# Changelog
All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).

This project does not follow semantic versioning.
The **major** part of the version is aligned with the stable version of Debian.
The **minor** part changes with big changes (probably incompatible).
The **patch** part changes incrementally at each release.

## [Unreleased]

### Added

### Changed
* evocheck : version 19.04 from upstream

### Fixed

### Security

## [9.9.0] - 2019-04-16

### Added
* etc-git: ignore evobackup/.keep-* files
* lxc: /home is mounted in the container by default
* nginx : add "x-frame-options: sameorigin" for Munin

### Changed
* changed remote repository to https://gitea.evolix.org/evolix/ansible-roles
* apt: Ensure jessie-backport from archives.debian.org is accepted
* apt: Remove jessie-update suite as it's no longer exists
* apt: Replace mirror.evolix.org by archives.debian.org for jessie-backport
* evocheck : update script from upstream
* evolinux-base: remove apt-listchanges on Stretch and later
* evomaintenance: embed version 0.5.0
* opendkim: aligning roles with our conventions, major changes in opendkim-add.sh
* redis: higher limit of open files
* redis: set variables on inclusion, not with set_facts
* tomcat: better tomcat version management
* webapps/evoadmin-web: add dbadmin.sh to sudoers file


### Fixed
* spamassasin: fix sa-update.sh and ensure service is started and enabled
* tomcat-instance: deploy correct version of config files
* tomcat-instance: deploy correct version of server.xml

## [9.8.0] - 2019-01-31

### Added
* filebeat: disable cloud_metadata processor by default
* metricbeat: disable cloud_metadata processor by default
* percona : new role to install Percona repositories and tools
* redis: add variable for configure unixsocketperm

### Changed
* redmine: refactoring of redmine role with use of rbenv

### Fixed
* ntpd: Update the restrictions to follow wiki.evolix.org/HowtoNTP client config

## [9.7.0] - 2019-01-17

### Added
* apache: add Munin configuration for Apache server-status URL
* evomaintenance: database variables must be set or the task fails
* fail2ban: add "ips" tag added to fail2ban/tasks/ip_whitelist.yml
* metricbeat: add a variable for the protocol to use with Elasticsearch
* rbenv: add pkg-config to the list of packages to install
* redis: Configure munin when working in instance mode
* redis: add a variable for renamed/disabled commands
* redis: add a variable to disable the restart handler
* redis: add a variable to force a restart (even with no change)
* proftpd: add FTPS and SFTP support

### Changed
* redis: distinction between main and master password
* evocheck: update evocheck.sh for source install
* php: added php-zip in the installed package list for debian 9 (and later)
* squid: added packagist.org in the whitelist
* java: update Oracle java package to 8u192

### Fixed
* fail2ban: fix "ignoreip" update
* metricbeat: fix username/password replacement
* nagios-nrpe: check_process now return the error code (making the check more usefull than /bin/true)
* nginx: Munin url config is now a template to insert the server-status prefix
* nodejs: Update yarn repo GPG key (current key expired)
* redis: In instance mode, ensure to replace the nrpe check_redis with the instance check script
* redis: Don't set the owner of /var/{lib,log}/redis to a redis instance account


## [9.6.0] - 2018-12-04

### Added
* evolinux-base: deploy custom motd if template are present
* minifirewall: all variables are configurable (untouched by default)
* minifirewall: main file is configurable
* squid: minifirewall main file is configurable

### Changed
* minifirewall: compare config before/after (for restart condition)
* squid: better replacement in minifirewall config
* evoadmin-mail: complete refactoring, use Debian Package

## [9.5.0] - 2018-11-14

### Added
* apache: separate task to update IP whitelist
* evolinux-base: install man package
* evolinux-users: add newaliases handler
* evomaintenance: FROM domain is configurable
* fail2ban: separate task to update IP whitelist
* nginx: add tag for ips management
* nginx: separate task to update IP whitelist
* postfix: enable SSL/TLS client
* ssl: add an SSL role for certificates deployment
* haproxy: add vars for tls configuration
* mysql: logdir can be customized

### Changed
* evocheck: update script from upstream
* evomaintenance: update script from upstream
* mysql: restart service if systemd unit has been patched

### Fixed
* packweb-apache: mod-security config is already included elsewhere
* redis: for permissions on log and lib directories
* redis: fix shell for instance users
* evoacme: fix error handling in sed_cert_path_for_(apache|nginx)

## [9.4.2] - 2018-10-12

### Added
* evomaintenance: install dependencies manually when installing vendored version
* nagios-nrpe: add an option to ignore servers in NOLB status

### Changed
* haproxy: move check_haproxy_stats to nagios-nrpe role

### Fixed
* evoacme: better error when apache2ctl fails
* evomaintenance: fix role compatibility with OpenBSD
* spamassassin: add missing right for amavis
* amavis: fix output result checking

## [9.4.1] - 2018-09-28

### Added
* redis: set masterauth when redis_password is defined
* evomaintenance: variable to install a vendored version
* evomaintenance: tasks/variables to handle minifirewall restarts

### Changed
* mysql-oracle: better handle packages and users

## [9.4.0] - 2018-09-20

### Added
* etc-git: manage a cron job to monitor uncommited changes in /etc/.git (default: `True`)
* evolinux-base: better shell history
* evolinux-users: add user to /etc/aliases
* generate-ldif: add a section for postgresql
* logstash: tmp directory can be customized
* logstash: max memory is set to 512M by default
* logstash: version 6.x is installed by default
* mysql: add a variable to prevent mysql from restarting
* networkd-to-ifconfig: add a role to switch from networkd to ifconfig
* webapps/evoadmin-web: add users to /etc/aliases
* redis: add support for multi instances
* nagios-nrpe: add check_redis_instances

### Changed
* dovecot: stronger TLS configuration

### Fixed
* apache: cleaner way to overwrite the server status suffix
* packweb-apache: don't regenerate phpMyAdmin suffix each time
* nginx: cleaner way to overwrite the server status suffix
* redis: add missing tags

## [9.3.2] - 2018-09-06

### Added
* minifirewall: add a variable to disable the restart handler
* minifirewall: add a variable to force a restart of the firewall (even with no change)
* minifirewall: improve variables values and documentation

### Changed
* dovecot: enable SSL/TLS by default with snakeoil certificate

### Fixed

### Security

## [9.3.1] - 2018-08-30

### Added
* metricbeat: new variables to configure elasticsearch hosts and auth

## [9.3.0] - 2018-08-24

### Added
* elasticsearch: tmpdir configuration compatible with 5.x also
* elasticsearch: add http.publish_host variable
* evoacme: disable old certbot cron also in cron.daily
* evocheck: detect installed packages even if "held" by APT (manual fix)
* evocheck: the crontab is updated by the role (default: `True`)
* evolinux-base: add mail related aliases
* evolinux-todo: new role, to help maintain a file of todo tasks
* fail2ban: add a variable to disable the ssh filter (default: `False`)
* etc-git: install a script to optimize the repository each month
* fail2ban: add a variable to update the list of ignored IP addresses/blocs (default: `False`)
* generate-ldif: detect installed packages even if "held" by APT
* java: support for Oracle JRE
* kibana: log messages go to /var/log/kibana/kibana.log
* metricbeat: add a role (copied from filebeat)
* munin: properly rename Munin cache directory
* mysql: add an option to install the client development  libraries (default: `False`)
* mysql: add a few variables to customize the configuration
* nagios-nrpe: add check_postgrey

### Changed
* etc-git: some entries of .gitignore are mandatory
* evocheck: update upstream script
* evolinux-base: improve hostname configuration (real vs. internal)
* evolinux-base: use the "evolinux-todo" role
* evolinux-users: add sudo permission for bkctld check
* java8: renamed to java (java8 symlinked to java for backward compatibility)
* minifirewall: the tail file can be overwritten, or not (default: `True`)
* nagios-nrpe: use bkctld internal check instead of nrpe plugin
* php: reorganization of the role for Sury overrides and more clear configuration
* redmine: use .my.cnf for mysql password
* rbenv: change default Ruby version (2.5.1)
* rbenv: switch from copy to lineinfile for default gems
* remount-usr: mount doesn't report a change
* squid: add a few news sites to the whitelist
* tomcat: better nrpe check output
* kvm-host: install kvm-tools package instead of copying add-vm.sh

### Fixed
* apache: logrotate replacement is more subtle/precise. It replaces only the proper directive and not every occurence of the word.
* bind: chroot-bind.sh must not be executed in check mode
* evoacme: fix module detection in apache config
* fail2ban: fix fail2ban_ignore_ips definition
* mysql-oracle: fix configuration directory variable
* php: fpm slowlog needs an absolute path
* roundcube: add missing slash to https redirection

## [9.2.0] - 2018-05-16

### Changed
* filebeat: install version 6.x by default
* filebeat: cleanup unused code
* squid: add some domaine and fix broken restrictions
* elasticsearch: defaults to version 6.x

### Fixed
* evolinux-users: secondary groups are comma-separated
* ntpd: fix configuration (server and ACL)
* varnish: don't fork the process on startup with systemd

## [9.1.9] - 2018-04-24

### Added

### Changed
* apache: customize logrotate (52 weeks)
* evolinux: groups for SSH configuration are used with Debian 10 and later
* evolinux-base: fail2ban is not enabled by default
* evolinux-users: refactoring of the SSH configuration
* mysql-oracle: copy evolinux config files in mysql.cond.d
* mysql/mysql-oracle: mysqltuner cron scripts is 0755
* generate-ldif: add a minifirewall service when /etc/default/minifirewall exists

## [9.1.8] - 2018-04-16

### Changed
* packweb-apache: use dependencies instead of include_role for apache and php roles

### Fixed
* mysql: use check_mode for apg command (Fix --check)
* mysql/mysql-oracle: properly reload systemd
* packweb-apache: use check_mode for apg command (Fix --check)

## [9.1.7] - 2018-04-06

### Added
* added a few become attributes where missing
* etc-git: add tags for Ansible
* evolinux-base: install ncurses-term package
* haproxy: install Munin plugins
* listupgrade: add service restart notification for Squid and libstdc++6
* minifirewall: add "check_minifirewall" Nagios plugin (and `minifirewall_status` script)
* mysql-oracle: new role to install MySQL 5.7 with Oracle packages
* mysql: remount /usr before creating scripts directory
* nagios-nrpe: add "check_open_files" plugin
* nagios-nrpe: mark plugins as executable
* nodejs: Yarn package manager can be installed (default: `false`)
* packweb-apache: choose mysql variant (default: `debian`)
* postfix: add lines in /etc/.gitignore
* proftpd: use "proftpd_accounts" list to manage ftp accounts
* redmine: added missing tags

### Changed
* elasticsearch: RESTART_ON_UPGRADE is configurable (default: `true`)
* elasticsearch: use ES_TMPDIR variable for custom tmpdir, (from `/etc/default/elasticsearch` instead of changing `/etc/elesticsearch/jvm.options`).
* evolinux-base: Exec the firewall tasks sooner (to avoid dependency issues)
* evolinux-users: split AllowGroups/AllowUsers modes for SSH directives
* mongodb: allow unauthenticated packages for Jessie
* mongodb: configuration is forced by default but it's configurable (default: `false`)
* mongodb: rename logrotate script
* nagios-nrpe: mark plugins as executable
* nginx: don't debug variables in verbosity 0
* nginx: package name can be specified (default: `nginx-full`)
* php: fix FPM custom file permissions
* php: more tasks notify FPM handler to restart if needed
* webapps/evoadmin-web: Fail if variable evoadmin_contact_email isn't defined

### Fixed
* dovecot: fix support of plus sign
* mysql/mysql-oracle: mysqltuner cron task is executable
* nginx: fix basic auth for default vhost
* rbenv: fix become user issue with copy tasks

## [9.1.6] - 2018-02-02

### Added
* mongodb: install python-pymongo for monitoring
* nagios-nrpe: allowed_hosts can be updated

### Changed
* Changelog: explain the versioning scheme
* Changelog: add a release date for 9.1.5
* evoacme: exclude typical certbot directories

### Fixed
* fail2ban: fix horrible typo, Python is not Ruby
* nginx: fix servers status dirname

## [9.1.5] - 2018-01-18

### Added
* There is a changelog!
* redis: configuration variable for protected mode (v3.2+)
* evolinux-users: users are in "adm" group for Debian 9 or later
* evolinx-base: purge locate/mlocate packages
* evolinx-base: create /etc/evolinux if missing
* many Ansible tags for easier fine grained execution of playbooks
* apache/nginx: server status suffix management
* unbound: retrieve list of root DNS servers
* redmine: ability to install themes and plugins

### Changed
* rbenv: Ruby 2.5 becomes the default version
* evocheck: update upstream version embedded in role (c993244)
* bind: keep 52 weeks of logs

### Fixed
* squid: different logrotate file for Jessie or Stretch+
* evoacme: don't invoke evoacme if no vhost is found
* evomaintenance: explicit quotes in config file
* redmine: force xpath gem < 3.0.0

### Security
* evomaintenance: fix permissions for config file

## [9.1.4] - 2017-12-20

### Added
* php: install php5-intl (for Jessie) and php-intl (for Debian 9 or later)
* mysql: add a check_mysql_slave in nrpe configuration
* ldap: slapd tcp port is configurable
* elasticsearch: broader patterns for log rotation

### Changed
* split IP lists in 2 – default and additional – for easier customization.

### Fixed
* minifirewall: allow outgoing SSH connections over IPv6
* nodejs: rename source.list file

### Security
* evoadmin-web: change config.local.php file permissions
* evolinux-base: change default_www file permissions

## [9.1.3] 2017-12-08

### Added
* evolinux-base: install traceroute package
* evolinux-base/ntpd: purge openntpd
* tomcat: add Tomcat 8 cmpatibility
* log2mail: add "The total blob data length" pattern for MySQL
* nagios-nrpe: add bkctld check in evolix.cfg
* varnish: reload or restart if needed
* rabbitmq: add a munin plugin and an NRPE check
* minifirewall: add debug for variables
* elastic: option for stack main version

### Changed
* nginx: rename Let's Encrypt snippet
* nginx: simpler apt preferences for backports
* generate-ldif: add clamd service instead of clamav_db
* mysql: parameterize evolinux config files
* rbenv: use Rbenv 1.1.1 and Ruby 2.4.2 by default
* elasticsearch: update curator debian repository
* evoacme: crontab management
* evoacme: better documentation
* mongodb: comatible with Stretch

### Removed
* mongodb: logfile/pidfile are not configurable on Jessie
* minifirewall: remove zidane.evolix.net from HTTPSITES

### Fixed
* nginx: fix munin CGI graphs
* ntpd: fix default configuration (localhost only)
* logstash: fix permissions on pipeline configuration
* postfix/spamassassin: add user in cron job
* php: php.ini custom file are now readable
* hostname customization needs the dbus package

## [9.1.2] 2017-12-05

### Fixed
* listupgrade: remount /usr as rw

## [9.1.1] 2017-11-21

### Added
* amazon-ec2: add egress rules

### Fixed
* evoacme: fix multiple bugs

## [9.1.0] 2017-11-19

_Warning: huge release, many entries are missing below._

### Added
* amazon-ec2: new role, for EC2 instances creation
* Move /usr rw remount into remount-usr role
* kibana: host and basepath configuration
* kibana: move optimize and data to /var
* logstash: daily job for log rotation
* elasticsearch: daily job for log rotation
* roundcube: add link in default site index
* nagios-nrpe: add opendkim check

### Changed
* Combine evolix and additional trusted IP addresses
* amazon-ec2: split tasks
* apt: don't upgrade by default
* postfix: extract main.cf md5sum into variables
* evolinux-base: cache hwraid pgp key locally
* evoacme: improve cron task
* elasticsearch: use elastic.list APT source list for curator
* ldap: better variables

### Fixed
* fail2ban: create config hierarchy beforehand
* elasticsearch: fix datadir/tmpdir conditions
* elastic: remove double ".list" suffix
* nagios-nrpe: fix check_free_mem for OpenBSD 6.2
* nagios-nrpe: fix check_amavis

### Removed

### Security


## [9.0.1] 2017-10-02

### Added
* haproxy: add a Nagios check
* php: add "sury" mode for PHP 7.1 on Stretch
* minifirewall: explicit dependency on iptables
* apt: remove Gandi source files
* docker-host: new variable for docker home

### Changed
* php: install php5/php package after fpm/libapache2-mod-php

### Fixed
* mysql: add "REPLICATION CLIENT" privilege for nrpe
* evoadmin-web: revert from variables to keywords in the templates
* evoacme: many fixes
* etc-git: detect user if root (without su or sudo)
* docker-host: clean override of docker systemd unit
* varnish: fix systemd unit override

## [9.0.0] 2017-09-19

First official release