Merge branch 'unstable' into change_timezone
commit
18ce6a7a57
12
CHANGELOG.md
12
CHANGELOG.md
|
@ -13,16 +13,26 @@ The **patch** part changes incrementally at each release.
|
||||||
### Added
|
### Added
|
||||||
|
|
||||||
* dovecot: Update munin plugin & configure it
|
* dovecot: Update munin plugin & configure it
|
||||||
|
* dovecot: vmail uid/gid are configurable
|
||||||
|
* evoacme: variable to disable Debian version check (default: False)
|
||||||
|
* kvm-host: Add drbd role dependency (toggleable with kvm_install_drbd)
|
||||||
|
* minifirewall: upstream release 20.12
|
||||||
|
* minifirewall: add variables to force upgrade the script and the config (default: False)
|
||||||
|
* mysql: install save_mysql_processlist script
|
||||||
* nextcloud: New role to setup a nextcloud instance
|
* nextcloud: New role to setup a nextcloud instance
|
||||||
* redis: variable to force use of port 6379 in instances mode
|
* redis: variable to force use of port 6379 in instances mode
|
||||||
|
* redis: check maxmemory in NRPE check
|
||||||
* lxc-php: Allow php containers to contact local MySQL with localhost
|
* lxc-php: Allow php containers to contact local MySQL with localhost
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
|
||||||
* evoacme: Don't ignore hooks with . in the name (ignore when it's ".disable")
|
* apt: disable APT Periodic
|
||||||
|
* evoacme: upstream release 20.12
|
||||||
|
* evocheck: upstream release 20.12
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
|
|
||||||
|
* cerbot: parse HAProxy config file only if HAProxy is found
|
||||||
* lxc: Force lxc containers to be in the correct timezone
|
* lxc: Force lxc containers to be in the correct timezone
|
||||||
|
|
||||||
### Removed
|
### Removed
|
||||||
|
|
|
@ -11,6 +11,7 @@
|
||||||
with_items:
|
with_items:
|
||||||
- { line: "APT::Install-Recommends \"false\";", regexp: 'APT::Install-Recommends' }
|
- { line: "APT::Install-Recommends \"false\";", regexp: 'APT::Install-Recommends' }
|
||||||
- { line: "APT::Install-Suggests \"false\";", regexp: 'APT::Install-Suggests' }
|
- { line: "APT::Install-Suggests \"false\";", regexp: 'APT::Install-Suggests' }
|
||||||
|
- { line: "APT::Periodic::Enable \"0\";", regexp: 'APT::Periodic::Enable' }
|
||||||
when: apt_evolinux_config
|
when: apt_evolinux_config
|
||||||
tags:
|
tags:
|
||||||
- apt
|
- apt
|
||||||
|
|
|
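Review bot: The new `APT::Periodic::Enable "0"` line switches off the whole apt-daily / apt-daily-upgrade machinery, which is what runs `unattended-upgrades`, so any host that relied on it for automatic security updates stops receiving them once this role runs with `apt_evolinux_config` true, and nothing in the task records that trade-off. Add a comment on the item, e.g. `# APT::Periodic::Enable 0 also stops unattended-upgrades; updates must be applied by another process`, and make sure that other process actually exists for the fleets this role is applied to. The module name and destination file of this `with_items` list (presumably a `lineinfile` over an apt.conf.d snippet) sit outside the hunk.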
@ -56,6 +56,9 @@ main() {
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if daemon_found_and_running; then
|
if daemon_found_and_running; then
|
||||||
|
readonly haproxy_config_file="/etc/haproxy/haproxy.cfg"
|
||||||
|
readonly haproxy_cert_dir=$(detect_haproxy_cert_dir)
|
||||||
|
|
||||||
if found_renewed_lineage; then
|
if found_renewed_lineage; then
|
||||||
haproxy_cert_file="${haproxy_cert_dir}/$(basename "${RENEWED_LINEAGE}").pem"
|
haproxy_cert_file="${haproxy_cert_dir}/$(basename "${RENEWED_LINEAGE}").pem"
|
||||||
failed_cert_file="/root/$(basename "${RENEWED_LINEAGE}").failed.pem"
|
failed_cert_file="/root/$(basename "${RENEWED_LINEAGE}").failed.pem"
|
||||||
|
@ -86,7 +89,5 @@ readonly VERBOSE=${VERBOSE:-"0"}
|
||||||
readonly QUIET=${QUIET:-"0"}
|
readonly QUIET=${QUIET:-"0"}
|
||||||
|
|
||||||
readonly haproxy_bin=$(command -v haproxy)
|
readonly haproxy_bin=$(command -v haproxy)
|
||||||
readonly haproxy_config_file="/etc/haproxy/haproxy.cfg"
|
|
||||||
readonly haproxy_cert_dir=$(detect_haproxy_cert_dir)
|
|
||||||
|
|
||||||
main
|
main
|
||||||
|
|
|
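Review bot: `readonly haproxy_cert_dir=$(detect_haproxy_cert_dir)` masks the exit status of the command substitution and never checks the result, so if detection fails or prints nothing the variable is silently empty and the following lines build `haproxy_cert_file="/<lineage>.pem"`, dropping the PEM haproxy is meant to load at the root of the filesystem. Split the assignment and fail closed: `haproxy_cert_dir=$(detect_haproxy_cert_dir) || exit 1`, then `[ -n "${haproxy_cert_dir}" ] || { echo "haproxy cert dir not found" >&2; exit 1; }`, then `readonly haproxy_cert_dir`. Whether the script runs under `set -e` and what `detect_haproxy_cert_dir` returns on failure is not visible here; `main()` starts before this hunk and continues after it.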
@ -1,2 +1,4 @@
|
||||||
---
|
---
|
||||||
dovecot_foo: bar
|
|
||||||
|
dovecot_vmail_uid: 5000
|
||||||
|
dovecot_vmail_gid: 5000
|
||||||
|
|
|
@ -40,7 +40,7 @@
|
||||||
- name: create vmail group
|
- name: create vmail group
|
||||||
group:
|
group:
|
||||||
name: vmail
|
name: vmail
|
||||||
gid: 5000
|
gid: "{{ dovecot_vmail_gid }}"
|
||||||
tags:
|
tags:
|
||||||
- dovecot
|
- dovecot
|
||||||
|
|
||||||
|
@ -48,7 +48,7 @@
|
||||||
user:
|
user:
|
||||||
name: vmail
|
name: vmail
|
||||||
group: vmail
|
group: vmail
|
||||||
uid: 5000
|
uid: "{{ dovecot_vmail_uid }}"
|
||||||
shell: /bin/false
|
shell: /bin/false
|
||||||
tags:
|
tags:
|
||||||
- dovecot
|
- dovecot
|
||||||
|
|
|
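Review bot: Making `uid`/`gid` configurable means that changing `dovecot_vmail_uid` or `dovecot_vmail_gid` on an already-provisioned host renumbers the existing `vmail` account, but the `user`/`group` modules do not re-own anything, so existing Maildirs keep the old numeric owner and dovecot loses access to them (or a later account that recycles the old uid gains it). Add a note on the task, e.g. `# Changing dovecot_vmail_uid/gid on an existing host does NOT chown the mail store; only set it before first provisioning`, or precede these tasks with a `getent passwd vmail` check that asserts the current uid matches the variable. Where the mail store lives is not visible in this hunk.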
@ -14,3 +14,5 @@ evoacme_ssl_loc: 'Marseille'
|
||||||
evoacme_ssl_org: 'Evolix'
|
evoacme_ssl_org: 'Evolix'
|
||||||
evoacme_ssl_ou: 'Security'
|
evoacme_ssl_ou: 'Security'
|
||||||
evoacme_ssl_email: 'security@evolix.net'
|
evoacme_ssl_email: 'security@evolix.net'
|
||||||
|
|
||||||
|
evoacme_disable_debian_check: False
|
||||||
|
|
|
@ -14,7 +14,7 @@ show_version() {
|
||||||
cat <<END
|
cat <<END
|
||||||
evoacme version ${VERSION}
|
evoacme version ${VERSION}
|
||||||
|
|
||||||
Copyright 2009-2019 Evolix <info@evolix.fr>,
|
Copyright 2009-2020 Evolix <info@evolix.fr>,
|
||||||
Victor Laborie <vlaborie@evolix.fr>,
|
Victor Laborie <vlaborie@evolix.fr>,
|
||||||
Jérémy Lecour <jlecour@evolix.fr>,
|
Jérémy Lecour <jlecour@evolix.fr>,
|
||||||
Benoit Série <bserie@evolix.fr>
|
Benoit Série <bserie@evolix.fr>
|
||||||
|
@ -284,13 +284,19 @@ main() {
|
||||||
export EVOACME_CHAIN="${LIVE_CHAIN}"
|
export EVOACME_CHAIN="${LIVE_CHAIN}"
|
||||||
export EVOACME_FULLCHAIN="${LIVE_FULLCHAIN}"
|
export EVOACME_FULLCHAIN="${LIVE_FULLCHAIN}"
|
||||||
|
|
||||||
|
# emulate certbot hooks environment variables
|
||||||
|
export RENEWED_LINEAGE="${LIVE_DIR}"
|
||||||
|
export RENEWED_DOMAINS="${VHOST}"
|
||||||
|
|
||||||
# search for files in hooks directory
|
# search for files in hooks directory
|
||||||
for hook in $(find ${HOOKS_DIR} -type f -executable | sort); do
|
for hook in $(find ${HOOKS_DIR} -type f -executable | sort); do
|
||||||
|
set +e
|
||||||
# keep only executables files, not containing a "."
|
# keep only executables files, not containing a "."
|
||||||
if [ -x "${hook}" ] && (basename "${hook}" | grep -vqF ".disable"); then
|
if [ -x "${hook}" ] && (basename "${hook}" | grep -vqF ".disable"); then
|
||||||
debug "Executing ${hook}"
|
debug "Executing ${hook}"
|
||||||
${hook}
|
${hook}
|
||||||
fi
|
fi
|
||||||
|
set -e
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -303,7 +309,7 @@ readonly QUIET=${QUIET:-"0"}
|
||||||
readonly TEST=${TEST:-"0"}
|
readonly TEST=${TEST:-"0"}
|
||||||
readonly DRY_RUN=${DRY_RUN:-"0"}
|
readonly DRY_RUN=${DRY_RUN:-"0"}
|
||||||
|
|
||||||
readonly VERSION="20.08"
|
readonly VERSION="20.12"
|
||||||
|
|
||||||
# Read configuration file, if it exists
|
# Read configuration file, if it exists
|
||||||
[ -r /etc/default/evoacme ] && . /etc/default/evoacme
|
[ -r /etc/default/evoacme ] && . /etc/default/evoacme
|
||||||
|
|
|
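Review bot: Wrapping the hook call in `set +e` … `set -e` discards the hook's exit status entirely, so a deploy hook that fails (for instance the haproxy hook elsewhere in this commit exiting non-zero) goes unnoticed while the certificate rollout is reported as successful. Capture it and at least warn before restoring `set -e`: `"${hook}"; hook_rc=$?` followed by `[ "${hook_rc}" -eq 0 ] || echo "Hook ${hook} failed (exit ${hook_rc})" >&2`. The comment `# keep only executables files, not containing a "."` is now stale, since the test only skips names containing `.disable` (anywhere in the name, not just as a suffix); `# skip hooks whose name contains ".disable"` matches the code. Every executable found under `${HOOKS_DIR}` runs with the privileges of the caller (presumably root), and the unquoted `$(find ${HOOKS_DIR} …)` word-splits on file names, so a comment stating the expected ownership and permissions of the hooks directory would help the next maintainer; `main()` starts before this hunk.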
@ -13,7 +13,7 @@ show_version() {
|
||||||
cat <<END
|
cat <<END
|
||||||
make-csr version ${VERSION}
|
make-csr version ${VERSION}
|
||||||
|
|
||||||
Copyright 2009-2019 Evolix <info@evolix.fr>,
|
Copyright 2009-2020 Evolix <info@evolix.fr>,
|
||||||
Victor Laborie <vlaborie@evolix.fr>,
|
Victor Laborie <vlaborie@evolix.fr>,
|
||||||
Jérémy Lecour <jlecour@evolix.fr>,
|
Jérémy Lecour <jlecour@evolix.fr>,
|
||||||
Benoit Série <bserie@evolix.fr>
|
Benoit Série <bserie@evolix.fr>
|
||||||
|
@ -265,7 +265,7 @@ readonly ARGS=$@
|
||||||
readonly VERBOSE=${VERBOSE:-"0"}
|
readonly VERBOSE=${VERBOSE:-"0"}
|
||||||
readonly QUIET=${QUIET:-"0"}
|
readonly QUIET=${QUIET:-"0"}
|
||||||
|
|
||||||
readonly VERSION="20.08"
|
readonly VERSION="20.12"
|
||||||
|
|
||||||
# Read configuration file, if it exists
|
# Read configuration file, if it exists
|
||||||
[ -r /etc/default/evoacme ] && . /etc/default/evoacme
|
[ -r /etc/default/evoacme ] && . /etc/default/evoacme
|
||||||
|
|
|
@ -13,7 +13,7 @@ show_version() {
|
||||||
cat <<END
|
cat <<END
|
||||||
vhost-domains version ${VERSION}
|
vhost-domains version ${VERSION}
|
||||||
|
|
||||||
Copyright 2009-2019 Evolix <info@evolix.fr>,
|
Copyright 2009-2020 Evolix <info@evolix.fr>,
|
||||||
Victor Laborie <vlaborie@evolix.fr>,
|
Victor Laborie <vlaborie@evolix.fr>,
|
||||||
Jérémy Lecour <jlecour@evolix.fr>,
|
Jérémy Lecour <jlecour@evolix.fr>,
|
||||||
Benoit Série <bserie@evolix.fr>
|
Benoit Série <bserie@evolix.fr>
|
||||||
|
@ -170,7 +170,7 @@ readonly ARGS=$@
|
||||||
readonly VERBOSE=${VERBOSE:-"0"}
|
readonly VERBOSE=${VERBOSE:-"0"}
|
||||||
readonly QUIET=${QUIET:-"0"}
|
readonly QUIET=${QUIET:-"0"}
|
||||||
|
|
||||||
readonly VERSION="20.08"
|
readonly VERSION="20.12"
|
||||||
|
|
||||||
readonly SRV_IP=${SRV_IP:-""}
|
readonly SRV_IP=${SRV_IP:-""}
|
||||||
|
|
||||||
|
|
|
@ -6,6 +6,7 @@
|
||||||
- ansible_distribution == "Debian"
|
- ansible_distribution == "Debian"
|
||||||
- ansible_distribution_major_version is version('9', '>=')
|
- ansible_distribution_major_version is version('9', '>=')
|
||||||
msg: only compatible with Debian >= 9
|
msg: only compatible with Debian >= 9
|
||||||
|
when: not evoacme_disable_debian_check
|
||||||
|
|
||||||
- include: certbot.yml
|
- include: certbot.yml
|
||||||
|
|
||||||
|
|
|
@ -4,7 +4,7 @@
|
||||||
# Script to verify compliance of a Debian/OpenBSD server
|
# Script to verify compliance of a Debian/OpenBSD server
|
||||||
# powered by Evolix
|
# powered by Evolix
|
||||||
|
|
||||||
readonly VERSION="20.04.3"
|
readonly VERSION="20.12"
|
||||||
|
|
||||||
# base functions
|
# base functions
|
||||||
|
|
||||||
|
@ -205,10 +205,13 @@ check_customsudoers() {
|
||||||
grep -E -qr "umask=0077" /etc/sudoers* || failed "IS_CUSTOMSUDOERS" "missing umask=0077 in sudoers file"
|
grep -E -qr "umask=0077" /etc/sudoers* || failed "IS_CUSTOMSUDOERS" "missing umask=0077 in sudoers file"
|
||||||
}
|
}
|
||||||
check_vartmpfs() {
|
check_vartmpfs() {
|
||||||
|
FINDMNT_BIN=$(command -v findmnt)
|
||||||
|
if [ -x "${FINDMNT_BIN}" ]; then
|
||||||
|
${FINDMNT_BIN} /var/tmp --type tmpfs --noheadings > /dev/null || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs"
|
||||||
|
else
|
||||||
df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs"
|
df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs"
|
||||||
}
|
fi
|
||||||
check_vartmpfs() {
|
|
||||||
df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs"
|
|
||||||
}
|
}
|
||||||
check_serveurbase() {
|
check_serveurbase() {
|
||||||
is_installed serveur-base || failed "IS_SERVEURBASE" "serveur-base package is not installed"
|
is_installed serveur-base || failed "IS_SERVEURBASE" "serveur-base package is not installed"
|
||||||
|
@ -559,7 +562,7 @@ check_evobackup_exclude_mount() {
|
||||||
# shellcheck disable=SC2064
|
# shellcheck disable=SC2064
|
||||||
trap "rm -f ${excludes_file}" 0
|
trap "rm -f ${excludes_file}" 0
|
||||||
# shellcheck disable=SC2044
|
# shellcheck disable=SC2044
|
||||||
for evobackup_file in $(find /etc/cron* -name '*evobackup*'); do
|
for evobackup_file in $(find /etc/cron* -name '*evobackup*' | grep -v -E ".disabled$"); do
|
||||||
grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}"
|
grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}"
|
||||||
not_excluded=$(findmnt --type nfs,nfs4,fuse.sshfs, -o target --noheadings | grep -v -f "${excludes_file}")
|
not_excluded=$(findmnt --type nfs,nfs4,fuse.sshfs, -o target --noheadings | grep -v -f "${excludes_file}")
|
||||||
for mount in ${not_excluded}; do
|
for mount in ${not_excluded}; do
|
||||||
|
@ -878,15 +881,25 @@ check_sql_backup() {
|
||||||
if (is_installed "mysql-server" || is_installed "mariadb-server"); then
|
if (is_installed "mysql-server" || is_installed "mariadb-server"); then
|
||||||
# You could change the default path in /etc/evocheck.cf
|
# You could change the default path in /etc/evocheck.cf
|
||||||
SQL_BACKUP_PATH=${SQL_BACKUP_PATH:-"/home/backup/mysql.bak.gz"}
|
SQL_BACKUP_PATH=${SQL_BACKUP_PATH:-"/home/backup/mysql.bak.gz"}
|
||||||
test -f "$SQL_BACKUP_PATH" || failed "IS_SQL_BACKUP" "MySQL dump is missing (${SQL_BACKUP_PATH})"
|
for backup_path in ${SQL_BACKUP_PATH}; do
|
||||||
|
if [ ! -f "${backup_path}" ]; then
|
||||||
|
failed "IS_SQL_BACKUP" "MySQL dump is missing (${backup_path})"
|
||||||
|
test "${VERBOSE}" = 1 || break
|
||||||
|
fi
|
||||||
|
done
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
check_postgres_backup() {
|
check_postgres_backup() {
|
||||||
if is_installed "postgresql-9*"; then
|
if is_installed "postgresql-9*" || is_installed "postgresql-1*"; then
|
||||||
# If you use something like barman, you should disable this check
|
# If you use something like barman, you should disable this check
|
||||||
# You could change the default path in /etc/evocheck.cf
|
# You could change the default path in /etc/evocheck.cf
|
||||||
POSTGRES_BACKUP_PATH=${POSTGRES_BACKUP_PATH:-"/home/backup/pg.dump.bak"}
|
POSTGRES_BACKUP_PATH=${POSTGRES_BACKUP_PATH:-"/home/backup/pg.dump.bak*"}
|
||||||
test -f "$POSTGRES_BACKUP_PATH" || failed "IS_POSTGRES_BACKUP" "PostgreSQL dump is missing (${POSTGRES_BACKUP_PATH})"
|
for backup_path in ${POSTGRES_BACKUP_PATH}; do
|
||||||
|
if [ ! -f "${backup_path}" ]; then
|
||||||
|
failed "IS_POSTGRES_BACKUP" "PostgreSQL dump is missing (${backup_path})"
|
||||||
|
test "${VERBOSE}" = 1 || break
|
||||||
|
fi
|
||||||
|
done
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
check_mongo_backup() {
|
check_mongo_backup() {
|
||||||
|
@ -1013,7 +1026,7 @@ check_duplicate_fs_label() {
|
||||||
BLKID_BIN=$(command -v blkid)
|
BLKID_BIN=$(command -v blkid)
|
||||||
if [ -x "$BLKID_BIN" ]; then
|
if [ -x "$BLKID_BIN" ]; then
|
||||||
tmpFile=$(mktemp -p /tmp)
|
tmpFile=$(mktemp -p /tmp)
|
||||||
parts=$($BLKID_BIN | grep -ve raid_member -e EFI_SYSPART | grep -Eo ' LABEL=".*"' | cut -d'"' -f2)
|
parts=$($BLKID_BIN -c /dev/null | grep -ve raid_member -e EFI_SYSPART | grep -Eo ' LABEL=".*"' | cut -d'"' -f2)
|
||||||
for part in $parts; do
|
for part in $parts; do
|
||||||
echo "$part" >> "$tmpFile"
|
echo "$part" >> "$tmpFile"
|
||||||
done
|
done
|
||||||
|
@ -1517,8 +1530,6 @@ main() {
|
||||||
|
|
||||||
# shellcheck disable=SC2034
|
# shellcheck disable=SC2034
|
||||||
readonly PROGNAME=$(basename "$0")
|
readonly PROGNAME=$(basename "$0")
|
||||||
# shellcheck disable=SC2034
|
|
||||||
readonly PROGDIR=$(realpath -m "$(dirname "$0")")
|
|
||||||
# shellcheck disable=2124
|
# shellcheck disable=2124
|
||||||
readonly ARGS=$@
|
readonly ARGS=$@
|
||||||
|
|
||||||
|
|
|
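Review bot: The new `for backup_path in ${SQL_BACKUP_PATH}` loop leaves the expansion unquoted on purpose so that a glob such as the new `/home/backup/pg.dump.bak*` default (and presumably a space-separated list) expands, but nothing says so, and a later quoting pass driven by shellcheck would silently break it; add `# unquoted on purpose: the path may be a glob or a space-separated list` above each loop. When the glob matches nothing the literal pattern is what `-f` tests and what the failure message prints, which is acceptable but worth a line in the comment. Consider also `if [ ! -s "${backup_path}" ]; then` with the message `"MySQL dump is missing or empty (${backup_path})"`, since a zero-byte dump left by an interrupted backup job currently passes the check; the same applies to `check_postgres_backup`.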
@ -4,6 +4,6 @@
|
||||||
when: ansible_distribution_release == "jessie"
|
when: ansible_distribution_release == "jessie"
|
||||||
|
|
||||||
- include: sudo_stretch.yml
|
- include: sudo_stretch.yml
|
||||||
when: ansible_distribution_major_version is version('9', '>=')
|
when: ansible_distribution_major_version is defined and ansible_distribution_major_version is version('9', '>=')
|
||||||
|
|
||||||
- meta: flush_handlers
|
- meta: flush_handlers
|
||||||
|
|
|
@ -1,2 +1,3 @@
|
||||||
---
|
---
|
||||||
kvm_custom_libvirt_images_path: ''
|
kvm_custom_libvirt_images_path: ''
|
||||||
|
kvm_install_drbd: True
|
||||||
|
|
|
@ -12,8 +12,8 @@ galaxy_info:
|
||||||
- name: Debian
|
- name: Debian
|
||||||
versions:
|
versions:
|
||||||
- jessie
|
- jessie
|
||||||
|
- stretch
|
||||||
|
- buster
|
||||||
|
|
||||||
dependencies: []
|
dependencies:
|
||||||
# List your role dependencies here, one per line.
|
- { role: evolix/drbd, when: kvm_install_drbd }
|
||||||
# Be sure to remove the '[]' above if you add dependencies
|
|
||||||
# to this list.
|
|
||||||
|
|
|
@ -5,11 +5,15 @@ minifirewall_tail_file: /etc/default/minifirewall.tail
|
||||||
minifirewall_tail_included: False
|
minifirewall_tail_included: False
|
||||||
minifirewall_tail_force: True
|
minifirewall_tail_force: True
|
||||||
|
|
||||||
|
minifirewall_force_upgrade_script: False
|
||||||
|
minifirewall_force_upgrade_config: False
|
||||||
|
|
||||||
minifirewall_git_url: "https://forge.evolix.org/minifirewall.git"
|
minifirewall_git_url: "https://forge.evolix.org/minifirewall.git"
|
||||||
minifirewall_checkout_path: "/tmp/minifirewall"
|
minifirewall_checkout_path: "/tmp/minifirewall"
|
||||||
minifirewall_int: "{{ ansible_default_ipv4.interface }}"
|
minifirewall_int: "{{ ansible_default_ipv4.interface }}"
|
||||||
minifirewall_ipv6: "on"
|
minifirewall_ipv6: "on"
|
||||||
minifirewall_intlan: "{{ ansible_default_ipv4.address }}/32"
|
minifirewall_intlan: "{{ ansible_default_ipv4.address }}/32"
|
||||||
|
minifirewall_docker: "off"
|
||||||
|
|
||||||
minifirewall_default_trusted_ips: []
|
minifirewall_default_trusted_ips: []
|
||||||
minifirewall_additional_trusted_ips: []
|
minifirewall_additional_trusted_ips: []
|
||||||
|
|
|
@ -1,6 +1,5 @@
|
||||||
# Configuration for minifirewall : https://gitea.evolix.org/evolix/minifirewall
|
# Configuration for minifirewall : https://gitea.evolix.org/evolix/minifirewall
|
||||||
# For fun, we keep last change from first CVS repository:
|
# Version 20.12 — 2020-12-01 22:55:35
|
||||||
# version 0.1 - 12 juillet 2007 $Id: firewall.rc,v 1.2 2007/07/12 19:08:59 reg Exp $
|
|
||||||
|
|
||||||
# Main interface
|
# Main interface
|
||||||
INT='eth0'
|
INT='eth0'
|
||||||
|
@ -8,6 +7,12 @@ INT='eth0'
|
||||||
# IPv6
|
# IPv6
|
||||||
IPV6=on
|
IPV6=on
|
||||||
|
|
||||||
|
# Docker Mode
|
||||||
|
# Changes the behaviour of minifirewall to not break the containers' network
|
||||||
|
# For instance, turning it on will disable nat table purge
|
||||||
|
# Also, we'll add the DOCKER-USER chain, in iptable
|
||||||
|
DOCKER='off'
|
||||||
|
|
||||||
# Trusted IPv4 local network
|
# Trusted IPv4 local network
|
||||||
# ...will be often IP/32 if you don't trust anything
|
# ...will be often IP/32 if you don't trust anything
|
||||||
INTLAN='192.168.0.2/32'
|
INTLAN='192.168.0.2/32'
|
||||||
|
|
|
@ -51,13 +51,19 @@
|
||||||
blockinfile:
|
blockinfile:
|
||||||
dest: "{{ minifirewall_main_file }}"
|
dest: "{{ minifirewall_main_file }}"
|
||||||
marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS"
|
marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS"
|
||||||
content: |
|
block: |
|
||||||
# Main interface
|
# Main interface
|
||||||
INT='{{ minifirewall_int }}'
|
INT='{{ minifirewall_int }}'
|
||||||
|
|
||||||
# IPv6
|
# IPv6
|
||||||
IPV6='{{ minifirewall_ipv6 }}'
|
IPV6='{{ minifirewall_ipv6 }}'
|
||||||
|
|
||||||
|
# Docker Mode
|
||||||
|
# Changes the behaviour of minifirewall to not break the containers' network
|
||||||
|
# For instance, turning it on will disable nat table purge
|
||||||
|
# Also, we'll add the DOCKER-USER chain, in iptable
|
||||||
|
DOCKER='{{ minifirewall_docker }}'
|
||||||
|
|
||||||
# Trusted IPv4 local network
|
# Trusted IPv4 local network
|
||||||
# ...will be often IP/32 if you don't trust anything
|
# ...will be often IP/32 if you don't trust anything
|
||||||
INTLAN='{{ minifirewall_intlan }}'
|
INTLAN='{{ minifirewall_intlan }}'
|
||||||
|
@ -89,7 +95,7 @@
|
||||||
blockinfile:
|
blockinfile:
|
||||||
dest: "{{ minifirewall_main_file }}"
|
dest: "{{ minifirewall_main_file }}"
|
||||||
marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS"
|
marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS"
|
||||||
content: |
|
block: |
|
||||||
# Protected services
|
# Protected services
|
||||||
# (add also in Public services if needed)
|
# (add also in Public services if needed)
|
||||||
SERVICESTCP1p='{{ minifirewall_protected_ports_tcp | join(' ') }}'
|
SERVICESTCP1p='{{ minifirewall_protected_ports_tcp | join(' ') }}'
|
||||||
|
|
|
@ -9,7 +9,7 @@
|
||||||
template:
|
template:
|
||||||
src: minifirewall.j2
|
src: minifirewall.j2
|
||||||
dest: /etc/init.d/minifirewall
|
dest: /etc/init.d/minifirewall
|
||||||
force: no
|
force: "{{ minifirewall_force_upgrade_script | default('no') }}"
|
||||||
mode: "0700"
|
mode: "0700"
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
|
@ -18,7 +18,7 @@
|
||||||
copy:
|
copy:
|
||||||
src: minifirewall.conf
|
src: minifirewall.conf
|
||||||
dest: "{{ minifirewall_main_file }}"
|
dest: "{{ minifirewall_main_file }}"
|
||||||
force: no
|
force: "{{ minifirewall_force_upgrade_config | default('no') }}"
|
||||||
mode: "0600"
|
mode: "0600"
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
|
|
|
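Review bot: `minifirewall_force_upgrade_config` turns the `copy` of `minifirewall.conf` into an unconditional overwrite of `{{ minifirewall_main_file }}`, which discards any hand-made edits on the host (extra trusted IPs, ports) until the ANSIBLE MANAGED blocks are re-applied — presumably by the `blockinfile` tasks elsewhere in this role, but anything outside those blocks is lost for good. Both flags default to `False`, which is right, but the tasks deserve a comment such as `# force_upgrade_config overwrites the whole config file; local changes outside the ANSIBLE MANAGED blocks are lost`. The same holds for `/etc/init.d/minifirewall` under `minifirewall_force_upgrade_script`, where a locally patched script is replaced without a copy; adding `backup: yes` to both tasks keeps one.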
@ -4,7 +4,7 @@
|
||||||
# we used netfilter/iptables http://netfilter.org/ designed for recent Linux kernel
|
# we used netfilter/iptables http://netfilter.org/ designed for recent Linux kernel
|
||||||
# See https://gitea.evolix.org/evolix/minifirewall
|
# See https://gitea.evolix.org/evolix/minifirewall
|
||||||
|
|
||||||
# Copyright (c) 2007-2015 Evolix
|
# Copyright (c) 2007-2020 Evolix
|
||||||
# This program is free software; you can redistribute it and/or
|
# This program is free software; you can redistribute it and/or
|
||||||
# modify it under the terms of the GNU General Public License
|
# modify it under the terms of the GNU General Public License
|
||||||
# as published by the Free Software Foundation; either version 3
|
# as published by the Free Software Foundation; either version 3
|
||||||
|
@ -51,6 +51,20 @@ BROAD='255.255.255.255'
|
||||||
PORTSROOT='0:1023'
|
PORTSROOT='0:1023'
|
||||||
PORTSUSER='1024:65535'
|
PORTSUSER='1024:65535'
|
||||||
|
|
||||||
|
chain_exists()
|
||||||
|
{
|
||||||
|
local chain_name="$1" ; shift
|
||||||
|
[ $# -eq 1 ] && local intable="--table $1"
|
||||||
|
iptables $intable -nL "$chain_name" >/dev/null 2>&1
|
||||||
|
}
|
||||||
|
|
||||||
|
# Configuration
|
||||||
|
oldconfigfile="/etc/firewall.rc"
|
||||||
|
configfile="{{ minifirewall_main_file }}"
|
||||||
|
|
||||||
|
IPV6=$(grep "IPV6=" {{ minifirewall_main_file }} | awk -F '=' -F "'" '{print $2}')
|
||||||
|
DOCKER=$(grep "DOCKER=" {{ minifirewall_main_file }} | awk -F '=' -F "'" '{print $2}')
|
||||||
|
INT=$(grep "INT=" {{ minifirewall_main_file }} | awk -F '=' -F "'" '{print $2}')
|
||||||
|
|
||||||
case "$1" in
|
case "$1" in
|
||||||
start)
|
start)
|
||||||
|
@ -109,10 +123,6 @@ $IPT -N LOG_ACCEPT
|
||||||
$IPT -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : '
|
$IPT -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : '
|
||||||
$IPT -A LOG_ACCEPT -j ACCEPT
|
$IPT -A LOG_ACCEPT -j ACCEPT
|
||||||
|
|
||||||
# Configuration
|
|
||||||
oldconfigfile="/etc/firewall.rc"
|
|
||||||
configfile="{{ minifirewall_main_file }}"
|
|
||||||
|
|
||||||
if test -f $oldconfigfile; then
|
if test -f $oldconfigfile; then
|
||||||
echo "$oldconfigfile is deprecated, rename to $configfile" >&2
|
echo "$oldconfigfile is deprecated, rename to $configfile" >&2
|
||||||
exit 1
|
exit 1
|
||||||
|
@ -165,6 +175,33 @@ $IPT -A OUTPUT -o lo -j ACCEPT
|
||||||
$IPT -A INPUT -s $LOOPBACK ! -i lo -j DROP
|
$IPT -A INPUT -s $LOOPBACK ! -i lo -j DROP
|
||||||
|
|
||||||
|
|
||||||
|
if [ "$DOCKER" = "on" ]; then
|
||||||
|
|
||||||
|
$IPT -N MINIFW-DOCKER-TRUSTED
|
||||||
|
$IPT -A MINIFW-DOCKER-TRUSTED -j DROP
|
||||||
|
|
||||||
|
$IPT -N MINIFW-DOCKER-PRIVILEGED
|
||||||
|
$IPT -A MINIFW-DOCKER-PRIVILEGED -j MINIFW-DOCKER-TRUSTED
|
||||||
|
$IPT -A MINIFW-DOCKER-PRIVILEGED -j RETURN
|
||||||
|
|
||||||
|
$IPT -N MINIFW-DOCKER-PUB
|
||||||
|
$IPT -A MINIFW-DOCKER-PUB -j MINIFW-DOCKER-PRIVILEGED
|
||||||
|
$IPT -A MINIFW-DOCKER-PUB -j RETURN
|
||||||
|
|
||||||
|
# Flush DOCKER-USER if exist, create it if absent
|
||||||
|
if chain_exists 'DOCKER-USER'; then
|
||||||
|
$IPT -F DOCKER-USER
|
||||||
|
else
|
||||||
|
$IPT -N DOCKER-USER
|
||||||
|
fi;
|
||||||
|
|
||||||
|
# Pipe new connection through MINIFW-DOCKER-PUB
|
||||||
|
$IPT -A DOCKER-USER -i $INT -m state --state NEW -j MINIFW-DOCKER-PUB
|
||||||
|
$IPT -A DOCKER-USER -j RETURN
|
||||||
|
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
# Local services restrictions
|
# Local services restrictions
|
||||||
#############################
|
#############################
|
||||||
|
|
||||||
|
@ -218,6 +255,64 @@ for x in $SERVICESUDP3
|
||||||
done
|
done
|
||||||
|
|
||||||
|
|
||||||
|
if [ "$DOCKER" = "on" ]; then
|
||||||
|
|
||||||
|
# Public services defined in SERVICESTCP1 & SERVICESUDP1
|
||||||
|
for dstport in $SERVICESTCP1
|
||||||
|
do
|
||||||
|
$IPT -I MINIFW-DOCKER-PUB -p tcp --dport "$dstport" -j RETURN
|
||||||
|
done
|
||||||
|
|
||||||
|
for dstport in $SERVICESUDP1
|
||||||
|
do
|
||||||
|
$IPT -I MINIFW-DOCKER-PUB -p udp --dport "$dstport" -j RETURN
|
||||||
|
done
|
||||||
|
|
||||||
|
# Privileged services (accessible from privileged & trusted IPs)
|
||||||
|
for dstport in $SERVICESTCP2
|
||||||
|
do
|
||||||
|
for srcip in $PRIVILEGIEDIPS
|
||||||
|
do
|
||||||
|
$IPT -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "$srcip" --dport "$dstport" -j RETURN
|
||||||
|
done
|
||||||
|
|
||||||
|
for srcip in $TRUSTEDIPS
|
||||||
|
do
|
||||||
|
$IPT -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "$srcip" --dport "$dstport" -j RETURN
|
||||||
|
done
|
||||||
|
done
|
||||||
|
|
||||||
|
for dstport in $SERVICESUDP2
|
||||||
|
do
|
||||||
|
for srcip in $PRIVILEGIEDIPS
|
||||||
|
do
|
||||||
|
$IPT -I MINIFW-DOCKER-PRIVILEGED -p udp -s "$srcip" --dport "$dstport" -j RETURN
|
||||||
|
done
|
||||||
|
|
||||||
|
for srcip in $TRUSTEDIPS
|
||||||
|
do
|
||||||
|
$IPT -I MINIFW-DOCKER-PRIVILEGED -p udp -s "$srcip" --dport "$dstport" -j RETURN
|
||||||
|
done
|
||||||
|
done
|
||||||
|
|
||||||
|
# Trusted services (accessible from trusted IPs)
|
||||||
|
for dstport in $SERVICESTCP3
|
||||||
|
do
|
||||||
|
for srcip in $TRUSTEDIPS
|
||||||
|
do
|
||||||
|
$IPT -I MINIFW-DOCKER-TRUSTED -p tcp -s "$srcip" --dport "$dstport" -j RETURN
|
||||||
|
done
|
||||||
|
done
|
||||||
|
|
||||||
|
for dstport in $SERVICESUDP3
|
||||||
|
do
|
||||||
|
for srcip in $TRUSTEDIPS
|
||||||
|
do
|
||||||
|
$IPT -I MINIFW-DOCKER-TRUSTED -p udp -s "$srcip" --dport "$dstport" -j RETURN
|
||||||
|
done
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
|
||||||
# External services
|
# External services
|
||||||
###################
|
###################
|
||||||
|
|
||||||
|
@ -323,11 +418,24 @@ trap - INT TERM EXIT
|
||||||
$IPT -F ONLYTRUSTED
|
$IPT -F ONLYTRUSTED
|
||||||
$IPT -F ONLYPRIVILEGIED
|
$IPT -F ONLYPRIVILEGIED
|
||||||
$IPT -F NEEDRESTRICT
|
$IPT -F NEEDRESTRICT
|
||||||
$IPT -t nat -F
|
[ "$DOCKER" = "off" ] && $IPT -t nat -F
|
||||||
$IPT -t mangle -F
|
$IPT -t mangle -F
|
||||||
[ "$IPV6" != "off" ] && $IPT6 -F INPUT
|
[ "$IPV6" != "off" ] && $IPT6 -F INPUT
|
||||||
[ "$IPV6" != "off" ] && $IPT6 -F OUTPUT
|
[ "$IPV6" != "off" ] && $IPT6 -F OUTPUT
|
||||||
|
|
||||||
|
if [ "$DOCKER" = "on" ]; then
|
||||||
|
$IPT -F DOCKER-USER
|
||||||
|
$IPT -A DOCKER-USER -j RETURN
|
||||||
|
|
||||||
|
$IPT -F MINIFW-DOCKER-PUB
|
||||||
|
$IPT -X MINIFW-DOCKER-PUB
|
||||||
|
$IPT -F MINIFW-DOCKER-PRIVILEGED
|
||||||
|
$IPT -X MINIFW-DOCKER-PRIVILEGED
|
||||||
|
$IPT -F MINIFW-DOCKER-TRUSTED
|
||||||
|
$IPT -X MINIFW-DOCKER-TRUSTED
|
||||||
|
|
||||||
|
fi
|
||||||
|
|
||||||
# Accept all
|
# Accept all
|
||||||
$IPT -P INPUT ACCEPT
|
$IPT -P INPUT ACCEPT
|
||||||
$IPT -P OUTPUT ACCEPT
|
$IPT -P OUTPUT ACCEPT
|
||||||
|
|
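Review bot: The three config lookups added before `case "$1" in` use an unanchored `grep "INT="` / `grep "IPV6="` / `grep "DOCKER="` over the whole file, so any line that merely contains the string — a comment, or a second definition — is picked up, and with several matches the variable becomes a multi-line value that then lands unquoted in `$IPT -A DOCKER-USER -i $INT …`. From the other files in this commit the shipped `minifirewall.conf` already carries `INT='eth0'`, `IPV6=on` and `DOCKER='off'` while the ANSIBLE MANAGED block writes its own `INT=`/`IPV6=`/`DOCKER=` lines, so a host can plausibly end up with two definitions of each (to confirm against the copy/blockinfile ordering). The `awk -F '=' -F "'"` (the second `-F` wins) also only honours single-quoted values, so the unquoted `IPV6=on` parses as an empty string that the later `!= "off"` tests treat as enabled. Anchoring on the line start, taking the last definition and stripping either quote style is more predictable: `IPV6=$(grep -E '^IPV6=' "${configfile}" | tail -n 1 | cut -d '=' -f 2 | tr -d "'\"")`, and likewise for `DOCKER` and `INT`. The `start`/`stop` bodies continue outside the hunks shown here.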
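--- /dev/null
+++ b/mysql/files/save_mysql_processlist.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+set -e
+
+processlist() {
+mysqladmin --verbose --vertical processlist
+}
+
+DIR="/var/log/mysql-processlist"
+TS=`date +%Y%m%d%H%M%S`
+FILE="${DIR}/${TS}"
+
+if [ ! -d "${DIR}" ]; then
+mkdir -p "${DIR}"
+chown root:adm "${DIR}"
+chmod 750 "${DIR}"
+fi
+
+processlist > "${FILE}"
+chmod 640 "${FILE}"
+chown root:adm "${FILE}"
+
+find "${DIR}" -type f -mtime +1 -delete
+
+exit 0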
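Review bot: The snapshot is created by the redirection `processlist > "${FILE}"` under the caller's default umask and only tightened by the `chmod 640` on the next line, so with a 022 umask there is a window where the dump is world-readable, and `mysqladmin --verbose processlist` prints the full text of running statements, which can carry application data or literal credentials. Setting `umask 027` right after `set -e` makes both the directory and the file restrictive from creation, with the later `chmod`/`chown` as belt-and-braces. The `if [ ! -d "${DIR}" ]` guard also means a pre-existing directory with looser permissions is never corrected, so the `chown`/`chmod` should run unconditionally. A header comment is missing — something like `# Snapshot the MySQL processlist into /var/log/mysql-processlist (root:adm 0640) and prune snapshots older than a day` — and `TS=$(date +%Y%m%d%H%M%S)` is preferable to the backticks.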
@ -22,4 +22,4 @@
|
||||||
- name: 'restart xinetd'
|
- name: 'restart xinetd'
|
||||||
service:
|
service:
|
||||||
name: 'xinetd'
|
name: 'xinetd'
|
||||||
state: 'restart'
|
state: 'restarted'
|
||||||
|
|
|
@ -178,3 +178,12 @@
|
||||||
tags:
|
tags:
|
||||||
- mysql
|
- mysql
|
||||||
- packages
|
- packages
|
||||||
|
|
||||||
|
- name: "Install save_mysql_processlist.sh"
|
||||||
|
copy:
|
||||||
|
src: save_mysql_processlist.sh
|
||||||
|
dest: "{{ mysql_scripts_dir or general_scripts_dir | mandatory }}/save_mysql_processlist.sh"
|
||||||
|
mode: "0755"
|
||||||
|
force: no
|
||||||
|
tags:
|
||||||
|
- mysql
|
||||||
|
|
|
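Review bot: The copy task sets `mode: "0755"` but no `owner`/`group`, and `force: no` means a host keeps whichever version of `save_mysql_processlist.sh` it first received, so later fixes to the script in this role never reach it. Unless the script is meant to be customised locally, drop `force: no` (or gate it on a variable, as this commit does with `minifirewall_force_upgrade_script`) so the fleet stays on the reviewed version, and add `owner: root` and `group: root` to pin ownership of an executable that will presumably be run from root's cron — the cron entry itself is not part of this commit.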
@ -9,7 +9,7 @@ postgresql_random_page_cost: 1.5
|
||||||
postgresql_effective_cache_size: "{{ (ansible_memtotal_mb * 0.5) | int }}MB"
|
postgresql_effective_cache_size: "{{ (ansible_memtotal_mb * 0.5) | int }}MB"
|
||||||
|
|
||||||
# PostgreSQL version
|
# PostgreSQL version
|
||||||
postgresql_version: '9.6'
|
postgresql_version: ''
|
||||||
|
|
||||||
# Set locales
|
# Set locales
|
||||||
locales_default: fr_FR.UTF-8
|
locales_default: fr_FR.UTF-8
|
||||||
|
|
|
@ -1,5 +1,10 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
|
- name: "Set variables (Debian 10)"
|
||||||
|
set_fact:
|
||||||
|
postgresql_version: '11'
|
||||||
|
when: postgresql_version == ""
|
||||||
|
|
||||||
- include: pgdg-repo.yml
|
- include: pgdg-repo.yml
|
||||||
when: postgresql_version != '11'
|
when: postgresql_version != '11'
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,10 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
|
- name: "Set variables (Debian 8)"
|
||||||
|
set_fact:
|
||||||
|
postgresql_version: '9.4'
|
||||||
|
when: postgresql_version == ""
|
||||||
|
|
||||||
- include: pgdg-repo.yml
|
- include: pgdg-repo.yml
|
||||||
when: postgresql_version != '9.4'
|
when: postgresql_version != '9.4'
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,10 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
|
- name: "Set variables (Debian 9)"
|
||||||
|
set_fact:
|
||||||
|
postgresql_version: '9.6'
|
||||||
|
when: postgresql_version == ""
|
||||||
|
|
||||||
- include: pgdg-repo.yml
|
- include: pgdg-repo.yml
|
||||||
when: postgresql_version != '9.6'
|
when: postgresql_version != '9.6'
|
||||||
|
|
||||||
|
|
|
@ -18,8 +18,13 @@
|
||||||
#url: http://apt.postgresql.org/pub/repos/apt/ACCC4CF8.asc
|
#url: http://apt.postgresql.org/pub/repos/apt/ACCC4CF8.asc
|
||||||
data: "{{ lookup('file', 'ACCC4CF8.asc') }}"
|
data: "{{ lookup('file', 'ACCC4CF8.asc') }}"
|
||||||
|
|
||||||
|
- name: Update and upgrade apt packages for PGDG repository
|
||||||
|
apt:
|
||||||
|
upgrade: yes
|
||||||
|
update_cache: yes
|
||||||
|
|
||||||
- name: Add APT preference file
|
- name: Add APT preference file
|
||||||
template:
|
template:
|
||||||
src: postgresql.pref.j2
|
src: postgresql.pref.j2
|
||||||
dest: /etc/apt/preferences.d/
|
dest: /etc/apt/preferences.d/postgresql.pref
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
|
|
|
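Review bot: The new `apt: upgrade: yes` task performs a full `apt-get upgrade` of every package on the host, not just PostgreSQL, every time this file runs, and it is placed before the `postgresql.pref` pin is written a few lines below, so on first run the freshly added PGDG repository is unpinned while that upgrade resolves versions. If the intent is only to make the new repository visible, `update_cache: yes` alone does that; replace the task with `- name: Refresh APT cache for PGDG repository` / `apt:` / `update_cache: yes`, or at the very least move it after the preference-file task. An unconditional system-wide upgrade is a surprising side effect for a role that otherwise only adds a repository, so if it is wanted it needs a comment explaining why.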
@ -30,11 +30,21 @@ check_server() {
|
||||||
host=$(config_var "bind" "${conf_file}")
|
host=$(config_var "bind" "${conf_file}")
|
||||||
port=$(config_var "port" "${conf_file}")
|
port=$(config_var "port" "${conf_file}")
|
||||||
pass=$(config_var "requirepass" "${conf_file}")
|
pass=$(config_var "requirepass" "${conf_file}")
|
||||||
|
maxmemory=$(config_var "maxmemory" "${conf_file}")
|
||||||
|
maxmemory_policy=$(config_var "maxmemory-policy" "${conf_file}")
|
||||||
|
|
||||||
cmd="${check_bin} -H ${host} -p ${port}"
|
cmd="${check_bin} -H ${host} -p ${port}"
|
||||||
|
# If "requirepass" is set we add the password to the check
|
||||||
if [ -n "${pass}" ]; then
|
if [ -n "${pass}" ]; then
|
||||||
cmd="${cmd} -x ${pass}"
|
cmd="${cmd} -x ${pass}"
|
||||||
fi
|
fi
|
||||||
|
# If "maxmemory" is set and "maxmemory-policy" is missing or set to "noeviction"
|
||||||
|
# then we enforce the "maxmemory" limit
|
||||||
|
if [ -n "${maxmemory}" ]; then
|
||||||
|
if [ -z "${maxmemory_policy}" ] || [ "${maxmemory_policy}" = "noeviction" ]; then
|
||||||
|
cmd="${cmd} --total_memory ${maxmemory} --memory_utilization 80,90"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
result=$($cmd)
|
result=$($cmd)
|
||||||
ret="${?}"
|
ret="${?}"
|
||||||
if [ "${ret}" -ge 2 ]; then
|
if [ "${ret}" -ge 2 ]; then
|
||||||
|
|
|
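Review bot: `--total_memory ${maxmemory}` passes the raw `maxmemory` value from the config file to the plugin, and redis accepts unit suffixes there (`2gb`, `512mb`) as well as plain bytes; whether `${check_bin}` understands the suffixed form cannot be seen from here, so either confirm it does or normalise the value to bytes before appending it to `cmd`. The whole command line is then rebuilt by word-splitting in `result=$($cmd)`, which is fine for these single-token values but is an assumption worth stating next to the new block: `# maxmemory may carry a unit suffix (e.g. 2gb); check_bin must accept the same syntax — TODO confirm`. `check_server` starts before this hunk.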
@ -8,7 +8,7 @@
|
||||||
mode: "0640"
|
mode: "0640"
|
||||||
create: yes
|
create: yes
|
||||||
marker: "# {mark} ANSIBLE MANAGED RULES FOR DEFAULT INSTANCE"
|
marker: "# {mark} ANSIBLE MANAGED RULES FOR DEFAULT INSTANCE"
|
||||||
content: |
|
block: |
|
||||||
file = {{ redis_log_dir }}/redis-server.log
|
file = {{ redis_log_dir }}/redis-server.log
|
||||||
pattern = "Cannot allocate memory"
|
pattern = "Cannot allocate memory"
|
||||||
mailto = {{ log2mail_alert_email or general_alert_email | mandatory }}
|
mailto = {{ log2mail_alert_email or general_alert_email | mandatory }}
|
||||||
|
|