Ubuntu 18.04 support #70
28
CHANGELOG.md
28
CHANGELOG.md
|
@ -10,19 +10,39 @@ The **patch** part changes incrementally at each release.
|
||||||
|
|
||||||
## [Unreleased]
|
## [Unreleased]
|
||||||
|
|
||||||
|
* Ubuntu 18.04 support
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
* elasticsearch: listen on local interface only by default
|
||||||
|
|
||||||
|
### Fixed
|
||||||
|
* lxc-php: Don't remove the default pool
|
||||||
|
|
||||||
|
### Security
|
||||||
|
|
||||||
|
## [9.10.1] - 2019-06-21
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
* evocheck : update (version 19.06) from upstream
|
||||||
|
|
||||||
|
## [9.10.0] - 2019-06-21
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
* apache: add server status suffix in VHost (and default site) if missing
|
* apache: add server status suffix in VHost (and default site) if missing
|
||||||
|
* apache: add a variable to customize the server-status host
|
||||||
* apt: add a script to manage packages with "hold" mark
|
* apt: add a script to manage packages with "hold" mark
|
||||||
* etc-git: gitignore /etc/letsencrypt/.certbot.lock
|
* etc-git: gitignore /etc/letsencrypt/.certbot.lock
|
||||||
* evolinux-base: install "spectre-meltdown-checker" (Debian 10 and later)
|
|
||||||
* evomaintenance: make hooks configurable
|
* evomaintenance: make hooks configurable
|
||||||
* nginx: add server status suffix in VHost (and default site) if missing
|
* nginx: add server status suffix in VHost (and default site) if missing
|
||||||
* redmine: enable gzip compression in nginx vhost
|
* redmine: enable gzip compression in nginx vhost
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
* evocheck : version 19.04 from upstream
|
* evocheck : update (unreleased) from upstream
|
||||||
* evomaintenance : use the web API instead of PG Insert
|
* evomaintenance : use the web API instead of PG Insert
|
||||||
* rbenv: update defaults rbenv version to 1.1.2 and ruby version to 2.5.5
|
* fluentd: store gpg key locally
|
||||||
|
* rbenv: update defaults rbenv version to 1.1.2 and ruby version to 2.6.3
|
||||||
* redmine: update default version to 4.0.3
|
* redmine: update default version to 4.0.3
|
||||||
* nagios-nrpe: change required status code for http and https check
|
* nagios-nrpe: change required status code for http and https check
|
||||||
* redmine: use custom errors-pages in Nginx vhost
|
* redmine: use custom errors-pages in Nginx vhost
|
||||||
|
@ -39,8 +59,6 @@ The **patch** part changes incrementally at each release.
|
||||||
* evolinux-users: Validate sshd config with "-t" instead of "-T"
|
* evolinux-users: Validate sshd config with "-t" instead of "-T"
|
||||||
* nagios-nrpe: Replace the dummy packages nagios-plugins-* with monitoring-plugins-*
|
* nagios-nrpe: Replace the dummy packages nagios-plugins-* with monitoring-plugins-*
|
||||||
|
|
||||||
### Security
|
|
||||||
|
|
||||||
## [9.9.0] - 2019-04-16
|
## [9.9.0] - 2019-04-16
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
|
@ -19,3 +19,5 @@ apache_munin_include: True
|
||||||
|
|
||||||
general_alert_email: "root@localhost"
|
general_alert_email: "root@localhost"
|
||||||
log2mail_alert_email: Null
|
log2mail_alert_email: Null
|
||||||
|
|
||||||
|
apache_serverstatus_host: 127.0.0.1
|
||||||
|
|
|
@ -62,7 +62,8 @@
|
||||||
- name: apache-status URL is configured for Munin
|
- name: apache-status URL is configured for Munin
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: /etc/munin/plugin-conf.d/munin-node
|
dest: /etc/munin/plugin-conf.d/munin-node
|
||||||
line: "env.url http://127.0.0.1/server-status-{{ apache_serverstatus_suffix }}?auto"
|
line: "env.url http://{{ apache_serverstatus_host }}/server-status-{{ apache_serverstatus_suffix }}?auto"
|
||||||
regexp: "env.url http://127.0.0.1/server-status"
|
regexp: 'env.url http://[^\\/]+/server-status'
|
||||||
insertafter: "[apache_*]"
|
insertafter: "[apache_*]"
|
||||||
create: no
|
create: no
|
||||||
|
notify: restart munin-node
|
||||||
|
|
|
@ -34,6 +34,8 @@
|
||||||
create: yes
|
create: yes
|
||||||
state: present
|
state: present
|
||||||
when: ansible_lsb.codename == "jessie"
|
when: ansible_lsb.codename == "jessie"
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
- name: Apt update
|
- name: Apt update
|
||||||
apt:
|
apt:
|
||||||
|
|
|
@ -19,6 +19,8 @@
|
||||||
- /etc/apt/sources.list.d/debian-stretch.list
|
- /etc/apt/sources.list.d/debian-stretch.list
|
||||||
- /etc/apt/sources.list.d/debian-update.list
|
- /etc/apt/sources.list.d/debian-update.list
|
||||||
when: apt_clean_gandi_sourceslist
|
when: apt_clean_gandi_sourceslist
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
- name: Apt update
|
- name: Apt update
|
||||||
apt:
|
apt:
|
||||||
|
|
|
@ -12,6 +12,8 @@
|
||||||
- { line: "APT::Install-Recommends \"false\";", regexp: 'APT::Install-Recommends' }
|
- { line: "APT::Install-Recommends \"false\";", regexp: 'APT::Install-Recommends' }
|
||||||
- { line: "APT::Install-Suggests \"false\";", regexp: 'APT::Install-Suggests' }
|
- { line: "APT::Install-Suggests \"false\";", regexp: 'APT::Install-Suggests' }
|
||||||
when: apt_evolinux_config
|
when: apt_evolinux_config
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
- name: DPkg invoke hooks
|
- name: DPkg invoke hooks
|
||||||
lineinfile:
|
lineinfile:
|
||||||
|
@ -26,19 +28,27 @@
|
||||||
- "DPkg::Post-Invoke { \"df /tmp | grep -q /tmp && mount -oremount /tmp || true\"; };"
|
- "DPkg::Post-Invoke { \"df /tmp | grep -q /tmp && mount -oremount /tmp || true\"; };"
|
||||||
- "DPkg::Post-Invoke { \"df /usr | grep -q /usr && mount -oremount /usr || true\"; };"
|
- "DPkg::Post-Invoke { \"df /usr | grep -q /usr && mount -oremount /usr || true\"; };"
|
||||||
when: apt_hooks
|
when: apt_hooks
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
- name: Remove Aptitude
|
- name: Remove Aptitude
|
||||||
apt:
|
apt:
|
||||||
name: aptitude
|
name: aptitude
|
||||||
state: absent
|
state: absent
|
||||||
when: apt_remove_aptitude
|
when: apt_remove_aptitude
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
- name: Updating APT cache
|
- name: Updating APT cache
|
||||||
apt:
|
apt:
|
||||||
update_cache: yes
|
update_cache: yes
|
||||||
changed_when: False
|
changed_when: False
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
- name: Upgrading system
|
- name: Upgrading system
|
||||||
apt:
|
apt:
|
||||||
upgrade: dist
|
upgrade: dist
|
||||||
when: apt_upgrade
|
when: apt_upgrade
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
|
@ -12,8 +12,10 @@
|
||||||
apt_key:
|
apt_key:
|
||||||
#url: http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x44975278B8612B5D
|
#url: http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x44975278B8612B5D
|
||||||
data: "{{ lookup('file', 'reg.gpg') }}"
|
data: "{{ lookup('file', 'reg.gpg') }}"
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
- name: Evolix public list is installed
|
- name: Evolix public list is installed (only for Debian)
|
||||||
template:
|
template:
|
||||||
src: evolix_public.list.j2
|
src: evolix_public.list.j2
|
||||||
dest: /etc/apt/sources.list.d/evolix_public.list
|
dest: /etc/apt/sources.list.d/evolix_public.list
|
||||||
|
@ -22,6 +24,7 @@
|
||||||
register: apt_evolix_public
|
register: apt_evolix_public
|
||||||
tags:
|
tags:
|
||||||
- apt
|
- apt
|
||||||
|
when: ansible_distribution == "Debian"
|
||||||
|
|
||||||
- name: Apt update
|
- name: Apt update
|
||||||
apt:
|
apt:
|
||||||
|
|
|
@ -5,6 +5,8 @@
|
||||||
register: apt_mark
|
register: apt_mark
|
||||||
changed_when: "'{{ item }} set on hold.' in apt_mark.stdout"
|
changed_when: "'{{ item }} set on hold.' in apt_mark.stdout"
|
||||||
with_items: "{{ apt_hold_packages }}"
|
with_items: "{{ apt_hold_packages }}"
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
- name: "hold packages (config)"
|
- name: "hold packages (config)"
|
||||||
lineinfile:
|
lineinfile:
|
||||||
|
@ -13,12 +15,16 @@
|
||||||
create: True
|
create: True
|
||||||
state: present
|
state: present
|
||||||
with_items: "{{ apt_hold_packages }}"
|
with_items: "{{ apt_hold_packages }}"
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
- name: "unhold packages (apt)"
|
- name: "unhold packages (apt)"
|
||||||
shell: "(apt-mark showhold | grep --quiet {{ item }}) && apt-mark unhold {{ item }}"
|
shell: "(apt-mark showhold | grep --quiet {{ item }}) && apt-mark unhold {{ item }}"
|
||||||
register: apt_mark
|
register: apt_mark
|
||||||
changed_when: "'Canceled hold on {{ item }}.' in apt_mark.stdout"
|
changed_when: "'Canceled hold on {{ item }}.' in apt_mark.stdout"
|
||||||
with_items: "{{ apt_unhold_packages }}"
|
with_items: "{{ apt_unhold_packages }}"
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
- name: "unhold packages (config)"
|
- name: "unhold packages (config)"
|
||||||
lineinfile:
|
lineinfile:
|
||||||
|
@ -27,6 +33,8 @@
|
||||||
create: True
|
create: True
|
||||||
state: absent
|
state: absent
|
||||||
with_items: "{{ apt_unhold_packages }}"
|
with_items: "{{ apt_unhold_packages }}"
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
- name: /usr/share/scripts exists
|
- name: /usr/share/scripts exists
|
||||||
file:
|
file:
|
||||||
|
@ -35,6 +43,8 @@
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
state: directory
|
state: directory
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
- name: Check scripts is installed
|
- name: Check scripts is installed
|
||||||
copy:
|
copy:
|
||||||
|
@ -42,6 +52,8 @@
|
||||||
dest: /usr/share/scripts/check_held_packages.sh
|
dest: /usr/share/scripts/check_held_packages.sh
|
||||||
force: yes
|
force: yes
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
- name: Check for held packages (script)
|
- name: Check for held packages (script)
|
||||||
cron:
|
cron:
|
||||||
|
@ -55,3 +67,5 @@
|
||||||
day: "{{ apt_check_hold_cron_day }}"
|
day: "{{ apt_check_hold_cron_day }}"
|
||||||
month: "{{ apt_check_hold_cron_month }}"
|
month: "{{ apt_check_hold_cron_month }}"
|
||||||
state: "present"
|
state: "present"
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
|
@ -2,9 +2,9 @@
|
||||||
|
|
||||||
- name: "Compatibility check"
|
- name: "Compatibility check"
|
||||||
fail:
|
fail:
|
||||||
msg: only compatible with Debian >= 8
|
msg: only compatible with Debian >= 8 AND Ubuntu >= 18.04
|
||||||
when:
|
when:
|
||||||
- ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<')
|
- (ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<')) and (ansible_distribution != "Ubuntu" or ansible_distribution_major_version | version_compare('18', '<'))
|
||||||
tags:
|
tags:
|
||||||
- apt
|
- apt
|
||||||
|
|
||||||
|
|
5
apt/templates/bionic_basics.list.j2
Normal file
5
apt/templates/bionic_basics.list.j2
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
|
deb http://archive.ubuntu.com/ubuntu/ bionic {{ apt_basics_components | mandatory }}
|
||||||
|
deb http://archive.ubuntu.com/ubuntu/ bionic-updates {{ apt_basics_components | mandatory }}
|
||||||
|
deb http://security.ubuntu.com/ubuntu bionic-security {{ apt_basics_components | mandatory }}
|
|
@ -27,7 +27,7 @@ Tasks are extracted in several files, included in `tasks/main.yml` :
|
||||||
* `elasticsearch_jvm_xmx`: maximum heap size reserved for the JVM (default: `2g`).
|
* `elasticsearch_jvm_xmx`: maximum heap size reserved for the JVM (default: `2g`).
|
||||||
* `elasticsearch_restart_on_upgrade`: restart the service after package upgrade (default: `true`)
|
* `elasticsearch_restart_on_upgrade`: restart the service after package upgrade (default: `true`)
|
||||||
|
|
||||||
By default, Elasticsearch will listen to the public interfaces (`_site_` cf. https://www.elastic.co/guide/en/elasticsearch/reference/5.0/important-settings.html#network.host), so you will have to secure it, with firewall rules for example.
|
By default, Elasticsearch will listen to the local interface (`_local_` cf. https://www.elastic.co/guide/en/elasticsearch/reference/5.0/important-settings.html#network.host).
|
||||||
|
|
||||||
## Curator
|
## Curator
|
||||||
|
|
||||||
|
|
|
@ -5,7 +5,7 @@ elasticsearch_cluster_name: Null
|
||||||
elasticsearch_cluster_members: Null
|
elasticsearch_cluster_members: Null
|
||||||
elasticsearch_minimum_master_nodes: Null
|
elasticsearch_minimum_master_nodes: Null
|
||||||
elasticsearch_node_name: "${HOSTNAME}"
|
elasticsearch_node_name: "${HOSTNAME}"
|
||||||
elasticsearch_network_host: "[_site_, _local_]"
|
elasticsearch_network_host: "[_local_]"
|
||||||
elasticsearch_network_publish_host: Null
|
elasticsearch_network_publish_host: Null
|
||||||
elasticsearch_http_publish_host: Null
|
elasticsearch_http_publish_host: Null
|
||||||
elasticsearch_custom_datadir: Null
|
elasticsearch_custom_datadir: Null
|
||||||
|
|
|
@ -315,7 +315,7 @@ check_nrpeperms() {
|
||||||
}
|
}
|
||||||
check_minifwperms() {
|
check_minifwperms() {
|
||||||
if [ -f "$MINIFW_FILE" ]; then
|
if [ -f "$MINIFW_FILE" ]; then
|
||||||
actual=$(stat --format "%a" $MINIFW_FILE)
|
actual=$(stat --format "%a" "$MINIFW_FILE")
|
||||||
expected="600"
|
expected="600"
|
||||||
test "$expected" = "$actual" || failed "IS_MINIFWPERMS"
|
test "$expected" = "$actual" || failed "IS_MINIFWPERMS"
|
||||||
fi
|
fi
|
||||||
|
@ -386,7 +386,7 @@ check_raidsoft() {
|
||||||
}
|
}
|
||||||
# Verification du LogFormat de AWStats
|
# Verification du LogFormat de AWStats
|
||||||
check_awstatslogformat() {
|
check_awstatslogformat() {
|
||||||
if is_installed apache2.2-common awstats; then
|
if is_installed apache2 awstats; then
|
||||||
grep -qE '^LogFormat=1' /etc/awstats/awstats.conf.local \
|
grep -qE '^LogFormat=1' /etc/awstats/awstats.conf.local \
|
||||||
|| failed "IS_AWSTATSLOGFORMAT"
|
|| failed "IS_AWSTATSLOGFORMAT"
|
||||||
fi
|
fi
|
||||||
|
@ -531,20 +531,30 @@ check_userlogrotate() {
|
||||||
}
|
}
|
||||||
# Verification de la syntaxe de la conf d'Apache
|
# Verification de la syntaxe de la conf d'Apache
|
||||||
check_apachectl() {
|
check_apachectl() {
|
||||||
if is_installed apache2.2-common; then
|
if is_installed apache2; then
|
||||||
/usr/sbin/apache2ctl configtest 2>&1 | grep -q "^Syntax OK$" || failed "IS_APACHECTL"
|
/usr/sbin/apache2ctl configtest 2>&1 | grep -q "^Syntax OK$" || failed "IS_APACHECTL"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
# Check if there is regular files in Apache sites-enabled.
|
# Check if there is regular files in Apache sites-enabled.
|
||||||
check_apachesymlink() {
|
check_apachesymlink() {
|
||||||
if is_installed apache2.2-common; then
|
if is_installed apache2; then
|
||||||
stat -c %F /etc/apache2/sites-enabled/* | grep -q regular && failed "IS_APACHESYMLINK"
|
apacheFind=$(find /etc/apache2/sites-enabled ! -type l -type f -print)
|
||||||
|
nbApacheFind=$(wc -m <<< "$apacheFind")
|
||||||
|
if [[ $nbApacheFind -gt 1 ]]; then
|
||||||
|
if [[ $VERBOSE == 1 ]]; then
|
||||||
|
while read -r line; do
|
||||||
|
failed "IS_APACHESYMLINK" "Not a symlink: $line"
|
||||||
|
done <<< "$apacheFind"
|
||||||
|
else
|
||||||
|
failed "IS_APACHESYMLINK"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
# Check if there is real IP addresses in Allow/Deny directives (no trailing space, inline comments or so).
|
# Check if there is real IP addresses in Allow/Deny directives (no trailing space, inline comments or so).
|
||||||
check_apacheipinallow() {
|
check_apacheipinallow() {
|
||||||
# Note: Replace "exit 1" by "print" in Perl code to debug it.
|
# Note: Replace "exit 1" by "print" in Perl code to debug it.
|
||||||
if is_installed apache2.2-common; then
|
if is_installed apache2; then
|
||||||
grep -IrE "^[^#] *(Allow|Deny) from" /etc/apache2/ \
|
grep -IrE "^[^#] *(Allow|Deny) from" /etc/apache2/ \
|
||||||
| grep -iv "from all" \
|
| grep -iv "from all" \
|
||||||
| grep -iv "env=" \
|
| grep -iv "env=" \
|
||||||
|
@ -559,7 +569,7 @@ check_muninapacheconf() {
|
||||||
else
|
else
|
||||||
muninconf="/etc/apache2/conf-available/munin.conf"
|
muninconf="/etc/apache2/conf-available/munin.conf"
|
||||||
fi
|
fi
|
||||||
if is_installed apache2.2-common; then
|
if is_installed apache2; then
|
||||||
test -e $muninconf && grep -vEq "^( |\t)*#" "$muninconf" && failed "IS_MUNINAPACHECONF"
|
test -e $muninconf && grep -vEq "^( |\t)*#" "$muninconf" && failed "IS_MUNINAPACHECONF"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
@ -881,12 +891,17 @@ check_mysqlmunin() {
|
||||||
}
|
}
|
||||||
check_mysqlnrpe() {
|
check_mysqlnrpe() {
|
||||||
if is_debian_stretch && is_installed mariadb-server; then
|
if is_debian_stretch && is_installed mariadb-server; then
|
||||||
nagios_file="~nagios/.my.cnf"
|
nagios_file=~nagios/.my.cnf
|
||||||
{ test -f $nagios_file \
|
|
||||||
&& [ "$(stat -c %U $nagios_file)" = "nagios" ] \
|
if ! test -f ${nagios_file}; then
|
||||||
&& [ "$(stat -c %a $nagios_file)" = "600" ] \
|
failed "IS_MYSQLNRPE" "${nagios_file} is missing"
|
||||||
&& grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost -f $nagios_file";
|
elif [ "$(stat -c %U ${nagios_file})" != "nagios" ] \
|
||||||
} || failed "IS_MYSQLNRPE"
|
|| [ "$(stat -c %a ${nagios_file})" != "600" ]; then
|
||||||
|
failed "IS_MYSQLNRPE" "${nagios_file} has wrong permissions"
|
||||||
|
else
|
||||||
|
grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql" /etc/nagios/nrpe.d/evolix.cfg \
|
||||||
|
|| failed "IS_MYSQLNRPE" "check_mysql is missing"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
check_phpevolinuxconf() {
|
check_phpevolinuxconf() {
|
||||||
|
@ -1078,9 +1093,7 @@ check_evomaintenanceconf() {
|
||||||
&& grep "^FULLFROM" $f | grep -qv "John Doe <jdoe@example.com>" \
|
&& grep "^FULLFROM" $f | grep -qv "John Doe <jdoe@example.com>" \
|
||||||
&& grep "^URGENCYFROM" $f | grep -qv "mama.doe@example.com" \
|
&& grep "^URGENCYFROM" $f | grep -qv "mama.doe@example.com" \
|
||||||
&& grep "^URGENCYTEL" $f | grep -qv "06.00.00.00.00" \
|
&& grep "^URGENCYTEL" $f | grep -qv "06.00.00.00.00" \
|
||||||
&& grep "^REALM" $f | grep -qv "example.com" \
|
&& grep "^REALM" $f | grep -qv "example.com"
|
||||||
&& grep "^API_ENDPOINT" $f | grep -qv "https://example.com/api/" \
|
|
||||||
&& grep "^API_KEY" $f | grep -qv "secretkey";
|
|
||||||
} || failed "IS_EVOMAINTENANCECONF" "evomaintenance is not correctly configured"
|
} || failed "IS_EVOMAINTENANCECONF" "evomaintenance is not correctly configured"
|
||||||
else
|
else
|
||||||
failed "IS_EVOMAINTENANCECONF" "Configuration file \`$f' is missing"
|
failed "IS_EVOMAINTENANCECONF" "Configuration file \`$f' is missing"
|
||||||
|
@ -1102,7 +1115,7 @@ check_evobackup_incs() {
|
||||||
if is_installed bkctld; then
|
if is_installed bkctld; then
|
||||||
bkctld_cron_file=${bkctld_cron_file:-/etc/cron.d/bkctld}
|
bkctld_cron_file=${bkctld_cron_file:-/etc/cron.d/bkctld}
|
||||||
if [ -f "${bkctld_cron_file}" ]; then
|
if [ -f "${bkctld_cron_file}" ]; then
|
||||||
root_crontab=$(grep -v "^#" ${bkctld_cron_file})
|
root_crontab=$(grep -v "^#" "${bkctld_cron_file}")
|
||||||
echo "${root_crontab}" | grep -q "bkctld inc" || failed "IS_EVOBACKUP_INCS" "\`bkctld inc' is missing in ${bkctld_cron_file}"
|
echo "${root_crontab}" | grep -q "bkctld inc" || failed "IS_EVOBACKUP_INCS" "\`bkctld inc' is missing in ${bkctld_cron_file}"
|
||||||
echo "${root_crontab}" | grep -q "check-incs.sh" || failed "IS_EVOBACKUP_INCS" "\`check-incs.sh' is missing in ${bkctld_cron_file}"
|
echo "${root_crontab}" | grep -q "check-incs.sh" || failed "IS_EVOBACKUP_INCS" "\`check-incs.sh' is missing in ${bkctld_cron_file}"
|
||||||
else
|
else
|
||||||
|
@ -1111,6 +1124,12 @@ check_evobackup_incs() {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
check_osprober() {
|
||||||
|
if is_installed os-prober qemu-kvm; then
|
||||||
|
failed "IS_OSPROBER" "Removal of os-prober package is recommended as it can cause serious issue on KVM server"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
main() {
|
main() {
|
||||||
# Default return code : 0 = no error
|
# Default return code : 0 = no error
|
||||||
RC=0
|
RC=0
|
||||||
|
@ -1158,7 +1177,7 @@ main() {
|
||||||
test "${IS_LISTCHANGESCONF:=1}" = 1 && check_listchangesconf
|
test "${IS_LISTCHANGESCONF:=1}" = 1 && check_listchangesconf
|
||||||
test "${IS_CUSTOMCRONTAB:=1}" = 1 && check_customcrontab
|
test "${IS_CUSTOMCRONTAB:=1}" = 1 && check_customcrontab
|
||||||
test "${IS_SSHALLOWUSERS:=1}" = 1 && check_sshallowusers
|
test "${IS_SSHALLOWUSERS:=1}" = 1 && check_sshallowusers
|
||||||
test "${IS_DISKPERF:=1}" = 1 && check_diskperf
|
test "${IS_DISKPERF:=0}" = 1 && check_diskperf
|
||||||
test "${IS_TMOUTPROFILE:=1}" = 1 && check_tmoutprofile
|
test "${IS_TMOUTPROFILE:=1}" = 1 && check_tmoutprofile
|
||||||
test "${IS_ALERT5BOOT:=1}" = 1 && check_alert5boot
|
test "${IS_ALERT5BOOT:=1}" = 1 && check_alert5boot
|
||||||
test "${IS_ALERT5MINIFW:=1}" = 1 && check_alert5minifw
|
test "${IS_ALERT5MINIFW:=1}" = 1 && check_alert5minifw
|
||||||
|
@ -1231,6 +1250,7 @@ main() {
|
||||||
test "${IS_MELTDOWN_SPECTRE:=1}" = 1 && check_meltdown_spectre
|
test "${IS_MELTDOWN_SPECTRE:=1}" = 1 && check_meltdown_spectre
|
||||||
test "${IS_OLD_HOME_DIR:=1}" = 1 && check_old_home_dir
|
test "${IS_OLD_HOME_DIR:=1}" = 1 && check_old_home_dir
|
||||||
test "${IS_EVOBACKUP_INCS:=1}" = 1 && check_evobackup_incs
|
test "${IS_EVOBACKUP_INCS:=1}" = 1 && check_evobackup_incs
|
||||||
|
test "${IS_OSPROBER:=1}" = 1 && check_osprober
|
||||||
fi
|
fi
|
||||||
|
|
||||||
#-----------------------------------------------------------
|
#-----------------------------------------------------------
|
||||||
|
@ -1343,7 +1363,7 @@ readonly PROGDIR=$(realpath -m "$(dirname "$0")")
|
||||||
# shellcheck disable=2124
|
# shellcheck disable=2124
|
||||||
readonly ARGS=$@
|
readonly ARGS=$@
|
||||||
|
|
||||||
readonly VERSION="19.04"
|
readonly VERSION="19.06"
|
||||||
|
|
||||||
# Disable LANG*
|
# Disable LANG*
|
||||||
export LANG=C
|
export LANG=C
|
||||||
|
@ -1396,4 +1416,5 @@ while :; do
|
||||||
shift
|
shift
|
||||||
done
|
done
|
||||||
|
|
||||||
|
# shellcheck disable=SC2086
|
||||||
main ${ARGS}
|
main ${ARGS}
|
||||||
|
|
|
@ -3,9 +3,9 @@
|
||||||
- name: "System compatibility checks"
|
- name: "System compatibility checks"
|
||||||
assert:
|
assert:
|
||||||
that:
|
that:
|
||||||
- ansible_distribution == "Debian"
|
- (ansible_distribution == "Debian") or (ansible_distribution == "Ubuntu")
|
||||||
- ansible_distribution_major_version | version_compare('8', '>=')
|
- (ansible_distribution_major_version | version_compare('8', '>=')) or (ansible_distribution_major_version | version_compare('18', '>='))
|
||||||
msg: only compatible with Debian >= 8
|
msg: only compatible with Debian >= 8 AND Ubuntu >= 18.04
|
||||||
|
|
||||||
- name: Apt configuration
|
- name: Apt configuration
|
||||||
include_role:
|
include_role:
|
||||||
|
|
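Review bot: The two `that:` entries of "System compatibility checks" are evaluated independently, so the version entry `(… version_compare('8', '>=')) or (… version_compare('18', '>='))` reduces to "major version >= 8" and an Ubuntu 16.04 or 14.04 host passes, although the message says Ubuntu >= 18.04. Pair each distribution with its own floor in a single entry, as the apt role's "Compatibility check" in this commit already does: `- (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('8', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))`. The same assert appears again in the later section that is followed by the `evolinux_users` warning, and it needs the same change. The SSH and sudo conditions further down appear to assume that an unsupported release never gets past this check.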
|
@ -80,11 +80,20 @@
|
||||||
- mlocate
|
- mlocate
|
||||||
when: evolinux_packages_purge_locate
|
when: evolinux_packages_purge_locate
|
||||||
|
|
||||||
- name: Install/Update serveur-base meta-package
|
- name: Install/Update serveur-base meta-package on debian
|
||||||
apt:
|
apt:
|
||||||
name: serveur-base
|
name: serveur-base
|
||||||
allow_unauthenticated: yes
|
allow_unauthenticated: yes
|
||||||
when: evolinux_packages_serveur_base
|
when: evolinux_packages_serveur_base and (ansible_distribution == "Debian")
|
||||||
|
|
||||||
|
- name: Install/Update serveur-base meta-package on ubuntu
|
||||||
|
apt:
|
||||||
|
deb: "{{ item }}"
|
||||||
|
with_items:
|
||||||
|
- 'http://pub.evolix.net/stretch/log2mail_0.3.0-2_amd64.deb'
|
||||||
|
- 'http://pub.evolix.net/stretch/evocheck_0.10-1_all.deb'
|
||||||
|
- 'http://pub.evolix.net/stretch/serveur-base_0.4.0_all.deb'
|
||||||
|
when: evolinux_packages_serveur_base and (ansible_distribution == "Ubuntu")
|
||||||
|
|
||||||
- name: Install/Update packages for Stretch and later
|
- name: Install/Update packages for Stretch and later
|
||||||
apt:
|
apt:
|
||||||
|
|
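Review bot: The new Ubuntu task installs three `.deb` files straight from `http://pub.evolix.net/...` through `apt: deb:`, which hands the download to dpkg without any repository signature check, so the integrity of what is installed as root rests entirely on an unauthenticated plain-HTTP transfer. Download each file first with `get_url` and a pinned `checksum:`, then install from the local path, or publish the packages in a signed APT repository usable on Ubuntu. `evomaintenance/tasks/install_package_ubuntu.yml`, added later in this commit, installs `evomaintenance_0.2.9-1_all.deb` the same way and needs the same treatment. The list variable and the hashes in the sketch below are placeholders, not existing role variables.

```yaml
- name: Download serveur-base packages on ubuntu
  get_url:
    url: "{{ item.url }}"
    dest: "/var/cache/apt/archives/{{ item.url | basename }}"
    # placeholder: pin the real SHA-256 of each released package
    checksum: "sha256:{{ item.sha256 }}"
  # constructed name: a list of {url, sha256} entries for the three packages
  with_items: "{{ evolinux_packages_ubuntu_debs }}"
  when: evolinux_packages_serveur_base and (ansible_distribution == "Ubuntu")

- name: Install/Update serveur-base meta-package on ubuntu
  apt:
    deb: "/var/cache/apt/archives/{{ item.url | basename }}"
  with_items: "{{ evolinux_packages_ubuntu_debs }}"
  when: evolinux_packages_serveur_base and (ansible_distribution == "Ubuntu")
```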
|
@ -13,7 +13,7 @@
|
||||||
# We want to allow any user from a list of IP addresses to login with password,
|
# We want to allow any user from a list of IP addresses to login with password,
|
||||||
# but users of the "evolix" group can't login with password from other IP addresses
|
# but users of the "evolix" group can't login with password from other IP addresses
|
||||||
|
|
||||||
- name: "Security directives for Evolinux (Debian 10 or later)"
|
- name: "Security directives for Evolinux (Debian 10 and Ubuntu 18.04 or later)"
|
||||||
blockinfile:
|
blockinfile:
|
||||||
dest: /etc/ssh/sshd_config
|
dest: /etc/ssh/sshd_config
|
||||||
marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS"
|
marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS"
|
||||||
|
@ -27,7 +27,7 @@
|
||||||
notify: reload sshd
|
notify: reload sshd
|
||||||
when:
|
when:
|
||||||
- evolinux_ssh_password_auth_addresses != []
|
- evolinux_ssh_password_auth_addresses != []
|
||||||
- ansible_distribution_major_version | version_compare('10', '>=')
|
- (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('10', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))
|
||||||
|
|
||||||
- name: Security directives for Evolinux (Jessie/Stretch)
|
- name: Security directives for Evolinux (Jessie/Stretch)
|
||||||
blockinfile:
|
blockinfile:
|
||||||
|
|
|
@ -125,7 +125,7 @@
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
when:
|
when:
|
||||||
- evolinux_system_alert5_init
|
- evolinux_system_alert5_init
|
||||||
- ansible_lsb.codename == "jessie" or ansible_lsb.codename == "stretch"
|
- ansible_lsb.codename == "jessie" or ansible_lsb.codename == "stretch" or ansible_distribution == "Ubuntu"
|
||||||
|
|
||||||
- name: Enable alert5 init script (jessie/stretch)
|
- name: Enable alert5 init script (jessie/stretch)
|
||||||
service:
|
service:
|
||||||
|
@ -134,7 +134,7 @@
|
||||||
when:
|
when:
|
||||||
- evolinux_system_alert5_init
|
- evolinux_system_alert5_init
|
||||||
- evolinux_system_alert5_enable
|
- evolinux_system_alert5_enable
|
||||||
- ansible_lsb.codename == "jessie" or ansible_lsb.codename == "stretch"
|
- ansible_lsb.codename == "jessie" or ansible_lsb.codename == "stretch" or ansible_distribution == "Ubuntu"
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -3,9 +3,9 @@
|
||||||
- name: "System compatibility checks"
|
- name: "System compatibility checks"
|
||||||
assert:
|
assert:
|
||||||
that:
|
that:
|
||||||
- ansible_distribution == "Debian"
|
- (ansible_distribution == "Debian") or (ansible_distribution == "Ubuntu")
|
||||||
- ansible_distribution_major_version | version_compare('8', '>=')
|
- (ansible_distribution_major_version | version_compare('8', '>=')) or (ansible_distribution_major_version | version_compare('18', '>='))
|
||||||
msg: only compatible with Debian >= 8
|
msg: only compatible with Debian >= 8 AND Ubuntu >= 18.04
|
||||||
|
|
||||||
- debug:
|
- debug:
|
||||||
msg: "Warning: empty 'evolinux_users' variable, tasks will be skipped!"
|
msg: "Warning: empty 'evolinux_users' variable, tasks will be skipped!"
|
||||||
|
|
|
@ -28,9 +28,9 @@
|
||||||
|
|
||||||
- set_fact:
|
- set_fact:
|
||||||
# If "AllowGroups is present" or "AllowUsers is absent and Debian 10+",
|
# If "AllowGroups is present" or "AllowUsers is absent and Debian 10+",
|
||||||
ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0 and (ansible_distribution_major_version | version_compare('10', '>='))) }}"
|
ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0 and ((ansible_distribution == 'Debian' and ansible_distribution_major_version | version_compare('10', '>=')) or (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version | version_compare('18', '>=')))) }}"
|
||||||
# If "AllowGroups is absent" and "AllowUsers is absent or Debian <10"
|
# If "AllowGroups is absent" and "AllowUsers is absent or Debian <10"
|
||||||
ssh_allowusers: "{{ (grep_allowusers_ssh.rc == 0) or (grep_allowgroups_ssh.rc != 0 and (ansible_distribution_major_version | version_compare('10', '<'))) }}"
|
ssh_allowusers: "{{ (grep_allowusers_ssh.rc == 0) or (grep_allowgroups_ssh.rc != 0 and (ansible_distribution == 'Debian' and ansible_distribution_major_version | version_compare('10', '<'))) }}"
|
||||||
|
|
||||||
- debug:
|
- debug:
|
||||||
var: ssh_allowgroups
|
var: ssh_allowgroups
|
||||||
|
|
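Review bot: `ssh_allowgroups` and `ssh_allowusers` are no longer complementary. When sshd_config has neither AllowUsers nor AllowGroups and the host is Ubuntu below 18, the first expression is false because the Ubuntu version test fails, and the second is false because its fallback now requires Debian, so neither fact selects a directive. What the tasks consuming these facts do in that case is outside this hunk, but it looks as if no SSH access restriction would be written. Either make sure the compatibility assert really rejects Ubuntu < 18, or build the fallback of `ssh_allowusers` as the negation of the version test used in `ssh_allowgroups`. The two comments above the expressions still describe only Debian and should read along the lines of `# If "AllowGroups is present" or "AllowUsers is absent and (Debian 10+ or Ubuntu 18+)"`.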
|
@ -4,6 +4,6 @@
|
||||||
when: ansible_lsb.codename == "jessie"
|
when: ansible_lsb.codename == "jessie"
|
||||||
|
|
||||||
- include: sudo_stretch.yml
|
- include: sudo_stretch.yml
|
||||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
when: (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('9', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))
|
||||||
|
|
||||||
- meta: flush_handlers
|
- meta: flush_handlers
|
||||||
|
|
|
@ -59,31 +59,32 @@
|
||||||
|
|
||||||
## Group for SSH authorizations
|
## Group for SSH authorizations
|
||||||
|
|
||||||
- name: "Unix group '{{ evolinux_ssh_group }}' is present (Debian 10 or later)"
|
- name: "Unix group '{{ evolinux_ssh_group }}' is present (Debian 10 and Ubuntu 18 or later)"
|
||||||
group:
|
group:
|
||||||
name: "{{ evolinux_ssh_group }}"
|
name: "{{ evolinux_ssh_group }}"
|
||||||
state: present
|
state: present
|
||||||
when: ansible_distribution_major_version | version_compare('10', '>=')
|
when: (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('10', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))
|
||||||
|
|
||||||
- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_ssh_group }}' (Debian 10 or later)"
|
- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_ssh_group }}' (Debian 10 and Ubuntu 18 or later)"
|
||||||
user:
|
user:
|
||||||
name: '{{ user.name }}'
|
name: '{{ user.name }}'
|
||||||
groups: "{{ evolinux_ssh_group }}"
|
groups: "{{ evolinux_ssh_group }}"
|
||||||
append: yes
|
append: yes
|
||||||
when: ansible_distribution_major_version | version_compare('10', '>=')
|
when: (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('10', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))
|
||||||
|
|
||||||
## Optional group for all evolinux users
|
## Optional group for all evolinux users
|
||||||
|
|
||||||
- name: "Unix group '{{ evolinux_internal_group }}' is present (Debian 9 or later)"
|
- name: "Unix group '{{ evolinux_internal_group }}' is present (Debian 9 and Ubuntu 18 or later)"
|
||||||
group:
|
group:
|
||||||
name: "{{ evolinux_internal_group }}"
|
name: "{{ evolinux_internal_group }}"
|
||||||
state: present
|
state: present
|
||||||
when:
|
when:
|
||||||
- evolinux_internal_group is defined
|
- evolinux_internal_group is defined
|
||||||
- evolinux_internal_group != ""
|
- evolinux_internal_group != ""
|
||||||
- ansible_distribution_major_version | version_compare('9', '>=')
|
- (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('9', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))
|
||||||
|
|
||||||
- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_internal_group }}' (Debian 9 or later)"
|
|
||||||
|
- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_internal_group }}' (Debian 9 and Ubuntu 18 or later)"
|
||||||
user:
|
user:
|
||||||
name: '{{ user.name }}'
|
name: '{{ user.name }}'
|
||||||
groups: "{{ evolinux_internal_group }}"
|
groups: "{{ evolinux_internal_group }}"
|
||||||
|
@ -91,7 +92,8 @@
|
||||||
when:
|
when:
|
||||||
- evolinux_internal_group is defined
|
- evolinux_internal_group is defined
|
||||||
- evolinux_internal_group != ""
|
- evolinux_internal_group != ""
|
||||||
- ansible_distribution_major_version | version_compare('9', '>=')
|
- (ansible_distribution == "Debian" and ansible_distribution_major_version | version_compare('9', '>=')) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | version_compare('18', '>='))
|
||||||
|
|
||||||
|
|
||||||
## Optional secondary groups, defined per user
|
## Optional secondary groups, defined per user
|
||||||
|
|
||||||
|
|
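--- a/evomaintenance/tasks/install_package_ubuntu.yml
+++ b/evomaintenance/tasks/install_package_ubuntu.yml
@@ -0,0 +1,18 @@
+---
+
+- name: Package is installed
+apt:
+deb: 'http://pub.evolix.net/stretch/evomaintenance_0.2.9-1_all.deb'
+tags:
+- evomaintenance
+
+- name: Configuration is installed
+template:
+src: evomaintenance.j2
+dest: /etc/evomaintenance.cf
+owner: root
+group: root
+mode: "0600"
+force: "{{ evomaintenance_force_config | bool }}"
+tags:
+- evomaintenance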
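Review bot: The `deb:` URL in "Package is installed" is plain `http://`, and a package file handed to `apt` this way is installed without any repository signature check, so whatever bytes arrive on the wire are unpacked and their maintainer scripts run as root. I would download it first with `get_url` and a pinned `checksum:`, then install from the local path, and switch the URL to `https://` if the mirror serves it. The digest and the cache path below are placeholders to be filled in from a trusted copy of the package.

```yaml
- name: Package is downloaded
  get_url:
    url: 'http://pub.evolix.net/stretch/evomaintenance_0.2.9-1_all.deb'
    # example path, pick the role's usual download directory
    dest: /var/cache/evomaintenance_0.2.9-1_all.deb
    checksum: 'sha256:<SHA256_OF_THE_DEB_PLACEHOLDER>'
  tags:
    - evomaintenance

- name: Package is installed
  apt:
    deb: /var/cache/evomaintenance_0.2.9-1_all.deb
  tags:
    - evomaintenance
# … unchanged: "Configuration is installed" template task …
```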
|
@ -9,15 +9,20 @@
|
||||||
- evomaintenance_api_key is not none
|
- evomaintenance_api_key is not none
|
||||||
msg: evomaintenance api variables must be set
|
msg: evomaintenance api variables must be set
|
||||||
|
|
||||||
|
- include: install_package_ubuntu.yml
|
||||||
|
when:
|
||||||
|
- not evomaintenance_install_vendor
|
||||||
|
- ansible_distribution == "Ubuntu"
|
||||||
|
|
||||||
- include: install_package_debian.yml
|
- include: install_package_debian.yml
|
||||||
when:
|
when:
|
||||||
- not evomaintenance_install_vendor
|
- not evomaintenance_install_vendor
|
||||||
- ansible_distribution == "Debian"
|
- ansible_distribution == "Debian" or ansible_distribution == "Ubuntu"
|
||||||
|
|
||||||
- include: install_vendor_debian.yml
|
- include: install_vendor_debian.yml
|
||||||
when:
|
when:
|
||||||
- evomaintenance_install_vendor
|
- evomaintenance_install_vendor
|
||||||
- ansible_distribution == "Debian"
|
- ansible_distribution == "Debian" or ansible_distribution == "Ubuntu"
|
||||||
|
|
||||||
- include: install_vendor_openbsd.yml
|
- include: install_vendor_openbsd.yml
|
||||||
when:
|
when:
|
||||||
|
@ -25,4 +30,4 @@
|
||||||
|
|
||||||
- include: minifirewall.yml
|
- include: minifirewall.yml
|
||||||
when:
|
when:
|
||||||
- ansible_distribution == "Debian"
|
- ansible_distribution == "Debian" or ansible_distribution == "Ubuntu"
|
||||||
|
|
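Review bot: On Ubuntu both package includes now match: the new `install_package_ubuntu.yml` include and the widened condition on `install_package_debian.yml` (`ansible_distribution == "Debian" or ansible_distribution == "Ubuntu"`). If Ubuntu is meant to take only the `.deb` path, the Debian include should keep `- ansible_distribution == "Debian"`. If both are meant to run, a comment above the Ubuntu include saying why would help, since `install_package_debian.yml` is not part of this change and its effect on Ubuntu cannot be judged from here.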
53
fluentd/files/fluentd.gpg
Normal file
53
fluentd/files/fluentd.gpg
Normal file
|
@ -0,0 +1,53 @@
|
||||||
|
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||||
|
Version: GnuPG v2
|
||||||
|
|
||||||
|
mQINBFhiI8wBEADThWLNd8IKPRw7Ygu3DHS4Sb/Yc6vSZSaMGJ6Wkj245jScvI+C
|
||||||
|
nG4C4rtO/8ObUj5cUpb4CyfYZX8W4tp9x+W68c4paXevG4s+X4EE3uUsgdwTnFXi
|
||||||
|
GMa57QDzR4p/JvjUjfGJ2UAr4Bfj8Q2S54LmIu6UAe82ce2B4tEHCeYSxkmVUDAZ
|
||||||
|
utfmgKoVTbnceTemU0m5ANS6IC1/53KEhgB1sKm5G/FjRJGslHWb3mf+bLrhmlkP
|
||||||
|
pA4BOKF2w3eFYH3LhWskxMS0SPM7J6aq+6LyNNqtlKL6lUS7qVjRQ6PlgFcmtG4J
|
||||||
|
tijsZI62bDn1f44DmeLY+LMS/nM0xyIx94lYumGH5EYmjUECagqMool98/+Wx79A
|
||||||
|
Thtg/1pYNzo8Z76qr0i3xLSRtsQ2Om2Rfal7VGadOrx4sqlkSaUaGI+hBc1r4tNy
|
||||||
|
tERvBEMGSf78bWDbdzxSNEW4LUDUpniNQb0DrURfWkqRa3q4WcTJr8lpQM/NmAru
|
||||||
|
owayAXQwKob+OIZ09/O69EaqVJ9MqsM3keQouSHShKvzNrppuo3D3z+Dpy05FsYw
|
||||||
|
MAiIN7auXxy+XQwCVsKF083YaDHcC0I22GReEgt43yZXQ/b/J9QNrm5nJ+3Cpso3
|
||||||
|
jJnMzubuniSOOdd3mXQ6MwgZvWgtH/nPF8oUX9VSGwqNohiKWcxQDxW7qQARAQAB
|
||||||
|
tFRUcmVhc3VyZSBEYXRhLCBJbmMgKFRyZWFzdXJlIEFnZW50IE9mZmljaWFsIFNp
|
||||||
|
Z25pbmcga2V5KSA8c3VwcG9ydEB0cmVhc3VyZS1kYXRhLmNvbT6JAjcEEwEIACEF
|
||||||
|
AlhiI8wCGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQkB+Rd6uXrL5GrhAA
|
||||||
|
nh82+caSu9Qu/LW256gN5UjPUFhph66ElT1OVyAR2FoOmz2pJH3t8YYD5cUV2W6/
|
||||||
|
xqJDmjl+vnL2HBgxjHKRCo2K3hrq6z4LoU7SpWDI1cZ03lkjh1yNx13S+9JvZNlp
|
||||||
|
jit0WRIspke0n0vWSpNo4nh19Yg3EA1c+vGeHnmlYo6xwRHu6XOhhCwywtFRGC3a
|
||||||
|
iMJzAV4N69ZU6P5VZZkC6LjYYQtF4aI10COLZ4AcObH2htGAZTj2KlZfdJHmr+Oa
|
||||||
|
wY57giUYz7OF45LLCuqe+VwpGp2d3UK/MtCnXRLi5InMVJKDvyt18MzRDFuyA27e
|
||||||
|
WSt+JumVqhEjawh3hmdzIS1cHKmv19gdeE8On2i2Lf8lyek8fsB/YPgADAmp2oSe
|
||||||
|
cjLu0ocGbgxRjuCR29+6IG+DiUDFCkqFZNdLiGVqzjpjpYHaPhVe77ciwA8TCPru
|
||||||
|
3dh5t/qv2HglSd7lj95IApZBtny5AK8NS4qtaOeZbBbbDRuOPL0c7fU3bqyIPy57
|
||||||
|
zvdYi3KdjWZVCawcAmk3ILP83eFSivCRPRoyCqO+HX8U647BBWvlFuEbPa+Y1sgE
|
||||||
|
12MEF/Y6VVJh3Ptw+h/qKRbra4LdA+5Y30q/9l6WGgbO/4h3NKmGeVCrAFvS3h92
|
||||||
|
fS0ABYD1nAP7fSNS9RfYIqfBXtJem+tJ14YKJwWiAYW5Ag0EWGIjzAEQAMw5EMJu
|
||||||
|
RBFRdhXD5UeA7I7wwkql/iYof8ydUALBxh9NSpmwaACkb4Me6h/rHdVsPRO3vIoo
|
||||||
|
uXftSjkRk2frjziihfEdeYxYU5PPawZxwCRDInr/OLZmcCCA2yCkRnFBhZxQy8NW
|
||||||
|
iJz0tlJtohhuJ7NRK7+HVJ3rPrtoV1lZVricDrB7DdVySp+7VciEM/XQhKKlesyd
|
||||||
|
gYXic4fx7xvPS6hRmH/fNVdvFobIhQBNUuPfKJeKpeJqPHeqkCNRz1Kl6NW9XXBq
|
||||||
|
hNyAlC7SPdKmjsv4UVIcFLUXP5wv7nprtEh15LoDlJCvFEF/iDJzaWI3QeVqY8XS
|
||||||
|
EI77WNsA/w7nlVNO3lGOPMjW8cxn4Jd2s4lpNa/e+RfrG/PD+ODSS92ISkuihBIU
|
||||||
|
Z2XeFa1xjQ1ayint4lVe3FGWTBJjqK8qX3JaOVeUD0AlSWqFcJzI7KxfNtVZCOaZ
|
||||||
|
WL/PVG124A118AUMFEWfb3r2Le8ddl+AKFP5Etsb+00VEWL06VPDampJIHanGjyX
|
||||||
|
h3dZkzORO3l3dt/P6embimic2QDOmO5x+wESnD8spITPKDl9OuqebCB8Z2oShnnG
|
||||||
|
+xhKDl045UFCPMVOXLb4kHonBmN2wBT/GIh4qqZj/7mm6r4P194HzN8LQuZsloJs
|
||||||
|
A6tnEpEmSe33xBDfGAeS0eNxFiATGwAcCRyRABEBAAGJAh8EGAEIAAkFAlhiI8wC
|
||||||
|
GwwACgkQkB+Rd6uXrL559w/9GfoTxZS+VJQsQc1inW9YKZaWl99Hd4u8CGhE057S
|
||||||
|
zvzMnIH6fcgib3m+TelevplSEN1QN1GGTvn95n8JQ8RX36xy8SQVzrPIlO4gXGAF
|
||||||
|
J1uHmSp3SSplrwKIBQk3MORrfbTg78CN9527GCQHih8+qgB3IYe23NhsKLre3mbZ
|
||||||
|
h9NAWOeMsBF0jG0c0Cu3/F8muY2XSTqENB8R263YJsQSC3qaiaq9TtstisOe/HWK
|
||||||
|
yQix2Hofg3H96dZXsqbQEvxgyema+A6ptCm7S66eSYoPPeXQaraTsz6nLlVtvhSD
|
||||||
|
kll2axjAK4NDbSjJuZI/54CkO+FB00bkXDxPFgnfDPWgvPMF1cBuuX0QN1BO8n4C
|
||||||
|
eA9zyBBdTw9bbzO1kRdeBHLa7n845ecVbEh15Hvtf20/CJB9ua+qRlcXtgxhUf3+
|
||||||
|
pm/xbAM22z/F3+RsLwGOG8T0Vy2q//VVqLxSFlawiZW9RkClKyV6A1KH0EA6W84d
|
||||||
|
GcxiDgwrBHd+d40s3VDE/Wlmj0w73xeebEaXCmaTO/Hp5DIA64LfXHB2ckvwv15I
|
||||||
|
ISQV2g55+ghnwaD/02uGCGpJl0zJgQ+PKvrFAz+wIUqrQJxXP4epqWycmzG98T7g
|
||||||
|
pi20lwzO87S6b1GIL9t6Q/Zge8bbB7lG5mBR2U5XyGhfHXGaHTb6nQQYh3hCet8G
|
||||||
|
5Ow=
|
||||||
|
=Me4L
|
||||||
|
-----END PGP PUBLIC KEY BLOCK-----
|
|
@ -2,7 +2,8 @@
|
||||||
|
|
||||||
- name: Fluentd GPG key is installed
|
- name: Fluentd GPG key is installed
|
||||||
apt_key:
|
apt_key:
|
||||||
url: https://packages.treasuredata.com/GPG-KEY-td-agent
|
# url: https://packages.treasuredata.com/GPG-KEY-td-agent
|
||||||
|
data: "{{ lookup('file', 'fluentd.gpg') }}"
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
- fluentd
|
- fluentd
|
||||||
|
|
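Review bot: Nothing in the "Fluentd GPG key is installed" task now says where `fluentd.gpg` came from or which key it is supposed to be, and the old `url:` is left behind as a commented-out line. Shipping the key with the role is a sound change, but a vendored key that cannot be traced is hard to audit or rotate. I would delete the dead line and add a comment such as `# copied from https://packages.treasuredata.com/GPG-KEY-td-agent, fingerprint <FINGERPRINT_PLACEHOLDER>`, so a later reviewer can compare the file with the fingerprint the vendor publishes.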
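--- a/lxc-php/README.md
+++ b/lxc-php/README.md
@@ -0,0 +1,23 @@
+# lxc-php
+
+Create LXC containers and install all the required PHP packages as a way to use multiple PHP version on Debian.
+
+*note : this role depend on the lxc role.*
+
+## Tasks
+
+Everything is in the `tasks/main.yml` file.
+
+## Available variables
+
+As this role depend on the lxc role, please refer to it for a variable exhaustive list.
+
+Here is the list of available variables for the PHP part:
+
+* `php_conf_short_open_tag` Default: `"Off"`
+* `php_conf_expose_php` Default: `"Off"`
+* `php_conf_display_errors` Default: `"Off"`
+* `php_conf_log_errors` Default: `"On"`
+* `php_conf_html_errors` Default: `"Off"`
+* `php_conf_allow_url_fopen` Default: `"Off"`
+* `php_conf_disable_functions` Default: `"exec,shell-exec,system,passthru,putenv,popen"`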
|
@ -46,27 +46,6 @@
|
||||||
command: "lxc-attach -n {{name}} -- apt-get install -y php7.3 php7.3-fpm php7.3-cli php7.3-curl php7.3-mysql php7.3-pgsql php7.3-ldap php7.3-imap php7.3-gd php-ssh2 php-gettext composer libphp-phpmailer ssmtp git zip unzip php7.3-zip"
|
command: "lxc-attach -n {{name}} -- apt-get install -y php7.3 php7.3-fpm php7.3-cli php7.3-curl php7.3-mysql php7.3-pgsql php7.3-ldap php7.3-imap php7.3-gd php-ssh2 php-gettext composer libphp-phpmailer ssmtp git zip unzip php7.3-zip"
|
||||||
when: name == 'php73'
|
when: name == 'php73'
|
||||||
|
|
||||||
- name: Remove default FPM 5.6 pool
|
|
||||||
file:
|
|
||||||
name: "/var/lib/lxc/{{name}}/rootfs/etc/php5/fpm/pool.d/www.conf"
|
|
||||||
state: absent
|
|
||||||
notify: "Reload {{name}}-fpm"
|
|
||||||
when: name == 'php56'
|
|
||||||
|
|
||||||
- name: Remove default FPM 7.0 pool
|
|
||||||
file:
|
|
||||||
name: "/var/lib/lxc/{{name}}/rootfs/etc/php/7.0/fpm/pool.d/www.conf"
|
|
||||||
state: absent
|
|
||||||
notify: "Reload {{name}}-fpm"
|
|
||||||
when: name == 'php70'
|
|
||||||
|
|
||||||
- name: Remove default FPM 7.3 pool
|
|
||||||
file:
|
|
||||||
name: "/var/lib/lxc/{{name}}/rootfs/etc/php/7.3/fpm/pool.d/www.conf"
|
|
||||||
state: absent
|
|
||||||
notify: "Reload {{name}}-fpm"
|
|
||||||
when: name == 'php73'
|
|
||||||
|
|
||||||
- name: Copy evolinux PHP 5.6 configuration
|
- name: Copy evolinux PHP 5.6 configuration
|
||||||
template:
|
template:
|
||||||
src: z-evolinux-defaults.ini.j2
|
src: z-evolinux-defaults.ini.j2
|
||||||
|
|
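--- a/lxc-solr/README.md
+++ b/lxc-solr/README.md
@@ -0,0 +1,27 @@
+# lxc-solr
+
+Create one or more LXC containers with Solr in the version of your choice.
+
+*note : this role depend on the lxc role.*
+
+## Tasks
+
+Everything is in the `tasks/main.yml` file.
+
+## Available variables
+
+Since this role depend on the lxc role, please refer to it for a full variable list related to the lxc containers setup.
+
+* `lxc_containers`: list of LXC containers to create. Default: `[]` (empty).
+* `name`: name of the LXC container to create.
+* `release`: Debian version to install
+* `solr_version`: Solr version to install *(refer to https://archive.apache.org/dist/lucene/solr/ for a full version list)*
+* `solr_port`: port for Solr to listen on
+Eg.:
+```
+lxc_containers:
+- name: solr8
+release: stretch
+solr_version: 6.6.6
+solr_port: 8983
+```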
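--- a/lxc-solr/defaults/main.yml
+++ b/lxc-solr/defaults/main.yml
@@ -0,0 +1,18 @@
+---
+# List of LXC containers to create alongside with the version of Solr to install for each of them
+# Eg.:
+# lxc_containers:
+# - name: solr6
+# release: stretch
+# solr_version: 6.6.6
+# solr_port: 8983
+# - name: solr7
+# release: stretch
+# solr_version: 7.7.2
+# solr_port: 8984
+# - name: solr8
+# release: stretch
+# solr_version: 8.1.1
+# solr_port: 8985
+lxc_containers: []
+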
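--- a/lxc-solr/tasks/main.yml
+++ b/lxc-solr/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+- name: LXC configuration
+include_role:
+name: lxc
+
+- name: Ensure containers root directory is 755
+file:
+path: "/var/lib/lxc/{{ item.name }}/rootfs"
+state: directory
+mode: '0755'
+with_items:
+- "{{ lxc_containers }}"
+
+- include: "solr.yml name={{item.name}} solr_version={{item.solr_version}} solr_port={{item.solr_port}}"
+with_items:
+- "{{ lxc_containers }}"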
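--- a/lxc-solr/tasks/solr.yml
+++ b/lxc-solr/tasks/solr.yml
@@ -0,0 +1,42 @@
+---
+- name: Install openjdk-8-jre-headless and lsof packages
+command: "lxc-attach -n {{name}} -- apt-get install -y openjdk-8-jre-headless lsof"
+
+- name: "Download Solr {{ solr_version }}"
+get_url:
+url: "https://archive.apache.org/dist/lucene/solr/{{ solr_version }}/solr-{{ solr_version }}.tgz"
+dest: "/var/lib/lxc/{{ name }}/rootfs/root/solr-{{ solr_version }}.tgz"
+mode: '0644'
+
+- name: "Extract solr-{{ solr_version }}.tgz"
+unarchive:
+src: /var/lib/lxc/{{ name }}/rootfs/root/solr-{{ solr_version }}.tgz
+dest: /var/lib/lxc/{{ name }}/rootfs/root/
+remote_src: yes
+
+- name: "Install Solr {{ solr_version }}"
+command: "lxc-attach -n {{name}} -- /root/solr-{{ solr_version }}/bin/install_solr_service.sh /root/solr-{{ solr_version }}.tgz"
+
+- name: "Stop Solr"
+command: "lxc-attach -n {{name}} -- /etc/init.d/solr stop"
+ignore_errors: True
+
+- name: "Make sure /home/solr exists"
+file:
+path: /home/solr
+state: directory
+mode: '0755'
+
+- name: "Move Solr data directory to /home/solr/{{name}}"
+command: "lxc-attach -n {{name}} -- mv /var/solr /home/solr/{{name}}"
+
+- name: "Create a symbolic link to /home/solr/{{name}}"
+command: "lxc-attach -n {{name}} -- ln -s /home/solr/{{name}} /var/solr"
+
+- name: "Set Solr port to {{ solr_port }}"
+lineinfile:
+dest: /var/lib/lxc/{{ name }}/rootfs/etc/default/solr.in.sh
+line: "SOLR_PORT={{ solr_port }}"
+
+- name: "Start Solr"
+command: "lxc-attach -n {{name}} -- /etc/init.d/solr start"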
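Review bot: The "Download Solr" task has no `checksum:`, and the tasks after it unpack the archive and run its `install_solr_service.sh` as root inside the container, so the tarball's integrity rests on the TLS connection to the mirror alone. I would pin a digest per version, for example a new `solr_checksum` key in each `lxc_containers` entry used as `checksum: "sha512:{{ solr_checksum }}"`; the include in `tasks/main.yml` would have to pass it through. Separately, the `mv /var/solr …` and `ln -s …` commands are not idempotent and look likely to fail on a second run, so each wants a guard (a `creates:` argument or a preceding `stat`).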
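--- a/lxc-solr/templates/rc.local.j2
+++ b/lxc-solr/templates/rc.local.j2
@@ -0,0 +1,3 @@
+#!/bin/bash
+/opt/solr-{{ solr_version }}/bin/solr start -p {{ solr_port }} -force
+exit 0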
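Review bot: `-force` on the `solr start` line is the switch that lets Solr start as root, so a container booted through this script runs the search server with full privileges inside the container. `install_solr_service.sh`, which `tasks/solr.yml` already runs, by default sets up an init script under a dedicated account, so starting through it (`/etc/init.d/solr start`) avoids the root process. No task in this change deploys `rc.local.j2`, so it may be unused; if so, dropping the template is the simpler fix.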
|
@ -21,8 +21,13 @@
|
||||||
|
|
||||||
- name: Add subuid and subgid ranges to root
|
- name: Add subuid and subgid ranges to root
|
||||||
command: usermod -v 100000-199999 -w 100000-109999 root
|
command: usermod -v 100000-199999 -w 100000-109999 root
|
||||||
when: lxc_unprivilegied_containers and root_subuids.rc
|
when:
|
||||||
|
- lxc_unprivilegied_containers
|
||||||
|
- root_subuids.rc
|
||||||
|
|
||||||
- name: Create containers
|
- name: Create containers
|
||||||
include: "create-container.yml name={{item.name}} release={{item.release}}"
|
include: create-container.yml
|
||||||
|
vars:
|
||||||
|
name: "{{ item.name }}"
|
||||||
|
release: "{{item.release}}"
|
||||||
with_items: "{{lxc_containers}}"
|
with_items: "{{lxc_containers}}"
|
||||||
|
|
|
@ -29,7 +29,18 @@ minifirewall_private_ports_udp: []
|
||||||
# Keep a null value to leave the setting as is
|
# Keep a null value to leave the setting as is
|
||||||
# otherwise use an Array, eg. "minifirewall_ssh_ok: ['0.0.0.0/0']"
|
# otherwise use an Array, eg. "minifirewall_ssh_ok: ['0.0.0.0/0']"
|
||||||
minifirewall_dns_servers: Null
|
minifirewall_dns_servers: Null
|
||||||
minifirewall_http_sites: Null
|
|
||||||
|
minifirewall_http_sites:
|
||||||
|
- pub.evolix.net
|
||||||
|
- mirror.evolix.org
|
||||||
|
- hwraid.le-vert.net
|
||||||
|
- antispam00.evolix.org
|
||||||
|
- spamassassin.apache.org
|
||||||
|
- sa-update.space-pro.be
|
||||||
|
- sa-update.secnap.net
|
||||||
|
- www.sa-update.pccc.com
|
||||||
|
- sa-update.dnswl.org
|
||||||
|
|
||||||
minifirewall_https_sites: Null
|
minifirewall_https_sites: Null
|
||||||
minifirewall_ftp_sites: Null
|
minifirewall_ftp_sites: Null
|
||||||
minifirewall_ssh_ok: Null
|
minifirewall_ssh_ok: Null
|
||||||
|
@ -37,6 +48,16 @@ minifirewall_smtp_ok: Null
|
||||||
minifirewall_smtp_secure_ok: Null
|
minifirewall_smtp_secure_ok: Null
|
||||||
minifirewall_ntp_ok: Null
|
minifirewall_ntp_ok: Null
|
||||||
|
|
||||||
|
minifirewall_default_debian_http_sites:
|
||||||
|
- security.debian.org
|
||||||
|
- security-cdn.debian.org
|
||||||
|
- volatile.debian.org
|
||||||
|
- backports.debian.org
|
||||||
|
|
||||||
|
minifirewall_default_ubuntu_http_sites:
|
||||||
|
- archive.ubuntu.com
|
||||||
|
- security.ubuntu.com
|
||||||
|
|
||||||
minifirewall_autostart: False
|
minifirewall_autostart: False
|
||||||
minifirewall_restart_if_needed: True
|
minifirewall_restart_if_needed: True
|
||||||
minifirewall_restart_force: False
|
minifirewall_restart_force: False
|
||||||
|
|
|
@ -50,7 +50,7 @@ DNSSERVEURS='0.0.0.0/0'
|
||||||
# HTTP authorizations
|
# HTTP authorizations
|
||||||
# (you can use DNS names but set cron to reload minifirewall regularly)
|
# (you can use DNS names but set cron to reload minifirewall regularly)
|
||||||
# (if you have HTTP proxy, set 0.0.0.0/0)
|
# (if you have HTTP proxy, set 0.0.0.0/0)
|
||||||
HTTPSITES='security.debian.org security-cdn.debian.org pub.evolix.net volatile.debian.org mirror.evolix.org backports.debian.org hwraid.le-vert.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org'
|
HTTPSITES=''
|
||||||
|
|
||||||
# HTTPS authorizations
|
# HTTPS authorizations
|
||||||
HTTPSSITES='0.0.0.0/0'
|
HTTPSSITES='0.0.0.0/0'
|
||||||
|
|
|
@ -120,7 +120,22 @@
|
||||||
line: "HTTPSITES='{{ minifirewall_http_sites | join(' ') }}'"
|
line: "HTTPSITES='{{ minifirewall_http_sites | join(' ') }}'"
|
||||||
regexp: "HTTPSITES='.*'"
|
regexp: "HTTPSITES='.*'"
|
||||||
create: no
|
create: no
|
||||||
when: minifirewall_http_sites is not none
|
|
||||||
|
- name: Configure HTTPSITES for debian
|
||||||
|
lineinfile:
|
||||||
|
dest: "{{ minifirewall_main_file }}"
|
||||||
|
line: "HTTPSITES='{{ minifirewall_default_debian_http_sites | join(' ') }} {{ minifirewall_http_sites | join(' ') }}'"
|
||||||
|
regexp: "HTTPSITES='.*'"
|
||||||
|
create: no
|
||||||
|
when: ansible_distribution == "Debian"
|
||||||
|
|
||||||
|
- name: Configure HTTPSITES for ubuntu
|
||||||
|
lineinfile:
|
||||||
|
dest: "{{ minifirewall_main_file }}"
|
||||||
|
line: "HTTPSITES='{{ minifirewall_default_ubuntu_http_sites | join(' ') }} {{ minifirewall_http_sites | join(' ') }}'"
|
||||||
|
regexp: "HTTPSITES='.*'"
|
||||||
|
create: no
|
||||||
|
when: ansible_distribution == "Ubuntu"
|
||||||
|
|
||||||
- name: Configure HTTPSSITES
|
- name: Configure HTTPSSITES
|
||||||
lineinfile:
|
lineinfile:
|
||||||
|
|
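Review bot: The generic "Configure HTTPSITES" task lost its `when: minifirewall_http_sites is not none` guard, and the two new distribution tasks never had one. The defaults still document a null value as "leave the setting as is", but that no longer holds, and `join` on a null value will most likely fail. All three tasks also match the same `regexp`, so on Debian and Ubuntu the line is rewritten twice per run and the tasks report a change every time. I would restrict the generic task to other distributions and guard each task as below; the generic task begins above this hunk.

```yaml
# … unchanged: name and lineinfile block of the generic "Configure HTTPSITES" task …
  when:
    - minifirewall_http_sites is not none
    - ansible_distribution not in ["Debian", "Ubuntu"]

- name: Configure HTTPSITES for debian
  # … unchanged: lineinfile block …
  when:
    - minifirewall_http_sites is not none
    - ansible_distribution == "Debian"

- name: Configure HTTPSITES for ubuntu
  # … unchanged: lineinfile block …
  when:
    - minifirewall_http_sites is not none
    - ansible_distribution == "Ubuntu"
```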
|
@ -75,6 +75,18 @@
|
||||||
tags:
|
tags:
|
||||||
- mysql
|
- mysql
|
||||||
|
|
||||||
|
# Percona Toolkit
|
||||||
|
|
||||||
|
- name: "Install percona-toolkit (Debian 9 or later)"
|
||||||
|
apt:
|
||||||
|
name: percona-toolkit
|
||||||
|
state: present
|
||||||
|
tags:
|
||||||
|
- packages
|
||||||
|
- percona-toolkit
|
||||||
|
- mysql
|
||||||
|
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||||
|
|
||||||
# automatic optimizations
|
# automatic optimizations
|
||||||
|
|
||||||
- include_role:
|
- include_role:
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
rbenv_version: v1.1.2
|
rbenv_version: v1.1.2
|
||||||
rbenv_ruby_version: 2.5.5
|
rbenv_ruby_version: 2.6.3
|
||||||
rbenv_root: "~/.rbenv"
|
rbenv_root: "~/.rbenv"
|
||||||
rbenv_repo: "https://github.com/rbenv/rbenv.git"
|
rbenv_repo: "https://github.com/rbenv/rbenv.git"
|
||||||
rbenv_plugins:
|
rbenv_plugins:
|
||||||
|
|
|
@ -5,5 +5,10 @@
|
||||||
name: apache2
|
name: apache2
|
||||||
state: reloaded
|
state: reloaded
|
||||||
|
|
||||||
|
- name: restart apache2
|
||||||
|
service:
|
||||||
|
name: apache2
|
||||||
|
state: restarted
|
||||||
|
|
||||||
- name: newaliases
|
- name: newaliases
|
||||||
command: newaliases
|
command: newaliases
|
||||||
|
|
|
@ -46,3 +46,10 @@
|
||||||
owner: evoadmin
|
owner: evoadmin
|
||||||
group: evoadmin
|
group: evoadmin
|
||||||
force: no
|
force: no
|
||||||
|
|
||||||
|
- name: Enable proxy_fcgi
|
||||||
|
apache2_module:
|
||||||
|
state: present
|
||||||
|
name: proxy_fcgi
|
||||||
|
notify: restart apache2
|
||||||
|
when: evoadmin_multi_php == True
|
||||||
|
|
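Review bot: `when: evoadmin_multi_php == True` in "Enable proxy_fcgi" only matches a real boolean. A value that arrives as a string (for instance from `-e` on the command line or an INI inventory) compares unequal, and the module is silently left disabled. `when: evoadmin_multi_php | bool` handles both forms. The same applies to `{% if evoadmin_multi_php == True %}` in the template hunk that follows, which could read `{% if evoadmin_multi_php | bool %}`.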
|
@ -1,5 +1,5 @@
|
||||||
CONTACT_MAIL="{{ evoadmin_contact_email or general_alert_email | mandatory }}"
|
CONTACT_MAIL="{{ evoadmin_contact_email or general_alert_email | mandatory }}"
|
||||||
WWWBOUNCE_MAIL="{{ evoadmin_bounce_email or general_alert_email | mandatory }}"
|
WWWBOUNCE_MAIL="{{ evoadmin_bounce_email or general_alert_email | mandatory }}"
|
||||||
{% if evoadmin_multi_php == "True" %}
|
{% if evoadmin_multi_php == True %}
|
||||||
PHP_VERSIONS=(56 70 73)
|
PHP_VERSIONS=(56 70 73)
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|