62 KiB

Raw Permalink Blame History

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog.

This project does not follow semantic versioning. The major part of the version is the year The minor part is the month The patch part is incremented if multiple releases happen the same month

[Unreleased]

Added

Changed

autosysadmin-agent: upstream release 24.03.2
evolinux-base: Add new variable to disable global customisation of bash config
evolinux-base: Disable logcheck monitoring of journald only if journald.logfiles exists
evolinux-users: Add sudo mvcli for nagios user
haproxy: support bookworm for backport packages
nrpe: !disk1 exclude filesystem type overlay
postfix/amavis: max servers is now 3 (previously 2)
roundcube: Use /var/log/roundcube directly
vrrpd: configure and restart minifirewall before starting VRRP
vrrpd: configure minifirewall with blocks instead of lines

Fixed

certbot: Fix HAProxy renewal hook
keepalived: Fix tasks that use file instead of copy
memcached: Fix conditions not properly writen (installation was always in multi-instance mode)
fail2ban: SQLite purge script didn't vacuum as expected + error when vacuum cannot be done
nagios-nrpe: create /etc/bash_completion.d if missing
packweb: fix old bug (2017!) .orig file created by module patch and taken in account by ProFTPd
redis: replace inline argument with environment variable for the password
evolinux-base/logcheck: fix conf patch, journal check was not disabled when asked
openvpn: install packages manually, because openbsd_pkg module is broken since OpenBSD 7.4 with the version of Ansible we currently use

Removed

docker-host: Removed setting docker_conf_use_iptables (iptable usage forced to true)

Security

[24.03] 2024-03-01

Added

autosysadmin-agent: upstream release 24.03
autosysadmin-restart_nrpe: add role
certbot: Renewal hook for NRPE
kvm-host: add minifirewall rules if DRBD interface is configured
proftpd: add whitelist ip

Changed

apt: add ftp.evolix.org as recognized system source
autosysadmin-agent: logs clearing is done weekly
autosysadmin-agent: rename /usr/share/scripts/autosysadmin/{auto,restart}
certbot: use pkey to test the key
evolinux-base: execute autosysadmin-agent and autosysadmin-restart_nrpe roles
lxc-php, php: Update sury PGP key
openvpn: earlier alert for CA expiration
redis: create sysfs config file if missing
nextcloud: use latest version by default

Removed

autosysadmin: replaced by autosysadmin-agent

[24.02.1] 2024-02-08

Fixed

fail2ban: fix Ansible syntax

[24.02] 2024-02-08

Added

Support for PHP 8.3 with bookworm LXC containers
apt: add task file to install ELTS repository (default: False)
autosysadmin: Add a role to automatically deploy autosysadmin on evolixisation
check_free_space: added role
etc-git: add /var/chroot-bind/etc/bind repo
fail2ban: add script unban_ip
generateldif: new Services for check_pressure_{cpu,io,mem}
kvm-host: Automatically add an LVM filter when LVM is present
lxc-php: Allow one to install php83 on Bookworm container
minifirewall: Fix nagios check for old versions of minifirewall
mongodb: add gpg key for 7.0
nagios-nrpe: add check_sentinel for monitoring Redis Sentinel
nagios-nrpe: new check_pressure_{cpu,io,mem}
remount-usr: do not try to remount /usr RW if /usr is not a mounted partition
vrrpd: configure minifirewall
vrrpd: test if interface exists before deleting it
webapps/evoadmin-mail: package installed via public.evolix.org/evolix repo starting with Bookworm
webapps/nextcloud: Add condition for archive tasks
webapps/nextcloud: Add condition for config tasks
webapps/nextcloud: Added var nextcloud_user_uid to enforce uid for nextcloud user
webapps/nextcloud: Set ownership and permissions of data directory

Changed

add-vm.sh: allow VM name max length > 20
amavis: make ldap_suffix mandatory
apache : fix goaway pattern for bad bots
apache : rename MaxRequestsPerChild to MaxConnectionsPerChild (new name)
apache: use backward compatible Redirect directive
apt: Disable archive repository for Debian 8
apt: Use the GPG version of the key for Debian 8-9
bind: Update role for Buster, Bullseye and Bookworm support
dovecot: add variables for LDAP
dovecot: Munin plugin conf path is now /etc/munin/plugin-conf.d/zzz-dovecot (instead of z-evolinux-dovecot)
evocheck: upstream release 24.01
evolinux-base: dump-server-state upstream release 23.11
evolinux-base: use separate default config file for rsyslog
kvmstats: use .capacity instead of .physical for disk size
ldap: make ldap_suffix mandatory
listupgrade : old-kernel-removal.sh upstream release 24.01
log2mail: move custom config in separate file
lxc: init /etc git repository in lxc container
mysql: disable performance schema for Debian 8
nagios: add dockerd check in nrpe check template
nagios: cleaning nrpe check template
nagios: rename var nagios_nrpe_process_processes into nagios_nrpe_processes and check systemd-timesyncd instead of ntpd in Debian 12
nagios: add option --full to check pressure IO and mem to avoid flaps
proftpd: in SFTP vhost, enable SSH keys login, enable ed25549 host key for Debian >= 11
redis: manage config template inside a block, to allow custom modifications outside
spamassassin: Use spamd starting with Bookworm
squid: config directory seems to have changed from /etc/squid3 to /etc/squid in Debian 8
unbound: Add config file to allow configuration reload on Debian 11 and lower
unbound: Add munin configuration & setup plugin
unbound: Big cleanup
unbound: Move generated config file to /etc/unbound/unbound.conf.d/evolinux.conf
unbound: Use root hints provided by debian package dns-root-data instead of downloading them
vrrpd: replace switch script with custom one (fix MAC issue, use ip(8), shell cleanup…)
vrrpd: variable to force update the switch script (default: false)
webapps/nextcloud: Add Ceph volume to fstab
webapps/nextcloud: Set home directory's mode

Fixed

Add php-fpm82 to LDAP when relevant
Check stat.exists before stat.isdir
apache: fix MaxRequestsPerChild value to be sync with wiki.e.o
apt: use archive.debian.org with Stretch
certbot: fix hook for dovecot when more than one certificate is used (eg. different certificates for POP3 and IMAP)
dovecot: add missing LDAP conf iterate_filter to exclude disabled accounts in users list (caused « User no longer exists » errors in commands listing users like « doveadm user -u '' » or « doveadm expunge -u "" mailbox INBOX savedbefore 7d »).
dovecot: fix missing default mails
dovecot: fix plugin dovecot1
evoadmin-web: Fix PHP version for Bookworm
evolinux-base: fix hardware.yml (wrong repo, missing update cache)
evolinux-base: start to install linux-image-cloud-amd64 with Buster
fail2ban: fix template marker
minifirewall: ports 25, 53, 443, 993, 995 not opened publicly by default anymore, ports 20, 21, 110, 143 not opened semi-publicly by default anymore.
nagios: fix default file to monitor for check_clamav_db
nginx: add "when: not ansible_check_mode" in various tasks to prevent fail in check mode
nginx: fix mistake between "check_mode: no" and "when: not ansible_check_mode" (fail in check mode)
nginx: fix mistake between "check_mode: no" and "when: not ansible_check_mode" (fail in check mode)
nginx: keep indentation
nginx: take care of « already defined » and « not yet defined » server status suffix in check mode
php: Bullseye/Sury > Honor the php_version asked in the pub.evolix.org repository
php: drop apt_preferences(5) file for sury
postfix: remove dependency on evolinux_fqdn var
proftpd: set missing default listen IP for SFTP
roundcube: set default SMTP port to 25 instead of 587, which failed because of missing SSL conf (local connexion does not need SSL)
ssl: no not execute haproxy tasks and reload if haproxy is disabled
unbound: Add a apt cache validity to enforce an apt update if needed
webapps/nextcloud: added check that nextcloud uid is over 3000
webapps/nextcloud: fix Add Ceph volume to fstab : missing UUID= in src
webapps/nextcloud: fix misplaced gid attribute
webapps/nextcloud: fix missing gid
webapps/roundcube & evoadminmail: make roles more idempotent (were failing when played twice)
amavis: Add variables for generate "ldap_suffix"
proftpd: fix error when no SSH key is provided

Removed

evolinux-base: no need to remove update-evobackup-canary from sbin anymore
evolinux-base: no need to symlink backup-server-state to dump-server-state anymore

[23.10] 2023-10-14

Added

apt: disable NonFreeFirmware warning for VM on Debian 12+
apt: explicit signed-by directives for official sources
bind: add reload-zone helper
certbot: deploy-hook for proftpd
docker-host: added var for user namespace setting
dovecot: add Munin plugins dovecot1 and dovecot_stats (patched)
dovecot: fix old_stats plugin for Dovecot 2.3
evocheck: add support for Debian >= 12 split SSH configuration
evolinux-base: add split SSH configuration for Debian >= 12
evolinux-base: configure .bashrc for all users
evolinux-base: New variable evolinux_system_include_ntpd to chose wether or not to include ntpd role
evolinux-base: reboot the server if the Cloud kernel has been installed
evolinux-users: add split SSH configuration for Debian >= 12
evolinux: install HPE Agentless Management Service (amsd)
fail2ban: add default variable fail2ban_dbpurgeage_default
fail2ban: add fail2ban_sshd_port variable to configure sshd port
kvm-host: release 23.10 for migrate-vm.sh
metricbeat/logstash: fix Ansible syntax
mysql: new munin graph to follow binlog_days over time
nagios-nrpe: add a NRPE check-local command with completion.
nagios-nrpe: add a proper monitoring plugin for GlusterFS (on servers, not for clients)
php: add new variable to disable overriding settings of php-fpm default pool (www)
policy_pam: New role to manage password policy with pam_pwquality & pam_pwhistory
userlogrotate: add a userlogpurge script disabled by default
userlogrotate: new version, with separate conf file
userlogrotate: rotate also php.log
java: allow version 17
timesyncd: new role, used instead of ntpd by default starting with Debian 12

Changed

all: change syntax "become: [yes,no]" → "become: [true,false]"
all: change syntax "force: [yes,no]" → "force: [true,false]"
elasticsearch: improve networking configuration
evolinux-base: include files under sshd_config.d
evolinux-users: remove Stretch references in tasks that also apply to next Debian versions
evomaintenance: upstream release 23.10.1
lxc-php: change LXC container in bookworm for php82
minifirewall: update nrpe script to check active configuration
minifirewall: upstream release 23.07
mysql: improve shell syntax for mysql_skip script
nagios-nrpe: set default check_load --per-cpu for BSD
pgbouncer: minor fixes
postfix (packmail or when postfix_slow_transport_include is True): change miniprofmal_backoff_time from 2h to 15m (see HowtoPostfix)
postfix (packmail) : optimize Amavis integration
postfix: disable sending mails via IPv6
postfix: new spam.sh update script that avoids reloading if files did not change.
postgresql: fix file postgresql.pref.j2 for exclude package
postgresql: fix task update apt cache for PGDG repo
redis: standardize plugins path from /usr/local/share/munin/ to /usr/local/lib/munin/plugins/
varnish: allow the systemd template to be overridden with a template outside of the role
lxc: purge openssh-server from container on install

Fixed

elasticsearch: comment the Xlog:gc line instead of changing it completely
evocheck: fix IS_SSHALLOWUSERS condition
evolinux-base, evolinux-users: Fix files mode under /etc/ssh/sshd_config.d
evolinux-base: fix file extension
fail2ban: fix cron fail2ban_dbpurge (should be bash instead of sh)
lxc-php: fix APT keyring path inside containers
nagios-nrpe: check_ssl_local now has an output that nrpe can understand when it isn't OK
nagios-nrpe: remount /usr after installing the packages
nagios-nrpe: sync Redis check from redis roles
nginx: set default server directive in default vhost
opendkim: update apt cache before install
packweb-apache,nagios-nrpe: add missing task and config for PHP 8.2 container
postfix: add missing localhost.$mydomain to mydestination
redis: replace erroneous ini_file module for Munin config, fix dedicated Munin config filename (z-XXX).
evolinux-base: use lineinfile instead of replace under root task
evolinux-base: Corriger autorisation pour evolinux_user
docker-host: Retirer directive state en trop
rbenv: Installer libyaml-dev

Removed

dovecot: remove Munin plugin dovecot (not working)

[23.04] 2023-04-23

Added

graylog: new role
lxc-php: add support for PHP 8.2 container

Changed

Use FQCN (Fully Qualified Collection Name)
apt: with Debian 12, backports are installed but disabled by default
openvpn: updated the README file
pgbouncer: add handler to restart the service

Fixed

generate-ldif: Support for Debian 12

[23.03.1] 2023-03-16

Added

pgbouncer: new role

Changed

apt: deb822 migration python script is looked relative to shell script
listupgrade: remove old typo version of the cron task
minifirewall: support protocols in numeric form

[23.03] 2023-03-16

Added

apache: add task to enable mailgraph on default vhost and index.html
apt: add move-apt-keyrings script/tasks
apt: add tools to migrate sources to deb822 format
fail2ban: add "Internal login failure" to Dovecot filter
lxc: copy /etc/profile.d/evolinux.sh from host into container
nagios-nrpe: add tasks/files for a wrapper
nagios-nrpe: Print pool config path in check_phpfpm_multi output
php: add php_version variable when sury is activated for each Debian version
php: add a way to choose which version to install using sury repository
postfix: Add task to enable mailgraph on packmail
postgresql: configure max_connections
userlogrotate: create dedicated role, separated from packweb-apache
varnish: add varnish_update_config variable to disable configuration update

Changed

Use systemd module instead of command
Removed all warn: False args in command, shell and other modules as it's been deprecated and will give a hard fail in ansible-core 2.14.0.
apt: Use pub.evolix.org instead of pub.evolix.net
bind: refactor role
elasticsearch: Disable garabge collector logging (JDK >= 9)
evolinux-users: Update sudoers template to remove commands allowed without password
listupgrade: upstream release 23.03.3
kvmstats: use virsh domstats | awk to get guests informations
nagios-nrpe : Rewrite check_vrrpd for a better check (check rp_filter, vrrpd and uvrrpd compatible, use arguments, …)
openvpn: Change check_openvpn destination file to comply with recent EvoBSD change
postfix: come back to default value of notify_classes for pack mails.
userlogrotate: set rotate date format in right order (YYYY-MM-DD)!
webapps/nextcloud : Change default data directory to be outside web root
webapps/nextcloud : Small enhancement on the vhost template to lock out data dir
yarn: update apt key

Fixed

Proper jinja spacing
clamav: set MaxConnectionQueueLength to its default value (200), custom (15) was way too small and caused recurring failures in Postfix.
docker-host: fix type in daemon.json and remove host configuration that is already in the systemd service by default
evolinux-base: ensure dbus is started and enabled (not by default in the case of an offline netinst)
haproxy: fix missing admin ACL in stats module access permissions
openvpn: fix the client cipher configuration to match the server cipher configuration
php: fix error introduced in #33503e4538 (False evaluated as a String instead of Boolean)
php: install using Sury repositories on Bullseye
postfix (packmail only): disable concurrency_failed_cohort_limit for destination smtp-amavis to prevent the suspension of this destination when Amavis fails to answer. Indeed, we configure the suspension delay quite long in minimal_backoff_time (2h) and maximal_backoff_time (6h) to reduce the risk of ban from external SMTPs.
postfix: avoid Amavis transport to be considered dead when restarted.
postfix: remove unused aliases_scope=sub from virtual_aliases.cf (it generated warnings)
userlogrotate: fix bug introduced in commit 2e54944a24 (rotated files were not zipped)
userlogrotate: skip zipping if .gz log already exists (prevents interactive question)

Removed

evolinux-base: subversion is not installed anymore

[22.12] 2022-12-14

Added

all: add signed-by option for additional APT sources
all: preliminary work to support Debian 12
all: use proper keyrings directory for APT version
evolinux-base: replace regular kernel by cloud kernel on virtual servers
lxc-php: set php-fpm umask to 007
nagios-nrpe: check_ceph_*
nagios-nrpe: check_haproxy_stats supports DRAIN status
packweb-apache: enable log_forensic module
rabbitmq: add link in default page
varnish: create special tmp directory for syntax validation
postfix: add localhost.$mydomain to mydestination

Changed

certbot: auto-detect HAPEE version in renewal hook
evocheck: install script according to Debian version
evolinux-base: utils.yml can be excluded
evolinux-todo: execute tasks only for Debian distribution (because this task is a dependency for others roles used on different distributions)
evolinux-user: add sudoers privilege for check php_fpm81
evomaintenance: allow missing API endpoint if APi is disabled
java: use default JRE package when version is not specified
keepalived: change exit code (warning if running but not on expected state ; critical if not running)
listupgrade: better detection for PostgreSQL
listupgrade: sort/uniq of packages/services lists in email template
lxc-solr: detect the real partition options
lxc-solr: download URL according to Solr Version
lxc-solr: set homedir and port at install
minifirewall: whitelist deb.freexian.com
openvpn: shellpki upstream release 22.12.2
openvpn: specifies that the mail for expirations is for OpenVPN
packweb-apache: manual dependencies resolution
redis: some values should be quoted
redis: variable to disable transparent hugepage (default: do nothing)
squid: whitelist deb.freexian.com
varnish: better package facts usage with check mode and tags
varnish: systemd override depends on Varnish version instead of Debian version

Fixed

evolinux-user: Fix sudoers privilege for check php_fpm80
nagios-nrpe: Fix check opendkim for recent change in listening port
openvpn: Fix mode of shellpki script
proftpd: Fix format of public key files controlled by Ansible
proftpd: Fix mode of public key directory and files (they have to be accessible by proftpd:nobody)
varnish: fix missing state, that blocked the task

Removed

openvpn: Deleted the task fixing the CRL rights since it has been fixed in upstream

[22.09] 2022-09-19

Added

evolinux_users: create only users who have a certain value for the create key (default: always).
php: install php-xml with recent PHP versions
vrrp: add an ip.yml task file to help create VRRP addresses
webapps/nextcloud: Add compatibility with apache2, and apache2 mod_php.
memcached: NRPE check for multi-instance setup
munin: Add ipmi_ plugins on dedicated hardware
proftpd: Add options to override configs (and add a warning if file was overriden)
proftpd: Allow user auth with ssh keys

Changed

evocheck: upstream release 22.09
evolinux-base: update-evobackup-canary upstream release 22.06
generate-ldif: Support any MariaDB version
minifirewall: use handlers to restart minifirewall
openvpn: automate the initialization of the CA and the creation of the server certificate ; use openssl_dhparam module instead of a command
generate-ldif: support any version of MariaDB (instead of only 10.0, 10.1 and 10.3)
openvpn: Run OpenVPN with the _openvpn user and group instead of nobody which is originally for NFS
nagios-nrpe: Upgrade check_mongo

Fixed

fail2ban: fix dovecot-evolix regex syntax
haproxy: make it so that munin doesn't break if there is a non default haproxy_stats_path
mysql: Add missing Munin conf for Debian 11
redis: config directory must be owned by the user that runs the service (to be able to write tmp config files in it)
varnish: make -j <jail_config> the first argument on jessie/stretch as it has to be the first argument there.
webapps/nextcloud: Add missing dependencies for imagick

Removed

evocheck: remove failure if deprecated variable is used
webapps/nextcloud: Drop support for Nginx

[22.07.1] 2022-07-28

Changed

evocheck: upstream release 22.07
evomaintenance: upstream release 22.07
mongodb: replace version_compare() with version()
nagios-nrpe: check_disk1 returns only alerts
nagios-nrpe: use regexp to exclude paths/devices in check_disk1

[22.07] 2022-07-08

Added

fail2ban: Ensure apply dbpurgeage from stretch and buster

[22.07] 2022-07-06

Added

evolinux-base: session timeout is configurable (default: 36000 seconds = 10 hours)
haproxy: add haproxy_allow_ip_nonlocal_bind to set sysctl value (optional)
kvm-host: fix depreciation of "drbd-overview" by "drbdadm status" in add-vm.sh
openvpn: configure logrotate

Changed

openvpn: minimal rights on /etc/shellpki/ and crl.pem

Fixed

evolinux-base: Update PermitRootLogin task to work on Debian 11
evolinux-user: Update PermitRootLogin task to work on Debian 11
minifirewall: docker mode is configurable

[22.06.3] 2022-06-17

Changed

evolinux-base: blacklist and do not install megaclisas-status package on incompatible servers

[22.06.2] 2022-06-10

Added

postgresql: add variable to configure binding addresses (default: 127.0.0.1)

Changed

evocheck: upstream release 22.06.2
fail2ban: Give the possibility to override jail.local (with fail2ban_override_jaillocal)
fail2ban: If jail.local was overriden, add a warning
fail2ban: Allow to tune some jail settings (maxretry, bantime, findtime) with ansible
fail2ban: Allow to tune the default action with ansible
fail2ban: Change default action to ban only (instead of ban + mail with whois report)
fail2ban: Configure recidive jail (off by default) + extend dbpurgeage
redis: binding is possible on multiple interfaces (breaking change)

Fixed

Enforce String notation for mode
postgresql: fix nested loop for Munin plugins
postgresql: Fix task order when using pgdg repo
postgresql: Install the right pg version

[22.06.1] 2022-06-06

Changed

evocheck: upstream release 22.06.1
minifirewall: upstream release 22.06
mysql: evomariabackup release 22.06.1
mysql: reorganize evomariabackup to use mtree instead of our own dir-check

[22.06] 2022-06-03

Added

certbot: add hapee (HAProxy Enterprise Edition) deploy hook
evolinux-base: add dir-check script
evolinux-base: add update-evobackup-canary script
mysql: add post-backup-hook to evomariabackup
mysql: use dir-check inside evomariabackup

Changed

docker: Allow "live-restore" to be toggled with docker_conf_live_restore
evocheck: upstream release 22.06
evolinux-base: Replacement of variable evolinux_packages_hardware by ansible_virtualization_role == "host" automatize host type detection and avoids installing smartd & other on VM.
minifirewall: tail template follows symlinks
mysql: add "set crypt_use_gpgme=no" Mutt option, for mysqltuner

Fixed

Role postfix: Add missing localhost.localdomain localhost to mydestination variable which caused undelivered of some local mails.

[22.05.1] 2022-05-12

Added

docker: Introduce new default settings + allow to change the docker data directory
docker: Introduce new variables to tweak daemon settings

Changed

evocheck: Upstream release 22.05

Removed

docker: Removed Debian Jessie support

[22.05] 2022-05-10

Added

etc-git: use "ansible-commit" to efficiently commit all available repositories (including /etc inside LXC) from Ansible
minifirewall: compatibility with "legacy" version of minifirewall
minifirewall: configure proxy/backup/sysctl values
munin: Add possibility to install local plugins, and install dhcp_pool plugin
nagios-nrpe: Add a check dhcp_pool
redis: Activate overcommit sysctl
redis: Add log2mail user to redis group

Changed

dump-server-state: upstream release 22.04.3
evocheck: upstream release 22.04.1
evolinux-base: Add non-free repos & install non-free firmware on dedicated hardware
evolinux-base: rename backup-server-state to dump-server-state
generate-ldif: Add services check for bkctld
minifirewall: restore "force-restart" and fix "restart-if-needed"
minifirewall: tail template follows symlinks
minifirewall: upstream release 22.05
opendkim : add generate opendkim-genkey in sha256 and key 4096
openvpn: use a local copy of files instead of cloning an external git repository
openvpn: use a subnet topology instead of the net30 default topology
tomcat: Tomcat 9 by default with Debian 11
vrrpd: Store sysctl values in specific file

Fixed

etc-git : Remount /usr in rw for git gc in in /usr/share/scripts/
etc-git: Make evocommit fully compatible with OpenBSD
generate-ldif: Correct generated entries for php-fpm in containers
keepalived: repair broken role
minifirewall: fix failed_when condition on restart
postfix: Do not send mails through milters a second time after amavis (in packmail)
redis: Remount /usr with RW before adding nagios plugin

[22.03] 2022-03-02

Added

apt: apt_hold_packages: broadcast message with wall, if present
evolinux-base: option to bypass raid-related tasks
Explicit permissions for systemd overrides
generate-ldif: Add support for php-fpm in containers
kvm-host: add missing default value
lxc-php: preliminary support for PHP 8.1 container
openvpn: now check that openvpn has been restarted since last certificates renewal
redis: always install check_redis_instances
redis: check_redis_instances tolerates absence of instances

Changed

elasticsearch: Use /etc/elasticsearch/jvm.options.d/evolinux instead of default /etc/elasticsearch/jvm.options
evolinux-users: check permissions for /etc/sudoers.d
evolinux-users: optimize sudo configuration
lxc: Fail if /var is nosuid
openvpn: make it compatible with OpenBSD and add some improvements

[22.01.3] 2022-01-31

Changed

rbenv: install Ruby 3.1.0 by default
evolinux-base: backup-server-state: add "force" mode

Fixed

evolinux-base: backup-server-state: fix systemctl invocation
varnish: update munin plugin to work with recent varnish versions

[22.01.2] 2022-01-27

Changed

evolinux-base: many improvements for backup-server-state script
remount-usr: use findmnt to find if usr is a readonly partition

[22.01] 2022-01-25

Added

Support for Debian 11 « Bullseye » (with possible remaining blind spots)
apache: new variable for MPM mode (+ updated default config accordingly)
apache: prevent accessing Git or "env" related files
certbot: add script for manual deploy hooks execution
docker-host: install additional dependencies
dovecot: switch to TLS 1.2+ and external DH params
etc-git: centralize cron jobs in dedicated crontab
etc-git: manage commits with an optimized shell script instead of many slow Ansible tasks
evolinux-base: add script backup-server-state
evolinux-base: configure top and htop to display the swap column
evolinux-base: install molly-guard by default
generate-ldif: detect RAID controller
generate-ldif: detect mdadm
listupgrade: crontab is configurable
logstash: logging to syslog is configurable (default: True)
mongodb: create munin plugins directory if missing
munin: systemd override to unprotect home directory
mysql: add evomariabackup 21.11
mysql: improve Bullseye compatibility
mysql: script "mysql_connections" to display a compact list of connections
mysql: script "mysql-queries-killer.sh" to kill MySQL queries
nagios-nrpe + evolinux-users: new check for ipmi
nagios-nrpe + evolinux-users: new check for RAID (soft + hard)
nagios-nrpe + evolinux-users: new checks for bkctld
nagios-nrpe: new check influxdb
openvpn: new role (beta)
redis: instance service for Debian 11
squid: add *.o.lencr.org to default whitelist

Changed

Change version pattern
Install python 2 or 3 libraries according to running python version
Remove embedded GPG keys only if legacy keyring is present
apt: remove workaround for Evolix public repositories with Debian 11
apt: upgrade packages after all the configuration is done
apt: use the new security repository for Bullseye
certbot: silence letsencrypt deprecation warnings
elasticsearch: elastic_stack_version = 7.x
evoacme: exclude renewal-hooks directory from cron
evoadmin-web: simpler PHP packages lists
evocheck: upstream release 21.10.4
evolinux-base: alert5 comes after the network
evolinux-base: force Debian version to buster for Evolix repository (temporary)
evolinux-base: install freeipmi by default on dedicated hw
evolinux-base: logs are rotated with dateext by default
evolinux-base: split dpkg logrotate configuration
evolinux-users + nagios-nrpe: Add support for php-fpm80 in lxc
evomaintenance: extract a config.yml tasks file
evomaintenance: upstream release 22.01
filebeat/metricbeat: elastic_stack_version = 7.x
kibana: elastic_stack_version = 7.x
listupgrade: old-kernel-removal version 21.10
listupgrade: upstream release 21.06.3
logstash: elastic_stack_version = 7.x
mongodb: Allow to specify a mongodb version for buster & bullseye
mongodb: Deny the install on Debian 11 « Bullseye » when the version is unsupported
mongodb: Support version 5.0 (for buster)
mysql: use python3 and mariadb-client-10.5 with Debian 11 and later
nodejs: default to version 16 LTS
php: enforce Debian version with assert instead of fail
squid: improve default whitelist (more specific patterns)
squid: must be started in foreground mode for systemd
squid: remove obsolete variable on Squid 4

Fixed

evolinux-base: fix alert5.service dependency syntax
certbot: sync_remote excludes itself
lxc-php: fix config for opensmtpd on bullseye containers
mysql : Create a default ~root/.my.cnf for compatibility reasons
nginx : fix variable name and debug to actually use nginx-light
packweb-apache : Support php 8.0
nagios-nrpe: Fix check_nfsserver for buster and bullseye

Removed

evocheck: package install is not supported anymore
logstash: no more dependency on Java
php: remove php-gettext for 7.4

[10.6.0] 2021-06-28

Added

Add Elastic GPG key to kibana, filebeat, logstash, metricbeat roles
apache: new variable for mpm mode (+ updated default config accordingly)
evolinux-base: add default motd template
kvm-host: add migrate-vm script
mysql: variable to disable myadd script overwrite (default: True)
nodejs: update apt cache before installing the package
squid: add Yarn apt repository in default whitelist

Changed

Update Galaxy metadata (company, platforms and galaxy_tags)
Use 'loop' syntax instead of 'with_first_found/with_items/with_dict/with_nested/with_list'
Use Ansible syntax used in Ansible 2.8+
apt: store keys in /etc/apt/trusted.gpg.d in ascii format
certbot: sync_remote.sh is configurable
evolinux-base: copy GPG key instead of using apt-key
evomaintenance: upstream release 0.6.4
kvm-host: replace the "kvm-tools" package with scripts deployed by Ansible
listupgrade: upstream release 21.06.2
nodejs: change GPG key name
ntpd: Add leapfile configuration setting to ntpd on debian 10+
packweb-apache: install phpMyAdmin from buster-backports
spamassassin: change dependency on evomaintenance
squid: remove obsolete variable on Squid 4

Fixed

add default (useless) value for file lookup (first_found)
fix pipefail option for shell invocations
elasticsearch: inline YAML formatting of seed_hosts and initial_master_nodes
evolinux-base: fix motd lookup path
ldap: fix edge cases where passwords were not set/get properly
listupgrade: fix wget error + shellcheck cleanup

Removed

elasticsearch: recent versiond don't depend on external JRE

[10.5.1] 2021-04-13

Added

haproxy: dedicated internal address/binding (without SSL)

Changed

etc-git: commit in /usr/share/scripts when there's an active repository

[10.5.0] 2021-04-01

Added

apache: new variables for logrotate + server-status
filebeat: package can be upgraded to latest (default: False)
haproxy: possible admin access with login/pass
lxc-php: Add PHP 7.4 support
metricbeat: package can be upgraded to latest (default: False)
metricbeat: new variables to configure SSL mode
nagios-nrpe: new script check_phpfpm_multi
nginx: add access to server status on default VHost
postfix: add smtpd_relay_restrictions in configuration

Changed

apache: rotate logs daily instead of weekly
apache: deny requests to ^/evolinux_fpm_status-.*
certbot: use a fixed 1.9.0 version of the certbot-auto script (renamed "letsencrypt-auto")
certbot: use the legacy script on Debian 8 and 9
elasticsearch: log rotation is more readable/maintainable
evoacme: upstream release 21.01
evolinux-users: Add sudo rights for nagios for multi-php lxc
listupgrade: update script from upstream
minifirewall: change some defaults
nagios-nrpe: update check_phpfpm_status.pl & install perl dependencies
redis: use /run instead or /var/run
redis: escape password in Munin configuration

Fixed

bind9: added log files to apparmor definition so bind can run
filebeat: fix Ansible syntax error
nagios-nrpe: libfcgi-client-perl is not available before Debian 10
redis: socket/pid directories have the correct permissions

Removed

nginx: no more "minimal" mode, but the package remains customizable.

[10.4.0] 2020-12-24

Added

certbot: detect domains if missing
certbot: new "sync_remote.sh" hook to sync certificates and execute hooks on remote servers
varnish: variable for jail configuration

Changed

certbot: disable auth for Let's Encrypt challenge
nginx: change from "nginx_status-XXX" to "server-status-XXX"

[10.3.0] 2020-12-21

Added

bookworm-detect: transitional role to help dealing with unreleased bookworm version
dovecot: Update munin plugin & configure it
dovecot: vmail uid/gid are configurable
evoacme: variable to disable Debian version check (default: False)
kvm-host: Add drbd role dependency (toggleable with kvm_install_drbd)
minifirewall: upstream release 20.12
minifirewall: add variables to force upgrade the script and the config (default: False)
mysql: install save_mysql_processlist script
nextcloud: New role to setup a nextcloud instance
redis: variable to force use of port 6379 in instances mode
redis: check maxmemory in NRPE check
lxc-php: Allow php containers to contact local MySQL with localhost
varnish: config file name is configurable

Changed

Create system users for vmail (dovecot) and evoadmin
apt: disable APT Periodic
evoacme: upstream release 20.12
evocheck: upstream release 20.12
evolinux-users: improve uid/login checks
tomcat-instance: fail if uid already exists
varnish: change template name for better readability
varnish: no threadpool delay by default
varnish: no custom reload script for Debian 10 and later

Fixed

cerbot: parse HAProxy config file only if HAProxy is found

[10.2.0] 2020-09-17

Added

evoacme: remount /usr if necessary
evolinux-base: swappiness is customizable
evolinux-base: install wget
tomcat: root directory owner/group are configurable

Changed

Change default public SSH/SFTP port from 2222 to 22222

Fixed

certbot: an empty change shouldn't raise an exception
certbot: fix "no-self-upgrade" option

Removed

evoacme: remove Debian 9 support

[10.1.0] 2020-08-21

Added

certbot: detect HAProxy cert directory
filebeat: allow using a template
generate-ldif: add NVMe disk support
haproxy: add deny_ips file to reject connections
haproxy: add some comments to default config
haproxy: enable stats frontend with access lists
haproxy: preconfigure SSL with defaults
lxc-php: Don't disable putenv() by default in PHP settings
lxc-php: Install php-sqlite by default
metricbeat: allow using a template
mysql: activate binary logs by specifying log_bin path
mysql: option to define as read only
mysql: specify a custom server_id
nagios-nrpe/evolinux-base: brand new check for hardware raid on HP servers gen 10
nginx: make default vhost configurable
packweb-apache: Install zip & unzip by default
php: Don't disable putenv() by default in PHP settings
php: Install php-sqlite by default

Changed

certbot: fix haproxy hook (ssl cert directory detection)
certbot: install certbot dependencies non-interactively for jessie
elasticsearch: configure cluster with seed hosts and initial masters
elasticsearch: set tmpdir before datadir
evoacme: read values from environment before defaults file
evoacme: update for new certbot role
evoacme: upstream release 20.08
haproxy: adapt backports installed package list to distibution
haproxy: chroot and socket path are configurable
haproxy: deport SSL tuning to Mozilla SSL generator
haproxy: rotate logs with date extension and immediate compression
haproxy: split stats variables
lxc-php: Do --no-install-recommends for ssmtp/opensmtpd
mongodb: install custom munin plugins
nginx: read server-status values before changing the config
packweb-apache: Don't turn on mod-evasive emails by default
redis: create sudoers file if missing
redis: new syntax for match filter
redis: raise an error is port 6379 is used in "instance" mode

Fixed

certbot: restore compatibility with old Nginx
evobackup-client: fixed the ssh connection test
generate-ldif: better detection of computerOS field
generate-ldif: skip some odd ethernet devices
lxc-php: Install opensmtpd as intended
mongodb: fix logrotate patterm on Debian buster
nagios-nrpe: check_amavis: updated regex
squid: better regex to match sa-update domains
varnish: fix start command when multiple addresses are present

[10.0.0] - 2020-05-13

Added

apache: the default VHost doesn't redirect to https for ".well-known" paths
apt: added buster backports prerferences
apt: check if cron is installed before adding a cron job
apt: remove jessie/buster sources from Gandi servers
apt: verify that /etc/evolinux is present
certbot : new role to install and configure certbot
etc-git: add versioning for /usr/share/scripts on Debian 10+
evoacme: upstream version 19.11
evolinux-base: default value for "evolinux_ssh_group"
evolinux-base: install /sbin/deny
evolinux-base: install Evocheck (default: True)
evolinux-base: on debian 10 and later, add noexec on /dev/shm
evolinux-base: on debian 10 and later, add /usr/share/scripts in root's PATH
evolinux-base: remove the chrony package
evomaintenance: don't configure firewall for database if not necessary
generate-ldif: support MariaDB 10.3
haproxy: add a variable to keep the existing configuration
java: add Java 11 as possible version to install
listupgrade: install old-kernel-autoremoval script
minifirewall: add a variable to force the check scripts update
mongodb: mongodb: compatibility with Debian 10
mysql-oracle: backport tasks from mysql role
networkd-to-ifconfig: add variables for configuration by variables
packweb-apache: Deploy opcache.php to give some insights on PHP's opcache status
php: variable to install the mysqlnd module instead of the default mysql module
postgresql : variable to install PostGIS (default: False)
redis: rewrite of the role (separate instances, better systemd units…)
webapps/evoadmin-web Add an htpasswd to evoadmin if you cant use an apache IP whitelist
webapps/evoadmin-web Overload templates if needed
evolinux-base: install ssacli for HP Smart Array
evobackup-client role to configure a machine for backups with bkctld(8)
bind: enable query logging for recursive resolvers
bind: enable logrotate for recursive resolvers
bind: enable bind9 munin plugin for recursive resolvers

Changed

replace version_compare() with version()s
removed some deprecations for Ansible 2.7
apache: improve permissions in save_apache_status script
apt: hold packages only if package is installed
bind: the munin task was present, but not included
bind: change name of logrotate file to bind9
certbot: commit hook must be executed at the end
elasticsearch: listen on local interface only by default
evocheck: upstream version 20.04.4
evocheck: cron jobs execute in verbose
evolinux-base: use "evolinux_internal_group" for SSH authentication
evolinux-base: Don't customize the logcheck recipient by default.
evolinux-base: configure cciss-vol-statusd in the proper file
evomaintenance: upstream release 0.6.3
evomaintenance: Turn on API by default (instead of DB)
evomaintenance: install PG dependencies only when needed
listupgrade: update from upstream
lxc: rely on lxc_container module instead of command module
lxc: remove useless loop in apt execution
lxc: update our default template to be compatible with Debian 10
lxc-php: refactor tasks for better maintainability
lxc-php: Use OpenSMTPD for Stretch/Buster containers, and ssmtp for Jessie containers
lxc-solr: changed default Solr version to 8.4.1
minifirewall: better alert5 activation
minifirewall: no http filtering by default
minifirewall: /bin/true command doesn't report "changed" anymore
nagios-nrpe: update check_redis_instances (same as redis role)
nagios-nrpe: change default haproxy socket path
nagios-nrpe: check_mode per cpu dynamically
nodejs: change default version to 12 (new LTS)
packweb-apache: Do the install & conffigure phpContainer script (instead of evoadmin-web role)
php: By default, allow 128M for OpCache (instead of 64M)
php: Don't set a chroot for the default fpm pool
php: Make sure the default pool we define can be fully functionnal witout debian's default pool file
php: Change the default pool names to something more explicit (and same for the variables names)
php: Add a task to remove Debian's default FPM pool file (off by default)
php: Cleanup CLI Settings. Also, allow url fopen and don't disable functions (in CLI only)
postgresql : changed logrotate config to 10 days (and fixed permissions)
rbenv: changed default Ruby version to 2.7.0
squid: Remove wait time when we turn off squid
squid: compatibility wit Debian 10
tomcat: package version derived from Debian version if missing
varnish: remove custom ExecReload= script for Debian 10+

Fixed

etc-git: fix warnings ansible-lint
evoadmin-web: Put the php config at the right place for Buster
lxc: Don't stop the container if it already exists
lxc: Fix container existance check to be able to run in check_mode
lxc-php: Don't remove the default pool
minifirewall: fix warnings ansible-lint
nginx: fix munin fcgi not working (missing chmod 660 on logs)
php: add missing handler for php7.3-fpm
roundcube: fix typo for roundcube vhost
tomcat: fix typo for default tomcat_version
evolinux-base: Fix our zsyslog rotate config that doesn't work on Debian 10
certbot: Properly evaluate when apache is installed
evolinux-base: Don't make alert5.service executable as systemd will complain
webapps/evoadmin-web: Set default evoadmin_mail_tpl_force to True to fix a regression where the mail template would not get updated because the file is created before the role is first run.
minifirewall: Backport changes from minifirewall (properly open outgoing smtp(s))
minifirewall: Properly detect alert5.sh to turn on firewall at boot
packweb-apache: Add missing dependency to evoacme role
php: Chose the debian version repo archive for packages.sury.org
php: update surry_post.yml to match current latest PHP release
packweb-apache: Don't try to install PHPMyAdmin on Buster as it's not available

Removed

clamav : do not install the zoo package anymore

[9.10.1] - 2019-06-21

Changed

evocheck : update (version 19.06) from upstream

[9.10.0] - 2019-06-21

Added

apache: add server status suffix in VHost (and default site) if missing
apache: add a variable to customize the server-status host
apt: add a script to manage packages with "hold" mark
etc-git: gitignore /etc/letsencrypt/.certbot.lock
evolinux-base: install "spectre-meltdown-checker" (Debian 10 and later)
evomaintenance: make hooks configurable
nginx: add server status suffix in VHost (and default site) if missing
redmine: enable gzip compression in nginx vhost

Changed

evocheck : update (unreleased) from upstream
evomaintenance : use the web API instead of PG Insert
fluentd: store gpg key locally
rbenv: update defaults rbenv version to 1.1.2 and ruby version to 2.6.3
redmine: update default version to 4.0.3
nagios-nrpe: change required status code for http and https check
redmine: use custom errors-pages in Nginx vhost
nagios-nrpe: check_load is now based on ansible_processor_vcpus
php: Stop enforcing /var/www/html as chroot while we use /var/www
apt: Add Debian Buster repositories

Fixed

rbenv: add check_mode for check rbenv and ruby versions
nagios-nrpe: fix redis_instances check when Redis port equal 0
redmine: fix 500 error on logging
evolinux-base: Validate sshd config with "-t" instead of "-T"
evolinux-base: Ensure rename is present
evolinux-users: Validate sshd config with "-t" instead of "-T"
nagios-nrpe: Replace the dummy packages nagios-plugins-with monitoring-plugins-

[9.9.0] - 2019-04-16

Added

etc-git: ignore evobackup/.keep-* files
lxc: /home is mounted in the container by default
nginx : add "x-frame-options: sameorigin" for Munin

Changed

changed remote repository to https://gitea.evolix.org/evolix/ansible-roles
apt: Ensure jessie-backport from archives.debian.org is accepted
apt: Remove jessie-update suite as it's no longer exists
apt: Replace mirror.evolix.org by archives.debian.org for jessie-backport
evocheck : update script from upstream
evolinux-base: remove apt-listchanges on Stretch and later
evomaintenance: embed version 0.5.0
opendkim: aligning roles with our conventions, major changes in opendkim-add.sh
redis: higher limit of open files
redis: set variables on inclusion, not with set_facts
tomcat: better tomcat version management
webapps/evoadmin-web: add dbadmin.sh to sudoers file

Fixed

spamassasin: fix sa-update.sh and ensure service is started and enabled
tomcat-instance: deploy correct version of config files
tomcat-instance: deploy correct version of server.xml

[9.8.0] - 2019-01-31

Added

filebeat: disable cloud_metadata processor by default
metricbeat: disable cloud_metadata processor by default
percona : new role to install Percona repositories and tools
redis: add variable for configure unixsocketperm

Changed

redmine: refactoring of redmine role with use of rbenv

Fixed

ntpd: Update the restrictions to follow wiki.evolix.org/HowtoNTP client config

[9.7.0] - 2019-01-17

Added

apache: add Munin configuration for Apache server-status URL
evomaintenance: database variables must be set or the task fails
fail2ban: add "ips" tag added to fail2ban/tasks/ip_whitelist.yml
metricbeat: add a variable for the protocol to use with Elasticsearch
rbenv: add pkg-config to the list of packages to install
redis: Configure munin when working in instance mode
redis: add a variable for renamed/disabled commands
redis: add a variable to disable the restart handler
redis: add a variable to force a restart (even with no change)
proftpd: add FTPS and SFTP support

Changed

redis: distinction between main and master password
evocheck: update evocheck.sh for source install
php: added php-zip in the installed package list for debian 9 (and later)
squid: added packagist.org in the whitelist
java: update Oracle java package to 8u192

Fixed

fail2ban: fix "ignoreip" update
metricbeat: fix username/password replacement
nagios-nrpe: check_process now return the error code (making the check more usefull than /bin/true)
nginx: Munin url config is now a template to insert the server-status prefix
nodejs: Update yarn repo GPG key (current key expired)
redis: In instance mode, ensure to replace the nrpe check_redis with the instance check script
redis: Don't set the owner of /var/{lib,log}/redis to a redis instance account

[9.6.0] - 2018-12-04

Added

evolinux-base: deploy custom motd if template are present
minifirewall: all variables are configurable (untouched by default)
minifirewall: main file is configurable
squid: minifirewall main file is configurable

Changed

minifirewall: compare config before/after (for restart condition)
squid: better replacement in minifirewall config
evoadmin-mail: complete refactoring, use Debian Package

[9.5.0] - 2018-11-14

Added

apache: separate task to update IP whitelist
evolinux-base: install man package
evolinux-users: add newaliases handler
evomaintenance: FROM domain is configurable
fail2ban: separate task to update IP whitelist
nginx: add tag for ips management
nginx: separate task to update IP whitelist
postfix: enable SSL/TLS client
ssl: add an SSL role for certificates deployment
haproxy: add vars for tls configuration
mysql: logdir can be customized

Changed

evocheck: update script from upstream
evomaintenance: update script from upstream
mysql: restart service if systemd unit has been patched

Fixed

packweb-apache: mod-security config is already included elsewhere
redis: for permissions on log and lib directories
redis: fix shell for instance users
evoacme: fix error handling in sed_cert_path_for_(apache|nginx)

[9.4.2] - 2018-10-12

Added

evomaintenance: install dependencies manually when installing vendored version
nagios-nrpe: add an option to ignore servers in NOLB status

Changed

haproxy: move check_haproxy_stats to nagios-nrpe role

Fixed

evoacme: better error when apache2ctl fails
evomaintenance: fix role compatibility with OpenBSD
spamassassin: add missing right for amavis
amavis: fix output result checking

[9.4.1] - 2018-09-28

Added

redis: set masterauth when redis_password is defined
evomaintenance: variable to install a vendored version
evomaintenance: tasks/variables to handle minifirewall restarts

Changed

mysql-oracle: better handle packages and users

[9.4.0] - 2018-09-20

Added

etc-git: manage a cron job to monitor uncommited changes in /etc/.git (default: True)
evolinux-base: better shell history
evolinux-users: add user to /etc/aliases
generate-ldif: add a section for postgresql
logstash: tmp directory can be customized
logstash: max memory is set to 512M by default
logstash: version 6.x is installed by default
mysql: add a variable to prevent mysql from restarting
networkd-to-ifconfig: add a role to switch from networkd to ifconfig
webapps/evoadmin-web: add users to /etc/aliases
redis: add support for multi instances
nagios-nrpe: add check_redis_instances

Changed

dovecot: stronger TLS configuration

Fixed

apache: cleaner way to overwrite the server status suffix
packweb-apache: don't regenerate phpMyAdmin suffix each time
nginx: cleaner way to overwrite the server status suffix
redis: add missing tags

[9.3.2] - 2018-09-06

Added

minifirewall: add a variable to disable the restart handler
minifirewall: add a variable to force a restart of the firewall (even with no change)
minifirewall: improve variables values and documentation

Changed

dovecot: enable SSL/TLS by default with snakeoil certificate

Fixed

Security

[9.3.1] - 2018-08-30

Added

metricbeat: new variables to configure elasticsearch hosts and auth

[9.3.0] - 2018-08-24

Added

elasticsearch: tmpdir configuration compatible with 5.x also
elasticsearch: add http.publish_host variable
evoacme: disable old certbot cron also in cron.daily
evocheck: detect installed packages even if "held" by APT (manual fix)
evocheck: the crontab is updated by the role (default: True)
evolinux-base: add mail related aliases
evolinux-todo: new role, to help maintain a file of todo tasks
fail2ban: add a variable to disable the ssh filter (default: False)
etc-git: install a script to optimize the repository each month
fail2ban: add a variable to update the list of ignored IP addresses/blocs (default: False)
generate-ldif: detect installed packages even if "held" by APT
java: support for Oracle JRE
kibana: log messages go to /var/log/kibana/kibana.log
metricbeat: add a role (copied from filebeat)
munin: properly rename Munin cache directory
mysql: add an option to install the client development libraries (default: False)
mysql: add a few variables to customize the configuration
nagios-nrpe: add check_postgrey

Changed

etc-git: some entries of .gitignore are mandatory
evocheck: update upstream script
evolinux-base: improve hostname configuration (real vs. internal)
evolinux-base: use the "evolinux-todo" role
evolinux-users: add sudo permission for bkctld check
java8: renamed to java (java8 symlinked to java for backward compatibility)
minifirewall: the tail file can be overwritten, or not (default: True)
nagios-nrpe: use bkctld internal check instead of nrpe plugin
php: reorganization of the role for Sury overrides and more clear configuration
redmine: use .my.cnf for mysql password
rbenv: change default Ruby version (2.5.1)
rbenv: switch from copy to lineinfile for default gems
remount-usr: mount doesn't report a change
squid: add a few news sites to the whitelist
tomcat: better nrpe check output
kvm-host: install kvm-tools package instead of copying add-vm.sh

Fixed

apache: logrotate replacement is more subtle/precise. It replaces only the proper directive and not every occurence of the word.
bind: chroot-bind.sh must not be executed in check mode
evoacme: fix module detection in apache config
fail2ban: fix fail2ban_ignore_ips definition
mysql-oracle: fix configuration directory variable
php: fpm slowlog needs an absolute path
roundcube: add missing slash to https redirection

[9.2.0] - 2018-05-16

Changed

filebeat: install version 6.x by default
filebeat: cleanup unused code
squid: add some domaine and fix broken restrictions
elasticsearch: defaults to version 6.x

Fixed

evolinux-users: secondary groups are comma-separated
ntpd: fix configuration (server and ACL)
varnish: don't fork the process on startup with systemd

[9.1.9] - 2018-04-24

Added

Changed

apache: customize logrotate (52 weeks)
evolinux: groups for SSH configuration are used with Debian 10 and later
evolinux-base: fail2ban is not enabled by default
evolinux-users: refactoring of the SSH configuration
mysql-oracle: copy evolinux config files in mysql.cond.d
mysql/mysql-oracle: mysqltuner cron scripts is 0755
generate-ldif: add a minifirewall service when /etc/default/minifirewall exists

[9.1.8] - 2018-04-16

Changed

packweb-apache: use dependencies instead of include_role for apache and php roles

Fixed

mysql: use check_mode for apg command (Fix --check)
mysql/mysql-oracle: properly reload systemd
packweb-apache: use check_mode for apg command (Fix --check)

[9.1.7] - 2018-04-06

Added

added a few become attributes where missing
etc-git: add tags for Ansible
evolinux-base: install ncurses-term package
haproxy: install Munin plugins
listupgrade: add service restart notification for Squid and libstdc++6
minifirewall: add "check_minifirewall" Nagios plugin (and minifirewall_status script)
mysql-oracle: new role to install MySQL 5.7 with Oracle packages
mysql: remount /usr before creating scripts directory
nagios-nrpe: add "check_open_files" plugin
nagios-nrpe: mark plugins as executable
nodejs: Yarn package manager can be installed (default: false)
packweb-apache: choose mysql variant (default: debian)
postfix: add lines in /etc/.gitignore
proftpd: use "proftpd_accounts" list to manage ftp accounts
redmine: added missing tags

Changed

elasticsearch: RESTART_ON_UPGRADE is configurable (default: true)
elasticsearch: use ES_TMPDIR variable for custom tmpdir, (from /etc/default/elasticsearch instead of changing /etc/elesticsearch/jvm.options).
evolinux-base: Exec the firewall tasks sooner (to avoid dependency issues)
evolinux-users: split AllowGroups/AllowUsers modes for SSH directives
mongodb: allow unauthenticated packages for Jessie
mongodb: configuration is forced by default but it's configurable (default: false)
mongodb: rename logrotate script
nagios-nrpe: mark plugins as executable
nginx: don't debug variables in verbosity 0
nginx: package name can be specified (default: nginx-full)
php: fix FPM custom file permissions
php: more tasks notify FPM handler to restart if needed
webapps/evoadmin-web: Fail if variable evoadmin_contact_email isn't defined

Fixed

dovecot: fix support of plus sign
mysql/mysql-oracle: mysqltuner cron task is executable
nginx: fix basic auth for default vhost
rbenv: fix become user issue with copy tasks

[9.1.6] - 2018-02-02

Added

mongodb: install python-pymongo for monitoring
nagios-nrpe: allowed_hosts can be updated

Changed

Changelog: explain the versioning scheme
Changelog: add a release date for 9.1.5
evoacme: exclude typical certbot directories

Fixed

fail2ban: fix horrible typo, Python is not Ruby
nginx: fix servers status dirname

[9.1.5] - 2018-01-18

Added

There is a changelog!
redis: configuration variable for protected mode (v3.2+)
evolinux-users: users are in "adm" group for Debian 9 or later
evolinx-base: purge locate/mlocate packages
evolinx-base: create /etc/evolinux if missing
many Ansible tags for easier fine grained execution of playbooks
apache/nginx: server status suffix management
unbound: retrieve list of root DNS servers
redmine: ability to install themes and plugins

Changed

rbenv: Ruby 2.5 becomes the default version
evocheck: update upstream version embedded in role (c993244)
bind: keep 52 weeks of logs

Fixed

squid: different logrotate file for Jessie or Stretch+
evoacme: don't invoke evoacme if no vhost is found
evomaintenance: explicit quotes in config file
redmine: force xpath gem < 3.0.0

Security

evomaintenance: fix permissions for config file

[9.1.4] - 2017-12-20

Added

php: install php5-intl (for Jessie) and php-intl (for Debian 9 or later)
mysql: add a check_mysql_slave in nrpe configuration
ldap: slapd tcp port is configurable
elasticsearch: broader patterns for log rotation

Changed

split IP lists in 2 – default and additional – for easier customization.

Fixed

minifirewall: allow outgoing SSH connections over IPv6
nodejs: rename source.list file

Security

evoadmin-web: change config.local.php file permissions
evolinux-base: change default_www file permissions

[9.1.3] 2017-12-08

Added

evolinux-base: install traceroute package
evolinux-base/ntpd: purge openntpd
tomcat: add Tomcat 8 cmpatibility
log2mail: add "The total blob data length" pattern for MySQL
nagios-nrpe: add bkctld check in evolix.cfg
varnish: reload or restart if needed
rabbitmq: add a munin plugin and an NRPE check
minifirewall: add debug for variables
elastic: option for stack main version

Changed

nginx: rename Let's Encrypt snippet
nginx: simpler apt preferences for backports
generate-ldif: add clamd service instead of clamav_db
mysql: parameterize evolinux config files
rbenv: use Rbenv 1.1.1 and Ruby 2.4.2 by default
elasticsearch: update curator debian repository
evoacme: crontab management
evoacme: better documentation
mongodb: comatible with Stretch

Removed

mongodb: logfile/pidfile are not configurable on Jessie
minifirewall: remove zidane.evolix.net from HTTPSITES

Fixed

nginx: fix munin CGI graphs
ntpd: fix default configuration (localhost only)
logstash: fix permissions on pipeline configuration
postfix/spamassassin: add user in cron job
php: php.ini custom file are now readable
hostname customization needs the dbus package

[9.1.2] 2017-12-05

Fixed

listupgrade: remount /usr as rw

[9.1.1] 2017-11-21

Added

amazon-ec2: add egress rules

Fixed

evoacme: fix multiple bugs

[9.1.0] 2017-11-19

Warning: huge release, many entries are missing below.

Added

amazon-ec2: new role, for EC2 instances creation
Move /usr rw remount into remount-usr role
kibana: host and basepath configuration
kibana: move optimize and data to /var
logstash: daily job for log rotation
elasticsearch: daily job for log rotation
roundcube: add link in default site index
nagios-nrpe: add opendkim check

Changed

Combine evolix and additional trusted IP addresses
amazon-ec2: split tasks
apt: don't upgrade by default
postfix: extract main.cf md5sum into variables
evolinux-base: cache hwraid pgp key locally
evoacme: improve cron task
elasticsearch: use elastic.list APT source list for curator
ldap: better variables

Fixed

fail2ban: create config hierarchy beforehand
elasticsearch: fix datadir/tmpdir conditions
elastic: remove double ".list" suffix
nagios-nrpe: fix check_free_mem for OpenBSD 6.2
nagios-nrpe: fix check_amavis

Removed

Security

[9.0.1] 2017-10-02

Added

haproxy: add a Nagios check
php: add "sury" mode for PHP 7.1 on Stretch
minifirewall: explicit dependency on iptables
apt: remove Gandi source files
docker-host: new variable for docker home

Changed

php: install php5/php package after fpm/libapache2-mod-php

Fixed

mysql: add "REPLICATION CLIENT" privilege for nrpe
evoadmin-web: revert from variables to keywords in the templates
evoacme: many fixes
etc-git: detect user if root (without su or sudo)
docker-host: clean override of docker systemd unit
varnish: fix systemd unit override

[9.0.0] 2017-09-19

First official release

62 KiB Raw Permalink Blame History Unescape Escape

Changelog

[Unreleased]

Added

Changed

Fixed

Removed

Security

[24.03] 2024-03-01

Added

Changed

Removed

[24.02.1] 2024-02-08

Fixed

[24.02] 2024-02-08

Added

Changed

Fixed

Removed

[23.10] 2023-10-14

Added

Changed

Fixed

Removed

[23.04] 2023-04-23

Added

Changed

Fixed

[23.03.1] 2023-03-16

Added

Changed

[23.03] 2023-03-16

Added

Changed

Fixed

Removed

[22.12] 2022-12-14

Added

Changed

Fixed

Removed

[22.09] 2022-09-19

Added

Changed

Fixed

Removed

[22.07.1] 2022-07-28

Changed

[22.07] 2022-07-08

Added

[22.07] 2022-07-06

Added

Changed

Fixed

[22.06.3] 2022-06-17

Changed

[22.06.2] 2022-06-10

Added

Changed

Fixed

[22.06.1] 2022-06-06

Changed

[22.06] 2022-06-03

Added

Changed

Fixed

[22.05.1] 2022-05-12

Added

Changed

Removed

[22.05] 2022-05-10

Added

Changed

Fixed

[22.03] 2022-03-02

Added

Changed

[22.01.3] 2022-01-31

Changed

Fixed

62 KiB

Raw Permalink Blame History