}) && apt-mark unhold {{ item }}" register: apt_mark changed_when: "'Canceled hold on {{ item }}.' in apt_mark.stdout" with_items: "{{ apt_unhold_packages }}" + tags: + - apt - name: "unhold packages (config)" lineinfile: @@ -27,6 +33,8 @@ create: True state: absent with_items: "{{ apt_unhold_packages }}" + tags: + - apt - name: /usr/share/scripts exists file: @@ -35,6 +43,8 @@ owner: root group: root state: directory + tags: + - apt - name: Check scripts is installed copy: @@ -42,6 +52,8 @@ dest: /usr/share/scripts/check_held_packages.sh force: yes mode: "0755" + tags: + - apt - name: Check for held packages (script) cron: @@ -55,3 +67,5 @@ day: "{{ apt_check_hold_cron_day }}" month: "{{ apt_check_hold_cron_month }}" state: "present" + tags: + - apt diff --git a/apt/tasks/main.yml b/apt/tasks/main.yml index b02e779f..cf84ca22 100644 --- a/apt/tasks/main.yml +++ b/apt/tasks/main.yml 
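Review bot: The `unhold packages (apt)` shell task (hunk @@ -13) interpolates `{{ item }}` unquoted and tests it with `grep --quiet {{ item }}`, an unanchored regex search, so unholding `php` is triggered by a held `php7.3-fpm`, and a package name containing shell metacharacters would be interpreted rather than quoted. If exact names are intended, use `shell: "(apt-mark showhold | grep --quiet --line-regexp --fixed-strings -- {{ item | quote }}) && apt-mark unhold {{ item | quote }}"`. The hold task in the first hunk starts outside this view and presumably has the same shape.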
@@ -2,38 +2,38 @@ - name: "Compatibility check" fail: - msg: only compatible with Debian >= 8 + msg: only compatible with Debian >= 8 AND Ubuntu >= 18.04 when: - - ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<') + - (ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<')) and (ansible_distribution != "Ubuntu" or ansible_distribution_major_version | version_compare('18', '<')) tags: - - apt + - apt - name: Custom configuration include: config.yml when: apt_config tags: - - apt + - apt - name: Install basics repositories include: basics.yml when: apt_install_basics tags: - - apt + - apt - name: Install APT Backports repository include: backports.yml when: apt_install_backports tags: - - apt + - apt - name: Install Evolix Public APT repository include: evolix_public.yml when: apt_install_evolix_public tags: - - apt + - apt - name: Install check for packages marked hold include: hold_packages.yml when: apt_install_hold_packages tags: - - apt + - apt diff --git a/apt/templates/bionic_basics.list.j2 b/apt/templates/bionic_basics.list.j2 new file mode 100644 index 00000000..bd3e9d9c --- /dev/null +++ b/apt/templates/bionic_basics.list.j2 @@ -0,0 +1,5 @@ +# {{ ansible_managed }} + +deb http://archive.ubuntu.com/ubuntu/ bionic {{ apt_basics_components | mandatory }} +deb http://archive.ubuntu.com/ubuntu/ bionic-updates {{ apt_basics_components | mandatory }} +deb http://security.ubuntu.com/ubuntu bionic-security {{ apt_basics_components | mandatory }} diff --git a/elasticsearch/README.md b/elasticsearch/README.md index e8184019..933beb0f 100644 --- a/elasticsearch/README.md +++ b/elasticsearch/README.md 
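Review bot: The failure message in the compatibility check reads `only compatible with Debian >= 8 AND Ubuntu >= 18.04`, but the condition below it fails only when neither distribution matches, so the message should say OR: `msg: only compatible with Debian >= 8 or Ubuntu >= 18.04`. The condition itself is correct. The remaining hunks in this file only re-indent `tags`.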
@@ -27,7 +27,7 @@ Tasks are extracted in several files, included in `tasks/main.yml` : * `elasticsearch_jvm_xmx`: maximum heap size reserved for the JVM (default: `2g`). * `elasticsearch_restart_on_upgrade`: restart the service after package upgrade (default: `true`) -By default, Elasticsearch will listen to the public interfaces (`_site_` cf. https://www.elastic.co/guide/en/elasticsearch/reference/5.0/important-settings.html#network.host), so you will have to secure it, with firewall rules for example. +By default, Elasticsearch will listen to the local interface (`_local_` cf. https://www.elastic.co/guide/en/elasticsearch/reference/5.0/important-settings.html#network.host). ## Curator diff --git a/elasticsearch/defaults/main.yml b/elasticsearch/defaults/main.yml index f5693bf2..91e81915 100644 --- a/elasticsearch/defaults/main.yml +++ b/elasticsearch/defaults/main.yml @@ -5,7 +5,7 @@ elasticsearch_cluster_name: Null elasticsearch_cluster_members: Null elasticsearch_minimum_master_nodes: Null elasticsearch_node_name: "${HOSTNAME}" -elasticsearch_network_host: "[_site_, _local_]" +elasticsearch_network_host: "[_local_]" elasticsearch_network_publish_host: Null elasticsearch_http_publish_host: Null elasticsearch_custom_datadir: Null diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index 6e9985f2..857b7919 100644 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -315,7 +315,7 @@ check_nrpeperms() { } check_minifwperms() { if [ -f "$MINIFW_FILE" ]; then - actual=$(stat --format "%a" $MINIFW_FILE) + actual=$(stat --format "%a" "$MINIFW_FILE") expected="600" test "$expected" = "$actual" || failed "IS_MINIFWPERMS" fi @@ -386,7 +386,7 @@ check_raidsoft() { } # Verification du LogFormat de AWStats check_awstatslogformat() { - if is_installed apache2.2-common awstats; then + if is_installed apache2 awstats; then grep -qE '^LogFormat=1' /etc/awstats/awstats.conf.local \ || failed "IS_AWSTATSLOGFORMAT" fi 
@@ -531,20 +531,30 @@ check_userlogrotate() { } # Verification de la syntaxe de la conf d'Apache check_apachectl() { - if is_installed apache2.2-common; then + if is_installed apache2; then /usr/sbin/apache2ctl configtest 2>&1 | grep -q "^Syntax OK$" || failed "IS_APACHECTL" fi } # Check if there is regular files in Apache sites-enabled. check_apachesymlink() { - if is_installed apache2.2-common; then - stat -c %F /etc/apache2/sites-enabled/* | grep -q regular && failed "IS_APACHESYMLINK" + if is_installed apache2; then + apacheFind=$(find /etc/apache2/sites-enabled ! -type l -type f -print) + nbApacheFind=$(wc -m <<< "$apacheFind") + if [[ $nbApacheFind -gt 1 ]]; then + if [[ $VERBOSE == 1 ]]; then + while read -r line; do + failed "IS_APACHESYMLINK" "Not a symlink: $line" + done <<< "$apacheFind" + else + failed "IS_APACHESYMLINK" + fi + fi fi } # Check if there is real IP addresses in Allow/Deny directives (no trailing space, inline comments or so). check_apacheipinallow() { # Note: Replace "exit 1" by "print" in Perl code to debug it. - if is_installed apache2.2-common; then + if is_installed apache2; then grep -IrE "^[^#] *(Allow|Deny) from" /etc/apache2/ \ | grep -iv "from all" \ | grep -iv "env=" \ @@ -559,7 +569,7 @@ check_muninapacheconf() { else muninconf="/etc/apache2/conf-available/munin.conf" fi - if is_installed apache2.2-common; then + if is_installed apache2; then test -e $muninconf && grep -vEq "^( |\t)*#" "$muninconf" && failed "IS_MUNINAPACHECONF" fi } 
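Review bot: In check_apachesymlink the `wc -m <<< "$apacheFind"` / `-gt 1` pair is an indirect way of testing whether find produced any output (the here-string always contributes one newline); `if [[ -n "$apacheFind" ]]; then` says the same thing and drops the `nbApacheFind` temporary. `-type f` already excludes symlinks when find is not given `-L`, so `! -type l` is redundant. The loop also reads `$VERBOSE`, which is set outside this hunk.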
@@ -881,12 +891,17 @@ check_mysqlmunin() { } check_mysqlnrpe() { if is_debian_stretch && is_installed mariadb-server; then - nagios_file="~nagios/.my.cnf" - { test -f $nagios_file \ - && [ "$(stat -c %U $nagios_file)" = "nagios" ] \ - && [ "$(stat -c %a $nagios_file)" = "600" ] \ - && grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost -f $nagios_file"; - } || failed "IS_MYSQLNRPE" + nagios_file=~nagios/.my.cnf + + if ! test -f ${nagios_file}; then + failed "IS_MYSQLNRPE" "${nagios_file} is missing" + elif [ "$(stat -c %U ${nagios_file})" != "nagios" ] \ + || [ "$(stat -c %a ${nagios_file})" != "600" ]; then + failed "IS_MYSQLNRPE" "${nagios_file} has wrong permissions" + else + grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql" /etc/nagios/nrpe.d/evolix.cfg \ + || failed "IS_MYSQLNRPE" "check_mysql is missing" + fi fi } check_phpevolinuxconf() { @@ -1078,9 +1093,7 @@ check_evomaintenanceconf() { && grep "^FULLFROM" $f | grep -qv "John Doe " \ && grep "^URGENCYFROM" $f | grep -qv "mama.doe@example.com" \ && grep "^URGENCYTEL" $f | grep -qv "06.00.00.00.00" \ - && grep "^REALM" $f | grep -qv "example.com" \ - && grep "^API_ENDPOINT" $f | grep -qv "https://example.com/api/" \ - && grep "^API_KEY" $f | grep -qv "secretkey"; + && grep "^REALM" $f | grep -qv "example.com" } || failed "IS_EVOMAINTENANCECONF" "evomaintenance is not correctly configured" else failed "IS_EVOMAINTENANCECONF" "Configuration file \`$f' is missing" 
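Review bot: The new grep in check_mysqlnrpe no longer verifies that check_mysql is pointed at the credentials file with `-f`, so an NRPE command that passes the password on the command line instead would pass the check even though the ownership and mode tests above it exist to protect that file. If that was not intended, include the option in the fixed string, e.g. `grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost -f ~nagios/.my.cnf" /etc/nagios/nrpe.d/evolix.cfg`, using whichever spelling the NRPE config actually contains (the tilde form from the old check, or the expanded `${nagios_file}`). Adding the file argument to grep is a real fix: the old version read stdin.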
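Review bot: Dropping the `API_ENDPOINT` and `API_KEY` lines from check_evomaintenanceconf means a configuration that still carries the sample `API_KEY=secretkey` is reported as correctly configured, while the changelog in this same commit says evomaintenance now talks to the web API with that key. If the keys are still read from this file, keep at least `&& grep "^API_KEY" $f | grep -qv "secretkey"` (restoring the `\` continuation on the `REALM` line); if they moved elsewhere, a one-line comment saying so would stop the next reader from re-adding the check.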
@@ -1102,7 +1115,7 @@ check_evobackup_incs() { if is_installed bkctld; then bkctld_cron_file=${bkctld_cron_file:-/etc/cron.d/bkctld} if [ -f "${bkctld_cron_file}" ]; then - root_crontab=$(grep -v "^#" ${bkctld_cron_file}) + root_crontab=$(grep -v "^#" "${bkctld_cron_file}") echo "${root_crontab}" | grep -q "bkctld inc" || failed "IS_EVOBACKUP_INCS" "\`bkctld inc' is missing in ${bkctld_cron_file}" echo "${root_crontab}" | grep -q "check-incs.sh" || failed "IS_EVOBACKUP_INCS" "\`check-incs.sh' is missing in ${bkctld_cron_file}" else @@ -1111,6 +1124,12 @@ check_evobackup_incs() { fi } +check_osprober() { + if is_installed os-prober qemu-kvm; then + failed "IS_OSPROBER" "Removal of os-prober package is recommended as it can cause serious issue on KVM server" + fi +} + main() { # Default return code : 0 = no error RC=0 @@ -1158,7 +1177,7 @@ main() { test "${IS_LISTCHANGESCONF:=1}" = 1 && check_listchangesconf test "${IS_CUSTOMCRONTAB:=1}" = 1 && check_customcrontab test "${IS_SSHALLOWUSERS:=1}" = 1 && check_sshallowusers - test "${IS_DISKPERF:=1}" = 1 && check_diskperf + test "${IS_DISKPERF:=0}" = 1 && check_diskperf test "${IS_TMOUTPROFILE:=1}" = 1 && check_tmoutprofile test "${IS_ALERT5BOOT:=1}" = 1 && check_alert5boot test "${IS_ALERT5MINIFW:=1}" = 1 && check_alert5minifw @@ -1231,6 +1250,7 @@ main() { test "${IS_MELTDOWN_SPECTRE:=1}" = 1 && check_meltdown_spectre test "${IS_OLD_HOME_DIR:=1}" = 1 && check_old_home_dir test "${IS_EVOBACKUP_INCS:=1}" = 1 && check_evobackup_incs + test "${IS_OSPROBER:=1}" = 1 && check_osprober fi #----------------------------------------------------------- @@ -1343,7 +1363,7 @@ readonly PROGDIR=$(realpath -m "$(dirname "$0")") # shellcheck disable=2124 readonly ARGS=$@ -readonly VERSION="19.04" +readonly VERSION="19.06" # Disable LANG* export LANG=C @@ -1396,4 +1416,5 @@ while :; do shift done +# shellcheck disable=SC2086 main ${ARGS} 
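Review bot: The added `# shellcheck disable=SC2086` before `main ${ARGS}` hides the underlying issue rather than fixing it: `readonly ARGS=$@` (hunk @@ -1343) joins all arguments into one string, so an argument containing whitespace is split again at the call. Since the script already relies on bash (`[[`, `<<<`), `readonly ARGS=("$@")` together with `main "${ARGS[@]}"` preserves argument boundaries without the suppression; how main consumes its arguments is outside this view, so confirm it does not depend on the flattening. The `IS_DISKPERF` default flipping to `0` in hunk @@ -1158 silently disables a check by default and deserves a short comment next to it.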
diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml index ff0213a8..6d0a0f9b 100644 --- a/evolinux-base/tasks/main.yml +++ b/evolinux-base/tasks/main.yml @@ -3,9 +3,9 @@ - name: "System compatibility checks" assert: that: - - ansible_distribution == "Debian" - - ansible_distribution_major_version | version_compare('8', '>=') - msg: only compatible with Debian >= 8 + - (ansible_distribution == "Debian") or (ansible_distribution == "Ubuntu") + - (ansible_distribution_major_version | version_compare('8', '>=')) or (ansible_distribution_major_version | version_compare('18', '>=')) + msg: only compatible with Debian >= 8 AND Ubuntu >= 18.04 - name: Apt configuration include_role: diff --git a/evolinux-base/tasks/packages.yml b/evolinux-base/tasks/packages.yml index b4d9cee1..d7778fe7 100644 --- a/evolinux-base/tasks/packages.yml +++ b/evolinux-base/tasks/packages.yml @@ -80,11 +80,20 @@ - mlocate when: evolinux_packages_purge_locate -- name: Install/Update serveur-base meta-package +- name: Install/Update serveur-base meta-package on debian apt: name: serveur-base allow_unauthenticated: yes - when: evolinux_packages_serveur_base + when: evolinux_packages_serveur_base and (ansible_distribution == "Debian") + +- name: Install/Update serveur-base meta-package on ubuntu + apt: + deb: "{{ item }}" + with_items: + - 'http://pub.evolix.net/stretch/log2mail_0.3.0-2_amd64.deb' + - 'http://pub.evolix.net/stretch/evocheck_0.10-1_all.deb' + - 'http://pub.evolix.net/stretch/serveur-base_0.4.0_all.deb' + when: evolinux_packages_serveur_base and (ansible_distribution == "Ubuntu") - name: Install/Update packages for Stretch and later apt: diff --git a/evolinux-base/tasks/ssh.yml b/evolinux-base/tasks/ssh.yml index c6b87cae..e6b31ccb 100644 --- a/evolinux-base/tasks/ssh.yml +++ b/evolinux-base/tasks/ssh.yml 
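Review bot: The rewritten assert does not actually reject Ubuntu releases older than 18.04: the second condition is `(major >= 8) or (major >= 18)`, which is true for any major version of 8 or more, so Ubuntu 16.04 passes both checks. Tie the version test to the distribution, `- (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('8', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))`, as apt/tasks/main.yml in this commit already does, and reword `msg` to say `or` rather than `AND`. The same pair of conditions is duplicated in evolinux-users/tasks/main.yml.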
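Review bot: The new Ubuntu task installs three packages fetched over plain HTTP from `pub.evolix.net` with `apt: deb:`, and `.deb` files pulled this way are neither signature-checked by apt nor checksummed by the module, so anyone able to tamper with that connection gets root-level code execution on every Ubuntu host the role runs on; evomaintenance/tasks/install_package_ubuntu.yml in this commit has the same pattern. Fetch each file with `get_url` and a pinned `checksum:` (over HTTPS if the host offers it), then install the local path, as sketched below. The task name says serveur-base but installs log2mail and evocheck too, and these are `stretch` builds being installed on Ubuntu; a comment saying why they are expected to work there would help.
```yaml
- name: Evolix packages are downloaded (ubuntu)
  get_url:
    url: "{{ item.url }}"
    dest: "/root/{{ item.url | basename }}"
    checksum: "{{ item.checksum }}"
  with_items:
    - { url: 'http://pub.evolix.net/stretch/log2mail_0.3.0-2_amd64.deb', checksum: 'sha256:<CHECKSUM_PLACEHOLDER>' }
    - { url: 'http://pub.evolix.net/stretch/evocheck_0.10-1_all.deb', checksum: 'sha256:<CHECKSUM_PLACEHOLDER>' }
    - { url: 'http://pub.evolix.net/stretch/serveur-base_0.4.0_all.deb', checksum: 'sha256:<CHECKSUM_PLACEHOLDER>' }
  register: evolinux_ubuntu_debs
  when: evolinux_packages_serveur_base and (ansible_distribution == "Ubuntu")

- name: Install/Update serveur-base meta-package on ubuntu
  apt:
    deb: "{{ item.dest }}"
  with_items: "{{ evolinux_ubuntu_debs.results }}"
  when: evolinux_packages_serveur_base and (ansible_distribution == "Ubuntu")
```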
@@ -13,7 +13,7 @@ # We want to allow any user from a list of IP addresses to login with password, # but users of the "evolix" group can't login with password from other IP addresses -- name: "Security directives for Evolinux (Debian 10 or later)" +- name: "Security directives for Evolinux (Debian 10 and Ubuntu 18.04 or later)" blockinfile: dest: /etc/ssh/sshd_config marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS" @@ -27,7 +27,7 @@ notify: reload sshd when: - evolinux_ssh_password_auth_addresses != [] - - ansible_distribution_major_version | version_compare('10', '>=') + - (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('10', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>=')) - name: Security directives for Evolinux (Jessie/Stretch) blockinfile: diff --git a/evolinux-base/tasks/system.yml b/evolinux-base/tasks/system.yml index 502df7e9..d61f496c 100644 --- a/evolinux-base/tasks/system.yml +++ b/evolinux-base/tasks/system.yml @@ -125,7 +125,7 @@ mode: "0755" when: - evolinux_system_alert5_init - - ansible_lsb.codename == "jessie" or ansible_lsb.codename == "stretch" + - ansible_lsb.codename == "jessie" or ansible_lsb.codename == "stretch" or ansible_distribution == "Ubuntu" - name: Enable alert5 init script (jessie/stretch) service: @@ -134,7 +134,7 @@ when: - evolinux_system_alert5_init - evolinux_system_alert5_enable - - ansible_lsb.codename == "jessie" or ansible_lsb.codename == "stretch" + - ansible_lsb.codename == "jessie" or ansible_lsb.codename == "stretch" or ansible_distribution == "Ubuntu" diff --git a/evolinux-users/tasks/main.yml b/evolinux-users/tasks/main.yml index e5872a91..a7230d15 100644 --- a/evolinux-users/tasks/main.yml +++ b/evolinux-users/tasks/main.yml 
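Review bot: Both alert5 tasks in evolinux-base/tasks/system.yml keep `(jessie/stretch)` in their names while their `when` now also fires on Ubuntu, so `--list-tasks` output and logs will misstate where they run; rename to e.g. `Enable alert5 init script (jessie/stretch/Ubuntu)`. Whether a sysvinit-style alert5 script is the right thing for Ubuntu 18.04 is not visible from this hunk; if that was verified, a short comment above the first task saying so would help.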
@@ -3,9 +3,9 @@ - name: "System compatibility checks" assert: that: - - ansible_distribution == "Debian" - - ansible_distribution_major_version | version_compare('8', '>=') - msg: only compatible with Debian >= 8 + - (ansible_distribution == "Debian") or (ansible_distribution == "Ubuntu") + - (ansible_distribution_major_version | version_compare('8', '>=')) or (ansible_distribution_major_version | version_compare('18', '>=')) + msg: only compatible with Debian >= 8 AND Ubuntu >= 18.04 - debug: msg: "Warning: empty 'evolinux_users' variable, tasks will be skipped!" diff --git a/evolinux-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml index 70570c63..f22fe0fd 100644 --- a/evolinux-users/tasks/ssh.yml +++ b/evolinux-users/tasks/ssh.yml @@ -28,9 +28,9 @@ - set_fact: # If "AllowGroups is present" or "AllowUsers is absent and Debian 10+", - ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0 and (ansible_distribution_major_version | version_compare('10', '>='))) }}" + ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0 and ((ansible_distribution == 'Debian' and ansible_distribution_major_version | version_compare('10', '>=')) or (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version | version_compare('18', '>=')))) }}" # If "AllowGroups is absent" and "AllowUsers is absent or Debian <10" - ssh_allowusers: "{{ (grep_allowusers_ssh.rc == 0) or (grep_allowgroups_ssh.rc != 0 and (ansible_distribution_major_version | version_compare('10', '<'))) }}" + ssh_allowusers: "{{ (grep_allowusers_ssh.rc == 0) or (grep_allowgroups_ssh.rc != 0 and (ansible_distribution == 'Debian' and ansible_distribution_major_version | version_compare('10', '<'))) }}" - debug: var: ssh_allowgroups diff --git a/evolinux-users/tasks/sudo.yml b/evolinux-users/tasks/sudo.yml index a4b28d25..add7343e 100644 --- a/evolinux-users/tasks/sudo.yml +++ b/evolinux-users/tasks/sudo.yml 
@@ -4,6 +4,6 @@ when: ansible_lsb.codename == "jessie" - include: sudo_stretch.yml - when: ansible_distribution_major_version | version_compare('9', '>=') + when: (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('9', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>=')) - meta: flush_handlers diff --git a/evolinux-users/tasks/user.yml b/evolinux-users/tasks/user.yml index 96c70e31..9ded655e 100644 --- a/evolinux-users/tasks/user.yml +++ b/evolinux-users/tasks/user.yml 
@@ -59,31 +59,32 @@ ## Group for SSH authorizations -- name: "Unix group '{{ evolinux_ssh_group }}' is present (Debian 10 or later)" +- name: "Unix group '{{ evolinux_ssh_group }}' is present (Debian 10 and Ubuntu 18 or later)" group: name: "{{ evolinux_ssh_group }}" state: present - when: ansible_distribution_major_version | version_compare('10', '>=') + when: (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('10', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>=')) -- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_ssh_group }}' (Debian 10 or later)" +- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_ssh_group }}' (Debian 10 and Ubuntu 18 or later)" user: name: '{{ user.name }}' groups: "{{ evolinux_ssh_group }}" append: yes - when: ansible_distribution_major_version | version_compare('10', '>=') + when: (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('10', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>=')) ## Optional group for all evolinux users -- name: "Unix group '{{ evolinux_internal_group }}' is present (Debian 9 or later)" +- name: "Unix group '{{ evolinux_internal_group }}' is present (Debian 9 and Ubuntu 18 or later)" group: name: "{{ evolinux_internal_group }}" state: present when: - evolinux_internal_group is defined - evolinux_internal_group != "" - - ansible_distribution_major_version | version_compare('9', '>=') + - (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('9', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>=')) -- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_internal_group }}' (Debian 9 or later)" + +- name: "Unix user '{{ user.name }}' belongs to group '{{ 
evolinux_internal_group }}' (Debian 9 and Ubuntu 18 or later)" user: name: '{{ user.name }}' groups: "{{ evolinux_internal_group }}" @@ -91,7 +92,8 @@ when: - evolinux_internal_group is defined - evolinux_internal_group != "" - - ansible_distribution_major_version | version_compare('9', '>=') + - (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('9', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>=')) + ## Optional secondary groups, defined per user diff --git a/evomaintenance/tasks/install_package_ubuntu.yml b/evomaintenance/tasks/install_package_ubuntu.yml new file mode 100644 index 00000000..5b6664fc --- /dev/null +++ b/evomaintenance/tasks/install_package_ubuntu.yml @@ -0,0 +1,18 @@ +--- + +- name: Package is installed + apt: + deb: 'http://pub.evolix.net/stretch/evomaintenance_0.2.9-1_all.deb' + tags: + - evomaintenance + +- name: Configuration is installed + template: + src: evomaintenance.j2 + dest: /etc/evomaintenance.cf + owner: root + group: root + mode: "0600" + force: "{{ evomaintenance_force_config | bool }}" + tags: + - evomaintenance diff --git a/evomaintenance/tasks/main.yml b/evomaintenance/tasks/main.yml index 6d2cd26c..e9e22007 100644 --- a/evomaintenance/tasks/main.yml +++ b/evomaintenance/tasks/main.yml @@ -9,15 +9,20 @@ - evomaintenance_api_key is not none msg: evomaintenance api variables must be set +- include: install_package_ubuntu.yml + when: + - not evomaintenance_install_vendor + - ansible_distribution == "Ubuntu" + - include: install_package_debian.yml when: - not evomaintenance_install_vendor - - ansible_distribution == "Debian" + - ansible_distribution == "Debian" or ansible_distribution == "Ubuntu" - include: install_vendor_debian.yml when: - evomaintenance_install_vendor - - ansible_distribution == "Debian" + - ansible_distribution == "Debian" or ansible_distribution == "Ubuntu" - include: install_vendor_openbsd.yml when: 
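Review bot: The same Debian/Ubuntu version expression is now pasted, with two different Debian thresholds, into four `when` clauses in user.yml and again in evolinux-users/tasks/ssh.yml and sudo.yml, which is how copies drift apart over time. Compute the two distinctions once near the top of the role with a `set_fact` (for instance `evolinux_users_debian9_or_ubuntu18` and `evolinux_users_debian10_or_ubuntu18`) and reference those facts in each `when:`. The hunk also introduces a double blank line before the second internal-group task and a stray blank line at its end.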
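Review bot: On Ubuntu both `install_package_ubuntu.yml` and `install_package_debian.yml` are now included, because the second condition was widened to `Debian or Ubuntu` while the new Ubuntu-specific include was added above it; unless install_package_debian.yml is itself guarded internally, the package is installed twice from two sources and the configuration template is written twice. Keep the Debian include on `- ansible_distribution == "Debian"` only, or drop the Ubuntu file if the Debian one is meant to cover both. The vendor and minifirewall includes widened the same way look intentional.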
@@ -25,4 +30,4 @@ - include: minifirewall.yml when: - - ansible_distribution == "Debian" + - ansible_distribution == "Debian" or ansible_distribution == "Ubuntu" diff --git a/fluentd/files/fluentd.gpg b/fluentd/files/fluentd.gpg new file mode 100644 index 00000000..7a998316 --- /dev/null +++ b/fluentd/files/fluentd.gpg 
@@ -0,0 +1,53 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2 + +mQINBFhiI8wBEADThWLNd8IKPRw7Ygu3DHS4Sb/Yc6vSZSaMGJ6Wkj245jScvI+C +nG4C4rtO/8ObUj5cUpb4CyfYZX8W4tp9x+W68c4paXevG4s+X4EE3uUsgdwTnFXi +GMa57QDzR4p/JvjUjfGJ2UAr4Bfj8Q2S54LmIu6UAe82ce2B4tEHCeYSxkmVUDAZ +utfmgKoVTbnceTemU0m5ANS6IC1/53KEhgB1sKm5G/FjRJGslHWb3mf+bLrhmlkP +pA4BOKF2w3eFYH3LhWskxMS0SPM7J6aq+6LyNNqtlKL6lUS7qVjRQ6PlgFcmtG4J +tijsZI62bDn1f44DmeLY+LMS/nM0xyIx94lYumGH5EYmjUECagqMool98/+Wx79A +Thtg/1pYNzo8Z76qr0i3xLSRtsQ2Om2Rfal7VGadOrx4sqlkSaUaGI+hBc1r4tNy +tERvBEMGSf78bWDbdzxSNEW4LUDUpniNQb0DrURfWkqRa3q4WcTJr8lpQM/NmAru +owayAXQwKob+OIZ09/O69EaqVJ9MqsM3keQouSHShKvzNrppuo3D3z+Dpy05FsYw +MAiIN7auXxy+XQwCVsKF083YaDHcC0I22GReEgt43yZXQ/b/J9QNrm5nJ+3Cpso3 +jJnMzubuniSOOdd3mXQ6MwgZvWgtH/nPF8oUX9VSGwqNohiKWcxQDxW7qQARAQAB +tFRUcmVhc3VyZSBEYXRhLCBJbmMgKFRyZWFzdXJlIEFnZW50IE9mZmljaWFsIFNp +Z25pbmcga2V5KSA8c3VwcG9ydEB0cmVhc3VyZS1kYXRhLmNvbT6JAjcEEwEIACEF +AlhiI8wCGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQkB+Rd6uXrL5GrhAA +nh82+caSu9Qu/LW256gN5UjPUFhph66ElT1OVyAR2FoOmz2pJH3t8YYD5cUV2W6/ +xqJDmjl+vnL2HBgxjHKRCo2K3hrq6z4LoU7SpWDI1cZ03lkjh1yNx13S+9JvZNlp +jit0WRIspke0n0vWSpNo4nh19Yg3EA1c+vGeHnmlYo6xwRHu6XOhhCwywtFRGC3a +iMJzAV4N69ZU6P5VZZkC6LjYYQtF4aI10COLZ4AcObH2htGAZTj2KlZfdJHmr+Oa +wY57giUYz7OF45LLCuqe+VwpGp2d3UK/MtCnXRLi5InMVJKDvyt18MzRDFuyA27e +WSt+JumVqhEjawh3hmdzIS1cHKmv19gdeE8On2i2Lf8lyek8fsB/YPgADAmp2oSe +cjLu0ocGbgxRjuCR29+6IG+DiUDFCkqFZNdLiGVqzjpjpYHaPhVe77ciwA8TCPru +3dh5t/qv2HglSd7lj95IApZBtny5AK8NS4qtaOeZbBbbDRuOPL0c7fU3bqyIPy57 +zvdYi3KdjWZVCawcAmk3ILP83eFSivCRPRoyCqO+HX8U647BBWvlFuEbPa+Y1sgE +12MEF/Y6VVJh3Ptw+h/qKRbra4LdA+5Y30q/9l6WGgbO/4h3NKmGeVCrAFvS3h92 +fS0ABYD1nAP7fSNS9RfYIqfBXtJem+tJ14YKJwWiAYW5Ag0EWGIjzAEQAMw5EMJu +RBFRdhXD5UeA7I7wwkql/iYof8ydUALBxh9NSpmwaACkb4Me6h/rHdVsPRO3vIoo +uXftSjkRk2frjziihfEdeYxYU5PPawZxwCRDInr/OLZmcCCA2yCkRnFBhZxQy8NW +iJz0tlJtohhuJ7NRK7+HVJ3rPrtoV1lZVricDrB7DdVySp+7VciEM/XQhKKlesyd +gYXic4fx7xvPS6hRmH/fNVdvFobIhQBNUuPfKJeKpeJqPHeqkCNRz1Kl6NW9XXBq 
+hNyAlC7SPdKmjsv4UVIcFLUXP5wv7nprtEh15LoDlJCvFEF/iDJzaWI3QeVqY8XS +EI77WNsA/w7nlVNO3lGOPMjW8cxn4Jd2s4lpNa/e+RfrG/PD+ODSS92ISkuihBIU +Z2XeFa1xjQ1ayint4lVe3FGWTBJjqK8qX3JaOVeUD0AlSWqFcJzI7KxfNtVZCOaZ +WL/PVG124A118AUMFEWfb3r2Le8ddl+AKFP5Etsb+00VEWL06VPDampJIHanGjyX +h3dZkzORO3l3dt/P6embimic2QDOmO5x+wESnD8spITPKDl9OuqebCB8Z2oShnnG ++xhKDl045UFCPMVOXLb4kHonBmN2wBT/GIh4qqZj/7mm6r4P194HzN8LQuZsloJs +A6tnEpEmSe33xBDfGAeS0eNxFiATGwAcCRyRABEBAAGJAh8EGAEIAAkFAlhiI8wC +GwwACgkQkB+Rd6uXrL559w/9GfoTxZS+VJQsQc1inW9YKZaWl99Hd4u8CGhE057S +zvzMnIH6fcgib3m+TelevplSEN1QN1GGTvn95n8JQ8RX36xy8SQVzrPIlO4gXGAF +J1uHmSp3SSplrwKIBQk3MORrfbTg78CN9527GCQHih8+qgB3IYe23NhsKLre3mbZ +h9NAWOeMsBF0jG0c0Cu3/F8muY2XSTqENB8R263YJsQSC3qaiaq9TtstisOe/HWK +yQix2Hofg3H96dZXsqbQEvxgyema+A6ptCm7S66eSYoPPeXQaraTsz6nLlVtvhSD +kll2axjAK4NDbSjJuZI/54CkO+FB00bkXDxPFgnfDPWgvPMF1cBuuX0QN1BO8n4C +eA9zyBBdTw9bbzO1kRdeBHLa7n845ecVbEh15Hvtf20/CJB9ua+qRlcXtgxhUf3+ +pm/xbAM22z/F3+RsLwGOG8T0Vy2q//VVqLxSFlawiZW9RkClKyV6A1KH0EA6W84d +GcxiDgwrBHd+d40s3VDE/Wlmj0w73xeebEaXCmaTO/Hp5DIA64LfXHB2ckvwv15I +ISQV2g55+ghnwaD/02uGCGpJl0zJgQ+PKvrFAz+wIUqrQJxXP4epqWycmzG98T7g +pi20lwzO87S6b1GIL9t6Q/Zge8bbB7lG5mBR2U5XyGhfHXGaHTb6nQQYh3hCet8G +5Ow= +=Me4L +-----END PGP PUBLIC KEY BLOCK----- diff --git a/fluentd/tasks/main.yml b/fluentd/tasks/main.yml index cad4f17e..30a4f0bf 100644 --- a/fluentd/tasks/main.yml +++ b/fluentd/tasks/main.yml @@ -2,7 +2,8 @@ - name: Fluentd GPG key is installed apt_key: - url: https://packages.treasuredata.com/GPG-KEY-td-agent + # url: https://packages.treasuredata.com/GPG-KEY-td-agent + data: "{{ lookup('file', 'fluentd.gpg') }}" tags: - packages - fluentd diff --git a/lxc-php/README.md b/lxc-php/README.md new file mode 100644 index 00000000..bb7475d9 --- /dev/null +++ b/lxc-php/README.md 
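Review bot: The key now shipped as `files/fluentd.gpg` has no provenance recorded in the task; a commented-out URL is all a reader gets, and the value of pinning a key locally is lost if nobody can verify it against upstream. Replace the `# url:` line with a comment giving where and when the key was fetched and its fingerprint, e.g. `# Local copy of https://packages.treasuredata.com/GPG-KEY-td-agent, fetched <DATE_PLACEHOLDER>; fingerprint <FINGERPRINT_PLACEHOLDER>`, so reviewers can compare it with the published value.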
@@ -0,0 +1,23 @@ +# lxc-php + +Create LXC containers and install all the required PHP packages as a way to use multiple PHP version on Debian. + +*note : this role depend on the lxc role.* + +## Tasks + +Everything is in the `tasks/main.yml` file. + +## Available variables + +As this role depend on the lxc role, please refer to it for a variable exhaustive list. + +Here is the list of available variables for the PHP part: + +* `php_conf_short_open_tag` Default: `"Off"` +* `php_conf_expose_php` Default: `"Off"` +* `php_conf_display_errors` Default: `"Off"` +* `php_conf_log_errors` Default: `"On"` +* `php_conf_html_errors` Default: `"Off"` +* `php_conf_allow_url_fopen` Default: `"Off"` +* `php_conf_disable_functions` Default: `"exec,shell-exec,system,passthru,putenv,popen"` diff --git a/lxc-php/tasks/php.yml b/lxc-php/tasks/php.yml index 49cb8116..25b72ccd 100644 --- a/lxc-php/tasks/php.yml +++ b/lxc-php/tasks/php.yml @@ -46,27 +46,6 @@ command: "lxc-attach -n {{name}} -- apt-get install -y php7.3 php7.3-fpm php7.3-cli php7.3-curl php7.3-mysql php7.3-pgsql php7.3-ldap php7.3-imap php7.3-gd php-ssh2 php-gettext composer libphp-phpmailer ssmtp git zip unzip php7.3-zip" when: name == 'php73' -- name: Remove default FPM 5.6 pool - file: - name: "/var/lib/lxc/{{name}}/rootfs/etc/php5/fpm/pool.d/www.conf" - state: absent - notify: "Reload {{name}}-fpm" - when: name == 'php56' - -- name: Remove default FPM 7.0 pool - file: - name: "/var/lib/lxc/{{name}}/rootfs/etc/php/7.0/fpm/pool.d/www.conf" - state: absent - notify: "Reload {{name}}-fpm" - when: name == 'php70' - -- name: Remove default FPM 7.3 pool - file: - name: "/var/lib/lxc/{{name}}/rootfs/etc/php/7.3/fpm/pool.d/www.conf" - state: absent - notify: "Reload {{name}}-fpm" - when: name == 'php73' - - name: Copy evolinux PHP 5.6 configuration template: src: z-evolinux-defaults.ini.j2 diff --git a/lxc-solr/README.md b/lxc-solr/README.md new file mode 100644 index 00000000..6fb31c40 --- /dev/null +++ b/lxc-solr/README.md 
@@ -0,0 +1,27 @@
+# lxc-solr
+
+Create one or more LXC containers with Solr in the version of your choice.
+
+*note : this role depend on the lxc role.*
+
+## Tasks
+
+Everything is in the `tasks/main.yml` file.
+
+## Available variables
+
+Since this role depend on the lxc role, please refer to it for a full variable list related to the lxc containers setup.
+
+* `lxc_containers`: list of LXC containers to create. Default: `[]` (empty).
+ * `name`: name of the LXC container to create.
+ * `release`: Debian version to install
+ * `solr_version`: Solr version to install *(refer to https://archive.apache.org/dist/lucene/solr/ for a full version list)*
+ * `solr_port`: port for Solr to listen on
+ Eg.:
+ ```
+ lxc_containers:
+ - name: solr8
+ release: stretch
+ solr_version: 6.6.6
+ solr_port: 8983
+ ```
diff --git a/lxc-solr/defaults/main.yml b/lxc-solr/defaults/main.yml
new file mode 100644
index 00000000..c6bbeda0
--- /dev/null
+++ b/lxc-solr/defaults/main.yml
@@ -0,0 +1,18 @@
+---
+# List of LXC containers to create alongside with the version of Solr to install for each of them
+# Eg.:
+# lxc_containers:
+# - name: solr6
+# release: stretch
+# solr_version: 6.6.6
+# solr_port: 8983
+# - name: solr7
+# release: stretch
+# solr_version: 7.7.2
+# solr_port: 8984
+# - name: solr8
+# release: stretch
+# solr_version: 8.1.1
+# solr_port: 8985
+lxc_containers: []
+
diff --git a/lxc-solr/tasks/main.yml b/lxc-solr/tasks/main.yml
new file mode 100644
index 00000000..86ef2500
--- /dev/null
+++ b/lxc-solr/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+- name: LXC configuration
+ include_role:
+ name: lxc
+
+- name: Ensure containers root directory is 755
+ file:
+ path: "/var/lib/lxc/{{ item.name }}/rootfs"
+ state: directory
+ mode: '0755'
+ with_items:
+ - "{{ lxc_containers }}"
+
+- include: "solr.yml name={{item.name}} solr_version={{item.solr_version}} solr_port={{item.solr_port}}"
+ with_items:
+ - "{{ lxc_containers }}"
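Review bot: The `- include: "solr.yml name={{item.name}} …"` task passes its parameters as an inline `key=value` string, which is the form this same commit replaces with a `vars:` block in lxc/tasks/main.yml; using `vars:` here too keeps the two roles consistent and avoids having the values re-parsed out of a string. Both loops also wrap the list in another list (`with_items:` followed by `- "{{ lxc_containers }}"`), where the plain `with_items: "{{ lxc_containers }}"` form used in lxc/tasks/main.yml is what is meant.
```yaml
- include: solr.yml
  vars:
    name: "{{ item.name }}"
    solr_version: "{{ item.solr_version }}"
    solr_port: "{{ item.solr_port }}"
  with_items: "{{ lxc_containers }}"
```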
diff --git a/lxc-solr/tasks/solr.yml b/lxc-solr/tasks/solr.yml
new file mode 100644
index 00000000..4cf521ae
--- /dev/null
+++ b/lxc-solr/tasks/solr.yml
@@ -0,0 +1,42 @@
+---
+- name: Install openjdk-8-jre-headless and lsof packages
+ command: "lxc-attach -n {{name}} -- apt-get install -y openjdk-8-jre-headless lsof"
+
+- name: "Download Solr {{ solr_version }}"
+ get_url:
+ url: "https://archive.apache.org/dist/lucene/solr/{{ solr_version }}/solr-{{ solr_version }}.tgz"
+ dest: "/var/lib/lxc/{{ name }}/rootfs/root/solr-{{ solr_version }}.tgz"
+ mode: '0644'
+
+- name: "Extract solr-{{ solr_version }}.tgz"
+ unarchive:
+ src: /var/lib/lxc/{{ name }}/rootfs/root/solr-{{ solr_version }}.tgz
+ dest: /var/lib/lxc/{{ name }}/rootfs/root/
+ remote_src: yes
+
+- name: "Install Solr {{ solr_version }}"
+ command: "lxc-attach -n {{name}} -- /root/solr-{{ solr_version }}/bin/install_solr_service.sh /root/solr-{{ solr_version }}.tgz"
+
+- name: "Stop Solr"
+ command: "lxc-attach -n {{name}} -- /etc/init.d/solr stop"
+ ignore_errors: True
+
+- name: "Make sure /home/solr exists"
+ file:
+ path: /home/solr
+ state: directory
+ mode: '0755'
+
+- name: "Move Solr data directory to /home/solr/{{name}}"
+ command: "lxc-attach -n {{name}} -- mv /var/solr /home/solr/{{name}}"
+
+- name: "Create a symbolic link to /home/solr/{{name}}"
+ command: "lxc-attach -n {{name}} -- ln -s /home/solr/{{name}} /var/solr"
+
+- name: "Set Solr port to {{ solr_port }}"
+ lineinfile:
+ dest: /var/lib/lxc/{{ name }}/rootfs/etc/default/solr.in.sh
+ line: "SOLR_PORT={{ solr_port }}"
+
+- name: "Start Solr"
+ command: "lxc-attach -n {{name}} -- /etc/init.d/solr start"
diff --git a/lxc-solr/templates/rc.local.j2 b/lxc-solr/templates/rc.local.j2
new file mode 100644
index 00000000..5a74a8b5
--- /dev/null
+++ b/lxc-solr/templates/rc.local.j2
@@ -0,0 +1,3 @@
+#!/bin/bash
+/opt/solr-{{ solr_version }}/bin/solr start -p {{ solr_port }} -force
+exit 0
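Review bot: The tarball fetched by `get_url` in the Download task is never integrity-checked before the `install_solr_service.sh` it contains is run as root inside the container, so a tampered or truncated archive would be installed unverified; get_url's `checksum:` option pins it, e.g. `checksum: "sha512:<SOLR_TGZ_SHA512>"` taken from a per-version variable alongside `solr_version`. The `command` steps are also not re-runnable: `mv /var/solr /home/solr/{{name}}` and the following `ln -s` fail or duplicate on a second run, and a `creates:` argument such as `creates: "/var/lib/lxc/{{ name }}/rootfs/home/solr/{{ name }}"` on each would make the play idempotent. The "Make sure /home/solr exists" task creates the directory on the host (no `lxc-attach`, no rootfs prefix in `path:`) while the `mv` that needs it runs inside the container, so unless the lxc role shares /home into the container this path looks like it should be `/var/lib/lxc/{{ name }}/rootfs/home/solr` — worth confirming.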
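Review bot: The template starts Solr with `-force`, which bypasses Solr's refusal to run as root, so the service would run with root privileges inside the container; `install_solr_service.sh`, which solr.yml already runs, by default creates a dedicated `solr` user and the init script that the "Start Solr" task uses, so this line should drop `-force` and run as that user (e.g. `su solr -c "/opt/solr-{{ solr_version }}/bin/solr start -p {{ solr_port }}"`) or the template should be removed. No task in this commit references `rc.local.j2`, so it may be left over from an earlier approach — a comment at the top stating where it is deployed would settle that.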
diff --git a/lxc/tasks/main.yml b/lxc/tasks/main.yml
index c606a02c..11d267c5 100644
--- a/lxc/tasks/main.yml
+++ b/lxc/tasks/main.yml
@@ -3,9 +3,9 @@
apt:
name: '{{ item }}'
with_items:
- - lxc
- - debootstrap
- - xz-utils
+ - lxc
+ - debootstrap
+ - xz-utils
- name: Copy LXC default containers configuration
template:
@@ -21,8 +21,13 @@
- name: Add subuid and subgid ranges to root
command: usermod -v 100000-199999 -w 100000-109999 root
- when: lxc_unprivilegied_containers and root_subuids.rc
+ when:
+ - lxc_unprivilegied_containers
+ - root_subuids.rc
- name: Create containers
- include: "create-container.yml name={{item.name}} release={{item.release}}"
+ include: create-container.yml
+ vars:
+ name: "{{ item.name }}"
+ release: "{{item.release}}"
with_items: "{{lxc_containers}}"
diff --git a/minifirewall/defaults/main.yml b/minifirewall/defaults/main.yml
index 3f173962..e0ebd800 100644
--- a/minifirewall/defaults/main.yml
+++ b/minifirewall/defaults/main.yml
@@ -29,7 +29,18 @@ minifirewall_private_ports_udp: []
# Keep a null value to leave the setting as is
# otherwise use an Array, eg. "minifirewall_ssh_ok: ['0.0.0.0/0']"
minifirewall_dns_servers: Null
-minifirewall_http_sites: Null
+
+minifirewall_http_sites:
+ - pub.evolix.net
+ - mirror.evolix.org
+ - hwraid.le-vert.net
+ - antispam00.evolix.org
+ - spamassassin.apache.org
+ - sa-update.space-pro.be
+ - sa-update.secnap.net
+ - www.sa-update.pccc.com
+ - sa-update.dnswl.org
+
minifirewall_https_sites: Null
minifirewall_ftp_sites: Null
minifirewall_ssh_ok: Null
@@ -37,6 +48,16 @@ minifirewall_smtp_ok: Null
minifirewall_smtp_secure_ok: Null
minifirewall_ntp_ok: Null
+minifirewall_default_debian_http_sites:
+ - security.debian.org
+ - security-cdn.debian.org
+ - volatile.debian.org
+ - backports.debian.org
+
+minifirewall_default_ubuntu_http_sites:
+ - archive.ubuntu.com
+ - security.ubuntu.com
+
minifirewall_autostart: False
minifirewall_restart_if_needed: True
minifirewall_restart_force: False
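Review bot: The new `vars:` block mixes Jinja spacing styles within three lines: `name: "{{ item.name }}"` against `release: "{{item.release}}"` and the context `with_items: "{{lxc_containers}}"`; `release: "{{ item.release }}"` matches the first line and the rest of this commit. Moving the include parameters from the `key=value` string into `vars:` is the right direction. `include:` has been deprecated in favour of `include_tasks:` for a while, so if the project's minimum Ansible version allows it, this is the moment to switch.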
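Review bot: The context comment just above, `# Keep a null value to leave the setting as is`, no longer holds for `minifirewall_http_sites`, which now defaults to a list while tasks/config.yml in this commit drops the `is not none` guard on it; a user following that comment and setting `minifirewall_http_sites: Null` would get a templating error from `join` instead of the setting being left alone. Either keep null as a supported value (handled in the task) or reword the comment for this variable, e.g. `# minifirewall_http_sites is always written; set it to [] to allow only the distribution defaults`.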
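Review bot: `minifirewall_default_debian_http_sites` and `minifirewall_default_ubuntu_http_sites` carry no comment although every other block in this file explains its use, and their role is not obvious from the defaults alone: tasks/config.yml prepends the list matching `ansible_distribution` to HTTPSITES on every run and only one of the two is ever used. A comment above them such as `# Distribution repositories always allowed over HTTP; the list matching ansible_distribution is prepended to minifirewall_http_sites` would make that clear. These are hostnames, which the shipped minifirewall.conf says are resolved when the firewall reloads, so a default entry that no longer resolves affects every host; `volatile.debian.org` appears to have been retired upstream and is worth confirming before it becomes a default.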
diff --git a/minifirewall/files/minifirewall.conf b/minifirewall/files/minifirewall.conf
index 85246940..3de4f7f9 100644
--- a/minifirewall/files/minifirewall.conf
+++ b/minifirewall/files/minifirewall.conf
@@ -50,7 +50,7 @@ DNSSERVEURS='0.0.0.0/0'
# HTTP authorizations
# (you can use DNS names but set cron to reload minifirewall regularly)
# (if you have HTTP proxy, set 0.0.0.0/0)
-HTTPSITES='security.debian.org security-cdn.debian.org pub.evolix.net volatile.debian.org mirror.evolix.org backports.debian.org hwraid.le-vert.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org'
+HTTPSITES=''
# HTTPS authorizations
HTTPSSITES='0.0.0.0/0'
diff --git a/minifirewall/tasks/config.yml b/minifirewall/tasks/config.yml
index 13cb6145..e19d53a0 100644
--- a/minifirewall/tasks/config.yml
+++ b/minifirewall/tasks/config.yml
@@ -120,7 +120,22 @@
line: "HTTPSITES='{{ minifirewall_http_sites | join(' ') }}'"
regexp: "HTTPSITES='.*'"
create: no
- when: minifirewall_http_sites is not none
+
+- name: Configure HTTPSITES for debian
+ lineinfile:
+ dest: "{{ minifirewall_main_file }}"
+ line: "HTTPSITES='{{ minifirewall_default_debian_http_sites | join(' ') }} {{ minifirewall_http_sites | join(' ') }}'"
+ regexp: "HTTPSITES='.*'"
+ create: no
+ when: ansible_distribution == "Debian"
+
+- name: Configure HTTPSITES for ubuntu
+ lineinfile:
+ dest: "{{ minifirewall_main_file }}"
+ line: "HTTPSITES='{{ minifirewall_default_ubuntu_http_sites | join(' ') }} {{ minifirewall_http_sites | join(' ') }}'"
+ regexp: "HTTPSITES='.*'"
+ create: no
+ when: ansible_distribution == "Ubuntu"
- name: Configure HTTPSSITES
lineinfile:
diff --git a/mysql/tasks/utils.yml b/mysql/tasks/utils.yml
index 74ebceef..ff8ad1bc 100644
--- a/mysql/tasks/utils.yml
+++ b/mysql/tasks/utils.yml
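Review bot: `HTTPSITES=''` in the shipped file now relies entirely on tasks/config.yml to fill it, and that file only writes the value when `ansible_distribution` is Debian or Ubuntu, so on any other system the firewall loads with no HTTP authorizations at all, which the file's own comments present as a deliberate choice rather than a placeholder. A comment on this line, e.g. `# filled by Ansible from minifirewall_default_*_http_sites and minifirewall_http_sites`, would stop the next reader from taking the empty value as intended. Whether an empty list means "deny all HTTP" or "no restriction" in minifirewall is not visible here — worth stating in that comment too.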
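Review bot: The original HTTPSITES task, whose `name:` and `lineinfile:` lines start above this hunk, now runs unconditionally and is immediately overwritten by the Debian or Ubuntu task below it, so on those systems every run rewrites the line twice, reports two changes and triggers the restart handler each time; giving it `when: ansible_distribution not in ['Debian', 'Ubuntu']` (or dropping it) restores idempotence. The `minifirewall_http_sites | join(' ')` expression in all three tasks raises a Jinja error when the variable is `Null`, which the comment in defaults/main.yml still presents as the way to leave the setting untouched; `minifirewall_http_sites | default([], true) | join(' ')` tolerates it, or the `is not none` guard should return.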
@@ -75,6 +75,18 @@
tags:
- mysql
+# Percona Toolkit
+
+- name: "Install percona-toolkit (Debian 9 or later)"
+ apt:
+ name: percona-toolkit
+ state: present
+ tags:
+ - packages
+ - percona-toolkit
+ - mysql
+ when: ansible_distribution_major_version | version_compare('9', '>=')
+
# automatic optimizations
- include_role:
diff --git a/rbenv/defaults/main.yml b/rbenv/defaults/main.yml
index 2c0ecd28..533834cd 100644
--- a/rbenv/defaults/main.yml
+++ b/rbenv/defaults/main.yml
@@ -1,6 +1,6 @@
---
rbenv_version: v1.1.2
-rbenv_ruby_version: 2.5.5
+rbenv_ruby_version: 2.6.3
rbenv_root: "~/.rbenv"
rbenv_repo: "https://github.com/rbenv/rbenv.git"
rbenv_plugins:
diff --git a/webapps/evoadmin-web/handlers/main.yml b/webapps/evoadmin-web/handlers/main.yml
index edb3404e..669b0553 100644
--- a/webapps/evoadmin-web/handlers/main.yml
+++ b/webapps/evoadmin-web/handlers/main.yml
@@ -5,5 +5,10 @@
name: apache2
state: reloaded
+- name: restart apache2
+ service:
+ name: apache2
+ state: restarted
+
- name: newaliases
command: newaliases
diff --git a/webapps/evoadmin-web/tasks/web.yml b/webapps/evoadmin-web/tasks/web.yml
index 23b35204..d9be3b6e 100644
--- a/webapps/evoadmin-web/tasks/web.yml
+++ b/webapps/evoadmin-web/tasks/web.yml
@@ -46,3 +46,10 @@
owner: evoadmin
group: evoadmin
force: no
+
+- name: Enable proxy_fcgi
+ apache2_module:
+ state: present
+ name: proxy_fcgi
+ notify: restart apache2
+ when: evoadmin_multi_php == True
diff --git a/webapps/evoadmin-web/templates/web-add.conf.j2 b/webapps/evoadmin-web/templates/web-add.conf.j2
index b3362fbe..4bc41ad8 100644
--- a/webapps/evoadmin-web/templates/web-add.conf.j2
+++ b/webapps/evoadmin-web/templates/web-add.conf.j2
@@ -1,5 +1,5 @@
CONTACT_MAIL="{{ evoadmin_contact_email or general_alert_email | mandatory }}"
WWWBOUNCE_MAIL="{{ evoadmin_bounce_email or general_alert_email | mandatory }}"
-{% if evoadmin_multi_php == "True" %}
+{% if evoadmin_multi_php == True %}
PHP_VERSIONS=(56 70 73)
{% endif %}
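Review bot: The `when:` guard only compares `ansible_distribution_major_version` with 9, so with the Ubuntu 18.04 support this release adds the task also runs on Ubuntu (major version 18) even though its name says "Debian 9 or later"; if that is intended the name should say so, otherwise add `- ansible_distribution == "Debian"` to the condition. `version_compare` is the pre-2.5 spelling of the `version` test, fine to keep if the project's Ansible floor requires it.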
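Review bot: `when: evoadmin_multi_php == True` compares against the Python boolean, so a value that arrives from inventory or `--extra-vars` as the string "True" or "true" silently skips enabling the module, which is the same type mismatch the web-add.conf.j2 hunk below corrects; `when: evoadmin_multi_php | bool` accepts both forms, and `{% if evoadmin_multi_php | bool %}` does the same in the template. Notifying the new `restart apache2` handler rather than the existing reload is reasonable for a module change, since a reload does not load newly enabled modules.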