• 24.05 fe1e66f79c

    Release 24.05 Stable

    jlecour released this 2024-05-15 14:17:20 +02:00 | 2 commits to stable since this release

    Added

    • apt: add list-upgradable-held-packages.sh

    Changed

    • evobackup-client: upstream release 24.05.1
    • evolinux-base: improve adding the current user to SSH AllowGroups of AllowUsers
    • evolinux-users: improve SSH configuration
    • evomaintenance: upstream release 24.05
    • evomaintenance: move upstream files into upstream folder

    Fixed

    • apt: use archive.debian.org with Buster
    Downloads
  • 24.04 145b279a12

    Release 24.04 Stable

    jlecour released this 2024-04-30 17:42:57 +02:00 | 21 commits to stable since this release

    Added

    • proftpd: optional configuration of IP whitelists per groups of users

    Changed

    • autosysadmin-agent: upstream release 24.03.2
    • evobackup-client: replace non-functional role with install tasks
    • evobackup-client: upstream release 24.04.1
    • evolinux-base: Add new variable to disable global customisation of bash config
    • evolinux-base: Disable logcheck monitoring of journald only if journald.logfiles exists
    • evolinux-users: Add sudo mvcli for nagios user
    • haproxy: support bookworm for backport packages
    • nrpe: !disk1 exclude filesystem type overlay
    • postfix/amavis: max servers is now 3 (previously 2)
    • roundcube: Use /var/log/roundcube directly
    • vrrpd: configure and restart minifirewall before starting VRRP
    • vrrpd: configure minifirewall with blocks instead of lines

    Fixed

    • certbot: Fix HAPEE renewal hook
    • certbot: Fix HAProxy renewal hook
    • evolinux-base/logcheck: fix conf patch, journal check was not disabled when asked
    • fail2ban: SQLite purge script didn't vacuum as expected + error when vacuum cannot be done
    • keepalived: Fix tasks that use file instead of copy
    • memcached: Fix conditions not properly writen (installation was always in multi-instance mode)
    • nagios-nrpe: create /etc/bash_completion.d if missing
    • openvpn: install packages manually, because openbsd_pkg module is broken since OpenBSD 7.4 with the version of Ansible we currently use
    • packweb: fix old bug (2017!) .orig file created by module patch and taken in account by ProFTPd
    • redis: replace inline argument with environment variable for the password

    Removed

    • docker-host: Removed docker_conf_use_iptables variable (iptable usage forced to true)
    Downloads
  • 24.03 2a856d579e

    Release 24.03 Stable

    jlecour released this 2024-03-01 09:07:42 +01:00 | 63 commits to stable since this release

    Added

    • autosysadmin-agent: upstream release 24.03
    • autosysadmin-restart_nrpe: add role
    • certbot: Renewal hook for NRPE
    • kvm-host: add minifirewall rules if DRBD interface is configured

    Changed

    • apt: add ftp.evolix.org as recognized system source
    • autosysadmin-agent: logs clearing is done weekly
    • autosysadmin-agent: rename /usr/share/scripts/autosysadmin/{auto,restart}
    • certbot: use pkey to test the key
    • evolinux-base: execute autosysadmin-agent and autosysadmin-restart_nrpe roles
    • lxc-php, php: Update sury PGP key
    • openvpn: earlier alert for CA expiration
    • redis: create sysfs config file if missing

    Removed

    • autosysadmin: replaced by autosysadmin-agent
    Downloads
  • 24.02.1 9402458304

    jlecour released this 2024-02-08 11:10:12 +01:00 | 84 commits to stable since this release

    Fixed

    • fail2ban: fix Ansible syntax
    Downloads
  • 24.02 2f96151c70

    Release 24.02 Stable

    jlecour released this 2024-02-08 09:50:58 +01:00 | 87 commits to stable since this release

    Added

    • Support for PHP 8.3 with bookworm LXC containers
    • apt: add task file to install ELTS repository (default: False)
    • autosysadmin: Add a role to automatically deploy autosysadmin on evolixisation
    • check_free_space: added role
    • etc-git: add /var/chroot-bind/etc/bind repo
    • fail2ban: add script unban_ip
    • generateldif: new Services for check_pressure_{cpu,io,mem}
    • kvm-host: Automatically add an LVM filter when LVM is present
    • lxc-php: Allow one to install php83 on Bookworm container
    • minifirewall: Fix nagios check for old versions of minifirewall
    • mongodb: add gpg key for 7.0
    • nagios-nrpe: add check_sentinel for monitoring Redis Sentinel
    • nagios-nrpe: new check_pressure_{cpu,io,mem}
    • remount-usr: do not try to remount /usr RW if /usr is not a mounted partition
    • vrrpd: configure minifirewall
    • vrrpd: test if interface exists before deleting it
    • webapps/evoadmin-mail: package installed via public.evolix.org/evolix repo starting with Bookworm
    • webapps/nextcloud: Add condition for archive tasks
    • webapps/nextcloud: Add condition for config tasks
    • webapps/nextcloud: Added var nextcloud_user_uid to enforce uid for nextcloud user
    • webapps/nextcloud: Set ownership and permissions of data directory

    Changed

    • add-vm.sh: allow VM name max length > 20
    • amavis: make ldap_suffix mandatory
    • apache : fix goaway pattern for bad bots
    • apache : rename MaxRequestsPerChild to MaxConnectionsPerChild (new name)
    • apache: use backward compatible Redirect directive
    • apt: Disable archive repository for Debian 8
    • apt: Use the GPG version of the key for Debian 8-9
    • bind: Update role for Buster, Bullseye and Bookworm support
    • dovecot: add variables for LDAP
    • dovecot: Munin plugin conf path is now /etc/munin/plugin-conf.d/zzz-dovecot (instead of z-evolinux-dovecot)
    • evocheck: upstream release 24.01
    • evolinux-base: dump-server-state upstream release 23.11
    • evolinux-base: use separate default config file for rsyslog
    • kvmstats: use .capacity instead of .physical for disk size
    • ldap: make ldap_suffix mandatory
    • listupgrade : old-kernel-removal.sh upstream release 24.01
    • log2mail: move custom config in separate file
    • lxc: init /etc git repository in lxc container
    • mysql: disable performance schema for Debian 8
    • nagios: add dockerd check in nrpe check template
    • nagios: cleaning nrpe check template
    • nagios: rename var nagios_nrpe_process_processes into nagios_nrpe_processes and check systemd-timesyncd instead of ntpd in Debian 12
    • proftpd: in SFTP vhost, enable SSH keys login, enable ed25549 host key for Debian >= 11
    • redis: manage config template inside a block, to allow custom modifications outside
    • spamassassin: Use spamd starting with Bookworm
    • squid: config directory seems to have changed from /etc/squid3 to /etc/squid in Debian 8
    • unbound: Add config file to allow configuration reload on Debian 11 and lower
    • unbound: Add munin configuration & setup plugin
    • unbound: Big cleanup
    • unbound: Move generated config file to /etc/unbound/unbound.conf.d/evolinux.conf
    • unbound: Use root hints provided by debian package dns-root-data instead of downloading them
    • vrrpd: replace switch script with custom one (fix MAC issue, use ip(8), shell cleanup…)
    • vrrpd: variable to force update the switch script (default: false)
    • webapps/nextcloud: Add Ceph volume to fstab
    • webapps/nextcloud: Set home directory's mode

    Fixed

    • Add php-fpm82 to LDAP when relevant
    • Check stat.exists before stat.isdir
    • apache: fix MaxRequestsPerChild value to be sync with wiki.e.o
    • apt: use archive.debian.org with Stretch
    • certbot: fix hook for dovecot when more than one certificate is used (eg. different certificates for POP3 and IMAP)
    • dovecot: add missing LDAP conf iterate_filter to exclude disabled accounts in users list (caused « User no longer exists » errors in commands listing users like « doveadm user -u '' » or « doveadm expunge -u "" mailbox INBOX savedbefore 7d »).
    • dovecot: fix missing default mails
    • dovecot: fix plugin dovecot1
    • evoadmin-web: Fix PHP version for Bookworm
    • evolinux-base: fix hardware.yml (wrong repo, missing update cache)
    • evolinux-base: start to install linux-image-cloud-amd64 with Buster
    • fail2ban: fix template marker
    • minifirewall: ports 25, 53, 443, 993, 995 not opened publicly by default anymore, ports 20, 21, 110, 143 not opened semi-publicly by default anymore.
    • nagios: fix default file to monitor for check_clamav_db
    • nginx: add "when: not ansible_check_mode" in various tasks to prevent fail in check mode
    • nginx: fix mistake between "check_mode: no" and "when: not ansible_check_mode" (fail in check mode)
    • nginx: fix mistake between "check_mode: no" and "when: not ansible_check_mode" (fail in check mode)
    • nginx: keep indentation
    • nginx: take care of « already defined » and « not yet defined » server status suffix in check mode
    • php: Bullseye/Sury > Honor the php_version asked in the pub.evolix.org repository
    • php: drop apt_preferences(5) file for sury
    • postfix: remove dependency on evolinux_fqdn var
    • proftpd: set missing default listen IP for SFTP
    • roundcube: set default SMTP port to 25 instead of 587, which failed because of missing SSL conf (local connexion does not need SSL)
    • ssl: no not execute haproxy tasks and reload if haproxy is disabled
    • unbound: Add a apt cache validity to enforce an apt update if needed
    • webapps/nextcloud: added check that nextcloud uid is over 3000
    • webapps/nextcloud: fix Add Ceph volume to fstab : missing UUID= in src
    • webapps/nextcloud: fix misplaced gid attribute
    • webapps/nextcloud: fix missing gid
    • webapps/roundcube & evoadminmail: make roles more idempotent (were failing when played twice)
    • amavis: Add variables for generate "ldap_suffix"
    • proftpd: fix error when no SSH key is provided

    Removed

    • evolinux-base: no need to remove update-evobackup-canary from sbin anymore
    • evolinux-base: no need to symlink backup-server-state to dump-server-state anymore
    Downloads
  • 23.10 198f3fab0a

    Release 23.10 Stable

    jlecour released this 2023-10-14 07:55:17 +02:00 | 240 commits to stable since this release

    Added

    • apt: disable NonFreeFirmware warning for VM on Debian 12+
    • apt: explicit signed-by directives for official sources
    • bind: add reload-zone helper
    • certbot: deploy-hook for proftpd
    • docker-host: added var for user namespace setting
    • dovecot: add Munin plugins dovecot1 and dovecot_stats (patched)
    • dovecot: fix old_stats plugin for Dovecot 2.3
    • evocheck: add support for Debian >= 12 split SSH configuration
    • evolinux-base: add split SSH configuration for Debian >= 12
    • evolinux-base: configure .bashrc for all users
    • evolinux-base: New variable evolinux_system_include_ntpd to chose wether or not to include ntpd role
    • evolinux-base: reboot the server if the Cloud kernel has been installed
    • evolinux-users: add split SSH configuration for Debian >= 12
    • evolinux: install HPE Agentless Management Service (amsd)
    • fail2ban: add default variable fail2ban_dbpurgeage_default
    • fail2ban: add fail2ban_sshd_port variable to configure sshd port
    • kvm-host: release 23.10 for migrate-vm.sh
    • metricbeat/logstash: fix Ansible syntax
    • mysql: new munin graph to follow binlog_days over time
    • nagios-nrpe: add a NRPE check-local command with completion.
    • nagios-nrpe: add a proper monitoring plugin for GlusterFS (on servers, not for clients)
    • php: add new variable to disable overriding settings of php-fpm default pool (www)
    • policy_pam: New role to manage password policy with pam_pwquality & pam_pwhistory
    • userlogrotate: add a userlogpurge script disabled by default
    • userlogrotate: new version, with separate conf file
    • userlogrotate: rotate also php.log
    • java: allow version 17
    • timesyncd: new role, used instead of ntpd by default starting with Debian 12

    Changed

    • all: change syntax "become: [yes,no]" → "become: [true,false]"
    • all: change syntax "force: [yes,no]" → "force: [true,false]"
    • elasticsearch: improve networking configuration
    • evolinux-base: include files under sshd_config.d
    • evolinux-users: remove Stretch references in tasks that also apply to next Debian versions
    • evomaintenance: upstream release 23.10.1
    • lxc-php: change LXC container in bookworm for php82
    • minifirewall: update nrpe script to check active configuration
    • minifirewall: upstream release 23.07
    • mysql: improve shell syntax for mysql_skip script
    • nagios-nrpe: set default check_load --per-cpu for BSD
    • pgbouncer: minor fixes
    • postfix (packmail or when postfix_slow_transport_include is True): change miniprofmal_backoff_time from 2h to 15m (see HowtoPostfix)
    • postfix (packmail) : optimize Amavis integration
    • postfix: disable sending mails via IPv6
    • postfix: new spam.sh update script that avoids reloading if files did not change.
    • postgresql: fix file postgresql.pref.j2 for exclude package
    • postgresql: fix task update apt cache for PGDG repo
    • redis: standardize plugins path from /usr/local/share/munin/ to /usr/local/lib/munin/plugins/
    • varnish: allow the systemd template to be overridden with a template outside of the role
    • lxc: purge openssh-server from container on install

    Fixed

    • elasticsearch: comment the Xlog:gc line instead of changing it completely
    • evocheck: fix IS_SSHALLOWUSERS condition
    • evolinux-base, evolinux-users: Fix files mode under /etc/ssh/sshd_config.d
    • evolinux-base: fix file extension
    • fail2ban: fix cron fail2ban_dbpurge (should be bash instead of sh)
    • lxc-php: fix APT keyring path inside containers
    • nagios-nrpe: check_ssl_local now has an output that nrpe can understand when it isn't OK
    • nagios-nrpe: remount /usr after installing the packages
    • nagios-nrpe: sync Redis check from redis roles
    • nginx: set default server directive in default vhost
    • opendkim: update apt cache before install
    • packweb-apache,nagios-nrpe: add missing task and config for PHP 8.2 container
    • postfix: add missing localhost.$mydomain to mydestination
    • redis: replace erroneous ini_file module for Munin config, fix dedicated Munin config filename (z-XXX).
    • evolinux-base: use lineinfile instead of replace under root task
    • evolinux-base: Corriger autorisation pour evolinux_user
    • docker-host: Retirer directive state en trop
    • rbenv: Installer libyaml-dev

    Removed

    • dovecot: remove Munin plugin dovecot (not working)
    Downloads
  • 23.04 a10cff94d0

    Release 23.04 Stable

    jlecour released this 2023-04-23 10:51:41 +02:00 | 425 commits to stable since this release

    Added

    • graylog: new role
    • lxc-php: add support for PHP 8.2 container

    Changed

    • Use FQCN (Fully Qualified Collection Name)
    • apt: with Debian 12, backports are installed but disabled by default
    • openvpn: updated the README file
    • pgbouncer: add handler to restart the service

    Fixed

    • generate-ldif: Support for Debian 12
    Downloads
  • 23.03.1 7052b7bd1e

    jlecour released this 2023-03-16 22:18:53 +01:00 | 472 commits to stable since this release

    Added

    • pgbouncer: new role

    Changed

    • apt: deb822 migration python script is looked relative to shell script
    • listupgrade: remove old typo version of the cron task
    • minifirewall: support protocols in numeric form
    Downloads
  • 23.03 8e4e77cb8b

    Release 23.03 Stable

    jlecour released this 2023-03-16 15:00:03 +01:00 | 479 commits to stable since this release

    Added

    • apache: add task to enable mailgraph on default vhost and index.html
    • apt: add move-apt-keyrings script/tasks
    • apt: add tools to migrate sources to deb822 format
    • fail2ban: add "Internal login failure" to Dovecot filter
    • lxc: copy /etc/profile.d/evolinux.sh from host into container
    • nagios-nrpe: add tasks/files for a wrapper
    • nagios-nrpe: Print pool config path in check_phpfpm_multi output
    • php: add php_version variable when sury is activated for each Debian version
    • php: add a way to choose which version to install using sury repository
    • postfix: Add task to enable mailgraph on packmail
    • postgresql: configure max_connections
    • userlogrotate: create dedicated role, separated from packweb-apache
    • varnish: add varnish_update_config variable to disable configuration update

    Changed

    • Use systemd module instead of command
    • Removed all warn: False args in command, shell and other modules as it's been deprecated and will give a hard fail in ansible-core 2.14.0.
    • apt: Use pub.evolix.org instead of pub.evolix.net
    • bind: refactor role
    • elasticsearch: Disable garabge collector logging (JDK >= 9)
    • evolinux-users: Update sudoers template to remove commands allowed without password
    • listupgrade: upstream release 23.03.3
    • kvmstats: use virsh domstats | awk to get guests informations
    • nagios-nrpe : Rewrite check_vrrpd for a better check (check rp_filter, vrrpd and uvrrpd compatible, use arguments, …)
    • openvpn: Change check_openvpn destination file to comply with recent EvoBSD change
    • postfix: come back to default value of notify_classes for pack mails.
    • userlogrotate: set rotate date format in right order (YYYY-MM-DD)!
    • webapps/nextcloud : Change default data directory to be outside web root
    • webapps/nextcloud : Small enhancement on the vhost template to lock out data dir
    • yarn: update apt key

    Fixed

    • Proper jinja spacing
    • clamav: set MaxConnectionQueueLength to its default value (200), custom (15) was way too small and caused recurring failures in Postfix.
    • docker-host: fix type in daemon.json and remove host configuration that is already in the systemd service by default
    • evolinux-base: ensure dbus is started and enabled (not by default in the case of an offline netinst)
    • haproxy: fix missing admin ACL in stats module access permissions
    • openvpn: fix the client cipher configuration to match the server cipher configuration
    • php: fix error introduced in #33503e4538 (False evaluated as a String instead of Boolean)
    • php: install using Sury repositories on Bullseye
    • postfix (packmail only): disable concurrency_failed_cohort_limit for destination smtp-amavis to prevent the suspension of this destination when Amavis fails to answer. Indeed, we configure the suspension delay quite long in minimal_backoff_time (2h) and maximal_backoff_time (6h) to reduce the risk of ban from external SMTPs.
    • postfix: avoid Amavis transport to be considered dead when restarted.
    • postfix: remove unused aliases_scope=sub from virtual_aliases.cf (it generated warnings)
    • userlogrotate: fix bug introduced in commit 2e54944a24 (rotated files were not zipped)
    • userlogrotate: skip zipping if .gz log already exists (prevents interactive question)

    Removed

    • evolinux-base: subversion is not installed anymore
    Downloads
  • 22.12 e1e4f39778

    Release 22.12 Stable

    jlecour released this 2022-12-14 12:04:12 +01:00 | 584 commits to stable since this release

    Added

    • all: add signed-by option for additional APT sources
    • all: preliminary work to support Debian 12
    • all: use proper keyrings directory for APT version
    • evolinux-base: replace regular kernel by cloud kernel on virtual servers
    • lxc-php: set php-fpm umask to 007
    • nagios-nrpe: check_ceph_*
    • nagios-nrpe: check_haproxy_stats supports DRAIN status
    • packweb-apache: enable log_forensic module
    • rabbitmq: add link in default page
    • varnish: create special tmp directory for syntax validation

    Changed

    • certbot: auto-detect HAPEE version in renewal hook
    • evocheck: install script according to Debian version
    • evolinux-base: utils.yml can be excluded
    • evolinux-todo: execute tasks only for Debian distribution (because this task is a dependency for others roles used on different distributions)
    • evolinux-user: add sudoers privilege for check php_fpm81
    • evomaintenance: allow missing API endpoint if APi is disabled
    • java: use default JRE package when version is not specified
    • keepalived: change exit code (warning if running but not on expected state ; critical if not running)
    • listupgrade: better detection for PostgreSQL
    • listupgrade: sort/uniq of packages/services lists in email template
    • lxc-solr: detect the real partition options
    • lxc-solr: download URL according to Solr Version
    • lxc-solr: set homedir and port at install
    • minifirewall: whitelist deb.freexian.com
    • openvpn: shellpki upstream release 22.12.2
    • openvpn: specifies that the mail for expirations is for OpenVPN
    • packweb-apache: manual dependencies resolution
    • redis: some values should be quoted
    • redis: variable to disable transparent hugepage (default: do nothing)
    • squid: whitelist deb.freexian.com
    • varnish: better package facts usage with check mode and tags
    • varnish: systemd override depends on Varnish version instead of Debian version

    Fixed

    • evolinux-user: Fix sudoers privilege for check php_fpm80
    • nagios-nrpe: Fix check opendkim for recent change in listening port
    • openvpn: Fix mode of shellpki script
    • proftpd: Fix format of public key files controlled by Ansible
    • proftpd: Fix mode of public key directory and files (they have to be accessible by proftpd:nobody)
    • varnish: fix missing state, that blocked the task

    Removed

    • openvpn: Deleted the task fixing the CRL rights since it has been fixed in upstream
    Downloads